Hacking Exposed

Page 36

by Aaron Philipp


  Finding Similarity in the User Interface and Output

  Although it will be difficult for you to say definitively that two programs are the same without access to the source code, you can still build a case. The key is to look for similarities. Study the user interface. Are controls laid out the same way? Is the input method similar? What about the size of the windows and text boxes? You can also look at the format and layout of the output. For instance, if the output is a CSV file with data points, how is the text file formatted and what columns are used? Look at the output for similarities with the original output. Do they both round to the same number of floating point decimals? Are the numbers sorted in a certain manner? What about the order of the columns? In general, find out the client program’s “secret ingredient,” and then look at how the program in question deals with some of the same issues. If you notice minor similarities, you may not have enough evidence to go on. But if you find occurrences such as output files that look exactly the same in both programs, or identical or nearly identical user interfaces, further investigation may be warranted.
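To make the output-comparison questions above concrete, here is an added example (not code from the book) that fingerprints two CSV outputs by delimiter, column order, decimal precision of each numeric column, and per-column sort order, then reports which traits the two share. The two CSV strings are constructed sample data.

```python
import csv
import io

CANDIDATE_DELIMS = [",", ";", "\t", "|"]

def detect_delimiter(header_line):
    # The delimiter is the candidate that occurs most often in the header line.
    return max(CANDIDATE_DELIMS, key=header_line.count)

def decimal_places(value):
    # Digits after the decimal point, or None when the field is not numeric.
    try:
        float(value)
    except ValueError:
        return None
    return len(value.split(".", 1)[1]) if "." in value else 0

def sort_order(values):
    nums = [float(v) for v in values]
    if nums == sorted(nums):
        return "ascending"
    if nums == sorted(nums, reverse=True):
        return "descending"
    return "unsorted"

def fingerprint_csv(text):
    """Capture the layout traits the text says to compare: delimiter,
    column order, and decimal precision and sort order of each numeric column."""
    delim = detect_delimiter(text.splitlines()[0])
    rows = list(csv.reader(io.StringIO(text), delimiter=delim))
    header, body = rows[0], rows[1:]
    fp = {"delimiter": delim, "columns": header, "decimals": {}, "sort": {}}
    for i, name in enumerate(header):
        col = [r[i] for r in body if i < len(r)]
        places = {decimal_places(v) for v in col}
        if not places or None in places:
            continue  # empty or non-numeric column: nothing to fingerprint
        fp["decimals"][name] = max(places)
        fp["sort"][name] = sort_order(col)
    return fp

def shared_traits(a, b):
    """Which fingerprint features two outputs have in common."""
    return [k for k in ("delimiter", "columns", "decimals", "sort") if a[k] == b[k]]

# Constructed sample outputs: the client's program and the program in question.
CLIENT_OUTPUT = "id,x,y\n1,0.250,12.5\n2,0.333,11.0\n3,1.000,9.8\n"
SUSPECT_OUTPUT = "id,x,y\n7,2.125,30.5\n8,2.500,20.0\n9,3.000,10.5\n"
```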

  Further Analysis

  While you’re reviewing source code, don’t forget about the traditional methods of IP theft. The whole thing can get a lot easier if you can point definitively to an entire source tree being copied from a computer. It’s important that you look not only at the source code itself, but at the computers on which it resided to determine whether the information was copied. (We discuss how to do this in greater detail in the next section.)

  Trade Secrets and Other Proprietary Information

  IP is typically categorized into various groups—patents, copyrights, trademarks, and trade secrets. These classifications coincide with those used by the US Patent and Trademark Office (USPTO) in describing and conveying certain rights to the respective IP owners—primarily the right to exclude others from the use and/or exploitation of the IP. Various types of patents can be obtained (such as utility, design, plant, animal), which cover a wide range of ideas and inventions, from tangible tools and machines, to things that are more intangible such as novel processes and designs. Copyrights cover the expression of an idea, but not necessarily the idea itself. The most common form of copyright is in association with literary or musical works. A trademark is generally a name, word, or symbol used by a business to market its goods.

  In general, patents, copyrights, and trademarks provide their owners with the legal right to prevent anyone from using the technology or subject matter of the patent, copyrighted material, or trademark for a certain period of time, thereby guaranteeing the IP owner the exclusive right to reap whatever economic benefit or value may be associated with the IP. In addition, since they are typically already in the public domain (that is, a person can look up any patent with the USPTO or purchase a literary or musical work), patents are often misused or infringed upon, but they are rarely the subject of claims for theft or misappropriation. Patents, copyrights, and trademarks are not the only IP held by a company, however.

  IP also incorporates a broader classification of intangible assets that provide value to a company. While patents, copyrights, and trademarks carry certain legal protections for their owners, of no less value and importance to a company are certain trade secrets or other propriety technology and information. Many of these types of IP may not share the same characteristics with patents, or they may simply be IP for which the owner chose not to seek a patent. Trade secrets encompass a broad range of things, and in some respects can be anything considered “secret” that gives the owner an economic advantage or benefit in its business—a unique process, design, or approach to a secret ingredient in the clam chowder at your favorite restaurant, for example. While your favorite restaurant may not have a patent on its clam chowder, the secret ingredient nonetheless has value to the restaurant because of the many customers who frequent the place to eat the famous soup.

  The issuance of a patent, copyright, or trademark provides protection against the misuse of the IP from outsiders. Although it does not always prevent others from using the IP, it provides a legal framework for pursuing damages against those who do. Companies expend significant efforts in pursuing those who infringe upon their IP. However, companies likewise have the right to keep their trade secrets or other proprietary technology and know-how secret from their competitors or others who could use it to undermine their advantage and success in the marketplace.

  Trade secrets come in many forms, from the secret recipe just described, to proprietary engineering or manufacturing processes, specialized software programs, customer lists or other collections of data such as customized databases of information, to the knowledge and skills of its top professionals. Because trade secrets take many forms, and may exist in various aspects of an organization, they can also be difficult to define, value, and protect. As a result, trade secrets are also the target and the subject of the most potential abuse and theft. While companies are typically paying attention to their most valuable patents, as well as the infringement or misuse of their copyrighted material or trademarks in the public domain, many of the various trade secrets that also contribute to a company’s success are often left unguarded, and their misappropriation may go unnoticed for lengthy periods of time, if they’re ever discovered.

  What to Understand

  Where a theft of trade secrets or other proprietary technology is suspected, you must first define the trade secret and/or proprietary technology in question and why it is believed that it may have been misappropriated. This can be one of the most difficult steps in an investigation, as trade secrets and know-how can cover a broad array of information and technology.

  You must define what exactly is believed to have been inappropriately taken. Is it tangible, such as software code, proprietary designs and drawings, a customer list, a compilation of data on the market, or the industry’s/company’s sales territories? Or is it more difficult to define, such as the general know-how related to the most efficient manufacturing process for a certain product. Or is it as simple as a copied recipe for clam chowder?

  A clear understanding of what is suspected to have been misappropriated will help you define what efforts should be undertaken from a computer forensics perspective to investigate the possible theft. While customer data will usually be in the form of a large data set and, by necessity and convenience, will be in electronic format, not all trade secrets and other proprietary technology may be in electronic form. In some instances, a company’s trade secrets may walk out the door in hard-copy form in someone’s briefcase. However, it is more likely that some form of electronic media was used to gain access to the information stored on the company’s network or in other electronic files, and either a copy of that information was created on disk or removable storage device, or it was transmitted electronically to outside parties via e-mail. Even the prized clam chowder recipe likely rests in an electronic file somewhere.

  Next, you must understand where the information suspected of misappropriation may reside throughout an organization, both physically and electronically, and who in the organization may have had access to the information. You need to understand whether the information was potentially stolen from the hard drive of a laptop computer or a portable storage device, through direct interaction with the entity’s internal network, or even the potential scanning of hard-copy data to an electronic file.

  Unlike customer data, which may reside in one specialized location, trade secrets and other proprietary technology may exist across various departments and divisions of a company with generalized access by numerous individuals. Many company trade secrets and other proprietary technology may not be protected as securely as you might expect. In fact, companies often do not realize the value of this IP and the need for security until after an incident has occurred. As such, the IP in question may be widely disseminated throughout an organization with available access via both a company’s internal networks and individual user laptops. The information may also exist in hard-copy form in various locations.

  How widely information is disseminated may pose challenges for an investigator if the list of potential perpetrators and access points cannot be sufficiently narrowed to justify the time and effort required to conduct a thorough investigation—in other words, if it could have been anyone. In such situations, other qualitative aspects may need to be evaluated by the investigative team, including identifying individuals who would have both the knowledge of the existence and potential value of the IP, as well as potential access to the information, and evaluating correlations with evidence of disgruntled or terminated employees. If a list of potential perpetrators, access points, and retrieval methods can be sufficiently narrowed, the computer forensic techniques can help tie these actions to an individual.

  You must try to determine whether the information was stolen from the hard drive of a laptop computer, from a portable storage device, or through direct interaction with the entity’s internal network. Then you need to understand what security procedures exist to protect the information, both to evaluate the relative risk of a perpetrator gaining access to the information and to narrow the potential source of the theft. If the network location of the data had secure or limited access, you need to know who had access, as well as whether the security procedures could have been, or in fact were, overridden to gain access to the data in question.

  What to Look For

  What to look for, as well as when to look, when a trade secret or proprietary technology is suspected of being misappropriated depends on what the IP is, how widely it is disseminated throughout the organization and in what form, and whether the suspected perpetrator, access points, and retrieval methods can be sufficiently narrowed to justify a wide-scale investigation. However, you can look for several definite patterns relative to the theft of trade secrets and other proprietary technology, and these provide good starting points for conducting an initial investigation. Nine times out of ten, you will be handed a computer and told, “We don’t know what they took or how they took it, but we believe this person has taken data with them that they shouldn’t have.” In such situations, we like to start by determining what, if anything, was copied from the computer and when it happened. This information, coupled with a review of the data that was copied, is usually enough to frame the rest of what you are going to do in the investigation.

  Look for Evidence of Copying

  By definition, theft of proprietary data requires that copying or moving occurs. When you don’t know what was taken, in what form it was taken, and when it was taken, you have to start by determining how it was taken. In modern operating systems, audit trails can be traced for most of the major methods used to get data off a computer. Use of a thumb drive leaves artifacts in the system files. Burning a CD leaves remnants in system directories. Using webmail leaves markers in the Internet history. Even printing leaves a trail in the print spooler. Knowing the different ways that data can leave the system and how to look at what was copied and where it was copied to is absolutely vital in these investigations.

  Burning a CD/DVD

  Most modern operating systems have the ability to burn a CD built into the packaged OS. Generally, as is the case with Mac OS X and Windows, you can drag-and-drop files onto the CD/DVD drive icon and the system will take care of the rest. Because of this ease of use, this is one of the primary ways used by individuals to copy information from a computer. The good news is that the burning process is generally a compilation feature, which means that files are dragged and dropped over a period of time and then later burned. An intermediary location is used to store the data to be burned to the CD, and that means you have a place you can audit if or when a CD was burned and you can determine what was placed on that disc.

  Determining that a CD Was Burned

  The methods you use to determine that a CD was burned vary from computer to computer and even user to user. For instance, some users drag-and-drop the files onto the CD icon and are done with it. Others will use third-party applications, such as Nero or Roxio’s offerings, to burn the CDs. Each application has its own artifacts that you can try to detect, as well as its own stepwise process. Let’s start with the Windows family of operating systems.

  Operating System Burning (Drag-and-Drop)

  This method is generally fairly easy to detect. Look for the CD Burning folder under the user’s Documents and Settings\Application Data folder. When a user drags-and-drops a file or set of files to be burned, the files are placed in this directory as a temporary location. Once the CD has been burned, the files are deleted from this folder. This is good news for a forensic analyst, however. If the computer hasn’t been used much since the CD burning took place, the files will generally remain intact. Just use your favorite forensic recovery tool and undelete the files. If the files are still in the CD Burning folder, that can indicate that the person wanted to burn the files but for some reason didn’t do it. Look at the data’s size to determine whether the number and size of files were too large for optical media. In that case, check for other methods that may have been used to get the data to determine whether the individual used something like a thumb drive or external hard drive.

  Third-party Utilities

  The UserAssist logs and prefetch area can be your best friends in determining whether a third-party burning utility was used. Look through the logs to see if an application was used to burn a CD/DVD. The entries in these logs will persist even if the user uninstalled the program itself after burning the media in an effort to hide his or her tracks. If you find evidence that a utility was run, you can look for two things. Generally, when a third-party utility is used to create a CD, a temporary ISO image is created to avoid issues with the burner overrunning the buffer. Since these images are generally in Joliet format, you can search for the file system signature of the Joliet file system and go from there. In addition, you can look at the files that may have been mass-accessed during the time the application was running. While this is not an end-all-be-all answer, it can definitely point you toward any files that may have been copied. Then look for link files to see if the newly burned disc was accessed in the computer, showing that the files that had been accessed on the computer were in fact existent on the newly burned CD/DVD.
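The signature search suggested above, as an added example that is not the book's code: this carver scans raw bytes (unallocated space, a page file, a recovered temp file) for ISO 9660 volume descriptors by their "CD001" identifier, reads the volume name and size, and flags a supplementary descriptor as Joliet when its escape-sequence field carries one of the Joliet escapes. The image remnant it runs on is constructed inline.

```python
import struct

SECTOR = 2048                 # ISO 9660 logical sector size
ISO_MAGIC = b"CD001"          # standard identifier at byte 1 of every volume descriptor
# Escape sequences (bytes 88-119 of a supplementary volume descriptor) that declare Joliet.
JOLIET_ESCAPES = {b"%/@": 1, b"%/C": 2, b"%/E": 3}

def parse_descriptor(buf, off):
    """Interpret buf[off:] as an ISO 9660 volume descriptor; None if it is not one."""
    if off + 120 > len(buf) or buf[off + 1:off + 6] != ISO_MAGIC:
        return None
    vd_type = buf[off]
    if vd_type not in (1, 2):                       # 1 = primary, 2 = supplementary
        return None
    level = None
    if vd_type == 2:
        escapes = buf[off + 88:off + 120]
        level = next((lvl for seq, lvl in JOLIET_ESCAPES.items() if seq in escapes), None)
    raw_id = buf[off + 40:off + 72]                 # volume identifier (UCS-2 BE under Joliet)
    vol_id = raw_id.decode("utf-16-be") if level else raw_id.decode("ascii", "replace")
    blocks = struct.unpack_from("<I", buf, off + 80)[0]   # volume space size, little-endian copy
    kind = "joliet" if level else ("supplementary" if vd_type == 2 else "primary")
    return {"offset": off, "kind": kind, "joliet_level": level,
            "volume_id": vol_id.strip("\x00 "), "size_bytes": blocks * SECTOR}

def carve_volume_descriptors(buf):
    """Scan arbitrary bytes for volume descriptors; the type byte precedes the magic."""
    found, pos = [], buf.find(ISO_MAGIC)
    while pos != -1:
        desc = parse_descriptor(buf, pos - 1) if pos >= 1 else None
        if desc:
            found.append(desc)
        pos = buf.find(ISO_MAGIC, pos + 1)
    return found

def build_descriptor(vd_type, encoded_id, blocks, escapes=b""):
    """Constructed test data: a minimal volume descriptor sector."""
    d = bytearray(SECTOR)
    d[0], d[6] = vd_type, 1
    d[1:6] = ISO_MAGIC
    d[40:72] = encoded_id.ljust(32, b" ")
    struct.pack_into("<I", d, 80, blocks)           # both-endian field: LE copy ...
    struct.pack_into(">I", d, 84, blocks)           # ... then BE copy
    d[88:88 + len(escapes)] = escapes
    return bytes(d)

# Constructed image remnant: 16-sector system area, primary descriptor, Joliet
# supplementary descriptor, terminator, surrounded by filler standing in for other data.
PVD = build_descriptor(1, b"SECRET_DATA", 1200)
SVD = build_descriptor(2, "Secret Data".ljust(16).encode("utf-16-be"), 1200, b"%/E")
TERMINATOR = bytes([255]) + ISO_MAGIC + bytes(SECTOR - 6)
SAMPLE = b"filler " * 300 + bytes(16 * SECTOR) + PVD + SVD + TERMINATOR + b"more filler" * 50
```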

  Sending via E-mail

  E-mail is commonly used to remove and disperse IP. This generally occurs in one of two ways: the information is either e-mailed to another account using corporate e-mail, or personal webmail such as Gmail is used to send the files. Detecting this method of theft, while somewhat straightforward, definitely has its own set of pitfalls.

  Finding IP in E-mail

  Most forensic tools allow you to take a corporate mail store, such as a Personal Storage Table (PST), and create a table showing all messages to and from various senders. Look through this table and identify e-mails that look like they were sent from the suspect employee to a personal e-mail address. If you know the approximate date range when the theft may have occurred, you can also block out the e-mails that way. Then review all e-mails that meet these criteria to see if they contain any files or appear to have been used to send files off the computer. Some telltale signs are the use of no subjects, small messages that have no other threads, or empty messages. In addition, obtaining the suspect’s webmail addresses can make your job even easier.

  If you find nothing worth investigating in the corporate mail, or even if you do find something, you’ll need to reconstruct the suspect’s webmail. We have discussed the Internet cache and how it stores webmail in preceding chapters, and you can apply those techniques here. Look for active webmail cache files on the system, and reconstruct them as appropriate. Doing this will often not reveal all the messages sent from the computer, however. The cache is periodically cleared, depending on the browser, and the suspect may have purposely cleared the cache as a cleanup step somewhere along the line. In this case, you’ll need to employ other techniques: search terms and file carving.

  Using Search Terms to Find E-mail

  One of the most effective ways to find e-mails that have been removed from the web cache is by using keywords. The party asking you to perform the search probably has an idea of what the suspect employee was working on. Ask for terms pertaining to these clients and topics. Find any personal e-mail addresses or screen names that you can on the system and add those as keywords as well. Compile a list of all these terms and keywords and search for them across the unallocated space. More often than not, you will find additional e-mails or e-mail fragments that once existed in the active space of the computer. Some of our cases have hinged on fragments the employee thought were lost. Be warned, however, that this is an arduous process with many false positives. In addition, the data you can carve out of the unallocated space is not going to be the prettiest or most readable. If you find things that are relevant to the issue at hand, you can spend some time beautifying the results, as long as you include the original in your report and note that you have modified its structure only for readability.
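The keyword sweep described above, as an added example that is not the book's code: it searches a byte buffer for each term in both 8-bit and UTF-16LE form (Windows writes much of its own text as UTF-16), returns the decoded text around every hit, and harvests e-mail addresses so they can be fed back in as keywords. The stand-in for unallocated space is constructed inline.

```python
import re

# E-mail address pattern as str (for decoded text) and as bytes (for raw 8-bit scanning).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
EMAIL_RE_BYTES = re.compile(EMAIL_RE.pattern.encode())

def harvest_emails(blob):
    """Addresses present as 8-bit text or as UTF-16LE at either byte alignment."""
    found = {m.group().decode("latin-1") for m in EMAIL_RE_BYTES.finditer(blob)}
    for shift in (0, 1):
        found.update(EMAIL_RE.findall(blob[shift:].decode("utf-16-le", "ignore")))
    return found

def search_unallocated(blob, keywords, context=128):
    """Case-insensitive search for each keyword in 8-bit and UTF-16LE encodings,
    returning decoded context and any addresses seen near each hit."""
    lowered = blob.lower()                # folds only ASCII letters, so both encodings survive
    hits = []
    for term in keywords:
        patterns = {"ascii": term.lower().encode("latin-1"),
                    "utf-16le": term.lower().encode("utf-16-le")}
        for enc, pat in patterns.items():
            pos = lowered.find(pat)
            while pos != -1:
                # Keep lo congruent to pos mod 2 so UTF-16 decoding stays aligned.
                lo = pos - context if pos >= context else pos % 2
                hi = min(len(blob), pos + len(pat) + context)
                window = blob[lo:hi]
                text = (window.decode("utf-16-le", "ignore") if enc == "utf-16le"
                        else window.decode("latin-1"))
                hits.append({"term": term, "encoding": enc, "offset": pos,
                             "context": text, "emails": set(EMAIL_RE.findall(text))})
                pos = lowered.find(pat, pos + 1)
    return hits

# Constructed stand-in for unallocated space: cache debris, an 8-bit webmail fragment,
# junk bytes, and a UTF-16LE fragment of the kind Windows leaves in its own files.
ASCII_FRAG = (b"From: j.doe@corp.example\r\nTo: jdoe.home@mail.example\r\n"
              b"Subject: \r\n\r\nAcme Q3 pricing sheet attached.")
UTF16_FRAG = "Acme customer list forwarded to jdoe.home@mail.example".encode("utf-16-le")
UNALLOCATED = (bytes(64) + b"<div>stale cache</div>" + ASCII_FRAG
               + b"\xff" * 33 + UTF16_FRAG + bytes(40))
```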

  Copying to a USB Drive

  This is by far the most common method we have found for users wanting to copy large amounts of data off the computer. It’s cheap and easy, and the average user believes that there is no way anyone could detect that it has occurred. Fortunately for the forensic examiner, and unfortunately for the person doing the copying, nothing could be further from the truth with most modern operating systems.

  Determining Whether Files Were Copied to a USB Drive

  First, you should take inventory of which thumb drives have been plugged into the computer. For this section, we will focus on Windows XP/Vista. The process is the same with other operating systems, except the places to look for the drives may be different from those discussed here.
