Hacking Exposed


by Aaron Philipp


  As discussed in Chapter 6, the Windows registry holds the key USBSTOR (under HKLM\SYSTEM\CurrentControlSet\Enum), which records the USB mass storage devices that have been plugged into the computer. Take inventory of this key. Note the last-write time on each device's instance subkey; this is generally the last time the device was connected, because the key is rewritten when the device is enumerated, but treat it as approximate and corroborate it with the setup log (setupapi.log on Windows XP, setupapi.dev.log on Vista and later), which records the device's first installation. Also record the ParentIdPrefix and FriendlyName values, and above all the instance ID, which is the name of the subkey beneath the vendor/product key. You can use these identifiers later to tie physical drives back to the machine. Your argument gets much stronger when you go from “We know you plugged a USB drive into the computer” to “We know you plugged a Lexar FireFly into the computer on March 5, 2009, at 4:19 P.M.” Once you have a listing of the thumb drives used on the computer and the approximate timeframes, it’s time to see if you can determine usage.

  The ParentIdPrefix for a drive is assigned by the OS and can differ between Windows versions (Windows 7 and later do not record it at all). A much better identifier is the instance ID, which for most drives is the serial number hard-coded into the device firmware, followed by an ampersand and an interface index. A hard-coded serial will not change from one machine to the next. If the device has no serial, Windows generates one, and you can recognize a generated ID because its second character is an ampersand (&).

  Link File Analysis When a file is opened from a USB drive through Explorer or a Windows application, Windows creates a shortcut (.lnk) file for it in the user’s Recent folder. This shortcut lives on after the drive has been disconnected. It records the volume label and volume serial number of the device on which the file resided, the drive type (removable), the full path and filename, the file size, and the modified, accessed, and created (MAC) times of the target file as of the last time the shortcut was updated. This can be extremely valuable in an IP theft investigation because it gives you a connection between a file that existed on the computer and the same file that potentially existed on an external thumb drive. At the very least, having the set of link files showing proprietary information being opened on the thumb drive can be cause enough to make the suspect produce the USB drive.
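  The following is an added example, not code from the book. It parses the two parts of the MS-SHLLINK shortcut format that matter for link file analysis: the fixed header, which carries the target’s creation, access and write FILETIMEs and its size, and the LinkInfo/VolumeID block, which carries the drive type, volume serial number, volume label and local path. Because a real .lnk cannot ship on the page, the sample shortcut is constructed in code from made-up values (a LEXAR volume, a document under E:\Designs) and then parsed.

```python
"""Extract the target volume and MAC times from a Windows shortcut (.lnk).

Added example, not code from the book. Implements the parts of the MS-SHLLINK
layout needed for link file analysis; the sample shortcut is constructed below.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote", 5: "cdrom", 6: "ramdisk"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME = 100 ns ticks from here


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


@dataclass
class LnkTarget:
    created: datetime
    accessed: datetime
    written: datetime
    size: int
    drive_type: str
    volume_serial: str
    volume_label: str
    local_path: str


def _cstr(buf, off):
    """NUL-terminated ANSI string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    if data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip the IDList when present
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if not flags & HAS_LINK_INFO:
        raise ValueError("no LinkInfo block; volume details unavailable")
    _li_size, _li_hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, off)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
        raise ValueError("target was not on a local volume")
    vol = off + vol_off
    _vol_size, drive_type, serial, label_off = struct.unpack_from("<IIII", data, vol)
    return LnkTarget(
        created=filetime_to_datetime(ctime), accessed=filetime_to_datetime(atime),
        written=filetime_to_datetime(wtime), size=size,
        drive_type=DRIVE_TYPES.get(drive_type, f"type {drive_type}"),
        volume_serial=f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",   # XXXX-XXXX as Windows shows it
        volume_label=_cstr(data, vol + label_off),
        local_path=_cstr(data, off + base_off),
    )


def build_sample_lnk(created, accessed, written, size, label, serial, path):
    """Build a minimal shortcut with only a LinkInfo block (constructed sample data)."""
    label_b = label.encode("latin-1") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(label_b), 2, serial, 16) + label_b   # 2 = removable
    base_path = path.encode("latin-1") + b"\x00"
    body = volume_id + base_path + b"\x00"            # trailing NUL = empty CommonPathSuffix
    hdr = 28                                          # LinkInfoHeaderSize without Unicode offsets
    link_info = struct.pack("<IIIIIII", hdr + len(body), hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            hdr, hdr + len(volume_id), 0,
                            hdr + len(volume_id) + len(base_path)) + body
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack(
        "<IIQQQIIIHHII", HAS_LINK_INFO, 0x20, datetime_to_filetime(created),
        datetime_to_filetime(accessed), datetime_to_filetime(written), size, 0, 1, 0, 0, 0, 0)
    return header + link_info


SAMPLE_LNK = build_sample_lnk(
    created=datetime(2009, 3, 2, 10, 0, tzinfo=timezone.utc),
    accessed=datetime(2009, 3, 5, tzinfo=timezone.utc),     # FAT32 target: access date only
    written=datetime(2009, 3, 4, 17, 42, 6, tzinfo=timezone.utc),
    size=48640, label="LEXAR", serial=0x1C2D3E4F, path="E:\\Designs\\turbine_v7.doc")

if __name__ == "__main__":
    t = parse_lnk(SAMPLE_LNK)
    print(f"{t.local_path} on {t.drive_type} volume {t.volume_label} ({t.volume_serial})")
    print(f"created {t.created}  accessed {t.accessed}  written {t.written}  size {t.size}")
```

  Run parse_lnk over the contents of the user’s Recent folder (and the Office Recent folder) and group the results by volume serial: every shortcut sharing a serial points at the same physical volume, and the volume serial you recover here can be checked against the drive itself once it is produced.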

  ShellBags (BagMRU) The BagMRU and Bags keys, known together as the ShellBags, store Explorer’s view settings for every folder the user has browsed. When the user opens a folder in Explorer and adjusts the view (resizing the window, changing the sort order or icon layout), Explorer records the folder’s path, and in some cases the names of the items it displayed, so that it can restore the view later. This can be hugely valuable because it can give you the folder structure, and sometimes the file listing, of a USB drive that is no longer attached. If the user opened the drive in Explorer and then resized the window, the listing will be in the ShellBags. Like the link files, these records can be used to establish that proprietary files may have existed on a thumb drive. This can be enough evidence to compel the suspect to produce the actual USB drive.

  Mass Access We will start by saying that this method is less reliable than the methods already mentioned. However, if you have the times the USB drive was plugged into the machine, you can review the MAC times of the files on the computer to see if a large number of files were accessed around that time. This can be an indication that the files were copied en masse to the thumb drive. Be very careful when relying solely upon mass access. Many things touch access times: antivirus scans, backup and indexing software, and the user simply browsing folders. Note also that Windows Vista and later do not update NTFS last-access times by default (the NtfsDisableLastAccessUpdate setting), so on those systems the absence of access activity proves nothing. Always use another data point and correlate it to the mass access, as opposed to making a statement like, “These files were mass accessed; therefore, they were copied to the USB drive.”
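  The following is an added example, not code from the book. It runs the correlation described above: given (path, last-access time) pairs from a file-system timeline and the last-write time of the drive’s USBSTOR instance key, it reports clusters of accesses within a window of the connection and the common parent directory of each cluster, since a burst confined to one document tree looks more like a copy than an antivirus sweep does. The paths, times and thresholds are constructed and should be tuned per case.

```python
"""Flag bursts of file access clustered around a USB connection time.

Added example, not code from the book. Sample timeline data is constructed;
the window, span and count thresholds are assumptions to tune per case.
"""
from datetime import datetime, timedelta, timezone


def find_access_bursts(accesses, plug_in_time, window=timedelta(minutes=30),
                       burst_span=timedelta(minutes=5), min_files=10):
    """Return [(first_access, last_access, [paths])] for each burst found.

    A burst is at least min_files accesses whose times all fall within burst_span
    of the first one, and all of which lie within +/- window of plug_in_time.
    """
    near = sorted((t, p) for p, t in accesses if abs(t - plug_in_time) <= window)
    bursts, i = [], 0
    while i < len(near):
        j = i
        while j + 1 < len(near) and near[j + 1][0] - near[i][0] <= burst_span:
            j += 1
        if j - i + 1 >= min_files:
            bursts.append((near[i][0], near[j][0], [p for _, p in near[i:j + 1]]))
        i = j + 1
    return bursts


def common_dir(paths):
    """Longest common parent directory of a set of Windows paths."""
    parts = [p.split("\\")[:-1] for p in paths]
    common = []
    for segs in zip(*parts):
        if len(set(segs)) != 1:
            break
        common.append(segs[0])
    return "\\".join(common)


# Constructed sample timeline: 12 design documents read within ~80 seconds,
# starting one minute after the (constructed) USBSTOR last-write time, plus noise
# that falls outside the window or is too sparse to count.
PLUG_IN = datetime(2009, 3, 5, 16, 19, tzinfo=timezone.utc)
SAMPLE_ACCESSES = [
    (f"C:\\Users\\jdoe\\Documents\\Designs\\turbine_v{i}.doc",
     PLUG_IN + timedelta(minutes=1, seconds=7 * i))
    for i in range(12)
] + [
    ("C:\\Users\\jdoe\\Documents\\expenses.xls", PLUG_IN - timedelta(hours=3)),
    ("C:\\Windows\\System32\\notepad.exe", PLUG_IN + timedelta(minutes=20)),
    ("C:\\Users\\jdoe\\Desktop\\todo.txt", PLUG_IN + timedelta(hours=2)),
]

if __name__ == "__main__":
    for first, last, paths in find_access_bursts(SAMPLE_ACCESSES, PLUG_IN):
        print(f"{len(paths)} files accessed {first:%H:%M:%S}-{last:%H:%M:%S} UTC "
              f"under {common_dir(paths) or '(no common directory)'}")
    # Corroborate before concluding anything: AV scans and indexers cause bursts too.
```

  Treat a reported burst as a lead, not a finding: check whether the same files show up in link files or ShellBags for the drive, and whether a scanner or backup job ran at that time.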

  Matching Up the USB Drive If you are given a USB device and are told that this is the device you noted as being plugged into the machine, you need to check a couple of things. First, make sure the friendly names match up. If you see that a Lexar was plugged in and you’ve been handed a Corsair, something’s awry. Second, look at the ParentIdPrefix. On a given version of Windows this prefix is unique to the device and can be used to match up thumb drives across computers running that version. There is a caveat, however. The prefix is assigned by the OS and will change across operating systems, so don’t expect it to be the same for a thumb drive when it’s plugged into Windows XP versus Windows Vista. As mentioned, also check the instance ID. When it carries a hard-coded serial number, it is a far more reliable way to match up a thumb drive used across computers.

  Once you have in hand the USB drive you expected, it’s time to see what was copied. Generally, you start by hashing the files on the drive and comparing the values against the user’s files on the computer. A standard Explorer or command-line copy reproduces the file’s data byte for byte, so if files were copied to the USB drive and not touched afterwards, the hash values will match. Be aware, however, that the hash can differ even for what is essentially the same file: the user may have edited or re-saved it after copying (Office applications rewrite the document on every save), or it may have been moved with an archiver or synchronization tool rather than copied. If the hashes do not match, compare the filenames, sizes, content, and MAC times to see if they are reasonably identical.

  Remember that most USB drives are formatted with FAT32 for compatibility, and FAT32 records timestamps differently from NTFS: the last-access field holds only a date, the modified time has a two-second resolution, and all values are stored in local time rather than UTC. Keep this in mind when building the timeline of activity. A file could have been accessed multiple times in the same day and the access date would stay the same, and times on files copied from an NTFS volume will appear shifted by the machine’s time-zone offset and rounded to the nearest two seconds.
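  The following is an added example, not code from the book, covering both the hash comparison and the FAT32 timestamp caveats above. Files are modelled as in-memory records (path, modified time, bytes) so it runs offline; in a real case you would build them by walking the two images. It matches drive files to source files by hash first and then falls back to name, size and modified time, comparing in local time with a two-second tolerance, and it shows that a FAT32 access date can only be matched to the local date of an event. All names, contents, times and the US Eastern time-zone offset are constructed.

```python
"""Match files on the suspect's computer to files recovered from a FAT32 thumb drive.

Added example, not code from the book. Source records carry NTFS modified times
converted to UTC; drive records carry FAT32 modified times as stored (local,
2 s resolution). All sample data is constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class FileRecord:
    path: str
    mtime: datetime     # naive; UTC for NTFS sources, local for FAT32 drive files
    data: bytes

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1]

    @property
    def size(self):
        return len(self.data)

    @property
    def sha256(self):
        return hashlib.sha256(self.data).hexdigest()


FAT_MTIME_RESOLUTION = timedelta(seconds=2)   # FAT stores modified time in 2 s units


def match_files(source, drive, utc_offset):
    """Return (drive_file, source_file_or_None, verdict) for every file on the drive."""
    by_hash = {f.sha256: f for f in source}
    results = []
    for d in drive:
        if d.sha256 in by_hash:
            results.append((d, by_hash[d.sha256], "exact: hash match"))
            continue
        for s in source:
            if s.name != d.name:
                continue
            # NTFS mtime is UTC, FAT32 mtime is local and rounded: compare in local
            # time with a 2 s tolerance before calling it the same file.
            if s.size == d.size and abs((s.mtime + utc_offset) - d.mtime) <= FAT_MTIME_RESOLUTION:
                results.append((d, s, "probable: same name, size and mtime; content differs"))
            else:
                results.append((d, s, "candidate: same name only; review manually"))
            break
        else:
            results.append((d, None, "no match"))
    return results


def same_fat_access_day(fat_access_date_iso, event_utc_iso, utc_offset):
    """FAT32 keeps only an access *date*, so the most you can say is that it equals
    the event's local date. Inputs are ISO 8601 strings as found in a timeline."""
    event_local = datetime.fromisoformat(event_utc_iso) + utc_offset
    return event_local.date().isoformat() == fat_access_date_iso


# Constructed sample: two documents on the computer and three files on the drive.
UTC_OFFSET = timedelta(hours=-5)   # assumed: machine set to US Eastern standard time
SOURCE = [
    FileRecord("C:\\Users\\jdoe\\Documents\\Designs\\turbine_v7.doc",
               datetime(2009, 3, 4, 22, 42, 7, 500000), b"TURBINE DESIGN REV 7 " * 40),
    FileRecord("C:\\Users\\jdoe\\Documents\\Designs\\bom.xls",
               datetime(2009, 3, 3, 14, 0, 1), b"BOM,part,qty\n" * 30),
]
DRIVE = [
    # faithful copy; 17:42:07.5 local stored at FAT32's 2 s granularity
    FileRecord("E:\\Designs\\turbine_v7.doc", datetime(2009, 3, 4, 17, 42, 8),
               b"TURBINE DESIGN REV 7 " * 40),
    # re-saved after copying: same name and size, one byte changed, so the hash differs
    FileRecord("E:\\Designs\\bom.xls", datetime(2009, 3, 3, 9, 0, 0),
               b"BOM,part,qty\n" * 29 + b"BOM,part,qtx\n"),
    FileRecord("E:\\Photos\\beach.jpg", datetime(2009, 2, 1, 12, 0, 0),
               b"\xff\xd8\xff\xe0" + b"\x00" * 60),
]

if __name__ == "__main__":
    for d, s, verdict in match_files(SOURCE, DRIVE, UTC_OFFSET):
        print(f"{d.path} -> {s.path if s else '-'}: {verdict}")
    # A UTC event at 03:10 on March 6 is still March 5 in local time:
    print(same_fat_access_day("2009-03-05", "2009-03-06T03:10:00", UTC_OFFSET))
```

  The time-zone offset is the one thing this cannot infer: take it from the suspect machine’s registry (the TimeZoneInformation key), not from your own workstation, or every FAT32 timestamp in the comparison will be off by the difference.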

  Covering Their Tracks

  Frequently, after copying the files off the computer, a user will attempt to cover his or her tracks. The method used depends on how the data was copied. If webmail was involved, the user may clear the Internet cache and history and call it a day. Or the user may reinstall the operating system—a quick, uncomplicated way to remove audit trails. The user can also use third-party wiping and evidence-clearing utilities.

  Detecting Wiping

  As discussed in Chapter 9, look for evidence of disk wiping, review the UserAssist key for programs the user has run, and look for installed programs that are specifically designed to wipe data. Always remember to check the OS installation date. Sometimes finding evidence that the user attempted to remove the trail can be just as good as finding the evidence itself.

  TYING IT TOGETHER

  IP theft can have serious detrimental impacts on an organization. The theft of a single piece of software code or an engineering trade secret has been known to erode a company’s competitive advantage and shift its profitability to competitors who benefited from the ill-gotten IP. Likewise, the misappropriation of customer data can undermine confidence in a company’s ability to protect customers’ sensitive information, and can expose the company to significant liability to the extent the customer data is used for other illicit purposes. While identifying what was taken, as well as the source and extent of the IP theft, is critical to safeguarding the assets of the company, it is only half the battle. The other half lies in how the investigation is conducted and the evidence collected, in whether sufficient evidence has been identified to infer intent, in estimating and attempting to mitigate potential damages to the company, and in working with management, outside counsel, and others to seek retribution and restitution from the perpetrators.

  What Was Taken?

  As mentioned earlier, you must first determine what IP was taken and by whom. However, of paramount importance to management and the company’s ability to prevent the unauthorized use of the IP is being able to answer, with documented evidence, the fundamental questions: “What?” “When?” “Where?” “How?” “By whom?”

  Circumstantial evidence rarely persuades law enforcement or the courts to take action against individuals accused of IP theft, much less other kinds of theft. Parts I through IV in this book outline the recommended computer forensic techniques and procedures in preparing for an incident, collecting evidence, conducting the investigation, and in presenting your findings. Poorly or sloppily gathered evidence and/or presentation of your findings will undermine the level of confidence outside parties will place in the evidence in determining whether a theft in fact occurred. Likewise, incomplete evidence or unanswered questions may leave the company exposed if additional IP was taken, involving other individuals, and by different means.

  While it is often difficult to ascertain, with any degree of certainty, the extent of an incident and all those involved, undertaking efforts to address the fundamental questions will ensure the company’s ability to respond appropriately to the actual and potential threats posed by the IP theft. As described, understanding what was taken is the first question. However, understanding when is also important, as it may provide some insight into the exact content of the IP theft and what aspects of the business are at risk. It also may help define the extent of the potential damages to the company, as well as assist in the risk assessment regarding whether the misappropriated information could have been used or disseminated by the parties involved. Where IP was taken from may also be important both in eliminating additional involvement in illicit activities and in assisting the company in identifying where added security efforts may be required. Understanding the how also provides valuable information as to whether additional security efforts may be warranted.

  Looking at Intent

  Equally important to questions of what, when, where, how, and by whom is the why. Why was the IP taken? It is not uncommon for individuals to copy proprietary information to aid in their day-to-day responsibilities. Individuals often copy information to a computer hard drive or removable storage device so that the information is portable and can be used while traveling or working at home. In fact, a number of the larger reported thefts of customer data involve individuals who did not directly perpetrate the theft, but instead made it possible by the unauthorized copying of information and the subsequent loss or theft of a laptop, or theft through an insecure wireless or home computing network. These individuals were not guilty of theft, only of poor judgment and the potential violation of corporate policies. However, the ramifications and potential damage to the corporation are the same.

  Was the IP theft intentional or inadvertent? Did the accused unknowingly copy proprietary information, did she copy the IP with innocent intentions, or was it taken with the intent to do harm to the company or to benefit the individual or another enterprise? Intent becomes a critical component for law enforcement and the courts in evaluating whether the company has been damaged and to what extent the perpetrators may be required to provide restitution, as well as whether they face potential criminal action.

  Estimating Damages

  Of immediate concern in most IP theft situations is to plug the leak and then contain the potential damage. Once the floodwaters have subsided and the relevant parties have been notified and engaged to assist in the investigation, the attention of higher-ups quickly turns to “What was the damage?” or, more appropriately, “What could the potential damage be?” While the critical effort is identifying the source of the potential theft, determining the extent of the IP that may have been taken and how the theft was carried out is also of concern. These efforts reveal the impact the stolen information could have or is having on the company and help you and the company determine how to mitigate both potential and ongoing losses.

  An initial assessment of potential damages should be made by relevant parties to the investigation, including corporate management, general counsel if one exists, outside counsel, and outside consultants. In certain instances, as in the case of customer data, response plans will need to be developed and implemented to minimize the risk to the company’s customers from the loss of customer-specific data. Other immediate actions may be taken to halt the further dissemination of information in the case of the theft of technology or PI. In certain instances, the IP theft may pose a risk to other information or technology, and appropriate planning may need to take place to address various contingencies.

  Often a theft is not identified until long after it occurs, when the company has little recourse in mitigating the potential damage. In such situations, the objectives focus on preventing further unauthorized use of the IP through injunctive relief, as well as through criminal and civil remedies via law enforcement and the courts, respectively. Available remedies differ depending on whether they are granted through court-ordered restitution and penalties in criminal matters or claims for damages in civil lawsuits. Remedies also differ depending on the type of IP and whether the issue and remedy pursued is governed by federal or state laws.

  In most cases, damages are based on the economic detriment suffered by the IP owner. Most often, the measurement of economic detriment is based on a determination of the company’s lost profits or the loss of business resulting from the loss of the competitive advantage that was associated with the stolen IP. In certain situations, the economic benefit derived by the perpetrator is allowed to serve as evidence of the estimated damages to the IP owner. In each case, estimating damages as a result of IP theft can be difficult. Just as the value of IP, like other intangible assets, is difficult to quantify, so are the damages resulting from its theft. In such situations, companies often rely on the expertise of outside consultants, including economists, accountants, and others with specialized knowledge and experience in valuing IP and in estimating damages.

  Working with Higher-Ups

  Any question involving potential IP theft will undoubtedly draw the attention of management, including likely senior management and the firm’s in-house and outside counsel. The seriousness and potential damage to the company that could result from IP theft will escalate any investigative effort to include various parties in upper management, possibly the board of directors, and the firm’s inside and outside counsel. You must recognize and be sensitive to the different priorities and perspectives each group may place on various aspects of the investigative process.

  As an IT specialist, your primary focus will likely be on the computer forensics aspects of the investigation, the subject matter of this book, but other parties may have different priorities, which may be no less important to the company’s resolution of the matter. Upper management initially may be more concerned with understanding where the company’s system of internal controls broke down (How did this happen? Has it happened before? How do we prevent it from happening again?) than with the systematic approach of collecting, documenting, and evaluating potential evidence. However, both are critical components in the overall investigation of IP theft and in designing and implementing additional security and controls to limit future occurrences. The IT professional needs to be sensitive to the various priorities of the parties involved and be prepared to allocate the time and resources needed to evaluate the various elements and ramifications of the theft concurrently.

  Working with Outside Counsel

  Given the seriousness of the ramifications of IP theft, it is not unusual for outside counsel to be brought in to assist in evaluating the avenues of potential recourse available to the company. Often, outside counsel will be asked to take over, or initiate, the internal investigation to ensure that adequate evidence gathering and documentation procedures are used, so as not to impair the company’s potential causes of action against the perpetrators of the theft, as well as to enhance the potential recovery of the stolen IP and of damages for harm to the company. Depending on the nature and extent of the IP theft, outside counsel may also seek to employ the services of various specialized consultants, including outside computer forensic specialists, licensed private investigators, forensic accountants, and public relations specialists, among others.

  As with upper management, the outside counsel’s primary concerns initially may be different from those of the IT administrator charged internally with uncovering the details of the suspected theft. Outside counsel likely will be more interested in protecting the company and pursuing legal action against the perpetrators. (How do we mitigate the risk to the company? How do we recover the IP and hold those accountable for the theft? Has the company been damaged, and can we recover those damages through the company’s insurance or through a lawsuit?)

  CHAPTER 17

  EMPLOYEE MISCONDUCT

  While computer forensics is routinely an integral part of investigations into allegations of fraud, IP theft, and other forms of corporate malfeasance or corruption, it is also used when other forms of employee misconduct are suspected. Although not typically considered as serious as fraud or IP theft, employee misconduct can have serious, and potentially costly, ramifications for a company. From improper use of corporate assets to improper behavior in the workplace, employee misconduct results at the least in lost productivity and at the most can put the company at significant risk of lawsuits arising from a variety of employment-related issues.

  As it has with embezzlement, IP theft, securities fraud, and other forms of potential wrongdoing in the corporate environment, the digital age has opened various new avenues and ways for employees to misuse corporate assets, invade the privacy of others, obtain unauthorized corporate information, or otherwise violate a host of corporate policies. Corporate policies related to many aspects of employee conduct have been standardized for many years, guided in part by labor laws, as well as by trends in employment-related issues. Many of these policies comprise an “employee handbook” that can be fairly standard from one corporation to another. However, corporations have been required to adopt a whole new set of policies during the past decade to address the misuse or improper use of the technology that has become part of the daily business environment.

  Computer forensics can be a valuable tool when employee misconduct is suspected. However, the inappropriate use, timing, or absence of discretion when such techniques are targeted against an employee or group of employees can also result in significant, and sometimes unwarranted, discord among the employees in question, as well as among a company’s wider employee population. The tools and techniques described throughout this chapter may be viewed by some as invasive and inappropriate in certain settings, especially where such investigative tools are in contrast to the established guidelines and culture established by the company. As such, while such techniques can often be beneficial to addressing questions and concerns surrounding employee conduct, you must take care to ensure that such efforts are within the framework of the company’s policies and have the support of the various company departments (such as human resources) where such concerns might be expressed.

 
