
Hacking Exposed

by Aaron Philipp


  What to Look For

  What to look for depends on the circumstances of the alleged misconduct, the potential corporate resources involved, the corporate policies and procedures and federal and state laws that govern behavior in the workplace, and the purpose for the inquiry.

  Pirated/Malicious Installed Software

  Software may have been installed on the computer that points directly at the misconduct. If a suspect is pirating software or downloading movies illegally, for instance, chances are she has a peer-to-peer (P2P) client or some type of BitTorrent downloader installed. In addition, she may have installed encryption or wiping utilities to hide or cover her tracks; we have seen this a lot when things like pornography are involved. Taking an accurate inventory not only of what is installed on the computer but also of what has been installed on it in the past can be paramount in these situations.

  Taking Inventory of Software on a Computer

  At first glance, this seems like an easy task with modern operating systems such as Windows XP, where installed software registers with the system and has entries in the registry. While that may be true for 90 percent of the software out there, if you check only the obvious registry keys you could miss software that was either uninstalled or designed to be intentionally evasive (run from a USB stick or a temp directory and never "installed" at all). Let's take a look at some of the areas, both inside and outside the registry, where information about installed and executed programs can be found.

  The Program Files Directory  This task, though simple, is incredibly effective. Go into the Program Files folder (Applications on OS X; /usr/bin, /usr/local and /opt on UNIX) and take a look at what's there. On 64-bit Windows also check Program Files (x86), and remember that some applications install under the user's own profile rather than Program Files. If you have a date range for when the activity may have started and ended, look at the directory timestamps and the deleted entries from that timeframe and see what comes to light.

  The SOFTWARE Registry File  In the Windows family of operating systems, installed software gets its own registry hive, located with the rest of the registry at C:\Windows\system32\config\SOFTWARE (mounted as HKLM\SOFTWARE on a running system). As new software is installed on the computer, whatever global settings the software needs to function are generally stored under this hive, and each key under the root of SOFTWARE will usually relate to an installed program or its vendor. If you use a forensic tool such as AccessData's Registry Viewer, you can also read each key's last-write timestamp (the registry records only a last-write time, not a creation time), which gives you an idea of when the software was installed or last changed its settings.

  The Windows Installer Registry  Inside the SOFTWARE hive is a key that tracks the programs that registered an uninstaller with the system; it is what the Add/Remove Programs Control Panel applet reads. Navigate to Microsoft\Windows\CurrentVersion\Uninstall and you will see a large number of subkeys, each named either for the program or for the unique product ID (GUID) of the software installed. Inside each subkey is a DisplayName value and a good deal of metadata that can assist with your timeline reconstruction, including Publisher, InstallDate, InstallSource, InstallLocation, and the EstimatedSize of the software. Keep its limits in mind: 32-bit programs on 64-bit Windows register under SOFTWARE\Wow6432Node\...\Uninstall, per-user installs register under the same path in that user's NTUSER.DAT (HKCU) rather than in SOFTWARE, and portable or manually copied software never appears here at all.

  The UserAssist Logs  We have discussed how to access the UserAssist data at length in earlier chapters. It comes in handy in this case as well, because it records program execution per user (under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, with ROT13-encoded value names) and so can show execution of software that has since been uninstalled or wiped from the computer. Look for any suspiciously named software or software executed around the dates of interest. If something catches your eye, cross-reference it with the other methods for finding installed software to determine whether it is still on the machine. If it's not, make a note of it and follow up later.

  Prefetch Entries  As discussed in earlier chapters, the first time an executable is run on Windows XP and later systems a .pf file is created for it in C:\Windows\Prefetch (named after the executable plus a hash of its path), and that file is updated on each subsequent run with a run count and last-run time. These entries can be valuable because they are user-independent: no matter who runs the software, the prefetch file is placed in this directory, so you don't have to repeat the analysis for each user profile. The flip side is that on a multi-user system the file alone does not tell you who ran the program. Also, if malware or spyware launches software, it will be recorded here as well, the directory holds a bounded number of entries (128 on XP through Windows 7, so older files are evicted), and prefetching is disabled by default on Windows Server editions. While prefetch files are valuable investigative tools, make sure you have other data points to cross-validate findings and don't rely solely on them to conclude that the user was executing malicious software.

  MRU Entries and Link Files  Finally, take a look at the various most recently used (MRU) registry keys and the link (.lnk shortcut) files that may exist on the system. The MRUs, kept in each user's NTUSER.DAT, can store information about document type associations and recently opened files, as well as which programs have been manually launched from the Run dialog (the RunMRU key). Additionally, link files can help determine what files were accessed and when, and whether programs that were previously on the computer and are no longer there had been used. For more information on what is contained in these link files and how to parse them, refer to Chapter 6.
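  The sources above are only useful once they are decoded and cross-referenced. The following script is an added example, not code from the book or from any forensic product: it decodes UserAssist values (both the 16-byte Windows XP layout and the 72-byte Windows 7 layout), reads the fixed header of an XP/Vista/7 Prefetch file, and then lists executables with run evidence whose program is absent from both the Uninstall DisplayName list and the Program Files listing. Every input in it (value names, prefetch bytes, installed-software lists) is constructed in-line for the example; on a real case the bytes come from the exported hive and the .pf files themselves.

```python
"""Cross-reference Windows execution artifacts against installed-software lists.

Added example, not from the book.  All sample artifacts below are constructed
with struct.pack; nothing here was taken from a real system.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, or None if zero."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None


def dt_to_filetime(dt):
    """Inverse of filetime_to_dt; used only to build the constructed samples."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_userassist(value_name, data):
    """Decode one UserAssist value: ROT13 name plus binary run count and last-run time."""
    path = codecs.decode(value_name, "rot_13")
    if len(data) == 16:                               # XP/2003: session, count, FILETIME
        _session, count, ft = struct.unpack("<IIQ", data)
        count -= 5                                    # XP stores the count offset by 5
    elif len(data) == 72:                             # Windows 7: count at +4, FILETIME at +60
        count = struct.unpack_from("<I", data, 4)[0]
        ft = struct.unpack_from("<Q", data, 60)[0]
    else:
        raise ValueError("unrecognised UserAssist layout (%d bytes)" % len(data))
    return path, count, filetime_to_dt(ft)


# Prefetch header layout by format version: (last-run FILETIME offset, run-count offset)
PREFETCH_LAYOUT = {0x11: (0x78, 0x90), 0x17: (0x80, 0x98)}   # XP/2003, Vista/7


def parse_prefetch_header(buf):
    """Return (executable name, run count, last run) from the header of a .pf file."""
    version, signature = struct.unpack_from("<I4s", buf, 0)
    if signature != b"SCCA" or version not in PREFETCH_LAYOUT:
        raise ValueError("not a supported prefetch header")
    exe = buf[16:76].decode("utf-16-le").split("\x00", 1)[0]   # 60-byte UTF-16 name field
    ft_off, count_off = PREFETCH_LAYOUT[version]
    last_run = struct.unpack_from("<Q", buf, ft_off)[0]
    count = struct.unpack_from("<I", buf, count_off)[0]
    return exe, count, filetime_to_dt(last_run)


def executed_but_missing(executed_paths, uninstall_names, program_files_dirs):
    """Executables with run evidence whose program appears in neither install list."""
    haystack = [s.lower() for s in uninstall_names + program_files_dirs]
    missing = []
    for path in executed_paths:
        stem = path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if not any(stem in item for item in haystack):
            missing.append(path)
    return missing


# --- constructed sample artifacts -------------------------------------------
_T1 = datetime(2009, 3, 12, 14, 5, tzinfo=timezone.utc)
_T2 = datetime(2009, 3, 14, 9, 30, tzinfo=timezone.utc)

USERASSIST_SAMPLE = [   # XP layout: session id, stored count (runs + 5), FILETIME
    (codecs.encode("UEME_RUNPATH:C:\\Program Files\\Eraser\\Eraser.exe", "rot_13"),
     struct.pack("<IIQ", 0, 3 + 5, dt_to_filetime(_T1))),
    (codecs.encode("UEME_RUNPATH:C:\\Program Files\\WinRAR\\WinRAR.exe", "rot_13"),
     struct.pack("<IIQ", 0, 1 + 5, dt_to_filetime(_T2))),
]


def _prefetch_sample():
    """A minimal XP-format prefetch header for a constructed UTORRENT.EXE entry."""
    buf = bytearray(0x98)
    struct.pack_into("<I4s", buf, 0, 0x11, b"SCCA")
    name = "UTORRENT.EXE".encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<Q", buf, 0x78, dt_to_filetime(_T2))
    struct.pack_into("<I", buf, 0x90, 7)
    return bytes(buf)


PREFETCH_SAMPLE = _prefetch_sample()
UNINSTALL_DISPLAYNAMES = ["Microsoft Office Professional 2007", "WinRAR archiver"]
PROGRAM_FILES_DIRS = ["Microsoft Office", "WinRAR", "Internet Explorer"]


def run_inventory():
    """Combine the sources and return executables that ran but are no longer installed."""
    executed = [parse_userassist(n, d)[0].split(":", 1)[1] for n, d in USERASSIST_SAMPLE]
    executed.append(parse_prefetch_header(PREFETCH_SAMPLE)[0])
    return executed_but_missing(executed, UNINSTALL_DISPLAYNAMES, PROGRAM_FILES_DIRS)


if __name__ == "__main__":
    for name, data in USERASSIST_SAMPLE:
        print("UserAssist %-50s runs=%d last=%s" % parse_userassist(name, data))
    print("Prefetch   %-50s runs=%d last=%s" % parse_prefetch_header(PREFETCH_SAMPLE))
    print("Ran but not installed:", run_inventory())
```

  The matching in executed_but_missing is deliberately loose (file stem against DisplayName and folder name) because the three sources name the same program differently; treat its output as a list of leads to confirm against the MRU and link-file evidence, not as a finding on its own.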

  Making Sense of it All

  There are many different ways to determine what software was installed on a computer and where it may have lived. Once you have created the list and have the set of items that you think may be at issue (for instance, you find encryption software or shredder programs being run), it's time to step back and look at it in the context of the investigation. Does the software have a legitimate business purpose? Is there any way you can tie the activity of the software to the individual? What does the use of the software mean in the larger context of the law and of the corporation's policies?

  Using Corporate Resources for Personal Profit

  Using corporate resources for personal gain is nothing new, and it holds true in the digital age as well. While most corporations allow a certain amount of personal use of the corporate IT system, some employees will step over the line, from running a side business selling designer socks to running a directly competitive company at lower rates to siphon off business.

  Finding Evidence of Personal Profit

  While we dedicate an entire chapter to full-fledged embezzlement, here we'll show you how to find evidence that corporate resources are being used for personal profit, such as running a side business, in violation of the employment agreement. Look for the following.

  E-mails from Another Company's E-mail Address  This sounds pretty straightforward, and in general it is. Suppose you notice that an employee named Tim is sending e-mails from his computer using Tim@MyOtherCompany.com. This is what we call in the industry a "clue." When looking for evidence of this kind of activity, always check all of the installed mail programs, as Tim may use Outlook for his company e-mail and Outlook Express for his other company's e-mail. Also, don't forget about webmail. With the adoption of services such as Google's hosted corporate mail, people are increasingly using webmail to access these types of accounts, so the evidence may sit in browser cache and history rather than in a local mail store.
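  Once the mail stores have been exported, the first pass is mechanical: tally every sender and recipient domain, and pull out messages in which no party at all uses the corporate domain, since a message like that can only have reached the company laptop through a second account. The script below is an added example, not code from the book; the corporate domain (example-corp.com) and the five messages are assumptions constructed for the example, and on a real case the raw messages would come from the exported PST, DBX or mbox files.

```python
"""Triage exported messages for traffic that bypasses the corporate mail domain.

Added example, not from the book.  CORPORATE_DOMAIN and SAMPLE_MESSAGES are
assumptions constructed for the example.
"""
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

CORPORATE_DOMAIN = "example-corp.com"     # assumption: the employer's mail domain

# Constructed RFC 822 messages standing in for an exported mailbox.
SAMPLE_MESSAGES = [
    "From: Tim Jones <tim.jones@example-corp.com>\nTo: client@bigcustomer.com\n"
    "Subject: Q3 renewal\nMessage-ID: <m1@example-corp.com>\n\nAttached.\n",
    "From: Tim <tim@myothercompany.com>\nTo: client@bigcustomer.com\n"
    "Subject: better rate if you order direct\nMessage-ID: <m2@myothercompany.com>\n\n"
    "I can do this cheaper on the side.\n",
    "From: hr@example-corp.com\nTo: tim.jones@example-corp.com\n"
    "Subject: policy reminder\nMessage-ID: <m3@example-corp.com>\n\nSee attached policy.\n",
    "From: Tim <tim@myothercompany.com>\nTo: supplier@sockmill.example\n"
    "Cc: tim.jones@example-corp.com\nSubject: invoice\nMessage-ID: <m4@myothercompany.com>\n\n"
    "Please resend.\n",
    "From: Tim <tim@myothercompany.com>\nTo: supplier@sockmill.example\n"
    "Subject: stock for the sock shop\nMessage-ID: <m5@myothercompany.com>\n\n"
    "Ship 200 pairs to the home address.\n",
]


def parse_addresses(msg, headers=("From", "To", "Cc", "Bcc")):
    """Return {header: [lower-cased addresses]} with display names stripped."""
    return {h: [addr.lower() for _, addr in getaddresses(msg.get_all(h, [])) if addr]
            for h in headers}


def domain_of(addr):
    return addr.rsplit("@", 1)[-1]


def triage(raw_messages, corporate_domain=CORPORATE_DOMAIN):
    """Tally every domain seen and flag messages with no corporate party at all."""
    domains = Counter()
    flagged = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        addrs = parse_addresses(msg)
        everyone = [a for lst in addrs.values() for a in lst]
        domains.update(domain_of(a) for a in everyone)
        # Inbound mail from outside normally has a corporate recipient; a message
        # with no corporate address anywhere was handled through another account.
        if everyone and not any(domain_of(a) == corporate_domain for a in everyone):
            flagged.append({"message_id": msg.get("Message-ID"),
                            "from": addrs["From"][0] if addrs["From"] else None,
                            "subject": msg.get("Subject")})
    return domains, flagged


if __name__ == "__main__":
    domains, flagged = triage(SAMPLE_MESSAGES)
    for dom, n in domains.most_common():
        print("%-25s %d" % (dom, n))
    for hit in flagged:
        print("FLAG", hit)
```

  The domain tally is what surfaces a second business domain in the first place; the flagged list is the subset worth reading first, and a message like m4 above (copied to the corporate address) shows why the rule looks at all parties rather than only the From header.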

  Documents Associated with the Other Company  It's hard to do business without creating things like spreadsheets and Word documents. If the user has a company-issued laptop, it's not uncommon for him or her to use that laptop to create these documents and business files. If you are reviewing a computer, take a look at the user documents on it. If you don't feel comfortable reviewing the documents for relevancy, offer to burn a DVD of the documents for your legal counsel or other investigators. If you do find something that seems pertinent to the case, be sure to preserve all the metadata and file information (export the file with its timestamps intact and record its hash), as this file could be vital to the case down the road.

  Review Corporate Files for Evidence of Solicitation We will discuss this in more detail later in the chapter, but don’t forget to perform keyword searches and review on the e-mails and documents that have been created for the original company. I am always shocked at how many people will solicit or offer alternative arrangements that cut the company out of the loop inside a corporate e-mail. The same is true with user-created files. I remember once seeing a spreadsheet of company customers in which the individual had marked those that he thought he could do business with on the side. A complete and thorough review is vital.

  Employment Discrimination/Harassment

  Federal EEO laws prohibit job discrimination. Various federal laws were passed in the United States, including Title VII of the Civil Rights Act of 1964, the Equal Pay Act of 1963 (EPA), the Age Discrimination in Employment Act of 1967 (ADEA), Title I and Title V of the Americans with Disabilities Act of 1990 (ADA), Sections 501 and 505 of the Rehabilitation Act of 1973, and the Civil Rights Act of 1991. All of these laws protect individuals in the workplace from unwarranted discrimination and harassment on the basis of race, color, religion, sex, national origin, disability, or age.

  Discrimination can take many shapes and forms and can affect employees in the workplace in a variety of ways, including hiring and firing, compensation, promotions, benefits, use of corporate facilities, and access to internal opportunities and training, among others. Title VII prohibits intentional discrimination, as well as practices that have the effect of discriminating against individuals because of their race, color, national origin, religion, or sex. The ADEA bans discrimination on the basis of age.

  Harassment is a form of employment discrimination that violates Title VII and is defined as "any unwelcome conduct that is based on race, color, national origin, disability, and/or age." When the "unwelcome conduct" is offensive and enduring, so that it becomes a condition of continued employment or creates a work environment that could be considered intimidating, hostile, or abusive, the conduct can be deemed illegal.

  While discrimination and harassment are typically carried out by individuals, corporations can be held liable for such practices if employers do not properly advise employees of their rights; if the corporation uses or allows practices, policies, or procedures that promote such conduct (such as hiring policies and practices); or if the corporation fails to provide a workplace and environment that is free from such conduct, especially if management is aware of it.

  The occurrence of such improper practices, especially a pattern of conduct over a long period of time and involving more than one individual, can put the corporation at significant risk of employment-related lawsuits, as well as investigations and legal actions by the EEOC. Understanding the nature of the alleged misconduct and assisting appropriate management and board-level personnel to evaluate and address the misconduct in a timely manner can significantly mitigate that risk and the prolonged harm to both the corporation and the employee.

  What to Understand

  You need to understand the nature of the alleged conduct giving rise to the claims of discrimination or harassment. While certain types of employee misconduct may involve the use of the corporation's computers, networks, and e-mail, employment discrimination and harassment more often involve direct interaction between individuals. It is important that you understand the breadth of conduct that may be involved and whether documentation may exist to support the allegations. Is the alleged inappropriate conduct physical in nature, or does it extend to e-mails, text messages, voice mails, and other forms of communication within the workplace? Is the alleged conduct primarily personal interaction, or does it extend into company-related matters such as job-performance reviews and evaluations, promotion considerations, compensation adjustments, reprimands, or other documented performance issues? While much of this information may be readily available to human resources personnel within the company, other information or evidence of misconduct may be hidden, with attempts made to destroy it once allegations become public or lawsuits or investigations have been initiated.

  Like other types of employee misconduct, employment discrimination and harassment usually involve a pattern of conduct over a period of time. Determine how long the alleged misconduct may have occurred to establish the breadth of information and the time periods that may need to be evaluated.

  Next, you must understand the working and reporting relationships of the individuals involved, as well as of others in close proximity to them (that is, the same department, division, work group, or location, and so on). Even if the pattern of alleged misconduct exists only between two individuals, it may be witnessed by many. The individuals involved, as well as the witnesses to the conduct, may communicate or document their concern and frustration about the conduct in e-mails or other forms of written communication. Likewise, the longer the improper conduct goes on, the greater the likelihood that others will have witnessed it and commented on it through e-mail and other forms of communication.

  What to Look For

  While employment discrimination and harassment may not typically involve many of the computer forensics tools and techniques outlined in this book, computer forensics can be important in uncovering and documenting this type of employee misconduct. The types of information that may require computer forensics vary widely depending on whether the allegations are specific to an individual or more broadly targeted at corporate-wide practices. However, while many practices may begin through personal interaction, the pattern of misconduct often extends into, and is supported by, e-mail, text messages, and other forms of written communication, and attempts may be made to discard or erase such evidence once allegations become known. We have employed computer forensics in employment discrimination and harassment cases in the following ways.

  Threatening/Discriminatory Messages

  These cases generally hinge upon some type of message that was sent to or from coworkers. These messages can take several forms: e-mails, IMs, text messages, or even entries on internal wikis or Facebook pages. Generally, if harassment is the issue, the person being harassed will be able to point you in the direction of the type of messages received. Discrimination can be a different story. If an employee or ex-employee claims discrimination, he may withhold the messages until the last possible moment as a legal maneuver. In these situations, it is vital that a forensic investigator assist with complete searches and help locate the messages that the party finds to be discriminatory. Let's look at several techniques for locating these types of messages.

  E-mail Messages  Finding these types of messages usually involves performing some type of keyword search or individual review. If the e-mail universe is small, you can usually just do an e-mail-by-e-mail review. If it's large, you can triage the e-mail in several ways. First, look at the senders and receivers: if you see known players in the situation, review all of their mailboxes, as one person may have deleted an e-mail that another person kept. Second, work with management and counsel to create a set of keywords that relate to the situation and use those to winnow down the e-mail. Also, use a tool such as EnCase or LTU-Finder to identify whether any explicit images or messages were sent or received by an individual.

  Instant Messages/Chat Logs  Use of IMs and chat is prevalent in corporations these days. If logged properly, such chats can be extremely helpful in illuminating what really happened. If you are the administrator and you know where and how the logs are kept, you can use this information to find what you need. If you are an outside party, you should ask several key questions: What type of IM is used company-wide? Could other methods have been used? Armed with this information, you have a place to start. If the company logs chat conversations, you can request the logs for the custodians in question for the relevant time periods and review them. If there are no logs, your task is more complex. Look at the actual computers used by the people involved and determine whether any additional logs or history-type files are on the machine that aren't on the server. If you find none, your last resort is to search the page file and the unallocated space on the machine for fragments, and since many chat clients store text as UTF-16 rather than ASCII, search for both encodings. This is where knowing the chat program used becomes vital. For instance, Yahoo! Messenger stores the chat logs in an encoded temporary file, even if the history is turned off. With Lotus Sametime, you can look to the page file and find fragments of chat logs, as long as the chat didn't occur too far back in the past.
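  The keyword triage described for e-mail and the last-resort sweep of the page file and unallocated space are the same operation on different input: a byte-level search that has to catch the term whether it was written as ASCII or as UTF-16LE, case-insensitively, and report the offset plus enough surrounding text to judge the hit. The script below is an added example, not code from the book; the "image" it searches is a few kilobytes of constructed filler with one ASCII e-mail fragment and one UTF-16LE chat fragment embedded in it, standing in for a page file or an unallocated-space extract.

```python
"""Case-insensitive keyword search over raw bytes in ASCII and UTF-16LE.

Added example, not from the book.  SAMPLE_IMAGE is constructed in-line to
stand in for a page file or unallocated-space extract.
"""
import re


def _utf16le_pattern(keyword):
    """Build a bytes regex matching the keyword as UTF-16LE in either letter case."""
    parts = []
    for ch in keyword:
        alts = b"|".join(re.escape(v.encode("utf-16-le")) for v in {ch.lower(), ch.upper()})
        parts.append(b"(?:" + alts + b")")
    return re.compile(b"".join(parts))


def _ascii_pattern(keyword):
    return re.compile(re.escape(keyword.encode("ascii")), re.IGNORECASE)


PATTERNS = {"ascii": _ascii_pattern, "utf-16le": _utf16le_pattern}


def keyword_hits(image, keywords, context=24):
    """Return hits sorted by offset, each with the keyword, encoding and a text snippet."""
    hits = []
    for kw in keywords:
        for encoding, build in PATTERNS.items():
            for m in build(kw).finditer(image):
                lo = max(0, m.start() - context)
                hi = min(len(image), m.end() + context)
                if encoding == "utf-16le":          # keep the snippet 2-byte aligned
                    if (m.start() - lo) % 2:
                        lo += 1
                    if (hi - lo) % 2:
                        hi -= 1
                    text = image[lo:hi].decode("utf-16-le", "replace")
                else:
                    text = image[lo:hi].decode("ascii", "replace")
                hits.append({"keyword": kw, "encoding": encoding,
                             "offset": m.start(), "context": text.strip()})
    return sorted(hits, key=lambda h: h["offset"])


# --- constructed sample "image" ---------------------------------------------
_FILLER = bytes(range(256)) * 4                      # deterministic junk standing in for slack
SAMPLE_IMAGE = (
    _FILLER
    + b"From: Tim <tim@MyOtherCompany.com>\r\nSubject: quote for your socks order\r\n"
    + _FILLER
    + "Tim Jones: keep this off the work system ok\r\nJane: the affair is over, stop"
      .encode("utf-16-le")
    + _FILLER
)

if __name__ == "__main__":
    for hit in keyword_hits(SAMPLE_IMAGE, ["myothercompany", "affair"]):
        print("%08x %-8s %-15s %r" % (hit["offset"], hit["encoding"],
                                      hit["keyword"], hit["context"]))
```

  Record the offsets: they let you go back to the same sector later and tell a reviewer whether the fragment came from the page file, a file's slack, or unallocated space. The snippet is only for triage; anything you intend to rely on should be carved out whole and reviewed in context.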

  Phone Logs/SMS Messages  More and more corporations are issuing and paying for always-on smartphones such as BlackBerrys and iPhones. These devices can be virtual treasure troves for this type of investigation. For example, with a BlackBerry, as we discuss in Chapter 13, you can recover all the phone logs, text messages, and even things such as "to do" lists. I've experienced situations in which supposed harassment was identified as mutual after it was discovered, through SMS messages and phone call logs on the BlackBerry device, that the two people involved had been having an affair that "went bad." If you get hold of the smartphone and it has been reset or wiped, look for archives or backups. For instance, if someone uses the BlackBerry Desktop Manager software, it will create an archive weekly in an .ipd file that contains everything stored on the BlackBerry in plaintext. These are also great archives for finding deleted messages, as a user will frequently delete them from the BlackBerry while the archive still holds a copy.

  Violation of Non-compete/Non-solicitation Agreements

  When employees leave their positions for other opportunities, they are often subject to various types of non-compete and non-solicitation agreements. This is especially prevalent in industries and positions in which employees are key assets of the corporation and are directly responsible for generating revenue, such as partners at law firms, accounting firms, consulting firms, or other professional services firms where the entity is essentially selling the services of an individual. However, such agreements are also common in sales-related positions in which an employee has established significant relationships with the company's clients, or in which an employee possesses key knowledge of a company's competitive advantages (such as proprietary technology, informational databases, customer lists, and so on).
