Computer Forensics Case Studies

Identifying the Insider

An organization was investigating a derogatory e-mail, sent to 2,000 employees, that claimed to come from the CEO. The organization had already determined that the message was spoofed, and its internal staff had traced the source of the e-mail to a server within its own infrastructure. They further identified a workstation that had connected to that server during the time frame in which the e-mail was sent. Their forensic analysis of that workstation did not conclusively show whether the e-mail had been sent from it; in fact, they found nothing related to the derogatory e-mail on the workstation at all. They asked MANDIANT to investigate and see what we could find. Their suspicion was that the owner of the workstation had sent the e-mail, or that the owner had been the victim of a virus that allowed someone else to control the workstation.

Our analysis of the workstation's memory showed that the scripts used to send the spoofed e-mail had in fact originated from this workstation. Our analysis of the Windows setup API log (setupapi.log) and the Windows Registry revealed that the e-mail file had come from a USB removable storage device. We gave our client the identifying information for that USB device and instructed the organization how to search its infrastructure for this unique device. Their search revealed that one suspect workstation on the network, and only one, had used the same USB device. Forensics on the suspect workstation determined that its user had installed encryption software and four different wiping utilities. When the employee was presented with this evidence in an interview, the results of that interview led to his termination.
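The USB-tracing step in this case, as an added example that is not part of the case study or of MANDIANT's own tooling: a Python parser that pulls USB mass-storage device instance IDs (vendor, product, revision, serial) out of a Windows setup API log, either the XP-era setupapi.log or the Vista-and-later setupapi.dev.log, and reports which hosts' logs contain a given serial. The host names, timestamps, log excerpts and the serial number 0AB1C2D3E4F5 are constructed for illustration.

```python
"""Trace one removable USB disk across Windows hosts from their setup API logs.
Added example: the log excerpts, host names and serial below are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime

# XP-era setupapi.log: a section header such as "[2004/06/15 10:23:45 1234.56 Driver Install]"
# followed by entries like
#   #I124 Doing copy-only install of "USBSTOR\DISK&VEN_X&PROD_Y&REV_Z\SERIAL&0".
XP_SECTION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
XP_INSTALL_RE = re.compile(r'#I124 Doing copy-only install of "([^"]+)"')

# Vista-and-later setupapi.dev.log: a hardware-initiated install block
#   >>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_X&Prod_Y&Rev_Z\SERIAL&0]
#   >>>  Section start 2010/03/02 09:14:55.123
VISTA_HEADER_RE = re.compile(r"^>>>  \[Device Install \(Hardware initiated\) - ([^\]]+)\]")
VISTA_START_RE = re.compile(r"^>>>  Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")

# Device instance ID of a USB mass-storage disk; the last path element is <serial>&<instance>.
USBSTOR_RE = re.compile(
    r"^USBSTOR\\DISK&VEN_([^&]*)&PROD_([^&]*)&REV_([^\\]*)\\([^&\\]+)(?:&\d+)?$", re.IGNORECASE
)


@dataclass(frozen=True)
class UsbInstall:
    when: datetime      # start of the install section that recorded the device
    vendor: str
    product: str
    revision: str
    serial: str         # serial reported by the device itself, stored upper-cased
    instance_id: str


def _ts(text):
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")


def _add(installs, instance_id, when):
    m = USBSTOR_RE.match(instance_id)
    if m:  # ignore non-USBSTOR installs (hubs, HID devices, ...)
        vendor, product, rev, serial = m.groups()
        installs.append(UsbInstall(when, vendor, product, rev, serial.upper(), instance_id))


def parse_setupapi(text):
    """Return every USBSTOR disk install recorded in an XP setupapi.log or a
    Vista+ setupapi.dev.log. Lines of any other kind are ignored."""
    installs, when, pending = [], None, None
    for line in text.splitlines():
        m = XP_SECTION_RE.match(line)
        if m:                        # XP: timestamp comes from the section header
            when = _ts(m.group(1))
            continue
        m = VISTA_HEADER_RE.match(line)
        if m:                        # Vista+: header names the device, next line dates it
            pending = m.group(1)
            continue
        m = VISTA_START_RE.match(line)
        if m and pending is not None:
            _add(installs, pending, _ts(m.group(1)))
            pending = None
            continue
        m = XP_INSTALL_RE.search(line)
        if m and when is not None:
            _add(installs, m.group(1), when)
    return installs


def installs_in_window(installs, start, end):
    """Installs whose section started between two "YYYY/MM/DD HH:MM:SS" bounds."""
    lo, hi = _ts(start), _ts(end)
    return [i for i in installs if lo <= i.when <= hi]


def hosts_with_serial(logs_by_host, serial):
    """Names of hosts whose collected log shows the device with this serial.
    logs_by_host maps hostname -> text of that host's setupapi log."""
    serial = serial.upper()
    return sorted(h for h, text in logs_by_host.items()
                  if any(i.serial == serial for i in parse_setupapi(text)))


# Constructed sample logs (not real evidence): two hosts saw the same stick, one did not.
SAMPLE_LOGS = {
    "WS-1042": (
        "[2004/06/15 10:23:45 1234.56 Driver Install]\n"
        "#-019 Searching for hardware ID(s): usbstor\\disksandisk_cruzer_micro_____2.03\n"
        "#-166 Device install function: DIF_INSTALLDEVICEFILES.\n"
        "#I124 Doing copy-only install of \"USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_2.03\\0AB1C2D3E4F5&0\".\n"
    ),
    "WS-2311": (
        ">>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Micro&Rev_2.03\\0AB1C2D3E4F5&0]\n"
        ">>>  Section start 2004/06/16 08:02:11.500\n"
        "     dvi: {Build Driver List} 08:02:11.531\n"
        "<<<  Section end 2004/06/16 08:02:14.109\n"
    ),
    "WS-0007": (
        "[2004/06/15 11:00:00 777.1 Driver Install]\n"
        "#I124 Doing copy-only install of \"USBSTOR\\DISK&VEN_KINGSTON&PROD_DATATRAVELER&REV_1.00\\9F9F9F9F9F9F&0\".\n"
    ),
}

if __name__ == "__main__":
    for host, text in SAMPLE_LOGS.items():
        for i in parse_setupapi(text):
            print(host, i.when, i.vendor, i.product, i.serial)
    print("hosts with serial 0AB1C2D3E4F5:", hosts_with_serial(SAMPLE_LOGS, "0AB1C2D3E4F5"))
```

Two caveats a practitioner should keep in mind. The setup API log records the driver installation, which normally happens only the first time a given device is plugged in, so the timestamp is a first-seen time, not a record of every connection; for later use, correlate with the USBSTOR key under HKLM\SYSTEM\CurrentControlSet\Enum and its last-write time. And a device that reports no serial number gets a Windows-generated instance ID instead (recognisable by the ampersand as its second character); such an ID is not stable across hosts, so it cannot be used to match the same stick on a second workstation the way a real serial can.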


Internal HR Investigation

A large law enforcement entity had to terminate its Information Technology manager. The organization suspected that the terminated employee might retaliate by hacking or otherwise compromising its network, or by influencing remaining members of the team to do the same. The organization hired MANDIANT to monitor the IT team's computer and network activity and to determine whether any of them were in the act of compromising the organization's network. MANDIANT performed remote, surreptitious monitoring of employee activity for sixty hours, and we also monitored the network for any malicious attacks by the terminated employee. Our 24/7 monitoring of employee activity led to disciplinary action.
