PRESENTED BY
DAVE MAUPIN
SECURITY MANAGEMENT PARTNERS
WALTHAM, MA
WWW.SMPONE.COM
1




MIT graduate with 30 years of experience in IT
Senior Information Security Consultant for Security
Management Partners.
PCI QSA
Forensic investigations with IT, HR and Legal departments
for various regulated industries such as banking, healthcare
and pharmaceutical.
2




ACH fraud
Embezzlement
Harassment
Civil case
3
1.
2.
3.
4.
5.
6.
7.
8.
Encase Forensic 7.07
Antivirus software
Malwarebytes
Excel
Volatility
HBGary Responder CE
Mandiant Redline
Knowledge of Windows technical details
4




Funds moved electronically from business
online banking account
Investigate—initial information gathering from
the financial institution and the business
customer
Acquire media using chain of custody protocol
Forensic analysis—acquire forensically and run
analysis
5
Entry Date
Entry Full Path
Entry Type
08/24/10
11:29:11AM
C\WINDOWS\Prefetch\WINZIP32.EXE-2F3C90C9.pf
Created Date
08/24/10
11:29:11AM
C\WINDOWS\Prefetch\WINZIP32.EXE-2F3C90C9.pf
Written Date
08/24/10
11:29:11AM
C\WINDOWS\Prefetch\WINZIP32.EXE-2F3C90C9.pf
Modified Date
08/24/10
11:29:16AM
C\Documents and Settings
\User.Domain\Cookies\username@ads.pointroll[2].txt
Accessed Date
800 entries for cookies on the system
08/24/10
11:29:21AM
C\Documents and Settings
\User.Domain\Cookies\username@rad.microsoft[2].txt
Accessed Date
6




Funds stolen from business
Investigate—initial information gathering from
the business
Acquire media using chain of custody protocol
Forensic analysis—acquire forensically and run
analysis
7




Changing the extension on a file.
Embedding data in a graphic file or scanning a
document so that it becomes a graphic file. This
would prevent the text within the document
from being identified during a keyword search.
Using a compression utility to compress
multiple files or documents into a single
compound file (i.e. .zip file).
Encryption: using a utility such as TrueCrypt
to create a hidden\encrypted volume on the
hard drive.
8




Intellectual property stolen from business
Investigate—initial information gathering from
the business
Acquire media using chain of custody protocol
Forensic analysis—acquire forensically and run
analysis
9


Shortcuts contain a volume serial number
In order for these Link files to have been
created on the hard drive, the USB drive had to
have been plugged into the computer
containing the hard drive on which the Link
files were located and a file from the USB drive
had to have been accessed from that computer.
10




Employee reports harassment to HR
Investigate—initial information gathering from
the business
Acquire media using chain of custody protocol
Forensic analysis—acquire forensically and run
analysis
11


System Restore uses a feature called system
protection to regularly create and save restore
points on your computer. These restore points
contain information about registry settings and
other system information that Windows uses.
People trying to hide their activities may not
realize that information has been saved by
System Restore
12



A/V definitions change daily, full scans should
be run at least weekly
Investigate what your a/v console reports
Investigate unusual events:


Account lockouts
Use a minimum necessary approach
throughout your environment:



Block outbound traffic
Only give access to social media to those with a
business need (marketing)
Block webmail access
13

Train your users


Call the help desk
Be careful with email attachments
14