Continuing on with the means by which data escapes the grasp of its business owners, aka data theft via the insider threat, we look at more online exfiltration methods. Last week we briefly talked about online storage à la Dropbox or Google Docs, and like other avenues, we’ll talk about it again in greater and/or new detail in future postings. For today, however, we’re going to focus on and explore a more adventurous means of data theft. An example of this is when someone sets up a storage server at their home and copies data to it that way. These users tend to be a bit more tech savvy, yes, but this is not out of reach for many folks thanks to an ever-increasing list of features and conveniences offered on today’s storage devices. Features and convenience should sound familiar, as they’ve already come up in previous posts. These “personal storage features” are typically tied in with some sort of home “server” network device or box. Quite a few such devices exist from manufacturers such as Western Digital, Seagate and Synology, and you can pick one up at your local Best Buy or Wal-Mart, for that matter. They afford you local storage when you connect one to your home network and allow you to have remote storage when you are away from home.
Outside of forensics, such a device is really a must nowadays to back up your local computers to, and in my opinion much more appealing than backing your data up to the cloud. Shocker, right? Better to be in control of your backup locally than out of control with it someplace out on the Internet. Again, my opinion, but I prefer to maintain control over my data rather than wait until some online system is compromised or hacked. In the event you feel you must store centrally online, please by all means ensure the data is encrypted, and use unique credentials AND multi-factor authentication if possible. Please.
Back to the personal storage server narrative. Such a device on your local network and connected to the internet from your home allows you to log in from Grandma’s to show your stored pictures of the kids or access a PDF copy of your W-2 for your accountant. You can also send data there, like say when you’re at the office. Some have programs that give your personal home server a drive letter, so copying things to it from the office is quite simple: just drag and drop. And you don’t have to be at the office either. You could use your work laptop from your house over a virtual private network (VPN) and drag and drop to what is now your local storage. You can also drag and drop emails directly out of Outlook; no need to forward, just save the contents out of the program that way. Why would someone go through the trouble of doing this? There are any number of reasons, from an innocent act of “hey, I didn’t know I could do this” to something more nefarious such as “let me copy this file this way since everyone’s on the lookout for USB drives”. Having found this sort of scenario before via investigation, where there was any forethought at play we’ve found users that thought there would be much less of a trail left behind by setting up a remote site. Most are savvy to the idea of an autopsy taking place on their computer once they leave, and a few of those folks know (or can guess) that there are telltale signs of USB drive use left behind when the company’s data is copied. I suspect a number of folks view the ability to create their own cloud storage site, then upload to it, as seemingly less fettered with clues. That, or perhaps they’re simply unable to copy files via USB drives, whether because a policy update to the computer prevents copying via software or because the IT department has physically put epoxy in the USB ports. Yes, that does happen.
I’m reminded of the insightful line by Jeff Goldblum in Jurassic Park, “Life, uh…finds a way.” Create one roadblock and another means to accomplish the same action emerges. Such clever users are correct in one regard, in that the same types of clues aren’t left behind, but there are others to be found! The fact remains that operating systems have a habit of keeping all kinds of bits and pieces behind that are invisible to nearly all but the most tech savvy users. As a whole, we become distracted by the hunt for new and improved features and conveniences. Once the thrill of the hunt takes over, security and privacy are often relegated to an afterthought, if at all.
Continuing with online exfiltration, in the old days we saw more users merely forward work emails to their personal email accounts with Gmail or Yahoo. This sort of action obviously leaves telltale evidence within the user’s corporate email account, with local sent copies or transaction metadata on the backend at the company’s email server. Even if the email is deliberately deleted by the user, there should still be data left in logging reports with usable information such as where the email was sent, as well as the message size, which can indicate the existence of attachments. What many folks do nowadays is create an email to themselves using their online account, i.e. send an email to email@example.com from firstname.lastname@example.org, and attach the documents they want to take. An escalation of this type of scenario is logging into the online email account, creating an email, including the attachments, but merely saving it as a draft and not actually sending it. The user is then free to log in to the account from another location and download the attachments there. Since most forensics tends to focus on email that was actually sent and/or received, this is clearly a crafty scenario and one that would easily be overlooked. Either way, the user’s online email account is the carrier mechanism for their ill-gotten gains.
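The server-side logging evidence described above (destination address plus message size as a proxy for attachments) can be turned into a simple detection pass. The following is an added example, not code from the original post; the log line format, the domain list and the size threshold are assumptions constructed for illustration, and the sample log lines are made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in an invented "message tracking" style (assumption:
# not the format of any particular mail server; adapt parse_line to your own).
SAMPLE_LOG = """\
2024-03-04T09:12:01Z event=SEND sender=jdoe@corp.example recipient=team@corp.example size=18432 msgid=<a1@corp.example>
2024-03-04T09:40:17Z event=SEND sender=jdoe@corp.example recipient=jdoe.home@gmail.com size=7340032 msgid=<a2@corp.example>
2024-03-04T10:05:44Z event=SEND sender=asmith@corp.example recipient=asmith@yahoo.com size=2048 msgid=<a3@corp.example>
2024-03-04T11:22:09Z event=SEND sender=jdoe@corp.example recipient=jdoe.home@gmail.com size=5242880 msgid=<a4@corp.example>
2024-03-04T11:30:00Z event=SEND sender=bking@corp.example recipient=vendor@partner.example size=4194304 msgid=<a5@corp.example>
"""

# Assumed list of personal webmail domains worth reviewing when data leaves the company.
PERSONAL_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Plain-text bodies are tiny; a message this large very likely carries an attachment (tunable assumption).
ATTACHMENT_SIZE_THRESHOLD = 1 * 1024 * 1024  # 1 MiB

LINE_RE = re.compile(
    r"(?P<ts>\S+) event=(?P<event>\w+) sender=(?P<sender>\S+) recipient=(?P<rcpt>\S+) "
    r"size=(?P<size>\d+)(?: msgid=(?P<msgid>\S+))?"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    return rec

def is_personal_webmail(address):
    return address.rsplit("@", 1)[-1].lower() in PERSONAL_WEBMAIL_DOMAINS

def flag_suspect_sends(log_text, corp_domain="corp.example"):
    """Per corporate sender: count, total bytes and message ids of large sends to personal webmail."""
    findings = defaultdict(lambda: {"count": 0, "bytes": 0, "msgids": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "SEND":
            continue
        if not rec["sender"].lower().endswith("@" + corp_domain):
            continue  # only outbound mail from our own users is of interest here
        if is_personal_webmail(rec["rcpt"]) and rec["size"] >= ATTACHMENT_SIZE_THRESHOLD:
            f = findings[rec["sender"]]
            f["count"] += 1
            f["bytes"] += rec["size"]
            f["msgids"].append(rec["msgid"])
    return dict(findings)

if __name__ == "__main__":
    for sender, f in flag_suspect_sends(SAMPLE_LOG).items():
        print(f"{sender}: {f['count']} large sends to personal webmail, {f['bytes']} bytes, ids={f['msgids']}")
```

Because the findings come from the server's transaction records, they survive the user deleting the sent copy from their mailbox; the draft-only variant described above leaves no such SEND record and has to be pursued on the endpoint instead.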
When it comes to investigating this activity, today’s webmail is a different animal than in years past. It used to be that when a user logged in to their email account, a static page was created that would show the full listing of emails in their account (received date and time, who it was from, the subject line and sometimes an email size). This sort of page (largely an HTML file) was pretty easily located and used in the investigation. Nowadays this sort of email listing is still presented to a user when they log in, but the artifacts left behind are largely more challenging to extract and interpret. Recreating this webpage from the artifacts left behind today is still feasible, but more complex and oftentimes incomplete. The artifacts that are recoverable can be found in disparate areas of the drive, no longer just in the temporary internet files folder for the respective browser program. Enough artifacts can often be located to either fully assemble and recreate the email or give enough clues as to what the communication was. Ideally, if we can locate some key terms or keywords, we can parse out email content that will either spell out what the user was doing or give a good indication of what they were doing, particularly when we combine this data with other data we’ve found. We’ll pick up from here next time, discussing key terms and keywords that we almost always employ when investigating a case. More specifically, the development of these key terms and keywords, and the role they play in the case. #OnlineDataTheft #InsiderThreat