No two investigations are exactly alike. I alluded to something of this nature last post. When the question is narrow and well defined there are usually some standard approaches, or "templates" if you will, one can follow. However, when the engagement is "here's a computer/smartphone/server/online account, so go ahead and run your things and make a report", no two matters are the same. They differ when it comes to actually investigating the various elements involved, and they differ again when it comes to reporting. And for good reason.
Let's start with investigating. There is typically low hanging fruit that can be addressed first, sure. USB drives these days range from simple thumb drives of a few hundred megabytes (especially older ones) up to 512 gigabytes as of this writing, and I'm sure they'll continue to grow. A USB interface is also found on laptop-type hard drives (slightly larger than a business card and about half an inch thick), on standard desktop drives (the size of a small book), and on multi-drive enclosures with tremendous storage capacity (think the size of a small shoe box). All of these devices are available with a USB interface, which means what someone has copied, or could have copied, to one of them can range from a few important documents all the way up to a mirror image of your entire shared directory on the server. Ideally these devices, once connected, leave the expected artifacts on the user's computer. I say ideally because there are times when those expected artifacts are not there. That doesn't mean the devices weren't connected. It just means a more in-depth analysis is required to establish not only the conditions of their connection, but also what activity transpired and what their contents may be, or more accurately what the contents were the last time they were connected. The reasons for this lack of readily available data range from something as simple as the USB bridge controller used in an enclosure, which can make the device enumerate differently than a plain thumb drive, to the user having run a utility to obscure or wipe that metadata. Rest assured it is almost certain there will still be enough evidence of the drive, such as its vendor and product identifiers, serial number, and first and last connection times, to make a more pointed case. This means there will be more than just low hanging fruit to harvest.
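One of the places those vendor/product identifiers, serial numbers and first-connection times survive is the Windows device-installation log, setupapi.dev.log. The following is an added example, not code from the original post, that extracts USB device installations from that log and correlates the USB (VID/PID) and USBSTOR (vendor/product string) entries for each device by serial number. The log lines are constructed for the example in the layout that setupapi.dev.log uses; real logs carry many more lines per section. One caveat worth building in: when the second character of the serial is "&", the device did not supply a unique serial and Windows generated an instance ID instead, so that value cannot be used to match the drive across different computers.

```python
import re
from datetime import datetime

# Constructed sample in setupapi.dev.log layout (not from a real system).
# Note that setupapi.dev.log timestamps are in the machine's local time, not UTC.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230405070801]
>>>  Section start 2019/03/12 14:22:01.123
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2019/03/12 14:22:03.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230405070801&0]
>>>  Section start 2019/03/12 14:22:03.500
<<<  Section end 2019/03/12 14:22:05.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0BDA&PID_0316\6&2A1B3C4D&0&3]
>>>  Section start 2019/04/02 09:05:44.001
<<<  Section end 2019/04/02 09:05:45.200
<<<  [Exit status: SUCCESS]
"""

DEVICE_RE = re.compile(r"^>>>\s+\[Device Install \([^)]*\) - (?P<id>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)")
# USB\VID_xxxx&PID_xxxx\<serial or Windows-generated instance id>
USB_RE = re.compile(r"^USB\\VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})\\(?P<serial>[^\\]+)$")
# USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<lun>
USBSTOR_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<ven>[^&]+)&Prod_(?P<prod>[^&]+)&Rev_(?P<rev>[^\\]+)\\(?P<serial>[^&\\]+)(&\d+)?$"
)


def parse_setupapi(text):
    """Return one event per device-install section: the device ID and the section start time."""
    events, pending = [], None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            pending = m.group("id")
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            events.append({"device_id": pending, "installed_at": ts})
            pending = None
    return events


def _entry(devices, serial, ts):
    """Fetch or create the per-serial record, keeping the earliest install time as first_seen."""
    entry = devices.setdefault(serial, {"serial": serial, "first_seen": ts})
    entry["first_seen"] = min(entry["first_seen"], ts)
    # Second character '&' means Windows made up the instance ID: no real serial to pivot on.
    entry["windows_generated_serial"] = len(serial) > 1 and serial[1] == "&"
    return entry


def summarize_usb(text):
    """Correlate USB and USBSTOR install events by serial into one record per physical device."""
    devices = {}
    for ev in parse_setupapi(text):
        m = USB_RE.match(ev["device_id"])
        if m:
            entry = _entry(devices, m.group("serial"), ev["installed_at"])
            entry["vid"], entry["pid"] = m.group("vid").upper(), m.group("pid").upper()
            continue
        m = USBSTOR_RE.match(ev["device_id"])
        if m:
            entry = _entry(devices, m.group("serial"), ev["installed_at"])
            entry["vendor"], entry["product"], entry["revision"] = m.group("ven"), m.group("prod"), m.group("rev")
    return devices


if __name__ == "__main__":
    for serial, dev in summarize_usb(SAMPLE_LOG).items():
        print(serial, dev)
```

The first-seen time here is when the device's driver was first installed, which is the first time it was plugged in; the SYSTEM registry hive (USBSTOR and related keys) is where last-connection times come from, and the two sources should be checked against each other.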
Part of that harvest typically includes email, which needs to be analyzed quickly. This can, and often does, involve data being emailed from the corporate network to one's personal email address. Although many assume the suspect would not be this careless, it still occurs quite often. I can tell you, especially in times of last-minute opportunity, covering one's tracks is not at the forefront of a subject's mind. And even if the subject did take precautions not to be so obvious, no one is perfect. In fact, all it takes is one accidental email sent to a personal address to put it on our radar. Once it's on the radar, we begin culling data and artifacts to assemble what has occurred with that personal email account. After all, the odds are pretty good that once they send themselves an email with their ill-gotten data, they will log in to the account to verify it went through, from the same computer. You don't need to suffer from OCD to pull that move! You have to make sure the goods went through, right? To make matters worse, some try to clean up their tracks afterwards. What most don't realize is that (again) there will almost always be some artifact or evidence of the wrongdoing, and the evidence of trying to obscure what was done actually makes the case worse for them. It's a lot easier to explain away why one might have legitimately emailed oneself data when it was done overtly. It's a lot more difficult to explain why you emailed yourself company data, then deleted the sent items from your mailbox and ran CCleaner afterwards to erase your steps.
There are any number of additional artifacts to be examined on a device depending on the type of matter at hand. Online storage is one of them; Dropbox, Google Drive and OneDrive are good examples. Most of these services function as a syncing service, so there is typically some local listing or index of the data held at the hosted storage location, kept to confirm that the local copy is actually in sync with what is there. Mind you, we've got to determine whether such a service or account has even been used on the computer first. Other artifacts include LNK (shortcut) files, which Windows creates when a user opens a file and which record the target's path, timestamps, and the volume it lived on (serial number and drive type), making them very useful for USB devices and just as applicable when a subject has been connecting to a remote server; Shellbags (Windows registry artifacts recording folder view settings, which show which folders, including those on removable and network drives, existed and were browsed at certain points in the past); and Jump Lists (per-application lists of recently and frequently opened items, like documents and spreadsheets, that show what a user worked on).
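To show what an LNK file actually gives you, here is an added example (not code from the original post) that parses the Shell Link binary format: the 76-byte header with the target's timestamps and size, and the LinkInfo structure with the volume's drive type, serial number, label and local base path. The sample .lnk bytes are constructed inline by a helper in the same layout, pointing at a spreadsheet on a removable volume; the label, path and serial are made up for the example. It is the volume serial recorded here that lets you tie a document a subject opened back to a specific removable drive seen in the USB artifacts.

```python
import struct
from datetime import datetime, timedelta, timezone

# Shell Link header constants (MS-SHLLINK).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME is 100-ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def _cstring(data, off):
    """Read a NUL-terminated ANSI string at offset off."""
    return data[off:data.index(b"\0", off)].decode("cp1252")


def is_lnk(data):
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def parse_lnk(data):
    """Extract target metadata and volume information from a .lnk file."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link (.lnk) file")
    flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {
        "link_flags": flags, "file_attributes": attrs, "target_size": size,
        "target_created": filetime_to_dt(ctime),
        "target_accessed": filetime_to_dt(atime),
        "target_modified": filetime_to_dt(wtime),
    }
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:          # skip the ID list; it is not needed here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, vol_off, lbp_off, _cnrl, _cps = struct.unpack_from("<7I", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = pos + vol_off                  # offsets are relative to the LinkInfo start
            _vsize, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
            info["drive_type"] = DRIVE_TYPES.get(drive_type, f"UNKNOWN({drive_type})")
            info["volume_serial"] = f"{serial:08X}"
            info["volume_label"] = _cstring(data, vol + label_off)
            info["local_base_path"] = _cstring(data, pos + lbp_off)
        pos += li_size
    return info


def build_sample_lnk():
    """Constructed .lnk for the example: a spreadsheet on a removable volume (values made up)."""
    label, path = b"KINGSTON", b"E:\\Clients\\customer_list.xlsx"
    volume_id = struct.pack("<4I", 16 + len(label) + 1, 2, 0xA1B2C3D4, 16) + label + b"\0"
    vol_off = 28                                 # LinkInfo header without unicode offsets
    lbp_off = vol_off + len(volume_id)
    cps_off = lbp_off + len(path) + 1            # empty CommonPathSuffix follows the path
    link_info = (struct.pack("<7I", cps_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                             vol_off, lbp_off, 0, cps_off) + volume_id + path + b"\0" + b"\0")
    ts = dt_to_filetime(datetime(2019, 3, 12, 14, 22, 1, tzinfo=timezone.utc))
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_INFO,
                         0x20, ts, ts, ts, 524288, 0, 1, 0, 0, 0, 0)
    return header + link_info + b"\0\0\0\0"      # terminal ExtraData block


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key}: {value}")
```

A real shortcut will usually also carry a LinkTargetIDList and StringData; the parser skips the former and stops before the latter, since the volume serial and base path are the fields that matter for pivoting to a device.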
I mentioned reporting as well. Not every report is the same, and there's no magic report button for all our searches, investigating and findings. Some reporting of pertinent findings is suitable for internal purposes, documenting the misuse of company assets, harassment or any other misconduct not in line with policy. These are critical statements of fact that will go a long way in the event of a wrongful termination allegation. Another type of report centers not only on wrongful actions on the computer but on the person's standing as it relates to matters of ethics, especially when licensing or certification is involved in their employment. And yet another style of reporting altogether is needed for litigation and official filing with the court, such as statements of fact and affidavits. These different types of reports highlight different areas of importance depending on your need and anticipated outcome. As you can see, not every case is the same, not every subject of an investigation acts identically, and not every report is a photocopy of the last one we put out.