Almost without fail when meeting new folks, and upon hearing that we perform digital forensic investigations, the first comment is, “Wow, you must see a lot of really interesting things.” In truth, most of the day-to-day investigations are without many amazing finds per se. Don’t get me wrong, there are a number of actionable artifacts almost always found in the course of making a case against a perpetrator or in support of someone wrongly accused, but in terms of “Wow, that’s certainly interesting”, not a whole lot of those moments happen on a routine basis. It’s true that we’ve seen just about all manner of graphic images (some we would call “interesting” and others quite frankly cringe-worthy), spreadsheets with numbers that boggle the mind, and of course the atrocious things people have written to others via text or email thinking it would never see the light of day.
Every so often, however, a case comes around that can’t help but draw you in with all of its twists and turns. It is usually an investigation where someone else has already taken a crack at solving it with internal resources, but they were ultimately unable to do so, and the concern or issue persisted. One such case that comes to mind involved a local refinery a few years ago. It seemed that there had been a repeated occurrence of false alarms at the facility with their access control system. Now, when most folks have an alarm that goes off a number of times it’s a nuisance, but in this facility it had a more problematic outcome that impacted the refinery’s operation: it caused an integral portion of the operation to shut down. And when part of a refinery shuts down, it has a domino effect that can turn costly fast. The usual troubleshooting had taken place, whereby sensors and points of ingress/egress were checked out for malfunctions, to no avail. Each alarm event was continuing to cost the facility more and more money in a cumulative fashion. It was at this point we were called in and given a rundown of all that the internal security department had investigated to try to determine the source of the interruptions. Quickly we focused on the contract security guards, in no small measure because their contract had come up for renewal and the client had already elected not to renew the services due to their less than stellar performance in general: just enough service so as to not trigger non-performance clauses, but unsatisfactory nonetheless. Before the contract security folks were to quit performing these services, though, part of their duty was to help determine the source of the interruptions.
In an effort to try an out-of-the-box investigative tack, we turned to digital forensics. There were two computers owned by the client that were routinely used in the office that the contract security staff was based out of. After forensically imaging the machines, an initial analysis was not fruitful. We were hopeful there might be some sort of email communication that had taken place that might prove a valuable clue, but alas, none seemed to be resident on the computer’s hard drive. Upping the ante (due in part to the case’s intrigue), we decided to go through what data was available in the evidence with a fine-tooth comb. An anomaly arose. It seemed there was a previous installation of a program called “Evidence Eliminator” on the computer. With this new information (or fragment of information, as it were), further scouring of the computer forensic data commenced. After many iterations of searches on the forensic images we were still coming up dry in establishing a connection between the alarm system and the guards themselves. After looking back at the alarm reports we decided to search specifically for the date of the last alarm. A timeline analysis had already taken place on the image, but it hadn’t shown any results of interest. However, when we searched for the date in several formats as a keyword (e.g. 4/7/15), lo and behold, we found some logging information in the unallocated areas of the drive! The logging information found amongst the mishmash of data was parsed out and pointed us to the use of a website on that date. The website belonged to a provider who had access to the alarm monitoring station. It turns out this website provided the ability to “trip” various alarms in a testing manner, but the provider had neglected to enable logging on their side, which would have afforded us the opportunity to run an audit report and shed light on it earlier.
We should point out that this was a rudimentary back door of sorts and was a beta-type setup for some functionality not yet implemented. Very few people outside of the security alarm station even knew of its existence, as it was a work in progress. And yes, it turns out one of the guards knew one of the folks at the station who was involved with the website. Additionally, even once we had discovered the website address and backtracked to its numerical IP address, a review of the client’s network proxy logging showed no sign of the computer having visited the site.
Further analysis of the computer’s image led us to discover that a modem had been installed in the computer some time before the first alarm issue arose. This was odd given that the computer had no real need for a modem, as it was connected via a network adapter card and cable to the client’s corporate network, thereby giving it internet access. We discovered this modem was used with a dial-up client program on the computer in order to connect to a separate internet service provider (outside of the computer’s corporate network). Having bypassed the usual means of connection through the company’s network afforded the suspect (one of the guards) an alternative means of setting off the alarms without appearing on the client’s radar. With our findings, the client was able to confront the subcontractors, who could not refute the findings of the investigation. The contract was immediately terminated, and the client was compensated for the cost of the investigation and saved from any future distress this guard company may have brought them. These are not the people you want securing your facility!
One more thought before I go. Above I mentioned a program called “Evidence Eliminator” which, although now defunct, has since been replaced by a number of other programs such as CCleaner and BleachBit. And although in our investigation we were unable to directly correlate the use of the program with the specific date in question, it was clear that it was run shortly after the latest alarm event. Although these programs have powerful abilities to “clean” things up, thus destroying evidence, almost without fail there remain fragments and artifacts that are useful in an investigation of what actions took place on the computer in question. Although the program had done a fairly decent job of obscuring the actions taken by the suspect, the reality is that even when someone takes efforts to obscure or destroy incriminating evidence on a computer, it’s awfully difficult to completely rid the drive of ALL evidence.
*As I’m sure you’ll understand, the names of individuals and companies, as well as a few unnecessary details, have been left out in order to respect our client’s confidentiality.*