Windows Forensics: The Field Guide for Corporate Computer Investigations

The computer investigator's crime scene is potentially broader than that of the traditional investigator. Identifying the crime scene may not be easy, and detailed research might be required just to know where to look. The remote nature of computing and the distribution of evidence present additional challenges to the investigator, including the following:

When identifying the crime scene(s), the investigator may want to ask a few questions to determine potential locations for evidence:

The potential locations for evidence will change over the course of the investigation. For example, when analyzing the subject's computer, an investigator might find FTP connections to a corporate server. An examination of that server's logs may show additional connections from the same suspect on a completely different system.

The most likely location for a physical crime scene is the actual location where the suspect initiated a digital connection. This might be an office, a residence, or even a vehicle and is the best candidate for establishing and securing a physical scene.

Targeted machines, log servers, and network devices may require handling as a logical scene. In order to make the determination about whether to treat the scene as physical or logical, an analyst must ask two questions:

  1. Is there likely to be physical evidence present in addition to digital evidence?

  2. Will not treating the scene as a physical scene result in the loss, corruption, or destruction of digital evidence?

If the answer to either question is yes, treat the scene as a physical crime scene.

CASE STUDY: UNAUTHORIZED NETWORK DEVICE

An external router was discovered bridging a switch on the corporate network of one of our clients directly to the Internet. Some initial analysis by the client's team determined that the router was connected to an internal switch but was placed on a different subnet and logically inaccessible from direct internal connections. It was likely that a member of the company's networking team made the connection to have a local port to plug in directly for unmonitored Internet access.

The location of the router and switch was an access-controlled server room. The server room itself was initially treated as a crime scene. The router was secured and removed for remote analysis, and card reader access logs to the room were obtained. Likewise, an intrusion detection system (IDS) sensor on the same switch was treated as a logical part of the scene, and forensic copies were made of its logs. Because the room housed other operational servers, it was not feasible to secure the entire room.

The IDS sensor logged the IP address assignments and subsequent connections made to two devices on the external subnet and their respective MAC addresses. As expected, one of the MAC addresses matched the router. After researching the organization associated with the second address, analysts determined that it was a built-in laptop card.

The badge reader logs from the site security team presented a few possible suspects, several of whom regularly ran network sniffers as part of their normal course of business, thereby making remote probing difficult. Additionally, because the network team was potentially implicated, it was impossible to connect to the other switches at that location to sniff passively for the MAC address or to review network logs.

The MAC addresses of the machines assigned to each of the suspects were queried remotely using nbmac from an anonymous workstation; a simple NetBIOS call of this kind was unlikely to arouse suspicion. One of the suspects' MAC addresses matched the address found in the IDS logs, allowing analysts to identify a single suspect and laptop and to continue the investigation.
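The log-correlation step in this case study (IP assignments and MAC addresses recovered from the IDS sensor, an OUI lookup to identify the hardware vendor, and a comparison against the MAC addresses of the candidate machines) is shown below as an added example. This is not code from the book or from the investigation it describes; the IDS log format, the OUI table, and the asset inventory are all constructed sample data, and the `DHCP ack ip=... mac=...` line layout is a hypothetical format chosen for the example. The example goes slightly beyond the text by normalizing the several MAC notations an analyst typically meets (colon, hyphen and bare hex) so that the same adapter logged in different formats is matched as one device.

```python
"""Correlate MAC addresses seen in IDS lease logs with an asset inventory.

Added example, not from the book. All log lines, OUI entries and inventory
records below are constructed sample data; the log format is hypothetical.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed IDS log excerpt. Hypothetical format:
#   <timestamp> DHCP ack ip=<addr> mac=<mac>
# The same laptop adapter appears once with hyphens and once as bare hex,
# which is the kind of inconsistency an analyst has to normalize away.
SAMPLE_IDS_LOG = """\
2008-03-04 08:12:01 DHCP ack ip=203.0.113.10 mac=00:1A:2B:3C:4D:5E
2008-03-04 08:12:05 DHCP ack ip=203.0.113.11 mac=00-1B-63-AA-BB-CC
2008-03-04 08:13:22 CONN 203.0.113.11 -> 198.51.100.7:443
2008-03-04 09:01:44 DHCP ack ip=203.0.113.12 mac=001b63aabbcc
"""

# Constructed OUI table (first three octets -> vendor). Placeholder entries,
# not an extract of the real IEEE registry.
OUI_TABLE: Dict[str, str] = {
    "001A2B": "ExampleRouterCo",
    "001B63": "ExampleLaptopNICCo",
}

# Constructed asset inventory: hostname -> MAC as recorded by the desktop team.
ASSET_INVENTORY: Dict[str, str] = {
    "netteam-lt-01": "00:1b:63:aa:bb:cc",
    "netteam-lt-02": "00:1b:63:11:22:33",
    "core-rtr-ext": "00:1a:2b:3c:4d:5e",
}

LEASE_RE = re.compile(
    r"DHCP ack ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) mac=(?P<mac>\S+)"
)


def normalize_mac(raw: str) -> Optional[str]:
    """Reduce any common MAC notation to 12 upper-case hex digits.

    Returns None when the input does not contain exactly 12 hex digits, so
    garbage fields in a log line are skipped rather than mis-matched.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        return None
    return hexdigits.upper()


def parse_leases(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, ip, normalized_mac) for each DHCP ack line."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue  # connection records and other lines are not leases
        mac = normalize_mac(m.group("mac"))
        if mac is None:
            continue
        timestamp = line[:19]  # "YYYY-MM-DD HH:MM:SS" prefix of the sample format
        leases.append((timestamp, m.group("ip"), mac))
    return leases


def correlate(log_text: str, inventory: Dict[str, str],
              oui_table: Dict[str, str]) -> Dict[str, dict]:
    """Group leases by device and attach vendor and inventory matches.

    Result: normalized MAC -> {"vendor", "asset", "first_seen", "ips"}.
    """
    by_mac = {normalize_mac(mac): host for host, mac in inventory.items()}
    results: Dict[str, dict] = {}
    for timestamp, ip, mac in parse_leases(log_text):
        entry = results.setdefault(mac, {
            "vendor": oui_table.get(mac[:6], "unknown"),
            "asset": by_mac.get(mac),  # None when no inventory record matches
            "first_seen": timestamp,
            "ips": [],
        })
        if ip not in entry["ips"]:
            entry["ips"].append(ip)
    return results


def unmatched_devices(results: Dict[str, dict]) -> List[str]:
    """MACs seen on the wire that no inventory record accounts for."""
    return sorted(mac for mac, entry in results.items() if entry["asset"] is None)


if __name__ == "__main__":
    for mac, entry in correlate(SAMPLE_IDS_LOG, ASSET_INVENTORY, OUI_TABLE).items():
        print(mac, entry)
```

Two points in the design follow directly from the case study. Matching is done on the normalized MAC, not on the IP, because the IP assignments on the external subnet changed between leases while the adapter address stayed constant. The `asset` field stays `None` for any device the inventory cannot explain, which is the list an analyst would have to resolve by other means (in the case study, by querying the candidate machines) before a single suspect could be identified.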
