Blended Enterprise Investigations
Using Digital Forensics and Physical Security to Build Your Case

By John Grancarich, Paul Hastings Janofsky & Walker LLP

Introduction
• Pure digital investigations are becoming a thing of the past
• The physical world is increasingly going digital
• A puzzle contains more than one piece - investigate them all
    — Digital forensics
    — Interviews of key players
    — Building/floor access logs
    — Floor plan analysis
• The essential aspect of the blended role? Solid investigative skills
• Can one person do it all? Not always

Agenda
• Investigative methodology
• Case study – workplace harassment
• Blended investigation techniques

Investigative Philosophy
• The goal of any investigation is to discover and present the truth
• How do we get to the truth? Trusted, non-biased methodology and technology
• The effectiveness of the investigative process depends upon high levels of objectivity applied at all stages
• Intellect over emotion at all times
• Understand difference between examination and investigation
    — Examiner reports on findings
    — Investigator puts all the pieces together

Investigative Process Model

1. Incident Alert / Accusation / Claim: Crime or policy violation
2. Assessment of Worth: Prioritize / choose
3. Incident Response / Protocol: Actions at scene
4. Identification or Seizure: Recognition & proper packaging
5. Preservation: Maintain integrity
6. Recovery: Get it all!
7. Harvesting: Data about data
8. Reduction: Filter and eliminate
9. Organization and Search: What is the focus?
10. Analysis: Scrutinize and understand
11. Reporting: Prepare detailed record
12. Persuasion and Testimony: Translate and explain

Source: Digital Evidence and Computer Crime, 2nd Ed., Eoghan Casey

Investigative Process Model – Stage 1 (Incident Alert / Accusation / Claim)
• Triggering event
• Consider source and reliability of information
• Start gathering initial facts
• Delicate stage in an investigation

Case Study – Workplace Harassment: Incident Alert / Accusation / Claim
— Client’s IT group consists of two employees working in secured area
— Claimant accuses respondent of downloading adult content to work computer and viewing it in workplace
— Alleges this activity has been going on for approximately nine months
— Two days before claim was made alleges that respondent attempted to initiate a physical relationship with claimant in the office against claimant’s wishes. Attempt was graphic and involved according to allegation.
— Claimant goes to HR and makes claim
— Incident is documented and claimant immediately goes on paid leave, stating severe physical side effects and emotional distress as a result of this experience

Investigative Process Model – Stage 2 (Assessment of Worth)
• Apply investigative resources where needed most
• Questions asked to focus on most severe problems
• Result of this step is one of two options: no further action or continue to investigate

Case Study – Workplace Harassment: Assessment of Worth
— Internal investigators immediately informed of incident
— Very serious allegations
— Do the respondent’s alleged actions (the unwanted physical advances) constitute harassment only, or sexual assault?
— Claimant deserves to have allegations investigated, and company has duty to determine what happened
— Would have serious ramifications if not pursued
— Continue to investigate? Yes

Investigative Process Model – Stage 3 (Incident Response / Protocol)
• Retain and document items at scene
• Follow accepted protocols
• Result of this step is secure scene where evidence is “frozen” in place

Investigative Process Model – Stage 4 (Identification or Seizure)
• Identify and seize potential evidence
• Goal is not to seize everything – make informed, reasoned decisions
• Documentation is key
• Use memory aids (procedures, checklists, forms)

Case Study – Workplace Harassment: Incident Response / Seizure
— Work area is observed – Claimant and Respondent have left the premises
    • No video surveillance in work area
    • Area is secured though – do access key records exist?
— Work area is photographed
— Computers are found powered off at time of arrival on scene
— Hard drives from Claimant’s and Respondent’s computers are forensically imaged at scene
— Any other items of interest on desks or in work areas? CD/DVDs, USB, mobile devices, notes, folders, etc.
— Server e-mail, e-mail backups and home shares forensically copied for further analysis

Investigative Process Model – Stage 5 (Preservation)
• Take proper actions to ensure integrity of physical and digital evidence
• Often first stage that uses tools of a particular type
• Output of this stage is usually a set of duplicate data

Investigative Process Model – Stage 6 (Recovery)
• Extract deleted, hidden, camouflaged or otherwise unavailable data
• Performed on copies of digital evidence from the preservation stage
• Objective is to identify, and if possible make visible, all data that belongs to a particular data type

Case Study – Workplace Harassment: Preservation / Recovery
— Still primarily in realm of digital forensics at this point
— Allegation partially relates to images downloaded from internet
— Where to begin:
    • Images and HTML from allocated and unallocated space
    • All Internet history files
    • All Windows event logs
    • All Windows registry files
    • All files in C:\Documents & Settings\Respondent\Recent and Desktop and any other potentially relevant user folders
    • Windows prefetch files
— Goal is to recover everything that is potentially relevant for later research and analysis
— At this point in investigation, no perceived need to conduct physical investigation

Investigative Process Model – Stage 7 (Harvesting)
• Scrutiny of evidence begins
• Facts begin to take shape that support or negate claims or accusations
• Look for categories of evidence that seem or are known to be related to key facts of investigation

Case Study – Workplace Harassment: Harvesting
— First question: does Respondent’s computer have prohibited images on it?
— Start with the low hanging fruit - targets or goals which are easily achievable and which do not require a lot of effort
— Review of images from allocated space on Respondent’s computer reveals a substantial number of adult images are present
— This evidence supports Claimant’s allegation. Or does it?

Case Study – Workplace Harassment: Harvesting
— Two ways to look at Claimant’s allegation:
    • Scenario 1: Yes, Respondent downloaded prohibited images and videos to his computer
    • Scenario 2: There are prohibited images and videos on Respondent’s computer, but we don’t have enough information to determine who put them there
— Step outside of digital realm: consider physical layout of work area
— Recall that only two employees are in secured work area – Claimant and Respondent
— Recall that Claimant alleges several months of illicit downloading of pornography before making claim – this is an unusually long time before making a complaint
— Conclusion: there is not enough evidence to prove scenario 1 is true

Investigative Process Model – Stage 8 (Reduction)
• Separate the wheat from the chaff
• Consider material facts of case to help prioritize evidence
• Intended result is smallest set of evidence that has highest potential for containing data of probative value

Case Study – Workplace Harassment: Reduction
— Initial Findings on Respondent’s Computer
    • Several hundred pornographic images (allocated and unallocated)
    • Multiple visits to various pornographic sites over several month period
    • Approximately 75 e-mails from Claimant’s Yahoo! account, including Claimant’s written complaint to HR from unallocated space
    • Reimaged computer on day claim made against him
— Questions
    • How did Claimant’s e-mails get onto Respondent’s computer?
    • Did Claimant download the illicit images onto Respondent’s computer?
    • How credible is Claimant?
    • Further investigation of Claimant warranted

Case Study – Workplace Harassment: Reduction
— Initial Findings on Claimant’s Computer
    • Multiple visits to various pornographic sites over several month period
    • Computer reimaged on same day claim was made
    • Keystroke logger “SoftActivity” installed

Summary to this point
— There is truth to Claimant’s allegation, but…
— Claimant has serious credibility issue too
— Who did what and when?
— Too many open questions – need to broaden scope of investigation
— Need to put people in place and time

Case Study – Workplace Harassment: Recovery and Harvesting, Phase II
— Domain controller logs
    • Who was logged into which computer, and when?
    • What activity took place?
— Blended Investigation Techniques
    • Video Surveillance
        – Work area? Hallways? Stairwells?
    • Floor Plan
        – Open plan? Small or large space?
    • Access key records (i.e. floor entries and exits)
        – Who entered or left and when?
    • Interview of supervisor and other knowledgeable personnel
        – Do they have any helpful information to provide?

Ultimate goal is to build defensible timeline of what we know happened

Investigative Process Model – Stage 9 (Organization and Search)
• Organize reduced set of material into meaningful “buckets”
• Simplifies locating and identifying data during analysis stage
• May incorporate search technology or topic/cluster-based review

Investigative Process Model – Stage 10 (Analysis)
• Detailed scrutiny of materials
• Assess content and try to determine means, motivation and opportunity
• Experimentation with untested methods
• Correlation and timeline
• Validation

Case Study – Workplace Harassment: Organization and Analysis

Claimant alleges Respondent sexually harassed him on June 16, 2008 between 5:00-5:30pm in secured IT area on 13th floor.

Physical security: access key records for June 16, 2008, 4:30-6:00pm

Time | Activity
06/16/2008 16:32:40 | Respondent admitted to 11th floor lobby
06/16/2008 16:40:02 | Respondent admitted to 13th floor lobby
06/16/2008 16:40:29 | Respondent admitted to 13th floor IT area
06/16/2008 16:55:54 | Claimant admitted to 14th floor lobby
06/16/2008 16:57:25 | Claimant admitted to 14th floor cafeteria
06/16/2008 16:58:34 | Claimant admitted to 13th floor lobby
06/16/2008 16:58:48 | Claimant admitted to 13th floor IT area
06/16/2008 17:11:57 | Claimant admitted to 13th floor lobby
06/16/2008 17:12:20 | Claimant admitted to 13th floor IT area
06/16/2008 17:13:39 | Respondent admitted to 13th floor server room
06/16/2008 17:13:46 | Respondent admitted to 13th floor IT area
06/16/2008 17:17:19 | Respondent admitted to 13th floor server room
06/16/2008 17:32:27 | Respondent admitted to 13th floor IT area
06/16/2008 17:38:17 | Respondent admitted to 14th floor stairwell

Maximum amount of time together during alleged confrontation: 4 minutes 59 seconds

Case Study – Workplace Harassment: Organization and Analysis

Domain controller log for Claimant’s computer from morning of alleged physical incident until time claim was filed

Name | Domain | Duration | Event | Login Time | Time | User
ClaimantPC | Company | 0 | Logon | | 06/16/2008 08:36:58 | Claimant
ClaimantPC | Company | 1978 | Logoff | 06/16/2008 08:36:58 | 06/17/2008 17:35:29 | Claimant
ClaimantPC | Company | 0 | Logon | | 06/17/2008 17:43:16 | Respondent
ClaimantPC | Company | 31 | Logoff | 06/17/2008 17:43:16 | 06/17/2008 18:15:10 | Respondent
ClaimantPC | Company | 0 | Logon | | 06/17/2008 18:15:28 | Temp Account
ClaimantPC | Company | 2 | Logoff | 06/17/2008 18:15:28 | 06/17/2008 18:17:34 | Temp Account
ClaimantPC | Company | 0 | Logon | | 06/17/2008 18:18:48 | Administrator
ClaimantPC | Company | 1 | Logoff | 06/17/2008 18:18:48 | 06/17/2008 18:19:49 | Administrator
ClaimantPC | Company | 0 | Logon | | 06/17/2008 18:23:14 | Administrator
ClaimantPC | Company | 11 | Logoff | 06/17/2008 18:23:14 | 06/17/2008 18:34:37 | Administrator
ClaimantPC | Company | 0 | Logon | | 06/17/2008 18:34:51 | Respondent
ClaimantPC | Company | 1 | Logoff | 06/17/2008 06:34:51 | 06/17/2008 18:36:38 | Respondent
ClaimantPC | Company | 0 | Logon | | 06/18/2008 08:34:43 | Claimant
ClaimantPC | Company | 37 | Logoff | 06/18/2008 08:34:43 | 06/18/2008 09:12:03 | Claimant
ClaimantPC | Company | 0 | Logon | | 06/18/2008 10:24:27 | Temp Account
ClaimantPC | Company | 0 | Logon | | 06/19/2008 18:00:31 | Temp Account
ClaimantPC | Company | 3 | Logoff | 06/19/2008 18:00:31 | 06/19/2008 18:03:31 | Temp Account
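
The validation step applied to the domain controller table above, as an added example that is not part of the original slides: it pairs each Logon with its Logoff, recomputes the duration, and flags rows that disagree with each other. The rows are transcribed from the table as printed; reading Duration as whole minutes rounded down is an assumption inferred from the rows, and the function names are hypothetical.

```python
from datetime import datetime

FMT = "%m/%d/%Y %H:%M:%S"

# Rows transcribed from the slide's table for ClaimantPC, oldest first:
# (user, event, time, login time printed on the row, printed duration).
ROWS = [
    ("Claimant", "Logon", "06/16/2008 08:36:58", None, 0),
    ("Claimant", "Logoff", "06/17/2008 17:35:29", "06/16/2008 08:36:58", 1978),
    ("Respondent", "Logon", "06/17/2008 17:43:16", None, 0),
    ("Respondent", "Logoff", "06/17/2008 18:15:10", "06/17/2008 17:43:16", 31),
    ("Temp Account", "Logon", "06/17/2008 18:15:28", None, 0),
    ("Temp Account", "Logoff", "06/17/2008 18:17:34", "06/17/2008 18:15:28", 2),
    ("Administrator", "Logon", "06/17/2008 18:18:48", None, 0),
    ("Administrator", "Logoff", "06/17/2008 18:19:49", "06/17/2008 18:18:48", 1),
    ("Administrator", "Logon", "06/17/2008 18:23:14", None, 0),
    ("Administrator", "Logoff", "06/17/2008 18:34:37", "06/17/2008 18:23:14", 11),
    ("Respondent", "Logon", "06/17/2008 18:34:51", None, 0),
    ("Respondent", "Logoff", "06/17/2008 18:36:38", "06/17/2008 06:34:51", 1),
    ("Claimant", "Logon", "06/18/2008 08:34:43", None, 0),
    ("Claimant", "Logoff", "06/18/2008 09:12:03", "06/18/2008 08:34:43", 37),
    ("Temp Account", "Logon", "06/18/2008 10:24:27", None, 0),
    ("Temp Account", "Logon", "06/19/2008 18:00:31", None, 0),
    ("Temp Account", "Logoff", "06/19/2008 18:03:31", "06/19/2008 18:00:31", 3),
]


def _ts(text):
    return datetime.strptime(text, FMT)


def build_sessions(rows):
    """Pair Logon/Logoff rows per user and cross-check every pair."""
    pending = {}   # user -> time of a logon that has no logoff yet
    sessions = []

    def add(user, start, end, minutes, findings):
        sessions.append({"user": user, "start": start, "end": end,
                         "minutes": minutes, "findings": findings})

    for user, event, when, row_login, printed in rows:
        t = _ts(when)
        if event == "Logon":
            if user in pending:   # the earlier logon was never closed
                add(user, pending[user], None, None, ["no logoff recorded"])
            pending[user] = t
            continue
        start = pending.pop(user, None)
        findings = []
        if start is None:
            findings.append("logoff without a logon event")
            start = _ts(row_login) if row_login else t
        elif row_login and _ts(row_login) != start:
            findings.append("login time on logoff row differs from logon event")
        # Assumption: Duration is whole minutes, rounded down.
        minutes = int((t - start).total_seconds() // 60)
        if minutes != printed:
            findings.append(f"printed {printed} min, computed {minutes} min")
        add(user, start, t, minutes, findings)
    for user, start in pending.items():
        add(user, start, None, None, ["no logoff recorded"])
    return sorted(sessions, key=lambda s: s["start"])


def non_owner_sessions(sessions, owner="Claimant"):
    """Sessions on the workstation by any account other than its owner."""
    return [s for s in sessions if s["user"] != owner]


if __name__ == "__main__":
    for s in build_sessions(ROWS):
        end = s["end"].strftime(FMT) if s["end"] else "(open)"
        print(s["user"], s["start"].strftime(FMT), end, s["minutes"], s["findings"])
```

On these rows it reports two findings: the Respondent's second logoff row prints a login time of 06:34:51 while the logon event and the one-minute duration both correspond to 18:34:51, and the Temp Account logon on 06/18 has no logoff.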

Case Study – Workplace Harassment: Organization and Analysis
— Interviews of human resources personnel indicate Claimant met with them to discuss allegations on June 18, 2008 between 2:00-5:00pm in 14th floor conference room.
— What was Respondent doing during this time frame? Reimaging his computer.

Time | Activity
06/18/2008 16:47:00 | Respondent reimages computer with Windows XP

— Is this a coincidence?
— What could cause Respondent to reimage his computer during the time Claimant was meeting with HR regarding his claim? Could he have learned of the meeting?

Case Study – Workplace Harassment: Organization and Analysis
— Floor plan for 14th floor mapped with Respondent’s access key records during time frame of Claimant’s meeting with HR

Figure: 14th Floor plan, 6/18/08
2:51:07pm: Respondent enters 14th floor (stairwell 2) – was on same floor during Claimant’s meeting with HR
2:52:35pm: Respondent returns to 13th floor (stairwell 2)
2:52:59pm: Respondent enters secured IT area on 13th floor
Respondent does not enter secured administration area from 2:00-5:00pm on 6/18/08

Investigative Process Model – Stage 11 (Reporting)
• Should contain important details from each step
• Focus of report is on the analysis
• Can demonstrate investigator’s objectivity by describing eliminated theories that were unsupported or contradicted

Case Study – Workplace Harassment: Reporting
— Should contain important details from each step of the process
— Focus of report will be on the analysis leading to each conclusion and descriptions of all of the supporting evidence
— In a report, no conclusion should be presented without a thorough description of the supporting digital and physical evidence and your analysis
— Be prepared to be challenged
— In our case study, because of the significant number of details and movement of the parties, investigator requests a comprehensive timeline of events for both Claimant and Respondent as opposed to a technical examination report – tie the digital and physical evidence together
— Investigator reserves right to request background technical information and documentation to corroborate all items in timeline

Case Study – Workplace Harassment: Reporting / Timeline
— Evidence of Respondent’s viewing of pornographic websites and other prohibited activity
    • Approximately 1,200 pornographic images located on computer (allocated and unallocated)
    • Multiple visits to various pornographic sites over several month period
    • Approximately 75 e-mails from Claimant’s Yahoo! Account
    • Installed keystroke logging software on Claimant’s computer

Case Study – Workplace Harassment: Reporting / Timeline
— Evidence of Claimant’s viewing of pornographic websites

Time | Activity | Source
06/17/2008 10:26:33 | Claimant enters 13th floor | Access Key Records
06/17/2008 10:26:46 | Claimant enters secured IT area on 13th floor | Access Key Records
06/17/2008 10:35:00 | Claimant visits adult website | Internet History Analysis

— Where was Respondent during this time frame?

Time | Activity | Source
06/17/2008 08:37:46 | Respondent enters 14th floor | Access Key Records
06/17/2008 09:40:17 | Respondent enters 14th floor pantry | Access Key Records
06/17/2008 8:37:47 - 10:53:52 | No entries to any other floors are recorded by Respondent | Access Key Records
06/17/2008 10:53:53 | Respondent enters 13th floor | Access Key Records
06/17/2008 10:54:32 | Respondent enters secured IT area on 13th floor | Access Key Records

Case Study – Workplace Harassment: Reporting / Timeline
— Respondent’s spying on Claimant

Time | Activity | Source
06/17/2008 17:34:57 | Respondent logs off Respondent's computer | Domain Controller Log
06/17/2008 17:35:29 | Claimant logs off Claimant's computer | Domain Controller Log
06/17/2008 17:37:23 | Respondent enters secured IT area on 13th floor | Access Key Records
06/17/2008 17:43:16 | Respondent logs on to Claimant's computer using Respondent’s user ID | Domain Controller Log
06/17/2008 17:47:00 | Respondent visits Yahoo! using Internet Explorer and searches for Yahoo! password helper | Internet History Analysis
06/17/2008 17:51:00 | Respondent performs another Yahoo! search using Internet Explorer and searches for keystroke software | Internet History Analysis
06/17/2008 17:53:00 | Respondent performs another Yahoo! search using Internet Explorer and searches for free keystroke software | Internet History Analysis
06/17/2008 17:53:00 | Respondent visits www.freedownloadscenter.com using Mozilla Firefox and searches for keystroke | Internet History Analysis
06/17/2008 17:54:00 | Respondent visits www.keyghost.com | Internet History Analysis
06/17/2008 17:55:00 | Respondent visits www.dirfile.com/revealer_free_edition.htm using Firefox | Internet History Analysis
06/17/2008 18:00:00 | Respondent visits www.softactivity.com using Firefox | Internet History Analysis
06/17/2008 18:05:23 | Respondent installs keylogger software "SoftActivity" on Claimant's computer | Internet History Analysis
06/17/2008 18:15:10 | Respondent logs off of Claimant's computer | Domain Controller Log

Case Study – Workplace Harassment: Social networking evidence also refutes Claimant’s story of physical and emotional distress
— Uses pseudonym – same as Yahoo! E-mail account name
— Pseudonym was unique, not common – useful for search engine research
— Google searches revealed social networking profiles or dating profiles on the following sites:
    • MySpace
    • Facebook
    • Multiple dating websites, including at least one nude photo
— MySpace entries during leave of absence include:
    • “Are you ready to party?”
    • “So where will you be tonight?... I am your new stalker.”
    • “Thank you so much for the wonderful experience of last Saturday night”.
    • “We should go and have a blast tonight”.
    • “I had a blast with you guys! Where is the next party?”

Case Study – Workplace Harassment: Social networking evidence
— Photograph of Claimant located on Internet at a trendy hotel in New York City
— Taken during time of Claimant’s leave of absence
— The hotel was hosting an event the weekend of June 28-29, 2008

Investigative Process Model – Stage 12 (Persuasion and Testimony)
• May be necessary to testify or answer questions before decision makers can reach conclusion
• Much preparation required
• Use techniques and methods to translate technical detail into understandable terms

Case Study – Workplace Harassment: Persuasion and Testimony
— More difficult to explain digital evidence than physical evidence
— If you weren’t a digital forensics practitioner, would YOU understand what you were saying?
— Your audience must be able to comprehend what you’re telling them in order to make appropriate decisions
— Practice your techniques on a co-worker or lay person if necessary
— For some helpful tips on testifying and conveying information, see http://www.justice.gov/usao/ne/vw/prep%20testify.pdf

Case Study – Workplace Harassment: Investigation results
— After two weeks of investigation Respondent was terminated for violation of the company’s technology usage policy
— Claimant filed a demand letter threatening to sue employer
— Investigation established that Claimant was a ‘bad actor’ and had also violated the company’s technology usage policy
— Claimant filed a demand letter threatening to sue the company while on leave
— Claimant’s activity was tracked for six weeks while he was on leave; activity clearly refuted claims of physical ailments and emotional distress
— In order to avoid further conflict and possible legal action, the company decided to settle the matter with the Claimant

Summary
• Blended investigation techniques are a crucial must-have in your investigative methodology
• Possible areas to investigate and pursue:
    — Digital forensics
    — Face to face interviews
    — Access card logs
    — E-mail discovery and review
    — Voicemail
    — Video surveillance and analysis
    — Inventory audits
    — Financial statement analysis / forensic accounting
    — Anything else relevant to your investigation

Contact information
John Grancarich, EnCE
Practice Support Electronic Discovery Consultant
Paul Hastings Janofsky & Walker [email protected]