Forensics

Digital Forensic Analysis: Hypothetical Cases

1. ISSUE: An executive in charge of breakthrough scientific research resigns without notice. An internal forensic analysis of the executive's workplace computer reveals no evidence the executive took confidential research data. Senior management, however, requests an independent examination.

FINDINGS: Neohapsis examines the executive's workplace computer and establishes that, the day before the executive's departure, the executive formatted a writeable CD and created files on it with names and time/date stamps identical to those of the company's confidential research files. We then analyze the packets in the capture log file of the computer's personal firewall and establish that, immediately after the writeable CD was initialized, the company's confidential research files were downloaded.

2. ISSUE: A company sues a former employee for theft of trade secrets and the court orders the former employee to preserve all home computer information. The parties agree to an examination of the home computer by an independent and mutually acceptable computer forensics expert.

FINDINGS: Neohapsis examines the home computer and determines that, two days after issuance of the preservation order, numerous files were deleted and a wipe utility was then executed, erasing most evidence of the deleted files. However, we recover the names of the deleted files, many of which correspond to the file names of the company's trade secret data.

3. ISSUE: An employee with access to sensitive data abruptly resigns. The IT department reports the employee's laptop hard drive has been completely erased with a highly sophisticated wipe utility.

FINDINGS: With no hard drive to analyze, Neohapsis reassembles packets from the company's recent network traffic logs and determines the employee had indeed downloaded numerous sensitive files.

4. ISSUE: An analyst leaves a company that utilizes complex, proprietary economic models. A routine forensic examination of the analyst's workplace computer reveals no proprietary information has been downloaded. However, within weeks, the analyst's new employer launches a competing business.

FINDINGS: Neohapsis establishes that, on the analyst's last day of employment, a high-capacity external drive was attached to the analyst's workplace computer. On this external drive, a directory structure was created that is identical to the directory structure of the database containing the company's proprietary economic models. During subsequent litigation, the analyst's new employer provides hash values (digital "fingerprints" unique to each file) for the files on the analyst's new workplace computer. We compare these hash values to those of the files in the former employer's proprietary database and establish that many are identical matches.
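The hash comparison in case 4 can be sketched as follows. This is an added example, not Neohapsis's tooling or code from the original page; SHA-256, the `sha256sum`-style manifest layout, and all file names and contents are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash in chunks so large evidence files are never read into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root):
    """Map each digest to the relative paths under root that carry it."""
    index = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        index.setdefault(sha256_file(path), []).append(path.relative_to(root).as_posix())
    return index


def match_manifest(manifest_text, reference_root):
    """Match 'digest  path' lines (sha256sum layout) against the reference tree."""
    reference = index_tree(reference_root)
    matches = []
    for line in manifest_text.splitlines():
        digest, sep, name = line.strip().partition("  ")
        if sep and digest.lower() in reference:
            matches.append((name, reference[digest.lower()]))
    return matches


def demo():
    """Constructed sample: one reference file reappears under a different name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "models").mkdir()
        (root / "models" / "forecast_q3.dat").write_bytes(b"constructed model A\n")
        (root / "models" / "pricing.dat").write_bytes(b"constructed model B\n")
        manifest = "\n".join([
            hashlib.sha256(b"constructed model A\n").hexdigest() + "  notes/renamed.bin",
            hashlib.sha256(b"unrelated content\n").hexdigest() + "  notes/readme.txt",
        ])
        return match_manifest(manifest, root)


if __name__ == "__main__":
    print(demo())
```

Because the match is made on content digests rather than names, a file that was renamed or moved on the new system still pairs with its original.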

5. ISSUE: An employee arrested for child enticement claims to have engaged in no inappropriate activity at the workplace or while using corporate computer resources.

FINDINGS: Without benefit of the employee's personal ISP account passwords, Neohapsis examines the workplace computer and recovers evidence proving the employee used a personal email account to send and receive incriminating pornographic images. We also recover related instant-message remnants placing the employee at the office.

6. ISSUE: Several customers receive email messages harshly critical of a key supplier. Although it appears the supplier's internal auditor sent the messages from a personal email account, the auditor claims to have been locked out of that email account for several days. The company's internal forensics investigators determine the messages did not originate from the auditor's computer, but actually originated from the public IP (Internet Protocol) address assigned to another employee's computer. When confronted, the employee denies involvement and alleges someone must have mimicked the IP address assigned to the employee's computer.

FINDINGS: Neohapsis examines both computers and determines the IP addresses associated with the computers have not changed in several months. Further, we recover remnants of the original emails and corresponding reply messages from the employee's computer - and none from the auditor's computer. Finally, the employee admits shoulder-surfing to obtain the auditor's personal email account password, changing the account password, and sending the critical messages.

7. ISSUE: A subordinate accuses a high-level employee of downloading and viewing pornographic images, a violation of company policy. After the company's internal forensics investigators identify a substantial volume of pornographic images on the employee's computer, the company requests an examination by an independent forensics expert.

FINDINGS: Neohapsis discovers the system time-date setting on the computer was altered. We then establish the actual download dates and times. Finally, an examination of the company's cardkey access records reveals the download dates and times correspond to a period when the accuser was in the building, but the accused employee was not.