The Sandwich Thief
It is common knowledge that the Internet is full of quirky, humorous stories. One of my favorites is the story of the “Sandwich Thief” and “Turkey and Swiss on Rye” (http://metro.co.uk/2014/08/21/battle-of-sandwich-turkey-and-swiss-on-rye-fridge-note-war-is-the-most-passive-aggressive-thing-weve-ever-seen-4841225/). For those who have not read the exchange before, the “Sandwich Thief” (later identified as Francis) takes a sandwich belonging to another coworker from the corporate refrigerator without permission. The passive-aggressive exchange between Francis and the coworker, culminating in Tina’s discovery of Francis being the criminal mastermind, is nothing short of classic office humor, and is also something that many people in corporate environments have likely been able to relate to.
This story of the “Sandwich Thief” serves as a humorous example for my points on the importance of quick preservation in response to a security incident. Behind the scenes, IT/HR in the story was able to check the print logs to determine that Francis’s computer was the one that had sent the numerous print requests. Let’s pretend that, prior to checking the print logs, Tina had asked for physical evidence from the victim employee that someone had actually stolen the sandwich. The employee could have taken the printed materials affixed to the refrigerator (the photos in the story indicate that paper that was taped appeared to have been torn from the door) and presented them as evidence. Had someone else removed the papers from the door immediately after they were affixed, they might have been placed in a company document shredder and have been lost. At that point, suddenly, the caper of the stolen sandwich takes on the persona of the “he-said-she-said” investigation.
As of the publishing date of this post, I have been analyzing computers in incident response/breach cases for 4 ½ years. One of the largest roadblocks in my analysis is when I find that the machine whose forensic image I am examining was indeed infected, but the actual malicious files were removed by antivirus, and/or IT performed their own manual cleanup – by taking actions such as deleting user profiles or reinstalling applications. While the actions of IT may prove helpful to company from an end-user standpoint (as the computer is now virus-free), they can definitely also thwart a forensic investigation. After all, evidence is being trampled upon during the cleanup since files and directories are being added or removed. Granted, I can perform research on the malware if I know its name from examining an antivirus log, but malware can have several “flavors” (called variants) that behave differently. Antivirus logs may not capture that information. Think of malware variants as different versions of a program – Microsoft Word 2016 looks starkly different from Microsoft Word 2003, for instance. It becomes much harder to conclude the events that took place from infection to remediation if I am unable to determine such items as when the malicious program took residency on the computer because new files have already overwritten the metadata of the ones that I’m after.
The Key to Data Preservation
In forensics, if one artifact fails, another may contain the desired information. In breach cases, I explore all avenues in an effort to answer the questions asked of me. However, some avenues may never be available if preservation is not performed at the right time.
For instance, malware is capable of opening network ports on an infected computer to exfiltrate data. As part of a “live” preservation, forensic software is capable of reporting which ports are open and which are closed. It can tell me what processes are currently loaded into the computer’s memory, what users are logged in, and a number of other useful bits of information that may prove instrumental in incident response investigation. Granted, I may be able to determine select bits of information regarding those items several months down the road (if the computer isn’t preserved in a timely manner), but that process becomes much more difficult and time-consuming as the days pass while legal/IT debates on a course of action.
In breach investigations, however, time is often of the essence. A couple of years back, I was performing some testing related to deletion analysis. On a 500 GB hard drive with Windows 7 Professional as its operating system and 75% of the drive available for storage, it took less than ten minutes for the operating system to overwrite a file that I had deleted. Ten minutes. Hypothetically speaking, I had ten minutes to preserve the computer (if I wanted to) before that file’s contents became at least partially overwritten.
The best-case scenario after a breach has been identified from a forensic standpoint is preservation as rapidly as possible. Immediate preservation allows for the most relevant data to be collected and as few opportunities for the evidence to be trampled upon. In the story of the “Sandwich Thief,” the unnamed employee was right in swiftly acting upon the theft. Just like a deleted file on a computer, the print logs that were likely analyzed can rotate and the evidence that showed Francis’s computer as the one printing the numerous documents could have been overwritten. Those print logs were the “smoking gun” evidence in that “case.” In a real-world breach, preserving volatile data immediately gives a forensic examiner the best opportunity to reconstruct events on the infected machine, and ultimately provides the most information needed to answer questions as to how the breach happened, if it spread, and if any data was exfiltrated from the organization.