Blended Enterprise Investigations

Blended Enterprise Investigations
Using Digital Forensics and Physical Security to Build Your Case
By John Grancarich, Paul Hastings Janofsky & Walker LLP


Introduction
Pure digital investigations are becoming a thing of the past
The physical world is increasingly going digital
A puzzle contains more than one piece - investigate them all
— Digital forensics
— Interviews of key players
— Building/floor access logs
— Floor plan analysis
The essential aspect of the blended role? Solid investigative skills
Can one person do it all? Not always

P A G E 1


Agenda
Investigative methodology
Case study – workplace harassment
Blended investigation techniques

P A G E 2


Investigative Philosophy
The goal of any investigation is to discover and present the truth
How do we get to the truth? Trusted, non-biased methodology and
technology
The effectiveness of the investigative process depends upon high levels
of objectivity applied at all stages
Intellect over emotion at all times
Understand difference between examination and investigation
— Examiner reports on findings
— Investigator puts all the pieces together

P A G E 3


Investigative Process Model
Persuasion and Testimony Translate and explain

Reporting Prepare detailed record

Analysis Scrutinize and understand

Organization and Search What is the focus?

Reduction Filter and eliminate

Harvesting Data about data

Recovery Get it all!

Preservation Maintain integrity

Identification or Seizure Recognition & proper packaging

Incident Response / Protocol Actions at scene

Assessment of Worth Prioritize / choose

Incident Alert / Accusation / Claim Crime or policy violation

Source: Digital Evidence and Computer Crime, 2nd Ed., Eoghan Casey
P A G E 4


Investigative Process Model – Stage 1

Persuasion and Testimony
Reporting
Analysis
Organization and Search
Reduction
• Triggering event
Harvesting • Consider source and reliability
Recovery of information
• Start gathering initial facts
Preservation • Delicate stage in an
investigation
Identification or Seizure
Incident Response / Protocol
Assessment of Worth
Stage 1 Incident Alert / Accusation / Claim

P A G E 5


Case Study – Workplace Harassment
Incident Alert / Accusation / Claim
— Client’s IT group consists of two employees working in secured area
— Claimant accuses respondent of downloading adult content to work computer
and viewing it in workplace
— Alleges this activity has been going on for approximately nine months
— Two days before claim was made alleges that respondent attempted to initiate
a physical relationship with claimant in the office against claimant’s wishes.
Attempt was graphic and involved according to allegation.
— Claimant goes to HR and makes claim
— Incident is documented and claimant immediately goes on paid leave, stating
severe physical side effects and emotional distress as a result of this
experience

P A G E 6



Reporting
Analysis
• Apply investigative resources
Reduction where needed most
• Questions asked to focus on most
Harvesting
severe problems
Recovery • Result of this step is one of two
options: no further action or
Preservation continue to investigate
Stage 2 Assessment of Worth

P A G E 7


Assessment of Worth
— Internal investigators immediately informed of incident
— Very serious allegations
— Do the respondent’s alleged actions (the unwanted physical advances)
constitute harassment only, or sexual assault?
— Claimant deserves to have allegations investigated, and company has duty to
determine what happened
— Would have serious ramifications if not pursued
— Continue to investigate? Yes

P A G E 8



Reporting
Analysis
Organization and Search • Retain and document items at
scene
Reduction • Follow accepted protocols
• Result of this step is secure scene
Harvesting where evidence is “frozen” in
Recovery place

Preservation
Stage 3 Incident Response / Protocol
Assessment of Worth

P A G E 9



Reporting
• Identify and seize potential
Analysis evidence
• Goal is not to seize everything –
Organization and Search make informed, reasoned decisions
• Documentation is key
Reduction
• Use memory aids (procedures,
Harvesting checklists, forms)

Recovery
Preservation
Stage 4 Identification or Seizure
Assessment of Worth

P A G E 10


Incident Response / Seizure
— Work area is observed – Claimant and Respondent have left the premises
No video surveillance in work area
Area is secured though – do access key records exist?
— Work area is photographed
— Computers are found powered off at time of arrival on scene
— Hard drives from Claimant’s and Respondent’s computers are forensically
imaged at scene
— Any other items of interest on desks or in work areas? CD/DVDs, USB, mobile
devices, notes, folders, etc.
— Server e-mail, e-mail backups and home shares forensically copied for further
analysis

P A G E 11



• Take proper actions to ensure integrity
Reporting of physical and digital evidence
• Often first stage that uses tools of a
Analysis
particular type
Organization and Search • Output of this stage is usually a set of
duplicate data
Reduction
Harvesting
Recovery
Stage 5 Preservation
Assessment of Worth

P A G E 12


• Extract deleted, hidden, camouflaged
Persuasion and Testimony or otherwise unavailable data
• Performed on copies of digital
Reporting evidence from the preservation stage
• Objective is to identify, and if possible
Analysis
make visible, all data that belongs to a
Organization and Search particular data type

Reduction
Harvesting
Stage 6 Recovery
Preservation
Assessment of Worth

P A G E 13


Preservation / Recovery
— Still primarily in realm of digital forensics at this point
— Allegation partially relates to images downloaded from internet
— Where to begin:
Images and html from allocated and unallocated space
All Internet history files
All Windows event logs
All Windows registry files
All files in C:Documents & SettingsRespondentRecent and Desktop and any other
potentially relevant user folders
Windows prefetch files
— Goal is to recover everything that is potentially relevant for later research and
analysis
— At this point in investigation, no perceived need to conduct physical
investigation

P A G E 14



Reporting
Analysis
Reduction
Stage 7 Harvesting
Recovery
• Scrutiny of evidence begins
Preservation • Facts begin to take shape that
support or negate claims or
Identification or Seizure accusations
• Look for categories of evidence
that seem or are known to be related
Assessment of Worth to key facts of investigation


P A G E 15


Harvesting
— First question: does Respondent’s computer have prohibited images on it?
— Start with the low hanging fruit - targets or goals which are easily achievable
and which do not require a lot of effort
— Review of images from allocated space on Respondent’s computer reveals a
substantial number of adult images are present
— This evidence supports Claimant’s allegation. Or does it?

P A G E 16


Harvesting
— Two ways to look at Claimant’s allegation:
Scenario 1: Yes, Respondent downloaded prohibited images and videos to his
computer
Scenario 2: There are prohibited images and videos on Respondent’s computer, but
we don’t have enough information to determine who put them there
— Step outside of digital realm: consider physical layout of work area
— Recall that only two employees are in secured work area – Claimant and
Respondent
— Recall that Claimant alleges several months of illicit downloading of
pornography before making claim – this is an unusually long time before
making a complaint
— Conclusion: there is not enough evidence to prove scenario 1 is true

P A G E 17



Reporting
Analysis
Stage 8 Reduction
Harvesting
• Separate the wheat from the chaff
Recovery • Consider material facts of case to
help prioritize evidence
Preservation • Intended result is smallest set of
evidence that has highest potential
Identification or Seizure for containing data of probative value
Assessment of Worth

P A G E 18


Reduction
— Initial Findings on Respondent’s Computer
Several hundred pornographic images (allocated and unallocated)
Multiple visits to various pornographic sites over several month period
Approximately 75 e-mails from Claimant’s Yahoo! account, including Claimant’s written
complaint to HR from unallocated space
Reimaged computer on day claim made against him
— Questions
How did Claimant’s e-mails get onto Respondent’s computer?
Did Claimant download the illicit images onto Respondent’s computer?
How credible is Claimant?
Further investigation of Claimant warranted

P A G E 19


Reduction
— Initial Findings on Claimant’s Computer
Computer reimaged on same day claim was made
Keystroke logger “SoftActivity” installed

Summary to this point
— There is truth to Claimant’s allegation, but…
— Claimant has serious credibility issue too
— Who did what and when?
— Too many open questions – need to broaden scope of investigation
— Need to put people in place and time

P A G E 20


Recovery and Harvesting, Phase II
— Domain controller logs
Who was logged into which computer, and when?
What activity took place?
— Blended Investigation Techniques
Video Surveillance
– Work area? Hallways? Stairwells?
Floor Plan
– Open plan? Small or large space?
Access key records (i.e. floor entries and exits)
– Who entered or left and when?
Interview of supervisor and other knowledgeable personnel
– Do they have any helpful information to provide?

Ultimate goal is to build defensible timeline of what we know happened

P A G E 21



Reporting
Analysis
Stage 9 Organization and Search
Reduction
Harvesting
• Organize reduced set of material
Recovery into meaningful “buckets”
• Simplifies locating and identifying
Preservation data during analysis stage
Identification or Seizure • May incorporate search technology
or topic/cluster-based review
Assessment of Worth

P A G E 22



Reporting
Stage 10 Analysis
Reduction
• Detailed scrutiny of materials
Harvesting • Assess content and try to determine
means, motivation and opportunity
Recovery • Experimentation with untested
methods
Preservation
• Correlation and timeline
Identification or Seizure • Validation

Assessment of Worth

P A G E 23

Case Study – Workplace Harassment: Organization and Analysis
Claimant alleges Respondent sexually harassed him on June 16, 2008
between 5:00-5:30pm in secured IT area on 13th floor.
Physical security: access key records for June 16, 2008, 4:30-6:00pm
Time Activity

06/16/2008 16:32:40 Respondent admitted to 11th floor lobby

06/16/2008 16:40:02 Respondent admitted to 13th floor lobby

06/16/2008 16:40:29 Respondent admitted to 13th floor IT area

06/16/2008 16:55:54 Claimant admitted to 14th floor lobby

06/16/2008 16:57:25 Claimant admitted to 14th floor cafeteria

06/16/2008 16:58:34 Claimant admitted to 13th floor lobby
Maximum amount of
time together during 06/16/2008 16:58:48 Claimant admitted to 13th floor IT area
alleged confrontation:
4 minutes 59 seconds 06/16/2008 17:11:57 Claimant admitted to 13th floor lobby

06/16/2008 17:12:20 Claimant admitted to 13th floor IT area

06/16/2008 17:13:39 Respondent admitted to 13th floor server room


06/16/2008 17:17:19 Respondent admitted to 13th floor server room


06/16/2008 17:38:17 Respondent admitted to 14th floor stairwell

P A G E 24

Case Study – Workplace Harassment: Organization and Analysis
Domain controller log for Claimant’s computer from morning of alleged physical
incident until time claim was filed
Name Domain Duration Event Login Time Time User
ClaimantPC Company 0 Logon 06/16/2008 08:36:58 Claimant
ClaimantPC Company 1978 Logoff 06/16/2008 08:36:58 06/17/2008 17:35:29 Claimant
ClaimantPC Company 0 Logon 06/17/2008 17:43:16 Respondent
ClaimantPC Company 31 Logoff 06/17/2008 17:43:16 06/17/2008 18:15:10 Respondent
ClaimantPC Company 0 Logon 06/17/2008 18:15:28 Temp Account
ClaimantPC Company 2 Logoff 06/17/2008 18:15:28 06/17/2008 18:17:34 Temp Account
ClaimantPC Company 0 Logon 06/17/2008 18:18:48 Administrator
ClaimantPC Company 1 Logoff 06/17/2008 18:18:48 06/17/2008 18:19:49 Administrator
ClaimantPC Company 0 Logon 06/17/2008 18:23:14 Administrator
ClaimantPC Company 11 Logoff 06/17/2008 18:23:14 06/17/2008 18:34:37 Administrator
ClaimantPC Company 0 Logon 06/17/2008 18:34:51 Respondent
ClaimantPC Company 1 Logoff 06/17/2008 06:34:51 06/17/2008 18:36:38 Respondent
ClaimantPC Company 0 Logon 06/18/2008 08:34:43 Claimant
ClaimantPC Company 37 Logoff 06/18/2008 08:34:43 06/18/2008 09:12:03 Claimant
ClaimantPC Company 3 Logoff 06/19/2008 18:00:31 06/19/2008 18:03:31 Temp Account

P A G E 25

Organization and Analysis
— Interviews of human resources personnel indicate Claimant met with them to discuss
allegations on June 18, 2008 between 2:00-5:00pm in 14th floor conference room.
— What was Respondent doing during this time frame? Reimaging his computer.

Time Activity

06/18/2008 16:47:00 Respondent reimages computer with Windows XP

— Is this a coincidence?
— What could cause Respondent to reimage his computer during the time Claimant was meeting
with HR regarding his claim? Could he have learned of the meeting?

P A G E 26


Organization and Analysis
— Floor plan for 14th floor mapped with Respondent’s access key records during
time frame of Claimant’s meeting with HR

6/18/08

2:51:07pm
Respondent enters 14th
floor (stairwell 2) – was on
same floor during Respondent does not enter
Claimant’s meeting with secured administration
HR area from 2:00-5:00pm on
6/18/08
2:52:35pm
Respondent returns to
13th floor (stairwell 2)

2:52:59pm
Respondent enters
secured IT area on 13th
floor
14th Floor

P A G E 27



Stage 11 Reporting
Analysis
• Should contain important details
Reduction from each step
• Focus of report is on the analysis
Harvesting • Can demonstrate investigator’s
Recovery objectivity be describing eliminated
theories that were unsupported or
Preservation contradicted

Assessment of Worth

P A G E 28


Reporting
— Should contain important details from each step of the process
— Focus of report will be on the analysis leading to each conclusion and
descriptions of all of the supporting evidence
— In a report, no conclusion should be presented without a thorough description
of the supporting digital and physical evidence and your analysis
— Be prepared to be challenged
— In our case study, because of the significant number of details and movement
of the parties, investigator requests a comprehensive timeline of events for
both Claimant and Respondent as opposed to a technical examination report –
tie the digital and physical evidence together
— Investigator reserves right to request background technical information and
documentation to corroborate all items in timeline

P A G E 29


Reporting / Timeline
— Evidence of Respondent’s viewing of pornographic websites and other
prohibited activity
Approximately 1,200 pornographic images located on computer (allocated and
unallocated)
Approximately 75 e-mails from Claimant’s Yahoo! Account
Installed keystroke logging software on Claimant’s computer

P A G E 30


— Evidence of Claimant’s viewing of pornographic websites

Time Activity Source

06/17/2008 10:26:33 Claimant enters 13th floor Access Key Records

06/17/2008 10:26:46 Claimant enters secured IT area on 13th floor Access Key Records

06/17/2008 10:35:00 Claimant visits adult website Internet History Analysis

— Where was Respondent during this time frame?


06/17/2008 08:37:46 Respondent enters 14th floor Access Key Records

06/17/2008 09:40:17 Respondent enters 14th floor pantry Access Key Records
No entries to any other floors are recorded by
06/17/2008 8:37:47 - 10:53:52 Respondent Access Key Records

06/17/2008 10:53:53 Respondent enters 13th floor Access Key Records

06/17/2008 10:54:32 Respondent enters secured IT area on 13th floor Access Key Records

P A G E 31


— Respondent’s spying on Claimant

06/17/2008 17:34:57 Respondent logs off Respondent's computer Domain Controller Log
06/17/2008 17:35:29 Claimaint logs off Claimant's computer Domain Controller Log
06/17/2008 17:37:23 Respondent enters secured IT area on 13th floor Access Key Records
06/17/2008 17:43:16 Respondent logs on to Claimant's computer using Respondent’s user ID Domain Controller Log
06/17/2008 17:47:00 Respondent visits Yahoo! using Internet Explorer and searches for Yahoo! password helper Internet History Analysis
06/17/2008 17:51:00 Respondent performs another Yahoo! search using Internet Explorer and searches for keystroke Internet History Analysis
software
06/17/2008 17:53:00 Respondent performs another Yahoo! search using Internet Explorer and searches for free Internet History Analysis
keystroke software
06/17/2008 17:53:00 Respondent visits www.freedownloadscenter.com using Mozilla Firefox and searches for Internet History Analysis
keystroke
06/17/2008 17:54:00 Respondent visits www.keyghost.com Internet History Analysis
06/17/2008 17:55:00 Respondent visits www.dirfile.com/revealer_free_edition.htm using Firefox Internet History Analysis

06/17/2008 18:00:00 Respondent visits www.softactivity.com using Firefox Internet History Analysis

06/17/2008 18:05:23 Respondent installs keylogger software "SoftActivity" on Claimant's computer Internet History Analysis
06/17/2008 18:15:10 Respondent logs off of Claimant's computer Domain Controller Log

P A G E 32


Social networking evidence also refutes Claimant’s story of physical and
emotional distress
— Uses pseudonym – same as Yahoo! E-mail account name
— Pseudonym was unique, not common – useful for search engine research
— Google searches revealed social networking profiles or dating profiles on the
following sites:
MySpace
Facebook
Multiple dating websites, including at least one nude photo
— MySpace entries during leave of absence include:
“Are you ready to party?”
“So where will you be tonight?... I am your new stalker.”
“Thank you so much for the wonderful experience of last Saturday night”.
“We should go and have a blast tonight”.
“I had a blast with you guys! Where is the next party?”

P A G E 33


Case Study –
Workplace Harassment
Social networking evidence
— Photograph of Claimant
located on Internet at a
trendy hotel in New York City
— Taken during time of
Claimant’s leave of absence
— The hotel was hosting an
event the weekend of June
28-29, 2008

P A G E 34


Stage 12 Persuasion and Testimony
Reporting
Analysis
• May be necessary to testify or
Organization and Search answer questions before decision
makers can reach conclusion
Reduction • Much preparation required
Harvesting • Use techniques and methods to
translate technical detail into
Recovery understandable terms

Preservation
Assessment of Worth

P A G E 35


— More difficult to explain digital evidence than physical evidence
— If you weren’t a digital forensics practitioner, would YOU understand what you
were saying?
— Your audience must be able to comprehend what you’re telling them in order to
make appropriate decisions
— Practice your techniques on a co-worker or lay person if necessary
— For some helpful tips on testifying and conveying information, see
http://www.justice.gov/usao/ne/vw/prep%20testify.pdf

P A G E 36


Investigation results
— After two weeks of investigation Respondent was terminated for violation of the
company’s technology usage policy
— Claimant filed a demand letter threatening to sue employer
— Investigation established that Claimant was a ‘bad actor’ and had also violated
the company’s technology usage policy
— Claimant filed a demand letter threatening to sue the company while on leave
— Claimant’s activity was tracked for six weeks while he was on leave; activity
clearly refuted claims of physical ailments and emotional distress
— In order to avoid further conflict and possible legal action, the company
decided to settle the matter with the Claimant

P A G E 37


Summary
Blended investigation techniques are a crucial must-have in your
investigative methodology
Possible areas to investigate and pursue:
— Digital forensics
— Face to face interviews
— Access card logs
— E-mail discovery and review
— Voicemail
— Video surveillance and analysis
— Inventory audits
— Financial statement analysis / forensic accounting
— Anything else relevant to your investigation

P A G E 38


Contact information
John Grancarich, EnCE
Practice Support Electronic Discovery Consultant
Paul Hastings Janofsky & Walker LLP
johngrancarich@paulhastings.com
212-318-6553

P A G E 39

Blended Enterprise Investigations

Recomendados

Recomendados

Más contenido relacionado

Similar a Blended Enterprise Investigations

Similar a Blended Enterprise Investigations (20)

Blended Enterprise Investigations