I. Misuse of company equipment with allegation of sexual harassment.

II. Theft of Intellectual Property

III. Network Intrusion Analysis


Misuse of company equipment with allegation of sexual harassment.

Company A received a complaint from a female employee of possible sexual harassment by a coworker, Mr. Smith. The allegations claimed that Mr. Smith often visited adult websites while at work, and “showed off” his ability to fool the corporate Internet adult-content filters. The I.T. staff was called in to make a “ghost” copy of Mr. Smith’s computer, and to find evidence of the above allegations. The I.T. staff was unsuccessful, and reported that “No inappropriate material was found” on Mr. Smith’s computer hard drive. This is not necessarily the I.T. staff’s fault; they simply do not know how to properly conduct computer forensics.

Soon after the initial probe by the I.T. staff, a second complaint was filed with HR, alleging that Mr. Smith was again visiting adult pornography websites. This time the complainant had a print out of a website which had “inflammatory statements” about a co-worker. The complaint suggested that Mr. Smith did the posting of the message, since he once dated the mentioned employee. The posted “inflammatory statements” also contained some “threatening” statements which raised concern.

Again, the I.T. staff was called in to find any evidence of misuse, and specifically to locate any references to the inappropriate postings. After spending several weeks manually reviewing the thousands of files located on Mr. Smith’s computer, the I.T. staff was again unsuccessful.

DataClues was contacted and engaged to:

  • Find any inappropriate websites residing on the computer in question
  • If possible, try to determine who visited the websites
  • Search for any keywords that matched the ones used to post the “inflammatory statements”.

DataClues was able to provide the company with the following results:

  1. Several employees were interviewed by the executive staff, which revealed 3 other employees who were either witnesses or possible victims related to the current investigation.
  2. Several hundred adult websites were visited over an 8-month span, which were linked to Mr. Smith’s computer.
  3. Since the computer required a “login”, a detailed list of Mr. Smith’s internet activity was reported, which corresponded with the adult websites found.
  4. We were able to identify the exact date/time that the “inflammatory statements” were posted, which corresponded to an email sent by Mr. Smith.

Mr. Smith was presented with all the findings, and immediately resigned.

DataClues suggested and assisted in implementing the following guidelines:

  • Training of the HR department in dealing with computer misuse allegations, specifically on evidence preservation.
  • Training of the I.T. staff in proper computer system imaging and record keeping.
  • A complete audit of current computer use policies.
  • A complete audit of the current Network Infrastructure for proper logging of specific events.


Theft of Intellectual Property

Company B’s owner received a phone call stating that two of his employees had established a competing company. The owner was very concerned, because the two employees were currently working on a new design concept. The owner could not turn to his I.T. staff because all of them had personal ties to the employees in question.

The owner hired a private investigative firm to install email “monitoring” software on the server to capture all inbound and outbound emails from the two suspected employees. After 3 months of reviewing hundreds of emails, nothing suspicious was found. The two employees became aware of the internal investigation, and both left the company.

A month later, the two ex-employees started Company Z, and were in direct competition with their former company. It was soon discovered that Company Z was offering a product that once was designed at Company B.

DataClues was contacted and engaged to:

  • Search the computer systems used by the two ex-employees. DataClues soon found out that the computer systems were “formatted” and issued to new employees.
  • Assist the Legal Counsel in the preparation of evidence preservation subpoenas for additional computer systems, located within the competing company.

DataClues was able to provide the company with the following results:

  1. Executive staff members interviewed several employees. It was found that the ex-employees had been aware of the internal investigation all along.
  2. DataClues was able to recover several KEY files from the “formatted” hard drives.
  3. It was determined that the two ex-employees used web-based email systems (e.g. Hotmail and Yahoo) to send and receive email without being detected by the “monitoring” software, which only captured mail passing through the company server.
  4. DataClues also examined the computer systems of Company Z (with a court order), and was able to EXACTLY MATCH files sent via email from a Company B computer to Company Z’s computers.

Company B sued Company Z for the theft of their intellectual property and settled out of court.

DataClues suggested and assisted in implementing the following guidelines:

  • Training of the HR department in dealing with computer misuse allegations.
  • Training of the I.T. staff in proper computer system imaging and record keeping.
  • A complete audit of current computer use policies.

Network Intrusion Analysis

Company C manages an enterprise-level network with thousands of nodes worldwide. They purchased and deployed very sophisticated routers and were running a world-class NIDS (Network Intrusion Detection System) platform. The company’s internal network is highly secure, and remote users have specialized remote access software installed, along with firewall software, on their laptops.

As employees returned from a weekend off, several of them were confronted with “Account Lockouts”, which meant that someone had attempted to log in to the network with their user name and password; after three failed attempts an account is automatically locked out. The NIDS was immediately checked for signs of an intrusion, but it did not reveal any clues to the locked-out accounts. Company C’s I.T. staff spent hours poring over router logs and were finally able to trace the activity to an employee’s laptop.

After an interview of the employee who possessed the laptop, it was determined that the employee was not actively involved in the intrusion. Company C’s I.T. staff conducted a virus scan of the laptop and found several viruses. However, in removing the viruses they also destroyed the evidence related to them.

Dataclues was contacted and engaged to:

  • Locate any evidence of an intrusion
  • If evidence is located, determine how the intrusion occurred
  • Make recommendations on how to prevent it from occurring again

Dataclues was able to provide the company with the following results:

  1. The intrusion method was detected and determined to be an IRC compromise. The attacker managed to deliver a payload to the victim laptop and then remotely execute commands from that laptop via an IRC channel.
  2. The hacker’s “root kit” was located on the victim’s hard drive. (A root kit is the set of files put in place and used by the hacker to remotely control the victim computer.)
  3. After examination of the root kit, it was determined that the attacker was in the United Kingdom and used a common exploit to gain access to the victim’s computer.
  4. It was then determined that the hacker, using the victim laptop while it was connected remotely to Company C’s network, launched an IRC bot into the company’s network. The IRC bot went to work and promptly started probing computers on the network for weak user names and passwords, which resulted in the “Account Lockouts”. It was further determined that the NIDS did not flag the traffic as hostile because the attack appeared as ordinary NetBIOS and RPC queries.
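One defensive check that closes the gap described in item 4: the bot’s probes looked like ordinary NetBIOS/RPC traffic to the NIDS, but the authentication logs still show one source host failing against many different accounts. The Python below is an added example, not DataClues’ tooling; the log line format, host names and the five-account alert threshold are constructed assumptions, while the three-failure lockout threshold is the policy stated in the case study.

```python
"""Flag a single host whose failed logons span many accounts (constructed example)."""
from collections import defaultdict

LOCKOUT_THRESHOLD = 3       # policy from the case study: 3 failures lock the account
MIN_DISTINCT_ACCOUNTS = 5   # assumed alert tuning: one host, five or more accounts

# Constructed sample records: "<timestamp> FAILED_LOGON <account> <source host>"
SAMPLE_LOG = """\
2003-06-09T02:14:01 FAILED_LOGON alice LAPTOP-17
2003-06-09T02:14:02 FAILED_LOGON alice LAPTOP-17
2003-06-09T02:14:02 FAILED_LOGON alice LAPTOP-17
2003-06-09T02:14:04 FAILED_LOGON bob LAPTOP-17
2003-06-09T02:14:04 FAILED_LOGON bob LAPTOP-17
2003-06-09T02:14:05 FAILED_LOGON bob LAPTOP-17
2003-06-09T02:14:06 FAILED_LOGON carol LAPTOP-17
2003-06-09T02:14:06 FAILED_LOGON carol LAPTOP-17
2003-06-09T02:14:07 FAILED_LOGON carol LAPTOP-17
2003-06-09T02:14:08 FAILED_LOGON dave LAPTOP-17
2003-06-09T02:14:08 FAILED_LOGON dave LAPTOP-17
2003-06-09T02:14:10 FAILED_LOGON erin LAPTOP-17
2003-06-09T02:14:12 FAILED_LOGON frank LAPTOP-17
2003-06-09T08:30:11 FAILED_LOGON carol WS-042
"""

def parse_log(text):
    """Return (timestamp, account, source) tuples for well-formed FAILED_LOGON lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == "FAILED_LOGON":
            records.append((parts[0], parts[2], parts[3]))
    return records

def summarize_by_source(records):
    """Per source host: distinct accounts tried, total failures, accounts locked out."""
    per_pair = defaultdict(int)
    for _, account, source in records:
        per_pair[(source, account)] += 1
    summary = defaultdict(lambda: {"accounts": set(), "failures": 0, "lockouts": 0})
    for (source, account), n in per_pair.items():
        s = summary[source]
        s["accounts"].add(account)
        s["failures"] += n
        if n >= LOCKOUT_THRESHOLD:   # this account would have been locked by policy
            s["lockouts"] += 1
    return dict(summary)

def flag_spraying_hosts(records, min_accounts=MIN_DISTINCT_ACCOUNTS):
    """Hosts whose failures span many accounts: the 'one laptop, many lockouts' pattern."""
    summary = summarize_by_source(records)
    return sorted(h for h, s in summary.items() if len(s["accounts"]) >= min_accounts)
```

A single mistyped password from WS-042 stays below the threshold, while LAPTOP-17 is flagged on the breadth of accounts it touched rather than on any one lockout.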

DataClues presented Company C with the findings. Company C immediately made enhancements to their security policies based on our findings, thus preventing future intrusions using the same methods.

DataClues was also able to provide Company C with the following:

  1. Better security management for remote users regarding permission level and password.
  2. Insight as to how a single attacker was able to bypass thousands of dollars worth of security equipment.
  3. A rough geographic location for the hacker and the area where the hacker obtained his tools, how the tools worked, and what evidence was left on the laptop that enabled us to identify this event.
 

21520-G Yorba Linda Blvd. #395 | Yorba Linda, CA 92887
Office: (877) - DATACLUES | Fax: (714) 965-0499
http://www.dataclues.com | suppport@dataclues.com
DataClues, Inc. © 2003 DataClues. All rights reserved.