- Who copied or modified a file, or
- Who created or modified a user account
So, what do you do? After all, if it wasn't important, the customer wouldn't have called you, right? What do you tell them?
The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books; "Windows Forensic Analysis" (1st thru 4th editions), "Windows Registry Forensics", as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".
I have been in a similar situation and I ended up telling the FSO he was out of luck because he and his IT department had no controls established. They had to let it go and start over with new controls in place.
I had the same told to me by a very pricey investigator once. We changed our policies and procedures in a hurry.
It is okay to say no. Does the customer really want you to blow smoke?
Not so much "blow smoke", as I fully agree that you should be straight with the customer.
However, are there things that you can do or look for that might give you some indication, or provide something for the customer? For example, Registry keys that contain listings of applications run on the system?
You take the time to educate the customer on why it is important to have controls in place. Use this as an example. Enable the settings on a test box, and then show them what you could have done if they followed the best practice.
There are two parts to this problem:
1. Educate the customer about proper account management, security controls, and auditing.
2. Attempt to develop the information requested by the customer.
There are still some options to explore with regards to answering the customer's question. A timeline analysis can reveal what type of activity occurred in the same time block as the modified files or account modification. Some of this activity may be possibly linked to a particular user based on the significance of the activity, such as user authentication to websites, email communications, etc. Also, did the users all gain access to the box via physical means, or are there ssh logs that can identify unique users by IP address and compare against the timeline?
And, of course, the conclusion, findings, and recommendations should include how to tighten the controls to prevent future similar circumstances.