SERVICES: Forensic Acquisition and Forensic Analysis
An executive for a global leader in manufacturing quickly realized he had a serious problem. While in Shanghai to visit one of the company’s Chinese facilities, his corporate laptop went missing. The device containing a significant number of company documents and sensitive information was now unaccounted for, in China. The device was not equipped with full disk encryption.
Encryption converts data into an unreadable form that cannot be recovered without the correct key. With full disk encryption, everything that could possibly reveal confidential data, including swap space and temporary internet files, is encrypted. With full disk encryption, the decision of which individual files to encrypt is not left up to users’ discretion. This is important for situations in which users might not want, or might forget, to encrypt sensitive files.
When the device was mysteriously recovered 12 hours later (details undisclosed), the company’s IT department wanted to quickly assess the potential damage of a data breach. Their first call was to SecureState’s Incident Response Team.
Why This Engagement Wasn’t as Cool as it Could Have Been
The keys to any quality forensic investigation (as you probably learned watching CSI) are to preserve the evidence and document everything. SecureState worked closely with company personnel to create an image of the laptop. SecureState then analyzed this image for potential unauthorized access. While the company was worried that proprietary information had been stolen, they were ultimately concerned with malicious software having been installed on the system, given that the laptop suspiciously reappeared. Because the laptop had no full disk encryption, it would be relatively easy for an attacker to bypass Windows authentication and access sensitive files or modify the system state in a malicious manner.
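The two rules above (preserve the evidence, document everything) translate, at the acquisition step, into hashing the source drive while it is imaged, hashing the finished image, recording both in a chain-of-custody log, and re-verifying the image before and after analysis. The following Python script is an added illustration of that workflow and is not SecureState’s tooling or code from the engagement; it uses a small constructed file as a stand-in for the laptop drive (a real acquisition would read a block device attached through a write blocker), and the examiner name and notes are hypothetical.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB chunks so a full drive never sits in memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image_path, examiner, notes=""):
    """Bit-for-bit copy of `source` into `image_path`.

    The source is hashed as it is read and the image is hashed after it is
    written; both digests go into the chain-of-custody record. `source`
    would normally be a block device behind a write blocker; here it is any
    readable file (constructed sample in run_demo)."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    record = {
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image_path,
        "size_bytes": os.path.getsize(image_path),
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_file(image_path),
        "notes": notes,
    }
    # Acquisition is only trustworthy if the image matches what was read.
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record


def verify_image(image_path, record):
    """Re-hash the image and compare it to the acquisition hash.

    Run this before analysis and again afterwards: any modification of the
    image file, accidental or otherwise, makes it return False."""
    return sha256_file(image_path) == record["source_sha256"]


def run_demo():
    """Constructed stand-in for the laptop drive: a small file of fake data."""
    with tempfile.TemporaryDirectory() as tmp:
        device = os.path.join(tmp, "fake_laptop_drive.bin")   # constructed
        image = os.path.join(tmp, "laptop.dd")
        log = os.path.join(tmp, "custody.json")
        with open(device, "wb") as f:
            f.write(b"NTFS    " + b"CONSTRUCTED SAMPLE DATA " * 4096)

        record = acquire_image(device, image,
                               examiner="Examiner A (hypothetical)",
                               notes="Acquired on site after laptop recovery")
        with open(log, "w") as f:
            json.dump(record, f, indent=2)   # the written chain-of-custody entry

        before = verify_image(image, record)
        # Simulate the image being touched after acquisition: one byte changes.
        with open(image, "r+b") as f:
            f.seek(4096)
            f.write(b"X")
        after = verify_image(image, record)

        return {
            "verified_on_acquire": record["verified"],
            "verified_before_tamper": before,
            "verified_after_tamper": after,
            "size_bytes": record["size_bytes"],
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of hashing the source during the copy rather than afterwards is that the drive is read exactly once, which matters both for time and for reducing the handling of the original evidence; the image hash is then the value that every later analyst re-checks.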
After carefully and meticulously analyzing every piece of data collected, SecureState was able to put the client’s concerns to rest, mostly. The results showed no rogue processes, successful administrative-level compromises, or delivery of malicious software. Additionally, no evidence indicated that unauthorized users successfully modified, stole, or intercepted sensitive data on the system or in transit.
What the Consultants Had to Say
However, as the lead IR consultant points out, “due to the lack of full disk encryption on the system, it is possible that a malicious individual could have used a forensic boot disk or hardware write blocker to access the data on the drive and potentially pull the information off. There just are no definite methods to prove if this was performed.”