Showing posts with label Employee Misuse. Show all posts

Monday, September 2, 2013

The Pocket Sized Attack



Back in July Reuters reported on warnings by a UN team regarding mobile device vulnerabilities.

Last week, I got an email notice from the Facebook gods that once again their policies were changing, among them some updates to language concerning what data you're sharing with mobile devices.

4 days prior to that, I saw this article in the New York Times about malicious software being installed by clicking on a video link.

And immediately prior to that, Red Sky and Wapack Labs came out with a Priority Incident Report in which it was stated:
"Kaspersky recently reported that five million Android devices have been infected with malware, through Google Cloud Messaging, which allows hackers to send update messages directly to applications installed on a device.[i] The malware is designed to steal the victim’s information including the phone’s contact list and is the most diffused agent in over 97 countries."

As I mentioned previously, one of the most common vectors that bad people use to get into the intellectual property of companies large and small is through you and your contacts.

Being able to hijack a contact list allows hackers to gain a treasure trove of information that otherwise would take multiple phishing attacks over long periods of time. Names, addresses, phone numbers, company info...all of which can be used in very specific social engineering.

I'm delivering a presentation in a few weeks to a group of concerned parents that are exactly the same as every other parent. They are concerned about their children and want to do everything they can to protect them. What makes this group intriguing is that they have extremely high net worth.

Does this make them any different than you and me? Not in the least.

Hackers will use any vector they can to get the information that they need. High net worth individuals tend to be in CXO type positions or have significant influence in their companies. If their children are not using safe online practices, it could expose the parent to attacks both physical and cyber.

These days, most parents will have their children listed as contacts and vice-versa (at least one would *think*). To the hacker, it's all about who is in your contact list and how that information can be exploited. They have no problem compromising a child's mobile device to gain access to home networks of powerful people.

For some reason, the folks that I speak to tend to believe that cyber attacks will only occur on their laptop or home computer or company network. They forget that the device that they hold in their hand is a 4 ounce key to their entire life, sometimes much more powerful and valuable than anything you may have on your daily PC.

Just because you can fit it in your pocket doesn't mean it is any less susceptible to compromise.

Stay vigilant, stay up to date with your security patches, and for goodness sake, don't click that sketchy Facebook video link on your phone.

Wednesday, July 3, 2013

The Secret Lives of Computers

The Secret Lives of Computers:

The things you find in a digital forensic investigation




It is often asked “Why would I ever conduct a forensic investigation on a computer?!” Well, if you are concerned about what people are doing on a computer (or cell phone), what is going onto it, coming from it, or happening to it, then it benefits you to conduct an investigation. A digital forensic investigation sounds like a big complicated procedure, but an initial examination can have a relatively quick turnaround and give you plenty of information. In some cases involving white collar crime, a single investigation (with an affidavit) can be brought to civil court to produce injunctive relief or even settlements.

So let's begin to answer the mysteries of a computer investigation and see if it is something that would benefit you, your company, or legal situation. In a preliminary forensic investigation many questions can be answered if you are concerned about something specific, but typically we like to try and shed light on the following:

File Activity

No, unfortunately I can't show you files jumping around or being active, but I can show you creation, deletion, and modification. In most cases this file activity drives the rest of the investigation. When we plot out file activity on a timeline it begins to tell a tale of what was going on with the computer at the time. For instance if we see large file creation on a certain date, then that usually indicates things like installing programs or copying files from one place to another. If we see a lot of file deletion, then that could mean that someone is trying to “burn” or “shred” the evidence. If you couple large creation and deletion together then that could point to someone copying files from one place (let’s say your company’s network server) to the local system, copying off the computer (maybe to a thumb drive) and then wiping them clean. Or so they think.
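The timeline reading described above can be sketched in a few lines. This is an added example, not Wapack Labs' tooling or code from the original post; the event tuples, the `jdoe` paths, the 24-hour window and the threshold of 20 are all assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def constructed_events():
    """Constructed sample (not from a real case): (timestamp, action, path)."""
    ev = []
    # Ordinary use: one document created and later modified each day.
    for d in range(10, 14):
        doc = f"C:/Users/jdoe/Documents/notes_{d}.docx"
        ev.append((datetime(2013, 6, d, 9, 5), "created", doc))
        ev.append((datetime(2013, 6, d, 15, 30), "modified", doc))
    # Burst: 40 files land in a local folder and are deleted 45 minutes later.
    t0 = datetime(2013, 6, 14, 17, 0)
    for i in range(40):
        p = f"C:/Users/jdoe/Desktop/stage/client_{i:03}.xlsx"
        ev.append((t0 + timedelta(seconds=i), "created", p))
        ev.append((t0 + timedelta(minutes=45, seconds=i), "deleted", p))
    # Routine clean-up of a file created before the sample period begins.
    ev.append((datetime(2013, 6, 12, 11, 0), "deleted",
               "C:/Users/jdoe/Downloads/setup_old.exe"))
    return ev

def timeline(events, window=timedelta(hours=24)):
    """Per-day action counts, plus 'short_lived': deleted within `window` of creation."""
    days = defaultdict(Counter)
    born = {}  # path -> creation time seen so far
    for ts, action, path in sorted(events):
        day = ts.date().isoformat()
        days[day][action] += 1
        if action == "created":
            born[path] = ts
        elif action == "deleted":
            created = born.pop(path, None)
            if created is not None and ts - created <= window:
                days[day]["short_lived"] += 1
    return days

def flag_days(days, min_short_lived=20):
    """Days where many files were created and then removed soon afterwards."""
    return [d for d in sorted(days) if days[d]["short_lived"] >= min_short_lived]

if __name__ == "__main__":
    tl = timeline(constructed_events())
    for d in sorted(tl):
        print(d, dict(tl[d]))
    print("days to review:", flag_days(tl))
```

A flagged day is a lead for the examiner, not a conclusion: software installs and temp-file churn produce the same shape, so the paths and surrounding activity still have to be read.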

USB Drives

USB devices are becoming more ubiquitous and increasing to incredibly large capacities. The amount of data that used to be contained in several servers is now placed onto one 2TB external hard drive. While their capacity is very large, their physical size gets smaller and smaller. Are you aware of all the things that your employees are carrying on a thumb drive? Very few companies implement a policy to control the flow of information to external devices. In my experience, a majority of my investigations have included someone plugging a thumb drive into their computer days, if not hours before they leave the company. Are you sure they only took their personal photos and music, or did they just clean out all of your client records and proprietary information?

Internet History

Internet history can sometimes be the most telling of all the information in a computer. How often do you go to work, log into your computer, and then go directly to Gmail and log into your personal email? Few companies restrict this type of personal access (although they may frown upon it). Today many applications and services are becoming “cloud ready”. This means that information is no longer stored on your local systems. Instead this information travels out over the Internet and is stored on some other company’s servers. Is it secure in travel? Is it safe when sitting on those servers? Many services like Dropbox also offer huge amounts of storage space for people to upload information to. An employee could easily upload information from their system, to Dropbox, and then access it from anywhere else in the world.

If you aren’t concerned about movement of data through the Internet, maybe you are concerned about what your employees are doing on their computers as far as spending too much time on Facebook or playing games. Plenty of HR people lose sleep over what is being done and said over things like Facebook or Instant Messaging. In many cases a computer investigation can collect and parse this type of information and even give you remnants of the pages that the person looked at. For investigations pertaining to harassment, chat logs can be collected and produced for legal counsel (in many cases even if they had been deleted).

Wait, there’s more…


These are just a few of the things that a standard preliminary investigation could offer you. If you have a concern about what is happening on your work or personal computers, then please give Wapack Labs a call to find out how we can help. Whether you are in HR, legal, IT, or own your own business, there are several ways that we could help put your mind at ease or solidify a legal action. Our certified and experienced digital forensic examiners can assist with almost any type of digital investigation. We specialize in helping even those that have never heard of digital forensics or are wary of technology in general. Don’t worry, we speak English too and won’t get overly technical! Wapack Labs is located in Manchester, NH and services all of New England. Call us at 603-606-1246, email me at dkirmes@wapacklabs.com, or stop by our lab at 250 Commercial St. Suite 2013.

Thursday, May 2, 2013


Your Company Is Walking Out the Door

Today just about every company in America has their vital proprietary information on computers. Everything from email, client lists, pricing models, to trade secrets is stored on company computers. In many cases those computers leave the office daily, or sometimes never show up onsite if the employee works from home. Even if your company utilizes the most rigid security rules and not a single computer leaves the facility, emails are still sent back and forth from smart phones. A lot of the time attachments can be saved directly from emails to the smart phones and then transferred on from there without the company’s IT department ever being aware.

This situation becomes even more precarious when you include companies that allow people to bring their own device (BYOD). In these situations company data often resides on the personal laptop or in a “cloud” solution where the data are available from any device connected to the internet. What happens when the employee leaves? Can you guarantee that nothing was stolen, deleted maliciously, or taken to a competing shop? Without conducting a proper digital forensic investigation by certified examiners you may never know what was taken. Even if your internal IT department does their due diligence in trying to determine a theft, without the proper forensic handling of the evidence, it may not be admissible in court.

Attorney Sid Leach from the law firm Snell & Wilmer wrote an excellent paper (“What Every Lawyer Needs to Know about Computer Forensic Evidence”) pertaining to the valuable information that digital forensic investigations reveal. Whether it pertains to fraudulent activities, non-compete contracts, harassment, or intellectual property theft, Mr. Leach explains that “A forensic examination of a departing employee’s laptop or computer workstation can provide a goldmine of information concerning what the ex-employee was doing”.

In my own experiences I have seen companies both large and small with employees leaving abruptly or on bad terms causing suspicions as to their activities. It is always in the company’s best interest to at least have a forensic examiner create a forensically sound bit-by-bit copy of the device before it is used by another employee. In these situations, even if your company doesn’t proceed with an immediate investigation, at least you have a court admissible copy to work from if anything were to arise in the future. Wapack Labs is a digital forensic firm based in Manchester, NH with certified and experienced digital forensic examiners to handle any investigation or discovery need. Contact us today to see how we can help you!

Friday, April 12, 2013

Why use Digital Forensics? Let us help you solidify your case!

Why Use Digital Forensics?

Working in the digital forensics field has opened my eyes to many other professional practices. Specifically in my job I deal with a lot of lawyers, law firms small and large, and plenty of litigation protocol. One of the most interesting aspects of the law field to me and specifically when dealing with on-stand experts, is that you don’t ask a question you don’t already know (or think you know) the answer to. This important factor made me think: Why don’t more litigators use digital forensics in their cases? Having a certified forensic expert helping you in your case is like giving you the answers to questions you haven’t even thought about asking!

Recently I worked in Chicago where I collaborated with lawyers throughout the country who had various levels of experience with digital forensics and computer investigations. One of my most memorable cases was an attorney from a very small law firm in the suburbs of Chicago who dealt with Employment and Labor law. This attorney had come to me with ongoing litigation concerns about an employee who left a company and went to work for a direct competitor within a matter of weeks.  This employee had been in a position where they were privy to a lot of sensitive data about the company (product specs, pricing models, client lists, sales leads, etc.). While we already knew that the employee had violated their non-compete contract, counsel was worried that the business might have been harmed by the theft of this sensitive information. I was brought in to either put these fears to rest, or create a “slam dunk” case with empirical digital evidence.

Not long after our initial conversation where I addressed what kind of things we may find in a digital investigation, counsel was able to procure the work laptop from the company. Within a week of receiving the device I was able to image (duplicate the evidence to be able to work on a copy), parse, index, and analyze the entire system. Combined with a simple questionnaire from the client, I had a complete understanding of the activities on the system. In this case (as with most investigations) I focused on the employee’s last two weeks at the company. I was able to pin down that before leaving the company (and pretty much right before walking out of the door) the employee was attaching USB thumb drives to the system, and copying data to these drives. Along with the USB devices, I could see through emails and his Internet history (Gmail, DropBox, LinkedIn) that the employee had been planning to leave the company for some time. The combination of the employee’s actions, coupled with solid digital evidence, proved that sensitive information was taken from the company laptop, and copied to personal devices. Information provided by digital forensic examination of the laptop provided counsel with ample means to win their case.

The best part for me on a personal level was that this case was the first time the attorney had ever used a computer investigation. It provided me the ability to teach counsel exactly what we do, how digital forensic science is proven in court, and how best to phrase his questions and shape his case to present what we found. Not only was this his first case involving digital forensics, but it was my first deposition as well! That give and take provided a great working relationship for the case going forward and the follow on investigations that arose from it.

At Wapack Labs we are driven to provide that same level of service to litigators throughout the Employment and Labor, Intellectual Property, and Technology law practices. Give us a call to see how we can help! Find us online at http://wapacklabs.com/ or give us a call at 603-606-1246. Be sure to follow us on LinkedIn as well as this blog.