Company computers were locked down tight. Each employee was assigned a user profile that was not permitted to install software. Each computer also had an Administrator account so that IT could install software, apply updates, and so forth. The company also had mechanisms in place to stop employees visiting non-work websites at the office.
The IT department discovered that the safeguards on an employee-issued laptop computer had been disabled. They brought us in to investigate.
We found that the Administrator account had been used to install and run TOR, a web browser that encrypts all of the user's browsing traffic, making it difficult for the company to detect and block visits to non-work websites.
The employee, Mr. Smith, claimed innocence. He said that it wasn't him and that someone in IT must be responsible instead.
We continued our investigation, trying to determine who was using the laptop computer at the time that the software was installed. We found the following:
1. The password for the Administrator account was reset a few days prior to the install of TOR.
2. Using the Administrator account, the computer connected to the WiFi at the Marriott Hotel - Renaissance, Boston on a specific date.
3. While connected to the hotel WiFi, the Administrator account used the Firefox web browser to conduct a Google search for 'download a tor'. A few minutes later TOR was downloaded and the installation was started.
Still, there's a chance that this isn't Mr. Smith, right? Someone else could have taken his laptop to the hotel. Here's what we haven't told you yet:
1. Ten minutes before the Administrator account logged in, the user 'smithj' logged in to the computer with his username and password.
2. When logging in to hotel WiFi you will usually be presented with a page asking if you're a guest. In order to connect to the guest WiFi network you typically need to enter your name and room number. Here is what we found in his internet history:
3. Finally, we went to Smith's company email. Here we found a booking for the Marriott Hotel - Renaissance, Boston for that specific date.
Upon leaving his current employment and going to work for a competitor, Mr. Brown handed back his work laptop, an Apple MacBook Pro. When the company attempted to view the data stored thereon they found a single user named 'admin' and no files. Our investigators were asked to take a look.
Using our forensic tools, we imaged and investigated the computer. Typically, we would expect to see at least a small number of deleted files. In this particular instance there were no deleted files. Further, examination of the unallocated space revealed that it was completely empty. There was nothing recoverable on the computer.
Analysis of the log files showed that the Apple Disk Utility was used to erase the unallocated space just prior to the computer being handed back to the company. These log files also showed that, in the days leading up to the employee's departure, there were two user profiles in use on the computer. Further, the amount of disk space in use on the computer went from nearly 400GB to less than 40GB. We also saw the use of an external USB hard disk drive just prior to the deletion of the ~360GB of data.
Unknown to the employee, Apple computers store changes to any files stored on the computer in a hidden location. When we looked at this location we could see the two previously-existing accounts. One belonged to the employee, the other belonged to his wife. We were also able to see lists of files and folders that no longer existed on the computer.
Using a combination of these lists, the log files, and other metadata stored on the MacBook, we were able to piece together what had happened and when:
1. Two days prior to handing in the laptop, Brown created a third user account on the computer, the 'admin' account.
2. Using this account, he copied over 100GB of data to an external USB hard drive.
3. Brown then deleted the other two accounts from the computer. All data belonging to these two accounts, including the data and email messages belonging to the company, was placed in the MacBook's Trash.
4. The Trash was then emptied, permanently deleting the data.
5. Shortly thereafter the Disk Utility was run. It was set to overwrite all deleted data three times, making it unrecoverable; the default setting is to overwrite once.
Based on our findings, the company sued Brown and his new employer. The case was settled before trial.
On Monday morning everyone showed up to work as normal but found that they could not access the server. The IT staff quickly found that the server was completely empty. All of the drives had apparently been wiped. All of the company data was destroyed and, due to a glitch in the way the backups were set up, the most current backup was from three years previous.
I was asked to take a look to see if anything could be recovered. The company was in dire straits as they weren't able to function without their critical data.
I imaged the server and reviewed it in my forensic software. All zeroes: there was nothing to be recovered, not a single deleted file. This was weird. A server this size should, in theory, take a few days to wipe, so how was this done so quickly?
Rather than looking at the forensic image of the server, I decided to look at the physical device. I removed one of the hard drives and connected it to my write-blocker (a device that can access the data on the drive without altering any of it). After a few button clicks I was able to look at the drive's S.M.A.R.T. data. This data records things such as the number of times the drive has been powered on, the number of hours the drive has been in use, etc.
To my surprise (well, kind of), I saw that this drive had only been powered on a handful of times. Moreover, when I looked at the total number of hours in service it was less than fifty. This piqued my interest and I started to look at the same data for the other drives in the server. They were all virtually the same and this was from a server that had allegedly been in use for over five years.
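The S.M.A.R.T. check described above can be run systematically across every drive in a server: parse the Power_On_Hours and Power_Cycle_Count attributes and flag any drive whose service history is far too short for the date the server was put into use. This is an added example, not code or data from the investigation; the smartctl attribute rows, device names, deployment date and duty-cycle assumption are all constructed for illustration.

```python
import re
from datetime import date

# Constructed `smartctl -A` excerpts (attribute rows only) for three server drives.
# The rows follow the real smartctl column layout; the values are made up here.
SMART_REPORTS = {
    "/dev/sda": """
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       43
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       6
""",
    "/dev/sdb": """
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       47
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       5
""",
    "/dev/sdc": """
  9 Power_On_Hours          0x0032   052   052   000    Old_age   Always       -       42570
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       212
""",
}

# Columns: ID, name, flag, value, worst, thresh, type, updated, when_failed, raw_value
ATTR_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\d+)", re.M)

def parse_attributes(report: str) -> dict:
    """Map attribute name -> RAW_VALUE for one drive's `smartctl -A` output."""
    return {m.group(2): int(m.group(3)) for m in ATTR_RE.finditer(report)}

def expected_min_hours(deployed: date, today: date, duty_fraction: float = 0.5) -> int:
    """Lower bound on Power_On_Hours for a drive in service since `deployed`.
    duty_fraction is an assumed minimum uptime share; use 1.0 for a 24x7 server."""
    return int((today - deployed).days * 24 * duty_fraction)

def flag_suspicious_drives(reports: dict, deployed: date, today: date,
                           duty_fraction: float = 0.5) -> dict:
    """Return {device: reason} for drives whose recorded service life is too short
    for the claimed deployment date (a swapped drive, not a wiped one)."""
    floor = expected_min_hours(deployed, today, duty_fraction)
    findings = {}
    for dev, report in reports.items():
        attrs = parse_attributes(report)
        hours, cycles = attrs.get("Power_On_Hours"), attrs.get("Power_Cycle_Count")
        if hours is not None and hours < floor:
            findings[dev] = (f"Power_On_Hours={hours}, Power_Cycle_Count={cycles}; "
                             f"expected at least {floor} hours since {deployed}")
    return findings

if __name__ == "__main__":
    # Assumed dates: server claimed in service since 2014-01-01, examined 2019-06-01.
    for dev, why in flag_suspicious_drives(SMART_REPORTS, date(2014, 1, 1), date(2019, 6, 1)).items():
        print(dev, why)
```

On a live system the same rows come from `smartctl -A /dev/sdX`; the hours floor is only a sanity bound, so treat a flagged drive as a lead to corroborate with serial numbers and purchase records, not as proof on its own.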
A review of the security cameras showed a member of the IT staff coming in late on Sunday with a large box and leaving thirty minutes later carrying the same box. When confronted, he folded. Apparently he was about to leave the company for a competitor and was seeking to give his new employers an advantage over their rivals. He had replaced all of the hard drives in the server with new, unused drives. The original server hard drives were in a box at his home. He was accompanied back to his home, where he produced the missing hard drives. We were able to replace the drives and have the company back up and running within a day.