The Chief Information Security Officer (CISO) of a research company was made aware of unusual activity by one of the company's employees. A researcher was observed running, from his laptop computer, a piece of software which we later determined to be a known hacker tool. All the reporting employee saw was a black screen with lines of white text scrolling rapidly. As all the computers used Windows operating systems and were locked down, a black screen with scrolling white text appeared peculiar to the reporter. He decided to report it. The CISO of the corporation contacted us to investigate. Even though this particular company is a Fortune 500 corporation and has its own IT security team, in their words, they needed a "swat team" to deal with this situation.


Our response team began gathering facts about the subject individual, his background, and his capabilities. The subject held a PhD in Computer Science and Mathematics. Before his immigration to the United States, according to his statements to the management, he was a major in the armed forces of a country whose intelligence service is known for spying on US businesses. It became apparent early on that we were dealing with what was potentially a professional spy, who was possibly involved in industrial espionage. He worked in an extremely well-guarded location on a dedicated network which had no outside access. It was totally isolated from the Internet and from the company's main network. There were a total of nine researchers working on a particularly important project. They each worked on a different component and they did not share their work with each other. Only two individuals had access to everyone's work in the entire company -- the actual founders. The suspect slowly gained the trust of the CEO and was allowed to take his laptop home so he could continue working on the project evenings and over the weekend.


Our team determined that the best approach would be the covert forensic imaging and examination of the suspect's laptop and desktop computers. The challenge, however, was to get our hands on the laptop. He took it home at night and did not leave it unattended long enough for it to be forensically imaged. As it was a company-assigned laptop, we knew the make and model of the laptop and the size of the hard drive it contained. A plan was developed to create a situation where he would arrive at work and, after placing his laptop on his desk, he, along with the other researchers, would be called to an emergency meeting. This would allow us to get our hands on the laptop and make a forensic image of it without his knowledge. A high-speed Forensic Drive Duplicator would be used to obtain a forensic copy of the laptop hard drive without turning the laptop on. We obtained an identical laptop from the client's IT department and practiced speedy removal of the drive to the point where the assigned investigator could do it blindfolded. We also determined how long it would take to forensically image the drive. The entire operation would take less than forty-five minutes. Once we had worked out all the details, the plan was put into effect and executed. The suspect never knew that his laptop hard drive had been imaged and that he was under investigation. Later that evening, we imaged the hard drive of his desktop computer, covertly installed a Network Forensic Collector on the R&D network, and configured the R&D server to start logging all file-access events.

Our forensic examination revealed several interesting facts. Firstly, the suspect had cracked the "local" admin password on both of his computers and installed a key logger on each one. This was rather clever, as he would immediately know if someone became suspicious and accessed his computer while he was away, and he would catch anyone trying to put any type of monitoring software on either of his computers. In effect, he had deployed a potent detection mechanism to alert him if he was under investigation: any attempt by the IT Security staff to peek at his computer while he was away from it would be immediately revealed. On his laptop, he had installed various hacker tools in addition to data scrubber software. The tools included network sniffers, password crackers, network vulnerability scanners, etc. He basically had a full arsenal of tools to hack into any computer on the network and to sniff and crack passwords. Our initial forensic examination of the laptop revealed no evidence of wrongdoing, due to the presence of the data scrubber. It appeared that he was running the scrubber program periodically to clean his hard drive. The drive contained virtually no data anywhere, other than a handful of legitimate files he was working on. As there was no evidence of data theft on the laptop drive, and the mere existence of the hacker tools could be explained as innocent in many different ways, we had to find the "smoking gun" in other ways. The Network Forensic Collector and the server logs proved to be fruitful. After a week of collecting network traffic and analyzing the logs, the truth was finally revealed: he had successfully compromised the entire network and cracked all the other researchers' passwords. He would periodically log in to the server, access the other researchers' data, and download it to his laptop to take home. He would then remove the data from his laptop and run the scrubber software to eliminate any evidence that the other scientists' data had ever been present on his hard drive.
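The server-side file-access logging described above is what exposed the cross-researcher access. The following is an added example, not code from the original case study or the investigating team: it parses a constructed file-access log (the format, user names and share layout are assumptions) and flags every event in which a non-founder reads or writes another researcher's component.

```python
"""Flag cross-researcher file access on an isolated R&D share.

Added example, not part of the original case study. The log format,
user names and directory layout are constructed; real audit logs differ.
"""
from collections import Counter

# Constructed sample events in the form "<timestamp> <user> <action> <path>".
SAMPLE_LOG = """\
2024-03-04T21:02:11 rsmith READ /rd/rsmith/component_a/notes.docx
2024-03-04T21:05:47 jdoe READ /rd/jdoe/component_b/model.xlsx
2024-03-04T22:14:03 jdoe READ /rd/rsmith/component_a/notes.docx
2024-03-04T22:14:09 jdoe READ /rd/rsmith/component_a/design.pdf
2024-03-04T22:15:30 jdoe READ /rd/kwong/component_c/results.csv
2024-03-05T09:01:12 founder1 READ /rd/kwong/component_c/results.csv
2024-03-05T09:30:00 kwong WRITE /rd/kwong/component_c/results.csv
"""

# Only the two founders are permitted to read every researcher's work.
AUTHORIZED_EVERYWHERE = {"founder1", "founder2"}


def parse_events(text):
    """Split each log line into a dict; malformed lines raise immediately."""
    events = []
    for line in text.splitlines():
        ts, user, action, path = line.split(maxsplit=3)
        events.append({"ts": ts, "user": user, "action": action, "path": path})
    return events


def owner_of(path, root="/rd/"):
    """Assumed layout: each researcher's component lives under /rd/<owner>/."""
    if not path.startswith(root):
        return None
    return path[len(root):].split("/", 1)[0]


def find_cross_access(events):
    """Return events where a non-founder touched another researcher's files."""
    hits = []
    for e in events:
        owner = owner_of(e["path"])
        if owner and e["user"] != owner and e["user"] not in AUTHORIZED_EVERYWHERE:
            hits.append(e)
    return hits


def suspects(events):
    """Count cross-access events per user so the heaviest offender stands out."""
    return Counter(e["user"] for e in find_cross_access(events))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in find_cross_access(evs):
        print(e["ts"], e["user"], e["action"], e["path"], "owner:", owner_of(e["path"]))
    print(suspects(evs))
```

On the constructed log, only jdoe is flagged (three reads of two other researchers' directories); founder1's read is permitted and the owners' own accesses are ignored.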


