Data exfiltration analysis

  1. Once the device had been identified as compromised, we performed forensic analysis focused on evidence of data exfiltration to determine whether the attacker(s) had extracted any data. We also continued to monitor internet traffic for any attempt to move data out of the network.
  2. System activity, user activity, active processes and related data, and network connections were all inspected with multiple forensic tools for evidence of data exfiltration. Each tool used in the analysis gave us a unique insight into the security state of the system.
  3. We conducted comprehensive forensic analysis for evidence of data exfiltration, looking for anything indicative of file upload activity to the cloud: examining file and folder access during off hours, checking for the installation of software utilities that can facilitate file archiving and exfiltration, looking for suspicious HTTP, HTTPS, and FTP connections, running keyword searches and examining the hits for relevance to file exfiltration activity, and analyzing Windows event logs with a focus on critical times.
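As an added example, not from the book, the Python triage function below applies three of the indicators listed above to constructed event records: file access during off hours, installation of archiving or transfer utilities, and outbound upload-capable (FTP/HTTP/HTTPS) connections to external hosts, optionally restricted to a window of critical times taken from the event logs. The record format, business-hours window, utility names and sample events are all assumptions of this example.

```python
import ipaddress
from datetime import datetime, time

# Constructed sample records for this example (the format is an assumption):
# (timestamp, category, detail)
SAMPLE_EVENTS = [
    ("2023-03-01 02:14:00", "file_access", r"C:\Finance\payroll.xlsx"),
    ("2023-03-01 02:20:00", "install", "7-Zip 22.01 (x64)"),
    ("2023-03-01 02:31:00", "net", "ftp files.example.net:21"),
    ("2023-03-01 10:05:00", "file_access", r"C:\Users\jdoe\notes.txt"),
    ("2023-03-01 10:06:00", "net", "https 10.0.0.5:443"),
]
# Assumed business hours, archiving/transfer utilities and upload-capable protocols.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
ARCHIVE_UTILITIES = ("7-zip", "winrar", "rclone")
UPLOAD_PROTOCOLS = ("ftp", "http", "https")

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

def is_off_hours(ts):
    # Weekend, or outside the assumed business window.
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)

def is_external(host):
    # Non-private, non-loopback addresses and bare hostnames count as candidate upload targets.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (addr.is_private or addr.is_loopback)

def triage(events, window=None):
    # Returns (timestamp, reason, detail) findings; window=(start, end) limits the
    # analysis to the critical times identified from the event logs.
    findings = []
    for raw_ts, category, detail in events:
        ts = parse_ts(raw_ts)
        if window and not (window[0] <= ts <= window[1]):
            continue
        if category == "file_access" and is_off_hours(ts):
            findings.append((raw_ts, "off-hours file access", detail))
        elif category == "install" and any(u in detail.lower() for u in ARCHIVE_UTILITIES):
            findings.append((raw_ts, "archiving/transfer utility installed", detail))
        elif category == "net":
            proto, endpoint = detail.split(" ", 1)
            if proto in UPLOAD_PROTOCOLS and is_external(endpoint.rsplit(":", 1)[0]):
                findings.append((raw_ts, "outbound " + proto + " to external host", detail))
    return findings
```

Each finding is a lead for the examiner to correlate with keyword hits and event-log timelines, not a conclusion on its own.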