Analysis of the gathered data is a long and time-intensive process. As network forensic experts, we need to work towards the goals defined for us within the available time frame. In this specific case that we have been discussing, the situation is extremely time critical. Looking at the huge volume of potential evidence available to us, we have to take a call on the triaging process and decide what we wish to focus on first.

One very valuable input that we deduced was that the data had been exfiltrated just over two days before the receipt of the mail by the CEO. The process of exfiltration of data by any criminal actually involves a chain of events. These links in the chain or steps are shown in the following:

While each of these stages will leave some traces on the victims systems, the major role of a forensics investigator comes into play during the last two stages.

Returning to our specific case, we are aware of an exfiltration having taken place. As exfiltration involves large volumes of data leaving the network, it becomes important to identify all the outbound network activity that relates to this in the specified time range. Therefore, logs from the proxy server are examined for the two-day period to identify, if possible, the exfiltration of about 500 MB or more of data. The figure of 500 MB is arrived at based on the contents of the mail received by the CEO, where the attacker had threatened to expose over 500 MB of sensitive data allegedly held by him. While there is no hard and fast rule that the attacker will exfiltrate the complete 500 MB in one go (this could be broken into more manageable packets, encrypted, and sent out all at once or over an extended period of time), if we refer back to the stages of an exfiltration-focused attack, we will find that exfiltration is the last and final stage. It is very common among attackers to accumulate the data and then try and upload the data out in one go due to the fear that the moment the data is identified as having left the network, all the previously used avenues for further data exfiltration will be shutdown and the process of remediation and recovery will be initiated. This is the stage that carries the highest risk of discovery for the criminal; once the discovery has been made, further opportunities to exfiltrate the data may be severely affected.

The proxy server logs provide the forensic investigator some interesting insights. The first observation made is that over the two-day period prior to the e-mail, there is not much activity. That is understandable due to it being a weekend. A study of the data that is transferred does not show any single large exfiltration of a file of that magnitude. While this rules out data exfiltration in a single shot, the possibility of data having been exfiltrated in segments still remains.

There is some HTTPS traffic in the logs that seems to carry the data that is close to 20 MB. However, this is encrypted and we are only able to see the basic metadata information such as source, destination, and port details. The following image graphically represents the path taken to exfiltrate data:

To begin with, we look closely at the logs associated with the suspected HTTPS traffic.

An examination of the logs shows that this traffic was directed to the 46.246.46.27 IP. An online lookup shows that this IP address belongs to an organization in Sweden. To perform this online lookup, we visit any site on the Web that allows us to do a Whois IP lookup. I use https://whois.net/. A whois query of the IP under investigation is shown as follows:

An attempt to connect to it in the incognito mode does not yield any result. Further research on the Internet shows multiple online lists that show this IP as a part of the Tor network, as shown in the following image:

From the investigation perspective, this is a eureka moment. The e-mail that triggered this investigation originated from the Tor network. We now uncovered the logs that show some evidence of exfiltration to the Tor network. Ordinary users usually do not access Tor unless they have critical reasons for staying anonymous.

Now, having unknotted one end of the ball of string, the investigator proceeds to unravel the rest of the puzzle. Based on the organizational network architecture charts (made during the preparation stage in the earlier chapters), our investigator identifies the organizational IP address associated with the computer that was used as the staging post for the exfiltration. This turns out to be an old computer used as a print server in the organization.

All throughout the network forensic investigation process, the senior management team is kept appraised of the development and progress.

Following proper forensic procedures, a covert image of both the memory and media of the print server is made and preserved.

Based on the decisions made by the senior management, it is decided to disable the network connectivity to the print server while making the disruption seem part of a network outage.

In the meantime, a high speed examination of the forensic images that were created earlier is made.

A short summary of the relevant findings is listed in the following:

At this juncture, the picture was becoming a lot clearer. The evidence collected so far also pointed to an insider involvement. A picture of the adversary was emerging slowly and the need for caution and speed was increasing.

A schematic diagram depicting the data exfiltration route was made for better understanding of the incident. This is shown in the following:

It was clear that an insider with administrator privileges could actually cause considerable harm to the organization and had to be removed at the earliest. However, this had to be done in a smooth manner so that the insider remained unaware right until the last minute. It was quite evident that, with network administrator privileges, the insider could be privy to all the e-mail conversations on the e-mail servers, administrator actions, as well as confidential data across the length and breadth of the network.

Therefore, the need for caution and speed!

Again, after a quick consultation, it was decided to once again enable the network access of the print server and perform a Wireshark capture for all the network traffic from and to that IP address.

However, to prevent the existing collected data from being exfiltrated, it was decided that the ZIP files lying on the print server would be damaged using a hex editor so that even in the event that they were exfiltrated, they would be corrupted and unusable. The idea was to gain some time and gather further the evidence, while every effort was made to identify the perpetrator at the earliest.

Keeping the preceding information as the prime objective, the CSO, working in parallel, called for the biometric access records in order to determine the people who had worked in the specified office over the weekend in question. Two IT support engineers were identified. He also called for their HR files to check their track records.

In the meantime, our Digital 007 covertly captured forensic images of memory and media of the suspected systems. Simultaneously, he looked further back in the log entries to determine other days and time that Tor had been accessed. The Tor access was correlated with the RDP access of the print server as well. A proper timeline of these activities was created. This was shared with the CSO for correlation with attendance and access records.

The result was that one of the IT support engineers fit directly in the slot. With clarity obtained, the immediate objective of identifying the attacker was achieved.

From the system images created, it was determined that the person in question was abusing his privileged position as an IT support engineer by disabling the protection on sensitive systems and deploying keyloggers to gather critical information as well as user credentials. A collection of malware was recovered as well as the evidence of having searched for anonymous e-mail free and other suggestive search terms that were indicative of his intentions.