Case Study: Investigating a Computer Crimes Case

SCENARIO

Jeff is a security consultant who has been hired by a small law firm to beef up their security and check their network for security flaws. As part of his overall security check, Jeff implements security auditing on the authentication servers. In reviewing the security logs, he discovers that someone is accessing the network remotely, using a VPN to log on with the account name and password of a former employee who was fired two weeks previously. Immediately following the unauthorized logon, he discovers that several important files containing mission-critical data have been deleted from the file server. File and object audit logs show that those files were accessed by someone using the former employee's account. When Jeff presents this information to the head of the firm, he is told that the firm wants to press criminal charges against the former employee.

ESSENCE OF THE CASE

Here are the essential elements of the case:

  • Minimize the damage to the firm from loss of the key files.

  • Protect the firm from further data loss.

  • Collect evidence that can be presented to the police to build a case against the former employee.

ANALYSIS

Jeff's first priority should be protecting the firm from any further data loss. Toward that end, he should immediately disable the former employee's user account. He should not delete the account, as he may need to prove to police that the account existed on the firm's network. Jeff should also configure alerting software so that he and the other administrators are notified immediately if anyone attempts to log on remotely with the account. Remote access policies should be set on the remote access server to ensure that only those employees who need remote access are able to log on remotely.

Jeff may be able to recover the deleted files if they have not been overwritten. He should immediately make a complete copy of the disk and attempt to recover the files using data recovery software.

To help build the case for prosecution, Jeff should make both printouts and electronic copies of the security audit logs.
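The two defensive steps in the analysis, alerting on any logon attempt with the disabled account and preserving a verifiable copy of the audit logs, can be demonstrated with a small script. The following is an added example, not code from the case study or from any product; the audit-log line format, the host names, the `jsmith` account, the `WATCHLIST` set and the file paths are all constructed for illustration. It parses audit lines, raises an alert for every logon attempt (successful or failed) by a watch-listed former employee, correlates file events with that account's logons so the deletions can be tied to the session, and computes a SHA-256 digest of the preserved log copy to record alongside the printout.

```python
"""Watch-list alerting over audit logs plus evidence hashing (added example).

The log format, hosts, accounts and paths below are constructed for
illustration and do not come from any real product or from the case study.
"""
import hashlib
import re
from datetime import datetime, timedelta

# Constructed sample audit log in a hypothetical "timestamp host EVENT k=v ..." format.
SAMPLE_AUDIT_LOG = """\
2024-03-04T22:15:03Z vpn-gw1 LOGON_SUCCESS user=jsmith src=203.0.113.17
2024-03-04T22:16:41Z fs1 FILE_DELETE user=jsmith path=/cases/client_list.xlsx
2024-03-04T22:17:02Z fs1 FILE_DELETE user=jsmith path=/cases/billing_2023.xlsx
2024-03-05T08:02:10Z vpn-gw1 LOGON_SUCCESS user=alice src=198.51.100.9
2024-03-05T23:40:55Z vpn-gw1 LOGON_FAILURE user=jsmith src=203.0.113.17 reason=account_disabled
"""

# Accounts of departed staff (constructed): disabled, never deleted, and watched.
WATCHLIST = {"jsmith"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>[A-Z_]+)\s+(?P<rest>.*)$")


def parse_line(line):
    """Parse one audit line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "host": m.group("host"),
        "event": m.group("event"),
    }
    # Remaining key=value pairs; values carry no whitespace in this constructed format.
    for kv in m.group("rest").split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def watchlist_alerts(log_text, watchlist=WATCHLIST):
    """One alert per logon attempt (success or failure) by a watch-listed account."""
    alerts = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["event"].startswith("LOGON_") and rec.get("user") in watchlist:
            alerts.append(
                f"{rec['ts'].isoformat()} {rec['host']} {rec['event']} "
                f"user={rec['user']} src={rec.get('src', '?')} reason={rec.get('reason', '-')}"
            )
    return alerts


def files_touched_after_logon(log_text, user, window=timedelta(hours=1)):
    """File events by `user` that fall within `window` after one of that user's successful logons."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r and r.get("user") == user]
    logons = [r["ts"] for r in records if r["event"] == "LOGON_SUCCESS"]
    touched = []
    for r in records:
        if not r["event"].startswith("FILE_"):
            continue
        if any(timedelta(0) <= r["ts"] - t <= window for t in logons):
            touched.append((r["event"], r["path"]))
    return touched


def evidence_digest(log_text):
    """SHA-256 of the preserved log copy, recorded with the printout so later tampering is detectable."""
    return hashlib.sha256(log_text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    for alert in watchlist_alerts(SAMPLE_AUDIT_LOG):
        print("ALERT:", alert)
    for event, path in files_touched_after_logon(SAMPLE_AUDIT_LOG, "jsmith"):
        print("CORRELATED:", event, path)
    print("evidence sha256:", evidence_digest(SAMPLE_AUDIT_LOG))
```

The failed logon against the disabled account is reported as well as the earlier success: once the account is disabled, any further attempt to use it is itself evidence of continued unauthorized access and should reach the administrators immediately. The digest is computed over the exact bytes that were preserved, so the printed copy and the electronic copy can be checked against each other later.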
