RSS Feed

A Study in Black

Created: 20.09.2020

Someone has violated corporate policy by watching porn using the corp PC.

Do you have the authority?

What are the expected results?

Some prohibited internet traffic. Check network logs of an application layer firewall 🔥 or content filter (any gateway between the suspect and the network), filter them out. But the user was smart enough to use VPN. What’s then? Application layer firewall only sees application traffic, it is not aware of TCPs, Shudipis and etc. Read this article about TCP/IP stack to understand better why application layer firewalls won’t see anything other than what’s on top.


Step 1. Two bit-by-bit copy of the hard drive

Step 2. Validate these copyies by comparing the hashes.

Step 3. Enable write block (DDF- ?).

Step 4. RAM (vol.py)

Step 5. HDD/SDD (DDF)

Step 6. Enumerate browser history (Autopsy/vol.py)

Information leakage. If the suspect has leaked some information and the information is stored in the Cloud ☁️ in this company, then check gateway’s logs for any connections to the storage or use Cloud logs 🪵.

Harassment. Check social media (FB, Ok, LinkedIn, Vk etc). Collect all information that could be produced by the communication of the suspect and the victim. Get the suspect’s friends, neighbours and partners. They might have the evidence against them.

Network breach. Possible indicators: security tools alarms/logs, unsual behaviour, unauthorised traffic, network performance changes, communication from the attacker or some event. Look at security tools’ logs. Useful to know how to grep, regex, python. If nothing is found in the logs, or it’s still not clear, try doing port scanning for any unusual ports, or adding some triggers like bruting activity, malicious files, netflow baselines, general IPS signatures, honey 🍯 pots. Scope, contain, remediate. Identify the attack and patch. Evaluate and upgrade the policy for a breach.

Step 1. Copy evidence (logs and other files of interest).

Step 2. Validate these copies (hash).

Step 3. Chain of custody, recommendation for these evidence, signoff.

HDD from eBay. What was installed on this device? Using OSINT (correlate, say, eBay and FB accs), determine the company the person is or was working for. The data might have been still on HDD.


Step 1. Two bit-by-bit copy of the hard drive

Step 2. Validate these copyies by comparing the hashes.

Step 3. Enable write block (DDF- ?).

Step 4. File recovery (filemost).

Step 5. Enumerate metadata (exiftol).

Step 6. Investigate further if needed using the Internet and the recovered data.


Scope of work (networks and technologies + users\things + billing structure + contacts during investigation + white/black/grey).

Step 1. Network and host logs.

Main idea - think, what data could have been produced and think of the ways and tools that could be useful. Keep in mind their cons and pros and theur digital footprints.


[1] About forensic tools like DFF

[2] Another case study