The second series of "CSI:Internet" was originally published in c't magazine starting with issue 15/2011. For links to articles in the first series please refer to our CSI:Internet HQ page.
CSI:Internet
Episode 2: Controlled from the beyond
by Eduard Blenkers
The telephone rings. The caller introduces himself as Mr Waldmann. He is in charge of IT security in a medium-sized company and attended one of our training sessions some time ago. He is being summoned by his boss, who has discovered that his PC has developed a life of its own. There were ghostly activities like reading emails, opening attachments, fetching contact details and checking the calendar – all taking place without him touching the mouse.
Mr Waldmann feels confident that he could analyse the incident himself but he's paid attention to our course and knows that with a hacker attack this obvious, it is not just about finding out what happened. Almost more important is to secure evidence of the attack that will hold up in court. And that's where I, as a forensic investigator, come in.
As the unknown visitor is no longer active, I advise my client to pull the power plug out of his boss's potentially compromised workstation at once. No, don't shut it down! That could allow potential shut-down scripts to run that could destroy valuable traces, or the system could even install some patches. Just pull the plug. I promise to come by immediately and impress on him not to take his eyes off the system until I arrive.
When I arrive at the premises about an hour later, I find Mr Waldmann sitting in his boss's chair, apparently messing around with his boss's notebook. However, before I can protest he puts the lid down and explains that he had someone bring him his own machine. The object under investigation is under the table – a plain PC.
After a quick hello, I get to work and go through my usual routine: on a new hard disk, I set up a folder structure for all the information and intermediate results pertaining to the case; I write down the date and time and take pictures of the computer, including close-ups of the device's type label and inventory number. Then I open the housing to get to the hard disk. I take further pictures of all the details, which will be placed in the project folder later – a systematic and orderly approach is the central pillar of a forensic investigator's work.
As I'm packing up the hard disk, Mr Waldmann eloquently insists that, if at all possible, the sensitive data mustn't leave the premises. So I get a provisional lab set up for the coming weeks, and the company caretaker, having been summoned by phone, grumpily changes the lock. Yes, that is necessary, I explain to the security officer – after all, we can't rule out that company employees may be involved in the matter, and we don't want to risk having the hard disk stolen. The caretaker hands the only two keys to me and Mr Waldmann. That should do for now; after all, we're not dealing with rocket science here.
Even before taking a first look at the hard disk, I boot the disk-less workstation. I'm interested in its system time: 14:53. Glancing at my wristwatch, I see that it shows the same time. Mr Waldmann, who doesn't take his eyes off me, proudly tells me about his local NTP time server, with which the company's computers are synchronised at regular intervals. That makes my job much easier already, because it allows us to simply match the log file entries of firewall and proxy servers with a file's time stamps as required. The greater the time discrepancy between clocks, the harder it is to find a matching entry in the proxy log file using, for example, the time stamp of a file in the browser cache.
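The time matching described above, sketched as an added example that is not part of the original article: it looks up the proxy log entry belonging to a browser cache file's time stamp, first with synchronised clocks and then with the wide search window an unknown clock offset would force. The log lines (in the layout of Squid's native access.log), addresses, URLs and function names are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Squid's native access.log layout
# (epoch seconds, elapsed ms, client, result/status, bytes, method, URL, ...).
PROXY_LOG = """\
1311685980.120 210 10.0.0.23 TCP_MISS/200 5120 GET http://intranet.example/news.html - DIRECT/192.0.2.10 text/html
1311686003.412 95 10.0.0.23 TCP_MISS/200 48211 GET http://files.example/update.exe - DIRECT/192.0.2.44 application/octet-stream
1311686071.900 130 10.0.0.23 TCP_MISS/200 880 GET http://intranet.example/logo.png - DIRECT/192.0.2.10 image/png
1311686184.005 88 10.0.0.57 TCP_MISS/200 48211 GET http://files.example/update.exe - DIRECT/192.0.2.44 application/octet-stream
"""

def parse_proxy_log(text):
    """Yield (utc_time, client_ip, url) for each log line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue  # skip truncated lines
        ts = datetime.fromtimestamp(float(f[0]), tz=timezone.utc)
        yield ts, f[2], f[6]

def correlate(file_time, client_ip, entries, clock_offset=timedelta(0),
              tolerance=timedelta(seconds=5)):
    """Return (time, url) log entries for client_ip near the corrected file time.

    clock_offset is (workstation clock - reference clock), as measured when
    booting the disk-less machine; subtracting it maps the file time stamp
    onto the proxy's time base. Results are ordered closest match first.
    """
    corrected = file_time - clock_offset
    hits = [(abs(ts - corrected), ts, url) for ts, ip, url in entries
            if ip == client_ip and abs(ts - corrected) <= tolerance]
    return [(ts, url) for _, ts, url in sorted(hits)]

ENTRIES = list(parse_proxy_log(PROXY_LOG))
# Constructed cache-file time stamp, about 2 s after the second request.
CACHE_FILE_TIME = datetime.fromtimestamp(1311686005, tz=timezone.utc)

if __name__ == "__main__":
    # Synchronised clocks: a 5 s window pins down exactly one request.
    print("synchronised:", correlate(CACHE_FILE_TIME, "10.0.0.23", ENTRIES))
    # Unknown offset: a 2 min window returns several candidates.
    print("unknown skew:", correlate(CACHE_FILE_TIME, "10.0.0.23", ENTRIES,
                                     tolerance=timedelta(minutes=2)))
```

With the narrow window only one request matches the file; once the window has to cover an unmeasured offset, every request the client made in that period becomes a candidate and the match is no longer unambiguous.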
To examine the hard disk, I bring out my most important professional tool: the write blocker. This device is inserted between the controller and the hard disk, and its task is to block any write accesses at a hardware level. This ensures that components such as my virus scanner don't prematurely wipe precious evidence from the disk.