
Thread: Fiction author needing help with research question...please...

  1. #11
    Junior Member
    Join Date
    Dec 2001
    Posts
    4

    Logs - it all depends....

    Based on my experience as a security analyst and just knowing how doctor's offices work, it would require an external person auditing the system to make a determination if the system has been compromised.

    Systems deployed in doctor's offices tend to be small networks or stand-alone systems; those in hospitals are much more likely to have a degree of security associated with them that would log changes. All too often, the systems in doctor's offices have older operating systems which are more readily "crackable".

    Example: using a program called StealthAudit from Stealthbits, it is possible to determine (on Windows systems) whether or not someone attached a USB device to a port and if traffic flowed to that location. If installed, a host-based tool can detect if changes were made to local files (works on both a server or desktop and Tripwire can do either of them). Network sniffers can locate traffic flowing out of a desktop across the wire to internal/external systems if monitoring is implemented (Wireshark).

    There are a myriad of tools which a motivated person can try and obscure what they are doing and security professionals have a similar suite to try and detect forensically what has happened on the same system.

    The real dependency in your story needs to be the motivation of the perpetrator - is s/he very capable as a "cracker/hacker" or someone with limited capabilities? What you decide here will determine what they do and what they will likely leave as a trail that can be found by a forensic level audit.

  2. #12
    Senior Member
    Join Date
    May 2006
    Posts
    132
    not to be insulting, but I seriously doubt the readers of "erotic romance novels" are going to be too concerned with technical details

  3. #13
    Well, even romance writers need to do research. I commend Samantha for making the attempt to have her technical details ring true. That's how good stories are crafted. I'm impressed that she was first published last year, according to her author's bio, and has four books out and one on the way. I'm a slow writer. It takes me 20 years to write 15 chapters.

  4. #14
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by er0k
    not to be insulting, but I seriously doubt the readers of "erotic romance novels" are going to be too concerned with technical details
    Perhaps she's attempting to write a book that's erotic for geeks?

    Penetrating systems is very.. ahum.. stimulating
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #15
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    I'm currently writing a scene in which someone breaks into an office, hacks into a computer, and downloads some files, including a calendar and contacts list.
    Easy enough to do. SirDice, morganlefay and others covered the live cd angle. A live CD can be anything from Insert to Knoppix (both of which are Linux systems) to Barts PE (Windows-based). Linux is definitely the way to go, leaving virtually no traces you were on a PC.

    The sad fact is computer security in most doctor's offices is going to be crap. The smaller the office, the worse it is. But even big practices will have networks shot full of holes. So it's not unreasonable to assume you'd be able to boot a PC with a live cd (I do it all the time in my line of work, seldom have problems).

    Calendars and contact lists are, in a typical office environment, going to be MS Outlook files, which have a .pst extension. Typically, the file name will simply be outlook.pst and includes all the emails, contacts and calendars for a particular user (could have several .pst files on a PC if you have more than one user). Patient files are a different story, and very much dependent on the software used in the office. I'm not familiar with medical apps and don't know the formats, but conceivably they could even be Excel files, which have an .xls extension.

    As part of the story line, you'll need a usb drive onto which to copy the stolen data. USB drives are bootable on the newest computers, but for my money, if I was breaking into a system to steal data, it'd be an Insert live cd. It's small, loads fast, and picks up USB drives no problem.

    p.s. -- in an office environment with ten or more employees (and sometimes less), most data is going to reside on a server to which the other computers (workstations) are networked. So if you're going to break into an office to pilfer data, you'd look for the server first. And, again, security is often lax in these smaller offices and it would not be unusual to be able to boot even the server to a live cd.

    Hope this helps....and don't try this in real life. You could get in a lot of trouble.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  6. #16
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    Heh,

    I wrote my long elaborate scenario before the doctor thing was posted, so I was expecting a large corporation. Anyway, I think what the OP wants is for the theft to be detected. If that is the case, most solutions here are going to be useless. Samantha, care to confirm?

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  7. #17
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Hell, thinkin' about it, the best way to rip off the data would be as an inside job. I suspect that's how many security breaches take place anyway.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  8. #18
    Junior Member
    Join Date
    Jul 2006
    Posts
    10
    First let me say that I am so thankful for everyone's willingness to help. cgkanchi is correct, I do want the theft to be detected. The thieves are smart, but not smarter than the hero. (Romance novel rule - the hero always figures it out and saves the day.) It's a psychiatrist's office and a small private practice, so there is only one computer in the office. I'll need to read through all of these more carefully in the morning--I'm likely to have some questions or need some additional clarification. I appreciate your patience!

  9. #19
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmmmm,

    OK, here are a few more things to consider:

    1. There are rules regarding the holding and storage of personal information. I am not familiar with the US scene but possibly HIPAA and Sarbanes-Oxley? I am sure one of my US colleagues will fill that in.

    2. Single computer in an office. Probably not connected to the internet, as it would have no reason to be. Over here Veterinaries, Doctors and Dentists usually have some little outfit that supplies support and comes round and gives them updates periodically. The practitioners use laptops for their personal e-mail and so on, and DO NOT keep patient/personal data on them..........particularly after the VA fiasco?

    3. That would force physical access no matter what the setup?

    4. Some of the private setups I have done involve a fixed hard drive as a slave to a removable master drive (C:\). The procedure is to back up the data from the C:\ drive on a daily basis and then remove it and lock it in a fireproof safe. So if a natural disaster occurs, you have the drive in the safe. If the master drive fails you have the slave still in the machine as a backup.

    5. If you are ultra paranoid (have a strong security requirement) then you would have access to the hard drive password protected, and the backup data strongly encrypted. That would require considerable skill, resources and patience to crack. Which is probably why failure to provide password and encryption key data when legally required to do so can get you 2 years in prison in the UK.

    6. The weak link: (you will need this) If I am locking the master drive in a good quality fireproof safe, why should I bother encrypting that, as it is not at risk like the one left in the machine?

    So, if someone were to break in, crack the safe and copy the master (C:\) drive, they would get an unencrypted copy of the data. However, the precautions taken would meet the data protection requirements of most countries (I don't know about the USA?).

    7. How would you discover it? Well, only when things started to happen I am afraid, it is a bit like identity theft. As already suggested, if the thieves were in any way competent, they would not leave an electronic trace. Even if you had some super monitoring system, it would only tell you that someone had accessed the drive (which you already know) at a particular time, which you could probably guess?

    Anyway, if you were going to install that sort of system, which would only tell you that you had been robbed, wouldn't it make more sense to password protect and encrypt both drives?

    Hope that helps

  10. #20
    Senior Member
    Join Date
    Dec 2004
    Posts
    320
    Rootkit maybe? Gives the doc a way to catch them and if it's a small practice, I can see it being hooked to the internet. (Best practices aren't always in practice when it's just 1-5 person(s) in a small office?) Maybe the doctor notices in the app/system logs that a .pst was saved to a USB?

    Gotta ask; is bad guy gettin down in Doctor Lovemember's office?
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare
