Fiction author needing help with research question...please...

[nihil]

Hmmmmm,

Time for a reality check?

1. This is a single stand alone PC?............. why on Earth would it have any network security software on it?

2. I have done a fair bit of support for Doctors, Dentists and Veterinaries in my time............ they know nothing about IT in general and security in particular, but I have yet to see a single system that was connected to the internet!............a LAN, yes, but NOT the internet.

3. The most common scenario is that they have a PIM (personal information manager) on the office machine and a copy on their laptop, which they synchronise from time to time.

4. From your forensics you should be aware that the first thing to do is to make a certified/authenticated/MD5 hashed copy of the suspect HDD. THIS MUST NOT MAKE ANY CHANGES TO THE ORIGINAL DRIVE ..............if it does, you have compromised your crime scene?

So, if you make a forensic evidence acceptable copy....................the activity will be untraceable.

5. Similarly, from data recovery exercises you know that you do not want to change anything on the HDD, as that could corrupt vital data?

If I took the drive and slaved it to a PC and ran a Linux recovery tool or something like roadkil's unstoppable copier you would not be able to trace the activity.

http://www.roadkil.net/unstopcp.html

6. SNORT?..................the only snorting I would associate with psychiatrists would *cough* involve a $100 bill *cough*

7. As a rule, psychiatrists don't do housecalls? (except prisons and hospitals).

Perhaps you need to revisit the premise that this is a stand alone machine?


// off topic

LOL, that's the most creative euphemism I've read in a while.

Nah!............. the correct phrase is: "syphon the python", although "drain the dragon" and "strain the potatoes" can be substituted if required //

EDIT: Possible solution? A lot of PCs have a BIOS feature that warns you if the case has been opened. This is in the BIOS, so does not impact on the HDD, and might reasonably be overlooked by a miscreant?

If the alarm has been triggered and there is no evidence of activity, I would suggest it prudent and assume that all data have been copied?

You normally only see the case opened warning on reboot.............

Obviously, I can get around that, but just how IT savvy are these vampires?

[brokencrow]

He-heh, leave it to a bunch of engineers to make things complicated.

1. This is a single stand alone PC?............. why on Earth would it have any network security software on it?

Nihil's right. Forget StealthAudit and Wireshark. A bad guy's gonna use a keylogger on a standalone.

2. I have done a fair bit of support for Doctors, Dentists and Veterinaries in my time............ they know nothing about IT in general and security in particular, but I have yet to see a single system that was connected to the internet!............a LAN, yes, but NOT the internet.

My experience is just the opposite. Here in the States, most billing is done and submitted electronically (Medicare certainly!). Thus everything I've seen in my doctors' and dentist's offices was connected to the web (both standalones and via a LAN -- local area network). In fact, I've helped my eye doctor (standalone) and dentist (2 computer LAN) with connectivity issues.

3. The most common scenario is that they have a PIM (personal information manager) on the office machine and a copy on their laptop, which they synchronise from time to time.

Microsoft Outlook, yes? Is there any other PIM that comes close? Palm Pilot, maybe. But even those sync with Outlook. And WTF is a PIM? Engineeranese?

4. From your forensics you should be aware that the first thing to do is to make a certified/authenticated/MD5 hashed copy of the suspect HDD. THIS MUST NOT MAKE ANY CHANGES TO THE ORIGINAL DRIVE ..............if it does, you have compromised your crime scene?

Look, a psychiatrist with a standalone PC is NOT going to hire a computer forensics specialist. Most won't even know what computer forensics is, or that is a dead body somehow stuffed into a PC. A psychiatrist going to hire a friend (another client, maybe?) or tech from the Geek Squad, who comes out onsite, and if they're worth a damn, will find the keylogger. Finding keyloggers is little different than finding viruses in my experience. Then from the timestamp on the keylogger itself or the log file generated, they'll be able to deduce how long the BS has been going down.

A standalone PC in a sole pratice is certainly plausible. Keep it simple.

[nihil]

Hi My experience is just the opposite. Here in the States, most billing is done and submitted electronically

I forgot about what country this is supposed to be in.................I guess I don't associate the USA with vampires......... bloodsucking leaches yes, but lawyers and accountants are pretty much everywhere?

Over here, we have a national health service, and the system is paper based.

Microsoft Outlook, yes? Is there any other PIM that comes close? Palm Pilot, maybe. But even those sync with Outlook.

Lotus Notes? but I would normally associate that with a network deployment?

Look, a psychiatrist with a standalone PC is NOT going to hire a computer forensics specialist. She/he's won't even know what computer forensics is.

I wasn't thinking of it from that angle, I was speculating that a bad guy could use a forensics tool and get the data without detection.

Finding keyloggers is little different than finding viruses in my experience. Then from the timestamp on the keylogger itself or the log file generated, they'll be able to deduce how long the BS has been going down.

I believe that a keylogger is the way to go? it would do the job from the bad guys' viewpoint and would be reasonably easy to detect. Also if there isn't a net connection the bad guy would have to come back to retrieve the data?................ if the log file had been detected and "suitably amended" this could cause very interesting repercussions?

[brokencrow]

Vampires, bloodsucking leaches, lawyers, accountants...

Jeez, nihil, I hate to be so hard on you, but you left out 'brokers' (again, the prevalence of which might be uniquely American).

And, uh, actually, I used to date a vampire. She was VERY seductive, but then my money ran out.

[nihil]

To be perfectly honest with you mate, I am not sure what a "broker" is to you guys. Over here they just buy and sell stocks for you and the fees are fixed.

We did have problems with mortgage brokers, life insurance brokers and pension brokers, but they are so heavily regulated now, they are trying to get back into throwing trash for a living.

And, uh, actually, I used to date a vampire. She was VERY seductive, but then my money ran out.

That sounds like a lawyer to me........................vampires like the blood bank not the piggy bank?

[rapier57]

Lotus Notes? Hey, Johnno, I haven't seen a Lotus Notes installation in many years. Almost always some flavor of Outlook connected to Exchange or some other enterprise mail/collaboration system. A small office like a physicians clinic (the one I go to uses larger servers) or similar smaller outfits will use Windows 2003 Small Business Server.

YMMV, and regional differences abound.

[sommersby]

Well, I went back yesterday to do some rewrites and was working through the scene. The psychiatrist isn't a vampire and neither are the theifs. The theif was hired to get the doc's schedule so that they could plan an abduction. It was supposed to be a simple matter.
Go in on a Sunday, get the info and get out. Unfortunately, the receptionist walked in with plans to catch up on some billing. They bop her over the head, download the calendar and leave.

Guess what? Receptionists boyfriend is a penetration expert. When the psychiatrist moved to a computer based system for all of her records and bililng he offered to set it up for her. He also expressed concern about building security, but she rents. Just recently they replaced all the locks with those electronic keypads...she figured she was nice and secure.

But nooooooooo!

If our smart and very sexy penetration expert installed Stealthaudit and WireShark would that work?
Or a key logger that would notify him if someone was accessing a file afterhours?


Sam

[morganlefay]

No...with a live cd there would be no record of the PC being accessed....only through a system log...with the shutdown restart...times

so....the very sexy pen tester.....would look at those logs...and see that the computer was accessed at the same time the receptionist gets bonked on the head.....so then he could then figure out that the computer was fiddled with....because the 2 events correspond.....but he may not know exactly what files were accessed....a good sexy pentester would assume all data on the machine has been compromised.

The software you are talking about all runs within the operating system.....which is bypassed with a live cd.....hence the software would not know about it....but the system logs would...due to the shutdown and restart times.

Clear as mud

MLF

[Ghost_25inf]

Good resource for hacking computers would be Dan Brown books, or the movie Track Down featuring Kevin Mitnick as the hacker.

Physical hacking would be harder than over the internet, when it comes to covering your tracks. Using a bootcd that has a password remover would work great but how do you replace the password back to the original.

What would be more likely would be a home hack, maybe even wireless home hack if you want to add a little wardriving into the book. Alot of people bring there mail home with them, look at the VA issue a few months back good example. But hey I commend you for comeing here for help. Alot of writers would just make up a bullS*#t hack without doing the research. Those types of movies and books turn me off from reading them.

If you want to go with the wireless hack look at

wardriving tools

Netstumber used to find signals
Can antenna used to find location of wireless router
Look for WEP encryption tools
Packet capture tools
password brute force tools

the list can be long but if the person is not computer savy, you will find the wireless network is unsecure and the computer will have no firewall and filesharing enabled. I would use XP as the os that is getting attacked.

If you wanted to do a inhouse office attack, I would use a live cd like Kanotics that has NTFS support to pull off the hack.

[brokencrow]

Stick to the keylogger and forget Wireshark and StealthAudit (those are network tools and you got a standalone). Keyloggers generate log files. An expert could, reading those, determine what the hacker got. As for the calendar, if it's is in the Outlook program (which is typical) and the perp opened Outlook that Sunday afternoon to have a looksee, the .pst file (Outlook date file) would be appropriately timestamped for that Sunday afternoon. The expert could then determine it was accessed at that time.

Make sense?