Fiction author needing help with research question...please...

Hmmmmm,

Time for a reality check?

1. This is a single stand alone PC?............. why on Earth would it have any network security software on it?

2. I have done a fair bit of support for Doctors, Dentists and Veterinaries in my time............ they know nothing about IT in general and security in particular, but I have yet to see a single system that was connected to the internet!............a LAN, yes, but NOT the internet.

3. The most common scenario is that they have a PIM (personal information manager) on the office machine and a copy on their laptop, which they synchronise from time to time.

4. From your forensics you should be aware that the first thing to do is to make a certified/authenticated/MD5 hashed copy of the suspect HDD. THIS MUST NOT MAKE ANY CHANGES TO THE ORIGINAL DRIVE ..............if it does, you have compromised your crime scene?

So, if you make a forensic evidence acceptable copy....................the activity will be untraceable.

5. Similarly, from data recovery exercises you know that you do not want to change anything on the HDD, as that could corrupt vital data?

If I took the drive and slaved it to a PC and ran a Linux recovery tool or something like roadkil's unstoppable copier you would not be able to trace the activity.

http://www.roadkil.net/unstopcp.html

6. SNORT?..................the only snorting I would associate with psychiatrists would *cough* involve a $100 bill *cough* :D

7. As a rule, psychiatrists don't do housecalls? (except prisons and hospitals).

Perhaps you need to revisit the premise that this is a stand alone machine?


// off topic

Quote:

---

LOL, that's the most creative euphemism I've read in a while.

---

Nah!............. the correct phrase is: "syphon the python", although "drain the dragon" and "strain the potatoes" can be substituted if required :p //

EDIT: Possible solution? A lot of PCs have a BIOS feature that warns you if the case has been opened. This is in the BIOS, so does not impact on the HDD, and might reasonably be overlooked by a miscreant?

If the alarm has been triggered and there is no evidence of activity, I would suggest it prudent and assume that all data have been copied?

You normally only see the case opened warning on reboot.............

Obviously, I can get around that, but just how IT savvy are these vampires?

He-heh, leave it to a bunch of engineers to make things complicated. :)

Quote:

---

1. This is a single stand alone PC?............. why on Earth would it have any network security software on it?

---

Nihil's right. Forget StealthAudit and Wireshark. A bad guy's gonna use a keylogger on a standalone.

Quote:

---

2. I have done a fair bit of support for Doctors, Dentists and Veterinaries in my time............ they know nothing about IT in general and security in particular, but I have yet to see a single system that was connected to the internet!............a LAN, yes, but NOT the internet.

---

My experience is just the opposite. Here in the States, most billing is done and submitted electronically (Medicare certainly!). Thus everything I've seen in my doctors' and dentist's offices was connected to the web (both standalones and via a LAN -- local area network). In fact, I've helped my eye doctor (standalone) and dentist (2 computer LAN) with connectivity issues.

Quote:

---

3. The most common scenario is that they have a PIM (personal information manager) on the office machine and a copy on their laptop, which they synchronise from time to time.

---

Microsoft Outlook, yes? Is there any other PIM that comes close? Palm Pilot, maybe. But even those sync with Outlook. And WTF is a PIM? Engineeranese?

Quote:

---

4. From your forensics you should be aware that the first thing to do is to make a certified/authenticated/MD5 hashed copy of the suspect HDD. THIS MUST NOT MAKE ANY CHANGES TO THE ORIGINAL DRIVE ..............if it does, you have compromised your crime scene?

---

Look, a psychiatrist with a standalone PC is NOT going to hire a computer forensics specialist. Most won't even know what computer forensics is, or that is a dead body somehow stuffed into a PC. A psychiatrist going to hire a friend (another client, maybe?) or tech from the Geek Squad, who comes out onsite, and if they're worth a damn, will find the keylogger. Finding keyloggers is little different than finding viruses in my experience. Then from the timestamp on the keylogger itself or the log file generated, they'll be able to deduce how long the BS has been going down.

A standalone PC in a sole pratice is certainly plausible. Keep it simple.

Hi My experience is just the opposite. Here in the States, most billing is done and submitted electronically

I forgot about what country this is supposed to be in.................I guess I don't associate the USA with vampires......... bloodsucking leaches yes, but lawyers and accountants are pretty much everywhere? :D

Over here, we have a national health service, and the system is paper based.

Quote:

---

Microsoft Outlook, yes? Is there any other PIM that comes close? Palm Pilot, maybe. But even those sync with Outlook.

---

Lotus Notes? but I would normally associate that with a network deployment?

Quote:

---

Look, a psychiatrist with a standalone PC is NOT going to hire a computer forensics specialist. She/he's won't even know what computer forensics is.

---

I wasn't thinking of it from that angle, I was speculating that a bad guy could use a forensics tool and get the data without detection.

Finding keyloggers is little different than finding viruses in my experience. Then from the timestamp on the keylogger itself or the log file generated, they'll be able to deduce how long the BS has been going down.

I believe that a keylogger is the way to go? it would do the job from the bad guys' viewpoint and would be reasonably easy to detect. Also if there isn't a net connection the bad guy would have to come back to retrieve the data?................ if the log file had been detected and "suitably amended" this could cause very interesting repercussions?

;)

Vampires, bloodsucking leaches, lawyers, accountants...

Jeez, nihil, I hate to be so hard on you, but you left out 'brokers' (again, the prevalence of which might be uniquely American). :)

And, uh, actually, I used to date a vampire. She was VERY seductive, but then my money ran out. :(

To be perfectly honest with you mate, I am not sure what a "broker" is to you guys. Over here they just buy and sell stocks for you and the fees are fixed.

We did have problems with mortgage brokers, life insurance brokers and pension brokers, but they are so heavily regulated now, they are trying to get back into throwing trash for a living. :D

Quote:

---

And, uh, actually, I used to date a vampire. She was VERY seductive, but then my money ran out.

---

That sounds like a lawyer to me........................vampires like the blood bank not the piggy bank?

:cool: :p

Lotus Notes? Hey, Johnno, I haven't seen a Lotus Notes installation in many years. Almost always some flavor of Outlook connected to Exchange or some other enterprise mail/collaboration system. A small office like a physicians clinic (the one I go to uses larger servers) or similar smaller outfits will use Windows 2003 Small Business Server.

YMMV, and regional differences abound.

Well, I went back yesterday to do some rewrites and was working through the scene. The psychiatrist isn't a vampire and neither are the theifs. The theif was hired to get the doc's schedule so that they could plan an abduction. It was supposed to be a simple matter.
Go in on a Sunday, get the info and get out. Unfortunately, the receptionist walked in with plans to catch up on some billing. They bop her over the head, download the calendar and leave.

Guess what? Receptionists boyfriend is a penetration expert. When the psychiatrist moved to a computer based system for all of her records and bililng he offered to set it up for her. He also expressed concern about building security, but she rents. Just recently they replaced all the locks with those electronic keypads...she figured she was nice and secure.

But nooooooooo!

If our smart and very sexy penetration expert installed Stealthaudit and WireShark would that work?
Or a key logger that would notify him if someone was accessing a file afterhours?


Sam

No...with a live cd there would be no record of the PC being accessed....only through a system log...with the shutdown restart...times

so....the very sexy pen tester.....would look at those logs...and see that the computer was accessed at the same time the receptionist gets bonked on the head.....so then he could then figure out that the computer was fiddled with....because the 2 events correspond.....but he may not know exactly what files were accessed....a good sexy pentester would assume all data on the machine has been compromised.

The software you are talking about all runs within the operating system.....which is bypassed with a live cd.....hence the software would not know about it....but the system logs would...due to the shutdown and restart times.

Clear as mud :D

MLF

Good resource for hacking computers would be Dan Brown books, or the movie Track Down featuring Kevin Mitnick as the hacker.

Physical hacking would be harder than over the internet, when it comes to covering your tracks. Using a bootcd that has a password remover would work great but how do you replace the password back to the original.

What would be more likely would be a home hack, maybe even wireless home hack if you want to add a little wardriving into the book. Alot of people bring there mail home with them, look at the VA issue a few months back good example. But hey I commend you for comeing here for help. Alot of writers would just make up a bullS*#t hack without doing the research. Those types of movies and books turn me off from reading them.

If you want to go with the wireless hack look at

wardriving tools

Netstumber used to find signals
Can antenna used to find location of wireless router
Look for WEP encryption tools
Packet capture tools
password brute force tools

the list can be long but if the person is not computer savy, you will find the wireless network is unsecure and the computer will have no firewall and filesharing enabled. I would use XP as the os that is getting attacked.

If you wanted to do a inhouse office attack, I would use a live cd like Kanotics that has NTFS support to pull off the hack.

Stick to the keylogger and forget Wireshark and StealthAudit (those are network tools and you got a standalone). Keyloggers generate log files. An expert could, reading those, determine what the hacker got. As for the calendar, if it's is in the Outlook program (which is typical) and the perp opened Outlook that Sunday afternoon to have a looksee, the .pst file (Outlook date file) would be appropriately timestamped for that Sunday afternoon. The expert could then determine it was accessed at that time.

Make sense?

More reality check?

1. If you are a sole practicioner, the only things you enter into your PIM are the unusual ones. You actually know when you are going on vacation? and so does your receptionist/secretary. You only enter stuff that you might forget like once off appointments, the dentist, vet, and that sort of thing?

If you were talking a 500 partner law or CPA practice it would be different; but not so here?

You only keep details of work done, because that is billable, and taxable ............ it is also history?

2. Psychiatrists don't do housecalls It is office, prison, hospital............... very predictable, and the consulting hours are on the shingle outside the office.

3. Penetration testing "expert"............ installs what on the computer?............ no removeable hard drive and butterfly cabinet?........... no strong encryption of data?.................... the only penetration testing he should be involved in should involve a Colt .45ACP!!!!........... actually I think that the Speer 485Gr SJSWC is very sexy :D

Oh Well, up to you :)

Quote:

---

Stick to the keylogger and forget Wireshark and StealthAudit (those are network tools and you got a standalone). Keyloggers generate log files

---

Keylogger wont log a live cd............


MLF

There are lots of ways to make this scene a lot more complicated then it really needs to be.

There truly are. But for a fictional purpose, and because I am sure Sam wants to keep the action moving, and not get bogged down into a technical dialog, keeping it as simply as possible is probably the best choice. Especially because her target readers are most likely not as technical as the AO crowd is.

My personal experience is that small to medium sized hospital tend toward lotus notes, and the small doc in a box office that are connecting to them are using a VPN configured by the hospital IT staff, or Outlook. But for the one or two doc shops, some use Outlook, but I was somewhat surprized to see how many of them use ACT! for a contact mananger/PIM.

Getting back to my point is a round about way, not a single one of these shops would guess someone had access their computers, unless it was while they had stepped out of the room, and came back and found the desktop or screen different. But over a weekend? Nah. They wouldnt even know to look for any differences.

If they DID happen to think someone had accessed their system, they are more likely to call a local computer shop. Their express area of interest would be PATIENT RECORDS not they PIM. They would only really care about that if the information was lost or altered, OR is they might be held liable for it. Seriously thou. I cant think of a single person in the health care field that wouldnt just miss completely that someone had rebooted their computer/server with a LiveCD. As long as everything worked when they came back into the office Monday, they would never have a reason to check the logs.

Cheers!

OK, just something to add, Sam, and I hope this doesn't throw to big a wrench into things. Osiris is a package that can be used like TripWire on a Windows box to check for changes to files. This is an ideal tool for standalones that you want to protect. Google that for a bit more detail, but the non-technical side is that it could have been installed by the boyfriend.

Boyfriend, penetration expert. Now, doesn't that equate to, like, 99 percent of boyfriends?
;)

Hey Rapier57

you forgot SEXY penetration expert.....

the sexy is VERY a important skill and job requirement ;)

MLF

He-heh, I had a client once for whom I was using grc.com's web scan, explaining it probes her (network) ports.

She sighed, and said it'd been awhile since anyone probed her ports.

I got some good hours in on that job. :p

Yeehaw!

Hey Sommersby,

It's been hinted at already, but I think your solution may require a little lateral thinking. While everyone is talking about the merits/demerits of various operating systems/applications etc. -- and this is understandable given you asked for technical advice -- how about looking at it differently?

e.g. something happens to the protagonist whereby the only possible explanation for someone being there/that thing happening at that time, is that someone has read their diary?

- that way they know someone's been at their machine, but they don't need to know how.

Perhaps...

cheers,

Vaughan.

I haven't read all the posts but I know a lot of non technical people tend to just turn off the screen at night and not lock the computer. If this was the case in your book the petaganist could just break into the office turn on the screen and find the computer not locked. They open the addresse book and meeting calender but get disturbed and just turn off the screen without closing the different programes as they leave. Your doctor can then come by the next day and either realise right away that someone had been looking at his appointments or he can realise it later when something happens. As i said this I havent read all the other posts so some one may have already suggested this.

My word, this is getting complex.

Just a suggestion...

Bad guy turns on PC & opens outlook (or other mail client) to examine calendar & then to save the contatcs to a usb keydrive.

However, while he's doing this, unbeknowst as it were, outlook dials in & downloads some email...

Bad guy shuts down.

Psych finds office broken into, contatcs his security expert, who upon checking (with the modem disconnected just in case) find downloaded email dated after the last time the Psych used the computer & then investigates further....

Finds a recent driver change in the registry pointing to a new usb keydrive being used in the timescale of the email & puts 2 & 2 together...

Simple but effective.

Drop me a pm sommersby if you want more details.

Steve

...or, user sees their most recent email is marked as 'read' but received after they left the office, ergo someone's been at their desk.

...or, break-in-guy attempted to PRINT the contents of the Calendar/Diary, but there was a paper jam, or it printed two copies, or 1 page dropped to the floor...

...and so on. Keep it simple, I guess.

I'm not trying to be a troll now , but I think you guys are all the victims of social engineering.
This topic is an innovative way of asking "how to hack someone's computer".

Ummm...,

If you look at the OP, she seems to be genuine. Look at http://www.samanthasommersby.com/ . Of course, there is a possibility that this is an elaborate social engineering plot, but highly unlikely if you see how much she knows about the characters in her previous novel and how consistent she is about how she is going to develop them.

Cheers,
cgkanchi

Quote:

---

This topic is an innovative way of asking "how to hack someone's computer".

---

Not really, the primary assumption is physical access, which makes the hacking trivial.

The issue seems to be to find a plausible scenario where the computer is accessed, and this activity is actually detected, given the characters involved, their IT knowledge and the security measures they might reasonably be expected to apply.

;)

I'm just catching up on posts after being without my laptop for a week. The "Genius" at the bar in the Apple store couldn't tell me why I kept losing my airport signal-- so I had to check it into the hospital. Parting with it was traumatic for both of us. I assure everyone - I'm on the up and up. If you google my pen name you'll find numerous reviews and interviews. Plus, I did a book-signing today in San Diego at Mysterious Galaxy (www.mysteriousgalaxy.com)....Oh, and I was a presenter at COMICON a few weeks ago. I sat on a panel with John Ridley, Peter David, Kelley Armstron, Lara Parker, and Nancy Holder. The topic was URBAN FANTASY: Our Lives Made Less Mudane.
Although perhaps some folks are clever enough to fake all that....not me. LOL!

I'm really trying to just figure our how the hacker could be detected and how they could determine it was the calendar. I do like the "keep it simple" advice. Now that my computer is back I hope to settle into some re-writes this week and I think that I have the basic info that I need.

If anyone if willing to look over the section and provide feedback please let me know.

Sam

Hi Sam,

Glad that you are back online, well, "AntiOnline"................sorry :p

I would certainly be willing to review the section for you, from a cynical Englishman's viewpoint. :D

Yes, I fully appreciate that your questions are totally genuine, as they are directed at "how the guy gets found out"..................... we have had a lot of suggestions on how to avoid that, and even more clever ones as to how they could be detected.

My thinking is that you are writing a romantic novel involving vampires? this probably means that your audience would be totally baffled by the more sophisticated computer scenarios suggested here. That would sort of be counterproductive, would it not?

I have used systems where if you opened the calendar/diary, it would record that you had seen the invitation to a meeting but had not acknowledged/confirmed it. It would be "flagged as read but not responded to"

So, if the Dr. synchronised her diary with her PC, the invitations to attend the local psychiatrists' meeting would be there, but as unread ................. if she noticed that they were "read" but not "responded" to......................they should not have been "read".

Professionals tend to have local meetings by arrangement rather than a known schedule?

just a few thoughts?
:)