I'm needing some help. I'm currently writing a scene in which someone breaks into an office, hacks into a computer, and downloads some files, including a calendar and contacts list.
I need to be able to describe how someone could tell that this had been done. Are there logs within the computer system that would tip off someone that those files were copied? I've yet to define what the operating system is, etc. So that's up for grabs.
Samantha Sommersby
www.samanthasommersby.com
Why whould "they" even physically break into the office when all office computers seem to be connected to the Internet these days? Or did you mean "they" broke into the office network?
And it doesn't matter what kind of operating system is used. If the culprits physically broke in and are able to boot from a cd or usb-stick there would be no trace if/when the files were copied.
Depending on the OS....you can check logs...
also depending on the "hacker"...on how you would track them
Is this for a new book.....
Do I get money to help :D
MLF
For a new book, yes. Urban Fantasy - a sequel to Forbidden: The Claim. This one is titled Forbidden: The Awakening and is due out in December. No money - but I can send you a copy of the book and mention you in credits :)
Was just joking ;)Quote:
For a new book, yes. Urban Fantasy - a sequel to Forbidden: The Claim. This one is titled Forbidden: The Awakening and is due out in December. No money - but I can send you a copy of the book and mention you in credits
SirDice nailed it with a boot cd...
I guess it depends on the sophistication of the "hacker"
MLF
Darn it! Does that mean I'm going to have to resort to having them steal an appointment book?
How boring! Getting to the computer isn't the only reason that they break into the doctors office.
You mention the internet. Can you elaborate? Perhaps that's the way to go with the computer piece. Could a someone tell that their files were accessed by another party over the internet?
Sam
On the other hand, I'm sure a really paranoid system admin *could* in theory set up a custom built application (or custom policy) that audits every local file copy operation (possibly an application like filemon for Windows with output piped to a text file). However, the logs are likely to get so huge that finding a single (or even a bunch of) file copy operations is going to involve TONS of digging).Quote:
Why whould "they" even physically break into the office when all office computers seem to be connected to the Internet these days? Or did you mean "they" broke into the office network?
And it doesn't matter what kind of operating system is used. If the culprits physically broke in and are able to boot from a cd or usb-stick there would be no trace if/when the files were copied.
Also, if the system is broken into locally, a livecd of some sort can be used to bypass operating system restrictions and entirely bypass any logging operations in place.
Thus, I guess it depends on *how* the system is broken into locally and *where* the system is. For example, I can't see a highly secure system (such as maybe a defence system) not having these logs.
A possible scenario would be that the system (hardware) is custom built to prevent booting from anywhere except existing hardware or the CPU itself is locked in a break-proof safe with only the monitor, keyboard/mouse and other peripherals on the outside. Assuming that it is also setup to allow only local logins, a scenario could be envisioned where the "hacker", having obtained a password to the system, logs in and copies stuff to an external hard disk connected to an external USB hub (yeah yeah, a system that secure isn't likely to have a USB hub sitting around, so the scenario needs to be refined, maybe a laptop that connects to the system concerned via a wireless LAN connection), thereby activating the logging system put in place by the admin. *phew* that was a long sentence.
Cheers,
cgkanchi
Any (half) decent "secure" OS has the option to audit. On NT and higher (2K, XP, 2K3, Vista) there's an option to audit the reading (or writing) of files. It would have to be turned on but could be used to trace who read the files and when. But as I said, if the culprits used some livecd it would bypass this.
But ofcource, a lot of people tend to write down their passwords. Perhaps the appointment book could contain a password for some (other; external) system? Then the culprits would login that system (using the stolen password) and access the data? At least that's something that could show up in all sorts of logs (accesslogs, audit trails, etc.) and could be traced.
Hi Sam,
I may have a solution for you based on my experience in the defense sector............
We have two networks, one is the general network, that is accessible by and to the internet. The second is the "secure network" which does not access the internet (it also does not not allow floppy drives, USB, CD/DVD either). One of its protections is that all the desktop machines have removable hard drives. You log out, remove the hard drive and lock it in your MoD/DoD/N.A.T.O. approved safe ;)
You mention a doctor, (presumably MD? although it doesn't really matter). He may well have come across the idea of the removable hard drive from contacts or patients?
The building of very restricted machines is generally military, enforcement, Fortune 500 and the like. The removable hard drive can be implemented for less than 20 bucks!!!! That he might be inclined to go for. I put them in all my SOHO (small office home office) and sole trader machines.
If someone was to break in, they would hopefully see that the machine was missing its hard drive (there is a big hole in the front :D ) and not bother to steal it. Even if they did, it contains no sensitive information (assuming the thief did not have the forensic skills and equipment to extract data from the RAM). And I can get my clients back up and running within an hour.
I guess that that $20 scenario would force someone to gain physical access, as they would need to slot the hard drive into the computer, or hook it up to a laptop and copy it (another possibility?).................yes, as my colleagues have suggested that using a " live CD" would circumvent this, but so would installing the removable hard drive as a slave to a laptop (you would need an adapter) and just copying it.
Then, if you put everything back, nobody would know.
Incidentally, if there were some sort of encryption and security, you would now have a mirror image of the drive to work with at your leisure, and without the knowledge of the owner. Also, this method would circumvent the situation where the local PC will not allow external devices.
Just a couple of thoughts?
As mentioned in other posts, physical access to the system can trump any other security. A bootable, Live-CD in a system that doesn't have BIOS security or allows booting to removable media (CD, Floppy, USB), can perform tasks that are, for most, difficult to track. There are still other issues, though. The system has to be rebooted for the Live-CD to work. That creates a system log. Then the system has to be started after the operation is completed. That creates another system log.Quote:
Originally posted here by sommersby
Darn it! Does that mean I'm going to have to resort to having them steal an appointment book?
How boring! Getting to the computer isn't the only reason that they break into the doctors office.
You mention the internet. Can you elaborate? Perhaps that's the way to go with the computer piece. Could a someone tell that their files were accessed by another party over the internet?
Sam
Breaking into the office can mean a number of things, too. Use of a stolen swipe card? Surgically removed the eyeball of a high security tech for the company? Jimmied the security in the doors? Coattailed behind some sleepy tech or security guard on the way in?
Depending on the building, the company's physical security and the ways that ingress and egress to the office/building is managed, that can help track the perp.
Compare all this with the computer logs, timing and such, and you can determine a lot of things. The length of time between restarts on the target system can circumstantially ID the file(s) copied. The logs can be checked with the physical security system to corelate the times of entry and exit, tapes or records of video camera, etc.
Think how your target organization is set up. Would they be a leading edge outfit that merges IT security and physical security? Are the logs collected in a central location so that they can be quickly accessed and the activity tracked? Or, is this a typical organization for today that keeps the IT and Physical security roles separate, if not antagonistic? That could throw another wrench into the investigation.
Some physician offices use leased space and the physical security is provided by the landlord. Some are facilities are owned (designed and built for specific specialties) by a consortium of physicians, and they manage it like a corporation, with areas of responsibility for IT and Physical security, maintenance and tenant (some services like minor radiology and outpatient surgery lease space in the building) management.
You probably now have more to think about that you originally envisioned. You are welcome to PM me for details or clarification.
Based on my experienceas a security analyst and just knowing how doctor's offices work, it would require an external person auditing the system to make a determination if the system has been compromised.
Systems deployed in doctor's offices tend to be small networks or stand-alone systems; those in hospitals are much more likely to have a degree of security associated with them that would log changes. All too often, the systems in doctor's offices have an older operating systems which are more readily "crackable".
Example: using a program called StealthAudit from Stealthbits, it is possible to determine (on Windows systems) whether or not someone attached a USB device to a port and if traffic flowed to that location. If installed, a host-based tool can detect if changes were made to local files (works on both a server or desktop and Tripwire can do either of them). Network sniffers can locate traffic flowing out of a desktop across the wire to internal external systems if monitoring is implemented (Wireshark).
There are a myriad of tools which a motivated person can try and obscure what they are doing and security professionals have a similar suite to try and detect forensically what has happened on the same system.
The real dependency in your story needs to be the motivation of the perpetrator - is s/he very capable as a "cracker/hacker" or someone with limited capabilities? What you decide here will determine what they do and what they will likely leave as a tr4ail that can be found by a forensic level audit.
not to be insulting, but I seriously doubt the reader's of "erotic romance novels," are going to be too concerned with technical details ;)
Well, even romance writers need to do research. I commend Samantha for making the attempt to have her technical details ring true. That's how good stories are crafted. I'm impressed that she was first published last year, according to her author's bio, and has four books out and one on the way. I'm a slow writer. It takes me 20 years to write 15 chapters.
Perhaps she's attempting to write a book that's erotic for geeks? :DQuote:
Originally posted here by er0k
not to be insulting, but I seriously doubt the reader's of "erotic romance novels," are going to be too concerned with technical details ;)
Penetrating systems is very.. ahum.. stimulating :umph:
Easy enough to do. SirDice, morganlefay and others covered the live cd angle. A live CD can be anything from Insert to Knoppix (both of which are Linux systems) to Barts PE (Windows-based). Linux is definitely the way to go, leaving virtually no traces you were on a PC.Quote:
I'm currently writing a scene in which someone breaks into an office, hacks into a computer, and downloads some files, including a calendar and contacts list.
The sad fact is computer security is most doctor's offices is going to be crap. The smaller the office, the worse it is. But even big practices will have networks shot full of holes. So it's not unreasonable to assume you'd be able to boot a PC with a live cd (I do it all the time in my line of work, seldom have problems).
Calendars and contact lists are, in a typical office environment, going to be MS Outlook files, which have a .pst extension. Typically, the file name will simply be outlook.pst and includes all the emails, contacts and calendars for a particular user (could have several .pst files on a PC if you have more than one user). Patient files are a different story, and very much dependent on the software used in the office. I'm not familiar with medical apps and don't know the formats, but conceivably they could even be Excel files, which have an .xls extension.
As part of the story line, you'll need a usb drive onto which to copy the stolen data. USB drives are bootable on the newest computers, but for my money, if I was breaking into a system to steal data, it'd be an Insert live cd. It's small, loads fast, and picks up USB drives no problem.
p.s. -- in an office environment with ten or more employees (and sometimes less), most data is going to reside on a server to which the other computers (workstations) are networked. So if you're going to break into an office to pilfer data, you'd look for the server first. And, again, security is often lax in these smaller offices and it would not be unusual to be able to boot even the server to a live cd.
Hope this helps....and don't try this in real life. You could get in a lot of trouble. ;)
Heh,
I wrote my long elaborate scenario before the doctor thing was posted, so I was expecting a large corporation :D . Anyway, I think what the OP wants is for the theft to be detected. If that is the case, most solutions here are going to be useless. Samantha, care to confirm?
Cheers,
cgkanchi
Hell, thinkin' about it, the best way to rip off the data would be as an inside job. I suspect that's how many security breaches take place anyway.
First let me say that I am so thankful for everyone's willingness to help. cgkanchi is correct, I do want the theft to be detected. The theives are smart, but not smarter than the hero. (Romance novel rule - the hero always figures it out and saves the day.) It's a psychiatrist's office and a small private practice, so there is only one computer in the office. I'll need to read through all of these more carefully in the morning--I'm likely to have some questions or need some additional clarification. I appreciate your patience!
Hmmmmm,
OK, here are a few more things to consider:
1. There are rules regarding the holding and storage of personal information. I am not familiar with the US scene but possibly HIAPPA and sarbanes-oxley? I am sure one of my US colleagues will fill that in.
2. Single computer in an office. Probably not connected to the internet, as it would have no reason to be. Over here Veterinaries, Doctors and Dentists usually have some little outfit that supplies support and comes round and give them updates periodically. The practicioners use laptops for their personal e-mail and so on, and DO NOT keep patient/personal data on them..........particularly after the VA fiasco?
3. That would force physical access no matter what the setup?
4. Some of the private setups I have done involve a fixed hard drive as a slave to a removable master drive (C:\). The procedure is to back up the data from the C:\ drive on a daily basis and then remove it and lock it in a fireproof safe. So if a natural disaster occurs, you have the drive in the safe. If the master drive fails you have the slave still in the machine as a backup.
5. If you are ultra paranoid (have a strong security requirement) then you would have access to the hard drive password protected, and the backup data strongly encrypted. That would require considerable skill, resources and patience to crack. Which is probably why failure to provide password and encryption key data when legally required to do so can get you 2 years in prison in the UK.
6. The weak link: (you will need this ;) ) If I am locking the master drive in a good quality fireproof safe, why should I bother encrypting that, as it is not at risk like the one left in the machine?
So, if someone were to break in, crack the safe and copy the master (C:\) drive, they would get an unencrypted copy of the data. However, the precautions taken would meet the data protection requirements of most countries (I don't know about the USA?).
7. How would you discover it? well, only when things started to happen I am afraid, it is a bit like identity theft. As already suggested, if the thieves were in any way competent, they would not leave an electronic trace. Even if you had some super monitoring system, it would only tell you that someone had accessed the drive (which you already know) at a particular time, which you could probably guess?
Anyway, if you were going to install that sort of system, which would only tell you that you had been robbed, wouldn't it make more sense to password protect and encrypt both drives?
Hope that helps :)
Rootkit maybe? Gives the doc a way to catch them and if it's a small practice, I can see it being hooked to the internet. (Best practices aren't always in practice when it's just 1-5 person(s) in a small office ?) Maybe the doctor notices in the app/system logs that a .pst was saved to a USB ?
Gotta ask; is bad guy gettin down in Doctor Lovemember's office ?
Most (even small) practices I have seen do have a small network. What about the scenario where theres a server but theres a huuuge giant lock on the door so the theif breaks into the doctors office and uses a boot cd aproach on the workstation. If the data was stored on the server then even if the local machine was compromised the server would still be able to log the file access. Of course the problem with this scenario is if its an outlook style contacts list i dont think it would be stored on the server. Although with it being in a medical establishment its possible they would use bespoke/specialist software to store the patients details and contacts etc could be a part of that.
Hmm,
Building on this, what if there was a secure server (maybe someone else set it up for him or maybe the doc was just a security enthusiast like us?) with all the data and the doc routinely used his laptop to establish a wireless connection with it. Thus, someone breaking in would simply connect his own laptop to the wireless LAN and pull the data off? Maybe the doc wrote down the password somewhere. Later, the guy who set it up for the doc can come and look at the logs if the doctor suspects a break-in...
Cheers,
cgkanchi
I didn't read this whole thread, but I wanted to point you to some more info a weakness in swipe cards that may give your character an easy entry.
Quote:
Breaking into the office can mean a number of things, too. Use of a stolen swipe card? Surgically removed the eyeball of a high security tech for the company? Jimmied the security in the doors? Coattailed behind some sleepy tech or security guard on the way in?
Depending on the building, the company's physical security and the ways that ingress and egress to the office/building is managed, that can help track the perp.
Social Engineering, the Shoppers' Way
http://www.darkreading.com/document....T.svl=tease3_2
I've heard of other weaknesses of electronic locks that rely on RFID. It is possible to clone an RFID signal creating a duplicate keycard.
http://www.wired.com/wired/archive/14.05/rfid_pr.html
On my way to work, but that reply by rapier57 quoted above really peaked my interest since I was reading about electronic locks for a new facility I'm planning.
If they were to boot from a live CD then they'd need some writable media to put the stolen infomation on, a floppy for instance. If the thief had to leave in a hurry they might be careless enough to take the infomation home on thier floppy but leave the live CD in the computer.
Something I noticed my doctor using recently was a key card in a slot attached to thier keyboard, I would assume that the computer locks up without it, it seemed quite sensible but I could easily imagine a lazy doctor leaving thier key card in when they had to awnser natures call or whatever.
The thief's NOT the hero? What kind of story is this? :pQuote:
cgkanchi is correct, I do want the theft to be detected. The theives are smart, but not smarter than the hero.
I have to say that I'm amazed and thankful for everyone's willingness to help. I think that I have this sussed out...
I'm going to fill in a bit of the back story for context. The main hero is a 379 year old vampire by the name of Byron Renfield. The heroine a human psychiatrist. My mythology is a bit unconventional. So often the vampire is the seducer. In my corner of the universe he's a good boy in search of redemption. He'd isolated himself away from society to avoid temptation, but our heroine shows up and "corrupts" him...or saves him...depending on your perspective. That's greatly simplified, but all the mythology isn't really of significance.
Our hero, in choosing to give up his life of service to the clan in favor of his mate, pisses off the other immortals. There is a tremendous amount at stake...financially and spiritually. So, **** starts to happen. The bad guys go after the girl.
One thread involves them gaining access to her appointments so that they know where she is going to be and when...that way they can possibly stage an abduction.
Here's what I'm thinking about based on feedback. Will this ring true?
The psychiatrist isn't all that savvy about computers, but suitably concerned about confidentiality and the current government regulations (HIPAA/SOX). She hires someone who is a friend of the receptionist to set up her computer system in the office.
This "Friend" installs something that traces stuff like cyberuk mentioned. Perhaps StealthAudit and Wireshark (I have a character from an earlier work that would be fun to bring back for this.)
When the break in happens a forensics type is called in. Forensic guy figures that the thief used a live CD to gain access to the system. The logs show there was a download through a USB device and that the calendar and contacts files were transmitted.
Does that work? Am I understanding suggestions correctly?
Sam
P.S. For those that are curious...yes, there is hot sex in the book. Mostly because I write for an adult audience, so in the sex scenes I don't pull punches. I write stories about people...adult people (and vamps) have sex. I don't write about sex around which I try to create a flimsy plot. That should help explain my desire to do the necessary research. Admittingly, I don't profess to have this piece nailed down...quite the contrary...I'm working to make this story ring true to the extent possible and this aspect is something I need help with. I want to engage my readers and create something believable enough to captivate them. You've given me a fabulous start. I'm completely taken aback by how generous you all have been._ I don't want to make this unnecessarily complex. But I want it to feel real._
P.S.S. Loved the bit about the swipe card...I'm going to use it. That's too good to pass up!
Do they really call in penetration testing?
Yep...Quote:
Do they really call in penetration testing?
thats where they probe all the ports.... :D
for response...err vulnerabilities
Sure sounds interesting...kinda like Ann Rices alter ego :eek: (I cant remember what name she used for her "adult" series)
One thing is...if they use a live CD and a usb key...I am not sure there would be any trace of the breakin...because you wouldnt load the OS...hence the audit software...
Maybe they could use the live cd to load a piece of malware onto the computer...and then the stealthaudit\wireshark software would find it calling home...or something like that.
MLF
edit>http://www.amazon.com/gp/product/045...lance&n=283155
Ann Rice as A. N. Roquelaure
Just some suggestions, for plausibility's sake:
Have the 'friend' install a keylogger. A keylogger, hardware or software, would give a perp the info they need to track someone, even emailing the info to the perp. And they are not uncommon. I don't know about StealthAudit, but Wireshark is a good-sized program that would not be used as you are describing.Quote:
This "Friend" installs something that traces stuff like cyberuk mentioned. Perhaps StealthAudit and Wireshark (I have a character from an earlier work that would be fun to bring back for this.)
Keyloggers are much more detectable than if someone used a live cd. As morganlefay says, use of a live cd is virtually undetectable. Keyloggers, being detectable, play better into your storyline.
My limited knowledge of StealthAudit is that it is a Windows program and would be rendered useless by a live cd.
Someone shows up at the office unexpectedly on a Sunday. The bad guy hears them enter through the reception area and clobbers her over the head as she walked into the inner office where the computer is and the patient's records. So they know that there was an intruder in there...that prompts them to look at the systems to see what's been accessed.
Given that...does the scenario work?
:D
"thats where they probe all the ports....
for response...err vulnerabilities"....can I steal that line?
Sam
LOL.............Sure :cool:Quote:
can I steal that line?
MLF
As has been said, LiveCD's tend to bypass all (or most) security measures implemented in software. However, a forensic expert *might* be able to tell by looking at the "last accessed on" dates for files, which I assume will be updated by any standard LiveCD? Anyone care to check this, I seem to have lent all my LiveCDs out :p.
Cheers,
cgkanchi
AFAIK...no....maybe if opened...but no copied
How would the software know about it\mark it ..if it or the os wasnt running???
I am not sure...but logically...the audit software would have to be on the disk\partition\BIOS level itself and not run under the OS
MLF
Just a couple thoughts. Any activity performed while the Live-CD is running will not be logged or tracked by the installed OS (since it isn't running). The system logs will give time and date of reboots that are required to bring up the Live-CD. The gap in the logs will give you how long the system was under the Live-CD boot, which can then be co-related to other logs, video records, swipe cards, etc.
The theft of the calendar and appointments for the purpose of setting up an abduction works so long as the theft hasn't been discovered. If an attempt was made and thwarted, and the logic (main character) asks just how could they have arranged this at this time? Only with access to the appointment calendar! Trigger investigation.
However, once foiled, the same type of attempt would be foolish and unbelievable on a second try, and only pursued by stupid (Hollywood) bad guys. Smart bad guys know they will be found out. However, there is other information in the Outlook files that can be used (journaling, if it hasn't been turned off, will point to documents and activities), Tasks can have deadlines and pretty extensive notes, and some appointments include contact information for friends and associates. These can be used by smart bad dudes to wrangle intended victims into corners.
Yes, you managed to get some of the more generous and helpful of the AO'ers on this topic. It is fun, though.
So, if the live CD is used to get into the system. The log will only show the start and restart times...even with ShelthAudit and Wireshark. Because in order for those to work they would have to use something other than a live CD to gain access. So the forensics guy won't be able to tell that any data was transferred to a USB, nevermind what kind of files?
Sam
Yup, right on the money.
Personally it's easier for the intruder to find the password written down somewhere in the office. The intruder can even find it unexpectadly as he is going through the papers/files on the desk.
This way, the forensics person can discover the break in. Everything will be logged.
Also, I agree with rapier57. It would be odd for the theft to be discovered. Of course the reader would know, but the victim should not. Maybe add a bit of drama to it, and have it happen on a Friday night, and they plan on abducted her on Monday at 10:30am. It just so happens that the forensics/computer guy it scheduled to come into her office at 10:00 am to do a system update. Maybe he notices that the office was left in disarray, and becomes suspicious. Decides to check the logs, finds out that the system was logged into after hours on Friday, and notices that the calendar and other personal information was offloaded.
Then it becomes a race to save her!
Yeah, I got nothing...never guess thats why I do what I do, and am not a writer.
Good luck!
StealthAudit will provide information more from servers and Active Directory than from the individual workstation. WireShark is an excellent tool that can track network traffic from the target machine. However, Wireshark will only show you what is passed across the network, not from the hard drive to the USB device. WireShark will show you when a system goes off the line, though, as in a reboot. If the Live-CD is booted using network access, it may attempt to get DHCP for an IP address on the local network, and may attempt to pass some traffic if the local network gives it an IP number. WireShark will capture that information. But that assumes that WireShark is set up and running on a system connected to the same hub as the target system, at the time the target system is being compromised.
A keystroke logger, as mentioned in a previous post, may be worth looking at. The logger will capture keystrokes on the system and send them to the remote collector in chunks at random times. WireShark will see this traffic, though it will probably be encrypted and unreadable right off the wire. Decryption of the traffic may take days, if a good encryption tool is used. Or seconds if a weak one is used.
A more likely scenario may involve a rootkit installed when the system is vulnerable (Doctor leaves keycard in system while going off to drain snake), and the rootkit searches and finds certain information on the local system, the servers and other workstations on the network, compiles it and ships it to a remote system (bad guys). Rootkit is virtually undetectable until WireShark shows the reconnaisance of the network and the transmission of the file packages. Again, this assumes that you have a tool in place when the bad stuff happens so you can catch it, and you have alerts set for the type of activity you didn't know would be on your network.
SNORT may be a better tool to have in place in the network. The backstory justification can be that you are using SNORT for IDS and HIPPA compliance and have custom alerts for files leaving the network that contain certain data. SNORT can alert the network admin to the recon activity of the rootkit or the attempt to ship data to remote systems. This might alert, but the network admin may not have the pager on and won't see it until the next day, when it was too late?
Now I've gone and confused you. Just slap me.
***Can you see me banging my head on the desk?***
I'm getting confused.
So - it sounds like I don't want to go with a live CD, because that wouldn't tip our Forensics guy off that the Calendar and Contacts were stolen.
If the thief finds the password on a sticky and goes in that way...then will there be traces that something was transferred to another device through USB?
Can you explain in simple terms how Rookit, Wireshark, and SNORT would work to alert someone that theirs something wrong and data is being stolen? That scenario could work for the sake of plot.
Sam
Hi Sam.
Having read the previous comments, I'm going to say what I think you should use in your story, and attempt to explain what each part means. Feel free to ignore this post if you want to do what the others have said ;)
The thief breaks into the office and finds the sticky with the user's password (let's say it's the manager's PC). What he doesn't know is that the PC has a keylogger installed on it (on Windows) which is set to run at off-hours (when nobody should be in the office), so that if a PC is turned on and accessed when everyone has left, the keylogger will log every key that the intruder hits and then send it off to the administrator at a certain time (let's say as soon as it is turned on the following working day).
So now that we have that sorted, here's a brief run-down:
1. Thief breaks into office. He walks up to the manager's desk, and finds the sticky. He turns on the PC, and boots into Windows XP.
2. He misreads the sticky, and so the password he enters doesn't work! Drats. He resorts to something else - he takes out a CD from his backpack (reference: Offline NT Password and Registry Editor), and uses that to reset the manager's password.
3. He then logs in with the blank password. Little does he know that a keylogger is installed on it, and everything he types is logged (remember the off-hours thing). He finds the file(s) he wants, and plugs in his USB drive. However, there is a group policy restricting USB devices (this means that any USB devices, like his USB drive, will not be shown in Windows when he plugs it in, so it won't work).
4. As this method has failed, he goes onto the internet, and logs into his Gmail account (he doesn't know about that keylogger - lucky us, eh?). He uploads the files onto there by saving them as attachments to a draft, and then logs out and leaves the building.
5. The following morning, all the employees return to work and discover the breakin (duh). The system administrator is quickly on the scene, and he checks his email - aha! The keylogger logged something and sent it to him by email (the manager had just logged in, as had the other employees - a few policemen weren't going to stop them from working).
6. He reads the log. In it are the thief's Gmail username and password. Excellent! What does he do next? He goes onto Gmail and uses that username and password to log in. There's an unopened email; he clicks on it and begins to read - the thief seems to have arranged a meeting with a friend of his in Cafe Boheme on Rue de Jean at 5:15pm on Tuesday 15th March. He jots down the details, marks the email as unread, and logs out.
7. And the story continues from here ;)
Please let me know if there are any parts of that you'd like me to explain in more detail. That aside, best of luck with the book, and I look forward to reading it when it comes out!
Sam, the scenario could work like this:
The physician's network has a SNORT installation running to monitor network traffic and provide some Intrusion Detection. WireShark is also running connected to the network router to capture traffic on a scheduled basis. The logs of traffic captures are stored on the hard disk of the Wireshark system. These are no-cost/low-cost solutions and ideal for a small office. The part-time network administrator has set up SNORT to send email alerts to his pager.
The workstations are connected to a Windows-based network, using Active Directory, configured with SmartCard authentication support.
One of the doctors is working on a station near the examination rooms (not in the office). He has to take a bathroom break and runs down the hall. He leaves his SmartCard in the slot on the workstation. Bad Guy, who has been hanging around waiting for an appointment, sees the opportunity and quickly drops a rootkit onto the system via a USB thumb drive. Doctor comes back and finishes his reports and logs out. The rootkit installs itself and does some network recon. It probes for vulnerable ports on the systems in the network, identifies open and vulnerable servers and workstations, and penetrates into those systems to find the kinds of files it has been designed to harvest. The traffic, coming from inside the network, is somewhat disguised, and the rootkit takes its time so as not to cause undue alarms on the network.
SNORT, meanwhile, is seeing some of the activity, but none of its rules flag the traffic as bad, until later in the evening, when .pst (calendar and other Outlook content) are being moved and then sent outside the network. SNORT sends an alert via email, but did not block the traffic (the rule didn't say block the traffic, just alert, right?).
WireShark is quietly sitting in its corner, collecting network packets and saving them in logs.
The network admin's pager battery is dead. The admin arrives to work the next morning, replaces the pager battery and all hell breaks loose. He checks the SNORT logs and finds the alerts. Stuff has been shipping out of the network most of the night in dribs and drabs. He links to the WireShark system and copies capture logs to his workstation and examines them in WireShark. Yep, there is the information being sent out of the network. He is able to get the originating IP (the station near the exam rooms) and the destination IP (the bad guys). Whois provides the ISP information for the destination IP.
Hero and his sweetie show up after just foiling an abduction attempt and having snacked on the abductors ...
;)
Now, hero and sweetie know that the data is stolen. They just don't know how it will be used next, or when. All sweetie's contacts, notes, tasks, journals. Hmmm ...
LOL, that's the most creative euphemism I've read in a while.Quote:
A more likely scenario may involve a rootkit installed when the system is vulnerable (Doctor leaves keycard in system while going off to drain snake)