Page 1 of 7 123 ... LastLast
Results 1 to 10 of 66

Thread: Fiction author needing help with research question...please...

  1. #1
    Junior Member
    Join Date
    Jul 2006
    Posts
    10

    Fiction author needing help with research question...please...

    I'm needing some help. I'm currently writing a scene in which someone breaks into an office, hacks into a computer, and downloads some files, including a calendar and contacts list.

    I need to be able to describe how someone could tell that this had been done. Are there logs within the computer system that would tip off someone that those files were copied? I've yet to define what the operating system is, etc. So that's up for grabs.

    Samantha Sommersby
    www.samanthasommersby.com

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Why whould "they" even physically break into the office when all office computers seem to be connected to the Internet these days? Or did you mean "they" broke into the office network?

    And it doesn't matter what kind of operating system is used. If the culprits physically broke in and are able to boot from a cd or usb-stick there would be no trace if/when the files were copied.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Depending on the OS....you can check logs...

    also depending on the "hacker"...on how you would track them

    Is this for a new book.....

    Do I get money to help

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  4. #4
    Junior Member
    Join Date
    Jul 2006
    Posts
    10
    For a new book, yes. Urban Fantasy - a sequel to Forbidden: The Claim. This one is titled Forbidden: The Awakening and is due out in December. No money - but I can send you a copy of the book and mention you in credits

  5. #5
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    For a new book, yes. Urban Fantasy - a sequel to Forbidden: The Claim. This one is titled Forbidden: The Awakening and is due out in December. No money - but I can send you a copy of the book and mention you in credits
    Was just joking

    SirDice nailed it with a boot cd...

    I guess it depends on the sophistication of the "hacker"

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  6. #6
    Junior Member
    Join Date
    Jul 2006
    Posts
    10
    Darn it! Does that mean I'm going to have to resort to having them steal an appointment book?
    How boring! Getting to the computer isn't the only reason that they break into the doctors office.
    You mention the internet. Can you elaborate? Perhaps that's the way to go with the computer piece. Could a someone tell that their files were accessed by another party over the internet?

    Sam

  7. #7
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    Why whould "they" even physically break into the office when all office computers seem to be connected to the Internet these days? Or did you mean "they" broke into the office network?

    And it doesn't matter what kind of operating system is used. If the culprits physically broke in and are able to boot from a cd or usb-stick there would be no trace if/when the files were copied.
    On the other hand, I'm sure a really paranoid system admin *could* in theory set up a custom built application (or custom policy) that audits every local file copy operation (possibly an application like filemon for Windows with output piped to a text file). However, the logs are likely to get so huge that finding a single (or even a bunch of) file copy operations is going to involve TONS of digging).
    Also, if the system is broken into locally, a livecd of some sort can be used to bypass operating system restrictions and entirely bypass any logging operations in place.
    Thus, I guess it depends on *how* the system is broken into locally and *where* the system is. For example, I can't see a highly secure system (such as maybe a defence system) not having these logs.
    A possible scenario would be that the system (hardware) is custom built to prevent booting from anywhere except existing hardware or the CPU itself is locked in a break-proof safe with only the monitor, keyboard/mouse and other peripherals on the outside. Assuming that it is also setup to allow only local logins, a scenario could be envisioned where the "hacker", having obtained a password to the system, logs in and copies stuff to an external hard disk connected to an external USB hub (yeah yeah, a system that secure isn't likely to have a USB hub sitting around, so the scenario needs to be refined, maybe a laptop that connects to the system concerned via a wireless LAN connection), thereby activating the logging system put in place by the admin. *phew* that was a long sentence.

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Any (half) decent "secure" OS has the option to audit. On NT and higher (2K, XP, 2K3, Vista) there's an option to audit the reading (or writing) of files. It would have to be turned on but could be used to trace who read the files and when. But as I said, if the culprits used some livecd it would bypass this.

    But ofcource, a lot of people tend to write down their passwords. Perhaps the appointment book could contain a password for some (other; external) system? Then the culprits would login that system (using the stolen password) and access the data? At least that's something that could show up in all sorts of logs (accesslogs, audit trails, etc.) and could be traced.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Sam,

    I may have a solution for you based on my experience in the defense sector............

    We have two networks, one is the general network, that is accessible by and to the internet. The second is the "secure network" which does not access the internet (it also does not not allow floppy drives, USB, CD/DVD either). One of its protections is that all the desktop machines have removable hard drives. You log out, remove the hard drive and lock it in your MoD/DoD/N.A.T.O. approved safe

    You mention a doctor, (presumably MD? although it doesn't really matter). He may well have come across the idea of the removable hard drive from contacts or patients?

    The building of very restricted machines is generally military, enforcement, Fortune 500 and the like. The removable hard drive can be implemented for less than 20 bucks!!!! That he might be inclined to go for. I put them in all my SOHO (small office home office) and sole trader machines.

    If someone was to break in, they would hopefully see that the machine was missing its hard drive (there is a big hole in the front ) and not bother to steal it. Even if they did, it contains no sensitive information (assuming the thief did not have the forensic skills and equipment to extract data from the RAM). And I can get my clients back up and running within an hour.

    I guess that that $20 scenario would force someone to gain physical access, as they would need to slot the hard drive into the computer, or hook it up to a laptop and copy it (another possibility?).................yes, as my colleagues have suggested that using a " live CD" would circumvent this, but so would installing the removable hard drive as a slave to a laptop (you would need an adapter) and just copying it.

    Then, if you put everything back, nobody would know.

    Incidentally, if there were some sort of encryption and security, you would now have a mirror image of the drive to work with at your leisure, and without the knowledge of the owner. Also, this method would circumvent the situation where the local PC will not allow external devices.

    Just a couple of thoughts?

  10. #10
    Originally posted here by sommersby
    Darn it! Does that mean I'm going to have to resort to having them steal an appointment book?
    How boring! Getting to the computer isn't the only reason that they break into the doctors office.
    You mention the internet. Can you elaborate? Perhaps that's the way to go with the computer piece. Could a someone tell that their files were accessed by another party over the internet?

    Sam
    As mentioned in other posts, physical access to the system can trump any other security. A bootable, Live-CD in a system that doesn't have BIOS security or allows booting to removable media (CD, Floppy, USB), can perform tasks that are, for most, difficult to track. There are still other issues, though. The system has to be rebooted for the Live-CD to work. That creates a system log. Then the system has to be started after the operation is completed. That creates another system log.

    Breaking into the office can mean a number of things, too. Use of a stolen swipe card? Surgically removed the eyeball of a high security tech for the company? Jimmied the security in the doors? Coattailed behind some sleepy tech or security guard on the way in?

    Depending on the building, the company's physical security and the ways that ingress and egress to the office/building is managed, that can help track the perp.

    Compare all this with the computer logs, timing and such, and you can determine a lot of things. The length of time between restarts on the target system can circumstantially ID the file(s) copied. The logs can be checked with the physical security system to corelate the times of entry and exit, tapes or records of video camera, etc.

    Think how your target organization is set up. Would they be a leading edge outfit that merges IT security and physical security? Are the logs collected in a central location so that they can be quickly accessed and the activity tracked? Or, is this a typical organization for today that keeps the IT and Physical security roles separate, if not antagonistic? That could throw another wrench into the investigation.

    Some physician offices use leased space and the physical security is provided by the landlord. Some are facilities are owned (designed and built for specific specialties) by a consortium of physicians, and they manage it like a corporation, with areas of responsibility for IT and Physical security, maintenance and tenant (some services like minor radiology and outpatient surgery lease space in the building) management.

    You probably now have more to think about that you originally envisioned. You are welcome to PM me for details or clarification.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •