
Thread: Fiction author needing help with research question...please...

  1. #31
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    As has been said, LiveCDs tend to bypass all (or most) security measures implemented in software. However, a forensic expert *might* be able to tell by looking at the "last accessed on" dates for files, which I assume will be updated by any standard LiveCD? Anyone care to check this, I seem to have lent all my LiveCDs out.

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  2. #32
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    AFAIK...no....maybe if opened...but no copied

    How would the software know about it\mark it ..if it or the os wasn't running???

    I am not sure...but logically...the audit software would have to be on the disk\partition\BIOS level itself and not run under the OS

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #33
    Just a couple thoughts. Any activity performed while the Live-CD is running will not be logged or tracked by the installed OS (since it isn't running). The system logs will give time and date of reboots that are required to bring up the Live-CD. The gap in the logs will give you how long the system was under the Live-CD boot, which can then be correlated to other logs, video records, swipe cards, etc.

    The theft of the calendar and appointments for the purpose of setting up an abduction works so long as the theft hasn't been discovered. If an attempt was made and thwarted, and the logic (main character) asks just how could they have arranged this at this time? Only with access to the appointment calendar! Trigger investigation.

    However, once foiled, the same type of attempt would be foolish and unbelievable on a second try, and only pursued by stupid (Hollywood) bad guys. Smart bad guys know they will be found out. However, there is other information in the Outlook files that can be used (journaling, if it hasn't been turned off, will point to documents and activities), Tasks can have deadlines and pretty extensive notes, and some appointments include contact information for friends and associates. These can be used by smart bad dudes to wrangle intended victims into corners.

    Yes, you managed to get some of the more generous and helpful of the AO'ers on this topic. It is fun, though.
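The log-gap check described in this post, as an added example (not the poster's own code): it reads a constructed event log from the installed OS, pairs each boot with the last event logged before it, and flags boots that have no clean shutdown in front of them or that fall outside office hours. The log format, the sample lines, the office hours and the "drsmith" account are all constructed for the illustration.

```python
from datetime import datetime

# Constructed sample of an installed OS's own event log ("<timestamp> <event>").
# The PC was left running Friday evening; the 23:12 boot has no shutdown entry
# before it, the footprint of a hard reset into a LiveCD and a reboot back.
SAMPLE_LOG = """\
2006-07-13 17:10:00 shutdown
2006-07-14 08:01:00 boot
2006-07-14 08:01:30 logon drsmith
2006-07-14 17:02:11 logoff drsmith
2006-07-14 18:30:00 backup job completed
2006-07-14 23:12:09 boot
2006-07-17 07:58:30 logon drsmith
"""

def parse_events(text):
    """Return (datetime, event) tuples in file order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            stamp, event = line[:19], line[20:]
            events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), event))
    return events

def reboot_windows(events):
    """For every boot, report the last event the OS logged before it, the
    gap between the two, and whether that last event was a clean shutdown.
    The gap bounds how long the machine could have been under another OS."""
    windows, prev = [], None
    for when, event in events:
        if event == "boot" and prev is not None:
            last_time, last_event = prev
            windows.append({"last_time": last_time, "boot_time": when,
                            "gap": when - last_time,
                            "clean": last_event == "shutdown"})
        prev = (when, event)
    return windows

def suspicious_reboots(events, office_hours=(7, 18)):
    """Flag boots not preceded by a clean shutdown, or outside office hours.
    Either deserves correlation with door logs, badge swipes or cameras for
    the flagged gap's time range, as the thread suggests."""
    open_h, close_h = office_hours
    return [w for w in reboot_windows(events)
            if not w["clean"] or not (open_h <= w["boot_time"].hour < close_h)]

if __name__ == "__main__":
    for w in suspicious_reboots(parse_events(SAMPLE_LOG)):
        print(f"boot at {w['boot_time']} (clean={w['clean']}); "
              f"installed OS silent since {w['last_time']}, gap {w['gap']}")
```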

  4. #34
    Junior Member
    Join Date
    Jul 2006
    Posts
    10
    So, if the live CD is used to get into the system, the log will only show the start and restart times...even with StealthAudit and Wireshark. Because in order for those to work they would have to use something other than a live CD to gain access. So the forensics guy won't be able to tell that any data was transferred to a USB, never mind what kind of files?

    Sam

  5. #35
    Yup, right on the money.

    Personally it's easier for the intruder to find the password written down somewhere in the office. The intruder can even find it unexpectedly as he is going through the papers/files on the desk.

    This way, the forensics person can discover the break in. Everything will be logged.


    Also, I agree with rapier57. It would be odd for the theft to be discovered. Of course the reader would know, but the victim should not. Maybe add a bit of drama to it, and have it happen on a Friday night, and they plan on abducting her on Monday at 10:30am. It just so happens that the forensics/computer guy is scheduled to come into her office at 10:00 am to do a system update. Maybe he notices that the office was left in disarray, and becomes suspicious. Decides to check the logs, finds out that the system was logged into after hours on Friday, and notices that the calendar and other personal information was offloaded.

    Then it becomes a race to save her!


    Yeah, I got nothing...never guess that's why I do what I do, and am not a writer.

    Good luck!
    Tachyon

    |-----|Alcohol is my anti-drug |-----|

  6. #36
    StealthAudit will provide information more from servers and Active Directory than from the individual workstation. WireShark is an excellent tool that can track network traffic from the target machine. However, Wireshark will only show you what is passed across the network, not from the hard drive to the USB device. WireShark will show you when a system goes off the line, though, as in a reboot. If the Live-CD is booted using network access, it may attempt to get DHCP for an IP address on the local network, and may attempt to pass some traffic if the local network gives it an IP number. WireShark will capture that information. But that assumes that WireShark is set up and running on a system connected to the same hub as the target system, at the time the target system is being compromised.

    A keystroke logger, as mentioned in a previous post, may be worth looking at. The logger will capture keystrokes on the system and send them to the remote collector in chunks at random times. WireShark will see this traffic, though it will probably be encrypted and unreadable right off the wire. Decryption of the traffic may take days, if a good encryption tool is used. Or seconds if a weak one is used.

    A more likely scenario may involve a rootkit installed when the system is vulnerable (Doctor leaves keycard in system while going off to drain snake), and the rootkit searches and finds certain information on the local system, the servers and other workstations on the network, compiles it and ships it to a remote system (bad guys). Rootkit is virtually undetectable until WireShark shows the reconnaissance of the network and the transmission of the file packages. Again, this assumes that you have a tool in place when the bad stuff happens so you can catch it, and you have alerts set for the type of activity you didn't know would be on your network.

    SNORT may be a better tool to have in place in the network. The backstory justification can be that you are using SNORT for IDS and HIPAA compliance and have custom alerts for files leaving the network that contain certain data. SNORT can alert the network admin to the recon activity of the rootkit or the attempt to ship data to remote systems. This might alert, but the network admin may not have the pager on and won't see it until the next day, when it was too late?

    Now I've gone and confused you. Just slap me.

  7. #37
    Junior Member
    Join Date
    Jul 2006
    Posts
    10
    ***Can you see me banging my head on the desk?***

    I'm getting confused.
    So - it sounds like I don't want to go with a live CD, because that wouldn't tip our Forensics guy off that the Calendar and Contacts were stolen.

    If the thief finds the password on a sticky and goes in that way...then will there be traces that something was transferred to another device through USB?

    Can you explain in simple terms how Rootkit, Wireshark, and SNORT would work to alert someone that there's something wrong and data is being stolen? That scenario could work for the sake of plot.

    Sam

  8. #38
    Senior Member
    Join Date
    Jul 2004
    Posts
    548
    Hi Sam.

    Having read the previous comments, I'm going to say what I think you should use in your story, and attempt to explain what each part means. Feel free to ignore this post if you want to do what the others have said.

    The thief breaks into the office and finds the sticky with the user's password (let's say it's the manager's PC). What he doesn't know is that the PC has a keylogger installed on it (on Windows) which is set to run at off-hours (when nobody should be in the office), so that if a PC is turned on and accessed when everyone has left, the keylogger will log every key that the intruder hits and then send it off to the administrator at a certain time (let's say as soon as it is turned on the following working day).

    So now that we have that sorted, here's a brief run-down:

    1. Thief breaks into office. He walks up to the manager's desk, and finds the sticky. He turns on the PC, and boots into Windows XP.
    2. He misreads the sticky, and so the password he enters doesn't work! Drats. He resorts to something else - he takes out a CD from his backpack (reference: Offline NT Password and Registry Editor), and uses that to reset the manager's password.
    3. He then logs in with the blank password. Little does he know that a keylogger is installed on it, and everything he types is logged (remember the off-hours thing). He finds the file(s) he wants, and plugs in his USB drive. However, there is a group policy restricting USB devices (this means that any USB devices, like his USB drive, will not be shown in Windows when he plugs it in, so it won't work).
    4. As this method has failed, he goes onto the internet, and logs into his Gmail account (he doesn't know about that keylogger - lucky us, eh?). He uploads the files onto there by saving them as attachments to a draft, and then logs out and leaves the building.
    5. The following morning, all the employees return to work and discover the break-in (duh). The system administrator is quickly on the scene, and he checks his email - aha! The keylogger logged something and sent it to him by email (the manager had just logged in, as had the other employees - a few policemen weren't going to stop them from working).
    6. He reads the log. In it are the thief's Gmail username and password. Excellent! What does he do next? He goes onto Gmail and uses that username and password to log in. There's an unopened email; he clicks on it and begins to read - the thief seems to have arranged a meeting with a friend of his in Cafe Boheme on Rue de Jean at 5:15pm on Tuesday 15th March. He jots down the details, marks the email as unread, and logs out.
    7. And the story continues from here.

    Please let me know if there are any parts of that you'd like me to explain in more detail. That aside, best of luck with the book, and I look forward to reading it when it comes out!

  9. #39
    Sam, the scenario could work like this:

    The physician's network has a SNORT installation running to monitor network traffic and provide some Intrusion Detection. WireShark is also running connected to the network router to capture traffic on a scheduled basis. The logs of traffic captures are stored on the hard disk of the Wireshark system. These are no-cost/low-cost solutions and ideal for a small office. The part-time network administrator has set up SNORT to send email alerts to his pager.

    The workstations are connected to a Windows-based network, using Active Directory, configured with SmartCard authentication support.

    One of the doctors is working on a station near the examination rooms (not in the office). He has to take a bathroom break and runs down the hall. He leaves his SmartCard in the slot on the workstation. Bad Guy, who has been hanging around waiting for an appointment, sees the opportunity and quickly drops a rootkit onto the system via a USB thumb drive. Doctor comes back and finishes his reports and logs out. The rootkit installs itself and does some network recon. It probes for vulnerable ports on the systems in the network, identifies open and vulnerable servers and workstations, and penetrates into those systems to find the kinds of files it has been designed to harvest. The traffic, coming from inside the network, is somewhat disguised, and the rootkit takes its time so as not to cause undue alarms on the network.

    SNORT, meanwhile, is seeing some of the activity, but none of its rules flag the traffic as bad, until later in the evening, when .pst (calendar and other Outlook content) are being moved and then sent outside the network. SNORT sends an alert via email, but did not block the traffic (the rule didn't say block the traffic, just alert, right?).

    WireShark is quietly sitting in its corner, collecting network packets and saving them in logs.

    The network admin's pager battery is dead. The admin arrives to work the next morning, replaces the pager battery and all hell breaks loose. He checks the SNORT logs and finds the alerts. Stuff has been shipping out of the network most of the night in dribs and drabs. He links to the WireShark system and copies capture logs to his workstation and examines them in WireShark. Yep, there is the information being sent out of the network. He is able to get the originating IP (the station near the exam rooms) and the destination IP (the bad guys). Whois provides the ISP information for the destination IP.

    Hero and his sweetie show up after just foiling an abduction attempt and having snacked on the abductors ...



    Now, hero and sweetie know that the data is stolen. They just don't know how it will be used next, or when. All sweetie's contacts, notes, tasks, journals. Hmmm ...
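The "files leaving the network" alert that post #36 proposes and this post plays out, as an added example (not code from the thread or from Snort itself): the rule's check written in Python over constructed flow records, followed by the next-morning roll-up per source and destination. HOME_NET, the addresses and the flows are constructed; the signature match only works on transfers the sensor can read in the clear, so an encrypted channel would leave only the volume and the destination to go on.

```python
import ipaddress
from collections import defaultdict

# Constructed values for this example; a real deployment sets HOME_NET to
# the office's own address range.
HOME_NET = ipaddress.ip_network("192.168.10.0/24")
# Outlook .pst (and .ost) files start with the four-byte signature "!BDN".
PST_MAGIC = b"!BDN"
# The equivalent Snort rule, for reference:
#   alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PST file leaving
#     network"; content:"!BDN"; offset:0; depth:4; sid:1000001; rev:1;)

# Constructed flow records: (timestamp, src, dst, bytes, first payload bytes).
SAMPLE_FLOWS = [
    ("2006-07-14 21:05:12", "192.168.10.21", "192.168.10.5", 524288, b"!BDN\x17\x00"),
    ("2006-07-14 23:17:40", "192.168.10.21", "203.0.113.77", 65536, b"!BDN\x17\x00"),
    ("2006-07-14 23:31:02", "192.168.10.21", "203.0.113.77", 65536, b"!BDN\x17\x00"),
    ("2006-07-14 23:44:55", "192.168.10.21", "203.0.113.77", 65536, b"\x89PNG\r\n"),
    ("2006-07-15 00:02:13", "192.168.10.30", "198.51.100.9", 1200, b"GET / H"),
]

def leaves_network(src, dst):
    """True when the flow goes from inside HOME_NET to an outside address."""
    return (ipaddress.ip_address(src) in HOME_NET
            and ipaddress.ip_address(dst) not in HOME_NET)

def pst_exfil_alerts(flows):
    """Apply the rule: alert on outbound flows whose payload begins with the
    PST signature. The internal copy (rootkit gathering the file from a
    server) matches the content but not the direction, so it passes
    silently, which is why nothing fired until the data headed outside."""
    return [f for f in flows
            if leaves_network(f[1], f[2]) and f[4].startswith(PST_MAGIC)]

def summarize_by_pair(alerts):
    """Roll the 'dribs and drabs' up per (src, dst) so the morning review
    shows which station talked to which outside host, and how much."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0, "first": None})
    for ts, src, dst, size, _ in alerts:
        entry = totals[(src, dst)]
        entry["flows"] += 1
        entry["bytes"] += size
        entry["first"] = entry["first"] or ts
    return dict(totals)

if __name__ == "__main__":
    for (src, dst), info in summarize_by_pair(pst_exfil_alerts(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}: {info['flows']} flows, {info['bytes']} bytes, "
              f"first seen {info['first']}")
```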

  10. #40
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    A more likely scenario may involve a rootkit installed when the system is vulnerable (Doctor leaves keycard in system while going off to drain snake)
    LOL, that's the most creative euphemism I've read in a while.
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com
