Hmm - where did I save those files?

Published: 2013-07-12
Last Updated: 2013-07-12 21:42:03 UTC
by Rob VandenBrink (Version: 1)
12 comment(s)

A client recently called me with some bad news.  "Our CFO's laptop was just stolen!" he told me - "What should we do?".  My immediate response (and out-loud I'm afraid) was "Fire up the Delorean, go back in time and encrypt the drive".  Needless to say, he wasn't keen on my response, even though I offered up a spare flux capacitor - maybe his Delorean was in the shop.

His response actually suprised me "We're actually in the middle of a WDE (WHole Disk Encryption) project.  The CFO's laptop was scheduled for next week (delayed at his request)".  But no matter how good that project is, it wasn't helping us today.
This client is under both NERC and PCI regulation, so I asked the obvious "did he have any financial data on his machine?  Do you need to disclose the theft as a breach?".  The response was an immediate "he says not".  Since the answer wasn't a definite "no", I asked the obvious - "Do you believe him?"  The answering pause really said it all.

The challenge we then had was to prove to the CFO, one way or the other, that sensitive data did or did not exist on the laptop.  Having just taken SANS FOR408, I know for a fact that even if he didn't save anything to the laptop, the presense of files and either parts of or full files are strewn across the file structure, registry and a kazzilion other locations on the machine.

So the scenario and a fun forensics question to end your week is:
A Windows 7 laptop, fully patched with Office 2010 installed
The corporate browser is IE10, but Firefox is also installed

Using our comment form, share where you would look for sensitive files, fragments of files or indicators of the presence of files.
Passwords, links and other sensitive information are all in play.
Be sure to include the tool or method you would use to find any evidence - duplicate "findings" are perfectly fine, as long as the tool or method is different.

Let's assume that the user didn't download anything to the "downloads" directory, and didn't have "I don't know where I saved that file" files strewn across his local profile and drive (even though that's extremely likely)

I'll update this story in a week or so with how the story played out, and how we made the point to the CFO.

Happy forensicating everyone!
 

===============
Rob VandenBrink
Metafore

Keywords: forensics
12 comment(s)

Microsoft Teredo Server "Sunset"

Published: 2013-07-12
Last Updated: 2013-07-12 11:54:50 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Microsoft has offered a Teredo server to allow users behind NAT gateways to obtain an IPv6 connection. Teredo was always considered as a transition technology to obtain IPv6 connectivity is nothing else works to connect to a particular resource ("path of last resort"). With native IPv6 connectivity becoming more common, there will be less need for transition technologies like Teredo. 

As we reported earlier, the host name for Microsoft's Teredo server (teredo.ipv6.microsoft.com) doesn't resolve currently. This is appearantly part of a "test" to measure the impact of the service being turned off. As an alternative, Microsoft still offers the "test.ipv6.microsoft.com" hostname to connect to it's Teredo servers. To adjust your settings, use:

netsh interface teredo set state client test.ipv6.microsoft.com

Of course, one may argue that with native IPv6 connecitvity becoming more common, transition technologies like Teredo will be more important for those of us left out in the legacy internet.

Thanks to our reader Gebhard for pointing out these URLs with more details:

http://translate.googleusercontent.com/translate_c?depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=auto&tl=en&u=http://ipv6.br/teredo-sunset-mais-um-passo-na-transicao-para-o-ipv6/&usg=ALkJrhgoYr5-CiFM3iwhL2Ann78qqng-_A

http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FIPv6-Tunnel-Microsoft-testet-Teredo-Nutzung-mit-Serverausfall-1916499.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: ipv6 microsoft sunset teredo
0 comment(s)
DNS resolution is failing for Microsofts Teredo server (teredo.ipv6.microsoft.com)

Comments

cwqwqwq

www

Nov 17th 2022
6 months ago

eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>

EEW

Nov 17th 2022
6 months ago

WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]

qwq

Nov 17th 2022
6 months ago

dwqqqwqwq mashood

mashood

Nov 17th 2022
6 months ago

[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)

isc.sans.edu

Nov 23rd 2022
6 months ago

[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]

isc.sans.edu

Nov 23rd 2022
6 months ago

What's this all about ..?

isc.sans.edu

Dec 3rd 2022
5 months ago

password reveal .

isc.sans.edu

Dec 3rd 2022
5 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

isc.sans.edu

Dec 26th 2022
5 months ago

https://thehomestore.com.pk/

isc.sans.edu

Dec 26th 2022
5 months ago

Login here to join the discussion.


Diary Archives