Forensic Investigation

Tech or Treat: The Forensic Investigation */?> Tech or Treat: The Forensic Investigation

Posted by · November 7, 2017 7:00 am

It all started with a phone call. The then acting director of the Office of Research Computing called to ask me to remotely shutdown my computer, it was Yom Kippur, Wednesday October 12, 2016.

I am not overly religious, but I do take off for the Jewish High Holidays, which includes Yom Kippur. The Director of the Office of Research Computing, a colleague of mine, emailed me on Yom Kippur of 2016 to ask me to shutdown my computer because:

“We are getting alerts that device CNCCR0J, which I believe is yours, is engaged in activity that is abusing [institution name] Active Directory. If you have initiated this activity, then this activity must stop immediately. If you have not engaged in this activity, then your computer is infected and must be disconnected from the network immediately. If I do not hear back from you by 2:40 today, then we will disconnect the computer. If you did not engage in this activity, then we need to remove device CNCCR0J for forensic investigation.”

I suggested the “activity” in question might be due to software I used to scan the network, but was assured that was not the case.

This was not a big deal for me in that I could easily remote in and perform a shutdown on the machine in question — my primary work machine. I immediately did so and emailed back informing him that it was done. Now came the start of a saga that lasted from 10/12/16 to 11/29/16. Our parent company wanted to do a forensic analysis on the machine and needed to take it to their facility in Yonkers to do so. I didn’t think this would be a problem, except they didn’t do a complete test until 11/01/16 when I received a notification, through TeamViewer, that the computer had come online.

The kicker here was that my computer is probably one of the most secure computers on campus. Between the several anti-ransomware programs and monitoring apps, along with standard endpoint protection, I have never had a problem. When I asked for the logs that would indicate why the machine was identified as causing a problem, I was told that only the Director of the Office of Research Computing could request these, and he refrained from doing so.

This was a nightmare if ever there was one. I was lucky enough to have a spare laptop hanging around which I used while my primary machine was unavailable. I wouldn’t have been half as frustrated if something had indeed been found.

When I did finally get my machine back, nearly two months later, there was no discernible difference (a friend kept telling me I would probably get it back wiped). Some software had to be re-registered, for different reasons. I never did find out why this all happened in the first place…

I recently did an even more intrusive scan of our network using a Kali Linux machine and ran NMAP/Zenmap. This raised no flags.



This article was originally published on on October 24, 2017.

By Thomas Zucker-Scharff, Systems Analyst and Experts Exchange member