I have been working on a case recently where we were asked to investigate possible data exfiltration from inside a corporate network. While investigating this type of scenario is not uncommon and has a number of investigative methods that can be used (see our previous post here), this scenario had a unique characteristic - namely that both computers we were asked to investigate had been reformatted/reinstalled since the investigated employee left.
This obviously was going to make the case more difficult and required some creative thinking in order to recover the necessary data to analyze. When I attempted to document the process taken to perform a component of the analysis, what was meant to be a couple-paragraph blog post turned into a multiple-page writeup. For that reason, I chose to simply convert the writeup to PDF and release it as a mini-whitepaper that can be found here:
I hope you take a few minutes (should be 10-15 at most) to read the paper and hopefully learn something from it. Based on the feedback I got from other investigators who have seen the paper (@kdpryor, @wyattroersma, @littlemac042), they all liked it and found it interesting, and I believe you will too.
Please either comment on the blog or write me directly if you have any questions.
Andrew Case - @attrc