While I could speculate about what might have happened here, it is better not to deviate from routine procedures and potentially overlook a crucial aspect in the process. A systematic and orderly approach is half the battle. I therefore first start a virus scan across the entire disk and, while we're waiting, ask Mr Waldmann about his company's IT policies: who has which access privileges, under what circumstances is the help desk allowed to access a PC, and what are the rules for email and internet users.
The virus scanner doesn't return any malicious files; a more in-depth manual analysis will be needed to confirm this verdict later. For now, I'm going to focus on analysing the disk with my forensics software. Every investigator has his favourite tools; many swear by Guidance Software's Encase, while others use Access Data's Forensic Toolkit or Helix by e-Fense.
Most of the tasks could generally also be done manually or using free tools. However, I prefer a well-established tool that will automate and log many steps of the procedure. My chosen tool is X-Ways Forensics. Its detailed technical report provides information on the hard disk's serial number, capacity and partitions, and I save it in the project directory. Systematic and orderly – you know …
Next, I examine the computer's various log files. The event log contains several interesting entries: on the day in question, the PC accepted various network connections from a specific workstation on the network. Congratulations, Mr Waldmann! Your prudent policy-making may have already given us the first usable lead. Windows will only record such network log-ons if the administrator explicitly implements a suitable policy.
I sort the hard disk's files according to their time stamps and across directories – an essential function of any forensic suite – and locate a VNC server that was deposited on the computer at the time of the first of those network log-ons. This is in keeping with the spooky incidents described by Waldmann's boss. The remote maintenance software allows a computer's monitor contents to be displayed on another computer, and even enables the software user to control them from there using a keyboard and mouse.
Mr Waldmann investigates who uses that workstation while I return to my routine tasks and create a hard disk image. To generate such an image, X-Ways copies all sectors, including those hard disk areas that aren't partitioned, and calculates SHA-256 hashes for the hard disk contents and the image. If the two data records' digital finger prints match, the records truly are identical; an analysis I create from the image will then even be accepted as evidence in court. Even the smallest copy error would cause the values to deviate.
Meanwhile, Mr Waldmann has found out that the remote computer in question is the notebook of a certain Mr Steinbach, one of the company's system administrators. Maintaining the affected PC is definitely not among his tasks. The next step is a little tricky: we need to examine Mr Steinbach's notebook – and we need to do so before he has the opportunity to activate a trace destructor, which would not make it impossible for me to succeed, but it would create unnecessary complications. We therefore go and see the admin team leader, who asks Mr Steinbach to come to his office.
Mr Waldmann calmly explains the situation: that the computer of a company executive has been attacked, and that the IP address of Mr Steinbach's computer showed up in one of the log files. We will therefore need his notebook for further investigations and that Mr Steinbach should please use a substitute computer for the time being. Although visibly taken aback, Steinbach consents. I've long given up drawing conclusions from a suspect's response. I prefer sticking to the digital facts – zeros and ones never lie.
On the admin's desk, we find the notebook with its desktop locked. Once again I go through the motions, take pictures of the screen and switch the notebook off the rough way. After I've unplugged the device's power lead, I remove the battery. I then take pictures of the system and write down which peripheral devices are connected to which ports. A few pictures of the workplace round off my documentation. We now take the computer, leaving the docking station with monitor, keyboard and mouse behind on the desk. There are no potentially private mobile storage devices such as USB pen drives, for which I would need to ask Mr Steinbach's permission before I could examine them.
I connect his hard disk to my project notebook via the obligatory write blocker, generate a detailed technical report with two mouse clicks, and start the virus scan. If the computer has been infected with a trojan, I want to extend my search to include further systems in the network as soon as possible. When the virus scanner returns no infections, Mr Waldmann and I breathe a sigh of relief. At least we're not dealing with a bush fire and can, in all conscience, call it a day. The copying procedure that is now required can run without supervision. Having carefully locked the room, I say goodbye for the day.