File system forensics

One user account, many problems

Ukatemi Technologies

09/23/2021

Background

Large companies often deploy directory systems that enable users to use a single account to access various shared services in the company’s infrastructure. One of these services is electronic mailing. The infrastructure of this service includes a mail server which is accessible from the public internet. Other mail servers use this connection to deliver email to recipiants that hold an account under the company’s domain.

In case of one of our customers, this was a Microsoft Office 365 system including Teams (video conferencing), Outlook (email, calendar) and Sharepoint (file sharing). One day, several employees of our customer reported receiving suspicious emails from their co-workers. These emails were written in different style and formatting than the usual ones. They informed their local IT infrastructure team and so the investigation began.

Incident severity

At this point it was possible that the potential attackers obtained login credentials to one or more employee accounts. This would have provided them with access to internal documents (e.g invoices, research papers, orders, business plans, company secrets) as well as company assets, internal systems. Also, company email accounts may be used for two-factor authentication with external systems. Thus the incident is classified high severity.

Investigation

During our investigation, our goal was to find out if any accounts or systems have been compromised, who the potential attackers were and how they executed their plan, what their objectives were, how they obtained initial access. First we examined the reported email messages and the workstations of the owners of the sender accounts. We created forensic duplicates of the main hard drives of the workstations. Operating system drives contain many hidden information about the history of the machine. These information may be deleted or altered by the attackers to cover their tracks, but this requires expertise and low-level technical knowledge of the effected system and is nearly impossible to execute thoroughly.

In the end we proved that in this case, the attackers didn’t acquire access to the workstations only to some email accounts. We created a detailed, evidence-based report for our customer, in which we uncovered the attackers activity, including their identity and intentions. We also gave suggestions on how the customer could exclude the attackers from the system as well as how they could avoid future incidents of this kind.