Corporate server failure/commercial crime investigation - USA
April 14, 2015
Digital Forensics, Cyber Incident Response, Computer Forensics Investigation
Envista Forensics was hired by a large international insurance carrier to investigate a corporate server failure. The insured, a regional distributer of automobile parts and tires, had recently terminated a contract with their Information Technology (IT) vendor. Soon after this contract termination, the insured’s system became inaccessible and then finally inoperable. At the time of loss, it was believed that damage sustained to the insured’s computer network was caused by a virus or malicious activity. No one could provide factual evidence to support the beliefs.
To begin, Envista digital forensics experts collected all of the necessary information pertaining to the insured’s server, computer network and all activities surrounding the events of the loss. In addition, we completed a site inspection to provide a forensic image of the original hard disk drives (HDDs).
Our digital forensic experts then began an analysis of the forensic image and were able to track activity throughout the server. Namely, our team of experts observed public Internet Protocol (IP) addresses that were gaining access into the Virtual Private Network (VPN). The initial activity also indicated that the identified username and password activity was the original IT vendor’s and that the activity corresponded with the IP address that was logged. It would be later verified that this IP address would be confirmed as belonging to the original IT vendor’s home following our transfer of information to the local Federal Bureau of Investigations (FBI) task force.
In addition, Envista was able to provide supporting information to the FBI illustrating that this user caused damage to other files and file structures by means of deleting. We also confirmed that the insured’s Microsoft Structured Query Language (SQL) database was damaged by an individual with identical credentials. Using change logs and performing a review of the database fields, Envisat experts were able to verify that this activity was causing the system to become inoperable. Further inspections of the server identified that multiple Active Directory (AD) changes were made causing the server to become inaccessible.
Through the completed investigation, Envista was able to provide our client with the exact root cause of the server failure. In addition, we were able to provide supportive information/documentation to the FBI. Ours investigation allowed for the FBI to take custody of the IT Vendor’s computer equipment and a comparative forensic investigation was being completed. Moreover, our client was able to provide the insured with funds to cover a portion of their loss and also assisted the FBI with access to any data that would support the investigation.