Uncovering insider threats with remote endpoint forensics: a case study
In today’s digital age, organizations face significant threats not just from external sources, but from within.
Insider threats, particularly involving intellectual property (IP) theft, pose a substantial risk. In this case study, we will explore how advanced endpoint forensics tools, specifically Magnet Axiom Cyber and Magnet Nexus, can be utilized to uncover and analyze an insider threat involving the theft of sensitive information.
In this post, we’ll look at a real-world scenario and how you can effectively use insider threat detection methodologies and solutions to uncover insider threats and share those findings with your stakeholders (such as HR and general counsel).
Case overview: Insider threat detection
This scenario involves the theft of certain intellectual property (IP) from a global chemical innovation company, and an employee’s attempt to hide the theft. By leveraging remote desktop access and various network resources, the unknown individual transferred IP to an external location. The forensic examination provided crucial evidence to substantiate these claims. (No actual IP addresses or sensitive case data will be displayed in this study.)
The case begins
Tier 1 analysts were alerted by their EDR solution that unusual remote desktop protocol (RDP) traffic had taken place on their network.
Although the company allows RDP access to the network, the activity was flagged because the connection came from an IP address not known to the network. On initial review by DFIR staff, EDR logs showed that after the RDP session was established, the endpoint that received it was used to connect to a second networked computer. This was exceptionally unusual, and the case was escalated for additional review by DFIR personnel.
At this time, Magnet Nexus, previously deployed enterprise-wide as a lightweight agent, was utilized to remotely access and pull information from the computer that received the RDP connection.
About Magnet Nexus
Magnet Nexus is a cloud based endpoint forensics solution, designed to facilitate the remote collection, processing, and analysis of digital evidence from multiple endpoints.
By enabling investigators to connect to and gather data from remote devices running Windows, Linux and macOS across an organization or network, Nexus significantly streamlines the insider threat detection process. It allows for real-time acquisition and analysis of data without the need for physical access to the devices, which is particularly useful in distributed environments or during incident response scenarios.
Magnet Nexus enhances the ability of forensic teams to perform thorough investigations, ensuring that evidence from remote endpoints is securely collected and analyzed efficiently, aiding in quick and informed decision-making.
Initial findings: tracing the digital footprints through endpoint forensics
After the initial collection was conducted from the endpoint, Magnet Nexus was utilized to identify the following artifacts:
RDP artifacts
Remote Desktop Protocol (RDP) artifacts are critical for understanding remote access activities on a system. These artifacts help you to track and analyze RDP sessions, which are commonly used in cases involving unauthorized access or lateral movement within a network. They come from several locations: the Security event log (4624 logons with LogonType 10, plus 4778/4779 session reconnect and disconnect events), the Terminal Services operational logs (RemoteConnectionManager event 1149 for successful network authentication, LocalSessionManager 21/22/25 for session logon and reconnect), and the registry (HKCU\Software\Microsoft\Terminal Server Client\Servers records the hosts a user has connected out to with the RDP client). Let’s look at exactly how we identify malicious behavior using these artifacts:
- The endpoint (Target Computer 1, 192.168.68.51) had incoming connections from 68.12.169.99.
- This data contains several critical pieces of evidence. We have the originating IP address, the date and time of the RDP connection, and the account utilized to make the connection (James Arden).
- Also seen is this outgoing connection to another computer on the same network. Computer 2 (192.168.68.53) was connected, and the account “james.arden” was utilized to log on.
- Together, these RDP artifacts show how the network was entered and give the first evidence of lateral movement within it. The IP addresses they contain are critical to insider threat detection: they let us tie activity to an individual and build a timeline of events.
Jump Lists
Jump List artifacts in endpoint forensics are used to track user activity and interaction with files and applications on a Windows system. Introduced in Windows 7, Jump Lists provide quick access to recently or frequently used files, folders, and tasks, making them a valuable source of evidence for forensic investigators.
- From this artifact, we can see that the \James share on 192.168.68.53 was accessed immediately after the first RDP session.
IP address identification
In this category, we see information pulled from RDP logging, which included the previously identified 68.12.169.99 and 192.168.68.53 IP addresses.
Shellbags
ShellBags are digital forensic artifacts in Windows operating systems that track user preferences and activity related to folder views and window settings in File Explorer. They provide valuable insight into the directories a user has accessed, even if those directories have been deleted, making them a critical artifact in endpoint forensics investigations.
- We can see the following folders were accessed: My Network Places:\192.168.68.53\James and My Network Places:\192.168.68.53\James\Documents
- These shellbag artifacts show the user’s interactions with these directories on the endpoint bearing 192.168.68.53.
Windows Event Logs
Windows Event Logs are crucial endpoint forensics artifacts that record system, security, and application events on a Windows system. They provide a detailed timeline of user and system activities, including logins, file access, software installations, network connections, and system errors.
- From this final category examined in Nexus, we can see logins conducted during the first RDP session, and from the explicit login to the second computer. Finally, we see a network share access at the IP 192.168.68.53.
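The RDP and event log artifacts above boil down to a small set of Security event IDs and one pattern: an RDP logon from an unfamiliar address, followed shortly by the same account authenticating to a second host. The following script, an added example and not part of the original post or any Magnet product, parses constructed records in the XML form that `wevtutil qe Security /f:xml` emits, keeps the 4624 (LogonType 10), 4648 and 5140 events, flags RDP sources that are not private addresses, and pairs each RDP logon with explicit-credential hops made from the same host within a time window. The hostnames, timestamps and event contents are invented for the example; only the IP addresses and account name echo the article.

```python
"""Timeline the RDP-then-lateral-movement pattern from exported Windows
Security events. All records here are constructed for this example; the
names and addresses only echo the article's scenario."""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# Constructed sample in the shape `wevtutil qe Security /f:xml` emits,
# wrapped in one <Events> root so it parses as a single document.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID>
    <TimeCreated SystemTime="2024-05-01T13:02:11.4811234Z"/>
    <Computer>TARGET1</Computer></System>
  <EventData>
    <Data Name="TargetUserName">james.arden</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">68.12.169.99</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4648</EventID>
    <TimeCreated SystemTime="2024-05-01T13:05:40.0000000Z"/>
    <Computer>TARGET1</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">james.arden</Data>
    <Data Name="TargetUserName">james.arden</Data>
    <Data Name="TargetServerName">192.168.68.53</Data>
    <Data Name="IpAddress">192.168.68.53</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5140</EventID>
    <TimeCreated SystemTime="2024-05-01T13:05:52.0000000Z"/>
    <Computer>COMPUTER2</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">james.arden</Data>
    <Data Name="IpAddress">192.168.68.51</Data>
    <Data Name="ShareName">\\*\James</Data>
  </EventData>
</Event>
</Events>"""


def parse_time(system_time):
    """EVTX SystemTime carries 7 fractional digits; keep whole seconds (UTC)."""
    base = system_time.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def is_external(ip):
    """True for a routable source address; '-' and loopback/link-local are not."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def _event_data(ev):
    return {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}


def triage(xml_text):
    """Return only the events that matter for this pattern, oldest first."""
    rows = []
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % EVT_NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        host = ev.findtext("e:System/e:Computer", namespaces=NS)
        d = _event_data(ev)
        row = {"time": when, "host": host, "flag": ""}
        if eid == 4624 and d.get("LogonType") == "10":   # RemoteInteractive = RDP
            row.update(kind="rdp_logon", user=d.get("TargetUserName"), src=d.get("IpAddress", "-"))
            if is_external(row["src"]):
                row["flag"] = "external source"
        elif eid == 4648:   # logon with explicit credentials: an outbound hop
            row.update(kind="explicit_creds", user=d.get("TargetUserName"), src=d.get("TargetServerName"))
        elif eid == 5140:   # network share accessed, logged on the share host
            row.update(kind="share_access", user=d.get("SubjectUserName"),
                       src=d.get("IpAddress"), share=d.get("ShareName"))
        else:
            continue
        rows.append(row)
    rows.sort(key=lambda r: parse_time(r["time"]))
    return rows


def lateral_chains(rows, window_minutes=30):
    """Pair each RDP logon with explicit-credential hops the same account made
    from the same host within the window: the 'RDP, then second computer' signal."""
    chains = []
    for rdp in (r for r in rows if r["kind"] == "rdp_logon"):
        t0 = parse_time(rdp["time"])
        for hop in (r for r in rows if r["kind"] == "explicit_creds"):
            gap = parse_time(hop["time"]) - t0
            if (hop["user"] == rdp["user"] and hop["host"] == rdp["host"]
                    and timedelta(0) <= gap <= timedelta(minutes=window_minutes)):
                chains.append((rdp, hop))
    return chains


if __name__ == "__main__":
    for r in triage(SAMPLE_XML):
        print(r["time"], r["host"], r["kind"], r["user"], r["src"], r["flag"])
    for rdp, hop in lateral_chains(triage(SAMPLE_XML)):
        print("chain:", rdp["src"], "->", rdp["host"], "->", hop["src"])
```

The 5140 record is collected from the second host, not the one that received the RDP session, which is why the script accepts a merged export: the share access only appears once both endpoints' logs are in the same timeline, exactly as the Nexus collection above put them side by side.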
Final analysis
So, what does all this mean?
Clearly, there is unusual activity on the network. We can verify that the initial RDP session was also used to access another computer.
But what happened? This calls for a deeper dive into the computer. This is where Axiom Cyber can be utilized to really dig into the digital artifacts.
About Magnet Axiom Cyber
DFIR solutions like Magnet Axiom Cyber let businesses acquire data from remote endpoints and analyze evidence from multiple sources in one case: Windows, Mac and Linux devices, mobile devices, cloud apps and storage services such as AWS or Azure, and an ever-expanding number of IoT devices, combined for a broad view of an incident.
Axiom Cyber has the ability to conduct a “deep dive” into endpoint forensics artifacts. By locating these artifacts and presenting them in an artifacts-first approach, you get to the critical data more quickly and in an easy-to-understand format.
Once analysis is complete, Axiom Cyber has comprehensive reporting functionality that can produce a range of reports: everything from technical exports for review by other DFIR colleagues or a load file or RSMF export for eDiscovery analysts to easy-to-read and understand reports for non-technical stakeholders such as HR or Legal teams.
Deeper dive investigation: the evidence of theft
After using Axiom Cyber to extract more data from the computer, there are several ways to examine it. (Magnet’s documentation on remote collections and the covert ad-hoc agent generated by Axiom Cyber covers the collection step in more detail.)
Since we have a definite point in time (RDP session), the Timeline feature can be utilized:
This automatically places key evidence in a visual timeline and chronological list to see what events happened and in what order.
Looking at times after the RDP/connections were made we see:
- From the Recycle Bin we see a file here, with a created date just after the connection to the second computer. (We will see the name of the file when we look at the recycle bin directly). The name and the hash will be utilized later to confirm the identity of the file.
- From Prefetch files, we see that PowerShell is launched:
Prefetch files are great artifacts for forensic investigators trying to analyze applications that have been run on a system. Windows creates a prefetch file when an application is run from a particular location for the very first time. This is used to help speed up the loading of applications. For investigators, these files contain some valuable data on a user’s application history on a computer.
- In this case, we can see that the user launched PowerShell. The next artifact explains why PowerShell logging is critical in investigations.
- Next, we look at PowerShell logging. PowerShell logs are crucial in digital forensics because they provide detailed records of script executions and command-line activities, helping investigators trace malicious actions, privilege escalation, and lateral movement in compromised systems. In this case the record came from ConsoleHost_history.txt, the per-user command history written by the PSReadLine module (under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\). Note that it only captures commands typed in interactive console sessions, not scripts, and a user can disable it, so treat it as a complement to Script Block Logging (event 4104) and Module Logging rather than a replacement. The history shows the text of the PowerShell session (the mistyped Get-ChileItem line is reproduced as recorded):
Compress-Archive -Path "C:\Users\James.Arden\Documents\Secret copy.rtf", "C:\Users\James.Arden\Documents\Secret_File.jpg" -DestinationPath "C:\Users\James.Arden\Documents\1.zip"
Get-ChileItem -Path "C:\Users\James.Arden\Documents"
Get-ChildItem -Path "C:\Users\James.Arden\Documents"
exit
- From this critical piece of evidence, we can see that a Zip archive was created of two files. For this re-creation, the file names are “Secret_File.jpg” and “Secret copy.rtf”. They were placed into a file 1.zip and then the contents of the directory were listed. It is commonplace for individuals to compress files into a ZIP before exfiltrating data from a network because it reduces file size for faster transfer, helps evade detection by bundling multiple files, and can be encrypted to obscure the contents from security monitoring tools.
- We also now see another new file (that is also now in the recycle bin), that was created after PowerShell was launched.
- From Edge/IE history, we see that an FTP site was accessed:
- As we see the FTP site in Shellbags, this likely means it was accessed through File Explorer:
- Now we see that 1.zip is deleted (placed into the recycle bin). When a file is sent to the recycle bin, Windows renames its contents to $R followed by a random string and the original extension, and writes a matching $I file holding the original path, size and deletion time. Here the contents were stored as $RY5RZET.zip, and the $I record shows the file was originally located in C:\Users\James.Arden\Documents.
- Subsequently, the files Secret copy.rtf and Secret_File.jpg are also deleted (placed into the recycle bin). Their contents were stored as $RD3DJ7Z.rtf and $RK0NON5.jpg.
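Two of the artifacts above, the PowerShell history and the recycle bin, can be tied together mechanically: the $I record recovers each deleted file’s original path and deletion time, and the Compress-Archive line in the history names exactly which paths were staged and where the archive went. The script below is an added example, not code from the original post or from Magnet; it builds constructed $I records (Windows 10 format, version 2) and a constructed history text that mirror the file names in the article, parses both, and labels each deleted file by its role in the staging command. The file sizes, timestamps and $I names are invented for the example, and the command parser only handles the full `-Path` and `-DestinationPath` parameter names, not PowerShell’s abbreviated or positional forms.

```python
"""Recover what was deleted and tie it back to the staging command in the
PowerShell history. The $I records and history text below are constructed
for this example; they mirror the article's file names but are not case data."""
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def build_i_record(original_path, size, deleted_at):
    """Build a Windows 10 style $I record (version 2); used for sample data only."""
    header = struct.pack("<QQQI", 2, size, dt_to_filetime(deleted_at),
                         len(original_path) + 1)
    return header + (original_path + "\0").encode("utf-16-le")


def parse_i_record(data):
    """Parse a $I<id>.<ext> record: version, original size, deletion time, path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 2:                       # Windows 10+: length-prefixed path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    elif version == 1:                     # Vista through 8.1: fixed 260 wchars
        raw = data[24:24 + 520]
    else:
        raise ValueError("unknown $I version %d" % version)
    path = raw.decode("utf-16-le").split("\0", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_dt(ft), "original_path": path}


def r_name_for(i_name):
    """$I<id>.<ext> (metadata) pairs with $R<id>.<ext> (the deleted content)."""
    base = i_name.replace("\\", "/").rsplit("/", 1)[-1]
    if not base.startswith("$I"):
        raise ValueError("not a $I record name: %s" % i_name)
    return "$R" + base[2:]


# A quoted string is one token; a bare run of non-space characters is one token.
TOKEN_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')


def tokenize(line):
    return [a or b or c for a, b, c in TOKEN_RE.findall(line)]


def parse_compress_archive(line):
    """Extract -Path sources and -DestinationPath from one history line.
    Only full parameter names are handled (no PowerShell prefix matching)."""
    toks = tokenize(line)
    if not toks or toks[0].lower() != "compress-archive":
        return None
    sources, dest, i = [], None, 1
    while i < len(toks):
        name = toks[i].lower()
        if name == "-path":
            i += 1
            while i < len(toks) and not toks[i].startswith("-"):
                sources.extend(p.strip() for p in toks[i].split(",") if p.strip())
                i += 1
        elif name == "-destinationpath" and i + 1 < len(toks):
            dest = toks[i + 1]
            i += 2
        else:
            i += 1
    return {"sources": sources, "destination": dest}


def staging_from_history(text):
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_compress_archive(line.strip())
        if parsed:
            parsed["line"] = n
            found.append(parsed)
    return found


def correlate(history_text, recycle_bin):
    """recycle_bin maps $I file names to their bytes. Returns deleted files in
    deletion order, labelled by the role each played in the staging command."""
    roles = {}
    for s in staging_from_history(history_text):
        if s["destination"]:
            roles[s["destination"].lower()] = "staged archive"
        for src in s["sources"]:
            roles[src.lower()] = "staged source"
    rows = []
    for i_name, blob in recycle_bin.items():
        rec = parse_i_record(blob)
        rows.append({"recycle_name": r_name_for(i_name),
                     "original_path": rec["original_path"],
                     "deleted": rec["deleted"],
                     "role": roles.get(rec["original_path"].lower(), "")})
    rows.sort(key=lambda r: r["deleted"])
    return rows


# Constructed sample history (straight quotes, as PSReadLine records them).
SAMPLE_HISTORY = r"""Compress-Archive -Path "C:\Users\James.Arden\Documents\Secret copy.rtf", "C:\Users\James.Arden\Documents\Secret_File.jpg" -DestinationPath "C:\Users\James.Arden\Documents\1.zip"
Get-ChileItem -Path "C:\Users\James.Arden\Documents"
Get-ChildItem -Path "C:\Users\James.Arden\Documents"
exit
"""

# Constructed $I records; the $I names are derived from the article's $R names.
T0 = datetime(2024, 5, 1, 13, 20, 0, tzinfo=timezone.utc)
SAMPLE_RECYCLE_BIN = {
    "$IY5RZET.zip": build_i_record(r"C:\Users\James.Arden\Documents\1.zip", 48213, T0),
    "$ID3DJ7Z.rtf": build_i_record(r"C:\Users\James.Arden\Documents\Secret copy.rtf",
                                   10240, T0 + timedelta(minutes=2)),
    "$IK0NON5.jpg": build_i_record(r"C:\Users\James.Arden\Documents\Secret_File.jpg",
                                   38012, T0 + timedelta(minutes=2, seconds=5)),
}

if __name__ == "__main__":
    for row in correlate(SAMPLE_HISTORY, SAMPLE_RECYCLE_BIN):
        print(row["deleted"].isoformat(), row["recycle_name"],
              row["original_path"], row["role"])
```

On a real image the $I and $R files live under $Recycle.Bin\<user SID>\ on the volume; the $I parser above is the piece that matters, because the $R file keeps the content (and therefore the hash used later to identify the IP) while only the $I record tells you where the file came from and when it was deleted.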
What do these additional artifacts provide? By conducting a deeper dive through Axiom Cyber, we were able to establish a complete timeline of events:
Reconstructing the timeline of events
The investigation allowed us to reconstruct the following timeline:
- Remote access: An individual used the account James.Arden to RDP from an outside IP (68.12.169.99) to the networked machine at 192.168.68.51, and from there accessed a second machine at 192.168.68.53.
- File copying: The file Secret copy.rtf was transferred from the \James\Documents share on 192.168.68.53 to the device that received the RDP session.
- File compression: PowerShell was then used to zip Secret copy.rtf and Secret_File.jpg.
- File transfer: Finally, an external FTP site was accessed, and the zip file was uploaded, effectively exfiltrating the sensitive data.
The files were both definitively identified by the victim corporation as “sensitive intellectual property” using the hashes provided by Axiom Cyber. The final step in the process was verifying the initial IP address (68.12.169.99), which was confirmed to belong to employee James Arden after reviewing past correspondence. Upon interview and presentation of the facts, Arden admitted to the facts of the case.
Strengthening insider threat detection through remote endpoint forensics
This case exemplifies the power of endpoint forensics tools in uncovering insider threats. Although the EDR identified some unusual network activity, using Magnet Nexus and Axiom Cyber was necessary to uncover and process critical artifacts. With these artifacts, the investigators were able to trace the digital footprints of the suspect, reconstruct the sequence of events, and confirm the theft of intellectual property.
The integration of tools like Magnet Axiom Cyber and Magnet Nexus played a pivotal role in building a compelling case against the insider threat, demonstrating their value in protecting organizational assets and investigating incidents.
This case serves as a reminder that vigilance and the right forensic tools are essential in the fight against insider threats, ensuring that no trace goes unnoticed.
To learn more about these products or request a trial, please visit Axiom Cyber and Magnet Nexus.