Data Exfiltration

ID: S1001

Description: An employee is suspected of unauthorized copying of sensitive data (code, trade secrets, etc) from internal systems to those outside of the company's control.

Are there any indications of anti-forensic efforts? F1007

• Q1024  Was an Incognito/Private browser session used?
• Q1028  Was there specialized "anti-forensic" (or "privacy") software on a computer?
• Q1029  Were any encryption programs used on a computer?
• Q1030  Were any security or monitoring agents tampered with or disabled?
• Q1032  What actions were taken in an Incognito (or "private") browser session?
• Q1033  Was shell history cleared?
• Q1074  Were any system event logs cleared?

Are there signs of staging data for future exfiltration? F1008

"Staging" refers to the collection of data of interest onto a local system, as a precursor step for future exfiltration of that data. When reviewing data from Questions in this Facet, look for unusual volumes of results (number or size of files downloaded or sent, for example).

• Q1001  What files were downloaded using a web browser?
• Q1004  What screenshots were taken on a computer?
• Q1005  What files have ever been on a computer?
• Q1006  What files are present on a computer?
• Q1017  Were any files collected into a container?
• Q1034  Was content copied from a file?
• Q1035  Were any copies made of sensitive files?
• Q1077  Were there bulk downloads from Google Drive?

Was any sensitive data sent externally via email? F1009

• Q1016  What files were sent externally via email attachments?
• Q1075  Is the recipient account controlled by the sender?
• Q1076  Were the files screenshots?
• Q1078  Were the files copies?
• Q1079  Is there a history of communication with the recipients?
• Q1080  How many external recipients does the email have?

Was any sensitive data exfiltrated via a physical medium? F1010

• Q1003  What files were copied from a computer to a USB device?
• Q1010  What was printed from a computer?

Was any sensitive data exfiltrated via a web service? F1011

• Q1007  What files were synced or backed-up to external services?
• Q1009  What interactions with external cloud storage sites did the actor have using their web browser?
• Q1011  What files were sent or received by a chat application?
• Q1025  What external accounts has the actor used in their web browser?
• Q1038  Were any files sent via CLI utilities?
• Q1084  What data was uploaded to a website via a web browser?

System Information F1012

• Q1008  What programs are installed on a computer?
• Q1081  Does the user have a recently provisioned host?

Were any files sent via other network media? F1026

• Q1082  Were any files sent via AirDrop?
• Q1083  Were any files sent via Bluetooth?