Description: An employee is suspected of unauthorized copying of sensitive data (code, trade secrets, etc.) from internal systems to systems outside the company's control.
Are there any indications of anti-forensic efforts? F1007
- Q1024 Was an Incognito/Private browser session used?
- Q1028 Was there specialized "anti-forensic" (or "privacy") software on a computer?
- Q1029 Were any encryption programs used on a computer?
- Q1030 Were any security or monitoring agents tampered with or disabled?
- Q1032 What actions were taken in an Incognito (or "private") browser session?
- Q1033 Was shell history cleared?
- Q1074 Were any system event logs cleared?
Are there signs of staging data for future exfiltration? F1008
"Staging" refers to the collection of data of interest onto a local system as a precursor to exfiltrating it. When reviewing data from the Questions in this Facet, look for unusual volumes of results (for example, the number or total size of files downloaded or sent) relative to the user's normal activity.
- Q1001 What files were downloaded using a web browser?
- Q1004 What screenshots were taken on a computer?
- Q1005 What files have ever been on a computer?
- Q1006 What files are present on a computer?
- Q1017 Were any files collected into a container?
- Q1034 Was content copied from a file?
- Q1035 Were any copies made of sensitive files?
- Q1077 Were there bulk downloads from Google Drive?
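The following is an added example, not part of the original facet list, showing one way to apply the "unusual volume" guidance above to browser download history (Q1001) and to spot files collected into containers (Q1017). The download records, field layout and corporate context are constructed for illustration; real evidence would come from the browser's history database or a forensic tool's export. Days are compared against a robust baseline (median and median absolute deviation) so a single burst day does not drag the baseline up with it.

```python
"""Flag days of unusually high download volume in browser download history.

Added example (not from the original page). DOWNLOADS is constructed sample
data in an assumed (timestamp, filename, size_in_bytes) layout.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records: a week of ordinary activity plus one burst
# afternoon in which several source archives and a customer export arrive.
DOWNLOADS = [
    ("2024-03-01T09:12:00", "q1_report.pdf", 512_000),
    ("2024-03-01T14:40:00", "meeting_notes.docx", 48_000),
    ("2024-03-02T10:05:00", "budget.xlsx", 220_000),
    ("2024-03-04T11:30:00", "onboarding.pdf", 900_000),
    ("2024-03-05T08:55:00", "slides.pptx", 1_200_000),
    ("2024-03-06T16:20:00", "invoice_883.pdf", 130_000),
    ("2024-03-07T13:01:00", "core-service-src.zip", 180_000_000),
    ("2024-03-07T13:03:00", "auth-lib.tar.gz", 95_000_000),
    ("2024-03-07T13:04:00", "customer_export.csv", 640_000_000),
    ("2024-03-07T13:06:00", "pricing_model.xlsx", 2_400_000),
    ("2024-03-07T13:08:00", "roadmap_2025.pptx", 14_000_000),
    ("2024-03-07T13:10:00", "design-docs.zip", 60_000_000),
    ("2024-03-08T09:00:00", "expense_form.pdf", 75_000),
]

# Archive/container extensions of interest for Q1017 (assumed list).
CONTAINER_EXT = (".zip", ".7z", ".rar", ".tar", ".tar.gz", ".tgz")


def daily_totals(records):
    """Return {day: (download_count, total_bytes)} for the given records."""
    totals = defaultdict(lambda: [0, 0])
    for ts, _name, size in records:
        day = datetime.fromisoformat(ts).date().isoformat()
        totals[day][0] += 1
        totals[day][1] += size
    return {day: tuple(v) for day, v in totals.items()}


def robust_threshold(values, k=3.0):
    """median + k * MAD. If MAD is 0 (most days identical), fall back to
    half the median as the spread so the threshold is still above baseline."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    spread = mad if mad > 0 else 0.5 * med
    return med + k * spread


def flag_staging_days(records, k=3.0):
    """Return {day: [reasons]} for days whose count or byte volume exceeds
    the robust threshold computed over all days in the records."""
    totals = daily_totals(records)
    count_thr = robust_threshold([c for c, _ in totals.values()], k)
    size_thr = robust_threshold([s for _, s in totals.values()], k)
    flagged = {}
    for day, (count, size) in sorted(totals.items()):
        reasons = []
        if count > count_thr:
            reasons.append(f"{count} downloads (threshold {count_thr:.1f})")
        if size > size_thr:
            reasons.append(f"{size:,} bytes (threshold {size_thr:,.0f})")
        if reasons:
            flagged[day] = reasons
    return flagged


def container_files(records, day):
    """Filenames downloaded on `day` that look like archives (Q1017)."""
    return [name for ts, name, _ in records
            if ts.startswith(day) and name.lower().endswith(CONTAINER_EXT)]


if __name__ == "__main__":
    for day, reasons in flag_staging_days(DOWNLOADS).items():
        print(day, "; ".join(reasons))
        print("  containers:", container_files(DOWNLOADS, day))
```

The thresholds are deliberately relative rather than fixed byte counts: a developer who routinely pulls large artifacts will have a high baseline, while a 600 MB CSV on a workstation that normally downloads spreadsheets stands out. Treat flagged days as a starting point for the per-file questions in this Facet, not as a finding on their own.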
Was any sensitive data sent externally via email? F1009
- Q1016 What files were sent externally via email attachments?
- Q1075 Is the recipient account controlled by the sender?
- Q1076 Were the files screenshots?
- Q1078 Were the files copies?
- Q1079 Is there a history of communication with the recipients?
- Q1080 How many external recipients does the email have?
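As an added example (not from the original page), the Questions in this Facet can be turned into a triage pass over sent-mail metadata. The messages, the corporate domain, the webmail-domain list, the prior-contact set and the filename patterns are all constructed assumptions; in a real case the prior-contact set would come from the mailbox's earlier sent and received mail, and the patterns would be tuned to the organisation's tooling. The heuristics map onto Q1075 (recipient webmail account whose name resembles the sender's), Q1076 (screenshot-style attachment names), Q1078 (copy-style attachment names), Q1079 (no prior communication) and Q1080 (external recipient count).

```python
"""Triage outbound email metadata against the F1009 questions.

Added example (not from the original page). All data below is constructed.
"""
import re

CORP_DOMAIN = "corp.example"          # assumption: the employer's mail domain
WEBMAIL_DOMAINS = {                   # assumption: personal-mail providers
    "gmail.com", "outlook.com", "hotmail.com", "yahoo.com",
    "icloud.com", "proton.me", "protonmail.com",
}
# Assumed naming conventions for screenshots (Q1076) and file copies (Q1078).
SCREENSHOT_RE = re.compile(r"(?i)^(screen ?shot|capture|snip)\b.*\.(png|jpe?g)$")
COPY_RE = re.compile(r"(?i)(\s-\s?copy|\(\d+\)|_copy|^copy of )")

# Constructed: addresses this mailbox has exchanged mail with before (Q1079).
PRIOR_CONTACTS = {"bob.smith@corp.example", "partner@vendor.example"}

# Constructed sent-mail metadata.
MESSAGES = [
    {"from": "jane.doe@corp.example", "to": ["bob.smith@corp.example"],
     "attachments": ["q1_report.pdf"]},
    {"from": "jane.doe@corp.example", "to": ["janedoe88@gmail.com"],
     "attachments": ["Screenshot 2024-03-07 at 13.05.12.png",
                     "pricing_model - Copy.xlsx"]},
    {"from": "jane.doe@corp.example",
     "to": ["partner@vendor.example", "legal@vendor.example", "cfo@vendor.example"],
     "attachments": ["nda_signed.pdf"]},
]


def domain(addr):
    return addr.rsplit("@", 1)[1].lower()


def name_tokens(addr):
    """Alphabetic name parts of the local-part that are long enough to be
    meaningful (e.g. 'jane' from jane.doe, but not 'doe')."""
    local = addr.split("@", 1)[0].lower()
    return {t for t in re.split(r"[._\-]", local) if len(t) >= 4 and t.isalpha()}


def looks_self_controlled(sender, rcpt):
    """Q1075 heuristic: webmail recipient whose local-part contains one of
    the sender's name tokens (jane.doe -> janedoe88@gmail.com)."""
    if domain(rcpt) not in WEBMAIL_DOMAINS:
        return False
    rcpt_local = re.sub(r"[^a-z]", "", rcpt.split("@", 1)[0].lower())
    return any(tok in rcpt_local for tok in name_tokens(sender))


def triage(msg, prior_contacts=PRIOR_CONTACTS, corp_domain=CORP_DOMAIN):
    """Return the F1009 indicators for one message plus a simple score
    (number of indicator groups that fired) for ordering review."""
    external = [r for r in msg["to"] if domain(r) != corp_domain]
    result = {
        "external_recipients": len(external),
        "self_controlled": [r for r in external
                            if looks_self_controlled(msg["from"], r)],
        "no_prior_contact": [r for r in external
                             if r.lower() not in prior_contacts],
        "screenshots": [a for a in msg["attachments"] if SCREENSHOT_RE.search(a)],
        "copies": [a for a in msg["attachments"] if COPY_RE.search(a)],
    }
    result["score"] = sum(bool(v) for v in result.values())
    return result


if __name__ == "__main__":
    for msg in sorted(MESSAGES, key=lambda m: triage(m)["score"], reverse=True):
        print(msg["to"], triage(msg))
```

The score only orders messages for review; a legitimate mail to a new vendor contact will fire the prior-contact check, and a screenshot sent to a personal account may be innocuous. The value of the pass is surfacing the combination (external, self-controlled, never contacted before, copies or screenshots attached) that the questions above are designed to expose.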
Was any sensitive data exfiltrated via a physical medium? F1010
- Q1003 What files were copied from a computer to a USB device?
- Q1010 What was printed from a computer?
Was any sensitive data exfiltrated via a web service? F1011
- Q1007 What files were synced or backed-up to external services?
- Q1009 What interactions with external cloud storage sites did the actor have using their web browser?
- Q1011 What files were sent or received by a chat application?
- Q1025 What external accounts has the actor used in their web browser?
- Q1038 Were any files sent via CLI utilities?
- Q1084 What data was uploaded to a website via a web browser?
System Information F1012
- Q1008 What programs are installed on a computer?
- Q1081 Does the user have a recently provisioned host?
Were any files sent via other network media? F1026
- Q1082 Were any files sent via AirDrop?
- Q1083 Were any files sent via Bluetooth?