Saturday, 18 February 2012

Anatomy of an IT Network Trace

I have seen many people asking Kady O'Malley (for some reason) how the person behind the former @vikileaks30 account could be identified if they were on the Government of Canada network. Since I've been involved in legal discoveries collecting evidence, I do have some insight into the matter.

First of all, why would there be an effort made to identify this person, since they didn't do anything illegal? They may not have done anything illegal, but this individual (or individuals) may have violated the terms of their employment. Assuming their employer is the Government of Canada or one of its departments, this affair could result in disciplinary action up to and including termination of employment. Disciplinary action still requires proof, so the methods used by IT would be the same.

So what would be required? Data, and lots of it. Given that this is an investigation within the government's computer systems, I am assuming that a very detailed and comprehensive data logging system is in place. Such a system would log all internet activity, all internal network activity, and all activity on devices used for government purposes. This system would know who logged into which computer, what internal resources they accessed and what external (or internet based)resources were accessed. These logs would record detailed information to the second or even to the millisecond and a thorough combing of them would put together a very comprehensive and detailed portrait of any activity.

An audit of the logs would start with the @vikileaks30 twitter account itself. Every tweet has a date and time stamp on it, and all of those would be collected to create a baseline of activity to look for. (Given that the @vikileaks30 account has now been deleted, anyone investigating would have needed to record all that activity beforehand. But, since twitter accounts have a full URL path (i.e. https://twitter.com/#!/vikileaks30) the account deletion may only prove to be a handicap.)

From that pattern of activity, it would be relatively simple to comb through the internet activity logs and map that activity to an internal resource. Many internet logging utilities that organizations use will also record the account that was logged into the device that accessed a site on the internet. At this point the investigator will know which internal device and probably which user account was logged onto that device. Using the logs from internal systems, it can be verified that the suspect system was indeed being used by the suspect user account, what time the account logged on and what time they logged off. An interview with this person's supervisor would also be conducted to determine if that employee was actually at that system at the times recorded (if it was traced to an internal office). This would be done to determine if the user account password was known by more than one individual who could have access to the device identified.

The internal network itself can also record all activity, providing a second level of logs that will confirm if the activity seen at the Internet gateway can be traced right to the physical device through each layer of network services between the device and the Internet gateway. This will serve to validate and confirm the findings made thus far and to lay to rest any suspicions about "spoofing" or other hack techniques.

Lastly, the device may be seized and an exhaustive search of internet or browsing history will be conducted. Searches for cookies, temp files and any other data will be done, again to confirm the information found so far. At this point the correlations will start to pile up and it will be very difficult to provide alternate explanations. A summary of all these findings will be made to human resources and/or lawyers and IT will be asked to explain and justify their conclusions.

What if the device were compromised by a hacker and it was made to look like this person was the @vikileaks30?

Several points would exist to discount that theory. Usually when a system is compromised, the services that run on behalf of the hacker would run under a compromised system account, not the account of the user using the device. The logs would show that distinction. Also, time based anomalies would likely appear, i.e. the employee was in a staff meeting and the device was conducting google queries during their absence or while the user account was logged off.

We also have the nature of the activity. The hacker theory means that someone hacked into the Government of Canada network, used that hack to create a twitter account that they then updated with information that was already available to the general public. The point of the @vikileaks30 account was to mock Vic Toews and the hacker needed a patsy to pin it on. Any hacker that actually did this would be extremely talented and also stupid beyond all degrees of common sense. Hacking into a Government of Canada network is a federal offense. The RCMP and CSIS would be called upon to find the perp and send him to Syria for some very uncomfortable questioning. Hacking changes the vikileaks30 affair from a minor employer/employee disciplinary issue into a serious criminal investigation. Anyone that hacked into Government of Canada systems would be more interested in collecting sensitive data or causing widespread havoc, or both. They wouldn't be chortling in their basement over their Vic Toews tweets.

However, if none of data collected showed any anomalies, then the logical conclusion would implicate the employee. A hacker theory would have to be discarded as no evidence would exist to support it. Lots of evidence would exist to implicate the employee.

And that, as we say, is that.

1 comment:

Anonymous said...

nicely put...