SANS Digital Forensics and Incident Response Blog: Daily Archives: Feb 02, 2009

Change Controls: Ur Doin It Rong

by Hal Pomeranz, Deer Run Associates

More details are emerging in the case of Rajendrasinh Makwana, a former consultant at Fannie Mae, who allegedly planted malicious code on Fannie Mae's servers after he had been terminated. If the code had not been detected, it apparently would have destroyed data on a large number of Fannie Mae's servers on January 31st.

There's been a great deal of hand-wringing over the fact that Makwana continued to have sufficient access after he was terminated to allow him to plant the malicious code. Well, let's review the facts as presented by FBI Agent Jessica Nye's affidavit:

"On October 24, 2008 between 1:00 and 1:30pm, MAKWANA was terminated as an employee of [Fannie Mae]... At


PTK Live and Indexed keyword search

A forensics analysis tool has to be able to execute thorough keyword search operations. PTK's search tool is be able to isolate the keywords searched even in the most complex and unusual situations. It is possible to verify if a keyword is in portions of the file system that are hard to analyze whether this is due to chance or user intent. Here are examples of the most interesting situations:

'' allocated/unallocated space
'' crosses two allocated/unallocated files
'' crosses consecutive sectors in a file
'' crosses a file into slack
'' slack space
'' crosses fragmented sectors
'' Resident allocated/unallocated file
'' Resident alternate data stream in an allocated/unallocated file/directory
'' Non-resident allocated/unallocated file

All these situations can further vary depending on the file system under investigation. For instance, NTFS offers features that can be used to "hide" a file, consider the

... Continue reading PTK Live and Indexed keyword search