Users and forensics

An essential part of computer forensics is talking to the user. I talk about this in the presentation I gave to the campus technology conference last December and will probably be re-addressing that this year.
A key thing to remember is that talking to the user is the beginning of your forensic process, not the end. Too many people are willing to take what our users say at face value – “no, I don’t run P2P software,” ok, so it must be something else. Sometimes it turns out that the something else was Skype or some television viewing software. Both of those are (or can be) p2p as well, but since they’re not BitTorrent, people forget about them.
This is not to say that we need to approach our users in a hostile manner, as some do – that is counterproductive. Rather, we need to take our time and double-check: “ok, so you don’t use p2p, but this behaviour just started – what have you installed lately?” Sometimes that approach yields the answer you need. Other times, it’s more digging.
This post was brought about because we’ve been seeing a lot of alerts on possible Kraken activity on our network courtesy of our Snort sensor, but in the one response I’ve received, it was to say “oh, I reinstalled the workstation, so no problem.” I’d even asked specifically if the admin could check to see if there was a problem, since I don’t know how well this rule is working for us.
Another admin did actually dig down, and the user’s response was essentially “nope, no p2p, but I just started using this software called UUSee to watch soccer games.” Turns out there was a game on at the same time we were receiving the alerts. I never claimed to be the sharpest crayon in the box, but I can connect two dots if they’re put down for me.
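The “two dots” in that last case were alert timestamps and the time the user said the program was running. The script below is an added example, not code from the original post or from Snort: it parses Snort’s fast-format alert output and splits one host’s alerts into those that fall inside a user-reported activity window (with a little slack for fuzzy recollection) and those that don’t. The alert lines, the year, the rule message and the SID 9999999 are all constructed placeholders, not a real Kraken rule. A host whose alerts all sit inside the window is consistent with the user’s story; a host with alerts outside it is the “more digging” case.

```python
"""Correlate Snort fast-format alerts with a user-reported activity window.

Added example, not from the original post. The sample alert lines, the rule
message and the SID below are constructed placeholders, not a real Snort rule.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of Snort alert_fast output. This format carries no year,
# so the caller supplies one. Two hosts: .41 alerts during the evening, .88
# alerts in the small hours.
SAMPLE_ALERTS = """\
04/05-19:02:11.120334  [**] [1:9999999:1] POLICY-OTHER possible Kraken-like P2P beacon (placeholder) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.20.30.41:51234 -> 203.0.113.9:9000
04/05-19:07:45.003120  [**] [1:9999999:1] POLICY-OTHER possible Kraken-like P2P beacon (placeholder) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.20.30.41:51234 -> 198.51.100.77:9000
04/05-20:31:02.998001  [**] [1:9999999:1] POLICY-OTHER possible Kraken-like P2P beacon (placeholder) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.20.30.41:51234 -> 192.0.2.15:9000
04/05-02:14:09.555000  [**] [1:9999999:1] POLICY-OTHER possible Kraken-like P2P beacon (placeholder) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.20.30.88:40001 -> 203.0.113.9:9000
04/05-03:40:51.000000  [**] [1:9999999:1] POLICY-OTHER possible Kraken-like P2P beacon (placeholder) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.20.30.88:40001 -> 198.51.100.77:9000
"""

# One fast-format line: timestamp, [gid:sid:rev], message, ..., {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<mon>\d{2})/(?P<day>\d{2})-(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line, year):
    """Parse one fast-format alert line; returns None for lines that do not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['mon']}/{m['day']} {m['time']}", "%Y/%m/%d %H:%M:%S.%f")
    return {"ts": ts, "sid": int(m["sid"]), "msg": m["msg"], "proto": m["proto"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def parse_alerts(text, year):
    """Parse every alert line in a block of fast-format output, skipping anything else."""
    return [rec for rec in (parse_alert(l, year) for l in text.splitlines()) if rec]


def correlate(alerts, host, window_start, window_end, slack=timedelta(minutes=15)):
    """Split one host's alerts into inside/outside a reported activity window.

    `slack` widens the window on both sides because the user's memory of when
    they started and stopped the program is approximate.
    """
    lo, hi = window_start - slack, window_end + slack
    mine = [a for a in alerts if a["src"] == host]
    inside = [a for a in mine if lo <= a["ts"] <= hi]
    outside = [a for a in mine if not (lo <= a["ts"] <= hi)]
    if not mine:
        verdict = "no alerts for host"
    elif not outside:
        verdict = "all alerts fall inside the reported window"
    else:
        verdict = "alerts outside the reported window: keep digging"
    return {"host": host, "total": len(mine), "inside": len(inside), "outside": len(outside),
            "outside_times": [a["ts"].isoformat() for a in outside], "verdict": verdict}


def run_example():
    """Constructed scenario: user says the viewer ran 19:00-21:00 on the (assumed) date."""
    alerts = parse_alerts(SAMPLE_ALERTS, 2008)  # year is an assumption; the format omits it
    start = datetime(2008, 4, 5, 19, 0)
    end = datetime(2008, 4, 5, 21, 0)
    return {h: correlate(alerts, h, start, end) for h in ("10.20.30.41", "10.20.30.88")}


if __name__ == "__main__":
    for host, result in run_example().items():
        print(host, result["inside"], "inside /", result["outside"], "outside:", result["verdict"])
```

Run against real output by replacing SAMPLE_ALERTS with the contents of your alert file and the window with what the user told you; the point of the slack parameter is that “I started it around seven” should not be read as 19:00:00 sharp.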