Case Study: A bank's money transfer system compromised
The Group-IB Company was approached by a bank whose management suspected that the bank's money transfer system had been compromised. The forensics and data recovery laboratory examined the hard drive image of the computer on which the money transfer system's client had been installed and used, as well as the access log of the firewall in the bank's LAN. By recovering deleted data and analyzing the system logs and access logs, the investigators established that the computer in question had been accessed remotely. To find additional evidence, the lab examined the browser logs and the user profiles registered under Documents and Settings, but no suspicious activity was discovered there.
In a further attempt to solve the problem, the lab staff used Belkasoft Evidence Center to scrutinize the hard drive image. The software revealed that the criminals had been working under the SYSTEM profile, which was very smart of them: this profile lives in the directory WINDOWS\system32\config\systemprofile, outside Documents and Settings, so it is not examined alongside ordinary user profiles. With the help of Belkasoft Evidence Center it became clear that the directory structure of this profile was not typical of a system profile. The software also allowed the investigators to retrieve the Internet Explorer history with the URLs of websites visited by the criminals, including the URL of the FTP server from which they had downloaded the software used to access the computer remotely and compromise the money transfer system.
Thus, the lab reconstructed the chronology of the crime and identified the criminal's IP address and the IP address of the server from which the malicious software had been downloaded. Belkasoft Evidence Center ensured the success of the investigation by scanning the entire hard drive and finding the disguised system profile. Such profiles are hardly ever used by criminals, so forensic investigators tend to overlook them.
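The check described above, as an added triage script that is not part of the case study or of Belkasoft's software: given a mounted image, it looks inside the SYSTEM service profile for directories that only an interactively used profile should have, and pulls visited URLs out of any Internet Explorer index.dat it finds. The marker paths, the "pristine SYSTEM profile has no browsing history" baseline, and the sample index.dat record are constructed assumptions.

```python
"""Triage: does a Windows SYSTEM service profile look like someone browsed from it?"""
import os
import re
import tempfile

# Subdirectories that indicate interactive use of a profile. Assumption: a
# pristine systemprofile carries no visited-URL history or desktop content.
INTERACTIVE_MARKERS = (
    os.path.join("Local Settings", "History"),
    os.path.join("Local Settings", "Temporary Internet Files"),
    "Cookies",
    "Recent",
    "Desktop",
)

# IE history index.dat records embed plain-text "Visited: user@URL" strings.
VISITED_RE = re.compile(rb"Visited: [^@\x00]+@((?:https?|ftp)://[^\x00\s]+)")


def profile_findings(profile_root):
    """Return (markers present, visited URLs) for the profile directory."""
    present = [m for m in INTERACTIVE_MARKERS
               if os.path.isdir(os.path.join(profile_root, m))]
    urls = []
    for dirpath, _, files in os.walk(profile_root):
        for name in files:
            if name.lower() != "index.dat":
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                urls.extend(u.decode("latin-1") for u in VISITED_RE.findall(fh.read()))
    return present, urls


def build_sample(image_root):
    """Construct a fake systemprofile with attacker-style artifacts (sample data)."""
    profile = os.path.join(image_root, "WINDOWS", "system32", "config", "systemprofile")
    history = os.path.join(profile, "Local Settings", "History", "History.IE5")
    os.makedirs(history)
    os.makedirs(os.path.join(profile, "Desktop"))
    # Minimal stand-in for an index.dat history record (constructed, not real format).
    record = b"\x00URL \x00Visited: SYSTEM@ftp://ftp.example.invalid/tools/tool.exe\x00pad"
    with open(os.path.join(history, "index.dat"), "wb") as fh:
        fh.write(record)
    return profile


def run_demo():
    """Build the sample image in a temp dir and triage its SYSTEM profile."""
    return profile_findings(build_sample(tempfile.mkdtemp()))


if __name__ == "__main__":
    markers, visited = run_demo()
    print("interactive markers:", markers)
    print("visited URLs:", visited)
```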
Case Study: Seized laptops investigation under time constraint