Unraveling the Treasury Laptop Mystery: A Forensic Guide to Investigating a Corporate Heist

The Treasury Laptop Mystery: Using Forensics to Solve a Corporate Heist

Today, we’re diving into a truly fascinating and relevant case—a full-blown investigation from the “where did the big money go” series. We’ll examine a corporate Windows 10 laptop that became the victim of a cybercriminal attack. Or maybe, company employees simply pocketed the money and blamed “evil hackers”? Let’s find out. Onward, in search of the truth!

Incident Background

We have a Windows 10 laptop that was part of a corporate domain and used as the main work machine by an employee. It could also be taken on business trips or used at home, meaning it had VPN or other connections to the corporate perimeter.

The user did not have local admin rights by default, enforced domain security policies were in place (password policy, BitLocker encryption, built-in firewall enabled, UAC active), a well-known Russian antivirus was installed, and there were no internet restrictions. The laptop belonged to the treasurer, whose main job was preparing and executing financial payment documents (transactions in remote banking systems).

The organization discovered unauthorized payments in the remote banking system of one of its connected banks. All transactions were performed under legitimate user accounts (the CFO and chief accountant). Large sums were transferred to unknown third-party accounts in foreign banks. At the time, the organization’s security systems detected no suspicious activity (IDS/IPS, SIEM connectors, AV, and WAF were silent).

It’s assumed that attackers either hacked the laptop remotely or gained physical access, or this was an inside job involving authorized personnel. That’s what we’ll be investigating today.

WARNING: Always clearly understand what action you’re taking and why. Incorrect use of the programs mentioned in this article can lead to loss of information (artifacts) or distortion of forensic evidence. Neither the author nor the editors are responsible for any damage caused by improper use of these materials.

Hypotheses

Let’s start untangling this web. All we have at the outset is the information above and the laptop itself, which was immediately seized after the fraud was discovered. There are basically two hypotheses: either it’s an inside job staged to look like an external hack, or it’s unauthorized hacker access to the laptop. In the first case, we’ll focus on finding artifacts or mistakes pointing to an employee. In the second, we’ll look for evidence of remote hacking (disabling security, use of exploits, malware, etc.).

The laptop had decent baseline security, suggesting the attackers were skilled. However, since the laptop could be used outside the office and domain, corporate protections might not always be active. This introduces risks of physical access and the possibility of dumping all data from the hard drive (including saved passwords, registry keys, etc.), reinstalling the OS, and wiping traces of the crime.

Vulnerabilities and Attack Scenarios

Before we get into forensic procedures, here are some useful resources to help you brainstorm possible attack scenarios:

Setting Up the Forensics Lab

All artifact discovery and extraction operations can be divided into two main types: working with volatile memory (RAM processes, network connections, etc.) and non-volatile memory (HDDs, removable media, hidden/deleted files, alternate NTFS streams, installed software, patched system libraries, etc.).

We’ll use two or three of the most popular tools for most forensic procedures. Many are open source or free, while others are proprietary and require payment.

Windows 10 Forensics: Key Differences

Since Windows Vista, many technical aspects (registry, event logs, etc.) have changed. Guides for Windows XP often don’t work for later versions, especially Windows 10, which receives constant updates.

Compared to previous versions, Windows 10 offers additional data sources for forensic experts:

  • Edge Browser – replaced IE
  • Cortana – Microsoft’s voice engine and HMI
  • OneDrive – cloud storage, often used for backups and as app storage for Android devices
  • Native Applications (Skype, Photo App, Webcam App) – pre-installed after system setup
  • Notification – system tray notifications, often revealing info about running programs, AV, firewall status, etc.
  • Prefetch files – cached files for quick launch, useful for gathering extra info

Microsoft has also published a checklist of key artifacts and their sources, known as Windows Jump Lists for Windows 7 and Windows 10.

General Forensic Checklist

To search for and collect forensic evidence, check the following on your system:

  • RAM (system/user processes, injected DLLs, rogue services, running malware)
  • Hard drive (deleted partitions, disk areas, erased files, shadow copies, Recycle Bin remnants, LNK shortcuts, notifications, installed software, downloads, etc.)
  • Network stack (active connections, open ports, unknown services, suspicious traffic)
  • System registry (installed/removed software, temp shortcuts, file associations, etc.)
  • System logs (logons, privilege escalation, directory access, group policy changes, account creation/deletion, crashes, reboots)
  • Pagefile and hibernation files (often contain preserved data)
  • Application data (Skype, OneDrive, Xbox), email, browsers (history, bookmarks, downloads, possibly passwords)

Imaging the Compromised HDD

First, always create a full image of the laptop’s hard drive. This prevents accidental damage or loss of artifacts, serves as a reference for the system’s state at the time of seizure, and allows for deep analysis without needing the physical device. We’ll use FTK Imager for this task.

You can download FTK Imager from the official site or find it in specialized distributions like DEFT or CAINE. For more info, see the SANS document Forensic Images: For Your Viewing Pleasure or a step-by-step guide with pictures (in Russian).

CLI Method

  1. Remove the HDD from the laptop and connect it to your forensic workstation.
  2. Run FTK Imager in console mode:
E:\>ftkimager.exe \\.\PhysicalDrive0 e:\IMAGE_FORENSIC\filename --e01 --frag 2G --compress 9 --verify

If successful, you’ll see a confirmation at the end.

GUI Method

  1. Open FTK Imager and go to File → Create disk image.
  2. Select “Physical Drive” as the source.
  3. Choose the system disk if there are multiple drives.
  4. Check “Verify images after creation.”
  5. For compatibility, select the default E01 format.

Live CD Method (Most Secure)

    1. Boot the laptop from a CAINE Linux Live USB.
    2. Connect an external HDD and mount it:
root@caine:~# mkdir /mnt/target
root@caine:~# mount /dev/sdb1 /mnt/target
    3. Create an MD5 hash of the laptop’s HDD:
root@caine:~# md5sum /dev/sda > /mnt/target/HDD_Img_Forensic.md5
    4. Dump the disk image:
root@caine:~# dd if=/dev/sda of=/mnt/target/HDD_Img_Forensic.img conv=sync,noerror bs=8k
    5. Verify the image:
root@caine:~# md5sum /mnt/target/HDD_Img_Forensic.img > /mnt/target/HDD_Img_Forensic.img.md5
root@caine:~# cat /mnt/target/*.md5
    6. Unmount before shutting down:
root@caine:~# umount /mnt/target/
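The Live CD procedure above hashes the source disk, copies it with `dd conv=sync,noerror bs=8k`, and then hashes the image. Two details decide whether those two hashes can match: `noerror` keeps going past an unreadable block, and `sync` pads every short read (including the final partial block) with zeros, so if the disk size is not a multiple of the block size the image is slightly longer than the source and its full-file hash will differ even though the copy is good. The Python below is an added example, not code from the article; it reproduces those two dd semantics on constructed files so the effect can be seen offline (the 19972-byte "disk", the simulated read failure and all file names are constructed for the demo):

```python
import hashlib
import os
import tempfile

BLOCK = 8 * 1024  # same block size as the dd command above (bs=8k)


def _size(f):
    """Size of a file or block device: seek to the end, since st_size is 0 for devices."""
    pos = f.tell()
    f.seek(0, os.SEEK_END)
    end = f.tell()
    f.seek(pos)
    return end


def hash_prefix(path, length, algo="md5", block=BLOCK):
    """Hash the first `length` bytes of `path` (the whole file when length is None).
    MD5 is what the procedure above uses; pass algo="sha256" for a stronger digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        remaining = _size(f) if length is None else length
        while remaining > 0:
            chunk = f.read(min(block, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def image_device(src, dst, block=BLOCK, read_block=None):
    """Block-by-block copy with dd's conv=sync,noerror semantics:
    a block that cannot be read is replaced by zeros (noerror) and every
    block, including the last partial one, is padded to `block` bytes (sync)
    so file-system offsets in the image stay aligned with the source.
    `read_block(f, idx, size)` is only injectable so the demo can simulate a bad sector."""
    reader = read_block or (lambda f, idx, size: f.read(size))
    stats = {"blocks": 0, "bad_blocks": 0, "bytes": 0, "src_size": 0}
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        total = _size(fin)
        stats["src_size"] = total
        for idx in range(-(-total // block)):  # ceil(total / block)
            fin.seek(idx * block)
            try:
                data = reader(fin, idx, block)
            except OSError:
                data = b""  # noerror: count it and keep going
                stats["bad_blocks"] += 1
            data = data.ljust(block, b"\0")  # sync: pad short or unreadable reads
            fout.write(data)
            stats["blocks"] += 1
            stats["bytes"] += len(data)
    return stats


def demo():
    """Constructed 19972-byte 'disk' (not a multiple of 8 KiB), imaged twice:
    once cleanly, once with a simulated unreadable block."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "sda.bin")
        payload = bytes(range(256)) * 78 + b"TAIL"  # 19972 bytes, constructed
        with open(src, "wb") as f:
            f.write(payload)
        src_md5 = hash_prefix(src, None)

        img = os.path.join(d, "HDD_Img_Forensic.img")
        stats = image_device(src, img)

        def flaky(f, idx, size):  # block 1 of the source is 'unreadable'
            if idx == 1:
                raise OSError("simulated unreadable sector")
            return f.read(size)

        img2 = os.path.join(d, "flaky.img")
        stats2 = image_device(src, img2, read_block=flaky)
        with open(img2, "rb") as f:
            f.seek(BLOCK)
            block1 = f.read(BLOCK)

        return {
            "src_size": stats["src_size"],
            "image_size": stats["bytes"],
            "whole_image_hash_matches": hash_prefix(img, None) == src_md5,
            "prefix_hash_matches": hash_prefix(img, stats["src_size"]) == src_md5,
            "bad_blocks": stats2["bad_blocks"],
            "bad_block_zeroed": block1 == b"\0" * BLOCK,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The clean run shows the verification caveat: the 19972-byte source becomes a 24576-byte image, the hash of the whole image does not match the source, but the hash of the image's first 19972 bytes does. When the hashes from step 5 disagree, compare the source size with the image size before assuming a bad copy, or choose a `bs` that divides the device size (512 always does, at the cost of speed). The second run shows why `noerror` must be paired with a bad-block count in the notes: the zeroed block is silent in the image itself.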

Dumping the Laptop’s RAM

After imaging the HDD, dump the RAM, as it may contain crucial artifacts, especially for infection or unauthorized software traces. Use DumpIt from the Comae Memory Toolkit or Belkasoft RAM Capturer. The resulting .mem images can be parsed with Volatility, Rekall, or Belkasoft Evidence Center.

Artifact Discovery

Start by gathering user profile info with ForensicUserInfo, which extracts system info like RID, account expiration, password changes, LM/NT hashes, login counts, failed attempts, groups, and profile paths.

To list user and system processes, use the built-in tasklist utility:

  • c:\>tasklist — lists all processes
  • c:\>tasklist /svc — shows which services are hosted inside each process (useful for the many svchost.exe instances)
  • c:\>tasklist > c:\processes_list.txt — saves process info to a text file

Alternatively, use third-party task managers like AnVir Task Manager or Process Explorer.

Forensic Tools: Sleuth Kit

Use Sleuth Kit utilities for deeper analysis:

  • mmstat — info about the volume system (partition table) type of an image
  • mmls — partition layout of an image, including unallocated gaps between partitions
  • fsstat — file system info, including serial number, ID, cluster size, offset
  • fls — list allocated and deleted files
  • mactime — create a timeline of file system activity from an fls body file

For example, to view unallocated disk areas:

mmls -t dos X:\RAM_Img_Forensic.E01

To view deleted files and segments:

fls -o 1435648 X:\RAM_Img_Forensic.E01

To create a timeline:

fls -r -m "/" -o 1435648 X:\RAM_Img_Forensic.E01 > bodyfile.txt
mactime.pl -b bodyfile.txt -d > timeline.csv
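The two commands above produce a body file and turn it into a timeline, and it helps to know what `mactime` actually does with the `fls -m` output: each body-file line carries four timestamps (atime, mtime, ctime, crtime) per file, and mactime emits one sorted row per distinct timestamp with a `macb` column showing which of the four coincide. The following Python is an added example, not part of the article or of The Sleuth Kit; it parses the TSK 3.x body format, builds the same kind of timeline, and windows it around a time of interest. The three body-file lines (a user hive, a deleted download and a Prefetch entry with a placeholder hash in its name) and all timestamps are constructed:

```python
import csv
import io
from datetime import datetime, timezone

# Constructed body file in the TSK 3.x format written by `fls -m`:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODYFILE = """\
0|/Users/treasurer/NTUSER.DAT|1234-128-1|r/rrwxrwxrwx|0|0|1048576|1700000000|1700003600|1700003600|1600000000
0|/Users/treasurer/Downloads/invoice.exe (deleted)|5678-128-1|r/rrwxrwxrwx|0|0|204800|1700003700|1700003650|1700003650|1700003650
0|/Windows/Prefetch/INVOICE.EXE-XXXXXXXX.pf|9012-128-1|r/rrwxrwxrwx|0|0|16384|1700003800|1700003800|1700003800|1700003800
"""


def parse_bodyfile(text):
    """Parse body-file lines into dicts; `fls -m` appends ' (deleted)' to unallocated names."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 11:
            raise ValueError(f"line {lineno}: expected 11 fields, got {len(parts)}")
        md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = parts
        rows.append({
            "name": name, "inode": inode, "mode": mode,
            "uid": int(uid), "gid": int(gid), "size": int(size),
            "deleted": name.endswith("(deleted)"),
            # mactime's column order: m(odified) a(ccessed) c(hanged) b(irth)
            "times": {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)},
        })
    return rows


def build_timeline(rows):
    """One event per (timestamp, file); the macb string marks which timestamps coincide."""
    events = {}
    for r in rows:
        for flag, ts in r["times"].items():
            if ts <= 0:  # 0 means 'timestamp unknown' in the body format
                continue
            events.setdefault((ts, r["name"]), {"row": r, "flags": set()})["flags"].add(flag)
    timeline = []
    for (ts, name), ev in sorted(events.items()):
        r = ev["row"]
        timeline.append({
            "epoch": ts,
            "date": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S"),
            "macb": "".join(f if f in ev["flags"] else "." for f in "macb"),
            "size": r["size"], "mode": r["mode"], "uid": r["uid"], "gid": r["gid"],
            "meta": r["inode"], "name": name, "deleted": r["deleted"],
        })
    return timeline


def events_between(timeline, start, end):
    """Window the timeline around the time of the disputed payments (epoch seconds)."""
    return [e for e in timeline if start <= e["epoch"] <= end]


def to_csv(timeline):
    """Same columns as `mactime -d` output."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name"])
    for e in timeline:
        w.writerow([e["date"], e["size"], e["macb"], e["mode"], e["uid"], e["gid"], e["meta"], e["name"]])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_timeline(parse_bodyfile(SAMPLE_BODYFILE))))
```

Reading the `macb` column is the point of the exercise: a row showing `m.cb` with a later `.a..` row for the same file is a file that was created and then read, while a Prefetch entry whose `macb` row lands shortly after a deleted executable's creation is exactly the kind of coincidence to pull from a timeline covering the hours around the unauthorized transfers.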

For a user-friendly interface, use Autopsy from Sleuth Kit to search for deleted and allocated files. Also, try NirSoft ShadowCopyView to look for remnants in Windows shadow copies.

Registry Analysis

Analyze the system registry with tools like Magnet AXIOM, RegRipper, and Registry Explorer. Key registry locations include:

  • NTUSER.DAT\SOFTWARE\Microsoft\UserData\UninstallTimes — uninstalled software
  • NTUSER.DAT\SOFTWARE\Microsoft\InternetExplorer\TypedURLs — saved URLs (IE)
  • NTUSER.DAT\Software\Microsoft\Internet Explorer\IntelliForms — saved passwords (IE)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU — most recently used files
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist — unique IDs for OS objects and apps
  • HKEY_LOCAL_MACHINE\System\ControlSet00x\Enum\USBSTOR — all USB devices ever connected
  • HKEY_LOCAL_MACHINE\Software\microsoft\WZCSVC\Parameters\Interface — Wi-Fi SSIDs ever connected

For more, see Forensic Analysis Of The Windows Registry.
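One of the keys listed above, USBSTOR, is worth a closer look because it answers the physical-access hypothesis directly: every USB mass-storage device ever plugged in leaves a subkey named from its vendor, product and revision, with an instance subkey holding the device serial. The Python below is an added example, not code from the article or from any of the tools it names; it parses a `.reg` text export of that key (what `reg export` or Regedit produces, which you can take from the mounted image or a live system) and pulls out the device list. The export fragment, vendor names and serials are constructed; a real Regedit export is UTF-16LE with a byte-order mark and must be decoded first:

```python
import re

# Constructed fragment of a `reg export HKLM\SYSTEM\ControlSet001\Enum\USBSTOR` file.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0C1A2B3C4D5E6F70&0]
"FriendlyName"="Kingston DataTraveler 3.0 USB Device"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Card_Reader&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Card_Reader&Rev_1.00\7&2f3a1b9c&0]
"FriendlyName"="Generic Card Reader USB Device"
"Service"="disk"
"""

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"\s*$')
USBSTOR_RE = re.compile(r"\\Enum\\USBSTOR\\(?P<device>[^\\]+)\\(?P<instance>[^\\]+)$", re.I)


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for the REG_SZ values in a .reg export
    (string values are all USBSTOR needs; hex(...) blobs are ignored here)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("path")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("value").replace("\\\\", "\\")
    return keys


def usb_devices(keys):
    """Extract one record per USBSTOR instance key (device class, vendor, product, serial)."""
    devices = []
    for path, values in keys.items():
        m = USBSTOR_RE.search(path)
        if not m:
            continue
        fields = dict(part.split("_", 1) for part in m.group("device").split("&") if "_" in part)
        serial = m.group("instance").rsplit("&", 1)[0]  # drop the trailing '&0' suffix
        devices.append({
            "class": m.group("device").split("&")[0],
            "vendor": fields.get("Ven", ""),
            "product": fields.get("Prod", ""),
            "revision": fields.get("Rev", ""),
            "serial": serial,
            # A '&' as the second character means Windows generated the instance ID
            # because the device reported no unique serial, so it cannot be matched to
            # one specific stick by this value alone.
            "unique_serial": len(serial) > 1 and serial[1] != "&",
            "friendly_name": values.get("FriendlyName", ""),
        })
    return devices


if __name__ == "__main__":
    for dev in usb_devices(parse_reg_export(SAMPLE_REG)):
        print(dev)
```

The text export carries the device identity but not when it was attached: first- and last-connection times come from the instance key's LastWrite timestamp in the SYSTEM hive and from setupapi.dev.log, which is what RegRipper and Registry Explorer read from the hive file itself, so run them against the image for the time dimension and use a parse like this one for the inventory.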

Network Stack

To quickly view network connections, use the netstat command:

netstat -a

Key statuses:

  • CLOSED — connection closed
  • LISTEN (LISTENING) — waiting for incoming connections
  • ESTABLISHED — connection established

Additional options:

# List TCP connections (Linux net-tools netstat syntax)
netstat -at
# List UDP connections
netstat -au
# Show addresses and ports numerically instead of resolving names
netstat -n

For a graphical view, use TCPView. For advanced analysis, try NetworkMiner, which can extract files from FTP, TFTP, HTTP, POP3, IMAP, extract X.509 certificates from SSL sessions, decapsulate GRE, 802.1Q, PPPoE, VXLAN, determine geolocation by IP, and export results in various formats.
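On the Windows laptop itself the state-based view above is most useful when the PID column is included (`netstat -ano`), because it links each socket to the process list from `tasklist /svc` and to the RAM image. The Python below is an added example, not code from the article; it parses constructed `netstat -ano` output, separates internal peers from external ones, flags listeners outside a baseline and established sessions to external hosts on unusual ports, and reports the PIDs that do both. The expected-listener set is a constructed baseline (in practice derive it from a known-good machine of the same build), and the external addresses use the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges as stand-ins for Internet hosts, which is why the code keeps its own internal-network list rather than relying on `ipaddress.is_global` (which treats those documentation ranges as non-global):

```python
import ipaddress

# Constructed `netstat -ano` output (Windows format, PID column included).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       3180
  TCP    10.0.0.5:49812         203.0.113.45:443       ESTABLISHED     2244
  TCP    10.0.0.5:49990         198.51.100.7:4444      ESTABLISHED     3180
  TCP    10.0.0.5:50011         10.0.0.20:445          ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5355           *:*                                    1532
"""

# Constructed baseline of ports this build is expected to listen on.
EXPECTED_LISTENERS = {135, 139, 445}
COMMON_OUTBOUND_PORTS = {53, 80, 443}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def split_endpoint(ep):
    """'10.0.0.5:49812' -> ('10.0.0.5', 49812); '[::]:135' -> ('::', 135); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def is_internal(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # '*' or a hostname
        return True
    return any(ip in net for net in INTERNAL_NETS)


def parse_netstat(text):
    """Parse TCP (5 columns) and UDP (4 columns, no state) rows of `netstat -ano`."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        need = 5 if parts[0] == "TCP" else 4
        if len(parts) < need:
            continue
        proto, local, foreign = parts[:3]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        lh, lp = split_endpoint(local)
        fh, fp = split_endpoint(foreign)
        conns.append({"proto": proto, "local_ip": lh, "local_port": lp,
                      "foreign_ip": fh, "foreign_port": fp, "state": state, "pid": int(pid)})
    return conns


def triage(conns):
    """Return (kind, connection) findings for the analyst to review."""
    findings = []
    for c in conns:
        if c["proto"] == "TCP" and c["state"] == "LISTENING" and c["local_port"] not in EXPECTED_LISTENERS:
            findings.append(("unexpected_listener", c))
        if c["state"] == "ESTABLISHED" and not is_internal(c["foreign_ip"]):
            kind = ("external_peer_common_port" if c["foreign_port"] in COMMON_OUTBOUND_PORTS
                    else "external_peer_odd_port")
            findings.append((kind, c))
    return findings


def pids_of_interest(findings):
    """PIDs that both listen on an unexpected port and talk to an external host:
    resolve these with `tasklist /svc` and in the RAM image before drawing conclusions."""
    listeners = {c["pid"] for k, c in findings if k == "unexpected_listener"}
    talkers = {c["pid"] for k, c in findings if k.startswith("external_peer")}
    return listeners & talkers


if __name__ == "__main__":
    found = triage(parse_netstat(SAMPLE_NETSTAT))
    for kind, c in found:
        print(f"{kind:28} pid={c['pid']:<6} {c['local_ip']}:{c['local_port']} -> {c['foreign_ip']}:{c['foreign_port']}")
    print("PIDs of interest:", pids_of_interest(found))
```

An established session to an external host on port 443 is unremarkable on its own, which is why the example separates it from the odd-port case and then correlates by PID: a single process that both listens on a port outside the baseline and holds an outbound session is the thing to carry into the process and memory analysis, not any one line of netstat output.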

To be continued…
