Medical Records Breach: Part 1

Most job descriptions list demonstrated written communication skills under the requirements section.

Students in cyber degree programs with little or no relevant work experience often only need examples to help guide their research for assignments.

Paying it forward by publishing this research paper meets both of the objectives above.

Breach Scenario Case Study:

A Fortune 500 health care company received complaints from users about their systems acting cray cray after opening an email attachment from HR.

Cray cray was not a typo 🙂

An initial incident analysis uncovered some inconsistencies in the Snort IDS logs, so a digital forensics firm was hired to analyze the network, DB server, and impacted workstations for evidence.

The database server is a Microsoft Windows 2003 Server running Microsoft SQL Server 2008. They also use Linux and Windows XP in their environment.

This is part 1 of a 2 part series describing how I would approach a breach investigation per the given scenario.

Part 1: The Plan for Identifying Potential Digital Evidence

As a matter of planning after being contracted to investigate a potential breach of their medical records system, Brager Security, hereinafter referred to as BragerSec, has established a work plan that incorporates requirements set forth by the Federal Rules of Evidence.

Plan Overview

  • Get supervisor’s approval that evidence was collected properly
  • Document time, date, location of evidence collection
  • Secure the workstation and server evidence
  • Validate image integrity by generating hash
  • Review Federal Rules of Procedure for due diligence
  • Review organizational procedures
  • Start a chain of custody form
  • Start Log of Forensic Analysis
  • List potential sources of data, including volatile/non-volatile data
  • Prepare for Testimony
  • Outline ethical considerations

The following section will go into more detail using four principal phases of the investigative process in support of evidence gathering for potential litigation:

  • Identification
  • Preparation
  • Acquisition
  • Preservation

Evidence Identification

For each asset associated with, or impacted by, the breach, BragerSec will identify hardware configurations, model numbers, and serial numbers, and properly catalog them as potential evidence, with coded tags, in an appendix to the work plan.

Additionally, photographs will be taken of the cataloged items and appended as part of the work plan.

For any computing assets, operating system versions, applications software, and relevant log source locations will be gathered and added to the work plan documentation.

An identification of potential data locations not connected with log data that may be of interest for this case will be documented as well.


Search Preparation

Evidentiary acquisition preparation will begin with understanding the appropriate skill set(s) needed to extract digital evidence from the impacted assets, and ensuring that the investigator has the appropriate background to perform the extractions needed.

The forensic investigator will interview the DB, email, and network administrators to determine what each of them recollects about the chain of events leading up to the receipt and subsequent opening of the suspicious email.

Anomalous event data that can help re-create that chain of events will be of interest too.

Additionally, the forensic investigator will discuss the inconsistencies observed with the IDS with the network administrator to determine whether data evidence extracted from that source will yield usable data.

BragerSec will acquire the necessary software and hardware tools required for repeatable acquisition of evidence from the impacted assets. The team will also use secure, anti-static evidence bags to collect any extracted digital evidence for preservation.

Evidence Acquisition

Once the relevant interviews and preliminary fact finding have concluded, BragerSec will proceed with acquiring digital assets from all impacted systems, including, but not necessarily limited to:

  1. Forensic, sector level copies of hard disk images where feasible (RAID or striped-set type disks will be beyond the scope of this acquisition, unless a form of logical volume management is being used to logically represent the volume)
  2. Extraction of system and network log files, memory, browser histories, pagefiles and other artifacts that may have relevant data to this case
  3. Email system logs and extracted mail messages (including full headers)

The team will collect these artifacts and properly catalog and label them for further processing.

Evidence Preservation

BragerSec, in support of potential legal proceedings or prosecutorial needs, will provide a complete and aligned work plan that documents repeatable processes for identifying, acquiring and preserving any digital evidence found during this investigation.

The team will take detailed notes of any deviations or special circumstances encountered while acquiring aforementioned digital evidence.

The forensics analysts will create and maintain chain of custody documentation for any digital evidence collected, stored in tamper-resistant anti-static bags, with the cataloged date and time of evidence acquisition.

Finally, all personnel will have another member of the forensics team walk through the work plan to ensure that following the details in the work plan reveals the same evidence set as the prior acquisition.

The storage and preservation of digital evidence collected in this case is of principal concern to BragerSec, and as such the team will use anti-static, tamper-resistant evidence bags and standard chain of custody documentation that requires the signatures of both the examiner/investigator and the custodian.

Any subsequent need to access the digital evidence once preserved will need to re-establish chain of custody with both signatures from the investigator and custodian.

Steps that will be taken to process DB admin’s computer, including drive imaging:

A Forensic Analysis Log will be used to document each step to ensure the process complies with the requirements set forth for admissibility in the Federal Rules of Evidence. Additional caution will be taken since there is suspicion of malware on the machine.

Note that I used tables instead of a numbered list or bullet points because professors like to see tables and it makes it easier to think through all the necessary steps with a visual.

Bosses also like tables too, so this is a good habit to develop.

Some of the columns in the tables are not visible on mobile devices, so I recommend viewing on a regular screen.

DBA Workstation Forensic Analysis Log

Tracking No. | Date/Time | Action | Comments
--- | --- | --- | ---
1 | TBD | Obtain drive image of database administrator's computer tower hard drive | Document whether in powered on or off state
2 | TBD | Initiate OpenVPN session | Use secure authentication to virtual machine that contains Autopsy digital forensics platform
3 | TBD | Authenticate to secure center hosting virtual machine |
4 | TBD | Authenticate to external IP address provided using secure session within VNC viewer | Facilitates access to local drive, file retrieval, and Autopsy digital forensics application on Helix
5 | TBD | Open Applications/Forensics & IR/Root terminal | Password TBD
6 | TBD | Run command mount -t ntfs3g -o rw \c:\windows\system32, hit enter; repeat command, hit enter | This will mount drive icons on the desktop
7 | TBD | Run command ls -lah \c:\windows\system32 | This will create evidence file
8 | TBD | Run command cd c:\windows\system32, hit enter; then run command mkdir -p \c:\windows\system32 \evidence\autopsy, hit enter | This will populate drive info
9 | TBD | Run command autopsy, hit enter | This will reveal http://localhost:9999/autopsy
10 | TBD | Open Firefox web browser application and browse to http://localhost:9999/autopsy | This will open Autopsy Forensic Browser 2.20
11 | TBD | Click Open Case | This will open a new case
12 | TBD | Enter case details: Case name: HCC_DBA_Computer; Description: Keirsten Brager; Investigator Names: Keirsten Brager | New case identification details
13 | TBD | Click Add Host, then enter hostname and description details. Then click Add Host | This will add the new host to the case
14 | TBD | Click Add Image File, then enter Location, Type, and Import Method. Click Next | This will add the new image to the host
15 | TBD | On Image File Details page, calculate hash value for image, designate Mount Point, and choose File System Type. Click Add, then OK after hash calculation process finishes | Record MD5 hash value here
16 | TBD | Select drive, Analyze, File Analysis tab, and Add Notes | It is important to keep notes throughout the process to capture noteworthy details
17 | TBD | Click Generate MD5 List of Files | Record all MD5 hashes for report
18 | TBD | Review results in File Type, Image Details, MetaData, and Data Units tabs |
19 | TBD | Analyze contents of pagefile |
20 | TBD | Analyze registry |
21 | TBD | Analyze user files |
22 | TBD | Analyze $LogFile |
23 | TBD | Document remaining items of interest in Notes |
24 | TBD | Power device off | End of investigation
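The plan's "Validate image integrity by generating hash" and "Start Log of Forensic Analysis" items, together with rows 15 and 17 of the table above, can be supported by a small script. The following is an added Python example, not code from the original post or from the Autopsy/Helix tooling it describes; the image file name and its sample bytes are constructed stand-ins, and the log keeps the same four columns as the table.

```python
import datetime
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for the DBA drive image (hypothetical name and contents).
IMAGE_PATH = Path(tempfile.gettempdir()) / "hcc_dba_computer.dd"
IMAGE_PATH.write_bytes(b"\x00" * 512 + b"constructed sample sector data " * 32)
CHUNK = 1024 * 1024

def hash_image(path):
    """MD5 and SHA-256 of an image, read in chunks so multi-GB images fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()

class ForensicLog:
    """Forensic Analysis Log with the same columns as the table above."""
    def __init__(self):
        self.entries = []  # (Tracking No., Date/Time, Action, Comments)

    def record(self, action, comments=""):
        stamp = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
        self.entries.append((len(self.entries) + 1, stamp, action, comments))
        return self.entries[-1]

    def acquire(self, path):
        """Row 15 equivalent: hash the image once at acquisition and record the values."""
        md5, sha256 = hash_image(path)
        self.record("Calculate hash of %s" % path.name, "MD5 %s SHA-256 %s" % (md5, sha256))
        return md5, sha256

    def verify(self, path, expected_md5, expected_sha256):
        """Re-hash before each analysis session; a mismatch is logged as a deviation."""
        ok = hash_image(path) == (expected_md5, expected_sha256)
        self.record("Re-verify hash of %s" % path.name,
                    "MATCH" if ok else "DEVIATION: hash mismatch, image altered since acquisition")
        return ok

    def render(self):
        rows = ["Tracking No. | Date/Time | Action | Comments"]
        rows += ["%d | %s | %s | %s" % e for e in self.entries]
        return "\n".join(rows)
```

Re-running `verify` at the start of every session gives the log a dated record that the working copy still matches the acquisition hash, which is what the chain of custody signatures attest to.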


Potential DBA Workstation Evidence

As part of the acquisition and analysis process, BragerSec will perform the following acquisition tasks against the indicated assets, depicted in the following table:

Acquisition Table

Type of Acquisition | Windows XP/Windows Server | SQL Server | Email Server | Network IDS/IPS
--- | --- | --- | --- | ---
Active Memory | x | x | |
System Page File | x | x | |
System Registry | x | x | |
Evaluation of System Files (c:\windows\system and c:\windows\system32) | x | x | |
Enumerate and extract Listening Ports for Evidence of Data Exfiltration | x | x | |
Extract Antivirus Logs and Verify Function | x | | |
Extract Browser Logs and Browser History | x | | |
Extract application, system, and security logs | x | x | |
Extract any netflow data | | | | x
Extract IDS logs (once verified) | | | | x
Extract Firewall Logs | | | | x
Extract email headers associated with impacted email | | | x |
Extract PDF attachment | | | x |
Extract database transaction log | | x | |
Extraction of /var/log/messages | | | | x
Extraction of /var/log/snort | | | | x

BragerSec will extract the active memory of the Windows XP workstation and of the Windows Server (which houses the SQL Server) to look for evidence of infection and continued compromise by malware, including malware that persists as services or processes in memory.


Additionally, antivirus logs will be extracted and analyzed to determine whether the malware damaged or otherwise rendered the antivirus software inoperable, and further, whether the system detected the existence of the malware but had no signature to remediate the infection.

Extractions of the system registry, system file areas, browser logs and browser histories, listening ports, and the application, security, and system logs are indicated in this investigation and will be acquired according to standard forensic principles.

The team will acquire and analyze the database logs for the SQL Server, looking for evidence of account creation, database drops, table drops or modifications, permission modifications, or stored procedure creation.

System, security, and application logs will be further analyzed to determine whether the operating system was leveraged to obtain access to the database and facilitate a breach.

BragerSec will extract and analyze a copy of the database administrator’s mailbox, including the infected email and attachment.

Email message logs will be extracted to determine whether the database administrator was the only recipient of the infected PDF, or whether other recipients within the organization were targeted.

Full headers for all email messages will be extracted where feasible, and reversing will be performed on the infected PDF in a sandboxed environment to determine its mechanism of operation.

Other Potential Workstation Evidence

BragerSec will extract any network related data such as netflow logs that are available from switches where the impacted assets are connected, to determine the nature of communication that may have flowed through those devices during the breach. Netflow is important because internal communication data does not pass through the firewalls.

Firewall logs will also be extracted and parsed to identify the specific assets in question to determine what form of network traffic they were generating and where the traffic was destined.

BragerSec will also extract IDS/IPS logs after verification that the integrity of the logs is reliable, by evaluating the /var/log/snort and /var/log/messages logfiles to look for evidence of tampering or changes to the configuration of the IDS/IPS.
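One way to carry out that verification step before trusting the IDS data, as an added Python example that is not the author's and not part of the investigation: it builds a sensor up/down timeline from the snort entries in /var/log/messages and flags alert records that fall inside a down window or break the append-only time order. The syslog and fast-alert lines are constructed samples, the year is assumed because neither format records one, and the "exiting"/"Initializing"/"reload" keyword matching is a simplification of the daemon's actual messages.

```python
import re
from datetime import datetime
YEAR = 2014  # assumed: neither syslog nor Snort fast-alert lines carry a year
SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ snort\[\d+\]: (.*)$")
ALERT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\]")
# Constructed sample lines (not from the case): /var/log/messages and a Snort fast-alert file.
MESSAGES = """\
Jan 14 08:00:10 ids01 snort[2113]: Initializing Network Interface eth1
Jan 14 09:12:01 ids01 snort[2113]: Snort exiting
Jan 14 09:40:33 ids01 snort[2287]: Initializing Network Interface eth1
Jan 14 09:40:33 ids01 snort[2287]: Reload of configuration file""".splitlines()
ALERTS = """\
01/14-08:05:12.000000 [**] [1:1000001:1] constructed alert A [**] {TCP} 10.0.0.5:1033 -> 10.0.0.9:1433
01/14-09:50:02.000000 [**] [1:1000002:1] constructed alert B [**] {TCP} 10.0.0.5:1040 -> 10.0.0.9:445
01/14-09:30:00.000000 [**] [1:1000003:1] constructed alert C [**] {TCP} 10.0.0.5:1041 -> 10.0.0.9:445""".splitlines()
def snort_lifecycle(lines):
    # Sensor state changes (start / stop / config_change) taken from the syslog lines.
    events = []
    for m in filter(None, map(SYSLOG_RE.match, lines)):
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=YEAR)
        msg = m.group(2).lower()
        if "exiting" in msg:
            events.append((ts, "stop"))
        elif "initializing" in msg:
            events.append((ts, "start"))
        elif "reload" in msg or "configuration" in msg:
            events.append((ts, "config_change"))
    return events

def coverage_gaps(events):
    """Windows between a stop and the next start in which the sensor could not have logged alerts."""
    gaps, down_since = [], None
    for ts, kind in sorted(events):
        if kind == "stop" and down_since is None:
            down_since = ts
        elif kind == "start" and down_since is not None:
            gaps.append((down_since, ts))
            down_since = None
    return gaps

def alert_times(lines):
    return [datetime.strptime(m.group(1), "%m/%d-%H:%M:%S.%f").replace(year=YEAR)
            for m in map(ALERT_RE.match, lines) if m]

def suspicious_alerts(alerts, gaps):
    """Indexes of alerts dated inside a down window or out of order in an append-only file."""
    flagged = set()
    for i, ts in enumerate(alerts):
        if (i and ts < alerts[i - 1]) or any(lo <= ts <= hi for lo, hi in gaps):
            flagged.add(i)
    return sorted(flagged)
```

A flagged alert or a config_change event during the incident window does not by itself prove tampering, but it marks the period whose IDS data should be corroborated from netflow and firewall logs rather than relied on alone.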

This concludes part 1 of this 2 part series. Part 2 will cover DB evidence collection, expert testimony preparation, and ethical considerations.


Jobs will not come to entry level people, even with a degree and/or certs.  You have to put yourself out there.
