The Clock Is Ticking – A Forensic Investigation Case Study

Published on 29 June 2017

“Privilege Misuse is the third most prevalent cause of data breaches.” – Verizon 2017 Data Breach Investigations Report.

This post details a post-mortem investigation scenario after a third-party administrator was accused with a data theft. We also show how an advanced Privileged Access Management solution helped security analysts conduct the forensic investigation.

Incident Overview

The victim is a government contractor with a national security profile. Therefore, they monitor and record all third party access to their internal systems. Unexpectedly, they received an urgent warning that one of their third-party administrators was suspected of stealing a classified document one week prior. The incident was being investigated by law enforcement which required evidence stored in the government contractor’s IT systems. The investigation occurred in two phases.

Investigation Phase One – Proving the allegation

  1. Immediately after receiving the police request, the security analyst of the contractor starts an investigation searching for digital evidence of malicious activity in the systems.
  2. First, he reviews the logs of the corrupted file server around the specified date and time.
  3. Server logs show that the suspected admin was indeed logged in that server in question.
  4. However, as the logs don’t show the detailed activity flow of the admin on the server, the analyst continues the investigation looking for more reliable evidence.
  5. He switches to the GUI of the PAM tool and searches for the session recordings (replayable audit trails) of the suspected admin.
  6. Based on the specified date and time, the analyst quickly finds the relevant audit trail.
  7. Using the free text content search in the PAM tool, he searches for typical file moving applications opened within the Windows session (e.g. “explorer.exe”, “total commander”, “winSCP”, “cmd.exe”, etc.)
  8. The PAM tool lists one occurrence of a file moving application in the session.
  9. The analyst double checks: following the security protocol*, he starts the video-like replay of the session.
    (Note: Due to the sensitive nature of the contractor’s operations, the audit trails are digitally signed, timestamped and encrypted with multiple encryption keys. To open and replay the trails the presence of a second key is necessary which is possessed by the CISO (4-eyes principle)).
  10. The session is 2-hours long, so the analyst quickly navigates to those parts of the session where the PAM tool marks any user activity
  11. While reviewing the session of the suspected admin, the analyst identifies the unauthorized file copy operation by using the “explorer” program.

Figure 1. Replay of a Windows (RDP) session in a PAM tool

The first phase of the investigation took just 30 minutes! Without the fast search and easily accessible evidence of the PAM tool, aggregating and investigating logs would have likely taken days or weeks. The video-like audit trails clearly showed the administrator’s malicious activity. Thanks to the tamper-proof nature of the network-based PAM technology the authorities accepted the audit trail as an authentic source of evidence.

Phase Two – Adding analytics to look for other suspicious activity

The investigators still have two important questions to answer. Were the system administrator’s credentials stolen and was the document theft the only malicious activity? To answer these two questions, the company could run historical data through an analytics tool.

  1. All of the session recordings in the previous year concerning the system admin were run through the privileged account analytics engine.
  2. The analytics builds a baseline of the system admin’s behavior over the course of a year.
  3. It doesn’t show any deviation from the admin’s baseline activity in the session in question: he logged in at a usual time (i.e. in the maintenance window), from his usual machine, via usual connection and, except for “Windows Explorer”, he opened the usual applications. His behavioral biometric identifiers, such as his keystroke dynamics and mouse movement characteristics were also typical for him.
  4. The analyst draws the conclusion: during his regular maintenance work, the admin illegally accessed and transferred a classified document.
  5. No other suspicious behavior was detected by the analytics so the analyst concludes the investigation.


The second phase of the forensics answered two important remaining questions. The system admin’s credentials were not stolen and he was he at fault. Secondly, this incident is the only session that shows abnormal behavior, in the form of a file transfer so the scope of the investigation does not need to be expanded.

Using Privileged Access Management, the security team was able to quickly verify the third party administrator’s malicious activity with tamper-proof audit trails. Moreover, they were able to confirm that the administrator’s credentials had not been compromised, nor had there been any other suspicious activity.



by Gábor Marosvári

Gábor Marosvári joined Balabit in 2011. As a senior product marketing manager, he is responsible for evangelizing, market intelligence and go-to-market strategy of Balabit's Privileged Access Management portfolio.

share this article
Mitigate against privileged account risks
Get in touch

Recent Resources

The top IT Security trends to watch out for in 2018

With 2017 now done and dusted, it’s time to think ...

The key takeaways from 2017’s biggest breaches

Like many years before it, 2017 has seen a large ...

Why is IT Security winning battles, but losing the war…?

When a child goes near something hot, a parent will ...

“The [Balabit] solution’s strongest points are the privileged session management, recording and search, and applying policy filters to apps and commands typed by administrators on monitored sessions.”

– The Forrester Wave, Privileged Identity Management, Q3 2016, by Andras Cser