Use Cases for IT Forensics – Deep Investigation into Your Windows Environment

“Which files and folders can Dave in Tech Support modify?”

“HR just gave us a heads-up on these former employees. Find out which servers they had access to.”

“Check to see who changed permissions on any of the folders in Marketing in the last 24 hours.”

“Ravi says he’s lost cloud access. See what’s going on.”

Do you like responding to IT issues like these? Most IT admins don’t mind a little investigative work now and then. It keeps their skills sharp.

But checking security and compliance like that is no fun when you don’t have the right tools. And as more of these issues are rooted in the cloud, three out of four security professionals are realizing that traditional security tools don’t offer the insight they need.


Use Cases for IT Forensics – IT Security Search

Last time, I introduced IT Security Search, the intelligent looking glass into your environment. It’s a web interface that correlates IT data from disparate systems into an interactive search engine. In this post, I’ll take you through four common issues and show how you can use IT Security Search to get to the bottom of them.

IT Security Search pulls together the data from Quest platform management products – Enterprise Reporter, Change Auditor, InTrust, Recovery Manager for Active Directory and Active Roles – at no additional cost to you. It lets you run simple, text-based searches on your entire environment from a search field that looks like this:

Just like performing an ordinary web search, you drill into the search results until you can discover who has access to data, how they obtained it and how they’ve used it.

It’s a lot easier than studying log files all day and all night. Have a look at some examples.

Use case 1: Security breach

Think about currency the way a cybercrook thinks about it: in terms of personally identifiable information (PII), credit card numbers, health care data and intellectual property. Those assets live in databases and in files on shared drives, and you can best defend them by monitoring and auditing access and permissions, and by searching that audit data when something looks wrong.

In the event of a security breach you can use IT Security Search to investigate who did what in two main ways:

  • Find all occurrences of the file, folder, group or user account in your environment. Then use the links in search results to create a context for your investigation and filter out irrelevant data. In these results, four instances of files turn up after a search on “*credit*” in IT Security Search:

  • Find all occurrences of a given event, especially within a specific period of time. The timeline below shows how you can quickly locate peaks of activity that need closer examination:

Drilling down into link after link, you discover who accessed the file when, who granted the permissions, any other files and folders to which the user has permissions and any activity initiated by the user.

Want to see how we used IT Security Search to crack the mystery of a mock payment card breach investigation? Check out the on-demand webcast, Inside a Mock Breach Investigation.

Use Case 2: Tracking Permission Management

IT Security Search allows drill-down on any file or folder it finds with links showing “Who changed permissions on this file” and “Who changed permissions on this folder,” respectively:

The links lead you further down the investigative path.

Use Case 3: Rolling back changes

Show me something that has suddenly stopped working, and I’ll show you an accidental deletion. Or maybe a deliberate deletion. In either event, your job is to find the change that unexpectedly occurred and roll it back, if need be.

When connected to Recovery Manager for Active Directory, IT Security Search lets you start your search from the high level of the user ID. As you drill down, you arrive at the change history of related Active Directory objects and explore the three most recent states of objects on the History tab. Here, investigation leads to the conclusion that the user account was deleted:

Assuming the deletion was accidental, you can restore the object to an earlier state.

Use Case 4: Access Reconciliation

To find events where a particular, known user is somehow involved (as the actor or as the subject), simply search on any of the names that identify that user in the environment. For example, enter the string “dana easton” OR “easton dana” OR “danaeaston” OR “eastondana”. The search results are ranked by descending relevance, and you can refine them with the Who, What, Where, Workstation and Whom facets. You can also search on the name of the user’s manager, then look for the user among the manager’s direct reports.

Once you’ve found the user, IT Security Search provides links to the “Files and folders owned by this user” and “Files and folders where this user has permissions” as shown below:

Alternatively, you can start from a particular file or folder and examine its table of permissions, which leads you to every user with access.
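As an added illustration of the search model the four use cases describe (this is example code written for this page, not IT Security Search or any Quest code), the following Python script runs the same kinds of queries over a handful of constructed audit records: an OR-search on name variants ranked by hits and summarised by facet (use case 4), a “who changed permissions under this folder in the last 24 hours” filter (use case 2), a bucketed timeline that surfaces activity peaks (use case 1), and a newest-first change history for an Active Directory object (use case 3). The record schema, user names, hosts and paths are all made up.

```python
"""Toy correlation search over constructed audit records.

Example code for this page only; not the product's implementation.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (not real audit data). Each record is normalised to
# the Who / What / Where / Workstation / Whom facets, plus the source it came from.
RECORDS = [
    {"time": "2024-03-04T09:05:00", "who": "CORP\\danaeaston", "what": "FileRead",
     "where": "\\\\fs01\\Marketing\\credit_limits.xlsx", "workstation": "WS-112",
     "whom": "", "source": "file-audit"},
    {"time": "2024-03-04T09:07:00", "who": "CORP\\danaeaston", "what": "FileRead",
     "where": "\\\\fs01\\Marketing\\credit_limits.xlsx", "workstation": "WS-112",
     "whom": "", "source": "file-audit"},
    {"time": "2024-03-04T09:09:00", "who": "CORP\\danaeaston", "what": "FileCopy",
     "where": "\\\\fs01\\Marketing\\credit_limits.xlsx", "workstation": "WS-112",
     "whom": "", "source": "file-audit"},
    {"time": "2024-03-04T09:40:00", "who": "CORP\\admin.kim", "what": "PermissionChange",
     "where": "\\\\fs01\\Marketing", "workstation": "DC01",
     "whom": "CORP\\danaeaston", "source": "file-audit"},
    {"time": "2024-03-04T14:20:00", "who": "CORP\\admin.kim", "what": "ObjectDeleted",
     "where": "CN=Dana Easton,OU=Staff,DC=corp,DC=example", "workstation": "DC01",
     "whom": "Dana Easton", "source": "ad-changes"},
    {"time": "2024-03-03T11:00:00", "who": "CORP\\rsingh", "what": "FileRead",
     "where": "\\\\fs01\\Finance\\budget.xlsx", "workstation": "WS-044",
     "whom": "", "source": "file-audit"},
]


def parse_time(rec):
    return datetime.fromisoformat(rec["time"])


def name_variants(first, last):
    """The four spellings the post suggests OR-ing together for one person."""
    f, l = first.lower(), last.lower()
    return {f"{f} {l}", f"{l} {f}", f"{f}{l}", f"{l}{f}"}


def search_user(records, first, last):
    """OR-search for any name variant in the Who or Whom facet, ranked by hit count."""
    variants = name_variants(first, last)
    hits = []
    for rec in records:
        score = sum(v in rec[field].lower() for field in ("who", "whom") for v in variants)
        if score:
            hits.append((score, rec))
    hits.sort(key=lambda h: (-h[0], h[1]["time"]))  # most relevant first, then oldest
    return [rec for _, rec in hits]


def facet_counts(records, field):
    """Facet summary (Who, What, Where, Workstation or Whom) of a result set."""
    return Counter(rec[field] for rec in records)


def permission_changes(records, path_prefix, now, hours=24):
    """Who changed permissions on anything under path_prefix in the last N hours."""
    end = datetime.fromisoformat(now)
    since = end - timedelta(hours=hours)
    return [rec for rec in records
            if rec["what"] == "PermissionChange"
            and rec["where"].lower().startswith(path_prefix.lower())
            and since <= parse_time(rec) <= end]


def activity_peaks(records, start, end, bucket_minutes=15, threshold=3):
    """Bucket events in a window and return (bucket_start, count) at or above threshold."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    buckets = Counter()
    for rec in records:
        t = parse_time(rec)
        if t0 <= t < t1:
            offset = int((t - t0).total_seconds() // (bucket_minutes * 60))
            buckets[t0 + timedelta(minutes=offset * bucket_minutes)] += 1
    return sorted((b, n) for b, n in buckets.items() if n >= threshold)


def object_history(records, dn_fragment):
    """Change history of an AD object (by distinguished-name fragment), newest first."""
    return sorted((rec for rec in records
                   if rec["source"] == "ad-changes"
                   and dn_fragment.lower() in rec["where"].lower()),
                  key=parse_time, reverse=True)


if __name__ == "__main__":
    dana = search_user(RECORDS, "Dana", "Easton")
    print("events involving Dana Easton:", len(dana))
    print("What facet:", dict(facet_counts(dana, "what")))
    for rec in permission_changes(RECORDS, "\\\\fs01\\Marketing", "2024-03-05T08:00:00"):
        print("permission change:", rec["time"], rec["who"], "->", rec["whom"])
    print("peaks:", activity_peaks(RECORDS, "2024-03-04T09:00:00", "2024-03-04T10:00:00"))
    print("AD history:", [(r["time"], r["what"]) for r in object_history(RECORDS, "Dana Easton")])
```

The facets work here exactly as drill-down links do in the post: each `facet_counts` bucket is a filter you can apply to the result set to narrow the next query, and the same records answer all four questions because they share one schema.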


Get started with IT Security Search

“How can I get my hands on all that information?” you ask. By getting your hands on Quest platform management products – Enterprise Reporter, Change Auditor, InTrust, Recovery Manager for Active Directory and Active Roles – and installing IT Security Search at no extra cost.

In my next few posts, I’ll describe each of those platform management products so you can see how they collect the data and feed it into a search-based IT forensics tool.



About the Author
Austin Collins
Product Marketing Manager who supports Quest's Microsoft Platform Management solutions. Within Microsoft Platform Management we focus on migrations and consolidations for Active Directory, Exchange...