Question
May 1, 2020 at 8:46 am #2143015
I need a Report and don't know how.
by isabella de fere · about 4 years, 11 months ago
Tags: Security
I have a client who asked me to go over his computer to see if it had been hacked. I used a man to do this and he seemed reputable and honest; he told me all he'd done and I wrote it down, but my client wants a report. I don't know the jargon and the guy who did the work says he doesn’t do reports. I have done a lot of running around to not get paid – which is not that much, but I need something.
All Answers
May 2, 2020 at 6:06 am #2418600
Security Reports can be Difficult
by oh smeg · about 4 years, 11 months ago
In reply to I need a Report and don't know how.
Depending on what the client wants, it can be time consuming and may even result in you appearing as an “Expert Witness”, which can be weeks of preparation and days of waiting around in court buildings to give evidence, and then when they find out you did not do the work they will ignore everything you have said because it is not First Hand Evidence.
To do a Security Report you have to have done the work, because if you did not it is meaningless and has no weight, which is most likely why the person you got to do the work doesn’t write Reports any longer, as you can never charge enough to cover the time you waste running around after the report is written and goes God Knows where that you have no idea of.
Also, by doing anything you have stopped any further person from doing a full Report and left both yourself and whoever you got to do the work open to claims that you have interfered and altered this system, and if there was anything on it it will be claimed by someone in court that you or the person who did the work put it there.
Having spent months giving evidence in Courts over the years, the only people who can do reports like you are asking about work in Big International Business, who can afford to have a Tech tied up in doing Court work for months at a time, and they have the right personality to sit in a Courtroom and answer the most silly questions to the best of their ability, which is mostly answering the same question asked 2 million different ways by someone who has no idea of what they are talking about to begin with.
What a Security Person would say is a Phishing Expedition, hoping to get something to hang someone with, and that is mostly the person giving the evidence.
My best advice is give the unit back, do not ask for any money and treat it as a Learning Experience of something that you never want to get involved with again.
For example, the last time I was in court a Power Supply had failed and allowed mains power to enter the case, which then went out over the Network Lines and somehow caused the building to burn to the ground along with everything inside it. That took 8 years to reach the court and 4 months to hear; granted, I was only giving evidence for 2 days about what I had discovered from the remains of the server, but all that evidence had to be stored where it could not be touched for that time and I had to have a full memory of what I had put into the Report.
May 2, 2020 at 11:04 am #2418596
Thank you
by isabella de fere · about 4 years, 11 months ago
In reply to Security Reports can be Difficult
Thank you – that is so interesting. It's going to be hard to let go of the money as I have run around so much – delivering the computer, driving miles, sitting with this person and that. Do you think my mistake was not getting a forensic image carried out? I was trying to save the person money as they cost the earth. I got the guy with a degree in Forensic Computing as I felt it would work, and a forensic guy who does imaging said it'd be cheaper.
May 3, 2020 at 1:08 am #2418595
An image would have been the starting point
by oh smeg · about 4 years, 11 months ago
In reply to Thank you
But you have to maintain what they call CHAIN OF EVIDENCE, which has to be provable to a court's satisfaction. Not the place to make a mistake really, and really, how much you charge someone for things like this is NEVER ENOUGH.
To give you some idea, the above court case I referred to had a Lightning Strike to the Communications box outside the building sometime overnight, and the Insurance Company was attempting to Claim Act of God so they did not have to pay up. I was standing up in a Court saying I do not know what happened; all I can tell you is that this is what I found when I looked at the remains of several computers that were in the building. I can not tell you what happened first or what caused what. It could have been the Lightning Strike coming in over the Phone Network which fried everything and caused the Power Supply to allow Mains Voltage into the case and out over the network cables, or it could just as easily have been that the Power Supply failed, fed Mains Power into the case and caused the building to be destroyed with the fire starting at several different points simultaneously. I am just unable to say with any certainty.
A day and a half I spent giving evidence, with the Judge jumping onto the Barrister saying things about Rules of Evidence and how I felt had no bearing on the case. Also things like “I do not know which court you practice in but it’s not this court and I think you need a lot more practice before you attempt to appear again.”
Worst time I ever gave evidence, ever, and I was a quivering wreck when I left the place, only to find out from the Sheriff that the Barrister in Question had represented that Judge's Wife in a Divorce, which I assume had not gone well for the Judge, so he did everything within his power and the law to prevent that guy practicing in court again, or at least not in Criminal/Civil Court. Not something I had ever experienced previously, and I was wondering what I had done wrong to get the Judge so worked up. It’s never a good idea to Peeve Off someone like that, and I was wanting to know what had/was happening, but apparently, according to the guy who I was giving evidence for, I did a great job; just couldn’t go to work for a couple of weeks after though.
May 3, 2020 at 1:21 pm #2418591
Thank you
by isabella de fere · about 4 years, 11 months ago
In reply to An image would have been the starting point
Hi There,
Yes, I hear you. He has told me he doesn't want it for court and that it's just to know what was covered. The tech guy who examined it didn't find anything – meaning it wasn’t hacked. He is Indian and doesn't have a good command of English, so is saying I have to do the report for them – but I don’t know how to word it.
May 3, 2020 at 5:26 pm #2418589
Well then do it the easy way
by oh smeg · about 4 years, 11 months ago
In reply to Thank you
Start on a Letterhead and give a basic report on what was checked and a summary of the conclusions.
Start with the easy things like what was asked for and then what and how it was checked any other tests performed on it and then state the conclusions.
Then sign it with the company owner's name and any other things that should be listed after the name of the person signing it.
However, I always get concerned when I get people saying “no trouble, but I want it this way”, as that always sounds like some sort of Legal Action to me.
May 3, 2020 at 11:34 pm #2418586
Thank you
by isabella de fere · about 4 years, 11 months ago
In reply to Well then do it the easy way
Hi OH,
You said – “Start on a Letterhead and give a basic report on what was checked and a summary of the conclusions.”
– I can do a letterhead. The computer guy won’t tell me what he checked. Well, he did at the time – I think ports and logs and system – but that will take up all of one line.
“Start with the easy things like what was asked for and then what and how it was checked, any other tests performed on it, and then state the conclusions.”
– The client asked was his computer hacked. The computer guy said he checked everything and it wasn’t accessed. I believed him. Now I can't reach him as he says he doesn’t do reports – so I'm on my own with listing the things in detail and I'm not techy at all. I don't know where to find a list of things that would be checked.
May 4, 2020 at 2:25 am #2418585
Well then you can’t really do a report can you?
by oh smeg · about 4 years, 11 months ago
In reply to Thank you
The issue here is that you have to list what was done in a sequential manner and maybe pad out the checks a bit. In the old days they used to say, if you can’t Baffle them with Science, Blind them with BS.
Doesn’t mean you lie, but you can say for instance “Scanned all outgoing ports and checked against known issues and a list of what should be open” instead of just saying “Scanned Ports”.
But if you can not get the guy who did the work to work with you, which they will probably want to get paid for, there isn’t really much you can do, is there?
I really suggest you walk away from this one, as it is pointless throwing good money after bad and you have to understand when to cut your losses, which happens all of the time.
The worst job I ever walked away from was when I had an Apprentice forced on me and they destroyed a couple of Million $ worth of new mainframe. After they did the same thing 3 times with exactly the same result I had had enough and just suggested that they get someone else to train their guy, who was not possible to train.
That was 4 months work and it hurt, but I did learn from that NEVER to Take on Customers' Staff to Teach Them. Only good thing to come out of that was I did make the little sod pull a cable over 18 floors 3 times, but each time he connected it the wrong way and would not learn from his mistakes. In the end I had to not only stand over the kid as he pulled the cable but I had to do all the work and not let them touch anything.
May 13, 2020 at 10:37 pm #2418286
I have been trying to reply for days.
by isabella de fere · about 4 years, 11 months ago
In reply to Well then you can’t really do a report can you?
I have to thank you for your reply, and I was trying to get back to you for days but the site wouldn't let me. He's done a report and it's one paragraph. Literally – checked ports and the system. There MUST be more that can be said. Can you help?
May 14, 2020 at 12:53 am #2418284
Ok this is most definitely not my area of Expertise
by oh smeg · about 4 years, 11 months ago
In reply to I have been trying to reply for days.
But I would start with stating the obvious: the name and so on of the customer, followed by the brand and model of the computer or, if it’s a white box, the internal components and any serial numbers that may be on it.
Then a paragraph or 2 on what was requested.
After that, state what was done to it to check for infections, things like Running F Secure from a Live Disc to fully scan the OS and installed software, check open ports and so on.
A list of what the Scanning found and finally a summary of the results of the scan.
As I’m not sure what was done here you’ll have to fill that in, but don’t say anything you are not sure of, and if you do a quick Google Search of Security Templates for Windows whatever, that may help. I think there should be something out there giving a list of what either Microsoft or one of the security companies thinks is important.
Just make sure it’s for the version of Windows that is installed on the system, including any Patch Levels, and also, as above, when you list the software on the system list all of the installed patches and if any are not installed; of course you’ll need the unit for that and have to copy out what has been installed as well as any Patches/Service Packs and so on.
I seem to remember Microsoft having some Base Line Security Templates as well, but as I have never used them I’m not sure what they cover or if they will be any use in this case.
If there was more than one scan performed, list them all and the results of those scans, and also list if they were done from a Live Disc or with the Installed OS running. Having the installed OS running is not as effective, as any infections can be masked by the OS if whoever cracked the system knows what they are doing, so it’s always better running from a Live Disc or pulling the HDD and fitting it to another Secured Computer to scan the drive; it’s just more likely to show up that way, that’s all.
Hope that helps some.
May 15, 2020 at 12:33 am #2418273
Thank you
by isabelle de fere · about 4 years, 11 months ago
In reply to Ok this is most definitely not my area of Expertise
Thank you OH.
Where do I get the security templates – I've tried Google but they don't come up.
You've put this below – what is F Secure?
“After that, state what was done to it to check for infections, things like Running F Secure from a Live Disc to fully scan the OS and installed software, check open ports and so on.”
“A list of what the Scanning found and finally a summary of the results of the scan.”
He said he didn't find anything.
Here is his report below – it's very tatty and shoddy – he wasn't shy in asking for money for it. As follows:
• There is no remote connection Software Installed on the Mac
• Malware detection was run and could not find any issue.
• All remote ports are disabled.
Further steps to Investigate.
• User must change his Apple ID password and make sure to enable his MFA (Multi-Factor Authentication)
• User must change his WIFI Password.
• Router default password must be changed.
• It is important to run scanning on the user network to find out miscellaneous activities.
• A program like CrowdStrike or a solution from Forcepoint is highly recommended to investigate further. Their Client agent will be installed on all machines, and they will report back to the admin about all activity happening on the Network.
• Shared PCs will display on the Network. User must check all connected devices to the Network on the router admin portal.
I mean it's just a paragraph. Is there a way of padding it or making it look – well it certainly needs padding. Best, Isa.
May 15, 2020 at 2:46 am #2418269
OK first things first
by oh smeg · about 4 years, 11 months ago
In reply to Thank you
F Secure is an AV Program that you can use to scan systems with, either from a DVD or from within Windows.
As this is a Mac it would have to be run from a DVD, and even then I’m not sure it’s going to be overly effective, as Apple use BSD “Berkeley Software Developments” and overlay their own user interface; it is sort of like Unix in the way it works and a Lot More Secure Than Windows.
As for the list of what was done, he has provided that in this bit:
• There is no remote connection Software Installed on the Mac
• Malware detection was run and could not find any issue.
• All remote ports are disabled.
Then goes on to say:
Further steps to Investigate.
• User must change his Apple ID password and make sure to enable his MFA (Multi-Factor Authentication)
• User must change his WIFI Password.
• Router default password must be changed.
OK, it’s all Basic Stuff but it’s also important to do, but I would have added that when it comes to changing Passwords they should all be different, as if they are the same you break one and you have access to everything, which is not a good way to go.
Then suggests:
• It is important to run scanning on the user network to find out miscellaneous activities.
• A program like CrowdStrike or a solution from Forcepoint is highly recommended to investigate further. Their Client agent will be installed on all machines, and they will report back to the admin about all activity happening on the Network.
• Shared PCs will display on the Network. User must check all connected devices to the Network on the router admin portal.
Again all good suggestions and all basic things that should be done to protect the user.
Where I would go from here is list the Model of the Mac including its Serial Number, BIOS Version and OS level; this includes the version of the OS and whatever patches it has had applied, showing that it was either fully updated as Apple released Patches, or nothing was done to protect the thing and the user/owner was not doing their job, or anything in between. That alone should take quite a few pages, but it shows whether or not the user was doing anything to protect the thing from infections and so on. It not only establishes that the report covers the same machine as the guy who brought it in, but what they had been doing with it and what measures they were following to protect it and if they had used it unsafely.
By the sounds of things, as it is suggested to change the Router Password, nothing is being done
May 15, 2020 at 2:53 am #2418268
Carry on
by oh smeg · about 4 years, 11 months ago
In reply to Thank you
Nothing is being done to protect the system and network it is connected to. The easiest way into anything is through a router with its default password unchanged; that is like leaving no password on it, as, say it’s a Netgear Router, they only have the one password, which is spread about everywhere one cares to look by its maker, not at all hard to find as the maker puts it in their Owner's Service Guide Manual.
As there was the thought it may have been compromised, the other Passwords need changing because they could have been lifted off the system and continue to be used by another for whatever reasons. What is Important here though is that
“and make sure to enable his MFA (Multi-Factor Authentication)”
While it is not unbreakable, it makes it so much harder to break into the thing with it running.
While CrowdStrike is not told to be loaded, it is highly recommended to scan the network for any activity that is not expected.
The problem here though is that the user is probably unlikely to recognize any activity that should not be there and as a result not see things that should not be happening.
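The two replies above ask for the same things a basic check report should record: the model, serial number and firmware of the Mac, the OS version and which updates were installed, and whether any remote-access services were actually listening (the tech's report only says "all remote ports are disabled"). The script below is an added example, not something from this thread or any product mentioned in it. It assumes it is run on the Mac itself, where the standard macOS tools sw_vers, system_profiler, softwareupdate and lsof exist; the parsers also take saved text, and the sample outputs at the bottom are constructed in the shape those tools print, not captured from any real machine. The remote-access port list is an assumed allow-list for illustration.

```python
"""Build the system-identification and listening-port sections of a basic
security check report for a Mac. Added example, not from the thread.
Assumes macOS command-line tools; parsers also accept saved output."""
import re
import shutil
import subprocess
from datetime import datetime

# Assumed list of ports that mean a remote-access service is enabled
# (illustrative; tailor to what the owner expects to be running).
REMOTE_ACCESS_PORTS = {22: "SSH (Remote Login)",
                       5900: "VNC (Screen Sharing)",
                       3283: "Apple Remote Desktop"}


def capture(cmd):
    """Run a tool if present on this machine; return its stdout or '' so the
    parsers can be exercised with saved text on a non-Mac box."""
    if shutil.which(cmd[0]) is None:
        return ""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def parse_key_values(text):
    """'Key: value' lines, as printed by sw_vers and system_profiler -> dict."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            out[key.strip()] = value.strip()
    return out


def parse_update_history(text):
    """softwareupdate --history: 'Display Name  Version  Date' columns separated
    by two or more spaces, after a header line and a dashed underline."""
    entries = []
    for line in text.splitlines()[2:]:
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) >= 3:
            entries.append({"name": cols[0], "version": cols[1], "date": cols[2]})
    return entries


def parse_listening(text):
    """lsof -iTCP -sTCP:LISTEN -nP -> [(command, pid, user, port)], taking the
    port from the NAME column (e.g. '*:22')."""
    found = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 9:
            continue
        match = re.search(r":(\d+)$", parts[8])
        if match:
            found.append((parts[0], int(parts[1]), parts[2], int(match.group(1))))
    return found


def flag_remote_access(listening):
    """Name every listening port that means remote access is enabled."""
    return [(cmd, pid, port, REMOTE_ACCESS_PORTS[port])
            for cmd, pid, _user, port in listening if port in REMOTE_ACCESS_PORTS]


def build_report(sw_vers, hardware, history, listening):
    """Plain-text report sections in the order the replies above suggest."""
    sw, hw = parse_key_values(sw_vers), parse_key_values(hardware)
    updates, ports = parse_update_history(history), parse_listening(listening)
    lines = [f"Report generated: {datetime.now():%Y-%m-%d %H:%M}", "",
             "1. System identification",
             f"   Model: {hw.get('Model Name', '?')} ({hw.get('Model Identifier', '?')})",
             f"   Serial number: {hw.get('Serial Number (system)', '?')}",
             f"   Firmware (Boot ROM) version: {hw.get('Boot ROM Version', '?')}",
             f"   OS: {sw.get('ProductName', '?')} {sw.get('ProductVersion', '?')} "
             f"build {sw.get('BuildVersion', '?')}",
             "", "2. Installed updates"]
    lines += [f"   {u['date']}  {u['name']} ({u['version']})" for u in updates] or ["   none recorded"]
    lines += ["", "3. Listening TCP ports"]
    lines += [f"   {port:>5}  {cmd} (pid {pid}, user {user})" for cmd, pid, user, port in ports] or ["   none"]
    lines += ["", "4. Remote-access services"]
    lines += [f"   port {port}: {label} via {cmd} (pid {pid})"
              for cmd, pid, port, label in flag_remote_access(ports)] or ["   none listening"]
    return "\n".join(lines)


def live_report():
    """Collect from the Mac this runs on (macOS tools assumed)."""
    return build_report(capture(["sw_vers"]),
                        capture(["system_profiler", "SPHardwareDataType"]),
                        capture(["softwareupdate", "--history"]),
                        capture(["lsof", "-iTCP", "-sTCP:LISTEN", "-nP"]))


# Constructed sample output in the shape of each tool (not from a real machine).
SAMPLE_SW_VERS = "ProductName:\tMac OS X\nProductVersion:\t10.15.4\nBuildVersion:\t19E287\n"
SAMPLE_HARDWARE = """Hardware:

    Hardware Overview:

      Model Name: MacBook Pro
      Model Identifier: MacBookPro15,1
      Serial Number (system): EXAMPLE-SERIAL
      Boot ROM Version: 1037.100.362.0.0
"""
SAMPLE_HISTORY = """Display Name                              Version    Date
------------                              -------    ----
macOS Catalina 10.15.4 Update             10.15.4    2020-03-25, 09:12:44
Safari                                    13.1       2020-03-25, 09:12:50
"""
SAMPLE_LSOF = """COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1 root   12u  IPv6 0xabc      0t0  TCP *:22 (LISTEN)
rapportd  412 isa     4u  IPv4 0xdef      0t0  TCP *:49152 (LISTEN)
"""

if __name__ == "__main__":
    print(build_report(SAMPLE_SW_VERS, SAMPLE_HARDWARE, SAMPLE_HISTORY, SAMPLE_LSOF))
```

Run as-is it prints the report for the constructed samples, where the SSH listener on port 22 shows up under "Remote-access services" even though the sample claims nothing remote is installed; call `live_report()` on the machine itself to fill the sections from real output. The point of section 4 is the one oh smeg makes about port scans: a bare "ports checked" line carries no weight, whereas a list of what was listening against a list of what should have been is something the owner can act on.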
May 15, 2020 at 10:40 am #2418264
Thank you
by isabelle de fere · about 4 years, 11 months ago
In reply to Carry on
I'm not sure how to word that – the computer's gone now, so how do I find out OS and Patches? I wish I could do all this myself. Thank you, Isa.
May 15, 2020 at 8:05 pm #2418258
Well as I have very little idea of what went on
by oh smeg · about 4 years, 11 months ago
In reply to Thank you
Doing a copy and paste will only bring you a world of hurt, as the bit you provided above is perfectly acceptable as a report for most non-legal uses.
It tells the owner that the system was scanned, no problems found, and then what else they need to do without getting overly complicated. It even goes on to tell them what they need to do, which is most likely beyond the average user's ability; the fact that they want more, to me at least, points to this being a Legal Matter no matter what they claim, and is something you don’t want to be involved with.
As for the Specs of the system, you’ll have to get it back to do anything more, and if they really want it for anything but screwing you on the price they will bring it back and leave it with you.
That will also mean that there is something happening that you really do not want to be involved with, as Legal Issues come back to BITE HARD, particularly when you don’t know about them in the first place.
When it comes you’ll have to not only know what to do but also know exactly what has been done, and whoever hits you will try to make you look like an idiot to get what the user here wants, whatever that is.
I really advise you to forget it and stop throwing good money after bad, as no matter how much you hope to get it will not cover the costs that you will incur.
To give you some idea, the last Legal Job I did we got paid 250K for, but it cost us all up 2.3 million, so even though we appeared to get a decent payment we were still down just under 2 million.
An easy 20 minute report that went on over 8 years, and to be perfectly honest, because the appeal process is not yet exhausted we still have that equipment in Secure Storage, so the costs are continuing to be incurred with no possibility of ever being recovered.
May 15, 2020 at 8:19 pm #2418257
Thank you
by isabelle de fere · about 4 years, 11 months ago
In reply to Well as I have very little idea of what went on
I have gone back to the guy who did the work and he has done a report – it is one page but at least it's something – he was too lazy to do it before. Moral of the story – check out first. Are you in the UK, OH? Can you rec anyone?