Using red teams to track criminals

The use of hacking (I hate the ethical hacking name) techniques can be used for more than penetration testing and red team assessments. In one occasion, my team helped a law enforcement agency in the collection of information that lead to the capture of a criminal.

The owner of a company contacted the authorities about a former employee that took with him very sensitive and valuable proprietary information. They have some proof of it and were hoping the authorities could help locating and acquiring the proof he needed to take this person to court.

After a few months of not going anywhere the company contacted us to see whether we could help the law enforcement officials locate and track the former employee (I'll refer to him as Bob). We were given all the information, including some really nice open source intelligence collected by the good guys. Two pieces of information gave us a good lead: Bob's personal email and his social media information.

With the help of the law enforcement officials we were able to obtain access to the backup servers of the social media website hosting Bob's info. That access showed several IP addresses belonging to a provider in Europe.
We managed to get access to the server hosting Bob's email. We had to use some good ol' social engineering, a bunch of Exchange exploits and some privilege escalation tricks. We had System access to Bob's email messages, logs, access history, etc.
It took us a week of intense analysis of the emails, logs and other information collected at the mail server. We discovered the same IP and hostnames emanating from Europe that we observed on the social media site.

Just to be on the safe side we left a little utility back at the mail server that would alert us in real time if Bob's account was accessed and would log and send us his source IP and other bits of info we could collect.

Having two different sources showing us that Bob had accessed in the past his information from a computer in Europe gave us a lead to follow. We performed a network mapping of the network that IP belonged to and we discovered it was part of an internet provider. Too big a target to tackle, besides if Bob is using a normal account chances are that he is having a new IP now. Still, we were hopeful.
We hoped that the city's police where this internet provider was located would help us through Interpol. We placed the request to access the provider's logs from the dates we thought would be relevant.

Two weeks went by without any news from Interpol and no other leads. Both the email account and the social media site were silent. It seemed this guy was good in keeping away from the internet.

Then we had a break. Bob logged into his email account, only briefly - 45 seconds - but it was enough for our trace utility to capture his source IP and other bits of info such as a domain name belonging to the network Bob was logged in, his MAC address and geolocation. This was a new IP, one we haven't see before but in the same country and city as the ones we recovered earlier.
We notified Interpol to let them know we were going to perform a full network mapping on the IP range (illegal in certain places in Europe) and that we were going to try to collect information.
The scan and mini-vulnerability assessment took 48 hours. We discovered that apparently Bob was connected to a network belonging to a fairly big corporation located in Europe. We didn't know whether we was working at this company (the company wasn't a direct competitor of our client) or he managed to connect to an open wireless access point inside the company; however we consulted with our customer and he gave the green light for a full on penetration attempt of the company.

We had a target now, penetrate the company and once inside try to find Bob (based on the MAC address we had). We again notified Interpol, which objected to our trying to penetrate the company and instead told us that they would try to get a court permission to go inside. That would take long. So we told our customer that we could find our way in, quietly, and that we could be out before anyone noticed anything. We, again, had the green light.

And so we began searching for a way in. A part of the team flew to Europe just in case we needed to try a physical entry or we needed to use a local network to access backdoors or other tools we might plant inside the system.
Two days later (still no news from Interpol other than "we are trying") we found a vulnerable server connected to the internet. D, our exploit guru, spent the next 24 hours writing an exploit for this server. We found some exploits that might work, however we needed to be certain that 1) we would succeed and 2) that the exploit would not cause any harm to the server. We performed dry runs on our own servers (where we installed the same OS and applications installed on the real target) and prepared our "receivers" (a receiver is an utility we wrote that gathers all the shells returned by backdoors, exploits, etc) and went for it. After some tense moments where we set up out anonymizing network we fired up the exploit.

It worked. We had a shell to the server. All of us now focused on one thing: track and find that MAC address and collect information about it. Then try to penetrate it and see if it belonged to Bob, someone that might have contact with Bob or other.
We started crawling the network manually. We were doing this very carefully in order not to leave traces where possible and not to set any alarms on any IDS that might be monitoring the network. We would work on rotations of 1 hour each. It is easy to get tired when you are working this carefully.

Then we found the workstation. A laptop connected to the marketing network. Great, 5 hours in and we had the laptop. We scanned the laptop and found it fairly secure: personal firewall, latest patches, etc. What I opted to do then was to try to find the domain controller and try to get information about the user from there. That ended up being fairly easy: finding the server was straight forward and when we tried our administrator password (extracted from the server we initially hacked) we had access to the controller. D asked me "did you try that password on the laptop?". I haven't so we tried it.

To our surprise that administrator password worked on the laptop as well. We had access to the laptop. We searched the laptop: we extracted users, documents, outlook email files, pictures, etc. After downloading all that information we left a backdoor and got out.
We analyzed all the information and after showing it to our customer we were able to identify that laptop, based on the username, emails and IP address, as one belonging to Bob. Now we knew where Bob was and where he worked. Moreover, we had a backdoor to his laptop.

We put the guys in Europe (part of our team sent earlier) on recon alert: they would perform surveillance on the company's building 24/7. We sent them pictures of Bob provided by our customer. Then we all flew there with some law enforcement officers that would be our link to Interpol (which by the way did get an order to go in but it was better not to spook Bob so we decided to play it quietly).

The next day the guys had a positive ID on Bob leaving on a black car. They followed it and were able to find where Bob apparently lived. An apartment building on a wealthy part of the city. They mounted surveillance there too and the next morning Bob went back to the company. He logged into their network. We were in country already and as soon as the computer went online we were able to access his laptop as well.

The law enforcement officers together with Interpol and directed by the information we gathered went into the company's premises. We were able to tell them in which floor Bob was located based on the Ethernet port he was using. Half an hour later Bob was being escorted out of the building by Interpol.

I don't know what happened after that, but we were really happy with our job and used the bonus we received from our customer to stay another week in Europe and enjoy the good food, beer and weather.