Uncovering unauthorised remote access

A case study on work that Notion Digital Forensics has completed.

Notion Digital Forensics was approached by a customer who had concerns that their IT managed service provider (MSP) was accessing commercially sensitive information without explicit consent. The customer was not sure if the MSP was taking commercially sensitive information without their consent.

Background

The concerns arose because of an incident where a helpdesk staff member took control of the keyboard, mouse and display of a customer’s computer without telling them.

However, the MSP claimed that they were only responding to a request to fix a computer problem and cited a help desk ticket to show that.

Objectives

The objective of the project was:

• To determine whether the MSP had taken information without authorisation,

• whether the MSP had implied consent to remotely control a mouse and keyboard without explicit consent from the company or the user.

Approach

Notion Digital Forensics carried out a remote forensic acquisition of the staff member’s computer that was accessed and interviewed the affected party. This was done to the 800-86 standard.

Results

The analysis confirmed that the MSP connected to a desktop computer without explicit consent.

However, there was no evidence to suggest that they did anything other than action the help desk ticket. They did not access any commercially sensitive information, and they resolved the issue they were asked to fix.

Conclusion

Notion Digital Forensics’ investigation clarified the situation for both parties. While the MSP had indeed accessed the computer without explicit consent, they did not take any unauthorised actions during their access. This finding was instrumental in resolving the dispute between the customer and the MSP.

It also led to them improving their procedures to ensure that parties were informed when a help desk staff member took control of the keyboard and mouse of a personal computer.