
Insider Threat Matrix™

  • ID: IF002
  • Created: 31st May 2024
  • Updated: 25th July 2024
  • Contributor: The ITM Team

Exfiltration via Physical Medium

A subject may exfiltrate data via a physical medium, such as a removable drive.

Subsections

IF002.010 Exfiltration via Bring Your Own Device (BYOD)

A subject connects their personal device, under a Bring Your Own Device (BYOD) policy, to organization resources, such as on-premises systems or cloud-based platforms. By leveraging this access, the subject exfiltrates sensitive or confidential data. This unauthorized data transfer can occur through various means, including copying files to the personal device, sending data via email, or using cloud storage services.

IF002.009 Exfiltration via Disk Media

A subject exfiltrates data using writeable disk media.

IF002.004 Exfiltration via Floppy Disk

A subject exfiltrates data using a floppy disk drive.

IF002.003 Exfiltration via New Internal Drive

A subject exfiltrates data by connecting an additional drive to a system using the Serial Advanced Technology Attachment (SATA) interface on a motherboard, and copying files to the new storage device.

IF002.002 Exfiltration via Physical Access to System Drive

A subject exfiltrates data by retrieving the physical drive used by a system.

IF002.005 Exfiltration via Physical Documents

A subject transports physical documents outside of the control of the organization.

IF002.007 Exfiltration via Target Disk Mode

When a Mac is booted into Target Disk Mode (by powering the computer on whilst holding the ‘T’ key), it acts as an external storage device, accessible from another computer via Thunderbolt, USB, or FireWire connections. A subject with physical access to the computer, and the ability to control boot options, can copy any data present on the target disk, bypassing the need to authenticate to the target computer.

IF002.001 Exfiltration via USB Mass Storage Device

A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard drive.

IF002.008 Exfiltration via USB to Mobile Device

The subject uses a USB cable, and any relevant software if required, to transfer files or data from one system to a mobile device. This device is then taken outside of the organization's control, where the subject can later access the contents.

IF002.006 Exfiltration via USB to USB Data Transfer

A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically a USB to USB data transfer cable will require specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment.

Prevention

PV016 Enforce a Data Classification Policy

A Data Classification Policy establishes a standard for handling data by setting out criteria for how data should be classified and subsequently managed and secured. A classification can be applied to data in such a way that the classification is recorded in the body of the data (such as a footer in a text document) and/or within the metadata of a file.

PV003 Enforce an Acceptable Use Policy

An Acceptable Use Policy (AUP) is a set of rules outlining acceptable and unacceptable uses of an organization's computer systems and network resources. It acts as a deterrent to prevent employees from conducting illegitimate activities by clearly defining expectations, reinforcing legal and ethical standards, establishing accountability, specifying consequences for violations, and promoting education and awareness about security risks.

Detection

DT033 Closed-Circuit Television

CCTV can be used to observe activity within or around a site. This control can help to detect preparation or infringement activities and record them to a video file.

DT020 Shellbags, USB Removable Storage

Shellbags are a set of Windows registry keys that contain details about a folder a user has viewed, such as its size, position, thumbnail, and timestamps. Typically, Shellbag information is created for folders that have been opened and closed in Windows File Explorer, or whose default view settings have been adjusted. However, Shellbag information can also be created in other situations, which vary across versions of Windows.

Shellbags are located in the following registry keys:

Windows XP

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags

Windows 7 and later

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags

Shellbags can disclose information about USB removable storage drives that have been connected to the system, revealing the drive letter and any files that were accessed from the drive.

DT087 USB MountPoints2

MountPoints2 is a Windows Registry key used to store information about previously connected removable devices, such as USB drives, CDs, and other external storage media. It is located at:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Each subkey under MountPoints2 represents a unique device, often identified by its GUID (Globally Unique Identifier) or another unique identifier. These subkeys can contain various values that describe the properties and behavior of the corresponding device, such as the assigned drive letter, volume label, and other relevant data.
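To turn DT087 into a repeatable triage step, the following added example (written for this page, not ITM's own tooling) parses a reg export of the MountPoints2 key and classifies each subkey by the kind of device it names: a volume GUID, a network share in the ##server#share form, or a bare drive letter. The sample export is constructed; its GUID, volume label and share name are invented, and the value names BaseClass and _LabelFromReg are assumed to match what a typical export of this key contains.

```python
import re

MOUNTPOINTS2 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"

# Constructed sample .reg export of that key (GUID, label and share name are made up).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1b2c3d4-1111-2222-3333-444455556666}]
"BaseClass"="Drive"
"_LabelFromReg"="KINGSTON"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##fileserver#projects]
"BaseClass"="Drive"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"
"""

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def classify(subkey):
    # Volume GUID subkeys are the ones worth correlating with other USB artifacts.
    if GUID_RE.match(subkey):
        return "volume"
    if subkey.startswith("##"):          # ##server#share: a mapped network share
        return "network-share"
    if len(subkey) == 1 and subkey.isalpha():
        return "drive-letter"
    return "other"


def parse_mountpoints2(reg_text):
    # One record per MountPoints2 subkey; sections outside that key are ignored.
    records, current, prefix = [], None, MOUNTPOINTS2.lower() + "\\"
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            current = None
            if key.lower().startswith(prefix):
                sub = key[len(prefix):]
                current = {"subkey": sub, "kind": classify(sub), "values": {}}
                records.append(current)
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            name, raw = v.groups()
            # REG_SZ data is quoted; hex:/dword: data is kept raw for the analyst.
            current["values"][name] = raw[1:-1] if raw.startswith('"') else raw
    return records
```

reg.exe writes exports as UTF-16LE with a byte-order mark, so read a real export with encoding="utf-16" before passing its text to parse_mountpoints2.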