Compromised Machines & Forensic Processing

The University at Buffalo’s Information Security Office (ISO) has developed and implemented the Forensics for Compliance program. The objective of this program is to comply with applicable federal, state, SUNY, and university regulations involving University data. Adhering to the Forensics for Compliance process and following all documented steps ensures UB’s compliance with all data security regulations.

The Forensics Program

The program involves performing computer forensics on hosts that potentially contain Category 1 - Restricted Data and have become compromised through infection or other means. If it is determined that Category 1 - Restricted Data has been copied without authorization, UB is required to report it. Category 1 - Restricted Data includes, but is not limited to: Social Security Numbers, driver license numbers, state-issued non-driver ID numbers, bank or financial account numbers, HIPAA-regulated protected health information, passport numbers, and UBIT authentication credentials. Refer to the Data Risk Classification Policy for more information about the data classifications used at UB.

When a computer becomes compromised and is known or suspected to have been used to access or handle Category 1 - Restricted Data, the ISO completes the following process:

  1. Obtain the machine and/or its drives
  2. Extract an image of the contents of the hard drive(s)
  3. Return the machine to its department

This process requires up to three business days to complete, depending on the size of the drive(s).
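As an added illustration of the imaging step above (example code written here, not the ISO's own tooling or procedure), the shell functions below copy a drive sector by sector, record a SHA-256 hash of the image, and let the copy be re-verified later so that analysis never touches the original. The "drive" is a constructed file, and the names `make_sample_drive`, `image_drive` and `verify_image` are chosen for this example.

```shell
#!/bin/sh
# Added example (not UB ISO tooling): image a drive and record its SHA-256 hash
# so the copy can be analyzed and its integrity re-checked at any later point.
# Assumes POSIX sh with dd, sha256sum, cut and printf available.

# make_sample_drive PATH: build a constructed 1 MiB "drive" file for the demo.
# In a real case the source is a block device, read through a write blocker.
make_sample_drive() {
    dd if=/dev/urandom of="$1" bs=4096 count=256 2>/dev/null
}

# image_drive SRC DST: copy SRC to DST sector by sector, hash both, write the
# image hash to DST.sha256, and return 0 only if source and image hashes match.
image_drive() {
    src="$1"; dst="$2"
    # conv=noerror,sync keeps reading past unreadable sectors and zero-pads
    # them. bs=512 matches a whole-sector device; a larger bs is faster but
    # with sync the final partial block is padded, which would change the hash.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    # Sidecar in sha256sum -c format; keep it with the image as the record.
    printf '%s  %s\n' "$dst_hash" "$dst" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# verify_image DST: re-hash the image and compare with the recorded value.
# Returns non-zero if the image has been altered since it was taken.
verify_image() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# Usage: image_drive /dev/sdX /evidence/case.img && verify_image /evidence/case.img
```

Keeping the sidecar hash with the image lets anyone later demonstrate that what was analyzed is byte-for-byte what was acquired.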

After this, the ISO:

  1. Analyzes a copy of the contents
  2. Determines if Category 1 - Restricted Data is present
  3. Determines the manner in which the machine was compromised
  4. Determines the intent of the compromise
  5. Advises the VPCIO on whether it is reasonable to believe that Restricted Data was improperly copied

Next, the VPCIO, in cooperation with University Counsel, determines whether to report the breach to New York State. The VP for University Communication manages communication with the public and press about the breach.

A breach of Category 1 - Restricted Data is a serious matter and carries significant penalties. As such, UB invests in training and tools that enable the ISO to assess the likelihood of unauthorized access.

In order for the VPCIO to have the best information available when deciding whether to report, it is important that a rigorously defined process is followed in every instance.

The steps in the following diagram should be followed to determine whether the Information Security Office should be involved when a host is compromised. If there is any doubt, contact the Information Security Office.

Forensic Program Steps

Forensic Process Chart (described in text):

  1. Start: workstation compromised. Immediately disconnect it from the network and provide the user with an alternative machine. DO NOT attempt to modify, clean, or inspect the compromised machine. Tell the user to change their UBITName password and all passwords for any account they accessed from the compromised machine (including personal accounts such as banking).
  2. Ask: do any users of the workstation handle restricted data, Personally Identifiable Information, HIPAA-regulated data, or any other sensitive data?
  3. If no: wipe the hard drive, including the Master Boot Record (MBR); re-image the workstation; fully patch the workstation and all software on it, including third-party packages; then return the workstation to the user.
  4. If yes: report the details of the incident to the ISO. The ISO will determine whether forensics are required; if so, arrangements are made for machine drop-off. Then wipe the hard drive (including the MBR), re-image the workstation, fully patch the workstation and all software on it, including third-party packages, and return the workstation to the user.

Category 1 - Restricted Data Reporting Requirements

Category 1 - Restricted Data is defined in NYS General Business Law 899 as "private information" and includes Social Security Numbers, driver's license or non-driver identification card numbers, and account numbers that permit access to an individual's financial account. The law requires the University to report when this information has been downloaded or copied without authorization, or when the University reasonably believes that it has been.

Reporting consists of notifying the following individuals/organizations:

  • All affected individuals (in writing)
  • Consumer credit reporting agencies (if the breach involves more than 5,000 New York residents)
  • Attorney General of New York’s office
  • NYS Department of State’s Division of Consumer Protection
  • NYS Office of Cyber Security & Critical Infrastructure Coordination

The New York State Information Security Breach and Notification Act stipulates that knowingly or recklessly failing to report a breach can carry a $10 penalty per individual affected (up to $150,000), in addition to any damages awarded to those individuals by the court.

Forensics Tools

Spirion is managed software licensed by the University at Buffalo that IT support staff can use proactively to detect Category 1 - Restricted Data on a host. If Category 1 - Restricted Data is found, you can secure or remove it.

Spirion is meant to be used before there are any indications of infection, to detect Category 1 - Restricted Data. Do not use Spirion to look for Category 1 - Restricted Data once a machine is deemed compromised or potentially compromised.

Training for Handling Data Safely

The Handling Data Safely course is available as self-paced, online training through UB Edge. The Handling Restricted Data section is intended to raise awareness of the issues surrounding restricted data. Anyone with a UBITName can self-enroll in the UB Edge course. The ISO recommends using this training material within your department to help employees understand how to properly handle restricted data.

We continue to ask for your assistance in limiting the use of Category 1 - Restricted Data and heightening faculty, staff, and student awareness of the risks associated with storing such data on computers and portable devices. The best way to protect Category 1 - Restricted Data is to ensure that employees who require it to perform their job are able to work with it in a secure environment.

Still need help?

Contact the UBIT Help Center.