Running Head: COMPUTER FORENSIC EXAMINATION REPORT

Computer Forensic Examination Report

CSOL 590 – Module 7

Magdy Abadir

mabadir@sandiego.edu

University of San Diego

10 December 2018

TABLE OF CONTENTS

Abstract

Background

Image Acquisition Procedure

Image Analysis Procedure

Conclusion and Recommendation

References

Appendix A: Chain of Custody

ABSTRACT

As a forensics investigator and IT professional, I have learned that people are most often the weakest link in an organization's security. This paper presents that concept in the form of a forensic investigation report for a small private start-up, M57.Biz. The case is a corporate exfiltration: a spreadsheet containing sensitive and confidential employee information was leaked, or somehow stolen, from a company executive's laptop and posted in the comments section of a competitor's website. The investigation covers acquiring a forensic image of the executive's laptop using EnCase Forensic and analyzing the data on the hard drive, including but not limited to files, folders, and email, using FTK Imager. The goal of the analysis is to answer the three questions asked by the client, M57.Biz's first-round founder: when did the executive create the spreadsheet, how did it get from the executive's laptop to the competitor's website, and was anyone else at M57.Biz involved?

Keywords: corporate exfiltration, forensic image, EnCase, FTK Imager, PST Viewer, spoofing, spear phishing, email headers, steganography



BACKGROUND

M57.biz is a small start-up company with $3M in seed funding that is now closing a $10M round. The company was founded and is owned by two people. During the first year, 10 employees were hired: Alison, the President; Jean, the Chief Financial Officer (CFO); four programmers, Bob, Carol, David, and Emmy; two in Marketing, Gina and Harris; and Indy in Business Development.

Business is conducted as follows. Programmers work from home and meet weekly at the office park. Marketing and Business Development are on the road most of the time; they work out of hotel rooms or Starbucks and meet in person once every two weeks. Most documents are exchanged through email.

The incident involves a spreadsheet, m57biz.xls, that was stolen from the CFO's laptop and published in the comments section of a competitor's website. The spreadsheet contained m57.biz employee names, positions, salaries, and Social Security Numbers (SSNs).

The President and the CFO were interviewed. CFO Jean stated that the President, Alison, had asked her to prepare the spreadsheet as part of the new funding round and to send it to her by email. Alison stated that she does not know what Jean is talking about, that she never asked Jean for the spreadsheet, and that she never received it by email.

IMAGE ACQUISITION PROCEDURE

As a forensics investigator, I was given a forensic image of Jean's laptop, acquired with EnCase Forensic, to analyze the data and present the evidence in court. Because the laptop is company property and m57.biz is a private employer, company policy states that all devices owned by m57.biz may be inspected, and all data contained on them extracted and investigated, without notice. The company requires every employee to sign a form confirming that they have read and understood this policy and will adhere to it as a condition of employment. Furthermore, the client, m57.biz, signed a consent form for the internal forensic investigation detailing the complete scope of the search: to extract and analyze an image of the CFO's hard drive. All procedures complied with applicable laws and regulations.

The examination started with a thorough assessment of the digital evidence against the scope of the case to determine the course of action. Next, because digital evidence is fragile and can be altered, damaged, or destroyed by improper handling, a copy of the original evidence was taken in a manner that protects its integrity; further copies were then made with EnCase Forensic and stored safely as backups, while one working copy was used for the analysis. Data was extracted from the evidence, analyzed, and put into a logical and useful format. Finally, actions and observations were documented throughout the forensic analysis process (U.S. Department of Justice, 2004).

All activity pertaining to the seizure, examination, storage, or transfer of the digital evidence is documented, preserved, and available in the chain of custody form to ensure evidence integrity. A timestamp was recorded for each step along with the action taken. The acquired devices (laptop and hard drive), together with the first image of the hard drive (the "best image"), were packaged and stored onsite in a fireproof safe (Scalet, 2005). See Appendix A for details.

IMAGE ANALYSIS PROCEDURE

FTK Imager version 3.4.3.3 was used to analyze the acquired data from the forensic image, and Lepide Software's PST Viewer was used to analyze email and headers from the CFO's email client. The data was not encrypted, and no password cracking was required. The following steps were taken during the forensic analysis:

1) Loaded the image in FTK Imager and verified that the computed MD5 hash matched the verification hash stored with the image file (Bone, 2017) (Figure 1-1).

Figure 1-1: FTK Imager

2) The spreadsheet m57biz.xls was found in the Desktop folder of Jean's user profile. The file system creation date is 07/20/2008 (Figure 2-1). The document's internal metadata shows that the author was Alison Smith, that the file was created on 06/16/2008, and that it was last saved by Jean on 07/19/2008 (Figure 2-2). Because the file system creation date is later than both the last-saved time in the document metadata and the time the attachment was sent (step 4), it records when this copy was written to the Desktop folder (or a clock or time-zone offset), not when the document was authored. Further analysis of Jean's profile showed that she uses Microsoft Outlook as her email client. The PST file was exported and opened with PST Viewer (Lepide Software Private Limited, 2018) (Figure 2-3).

Figure 2-1: m57biz.xls Spreadsheet

Figure 2-2: Spreadsheet Metadata



Figure 2-3: PST Viewer

3) Going through Jean's Inbox, I found a spoofed email that appears to be from alison@m57.biz. On closer inspection, the From field displays alison@m57.biz as the sender name, but the underlying (mailto) address is tuckgorge@gmail.com (Figure 3-1).

Figure 3-1: Spoofed Email

4) I searched the Sent Items folder for all email to alison@m57.biz and found a reply to the Inbox message with the subject "Please send me the information now", sent on 07/19/2008 at 17:28. The email carries the attachment m57biz.xls, which, when opened in Microsoft Excel, proved to be the file in question. A "Thanks" email from tuckgorge@gmail.com, claiming to be from Alison, was found in the Inbox, dated 07/19/2008. The headers show that the spoofed email, claiming to be from alison@m57.biz <tuckgorge@gmail.com>, was sent through dreamhost.com servers at IP address 208.97.132.74, with a Return-Path header pointing back to simsong@xy.dreamhostps.com (American Registry for Internet Numbers, Ltd., 2018) (Figure 4-1).

Figure 4-1: Spoofed Email and Headers

5) Steganography analysis was performed on the m57biz.xls spreadsheet because an embedded image (image_0.png) was found in the document. Nothing suspicious was noted (Figure 5-1).

Figure 5-1: Embedded Image



CONCLUSION AND RECOMMENDATION

The forensic analysis of the CFO's hard drive and email shows that the copy of the spreadsheet on her computer has a file system creation date of 07/20/2008, while the document's own metadata records that it was created on 06/16/2008 and last saved by Jean on 07/19/2008. Analysis of the Outlook PST file shows that an email with the spreadsheet attached was sent from the CFO's email account on 07/19/2008 to tuckgorge@gmail.com, in the belief that it was being sent to alison@m57.biz. The analysis has not shown that anyone else at the company was involved.

The evidence shows that this was a spear-phishing attack in which the CFO was targeted by an attacker in order to exfiltrate sensitive company information, in this case the spreadsheet in question. After receiving the spreadsheet, the attacker made it public by posting it to the competitor's website.

Security awareness training should be conducted for all employees at m57.biz to reduce the chance of a similar attack succeeding in the future. Additional investigation may be needed to identify who tuckgorge@gmail.com is; he or she may be a disgruntled current or former employee. The email analysis shows that a job applicant was turned down: Alison's email to Jean of 07/06/2008 refers to a tattooed woman who had applied for a job and was rejected.

REFERENCES

American Registry for Internet Numbers, Ltd. (2018). Retrieved from https://whois.arin.net/rest/net/NET-208-97-128-0-1/pft?s=208.97.132.74

Bone, B. (2017, October 12). How to Verify the MD5 Hash Value of an Image. Retrieved from https://support.accessdata.com/hc/en-us/articles/203921395-How-to-Verify-the-MD5-Hash-Value-of-an-Image

Lepide Software Private Limited. (2018). PST Viewer - Free tool to open and view content of PST files without Ms Outlook. Retrieved from https://www.nucleustechnologies.com/pst-viewer.html

Obbayi, L. (2018, March 23). Chain of Custody in Computer Forensics. Retrieved from https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-study/legal-and-ethical-principles/chain-of-custody-in-computer-forensics/#gref

Scalet, S. D. (2005, December 1). How to Keep a Digital Chain of Custody. Retrieved from https://www.csoonline.com/article/2118807/investigations-forensics/how-to-keep-a-digital-chain-of-custody.html

Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations. (2009). Retrieved from Office of Legal Education, Executive Office for United States Attorneys website: https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ssmanual2009.pdf

U.S. Department of Justice. (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. Retrieved from National Institute of Justice website: https://www.ncjrs.gov/pdffiles1/nij/199408.pdf

APPENDIX A

CHAIN OF CUSTODY

The first goal of a forensic investigator when handling a case is to establish the chain of custody of the best image; it is important to keep as much information as possible about the evidence at hand to ensure admissibility in court. The process followed to establish the chain of custody was as follows (Obbayi, 2018):

1) The original forensic image and the hard drive from the laptop were stored in a secure location, and a copy of the image was used to conduct the analysis.

2) Photographs were taken of the physical evidence, the CFO's laptop and its internal SSD, showing details such as physical condition, serial number, model number, and disk size and type.

3) Screenshots of the evidence content were taken and are presented in this report.

4) A detailed timeline was kept of who held the evidence since its acquisition and of the actions that were performed on it.

5) A bit-for-bit clone of the digital evidence was loaded onto our forensic workstations to ensure that we worked from a complete duplicate of the evidence in question.

6) A hash comparison was performed to authenticate the working clone and to ensure that the data obtained by the bit-for-bit copy is not corrupt and reflects the true state of the original evidence.
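The hash comparison in step 6 above, the hash check in step 1 of the Image Analysis Procedure, and the integrity-preserving copies described in the Image Acquisition Procedure all come down to the same operation: recompute the digest of the working copy and compare it with the digest recorded at acquisition. The following Python is an added example of that check, not code from the report, from FTK Imager, or from EnCase. The sample "image" is constructed in a temporary file so the block runs offline; the plain-text hash-record format parsed by parse_hash_record (one `ALGORITHM: hexdigest` line per algorithm) is an assumption for the example, not any tool's actual log format.

```python
"""Verify a working copy of a forensic image against the digest recorded at
acquisition, reading the image in chunks so it never has to fit in memory.

Added example; not the report's own procedure nor FTK Imager/EnCase code.
The sample image is CONSTRUCTED in a temporary file so the block runs
offline.  The hash-record format accepted by parse_hash_record ('MD5: <hex>'
or 'SHA256 checksum: <hex>', one per line) is an assumption, not a tool's
real log format.
"""
import hashlib
import hmac
import os
import re
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads keep memory flat for multi-GB images

# Algorithm name, anything up to the digest, then the hex digest on its own.
HASH_LINE = re.compile(r"^\s*(sha256|sha1|md5)\b.*?\b([0-9a-f]{32,64})\s*$", re.I)


def hash_image(path, algorithms=("md5", "sha256")):
    """Compute every requested digest in a single pass over the file."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected):
    """Return (ok, computed).  `expected` maps algorithm -> recorded hex digest.

    Every recorded digest must match.  The comparison ignores case and uses
    a constant-time compare, so a near-miss and a total mismatch are
    indistinguishable from the outside."""
    computed = hash_image(path, tuple(expected))
    ok = all(
        hmac.compare_digest(computed[algo].lower(), digest.strip().lower())
        for algo, digest in expected.items()
    )
    return ok, computed


def parse_hash_record(text):
    """Parse an (assumed) plain-text hash record into {algorithm: digest}."""
    record = {}
    for line in text.splitlines():
        m = HASH_LINE.match(line)
        if m:
            record[m.group(1).lower()] = m.group(2).lower()
    return record


def write_sample_image(tamper=False):
    """Constructed stand-in for a raw image: about 3 MiB of patterned bytes,
    large enough to exercise the chunked read.

    With tamper=True a single byte in the middle is flipped, which is enough
    to change every digest."""
    data = bytearray(bytes(range(256)) * (3 * 4096 + 7))
    if tamper:
        data[len(data) // 2] ^= 0x01
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as fh:
        fh.write(data)
    return fh.name


if __name__ == "__main__":
    image = write_sample_image()
    recorded = hash_image(image)  # stands in for the digests recorded at acquisition
    print("verify original :", verify_image(image, recorded)[0])
    altered = write_sample_image(tamper=True)
    print("verify tampered :", verify_image(altered, recorded)[0])
    os.remove(image)
    os.remove(altered)
```

Computing MD5 and SHA-256 in the same pass costs one read of the image instead of two, which matters for disk-sized files; recording a second algorithm alongside MD5 also means the record does not rest on MD5 alone. A single flipped byte anywhere in the working copy is enough for verify_image to return False, which is exactly why the check is repeated whenever a copy changes hands.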

The chain of custody form was updated every time the best evidence was handed off, from its seizure until the evidence is presented in court. A written affidavit describing the investigator, the evidence, and the findings was written, reviewed, and signed off by a fellow forensic investigator as well as myself; there is no need to bring the hardware evidence to court. Under the decommissioning plan, the stored evidence will be destroyed after the findings have been presented to court (Scalet, 2005).

Table 1.0 shows the devices that were acquired for analysis and Figure 1.1 shows the partition information:

Evidence | Description and Model | Serial Number | Notes
1 | Black and grey Compaq Presario C600 laptop | CND6752RJN | Photograph taken. Minor scratches on the laptop screen.
1 | Seagate SSD hard drive | S/N: P4N00512; Volume S/N: 744F-C21F | One NTFS (Windows XP) partition, 10,228 MB

Table 1.0: Acquired Digital Evidence Information

Figure 1.1: Forensic Image Information
