Magdy Abadir
mabadir@sandiego.edu
10 December 2018
COMPUTER FORENSIC EXAMINATION REPORT 2
TABLE OF CONTENTS
Abstract 3
Background 4
References 10
Appendix A 11
Chain of Custody 11
ABSTRACT
As a forensics investigator and IT professional, I have learned that, most of the time, people are the weakest link in any organization's security. This concept is presented in this paper in the form of a forensic investigation report for a small private start-up
sensitive and confidential employee information was leaked, or somehow stolen, from a company executive's laptop and posted in the comments section of a competitor's website. The investigation includes acquiring a forensic image of the executive's laptop with EnCase Forensic and analyzing the data on the hard drive, including but not limited to files, folders, and email, with FTK Imager. The goal of the analysis is to answer the three questions asked by the client, m57.biz's first-round founder: when did the executive create the spreadsheet, how did it get from the executive's laptop to the competitor's website,
Keywords: Corporate exfiltration, Forensic Image, Encase, FTK Imager, PST viewer,
BACKGROUND
M57.biz is a small start-up company with $3M in seed funding that is now closing a $10M round. The company was founded and is owned by two people. During the first year, 10 employees were hired: Alison, the President of the company; Jean, the Chief Financial Officer (CFO); four programmers, Bob, Carol, David, and Emmy; two in the Marketing department, Gina,
Business is conducted as follows: programmers work from home and meet weekly at the office park. Marketing and Business Development are on the road most of the time; they work out of hotel rooms or Starbucks and meet in person once every two weeks. Most documents are
The incident involves a spreadsheet, m57plan.xls, that was stolen from the CFO's laptop and published in the comments section of a competitor's website. The spreadsheet contained m57.biz employee names, positions, salaries, and Social Security Numbers (SSNs).
The President and the CFO were interviewed, and their statements were as follows. CFO Jean stated that the President, Alison, asked her to prepare the spreadsheet as part of the new funding round and to send it to her by email. Alison stated that she does not know what Jean is talking about, that she had never asked Jean for the spreadsheet, and that she never received it by email.
As the forensics investigator, I was given a forensic image of Jean's laptop, acquired with EnCase Forensic, to analyze the data and present the evidence in court. As this laptop is company property and m57.biz is a private employer, company policy states that all devices owned by m57.biz may be inspected and all data contained therein may be extracted and investigated without notice. The company requires all employees to sign a consent form confirming that they have read and understood the company policy and will adhere to it as a condition of their employment at m57.biz. Furthermore, the client, m57.biz, signed a consent form for the internal forensic investigation detailing the complete scope of the search: to extract and analyze an image of the CFO's hard drive. All procedures complied with applicable laws and regulations.
The examination process started with a thorough assessment of the digital evidence with respect to the scope of the case to determine the course of action. Next, because digital evidence is fragile and can be altered, damaged, or destroyed by improper handling, a copy of the original evidence was taken in a manner that protects the integrity of the original; multiple copies were then made with EnCase Forensic and stored as backups, while one copy was used for the analysis. Data was extracted from the evidence, analyzed, and put into a logical and useful format. Finally, actions and observations were documented throughout the forensic analysis process (U.S. Department of Justice, 2004).
All activity pertaining to the seizure, examination, storage, or transfer of the digital evidence was documented, preserved, and made available in the chain of custody form to ensure evidence integrity. Timestamps were recorded at each step along with the actions taken, and the acquired devices (laptop and hard drive) as well as the first image of the hard drive (the best evidence image) were packaged and stored on site in a fireproof safe (Scalet, 2005). (See Appendix A for details.)
FTK Imager version 3.4.3.3 was used to analyze the acquired data from the forensic image, and Lepide Software's PST Viewer was used to analyze email and headers from the CFO's email client. The data was not encrypted, and no password cracking was required. The following
1) Loaded the image in FTK Imager and verified that the computed MD5 hash matched the verification hash stored with the image file (Bone, 2017) (Figure 1-1).
2) The spreadsheet m57biz.xls was found in the Desktop folder of Jean's user profile. The file system creation date shows 07/20/2008 (Figure 2-1). The document's embedded metadata, which is recorded independently of the file system timestamps, shows the author as Alison Smith, created on 06/16/2008 and last saved by Jean on 07/19/2008 (Figure 2-2). Further analysis of Jean's profile indicates that she uses Microsoft Outlook as her email client. The PST file was exported and opened in PST Viewer (Lepide Software Private Limited, 2018) (Figure 2-3).
3) Going through Jean's Inbox, I found a spoofed email that appears to be from alison@m57.biz. On closer examination, the From address shows that it had
4) I searched all email to alison@m57.biz in the Sent Items folder and found a reply to the Inbox email above with the subject "Please send me the information now", sent on 07/19/2008 at 17:28 (note that this send time precedes the 07/20/2008 file system creation date recorded in step 2). The email shows the attachment m57biz.xls, which, when opened in Microsoft Excel, was the file in question. A "Thanks"
Inbox folder, dated 07/19/2008. The email headers show that the spoofed email
image (image_0.png) was found in the document. Nothing suspicious was noted (see Figure 5-1).
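The header review in steps 3 and 4 amounts to comparing what a message claims (the From address) with what the transport recorded (Return-Path, Reply-To, and the Received chain). The following is an added example, not code from the report: both messages are constructed, the host names, addresses and IPs in them are assumptions, and the three mismatch checks are general indicators an examiner looks for rather than the report's own findings.

```python
"""Header checks for a message suspected of spoofing an internal sender.

Added example, not part of the report. Both messages are constructed and
every host, address and IP in them is an assumption.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed message: displays alison@m57.biz but asks for replies
# elsewhere and was handed to the company mail server by an outside host.
SPOOFED_EML = b"""\
Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (mail.example.net [203.0.113.7])
  by mx.m57.biz (Postfix) with ESMTP id 1A2B3C
  for <jean@m57.biz>; Sat, 19 Jul 2008 16:12:00 -0700
From: Alison Smith <alison@m57.biz>
Reply-To: <attacker@example.com>
To: jean@m57.biz
Subject: Please send me the information now
Date: Sat, 19 Jul 2008 16:11:30 -0700
Message-ID: <20080719231130.1A2B3C@mail.example.net>

Jean, please send me the spreadsheet now.
"""

# Constructed message that really originated inside the domain.
LEGIT_EML = b"""\
Return-Path: <alison@m57.biz>
Received: from alison-laptop.m57.biz (alison-laptop.m57.biz [10.0.0.5])
  by mx.m57.biz (Postfix) with ESMTP id 4D5E6F
  for <jean@m57.biz>; Sun, 06 Jul 2008 10:02:00 -0700
From: Alison Smith <alison@m57.biz>
To: jean@m57.biz
Subject: Interview follow-up
Date: Sun, 06 Jul 2008 10:01:30 -0700
Message-ID: <20080706170130.4D5E6F@alison-laptop.m57.biz>

Short note.
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


def parse_message(raw):
    """Parse raw RFC 5322 bytes with the modern (header-aware) policy."""
    return message_from_bytes(raw, policy=policy.default)


def address_domain(header_value):
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def received_hops(msg):
    """(host, ip) per Received header. MTAs prepend, so the earliest hop
    (the origin) is the last element."""
    hops = []
    for hdr in msg.get_all("Received", []):
        host = RECEIVED_FROM.match(str(hdr))
        ip = IP_IN_BRACKETS.search(str(hdr))
        hops.append((host.group(1).lower() if host else "",
                     ip.group(1) if ip else ""))
    return hops


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def spoof_indicators(msg, own_domain="m57.biz"):
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    from_domain = address_domain(msg.get("From"))
    # Reply-To or Return-Path pointing outside the claimed sender domain.
    for name in ("Reply-To", "Return-Path"):
        dom = address_domain(msg.get(name))
        if dom and dom != from_domain:
            findings.append(f"{name} domain {dom} differs from From domain {from_domain}")
    # A message claiming to be internal should enter at an internal host.
    hops = received_hops(msg)
    if from_domain == own_domain and hops:
        origin_host, origin_ip = hops[-1]
        if not in_domain(origin_host, own_domain):
            findings.append(
                f"earliest Received hop {origin_host} [{origin_ip}] is outside {own_domain}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_EML), ("legitimate", LEGIT_EML)):
        print(label, spoof_indicators(parse_message(raw)))
```

The origin-hop check only trusts Received headers added by the examiner's own mail server; anything below the first internal hop could have been forged by the sender, so the earliest hop is treated as a lead to follow up (for example with a WHOIS lookup on the IP), not as proof on its own.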
The outcome of the forensic analysis of the CFO's hard drive and email shows that the spreadsheet was created on her computer on 07/20/2008. Analysis of the Outlook PST file shows that an email was sent from the CFO's email account with the spreadsheet attached on
analysis has not shown that anyone else at the company was involved.
The analysis of the evidence shows that this was a spear-phishing attack in which the CFO was targeted by an attacker to exfiltrate sensitive company information, in the form of the spreadsheet in question. After receiving the spreadsheet, the attacker made it public by posting it
Security awareness training should be conducted for all employees at m57.biz to raise awareness and prevent similar attacks in the future. Additional investigation may be needed to identify who tuckgorge@gmail.com is; he or she may be a disgruntled current or former employee. The email analysis shows that a job applicant was turned down, per Alison's email to Jean on 07/06/2008 referring to a tattooed woman who had applied for a job and was not hired.
REFERENCES
https://whois.arin.net/rest/net/NET-208-97-128-0-1/pft?s=208.97.132.74
Bone, B. (2017, October 12). How to Verify the MD5 Hash Value of an Image. Retrieved from
https://support.accessdata.com/hc/en-us/articles/203921395-How-to-Verify-the-MD5-
Hash-Value-of-an-Image
Lepide Software Private Limited. (2018). PST Viewer - Free tool to open and view content of
viewer.html
Obbayi, L. (2018, March 23). Chain of Custody in Computer Forensics. Retrieved from
https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-
study/legal-and-ethical-principles/chain-of-custody-in-computer-forensics/#gref
Scalet, S. D. (2005, December 1). How to Keep a Digital Chain of Custody. Retrieved from
https://www.csoonline.com/article/2118807/investigations-forensics/how-to-keep-a-
digital-chain-of-custody.html
Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations.
(2009). Retrieved from Office of Legal Education Executive Office for United States
ccips/legacy/2015/01/14/ssmanual2009.pdf
U.S. Department of Justice. (2004). Forensic Examination of Digital Evidence: A Guide for Law
https://www.ncjrs.gov/pdffiles1/nij/199408.pdf
APPENDIX A
CHAIN OF CUSTODY
The first goal of a forensic investigator handling a case is to establish a chain of custody for the best evidence image; it is important to keep as much information as possible about the evidence at hand to ensure admissibility in court. The process followed to establish chain of
1) Saved the original forensic image as well as the hard drive from the laptop in a secure
2) Took photos of the physical evidence, the CFO's laptop and its internal SSD, showing all details such as physical condition, serial number, model number,
3) Screenshots of the evidence content were taken and are presented in this report.
4) A detailed timeline was kept of who had the evidence since its acquisition and the actions that were performed.
5) A bit-for-bit clone of the digital evidence was loaded onto our forensic workstations to
6) A hash comparison was performed to authenticate the working clone and ensure that the data obtained by the bit-for-bit copy is not corrupt and
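Items 4 and 6 above (the handling timeline and the hash check on the working clone) are the parts of the chain of custody that can be automated and re-run by anyone who later receives the evidence. The following is an added example, not the report's procedure or EnCase's own code: it writes a constructed raw (dd-style) image to a temporary directory, assumes an md5sum-style sidecar line ("<md5>  <filename>") as the recorded acquisition hash, and appends one JSON line per handling event. EnCase E01 containers carry the acquisition hash inside the file; this example does not parse that format.

```python
"""Verify a working copy of a forensic image against its recorded acquisition
hash and log the result as a chain-of-custody event.

Added example, not part of the report. The image content, the sidecar
layout and the JSON-lines log format are all assumptions.
"""
import datetime
import hashlib
import json
import os
import shutil
import tempfile


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, reading in chunks so that a
    multi-gigabyte image never has to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def read_sidecar_md5(sidecar_path):
    """First whitespace-separated token of an md5sum-style sidecar (assumed)."""
    with open(sidecar_path, "r", encoding="ascii") as fh:
        return fh.read().split()[0].lower()


def verify_image(image_path, sidecar_path):
    """Compare the computed MD5 of a copy with the recorded acquisition hash.
    Returns (ok, computed_md5, expected_md5)."""
    computed_md5, _ = hash_file(image_path)
    expected_md5 = read_sidecar_md5(sidecar_path)
    return computed_md5 == expected_md5, computed_md5, expected_md5


def log_custody_event(log_path, handler, action, item_path, md5, verified):
    """Append one JSON line per handling event, timestamped in UTC."""
    entry = {
        "timestamp": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "item": os.path.basename(item_path),
        "md5": md5,
        "verified": verified,
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Verify a constructed image, then a copy with one byte changed."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "laptop.dd")
        sidecar = image + ".md5"
        log = os.path.join(workdir, "custody.jsonl")

        # Constructed content: 1 MiB of repeating byte values, not a real image.
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * 4096)
        acquisition_md5, _ = hash_file(image)
        with open(sidecar, "w", encoding="ascii") as fh:
            fh.write(f"{acquisition_md5}  {os.path.basename(image)}\n")

        ok, computed, expected = verify_image(image, sidecar)
        log_custody_event(log, "examiner", "verify working copy", image, computed, ok)

        # Simulate a corrupted or altered copy by flipping a single byte.
        tampered = os.path.join(workdir, "laptop_copy.dd")
        shutil.copyfile(image, tampered)
        with open(tampered, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"\xff")
        tampered_ok, tampered_md5, _ = verify_image(tampered, sidecar)
        log_custody_event(log, "examiner", "verify second copy", tampered, tampered_md5, tampered_ok)

        with open(log, encoding="utf-8") as fh:
            entries = [json.loads(line) for line in fh]

    return {
        "original_ok": ok,
        "tampered_ok": tampered_ok,
        "expected": expected,
        "computed_tampered": tampered_md5,
        "log_entries": len(entries),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

MD5 is kept here because it is what the report and the tool in step 1 record; computing SHA-256 in the same pass costs nothing extra and gives a second value to write into the custody record, which matters if the MD5 is ever challenged.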
The chain of custody form was updated every time the best evidence was handed off, from its seizure until the evidence is presented in court. A written affidavit describing the investigator, the evidence, and the findings was written, reviewed, and signed off by a fellow forensic investigator as well as myself; there is no need to bring the hardware evidence to court. As per the decommissioning plan, the stored evidence will be destroyed accordingly
Table 1.0 shows the devices that were acquired for analysis and Figure 1.1 shows the
partition information: