Examination Report
Final Project
Cameron W
CSOL-590
Investigator Information
Investigator: Cameron Walters
Position: Senior Security Lead
Company: M57
Case Number: 40404
Report Synopsis
Subject: Digital Forensic Examination Report
Offence: Leak of Private Information, Privacy Breach, Data Exfiltration
Accused: Jean Jane
Date of Request: December 3rd, 2018
Date of Conclusion: December 10th, 2018
Table of Contents
Corporate Breach
Examination Details
  Tools Used
    VirtualBox
    Win 10 Virtual Machine
    Autopsy
    Belkasoft Acquisition Tool
  Evidence to be Searched For
    Leaked Spreadsheet
  Findings from the Investigation
    Email 1: Phished email sent with spoofed email name
    Email 2: Reply to spoofed email with leaked spreadsheet
    Email 3: Reply to spoofed email with leaked spreadsheet, attachment shown
Analysis Results
Conclusion
Recommendation
References
On August 7th, 2008, a spreadsheet containing sensitive information was posted online on
a competitor's forum page. The spreadsheet included sensitive personal information of M57's
employees and new hires, such as employee names, positions, salaries, and social security
numbers. Only one person in the company had this information, which led to Jean Jane, as her
position is the only one that deals with employees' social security numbers.
When Jean Jane was confronted, she claimed she was hacked and had no idea how the
spreadsheet had left her laptop. She maintained she was hacked because she had not disclosed or
given out the spreadsheet to anyone outside the company. She gave us full access to her work
laptop and all media storage to be analyzed in order to prove her innocence.
The case was given to Security Team Lead Cameron Walters, who acts as the company's
forensic expert and investigator. The data taken was the hard drive from Jean Jane's laptop, which
was imaged using Belkasoft Acquisition Tool so that the original drive was preserved. Once the
image was created it was brought to a secure air-gapped laptop with a Windows 10 VM, where the
data was loaded and then analyzed using Autopsy. The aim was to discover how the data was
leaked from the evidence on her hard drive while preserving the integrity of the data.
Corporate Breach
At this moment Jean Jane is accused of breaking company policy by providing the personal
employee information to competitors, from where it was leaked to the public. The breach violates
the company's policies on how personal private data is to be handled.
Questions
1. How was the data exfiltrated without the company's knowledge at the time of the breach?
2. Why did it take the data breach being posted online for the breach to become known?
3. How did the attacker know Jean had the spreadsheet in question?
Offences
1. Theft of private information on employees.
2. Theft of private information on new hires.
3. Theft of company data.
4. Publication of private facts.
5. Invasion of privacy.
One item was seized for the investigation: a Dell Inspiron laptop, which was collected
while the power was on to ensure that all volatile data was preserved. Once the volatile data was
preserved and stored, the hard drive was taken out to be documented and imaged, creating a
working image of the original drive so that the evidence could not be tampered with during the
forensic examination of the hard drive's contents.
Evidence Seized
#   Evidence Description and Model            Serial Number
1.  Dell Inspiron 15.6 - I7567-5650BLK-PUS    40412345689404
2.  Samsung HDD - HM160HC                     S12TJD0Q149197
Below is a copy of the chain of custody form that was used for this investigation. In the
image below, Cameron Walters, the lead investigator, has submitted and documented the evidence
displayed in the form. The evidence was only checked out once, for the forensic analysis, and was
checked back in to Ryan Zane, ensuring the integrity of the evidence.
Examination Details
Tools Used
VirtualBox
Autopsy
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and
other digital forensics tools. It is used by law enforcement, military, and corporate examiners to
investigate what happened on a computer. You can even use it to recover photos from your
camera's memory card. (Sleuthkit)
Belkasoft Acquisition Tool
Belkasoft Acquisition Tool helps investigators to complete one of the most important
steps of investigation: obtaining data from a data source. Four types of data sources are currently
supported: Hard or removable drives, Mobile devices, Computer RAM memory, Cloud data.
(Belkasoft)
Evidence to be Searched For
Leaked Spreadsheet
Below is an image of the spreadsheet in question that was leaked to the public in the
forums section of a competitor's website. The document is located on Jean's drive, on her
desktop, under the name m57biz.xls. Inside the spreadsheet is the employees' personal
information.
Findings from the Investigation
Email 1: Phished email sent with spoofed email name
Below is an image from Autopsy of Jean's email account. The email sent to Jean's
account has a spoofed sender made to look like alison@m57.com, a coworker; however, it is truly
from tuckgorge@gmail.com. The email requests that Jean send the attacker a list of employees'
and new hires' names, salaries and social security numbers.
Email 2: Reply to spoofed email with leaked spreadsheet
Below is an image from Autopsy of Jean's email account, where Jean has replied to the
attacker with the spreadsheet containing all the private employee information.
Email 3: Reply to spoofed email with leaked spreadsheet, attachment shown
Below is an image from Autopsy of Jean's email account, where Jean has replied to the
attacker with the spreadsheet containing all the private employee information; the attachment
is shown.
Analysis Results
The spreadsheet's location on Jean's drive was the desktop, in a file called m57biz.xls.
Once the file's existence was verified on the drive, I then searched the imaged drive for any kind
of exfiltration of the spreadsheet, checking the USB connections around the date in question,
and found none. From there I searched her email account for any emails with attachments. The
email in which she sent the spreadsheet was located and then analyzed. Upon review I found that
the attacker spoofed his email address to look like Alison's, another employee within the
company, to lend the request credibility and deflect suspicion. Jean then replied to the attacker's
email, complying with the request by attaching the spreadsheet to her reply, thus leaking the
information.
The emails are displayed above in screenshots from the investigation. Figure 3 is proof of
the attacker sending the request, and figures 5, 6, and 7 show Jean's reply to the spoofed attacker
email.
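The sender check described above, as an added example that is not part of the report or of Autopsy's own tooling: it parses two constructed sample messages modelled on the emails in the findings, compares the address shown in the From display name with the real sender address, and lists attachment filenames. The m57.com domain, the message bodies and the function names are assumptions.

```python
# Added example, not code from the report or from Autopsy. Both messages are
# constructed samples modelled on the emails described above.
from email import message_from_string
from email.utils import parseaddr
import re

INTERNAL_DOMAIN = "m57.com"  # assumption: the company's mail domain
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

# Constructed sample: the request whose display name mimics a coworker.
PHISH = """\
From: "alison@m57.com" <tuckgorge@gmail.com>
To: jean@m57.com

Jean, please send me the names, salaries and SSNs of staff and new hires.
"""

# Constructed sample: the reply that carried the spreadsheet as an attachment.
REPLY = """\
From: jean@m57.com
To: "alison@m57.com" <tuckgorge@gmail.com>
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Here you go.
--B
Content-Type: application/vnd.ms-excel; name="m57biz.xls"
Content-Disposition: attachment; filename="m57biz.xls"

--B--
"""


def sender_check(raw):
    """Return (display_name, real_address, suspicious) for the From header."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    real_domain = addr.rsplit("@", 1)[-1].lower()
    # An address embedded in the display name is what the recipient sees;
    # flag it when its domain differs from the real sender's domain, or when
    # the internal domain is shown while the real sender is external.
    shown = ADDR_RE.search(name)
    shown_domain = shown.group(0).rsplit("@", 1)[-1].lower() if shown else None
    suspicious = (shown_domain is not None and shown_domain != real_domain) or (
        INTERNAL_DOMAIN in name.lower() and real_domain != INTERNAL_DOMAIN)
    return name, addr, suspicious


def attachments(raw):
    """Filenames of every MIME part that carries one (the leaked m57biz.xls)."""
    msg = message_from_string(raw)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]
```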
Conclusion
Upon analysis of the event I found that Jean was the victim of a phishing attack. The
attacker spoofed his email address to look like that of Alison, who works with Jean at M57,
masking the attack as a normal everyday request within the company. There is no evidence to
contradict that she was a victim. Likewise, there is no evidence that Jean was working with the
attacker or for anyone else. There is no evidence that Jean had any knowledge of the attack
beforehand, nor any reason to doubt her innocence from the evidence provided.
Jean Jane was targeted for her access to the sensitive data on the employees. Combined
with the use of Alison's email address, any normal employee could fall for this attack, which is
why this kind of attack is so common and effective.
Recommendation
It is my recommendation that the charges and suspicion against Jean Jane be dropped, as
there is no evidence to support them.
It is my recommendation that Jean Jane be treated as a victim of a phishing attack.
It is also my recommendation that the company provide phishing training so that no further
incidents happen.
References
D4Discovery (November 08, 2018). How to Document Your Chain of Custody and Why It's
Important. Retrieved on December 8th, 2018 at
https://www.d4discovery.com/discover-more/how-to-document-your-chain-of-custody-and-why-its-important
RFC-Editor (February 2002). Guidelines for Evidence Collection and Archiving. Retrieved on
December 8th, 2018 at https://www.rfc-editor.org/rfc/pdfrfc/rfc3227.txt.pdf
Digital Forensics. How to Make the Forensic Image of the Hard Drive. Retrieved on
December 8th, 2018 at
https://www.digitalforensics.com/blog/how-to-make-the-forensic-image-of-the-hard-drive/
DMLP. Publishing Personal and Private Information. Retrieved on December 8th, 2018 at
http://www.dmlp.org/legal-guide/publishing-personal-and-private-information
NIST (2018). Sample Chain of Custody Form. Retrieved on December 8th, 2018 at
https://www.nist.gov/document/sample-chain-custody-formdocx