
12/10/2018

Computer Forensic Examination Report
Final Project

Cameron W
CSOL-590

Digital Forensic Report Overview

Investigator Information
Investigator: Cameron Walters
Position: Senior Security Lead
Company: M57
Case Number: 40404

Digital Forensics Examiner
Forensics Examiner: Cameron Walters
Employee ID: #4040404
Experience: Digital Forensic Expert
Location: Los Angeles, CA
Contact Number: (909) 404-0404

Report Synopsis
Subject: Digital Forensic Examination Report
Offence: Leak of Private Information, Privacy Breach, Data Exfiltration
Accused: Jean Jane
Date of Request: December 3rd, 2018
Date of Conclusion: December 10th, 2018

Table of Contents

Digital Forensic Report Overview...................................................................................................1

Background to the Case...................................................................................................................3


Corporate Breach.............................................................................................................................3

Questions Asked Relevant to the Case............................................................................................4

List of Criminal Offences.................................................................................................................4

Search and Seizure of Evidence......................................................................................................5

Evidence Chain of Custody Form....................................................................................................6

Examination Details.........................................................................................................................7

Tools Used.......................................................................................................................................7

VirtualBox...............................................................................................................................7
Win 10 Virtual Machine..........................................................................................................7
Autopsy....................................................................................................................................7
Belkasoft Acquisition Tool......................................................................................................7
Evidence to be Searched For.......................................................................................................8
Leaked Spreadsheet.................................................................................................................8
Findings from the Investigation...................................................................................................9
Email 1: Phished email sent with spoofed email name...........................................................9
Email 2: Reply to spoofed email with leaked spreadsheet......................................................9
Email 3: Reply to spoofed email with leaked spreadsheet, attachment shown.....................10
Analysis Results.............................................................................................................................10

Conclusion.....................................................................................................................................11

Recommendation...........................................................................................................................11

References......................................................................................................................................12

Background to the Case

On August 7th, 2008, a spreadsheet containing sensitive information was posted online on
a competitor's forum page. The spreadsheet included sensitive personal information about M57's
employees and new hires, such as employee names, positions, salaries, and social security
numbers. Only one person in the company had this information, which led to Jean Jane, as her
position is the only one that deals with employees' social security numbers.

When Jean Jane was confronted, she claimed she had been hacked and had no idea how the
spreadsheet had left her laptop. She said she had not disclosed or given the spreadsheet to
anyone outside the company. She gave us full access to her work laptop and all media storage
to be analyzed in order to prove her innocence.

The case was given to Security Team Lead Cameron Walters, who acts as the company's
forensic expert and investigator. The evidence taken was the hard drive from Jean Jane's laptop,
which was imaged using Belkasoft Acquisition Tool to preserve the original. Once the image was
created it was brought to a secure air-gapped laptop with a Windows 10 VM, where the image was
loaded and then analyzed using Autopsy. Evidence of how the data was leaked will hopefully be
found on her hard drive, and it will be uncovered while preserving the integrity of the data.

Corporate Breach

At this moment Jean Jane is accused of leaking data and breaking company policy by
providing personal employee information to competitors, which was then leaked to the public.
The breach violates the company's policies on how personal private data is to be handled.

Questions Asked Relevant to the Case

Questions
1. How was the data exfiltrated without the company's knowledge at the time of the breach?
2. Why did the breach only become known once the data had been posted online?
3. How did the attacker know Jean had the spreadsheet in question?
4. What is the company policy on handling private data?
5. Why was the company policy on private data not followed?

List of Criminal Offences

Offences
1. Theft of private information on employees.
2. Theft of private information on new hires.
3. Theft of company data.
4. Publication of private facts.
5. Invasion of privacy.

Search and Seizure of Evidence

One item was seized for the investigation: a Dell Inspiron laptop, which was collected
while powered on to ensure that all volatile data was preserved. Once the volatile data was
preserved and stored, the hard drive was removed to be documented and imaged. The image is the
working copy of the original drive, so that the evidence could not be tampered with during the
forensic investigation of the hard drive's contents.

Evidence Seized
#   Evidence Description and Model           Serial Number
1.  Dell Inspiron 15.6 - I7567-5650BLK-PUS   40412345689404
2.  Samsung HDD - HM160HC                    S12TJD0Q149197

Figure 1: Item #1 Dell Inspiron Laptop
Figure 2: Item #2 Samsung HDD

Evidence Chain of Custody Form

Below is a copy of the chain of custody form that was used for this investigation. In the
image below Cameron Walters, the lead investigator, has submitted and documented the evidence,
which is displayed in the form. The evidence was only checked out once, for the forensic
analysis, and was checked back in to Ryan Zane, ensuring the integrity of the evidence.

Figure 3: Copy of Chain of Custody Form

Examination Details

Tools Used

VirtualBox

VirtualBox is a powerful x86 and AMD64/Intel64 virtualization product for enterprise as
well as home use. Not only is VirtualBox an extremely feature rich, high performance product
for enterprise customers, it is also the only professional solution that is freely available as Open
Source Software under the terms of the GNU General Public License (GPL) version 2. See
"About VirtualBox" for an introduction. (VirtualBox)

Win 10 Virtual Machine

A Win10 VM is a Windows 10 virtual machine provided by Microsoft, used here as the
platform on which to investigate the digital evidence. It was chosen because it provides a safe,
isolated environment in which to forensically search the data without the possibility of external
intrusion.

Autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and
other digital forensics tools. It is used by law enforcement, military, and corporate examiners to
investigate what happened on a computer. You can even use it to recover photos from your
camera's memory card. (Sleuthkit)

Belkasoft Acquisition Tool

Belkasoft Acquisition Tool helps investigators to complete one of the most important
steps of investigation: obtaining data from a data source. Four types of data sources are currently
supported: Hard or removable drives, Mobile devices, Computer RAM memory, Cloud data.
(Belkasoft)

Evidence to be Searched For

Leaked Spreadsheet

Below is an image of the spreadsheet in question that was leaked to the public in the
forums section of a competitor's website. You can see that the document is located on Jean's
drive, on her desktop, under the name m57biz.xls. Inside the spreadsheet you can see the
employees' names and their personal information.

Figure 4: Screenshot of Spreadsheet and location on the drive



Findings from the Investigation

Email 1: Phished email sent with spoofed email name

Below is an image from Autopsy of Jean's email account. The email sent to Jean's account
has a spoofed email address made to look like alison@m57.com, a coworker; however, it is truly
from tuckgorge@gmail.com. The email requests that Jean send the attacker a list of employee
and new-hire names, salaries, and social security numbers.

Figure 5: Screenshot in Autopsy of spoofed email

Email 2: Reply to spoofed email with leaked spreadsheet

Below is an image from Autopsy of Jean's email account, where Jean has replied to the
attacker with the spreadsheet containing all the private employee information.

Figure 6: Screenshot in Autopsy of reply to spoofed email



Email 3: Reply to spoofed email with leaked spreadsheet, attachment shown

Below is an image from Autopsy of Jean's email account, where Jean has replied to the
attacker with the spreadsheet containing all the private employee information; here the
attachment itself is shown.

Figure 7: Screenshot in Autopsy of reply to spoofed email attachment

Analysis Results

Once Jean's laptop, a Dell Inspiron 15.6 - I7567-5650BLK-PUS (Serial #
40412345689404), had been acquired, the laptop's hard drive was removed so it could be imaged
using Belkasoft Acquisition Tool. The original hash of the hard drive was
A232AF9FKJ290342123934HJ. After imaging, the hash of the imaged drive was checked and found
to be the same as the original hash, A232AF9FKJ290342123934HJ.
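The hash comparison described above, as an added example that is not part of the original report and not Belkasoft's tooling: a Python script that hashes a source drive file and its image in chunks with two algorithms and reports whether every digest matches. The "drive" is a constructed temporary file, the image is a byte-for-byte copy standing in for the acquisition step, and the tamper option flips one byte of the image to show how a mismatch is reported. The report's own hash value is not reproduced here.

```python
"""Verify that a forensic image matches its source by hashing both in chunks.

Added example for this report; it is not the report's own tooling. The 'drive'
and its image are constructed files written to a temporary directory."""
import hashlib
import os
import shutil
import tempfile

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so large images need not fit in memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, streamed in CHUNK_SIZE pieces."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(source_path, image_path, algorithms=("md5", "sha256")):
    """Hash the source drive and its image with each algorithm and report matches.

    Two algorithms are recorded so the acquisition record still stands if one of
    them is later weakened; 'verified' is True only if every algorithm agrees."""
    report = {}
    for alg in algorithms:
        src, img = hash_file(source_path, alg), hash_file(image_path, alg)
        report[alg] = {"source": src, "image": img, "match": src == img}
    report["verified"] = all(report[alg]["match"] for alg in algorithms)
    return report


def demo(tamper=False):
    """Build a constructed 2 MiB 'drive', image it with a byte-for-byte copy, and verify.

    With tamper=True one byte of the image is changed to show the failure case."""
    drive_contents = bytes(range(256)) * 8192  # constructed, deterministic sample data
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "source.dd")
        image = os.path.join(workdir, "image.dd")
        with open(source, "wb") as fh:
            fh.write(drive_contents)
        shutil.copyfile(source, image)  # stands in for the acquisition tool's imaging step
        if tamper:
            with open(image, "r+b") as fh:
                fh.seek(4096)
                fh.write(b"\xff")  # the original byte at offset 4096 is 0x00
        return verify_image(source, image)


if __name__ == "__main__":
    for flag in (False, True):
        result = demo(tamper=flag)
        print(f"tamper={flag}: verified={result['verified']}")
        for alg in ("md5", "sha256"):
            print(f"  {alg} source={result[alg]['source']}")
            print(f"  {alg} image ={result[alg]['image']}")
```

Recording both the source and image digests for more than one algorithm, together with the time and examiner, is what lets the chain of custody form later prove that the analyzed copy is the one that was acquired.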

The spreadsheet's location on Jean's drive was the desktop, in a file called m57biz.xls.
Once the file's existence on the drive was verified, I searched the imaged drive for any kind
of exfiltration of the spreadsheet, checking the USB connections around the date in question,
of which there were none. From there I searched her email account for any emails with
attachments. The email in which she sent the spreadsheet was located and then analyzed. Upon
review I found that the attacker had spoofed his email address to look like Alison's, another
employee within the company, to lend the request legitimacy and deflect any suspicion. Jean then
replied to the attacker's email, complying with the request for the spreadsheet and sending it
as an attachment to the reply, thus leaking the information.
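Added example covering both the spoofed-sender finding (Email 1) and the mailbox search for attachments described in this section; this is not the report's or Autopsy's code. It parses three constructed messages with Python's standard email library, flags a From header whose display name imitates an internal m57.com address while the real sender is external, lists each message's attachments, and then pairs attachments sent to a flagged address with that sender. The addresses tuckgorge@gmail.com and alison@m57.com and the file name m57biz.xls come from the report; jean@m57.com, the subjects, dates, Message-IDs and bodies are assumptions.

```python
"""Triage mailbox evidence for display-name spoofing and attachments.

Added example for this report, not the report's or Autopsy's code. The messages
below are constructed; tuckgorge@gmail.com, alison@m57.com and m57biz.xls are
from the report, everything else (jean@m57.com, dates, subjects, bodies) is assumed."""
from email import policy
from email.parser import BytesParser

INTERNAL_DOMAIN = "m57.com"  # company domain, taken from the addresses in the report

SAMPLE_EMLS = [
    # Email 1: display name shows a coworker's address, real sender is external
    b"""From: "alison@m57.com" <tuckgorge@gmail.com>
To: jean@m57.com
Subject: Employee list
Date: Mon, 21 Jul 2008 09:15:00 -0700
Message-ID: <constructed-1@example.invalid>
Content-Type: text/plain

Jean, please send me the names, salaries and social security numbers of all employees and new hires.
""",
    # Email 2: Jean's reply to the attacker's real address with the spreadsheet attached
    b"""From: jean@m57.com
To: tuckgorge@gmail.com
Subject: Re: Employee list
Date: Mon, 21 Jul 2008 10:02:00 -0700
Message-ID: <constructed-2@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Here you go.
--b1
Content-Type: application/vnd.ms-excel; name="m57biz.xls"
Content-Disposition: attachment; filename="m57biz.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
""",
    # A benign internal message for contrast
    b"""From: alison@m57.com
To: jean@m57.com
Subject: Lunch
Date: Tue, 22 Jul 2008 12:00:00 -0700
Message-ID: <constructed-3@example.invalid>
Content-Type: text/plain

Lunch at noon?
""",
]


def parse_eml(raw):
    """Parse raw RFC 5322 bytes into an EmailMessage with structured headers."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def first_address(msg, header):
    """Return (display_name, addr_spec) of the first mailbox in a header, or ('', '')."""
    value = msg[header]
    if value is None or not value.addresses:
        return "", ""
    mailbox = value.addresses[0]
    return mailbox.display_name, mailbox.addr_spec


def spoof_reason(msg, internal_domain=INTERNAL_DOMAIN):
    """Flag a From header whose display name imitates an internal address while the
    actual sender is outside that domain. Returns a reason string or None."""
    display, addr = first_address(msg, "From")
    domain = addr.rpartition("@")[2].lower()
    if domain == internal_domain.lower():
        return None
    if "@" + internal_domain.lower() in display.lower():
        return f"display name {display!r} imitates {internal_domain} but real sender is {addr}"
    return None


def attachment_names(msg):
    """File names of every MIME part marked as an attachment."""
    return [part.get_filename() or "<unnamed>" for part in msg.iter_attachments()]


def triage(raw_messages, internal_domain=INTERNAL_DOMAIN):
    """One finding per message: sender, recipient, spoof flag and attachment names."""
    findings = []
    for raw in raw_messages:
        msg = parse_eml(raw)
        findings.append({
            "message_id": str(msg["Message-ID"]),
            "from_addr": first_address(msg, "From")[1],
            "to_addr": first_address(msg, "To")[1],
            "spoof_reason": spoof_reason(msg, internal_domain),
            "attachments": attachment_names(msg),
        })
    return findings


def exfil_candidates(findings):
    """Attachments sent to any address that was flagged as a spoofed sender elsewhere in
    the mailbox: the reply-with-spreadsheet pattern described in this report."""
    attacker_addrs = {f["from_addr"] for f in findings if f["spoof_reason"]}
    return [(f["message_id"], f["attachments"]) for f in findings
            if f["attachments"] and f["to_addr"] in attacker_addrs]


if __name__ == "__main__":
    results = triage(SAMPLE_EMLS)
    for f in results:
        print(f["message_id"], f["from_addr"], "->", f["to_addr"],
              "| spoof:", f["spoof_reason"], "| attachments:", f["attachments"])
    print("exfiltration candidates:", exfil_candidates(results))
```

The check is deliberately narrow: it only fires when the display name contains an internal address and the real address is external, which is exactly the lookalike pattern the report describes, and it relies on the parsed addr_spec rather than the rendered header so that the display name cannot hide the true sender.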

The emails are displayed above in screenshots from the investigation. Figure 3 is proof of
the attacker sending a request, and figures 5, 6, and 7 show Jean's reply to the spoofed
attacker email.

Conclusion

Upon analysis of the event, I found that Jean was the victim of a phishing attack. The
attacker spoofed his email address to look like the address of Alison, who works with Jean at
M57, masking his attack as a normal everyday request within the company. There is no evidence
to contradict that she was a victim. Likewise, there is no evidence that Jean was working with
the attacker or for anyone else. From the evidence provided, there is no indication that Jean had
any knowledge of the attack beforehand or any reason to doubt her innocence.

Jean Jane was targeted for her access to the sensitive data on the employees. Combined
with the use of Alison's email address, any normal employee could fall for this attack, which is
why this kind of attack is so common and effective.

Recommendation

- It is my recommendation that the charges and suspicion against Jean Jane be dropped, as
  there is no evidence to support them.
- It is my recommendation that Jean Jane be treated as the victim of a phishing attack.
- It is also my recommendation that the company provide phishing training, so that no further
  incidents happen.

References

Sleuthkit (2018). Autopsy. Retrieved on December 8th, 2018 at
https://www.sleuthkit.org/autopsy/

Belkasoft (2018). Belkasoft Acquisition Tool. Retrieved on December 8th, 2018 at
https://belkasoft.com/bat

Microsoft (2018). Download Virtual Machines. Retrieved on December 8th, 2018 at
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

VirtualBox (2018). VirtualBox. Retrieved on December 8th, 2018 at
https://www.virtualbox.org/

D4Discovery (November 08, 2018). How to Document Your Chain of Custody and Why It's
Important. Retrieved on December 8th, 2018 at
https://www.d4discovery.com/discover-more/how-to-document-your-chain-of-custody-and-why-its-important

RFC-Editor (February 2002). Guidelines for Evidence Collection and Archiving. Retrieved on
December 8th, 2018 at https://www.rfc-editor.org/rfc/pdfrfc/rfc3227.txt.pdf

Digital Forensics. How to Make the Forensic Image of the Hard Drive. Retrieved on
December 8th, 2018 at
https://www.digitalforensics.com/blog/how-to-make-the-forensic-image-of-the-hard-drive/

DMLP. Publishing Personal and Private Information. Retrieved on December 8th, 2018 at
http://www.dmlp.org/legal-guide/publishing-personal-and-private-information

Wikipedia (2018). Information privacy law. Retrieved on December 8th, 2018 at
https://en.wikipedia.org/wiki/Information_privacy_law

NIST (2018). Sample Chain of Custody Form. Retrieved on December 8th, 2018 at
https://www.nist.gov/document/sample-chain-custody-formdocx
