
Final Project: Computer Forensic Examination Report


Cyber Incident Response and Computer Network Forensic

Cesar A. Martinez

University of San Diego


Digital Forensics Examiner: Cesar Adrian Martinez

Subject: Digital Forensic Examination Report

Offence: Leak of a spreadsheet with sensitive information

Accused: One of the employees or an outside attacker

Date Request: June 23, 2020

Date Conclusion: June 29, 2020


Contents Page

• Background
• Objectives
• Questions
• Tools used
• Legal considerations
• Chain of custody
• Evidence Collection
• Evidence Found and Analysis
• Analysis results
• Conclusion


Background

Recently a spreadsheet from the company M57 dotBiz was posted on the competitor’s
website. We know that the spreadsheet contained personal information of several individuals
from the company, including their first and last names, their positions in the company,
salaries, and social security numbers. The possible suspects are the president Alison Smith,
the CFO Jean Jones, 4 programmers, 2 marketing employees, and 1 BizDev employee. An interview
with Alison and Jean gave us some information regarding this incident. Jean, the CFO, said that
Alison asked him to prepare a spreadsheet as part of the new funding round; Jean complied
with this task and sent Alison the spreadsheet through email. Alison, the president, denied
taking any part in this incident. She denied knowing what Jean was talking about and argued
that she never asked for a spreadsheet and never received a spreadsheet by email.
Lastly, an image file of Jean’s hard drive has been collected and will be analyzed by the
digital forensic team.

Objectives

Our objectives are to:
• analyze the image file of the hard drive from Jean’s computer
• single out any data that is linked with the data leak incident
• document our investigation process
• prepare a report to be presented to a court/judge

Questions

• How did the spreadsheet end up on the competitor’s website?
• Were any of the employees at M57 dotBiz involved in the data leak of the spreadsheet?
• Was it a malicious attack, either from the inside or the outside?

Tools used

• Autopsy
• FTK Imager
• PST Viewer
• EnCase

Legal considerations

• The Fourth Amendment
i) An internal investigation was conducted, which allows the company to seize
the company’s electronic devices, desktops, laptops, etc.
• Voluntary Consent
ii) Both suspects have given the company’s investigation team consent to
search for evidence in their electronic devices
iii) See Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973)

Chain of Custody

What is the evidence?
• Hard drive image of the suspect: jeanm57.E01
How did you get it?
• The image file was given to the Digital Forensic Team by the IT Department from
M57 dotBiz.
When was it collected?
• July 22, 2008
Who has handled it?
• IT Department from M57 dotBiz and Digital Forensic Team
Why did that person handle it?
• The IT Department from M57 dotBiz were the first to respond to the
incident. They collected the evidence to avoid any alteration of it by the
suspects.
Where was it stored?
• It is currently stored in our laboratory, where it is under surveillance and only
authorized personnel can access it.

Evidence Collection

The collection of the evidence was done following the guidelines from SWGDE.

1) Remove all non-essential personnel from the proximity of the digital evidence
2) Label the scene and document possible evidence
3) Recognize possible devices that might store data and information
4) Determine the operational state of computer systems or electronic devices
5) Observe the system for any potential destructive activity
6) Capture the RAM and other volatile data from the operating system
7) Store and secure evidence to prevent loss, contamination, or deleterious change
8) Document the collection of devices


Evidence Found and Analysis

Evidence #1 – Screenshot of the image file from Jean’s hard drive

The screenshot in Evidence #1 was gathered using a forensic tool called Autopsy. This tool
allows us to access the image file that was created from Jean’s hard drive. Here we can see
that Jean created the spreadsheet called m57biz.xls. Jean created this on July 19, 2009. We can
also see that the spreadsheet was sent by email to Alison Smith.

Evidence #2 – Screenshot of the request made by Alison to Jean.


The screenshot of Evidence #2 was gathered using a PST Viewer tool, since the image file had
several email conversations that were saved as .pst files. The evidence shows the conversation
between Alison and Jean using the official emails from the company. For Alison it is
“alison@m57.biz” and for Jean it is “jean@m57.biz”. From the conversation we can determine that
a request was made by Alison, in which she asked for the employees’ salaries and social security
numbers. In addition, she asked Jean not to mention this to anybody. The request was made due
to a potential investor.

Evidence #3 – Screenshot from the conversation with Jean and an impostor of Alison

The screenshot from Evidence #3 was gathered in the same way as the previous one, using a PST
Viewer. This screenshot from the email conversation between Jean and the impostor of Alison shows
how Jean complied with the request for the spreadsheet by sending it as an attachment. What
we see at the top is that Jean is using his official email account, but the impostor has the
name “alison@m57.biz” and the email account “tuckgorge@gmail.com”. We can see from this
conversation that the impostor obtained the spreadsheet that was made for Alison.

Evidence #4 – Second screenshot of the conversation between Jean and the impostor


The screenshot of Evidence #4 is once again gathered with PST Viewer. Here, we can see a
continuation of the conversation between Jean and the impostor. Once again, we can see that
the impostor is using the email “tuckgorge@gmail.com” but has the name “alison@m57.biz”. In
the conversation the impostor acknowledges that the spreadsheet has been received. In
addition, the impostor asked for discretion and not to tell anybody.

Analysis Results

From the evidence that we have gathered we can conclude that Jean was the one who created
and sent the spreadsheet through email. Alison did request the spreadsheet to be created with
the names, salaries, and social security numbers of the employees. Jean did send the
spreadsheet through email, but unfortunately it wasn’t sent to Alison. The spreadsheet was sent
to an impostor pretending to be Alison, the president of the organization. The impostor used
the email address “tuckgorge@gmail.com” and the name “alison@m57.biz”. The impostor
used Alison’s official email address as the name shown in the email; this was probably why Jean
was deceived and tricked into sending the spreadsheet to the wrong email address.
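
The mismatch described above, a name that shows a company address while the mail actually routes to an outside account, can be checked mechanically when triaging headers exported from a mailbox. The Python sketch below is an added example, not part of the original report or of the tools it used; the function names, the internal-domain list and the sample headers (constructed from the addresses quoted in the report) are assumptions.

```python
import re
from email.utils import parseaddr

# An e-mail address embedded in the display-name part of a header.
ADDR_IN_NAME = re.compile(r"[\w.%+-]+@[\w.-]+\.[A-Za-z]{2,}")

# Assumption: the organisation's own mail domain(s).
INTERNAL_DOMAINS = ("m57.biz",)


def check_sender(header_value, internal_domains=INTERNAL_DOMAINS):
    """Classify one From/To header value; returns (verdict, name, address)."""
    name, addr = parseaddr(header_value)
    addr = addr.lower()
    shown = ADDR_IN_NAME.search(name)
    # No address in the display name, or it matches the real one: nothing odd.
    if shown is None or shown.group(0).lower() == addr:
        return "ok", name, addr
    shown_domain = shown.group(0).lower().rpartition("@")[2]
    real_domain = addr.rpartition("@")[2]
    # Display name claims an internal mailbox but the mail routes elsewhere.
    if shown_domain in internal_domains and real_domain not in internal_domains:
        return "spoofed-internal-sender", name, addr
    return "name-address-mismatch", name, addr


def triage(headers):
    """Return only the header values that need an examiner's attention."""
    results = [(h, check_sender(h)[0]) for h in headers]
    return [(h, verdict) for h, verdict in results if verdict != "ok"]


# Constructed sample headers built from the addresses quoted in the report.
SAMPLE_HEADERS = [
    'Jean <jean@m57.biz>',
    '"alison@m57.biz" <alison@m57.biz>',
    '"alison@m57.biz" <tuckgorge@gmail.com>',
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS):
        print(f"{verdict}: {header}")
```

Only the third sample header is reported, because it is the only one where the address shown as the name and the address the mail is delivered to disagree.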

Conclusion

• Alison requested a spreadsheet to be created by Jean with sensitive information
• Jean created the spreadsheet and sent it through email to an impostor pretending to be
Alison
• The impostor received the spreadsheet using the email “tuckgorge@gmail.com”
• The spreadsheet was probably posted on the competitor’s website thanks to the
impostor
