Cesar A. Martinez
Final Project: Computer Forensic Examination Report
Contents
Background
Objectives
Questions
Conclusion
Background
Recently, a spreadsheet from the company M57 dotBiz was posted on the competitor’s
website. The spreadsheet contained personal information about several individuals from
the company, including their first and last names, positions in the company, salaries, and
social security numbers. The possible suspects are the president, Alison Smith; the CFO, Jean
Jones; 4 programmers; 2 marketing employees; and 1 BizDev employee. An interview with
Alison and Jean provided some information regarding this incident. Jean, the CFO, said that
Alison asked him to prepare a spreadsheet as part of the new funding round; Jean complied
with this task and sent Alison the spreadsheet by email. Alison, the president, denied
taking any part in this incident. She denied knowing what Jean was talking about and argued
that she never asked for a spreadsheet and never received one by email.
Lastly, an image file of Jean’s hard drive has been collected and will be analyzed by the
digital forensic team.
Objectives
Our objectives are to:
analyze the image file of the hard drive from Jean’s computer
single out any data that is linked to the data leak incident
document our investigation process
prepare a report to be presented to a court/judge
Questions
Tools used
Autopsy
FTK Imager
PST Viewer
EnCase
Legal considerations
ii) Both suspects have given the company’s investigation team consent to
search for evidence on their electronic devices
iii) See Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973)
Chain of Custody
Evidence Collection
The collection of the evidence was done following the guidelines from SWGDE.
1) Remove all non-essential personnel from the proximity of the digital evidence
2) Label the scene and document possible evidence
3) Recognize possible devices that might store data and information
4) Determine the operational state of computer systems or electronic devices
5) Observe the system for any potential destructive activity
6) Capture the RAM and other volatile data from the operating system
7) Store and secure evidence to prevent loss, contamination, or deleterious change
8) Document the collection of devices
The screenshot Evidence #1 was gathered using a forensic tool called Autopsy. This tool allows
us to access the image file that was created from Jean’s hard drive. Here we can see
that Jean created the spreadsheet called m57biz.xls on July 19, 2009. We can
also see that the spreadsheet was sent by email to Alison Smith.
The screenshot of Evidence #2 was gathered using a PST Viewer tool, since the image file had
several email conversations that were saved as .pst files. The evidence shows the conversation
between Alison and Jean using the official email addresses from the company. For Alison it is
“alison@m57.biz” and for Jean it is “jean@m57.biz”. From the conversation we can determine
that a request was made by Alison, in which she asked for the employees’ salaries and social
security numbers. In addition, she asked Jean not to mention this to anybody. The request was
made because of a potential investor.
Evidence #3 – Screenshot from the conversation with Jean and an impostor of Alison
The screenshot from Evidence #3 was gathered in the same way as the previous one, using a PST
Viewer. This screenshot from the email conversation between Jean and the impostor of Alison
shows how Jean complied with the request for the spreadsheet by sending it as an attachment.
At the top we can see that Jean is using his official email account, but the impostor has the
display name “alison@m57.biz” and the email account “tuckgorge@gmail.com”. This conversation
shows that the impostor received the spreadsheet that was made for Alison.
Evidence #4 – Second screenshot of the conversation between Jean and the impostor
The screenshot of Evidence #4 was once again gathered with PST Viewer. Here, we can see a
continuation of the conversation between Jean and the impostor. Once again, we can see that
the impostor is using the email address “tuckgorge@gmail.com” but has the name “alison@m57.biz”.
In the conversation the impostor acknowledges that the spreadsheet has been received. In
addition, the impostor asked for discretion and not to tell anybody.
Analysis Results
From the evidence that we have gathered we can conclude that Jean was the one who created
and sent the spreadsheet through email. Alison did request the spreadsheet to be created with
the names, salaries, and social security numbers of the employees. Jean did send the
spreadsheet through email, but unfortunately it wasn’t sent to Alison. The spreadsheet was sent
to an impostor pretending to be Alison, the president of the organization. The impostor used
the email address “tuckgorge@gmail.com” and the name “alison@m57.biz”. Because the impostor
used Alison’s official email address as the name shown in the email, this was probably why Jean
was deceived and tricked into sending the spreadsheet to the wrong email address.
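The name/address mismatch described above can be checked mechanically once the messages are exported from the .pst as plain RFC 5322 text. The following is an added example, not part of the original report or of any tool it names: the function name and the sample messages (subjects and bodies) are constructed for illustration, and only the three email addresses come from the report.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Loose pattern for "something that looks like an e-mail address".
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def mismatched_display_names(raw, headers=("From", "Reply-To", "To", "Cc")):
    """Return (header, claimed_address, real_address) for each mailbox whose
    display name contains an e-mail address other than the real one."""
    msg = message_from_string(raw)
    findings = []
    for header in headers:
        # getaddresses() splits each header into (display name, address) pairs.
        for name, addr in getaddresses(msg.get_all(header, [])):
            for claimed in ADDR_RE.findall(name):
                if claimed.lower() != addr.lower():
                    findings.append((header, claimed.lower(), addr.lower()))
    return findings

# Constructed sample messages; only the addresses are taken from the report.
SAMPLES = {
    "genuine": (
        'From: "Alison Smith" <alison@m57.biz>\n'
        "To: jean@m57.biz\n"
        "Subject: constructed sample 1\n\nbody\n"
    ),
    "impostor_to_jean": (
        'From: "alison@m57.biz" <tuckgorge@gmail.com>\n'
        "To: jean@m57.biz\n"
        "Subject: constructed sample 2\n\nbody\n"
    ),
    "jean_reply": (
        "From: Jean <jean@m57.biz>\n"
        'To: "alison@m57.biz" <tuckgorge@gmail.com>\n'
        "Subject: constructed sample 3\n\nbody\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        for header, claimed, real in mismatched_display_names(raw):
            print(f"{label}: {header} shows {claimed} but the real address is {real}")
```

Checking the To and Cc headers as well as From matters here because the evidence comes from Jean’s mailbox, where the reply carrying the attachment is a sent item addressed to the impostor.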
Conclusion
The spreadsheet was probably posted on the competitor’s website thanks to the
impostor