M57.biz-Jean Forensic Report
By: Marcus Lionel Holland
June 18, 2020

Legal Aspects to Consider

• Avoid infringement of civil rights
• Having permission from either the user or a court of law to take/subpoena the required digital media to perform digital forensics
• Must meet the burden of proof that the evidence retrieved was obtained correctly and has integrity.
• Must be able to clearly articulate and document every step of the investigation
• Determine if the evidence meets the guidelines for a criminal prosecution or civil trial.
• Wrongfully accusing someone of committing an offense may be grounds for a counter-suit.
• Title II of the ECPA

Investigation of the M57.biz Exfiltration

Facts Involving the Case:
• A spreadsheet that only Jean (the CFO) created and has access to ended up on a rival’s website
• Jean says Alison (CEO) asked for the spreadsheet via email, but Alison says that never happened.
• Investigation must show if one of them is not being truthful, or find out what really happened.
• Jean willingly provided a copy of her hard drive for digital forensic examination.

Questions to be Answered:
• When did Jean create the spreadsheet?
• How did it get from her computer to the competitor’s website?
• Who else within M57.biz may be involved?

Process and Tools used to Collect and Analyze Data

Tools:
• Forensic Toolkit
• Autopsy

Process of verification:
• FTK was used to verify the hashes to ensure the file had not been corrupted. The MD5 and SHA1 hashes matched perfectly. This ensures all evidence being reviewed is 100% accurate.
• Autopsy was chosen for analyzing the data because of its ability to create a timeline of events and produce an image of Jean’s hard drive

Findings
Creation of Jean’s Spreadsheet

Answer to Question 1:
• Autopsy revealed when Jean created her spreadsheet.
• Path to Jean’s spreadsheet: /img_nps-2008-jean.E01/vol_vol2/Documents and Settings/Jean/Desktop/m57biz.xls
• After discovering when the spreadsheet was created, when or if it was ever sent to Alison was the question of interest.

Findings

Answer to Question 2:
• A keyword search for the name of the spreadsheet revealed the spreadsheet never left Jean’s computer until it was sent in this email, which appears to be from Alison. It even ends with Alison’s name in the signature. It appears the spreadsheet ended up on the rival’s website not long after the spreadsheet was sent from Jean’s computer on July 19, 2008.
• In the email, a “from” address includes tuckgorge@gmail.com, which was interesting.
• A keyword search of tuckgorge@gmail.com revealed many more unknown addresses that had been intercepting Jean’s emails
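
The header check implied by the finding above, as an added example that is not part of the original report: it flags a message whose display name shows an m57.biz identity while the real mailbox is external, and goes slightly beyond the report by also flagging an external Reply-To or Return-Path on an internal From. The sample messages are constructed, and the mailbox names jean@m57.biz and alison@m57.biz are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "m57.biz"  # company domain named in the report

# Constructed sample messages, not recovered evidence. jean@m57.biz and
# alison@m57.biz are assumed mailbox names; tuckgorge@gmail.com is from the report.
SPOOFED = '''From: "alison@m57.biz" <tuckgorge@gmail.com>
To: jean@m57.biz
Subject: constructed sample

Please send the spreadsheet.
'''
REPLY_DIVERTED = '''From: Alison <alison@m57.biz>
Reply-To: tuckgorge@gmail.com
To: jean@m57.biz
Subject: constructed sample

Please send the spreadsheet.
'''
CLEAN = '''From: Alison <alison@m57.biz>
To: jean@m57.biz
Subject: constructed sample

Hello.
'''

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw, internal=INTERNAL_DOMAIN):
    """Return (header, reason, address) tuples for headers that misrepresent the sender."""
    msg = message_from_string(raw)
    parsed = {h: getaddresses(msg.get_all(h, []))
              for h in ("From", "Sender", "Reply-To", "Return-Path")}
    from_internal = any(_domain(a) == internal for _, a in parsed["From"])
    findings = []
    for header, pairs in parsed.items():
        for display, addr in pairs:
            if not addr or _domain(addr) == internal:
                continue
            if internal in display.lower():
                # Display name shows an internal identity, real mailbox is external.
                findings.append((header, "display-name-mismatch", addr.lower()))
            elif header != "From" and from_internal:
                # Internal From, but replies or bounces go to an external mailbox.
                findings.append((header, "external-reply-path", addr.lower()))
    return findings
```
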

Findings Cont.
Jean’s Acquittal

• The keyword search for tuckgorge@gmail.com revealed many more hidden entities that had been intercepting Jean’s email.
• The entities involved in this investigation can be traced all the way back to July 6, 2008.
• From the inception of phishing attacks from July 6, 2008, at 02:38, Alison’s email was spoofed and Jean thought she was talking to Alison. Alison’s email to Jean was intercepted on July , 2008 at 14:25

Findings Cont.
Answer to Question 3:
• Due to the phishing attack, employees appeared to be involved, including:
Entities “Involved”
• Jean - CFO
• Alison - President
• Carol - Programmer
• Bob - Programmer

alex@m57.biz

Expert Opinion

Conclusion of the matter:

It is my professional opinion that Jean’s email had been compromised. As previously shown, Jean’s email had been phished early in the making of the Outlook email account. The unknown email addresses x2789967@spunkymail-mx1.g.dreamhost.com, spunkymail-a3.g.dreamhost.com, tuckgorge@gmail.com, and alex@m57.biz disguised themselves in the email. It is obvious by the confusion in the emails that no one had a clue what was really happening. Unfortunately, phishing led to spoofing of emails similar to the people Jean works with. I believe when Jean sent the email to Alison.m57.biz, she thought it was the President of the Company. There are many alarms that should have been apparent to Jean and Alison that education and training in detecting phishing and spam attacks will help deter.

THANK YOU!
Marcus Holland

Email: marcusholland@sandiego.edu
