
MODULE 7 FINAL PROJECT – COMPUTER FORENSIC EXAMINATION REPORT 1

Module 7 Final Project – Computer Forensic Examination Report

Keith E. Anderson, Sr.

CSOL-590-02-FA18

University of San Diego



Abstract

The USD digital forensic team was tasked with determining how data was stolen from the laptop of Jean Jones, CFO of M57dotBIZ, a start-up web company developing a body art catalogue. What follows is a complete computer forensic examination report documenting our progression and findings throughout the phases of the computer forensic examination process.



Investigator: Cameron Carter

Affiliated Institution: University of San Diego

City: San Diego, CA

Telephone Number: 555-555-1212

Digital Forensics Examiner: Keith Anderson

Affiliated Institution: University of San Diego

City: San Diego, CA

Telephone number: 215-570-1999

Subject: Digital Forensics Examination Report

Offense: Stolen data from a company laptop that was posted to the comments section of a competitor’s website.

Accused: tuckergorge@gmail.com (name unknown)

Date of Request: December 4, 2018

Date of Conclusion: December 11, 2018



Contents Page

1. Background to the case
2. Legal questions asked relevant to the case
3. Search, seizure, and transport of evidence
4. List of Criminal Offenses
5. Collection and analysis of data from the evidence
6. Timeline of events
7. Conclusion
8. References

Module 7 Final Project – Computer Forensic Examination Report

1. Background to the Case

A small web start-up company, M57dotBIZ, is developing a catalogue for body art. A few weeks into the company’s inception, a spreadsheet containing private corporate information and the personal data of its top executives was found posted to the comments section of a competitor’s website. This spreadsheet only existed on the laptop of Jean Jones, the CFO of the company. Ms. Jones has indicated that she emailed the spreadsheet to the company President, Alison Smith, at Ms. Smith’s request. Ms. Smith has indicated that she never requested the spreadsheet and never received it, contrary to Ms. Jones’s account.

The goal of our investigation was to determine if data from the laptop of the CFO was stolen and, if so, how. In addition, we attempted to establish a timeline of events leading up to, and including, the exfiltration of the spreadsheet. The tools employed during this investigation were Guidance Software’s EnCase and The Sleuth Kit’s Autopsy. EnCase was used to acquire the image of the CFO’s laptop, and Autopsy was leveraged to ingest and analyze the data.

2. Legal questions relevant to the case

There were several legal questions we needed to address prior to moving forward with our investigation; these questions are identified below:

1. Who owns the evidence targeted for this investigation?
   a. The evidence is owned by M57dotBIZ
2. Who is our client, and do they have the authority to approve access to the evidence targeted for this investigation?
   a. A first-round funder for the start-up company is our client, and they have the authority to approve our access to the evidence
3. Is a search warrant required to gain access to this evidence?
   a. A search warrant is not required, as this is a private company with ownership of the evidence, and approval has been granted by an authorized party

3. Search, seizure, and transport of evidence

As it relates to this case, the evidence in question has already been identified, preserved, and delivered to the forensic team in the form of an EnCase image of the CFO’s PC, made up of the following files:

a. nps-2008-jean.E01, which was obtained from:
   i. http://downloads.digitalcorpora.org/corpora/drives/nps-2008-m57-jean/nps-2008-jean.E01
b. nps-2008-jean.E02, which was obtained from:
   i. http://downloads.digitalcorpora.org/corpora/drives/nps-2008-m57-jean/nps-2008-jean.E02

4. List of criminal offenses

The criminal offense identified in this case is theft by deception.

5. Collection and analysis of data from the evidence

Data obtained from the image files making up the CFO’s laptop were ingested and analyzed using Autopsy. The actions taken to carry out these tasks are documented below:

a. Case CSOL 590-02-FA18-Assignment-6 was created in Autopsy to begin the process of image ingestion and evidence analysis:



b. The image file(s) were selected for ingestion:
c. All ingest modules available in Autopsy were run against the image of the CFO’s PC (allowing for data categorization and analytics):
d. Information provided as a precursor to this investigation, which also served as guidance for our analysis of the PC image, includes the following:
   i. A spreadsheet was obtained from M57dotBIZ and posted to a competitor’s website
   ii. M57dotBIZ President, Alison Smith, claims she never requested the spreadsheet (nor received it via email)



   iii. M57dotBIZ CFO, Jean Jones, claims Alison Smith did, in fact, request the spreadsheet, which was delivered via email
e. Verification of the image file was carried out using the MD5 hash value (documented below, and confirmed with a screenshot):
   i. 78a52b5bac78f4e711a607707ac0e3f93 (original MD5 hash value)
   ii. Based on the information provided, we conducted a search for M57dotBIZ President Alison Smith’s email address, alison@m57.biz, which netted several hits:
      1. Based on the hits for alison@m57.biz, we investigated messages between Alison Smith and Jean Jones (jean@m57.biz)
         a. Suspicious message threads from alison@m57.biz with a return path of simsong@xy.dreamhostps.com were discovered
            i. We investigated all messages with this return path and discovered several messages with the Gmail “Reply to” field set



               - One “Reply to” field was set to alison@m57.biz
               - Two “Reply to” fields were set to tuckergorge@gmail.com
            ii. A total of six emails were analyzed:
               - Four contained the return path of simsong@xy.dreamhostps.com
               - Two were responses between jean@m57.biz and alison@m57.biz, orchestrated by the aforementioned Gmail “Reply to” field manipulation
   iii. Confirmation of the original hash value was, once again, verified (below):
      1. 78a52b5bac78f4e711a607707ac0e3f93 (original MD5 hash value)

6. Timeline of events

Based on the evidence provided, the following timeline of events is what we believe to be reflective of the events leading to the exfiltration of the corporate data exposed on the M57dotBIZ competitor’s website:

a. Saturday, July 19, 2008 16:39:57 (PDT)
   i. jean@m57.biz receives an email with a return path of simsong@xy.dreamhostps.com requesting private corporate information
      1. Subject = background checks
      2. Reply to = alison@m57.biz, so Alison Smith will get the response
b. Saturday, July 19, 2008 16:44:00 (PDT)
   i. jean@m57.biz responds to the 16:39:57 message with, “Sure thing.”
c. Saturday, July 19, 2008 16:50:20 (PDT)
   i. alison@m57.biz receives the unexpected response from jean@m57.biz, so she sends the response, “What’s a sure thing?”
d. Saturday, July 19, 2008 18:22:45 (PDT)
   i. jean@m57.biz receives another email with a return path of simsong@xy.dreamhostps.com
      1. Subject = Please send me the information now
      2. Reply to = tuckgorge@gmail.com

e. Saturday, July 19, 2008 18:28:45 (PDT)
   i. jean@m57.biz responds to the 18:22:45 message with an attachment called M57biz.xls
      1. This response (and spreadsheet with the corporate data) goes to tuckgorge@gmail.com
f. Saturday, July 19, 2008 22:03:40 (PDT)
   i. jean@m57.biz receives a final message with a return path of simsong@xy.dreamhostps.com
      1. Subject = Thanks!
      2. Reply to = tuckgorge@gmail.com
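As an added example (not part of the original report, and not Autopsy’s own code), the two header checks behind the section 5 findings and the ordering used for the section 6 timeline, applied to constructed messages whose Return-Path and Reply-To values mirror those reported; the message bodies and the legitimate reply’s Return-Path are assumptions:

```python
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample messages modelled on the report's findings (bodies are invented).
RAW_MESSAGES = [
    """Return-Path: <simsong@xy.dreamhostps.com>
From: Alison Smith <alison@m57.biz>
Reply-To: alison@m57.biz
To: jean@m57.biz
Subject: background checks
Date: Sat, 19 Jul 2008 16:39:57 -0700

Jean, please send the executive background information.
""",
    """Return-Path: <alison@m57.biz>
From: Alison Smith <alison@m57.biz>
To: jean@m57.biz
Subject: Re: background checks
Date: Sat, 19 Jul 2008 16:50:20 -0700

What's a sure thing?
""",
    """Return-Path: <simsong@xy.dreamhostps.com>
From: Alison Smith <alison@m57.biz>
Reply-To: tuckergorge@gmail.com
To: jean@m57.biz
Subject: Please send me the information now
Date: Sat, 19 Jul 2008 18:22:45 -0700

Jean, I need it now.
""",
]

def domain(addr):
    # Domain part of an address, tolerating angle brackets and display names.
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def analyze(raw):
    """Return (timestamp, subject, indicators) for one RFC 822 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1]
    indicators = []
    # Mail relayed for a spoofed From usually keeps the real envelope sender in Return-Path.
    if msg["Return-Path"] and domain(msg["Return-Path"]) != domain(sender):
        indicators.append("return-path domain mismatch")
    # A Reply-To that differs from From silently redirects the victim's reply elsewhere.
    if msg["Reply-To"] and parseaddr(msg["Reply-To"])[1].lower() != sender.lower():
        indicators.append("reply-to redirects responses")
    return parsedate_to_datetime(msg["Date"]), msg["Subject"], indicators

def timeline(raws):
    """Messages sorted oldest first, the order used for the section 6 timeline."""
    return sorted(analyze(r) for r in raws)
```

Run over a mailbox export, the same two checks surface every message that claims to be from alison@m57.biz but would route Jean’s reply to a Gmail address.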

7. Conclusion

Based on the evidence provided, the summary below is what we have concluded occurred the night of Saturday, July 19, 2008. These events, we believe, would eventually lead to the exposure of M57dotBIZ’s corporate and private information.

a. The email account belonging to M57dotBIZ President, Alison Smith, was spoofed by a malicious actor
b. Jean Jones was lured into believing a request for confidential corporate information came from Alison Smith
c. In accommodating the request, Jean Jones unknowingly emailed M57biz.xls (containing the confidential corporate information) to tuckergorge@gmail.com

8. References

1. The Sleuth Kit (2017). Autopsy User's Guide. Retrieved December 6, 2018 from http://sleuthkit.org/autopsy/docs/user-docs/4.3
2. Guidance Software (2018). OpenText EnCase Forensic. Retrieved December 6, 2018 from https://www.guidancesoftware.com/docs/default-source/document-library/product-brief/encase-forensic-product-overview.pdf?sfvrsn=761867a2_34