
SCHOOL OF COMPUTER SCIENCE AND ENGINEERING

DIGITAL FORENSICS
CSE4004

Slot: L21 + L22

Lab Assessment-1
TOPIC: Personal Data Theft and Cyber Extortion

TEAM DETAILS:

Suchismitaa Chakraverty 18BCE0883
Lakshit Dua 18BCE0824
Sanjana Mishra 18BCE2324
Anurag Parcha 18BCE2335
Aban Zafar Ali 18BCE2350

Under the guidance of:

Prof. Murugan K

Crime Name: Personal Data Theft and Cyber Extortion

CASE DETAILS AND SCENARIO


Two JLT employees, including a woman, were among three persons arrested on Monday for
allegedly trying to extort ₹20 crore each from the members of the Board of the corporate giant,
after threatening to leak stolen personal data and information, Noida Police said here. The
arrested woman, who allegedly masterminded the extortion bid, is the chief marketing officer
of the organization and the trio had threatened to leak the data and misuse the information to
cause the firm loss and dent its public image, officials said. The three employees of the Noida-
headquartered finance firm were arrested late Monday afternoon by a team from the Sector 20
police station, while their fourth accomplice is still at large, a senior official said.

According to the police, those arrested are the chief marketing officer (identity withheld), her
husband Roopak Jain and another JLT employee Devnedra Kumar. The fourth accused, Rohit
Chomal, is a resident of Kolkata and had allegedly sent self-destructing extortion emails to the
members of the Board.

“One of the board members, Mr. Sahaney had made a complaint with the police that the firm’s
employees, a woman and her aides, had hacked the board of members’ database in order to steal
their sensitive personal details and were blackmailing them for quite some time. They were
demanding ₹20 crore for not leaking it,” Senior Superintendent of Police (SSP), Gautam Buddh
Nagar, Ajay Pal Sharma said.

“Taking immediate action on it, an FIR was registered and three persons, including the woman,
arrested and a black bag containing two Samsung J7 smartphones and an Intel laptop was
confiscated. They are being probed about the data and their modus operandi. Police will share
the facts as they are unearthed,” Sahaney said.

The SSP said they will seek their custody to interrogate them further and gather more details.
Police were not clear as to what kind of data was stolen. He said that the local police are in
touch with their counterparts in Kolkata to track down Chomal, who allegedly sent the extortion
emails to the 12 board members’ private email ids. When contacted, JLT confirmed in a
statement that the Noida Police have arrested three people, including one female employee of
JLT, in the case of personal data theft and cyber extortion. “We are standing by our colleagues
till the police enquiry reaches its meaningful conclusion,” the company said.

INVESTIGATION PLAN
In order to perform a successful crime investigation, it is essential to prepare a detailed
investigation plan, or activity roadmap, that sets out how the investigation will be carried out
systematically. Therefore, in the context of the given crime scenario, we, a team of five
computer forensic analysts, have prepared an elaborate plan of action comprising the five
phases of forensic investigation, i.e., identification of the crime scene, collection of crime
evidence along with its careful preservation, examination and analysis of the evidence to
identify the guilty, and lastly documentation and presentation of the case before closing it. The
systematic investigation approach followed, along with the description of each phase of the
action plan pertaining to the given crime scenario, is elucidated as follows:

IDENTIFICATION

Initially, we state and list out all the details, goals and the evidence to be gathered with
respect to the given scenario. This information includes the personnel involved in the scenario,
from the perpetrators to the victims.

Secondly, we gather the time and place of the crime and establish what exactly took place
according to the timestamps. This will make the task of tracing back the steps of the crime a
little easier.

As we move further into the process, our team will use the various tools to gather information
on how the crime occurred and on the weak links in the company (technical or people-related).
This will give us a better idea of how to navigate the case more efficiently. Moreover, collecting
all the evidence will be crucial.

Initial survey of the crime scene and the FIR registered revealed the following:

● Self-destructing emails sent from certain IP addresses and locations, used to blackmail 12
board members
● Hacked company database to steal personal data of employees
● Devices used to carry out the operation recovered from the scene: 2 Samsung J7 mobiles
and an Intel laptop.

COLLECTION

The evidence in this cybercrime will include not only physical evidence but also the digital
devices used by the perpetrators. We first make sure that the crime scene and the devices used
are not touched and that all the information is properly documented.

With the help of our team's prime investigator, we then analyse the intricacies of the crime
scene: the digital devices used, the kind of tools involved, the operating systems they ran, etc.
As noted during the identification step, we must recover detailed information ranging from the
IP addresses of the email senders to the locations and timestamps on the emails, along with the
email send and receive logs. The stolen company data must be probed for on the hard drives of
the recovered devices, and traces of other data that could broaden the scope of the investigation
must be collected.

PRESERVATION

To avoid complications in the later stages of the investigation, we as a team will make sure that
all the physical, online and logical evidence is carefully and safely preserved. This guarantees
that the evidence will not be modified and that no one can manipulate the investigation process.
It requires quick preservation of data and documentation of all the physical evidence as well.
Electronic safety (anti-static) bags are used to make sure that no electronics are damaged by
static electricity while being handled. Labelling each item of evidence with a short description
will help sort the evidence and make sure that delicate items are well preserved and sorted
according to their categories.
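One way to back up the guarantee that digital evidence has not been modified is to record a cryptographic hash of each acquired image at collection time and re-verify it at every later step, alongside the chain-of-custody entries. The following Python is an added example, not part of the original assignment; the evidence tags, examiner name and stand-in image files are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-GB disk and phone images never need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(items, examiner):
    """items: evidence tag -> (description, path of the acquired image).
    Stores the acquisition hash plus the first chain-of-custody entry per item."""
    stamp = datetime.now(timezone.utc).isoformat()
    return {
        tag: {"description": desc, "path": str(path), "sha256": sha256_file(path),
              "custody": [{"action": "acquired", "by": examiner, "at": stamp}]}
        for tag, (desc, path) in items.items()
    }

def verify_manifest(manifest):
    """Re-hash every image; False means the item no longer matches its acquisition hash."""
    return {tag: sha256_file(e["path"]) == e["sha256"] for tag, e in manifest.items()}

def run_demo():
    """Constructed demo: stand-in 'images' named for the seized devices, one of which
    is written to after the manifest is signed off. Returns (before, after) checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root, items = Path(tmp), {}
        for tag, desc in [("E1", "Samsung J7 handset 1 image"),
                          ("E2", "Samsung J7 handset 2 image"),
                          ("E3", "Intel laptop disk image")]:
            image = root / f"{tag}.img"
            image.write_bytes(b"constructed stand-in for " + desc.encode())
            items[tag] = (desc, image)
        manifest = build_manifest(items, examiner="examiner-placeholder")
        (root / "manifest.json").write_text(json.dumps(manifest, indent=2))
        before = verify_manifest(manifest)
        (root / "E3.img").write_bytes(b"simulated accidental write")  # laptop image altered
        after = verify_manifest(manifest)
        return before, after
```

In practice the manifest is produced from write-blocked acquisitions and the hashes are also recorded on the paper custody form, so that a mismatch at verification time can be tied to a specific hand-over.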

EXAMINATION

The collected evidence and the other details regarding the crime scene and the modus operandi
of the operation are to be thoroughly examined. The collected evidence is to be probed in order
to recover details such as the IP addresses, locations, send and receive logs, timestamps and
email ids of the senders of the extortion emails. The type and amount of personal data stolen
from the company database must also be examined.
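As an added illustration of the header examination described above (not part of the original assignment), the following Python walks the Received chain of a constructed extortion-style email to pull out the relaying IPs, hand-off timestamps, sender address and Message-ID, and flags a gap between the client-set Date header and the first server timestamp. All hosts, addresses and IPs in the sample are invented placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (invented hosts/addresses, documentation-range IPs, tab folding)
SAMPLE_RAW = """\
Received: from mail.example-isp.invalid (mail.example-isp.invalid [203.0.113.7])
\tby mx.board-member.invalid with ESMTPS id abc123
\tfor <member1@board-member.invalid>; Mon, 3 Feb 2020 14:22:10 +0530
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail.example-isp.invalid with ESMTPSA id xyz789;
\tMon, 3 Feb 2020 14:21:55 +0530
Message-ID: <constructed-0001@example-isp.invalid>
From: "anon" <throwaway@example-isp.invalid>
Date: Mon, 3 Feb 2020 14:21:50 +0530
"""
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(value):
    """Relaying IP and hand-off time from one (possibly folded) Received: header."""
    flat = re.sub(r"\s+", " ", value).strip()
    ips = IPV4_IN_BRACKETS.findall(flat)
    date_part = flat.rpartition(";")[2].strip() if ";" in flat else ""  # ts after last ';'
    when = parsedate_to_datetime(date_part) if date_part else None
    return {"ip": ips[0] if ips else None, "when": when}

def trace_hops(raw_message):
    """Hops oldest-first (MTAs prepend, so stored order is newest-first). Only the line
    added by the recipient's own server is trustworthy; lower ones may be sender-written."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return hops

def summarize(raw_message):
    """Fields an examiner records per email before correlating with server logs."""
    msg = message_from_string(raw_message)
    hops = trace_hops(raw_message)
    claimed = parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None
    first_hop = hops[0]["when"] if hops else None
    return {
        "sender": parseaddr(msg.get("From", ""))[1],
        "message_id": msg.get("Message-ID"),
        "origin_ip": hops[0]["ip"] if hops else None,
        "hops": [(h["ip"], h["when"].isoformat() if h["when"] else None) for h in hops],
        # Date: is client-set; a big gap vs. the first hop hints at clock error or tampering
        "date_vs_first_hop_seconds": (first_hop - claimed).total_seconds()
        if claimed and first_hop else None,
    }
```

The extracted origin IP and timestamps are what get matched against the mail provider's logs obtained through legal process; the IP alone identifies a network endpoint, not a person.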

ANALYSIS

Evidence and facts that have been collected and documented properly pave the way for a smooth
analysis of the case. It is evident here that the extortion of company employees was made
possible by data stolen from the company database, and was carried out through blackmail by
means of self-destructing emails.

PRESENTATION AND REPORTING

The case files, along with the evidence, are to be presented to the court so that a proper
sentencing hearing can be carried out. The team must prepare and present to the court a report
that lists out the order of events that occurred, the crimes and violations at each step, and the
evidence regarding the same. The evidence must be tagged and labelled according to the
accepted norm.

TOOLS

A) For data loss prevention (DLP): These tools help in forensic analysis; however, they
need to be installed on the system before the incident occurs. They prevent the
occurrence of a data leakage or data breach incident. They combine tools to monitor
data and to archive it collectively, either on cloud storage or on local storage. They
are also necessary for companies and businesses to employ in their work environment
to monitor any possible malicious, unintended or accidental threat activity.

1) SolarWinds Data Loss Prevention Tool with ARM: As mentioned previously,
this is a tool which helps in monitoring the activities of users in a work
environment, usually employees. Access Rights Manager (ARM) is set up with
the SolarWinds DLP tool to set predefined access controls, rules and policies.
It also reports suspicious activities which occur.

2) CoSoSys Endpoint Protector: This is also a tool which helps with DLP
solutions and prevention in a work environment, and specializes in the
application of storage on the cloud.

3) Symantec Data Loss Prevention: This tool enforces policies and rules which
enhance threat protection and data encryption.

4) Comodo MyDLP: This tool provides detailed predefined access control rules
along with detailed DLP solutions.

B) For Data Recovery and Incident Analysis: These tools help in the digital forensics after
the incident (data breach/leakage) has occurred. Some of these tools act as FTKs (Forensic
Toolkits) which contain many modules required for a thorough cyber forensic analysis;
however, they usually specialize in one aspect more than the others, which makes them ideal in
certain situations. For instance, in this case the Oxygen Forensic tool is an exceedingly popular
mobile and smartphone data analysis tool, which is required here to identify and extract evidence
from the smartphones.

1) EnCase: This is a powerful forensics tool which helps in the collection of evidence from
a wide range of device types, with a high level of detail on the files and registers of that
device for further analysis.

2) Bulk Extractor: This is an extremely popular and powerful tool to assess and analyse
the storage for all types of critical files, registers and much more in detail. This tool
paired with EnCase can help contain and nullify the data breach and prevent further
breaches quickly.

3) SolarWinds MSP Mail Assure: Cloud-based email security and storage of all incoming and
outgoing mails in a company environment. This tool archives all the emails, including
self-destructing ones once they are opened, as it includes real-time monitoring of the
activities on employee devices.

4) Oxygen Forensic Tool: This is a powerful mobile forensic tool with built-in analytics
and a cloud extractor. It helps gather evidence from smartphones and even from their
cloud recovery and backup storage. It supports a very user-friendly interface for
extracting the required evidence from the analysis of data on smartphones.

5) Autopsy: A tool that provides all the modules necessary for a thorough digital forensic
analysis and data recovery. It is the graphical user interface (GUI) for the Sleuth Kit,
and is used by law enforcement, military and corporate examiners to investigate what
happened on a computer.

6) Xplico: This cyber forensic tool helps in the identification of any traffic over the
internet. It can also extract the necessary details and credentials from an email and
track and trace the IP address, and even the geographical coordinates from which the
email originated, when paired with some external modules.

Among the tools that will be useful for our investigation, we can further classify them as
follows:

Category                                      Tool(s)                          Use in this case
Data management and analysis tools            EnCase, Bulk Extractor, Autopsy  related to all kinds of data
Mail archiving and analysis                   SolarWinds MSP Mail Assure       as emails were sent in the case, this tool will be used to analyse them
Mail tracking and tracing over the internet   Xplico                           as self-destructing emails were sent, this tool will help us to trace those
Data analysis tool for smartphones            Oxygen Forensic Tool             analysis of the data from the recovered mobile devices

With regard to our case scenario, the roles of the tools will be as follows:

Xplico and SolarWinds MSP Mail Assure: to trace and track the blackmailing emails which
were sent. Even though the emails were self-destructing, SolarWinds captures and archives
their data once they are opened.

Bulk Extractor, Autopsy: used for data extraction and deep analysis to find any data which
has been leaked and to recover it. We can use these on the laptop obtained as evidence.

Oxygen Forensic Tool: in a similar manner to Bulk Extractor and Autopsy, this tool is
specialized towards smartphones and gathering evidence from them. As we have recovered 2
mobile phones, this tool will be useful.

EnCase: helps contain the data leak or breach.

INVESTIGATION FORM
