
Running Head: M57 - Digital Forensics Report 1

This digital forensics report summarizes the investigation into how a confidential spreadsheet containing employee information from M57.biz was leaked online. The CFO Jean Jones' laptop was examined after she claimed the CEO Alison Smith requested the spreadsheet via email. The examination found that Jean was spear phished by an email spoofed to appear from the CEO, but was actually from an external attacker. Jean then emailed the spreadsheet to the attacker, who leaked it online. In conclusion, Jean was a victim and did not maliciously leak the information herself.


M57 – Digital Forensics Report

Justin R. Cook

University of San Diego, CSOL-590


Abstract

This paper is a digital forensics report performed for M57.biz on the laptop belonging to their CFO, Jean Jones. A confidential spreadsheet ended up on a competitor’s website, and Jean Jones claims that the CEO, Alison Smith, requested that spreadsheet via email. The purpose of this digital forensics report is to outline the data collection and analysis process and to provide the findings.

Table of Contents

Case Information
Background to Case
Questions Asked Relevant to the Case
Search and Seizure and Transport of Evidence
Evidence to Search For
List of Criminal Offense
Examination Details
Analysis Results
Timeline
Conclusion
References

Case Information

Investigator: Alison Smith
CEO
M57.biz

Digital Forensics Examiner: Justin Cook
Detective #101
Computer Security Consultant
San Diego, CA
(858) 567-1234
Subject: Digital Forensics Examination Report
Offense: Leaking confidential information
Accused: Jean Jones
Date of Request: June 23, 2020
Date of Conclusion: June 29, 2020

Background to Case

M57.biz recently experienced a major issue where the names, salaries, and social security numbers of their employees were leaked on a competitor’s website. The person in question is the CFO, Jean Jones, who claims to have sent that document to the CEO, Alison Smith, after being requested to do so via email. Alison says that she never received the spreadsheet from Jean nor requested the spreadsheet in the first place. Alison Smith requested that digital forensics be performed on Jean’s laptop to figure out what happened and how the confidential information was leaked onto the competitor’s website. Alison wants to know when the spreadsheet was created, how it got to the competitor’s website, and who else from the company is involved.

Questions Asked Relevant to the Case

The case background provided a lot of useful information, mainly that Jean claims she and Alison communicated via email regarding the spreadsheet. The following additional questions were brought forward:

1. Is Jean’s computer system personal or is it owned by M57.biz?

2. Does Jean access email on any other device?

3. Does anyone else have access to Jean’s laptop?

4. Did any employee use Jean’s laptop before it was assigned to her?

These questions were answered before the investigation. We learned that Jean only accesses email on her laptop, which is owned by M57.biz. She is the only user of this laptop and no one else has access to it.

Search and Seizure and Transport of Evidence

Jean Jones was compliant with this case, and law enforcement was not involved in the evidence collection. The Fourth Amendment to the US Constitution allows the government to obtain a warrant to perform forensics on certain electronic devices if there is probable cause and use the findings as evidence in court (Wright, 2008). However, since Jean Jones was using a device owned by her employer, a warrant was not legally required to obtain her laptop. Additionally, Jean Jones was compliant with the investigation and willfully handed over her laptop to the digital forensics team.

Chain of custody is the process of validating how evidence has been gathered, tracked, and protected before it reaches a court of law (Scalet, 2005). During this case, the chain of custody was tracked in detail and the entire investigation adhered to best practices for handling digital evidence. The team created a disk image of Jean’s laptop and securely stored the laptop. The disk image of the laptop was used as evidence to protect the integrity of the actual evidence.

Cons #    Exhibits Submitted for Analysis    Serial Number
1         Dell Latitude 9750 Laptop          5GY847H

Evidence to Search For

Based on the information gathered before the investigation, and the background questions asked, the analysis will focus on locating and analyzing email conversations on the laptop. Additionally, the confidential spreadsheet will need to be located and its details need to be obtained. Deleted files and software will be scanned to see if any malware or spyware was installed on the laptop.

List of Criminal Offense

Jean Jones is being investigated for leaking a confidential spreadsheet that contained the full name, salary, and social security numbers of the employees at M57.biz. Upon being employed at the company, Jean Jones signed a Non-Disclosure Agreement (NDA), which is a legal contract that protects confidential information or trade secrets (Haskins, 2019). If it is found that Jean Jones violated the NDA, there will be a legal case for M57.biz to pursue against Jean.

Files of Evidentiary Value to the Case


The spreadsheet, m57biz.xls, contains all of the information that was leaked to the competitor’s website. This file was last edited by Jean Jones.

The Outlook.PST file located on Jean’s laptop contains a record of all of the email conversations that occurred. This file shows that Jean emailed the confidential file to an external user ([email protected]).

Examination Details

Jean’s laptop was securely imaged without altering the original storage to preserve the integrity of the evidence. The disk image file was named nps-2008-jean.E01, which was mounted in Autopsy and attached to a new case. The MD5 hash for the evidence file is: 78a52b5bac78f4e711607707ac0e3f93. The contents of Jean’s laptop were not encrypted, and accessing the Outlook.pst file did not require any credentials; therefore, password cracking was not required.

Analysis Results

The digital forensics tool, Autopsy, was used to analyze the evidence. Once the disk image was mounted, I was able to browse the file system and look for relevant files. The confidential spreadsheet, m57biz.xls, was located on Jean’s laptop in the Desktop folder.

The file’s metadata shows that Jean was the last person to edit this file, on 2008-07-19. The claim made by Jean was that Alison requested, via email, that she make a spreadsheet containing the names, salaries, and social security numbers of all employees in the company. Therefore, the next part of my data analysis included looking at email-related files. I parsed through the main Outlook.pst file and noticed some odd behavior. I did see an email on 2008-07-19 being sent to Jean requesting that spreadsheet, but the sender was not Alison. A malicious user spoofed his email to appear as if it were being sent from Alison, but it was actually from the address ‘[email protected]’.

On that same date, 2008-07-19, Jean responded to that email to who she thought was Alison. The response email attached the confidential spreadsheet and was sent to [email protected]. During the data analysis, I did not discover any other relevant information regarding this case. There were lots of deleted files, but none of them had any relevance to the case.
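
A triage check for the kind of sender spoofing described above, added here as an illustration and not part of the original examination: it flags messages whose From display name matches a staff member while the address is external, or whose Reply-To or Return-Path domain differs from the From domain. The staff list, all addresses and the sample messages are constructed, and the report does not state which header exposed the real sender in this case.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's mail domain and a
# directory of staff display names. Every address below is constructed.
INTERNAL_DOMAIN = "m57.biz"
STAFF_NAMES = {"alison smith", "jean jones"}

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoof_indicators(raw_message):
    """List the reasons a message that looks internal may be spoofed."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    reasons = []
    # A staff member's display name on an address outside the company domain.
    if display.strip().lower() in STAFF_NAMES and from_dom != INTERNAL_DOMAIN:
        reasons.append("staff display name with external From address")
    # Replies or bounces routed to a different domain than From shows.
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            reasons.append(f"{header} domain {dom} differs from From domain {from_dom}")
    return reasons

# Constructed sample messages (not taken from the evidence file).
LEGIT = """\
From: Alison Smith <ceo@m57.biz>
Return-Path: <ceo@m57.biz>
To: cfo@m57.biz
Subject: Budget meeting

See you at 10.
"""
SPOOFED_REPLY = LEGIT.replace("Return-Path: <ceo@m57.biz>",
    "Reply-To: sender@external.example\nReturn-Path: <sender@external.example>")
SPOOFED_NAME = LEGIT.replace("<ceo@m57.biz>", "<sender@external.example>")

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("reply", SPOOFED_REPLY), ("name", SPOOFED_NAME)]:
        print(name, spoof_indicators(raw))
```

Run over messages exported from a mailbox, any non-empty result marks a message for manual header review rather than proving spoofing on its own.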

Timeline

Below is the timeline of events that occurred, according to the evidence found and analyzed.

Conclusion

The evidence shows that Jean was a victim of a spear-phishing attack. Her email was compromised, and the hacker was able to learn about the company as well as spoof his email to appear to be sent as the CEO. The hacker then emailed Jean pretending to be the CEO and requested Jean to put together a spreadsheet with all of the employees’ names, salaries, and social security numbers. Jean complied and sent the spreadsheet to the attacker, who was believed to be Alison. Although Jean’s actions led to the leaking of confidential data, which is a violation of her NDA, she had no malicious intent. Jean was following orders and believed that she was in communications with Alison. I would recommend that Jean be found innocent of violating the NDA since she was a victim of a phishing attack.

References

Haskins, J. (2019, February 28). Understanding Non-Disclosure Agreements. Retrieved June 29, 2020, from https://www.legalzoom.com/articles/understanding-non-disclosure-agreements

Scalet, S. D. (2005, December 1). How to Keep a Digital Chain of Custody. Retrieved May 22, 2020, from https://www.csoonline.com/article/2118807/how-to-keep-a-digital-chain-of-custody.html

Wright, C. (2008, December 22). Related Content. Retrieved May 22, 2020, from https://www.sans.org/blog/searches-and-the-us-4th-amendment/
