Forensic Examination Report - Kevin Splittgerber

This document provides a forensic examination report regarding the theft of intellectual property from the company M57dotBiz. It summarizes that confidential employee information was leaked online, and the internal investigation found the data originated from Jean, the CFO, who claimed the President Alison requested it. As Alison denied this, a forensic examination of Jean's laptop was conducted. The examination found the leaked spreadsheet on Jean's laptop, and email communications between Jean and Alison discussing sending the information.


COMPUTER FORENSIC EXAMINATION REPORT – Assignment 7

Kevin Splittgerber

University of San Diego – CSOL590

Table of Contents

Abstract  i
DIGITAL FORENSIC REPORT  1
Background  2
Questions Asked Relevant to the Case  2
Search and Seizure and Privacy  2
Evidence and Chain of Custody  3
Forensic Examination Details  4
Evidence and Timeline of Events  8
Analysis  9
Conclusion  11
Corrective Actions  11
References  13

Abstract

M57dotBIZ is a small virtual organization with employees working remotely and communicating via electronic means such as chat and email. A short time after the company was founded, a spreadsheet was discovered on a competitor's website containing confidential information about M57dotBIZ employees, including names, salaries, and social security numbers. An internal investigation showed that the confidential information originated from Jean, the company CFO. Subsequent interviews were inconclusive, as Jean claims that Alison, the company President, requested the information. The company owners requested that a forensic investigation be conducted to determine what happened.


DIGITAL FORENSIC REPORT

INVESTIGATOR: Kevin Splittgerber

DIGITAL FORENSICS EXAMINER: Jim Jackson

SUBJECT: Digital Forensics Examination Report

OFFENCE: Theft of Intellectual Property

DATE: 06/29/2020

Background

The small start-up company M57dotBiz is primarily a "virtual" organization, with employees working remotely and meeting in person several times a month. Communication between employees is accomplished using email and the AOL Instant Messenger chat service. Not long after the company was founded, a spreadsheet containing confidential information about employees was discovered on a competitor's website. The spreadsheet included names, social security numbers and salaries. An internal investigation determined that the spreadsheet originated from Jean, the company's CFO. The investigators called Jean for an interview. Jean explained that the company President, Alison, specifically asked for the spreadsheet with the confidential information as part of a background check of employees to satisfy a potential new investor in the company. Jean also explained that Alison requested she send the spreadsheet to her by email. Investigators then questioned Alison, who denied both asking for the spreadsheet and receiving any such spreadsheet by email. Due to the inconclusive results of the internal investigation, first-round investors, looking to protect their investment in the company, authorized a forensic investigator to search Jean's laptop and determine exactly what happened.

Questions Asked Relevant to the Case

1. Are the laptop and any other devices used in the commission of the leak company owned?

2. Could Jean have been working with anyone else at M57dotBIZ?

3. How did the spreadsheet end up on a competitor’s website?

Search and Seizure and Privacy

In this case, the legality of the search and seizure of Jean's laptop is straightforward. The investigation is not conducted by law enforcement for the purposes of a criminal investigation, and therefore the Fourth Amendment does not apply (FindLaw, 2019). Even if this case were to be taken to criminal court at a later date, the Fourth Amendment could not be claimed, as Jean consented to the search and provided both the laptop and her passwords to the investigators. Privacy laws are also of no concern in this case. As part of the terms of employment, Jean agreed to and signed company policies regarding acceptable use of company-owned devices and consent to company search of data contained on the device. These policies indicate that company-owned devices must be used for business purposes only and that the company is within its rights to monitor all activity carried out on the device (O'Driscoll, 2017).

Evidence and Chain of Custody

To ensure that the results of the investigation would be admissible in court should the need arise, the investigators followed standard evidence chain of custody procedures. These procedures required documentation in the form of a sequential account of all evidence gathered, by whom, when, and for what purpose, as well as preservation of evidence to maintain its integrity (Badiye, 2019).

Table 1: Inventory of Evidence

ITEM NO.  DATE RECEIVED  DESCRIPTION
0001      06-03-2020     M57dotBIZ owned laptop used by Jean
0002      06-03-2020     USB storage device containing EnCase image.
                         MD5 Hash: 78a52b5bac78f4e711607707ac0e3f93
0003      06-03-2020     m57biz.xls file
0004      06-03-2020     Outlook.pst file
                         MD5 Hash: 8c862a8c7ad8b7aff1df4d44fbf1fe95

Table 2: Evidence Chain of Custody

LINE NO.  ITEM NO.  FROM         TO                  DATE        ACTION
0001      0001      Jean         Jim Jackson         06-03-2020  Surrender of device
0002      0002      Jim Jackson  Kevin Splittgerber  06-03-2020  EnCase image of device, evidence item 0001; forensically sound copies made.
0003      0001      Jim Jackson  Jean                06-03-2020  Device returned to Jean
0004      0003      M57dotBiz    Jim Jackson         06-03-2020  USB device with m57biz.xls file containing the confidential information leaked.
                                                                 MD5 Hash: e23a4eb7f2562f53e88c9dca8b26a153
0005      0003      Jim Jackson  Kevin Splittgerber  06-03-2020  Accepted for forensic examination.

Forensic Examination Details

The forensic examination began with Jean surrendering her laptop to investigators. Digital Forensic Examiner Jim Jackson logged the laptop into evidence, took a forensic image of the device and computed an MD5 hash: 78a52b5bac78f4e711607707ac0e3f93. Following this, Jim Jackson made two further images of the device for performing the forensic analysis and verified that their MD5 hashes matched. Upon completing his task, Jim returned the laptop to Jean and signed the evidence out of the log. Jim then transferred the evidence to a write-protected device for storage, and transferred copies to a USB device to be used for forensic analysis. The USB device was then transferred to forensic investigator Kevin Splittgerber for analysis. Kevin Splittgerber accepted the USB device and entered the transfer into the chain of custody log.

A copy of the image on the USB device was loaded into Sleuthkit Autopsy 4.14, and the MD5 hashes were then confirmed to match the evidence log. The full suite of ingest modules was activated, and the process was allowed to complete. Since interviews conducted during the internal investigation concluded that Jean communicated via email with Alison and sent an Excel spreadsheet containing the confidential information, Kevin used Autopsy's advanced features to find the Excel file and the relevant threads of communication.

Using Autopsy's file views feature, Kevin found the Excel file containing the confidential information. See Figure 1: m57biz.xls Excel file used to leak confidential information. The Excel file exists in two locations on Jean's laptop: the original file on her desktop and a copy, used as an attachment to an Outlook email, inside the Outlook.pst file.

Figure 1: m57biz.xls Excel file used to leak confidential information.

Using Autopsy's Communication module, Kevin visualized the threads of email communication and filtered down to just the communication between Jean and Alison, [email protected].

Figure 2: Autopsy Communication Visualization of Jean's Outlook Email Account

Figure 3: Outlook Email threads between Jean and Alison

The email communications salient to this investigation are dated 7-19-2008 with subject "background checks" and 7-29-2008 with subject "Please send me the information now."

Autopsy was unable to display the full email chain of "Please send me the information now." To extract the contents of the email and access the headers, the Outlook database contained in the Outlook.pst file was extracted and loaded into Microsoft Outlook for Office 365 v. 16.0.12827.20200.

Kevin opened the EnCase image in FTK Imager v. 4.3.1.1 and found the Outlook.pst file in the folder hierarchy at path: /img_nps-2008-jean.E01/vol_vol2/Documents and Settings/Jean/Local Settings/Application Data/Microsoft/Outlook/outlook.pst. The outlook.pst file was logged into evidence with MD5 Hash: 8c862a8c7ad8b7aff1df4d44fbf1fe95. The entire email threads were then opened and examined.


Evidence and Timeline of Events

Date                Time     Event
Saturday 7/19/2008  4:40 PM  Jean receives an email from [email protected] asking for information to be used for background checks on current employees. Requested is a spreadsheet with name, salary, and social security number for each employee, and a reply that does not include the text of the message.
Saturday 7/19/2008  4:46 PM  Jean replies to [email protected] with the text removed except for her reply: "Sure thing."
Saturday 7/19/2008  4:50 PM  Jean receives a reply from [email protected]: "What's a "sure thing."?"
Saturday 7/19/2008  6:23 PM  Jean receives an email from [email protected] but disguised as [email protected]. Email subject: "Please send the information now". The email apologizes for the bother but says the "VC guy is being very insistent", repeats the request for the information and instructs Jean to reply to this email.
Saturday 7/19/2008  6:29 PM  Jean replies to the email and attaches the m57biz.xls file with the requested information.

Analysis

Looking at the emails received by Jean from Alison, the evidence corroborates the statements given by both CFO Jean and CEO Alison during the interviews after discovery of the leak.

Alison's email account, [email protected], did request the confidential information under the premise of a background check of all employees as required by a new investor, and requested that the text of the email be deleted in any replies.

Jean replied "Sure Thing" to [email protected] and deleted the contents of the previous email as instructed.

Alison replied, "What's a "sure thing"?", indicating that she had no idea what Jean was talking about. This raises the possibility that Alison's email account was compromised, with an unauthorized individual gaining access and sending emails to Jean. The email headers obtained from Outlook indicate that the emails are valid and were sent from the account as indicated.
The email sent on 7/19/2008 at 6:23 from [email protected] appears to use a very low-tech spoof to trick Jean into believing it is from [email protected]. In Outlook, if the email account has a name populated, that name is displayed in lieu of the sender's email address. In this case the attacker entered [email protected] as the sender's name, so any replies would be sent to the sender's actual email address: [email protected].
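The display-name trick described above can be checked mechanically at the mail gateway or during review of a mailbox export. The following is an added example and not code from the report; the messages and addresses are constructed placeholders (the case's real addresses are not given here). It parses the raw From header itself, because the stdlib address parser handles a display name that is itself an address inconsistently, and flags a display name that names a different domain from the real sender, an external sender domain, and a Reply-To that diverges from the sender.

```python
import email
import re

# Constructed sample messages, not the evidence from the report.
LEGIT_MSG = """From: Alison <alison@example-company.test>
To: Jean <jean@example-company.test>
Subject: background checks

Please send the spreadsheet.
"""

SPOOFED_MSG = """From: alison@example-company.test <outsider@external-mail.example>
To: Jean <jean@example-company.test>
Subject: Please send the information now

The VC guy is being very insistent; reply to this email.
"""

# "display name <addr-spec>" form; a bare addr-spec is handled separately.
_NAME_ADDR = re.compile(r'^\s*(?P<name>.*?)\s*<(?P<addr>[^<>\s]+)>\s*$')


def split_from_header(value: str) -> tuple:
    """Return (display_name, address) from a raw From or Reply-To header value."""
    m = _NAME_ADDR.match(value)
    if m:
        return m.group("name").strip().strip('"'), m.group("addr").lower()
    return "", value.strip().lower()


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def spoof_findings(raw_message: str, internal_domain: str) -> list:
    """Findings for the display-name spoof: the visible name is an internal-looking
    address while the real sender, and therefore any reply, is somewhere else."""
    msg = email.message_from_string(raw_message)  # compat32 policy: raw header strings
    name, addr = split_from_header(msg.get("From", ""))
    findings = []
    if "@" in name and domain_of(name) != domain_of(addr):
        findings.append(f"display name {name!r} is an address on a different domain than sender {addr!r}")
    if domain_of(addr) != internal_domain.lower():
        findings.append(f"sender {addr!r} is outside {internal_domain}")
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, rt_addr = split_from_header(reply_to)
        if domain_of(rt_addr) != domain_of(addr):
            findings.append(f"Reply-To {rt_addr!r} differs from sender domain")
    return findings
```

Run against the two constructed messages, the legitimate one yields no findings and the spoofed one yields the display-name and external-sender findings; a mail filter could tag or quarantine on the first of these.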


The evidence indicates that this is a case of a successful spear phishing attempt, carried out after gaining access to Alison's company email and with some knowledge of the current events of the company, in this case a round of funding with investors.

Conclusion

Based upon the evidence obtained from Jean's laptop, this appears to be a case of a successful spear phishing attempt, and Jean's actions were based on her belief that she was fulfilling a request by her superior. The investigation concludes that there was no malicious intent on Jean's part, and therefore that no disciplinary or legal actions be taken.

The investigation does have findings that directly led to the successful spear phishing attack and the leak of confidential information:

1. Apparent compromise of Alison's Outlook account and unauthorized access.

2. Jean's failure to identify the spear phishing attempt.

3. Lack of policy forbidding transmission of sensitive personal information across insecure channels.

4. Lack of policy requiring multiple forms of validation when requesting confidential or sensitive information.

Corrective Actions

1. Implement multi-factor authentication for access to corporate resources. The passwords surrendered by both Alison and Jean at the start of the investigation appear to be complex; however, they are the only form of authentication used to access the email server.

2. Implement a training program to identify phishing emails. The very low-tech attack could easily have been prevented had Jean been able to see that she was responding to an external email account.

3. Create a policy that any sensitive information be sent via secure channels outside of email, where the recipient is authenticated and authorized.

4. Implement processes where requests for confidential and sensitive information go through an authorization process more sophisticated than email.


References

Badiye, A. (2019, November 26). Chain of Custody (Chain of Evidence). Retrieved July 02, 2020, from https://www.ncbi.nlm.nih.gov/books/NBK551677/

FindLaw. (2019, February 05). When the Fourth Amendment Applies. Retrieved July 02, 2020, from https://criminal.findlaw.com/criminal-rights/when-the-fourth-amendment-applies.html

O'Driscoll, A. (2017, October 13). A guide to employee monitoring and workplace privacy. Retrieved July 02, 2020, from https://www.comparitech.com/blog/vpn-privacy/a-guide-to-employee-monitoring-and-workplace-privacy/
