Computer Forensic Examination Report 1

This report summarizes a computer forensic examination of evidence related to a data spill incident at M57.biz. Key findings include:
- A sensitive spreadsheet containing employee PII was found on Jean's computer, created on July 20th.
- Emails between Jean and Alison identified how the spreadsheet was transmitted outside the company to a competitor on July 21st at 8:03am.
- Criminal offenses facing Jean could include violating company policies, releasing employee PII, and breaching security. Depending on location, laws around social security number disclosure may also be applicable.

The examination aimed to answer questions around how the information left the company, whether Jean had a role, and if any other parties

COMPUTER FORENSIC EXAMINATION REPORT 1

Computer Forensic Examination Report

Emmylou Bice

CSOL 590 Cyber Incident Response and Forensics

University of San Diego


Table of Contents

Abstract
Computer Forensic Examination Report – M57 Case
1 Case Background
2 Questions Relevant to the Case
3 Search and Seizure and Transport of Evidence
  3.1 Exhibits Submitted for Analysis
  3.2 Chain of Custody
  3.3 Further Questions Relevant to the Case
4 Evidence to Search for
5 List of Criminal Offences
6 Files of Evidentiary Value to the Case / Examination Details
7 Corporate Breach
8 Analysis Results
9 Conclusion
10 References

Abstract

This paper documents the digital forensic examination details for the M57.biz data spill. The data spill consists of a sensitive spreadsheet being sent over to a competitor’s website. The main suspect in this case is Jean Jones. Digital forensics is meant to shine light on the investigative or legal related questions to help a court decide the ruling of a court case. With the M57.biz data spill, the company hired an investigator to analyze the evidence of the case. The main questions to answer include how the information left the company network and whether or not the main suspect, Jean Jones, is innocent or guilty. As the forensic investigator, I have analyzed the evidence and collected plenty of data to produce this examination report to present my findings and improvement recommendations for M57.biz.

Computer Forensic Examination Report – M57 Case

1 Case Background

The company, M57.biz, encountered a data spill which consisted of company-sensitive information leaving the corporate network to a competitor. This spreadsheet contains sensitive employee personal identification information including names, salaries, and social security numbers of some key M57.biz employees. The company suspects that Jean Jones, the Chief Financial Officer (CFO), is highly linked to the data spillage as she was the only individual with access to the document.

To conduct an effective, efficient, and thorough investigation, I analyzed the evidence using a variety of forensics tools including the Forensic Tool Kit (FTK) Imager, Autopsy, and the Microsoft Office Suite. Each of these tools provided different features to further analyze the evidence files. With FTK Imager and Autopsy, I opened and analyzed the image of Jean’s computer, which led to discovering a variety of information to assist with closing the case.

2 Questions Relevant to the Case

Prior to conducting the investigation on the evidence, it is important to understand the expected outcomes of the investigation and to gather as much information as possible from the personnel involved to have a better insight. Therefore, both Alison (M57.biz president) and Jean were questioned to acquire their point of view on the data spill. With respect to this case, the following questions were presented to the client, M57.biz.

1. When was the spreadsheet created and by whom?
2. How did the competitor get the spreadsheet?
3. Did Jean have a part in transmitting the spreadsheet?
4. Are there any other parties involved in the case outside of the key suspects?

3 Search and Seizure and Transport of Evidence

As this is an incident involving M57.biz information, legal authorities allow the company to examine any company related property that might be relevant to the case. As Jean is the prime suspect, the organization has the authority to search and seize any company assets Jean accessed that can serve as digital evidence.

3.1 Exhibits Submitted for Analysis

The following is the evidence provided for this investigation. These acquired artifacts and information were carefully packaged and brought under a chain of custody to ensure the integrity of the information was kept intact.

| Evidence | Serial Number |
|---|---|
| Jean Jones’s Computer | N/A |
| Evidence Copy of Jean’s Computer (nps-2008-jean.E01/E02) | 5139c6aa-f298-489e-9f46-247c5d0918ad |
| Login Credentials of Alison and Jean | N/A |

Table 1: Investigation Exhibits

3.2 Chain of Custody

To ensure these artifacts keep their integrity, a chain of custody log was maintained, as shown in the following table.

| Number | Date/Time | Released By | Received By | Comments/Location |
|---|---|---|---|---|
| 1 | 7/21/2008 6:00am | Jean Jones | Security | Collected and stored at M57.biz in a security approved locked cabinet. |
| 2 | 7/21/2008 8:00am | Security | Security | Security created an image file of Jean’s computer to limit any chances of compromise of original computer |
| 3 | 7/21/2008 12:00pm | Security | Emmylou Bice | Security provided the image to Emmylou to be analyzed |

Table 2: Chain of Custody

3.3 Further Questions Relevant to the Case

After receiving the evidence, additional questions were brought up.

1. Did anyone else have access to the spreadsheet?

2. How did the breach get discovered?



4 Evidence to Search for

The evidence to search for includes the sensitive spreadsheet that contains employee PII. During the investigation, I will search for this spreadsheet on the provided image of Jean’s computer, identifying the document creation date and creator. I will also look for traces of any evidence on who, when, and how the spreadsheet was transmitted and sent outside of the company network. Lastly, I will locate any instances indicating whether the leak was intentional or not.

5 List of Criminal Offences

The criminal offences facing ‘Jean Jones’ include: violating company email policies, releasing of employee PII, and breaching company security. Depending on the location of M57.biz, both Jean and the company could be facing additional criminal offenses under social security number disclosure laws, which exist in many locations such as Connecticut. In Connecticut, there are multiple laws or rules prohibiting or restricting individuals and business actions with respect to social security numbers (Orlando, 2011).

6 Files of Evidentiary Value to the Case / Examination Details

I discovered the spreadsheet on the image of Jean’s computer. The filename is m57biz.xls and the creation date is 7/20/2008 at 1:28:03 AM. The spreadsheet was not encrypted or password protected; therefore, I did not need to crack any passwords or encryption to obtain access to the contents.

The following table identifies a series of highlighted emails that were sent between Jean and Alison, M57.biz’s president. The series of emails led to identifying how the spreadsheet was transmitted to the other company, who sent the spreadsheet, who the recipient was, and when the transmission occurred. I had exported the emails into a CSV file to then be analyzed via Microsoft Excel. I have also taken the emails directly and viewed them in Microsoft Outlook. The last couple of messages in the table identify the exact details of the transaction for when the sensitive spreadsheet was emailed.

| Time | To | From | Message |
|---|---|---|---|
| 7/6/2008 12:25pm | Jean | Alison | Please do not send me links like this. I have no way of knowing if they are from you or from some hacker. |
| 7/10/2008 12:48am | Alison | Jean | I thought you told me not to send links. |
| 7/19/2008 4:32pm | Jean | Alison ([email protected]) | Are you going to use [email protected] or [email protected]? |
| 7/19/2008 6:23pm | Jean | Alison ([email protected]) | Please send me the information now |
| 7/19/2008 6:23pm | Jean | Alison ([email protected]) | I need that information now |
| 7/19/2008 6:28pm | Alison ([email protected]) | Jean | I've attached the information that you have requested to this email message. (Sent confidential excel sheet) |
| 7/19/2008 10:03pm | Jean | Alison ([email protected]) | Jean, Thanks for the file. I'll handle it from here. |

Table 3: Email Timeline

The email timeline starts with Alison telling Jean not to send her emails with links in them on 7/6/2008. Jean proceeds to continuously send Alison emails with links in them over the course of the week. Although not shown in the timeline, Jean also sent Alison emails with links, which prompted Alison to restate to not send any links. About a week later, Jean emails Alison asking which email to send to, the [email protected] email or the [email protected] email. This creates confusion for Jean as she receives responses from both emails, meaning people can reach Alison through multiple emails. On 7/19/2008 at 4:32pm, Jean receives an email from who she believes is Alison because the name displays as “[email protected]”; however, the email is from “[email protected]”. Given that Alison has multiple emails, Jean must have gotten confused. This email requests that Jean send the employee background check information. Jean does not respond to this, but then “Alison” asks for the file a few hours later. This creates a sense of urgency. On 7/19/2008 at 6:28pm, Jean responds to “Alison” ([email protected]) and sends the sensitive spreadsheet.
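
The mismatch described above, a display name that shows a company address while the message really comes from another domain, can be checked mechanically over an exported email CSV. This is an added example, not part of the original report: the column names, the `triage` helper and every address in the sample are constructed assumptions, not case data.

```python
import csv
import io
import re
from email.utils import parseaddr

# Constructed sample export, not the case data. All addresses are placeholders.
SAMPLE_CSV = '''date,from,to,subject
2008-07-06 12:25,Alison <alison@corp.example>,jean@corp.example,Links
2008-07-19 16:32,"""alison@corp.example"" <x1@freemail.example>",jean@corp.example,Background checks
2008-07-19 18:23,"""alison@corp.example"" <x1@freemail.example>",jean@corp.example,Please send the information
2008-07-19 18:28,Jean <jean@corp.example>,x1@freemail.example,RE: Please send the information
'''

# Matches an email address written inside the display-name part of a From header.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(address):
    return address.rpartition("@")[2].lower()


def triage(csv_text, trusted_domain):
    """Flag display-name spoofs of trusted_domain and internal mail sent to the spoofer."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    spoofed, spoofers = [], set()
    for row in rows:
        display, actual = parseaddr(row["from"])
        shown = ADDR_IN_NAME.search(display)
        # The display name advertises a trusted-domain address while the real
        # sender address is on another domain: the pattern in the report.
        if (shown and shown.group(1).lower() == trusted_domain
                and domain_of(actual) != trusted_domain):
            spoofed.append((row["date"], shown.group(0).lower(), actual.lower()))
            spoofers.add(actual.lower())
    # Second pass: mail from inside the organisation addressed to a flagged
    # sender marks the point at which data could have left the network.
    replies = [
        (row["date"], parseaddr(row["from"])[1].lower(), row["subject"])
        for row in rows
        if parseaddr(row["to"])[1].lower() in spoofers
        and domain_of(parseaddr(row["from"])[1]) == trusted_domain
    ]
    return spoofed, replies


if __name__ == "__main__":
    spoofed, replies = triage(SAMPLE_CSV, "corp.example")
    for hit in spoofed:
        print("display-name spoof:", hit)
    for hit in replies:
        print("internal mail to spoofer:", hit)
```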

7 Corporate Breach

From the email timeline, I identified that Jean was at fault for the data spillage of the sensitive spreadsheet that contained employee information. She violated company policy and breached corporate security by sending out this information. However, because the emails showed that there were multiple seemingly urgent messages coming from someone posing as Alison, I have determined that Jean was a victim of a phishing attack. A phishing attack is an attack where the threat or adversary poses as a trusted individual or organization to trick victims into sharing sensitive information by either replying to the email or clicking on suspicious links (Malwarebytes, n.d.).

8 Analysis Results

To analyze Jean’s image, I used a combination of FTK Imager, Autopsy, and the Microsoft Office Suite. The first step in analyzing the image includes verifying that the image did not become corrupted during the ingest. The figure below identifies the integrity verification results.

Figure 1: FTK Imager Integrity Verification

Once I verified that the evidence was loaded properly, I used both FTK Imager and Autopsy to peruse the directories and folders of the system. From there, located on Jean’s Desktop was the sensitive file named m57biz.xls, as shown in the figure below.

Figure 2: m57biz.xls File Location

This provides some proof that Jean may have been involved with the data spill since the file was discovered on her system. Once this file was found, I identified that Alison created the spreadsheet, but Jean was the last person to edit it, as shown in the following figure.

Figure 3: m57biz.xls Info Details

After, I focused my attention on locating any additional information that may point to the data spill itself. In the evidence file, I located a series of .pst files on the system, which are emails. In Autopsy, I was able to export the emails to a CSV format for easy data analysis. I also exported the .pst files directly to be examined via Microsoft Outlook. The following image identifies an email from Alison requesting Jean to create the sensitive spreadsheet that consisted of employee social security numbers and salary.

Figure 4: [email protected] Email

The following figure identifies the spoofing email where the adversary ([email protected]) posed as Alison ([email protected]) and asked for the spreadsheet with an urgent tone.

Figure 5: [email protected] Email

Jean responded to this email with the spreadsheet attached as depicted in the figure below.

Figure 6: Jean’s Response Email


9 Conclusion

As a result of the investigation, I was able to recover relevant artifacts and emails for the investigation, all while maintaining integrity of the evidence files by using industry approved tools. From the image, I confirmed that the spreadsheet was on Jean’s computer and was created on 7/20/2008 at 1:28AM. From the emails identified, I was able to read through them and determine the series of events and all the associated details that led up to the data spillage. Overall, after analyzing all the pieces of evidence, I concluded that Jean was the individual that caused the spill, but was a victim of a phishing attack due to Alison having multiple emails and the requester of the spreadsheet having Alison’s name despite being a Gmail address. Jean thought she was sending the spreadsheet to Alison.

Therefore, as a path forward, I recommend that M57.biz make improvements to the policies, training, and technical protections. This includes clearly stating what is and isn’t allowed to be transmitted in the email policy, refreshing the entire staff on the dangers of phishing attacks and how to spot them, and implementing a robust firewall and data loss prevention software to block phishing attacks and ensure files are either prohibited from leaving the network or identified sooner for investigation.

10 References

Crawford, V. (2015). Example of an Expert Witness Digital Forensic Report. From https://www.academia.edu/12324822/Example_of_An_Expert_Witness_Digital_forensics_Report

Malwarebytes. (n.d.). What is phishing? From https://www.malwarebytes.com/phishing

Orlando, J. (2011, November 2). Disclosure of Social Security Numbers. From https://www.cga.ct.gov/2011/rpt/2011-R-0369.htm
