Solving cases

The document outlines four distinct case investigations: a corporate data breach involving insider threats, a cyberbullying case leading to identification of a known harasser, intellectual property theft by an employee, and a murder investigation with digital evidence against a suspect. Each case follows a structured approach of identification, preservation, collection, analysis, and reporting, detailing the forensic techniques and findings. Recommendations for improving security and legal actions are provided based on the conclusions drawn from the investigations.

Uploaded by maliha1771

Solving cases - 03/02/25

Case 1: Corporate Data Breach Investigation

Step 1: Identification
To investigate the data breach at FinSecure, the first step is to identify the indicators that have been raised: the outbound traffic at 2:00 AM, unauthorised access to a database by John Doe, and a phishing email that was flagged but ignored. With these established, we can move on to determining the source.

Step 2: Preservation
To ensure that no other sensitive data is compromised, it is essential to isolate the affected systems. First, John Doe's account is frozen and his physical access restricted. He should be permanently suspended and blocked from company portals so that the databases cannot be accessed by unauthorised members. Next, forensic disk images of all affected servers and employee workstations should be created with FTK Imager and examined. Network logs should also be preserved and tracked to discover the outbound data flow, and the flagged phishing emails should be tracked and examined through Wireshark.

Step 3: Collection
Now we collect all the evidence needed to support the investigation:
- Network logs to trace the exfiltration of sensitive data.
- Employee access records to determine unauthorised database access.
- Email server metadata to analyse phishing attack details.
- John Doe's workstation logs to examine suspicious activity.

Step 4: Analysis
The analysis verifies that significant amounts of client data were exported to an external server during off-peak hours, as indicated by Wireshark. Splunk indicates that John Doe's account accessed restricted data from an unknown VPN, in an attempt to hide the activity. Autopsy reveals browser history that links him to cloud storage, where the data was likely uploaded. The phishing email did contain a credential-harvesting link; however, the Email Header Analyzer indicated no evidence that his credentials had been stolen. All of these points lead to the conclusion that John Doe deliberately accessed, copied, and transferred financial data, pointing to an insider attack rather than an external breach.

Step 5: Conclusion/Reporting
It was concluded that John Doe deliberately accessed and exfiltrated client information using his own credentials and via a VPN. The phishing email is probably only a distraction and not the main attack vector. It is recommended to:
- Implement MFA and least-privilege access to prevent unauthorized access to data.
- Install a SIEM solution.
- Educate employees to recognise and report phishing emails.
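As an added example (not part of the original write-up), the cross-check behind Step 4 can be scripted: a restricted-data access during off-peak hours from an address outside the corporate network and the sanctioned VPN, followed within a short window by a large outbound flow from that user's workstation. The log lines, account names, host mapping, address ranges and VPN egress address below are all constructed.

```python
"""Flag insider-exfiltration candidates by joining access records with flow records.
Added example; every log line, host name and address below is constructed."""
from datetime import datetime
import ipaddress

# Constructed Splunk-style access records: time, user, source IP, resource.
ACCESS_LOG = """\
2025-02-01T01:52:10 jdoe 203.0.113.77 db:client_accounts
2025-02-01T09:15:00 asmith 10.0.4.21 db:client_accounts
2025-02-01T02:03:44 jdoe 203.0.113.77 db:client_accounts
"""
# Constructed flow records: time, source host, destination IP, bytes out.
FLOW_LOG = """\
2025-02-01T02:05:30 ws-jdoe 198.51.100.9 734003200
2025-02-01T09:20:11 ws-asmith 10.0.9.3 20480
2025-02-01T02:07:02 ws-jdoe 198.51.100.9 512000000
"""
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal range
KNOWN_VPN_EGRESS = {"192.0.2.10"}                        # assumed sanctioned VPN exit
USER_TO_HOST = {"jdoe": "ws-jdoe", "asmith": "ws-asmith"}
OFF_HOURS = range(0, 6)                                  # 00:00-05:59
BYTES_THRESHOLD = 100 * 1024 * 1024                      # 100 MiB in a single flow

def is_unknown_address(ip):
    """True when ip is neither inside the corporate nets nor the sanctioned VPN."""
    addr = ipaddress.ip_address(ip)
    return ip not in KNOWN_VPN_EGRESS and not any(addr in n for n in CORPORATE_NETS)

def parse(log):
    return [line.split() for line in log.strip().splitlines()]

def flag_exfiltration(access_log=ACCESS_LOG, flow_log=FLOW_LOG, window_min=30):
    """Return {(user, flow_time): bytes} for large off-hours outbound flows that
    follow, within window_min minutes, a restricted-data access by that user
    from an unknown address. Each flow is reported once."""
    flows = [(datetime.fromisoformat(t), h, d, int(b)) for t, h, d, b in parse(flow_log)]
    hits = {}
    for t, user, src, resource in parse(access_log):
        at = datetime.fromisoformat(t)
        if not (resource.startswith("db:") and at.hour in OFF_HOURS
                and is_unknown_address(src)):
            continue
        for ft, host, dst, nbytes in flows:
            minutes_after = (ft - at).total_seconds() / 60
            if (host == USER_TO_HOST.get(user) and 0 <= minutes_after <= window_min
                    and nbytes >= BYTES_THRESHOLD and is_unknown_address(dst)):
                hits[(user, ft.isoformat())] = nbytes
    return hits
```

A hit is a lead to be confirmed against the disk image and browser history, not proof on its own: a legitimate batch job from a travelling administrator would match the same pattern.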

Case 2: Cyberbullying and harassment

Step 1: Identification
Sarah has received threatening emails, impersonation attempts and coercive messages from an anonymous person. The harasser impersonated Sarah with fake social media accounts and tried to manipulate her into giving up private information. Through email metadata, links to these fake accounts, and Sarah's device logs, investigators can assess whether the attacker used VPNs, anonymisers, or phishing tactics.

Step 2: Preservation
To prevent data tampering, forensic images of Sarah's devices were created using FTK Imager, and the stored data was examined with Autopsy for traces of malicious files. Screenshots of threatening messages and impersonation attempts were preserved to ensure evidence integrity. Email headers and metadata were extracted for further analysis to track the origin of the threats.

Step 3: Collection
Investigators extracted IP addresses from the emails and, with the help of Wireshark, monitored network activity for signs of unauthorised access. Social media scrapers collected data from the fake accounts, enabling investigators to track behavioural patterns and online interactions.

Step 4: Analysis
The forensic analysis of the email sender showed that they used temporary anonymous email services; however, with the Email Header Analyzer and Wireshark, the general location could be traced. Autopsy and Windows Event Viewer showed that no malware had been installed, so hacking was ruled out. However, analysis of the phishing attempts on PhishTank indicated that the harasser had tried to gain unauthorised access to Sarah's accounts. By cross-referencing timestamps, social media activity, and email behaviour, investigators identified a suspect known to Sarah who used multiple fake identities to intimidate her.

Step 5: Conclusion/Reporting
The investigation found that Sarah's harasser was known to her and had used fake accounts and anonymous emails to intimidate her. Forensic evidence was handed over to the police for further legal action. Her online security was strengthened by enabling two-factor authentication and updating her privacy settings. The fake accounts were reported for removal, and awareness sessions on cyberbullying prevention and digital security were recommended for Sarah and her friends. The investigation identified the harasser, ruled out hacking, and provided actionable steps to protect Sarah from further harm.
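The header analysis in Steps 2 to 4 rests on walking the Received chain back to the earliest hop. As an added example, not part of the original write-up, the script below does that with Python's standard email parser on a constructed message; the host names and addresses are documentation values, and the RFC 1918 and loopback ranges are skipped because they say nothing about the origin.

```python
"""Walk an email's Received chain to find the earliest non-internal relay address.
Added example; the message below is constructed and its addresses are documentation ranges."""
import email
import ipaddress
import re

# Constructed message: three relay hops, the earliest of which records the
# sender's private LAN address and the public address it connected from.
SAMPLE_EMAIL = """\
Received: from mx.corp.example (mx.corp.example [10.0.1.5])
\tby mail.corp.example with ESMTP id abc123; Sat, 01 Feb 2025 22:14:09 +0000
Received: from relay.tempmail.example (relay.tempmail.example [203.0.113.45])
\tby mx.corp.example with ESMTPS; Sat, 01 Feb 2025 22:14:08 +0000
Received: from [192.168.1.20] (unknown [198.51.100.23])
\tby relay.tempmail.example with ESMTPSA; Sat, 01 Feb 2025 22:14:05 +0000
From: "Sarah" <sarah.lookalike@tempmail.example>
To: sarah@example.org
Subject: Re: account details
Date: Sat, 01 Feb 2025 22:14:05 +0000

(constructed body)
"""
IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Addresses that cannot identify an origin on their own (RFC 1918 and loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def received_hops(raw):
    """Each relay prepends its own Received header, so reversing the list
    gives the chain in transit order (earliest hop first)."""
    msg = email.message_from_string(raw)
    return list(reversed(msg.get_all("Received", [])))

def public_addresses(raw=SAMPLE_EMAIL):
    """All non-internal IPv4 literals in the Received chain, earliest hop first."""
    found = []
    for hop in received_hops(raw):
        for literal in IP_LITERAL.findall(hop):
            addr = ipaddress.ip_address(literal)
            if not any(addr in net for net in INTERNAL_NETS):
                found.append(literal)
    return found

def origin_address(raw=SAMPLE_EMAIL):
    """Earliest public address. For a disposable-mail service this is usually the
    service's or a VPN's address rather than the sender's own, so it is a lead only."""
    addresses = public_addresses(raw)
    return addresses[0] if addresses else None
```

Only the hops added by servers you trust are reliable; a sender can forge Received lines below them, so the addresses from the earliest hops should be corroborated with the provider's records rather than taken at face value.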

Case 3: Intellectual property theft

Step 1: Identification
This case centres on allegations that Ahmed had been stealing source code and design documents for TechVision's fraud detection algorithm prior to his resignation. Internal investigations suggest that Ahmed accessed a restricted folder, plugged in various USB drives, and then uploaded files to personal cloud storage. Moreover, he wiped some of his emails, but traces remain on the company's email archiving system. The investigators need to ascertain whether any of these actions amounted to data theft and whether the VisionAI product is indeed based on stolen code.

Step 2: Preservation
To preserve data integrity, a forensic image of Ahmed's work laptop was created using FTK Imager before any analysis. Write blockers were used to prevent any unintended modification during the review of external storage devices. EnCase and the Microsoft 365 Compliance Center were used to preserve the company servers and email archives, ensuring that crucial evidence was not lost.

Step 3: Collection
To begin with, investigators analysed USB connection logs and file-access events using USBDetective and Windows Event Viewer. Cloud storage activity was assessed through browser history analysis in Autopsy, while the Wireshark logs were scanned for unauthorised transfers. Email metadata was extracted using the Email Header Analyzer and used to trace any communication deleted from the account.

Step 4: Analysis
The X-Ways Forensics examination of the file system revealed that Ahmed accessed TechVision's proprietary source code just prior to his resignation. Last-accessed timestamps suggested that critical files had been opened just before USB devices were connected, supporting the theory that data was copied. The login records for cloud storage pointed to several uploads from Ahmed's company laptop, lending more credence to the suspicion that data was deliberately exfiltrated. A detailed comparison of TechVision's fraud detection algorithm with VisionAI's product, using Beyond Compare and an analysis of Git history, revealed a significant amount of common code, which suggests that VisionAI's system was built on stolen intellectual property.

Step 5: Conclusion/Reporting
The forensic investigation documented that Ahmed copied TechVision's proprietary algorithm and design documents before leaving. There is strong evidence to support a lawsuit: the USB file transfers, the uploads to cloud storage, and the code similarities. A detailed report was prepared for TechVision's legal team, recommending litigation for IP theft. Moreover, security policies were reviewed to prevent further data leaks, with enhanced access control, real-time file monitoring, and stricter data transfer policies suggested. The investigation successfully established the theft, enabling TechVision to take measures to protect its proprietary technology.
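The timeline argument in Steps 3 and 4 (restricted files opened shortly before a USB device was connected) can be made explicit. As an added example that is not part of the original write-up, the script below pairs connect/disconnect events into sessions and lists restricted files whose last-accessed time falls in the lead-up to or during each session; the events, paths and the restricted-folder location are constructed.

```python
"""Correlate USB connection sessions with last-accessed times of restricted files.
Added example; the events and file metadata below are constructed."""
from datetime import datetime, timedelta

# Constructed USB connect/disconnect events, as USBDetective or the Windows
# event log would expose them: time, event kind, device serial.
USB_EVENTS = [
    ("2025-01-28T17:42:10", "connect", "SanDisk_SN1234"),
    ("2025-01-28T17:58:30", "disconnect", "SanDisk_SN1234"),
    ("2025-01-30T12:05:00", "connect", "Kingston_SN9876"),
    ("2025-01-30T12:09:15", "disconnect", "Kingston_SN9876"),
]
# Constructed file-system metadata from the laptop image: path, last-accessed time.
FILE_ACCESS = [
    (r"\\fs01\restricted\fraud_model\scoring.py", "2025-01-28T17:35:02"),
    (r"\\fs01\restricted\fraud_model\features.md", "2025-01-28T17:50:44"),
    (r"\\fs01\public\lunch_menu.pdf", "2025-01-28T17:45:00"),
    (r"\\fs01\restricted\fraud_model\design.docx", "2025-01-29T09:00:00"),
    (r"\\fs01\restricted\fraud_model\train.py", "2025-01-30T12:07:00"),
]
RESTRICTED_PREFIX = r"\\fs01\restricted"   # assumed location of the protected folder

def usb_sessions(events=USB_EVENTS):
    """Pair connect/disconnect events per serial into (serial, start, end) tuples.
    A device still connected at the end of the log gets an open-ended session."""
    open_at, sessions = {}, []
    for t, kind, serial in sorted(events):
        ts = datetime.fromisoformat(t)
        if kind == "connect":
            open_at[serial] = ts
        elif serial in open_at:
            sessions.append((serial, open_at.pop(serial), ts))
    sessions.extend((s, t, datetime.max) for s, t in open_at.items())
    return sessions

def files_touched_around_usb(files=FILE_ACCESS, events=USB_EVENTS, lead_min=15):
    """Restricted files whose last access falls from lead_min minutes before a USB
    connect until that device's disconnect, keyed by device serial."""
    hits = {}
    for serial, start, end in usb_sessions(events):
        window_start = start - timedelta(minutes=lead_min)
        for path, t in files:
            if not path.lower().startswith(RESTRICTED_PREFIX.lower()):
                continue
            if window_start <= datetime.fromisoformat(t) <= end:
                hits.setdefault(serial, []).append(path)
    return hits
```

Last-accessed timestamps are only meaningful if the image was taken with a write blocker and the volume did not have access-time updates disabled, so check both before relying on the output.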

Case 4: Murder investigation

Step 1: Identification
The police suspect Ali Khan, as there is evidence against him that conflicts with his alibi. His car was seen near the crime scene, and GPS data contradicts his alibi. Searches that looked suspiciously related to crime scene cleanup were also found on his laptop. Investigators need to recover deleted data from Ali's devices and verify his movement patterns and activities to build a timeline.

Step 2: Preservation
Forensically sound images of Ali's phone, laptop, and the car's GPS system were created using FTK Imager and Cellebrite UFED to avoid any modification. The car's onboard system was preserved to guarantee the integrity of the original data during extraction.

Step 3: Collection
Deleted browsing history and file remnants were recovered with Autopsy and X-Ways Forensics, establishing that Ali had searched for methods of erasing GPS data. GPS logs were extracted from the vehicle system, revealing coordinates that placed Ali near the crime scene at around the time of death. Mobile forensics were carried out to examine deleted text messages, call logs, and app data from Ali's phone, finding discrepancies in his digital trail that pointed to deliberate deletion.

Step 4: Analysis
The car's GPS records showed Ali's movements, contradicting his claim of being out of town. Browser history analysis confirmed searches about hiding digital traces, indicating an attempt to cover his tracks. Timestamps extracted from Ali's laptop revealed file deletions around the time of the murder, further raising suspicion. Additionally, a metadata review of his phone's activity log suggested tampering, supporting the theory that incriminating data was erased.

Step 5: Conclusion/Reporting
The forensic analysis disproves Ali's alibi, confirming that his car was driven home at the time of the crime and that his digital activity suggests premeditation and cover-up attempts. The evidence (GPS data, deleted searches, and gaps in phone activity) provides strong grounds for legal action. The findings were submitted to law enforcement, strengthening the case against Ali and allowing investigators to refine the timeline of events leading to Ayesha's murder.
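The GPS-versus-alibi test in Steps 3 and 4 reduces to a distance check on the points recorded inside the time-of-death window. As an added example that is not part of the original write-up, the script below does that with a haversine distance; the coordinates, window, radius and GPS log are all constructed.

```python
"""Test a suspect's stated location against vehicle GPS points inside the time-of-death window.
Added example; coordinates, times and the GPS log below are constructed."""
import math
from datetime import datetime

SCENE = (24.8607, 67.0011)    # constructed crime-scene coordinates (lat, lon)
ALIBI = (25.3960, 68.3578)    # constructed location the suspect claims to have been at
WINDOW = ("2025-01-31T22:30:00", "2025-01-31T23:30:00")  # constructed time-of-death window

# Constructed GPS log as extracted from the car's onboard system: time,lat,lon
GPS_LOG = """\
2025-01-31T21:50:00,24.9056,67.0822
2025-01-31T22:40:00,24.8612,67.0004
2025-01-31T22:55:00,24.8609,67.0015
2025-01-31T23:45:00,24.9048,67.0830
2025-02-01T00:10:00,24.9056,67.0822
"""

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def parse_gps(log=GPS_LOG):
    points = []
    for line in log.strip().splitlines():
        t, lat, lon = line.split(",")
        points.append((datetime.fromisoformat(t), float(lat), float(lon)))
    return points

def check_alibi(log=GPS_LOG, scene=SCENE, alibi=ALIBI, window=WINDOW, radius_m=300):
    """Summarise where the vehicle was during the window. The alibi is consistent only
    if the vehicle was near the claimed location and never near the scene."""
    start, end = (datetime.fromisoformat(w) for w in window)
    in_window = [p for p in parse_gps(log) if start <= p[0] <= end]
    near_scene = [p[0].isoformat() for p in in_window if haversine_m(p[1:], scene) <= radius_m]
    near_alibi = [p[0].isoformat() for p in in_window if haversine_m(p[1:], alibi) <= radius_m]
    return {"points_in_window": len(in_window), "near_scene": near_scene,
            "near_alibi": near_alibi, "alibi_consistent": bool(near_alibi) and not near_scene}
```

The radius should reflect the receiver's accuracy, and the result places the vehicle, not necessarily the suspect, which is why the write-up pairs it with the phone and laptop evidence.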
