
The Final Project

CSOL-590: Module 7

Ted Huskey
Table of Contents

Abstract
Forensic Examination
  Readiness
  Evaluation
  Collection
  Analysis
  Presentation
  Review
Conclusion

Abstract

M57.biz is a small online company with fewer than 10 employees. Lacking a brick-and-mortar presence, employees work from home or from local retail spaces and use whatever public WiFi is available for their Internet access. Although there are weekly face-to-face meetings, employee interaction is primarily via email or web chat.

A spreadsheet containing M57.biz company-sensitive data (employees' names, positions, salaries and compensation) was found posted on a competitor's bulletin board. The company Chief Financial Officer (CFO) was the only person with access to the spreadsheet and claimed she did not post the document. A digital forensics company was hired to conduct a computer forensics examination of the incident to determine the facts, develop evidence for presentation in court and make recommendations.

Computer forensics examinations are conducted to gather, analyze, report and preserve evidence (NIJ, 2004). For the M57.biz case, evidence was collected, interviews were taken and analysis was performed. Acting on orders she believed came from the company president, the M57.biz CFO created a spreadsheet containing company-sensitive information and emailed it. Analysis of the evidence suggests that the M57.biz president's email identity was spoofed: an unidentified bad actor, posing as the president, directed the CFO to email the spreadsheet and eventually supplied the spreadsheet for posting online.

A computer forensics examination follows a six-stage process (readiness, evaluation, collection, analysis, presentation and review). Working through those stages determined the facts of this case and formed the basis of the recommendation to the court.

Readiness Stage

Validity of data is an important characteristic of evidence. In computer forensics, particularly in court cases, the validity of data or evidence depends heavily on the process used by the forensic examiner. Readiness plays a key role in achieving and maintaining the credibility of an expert witness. Readiness includes training and testing of the expert, but also education of fellow employees and keeping the software in use current. Nor is readiness limited to the witnesses: it also includes training and preparing clients (Forensics Control, 2018). The examiner used in the M57.biz case was at a very high state of readiness, having just completed his annual technical and legal refresher training.

Evaluation Stage

Starting off in the right direction with proper guidance is critical to a successful forensics examination. The evaluation stage is where the investigative team receives its instructions, and incoherent or nonsensical instructions can kill an examination (Boniface, 2017). The client, one of M57.biz's first-round funders, was very clear in his instructions: he wanted to know when the spreadsheet was created, how it got to a competitor's computer and who from the company was involved.

Collection Stage

The collection stage is where the rubber meets the road. Proper handling and safeguarding of the data is crucial to ensuring the information will be admissible in legal proceedings (Strickland, 2018). Physical evidence (forensic image files of the suspect laptop's hard drive and a printout of the subject spreadsheet) was provided to the investigator. Physical chain of custody was maintained at all times, and evidence was transported only by bonded and licensed courier services. Personal interviews were conducted and recorded, with a chaperone present during the interviews.

Analysis Stage

No one stage is more important than any other, but the consequences of poor analysis can be catastrophic. Analysis must be accurate, repeatable and free of errors. Central to the analysis stage are the tools used. Two forensic analysis tools were considered for this case: AccessData's Forensic Toolkit (FTK) and Sleuth Kit Autopsy. Given its ease of use, its support for the format of the evidence files and the examiner's familiarity with the software, Autopsy was used for this examination. An attractive feature of Autopsy is the speed at which the various analyses run, which lets the examiner consult with the client to gain a better understanding of the data and in turn adjust the analysis to get the most usable data in the allotted time (Yusoff, Ismail and Hassan, 2011).

Presentation Stage

The results of the examination of M57.biz are presented in the following report.

DIGITAL FORENSIC REPORT

M57.BIZ DATA EXFILTRATION

Investigator: Ted Huskey, CEO, Digital Detective Services

SUBJECT: M57.biz Digital Forensics Examination Report

OFFENCE: Unauthorized distribution of company-sensitive information

ACCUSED: Jean Jones

DATE OF REQUEST: Dec 04, 2018

DATE OF CONCLUSION: Dec 11, 2018

Contents

Case Background

Evidence

Data Collection

Data Analysis

Legal Aspects

Facts

Findings

Recommendation

Case Background
M57.biz is a small web-based company with fewer than 10 employees. It is essentially a virtual corporation: most employees work out of their homes on laptops, and their interactions are primarily electronic (email or chat).

A document containing company-sensitive information was posted online. The document had been emailed by the CFO, who claimed she was directed to do so by the company president; the president claimed she neither requested nor received the document.

Evidence
Three pieces of evidence were provided: a printout of the subject spreadsheet, an M57.biz PowerPoint presentation and an EnCase-format image of the CFO's laptop. The spreadsheet was a single page with 'M57.biz company' typed at the top, listing each employee's first name, last name, position, salary and SSN. The PowerPoint presentation provided amplifying company information. The image of the CFO's laptop was provided as two EnCase-format files.

Data Collection
Data integrity and chain of custody were of prime importance and the first consideration in data collection and analysis. The CFO's laptop was imaged with EnCase, and the resulting EnCase-format image files were provided as part of the evidence package. The files were loaded onto a dedicated, case-specific workstation.
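
The integrity claim above is only as good as the record that supports it: a digest of every image file taken at acquisition and re-checked after each transfer and before analysis. The following is an added example of that record-and-verify step, not code from the report or from EnCase or Autopsy. The segment names (cfo-laptop.E01/E02), the manifest layout and the custodian field are assumptions, and the two "image segments" are small constructed files written to a temporary directory so the script runs offline.

```python
"""Evidence-integrity check for a forensic image set.

Added example (not part of the original report). File names and the manifest
layout are assumptions; the two "image segments" are constructed in a
temporary directory so the script runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB chunks; real E01 sets can run to tens of GB


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed so a large image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, custodian: str) -> dict:
    """Acquisition record: each file's digest plus who hashed it and when."""
    return {
        "custodian": custodian,
        "hashed_at": datetime.now(timezone.utc).isoformat(),
        "files": {os.path.basename(p): hash_file(p) for p in paths},
    }


def verify_manifest(manifest: dict, directory: str) -> dict:
    """Re-hash every file in the manifest; map name -> 'ok' | 'MISMATCH' | 'MISSING'."""
    results = {}
    for name, expected in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
        elif hash_file(path) != expected:
            results[name] = "MISMATCH"
        else:
            results[name] = "ok"
    return results


def demo() -> tuple:
    """Hash two constructed segments at acquisition, then re-verify after a
    one-byte change and after a segment goes missing (e.g. lost in transit)."""
    with tempfile.TemporaryDirectory() as d:
        segs = []
        for i, fill in enumerate((b"\x00", b"\x01"), 1):
            p = os.path.join(d, f"cfo-laptop.E{i:02d}")  # constructed stand-in for an image segment
            with open(p, "wb") as f:
                f.write(b"EVF" + fill * 4096)
            segs.append(p)
        manifest = build_manifest(segs, custodian="examiner")
        at_acquisition = verify_manifest(manifest, d)

        with open(segs[1], "r+b") as f:  # flip one byte deep in the second segment
            f.seek(100)
            f.write(b"\xff")
        after_tamper = verify_manifest(manifest, d)

        os.remove(segs[0])
        after_loss = verify_manifest(manifest, d)
    return at_acquisition, after_tamper, after_loss


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what a chain-of-custody form points at: each hand-off re-runs verify_manifest and records the result, so a MISMATCH or MISSING is tied to a specific custodian and time rather than discovered in court.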

Data Analysis
Analysis was a two-step process. First, Sleuth Kit Autopsy was used to process the image and display the results for further analysis; then the investigators painstakingly and manually reviewed the Autopsy-generated data using keyword and file-type searches that targeted 'suspect' areas (e.g. xls, pst, 'spreadsheet', 'Starbucks'), looking for clues (see Figure 1).

Figure 1
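
The keyword and file-type pass described above is the part of the analysis most easily reproduced outside Autopsy, and it has one caveat a practitioner should check: many Windows artifacts (registry hives, Outlook stores, NTFS names) hold strings as UTF-16LE, so a plain ASCII keyword search misses them. The following is an added example of that triage step, not the report's Autopsy output. It assumes the examiner has exported the file system (or Autopsy's extracted content) to a directory; the directory tree, file names and file contents below are constructed so it runs offline.

```python
"""Keyword and file-type triage over files exported from an image.

Added example, not the report's Autopsy output. It assumes the examiner has
exported the file system (or Autopsy's extracted content) to a directory;
the directory tree and file contents below are constructed so it runs offline.
"""
import os
import tempfile

SUSPECT_EXT = {".xls", ".xlsx", ".pst", ".ost"}   # spreadsheet and Outlook stores
KEYWORDS = ["spreadsheet", "Starbucks", "M57.biz company"]


def keyword_patterns(keywords):
    """Each keyword as lower-case ASCII and as UTF-16LE. Windows artifacts
    (registry, Outlook, NTFS names) often hold strings as UTF-16LE, which an
    ASCII-only search silently misses."""
    pats = []
    for kw in keywords:
        low = kw.lower()
        pats.append((kw, low.encode("ascii")))
        pats.append((kw, low.encode("utf-16-le")))
    return pats


PATS = keyword_patterns(KEYWORDS)


def scan_bytes(data: bytes, pats=PATS):
    """Case-insensitive search of a byte buffer; returns (keyword, offset) hits.
    bytes.lower() folds only ASCII letters, which is exactly what both the ASCII
    and the UTF-16LE needles need (the NUL bytes in UTF-16LE are untouched)."""
    low = data.lower()
    hits = []
    for kw, needle in pats:
        start = 0
        while (idx := low.find(needle, start)) != -1:
            hits.append((kw, idx))
            start = idx + 1
    return hits


def triage(root: str):
    """Walk root and report every file selected by extension or by keyword hit."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as f:   # whole-file read; chunk with overlap for huge files
                hits = scan_bytes(f.read())
            if ext in SUSPECT_EXT or hits:
                report.append({
                    "file": os.path.relpath(path, root).replace(os.sep, "/"),
                    "by_extension": ext in SUSPECT_EXT,
                    "hits": hits,
                })
    return sorted(report, key=lambda r: r["file"])


def demo():
    """Constructed mini file system: a spreadsheet with the company header, an
    Outlook store with no keyword text, a registry-like file holding 'Starbucks'
    in UTF-16LE, and a binary that should not be reported."""
    files = {
        "Users/jean/Documents/m57biz.xls":
            b"\xd0\xcf\x11\xe0" + b"M57.biz company\nfirst,last,position,salary\n",
        "Users/jean/AppData/Local/Microsoft/Outlook/outlook.pst": b"!BDN" + b"\x00" * 64,
        "Users/jean/NTUSER.DAT": b"\x00" * 16 + "Starbucks".encode("utf-16-le") + b"\x00\x00",
        "Windows/notepad.exe": b"MZ" + bytes(range(256)),
    }
    with tempfile.TemporaryDirectory() as d:
        for rel, data in files.items():
            p = os.path.join(d, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        return triage(d)


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Extension selection and keyword hits are reported separately on purpose: a .pst with no hits still goes on the review list because its contents are structured, not plain text, and need a mail parser rather than a byte search.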

Legal Aspects
Consistent with company policy, the CFO's laptop is company property; as such it was imaged for evidence without the need for a warrant and then returned to the employee.

Data integrity and evidentiary chain of custody were of prime importance, and the investigators were keenly aware of the legal implications and ramifications of their analysis. The investigators were professional and in complete compliance with all legal and regulatory measures, particularly the rules of evidence.

Chain of custody was supported by the use of a dedicated desktop workstation assigned exclusively to this case (no other activities were conducted on it). The workstation was kept in an access-controlled room, and only authorized users were given access. When transportation was required, only licensed and bonded couriers were used.

Facts of the Case
At 16:39 on 7/19/2008, the M57.biz CFO (Jean) received an email purportedly from the company president (Alison) requesting a spreadsheet of company data. Jean complied and emailed the spreadsheet as directed (see Figure 2).

Figure 2

Examination of the email revealed that Alison's email account had been spoofed (by 'simsong') (see Figure 3).

Figure 3

Case Findings
Although neither the point of intrusion nor the intruder has been identified from the available evidence, the M57.biz president's email account was spoofed. The likely mechanism was an alias email address, 'alex@m57.biz', used in place of the president's actual address, 'alison@m57.biz'; messages from the alias started appearing in the hours leading up to the request for the spreadsheet (see Figure 4).

Figure 4
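
The finding above is a detectable pattern: a familiar display name attached to an address nobody in the company directory uses. The following is an added example of a header check that flags that pattern, plus the related Reply-To divergence, over a mailbox export. It is not code from the report, and it does not reproduce the case data: the address book (KNOWN), the company domain and the three messages are all constructed for the example.

```python
"""Flag messages whose sender looks like a known colleague but is not.

Added example, not from the report. The address book is assumed and the
three messages are constructed; no case data is reproduced.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed directory of legitimate company addresses (first name -> address).
KNOWN = {"alison": "alison@m57.biz", "jean": "jean@m57.biz"}
COMPANY_DOMAIN = "m57.biz"


def sender_findings(raw: str) -> list:
    """Reasons the sender of one RFC 822 message is suspicious (empty = clean)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    first = name.split()[0].lower() if name.strip() else ""
    reasons = []

    # 1. Display name of a known colleague attached to a different address.
    expected = KNOWN.get(first)
    if expected and addr != expected:
        reasons.append(f"display name '{name}' but address {addr} (expected {expected})")

    # 2. Company domain with a local part nobody in the directory uses (an alias).
    local, _, domain = addr.partition("@")
    if domain == COMPANY_DOMAIN and addr not in KNOWN.values():
        reasons.append(f"unknown local part '{local}' on company domain")

    # 3. Replies silently routed somewhere other than the visible sender.
    reply = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply and reply != addr:
        reasons.append(f"Reply-To {reply} differs from From {addr}")
    return reasons


# Constructed messages (only the headers matter; bodies are placeholders).
MAILBOX = [
    "From: Alison <alison@m57.biz>\nTo: jean@m57.biz\nSubject: weekly meeting\n\nSee you Friday.\n",
    "From: Alison <alex@m57.biz>\nTo: jean@m57.biz\nSubject: spreadsheet\n\nSend me the salary sheet.\n",
    "From: Alison <alison@m57.biz>\nReply-To: drop@example.net\nTo: jean@m57.biz\nSubject: urgent\n\nReply asap.\n",
]


def triage_mailbox(mailbox=MAILBOX):
    """(subject, reasons) for every message, so the examiner can sort by hits."""
    out = []
    for raw in mailbox:
        msg = message_from_string(raw)
        out.append((msg.get("Subject", ""), sender_findings(raw)))
    return out


if __name__ == "__main__":
    for subject, reasons in triage_mailbox():
        print(subject, "->", reasons or "clean")
```

The check is deliberately header-only: it needs no mail server access and runs over whatever the image yields (a PST export, .eml files, Autopsy's email artifacts). Its weakness is the directory: an alias that is added to the company directory, or a display name that is not a first name, needs a richer KNOWN table than the one assumed here.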

M57.biz has poor Internet usage policies. Employees frequented numerous websites (with clickbait-style ads) via suspect public WiFi hotspots, making them an easy target. The CFO was inundated with emails from the spoofer, which added to her acceptance of the alias email address as legitimate.

Recommendations
Based on the available evidence, sensitive M57.biz information was sent from the company CFO's email account at what she believed to be the direction of the company president. The president's email account was spoofed, making the CFO the victim of a well-crafted attack. The attack was possible due to poor network management and weak cyber policies.

It is recommended that no punitive action be taken against the CFO. To avoid future occurrences, it is recommended that M57.biz strengthen its cyber/network security policies and (if still a viable company) establish a brick-and-mortar presence so that employees can conduct more business on site and less out in town over unsecured WiFi.

Review Stage

Every forensic examination presents learning opportunities, not only for the client but for the investigator as well. Poor training and weak Internet usage policies, coupled with heavy reliance on unsecured WiFi hotspots, exposed M57.biz to a spoofing attack that resulted in the theft of sensitive company information. Once these deficiencies are corrected, M57.biz can look forward to a more secure and private future.

Conclusion
Computer forensics plays an ever greater role in cyber security. Being able to collect and analyze data in a manner that is admissible in a court of law is vitally important for convicting bad actors and preventing future occurrences.

References

Boniface. (2017, November 12). Processes/Stages in Computer Forensics. Retrieved from https://www.kenyaplex.com/resources/13755-processes-stages-in-computer-forensics.aspx

Forensics Control. (2018). Introduction to Computer Forensics. Retrieved 06 December 2018 from https://forensiccontrol.com/resources/beginners-guide-computer-forensics/

National Institute of Justice. (2004, April). Forensic Examination of Digital Evidence: A Guide for Law Enforcement (NCJ 199408). Retrieved from https://www.ncjrs.gov/pdffiles1/nij/199408.pdf

Strickland, J. How Computer Forensics Works. Retrieved 06 December 2018 from https://computer.howstuffworks.com/computer-forensic2.htm

Yusoff, Y., Ismail, R. and Hassan, A. (2011). Common Phases of Computer Forensics Investigation Models. International Journal of Computer Science & Information Technology (IJCSIT), Vol 3, No 3, 17-30.

