Running Header: Expert Witness Testimony Digital Forensics Investigation 1

Micah Geertson
CSOL 590
12/08/2018

Expert Witness Testimony


Digital Forensics Investigation
Table of Contents
Table of Figures
Abstract
Investigation Overview
About the Forensics Investigator
Affected Company’s Information
Investigation Background
Scope of Investigation
Tools Used to Conduct Analysis
Investigation Timeline of Events
Investigative Recap
Analysis of Results
Table of Figures
Figure 1 – Verifying Image Integrity
Figure 2 – Locating M57Plan.xls
Figure 3 – Verifying File’s Contents
Figure 4 – Inspecting File Attributes
Figure 5 – Locating the Original Email Between Jean and Alison
Figure 6 – Email Address Anomaly
Abstract
On November 20, 2018, the start-up web design company M57 experienced a confidential data disclosure when an internal document containing the names of its employees, their job titles, salaries and Social Security Numbers was posted on a competing company’s web forum. ACME Forensics was contracted to conduct a thorough digital forensics analysis of the workstation of the company’s Chief Financial Officer, Jean Jones. Utilizing the Autopsy Digital Forensics Platform Version 4.9.1, ACME Forensics lead analyst Micah Geertson was able to uncover a phishing attack that resulted in Jean Jones being deceived into sending the confidential document to someone she believed to be Alison Smith, President of M57. Through thorough analysis of Jean’s computer and her email communications, all findings point to nothing more than a user’s technological naivety. Had Jean inspected or questioned the email address contained within the request for the document, she could easily have discovered that there was an anomaly in the correspondence. Unfortunately, this was not the case and the confidential document was sent to a malicious third party. However, it is my opinion that Jean Jones should not be convicted of any intentional wrongdoing in the matter of this case.


Investigation Overview
Case Number: #123123
Investigator: Geertson, Micah D.
Date: 12/08/2018

Case Number: #123123

Subject: Expert Testimony In Regards To Digital Forensics Examination

Offense: Confidential Documentation Exfiltration/Disclosure

Accused: Jean Jones

Requestor: M57.biz on behalf of Jensen & Filmore Financial Holdings

Forensics Investigator: Geertson, Micah D.

Date of Request: 11/27/2018

Date of Conclusion: 12/08/2018


About the Forensics Investigator

I, Micah D. Geertson, am currently employed by ACME Forensics as a Senior Technical Advisor and Digital Forensics Analyst. I have accrued over 10 years of experience working in the digital forensics realm and have written several published white papers for the SANS Institute on collection and investigative techniques regarding digital evidence collection and analysis.

Affected Company’s Information

M57 is an online start-up e-commerce website which caters to the body art industry. The company’s staff currently consists of nine (9) individuals: Alison Smith (President), Jean Jones (Chief Financial Officer), Bob Blackman, Carol Canfred, David Daubert and Emmy Arllington (Programmers), Gina Tangers and Harris Jenkins (Marketing) and Indy Counterching (Business Development). Additionally, a security contractor by the name of Jay Doe was hired to conduct the initial digital forensics collection. M57 resides entirely in the virtual domain, with no physical storefront or premises to house the staff. As such, employees are required to utilize resources (such as internet access) from home or wherever they are publicly available. According to employee interviews, it is normal procedure to conduct conversations and exchange documents via email.
Investigation Background
On 11/20/2018, M57 experienced a disclosure of confidential information when a business document entitled “m57plan.xls” surfaced on a competitor’s web forum. According to investigative interviews with Alison Smith and Jean Jones conducted on 11/28/2018, prior to the disclosure the only known copy of “m57plan.xls” had been created by Jean Jones at Alison Smith’s request and existed solely on Jean’s workstation. This confidential document contained the names of M57 employees, their positions within the company, annual salaries and Social Security Numbers (SSNs).

Scope of Investigation

Per M57.biz’s request on behalf of Jensen & Filmore Financial Holdings, ACME Forensics was to conduct a static analysis of an image taken of Jean Jones’ workstation, following the Scientific Working Group on Digital Evidence (SWGDE) documents entitled SWGDE Best Practices for Computer Forensics and SWGDE/SWGIT Guidelines & Recommendations for Training in Digital & Multimedia Evidence. The investigation was given unrestricted access to attempt any method or technique necessary to determine the root cause of the data exfiltration. Should ACME Forensics encounter any password-protected or encrypted files, directories or disk sectors, password-recovery techniques, including brute-force and rainbow-table attacks, were authorized.
Tools Used to Conduct Analysis

The tool of choice for static analysis of the imaged disk is the Autopsy Digital Forensics Platform (Version 4.9.1). It is an open-source application released as a GUI to The Sleuth Kit, a forensics toolkit (Sleuthkit.com, 2018). Through use of this tool, it was possible to extract and review user file creations, file access and deletion dates, browsing history and email correspondence. All of the retrieved data is indexed and searchable (which proved invaluable in recovering the confidential document in question).

No further tools were utilized during this investigation.

Investigation Timeline of Events

The investigation began with a traditional interview of the involved parties, as suggested by the U.S. Department of Justice document Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors. Examples of the questions asked were as follows:

• Who may be responsible for the incident?

• What is the impact on the business?

• When did the incident first occur?

• What actions have been taken to identify, collect, preserve, or analyze the data and the devices involved?

• What is the chronology of the access to or changes in data?


As the prosecution will have presented the answers to similar questions, this testimony will focus on the final two questions. When interviewing Jay Doe, the security contractor at M57 who was hired to conduct the initial evidence collection (including disk imaging), he was asked how the initial disk image was taken and preserved:

“When taking the initial image, as Ms. Jones’ workstation had been powered off, I physically removed the hard drive from the machine. I then connected it to my WiebeTECH Forensic Ultradock V5 to obtain a bit-by-bit image using the Belkasoft Acquisition Tool. The image was encoded as an EnCase .E01 file and the end result produced a SHA-1 and MD5* hash for integrity verification purposes.”

Mr. Doe provided a link to a walkthrough document created by the Digital Forensics Corporation on how to take a valid disk image without disrupting the original data (Mikhaylov, 2018; https://www.digitalforensics.com/blog/how-to-make-the-forensic-image-of-the-hard-drive/). Upon completing a Chain of Custody report, the disk and image were transferred to the possession of ACME Forensics for analysis. A second hash** of the disk image was computed to ensure validity and data integrity (Hagy, National Institute of Justice 2007).

* Provided MD5 hash: 78a52b5bac78f4e711607707ac0e3f93

** Verified hash: 78a52b5bac78f4e711607707ac0e3f93
To see the timeline of events in full, please refer to the slideshow presentation that accompanies this document.

Investigative Recap

Opening the EnCase .E01 file entitled “nps-2008-jean.E01,” we see the calculated MD5 hash, which allows us to verify that the integrity of the image remains intact (Figure 1).

Figure 1 – Verifying Image Integrity
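The integrity check described in the timeline (the acquisition hash recorded by Mr. Doe, the second hash computed by ACME Forensics on receipt) and shown by Autopsy in Figure 1 reduces to recomputing the digests over the evidence and comparing them with the values on the chain-of-custody form. The Python script below is an added example; it is not part of the original report and not Autopsy's own code. It assumes a raw image file: the hash stored inside an EnCase .E01 container, which is what Autopsy compares against in Figure 1, is the hash of the acquired drive contents, not of the .E01 file on disk, so running md5sum over the .E01 file itself would produce a different value. The sample evidence bytes and the "recorded" digests are constructed for the demonstration; the report's real hash value is not used.

```python
"""Verify a forensic image against the digests recorded at acquisition.

Added example, not part of the original report or of Autopsy. The evidence
bytes and the "recorded" digests below are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile


def hash_file(path, algorithms=("md5", "sha1"), chunk_size=1024 * 1024):
    """Return {algorithm: hex digest} for a file, read in fixed-size chunks so
    a multi-gigabyte image never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """Compare freshly computed digests with those on the evidence form.

    `recorded` maps algorithm name -> hex digest as written at acquisition.
    Returns (all_match, computed, per_algorithm) so a report can show every
    digest, not just a yes/no.
    """
    computed = hash_file(path, algorithms=tuple(recorded))
    per_algorithm = {}
    for name, expected in recorded.items():
        # Tolerate the case/whitespace differences that come from copying a
        # value off a form; compare_digest avoids a short-circuit comparison.
        expected = expected.strip().lower()
        per_algorithm[name] = hmac.compare_digest(computed[name], expected)
    return all(per_algorithm.values()), computed, per_algorithm


def write_sample(data):
    """Write constructed evidence bytes to a temp file and return its path."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        return tmp.name


def demo():
    """Constructed walkthrough: verify an intact copy, then a copy with one
    byte altered, and return both outcomes."""
    sample = b"M57 constructed evidence bytes\n" * 4096
    recorded = {"md5": hashlib.md5(sample).hexdigest(),
                "sha1": hashlib.sha1(sample).hexdigest()}
    path = write_sample(sample)
    try:
        intact_ok, _, intact_report = verify_image(path, recorded)
        with open(path, "r+b") as fh:   # flip one byte in place
            fh.seek(0)
            fh.write(b"X")
        tampered_ok, _, tampered_report = verify_image(path, recorded)
    finally:
        os.unlink(path)
    return intact_ok, intact_report, tampered_ok, tampered_report


if __name__ == "__main__":
    print(demo())
```

Every recorded digest is checked rather than stopping at the first, so a form that lists both MD5 and SHA-1 gets both verified, and a single altered byte anywhere in the image flips both results to False. The chunked read keeps memory flat for images far larger than RAM.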


Upon loading the entire disk image, I attempted to locate the confidential file in question, “m57plan.xls”, utilizing the built-in index search capabilities included with Autopsy 4.9.1 (Figure 2).
Figure 2 – Locating M57Plan.xls

The search returns multiple results (Figure 2). The file is then opened to verify its contents (Figure 3) and its attributes are inspected (Figure 4) before continuing the investigation.

Figure 3 – Verifying File’s Contents


Figure 4 – Inspecting File Attributes

Figure 5 – Locating the Original Email Between Jean and Alison


Further investigation into the original email chain between Jean and Alison (Figure 5) reveals an anomaly between Alison’s email address and the actual address that Jean was responding to (Figure 6). Inspecting the email’s header attributes reveals that replies to the email were being directed to a different address, tuckgorge@gmail.com. When Alison and Jean were questioned as to whom this address might belong, both claimed never to have seen or corresponded with it before.

Figure 6 – Email Address Anomaly


Analysis of Results
Based on the email communication chain, it was apparent that Jean Jones was under the assumption that she was communicating with Alison Smith and was simply complying with what she thought her boss wanted. According to the State of the Phish report for 2018, nearly 76% of organizations worldwide experienced phishing attacks in 2017 (Bisson, 2018). It is my expert opinion that the only thing for which Ms. Jones can be faulted is her technological naivety. Had M57 incorporated an adequate cyber awareness program, this data exfiltration and disclosure could easily have been avoided.


References

Bisson, D. (2018, January 25). Report: 76% of Organizations Experienced Phishing Attacks in 2017. Retrieved December 9, 2018, from https://www.tripwire.com/state-of-security/security-data-protection/three-quarters-organizations-experienced-phishing-attacks-2017-report-uncovers/

Garnett, B. (2010, August 25). SANS Digital Forensics and Incident Response Blog. Retrieved December 9, 2018, from https://digital-forensics.sans.org/blog/2010/08/25/intro-report-writing-digital-forensics/

Hagy, D. W. (2007). Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors. National Institute of Justice. Retrieved December 9, 2018, from https://www.ncjrs.gov/pdffiles1/nij/211314.pdf

Hart, S. V. (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. National Institute of Justice. Retrieved December 9, 2018.

Mikhaylov, I. (2018, April 06). How to Make the Forensic Image of the Hard Drive. Retrieved December 9, 2018, from https://www.digitalforensics.com/blog/how-to-make-the-forensic-image-of-the-hard-drive/

SWGDE. (2010, January 15). SWGDE/SWGIT Guidelines & Recommendations for Training in Digital & Multimedia Evidence. Retrieved December 9, 2018, from https://www.swgde.org/pdf/Current Documents/1e17485a-df78-380d-9aa4-b649a05ebf47.pdf

SWGDE. (2014, September 5). SWGDE Best Practices for Computer Forensics. Retrieved December 9, 2018, from https://www.swgde.org/documents/Current Documents/SWGDE Best Practices for Computer Forensics

Wright, C. (2009, May 11). SANS Digital Forensics and Incident Response Blog. Retrieved December 9, 2018, from https://digital-forensics.sans.org/blog/2009/05/11/a-step-by-step-introduction-to-using-the-autopsy-forensic-browser
