Micah Geertson
CSOL 590
12/08/2018
Table of Contents
Table of Figures ... 3
Abstract ... 4
Investigation Overview ... 5
About the Forensics Investigator ... 6
Affected Company’s Information ... 6
Investigation Background ... 7
Scope of Investigation ... 7
Tools Used to Conduct Analysis ... 8
Investigation Timeline of Events ... 8
Investigative Recap ... 10
Analysis of Results ... 14
Expert Witness Testimony 3
Table of Figures
Figure 1 – Verifying Image Integrity ... 10
Figure 2 – Locating M57Plan.xls ... 11
Figure 3 – Verifying File’s Contents ... 11
Figure 4 – Inspecting File Attributes ... 12
Figure 5 – Locating the Original Email Between Jean and Allison ... 12
Figure 6 – Email Address Anomaly ... 13
Abstract
On November 20, 2018, the start-up web design company M57 experienced a confidential
data disclosure when an internal document containing the names of its employees, their job titles,
salaries and Social Security Numbers was posted on a competing company’s web forum.
ACME Forensics was contracted to conduct a thorough digital forensics analysis of the
workstation of the company’s Chief Financial Officer, Jean Jones. Utilizing the Autopsy Digital
Forensics Platform Version 4.9.1, ACME Forensics’ lead analyst, Micah Geertson, was able to
uncover a phishing attack that resulted in Jean Jones being deceived into sending the confidential
document to a person she believed to be Allison Smith, President of M57. Through thorough
analysis of Jean’s computer and her email communications, all findings point to nothing more
than a user’s technological naivety. Had Jean inspected or questioned the email address that was
contained within the request for the document, she could have easily discovered that there was an
anomaly in the correspondence. Unfortunately, this was not the case and the confidential
document was sent to a malicious third party. However, it is my opinion that Jean Jones should
Investigation Overview
Case Number: #123123
Investigator: Geertson, Micah D.
Date: 12/08/2018
Advisor and Digital Forensics Analyst. I have accrued over 10 years working in the Digital
Forensics realm and have written several published white papers for the SANS Institute on
collection and investigative techniques with regard to digital evidence collection and analysis.
company’s staff currently consists of nine (9) individuals: Allison Smith (President), Jean Jones
(Chief Financial Officer), Bob Blackman, Carol Canfred, David Daubert, Emmy Arllington
(Programmers), Gina Tangers, Harris Jenkins (Marketing) and Indy Counterching (Business
Development). Additionally, a security contractor by the name of Jay Doe was hired to conduct
the initial digital forensics collection. M57 operates entirely online, with no
physical storefront or office to house the staff. As such, employees are required to
use resources (such as internet access) from home or wherever they are publicly available. According to
email.
Investigation Background
On 11/20/2018, M57 experienced a disclosure of confidential information when a
investigative interviews with Allison Smith and Jean Jones conducted on 11/28/2018, prior to the
information disclosure, the only known copy of “m57plan.xls” was created by Jean Jones, per
Allison Smith’s request, and existed solely on her workstation. This confidential document
contained the names of M57 employees, their position within the company, annual salaries, and
Scope of Investigation
Per M57.biz’s request on behalf of Jensen & Filmore Financial Holdings, ACME
Forensics was to conduct a static analysis of an image taken of Jean Jones’ workstation, following
the Scientific Working Group on Digital Evidence (SWGDE) documents entitled SWGDE Best
Practices for Computer Forensics and SWGDE/SWGIT Guidelines & Recommendations for
Training in Digital & Multimedia Evidence. The investigation was given unrestricted authority to
attempt any method or technique necessary to determine the root cause of the data exfiltration.
Should ACME Forensics encounter any password-protected or encrypted files, directories or disk
sectors, decryption techniques including brute-force and rainbow-table cracking were
authorized.
The tool of choice for conducting static analysis of the imaged disk is the Autopsy
Digital Forensics Platform (Version 4.9.1). It is an open-source application released as a graphical
front end to The Sleuth Kit, a forensics toolkit (Sleuthkit.com, 2018). Through use of this
tool, it was possible to extract and review file creation, access and deletion timestamps,
browsing history and email correspondence. All of the retrieved data is indexed and searchable
The investigation began with a traditional interview of the involved parties as suggested by
the U.S. Department of Justice document Digital Evidence in the Courtroom: A Guide for Law
• What actions have been taken to identify, collect, preserve, or analyze the data and the
devices involved?
on the final two questions. When interviewing Jay Doe, a security contractor at M57 who was
hired to conduct the initial evidence collection (to include disk imaging), he was asked how the
“When taking the initial image, as Ms. Jones’ workstation had been powered off, I physically
removed the hard drive from the machine. I then connected it to my WiebeTECH Forensic
Ultradock V5 to obtain a bit-by-bit image using the Belkasoft Acquisition Tool. The image was
encoded as an ENCASE .E01 file and the end result produced a SHA-1 and MD5* hash for
Mr. Doe provided a link to a walkthrough document1 created by the Digital Forensics
Corporation on how to take a valid disk image without disrupting the original data. Upon
completing a Chain of Custody report, the disk and image were transferred to the possession of
ACME Forensics for analysis. A second hash** of the disk image was conducted to ensure
To see the timeline of events in full, please refer to the slideshow presentation that accompanies
this document.
Investigative Recap
Opening the ENCASE .E01 file entitled “nps-2008-jean.E01” displays the
calculated MD5 hash, which allows us to verify that the integrity of the image remains intact (Figure
1).
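The integrity check that Figure 1 depicts, and the “second hash” of the disk image mentioned in the timeline, amount to re-hashing the evidence file and comparing the result with the digests recorded at acquisition. The following Python script is an added example written for this page; it is not part of the original report and does not use Autopsy or the actual nps-2008-jean.E01 image. It hashes a constructed stand-in file with both MD5 and SHA-1 in one pass (the two algorithms the acquisition tool reported), compares against the acquisition values, and then shows that a single flipped byte is detected by both digests. The file name and the sample bytes are placeholders.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read in 1 MiB chunks so multi-gigabyte images never sit in memory


def hash_image(path):
    """Return (md5_hex, sha1_hex) for the file at `path`, computed in a single read pass."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(path, acquisition_md5, acquisition_sha1):
    """Re-hash the image and compare with the digests recorded at acquisition.

    Returns a dict with both fresh digests and a per-algorithm match flag so the result
    can be copied into the chain-of-custody record. Comparison is case-insensitive; a
    mismatch on either algorithm means the image can no longer be relied on as evidence.
    """
    md5_now, sha1_now = hash_image(path)
    md5_ok = md5_now == acquisition_md5.lower()
    sha1_ok = sha1_now == acquisition_sha1.lower()
    return {
        "md5": md5_now,
        "sha1": sha1_now,
        "md5_match": md5_ok,
        "sha1_match": sha1_ok,
        "intact": md5_ok and sha1_ok,
    }


def demo():
    """Constructed demonstration: hash a fake image at 'acquisition', verify it unchanged,
    then flip one byte in the middle and verify again. Returns (intact, tampered) results."""
    fake_image = bytes(range(256)) * 4096  # constructed 1 MiB stand-in for an .E01 file
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample-image.E01")  # placeholder name, not real evidence
        with open(path, "wb") as fh:
            fh.write(fake_image)
        acq_md5, acq_sha1 = hash_image(path)  # what the acquisition tool would have recorded
        intact = verify_image(path, acq_md5, acq_sha1)
        # Simulate corruption or tampering: overwrite one byte at the midpoint.
        # The constructed data holds 0x00 at that offset, so 0xff is a real change.
        with open(path, "r+b") as fh:
            fh.seek(len(fake_image) // 2)
            fh.write(b"\xff")
        tampered = verify_image(path, acq_md5, acq_sha1)
    return intact, tampered


if __name__ == "__main__":
    before, after = demo()
    print("unchanged image intact:", before["intact"])
    print("tampered image intact:", after["intact"])
```

Recording both digests matters because MD5 alone is no longer collision-resistant; carrying SHA-1 (or a SHA-2 digest) alongside it lets the chain-of-custody record stand even if one algorithm is later challenged.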
“m57plan.xls” utilizing the built-in index search capabilities included with Autopsy 4.9.1
(Figure 2).
opened to verify the contents before continuing the investigation (Figures 4-5).
Further investigation into the original email chain between Jean and Allison reveals a
discrepancy between Allison’s actual email address and the email address that Jean was
in fact responding to (Figure 6). Inspecting the email’s header attributes reveals that the email was
who this email may belong to, both claimed to have never seen nor corresponded with the email
address before.
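The anomaly shown in Figure 6 is a classic display-name deception: the sender name reads as a known colleague while the mailbox behind it does not match that colleague’s real address. The Python script below is an added example for this page, not part of the original report, and does not reproduce the actual headers from Jean’s mailbox. It parses a constructed RFC 5322 message with the standard library’s `email` package and flags three header-level discrepancies a reviewer would look for: a display name that belongs to a known person but sits on a different mailbox, a sender domain outside the company’s own domain (M57.biz is named in the report; the internal address list is assumed), and a Reply-To that diverts replies elsewhere. All addresses and the outside domain are invented placeholders (`.invalid` is a reserved top-level domain).

```python
from email import policy
from email.parser import BytesParser

# Assumed internal domain (named in the report as M57.biz) and a hypothetical directory of
# known-good addresses. In a real engagement this list comes from the mail administrator.
INTERNAL_DOMAIN = "m57.biz"
KNOWN_ADDRESSES = {
    "allison smith": "alison@m57.biz",  # hypothetical address, not taken from the report
}

# Constructed suspicious message: the display name reads as the president, but the mailbox
# and the Reply-To are on an outside lookalike domain.
SUSPICIOUS_EMAIL = b"""From: "Allison Smith" <alison.smith@m57-example.invalid>
Reply-To: replies@m57-example.invalid
To: jean@m57.biz
Subject: Re: salary plan
Date: Mon, 19 Nov 2018 10:05:00 -0800
Message-ID: <constructed-0001@m57-example.invalid>

Jean, please send me the spreadsheet with everyone's salary and SSN today.
"""

# Constructed legitimate message from the known internal address, for comparison.
LEGIT_EMAIL = b"""From: "Allison Smith" <alison@m57.biz>
To: jean@m57.biz
Subject: Re: salary plan
Date: Mon, 19 Nov 2018 09:40:00 -0800
Message-ID: <constructed-0002@m57.biz>

Jean, can you put the plan together this week?
"""


def check_sender(raw_bytes):
    """Parse one message and return header findings relevant to sender impersonation."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return {"error": "no parseable From header", "suspicious": True}
    sender = from_hdr.addresses[0]
    from_name = sender.display_name
    from_addr = sender.addr_spec.lower()
    reply_hdr = msg["Reply-To"]
    reply_to = [a.addr_spec.lower() for a in reply_hdr.addresses] if reply_hdr else []

    known = KNOWN_ADDRESSES.get(from_name.strip().lower())
    findings = {
        "from_name": from_name,
        "from_addr": from_addr,
        "reply_to": reply_to,
        # name matches a known person but the mailbox is not that person's address
        "display_name_mismatch": known is not None and known != from_addr,
        # mailbox is not on the company's own domain
        "external_domain": sender.domain.lower() != INTERNAL_DOMAIN,
        # replies would go somewhere other than the apparent sender
        "reply_to_mismatch": any(addr != from_addr for addr in reply_to),
    }
    findings["suspicious"] = (
        findings["display_name_mismatch"]
        or findings["external_domain"]
        or findings["reply_to_mismatch"]
    )
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("legitimate", LEGIT_EMAIL)):
        result = check_sender(raw)
        print(label, result["from_name"], result["from_addr"], "->", result["suspicious"])
```

The same checks map directly onto what a user can do by eye: expand the sender to see the full address rather than just the name, and notice when the domain after the `@` is not the company’s. Running this over an exported mailbox (for example, messages Autopsy extracts from a mail client) gives an examiner a quick first pass before reading headers one by one.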
Analysis of Results
Based on the email communication chain, it is apparent that Jean Jones believed she was
communicating with Allison Smith and was simply complying with
what she thought her boss wanted. According to the State of the Phish report for 2018, nearly 76%
that the only thing to fault Ms. Jones on is her technological naivety. Had M57 incorporated an
adequate cyber awareness program, this data exfiltration and disclosure could have easily been
References
Bisson, D. (2018, January 25). Report: 76% of Organizations Experienced Phishing Attacks in 2017. Retrieved December 9, 2018, from https://www.tripwire.com/state-of-security/security-data-protection/three-quarters-organizations-experienced-phishing-attacks-2017-report-uncovers/
Garnett, B. (2010, August 25). SANS Digital Forensics and Incident Response Blog. Retrieved December 9, 2018, from https://digital-forensics.sans.org/blog/2010/08/25/intro-report-writing-digital-forensics/
Hagy, D. W. (2007). Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors. Retrieved December 9, 2018, from https://www.ncjrs.gov/pdffiles1/nij/211314.pdf
Hart, S. V. (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. Retrieved December 9, 2018.
Mikhaylov, I. (2018, April 06). How to Make the Forensic Image of the Hard Drive. Retrieved December 9, 2018, from https://www.digitalforensics.com/blog/how-to-make-the-forensic-image-of-the-hard-drive/
SWGDE. (2010, January 15). Retrieved December 9, 2018, from https://www.swgde.org/pdf/Current Documents/1e17485a-df78-380d-9aa4-b649a05ebf47.pdf
SWGDE. (2014, September 5). SWGDE Best Practices for Computer Forensics. Retrieved December 9, 2018, from https://www.swgde.org/documents/Current Documents/SWGDE Best Practices for Computer Forensics
Wright, C. (2009, May 11). SANS Digital Forensics and Incident Response Blog. Retrieved December 9, 2018, from https://digital-forensics.sans.org/blog/2009/05/11/a-step-by-step-introduction-to-using-the-autopsy-forensic-browser