COMPUTER FORENSIC EXAMINATION REPORT

By: Henry Babcock, MS Cyber Security, University of San Diego
Professor Plunkett, CSOL 590
December 10, 2018

INVESTIGATOR: Alison, President, M57.biz
DIGITAL FORENSICS EXAMINER: Henry Babcock, Detective #1005318, Digital Forensics Expert, San Diego, California, (760) 828-2559
SUBJECT: Digital Forensics Examination Report
OFFENCE: Leaking private information
ACCUSED: Jean, Chief Financial Officer (CFO)
DATE OF REQUEST: December 4, 2018
DATE OF CONCLUSION: December 10, 2018


Table of Contents

Abstract
Background to the Case
Questions Asked Relevant to the Case
Search and Seizure and Transport of Evidence
Exhibits Submitted for Analysis
Further Questions Asked Relevant to the Case
Evidence to Search For
List of Criminal Offences
Emails Found of Evidentiary Value to the Case
Corporate Breach
Examination Details
Analysis Results
Legal Aspects
Recommendation
Conclusion
Generated Material
References


Abstract
This report details the processes involved in, and the results of, the M57.biz case. It covers the fifth step of the computer forensic examination process, the presentation stage: it addresses the questions asked, the chain of custody of the evidence, the evidence and findings, the legal issues, and closes with a recommendation.

Background to the Case
M57.biz is a hip web start-up that encountered a serious incident. A few weeks after the company's inception, an Excel spreadsheet was discovered in the comments section of a competitor's website. The spreadsheet contained personal information on all of the firm's staff, including social security numbers and salaries. Jean, the chief financial officer, was suspected of unlawfully releasing the private, personal information of her co-workers, of espionage, of sabotage, and of breaching the security and integrity of the company. Jean states that she has no idea how the spreadsheet left her computer and claims she was hacked. To conduct an effective and efficient investigation, I used Cain & Abel to test whether the account passwords of Jean and of her president, Alison, could be cracked easily, and Autopsy to examine a disk image of Jean's computer in depth. Based on my digital forensics experience, and because Jean sent the Excel document to Alison by email, I expected the important details to be found in her email.

Questions Asked Relevant to the Case
Further background checks were conducted on Jean. She and Alison were questioned in order to establish a legitimate basis for data acquisition. The following questions were put to them:

1. What information do you have that could be relevant to this case?
2. What do you think happened?
3. Do you believe you were hacked?


Search and Seizure and Transport of Evidence
A request was filed with the legal authorities to enter the M57.biz premises. A warrant was issued for the search and seizure of Jean's devices so that they could be analysed and serve as digital evidence to convict or exonerate her. Upon seizure of the devices, the acquired materials were carefully packaged, and a chain of custody was established by a non-affiliated third party to ensure the integrity of the evidence and provide an audit trail.

Exhibits Submitted for Analysis

Cons#   Exhibit description and model    Serial number
1.      Black and grey Lenovo laptop     CND8224RJN
2.      Silver Apple Wi-Fi iPhone        C39VK5GHJCL8

Further Questions Asked Relevant to the Case

4. Did anyone other than the accused have access to the computer, Exhibit 1 (serial CND8224RJN), before, during, or after Jean's possession of it?

Evidence to Search For
Based on the nature of the case and the allegations made against the accused (Jean), the analysis of the obtained evidence will search for data of probative value in two areas: (A) acquiring the files on the hard drive of the accused's computer, and (B) investigating the emails exchanged between the accused and her co-workers.

List of Criminal Offences
The criminal offences facing Jean are unlawfully releasing private, personal information, espionage, sabotage, and breaching the security and integrity of the company.


Emails Found of Evidentiary Value to the Case
The table below lists the most suspicious emails between Jean and her co-worker Alison. It gives the time stamp of each email, the sender and recipient, and a brief summary of the message.

Time Stamp        From and To                                                        Message
7/6/2008 12:25    Alison to Jean                                                     Please do not send links to me. I do not know if they are from a hacker.
7/6/2008 12:25    Alison to Jean                                                     Check this one out. Woman we turned down.
7/6/2008 22:25    Jean to Alison                                                     I thought you told me not to send links.
7/19/2008 16:39   Alison to Jean (different return path)                             Background checks
7/19/2008 18:22   Alison to Jean (same return path as the background checks email)   I need excel document as soon as possible
7/19/2008 18:28   Jean                                                               Jean creates the Excel document
7/19/2008 18:28   Jean to Alison                                                     Excel document sent

Corporate Breach
Jean was deemed to have committed a corporate breach, namely breach of her contractual obligation to maintain data integrity and company confidentiality.

Examination Details
I first used Cain & Abel because I had been given Jean's and Alison's account usernames and passwords and wanted to see, at the outset, whether either account's password was 'easy' to crack. Those results would let me narrow the investigation towards whoever was responsible and whoever had been lying to me in the interviews. I added both user accounts and then ran a dictionary attack against the NTLM (NT) hash of each account. I then used Autopsy to add the disk image of Jean's computer that I had been given. From there I was able to access all of her email correspondence and traced it back as far as I could in order to look for clues as to when she could have been hacked, or whether someone else had been hacked instead. I also used the timeline view within Autopsy to establish a time frame from when things started to look suspicious to when the email containing the Excel document was sent.

Analysis Results
The results are recorded in the screenshots captioned below.

Screenshot: results of the dictionary attack performed on Jean's user account.

Screenshot: results of the dictionary attack performed on Alison's user account.

Screenshot: the Autopsy timeline view at the time of the first suspicious email.

Screenshot: the Autopsy timeline view at the time the Excel document was first created.

Screenshot: the email in which "Alison" asks Jean for a background check document; the return path, however, is not Alison's but a different address, believed to belong to the hacker.

Screenshot: the email in which Alison asks "What's a sure thing?", since she was not the one who sent the request for the background checks; the return path of her message differs from that of the background checks email.

Screenshot: the email apparently sent by Alison to Jean. It does not appear to have actually come from Alison, as a mailto: [email protected] link is attached to the email and the return path matches that of the earlier background checks email, which is believed to be the hacker's return path.
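The check the screenshots above make by eye, as an added example that is not the report's own code and not part of Autopsy: parse each message's headers and flag any whose Return-Path or Reply-To domain differs from the From domain. The three messages are constructed to mirror the pattern in the evidence table; their addresses, subjects, dates and body text are invented, and the attacker's address is a placeholder, not the one found in the case.

```python
from email import message_from_string
from email.utils import parseaddr


def _build(headers, body):
    """Assemble a raw RFC 822 message from (name, value) header pairs."""
    return "\n".join(f"{k}: {v}" for k, v in headers) + "\n\n" + body + "\n"


# Constructed messages (not the M57.biz mailbox): the first is a normal message
# from Alison, the second and third carry a foreign envelope sender, and the
# third also steers replies to that sender.
SAMPLE_MESSAGES = [
    _build([("Return-Path", "<alison@m57.biz>"),
            ("From", "Alison <alison@m57.biz>"),
            ("To", "Jean <jean@m57.biz>"),
            ("Date", "Sun, 06 Jul 2008 12:25:00 -0700"),
            ("Subject", "Please do not send links")],
           "I do not know if they are from a hacker."),
    _build([("Return-Path", "<somebody@example.net>"),
            ("From", "Alison <alison@m57.biz>"),
            ("To", "Jean <jean@m57.biz>"),
            ("Date", "Sat, 19 Jul 2008 16:39:00 -0700"),
            ("Subject", "background checks")],
           "Can you run the background checks?"),
    _build([("Return-Path", "<somebody@example.net>"),
            ("From", "Alison <alison@m57.biz>"),
            ("Reply-To", "<somebody@example.net>"),
            ("To", "Jean <jean@m57.biz>"),
            ("Date", "Sat, 19 Jul 2008 18:22:00 -0700"),
            ("Subject", "need the excel document")],
           "I need the excel document as soon as possible."),
]


def _domain(msg, header):
    """Domain part of the address in `header`, or None if it is absent."""
    value = msg.get(header)
    if not value:
        return None
    _name, addr = parseaddr(value)
    return addr.rpartition("@")[2].lower() or None


def analyse(raw):
    """Compare the envelope/reply addresses against the visible From line."""
    msg = message_from_string(raw)
    from_dom = _domain(msg, "From")
    reasons = []
    for header in ("Return-Path", "Reply-To"):
        dom = _domain(msg, header)
        if dom and from_dom and dom != from_dom:
            reasons.append(f"{header} domain {dom} differs from From domain {from_dom}")
    return {
        "date": msg.get("Date"),
        "subject": msg.get("Subject"),
        "from": parseaddr(msg.get("From", ""))[1],
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "reasons": reasons,
    }


def flag_spoofed(raws):
    """Only the messages with at least one mismatch, in mailbox order."""
    return [r for r in map(analyse, raws) if r["reasons"]]


if __name__ == "__main__":
    for hit in flag_spoofed(SAMPLE_MESSAGES):
        print(hit["date"], "|", hit["subject"], "| envelope:", hit["return_path"],
              "|", "; ".join(hit["reasons"]))
```

Return-Path is written by the receiving mail server from the SMTP envelope sender, so it records where bounces go rather than what the From line claims. A mismatch is a strong lead, as it was here, but legitimate forwarders and mailing lists also rewrite it, and an attacker who controls their own sending server can make it match; the Received header chain and any SPF or DKIM results are the next things to read before treating a mismatch as proof.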

Legal Aspects
The legal aspects considered when handling the digital evidence were legal authority, constitutional law, and integrity of evidence. For legal authority, a forensic investigator must ensure that they have the legal authority, such as a search warrant or consent, to search through digital data. That is why, in this case, we obtained a warrant to search Jean's computer for any clues as to how she could have been hacked, or whether someone else had been hacked instead. Then there is constitutional law. While the U.S. Constitution provides the foundation for our legal system, the evolution of the Information Age has presented new challenges for its interpretation. Guarantees of free speech and free press apply in cyberspace as well as in traditional domains, but how they apply is often fact- and context-based (Nance, 2011). Forensic investigators must take care to have the proper authorizations and counsel when conducting investigations, so that they continue to honour people's rights, especially the right to privacy. The USA PATRIOT Act must also be considered when it comes to monitoring individuals and obtaining private information. Research in these areas is important, and a perspective that includes all three of the tightly coupled fields (digital forensics, procedural law, and cybercrime) is essential to move forward in this area. Lastly, there is integrity of evidence: technical issues combined with legal missteps can affect the admissibility of digital evidence. Admissible evidence must be properly collected and relevant to the case in order to be used in court, where a judge, jury, or tribunal may rely on it to decide the case (Infosec Institute, 2018). When performing a forensic investigation, you must ensure that the evidence is not altered, intentionally or otherwise, during or after acquisition. Through proper validation, such as recording cryptographic hashes of the acquired images and re-verifying them at each hand-over, organizations can demonstrate that the evidence has not been altered. For this case, that is why we employed a third party who kept an audit trail and preserved the chain of custody of the evidence.
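How the integrity of an acquired image is normally demonstrated, as an added example that is not the report's own procedure and not taken from any particular forensic tool: hash the image at acquisition, record the digests alongside the custody events, and re-verify the digests before and after analysis. The exhibit name, examiner name, custody entries and the throwaway file that stands in for the disk image are all constructed for this example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithms=("md5", "sha256"), chunk=1 << 20):
    """Stream the file through each digest once; images are too large to read whole."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def acquisition_record(path, exhibit, examiner):
    """Manifest created at acquisition time and handed over with the exhibit."""
    return {
        "exhibit": exhibit,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size": os.path.getsize(path),
        "hashes": hash_file(path),
        "custody": [],
    }


def transfer(record, from_person, to_person):
    """Append a custody event; the list is only ever appended to, never edited."""
    record["custody"].append({
        "at": datetime.now(timezone.utc).isoformat(),
        "from": from_person,
        "to": to_person,
    })
    return record


def verify(path, record):
    """True only if every digest recorded at acquisition still matches the file."""
    return hash_file(path, tuple(record["hashes"])) == record["hashes"]


def demo():
    """Constructed walk-through: a small temporary file stands in for the image of
    Exhibit 1. Returns (verified before tampering, verified after, manifest JSON)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "exhibit1.dd")
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"M57-demo-image" + b"\xff" * 4096)
        rec = acquisition_record(image, "Exhibit 1 (Lenovo laptop, CND8224RJN)", "H. Babcock")
        transfer(rec, "seizing officer", "third-party custodian")
        transfer(rec, "third-party custodian", "examiner")
        before = verify(image, rec)
        # A single changed byte anywhere in the image (for example from mounting
        # it read-write by mistake) is enough to break the match.
        with open(image, "r+b") as fh:
            fh.seek(4096)
            fh.write(b"m")
        after = verify(image, rec)
        return before, after, json.dumps(rec, indent=2)


if __name__ == "__main__":
    ok_before, ok_after, manifest = demo()
    print(manifest)
    print("verified before tampering:", ok_before, "| after:", ok_after)
```

Recording two digests guards against a tool that only supports one of them, and the custody list is what the audit trail the third party kept would look like in machine-readable form. Analysis belongs on a working copy, or through a write blocker, so that the original's digests never change from the moment of acquisition.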

Recommendation

Moving forward, I believe that M57.biz should hold regular cyber security awareness training sessions and bring in a cyber security expert to brief staff on new threats they should be aware of. Since the company is a virtual company, this could simply be a group conference call in which the expert reminds everybody of the importance of staying safe online, what to watch out for, and what is currently in the news. I would also recommend that M57.biz staff do their work at home on their own private network and, if they choose to work from a coffee shop or hotel, use a personal hotspot for internet access rather than the venue's open Wi-Fi, which reduces their exposure to attacks on untrusted networks. M57.biz should also add to its policies that passwords for email and file-sharing accounts be updated regularly, for example quarterly, to limit the window in which a cracked password remains useful to an attacker. They should also install anti-virus/anti-malware software that detects phishing emails, viruses and ransomware. In addition, sensitive M57.biz files should be encrypted, so that even if a private file is sent to an attacker it cannot simply be published without first being decrypted. With these steps in place, I believe that M57.biz will be able to build a stronger defence and prevent similar attacks in the near future.

Conclusion
In conclusion, I believe that Jean is not guilty, and that Alison was the one who was hacked, by clicking a link in a phishing email that Jean sent her. This is consistent with their interview answers: Jean received an email from Alison's hacker, posing as Alison, asking her to create the Excel document and send it, and Jean created and sent the document without looking at the return path of the message. It would also explain why Alison believes she never asked for this information and never sent Jean an email asking her to create an Excel document: because she had been hacked, she did not know that the hacker was sending emails to Jean while posing as her. In the end, neither Jean nor Alison knowingly sent this private information to the firm's competitor, but Alison is the one whose account was compromised.

Generated Material

• Evidence found on Exhibits
• Table of Emails found of evidentiary value to the case

References

Infosec Institute. (2018). Computer forensics: Digital evidence: What ethical issues need to be considered when evaluating digital evidence. Retrieved December 9, 2018, from https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-study/legal-and-ethical-principles/digital-evidence/#gref

Nance, K. (2011). Legal aspects of digital forensics: A research agenda. Retrieved December 9, 2018, from https://www.computer.org/csdl/proceedings/hicss/2011/9618/00/05719007.pdf