Background
M57, an e-commerce startup located in Torenation, USA, has contracted ACT Forensic Services (ACT) to perform
a digital forensic investigation to determine how sensitive employee data left the sole possession of the authorized
M57 custodians. Employee first and last names, social security numbers, and salaries were posted to an online forum
belonging to one of M57's competitors. A copy of the file posted to
Project Profile:
Objective: Determine how M57 employee PII, including SSNs, left the company.
Forensic Subject: Forensic image of the PC used by the M57 CFO (jean-13fbf038a3).
Using the forensic image provided, ACT will attempt to answer the questions posed by M57 (listed under
M57 Questions below).
ACT takes the legalities of all digital forensic investigations very seriously and takes steps to ensure
compliance with all applicable laws and regulations. In this case, the owner of the forensic subject and of the data
it contains is our client. M57 has hired and authorized ACT to inspect the captured forensic data. ACT is therefore
reasonably assured that the owner of the system and data consented to the examination, and that the investigation
does not violate the Fourth Amendment of the US Bill of Rights, which protects against unreasonable search and seizure.
Furthermore, ACT has received express written consent from all involved parties (the M57 President and the
M57 CFO) absolving ACT of liability for any damages arising from the identification of other illicit content on
the subject and its subsequent disclosure to authorities. M57 and its users acknowledge that ACT is obligated to
alert Torenation PD if either of the following is discovered on the subject, outside the scope of this project:
• Child pornography
• Plans, plots, or anything suggesting intent to commit or support foreign or domestic terrorism
The forensic data analyzed by ACT was captured with FTK Imager, a free tool commonly used in the field.
FTK Imager creates a bit-for-bit forensic copy of the subject system's storage and records a hash of that copy, so
the image can be verified and then used for analysis and data recovery without touching the original evidence.
During the initial capture, a second copy was also made for record keeping and to verify that the subject data was
not modified in any way.
Forensic case management and analysis were performed using Autopsy, a free, open-source and widely
accepted tool, running on a Windows 10 system.
To provide assurance that data integrity was not compromised at any point in the investigation, ACT
verified the SHA256 hash of the forensic image at all significant points of the investigation using PowerShell
(Get-FileHash -Algorithm SHA256), with the image opened read-only, and compared each result with the hash
recorded at acquisition.
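The checkpoint verification described above, as an added illustration that is not part of ACT's report: a small Python routine (hashlib standing in for the PowerShell ACT used) re-hashes the image at each named checkpoint, compares the result with the acquisition hash and keeps a chain-of-custody log. The image it hashes is a constructed stand-in written to a temporary directory, not the jean-13fbf038a3 image, and the checkpoint labels are assumed.

```python
# Added example (not part of ACT's report): chain-of-custody hash log that
# re-hashes a forensic image at each checkpoint and compares it with the hash
# recorded at acquisition. hashlib stands in for the PowerShell used in the
# report; the image hashed below is a constructed stand-in, not the real one.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB pieces so multi-GB images fit in memory


def sha256_file(path):
    """SHA256 of a file, opened strictly read-only in binary mode."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLog:
    """Records (UTC timestamp, checkpoint label, observed hash, matches_acquisition)."""

    def __init__(self, image_path, acquisition_hash):
        self.image_path = image_path
        self.acquisition_hash = acquisition_hash.lower()
        self.entries = []

    def checkpoint(self, label):
        """Re-hash the image now and log whether it still matches acquisition."""
        observed = sha256_file(self.image_path)
        ok = observed == self.acquisition_hash
        self.entries.append((datetime.now(timezone.utc).isoformat(), label, observed, ok))
        return ok

    def intact(self):
        """True only if every checkpoint so far matched the acquisition hash."""
        return all(entry[3] for entry in self.entries)


def demo():
    """Walk a constructed image through three checkpoints; the last one follows a
    simulated single-byte modification and must fail verification."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "stand-in.raw")  # constructed, not the real image
        with open(image, "wb") as f:
            f.write(b"constructed image bytes\x00" * 4096)
        acquisition_hash = sha256_file(image)  # the value the imaging tool would record

        log = CustodyLog(image, acquisition_hash)
        results = [
            log.checkpoint("received from client"),   # assumed checkpoint label
            log.checkpoint("after Autopsy ingest"),   # assumed checkpoint label
        ]
        # Simulate an accidental modification of one byte of the image.
        with open(image, "r+b") as f:
            f.seek(100)
            original = f.read(1)
            f.seek(100)
            f.write(bytes([original[0] ^ 0xFF]))
        results.append(log.checkpoint("after simulated modification"))
        return results, log.intact()


if __name__ == "__main__":
    results, intact = demo()
    print("checkpoint results:", results)   # [True, True, False]
    print("image intact throughout:", intact)  # False
```

The log entries are what an examiner would attach to the report: any checkpoint whose observed hash differs from the acquisition hash marks the point from which the image can no longer be relied upon.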
Certainties
• The CFO's actions contributed to the data loss. There is no doubt that the CFO was phished and that the data
was sent to a phisher at tuckgorge@gmail.com. The attack tactic was simple: the attacker impersonated the
President and set the message's reply address so that the CFO's response went directly to an external email
address under the attacker's control.
Limitations
• The file posted to the internet cannot be forensically verified as the same file the CFO leaked, because no
hash of the file on the web forum is available.
ACT is therefore unable to conclusively state that the file created by the CFO on the system and leaked to the
attacker is the exact file that was posted. However, the files appear identical in data and format.
• There is not enough evidence to conclude that no other internal actors were involved.
The scope of our forensic data is limited to the CFO's system. Therefore, we cannot forensically conclude that
no other internal party colluded or conspired in the successful phishing attack on the CFO. That said, there is
no evidence to suggest that anyone else was involved.
Questions
Was the CFO the sole possessor of this data, or was it also stored elsewhere? If so, could that copy be the source of the leak?
Timeline
Using the tools noted above, ACT found evidence of confusion on the CFO's part about which email address
to use when writing to the President, which may have made her easier to phish. During this period, a spoofed
message purporting to come from the President and requesting employee details was sent to the CFO. The CFO did
not initially respond. The attacker followed up roughly 1 hour 43 minutes after the first message, and the CFO
provided the details approximately 5 minutes later. The format of this file is an exact match to the file provided
to ACT for investigative purposes. The first email inquiry from a concerned/impacted
• Sat, 19 Jul 2008 16:33:13 -0700 (PDT) – CFO receives confirmation from the President that alex@m57.biz is
the correct email address.
• Sat, 19 Jul 2008 16:39:57 -0700 (PDT) – First message from the attacker to the CFO, impersonating the President
and requesting M57 employee details.
• Sat, 19 Jul 2008 16:43:48 -0700 (PDT) – CFO receives email from the President correcting the previous
instruction: alison@m57.biz should be used.
• Sat, 19 Jul 2008 18:22:45 -0700 (PDT) – Second message from the attacker to the CFO requesting the M57
employee details with increased urgency.
• Sat, 19 Jul 2008 18:28:00 -0700 (PDT) – CFO's response containing the requested details is sent to the attacker.
  Note: the file sent is not identical to the file provided for investigation. The data and format appear
consistent, but the file name is different.
• Sat, 19 Jul 2008 18:28:03 -0700 (PDT) – File containing the employee details is created on the CFO's system.
• Sun, 20 Jul 2008 16:52:54 -0700 (PDT) – First email from an employee regarding their personal details
appearing online.
M57 Questions
M57 Question: When did Jean create this spreadsheet?
ACT Expert Opinion: Sat, 19 Jul 2008 18:28:03 -0700 (PDT)

M57 Question: How did it get from her computer to the competitor's website?
ACT Expert Opinion: Cannot be determined with the current evidence.

M57 Question: Who else from the company is involved?
ACT Expert Opinion: There is no evidence to indicate that anyone else is involved. However, to confidently say
that others were not involved requires additional evidence.
Recommendations
Perform Additional Data Discovery and Analysis
ACT recommends that additional evidence be obtained to answer the questions above. The President may have
• Inspect the President's system and the HR system access log to determine whether this happened.
• Cross-reference the headers of the messages contained in the .pst files against the mail system's own records
to verify that they agree, and to rule out evidence tampering.
• Review the President's system to verify that there was no collusion to intentionally confuse or frame the
CFO as the source of the data leak, and confirm that the file does not also exist on that system.
Implement Email Security Mechanisms
Regardless of the above, email security should be improved. Basic inbound filtering, for example flagging any
message whose From address claims the m57.biz domain but whose Reply-To points to an external address, would have
caught the spoofed message, and sender authentication for the m57.biz domain (SPF, DKIM and DMARC) would make it
far harder to forge the President's address in the first place.
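The redirection tactic described under Certainties, and the filtering rule recommended here, as an added example in Python that is not part of ACT's report: it parses a message with the standard library, works out where a reply would actually be delivered (Reply-To if present, otherwise From), and flags an internal-looking From paired with an external Reply-To. The two sample messages are constructed from the report's timeline; the CFO's address jean@m57.biz, the subjects and the bodies are assumptions, not content recovered from the image.

```python
# Added example (not part of ACT's report): flag messages whose From address
# claims the organisation's own domain while Reply-To would carry the answer
# outside it, the redirection tactic the report describes. The two messages
# below are constructed from the report's timeline; the CFO address
# jean@m57.biz, subjects and bodies are assumptions, not recovered content.
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "m57.biz"  # the company domain named in the report


def address_of(header_value):
    """Bare, lower-cased address from a header such as 'Alison <alison@m57.biz>'."""
    _, addr = parseaddr(str(header_value) if header_value else "")
    return addr.lower()


def domain_of(addr):
    return addr.rpartition("@")[2]


def reply_redirection_check(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Parse one RFC 5322 message and report where a reply would actually go.

    Flagged when From is (or claims to be) internal but an explicit Reply-To
    would send the answer to a different, external domain.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = address_of(msg["From"])
    reply_to = address_of(msg["Reply-To"])
    # Per RFC 5322, a reply goes to Reply-To when present, otherwise to From.
    effective = reply_to or sender
    suspicious = (
        domain_of(sender) == internal_domain
        and bool(reply_to)
        and domain_of(reply_to) != internal_domain
    )
    return {
        "date": str(msg["Date"]),
        "from": sender,
        "reply_target": effective,
        "suspicious": suspicious,
    }


# Constructed spoof modelled on the report's 16:39:57 message.
SPOOFED = """\
From: Alison <alison@m57.biz>
Reply-To: tuckgorge@gmail.com
To: jean@m57.biz
Date: Sat, 19 Jul 2008 16:39:57 -0700 (PDT)
Subject: employee details

Please send me the current employee list with salaries and SSNs.
"""

# Constructed legitimate message modelled on the 16:43:48 correction.
LEGITIMATE = """\
From: Alison <alison@m57.biz>
To: jean@m57.biz
Date: Sat, 19 Jul 2008 16:43:48 -0700 (PDT)
Subject: correct address

Use alison@m57.biz, not alex@m57.biz.
"""

if __name__ == "__main__":
    for raw in (SPOOFED, LEGITIMATE):
        print(reply_redirection_check(raw))
```

The same check applied to the .pst files recommended above would show, for each message the CFO answered, which address her reply actually went to; for the spoofed message that is tuckgorge@gmail.com even though the visible sender is the President.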
Employee Training
Finally, users must be educated about security risks. Users are both the primary control in email security and
its weakest link. Effective user discretion is imperative, and a formal education plan should be implemented and
Employees should understand that sending sensitive data unencrypted via email, as in the leaked file, is never a
good idea. If email must be used, encrypt the message (for example with PGP) or at least password-protect the file
and share the password through a separate channel.