
Forensic Project Overview

Background

M57, an E-Commerce startup located in Torenation, USA, has contracted ACT Forensic Services (ACT) to perform a digital forensic investigation to determine how sensitive employee data was breached from the sole possession of the authorized M57 custodians. Employee first and last names, social security numbers, and salaries were posted to the online forum belonging to one of their competitors. A copy of the file posted to the forum was provided by M57 for investigative purposes.

Project Profile:

Forensic Lead      Aaron Toren
Client             M57, Torenation, USA
Scope              M57 employee PII data loss
Objective          Determine how M57 employee PII, including SSN, left the company.
Forensic Subject   Forensic image of PC used by the M57 CFO (jean-13fbf038a3).
Limitations        Analysis of data contained on the provided forensic image may result in more unanswered questions. Subsequent forensic data may be necessary to provide conclusive results.

Client Questions

Using the forensic image provided, ACT will attempt to answer the following questions provided by M57.

• When did Jean create this spreadsheet?
• How did it get from her computer to the competitor's website?
• Who else from the company is involved?

The Investigative Process

Legal Considerations

ACT takes the legalities of all digital forensic investigations very seriously and takes steps to ensure compliance with all laws and regulations. In this case, the owner of the forensic subject and the data it contains is our client. M57 has hired and authorized ACT to inspect the captured forensic data. ACT is therefore reasonably assured that the owner of the system and data gave consent to discover forensic facts, and that ACT is not in violation of the 4th Amendment of the US Bill of Rights, which protects against unreasonable search and seizure.

Furthermore, ACT receives express written consent from all involved parties (M57 President and M57 CFO) absolving ACT from any liability related to any damages caused by our identification of other illicit content on the subject and its subsequent disclosure to authorities. M57 and users acknowledge that ACT is obligated to alert Torenation PD if content outside the scope of this project is discovered on the subject:

• Child pornography
• Plans, plots, or anything suggesting intent to commit or support foreign or domestic terrorism
• Plans, plots, or anything suggesting intent to harm self or another individual

Data Collection & Tools

The forensic data analyzed by ACT was captured with FTK Imager, a free tool commonly used in the field. FTK Imager creates an exact forensic copy of the subject system and stores it in a read-only format that can be used for analysis and data recovery purposes. During this initial capture, a second copy is also made for record keeping and for verification that the subject data was not modified in any way.

Forensic case management and analysis were performed using Autopsy, a free, open source and widely accepted tool, running on a Windows 10 system.

Data Integrity & Chain of Custody

To provide assurance that data integrity was not compromised at any point in the investigation, ACT verified the SHA256 hash of the forensic image at all significant points of the investigation using PowerShell and retained a chain of custody record for the file.

File               SHA256 value                                                      Event Note                                 Integrity Match
nps-2008-jean.E01  DF3A995C7A594E0BA6D95B9AAE735A444313FAE435A87E7536F9DAD3DB2769CE  Original Capture                           n/a
nps-2008-jean.E01  DF3A995C7A594E0BA6D95B9AAE735A444313FAE435A87E7536F9DAD3DB2769CE  Transference to ACT premises               TRUE
nps-2008-jean.E01  DF3A995C7A594E0BA6D95B9AAE735A444313FAE435A87E7536F9DAD3DB2769CE  Forensic Analysis Start - 3-December-2018  TRUE
nps-2008-jean.E01  DF3A995C7A594E0BA6D95B9AAE735A444313FAE435A87E7536F9DAD3DB2769CE  Forensic Analysis End - 4-December-2018    TRUE

At no point during the investigation was the data integrity breached. All tools used for forensic analysis were read only.
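The verification step described above can be scripted so that every handling event is hashed and logged the same way. The following is an added example, not ACT's own script (the report states only that PowerShell was used); it hashes the image in a streaming fashion, compares the result with the value recorded at original capture, and appends each comparison to a chain-of-custody record. The file name and reference hash are the ones in the table above; the event labels mirror its rows.

```python
"""Chain-of-custody hash verification for a forensic image.

Added example: reproduces the check ACT describes (the report itself used
PowerShell), using only Python's standard library.
"""
import hashlib
import sys
from dataclasses import dataclass, field

# File name and reference hash as recorded in the custody table above.
IMAGE_FILE = "nps-2008-jean.E01"
CAPTURE_SHA256 = ("DF3A995C7A594E0BA6D95B9AAE735A44"
                  "4313FAE435A87E7536F9DAD3DB2769CE")


def sha256_of_bytes(data: bytes) -> str:
    """Upper-case hex digest, the notation used in the custody table."""
    return hashlib.sha256(data).hexdigest().upper()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks; E01 images are far too large to read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:  # read-only: evidence is never opened for writing
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


@dataclass
class CustodyEvent:
    event: str
    sha256: str
    match: str  # "n/a" for the original capture, otherwise "TRUE" / "FALSE"


@dataclass
class CustodyChain:
    filename: str
    events: list = field(default_factory=list)

    def record(self, event: str, observed_sha256: str) -> str:
        """Append an event. Integrity is judged against the hash at original capture,
        not against the previous row, so a bad copy can never become the new baseline."""
        observed = observed_sha256.upper()
        if not self.events:
            verdict = "n/a"
        else:
            verdict = "TRUE" if observed == self.events[0].sha256 else "FALSE"
        self.events.append(CustodyEvent(event, observed, verdict))
        return verdict

    def intact(self) -> bool:
        """True only if every verification after capture matched."""
        return all(e.match in ("n/a", "TRUE") for e in self.events)

    def render(self) -> str:
        """Plain-text table in the same column order as the report."""
        lines = [f"{'File':<20}{'Event Note':<45}{'Integrity Match':<16}SHA256 value"]
        for e in self.events:
            lines.append(f"{self.filename:<20}{e.event:<45}{e.match:<16}{e.sha256}")
        return "\n".join(lines)


def verify_image(path: str, chain: CustodyChain, event: str) -> str:
    """Hash the image on disk and log the result as a new custody event."""
    return chain.record(event, sha256_of_file(path))


if __name__ == "__main__":
    chain = CustodyChain(IMAGE_FILE)
    chain.record("Original Capture", CAPTURE_SHA256)
    # Re-verify at each later handling step. Pass the image path on the command
    # line; with no argument the script only shows the recorded baseline.
    if len(sys.argv) > 1:
        verify_image(sys.argv[1], chain, "Transference to ACT premises")
    print(chain.render())
    print("integrity intact:", chain.intact())
```

Comparing every later hash with the capture baseline rather than with the previous row matters: if a copy were corrupted in transit and then re-hashed, a row-to-row comparison would quietly accept the corrupted copy as the new reference.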

Digital Forensic Investigation Results

Summary Findings

Certainties

• The CFO's actions contributed to data loss - There is no doubt that the CFO was phished, and data was leaked to a phisher at tuckgorge@gmail.com. The attack tactic was simple: the attacker impersonated the President and configured the message so that direct replies were sent to an alternate external email address.

Limitations

• The file posted to the internet cannot be forensically verified as the same file the CFO leaked, because no hash of the file on the web forum is available. ACT is unable to conclusively state that the file created by the CFO on the system and leaked to the attacker is the exact file. However, the files do appear to be identical in data and format.

• There is not enough evidence to conclude that other internal actors were not involved. The scope of our forensic data is limited to the CFO's system. Therefore, we are not able to forensically conclude that no other internal parties colluded or conspired in the successful phishing attack on the CFO. With that said, there is no evidence to suggest anyone else was involved.

Questions

Was the CFO the sole possessor of this data or was it stored somewhere? Could this be the source of the leak?

Timeline

Using the tools noted above, ACT was able to find evidence of confusion by the CFO about which email address to use for sending emails to the President, which could have contributed to the ease with which she was phished. During this time, a spoofed message was sent to the CFO pretending to be from the President and requesting employee details. The CFO did not initially respond. The attacker followed up 99 minutes after the first message. The CFO provided the details approximately 5 minutes later. The format of this file is an exact match to the file provided to ACT for investigative purposes. The first email inquiry from a concerned/impacted employee was received the following afternoon.

• Sat, 19 Jul 2008 16:33:13 -0700 (PDT) - CFO receives confirmation from President that alex@m57.biz is the correct email address.
• Sat, 19 Jul 2008 16:39:57 -0700 (PDT) - First message from attacker to CFO impersonating President, requesting M57 employee details.
• Sat, 19 Jul 2008 16:43:48 -0700 (PDT) - CFO receives email from President correcting previous instruction about email: alison@m57.biz should be used.
• Sat, 19 Jul 2008 18:22:45 -0700 (PDT) - Second message from attacker to CFO requesting M57 employee details with increased urgency.
• Sat, 19 Jul 2008 18:28:00 -0700 (PDT) - Response from CFO sending the requested details to the attacker. Note: the file sent is not the file provided for investigation. Data and format appear consistent, but the name is different.
• Sat, 19 Jul 2008 18:28:03 -0700 (PDT) - File containing employee details was created on the CFO's system.
• Sun, 20 Jul 2008 16:52:54 -0700 (PDT) - First email from employee regarding their personal details appearing online.
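A timeline like the one above is more reliable when the stamps are parsed and ordered by a script rather than by hand. The following Python is an added example, not part of ACT's report: it parses the RFC 2822 Date stamps listed above, normalizes them to UTC so they can be lined up with file-system timestamps taken from the image, and computes the interval between consecutive events. The event labels are shortened paraphrases of the bullets; the parser also tolerates the "Sat,19-Jul 2008" stamp variant that some mail exports produce.

```python
"""Ordered incident timeline from RFC 2822 Date stamps.

Added example (not part of ACT's report): normalizes the timestamps from the
timeline above, converts them to UTC so they line up with file-system times
from the image, and computes the interval between consecutive events.
"""
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Events transcribed from the report's timeline; labels are shortened.
EVENTS = [
    ("Sat, 19 Jul 2008 16:33:13 -0700 (PDT)", "President confirms alex@m57.biz"),
    ("Sat, 19 Jul 2008 16:39:57 -0700 (PDT)", "Attacker message 1 (impersonating President)"),
    ("Sat, 19 Jul 2008 16:43:48 -0700 (PDT)", "President corrects address to alison@m57.biz"),
    ("Sat, 19 Jul 2008 18:22:45 -0700 (PDT)", "Attacker message 2 (increased urgency)"),
    ("Sat,19-Jul 2008 18:28:00 -0700 (PDT)", "CFO replies with employee details"),
    ("Sat,19-Jul 2008 18:28:03 -0700 (PDT)", "Spreadsheet created on CFO system"),
    ("Sun, 20 Jul 2008 16:52:54 -0700 (PDT)", "First employee reports data online"),
]

# Some exports write "Sat,19-Jul 2008 ..." instead of "Sat, 19 Jul 2008 ...";
# email.utils cannot parse that form, so it is rewritten first.
_DAY_DASH = re.compile(r"^(\w{3}),\s*(\d{1,2})-(\w{3})\s+")


def parse_stamp(stamp: str):
    """Return an aware datetime for an RFC 2822 date, tolerating the dashed variant."""
    normalized = _DAY_DASH.sub(r"\1, \2 \3 ", stamp.strip())
    parsed = parsedate_to_datetime(normalized)
    if parsed.tzinfo is None:
        # A stamp without an offset cannot be placed on a UTC timeline; do not guess.
        raise ValueError(f"no timezone offset in {stamp!r}")
    return parsed


def gap_seconds(events, label_from: str, label_to: str) -> int:
    """Whole seconds between two labelled events."""
    when = {label: parse_stamp(stamp) for stamp, label in events}
    return int((when[label_to] - when[label_from]).total_seconds())


def build_timeline(events):
    """Sort events chronologically; each row is (utc_iso, seconds_since_previous, label)."""
    ordered = sorted((parse_stamp(stamp), label) for stamp, label in events)
    rows = []
    previous = None
    for when, label in ordered:
        delta = 0 if previous is None else int((when - previous).total_seconds())
        rows.append((when.astimezone(timezone.utc).isoformat(), delta, label))
        previous = when
    return rows


if __name__ == "__main__":
    for utc, delta, label in build_timeline(EVENTS):
        print(f"{utc}  +{delta:>6}s  {label}")
```

Normalizing to UTC is the step most often skipped: the E01 image's file-system times and the mail headers may carry different offsets, and a three-second ordering question like the reply at 18:28:00 versus the file creation at 18:28:03 cannot be settled unless both are in the same zone.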
M57 Questions

M57 Question                                               ACT Expert Opinion
When did Jean create this spreadsheet?                     Sat, 19 Jul 2008 18:28:03 -0700 (PDT)
How did it get from her computer to competitor's website?  Cannot be determined with current evidence.
Who else from the company is involved?                     There is no evidence to indicate anyone else is involved. However, to confidently say others weren't involved requires additional evidence.

Recommendations

Perform Additional Data Discovery and Analysis

ACT recommends that additional evidence be obtained to answer the questions above. The President may have had a part in framing the CFO or colluding with an attacker.

• Inspect the President's system and the HR system access log to determine if this happened.
• Cross-reference headers contained in .pst files to verify they align with the email system and rule out evidence tampering.
• Review the President's system to verify that there was no collusion to intentionally confuse or frame the CFO as the source of the data leak, and confirm the file does not also exist on that system.

Implement Email Security Mechanisms

Regardless of the above, email security should be improved. Basic filtering would block the spoofed message.
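The Certainties section describes the tactic precisely: a message that appeared to come from the President but steered replies to an external mailbox. The checks a basic filter needs for that pattern are shown below as an added example, not ACT's tooling and not a product configuration: a Reply-To outside the apparent sender's domain, an envelope sender that does not match a company From address, and an executive's name used as the display name on an outside address. The sample headers are constructed for illustration; only the m57.biz domain, alison@m57.biz and tuckgorge@gmail.com come from the report, and jean@m57.biz, the protected-name list and the example.com sender are placeholders.

```python
"""Gateway-style checks for the impersonation pattern described in the report.

Added example, not ACT's tooling. Sample headers are constructed; only
m57.biz, alison@m57.biz and tuckgorge@gmail.com appear in the report.
"""
from __future__ import annotations

import email
from email.utils import getaddresses, parseaddr

TRUSTED_DOMAIN = "m57.biz"
# Names worth protecting against display-name impersonation (constructed list).
PROTECTED_NAMES = {"alison", "alex", "president", "jean", "cfo"}


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def spoof_indicators(raw_message: str) -> list[str]:
    """Return indicator strings; an empty list means nothing suspicious was found."""
    msg = email.message_from_string(raw_message)
    findings: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Replies are steered to a different domain than the apparent sender.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if reply_addr and _domain(reply_addr) != from_domain:
            findings.append(f"reply-to-external:{reply_addr}")

    # 2. Company address in From, but the envelope sender is somewhere else.
    #    (A gateway would check SMTP MAIL FROM directly; Return-Path is its trace.)
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if from_domain == TRUSTED_DOMAIN and return_path and _domain(return_path) != TRUSTED_DOMAIN:
        findings.append(f"envelope-mismatch:{return_path}")

    # 3. An executive's name as display name on an address outside the company.
    if from_domain != TRUSTED_DOMAIN and any(
        name in from_name.lower() for name in PROTECTED_NAMES
    ):
        findings.append(f"display-name-impersonation:{from_addr}")

    return findings


def filter_decision(raw_message: str) -> str:
    """'quarantine' if any indicator fires, otherwise 'deliver'."""
    return "quarantine" if spoof_indicators(raw_message) else "deliver"


# Constructed samples modelled on the pattern the report describes.
SPOOFED_REQUEST = """\
From: "Alison" <alison@m57.biz>
Reply-To: tuckgorge@gmail.com
Return-Path: <tuckgorge@gmail.com>
To: jean@m57.biz
Date: Sat, 19 Jul 2008 16:39:57 -0700 (PDT)
Subject: Employee details

(body omitted)
"""

LEGIT_CORRECTION = """\
From: "Alison" <alison@m57.biz>
Return-Path: <alison@m57.biz>
To: jean@m57.biz
Date: Sat, 19 Jul 2008 16:43:48 -0700 (PDT)
Subject: Re: which address

(body omitted)
"""

LOOKALIKE_SENDER = """\
From: "Alison, M57 President" <placeholder.sender@example.com>
To: jean@m57.biz
Subject: Quick request

(body omitted)
"""

if __name__ == "__main__":
    for label, sample in [("spoofed", SPOOFED_REQUEST), ("legit", LEGIT_CORRECTION),
                          ("lookalike", LOOKALIKE_SENDER)]:
        print(f"{label:>9}: {filter_decision(sample):<10} {spoof_indicators(sample)}")
```

Rule 1 alone would have caught the message in this case. Rule 2 depends on the envelope sender, which a receiving gateway sees during SMTP but which a client-side export may only preserve as Return-Path; if that header is absent, as in the third sample, the rule simply does not fire, so it should be treated as an additional signal rather than the only one.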

Employee Training

Finally, users must be educated about security risks. Users are the primary control in email security and the weakest link. Effective user discretion is imperative, and a formal education plan should be implemented and monitored for effectiveness.

Employees should understand that sending sensitive data in an unencrypted format, like the leaked file, via email is never a good idea. If email is necessary, use PGP encryption and password-protected files.
