RUNNING HEAD: COMPUTER FORENSIC EXAMINATION REPORT: M57.

BIZ

COMPUTER FORENSIC
EXAMINATION REPORT

WAYNE FISCHER
DECEMBER 7, 2018
UNIVERSITY OF SAN DIEGO

CSOL 590 Fall 2018

Case: M57dotBIZ – Jean – Data exfiltration

Professor Ashton Mozano, J.D.

COMPUTER FORENSIC EXAMINATION REPORT: M57.BIZ
Table of Contents
Abstract ................................................................................................................................................................................... 2
Search and Seizure and Chain of Custody ........................................................................................................................... 3
Forensic Examination Details .............................................................................................................................................. 4
Artifacts Identified and Timeline of Events......................................................................................................................... 5
Timeline........................................................................................................................................................................... 5
Analysis Results ................................................................................................................................................................... 6
Examination Conclusion ...................................................................................................................................................... 6
References .............................................................................................................................................................................. 8

1
COMPUTER FORENSIC EXAMINATION REPORT: M57.BIZ

Abstract
This forensic examination report details the forensic examination in a case of spear phishing which was created

by Dr. Simson Garfinkel and outlined by the Infosec Institute (Infosec Institute, 2016). In this case, we are acting in the

role of a forensic analyst. We are given a forensic image file of a laptop hard disk and asked to determine whether an

employee leaked sensitive information. The employee, Jean, is the Chief Financial Officer of M57dotBIZ, a fictional web

start-up company specializing in cataloging body art.

Jean is suspected of leaking confidential information about the company but believes she was “hacked”. She

states that the CEO, Alison, requested a spreadsheet of social security numbers, names, and salaries and that is why she

has a spreadsheet “m57.xls” which contains the information which was posted to a competitor’s web site chat forums.

Alison states she did not ever request the information Jean assembled. We are asked to find any evidence of the

spreadsheet, as well as to determine whether Jean leaked the information and how this was done.

2
COMPUTER FORENSIC EXAMINATION REPORT: M57.BIZ
Search and Seizure and Chain of Custody
A digital copy of Jean’s laptop computer hard drive was provided, as authorized by corporate policy. In this case,

we are working under the presumption that m57dotBIZ is a private employer, not a government agency, and that the

employee gave consent and provided the laptop to our forensic analyst. Barbara Repa, a lawyer and journalist

specializing in workplace rights, shares that “the law considers whether the employee had reasonable expectations of

privacy. A worker who legitimately expects, based on the employer's policies, past practice, and common sense, that

the employer will not search certain areas has as strong case that there was a violation of privacy (Repa, 2016). In this

case, we assume Jean has willingly provided her laptop as the company policies are written so that she does not have an

expectation of privacy and therefore we are not violating her expectation of privacy.

In order to ensure that evidence collected maintains authenticity and integrity, the collection of the laptop hard

drive data is assumed to have been performed with the use of a device known as a write-blocker and the program FTK

Imager. Using FTK Imager and this device an exact forensic copy of the hard drive data is created without any means of

changing any data copied. The digital copy was saved as nps-2008-jean with a unique volume MD5 hash value of

78a52b5bac78f4e711607707ac0e3f93

onto a new 128 Gigabyte USB Flash Drive. The drive was placed in a sealed chain of custody bag and labeled with the

investigation number, date, location, collectors name, file sizes, and hash value of the collected image files. This bag was

then taken by Mr. Fischer and placed and stored in our media safe until it was analyzed.

The following recordings and transports of the examination data occurred to ensure an unbroken chain of

custody. A Chain of Custody Tracking Form was used for all items and evidence collected, transported, stored, analyzed,

and accessed for reporting. The following actions took place with the data and items involved in this case.

• Forensic Analyst Wayne Fischer used Property Record Number M57-001 for two items involved in this case, a

Laptop by Jean, and a new USB Drive which was obtained by our evidence custodian Joe Smith.

3
COMPUTER FORENSIC EXAMINATION REPORT: M57.BIZ
• Mr. Fischer notated his collection of the laptop being investigated and the name and hash of the image being

captured.

• Mr. Fischer noted the transportation and storage of the image in media storage as well as the removal of the

forensic image for analysis and finally redepositing the forensic image into digital media storage with Mr. Smith.

• This form is available for presentation in court or during arbitration to demonstrate an intact chain of custody.

Forensic Examination Details

The examination process proceeds in the following manner and with the following tools. Forensic analysts

received the laptop a in question from Jean. The laptop hard drive was removed and connected to a Digital Intelligence

UltraKit IDE/SATA write-blocker kit’s IDE/SATA write-blocker in preparation for copying data. A forensic system was

used with the write-blocker and FTK Imager 4.2.0 to create a forensically sound copy (e.g. image) of Jean’s laptop hard

drive. During the image creation a new 128 GB USB Flash Drive was used to store the image from FTK Imager 4.2.0

obtained with the write-blocker during collection.

Autopsy 4.9.1 was used to analyze a copy of the forensic image after validating the volume hash (Figure 1).

Autopsy has included tools (i.e. ingestion modules) to identify hashes of files, deleted files, email conversations,

messaging app conversations, and encrypted or hidden files. Forensic Analysts used Microsoft Windows 10 as a working

workstation operating system used to analyze the forensically sound image of Jean’s laptop hard drive. Forensic

analysts use the most recent version of Autopsy (at time of analysis v4.9.1) to analyze a copy of the laptop forensic

image collected. Each analyst system uses a fresh installation of Windows 10 which is up-to-date with the tools required

for each analysis. Forensic images and/or data are signed out and removed from secure media vaults using chain of

custody forms and evidence custodians.

1. Data is copied to the analyst machine using write a blocker to ensure it will not be altered when copied.

2. Hashes of forensic images/data are confirmed immediately when forensic images are loaded into Autopsy.

3. Figure 1 row labeled MD5 Hash shows that the forensic volume hash matched that of the collected image on the

analysis system, proving they are identical data sets.

4
COMPUTER FORENSIC EXAMINATION REPORT: M57.BIZ
4. The forensic image copy data is reviewed for artifacts related to the case.

Figure 1. Table from Autopsy v4.9.1 validating authenticity of volume hash for Jean’s laptop’s forensic image.

Artifacts Identified and Timeline of Events

The following artifacts were identified on the system which were relevant to this case.

1. An excel spreadsheet named m57biz.xls with the MD5 hash of bdb368615df94d7d8844497a6e6327a2

was discovered at the location C:\users\Jean\Desktop\m57biz.xls. This is a common location for
working files for Windows XP, the operating system used by the client.
2. A Microsoft Outlook email program and associated storage file outlook.pst with an MD5 has of
8c862a8c7ad8b7aff1df4d44fbf1fe95 was found at C:\users\Jean\Local Settings\Application
Data\Microsoft\Outlook\outlook.pst using known locations (Microsoft Support, n.d.).
3. A matching m57biz.xls with the same MD5 hash as item 1 was found in the Microsoft Outlook
“outlook.pst” file indicating that an email had included this document.

The spreadsheet containing the data the investigation was inquiring about was found on Jean’s desktop and in

the Jean’s email client list of files. This prompted a review of email activity around the dates of the file creation to

determine a timeline of activities.

Timeline
 Email request July 19, 2008 @ 1639 PDT received by Jean for a list of salaries and social security numbers from
spoofed email simsong@xy.dreamhostsps.com to appear from alison@m57.biz
 A reply from Jean to alison@m57.biz was sent July 19, 2008 @ 1644 PDT acknowledging the request with “Sure
thing.”.
 Alison responded July 19, 2008 @ 1650 PDT asking “What’s a ‘sure thing.’?”
 A second spoofed email request urging Jean to action was received July 19, 2008 @1822 PDT which is from
tuckgeorge@gmail.com and simsong@xy.dreamhostps.com
 Data file “m57biz.xls” was created July 19, 2008 @ 1828 PDT and saved to Desktop of user Jean (Figure 2).

5
COMPUTER FORENSIC EXAMINATION REPORT: M57.BIZ

Figure 2. Location and hash displayed in Autopsy for m57biz.xls artifact.

 Jean sends an email with the “m57biz.xls” data to the spoofed email sent July 19, 2008 @ 1828 PDT
 A response was sent by spoofed “Alison” thanking Jean for the requested information July 19, 2008 @ 2203 PDT
 Jean’s inbox begins receiving various emails from peers asking why sensitive information was posted began
being received by Jean on July 20, 2008.

Analysis Results
The forensic analysis of the laptop image was able to produce evidence of the exfiltration of sensitive data (the

spreadsheet in question). A timeline was established of the data exfiltration based on the email program Outlooks

default outlook.pst file in user Jean’s folders, as well as an excel spreadsheet on user Jean’s desktop. The analysis also

determined that, it is highly likely, that Jean was targeted and manipulated into providing sensitive data to an attacker

posing as another legitimate employee in an attack known as a “Spear Phishing” attack. In this attack an email is sent

requesting data which appears to be from a trusted person, but is in fact a person masquerading as a trusted individual.

Examination Conclusion
The findings from this investigation identified spear phishing using an altered “From” field in the email headers.

Email headers include information about email and some of these can be changed to user preferred settings

(Mediatemplate.net, n.d.). This is a common technique used by bad actors to trick and deceive ignorant victims into

believing they are someone other than they truly are. The following findings and recommendation are below.

• A person (the attacker) spoofed Alison’s email address in the From field of the email header to appear it was
from (alison@m57.biz) so that unknowing victims would see “alison@m57.biz”.
• The spoofed email address was determined to have originated from simsong@xy.dreamhostps.com as
identified by the “Return-Path” email header field.

6
COMPUTER FORENSIC EXAMINATION REPORT: M57.BIZ
• When Jean responded “Sure thing.”, her email response went to the correct email address of “Alison” who was
unaware of the original email and questioned the email. Jean did not respond to her response.
• The attacker sent a follow-up email urging Jean to send the requested data using the email
tuckgorge@gmail.com based on the Return-Path email header field, to which Jean responds and sends the
requested data.
• Recommendations for m57.biz are to provide user security-awareness training, install and run an email filtering
program, and to add procedures to verify sensitive information requests in person before sending data.
• Recommendations to the court are to recognize that this may not have been intentional exfiltration. The
Forensic analysis suggests additional subpoenas for additional evidence from other email systems involved in
the incident for forensic analysis to determine the identity of the attacker if m57.biz desires this action.

7
COMPUTER FORENSIC EXAMINATION REPORT: M57.BIZ
References
Infosec Institute. (2016, October 04). Forensics Investigation of Document Exfiltration involving Spear Phishing: The M57
Jean Case. Retrieved December 7, 2018, from https://resources.infosecinstitute.com/forensics-investigation-
document-exfiltration-involving-spear-phishing-m57-jean-case/ Courtesy of Dr. Simson Garfinkel

Mediatemplate.net. (n.d.). Understanding an email header. Retrieved December 10, 2018, from
https://mediatemple.net/community/products/dv/204643950/understanding-an-email-header

Microsoft Support. (n.d.). Find and transfer Outlook data files from one computer to another. Retrieved December 10,
2018, from https://support.office.com/en-us/article/find-and-transfer-outlook-data-files-from-one-computer-
to-another-0996ece3-57c6-49bc-977b-0d1892e2aacc

Repa, B. K. (2012, March 28). Employer Searches and Seizures: What Are Your Rights? Retrieved December 7, 2018, from
https://www.nolo.com/legal-encyclopedia/free-books/employee-rights-book/chapter5-5.html