
Running head: DIGITAL FORENSIC REPORT

Digital Forensic Report


Jessica Romio
University of San Diego

Contents
Abstract
Background to the Case
Questions Asked Relevant to the Case
Search and Seizure and Transport of Evidence
Exhibits Submitted for Analysis
Further Questions Relevant to the Case
Chain of Custody
Evidence to Search For
List of Criminal Offence
Files of Value to the Case & Examination Details
Corporate Breach
Analysis Results
Conclusion
Generated Material
References

Abstract
“The purpose of digital forensics is to answer investigative or legal questions to prove or
disprove a court case. To ensure that innocent parties are not convicted and that guilty parties are
convicted” (n.d.). This paper serves as the expert report provided by me, the digital forensic
investigator. In the case, company confidential information has been released to a competing
company. The confidential spreadsheet was created by a company employee, Jean. Jean claims
that the spreadsheet was requested by the company president, Alison, whereas Alison claims to
not know what Jean is talking about. The question is how this information left Jean’s
computer and whether Jean is guilty. As a forensic investigator, I have collected and analyzed
data in the case and produced the following report to present my findings and recommendations.

Background to the Case


Jean Jones, Chief Financial Officer (CFO) of the company M57.biz, is suspected of leaking
confidential information. A spreadsheet containing confidential information was posted as an
attachment on a competing company’s website. The spreadsheet, containing the names and
salaries of the company’s key employees, came from Jean’s computer. She was the only one who
owned the document.
To conduct a proper and thorough investigation, I used the tool Forensic Toolkit Imager (FTK
Imager). With the software, I was able to open and analyze the files from Jean’s computer. Upon
finding email files, I also used Microsoft Outlook to search through Jean’s emails.

Questions Asked Relevant to the Case


The following questions have been brought forward from the client:
Questions
1. When did Jean create the spreadsheet?
2. How did the documents get on the competitor’s website?
3. Is Jean innocent or did she have anything to do with the file getting out?

Search and Seizure and Transport of Evidence


Exhibits Submitted for Analysis
Item #   Quantity   Description of Item
1.       1          Jean Jones’s computer
2.       1          nps-2008-jean.E01 (Evidence file imaged from Jean’s computer)
3.       1          Usernames and passwords of Alison and Jean

Further Questions Relevant to the Case


Questions
1. Was anyone else in the company involved?

Chain of Custody
Item #   Date/Time           Released By   Received By     Comments/Location
1.       7/21/2008 6:00am    Jean Jones    Security        Collected and stored to be analyzed. Stored at M57.biz HQ in a locked cabinet
2.       7/21/2008 8:00am    Security      Security        Security created an imaged evidence file of Jean’s computer
2.       7/21/2008 12:00pm   Security      Jessica Romio   Security transferred the imaged file to Jessica to be analyzed

Evidence to Search For


This case will begin by searching for the created spreadsheet within the evidence files that I was
provided with. I will search for it on Jean’s computer and determine when the file was created.
Next, I will search for any evidence of how the file was sent out, who it was sent to, and when it
was sent. After that, I will search for any communications that indicate whether the leak of the
spreadsheet was intentional or not.

List of Criminal Offence


The offences facing ‘Jean Jones’ are the release of private and personal information,
violating company policy, and breaching the security of the company.

Files of Value to the Case & Examination Details


The spreadsheet was found on Jean’s desktop, m57biz.xls, created on 7/20/2008 at 1:28:03 AM.
I did not need to crack passwords on the device, as doing so was not needed to access information.
The following shows the emails that were found on Jean’s computer that were sent to and from
the company president, Alison. These emails show when the confidential spreadsheet was sent
and who it was sent to. These files were all found within the Microsoft Outlook files on Jean’s
computer. The message that is highlighted in red shows exactly when the confidential
spreadsheet was sent out.
Time                To                             From                           Message
7/6/2008 12:25pm    Alison                         Jean                           Please do not send me links like this.
7/6/2008 12:25pm    Alison                         Jean                           Check this one out: Looks like the woman we turned down for the job...
7/10/2008 12:48am   Jean                           Alison                         I thought you told me not to send links.
7/19/2008 4:32pm    Jean                           Alison (alex@m57.biz)          Are you going to use alex@m57.biz or alison@m57.biz?
7/19/2008 6:23pm    Jean                           Alison (tuckgorge@gmail.com)   Please send me the information now
7/19/2008 6:23pm    Jean                           Alison (tuckgorge@gmail.com)   I need that information now
7/19/2008 6:29pm    Alison (tuckgorge@gmail.com)   Jean                           Sent confidential excel sheet

The timeline begins on 7/6/2008 with an email from Alison telling Jean not to send her emails with
links in them. Shortly after the email is sent, Alison sends Jean an email with links in it, to
which Jean responds that she thought Alison didn’t want her sending any links. About a week after,
Jean emails Alison to ask whether she should be emailing her at the alex@m57.biz address or the
alison@m57.biz address; this creates confusion for Jean, as she receives responses from both
addresses. On 7/19/2008 at 4:32pm, Jean receives an email from someone she believes is Alison,
because the name displays as “alison@m57.biz”; however, the email is from “tuckgeorge@gmail.com”.
This email requests that Jean send a background check of their current employees. Jean does not
initially respond, and the sender asks for the file once again a few hours later. On 7/19/2008 at
6:29pm, Jean responds to tuckgeorge@gmail.com, whom she believes to be Alison, with the
confidential spreadsheet.
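
The mismatch described above, a display name showing an internal address while the message comes
from an outside account, can be checked mechanically on a mailbox export. The following Python
code is an added example and not part of the original report; the From values are constructed from
the addresses quoted in the report, and the names classify_from and INTERNAL_DOMAINS are
illustrative assumptions.

```python
import re
from email.utils import parseaddr

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
INTERNAL_DOMAINS = {"m57.biz"}  # assumption: the organisation's own mail domain


def classify_from(header_value):
    """Compare the address shown in the display name of a From header
    with the address the message was actually sent from."""
    display, actual = parseaddr(header_value)
    actual = actual.lower()
    if "@" not in actual:
        return "unparseable"
    # Any e-mail address the sender placed inside the display name.
    shown = [a.lower() for a in ADDR_RE.findall(display)]
    if not shown or all(a == actual for a in shown):
        return "consistent"
    actual_domain = actual.rsplit("@", 1)[1]
    shown_internal = any(a.rsplit("@", 1)[1] in INTERNAL_DOMAINS for a in shown)
    if shown_internal and actual_domain not in INTERNAL_DOMAINS:
        return "external sender showing internal address"
    return "display address differs from sender"


# Constructed From values, modelled on the addresses quoted in the report.
SAMPLES = [
    '"alison@m57.biz" <tuckgeorge@gmail.com>',  # the case in the timeline
    'Alison <alison@m57.biz>',                  # plain name, internal sender
    '"alison@m57.biz" <alex@m57.biz>',          # internal, but not the shown mailbox
    'alison@m57.biz',                           # bare address, no display name
]


def review(samples):
    """Return (header value, verdict) pairs for a list of From values."""
    return [(value, classify_from(value)) for value in samples]


if __name__ == "__main__":
    for value, verdict in review(SAMPLES):
        print(f"{verdict:42} {value}")
```

Only the first constructed value is reported as an external sender showing an internal address;
the third is flagged separately because the shown mailbox and the sending mailbox differ.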

Corporate Breach
It has been concluded that Jean did commit a corporate breach and violated company policy by
sending out a confidential email with the personal information of employees, outside of the
company. However, I do not believe this was done intentionally. Based on the emails between
Jean and Alison and someone posing as Alison, it can be determined that Jean was the victim
of a targeted phishing attack.

Analysis Results
I used FTK Imager for my analysis of Jean’s evidence files. After loading the evidence file into
FTK Imager, the first thing I did was verify the hash to ensure the integrity of the files.

I then was able to locate the Excel file on Jean’s Desktop.

Once the file was located, I began searching for any evidence of communication to another
individual to identify when the file was sent out. I was able to locate the .pst file within Jean’s
computer image and I exported the Outlook items and opened them within Outlook.

The following image shows when a spoofed email account, posing as Alison, asked for the
spreadsheet.

The following image shows exactly when Jean sent the email to who she thought was Alison.

Lastly, the following email came from Alison’s actual account and shows that she was confused
and did not request any type of confidential spreadsheet.

Conclusion
• I was able to recover all the data relevant to the investigation and maintain the integrity of
the data by verifying the hash values.
• I was able to read through all the email files using Microsoft Outlook to see the dates and
times of the mail, as well as who it was sent to.
• I was able to conclude that there was evidence of the confidential spreadsheet on Jean’s
computer at 7/20/2008 1:28am.
• The digital evidence does not lead me to believe that the leak of the file was done
intentionally. I believe that Jean was targeted in a phishing attack and she unknowingly
sent the information outside of the company, believing it was being sent to the company
president, Alison.
• This explains why Jean believes she was innocent and claimed that Alison requested the
file. It also explains Alison’s confusion, as she did not know what Jean was talking about
since someone was acting as her to gain information from Jean.
• I would recommend that M57, as a company, employs better security training to ensure
phishing attacks do not occur. Firewalls and additional security systems would also help
to block attacks like phishing, as well as spam and malware.

Generated Material
• Microsoft Word document of Digital Forensic Report and Findings
• Evidence found on exhibits

References
Forensic Analysis and Examination Planning. (n.d.). Retrieved June 21, 2020, from
https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-of-
study/forensic-science/forensic-analysis-and-examination-planning/

Crawford, V. (2015). Example of an expert witness digital forensic report.
Retrieved from https://learn-us-east-1-prod-fleet01-
xythos.s3.amazonaws.com/5c2103143e6a3/1364737?response-cache-
control=private%2C%20max-age%3D21600&response-content-
disposition=inline%3B%20filename%2A%3DUTF-
8%27%27M7%2520Final%2520Project%2520Digital%2520Forensic%2520Report%2520
Example.pdf&response-content-type=application%2Fpdf&X-Amz-Algorithm=AWS4-
HMAC-SHA256&X-Amz-Date=20200620T210000Z&X-Amz-SignedHeaders=host&X-
Amz-Expires=21600&X-Amz-
Credential=AKIAZH6WM4PLTYPZRQMY%2F20200620%2Fus-east-
1%2Fs3%2Faws4_request&X-Amz-
Signature=4673ad24986c3aea83c12a1b764385a668d990ee50b0fc8a0379d197ae7f10d3
