RUNNING HEADER: CSOL590 FINAL PROJECT ASSIGNMENT

Computer Forensic Examination Report:

M57.biz Case

Student: Frank Ahan

Institution: University of San Diego

Instructor: Ron Fulton, M.S.

Class: CSOL-590-004-FA21

Date: 9 December 2021


COMPUTER FORENSIC EXAMINATION REPORT 2

Table of Contents

INTRODUCTION ........ 3
BACKGROUND TO THE CASE ........ 3
EVIDENCE AND TOOLS USED ........ 3
ANALYSIS ........ 4
FINDINGS ........ 4
CONCLUSION AND RECOMMENDATIONS ........ 11
REFERENCE ........ 12

Introduction

The purpose of this report is to explain the processes and tools used to analyze the digital evidence that was submitted to the digital forensics analyst. It then walks through the analysis, explains the findings, and offers recommendations.

Background to the Case

What prompted this case and the investigation was that confidential information was posted as an attachment on the "technical support" forum of one of M57.biz's competitors. How did that attachment end up on that website?

Two witnesses were interviewed: Alison, President of M57.biz, and Jean, CFO of M57.biz. The following was gathered from those interviews.

• Alison has and had no knowledge of any request for Jean to send the information found on the spreadsheet in question. Second, Alison said she never received said spreadsheet from Jean.

• Jean received an email from Alison requesting information and the spreadsheet as part of a new funding round, which was to be sent to Alison's email address.

The witnesses' email addresses were obtained along with their login credentials. Alison's email address is alison@m57.biz and Jean's email address is jean@m57.biz.

Evidence and Tools Used

A bit-for-bit image of the hard drive of the employee in question was provided and used.

• http://downloads.digitalcorpora.org/corpora/drives/nps-2008-m57-jean/nps-2008-jean.E01

• http://downloads.digitalcorpora.org/corpora/drives/nps-2008-m57-jean/nps-2008-jean.E02

Using the provided image gave an exact clone of the original hard drive without the danger of losing or accidentally altering any information on the original drive, which is the digital evidence. Because the image is bit-for-bit, all the data is identical, and deleted information and logs are kept intact. The hashes are provided in the supplementary analysis report to prove that the image is a legitimate copy of the original files.
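As an added illustration of the integrity check described above (this code is not from the report or its supplementary analysis), the following Python script hashes evidence files in chunks, compares the result with the hashes recorded at acquisition, and shows how a single altered byte is caught. The two segment files it creates are constructed stand-ins for nps-2008-jean.E01 and .E02; the real images' hashes are not reproduced here.

```python
# Added example, not part of the report: verify that evidence files still match the
# hashes recorded at acquisition. The two segment files below are constructed stand-ins
# for the nps-2008-jean.E01/.E02 images; the report's real hashes are not reproduced.
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 20):
    """Return MD5 and SHA-256 of a file, streamed in chunks so multi-GB images fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_evidence(manifest):
    """manifest maps each evidence path to the hashes recorded at acquisition.
    Returns {path: True/False}; False means the file no longer matches the record."""
    return {path: hash_file(path) == expected for path, expected in manifest.items()}


def build_demo_evidence():
    """Create two small constructed segment files and record their acquisition hashes."""
    workdir = tempfile.mkdtemp(prefix="m57-demo-")
    segments = {  # constructed content, not real EWF data
        "nps-2008-jean.E01": b"EVF\x09\x0d\x0a\xff\x00" + bytes(range(256)) * 16,
        "nps-2008-jean.E02": b"EVF\x09\x0d\x0a\xff\x00" + bytes(reversed(range(256))) * 16,
    }
    paths = []
    for name, content in segments.items():
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths.append(path)
    manifest = {path: hash_file(path) for path in paths}  # the acquisition record
    return paths, manifest


def demo():
    """Verify the demo evidence, then flip one byte in the second segment and verify again."""
    paths, manifest = build_demo_evidence()
    before = verify_evidence(manifest)
    with open(paths[1], "r+b") as fh:  # simulated accidental modification
        fh.seek(100)
        original = fh.read(1)
        fh.seek(100)
        fh.write(bytes([original[0] ^ 0x01]))
    after = verify_evidence(manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for path in before:
        print(os.path.basename(path), "before:", before[path], "after:", after[path])
```

Run directly, it prints the before/after verdict for each segment. In a real examination the manifest would be the hash list from the acquisition record, and the verification would be repeated and logged each time the evidence changes hands.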

A combination of FTK Imager and Autopsy, both digital forensics platforms, was used to process the image file. Before loading the image files, other sample files were used to test that the programs were working correctly and as intended. These programs are fully licensed and used according to their purposes. All the processes have been documented and are provided within the supplementary analysis report, in accordance with the reporting aspect of chain of custody for digital evidence.

Analysis

Once the image file was loaded and analyzed, the email files were found and a discovery process was started. The email with the attachment in question was found, and any relevant conversation or thread emails were also analyzed. The message text and the headers were examined to help reconstruct the events and how they happened. Using the emails, a timeline was put together to get a clearer picture of the succession of events and ultimately explain how the information was exfiltrated from the company and ended up on the competitor's website.

Findings

This first email appears to be the start of the events.

Figure 1: First email

The text shows the request for the background check with a timestamp of 2008-07-19 16:39:57.

Figure 2: Text of the initial Email

Looking at the header reveals that the return path of this email differs from the account that should receive the reply, alison@m57.biz, and instead goes to simsong@xy.dreamhostps.com.

Figure 3: Header information showing different email address

The second email, received by Jean two hours later from someone she assumed was Alison, put pressure on Jean to send over the file urgently.

Figure 4: Second email, urgency requested



Figure 5: Second email text

Looking at the header of this email again shows that it is not from alison@m57.biz but from simsong@xy.dreamhostps.com; another email address, tuckgorge@gmail.com, is also found.

Figure 6: Header information



Then a third email was received, thanking Jean for the file and asking her not to let anyone know that such a file had been sent.

Figure 7: Third Email

From the text, it seems the imposter got sloppy and exposed the tuckgorge@gmail.com address in the message itself.

Figure 8: Text of third email in question

Again, the header shows that it is coming from, and going to, the simsong@xy.dreamhostps.com email address.
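The header comparison applied in Figures 3, 6 and 9 can be automated. The following Python script is an added example, not part of the report: it parses raw messages with the standard library's email module, flags any message whose Return-Path differs from its From address, lists every address present in the headers (which is how an address such as tuckgorge@gmail.com surfaces), and orders the messages into the kind of timeline the Analysis section describes. The three messages are constructed for illustration using the addresses and first timestamp cited in this report; their bodies are not corpus content. The same From/Return-Path check is one an inbound mail filter of the kind recommended in the Conclusion could apply before a message reaches the inbox.

```python
# Added example, not part of the report: flag From/Return-Path mismatches, collect every
# address seen in the headers, and sort messages into a timeline. Sample messages are
# constructed; addresses and the first timestamp are those the report cites.
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

SAMPLE_EMAILS = [  # constructed, deliberately out of chronological order
    """Return-Path: <simsong@xy.dreamhostps.com>
From: alison@m57.biz
To: jean@m57.biz
Cc: tuckgorge@gmail.com
Date: Sat, 19 Jul 2008 18:45:02 -0700
Subject: Re: background checks

I need the spreadsheet urgently.
""",
    """Return-Path: <simsong@xy.dreamhostps.com>
From: alison@m57.biz
To: jean@m57.biz
Date: Sat, 19 Jul 2008 16:39:57 -0700
Subject: background checks

Jean, please send the spreadsheet for the funding round.
""",
    """Return-Path: <alison@m57.biz>
From: alison@m57.biz
To: jean@m57.biz
Date: Sun, 20 Jul 2008 10:12:33 -0700
Subject: Re: spreadsheet?

What spreadsheet? I never asked for one.
""",
]


def analyze_message(raw):
    """Parse one raw message and report the indicators an examiner reads off the header."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    addresses = set()
    for header in ("From", "To", "Cc", "Reply-To", "Return-Path"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                addresses.add(addr.lower())
    sent_at = parsedate_to_datetime(msg["Date"])
    return {
        "subject": msg.get("Subject", ""),
        "from": from_addr,
        "return_path": return_path,
        "sent_at": sent_at,
        "timestamp": sent_at.strftime("%Y-%m-%d %H:%M:%S"),
        "addresses": sorted(addresses),
        # A Return-Path that does not match the visible sender is the report's key indicator.
        "spoof_suspected": bool(return_path) and return_path != from_addr,
    }


def build_timeline(raw_messages):
    """Analyze every message and order the results by the Date header."""
    return sorted((analyze_message(raw) for raw in raw_messages), key=lambda m: m["sent_at"])


if __name__ == "__main__":
    for entry in build_timeline(SAMPLE_EMAILS):
        flag = "SPOOF?" if entry["spoof_suspected"] else "ok"
        print(entry["timestamp"], flag, entry["from"], "<-", entry["return_path"],
              entry["subject"], entry["addresses"])
```

In practice the raw messages would be exported from the mail store found on the image; the script reads only headers Autopsy and FTK Imager already expose, so its output can be checked against the figures.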



Figure 9: Header Information

Interestingly, some email correspondence was still going back and forth legitimately between Jean and Alison. Because this outside thread was unknown to Alison, she sent back a confused message.

Figure 10: Confused Message



Figure 11: Text

Figure 12: From legitimate address



Conclusion and Recommendations


After reviewing the evidence, in particular the email correspondence back and forth between Jean and Alison, it looks like Jean (jean@m57.biz) was the victim of email spoofing, believing it was the President of the company, Alison (alison@m57.biz), asking for sensitive information on a spreadsheet. Common tactics used by malicious actors were found, such as putting urgent pressure on the victim to send the information as soon as possible, and asking the victim not to let anyone know because it is a confidential matter. These should have been red flags for the victim, who should have reached out to Alison directly by another means of communication, perhaps an SMS message or a phone call. There were messages going between Jean and the spoofer and other messages between Jean and Alison, in which Alison is confused by the messages. Finally, as the different engineers heard that their information had been posted somewhere, they reached out to Jean to figure out what was going on. This tipped off Jean that something was amiss, and she reported it to the proper authorities.

As a recommendation for the organization going forward, to avoid a recurrence of such events, we recommend that M57.biz use available tools to detect email spoofing and filter such messages out so they do not reach users' inboxes. Provide training to users to spot and detect spoofing, and to reach out by other means if a message or request seems off. Lastly, use Data Loss Prevention (DLP) tools to block the sending of personally identifiable information through unsecure means and through attachments.
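To make the last recommendation concrete, the following Python script is an added example (not from the report) of an outbound DLP check: it scans attachment text for SSN-shaped values and blocks the message when any recipient lies outside the organization's own domain. The m57.biz internal-domain list, the spreadsheet export and the decision thresholds are constructed assumptions for illustration.

```python
# Added example, not part of the report: an outbound DLP check that blocks attachments
# containing SSN-shaped values when any recipient is outside the internal domain.
# The internal-domain list and the spreadsheet export are constructed for illustration.
import re

INTERNAL_DOMAINS = {"m57.biz"}  # assumption: the only domain treated as internal

# SSN-shaped values; the look-aheads exclude area/group/serial numbers that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_pii(text):
    """Return every SSN-shaped value found in the extracted text of an attachment."""
    return SSN_RE.findall(text)


def is_external(address):
    """True when the recipient's domain is not one of the organization's own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def evaluate_outbound(sender, recipients, attachments):
    """attachments maps filename -> extracted text. Returns the policy decision
    together with the evidence (external recipients, PII count per attachment)."""
    pii_counts = {name: len(find_pii(text)) for name, text in attachments.items()}
    external = [r for r in recipients if is_external(r)]
    return {
        "sender": sender,
        "block": bool(external) and any(pii_counts.values()),
        "external_recipients": external,
        "pii_counts": pii_counts,
    }


# Constructed spreadsheet export; names and numbers are not real.
SAMPLE_SHEET = """name,salary,ssn
Example Employee A,85000,123-45-6789
Example Employee B,92000,234-56-7890
Example Contractor C,60000,n/a
"""

if __name__ == "__main__":
    attachment = {"constructed-sheet.csv": SAMPLE_SHEET}
    for to in (["simsong@xy.dreamhostps.com"], ["alison@m57.biz"]):
        print(to, evaluate_outbound("jean@m57.biz", to, attachment))
```

The check deliberately reports the external recipients and the per-attachment counts rather than just a verdict, so the block event can be logged and reviewed; a real deployment would extract text from the actual spreadsheet format and add the organization's other PII patterns.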



Reference

AY, O. (2020, May 29). Digital Forensics Investigation Jurisprudence: Issues of Admissibility of Digital Evidence. www.heraldopenaccess.us. Retrieved December 6, 2021, from https://www.heraldopenaccess.us/openaccess/digital-forensics-investigation-jurisprudence-issues-of-admissibility-of-digital-evidence

GeeksforGeeks. (2020, June 2). Chain of Custody - Digital Forensics. Retrieved December 6, 2021, from https://www.geeksforgeeks.org/chain-of-custody-digital-forensics/

Murphy, M. (2015, February 25). Digital Forensic Evidence [Video]. YouTube. Retrieved December 6, 2021, from https://www.youtube.com/watch?v=nySje7f9Mdg
