Assignment
M57.biz Case
Class: CSOL-590-004-FA21
Table of Contents
INTRODUCTION
ANALYSIS
FINDINGS
REFERENCE
COMPUTER FORENSIC EXAMINATION REPORT
Introduction
The purpose of this report is to explain the processes and tools used to analyze the digital
evidence that was submitted to the digital forensics analyst. Then run through the analysis,
posted on M57.biz’s competitor’s “technical support” forum as an attachment. How did said
Two witnesses were interviewed: Alison, President of M57.biz, and Jean, CFO of M57.biz.
• Alison has and had no knowledge of any requests for Jean to send information found on
the spreadsheet in question. Second, Alison said she never received said spreadsheet from
Jean.
• Jean received an email from Alison requesting information and the spreadsheet as part
of a new funding round, which was to be sent to Alison at her email address.
Email addresses of the witnesses were obtained along with the login credentials. Alison’s
• http://downloads.digitalcorpora.org/corpora/drives/nps-2008-m57-jean/nps-2008-jean.E01
• http://downloads.digitalcorpora.org/corpora/drives/nps-2008-m57-jean/nps-2008-jean.E02
Working from the provided image gave an exact clone of the original hard drive, without
the danger of losing or accidentally changing any information on the original
hard drive, which is the digital evidence. Because the image is bit-for-bit, all the data is the same, and deleted
information and logs are kept intact. The hashes are provided in the supplementary analysis
A combination of FTK Imager and Autopsy, both digital forensics platforms, was used to
process the image file. Before uploading the image files, other sample files were used to test that
the programs were working well and as intended. These programs are fully licensed and used
according to their purposes. All the processes have been documented and are provided within the
supplementary analysis report, in accordance with the reporting aspect of chain of custody for
digital evidence.
Analysis
Once the image file was uploaded and analyzed, the email files were found, and a discovery
process was started. The email with the attachment in question was found, and any relevant
conversation or thread emails were also analyzed. The text and the headers were examined to help
with the analysis of the events and how things happened. Using the emails, a timeline was
put together to get a clearer picture of the succession of events and eventually explain how
the information was exfiltrated from the company and ultimately ended up on the competitor’s
website.
Findings
This first email seems to be the start of the events.
The text shows the request for the background check, with a timestamp of 2008-07-19
116:39:57.
The email headers reveal that the return path of this email differs from
the intended receiver, the email account alison@m57.biz, and instead points to
simsong@xy.dreamhostps.com.
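The header check described above can be automated when triaging a mailbox. The following is an added example, not part of the original report or of the tools it used; only the two email addresses come from the findings, and the sample messages, subjects and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: only the two addresses come from the report's findings;
# the subject, body and header layout are made up for this example.
SPOOFED = """\
Return-Path: <simsong@xy.dreamhostps.com>
From: Alison <alison@m57.biz>
To: jean@m57.biz
Subject: background checks

Please send the spreadsheet as soon as possible.
"""

# Constructed control message in which every sender header agrees.
LEGIT = """\
Return-Path: <alison@m57.biz>
From: Alison <alison@m57.biz>
To: jean@m57.biz
Subject: re: background checks

What spreadsheet?
"""

def domain(addr):
    """Lower-cased domain part of a bare address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def sender_mismatches(raw):
    """Return (header, address, cross_domain) for each reply or bounce
    header whose address differs from the displayed From address."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    findings = []
    for header in ("Return-Path", "Reply-To", "Sender"):
        value = msg.get(header)
        if value is None:
            continue  # header absent: nothing to compare
        addr = parseaddr(value)[1].lower()
        if addr and addr != from_addr:
            findings.append((header, addr, domain(addr) != domain(from_addr)))
    return findings

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, sender_mismatches(raw))
```

A mismatch is a lead to examine rather than proof on its own, since mailing lists and bulk senders legitimately use a different bounce address; the cross-domain flag on a message that claims to be internal is the stronger signal.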
The second email received by Jean, who assumed it was from Alison, comes two hours later, putting
Looking at the header of the email again shows that it is not from alison@m57.biz but from
Then a third email thanking Jean for the file and asking her not to let anyone know that
From looking at the text, it seems as though the imposter got sloppy and showed the
Again, the header shows that it is coming from and going to the
What is interesting, though, is that some of the email correspondence seems to have still been
going back and forth between Jean and Alison legitimately. But because of this outside thread was
Jean and Alison. It looks like Jean (jean@m57.biz) was the victim of email spoofing, thinking it was
the President of the company, Alison (alison@m57.biz), asking for sensitive information on a
spreadsheet. Common tactics used by malicious actors were found, such as putting urgency
pressure on the victim to send information as soon as possible and asking the victim not to
let anyone know because it is a confidential matter. These should have been flags for the victim, who
should have reached out to Alison directly by other means of communication, perhaps with an SMS
message or a phone call. There was correspondence between Jean and the spoofer, and
other messages between Jean and Alison in which Alison is confused by the messages. Finally, as
the different engineers heard that their information had been posted somewhere, they reached out to
Jean to figure out what was going on. This tipped off Jean that something was amiss and reported it
As a recommendation for the organization going forward, to avoid the recurrence of such
events, we recommend that M57.biz use available tools to detect email spoofing and filter
such messages out so they do not reach users' inboxes. Provide training to users going forward so they can spot
and detect spoofing, and also reach out by other means if a message or a request seems off.
Lastly, use tools to allow for Data Loss Protection, and block the sending of personal
Reference
AY, O. (2020, May 29). Digital Forensics Investigation Jurisprudence: Issues of Admissibility of
https://www.heraldopenaccess.us/openaccess/digital-forensics-investigation-jurisprudence-issues-of-admissibility-of-digital-evidence
GeeksforGeeks. (2020, June 2). Chain of Custody - Digital Forensics. Retrieved December 6,
Murphy, M. (2015, February 25). Digital Forensic Evidence. YouTube. Retrieved December 6,