
Computer Forensic Examination Report

Joseph Wagner CSOL 590

Professor John Fincannon

University of San Diego



Contents

Background of the case .......... 3

Case Request .......... 4-7

Case Questions .......... 3-4

Evidence .......... 4

Process .......... 4-5

Hypothesis .......... 5-7

Recommendations .......... 7-8

References .......... 9

Background of the Case

M.57.biz is a small but fast-growing start-up in the body art industry. They have 12 employees in total and are in hyper-growth mode, as they are about to finalize their Series A funding of 10 million dollars. M.57 is a fully remote organization which communicates via email, video conferencing, and some in-person meetings. M.57 prides itself on innovation through flexibility and loves giving its employees the opportunity to work from home, the coffee shop, or even a beachside hotel. Due to the start-up nature of the company, their IT department and security framework had not matured to a state where they could recognize and block threats. Also, the employees had not been enrolled in a robust security training program to help them spot attacks. During what seemed to be a normal email exchange between the CEO, Alison Smith, and the CFO, Jean, a document was sent containing extremely confidential data: each employee's salary, SSN, name, and title. The CEO, Alison, states she never asked for the document to be sent and never received the spreadsheet in an email, while Jean insists she requested it as part of their new funding round for a meeting with the board of directors.

Case Request

Due to the severity of the breach, one of the board members is questioning giving M.57 the funding and is asking for a detailed analysis around what happened and how the file ended up on a competitor's website. This report will detail what happened and recommend next steps for M.57 and the board.

Questions

1. Did Jean send this file maliciously?

2. If Jean did not send the file, how was the system infiltrated?

3. What type of malicious cyber-attack could Jean have been a victim of?

4. Was anyone else in the company involved?

5. What are the next steps for the organization and the board?

Evidence

-One single image of Jean's hard drive from the computer in question

-A copy of the spreadsheet

-Testimony of both Alison Smith and Jean

Process

Once given the disk image of Jean's computer, a full read and analysis was needed to understand what may have happened. This can be achieved by using tools such as:

1. Autopsy by Sleuthkit

2. EnCase

3. FTK Imager

The purpose of using one of these tools is to gain as much access as possible to the drive, to be able to piece together the case and the steps of what may have happened. These tools allow for a read of the disk image but also maintain proper chain of custody and evidence integrity, because the data is read from the image without any of it being altered. Since this case had not reached criminal prosecution or law enforcement engagement, keeping the evidence and chain of custody as clear as possible is not strictly necessary, but it is a good best practice in order to present the findings to the board member in the most professional manner possible. The tool that I focused on for the purpose of this investigation was Autopsy by Sleuthkit. This tool was able to ingest the data into a clear graphical interface which allowed for quick searching and a detailed view of the files and data on the disk image. “Autopsy can process disk images or directories to help you generate an event timeline. It assists you in putting the pieces together and determining what might have caused an incident to happen in the first place.” (Teodorovici, 2021). Autopsy was able to generate a timeline which was used to understand what happened to Jean and why she created and sent the file that she did. A hypothesis was formed by looking at the email history, file creation times, and other logs on the drive. Being able to see when emails were sent and to what addresses allowed for a proper analysis and an understanding of whether Jean was acting criminally or was the victim of an attack.

Hypothesis

Based on the timeline from when Jean and Alison started using their company emails, they seemed to have had some issues. On 7/19 an email was sent to Jean from an address with a header that matched her boss, Alison. This email asked for a file to be created and sent that contained employees' social security numbers, titles, and salaries. This email was actually sent from tuckgorge@gmail.com and tricked Jean into thinking that the email was coming from her boss, Alison Smith. Jean appears to be the victim of a social engineering phishing attack.

“What does social engineering look like in action? It could look like an email that has been designed to seem like it is from a credible organization, like your message service or Fed Ex or even your bank. But if you open it and click on that attachment, you could be installing malware or ransomware. Or, it could be disguised to look like it comes from someone inside your organization (like an unusual title such as IT@yourorganization – someone whom you trust). But if you respond to that email with your username and password, your computer is easily compromised. The rule is Think Before You Click.” (Mitnick, 2020)

Jean did not maliciously send this file to anyone, based on the evidence found in the email communications. She had, with all good intentions, sent the requested file to what she thought was her boss. She created the file on 7/19 and sent it back, and got a response from the same address which she thought was her boss, thanking her for what she sent over as well as asking her not to speak about it due to the sensitivity with the board and the next round of funding.

On 7/20 a programmer asked if she knew why a competitor had this type of information on their website forum, which then launched the investigation around what happened. No one else was involved with this besides Alison, who was herself unaware that any of this was happening, since her credentials and email were not what was used to obtain the spreadsheet.
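The timeline and sender review described in the Process and Hypothesis sections can be partly automated once the mail has been exported from the image. The following Python script is an added example for this report, not part of the original report and not Autopsy's own code. It works on a small set of constructed messages (not the messages recovered from the case image: only the two addresses and the 7/19 date come from the report; the company domain m57.biz, the employee roster, the year, times, subjects and bodies are assumptions), orders them into a timeline by their Date header, and flags the pattern the report describes, a display name that matches a known colleague sitting on an address outside the company domain, along with outbound mail to external recipients.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Assumptions for this example: the company mail domain and the display names
# employees normally send under, mapped to their real addresses.
COMPANY_DOMAIN = "m57.biz"
KNOWN_EMPLOYEES = {
    "alison smith": "alison@m57.biz",
    "jean": "jean@m57.biz",
}

SPOOFED_NAME = "spoofed-display-name"      # colleague's name on a foreign address
EXTERNAL_SENDER = "external-sender"        # inbound from outside the company
EXTERNAL_RECIPIENT = "external-recipient"  # outbound to an address outside the company

# Constructed sample messages, deliberately out of date order. These are not the
# messages recovered from the case image: only the two addresses and the 7/19
# date come from the report; the year, times, subjects and bodies are invented.
SAMPLE_MESSAGES = [
    """From: "Alison Smith" <tuckgorge@gmail.com>
To: jean@m57.biz
Date: Sat, 19 Jul 2008 19:05:00 -0700
Subject: thanks

Received, please keep this between us until the board meeting.
""",
    """From: "Alison Smith" <alison@m57.biz>
To: jean@m57.biz
Date: Mon, 14 Jul 2008 10:02:00 -0700
Subject: Welcome

Welcome aboard.
""",
    """From: "Jean" <jean@m57.biz>
To: "Alison Smith" <tuckgorge@gmail.com>
Date: Sat, 19 Jul 2008 18:30:00 -0700
Subject: Re: background checks

Attached is the spreadsheet you asked for.
""",
    """From: "Alison Smith" <tuckgorge@gmail.com>
To: jean@m57.biz
Date: Sat, 19 Jul 2008 17:48:00 -0700
Subject: background checks

Can you send me the spreadsheet with names, titles, salaries and SSNs?
""",
]


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rpartition("@")[2].lower()


def analyze_message(raw):
    """Parse one RFC 822 message and return a timeline entry with any flags."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    flags = []

    # A display name we recognise as a colleague on an address that is not
    # theirs is the pattern the report describes for the 7/19 message.
    expected = KNOWN_EMPLOYEES.get(name.strip().lower())
    if expected and sender.lower() != expected:
        flags.append(SPOOFED_NAME)

    if domain_of(sender) != COMPANY_DOMAIN:
        flags.append(EXTERNAL_SENDER)
    elif any(domain_of(r) != COMPANY_DOMAIN for r in recipients):
        flags.append(EXTERNAL_RECIPIENT)

    return {
        "when": parsedate_to_datetime(msg["Date"]),
        "from": sender,
        "display_name": name,
        "to": recipients,
        "subject": msg.get("Subject", ""),
        "flags": flags,
    }


def build_timeline(raw_messages):
    """Order the messages by their Date header, oldest first."""
    return sorted((analyze_message(r) for r in raw_messages), key=lambda e: e["when"])


def suspicious(timeline):
    """Entries an examiner should look at first."""
    return [e for e in timeline if e["flags"]]


if __name__ == "__main__":
    for entry in build_timeline(SAMPLE_MESSAGES):
        marker = "!!" if entry["flags"] else "  "
        print(marker, entry["when"].isoformat(), entry["display_name"],
              f"<{entry['from']}>", "->", ", ".join(entry["to"]),
              "|", entry["subject"], "|", ", ".join(entry["flags"]))
```

Run stand-alone, the script prints the four messages in date order with the two tuckgorge@gmail.com messages and Jean's reply marked. The roster check is what separates the 7/19 request from ordinary external mail: a sender calling itself "Alison Smith" from any address other than hers is flagged even if the domain looked plausible, which is the point the report makes about the header matching her boss.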

Recommendations

Since Jean did not act maliciously to leak this data, this was a case of a social engineering phishing attack, which is incredibly common in the workplace today. “One of the reasons why phishing is so effective is that it can be hard to recognize; scams are constantly evolving. Phishing attacks also target individuals, rather than IT vulnerabilities. Employees and business owners are only human, and it’s easy to fall for a sophisticated phishing scheme. The best chance businesses must prevent phishing is through education. Teach your teams what to look for and how to recognize a potential phishing attempt.” (Heaslip, 2021)

Since phishing attempts are sophisticated and always changing, it is important to educate M.57 about what happened and how to prevent this in the future. Even with the most sophisticated anti-phishing tools in place, ensuring that employees are well trained on potential attacks and how to avoid them is the most important foundation of a well-established security framework. For Jean, the individual who fell victim to the social engineering phishing attack, it may be wise for her to enroll in robust training to make sure that this does not happen again. For the affected employees, the company should provide identity theft protection free of charge for 7 years to help identify whether their information is being used maliciously. Software also needs to be added to the employees’ laptops to help stop these attacks; though this was more of a social engineering phishing attack, they could add filters that identify things like:

-SSNs

-Salaries

-Addresses

-Any other sensitive data
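The filtering the list above describes is what a data loss prevention (DLP) rule on outbound mail or file sharing does. The following Python script is an added example for this report, not part of the original report and not the code of any product named here. It scans text (a constructed CSV export in which every name, SSN, salary and address is made up, plus a constructed benign memo) for SSN-shaped values, salary figures and street addresses, decides whether the content should be blocked under assumed thresholds, and redacts SSNs so that an alert can be logged without repeating the data. The SSN pattern also skips area, group and serial numbers that are never issued, which keeps ordinary numeric strings from tripping the rule.

```python
import re

# SSN-shaped values; the lookaheads skip area 000, 666 and 9xx, group 00 and
# serial 0000, which are never issued, to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Dollar amounts with thousands separators or at least four digits.
MONEY_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})+(?:\.\d{2})?|\$\s?\d{4,}(?:\.\d{2})?")
# A simple US street-address shape: number, capitalised street name, suffix.
STREET_RE = re.compile(r"\b\d{1,5}\s+[A-Z][a-z]+(?:\s[A-Z][a-z]+)*\s(?:St|Ave|Blvd|Rd|Dr|Ln)\b\.?")
# Money only counts as salary data when the document says it is about pay.
SALARY_HEADERS = ("salary", "compensation", "pay rate")

# Constructed sample attachment: every name, SSN, salary and address is made up.
# The third row carries an SSN that is never issued (area 000) to show the filter
# ignoring it.
SAMPLE_EXPORT = """name,title,salary,ssn,address
Pat Example,Engineer,"$85,000",123-45-6789,"12 Main St"
Sam Sample,Designer,"$120,000",456-78-9012,"400 Ocean Ave"
Lee Placeholder,Intern,"$65,000.00",000-12-3456,"7 Pine Ln"
"""

# Constructed benign text with no personal data.
SAMPLE_MEMO = "Q3 roadmap: ship the booking feature, then revisit the mobile app."


def scan_text(text):
    """Count sensitive-data matches in a document."""
    lower = text.lower()
    pay_context = any(h in lower for h in SALARY_HEADERS)
    return {
        "ssn": len(SSN_RE.findall(text)),
        "salary": len(MONEY_RE.findall(text)) if pay_context else 0,
        "address": len(STREET_RE.findall(text)),
    }


def should_block(text, ssn_limit=0, salary_limit=0, address_limit=5):
    """Block on any SSN or salary figure; tolerate a few addresses (assumed thresholds)."""
    found = scan_text(text)
    return (found["ssn"] > ssn_limit
            or found["salary"] > salary_limit
            or found["address"] > address_limit)


def redact_ssns(text):
    """Keep only the last four digits so an alert can be logged safely."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], text)


if __name__ == "__main__":
    for label, doc in (("export", SAMPLE_EXPORT), ("memo", SAMPLE_MEMO)):
        print(label, scan_text(doc), "BLOCK" if should_block(doc) else "allow")
    print(redact_ssns(SAMPLE_EXPORT))
```

Tying the salary count to a pay-related header is a deliberate choice: dollar amounts on their own appear in invoices and quotes that should flow freely, while a spreadsheet with a "salary" column is exactly the document the report is about. The same rule would have to run on attachments after they are extracted from the message and on uploads to the sharing tool, not only on the mail body.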

Also, the company should enable policies and tools which will not let an individual share any file unless it is encrypted and sent through the correct tool. This can be done through Microsoft SharePoint, Google Drive, Dropbox, Citrix, and various others. This is a best practice when sending any file, period, and especially files that hold sensitive data, whether that is employee data or customer data. “Modern-day businesses need to share large files digitally, and in doing so, there always remains a security threat if not done through secure channels. However, not all businesses understand the gravity of the situation as to how fragile the Internet is until they learn it the hard way. According to statistics, more than 4 billion records were exposed globally due to data breaches in mid-2019. Therefore, regulations such as PCI Data Security Standard and HIPAA guide organizations by providing a framework for storage, handling, and safeguarding of their sensitive information.” (Acharya, 2020). By using an encrypted file sharing practice, M.57 will have a stronger way to send files, even when they are sensitive in nature. This, together with employee training and education, will go a long way for the future of the organization and its employees as the business grows.



References

Acharya, D. (2020, November 13). 11 secure file sharing services to send data privately. Geekflare. Retrieved December 14, 2021, from https://geekflare.com/secure-file-sharing/.

Heaslip, E. (2021, June 16). What is a phishing scam? Guide for protecting your business. https://www.uschamber.com/co. Retrieved December 13, 2021, from https://www.uschamber.com/co/run/technology/phishing-scam-protection-tips.

Mitnick, K. (2020, December 1). Social engineering attacks: Common techniques & how to prevent an attack. Digital Guardian. Retrieved December 13, 2021, from https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack.

Teodorovici, M. (2021, November 12). Download Autopsy 4.19.2. Softpedia. Retrieved December 13, 2021, from https://www.softpedia.com/get/Others/Miscellaneous/Autopsy.shtml.
