Computer Forensic Examination Report Joseph Wagner CSOL 590 Professor John Fincannon University of San Diego
Contents
Case Request 4-7
Case Questions 3-4
Evidence 4
Process 4-5
Hypothesis 5-7
Recommendations 7-8
References 9
M.57.biz is a small but fast-growing start-up in the body art industry. It has 12 employees in total and is in hyper-growth mode, about to finalize a Series A funding round of 10 million dollars. M.57 is a fully remote organization that communicates via email, video conferencing, and some in-person meetings. M.57 prides itself on innovation through flexibility and gives its employees the opportunity to work from home, a coffee shop, or even a beachside hotel. Because of the company's start-up nature, its IT department and security framework had not matured to a state where they could recognize and block threats. The employees had also not been enrolled in a robust security training program to help them spot attacks. During what seemed to be a normal email exchange between the CEO, Alison Smith, and the CFO, Jean, a document was sent containing extremely confidential data: employees' salaries, SSNs, names, and titles. The CEO, Alison, states she never asked for the document to be sent and never received the spreadsheet in an email, while Jean insists she requested it as part of their new funding round for
Case Request
Due to the severity of the breach, one of the board members is questioning whether to give M.57 the funding and is asking for a detailed analysis of what happened and how the file ended up on a competitor's website. This report will detail what happened and recommend next steps for
Questions
2. If Jean did not send the file, how was the system infiltrated?
3. What type of malicious cyber-attack could Jean have been a victim of?
5. What are the next steps for the organization and the board?
Evidence
-One single image of Jean's hard drive from the computer in question
Process
Once given the disk image of Jean's computer, a full read and analysis of it was needed to understand what may have happened. This can be achieved using tools such as:
1. Autopsy by Sleuthkit
2. EnCase
3. FTK Imager
The purpose of using one of these tools is to gain as much access as possible to the drive in order to piece together the case and the steps of what may have happened. These tools allow the disk image to be read while maintaining proper chain of custody and evidence integrity, because the data collected is not altered by the examination. Since this case had not reached criminal prosecution or law enforcement engagement, keeping the evidence and chain of custody as clean as possible is not strictly necessary, but it is good practice and allows the findings to be presented to the board member in the most professional manner possible. The tool I focused on for this investigation was Autopsy by Sleuthkit. It ingested the data into a clean graphical interface that allowed quick searching and a detailed view of the files and data on the disk image. "Autopsy can process disk images or directories to help you generate an event timeline. It assists you in putting the pieces together and determining what might have caused an incident to happen in the first place." (Teodorovici, 2021). Autopsy generated a timeline that was used to understand what happened to Jean and why she created and sent the file that she did. A hypothesis was formed by looking at the email history, file creation, and other logs on the drive. Seeing when emails were sent and to which addresses allowed a proper analysis of whether Jean was acting criminally or was the victim of an attack.
Hypothesis
The timeline shows that Jean and Alison ran into problems soon after they started using their company email accounts. On 7/19 an email was sent to Jean from an address whose header appeared to match her boss, Alison. This email asked for a file to be created and sent containing employees' Social Security numbers, titles, and salaries. The email was actually sent from tuckgorge@gmail.com and tricked Jean into thinking that it was coming from her boss.
“What does social engineering look like in action? It could look like an email that has been
designed to seem like it is from a credible organization, like your message service or Fed Ex or
even your bank. But if you open it and click on that attachment, you could be installing malware
or ransomware. Or, it could be disguised to look like it comes from someone inside your
organization (like an unusual title such as IT@yourorganization – someone whom you trust). But
if you respond to that email with your username and password, your computer is easily
Based on the evidence found in the email communications, Jean did not maliciously send this file to anyone. She sent the requested file, with entirely good intentions, to what she thought was her boss. She created the file on 7/19 and sent it back, and she received a response from the same email address, which she thought was her boss, thanking her for what she had sent over and asking her not to speak about it because of its sensitivity with the board and the next round of funding.
On 7/20 a programmer asked whether she knew why a competitor had this type of information on its website forum, which launched the investigation into what happened. No one else was involved in this, and Alison herself was unaware that any of it was happening, since her credentials and email account were not the ones used to obtain the spreadsheet.
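As an added illustration (not part of the original report or the Autopsy tool), the following Python script flags the kind of header mismatch described above when triaging emails exported from the image as plain RFC 822 text. The company directory, the m57.biz addresses and both sample messages are constructed assumptions; only tuckgorge@gmail.com comes from the case.

```python
"""Flag display-name spoofing in email headers exported from a disk image.

Added example; not the report's own tooling. The directory, the m57.biz
addresses and the two sample messages are constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Hypothetical company directory: which address each display name belongs to.
DIRECTORY = {
    "Alison Smith": "alison@m57.biz",
    "Jean": "jean@m57.biz",
}

# Constructed sample messages mirroring the case: one spoofed, one genuine.
SAMPLES = [
    "From: Alison Smith <tuckgorge@gmail.com>\r\n"
    "To: Jean <jean@m57.biz>\r\n"
    "Date: Sun, 19 Jul 2020 15:00:00 -0700\r\n"
    "Subject: employee spreadsheet\r\n\r\n"
    "Please send the spreadsheet with names, titles, salaries and SSNs.\r\n",
    "From: Alison Smith <alison@m57.biz>\r\n"
    "To: Jean <jean@m57.biz>\r\n"
    "Date: Mon, 20 Jul 2020 09:00:00 -0700\r\n"
    "Subject: board meeting\r\n\r\n"
    "See you at 10.\r\n",
]


def check_sender(raw_message):
    """Return (display_name, address, reason); reason is None when the
    From header is consistent with the directory, else a short finding."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    expected = DIRECTORY.get(name)
    if expected and addr.lower() != expected.lower():
        return name, addr, "display name belongs to %s but sent from %s" % (expected, addr)
    # A Reply-To pointing somewhere other than the sender is a second warning sign.
    _, reply_addr = parseaddr(msg.get("Reply-To", addr))
    if reply_addr.lower() != addr.lower():
        return name, addr, "Reply-To %s differs from From %s" % (reply_addr, addr)
    return name, addr, None


def triage(raw_messages):
    """List suspicious senders as (date, name, address, reason), oldest first."""
    findings = []
    for raw in raw_messages:
        name, addr, reason = check_sender(raw)
        if reason:
            sent = parsedate_to_datetime(message_from_string(raw)["Date"])
            findings.append((sent.date().isoformat(), name, addr, reason))
    return sorted(findings)
```

Run over every message exported from the mailbox, the sorted output gives a dated list of suspicious senders that can be lined up against the Autopsy timeline.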
Recommendations
Since Jean did not act maliciously in leaking this data, this was a social engineering phishing attack, which is incredibly common in the workplace today. "One of the reasons why phishing is so effective is that it can be hard to recognize; scams are constantly evolving. Phishing attacks also target individuals, rather than IT vulnerabilities. Employees and business owners are only human, and it's easy to fall for a sophisticated phishing scheme. The best chance businesses have to prevent phishing is through education. Teach your teams what to look for and how to recognize a potential phishing attempt." (Heaslip, 2021)
Since phishing attempts are sophisticated and always changing, it is important to educate M.57 about what happened and how to prevent this in the future. Even with the most sophisticated anti-phishing tools in place, ensuring that employees are well trained on potential attacks and how to avoid them is the most important foundation of a well-established security framework. For Jean, the individual who fell victim to the social engineering phishing attack, it may be wise to enroll in robust training to make sure this does not happen again. For the affected employees, the company should provide identity theft protection free of charge for 7 years to help identify whether their information is being used maliciously. Software also needs to be added to the employees' laptops to help stop these attacks; although this was primarily a social engineering phishing attack, filters could be added to identify outgoing content such as:
-SSNs
-Salaries
-Addresses
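As an added example of the filter recommended above (not the report's or M.57's own tooling), this Python snippet scans an outgoing attachment for the three data types listed and decides whether to hold it. The CSV rows are constructed, and the patterns and block rule are assumptions a deployment would tune.

```python
"""Outbound content filter for the kinds of data the report lists.

Added example, not the report's or M.57's own tooling. The CSV rows are
constructed, and the patterns and block rule are assumptions a deployment
would tune (for instance, to allow a payroll system's own transfers).
"""
import csv
import io
import re

# U.S. SSN: excludes invalid area (000, 666, 9xx), group (00) and serial (0000) values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Simple street-address shape: number, capitalised street name, common suffix.
STREET_RE = re.compile(
    r"\b\d{1,5}\s+[A-Z][a-z]+(?:\s[A-Z][a-z]+)*\s(?:St|Ave|Rd|Blvd|Dr|Ln)\.?\b")
SALARY_HEADERS = {"salary", "pay", "compensation", "wage"}

# Constructed sample attachments (not case evidence).
SAMPLE_CSV = (
    "name,title,ssn,salary,address\n"
    "Pat Example,Engineer,123-45-6789,95000,12 Main St\n"
    "Sam Sample,Designer,456-78-9012,88000,400 Ocean Ave\n"
)
CLEAN_CSV = "name,title\nPat Example,Engineer\nSam Sample,Designer\n"


def scan_attachment(text):
    """Count SSNs and street addresses and name any salary-like columns."""
    header = next(csv.reader(io.StringIO(text)), [])
    return {
        "ssn": len(SSN_RE.findall(text)),
        "address": len(STREET_RE.findall(text)),
        "salary_columns": [h for h in header if h.strip().lower() in SALARY_HEADERS],
    }


def should_block(text):
    """Hold the attachment when any SSN, any address, or a salary column is present."""
    found = scan_attachment(text)
    return found["ssn"] > 0 or found["address"] > 0 or bool(found["salary_columns"])
```

The scan runs on the decoded attachment text, so the mail gateway or endpoint agent must extract attachments before applying it.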
The company should also enable policies and tools that will not let an individual share any file unless it is encrypted and sent through the correct tool. This can be done through Microsoft SharePoint, Google Drive, Dropbox, Citrix, and various others. This is a best practice when sending any file, period, and especially files that hold sensitive data, whether employee data or customer data. "Modern-day businesses need to share large files digitally, and in doing so, there always remains a security threat if not done through secure channels. However, not all businesses understand the gravity of the situation as to how fragile the Internet is until they learn it the hard way. According to statistics, more than 4 billion records were exposed globally due to data breaches in mid-2019. Therefore, regulations such as PCI Data Security Standard and HIPAA guide organizations by providing a framework for storage, handling, and safeguarding of their sensitive information." (Acharya, 2020). By using an encrypted file sharing practice, M.57 will have a stronger way to send files, even those sensitive in nature. This, together with employee training and education, will go a long way for the future of the organization and their
References
Acharya, D. (2020, November 13). 11 secure file sharing services to send data privately.
Heaslip, E. (2021, June 16). What is a phishing scam? Guide for protecting your business. https://www.uschamber.com/co/run/technology/phishing-scam-protection-tips
Mitnick, K. (2020, December 1). Social engineering attacks: Common techniques & how to https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack
https://www.softpedia.com/get/Others/Miscellaneous/Autopsy.shtml