Csol 590
Sabrina Toubbeh
Case Background
M57.biz is a web start-up company developing a body art catalog. The company is a virtual
corporation with employees working out of their houses or locations with public internet access
and collaborating with online tools. Most documents are exchanged via email. The company has
A spreadsheet containing confidential information of M57.biz and its employees was posted as
an attachment in the “technical support” forum of a competitor’s website. The spreadsheet file
came from the computer of Chief Financial Officer (CFO) Jean Jones, who is suspected of exfiltrating
the information. Jean Jones claims that the President of M57.biz, Alison Smith, asked for the
spreadsheet to be sent by email to her as part of a new funding round. Alison Smith claims that
she has no idea what Jean is referring to and never asked for such a document to be prepared or
sent to her.
A request was made by a client who is one of the first-round funders to investigate Jean
Jones' computer. Jones willingly and voluntarily agreed to a search of her work computer. A
copy of the disk image from Jean’s laptop was then created using FTK Imager (AccessData,
2017) and given to the forensic examination team for analysis. A copy of the spreadsheet titled
“m57plan.xlxs” was also handed over as evidence. Before the copies were created, all the tools
used to collect and analyze the data were tested and verified. Once access to the equipment was
Legal Concerns
There are two main legal concerns that were considered during this investigation. The
first one was to legally obtain evidence without breaking the Fourth Amendment of the U.S.
Constitution which protects private citizens from unreasonable searches and seizures. Any
evidence obtained through illegal searches is not admissible in a court of law (Morrow, 2020).
However, there are exceptions where a warrant is not required and consent from an individual is
one of them. Because Jean Jones agreed to a search of her computer, our forensic examination
team was able to collect evidence without a warrant and use any findings in court.
The second legal concern revolves around the authenticity and integrity of digital
evidence. As technology advances and becomes more accessible, digital media evidence has
become easier to edit, modify, and alter (Primeau, 2014). Having a complete chain of custody
form, as well as any other accompanying forms and including any visual proof of retrievals, such
as pictures or video, greatly helps prove the authenticity and admissibility of the evidence in the
courtroom.
Chain of Custody
To ensure that the chain of custody was kept intact, I made sure that the evidence given to
me was handled in a manner that did not modify it in any way from the original.
This is necessary because when examining digital evidence, the original file should never be
examined (Primeau, 2014). A copy of the file should be worked on so the original remains
untouched. As stated before, FTK Imager was used to create a copy of the disk image from
Jean’s laptop. FTK Imager creates perfect copies, or forensic images, of computer data without
making changes to the original evidence (Exterro). An MD5 hash was also generated by FTK
Imager which can be used to verify that the image hash and the drive hash match after the image
is created, and that the image has remained unaltered since acquisition. The MD5 hash value of
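The verification step described above, as an added example that is not part of the report: the image is re-hashed in chunks and compared with the digest recorded at acquisition. The byte string used for the self-check is constructed; a real run would point `hash_image` at the image file and take the recorded value from the chain-of-custody form.

```python
# Added example, not from the report: re-hash a forensic image and compare it with the
# digest recorded at acquisition, the check the report describes for FTK Imager's MD5.
import hashlib
import io

CHUNK = 1024 * 1024  # read 1 MiB at a time so a multi-GB image never sits in memory


def hash_stream(fh, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for an open binary stream, read in chunks.

    SHA-256 is computed alongside MD5 because MD5 collisions are practical; recording
    both digests on the custody form makes the integrity claim stronger.
    """
    hashers = {name.lower(): hashlib.new(name.lower()) for name in algorithms}
    for block in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_image(path, algorithms=("md5", "sha256")):
    """Hash the image file at `path` (the .E01 or raw copy of the laptop disk)."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Same routine over an in-memory byte string (used for small self-checks)."""
    return hash_stream(io.BytesIO(data), algorithms)


def verify_hashes(computed, recorded):
    """Compare computed digests with those written on the chain-of-custody form.

    Returns (all_match, details); details keeps both values per algorithm so that a
    mismatch is documented in the report rather than silently discarded.
    """
    details = {}
    for name, expected in recorded.items():
        name = name.lower()
        actual = computed.get(name)
        details[name] = {"recorded": expected.lower(), "computed": actual,
                         "match": actual is not None and actual == expected.lower()}
    return all(d["match"] for d in details.values()), details


if __name__ == "__main__":
    # Constructed stand-in for the image and its acquisition record (not case data).
    sample = b"constructed stand-in for disk image bytes"
    record = hash_bytes(sample, ("md5",))        # value the custody form would carry
    ok, details = verify_hashes(hash_bytes(sample), record)
    print("image unchanged since acquisition:", ok, details)
```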
Based on the nature of the case, analysis of the following will begin on the obtained
● Investigating Jean’s email threads with Alison to determine if Jean is guilty or innocent
● Establishing whether anyone else was involved with the transmission of the spreadsheet
CFO Jean Jones is being investigated for possible corporate espionage and corporate
exfiltration of data.
For forensic investigation, I used the well-known and legally proven software “Autopsy”
to perform analysis of the disk image. As email communication was indicated as the exfiltration
point, I conducted a thorough investigation of Jean’s email threads. Several email messages were
found between Jean Jones and the bad actor pretending to be Alison Smith. Using these email
correspondences, I was able to establish a timeline of events to determine if Jean Jones is guilty.
● 7/19/2008 16:39:57: Jean Jones, the CFO of M57.biz, is contacted from what looks like
Alison Smith’s corporate email. The bad actor spoofed Alison’s email address
(alison@m57.biz) to ask Jean to send a spreadsheet of the names of each employee, their
current salary, social security numbers, and to not speak about the request to anyone.
● 7/19/2008 16:44: Jean Jones responds “Sure thing” to acknowledge the request for the
spreadsheet.
● 7/19/2008 18:22:45: The bad actor emails Jean again adding a false sense of urgency to
● 7/19/2008 18:27:42: Jean Jones opens the spreadsheet file “m57biz.xls” on her laptop.
● 7/19/2008 18:28:00: Jean responds to the email with the spreadsheet file attached. The
(alison@m57.biz).
● 7/19/2008 22:03:40: The bad actor responds to Jean thanking her and to not speak about
Analysis Results
xy.dreamhost.com domain which was used to spoof Alison’s email address. The screenshot of
the email is evidence that someone was pretending to be Alison. And when Jean sent the email
reply with the spreadsheet attached, it got sent to the xy.dreamhost.com domain which was then
posted on a competitor’s public-facing website. The xy.dreamhost.com domain is a website that
anyone with internet access can use to spoof legitimate email addresses to carry out a phishing
attack, which is a type of social engineering where an attacker sends a fraudulent message
designed to trick a human victim into revealing sensitive information to the attacker.
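The header mismatch described above, as an added example that is not part of the report: a message that displays alison@m57.biz as sender but whose Return-Path and originating relay point at xy.dreamhost.com. The raw message below is constructed for illustration, not the case evidence, and the addresses and relay names in it are assumptions.

```python
# Added example, not from the report: flag a displayed sender (From:) that does not
# agree with the envelope sender (Return-Path) or the originating relay (Received).
# The sample message is constructed; it is not the evidence from Jean's mailbox.
import email
import re
from email import policy
from email.utils import parseaddr

SAMPLE_MESSAGE = """\
Return-Path: <noreply@xy.dreamhost.com>
Received: from xy.dreamhost.com (xy.dreamhost.com [192.0.2.10])
        by mail.m57.biz with ESMTP; Sat, 19 Jul 2008 16:39:57 -0700
From: Alison Smith <alison@m57.biz>
To: Jean Jones <jean@m57.biz>
Subject: Please send the spreadsheet

Jean, I need the employee spreadsheet today. Please keep this between us.
"""


def address_domain(header_value):
    """Domain part of the first address in a header, lower-cased, or None."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() or None


def relay_domain(received_header):
    """Host named in the 'from <host>' clause of a Received header, or None."""
    m = re.match(r"\s*from\s+([A-Za-z0-9.-]+)", received_header or "")
    return m.group(1).lower() if m else None


def spoof_indicators(raw_message):
    """Return findings (strings) suggesting the displayed sender is not the real origin."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = address_domain(msg["From"])
    findings = []
    rp_dom = address_domain(msg["Return-Path"])
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    # Received headers are prepended by each hop, so the last one is closest to the origin.
    received = msg.get_all("Received") or []
    if received:
        origin = relay_domain(received[-1])
        if origin and from_dom and not origin.endswith(from_dom):
            findings.append(f"Origin relay {origin} is not under From domain {from_dom}")
    return findings


if __name__ == "__main__":
    for finding in spoof_indicators(SAMPLE_MESSAGE):
        print("INDICATOR:", finding)
```

Display-name and address checks like these are what a mail gateway's SPF/DMARC evaluation automates; here they are applied after the fact to headers recovered from the disk image.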
Conclusion
It is my expert opinion that Jean was a victim of a spear phishing attack. I conclude that
Jones was not complicit in the exfiltration of confidential information. This is due to the
following reasons:
1. For most non-technical users, the file looks to be requested by Alison and sent to Alison
3. Jean redacted portions of the email messages at the request of the attacker which made it
I believe M57 should implement a security awareness program for all employees.
Training should be required annually as a refresher for all employees, and again if a serious incident
occurs where human error was the cause. Security awareness training will cover the importance
of compliance for employees and for the company, where they can go for guidance, and how to
report compliance issues. Training will also give employees the opportunity to learn new skills
that can help them in their personal lives. This will give them a sense of ownership which
their expectations, how to achieve them, and what the consequence is for failure to adhere to
I believe an investigation should be started to identify the owner and location of the email
address tuckgorge@gmail.com, and that subpoenas should be sent to both Google and the web hosting
provider DreamHost to assist with the investigation to identify the person behind the
References:
Morrow, S. (2020, September 29). Know your rights: Can you be searched without a warrant?
https://www.legalzoom.com/articles/know-your-rights-can-you-be-searched-without-a-warrant
Primeau, E. (2014, October 27). Blindspot Episode 7: Importance of the Chain of Custody for
https://www.primeauforensics.com/7-importance-of-the-chain-of-custody-for-digital-media-evidence/
Exterro. FTK Imager. https://www.exterro.com/ftk-imager