
Computer Forensic Examination Report

Sabrina Toubbeh

University of San Diego

CSOL 590 - Cyber Incident Resp/Forensics

Professor John Fincannon

December 13, 2021


Case Background

M57.biz is a web start-up company developing a body art catalog. The company is a virtual corporation with employees working out of their houses or locations with public internet access and collaborating with online tools. Most documents are exchanged via email. The company has a current staff of nine people.

A spreadsheet containing confidential information of M57.biz and its employees was posted as an attachment in the “technical support” forum of a competitor’s website. The spreadsheet file came from the computer of Chief Financial Officer (CFO) Jean Jones, who is suspected of exfiltrating the information. Jean Jones claims that the President of M57.biz, Alison Smith, asked for the spreadsheet to be sent to her by email as part of a new funding round. Alison Smith claims that she has no idea what Jean is referring to and never asked for such a document to be prepared or sent to her.

Questions Relevant to the Case

● When did Jean create this spreadsheet?

● How did it get from her computer to the competitor’s website?

● Who else, if anyone, from the company is involved?

Collection and Transportation of Evidence

A request was made by a client who is one of the first-round funders to investigate Jean Jones’ computer. Jones willingly and voluntarily agreed to a search of her work computer. A copy of the disk image from Jean’s laptop was then created using FTK Imager (AccessData, 2017) and given to the forensic examination team for analysis. A copy of the spreadsheet titled “m57plan.xlxs” was also handed over as evidence. Before the copies were created, all the tools used to collect and analyze the data were tested and verified. Once access to the equipment was granted, a chain of custody was established to preserve the evidence.

Legal Concerns

There are two main legal concerns that were considered during this investigation. The first one was to legally obtain evidence without breaking the Fourth Amendment of the U.S. Constitution, which protects private citizens from unreasonable searches and seizures. Any evidence obtained through illegal searches is not admissible in a court of law (Morrow, 2020). However, there are exceptions where a warrant is not required, and consent from an individual is one of them. Because Jean Jones agreed to a search of her computer, our forensic examination team was able to collect evidence without a warrant and use any findings in court.

The second legal concern revolves around the authenticity and integrity of digital evidence. As technology advances and becomes more accessible, digital media evidence has become easier to edit, modify, and alter (Primeau, 2014). Having a complete chain of custody form, as well as any other accompanying forms, including any visual proof of retrievals such as pictures or video, greatly helps prove the authenticity and admissibility of the evidence in the courtroom.

Chain of Custody

To ensure that the chain of custody was kept intact, I made sure that the evidence given to me was handled in a manner that did not modify it in any way from the original. This is necessary because when examining digital evidence, the original file should never be examined (Primeau, 2014). A copy of the file should be worked on so the original remains untouched. As stated before, FTK Imager was used to create a copy of the disk image from Jean’s laptop. FTK Imager creates perfect copies, or forensic images, of computer data without making changes to the original evidence (Exterro). An MD5 hash was also generated by FTK Imager, which can be used to verify that the image hash and the drive hash match after the image is created, and that the image has remained unaltered since acquisition. The MD5 hash value of the image created from Jean’s laptop: 78a52b5bac78f4e711607707ac0e3f93.
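The verification step described above, as an added example that is not part of this report or of FTK Imager: the image is re-hashed in chunks and compared with the recorded acquisition hash, and a SHA-256 digest is computed in the same pass so a stronger value can accompany the MD5 in the custody record. The file hashed here is constructed random data, not the case image.

```python
import hashlib
import hmac
import os
import tempfile

def hash_image(path, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash a disk image in fixed-size chunks so multi-GB images fit in memory.

    Returns {algorithm: lowercase hex digest}. MD5 is what the acquisition tool
    recorded in this case; SHA-256 is added because MD5 collisions are practical.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(path, recorded_md5):
    """Compare the image's current MD5 with the value recorded at acquisition.

    Case-insensitive (tools print hex in either case). A mismatch means the
    copy must not be analysed until the discrepancy is explained and documented.
    """
    digests = hash_image(path)
    ok = hmac.compare_digest(digests["md5"], recorded_md5.strip().lower())
    return ok, digests

def demo():
    """Self-check on a constructed image (random bytes, not the case image)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(2 * 1024 * 1024 + 17))  # not a chunk multiple
        path = tmp.name
    try:
        recorded = hash_image(path)["md5"]  # stands in for the acquisition hash
        ok_before, _ = verify_image(path, recorded.upper())
        with open(path, "r+b") as fh:  # flip one bit to simulate an alteration
            fh.seek(4096)
            original = fh.read(1)
            fh.seek(4096)
            fh.write(bytes([original[0] ^ 0x01]))
        ok_after, _ = verify_image(path, recorded)
        return ok_before, ok_after  # (True, False)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(demo())
```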

Evidence to Search For

Based on the nature of the case, analysis of the following will begin on the obtained copy of the disk image of Jean Jones’ laptop:

● When the spreadsheet file “m57biz.xls” was created

● Investigating Jean’s email threads with Alison to determine whether Jean is guilty or innocent

● Establishing whether anyone else was involved in the transmission of the spreadsheet

List of Criminal Offenses

CFO Jean Jones is being investigated for possible corporate espionage and corporate exfiltration of data.

Forensic Examination of Evidence

For forensic investigation, I used the well-known and legally proven software “Autopsy” to perform analysis of the disk image. As email communication was indicated as the exfiltration point, I conducted a thorough investigation of Jean’s email threads. Several email messages were found between Jean Jones and the bad actor pretending to be Alison Smith. Using these email correspondences, I was able to establish a timeline of events to determine if Jean Jones is guilty.

● 7/19/2008 16:39:57: Jean Jones, the CFO of M57.biz, is contacted from what looks like Alison Smith’s corporate email. The bad actor spoofed Alison’s email address (alison@m57.biz) to ask Jean to send a spreadsheet of the names of each employee, their current salary, and social security numbers, and to not speak about the request to anyone.

● 7/19/2008 16:44: Jean Jones responds “Sure thing” to acknowledge the request for the spreadsheet.

● 7/19/2008 18:22:45: The bad actor emails Jean again, adding a false sense of urgency to send the spreadsheet over. User tuckergorge@gmail.com originated from the xy.dreamhostps.com domain, which was used to spoof Alison’s email address.

● 7/19/2008 18:27:42: Jean Jones opens the spreadsheet file “m57biz.xls” on her laptop.

● 7/19/2008 18:28:00: Jean responds to the email with the spreadsheet file attached. The email gets sent to tuckgorge@gmail.com, which shows up as Alison’s email address (alison@m57.biz).

● 7/19/2008 22:03:40: The bad actor responds to Jean, thanking her and asking her not to speak about the email correspondence to anyone.

Analysis Results

My findings show that user tuckergorge@gmail.com originated from the xy.dreamhost.com domain, which was used to spoof Alison’s email address. The screenshot of the email is evidence that someone was pretending to be Alison. And when Jean sent the email reply with the spreadsheet attached, it got sent to the xy.dreamhost.com domain and was then posted on a competitor’s public-facing website. The xy.dreamhost.com domain is a website that anyone with internet access can use to spoof legitimate email addresses to carry out a phishing attack, which is a type of social engineering where an attacker sends a fraudulent message designed to trick a human victim into revealing sensitive information to the attacker.
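The header check that underlies the timeline and the analysis above, written as an added example (not part of this report and not Autopsy output): the displayed From address is compared with the Reply-To, Return-Path and originating Received hop, which is how a reply that appears to go to Alison can be shown to route elsewhere. The message below is a constructed sample that reuses the addresses the report names (alison@m57.biz, tuckergorge@gmail.com, simsong@xy.dreamhostps.com); it is not the recovered evidence.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the report's findings, not the real evidence:
# the visible From: is the President's address, while Reply-To and Return-Path
# point at the mailbox and host the report attributes to the attacker.
SAMPLE_EML = """\
Return-Path: <simsong@xy.dreamhostps.com>
Received: from xy.dreamhostps.com by mail.m57.biz with SMTP; Sat, 19 Jul 2008 18:22:45 -0700
From: Alison Smith <alison@m57.biz>
Reply-To: tuckergorge@gmail.com
To: Jean Jones <jean@m57.biz>
Subject: Re: spreadsheet
Date: Sat, 19 Jul 2008 18:22:45 -0700

Please send it right away.
"""

def domain_of(addr):
    """Lower-cased domain part of an address (display names tolerated)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def analyze_headers(raw):
    """Compare the header a user sees (From) with the ones that route the mail.

    Returns the parsed addresses plus a list of findings; an empty list means
    the routing headers are consistent with the displayed sender.
    """
    msg = message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    from_dom = domain_of(from_addr)
    findings = []
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To {reply_to} is outside {from_dom}: "
                        "replies and attachments go to a third party")
    if return_path and domain_of(return_path) != from_dom:
        findings.append(f"Return-Path {return_path} is outside {from_dom}: "
                        "the envelope sender is on another mail system")
    # Received: headers are prepended per hop, so the last one is the origin.
    received = msg.get_all("Received") or []
    if received:
        tokens = str(received[-1]).split()
        origin = tokens[tokens.index("from") + 1].lower() if "from" in tokens else ""
        if origin and not origin.endswith(from_dom):
            findings.append(f"Originating host {origin} is outside {from_dom}")
    return {"from": from_addr, "reply_to": reply_to,
            "return_path": return_path, "findings": findings}
```

Run against the sample, all three checks fire; a genuine internal message whose Return-Path and originating hop sit in m57.biz produces no findings.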

Conclusion

It is my expert opinion that Jean was a victim of a spear phishing attack. I conclude that Jones was not complicit in the exfiltration of confidential information. This is due to the following reasons:

1. For most non-technical users, the file looks to be requested by Alison and sent to Alison.

2. Jean is not purported to be an expert in technology but has a background in accounting.

3. Jean redacted portions of the email messages at the request of the attacker, which made it harder to detect the data exfiltration and react faster.

Recommendation Based on Evidence

I believe M57 should implement a security awareness program for all employees. Training should be required annually as a refresher for all employees, and again if a serious incident occurs where human error was the cause. Security awareness training will cover the importance of compliance for employees and for the company, where they can go for guidance, and how to report compliance issues. Training will also give employees the opportunity to learn new skills that can help them in their personal lives. This will give them a sense of ownership, which encourages support of the compliance program. Training is necessary so employees understand what is expected of them, how to achieve it, and what the consequences are for failure to adhere to those expectations. This eliminates any surprises, thus protecting M57.biz.

I believe an investigation should be started to identify the owner and location of the email address tuckgorge@gmail.com, and that a subpoena should be sent to both Google and the web hosting provider DreamHost to assist with the investigation to identify the person behind the return path simsong@xy.dreamhostps.com.


References:

Morrow, S. (2020, September 29). Know your rights: Can you be searched without a warrant? LegalZoom. Retrieved December 8, 2021, from https://www.legalzoom.com/articles/know-your-rights-can-you-be-searched-without-a-warrant

Primeau, E. (2014, October 27). Blindspot Episode 7: Importance of the Chain of Custody for Digital Media Evidence. Primeau Forensics. Retrieved December 8, 2021, from https://www.primeauforensics.com/7-importance-of-the-chain-of-custody-for-digital-media-evidence/

Exterro. FTK Imager. https://www.exterro.com/ftk-imager
