590 WK
Nicholas Wicker
Table of Contents
Abstract
Section 1. Information
Section 2. Background
Section 3. Questions Relevant to the Case
Section 4. Hardware and Software Utilized
4.1 Hardware
4.2 Operating System
4.3 Hypervisor
4.4 Testing Applications
4.5 Forensic Analysis
4.6 PST Viewer
Section 5. Presentation of Evidence
Section 6. Legal Concerns
Section 7. Examination Details
Section 8. Timeline of Events
Section 9. Observations
Section 10. Conclusion
Section 11. Chain of Custody
Section 12. Generated Material
References
Abstract
This is a digital forensic report, which provides an analysis of a disk image to identify the cause
unauthorized external recipient. The accused party claims that they were requested to send the
document via email to the recipient, who denies such a request. This report details the forensic
Section 1. Information
Section 2. Background
M57.biz is a web start-up virtual corporation developing a body art catalog. The company
currently has 10 employees and comprises programmers, marketing, and business development
In a remote work environment, the programmers work from their homes and
communicate via daily online chat sessions with one weekly in-person meeting, usually at a park.
The marketing and BizDev personnel work out of hotels and cafés while on the road and meet
in-person every two weeks. Most of the company documentation and correspondence is
exchanged by email.
an attachment in the “technical support” forum of a competitor’s website. This document was
4) What are the stipulations to user account settings (i.e.: login name, password, etc.)
4.1 Hardware
MacBook Air
4.3 Hypervisor
Kali Linux v5.10.0 (digital forensic, network security, and penetration testing applications)
The evidence in this case was provided to the forensic team for analysis. The image of
the hard drive was provided in the EnCase Image File Format (eXX) as shown in
figure 1. There are two files for this case, each with a header containing case information, then a
series of data blocks with cyclic redundancy checks (CRC), and finally an MD5 and SHA-1 check sum-
Figure 3. File m57biz.xls with the timestamp of last modified in the desktop of Jean disk image
Digital evidence admissibility in court requires that the evidence be authentic, accurate,
complete, and convincing to the juror. However, the challenges of bridging the gap between the
judiciary, law enforcement agencies, forensic investigators, and expert witnesses have been a
major issue due to the lack of a robust cybercrime legal framework. Additionally, the issues of
implementing and enforcing the laws, and of applying the rule of law, are also a major determinant in
The Fourth Amendment allows protection against unreasonable search and seizure. The
Fifth Amendment allows for protection against self-incrimination. Although the amendments
were made before there were problems caused by people misusing computers, the principles in
them apply to how computer forensics is practiced. Therefore, Federal Rule of Evidence 702 can be applied
i. the expert’s scientific, technical, or other specialized knowledge will help the trier of fact
iii. the testimony is the product of reliable principles and methods; and
iv. the expert has reliably applied the principles and methods to the facts of the case.
(public, private, VPN), personal laptops, and other mobile devices might be out of date regarding
competence, and certified investigators are major factors. Similarly, the challenge of using
obsolete tools or outdated company policies and procedures can affect the evidence. Further, lack
Second, anyone concerned with computer forensics must know how three U.S. statutory
laws affect them (US-CERT, 2008). The Stored Wired and Electronic Communications Act is
The chain of custody was kept intact as the files were authenticated via hashing
algorithms. All evidence items are controlled and safeguarded by the investigator and require
The evidence, in this case, was always handled in a controlled manner. The software
utilized during analysis does not alter or modify any data in any form. Also, cryptographic
hashes were assigned to the disk image and verified in the FTK application before further
The interviews of both Alison and Jean led the analysis to focus on the emails in Jean's
disk image. While Alison states that she did not request the file to be sent to her via email, Jean
contradicts this in her interview by saying she was asked to send the file. Using FTK, I was
able to locate the email personal storage table (.pst) of Jean's user profile, seen in figure 4. An
exported copy of the .pst was then loaded into GoldFynch eDiscovery PST Viewer, seen in figure 5.
This application allows the .pst file to be viewed, displaying the following folders: Deleted
Utilizing GoldFynch PST Viewer, a careful review of emails received (Inbox) and sent
(Sent Items) was completed. Using the date and timestamps of these emails, the following events
were identified:
Email no.1
Email no.2
Email no.3
Email no.4
Email no.5a
Email no.5b
Email no.6
Email no.7
Email no.8
Email no.9
Email no.10
Section 9. Observations
Jean's inbox showed that she was receiving multiple spam messages daily, duplicates in some
instances. These emails could lead a user who is not knowledgeable about
cyber threats to become a victim of spoofing. Other than the email messages, I also reviewed web
searches, chats, saved documents, and other folders and file paths with no suspicious or
The key element to this event is the email from Jean to Alison which asks about the
alex@m57.biz email address before any communication comes from that address according to
After a thorough analysis of the disk image and review of the contents mentioned
throughout this report, Jean did breach her duty to safeguard sensitive corporate data.
However, based on analysis of the context of the emails, she was a victim of spoofing and did not
intentionally send the "m57biz.xls" file to an external source or purposely release confidential
- use a virtual private network (VPN) when connecting to public networks (internet)
- staff IT with cybersecurity knowledge to help implement safeguards due to the nature
- provide training in cyber awareness and best practices when handling business-sensitive data
- enforce credential complexity (passwords are not complex and could be vulnerable to brute-force attacks)
- Files nps-2008-jean.E01 and nps-2008-jean.E01 (figure 1) were received for disk image analysis.
- Disk image created and both MD5 and SHA-1 hashes validated (figure 2).
document exfiltration.
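The hash validation step listed above (and the custody paragraph in Section 6, where the image hashes were verified in FTK before analysis) can be carried out outside a forensic suite as well. The following Python is an added example and not part of the report: the sample image bytes, the file name, the handler name and the `hash_image`/`verify_image` functions are constructed for illustration, and the MD5/SHA-1 values "recorded at acquisition" are assumed to have been logged when the image was received.

```python
"""Recompute MD5 and SHA-1 over an acquired disk image and compare them with the
values recorded at acquisition, producing a chain-of-custody entry.
Added example, not the report's own code."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-GB images do not exhaust memory


def hash_image(path):
    """Return {'md5': ..., 'sha1': ...} hex digests of the file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(path, expected, handler):
    """Compare recomputed hashes with the acquisition record and return a custody
    entry (who, when, digests, verified). Both algorithms must match."""
    actual = hash_image(path)
    ok = all(actual[alg] == expected[alg].lower() for alg in ("md5", "sha1"))
    return {
        "file": os.path.basename(path),
        "checked_by": handler,
        "checked_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "md5": actual["md5"],
        "sha1": actual["sha1"],
        "verified": ok,
    }


def demo():
    """Constructed sample: a small stand-in image is hashed at 'acquisition', verified
    intact, then verified again after one byte is altered. Returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample-image.E01")  # constructed name, not the case file
        with open(path, "wb") as fh:
            fh.write(b"EVF\x09\x0d\x0a\xff\x00" + bytes(range(256)) * 64)
        recorded = hash_image(path)  # values logged when the image was received
        intact = verify_image(path, recorded, "examiner")
        with open(path, "r+b") as fh:  # simulate a single altered byte at offset 100
            fh.seek(100)
            fh.write(b"\x00")
        tampered = verify_image(path, recorded, "examiner")
    return intact["verified"], tampered["verified"]


if __name__ == "__main__":
    print(demo())  # (True, False)
```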
References
LII Staff. (2019, December 18). Rule 702. Testimony by Expert Witnesses. Retrieved December
Ofori, A., & Akoto, D. (2020, May 29). Digital Forensics Investigation Jurisprudence: Issues of
https://www.heraldopenaccess.us/openaccess/digital-forensics-investigation-jurisprudence-issues-of-admissibility-of-digital-evidence
cert.cisa.gov/sites/default/files/publications/forensics.pdf