
Computer Forensic Examination Report:

Case of M57.Biz Corporate Document Exfiltration

Nicholas Wicker

Program of Cyber Security Operations & Leadership, University of San Diego

CSOL 590-05-FA21: Cyber Incident Response & Forensics

Professor John Fincannon

December 13, 2021



Table of Contents
Abstract
Section 1. Information
Section 2. Background
Section 3. Questions Relevant to the Case
Section 4. Hardware and Software Utilized
4.1 Hardware
4.2 Operating System
4.3 Hypervisor
4.4 Testing Applications
4.5 Forensic Analysis
4.6 PST Viewer
Section 5. Presentation of Evidence
Section 6. Legal Concerns
Section 7. Examination Details
Section 8. Timeline of Events
Section 9. Observations
Section 10. Conclusion
Section 11. Chain of Custody
Section 12. Generated Material
References

Abstract

This digital forensic report presents the analysis of a disk image to identify how a business-sensitive document was exfiltrated and ended up in the hands of an unauthorized external recipient. The accused party claims that she was asked to send the document by email to the recipient, who denies making such a request. The report details the forensic analysis of the accused's disk image, with particular attention to her emails.

Section 1. Information

Investigator: Alison Smith, President, M57.biz

Digital Forensics Examiner: Nicholas Wicker, Student, USD CSOL Program

Subject: Digital Forensics Examination Report

Offense: Business Sensitive Document Exfiltration

Accused: Jean Jones, Chief Financial Officer (CFO)

Date of Request: Tuesday, December 7, 2021

Date of Conclusion: Monday, December 13, 2021

Section 2. Background

M57.biz is a web start-up virtual corporation developing a body art catalog. The company currently has 10 employees, comprising programmers, marketing, and business development (BizDev) personnel, all of whom work remotely.

The programmers work from their homes and communicate through daily online chat sessions, with one weekly in-person meeting, usually at a park. The marketing and BizDev personnel work out of hotels and cafés while on the road and meet in person every two weeks. Most company documentation and correspondence is exchanged by email.

A spreadsheet containing sensitive personally identifiable information (PII) was posted as an attachment in the "technical support" forum of a competitor's website. The document had been created by Jean Jones, the company CFO.

Section 3. Questions Relevant to the Case

1) How did the document end up on the competitor's website?

2) On what date was the file created?

3) Are any other known files missing or compromised?

4) What are the user account settings on the system (e.g., login name, password)?

5) Are others from the company involved?

Section 4. Hardware and Software Utilized

4.1 Hardware

MacBook Air

4.2 Operating System

macOS Monterey v12.0.1

4.3 Hypervisor

VMware Fusion v12.2.1

4.4 Testing Applications

Kali Linux (Linux kernel 5.10.0), providing digital forensic, network security, and penetration testing applications

4.5 Forensic Analysis

AccessData Forensic Tool Kit (FTK) Imager v4.5.0.3



4.6 PST Viewer

GoldFynch e-Discovery PST viewer

Section 5. Presentation of Evidence

The evidence in this case was provided to the forensic team for analysis. The hard drive image was provided in EnCase Evidence File format (.E01, with continuation segments numbered .E02 and upward), as shown in figure 1. The two segment files for this case each begin with a header carrying case information, followed by a series of data blocks each protected by a checksum (a CRC in EnCase terminology); the image closes with the stored acquisition hash of the imaged data. FTK Imager recomputed MD5 and SHA-1 over the imaged data and compared them with the stored values, as seen in figure 2.

Figure 1. EnCase evidence files

Figure 2. Hash verification results

Figure 3. File m57biz.xls on the Desktop of Jean's disk image, showing its last-modified timestamp

Section 6. Legal Concerns

Digital evidence is admissible in court only if it is authentic, accurate, complete, and convincing to the trier of fact. However, bridging the gap between the judiciary, law enforcement agencies, forensic investigators, and expert witnesses has been a major challenge because of the lack of a robust cybercrime legal framework. Implementing and enforcing the laws, and applying the rule of law consistently, is likewise a major determinant of sound legal proceedings (Ofori & Akoto, 2020).

The Fourth Amendment protects against unreasonable search and seizure, and the Fifth Amendment protects against self-incrimination. Although the amendments predate the problems caused by people misusing computers, their principles govern how computer forensics is practiced. Expert testimony about digital evidence is governed by Federal Rule of Evidence 702: a witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:

i. the expert's scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;

ii. the testimony is based on sufficient facts or data;

iii. the testimony is the product of reliable principles and methods; and

iv. the expert has reliably applied the principles and methods to the facts of the case.

(LII Staff, 2019)

Technical factors also bear on legality: the form of the network (public, private, VPN), personal laptops, and other mobile devices may be behind on security updates, or may already be compromised and vulnerable. Lack of expertise, technical competence, and certified investigators are major factors. Similarly, the use of obsolete tools or outdated company policies and procedures can affect the evidence, as can the absence of reporting and information-sharing platforms that create awareness of the threat landscape, vulnerabilities, risks, and impact (Ofori & Akoto, 2020).

Anyone concerned with computer forensics must also know how three U.S. statutory laws affect their work (US-CERT, 2008). Among them, the Stored Wire and Electronic Communications Act forms part of what is commonly called the Electronic Communications Privacy Act (ECPA).

The integrity of the evidence files was verified by cryptographic hashing, and the chain of custody (Section 11) was maintained throughout. All evidence items are controlled and safeguarded by the examiner, and credentials are required to access the hardware and software used.

The evidence in this case was always handled in a controlled manner. The analysis software opens the image read-only and does not write to the evidence image, and the .pst file was examined from an exported copy rather than in place. MD5 and SHA-1 hashes of the disk image were verified in FTK Imager before any further analysis was conducted (see figure 2).
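The integrity check and custody record described above can be scripted so that every receipt and re-verification is logged the same way. The Python below is an added example, not part of the original examination and not FTK Imager's own code: it streams a file through MD5 and SHA-1, compares the digests with the values recorded on the evidence receipt, and emits a chain-of-custody record. The "evidence file" it creates is constructed, and the examiner name and receipt digests are placeholders. One caveat worth keeping in mind: hashing the .E01 container file as received fingerprints the file for the custody log, but that value is not the acquisition hash stored inside the E01, which is computed over the imaged disk data and is what FTK Imager's verification in figure 2 compares.

```python
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads: a multi-GB image never has to fit in memory


def hash_stream(fh, algorithms=("md5", "sha1")):
    """Stream a binary file object once and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=("md5", "sha1")):
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def hash_bytes(data, algorithms=("md5", "sha1")):
    return hash_stream(io.BytesIO(data), algorithms)


def verify_evidence(path, expected):
    """Compare computed digests with those recorded on the evidence receipt.
    `expected` maps algorithm name to hex digest. Returns (ok, computed)."""
    computed = hash_file(path, tuple(expected))
    ok = all(computed[alg] == expected[alg].lower() for alg in expected)
    return ok, computed


def custody_entry(examiner, action, path, digests, verified, when=None):
    """One chain-of-custody record, serialisable to JSON for the case file."""
    when = when or datetime.now(timezone.utc)
    return {
        "timestamp": when.isoformat(timespec="seconds"),
        "examiner": examiner,
        "action": action,
        "file": os.path.basename(path),
        "digests": digests,
        "verified": verified,
    }


def sample_roundtrip(examiner="Examiner (placeholder)"):
    """Constructed demonstration: write a stand-in evidence file, verify it
    against 'receipt' digests, then flip one byte and verify again.
    Returns (ok_before, ok_after, custody_log)."""
    log = []
    with tempfile.TemporaryDirectory() as tmp:
        # Name only; the content is constructed bytes, not a real E01 image.
        path = os.path.join(tmp, "sample-evidence.E01")
        payload = b"constructed sample data, not a disk image\n" * 1000
        with open(path, "wb") as fh:
            fh.write(payload)
        receipt = hash_bytes(payload)  # stands in for the digests on the receipt
        ok_before, digests = verify_evidence(path, receipt)
        log.append(custody_entry(examiner, "received; integrity verified",
                                 path, digests, ok_before))
        with open(path, "r+b") as fh:  # simulate corruption or tampering
            fh.seek(10)
            fh.write(b"X")
        ok_after, digests = verify_evidence(path, receipt)
        log.append(custody_entry(examiner, "re-verified after modification",
                                 path, digests, ok_after))
    return ok_before, ok_after, log


if __name__ == "__main__":
    before, after, entries = sample_roundtrip()
    print(json.dumps(entries, indent=2))
    print("intact:", before, "| after tampering:", after)
```

For a real case, the receipt digests come from the acquisition paperwork and the custody records are appended to a case file rather than printed; keeping the verification and the log entry in one function ensures no evidence file is opened for analysis without a recorded check.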

Section 7. Examination Details

The interviews of both Alison and Jean led the analysis to focus on the emails in Jean's disk image. Alison states that she did not request that the file be sent to her via email, while Jean contradicts this, saying that she was asked to send it. Using FTK Imager, I located the Outlook personal storage table (.pst) file in Jean's user profile (figure 4). An exported copy of the .pst was then loaded into the GoldFynch eDiscovery PST Viewer (figure 5), which displays the following folders: Deleted Items, Inbox, Outbox, and Sent Items.



Figure 4. .pst file location

Figure 5. GoldFynch PST Viewer with Jean’s .pst file imported

Section 8. Timeline of Events

Using the GoldFynch PST Viewer, a careful review of the emails received (Inbox) and sent (Sent Items) was completed. Based on the dates and timestamps of these emails, the following events were identified:

Email No. / Date / Time (as displayed by the PST viewer) / Analysis Comment

1. Jul 6, 2008, 12:25 - First email identified, from Alison ("AlisonM57" <alison@m57.biz>) to <jean@m57.biz>. Subject: business plan.

2. Jul 19, 2008, 16:33 - Suspicious email from user "alex" <alex@m57.biz> sent to "Jean User" <jean@m57.biz> and <alison@m57.biz>. The From address differs from the one in item 1, and the sender also added Alison's address to the recipients.

3. Jul 19, 2008, 16:39 - First request for sensitive information ("background checks") sent to Jean from <alison@m57.biz>.

4. Jul 19, 2008, 16:43 - An email from "alex" <alison@m57.biz> replies to Jean about an email misconfiguration. Again, the sender name shown is Alex, not Alison.

5a. Jul 19, 2008, 18:22 - Email from "alison@m57.biz" <tuckgorge@gmail.com> to <jean@m57.biz> requesting business-sensitive employee information. This is the first appearance of Tuck Gorge, the likely attacker, using Alison's address as a display name to spoof Alison to Jean.

5b. (same message as 5a) - Header information showing From: tuckgorge@gmail.com (alison@m57.biz).

6. Jul 19, 2008, 18:28 - "Jean User" <jean@m57.biz> sends the m57biz.xls file to "alison@m57.biz" <tuckgorge@gmail.com>.

7. Jul 19, 2008, 22:03 - The Tuck Gorge alias confirms receipt of the sensitive information.

8. Jul 20, 2008, 16:47 - "AlisonM57" <alison@m57.biz> emails Jean that something very strange is going on.

9. Jul 20, 2008, 16:53 - Employee Bob (programmer) emails Jean about his SSN being posted on the internet.

10. Jul 20, 2008, 17:11 - Bob follows up with another email to Jean about his SSN and salary being evidence in a court of law.
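The pattern in emails 5a/5b and 6 (a From or To mailbox whose display name reads alison@m57.biz while the real address is tuckgorge@gmail.com) is easy to miss in a mail client or viewer that shows only the display name. The following Python script is an added example, not part of the original examination: it sorts exported messages into a timeline and flags that masquerade pattern on both senders and recipients. The messages it runs on are constructed to mirror emails 1, 2, 5a and 6 above (subjects, bodies and time zone are invented), the internal domain m57.biz is assumed, and the mailbox splitter is deliberately simple rather than a full RFC 5322 parser, so that its treatment of the "address-as-display-name" trick is explicit.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime

INTERNAL_DOMAIN = "m57.biz"  # assumed: the company's own mail domain

# 'Display Name <addr>' or '"Display Name" <addr>'
ANGLE_RE = re.compile(r'^\s*"?(?P<name>[^"<>]*?)"?\s*<(?P<addr>[^<>\s]+@[^<>\s]+)>\s*$')
# bare 'addr'
BARE_RE = re.compile(r'^\s*(?P<addr>[^<>\s",]+@[^<>\s",]+)\s*$')


def split_mailbox(value: str):
    """Split one mailbox into (display_name, addr_spec).

    Deliberately simple (no RFC 5322 groups or comments): the display name
    is whatever precedes '<', even when it looks like an email address,
    which is exactly the trick used in email 5a/5b.
    """
    m = ANGLE_RE.match(value)
    if m:
        return m.group("name").strip(), m.group("addr").lower()
    m = BARE_RE.match(value)
    if m:
        return "", m.group("addr").lower()
    raise ValueError(f"unparseable mailbox: {value!r}")


def split_mailbox_list(value: str):
    """Split a To/Cc header on commas (display names containing commas are
    not handled; acceptable for this triage script)."""
    return [split_mailbox(part) for part in value.split(",") if part.strip()]


def masquerade_findings(role: str, name: str, addr: str):
    """Heuristics for a mailbox whose display name impersonates an internal
    user while the real address lies elsewhere."""
    findings = []
    name_l, domain = name.lower(), addr.rsplit("@", 1)[-1]
    if "@" in name_l and name_l != addr:
        findings.append(f"{role}: display name '{name}' is an address but real address is {addr}")
    if INTERNAL_DOMAIN in name_l and domain != INTERNAL_DOMAIN:
        findings.append(f"{role}: display name claims {INTERNAL_DOMAIN} but address is external ({domain})")
    return findings


@dataclass
class TimelineEntry:
    when: datetime
    sender_name: str
    sender_addr: str
    recipients: list
    subject: str
    findings: list = field(default_factory=list)


def build_timeline(raw_messages):
    """Parse raw RFC 822 messages (e.g. exported from the .pst) and return
    entries sorted by Date, each annotated with masquerade findings."""
    entries = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender_name, sender_addr = split_mailbox(msg["From"])
        rcpts = split_mailbox_list(msg.get("To", ""))
        findings = masquerade_findings("sender", sender_name, sender_addr)
        for r_name, r_addr in rcpts:
            findings += masquerade_findings("recipient", r_name, r_addr)
        entries.append(TimelineEntry(
            when=parsedate_to_datetime(msg["Date"]),
            sender_name=sender_name, sender_addr=sender_addr,
            recipients=[a for _, a in rcpts],
            subject=msg.get("Subject", ""), findings=findings))
    return sorted(entries, key=lambda e: e.when)


def _msg(sender, to, date, subject, body):
    return "\n".join([f"From: {sender}", f"To: {to}", f"Date: {date}",
                      f"Subject: {subject}", "", body, ""])


# Constructed sample mirroring emails 1, 2, 5a and 6 of the report's timeline,
# given out of order on purpose. Headers are invented; this is not Jean's mail.
SAMPLE_MESSAGES = [
    _msg("Jean User <jean@m57.biz>", "alison@m57.biz <tuckgorge@gmail.com>",
         "Sat, 19 Jul 2008 18:28:00 -0700", "RE: background checks",
         "Here is the spreadsheet you asked for."),
    _msg("AlisonM57 <alison@m57.biz>", "<jean@m57.biz>",
         "Sun, 06 Jul 2008 12:25:00 -0700", "business plan",
         "Jean, attached is the draft plan."),
    _msg("alison@m57.biz <tuckgorge@gmail.com>", "<jean@m57.biz>",
         "Sat, 19 Jul 2008 18:22:00 -0700", "background checks",
         "Please send me the employee spreadsheet."),
    _msg("alex <alex@m57.biz>", "Jean User <jean@m57.biz>, <alison@m57.biz>",
         "Sat, 19 Jul 2008 16:33:00 -0700", "new address",
         "Testing my new mailbox."),
]

if __name__ == "__main__":
    for e in build_timeline(SAMPLE_MESSAGES):
        flag = ("  !! " + "; ".join(e.findings)) if e.findings else ""
        print(f"{e.when:%Y-%m-%d %H:%M} {e.sender_addr:>22} -> "
              f"{', '.join(e.recipients)} | {e.subject}{flag}")
```

Run against messages exported from the .pst, the two flagged entries are the spoofed request (5a) and Jean's reply carrying the attachment to the external address (6); the sorted output also makes it simple to confirm which message first introduced an address, the question raised in the Observations section.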

[Screenshots of emails no. 1 through no. 10, including the header view no. 5b, follow in the original report.]

Section 9. Observations
Jean's inbox showed that she received multiple spam messages daily, in some instances duplicates. Such messages could lead a user who is not knowledgeable about cyber threats to become a victim of spoofing. Beyond the email messages, I also reviewed web searches, chats, saved documents, and other folders and file paths; no suspicious or malicious activity was identified elsewhere within the disk image.

The key element of this event is the email from Jean to Alison asking about the alex@m57.biz email address, which, according to the contents of the .pst file, precedes any communication from that address.

Section 10. Conclusion

After a thorough analysis of the disk image and review of the contents described throughout this report, Jean did breach her duty to safeguard sensitive corporate data. However, based on the context of the emails, she was the victim of a spoofed sender (an external Gmail address presented with Alison's address as its display name) and did not intentionally send the "m57biz.xls" file to an external source or purposely release confidential data to a person not employed by M57.biz.

To prevent situations such as this from occurring in the future, I recommend that M57.biz consider the following:

 using a virtual private network (VPN) when connecting to public networks while conducting business (a VPN protects traffic in transit on untrusted networks; it does not by itself reveal a spoofed sender address)

 staffing an IT function with cybersecurity expertise to implement safeguards, given the remote workforce and the handling of sensitive personal data

 providing training in cyber awareness and best practices for handling business-sensitive data

 enforcing credential complexity (the passwords found are not complex and could be vulnerable to brute-force attacks)

Section 11. Chain of Custody

Nicholas Wicker - 11.24.2021 / 0929 Pacific Time

- File nps-2008-jean.E01 and its continuation segment (EnCase names the second segment .E02) were received for disk image analysis (figure 1).

Nicholas Wicker - 11.25.2021 / 0916 Pacific Time

- Disk image loaded in FTK Imager; both MD5 and SHA-1 hashes validated (figure 2).

Nicholas Wicker - 11.30.2021 / 2037 Pacific Time

- Slide deck "The case of M57.biz" received, providing additional information on the corporate document exfiltration.

Nicholas Wicker - 12.05.2021 / 1106 Pacific Time

- Evidence package presentation submitted.

Nicholas Wicker - 12.12.2021 / 1230 Pacific Time

- Forensic Examination Report completed.

Section 12. Generated Material

i. Evidence discovered during computer forensic analysis

ii. Table of email events (dates, timestamps, and analysis comments)

References

LII Staff. (2019, December 18). Rule 702. Testimony by Expert Witnesses. Retrieved December 3, 2021, from https://www.law.cornell.edu/rules/fre/rule_702

Ofori, A., & Akoto, D. (2020, May 29). Digital Forensics Investigation Jurisprudence: Issues of Admissibility of Digital Evidence. Retrieved December 3, 2021, from https://www.heraldopenaccess.us/openaccess/digital-forensics-investigation-jurisprudence-issues-of-admissibility-of-digital-evidence

US-CERT. (2008). Computer Forensics. Retrieved December 2, 2021, from https://us-cert.cisa.gov/sites/default/files/publications/forensics.pdf
