M57.biz report
Hill, Bennie A Mr CTR
Mirc 1st street San Diego CA
Background to the Case
The case against defendant Jean Story, an employee at M57.biz, derives from
confidential information being leaked to the firm’s competitors. M57.biz claims that a
confidential spreadsheet, which contained the names and salaries of the company’s key
employees, was found posted to the comments section of one of the firm’s competitors. The firm
also claims that Jean was the only employee with that spreadsheet on her laptop. Jean states she
believes she was hacked and does not know how the information left her laptop. I was given a disk
image of Jean’s laptop and asked to answer the following questions:
Questions
1. Was the data stolen from Jean’s laptop?
2. Did Jean release confidential information to a competitor?
3. Did Jean intentionally release confidential information to a competitor?
List of Criminal Offenses
The criminal offenses facing the defendant are:
1. Violation of The Privacy Act of 1974:
   - Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by the Privacy Act or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.
Readiness
Forensic readiness is an important and occasionally overlooked stage in the examination
process. Readiness includes appropriate training, to ensure that my services are among the
most reliable services available. I have acquired the following certifications and kept them up to
date:
- GIAC Certified Forensic Examiner (GCFE)
- GIAC Certified Forensic Analyst (GCFA)
- AccessData Certified Examiner (ACE)
- Certified Forensic Computer Examiner (CFCE)
- Computer Hacking Forensic Investigator (CHFI)
- EnCase Certified Examiner (EnCE)
- GIAC Reverse Engineering Malware (GREM)
- GIAC Network Forensic Analyst (GNFA)
- GIAC Advanced Smartphone Forensics (GASF)
- GIAC Cyber Threat Intelligence (GCTI)
To ensure the reliability of software and equipment, monthly updates and testing have been
conducted. The two programs utilized (FTK and Autopsy) and any supporting software
platforms have been updated to their latest versions. The tests include white, grey and black box
testing methods, and FTK and Autopsy are tested with each method three times. For example, FTK was
utilized in a white box testing scenario 3 times in the month of October 2018, as well as in
black and grey box scenarios. This is done to ensure that the programs are running as they
should. Any error found within a program would be corrected accordingly.
To ensure all analysis is conducted in accordance with current law,
monthly legal checks have been conducted. Legality checks are also conducted prior to
preparation for any forensic investigation. The checks include a review of all current and new laws
and also highlight any older laws that might apply to the current investigation. Constitutional law
was reviewed for privacy, search and seizure, and 1st Amendment violations. Tort law was
analyzed for invasion of privacy and downstream liability violations. Contract law, along
with evidence law, was examined to ensure that the identification of evidence and identity
management was handled in the right way. Finally, procedures for dealing with unexpected issues
were in place: any unexpected issue arising during the investigation (e.g., indecent images of
children found during a commercial job) would have resulted in an immediate stoppage of the
investigation. The issue that caused the halt would then be examined to the extent needed to
determine whether it constituted another crime or a hindrance to the investigation. If so, the proper
authorities would have been contacted. This does not mean the company would have been the
first to be notified, especially if the crime was unrelated to the one the investigation
covered. The investigation would not resume until the proper authorities granted that
authorization.
Evaluation
The company, M57.biz, provided a disk image of the employee’s laptop for evaluation.
Sensitive company information was leaked and published by a competitor. The sensitive
information only existed on this one employee’s laptop. M57.biz wants the laptop analyzed
for any data that could prove whether the information was leaked purposely or not. All forensic
analysis and protection of the data was assigned to Bennie Hill. Bigwig Inc was
designated to be in charge of all facility security. An alternate warm site was set up in case a
natural disaster or a fire occurred at the original site. The alternate site had manned security to
ensure the data inside was not compromised.
Collection
Authorities acquired Jean’s laptop on 21 July 2008. I was provided with a copy of the
warrant that authorized the authorities to confiscate Ms. Jean’s property on that date. After
confirmation that the data was obtained legally, I took possession of the disk image of Jean’s
laptop. Once the original evidence was received, the data was copied to a secure hard drive so as
to ensure the integrity of that data was not compromised. The hard drive was protected by a
program called BitLocker To Go. This program provides protection to removable drives such as
USB flash drives, SD cards, external hard disk drives, and other drives formatted using the
NTFS, FAT16, FAT32, or exFAT file systems. BitLocker also requires a password to access the
data within. The data from the disk image was analyzed at a secure computer forensics
laboratory. When the hard drive was not in the physical possession of authorized handlers it was
stored in a two-drawer GSA-approved safe. Only individuals with authorized access to the hard
drive had the code for the safe. Authorized personnel consisted of:
- Bennie Hill
The safe is located in a secure facility, which has 24-hour security coverage. The data on the
disk image was only reviewed or handled by authorized personnel. After the assessment was
completed, all data was given back to the proper authority. All examination, storage, and
transfers of the data on the disk image have been documented for future review.
Analysis
The analysis of the data started with locating the company’s sensitive information that
was leaked. Once found, that information was analyzed and its dates of creation and last
modification were recorded. All activity conducted around that time frame was consolidated in
the program Autopsy and analyzed. All data involved with communications, e.g. email, chat, and
any other forms of information sharing, was analyzed. Then created documents, such as Word documents,
Excel spreadsheets, etc., in that time frame were analyzed and documented. Then all downloaded
media files, such as pictures, videos, or recordings, were analyzed. Finally, all webpage history
was analyzed for any suspicious activity.
Examination Details and Results
Using both the FTK and Autopsy software I was able to acquire information pertaining to
the release of the M57.biz confidential spreadsheet. After finding the confidential spreadsheet
that was leaked, I acquired its modification date, which was 20 July 2008. I then searched all data
in a 3-month time frame around that date. First I analyzed all of the email communication, which
produced key information pertaining to the release of the confidential spreadsheet. In an email
chain between jean@m57.biz (possibly defendant Jean) and alison@m57.biz (possibly Alison
Smith, Jean’s boss at M57.biz) the confidential spreadsheet was transmitted. The email chain
between the two addresses started with alison@m57.biz requesting that jean@m57.biz create the
confidential spreadsheet. Then alison@m57.biz requested that jean@m57.biz send the
confidential spreadsheet. The individual using the jean@m57.biz address sent the confidential
spreadsheet to the alison@m57.biz address. However, upon further analysis, whenever the
alison@m57.biz address requested the creation and the sending of the confidential
information, the Return-Path in the email header was set to
simsong@xy.dreamhostps.com. And when jean@m57.biz replied to the original message that
requested the confidential spreadsheet, the email address tuckgorge@gmail.com was displayed in
the original message header (as displayed below):
The fact that the Return-Path address was different from alison@m57.biz, and that the original
message requesting the confidential information came from tuckgorge@gmail.com using
alison@m57.biz as a display name, supports the possibility that an email spoofing attack was
conducted. Email spoofing is when an email header is modified to make the recipient of the
email believe it came from a source other than the actual source.
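The two header anomalies described above (a Return-Path outside the claimed sender’s domain, and an outside mailbox using a look-alike address as its display name) can be checked mechanically. The following is an added illustration written for this report’s findings, not code used in the examination or part of FTK or Autopsy; the message headers are constructed samples, not captured evidence.

```python
import email
from email.utils import parseaddr

# Constructed samples (not captured evidence) modelled on the two anomalies
# described in the report: a Return-Path pointing outside m57.biz, and an
# outside mailbox presenting "alison@m57.biz" as its display name.
SAMPLE_RETURN_PATH = """\
Return-Path: <simsong@xy.dreamhostps.com>
From: Alison <alison@m57.biz>
To: jean@m57.biz
Subject: background check

Could you please put together the spreadsheet?
"""

SAMPLE_DISPLAY_NAME = """\
From: "alison@m57.biz" <tuckgorge@gmail.com>
To: jean@m57.biz
Subject: Re: background check

I really need that information now.
"""

def domain_of(addr):
    """Lower-cased domain of an address string, or '' if it has none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def header_mismatches(raw):
    """Return (header, value, claimed_domain) tuples for every sender-related
    header whose domain disagrees with the From mailbox, and for a display
    name that is itself an address in another domain. A non-empty result is
    an indicator worth investigating, not proof of spoofing on its own."""
    msg = email.message_from_string(raw)
    name, mailbox = parseaddr(msg.get("From", ""))
    from_domain = mailbox.rpartition("@")[2].lower()
    findings = []
    if "@" in name and domain_of(name) != from_domain:
        findings.append(("From display name", name, from_domain))
    for hdr in ("Return-Path", "Reply-To", "Sender"):
        value = msg.get(hdr)
        if value is not None and domain_of(value) not in ("", from_domain):
            findings.append((hdr, parseaddr(value)[1], from_domain))
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_RETURN_PATH, SAMPLE_DISPLAY_NAME):
        for hdr, value, claimed in header_mismatches(sample):
            print(f"{hdr} = {value!r} while From claims domain {claimed}")
```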
The following is the key email traffic between the addresses jean@m57.biz and
alison@m57.biz, with annotations of where the header had been altered:
Sender -> Receiver: Message (header annotations in brackets)

jean@m57.biz -> Alison@m57.biz: Are you going to use alex@m57.biz or Alison@m57.biz?
Alex@m57.biz -> jean@m57.biz: Hi, Jean have you started putting together the financial projections yet?
Alex@m57.biz -> jean@m57.biz: (sent 10 emails with various news postings and links)
Alex@m57.biz -> jean@m57.biz: This one, obviously.
Alison@m57.biz [Return-Path: simsong@xy.dreamhostps.com] -> jean@m57.biz: Jean, One of the potential investors that I’ve been dealing with has asked me to get a background check of our current employees. Apparently they recently had some problems at some other company they funded. Could you please put together for me a spreadsheet specifying each of our employees, their current salary, and their SSN? Please do not mention this to anybody. Thanks. (ps: because of the sensitive nature of this, please do not include the text of this email in your message to me. Thanks)
Alison@m57.biz -> jean@m57.biz: Have you heard anything yet from Alice, Bob and Carol? They were all supposed to start last week.
Alison@m57.biz -> jean@m57.biz: Whoops. It looks like my email was misconfigured. My email is Alison@m57.biz, not alex. Sorry about that.
Jean@m57.biz -> alex: So are you going to get this email?
Jean@m57.biz -> alex: Not yet
Jean@m57.biz -> Alison@m57.biz: Sure thing.
Jean@m57.biz -> Alison@m57.biz: I’m confused
Alison@m57.biz -> jean@m57.biz: Yes, I got this email
Alison@m57.biz -> jean@m57.biz: Well, make it happen
Alison@m57.biz -> jean@m57.biz: What’s a “sure thing”?
Alison@m57.biz -> jean@m57.biz: Sorry; I don’t know why I sent that to you. (in regards to her 10 emails about news)
Alison@m57.biz -> jean@m57.biz: Please stop this email train
Alison@m57.biz [Really: tuckgorge@gmail.com] -> jean@m57.biz: Hi, Jean. I’m sorry to bother you, but I really need that information now --- this VC guy is being very insistent. Can you please reply to this email with the information I requested --- the names, salaries, and social security numbers (SSNs) of all our current employees and intended hires? Thanks, Alison
Jean@m57.biz -> Alison@m57.biz [Really: tuckgorge@gmail.com]: I’ve attached the information that you have requested to this email message. (attachment has confidential spreadsheet)
Alison@m57.biz [Really: tuckgorge@gmail.com] -> jean@m57.biz: Jean, Thanks for the file. I’ll handle it from here. Once again, please don’t tell anyone about this.
Conclusion
Answers to the aforementioned questions:
1. Was the data stolen from Jean’s laptop? No, the data was not stolen from her laptop.
2. Did Jean release confidential information to a competitor? Yes, she emailed the
information to the tuckgorge@gmail.com address.
3. Did Jean intentionally release confidential information to a competitor? No, I cannot
confirm that Jean intentionally released the confidential information.
Recommendations
1. It is possible that the defendant, Jean, was a victim of email spoofing, so I cannot
recommend that Jean be found guilty in the case against her.
2. I recommend that further investigation be conducted into Alison’s digital property, to see
if she had any further knowledge of the compromise that took place.
3. I also recommend further investigation into the owners of the AIM account names
alisonm57 and m57jean. There were some suspicious messages between the two accounts
shortly before the compromise occurred.
References
Bosworth, Seymour, et al. (2009) Computer Security Handbook. John Wiley & Sons.
Conklin, Wm Arthur, et al. (2015) CompTIA Security+: Exam Guide (Exam SY0-401). McGraw-Hill.
The United States Department of Justice. https://www.justice.gov/jm/eousa-resource-manual-142-judicial-remedies-and-penalties-violating-privacy-act