CSOL 590: Assignment 7
Vincent T. Panaligan
University of San Diego
29 June 2020
Table of Contents
Title Page 1
Table of Contents 2
Abstract 3
Case Background 3-4
Questions Asked Relevant to the Case 4-5
Search and Seizure & Transport of Evidence 5
Exhibits Submitted for Analysis 5-7
Further Questions Asked Relative to the Case 7
Evidence to Search For 7
Examination Details 8-9
Analysis Results 10
Recommendations 10
References 11
Abstract
This report covers the case of a small start-up company, M57.Biz. It mainly covers the
presentation stage of the computer forensic examination process, in which the examiner
develops a comprehensive report on the findings and evidence, the important questions, and
the legal issues and recommendations involved.
Cyber forensics, also known as digital forensics or computer forensics, is the process of
recovering data and information from a computer or personal computing device so that it can
serve as digital evidence to prove and legally prosecute cybercrime and cybercriminals.
According to US-CERT (2008), "Forensics also is the process of using scientific
knowledge for collecting, analyzing, and presenting evidence to the courts."
Case Background
M57.Biz is a small start-up company that consists of:
2 Founders/Owners
10 Employees hired within first year
$3 Million in seed funding; now closing $10 Million round
Current Staff:
o President: Alison Smith
o Chief Financial Officer (CFO): Jean
o Programmers: Bob, Carole, David, Emmy
o Marketing: Gina, Harris
o BizDev: Indy
A spreadsheet that contained confidential information about M57's employees was leaked onto
a competitor's website. The spreadsheet contained the names and salaries of the
employees, along with their Social Security Numbers (SSNs). The spreadsheet originated from the
laptop of the CFO, Jean.
Questions Asked Relevant to the Case
Interviews were conducted with Alison and Jean, along with a background check on where and
how M57's employees work on a daily basis.
Question asked of Alison and Jean: How did the document get onto the competitor's website?
Alison
“I don’t know what Jean is talking about.”
“I never asked Jean for the spreadsheet.”
“I never received the spreadsheet by email.”
Jean
“Alison asked me to prepare the spreadsheet as part of a new funding round.”
“Alison asked me to send the spreadsheet to her by email.”
“That’s all I know.”
M57 working environment:
Programmers:
o Work out of their houses
o Daily online chat session; Weekly in-person meetings in office park
Marketing & BizDev:
o Work out of hotel rooms or Starbucks (mostly on the road)
o In-person meetings once every two weeks
Most documents are exchanged by email
Search and Seizure & Transport of Evidence
A request was filed for the legal authorities to give the investigator an image copy of Jean's hard
drive, a copy of the spreadsheet, and the credentials of Alison and Jean. Upon the search and
seizure of the hard drive image, which may provide digital evidence, the acquired items were
carefully maintained and a chain of custody was established in order to ensure data
integrity.
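The chain-of-custody and integrity requirement described above is normally enforced by hashing the exhibit at acquisition and re-hashing it at every hand-off, so that any change to the image is detectable before it reaches the report. The following script is an added example, not part of this report or of any forensic tool named in it; it builds a constructed stand-in file named after the exhibit (the real jeanm57.E01 is not embedded), logs each custody event with a SHA-256 digest, and shows that a single byte appended after the last hand-off breaks the chain.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the exhibit in chunks so a multi-gigabyte image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_custody_event(log, exhibit_path, actor, action):
    """Append one chain-of-custody entry; the hash is recomputed at every hand-off."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "exhibit": os.path.basename(exhibit_path),
        "actor": actor,
        "action": action,
        "sha256": sha256_of_file(exhibit_path),
    }
    log.append(entry)
    return entry


def verify_chain(log):
    """The chain holds only if every later hash equals the acquisition hash."""
    if not log:
        return False
    acquisition_hash = log[0]["sha256"]
    return all(entry["sha256"] == acquisition_hash for entry in log)


def demo():
    """Walk a constructed exhibit through acquisition, transport and a tampering event."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-in for the image; the real jeanm57.E01 is not embedded here.
        exhibit = os.path.join(workdir, "jeanm57.E01")
        with open(exhibit, "wb") as fh:
            fh.write(b"constructed image payload\n" * 64)

        log = []
        record_custody_event(log, exhibit, "acquiring examiner", "acquired image")
        record_custody_event(log, exhibit, "courier", "transported to lab")
        record_custody_event(log, exhibit, "analyst", "received for examination")
        intact = verify_chain(log)

        # Simulate an unauthorised modification after the last hand-off.
        with open(exhibit, "ab") as fh:
            fh.write(b"\x00")
        record_custody_event(log, exhibit, "analyst", "hash check before reporting")
        tamper_detected = not verify_chain(log)

        return intact, tamper_detected, json.dumps(log, indent=2)


if __name__ == "__main__":
    intact, tamper_detected, custody_log = demo()
    print(custody_log)
    print("chain intact before tampering:", intact)
    print("tampering detected:", tamper_detected)
```

In practice the acquisition hash is recorded on the custody form at seizure time and the analyst's working copy is verified against it before any examination begins, which is the check this script automates.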
Exhibits Submitted for Analysis:
1. An Image copy of Jean’s Computer’s Hard Drive
jeanm57.E01
2. A copy of the confidential spreadsheet
Further Questions Asked Relative to the Case
1. When did Jean create this spreadsheet?
2. How did it get from her computer to the competitor’s website?
3. Who else from the company is involved?
Evidence to Search For
Based on the nature of the case and the allegations that have been made against the accused (the CFO,
Jean), the investigator will be searching for 1) knowledge and 2) control of the data and
documents presented in this case.
Examination Details
The forensic tools used in this investigation were FTK Imager and Autopsy. These tools were used to
examine the jeanm57.E01 image.
In FTK Imager, the spreadsheet document was found at this path:
Root/DocumentsandSettings/Jean/Desktop/m57biz.xls
Selecting the .xls file shows that Jean created this document, along with the exact date and time
at which the document was created.
How did it get from her computer to the competitor’s website?
As mentioned earlier, M57's employees mostly exchange documents through email. This pointed
in the direction of obtaining the Outlook PST file to analyze any conversations Jean had with her
coworkers or anyone external.
Kernel Outlook PST Viewer was used to analyze the recovered PST file.
The initial email was sent by a "bad actor" spoofing Alison, requesting the spreadsheet.
Analysis Results
M57.Biz's CFO, Jean, was the victim of a clear "spear phishing attack." The bad actor used
social engineering tactics, such as "urgency," to get Jean to send "Alison" the spreadsheet as
soon as possible. The bad actor also disguised the sending address to resemble Alison's work email
[email protected]<[email protected]>. This tricked Jean into believing that she was
communicating with Alison for the whole conversation.
No other parties or employees were involved in this case.
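The two indicators the analysis relies on, a display name that claims to be an insider while the actual address belongs to another domain, and urgency language around a request for personnel data, can be checked mechanically on each message exported from a PST. The script below is an added example and not part of this report or of Kernel Outlook PST Viewer; both messages in it are constructed stand-ins (the addresses, subject lines and body text are invented, and the trusted domain m57.biz and the roster names are taken from the case background), and the indicator lists are assumptions chosen for illustration rather than a vendor's rule set.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

TRUSTED_DOMAIN = "m57.biz"
# Insiders whose names an impersonator might borrow (roster from the case background).
STAFF_NAMES = ("alison smith", "alison", "jean")
# Indicator word lists are assumptions for this example, not a vendor rule set.
URGENCY_TERMS = ("asap", "as soon as possible", "urgent", "immediately", "today")
SENSITIVE_TERMS = ("ssn", "social security", "salary", "salaries")

# Constructed messages; neither is the real mail recovered from Jean's PST file.
SPOOFED_EML = b"""From: "Alison Smith" <alison.smith@freemail.example>
To: jean@m57.biz
Reply-To: alison.smith@freemail.example
Subject: Need the salary spreadsheet ASAP
Date: Mon, 21 Jul 2008 10:12:00 -0700
Message-ID: <constructed-1@freemail.example>

Jean, please send me the spreadsheet with everyone's names, salaries and SSNs
as soon as possible, the investors need it today.
"""

LEGIT_EML = b"""From: "Alison Smith" <alison@m57.biz>
To: jean@m57.biz
Subject: Weekly meeting agenda
Date: Mon, 21 Jul 2008 09:00:00 -0700
Message-ID: <constructed-2@m57.biz>

Jean, the agenda for Friday is attached. See you at the office park.
"""


def analyze_message(raw):
    """Return the sender details and the list of phishing indicators found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    external = domain != TRUSTED_DOMAIN

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()

    findings = []
    if external:
        findings.append("external sender domain")
        # The display name says "insider" but the mailbox is not on the company domain.
        if display.lower() in STAFF_NAMES:
            findings.append("display-name impersonation of an insider")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to differs from sender")
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency language")
    if any(term in text for term in SENSITIVE_TERMS):
        findings.append("request for sensitive personnel data")

    impersonation = "display-name impersonation of an insider" in findings
    pressure = ("urgency language" in findings
                or "request for sensitive personnel data" in findings)
    return {
        "from_display": display,
        "from_address": addr,
        "findings": findings,
        "suspicious": impersonation and pressure,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_EML), ("legitimate", LEGIT_EML)):
        result = analyze_message(raw)
        print(label, result["from_display"], result["from_address"],
              result["findings"], "suspicious" if result["suspicious"] else "clean")
```

The same logic applied to the messages exported from the PST would have separated the impersonating mail from Alison's genuine correspondence on the first message, before any reply was sent.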
Recommendations
Based on the results, Jean was responsible for leaking the confidential document but did not leak
it with any bad intent. Jean had control of the document but did not have the proper
knowledge and awareness. I do not recommend pressing any charges against Jean.
Alison and Jean both told the truth in their interviews. Alison was unaware of the situation
because Jean was never in communication with the real Alison. I do not recommend pressing any
charges against Alison.
My recommendation to M57.Biz as a whole is to invest in a cyber security team that develops
and trains its employees in proper cyber hygiene and awareness of threats and
vulnerabilities in the cyber environment. This organization is a virtual company; therefore, it is
important to ensure its employees are properly trained and know the proper practices for
safeguarding the organization's vital information from bad actors.
References
Forensics Investigation of Document Exfiltration involving Spear Phishing: The M57 Jean Case.
(2016, October 4). Retrieved from https://resources.infosecinstitute.com/forensics-investigation-document-exfiltration-involving-spear-phishing-m57-jean-case/
US-CERT (2008). Computer Forensics. Retrieved from US-CERT website:
https://www.us-cert.gov/sites/default/files/publications/forensics.pdf