CSOL 590: Assignment 7

Vincent T. Panaligan

University of San Diego

29 June 2020


Table of Contents

Title Page

Table of Contents

Abstract

Case Background

Questions Asked Relevant to the Case

Search and Seizure & Transport of Evidence

Exhibits Submitted for Analysis

Further Questions Asked Relative to the Case

Evidence to Search For

Examination Details

Analysis Results

Recommendations

References


Abstract

This report covers the case of a small start-up company, M57.Biz. It mainly covers the presentation stage of the computer forensic examination process, in which the examiner develops a comprehensive report on findings and evidence and on the important questions, along with the legal issues involved and recommendations.

Cyber forensics, also known as digital forensics or computer forensics, is the process of extracting data and information from a computer or personal computing device to serve as digital evidence to prove and legally prosecute cybercrime and cybercriminals.

According to the US-CERT (2008), "Forensics also is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts."

Case Background

M57.Biz is a small start-up company that consists of:

2 Founders/Owners

10 Employees hired within first year

$3 Million in seed funding; now closing $10 Million round

Current Staff:

o President: Alison Smith

o Chief Financial Officer (CFO): Jean

o Programmers: Bob, Carole, David, Emmy

o Marketing: Gina, Harris

o BizDev: Indy


A spreadsheet that contained confidential information about M57’s employees was leaked onto a competitor’s website. The spreadsheet contained the names and salaries of the employees, along with their Social Security Numbers (SSNs). The spreadsheet originated from the laptop of the CFO, Jean.

Questions Asked Relevant to the Case

Interviews were conducted with Alison and Jean, along with a background check on where and how M57’s employees work on a daily basis.

Question asked to Alison and Jean: How did the document get on the competitor’s website?

Alison

“I don’t know what Jean is talking about.”

“I never asked Jean for the spreadsheet.”

“I never received the spreadsheet by email.”

Jean

“Alison asked me to prepare the spreadsheet as part of a new funding round.”

“Alison asked me to send the spreadsheet to her by email.”

“That’s all I know.”

M57 working environment:

Programmers:

o Work out of their houses

o Daily online chat session; Weekly in-person meetings in office park

Marketing & BizDev:


o Work out of hotel rooms or Starbucks (mostly on the road)

o In-person meetings once every two weeks

Most documents are exchanged by email

Search and Seizure & Transport of Evidence

A request was filed for legal authorities to give the investigator an image copy of Jean’s hard drive, a copy of the spreadsheet, and the credentials of Alison and Jean. Upon the search and seizure of the hard drive image, which may provide digital evidence, the acquired items were carefully maintained, and a chain of custody was efficiently established in order to ensure data integrity.

Exhibits Submitted for Analysis:

1. An Image copy of Jean’s Computer’s Hard Drive

jeanm57.E01


2. A copy of the confidential spreadsheet

Further Questions Asked Relative to the Case

1. When did Jean create this spreadsheet?

2. How did it get from her computer to the competitor’s website?

3. Who else from the company is involved?

Evidence to Search For

Based on the nature of the case and the allegations made against the accused (the CFO, Jean), the investigator will be searching for 1) Knowledge and 2) Control of the data and documents presented in this case.


Examination Details

The forensic tools used in this investigation were FTK Imager and Autopsy. These tools helped examine the jeanm57.E01 image.

On FTK Imager, the spreadsheet document was found in this path:

Root/DocumentsandSettings/Jean/Desktop/m57biz.xls

Clicking on the .xls file shows that Jean created this document, along with the exact date and time of the creation of the document.


How did it get from her computer to the competitor’s website?

As mentioned earlier, M57’s employees mostly exchange documents through email. This pointed toward obtaining the Outlook PST file to analyze any conversations Jean had with her coworkers or anyone external.

Kernel Outlook PST Viewer was used to analyze the recovered PST file.

Initial email sent from the ‘bad actor’ spoofing Alison, requesting the spreadsheet.


Analysis Results

M57.Biz’s CFO, Jean, was the victim of a clear “Spear Phishing Attack.” The bad actor used Social Engineering tactics, such as “urgency,” to get Jean to send “Alison” the spreadsheet as soon as possible. The bad actor was also disguised as Alison’s work email, [email protected]<[email protected]>. This tricked Jean into believing that she was communicating with Alison for the whole conversation.

No other parties or employees were involved in this case.
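
The disguise described above, a display name that shows one address while the message actually comes from another, can be checked for mechanically in exported messages. The following Python is an added example, not part of the original report or of the tools it used; the `.example` addresses, sample messages, function names and indicator labels are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
FROM_RE = re.compile(r'^\s*"?(?P<name>.*?)"?\s*<(?P<addr>[^<>\s]+)>\s*$')


def split_from(value):
    """Split a From header into (display name, address). Handles an
    unquoted display name that itself looks like an address."""
    m = FROM_RE.match(value)
    if m:
        return m.group("name"), m.group("addr").lower()
    return "", parseaddr(value)[1].lower()  # bare address, no display name


def spoof_indicators(raw_message):
    """Return the indicator labels found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, sender = split_from(msg.get("From", ""))
    found = []
    # The display name carries an address that is not the real sender.
    if any(a.lower() != sender for a in ADDR_RE.findall(name)):
        found.append("display-name-address-mismatch")
    # Replies would be routed to a different domain than the sender's.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to.rpartition("@")[2] != sender.rpartition("@")[2]:
        found.append("reply-to-domain-mismatch")
    return found


# Constructed sample messages (not taken from the case image).
BODY = "To: jean@m57.example\nSubject: spreadsheet\n\nPlease send it today.\n"
SPOOFED_QUOTED = 'From: "alison@m57.example" <sender@freemail.example>\n' + BODY
SPOOFED_UNQUOTED = ("From: alison@m57.example<sender@freemail.example>\n"
                    "Reply-To: sender@freemail.example\n" + BODY)
REPLY_TO_ONLY = ("From: Alison Smith <alison@m57.example>\n"
                 "Reply-To: alison@freemail.example\n" + BODY)
LEGITIMATE = "From: Alison Smith <alison@m57.example>\n" + BODY

if __name__ == "__main__":
    for label, raw in [("quoted", SPOOFED_QUOTED), ("unquoted", SPOOFED_UNQUOTED),
                       ("reply-to", REPLY_TO_ONLY), ("legitimate", LEGITIMATE)]:
        print(label, spoof_indicators(raw))
```
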

Recommendations

Based on the results, Jean was responsible for leaking the confidential document but did not leak it with any bad intentions. Jean had control of the document but did not have the proper knowledge and awareness. I do not recommend pressing any charges against Jean.

Alison and Jean both told the truth in their interviews. Alison was unaware of the situation because Jean was never in communication with the real Alison. I do not recommend pressing any charges against Alison.

My recommendation to M57.Biz as a whole is to invest in a cyber security team that develops and trains their employees on proper cyber usage and awareness against threats and vulnerabilities in the cyber environment. This organization is a virtual company; therefore, it is important to ensure their employees are properly trained and know the proper practices of safeguarding their organization’s vital information from bad actors.


References

Forensics Investigation of Document Exfiltration involving Spear Phishing: The M57 Jean Case. (2016, October 4). Retrieved from https://resources.infosecinstitute.com/forensics-investigation-document-exfiltration-involving-spear-phishing-m57-jean-case/

US-CERT (2008). Computer Forensics. Retrieved from US-CERT website: https://www.us-cert.gov/sites/default/files/publications/forensics.pdf