CSOL-590: Module 7
Ted Huskey
Table of Contents
Abstract 3
Forensic Examination
Readiness 4
Evaluation 4
Collection 5
Analysis 5
Presentation 6-11
Review 12
Conclusion 12
Abstract
M57.biz is a small online company with fewer than 10 employees. Lacking a brick
and mortar presence, employees work from home or local retail spaces and use
available public WiFi for their Internet access. Although there are weekly face-to-
bulletin board. The company Chief Operations Office (CFO) was the only
person with access to the spreadsheet and claimed she did not post the
preserve evidence (NIJ, 1994). For the M57.biz case, evidence was collected,
interviews taken and analysis performed. Acting on orders she thought were
from the company president, the M57.biz Chief Financial Officer (CFO) created
of the evidence suggests the M57.biz president’s email account was spoofed and an
(undetermined) bad actor was able to take control, direct the CFO to email the
Computer forensics examination is a six-stage process; it was very helpful in
determining the facts of this case and formed the basis of the recommendation to
the court.
Readiness Stage
computer forensics, particularly with court cases, the validity of data or evidence
Readiness includes training and testing of the expert but also education of fellow
date. But readiness is not limited to just the witnesses; readiness includes
training and preparing clients (Forensics Control, 2018). The examiner used in
the M57.biz case was at a very high state of readiness, having just completed his
Evaluation Stage
Starting off in the right direction with the proper guidance is critical to a
know when the spreadsheet was created, how it got to a competitor’s
Collection Stage
The collection stage is where the rubber hits the road. Proper handling and
legal proceedings (Strickland, 2018). Physical evidence (imaged hard drive files
from the suspected laptop and a printout of the subject spreadsheet) was
times and evidence was transported using only bonded and licensed courier
Analysis Stage
No one stage is more important than any of the others, but the consequence of
free of errors. Central to the analysis stage are the tools used. Two forensic
analysis tools were considered for this case: Access Data’s Forensic Toolkit and
Sleuth Kit Autopsy. Given the ease of use, appropriateness for the format of the
evidence files and the examiner’s familiarity with the software, Autopsy was used
various analyses are performed, which allows the examiner to discuss with the
client to gain a better understanding of the data and in turn adjust the analysis to
get the most usable data in the allotted time (Yusoff, Ismail and Hassan, 2011).
Presentation Stage
The results of the examination of M57.biz are presented in the following report.
CEO
Digital Detective Services
Contents Page
Case Background
Evidence
Data Collection
Data Analysis
Legal Aspects
Facts
Findings
Recommendation
Case Background
M57.biz is a small web-based company with fewer than 10 employees. It is
essentially a virtual corporation with a majority of employees working out of their
homes using laptops, and their interactions are primarily electronic – emails or
chat.
A document containing company-sensitive information was posted online. The
document was emailed by the CFO to the president. The CFO claimed she was
directed to do so by the company president, but the president claimed she did not
request or receive the document.
Evidence
Three pieces of evidence were provided: a printout of the subject spreadsheet, a
M57.biz presentation and an EnCase formatted image of the CFO’s laptop.
The spreadsheet was a single page with ‘M57.biz company’ typed at the top and
listed the company’s employees’ first name, last name, position, salary and SSN.
The PowerPoint presentation provided amplifying company information. The
image of the CFO’s laptop was provided in two EnCase formatted files.
Data Collection
Data integrity and chain of custody were of prime importance and the first
consideration when conducting data collection and analysis. EnCase was used
to recover all evidence/data from the CFO’s laptop, and EnCase files were
created and provided as part of the evidence package. The files were uploaded
onto an exclusive and case-specific workstation.
Data Analysis
Analysis was a two-step process. First, Sleuth Kit Autopsy was used to analyze
the image and display the results for further analysis; then the investigators
painstakingly and manually analyzed the Autopsy-generated data using keyword and
file-type searches that targeted ‘suspect’ areas (e.g. xls, pst, spreadsheet,
Starbucks ...) looking for clues (see Figure 1).
Figure 1
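The keyword and file-type triage described above, as an added example that is not part of the original report: it walks an extracted evidence tree, flags files by the extensions and keywords the report names, and hashes each hit so the finding can be tied to an integrity record. The sample tree is constructed in a temporary directory; it is not the case image.

```python
import hashlib
import os
import tempfile

# Search parameters taken from the report's description of the analysis:
# file types of interest and keywords pointing at "suspect" areas.
SUSPECT_EXTENSIONS = {".xls", ".pst"}
KEYWORDS = ("spreadsheet", "starbucks")


def sha256_of(path):
    """Hash a hit so it can be recorded alongside the chain-of-custody log."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root):
    """Return hits keyed by path relative to root.

    A file is a hit if its extension is of interest or its content (decoded as
    text, undecodable bytes ignored) contains a keyword; each hit records the
    matching rules and the file's SHA-256.
    """
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if os.path.splitext(name)[1].lower() in SUSPECT_EXTENSIONS:
                reasons.append("extension")
            with open(path, "rb") as f:
                text = f.read().decode("utf-8", errors="ignore").lower()
            reasons += [f"keyword:{k}" for k in KEYWORDS if k in text]
            if reasons:
                hits[os.path.relpath(path, root)] = {"reasons": reasons, "sha256": sha256_of(path)}
    return hits


def build_sample_tree():
    """Constructed evidence tree for demonstration only (not the CFO's image)."""
    root = tempfile.mkdtemp()
    files = {
        "Documents/m57plan.xls": b"binary-ish xls content",
        "Outlook/archive.pst": b"pst archive",
        "notes.txt": b"Met at Starbucks to discuss the spreadsheet",
        "readme.txt": b"nothing of interest here",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root
```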
Legal Aspects
Consistent with company policy, the CFO’s laptop is company property and as
such was imaged for evidence then returned to the employee without the need of
a warrant.
Data integrity and evidentiary chain of custody were of prime importance and the
investigators were keenly aware of the legal implications and ramifications of
their analysis. The investigators were professional and in complete compliance
with all legal and regulatory measures particularly with regard to rules of
evidence.
Evidence chain of custody was maintained through the use of a dedicated
desktop workstation assigned exclusively to this case (no other activities were
conducted). The workstation was kept in an access-controlled room and only
authorized users were given access. When transportation was required, only
licensed and bonded couriers were used.
Facts of the Case
At 16:39 on 7/19/2008, M57.biz CFO (Jean) received an email from the company
president (Alison) requesting a spreadsheet with company data. Jean complied
and emailed the spreadsheet as directed (see Figure 2).
Figure 2
Examination of the evidence revealed Alison’s email account had been spoofed (by
simsong) (see Figure 3).
Figure 3
Case Findings
Although the actual point of intrusion and the intruder have not been identified using
the available evidence, the M57.biz president’s email account was spoofed. The
likely point of intrusion was the use of an alias email address ‘alex@m57.biz’ in
place of the president’s actual email address ‘alison@m57.biz’ that started
appearing in the hours leading up to the request for the spreadsheet (see Figure
4).
Figure 4
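A detection check for the alias pattern described in the findings, added here as an example and not taken from the report: each message's From display name is compared against an assumed directory of legitimate M57.biz addresses, and a known name paired with a different address (such as ‘alex@m57.biz’ presenting as Alison) is flagged and placed on a timeline. The directory and the sample messages are constructed for the example; they are not the case evidence.

```python
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Assumed directory of legitimate display-name -> address pairs (constructed;
# the company's real mail directory is not part of the report).
DIRECTORY = {"alison": "alison@m57.biz", "jean": "jean@m57.biz"}

# Constructed sample messages, not the case evidence. The second one carries
# the president's display name but a look-alike alias address.
SAMPLE_MESSAGES = [
    "From: Alison <alison@m57.biz>\nTo: Jean <jean@m57.biz>\n"
    "Date: Sat, 19 Jul 2008 10:15:00 -0700\nSubject: Monday meeting\n\n"
    "See you Monday.\n",
    "From: Alison <alex@m57.biz>\nTo: Jean <jean@m57.biz>\n"
    "Date: Sat, 19 Jul 2008 16:39:00 -0700\nSubject: spreadsheet\n\n"
    "Please send the employee spreadsheet.\n",
]


def check_sender(raw):
    """Parse one RFC 822 message and compare its From name with the directory."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"])
    expected = DIRECTORY.get(name.strip().lower())
    return {
        "date": parsedate_to_datetime(msg["Date"]),
        "subject": str(msg["Subject"]),
        "name": name,
        "addr": addr.lower(),
        "expected": expected,
        # Suspicious only when the display name is a known person and the
        # address is not the one on file for that person.
        "suspicious": expected is not None and addr.lower() != expected,
    }


def timeline(messages):
    """Findings sorted by date, so the alias's first appearance is visible."""
    return sorted((check_sender(m) for m in messages), key=lambda r: r["date"])
```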
Recommendations
Based on the available evidence, sensitive M57.biz information was sent from
the company CFO’s email account at the apparent direction of the company president.
The company president’s email account was spoofed, making the CFO a victim
of a well-crafted attack. The attack was possible due to poor network
management and weak cyber policies.
Recommend no punitive action be taken against the CFO. To avoid future
occurrences, recommend M57.biz beef up their cyber/network security policies
and (if still a viable company) establish a brick and mortar presence to enable
employees to conduct more business on site and less out in town using non-secure
WiFi.
Review Stage
Every forensic examination presents learning opportunities not only for the client
but for the investigator as well. Poor training and weak Internet usage policies,
coupled with heavy reliance on unsecured WiFi hotspots, exposed M57.biz to a
spoofing attack that resulted in the theft of sensitive company information. Once
these deficiencies are corrected, M57.biz can look forward to a more secure and
private future.
Conclusion
Computer forensics plays an ever greater role in cyber security. Being able
to collect and analyze the data in such a manner that it is admissible in a court of
law is vitally important to convict the bad actors and prevent future occurrences.
References