M57 JEAN DIGITAL FORENSIC REPORT PDF

Title M57 JEAN DIGITAL FORENSIC REPORT
Author Totally Anon
Course Cyber Incident Response and Computer Network Forensics
Institution University of San Diego
Pages 17
File Size 823.8 KB
File Type PDF

Summary

M57-Jean digital forensics scenario example report...


Description

Gordy Module 7 Final Assignment

M57 JEAN DIGITAL FORENSIC REPORT
Jeff Gordy
December 6, 2018
University of San Diego, CSOL 590

Digital Forensic Report

TABLE OF CONTENTS

Digital Forensic Report
Abstract
Section 1 Information
1.1 Investigator
1.2 Forensics Examiner
1.3 Offence
1.4 Accused
Section 2 Background
Section 3 Questions Relevant to the Case
Section 4 Software Utilized
4.1 Hypervisor
4.2 Operating System
4.3 Forensic Analysis
4.4 Forensic Plugins
Section 5 Evidence Collected
Section 6 Legal Concerns
Section 7 Forensic Examination of Evidence
Section 8 Timeline
Section 9 Observations
Section 10 Forensic Examiner’s Conclusion
Section 11 Chain of Custody
Works Cited


ABSTRACT

This digital forensic report documents the findings of examiner Jeff Gordy on the laptop hard drive image provided by head investigator Ashton Mozano. The primary user of the imaged laptop is Jean Jones, the CFO of M57.biz. Mrs. Jones is accused of exfiltrating sensitive company information to a competitor over email. Examiner Gordy inspected the hard drive image using the open-source tool Autopsy and confirmed that the file in question was sent by Mrs. Jones to an email account outside the corporate network. The question then becomes whether Mrs. Jones knew she was exfiltrating data. This report will show that while it is possible, and perhaps even likely, that Mrs. Jones was complicit in the crime, examiner Gordy found no definitive proof of criminal intent. It will also show that many behaviors and actions identified on the computer raise suspicion, and further investigation is recommended.

SECTION 1 INFORMATION

1.1 INVESTIGATOR

Ashton Mozano, J.D.

1.2 FORENSICS EXAMINER

Jeff Gordy, a cyber security student at the University of San Diego

1.3 OFFENCE

Corporate Data Exfiltration

1.4 ACCUSED

Jean Jones

SECTION 2 BACKGROUND

M57.biz is a hip web start-up developing a body art catalog. The company is a decentralized virtual corporation: employees work from their homes or from locations with public internet access and collaborate with online tools, and most documents are exchanged via email. The company currently has a staff of nine; ten employees were hired within the first year. Jean Jones, the CFO of M57.biz, is suspected of exfiltrating sensitive employee information to one of M57.biz’s competitors. A spreadsheet containing confidential information was posted as an attachment in the "technical support" forum of a competitor's website, and the spreadsheet came from CFO Jean's computer. In this report I cover the practices I used to collect data for the case, the tools and methods I used to analyze the data, the legal aspects I had to consider, the evidence chain of custody, my findings, and a recommendation to the court.

SECTION 3 QUESTIONS RELEVANT TO THE CASE

1. When did Jean create this spreadsheet?
2. How did it get from her computer to the competitor’s website?
3. Who else from the company is involved?

SECTION 4 SOFTWARE UTILIZED

As described in Section 5, I did not image the hard drive myself, so no imaging software appears in this list. Below are the software products and version numbers used during the course of this investigation.

4.1 HYPERVISOR

VirtualBox 5.2.12 running on macOS High Sierra 10.13.6

4.2 OPERATING SYSTEM

Windows 10 64-bit, version 1803

4.3 FORENSIC ANALYSIS

Autopsy 64-bit, version 4.9.1

4.4 FORENSIC PLUGINS

FileHistory Autopsy add-on module by Mark McKinnon

SECTION 5 EVIDENCE COLLECTED

It is important to note that, as the forensic examiner, I did not image the original hard drive. I was given a copy of the drive image in the EnCase evidence file format for analysis. While this format is commonly referred to as the E01 format, that is somewhat of a misnomer: the format is formally the Expert Witness Compression Format (EWF), which EnCase uses for its evidence files. The format splits the drive image into multiple segment files, historically at the 640 MB mark by default. The first segment carries a header with the case information, and each segment then holds the acquired data as a series of 32 KB blocks (64 sectors), each followed by a 32-bit checksum of that block (the "CRC" of the EnCase documentation); an MD5 hash of the entire acquired drive is stored in a hash section at the end of the last segment, so a damaged block is localized by its checksum while the MD5 answers only whether the image as a whole still matches the source. The segment files end in E01, E02, E03 … EXX, and since the first file always ends with E01 the format has come to be known by this identifier.
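The integrity model just described, as an added example that is not part of the original report and is not an E01/EWF parser: a small constructed container with fixed-size data blocks, each followed by a CRC-32, and one MD5 over all of the data, with a verifier that shows why per-block checksums localize damage while the whole-image hash only says whether anything changed. The marker bytes, header layout and 64-byte block size are the example's own assumptions; real EWF segments carry more sections and use 32 KB blocks.

```python
"""Integrity model of a block-checksummed evidence image.

Added example, not part of the original report and not an E01/EWF parser.
It models only the integrity structure Section 5 describes: fixed-size data
blocks, each followed by a CRC, plus one hash over all of the acquired data.
Real EWF segment files carry more sections (header, volume, table, ...) and
use 32 KB blocks; the marker, header layout and block size here are the
example's own assumptions, kept small so the sample fits in memory.
"""
import hashlib
import struct
import zlib

MAGIC = b"TOYIMG\x01"      # constructed marker, not the EWF signature
HEADER_FMT = "<QII"        # data length, block size, block count
BLOCK_SIZE = 64            # demo value; EWF uses 32 KB (64 sectors)


def build_image(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Pack data as MAGIC | header | (block, crc32)* | md5(all data)."""
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    out = bytearray(MAGIC)
    out += struct.pack(HEADER_FMT, len(data), block_size, len(blocks))
    for block in blocks:
        out += block
        out += struct.pack("<I", zlib.crc32(block) & 0xFFFFFFFF)
    out += hashlib.md5(data).digest()
    return bytes(out)


def block_offset(idx: int, block_size: int = BLOCK_SIZE) -> int:
    """Offset of the first data byte of block `idx` (all blocks but the last are full-size)."""
    return len(MAGIC) + struct.calcsize(HEADER_FMT) + idx * (block_size + 4)


def verify_image(image: bytes) -> dict:
    """Recompute every block CRC and the trailing MD5.

    Reports which blocks fail their CRC (localizing the damage) and whether
    the whole-image hash still matches (a yes/no answer for the entire copy).
    """
    if not image.startswith(MAGIC):
        raise ValueError("not a toy image")
    pos = len(MAGIC)
    data_len, block_size, n_blocks = struct.unpack_from(HEADER_FMT, image, pos)
    pos += struct.calcsize(HEADER_FMT)
    bad_blocks = []
    payload = bytearray()
    for idx in range(n_blocks):
        length = min(block_size, data_len - idx * block_size)  # last block may be short
        block = image[pos:pos + length]
        pos += length
        (stored_crc,) = struct.unpack_from("<I", image, pos)
        pos += 4
        if zlib.crc32(block) & 0xFFFFFFFF != stored_crc:
            bad_blocks.append(idx)
        payload += block
    stored_md5 = image[pos:pos + 16]
    md5_ok = hashlib.md5(payload).digest() == stored_md5
    return {"blocks": n_blocks, "bad_blocks": bad_blocks, "md5_ok": md5_ok}


def flip_bit(image: bytes, offset: int) -> bytes:
    """Damage one bit at `offset`, simulating a corrupted or altered copy."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed sample payload: 200 deterministic bytes -> 4 blocks (64, 64, 64, 8).
SAMPLE_DATA = bytes((i * 37 + 11) & 0xFF for i in range(200))
SAMPLE_IMAGE = build_image(SAMPLE_DATA)


def demo() -> dict:
    """A clean copy, a data bit flipped in block 2, and a flipped CRC bit with intact data."""
    return {
        "clean": verify_image(SAMPLE_IMAGE),
        "data_damaged": verify_image(flip_bit(SAMPLE_IMAGE, block_offset(2))),
        "crc_damaged": verify_image(flip_bit(SAMPLE_IMAGE, block_offset(0) + BLOCK_SIZE)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} {result}")
```

The third case is the one worth remembering in casework: a checksum failure with a matching whole-image hash means the stored checksum, not the evidence data, was damaged, so the block itself is still usable and the discrepancy should be documented rather than treated as lost data.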

SECTION 6 LEGAL CONCERNS

Digital evidence law tends to turn on two key issues: authenticity and integrity. The two are tied together: authentic digital evidence is evidence that can be shown to have integrity, that is, to have been handled in a manner that did not modify it in any way from the original. In our case the detective who imaged the drive used cryptographic hashes to confirm that the source drive and the image used for analysis are identical. For the examination I used the widely used open-source tool Autopsy to analyze the disk image; Autopsy only reads the image and does not write to it. Ease of modification is a concern in the digital world, so using software whose correctness can be audited, or that has been audited by a third party, is important for the digital forensic examiner. The other two legal aspects to consider are relevance and reliability. According to our professor, digital evidence, or electronic evidence, is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Before accepting digital evidence, a court will determine whether the evidence is relevant, whether it is authentic, whether it is hearsay, and whether a copy is acceptable or the original is required. Once digital evidence is shown to be authentic, intact, and relevant, it can be relied upon in court. In our case the drive image was not altered in any way after I took custody of it, and all steps can be reproduced with an identical copy of the image and the software listed in Section 4. A final concern for the court is my ability to testify to opinions about the evidence. Federal Rule of Evidence 702 states that “A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if: a) The expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue; b) The testimony is based on sufficient facts or data; c) The testimony is the product of reliable principles and methods; and d) The expert has reliably applied the principles and methods to the facts of the case.” (U.S. Government, 2014)

SECTION 7 FORENSIC EXAMINATION OF EVIDENCE

This is a case of suspected corporate data exfiltration via email. Because email was indicated as the exfiltration channel, I spent most of my time in the Communications tab and the Timeline viewer in Autopsy 4.9.1. The Communications tool inspects the drive image for email and social-media communications.

The Timeline tool lets the investigator see every event Autopsy has extracted from the computer in sequential order. This view helped me uncover many aspects of the timeline. An example of the timeline view can be seen below.

After identifying the email that contained the exfiltrated spreadsheet, I used the Timeline tool to examine the four hours before and after that email. Whenever I found a piece of digital evidence I deemed significant to the case, I repeated the same exercise, looking at the four hours before and after the new event. It is my opinion that working through each piece of evidence in this way establishes a useful timeline of events.
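The expansion procedure just described, written out as an added example (not the report's own tooling): each significant event pulls in everything within four hours either side of it, and any newly pulled-in event that is itself significant becomes a new pivot, until no new pivot appears. The event list is constructed for the demo and only loosely patterned on the Section 8 entries; a real run would load an Autopsy timeline export, and the significance rule used here (any email or removable-media event) is an assumption an examiner would tune to the case.

```python
"""Pivot-and-expand timeline reconstruction.

Added example, not part of the original report: it implements the procedure
described in Section 7 (start at the exfiltration email, collect every event
within four hours either side, then repeat around each newly found significant
event) over a constructed event list. Real input would be an Autopsy timeline
export; the significance rule below is an assumption an examiner would tune.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    when: datetime
    source: str   # artifact type, e.g. "email", "usb", "browser", "system"
    detail: str


WINDOW = timedelta(hours=4)


def expand_timeline(
    events: Iterable[Event],
    seeds: Iterable[Event],
    is_significant: Callable[[Event], bool],
    window: timedelta = WINDOW,
) -> Tuple[List[Event], Set[Event]]:
    """Return (included, pivots).

    A pivot is a seed, or any included event that is_significant() accepts.
    Every event within `window` of a pivot is included; newly included
    significant events become pivots in turn, so the window chains outward
    until no new pivot is found. The result is independent of pop order.
    """
    ordered = sorted(events, key=lambda e: e.when)
    frontier: List[Event] = list(seeds)
    pivots: Set[Event] = set()
    included: Set[Event] = set()
    while frontier:
        pivot = frontier.pop()
        if pivot in pivots:
            continue
        pivots.add(pivot)
        lo, hi = pivot.when - window, pivot.when + window
        for ev in ordered:
            if lo <= ev.when <= hi and ev not in included:
                included.add(ev)
                if is_significant(ev):
                    frontier.append(ev)
    return [e for e in ordered if e in included], pivots


def _t(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed events, loosely patterned on the Section 8 timeline (not the real export).
SAMPLE_EVENTS = [
    Event(_t("2008-07-18 06:11"), "chat", "AIM chat with colleague"),
    Event(_t("2008-07-19 16:23"), "browser", "Firefox started"),
    Event(_t("2008-07-19 16:33"), "email", "inbound mail from unfamiliar external address"),
    Event(_t("2008-07-19 18:26"), "usb", "removable drive connected"),
    Event(_t("2008-07-19 18:28"), "email", "outbound mail with spreadsheet attached"),
    Event(_t("2008-07-19 18:30"), "browser", "ad network domain visited"),
    Event(_t("2008-07-19 22:03"), "email", "inbound mail: 'I will handle it from here'"),
    Event(_t("2008-07-20 00:45"), "system", "workstation shutdown"),
    Event(_t("2008-07-20 09:15"), "email", "colleague reports data on competitor site"),
    Event(_t("2008-07-21 12:00"), "browser", "handbag shopping"),
]
SEED = SAMPLE_EVENTS[4]   # the outbound mail carrying the spreadsheet


def default_significance(ev: Event) -> bool:
    """Assumed rule for the demo: mail and removable-media events pivot."""
    return ev.source in {"email", "usb"}


def demo() -> Tuple[List[Event], Set[Event]]:
    return expand_timeline(SAMPLE_EVENTS, [SEED], default_significance)


if __name__ == "__main__":
    included, pivots = demo()
    for ev in included:
        flag = "*" if ev in pivots else " "
        print(f"{flag} {ev.when:%Y-%m-%d %H:%M} {ev.source:8} {ev.detail}")
```

In the constructed data the seed's own window ends at 22:28, yet the 00:45 shutdown is still reached because the 22:03 inbound mail becomes a pivot; the next-morning report from the colleague is not reached by any pivot and stays outside the reconstructed timeline, which is exactly the kind of gap the examiner must then bridge by hand.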


SECTION 8 TIMELINE

“Time and date stamps on files can be powerful evidence tying the defendant to the computer and the computer to the crime. Nevertheless, time and date stamps have limitations: Their accuracy is directly dependent on the accuracy of the computer’s internal clock, they are tied to a particular time zone, and they can be easily manipulated” (Gonzales, Schofield, & Hagy, 2007). The timestamps shown below are from Jean’s computer and are in her local time zone. No evidence of date or time manipulation was found on the computer.

• 6/12/2008 15:13:51 – Alison creates the original Excel document.
• 7/18/2008 6:11:05 – Jean and Alison have a lengthy AIM chat in which Jean jokes that she has a second job:
  m57jean (6:11:05 AM): must be that second job I moonight at... ha ha.
• 7/19/2008 16:23:26 – Jean opens Firefox. Jean typically uses Internet Explorer to access email.
• 7/19/2008 16:31:00 – Jean asks Alison whether she will use the Alex or the Alison email address. This predates any use of Alex by Alison.
• 7/19/2008 16:32:51 – First email from [email protected] to Jean. At this point it appears the attacker has taken control of Alison’s normal account and has Alison sending from the Alex account.
• 7/19/2008 16:33:21 – The VMware installation log records a successful software install.
• 7/19/2008 16:39:57 – Email from Alison to Jean mentions a potential investor asking for information for background checks.
• 7/19/2008 16:43:48 – Email from Alex (Alison) to Jean asking about programmers and whether she has heard anything from them.
• 7/19/2008 16:43:48 – Email from Alex (Alison) to Jean saying “Whoops. It looks like my email was misconfigured” and providing a corrected email address.
• 7/19/2008 18:22:45 – [email protected], using the reply address [email protected], emails Jean with the display-name field spoofed to Alison’s full email address ([email protected]), saying the VC guy is being very insistent and they need the file now.
• 7/19/2008 18:26:18 – A 256 MB flash drive is connected to the computer.
• 7/19/2008 18:27:42 – The file C:\Documents and Settings\Jean\Desktop\m57biz.xls is accessed.
• 7/19/2008 18:28:00 – Jean sends the reply email with the spreadsheet attached to ([email protected]) [email protected], which actually goes to the xy.dreamhostps.com domain.
• 7/19/2008 18:28:02 – Jean accesses a shortcut to VMware Shared Folders.
• 7/19/2008 18:28:03 – Jean accesses m57biz.xls again.
• 7/19/2008 18:30:28 – Jean visits the advertising.com domain using Internet Explorer. This may simply be an embedded ad loading, but it is recorded here in case the domain belongs to the competitor.
• 7/19/2008 10:03:40 – [email protected], originating from the xy.dreamhostps.com domain, emails Jean with the display-name field again spoofed to Alison’s full email address ([email protected]), saying “Thanks I’ll handle from here. Once again don’t tell anyone.”

At this point in the timeline the exfiltration is complete. Jean emails back stating “Sure thing”, and the next day her actions begin to be uncovered by her coworkers as they realize personal information about them is posted on the competitor’s website.

SECTION 9 OBSERVATIONS

I observed normal business computer use such as business email, AIM chats, and web searches related to potential product development. Intermingled with this business use was obvious personal use (e.g. handbag shopping) along with concerning use of VMware tools, large external drives, and switching between Internet browsers. The key observation that stands out to me as malicious is the email from Jean to Alison asking about the [email protected] email address prior to any communication from that address to Jean. This is the closest I was able to get to identifying concrete criminal intent. Based on my analysis of the evidence collected, I recommend the prosecuting attorney request additional testimony from Jean, specifically asking the following questions:

1. Why do you switch between Firefox and Internet Explorer?
2. What was the purpose of connecting the external drive at 18:26:18?
3. How did you know to email [email protected]?
4. What is the purpose of VMware Tools on your computer?
5. What does this statement in your AIM message log from 7/18 mean? m57jean (6:11:05 AM): must be that second job I moonight at... ha ha.
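A check for the header pattern recorded in the Section 8 timeline and behind question 3 above: a From header whose display name is itself a full email address that differs from the real sending address, and a Reply-To that steers answers to another domain. This is an added example, not from the report; the messages and addresses below are constructed on example.* domains and are not the case's real ones, which the text above redacts.

```python
"""Header checks for display-name spoofing and Reply-To redirection.

Added example, not part of the original report. It tests two patterns
recorded in the Section 8 timeline: a From header whose display name is
itself a full email address that differs from the real sending address,
and a Reply-To that sends answers to a different domain than the From
address. The sample messages and addresses below are constructed for the
demo and are not the case's real ones.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def spoof_indicators(raw_message: str) -> List[str]:
    """Return human-readable indicators; an empty list means none were found."""
    msg = message_from_string(raw_message)
    findings: List[str] = []

    display, from_addr = parseaddr(msg.get("From", ""))
    # 1. A display name that is an email address but not the sender's own.
    #    Many mail clients show only the display name, so the message reads
    #    as "from alison@..." while the real addr-spec is someone else.
    if "@" in display and display.strip().lower() != from_addr.lower():
        findings.append(
            f"display name '{display}' masquerades as an address; real sender is {from_addr}"
        )

    # 2. Replies silently redirected to another domain than the one in From.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(
            f"Reply-To {reply_to} is outside the sender's domain {_domain(from_addr)}"
        )
    return findings


# Constructed samples (example.* domains), not the case's real traffic.
LEGIT = """\
From: Alison <alison@example.com>
To: Jean <jean@example.com>
Subject: background check info

Can you send the list when you get a chance?
"""

SELF_NAMED = """\
From: "alison@example.com" <alison@example.com>
Reply-To: alison@example.com
To: Jean <jean@example.com>
Subject: Re: background check info

Display name equals the real address: nothing to flag.
"""

SPOOFED = """\
From: "alison@example.com" <alex@mail.example.net>
Reply-To: alex@example.org
To: Jean <jean@example.com>
Subject: Re: background check info

The VC guy is being very insistent. We need the file now.
"""

SAMPLES: Dict[str, str] = {"legit": LEGIT, "self_named": SELF_NAMED, "spoofed": SPOOFED}


def scan(messages: Dict[str, str]) -> Dict[str, List[str]]:
    """Run spoof_indicators over a labelled batch of raw messages."""
    return {label: spoof_indicators(raw) for label, raw in messages.items()}


if __name__ == "__main__":
    for label, findings in scan(SAMPLES).items():
        print(label, findings or ["no indicators"])
```

The self-named case is included deliberately: a display name that is an address is not suspicious on its own, only when it disagrees with the addr-spec, so the check compares the two rather than flagging every "@" in a display name.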

SECTION 10 FORENSIC EXAMINER’S CONCLUSION

It is my expert opinion that Jean was phished and was not complicit in the exfiltration of private data to the competitor. There are many unanswered questions for me. I believe that there is more to Jean’s story and she may be playing both attacker and victim. However, given the lack of clarity surrounding some of the circumstances and activity, my official position is that Jean was phished and was a victim. This is due to the following facts:

1. Jean stated that she sent the file to Alison.
2. To most non-technical users, the file appears to have been requested by Alison and sent to Alison.
3. Jean is not purported to be an expert in digital communication but has a background in accounting.
4. Jean redacted portions of the email messages at the request of the attacker, which made it harder for Alison to detect the data exfiltration and react quickly.

SECTION 11 CHAIN OF CUSTODY

Jeff Gordy – 11/19/2018 2:07 PM – nps-2008-jean.E01 downloaded from the University of San Diego file server to the analysis machine’s hard drive.
Jeff Gordy – 11/28/2018 6:45 AM – Autopsy case opened; nps-2008-jean.E01 image accessed and loaded for automated ingest analysis. All ingest options selected.
Jeff Gordy – 11/28/2018 1:52 PM – Autopsy Communications tab accessed.
Jeff Gordy – 11/28/2018 4:25 PM – Initial analysis concluded.
Jeff Gordy – 11/28/2018 5:04 PM – Report written.
Jeff Gordy – 11/28/2018 5:49 PM – Autopsy case closed.

WORKS CITED

Gonzales, A., Schofield, R., & Hagy, D. (2007). Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors. Washington, DC: National Institute of Justice.

U.S. Government. (2014, December 1). Federal Rules of Evidence. Retrieved from uscourts.gov: http://www.uscourts.gov/sites/default/files/Rules%20of%20Evidence....

