M57.biz report

Hill, Bennie A Mr CTR

Mirc 1st street San Diego CA

Background to the C ase

The case against defendant Jean Story, an employee at M57.biz, derives from

confidential information being leaked to the firm’s competitors. M57.biz claims that a

confidential spreadsheet, which contained the names and salaries of the company’s key

employees, was found posted to the comments section of one of the firm’s competitors. The firm

also claims that Jean was the only employee with that spreadsheet on her laptop. Jean states she

believes she was hack and does not know how the information left her laptop. I was given a disk

image of Jean’s Laptop and asked to answer the following questions:

Questions1 Was the data stole from Jean’s laptop?2 Did Jean release confidential information to a competitor?3 Did Jean intentionally release confidential information to a competitor?

List of Criminal Offenses

The criminal offences facing the defendant are:

Offense1 Violation of The Privacy Act of 1974,

o Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by the Privacy Act or by rules or regulations established there under, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.

Readiness

Forensic readiness is an important and occasionally overlooked stage in the examination

process. Readiness will include appropriate training, to ensure that my services are among the

2

most reliable services available. I have acquired the following certifications and kept them up to

date:

GIAC Certified Forensic Examiner

(GCFE)

GIAC Certified Forensic Analyst

(GCFA)

AccessData Certifies Examiner

(ACE)

Certified Forensic Computer

Examiner (CFCE)

Computer Hacking Forensic

Investigator (CHFI)

EnCase Certified Examiner (EnCe)

GIAC Reverse Engineering Malware

(GREM)

GIAC Network Forensic Analyst

(GNFA)

GIAC Advanced Smartphone

Forensics (GASF)

GIAC Cyber Threat Intelligence

(GCTI)

To ensure reliability of software and equipment, monthly updates and testing have been

conducted. The two programs (FTK and Autopsy) utilized and any supporting software

platforms have been updated to their latest version. The test include white, grey and black box

testing methods. FTK and Autopsy are tested in each method three times. For example FTK was

utilized during a white box testing scenario 3 times in the month of October 2018, as well as a

black and grey box scenarios. This is done to ensure that the programs are running how they

should be. If there was an error within the program, they would be corrected accordingly.

To ensure all measures of analysist are conducted in accordance with current law,

monthly legal checks have been conducted. Also legality checks are be conducted prior to

3

preparation for any forensic investigation. The checks include review of all current and new laws

and also highlight any old laws that might apply to the current investigation. Constitutional law

was be reviewed for privacy, search and seizure, and 1st amendment violations. Tort law was

analyzed for invasion of privacy and downstream liability violations. Also contract law, along

with evidence law were examined to ensure that the identification of evidence and identity

management was handle in the right way. Finally the dealing with unexpected issues (e.g., what

to do if indecent images of children are found present during a commercial job) and any

unexpected Issue that might have arose during the investigation, (e.g., images of child

pornography were found), would have resulted in an immediate stoppage of the investigation.

The issues that caused the halt would then be examined to the extent needed to determine if the

issue would constituent another crime or a hindrance to the investigation. If so, the proper

authorities would have been contacted. This does not mean the company would have been the

first to be notified, especially if it was a crime non-related to that of which the investigation

cover. The investigation would not commence again until the proper authorities granted that

authorization.

Evaluation

The Company, M57.biz, provided a disk image of the employee’s laptop for evaluation.

Sensitive company information was leaked and published by a competitor. The sensitive

information only existed on this one employee’s laptop. M57.Biz wants the laptop to be analyzed

for any data that could prove if the information was leaked purposely or not. All forensic

analysis and protection of the data was assigned to be conducted by Bennie Hill. Bigwig Inc

designated to be in charge of all facility security. An alternate warm site was set up in case a

4

natural disaster or a fire occurred at the original site. The alternate site had manned security to

ensure the data inside was not compromised.

Collection

Authorities acquire Jean’s laptop on the 21 July 2008. I was provided with a copy of the

warrant that authorized the authorities to confiscate Ms. Jean’s property on that date. After

confirmation that the data was obtained legally, I took possession of the disk image of Jean’s

laptop. Once the original evidence was received, the data was copied to a secure hard-drive so as

to ensure the integrity of that data was not compromised. The Hard-drive was protected by a

program called BitLocker to Go. This program provides protection to mobile hard drives such as

USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the

NTFS, FAT16, FAT32, or exFAT file systems. BitLocker also requires a password to access the

data within. The data from the Disk image was analyzed at a secure computer forensics

laboratory. When the hard-drive was not in the physical position of authorized handlers it was

stored in a two drawer GSA approved safe. Only individuals with authorized access to the hard

drive had the code for the safe. Authorized personnel consisted of:

Bennie Hill

The safe is located in a secure facility, which has 24 hour security coverage. The data on the

disk image was only reviewed or handled by authorized personnel. After the assessment was

completed, all data was given back to the proper authority. All examination, storage, and

transferences of the data on the disk image has been document for future review.

5

Analysis

The analysis of the data started with locating the company’s sensitive information that

was leaked. Once found, that information was analyzed and the date of creation and last

modification was recorded. All activity conducted around that time frame was consolidated on

the program Autopsy and analyzed. All data involved with communications, e.g. email, chat, and

any other forms of information sharing was analyzed. Then created documents, such as word,

excel spreadsheets, ect, in that time frame were analyzed and documented. Then all downloaded

media files, such as pictures, videos, or recordings, were analyzed. Finally all webpage history

would be analyzed for any suspicious activity.

Examination Details and Results

Using both the FTK and Autopsy software I was able to acquire information pertaining

the release of the M57.Biz confidential spread sheet. After finding the confidential spreadsheet

that was leak, I acquired it’s modification date, which was 20 July 2008. I then searched all data

in a 3 month time frame around that date. First I analyzed all of the email communication, which

produced key information pertaining to the release of the confidential spread sheet. In an email

chain between jean@m57.biz (possibly defendant Jean) and alsion@m57.biz (possibly Allison

Smith, Jean’s boss at M57.biz) the confidential spread sheet was transmitted. The email chain

between the two emails, started with alsion@m57.biz requesting that jean@m57.biz create the

confidential spreadsheet. Then alsion@m57.biz requested that jean@m57.biz send the

confidential spreadsheet. The individual from the jean@m57.biz email sent the confidential

spreadsheet to alsion@m57.biz email. However upon further analysis, whenever the

alsion@m57.biz email address requested for the creation and the sending of the confidential

information, the Return-Path on the email header was allocated to an email

6

simsong@xy.dreamhostps.com. And when jean@m57.biz replied to the original message that

requested for the confidential spreadsheet, the email address tuckgorge@gmail.com displayed in

the original message header (as displayed below):

The fact that the Return-Path email was different than the alison@m57.biz email and the original

message requesting for the confidential information came from tuckgorge@gmail.com, and used

alison@m57.biz as a display name, lends to the possibility that an email spoofing attack was

conducted. Email spoofing is when an email header is modified to make the recipient of the

email believe it came from a source other than the actual source.

The following are the key email traffic between the email address jean@m57.biz and

alsion@m57.biz, with annotations of when the header had been alter:

7

 Sender Reciever Emailsjean@m57.biz Alison@m57.biz Are you going to use alex@m57.biz or

Alison@m57.biz? Alex@m57.biz jean@m57.biz Hi, Jean have you started putting together the

financial projections yet?Alex@m57.biz jean@m57.biz (sent 10 emails with various news postings and

links)Alex@m57.biz jean@m57.biz This one, obviously.

Alison@m57.biz Return-Path: simsong@xy.dreamhostps.com

jean@m57.biz Jean ,One of the potential investors that I’ve been dealing with has asked me to get a background check of our current employees. Apparently they recently had some problems at some other company they funded.Could you please put together for me a spreadsheet specifying each of our employees, their current salary, and their SSN?Please do not mention this to anybodyThanks.(ps: because of the sensitive nature of this, please do not include the text of this email in your message to me. Thanks)

Alison@m57.biz jean@m57.biz Have you heard anything yet from Alice, Bob and Carol? They were all supposed to start last week.

Alison@m57.biz jean@m57.biz Whoops. It looks like my email was misconfigured. My email is Alison@m57.biz, not alex. Sorry about that.

Jean@m57.biz alex So are you going to get this email?

Jean@m57.biz alex Not yet

Jean@m57.biz Alison@m57.biz Sure thing.

Jean@m57.biz Alison@m57.biz I’m confused

Alison@m57.biz jean@m57.biz Yes, I got this email

Alison@m57.biz jean@m57.biz Well, make it happen

Alison@m57.biz jean@m57.biz What’s a “sure thing”?

Alison@m57.biz jean@m57.biz Sorry; I don’t know why I sent that to you. (in regards to her 10 emails about news)

Alison@m57.biz jean@m57.biz Please stop this email train

Alison@m57.biz Really: tuckgorge@gmail.com

jean@m57.biz Hi, Jean.I’m sorry to bother you, but I really need that information now--- this VC guy is being very insistent. Can you please reply to this email with the information I requested --- the names, salaries, and social security numbers(SSNs) of all our current employees and intended hires?Thanks,Alison

8

Jean@m57.biz Alison@m57.biz Really: tuckgorge@gmail.com

I’ve attached the information that you have requested to this email message. (attachment has confidential spreadsheet)

Alison@m57.biz Really: tuckgorge@gmail.com

jean@m57.biz Jean,Thanks for the file. I’ll handle it from here. Once again, please don’t tell anyone about this.

Conclusion

Answers to aforementioned questions:

1. Was the data stolen

2. from Jean’s laptop? No, the data was not stolen from her laptop.

3. Did Jean release confidential information to a competitor? Yes, she emailed the

information to tuckgorge@gmail.com email.

4. Did Jean intentionally release confidential information to a competitor? No, I can not

confirm that Jean intentionally released the confidential information.

Recommendations

1. It is possible that the Defendant, Jean, was a victim of email spoofing, so I cannot

recommend that Jean be found guilty in the case against her.

2. I recommend that further investigation be conducted into Alison’s digital property, to see

if she had any further knowledge of the compromise that took place.

3. I also recommend further investigation into the owners of the AIM account names

alisonm57 and m57jean. There were some suspicious messages between the two accounts

shortly before the compromised occurred.

9

ReferenceBosworth, Seymour, et al. (2009) Computer Security Handbook. John Wiley & Sons.

Conklin, Wm Arthur, et al. (2015) CompTIA Security : Exam Guide (Exam SYO-401).

McGraw-Hill.

The United States Department of Justice

https://www.justice.gov/jm/eousa-resource-manual-142-judicial-remedies-and-penalties-

violating-privacy-act

10