CSOL-590, Cyber Incident Response and Computer Network Forensics, Fall 2018
I was introduced to network forensics techniques and incident response during Fall 2018 by Professor Thoma Plunketta. The course was CSOL-590, Cyber Incident Response and Computer Network Forensics. It was very interesting, as I was learning for the first time how to conduct a basic investigation using forensic tools such as Autopsy or AccessData FTK Imager, and how to follow an email trail to pinpoint issues and establish the truth using a real example. No book was required for this course.
The process used to collect and analyze data, and the tools used, were all part of the learning experience. Proving that the chain of custody of the evidence was kept intact, coupled with an event timeline, was critical to establishing the truth. The content in this section goes into practical detail using M57.BIZ as the company under forensic examination, following the leak and publication by an unauthorized company of a Microsoft Excel spreadsheet of confidential information. In this leak, Jean, the CFO of M57.BIZ, was accused of leaking the data, and digital forensics will prove his innocence or guilt.
M57.BIZ is a start-up company in the business of developing a body art catalog. A few weeks after inception, on July 20, 2008, at 16:53:19, they realized that a Microsoft Excel spreadsheet containing confidential information on nine of their employees, including name, salary, and social security number, had been fraudulently posted on a competitor's website as an attachment. Neither Alison Smith, the company CEO, nor Jean, the CFO, knew how the spreadsheet ended up there. I was assigned to investigate the case as a Computer Forensic Investigator. To analyze the data from Jean, who is suspected of being the source of the leak, I will use Autopsy, a forensic toolkit, to uncover data, including deleted files.
Cyber forensics, also known as digital forensics or computer forensics, is the process of recovering data and information from a computer or personal computing device to serve as digital evidence to prove and legally prosecute cybercrime and cybercriminals. According to the US-CERT (2008), "Forensics also is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts."
Chain of custody
Chain of custody is the documented history related to specific pieces of evidence. The chain of custody’s main goal is to preserve the integrity of the evidence; without it, the court may find the evidence inadmissible. According to INFOSEC (n.d.), "The chain of custody in digital forensics can also be referred to as the forensic link, the paper trail, or the chronological documentation of electronic evidence. It indicates the collection, sequence of control, transfer, and analysis. It also documents each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer."
Questions asked relevant to the case
To legally access Jean's data, relevant questions were asked of both Alison Smith and Jean in the form of an interview. Their answers were as follows:
Alison:
(a) I don't know what Jean is talking about.
(b) I never asked Jean for the spreadsheet.
(c) I never received the spreadsheet by email.
Jean:
(a) Alison asked me to prepare the spreadsheet as part of a new funding round.
(b) Alison asked me to send the spreadsheet to her by email.
(c) That's all I know.
Search, seizure, and transport of evidence
Since access to data may require login credentials, I asked Alison and Jean to provide me with their email addresses and passwords. To comply with the law, a search warrant was obtained, as prescribed by the DOJ document, to gain access to Jean's computer. According to Jarrett, Bailie, Hagen, & Judish (2002), the "investigator should carefully consider the appropriate goals in drafting the warrant to ensure that sufficient evidence may be collected according to the warrant" (p. 63). Following this, the hard drive was taken, and a copy of the said spreadsheet was given to me.
Evidence to search for
Based on the nature of the case surrounding the publication of a spreadsheet, I will be looking for the following on the seized hard drive:
(a) The Outlook file for email communication
(b) The Microsoft Excel spreadsheet file
(c) The deleted files, to find out whether any relevant file was deleted
(d) The file creation timeline, the last modification, and who made it
(e) Who reported the incident to the M57.BIZ team
(f) The sent email containing the spreadsheet file, to be downloaded
(g) The spreadsheet file on the hard drive, to be downloaded
(h) A comparison of both files to see whether they match
After the hard drive was obtained, I created an image of it using Autopsy to help with the analysis. Below is a screenshot of the program and the content of the image.
Fig 1: Email trail in Autopsy view
List of criminal offenses
No criminal offense was found except the sharing of confidential information without prior authorization. My goal here is to determine whether Jean intentionally shared this information or whether he was the victim of a computer hack or something of that nature.
I used Autopsy to analyze and extract pertinent information that was critical to establishing the facts:
(a) The email trail communication
(b) The Microsoft Excel spreadsheet file found on Jean's computer
(c) The email to which Jean attached the spreadsheet and sent to a wrong email address
Chain of custody: unaltered evidence
Chain of custody is the documented history related to specific pieces of evidence. In this case, the evidence is the E01 file created off the hard drive that was seized during the search. Here I’m providing the MD5 hash of the image created:
MD5 verification hash: 78a52b5bac78f4e711607707ac0e3f93
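Two of the checks described above (re-hashing the E01 image to show the evidence is unaltered, and comparing the emailed attachment with the on-disk spreadsheet, item (h) of the evidence list) can be scripted. The following is an added example, not part of the original write-up and not Autopsy's own code; it streams each file once, records both MD5 and SHA-256 in a chain-of-custody entry, and runs against constructed sample files rather than the real image. The recorded hash constant is the one quoted above; the file names and byte contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# MD5 recorded in the write-up above for the E01 image of Jean's drive.
RECORDED_IMAGE_MD5 = "78a52b5bac78f4e711607707ac0e3f93"

CHUNK_SIZE = 1024 * 1024  # read large images in 1 MiB chunks


def file_digests(path):
    """Stream a file once and return its (md5, sha256) hex digests."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def verify_image(path, expected_md5):
    """Re-hash an evidence image and return a chain-of-custody log entry.

    'intact' is True only when the recomputed MD5 equals the hash recorded
    at acquisition time. The SHA-256 is stored alongside it because MD5
    collisions are practical, so a second algorithm makes the record stronger.
    """
    md5, sha256 = file_digests(path)
    return {
        "artifact": os.path.basename(path),
        "verified_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "md5": md5,
        "sha256": sha256,
        "expected_md5": expected_md5.lower(),
        "intact": md5 == expected_md5.lower(),
    }


def files_match(path_a, path_b):
    """Compare two files by SHA-256 (e.g. the emailed attachment vs the on-disk copy)."""
    return file_digests(path_a)[1] == file_digests(path_b)[1]


def demo():
    """Run the checks on constructed sample files; none of this is real evidence."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "constructed.E01")
        sent = os.path.join(tmp, "attachment.xls")
        disk = os.path.join(tmp, "on_disk.xls")
        image_bytes = b"constructed image bytes, not a real E01\n" * 1000
        with open(image, "wb") as fh:
            fh.write(image_bytes)
        for p in (sent, disk):
            with open(p, "wb") as fh:
                fh.write(b"constructed spreadsheet bytes\n")
        # Hash noted at "acquisition" of the constructed image.
        acquired_md5 = hashlib.md5(image_bytes).hexdigest()
        untouched = verify_image(image, acquired_md5)["intact"]
        # The constructed file cannot match the hash recorded for the real image.
        mismatch = verify_image(image, RECORDED_IMAGE_MD5)["intact"]
        return untouched, mismatch, files_match(sent, disk)


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Each `verify_image` entry is meant to be appended to the custody log every time the image changes hands or is opened for analysis, so the record shows an unbroken series of matching hashes from acquisition to court.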
Based on the digital evidence obtained and analyzed, Alison, the President of the company, created an Excel file on June 12, but I could not tell whether this original file contained the list of all employees; it may only have been used as a template. At some point, this list, or at least the file, was shared with Jean, the CFO, who updated the file on July 19 to include the employees of M57.BIZ. It was shared by means other than email, as there was no trace of it in the analyzed evidence.
Fig 2: Proof the original file was created by Alison
Mr. Alison's email address was firstname.lastname@example.org, and Jean's was email@example.com. On July 19, 2008, at 18:21, Jean received an email from a person he thought was his boss, Alison, the president of the company, as the email appeared to be from him (firstname.lastname@example.org <email@example.com>): the display name showed Alison's address while the actual sending address was a different one.
This was a classic email spoofing attack. Jean was tricked into believing he was sending an email to the president while he was actually exposing confidential company data to an external individual. That is how the information ended up being published on a third-party website.
Fig 3: Wrong email Address
Fig 4: Timeline
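The display-name spoof described above (a From header whose visible name is one address while the real address in angle brackets is another) is something an analyst can check for mechanically when walking an email trail. The following is an added example, not part of the original write-up; it uses Python's standard `email` module and a few header-consistency rules, and runs over constructed sample messages. The addresses `alison@m57.biz`, `jean@m57.biz` and the `example.net` addresses are assumptions made for the sample, not addresses recovered from the case; the spoofed display name is assumed to be quoted, as mail clients usually produce it.

```python
from email import message_from_string
from email.utils import parseaddr


def header_findings(raw_message):
    """Return a list of reasons the sender headers look spoofed (empty list = nothing found)."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # Rule 1: the display name is itself an address that differs from the real sender.
    # This is the pattern from the case: the name shows the boss's address,
    # the angle-bracket address is the outsider's.
    if "@" in display and display.strip().lower() != addr.lower():
        findings.append(f"display name '{display}' hides real address '{addr}'")

    # Rule 2: replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To '{reply_to}' differs from From '{addr}'")

    # Rule 3: the envelope sender (Return-Path) is on a different domain than From.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = return_path.rpartition("@")[2].lower()
    if return_path and rp_domain != from_domain:
        findings.append(
            f"Return-Path domain '{rp_domain}' differs from From domain '{from_domain}'"
        )
    return findings


# Constructed sample headers, not the messages recovered from the evidence.
SPOOFED_DISPLAY_NAME = (
    'From: "alison@m57.biz" <spoofer@example.net>\n'
    "To: jean@m57.biz\nSubject: spreadsheet\n\nPlease send the spreadsheet.\n"
)
SPOOFED_REPLY_TO = (
    "From: Alison <alison@m57.biz>\nReply-To: spoofer@example.net\n"
    "Return-Path: <bounce@example.net>\nTo: jean@m57.biz\nSubject: spreadsheet\n\nPlease send it.\n"
)
LEGITIMATE = (
    "From: Alison <alison@m57.biz>\nReturn-Path: <alison@m57.biz>\n"
    "To: jean@m57.biz\nSubject: hello\n\nHi.\n"
)


if __name__ == "__main__":
    for label, sample in [("display-name spoof", SPOOFED_DISPLAY_NAME),
                          ("reply-to spoof", SPOOFED_REPLY_TO),
                          ("legitimate", LEGITIMATE)]:
        print(label, header_findings(sample))
```

Rule 1 is the one that would have flagged the message Jean received; rules 2 and 3 catch related patterns where the From address is genuine-looking but replies or bounces are routed elsewhere. Running such checks over every message in an exported mailbox gives the analyst a short list of suspicious items to examine in Autopsy rather than reading the whole trail by hand.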
Based on my findings, I would say Jean was a bit negligent, but I will not recommend pressing charges against him. Alison, on the other hand, was aware of the spreadsheet being prepared, since he was the one who gave the template to the CFO, and it was probably at his request.
No charges should be pressed against Alison either, since he never sent the information to a third party. He certainly had an internal discussion about the need for a financial document on employees but never sent it to the outside world. He also never received the spreadsheet after Jean made his changes to it.
Jarrett, M., Bailie, M. W., Hagen, E., & Judish, N. (2002). Searching and seizing computers and obtaining electronic evidence in criminal investigations [PDF file]. Retrieved from the DOJ website: Searching and Seizing Computers and Obtaining Electronic Evidence
INFOSEC (n.d.). Computer forensics: Chain of custody. Retrieved from the INFOSEC website: Computer Forensics: Chain of Custody
US-CERT (2008). Computer Forensics. Retrieved from US-CERT website:
Computer forensics is one of the areas that requires a proven level of professionalism and ethical grounding from forensic investigators, as it touches on legal issues that can be a matter of survival. It is not fun to be convicted and sentenced for something one did not do. The importance is heightened by the fact that digital forensics may lead to conflicts with the Fourth Amendment of the United States Constitution (the right to privacy). Since the computer, which is the cornerstone item during an investigation, can be used as a piece of evidence, computer forensic examination unfortunately poses a recurring Fourth Amendment problem. For example, computer storage media can reveal facts relevant to an investigation, but what happens if the investigation uncovers other data that has nothing to do with the current investigation yet incriminates the suspect in other crimes? This is where the professional conduct of the investigator and their ethical compass are so important.
Cyber investigations, as I came to understand, require a good knowledge of laws, practices, and forensic tools to carry out a computer forensic examination successfully. During the course, I discovered quite a lot of forensic tools, each with its own particularities. Computer-Aided Investigative Environment (CAINE), SANS Investigative Forensic Toolkit (SIFT), Autopsy, and FTK Imager are just a few examples. Another source of great help for an investigator that I came to discover is the Scientific Working Group on Digital Evidence (SWGDE). This group's goal is to bring together law enforcement, academic, and commercial organizations to develop guidelines and standards for the recovery, preservation, and examination of digital evidence. In my opinion, this is an excellent resource to consult when conducting a forensic investigation. I have learned, for example, that during evidence handling, if a computer is turned off, it should not be turned on, and that before powering a computer down, one should consider the possibility of encryption software being installed on the computer or built into the operating system. If present, appropriate forensic methods should be used to capture the encrypted data before the computer is powered down. From these two examples alone, I can see the need to consult this source during an investigation.
With the increase in data exchange via a variety of digital devices, investigators are relying more on these media to provide the strongest possible proof a case can offer. Not long ago, investigators could not use the text messages on phones for digital forensics, because those phones were not smart and lacked this feature. Now, a trail of text messages from a cell phone can be crucial in convicting or freeing a suspect.
After going through this course, I feel professionally equipped with new knowledge that gives me a renewed view of digital devices, and I note an obligation to act ethically. Anti-forensics, for example, is unprofessional and ethically wrong, since its goal is to tamper with the integrity of data to mislead the forensic investigator.
Before this course, my view of media such as hard drives, CDs/DVDs, computers, and smartphones was that they were necessary instruments for managing data, nothing else. Now I understand that the story does not end there. I am aware that these electronics can serve needs well beyond their traditional purposes: they can be used as evidence, key material providing the smoking gun in a legal issue before a court of law.