Computer Forensic Examination Report
Matthew Chiappone
University of San Diego
CSOL 590: Cyber Incident Response and Computer Network Forensics
Prof. Moore
12/13/2021
Table of Contents
Preparation ......................................... Pg 03
Background and Case Information ..................... Pg 04
Evidence Collection ................................. Pg 06
Analysis and Findings ............................... Pg 07
Findings Report ..................................... Pg 09
Final Review ........................................ Pg 17
References .......................................... Pg 18
Preparation
Each forensic investigation begins with ensuring everything is ready and updated before
the analysis starts. This includes determining who is involved in the chain of custody of the
evidence, what the original purpose of the investigation is, and what constitutes completion of
the analysis. It also means defining each member's responsibilities, including the shared
responsibility of maintaining adequate logs and process integrity until completion. Any questions
were asked and clarified before the investigation began, including who the pertinent members of
each party are. All members catalog events in a consistent manner throughout the entire process.
The technology used by each person must be updated and checked before any analysis is performed.
Forensic investigator's technology
The analysis lab
● The software used for this forensic investigation is Autopsy version 4.19.2 for
Windows 64-bit (Basis Technology, n.d.-a), the latest version available.
● The laptop runs 64-bit Windows with all updates and security patches applied as of
the date of this report.
● Microsoft Excel was used to verify the spreadsheet provided by the client against
spreadsheets found within the target forensic images.
● The VM runs 64-bit Windows and was created from a clean template. Each investigation
is performed on a new, clean VM so cross-contamination is avoided.
● The laptop and VM are protected with separate passwords, which are changed prior to
any new investigation to ensure access only by members of the analysis staff directly
involved. Physical access to the laptop is restricted solely to the forensic investigator.
● The forensic laptop and VM are encrypted, along with any media used for evidence
gathered and provided to the client.
Training
In preparation for this investigation, a refresher training course on Autopsy provided
by Basis Technology (Basis Technology, n.d.-b) was attended. The training was to ensure
understanding of any new or changed features in the version used.
Legal Considerations
All forensic analysis is performed according to current state and federal laws. In
this case the investigation was performed by the private company M57 on its own employees.
A signed computer use policy was verified before the investigation began.
“Private corporations investigating their own employees may not adhere to
most of the legal constraints discussed above. Frequently, private
corporations require employees to sign computer use policies that include
stipulations regarding the monitoring of computer activities. In these
cases, employees typically resign their privacy rights.” (Pollitt et al., 2004,
p. 398)
Background and Case Information
The company M57 is investigating an incident where confidential employee information
was found on a competitor's website. The information contained employee salaries and Social
Security numbers. The spreadsheet containing the information was only on one of the company's
officers' computers. M57 wants to know how the information made it to the website and what
sequence of events occurred before the information was leaked.
Initial information
● Confidential information was found on a competitor's website. The employee,
Jean, was the originator and sole internal possessor of the information in question.
● M57 conducted internal interrogations of both Jean, the CFO, and Alison, the
President of the company. The summary below was provided by M57.
○ Alison (President)
■ I don’t know what Jean is talking about.
■ I never asked Jean for the spreadsheet.
■ I never received the spreadsheet by email.
○ Jean (CFO)
■ Alison asked me to prepare the spreadsheet as part of a new funding
round.
■ Alison asked me to send the spreadsheet to her by email.
■ That's all I know.
● M57 provided a copy of the spreadsheet in question.
● M57 wants to know
○ When did Jean create this spreadsheet?
○ How did it get from her computer to a competitor's website?
○ Who else from the company is involved?
Evidence Collection
The hard drive forensic image was created by M57 in the EnCase E01 format and
was provided along with the spreadsheet containing the confidential information. M57
provided an encrypted external USB drive along with the passwords and keys to unlock
the drive. M57 created the image and also conducted the initial interrogation of the
employees. The representative for M57 was instructed to “Save the original materials:
You should always work on copies of the digital evidence as opposed to the original. This
ensures that you are able to compare your work products to the original that you
preserved unmodified.” (Obbayi, 2019) Working on a verified copy ensures any analysis or
forensic investigation can be run again against the data and is repeatable, so results
stay consistent.
Chain of custody is vital to the integrity of the investigation. Both parties
“Document date, time, and any other information of receipt. Recording the timestamps of
whoever has had the evidence allows investigators to build a reliable timeline of where
the evidence was prior to being obtained.” (Obbayi, 2019) The chain of custody was
cataloged and tracked by M57 and the forensic investigator. Signatures and date and time
stamps were collected and recorded upon delivery of the USB drive. Once the evidence
and final report were created, the information was copied to the original encrypted USB
drive and returned to M57. Again, signatures and date and time stamps were collected
and recorded upon delivery.
This investigation only involved the one computer hard drive in question and no
further data or collection was necessary. The original image creation date and
interrogation recordings were maintained by M57 and provided as a reference point for
the start of the chain of custody in this investigation.
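The two controls described in this section, working only on a verified copy of the original image and recording date, time and handler for every hand-off, are illustrated below in a small Python example. It is added here and is not part of the M57 materials, of Autopsy, or of the examiner's own tooling; the evidence bytes are a constructed stand-in for jeanm57.E01 and the hand-off timestamps are constructed, while the media serial and image name are the ones the report gives.

```python
"""Evidence integrity and chain-of-custody bookkeeping (added example, not report code)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-gigabyte image need not fit in memory


def sha256_of(data: bytes) -> str:
    """SHA-256 of the whole evidence blob, fed to the hasher chunk by chunk."""
    digest = hashlib.sha256()
    view = memoryview(data)
    for start in range(0, len(view), CHUNK):
        digest.update(view[start:start + CHUNK])
    return digest.hexdigest()


def verify_working_copy(original: bytes, copy: bytes) -> bool:
    """Analysis is valid only when the working copy hashes identically to the preserved original."""
    return sha256_of(original) == sha256_of(copy)


@dataclass
class CustodyEntry:
    when: datetime          # timezone-aware date and time of the hand-off
    released_by: str        # who signed the item over
    received_by: str        # who signed for it
    item: str               # what changed hands (media and image name)
    sha256: str             # hash of the image at the moment of transfer
    note: str = ""


@dataclass
class CustodyLog:
    entries: list = field(default_factory=list)

    def transfer(self, released_by: str, received_by: str, item: str, data: bytes,
                 when: Optional[datetime] = None, note: str = "") -> CustodyEntry:
        """Record a hand-off; the hash is recomputed from the media actually handed over."""
        entry = CustodyEntry(when or datetime.now(timezone.utc), released_by,
                             received_by, item, sha256_of(data), note)
        self.entries.append(entry)
        return entry

    def is_consistent(self) -> bool:
        """A sound chain is chronological, unbroken (each receiver is the next releaser),
        always names the same item, and never sees the hash change."""
        if not self.entries:
            return False
        first = self.entries[0]
        for prev, cur in zip(self.entries, self.entries[1:]):
            if cur.when < prev.when:
                return False
            if cur.released_by != prev.received_by:
                return False
            if cur.item != first.item or cur.sha256 != first.sha256:
                return False
        return True


# Constructed stand-in for the evidence image; a real run would read the .E01 file.
EVIDENCE_IMAGE = b"constructed stand-in for the bytes of jeanm57.E01\n" * 4096
MEDIA = "USB drive FRU463846sH / jeanm57.E01"   # serial and image name as given in the report


def demo_chain() -> CustodyLog:
    """The two hand-offs the report describes: delivery to the examiner, return to M57."""
    log = CustodyLog()
    t0 = datetime(2021, 12, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamps
    log.transfer("M57 representative", "Forensic examiner", MEDIA, EVIDENCE_IMAGE, t0,
                 note="signed for by both parties on delivery")
    log.transfer("Forensic examiner", "M57 representative", MEDIA, EVIDENCE_IMAGE,
                 t0.replace(day=13), note="returned with the report on the encrypted drive")
    return log


if __name__ == "__main__":
    chain = demo_chain()
    print("working copy verified:", verify_working_copy(EVIDENCE_IMAGE, bytes(EVIDENCE_IMAGE)))
    print("chain consistent:", chain.is_consistent())
    for e in chain.entries:
        print(e.when.isoformat(), e.released_by, "->", e.received_by, e.sha256[:16])
```

The hash is recomputed at each transfer rather than copied forward, so a drive that was altered between hand-offs shows up as a hash change in the log instead of being silently accepted.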
Analysis and Findings
The investigation and analysis were straightforward. The findings showed that Jean had
responded to what appeared to be a request from Alison, the president of M57. After analysis, the
header information in the email metadata revealed that the actual sender address was
[email protected], spoofing Alison's email address. It appears that Jean did not
review the actual sender's email address, which was subsequently shown as [email protected].
The findings for Jean and Alison are:
Jean
● Created the spreadsheet after the second (follow-up) spoofed email.
○ The spreadsheet contained the exact information provided by M57
○ The date and timestamp of last modified date coincided with the timeline
○ The same file on her desktop was attached in the email and sent to the
spoofed email address
● Her responses were as though she was contacting Alison and not acting in a
malicious manner.
● Did not encrypt, delete, or try to hide any evidence of the file or sending the file.
● Emails were intact and not deleted or removed.
● When questioned by an employee she responded as though she did not know
anything about the information being leaked.
● Is guilty of creating and sending the confidential information
● Not guilty of malicious intent
Alison
● Did not request the information via email
● Given her responses and the emails, did not appear to have any knowledge of the
request
● Did not receive the spreadsheet via email
● Was not involved in the release of the confidential information
Other Employees
● No other employees were involved in releasing the confidential information
Jean did not try to hide her actions or remove any evidence of what transpired. She acted
in line with her answers to the interrogation: she believed that Alison requested the
information and she provided it in a spreadsheet. Although Jean was guilty of sending
confidential and PII information, she was not guilty of malicious intent. It was negligent on her
part not to follow up with Alison to confirm the request, or to check the address the email
request came from. The presentation below outlines the timeline of events, the sender, the email
header data, and the spoofer's email address.
M57 Report
Forensic Examiner: Matt Chiappone
M57 Investigation and Findings Report
Reason: Leaked information
Offense
Confidential employee information was found on a competitor’s
website. The information had Social Security numbers and salary
information.
Accused
Jean (CFO): Only M57 employee with access to the spreadsheet and information found on
competitor's website.
Alison Smith (President): In question for requesting information on spreadsheet from Jean.
Contents
Background 1
Questions and Clarifications 1
Evidence Provided 2
Evidence Searched for and Examination Details 3
Analysis Results 5
Conclusion 5
Background
M57 has found confidential information on a competitor’s website. The sole employee with
access to the spreadsheet is Jean, the CFO. The initial investigation by M57 found that Jean
said that Alison had requested the spreadsheet in question. Alison denied all knowledge of this
request and said she did not request this information from Jean. The digital forensic disk image
of Jean’s hard drive was created by M57 and provided to me along with the spreadsheet in
question.
The forensic analysis was performed with Autopsy Digital Forensics software. The only image or
disk provided was the single hard drive forensic image. I did not have access to the original
laptop or hard drive.
Questions and Clarifications
The interrogation was conducted by M57. Jean and Alison were questioned about the incident.
Was the image collected from the original laptop?
Yes, and the original laptop was unused during the duration of the investigation.
Was the image collected with a write-blocker?
Yes, the image was collected with a write-blocker.
What information was needed for the outcome of this investigation?
Were Jean, Alison, or both involved in the release of this information? Who was responsible
for the information being leaked? What was the timeline of events from the file's creation to
when it was found on the competitor's website?
Evidence Provided
The original forensic image was created by M57 in the EnCase E01 format. The forensic image
jeanm57.E01 and the spreadsheet were provided on an encrypted USB drive. It was signed for by
both parties upon original delivery to me. The spreadsheet information is
The computer hardware was retained by M57.
A single USB drive with serial number FRU463846sH was the only drive used for evidence
transportation.
The interrogation recordings and information were performed and maintained by M57, and a
summary of findings was provided to me.
The summary of the investigation is:
Alison (President):
I don't know what Jean is talking about.
I never asked Jean for the spreadsheet.
I never received the spreadsheet by email.
Jean (CFO):
Alison asked me to prepare the spreadsheet as part of a new funding round.
Alison asked me to send the spreadsheet to her by email.
That's all I know.
Their account information:
Alison (President):
Jean (CFO):
Evidence Searched for and Examination Details
The client wanted to know the answer to these questions:
When did Jean create this spreadsheet?
How did it get from her computer to a competitor's website?
Who else from the company is involved?
Per the client's request the search focused on the spreadsheet in question, the timeline of its
creation, and when the file was sent to a third party. The file name provided by M57 matched
the file on Jean's computer, eliminating the need for file-by-file scanning or analysis.
During the forensic analysis of the image of Jean’s hard drive the sequence of events was
pieced together.
An initial email was sent to Jean by an unknown individual posing as Alison on 7-19-2008 at
16:39 PDT. The email stated that one of the investors needed information about current and
potential employees. It asked for a file to be created containing the salary and social security
numbers of the employees. Investigation of the email headers and data showed the return email
address as [email protected]. The email appeared to Jean as coming from
[email protected]
The same unknown individual, using the same email address [email protected] and
posing as Alison, sent a follow-up email on 7-19-2008 at 18:22 PDT to Jean stating an urgency
for the information requested.
Jean replied to the sender ([email protected]) with the attached file in question,
m57biz.xls. Below is a screenshot of the summary emails sent between the two parties,
[email protected] and [email protected].
The creation and last modified date were directly after a second email request was made from
what Jean incorrectly believed to be Alison’s email address. The file was created 7-19-2008 at
18:28 PDT.
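The header check described in the Analysis and Findings section and the sequence of events reconstructed above can be reproduced with a short Python script over exported message files. The code below is an added example, not code from the report, from M57 or from Autopsy. The three messages are constructed stand-ins for the emails the report describes: the report's real addresses are not reproduced, so every address is a placeholder under the reserved .example domain. The two request timestamps and the file-creation time are the ones the report states; the reply's Date header is constructed because the report does not give it.

```python
"""Spoofed-sender indicators and event timeline (added example, not report code)."""
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
from datetime import datetime, timedelta, timezone

PDT = timezone(timedelta(hours=-7))  # the report gives every time in PDT

# First request (constructed). "Alison" and her address are what Jean saw in her
# client; Reply-To and Return-Path carry the spoofer's real mailbox, so any reply goes there.
REQUEST_1 = """\
Return-Path: <spoofer@outside.example>
From: Alison <alison@m57.example>
Reply-To: <spoofer@outside.example>
To: Jean <jean@m57.example>
Date: Sat, 19 Jul 2008 16:39:00 -0700
Subject: info for an investor

One of the investors needs salary and SSN details for current and potential staff.
"""

REQUEST_2 = """\
Return-Path: <spoofer@outside.example>
From: Alison <alison@m57.example>
Reply-To: <spoofer@outside.example>
To: Jean <jean@m57.example>
Date: Sat, 19 Jul 2008 18:22:00 -0700
Subject: Re: info for an investor

This is urgent, please send it today.
"""

# Jean's reply (constructed; the Date is a placeholder) goes to the Reply-To address.
REPLY = """\
From: Jean <jean@m57.example>
To: Alison <spoofer@outside.example>
Date: Sat, 19 Jul 2008 18:35:00 -0700
Subject: Re: info for an investor
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Here is the file.
--b1
Content-Type: application/vnd.ms-excel; name="m57biz.xls"
Content-Disposition: attachment; filename="m57biz.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

FILE_CREATED = datetime(2008, 7, 19, 18, 28, tzinfo=PDT)  # m57biz.xls creation time per the report


def parse_message(raw: str):
    return email.message_from_string(raw, policy=policy.default)


def reply_target(msg) -> str:
    """Where a reply really goes: Reply-To wins, then Return-Path, then From."""
    for header in ("Reply-To", "Return-Path", "From"):
        value = msg.get(header)
        if value:
            return parseaddr(str(value))[1].lower()
    return ""


def spoof_indicators(msg) -> dict:
    """Compare the address shown to the reader with the address a reply is routed to."""
    display_name, shown = parseaddr(str(msg.get("From", "")))
    shown = shown.lower()
    target = reply_target(msg)
    return {
        "display_name": display_name,
        "shown_address": shown,
        "reply_target": target,
        "reply_goes_elsewhere": target != shown,
        "foreign_reply_domain": target.rpartition("@")[2] != shown.rpartition("@")[2],
    }


def attachment_names(msg) -> list:
    return [part.get_filename() for part in msg.iter_attachments()]


def message_time(msg) -> datetime:
    return parsedate_to_datetime(str(msg["Date"])).astimezone(PDT)


def build_timeline() -> list:
    """(time, label, detail) triples combining email headers with file metadata, in time order."""
    events = []
    for label, raw in (("request 1", REQUEST_1), ("request 2", REQUEST_2), ("reply", REPLY)):
        msg = parse_message(raw)
        ind = spoof_indicators(msg)
        detail = "from %s" % ind["shown_address"]
        if ind["reply_goes_elsewhere"]:
            detail += " [replies routed to %s]" % ind["reply_target"]
        if attachment_names(msg):
            detail += " attachments=%s" % ",".join(attachment_names(msg))
        events.append((message_time(msg), label, detail))
    events.append((FILE_CREATED, "file created", "m57biz.xls"))
    return sorted(events, key=lambda e: e[0])


def event_order(timeline) -> list:
    """Just the labels in time order, for reading or asserting the sequence."""
    return [label for _, label, _ in timeline]


if __name__ == "__main__":
    for when, label, detail in build_timeline():
        print(when.strftime("%Y-%m-%d %H:%M %Z"), label, detail)
```

The point of `reply_target` is that a mail client displays the From header, while a reply is addressed to Reply-To (or Return-Path) when present; a mismatch between the two is the indicator the report's header analysis surfaced, and is worth flagging automatically on any request for sensitive data.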
The contents of the attached file were verified against the file provided. The screenshot below is
from the summary report; the Social Security Numbers were blocked out.
It shows the file contents pulled from the attachment cache within Microsoft Outlook, which is the
email program used by M57.
The email chain was just between those two email addresses and no other internal employees
were involved or included on the emails.
The replies from Jean show that she thought the emails were going to Alison and the requests
were valid. The evidence shows that Jean did not delete, try to hide, show collusion, or show
malicious intent.
Analysis Results
The evidence and information were obtainable without the use of any external tools or software.
The image provided had all relevant material including date and time stamps and the data in
question. The integrity of the data was maintained by the creation of the forensic image. The file
comparisons were exact matches; since the data was found on a third-party website, the
comparison was performed against the data, not the exact file uploaded. The emails were intact
within Outlook on the machine.
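Because the data on the competitor's site is not the same bytes as the cached attachment, a hash match is not possible and the comparison has to be done on content. The Python example below, added here and not code from the report or from Autopsy, shows one way to do that: both tables are normalized cell by cell, compared as sets of rows, and any SSN column is masked in the same way the report's screenshots were. Both tables are constructed samples; names, salaries and SSNs are placeholders (000-area SSNs are never issued), not values from the real spreadsheet.

```python
"""Content-level comparison of a recovered spreadsheet against leaked data (added example)."""
import csv
import hashlib
import io
import re

# What an examiner would export from the cached m57biz.xls (constructed sample).
RECOVERED_CSV = """name,ssn,salary
Pat Example,000-00-0001,"$52,000"
Sam Example,000-00-0002,"$61,500"
Lee Example,000-00-0003,"$48,250"
"""

# The same figures as scraped from the competitor's page (constructed): different
# column names, row order, SSNs without dashes, salaries without currency formatting.
LEAKED_CSV = """Employee,SSN,Annual Salary
Lee Example,000000003,48250
Pat Example,000000001,52000
Sam Example,000000002,61500
"""

NON_DIGITS = re.compile(r"[^0-9]")
NUMERIC_LOOKING = re.compile(r"[\s$,.\-0-9]+")


def normalize_cell(value: str) -> str:
    """Collapse formatting differences: case and spacing in text, punctuation in numbers."""
    text = value.strip()
    digits = NON_DIGITS.sub("", text)
    if digits and NUMERIC_LOOKING.fullmatch(text):
        return digits
    return " ".join(text.split()).lower()


def table_rows(csv_text: str) -> set:
    """Rows as order-independent tuples; the header row is dropped because the two
    copies label their columns differently."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader, None)
    return {tuple(normalize_cell(cell) for cell in row) for row in reader if row}


def compare_tables(recovered: str, leaked: str) -> dict:
    """Exact content match plus the rows that explain any difference."""
    a, b = table_rows(recovered), table_rows(leaked)
    return {"match": a == b,
            "only_in_recovered": sorted(a - b),
            "only_in_leaked": sorted(b - a)}


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits, as the report's screenshots do."""
    return "***-**-" + NON_DIGITS.sub("", ssn)[-4:]


def redacted_rows(csv_text: str, ssn_column: int = 1) -> list:
    """Rows suitable for a report, with the SSN column masked."""
    rows = []
    for row in sorted(table_rows(csv_text)):
        cells = list(row)
        cells[ssn_column] = mask_ssn(cells[ssn_column])
        rows.append(tuple(cells))
    return rows


def file_hashes_differ(a: str, b: str) -> bool:
    """Byte-level hashes of the two copies differ even when the content matches."""
    return hashlib.sha256(a.encode()).hexdigest() != hashlib.sha256(b.encode()).hexdigest()


if __name__ == "__main__":
    result = compare_tables(RECOVERED_CSV, LEAKED_CSV)
    print("content match:", result["match"], "| byte hashes differ:", file_hashes_differ(RECOVERED_CSV, LEAKED_CSV))
    for row in redacted_rows(RECOVERED_CSV):
        print(row)
```

Normalizing before comparing is what makes the check robust to the reformatting a web page applies, while still reporting exactly which rows differ if the leaked copy was edited.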
Conclusion
The evidence shows that Jean was the creator of the spreadsheet in question. Jean sent the file
to whom she believed was Alison. Jean did not act in a malicious manner but is guilty of sending
the information to the outside individual. Jean was targeted directly and no other employee was
involved in sending or creating the spreadsheet in question.
Final Review
The investigation was completed quickly, efficiently, and within scope. Since there was
only a single drive image and one comparison spreadsheet, building the timeline was simple and
the result is reproducible. M57 created the initial forensic image and performed the interrogations,
saving both time and cost. No encryption or deletion of files was encountered, and the interactions
related to the investigation stayed between the three individuals determined to be involved in the
incident: Jean, Alison, and simsong (the spoofer). The chain of custody was maintained and
accounted for, as there was only one internal client for M57 and a single forensic investigator.
References
Basis Technology. (n.d.-a). Autopsy - Digital Forensics. https://www.autopsy.com/
Basis Technology. (n.d.-b). Training. Autopsy. https://www.autopsy.com/support/training/
Obbayi, L. (2019, July 6). Computer forensics: Chain of custody [updated 2019]. Infosec
Resources. https://resources.infosecinstitute.com/topic/computer-forensics-chain-custody/
Pollitt, M., Caloyannides, M., & Shenoi, S. (2004). In I. Ray (Ed.), Data and Applications
Security XVII: Status and Prospects. Springer US.
https://link.springer.com/content/pdf/10.1007%2F1-4020-8070-0_28.pdf