RUNNING HEADER: CSOL590 FINAL PROJECT ASSIGNMENT
Computer Forensic Examination Report:
M57.biz Case
Student: Frank Ahan
Institution: University of San Diego
Instructor: Ron Fulton, M.S.
Class: CSOL-590-004-FA21
Date: 9 December 2021
COMPUTER FORENSIC EXAMINATION REPORT 2
Table of Contents
Introduction ............................................... 3
Background to the Case ..................................... 3
Evidence and Tools Used .................................... 3
Analysis ................................................... 4
Findings ................................................... 4
Conclusion and Recommendations ............................ 11
Introduction
The purpose of this report is to explain the processes and tools used to analyze the digital
evidence that was submitted to the digital forensics analyst, walk through the analysis,
explain the findings, and offer recommendations.
Background to the Case
What prompted this case and the investigation was that confidential information was
posted, as an attachment, on the "technical support" forum of a competitor of M57.biz. How did that
attachment end up on that website?
Two witnesses were interviewed: Alison, President of M57.biz, and Jean, CFO of M57.biz.
The following was gathered from those interviews.
• Alison has and had no knowledge of any request for Jean to send the information found on
the spreadsheet in question. Alison also said she never received the spreadsheet from
Jean.
• Jean received an email, apparently from Alison, requesting the information and the spreadsheet as part
of a new funding round; it was to be sent to Alison's email address.
The email addresses of the witnesses were obtained along with their login credentials. Alison's
email address is alison@m57.biz and Jean's email address is jean@m57.biz.
Evidence and Tools Used
A bit-for-bit image of the hard drive of the employee in question was provided and used.
• http://downloads.digitalcorpora.org/corpora/drives/nps-2008-m57-jean/nps-2008-jean.E01
• http://downloads.digitalcorpora.org/corpora/drives/nps-2008-m57-jean/nps-2008-jean.E02
Working from the provided image gives an exact clone of the original hard drive without
the danger of losing or accidentally altering information on the original drive, which is the
digital evidence itself. Because the image is bit-for-bit, all data is preserved, including deleted
files and logs. The hashes are provided in the supplementary analysis report to prove that the
image is a faithful copy of the original. The E01 format also embeds its own acquisition hash and
per-chunk checksums, so the image can be re-verified on receipt (for example with FTK Imager's
Verify Drive/Image function) before any analysis begins.
A combination of FTK Imager and Autopsy, both digital forensics platforms, was used to
process the image file. Before loading the evidence image, other sample files were used to confirm
that the programs were working as intended. Both programs are properly licensed and were used
for their intended purposes. All processes have been documented and are provided in the
supplementary analysis report, in accordance with the documentation requirements of the chain of
custody for digital evidence.
Analysis
Once the image was loaded and processed, the email files were located and a discovery
process was started. The email carrying the attachment in question was found, and the related
conversation and thread emails were also examined. Both the message text and the headers were
reviewed, in particular the visible sender address against the Return-Path, to reconstruct how
events unfolded. From the emails a timeline was assembled to get a clearer picture of the
succession of events and ultimately to explain how the information was exfiltrated from the
company and ended up on the competitor's website.
Findings
The first email appears to be the start of the chain of events.
Figure 1: First email
The text shows the request for the background check, with a timestamp of 2008-07-19
16:39:57.
Figure 2: Text of the initial Email
Inspecting the headers reveals that the Return-Path of this email (the envelope sender, to which
bounces are returned) is not the purported sender alison@m57.biz but
simsong@xy.dreamhostps.com.
Figure 3: Header information showing different email address
The second email received by Jean, who still assumed it was from Alison, came two hours later and
put pressure on Jean to send the file urgently.
Figure 4: Second email, urgency requested
Figure 5: Second email text
The header of this email again shows that it did not come from alison@m57.biz but from
simsong@xy.dreamhostps.com; a further address, tuckgorge@gmail.com, also appears in the header.
Figure 6: Header information
A third email was then received, thanking Jean for the file and asking her not to let anyone know
that such a file had been sent.
Figure 7: Third Email
From the text, it appears the impostor got sloppy and exposed tuckgorge@gmail.com in the
message body itself.
Figure 8: Text of third email in question
Again, the header shows the message coming from, and returning to, the
simsong@xy.dreamhostps.com address.
Figure 9: Header Information
Interestingly, some legitimate correspondence was still going back and forth between Jean
and Alison. Because this outside thread was unknown to Alison, she sent back a confused
message.
Figure 10: Confused Message
Figure 11: Text
Figure 12: From legitimate address
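The header comparison applied in Figures 3, 6 and 9 (a visible From: of alison@m57.biz against a Return-Path at xy.dreamhostps.com), the stray address in the body of the third message, and the timeline assembled in the Analysis section can all be automated. The script below is an added example written for this report; it is not part of the original examination and is not code from FTK Imager or Autopsy. Its four messages are constructed to follow the header pattern described above: the subjects, bodies, the -0700 time zone and the placement of tuckgorge@gmail.com in a Reply-To: header are assumptions, not values taken from the image, and m57.biz is treated as the only trusted sender domain.

```python
"""Added example: spoofed-sender triage and timeline over captured e-mails."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr, parsedate_to_datetime
from typing import Dict, List, Optional

TRUSTED_DOMAIN = "m57.biz"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample messages (assumption: they follow the header pattern the
# report describes; subjects, bodies, the -0700 time zone and putting
# tuckgorge@gmail.com in Reply-To: are invented, not copied from the image).
# Deliberately listed out of chronological order.
SAMPLE_MESSAGES = [
    """Return-Path: <simsong@xy.dreamhostps.com>
Reply-To: tuckgorge@gmail.com
From: Alison <alison@m57.biz>
Date: Sat, 19 Jul 2008 18:41:10 -0700
Subject: RE: background checks

Jean, I need that spreadsheet right now, the investors are waiting.
""",
    """Return-Path: <alison@m57.biz>
From: Alison <alison@m57.biz>
Date: Sun, 20 Jul 2008 10:05:00 -0700
Subject: Re: spreadsheet?

Jean, what spreadsheet? I never asked you for one.
""",
    """Return-Path: <simsong@xy.dreamhostps.com>
From: Alison <alison@m57.biz>
Date: Sat, 19 Jul 2008 16:39:57 -0700
Subject: background checks

Jean, please send me the employee spreadsheet for the new funding round.
""",
    """Return-Path: <simsong@xy.dreamhostps.com>
From: Alison <alison@m57.biz>
Date: Sun, 20 Jul 2008 09:12:30 -0700
Subject: RE: background checks - thanks

Thanks for the file. Keep this between us, it is confidential.
Any questions, write to tuckgorge@gmail.com.
""",
]


def address(msg: Message, header: str) -> Optional[str]:
    """Bare, lower-cased address from an address header, or None if absent."""
    value = msg.get(header)
    return (parseaddr(value)[1].lower() or None) if value else None


def domain_of(addr: Optional[str]) -> Optional[str]:
    return addr.rsplit("@", 1)[1] if addr and "@" in addr else None


def body_text(msg: Message) -> str:
    """Decoded text of a single-part message (multipart bodies are skipped)."""
    raw = msg.get_payload(decode=True) or b""
    return raw.decode(msg.get_content_charset() or "utf-8", errors="replace")


def check_alignment(msg: Message, trusted: str = TRUSTED_DOMAIN) -> Dict[str, object]:
    """Flag a message whose From: claims the trusted domain while its envelope
    sender (Return-Path:) or Reply-To: lives elsewhere, which is the comparison
    DMARC alignment makes, and note outside addresses written into the body."""
    sender, envelope, reply_to = (address(msg, h) for h in ("From", "Return-Path", "Reply-To"))
    reasons: List[str] = []
    if domain_of(sender) == trusted:
        if envelope and domain_of(envelope) != trusted:
            reasons.append(f"Return-Path {envelope} is outside {trusted}")
        if reply_to and domain_of(reply_to) != trusted:
            reasons.append(f"Reply-To {reply_to} is outside {trusted}")
    outside = sorted({a.lower() for a in EMAIL_RE.findall(body_text(msg))
                      if domain_of(a.lower()) != trusted})
    if outside:
        reasons.append("body names outside address(es): " + ", ".join(outside))
    return {"from": sender, "return_path": envelope, "reply_to": reply_to,
            "body_addresses": outside, "suspicious": bool(reasons), "reasons": reasons}


def build_timeline(raw_messages: List[str], trusted: str = TRUSTED_DOMAIN) -> List[Dict[str, object]]:
    """Parse each raw message, run the alignment check and order by Date: header."""
    events = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        event = check_alignment(msg, trusted)
        event["when"] = parsedate_to_datetime(msg["Date"])
        event["subject"] = msg.get("Subject", "")
        events.append(event)
    return sorted(events, key=lambda e: e["when"])


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_MESSAGES):
        print(f"{e['when']:%Y-%m-%d %H:%M:%S %z}  From={e['from']}  "
              f"Return-Path={e['return_path']}  {'SUSPICIOUS' if e['suspicious'] else 'ok'}")
        for reason in e["reasons"]:
            print("    -", reason)
```

Run as a script it prints the sorted timeline with a SUSPICIOUS flag and the reasons for each message; on real evidence the raw messages would be exported from the mail store in the image and passed to build_timeline. The Received: header chain, which shows the host that actually submitted each message, is the next thing to pull from the same headers.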
Conclusion and Recommendations
After reviewing the evidence, in particular the email correspondence between Jean and
Alison, it appears that Jean (jean@m57.biz) was the victim of email spoofing: she believed the
President of the company, Alison (alison@m57.biz), was asking for sensitive information held in a
spreadsheet. Common social-engineering tactics were found, such as putting time pressure on the
victim to send the information as soon as possible and asking the victim not to tell anyone
because the matter was confidential. These should have been red flags, and the victim should have
contacted Alison directly through another channel, such as an SMS message or a phone call.
Messages were exchanged between Jean and the spoofer while other messages passed between
Jean and Alison, in which Alison expressed confusion. Finally, as the various engineers heard that
their information had been posted somewhere, they reached out to Jean to find out what was going
on. This tipped off Jean that something was amiss, and she reported it to the proper authorities.
To avoid a recurrence of such events, we recommend that M57.biz deploy the available tools
to detect email spoofing and filter spoofed messages out before they reach users' inboxes, in
particular by publishing SPF, DKIM and DMARC records for m57.biz and enforcing them on inbound
mail. Provide training going forward so that users can spot and detect spoofing, and so that they
reach out by other means if a message or request seems off. Lastly, use Data Loss Prevention
tools to block the sending of personally identifiable information through insecure channels and
as attachments.
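The spoofing pattern documented in the findings (a visible From: in m57.biz while the envelope sender sits at xy.dreamhostps.com) is exactly the case SPF and DMARC alignment are designed to reject. The records below are an added, hypothetical example of what M57.biz would publish, written for this report; the DKIM selector, the report mailbox and the choice of MX hosts as the only senders are assumptions, not the company's real configuration.

```dns
; Hypothetical DNS records for m57.biz (added example; selector, report mailbox
; and sending hosts are assumptions, not M57.biz's real configuration).

; SPF: only the domain's own MX hosts may send mail with an m57.biz envelope
; sender. A message whose Return-Path is at xy.dreamhostps.com is not judged by
; this record at all (SPF checks the envelope domain), which is why DMARC is
; needed to tie the visible From: back to it.
m57.biz.                     IN TXT "v=spf1 mx -all"

; DKIM public key for selector "sel2021"; the matching private key signs
; outbound mail on the company's mail server.
sel2021._domainkey.m57.biz.  IN TXT "v=DKIM1; k=rsa; p=<base64 RSA public key>"

; DMARC: reject mail whose From: is @m57.biz unless SPF or DKIM passes for a
; domain aligned with it; adkim=s / aspf=s demand an exact domain match, so a
; Return-Path at xy.dreamhostps.com cannot satisfy the SPF leg.
_dmarc.m57.biz.              IN TXT "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@m57.biz"
```

These records protect M57.biz's own users only if the company's inbound mail gateway actually evaluates DMARC on the mail it receives, and they do nothing against look-alike domains or a compromised internal account, which is why the user-training recommendation above still stands. Start with p=none and read the aggregate reports before moving to p=reject, so legitimate senders that are not yet in the SPF record are found first.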