Digital Forensic Report — M57 Jean/Alison Case — Data Breach of “M57.biz”

Hasanka Amarasinghe
8 min read · Mar 20, 2023

Executive Summary:

M57.biz is a popular website startup that is building an online collection of body art. A spreadsheet containing confidential employee information was posted as an attachment in the “technical support” forum of a competitor’s website. The spreadsheet came from the computer of Jean, the CFO. Only a select few personnel, including Jean, have access to this material. After the data breach, brief interviews were conducted. Alison denied any knowledge of the spreadsheet, pleaded not guilty, and stated that she had never asked Jean for the spreadsheet in question. Jean, however, stated that Alison had instructed her to send the spreadsheet by email in preparation for a new funding round.

Chain of custody

Proper chain of custody was preserved from evidence collection onwards (see Table 1). The evidence matches what was recovered at the scene, and it was at all times in the custody of an accountable person. [1] The actions involved in this incident violated intellectual property and privacy law and were against company policy. The system was taken into custody after the data on it was documented at the scene, and the hard drive of Jean’s laptop was cloned in accordance with company policy. In this case, m57.biz was treated as a private employer and not a government agency: the suspect voluntarily surrendered the evidence and gave consent and access to the computer, so the investigation did not violate her right to privacy. To ensure the validity and reliability of the collected evidence, the storage device was connected through a write-blocker and FTK Imager was used to create an exact forensic replica of the hard disk, which rules out any alteration of the duplicated data.

Table 1 : Chain of Custody

Objectives

This report’s main objective is to investigate a criminal case involving corporate espionage and the unauthorized disclosure of sensitive personally identifiable information. Forensic Toolkit (FTK version 4.2.1) was used to review the primary evidence file (nps-2008-jean.E01), a digital clone of the suspect’s personal computer’s hard disk.

While collecting the evidence, the privacy of the employees was not violated [2], as the suspect’s computer was voluntarily submitted for forensic investigation at the scene. Even when emails are sent and received in a corporate environment, the GDPR applies if they include personal information (such as name, email address, position, and others) [3]; the GDPR was therefore violated in this incident.

The forensic replica of the drive was examined for relevant information using specialized tools, without altering the data, to establish how and when the data was delivered to the rival company. Two copies of the disk clone were made as backups and labelled with tags (#2343–1-nps-2008-jean, #2343–2-nps-2008-jean). One copy (nps-2008-jean-2343–1) was burned to a DVD; the second copy was used for the investigation after confirming that the MD5 hashes of both copies matched (see Appendix — x). The hash file was labelled with the tag #2343–3 and burned to a CD. All backup copies were stored in the security department’s safe.

Software Used

The examination report was completed after the forensic image was taken and processed separately.

Hypervisor: VirtualBox v6.1.40 hosted on Windows 11 Pro v22H2

VM OS: Windows 10 Pro v22H2

Forensic analysis: Forensic Toolkit v4.2.1

Outlook viewer: CoolUtils PST Reader 4.2.0.11

Synopsis of Case Facts

The disk clone was stored in the EnCase file format. Although this format is often called the E01 format, that is a slight misnomer: the official name is the EnCase Image File Format. In this format the disk image is divided into several files, usually split at the 640 MB threshold. Each chunk starts with a header containing case information, followed by a sequence of 32 KB data blocks, each followed by a cyclic redundancy check, and ends with an MD5 sum for the full 640 MB chunk. [4] The resulting files carry the extensions E01, E02, E03… EXX.
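To make the chunk layout described above and the hash verification discussed in the Appendix concrete, here is an added Python model (not part of the original report, and not a parser for the real EnCase container): it computes a checksum per 32 KB block plus an MD5 over the whole chunk, then re-verifies constructed sample data before and after a single byte is altered. The use of CRC32 and the sample data are assumptions made for illustration.

```python
import hashlib
import zlib

BLOCK_SIZE = 32 * 1024  # 32 KB data blocks, as described for the E01 layout


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Split image data into fixed-size blocks (the last block may be short)."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def build_chunk(data: bytes) -> dict:
    """Simplified model of one chunk: a checksum per block plus an MD5 over the
    whole chunk. CRC32 is assumed here for illustration only."""
    blocks = split_blocks(data)
    return {
        "block_crcs": [zlib.crc32(b) for b in blocks],
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify_chunk(data: bytes, stored: dict) -> dict:
    """Recompute the checksums and MD5 over `data` and compare with the stored values.
    Besides the overall verdict, report which blocks no longer match, so an examiner
    can see where an image was altered, not only that it was."""
    blocks = split_blocks(data)
    bad_blocks = [
        i for i, b in enumerate(blocks)
        if i >= len(stored["block_crcs"]) or zlib.crc32(b) != stored["block_crcs"][i]
    ]
    computed_md5 = hashlib.md5(data).hexdigest()
    return {
        "md5_matches": computed_md5 == stored["md5"],
        "computed_md5": computed_md5,
        "bad_blocks": bad_blocks,
    }


def demo():
    """Constructed sample image (not real evidence): exactly five 32 KB blocks."""
    original = bytes(range(256)) * (5 * BLOCK_SIZE // 256)
    stored = build_chunk(original)          # hashes recorded at acquisition time
    clean = verify_chunk(original, stored)  # untouched copy: everything matches
    tampered = bytearray(original)
    tampered[2 * BLOCK_SIZE + 100] ^= 0xFF  # flip one byte inside the third block
    damaged = verify_chunk(bytes(tampered), stored)
    return clean, damaged


if __name__ == "__main__":
    print(demo())
```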

Since the spreadsheet in question was sent via email, the investigation first narrowed down to the email trail. The CoolUtils PST Reader provides a standalone platform for opening PST files, so an MS Outlook installation is not necessary. The program lets users view messages, notes, contacts, drafts, and scheduled tasks. [5] It was used to examine the email conversations between Jean and Alison.

Timeline of events

Timestamps can be important pieces of evidence that establish a connection between the accused, the computer, and the offense for which it was used. Nevertheless, time and date stamps have limitations: they are tied to a particular time zone, and their accuracy depends directly on the computer’s internal clock, which is easily modified. [6] The timestamps and events in Table 2 below were extracted from the evidence; they are given in Jean’s local time zone, and the data had not been tampered with (file checksums matched, as verified in Appendix (i) of this report).

Highlights of the incident are as follows:

Findings

The spreadsheet that contains details about an employee’s social security number and salary details is seen in the image below.

Figure 1 The leaked spreadsheet with confidential information

The document’s creation time and its last-saved time are two months apart, which is unusual, and the file lists Alison as its author. The metadata therefore indicates that Alison created the file two months earlier.

Figure 2 Properties of the leaked spreadsheet

The emails exchanged between Jean, Alison, and other pertinent individuals are the primary focus of the inquiry. The email account of the company’s CFO, Jean (jean@m57.biz), was analyzed; her email client is Microsoft Outlook. As is apparent from the email address, the organization’s domain is M57.biz, which is reserved for official use and governed by the organization’s policies and security measures.

A threat actor had spoofed the organization’s email addresses in a spear-phishing attack that targeted the CFO, Jean, to get her to disclose confidential data. The details requested are personally identifiable information and should not be disclosed to third parties without reviewing an MSA and performing a proper vendor security assessment. In this scenario, the sense of urgency and the suspicious request not to tell anyone about the task are red flags that point to a phishing email.

The email domain had been spoofed, and the Return-Path was later changed to tuckgorge@hotmail.com, which originated from the xy.dreamhostps.com domain (IP address involved: 208[.]97[.]132[.]81; see Appendix x), leaking the confidential information.
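The header review described above can be expressed as a simple check. The following Python is an added illustration, not part of the original report or of the FTK/Outlook tooling used in it: it runs three header heuristics (Return-Path domain differing from the From domain, relay from a host outside the organization, and absence of an Authentication-Results header) over a constructed header set modelled on the spoofed message. The organization domain and the heuristics themselves are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "m57.biz"  # assumed organization domain

# Constructed sample headers (not the evidence headers themselves; body omitted),
# modelled on the spoofed message discussed in the findings.
SAMPLE_HEADERS = """\
Return-Path: <tuckgorge@hotmail.com>
Received: from xy.dreamhostps.com (xy.dreamhostps.com [208.97.132.81])
From: Alison <alison@m57.biz>
To: Jean <jean@m57.biz>
Subject: Please send me the information now

"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address header value, or '' if none."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def in_org(host: str, org_domain: str) -> bool:
    host = host.lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)


def spoof_indicators(raw_headers: str, org_domain: str = ORG_DOMAIN) -> list:
    """Return header-based red flags for a message that claims to come from the
    organization. An empty list means none of the heuristics fired."""
    msg = message_from_string(raw_headers)
    flags = []
    from_domain = domain_of(msg.get("From"))
    if from_domain != org_domain:
        return flags  # heuristics below only apply to internal-looking senders
    rp_domain = domain_of(msg.get("Return-Path"))
    if rp_domain and rp_domain != org_domain:
        flags.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    # The topmost Received header is the last hop; check which host handed the mail over.
    for received in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)", received)
        if m and not in_org(m.group(1), org_domain):
            flags.append(f"Message relayed from non-organization host {m.group(1)}")
            break
    if "Authentication-Results" not in msg:
        flags.append("No Authentication-Results header: SPF/DKIM/DMARC were not evaluated")
    return flags
```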

Conclusion

It can be deduced from the available evidence that the CFO, Jean, was phished and was not knowingly associated with the leak of confidential information to the threat actor. The suspect’s statement matches the evidence, since the email was spoofed [7]. It is recommended that the organization run security awareness training for all staff at least twice a year, in line with industry standards such as PCI-DSS, HIPAA, NIST, ISO, and the Sarbanes-Oxley reporting requirements [8]. The organization should also configure DMARC [9], SPF [10], and DKIM [11] on its mail domain, since the spear-phishing campaign relied on spoofing the organization’s email domain.

Appendix

Verifying the integrity of the Forensic Image

One of the most widely used hash algorithms is the 128-bit MD5 algorithm. It was designed as a cryptographic hash function, but because of the risk that its weaknesses are exploited, it is now used solely to verify data integrity. Forensic images have a considerable potential of being altered or damaged during the chain of custody. EnCase (*.E01) files store the hash inside the file at image creation, making it possible to compare the stored verification hash with a freshly computed one. It should be explicitly stated that for the evidence to be usable in the investigation, the hashes must match.

Figure 3 Mounted Image file was verified for integrity

Verification scans confirmed that the hashes matched and the data had not been tampered with; hence the data can be presented to the court as evidence.

Figure 4 Hashes matched

Verifying the integrity of the outlook.pst file

Table 3 Hashes of the outlook.pst matched

Sensitive information is requested to be sent via email. Subject: “background checks.”

Figure 5 email: background checks : initial

Jean expresses skepticism and asks by email whether Alison is using another email address.

Figure 6 email: RE: which email address are you using?

It is unclear why Jean replied “Sure thing,” a reply that had earlier served to confirm she would send the data.

Figure 7 email: RE: background checks : last

The threat actor urgently requests the sensitive information again; the Return-Path has been altered to “tuckgorge@gmail.com”.

Figure 8 email: Please send me the information now

Jean sends confidential information to the attacker via email.

Figure 9 email: RE: Please send me the information now

The threat actor expresses gratitude to Jean for sharing the data.

Figure 10 email: Thanks

Jean receives an email from Alison stating that something strange is going on.

Figure 11 email: are you around today?

Header analysis of phishing emails

Figure 12 Headers of phishing email 1: “background checks”

Figure 13 Headers of email: “please send me the information now”

References

[1] A. Badiye, N. Kapoor, and R. G. Menezes, “Chain of Custody,” StatPearls, Feb. 2022. Available: https://www.ncbi.nlm.nih.gov/books/NBK551677/

[2] “Employee privacy rights at work | International Bar Association.” https://www.ibanet.org/article/c2238c90-d0af-400e-a97e-a8da76d2eb8f

[3] “How does the GDPR affect email? — GDPR.eu.” https://gdpr.eu/email-encryption/

[4] “Encase E01 File Format Explained — Disk Image Forensics.” https://www.forensicsware.com/blog/e01-file-format.html

[5] “7 Best Ways to Open a PST File Without Outlook in 2022.” https://www.coolutils.com/blog/5-easy-ways-to-open-pst-file-without-outlook/

[6] “Digital Evidence in the Courtroom: A Guide For Law Enforcement and Prosecutors | Office of Justice Programs.” https://www.ojp.gov/ncjrs/virtual-library/abstracts/digital-evidence-courtroom-guide-law-enforcement-and-prosecutors

[7] “What is Email Spoofing? How to Identify a Spoofed Email | CrowdStrike.” https://www.crowdstrike.com/cybersecurity-101/spoofing-attacks/email-spoofing/

[8] “Ultimate Guide: Security Awareness Training | KnowBe4.” https://www.knowbe4.com/security-awareness-training

[9] M. Kucherawy and E. Zwicky, “Domain-based Message Authentication, Reporting, and Conformance (DMARC),” Mar. 2015, doi: 10.17487/RFC7489.

[10] S. Kitterman, “Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1,” Apr. 2014, doi: 10.17487/RFC7208.

[11] S. Kitterman, “Cryptographic Algorithm and Key Usage Update to DomainKeys Identified Mail (DKIM),” Jan. 2018, doi: 10.17487/RFC8301.
