
Bournemouth University

DIGITAL FORENSICS FUNDAMENTALS (COMP5061)

Digital Investigation Assessment

Professor: Fudong Li

Submitted by

Name

Date

Part 1

Statement to the Jury about Data Integrity and Its Relevance to a Digital Forensic Investigation

Your honor, ladies and gentlemen of the jury, the "Global Data Privacy Laws" provide a detailed explanation of international data privacy. Under international privacy law, the term "data integrity" refers primarily to the coherence, accuracy, and timeliness of information, together with the completeness of a given dataset. Integrity has to be maintained consistently from the point at which data is first acquired and stored until it is transferred or deleted.

In a business context, evaluating data integrity is essential for determining how far operational data can be trusted, and that assessment directly determines the confidence with which the data can be used for analysis and decision-making. Data integrity is a measure of the reliability of information about sales, inventory, marketing, finance, and customers, and so it shapes the quality of each of these business functions. Data with integrity accurately reflects the real situation; inaccurate inventory data, for instance, leads to wrong stock levels, causing stockouts or financial losses from excess or wasted stock.

Within finance teams, the precision of the data held shapes the quality of critical activities such as budgeting, forecasting, analysis, and bank reconciliation. Finance professionals face intense scrutiny from stakeholders and regulators, and inaccuracies in their figures can have substantial repercussions.

Digital data is stored on diverse media, such as mobile devices, cloud storage, hard drives, and USB drives. Each presents its own challenges, so specialists need suitable tools and techniques to access and analyze the data. Digital data is also easy to alter, which is why preserving data integrity is central to a forensic investigation. Forensic examiners apply a range of skills and techniques to keep the data in its original state, working on verified copies rather than the original so that it remains untouched and unaltered throughout the investigative process.

Digital forensics is essential for investigating, prosecuting, and recovering from cybercrime. It provides the evidence that identifies and helps apprehend offenders, and that evidence is admissible in court, where it can establish and support a case, provided its integrity can be demonstrated. Digital forensics is also valuable to entities other than law enforcement, such as enterprises, educational institutions, and medical facilities, where it helps identify the vulnerabilities in systems and networks that were exploited in a data breach. By recognizing and resolving these flaws, digital forensics becomes a proactive technique for preventing future breaches and protecting sensitive information. In the event of data loss, corruption, or theft within an organization, digital forensic specialists can recover the data and take further measures to protect intellectual property.

Evidential integrity requires that the digital evidence under examination is not changed in any way by the examiner. The integrity of digital evidence must be maintained at every stage of its handling, and investigators should be able to demonstrate, wherever possible, that the evidence remained unchanged throughout the identification, collection, and acquisition phases. The usual means of demonstrating this is a cryptographic hash (for example MD5 or SHA-256) computed at acquisition, recorded in the chain of custody, and recomputed at each later stage: matching values show that the evidence is the same as when it was seized, and any mismatch must be explained and documented. In the forensics laboratory it is critical to handle digital evidence in a way that preserves its integrity.

Part 2: Technical Witness Report

Examination of Evidence of a Hard Drive Containing a Forensic Evidence Image Copy, "Item 650-457-42715-1"

Background Information

On July 5, 2008, Alison Smith, the President of a business named m57.biz, informed law enforcement that she was receiving phone calls from an individual attempting to extort money. The extortionist threatened to disclose confidential information about m57.biz to a competitor. Ms. Smith initially dismissed these threats as not being serious.

Around July 21, 2008 (exact date uncertain), Alison Smith observed confidential information about m57.biz employees posted on a competitor's website. This information included names, Social Security Numbers, and current salary details from m57.biz. Ms. Smith promptly reported this to law enforcement, providing information that pointed towards the possible involvement of the Chief Financial Officer, Jean Jones.

On July 22, 2008, an Affidavit was sworn before the Honorable Magistrate Joseph Albert Wapner and a Search Warrant was issued for the residence of Jean Jones. (m57.biz has a lenient "work from home" policy, enabling many employees to work from their own residences; consequently the "work computer" assigned to Jean Jones by m57.biz is kept at her residence.) During the search, several computers and multiple portable hard drives were seized.

In August 2008, Forensic Examiner Dewey Cheatem concluded a digital forensic examination of the seized evidence. The examination resulted in the discovery of a file named m57biz.xlsx, which appeared to contain the same information as that posted on the competitor's website. On the basis of this finding, Jean Jones was charged with extortion. In 2009 she stood trial and was convicted of extortion, and she is presently serving her sentence in a federal prison.

Newly discovered evidence in the ongoing criminal investigation may lead to a reconsideration of Jean Jones's case, potentially resulting in a new trial. In support of a possible retrial, a second forensic examination of the hard disk from Jean Jones's computer has been requested, with a report to be presented.

This report presents the digital forensic analysis of the evidence image extracted from the computer belonging to Jean Jones, designated evidence item 650-457-42715-1. Special Agent G. Mann requested the examination to uncover any information indicating Jean Jones's potential involvement in extortion. The examination also aims to establish whether the spreadsheet labeled "m57biz.xlsx" was created on Jean Jones's computer hard drive and whether it moved from her computer to be published on a competitor's website. Furthermore, the request seeks any pertinent details suggesting that other individuals associated with m57.biz should be investigated in connection with this criminal inquiry.

Evidence Summary

The evidence item 650-457-42715-1, consisting of the files "nps-2008-jean.E01" and "nps-2008-jean.E02," was examined from December 15, 2023, to December 25, 2023. It is important to note that the file nps-2008-jean.E02 could not be examined, because the forensic tool used for the examination did not support it. Following consultation with the case inspector and legal counsel, the examination proceeded on the evidence image nps-2008-jean.E01 alone. Since .E01/.E02 is the segment naming of a single EnCase image, this means that only part of the acquired data was examined, and the findings below should be read with that limitation in mind.

On December 15, 2023, information concerning the suspicious file "m57biz.xlsx" was uncovered through a metadata examination of the Excel file. Additionally, a review of the user's sent and received email messages revealed a potential method of information leakage. On the same day, the system and user registry files, along with data pertaining to all users, were examined. A comprehensive examination of the entire evidence image was conducted to identify any other potential evidence contributing to a holistic understanding. Various attack vectors were also considered, leading to the formulation of hypotheses; these were tested and resolved on December 19, 2023, before the evidence was returned.

The hash value documented in the chain of custody was "78cf5a38b39dcd16c1b6c1fa1746d6f5," while the hash value computed during the examination was "78a52b5bac78f4e711607707ac0e3f93." This discrepancy arose because only the first segment of the evidence image was hashed: the chain-of-custody value covers the complete acquisition, so hashing the .E01 file alone cannot reproduce it. The integrity of the examined image therefore cannot be confirmed against the chain of custody until the full segment set is hashed and compared, and this is recorded here as a limitation of the examination. Another noteworthy hash value is the MD5 of the Excel file, "e23a4eb7f2562f53e88c9dca8b26a153," computed during the examination; the file's content raises the suspicion of a leak to a competitor company.
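The hash check behind the paragraph above, as an added example that is not part of the original report: it verifies a segmented image against a documented chain-of-custody hash and shows why hashing the first segment alone produces a different value. The segment contents, file names and hashes are constructed; it uses a split raw image rather than the EnCase .E01/.E02 container, because decoding EWF files needs a library such as libewf, but the verification logic is the same.

```python
"""Added example (not from the original report): verifying an evidence image
against the hash recorded in the chain of custody when the image is stored as
several segment files.

The hash recorded at acquisition covers the whole acquired data, so it can
only be reproduced by hashing every segment, in order, as one stream. The
segments below are constructed bytes standing in for a split raw image
(.001/.002); EnCase .E01/.E02 containers need libewf to decode, but the
check is the same.
"""
import hashlib
from typing import Dict, Iterable, Tuple


def hash_stream(chunks: Iterable[bytes], algorithm: str = "md5") -> str:
    """Hash a sequence of byte chunks as one continuous stream."""
    h = hashlib.new(algorithm)
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def hash_each_segment(segments: Dict[str, bytes], algorithm: str = "md5") -> Dict[str, str]:
    """Per-file hashes: what a tool reports when it hashes one segment in isolation."""
    return {name: hash_stream([data], algorithm) for name, data in segments.items()}


def hash_whole_image(segments: Dict[str, bytes], algorithm: str = "md5") -> str:
    """Hash the acquired data: all segments concatenated in segment order."""
    ordered = sorted(segments)  # ".001" < ".002" and ".E01" < ".E02" sort correctly
    return hash_stream((segments[name] for name in ordered), algorithm)


def normalise_hash(value: str) -> str:
    """Accept the spaced form some reports use ("e23a 4eb7 ...") and any case."""
    return "".join(value.split()).lower()


def verify(documented: str, computed: str) -> Tuple[bool, str]:
    """Compare a recorded hash with a freshly computed one."""
    ok = normalise_hash(documented) == normalise_hash(computed)
    return ok, ("MATCH: image unchanged since acquisition" if ok
                else "MISMATCH: image cannot be relied on until explained")


def verification_report(segments: Dict[str, bytes], documented: str,
                        algorithm: str = "md5") -> Dict[str, object]:
    """The checks an examiner records before and after the examination."""
    first = sorted(segments)[0]
    per_segment = hash_each_segment(segments, algorithm)
    whole = hash_whole_image(segments, algorithm)
    return {
        "per_segment": per_segment,
        "whole_image": whole,
        "first_segment_only_matches": verify(documented, per_segment[first])[0],
        "whole_image_matches": verify(documented, whole)[0],
    }


# Constructed split image: two segments of a 12-byte "acquisition".
SEGMENTS = {
    "evidence.001": b"\x00\x01\x02\x03\x04\x05",
    "evidence.002": b"\x06\x07\x08\x09\x0a\x0b",
}
# In practice this value is copied from the chain-of-custody form; here it is
# constructed as the hash of the complete acquired data.
DOCUMENTED_MD5 = hash_stream([b"".join(SEGMENTS[n] for n in sorted(SEGMENTS))])

if __name__ == "__main__":
    for key, value in verification_report(SEGMENTS, DOCUMENTED_MD5).items():
        print(f"{key}: {value}")
```

Run the report once when the evidence is received and again when it is returned; both results belong in the examination notes. Hashing only the first segment will always report a mismatch against the acquisition hash, which is exactly the discrepancy recorded in this summary.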

The evidence hard drive contains an image copy of a SYX Systemax computer tower, black with a grey front panel, serial number 3XCD54ZX89. The drive was handed over by John Anderson to the digital forensic examiner on December 15, 2023, at 10:00 AM, and returned on December 19, 2023, at 05:00 PM. The evidence image file "nps-2008-jean.E02" could not be examined because the standard tool used for the examination did not support the image format. Analysis with alternative tools was not pursued, in order to maintain adherence to the standard practices and legal requirements for digital examinations.

Examination Tools

Several tools were used in the examination. Autopsy (version 4.13.0), an open-source digital forensic platform built for in-depth examinations, was the primary tool. The extraction and parsing of information (keys, values, data) from the Registry were carried out with the open-source program RegRipper (version 2.8). The toolkit also included OpenStego (version 0.7.3), a steganography application capable of embedding data and watermarking. These tools were selected because they align with industry standards and are widely accepted in the digital forensics domain.

For the examination of the digital evidence labeled "nps-2008-jean.E01," Autopsy was used to gather the pertinent information. The RegRipper command-line tool was used to parse the system registry hives, namely SECURITY, SAM, SOFTWARE, and SYSTEM, together with the "NTUSER.DAT" hives of the system's users. OpenStego was used in the steganalysis step, specifically to attempt the extraction of data concealed within image files.

By examining the logical file system, critical data such as sent and received email messages, the suspicious Excel file, the user's general activity, and other significant information about files in the evidence image were uncovered. Files suspected of carrying hidden content were examined for the presence of concealed data. The user's deleted data was also examined, confirming that forensic techniques can recover such files from the hard disk even when the user has attempted to remove them.

To speed up the examination, items unlikely to be relevant, such as operating system program files, downloads required for application functionality, and small sample photographs and videos, were excluded from the steganalysis. Narrowing the scope to files with greater potential significance made the process more efficient.

Analysis

Temporal Analysis

Sequential listing of pertinent events:

1. Based on the Examination Request, it is evident that on July 5, 2008, Alison Smith, the President of the business identified as m57.biz, informed law enforcement that she was receiving threatening phone calls. The caller sought to extort money from her, threatening to disclose confidential information about m57.biz to a competitor. Although Ms. Smith initially dismissed these threats as not serious, the subsequent events suggest that m57.biz was being targeted by an attacker. This incident can be read as an early indication of an impending attack, by either an insider or an outsider.

2. On July 19, 2008, at 19:31, "[email protected]" sent emails to "[email protected]" which appeared under the username "alex." In response, [email protected] sent an email to "alex" drawing attention to this.

3. On July 19, 2008, at 19:39, "[email protected]" sent an email to "[email protected]" requesting an Excel sheet containing Social Security Numbers for background checks. The subject line of the email was "background checks." While no tampering or spoofing of this email was observed, it is noted that this email might not have originated from the actual [email protected], given that her emails were appearing under the username "alex," as shown in Figure 1.

4. On July 19, 2008, at 19:43, user [email protected] acknowledged that there was a misconfiguration in the user's email and sent a message to "[email protected]" stating, "My email is '[email protected],' not Alex. Sorry about that." This communication is further evidence that the previous message might not have originated from "[email protected]," the original user.

5. On July 19, 2008, at 21:22, "[email protected]" received another email purportedly from "[email protected]," demanding the specified document. However, the email address was spoofed, and the actual sender was "[email protected]." There is no indication in the email messages that Jean was aware of this miscommunication. Additionally, the findings indicate that "[email protected]" did not initiate any conversation (refer to Figure 2).

6. "[email protected]" replied to the spoofed address on July 19, 2008, at 21:28, attaching the Excel sheet (refer to Figure 3).

7. The user "[email protected]" replied with the subject "Thanks" on July 20, 2008, at 01:03, confirming that the confidential information had reached an unauthorized user. It is now clear that this user may have disclosed the sensitive information on the competitor's website. This user's identity is unknown; the possibilities include a competitor's employee, a dissatisfied employee, or a hired worker.

8. At 20:10 on July 20, 2008, "[email protected]" started an email thread discussing the exposure of confidential data. Subsequently, at 20:11:45 EDT on the same day, "[email protected]" raised questions with "[email protected]" about her personal information, including her salary and Social Security Number (SSN). The email exchange suggests that the confidential information was revealed on a website around 20:10 on July 20, 2008.

9. The Examination Request notes, "On about 21 July 2008 (exact date uncertain), Alison Smith noticed confidential information regarding m57.biz employees posted on a competitor's website. This information consists of names, Social Security Numbers, and current salary information at m57.biz." Given that no other attack vector or conclusive route for the information leak was observed, it is highly probable that the malicious user [email protected] used email spoofing to obtain and subsequently leak the attached information.

Relational Analysis

The infiltrator might have been a dissatisfied employee of m57.biz, a hired attacker, or an individual from a competitor's company. In this instance, the malicious user, identified as [email protected], employed email spoofing by forging the email address of "[email protected]" and requesting the file that contained the private data. The malicious user likely initiated a phishing attack to manipulate the email address of "[email protected]" and sent an email to "[email protected]" requesting the spreadsheet. Exploiting the confusion between email addresses and usernames, the attacker then sent a fraudulent email posing as [email protected], asking for the spreadsheet again, so that the requested attachment would be delivered directly to the attacker's inbox. [email protected] likely fell for the ruse unknowingly and sent the requested information in reply to the malicious user, leaking the sensitive data. The attacker then likely posted the obtained information on the competitor's website.
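The spoofing pattern described in the temporal and relational analyses, as an added example that is not part of the original report: header-level checks for a message whose displayed From address does not match where replies actually go, plus a UTC-normalised timeline so that the EDT email times can be ordered consistently with other timestamps. The three messages are constructed stand-ins, since the real addresses are redacted on this page; example.com is assumed as the company domain and external.example as the attacker's.

```python
"""Added example (not from the original report): header checks for the
e-mail spoofing described in the analysis, and a UTC timeline of the exchange.

All messages are constructed. example.com stands in for the victim company's
domain and external.example for the attacker's; neither appears in the report.
The checks are header-only, which is what a PST export gives an examiner:
no SPF or DKIM results are available for this evidence.
"""
from datetime import timezone
from email import message_from_string, utils
from email.message import Message
from typing import Dict, List

COMPANY_DOMAIN = "example.com"  # assumed stand-in for the victim organisation

# Constructed sample messages; times are EDT, as in the report's figures.
SAMPLE_MESSAGES = [
    # 1. Internal request for the spreadsheet: nothing suspicious in the headers.
    "From: Alison <alison@example.com>\r\n"
    "To: jean@example.com\r\n"
    "Date: Sat, 19 Jul 2008 19:39:00 -0400\r\n"
    "Subject: background checks\r\n"
    "\r\n"
    "Please send the spreadsheet.\r\n",
    # 2. Spoofed request: displayed From is Alison, but replies go elsewhere.
    "Return-Path: <attacker@external.example>\r\n"
    "From: Alison <alison@example.com>\r\n"
    "Reply-To: <attacker@external.example>\r\n"
    "To: jean@example.com\r\n"
    "Date: Sat, 19 Jul 2008 21:22:00 -0400\r\n"
    "Subject: Re: background checks\r\n"
    "\r\n"
    "Still need that file.\r\n",
    # 3. The reply, with the attachment, addressed to the attacker's domain.
    "From: jean@example.com\r\n"
    "To: attacker@external.example\r\n"
    "Date: Sat, 19 Jul 2008 21:28:00 -0400\r\n"
    "Subject: RE: background checks\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: multipart/mixed; boundary=\"b1\"\r\n"
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Attached.\r\n"
    "--b1\r\n"
    "Content-Type: application/vnd.ms-excel; name=\"m57biz.xls\"\r\n"
    "Content-Disposition: attachment; filename=\"m57biz.xls\"\r\n"
    "\r\n"
    "<binary omitted>\r\n"
    "--b1--\r\n",
]


def domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def attachments(msg: Message) -> List[str]:
    """File names of every MIME part that carries a filename."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def spoof_indicators(msg: Message) -> List[str]:
    """Header-only signs that the visible From address is not where replies go."""
    _, sender = utils.parseaddr(msg.get("From", ""))
    _, reply_to = utils.parseaddr(msg.get("Reply-To", ""))
    _, return_path = utils.parseaddr(msg.get("Return-Path", ""))
    _, recipient = utils.parseaddr(msg.get("To", ""))
    found = []
    if reply_to and reply_to.lower() != sender.lower():
        found.append(f"Reply-To {reply_to} differs from From {sender}")
    if return_path and return_path.lower() != sender.lower():
        found.append(f"Return-Path {return_path} differs from From {sender}")
    for name in attachments(msg):
        if domain(sender) == COMPANY_DOMAIN and domain(recipient) != COMPANY_DOMAIN:
            found.append(f"attachment {name} sent outside {COMPANY_DOMAIN} to {recipient}")
    return found


def build_timeline(raw_messages: List[str]) -> List[Dict[str, object]]:
    """Parse each message, convert its Date header to UTC and sort by time."""
    events = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        when = utils.parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
        events.append({
            "utc": when.isoformat(),
            "from": utils.parseaddr(msg.get("From", ""))[1],
            "to": utils.parseaddr(msg.get("To", ""))[1],
            "subject": msg.get("Subject", ""),
            "indicators": spoof_indicators(msg),
        })
    return sorted(events, key=lambda e: e["utc"])


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_MESSAGES):
        flag = "  <-- " + "; ".join(e["indicators"]) if e["indicators"] else ""
        print(f'{e["utc"]}  {e["from"]} -> {e["to"]}  "{e["subject"]}"{flag}')
```

Note that 21:28 EDT on July 19 is 01:28 UTC on July 20: when email times are quoted in local time and file-system timestamps are displayed in UTC, the same evening can appear to fall on two different dates, so every source should be normalised to one timezone before the order of events is argued from it.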

Functional Analysis

The evidence strongly suggests that the attack was successfully executed, as shown by both the temporal and relational analyses. The sequence of events reveals the pertinent details. At 19:31 on 2008-07-19, the email address [email protected] was found to be misconfigured. At 19:39 on 2008-07-19, "[email protected]" received an email from "[email protected]" requesting the spreadsheet despite the misconfiguration. Although the misconfiguration was acknowledged at 19:43:48 EDT on 2008-07-19, the email concerning the spreadsheet was not addressed within the same thread. Finally, at 21:22 on 2008-07-19, [email protected] received the spoofed email, and the user responded with the attachment, completing the attack.

From a technical standpoint, the attack is feasible: a malicious user could use a phishing attack to deceive the user of the email address [email protected], producing the observed events. For a comprehensive investigation, additional information about all the implicated users, particularly [email protected] and [email protected], should be gathered. The mail servers used by the business should also be examined, since server logs and full message headers would confirm whether the spoofed message actually originated outside m57.biz and whether the attack was feasible as described. This approach will give a more thorough understanding of the circumstances surrounding the incident.

Conclusions

• [email protected] is identified as the sender of the attachment m57biz.xls, containing sensitive information such as Social Security Numbers (SSN) and employees' wages. Nevertheless, the user appears to have been unaware of the spoofed emails: there is no evidence that the user knew the communication was being directed to an incorrect email address.

• The "m57biz.xls" spreadsheet was identified in two locations: (1) "/img_nps-2008-jean.E01/vol_vol2/Documents and Settings/Jean/Local Settings/Application Data/Microsoft/Outlook/outlook.pst" and (2) "/img_nps-2008-jean.E01/vol_vol2/Documents and Settings/Jean/Desktop/m57biz.xls." It was therefore found both as a file on Jean's computer hard drive and as an email attachment in the "[email protected]" mailbox. The file's metadata show that it was created by "Alison Smith" on "2008-06-12," copied to Jean's computer hard drive on "2008-07-19," and last modified on "2008-07-20."

• The spoofed emails came from "[email protected]," appearing to be from "[email protected]," and were sent to "[email protected]," indicating that "[email protected]" was used to obtain the private data that was then posted on the competitor's website. It is probable that the attacker reconfigured the email address "[email protected]" through a spear-phishing tactic and then used email spoofing to acquire the critical information from "[email protected]."

• From the existing digital evidence, it can be concluded that m57 employees were unaware that they were being targeted by a malicious user. However, a thorough examination of the devices associated with "[email protected]" is advisable, to uncover details about the email misconfiguration that took place on July 19 and 20, 2008. Such an inquiry is crucial for validating the characteristics of the spear-phishing attack and the sequence of events leading to the misconfiguration of the email address. This rigorous approach is intended to provide a complete and clear picture, eliminating any uncertainty about the actions of the user "[email protected]."



Appendix

File System Examination

Numerous files and directories within the evidence image are of significant importance:

• m57biz.xls

This Excel spreadsheet contains sensitive information, including employee salaries and Social Security Numbers for the business "m57.biz." The data was found to have been leaked and appeared on the competitor's website. The file is located in two places: "/img_nps-2008-jean.E01/vol_vol2/Documents and Settings/Jean/Desktop/m57biz.xls" and "/img_nps-2008-jean.E01/vol_vol2/Documents and Settings/Jean/Local Settings/Application Data/Microsoft/Outlook/outlook.pst."

In both locations the MD5 hash value of the file is "e23a4eb7f2562f53e88c9dca8b26a153," which shows that the Desktop copy and the email attachment are byte-for-byte identical. The file's author and creator are recorded as "Alison Smith," who created it on "2008-06-12"; it was saved to Jean's Desktop on "2008-07-19" and last modified on "2008-07-20." Because the email times in this report are given in EDT while file-system timestamps may be displayed in UTC, a modification date of 2008-07-20 can correspond to the evening of 2008-07-19 local time (21:28 EDT is 01:28 UTC on the following day); the two should be normalized to a single timezone before any inference is drawn from their order. Unfortunately, there is insufficient data to establish how Jean initially acquired this spreadsheet.

• SAM registry file

The SAM (Security Accounts Manager) hive, located in the "Windows/system32/config" directory, was extracted and analyzed with RegRipper. The analysis revealed several other user accounts on the same system. Notably, besides Jean, a user named Devon had logged in to the system. The users had not changed their passwords and had no failed login attempts recorded.

• SOFTWARE registry file

Like the SAM hive, this file is located in "Windows/system32/config" and holds information about installed and executed software. Notably, during July (07), the Microsoft Office application EXCEL.exe had been used very recently.

• SYSTEM registry file

This hive is likewise located in "Windows/system32/config" and indicates that multiple removable devices were connected to the system between July 20 and July 21.

• E-Mail Messages

This directory compiles all the emails found in the evidence image, obtained through a forensic examination with Autopsy. The email messages provided insight into the actual events of July 19 to 21. They include conversation threads involving email addresses such as "[email protected]" and "[email protected]," together with other pertinent employees, non-employee users, and potential attackers.
Figures

Figure 1: 2008-07-19 19:39 – Original email requesting the Excel sheet

Figure 2: 2008-07-19 21:22 – Spoofed email requesting the Excel sheet

Figure 3: 2008-07-19 21:28 – File sent to the wrong user