Examining a forensic disk image for evidence of corporate espionage.

Examine a forensic disk image for evidence of corporate espionage. Read the scenario document carefully; treat it as your interview notes with the client. This scenario is more complex than Investigation 01 and therefore contains a greater proportion of irrelevant data. Give yourself plenty of time to perform the examination, and take advantage of Autopsy's features to help separate relevant artifacts from the noise.

Instructions
You’ll need to use the following resources to complete the assignment:

Investigation 02 Sample Evidence*
Autopsy, the open-source forensic suite* (or another suite, such as EnCase or FTK)
(Optional) Download and use the report template (See the Investigation and Forensics Challenge module for the templates)
*Accessed via the Virtual Lab.

After reading the Investigation 02 Scenario, open your forensic tool and import the sample evidence. Begin a forensic report and start your search. As you do, take special note of the answers to the following questions. These are the questions that must be answered to reach a logical conclusion for this scenario. They are provided here, but in future investigations you will be expected to formulate such questions on your own.


Scenario
This scenario takes place circa 2008.

M57.biz is a hip web start-up developing a body art catalog. They’ve pulled in over $3 million in funding with a net return of $10 million. The company is small, with only seven employees, including founder Alison Smith. Alison was co-founder with her long-time partner Raoul Perdoga, but she recently forced him out of the business following a nasty break-up.

Current employees are:

President: Alison Smith
CFO: Jean Jones
Programmers: Bob Blackman, Carol Canfred, David Daubert, Emmy Arlington
Marketing: Gina Tangers, Harris Jenkins
BizDev: Indy Counterching
Despite their recent success, they have a decentralized office. Most people work at home or on the road. Communication and collaboration are primarily by email through their own @m57.biz domain. This worked fine until a spreadsheet containing confidential proprietary company information was posted as an attachment in the technical support forum of a competitor’s website.

The spreadsheet came from CFO Jean’s computer, but she denies any knowledge of the leak. She says that Alison asked her to prepare the spreadsheet as part of a new funding effort and to email it to her. Alison denies she ever asked for the spreadsheet and never received a copy by email. A recreation of the spreadsheet table is found below for you to use.


Questions
When did Jean create the spreadsheet? Jean asserts that she created the spreadsheet after Alison had asked for it by email.
How did the spreadsheet get from Jean’s computer to the competitor’s website? Jean says she emailed it to Alison but denies ever visiting the competitor’s website.
Is anyone else from the company involved? What about people who are not in the company? What possible motive could they have?
If what Jean says is true, what steps can we take to continue our investigation?

Sample Solution

Forensic Examination of M57.biz Disk Image for Evidence of Corporate Espionage

Introduction

This report details the forensic examination of a disk image obtained from Jean’s computer at M57.biz, a web startup. The investigation aims to determine the origin and potential leak of a confidential company spreadsheet containing proprietary information posted on a competitor’s website.

Tools and Methodology

The examination was conducted using Autopsy, an open-source forensic suite. The following methods were employed:

  • Image Acquisition: A forensic copy of Jean’s disk image was acquired using industry-standard techniques to ensure data integrity.
  • File System Analysis: The file system was analyzed to identify relevant files, including emails, documents, and browsing history.
  • Timeline Analysis: A timeline of file creation, modification, and access was established to understand the sequence of events.
  • Keyword Searching: The disk image was searched for keywords related to the competitor’s website and the leaked spreadsheet.

Analysis of Questions

1. When did Jean create the spreadsheet?

Autopsy's timeline analysis can reveal the file-system creation date of the spreadsheet file. Additionally, the timestamps embedded in the spreadsheet's own metadata (author, created, last modified) indicate when the document was authored and last edited. The two sources should be compared rather than read in isolation, because they can legitimately disagree when a file is copied or received rather than created in place, and that disagreement is itself evidence about how the file arrived on the disk.
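An added example of the comparison described above (not part of the assignment, and not Autopsy code): it reads the created/modified metadata that an OOXML spreadsheet carries in docProps/core.xml and notes where those values disagree with the file-system timestamps the examiner already has. The spreadsheet bytes, the creator name and all dates are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime
# Namespaces used by docProps/core.xml inside an OOXML (.xlsx/.docx) container.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

def parse_iso(text):
    """Parse a W3CDTF timestamp such as 2008-07-19T18:30:00Z into an aware datetime."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))

def build_sample_xlsx(creator, created, modified):
    """Constructed sample: a minimal OOXML zip holding only docProps/core.xml."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}"><dc:creator>{creator}</dc:creator>'
        f'<dcterms:created>{created}</dcterms:created>'
        f'<dcterms:modified>{modified}</dcterms:modified></cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()

def ooxml_core_properties(data):
    """Return creator plus the embedded created/modified times from an OOXML file's bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    created = root.findtext("dcterms:created", namespaces=NS)
    modified = root.findtext("dcterms:modified", namespaces=NS)
    return {
        "creator": root.findtext("dc:creator", namespaces=NS),
        "created": parse_iso(created) if created else None,
        "modified": parse_iso(modified) if modified else None,
    }

def timestamp_observations(core, fs_created, fs_modified):
    """Note disagreements between embedded metadata and file-system times that a report should explain."""
    notes = []
    if core["created"] and fs_created > core["created"]:
        notes.append("file-system creation is later than document creation: the file was probably copied or received rather than authored here")
    if core["modified"] and core["modified"] > fs_modified:
        notes.append("embedded modified time is after the file-system last write: check for clock skew or edited metadata")
    return notes
```

In practice the file-system values come from the Autopsy file listing for the spreadsheet, and the function is run against the bytes of the extracted file.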

2. How did the spreadsheet get from Jean’s computer to the competitor’s website?

There are several possibilities:

  • Email: Investigate emails originating from Jean’s computer for the specific spreadsheet file attached and addressed to someone outside the company or a suspicious email address. Analyze email headers for any anomalies suggesting tampering.
  • Web Upload: Check Jean’s browsing history for visits to the competitor’s website around the time of the leak. Analyze downloaded and uploaded files during those browsing sessions.
  • External Device Transfer: The spreadsheet could have been transferred to an external device (USB drive, etc.) and then uploaded to the competitor's website from another machine. Examine the disk image for traces of external drives and for file-access timestamps on the spreadsheet that coincide with their use.
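An added example for the email step above (not part of the assignment or of Autopsy): given one message exported from the image, it lists the attachments and flags the header inconsistencies an examiner would look for, such as a Reply-To or Return-Path outside the claimed sender's domain, or a first Received hop from a foreign mail host. The message text is constructed for illustration; every host, address and filename in it is invented.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message; every address, host and filename here is invented.
SAMPLE_EML = """\
Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (mail.example.net [203.0.113.5]) by mx.m57.biz; Sat, 19 Jul 2008 18:40:02 -0700
From: Alison Smith <alison@m57.biz>
Reply-To: alison.m57@example.net
To: jean@m57.biz
Subject: funding spreadsheet
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please send me the numbers.
--b1
Content-Type: application/vnd.ms-excel; name="funding.xls"
Content-Disposition: attachment; filename="funding.xls"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

def domain(addr):
    """Lower-cased domain part of an address like 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def triage_message(raw):
    """Return sender, attachment names and header anomalies worth a second look."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain(str(msg["From"] or ""))
    findings = []
    # Reply-To or Return-Path pointing outside the claimed sender's domain
    for name in ("Reply-To", "Return-Path"):
        if msg[name] and domain(str(msg[name])) != from_dom:
            findings.append(f"{name} domain {domain(str(msg[name]))} differs from From domain {from_dom}")
    # Received chain: a hop claiming to originate from a host outside the sender's domain
    for hop in msg.get_all("Received", []):
        m = re.match(r"from\s+([\w.-]+)", str(hop))
        if m and not m.group(1).lower().endswith(from_dom):
            findings.append(f"Received hop from {m.group(1)} is outside {from_dom}")
    attachments = [part.get_filename() for part in msg.iter_attachments()]
    return {"from": str(msg["From"]), "attachments": attachments, "findings": findings}
```

A finding here is a lead to verify against the mail server's own logs, not a conclusion on its own, since legitimate mail routed through a third-party provider produces the same pattern.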

3. Is anyone else from the company involved? What about people outside the company?

  • Internal Involvement:
    • Analyze email communication between Jean and other employees, particularly those with potential access to the spreadsheet or knowledge of the competitor’s website. Look for suspicious attachments or conversations related to confidential information.
    • Investigate the browsing history of other employees’ computers (if available) for visits to the competitor’s website around the leak time.
  • External Involvement:
    • Consider disgruntled ex-employees or individuals with a motive to harm M57.biz. Investigate past employee terminations or grievances.

4. If Jean is truthful, what steps can be taken?

If the investigation reveals no evidence of Jean’s involvement in the leak, further investigation is necessary:

  • Secure Systems: Analyze system logs for potential security vulnerabilities that could have allowed unauthorized access to Jean’s computer or the company network. Implement stronger password policies and consider multi-factor authentication.
  • Employee Training: Educate employees about cybersecurity best practices, including data security and the dangers of phishing attacks.
  • Review Data Sharing Practices: Review the company’s policies regarding data sharing and access controls. Implement stricter protocols for handling confidential information.

Additional Considerations

  • Deleted files: Utilize data recovery techniques to identify any relevant deleted files on Jean’s disk image that might shed light on the leak.
  • Network traffic analysis (if available): Analyze network traffic logs for suspicious activity around the time of the leak, such as unauthorized uploads or data exfiltration attempts.

Conclusion

The forensic examination of Jean’s disk image can provide valuable evidence to determine the source of the leak. By analyzing timestamps, email communication, browsing history, and potential system vulnerabilities, a clearer picture can emerge. Further investigation into other employees and external actors might be necessary depending on the initial findings.
