NIST CFReDS Project: Data Leakage Case Study
NIST CFReDS Project
(Computer Forensic Reference Data Sets)
NIST CFReDS:
Data Leakage Case
Software and Systems Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899
July 23, 2018
Table of Contents
1. SCENARIO OVERVIEW ..... 1
2. TARGET SYSTEMS AND DEVICES ..... 2
3. DETAILED BEHAVIOR OF THE SUSPECT ..... 3
4. ACQUIRED DATA INFORMATION ..... 8
5. DIGITAL FORENSICS PRACTICE POINTS ..... 11
6. QUESTIONS AND ANSWERS ABOUT THE SCENARIO ..... 12
7. HISTORY ..... 51
Last Saved 2022-11-22 II CFReDS Data Leakage Case
1. SCENARIO OVERVIEW
‘Iaman Informant’ was working as a manager of the technology development division at a famous international company, OOO, that developed state-of-the-art technologies and gadgets.

One day, at a place ‘Mr. Informant’ visited on business, he received an offer from ‘Spy Conspirator’ to leak sensitive information related to the company’s newest technology. ‘Mr. Conspirator’ was in fact an employee of a rival company. ‘Mr. Informant’ accepted the offer in exchange for a large amount of money and began establishing a detailed leakage plan.

‘Mr. Informant’ made a deliberate effort to hide the leakage plan. He discussed it with ‘Mr. Conspirator’ over an e-mail service, phrased as if it were a business relationship. He also sent samples of confidential information through personal cloud storage.

After receiving the sample data, ‘Mr. Conspirator’ asked for direct delivery of storage devices holding the remaining (large amounts of) data. Eventually, ‘Mr. Informant’ tried to take his storage devices out of the company, but he and his devices were detected at the company’s security checkpoint, and he was suspected of leaking company data.

At the security checkpoint, his devices (a USB memory stick and a CD) were briefly examined (protected with portable write blockers) and no evidence of leakage was found. They were then immediately transferred to the digital forensics laboratory for further analysis.
The company’s information security policies include the following:

(1) Confidential electronic files (a) should be stored and kept only on authorized external storage devices and secured network drives.
(2) Confidential paper documents and electronic files can be accessed only within the allowed time range from 10:00 AM to 16:00 PM, with the appropriate permissions.
(3) Non-authorized electronic devices such as laptops, portable storage, and smart devices may not be carried into the company.
(4) All employees are required to pass through the ‘Security Checkpoint’ system.
(5) All storage devices such as HDDs, SSDs, USB memory sticks, and CDs/DVDs are forbidden under the ‘Security Checkpoint’ rules.

In addition, although the company maintained separate internal and external networks and used DRM (Digital Rights Management) and DLP (Data Loss Prevention) solutions for its information security, ‘Mr. Informant’ had sufficient authority to bypass them. He was also very interested in IT (Information Technology) and had slight knowledge of digital forensics.

In this scenario, find any evidence of the data leakage, and any data that might have been generated on the suspect’s electronic devices.
(a) All the seed files (confidential files used in the scenario) were created from MS Office files randomly selected from Govdocs1 (https://digitalcorpora.org/corpora/files). The seed files are available online at the NIST/CFReDS web-site.

2. TARGET SYSTEMS AND DEVICES
| Target | Item | Detailed Information | Note |
|---|---|---|---|
| Personal Computer (PC) | HW: Type | Virtual System | VMWare v11 |
| | HW: CPU | 1 Processor (2 Core) | |
| | HW: RAM | 2,048 MB | |
| | HW: HDD Size | 20 GB | |
| | HW: File System | NTFS | |
| | HW: IP Address | 10.11.11.129 | NAT |
| | SW (OS): Operating System | Microsoft Windows 7 Ultimate (SP1), English (64 bits) | MSDN image (b) (not activated) |
| | SW (Apps): Web | MS Internet Explorer; Google Chrome | Latest versions if possible |
| | SW (Apps): Document | Microsoft Office Word, Excel, PowerPoint | MSDN image (c) (not activated) |
| | SW (Apps): Cloud | Google Drive; Apple iCloud | Auto Syncing is ON if possible |
| | SW (Apps): E-mail | Microsoft Outlook | NIST.gov mail server (d) |
| | SW (Apps): Anti-forensics | CCleaner; Eraser | Latest versions if possible |
| Removable Media #1 (RM#1) (e) | HW: Type | USB removable storage device | |
| | Mfg. | SanDisk | Vendor ID = 0x0781 |
| | Model | Cruzer Fit | |
| | Serial No. | 4C530012450531101593 | Unique serial number |
| | Size | 4 GB | |
| | File System | exFAT | |
| | Volume label | Authorized USB | |
| Removable Media #2 (RM#2) | HW: Type | USB removable storage device | |
| | Mfg. | SanDisk | Vendor ID = 0x0781 |
| | Model | Cruzer Fit | |
| | Serial No. | 4C530012550531106501 | Unique serial number |
| | Size | 4 GB | Partitioned 1 GB only |
| | File System | FAT32 | |
| | Volume label | IAMAN $_@ | |
| Removable Media #3 (RM#3) | HW: Type | CD-R | |
| | Size | 700 MB | |
| | File System | UDF | Created by Windows 7 |
| | Volume label | IAMAN CD | |
| Smart Device | - | - | Future work (f) |

(b) SHA-1 hash value: 1693B6CB50B90D96FC3C04E4329604FEBA88CD51
(c) SHA-1 hash value: 377F1F97DBE99104CF053DF3632377F07C9310C7
(d) NIST e-mail accounts: iaman.informant@nist.gov, spy.conspirator@nist.gov
(e) Authorized USB memory stick (confidential electronic files of the company)
3. DETAILED BEHAVIOR OF THE SUSPECT

In developing the user and system artifacts, we tried to keep things as simple as possible. For efficiency in both developing and analyzing the images, the scenario was designed to avoid complicated operations while still creating a variety of meaningful artifacts from a digital forensics viewpoint.

The detailed behavior of the suspect is described in the table below and in a visual diagram.
| Step | Date/Time | Action | Additional Description | Note |
|---|---|---|---|---|
| Normal | ~ 2015-03-22 | Install OS | Windows 7 Ultimate | |
| | | Configure settings | Set the timezone to (UTC-05) Eastern Time | |
| | | Install Apps | (1) Microsoft Office; (2) Microsoft Internet Explorer; (3) Google Chrome | Latest versions if possible |
| | | Create/Download business data | Electronic documents (Word, Excel, PowerPoint...) | Company’s common files |
| | | Email | Microsoft Outlook with NIST e-mail account | iaman.informant@nist.gov |
| | | Create user accounts | “admin11” login count: 2; “ITechTeam” login count: 0; “temporary” login count: 1 | |
| D-2 | 2015-03-23 13:29 | Receive an e-mail | spy.conspirator@nist.gov → iaman.informant@nist.gov | [Subject: Hello, Iaman] “How are you doing?” |
| | 2015-03-23 14:01 ~ 2015-03-23 14:21 | Prepare a crime (data leakage) | Searching the leakage methods through web-browsers: Microsoft Internet Explorer; Google Chrome | Google, Bing search engine. Chrome: 1) data leakage methods; 2) leaking confidential information; 3) information leakage cases; 4) intellectual property theft; 5) how to leak a secret. IE 11: 6) file sharing and tethering; 7) DLP DRM; 8) e-mail investigation; 9) what is windows system artifacts; 10) investigation on windows machine; 11) windows event logs; 12) cd burning method in Windows; 13) external device and forensics. Chrome: 14) cloud storage; 15) digital forensics; 16) how to delete data; 17) anti-forensics; 18) system cleaner; 19) how to recover data; 20) data recovery tools |
| | 2015-03-23 14:31 | Connect USB | ‘RM#1’ USB memory stick | |
| | 2015-03-23 14:36 | Search keywords | Searching confidential data using Windows Search function | Keyword: “secret” |
| | 2015-03-23 14:37 | Open files | [secret_project]_proposal.docx; [secret_project]_design_concept.ppt | Open and read files |
| | 2015-03-23 14:39 | Copy & open files | Copying confidential files from ‘RM#1’ to ‘PC’ “\Desktop\S data” | See File List 1 |
| | 2015-03-23 14:39 | Disconnect USB | Ejecting ‘RM#1’ | |
| | 2015-03-23 14:39 | Configure settings | Show ‘file name extensions’ in Windows Explorer | |
| | 2015-03-23 14:41 | Rename files | All names and extensions are changed (e.g., xlsx → jpg, docx → mp3...) | [secret_project]_detailed_proposal.docx → landscape.png; [secret_project]_design_concept.ppt → space_and_earth.mp4 |
| | 2015-03-23 14:44 | Send an e-mail | iaman.informant@nist.gov → spy.conspirator@nist.gov | “Successfully secured.” |
| | 2015-03-23 15:14 | Receive an e-mail | spy.conspirator@nist.gov → iaman.informant@nist.gov | [Subject: Good job, buddy] “Good, job. I need a more detailed data about this business.” |
| | 2015-03-23 15:19 | Send an e-mail | iaman.informant@nist.gov → spy.conspirator@nist.gov | “This is a sample.” (space_and_earth.mp4) |
| | 2015-03-23 15:20 | Receive an e-mail | spy.conspirator@nist.gov → iaman.informant@nist.gov | “Okay, I got it. I’ll be in touch.” |
| | 2015-03-23 15:26 | Receive an e-mail | spy.conspirator@nist.gov → iaman.informant@nist.gov | [Subject: Important request] “I confirmed it. But, I need a more data. Do your best.” |
| | 2015-03-23 15:27 | Send an e-mail | iaman.informant@nist.gov → spy.conspirator@nist.gov | “Umm... I need time to think.” |
| | 2015-03-23 16:00 | Search and download Apps | Searching cloud storage services using Chrome | |
| | 2015-03-23 16:00 | Install Apps | (1) Google Drive; (2) Apple iCloud | |
| | 2015-03-23 16:05 | Login cloud service | Login Google Drive service with an account (iaman.informant.personal@gmail.com) | |
| | 2015-03-23 16:23 | Connect network drive | Connecting secured shared network drive | \\10.11.11.128\secured_drive |
| | 2015-03-23 16:24 | Search files | Traversing directories and files using Windows Explorer | |
| | 2015-03-23 16:26 | Connect network drive | Mapping network drive (v:) | \\10.11.11.128\secured_drive |
| | 2015-03-23 16:26 | Open files | (secret_project)_pricing_decision.xlsx; [secret_project]_final_meeting.pptx | Open and read files |
| | 2015-03-23 16:28 | Copy & open files | Copying confidential files from a network drive to ‘PC’ “\Desktop\S data” | See File List 2 |
| | 2015-03-23 16:29 | Disconnect network drive | Unmapping network drive (v:) | \\10.11.11.128\secured_drive |
| | 2015-03-23 16:30 | Rename files | All names and extensions are changed (e.g., xlsx → jpg, docx → mp3...) | (secret_project)_pricing_decision.xlsx → happy_holiday.jpg; [secret_project]_final_meeting.pptx → do_u_wanna_build_a_snow_man.mp3 |
| | 2015-03-23 16:32 | Upload files | Uploading some files to Google Drive and sharing them | happy_holiday.jpg; do_u_wanna_build_a_snow_man.mp3 |
| | 2015-03-23 16:38 | Send an e-mail | iaman.informant@nist.gov → spy.conspirator@nist.gov | [Subject: It’s me] “Use links below.” |
| | 2015-03-23 16:41 | Receive an e-mail | spy.conspirator@nist.gov → iaman.informant@nist.gov | “I got it.” |
| | 2015-03-23 16:42 | Delete files | Deleting files from Google Drive | |
| | 2015-03-23 16:43 | Misc. | Personal web-browsing using IE | During approx. 15 minutes |
| D-1 | 2015-03-24 09:26 | Receive an e-mail | spy.conspirator@nist.gov → iaman.informant@nist.gov | [Subject: Last request] “This is the last request. I want to get the remaining data.” |
| | 2015-03-24 09:30 | Send an e-mail | iaman.informant@nist.gov → spy.conspirator@nist.gov | “Stop it! It is very hard to transfer all data over the internet!” |
| | 2015-03-24 09:33 | Receive an e-mail | spy.conspirator@nist.gov → iaman.informant@nist.gov | “No problem. U can directly deliver storage devices that stored it.” |
| | 2015-03-24 09:35 | Send an e-mail | iaman.informant@nist.gov → spy.conspirator@nist.gov | “This is the last time..” |
| | 2015-03-24 09:38 | Connect USB | ‘RM#1’ USB memory stick | |
| | 2015-03-24 09:40 | Copy files | Copying confidential files from ‘RM#1’ to ‘PC’ | See File List 3 |
| | 2015-03-24 09:40 | Disconnect USB | Ejecting ‘RM#1’ | |
| | 2015-03-24 09:47 | Connect network drive | Secured shared network drive | \\10.11.11.128\secured_drive |
| | 2015-03-24 09:47 | Copy files | Copying confidential files from a network drive to ‘PC’ | See File List 4 |
| | 2015-03-24 09:50 ~ 2015-03-24 09:56 | Rename files | All names and extensions are changed (20 files in “%UserProfile%\Desktop\S data\Secret Project Data\”) | (secret_project)_market_analysis.xlsx → new_years_day.jpg; [secret_project]_progress_#3.doc → my_friends.svg |
| | 2015-03-24 09:58 | Connect USB | ‘RM#2’ USB memory stick | |
| | 2015-03-24 09:59 | Copy files | Copying confidential files to ‘RM#2’ | Copy a directory “%UserProfile%\Desktop\S data\Secret Project Data\” including sub-dirs and files to RM#2 |
| | 2015-03-24 10:00 | Verify files | Traversing directories and files in ‘RM#2’ using Windows Explorer | Open a file (winter_whether_advisory.zip) |
| | 2015-03-24 10:02 | Disconnect USB | Ejecting ‘RM#2’ | |
| | 2015-03-24 10:07 | Delete files | Deleting directories and files from ‘PC’ “\Desktop\S data” | Normal deletion: [Shift] + [Delete] |
| | 2015-03-24 10:07 | Misc. | Personal web-browsing and searching anti-forensic methods (Chrome, IE) | During approx. 4 hours |
| | 2015-03-24 14:28 | Misc. | Launching a game (‘Solitaire’) | |

File List 1 (2015-03-23 14:39, ‘RM#1’ → ‘PC’)
[RM#1]
RM#1\Secret Project Data\proposal\[secret_project]_proposal.docx
RM#1\Secret Project Data\design\[secret_project]_design_concept.ppt
[PC]
%UserProfile%\Desktop\S data\[secret_project]_proposal.docx
%UserProfile%\Desktop\S data\[secret_project]_design_concept.ppt

File List 2 (2015-03-23 16:28, network drive → ‘PC’)
[Network Drive]
Secret Project Data\pricing decision\(secret_project)_pricing_decision.xlsx
Secret Project Data\final\[secret_project]_final_meeting.pptx
[PC]
%UserProfile%\Desktop\S data\(secret_project)_pricing_decision.xlsx
%UserProfile%\Desktop\S data\[secret_project]_final_meeting.pptx

File List 3 (2015-03-24 09:40, ‘RM#1’ → ‘PC’)
[RM#1]
RM#1\Secret Project Data\design\[secret_project]_design_concept.ppt
RM#1\Secret Project Data\design\[secret_project]_detailed_design.pptx
RM#1\Secret Project Data\design\[secret_project]_revised_points.ppt
RM#1\Secret Project Data\proposal\[secret_project]_detailed_proposal.docx
RM#1\Secret Project Data\proposal\[secret_project]_proposal.docx
[PC]
%UserProfile%\Desktop\S data\Secret Project Data\design\[secret_project]_design_concept.ppt
%UserProfile%\Desktop\S data\Secret Project Data\design\[secret_project]_detailed_design.pptx
%UserProfile%\Desktop\S data\Secret Project Data\design\[secret_project]_revised_points.ppt
%UserProfile%\Desktop\S data\Secret Project Data\proposal\[secret_project]_detailed_proposal.docx
%UserProfile%\Desktop\S data\Secret Project Data\proposal\[secret_project]_proposal.docx

File List 4 (2015-03-24 09:47, network drive → ‘PC’)
[Network Drive]
Secret Project Data\design\[secret_project]_detailed_design.pptx
Secret Project Data\final\[secret_project]_final_meeting.pptx
Secret Project Data\pricing decision\(secret_project)_market_analysis.xlsx
Secret Project Data\pricing decision\(secret_project)_market_shares.xls
Secret Project Data\pricing decision\(secret_project)_price_analysis_#1.xlsx
Secret Project Data\pricing decision\(secret_project)_price_analysis_#2.xls
Secret Project Data\pricing decision\(secret_project)_pricing_decision.xlsx
Secret Project Data\progress\[secret_project]_progress_#1.docx
Secret Project Data\progress\[secret_project]_progress_#2.docx
Secret Project Data\progress\[secret_project]_progress_#3.doc
Secret Project Data\proposal\[secret_project]_detailed_proposal.docx
Secret Project Data\technical review\[secret_project]_technical_review_#1.docx
Secret Project Data\technical review\[secret_project]_technical_review_#1.pptx
Secret Project Data\technical review\[secret_project]_technical_review_#2.docx
Secret Project Data\technical review\[secret_project]_technical_review_#2.ppt
Secret Project Data\technical review\[secret_project]_technical_review_#3.doc
Secret Project Data\technical review\[secret_project]_technical_review_#3.ppt
[PC]
%UserProfile%\Desktop\S data\Secret Project Data\design\[secret_project]_detailed_design.pptx
%UserProfile%\Desktop\S data\Secret Project Data\final\[secret_project]_final_meeting.pptx
%UserProfile%\Desktop\S data\Secret Project Data\pricing decision\(secret_project)_market_analysis.xlsx
%UserProfile%\Desktop\S data\Secret Project Data\pricing decision\(secret_project)_market_shares.xls
%UserProfile%\Desktop\S data\Secret Project Data\pricing decision\(secret_project)_price_analysis_#1.xlsx
%UserProfile%\Desktop\S data\Secret Project Data\pricing decision\(secret_project)_price_analysis_#2.xls
%UserProfile%\Desktop\S data\Secret Project Data\pricing decision\(secret_project)_pricing_decision.xlsx
%UserProfile%\Desktop\S data\Secret Project Data\progress\[secret_project]_progress_#1.docx
%UserProfile%\Desktop\S data\Secret Project Data\progress\[secret_project]_progress_#2.docx
%UserProfile%\Desktop\S data\Secret Project Data\progress\[secret_project]_progress_#3.doc
%UserProfile%\Desktop\S data\Secret Project Data\proposal\[secret_project]_detailed_proposal.docx
%UserProfile%\Desktop\S data\Secret Project Data\technical review\[secret_project]_technical_review_#1.docx
%UserProfile%\Desktop\S data\Secret Project Data\technical review\[secret_project]_technical_review_#1.pptx
%UserProfile%\Desktop\S data\Secret Project Data\technical review\[secret_project]_technical_review_#2.docx
%UserProfile%\Desktop\S data\Secret Project Data\technical review\[secret_project]_technical_review_#2.ppt
%UserProfile%\Desktop\S data\Secret Project Data\technical review\[secret_project]_technical_review_#3.doc
%UserProfile%\Desktop\S data\Secret Project Data\technical review\[secret_project]_technical_review_#3.ppt

(f) Smart devices and Apple OS X systems can be considered in future work.
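The rename steps in the timeline (Office documents given image, audio and video extensions) are the kind of artifact an examiner recovers by comparing each file's claimed extension with its content signature, since renaming does not change the first bytes of a file. The following script is an added example, not part of the NIST CFReDS dataset or its solution: the file names are taken from the scenario, but the byte contents are constructed in memory (OOXML containers built with `zipfile`, an OLE2 header, a JPEG header), and `scan_directory` is a hypothetical helper for running the same check over a mounted image.

```python
"""Flag files whose extension disagrees with their content signature.

Added example (not part of the NIST CFReDS dataset): the suspect renamed
Office documents to .png/.mp4/.jpg/.mp3/.svg. A signature check catches that
because the first bytes of a file do not change when it is renamed. Sample
bytes below are constructed; only the file names come from the scenario.
"""
import io
import os
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx/.pptx) and .zip
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office (.doc/.xls/.ppt)

# Fixed-offset signatures: (magic bytes at offset 0, extensions they legitimately carry)
STATIC_SIGNATURES = [
    (OLE2_MAGIC, {"doc", "xls", "ppt"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
]


def ooxml_kind(data):
    """Open a ZIP container and tell docx/xlsx/pptx apart by their part directory."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return {"zip"}  # ZIP magic but unreadable/truncated: still clearly not an image or audio file
    for part_dir, ext in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
        if any(n.startswith(part_dir) for n in names):
            return {ext}
    return {"zip"}


def identify(data):
    """Return the set of extensions consistent with the content, or an empty set if unknown."""
    if data.startswith(ZIP_MAGIC):
        return ooxml_kind(data)
    if len(data) >= 8 and data[4:8] == b"ftyp":  # ISO base media: mp4/mov/m4a carry 'ftyp' at offset 4
        return {"mp4", "mov", "m4a"}
    for magic, exts in STATIC_SIGNATURES:
        if data.startswith(magic):
            return exts
    return set()


def check_file(name, data):
    """Compare the claimed extension with the detected content type."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kinds = identify(data)
    if not kinds:
        status = "unknown"
    elif ext in kinds:
        status = "match"
    else:
        status = "mismatch"
    return {"name": name, "ext": ext, "detected": "/".join(sorted(kinds)) or "?", "status": status}


def scan_directory(root):
    """Run the check over a directory tree, e.g. a mounted image of 'RM#2' (hypothetical path)."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                data = fh.read(16)
                if data.startswith(ZIP_MAGIC):  # a ZIP's central directory sits at the end, so read it all
                    data += fh.read()
            results.append(check_file(os.path.relpath(path, root), data))
    return results


def make_ooxml(part_dir):
    """Build a minimal, valid OOXML-shaped ZIP in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(part_dir + "/document.xml", "<x/>")
    return buf.getvalue()


# Constructed sample set: the renamed files from the scenario timeline plus two controls.
SAMPLE_FILES = {
    "landscape.png": make_ooxml("word"),                   # was [secret_project]_detailed_proposal.docx
    "space_and_earth.mp4": OLE2_MAGIC + b"\x00" * 24,      # was [secret_project]_design_concept.ppt
    "happy_holiday.jpg": make_ooxml("xl"),                 # was (secret_project)_pricing_decision.xlsx
    "do_u_wanna_build_a_snow_man.mp3": make_ooxml("ppt"),  # was [secret_project]_final_meeting.pptx
    "my_friends.svg": OLE2_MAGIC + b"\x00" * 24,           # was [secret_project]_progress_#3.doc
    "holiday_photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # genuine JPEG header: control
    "notes.bin": b"\x00" * 16,                             # no known signature: control
}


def mismatched_names(files=SAMPLE_FILES):
    """Names whose extension contradicts the content signature."""
    return [r["name"] for r in (check_file(n, d) for n, d in files.items()) if r["status"] == "mismatch"]


if __name__ == "__main__":
    for n, d in SAMPLE_FILES.items():
        r = check_file(n, d)
        print(f"{r['status']:<9}{r['name']:<34}ext={r['ext']:<5}detected={r['detected']}")
```

Running the block lists the five renamed documents as `mismatch`, the genuine JPEG as `match` and the unsigned file as `unknown`. The OOXML refinement matters in this scenario because a bare "it is a ZIP" verdict would also fire on the legitimate winter_whether_advisory.zip the suspect opened; looking inside the container for the `word/`, `xl/` or `ppt/` part directory is what distinguishes a disguised Office document from an archive that is what it claims to be.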