Digital Forensics Report: Data Breach Investigation & Analysis
Added on 2023/06/12
Report
AI Summary
This report details a digital forensics investigation into a potential intellectual property theft by a contract employee at Exotic Mountain Tour Services (EMTS). The investigation focuses on two suspicious emails and a USB drive found on the employee's desk. The analysis uses ProDiscover for disk image analysis and Hex Workshop for hex editing to recover and reconstruct potentially corrupted image files. The report outlines the steps taken to identify, recover and analyze the data, including searching for specific file signatures, rebuilding file headers and reconstructing fragmented files. The key finding is that the employee attempted to leak data to a third party, with the recovered image files serving as crucial evidence. The report cites academic sources on digital forensics techniques and tools.

Table of Contents
Task 1
Task 2
    Abstract
    Introduction
    Analysis conducted
    Findings
    References

Task 1
WinHex is the forensic hex editor used here to alter the byte values of a file. Such alterations are made either to repair a file or to obscure its contents, so that only a person who knows the correct sequence of operations can read the text again. To recover the text from the file in this task, the following operations are applied in order:
Modify Data -> “Left shift by 1 bit”
Output:
Modify Data -> “32-bit byte swap”
Output and decrypted text:
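The two Modify Data operations above, reimplemented in Python as an added example; this is not part of the original report and not WinHex's own code. Two assumptions are labelled in the comments: the shift is applied to the selected block as one long bit string rather than to each byte separately, and the 32-bit byte swap reverses each complete 4-byte group. The round trip also shows why the order of the two steps matters and which bit a logical shift discards, since a shift, unlike a rotate, is not exactly reversible. The sample text is constructed.

```python
"""
Byte-level implementations of the two WinHex "Modify Data" operations used
in Task 1 (left shift by 1 bit, 32-bit byte swap) plus a round trip that
shows which bit a logical shift throws away.

Added example, not code from the report or from WinHex.
Assumptions: the shift treats the block as one bit string (bits carry across
byte boundaries) and the byte swap reverses each complete 4-byte group,
leaving a trailing partial group untouched.
"""


def shift_left_1bit(data: bytes) -> bytes:
    """Shift the whole block left by one bit; the top bit of byte 0 is lost."""
    n = len(data)
    value = (int.from_bytes(data, "big") << 1) & ((1 << (8 * n)) - 1)
    return value.to_bytes(n, "big")


def shift_right_1bit(data: bytes) -> bytes:
    """Shift the whole block right by one bit; the low bit of the last byte is lost."""
    n = len(data)
    return (int.from_bytes(data, "big") >> 1).to_bytes(n, "big")


def byte_swap_32(data: bytes) -> bytes:
    """Reverse the byte order inside each complete 4-byte group (its own inverse)."""
    out = bytearray(data)
    for i in range(0, len(data) - len(data) % 4, 4):
        out[i:i + 4] = data[i:i + 4][::-1]
    return bytes(out)


def recover(data: bytes) -> bytes:
    """The two steps Task 1 applies, in the order it applies them."""
    return byte_swap_32(shift_left_1bit(data))


def obfuscate(data: bytes) -> bytes:
    """Inverse sequence (swap, then right shift); used only to build a test input."""
    return shift_right_1bit(byte_swap_32(data))


# Constructed sample: 28 bytes, a multiple of 4, chosen so the one bit the
# right shift discards (low bit of the last byte after swapping) is zero.
SAMPLE = b"WinHex recovered this text!\n"

if __name__ == "__main__":
    scrambled = obfuscate(SAMPLE)
    print("scrambled:", scrambled.hex())
    print("recovered:", recover(scrambled))
```

If WinHex in fact shifts each byte independently, only the two shift functions change (apply the shift to every byte with a 0xFF mask); the composition, the lost bit and the round-trip check stay the same.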
Task 2
Abstract
This investigation concerns the possible theft of intellectual property of Exotic Mountain Tour Services (EMTS) by a contract employee. The company has just completed an extensive survey of locations and customers together with Superior Bicycles, LLC, and the resulting critical business data would, if leaked, cause a severe loss of revenue to both organizations and give an undue advantage to competitors. The leak came to light when two emails of the contract employee were singled out during scrutiny of all email traffic; the emails clearly show the malicious intentions of the employee. A USB drive was also found on the desk at which the contract employee used to work. This investigation covers the captured emails and the USB drive found on the contract employee's desk.
Introduction
ProDiscover is software used in the forensic industry to analyze disk images taken from physical drives. Several other products are available, but ProDiscover is among the best, with many features at the examiner's disposal, of which only a few are used regularly for forensic work. One important aspect of ProDiscover is that, together with a hardware write blocker, it makes an exact copy of a storage device without altering the original disk in any way. Imaging is also available for remote clients, and ProDiscover can take the image of the storage even while the hard drive is in use and subject to change.
Another tool widely used by forensic examiners is Hex Workshop, a hex editor that can edit, copy, delete, paste and insert arbitrary hex/binary data. Developed by BreakPoint Software, it lets an examiner work with binary data as naturally as a word processor works with text. Because the data is presented in its native structure, it can be viewed in several ways, for example as a tree view. Hex Workshop can also apply arithmetic and logical operations to the data, and its search feature locates data given in hexadecimal or native binary form. Generating
checksums and digests is another important capability of the tool. Its reporting feature generates extensive reports in HTML or RTF format.
Analysis conducted
The initial findings were two emails sent outside the official circle of EMTS and a USB drive found on the desk of the contract employee, Bob Aspen. With this material at hand, the objectives were to recover the data that was communicated and to search for concrete evidence against Bob.
Two emails were intercepted by the organization's mail filter: one addressed to terrysadler@groowy.com and one to baspen@aol.com, an address that matches the record of the contract employee Bob Aspen. The dates and times of the messages, 4 February 2007 at 9:21 PM and 5:17 AM, fall within the period in which the contract employee worked in that section of the office.
The email sent to terrysadler@groowy.com by Jim Shu was forwarded to the contract employee's baspen@aol.com address. The timestamps of the two messages differ because they are assigned by the mail servers, not by the users, and the servers sit in different time zones; the later timestamp on the Jim Shu message suggests that account is hosted further west.
The next email in the conversation asks Bob to alter the data in the image so that the company's filter does not pick it up, and to change the file extension from .jpg to .txt; the file concerned kayaks. The last message in the conversation states that Bob cannot receive this message from terrysadler@groowy.com.
Searching for and Recovering Digital Photograph Evidence
In this section the corrupted image is recovered from the USB drive provided by EMTS. The recovery begins with a search for the string “FIF”, the tail of the JFIF identifier found in JPEG headers, which matches recoverable graphics files even where the leading header bytes have been altered, whereas searches for “JFIF” or “JPEG” also return hits from the several other image files that may have been on the USB drive earlier. Such unwanted clusters or files are false positives: each one has to be verified individually, which costs time and delays finding the file we are actually looking for.
We now create a project in ProDiscover and add the supplied image file, named C10InChp.eve. The steps followed are:
1. Run ProDiscover under an Administrator user account, in order to have full rights over the protected images, and create a new project named C10InChp.
2. Add the image to the project with Add -> Image File: browse to the location of C10InChp.eve and add it to the project.

3. To retrieve the data, run a cluster-based search on this image with the pattern “FIF”, as discussed earlier, selecting Case Sensitive and ASCII as the search parameters.
4. First check the keyword hits that matched “FIF”; they are marked in blue in the screenshot below.
5. Select the first occurrence of “FIF” and double-click it to jump directly to the location where the key was found.
6. On returning to the original screen, the location where “FIF” was found is shown as a cluster number together with the name of the file in which it occurs.
7. Select the listed files and right-click to get the “Find File” option.
8. Press “Yes”. All clusters matching the criteria are then shown on the screen.
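The same search-and-recover procedure in Python, as an added example that is not part of the report and not ProDiscover's code. It runs the case-sensitive ASCII search for “FIF” over a small disk image constructed inline (an intact JPEG, a text file containing “FIFO” as the kind of false positive the report warns about, and a JPEG whose first header bytes were overwritten), reports each hit as an offset and cluster number, triages it, and rebuilds the damaged header before carving to the End-Of-Image marker. The 512-byte cluster size, the file contents and the triage rule are assumptions made for the demonstration.

```python
"""
Signature search and header repair for JPEG (JFIF) files in a raw image,
mirroring the ProDiscover cluster search for "FIF" described above.

Added example, not code from the report or from ProDiscover. The disk image,
its cluster size and the file contents are constructed for the demonstration.
"""
import re

CLUSTER_SIZE = 512              # assumed; read it from the volume boot sector in practice
SOI_APP0 = b"\xff\xd8\xff\xe0"  # Start-Of-Image marker followed by the APP0 marker
JFIF_ID = b"JFIF\x00"           # identifier inside APP0, 6 bytes after SOI
EOI = b"\xff\xd9"               # End-Of-Image marker


def find_hits(image: bytes, pattern: bytes = b"FIF") -> list:
    """Case-sensitive ASCII search; returns (offset, cluster) pairs like the tool's hit list."""
    return [(m.start(), m.start() // CLUSTER_SIZE)
            for m in re.finditer(re.escape(pattern), image)]


def header_at(hit: int):
    """Offset of the JPEG header that would put 'FIF' at this hit, or None."""
    # Intact JFIF header: FF D8 FF E0 <len:2> 'J' 'F' 'I' 'F' 00, so "FIF" sits 7 bytes in.
    start = hit - 7
    return start if start >= 0 else None


def classify(image: bytes, hit: int) -> str:
    """'intact', 'damaged' (marker/identifier bytes broken, APP0 length still present)
    or 'false positive'. The rule is an assumption made for this example."""
    start = header_at(hit)
    if start is None:
        return "false positive"
    head = image[start:start + 11]
    if head.startswith(SOI_APP0) and head[6:11] == JFIF_ID:
        return "intact"
    if head[4:6] == b"\x00\x10" and head[7:10] == b"FIF":  # plain JFIF APP0 is 16 bytes long
        return "damaged"
    return "false positive"


def carve(image: bytes, start: int) -> bytes:
    """Carve one JPEG from `start` to the next EOI marker, rewriting the header bytes
    that tampering may have altered (SOI/APP0 markers and the JFIF identifier)."""
    end = image.find(EOI, start + 11)
    if end == -1:
        raise ValueError("no End-Of-Image marker after offset %d" % start)
    body = image[start:end + 2]
    return SOI_APP0 + body[4:6] + JFIF_ID + body[11:]


def recover_jpegs(image: bytes) -> list:
    """Whole procedure: search, triage every hit, carve the usable ones."""
    results = []
    for offset, cluster in find_hits(image):
        data, verdict = None, classify(image, offset)
        if verdict != "false positive":
            try:
                data = carve(image, header_at(offset))
            except ValueError:
                verdict += " (no EOI marker)"
        results.append({"offset": offset, "cluster": cluster, "verdict": verdict, "data": data})
    return results


def _jfif(payload: bytes) -> bytes:
    """Minimal, structurally valid JFIF file around a constructed payload."""
    app0 = b"\x00\x10" + JFIF_ID + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # len 16, v1.1, no thumbnail
    return SOI_APP0 + app0 + payload + EOI


def build_sample_image() -> bytes:
    """Constructed 4-cluster image: an intact JPEG, a text file with a false positive,
    and a JPEG whose first bytes were overwritten (the tampering the report describes)."""
    intact = _jfif(b"kayak-photo-1 scan data")
    damaged = bytearray(_jfif(b"kayak-photo-2 scan data"))
    damaged[0:4] = b"\x00\x00\x00\x00"  # SOI/APP0 markers zeroed
    damaged[6] = ord("x")              # 'JFIF' became 'xFIF'
    decoy = b"notes: the FIFO buffer was flushed before upload\n"

    def cluster(data: bytes) -> bytes:  # pad each file out to a whole cluster
        return data + b"\x00" * (CLUSTER_SIZE - len(data))

    return cluster(intact) + cluster(decoy) + cluster(bytes(damaged)) + cluster(b"")


if __name__ == "__main__":
    for r in recover_jpegs(build_sample_image()):
        size = len(r["data"]) if r["data"] else 0
        print("offset %5d cluster %d  %-15s carved %d bytes" % (r["offset"], r["cluster"], r["verdict"], size))
```

On a real image, take the cluster size from the boot sector and open every carved file in a viewer: a hit on the identifier says nothing about whether the scan data that follows it is intact, and a file with no EOI marker after the header has to be reconstructed from its fragments rather than carved in one piece.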