Digital Forensics Report: IT Company Data Theft Investigation

Added on 2020/03/16
Digital Forensics
Abstract
The report presents a hypothetical case involving an employee of an IT OEM company whose primary business is networking hardware and solutions. The employee is believed to have stolen data and sold it on the open market. The report follows a strict digital forensic approach to the investigation, works through the case phase by phase, and maintains a proper chain of custody throughout.
Table of Contents
Abstract
Introduction
Background
Scope of Engagement
    Forensic Tools
    Investigation Process
Overall File System
    Email System Analysis
    Documents Folder
    Internet Browser Analysis
    Findings
Conclusion
References
Introduction
In the past few years an entirely new breed of crime scene has emerged, one that exists electronically in cyberspace. Traditional methods of investigation, analysis and scrutiny do not apply in this new world, so a new domain with its own tools was created, and this is where digital forensics came into the picture. Violent criminals, terrorists, drug lords and even white-collar employees all make use of technology to facilitate their offences and to avoid apprehension. Both organized and unorganized criminal groups have entered cyberspace. Insiders within an organization or enterprise are no exception, and this is exactly what happened in the case of the suspect in this report. The report provides the background of the case and then describes the forensic investigation in detail: the tools used, the process followed, the analysis performed and the findings.
Background
In the scenario, the suspect is an employee of an IT company that deals in networking-based solutions for home and business clients. The suspect holds the designation of team lead. He had privileged access to sensitive data whose theft could cause the company losses of millions of dollars. This came to light when the company learned that unique features which had not yet been released in its product had already been captured by a competitor, who had already released its own product. That product bore very close similarities to the unique features of the company's product, which were still in the development phase. The company concluded that there had been an intellectual property theft, either through an external intrusion or through a leak by an internal employee. On investigation it was found that there had been no recent external security breach, so the company concluded that the breach was internal. Further internal investigation found that a leak was possible from the research and development department. Further scrutiny revealed that some employees had access to USB drives and were also allowed to take them home. The investigation narrowed down to a single employee who had access to some of the company's confidential data. The company was convinced that the employee had played a key role in the data theft and decided to catch him by presenting a fake case; they were successful in catching him red-handed. Preliminary investigation found that he had indeed stolen the confidential information and might also have obtained the login credentials of other employees. The company took his system into custody, for which he claimed that it contained only his personal data. With the help of FTK, a bit-stream image of the USB disk and of his hard disk will be made to find further proof of his guilt or innocence.
Scope of Engagement
The objective of this report is to carry out a forensic investigation into the allegations made against the 'suspect' of stealing company secrets and selling them on the open market or to competitors. The report is meant only to analyse, scrutinize and present the facts and findings regarding the case. It is not meant to pass judgement on its own, although the documentary evidence provided here would be court admissible. The report follows common forensic practice and ensures that the original data is not tampered with in any way, although there is always scope for minor modifications.
Forensic Tools
PRTK from AccessData is used to recover and crack passwords on commonly password-protected files such as PDF or Word documents. A live CD is an important tool for accurate data acquisition. Helix3 Pro, built on top of Ubuntu, and the FTK Live CD are tools that focus on incident response and computer forensics; they are among the most popular live CDs used for both Windows and Linux based forensic investigations. Apart from these, FTK is used for analysis, UniversalViewer for viewing all kinds of images, the command line, and VMware Workstation. All tools are legally acquired and fully functional until their trial expiry date (Maawali, 2017).
Operating System: Windows 10 Pro. Guest (Suspect's) Operating System: Windows 7 SP1
Investigation Process
The following steps were followed for the investigation.
Data acquisition - This phase is a three-step process:
Create a data acquisition plan - In this step the analyst assigns a priority to each source and then creates the sequence in which data will be acquired. Priority is determined by two factors, likely value and volatility, which together decide which source is prioritized and which is acquired.
Acquire the data - Before collecting any data, it must be decided whether the data needs to be collected in a form that can be used in future legal proceedings. A clear strategy should therefore be in place to avoid allegations of improper handling of evidence. Data is of two types, volatile and non-volatile, and the following steps show how each type is handled:
a. Non-volatile data - This data comes from the computer's hard drive. First, the suspect's system is powered off. Then an FTK live disk is created using the FTK program, and the suspect's hard drive is acquired. Consideration is given to whether the examiner is writing to FAT16 or FAT32, because the DOS program cannot read or write drives of other file systems. A cryptographic hash is used to generate an electronic fingerprint of each individual file and of the entire hard drive. The DOS utility of FTK is used to create the MD5 hash value of the evidence at the time of acquisition.
b. Volatile data - This data comes from the computer's memory.
Verify the acquired data - The hash value is of prime importance because hash values must exist for evidentiary purposes. Without hash values there would be no way to be certain that the acquired image is an exact copy of the hard drive, and the entire body of evidence could be considered tampered with or inadmissible in court. A write-blocker or a live CD can be used to gather an exact image of the hard disk drive; the image of the HDD would then be an exact copy and can be used for further investigation. At the same time the investigator needs to keep a detailed log of each and every step of data collection and analysis, and tagging and bookmarking need to be done (Lara, 2017).
Acquisition of data - This phase has three steps:
Assessment phase - This step involves obtaining authorization to perform the computer investigation. It involves processes such as assessing the case, interviewing people and documenting results, as well as conducting an in-depth analysis of the crime scene, prioritizing actions and justifying the required resources.
Data Collection - This phase includes the identification and securing of the devices present at the crime scene. In addition, interviews are conducted with the people who may have information relevant to the examination: end users of the computer system, managers, the person who allocates computers to employees, and so on. The likely sources of data at this stage include workstations, network devices, computer systems and laptops. These devices usually have internal storage, accept media such as CDs and DVDs, and carry various ports such as USB and FireWire for external media and devices. Since logging and intrusion detection systems were active, they may well hold valuable information even if they were not specifically configured for this case; the network administrator should therefore hand over these systems so that the logs can be obtained.
Post-acquisition
Examination - After the data is collected, the next phase is examination, which involves assessing the gathered data and extracting the relevant information from it.
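The verification step above rests on two habits: hashing the image at acquisition time and re-hashing it at every later handover, and logging each of those events. The following Python script is an added example (not part of the report and not FTK's code) that does both on a constructed stand-in image: it streams the file through MD5 and SHA-256 so a multi-gigabyte image never has to fit in memory, compares the current digests with those recorded at acquisition, and appends each action to a JSON Lines chain-of-custody log. The evidence id, examiner name and file names are placeholders. Producing SHA-256 alongside the MD5 that the report's tooling records is a design choice of this example, since MD5 alone is no longer considered collision resistant.

```python
import hashlib
import io
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # stream in 1 MiB pieces so a multi-GB image never has to fit in memory


def hash_stream(fh, algorithms=("md5", "sha256")):
    """Compute the requested digests of a file-like object in a single pass."""
    digests = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha256")):
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def verify_image(image_path, acquisition_hashes):
    """Re-hash the image and compare against the digests recorded at acquisition.
    Returns (ok, current_hashes); ok is True only if every recorded digest still matches."""
    current = hash_file(image_path, tuple(acquisition_hashes))
    ok = all(current[name] == value for name, value in acquisition_hashes.items())
    return ok, current


def log_custody_event(log_path, evidence_id, action, examiner, hashes, note=""):
    """Append one chain-of-custody entry (JSON Lines) and return it."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence_id": evidence_id,
        "action": action,
        "examiner": examiner,
        "hashes": dict(hashes),
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def demo():
    """Acquire, verify, tamper, verify again. Returns (ok_before, ok_after, log_entry_count)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "suspect_hdd.dd"  # constructed stand-in for the bit-stream image
        image.write_bytes(b"\x00" * 4096 + b"constructed sample sector data " * 256)
        log = Path(tmp) / "chain_of_custody.jsonl"

        acquired = hash_file(image)
        log_custody_event(log, "EV-001", "acquired", "examiner (placeholder)", acquired,
                          note="bit-stream image of suspect HDD (constructed sample)")

        ok_before, _ = verify_image(image, acquired)
        log_custody_event(log, "EV-001", "verified", "examiner (placeholder)", acquired,
                          note="match" if ok_before else "MISMATCH")

        # Simulate a single-byte modification of the image after acquisition
        with open(image, "r+b") as fh:
            fh.seek(100)
            fh.write(b"X")
        ok_after, current = verify_image(image, acquired)
        log_custody_event(log, "EV-001", "verified", "examiner (placeholder)", current,
                          note="match" if ok_after else "MISMATCH")

        entries = [json.loads(line) for line in log.read_text(encoding="utf-8").splitlines()]
        return ok_before, ok_after, len(entries)


if __name__ == "__main__":
    print(demo())  # (True, False, 3)
```

Run with `python3 custody_hash.py`; the second verification fails because one byte was changed, and the log records the mismatching digests next to the original ones, which is exactly the trail an examiner would need to show when the copy diverged.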
Overall File System
A laboratory machine is prepared with at least Windows 7 on it, along with the tools mentioned earlier installed and configured.
The evidence files are then copied to this laboratory computer, having been cloned using Helix Pro and FTK.
Deleted files are recovered with FTK. These recovered files carry their file data, including all file names with their dates and timestamps, their logical and physical sizes and their complete paths. Keyword and text searches are driven by the investigator's judgement and by the background of the case. Graphics files and document files are opened and viewed using 'UniversalFileViewer'. Slack and unallocated space are searched. All essential evidentiary files are copied to a secure medium and further protected with write-protection tools.
FTK is used to carve images and documents from unallocated space. A total of 290 megabytes of data is retrieved here, amounting to a total of 7009 images.
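Carving recovers files from unallocated space by their signatures rather than by file-system metadata, which is why the names, paths and timestamps of carved images are lost while their content survives. The following Python carver is an added example (it is not the report's material and not FTK's implementation) that scans a constructed byte blob standing in for unallocated space and recovers the two image types the report mentions: JPEGs, delimited by their SOI and EOI markers, and TIFFs, which have no trailer and so must be sized by walking the IFD chain and taking the furthest byte any strip or out-of-line value reaches. The JPEG logic balances a nested SOI/EOI pair so an embedded EXIF thumbnail does not cut the carve short, and the TIFF logic guards against truncated headers and looping IFD pointers, both common in corrupted residue.

```python
import struct

# TIFF field type -> size in bytes (TIFF 6.0 spec, types 1-12)
TIFF_TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
STRIP_OFFSETS, STRIP_BYTE_COUNTS = 273, 279


def jpeg_extent(blob, start):
    """End offset of the JPEG whose SOI is at `start`, or None if no EOI follows.
    A nested SOI (EXIF thumbnail) is balanced against its own EOI."""
    pos, depth = start + 2, 1
    while depth:
        next_soi = blob.find(b"\xff\xd8", pos)
        next_eoi = blob.find(b"\xff\xd9", pos)
        if next_eoi == -1:
            return None
        if next_soi != -1 and next_soi < next_eoi:
            depth, pos = depth + 1, next_soi + 2
        else:
            depth, pos = depth - 1, next_eoi + 2
    return pos


def _read_values(blob, bo, typ, cnt, entry_off, base):
    """Values of a SHORT/LONG IFD entry, whether stored inline or at an offset."""
    fmt = {3: "H", 4: "I"}.get(typ)
    if fmt is None:
        return []
    size = struct.calcsize(fmt) * cnt
    src = entry_off + 8 if size <= 4 else base + struct.unpack_from(bo + "I", blob, entry_off + 8)[0]
    if src + size > len(blob):
        return []
    return list(struct.unpack_from(bo + fmt * cnt, blob, src))


def tiff_extent(blob, start):
    """End offset of the TIFF at `start` found by walking its IFD chain, or None if malformed."""
    if len(blob) < start + 8:
        return None
    bo = "<" if blob[start:start + 2] == b"II" else ">"
    if blob[start + 2:start + 4] != struct.pack(bo + "H", 42):
        return None
    end = start + 8
    ifd = struct.unpack_from(bo + "I", blob, start + 4)[0]
    seen = set()
    while ifd and ifd not in seen:  # `seen` guards against IFD pointer loops
        seen.add(ifd)
        if start + ifd + 2 > len(blob):
            return None
        n = struct.unpack_from(bo + "H", blob, start + ifd)[0]
        offsets, counts = [], []
        for i in range(n):
            entry_off = start + ifd + 2 + 12 * i
            if entry_off + 12 > len(blob):
                return None
            tag, typ, cnt, val = struct.unpack_from(bo + "HHII", blob, entry_off)
            size = TIFF_TYPE_SIZES.get(typ, 1) * cnt
            if size > 4:  # value stored out of line; `val` is its offset
                end = max(end, start + val + size)
            if tag == STRIP_OFFSETS:
                offsets = _read_values(blob, bo, typ, cnt, entry_off, start)
            elif tag == STRIP_BYTE_COUNTS:
                counts = _read_values(blob, bo, typ, cnt, entry_off, start)
        next_ifd_off = start + ifd + 2 + 12 * n
        if next_ifd_off + 4 > len(blob):
            return None
        end = max(end, next_ifd_off + 4)
        for o, c in zip(offsets, counts):
            end = max(end, start + o + c)
        ifd = struct.unpack_from(bo + "I", blob, next_ifd_off)[0]
    return end


def carve(blob):
    """Linear signature scan; returns [(kind, start, end), ...] for every JPEG and TIFF found."""
    found, pos = [], 0
    while pos < len(blob):
        if blob.startswith(b"\xff\xd8\xff", pos):
            kind, end = "jpeg", jpeg_extent(blob, pos)
        elif blob[pos:pos + 4] in (b"II*\x00", b"MM\x00*"):
            kind, end = "tiff", tiff_extent(blob, pos)
        else:
            pos += 1
            continue
        if end is None:  # signature without a usable body: keep scanning
            pos += 1
            continue
        end = min(end, len(blob))
        found.append((kind, pos, end))
        pos = end
    return found


def build_sample_blob():
    """Constructed stand-in for unallocated space: a JPEG with a nested thumbnail and a tiny TIFF."""
    jpeg = (b"\xff\xd8\xff\xe1" + b"\x00\x08Exif" + b"\xff\xd8\xff\xd9"  # APP1 carrying nested SOI/EOI
            + b"\x11" * 20 + b"\xff\xd9")
    def short(tag, v): return struct.pack("<HHIH2x", tag, 3, 1, v)
    def long_(tag, v): return struct.pack("<HHII", tag, 4, 1, v)
    strip_off = 8 + 2 + 6 * 12 + 4  # header, one IFD of six entries, then pixel data
    ifd = (struct.pack("<H", 6) + short(256, 2) + short(257, 1) + short(258, 8)
           + long_(273, strip_off) + short(278, 1) + long_(279, 2) + struct.pack("<I", 0))
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + b"\x80\x80"
    return b"\x00" * 64 + jpeg + b"\xaa" * 37 + tiff + b"\x00" * 16


if __name__ == "__main__":
    for kind, s, e in carve(build_sample_blob()):
        print(f"{kind} at {s}-{e} ({e - s} bytes)")
```

Each carved (start, end) pair can be written out as its own file and hashed as in the verification step; the sample blob yields one 36-byte JPEG and one 88-byte TIFF.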
Email System Analysis
The suspect used Microsoft Outlook on his computer for email. When this mailbox was examined with FTK, everything appeared routine and nothing seemed out of place. However, there were a large number of deleted emails that carried attachments, primarily documents. These emails contained no message text; they consisted only of the attached documents. Most problematic of all, these documents had been sent to the suspect's personal account. All of these mails had been deleted, so FTK had to carve the document files in order to add them to the case.
Documents Folder
The suspect had several hundred files in the Documents folder. Most of them were confidential and were tagged accordingly. Some of the files were password protected, using Microsoft Word's own protection. The password-protected files are copied separately and AccessData's PRTK (Password Recovery Tool Kit) is used to recover the passwords; PRTK uses a dictionary to try to crack the passwords of the protected files. Since there are nearly 100 password-protected files, a further filter is needed to single out the most crucial ones. Accordingly, three files stood out because their actual location was the Temporary Internet folder. These files were successfully cracked and contained documentary evidence of a transaction between the suspect and a third-party individual, indicating the illegal transfer of the company's intellectual property in exchange for a 'check' in US currency (EnCase® Forensic v7, 2015).
Internet Browser Analysis
The suspect primarily used Internet Explorer for day-to-day browsing. Fortunately, Internet Explorer was running on default settings and was set to keep browsing history and cache files indefinitely. This gave a lot of room to work with in pinpointing the suspect's browsing history and finding anything amiss. Using FTK, the cached data and website history stored in the History and the Temporary History Files folders were analysed, and it was found that the suspect had visited Mediafire.com. A dtSearch for the keyword 'Mediafire' reveals several links to Mediafire, and some of these links contained the highly confidential files that caused the damage once they reached the competitors. The agreement signed by the suspect prohibits such actions.
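The email and browser sections each yield timestamped artefacts, and their evidentiary weight comes from correlating them: a deleted mail with a document attached to a personal address, followed minutes later by a visit to a file-sharing upload page. The following Python script is an added example, not the report's own analysis and not a dtSearch or FTK feature, that merges constructed Internet Explorer history rows and carved Outlook items into one timeline, runs a case-insensitive keyword search across it (the equivalent of the 'Mediafire' dtSearch), counts hosts visited, and lists deleted mails that carried attachments outside an assumed corporate mail domain. All URLs, addresses, file names and times are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample artefacts (not data from the report): IE history rows as
# (visit time, URL, page title) and carved Outlook items as (sent time, recipient, subject, attachments).
BROWSER_HISTORY = [
    ("2017-09-12T09:14:00", "https://intranet.example.corp/wiki/roadmap", "Product roadmap"),
    ("2017-09-12T18:41:00", "https://www.mediafire.com/upload", "Upload - MediaFire"),
    ("2017-09-12T18:47:00", "https://www.mediafire.com/file/PLACEHOLDER1/spec_draft.docx", "spec_draft.docx"),
    ("2017-09-13T08:02:00", "https://news.example.net/", "Morning news"),
    ("2017-09-14T19:05:00", "https://www.mediafire.com/file/PLACEHOLDER2/feature_list.pdf", "feature_list.pdf"),
]
DELETED_EMAILS = [
    ("2017-09-12T18:30:00", "personal.mailbox@example-mail.com", "", ["spec_draft.docx"]),
    ("2017-09-13T12:10:00", "colleague@example.corp", "lunch?", []),
    ("2017-09-14T18:55:00", "personal.mailbox@example-mail.com", "", ["feature_list.pdf", "pricing.xlsx"]),
]
CORPORATE_DOMAIN = "example.corp"  # assumed company mail domain (placeholder)


@dataclass(frozen=True)
class Event:
    when: datetime
    source: str      # "browser" or "email"
    summary: str     # host for browser visits, recipient for mails
    detail: str


def browser_events(rows):
    return [Event(datetime.fromisoformat(t), "browser", urlparse(url).netloc, f"{url} ({title})")
            for t, url, title in rows]


def email_events(rows):
    return [Event(datetime.fromisoformat(t), "email", f"to {rcpt}",
                  f"subject={subject!r} attachments={attachments}")
            for t, rcpt, subject, attachments in rows]


def build_timeline(*event_lists):
    """Merge events from any number of sources into one chronologically ordered list."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e.when)


def keyword_hits(timeline, keyword):
    """Case-insensitive keyword search over summary and detail, like a dtSearch index query."""
    kw = keyword.lower()
    return [e for e in timeline if kw in (e.summary + " " + e.detail).lower()]


def hosts_visited(timeline):
    return Counter(e.summary for e in timeline if e.source == "browser")


def attachments_sent_outside(rows, corporate_domain):
    """Deleted mails that carried attachments to a recipient outside the company domain."""
    return [r for r in rows if r[3] and not r[1].lower().endswith("@" + corporate_domain)]


def print_timeline(timeline):
    for e in timeline:
        print(f"{e.when.isoformat()}  {e.source:7}  {e.summary:40}  {e.detail}")


if __name__ == "__main__":
    tl = build_timeline(browser_events(BROWSER_HISTORY), email_events(DELETED_EMAILS))
    print_timeline(tl)
    print("mediafire hits:", len(keyword_hits(tl, "mediafire")))
    print("attachments sent outside:", len(attachments_sent_outside(DELETED_EMAILS, CORPORATE_DOMAIN)))
```

Searching the merged timeline for a file name rather than a host (here `spec_draft`) is what ties the two sources together: the same document appears first as a deleted attachment to the personal mailbox and then in a file-sharing URL a few minutes later.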
Findings
Analysis of the computer resulted in the recovery of a total of 7500 files of essential evidentiary value or key investigative interest. These recovered files include:
480 documents containing confidential information of a sensitive nature.
Among the 480 documents, 70 contain the name of the suspect and personally identifiable information.
Among the 70 documents, 3 password-protected Word files contain evidence that directly links the suspect with the illegal transaction he carried out with the third party. This evidence includes company IP secrets as well as the complete profile of the suspect: address, name, bank account details, SWIFT/MICR code, email address, phone number and the other details necessary to initiate a transaction. The passwords for these files were hello, password and confidential respectively, all in lowercase.
7009 image files. Among these, 14 TIFF images show checks drawn in the name of the suspect by third-party individuals.
Conclusion
The report shows that digital forensics is a continuously evolving discipline. The established rules and regulations act as a guide for everyone involved and ensure that the integrity of the evidence assessed and investigated is maintained. The credibility of the procedure cannot be stressed enough. With proficient tools and knowledge, the forensic expert can provide a required and useful service to both law enforcement and the company. Even though forensics may not provide concrete proof of the crime, it provides key information that can help solve an otherwise nearly impossible puzzle. The difficulty of the examiner's job varies from case to case, so in addition to tested forensic tools, in-depth training to industry standards should also be provided for handling digital evidence. The above report can conclude with certainty that the suspect, or at least the suspect's computer, was used to carry out the illegal activity described. The key revelations come from the email and internet browser analysis performed with the FTK toolkit. Given the nature and circumstances of the evidence gathered, it is highly probable that the suspect himself is the culprit.
References
EnCase® Forensic v7. (2015). Retrieved from http://www.digitalintelligence.com/files/EnCase7_Specifications.pdf
Lara, S. (2017). Significant Changes in Trapezoid and Trapezium Contact in the Scaphotrapezio-Trapezoidal Joint as a Function of Kinematic Movement. Retrieved 8 October 2017, from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.258.7228&rep=rep1&type=pdf
Maawali, W. (2017). The little secret on Digital Forensics | Eagle Eye Digital Solutions | Muscat Oman. Digi77.com. Retrieved 8 October 2017, from https://www.digi77.com/the-little-secret-on-digital-forensics/