Running Head: COMPUTER FORENSIC EXAMINATION REPORT 1

Computer Forensic Examination Report

Michael Keller

University of San Diego

December 10, 2018


Abstract

This paper presents a simulated forensic analysis case provided by the University of San Diego. Along with the analysis, it covers the background of the case, which concerns a small start-up business and the improper disclosure of Personally Identifiable Information. It also provides key information on legal concerns that may be considered during this investigation or in a court of law. Several key data protection and privacy laws are identified as being potentially relevant. The forensic analysis process is then discussed, along with the findings of the case. These findings are used to provide a recommendation to the court of law regarding the innocence of the suspected perpetrator identified in the sample case.


Table of Contents

Background

Legal Considerations

Evidence Collection Process

Analysis

Results

Recommendations
Background

This investigation involves a small start-up company, M57.biz, which ultimately saw the disclosure of Personally Identifiable Information, or PII, of its employees. The case centers on a specific exchange between company President Alison Smith and Chief Financial Officer Jean Jones. Initial interviews revealed that Jean Jones, at the request of Alison Smith, was to produce a document listing all employees of M57.biz, their positions, salary, and Social Security Number.

The discrepancy in this case is that Alison Smith denies ever asking for such a document to be created and sent to her, while Jean Jones admits to performing the task at the direction of Alison Smith. As a result, a copy of the document containing this sensitive data was stolen and made public. This investigation was conducted to determine whether Jean Jones intentionally disclosed sensitive information or was subjected to some form of foul play.

Legal Considerations

Data protection and privacy have been extremely sensitive and major issues in the United States. Several federal laws exist that are aimed at protecting people’s privacy and their information. Some laws that could be factored into this case include the following:

• Privacy Act of 1974: This law governs the collection, maintenance, use, and dissemination of information. Although this directly applies to federal agencies, this law has seen ratifications updating the law and can be applied to practically any organization (United States Department of Justice, n.d.).

• Electronic Communications Privacy Act: This law has seen several changes since its inception in 1986. Ultimately, this law protects against illegal interception of a wire, oral, or electronic communication (Electronic Privacy Information Center, n.d.).

• Computer Fraud and Abuse Act: This law is a federal anti-hacking law aimed at criminalizing the act of accessing computers without authorization or in excess of authorization (Electronic Frontier Foundation, n.d.).

Various other data protection laws exist that could also be considered. Additional legal considerations include M57.biz’s own policies, such as existing policies, non-disclosure policies, and any relevant rules or regulations internal to the business related to data protection and PII disclosure. Under M57.biz’s Acceptable Use Policy, procurement of a disk image of the source drive is permitted because all staff members of the organization, including Jean Jones, gave express written consent to monitoring, and there is no reasonable expectation of privacy on devices owned or intended for use by M57.biz.

Evidence Collection Process

A genuine disk image of Jean Jones’ computer was provided to the forensics investigation team courtesy of the University of San Diego. In addition to the disk image, both an MD5 and a SHA-1 hash of the disk image were received and verified against the hashes of the provided disk image, establishing the copy as a genuine and true copy of the original disk. The MD5 and SHA-1 hash values are provided below:

• MD5: 78a52b5bac78f4e711607707ac0ef93

• SHA-1: ba7dc57e08bb6e3393aee15c713ae04feadcd181
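The verification step described above can be scripted as follows. This is an added example, not part of the original report or of any tool it names; the function names and the small sample "image" are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile

def hash_image(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Read the image once, in chunks, and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(path, expected):
    """Return {algorithm: 'match' | 'mismatch' | 'malformed'} per recorded digest."""
    computed = hash_image(path, tuple(expected))
    report = {}
    for name, recorded in expected.items():
        recorded = recorded.strip().lower()
        want = hashlib.new(name).digest_size * 2  # hex characters expected
        if not re.fullmatch(r"[0-9a-f]{%d}" % want, recorded):
            report[name] = "malformed"  # recorded value was mis-transcribed
        elif hmac.compare_digest(computed[name], recorded):
            report[name] = "match"
        else:
            report[name] = "mismatch"
    return report

def demo():
    """Verify a small constructed 'image' against its own recorded digests."""
    data = b"constructed sample image bytes, not real evidence" * 1000
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    try:
        good = {"md5": hashlib.md5(data).hexdigest(),
                "sha1": hashlib.sha1(data).hexdigest()}
        return verify_image(tmp.name, good)
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    print(demo())
```

Reporting a malformed recorded digest separately from a mismatch keeps a transcription error in the case notes from being read as evidence tampering.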

Two forensic analysis programs, FTK Imager and Autopsy, were used in this examination, with Autopsy being the primary choice of software for analysis. Autopsy was chosen as the primary tool due to its ability to access drive data, unallocated space, and deleted files, in addition to providing user-friendly functionality, including identifying data by type and source, which made the investigation process easier.


Analysis

Forensic analysis of the drive consisted of analysis of all files, programs, and unallocated space present on the image as a result of the deletion of files. Analysis of unallocated space did not reveal any files of significance. Programs that were installed on the host system were determined to be authentic and true, and no indications of malware were present.

File analysis determined an approximate timeline of events. Emails exchanged between Jean Jones and Alison Smith were analyzed and indicate a timeline of approximately July 6, 2008 to July 21, 2008.

Investigation of this email exchange showed a distinct change in the email address for Alison Smith with which Jean Jones was communicating. The images below display the first email address change, which appears to be legitimate but is not. When Alison Smith’s email address changes again, the specific message requesting the document is seen, in addition to another unknown email address.


Results

The forensic analysis of Jean Jones’ computer disk image presented four key points. These points are:

1. Jean Jones’ computer was not running any variation of malware. All installed programs were verified to be authentic and genuine processes.

2. Analysis of files did not reveal any pertinent information indicating that Jean Jones was using PII for malicious purposes.

3. Analysis of unallocated space, that is, space left by deleted files and tagged for rewriting with new data, did not reveal any data of significance, or the data could not be recovered.

4. Email header evaluations revealed that Jean Jones was likely complying with the request of a user appearing to be Alison Smith. Email header analysis found that the host address and routing of the emails did not originate from the M57.biz domain while the request for PII was being made. The user appeared to be legitimate, as the presented name and email address on the emails Jean received from “Alison” were in line with previously received messages.
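The header check behind point 4 can be illustrated as follows. This is an added example, not the examiner's tooling; the two sample messages, their addresses, host names and IP addresses are constructed, and only the m57.biz domain comes from the report.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG = "m57.biz"  # organization domain named in the report

# Constructed, abbreviated sample headers; addresses and hosts are invented.
LEGIT = """\
Return-Path: <alison@m57.biz>
Received: from ws1.m57.biz ([192.0.2.10]) by mx.m57.biz
From: "Alison Smith" <alison@m57.biz>

body
"""
SUSPECT = """\
Return-Path: <relay@mailer.example.net>
Received: from mx.m57.biz ([192.0.2.1]) by ws2.m57.biz
Received: from mailer.example.net ([198.51.100.7]) by mx.m57.biz
From: "Alison Smith" <alison@m57.biz>
Reply-To: <alison@example.org>

body
"""

def domain_of(value):
    """Lowercased domain of the address in a header value, or ''."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def in_org(host):
    return host == ORG or host.endswith("." + ORG)

def spoof_indicators(raw):
    """Reasons a message that claims an in-domain sender looks forged."""
    msg = message_from_string(raw)
    if not in_org(domain_of(msg["From"])):
        return []  # not presented as an internal sender
    found = []
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and not in_org(dom):
            found.append(f"{name} domain {dom} is outside {ORG}")
    # Relays prepend Received, so the last header is the earliest hop.
    hops = msg.get_all("Received") or [""]
    m = re.search(r"\bfrom\s+([\w.-]+)", hops[-1])
    if m and not in_org(m.group(1).lower()):
        found.append(f"first hop {m.group(1).lower()} is outside {ORG}")
    return found
```

Received lines written before a message reaches the organization's own mail server are under the sender's control, so the hop recorded by that server carries the most evidentiary weight.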

Recommendations

With these points taken into consideration, it is the recommendation of this investigation that Jean Jones did not release the PII knowingly nor with malicious intent and performed her duties within the scope of her job. Forensic analysis concludes that Jean Jones’ computer and drive were not the source of this breach of confidentiality, which was likely the result of a malicious attacker spoofing email headers to impersonate a legitimate user of the M57.biz domain.
References

Electronic Frontier Foundation. (n.d.). Computer Fraud and Abuse Act Reform. Retrieved from https://www.eff.org/issues/cfaa

Electronic Privacy Information Center. (n.d.). Electronic Communications Privacy Act (ECPA). Retrieved from https://epic.org/privacy/ecpa/

United States Department of Justice. (n.d.). Privacy Act of 1974. Retrieved from https://www.justice.gov/opcl/privacy-act-1974
