Cyber Forensic Investigation Report, Thesis of Business Accounting

A report of a cyber forensic investigation conducted by D&B investigations on behalf of an oil company. The investigation was carried out on the personal device of a research engineer who was suspected of exfiltrating proprietary information and distributing it to rival companies. The report details the forensic analysis steps taken using the Electronic Evidence Examiner (E3) program, the incident explanation, summary of investigation, and supplemental data. The report concludes that the engineer did access and store company proprietary information on his personal computer for personal financial gain.

Typology: Thesis

2023/2024

Available from 01/13/2024

helperatsof-1
C-840
Cyber Forensic
Table of Contents
I. Overview
a. Forensic Analysis Steps
II. Incident Explanation
III. Summary of Investigation
IV. Supplemental Data/E3 Generated Report
I. Overview
On April 1st, 2021, D&B investigations was contacted by the Oil Company to investigate
on their behalf due to the company’s research engineer John Smith exfiltrating proprietary
information and distributing it to rival companies. D&B’s investigation team went on-site to
collect forensic evidence from John’s device and gave me the evidence for forensic analysis.
To analyze the image file taken from John Smith’s device, I used Electronic Evidence
Examiner (E3), which allowed me to analyze all of John’s files and directories.
a. Forensic Analysis Steps
Using the Electronic Evidence Examiner (E3) program, I was able to analyze the
contents of John Smith’s device. I named the case file “JustinMcGee1052952” and
imported the image file “JSmith 1GB” using the image file auto detect feature in the
image file evidence category.


  • Figure 1: Creating a new case in E

Figure 4: Selecting the image file “JSmith 1GB” from “Local Disk (C:)” for importing.

After selecting the image file, I proceeded through the content analysis wizard to configure my preferences. I selected sort data and index keywords to ensure the data was searchable and easier to analyze. From there, I also set my data analyzing options and finished importing the forensic image.

Figure 5: Setting my preferences in the content analysis wizard for the image file. Sort data and index keywords have been enabled.

Figure 6: Setting my data analyzing options. Everything is checked except for XDBF Storages. Advanced options and Image Analyzer Options will remain default.

Figure 8: Using the Ctrl-F search function to locate proprietary data on John Smith’s computer.

Figure 9: Image of John Smith’s documents folder holding the proprietary content along with pictures of various luxury items and an article on opening an off-shore bank account in the Cayman Islands.

Figure 10: Evidence of John Smith possessing company proprietary data.

After discovering the proprietary information on John’s computer, I began going over the rest of his files. Alongside the proprietary document were several other concerning files, including images of luxury items such as cars and houses, an image of a suitcase full of cash, and an article describing how to open an off-shore bank account in the Cayman Islands. The names of the images were also concerning. For instance, the image of the luxury car was titled “next car.jpg” and the image depicting the suitcase full of money was titled “Payday.jpg”. The images, as well as screen captures of the articles, have been included in this report.

Figure 13: Image of contact information for a luxury real estate company.

Figure 14: Image of article with information about opening an off-shore bank account in the Cayman Islands.

II. Incident Explanation

In the incident report, a research engineer employed by the Oil Company, John Smith, illegally exfiltrated proprietary company information for personal financial gain by distributing the information to rival organizations. The analysis that was done has made it evident that John Smith did access and store company proprietary information on his personal computer. The other documents in his computer show that his intentions with the information were to sell it to the company’s competitors for his own personal financial gain. Some of the documents in his hard drive that exhibit his intentions include several pictures of luxury items such as cars and houses, and an informative article explaining how to open an overseas bank account in the Cayman Islands. According to my analysis of John Smith’s hard drive, below is a detailed list of my findings:

  • A company proprietary document was found in the Documents directory of John’s user profile titled “Fracking Water Pollution- Company Proprietary.pdf” (fig. 10)
  • Several images of luxury items such as cars and houses were also located in the Documents directory. The images were titled “Payday.jpg”, which depicted a large bag of cash (fig. 10), and “Next Car.jpg” depicting a very expensive vehicle.
  • Another document that was found was titled “How to Open an Offshore Bank Account in Cayman Islands.docx” (fig. 14)

III. Summary of Investigation

During the investigation done on behalf of the Oil Company, I executed a forensic analysis of John Smith’s device from an image file provisioned by the investigative team. I was assigned to locate any proprietary information on John’s computer, as well as any other incriminating evidence, and return my findings to the Oil Company. The analysis was performed using the Electronic Evidence Examiner (E3) program. Based on the completed analysis, and the evidence I have gathered, I was able to conclude the investigation and develop a final report. Proprietary files were in fact found on John’s computer, located in /Users/jsmith/Documents (fig. 8 and 9). Several images and document evidence were also found on the device depicting potential luxury items to purchase after selling the information to a rival organization.
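The keyword search for “proprietary” described in this report can be cross-checked outside the GUI with a short script. The following is an added example, not part of the original report and not E3 code: it walks a read-only mounted copy of the image, matches the keyword against file names and raw bytes, and records a SHA-256 for each hit. The directory tree is a constructed sample (file contents are invented, and `notes.txt` is a hypothetical file that does not appear in the report).

```python
import hashlib
import tempfile
from pathlib import Path

KEYWORD = "proprietary"  # search expression used in the report


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def keyword_hits(root: Path, keyword: str = KEYWORD) -> list[dict]:
    """List files under root whose name or raw bytes contain keyword (case-insensitive)."""
    needle = keyword.lower().encode()
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        in_name = keyword.lower() in path.name.lower()
        # Whole-file read is acceptable for this small sample tree.
        in_body = needle in path.read_bytes().lower()
        if in_name or in_body:
            hits.append({
                "path": path.relative_to(root).as_posix(),
                "matched": "name" if in_name else "content",
                "size": path.stat().st_size,
                "sha256": sha256_of(path),
            })
    return hits


def build_sample_tree(root: Path) -> Path:
    """Constructed stand-in for the mounted image; all file contents are invented."""
    docs = root / "Users" / "jsmith" / "Documents"
    docs.mkdir(parents=True)
    (docs / "Fracking Water Pollution- Company Proprietary.pdf").write_bytes(b"%PDF-1.4 sample")
    (docs / "Payday.jpg").write_bytes(b"\xff\xd8\xff sample image bytes")
    (docs / "notes.txt").write_bytes(b"Internal - PROPRIETARY - do not distribute")  # hypothetical file
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in keyword_hits(build_sample_tree(Path(tmp))):
            print(hit["matched"], hit["sha256"][:16], hit["path"])
```

A raw byte search misses text inside compressed containers such as .docx files, so a script like this supplements an indexing tool's results and does not replace them.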

Figure 16: Continuing log file, setting preferences for the case, mounting the disk image with the preferences set while creating the case. E3 begins sorting the data.

Figure 17: Continuing the report, after the content analysis is completed, I query the sorted files with the expression “proprietary”. The search engine begins looking for any matches.

Figure 18: Continuing the report, the log begins to list all filesystem evidence that I chose to be added to the case file.

Figure 19: Continuing the report, after collecting all the evidence for the case, I create a simple RTF report using E3’s reporting feature.

Figure 20: The report is finished with the last item in the evidence list being “STRAIT LANE.pdf” containing the contact information for luxury housing.

Note from the uploader: Word of advice for anyone that does a thorough job with the assignment, but gets it sent back to you for revision. Upload a separate copy of the E3 generated report. I had my assignment sent back 4 times because they didn’t tell me explicitly that the report needed to be separate, which is why screenshots of the report are included in this document. Good luck!