











A report of a cyber forensic investigation conducted by D&B investigations on behalf of an oil company. The investigation was carried out on the personal device of a research engineer who was suspected of exfiltrating proprietary information and distributing it to rival companies. The report details the forensic analysis steps taken using the Electronic Evidence Examiner (E3) program, the incident explanation, summary of investigation, and supplemental data. The report concludes that the engineer did access and store company proprietary information on his personal computer for personal financial gain.
Typology: Thesis












Table of Contents

I. Overview
a. Forensic Analysis Steps
II. Incident Explanation
III. Summary of Investigation
IV. Supplemental Data/E3 Generated Report

I. Overview

On April 1st, 2021, D&B investigations was contacted by the Oil Company to investigate on their behalf due to the company’s research engineer, John Smith, exfiltrating proprietary information and distributing it to rival companies. D&B’s investigation team went on-site to collect forensic evidence from John’s device and gave me the evidence for forensic analysis. To analyze the image file taken from John Smith’s device, I used Electronic Evidence Examiner (E3), which allowed me to analyze all of John’s files and directories.

a. Forensic Analysis Steps

Using the Electronic Evidence Examiner (E3) program, I was able to analyze the contents of John Smith’s device. I named the case file “JustinMcGee1052952” and imported the image file “JSmith 1GB” using the image file auto detect feature in the image file evidence category.
Figure 4: Selecting the image file “JSmith 1GB” from “Local Disk (C:)” for importing.

After selecting the image file, I proceeded through the content analysis wizard to configure my preferences. I selected sort data and index keywords to ensure the data was searchable and easier to analyze. From there, I also set my data analyzing options and finished importing the forensic image.
Figure 5: Setting my preferences in the content analysis wizard for the image file. Sort data and index keywords have been enabled.

Figure 6: Setting my data analyzing options. Everything is checked except for XDBF Storages. Advanced options and Image Analyzer Options will remain default.
Figure 8: Using the ctrl-f search function to locate proprietary data on John Smith’s computer.

Figure 9: Image of John Smith’s documents folder holding the proprietary content along with pictures of various luxury items and an article on opening an off-shore bank account in the Cayman Islands.
Figure 10: Evidence of John Smith possessing company proprietary data.

After discovering the proprietary information on John’s computer, I began going over the rest of his files. Alongside the proprietary document were several other concerning files, including images of luxury items such as cars and houses, an image of a suitcase full of cash, and an article describing how to open an off-shore bank account in the Cayman Islands. The names of the images were also concerning. For instance, the image of the luxury car was titled “next car.jpg” and the image depicting the suitcase full of money was titled “Payday.jpg”. The images, as well as screen captures of the articles, have been included in this report.
Figure 13: Image of contact information for a luxury real estate company.

Figure 14: Image of article with information about opening an off-shore bank account in the Cayman Islands.
II. Incident Explanation

In the incident report, a research engineer employed by the Oil Company, John Smith, illegally exfiltrated proprietary company information for personal financial gain by distributing the information to rival organizations. The analysis that was done has made it evident that John Smith did access and store company proprietary information on his personal computer. The other documents on his computer show that his intention was to sell the information to the company’s competitors for his own personal financial gain. Some of the documents on his hard drive that exhibit his intentions include several pictures of luxury items such as cars and houses, and an informative article explaining how to open an overseas bank account in the Cayman Islands. According to my analysis of John Smith’s hard drive, below is a detailed list of my findings:
Figure 16: Continuing log file, setting preferences for the case, mounting the disk image with the preferences set while creating the case. E3 begins sorting the data.
Figure 17: Continuing the report, after the content analysis is completed, I query the sorted files with the expression “proprietary”. The search engine begins looking for any matches.
Figure 18: Continuing the report, the log begins to list all filesystem evidence that I chose to be added to the case file.
Figure 19: Continuing the report, after collecting all the evidence for the case, I create a simple RTF report using E3’s reporting feature.
Figure 20: The report is finished with the last item in the evidence list being “STRAIT LANE.pdf” containing the contact information for luxury housing.

Note from the uploader: Word of advice for anyone that does a thorough job with the assignment, but gets it sent back to you for revision. Upload a separate copy of the E3 generated report. I had my assignment sent back 4 times because they didn’t tell me explicitly that the report needed to be separate, which is why screenshots of the report are included in this document. Good luck!