Csol 590 Final Paper
Michael Keller
Abstract
This paper covers a simulated forensic analysis case provided by the University of
San Diego. In addition to the analysis, it addresses the background of the case, which
involves a small start-up business and the improper disclosure of Personally Identifiable
Information. It also provides key information on legal concerns that may be
considered during this investigation or in a court of law. Several key data protection and
privacy laws are identified as potentially relevant. The forensic analysis process is then
discussed, along with the findings of the case. These findings are used to provide a
recommendation to the court of law regarding the innocence of the suspected perpetrator.
Table of Contents
Background
Legal Considerations
Analysis
Results
Recommendations
COMPUTER FORENSIC EXAMINATION REPORT 4
Background
This investigation involves a small start-up company, M57.biz, which ultimately saw the
disclosure of Personally Identifiable Information, or PII, of its employees. This case involves a
specific exchange between company President Alison Smith and Chief Financial Officer Jean
Jones. Initial interviews revealed that Jean Jones, by request of Alison Smith, was to produce a
document listing all employees of M57.biz, their positions, salary, and Social Security Number.
The discrepancy in this case is that Alison Smith denies ever asking for such a document to
be created and sent to her while Jean Jones admits to performing the task at the direction of
Alison Smith. As a result, a copy of the document containing this sensitive data was stolen and
made public. This investigation was conducted to determine whether or not Jean Jones
intentionally disclosed sensitive information or was subjected to some form of foul play.
Legal Considerations
Data protection and privacy have been extremely sensitive and major issues in the United
States. Several federal laws are aimed at protecting people’s privacy and their information.
Some laws that could be factored into this case include the following:
Privacy Act of 1974: This law governs the collection, maintenance, use, and
dissemination of information. Although this directly applies to federal agencies, this law
has seen ratifications updating the law and can be applied to practically any organization
Electronic Communications Privacy Act: This law has seen several changes since its
inception in 1986. Ultimately, this law protects against illegal interception of a wire,
Computer Fraud and Abuse Act: This law is a federal anti-hacking law aimed at
Various other data protection laws exist that could also be considered. Additional factors
that could be considered from a legal standpoint include M57.biz’s own policies, such as existing
policies, non-disclosure policies, and any relevant rules or regulations internal to the business
related to data protection and PII disclosure. Under M57.biz’s Acceptable Use Policy,
procurement of a disk image of the source drive is permitted due to the express written consent
to monitoring by all staff members of the organization, inclusive of Jean Jones, and no reasonable
A genuine disk image of Jean Jones’ computer was provided to the forensics investigation
team courtesy of the University of San Diego. In addition to the disk image, both an
MD5 and a SHA-1 hash of the disk image were received and verified against the hashes of the
provided disk image, establishing the copy as a genuine and true copy of the original disk. MD5
MD5: 78a52b5bac78f4e711607707ac0ef93
SHA-1: ba7dc57e08bb6e3393aee15c713ae04feadcd181
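The verification step described above can be scripted. The following is an added example, not part of the original report or of the tools it used: it streams an image once, computes both digests, and compares them with the recorded values, rejecting any recorded value that is not a well-formed digest. The function names and the small temporary file standing in for a disk image are assumptions made for illustration.

```python
import hashlib
import os
import re
import tempfile

# Expected hex length per algorithm (MD5 = 128 bits, SHA-1 = 160 bits).
HEX_LEN = {"md5": 32, "sha1": 40}

def digest_well_formed(algo, value):
    """True if value is a hex string of the right length for algo."""
    return re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LEN[algo], value.strip()) is not None

def hash_image(path, chunk_size=1 << 20):
    """Stream the image once and compute both digests without loading it into memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def verify_image(path, recorded):
    """Compare computed digests with the recorded ones; return a status per algorithm."""
    computed = hash_image(path)
    status = {}
    for algo, value in recorded.items():
        if not digest_well_formed(algo, value):
            status[algo] = "malformed recorded value"
        elif computed[algo] == value.strip().lower():
            status[algo] = "match"
        else:
            status[algo] = "MISMATCH"
    return status

def demo():
    # Constructed stand-in for a disk image (a few bytes, not real evidence).
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed sample image bytes")
    good = hash_image(tmp.name)
    truncated = dict(good, md5=good["md5"][:-1])  # recorded value missing one character
    results = verify_image(tmp.name, good), verify_image(tmp.name, truncated)
    os.unlink(tmp.name)
    return results

if __name__ == "__main__":
    print(demo())
```

Applied to the two values printed above, `digest_well_formed` accepts the SHA-1 string and rejects the MD5 string, which has 31 hexadecimal characters where MD5 produces 32.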
Two forensic analysis programs were used in this examination. FTK Imager and Autopsy were
used, with Autopsy being the primary choice of software for analysis. Autopsy was chosen as
the primary tool due to its ability to access drive data, unallocated space, and deleted files in addition
to providing user-friendly functionality which included identifying data by type and source,
Analysis
Forensic analysis of the drive covered all files, programs, and unallocated
memory present on the image as a result of the deletion of files. Unallocated memory
analysis did not reveal any files of significance. Programs that were installed on the host system
were determined to be authentic and true, and no indications of malware were present.
File analysis determined an approximate timeline of events. Emails exchanged between Jean
Jones and Alison Smith were analyzed and a timeline of approximately July 6, 2008 to July 21,
2008 is indicated.
Investigation of this email exchange showed a distinct change in the Alison Smith
email address with which Jean Jones was communicating. The images below display the
first email address change, which appears to be legitimate but really is not. When Alison Smith’s
email address again changes, the specific message requesting the document is seen in addition to
Results
The forensic analysis of Jean Jones’ computer disk image presented four key points. These
points are:
1. Jean Jones’ computer was not running any variation of malware. All installed programs
2. Analysis of files did not reveal any pertinent information indicating that Jean Jones was
3. Analysis of unallocated space (space left by deleted files and tagged for rewriting with
new data) did not reveal any data of significance, or the data could not be recovered.
4. Email header evaluations revealed that Jean Jones was likely complying with the request
of a user appearing to be Alison Smith. Email header analysis discovered the host
address and routing of emails did not originate from the M57.biz domain while the
request for PII was being made. The user appeared to be legitimate, as the presented
name and email address from which Jean received emails from “Alison” were in line with
Recommendations
With these points taken into consideration, it is the recommendation of this investigation that
Jean Jones did not release the PII knowingly or with malicious intent and performed her duties
within the scope of her job. Forensic analysis concludes that Jean Jones’ computer and drive
were not the source of this breach of confidentiality, which was likely the result of a malicious
attacker spoofing email headers to impersonate a legitimate user of the M57.biz domain.
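The header comparison behind result 4 and the recommendation above can be expressed as a repeatable check. This is an added example, not part of the original report or the case evidence: it parses a message that claims an M57.biz sender and lists the headers that point outside the domain. The sample message, its addresses, hosts, IP addresses and date are constructed for illustration, and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "m57.biz"  # organisation domain named in the report

# Constructed message: addresses, hosts, IPs and date are illustrative only.
SAMPLE = """\
Return-Path: <bounce@mail.example.net>
Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby mx.m57.biz with ESMTP; Sun, 20 Jul 2008 10:00:00 -0700
Received: from webhost.example.net (webhost.example.net [198.51.100.23])
\tby relay.example.net with ESMTP; Sun, 20 Jul 2008 09:59:58 -0700
From: Alison Smith <alison@m57.biz>
Reply-To: alison.m57@example.net
To: jean@m57.biz
Subject: constructed sample

body
"""

def domain_of(value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def in_org(host):
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

def hop_hosts(msg):
    """Hosts claimed in 'Received: from <host>', oldest hop first (relays prepend)."""
    found = (re.match(r"\s*from\s+(\S+)", h) for h in msg.get_all("Received", []))
    return [m.group(1).lower() for m in found if m][::-1]

def spoof_indicators(raw):
    """Reasons a message claiming an internal sender looks externally sourced."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    if not in_org(from_dom):
        return []  # sender does not claim to be internal; out of scope here
    findings = []
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(name))
        if dom and not in_org(dom):
            findings.append(f"{name} domain {dom} is outside {ORG_DOMAIN}")
    hosts = hop_hosts(msg)
    # Hops added before the first trusted relay are sender-controlled: a lead, not proof.
    if hosts and not in_org(hosts[0]):
        findings.append(f"oldest hop {hosts[0]} is outside {ORG_DOMAIN}")
    return findings
```

Calling `spoof_indicators(SAMPLE)` returns three findings for the constructed message; a message whose reply, bounce and first-hop hosts all sit under the organisation's domain returns an empty list.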
References
Electronic Frontier Foundation. Computer Fraud and Abuse Act Reform. Retrieved from
https://www.eff.org/issues/cfaa
Electronic Privacy Information Center. (n.d.). Electronic Communications Privacy Act (ECPA).
United States Department of Justice. (n.d.). Privacy Act of 1974. Retrieved from
https://www.justice.gov/opcl/privacy-act-1974