Data Leakage Case

The purpose of this work is to learn the various types of data leakage and to practice the techniques for investigating them.

Scenario Overview

‘Iaman Informant’ was working as a manager of the technology development division at a famous international company, OOO, that developed state-of-the-art technologies and gadgets. One day, at a place which ‘Mr. Informant’ visited on business, he received an offer from ‘Spy Conspirator’ to leak sensitive information related to the newest technology. ‘Mr. Conspirator’ was actually an employee of a rival company; ‘Mr. Informant’ decided to accept the offer for a large amount of money and began establishing a detailed leakage plan.

‘Mr. Informant’ made a deliberate effort to hide the leakage plan. He discussed it with ‘Mr. Conspirator’ using an e-mail service, as if it were a business relationship. He also sent samples of confidential information through personal cloud storage. After receiving the sample data, ‘Mr. Conspirator’ asked for the direct delivery of storage devices holding the remaining (large amounts of) data. Eventually, ‘Mr. Informant’ tried to take his storage devices out of the company, but he and his devices were detected at the company’s security checkpoint, and he was suspected of leaking company data.

At the security checkpoint, his devices (a USB memory stick and a CD) were briefly checked (protected with portable write blockers) and no evidence of any leakage was found. They were then immediately transferred to the digital forensics laboratory for further analysis.
The information security policies of the company include the following:

– Confidential electronic files should be stored and kept on the authorized external storage devices and the secured network drives.
– Confidential paper documents and electronic files can be accessed only within the allowed time range from 10:00 to 16:00, with the appropriate permissions.
– Non-authorized electronic devices such as laptops, portable storage, and smart devices cannot be brought into the company.
– All employees are required to pass through the ‘Security Checkpoint’ system.
– All storage devices such as HDDs, SSDs, USB memory sticks, and CDs/DVDs are forbidden under the ‘Security Checkpoint’ rules.

In addition, although the company managed separate internal and external networks and used DRM (Digital Rights Management) / DLP (Data Loss Prevention) solutions for its information security, ‘Mr. Informant’ had sufficient authority to bypass them. He was also very interested in IT (Information Technology) and had a slight knowledge of digital forensics.

In this scenario, find any evidence of the data leakage, and any data that might have been generated from the suspect’s electronic devices.

Target Systems and Devices

Personal Computer (PC)
  Type: Virtual System
  CPU: 1 Processor (2 Core)
  RAM: 2,048 MB
  HDD Size: 20 GB
  File System: NTFS
  IP Address: 10.11.11.129
  Operating System: Microsoft Windows 7 Ultimate (SP1)

Removable Media #1 (RM#1)*
  Type: USB removable storage device
  Serial No.: 4C530012450531101593
  Size: 4 GB
  File System: exFAT

Removable Media #2 (RM#2)
  Type: USB removable storage device
  Serial No.: 4C530012550531106501
  Size: 4 GB
  File System: FAT32

Removable Media #3 (RM#3)
  Type: CD-R
  Size: 700 MB
  File System: UDF

* Authorized USB memory stick for managing confidential electronic files of the company.
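The 10:00 to 16:00 access window in the policy is stated in local wall-clock time, while the Windows artifacts an examiner will correlate ($MFT entries, event logs, registry keys) store UTC FILETIME values, so checking an event against the policy means decoding the FILETIME, applying the PC's timezone, and only then comparing. The script below is an added example written for this page; it is not part of the CFReDS case materials. The UTC-5 offset, the event list, the file name and the event descriptions are constructed stand-ins (the USB serial is RM#2's from the table above); the real timezone comes from the PC image's registry.

```python
"""Added example for this page (not part of the CFReDS case materials): convert
Windows FILETIME values from several artifact sources into one timeline in the
PC's local timezone and flag events outside a policy or analysis window."""
from datetime import datetime, time, timedelta, timezone

# Assumption: the real timezone comes from the SYSTEM hive of the PC image;
# a fixed UTC-5 offset is used here only as a stand-in.
LOCAL_TZ = timezone(timedelta(hours=-5))
POLICY_WINDOW = (time(10, 0), time(16, 0))    # policy: confidential access 10:00-16:00
ANALYSIS_WINDOW = (time(9, 0), time(18, 0))   # logon/logoff question: 09:00-18:00

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ft: int) -> datetime:
    """Decode a 64-bit FILETIME into an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic avoids float rounding."""
    micros = (dt.astimezone(timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1)
    return micros * 10


# Constructed events as (artifact source, FILETIME, description). DAY_START is
# 2015-03-23 00:00:00 UTC; the USB serial is RM#2's from the case description.
DAY_START = 130_715_424_000_000_000
SAMPLE_EVENTS = [
    ("Security.evtx", DAY_START + (14 * 3600 + 10 * 60) * TICKS_PER_SECOND,
     "Event 4624: interactive logon by user informant"),
    ("$MFT", DAY_START + (13 * 3600 + 5 * 60) * TICKS_PER_SECOND,
     "Created confidential_plan.docx on Desktop (constructed name)"),
    ("LNK", DAY_START + (16 * 3600 + 40 * 60) * TICKS_PER_SECOND,
     "Opened confidential_plan.docx"),
    ("SYSTEM hive", DAY_START + (21 * 3600 + 30 * 60) * TICKS_PER_SECOND,
     "USB storage 4C530012550531106501 connected"),
    ("sync_log.log", DAY_START + (23 * 3600 + 50 * 60) * TICKS_PER_SECOND,
     "Google Drive upload of confidential_plan.docx"),
]


def build_timeline(events, tz):
    """Decode every FILETIME, attach the local time and sort chronologically."""
    timeline = []
    for source, ft, description in events:
        utc = filetime_to_datetime(ft)
        timeline.append({"source": source, "utc": utc,
                         "local": utc.astimezone(tz), "description": description})
    timeline.sort(key=lambda e: e["utc"])
    return timeline


def outside_window(timeline, start, end):
    """Events whose local wall-clock time is not within [start, end]."""
    return [e for e in timeline if not (start <= e["local"].time() <= end)]


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_EVENTS, LOCAL_TZ)
    for e in tl:
        print(f"{e['local']:%Y-%m-%d %H:%M %Z}  {e['source']:<13} {e['description']}")
    print("Outside policy window:",
          [e["source"] for e in outside_window(tl, *POLICY_WINDOW)])
```

With the constructed data, only the LNK open at 11:40 local falls inside the policy window; the file creation at 08:05, the logon at 09:10, the USB connection at 16:30 and the cloud upload at 18:50 are all outside it, and two of those are also outside the 09:00 to 18:00 range the logon/logoff question asks for. Keeping both the UTC and local values in each record avoids re-deriving them when the timezone finding is revised.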
Acquired Data Information

Personal Computer (PC) – ‘DD’ Image
  Files: pc.7z.001, pc.7z.002, pc.7z.003 (total 5.05 GB compressed by 7zip)
  Imaging S/W: FTK Imager
  Image Format: DD (converted from VMDK)

Removable Media #1 (RM#1) – ‘EnCase’ Image
  File: rm#1.E01 (total 74.5 MB compressed by EnCase)
  Imaging S/W: FTK Imager (write-blocked by Tableau USB Bridge T8-R2)
  Image Format: E01 (Expert Witness Compression Format)
  * The RM#1 is not required to

Removable Media #2 (RM#2) – ‘DD’ Image
  File: rm#2.7z (total 219 MB compressed by 7zip)
  Imaging S/W: FTK Imager (write-blocked by Tableau USB Bridge T8-R2)
  Image Format: DD

Removable Media #3 (RM#3) – ‘DD’ Image
  File: rm#3-type2.7z (total 78.6 MB compressed by 7zip)
  Imaging S/W: FTK Imager + bchunk
  Image Format: DD (converted from ‘RAW ISO + CUE’)

Additional Data Information

Seed Files
  Download Links: seed-files.7z (total 150 MB compressed by 7zip) – hash
  File Information:
    – Seed files stored in RM#1 and a shared network drive
    – Base files for creating seed files were randomly selected from Govdocs1
    – The first page of each seed file was manually added
    – Seed file list and hash values

Digital Forensic Practice Points

The following is a summary of the detailed practice points related to the above images.
Understanding Types of Data Leakage
  – Storage devices
      > HDD (Hard Disk Drive), SSD (Solid State Drive)
      > USB flash drive, Flash memory cards
      > CD/DVD (with Optical Disk Drive)
  – Network Transmission
      > File sharing, Remote Desktop Connection
      > E-mail, SNS (Social Network Service)
      > Cloud services, Messenger

Windows Forensics
  – Windows event logs
  – Opened files and directories
  – Application (executable) usage history
  – CD/DVD burning records
  – External devices attached to PC
  – Network drive connection traces
  – System Caches
  – Windows Search databases
  – Volume Shadow Copy

File System Forensics
  – FAT, NTFS, UDF
  – Metadata (NTFS MFT, FAT Directory entry)
  – Timestamps
  – Transaction logs (NTFS)

Web Browser Forensics
  – History, Cache, Cookie
  – Internet usage history (URLs, Search Keywords…)

E-mail Forensics
  – MS Outlook file examination
  – E-mails and attachments

Database Forensics
  – MS Extensible Storage Engine (ESE) Database
  – SQLite Database

Deleted Data Recovery
  – Metadata based recovery
  – Signature & Content based recovery (aka Carving)
  – Recycle Bin of Windows
  – Unused area examination

User Behavior Analysis
  – Constructing a forensic timeline of events
  – Visualizing the timeline

Questions

– What are the hash values (MD5 & SHA-1) of all images? Does the acquisition and verification hash value match?
– Identify the partition information of the PC image.
– Explain the installed OS information in detail. (OS name, install date, registered owner…)
– What is the timezone setting?
– What is the computer name?
– List all accounts in the OS except the system accounts: Administrator, Guest, systemprofile, LocalService, NetworkService. (Account name, login count, last logon date…)
– Who was the last user to log on to the PC?
– When was the last recorded shutdown date/time?
– Explain the information of the network interface(s) with an IP address assigned by DHCP.
– What applications were installed by the suspect after installing the OS?
– List application execution logs. (Executable path, execution time, execution count…)
– List all traces about the system on/off and the user logon/logoff. (It should be considered only during a time range between 09:00 and 18:00 in the timezone from Question 4.)
– What web browsers were used?
– Identify directory/file paths related to the web browser history.
– What websites was the suspect accessing? (Timestamp, URL…)
– List all search keywords using web browsers. (Timestamp, URL, keyword…)
– List all user keywords at the search bar in Windows Explorer. (Timestamp, Keyword)
– What application was used for e-mail communication?
– Where is the e-mail file located?
– What was the e-mail account used by the suspect?
– List all e-mails of the suspect. If possible, identify deleted e-mails. (You can identify the following items: Timestamp, From, To, Subject, Body, and Attachment) [Hint: just examine the OST file only.]
– List external storage devices attached to the PC.
– Identify all traces related to ‘renaming’ of files in Windows Desktop. (It should be considered only during a date range between 2015-03-23 and 2015-03-24.) [Hint: the parent directories of the renamed files were deleted and their MFT entries were also overwritten. Therefore, you may not be able to find their full paths.]
– What is the IP address of the company’s shared network drive?
– List all directories that were traversed in ‘RM#2’.
– List all files that were opened in ‘RM#2’.
– List all directories that were traversed in the company’s network drive.
– List all files that were opened in the company’s network drive.
– Find traces related to cloud services on the PC. (Service name, log files…)
– What files were deleted from Google Drive? Find the filename and modified timestamp of the file. [Hint: Find a transaction log file of Google Drive.]
– Identify account information for synchronizing Google Drive.
– What method (or software) was used for burning the CD-R?
– When did the suspect burn the CD-R? [Hint: It may be one or more times.]
– What files were copied from the PC to the CD-R? [Hint: Just use the PC image only. You can examine transaction logs of the file system for this task.]
– What files were opened from the CD-R?
– Identify all timestamps related to a resignation file in Windows Desktop. [Hint: the resignation file is a DOCX file in the NTFS file system.]
– How and when did the suspect print the resignation file?
– Where are ‘Thumbcache’ files located?
– Identify traces related to confidential files stored in Thumbcache. (Include ‘256’ only)
– Where are Sticky Note files located?
– Identify notes stored in the Sticky Note file.
– Was the ‘Windows Search and Indexing’ function enabled? How can you identify it?
– If it was enabled, what is the file path of the ‘Windows Search’ index database?
– What kinds of data were stored in the Windows Search database?
– Find traces of Internet Explorer usage stored in the Windows Search database. (It should be considered only during a date range between 2015-03-22 and 2015-03-23.)
– List the e-mail communication stored in the Windows Search database. (It should be considered only during a date range between 2015-03-23 and 2015-03-24.)
– List files and directories related to Windows Desktop stored in the Windows Search database. (Windows Desktop directory: Users\informant\Desktop)
– Where are Volume Shadow Copies stored? When were they created?
– Find traces related to the Google Drive service in Volume Shadow Copy.
– What are the differences between the current system image (of Question 29 ~ 31) and its VSC?
– What files were deleted from Google Drive? Find deleted records of the cloud_entry table inside snapshot.db from the VSC. (Just examine the SQLite database only. Let us suppose that a text-based log file was wiped.) [Hint: the DDL of the cloud_entry table is as follows.]

        CREATE TABLE cloud_entry
        (doc_id TEXT, filename TEXT, modified INTEGER, created INTEGER, acl_role INTEGER,
        doc_type INTEGER, removed INTEGER, size INTEGER, checksum TEXT, shared INTEGER,
        resource_type TEXT, PRIMARY KEY (doc_id));

– Why can’t we find Outlook’s e-mail data in Volume Shadow Copy?
– Examine ‘Recycle Bin’ data in the PC.
– What actions were performed for anti-forensics on the PC on the last day, ‘2015-03-25’?
– Recover deleted files from USB drive ‘RM#2’.
– What actions were performed for anti-forensics on USB drive ‘RM#2’? [Hint: this can be inferred from the results of Question 53.]
– What files were copied from the PC to USB drive ‘RM#2’?
– Recover hidden files from the CD-R ‘RM#3’. How can the proper filenames of the original files, prior to the renaming tasks, be determined?
– What actions were performed for anti-forensics on CD-R ‘RM#3’?
– Create a detailed timeline of data leakage processes.
– List and explain the methodologies of data leakage performed by the suspect.
– Create a visual diagram for a summary of results.

