Incident Response and Computer Network Forensics

07/19/2021

I found the CSOL 590 course content very compelling in helping me understand the importance of planning for and responding to incidents, while using forensics to illuminate attack mechanisms and to support the prosecution or termination of those who violate laws or security policies. While researching incident response for nuclear power situations, I found great comfort in the Department of Energy (DOE) commitment to protecting our nation's energy by forming the Integrated Joint Cybersecurity Coordination Center (iJC3). The iJC3 provides 24/7 situational awareness of evolving cybersecurity threats, operational status, and associated risks to DOE Mission Essential Functions. It gives nuclear energy companies such as NuScale, together with DOE, timely and accurate cybersecurity situational awareness and incident response for the security of nuclear materials and the protection of people and the environment. The mission of the DOE (2020) clearly reflects this sentiment: "The mission of the Energy Department is to ensure America's security and prosperity by addressing its energy, environmental and nuclear challenges through transformative science and technology solutions."
A cyber security professional must consider many ethical and professional duties surrounding incident response (IR) and forensic evaluation, especially in relation to nuclear security. Foremost is the duty to be trustworthy, as trust is the basis of any IR team. IR and forensic teams must practice coordinated vulnerability disclosure, cooperating with stakeholders to remediate the vulnerability and minimize the harm associated with disclosure. Key ethical and professional behaviors when working in the nuclear sector are adhering to the confidentiality policy, knowing your authorizations and areas of responsibility, and acknowledging the many IR communications in a timely manner, including confirming receipt of a request.

M57.biz Computer Forensic Examination Report
Background

M57.biz is a hip web start-up developing a body art catalog. It has $3M in seed funding and is now closing a $10M round; it has 2 founder/owners and hired 10 employees in its first year.
Current staff
• President: Alison Smith
• CFO: Jean
• Programmers: Bob, Carole, David, Emmy
• Marketing: Gina, Harris
• BizDev: Indy
A few weeks after inception, a confidential spreadsheet containing the names and salaries of the company's key employees was found posted to the "comments" section of one of the firm's competitors' websites. The spreadsheet existed only on the laptop of M57's Chief Financial Officer (CFO), Jean.
Jean says that she has no idea how the data left her laptop and that she must have been hacked. As investigator I was given a disk image of Jean's laptop. My job is to figure out how the data was stolen, or whether Jean isn't as innocent as she claims. To conduct an effective and efficient investigation, I used the Forensic Toolkit Imager software (FTK Imager) to recover Jean's files and emails. Jean had already been questioned about the data leakage and denied any involvement; however, to follow the complete procedure, she was interviewed again.
Interview questions:

  • Who else uses your computer besides you (e.g. family)?
  • Do you use this computer for corporate work, for personal use, or both?
  • How often do you change your password?

Search and seizure and transport of evidence
A request was filed with the legal authorities to give the investigator access to her devices. A warrant was issued for the search and seizure of the device so that it could be analyzed and serve as digital evidence to convict or exonerate her. Upon seizure of the hard disk, the acquired material was carefully packaged and a chain of custody was established to ensure the integrity of the evidence.
Exhibit submitted for analysis: Jean's hard disk

Verification hashes of Jean's disk image:
  • MD5: 78a52b5bac78f4e711607707ac0e3f93
  • SHA1: Ba7dc57e08bb6e3393aee15c713ae04feadcd181
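As an added example (not part of the original report), the following Python verifies an acquired image against the hashes recorded on the evidence form: it reads the file once in chunks, computes every digest in that single pass, and compares case-insensitively (the SHA1 above is recorded with a capital B). The image bytes in the demo are a constructed stand-in. One caveat a practitioner should keep in mind: the hashes recorded at acquisition are of the acquired data, not of the .E01 container file, so for nps-2008-jean.E01 verify with FTK Imager's Verify Drive/Image or libewf's ewfverify, or export the image to raw first and hash that.

```python
"""Verify an acquired disk image against the hashes recorded at seizure.

Added example, not part of the original report. RECORDED_ON_PAGE holds the
MD5/SHA1 values from the evidence form above; the demo hashes a constructed
stand-in file because the real image is not available offline.
"""
import hashlib
import tempfile
from pathlib import Path

RECORDED_ON_PAGE = {
    "md5": "78a52b5bac78f4e711607707ac0e3f93",
    "sha1": "Ba7dc57e08bb6e3393aee15c713ae04feadcd181",  # mixed case, as recorded
}


def hash_file(path, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Compute every requested digest in a single streaming pass, so a
    multi-gigabyte image is read once and never loaded into memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded):
    """Compare each recorded hex digest (case-insensitively) with the file.
    Returns (all_match, {algorithm: (recorded, computed, match)})."""
    computed = hash_file(path, tuple(recorded))
    report = {}
    for name, expected in recorded.items():
        expected = expected.strip().lower()
        report[name] = (expected, computed[name], expected == computed[name])
    return all(match for _, _, match in report.values()), report


def demo():
    """Constructed demonstration: the pristine copy matches the recorded
    hashes; a copy with a single bit flipped does not."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine = Path(tmp) / "jean-standin.raw"   # stand-in, not the real image
        pristine.write_bytes(bytes(range(256)) * 4096)
        recorded = hash_file(pristine)               # what the seizure form would carry
        recorded["sha1"] = recorded["sha1"].upper()  # forms often hold mixed-case hex
        altered = Path(tmp) / "jean-standin-altered.raw"
        data = bytearray(pristine.read_bytes())
        data[100] ^= 0x01                            # one flipped bit breaks both digests
        altered.write_bytes(bytes(data))
        pristine_ok, _ = verify_image(pristine, recorded)
        altered_ok, altered_report = verify_image(altered, recorded)
        return {"pristine_ok": pristine_ok, "altered_ok": altered_ok,
                "altered_report": altered_report}


if __name__ == "__main__":
    print(demo())
    # For the real exhibit, after exporting the E01 to a raw image:
    # print(verify_image("nps-2008-jean.raw", RECORDED_ON_PAGE))
```

Record the computed values next to the recorded ones in the chain-of-custody log each time the image changes hands; a mismatch in either digest means the copy cannot be used as evidence until the discrepancy is explained.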

Evidence to Search for
Based on the nature of the case and the allegations made against the accused (CFO Jean), the analysis of the obtained evidence will search for data of probative value in these areas: (A) the browsing data; (B) the email conversations, especially between Jean and Alison; (C) files deleted from the laptop and the AOL chat history; (D) the timeline of the emails and the information in the email envelope headers.
Legal Issues (if any)
During this investigation Jean was very cooperative and had no issue providing the laptop. Had she refused to give access, there would have been legal implications, and if necessary the investigator would have had to use various tools to crack passwords and decrypt the data.

Examination Details
Data collection is the first step in the examination process.

  • What's available?
    • A copy of Jean's computer's hard drive
    • A copy of the spreadsheet with the names and salaries of the company's employees
  • Note: the image of Jean's (CFO) laptop is available as:
    • nps-2008-jean.E01 (EnCase format)
  • Software and hardware required for data collection and analysis
    • Hardware: laptop (Mac) with VirtualBox + extension pack
    • Windows 10 image
    • Internet connectivity
  • I installed a couple of tools on the Windows 10 image running in VirtualBox:
    • FTK Imager version 4.1.1.1
    • Autopsy 4.7.0
My goal was to recover the Outlook "PST" file, which would give me the details of the email conversation between Alison and Jean.

FTK Imager and Evidence Item:
As soon as I added the image of Jean's disk as an evidence item, I was able to locate the spreadsheet file (M57biz.xls). It was in the Desktop directory, with a creation date of 20/07/2008.

How did the spreadsheet get to the competitor's forum?
Email is one of the most common threat vectors, so we looked there first. We located Outlook's "PST" file within Jean's profile, exported it for further analysis, and were then able to view her email conversations with other staff, including the president, Alison. We concluded that Jean was phished for the spreadsheet: the user tuckgorge@gmail.com spoofed Alison to get Jean to email the list.
The email below is the evidence: Jean unintentionally sent the spreadsheet to a sender whose From address appeared correct (Alison's) but whose reply address (the mailto: target in Outlook) was the attacker's Gmail address. Spoofing of this kind typically works by forging the From: header and setting a Reply-To: header to the attacker's mailbox, so the mail client shows the expected sender while addressing any reply to the attacker; the check is therefore to compare the address a reply is actually addressed to with the address displayed in From:.
Email sent to the attacker with the attachment (check the mailto: address)

Acknowledgement from the attacker

Initial conversation (persuading her to send the information)

Email Message Tracking

Email tracking identifies where the email originated and what route it followed to reach Jean's mailbox. Each mail transfer agent (MTA) prepends its own Received: line, so reading the headers from the bottom up gives the path from origin to destination. The headers give the IP address of each MTA and show that the message came in from Google's Gmail rather than from the M57.biz mail server.
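The following added example (not code from the original report) reconstructs that route from the Received: headers and checks where a reply would actually go. The message is a constructed stand-in: the From:/Reply-To: pattern and the gmail.com and m57.biz domains match the case, but every other hostname, the IP addresses (RFC 5737 documentation ranges) and the message IDs are invented.

```python
"""Reconstruct the route and reply path of a suspicious message from its headers.

Added example, not part of the original report. SAMPLE_EML is a constructed
stand-in for the phishing email described above (same pattern: From: shows the
president's address, Reply-To: points at a Gmail mailbox, and the Received:
chain enters m57.biz from Google). Hostnames other than m57.biz/gmail.com,
the IP addresses (RFC 5737 ranges) and all IDs are made up.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

SAMPLE_EML = b"""Received: from mail-xx.google.com (mail-xx.google.com [203.0.113.45]) by mail.m57.biz (Postfix) with ESMTP id 4F1C2A; Sun, 20 Jul 2008 19:22:11 -0700
Received: by mail-xx.google.com with SMTP id q5so12345; Sun, 20 Jul 2008 19:22:10 -0700 (PDT)
Received: from [198.51.100.23] by mx.google.com with ESMTPS id k8sm9876; Sun, 20 Jul 2008 19:22:09 -0700 (PDT)
Message-ID: <constructed-0001@mail.gmail.com>
From: Alison Smith <alison@m57.biz>
Reply-To: <tuckgorge@gmail.com>
To: Jean <jean@m57.biz>
Subject: salary spreadsheet
Date: Sun, 20 Jul 2008 19:22:09 -0700

Jean, please send me the current salary spreadsheet right away.
"""

# "from <host> (<reverse-dns> [<ip>]) by <host>" is the RFC 5321 trace shape; the
# "from" clause is absent on hops a server records for its own submission path.
RECEIVED_RE = re.compile(
    r"(?:\bfrom\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+)?\bby\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_message(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def trace_route(msg):
    """Return hops origin-first. Each MTA prepends its Received: line, so the
    header order in the message is newest-first and must be reversed."""
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        text = " ".join(str(value).split())  # collapse folded whitespace
        m = RECEIVED_RE.search(text)
        if not m:
            continue
        ip = IP_RE.search(m.group(0))
        hops.append({
            "from": (m.group("from") or "").strip("[]"),
            "by": m.group("by").rstrip(";,"),
            "ip": ip.group(1) if ip else None,
        })
    return hops


def entry_point(hops, our_domain):
    """The external host that handed the message to our first MTA."""
    for hop in hops:
        if hop["by"].endswith(our_domain) and not hop["from"].endswith(our_domain):
            return hop["from"]
    return None


def analyze(raw, our_domain="m57.biz"):
    msg = parse_message(raw)
    hops = trace_route(msg)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    # A reply is addressed to Reply-To when present: that is where the victim's mail went.
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1] or from_addr
    return {
        "from": from_addr,
        "replies_go_to": reply_addr,
        "reply_domain_mismatch": domain_of(from_addr) != domain_of(reply_addr),
        "origin_ip": next((h["ip"] for h in hops if h["ip"]), None),
        "entered_via": entry_point(hops, our_domain),
        "hops": hops,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EML)
    for hop in result["hops"]:
        print(f"{hop['from'] or '(submission)':24} -> {hop['by']:20} ip={hop['ip']}")
    print("From:", result["from"], "| replies go to:", result["replies_go_to"])
    print("Reply-To domain differs from From:", result["reply_domain_mismatch"])
    print("Entered our mail system via:", result["entered_via"])
```

Only the Received: line added by your own MTA (here, the one with "by mail.m57.biz") is trustworthy; everything below it was written by servers the attacker may control and can be forged, so treat the earlier hops as leads, not proof.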
Anyone else affected?
No one else from the company was directly involved. The evidence shows a targeted spear phishing attack, which implies that Jean was the only intended target, with Alison's identity used as the lure.

Result and Analysis

  • Jean (CFO) was innocent; she did not act intentionally, but was a victim of spear phishing.
  • She was deceived by the sender's address and thought it was Alison.
  • I looked at the complete trail of her email conversation with Alison and could not find anything intentional.
  • My recommendation is to install an "Email Security Gateway" at the company (M57.biz) to block phishing, spam, malware, etc.
  • My request to the court: please clear Jean of any charges related to this case.
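As an added example (not part of the original report), this shows what the recommended email security gateway would do with DMARC in place. The DMARC record for m57.biz is hypothetical, the SPF and DKIM results are assumed inputs (a real gateway computes them itself), and both scenarios are constructed to match the case. The point it demonstrates is that SPF or DKIM passing is not enough on its own: the authenticated domain must align with the visible From: domain, which is exactly what a Gmail-sent message with a forged m57.biz From: cannot satisfy.

```python
"""Evaluate a message the way a DMARC-aware email gateway would.

Added example, not part of the original report. The DMARC record for m57.biz
is hypothetical, the SPF and DKIM results are assumed inputs (a real gateway
computes them itself), and both scenarios are constructed to match the case.
"""
from email.utils import parseaddr

# Hypothetical record m57.biz would publish as a TXT record at _dmarc.m57.biz.
M57_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@m57.biz; adkim=r; aspf=r"


def parse_dmarc_record(txt):
    """Split the 'tag=value; tag=value' record (RFC 7489 section 6.3) into a dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def organizational_domain(domain):
    # Simplification: the last two labels. Real gateways use the Public Suffix
    # List so that names like example.co.uk are reduced correctly.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') requires an exact match, relaxed ('r')
    the same organizational domain."""
    if not header_domain or not auth_domain:
        return False
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return organizational_domain(header_domain) == organizational_domain(auth_domain)


def dmarc_evaluate(record, rfc5322_from, mail_from, spf_result, dkim_domain, dkim_result):
    """DMARC passes only if SPF or DKIM passes AND that identifier aligns with
    the visible From: domain. A passing SPF/DKIM for gmail.com therefore does
    nothing for a message whose From: claims m57.biz."""
    tags = parse_dmarc_record(record)
    from_domain = domain_of(rfc5322_from)
    spf_aligned = spf_result == "pass" and aligned(from_domain, domain_of(mail_from), tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain or "", tags.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned
    policy = tags.get("p", "none")  # none = monitor only, quarantine, or reject
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "disposition": "deliver" if passed or policy == "none" else policy,
    }


# Scenario 1 (constructed): the phishing message. Sent through Gmail, so SPF and
# DKIM both pass for gmail.com, but the From: header claims alison@m57.biz.
SPOOFED = dict(rfc5322_from="Alison Smith <alison@m57.biz>", mail_from="tuckgorge@gmail.com",
               spf_result="pass", dkim_domain="gmail.com", dkim_result="pass")

# Scenario 2 (constructed): genuine mail from Alison through the company server.
GENUINE = dict(rfc5322_from="Alison Smith <alison@m57.biz>", mail_from="alison@m57.biz",
               spf_result="pass", dkim_domain="m57.biz", dkim_result="pass")

if __name__ == "__main__":
    for name, scenario in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, dmarc_evaluate(M57_DMARC, **scenario))
```

Note that a policy of p=none only produces reports and still delivers the spoofed message; the gateway only blocks it once m57.biz publishes p=quarantine or p=reject, and a genuine message that was forwarded (SPF fails at the forwarder) still passes on its aligned DKIM signature.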
Additionally, I recommend further investigation following the trail of the email through the email gateway to reach the culprit. DMARC, SPF and DKIM should be compulsory for every organization to prevent such attacks.

References
FTK Imager: https://accessdata.com/product-download
Autopsy: https://www.sleuthkit.org/autopsy/
Case detail (M57.biz): https://downloads.digitalcorpora.org/corpora/drives/nps-2008-m57-jean/M57-Jean.ppt
Free Windows password recovery tools: https://www.lifewire.com/free-windows-password-recovery-tools-2626179
Reflection
This examination report was a very interesting assignment for me since I work on email security :). The examination we did is referred to as "BEC" or Business Email Compromise. BEC attacks are rising in Europe and perhaps all over the world, with executives as the targets. It was great to do the forensic analysis of a BEC attack; it helped me understand, professionally and ethically, how a typical business email compromise impacts an organization. During this course I learned a lot about incident response. All organizations must have an incident response plan that includes incident detection in addition to a response. We live in a disruptive digital era. Establishing an effective security strategy results in an effective response to unexpected but inevitable contingencies. Corporations must mandate and assemble a rapid response team to handle security incidents. It can be composed of a single person or a group of properly trained people within the organization. That team is responsible for monitoring, incident handling and reporting when a security breach is identified or an attack has been detected.
Ranjan Kunwar - Capstone
All rights reserved 2021