COMP6445 - no ghostwriting
Date: 2025-10-29
UNSW COMP6445
Student: z5678whodoweappreciate
Name: John Citizen
m57biz Forensic
Investigation
/r/masterhacker
Contents
Preliminaries .......................................... 1
Case Summary ........................................... 1
Declaration ............................................ 2
Assumptions & Limitations .............................. 3
Background ............................................. 4
Forensic Preparation ................................... 5
Questions .............................................. 6
Q1 - [… an employee is defrauding the company] Is there any evidence to support this? ... 6
Conclusion ............................................. 9
Appendix .............................................. 10
0. Seizure to Acquisition Time Discrepancy ............ 10
1. ExifTool analysis of ABCTech Receipts .............. 11
2. Timeline ........................................... 12

Page 1 of 17
Preliminaries
1. I am a digital forensics investigator at Jim's Cyber Forensics Consulting.
2. I have been an intern for 5 weeks.
3. This report made sense to me when I wrote it.
4. Trust me, I am a master hacker because I use Kali.

Case Summary
This report covers the investigation of a fictitious company, m57biz, over the roughly four-week period from
Monday 16th November 2009 to Friday 11th December 2009. Pat McGoo, CEO of m57biz, suspects that an
employee is defrauding the company and has engaged Jim's Cyber Forensics Consulting to investigate this
claim. In this report, disk images of company machines and of removable storage media belonging to
employees are forensically analysed to assess the validity of the claim.
The investigation considers four categories of potential misconduct, falling under either civil or criminal law:
1. Selling company property for personal gain
2. Selling company secrets
3. Blackmail with malicious intent
4. Unauthorised monitoring / surveillance

Declaration
1. I have read and understood the Uniform Civil Procedure Rules 2005 - Schedule 7 - Expert Witness
Code of Conduct and agree to be bound by its terms.
2. My opinions expressed in this report are based wholly or substantially on my specialised knowledge
referred to in this report.
3. I have made all enquiries that I believe are desirable and appropriate, and no matters of significance
which I regard as relevant have, to my knowledge, been withheld from this report.
4. All outcomes drawn during this investigation were obtained solely from the forensic analysis of the
artifacts provided, and are not to be copied or used out of the context of this investigation.
5. Good faith policy or something...?

Assumptions & Limitations
It should be noted that we (Jim's Cyber Forensics Consulting) were not responsible for acquiring the disk
images analysed in this report; we were supplied with the images. Consequently, it is possible that the
acquisition process compromised the integrity of the source. Whilst the authenticity of the received images is
beyond our control, care was taken to preserve their integrity throughout our own handling (see Forensic
Preparation).
Whilst the company machines and removable storage media were physically seized on 11th December 2009,
the images were only acquired in early 2011 (dated 13th January to 20th February; see Appendix 0). Whether
the sources were altered during this delay cannot be confirmed from the images themselves. For the purposes
of this report, the images are assumed to match exactly the contents of the devices at the time of seizure in
2009 and are treated as verified copies acquired through forensically sound processes.
During the investigation, results and tool outputs were cross-checked between different software packages
to establish the soundness of the investigative process. It remains possible that every tool used produced
invalid results or failed to produce a result, but we consider this extremely unlikely.
We adopt the Cambridge Dictionary [1] definition of "defraud":
"to take something illegally from a person, company, etc., or to prevent someone
from having something that is legally theirs by deceiving them"


1 https://dictionary.cambridge.org/dictionary/english/defraud
Background
• This is the computer background

• m57biz is a patent search company, which provides the service of verifying whether a client's idea or
prospective design has already been patented.
• The company started business on Monday 16th November 2009 with 4 employees:
o Pat McGoo - CEO
o Terry Johnson - IT Administrator
o Jo Smith - Patent Researcher
o Charlie Brown - Patent Researcher
• The company is based in California, given the phone number area code prefix of 831.
• It should be noted that in 2009 the approximate cost of hard disk storage was US$0.09/GB [2], and
the approximate cost of flash storage was US$2.26/GB [3].




2 https://jcmit.net/diskprice.htm
3 https://jcmit.net/flashprice.htm

Forensic Preparation
The following disk images were received as part of this investigation and were verified against their
expected MD5 checksums. A checksum is a fixed-length value computed mathematically from the entire
contents of a file; if the checksum computed from a received file matches the reference checksum recorded
for it, the file is taken to be unmodified since the reference was recorded. A mismatch is conclusive
evidence of alteration or corruption, whereas a match gives assurance only as far as the reference value
itself was recorded at acquisition and passed to us through a trustworthy channel. MD5 is no longer
collision resistant, so for any reference values we record ourselves during this investigation a second
digest (SHA-256) is kept alongside it. The values below are taken to be checksums of the .E01 container
files as received; the acquisition hash that an imaging tool stores inside an E01 container describes the raw
contents of the source device and is a different value, so the two are not interchangeable.

Filename                           MD5 Checksum
charlie-2009-12-11.E01             a459f1aa45941ad4fa22d5cb9d35f7fc
charlie-work-usb-2009-12-11.E01    8c23941655b3313f4a31a1a66085be86
pat-2009-12-11.E01                 ccea8df1463b2adc8a9b6c8ab9563675
terry-2009-12-11-002.E01           cf383e86dc37d4d70c9ad1ce987b61be
terry-work-usb-2009-12-11.E01      941997b1b9e7a1217351d483c12dc29b

These verified copies contain a complete dump of the disk or drive, inclusive of all active and deleted
files and of any artifacts found in unused or unallocated space.
Unless otherwise stated, timestamps in this report are given in US Pacific Standard Time (PST), which is
UTC-8.
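The verification step described above, written out as an added example (this is not the report's own tooling): each image is read once in fixed-size chunks, because E01 files are far too large to load whole, the computed MD5 is compared with the reference table, and SHA-256 is recorded alongside as a stronger second digest for the chain of custody. The reference table is copied from the list above; the two small files and the reference values inside `demo()` are constructed stand-ins and not the case images.

```python
import hashlib
import tempfile
from pathlib import Path

# Reference MD5 values as listed in the Forensic Preparation table.
EXPECTED_MD5 = {
    "charlie-2009-12-11.E01": "a459f1aa45941ad4fa22d5cb9d35f7fc",
    "charlie-work-usb-2009-12-11.E01": "8c23941655b3313f4a31a1a66085be86",
    "pat-2009-12-11.E01": "ccea8df1463b2adc8a9b6c8ab9563675",
    "terry-2009-12-11-002.E01": "cf383e86dc37d4d70c9ad1ce987b61be",
    "terry-work-usb-2009-12-11.E01": "941997b1b9e7a1217351d483c12dc29b",
}

CHUNK_SIZE = 4 * 1024 * 1024   # read 4 MiB at a time; images are tens of GB


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for one file, reading it exactly once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_images(directory, expected_md5):
    """Check every expected image under `directory`.

    Returns {filename: {"status": "OK" | "MISMATCH" | "MISSING", "md5": ..., "sha256": ...}}.
    A MISMATCH or MISSING entry means the evidence set is not the one described
    by the reference table and analysis must not proceed on it.
    """
    results = {}
    for name, want in expected_md5.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = {"status": "MISSING"}
            continue
        digests = hash_file(path)
        status = "OK" if digests["md5"].lower() == want.lower() else "MISMATCH"
        results[name] = {"status": status, **digests}
    return results


def demo():
    """Constructed sample: small files standing in for E01 images (not the case data)."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "good.E01").write_bytes(b"abc")
    (tmp / "bad.E01").write_bytes(b"abc")
    expected = {
        "good.E01": "900150983cd24fb0d6963f7d28e17f72",     # MD5("abc")
        "bad.E01": "00000000000000000000000000000000",      # deliberately wrong reference
        "missing.E01": "d41d8cd98f00b204e9800998ecf8427e",  # file never written
    }
    return verify_images(tmp, expected)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{result['status']:8} {name}  {result.get('sha256', '')}")
```

On the real evidence set, call `verify_images(evidence_dir, EXPECTED_MD5)`. This checks the container files as received; the acquisition hash stored inside each E01 is verified separately with the imaging tool's own verify function or libewf's `ewfverify`.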

Questions
Q1 - [… an employee is defrauding the company] Is there any evidence to support this? If so, what is the evidence?
Table 1 - Hard Drive Receipt

Field       Receipt A                              Receipt B
File        ABCTECH_RECEIPT.jpg                    ABCTECH_RECEIPT_pat.jpg
Path        [Inbox] 5815441D-00000027.eml          [Sent Items] 6DF15AF1-00000002.eml
Send/Recv   RECV 19/11/09 11:28:27 (GMT -08:00)    SEND 19/11/09 13:04:10 (GMT -08:00)
MD5         51a72bf38097a5fbd08ecc283e6f9c44       101880370d00ba48a1e0b7b93460a9a9

Analysis of the acquired disks found evidence supporting the claim that an employee is defrauding the
company. As shown in Table 1, Terry's computer image (terry-work-2009-12-11.E01) contained two emails
carrying near-identical copies of a store receipt with a "40GB HDD" line item: Receipt A
(ABCTECH_RECEIPT.jpg), received in the Inbox on 19 November 2009 at 11:28, and Receipt B
(ABCTECH_RECEIPT_pat.jpg), sent from the same mailbox roughly an hour and a half later. Receipt A prices
the drive at US$2.50/GB (US$100 for 40 GB), whilst Receipt B prices it at US$7.50/GB (US$300).
In 2009 the cost of storage was approximately US$0.09/GB for mechanical hard disks and US$2.26/GB for
flash storage. Receipt A is plausible for a small retail drive despite its high cost per gigabyte; Receipt B is
not, at three times the price of Receipt A and more than eighty times the 2009 market price per gigabyte for
mechanical disks. The two images also differ in MD5 checksum and, as the ExifTool comparison in Appendix 1
shows, share identical dimensions (366x270) and the same embedded Apple "Generic RGB Profile" but differ
in chroma subsampling (YCbCr 4:4:4 for Receipt A, 4:2:0 for Receipt B). That pattern is consistent with
Receipt B having been re-saved through an image editor after the price was altered; the subsampling change
establishes re-encoding, and the price difference establishes what was changed.
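The structural comparison of the two receipt images (the MD5 values in Table 1 and the dimensions and chroma subsampling in Appendix 1) can be reproduced without ExifTool by walking the JPEG marker segments directly, because the subsampling ExifTool reports is read from the component sampling factors in the Start Of Frame (SOF) segment. The following script is an added example written for this page; it is not part of the original report or of ExifTool. The two JPEG byte strings it builds are constructed header-only stand-ins (SOI, APP0/JFIF, SOF0, EOI; 366x270; 4:4:4 versus 4:2:0) and not the receipt images from the case.

```python
import hashlib
import struct

# SOFn markers (C4 = DHT, C8 = JPG extension, CC = DAC are not frame headers)
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def jpeg_segments(data):
    """Yield (marker, payload) for each marker segment up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker == 0xD9:                               # EOI
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:     # TEM / RSTn carry no length field
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        yield marker, data[pos + 2:pos + length]
        pos += length
        if marker == 0xDA:                               # SOS: entropy-coded data follows
            return


def parse_sof(payload):
    """Return (precision, height, width, [(component_id, h_factor, v_factor), ...])."""
    precision = payload[0]
    height, width = struct.unpack(">HH", payload[1:5])
    count = payload[5]
    comps = [(payload[6 + 3 * i], payload[7 + 3 * i] >> 4, payload[7 + 3 * i] & 0x0F)
             for i in range(count)]
    return precision, height, width, comps


def subsampling_label(comps):
    """Name the chroma subsampling the way ExifTool prints it, e.g. 'YCbCr4:2:0 (2 2)'."""
    if len(comps) == 1:
        return "Grayscale"
    _, y_h, y_v = comps[0]
    chroma = {(h, v) for _, h, v in comps[1:]}
    names = {(1, 1): "4:4:4", (2, 1): "4:2:2", (2, 2): "4:2:0", (1, 2): "4:4:0", (4, 1): "4:1:1"}
    if chroma == {(1, 1)} and (y_h, y_v) in names:
        return f"YCbCr{names[(y_h, y_v)]} ({y_h} {y_v})"
    return f"custom Y={y_h}x{y_v} chroma={sorted(chroma)}"


def describe_jpeg(data):
    """Collect the structural facts a receipt comparison needs from raw JPEG bytes."""
    info = {"md5": hashlib.md5(data).hexdigest(), "app_segments": []}
    for marker, payload in jpeg_segments(data):
        if 0xE0 <= marker <= 0xEF:                       # APPn: JFIF, Exif, ICC_PROFILE, ...
            ident = payload.split(b"\x00", 1)[0].decode("ascii", "replace")
            info["app_segments"].append(f"APP{marker - 0xE0}:{ident}")
        elif marker in SOF_MARKERS:
            precision, height, width, comps = parse_sof(payload)
            info.update(bits_per_sample=precision, height=height, width=width,
                        components=len(comps), subsampling=subsampling_label(comps))
    return info


def compare(a, b):
    """Return {field: (value_a, value_b)} for every field that differs between two images."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample(y_h, y_v, width=366, height=270):
    """Constructed header-only JPEG (SOI, APP0/JFIF, SOF0, EOI); not a real receipt image."""
    app0 = b"JFIF\x00" + bytes([1, 1, 1]) + struct.pack(">HH", 72, 72) + b"\x00\x00"
    sof0 = bytes([8]) + struct.pack(">HH", height, width) + bytes([3])
    sof0 += bytes([1, (y_h << 4) | y_v, 0, 2, 0x11, 1, 3, 0x11, 1])   # Y then Cb, Cr at 1x1
    return b"\xff\xd8" + _segment(0xE0, app0) + _segment(0xC0, sof0) + b"\xff\xd9"


if __name__ == "__main__":
    receipt_a = describe_jpeg(build_sample(1, 1))   # stands in for ABCTECH_RECEIPT.jpg
    receipt_b = describe_jpeg(build_sample(2, 2))   # stands in for ABCTECH_RECEIPT_pat.jpg
    for field, (va, vb) in compare(receipt_a, receipt_b).items():
        print(f"{field}: {va} -> {vb}")
```

On the real files, call `describe_jpeg(open(path, "rb").read())` for each attachment and `compare()` the two results; a difference confined to `md5` and `subsampling`, with dimensions and embedded profile segments identical, is the same pattern Appendix 1 shows. This identifies re-encoding, not which pixels changed; the price difference on the face of the receipts is what establishes the tampering.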

Figure 3 - Terry's Craigslist Listings


Figure 3 shows the Autopsy forensic analysis tool [5] (v4.19.3) having extracted Craigslist emails
confirming successful postings of sales classifieds for a "Dell 17" Monitor" and a "Dell Computer" (posted
25th November 2009). Terry had replaced Jo's corporate computer on 20th November 2009 on the premise of
diagnosing and repairing a fault (see Attachment), so the sequence of taking in a computer, listing a
computer for sale and then requesting new equipment raises suspicion about its timing.
Given Terry's role as IT administrator, Terry is expected to manage the IT inventory responsibly and to have
the technical competence to repurpose a spare computer as a "server". Selling a monitor and a computer
whilst requesting the same type of equipment is suspicious, and the sequence of events suggests that Terry is
attempting to sell company computers (and other assets) for personal gain. Whilst it is possible that the
computer and monitor listed for sale were not the ones taken in for repair, the matching brand supports the
suspicion; the Craigslist emails alone do not identify the specific units, so this inference is weaker than the
receipt evidence.
Given strong evidence of receipt tampering, we conclude that Terry has attempted to defraud the company by
submitting a tampered reimbursement claim. We additionally believe that Terry has attempted to sell company
equipment for personal benefit.
* redacted content *


5 https://www.sleuthkit.org/autopsy
Conclusion
We conclude by agreeing with the claim that an employee has been defrauding the m57biz company, and the
evidence points to Terry as the culprit. Furthermore, our forensic analysis finds evidence of illegal or
fraudulent activity performed by both Charlie and Terry, separately.


Appendix
0. Seizure to Acquisition Time Discrepancy


1. ExifTool analysis of ABCTech Receipts
Metatag                      Receipt A                                        Receipt B
JFIF Version                 1.01                                             1.01
Profile CMM Type             Apple Computer Inc.                              Apple Computer Inc.
Profile Version              2.2.0                                            2.2.0
Profile Class                Display Device Profile                           Display Device Profile
Color Space Data             RGB                                              RGB
Profile Connection Space     XYZ                                              XYZ
Profile Date Time            2009:02:25 11:26:11                              2009:02:25 11:26:11
Profile File Signature       acsp                                             acsp
Primary Platform             Apple Computer Inc.                              Apple Computer Inc.
CMM Flags                    Not Embedded, Independent                        Not Embedded, Independent
Device Manufacturer          Apple Computer Inc.                              Apple Computer Inc.
Device Attributes            Reflective, Glossy, Positive, Color              Reflective, Glossy, Positive, Color
Rendering Intent             Perceptual                                       Perceptual
Connection Space Illuminant  0.9642 1 0.82491                                 0.9642 1 0.82491
Profile Creator              Apple Computer Inc.                              Apple Computer Inc.
Profile ID                   0                                                0
Profile Description          Generic RGB Profile                              Generic RGB Profile
Green Matrix Column          0.35335 0.67363 0.09064                          0.35335 0.67363 0.09064
Media White Point            0.95047 1 1.0891                                 0.95047 1 1.0891
Red Matrix Column            0.4543 0.24191 0.01489                           0.4543 0.24191 0.01489
Blue Matrix Column           0.15665 0.08446 0.71957                          0.15665 0.08446 0.71957
Profile Copyright            Copyright 2007 Apple Inc., all rights reserved.  Copyright 2007 Apple Inc., all rights reserved.
Chromatic Adaptation         1.04788 0.02292 -0.0502 0.02957 0.99049          1.04788 0.02292 -0.0502 0.02957 0.99049
                             -0.01706 -0.00923 0.01508 0.75165                -0.01706 -0.00923 0.01508 0.75165
Exif Byte Order              Big-endian (Motorola, MM)                        Big-endian (Motorola, MM)
Orientation                  Horizontal (normal)                              Horizontal (normal)
X Resolution                 72                                               72
Y Resolution                 72                                               72
Resolution Unit              inches                                           inches
Exif Image Width             366                                              366
Exif Image Height            270                                              270
Encoding Process             Baseline DCT, Huffman coding                     Baseline DCT, Huffman coding
Bits Per Sample              8                                                8
Color Components             3                                                3
Y Cb Cr Sub Sampling         YCbCr4:4:4 (1 1)                                 YCbCr4:2:0 (2 2)
Image Size                   366x270                                          366x270
Megapixels                   0.099                                            0.099

All fields are identical between the two images except Y Cb Cr Sub Sampling.

2. Timeline
Time                              Event
Mon, 16 Nov 2009                  Employment commences
Thu, 19 Nov 2009 10:39:24 -0800   Google search for "steganography"
Thu, 19 Nov 2009 10:42:17 -0800   Download Invisible Secrets 2.1
Thu, 19 Nov 2009 10:43:32 -0800   Install Invisible Secrets
Tue, 24 Nov 2009 13:19:22 -0800   Google search for "7zip"
Tue, 24 Nov 2009 13:19:32 -0800   Download 7-Zip
Tue, 24 Nov 2009 13:40:45 -0800   Run Invisible Secrets 2.1 (2nd execution according to deleted prefetch)
Tue, 24 Nov 2009 13:57:05 -0800   Google search for "hex editor"
25 Nov - 29 Nov 2009              Holidays
Mon, 30 Nov 2009 08:48:17 -0800   Run Invisible Secrets 2.1 (4th execution according to prefetch)
Wed, 02 Dec 2009 13:04:29 -0800   Email to jaime@project2400.com
Wed, 02 Dec 2009 13:25:45 -0800   Email to jamie@project2400.com
Thu, 03 Dec 2009 09:17:39 -0800   Extract skl0g



