Digital Forensics Investigation Report On Intellectual Property Theft Case

Background Information on Digital Forensics Investigation

Question:

Discuss about the Digital Forensics for Home and Business Clients.

In the past few years, an entirely new breed of crime scenes has erupted, one that happens electronically within the cyber world. Traditional method of investigations, analysis and scrutiny does not apply in these new worlds. Therefore, a type of tool in the form a new domain was invented and this is where Digital Forensics came into the picture. From violent criminals, to terrorists and drug-lords and to even white-collar employees all are making use of technology to facilitate their offenses and also to avoid apprehension. Both organized and non-organized criminal groups have entered the cyberspace. Internal part of an organization or enterprise are no exception and this is exactly what happened in the case of the suspect in this report. The report would provide a background of the case and then would go into detail about the investigation process via forensic medium involving the tools to be used, the process to be followed including the analysis and detailed findings.

In the scenario, the suspect is an employee of an IT company which deals in Networking based solution for Home and Business clients. The suspect plays are at designation of the team lead. He had privilege to access sensitive data whose stealing can bring millions of dollars losses to the company. This came into light when the company came to know that its unique features which were not even released in the product so far, had already been captured by its competitors who are had already released its product. The product had very close similarities with its product’s unique features which were still in development phase. The company admitted that there has been an Intellectual Property theft either some external intrusion or a leakage from an internal employee. On investigation, it was found that there had been no recent external security breach. Hence, it came to this conclusion that there has been an internal breach. On further internal investigation, it found that leakage is possible in the research and development department.  Further scrutinization revealed that some of the employees had access to use USB drive and were also allowed to take them back to home. The investigation narrowed down to a single employee who had access to some confidential data of the company. The company was convinced that the employee had played a key role in data stealing and decide to catch him by showing a fake case and they were successful in catching them red-handed. Preliminary investigation found that he had indeed stole the confidential information and might had also got the login credentials of other employees. The company took his system into custody for which he claimed that it had only his personal data. With the help FTK, a bit stream of USB disk and his hard disk will be performed to find further useful proofs for proving his guilt or innocence.

Investigation Process and Tools Used

The objective of this report is to carry out a forensic investigation into the allegations made against the ‘suspect’ for stealing company secrets and selling it off in the open market or to competitors. The report is only meant to analyse, scrutinize and present the facts and findings regarding the case. The report is not meant to pass a judgement on its own, although the documentary evidence provided here would court admissible. The report would follow common forensic practices and ensure that the original data is not tampered in anyway, although there is always a scope of minor modifications.

PRTK from Accessdata to recover and crack passwords for commonly password protected files such as PDF or Word. A live CD is an important tool for accurate data acquisition. Helix3 Pro built on top of Ubuntu or FTK Live CD are the tools that focuses on incident response and computer forensics. It’s among the most popular live CDs used for both windows and Linux based forensic investigations. Apart from that, FTK for Analysis, UniversalViewer for viewing all kinds of images, Commandline and VMWare Workstation. All tools are legally acquired and fully functional until their trial completion date (Maawali, 2017).

Operating System: Windows 10 Pro. Guest (Suspect’s) Operating System: Windows 7 SP1

Following steps had been followed for investigation

Data acquisition – This phase is a 3-step process involving following steps:

• Create data acquiring plan – In this step, analyst provides a priority to sources, then creates a sequence in which data will be acquired. The basis of priority is determined by two factors: Likely value and volatility. They facilitate in determining which source to be prioritized and which to be acquired.
• Acquiring data – Before collecting any data, it is required to decide the need to collect data in a form which can be used for future legal proceedings. Hence, a clear strategy should be implemented to avoid allegations of improper handling of evidence. The data can be of two types: volatile and non-volatile data. Following steps shows how to deal with these types of data:

1. Non-volatile data – this data comes from computer hard-drive. While dealing with this kind of data, this procedure can be used. First of all, the suspect’s system is powered-off. Then, FTK Live disk is created using FTKprogram. Thereafter, hard-drive disk of suspect is acquired. A consideration is given as to whether the examiner is writing to FAT16 or FAT32 because DOS program cannot read/write to drives of other file systems. Electronic cryptographic technique called hash will be used for generating electronic fingerprint of a single file and also of the entire hard drive. DOS utility’s FTK is used to create MD5 hash value of the evidence found at the time of acquisition.
2. Volatile data – This data comes from memory of computer.

• Verification of acquired data- Hash value is of prime importance because it is imperative for evidentiary purposes for the hash values to exist. Without hash values, there would not be any way to be certain that the acquired image is an original copy of the hard drive. This would result in the entire evidence being tampered or inadmissible in court. A write-blocker or a Live CD can be used to gather an exact image of the hard disk drive. The image of the HDD would then possibly be an exact copy and hence can be used for further investigation. At the same time, the investigator needs to create a detailed log at each and every step of data collection and analysis. At the same time, tagging and bookmarking would need to be done (Lara, 2017).

Acquisition of data – This phase has three steps:

• Assessment phase – This step involves getting authorization to perform computer investigation. IT involves processes like assessing case, interview people and results documentation. Conducting in-depth analysis of crime scene and prioritize actions and justification of required resources.
• Data Collection – This phase includes identification and securing of device present at the crime scene. In addition to this, interview is conducted with the resources who may have information regarding the examination. These resources can be end users of the compute system, manager, person who allocates computers to employees, etc. the likely sources of data at this stage include workstations such as network devices, computer systems and laptops. These devices usually have internal storage device which accept media i.e. CDs, DVDs and various types of ports such as USB, Firewire etc. that is the external media and devices. Since logging and intrusion detection systems were active, chances are that they might not have valuable information even if they are not configured. As a result of which, network administrator should hand-over the system so that logs can be attained.  

Examination – After collecting data, next phase is data examination involving assessment and extraction of relevant information from gathered data.

• A laboratory is prepared with at least Windows 7 on it along with the tools mentioned earlier, installed and configured.
• The evidence files are then copied to this laboratory computer which was cloned using Helix Pro and FTK.
• Deleted files would be recovered by FTK. These deleted files would contain file data, including all the names of the files along with their date and timestamp, also their logical and physical size with the complete path. Keywords and text searches would be fuelled based on the investigator as well as the background of the case. Graphics files and document files would be opened and viewed using the ‘UniversalFileViewer’. Slack and Unallocated space would be searched. All the essential evidentiary files would be copied to a secure medium and further protected with write protection tools.
• FTK is used carve images and documents from unallocated space. A total of 290 Megabytes of data is retrieved here amounting to a total of 7009 images.

Suspect made use of Microsoft Outlook on his computer for email management. When this mailbox was raided using FTK, everything appeared routine and nothing seemed out of place. However, there were a large number of deleted emails that contained attachments. These attachments were primarily documents. There were no texts included in these emails and only had document as attachments. The most problematic part of all was that these documents were sent to the suspect’s personal account. However, all of these mails were deleted and this is where FTK had to carve the document files so as to add them to the case.

Suspect had several hundreds of files in the documents folder. However, most of them were confidential and were tagged accordingly. However, some of the files were password protected. They were password protected with Microsoft Word. The password protected files would be copied separately and AccessData’s PRTK or Password Recovery Tool Kit would be utilized to recover the passwords. PRTK would make use of dictionary to try and crack the passwords of the password protected file. Since, there are nearly 100 files with password protection, there needs to be another filtration method needed to filter the most crucial ones. Accordingly, three files stuck out the most as their actual location was in Temporary internet folder. These files were successfully cracked and they contained documentary evidence of transaction between the suspect and a third-party individual indicating illegal transfer of intellectual property of the company in exchange for ‘check’ in US currency (EnCase® Forensic v7, 2015).

Suspect primarily utilized Internet Explorer for day to day internet browsing. Fortunately, internet explorer runs on difficult settings and is set to keep the internet browsing history and cache files indefinitely. This gave us a lot of room to work so as to pinpoint the browsing history of the victim and finding any fault. Using FTK, cached data and website history stored in the History and the Temporary History Files folder was analysed and found that the suspect had visited Mediafire.com. A dtSearch of the keyword ‘Mediafire’ reveals several links to Mediafire and among some of these links contained the highly confidential files that caused the damage among the competitors. The agreement signed by the suspect prohibits such actions by the Suspect.

Analysis of the computer resulted in the recovery of a total of 7500 files of essential evidentiary value or of key investigative interests. These recovered files include:

• 480 Documents containing confidential information of sensitive matter.
• Among the 480 Documents, 70 contains the name of the suspect and contain personally identifiable information.
• Among the 70 Documents, 3 passwords protected word files contain evidence that directly links the suspect with the illegal transaction that he did with the third party. These evidences include company IP secrets as well as complete profile of the suspect along with the address, name, bank account details, swift/micr code, email address, phone number and others necessary to initiate transaction. Password for the said files were: hello, password and confidential respectively in small caps.
• 7009 image files – Among these image file contains; 14 TIFF images show checks being drawn in the name of the suspect from third party individuals.

Conclusion

The report shows that digital forensics is a continuous evolving process. The provided rules and regulations act as a guided help to the involved resources. This will ensure that integrity of assessed and investigated evidence are maintained. The credibility of procedure cannot be stressed much. With the help of proficient tools and knowledge, the forensic expert can provide required and useful service to both law body and company. Even though, forensic may not provide concrete evidence of the crime, but it provides key information which can help in solving nearly impossible puzzle. The difficulty level of examiner’s job vary with cases. Hence in addition to tested forensic tools, an in-depth training as per the industry standard should also be provided while dealing with digital evidence. The above report can be concluded with certainty that the suspect or at least the suspect’s computer was used to carry out the said illegal activity. The key revelations come from the email and internet browser analysis with the help of FTK toolkit. However, given the nature and circumstance of evidence gathered, it’s highly probable the suspect himself is the convict.

References

EnCase® Forensic v7. (2015). Retrieved from https://www.digitalintelligence.com/files/EnCase7_Specifications.pdf

LAra, S. (2017). Significant Changes in Trapezoid and Trapezium Contact in the Scaphotapezio-Trapezoidal Joint as a Function of Kinematic Movement. Retrieved 8 October 2017, from https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.258.7228&rep=rep1&type=pdf

Maawali, W. (2017). The little secret on Digital Forensics | Eagle Eye Digital Solutions | Muscat Oman. Digi77.com. Retrieved 8 October 2017, from https://www.digi77.com/the-little-secret-on-digital-forensics/