Data Leakage Case
The purpose of this work is to learn about the various types of data leakage and to practice the techniques for investigating them.
Scenario Overview
Target Systems and Devices
| Target | Item | Detailed Information |
|---|---|---|
| Personal Computer (PC) | Type | Virtual System |
| | CPU | 1 Processor (2 Core) |
| | RAM | 2,048 MB |
| | HDD Size | 20 GB |
| | File System | NTFS |
| | IP Address | 10.11.11.129 |
| | Operating System | Microsoft Windows 7 Ultimate (SP1) |
| Removable Media #1 (RM#1)* | Type | USB removable storage device |
| | Serial No. | 4C530012450531101593 |
| | Size | 4 GB |
| | File System | exFAT |
| Removable Media #2 (RM#2) | Type | USB removable storage device |
| | Serial No. | 4C530012550531106501 |
| | Size | 4 GB |
| | File System | FAT32 |
| Removable Media #3 (RM#3) | Type | CD-R |
| | Size | 700 MB |
| | File System | UDF |
Acquired Data Information
| Image | Download Links | Imaging S/W | Image Format |
|---|---|---|---|
| Personal Computer (PC) – 'DD' Image | pc.7z.001, pc.7z.002, pc.7z.003 (total 5.05 GB compressed by 7zip); hash | FTK Imager 3.4.0.1 | converted from VMDK |
| Personal Computer (PC) – 'EnCase' Image | pc.E01, pc.E02, pc.E03, pc.E04 (total 7.28 GB compressed by EnCase); hash | EnCase Imager 7.10.00.103 | E01 (Expert Witness Compression Format) converted from VMDK |
| Removable Media #1 (RM#1) – 'EnCase' Image | rm#1.E01 (total 74.5 MB compressed by EnCase); hash | FTK Imager 3.3.0.5 (write-blocked by Tableau USB Bridge T8-R2) | E01 (Expert Witness Compression Format) |
| Removable Media #2 (RM#2) – 'DD' Image | rm#2.7z (total 219 MB compressed by 7zip); hash | FTK Imager 3.3.0.5 (write-blocked by Tableau USB Bridge T8-R2) | DD |
| Removable Media #2 (RM#2) – 'EnCase' Image | rm#2.E01 (total 243 MB compressed by EnCase); hash | EnCase Imager 7.09.00.111 (write-blocked by Tableau USB Bridge T8-R2) | E01 (Expert Witness Compression Format) |
| Removable Media #3 (RM#3) – 'Raw / CUE' Image | rm#3-type1.7z (total 92.8 MB compressed by 7zip); hash | FTK Imager 3.3.0.5 | RAW ISO / CUE (sometimes BIN / CUE)* |
| Removable Media #3 (RM#3) – 'DD' Image | rm#3-type2.7z (total 78.6 MB compressed by 7zip); hash | FTK Imager 3.3.0.5 + bchunk (http://he.fi/bchunk) | DD converted from 'RAW ISO + CUE' |
| Removable Media #3 (RM#3) – 'EnCase' Image | rm#3-type3.E01 (total 90.2 MB compressed by EnCase); hash | EnCase Imager 7.09.00.111 | E01 (Expert Witness Compression Format) |
Additional Data Information
Seed Files
- Download Links: seed-files.7z (total 150 MB compressed by 7zip); hash
- File Information:
  - Seed files stored in RM#1 and a shared network drive
  - Base files for creating the seed files were randomly selected from Govdocs1
  - The first page of each seed file was manually added
  - Seed file list and hash values
Digital Forensic Practice Points
The following is a summary of the practice points related to the images above.
| Practice Point | Description |
|---|---|
| Understanding Types of Data Leakage | Storage devices: HDD (Hard Disk Drive), SSD (Solid State Drive); USB flash drive, flash memory cards; CD/DVD (with Optical Disk Drive). Network transmission: file sharing, Remote Desktop Connection; e-mail, SNS (Social Network Service); cloud services, messenger |
| Windows Forensics | Windows event logs; opened files and directories; application (executable) usage history; CD/DVD burning records; external devices attached to the PC; network drive connection traces; system caches; Windows Search databases; Volume Shadow Copy |
| File System Forensics | FAT, NTFS, UDF; metadata (NTFS MFT, FAT directory entry); timestamps; transaction logs (NTFS) |
| Web Browser Forensics | History, cache, cookies; Internet usage history (URLs, search keywords…) |
| E-mail Forensics | MS Outlook file examination; e-mails and attachments |
| Database Forensics | MS Extensible Storage Engine (ESE) database; SQLite database |
| Deleted Data Recovery | Metadata-based recovery; signature- and content-based recovery (aka carving); Windows Recycle Bin; unused area examination |
| User Behavior Analysis | Constructing a forensic timeline of events; visualizing the timeline |
Questions
1. What are the hash values (MD5 & SHA-1) of all images? Do the acquisition and verification hash values match?
2. Identify the partition information of the PC image.
3. Explain the installed OS information in detail (OS name, install date, registered owner…).
4. What is the timezone setting?
5. What is the computer name?
6. List all accounts in the OS except the system accounts: Administrator, Guest, systemprofile, LocalService, NetworkService (account name, login count, last logon date…).
7. Who was the last user to log on to the PC?
8. When was the last recorded shutdown date/time?
9. Explain the information of the network interface(s) with an IP address assigned by DHCP.
10. What applications were installed by the suspect after installing the OS?
11. List application execution logs (executable path, execution time, execution count…).
12. List all traces of system on/off and user logon/logoff. (Consider only the time range between 09:00 and 18:00 in the timezone from Question 4.)
13. What web browsers were used?
14. Identify directory/file paths related to the web browser history.
15. What websites was the suspect accessing? (Timestamp, URL…)
16. List all search keywords entered in web browsers. (Timestamp, URL, keyword…)
17. List all user keywords entered in the search bar of Windows Explorer. (Timestamp, keyword)
18. What application was used for e-mail communication?
19. Where is the e-mail file located?
20. What was the e-mail account used by the suspect?
21. List all e-mails of the suspect. If possible, identify deleted e-mails. (You can identify the following items: timestamp, from, to, subject, body, and attachment.) [Hint: examine the OST file only.]
22. List external storage devices attached to the PC.
23. Identify all traces related to 'renaming' of files in the Windows Desktop. (Consider only the date range between 2015-03-23 and 2015-03-24.) [Hint: the parent directories of the renamed files were deleted and their MFT entries were also overwritten, so you may not be able to find their full paths.]
24. What is the IP address of the company's shared network drive?
25. List all directories that were traversed in 'RM#2'.
26. List all files that were opened in 'RM#2'.
27. List all directories that were traversed in the company's network drive.
28. List all files that were opened in the company's network drive.
29. Find traces related to cloud services on the PC. (Service name, log files…)
30. What files were deleted from Google Drive? Find the filename and modified timestamp of each file. [Hint: find a transaction log file of Google Drive.]
31. Identify the account information used for synchronizing Google Drive.
32. What method (or software) was used for burning the CD-R?
33. When did the suspect burn the CD-R? [Hint: it may have been one or more times.]
34. What files were copied from the PC to the CD-R? [Hint: use the PC image only. You can examine the transaction logs of the file system for this task.]
35. What files were opened from the CD-R?
36. Identify all timestamps related to a resignation file in the Windows Desktop. [Hint: the resignation file is a DOCX file in the NTFS file system.]
37. How and when did the suspect print the resignation file?
38. Where are 'Thumbcache' files located?
39. Identify traces related to confidential files stored in Thumbcache. (Include '256' only.)
40. Where are Sticky Note files located?
41. Identify the notes stored in the Sticky Note file.
42. Was the 'Windows Search and Indexing' function enabled? How can you identify it? If it was enabled, what is the file path of the 'Windows Search' index database?
43. What kinds of data were stored in the Windows Search database?
44. Find traces of Internet Explorer usage stored in the Windows Search database. (Consider only the date range between 2015-03-22 and 2015-03-23.)
45. List the e-mail communication stored in the Windows Search database. (Consider only the date range between 2015-03-23 and 2015-03-24.)
46. List files and directories related to the Windows Desktop stored in the Windows Search database. (Windows Desktop directory: `\Users\informant\Desktop\`)
47. Where are Volume Shadow Copies stored? When were they created?
48. Find traces related to the Google Drive service in the Volume Shadow Copy. What are the differences between the current system image (of Questions 29 ~ 31) and its VSC?
49. What files were deleted from Google Drive? Find deleted records of the cloud_entry table inside snapshot.db from the VSC. (Examine the SQLite database only; suppose that the text-based log file was wiped.) [Hint: the DDL of the cloud_entry table is as follows.]

   ```sql
   CREATE TABLE cloud_entry
   (doc_id TEXT, filename TEXT, modified INTEGER, created INTEGER, acl_role INTEGER,
   doc_type INTEGER, removed INTEGER, size INTEGER, checksum TEXT, shared INTEGER,
   resource_type TEXT, PRIMARY KEY (doc_id));
   ```

50. Why can't we find Outlook's e-mail data in the Volume Shadow Copy?
51. Examine the 'Recycle Bin' data on the PC.
52. What actions were performed for anti-forensics on the PC on the last day, '2015-03-25'?
53. Recover deleted files from the USB drive 'RM#2'.
54. What actions were performed for anti-forensics on the USB drive 'RM#2'? [Hint: this can be inferred from the results of Question 53.]
55. What files were copied from the PC to the USB drive 'RM#2'?
56. Recover hidden files from the CD-R 'RM#3'. How can the proper filenames of the original files, prior to the renaming tasks, be determined?
57. What actions were performed for anti-forensics on the CD-R 'RM#3'?
58. Create a detailed timeline of the data leakage processes.
59. List and explain the methodologies of data leakage performed by the suspect.
60. Create a visual diagram summarizing the results.
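For the snapshot.db question above, the following is an added example (not code from the CFReDS case or from the Google Drive client) of how DELETEd cloud_entry rows can be carved back out of a SQLite file: it builds a small snapshot.db from the cloud_entry DDL with constructed rows, deletes two of them with secure_delete off, and then scans every b-tree page's freeblock chain and unallocated gap, where SQLite leaves a deleted cell (minus the 4 bytes it overwrites with the freeblock next/size fields) until the space is reused. The same scan over the snapshot.db recovered from the VSC yields the filenames; the integer columns (modified, created) need the record header reconstructed, which this string pass does not attempt.

```python
import re
import sqlite3
import struct
import tempfile

CLOUD_ENTRY_DDL = ("CREATE TABLE cloud_entry (doc_id TEXT, filename TEXT, modified INTEGER, "
                   "created INTEGER, acl_role INTEGER, doc_type INTEGER, removed INTEGER, size INTEGER, "
                   "checksum TEXT, shared INTEGER, resource_type TEXT, PRIMARY KEY (doc_id))")
SAMPLE_ROWS = [  # constructed rows, not data from the case image; removed=1 rows get DELETEd and carved back
    ("doc-0001", "quarterly_report.pdf", 1427100000, 1427000000, 0, 1, 0, 18200, "a1b2c3d4", 0, "file"),
    ("doc-0002", "design_spec_v2.docx", 1427110000, 1427001000, 0, 1, 1, 40960, "e5f6a7b8", 0, "file"),
    ("doc-0003", "customer_list.xlsx", 1427120000, 1427002000, 0, 1, 0, 12288, "c9d0e1f2", 1, "file"),
    ("doc-0004", "salary_table.xlsx", 1427130000, 1427003000, 0, 1, 1, 9000, "0a1b2c3d", 0, "file"),
]

def build_snapshot_db(path=None):
    """Populate cloud_entry, then DELETE the removed=1 rows; secure_delete OFF leaves their bytes in place."""
    path = path or tempfile.NamedTemporaryFile(suffix=".db", delete=False).name
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute(CLOUD_ENTRY_DDL)
    conn.executemany("INSERT INTO cloud_entry VALUES (?,?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.execute("DELETE FROM cloud_entry WHERE removed = 1")
    conn.commit()
    conn.close()
    return path

def printable_runs(blob, min_len=4):
    """Printable-ASCII runs of at least min_len bytes (a first pass; integer columns need the record header)."""
    return [m.decode("ascii") for m in re.findall(rb"[ -~]{%d,}" % min_len, blob)]

def carve_deleted_strings(path, min_len=4):
    """Scan each b-tree page's freeblock chain and unallocated gap, where deleted cells survive until reused."""
    data = open(path, "rb").read()
    page_size = 65536 if (ps := struct.unpack(">H", data[16:18])[0]) == 1 else ps  # 64 KiB is encoded as 1
    hits = []
    for pno in range(1, len(data) // page_size + 1):
        base = (pno - 1) * page_size
        hdr = base + 100 if pno == 1 else base                   # page 1 begins with the 100-byte file header
        if data[hdr] not in (0x02, 0x05, 0x0A, 0x0D): continue   # freelist/overflow page: no b-tree header
        hdr_len = 12 if data[hdr] in (0x02, 0x05) else 8         # interior pages add a right-child pointer
        first_free, ncells, content_start = struct.unpack(">HHH", data[hdr + 1:hdr + 7])
        gap = data[hdr + hdr_len + 2 * ncells:base + (content_start or 65536)]
        hits += [(pno, "unallocated", s) for s in printable_runs(gap, min_len)]
        off = first_free
        while 0 < off < page_size:                               # freeblock = 2-byte next offset + 2-byte size
            nxt, size = struct.unpack(">HH", data[base + off:base + off + 4])
            hits += [(pno, "freeblock", s) for s in printable_runs(data[base + off + 4:base + off + size], min_len)]
            off = nxt if nxt > off else 0                        # the chain must ascend; anything else is corruption
    return hits
```

A client that runs with secure_delete on, or a VACUUM after the delete, zeroes or compacts these remnants, so an empty result from this scan does not show that nothing was deleted.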
Answers
See the answers [PDF, MS-Word] (document v1.32, last updated July 23, 2018).