Investigation 02 Sample Evidence - Autopsy the open-source

Purpose

In this assignment, you will examine a forensic disk image for evidence of corporate espionage. Read the scenario document carefully, as you may consider it interview notes with your client. This represents a more complex scenario than Investigation 01 and thus contains a greater degree of irrelevant data. Be sure to give yourself plenty of time to perform the examination, and be sure to take advantage of Autopsy's features to assist your disambiguation.

Instructions

You'll need to use the following resources to complete the assignment:

• Investigation 02 Sample Evidence*
• Autopsy the open-source forensic suite* (or another suite, such as EnCase or FTK.)
• (Optional) Download and use the report template (See the Investigation and Forensics Challenge module for the templates)

*Accessed via the Virtual Lab.

After reading the Investigation 02 Scenario, open your forensic tool and import the sample evidence into the tool. Begin a forensic report and begin your search. As you do, be sure to take special note of these answers to these questions. These questions represent those that need to be answered to arrive at a logical conclusion to this scenario. They are provided here, but in the future, you will be required to decide these questions on your own.

Scenario

This scenario takes place circa 2008.

M57.biz is a hip web start-up developing a body art catalog. They've pulled in over $3 million in funding with a net return of $10 million. The company is small, with only seven employees, including founder Alison Smith. Alison was co-founder with her long-time partner Raoul Perdoga, but she recently forced him out of the business following a nasty break-up.

Current employees are:

• President: Alison Smith
• CFO: Jean Jones
• Programmers: Bob Blackman, Carol Canfred, David Daubert, Emmy Arlington
• Marketing: Gina Tangers, Harris Jenkins
• BizDev: Indy Counterching

Despite their recent success, they have a decentralized office. Most people work at home or on the road. Communication and collaboration are primarily by email through their own @m57.biz domain. This worked fine until a spreadsheet containing confidential proprietary company information was posted as an attachment in the technical support forum of a competitor's website.

The spreadsheet came from CFO Jean's computer, but she denies any knowledge of the leak. She says that Alison asked her to prepare the spreadsheet as part of a new funding effort and to email it to her. Alison denies she ever asked for the spreadsheet and never received a copy by email. A recreation of the spreadsheet table is found below for you to use.

Questions

1. When did Jean create the spreadsheet? Jean asserts that she created the spreadsheet after Alison had asked for it by email.
2. How did the spreadsheet get from Jean's computer to the competitor's website? Jean says she emailed it to Alison but denies ever visiting the competitor's website.
3. Is anyone else from the company involved? What about people who are not in the company? What possible motive could they have?
4. If what Jean says is true, what steps can we take to continue our investigation?