Data Corp Analysis
Casey Jackman
Objectives
This analysis provides detailed information about the recovered evidence, presents the data (files and
folders) deemed relevant to the case, including file names, file types and brief descriptions, and
closes with a conclusion drawn from the findings.
Approach
To ensure that only relevant information is presented as evidence in this case, I will first strive to
understand the policies of DataCorp, specifically what information would indicate that a law or
company policy has been violated. I will then systematically filter through the provided disk
images for files and/or directories that appear relevant to those policies.
Relevant Information
Image DSC Floppy 1

File Name   File Type                  Description
Trending    Py (Python)                Open source software for analyzing data
Pubring     Pkr (public keyring)       Arty Snitch <artsnitch@hotmail.com>; Bart Smoot <bartsmoot@hotmail.com>
Secring     Skr (Pretty Good Privacy)  PGP file – Pretty Good Privacy
Image DSC Floppy 2

File Name      File Type                      Description
Trivial        Pl (Perl script)               User and password information from Perl script
Spoofer        Py (Python)                    Python script to spoof emails from email servers
Employee_data  Xls (Excel 97)                 Username, SS#, and birthday of 28 employees
Oratab         Db (database)                  File created during db access
Defaults       Pl (Perl script)               Script used to manipulate database; data accessed
OLE Streams    Object Linking and Embedding   Multiple OLE streams for streaming and saving data from a database
Image 1

File Name           File Type                  Description
Picolo              Py (Python executable)     Installation and directory of open source data analysis software
bartsmoot579267922  Xml (Extensible Markup)    Found in received files from messenger; confirms sending of the
                                               program "shreditpc.msi" and downloading of media content at
                                               work. Files sent from Arty to Bart
Steganography       Various image extensions   Distinctly marked folder with images. Indicates that data was
                                               being hidden in images using steganography
Image 2

File Name   File Type                  Description
Notes       Rtf (rich text file)       This file was self-described as "secret"; includes PGP information:
                                         password: secretstuff
                                         my pw: b4r7y1
                                         pgp key: smo0tk3y
Secring     Skr (Pretty Good Privacy)  PGP file – Pretty Good Privacy
Eula        Txt (text)                 End user license agreements – unauthorized software
Web cache   .gif/.jpg/.html            Hundreds of cached web ads and HTML of non-related sites
Analysis of Information
It is clear from the evidence presented in the previous section that many company policies have
been violated by both Art and Bart. Each violated policy is listed below together with the
evidence suggesting that it was violated.
…No employee shall participate in the installation and/or use of personal or open source
software on Company computers.
The open source Python software Picolo was found installed on Image 2, as was the
Trending.py file discovered on floppy disk 1.
…Accessing of database information by employees is prohibited unless required for job functions
that are expressly authorized in job descriptions
A Perl script, defaults.pl, was discovered on Floppy Image 2. This script used the Oratab
function, indicating that a database had been accessed and data retrieved. Evidence of OLE
streams was also found. End User License Agreements were found on both images,
suggesting unnecessary software installations.
In no case shall employees use company resources to conduct personal business.
Chat histories with correspondence between Art and Bart were discovered on Image 1. These
conversations included brief descriptions of work machines being used to download non-work
media. An attempt to send a Microsoft installer program, shreditpc.msi, was also found.
ShreditPC is most likely an application used to permanently destroy files.
PGP (Pretty Good Privacy) was also found on both the floppy disk and hard disk images, suggesting
that files were encrypted on a disk at work. A self-incriminating text file, Notes.txt, was found deep in
the file directory with username and password credentials for PGP. Simple keyring files were also
discovered on a floppy disk, connecting the disk to the PGP installation on the client machine.
Finally, it appears that data was being hidden in images using steganography: a directory titled
Steganography was found, and the images near it carried appended file extensions that masked
their true file type.
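As an added, examiner-side illustration of the last point (not part of the original report): the check below compares each file's claimed extension against its leading signature bytes, so a file whose real type is hidden behind an appended image extension stands out. The signature table and the sample files are constructed assumptions, not files recovered from the case images.

```python
import os
from typing import Dict, List, Optional

# Leading-byte signatures for common image and container types.
# Assumption: this small table covers the types worth checking here.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"{\\rtf": "rtf",
}

# Extensions naming the same type, so "jpeg" is not flagged against "jpg".
ALIASES = {"jpeg": "jpg", "htm": "html"}


def detect_type(data: bytes) -> Optional[str]:
    """Return the type implied by the file's first bytes, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def claimed_type(filename: str) -> str:
    """Type claimed by the last extension, i.e. the one an appended extension shows."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ALIASES.get(ext, ext)


def check_file(filename: str, data: bytes) -> dict:
    """Compare the extension's claim with the content signature; flag disagreement."""
    claimed, actual = claimed_type(filename), detect_type(data)
    return {"name": filename, "claimed": claimed, "actual": actual,
            "mismatch": actual is not None and actual != claimed}


def scan(files: Dict[str, bytes]) -> List[str]:
    """Return the names of files whose content does not match their extension."""
    return [name for name, data in files.items() if check_file(name, data)["mismatch"]]


# Constructed sample files: a genuine JPEG, a ZIP archive renamed to look like
# a JPEG, and an RTF note with ".jpg" appended to its original name.
SAMPLE_FILES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "holiday.jpg": b"PK\x03\x04" + b"\x00" * 16,
    "notes.txt.jpg": b"{\\rtf1\\ansi secret",
}

if __name__ == "__main__":
    for name in scan(SAMPLE_FILES):
        print(check_file(name, SAMPLE_FILES[name]))
```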