Data Corp Analysis

CASEY JACKMAN
Evidence
Conclusion
Objectives
- This analysis will provide detailed information about the recovered evidence, list the data (files and folders) deemed relevant to the case, including file names, file types and brief descriptions, and finally give a conclusion of the findings.
Approach
- To ensure that only relevant information is presented as evidence in this case, I will first strive to understand the policies of DataCorp, specifically what information would imply that a law or company policy has been violated. I will then systematically search through the provided disk images for files and/or directories that seem relevant to the previously mentioned policies.
Floppy 1

File Name | File Type                 | Description
Trending  | py (Python)               | Open source software for analyzing data
Pubring   | pkr (public keyring)      | Arty Snitch <artsnitch@hotmail.com>, Bart Smoot <bartsmoot@hotmail.com>
Secring   | skr (pretty good privacy) | PGP file – pretty good privacy
Floppy 2

File Name     | File Type                     | Description
Trivial       | pl (Perl script)              | User and password information from Perl script
Spoofer       | py (Python)                   | Python script to spoof emails from email servers
Employee_data | xls (Excel 97)                | Username, SS#, and birthday of 28 employees
Oratab        | db (database)                 | File created during db access
Defaults      | pl (Perl script)              | Script used to manipulate database; data accessed
OLE Streams   | Object Linking and Embedding  | Multiple OLE streams for streaming and saving data from a database
HD 1: Arty Snitch

File Name          | File Type                | Description
Picolo             | py (Python executable)   | Installation and directory of open source data analysis software
bartsmoot579267922 | xml (extensible markup)  | Found in received files from messenger; confirms sending of the program "shreditpc.msi" and downloading media content at work. Files sent from Arty to Bart.
Steganography      | Various image extensions | Distinctly marked folder with images. Indicates that data was being hidden within images using steganography.
HD 2: Bart Smoot

File Name | File Type                 | Description
Notes     | rtf (rich text file)      | This file was self-described as "secret". Includes PGP information: password: secretstuff; my pw: b4r7y1; pgp key: smo0tk3y
Secring   | skr (pretty good privacy) | PGP file – pretty good privacy
Eula      | txt (text)                | End user license agreements – unauthorized software
Web cache | .gif/.jpg/.html           | Hundreds of cached web ads and HTML of non-related sites
Notes.doc

- "Blast, repartitioning didn’t work on this drive. I’ll just hide it deep."
- "remember, password is secretstuff"
- "my pw:b4r7y1"
- "pgp key: smo0tk3y"
Messaging History
Analysis
- "…No employee shall participate in the installation and/or use of personal or open source software on Company computers."
- The open source Python software Picolo was found to have been installed on Image 2, as well as the Trending.py file that was discovered on floppy disk 1.
- "…Accessing of database information by employees is prohibited unless required for job functions that are expressly authorized in job descriptions."
- Perl scripts were discovered on Floppy Image 2, including defaults.pl. This script used the Oratab function, indicating that a database had been accessed and data retrieved. Evidence of OLE streams was also found. Other End User License Agreements were found on both images, suggesting unnecessary software installations.
Analysis
- "In no case shall employees use company resources to conduct personal business."
- Chat histories were discovered on Image 1 with correspondence between Arty and Bart. These conversations included brief descriptions of work machines being used to download non-work media. An attempt to send a Microsoft Installer package, shreditpc.msi, was also found. ShreditPC is most likely an application used to permanently destroy files.
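The chat-history review described above can be made repeatable. The script below is an added example written for this page, not part of the original report: it walks a messenger history export, lists file-transfer events (flagging installer and executable names such as the .msi noted above) and picks out URLs and media-download mentions in message text. The XML is constructed for the example and only loosely follows the layout of a Windows Messenger history file (Message and Invitation elements); the element names, dates and paths are assumptions to adjust to the export actually recovered.

```python
"""Added example: triage a messenger history export for file transfers and
media-download mentions. The sample XML is constructed and is not case data."""
import re
import xml.etree.ElementTree as ET

# Constructed sample log (assumed element layout; names and paths are placeholders).
SAMPLE_XML = """<Log FirstSessionID="1" LastSessionID="1">
  <Message Date="01/01/2009" Time="10:02" SessionID="1">
    <From><User FriendlyName="Arty"/></From>
    <To><User FriendlyName="Bart"/></To>
    <Text>downloaded a few movies on the work box last night</Text>
  </Message>
  <Invitation Date="01/01/2009" Time="10:05" SessionID="1">
    <From><User FriendlyName="Arty"/></From>
    <File>C:\\Users\\arty\\Desktop\\shreditpc.msi</File>
    <Text>Arty sends C:\\Users\\arty\\Desktop\\shreditpc.msi</Text>
  </Invitation>
  <Message Date="01/01/2009" Time="10:06" SessionID="1">
    <From><User FriendlyName="Bart"/></From>
    <To><User FriendlyName="Arty"/></To>
    <Text>thanks, grabbing it from http://example.invalid/stuff.mp3 too</Text>
  </Message>
</Log>
"""

# Transferred files with these extensions deserve a closer look (installers, scripts).
RISKY_EXT = {"msi", "exe", "bat", "cmd", "vbs", "scr", "ps1"}
MEDIA_RE = re.compile(r"\b(download(?:ed|ing)?|movies?|mp3|torrent|stream(?:ed|ing)?)\b", re.I)
URL_RE = re.compile(r"https?://\S+")


def sender(elem) -> str:
    """FriendlyName of the sending user, or '?' when the element has none."""
    user = elem.find("From/User")
    return user.get("FriendlyName", "?") if user is not None else "?"


def analyze_history(xml_text: str) -> list:
    """Return a list of findings (dicts) in the order they occur in the log."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root:
        when = f"{elem.get('Date', '')} {elem.get('Time', '')}".strip()
        who = sender(elem)
        if elem.tag == "Invitation":
            # File-transfer offer: keep only the base name and classify its extension.
            path = (elem.findtext("File") or "").strip()
            name = path.replace("\\", "/").rsplit("/", 1)[-1]
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            findings.append({"when": when, "who": who, "kind": "file-transfer",
                             "detail": name, "risky": ext in RISKY_EXT})
        elif elem.tag == "Message":
            text = elem.findtext("Text") or ""
            for url in URL_RE.findall(text):
                findings.append({"when": when, "who": who, "kind": "url",
                                 "detail": url, "risky": False})
            if MEDIA_RE.search(text):
                findings.append({"when": when, "who": who, "kind": "media-mention",
                                 "detail": text.strip(), "risky": False})
    return findings


def file_transfers(findings: list) -> list:
    """Just the file-transfer findings, risky ones first."""
    return sorted((f for f in findings if f["kind"] == "file-transfer"),
                  key=lambda f: not f["risky"])


if __name__ == "__main__":
    for f in analyze_history(SAMPLE_XML):
        flag = " [REVIEW]" if f["risky"] else ""
        print(f"{f['when']}  {f['who']:5} {f['kind']:14} {f['detail']}{flag}")
```

Each finding keeps the timestamp and sender so it can be tied back to the user whose image it came from, which is the link the analysis above draws between the sent installer and the two correspondents.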
Analysis
- PGP (Pretty Good Privacy) was also found on both a floppy disk image and a hard disk image, suggesting that files were encrypted on a disk at work. A self-incriminating text file, Notes.txt, was found deep in the file directory with username and password credentials for PGP. Simple keyring files were also discovered on a floppy disk, connecting the disk to the PGP installation on the client machine.
Analysis
- Finally, it appears that data was being hidden in images using steganography: a directory titled Steganography was found, and the images near it carried appended file extensions that masked their true file type. This file was encrypted with PGP.
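Two of the findings above, the PGP keyring files and the images whose real type was masked by an appended extension, come down to the same check: what a file's leading bytes say it is versus what its name claims. The script below is an added example written for this page, not part of the original report; it walks a directory of recovered files, identifies each one from its magic bytes, flags extension mismatches and PGP key material, and looks for credential-like strings in text files. The signature table is deliberately small (an assumption; a full examination would use libmagic and hash every file), and every sample file is constructed here rather than taken from the case images.

```python
"""Added example: compare each recovered file's magic bytes with its extension,
flag PGP keyring material and credential strings. Sample files are constructed."""
import os
import re
import tempfile

# Leading-byte signatures (assumption: a small hand-picked table).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # OLE compound file (.doc/.xls/.msi)
    (b"-----BEGIN PGP", "pgp-armor"),
    (b"{\\rtf", "rtf"),
    (b"<?xml", "xml"),
]
# What each extension is expected to sniff as; anything else counts as "unknown".
EXT_TO_KIND = {"jpg": "jpg", "jpeg": "jpg", "gif": "gif", "png": "png",
               "doc": "ole", "xls": "ole", "msi": "ole", "rtf": "rtf",
               "xml": "xml", "pkr": "pgp-binary", "skr": "pgp-binary"}
CRED_RE = re.compile(r"\b(password|pw|pgp key|passphrase)\b\s*[:=]", re.I)


def sniff(head: bytes) -> str:
    """Coarse type name for the first bytes of a file."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    # Old-format OpenPGP packet headers: 0x98/0x99 = public-key packet (tag 6),
    # 0x94/0x95 = secret-key packet (tag 5); pubring/secring files start this way.
    if head[:1] in (b"\x98", b"\x99", b"\x94", b"\x95"):
        return "pgp-binary"
    return "unknown"


def examine(path: str) -> dict:
    """Classify one file and collect the flags an examiner would want to see."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    kind = sniff(head)
    expected = EXT_TO_KIND.get(ext, "unknown")
    flags = []
    if kind != "unknown" and kind != expected:
        flags.append("extension-mismatch")        # e.g. a JPEG renamed to .txt
    if kind in ("pgp-binary", "pgp-armor"):
        flags.append("pgp-material")
    if kind in ("unknown", "rtf", "xml"):          # text-like: look for credentials
        text = head.decode("latin-1")
        if CRED_RE.search(text):
            flags.append("credentials")
        if "END USER LICENSE AGREEMENT" in text.upper():
            flags.append("eula")
    return {"path": path, "ext": ext, "kind": kind, "flags": flags}


def triage(root: str) -> dict:
    """Walk a recovered directory tree; return {relative path: examine() result}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root).replace(os.sep, "/")] = examine(full)
    return results


def build_sample(root: str) -> None:
    """Write constructed stand-ins for the kinds of files the report describes."""
    os.makedirs(os.path.join(root, "Steganography"), exist_ok=True)
    files = {
        "Steganography/holiday.jpg.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # JPEG masked as .txt
        "pubring.pkr": b"\x99\x01\x0d\x04" + b"\x00" * 16,                     # public-key packet
        "secring.skr": b"\x95\x01\x0d\x04" + b"\x00" * 16,                     # secret-key packet
        "Notes.rtf": b"{\\rtf1 secret stuff\\par password: example-only\\par}",
        "Employee_data.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
        "banner.gif": b"GIF89a" + b"\x00" * 8,                                 # name and bytes agree
        "Eula.txt": b"END USER LICENSE AGREEMENT for some-tool",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def run_demo() -> dict:
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for rel, info in sorted(run_demo().items()):
        print(f"{rel:30} ext={info['ext']:4} kind={info['kind']:11} flags={info['flags']}")
```

A masked image shows up as kind jpg with an extension-mismatch flag, the keyrings as pgp-material, and the notes file as credentials; the run over a real image would replace build_sample with the mounted evidence path and add hashing of each flagged file.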