Security Resource Hub
Digital Forensics

Topic 4: Forensic Case-Studies

Complete & Continue Next Lesson Learn More

CASE STUDY 1

Assume that you just received a report from an employee at the IT Help Desk for the organization you work for. In the report, the employee states that she received a call from a user who claims that her email account was hacked and is used to send fraudulent emails to many people.

Forensic Conclusion:

As with all incident response and investigations, the first stage is triage, and part of that is determining whether any evidence can be found to confirm that the reported event took place.

Two actions should take place:

  1. Review any unusual login activity to the account in question.

  2. Determine if any outbound email that looks suspicious was sent from the account.

Both can be accomplished by reviewing system logs, such as authentication and email logs. The authentication log may list the date and time, IP addresses, successful and failed attempts, etc. The email log will reveal timestamps, subject lines, and recipient addresses.

If there is indeed an indication that there is a problem, a few things need to happen:

  1. Force a password reset on the affected account, ensure that all established sessions are terminated, and review any mail filtering and forwarding rules set for the account. This will ensure the attacker loses access to the account and cannot immediately regain it. It will also ensure that simple password-reset schemes fail.

  2. Contact the user and obtain a copy of the phishing messages sent. If that does not immediately yield results, use privileged access to access the victim's email and pull copies of the fraudulent emails.

  3. If fraudulent activity was indeed noticed in the authentication logs, review if the IP address from which the attacker logged in to the account is also used to access other accounts. If so, these accounts must be treated as compromised, and steps (1) and (2) are executed for them.

  4. Check the email logs to see if anyone who received the fraudulent emails replied to them. If so, contact those users to inform them and ask them what information they sent. Their answers may lead to additional actions.

  5. Depending on the scale of the event, a notification to ALL users may be warranted.

CASE STUDY 2

In 2002, Lisa Marie Roberts was imprisoned for murdering her girlfriend. The prosecution had cell records purportedly showing she used her phone where the body was found. Roberts claimed she was innocent, saying the call was made many miles away while driving on a highway. Roberts’ attorney urged her to plead guilty without seeing the evidence. This led to Roberts accepting a 15-year sentence for manslaughter. After years of continuing to assert her innocence, a public defender picked up Lisa’s case. The defense analyzed DNA evidence found on Robert’s girlfriend’s body, discovering that it belonged to a male who had been a suspect. A thorough analysis of the cell records showed that the cell tower her phone connected to was miles away from the murder scene. The defense’s experts used this to illustrate the inherent inaccuracy of relying solely on historical cell tower logs. In 2014, U.S. District Judge Malcolm F. Marsh threw out Roberts’ guilty plea, stating that “the presentation of expert testimony at trial, concerning the variables impacting the reliability of cell tower evidence to pinpoint a caller’s location, likely would have changed the outcome of the trial.” After 12 years, Roberts was released from prison.

Forensic Conclusion

Wireless devices are becoming an ever-growing part of our lives. Each time we use them for convenience, they record a part of our day. Companies and law enforcement are increasingly using this data to create a timeline of our locations and actions that previously would have disappeared. Investigators should be careful to use this information responsibly and interpret it accurately. If not, what you thought would lead to digital heaven could send you straight to a digital cell.