Aerosol
Posted January 6, 2015

Humans are often the weakest link in the security chain. In his book The Art of Deception, renowned hacker Kevin Mitnick explains how innate human tendencies are exploited to the attacker's advantage. It is a misconception that hackers seek to exploit convoluted vulnerabilities beyond the comprehension of non-technical employees. In fact, a meticulous hacker would begin by locating the simplest vulnerability, such as an untrained employee who may unwittingly divulge critical information. In this case study, we will investigate a similar situation pertaining to an email phishing attack.

Scenario: A document containing confidential information about M57's employees, such as SSNs, salaries and positions in the company, has been leaked on the Internet. This sensitive Excel sheet has mysteriously appeared on a competitor's website. Jean, the CFO, is believed to be involved since she had access to this file. She claims that the president, Alison Smith, asked explicitly for this information. However, Alison denies having asked for it or having received it.

Role: Computer Forensics Investigator

Purpose: You are required to investigate the claims and determine how the document ended up on the competitor's website.

Evidence Disk: You can obtain the EnCase image of the M57-Jean case here: part1 and part2. [Courtesy: Digital Corpora]

Tools used: You can download Paraben's Email Examiner here.

Tasks performed: During the course of this investigation, you will be required to perform the following tasks:
- Mount the evidence image and locate the PST file pertaining to the case
- Extract information from the PST file
- Study email headers to hunt for discrepancies
- Perform document metadata analysis
- Create a timeline of the critical events that led to the leak
- Build a context to aid proceedings in a court of law

Delineating Email Headers

Before we go ahead, it would be prudent to discuss the importance of email headers in cases like this.

Email headers store plenty of information relevant to a specific email message. Usually these are hidden and only the 'text' (body) of the email is shown to the recipient. Recipients do, however, have the option of explicitly viewing the header of any email in many local and web-based email clients.

Firstly, and this is important, email headers are not always veracious and can be easily forged. Accordingly, the only part of an email header you can trust is the part generated by your own service, that is, the 'Received' lines it added. Now that you know what can and cannot be trusted about an email header, let us understand its various parts.

Return-Path: After receiving an email, when you click 'Reply To' to send your reply, this is the address that your reply will be sent to.
Delivery-Date: The date on which your email client or service received the email.
Message-ID: A unique identifier attached to the message when it was created.
Content-Type: Specifies the formatting of the message, which could be plain text or HTML.
X-Spam-Status and X-Spam-Level: Used to specify a spam score for the message.
Received: Reading these lines from bottom to top will tell you the servers that the message travelled through while it was in transit.
Priority: Used to assign a priority to the message; it is often abused by spammers to mark their spam as "urgent".

We have avoided the self-explanatory parts of the header such as 'From', 'Subject', 'Date', 'To' and 'Body'. Again, the 'From' field is easily forged and should never be relied upon.

Locating artifacts on the disk that are relevant to the case

We commence the investigation by replicating the image provided to us and then mounting the replica for analysis. The image is in the proprietary EnCase format. You can mount this image using a variety of forensics software, including 'Autopsy', which is a GUI front-end for the Sleuth Kit tools [Figure 1].

[Figure 1]

If you lack access to forensics software capable of mounting this EnCase image format, it is suggested that you convert the images to the more general 'dd' format [Figure 2]. You can do so using the procedure described in one of our previous papers.

[Figure 2: http://resources.infosecinstitute.com/wp-content/uploads/123114_2142_ForensicsIn2.png]

As evident from the scenario, this case revolves around a number of emails that were sent to and from Jean's computer. After preliminary analysis of the disk, we know that Jean was using Microsoft Outlook Express as her email client. We know that Outlook Express stores the details of emails, calendar events, tasks and journal on the local disk in the form of a Personal Storage Table (PST). This PST file is located at:

C:\Documents and Settings\Jean\Local Settings\Application Data\Microsoft\Outlook\outlook.pst

We make a copy of this PST file for further analysis [Figure 2]. If you are using Autopsy, simply 'export' this file [Figure 1].

Analyzing the PST file on a Linux box

There are a variety of tools that you can use to analyze this PST file. On a Linux box, you can use 'readpst' with the switch '-S' to ensure that the messages are stored in separate files and folders named as in the PST file. The switch '-o' specifies the directory into which these messages will be extracted.

readpst -S -o /root/del_pst/ outlook.pst

[Figure 3]

As expected, the messages extracted from the PST file were stored in the 'del_pst' folder, as specified, and are numbered and separated on the basis of where they belong (e.g., 'Inbox', 'Outbox', 'Sent Items', etc.) [Figure 4].

[Figure 4]

You can now use any email client to read these messages. In fact, here we are simply using the Linux 'cat' command to display the raw contents of one of these emails. Notice that this shows us both the header and the text of the message [Figure 5].

[Figure 5]

After a quick glance inside 'Sent Items', we are able to ascertain that the sensitive document in question was attached to email 16 [Figure 6].

[Figure 6]

If this PST file contained only a few messages, this crude method of searching through the emails for evidence would suffice. However, in our case the PST file contains hundreds of emails, and it is better to use a GUI email forensics tool that facilitates quicker analysis.

Analyzing the PST file on a Windows box

There are several tools available that allow you to view the contents of PST files in Windows. For the purposes of this case, you are free to use any of them as long as they also show the headers of the emails. We are using Paraben's Email Examiner, which has a GUI and is capable of loading the messages just as you would see them in an email client like Outlook [Figure 7]. It also has the option of recovering deleted emails. Begin analyzing the PST file in Email Examiner in this manner:

'New Case' -> 'Add New Evidence' -> 'Auto-detect e-mail database' -> Load the PST file

[Figure 7]

The first few mails are from Jean testing that the email client is properly set up. Next, there are several 'Google Alert' mails that are not relevant to the case.

Note: In Email Examiner, go to 'RFC Header' to view the header of a message and 'Text' to view the body [Figure 7].

[Figure 8]

The president, Alison Smith, had her email configured to the display name 'Alison57', as evident from the emails received from her on 07/07/2008 [Figure 8]. Also, in the aftermath on 07/21/2008, the emails received from the real Alison again show her email configured to the name 'Alison57' [Figure 9].

[Figure 9]

So our first intuition is that all other emails configured to the names "Alex" or "alison@m57.biz" are those sent by the attacker trying to masquerade as Alison.
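The display-name observation above, the Return-Path check and the timeline that follow later in this write-up can all be scripted once readpst has written the messages to disk. The script below is an added example, not code from the original article, from readpst or from Email Examiner. In place of the exported files it parses four constructed sample messages with hypothetical addresses on the reserved .example domains; it groups display names by sender address, flags any Return-Path or Reply-To that points somewhere other than the From address, lists the Received hops in transit order (bottom header first), and sorts everything by Date into a timeline. It generalises the single-mailbox check in this case to any directory of raw RFC 822 files.

```python
"""Triage of messages extracted from a PST (e.g. by `readpst -S`, which
writes one raw RFC 822 file per message) for sender-impersonation clues.
Added example; the messages below are constructed, not the case data."""
import email
import email.utils
from collections import defaultdict

# Constructed sample messages in the raw form readpst writes to disk.
RAW_MESSAGES = [
    # A genuine message from the president: display name "Alison57".
    b"""Return-Path: <alison@m57.example>
Received: from mail.m57.example (mail.m57.example [192.0.2.10]) by mx.m57.example; Mon, 07 Jul 2008 09:32:03 -0400
Message-ID: <a1@m57.example>
Date: Mon, 07 Jul 2008 09:32:01 -0400
From: Alison57 <alison@m57.example>
To: jean@m57.example
Subject: welcome aboard

Hi Jean, glad to have you on board.
""",
    # Same From address but a different display name; the earliest
    # Received line (the bottom one) shows an outside relay.
    b"""Return-Path: <alison@m57.example>
Received: from mx.m57.example (mx.m57.example [192.0.2.11]) by mail.m57.example; Sun, 20 Jul 2008 05:10:40 -0400
Received: from relay.mail.example (relay.mail.example [198.51.100.7]) by mx.m57.example; Sun, 20 Jul 2008 05:10:38 -0400
Message-ID: <a2@mail.example>
Date: Sun, 20 Jul 2008 05:10:36 -0400
From: Alex <alison@m57.example>
To: jean@m57.example
Subject: background checks

Can you send me the employee spreadsheet?
""",
    # The reply target now points at an outside mailbox (hypothetical address).
    b"""Return-Path: <attacker-reply@mail.example>
Received: from relay.mail.example (relay.mail.example [198.51.100.7]) by mx.m57.example; Sun, 20 Jul 2008 06:56:14 -0400
Message-ID: <a3@mail.example>
Date: Sun, 20 Jul 2008 06:56:11 -0400
From: Alex <alison@m57.example>
Reply-To: attacker-reply@mail.example
To: jean@m57.example
Subject: RE: background checks

I need this right away.
""",
    # Jean's reply, as it would appear under Sent Items.
    b"""Message-ID: <j1@m57.example>
Date: Sun, 20 Jul 2008 06:58:47 -0400
From: Jean <jean@m57.example>
To: attacker-reply@mail.example
Subject: RE: background checks

Attached.
""",
]


def parse_messages(raws):
    """Parse raw RFC 822 byte strings into email.message.Message objects."""
    return [email.message_from_bytes(raw) for raw in raws]


def sender_address(msg):
    """Bare, lower-cased address from the From header (display name dropped)."""
    return email.utils.parseaddr(msg.get("From", ""))[1].lower()


def display_names_by_address(msgs):
    """Map each From address to the set of display names seen with it;
    more than one name for the same address is worth a closer look."""
    names = defaultdict(set)
    for msg in msgs:
        name, addr = email.utils.parseaddr(msg.get("From", ""))
        names[addr.lower()].add(name)
    return dict(names)


def reply_target_mismatches(msgs):
    """(Message-ID, header, address) for every Return-Path or Reply-To
    whose address differs from the From address."""
    findings = []
    for msg in msgs:
        sender = sender_address(msg)
        for field in ("Return-Path", "Reply-To"):
            value = msg.get(field)
            if value is None:
                continue
            addr = email.utils.parseaddr(value)[1].lower()
            if addr and addr != sender:
                findings.append((msg.get("Message-ID"), field, addr))
    return findings


def received_hops(msg):
    """Received lines in the order the message travelled: each MTA prepends
    its own line, so the bottom header is the first hop."""
    return list(reversed(msg.get_all("Received", [])))


def timeline(msgs):
    """(datetime, sender, subject) rows sorted chronologically by Date."""
    rows = []
    for msg in msgs:
        when = email.utils.parsedate_to_datetime(msg["Date"])
        rows.append((when, sender_address(msg), msg.get("Subject", "")))
    return sorted(rows)


MESSAGES = parse_messages(RAW_MESSAGES)

if __name__ == "__main__":
    for addr, names in display_names_by_address(MESSAGES).items():
        print(f"{addr}: {sorted(names)}")
    for finding in reply_target_mismatches(MESSAGES):
        print("reply target differs from From:", finding)
    for hop in received_hops(MESSAGES[1]):
        print("hop:", hop)
    for when, sender, subject in timeline(MESSAGES):
        print(when.isoformat(), sender, subject)
```

For the real export, replace RAW_MESSAGES with the bytes of each file under the readpst output directory (for example via pathlib.Path.rglob); the functions do not depend on the sample data.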
Note, however, that it is not difficult for an attacker to obtain the name configured in Alison's email. For instance, the attacker could have lured Alison into replying to one of his emails, in which case he would know that Alison uses the name "Alison57". Nevertheless, the attacker did not go to this trouble and instead simply used the name "Alex" and spoofed the 'sender address' to Alison's actual email address. It is possible that he figured the 'sender address' of alison@m57.biz would be enough to phish Jean, which was indeed the case.

Furthermore, on 07/07/2008, in her second email to Jean, Alison explicitly asked Jean not to forward spam links to her as she had "no way of knowing whether they are from Jean or a hacker". Hence, another indication that the emails on 07/20/2008 were sent by an attacker is that they included spam emails that Alison would not have forwarded, given her attitude towards such mails.

Moreover, we immediately notice that 2 of these emails have the 'Return-Path' set to 'tuckgorge@gmail.com', which is a dead giveaway [Figure 10].

[Figure 10]

Document Metadata Analysis

The document is an Excel sheet containing confidential details of employees such as SSNs, salaries and departments [Figure 11].

[Figure 11]

There are several ways to analyze the metadata stored in this document. The easiest is to open the document in MS Excel 2013 and view its 'Properties' [Figure 12]. You can also use the tool 'FOCA' to view this metadata.

[Figure 12]

As is evident, the document was created by the president, Alison Smith, on 06/12/2008 at 8:43 PM. The document was last modified by Jean on 07/20/2008, the day of the attack, at 6:58 AM.

Note: The Excel sheet contained an image [Figure 11], so we ran some tests to detect steganography. However, after preliminary analysis, the image was not found to contain any hidden messages.
Please feel free to run your own tests.

Timeline of Significant Events Relevant to the Leak

Based on our analysis, we can now construct a timeline of the significant events surrounding the document exfiltration, which helps in comprehending how the information leaked out.

DATE        TIME          EVENT
07/07/2008  09:32:01 AM   Jean received emails from Alison, the president, with the name "Alison57"
07/20/2008  05:03:23 AM   Attacker sends first email masquerading as Alison and asks about "financial plans", possibly to establish a false identity
07/20/2008  05:03:24 AM   Attacker sends 4 spam emails, possibly for the purpose of distraction
07/20/2008  05:10:36 AM   Attacker makes the first request for the sensitive information in an email with the subject line "background checks"
07/20/2008  05:14:03 AM   Jean is doubtful and sends an email inquiring about the email address Alison is using
07/20/2008  05:14:28 AM   Jean confirms that she will send the requested information and replies with "Sure thing."
07/20/2008  06:56:11 AM   Attacker makes a second request for the sensitive information and shows urgency; the Return-Path is modified to 'tuckgorge@gmail.com'
07/20/2008  06:58:00 AM   Jean 'last modified' the XLS document
07/20/2008  06:58:47 AM   Jean sends the sensitive XLS file to 'tuckgorge@gmail.com'
07/20/2008  10:33:55 AM   The attacker sends an email to thank Jean for sending the information
07/21/2008  05:16:35 AM   The real Alison sends an email to Jean inquiring what she is doing
07/21/2008  05:26:38 AM   Alison sends an email to Jean telling her "something strange is going on"

Document Exfiltration Cause Analysis

So how did the file end up on the competitor's website? In all probability, the attacker obtained the email ID of Alison Smith from M57's website and used it to send a forged email to Jean asking for the confidential information. Jean fell for the trap and modified an XLS document according to the information requested by the attacker. In the last couple of emails to Jean, the attacker modified the 'Reply-To' path to receive Jean's reply at his Gmail address, tuckgorge@gmail.com. After Jean sent the sensitive document to this address, the attacker made it public by attaching it in the 'comments' section of a competitor's website. The attacker could be a disgruntled former employee or a job candidate turned down by M57. In an email on 07/07/2008, Alison refers to a tattooed woman whom M57 turned down for a job. She does have a motive to hurt M57, but further investigation is needed before anything can be said about the attacker's identity.

Conclusion

This case underscores the gravity of security training and awareness for employees within a company. It is unclear whether M57 took measures to educate employees about phishing attacks and security practices in general. To a trained eye, there were several clues during the phishing attack that suggested malice. However, Jean overlooked them simply because the email seemed to have been sent from Alison's email address. The attack was unsophisticated and the leak could have been easily averted. Since a particular employee was targeted in this case, you may call this a spear phishing attack. Also, since CFO is a senior position in a company, you may also call this whaling.

This paper was written for the purpose of explaining the investigation. However, while formulating your report at the end of the investigation, you would want to avoid certain aspects of this explanation. In particular, avoid adding unsubstantiated conclusions or offering personal opinions about the character of the personnel involved. For instance, intuition tells us that Jean might have revealed this information unwittingly and not out of ill intent. However, you would avoid stating that in the report since you lack evidence to exculpate Jean. Moreover, giving opinions about the case is the job of expert witnesses. You, as a forensics investigator, should simply investigate and present the facts of the case that are backed by evidence.