Final Incident Report 24601 - D. Patrick - SNHU ISE640

This incident report summarizes an investigation into suspected intellectual property theft by Drew Patrick, a senior manager at Acme Construction Company. The report details that ACC's IT department discovered evidence that Mr. Patrick remotely accessed proprietary databases, exported data to unauthorized systems, and exchanged proprietary information with non-ACC employees. This violated ACC policies and intellectual property laws. The report examines the legal concerns and statutes applicable to the suspected theft. It also outlines the processes and procedures followed during the investigation, including assigning an investigation team, monitoring the suspect's activity, and deciding appropriate actions at the investigation's conclusion, to ensure the investigation was performed legally and effectively. Maintaining a proper chain of custody of any collected evidence is also discussed as important to preserving

INCIDENT REPORT 24601 – DREW PATRICK 1

Acme Construction Company

Incident Report Number 24601 – Drew Patrick

ISE640 Investigation – Digital Forensics

SNHU – Professor DeSpain

March 07, 2022

Joe Fernald

Contents

Executive Summary – 3
Legal Concerns – 4
Processes and Procedures – 6
Chain of Custody – 8
Forensic Team Investigation Notes – 10
Resource Needs – 11
  Hardware – 11
  Software – 11
Forensic Data Collection and Analysis Methods – 13
Investigation Findings – 15
Conclusion – 18
References – 19

Executive Summary

As the Acme Construction Company (ACC) Cybersecurity Analyst, I must report that we suspect that Drew Patrick, a senior manager in the Research and Development group, committed intellectual property theft.

Based on information provided by Human Resources (that Mr. Patrick plans to leave ACC for a competitor) and a Forensic Notes (SNHU) report provided by the ACC IT department, there is enough evidence to believe that Mr. Patrick committed the following acts that violated ACC policies:

• Remotely accessed Research and Development (R&D) databases, copied large amounts of proprietary product plans and specification data to a desktop system
• Used a Peer-to-Peer (P2P) application to export data from corporate databases to IP addresses of systems that are not part of the ACC inventory
• Exchanged emails and Instant Message (IM) chat sessions that contained proprietary information with non-ACC employees
• Accessed the dark web to search for ways to sell ACC proprietary information
• Tried to cover up all these actions

Mr. Patrick also violated intellectual property laws.

We plan to use this evidence to request that our senior management and the ACC legal counsel start civil and criminal proceedings against Mr. Patrick.



Legal Concerns

There are two legal issues with which Acme Construction Company must deal. The first problem is theft of intellectual property. The other concern is making sure that ACC can prove beyond a reasonable doubt that the suspect (Drew Patrick) is guilty of the theft.

There are three primary statutes (among others) under which we could choose to prosecute Mr. Patrick. The first statute is 18 U.S. Code § 1030 - Fraud and related activity in connection with computers (Legal Information Institute, n.d.). The second statute is 18 U.S. Code § 1831 - Economic Espionage (Legal Information Institute, n.d.). The third statute is the Defend Trade Secrets Act (ABA, 2016).

All three statutes cover theft of intellectual property and unauthorized (or exceeding authorized) access to protected computers to obtain trade secrets or other items of value. These laws also apply to any parties receiving stolen information.

Forensic data revealed that Mr. Patrick allegedly violated ACC corporate policies and these statutes by the following actions:

• He started to collect proprietary information in anticipation of leaving ACC to work for a competitor
• Used a P2P application to transfer data outside the ACC network
• Attempted (unsuccessfully) to access encrypted databases remotely
• Contacted parties external to ACC and discussed proprietary documents
• Sent emails that discussed a “quid pro quo” agreement of a senior management position in exchange for ACC trade secrets

The ACC legal counsel wants to hand over a “bulletproof” package of evidence to law enforcement and the prosecution. We must make sure that we followed all accepted

investigative procedures, make sure we handled all the forensic evidence properly, and that we accurately reported our findings.

Since we must rely on expert testimony (the Forensic team), any evidence they uncover must pass the Daubert Standard (Legal Information Institute, n.d.). Judges use the Daubert Standard to decide if expert testimony is valid, based on the following criteria:

• Theories and techniques used were previously tested
• Peers published and reviewed the evidence collection, processing, and handling processes
• Quantifiable margin of error
• Operational standards exist and are kept current
• Members of the related community accept the techniques



Processes and Procedures

In this case, the ACC HR department had reason to suspect Mr. Patrick planned to leave ACC for a position in another company and take proprietary ACC information with him. The HR department requested that the IT department look for any unusual activity on systems or files to which Mr. Patrick has access. This was the beginning of the internal investigation, with IT discovering indications of suspicious activity on the part of Mr. Patrick.

Dealing with employees accused of theft is difficult. You must have a policy in place under which you can investigate the accused employees without violating their constitutional rights. Even if an employee is guilty and terminated, a lack or misuse of the policies leaves you vulnerable to a wrongful termination suit. If you plan to prosecute the accused employee criminally, the guidelines and laws become more important.

To perform an effective and legal employee investigation, an organization must do the following (Johnson, n.d.):

1. Assign someone to investigate the employee. At ACC, as the cybersecurity practitioner, you lead the investigation, with support from IT, HR, and the corporate counsel.
2. Start investigating immediately. In addition to having fresh evidence, you send a message to other employees that malfeasance is not tolerated and is acted upon quickly. The ACC IT department collected all available information and passed it to the digital Forensic team immediately.
3. Decide how to handle employees under investigation. There are two choices – monitor their activity to strengthen your case or suspend employees (with pay) until you

complete the investigation. In this case, since we know Mr. Patrick intends to leave ACC, leave him in his position and covertly monitor his activity.
4. Keep investigation details confidential to only those who must know. Establish guidelines under which the investigators and employees must abide to mitigate the chance of the employee hearing rumors about the investigation.
5. Assure protection from retaliation to any employees interviewed during the investigation.
6. Decide what to do with employees at the conclusion of the investigation. If they are innocent, reinstate them. If the employees are guilty, you can either discipline (demand restitution, suspension, place an incident record in the employee’s HR file) or terminate them.
7. Seek recovery of any loss. With intellectual property theft (as in the ACC case), you involve corporate counsel and law enforcement to determine if there are grounds for civil or criminal prosecution. Also, contact your insurance company to see if insurance covers any monetary loss caused by the incident.



Chain of Custody

A proper evidential chain of custody is key to preserving evidence and mitigating the risk of evidence contamination. A failure in either can render forensic evidence inadmissible in a criminal trial.

In digital forensics, the chain of custody describes procedures related to the collection of evidence, and the sequences of analysis, control documentation, and transfer (Obbayi, 2021). First, make sure that you properly catalog documentation. Details include the item, who transferred custody to whom, the time and date of exchanges, and a list of who accessed any items or files.

The procedures to use in establishing a proper chain of custody include (Obbayi, 2021):

• Save all original materials, and do your work on copies so you can compare your work against the original.
• Photograph physical evidence.
• Screen capture digital content to help establish the chain of custody.
• Document all details of evidence exchange – this establishes a consistent time frame. If there is a time gap, investigate to see what happened.
• To ensure that our clone is an exact duplicate (including any slack space), use bit-for-bit clones of physical evidence (such as physical drives). Perform hash tests on all the cloned media.
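The two checks in the list above (a hash test on the clone, and a ledger of exchanges with no unexplained time gap) can be scripted. The following is an added example, not code from the ACC report or its forensic team; the evidence bytes, the ledger rows and the 24-hour gap threshold are constructed for illustration.

```python
"""Hash-verify a bit-for-bit clone and audit a chain-of-custody ledger.

Added example, not part of the ACC report: the evidence bytes and the
ledger entries are constructed here; in practice the hashes come from the
imaging tool's log and the ledger from the signed evidence form.
"""
import hashlib
from datetime import datetime


def sha256_of(data: bytes, chunk: int = 1 << 16) -> str:
    """Hash in fixed-size chunks, as you would stream a multi-GB image."""
    digest = hashlib.sha256()
    for offset in range(0, len(data), chunk):
        digest.update(data[offset:offset + chunk])
    return digest.hexdigest()


def clone_verified(original: bytes, clone: bytes) -> bool:
    """A bit-for-bit clone must hash identically; any single-bit change fails."""
    return sha256_of(original) == sha256_of(clone)


# Constructed ledger rows: (timestamp, item, released by, received by).
LEDGER = [
    ("2022-02-14T09:00", "WD 500 GB HDD SN NB497356F", "IT department", "Forensic team"),
    ("2022-02-14T09:45", "WD 500 GB HDD SN NB497356F", "Forensic team", "Evidence locker"),
    ("2022-02-17T08:30", "WD 500 GB HDD SN NB497356F", "Evidence locker", "Examiner"),
]


def custody_findings(ledger, max_gap_hours: float = 24.0):
    """Flag two kinds of weakness in a ledger sorted by time.

    - a continuity break: an item is released by someone who was not the
      last recorded recipient (an undocumented hand-off in between);
    - a time gap longer than max_gap_hours between consecutive entries,
      which must be investigated and explained.
    Returns a list of (row_index, reason) tuples; empty means clean.
    """
    findings = []
    for i in range(1, len(ledger)):
        prev_ts, item, _, prev_to = ledger[i - 1]
        cur_ts, cur_item, cur_from, _ = ledger[i]
        if cur_item != item:
            continue  # only compare hand-offs of the same item
        if cur_from != prev_to:
            findings.append((i, f"continuity break: {prev_to!r} -> {cur_from!r}"))
        gap = datetime.fromisoformat(cur_ts) - datetime.fromisoformat(prev_ts)
        if gap.total_seconds() > max_gap_hours * 3600:
            findings.append((i, f"time gap of {gap.total_seconds() / 3600:.1f} h"))
    return findings


if __name__ == "__main__":
    # Constructed "disk" contents: the bad clone differs from the original by one bit.
    original = bytes(range(256)) * 1024
    good_clone = bytes(original)
    bad_clone = bytearray(original)
    bad_clone[4097] ^= 0x01
    print("good clone verified:", clone_verified(original, good_clone))
    print("bad clone verified:", clone_verified(original, bytes(bad_clone)))
    for row, reason in custody_findings(LEDGER):
        print(f"ledger row {row}: {reason}")
```

The constructed ledger passes the continuity check but trips the time-gap check between the locker deposit and the examiner's withdrawal, which is exactly the case the procedure says to investigate and document.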

Because physical evidence is fragile, there are things you must consider related to procedures and preservation, such as:



• Never use the original evidence in developing procedures – always make sure to make copies. This helps you to restart from uncompromised evidence if you must revise your procedures.
• Make sure any evidence storage device that you use is forensically clean before acquiring evidence. Malware could move from an unclean disk to your evidence and taint it.
• If you discover anything that is beyond the scope of the current legal authority, thoroughly document it and alert someone in authority. You may need extra legal authority to process the evidence. Include the following items in your report:
o Reporting agency identity
o Case number or another unique identifier
o Name of investigator
o Submitter name or identity
o Receipt and report dates
o Explanatory list of the items you presented for analysis (such as make, model, and serial number)
o Signature and identification of the examiner
o List and description of the steps taken during the examination (such as string or image searches, and any recovered deleted files)
o Conclusions you reached from further examination

The following section contains the report created by the ACC Forensic team.

Forensic Team Investigation Notes

The chain of custody documentation commenced by gathering information about the Western Digital 500 GB Hard Drive (serial number NB497356F) from Mr. Patrick’s computer. The disk was bit-for-bit copied using FTK software, which preserves the contents of the original hard drive. To prove exact duplication, we generated and compared the hashes from each drive.

The system ran a Windows-based Operating System and used an NTFS disk format.

The Forensic team analyzed the disk using both Autopsy and Windows Forensic Toolchest software. Sort and index functions narrowed the scope of files that required further analysis. The file types found on the disk included the following: SQL, Excel, email, chat, and HTML.

The Forensic team also analyzed slack space on the disk to look for hidden data.

Resource Needs

To perform a proper data forensic investigation, you need a combination of specialized hardware, software, and an area to perform your tests.

The forensics team requires a secure and controllable area to perform their analysis. The more secure and controllable the environment, the easier testing is and the more reliable the results.

The following lists of hardware and software are the standard accepted data forensic tools (Patterson, 2016):

Hardware

• Forensic Bridge (write blockers) – Used for safe connection and extraction of data from different types of storage media.
• FRED (Forensic Recovery of Evidence Device) – Specialized workstations you connect to networks to analyze data transmitting across networks.
• SHADOW – Device that allows you to perform a quick copy of a drive while you are at the scene of a cybersecurity breach.
• Duplication Device – Specialized evidence-grade system that contains inputs to duplicate various types of media (such as hard disks, USB flash drives, SD Memory Cards, or Mobile [IoT] devices).
• Evidence Scanners – Portable scanners designed to perform screen and video captures, and record video from the incident site.

Software

• FTK Imager (FTK Imager, 2022) – The FTK Imager is specialized software used to make forensic copies of evidence, such as bit-by-bit copies of media. FTK Imager includes hash

comparisons to prove that the copy is an exact duplicate of the original drive. You can store these images on private or network storage devices.
• The Sleuth Kit – Contains applications that locate and recover hidden/deleted files and detect changes to system files on Windows and Linux systems.
• Wireshark – Wireshark software collects, analyzes, and presents packet data captured on network links.
• CAINE – Linux software that contains integrated memory, mobile, and network-forensic tools.
• Registry Recon – Software designed to rebuild the Windows registry of a compromised system.
• COFEE – Microsoft software used by law enforcement in extracting and documenting data during forensic investigations.
• Volatility – Memory forensics software used to extract data contained in system RAM.

Forensic Data Collection and Analysis Methods

The method the ACC Forensic team used in its investigation followed the NIST (National Institute of Standards and Technology) standard of digital forensic investigation. The investigation steps include (Kent, 2008):

• Media – This is the first step of the investigation. You identify and extract incident data from compromised systems (such as file servers, Network Management Systems, and firewalls).
• Examination – Examining data involves using specialized software and hardware tools, hoping to find pieces of data (such as network, mobile, email, system logs, packet traces) that relate to the investigation.
• Analysis – The analysis phase is where data starts to turn into information and starts to become evidence. You look at all the collected data to find commonalities (such as user IDs, IP addresses, network or system alerts, spikes in network utilization) that deviate from the provided baselines. From there, you can form your hypotheses as to the who, what, when, where, why, and how of the security incident.
• Reporting – In the reporting stage, you have fully formed evidence, are ready to demonstrate proof of your hypothesis, and present it to the relevant parties (management, law enforcement).

To perform these tasks, the ACC Forensic team used the following tools (SNHU):

• FTK software made a bit-by-bit copy of Mr. Patrick’s company-issued system. We compared the hash values of both drives to ensure exact replication of the original drive.

• Autopsy and Windows Forensic Toolchest ran sort and index functions to narrow the list of files we must analyze. The software tools also examined data stored in the slack space of disk clusters.
• Analyzed logs from Snort software, Intrusion Detection and Prevention Systems (IDPS), system logs, and other SIEM tools for anomalies.



Investigation Findings

After an intensive forensic investigation, the ACC Forensic team found the following (SNHU):

• The HR department had reason to believe that Drew Patrick, a senior manager for Acme Construction, planned to leave his position to work for another company. Before leaving ACC, Mr. Patrick collected extensive amounts of trade secrets, technical data, and other intellectual property, presumably to bring with him to his new employer. This data gives the new employer an unfair competitive advantage.
• ACC uses Snort software as part of its Security Incident Event Management (SIEM) tool suite, which also includes IDPS systems. The Security Operations Center (SOC) manages these tools.
• The IT department maintains the Active Directory and (encrypted) Research and Development databases.

The Forensics team used the above-mentioned information and their analysis to discover the following:

• The SIEM discovered potential P2P traffic originating from the IP address associated with Mr. Patrick’s computer. It sent alerts to the SOC team. None of the destination IP addresses belonged to ACC systems. Using P2P applications violates ACC use policies.
• File names transferred from R&D databases contained intellectual property created by the team Mr. Patrick managed.



• Active Directory logs failed to show that Mr. Patrick logged on to his system during the times the P2P application was active. However, an anonymous account existed on the system and was active when file transfers occurred.
• ACC requires two-factor authentication to access its network and servers.
• ACC does not allow data sharing between systems.
• Server logs showed that Mr. Patrick logged into the R&D database many times in the weeks preceding the file transfers.
• IDPS logs showed that Mr. Patrick’s ACC computer copied files related to this investigation, which violates ACC use policies (all data must reside only on the file servers).
• Access logs from the R&D servers verified that Mr. Patrick’s user ID initiated the file copies.
• The Forensic team examined log files from the ACC email server, and the Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) servers.
• Verified physical access logs.
• After analyzing packet capture logs from the firewalls and IDPS systems, the Forensic team determined conclusively that the intellectual property file transfers originated from Mr. Patrick’s system.
• The Forensic team discovered enough evidence that Mr. Patrick accessed systems without the authorization necessary to perform his daily tasks and transmitted and stored intellectual property.
• Forensic analysis also found the following file information:



o Microsoft Outlook – Emails that we discovered contained references to proprietary information. Some of the recipients were non-ACC employees. The email text showed promises of proprietary design information in exchange for a senior management position.
o AOL Instant Messenger – We recovered chat conversations that contained information about possessing ACC proprietary documents.
o SQL – Log files from SQL database servers showed proprietary information and remote connections to an SQL server. Also, there were two unsuccessful attempts to access encrypted SQL database files.
o Microsoft Excel – Discovered files containing parts lists and specifications concerning proprietary equipment on the hard disk.
o HTML – Web browser cache data we recovered showed that Mr. Patrick accessed the dark web and created an email account (constructionseller@darkweb.com) for dark web correspondence. We also discovered dark web searches for brokers of trade secrets. The browser cache also uncovered YouTube searches for “selling intellectual property” and “selling on the dark web”. Recovered internet browser history also revealed images related to SQL database file encryption, and how to exploit SQL server vulnerabilities.
o SLACK SPACE (hidden data and temporary files at the end of disk clusters) – Slack space analysis revealed hidden information on web-based searches for “advertising stolen data” and “hacking SQL servers”.
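The findings above rest on one join: which host held the alerting source IP at transfer time (DHCP), and which accounts had an open logon session on that host at that moment (Active Directory and local logs), so that a transfer with no logon by the assigned user stands out. The following added example, not code from the ACC report or its SOC, performs that join over constructed records; all field layouts, hostnames, addresses and account names are assumptions.

```python
"""Triage SIEM P2P alerts against DHCP leases and logon sessions.

Added example, not part of the ACC report. Every record below is constructed
and the field layouts are assumptions, not any vendor's log schema. The
point is the join the findings describe: which host owned the source IP at
alert time, and which accounts were logged on to that host at that moment.
"""
from datetime import datetime


def ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


# Constructed SIEM alerts for suspected P2P traffic: (time, src_ip, dst_ip).
P2P_ALERTS = [
    ("2022-02-10T22:14:00", "10.20.5.41", "203.0.113.17"),
    ("2022-02-11T01:02:00", "10.20.5.41", "198.51.100.9"),
    ("2022-02-11T14:30:00", "10.20.5.77", "10.20.9.3"),
]
# Constructed DHCP leases: (ip, hostname, lease_start, lease_end).
DHCP_LEASES = [
    ("10.20.5.41", "RD-WS-017", "2022-02-10T08:00:00", "2022-02-12T08:00:00"),
    ("10.20.5.77", "RD-WS-020", "2022-02-11T08:00:00", "2022-02-12T08:00:00"),
]
# Constructed logon sessions from AD / local security logs: (host, account, logon, logoff).
LOGON_SESSIONS = [
    ("RD-WS-017", "ACC\\dpatrick", "2022-02-10T08:05:00", "2022-02-10T17:40:00"),
    ("RD-WS-017", "RD-WS-017\\anonymous", "2022-02-10T21:50:00", "2022-02-11T01:30:00"),
    ("RD-WS-020", "ACC\\jdoe", "2022-02-11T08:10:00", "2022-02-11T18:00:00"),
]
ASSIGNED_USER = {"RD-WS-017": "ACC\\dpatrick", "RD-WS-020": "ACC\\jdoe"}  # asset inventory
INTERNAL_PREFIXES = ("10.20.",)  # assumption: ACC address space


def host_for_ip(ip: str, when: datetime):
    """Resolve a source IP to the host that held its DHCP lease at that time."""
    for lease_ip, host, start, end in DHCP_LEASES:
        if lease_ip == ip and ts(start) <= when < ts(end):
            return host
    return None


def accounts_logged_on(host: str, when: datetime):
    """Accounts with an open logon session on the host at the alert time."""
    return [acct for h, acct, on, off in LOGON_SESSIONS
            if h == host and ts(on) <= when < ts(off)]


def triage_alerts(alerts=P2P_ALERTS):
    """Join each alert to its host, destination class and active accounts."""
    results = []
    for when_text, src, dst in alerts:
        when = ts(when_text)
        host = host_for_ip(src, when)
        active = accounts_logged_on(host, when) if host else []
        results.append({
            "time": when_text,
            "host": host,
            "external_dst": not dst.startswith(INTERNAL_PREFIXES),
            "active_accounts": active,
            "assigned_user_logged_on": ASSIGNED_USER.get(host) in active,
        })
    return results


def needs_escalation(alerts=P2P_ALERTS):
    """Transfers to non-ACC addresses while the asset's assigned user was not
    logged on: the pattern that points at an unexpected local account."""
    return [r for r in triage_alerts(alerts)
            if r["external_dst"] and not r["assigned_user_logged_on"]]


if __name__ == "__main__":
    for r in needs_escalation():
        print(r["time"], r["host"], "active:", r["active_accounts"])
```

On the constructed data the two night-time transfers from RD-WS-017 are escalated: the destinations are outside ACC space and the only open session is the local anonymous account, while the daytime internal transfer from RD-WS-020 under its assigned user is not.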



Conclusion

The forensic report’s findings on the intellectual property file transfers, dark web activity, and data hidden on Mr. Patrick’s hard disk led us to conclude that he attempted to sell intellectual property to competitors. These acts violated company policies and intellectual property laws.

We plan to turn this report over to legal authorities. They can use it as evidence in civil and criminal prosecution of Mr. Patrick.



References

ABA. (2016, 09 20). Explaining the Defend Trade Secrets Act. Retrieved from American Bar Association: https://www.americanbar.org/groups/business_law/publications/blt/2016/09/03_cohen/

Congress. (1996, 10 11). Espionage Act of 1996. Retrieved from United States Congress: https://www.congress.gov/104/plaws/publ294/PLAW-104publ294.pdf

FTK Imager. (2022). Retrieved from Exterro: https://www.exterro.com/ftk-imager#:~:text=FTK%C2%AE%20Imager%20is%20a,(FTK%C2%AE)%20is%20warranted.

Infosec. (n.d.). The Imaging Process. Retrieved from Infosec Learning: https://lab.infoseclearning.com/labs

Johansen, G. (2017). Digital Forensics and Incident Response. Birmingham, UK: Packt Publishing.

Johnson, K. (n.d.). How to Conduct a Workplace Investigation on Employee Theft. Retrieved from CHRON: https://smallbusiness.chron.com/conduct-workplace-investigation-employee-theft-16652.html

Kent, C. (2008). Guide to Integrating Forensic Techniques into Incident Response. Retrieved from National Institute of Standards and Technology: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf

Legal Information Institute. (n.d.). 18 U.S. Code § 1030 - Fraud and related activity in connection with computers. Retrieved from Cornell Law School: https://www.law.cornell.edu/uscode/text/18/1030

Legal Information Institute. (n.d.). 18 U.S. Code § 1831 - Economic Espionage. Retrieved from Cornell Law School: https://www.law.cornell.edu/uscode/text/18/1831

Legal Information Institute. (n.d.). Daubert Standard. Retrieved from Cornell Law School: https://www.law.cornell.edu/wex/daubert_standard

Obbayi, L. (2021, 07 18). Computer Forensics: Chain of Custody. Retrieved from Infosec Institute: https://resources.infosecinstitute.com/topic/computer-forensics-chain-custody/

Patterson, D. (2016, 12 21). Digital forensics: A cheat sheet. Retrieved from TechRepublic: https://www.techrepublic.com/article/digital-forensics-the-smart-persons-guide/

Siewert, P. (2014, 06 19). What Is the ‘Forensic Methodology’? Retrieved from Pro Digital Forensic Consulting: https://prodigital4n6.com/what-is-the-forensic-methodology/

SNHU. (n.d.). ISE 640 Final Project Forensic Notes. Retrieved from Southern New Hampshire University: https://learn.snhu.edu/content/enforced/951908-ISE-640-Q3529-OL-TRAD-GR.22TW3/Course%20Documents/ISE%20640%20Milestone%20One%20Guidelines%20and%20Rubric.pdf

Vacca, J. a. (2010). System Forensics, Investigation, and Response. Jones and Bartlett Learning.
