1 of 20

Sam Smith vs. Muffin Man Muffins:

Investigation into Trade Secrets

John Krochka

2 of 20

Project Plan - Project Goals

  • Exhibit knowledge of file system analysis on two different file systems from different manufacturers (e.g. Microsoft and Apple), one of which is unfamiliar to the investigator.
  • Exhibit knowledge on how to use intrusion prevention and detection systems.

3 of 20

Project Plan - Location

All steps of this project were performed at the investigator’s house, except the loading of the “evidence” onto the drives, which was done at the house of a different IT professional.

4 of 20

Project Plan - Used Hardware

For the purposes of this project the following pieces of hardware were used:

  • A SanDisk Cruzer USB Drive (formatted to NTFS)
  • A LaCie Mobile Hard Drive (formatted to HFS+)
  • A Dell Laptop

5 of 20

Project Plan - Design Tasks

The tasks during the planning phase were to:

  • Come up with a sample case to facilitate the investigation
  • Find an IT professional to load the evidence onto drives
  • Find files to load onto the drives
  • Come up with a scenario that would require use of an intrusion detection and prevention system

6 of 20

Project Plan - Implementation

For the implementation phase, the plan was to:

  1. Have an IT professional hide the prepared “evidence” items.
  2. Use the Autopsy program to investigate the drives and find the “evidence” items.
  3. Conduct an email header analysis to find an IP address for the Snort Intrusion Detection and Prevention System rules.
  4. Create said Snort rules.

7 of 20

Project Plan - Testing

For the testing phase of the project, the plan was to:

  1. Validate the found “evidence” from the implementation phase by collecting the hash values of the “evidence” items.
  2. Create email traffic to test the Snort rules created in the implementation phase.

8 of 20

Project Plan - Documentation

For documentation, a running activity log was kept to record which activities occurred when over the project’s duration. After the project was completed, this presentation and a final report were created to give an in-depth look at the process behind the project.

9 of 20

Project Description - Sample Case

  • Sam Smith is an employee at Muffin Man Muffins
  • Sam Smith is alleged to have engaged in trading company secrets to a rival competitor, Brittney’s Bakery.
  • Muffin Man Muffins wants an investigation conducted on the suspect Sam Smith’s hard drive and flash drive for evidence of misconduct.
  • In addition to this, Muffin Man Muffins has requested an investigation of the suspect’s emails and to have measures put in place so that the company can be alerted of any other incidents of misconduct.

10 of 20

Project Description - Hardware Setup

To set up the hardware, the flash drive needed to be formatted to NTFS and the mobile hard drive, which was used as the suspect’s hard drive, needed to be formatted to HFS+. The Paragon Partition Manager software was used to do this. The devices were then plugged into the laptop for the investigation.

11 of 20

Project Implementation - Investigating Hard Drive

To start investigating the hard drive, Paragon’s HFS+ for Windows software was used to take a first look and confirm that the files weren’t in plain sight. The “evidence” was not in plain sight.

12 of 20

Project Implementation - Investigating Hard Drive cont.

Next, the drive was loaded into the Autopsy program for further investigation. Once the drive was loaded, it was observed that there was a hidden folder named .trade secrets. Inside that folder were pictures of muffin ingredients and a recipe, all with a period at the front of their file names. In the HFS+ file system, files and folders whose names start with a period are hidden from normal directory listings.

13 of 20

Project Implementation - Investigating Flash Drive

To start investigating the suspect’s flash drive, File Explorer was used to make sure the “evidence” files were not in plain sight. The “evidence” files were not.

15 of 20

Project Implementation - Investigating Flash Drive Cont.

Continuing on, the flash drive was loaded into Autopsy and the same folders were investigated, which revealed temporary files mirroring the “evidence” files on the suspect’s hard drive. In NTFS file systems, deleted files are kept in unallocated space and can still be recovered by investigators until that space is overwritten.

16 of 20

Project Implementation - Creating Snort Rules

To create the Snort rules, the header of an email sent by the suspect to the third party for trading secrets was examined. IP addresses were found in the header and were turned into the following Snort rules:
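The step described above, going from the Received: hops in an email header to per-address Snort alert rules, as an added example that is not part of the original presentation. The sample header, the host names and the addresses (taken from the RFC 5737 documentation ranges) are all constructed placeholders, since the slide does not reproduce the real header or rules; the direction of the rules (mail leaving the monitored network toward the flagged address) matches the purpose stated on the slide.

```python
from __future__ import annotations

import re
from email import message_from_string

# Constructed sample header. Host names and IPs are placeholders from the
# documentation ranges, not the addresses from the project's own investigation.
SAMPLE_HEADERS = """\
Received: from mail.brittneys-bakery.example (mail.brittneys-bakery.example [203.0.113.10])
\tby mx.muffinman.example (Postfix) with ESMTPS id 4Z7K1
\tfor <sam.smith@muffinman.example>; Mon, 27 Jun 2022 10:15:02 -0400
Received: from [198.51.100.25] (unknown [198.51.100.25])
\tby mail.brittneys-bakery.example with ESMTPSA
From: contact@brittneys-bakery.example
To: sam.smith@muffinman.example
Subject: Re: the recipe

(body omitted)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_ips(raw_message: str) -> list[str]:
    """Return the IPv4 addresses named in Received: headers, most recent hop first,
    de-duplicated while preserving order. Only the hop written by your own mail
    server is trustworthy; earlier hops are supplied by the remote side."""
    msg = message_from_string(raw_message)
    seen: list[str] = []
    for hop in msg.get_all("Received", []):
        for ip in IPV4.findall(hop):
            valid = all(0 <= int(octet) <= 255 for octet in ip.split("."))
            if valid and ip not in seen:
                seen.append(ip)
    return seen


def snort_rules(ips: list[str], base_sid: int = 1000001) -> list[str]:
    """Build one Snort alert rule per address for mail submitted from the monitored
    network (ports 25 and 587) to that address. SIDs of 1000000 and above are the
    range Snort reserves for locally written rules."""
    rules = []
    for offset, ip in enumerate(ips):
        rules.append(
            f"alert tcp $HOME_NET any -> {ip} [25,587] "
            f'(msg:"Outbound mail to flagged relay {ip}"; '
            f"flow:to_server,established; sid:{base_sid + offset}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    for rule in snort_rules(received_ips(SAMPLE_HEADERS)):
        print(rule)
```

The generated lines can be appended to a local rules file and loaded through the usual `include` in snort.conf; each address gets its own SID so that an alert in the log identifies which hop triggered it.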

17 of 20

Project Testing - Hash Values

[Screenshots, not reproduced here: Autopsy hash values before and after re-running the hash ingest module]

The Autopsy program automatically creates hash values for all files on a drive once it is loaded. To verify that the evidence has not been changed, the hashing ingest module must be re-run and the values compared. This method was used to test the validity of the Autopsy investigation.
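The two findings above, dot-prefixed names hidden on HFS+ (slide 12) and the before/after hash comparison (this slide), as one added example that is not part of the original presentation and not Autopsy's own code. It walks a mounted evidence tree, records a SHA-256 for every file (Autopsy's ingest module computes MD5 by default; SHA-256 is this example's choice), flags any path with a dot-prefixed component, and then re-hashes the tree to report anything that changed. The directory layout and file contents are constructed to mimic the case.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, dict]:
    """Walk an evidence tree and record, for every regular file, its SHA-256 and
    whether any component of its relative path starts with a period (hidden by
    default in Finder and in plain `ls` on HFS+/macOS)."""
    manifest: dict[str, dict] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root)
            hidden = any(part.startswith(".") for part in rel.parts)
            manifest[rel.as_posix()] = {"sha256": sha256_of(full), "hidden": hidden}
    return manifest


def verify_manifest(root: Path, manifest: dict[str, dict]) -> list[str]:
    """The 'after' check: re-hash the tree and list files that changed, vanished
    or appeared since the 'before' manifest was taken."""
    current = build_manifest(root)
    problems = []
    for rel, entry in manifest.items():
        now = current.get(rel)
        if now is None:
            problems.append(f"missing: {rel}")
        elif now["sha256"] != entry["sha256"]:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"added: {rel}")
    return sorted(problems)


def demo(base: Path | None = None) -> tuple[dict[str, dict], list[str], list[str]]:
    """Build a constructed tree mimicking the case (a dot-prefixed folder holding
    dot-prefixed files), take the 'before' manifest, confirm a clean re-check,
    then alter one file to show the re-check catching it."""
    if base is None:
        with tempfile.TemporaryDirectory() as tmp:
            return demo(Path(tmp))
    secrets = base / ".trade secrets"
    secrets.mkdir(parents=True)
    (secrets / ".recipe.txt").write_text("2 cups flour, 1 cup blueberries\n")
    (secrets / ".ingredients.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    (base / "README.txt").write_text("nothing to see here\n")

    before = build_manifest(base)
    clean = verify_manifest(base, before)       # untouched tree: []
    (secrets / ".recipe.txt").write_text("3 cups flour\n")
    tampered = verify_manifest(base, before)    # ['modified: .trade secrets/.recipe.txt']
    return before, clean, tampered


if __name__ == "__main__":
    before, clean, tampered = demo()
    for rel, entry in before.items():
        print(f"{entry['sha256'][:16]}  hidden={str(entry['hidden']):5}  {rel}")
    print("after (untouched):", clean)
    print("after (tampered): ", tampered)
```

Taking the manifest immediately after the image is mounted read-only, and re-running `verify_manifest` at the end of the examination, gives the same assurance as re-running Autopsy's hash ingest: any entry it reports means the item can no longer be presented as unchanged.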

18 of 20

Project Testing - Testing Snort Rules

To test the Snort rules, Snort was run in verbose mode. Then an email was sent from the suspect’s email account to the third party, and the alert log in /var/log/snort was viewed.

19 of 20

Conclusion

Through the investigative process it can be concluded that the suspect, Sam Smith, had put trade secrets onto a flash drive, presumably intended for distribution. This is corroborated by an email to a company in competition with Muffin Man Muffins containing the same trade secrets. In addition, the Snort Intrusion Detection and Prevention System was used to ensure that any repeat incidents would be noticed.

20 of 20

References

Carrier, B. (2015). File system forensic analysis. Addison-Wesley.

HFS+ for Windows by Paragon Software: Paragon Software. Paragon Software Group. (n.d.). Retrieved July 3, 2022, from https://www.paragon-software.com/us/home/hfs-windows/#

Leheida, T. (2022, March 23). How to hide folders and files on Mac. Setapp. Retrieved July 3, 2022, from https://setapp.com/how-to/hide-files-and-folders-on-mac

Paragon Partition Manager Community Edition: Paragon software. Paragon Software Group. (n.d.). Retrieved July 3, 2022, from https://www.paragon-software.com/us/free/pm-express/#

Shipley, T. G., & Bowker, A. (2014). Investigating internet crimes: An introduction to solving crimes in Cyberspace. Syngress.