Digital Forensic Investigation into Unauthorized Data Exfiltration at ABC Company
Coursework: PUSL3133 - Digital Forensics & Malware Analysis
Category: Blue Team | Digital Forensics | Email Analysis | Evidence Acquisition
Timeline: November 2024 to December 2024
Tools Used: FTK Imager, Autopsy, Volatility, Kernel PST Viewer, Wireshark, MXToolbox
Project Report
This project involved conducting a comprehensive digital forensic investigation into a suspected internal data breach at ABC Company, simulating a real-world corporate security incident. The goal was to apply formal forensic methodologies to collect, preserve, and analyze digital evidence related to unauthorized data access and exfiltration via email systems and network activity.
Project Objectives:
Quantify the Scope of the Breach: Identify the volume and sensitivity of data compromised to assess potential damage.
Preserve Forensic Integrity: Follow chain-of-custody protocols to ensure digital evidence remained legally admissible.
Attribution Analysis: Determine whether the threat originated internally or externally using forensic artifacts and user activity logs.
Security Enhancement: Propose actionable technical and procedural improvements to prevent similar incidents in the future.
Investigation Process & Technical Highlights:
1. Digital Evidence Acquisition
Used FTK Imager to create bit-for-bit forensic disk images, ensuring accuracy and reproducibility of the evidence.
Captured hash values, timestamps, and metadata to validate integrity throughout the analysis.
Collected relevant artifacts including system logs, browser history, email files (.PST), and encrypted file containers.
2. Email Forensics & Steganography Detection
Leveraged Autopsy, Kernel PST Viewer, and MXToolbox to parse and analyze stored email data.
Conducted email header analysis to:
Identify signs of email spoofing and unauthorized sender identity.
Detect authentication failures related to SPF, DKIM, and DMARC configurations.
Flagged embedded attachments suspected of hiding exfiltrated data, and conducted steganography checks to uncover concealed payloads.
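The header checks described above, as an added example that is not part of the coursework report: it parses a constructed, obviously fake message (the domains, IP and header values are made up) and flags non-passing SPF/DKIM/DMARC verdicts plus sender-domain mismatches between From, Return-Path and Reply-To.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample headers (not taken from the coursework evidence). The visible
# From: claims the company's domain; every other sender field points elsewhere.
SAMPLE_SPOOFED = b"""Return-Path: <bounce@attacker-mail.example>
Received: from mx.attacker-mail.example ([203.0.113.10])
    by mail.abc-company.example with ESMTP; Mon, 18 Nov 2024 09:12:44 +0000
Authentication-Results: mail.abc-company.example;
    spf=fail smtp.mailfrom=attacker-mail.example;
    dkim=none header.d=abc-company.example;
    dmarc=fail header.from=abc-company.example
From: "Finance Dept" <finance@abc-company.example>
Reply-To: collector@attacker-mail.example
Subject: Q4 payroll files

(body omitted)
"""


def domain_of(value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts; the first header seen (our own MX) wins."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", str(hdr), re.I):
            verdicts.setdefault(mech.lower(), verdict.lower())
    return verdicts


def spoofing_findings(raw):
    """Return the header indicators an analyst would flag for this message."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    findings = []
    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(mech, "missing")  # an absent result is itself a finding
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")
    # Mismatches between the displayed sender domain and the other sender fields
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    return findings
```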
3. Network Activity Correlation
Despite the lack of .pcap files, used correlated timestamps and DNS lookup tools to track suspicious IP activity.
Analyzed inbound and outbound email communications and mapped these to known malicious indicators using VirusTotal and threat intel databases.
Identified external IPs with history of abuse and potential links to threat actor infrastructure.
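The timestamp correlation used in place of packet captures, as an added example that is not part of the coursework report: it normalises constructed disk-metadata and PST-export records (made-up paths, addresses and times) to UTC, builds one ordered timeline, and flags external mail whose attachment name matches a file accessed within an assumed 30-minute window beforehand.

```python
import ntpath
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample artefacts (not from the coursework evidence). Each source
# records time in its own format and zone; normalising to UTC is the first step.
FILE_EVENTS = [  # (ISO-8601 access time from disk-image metadata, path)
    ("2024-11-18T14:02:10+05:30", r"C:\Finance\payroll_q4.xlsx"),
    ("2024-11-18T16:40:00+05:30", r"C:\Users\jdoe\notes.txt"),
]
MAIL_EVENTS = [  # (RFC 2822 sent time from the PST export, recipient, attachment names)
    ("Mon, 18 Nov 2024 08:39:55 +0000", "drop@unrelated-domain.example", ["payroll_q4.xlsx"]),
    ("Mon, 18 Nov 2024 11:15:00 +0000", "colleague@abc-company.example", []),
]
INTERNAL_DOMAIN = "abc-company.example"  # assumed for the example
WINDOW = timedelta(minutes=30)           # assumed "access then send" window


def build_timeline():
    """Merge both sources into one UTC-ordered list of event dicts."""
    events = []
    for ts, path in FILE_EVENTS:
        when = datetime.fromisoformat(ts).astimezone(timezone.utc)
        events.append({"when": when, "source": "disk", "path": path})
    for ts, rcpt, atts in MAIL_EVENTS:
        when = parsedate_to_datetime(ts).astimezone(timezone.utc)
        events.append({"when": when, "source": "mail", "recipient": rcpt, "attachments": atts})
    return sorted(events, key=lambda e: e["when"])


def correlate(timeline):
    """Flag external mail whose attachment name matches a file accessed shortly before."""
    flagged = []
    for mail in (e for e in timeline if e["source"] == "mail"):
        if mail["recipient"].rpartition("@")[2].lower() == INTERNAL_DOMAIN:
            continue  # internal recipients are out of scope for this check
        for disk in (e for e in timeline if e["source"] == "disk"):
            gap = mail["when"] - disk["when"]
            if timedelta(0) <= gap <= WINDOW and ntpath.basename(disk["path"]) in mail["attachments"]:
                flagged.append({"accessed": disk["when"].isoformat(), "path": disk["path"],
                                "sent": mail["when"].isoformat(), "recipient": mail["recipient"],
                                "gap_minutes": round(gap.total_seconds() / 60, 1)})
    return flagged
```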
Findings & Key Insights:
Confirmed a successful email-based data exfiltration, where confidential documents were attached to spoofed emails and sent to an external unauthorized domain.
Authentication misconfigurations were found, making ABC Company's email server vulnerable to spoofing and phishing.
Lack of endpoint controls allowed potentially sensitive files to be exfiltrated without triggering alarms.
Recommendations:
Technical Mitigations:
Enforce SPF, DKIM, and DMARC protocols to validate incoming/outgoing emails.
Deploy endpoint DLP (Data Loss Prevention) mechanisms and advanced EDR agents.
Implement real-time monitoring and anomaly detection for sensitive file access.
Organizational Measures:
Launch cybersecurity awareness training with emphasis on phishing and suspicious email recognition.
Develop a clear incident response playbook with email breach scenarios.
Schedule periodic email audits and internal penetration tests targeting exfiltration paths.
Challenges & Solutions:
Data Gaps: Network traffic captures were unavailable. Overcame this by using metadata and timestamps to reconstruct user actions.
Evidence Integrity: Ensured all files were analyzed under strict forensic conditions, maintaining chain of custody for each artifact.
Tool Coordination: Effectively used a combination of tools across disk imaging, email parsing, and threat verification to develop a cohesive investigative narrative.
Skills Demonstrated:
Expert use of FTK Imager, Autopsy, and Volatility for deep forensic analysis
Proficient in email header parsing, metadata interpretation, and protocol-level threat detection
Strong understanding of data confidentiality principles, forensic integrity, and incident handling frameworks
Capable of writing high-quality technical documentation and delivering findings to both technical and non-technical audiences
Outcome & Impact:
This project served as a hands-on simulation of a professional digital forensics engagement. It provided a real-world opportunity to:
Detect and reconstruct unauthorized access and data exfiltration
Apply industry-standard forensic techniques aligned with legal and ethical standards
Deliver a complete forensic report that could be used for executive briefings or legal action
The experience reinforced practical skills in email forensics, forensic imaging, network correlation, and security consulting, establishing a strong foundation for working in DFIR, SOC, or compliance-focused cybersecurity roles.