🔍 Forensics Case Report #1: The Jean M57 Investigation
This is my first forensic case write-up and part of a personal learning series focused on developing digital forensic analysis skills. In this series, I will analyze real-world disk images using tools such as Autopsy on Kali Linux, reconstruct digital events, and report findings.
This first case is the M57 Jean scenario from Digital Corpora, where I downloaded a copy of a hard drive image and was tasked with discovering how a sensitive spreadsheet may have been leaked. I documented the steps that I took, from setting up the case in Autopsy, to understanding Windows XP file structure, to interpreting email evidence and drawing conclusions.
Case Summary
Case Name: M57 Jean Investigation
Analyst: Daniel Weninger
Date: 2025-05-17
Tool Used: Autopsy (running on Kali Linux virtual machine)
Image Source: nps-2008-jean.E01 & nps-2008-jean.E02
Client Concern:
A first-round funder of M57 is concerned that confidential employee data, including social security numbers and salaries, was leaked. You are tasked with investigating a disk image from Jean's computer and answering the following:
- When was the spreadsheet created?
- How did it leave Jean’s computer and end up on a competitor’s website?
- Who else from the company may have been involved?
Basic File Structure Reference (Windows XP)
To navigate efficiently, I reviewed the standard Windows XP file structure. This helped locate user-specific data such as emails and desktop files, especially under:
C:/Documents and Settings/Jean/
Findings
1. Spreadsheet Creation
File location: C:/Documents and Settings/Jean/Desktop/m57biz.xls
Metadata analysis:
The spreadsheet’s metadata in Autopsy shows it was created on July 19, 2008 at 9:28 PM.
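A point worth checking before trusting any "created on" value: Autopsy converts the raw NTFS timestamp into whatever timezone the case was configured with, so the wall-clock reading in the metadata panel moves if that setting changes. The Python below is an added illustration for this write-up, not code from the original post or from Autopsy. It decodes a raw 64-bit FILETIME (the format NTFS uses for MACB times in $STANDARD_INFORMATION and $FILE_NAME) and renders one tick value in UTC and in an assumed UTC-7 offset to show the shift; the tick value is constructed for the example and is not the value read from the Jean image.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTFS stores MACB times as FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC,
# written on disk as a little-endian unsigned 64-bit integer.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_from_bytes(raw: bytes) -> int:
    """Unpack the 8 little-endian bytes of an on-disk FILETIME field."""
    if len(raw) != 8:
        raise ValueError("a FILETIME field is exactly 8 bytes")
    return struct.unpack("<Q", raw)[0]


def filetime_to_datetime(ft: int) -> datetime:
    """Decode a FILETIME tick count into a timezone-aware UTC datetime."""
    if not 0 <= ft < 2**64:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    # timedelta resolves to microseconds, so the last decimal digit of the
    # 100-ns tick count is dropped; that is far below what a report needs.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; the input must carry a timezone."""
    if dt.tzinfo is None:
        raise ValueError("refusing a naive datetime: its timezone is unknown")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def render(ft: int, utc_offset_hours: int) -> str:
    """Show one tick value as a wall-clock string in a fixed UTC offset.

    This is what a forensic tool does when a case timezone is selected:
    the stored value never changes, only its presentation."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return filetime_to_datetime(ft).astimezone(zone).strftime("%Y-%m-%d %H:%M")


# Constructed sample: a creation time of 2008-07-20 04:28 UTC.
# It is NOT the tick value read from the Jean image; it is chosen so the
# UTC-7 rendering lands on the evening reading used in this report.
SAMPLE_FT = datetime_to_filetime(datetime(2008, 7, 20, 4, 28, tzinfo=timezone.utc))

if __name__ == "__main__":
    on_disk = struct.pack("<Q", SAMPLE_FT)      # how the value sits in the MFT
    decoded = filetime_from_bytes(on_disk)
    print("raw ticks :", decoded)
    print("UTC       :", render(decoded, 0))    # 2008-07-20 04:28
    print("UTC-7     :", render(decoded, -7))   # 2008-07-19 21:28
```

Record the timezone the case was opened with next to every timestamp in the report; a reader with a different Autopsy setting will otherwise see a different date for the same file.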
2. How It Was Transmitted
During file system analysis, the presence of Microsoft Outlook artifacts suggested Jean used Outlook for email communication. Based on research into how Outlook stores data on Windows XP, I navigated to:
Here, I located an Outlook Personal Storage Table (PST) file.
Recovered Email Content:
Conclusion:
Jean sent the spreadsheet as an attachment to two addresses:
- alison@m57.biz (legitimate work address)
- tuckgorge@gmail.com (external Gmail account)
The Gmail account is not company-authorized and is suspicious.
3. Who Else Is Involved
The email address tuckgorge@gmail.com is external and not associated with the m57.biz domain.
While Alison (President) denies requesting or receiving the spreadsheet, forensic analysis of the PST file located at:
reveals an email sent from alison@m57.biz to jean@m57.biz requesting sensitive employee information. Jean replied to this message, attaching the file m57biz.xls, and addressed the response to both alison@m57.biz and tuckgorge@gmail.com.
This suggests that the original request came from Alison’s corporate email, and the spreadsheet was sent to both Alison and an external party. Further analysis of mail server logs and internal access controls is recommended to verify sender authenticity and determine the ownership and access history of the email accounts.
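The findings in sections 2 and 3 rest on three things read out of the recovered messages: who the sender claims to be, which recipients sit outside the m57.biz domain, and what was attached. The Python below is an added illustration for this write-up, not code from the original post, and it does not parse a PST; it triages a plain RFC 5322 message such as one exported from Autopsy. The sample message, its date and its Received line are constructed for the example, not recovered content. The Received chain is listed alongside the From header because From is written by the sending client and is not on its own evidence of who sent the mail; comparing those hops against mail server logs is the verification step recommended above.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr

COMPANY_DOMAIN = "m57.biz"

# Constructed sample message for this example; NOT content recovered from the Jean PST.
# The Received line uses a placeholder host and an invented timestamp.
SAMPLE_EML = """\
Received: from mail.example.invalid (placeholder) by mx.m57.biz; Sat, 19 Jul 2008 21:40:00 -0700
From: Jean <jean@m57.biz>
To: alison@m57.biz
Cc: tuckgorge@gmail.com
Subject: Re: employee info
Date: Sat, 19 Jul 2008 21:40:00 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

Attached is the spreadsheet you asked for.

--sep
Content-Type: application/vnd.ms-excel; name="m57biz.xls"
Content-Disposition: attachment; filename="m57biz.xls"
Content-Transfer-Encoding: base64

AAAAAAAA
--sep--
"""


def parse(eml_text: str):
    """Parse an RFC 5322 message with the modern policy so MIME helpers are available."""
    return email.message_from_string(eml_text, policy=policy.default)


def addresses(msg, *headers):
    """Collect bare addresses from the named headers, lower-cased, in header order.

    get_all is used because To/Cc may legitimately appear more than once."""
    raw = [str(value) for name in headers for value in msg.get_all(name, [])]
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def external(addrs, domain=COMPANY_DOMAIN):
    """Return the recipients whose domain is not the company's domain."""
    domain = domain.lower()
    return [a for a in addrs if a.rsplit("@", 1)[-1].lower() != domain]


def attachment_names(msg):
    """Filenames of MIME parts flagged as attachments."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def triage(eml_text: str) -> dict:
    """Summarise the facts an investigator needs from one exported message."""
    msg = parse(eml_text)
    recipients = addresses(msg, "To", "Cc", "Bcc")
    return {
        "sender": parseaddr(str(msg.get("From", "")))[1].lower(),
        "recipients": recipients,
        "external": external(recipients),
        "attachments": attachment_names(msg),
        # Received hops are what can be cross-checked against server logs.
        "received": [str(r) for r in msg.get_all("Received", [])],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    for key, value in result.items():
        print(f"{key:12}: {value}")
    if result["external"] and result["attachments"]:
        print("flag: attachment sent to a recipient outside", COMPANY_DOMAIN)
```

Addresses are lower-cased before the domain comparison so that case variants of the company domain are not misreported as external, and Bcc is included because an exported sent item can still carry it.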
Conclusion
- Jean created the spreadsheet on July 19, 2008 at 9:28 PM.
- She emailed the spreadsheet that evening in response to a request that appeared to come from Alison but included a Gmail address.
- While Jean likely acted in good faith, it’s highly suspicious that:
  - Alison sent the spreadsheet to a Gmail account.
  - Alison denies involvement despite the email chain coming from her work address.
- Alison is likely involved in the data exfiltration or at least responsible for mishandling sensitive data by using an unapproved channel.