Executive Summary

  • 8 sources (43 disk, 2 other)
  • 167 tool calls
  • 30 minutes elapsed
  • 10 findings (5 critical, 5 high): 10 confirmed, 0 inference
  • 1 hypothesis ruled out
  • Evidence integrity: SHA-256 hashes recorded for all evidence files

The attack timeline spans 2015-02-15 to 2015-03-25. The earliest activity is the finding "Data Source: Secret Project Accessed from Network Share \\10.11.11.128\SECURED_DRIVE" (2015-02-15). The investigation subsequently uncovered "Resignation Letter Created After Anti-Forensic Cleanup" and "Premeditated Data Theft: Search History Shows Systematic Research on Leaking and Anti-Forensics". The most recent activity is "Eraser 6 Executed for Secure Deletion on 2015-03-25" (2015-03-25).

Key Threats
  • Insider Threat: User "Iaman Informant" Exfiltrating Secret Project Data via USB
  • Google Drive Exfiltration via Personal Gmail: iaman.informant.personal@gmail.com
  • Premeditated Data Theft: Search History Shows Systematic Research on Leaking and Anti-Forensics
  • Data Source: Secret Project Accessed from Network Share \\10.11.11.128\SECURED_DRIVE
  • Resignation Letter Created After Anti-Forensic Cleanup

Severity Breakdown
Critical (5) High (5)
⚠ Critical Findings
  • Insider Threat: User "Iaman Informant" Exfiltrating Secret Project Data via USB
  • Google Drive Exfiltration via Personal Gmail: iaman.informant.personal@gmail.com
  • Premeditated Data Theft: Search History Shows Systematic Research on Leaking and Anti-Forensics
    2015-03-25T14:31:53Z
  • Data Source: Secret Project Accessed from Network Share \\10.11.11.128\SECURED_DRIVE
    2015-02-15T21:52:08Z — 2015-03-22T14:52:21Z
  • Resignation Letter Created After Anti-Forensic Cleanup
    2015-03-25T14:20:09Z — 2015-03-25T15:28:33Z
⚔ MITRE ATT&CK Coverage
  • Initial Access (1)
  • Persistence (1)
  • Privilege Escalation (1)
  • Defense Evasion (4)
  • Collection (4)
  • Exfiltration (3)
  • Impact (1)
No findings mapped to: Reconnaissance, Resource Development, Execution, Credential Access, Discovery, Lateral Movement, Command and Control, Inhibit Response Function, Evasion, Impair Process Control.
12 techniques across 10 findings
★ IOC Summary
  • External IPs: 0
  • Internal IPs: 1
  • File Paths: 3
  • Hashes: 0
  • Emails: 4
Investigation Metadata
  • Case ID: nist-data-leakage
  • Evidence Root: /evidence/nist-data-leakage
  • Report Generated: 2026-04-20T07:37:40
  • Investigation Start: 2026-04-20T07:07:05
  • Investigation End: 2026-04-20T07:37:07
  • Total Processing: 1053.7s
  • Audit Log: /root/.mulder/cases/nist-data-leakage.audit.jsonl
Evidence File Hashes (4 files)
SHA-256 hashes computed during evidence ingestion. Compare against your local copies to confirm integrity.
File | SHA-256 | Size
cfreds_2015_data_leakage_pc.E01 | e6365e44f1004252171acb73e6779be05277cbd57d09d7febed22d2463a956a9 | 2.0 GB
cfreds_2015_data_leakage_rm1.E01 | a14150a21bc1e3700b51912c2ab20cd9587ad3e27ee67475af64508a7e760121 | 74.6 MB
cfreds_2015_data_leakage_rm2.E01 | 25215f9bcb51ceee9147886ed3f5c13ef148de634fc5114491e0f8dad8b15696 | 243.2 MB
cfreds_2015_data_leakage_rm3.E01 | 336e1307721ef5f63679379961d1716b74f986e69df8c40117d9cea7858d512b | 90.2 MB
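The integrity check the table asks for, scripted as an added example (this is not the report's code, nor code from the tool that produced it): a Python verifier that streams each E01 image through SHA-256 and compares the digest with the manifest rows copied from the table above. The default evidence directory is the Evidence Root from the report metadata and is an assumption; pass your own path as the first argument.

```python
"""Verify acquired E01 images against the SHA-256 manifest in the report.

Added example; not part of the report or of the tool that produced it.
MANIFEST rows are copied from the report; the evidence directory is an
assumption supplied by the caller.
"""
import hashlib
import os
import sys

# Manifest rows copied from the report: (file name, SHA-256, reported size).
MANIFEST = [
    ("cfreds_2015_data_leakage_pc.E01",
     "e6365e44f1004252171acb73e6779be05277cbd57d09d7febed22d2463a956a9", "2.0 GB"),
    ("cfreds_2015_data_leakage_rm1.E01",
     "a14150a21bc1e3700b51912c2ab20cd9587ad3e27ee67475af64508a7e760121", "74.6 MB"),
    ("cfreds_2015_data_leakage_rm2.E01",
     "25215f9bcb51ceee9147886ed3f5c13ef148de634fc5114491e0f8dad8b15696", "243.2 MB"),
    ("cfreds_2015_data_leakage_rm3.E01",
     "336e1307721ef5f63679379961d1716b74f986e69df8c40117d9cea7858d512b", "90.2 MB"),
]


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a multi-GB image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_manifest(evidence_dir, manifest=MANIFEST):
    """Return {file name: "ok" | "MISMATCH" | "missing"} for every manifest row.

    A MISMATCH on any segment means the working copy is not the evidence the
    report describes, so nothing derived from it should be relied on until the
    copy is re-acquired. Hex case is normalised so an upper-case manifest does
    not produce a false mismatch.
    """
    results = {}
    for name, expected, _size in manifest:
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_file(path)
        results[name] = "ok" if actual.lower() == expected.lower() else "MISMATCH"
    return results


if __name__ == "__main__":
    # Assumption: the images live in the directory given on the command line,
    # defaulting to the Evidence Root named in the report metadata.
    directory = sys.argv[1] if len(sys.argv) > 1 else "/evidence/nist-data-leakage"
    for name, status in verify_manifest(directory).items():
        print(f"{status:9} {name}")
```

Run it against the directory that holds the four images; any row reported as MISMATCH or missing means the findings below were produced from evidence you do not have an identical copy of.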

NIST CFReDS 2015 Data Leakage Investigation Report

Background

This investigation examines four forensic disk images from the NIST Computer Forensic Reference Data Sets (CFReDS) 2015 Data Leakage scenario: a Windows 7 PC workstation and three removable media devices (two USB drives and one CD-R). The investigation was initiated to determine whether classified project data was improperly accessed, copied, or exfiltrated from organizational systems, and to identify any anti-forensic measures employed to conceal such activity.

The evidence was processed using a comprehensive forensic toolkit including The Sleuth Kit (TSK) for filesystem analysis, bulk_extractor for data carving, and carved prefetch/LNK file analysis for execution and access timeline reconstruction. Registry and EVTX analysis was limited due to technical constraints with the multi-segment E01 disk image format.

Incident Timeline

The investigation reveals a methodical, premeditated insider threat operation spanning approximately six weeks, from mid-February to late March 2015.

Phase 1 — Research and Planning (Prior to February 15, 2015)

User "Iaman Informant" (username: informant, work email: iaman.informant@nist.gov) conducted extensive web research into data theft methodologies and anti-forensic countermeasures. Search history recovered from the PC reveals hundreds of searches including "how to leak a secret," "information leakage cases," "intellectual property theft," "anti-forensic tools," "cd burning method," "security checkpoint cd-r," and "DLP DRM." The user systematically researched how forensic investigators analyze Windows machines, including searches for "windows event logs," "Forensic Email Investigation," "what is windows system artifacts," and "external device and forensics." This research demonstrates clear premeditation and sophisticated awareness of forensic detection capabilities.

Phase 2 — Data Collection and Exfiltration (February 15 – March 22, 2015)

On February 15, 2015, at approximately 21:52 UTC, the user copied classified "Secret Project Data" from an internal network file share (\\10.11.11.128\SECURED_DRIVE, mapped as drive V:) to a USB drive labeled "Authorized USB" (rm1, exFAT filesystem). LNK file analysis confirms the following files were copied to E:\RM#1\Secret Project Data\:
- Design documents: [secret_project]_design_concept.ppt, [secret_project]_detailed_design.pptx, [secret_project]_revised_points.ppt
- Proposal documents: [secret_project]_detailed_proposal.docx, [secret_project]_proposal.docx (originally created December 19, 2014)

The user also installed Google Drive Sync (downloaded from the internet) and configured it with a personal Gmail account (iaman.informant.personal@gmail.com) distinct from their work email. The Google Drive sync folder was established at Users\informant\Google Drive\, and prefetch evidence confirms the GOOGLEDRIVESYNC.EXE executable was run. Additionally, the user downloaded icloudsetup.exe, suggesting Apple iCloud was also considered as an exfiltration channel.

On March 22, 2015, at 14:52:21 UTC, the user again accessed the network share to retrieve additional files, including pricing decision documents and files from a "final" directory.

A second USB drive (rm2, FAT32) contains deleted files organized in project management folder categories (design, pricing, progress, proposal, technical) that mirror the secret project structure, indicating it was previously used to transport data. Notably, six "diary" text files were found in the deleted technical folder. A CD-R (rm3) was also burned using Windows' built-in CD burning feature, containing Word documents with embedded images processed in Adobe Photoshop CS.

Phase 3 — Anti-Forensic Cleanup and Resignation (March 25, 2015)

On March 25, 2015, the user conducted a systematic cleanup operation during a single session:

  • 14:41:03 UTC — Outlook opened (single execution)
  • 14:50:14 UTC — Eraser 6.2.0.2962 installer downloaded and executed
  • 14:58:35 UTC — CCleaner64.exe accessed for system cleanup
  • 15:13:30 UTC — Eraser.exe executed (2 runs) for secure file deletion
  • 15:22:07 UTC — Internet Explorer used (possibly checking for remaining traces)
  • 15:28:33 UTC — Resignation_Letter_(Iaman_Informant).xps created

Both the Eraser and CCleaner installers were subsequently deleted from Users\informant\Desktop\Download\, though their Zone.Identifier alternate data streams confirm they were downloaded from the internet. The Google Drive sync databases (snapshot.db, sync_config.db) were also deleted to destroy evidence of what files were synchronized to the cloud.

Key Findings

1. Systematic Data Exfiltration via Multiple Channels (CRITICAL)
The insider exfiltrated classified project data through at least four channels: USB drive (rm1 "Authorized USB"), Google Drive (personal Gmail account), CD-R (rm3), and a second USB drive (rm2, files subsequently deleted). This multi-channel approach demonstrates operational security awareness and intent to ensure data availability outside the organization.

2. Premeditated Intent Demonstrated by Search History (CRITICAL)
Web search history containing over 900 searches across data theft planning, exfiltration methods, anti-forensic tools, and counter-investigation research constitutes compelling evidence of deliberate, premeditated intent. The user specifically researched how to bypass physical security with a CD-R and how to evade forensic detection.

3. Network Share as Data Source (CRITICAL)
The classified data originated from a secured network file share at \\10.11.11.128\SECURED_DRIVE, which was mapped as drive V: on the informant's PC. LNK file timestamps provide precise access times for this resource.

4. Anti-Forensic Countermeasures Deployed (HIGH)
The user downloaded and executed Eraser 6 (secure deletion), CCleaner (system cleanup), and manually deleted installer files, Google Drive databases, and files from USB rm2. The deliberate destruction of evidence occurred during the same session in which the resignation letter was created.

5. Personal Gmail Used for Cloud Exfiltration (CRITICAL)
The Google Drive installation was configured with iaman.informant.personal@gmail.com, a personal Gmail account separate from the work account, ensuring exfiltrated data would remain accessible after departure from the organization.

Impact Assessment

The data impact is significant. Classified project documents including design specifications (PPT/PPTX), detailed proposals (DOCX), and pricing decisions (XLSX) were exfiltrated. The documents appear to represent a complete project portfolio with strategic, technical, and financial information. The use of multiple exfiltration channels (USB, cloud, CD-R) increases the likelihood that the data has been disseminated beyond the insider's immediate control.

The anti-forensic cleanup was partially effective — Google Drive sync logs and databases were destroyed, preventing definitive determination of all files synchronized to the cloud. However, the cleanup was incomplete: prefetch files, LNK file artifacts, bulk_extractor carved data, and web search history all survived, providing a comprehensive reconstruction of the insider's activities.

Recommendations

  1. Immediate Actions: Revoke all access credentials for user iaman.informant@nist.gov. Disable the personal Gmail account's access to any organizational OAuth integrations. Preserve the Google Drive account content via legal process.

  2. Network Investigation: Audit all access to \\10.11.11.128\SECURED_DRIVE to determine the full scope of data accessed by this user and whether any other users may have been involved.

  3. Device Recovery: Forensically examine all personal devices associated with the suspect. Subpoena Google for the contents of iaman.informant.personal@gmail.com Google Drive storage.

  4. Policy Improvements: Implement DLP controls to monitor and restrict bulk file transfers to removable media and cloud storage services. Enforce USB device whitelisting. Monitor for anti-forensic tool installation via endpoint detection.

  5. Legal Considerations: The evidence supports referral for criminal investigation. The premeditation demonstrated by web searches, the multi-channel exfiltration approach, the anti-forensic cleanup, and the resignation timing collectively establish intent.

Conclusion

This investigation conclusively establishes that user "Iaman Informant" (iaman.informant@nist.gov) conducted a premeditated insider theft of classified project data from the organization's secured network share. The user methodically researched data theft and anti-forensic techniques, exfiltrated data through multiple channels (USB drives, Google Drive with a personal Gmail account, and a CD-R), deployed anti-forensic tools (Eraser 6 and CCleaner) to destroy evidence, and created a resignation letter as their final act. Despite the cleanup efforts, sufficient forensic artifacts survived to reconstruct the complete timeline and scope of the data theft. The investigation found no evidence of external attackers or a second independent incident — all activity is attributable to the single insider threat actor.

Finding Timeline
  • 2015-02-15T21:52:08Z — 2015-03-22T14:52:21Z: Data Source: Secret Project Accessed from Network Share \\10.11.11.128\SECURED_DRIVE (critical, confirmed; bulk.winlnk)
  • 2015-03-25T14:20:09Z — 2015-03-25T15:28:33Z: Resignation Letter Created After Anti-Forensic Cleanup (critical, confirmed; bulk.winlnk, bulk.winprefetch)
  • 2015-03-25T14:31:53Z: Premeditated Data Theft: Search History Shows Systematic Research on Leaking and Anti-Forensics (critical, confirmed; bulk.url_searches, bulk.url)
  • 2015-03-25T14:50:14Z — 2015-03-25T15:13:30Z: Eraser 6 Executed for Secure Deletion on 2015-03-25 (high, confirmed; bulk.winprefetch)
[critical, confirmed] Insider Threat: User "Iaman Informant" Exfiltrating Secret Project Data via USB

User account "informant" (full name "Iaman Informant" per resignation letter filename) on the PC copied classified "Secret Project Data" to a USB drive labeled "Authorized USB" (rm1, exFAT). The USB contains:
- Secret Project Data/design/[secret_project]_design_concept.ppt
- Secret Project Data/design/[secret_project]_detailed_design.pptx
- Secret Project Data/design/[secret_project]_revised_points.ppt
- Secret Project Data/proposal/[secret_project]_detailed_proposal.docx
- Secret Project Data/proposal/[secret_project]_proposal.docx
- A duplicate copy exists under "RM#1/" directory on the same USB
- Temp file ~$ecret_project]_proposal.docx indicates active editing

The PC shows LNK files confirming the user accessed these files:
- Users/informant/AppData/Roaming/Microsoft/Office/Recent/[secret_project]_design_concept.LNK
- Users/informant/AppData/Roaming/Microsoft/Windows/Recent/[secret_project]_proposal.lnk
- Users/informant/AppData/Roaming/Microsoft/Windows/Recent/(secret_project)_pricing_decision.xlsx.lnk

Evidence strength: 2 refs (tsk.filelist)

Evidence Chain
  tc_8e82fae8 run_fls 17672ms
  tc_a3962ede run_fls 8011ms
Sources: tsk.filelist
Evidence Refs: tc_8e82fae8, tc_a3962ede

[critical, confirmed] Google Drive Exfiltration via Personal Gmail: iaman.informant.personal@gmail.com

The Google Drive sync configuration on the PC reveals the insider used a personal Gmail account for data exfiltration:

From bulk_extractor email carving (PC image, offset 7024636280):

Config:
Email: iaman.informant.personal@gmail.com
Sync root: \\?

This confirms the Google Drive installation was configured with the suspect's personal Gmail, not their work email (iaman.informant@nist.gov). The sync folder at Users/informant/Google Drive/ contained files (happy_holiday.jpg - now deleted). The sync databases (snapshot.db, sync_config.db) were deliberately deleted to destroy evidence of which files were synced to the cloud.

Key email addresses identified:
- Work: iaman.informant@nist.gov (Outlook configured with this)
- Personal Gmail for exfiltration: iaman.informant.personal@gmail.com
- Contact in documents: wayne.longman@att.net (found on rm2 and rm3)
- Government contact: Eric_P._Lauer@omb.eop.gov

Evidence strength: 2 refs (bulk.email)

Evidence Chain
  tc_1a840139 search 14ms
  tc_5ba33c9e search 32ms
Sources: bulk.email
Evidence Refs: tc_1a840139, tc_5ba33c9e

[critical, confirmed] Premeditated Data Theft: Search History Shows Systematic Research on Leaking and Anti-Forensics

User "informant" conducted extensive web searches demonstrating premeditation and intent to steal data and evade detection. Key searches by frequency:

Data Theft Planning:
- "file sharing and tethering" (n=491)
- "information leakage cases" (n=47)
- "how to leak a secret" (n=6)
- "intellectual property theft" (n=6)
- "leaking confidential information" (n=2)
- "data leakage methods" (n=1)

Exfiltration Methods Researched:
- "cloud storage" (n=6)
- "google drive" (n=10)
- "apple icloud" (n=1)
- "cd burning method" (n=64)
- "cd burning method in windows" (n=53)
- "security checkpoint cd-r" (n=1) — researching how to get CD through physical security

Anti-Forensics Research:
- "anti-forensic tools" (n=85)
- "anti-forensics" (n=1+)
- "ccleaner" (n=65)
- "eraser" (n=51)
- "how to delete data" (n=5)
- "system cleaner" (n=5+)

Counter-Investigation Research:
- "e-mail investigation" (n=88)
- "Forensic Email Investigation" (n=78)
- "what is windows system artifacts" (n=79)
- "external device and forensics" (n=65)
- "investigation on windows machine" (n=64)
- "windows event logs" (n=61)
- "digital forensics" (n=1+)
- "DLP DRM" (n=90) — researching Data Loss Prevention

Data Recovery Awareness:
- "data recovery tools" (n=4+)
- "how to recover data" (n=2+)

The recovered Google search URLs carry the Google Search ei parameter (ei=3VUQVYH3FMO1sQTf1YGwBw), which encodes a timestamp of approximately March 2015.
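Decoding that parameter, as an added example that is not part of the report or of the tool that produced it: the ei value is URL-safe base64 with the padding stripped, and its first four bytes are a little-endian Unix timestamp in seconds. That is the decoding browser-forensics practitioners commonly apply to Google search URLs and is assumed here; applied to the ei value quoted above it yields 2015-03-23T18:05:17Z, inside the March 2015 window the finding gives. The surrounding sample URLs are constructed for illustration.

```python
"""Decode the timestamp carried in a Google Search ``ei`` URL parameter.

Added example; not part of the report or of the tool that produced it.
Assumed encoding: ``ei`` is URL-safe base64 without padding and its first
four bytes are a little-endian Unix timestamp (seconds).
"""
import base64
import struct
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit


def decode_ei(ei):
    """Return the UTC datetime encoded in a Google ``ei`` parameter."""
    # Restore the padding base64 needs; ei values are emitted without it.
    raw = base64.urlsafe_b64decode(ei + "=" * (-len(ei) % 4))
    if len(raw) < 4:
        raise ValueError("ei value too short to hold a timestamp")
    (epoch,) = struct.unpack("<I", raw[:4])
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def ei_from_url(url):
    """Pull the ``ei`` parameter out of a carved search URL (None if absent)."""
    values = parse_qs(urlsplit(url).query).get("ei")
    return values[0] if values else None


def timestamps_from_urls(urls):
    """Map each carved search URL to its decoded ISO-8601 time.

    URLs without a decodable ``ei`` map to None rather than being dropped, so
    the examiner still sees what the carve produced but could not date.
    """
    out = {}
    for url in urls:
        ei = ei_from_url(url)
        try:
            out[url] = decode_ei(ei).strftime("%Y-%m-%dT%H:%M:%SZ") if ei else None
        except (ValueError, struct.error):
            # binascii.Error (bad base64) is a ValueError subclass.
            out[url] = None
    return out


if __name__ == "__main__":
    # Constructed sample carve: the ei value is the one quoted in the report;
    # the query strings around it are made up for illustration.
    sample_urls = [
        "https://www.google.com/search?q=anti-forensic+tools&ei=3VUQVYH3FMO1sQTf1YGwBw",
        "https://www.google.com/search?q=ccleaner",  # no ei, so it stays undated
    ]
    for url, ts in timestamps_from_urls(sample_urls).items():
        print(ts, url)
```

Feeding the bulk.url_searches output through timestamps_from_urls gives an independent time source for each search that survives even when browser history databases have been wiped, which is exactly the situation this case presents.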

Evidence strength: 2 refs (bulk.url_searches, bulk.url)

Evidence Chain
  tc_a09de574 get_raw_output 865ms
  tc_f0a90efb run_bulk_extractor 876971ms
Time: 2015-03-25T14:31:53Z
Sources: bulk.url_searches, bulk.url
Evidence Refs: tc_a09de574, tc_f0a90efb

[critical, confirmed] Data Source: Secret Project Accessed from Network Share \\10.11.11.128\SECURED_DRIVE

LNK file analysis reveals the secret project data originated from a network file share:
- Network path: \\10.11.11.128\SECURED_DRIVE
- Mapped as drive: V:
- Files accessed at 2015-03-22T14:52:21Z:
  - Secret Project Data\pricing decision\(secret_project)_pricing_decision.xlsx (modified 2015-01-29T20:3x)
  - Secret Project Data\final directory

USB "Authorized USB" (rm1) LNK timestamps show the data copy to drive E: occurred on 2015-02-15:
- E:\RM#1\Secret Project Data\design\ accessed 2015-02-15T21:52:08Z
- E:\RM#1\Secret Project Data\proposal\ accessed 2015-02-15T21:52:12Z
- E:\RM#1\Secret Project Data\proposal\[secret_project]_proposal.docx accessed 2015-02-15T21:52:20Z (file originally modified 2014-12-19T19:53:46Z)

The informant accessed the secure network drive and copied classified project documents including design specifications, proposals, and pricing decisions to a personal USB drive.

Evidence strength: 2 refs (bulk.winlnk)

Evidence Chain
  tc_58800ff3 search 13ms
  tc_f0a90efb run_bulk_extractor 876971ms
Time: 2015-02-15T21:52:08Z — 2015-03-22T14:52:21Z
Sources: bulk.winlnk
Evidence Refs: tc_58800ff3, tc_f0a90efb

[critical, confirmed] Resignation Letter Created After Anti-Forensic Cleanup

The resignation letter was the final artifact created during the insider's last session:

LNK file evidence:
- Resignation_Letter_(Iaman_Informant).xps created at 2015-03-25T15:28:33Z
- CCleaner64.exe LNK accessed at 2015-03-25T14:58:35Z (CCleaner installed 2015-03-13T11:10:26Z)

Complete session timeline on March 25, 2015:
1. 14:20:09 - Task engine started
2. 14:31:53 - Console host
3. 14:41:03 - Outlook opened (1 run)
4. 14:42:47 - Windows Media Player
5. 14:50:14 - Eraser 6 INSTALLER executed
6. 14:50:17-14:54:29 - Installer components (.NET, ASP.NET)
7. 14:57:18 - VSS service
8. 14:58:35 - CCleaner64.exe accessed (cleanup performed)
9. 15:13:30 - Eraser.exe executed (secure deletion, 2 runs)
10. 15:22:07 - Internet Explorer (14 total runs)
11. 15:28:33 - Resignation_Letter_(Iaman_Informant).xps CREATED

The user systematically: (1) installed cleanup tools, (2) ran secure deletion, (3) ran CCleaner, (4) browsed for any remaining traces, then (5) created the resignation letter as their final act.

Evidence strength: 2 refs (bulk.winlnk, bulk.winprefetch)

Evidence Chain
  tc_e42120ea correlate_across_sources 3973ms
  tc_e765ef43 search 25ms
Time: 2015-03-25T14:20:09Z — 2015-03-25T15:28:33Z
Sources: bulk.winlnk, bulk.winprefetch
Evidence Refs: tc_e42120ea, tc_e765ef43
ATT&CK: T1070.004, T1070

[high, confirmed] Anti-Forensic Tool Installation: Eraser 6 and CCleaner Downloaded and Executed

User "informant" downloaded and installed two anti-forensic/cleanup tools:

  1. Eraser 6.2.0.2962 - Secure deletion tool
     - Downloaded to: Users/informant/Desktop/Download/Eraser 6.2.0.2962.exe (DELETED, Zone.Identifier present - downloaded from internet)
     - Installed to: Program Files/Eraser/
     - Prefetch files confirm execution: ERASER 6.2.0.2962.EXE-BE552234.pf and ERASER.EXE-CE61944A.pf
     - Task list at: Users/informant/AppData/Local/Eraser 6/Task List.ersy
     - Shortcuts created on Public Desktop and Start Menu

  2. CCleaner v5.04 - System cleanup tool
     - Downloaded to: Users/informant/Desktop/Download/ccsetup504.exe (DELETED, Zone.Identifier present)
     - Prefetch confirms execution: CCLEANER64.EXE-779BD542.pf and CCSETUP504.EXE-6BA2F6A1.pf
     - Shortcut on Public Desktop (DELETED)

Both installer files were subsequently deleted, likely to hide evidence of the tools. Eraser overwrites file contents so that they cannot be recovered from the disk, and CCleaner removes browser history, temporary files, and other forensic artifacts.

Evidence strength: 2 refs (tsk.filelist)

Evidence Chain
  tc_8e82fae8 run_fls 17672ms
  tc_8e73d148 search 6ms
Sources: tsk.filelist
Evidence Refs: tc_8e82fae8, tc_8e73d148
ATT&CK: T1070.004, T1485

[high, confirmed] Cloud Storage Exfiltration Channel: Google Drive Sync Installed and Active

User "informant" installed Google Drive Sync as an additional data exfiltration channel:
- Downloaded: Users/informant/Downloads/googledrivesync.exe (with Zone.Identifier - internet download)
- Installed: Program Files (x86)/Google/Drive/googledrivesync.exe
- Prefetch confirms execution: GOOGLEDRIVESYNC.EXE-841A0D94.pf
- Local sync folder: Users/informant/Google Drive/ (contained happy_holiday.jpg - DELETED)
- Drive databases: Users/informant/AppData/Local/Google/Drive/user_default/ (snapshot.db, sync_config.db - DELETED)
- Sync log exists: Users/informant/AppData/Local/Google/Drive/user_default/sync_log.log
- Desktop shortcut to Google Drive (DELETED)
- IE DOM Store contains drive.google[1].xml - accessed Google Drive via browser
- Also downloaded: icloudsetup.exe - suggesting iCloud was considered as another channel

The deletion of the Google Drive databases (snapshot.db, sync_config.db) indicates deliberate cleanup of sync history.

Evidence strength: 2 refs (tsk.filelist)

Evidence Chain
  tc_8e82fae8 run_fls 17672ms
  tc_2f0a4dbc search 14ms
Sources: tsk.filelist
Evidence Refs: tc_8e82fae8, tc_2f0a4dbc
ATT&CK: T1567.002, T1048

[high, confirmed] Deleted Data on USB rm2 (FAT32): Previously Stored Secret Project Folders

The FAT32 USB drive (rm2) contains deleted files organized in the same folder structure as the secret project data, indicating it was previously used to store/transport sensitive data before deletion:

Deleted folders and files found in $OrphanFiles:
- design/winter_storm.amr, design/winter_whether_advisory.zip
- PRICIN~1 (pricing)/my_favorite_cars.db, my_favorite_movies.7z, new_years_day.jpg, super_bowl.avi
- progress/my_friends.svg, my_smartphone.png, new_year_calendar.one
- proposal/a_gift_from_you.gif, landscape.png
- TECHNI~1 (technical)/diary_#1d.txt through diary_#3p.txt (6 diary files)
- Many deleted image files: amalfi.bmp, barn.gif, etc.

The folder names (design, pricing, progress, proposal, technical) mirror project management categories. The "diary" files in the TECHNI~1 folder may contain sensitive technical notes. The volume label "IAMAM $_@" appears corrupted. Files were deleted but recoverable from FAT32 orphan entries.

Evidence strength: 1 ref (tsk.filelist)

Evidence Chain
  tc_45ce2bb6 run_fls 2271ms
Sources: tsk.filelist
Evidence Refs: tc_45ce2bb6

[high, confirmed] Eraser 6 Executed for Secure Deletion on 2015-03-25

Prefetch analysis confirms Eraser 6 was installed and used for secure file deletion:
- ERASER 6.2.0.2962.EXE installer: Last run 2015-03-25T14:50:14Z (1 run)
- ERASER.EXE application: Last run 2015-03-25T15:13:30Z (2 runs)

Timeline of March 25, 2015 activity:
- 14:41:03 - Outlook opened (1 run)
- 14:42:47 - Windows Media Player (1 run)
- 14:50:14 - Eraser 6 installer executed
- 14:50:17 - Setup.exe (related to Eraser install)
- 15:13:30 - Eraser.exe executed (secure deletion performed)
- 15:22:07 - Internet Explorer (browsing continued)

The Eraser installation and execution occurred within the same session, indicating deliberate and immediate use of the tool to destroy evidence. The task list at Users/informant/AppData/Local/Eraser 6/Task List.ersy may reveal what was targeted for deletion.

Evidence strength: 2 refs (bulk.winprefetch)

Evidence Chain
  tc_7a772ef2 search 62ms
  tc_e765ef43 search 25ms
Time: 2015-03-25T14:50:14Z — 2015-03-25T15:13:30Z
Sources: bulk.winprefetch
Evidence Refs: tc_7a772ef2, tc_e765ef43
ATT&CK: T1070.004, T1485

[high, confirmed] CD-R (rm3) Contains Image Files - Used as Data Exfiltration Medium

The CD-R disk image (rm3) was detected with high entropy (7.65) by fls, initially suggesting encryption. String analysis reveals the CD-R contains JPEG image files:

  • EXIF data shows Eastman Kodak Company KODAK DIGITAL SCIENCE DC260 camera
  • Image timestamps: 2003:09:24 15:33:42 and 2003:12:10 17:27:44
  • LEAD Technologies Inc. V1.01 image library markers
  • Adobe Photoshop CS processed images

Bulk_extractor carved from rm3:
- 60 domain entries, 3 email entries, 6 EXIF entries, 11 RFC822 entries (Library of Congress catalog data)
- 75 URL entries including digitalcorpora.org, whitehouse.gov, hdl.loc.gov references

The user researched "cd burning method in windows" (n=53) and "security checkpoint cd-r" (n=1), showing deliberate planning to use a CD-R to bypass physical security. The Windows Burn staging directory at Users/informant/AppData/Local/Microsoft/Windows/Burn/Burn/ contains deleted entries confirming CD burning activity.

The RFC822 data contains Library of Congress catalog records, suggesting the CD-R may contain both innocuous reference materials and potentially hidden/steganographic data to pass through security checkpoints.

Evidence strength: 4 refs (strings.output, bulk.exif, tsk.filelist)

Evidence Chain
  tc_5da8e1fc run_strings 1157ms
  tc_5bf124dc search 9ms
  tc_8b5d41ec run_bulk_extractor 4297ms
  tc_3f2e9f88 search 13ms
Sources: strings.output, bulk.exif, tsk.filelist
Evidence Refs: tc_5da8e1fc, tc_5bf124dc, tc_8b5d41ec, tc_3f2e9f88
ATT&CK: T1052.001, T1027
✓ Ruled Out (Negative Findings)

These hypotheses were explicitly tested and no supporting evidence was found.

  • No Evidence of External Attacker or Second Independent Incident
    Counter-hypothesis analysis was performed to look for evidence of activity outside the primary insider threat narrative: 1. User account audit: Three user accounts exist (admin11, informant, temporary). The admin11 account shows only system setup activity. The temporary account was accessed on...
ATT&CK Technique Mapping

Initial Access (1 technique / 1 finding)
  • Default Accounts (1 finding): Google Drive Exfiltration via Personal Gmail: iaman.informant.personal@gmail.com

Persistence (1 technique / 1 finding)
  • Default Accounts (1 finding): Google Drive Exfiltration via Personal Gmail: iaman.informant.personal@gmail.com

Privilege Escalation (1 technique / 1 finding)
  • Default Accounts (1 finding): Google Drive Exfiltration via Personal Gmail: iaman.informant.personal@gmail.com

Defense Evasion (4 techniques / 7 findings)
  • Obfuscated Files or Information (1 finding): CD-R (rm3) Contains Image Files - Used as Data Exfiltration Medium
  • Indicator Removal (1 finding): Resignation Letter Created After Anti-Forensic Cleanup
  • File Deletion (4 findings): Anti-Forensic Tool Installation: Eraser 6 and CCleaner Downloaded and Executed; Deleted Data on USB rm2 (FAT32): Previously Stored Secret Project Folders; Eraser 6 Executed for Secure Deletion on 2015-03-25; Resignation Letter Created After Anti-Forensic Cleanup
  • Default Accounts (1 finding): Google Drive Exfiltration via Personal Gmail: iaman.informant.personal@gmail.com

Collection (4 techniques / 5 findings)
  • Data from Local System (1 finding): Data Source: Secret Project Accessed from Network Share \\10.11.11.128\SECURED_DRIVE
  • Data from Network Shared Drive (1 finding): Data Source: Secret Project Accessed from Network Share \\10.11.11.128\SECURED_DRIVE
  • Local Data Staging (2 findings): Insider Threat: User "Iaman Informant" Exfiltrating Secret Project Data via USB; Deleted Data on USB rm2 (FAT32): Previously Stored Secret Project Folders
  • Automated Collection (1 finding): Premeditated Data Theft: Search History Shows Systematic Research on Leaking and Anti-Forensics

Exfiltration (3 techniques / 8 findings)
  • Exfiltration Over Alternative Protocol (1 finding): Cloud Storage Exfiltration Channel: Google Drive Sync Installed and Active
  • Exfiltration over USB (4 findings): Insider Threat: User "Iaman Informant" Exfiltrating Secret Project Data via USB; Premeditated Data Theft: Search History Shows Systematic Research on Leaking and Anti-Forensics; Data Source: Secret Project Accessed from Network Share \\10.11.11.128\SECURED_DRIVE; CD-R (rm3) Contains Image Files - Used as Data Exfiltration Medium
  • Exfiltration to Cloud Storage (3 findings): Cloud Storage Exfiltration Channel: Google Drive Sync Installed and Active; Google Drive Exfiltration via Personal Gmail: iaman.informant.personal@gmail.com; Premeditated Data Theft: Search History Shows Systematic Research on Leaking and Anti-Forensics

Impact (1 technique / 2 findings)
  • Data Destruction (2 findings): Anti-Forensic Tool Installation: Eraser 6 and CCleaner Downloaded and Executed; Eraser 6 Executed for Secure Deletion on 2015-03-25
IOC Inventory

Network IOCs (1)
Type | Value | Context
Internal IP | 10.11.11.128 | Data Source: Secret Project Accessed from Network Share \\10.11.11.128\SECURED_DRIVE

File IOCs (3)
Type | Value | Context
Path | /Windows/Recent/[secret_project]_proposal.lnk | Insider Threat: User "Iaman Informant" Exfiltrating Secret Project Data via USB
Path | /Windows/Recent/(secret_project)_pricing_decision.xlsx.lnk | Insider Threat: User "Iaman Informant" Exfiltrating Secret Project Data via USB
Path | /Windows/Burn/Burn/ | CD-R (rm3) Contains Image Files - Used as Data Exfiltration Medium

Email IOCs (4)
Type | Value | Context
Email | iaman.informant.personal@gmail.com | Google Drive Exfiltration via Personal Gmail: iaman.informant.personal@gmail.com
Email | iaman.informant@nist.gov | Google Drive Exfiltration via Personal Gmail: iaman.informant.personal@gmail.com
Email | wayne.longman@att.net | Google Drive Exfiltration via Personal Gmail: iaman.informant.personal@gmail.com
Email | eric_p._lauer@omb.eop.gov | Google Drive Exfiltration via Personal Gmail: iaman.informant.personal@gmail.com
Evidence Sources
| Source Name | Extractor | Lines | Hash | Referenced By |
|---|---|---|---|---|
| tsk.fsstat | sleuthkit | 0 | sha256:empty... | |
| tsk.fsstat | sleuthkit | 0 | sha256:empty... | |
| tsk.fsstat | sleuthkit | 0 | sha256:empty... | |
| tsk.fsstat | sleuthkit | 0 | sha256:empty... | |
| tsk.partitions | sleuthkit | 8 | sha256:32ea60ffc... | |
| tsk.partitions | sleuthkit | 9 | sha256:d78c079fd... | |
| tsk.partitions | sleuthkit | 10 | sha256:bb36f7a96... | |
| bulk.domain | bulk_extractor | 237 | sha256:7f2969b7d... | |
| bulk.email | bulk_extractor | 12 | sha256:1bdd1a0ef... | 2 findings |
| bulk.exif | bulk_extractor | 21 | sha256:09098ee14... | 1 finding |
| bulk.rfc822 | bulk_extractor | 41 | sha256:7b1ed102d... | |
| bulk.url | bulk_extractor | 300 | sha256:3a0a6c310... | 1 finding |
| bulk.url_services | bulk_extractor | 21 | sha256:d6d9f112b... | 1 finding |
| bulk.domain | bulk_extractor | 237 | sha256:9168d16a1... | |
| bulk.email | bulk_extractor | 16 | sha256:ef562ec12... | 2 findings |
| bulk.exif | bulk_extractor | 27 | sha256:dbb0e2cf2... | 1 finding |
| bulk.rfc822 | bulk_extractor | 41 | sha256:6d4d26d34... | |
| bulk.url | bulk_extractor | 288 | sha256:f70af79df... | 1 finding |
| bulk.url_services | bulk_extractor | 19 | sha256:51f3c250d... | 1 finding |
| bulk.domain | bulk_extractor | 189 | sha256:5f5a8ceb9... | |
| bulk.exif | bulk_extractor | 20 | sha256:1ef0ad99e... | 1 finding |
| bulk.url | bulk_extractor | 207 | sha256:7c2eaba62... | 1 finding |
| bulk.url_services | bulk_extractor | 14 | sha256:806222e1f... | 1 finding |
| tsk.filelist | sleuthkit | 51 | sha256:f0793bf37... | 5 findings |
| tsk.filelist | sleuthkit | 27 | sha256:ad06f7552... | 5 findings |
| tsk.filelist | sleuthkit | 104709 | sha256:bd2811168... | 5 findings |
| bulk.alerts | bulk_extractor | 11 | sha256:07fa904ea... | |
| bulk.domain | bulk_extractor | 366644 | sha256:485b0050d... | |
| bulk.email | bulk_extractor | 6532 | sha256:c8a13c43e... | 2 findings |
| bulk.ether | bulk_extractor | 6 | sha256:f683c999d... | |
| bulk.exif | bulk_extractor | 793 | sha256:63d12aba6... | 1 finding |
| bulk.ip | bulk_extractor | 29 | sha256:2fd20c26d... | |
| bulk.packets | bulk_extractor | 166 | sha256:3bb3f17b6... | |
| bulk.rfc822 | bulk_extractor | 7326 | sha256:7a46e5685... | |
| bulk.tcp | bulk_extractor | 15 | sha256:2659e25b3... | |
| bulk.url | bulk_extractor | 421750 | sha256:3fe3f66b3... | 1 finding |
| bulk.url_facebook-address | bulk_extractor | 19 | sha256:4cdbd4c41... | 1 finding |
| bulk.url_searches | bulk_extractor | 155 | sha256:9a2653153... | 1 finding |
| bulk.url_services | bulk_extractor | 3637 | sha256:7ab76c48a... | 1 finding |
| bulk.winlnk | bulk_extractor | 466 | sha256:be8c34223... | 3 findings |
| bulk.winpe | bulk_extractor | 28636 | sha256:800c82fac... | |
| bulk.winpe_carved | bulk_extractor | 28630 | sha256:533ff73ae... | |
| bulk.winprefetch | bulk_extractor | 155 | sha256:669008868... | 3 findings |
| binwalk.scan | binwalk | 0 | sha256:empty... | |
| strings.output | strings | 10090 | sha256:1a80600f5... | 1 finding |

Rows with 0 lines (the four tsk.fsstat runs and binwalk.scan) carry the hash of empty input: those extractor runs produced no evidence, and correspondingly no finding references them. The hashes shown are truncated prefixes; the full digests are what should be kept with the case file for integrity checks.
Processing Time: 1053.7s
Est. Tokens: ~20k
Token Breakdown: Input Tokens (est.) 3,400; Output Tokens (est.) 17,087; Total Tokens (est.) 20,487

Avg Processing Time by Tool
| Tool | Avg Duration | Calls |
|---|---|---|
| search | 0.1s | 45 |
| extract_file_by_inode | 0.0s | 12 |
| submit_finding | 0.0s | 11 |
| get_raw_output | 0.5s | 9 |
| check_extraction_status | 0.0s | 9 |
| run_mmls | 0.1s | 8 |
| run_fls | 4.0s | 7 |
| get_completed_results | 0.0s | 6 |
| start_extraction_batch | 0.0s | 5 |
| find_defense_evasion._search(all) | 0.0s | 5 |
| run_fsstat | 0.0s | 4 |
| run_bulk_extractor | 244.5s | 4 |
| find_persistence_mechanisms._search(all) | 0.1s | 3 |
| correlate_across_sources | 3.6s | 3 |
| run_evtx_parser | 0.0s | 2 |
| run_registry_parser | 4.3s | 2 |
| lookup_attack_technique | 0.2s | 2 |
| run_plaso | 0.0s | 2 |
| list_directory | 0.0s | 1 |
| get_carved_iocs | 0.0s | 1 |
| list_files | 0.2s | 1 |
| parse_browser_history | 1.7s | 1 |
| parse_lnk_files | 0.0s | 1 |
| parse_prefetch_detailed | 0.0s | 1 |
| get_file_metadata | 0.0s | 1 |
| analyze_execution_timeline | 0.0s | 1 |
| find_execution_evidence | 0.1s | 1 |
| find_defense_evasion | 0.1s | 1 |
| find_persistence_mechanisms._query(registry.system) | 0.2s | 1 |
| find_persistence_mechanisms._query(registry.software) | 0.0s | 1 |
| find_persistence_mechanisms._query(volatility.svcscan) | 0.0s | 1 |
| assess_recovery._query(tsk.filelist) | 0.4s | 1 |
| assess_recovery | 0.5s | 1 |
| find_persistence_mechanisms._query(tsk.filelist) | 0.2s | 1 |
| find_persistence_mechanisms | 0.8s | 1 |
| find_data_exfiltration_indicators._query(bulk.url) | 2.1s | 1 |
| find_data_exfiltration_indicators._query(bulk.email) | 0.1s | 1 |
| find_data_exfiltration_indicators._query(bulk.domain) | 0.7s | 1 |
| find_data_exfiltration_indicators._search(all) | 0.0s | 1 |
| find_data_exfiltration_indicators | 3.8s | 1 |
| run_binwalk | 0.1s | 1 |
| run_strings | 1.2s | 1 |
| list_sources | 0.0s | 1 |
| audit_evidence_coverage | 3.9s | 1 |
| audit_tool_coverage | 0.0s | 1 |
| submit_narrative | 0.0s | 1 |
Top Longest Operations

| Tool | Duration | Params |
|---|---|---|
| run_bulk_extractor | 877.0s | {"features": null, "image_path":... |
| run_bulk_extractor | 49.4s | {"features": null, "image_path":... |
| run_bulk_extractor | 47.4s | {"features": null, "image_path":... |
| run_fls | 17.7s | {"image_path":... |
| run_registry_parser | 8.4s | {"hive": null, "image_path":... |
| run_fls | 8.0s | {"image_path":... |
| run_bulk_extractor | 4.3s | {"features": null, "image_path":... |
| correlate_across_sources | 4.0s | {"sources": null, "t_end": "2015-03-25T16:00:00Z", "t_start": "2015-03-25T14:00:00Z"} |
| audit_evidence_coverage | 3.9s | {} |
| find_data_exfiltration_indicators | 3.8s | {} |

Tool Call Log
ID Tool Duration Timestamp
tc_5104db86 run_mmls 0ms 2026-04-20T07:07:05
tc_092aa81d run_mmls 0ms 2026-04-20T07:07:05
tc_f233ad5f run_mmls 0ms 2026-04-20T07:07:05
tc_190fe067 run_mmls 0ms 2026-04-20T07:07:05
tc_0f336061 run_fsstat 37ms 2026-04-20T07:07:05
tc_a25edf4d run_fsstat 45ms 2026-04-20T07:07:05
tc_9099537f run_fsstat 54ms 2026-04-20T07:07:05
tc_5de6e543 run_fsstat 61ms 2026-04-20T07:07:05
tc_11b95ba8 list_directory 10ms 2026-04-20T07:08:05
tc_ea19aa03 run_mmls 0ms 2026-04-20T07:08:22
tc_9a6f961f run_mmls 58ms 2026-04-20T07:08:22
tc_fd39b06c run_mmls 79ms 2026-04-20T07:08:22
tc_b585e65f run_mmls 539ms 2026-04-20T07:08:23
tc_aed9abe2 get_raw_output 16ms 2026-04-20T07:08:39
tc_03904672 start_extraction_batch 9ms 2026-04-20T07:09:03
tc_ef472312 run_fls 0ms 2026-04-20T07:09:03
tc_def77779 run_fls 0ms 2026-04-20T07:09:03
tc_53042a9d run_fls 0ms 2026-04-20T07:09:03
tc_f31f5919 run_evtx_parser 0ms 2026-04-20T07:09:03
tc_5a1812c9 run_registry_parser 70ms 2026-04-20T07:09:03
tc_01d71982 run_fls 0ms 2026-04-20T07:09:03
tc_8b5d41ec run_bulk_extractor 4297ms 2026-04-20T07:09:07
tc_891fe934 run_bulk_extractor 47423ms 2026-04-20T07:09:50
tc_90ab9e1d run_bulk_extractor 49409ms 2026-04-20T07:09:52
tc_74f8e0ac check_extraction_status 0ms 2026-04-20T07:15:08
tc_119462c1 lookup_attack_technique 370ms 2026-04-20T07:15:22
tc_66e476d9 lookup_attack_technique 1ms 2026-04-20T07:15:22
tc_48f0a27c get_completed_results 0ms 2026-04-20T07:15:32
tc_80d39335 start_extraction_batch 3ms 2026-04-20T07:15:48
tc_813abd0c search 17ms 2026-04-20T07:15:50
tc_258c75fe search 19ms 2026-04-20T07:15:50
tc_45ce2bb6 run_fls 2271ms 2026-04-20T07:15:55
tc_a3962ede run_fls 8011ms 2026-04-20T07:16:01
tc_25375d98 get_raw_output 13ms 2026-04-20T07:16:02
tc_52d99ace get_raw_output 6ms 2026-04-20T07:16:02
tc_b5977048 search 8ms 2026-04-20T07:16:02
tc_8e82fae8 run_fls 17672ms 2026-04-20T07:16:11
tc_282dc8d7 check_extraction_status 0ms 2026-04-20T07:16:19
tc_06397d2f check_extraction_status 0ms 2026-04-20T07:16:19
tc_b1dd985e search 491ms 2026-04-20T07:16:20
tc_2590b8b1 get_completed_results 0ms 2026-04-20T07:16:29
tc_56693577 get_raw_output 26ms 2026-04-20T07:16:44
tc_f65cc54c start_extraction_batch 2ms 2026-04-20T07:16:44
tc_99218e10 search 24ms 2026-04-20T07:16:44
tc_8ffa2850 run_evtx_parser 0ms 2026-04-20T07:16:48
tc_d9bb2ff3 run_registry_parser 8436ms 2026-04-20T07:16:52
tc_36ccd8ed search 13ms 2026-04-20T07:17:15
tc_8cdbf7fb search 7ms 2026-04-20T07:17:15
tc_e2f7e1d2 search 19ms 2026-04-20T07:17:15
tc_1a69e280 extract_file_by_inode 76ms 2026-04-20T07:17:51
tc_fc0cb311 extract_file_by_inode 11ms 2026-04-20T07:17:51
tc_e7c7bdd4 extract_file_by_inode 10ms 2026-04-20T07:17:51
tc_35fe0ef1 extract_file_by_inode 10ms 2026-04-20T07:17:51
tc_5988598e extract_file_by_inode 11ms 2026-04-20T07:17:51
tc_7d274baa extract_file_by_inode 10ms 2026-04-20T07:17:51
tc_cdfcbe83 check_extraction_status 0ms 2026-04-20T07:18:07
tc_4aa5a35d check_extraction_status 0ms 2026-04-20T07:18:07
tc_a0d0a40e search 12ms 2026-04-20T07:18:07
tc_278c835d get_completed_results 0ms 2026-04-20T07:18:21
tc_8e73d148 search 6ms 2026-04-20T07:18:21
tc_b689eb61 search 14ms 2026-04-20T07:18:21
tc_59e03ec1 search 9ms 2026-04-20T07:18:37
tc_0a132019 search 2ms 2026-04-20T07:18:37
tc_2f0a4dbc search 14ms 2026-04-20T07:18:54
tc_dfec4b82 search 385ms 2026-04-20T07:18:55
tc_4cd41924 search 71ms 2026-04-20T07:18:55
tc_1303a9ff start_extraction_batch 1ms 2026-04-20T07:19:25
tc_95fe0452 search 384ms 2026-04-20T07:19:25
tc_aa19e2bc run_plaso 0ms 2026-04-20T07:19:26
tc_9212041d search 445ms 2026-04-20T07:19:34
tc_9997fe2a search 390ms 2026-04-20T07:19:34
tc_ca178013 get_raw_output 8ms 2026-04-20T07:19:45
tc_d4830ecb extract_file_by_inode 50ms 2026-04-20T07:20:01
tc_77d3f675 extract_file_by_inode 47ms 2026-04-20T07:20:01
tc_1d945bfa extract_file_by_inode 45ms 2026-04-20T07:20:01
tc_72213782 extract_file_by_inode 11ms 2026-04-20T07:20:11
tc_b2adc71e extract_file_by_inode 9ms 2026-04-20T07:20:11
tc_9745705c extract_file_by_inode 10ms 2026-04-20T07:20:11
tc_40653a4e check_extraction_status 0ms 2026-04-20T07:20:23
tc_d7910557 check_extraction_status 0ms 2026-04-20T07:20:23
tc_3652fcff get_completed_results 0ms 2026-04-20T07:20:31
tc_a61d52fa get_carved_iocs 9ms 2026-04-20T07:20:48
tc_5291e215 list_files 219ms 2026-04-20T07:20:51
tc_f0a90efb run_bulk_extractor 876971ms 2026-04-20T07:23:40
tc_26406cd7 submit_finding 18ms 2026-04-20T07:25:41
tc_dc89b1b6 submit_finding 15ms 2026-04-20T07:25:41
tc_2744c03a submit_finding 8ms 2026-04-20T07:25:41
tc_8fab22ea parse_browser_history 1704ms 2026-04-20T07:27:15
tc_9406406c parse_lnk_files 8ms 2026-04-20T07:27:18
tc_54c44784 parse_prefetch_detailed 8ms 2026-04-20T07:27:19
tc_f1171b09 get_file_metadata 20ms 2026-04-20T07:28:19
tc_da5ddf4f start_extraction_batch 1ms 2026-04-20T07:28:19
tc_5ba33c9e search 32ms 2026-04-20T07:28:19
tc_674feae9 run_plaso 0ms 2026-04-20T07:28:20
tc_1a840139 search 14ms 2026-04-20T07:28:37
tc_2f62a564 search 354ms 2026-04-20T07:28:37
tc_cf6ecb1d search 48ms 2026-04-20T07:28:38
tc_92f66c62 submit_finding 18ms 2026-04-20T07:29:17
tc_a665b279 submit_finding 13ms 2026-04-20T07:29:17
tc_e4fa43e9 check_extraction_status 0ms 2026-04-20T07:29:28
tc_ea52dd3b check_extraction_status 0ms 2026-04-20T07:29:28
tc_4c84dee6 search 64ms 2026-04-20T07:29:29
tc_0be67609 get_completed_results 0ms 2026-04-20T07:29:36
tc_8ec19e6b get_completed_results 0ms 2026-04-20T07:29:36
tc_7f95ad52 get_raw_output 1261ms 2026-04-20T07:29:51
tc_a09de574 get_raw_output 865ms 2026-04-20T07:29:56
tc_ba91d733 get_raw_output 822ms 2026-04-20T07:29:57
tc_d66598a3 submit_finding 30ms 2026-04-20T07:30:32
tc_6eef4b0b search 389ms 2026-04-20T07:30:32
tc_d611dcad search 30ms 2026-04-20T07:30:32
tc_7a772ef2 search 62ms 2026-04-20T07:30:43
tc_1a425167 search 8ms 2026-04-20T07:30:43
tc_9266c2e8 search 51ms 2026-04-20T07:30:43
tc_c628e259 search 33ms 2026-04-20T07:30:55
tc_1da1f94b search 15ms 2026-04-20T07:30:55
tc_c37fde7d search 128ms 2026-04-20T07:30:55
tc_070de789 search 14ms 2026-04-20T07:30:55
tc_e765ef43 search 25ms 2026-04-20T07:31:04
tc_5336fff7 analyze_execution_timeline 45ms 2026-04-20T07:31:30
tc_ef397932 find_execution_evidence 59ms 2026-04-20T07:31:30
tc_a55bb002 find_defense_evasion._search(all) 65ms 2026-04-20T07:31:30
tc_0fe83b6b find_defense_evasion._search(all) 17ms 2026-04-20T07:31:30
tc_9195d01b find_defense_evasion._search(all) 13ms 2026-04-20T07:31:30
tc_678a8d49 find_defense_evasion._search(all) 7ms 2026-04-20T07:31:30
tc_d80266aa find_defense_evasion._search(all) 15ms 2026-04-20T07:31:30
tc_1fab1b85 find_defense_evasion 135ms 2026-04-20T07:31:30
tc_36471300 find_persistence_mechanisms._query(registry.system) 247ms 2026-04-20T07:31:31
tc_7de23766 find_persistence_mechanisms._query(registry.software) 29ms 2026-04-20T07:31:31
tc_105724f7 find_persistence_mechanisms._query(volatility.svcscan) 47ms 2026-04-20T07:31:31
tc_73c061d6 assess_recovery._query(tsk.filelist) 447ms 2026-04-20T07:31:31
tc_29c2d9ee find_persistence_mechanisms._search(all) 99ms 2026-04-20T07:31:31
tc_748bcf64 assess_recovery 538ms 2026-04-20T07:31:31
tc_a98d38ce find_persistence_mechanisms._search(all) 68ms 2026-04-20T07:31:31
tc_642e3477 find_persistence_mechanisms._search(all) 21ms 2026-04-20T07:31:31
tc_f1479d3e find_persistence_mechanisms._query(tsk.filelist) 176ms 2026-04-20T07:31:31
tc_1008789e find_persistence_mechanisms 813ms 2026-04-20T07:31:31
tc_a765f481 find_data_exfiltration_indicators._query(bulk.url) 2114ms 2026-04-20T07:31:32
tc_99539923 find_data_exfiltration_indicators._query(bulk.email) 79ms 2026-04-20T07:31:33
tc_a80fd328 find_data_exfiltration_indicators._query(bulk.domain) 712ms 2026-04-20T07:31:34
tc_39ba8036 find_data_exfiltration_indicators._search(all) 16ms 2026-04-20T07:31:34
tc_12b6f43a find_data_exfiltration_indicators 3821ms 2026-04-20T07:31:34
tc_3f2e9f88 search 13ms 2026-04-20T07:31:52
tc_58800ff3 search 13ms 2026-04-20T07:31:52
tc_979f1a80 run_binwalk 50ms 2026-04-20T07:31:52
tc_5da8e1fc run_strings 1157ms 2026-04-20T07:31:53
tc_bed0eca3 submit_finding 19ms 2026-04-20T07:32:35
tc_a24f0cb9 submit_finding 9ms 2026-04-20T07:32:35
tc_07b64fc4 search 16ms 2026-04-20T07:32:35
tc_60d6b7f0 get_raw_output 1794ms 2026-04-20T07:32:48
tc_3a8a2acd search 439ms 2026-04-20T07:32:48
tc_eebf70ef search 8ms 2026-04-20T07:32:48
tc_ca1c7e62 search 11ms 2026-04-20T07:33:03
tc_5bf124dc search 9ms 2026-04-20T07:33:03
tc_5cf36b34 search 13ms 2026-04-20T07:33:03
tc_f412bac6 search 123ms 2026-04-20T07:33:29
tc_3e2e5520 search 378ms 2026-04-20T07:33:29
tc_796bbc72 submit_finding 14ms 2026-04-20T07:33:30
tc_6ce71a3b search 372ms 2026-04-20T07:33:45
tc_6c3c0a5e correlate_across_sources 3793ms 2026-04-20T07:33:55
tc_e42120ea correlate_across_sources 3973ms 2026-04-20T07:34:11
tc_e9ec2ae3 correlate_across_sources 3124ms 2026-04-20T07:34:14
tc_b18cff19 submit_finding 19ms 2026-04-20T07:34:57
tc_d5e08a6f submit_finding 8ms 2026-04-20T07:34:58
tc_6e896247 list_sources 12ms 2026-04-20T07:35:15
tc_bf7909e9 audit_evidence_coverage 3917ms 2026-04-20T07:35:42
tc_99f0fe36 audit_tool_coverage 20ms 2026-04-20T07:35:48
tc_77d9f228 submit_narrative 20ms 2026-04-20T07:37:07

Each finding traces back to the specific tool calls that produced the supporting evidence.

Insider Threat: User "Iaman Informant" Exfiltrating Secret Project Data via USB (2 refs)
1. run_fls [tc_8e82fae8, 17672ms] { "image_path": "/evidence/nist-data-leakage/pc/cfreds_2015_data_leakage_pc.E01", "partition_offset": 206848 }
2. run_fls [tc_a3962ede, 8011ms] { "image_path": "/evidence/nist-data-leakage/rm1-usb-exfat/cfreds_2015_data_leakage_rm1.E01", "partition_offset": 32 }

Google Drive Exfiltration via Personal Gmail: iaman.informant.personal@gmail.com (2 refs)
1. search [tc_1a840139, 14ms] { "max_results": 50, "query": "scarter", "regex": false, "source": null }
2. search [tc_5ba33c9e, 32ms] { "max_results": 50, "query": "Informant", "regex": false, "source": "bulk.email" }

Premeditated Data Theft: Search History Shows Systematic Research on Leaking and Anti-Forensics (2 refs)
1. get_raw_output [tc_a09de574, 865ms] { "after_id": 0, "limit": 500, "source_name": "bulk.url_searches" }
2. run_bulk_extractor [tc_f0a90efb, 876971ms] { "features": null, "image_path": "/evidence/nist-data-leakage/pc/cfreds_2015_data_leakage_pc.E01", "max_depth": null...

Data Source: Secret Project Accessed from Network Share \\10.11.11.128\SECURED_DRIVE (2 refs)
1. search [tc_58800ff3, 13ms] { "max_results": 20, "query": "secret_project", "regex": false, "source": "bulk.winlnk" }
2. run_bulk_extractor [tc_f0a90efb, 876971ms] { "features": null, "image_path": "/evidence/nist-data-leakage/pc/cfreds_2015_data_leakage_pc.E01", "max_depth": null...

Resignation Letter Created After Anti-Forensic Cleanup (2 refs)
1. correlate_across_sources [tc_e42120ea, 3973ms] { "sources": null, "t_end": "2015-03-25T16:00:00Z", "t_start": "2015-03-25T14:00:00Z" }
2. search [tc_e765ef43, 25ms] { "max_results": 50, "query": "atime", "regex": false, "source": "bulk.winprefetch" }

Anti-Forensic Tool Installation: Eraser 6 and CCleaner Downloaded and Executed (2 refs)
1. run_fls [tc_8e82fae8, 17672ms] { "image_path": "/evidence/nist-data-leakage/pc/cfreds_2015_data_leakage_pc.E01", "partition_offset": 206848 }
2. search [tc_8e73d148, 6ms] { "max_results": 30, "query": "Eraser", "regex": false, "source": "tsk.filelist" }

Cloud Storage Exfiltration Channel: Google Drive Sync Installed and Active (2 refs)
1. run_fls [tc_8e82fae8, 17672ms] { "image_path": "/evidence/nist-data-leakage/pc/cfreds_2015_data_leakage_pc.E01", "partition_offset": 206848 }
2. search [tc_2f0a4dbc, 14ms] { "max_results": 30, "query": "Google Drive", "regex": false, "source": "tsk.filelist" }

Deleted Data on USB rm2 (FAT32): Previously Stored Secret Project Folders (1 ref)
1. run_fls [tc_45ce2bb6, 2271ms] { "image_path": "/evidence/nist-data-leakage/rm2-usb-fat32/cfreds_2015_data_leakage_rm2.E01", "partition_offset": 128 }

Eraser 6 Executed for Secure Deletion on 2015-03-25 (2 refs)
1. search [tc_7a772ef2, 62ms] { "max_results": 10, "query": "ERASER", "regex": false, "source": "bulk.winprefetch" }
2. search [tc_e765ef43, 25ms] { "max_results": 50, "query": "atime", "regex": false, "source": "bulk.winprefetch" }

CD-R (rm3) Contains Image Files - Used as Data Exfiltration Medium (4 refs)
1. run_strings [tc_5da8e1fc, 1157ms] { "min_length": 10, "target_path": "/evidence/nist-data-leakage/rm3-cdr/cfreds_2015_data_leakage_rm3.E01" }
2. search [tc_5bf124dc, 9ms] { "max_results": 10, "query": "Kodak", "regex": false, "source": "strings.output" }
3. run_bulk_extractor [tc_8b5d41ec, 4297ms] { "features": null, "image_path": "/evidence/nist-data-leakage/rm3-cdr/cfreds_2015_data_leakage_rm3.E01", "max_depth"...
4. search [tc_3f2e9f88, 13ms] { "max_results": 20, "query": "burn", "regex": false, "source": "tsk.filelist" }
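The provenance list above makes three checkable claims: every finding cites tool-call IDs that appear in the log, every raw-output source carries a SHA-256 of the bytes it was computed from, and findings rest on extractor runs that actually produced output. The script below is an added example, not the report generator's own code, that re-checks those claims offline. It assumes the log, the source table and the findings are available as plain dicts keyed by the report's identifiers, that `partition_offset` is in 512-byte sectors as `mmls` reports them, and that `run_fls` and `run_mmls` wrap the Sleuth Kit `fls` and `mmls` commands; the file bytes and the two negative-case findings are constructed, and `tc_00000000` is a made-up ID.

```python
"""Provenance audit for a tool-driven forensic report (added example, not the report's tooling)."""
import hashlib
import shlex

SECTOR_BYTES = 512                                # assumption: offsets are 512-byte sectors, as mmls prints
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()    # the digest the report renders as "sha256:empty..."


def sha256_tag(data: bytes, keep: int = 0) -> str:
    """Label raw extractor output the way the report does ("sha256:<hex>").
    keep=N reproduces the rendered table's truncation to N hex chars plus "..."."""
    hexd = hashlib.sha256(data).hexdigest()
    return f"sha256:{hexd[:keep]}..." if keep else f"sha256:{hexd}"


# Constructed stand-in for an fls body-file output (two lines; contents invented).
FILELIST_BODY = (
    b"0|/Users/informant/Desktop/secret_project|12345|d/drwxrwxrwx|0|0|4096|1427295600|1427295600|1427295600|1427295600\n"
    b"0|/Users/informant/Desktop/secret_project.lnk|12346|r/rrwxrwxrwx|0|0|1024|1427295600|1427295600|1427295600|1427295600\n"
)

# Constructed source-table rows: line count plus the hash recorded at extraction time.
SOURCES = {
    "tsk.filelist": {"lines": 2, "recorded": sha256_tag(FILELIST_BODY, keep=9), "data": FILELIST_BODY},
    "tsk.fsstat": {"lines": 0, "recorded": "sha256:empty...", "data": b""},
}

# Constructed slice of the tool-call log; IDs, tools, durations and params are the report's.
TOOL_CALLS = {
    "tc_8e82fae8": {"tool": "run_fls", "ms": 17672, "params": {
        "image_path": "/evidence/nist-data-leakage/pc/cfreds_2015_data_leakage_pc.E01", "partition_offset": 206848}},
    "tc_a3962ede": {"tool": "run_fls", "ms": 8011, "params": {
        "image_path": "/evidence/nist-data-leakage/rm1-usb-exfat/cfreds_2015_data_leakage_rm1.E01", "partition_offset": 32}},
    "tc_0f336061": {"tool": "run_fsstat", "ms": 37, "params": {}},   # params not shown in the report
}

# Constructed findings: the first mirrors the report, the other two are deliberate negative cases.
FINDINGS = [
    {"title": 'Insider Threat: User "Iaman Informant" Exfiltrating Secret Project Data via USB',
     "refs": ["tc_8e82fae8", "tc_a3962ede"], "sources": ["tsk.filelist"]},
    {"title": "hypothetical: cites a tool call absent from the log",
     "refs": ["tc_00000000"], "sources": ["tsk.filelist"]},
    {"title": "hypothetical: rests only on an extractor that produced no output",
     "refs": ["tc_0f336061"], "sources": ["tsk.fsstat"]},
]


def hash_matches(source: dict) -> bool:
    """Recompute the digest of the stored bytes and compare it with the recorded tag.
    A truncated tag can only be matched by prefix; nine hex chars is a sanity check, not integrity proof."""
    recorded = source["recorded"]
    if recorded == "sha256:empty...":
        recorded = "sha256:" + EMPTY_SHA256
    actual = sha256_tag(source["data"])
    if recorded.endswith("..."):
        return actual.startswith(recorded[:-3])
    return actual == recorded


def is_empty_output(source: dict) -> bool:
    """True when the extractor run wrote nothing, whatever the table's line count says."""
    return source["lines"] == 0 or hashlib.sha256(source["data"]).hexdigest() == EMPTY_SHA256


def dangling_refs(findings: list, tool_calls: dict) -> list:
    """(finding title, tool-call id) pairs whose evidence reference is not in the log."""
    return [(f["title"], ref) for f in findings for ref in f["refs"] if ref not in tool_calls]


def unsupported_findings(findings: list, sources: dict) -> list:
    """Titles of findings whose every cited source is unknown or produced no output."""
    return [f["title"] for f in findings
            if f["sources"] and all(s not in sources or is_empty_output(sources[s]) for s in f["sources"])]


def byte_offset(sectors: int) -> int:
    """Sector offset from mmls converted to bytes, for tools that want a byte offset."""
    return sectors * SECTOR_BYTES


def replay_command(call: dict) -> str:
    """Rebuild the Sleuth Kit command a reviewer would run by hand to regenerate the cited
    output. The mapping from the report's tool names to fls/mmls is an assumption."""
    p = call["params"]
    if call["tool"] == "run_fls":
        return f"fls -o {p['partition_offset']} -r -p {shlex.quote(p['image_path'])}"
    if call["tool"] == "run_mmls":
        return f"mmls {shlex.quote(p['image_path'])}"
    raise ValueError(f"no replay mapping for {call['tool']}")


def audit(findings: list = FINDINGS, tool_calls: dict = TOOL_CALLS, sources: dict = SOURCES) -> dict:
    """Run all checks; anything non-empty is something to chase before trusting the report."""
    return {
        "hash_mismatches": [n for n, s in sources.items() if not hash_matches(s)],
        "empty_sources": [n for n, s in sources.items() if is_empty_output(s)],
        "dangling_refs": dangling_refs(findings, tool_calls),
        "unsupported_findings": unsupported_findings(findings, sources),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
    print(replay_command(TOOL_CALLS["tc_8e82fae8"]))
```

Run against the real export, the interesting output is the non-empty lists: a dangling reference means a finding cites work the log never recorded, and an unsupported finding means its only evidence is an extractor that wrote nothing (as the four tsk.fsstat and the binwalk.scan rows did here). The replay string is what to paste into a shell with the Sleuth Kit installed to regenerate and re-hash the cited file list.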
