ISSC455_Week7_Final_Mitchell K
School: American Military University
Course: 455
Subject: Information Systems
Date: Apr 3, 2024
JLA Phishing Attack
ISSC455 Digital Forensics:
Investigation Procedures and Response
Karisma Mitchell
Professor Brian Burnett
3/24/2024
<Case Number: ISSC455-20-000X>
ISSC455-20-000X Forensic Report
Documents Properties
Title: ISSC455-20-000X Forensic Report
Version: 1.0
Authors: Karisma Mitchell
Reviewed By: Prof. Brian Burnett
Approved By: Prof. Brian Burnett
Classification: Confidential: For Educational Purposes Only
Version Control
Version: 1.0
Date: 03/2024
Authors: Karisma Mitchell
Description: Final Draft
Disclaimer
The information contained in this report, APUS ISSC455 Report JLA Phishing Attack, is intended for training and learning purposes only and is not for the purpose of providing digital forensic investigation recommendations. The scenario leading to this report is provided by Shanken Security Solutions and has been approved for use as Education Purposes Only. If this report is found, please delete, shred (if hardcopy) or report to classroomsupport@apus.edu for further instructions if delete or shred are not available.
APUS AND PROFESSOR JOHNNY JUSTICE DISCLAIM ALL LIABILITY AND RESPONSIBILITY FOR ANY ERRORS OR OMISSIONS IN THE CONTENT CONTAINED IN THIS REPORT.
Contents
Table of Figures
1.0 Scope
1.1 Purpose
1.2 Team Overview
1.3 Executive Summary
2.0 Narrative
3.0 Findings
3.1 Quick View
3.2 Email 1: Sabre Project - October 15, 2019 - 1938 hours
3.3 Email 2: Sabre Project - October 15, 2019 - 1947 hours
3.4 JLAENTREPRISE.com Domain Created - October 15, 2019 - 2054 hours
3.5 Email 3: Sabre Project - October 15, 2019 - 2258 hours
3.6 Email 4: Sabre Project - October 16, 2019 - 0653 hours
3.7 Email 5: Sabre Project - October 17, 2019 - 1123 hours
3.8 Email 6: JLA Enterprise and Sabre Project - October 17, 2019 - 1209 hours
3.9 Email 7: Sabre Project - October 17, 2019 - 1325 hours
3.10 Email 8: Sabre Project - October 17, 2019 - 1337 hours
3.11 Email 9: JLA Enterprise and Sabre Project - October 17, 2019 - 1431 hours
3.12 Email 10: Sabre Project Wiring Instruction - October 17, 2019 – 1443 hours
3.13 Email 11: Sabre Project Wire Transfer - October 17, 2019 - 1445 hours
3.14 Email 12: Sabre Project Wire Transfer - October 17, 2019 - 1459 hours
3.15 Email 13: Sabre Project Wiring Instruction - October 17, 2019 - 1506 hours
3.16 Email 14: Sabre Project Wire Transfer - October 17, 2019 - 1542 hours
3.17 Email 15: Sabre Project Wiring Instruction - October 19, 2019 - 1202 hours
3.18 Phishing Scam Sent to JLA Enterprise Consultant - October 19, 2019 - 2233 hours
4.0 Conclusion
4.1 Email 1: - June 01, 2019 - 0710 hours
4.2 Email 2: - August 02, 2019 - 1808 hours
5.0 Recommendations
Appendix A: Wiring Instructions (Fraudulent East Hun Chiu Account)
Table of Figures
Figure 1 - Email 1 - Michael SCOTT to Jim Halpert (Start of Phishing Attempt)
Figure 2 - jimhalpert@jlaenterprise.com auto-forwards to officeman1987a@gmail.com and SCOTT’s IPv6 address
Figure 3 - IPv6 Geographical Location - 2601:98a:100:57b:206f:26a1:323a:fb5c
Figure 4 - jimhalpert@jlaenterprise.com auto-forwards to officeman1987a@gmail.com and SCOTT’s IPv4 address
Figure 5 - IP Address Lookup Details - 83.110.250.231
Figure 6 - IPv4 Geographical Location - 83.110.250.231
Figure 7 - Email 2 - Michael SCOTT to Jim Halpert (Covering Mistake)
Figure 8 - MX Query - JLAENTREPRISE.COM
Figure 9 - Whois Information (jlaentreprise.com)
Figure 10 - IP Geographical Location - 50.63.202.52 (jlaentreprise.com)
Figure 11 - michael@dssvc.com email to dwightschrute68@gmail.com and SCOTT’s IPv6 address
Figure 12 - Email 3 - Michael SCOTT to Dwight Schrute (Phishing Employee)
Figure 13 - Email 3 - Michael SCOTT to Dwight Schrute (Phishing Employee) (continued)
Figure 14 - IP Address Lookup Details - 23.239.21.243
Figure 15 - IPv4 Geographical Location - 23.239.21.243
Figure 16 - Email 4 - Jim Halpert (Counterfeit Account) to Dwight Schrute (Phishing Attempt)
Figure 17 - jhalpert@jlaentreprise.com used an IPv4 address from a location previously used by SCOTT’s email account
Figure 18 - IPv4 Geographical Location - 83.110.250.20
Figure 19 - Email 5 - Jim Halpert (Counterfeit Account) to Michael SCOTT and Dwight Schrute (Confirm Payment)
Figure 20 - abernard@jlaenterprise.com auto-forwards to andybernard@abcglobal.com
Figure 21 - IPv4 Geographical Location - 192.155.90.47
Figure 22 - Email 6 - Dwight Schrute (Counterfeit Account) to Andy Bernard and Jim Halpert (Legitimacy)
Figure 23 - jhalpert@jlaentreprise.com to dwightschrute68@gmail.com
Figure 24 - Email 7 - Jim Halpert (Counterfeit Account) to Dwight Schrute (Correspondence over Email)
Figure 25 - Email 7 - Jim Halpert (Counterfeit Account) to Dwight Schrute (Correspondence over Email) (continued)
Figure 26 - abernard@jlaentreprise.com to dwightschrute68@gmail.com and nee.beesly@gmail.com
Figure 27 - Email 8 - Andy Bernard (Counterfeit Account) to Dwight Schrute and Pam Beesly
Figure 28 - Email 9 - Dwight Schrute (Counterfeit Account) to Andy Bernard (Establishing Legitimacy)
Figure 29 - abernard@jlaenterprise.com auto-forwards to andybernard@abcglobal.com
Figure 30 - IPv4 Geographical Location - 173.230.128.135
Figure 31 - Email 10 - Dwight Schrute (Counterfeit Account) to Andy Bernard (Wiring Instructions)
Figure 32 - X-Originating-IP: 192.81.133.156 (Mail Server in California)
Figure 33 - IPv4 Geographical Location - 192.81.133.156
Figure 34 - Email 11 - Dwight Schrute (Counterfeit Account) to Andy Bernard (Wire Transfer)
Figure 35 - X-Originating-IP: 45.33.17.101 (Mail Server)
Figure 36 - IPv4 Geographical Location - 45.33.17.101
Figure 37 - Email 12 - Dwight Schrute (Counterfeit Account) to Andy Bernard (Wire Transfer Second Email)
Figure 38 - Email 12 - Dwight Schrute (Counterfeit Account) to Andy Bernard (Wire Transfer Second Email) (continued)
Figure 39 - X-Originating-IP: 83.110.250.20
Figure 40 - Email 13 - Jim Halpert (Counterfeit Account) to Pam Beesly (Real Account) (Signed by Dwight Schrute)
Figure 41 - X-Originating-IP: 23.239.21.244
Figure 42 - IP Address Lookup Details - 23.239.21.244
Figure 43 - Email 14 - Dwight Schrute (Counterfeit Account) to Andy Bernard (abcglobal.com email)
Figure 44 - X-Originating-IP: 83.110.250.232
Figure 45 - IPv4 Geographical Location - 83.110.250.232
Figure 46 - IP Address Lookup Details - 83.110.250.232
Figure 47 - Email 15 - Jim Halpert (Counterfeit Account) to Dwight Schrute (Real Account)
Figure 48 - Email 15 - Jim Halpert (Counterfeit Account) to Dwight Schrute (Real Account) (continued)
Figure 49 - Jim Halpert (Real Account) to Kevin Malone about Phishing Scam
Figure 50 – IPv6 Geographical Location - 2601:98a:100:57b:206f:26a1:323a:fb5c
Figure 51 - IP Geographical Location – 23.239.21.243
Figure 52 - IPv6 Geographical Location - 2601:98a:100:57b:206f:26a1:323a:fb5c
1.0 Scope
1.1 Purpose
In accordance with the contract signed between American Public University System (APUS) and JLA Enterprise, APUS conducted secondary analysis on report findings provided by Dr. Kevin Malone titled “Attempted 10/15/2019 Fraud against JLA Enterprise Examination Report” along with all necessary evidence associated with that analysis. APUS’s findings are in section three and are provided in chronological order predicated on Coordinated Universal Time (UTC); all other times will be identified appropriately. APUS’s investigation is designed to provide nonbiased additional analysis of Dr. Malone’s initial conclusion.
1.2 Team Overview
The following APUS team members were assigned to conduct the secondary analysis on the report findings provided by Dr. Kevin Malone:
Team Role: Name
Chief Consultant: Prof. Brian Burnett
Chief Cyber Security Researcher: Karisma Mitchell
Senior Cyber Security Researcher: Susan Jones
Senior Cyber Security Researcher: Damon Phillips
Table 1 - Team Overview
1.3 Executive Summary
Over a 48-hour period between October 15 - 17, 2019, Michael SCOTT (Managing Partner, DSS Venture Partners LTD and former consultant to JLA Enterprise) attempted to extort $2.3M USD via wire transfer to a bank in East Hun Chiu from JLA Enterprise using a sophisticated phishing scam. SCOTT crafted 15 emails, created a counterfeit JLAENTREPRISE.COM domain, and five counterfeit email accounts with the purpose of building reputability to attempt to defraud JLA Enterprise. SCOTT fabricated email responses to ensure the individuals in the email chain would believe HE was not involved. On October 17, 2019, at 0237 hours, JLA Enterprise personnel identified the counterfeit domain, triggering an internal investigation and a request for external professional assistance.
2.0 Narrative
On October 15, 2019, at 1938 hours, Michael SCOTT (Managing Partner, DSS Venture Partners LTD and former consultant to JLA Enterprise) accidentally sent an email to Jim Halpert (General Manager, JLA Enterprise) at jhalpert@jlaenterprise.com to confirm JLA Enterprise requested $2.3M USD from an East Hun Chiu based company, which was investing in JLA Enterprise research through Dwight Schrute (former subcontractor to DSS Venture Partners LTD and current Business Partner and Investor in JLA Enterprise). The money was to be transferred to JLA Enterprise’s East Hun Chiu trading account upon closing. SCOTT requested the wire instructions and said HE would forward them to HIS business partner Dwight Schrute. At 1947 hours, SCOTT identified HIS mistake and replied to HIS original email at 1938 hours to explain HE wrote Jim Halpert in error. Within the email, HE mentioned that Dwight Schrute wrote to SCOTT and the account is being set up to wire to JLA Enterprise. At 2054 hours, the counterfeit domain JLAENTREPRISE.COM was registered with GoDaddy.com, LLC. At 2058 hours, SCOTT sent an email chain to Dwight Schrute containing an email discussion related to the wire transfer of $2.3M USD to an East Hun Chiu Bank and two individuals who will manage the account (Dwight Schrute and Pam Beesly). On October 16, 2019, at 0653 hours, SCOTT sent an email from HIS counterfeit Jim Halpert (jhalpert@jlaentreprise.com) account to Dwight Schrute and Pam Beesly. The counterfeit email was designed to appear as if Jim Halpert was telling Dwight Schrute that HE (as Jim Halpert) discussed with Michael (SCOTT) that JLA Enterprise will need to transfer $2.3M USD to an East Hun Chiu trading account. SCOTT also attached wiring instructions.
On October 17, 2019, at 0237 hours, JLA Enterprise personnel identified the counterfeit domain, triggering an internal investigation and a request for external professional assistance. At 1123 hours, SCOTT sent an email response from HIS counterfeit Jim Halpert account to SCOTT’s and Dwight Schrute’s legitimate email accounts, while sending a carbon copy to the counterfeit Jim Halpert email address (officeman198a7@gmail.com). SCOTT’s original email, sent at 0534 hours, questioned if the East Hun Chiu bank routing number was in place and if the transfer would be completed by Friday or Monday when the bank was open. SCOTT’s fraudulent response thanked HIMSELF and asked if the transfer of $2.3M USD would come in a one-time transfer since they had waited a long time for the money.
On October 17, 2019, at 1209 hours, SCOTT sent another counterfeit email, this time posing as Dwight Schrute (dwightschrute68@gmail.com), with the goal of establishing further legitimacy for the wire transfer. The email, addressed to Andy Bernard (CEO and Founder of JLA Enterprise) and Jim Halpert, stated Dwight Schrute’s company now runs the East Hun Chiu investor, since the DSS contract with JLA Enterprise had already expired. At 1325 hours, SCOTT sent an email to Dwight Schrute from HIS counterfeit Jim Halpert email account. The email contained information regarding the money transfer and asked to maintain contact with him directly.
On October 17, 2019, at 1337 hours, SCOTT sent another counterfeit email, this time posing as Andy Bernard (abernard@jlaentreprise.com), addressed to Dwight Schrute’s and Pam Beesly’s legitimate email accounts while sending a carbon copy to HIS counterfeit Jim Halpert email address (jhalpert@jlaentreprise.com). SCOTT (as Andy Bernard) stated he would read all the emails again and provide an answer later that day. However, he (as Andy Bernard) asked Dwight Schrute to acknowledge the new wiring instructions as confirmed by Jim Halpert. He asked Dwight Schrute to work directly with him (Jim Halpert) on the project. At 1431 hours, SCOTT sent a second email to Andy Bernard from HIS counterfeit Dwight Schrute email account with hopes of Andy Bernard approving the wire transfer to Dwight Schrute. SCOTT’s fraudulent email stated that SCOTT was becoming a nuisance by emailing and texting via WhatsApp 2 to 3 times a day asking for the progress of the money transfer. SCOTT was attempting to convince Andy Bernard that he (Dwight Schrute) would still pay SCOTT even though on past contracts, HE did not perform appropriately by Dwight Schrute.
On October 17, 2019, at 1443 hours, SCOTT sent an email from HIS counterfeit Dwight Schrute email account to Andy Bernard’s legitimate email account and HIS counterfeit Jim Halpert and Pam Beesly email accounts. SCOTT’s fraudulent email as Dwight Schrute attempted to make Andy Bernard believe he (Dwight Schrute) spoke with SCOTT and confirmed the East Hun Chiu account was available for JLA Enterprise to transfer the money. At 1445 hours, SCOTT sent another email using HIS counterfeit Dwight Schrute email account to Andy Bernard, and carbon copied HIS counterfeit Pam Beesly email account. In the email, HE intended to get Andy Bernard to approve wiring to a specific account as identified in a previous email. HE asked Andy to reply and confirm. At 1459 hours, SCOTT sent an email from HIS counterfeit Dwight Schrute email account to HIS counterfeit Pam Beesly and a carbon copy to Andy Bernard’s and Jim Halpert’s legitimate email accounts. In the email chain, SCOTT attempted to get the final confirmation between JLA Enterprise and Pam Beesly to transfer $2.3M USD.
On October 17, 2019, at 1506 hours, SCOTT sent an email from HIS counterfeit Jim Halpert email account to Pam Beesly and Dwight Schrute and a carbon copy to HIS counterfeit Andy Bernard email account to confirm the money transfer. Within the email, SCOTT made the mistake of signing as Dwight Schrute rather than Jim Halpert. At 1542 hours, SCOTT sent an email to Andy Bernard’s legitimate email account from HIS Dwight Schrute’s counterfeit email account to confirm his (Andy Bernard’s) request to send the funds to JLA Enterprise’s Wells Fargo account.
On October 19, 2019, at 1202 hours, SCOTT sent an email from HIS counterfeit Jim Halpert email account to Dwight Schrute and Pam Beesly and carbon copied HIS counterfeit Andy Bernard email account. SCOTT’s email asked Dwight Schrute and Pam Beesly if the money transfer of $2.3M USD was still on track and if they had the bank routing number to complete the transaction. SCOTT continued to push for immediate confirmation in each email sent. At 2233 hours, Jim Halpert forwarded an email chain to Dr. Kevin Malone (Technical Consultant, JLA Enterprise), where Dwight Schrute wrote on October 17, 2019, at 0237 hours, stating that any email containing “JLAENTREPRISE.COM” is a fake email. JLA Enterprise started their initial investigation into the phishing scam. On November 02, 2019, Dr. Malone contacted APUS to request secondary forensic analysis on his findings.
3.0 Findings
3.1 Quick View
The table below is designed to provide a quick view of all the identified findings. Each link will take you to the section with a detailed report of the findings.
#  Findings Title
3.2  Email 1: Sabre Project - October 15, 2019 - 1938 hours
3.3  Email 2: Sabre Project - October 15, 2019 - 1947 hours
3.4  JLAEntreprise.com Domain Created - October 15, 2019 - 2054 hours
3.5  Email 3: Sabre Project - October 15, 2019 - 2258 hours
3.6  Email 4: Sabre Project - October 16, 2019 - 0653 hours
3.7  Email 5: Sabre Project - October 17, 2019 - 1123 hours
3.8  Email 6: JLA Enterprise and Sabre Project - October 17, 2019 - 1209 hours
3.9  Email 7: Sabre Project - October 17, 2019 - 1325 hours
3.10  Email 8: Sabre Project - October 17, 2019 - 1337 hours
3.11  Email 9: JLA Enterprise and Sabre Project - October 17, 2019 - 1431 hours
3.12  Email 10: Sabre Project Wiring Instruction - October 17, 2019 – 1443 hours
3.13  Email 11: Sabre Project Wire Transfer - October 17, 2019 - 1445 hours
3.14  Email 12: Sabre Project Wire Transfer - October 17, 2019 - 1459 hours
3.15  Email 13: Sabre Project Wiring Instruction - October 17, 2019 - 1506 hours
3.16  Email 14: Sabre Project Wire Transfer - October 17, 2019 - 1542 hours
3.17  Email 15: Sabre Project Wiring Instruction - October 19, 2019 - 1202 hours
3.18  Phishing Scam Sent to JLA Enterprise Consultant - October 19, 2019 - 2233 hours
3.2 Email 1: Sabre Project - October 15, 2019 - 1938 hours
On October 15, 2019, at 1938 hours, Michael SCOTT (Managing Partner, DSS Venture Partners LTD and former consultant to Flow Pharma) accidentally sent an email to Jim Halpert (General Manager, JLA Enterprise) at jhalpert@jlaenterprise.com to confirm JE (Forensic Comment: APUS believes JE stands for JLA Enterprise) requested $2.3M USD from an East Hun Chiu based company, who was investing in JLA Enterprise research through Dwight Schrute (former subcontractor to DSS Venture Partners LTD and current Business Partner and Investor in JLA Enterprise). The money was to be transferred to JLA Enterprise’s EHC (Forensic Comment: APUS believes EHC stands for East Hun Chiu) trading account upon closing. SCOTT requested the wire instructions and said HE would forward them to HIS business partner Dwight Schrute.
Analyzing the raw email message information, APUS determined the email was auto-forwarded by Halpert’s jlaenterprise.com email account to officeman1987a@gmail.com (Halpert’s personal email account). The email message originated (“x-originating-ip” located in the raw email header) from 2601:98a:100:57b:206f:26a1:323a:fb5c, a Scranton, PA, USA, Comcast Internet Protocol Version 6 (IPv6) address (Figures 2 and 3).
Figure 1 - Email 1 - Michael SCOTT to Jim Halpert (Start of Phishing Attempt)
Figure 2 - jimhalpert@jlaenterprise.com auto-forwards to officeman1987a@gmail.com and SCOTT’s IPv6 address
Figure 3 - IPv6 Geographical Location - 2601:98a:100:57b:206f:26a1:323a:fb5c
3.3 Email 2: Sabre Project - October 15, 2019 - 1947 hours
On October 15, 2019, at 1947 hours, SCOTT identified HIS mistake and replied to HIS original email at 1938 hours to explain HE wrote Jim Halpert in error. Within the email, HE mentioned that Dwight Schrute wrote to SCOTT and the account is being set up to wire to JD (Forensic Comment: APUS believes JD is a typo for JE for JLA Enterprise). Analyzing the raw email message information, the email was delivered to officeman1987a@gmail.com (Figure 4). The message originated (“x-originating-ip” located in the raw email header) from 83.110.250.231, an Emirates Telecommunications Corporation, United Arab Emirates address (Figures 5 and 6).
The timestamp on the message in Figure 4 is Tuesday, October 16, 2019, 3:38:14 AM, indicating that SCOTT’s local client is operating in the +0800 (UTC+8) time zone, which corresponds with East Hun Chiu local time and HIS signature block location. SCOTT sent the message to cover up the mistake made in Email 1. In this second message, SCOTT changed HIS IP address, which indicates a VPN or Proxy; however, Figure 5 below reported the IP was not a proxy or VPN.
Figure 4 - jimhalpert@jlaenterprise.com auto-forwards to officeman1987a@gmail.com and SCOTT’s IPv4 address
Figure 5 - IP Address Lookup Details - 83.110.250.231
Figure 6 - IPv4 Geographical Location - 83.110.250.231
Figure 7 - Email 2 - Michael SCOTT to Jim Halpert (Covering Mistake)
3.4 JLAENTREPRISE.com Domain Created - October 15, 2019 - 2054 hours
On October 15, 2019, at 2054 hours, the counterfeit domain JLAENTREPRISE.COM (Forensic Comment: Switching the er to re) was registered and set up to use Microsoft Office 365/online Outlook mail according to an MX (Mail eXchange) query that shows JLAENTREPRISE.COM was registered as “jlaentreprise-com.mail.protection.outlook.com.” This is very significant since Outlook 365 includes “x-originating-ip” headers on all sent messages, which include the IP address sending the messages. According to WHOIS (Figure 9), the jlaentreprise.com domain was registered with GoDaddy.com, LLC with a creation date of October 15, 2019 at 2054 hours. Figure 10 displays the geographical location as Scottsdale, AZ, coinciding with GoDaddy.com, LLC headquarters.
Figure 8 - MX Query - JLAENTREPRISE.COM
Figure 9 - Whois Information (jlaentreprise.com)
Figure 10 - IP Geographical Location - 50.63.202.52 (jlaentreprise.com)
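The header checks this section relies on, as an added example that is not part of the original report: it pulls the “x-originating-ip” value, normalizes the Date header to UTC, and flags any address whose domain is within two edits (counting an adjacent swap such as er/re as one) of the legitimate domain. The two sample messages are constructed; only their addresses and IP addresses come from the report, while the Date values, the function names, and the distance threshold are assumptions.

```python
"""Header triage for a lookalike-domain phishing chain (added example)."""
import ipaddress
from datetime import timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

LEGIT_DOMAIN = "jlaenterprise.com"  # the organisation's real domain, per the report
MAX_DISTANCE = 2                    # assumption: how many edits still "look alike"

# Constructed sample headers. Addresses and IPs are the ones quoted in the
# report; the Date values are assumptions chosen to match the stated UTC times.
EMAIL_2 = """\
From: michael@dssvc.com
To: jhalpert@jlaenterprise.com
Subject: Sabre Project
Date: Wed, 16 Oct 2019 03:47:00 +0800
X-Originating-IP: [83.110.250.231]

(body omitted)
"""
EMAIL_4 = """\
From: Jim Halpert <jhalpert@jlaentreprise.com>
To: dwightschrute68@gmail.com, nee.beesly@gmail.com
Cc: michael@dssvc.com, abernard@jlaentreprise.com, officeman198a7@gmail.com
Subject: Sabre Project
Date: Wed, 16 Oct 2019 06:53:00 +0000
X-Originating-IP: [23.239.21.243]

(body omitted)
"""


def osa_distance(a, b):
    """Edit distance where swapping two adjacent characters costs 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "er" <-> "re".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]


def triage(raw, legit_domain=LEGIT_DOMAIN):
    """Return origin IP, UTC send time, client UTC offset and lookalike senders."""
    msg = message_from_string(raw)

    # The header value is normally bracketed: [a.b.c.d] or [v6 address].
    origin = (msg.get("X-Originating-IP") or "").strip().strip("[]")
    try:
        ip = ipaddress.ip_address(origin)
    except ValueError:
        ip = None  # header absent or malformed

    sent_utc = offset_hours = None
    try:
        when = parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None
    except (TypeError, ValueError):
        when = None
    if when is not None and when.tzinfo is not None:
        sent_utc = when.astimezone(timezone.utc).isoformat()
        offset_hours = when.utcoffset().total_seconds() / 3600

    lookalikes = set()
    for header in ("From", "Reply-To", "To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            domain = addr.rpartition("@")[2].lower()
            # Distance 0 is the real domain; 1..MAX_DISTANCE is a near miss.
            if domain and 0 < osa_distance(domain, legit_domain) <= MAX_DISTANCE:
                lookalikes.add(addr.lower())

    return {
        "origin_ip": str(ip) if ip else None,
        "ip_version": ip.version if ip else None,
        "sent_utc": sent_utc,
        "utc_offset_hours": offset_hours,
        "lookalikes": sorted(lookalikes),
    }


if __name__ == "__main__":
    for label, raw in (("Email 2", EMAIL_2), ("Email 4", EMAIL_4)):
        print(label, triage(raw))
```

Running the same function over every message in a mailbox export gives a per-message table of origin IP, UTC time and client offset that can be sorted into the chronological view used in the findings.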
3.5 Email 3: Sabre Project - October 15, 2019 - 2258 hours
On October 15, 2019, at 2258 hours, SCOTT sent an email chain to Dwight Schrute containing an email discussion related to the wire transfer of $2.3M USD to an East Hun Chiu Bank and highlighting the two individuals who will manage the account (Dwight Schrute and Pam Beesly). The email SCOTT sent to Dwight Schrute was from an IPv6 address (2601:98a:100:57b:206f:26a1:323a:fb5c), showing Scranton, PA. Also of note, SCOTT sent this email from HIS legitimate michael@dssvc.com address.
Figure 11 - michael@dssvc.com email to dwightschrute68@gmail.com and SCOTT’s IPv6 address
(Forensic Comment: Due to size of email, it has been split into two images, Figure 12 and 13).
Figure 12 - Email 3 - Michael SCOTT to Dwight Schrute (Phishing Employee)
Figure 13 - Email 3 - Michael SCOTT to Dwight Schrute (Phishing Employee) (continued)
3.6 Email 4: Sabre Project - October 16, 2019 - 0653 hours
On October 16, 2019, at 0653 hours, SCOTT sent an email from HIS counterfeit Jim Halpert account to Dwight Schrute and Pam Beesly (Forensic Comment: APUS confirmed in later emails that nee.beesly@gmail.com belongs to Pam Beesly). SCOTT included on carbon copy HIS email (michael@dssvc.com) and the counterfeit email addresses for Andy Bernard (abernard@jlaentreprise.com) and Jim Halpert (officeman198a7@gmail.com). In the email, Jim Halpert (Forensic Comment: APUS believes SCOTT wrote this email) told Dwight he discussed with Michael SCOTT, that JE (Forensic Comment: APUS believes JE to be JLA Enterprise) will need the $2.3M USD transferred to a trading account in EHC (Forensic Comment: APUS believes EHC to be East Hun Chiu) bank and attached the wiring instructions (Appendix A).
The message originated (“x-originating-ip” located in the raw email header) from 23.239.21.243, Hosting Services, Inc, located in Fremont, CA, which is confirmed as a VPN as shown in Figures 14 and 15. This is the first attempt by SCOTT to use a VPN. Since SCOTT used several different emails, the VPN showed a different location than when HE emailed directly from michael@dssvc.com.
Figure 14 - IP Address Lookup Details - 23.239.21.243
Figure 15 - IPv4 Geographical Location - 23.239.21.243
Figure 16 - Email 4 - Jim Halpert (Counterfeit Account) to Dwight Schrute (Phishing Attempt)
3.7 Email 5: Sabre Project - October 17, 2019 - 1123 hours
On October 17, 2019, at 1123 hours, SCOTT sent an email response from HIS counterfeit Jim Halpert account to SCOTT’s and Dwight Schrute’s legitimate email accounts, while sending a carbon copy to the counterfeit Jim Halpert email address (officeman198a7@gmail.com). SCOTT’s original email, sent at 0534 hours (Figure 19), questioned if the BR# (Forensic Comment: APUS believes BR# is bank routing number) was in place and if the transfer would be completed on Friday or Monday when the bank is open. SCOTT’s fraudulent response thanked HIMSELF and asked if the transfer of $2.3M USD would come in a one-time transfer since they had waited a long time for the money.
The message originated (“x-originating-ip” located in the raw email header and Figure 17) from 83.110.250.20, an Emirates Telecommunications Corporation, United Arab Emirates address (Figure 18). The email chain in Figure 19 further confirmed SCOTT created both counterfeit Jim Halpert accounts (jhalpert@jlaentreprise.com and officeman198a7@gmail.com).
Figure 17 - jhalpert@jlaentreprise.com used an IPv4 address from a location previously used by SCOTT’s email account
Figure 18 - IPv4 Geographical Location - 83.110.250.20
Figure 19 - Email 5 - Jim Halpert (Counterfeit Account) to Michael SCOTT and Dwight Schrute (Confirm Payment)
3.8 Email 6: JLA Enterprise and Sabre Project - October 17, 2019 - 1209 hours
On October 17, 2019, at 1209 hours, SCOTT sent another counterfeit email, this time posing as Dwight Schrute (dwightschrute86@gmail.com) with the goal of establishing further legitimacy for the wire transfer (Forensic Comment: SCOTT’s first email using the counterfeit Dwight Schrute email account). In the email, SCOTT (as Dwight Schrute) asked Dr. Jim (Forensic Comment: APUS believes this to be Jim Halpert) to be the contact person with Prof. Kapoor (Vice-chancellor, East Hun Chiu University Medical School) (Forensic Comment: SCOTT is using this part of the email message to establish that HE is Dwight Schrute and knows of a project that JLA Enterprise is working on). In the second part of the email, SCOTT stated his (Dwight Schrute’s) company now runs the East Hun Chiu investor, since the DSS contract with JLA Enterprise had already expired. The message originated (“x-originating-ip” located in the raw email header and Figure 20) from 192.155.90.47, a Microsoft Corporation outbound Outlook mail server in Newark, NJ (Figure 21).
Figure 20 - abernard@jlaenterprise.com auto-forwards to andybernard@abcglobal.com
Figure 21 - IPv4 Geographical Location - 192.155.90.47
Figure 22 - Email 6 - Dwight Schrute (Counterfeit Account) to Andy Bernard and Jim Halpert (Legitimacy)
3.9 Email 7: Sabre Project - October 17, 2019 - 1325 hours
On October 17, 2019, at 1325 hours, SCOTT sent an email to Dwight Schrute from HIS counterfeit Jim Halpert email account. The email contained information regarding the money transfer and how there were new wiring instructions. SCOTT also expressed the wish to maintain contact with him directly. The email SCOTT sent to Dwight Schrute was from an IPv6 address (2601:98a:100:57b:206f:26a1:323a:fb5c), showing Scranton, PA, a location used to send emails in section 3.2 Email 1: Sabre Project - October 15, 2019 - 1938 hours and section 3.5 Email 3: Sabre Project - October 15, 2019 - 2258 hours.
Figure 23 - jhalpert@jlaentreprise.com to dwightschrute68@gmail.com
Figure 24 - Email 7 - Jim Halpert (Counterfeit Account) to Dwight Schrute (Correspondence over Email)
Figure 25 - Email 7 - Jim Halpert (Counterfeit Account) to Dwight Schrute (Correspondence over Email) (continued)
3.10 Email 8: Sabre Project - October 17, 2019 - 1337 hours
On October 17, 2019, at 1337 hours, SCOTT sent another counterfeit email, this time posing as Andy Bernard (abernard@jlaentreprise.com), addressed to Dwight Schrute’s and Pam Beesly’s legitimate email accounts while sending a carbon copy to the counterfeit Jim Halpert email address (jhalpert@jlaentreprise.com). Andy Bernard (Forensic Comment: The email account is controlled by SCOTT) stated HE (as Andy Bernard) would read all the emails again and provide an answer later that day. However, HE (as Andy Bernard) asked Dwight Schrute to acknowledge the new wiring instructions as confirmed by Dr. Jim (Forensic Comment: APUS believes this to be Jim Halpert). Andy Bernard asked Dwight Schrute to work directly with him on the project. The message originated (“x-originating-ip” located in the raw email header and Figure 26) from 83.110.250.20, the same IPv4 address used during section 3.7 Email 5: Sabre Project - October 17, 2019 - 1123 hours and section 3.9 Email 7: Sabre Project - October 17, 2019 - 1325 hours. The IPv4 address is now associated with SCOTT, Jim Halpert’s counterfeit email account and Andy Bernard’s counterfeit email account.
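The correlation described above (one originating address appearing under several sender accounts) can be reproduced mechanically. The following is an added example, not part of the original report: the raw headers are constructed samples using addresses and IPs quoted in the report, the function names are hypothetical, and michael@dssvc.com as the sender of the IPv6 message is an assumption.

```python
import ipaddress
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers. Addresses and IPs are quoted from the report;
# the header layout is illustrative, and the sender of the fourth message
# (michael@dssvc.com) is an assumption.
RAW_MESSAGES = [
    "From: Jim Halpert <jhalpert@jlaentreprise.com>\n"
    "X-Originating-IP: [83.110.250.20]\n\nbody\n",
    "From: Andy Bernard <abernard@jlaentreprise.com>\n"
    "X-Originating-IP: [83.110.250.20]\n\nbody\n",
    "From: Jim Halpert <jhalpert@jlaentreprise.com>\n"
    "X-Originating-IP: [2601:98a:100:57b:206f:26a1:323a:fb5c]\n\nbody\n",
    # Same IPv6 address, written with leading zeros and upper case.
    "From: Michael Scott <michael@dssvc.com>\n"
    "X-Originating-IP: [2601:098A:0100:057B:206F:26A1:323A:FB5C]\n\nbody\n",
    "From: Dwight Schrute <dwightschrute86@gmail.com>\n"
    "X-Originating-IP: 173.230.128.135\n\nbody\n",
    # No X-Originating-IP header: must be skipped, not crash the run.
    "From: Pam Beesly <nee.beesly@gmail.com>\n\nbody\n",
]


def originating_ip(raw):
    """Return (sender address, normalized IP string or None) for one message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    value = (msg.get("X-Originating-IP") or "").strip().strip("[]")
    try:
        # ipaddress normalizes case and zero padding so equal addresses compare equal.
        return sender, str(ipaddress.ip_address(value))
    except ValueError:
        return sender, None  # header absent or not a valid IP literal


def shared_origins(raw_messages):
    """Map each originating IP to its sender accounts, keeping IPs seen under 2+ accounts."""
    by_ip = defaultdict(set)
    for raw in raw_messages:
        sender, ip = originating_ip(raw)
        if ip and sender:
            by_ip[ip].add(sender)
    return {ip: sorted(senders) for ip, senders in by_ip.items() if len(senders) > 1}


if __name__ == "__main__":
    for ip, senders in shared_origins(RAW_MESSAGES).items():
        print(ip, "->", ", ".join(senders))
```

X-Originating-IP is a non-standard header written by the sending mail service, so a match is a lead to corroborate against the Received chain and provider records rather than proof on its own.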
Figure 26 - abernard@jlaentreprise.com to dwightschrute68@gmail.com and nee.beesly@gmail.com
Figure 27 - Email 8 - Andy Bernard (Counterfeit Account) to Dwight Schrute and Pam Beesly
3.11 Email 9: JLA Enterprise and Sabre Project - October 17, 2019 - 1431 hours
On October 17, 2019, at 1431 hours, SCOTT sent a second email to Andy Bernard from HIS counterfeit Dwight Schrute account in the hope that Andy Bernard would approve the wire transfer to Dwight Schrute. SCOTT’s fraudulent email stated that SCOTT was becoming a nuisance by emailing and texting via WhatsApp 2 to 3 times a day asking for the progress of the money transfer. SCOTT was attempting to convince Andy Bernard that he (Dwight Schrute) would still pay SCOTT even though on past contracts, HE did not perform appropriately by Dwight Schrute. SCOTT as Dwight Schrute even offered to call the government office to help move along the $2.3M USD money transfer.
Figure 28 - Email 9 - Dwight Schrute (Counterfeit Account) to Andy Bernard (Establishing Legitimacy)
3.12 Email 10: Sabre Project Wiring Instruction - October 17, 2019 – 1443 hours
On October 17, 2019, at 1443 hours, SCOTT sent an email from HIS counterfeit Dwight Schrute email account to Andy Bernard’s legitimate email account and HIS counterfeit Jim Halpert and Pam Beesly email accounts. SCOTT’s fraudulent email as Dwight Schrute attempted to make Andy Bernard believe he (Dwight Schrute) spoke with SCOTT and confirmed the East Hun Chiu account was available for JLA Enterprise to transfer the money. The message originated (“x-originating-ip” located in the raw email header and Figure 29) from 173.230.128.135, a Microsoft Corporation mail server, Atlanta, GA (Figure 30).
Figure 29 - abernard@jlaenterprise.com auto-forwards to andybernard@abcglobal.com
Figure 30 - IPv4 Geographical Location - 173.230.128.135
Figure 31 - Email 10 - Dwight Schrute (Counterfeit Account) to Andy Bernard (Wiring Instructions)
3.13 Email 11: Sabre Project Wire Transfer - October 17, 2019 - 1445 hours
On October 17, 2019, at 1445 hours, SCOTT sent another email using HIS counterfeit Dwight Schrute email account to Andy Bernard, and carbon copied HIS counterfeit Pam Beesly email account. In the email, HE intended to get Andy Bernard to approve wiring to a specific account as identified in a previous email. HE asked Andy to reply and confirm. The message originated (“x-originating-ip” located in the raw email header and Figure 32) from 192.81.133.156, a different mail server for Microsoft Corporation in Fremont, CA (Figure 33).
Figure 32 - X-Originating-IP: 192.81.133.156 (Mail Server in California)
Figure 33 - IPv4 Geographical Location - 192.81.133.156
Figure 34 - Email 11 - Dwight Schrute (Counterfeit Account) to Andy Bernard (Wire Transfer)
3.14 Email 12: Sabre Project Wire Transfer - October 17, 2019 - 1459 hours
On October 17, 2019, at 1459 hours, SCOTT included an email chain (Wiring Instruction) with confirmation on the wire instructions from Andy Bernard and Pam Beesly. At the beginning of the email chain (Figure 38), SCOTT included Andy Bernard’s response confirming the wire instructions from an email discussion between 1445 hours and 1455 hours. In the next two emails in the chain (Figures 37 and 38), Dwight Schrute wrote to Pam Beesly explaining that JLA Enterprise would like the wire transfer to go to the East Hun Chiu account (Appendix A) and not the Wells Fargo account. Pam Beesly replied that if the company is not blacklisted, the transfer to the East Hun Chiu account should be fine. Pam went on to explain the information needed regarding contract paperwork and banking information to make the transfer possible. In the last part of the email chain (Figure 37), SCOTT included an email from HIS counterfeit Pam Beesly email account to Andy Bernard mentioning the wire transfer to the East Hun Chiu account was not good to go, to keep with the original wire transfer and HE (as Pam Beesly) would update if there was more information.
In the final email (Figure 37), SCOTT emailed HIS counterfeit Pam Beesly email account and carbon copied the real Andy Bernard email account using HIS counterfeit Dwight Schrute email account. In this email, as Dwight Schrute, SCOTT told Andy Bernard they will be sending the wire to HIS (as Dwight Schrute) account as confirmed. The message originated (“x-originating-ip” located in the raw email header and Figure 35) from 45.33.17.101, another Microsoft Corporation mail server in Dallas, TX (Figure 36).
Figure 35 - X-Originating-IP: 45.33.17.101 (Mail Server)
Figure 36 - IPv4 Geographical Location - 45.33.17.101
Figure 37 - Email 12 - Dwight Schrute (Counterfeit Account) to Andy Bernard (Wire Transfer Second Email)
Figure 38 - Email 12 - Dwight Schrute (Counterfeit Account) to Andy Bernard (Wire Transfer Second Email) (continued)
3.15 Email 13: Sabre Project Wiring Instruction - October 17, 2019 - 1506 hours
On October 17, 2019, at 1506 hours, SCOTT sent an email from HIS counterfeit Jim HALPERT email account to Pam BEESLY and Dwight SCHRUTE and a carbon copy to HIS counterfeit Andy BERNARD email account to confirm the money transfer. Within the email, SCOTT made the mistake of signing as Dwight SCHRUTE rather than Jim HALPERT. The message originated (“x-originating-ip” located in the raw email header and Figure 39) from 83.110.250.20, an Emirates Telecommunications Corporation, United Arab Emirates.
Figure 39 - X-Originating-IP: 83.110.250.20
Figure 40 - Email 13 - Jim Halpert (Counterfeit Account) to Pam Beesly (Real Account) (Signed by Dwight Schrute)
3.16 Email 14: Sabre Project Wire Transfer - October 17, 2019 - 1542 hours
On October 17, 2019, at 1542 hours, SCOTT sent an email to Andy Bernard’s abcglobal.net email account from HIS counterfeit Dwight Schrute email account. In the email, Andy Bernard responded to Pam Beesly (Figure 43) asking for the funds to be transferred to JLA Enterprise’s Wells Fargo account in California. As Dwight Schrute, SCOTT responded to Andy Bernard to confirm the transaction to JLA Enterprise’s Wells Fargo account and asked Andy to send the “Contract Agreement” by replying to the email request. The message originated (“x-originating-ip” located in the raw email header and Figure 41) from 23.239.21.244, an IP address that is considered high risk and a VPN (Figure 42). (Forensic Comment: IP Geographical Location unknown).
Figure 41 - X-Originating-IP: 23.239.21.244
Figure 42 - IP Address Lookup Details - 23.239.21.244
Figure 43 - Email 14 - Dwight Schrute (Counterfeit Account) to Andy Bernard (abcglobal.com email)
3.17 Email 15: Sabre Project Wiring Instruction - October 19, 2019 - 1202 hours
On October 19, 2019, at 1202 hours, SCOTT sent an email from HIS counterfeit Jim Halpert email account to Dwight Schrute and Pam Beesly and carbon copied HIS counterfeit Andy Bernard email account. In the email, SCOTT (as Jim Halpert) asked Pam and Dwight if the money transfer of $2.3M USD was still on track and if they had the BR# (Forensic Comment: APUS believes BR# is bank routing number) (Appendix A) to complete the transaction. HE later asked whether, once the contract and instructions were provided, the wire transfer for $2.3MM would be good to go. At the end of the email, HE asked for them to confirm immediately. The message originated (“x-originating-ip” located in the raw email header and Figure 44) from 83.110.250.232, an Emirates Telecommunications Corporation, United Arab Emirates (Figure 45), an IP address that is considered low risk and not a VPN (Figure 46).
Figure 44 - X-Originating-IP: 83.110.250.232
Figure 45 - IPv4 Geographical Location - 83.110.250.232
Figure 46 - IP Address Lookup Details - 83.110.250.232
Figure 47 - Email 15 - Jim Halpert (Counterfeit Account) to Dwight Schrute (Real Account)
Figure 48 - Email 15 - Jim Halpert (Counterfeit Account) to Dwight Schrute (Real Account) (continued)
3.18 Phishing Scam Sent to JLA Enterprise Consultant - October 19, 2019 - 2233 hours
On October 19, 2019, at 2233 hours, Jim Halpert forwarded an email chain to Dr. Kevin Malone (Technical Consultant, JLA Enterprise), in which Dwight Schrute wrote on October 17, 2019, at 0237 hours, stating that any email containing “JLAENTREPRISE.COM” is a fake email. In this forwarded email, Halpert explained to Dr. Malone that multiple fake email addresses, both personal and JLA Enterprise, existed. He also highlighted that there were fake Dwight Schrute and Andy Bernard emails as well.
Figure 49 - Jim Halpert (Real Account) to Kevin Malone about Phishing Scam
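A sender check for the lookalike domain described in this section, as an added example that is not part of the original report. It assumes jlaenterprise.com (the spelling shown in the Figure 20 caption) is the organization's legitimate domain; the function names and the distance threshold are hypothetical.

```python
from email.utils import parseaddr

# Assumption: the organization's real mail domain (spelling from the Figure 20 caption).
TRUSTED_DOMAINS = {"jlaenterprise.com"}


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein edits plus adjacent
    transposition, so a swapped letter pair counts as one edit."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def classify_sender(from_header, max_distance=2):
    """Classify a From header as trusted, lookalike, external or unparseable."""
    address = parseaddr(from_header)[1].lower()
    _local, at, domain = address.rpartition("@")
    if not at or not domain:
        return "unparseable"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # A near miss of a trusted domain is more suspicious than an unrelated one.
    if any(osa_distance(domain, t) <= max_distance for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed From headers using addresses quoted in the report.
    for header in ("Jim Halpert <jhalpert@jlaentreprise.com>",
                   "Andy Bernard <abernard@jlaenterprise.com>",
                   "Jim Halpert <officeman198a7@gmail.com>"):
        print(classify_sender(header), header)
```

The "external" result covers the free-mail impersonation accounts: the display name matches a known person but the domain is not a corporate one.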
4.0 Conclusion
APUS reviewed two additional emails sent by SCOTT months before HE attempted this phishing scam to show that IP addresses and locations throughout the findings in the report are directly linked to SCOTT.
4.1 Email 1: - June 01, 2019 - 0710 hours
On June 01, 2019, at 0710 hours, SCOTT sent an email to Andy Bernard from an IPv6 address (2601:98a:100:57b:206f:26a1:323a:fb5c), showing Scranton, PA, a location used to send emails in section 3.2 Email 1: Sabre Project - October 15, 2019 - 1938 hours and section 3.5 Email 3: Sabre Project - October 15, 2019 - 2258 hours.
Figure 50 – IPv6 Geographical Location - 2601:98a:100:57b:206f:26a1:323a:fb5c
4.2 Email 2: - August 02, 2019 - 1808 hours
On August 02, 2019, at 1808 hours, SCOTT sent an email to Andy Bernard that had an IP address of 23.239.21.243 (a mail server) located in Fremont, CA with an IPv6 address (2601:98a:100:57b:206f:26a1:323a:fb5c), showing Scranton, PA, a location used to send emails in section 3.2 Email 1: Sabre Project - October 15, 2019 - 1938 hours and section 3.5 Email 3: Sabre Project - October 15, 2019 - 2258 hours.
Figure 51 - IP Geographical Location – 23.239.21.243
Figure 52 - IPv6 Geographical Location - 2601:98a:100:57b:206f:26a1:323a:fb5c
5.0 Recommendations
APUS concurs with Dr. Kevin Malone's recommendations as outlined below:
1. A 2-factor approach be established in advance to handle any transfer of funds. Use at least 2-communication channels (Phone, E-mail, Text Messages, Secure Chat).
2. Use Corporate e-mail addresses only.
3. Leveraging secure messaging technology, such as Signal and Wire, when available.
If needed, this APUS forensic report is written with the intent of being referred to potential law enforcement agencies for further investigation.
Appendix A: Wiring Instructions (Fraudulent EAST HUN CHIU Account)