NIST Data Leakage Investigation — Incident Report

The suspect is identified as "Iaman Informant," a user with a local account named "informant" on the PC. The resignation letter file "Resignation_Letter_(Iaman_Informant).docx" was found on the informant user's Desktop (inode 23554) and in Windows/Office Recent Items, with an active temp file "~$signation_Letter_(Iaman_Informant).docx" (deleted) indicating it was open during the incident. An XPS version was also present (inode 72008). The user profile at Users/informant contains NTUSER.DAT (inode 521), Outlook data, and full browser/cloud tool installations. Two user accounts exist on the PC: "admin11" (likely the primary employee) and "informant" — the latter is the exfiltrating actor.

The informant user accessed and staged multiple confidential "secret project" documents from the PC, as evidenced by LNK files in both Windows Recent and Office Recent folders:
- (secret_project)_pricing_decision.xlsx (Office Recent inode 4219; Windows Recent inode 4249)
- [secret_project]_design_concept (Office Recent inode 71947)
- [secret_project]_final_meeting.pptx (Office Recent inode 7508; Windows Recent inode 4166)
- [secret_project]_proposal (Windows Recent inode 70401; Office Recent inode 71235)
- secret.lnk (Windows Recent inode 70488)
- winter_whether_advisory.zip (Windows Recent inode 20180) — later found deleted on RM2 USB

The presence of LNK entries in both Office Recent and Windows Recent confirms actual file opens, not just filesystem navigation. The secret project covers design concepts, final meeting presentations, proposals, and pricing decisions — indicating highly sensitive business intelligence was targeted.

Evidence confirms at least four exfiltration vectors used by the informant:

1. USB exFAT Drive (RM1): 74.6 MB image; bulk_extractor found emails, URLs, EXIF data, and ZIP content including government document fragments.

2. USB FAT32 Drive (RM2): 243.2 MB image; fls recovered 13+ windows of deleted files including folders: design/ (winter_storm.amr, winter_whether_advisory.zip), PRICIN~1/ (my_favorite_cars.db, my_favorite_movies.7z, super_bowl.avi), progress/ (my_friends.svg, my_smartphone.png, new_year_calendar.one), proposal/ (a_gift_from_you.gif, landscape.png), TECHNI~1/ (diary_#1d.txt through diary_#3p.txt). All files deleted from USB after use.

3. CD-R (RM3): 90.2 MB ISO image; bulk_extractor found government document fragments with NASA GSFC URLs (nodis3.gsfc.nasa.gov, n=36), DOE (sc.doe.gov, n=16), Whitehouse.gov, PNAS.org, and email addresses mmeyer@mail.hq.nasa.gov, mmun@loc.gov, th276a@nih.gov.

4. Google Drive: googledrivesync.exe downloaded to informant's Downloads (inode 72145 with Zone.Identifier). Google Drive installed under Users/informant/AppData/Local/Google/Drive/ with sync_log.log, snapshot.db, sync_config.db all deleted post-use. Google Drive shortcut on Desktop (inode 75066) also deleted.

5. iCloud: icloudsetup.exe downloaded (inode 72096 with Zone.Identifier). iCloud Control Panel 4.0.6.28 installer cache found deleted from ProgramData/Apple/Installer Cache/. Apple Software Update present in informant AppData.

winter_whether_advisory.zip appears in both the PC (Windows Recent LNK) and RM2 USB ($OrphanFiles), directly linking the two.

Bulk_extractor analysis of the removable media confirms government agency documents were exfiltrated:

Email addresses embedded in documents on removable media:
- mmeyer@mail.hq.nasa.gov (NASA HQ) — found in RM2 and RM3 (inside a ZIP/Word document)
- mmun@loc.gov (Library of Congress) — found in RM2 and RM3
- th276a@nih.gov (National Institutes of Health) — found in RM3 CDR

URL patterns in RM3 CDR documents:
- nodis3.gsfc.nasa.gov (n=36) — NASA Goddard Space Flight Center NODIS system
- www.sc.doe.gov (n=16) — Department of Energy Science
- www.whitehouse.gov — White House
- www.pnas.org — Proceedings of the National Academy of Sciences
- digitalcorpora.org (n=63)

The presence of multiple government agency email addresses embedded in Office documents stored on the removable media confirms that confidential government or contractor documents were taken off-site. RFC822 artifact analysis found library-catalog style records on RM3 ("Subject: Portraits of three Indians (half-length)") suggesting Library of Congress catalog records.

LNK file artifacts recovered from the PC via bulk_extractor winlnk scanner reveal that the informant accessed a network file share containing secret project data:

Network path: \10.11.11.128\secured_drive\Secret Project Data\final
Mapped drive letter: V:
Access time: 2015-03-22T14:52:21Z

This establishes that the secret project files resided on an internal network file server at IP 10.11.11.128, mounted as drive V: under the name 'secured_drive'. The informant browsed to the 'Secret Project Data\final' subdirectory, consistent with accessing finalized project documents before exfiltrating them to removable media. The LNK creation/modification/access times all show 2015-03-22T14:52:21Z, indicating this was the access event.

The suspect is definitively identified as 'Iaman Informant' (iaman.informant@nist.gov), a NIST (National Institute of Standards and Technology) employee:

1. Outlook OST file path recovered from bulk.email: 'Outlook\iaman.informant@nist.gov.ost' — confirms the informant's corporate email address at NIST
2. Additional NIST email addresses in bulk.domain: '6f-b1df9935415b@nist.gov' (ExchangeLabs format) with /o=ExchangeLabs — confirms NIST uses Microsoft Exchange Online (Office 365)
3. Network file server 10.11.11.128 ('secured_drive') referenced alongside nist.gov in bulk.domain
4. Username on PC: 'informant' with NTUSER.DAT at inode 521
5. Resignation letter on Desktop: 'Resignation_Letter_(Iaman_Informant).docx'
6. USB drives with labels consistent with the name: 'IAMAN $_@' (RM2 FAT32) and 'IAMAN CD' (RM3 CDR)

This is a NIST employee who used their work PC to stage and exfiltrate confidential project data before submitting their resignation.

LNK artifacts identify three removable media devices used for exfiltration, all labeled with the suspect's alias:

1. RM1 ('Authorized USB', E:\RM#1) — exFAT USB drive:
2. Accessed 2015-02-15T21:52:12Z: E:\RM#1\Secret Project Data\proposal\
3. Accessed 2015-02-15T21:52:20Z: E:\RM#1\Secret Project Data\proposal[secret_project]_proposal.docx (file wtime: 2014-12-19T19:53:46Z)

4. Accessed 2015-02-15T21:52:08Z: E:\RM#1\Secret Project Data\design\

5. RM2 ('IAMAN $_@', E:) — FAT32 USB drive:

6. Volume label confirmed in fls: 'IAMAN $_@ (Volume Label Entry)'
7. Accessed 2015-03-24T04:00:00Z: E:\Secret Project Data\design\winter_whether_advisory.zip (file wtime: 2014-12-16T16:10:26Z)
8. Multiple deleted folders recovered: design, PRICIN~1, progress, proposal, TECHNI~1

9. All contents deleted after use

10. RM3 ('IAMAN CD', D:) — CD-R disc:

11. Volume label: 'IAMAN CD'
12. Accessed 2015-03-24T20:40:55Z: D:\de\winter_whether_advisory.zip (file wtime: 2014-12-16T16:10:26Z)
13. Contains government document fragments (NASA, NIH, Library of Congress)

Earliest exfiltration: 2015-02-15 (RM1 USB). Last exfiltration: 2015-03-24 (RM2/RM3). Anti-forensic cleanup: 2015-03-25.

Prefetch artifacts and winlnk cross-correlation establish a detailed execution timeline:

2015-02-15 (~21:52 UTC):
- First USB exfiltration: Accessed E:\RM#1\Secret Project Data\proposal[secret_project]_proposal.docx on 'Authorized USB' (RM1)
- Files with wtime as early as 2014-12-19 — data was prepared months earlier

2015-03-22 (primary access day):
- 14:34:31 UTC — 'informant' user DIRECTORY CREATED in MFT (account newly created)
- 14:34:55 UTC — Informant's Desktop browsed
- 14:52:21 UTC — Network share \10.11.11.128\secured_drive\Secret Project Data browsed (drive V:)
- 14:52:21 UTC — (secret_project)_pricing_decision.xlsx accessed from network share
- 15:03:23 UTC — Outlook opened (iaman.informant@nist.gov)
- 15:11:51 UTC — Google Chrome opened (multiple instances, browsing)
- 15:54:04 UTC — admin11 account Quick Launch accessed
- 15:56:07 UTC — 'temporary' user account Quick Launch accessed

2015-03-24:
- 14:05:12 UTC — Internet Explorer ran (12 runs)
- 15:21:38 UTC — VSSVC.EXE (Volume Shadow Copy) ran (4 runs)
- 18:31:55 UTC — STIKYNOT.EXE (Sticky Notes) ran (2 runs) - notes during resignation letter writing
- 18:48:40 UTC — Resignation Letter accessed in Word (creation)
- 18:59:30 UTC — Resignation Letter opened/edited in Word
- 19:09:51 UTC — WINWORD.EXE last ran (2 total runs)
- 20:40:55 UTC — 'IAMAN $_@' USB accessed (winter_whether_advisory.zip on E:)
- 20:57:00 UTC — 'IAMAN CD' (RM3 CDR) accessed: D:\Koala.jpg
- 20:58:06 UTC — Browsing root of 'IAMAN CD' disc
- 21:02:47 UTC — DEVICEDISPLAYOBJECTPROVIDER.EXE ran (USB device display)

2015-03-25 (anti-forensic cleanup day):
- 10:18:15 UTC — CLRGC.EXE (CLR GC, possibly Google Drive sync)
- 13:07:49 UTC — SVCHOST.EXE ran
- 13:24:10 UTC — SYSTEM registry hive accessed (MFT)
- 14:20:09 UTC — TASKENG.EXE (Task Scheduler, 23 runs)
- 14:31:53 UTC — CONHOST.EXE ran (12 runs) — command-line session
- 14:41:03 UTC — OUTLOOK.EXE ran (1 run) — final email sent
- 14:41:13 UTC — IE History folder MSHist012015032520150326 created (browsing)
- 14:42:47 UTC — WMPLAYER.EXE ran (1 run) — played media file
- 14:47:29 UTC — Ad tracking GIF downloaded (web browsing)
- 14:50:14 UTC — Eraser 6.2.0.2962.EXE installer ran (installation)
- 14:50:17 UTC — SETUP.EXE ran (Eraser installer)
- 14:50:53 UTC — TMP5B99.TMP.EXE ran (installer temp)
- 14:51:29 UTC — UIAutomationClient.dll created (Eraser .NET dependency)
- 14:52:57 UTC — NGEN.EXE ran (.NET compilation for Eraser)
- 14:54:21 UTC — ASPNET_REGIIS.EXE ran (ASP.NET registration)
- 14:57:18 UTC — VSSVC.EXE ran (6 runs) — Volume Shadow Copy activity
- 14:58:35 UTC — CCleaner64.exe LNK accessed (CCleaner ran)
- 15:13:30 UTC — ERASER.EXE ran (2 runs) — secure file deletion
- 15:15:54 UTC — ccc0fa1b9f86f7b3.customDestinations-ms accessed (Jump List for an application)
- 15:21:31 UTC — menu_sync_anim_2x.gif (web browsing after cleanup)
- 15:21:40 UTC — GOOGLEDRIVESYNC.EXE-841A0D94.pf CREATED — Google Drive ran AFTER cleanup!
- 15:22:07 UTC — IEXPLORE.EXE ran (14 runs)
- 15:28:33 UTC — Resignation_Letter_(Iaman_Informant).xps LNK accessed — LAST DOCUMENTED ACTION

A prefetch artifact for GoogleDriveSync was discovered created AFTER the CCleaner and Eraser cleanup activities:

• MFT record: 'GOOGLEDRIVESYNC.EXE-841A0D94.pf' created at 2015-03-25T15:21:40Z
• This is the Windows Prefetch file for Google Drive Sync, meaning Google Drive Sync was EXECUTED at 15:21:40 on March 25
• CCleaner ran at 14:58:35 and Eraser ran at 15:13:30
• Google Drive sync ran at 15:21:40 — TEN MINUTES AFTER Eraser was used to wipe files

This means that either:
1. Google Drive continued auto-syncing files from the 'My Drive' folder AFTER the cleanup, potentially uploading additional data to Google Cloud
2. Or the informant manually ran Google Drive Sync as a final exfiltration step after clearing local traces

The informant account at Users/informant/AppData/Local/Google/Drive/ had sync_log.log, snapshot.db, and sync_config.db deleted — but the sync CONTINUED before the final logoff. The Google Drive shortcut was also deleted from the Desktop (inode 75066).

Data exfiltrated via Google Drive remains unrecovered as the sync database files were deleted.

The informant deliberately deleted cloud synchronization artifacts after exfiltration, indicating awareness of forensic investigation:

Google Drive:
- sync_log.log (inode 75035): listed as both present and deleted (r/- * 0) — overwritten
- snapshot.db (inode 75039): deleted (-/r )
- sync_config.db (inode 75040): deleted (-/r )
- sync_config.db-wal (inode 73727): deleted
- sync_config.db-shm (inode 73728): deleted
- snapshot.db-shm (inode 73726): deleted
- Google Drive.lnk on Desktop (inode 75066): deleted (-/r *)
- cloud_graph/dict_2.db-wal (inode 73730): deleted
- cloud_graph/dict_2.db-shm (inode 73731): deleted

iCloud:
- iCloud Control Panel 4.0.6.28 installer cache: deleted from ProgramData/Apple/Installer Cache/
- Chrome History for informant: History database absent; only History-journal remains (inode 62907)

All RM2 USB files were also deleted from the FAT32 drive after copying, recovered only as $OrphanFiles.

This systematic deletion of sync logs, configuration databases, browser history, and cloud shortcuts demonstrates planned anti-forensic activity to conceal the scope of exfiltration.

Bulk_extractor URL search histogram extracted from the PC image reveals the informant's premeditated anti-forensic research. The top search queries found in browser history (counts indicate frequency across sessions/pages):

• 'file sharing and tethering' (n=491) — researched exfiltration methods
• 'DLP DRM' (n=90) — researched Data Loss Prevention and Digital Rights Management (evasion)
• 'e-mail investigation' (n=88) — researched email forensics
• 'anti-forensic tools' (n=85) — directly researched tools to cover tracks
• 'Forensic Email Investigation' (n=78) — researched email forensics investigation methods
• 'ccleaner' (n=65) — researched the specific wiping tool later installed
• 'external device and forensics' (n=65) — researched USB/external device forensics
• 'cd burning method' (n=64) — researched CD-R burning (method used with RM3)

This search pattern demonstrates premeditation, research into cover-up techniques, and active evasion of DLP controls. The informant deliberately studied how digital forensics investigations work before committing the theft.

Two data-wiping anti-forensic tools were installed on the PC and later uninstalled/deleted, indicating a deliberate attempt to erase evidence of the data theft:

1. CCleaner: Installed at Program Files/CCleaner/ (directories and files all deleted: -/d * 75246, -/r * 75248 CCleaner.exe, -/r * 75250 CCleaner64.exe). Desktop shortcut also deleted: Users/Public/Desktop/CCleaner.lnk (-/r * 75306). CCleaner web page cached in informant's IE Temporary Internet Files. LNK file for CCleaner64.exe shows last access 2015-03-25T14:58:35Z.

2. Eraser: Desktop shortcut deleted: Users/Public/Desktop/Eraser.lnk (-/r * 75235). Eraser is a secure file overwriting tool that prevents recovery.

3. CONHOST.EXE prefetch: atime 2015-03-25T14:31:53Z, 12 runs — indicates command-line tool use on 2015-03-25.

4. Browser history confirms informant searched: 'anti-forensic tools' (n=85), 'ccleaner' (n=65), 'external device and forensics' (n=65). CCleaner cache pages stored in informant's IE Temporary Internet Files (inode 75119, 71565, 75162).

The CCleaner LNK timestamp of 2015-03-25T14:58:35Z establishes that anti-forensic tool usage occurred on March 25, 2015.

Outlook.exe ran on the morning of the anti-forensic cleanup day:

1. OUTLOOK.EXE prefetch: atime 2015-03-25T14:41:03Z, 1 run — Outlook opened just 17 minutes before starting the Eraser installation
2. LNK for OUTLOOK.EXE at 2015-03-22T15:03:23Z — also opened on the main file access day
3. Outlook profile: iaman.informant@nist.gov (Office 365 ExchangeLabs)
4. Outlook.srs file at Users/informant/AppData/Roaming/Microsoft/Outlook/Outlook.srs (inode 62951) confirms active Outlook profile
5. NIST uses Microsoft Exchange Online (Office 365) as confirmed by /o=ExchangeLabs format in email artifacts

The timing suggests the informant may have emailed documents to a personal address before deleting evidence. This cannot be confirmed without email content (PST/OST file) but the single run of Outlook immediately before starting the wiping process is highly suspicious. No PST/OST files were found in the fls listing (they may have been encrypted or stored elsewhere).

EXIF metadata extracted from JPEG files on all three removable media shows images taken with an Eastman Kodak DIGITAL SCIENCE DC260 (V01.00) camera:

• RM3 CDR: Kodak DC260 EXIF at offset 1,310,146
• RM2 FAT32: Kodak DC260 EXIF at offsets 4,912,578 and 27,555,388
• RM1 exFAT: Kodak DC260 EXIF at offset 1,093,257; Adobe Photoshop CS processed image

The Kodak DC260 is a late 1990s/early 2000s digital camera commonly used for document digitization and archival photography. Combined with RFC822 catalog records found on RM3 ('Subject: Portraits of three Indians (half-length)') consistent with Library of Congress catalog entries, these images likely represent digitized/photographed government documents and archival records.

One RM2 image has SHA1 hash: aab7ebb56ec75ae3da1534c300ac65637f96b9a9 (Adobe Photoshop CS processed).