Table of Contents
Abstract
Introduction
Incident Response
  Breach Response
Hunting
  Network knowledge
Intelligence
  Intelligent Alerting
Identification of the breach
How the data was breached
Preserving the evidence
Constructing the crime
Timeline of the events
Research Methodology
Tracking the intruder
Damage to Adobe
Conclusion and Recommendations
References
Abstract
Network forensics is an essential element of running a system securely and successfully. It helps to protect the
data held by the system and ensures that the daily security operations workflow runs smoothly. According to
Guan (2014), network forensics mainly involves discovering and collecting admissible information within a
network that has been attacked by an outsider; that information can then be presented in court to prosecute the
criminal. Investigating a breach in a network is both technically demanding and expensive, and even modest
forensic preparation can cost an institution as much as a major incident.
This paper discusses the investigated results of a security breach of the network of the software company
Adobe. Adobe is a U.S. multinational company providing Photoshop, image and graphic editing tools, Acrobat
Reader, and many more. Before 2011 Adobe stored its users' data locally, but with the advancement of
technology it shifted to cloud storage, which also made Adobe more exposed (Bell, 2018).
In late September 2013, about a week before Adobe's official announcement of the breach, the journalist Brian
Krebs and the security researcher Alex Holden found 40 GB of data believed to belong to Adobe on a server
used by criminals. They informed Adobe immediately, and Adobe then took action (Steve, 2013). According to
Adobe, the data of some 38 million users was compromised in the incident, which cost the company a large sum
of money. Considering the nature and amount of the loss the company incurred, this paper recommends strong
internal controls and proper cryptographic protection of stored customer data (salted password hashing rather
than reversible encryption, and no password hints stored in cleartext). Furthermore, administrators must not be
complacent about security; this breach happened not because the hackers were exceptionally competent but
because the custodians of the data were too slow to act.
Introduction
Adobe Inc. is a computer software company incorporated in the United States. From its inception it has
focused on multimedia and creative software. Among its prominent products are Photoshop, Acrobat Reader,
Flash, and Creative Suite (Adobe website). The current market value of Adobe Inc. is given as 20.76 billion
U.S. dollars, and it has more than twenty-one thousand employees across many countries (Adobe website).
Fotolia, Workfront, Marketo, Mixamo, and others are subsidiaries of Adobe Inc.
The security breach of Adobe Inc. was first observed by the journalist Brian Krebs and the independent
security researcher Alex Holden. They found 40 GB of source code on a server believed to have been used by
cyber criminals.
Figure 1: source code stolen from Adobe (Privacy Risk Advisors)
The hackers were identified as the same group that had previously broken into LexisNexis and Dun & Bradstreet
(Marciano, 2013). In this breach, the data of approximately 38 million users was compromised. During the
investigation it was found that the victims included government, military, and educational institutions, the FBI,
and NASA. The hackers stole encrypted passwords, email addresses, and credit card numbers (Kocieniewski,
2013).
Figure 2: ColdFusion code found on the criminal server (Privacy Risk Advisors)
Incident Response
There are certain steps that an organization needs to take when a breach occurs.
Breach Response
“When an organization discovers or is notified of a breach, time becomes of the essence. The organization's
immediate focus becomes moving quickly from detection to containment. Before initiating an investigation,
there are a few questions that need to be answered. This process is often called breach response and involves
investigation, analysis, and forensics (Goldfarb, 2014).
How long have the intruders been using the network illegally?
Are the intruders still using the network illegally?
What is the impact of the intrusion?
What type of data is compromised?
An accurate, cohesive, lossless data of record is required to answer all of these questions properly.
Hunting
A network may at any time show unusual or suspicious activity. Sometimes such activity is an indicator of a
threat, but at other times the intruders keep a low profile and act subtly (Goldfarb, 2014). If such activity is
detected successfully within an organization, tracing it is easy; otherwise it is very difficult to find the source of
the activity. Hunting is a technique used by experts in different ways to track suspected activity by closely
observing the traffic data. Most of the time, the tool used for this purpose is Wireshark. The best analysts will
want to issue targeted, precise, incisive queries designed to extract the proper forensic data rapidly, with
minimal noise (Park, 2014).
Network knowledge
Network knowledge provides important data points to decision-makers and executives. Business decisions
should be based on facts, and facts come from an accurate, precise data of record, the network forensics data
(Kaur et al., 2018). When business decision-makers or executives need answers, it is best to provide answers
based on ground truth.
Intelligence
When leveraged properly, actionable intelligence can provide additional enrichment and maturity to a security
operations program, as well as aid in the improved detection of intrusions. There are two time-based aspects
here: historical and ongoing. We can run IOCs against our historical data to check for evidence of intrusions
present on the network from the past through the current day. In addition, we should also monitor for
evidence of intrusions on an ongoing basis and raise an event to the alert queue when we see that evidence
(Kaur et al., 2018).
Intelligent Alerting
If an intelligent attacker is to be found, intelligent questions need to be asked. Asking intelligent questions
requires two fundamental components. The first required component is that the data be collected and its
associated metadata extracted and indexed for rapid search (Mounteer). The second required component is a
robust query language that allows the analyst to ask incisive, targeted, precise, intelligent questions of the
data. It is likely not a surprise that a mature, scalable, powerful network forensics solution provides both of
these required components. In the absence of that capability, many organizations struggle to issue queries
powerful enough to identify suspicious and malicious activity designed to behave subtly and fly under the radar
(Goldfarb, 2014).”
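The two time-based uses of intelligence described above (a historical sweep of stored records against IOCs, and an ongoing monitor that raises alert-queue events) are shown below in an added example that is not part of the paper or of any Goldfarb or Kaur et al. tooling. The connection records are constructed in a Zeek-like JSON shape, the indicators and hosts are invented, and the 10.0.0.0/8 "internal" range is an assumption. Each record carries the sensor that saw it, so the same data can be queried as a border-only deployment would see it; a practitioner can check for themselves what a blind spot on the internal subnets costs when pivoting on a host that matched an indicator.

```python
"""IOC sweep over connection logs, historical and ongoing, with per-sensor visibility."""
import ipaddress
import json

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed enterprise address space

# Constructed sample: one connection record per line, as a border or an internal sensor would log it.
# ts is a Unix epoch; host is the HTTP Host / TLS SNI value when one was observed.
SAMPLE_LOG = """\
{"ts": 1376512000, "sensor": "border", "src": "10.1.4.20", "dst": "203.0.113.77", "dport": 443, "host": "cdn.example.com"}
{"ts": 1376512090, "sensor": "border", "src": "10.1.4.20", "dst": "198.51.100.9", "dport": 8443, "host": "update-check.example.net"}
{"ts": 1376512200, "sensor": "internal", "src": "10.1.4.20", "dst": "10.1.9.5", "dport": 445, "host": null}
{"ts": 1376519000, "sensor": "border", "src": "10.1.9.5", "dst": "198.51.100.9", "dport": 8443, "host": "update-check.example.net"}
{"ts": 1376520000, "sensor": "internal", "src": "10.1.9.5", "dst": "10.1.9.8", "dport": 1433, "host": null}
"""

# Assumed indicators from an intelligence feed (invented; not real C2 infrastructure).
IOCS = {
    "ip": {"198.51.100.9"},
    "domain": {"update-check.example.net"},
}


def parse_log(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def match_iocs(record, iocs):
    """Indicators a single record matches, as 'type:value' strings (empty list if none)."""
    hits = []
    for field in ("dst", "src"):
        if record[field] in iocs.get("ip", ()):
            hits.append(f"ip:{record[field]}")
    host = record.get("host")
    if host and host in iocs.get("domain", ()):
        hits.append(f"domain:{host}")
    return hits


def historical_sweep(records, iocs, sensors=None):
    """Run every IOC over the stored records (the past-through-today pass).

    Returns {internal host: [(ts, hits), ...]}. sensors restricts which sensors' data
    is considered, so a border-only view can be compared with full visibility.
    """
    by_host = {}
    for rec in records:
        if sensors and rec["sensor"] not in sensors:
            continue
        hits = match_iocs(rec, iocs)
        if hits:
            key = rec["src"] if is_internal(rec["src"]) else rec["dst"]
            by_host.setdefault(key, []).append((rec["ts"], hits))
    return by_host


def monitor(records, iocs):
    """Ongoing mode: yield one alert-queue event per newly seen record that matches."""
    for rec in records:
        hits = match_iocs(rec, iocs)
        if hits:
            yield {"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "indicators": hits}


def pivot(records, host, sensors=None):
    """Everything a host did, as seen by the chosen sensors (all sensors when None)."""
    return [r for r in records
            if host in (r["src"], r["dst"]) and (not sensors or r["sensor"] in sensors)]


def lateral_connections(records, host, sensors=None):
    """Internal-to-internal connections originated by host; a border-only sensor set never sees these."""
    return [r for r in pivot(records, host, sensors) if r["src"] == host and is_internal(r["dst"])]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, hits in historical_sweep(recs, IOCS).items():
        print(host, "matched", hits)
        print("  lateral (all sensors):  ", [r["dst"] for r in lateral_connections(recs, host)])
        print("  lateral (border only):  ", [r["dst"] for r in lateral_connections(recs, host, {"border"})])
    for alert in monitor(recs, IOCS):
        print("ALERT", alert)
```

The sweep turns up two internal hosts beaconing to the indicator; the pivot on either host shows SMB and SQL connections to other internal machines only when an internal sensor contributed records. With `sensors={"border"}` the same pivot returns nothing inside the network, which is exactly the blind spot the paper later attributes to Adobe's border-only monitoring.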
Identification of the breach
Adobe Inc., one of the dominant providers of software applications, announced on October 3, 2013, that its
systems had been breached and that the data of 2.9 million users had been compromised (a figure Adobe later
revised to about 38 million active users). A week before the official announcement, the incident was first
observed by Krebs and Holden, who found a trove of source code on a server previously used by cyber
criminals. Shortly after discovering the data on the criminal server, Krebs shared screenshots of the server's
contents with Adobe Inc. The intruders were able to study the source code and its weaknesses, and after that
penetration it was easy to reach the users' data (Steve, 2013). To understand the repercussions of the breach,
it is sufficient to quote one of the discoverers of the data breach, Alex Holden: "This data breach is one of the
worst in U.S. history because the source code of an end-user product such as Adobe Reader and Adobe
Publisher was breached and leaked. This allows additional attack vectors to be discovered and viruses to be
written for which there are no defenses." According to Holden, this data may have been in the possession of
the cybercriminals for at least two months (Higgins, 2013). According to experts, the attackers' aim may be
twofold: they may either sell the data to a third party and make quick money, or keep it to themselves and use
it in future breaches (Higgins, 2013).
How the data was breached
During the investigation, it was found that roughly one password in six could easily be recovered because of
the way Adobe Inc. stored them. Adobe had not hashed the passwords at all: it had encrypted them with a
block cipher in ECB mode under a single key, so every user who chose the same password received the same
ciphertext, and passwords sharing a prefix shared their first ciphertext block. The company did not protect its
users' passwords to a high standard; the passwords were easily recoverable, which made the users
vulnerable. “The hashed version of the password along with the associated email I.D. was searched on the
internet to find the list of people who were using the same password. There were hundreds of users who were
using the same password. It was found that some of the accounts had social security numbers as their
passwords. There were thousands of instances in which people wrote a password hint such as 'same as
Adobe', 'same as identity card number', or 'bank account'. Brian Krebs, an investigative reporter, said that it
seems Adobe did not put much effort into protecting its customers' valuable information. He also said that the
approaches used in most organizations, including the larger ones, still rely on older ways of protecting their
customers' passwords (Duby, 2013).”
Following are some of the reasons identified by Duby (2013) which led to the incident:
“What went wrong: probably 16-character passwords cannot protect us anymore.
Adobe did not bring its password protection up to industry standards, and hackers could exploit that.
Also, in the case of the stored passwords, the users' password hints were in cleartext.
The hints used were really weak and easily exploitable by third parties.
The hints made the discovery of passwords easy not only for the Adobe account but also for other
websites.
Using passphrases or long passwords makes it difficult for hackers to break in.
Recycling the same password in multiple places should not be practised, to avoid the hacking of
accounts.”
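The password-storage failure described above, and the contrast with what Duby's list asks for, is easier to see in running code. The following is an added example, not code from the paper or from Adobe: it models Adobe's storage as a deterministic 8-byte block cipher applied in ECB mode under one key (a small Feistel construction stands in for 3DES, which the Python standard library does not ship; the weakness shown is a property of the mode, not the cipher), pools the cleartext hints of every user who ends up with identical ciphertext, and then stores the same user table with per-user salts and PBKDF2 so that nothing can be grouped or decrypted. The user table, passwords, hints and key are all constructed.

```python
"""Why one key plus ECB leaks passwords from a dump, and what per-user salted hashing fixes."""
import hashlib
import hmac
import os
from collections import defaultdict

BLOCK = 8  # 3DES works on 8-byte blocks; in ECB mode each block is encrypted on its own


def _feistel_round(key, half, rnd):
    # Keyed round function (HMAC-SHA256 truncated to 4 bytes). Assumption: a stand-in for a real
    # block cipher; equal plaintext blocks give equal ciphertext blocks under ECB regardless of cipher.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def block_encrypt(key, block, rounds=8):
    """Encrypt one 8-byte block with a balanced Feistel network (deterministic and invertible)."""
    left, right = block[:4], block[4:]
    for rnd in range(rounds):
        left, right = right, bytes(a ^ b for a, b in zip(left, _feistel_round(key, right, rnd)))
    return right + left


def block_decrypt(key, block, rounds=8):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(rounds)):
        left, right = right, bytes(a ^ b for a, b in zip(left, _feistel_round(key, right, rnd)))
    return right + left


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key, password):
    """ECB: same key, no IV, every block independent. Same password -> same ciphertext for every user."""
    data = pkcs7_pad(password.encode())
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key, ct):
    data = b"".join(block_decrypt(key, ct[i:i + BLOCK]) for i in range(0, len(ct), BLOCK))
    return data[:-data[-1]].decode()


# Constructed user table in the shape of the leaked records: (user, password, cleartext hint).
USERS = [
    ("alice", "123456", "numbers"),
    ("bob", "123456", "same as my bank PIN"),
    ("carol", "123456", "obvious"),
    ("dave", "password1", "usual + 1"),
    ("erin", "password2", "usual + 2"),
    ("frank", "correct horse battery", "xkcd"),
]


def leak_groups(key, users):
    """What an attacker gets from the dump alone, without the key: users grouped by identical
    ciphertext (identical password) and by identical first block (shared 8-byte prefix),
    with their cleartext hints pooled so one weak hint exposes the whole group."""
    same_password = defaultdict(list)
    same_first_block = defaultdict(list)
    for user, password, hint in users:
        ct = ecb_encrypt(key, password)
        same_password[ct].append((user, hint))
        same_first_block[ct[:BLOCK]].append(user)
    return ({ct: g for ct, g in same_password.items() if len(g) > 1},
            {blk: g for blk, g in same_first_block.items() if len(g) > 1})


def hash_password(password, salt=None, iterations=200_000):
    """Hardened storage: random per-user salt plus a slow KDF. Nothing to decrypt, nothing to group."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password, salt, digest, iterations=200_000):
    return hmac.compare_digest(hash_password(password, salt, iterations)[1], digest)


if __name__ == "__main__":
    key = b"single-key-for-every-user"  # constructed
    by_password, by_first_block = leak_groups(key, USERS)
    for ct, group in by_password.items():
        print("identical ciphertext", ct.hex(), "->", group)
    for blk, group in by_first_block.items():
        print("identical first block", blk.hex(), "->", group)
    for user, password, _ in USERS[:2]:
        salt, digest = hash_password(password)
        print(user, "salted PBKDF2:", digest.hex()[:16], verify_password(password, salt, digest))
```

Under ECB, alice, bob and carol share one ciphertext and their three hints ("numbers", "same as my bank PIN", "obvious") are read together; dave and erin share a first block because their passwords agree on the first eight characters. With per-user salts the same two users get unrelated digests, and verification still works because the salt is stored beside the digest rather than kept secret.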
Preserving the evidence
After the report of the misuse of information, Adobe Inc. immediately deployed all its resources, internal and
external, to prevent any further harm to consumer data and hence to the company's reputation. During the
initial investigation, it was revealed that the intruders had accessed Adobe user names and passwords. Further
investigation found that millions of customers' encrypted credit and debit card numbers, expiry dates, and much
other valuable information had been compromised. The investigation could not determine whether the intruders
had managed to decrypt the credit or debit card numbers or the passwords (Arkin, 2013). Meanwhile, Adobe
posted a public apology to its customers for the unfortunate incident and informed them of the steps it was
taking. Some of the highlights of the actions taken by Adobe are as follows:
To prevent any further mishap, the company reset the passwords of the compromised Adobe ID accounts.
It also asked other users to change their passwords in case their accounts had been compromised.
The company notified customers whose credit or debit card numbers had been stolen and asked them not
to take any step until the company notified them.
The company also offered a one-year complimentary credit monitoring membership to customers whose
information was compromised in the incident.
It sought the relevant banks' help in containing the situation by closely watching for any suspicious activity
in their users' accounts.
The company sought the help of federal investigating agencies and other law enforcement agencies to catch
the criminals and punish them according to law.
According to the investigation, source code for Adobe Acrobat, ColdFusion, ColdFusion Builder, and other
Adobe products was illegally accessed. According to Adobe, this did not create any further risk to customers'
data: “It is unclear if there are any zero-day exploits targeting any Adobe product. However, as always, it is
recommended that customers run only supported versions of the software, apply all available security updates,
and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion lockdown guide. These steps will
help in mitigating attacks targeting older, unpatched, or improperly configured deployments of Adobe
products.” All the data the investigators collected during the investigation was digitally signed and saved to a
CD-ROM.
Constructing the crime
With the help of the evidence assembled during the investigation, investigators were able to show that the
method employed and the criminals were the same as in the earlier intrusions at LexisNexis and Dun &
Bradstreet. The attackers took the source code of several Adobe applications, chief among them Acrobat
Reader and ColdFusion. The evidence collected from the criminal server and the traces left behind by the
criminals showed how they had exploited the data and when they had broken into the system (Duby, 2013). The
investigators could not establish whether the attack was made possible by an insider's negligence.
Unfortunately, Adobe had no monitoring framework on its internal subnets; it had installed monitoring systems
only at the network border. Therefore the investigators could not see any network activity inside the system,
which is a significant blind spot. It was also revealed during the examination that Adobe had issued security
updates a couple of months earlier to fix ColdFusion vulnerabilities. According to Privacy Risk Advisors (2013),
"many networks apparently run outdated versions of the software, leaving them vulnerable to compromise. This
indeed may have also been the vector that attackers used to infiltrate Adobe's own networks; Arkin said the
company has not yet determined whether the servers that were breached were running ColdFusion but
acknowledged that the attackers appear to have gotten their foot in the door through 'some type of out of date
software'." Duby (2013), in describing the reasons for the security breach, lists a number of prior minor
incidents which should have prompted Adobe to take timely action.
2007: Intruders accessed users' computer files through an Adobe Reader bug.
Installing unwanted Flash players.
2010: “Attackers created malicious PDF attachments to hack into several companies, including Adobe.”
2011: “A bug gave hackers remote access to customers' computers, with the help of Flash Player.”
2012: “Hackers gained access to Adobe's security verification system by tapping into its internal servers.”
Table 1
Two Adobe applications, Adobe Flash Player and Acrobat Reader, ranked second among the most vulnerable
software in 2009. “After which Adobe Reader stood in first position among the most vulnerable programs in
2010. In the following year, this position was taken by Adobe Flash Player. Keeping in view the history of
Adobe, the breach of 2013 should not surprise the company. On the other hand, Adobe products are used on a
large scale, which is another reason for ending up in bad people's hands. Adobe's security history suggests
that the organization has to take a long, hard look in the mirror.”
Figure 3: cause and effect analysis of the Adobe breach (Samuel Liles, 2013)
Timeline of the events
Mid-August: when Krebs later informed Adobe about the breach, Adobe told him that it believed the hackers
had accessed the source code in mid-August.
September 17: Adobe began investigating a possible data breach. The investigation started after Adobe
received an alert saying that one of its shared drives had reached full capacity. While looking into this, Adobe
found that someone had accessed its database without authorization (Krebs on Security, 2016).
Late September: Krebs discovered the leak in Adobe's security.
October 3: Adobe officially confirmed that its security had been breached and that it had been investigating
since September 17. Further, Adobe's chief security officer, Brad Arkin, apologized to users and asked them to
take precautionary measures.
Research Methodology
Due to a lack of information on the topic, this paper relies heavily on secondary data. The material was
taken from different sources, all of them online: Google Scholar, JSTOR, HeinOnline, blogs, websites, and
news articles. Because little has been written about the incident, the paper relies mainly on Google Scholar
and blog posts.
Tracking the intruder
It took almost two months for the victim organization to realize that its systems had been compromised and
the data of millions of users taken. Upon realizing this, Adobe contacted federal investigation agencies and law
enforcement agencies to track down the intruders. Because of its large number of users and diverse products,
it was difficult to pinpoint the leak in the security system. All the investigation produced was a general
overview of the damage and the possible gateways through which the intruders might have stolen the data. In
a separate story reported alongside the Adobe settlement, a group of people and some websites willing to host
spammers formed a coalition to launch a distributed denial of service attack on Spamhaus, considered at the
time the largest attack on the internet (Krebs on Security, 2016). The group's leader was a Dutchman named
Kamphuis, also known as the "prince of the Cyberbunker republic". He was arrested on the evidence of his chat
logs, in which he was running a campaign to attack different internet platforms. Despite his public denial of
involvement, he was sentenced to a total of 240 days in jail, including the time spent awaiting extradition, and
so spent little further time in prison (Krebs on Security, 2016).
Damage to Adobe
“According to the Ponemon 2013 Cost of Data Breach Study, the average cost of a breached record is $188.
This means that, based on the 38 million Adobe customers who had their sensitive information stolen, the total
cost amounts to over $714 million. Putting that amount aside for a moment, the cost just to mail notification
letters to the 38 million affected customers is over $17 million. These amounts, needless to say, are significant.
However, for a company such as Adobe, these amounts, significant as they may be, will not force Adobe out
of business even if it does not have a cyber or data breach insurance policy. This may not be the case for
other businesses or organizations, which may not have the financial ability to sustain the significant costs that
occur when a data breach happens (Data Breach Insurance).”
Lawyers have suggested that the most significant commercial implication for Adobe is the theft of its source
code, although the impact of that theft will not be felt by Adobe for some time. When a data breach happens,
one of the 'hidden and unknown costs' is this delayed financial impact or loss.
The Adobe data breach involves many issues, such as stolen sensitive customer data, reputational damage,
legal and P.R. issues, intellectual property theft, and network security failure (Privacy Risk Advisors).
Initially, a class action suit was filed in California against Adobe, which, according to Pauli (2015), was
resolved out of court: Adobe paid an undisclosed amount to settle the claims and faced US$1.2 million in legal
fees (Pauli, 2015). Separately, according to Krebs on Security (2016), Adobe paid US$1 million to settle a
multistate suit over the breach.
Conclusion and Recommendations
“Network forensics investigations are complex and time consuming, and forensic readiness reduces the per-
incident costs. Developing forensic readiness in conjunction with an information security program improves an
organization's overall security posture and helps integrate proper evidence handling into an organization's
incident handling capabilities.”
There are a few things Adobe has to take care of to prevent further breaches of its security system. First, it
should remind its customers not to reuse the same password on different sites. Second, customers should use
longer, more complex passwords, and a hint, if one is set, must not give the password away. Third, and
perhaps most important, the custodians of the data must not be complacent in handling it: the findings above
point to password storage below industry standards with hints kept in cleartext, servers running out-of-date
software as the likely entry vector, and no monitoring on the internal subnets, each of which the company
could have addressed before the breach. Ultimately the Adobe data breach was not due to the ingenuity of the
hackers but to the inaction of the administrators at Adobe.
References
Privacy Risk Advisors, “Adobe to announce source code, customer data breach”,
<https://www.privacyrisksadvisors.com/case-studies/adobe/> accessed on January 13, 2021
Kocieniewski, David (2013) “Adobe announces security breach”, The New York Times,
<https://www.nytimes.com/2013/10/04/technology/adobe-announces-security-breach.html> accessed on January
14, 2021
Control Risks, “Five Case Studies with Digital Evidence in Corporate Investigations”,
<https://www.controlrisks.com/campaigns/compliance-and-investigations/five-case-studies-of-interest-to-
corporate-investigators> accessed on January 13, 2021
Kaur, Prabhjot et al. (2018) “Network Forensic Process Model and Framework: An Alternative Scenario”,
ResearchGate,
<https://www.researchgate.net/publication/324409632_Network_Forensic_Process_Model_and_Framework_An_Alternative_Scenario>
accessed on January 13, 2021
Steve, Security (2013) “Facts About the Adobe Data Breach”,
<https://blog.cygilant.com/blog/bid/326184/facts-about-the-adobe-data-breach> accessed on January 12, 2021
Higgins, Kelly Jackson (2013) “Hacking the Adobe Breach”, Dark Reading,
<https://www.darkreading.com/attacks-breaches/hacking-the-adobe-breach/d/d-id/1140620> accessed on
January 12, 2021
Liles, Samuel (2013) “Adobe Data Breach (ongoing analysis)”, SV EOTI,
<http://selil.com/?s=2013+Adobe+Data+breach> accessed on January 13, 2021
Krebs on Security (2016) “Adobe Fined $1M in Multistate Suit Over 2013 Breach; No Jail for Spamhaus
Attacker”,
<https://krebsonsecurity.com/2016/11/adobe-fined-1m-in-multistate-suit-over-2013-breach-no-jail-for-spamhaus-attacker/>
accessed on January 13, 2021
Pauli, Darren (2015) “Adobe pays US$1.2M plus settlements to end 2013 breach class action”, The Register,
<https://www.theregister.com/2015/08/17/adobe_settles_claims_for_data_breach/> accessed on January 13,
2021
Goldfarb, Joshua (2014) “Network Forensics: Use Cases in the Enterprise”, FireEye, accessed on January 13,
2021
Bell, Terena (2018) “Adobe's CSO talks security, the 2013 breach, and how he sets priorities”, CSO, accessed
on January 13, 2021