Browser Fingerprinting
American Military University
ISSC630
1 May 2022
The hacking process is said to have started in November 2013,
when the attackers first breached the OPM networks. This
attacker or group was referred to as XI, the name used in the
congressional data breach report on OPM. Although XI was not
able to access any personnel data at that time, it was able to
exfiltrate manuals as well as IT system architecture information.
In real life, an individual's fingerprints are unique to that
person. In the online world, it is the browser configuration
that can end up pointing to a person. Although most individuals
use similar browsers, their hardware and software
configurations differ enough that they can effectively act as
the IDs of the users.
Browser fingerprinting makes it possible to acquire granular
information about every single parameter of that configuration.
For example, it can reveal the default language the user has
set for the browser and identify the installed fonts, among
other things. Like a human fingerprint, a person's browser has
a set of traits that are unique and that can be traced back to
the user as well as to anything they do on the internet.
Whenever a person browses the internet, most web portals
capture some of this information, such as the size of the
screen and the type of browser, to provide an appropriate
experience (Durey et al., 2021, July).
Additionally, browser fingerprinting can be used for
identification as well as tracking. Websites can record all
sorts of data about an individual through their fingerprint and
then connect it to other matching fingerprints to build a
precise picture of the user's browsing behavior and website
activities. The main objective of browser fingerprinting is to
acquire as much information as possible about a website
visitor's identity and personality from their browser
configuration. This is of great use in the context of
cybersecurity and fraud prevention, where specific parameters
can immediately point to suspicious configurations. For
example, browser fingerprinting can detect when users rely on
spoofing tools or emulators, which should raise suspicion about
their intentions on the website.
Because these fingerprints are so unique, they also operate as
user IDs. This permits advertisers and marketers to monitor
users all over the web and to deliver targeted content based on
a person's online activities. It is also important to
understand that browser fingerprinting is a contentious
practice, which is why several privacy advocacy groups have
developed anti-fingerprinting and anti-tracking tools and
techniques. The actual configuration of swirls and lines that
makes up an individual's fingerprints is considered unique to
that person. In a similar way, a user's browser fingerprint can
be defined as a set of information gathered from a person's
laptop or phone every time it is used, enabling advertisers to
automatically link it back to the user (Pugliese et al., 2020).
Browser fingerprinting is an umbrella term for means of
identifying a particular browser by querying it. JavaScript
APIs and CSS features behave the same across different domains,
so this works without making use of cookies. For example,
learning the version of the operating system in use might lead
to zero-day attacks. This information can be obtained through
ordinary User-Agent queries. Several organizations have
proprietary fonts, such as Google Sans. When a proprietary font
is installed on a user's system, it is a good bet that the user
works for that organization or has pirated the font. This can
be tested in CSS or JS.
Browser fingerprinting is a permissionless and stateless
technique for generating an identifier on the server side,
which can in addition be stored using whatever storage is
available on the client side. As a result, it is quite possible
to use browser fingerprinting to help ensure that hackers and
other attackers are traced.
The most popular method that websites use to obtain a user's
data is cookies. Cookies are small text files stored by a
computer that contain data websites can use to enhance the
experience of the users. Websites remember and track personal
computers and devices by loading cookies onto a person's
computer. Each time a person visits a website, the browser
automatically downloads cookies. When the same website is
visited again, the browser reads those data packets and
provides the user with a personally customized experience
(Iqbal et al., 2021, May).
The Am I Unique website provides a comprehensive list made up
of 19 data points. The most significant attributes include
whether cookies are enabled, the platform currently in use, the
kind of browser and its version, the computer in use by the
user, and whether tracking cookies have been blocked on the
computer.
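The server-side use described above for fraud prevention, as an
added example that is not part of the original paper: reported
attributes are canonicalised into a stateless identifier, and
combinations that suggest spoofing or an emulator are flagged.
The attribute names, the rules and the sample reports are
assumptions constructed for illustration.

```javascript
// Added example, not from the original paper. Attribute names, rules and
// the sample reports are constructed for illustration.

// FNV-1a: a small non-cryptographic hash, used here only so the example has
// no dependencies. A real deployment would use a keyed cryptographic hash.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Sort keys so the identifier does not depend on the order of the report.
function canonicalise(attrs) {
  return Object.keys(attrs)
    .sort()
    .map((k) => `${k}=${Array.isArray(attrs[k]) ? attrs[k].join(",") : String(attrs[k])}`)
    .join("|");
}

// Stateless identifier: derived from the attributes alone, with nothing
// that has to be stored on the client.
function fingerprintId(attrs) {
  return fnv1a(canonicalise(attrs));
}

// What the User-Agent claims versus what the platform attribute should be.
// The first matching rule wins, so the mobile tokens are listed first.
const UA_PLATFORM_RULES = [
  { uaToken: "iPhone", platformPrefix: "iPhone", mobile: true },
  { uaToken: "Android", platformPrefix: "Linux", mobile: true },
  { uaToken: "Windows NT", platformPrefix: "Win", mobile: false },
  { uaToken: "Macintosh", platformPrefix: "Mac", mobile: false },
  { uaToken: "X11; Linux", platformPrefix: "Linux", mobile: false },
];

// Return the list of reasons a report looks spoofed or emulated.
function inconsistencies(attrs) {
  const findings = [];
  const rule = UA_PLATFORM_RULES.find((r) => attrs.userAgent.includes(r.uaToken));
  if (rule && !attrs.platform.startsWith(rule.platformPrefix)) {
    findings.push("ua-platform-mismatch");
  }
  if (rule && rule.mobile && attrs.maxTouchPoints === 0) {
    findings.push("mobile-ua-without-touch");
  }
  if (attrs.userAgent.includes("HeadlessChrome")) findings.push("headless-browser");
  if (attrs.languages.length === 0) findings.push("no-languages");
  if (attrs.screenWidth === 0 || attrs.screenHeight === 0) findings.push("zero-screen");
  return findings;
}

function assess(attrs) {
  const findings = inconsistencies(attrs);
  return { id: fingerprintId(attrs), findings, suspicious: findings.length > 0 };
}

// Constructed sample reports.
const GENUINE_DESKTOP = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
    "(KHTML, like Gecko) Chrome/100.0.0.0 Safari/537.36",
  platform: "Win32", languages: ["en-US", "en"], screenWidth: 1920,
  screenHeight: 1080, maxTouchPoints: 0, cookiesEnabled: true,
  fonts: ["Arial", "Calibri", "Segoe UI"],
};
const SPOOFED_MOBILE = {
  userAgent: "Mozilla/5.0 (iPhone; CPU iPhone OS 15_4 like Mac OS X) " +
    "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Mobile/15E148 Safari/604.1",
  platform: "Linux x86_64", languages: ["en-US"], screenWidth: 390,
  screenHeight: 844, maxTouchPoints: 0, cookiesEnabled: true,
  fonts: ["DejaVu Sans", "Liberation Sans"],
};
const HEADLESS = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 " +
    "(KHTML, like Gecko) HeadlessChrome/100.0.0.0 Safari/537.36",
  platform: "Linux x86_64", languages: [], screenWidth: 800,
  screenHeight: 600, maxTouchPoints: 0, cookiesEnabled: true, fonts: [],
};

for (const report of [GENUINE_DESKTOP, SPOOFED_MOBILE, HEADLESS]) {
  console.log(assess(report));
}
```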
References
Durey, A., Laperdrix, P., Rudametkin, W., & Rouvoy, R. (2021,
July). FP-Redemption: Studying browser fingerprinting
adoption for the sake of web security. In International
Conference on Detection of Intrusions and Malware, and
Vulnerability Assessment (pp. 237-257). Springer, Cham.
https://link.springer.com/chapter/10.1007/978-3-030-80825-9_12
Iqbal, U., Englehardt, S., & Shafiq, Z. (2021, May).
Fingerprinting the fingerprinters: Learning to detect browser
fingerprinting behaviors. In 2021 IEEE Symposium on Security
and Privacy (SP) (pp. 1143-1161). IEEE.
https://ieeexplore.ieee.org/abstract/document/9519502/
Pugliese, G., Riess, C., Gassmann, F., & Benenson, Z. (2020).
Long-Term Observation on Browser Fingerprinting: Users’
Trackability and Perspective. Proc. Priv. Enhancing Technol.,
2020(2), 558-577.
https://sciendo.com/downloadpdf/journals/popets/2020/2/article-p558.pdf
CYBER CASES
American Military University
ISSC630
15 May 2022
Introduction
This report documents the investigation procedure followed by
the forensic agents and the investigative officers on the
incident and the recent evidence that was found on a suspect’s
computer related to child pornography. The client claimed not
to be part of the incident and that it was an ad that popped up
on his computer. The research below documents the procedures
that were followed to obtain evidence and to prove that the
accusation brought against the suspect incriminates him in the
incident. This is done by going through the forensic procedure
of securing and obtaining evidence digitally. To provide
concrete evidence to the court, an investigation and
examination of the incident were carried out to obtain pieces
of evidence to be used in criminal justice.
Literature review
First, the computer and the digital devices related to the
suspect were taken to help in the investigation. The
investigator brought in a forensic team to handle the
collection and examination of the devices to determine whether
there would be enough evidence pointing to the suspect's
involvement in the child pornography cases (Du et al., 2020).
The forensic team had to check the email and online chats,
tracking the IP addresses in the devices to establish a pattern
that could be used during the investigation process. The
browsers and search histories were also among the areas to be
investigated for relevant evidence related to the case.
The devices were seized to avoid manipulation of the
information stored on them. This is done by turning off the
devices, which preserves the cell tower information that could
be used to locate accomplices who may be related to the case.
The evidence was secured to avoid changes to the data on the
device before the evaluation and retrieval of information to be
presented as evidence in a court of law (Arshad et al., 2018).
The forensic team placed the evidence in antistatic packaging
such as envelopes and cardboard boxes. Plastics were avoided as
they can convey electricity or allow a buildup of humidity and
destroy the evidence.
The evidence is taken into the forensic laboratory for
examination to retrieve the relevant information that might be
stored on the computer and which can be used in court as
evidence. The qualified analyst follows the procedure below to
retrieve information from the presented digital evidence. The
first concern is preventing contamination: before analyzing the
data, a backup of the original files and information is
created. When analyzing data from the suspect device, the
information should be kept on a clean storage device to secure
the information (Du et al., 2020).
The forensic team isolated the wireless device in a different
chamber where the analysis would be carried out. This prevents
connection to any network and keeps the evidence as pristine as
possible. The device is connected to analysis software within
the chamber to safeguard the evidence from digital manipulation
of the information.
The analyst installs write-blocking software that prevents any
changes on the device (Murthy et al., 2021). An extraction
method is then selected: the analyst determines the model of
the device and selects the extraction software designed to
parse its data most completely. The experts conduct an analysis
of the content contained in the device, including current
files, internet history, logs, cookies, and deleted files. The
forensic team has software that can be used to recover deleted
files, which can then be used as evidence.
The investigators had to carry out other investigations apart
from awaiting the forensic reports to ensure that they had
enough evidence to be used against the suspect. In child porn
cases investigators rely on electronic evidence. However, they
also carried out interviews with the alleged offender, the
people he was close to, and the family members to have a better
understanding of the suspect. This background check helps the
investigator to understand the full potential and the length
the offender is willing to go when it comes to this type of
case.
The report from the forensic team came back and the
investigative officer went through the evidence recovered. The
evidence indicated the following: first, the suspect's
fingerprint was found on the device that was in his possession
(Murthy et al., 2021). The forensic team examined
the digital footprints and found there were no cookie ads that
related to child pornography. The analyst found emails that
were related to a discussion of child porn and the IP address
that the group was using, the evidence also revealed encrypted
messages that were sent to various users regarding child porn.
The investigative officers tracked down the addresses and
stumbled upon more evidence related to the child porn case. The
internet history also presents evidence of the search history of
the suspect that is also related to the case. The group has bank
accounts that were used to pay for child traffickers (Arshad et
al., 2018). To add to the evidence was the shipment of little
girls that were found which also had a connection to the
suspect. This evidence all proved that the suspect was involved
in illegal business and would face trial for the charges brought
against the offenders.
We focus on the new evidence and put aside the primary cases
to allow the team to close the cases. Upon closure, the team
will embark on the primary case, with a focus on the OPM
attack. The decision is based on the evidence presented: we
would proceed with the child pornography case, where the
evidence has been presented and the suspect is in custody. The
decision to focus
on this case is due to the breakthrough in the case and the case
is a critical issue that affects the lives of many youths in the
society (Arshad et al., 2018). Having cracked open the case it is
best to see it through and close the case for a better and safer
environment for the children and the youths to live in society.
Safety of the citizens especially the youth is essential hence it
required attention when the opportunity presents itself. The
investigation will be ongoing to ensure the entire criminal
organization has been captured and the cases and incidents
related to child kidnapping, trafficking, and child pornography
are curbed and reduced in society.
References
Arshad, H., Jantan, A. B., & Abiodun, O. I. (2018). Digital
Forensics: Review of Issues in Scientific Validation of Digital
Evidence. Journal of Information Processing Systems, 14(2),
346–376. https://doi.org/10.3745/JIPS.03.0095
Du, X., Hargreaves, C., Sheppard, J., Anda, F., Sayakkara, A.,
Le-Khac, N.-A., & Scanlon, M. (2020). SoK: Exploring the
State of the Art and the Future Potential of Artificial
Intelligence in Digital Forensic Investigation. Proceedings of
the 15th International Conference on Availability, Reliability,
and Security, 1–10. https://doi.org/10.1145/3407023.3407068
Murthy, S., Fontela, P., & Berry, S. (2021). Incorporating Adult
Evidence Into Pediatric Research and Practice. JAMA.
https://doi.org/10.1001/jama.2020.25007
Assignment 8
American Military University
ISSC630
29 May 2022
Question one
All of the OPM court case defendants have been found guilty,
and the trial has closed. As part of the agreement, they all
agreed to identify the Chinese Central Government as the
perpetrator of the attack. Consequently, identifying the Chinese
government as the perpetrator will result in various
consequences. First, it will provide the impression that a bold
statement is being sent to the entire globe, and it will act as a
template for future approaches to comparable challenges. Due to
the fact that the Chinese have already disputed the allegations
and emphasized their innocence, they will respond swiftly to the
revelation (Gootman, 2016). This will result in an avalanche of
counter-accusations. The establishment of multinational
coalitions will also be a possible outcome. All of China's allies
will support it in this attempt, whereas the United States' allies
will denounce China and cast doubt on its reputation.
The Far East, particularly China, has already been implicated in
espionage attempts in France, Germany, and the United
Kingdom. Therefore, there is a possibility that all of China's
espionage victims will join forces. The United States will
respond to any espionage attacks by putting in place its own
countermeasures, as all other countries do. Significant
technological advancements will also be made to prevent a
repetition of similar disasters. As a result, digital hostilities
between China and the United States will intensify, likewise
applicable to their allies.
Cyberwar is not merely a potential but a fact. The cyber conflict
has emerged as a new form of human conflict. This is because
every industrialized nation engages in espionage for various
reasons. Every nation views espionage as a serious trespass, and
the only response is always counterespionage. This gives rise to
a significant conflict that finally escalates into a full-scale
cyberwar. These conflicts culminate in diplomatic conflicts that
heighten tensions between nations.
In terms of technology, weapons, and information, every
country aspires to be better than the next. The only way to
achieve dominance is to build better technology than your
competitors, and to do so, you must first understand the scope
of your competitors' technology. No single country will publicly
reveal its technological achievements and levels, and espionage
is the only way to make such discoveries. Cyber battles are
sparked by espionage, and hostilities always result in alliances.
An unprecedented technical arms race will be comparable to the
Cold War. Due to the constant competition between countries in
terms of technological advancement, this is the case. This will
need the creation of cutting-edge countermeasures. National
military capabilities can be improved by having one national
technological leader in place, says Austin (2016). This is highly
reminiscent of the Cold War era's push for military dominance.
New advanced technologies such as quantum computing and
anti-satellite warfare will be at the forefront of the
technological arms race. This is due to the perception that
quantum computing is the only cybersecurity solution.
As a result, many countries, allies, and adversaries will invest
in it. Numerous countries, including the “United Kingdom, the
European Union, Russia, China, Japan, and the United States of
America”, have made significant investments in developing
quantum technology (Wallden & Kashefi, 2019). Other major
technological companies, including “Intel, Microsoft, IBM, and
Google, have established quantum hardware and software
development labs” (Wallden & Kashefi, 2019). This suggests
that the technology arms race has begun, and the future contains
even more unexpected developments. Breakthroughs in quantum
technology will propel technological growth to unprecedented
heights, rendering current technologies obsolete.
If quantum technology becomes a reality, the Internet of Things,
social engineering, and other associated technologies will
inevitably decline. This is due to the impression that the
complexity and power of quantum technologies are much
superior to contemporary technology, which includes the
Internet of Things and social engineering. The potency and
fault-tolerance of quantum technology will, if not render IoT
technologies completely unusable, at least reduce their utility.
This is because it will be a viable offensive and defensive
cybersecurity solution, elevating cyber warfare to a new level.
Positively, it will facilitate the efficient transmission of data
and information and the rapid resolution of extremely
complicated problems.
Question two
Even when international relations policies permit naming and
shaming, it is not always appropriate. First, naming and
shaming can affect a country's reputation. When a nation's
reputation is in jeopardy, it will turn to any form of retaliation
because it cannot tolerate humiliation (Terman, 2017).
According to Bawden (2016), public shaming has been met
with suspicion, indicating that certain nations are uncomfortable
with it. There is no assurance that naming and shaming would
coerce compliance or induce regret.
Consequently, its usefulness is questionable. Furthermore, it
can severely backfire. To name and shame may be detrimental if
the leaders of the target country claim that the report is an
attempt to intimidate them or a hostile act. As a result, the
narrative will shift to one of witch-hunting and the targeted
nation will gain some support. It does not matter whether
international relations allow it, because naming and shaming is
not appropriate.
References
Austin, G. (2016). Shaping the Cyber Arms Race of the Future.
ADM. (https://dokumen.tips/documents/shaping-the-cyber-arms-race-of-the-future-shaping-the-cyber-arms-race-of-the-future.html?page=1).
Bawden, Tom. ‘COP-21: Paris deal far too weak to prevent
devastating climate change, academics warn’, Independent, 8
Jan. 2016,
http://www.independent.co.uk/environment/climate-change/cop21-paris-deal-fartooweakto-prevent-devastating-climate-change-academics-warn-a6803096.html.
Gootman, S. (2016, October). OPM Hack: The Most Dangerous
Threat to the Federal Government Today. Journal of Applied
Security Research, 11(4), 517-525.
https://doi.org/10.1080/19361610.2016.1211876
Terman, R. (2017). Rewarding resistance: Theorizing defiance
to international norms. Unpublished Manuscript.
Wallden, P., & Kashefi, E. (2019). Cybersecurity in the
quantum era. Commun. ACM, 62(4), 120.
Personnel Management on Hacking
American Military University
ISSC630
8 May 2022
Introduction
The Office of Personnel Management, having encountered
cyber-related attacks, launched an investigation into the
incidents that are gaining significant fame in this generation.
Hacking has become a common crime according to the Office of
Personnel Management reports. To curb this crime from gaining
roots we launched an investigation on cybercrime, specifically
hacking that targets specific people in society. This report
presents the relevant evidence that has been gathered following
the previous reports on the progress of this investigation.
This is presented to ensure the culprits involved in
cybercrimes face federal charges for their actions in a
judicial manner.
The criminals through hacking were able to obtain personal
information of the citizens which made them targets of
blackmail and extortion due to the vulnerability of the accessed
information. The hackers used malware planted into the systems
that gave them access to the information of the targeted people
they had in mind. We followed this malware since it was easy to
detect and had a signature that related to the person who
performed the hack. Following the footprints and signatures
left behind by the hackers gave us the clue on how to find and
track the hackers. The federal government kept tabs on the
internet in case of any unusual activities to help trap the
hackers.
Key findings
Digital footprints are one of the ways that help the federal
government IT personnel follow and investigate matters
concerning cyber-attacks. During the operation of criminal
attacks, the government looks for fingerprints that can be used
to incriminate criminals as evidence during the presentation of
a case in court (Hanser, 2020). We collected this evidence as
the investigations were ongoing and stored it in the evidence
room.
This evidence can be used to track back the individuals that
were related to the attack. The digital footprints left by the
hackers and the malware that was used to carry out the attack
had IP addresses that were used to pin down where the hacking
process was being done. The reports indicated the origin of the
hack was related to Chinese citizens and one from Pakistan.
The federal investigators had to carry out more investigations to
find out more about the hackers who were caught. This they did
through interrogation to find out more information related to the
case. Interrogation is a way of obtaining information from
criminals that will help the investigators present evidence
beyond doubt in a criminal proceeding (Lu et al., 2021). By
using psychological aspects of interrogation, it was clear that
the groups related to the attack have committed more attacks
before the current attacks that were committed. Psychological
profiling helped to determine why the attacks were being
carried out and establish profiles for the suspects and
connections to certain groups.
Search warrants are required in an investigation to gain access
to the information or a place where the investigation officers
are optimistic to find the crucial evidence that can be used in
the court to incriminate a suspect during prosecution (Hanser,
2020). This allows the police to search for evidence even
without the occupant’s consent. This is required for a fourth
amendment search and is subject to a few exceptions. The
reasonableness search generalizes the search and is not limited
to a particular place. Anticipatory warrants are used for cases
where the police have probable cause and they are sure evidence
will be found in that place. The key findings related to the
case, namely the footprints and the IP addresses, were
presented to the judge in order to obtain a search warrant that
would help the investigative officers find more evidence and
build a stronger argument against the criminals.
In this case, after pinpointing the IP address of the hackers the
investigators had to obtain an anticipatory warrant that would
give access to the residence where that address pointed. This
gave a clear pass to search and arrest the people within that
premises (Kacker, 2021). The address led to the four suspects
who the investigator anticipates would be the participants in the
cyberattacks related to the hacking. The officers breached the
residence upon pieces of evidence that would help prove the
participants were involved in the criminal activity of hacking
and cyber-attacks.
The evidence that was found at the crime scene were hard drives
that were used to store personal information after the hacking
process was completed. The forensic officers bagged the drives
to be taken to the lab for examination and retrieval of evidence
that could be used in court. Various computers in the room
indicated the people who were in that room were more than the
four people found in the residence (Lu et al., 2021). The
computers had the digital signatures that were used to carry out
the attacks on the internet. The malware that was used was
stored in flash disks that were easily portable and simple to
connect to a server or personal computer.
Personal fingerprints in the servers that were hacked were also
found in the room where the group carried out their attacks.
These were fingerprints related to the Pakistan citizen who was
the one inserting the malware into the servers that were being
attacked by the group. They had video surveillance footage that
was removed from the cameras in the places that they were
hacking. This was clear evidence of the criminal activities the
group was involved in. These videos presented in court will
help us find justice for the people who fell victim to these
criminals.
The forensic team had to collect all the evidence obtained in
that room for processing to help the investigative officers
connect the dots in their case. After the evidence was
processed, the data in the reports indicated that the criminals
were part of the hacking group and that others were involved,
and the fingerprints of all the participants were used to
identify who the participants were in the cyber-attack (Kacker,
2021). A case was filed and the evidence collected was
presented in the court to open a case against the criminals,
since there was enough digital and physical evidence that tied
the individuals to the crime.
Conclusion
The Office of Personnel Management, through an accumulation of
the small pieces of evidence, finally had a breakthrough on the
case that led to arresting the criminals. Cyber-attacks are a
hard case to crack, as seen in various reports. It is time- and
resource-consuming; attaining digital evidence can be
time-consuming since there are protocols to be followed to
obtain the evidence. The use of search warrants is helpful in
an investigation. This allows the police and investigative
officers to crack their cases
open. Obtaining evidence is key to winning cases. In this case,
the search warrant helped to gain access to the criminals and to
attain the evidence that was required to open a case for the
individuals involved in cyber-attacks.
References
Hanser, R. D. (2020). Gang-related cyber and computer crimes:
Legal aspects and practical points of consideration in
investigations. International Review of Law, Computers &
Technology, 25(1-2), 47–55.
https://doi.org/10.1080/13600869.2011.594656
Kacker, P. (2021). GAP INDIAN JOURNAL OF FORENSICS
AND BEHAVIOURAL SCIENCES ROLE OF FORENSIC
PSYCHOLOGY IN CYBER INVESTIGATION.
https://www.gapijfbs.org/res/articles/(14-18)%20ROLE%20OF%20FORENSIC%20PSYCHOLOGY%20IN%20CYBER%20INVESTIGATION.pdf
Lu, Y., Van Ouytsel, J., & Temple, J. R. (2021). In-person and
cyber dating abuse: A longitudinal investigation. Journal of
Social and Personal Relationships, 38(12), 3713–3731.
https://doi.org/10.1177/02654075211065202
United States Office of Personnel Management (OPM) Incident
American Military University
ISSC630
17 April 2022
The US Office of Personnel Management (OPM) announced in
July 2015 that it had been the target of a successful
cyber-attack. The data that was leaked included extensive information
about background investigations, security clearance applications
and investigations, and fingerprint cards. The digital data
breach was one of the most significant in history and its effects
continue to be felt by both federal employees and their families.
This post will provide a summary of the key aspects
surrounding the case as well as some key or critical pieces of
data found by investigators. Next, it will analyze what could
have been done differently during this investigation based on
this specific situation as well as share insight into investigative
procedures. Lastly, it will give a few suggestions on what could
be done better in terms of future such incidents.
Summary of Key Aspects of the Case
The OPM hack was an attack that began at least as far back as
October 2014. It wasn't until May 2015 that the US government
publicly acknowledged it had occurred. The hackers were able
to obtain personal data on more than 22 million individuals.
This included the names, addresses, and Social Security
numbers of 4.2 million people; information regarding 1.1
million background investigations; and approximately 21.5
million sets of fingerprints, including 1.1 million that were not
available elsewhere in federal databases or other sources
(Finklea et al., 2015). In June 2015, the Office of Personnel
Management announced that it had begun work to implement
new security protocols and that the breach had not been fully
contained.
Key or Critical Pieces of Data Found
Investigators were able to retrieve the malware used by the
hackers. This malware had a unique signature: as with a
computer virus, malware carries some type of "signature" that
identifies it. With this
specific cyber-attack, it was a set of tools used known as
"Dewdrop." They were able to identify those responsible for the
attack by looking at the digital footprints they left behind. This
included where they came from and where they went after they
committed their crime or crimes. One of the more interesting
things found was the way in which they were able to keep this
breach under wraps for so long. They had been able to mask
their tracks and hide their locations. It wasn't until they tried to
move their data that they were caught (Finklea et al., 2015).
They were moving it over the internet, something that normally
is an easy task with all the tools available today. However,
because of how clean these hackers' work was, it made it easier
for them to be caught, as every time you go online you have a
unique identifier (IP address). Investigators were able to
identify four people responsible for this attack, three from
China and another from Pakistan.
In terms of what could have been done differently, investigators
were able to identify the individuals responsible for the attack
and locations they were based out of. However, to stop this type
of crime from happening again, it would be helpful to get a
better understanding as to why they are doing this. Their
reasoning is most likely going to give us some insight into how
we can prevent similar attacks in the future. It is difficult to say
whether investigators will ever be able to uncover a motive for
this attack (Finklea et al., 2015). Even though they were able to
identify who committed the attack and where they were located,
they were unable to get any information as far as why they did
it or how much data was taken before it was discovered.
In terms of search warrants and evidence that would be
collected, investigators would need to gather certain types of
information. Their first step is to identify the malicious code
and who created it as well as where it originated from. Once
they have determined who is responsible for this breach, they
will gather all available digital data related to the case. This
includes phone logs, financial records, emails, IP addresses
used, social media accounts/profiles (Facebook and Twitter),
and device data such as computer fingerprints or any digital
artifacts left behind on a computer or mobile device.
Suggestions for Future Investigations
In terms of future investigations and how they could be
improved, the OPM should make sure they have adequate
security measures in place to prevent future breaches. They
could also improve their communication with investigators to
make sure they know when things happen and provide adequate
information as soon as possible. Investigators should also make
sure that an investigation has enough manpower to
expeditiously complete a project.
I am not sure if there were any things that could have been done
differently, but I think we can all agree it was an incredibly
large breach in terms of the number of people impacted by this
attack. It could have been prevented by establishing better
security measures. This is concerning to me as more and more
sensitive data is stored on the internet and many companies do
not have adequate security measures in place. Although OPM
worked quickly to notify individuals who were potentially
impacted by this breach, I believe they could have done a better
job of contacting all those potentially impacted by this attack. It
is difficult to say whether investigators will ever be able to
uncover a motive for this attack. Even though they were able to
identify who committed the attack and where they were located,
they were unable to get any information as far as why they did
it or how much data was taken before it was discovered.
References
Finklea, K., Christensen, M. D., Fischer, E. A., Lawrence, S.
V., & Theohary, C. A. (2015, July). Cyber intrusion into US
office of personnel management: In brief. LIBRARY OF
CONGRESS WASHINGTON DC CONGRESSIONAL
RESEARCH SERVICE.
https://apps.dtic.mil/sti/citations/ADA623611
PSYCHOLOGICAL ASPECTS BEHIND THE OPM ATTACK
American Military University
ISSC630
24 April 2022
In June 2015, the US OPM stated that their data innovation
frameworks had been attacked through cyberspace. The personal
information of 4.2 million current and former government
employees may have been compromised due to this incident.
OPM then discovered a variety of cyber-attacks during the same
month that compromised the information of 21.5 million
individuals who had records in databases, including background
checks on potential housing candidates.
This breach was one of the most significant to occur in a
governance framework in recent memory. The Einstein
framework of the Office of Country Security (DHS) was used to
identify this incident. As part of its Einstein framework, the
DHS keeps a close eye on government Internet use for any signs
of potential cyber threats (Fruhlinger, 2020). The attackers were
able to get in using security credentials belonging to a KeyPoint
Government Solutions salesperson. This person did “federal
background checks and worked on OPM frameworks” to get access
to OPM frameworks (Hinck & Maurer, 2019).
“At an insights conference, an admiral, executive of the
National Security Organization (NSA), and chief of the U.S.
Cyber Command, Michael Rogers, did not reveal who may be
responsible for the hack(es)” (Hinck & Maurer, 2019).
However, James Clapper (Chief of National Insights) said the
next day in the same speech that China was the leading suspect
in the breaches. If China had access to the material gleaned
during the attack, it was unclear how it may utilize it.
Only a few experts disagreed with the theory that China is
compiling a comprehensive list of government officials to
identify US government officials and what their specific roles
are. Spearphishing emails may trick recipients into establishing
an interface or connection that will provide access to the
general computer framework, which is another option for
discovering the data.
Yu Pingan
The FBI charged Chinese malware broker Yu Pingan for his role
in distributing malware. The allegations say that Pingan
supplied hackers with malware that enabled them to gain access
to many US-based computer networks. The Sakula Trojan was
also included in this group. On August 21st, at Los Angeles
International Airport, he was taken into custody by LAPD
officers. Two unidentified hackers were said to have
collaborated with Pingan on a harmful attack against U.S. firm
networks between April 2011 and January 2014 (Fruhlinger,
2020).
One of the tools used in the OPM attack was also used in an
Anthem data compromise in 2015. Pingan pled guilty to his
role in the plot. Sakula was used to help him breach OPM, he
acknowledged. However, even though he was not explicitly tied
to the OPM attack, the same malware he used in Anthem led
authorities to suspect him of involvement in that incident.
The Deep Panda group
Hacker group Deep Panda is supported by the Chinese
government. They were thought to have been involved in the
OPM issue. “Patterns uncovered in the Internet's address book,
known as the domain registration system, connect Deep Panda
to the Anthem and Premera breaches” (Finnemore & Hollis,
2016). Deep Panda often registers similar-looking domains on
the web that closely resemble the ones they want to use as a
redirect. For example, we11point.com imitates Wellpoint, the
name Anthem used to be known by.
Because of the OPM breach, iSIGHT discovered a trend of
similar-sounding names being used to create these bogus
domains. According to domain registration data, several similar
OPM websites were also found. Despite the evidence
discovered, they still had some doubts and other reasons to
believe that they weren't responsible.
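The look-alike registration pattern described above is something a defender can watch for by comparing newly registered domains against the names an organization wants to protect. The following is an added example, not part of the original paper; the substitution table, the brand list, and every sample domain other than we11point.com are constructed assumptions.

```python
"""Flag newly registered domains that imitate protected brand names."""

# Characters and sequences commonly swapped in look-alike domains.
# Constructed, deliberately small table (an assumption, not a standard list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("i", "l")]

# Short brands are within one edit of too many unrelated labels.
MIN_LEN_FOR_EDIT_DISTANCE = 5


def skeleton(label):
    """Fold a label so visually similar strings compare equal."""
    folded = label.lower()
    for src, dst in CONFUSABLES:
        folded = folded.replace(src, dst)
    return folded


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "wlelpoint" for "wellpoint".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def second_level_label(domain):
    """Label left of the TLD. Assumes a one-label public suffix such as .com;
    suffixes like .co.uk need a Public Suffix List parser instead."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain, brands, legitimate):
    """Return [(brand, reason)] for every protected brand the domain imitates."""
    if domain.lower() in legitimate:
        return []
    label = second_level_label(domain)
    folded = skeleton(label)
    findings = []
    for brand in brands:
        target = skeleton(brand)
        if label == brand:
            findings.append((brand, "exact-label"))   # brand on an unapproved TLD
        elif folded == target:
            findings.append((brand, "homoglyph"))     # e.g. digits standing in for letters
        elif target in folded.split("-"):
            findings.append((brand, "embedded"))      # brand used as a hyphenated token
        elif (len(brand) >= MIN_LEN_FOR_EDIT_DISTANCE
              and edit_distance(folded, target) == 1):
            findings.append((brand, "typo"))          # one character off
    return findings


def scan(domains, brands, legitimate):
    """Map each suspicious domain to its findings; clean domains are omitted."""
    results = {}
    for domain in domains:
        findings = classify(domain, brands, legitimate)
        if findings:
            results[domain] = findings
    return results


# Constructed inputs, except we11point.com, which the text above mentions.
BRANDS = ["wellpoint", "opm"]
LEGITIMATE = {"wellpoint.com", "opm.gov"}
SAMPLE_FEED = ["we11point.com", "wellpoint.com", "welpoint.example",
               "opm-benefits.example", "ops.example"]

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_FEED, BRANDS, LEGITIMATE).items():
        print(name, hits)
```

The length guard is what keeps a three-letter name such as "opm" from matching every label that is one character away from it, while the hyphen-token check still catches the brand when it is used as a prefix.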
X1 & X2
The Congressional OPM data breach report named two groups:
X1 and X2. The report merely called them by these names since
it did not want to say who was responsible, or did not even know
who they were. Exfiltrating manuals and the IT system
architecture were the only things the X1 gang could not get its
hands on. The attackers' attempts to infiltrate the networks of
multiple contractors (such as USIS and KeyPoint) doing
background checks on federal personnel with access to OPM
computers were well-documented by December of that year.
OPM intended to perform a system reset in March 2014 to
eliminate any intruders from the system. As an alternative, an
entirely different group, X2, could gain access to the system by
exploiting the credentials of a different resource.
However, this vulnerability went undetected, and as a result,
when the whole system was purged, it was not deleted. X1 and
X2 have not been identified as belonging to the same
organization or even a single individual. They may still work
together even if they aren't the same person. This belief
was formed because X1 had obtained information that may
have been advantageous to X2's goals. It was also unclear
whether Deep Panda (as previously discussed) was one
of them.
Psychological profiles
Understanding why certain crimes are committed, establishing
profiles of prospective suspects, and connecting crimes to
individuals or groups will continue to be important to its
success. Behavior analysis employs both inductive and
deductive approaches. In deductive investigations, a suspect's
characteristics may be hypothesized based on the investigation
of certain components of the case. According to inductive
reasoning, a suspect has the characteristics of an offender
because of their generalization from empirical research.
Analyzing behavior patterns and comparing them is an
important element of behavioral science. Criminals may not be
aware that their actions are comparable to others'. According to
the definition, "signature actions are generally indications of
some desire or drive the suspect seeks to appease" (Rogers,
2016).
When Deep Panda engages in criminal conduct, they follow the same
procedure. As a result, they were suspected of involvement
based on their profile. Although X2's domain names (Steve
Rogers', Tony Stark's, etc.) looked to have some wit, it was hard
to tell. These names may represent a certain style. They may
have used these names to showcase their work and/or to guarantee
that what they produced is remembered by others.
Behavioral analyses may also be used to determine whether a
criminal or a group of criminals are responsible for various
crimes. An investigator would be looking for a comparable
modus operandi (MO) or conduct in these scenarios. MOs are
learned behaviors that might alter as a person grows older or
improves their abilities.
Because of this, other people may have been led to assume that
they are the same person. If OPM was about to do a complete
system reset, X1 may have learned of this and could not access
the system. The individual or group would then have to develop
a new strategy to preserve their position in the system after they
realize this may happen.
They may have had to alter their entry strategy to accomplish
this. There is a chance that X2 may have been spotted earlier if
they had used the same technique. X1 was able to install
keyloggers after gaining entry using legitimate employees'
credentials. There is a possibility that X1 and X2 are the same
individuals because X2 had also utilized personnel credentials
(Soesanto, 2019). The only way to remain in was to modify at
least a portion of their MO. This backdoor and a means of
maintaining their access were created with the aid of malware.
Conclusion
The OPM hack was a complex case, as evidenced by the
preceding paragraphs. Psychological profiles are a tool for
analyzing people's thoughts and feelings. However, they can
only help if there is actual evidence to back up their claims.
Two people can come to different conclusions based on how
they profile. Rather than a fact, an individual's profile is more
of a hypothesis in need of verification. It's only a personal
viewpoint if that's the case.
It is also possible that those who profile may not consider all of
the relevant factors. For example, a profiler unfamiliar with
technology may be unable to make certain connections that a
profiler knowledgeable about technology can. To facilitate these
connections, it may be helpful to have two people working
together. Then, it may be easier to reach a conclusion and
gather the relevant evidence.
References
Finnemore, M., & Hollis, D. B. (2016). Constructing norms for
global cybersecurity. American Journal of International
Law, 110(3), 425-479. Retrieved from Cambridge Core.
Fruhlinger, J. (2020, February 12). The OPM hack explained: Bad
security practices meet China's Captain America. CSO Online.
Chief Security Officer (CSO) by International Data Group (IDG).
Retrieved from csoonline.com.
Hinck, G., & Maurer, T. (2019). Persistent enforcement:
Criminal charges as a response to nation-state malicious cyber
activity. J. Nat'l Sec. L. & Pol'y, 10, 525. Retrieved from
heinonline.org.
Rogers, M. K. (2016). Psychological profiling as an
investigative tool for digital forensics. In Digital Forensics (pp.
45-58). Syngress. Retrieved from ScienceDirect.
Soesanto, S. (2019). The Evolution of US Defense Strategy in
Cyberspace (1988–2019). ETH Zurich. Retrieved from Research
Collection (ethz.ch).
Instructions
To complete this assignment, you will need to answer the below
questions. Please complete the questions in a Word document
and then upload the assignment for grading. When assigning a
name to your document please use the following format (last
name_FinalReport). Use examples from the readings, lecture
notes and outside research to support your answers. The
assignment must be a minimum of 6-full pages in length with a
minimum of 3-outside sources. Please be sure to follow APA
guidelines for citing and referencing sources. Assignments are
due by 11:59 pm Eastern time on Sunday.
1) This is a culmination of the past 8 weeks of work. The case is
closed and you need to turn in a final report. Please take a look
at this page and read how to outline the report: Intro to Report
Writing for Digital Forensics
https://www.sans.org/digital-forensics-incident-response/blog/2010/08/25/intro-report-writing-digital-forensics/
2) In essence, you will be combining the information from
Assignments 2, 3, 4, 5, 6, and 8. The Case Summary is the key
part of this report where you sum up all of your work. The
Forensics Acquisition and Exam Preparation will need to be a
mixture of some content identified already and some
"imagination". Findings and Report will be a combination of the
case and its key aspects/facts. And then you got your
conclusion. I know this is a bit of a stretch and is going to
require some "imagination" on parts, but I want you to properly
understand what types of documents that you will be
experiencing in these investigations.

Topic Death Investigations. Review homicide investigation as de.docxTopic Death Investigations. Review homicide investigation as de.docx
Topic Death Investigations. Review homicide investigation as de.docx
 

Recently uploaded

A Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two HeartsA Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two Hearts
Steve Thomason
 
Temple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation resultsTemple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation results
Krassimira Luka
 
A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
Jean Carlos Nunes Paixão
 
writing about opinions about Australia the movie
writing about opinions about Australia the moviewriting about opinions about Australia the movie
writing about opinions about Australia the movie
Nicholas Montgomery
 
Benner "Expanding Pathways to Publishing Careers"
Benner "Expanding Pathways to Publishing Careers"Benner "Expanding Pathways to Publishing Careers"
Benner "Expanding Pathways to Publishing Careers"
National Information Standards Organization (NISO)
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
Nguyen Thanh Tu Collection
 
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptxPengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Fajar Baskoro
 
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
Nguyen Thanh Tu Collection
 
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) CurriculumPhilippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
MJDuyan
 
HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.
deepaannamalai16
 
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptxBIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
RidwanHassanYusuf
 
How to deliver Powerpoint Presentations.pptx
How to deliver Powerpoint  Presentations.pptxHow to deliver Powerpoint  Presentations.pptx
How to deliver Powerpoint Presentations.pptx
HajraNaeem15
 
Stack Memory Organization of 8086 Microprocessor
Stack Memory Organization of 8086 MicroprocessorStack Memory Organization of 8086 Microprocessor
Stack Memory Organization of 8086 Microprocessor
JomonJoseph58
 
B. Ed Syllabus for babasaheb ambedkar education university.pdf
B. Ed Syllabus for babasaheb ambedkar education university.pdfB. Ed Syllabus for babasaheb ambedkar education university.pdf
B. Ed Syllabus for babasaheb ambedkar education university.pdf
BoudhayanBhattachari
 
Film vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movieFilm vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movie
Nicholas Montgomery
 
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
Nguyen Thanh Tu Collection
 
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxBeyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
EduSkills OECD
 
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
GeorgeMilliken2
 
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdfمصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
سمير بسيوني
 
Walmart Business+ and Spark Good for Nonprofits.pdf
Walmart Business+ and Spark Good for Nonprofits.pdfWalmart Business+ and Spark Good for Nonprofits.pdf
Walmart Business+ and Spark Good for Nonprofits.pdf
TechSoup
 

Recently uploaded (20)

A Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two HeartsA Visual Guide to 1 Samuel | A Tale of Two Hearts
A Visual Guide to 1 Samuel | A Tale of Two Hearts
 
Temple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation resultsTemple of Asclepius in Thrace. Excavation results
Temple of Asclepius in Thrace. Excavation results
 
A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
 
writing about opinions about Australia the movie
writing about opinions about Australia the moviewriting about opinions about Australia the movie
writing about opinions about Australia the movie
 
Benner "Expanding Pathways to Publishing Careers"
Benner "Expanding Pathways to Publishing Careers"Benner "Expanding Pathways to Publishing Careers"
Benner "Expanding Pathways to Publishing Careers"
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
 
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptxPengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
 
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
BÀI TẬP DẠY THÊM TIẾNG ANH LỚP 7 CẢ NĂM FRIENDS PLUS SÁCH CHÂN TRỜI SÁNG TẠO ...
 
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) CurriculumPhilippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
Philippine Edukasyong Pantahanan at Pangkabuhayan (EPP) Curriculum
 
HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.HYPERTENSION - SLIDE SHARE PRESENTATION.
HYPERTENSION - SLIDE SHARE PRESENTATION.
 
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptxBIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
BIOLOGY NATIONAL EXAMINATION COUNCIL (NECO) 2024 PRACTICAL MANUAL.pptx
 
How to deliver Powerpoint Presentations.pptx
How to deliver Powerpoint  Presentations.pptxHow to deliver Powerpoint  Presentations.pptx
How to deliver Powerpoint Presentations.pptx
 
Stack Memory Organization of 8086 Microprocessor
Stack Memory Organization of 8086 MicroprocessorStack Memory Organization of 8086 Microprocessor
Stack Memory Organization of 8086 Microprocessor
 
B. Ed Syllabus for babasaheb ambedkar education university.pdf
B. Ed Syllabus for babasaheb ambedkar education university.pdfB. Ed Syllabus for babasaheb ambedkar education university.pdf
B. Ed Syllabus for babasaheb ambedkar education university.pdf
 
Film vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movieFilm vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movie
 
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
 
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptxBeyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
 
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
What is Digital Literacy? A guest blog from Andy McLaughlin, University of Ab...
 
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdfمصحف القراءات العشر   أعد أحرف الخلاف سمير بسيوني.pdf
مصحف القراءات العشر أعد أحرف الخلاف سمير بسيوني.pdf
 
Walmart Business+ and Spark Good for Nonprofits.pdf
Walmart Business+ and Spark Good for Nonprofits.pdfWalmart Business+ and Spark Good for Nonprofits.pdf
Walmart Business+ and Spark Good for Nonprofits.pdf
 

BROWSER FINGERPRINTING

  • 1. Browser Fingerprinting. American Military University, ISSC630, 1 May 2022. The hacking process is said to have started in November 2013, when the attackers were first able to breach the OPM networks. This attacker or group was referred to as XI. This name was used in the congressional report on the OPM data breach. Though the XI were not capable of accessing any personnel data at that time, they were able to exfiltrate manuals as well as IT system architecture information. In real life, an individual's fingerprints are unique to that person. In the online world, it is the browser configuration that may end up pointing to a person. Though most individuals tend to use similar browsers, their hardware or software configurations tend to be quite
  • 2. different, so that they can effectively act as the IDs of the users. Browser fingerprinting makes it possible to acquire granular information about every single parameter of that configuration. For example, it can reveal the default language the user has set for the browser or identify the installed fonts, among others. Like a human fingerprint, an individual's browser has a set of traits that are unique and that may be traced back to the user as well as to anything they end up doing on the internet. Whenever a person browses the internet, most web portals capture some of this information, such as the screen size and the type of browser, to provide an appropriate experience (Durey et al., 2021, July). Additionally, browser fingerprinting may be used for identification in addition to tracking. Websites can record all sorts of data about an individual through their fingerprint, then connect it to other matching fingerprints to build a precise picture of the user's browsing behavior and website activities. The main objective of browser fingerprinting is to acquire as much information as possible about a website visitor's identity and personality, based on their browser configuration. This is of great use in the context of cybersecurity and fraud prevention, where specific parameters may immediately point to suspicious configurations. For example, browser fingerprinting may be able to detect when users rely on spoofing tools or emulators, which should raise suspicion about their intentions on the website. Since these fingerprints are quite unique, they also operate as user IDs. 
This permits advertisers and marketers to monitor users all over the web, in addition to
  • 3. delivering targeted content depending on a person's outlined activities. It is also extremely important to understand that browser fingerprinting is a contentious practice, which is why several privacy advocacy groups have developed anti-fingerprinting and anti-tracking tools and techniques. The actual configuration of swirls and lines that makes up an individual's fingerprints is perceived to be unique to that person. In a similar way, a user's browser fingerprint can be defined as a set of information that is gathered from a person's laptop or phone every time it is used, enabling advertisers to automatically link back to the user (Pugliese et al., 2020). Browser fingerprinting is an umbrella term for means of identifying a particular browser through querying. JavaScript, CSS and API features behave the same across different domains, without making use of cookies. For example, knowing the version of the operating system that is in use might result in zero-day attacks or lead to know. This is achievable through regular use of User-Agent queries. Several organizations have proprietary fonts, such as Google Sans. When a proprietary font is installed on a user's system, it is a good bet that the user works for that organization or that they pirated the font. This can be tested in either CSS or JS. Browser fingerprinting is a permissionless and stateless technique for generating an identifier on the server side, in addition to using the available storage on the client side to have it stored. 
As a result of all this, it is quite possible to use browser fingerprinting to ensure that hackers and other attackers are traced. The most popular method that websites use to obtain a user's data is cookies. Cookies are small text file packets that are stored by a computer, which tend to
  • 4. comprise particular data that may give websites the information needed to enhance the user experience. Websites remember and track personal computers and devices by loading cookies onto a person's computer. Each time a person visits a website, the browser automatically downloads cookies. When the same website is visited again, the browser assesses the data packets and provides the user with a personally customized experience (Iqbal et al., 2021, May). The Am I Unique website has a comprehensive list made up of 19 data points. The most significant attributes are: whether cookies are enabled, the platform currently in use, the kind of browser and its version, the computer in use by the user, and whether tracking cookies on the computer have been blocked. References: Durey, A., Laperdrix, P., Rudametkin, W., & Rouvoy, R. (2021, July). FP-Redemption: Studying browser fingerprinting adoption for the sake of web security. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 237-257). Springer, Cham. https://link.springer.com/chapter/10.1007/978-3-030-80825-9_12 Iqbal, U., Englehardt, S., & Shafiq, Z. (2021, May). Fingerprinting the fingerprinters: Learning to detect browser fingerprinting behaviors. In 2021 IEEE Symposium on Security and Privacy (SP) (pp. 1143-1161). IEEE. https://ieeexplore.ieee.org/abstract/document/9519502/ Pugliese, G., Riess, C., Gassmann, F., & Benenson, Z. (2020). Long-Term Observation on Browser Fingerprinting: Users’ Trackability and Perspective. Proc. Priv. Enhancing Technol., 2020(2), 558-577. https://sciendo.com/downloadpdf/journals/popets/2020/2/article-p558.pdf
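The fraud-prevention use described in the paper above, where a fingerprint serves as a stateless identifier and inconsistent parameters point to spoofing or emulation, is shown here as an added example that is not part of the original paper. The attribute names, the sample visits and the FNV-1a stand-in hash are assumptions made for illustration.

```javascript
// Added example, not from the original paper. Attribute names and the sample
// visits are constructed; values mimic what navigator.* would report.

// Canonicalise attributes so key order does not change the identifier.
function canonicalize(attrs) {
  return Object.keys(attrs).sort()
    .map((k) => `${k}=${JSON.stringify(attrs[k])}`)
    .join('|');
}

// FNV-1a (32-bit): a dependency-free, non-cryptographic stand-in.
// Assumption: a real deployment would use a keyed cryptographic hash.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Stateless identifier: same attributes in, same ID out, no cookie needed.
function fingerprintId(attrs) {
  return fnv1a(canonicalize(attrs));
}

// Operating system claimed by the User-Agent header. Order matters: Android
// UAs also contain "Linux" and iOS UAs also contain "Mac OS X".
function osFromUserAgent(ua) {
  if (/Windows NT/.test(ua)) return 'windows';
  if (/Android/.test(ua)) return 'android';
  if (/iPhone|iPad/.test(ua)) return 'ios';
  if (/Mac OS X/.test(ua)) return 'mac';
  if (/Linux/.test(ua)) return 'linux';
  return 'unknown';
}

// Operating system implied by navigator.platform.
function osFromPlatform(platform) {
  if (/^Win/.test(platform)) return 'windows';
  if (/^Mac/.test(platform)) return 'mac';
  if (/^(iPhone|iPad)/.test(platform)) return 'ios';
  if (/^Linux/.test(platform)) return 'linux';
  return 'unknown';
}

// Android reports a Linux platform string, so compare OS families.
const family = (os) => (os === 'android' ? 'linux' : os);

// Return the list of parameters that contradict each other.
function checkConsistency(attrs) {
  const flags = [];
  const uaOs = osFromUserAgent(attrs.userAgent || '');
  const platOs = osFromPlatform(attrs.platform || '');
  if (uaOs !== 'unknown' && platOs !== 'unknown' && family(uaOs) !== family(platOs)) {
    flags.push('ua-platform-mismatch');   // UA claims one OS, platform another
  }
  if ((uaOs === 'android' || uaOs === 'ios') && attrs.maxTouchPoints === 0) {
    flags.push('mobile-ua-no-touch');     // phone UA on a device with no touch input
  }
  if (attrs.webdriver === true) {
    flags.push('automation-flag');        // navigator.webdriver set by automation
  }
  return flags;
}

function assess(attrs) {
  return { id: fingerprintId(attrs), flags: checkConsistency(attrs) };
}

// Constructed sample data.
const CHROME_WIN = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ' +
  '(KHTML, like Gecko) Chrome/100.0.0.0 Safari/537.36';
const SAFARI_IOS = 'Mozilla/5.0 (iPhone; CPU iPhone OS 15_4 like Mac OS X) ' +
  'AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Mobile/15E148 Safari/604.1';

const SAMPLE_VISITS = {
  desktop: { userAgent: CHROME_WIN, platform: 'Win32', language: 'en-US',
    screen: '1920x1080', cookiesEnabled: true, maxTouchPoints: 0, webdriver: false },
  spoofedPhone: { userAgent: SAFARI_IOS, platform: 'Linux x86_64', language: 'en-US',
    screen: '1920x1080', cookiesEnabled: true, maxTouchPoints: 0, webdriver: true },
};

for (const [label, attrs] of Object.entries(SAMPLE_VISITS)) {
  const { id, flags } = assess(attrs);
  console.log(label, id, flags.length ? flags.join(',') : 'consistent');
}
```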
  • 5. Cyber Cases. American Military University, ISSC630, 15 May 2022. Introduction. This report documents the investigation procedure followed by the forensic agents and the investigating officers on the incident and the recent evidence that was found on a suspect’s computer related to child pornography. The client claimed not to be part of the incident and that it was an ad that popped up on his computer. The research below documents the procedures that were followed to obtain evidence and prove that the accusation brought against the suspect incriminates him in the incident. This is done by going through the forensic procedure of securing and obtaining evidence digitally. To provide concrete evidence to the court, an investigation and examination of the incident were carried out to obtain pieces of evidence to be used in criminal
  • 6. justice. Literature review. First, the computer and the digital devices related to the suspect were taken to help in the investigation. The investigator brought in a forensic team to handle the collection and examination of the devices to determine whether there would be enough evidence pointing to the suspect's involvement in the child pornography cases (Du et al., 2020). The forensic team had to check email and online chats and track the IP addresses in the devices to establish a pattern that could be used during the investigation process. The browsers and search histories are also among the areas investigated for relevant evidence related to the case. Devices are seized to avoid manipulation of the information that is stored on them. This is done by turning off the devices, which preserves the cell tower information that could be used to locate other accomplices who may be related to the case. The evidence is secured to avoid changes to the data on the device before the evaluation and retrieval of information to be presented as evidence in a court of law (Arshad et al., 2018). The forensic team placed the evidence in antistatic packaging such as envelopes and cardboard boxes. Plastics were avoided as they can convey electricity or allow a buildup of humidity and destroy the evidence. The evidence is taken to the forensic laboratory for examination to retrieve the relevant information that might be stored on the computer and that can be used in court as evidence. The qualified analyst follows the procedure below to retrieve information from the presented digital evidence. Preventing contamination: before analyzing the data, a backup of the original files and information is created. When analyzing data from the suspect device, the information should be kept on a clean storage device to secure the information (Du et al., 2020). 
The forensic team isolated the wireless device in a separate chamber where the analysis would be carried out. This is to
  • 7. prevent connection to any network and keep the evidence as pristine as possible. The device is connected to analysis software within the chamber to safeguard the evidence from digital manipulation of the information. The analyst installs write-blocking software that prevents any changes to the device (Murthy et al., 2021). An extraction method is then selected: the analyst determines the model of the device and selects extraction software designed to parse the data most completely. The experts conduct an analysis of the content contained on the device, including current files, internet history, logs, cookies, and deleted files. The forensic team has software that can recover deleted files, which can then be used as evidence. The investigators had to carry out other investigations apart from awaiting the forensic reports to ensure that they had enough evidence to be used against the suspect. In child porn cases investigators rely on electronic evidence. However, they also carried out interviews with the alleged offender, the people he was close to, and the family members to have a better understanding of the suspect. This background check helps the investigator to understand the full potential and the lengths the offender is willing to go to when it comes to this type of case. The report from the forensic team came back and the investigating officer went through the evidence recovered. The evidence indicated the following: the first piece of evidence was that the suspect's fingerprint was found on the device that was in his possession (Murthy et al., 2021). The forensic team examined the digital footprints and found there were no cookie ads related to child pornography. The analyst found emails that were related to a discussion of child porn and the IP address that the group was using; the evidence also revealed encrypted messages that were sent to various users regarding child porn. 
The investigating officers tracked down the addresses and stumbled upon more evidence related to the child porn case. The internet history also presents evidence of the suspect's search history that is related to the case. The group has bank
  • 8. accounts that were used to pay for child traffickers (Arshad et al., 2018). Adding to the evidence was the shipment of little girls that was found, which also had a connection to the suspect. This evidence all proved that the suspect was involved in illegal business and would face trial for the charges brought against the offenders. We focus on the new evidence and put aside the primary cases to allow the team to close the cases. Upon closure, the team will embark on the primary case, focusing on the OPM attack. The decision is based on the evidence presented: we would proceed with the child pornography case, where the evidence has been presented and the suspect is in custody. The decision to focus on this case is due to the breakthrough in the case, and the case is a critical issue that affects the lives of many youths in society (Arshad et al., 2018). Having cracked open the case, it is best to see it through and close the case for a better and safer environment for the children and the youths to live in. The safety of citizens, especially the youth, is essential; hence it requires attention when the opportunity presents itself. The investigation will be ongoing to ensure the entire criminal organization has been captured and the cases and incidents related to child kidnapping, trafficking, and child pornography are curbed and reduced in society. References: Arshad, H., Jantan, A. B., & Abiodun, O. I. (2018). Digital Forensics: Review of Issues in Scientific Validation of Digital Evidence. Journal of Information Processing Systems, 14(2), 346–376. https://doi.org/10.3745/JIPS.03.0095 Du, X., Hargreaves, C., Sheppard, J., Anda, F., Sayakkara, A., Le-Khac, N.-A., & Scanlon, M. (2020). SoK: Exploring the State of the Art and the Future Potential of Artificial Intelligence in Digital Forensic Investigation. Proceedings of the 15th International Conference on Availability, Reliability, and Security, 1–10. https://doi.org/10.1145/3407023.3407068
  • 9. Murthy, S., Fontela, P., & Berry, S. (2021). Incorporating Adult Evidence Into Pediatric Research and Practice. JAMA. https://doi.org/10.1001/jama.2020.25007 Assignment 8. American Military University, ISSC630, 29 May 2022. Question one. All of the OPM court case defendants have been found guilty, and the trial has closed. As part of the agreement, they all agreed to identify the Chinese Central Government as the perpetrator of the attack. Consequently, identifying the Chinese government as the perpetrator will result in various consequences. First, it will give the impression that a bold statement is being sent to the entire globe, and it will act as a template for future approaches to comparable challenges. Because the Chinese have already disputed the allegations and emphasized their innocence, they will respond swiftly to the revelation (Gootman, 2016). This will result in an avalanche of counter-accusations. The establishment of multinational coalitions will also be a possible outcome. All of China's allies will support it in this attempt, whereas the United States' allies will denounce China and cast doubt on its reputation.
  • 10. The Far East, particularly China, has already been implicated in espionage attempts in France, Germany, and the United Kingdom. Therefore, there is a possibility that all of China's espionage victims will join forces. The United States will respond to any espionage attacks by putting in place its own countermeasures, as all other countries do. Significant technological advancements will also be made to prevent a repetition of similar disasters. As a result, digital hostilities between China and the United States will intensify, and the same applies to their allies. Cyberwar is not merely a potential but a fact. Cyber conflict has emerged as a new form of human conflict. This is because every industrialized nation engages in espionage for various reasons. Every nation views espionage as a serious trespass, and the only response is always counterespionage. This gives rise to a significant conflict that finally escalates into a full-scale cyberwar. These conflicts culminate in diplomatic conflicts that heighten tensions between nations. In terms of technology, weapons, and information, every country aspires to be better than the next. The only way to achieve dominance is to build better technology than your competitors, and to do so, you must first understand the scope of your competitors' technology. No single country will publicly reveal its technological achievements and levels, and espionage is the only way to make such discoveries. Cyber battles are sparked by espionage, and hostilities always result in alliances. An unprecedented technical arms race will be comparable to the Cold War. This is the case because of the constant competition between countries in terms of technological advancement. This will require the creation of cutting-edge countermeasures. National military capabilities can be improved by having one national technological leader in place, says Austin (2016). This is highly reminiscent of the Cold War era's push for military dominance. 
New advanced technologies such as quantum computing and anti-satellite warfare will be at the forefront of the technological arms race. This is due to the perception that
  • 11. quantum computing is the only cybersecurity solution. As a result, many countries, allies, and adversaries will invest in it. Numerous countries, including the “United Kingdom, the European Union, Russia, China, Japan, and the United States of America”, have made significant investments in developing quantum technology (Wallden & Kashefi, 2019). Other major technological companies, including “Intel, Microsoft, IBM, and Google, have established quantum hardware and software development labs” (Wallden & Kashefi, 2019). This suggests that the technology arms race has begun, and the future contains even more unexpected developments. Breakthroughs in quantum technology will propel technological growth to unprecedented heights, rendering current technologies obsolete. If quantum technology becomes a reality, the Internet of Things, social engineering, and other associated technologies will inevitably decline. This is due to the impression that the complexity and power of quantum technologies are much superior to contemporary technology, which includes the Internet of Things and social engineering. The potency and fault-tolerance of quantum technology will, if not render IoT technologies completely unusable, at least reduce their utility. This is because it will be a viable offensive and defensive cybersecurity solution, elevating cyber warfare to a new level. Positively, it will facilitate the efficient transmission of data and information and the rapid resolution of extremely complicated problems. Question two. Even when international relations policies permit naming and shaming, it is not always appropriate. First, naming and shaming can affect a country's reputation. When a nation's reputation is in jeopardy, it will turn to any form of retaliation because it cannot tolerate humiliation (Terman, 2017). According to Bawden (2016), public shaming has been met with suspicion, indicating that certain nations are uncomfortable with it. 
There is no assurance that naming and shaming would coerce compliance or induce regret.
  • 12. Consequently, its usefulness is questionable. Furthermore, it can severely backfire. To name and shame may be detrimental if the leaders of the target country claim that the report is an attempt to intimidate them or a hostile act. As a result, the narrative will shift to one of witch-hunting and the targeted nation will gain some support. It does not matter whether international relations allow it, because naming and shaming is not appropriate. References Austin, G. (2016). Shaping the Cyber Arms Race of the Future. ADM. (https://dokumen.tips/documents/shaping-the-cyber-arms- race-of-the-future-shaping-the-cyber-arms-race-of-the- future.html?page=1). Bawden, Tom. ‘COP-21: Paris deal far too weak to prevent devastating climate change, academics warn’, Independent, 8 Jan. 2016, http://www.independent.co.uk/environment/climate- change/cop21-paris-deal-fartooweakto-prevent-devastating- climate-change-academics-warn-a6803096.html. Gootman, S. (2016, October). OPM Hack: The Most Dangerous Threat to the Federal Government Today. Journal of Applied Security Research, 11(4), 517-525. https://doi.org/10.1080/19361610.2016.1211876 Terman, R. (2017). Rewarding resistance: Theorizing defiance to international norms. Unpublished Manuscript. Wallden, P., & Kashefi, E. (2019). Cybersecurity in the quantum era. Commun. ACM, 62(4), 120. PERSONNEL MANAGEMENT ON HACKING 2 PERSONNEL MANAGEMENT ON HACKING 2
  • 13. Personnel Management on Hacking American Military University ISSC630 8 May 2022 Introduction The office of personnel management, having encountered cyber-related attacks, launched an investigation on the incidents that are gaining significant fame in this generation. Hacking has become a common crime according to the office of personnel management reports. To curb this crime from gaining roots we launched an investigation on cybercrime, specifically hacking that targets specific people in society. This report was to present the relevant evidence that has been presented following the previous reports in the progress related to this investigation. This is presented to ensure the culprits involved in cybercrimes face federal charges for their actions in a judicial manner. The criminals through hacking were able to obtain personal information of the citizens which made them targets of blackmail and extortion due to the vulnerability of the accessed information. The hackers used malware planted into the systems that gave them access to the information of the targeted people they had in mind. We followed this malware since it was easy to detect and had a signature that related to the person who performed the hack. Following the footprints and signatures left behind by the hackers gave us the clue on how to find and track the hackers. The federal government put tabs on the internet in case of any unusual activities to help trap the hackers. Key findings Digital footprints are one of the ways that help the federal government IT personnel follow and investigate matters
  • 14. concerning cyber-attacks. During the operation of criminal attacks, the government looks for fingerprints that can be used to incriminate criminals as evidence during the presentation of a case in court (Hanser, 2020). We collected this evidence as the investigations were ongoing and stored it in the evidence room. This evidence can be used to track back the individuals that were related to the attack. The digital footprints left by the hackers and the malware that was used to carry out the attack had IP addresses that were used to pin down where the hacking process was being done. The reports indicated the origin of the hack was related to Chinese citizens and one from Pakistan. The federal investigators had to carry out more investigations to find out more about the hackers who were caught. This they did through interrogation to find out more information related to the case. Interrogation is a way of obtaining information from criminals that will help the investigators present evidence beyond doubt in a criminal proceeding (Lu et al., 2021). By using psychological aspects of interrogation, it was clear that the groups related to the attack have committed more attacks before the current attacks that were committed. Psychological profiling helped to determine why the attacks were being carried out and establish profiles for the suspects and connections to certain groups. Search warrants are required in an investigation to gain access to the information or a place where the investigation officers are optimistic to find the crucial evidence that can be used in the court to incriminate a suspect during prosecution (Hanser, 2020). This allows the police to search for evidence even without the occupant’s consent. This is required for a fourth amendment search and is subject to a few exceptions. The reasonableness search generalizes the search and is not limited to a particular place.
Anticipatory warrants are used for cases where the police have probable cause and they are sure evidence will be found in that place. Presenting the key findings related to the case to the judge, that is, the footprints and the IP addresses, made it possible to obtain a search warrant to help the
  • 15. investigative officers find more evidence to build a stronger argument against the criminals. In this case, after pinpointing the IP address of the hackers the investigators had to obtain an anticipatory warrant that would give access to the residence where that address pointed. This gave a clear pass to search and arrest the people within that premises (Kacker, 2021). The address led to the four suspects who the investigator anticipates would be the participants in the cyberattacks related to the hacking. The officers breached the residence upon pieces of evidence that would help prove the participants were involved in the criminal activity of hacking and cyber-attacks. The evidence that was found at the crime scene were hard drives that were used to store personal information after the hacking process was completed. The forensic officers bagged the drives to be taken to the lab for examination and retrieval of evidence that could be used in court. Various computers in the room indicated the people who were in that room were more than the four people found in the residence (Lu et al., 2021). The computers had the digital signatures that were used to carry out the attacks on the internet. The malware that was used was stored in flash disks that were easily portable and simple to connect to a server or personal computer. Personal fingerprints in the servers that were hacked were also found in the room where the group carried out their attacks. These were fingerprints related to the Pakistan citizen who was the one inserting the malware into the servers that were being attacked by the group. They had video surveillance footage that was removed from the cameras in the places that they were hacking. This was clear evidence of the criminal activities the group was involved in. These videos presented in court will help us find justice for the people who fell victim to these criminals.
The forensic team had to collect all the evidence obtained in that room for processing to help the investigative officers connect the dots in their case. After processing the evidence
  • 16. presented and from the reports, the data indicated that the criminals were part of the hacking group and others are involved and the fingerprint of all the participants was used to identify who the participants were in the cyber-attack (Kacker, 2021). A case was filed and the evidence collected was presented in the court to open a case for the criminals since there was enough digital and physical evidence that tied the individuals to the crime. Conclusion The office of personnel management through an accumulation of the small pieces of evidence finally had a breakthrough on the case that led to arresting the criminals. Cyber-attacks are a hard case to crack as seen in various reports. It is time- and resource-consuming; attaining digital evidence can be time-consuming since there are protocols to be followed to obtain the evidence. The use of search warrants is helpful in an investigation. This allows the police and investigative officers to crack their cases open. Obtaining evidence is key to winning cases. In this case, the search warrant helped to gain access to the criminals and to attain the evidence that was required to open a case for the individuals involved in cyber-attacks. References Hanser, R. D. (2020). Gang-related cyber and computer crimes: Legal aspects and practical points of consideration in investigations. International Review of Law, Computers & Technology, 25(1-2), 47–55. https://doi.org/10.1080/13600869.2011.594656 Kacker, P. (2021). GAP INDIAN JOURNAL OF FORENSICS AND BEHAVIOURAL SCIENCES ROLE OF FORENSIC PSYCHOLOGY IN CYBER INVESTIGATION. https://www.gapijfbs.org/res/articles/(14-18)%20ROLE%20OF%20FORENSIC%20PSYCHOLOGY%20IN%20CYBER%20INVESTIGATION.pdf Lu, Y., Van Ouytsel, J., & Temple, J. R. (2021). In-person and cyber dating abuse: A longitudinal investigation. Journal of
  • 17. Social and Personal Relationships, 38(12), 3713–3731. https://doi.org/10.1177/02654075211065202 United States Office of Personnel Management (OPM) Incident American Military University ISSC630 17 April 2022 The US Office of Personnel Management (OPM) announced in July 2015 that it had been the target of a successful cyber-attack. The data that was leaked included extensive information about background investigations, security clearance applications and investigations, and fingerprint cards. The digital data breach was one of the most significant in history and its effects continue to be felt by both federal employees and their families. This post will provide a summary of the key aspects surrounding the case as well as some key or critical pieces of data found by investigators. Next, it will analyze what could have been done differently during this investigation based on this specific situation as well as share insight into investigative procedures. Lastly, it will give a few suggestions on what could be done better in terms of future such incidents. Summary of Key Aspects of the Case
  • 18. The OPM hack was an attack that began at least as far back as October 2014. It wasn't until May 2015 that the US government publicly acknowledged it had occurred. The hackers were able to obtain personal data on more than 22 million individuals. This included the names, addresses, and Social Security numbers of 4.2 million people; information regarding 1.1 million background investigations; and approximately 21.5 million sets of fingerprints, including 1.1 million that were not available elsewhere in federal databases or other sources (Finklea et al., 2015). In June 2015, the Office of Personnel Management announced that it had begun work to implement new security protocols and that the breach had not been fully contained. Key or Critical Pieces of Data Found Investigators were able to retrieve the malware used by the hackers. This "malware" had a unique signature; this is like when you have a computer virus: just as with a virus, malware will have some type of "signature" that identifies it. With this specific cyber-attack, it was a set of tools known as "Dewdrop." They were able to identify those responsible for the attack by looking at the digital footprints they left behind. This included where they came from and where they went after they committed their crime or crimes. One of the more interesting things found was the way in which they were able to keep this breach under wraps for so long. They had been able to mask their tracks and hide their locations. It wasn't until they tried to move their data that they were caught (Finklea et al., 2015). They were moving it over the internet, something that normally is an easy task with all the tools available today. However, because of how clean the hackers' work was, it made it easier for them to be caught as every time you go online you have a unique identifier (IP address). Investigators were able to identify four people responsible for this attack, three from China and another from Pakistan.
In terms of what could have been done differently, investigators were able to identify the individuals responsible for the attack
  • 19. and locations they were based out of. However, to stop this type of crime from happening again, it would be helpful to get a better understanding as to why they are doing this. Their reasoning is most likely going to give us some insight into how we can prevent similar attacks in the future. It is difficult to say whether investigators will ever be able to uncover a motive for this attack (Finklea et al., 2015). Even though they were able to identify who committed the attack and where they were located, they were unable to get any information as far as why they did it or how much data was taken before it was discovered. In terms of search warrants and evidence that would be collected, investigators would need to gather certain types of information. Their first step is to identify the malicious code and who created it as well as where it originated from. Once they have determined who is responsible for this breach, they will gather all available digital data related to the case. This includes phone logs, financial records, emails, IP addresses used, social media accounts/profiles (Facebook and Twitter), and device data such as computer fingerprints or any digital artifacts left behind on a computer or mobile device. Suggestions for Future Investigations In terms of future investigations and how they could be improved, the OPM should make sure they have adequate security measures in place to prevent future breaches. They could also improve their communication with investigators to make sure they know when things happen and provide adequate information as soon as possible. Investigators should also make sure that an investigation has enough manpower to expeditiously complete a project. I am not sure if there were any things that could have been done differently but I think we can all agree it was an incredibly large breach in terms of the amount of people impacted by this attack. It could have been prevented by establishing better security measures. 
This is concerning to me as more and more sensitive data is stored on the internet and many companies do not have adequate security measures in place. Although OPM
  • 20. worked quickly to notify individuals who were potentially impacted by this breach, I believe they could have done a better job of contacting all those potentially impacted by this attack. It is difficult to say whether investigators will ever be able to uncover a motive for this attack. Even though they were able to identify who committed the attack and where they were located, they were unable to get any information as far as why they did it or how much data was taken before it was discovered. References Finklea, K., Christensen, M. D., Fischer, E. A., Lawrence, S. V., & Theohary, C. A. (2015, July). Cyber intrusion into US office of personnel management: In brief. LIBRARY OF CONGRESS WASHINGTON DC CONGRESSIONAL RESEARCH SERVICE. https://apps.dtic.mil/sti/citations/ADA623611 PSYCHOLOGICAL ASPECTS BEHIND THE OPM ATTACK American Military University
  • 21. ISSC630 24 April 2022 PSYCHOLOGICAL ASPECTS BEHIND THE OPM ATTACK In June 2015, the US OPM stated that their data innovation frameworks had been attacked through cyberspace. The personal information of 4.2 million current and former government employees may have been compromised due to this incident. OPM then discovered a variety of cyber-attacks during the same month that compromised the information of 21.5 million individuals who had records in databases, including background checks on potential housing candidates. This breach was one of the most significant to occur in a governance framework in recent memory. The Einstein framework of the Department of Homeland Security (DHS) was used to identify this incident. As part of its Einstein framework, the DHS keeps a close eye on government Internet use for any signs of potential cyber threats (Fruhlinger, 2020). The attackers were able to get in using security credentials belonging to a KeyPoint Government Solutions salesperson. This person did “federal background checks and worked on OPM frameworks” to get access to OPM frameworks
  • 22. (Hinck & Maurer, 2019). “At an insights conference, an admiral, executive of the National Security Organization (NSA), and chief of the U.S. Cyber Command, Michael Rogers, did not reveal who may be responsible for the hack (es)” (Hinck & Maurer, 2019). However, James Clapper (Chief of National Insights) said the next day in the same speech that China was the leading suspect in the breaches. If China had access to the material gleaned during the attack, it was unclear how it may utilize it. Only a few experts disagreed with the theory that China is compiling a comprehensive list of government officials to identify US government officials and what their specific roles are. Spearphishing emails may trick recipients into establishing an interface or connection that will provide access to the general computer framework, which is another option for discovering the data. Yu Pingan The FBI charged Chinese malware broker Yu Pingan for his role in distributing malware. The allegations say that Pingan supplied hackers with malware that enabled them to gain access to many US-based computer networks. The Sakula Trojan was also included in this group. On August 21st, at Los Angeles International Airport, he was taken into custody by LAPD officers. Two unidentified hackers were said to have collaborated with Pingan on a harmful attack against U.S. firm
  • 23. networks between April 2011 and January 2014 (Fruhlinger, 2020). One of the tools used in the OPM attack was also used in an Anthem data compromise in 2015. Pingan pled guilty to his role in the plot. Sakula was used to help him breach OPM, he acknowledged. However, even though he was not explicitly tied to the OPM attack, the same malware he used in Anthem led authorities to suspect him of involvement in that incident. The deep panda group Hacker group Deep Panda is supported by the Chinese government. They were thought to have been involved in the OPM issue. “Patterns uncovered in the Internet's address book, known as the domain registration system, connect Deep Panda to the Anthem and Premera breaches” (Finnemore & Hollis, 2016). Deep Panda often registers similar-looking domains on the web that closely resemble the ones they want to use as a redirect. For example, we11point.com imitates Wellpoint, the name Anthem used to be known by. Because of the OPM breach, iSIGHT discovered a trend of similar-sounding names being used to create these bogus domains. According to domain registration data, several similar OPM websites were also found. Despite the evidence discovered, they still had some doubts and other reasons to believe that they weren't responsible.
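The lookalike-domain pattern described above is something a defender can screen for in registration or DNS logs. The following Python sketch is an added example, not code from the original paper or from any report it cites; the protected-brand list, the substitution table and every sample domain other than we11point.com are constructed for illustration.

```python
"""Flag observed domains that imitate protected brand names."""

# Assumption: a small table of visually confusable substitutions.
# Production tooling would use a fuller confusables list.
CONFUSABLES = {"vv": "w", "rn": "m", "0": "o", "1": "l", "3": "e", "5": "s"}

# Assumption: the names a defender wants to protect (taken from the text).
PROTECTED = ["wellpoint", "anthem", "premera", "opm"]


def registrable_label(domain):
    """Label left of the TLD, lower-cased (naive: assumes a one-label TLD)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def skeleton(label):
    """Collapse confusable sequences so 'we11point' and 'wellpoint' compare equal."""
    for src in sorted(CONFUSABLES, key=len, reverse=True):  # multi-char first
        label = label.replace(src, CONFUSABLES[src])
    return label


def edit_distance(a, b):
    """Levenshtein distance with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (brand, reason) if the domain imitates a protected brand, else None."""
    label = registrable_label(domain)
    # Check each hyphen-separated token and the label with hyphens removed.
    tokens = set(label.split("-")) | {label.replace("-", "")}
    for brand in PROTECTED:
        if label == brand:
            continue  # the brand's own name is not a lookalike
        for tok in tokens:
            if tok == brand:
                return brand, "brand-token"   # brand embedded in a longer name
            if skeleton(tok) == skeleton(brand):
                return brand, "confusable"    # digit or glyph substitution
            # Short brands are skipped here: distance 1 is too noisy for them.
            if len(brand) >= 6 and edit_distance(tok, brand) == 1:
                return brand, "typo"
    return None


def scan(domains):
    """Map each flagged domain to its (brand, reason) verdict."""
    return {d: v for d in domains if (v := classify(d)) is not None}


if __name__ == "__main__":
    # Constructed sample feed; only we11point.com appears in the text above.
    feed = ["we11point.com", "wellpoint.com", "prernera.example",
            "wellpoimt.example", "opm-portal.example", "example.org"]
    for name, verdict in scan(feed).items():
        print(name, verdict)
```

A hit is a lead for review rather than proof of malicious intent, and a real deployment would parse multi-label public suffixes instead of assuming a single-label TLD.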
  • 24. X1 & X2 The Congressional OPM data breach report named two groups: X1 and X2. They merely called themselves these organizations since they didn't want to say who was responsible or even know who they were. Exfiltrating manuals and the IT system architecture were the only things the X1 gang could not get its hands on. The attackers' attempts to infiltrate the networks of multiple contractors (such as USIS and KeyPoint) doing background checks on federal personnel with access to OPM computers were well-documented by December of that year. OPM intended to perform a system reset in March 2014 to eliminate any intruders from the system. As an alternative, an entirely different group, X2, could gain access to the system by exploiting the credentials of a different resource. However, this vulnerability went undetected, and as a result, when the whole system was purged, it was not deleted. X1 and X2 have not been identified as belonging to the same organization or even a single individual. They may still work together even if they aren't the same person. This belief was formed because X1 had obtained information that may have been advantageous to X2's goals. It was also unclear whether Deep Panda (as previously discussed) was one of them. Psychological profiles
  • 25. Understanding why certain crimes are committed, establishing profiles of prospective suspects, and connecting crimes to individuals or groups will continue to be important to its success. Behavior analysis employs both inductive and deductive approaches. In deductive investigations, a suspect's characteristics may be hypothesized based on the investigation of certain components of the case. According to inductive reasoning, a suspect has the characteristics of an offender because of their generalization from empirical research. Analyzing behavior patterns and comparing them is an important element of behavioral science. Criminals may not be aware that their actions are comparable to others'. According to the definition, "signature actions are generally indications of some desire or drive the suspect seeks to appease" (Rogers, 2016). When Deep Panda does criminal conduct, they follow the same procedure. As a result, they were suspected of involvement based on their profile. Although X2's domain names (Steve Rogers', Tony Stark's, etc.) looked to have some wit, it was hard to tell. These names may represent a certain style. Using these names to showcase their work and/or to guarantee that what they produced is remembered by others, they may have done so. Behavioral analyses may also be used to determine whether a criminal or a group of criminals are responsible for various crimes. An investigator would be looking for a comparable
  • 26. modus operandi (MO) or conduct in these scenarios. MOs are learned behaviors that might alter as a person grows older or improves their abilities. Because of this, other people may have been led to assume that they are the same person. If OPM was about to do a complete system reset, X1 may have learned of this and could not access the system. The individual or group would then have to develop a new strategy to preserve their position in the system after they realize this may happen. They may have had to alter their entry strategy to accomplish this. There is a chance that X2 may have been spotted earlier if they had used the same technique. X1 was able to install keyloggers after gaining entry using legitimate employees' credentials. There is a possibility that X1 and X2 are the same individuals because X2 had also utilized personnel credentials (Soesanto, 2019). The only way to remain in was to modify at least a portion of their MO. This backdoor and a means of maintaining their access were created with the aid of malware. Conclusion The OPM hack was a complex case, as evidenced by the preceding paragraphs. Psychological profiles are a tool for analyzing people's thoughts and feelings. However, they can only help if there is actual evidence to back up their claims. Two people can come to different conclusions based on how they profile. Rather than a fact, an individual's profile is more
  • 27. of a hypothesis in need of verification. It's only a personal viewpoint if that's the case. It is also possible that those who profile may not consider all of the relevant factors. For example, a profiler unfamiliar with technology may be unable to make certain connections that a profiler knowledgeable about technology can. To facilitate these connections, it may be helpful to have two people working together. Then, it may be easier to reach a conclusion and gather the relevant evidence. References The OPM hack explained: Bad security practices meet China's Captain America | CSO Online Finnemore, M., & Hollis, D. B. (2016). Constructing norms for global cybersecurity. American Journal of International
  • 28. Law, 110(3), 425-479. retrieved from: Constructing Norms for Global Cybersecurity | American Journal of International Law | Cambridge Core Fruhlinger, J. (2020). The OPM Hack Explained: Bad Security Practices Meet China’s Captain America | CSO Online. Chief Security Officer (CSO) by International Data Group (IDG), February 12, 2020. retrieved from: CSO | Security news, features and analysis about prevention, protection and business innovation. (csoonline.com) Hinck, G., & Maurer, T. (2019). Persistent enforcement: criminal charges as a response to nation-state malicious cyber activity. J. Nat'l Sec. L. & Pol'y, 10, 525. retrieved from: Persistent Enforcement: Criminal Charges as a Response to Nation-State Malicious Cyber Activity 10 Journal of National Security Law and Policy 2019-2020 (heinonline.org) Rogers, M. K. (2016). Psychological profiling as an investigative tool for digital forensics. In Digital Forensics (pp. 45-58). Syngress. retrieved from: Psychological profiling as an investigative tool for digital forensics - ScienceDirect Soesanto, S. (2019). The Evolution of US Defense Strategy in Cyberspace (1988–2019). ETH Zurich. retrieved from: The Evolution of US Defense Strategy in Cyberspace (1988 – 2019) - Research Collection (ethz.ch) Instructions
  • 29. To complete this assignment, you will need to answer the below questions. Please complete the questions in a Word document and then upload the assignment for grading. When assigning a name to your document please use the following format (last name_FinalReport). Use examples from the readings, lecture notes and outside research to support your answers. The assignment must be a minimum of 6-full pages in length with a minimum of 3-outside sources. Please be sure to follow APA guidelines for citing and referencing sources. Assignments are due by 11:59 pm Eastern time on Sunday. 1) This is a culmination of the past 8 weeks of work. The case is closed and you need to turn in a final report. Please take a look at this page and read how to outline the report: Intro to Report Writing for Digital Forensics https://www.sans.org/digital-forensics-incident-response/blog/2010/08/25/intro-report-writing-digital-forensics/ 2) In essence, you will be combining the information from Assignments 2, 3, 4, 5, 6, and 8. The Case Summary is the key part of this report where you sum up all of your work. The Forensics Acquisition and Exam Preparation will need to be a mixture of some content identified already and some "imagination". Findings and Report will be a combination of the case and its key aspects/facts. And then you got your conclusion. I know this is a bit of a stretch and is going to
  • 30. require some "imagination" on parts, but I want you to properly understand what types of documents that you will be experiencing in these investigations.