Example Report 1 MTK

Description: Example report created with a forensic tool.
FORENSIC COMPUTER EXAMINATION REPORT
C A T C H (Computer and Technology Crime High-Tech Response Team)

Page 1 of 9
INVESTIGATOR: M. T. Kelly
AGENCY: SDSO/CATCH
DATE OF FOLLOW-UP: 3/28/2008
REPORT DATE: 4/6/2005
PEER REVIEW:
DATE OF PEER REVIEW:
APPROVED BY:
DATE OF APPROVAL:
CASE NUMBER: 05-FR-0011
BEAT NUMBER:
CITY: Corona, CA
CODE SECTION AND DESCRIPTION (ONE INCIDENT ONLY):
INCIDENT DATE: 1/26/2005
LOCATION OF INCIDENT: Corona, CA
INVESTIGATOR: M. T. Kelly
ARJIS: 0703
AGENCY/DIVISION: SDSO/CATCH
DATE OF FOLLOW-UP: 4/6/2005
PRIMARY VICTIM’S NAME: Fraley, Linda
PRIMARY SUSPECT’S NAME: Manriquez, Selenne
SUSPECT’S DOB / AGE RANGE:

I have examined and forensically analyzed three computers seized by me on 1/26/2005 at 206 S. Buena Vista Ave., Space 26, Corona, CA. For details of the seizure, see the Forensic Computer Seizure Report by me dated 2/10/2005.

On 2/10/2005 I received a CATCH Forensic Service request from Detective W. Stephenson; this request was assigned Forensic Case Number 05-FR-0011. Stephenson requested that the three computers seized on 1/26/2005 be analyzed for any references to Linda Fraley (the victim), Washington Mutual Bank, Dell, Victoria’s Secret, feelnvoodoo74@yahoo.com, supexptz007@yahoo.com and Teresa Carrillo.

On 2/10/2005 I retrieved three computers from CATCH Evidence in order to forensically image each computer. On 2/15/2005 I prepared one Maxtor HDD to hold the Encase forensic images from the computers by formatting the drive and creating a single partition. This was accomplished without errors. The CATCH BCN for the drive is P0688. Each computer was photographed prior to the start of the forensic imaging process. All seals were found to be intact. Each computer was also photographed during the imaging process to document the computer’s condition and the progress of the forensic imaging process. At the completion of the forensic imaging process, all digital photographs were transferred to Compact Disk in accordance with CATCH Policy.
Each computer was forensically imaged using Encase version 4.20 and by attaching the Hard Disk Drive (HDD) to an A-Card write blocking device. This device’s firmware has been previously updated to prevent writing to any hard drives attached to it; the write blocking behavior has been previously tested and verified for this device. The results of the imaging process can be seen below. On completion of the imaging of the HDD, the computer was re-assembled. On 2/16/2005 I returned all computers to CATCH Evidence. During the time the computers were in my possession, they were maintained in my locked office at CATCH.

COMPUTER F-1: eMachine Model W-3050, S/N CA7481001795, CATCH BCN E-1078

Upon receipt of this computer, all seals were found to be intact. After photographing, the single HDD was removed from the computer and also photographed. No defects were noted. After removing the HDD, I connected the computer to a monitor, keyboard, mouse and power and accessed the BIOS, obtaining the following settings. (All local dates and times were obtained from my Nextel Cellular Telephone.)

SYSTEM DATE: 2/25/2005
LOCAL DATE: 2/15/2005
SYSTEM TIME: 1100 HRS
LOCAL TIME: 1100 HRS

COMPUTER MEDIA: One Seagate Model ST380011A HDD, serial number 5JVGRC28; 80 GB. This HDD was connected to the Primary Master IDE bus, jumpered as Cable Select.

PHYSICAL EXAMINATION: The HDD had no obvious physical defects and appeared to function normally.

LOGICAL EXAMINATION: The HDD was forensically imaged with Encase version 4.20; this software is specifically designed for use in computer forensics and is licensed to CATCH. The drive imaged normally, with no anomalies noted.
Encase reported the acquisition and verification MD5 hashes for this drive as E4BD202CEC863825C5FB6C2278D92183. (An MD5 hash is a computer algorithm used to calculate a “digital fingerprint” of the forensic image. The hash value is calculated during the acquisition of the forensic image, and then again during the verification of the forensic image, ensuring a duplicate digital image of the original drive.)

FINDINGS: For the purposes of this analysis, this HDD was named eMachines HDD. There were two partitions found on eMachines HDD: one NTFS partition with no volume name and a size of 69.6 GB and one FAT32 partition with a volume name “RECOVERY” and a volume size of 2.9 GB. The FAT32 partition appears to be a hidden partition created by the computer manufacturer; it appears to contain files necessary to recover from a system failure. Encase interpreted this partition as the “C” drive. The NTFS partition is the bootable partition on the eMachines HDD; Encase interpreted this partition as the “D” drive. All further references are to data contained on the NTFS partition.

Based on information recovered from the Windows Registry located on the NTFS partition, eMachines HDD had the Windows XP operating system with Service Pack 2 installed on 1/3/2005 at 1524 hours. The registered owner and organization were blank. The operating system was configured to use the Pacific Standard Time Zone and appeared to be configured correctly. The registry did not contain any network setting information such as IP address, subnet mask or default gateway. The computer name was recorded as “YOUR-81D81111F9” and the primary domain name was recorded as “MSHOME.” The last good shutdown date and time were recorded as 1/25/2005 at 11:35:40.

The following user accounts were identified: Administrator, ASPNET, Guest, HelpAssistant, Owner and Support_388945a0. Of these accounts, only the Owner account appeared to be active on the system. The Last Logon date and time for this account was recorded as 1/25/2005 at 11:34:52. There were no shared folders and no mapped network drives listed in the registry for this computer.

I conducted the following keyword searches on all computers: Linda Fraley, Washington Mutual Bank, Dell, www.dell.com, Victoria’s Secret, feelnvoodoo74@yahoo.com, supexptz007@yahoo.com, and Teresa Carrillo. The only search hits on eMachines HDD on any of the search terms were related to Dell or www.dell.com. The following text fragments were located based on the search terms identified above. Each text fragment was found in unallocated space, as indicated:

Comment: Recovered text fragment for search term Dell showing contents of Order From Dell (deleted e-mail.)
Physical Location 5,352,107,520; Logical Size 67,478,810,624; Physical Size 67,478,810,624; File Offset 167839577; Length 2086

Inbox&MsgId=9754_949212_60106_1287_2399_0_344_4487_1636742387&PREV=1&inc=&num=&Idx=7&Search=&YY=   47803&order=down&sort=date&pos=0&view=a&head=b onmouseover= window.status='From: melissa_harlan @dell.com, Subject: Dell Order Summary for order number #154982914';return true onmouseout= win dow.status=window.defaultStatus;return true >Previous</a> | <a href= /ym/ShowLetter?bo x=Inbox&MsgId=9754_949212_60106_1287_2399_0_344_4487_1636742387&NEXT=1&inc=&num=&Idx=7&Search=&Y  Y=47803&order=down&sort=date&pos=0&view=a&head=b onmouseover= self.status='From: melissa_harlan @dell.com, Subject: Dell Order Summary for order number #154982856';return true onmouseout= win dow.status=window.defaultStatus;return true >Next</a> | <a href= /ym/ShowFolder?box=Inb ox&YY=47803&order=down&sort=date&pos=0&view=a&head=b onmouseover= window.status='Folder: Inbox' ;return true onmouseout= window.status=window.defaultStatus;return true >Back to Messages</a></span><span class= last ><a href= /ym/ShowLetter/file.txt?box=Inbox&MsgId=9754_949212_60106_12 87_2399_0_344_4487_1636742387&bodyPart=1&filename=file.txt&save=1&download=1&YY=47803&order=down &sort=date&pos=0&view=a&head=b >Save Message Text</a></span></div>·±QœÒ·Dell's Order Status In quiry line: 1-800-433-9014. ·· ]··Qty Part # Description --- -------- ---------------------- ----------------------- 1 221-6967 AximX50v, Intel 624MHz, 128MBROM64MB SDRAM, 3.7iVGA, 802 .11b, BT 1 310-5946 USB Cradle for Dell AximX50 Handheld 1 950-4194 No Warranty, Year 2 and 3 1 960-2820 Technical Support, Electronics, Initial Year 1 960-3490 Type 11 Contract-Handh eld Ad vance Exchange 1Yr Limited Warranty. 1 313-3046 3D Game CD Kit, Special Promo Bundle, for Dell AximX50v </tt></pre> ·&ÞIÛ·<tr><td class=label nowrap>Date:</td><td>Sun, 26 Dec 2004 19:08:48 -0600</td></tr></table>··…·˜·<tr> <td><font face='arial' size='2'>Email Address: </font></td> <td><font face='arial' size='2'><b>FEELNVOODOO74@YAHOO.COM</b></font></td></tr    ·çš<Ï·<TABLE CELLPADDING='0' CELLSPACING='0' BORDER='0' WIDTH='671'>

Comment: Recovered text fragment for search term Dell showing contents of e-mail to Way Chong from Dell re: Membership account (deleted e-mail.)

Physical Location 5,352,107,520; Logical Size 67,478,810,624; Physical Size 67,478,810,624; File Offset 167874700; Length 1234

ALIGN='LEFT' BGCOLOR='#00339A' WIDTH='150' ROWSPAN='2'><A target= _blank HREF='http://www.del l.com/' ><IMG SRC='http://membership.dell.com/myaccount/images/masthead_dell2.jpg' WIDTH='150' HEIGHT='57' VSPACE='0' BORDER='0' ></A></TD> ·· ¤“·</TR> ·z™E¶·Dear Way Chong, ·ãO‰Å·<formname= showLetter method=post action= /ym/ShowLetter?Search=&Idx=5&YY=78532&order =down&sort=date&pos=0&view=a&head=b >·°:ÀÔ·To learn more about how we use your information, see our <a href= http://us.ard.yahoo.com/SIG=129oqm13t/M=224039.2020109.3495275.1958505/D=mail/S=15 0500004:FOOT2/EXP=1105425938/A=1052425/R=5/SIG=11b5p6lhe/*http://privacy.yahoo.com/privacy/us/ma il/ target= _top >Privacy Policy</a></small></center> ·–jéã·<tr bgcolor= #efefef ><td id=ygmalinks class=ygmabk width= 100% colspan=3><font face= arial,helvetica,sans-serif size= -2 ><a href= http://us.ard.yahoo.com/SIG=129i8fba3/M=289534.5473431.6553392.5333790/D=mail/S=150500004: HEADR/EXP=1105425938/A=2378664/R=0/SIG=10mgpruen/*http://www.yahoo.com target= _top ><font colo r=#000000>Yahoo!</font></a>&nbsp; <a href= http://us.ard.yahoo.com/SIG=1·<input type=text name=p size=12 title= Enter search terms here >·ªÖפ·<input type= hidden name= .done

Comment: Recovered text fragment for search term Dell showing contents of e-mail with Dell Order numbers (deleted e-mail.)

Physical Location 5,352,107,520; Logical Size 67,478,810,624; Physical Size 67,478,810,624; File Offset 167930723; Length 1174

Associated Order Number: 154982872 ·oG?··<formname=compose method=post action= /ym/Compose ?box=Inbox&Mid=9747_945403_59723_1286_2521_0_343_4703_2380752443&inc=&Search=&YY=38330&order=dow n&sort=date&pos=0&view=a&head=b >·&(·!·<tr><td class=label nowrap>Subject:</td><td><a href= #at tachments ><img src= http://us.i1.yimg.com/us.yimg.com/i/mail/clip.gif width=11 height=16 borde r=0 align=top></a>Dell Order Summary for order number #154982856</td></tr></table>·?*â1·<li v alue= 0 >As Inline Text</li>·)·h¥·<TITLE>Dell - Home Systems</TITLE> ·R ݤ·<input type= hidden name= .done value= http://us.f513.mail.yahoo.com/ym/ShowLetter?MsgId=3655_956801_60872_1326_2 846_0_346_11220_2260659682&order=down&inc=&sort=date&view=a&head=b&box=Inbox&YY=78532 ></form> ·N/KH·<TD HEIGHT='17' VALIGN='middle' BGCOLOR='#CCDAF0'><A target= _blank HREF='http://acc essories.us.dell.com/sna/index.asp?customer_id=19' ><IMG SRC='http://membership.dell.com/myaccou nt/images/sna.gif' WIDTH='122' HEIGHT='17' ALT='' BORDER='0' ></A></TD> ·Ñ˜Kj·<div id= ca lendarshortcuts class= shortcuts > <strong><a target= _top name= calendarshortcuts >Calendar Shortcuts</a></strong>

Comment: Recovered text fragment for search term Dell showing contents of e-mail with Dell Order numbers (deleted e-mail.)

Physical Location 5,352,107,520; Logical Size 67,478,810,624; Physical Size 67,478,810,624; File Offset 167987925; Length 75

top></a>Dell Order Summary for order number #154982807</td></tr></table>

Comment: Recovered text fragment showing e-mail from Dell regarding Order #154982872.

Physical Location 5,352,107,520; Logical Size 67,478,810,624; Physical Size 67,478,810,624; File Offset 167970695; Length 367

<a href= /ym/ShowLetter?box=Inbox&MsgId=9726_952900_60489_1286_2613_0_345_4831_2990278946&NEXT=1 &inc=&num=&Idx=6&Search=&YY=45104&order=down&sort=date&pos=0&view=a&head=b onmouseover= self.st atus='From: melissa_harlan@dell.com, Subject: Dell Order Summary for order number #154982872';re turn true onmouseout= window.status=window.defaultStatus;return true >Next</a>
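The two procedures the report relies on, hash verification of the forensic image and a raw keyword search that reports each hit's byte offset and surrounding fragment, as an added Python example that is not part of the report or of Encase: the sample "image" bytes, the embedded mail fragments and the term list are constructed for this example; the uppercase-hex hash, offset and length columns mirror how the report presents its results.

```python
import hashlib
import re

# Constructed stand-in for a disk image: null filler (unallocated space) with two
# fragments of a deleted webmail page embedded. Not data from the report.
SAMPLE_IMAGE = (
    b"\x00" * 4096
    + b"onmouseover= window.status='From: melissa_harlan@dell.com, Subject: "
    + b"Dell Order Summary for order number #154982914';return true"
    + b"\x00" * 2048
    + b"<b>FEELNVOODOO74@YAHOO.COM</b>"
    + b"\x00" * 1024
)
# Subset of the case's search terms, chosen for the constructed sample.
SEARCH_TERMS = ["Dell", "www.dell.com", "feelnvoodoo74@yahoo.com", "Linda Fraley"]


def md5_of_image(data: bytes, chunk: int = 1 << 20) -> str:
    """MD5 of an image, hashed in 1 MB chunks so a multi-GB image never sits in memory.
    Returned uppercase, the way the report quotes its acquisition hash."""
    h = hashlib.md5()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest().upper()


def verify_image(data: bytes, acquisition_hash: str) -> bool:
    """The verification pass: re-hash the stored image and compare it with the hash
    recorded at acquisition. Any changed byte makes this return False."""
    return md5_of_image(data) == acquisition_hash.upper()


def keyword_hits(data: bytes, terms, context: int = 40):
    """Case-insensitive raw search of the whole image (allocated and unallocated).
    Returns (term, byte offset, printable fragment) per hit, sorted by offset;
    non-printable bytes around the hit are shown as '.' as a hex viewer would."""
    hits = []
    for term in terms:
        for m in re.finditer(re.escape(term.encode()), data, re.IGNORECASE):
            start, end = max(0, m.start() - context), min(len(data), m.end() + context)
            frag = bytes(b if 32 <= b < 127 else 0x2E for b in data[start:end])
            hits.append((term, m.start(), frag.decode("ascii").strip(".")))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    acq = md5_of_image(SAMPLE_IMAGE)  # hash recorded at acquisition
    print("Acquisition MD5:", acq, "verified:", verify_image(SAMPLE_IMAGE, acq))
    for term, offset, frag in keyword_hits(SAMPLE_IMAGE, SEARCH_TERMS):
        print(f"{term!r:28} File Offset {offset:>8}  Length {len(term):>3}  {frag}")
```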