
March 13, 2014

Page 1 of 4
Bellingham Police Department
Longarm Case Report
12805349 ASSIST OTHER AGENCY
HEADER
Primary Author: GITTS, LES
Location: 505 GRAND AV
Incident Date: Feb 14, 2012 3:00PM
Date Reported: Feb 14, 2012 3:02PM
Press Summary: BPD is assisting another agency with CSI processing.
Appvd: 145
Investigator: Not assigned

ASSOCIATES
Primary Author: GITTS, LES Rpt date: Feb 14, 2012 3:02PM Appvd: 145

C1 ROSSMILLER, SCOTT A
Bus Address: 311 GRAND AV, Bellingham, WA 98225
Bus Phone: (360) 676-6650
Sex: M Race: W Ethnicity: Unknown

R1 WHATCOM COUNTY SHERIFF'S OFFICE
Bus Address: 311 GRAND AV, BELLINGHAM, WA 98225
Bus Phone: (360) 676-6650
NARRATIVE
Primary Author: GITTS, LES Rpt date: Feb 14, 2012 3:02 PM Appvd: 145
On this date, I was contacted by Lt. SCOTT ROSSMILLER (C1) of the WHATCOM COUNTY SHERIFF'S OFFICE (R1), asking
for assistance with some computer forensics work.
Lt. Rossmiller asked if we could assist them by "mirroring" data contained on a laptop hard drive onto a clean hard drive, which
will be used for their forensics work. Lt. Rossmiller indicated they did not want us to view or extract any data on the target hard
drive, just simply copy (mirror) the data onto the clean hard drive.
I took possession of the hard drives and noted the "target hard drive" was to be preserved for later latent fingerprint processing, so
notations were made to protect this hard drive for this later processing. Both hard drives were placed in anti-static bags for data
preservation and impounded for processing.
PROPERTY
Primary Author: GITTS, LES Rpt date: Feb 14, 2012 3:02PM Appvd: 145

Found / Seized
Article: Computer Hardware/Software
Description: Computer hard drive unit
Serial #: NECABTD00006 SK
Brand: TOUGHBOOK
Model: CF 29 L
1st Color: Silver
Value:
Features: hard drive unit removed from Toughbook laptop computer
Owner: WHATCOM COUNTY SHERIFF'S OFFI
Impounded: Feb 14, 2012 03:16PM
Notified:

Found / Seized
Article: Computer Hardware/Software
Description: computer hard drive unit
Serial #: NECABT000006 0 6A
Brand: TOUGHBOOK
Model: CF 29 L
1st Color: Silver
Value:
Features: clean, working unit
Owner: WHATCOM COUNTY SHERIFF'S OFFI
Impounded: Feb 14, 2012 03:16PM
Notified:
NARRATIVE
Follow-Up Author: MATSUDAIRA, SCOTT Rpt date: Feb 16, 2012 8:41 AM Appvd: 145
On this date (02/16/2012), I removed impound numbers 105180 and 105181 from out of evidence on the request of Evidence and
ID Supervisor Gitts. I was asked to copy the contents from 105180 and restore them onto 105181.
Prior to removing 105181 from out of its evidence bag, I put on nitrile evidence gloves to handle the evidence. I then removed
the hard drive from out of the evidence bag and found that it was a Hitachi HTS541 08 80GB IDE hard drive still in a Toughbook
enclosure. I removed the hard drive from the Toughbook enclosure and attached it to a FireChief write blocking device. The hard
drive was placed into a read/write bay of the FireChief and EnCase Forensic Edition software was initiated to forensically wipe
the hard drive in preparation for receiving the forensic image of 105180. EnCase reported that the total number of sectors on this
hard drive was 156,301,488. EnCase then forensically wiped the hard drive by replacing all readable bytes of data from the hard
drive with a known hex value (00h). Once this was done, a checksum of the hard drive was performed to confirm that every
readable byte was overwritten with the 00h hex value. When this process was complete, EnCase reported that the forensic wipe
was successful. 156,301,488 total sectors were wiped with zero read, write, or verify errors. This hard drive was then set aside
and will be referred to as "TARGET" from this point on.
With nitrile evidence gloves on, I then removed the hard drive from out of evidence box 105180 and found it to also be enclosed
in the same type of Toughbook enclosure. I handled the enclosure by touching the corners as much as possible to prevent
destroying any fingerprints that may have been on the enclosure. The hard drive was found to also be a Hitachi HTS541 08 80GB
IDE hard drive. This hard drive was then removed from the enclosure and attached to an UltraBlock (Tableau) write blocking
device that prevents any data from being written to, deleted from, or otherwise altered on the media attached to it. I then initiated
a computer forensic program called FTK Imager (AccessData) and obtained an independent MD5 hash value of the hard drive,
which was used to compare to the acquisition MD5 hash value to ensure that a successful forensic image had been obtained. This
hard drive will be referred to as "SOURCE" from this point on. FTK Imager reported that the SOURCE hard drive also had
156,301,488 total sectors.
When FTK Imager finished obtaining an independent MD5 hash for the SOURCE hard drive, it reported an MD5 hash value of
01e8-2145-b762-12fc-a439-68de-12f7-6220 with a sector count of 156,301,488 and zero bad sectors.
While the SOURCE hard drive was still attached to the UltraBlock write blocking device, FTK Imager was closed and another
computer forensic program called EnCase (Guidance Software) was initiated. EnCase was then used to obtain a forensic image
of the SOURCE hard drive. EnCase also reported the same number of sectors on the SOURCE hard drive and also listed the
hard drive serial number as MPB4LAX6HK074G.
When EnCase completed its acquisition process, EnCase reported that zero errors had occurred and reported an identical
acquisition MD5 hash value as what was reported during the independent MD5 hash process. This is an indication that
EnCase successfully acquired a forensic image of the SOURCE hard drive. EnCase then verified the forensic image by
obtaining yet another MD5 hash value of the data that was written (the actual forensic image) to verify that what was written was
the same as what was read from the SOURCE hard drive. When this process was complete, EnCase reported an identical
verification MD5 hash value as the independent and acquisition hashes.
With the SOURCE hard drive still attached to the UltraBlock write blocking device, I initiated another computer forensic program
called WinHex (X-Ways Forensics) and obtained a post MD5 hash value of the SOURCE to verify that the data on the SOURCE
had not been altered during the independent and acquisition processes. When this was complete, WinHex reported an identical
MD5 hash value indicating that the original SOURCE hard drive had not been altered.
While wearing nitrile gloves, I removed the SOURCE hard drive from the UltraBlock write blocking device and placed it back into
the Toughbook enclosure. I then placed the SOURCE hard drive back into the evidence box that it came in and sealed the top.
I took the TARGET hard drive that had previously been forensically wiped and attached it to a read/write bay that was
located in a "FireChief" hard drive shuttle. The read/write bay allows for data to be read from and written to the media attached to
it. Once the TARGET hard drive was attached to the read/write bay, I initiated EnCase and restored the forensic image onto the
TARGET hard drive. This copies the data from the forensic image onto the TARGET hard drive in the same manner that it was
read on the SOURCE hard drive. EnCase was also instructed to forensically wipe any remaining sectors on the TARGET hard
drive; however, the number of sectors on the SOURCE hard drive and the number of sectors on the TARGET hard drive were
the same so there should not have been any "remaining sectors".
Upon completion of the restore process, EnCase reported that the restore was completed with zero read/write/verify errors and
that the correct number of total sectors were restored (156,301,488). EnCase also reported a different restored MD5 hash value
than what was reported from the original SOURCE hard drive (c0a9-812b-6915-26ac-edc2-c108-a0d6-608f). The cause for the
different MD5 hash is not known at this time. A representative of the WCSO came to the Bellingham Police Department to
retrieve 105180 and 105181 before I had a chance to determine the reason for the mismatched MD5 hash value or to start the
restore process over.
The contents of the forensic image, 105180, and 105181 are unknown as they were not viewed at the request of the WCSO.
NARRATIVE
Follow-Up Author: MATSUDAIRA, SCOTT Rpt date: Feb 29, 2012 1:25 PM Appvd: 155
On this date at approximately 1151 hours, I received a phone call from Chief Inspector Steve Cooley of the Whatcom County
Sheriff's Office regarding the restored hard drive that was created on 02/22/2012. Cooley stated that their IT department was not
able to boot up the drive and asked if there was another way to view the contents. I told Cooley that I still had the original
forensic image of the source hard drive and that I would be able to mount the image for him allowing him to view the contents as
if it were attached to my system. Cooley stated that would be fine and responded to my office. At 1211 hours, Cooley arrived and
was led to my office.
I loaded the forensic image into EnCase Forensic Edition software and explained to Cooley the basics about how to navigate
around the program to view the contents of the image. I then removed myself from the area and did not look at what Cooley was
examining. While Cooley was looking at the contents of the forensic image, I was available in the area (other side of office or
hallway) to answer questions about how to locate or view certain types of data. When Cooley was done, I closed EnCase without
saving.
Cooley had the restored target drive with him and I was able to compare the contents of the forensic image and the restored
hard drive. Upon doing so, it was found that at least the last few sectors of data on the forensic image did not copy over. Cooley
and I discussed the possible reasons why this could have happened and it was decided that a different target hard drive would
be brought to me so that the restore process could be attempted again.
Before leaving, the restored target hard drive was removed from my computer forensic system and given back to Cooley who
stated that he would return at a later date with a different target hard drive. I also advised Cooley that the new target hard drive
had to have at least 156,301,488 total sectors and why. Cooley stated that he understood and would make sure that the person
supplying him with the new target hard drive knew this as well.
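A worked model of the image-and-restore verification that the Feb 16 and Feb 29 narratives above describe: wipe the target and confirm it reads back as 00h, take an independent hash of the write-blocked source, image it while hashing, hash the written image, re-hash the source afterwards, restore, and then compare the restored media against the image sector by sector so that a restore that stops short is located rather than left as an unexplained hash mismatch. This is an added example, not part of the case file and not output from EnCase, FTK Imager, WinHex or Paladin; the drives are constructed in-memory byte strings, the 512-byte sector size and 64-sector drive size are assumptions, and all function names are the example's own.

```python
"""Image / restore verification modelled on the examination above.
Added example: not part of the case file and not output from any tool named
in it. "Drives" are constructed in-memory byte strings (assumption); the same
reads would normally run against a write-blocked block device."""
import hashlib
from typing import Dict, Optional, Tuple

SECTOR = 512  # bytes per sector (assumed; the unit the report counts in)

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def sector_count(drive: bytes) -> int:
    return len(drive) // SECTOR

def wipe(sectors: int) -> bytes:
    """Forensic wipe: every byte of the target becomes 00h."""
    return b"\x00" * (sectors * SECTOR)

def verify_wiped(drive: bytes) -> bool:
    """Post-wipe check: read every byte back and confirm it is 00h."""
    return not any(drive)

def acquire(source: bytes) -> Tuple[bytes, Dict[str, str]]:
    """Image a write-blocked source and collect the hashes the examiner compared:
    independent (before), acquisition (what was read), verification (what was
    written to the image file) and post (source re-hashed afterwards)."""
    independent = md5_hex(source)
    h, image = hashlib.md5(), bytearray()
    for off in range(0, len(source), SECTOR):  # sector by sector, hashing as read
        sector = source[off:off + SECTOR]
        h.update(sector)
        image += sector
    return bytes(image), {
        "independent": independent,
        "acquisition": h.hexdigest(),
        "verification": md5_hex(bytes(image)),
        "post": md5_hex(source),
    }

def acquisition_ok(hashes: Dict[str, str]) -> bool:
    """All four hashes agree: the image is faithful and the source was not altered."""
    return len(set(hashes.values())) == 1

def target_fits(image: bytes, target: bytes) -> bool:
    """The target needs at least as many sectors as the image."""
    return sector_count(target) >= sector_count(image)

def restore(image: bytes, target: bytes, sectors_to_write: Optional[int] = None) -> bytes:
    """Write the image onto a wiped target. sectors_to_write smaller than the image
    simulates a restore that stops short and leaves the tail as wiped 00h."""
    if not target_fits(image, target):
        raise ValueError("target has fewer sectors than the image")
    n = sector_count(image) if sectors_to_write is None else sectors_to_write
    out = bytearray(target)
    out[:n * SECTOR] = image[:n * SECTOR]
    out[len(image):] = b"\x00" * (len(out) - len(image))  # wipe remaining sectors
    return bytes(out)

def first_mismatch_sector(image: bytes, restored: bytes) -> Optional[int]:
    """Index of the first differing sector, or None if restored matches the image."""
    for i in range(sector_count(image)):
        lo, hi = i * SECTOR, (i + 1) * SECTOR
        if image[lo:hi] != restored[lo:hi]:
            return i
    return None

def restore_report(image: bytes, restored: bytes) -> Dict[str, object]:
    """Hash the restored media over the image's length and locate any divergence."""
    n = sector_count(image)
    image_md5, restored_md5 = md5_hex(image), md5_hex(restored[:n * SECTOR])
    return {
        "sectors_expected": n,
        "image_md5": image_md5,
        "restored_md5": restored_md5,
        "match": image_md5 == restored_md5,
        "first_bad_sector": first_mismatch_sector(image, restored),
    }

def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Constructed 64-sector SOURCE: a restore that drops the last three sectors
    (the Feb 16 outcome) beside a complete one (the Mar 22 outcome)."""
    source = bytes((i * 7 + 3) & 0xFF for i in range(64 * SECTOR))  # constructed data
    target = wipe(64)
    assert verify_wiped(target)
    image, hashes = acquire(source)
    assert acquisition_ok(hashes)
    short = restore_report(image, restore(image, target, sectors_to_write=61))
    full = restore_report(image, restore(image, target))
    return short, full

if __name__ == "__main__":
    for label, report in zip(("short restore", "full restore"), demo()):
        print(label, report)
```

Running the block prints two reports. The short restore shows a restored MD5 that differs from the image's and names sector 61 as the first divergence, which is the check that would have pinned the Feb 16 mismatch on the missing tail at the time; the full restore reports matching hashes, as on Mar 22. Two caveats for real media: hash the restored drive over exactly the image's sector count, because a larger target's extra wiped sectors change a whole-device hash even when the restore was correct (the reason the examiner told Cooley the new target had to have at least 156,301,488 sectors); and MD5 is adequate for catching accidental corruption but chosen-prefix collisions are practical, so a current examination records SHA-256 alongside it.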
NARRATIVE
Follow-Up Author: MATSUDAIRA, SCOTT Rpt date: Mar 5, 2012 2:30 PM Appvd: 145
Chief Inspector Cooley (Whatcom County Sheriff's Office) returned to the Bellingham Police Department with two Panasonic
Toughbook laptop computers and asked if I would be able to try a restore again using one of the hard drives in the laptops that
he brought in. Inspector Cooley brought two in case one didn't work. This was done based on a prior conversation we had during
his last visit. Investigator Cooley also asked if it would be possible to locate encrypted data on the forensic image and attempt to
bypass the security of that encrypted data in assistance for their investigation.
As Inspector Cooley was leaving my office, I realized that this hadn't been previously cleared with my immediate supervisor so I
notified Evidence and Identification Supervisor Gitts about the two Toughbook laptop computers and requested forensic work. I
was instructed to place the two laptops into evidence for safe storage until the proper authorization could be obtained. I was
advised not to initiate any work on this matter at this time.
Both laptops were impounded for safekeeping (105553 and 105554)
PROPERTY
Follow-Up Author: MATSUDAIRA, SCOTT Rpt date: Mar 5, 2012 2:30 PM Appvd: 145

Found / Seized
Article: Computer Hardware/Software
Description: Panasonic Toughbook laptop
Serial #: 6AKSB05442
Brand: PANASONIC
Model: TOUGHBOOK CF-2
1st Color:
Value:
Features:
Owner: WHATCOM COUNTY SHERIFF'S OFFI
Impounded: Mar 05, 2012 02:36PM
Notified:

Found / Seized
Article: Computer Hardware/Software
Description: Panasonic Toughbook laptop
Serial #: 5KKSA75561
Brand: PANASONIC
Model: TOUGHBOOK CF-29
1st Color:
Value:
Features:
Owner: WHATCOM COUNTY SHERIFF'S OFFI
Impounded: Mar 05, 2012 02:37 PM
Notified:
NARRATIVE
Follow-Up Author: MATSUDAIRA, SCOTT Rpt date: Mar 22, 2012 2:06 PM Appvd: 175
I received notification from Evidence and ID supervisor Gitts that authorization for the processing and restoration were approved.
On 03/22/2012, I attached a new HDD from out of one of the spare Toughbook laptop computers (impound 105553) to a
MacBook Pro laptop computer that I use in my computer forensic lab. I then initiated a LINUX operating system called Paladin
that was specifically created for computer forensics by SUMURI and forensically wiped the HDD. This forensic wipe was verified
by Paladin. The computer was then rebooted into Windows XP and another computer forensic program called EnCase (v4.22a)
was initiated. The forensic image file associated with this case was loaded into EnCase and restored to the forensically wiped
HDD. When EnCase had completed this restore, EnCase reported that the restored HDD had an MD5 hash value of
01e8-2145-b762-12fc-a439-68de-12f7-6220. This is an identical MD5 hash value to that obtained when the forensic image
was obtained, indicating that a successful restore had been accomplished. The restored HDD was then removed from the
computer and re-inserted into the Toughbook protective sleeve and then placed back into the spare Toughbook laptop computer
(impound 105553).
On Inspector Cooley's request, this spare laptop with the restored copy of the HDD was booted to ensure that it correctly booted
into an operating system. When the login screen for Windows appeared, I shut the laptop down and placed it back into evidence.
I also placed the second Toughbook laptop into evidence (impound 105554) as it would not be needed. I then called Inspector
Cooley on his cell phone and left a message for him advising him of the successful restore. I also told Inspector Cooley that the
laptop with the restored HDD was impound number 105553.
Inspector's second request for the examination of the forensic image for encrypted data and possible decryption of same will
have to be done at a later date due to other priority examinations in the queue.
Bellingham Police Department
CAD Report
Incident History for: BP12006950
Case Number: 12B05349
Location: 505 GRAND AV
Name: 145
Address:
Phone:
Entered: Feb 14, 2012 3:11:00PM
Dispatched:
En route:
On scene:
Closed: Feb 14, 2012 3:11:00PM
Incident Op ID: 927
Dispatch Op ID:
Initial Type: CNBP
Final Type: 900
Disposition:
Police Block:
Officer:

Time | Operator | Type | Unit | Text
3:11:14PM | 927 | ASNCAS | | $BP12005349
3:11:14PM | 927 | ADVISD | | D/73 T/511
Computer Forensic Examination Case Log
Date / Time | Action
[two pages of handwritten log entries; illegible in this copy]
Detective Scott Matsudaira #164