
CFR410

Final Assignment
Austin Ticknor
University of Advancing Technology
4/22/2016

Table of Contents:

Introduction, Chain of Evidence, Disclaimer, and MD5 hash values
MD5 hash values continued and evidence revealed in photo
Suspects accessing the illegal material
Prime suspect revealed for accessing sales website and no. 1 suspect cleared
The second opinion comparison begins and suspect and/or suspects confirmed
Additional details
Final confirmation of suspect revealed and identified, and conclusion
Reference Page

On 04/21/2016, Detective Diane Barrett of the Phoenix Police Department
contacted the Arizona Information Network (AIN) to request a forensic analysis in
support of an investigation into theft and possession of child pornography. The goal of
the examination is to identify where the illegal images are located and who had
possession of them, as well as who is responsible for the sale of the stolen computer.
For this forensic examination, the files I was given are a total of 7 .pcap files, all
contained within a single zipped file that was delivered to AIN on a USB flash drive.
Disclaimer: A .pcap file is a packet capture, a file of recorded network traffic that
shows which computers communicated with which websites or other hosts over the
network. A .pcap file can be created by capturing traffic with a network tool such as
Wireshark or NetworkMiner.
The Chain of Custody for the evidence in question is labeled as follows. From:
Phoenix Police. By: Diane Barrett. Date: 04/21/2016. Time: 2:00 PM. To: AIN
Evidence Locker #4. Tracking number: 1Z9X44120345579776 UPS.
To make sure that the files I received are not modified copies of the original
files, I computed the MD5 hash value of each file and confirmed that each copy matched
its original counterpart. For this comparison I used the tool MD5 Summer version
1.2.0.11.

Based on this comparison of 2 sets of MD5 hash values, it can be said that the
copied files are a perfect match to the original files.
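The hash comparison described above can be scripted so that every copy is checked against a manifest taken from the originals, and so that a tampered or missing file is reported rather than silently passed. The following is an added example written for this page, not the author's procedure or the output of MD5 Summer; it records SHA-256 alongside MD5 because MD5 is known to be collision-prone, and it builds its own constructed set of seven small "capture" files in a temporary directory (they are not the case evidence) to show a clean match, one altered copy and one missing copy.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read evidence in 1 MiB blocks so multi-GB captures never have to fit in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for one file, reading the file exactly once for all algorithms."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_manifest(directory, manifest):
    """Compare the copies in directory against manifest, a dict {filename: {algorithm: expected_hex}}.

    Returns {filename: "ok" | "MISMATCH (<algorithms>)" | "MISSING" | "UNLISTED"}. A file passes only
    if every algorithm listed for it matches, so a manifest carrying both MD5 and SHA-256 cannot be
    satisfied by a file engineered to collide on MD5 alone.
    """
    results = {}
    for name, expected in manifest.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        actual = hash_file(path, tuple(expected))
        bad = sorted(alg for alg, digest in expected.items() if actual[alg].lower() != digest.lower())
        results[name] = "ok" if not bad else "MISMATCH (" + ", ".join(bad) + ")"
    # Copies that appear in the evidence set but not in the manifest deserve a flag as well.
    for extra in sorted(p.name for p in Path(directory).iterdir() if p.name not in manifest):
        results[extra] = "UNLISTED"
    return results


def demo():
    """Constructed walkthrough (not case data): 7 'original' .pcap files, a manifest taken from them,
    and a copy set in which capture4 has one byte flipped and capture3 was never copied."""
    originals = {f"capture{i}.pcap": b"\xd4\xc3\xb2\xa1" + bytes([i]) * 64 for i in range(1, 8)}
    with tempfile.TemporaryDirectory() as orig_dir, tempfile.TemporaryDirectory() as copy_dir:
        for name, data in originals.items():
            Path(orig_dir, name).write_bytes(data)
            Path(copy_dir, name).write_bytes(data)
        manifest = {name: hash_file(Path(orig_dir, name)) for name in originals}
        tampered = Path(copy_dir, "capture4.pcap")
        tampered.write_bytes(b"\x00" + tampered.read_bytes()[1:])   # single-byte alteration
        Path(copy_dir, "capture3.pcap").unlink()                      # copy missing entirely
        return verify_manifest(copy_dir, manifest)
```

Run `demo()` to see five files reported "ok", capture4.pcap as "MISMATCH (md5, sha256)" and capture3.pcap as "MISSING". In a real case the manifest would be the hash list recorded by the submitting agency at the time the originals were imaged, and the directory would be the copies taken off the USB drive.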
The first step of the forensic analysis of the pcap files was to open the tool
NetworkMiner version 2.0 and load the 7 files I was given for analysis. Because this
case concerns images, I swept the images extracted from each file looking for child
pornography to document. I found one illicit image hiding in plain sight; it was very
hard to notice because of its small size.

From the file's source details in NetworkMiner, I identified the IP address it came from.

The IP address in question was 98.137.88.84. I then looked up this address to confirm
that the photo came from the host tied to it.

As it turns out, not only did that address carry TCP traffic matching the picture's
data, but I also found that both Charlie and Terry had accessed the picture. Jo's name
appeared nowhere near the IP address, so the illegal material on the computer could not
have come from Jo; Jo is clear of any involvement.
Since Charlie and Terry had both passed the picture around, both are implicated in
possessing illegal material. Although only one photo was found, it is likely that more
exist in these pcap files but could not be located, because measures of an unknown
nature were taken to conceal them.
As for who sold the laptop, I checked the Sessions tab, filtered the search for
Craigslist, and only one name came up: Terry.

Terry had been on Craigslist many different times, so it is fair to surmise that it
was he who sold the laptop. It is unclear why he sold it, but it is somewhat likely
that Terry stole the laptop and sold it with child pornography that he had put on it.
To make sure this is the case and that NetworkMiner was not producing faulty results, I
sought a second opinion by parsing the files with a second tool for comparison:
Wireshark version 2.0.2.
I then loaded the 7 .pcap files into Wireshark to determine whether the
information found there agreed with NetworkMiner. The first comparison was to confirm
that the IP address carrying the one image found does indeed contain the image and was
accessed by Terry and Charlie, by matching up the IP addresses. I applied a filter for
the TCP protocol and scrolled until I found the IP address that contained the illegal
material. I then checked the IP address that was interacting back and forth with that
illicit address and compared it with NetworkMiner. From what I saw in Wireshark, the
address that contained the image in NetworkMiner had been interacting with an IP
address associated with the employee Charlie and no one else.

This is strange, because NetworkMiner shows that both Charlie and Terry had
access to the image. That can only mean one thing: Charlie and Terry both had access to
it, but Charlie had greater access to it before the computer was sold on Craigslist by
Terry.
To confirm this theory, I went back to Wireshark and looked up the traffic
involving Craigslist, so that we could double-check that Terry is indeed the one who
sold the computer.

Next, I compared the IP address of Craigslist to the address seen communicating
with it back and forth in Wireshark. To make sure that the traffic seen on screen was
accurate, I also expanded the details of the individual connections.
Comparing the IP address findings from NetworkMiner and Wireshark side by side, we
get the exact same results: Terry accessed Craigslist, so it is likely that only he
could have sold the computer.

My conclusion is as follows. Jo is most likely innocent of even being anywhere
near the suspected illegal child pornography, because neither his name nor his IP
address appeared anywhere near the one image found in the 7 files. The people likely to
have possessed the child pornography are Charlie and Terry, because both their IP
addresses came up as having accessed the image in question. Terry is most likely the
one who sold the stolen computer on Craigslist, because his name was the only one that
came up with Craigslist in its history. Finally, I was unable to find any other images
besides the one specified in this report; if others exist in the files, they were
hidden well enough that I could not find them. Thus, I recommend that Terry be arrested
and charged with theft and intent to sell stolen property, as well as possession of
child pornography. In addition, Charlie should be charged with possession of child
pornography.
Reference Page:

PCAP Files Are Great Arn't They?? (2012, December 15). Retrieved April 24, 2016, from https://www.trustwave.com/Resources/SpiderLabs-Blog/PCAP-Files-Are-Great-Arn-t-They--/

How to Use Wireshark to Capture, Filter and Inspect Packets. (n.d.). Retrieved April 24, 2016, from http://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/
