
UNIT 10 LAB CFR101:
USE THIS TEMPLATE TO REPORT YOUR FINDINGS ON THE PROVIDED IMAGE FILE
Forensic Analysis Report
Jonathan Ellis
Report #: 11302015811
Case Agent: Ellis
Examiner: Jonathan Ellis
Description:
REQUESTED EXAMINATION
On 11/30/2015 at approximately 08:00 hours, I was working in my capacity
as a police detective in the Computer Crimes Unit when I received a request
from Detective Griffits #007 to search a Toshiba laptop contained in items of
digital evidence seized pursuant to search warrant #PHX11302015811 and
Phoenix Cyber Investigation Office report #11302015811.
CHAIN OF CUSTODY
On 11/30/2015, I took custody of item #EVID11302015811 from Detective
Griffits #007 and transported it to a secured facility for examination. The
property remained in my custody at the secured facility until the completion
of the examination. On 11/30/2015, I returned item #EVID11302015811 to
Evidence Locker #6.
ITEMS EXAMINED
Item Number: #EVID11302015811
Device Description: Black Toshiba Laptop
Make: Toshiba
Model: Satellite Radius
IMEI: N/A
SIM: N/A
Item Number: #EVID11302015811
Device Description: Black Toshiba Laptop's Hard Drive
Make: Western Digital
Model: Unknown
Number of HDD: 1
Total Capacity: 80GB
Phoenix Cyber Investigation Office

Page 1 of 13

ACQUISITION
On 11/30/2015 at 08:20 hours, I utilized FTK Imager 3.1.2.0 to acquire Item
#EVID11302015811, with the following description:
HDD: 1
Drive Type: Physical Drive
Drive Make: Western Digital
Drive Model: Unknown
Image File Name: WinXp_NTFS
Verified MD5 Hash: bce3d2a088b15a398183e2b603ab920a
PREVIEW/INITIAL EXAMINATION
I utilized FTK Imager 3.1.2.0 to examine the forensic copies of each piece of
evidence acquired. The initial examination included looking in both allocated
space (areas of the hard drive assigned specific files) and unallocated space
(areas of the hard drive containing files that have been deleted from the file
system and no longer accessible to the user).
I previewed the file structure of the drive and identified the following
partitions and their corresponding sizes. The total number of partitions
on Item #EVID11302015811 is 1. The total bytes allocated to the visible
partitions are 4,194,856,960. The total bytes unallocated to a partition are
8,192 bytes. I also identified the non-default user account names and
related SID-RID numbers. I examined the primary user account library
folders, including documents, pictures, videos, and downloads. I noted the
following:
Partition 1 Name: NONAME
Partition 1 Size: 4,194,856,960
Partition 2 Name: N/A
Partition 2 Size: N/A
User Account 1 Name: Administrators: Anonymous2013
SID-RID: S-1-5-18
Notable User Account Documents, Pictures, etc.: Documents: 19, Family
Pictures: 9, Work Pictures 12, Encrypted files: 24 (with CryptNet)

User Account 2 Name: Dom Cobb
SID-RID: S-1-5-18
Notable User Account Documents, Pictures, etc.:
User Account 3 Name: Default User
SID-RID: N/A
Notable User Account Documents, Pictures, etc.:
NOTABLE APPLICATIONS
Item #EVID11302015811 contains more than 29 folders in the Program Files
directory with user applications. I looked for known encryption, anti-forensic
software, and steganographic applications. I found the following
applications to be of evidentiary value and I noted the following:

CCleaner
CyoHash
Eraser
Cryptnet

FILE SIGNATURE ANALYSIS


Using Autopsy 3.1.3, I examined 46 items marked with Extension
Mismatch, thus indicating a possible mismatch of the file extension with
known file signatures. I reviewed the file extensions and found nothing of
evidentiary value OR noted the following:
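The extension-mismatch check described above, written out as an added Python example (it is not code from this report or from Autopsy, whose Extension Mismatch Detector uses a much larger signature table): the first bytes of each file are compared against known magic numbers, and a file is flagged only when its content has a recognised signature that disagrees with its extension. The sample files are constructed byte strings, not items from the image.

```python
import os

# Magic numbers at offset 0 for a teaching subset of common types
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "bmp": [b"BM"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
}


def identify(data: bytes) -> list:
    """Return the sorted extensions whose magic bytes match the start of data."""
    return sorted({ext for ext, magics in SIGNATURES.items()
                   if any(data.startswith(m) for m in magics)})


def extension_mismatch(filename: str, data: bytes):
    """Return (mismatch, detected_types).

    mismatch is True only when the content carries a known signature that does
    not agree with the extension; content with no known signature is not flagged,
    which is why plain text files never appear as mismatches.
    """
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    detected = identify(data)
    if not detected:
        return False, detected
    return ext not in detected, detected


# Constructed samples: leading bytes only, not files recovered from the image
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.txt": b"%PDF-1.4\n%...",        # a PDF hiding behind a .txt extension
    "archive.zip": b"PK\x03\x04\x14\x00",
    "logo.gif": b"\x89PNG\r\n\x1a\n",      # a PNG carrying a .gif extension
    "readme.txt": b"plain text, no signature",
}


def scan(samples: dict) -> dict:
    """Map each flagged filename to the types its content actually matches."""
    flagged = {}
    for name, data in samples.items():
        mismatch, detected = extension_mismatch(name, data)
        if mismatch:
            flagged[name] = detected
    return flagged
```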
TIMELINE ANALYSIS
Using Autopsy 3.1.3, I sorted all files on item #EVID11302015811 by the
Created date/time stamp. I examined files created between 11/30/2015 and
12/1/2015 and I noted the following:


NOTABLE LINK FILES


Using Autopsy 3.1.3, I sorted all files on the system by file type and searched
for link files (LNK) and discovered notable files during the course of my
examination.
LINK FILE 1: Ariadne2010.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Ariadne2010.jpg

Notable MAC time: 2013-12-04 09:02:00


LINK FILE 2: Arthur2010.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Arthur2010.jpg

Notable MAC time: 2013-12-04 09:02:25


LINK FILE 3: daniel-tarullo.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\Downloads\Family Pics\daniel-tarullo.jpg

Notable MAC time: 2013-12-04 09:03:46


LINK FILE 4: decoded.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\decoded.pdf


Notable MAC time: 2013-12-04 08:55:43
LINK FILE 5: faith.txt.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\faith.txt
Notable MAC time: 2013-12-04 09:25:09
LINK FILE 6: false flag exposed.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics\false flag exp

Notable MAC time: 2013-12-04 09:11:27


LINK FILE 7: false flag.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics\false flag.bmp

Notable MAC time: 2013-12-04 09:10:09


LINK FILE 8: Family Pics.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\Downloads\Family Pics
Notable MAC time: 2013-12-04 09:03:46
LINK FILE 9: feinstein false flag.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics\feinstein false flag.bmp

Notable MAC time: 2013-12-04 09:14:44


LINK FILE 10: Google2.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics\Google2.bmp

Notable MAC time: 2013-12-04 08:55:08


LINK FILE 11: health care false flag.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics\health care false flag.bmp

Notable MAC time: 2013-12-04 09:16:16


LINK FILE 12: Janet_Yellen.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\Downloads\Family Pics\Janet_Yellen

Notable MAC time: 2013-12-04 09:03:51


LINK FILE 13: more false flags.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics\more false flags.bmp

Notable MAC time: 2013-12-04 09:17:36

LINK FILE 14: My Pictures.lnk


File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures
Notable MAC time: 2013-12-04 08:55:08
LINK FILE 15: pw.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\pw.txt
Notable MAC time: 2013-12-04 08:58:34
LINK FILE 16: the list cobbdominic2010@gmail.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\the list - cobbdominic2010@gmail.pdf

Notable MAC time: 2013-12-04 08:54:19


LINK FILE 17: wake up.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics\wake up.bmp

Notable MAC time: 2013-12-04 09:17:01


LINK FILE 18: Work Pics.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics
Notable MAC time: 2013-12-04 09:10:09
LINK FILE 19: my favorite movies.txt.lnk
File path/directory: C:\Documents and Settings\Anonymous2013\My Documents\my favorite movies.txt
Notable MAC time: 2013-12-04 10:17:17
LINK FILE 20: WinXP_NTFS.E01.txt.lnk
File path/directory: J:\WinXP_NTFS\WinXP_NTFS.E01.txt
Notable MAC time: 2013-12-04 10:59:47
LINK FILE 21: WinXP_NTFS.lnk
File path/directory: J:\WinXP_NTFS
Notable MAC time: 2013-12-04 10:59:47
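The MAC times listed above are the filesystem timestamps of the .lnk files themselves; a shortcut's fixed 76-byte ShellLinkHeader (MS-SHLLINK) additionally records the target file's creation, access and write times as FILETIME values, which lets an examiner compare when the user touched the shortcut with when the target was last modified. The parser below is an added example, not the report's or Autopsy's code; the sample header is constructed in the block with a chosen timestamp, not taken from the image.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader field order: HeaderSize, LinkCLSID, LinkFlags, FileAttributes,
# CreationTime, AccessTime, WriteTime, FileSize, IconIndex, ShowCommand, HotKey,
# Reserved1, Reserved2, Reserved3 (little-endian, 76 bytes in total)
LNK_HEADER = struct.Struct("<I16sIIQQQIIIHHII")
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC; return an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic to stay exact."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def parse_lnk_header(data: bytes) -> dict:
    """Validate and decode the ShellLinkHeader at the start of a .lnk file."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    (size, clsid, flags, attrs, ctime, atime, wtime,
     fsize, _icon, _show, _hotkey, _r1, _r2, _r3) = LNK_HEADER.unpack_from(data)
    if size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    return {
        "link_flags": flags,
        "target_attributes": attrs,
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": fsize,
    }


def build_sample_header(created, accessed, modified, size: int) -> bytes:
    """Construct a valid header for testing (FILE_ATTRIBUTE_NORMAL, SW_SHOWNORMAL)."""
    return LNK_HEADER.pack(LNK_HEADER_SIZE, LNK_CLSID, 0, 0x80,
                           datetime_to_filetime(created), datetime_to_filetime(accessed),
                           datetime_to_filetime(modified), size, 0, 1, 0, 0, 0, 0)
```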
NOTABLE INTERNET ARTIFACTS
I searched the suspect device for notable internet usage artifacts, including
Internet Explorer index.dat files, Temporary Internet cache files, and cookies.
In addition to Internet Explorer, I searched for artifacts related to other
browsers such as Firefox, Chrome, Safari, etc.

I recovered the following notable index.dat files.


INDEX.DAT
Username: Anonymous2013
File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Local Settings/History/History.IE5/index.dat
Notable MAC time: 2013-12-04 08:50:53 MST
INDEX.DAT
Username: Anonymous2013
File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Local Settings/History/History.IE5/MSHist012013120420131205/index.dat
Notable MAC time: 2013-12-04 08:54:02 MST

INDEX.DAT
Username: Anonymous2013
File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Local Settings/Temp/History/History.IE5/index.dat
Notable MAC time: 2013-12-04 10:47:54 MST

INDEX.DAT
Username: Anonymous2013
File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Local Settings/Temp/History/History.IE5/MSHist012013120420131205/index.dat
Notable MAC time: 2013-12-04 09:08:08 MST

COOKIES:
I recovered the following (368) notable cookie files. They are listed in the
attached cookies document, separate from this document.
File path/directory:
Notable MAC time:
File path/directory:
Notable MAC time:
NOTABLE HTML FILES:
I utilized Autopsy 3.1.3 to sort all entries by file type and searched for HTML
files, and discovered 314 HTML files but only 2 notable files during the course
of my examination.
HTML FILES
Name: main.html
File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Local Settings/Application Data/Google/Chrome/User Data/Default/Extensions/aohghmighlieiainnegkcijnfilokake/0.5_0/main.html
Notable MAC time: 2013-12-03 21:18:33 MST
Name: craw_window.html
File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Local Settings/Application Data/Google/Chrome/User Data/Default/Extensions/nmmhkkegccagdldgiimedpiccmgmieda/0.0.5.0_0/html/craw_window.html
Notable MAC time: 2013-12-03 21:18:31 MST


NOTABLE COMPOUND FILES


I reviewed the evidence for compound files and discovered twenty Office files,
including MS Word documents, Excel spreadsheets and PowerPoint files, none of
which were notable. I also discovered 4 PDF files, one of which was notable
(see below).
COMPOUND FILES
Name: The List
File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/My Documents/Downloads/The List.zip
Notable MAC time: 2013-12-04 09:06:57 MST
Name: Eraser Documentation
File path/directory: /img_WinXP_NTFS.E01/Program Files/Eraser/Eraser Documentation.pdf
Notable MAC time: 2012-03-29 18:09:56 MST

UNALLOCATED SPACE / CARVED FILES
I utilized Autopsy 3.1.3 to search unallocated space and carved files based
on known file extensions, file signatures, and/or hash values. I recovered
the following file types with respective quantities:
CARVED FILES:
Type of File: Exchange Database Files
File Signature: application/octet-stream
File Path: /img_WinXP_NTFS.E01/$CarvedFiles/f0000000.edb
Unallocated Files:
Type of File: E01
File Signature: application/octet-stream
File Path: /img_WinXP_NTFS.E01//$Unalloc/Unalloc_15854_15187968_2083790848
NOTABLE GRAPHIC FILES
I utilized Autopsy 3.1.3 to review approximately 713 graphic image files. I
bookmarked two graphic images due to content related to the investigation
within the scope of this search, including depictions of persons who appear
to be under the age of eighteen years engaged in sexually exploitative acts.
The complete list of bookmarked items is included in the HTML or PDF
version of this report and includes exported graphic images.
GRAPHIC FILES
Name: 0D63CL2J/17DD5487C27FDCE8C26AB7BACD2681[1].jpg
File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Local Settings/Temp/Temporary Internet Files/Content.IE5/0D63CL2J/17DD5487C27FDCE8C26AB7BACD2681[1].jpg

Notable MAC time: 2013-12-04 09:07:36 MST


Name: img004b.jpg
File path/directory:
/img_WinXP_NTFS.E01/WINDOWS/Help/Tours/htmlTour/img004b.jpg
Notable MAC time: 2006-02-28 05:00:00 MST

NOTABLE VIDEO FILES


I utilized Autopsy 3.1.3 to review approximately twenty video files. I
bookmarked two video files due to content related to the investigation within
the scope of this search, including depictions of persons who appear to be
under the age of eighteen years engaged in sexually exploitative acts.
The complete list of bookmarked items is included in the HTML or PDF
version of this report and includes exported graphic images.
VIDEO FILES
Name: mdlib.wmv
File path/directory:
/img_WinXP_NTFS.E01/WINDOWS/Help/Tours/WindowsMediaPlayer/Video/mdlib.wmv

Notable MAC time: 2006-02-28 05:00:00 MST


Name: nuskin.wmv
File path/directory: /img_WinXP_NTFS.E01/WINDOWS/Help/Tours/WindowsMediaPlayer/Video/nuskin.wmv
Notable MAC time: 2006-02-28 05:00:00 MST

NOTABLE ENCRYPTED FILES


I utilized Autopsy 3.1.3 to review one encrypted file. I bookmarked the (1)
encrypted file due to a file name or directory that appears to be related to
the investigation within the scope of this search.
ENCRYPTED FILES
Name: The List
File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/My Documents/Downloads/The List.zip
Notable MAC time: 2013-12-04 09:06:57 MST

NOTABLE RECYCLE BIN FILES


I utilized Autopsy 3.1.3 to review approximately 32 files in the recycle bin. I
bookmarked two recycled files due to content related to the investigation
within the scope of this search, including depictions of persons who appear
to be under the age of eighteen years engaged in sexually exploitative acts.
RECYCLED FILES
USER SID-RID: S-1-5-21-1390067357-1547161642-725345543-1004
Notable MAC time: 2013-12-04 07:35:43 MST
USER SID-RID: S-1-5-21-1390067357-1547161642-725345543-1004
Notable MAC time: 2013-12-04 07:42:00 MST
MEMORY ACQUISITION AND ANALYSIS
On 11/30/2015, I utilized Autopsy 3.1.3 to acquire one item, with the
following description:
RAM and VOLATILE SYSTEM DATA

Name: AcLayers.dll
File path/directory: /img_WinXP_NTFS.E01/WINDOWS/AppPatch/AcLayers.dll
Notable MAC time: 2006-02-28 05:00:00 MST

VOLUME SHADOW COPIES


I utilized Autopsy 3.1.3 to review approximately 18 items in the volume shadow
storage.
