dustin4digitalforensics.files.wordpress.com  · Web viewOn 11/17/14 at approximately 5:00PM hours,...


UNIT 10 LAB CFR101: USE THIS TEMPLATE TO REPORT YOUR FINDINGS ON THE PROVIDED IMAGE FILE

Forensic Analysis Report
Forensic Group of UAT
Report #: 01
Case Agent: Frank
Examiner: Dustin Caviasca
Description: Autopsy 3.0.8 and Encase 6.18.0.59

REQUESTED EXAMINATION

On 11/17/14 at approximately 5:00PM hours, I was working in my capacity as a police detective in the Computer Crimes Unit when I received a request from Detective FRANK #000 to search EVIDENCE REQUESTED contained in items of digital evidence seized pursuant to search warrant SEARCH WARRANT NUMBER and AGENCY NAME report DR NUMBER.

CHAIN OF CUSTODY

On MM/DD/YYYY, I took custody of item ITEM NUMBER from PROPERTY AND EVIDENCE/CASE AGENT and transported it to a secured facility for examination. The property remained in my custody at the secured facility until the completion of the examination. On MM/DD/YYYY, I returned item ITEM NUMBER to PROPERTY AND EVIDENCE/LOCKER NUMBER/ CASE AGENT.

ITEMS EXAMINED

Name: WinXP_NTFS_E01
Description: Folder, Internal, Hidden, System
Last Accessed: 12/03/13 01:33:30PM
File Created: 12/03/13 01:33:30PM
Last Written: 12/03/13 01:33:30PM
Entry Modified: 12/03/13 01:33:30PM
File Acquired: 12/05/13 05:36:50PM
Logical Size: 344
Initialized Size: 344
Physical Size: 344
Starting Extent: 0WinXP_NTFS-C262146,288
File Extents: 1
Permissions: •
References: 0
Physical Location: 1,073,753,376
Physical Sector: 2,097,174
Evidence File: WinXP_NTFS

UAT FORENSICS Page 1 of 17


File Identifier: 11
Code Page: 0
Full Path: WinXP_NTFS\WinXP_NTFS\$Extend
Is Internal: •
Sequence ID: 11

Permissions
Name            Id             Property   Permissions
System          S-1-5-18       Allow      [R] [W] [Sync]
Administrators  S-1-5-32-544   Allow      [R] [W] [Sync]
Administrators  S-1-5-32-544   Owner
Administrators  S-1-5-32-544   Group

Hash Properties
Name   Value

Hash Set   Hash Category

ACQUISITION

Name: WinXP_NTFS
Actual Date: 12/05/13 05:36:50PM
Target Date: 12/05/13 05:36:50PM
File Path: E:\Forensic Images\WinXP_NTFS\Evidence\WinXP_NTFS.E01
Case Number: WinXP_NTFS
Evidence Number: WinXP_NTFS
Examiner Name: F. Griffitts 867
Notes: Acquired from WD 80GB HDD
Drive Type: Fixed
File Integrity: Completely Verified, 0 Errors
Acquisition MD5: bce3d2a088b15a398183e2b603ab920a
Verification MD5: bce3d2a088b15a398183e2b603ab920a
GUID: 2ccff37456e0af4098153363103e0d3e
EnCase Version: 6.15
System Version: Windows 7
Raid Stripe Size: 0
Error Granularity: 64
Process ID: 0
Index File: C:\Program Files\EnCase6\Index\WinXP_NTFS-2ccff37456e0af4098153363103e0d3e.Index
Read Errors: 1


Missing Sectors: 0
CRC Errors: 0
Compression: Good
Total Size: 4,194,860,032 Bytes (3.9GB)
Total Sectors: 8,193,086
Disk Signature: 00000000
Partitions: Valid

Read Errors
Start Sector   Sectors
8,193,080      6

See the Device Info Report attached as a supplementary file for further details.

PREVIEW/INITIAL EXAMINATION

C:\   \\?\Volume{6f314ddf-5c59-11e3-92bf-806d6172696f}\   5b   0    480
E:\   \\?\Volume{fff85cc0-5dd9-11e3-a21c-806d6172696f}\   19   -1   7598   Storage
J:\   \\?\Volume{d7acc3e0-5cfa-11e3-a3ca-6470022d4948}\   78   -1   8197   Storage

Type: SAM Users
Id: S-1-5-21-1390067357-1547161642-725345543-1004
Encrypted: •
Name: Anonymous2013
Primary GroupId: 513
Logon date: 12/04/13 10:45:04AM
Password Set: 12/03/13 08:56:29PM
Country Code: 0
Code Page: 0
Failed Logons: 0
Logon count: 12
Groups: 513
Permissions:
  20044   S-1-5-21-1390067357-1547161642-725345543-1004
  F07FF   S-1-5-32-544
  2035B   S-1-1-0
Account Options: LOCKOUT, PASSWD_CANT_CHANGE, WORKSTATION_TRUST_ACCOUNT


Type: SAM Users
Id: S-1-5-21-1390067357-1547161642-725345543-1005
Encrypted: •
Name: Dom Cobb
Name2: Dom Cobb
Primary GroupId: 513
Logon date: 12/05/13 11:34:59AM
Password Set: 12/04/13 08:19:47AM
Last failed logon: 12/05/13 11:34:54AM
Country Code: 0
Code Page: 0
Failed Logons: 0
Logon count: 4
Groups: 513
Permissions:
  20044   S-1-5-21-1390067357-1547161642-725345543-1005
  F07FF   S-1-5-32-544
  2035B   S-1-1-0
Account Options: PASSWD_CANT_CHANGE, WORKSTATION_TRUST_ACCOUNT

NOTABLE APPLICATIONS

CCleaner, CyoHash, and Eraser


TIMELINE ANALYSIS

Activity is seen in 2004, 2006, 2008, and 2013.


KEY WORD SEARCH

I conducted key word searches for search terms known to be related to CRIME WITHIN SCOPE OF WARRANT, including the following terms. The number of hits reviewed is indicated below:

Flag: Number of Hits: 374

Child: Number of Hits: 328

None of these terms appeared on the suspect device in a manner that would suggest these words were used as search terms or file names.

NOTABLE LINK FILES

Using Autopsy, I sorted all files on the system by file type and searched for link files (LNK) and discovered OR did not discover notable files during the course of my examination.

Found 64 lnk files.

Recent Documents

Path: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics\false flag exposed.bmp
Name: false flag exposed.bmp
Path ID: 3321
Date/Time: 2013-12-04 09:11:27
Source File Path: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Recent/false flag exposed.lnk


Recent Documents

Path: C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics\health care false flag.bmp
Name: health care false flag.bmp
Path ID: 3326
Date/Time: 2013-12-04 09:16:16
Source File Path: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Recent/health care false flag.lnk

NOTABLE INTERNET ARTIFACTS

I searched the suspect device for notable internet usage artifacts, including Internet Explorer index.dat files, Temporary Internet cache files, and cookies. In addition to Internet Explorer, I searched for artifacts related to other browsers such as Firefox, Chrome, Safari, etc.


LINK FILE TECHNICAL NOTES:

Link files are shortcut files that point to recently opened files. They are used for the “Recent Items” list in Vista and Windows 7 and are found in the following locations:

Windows 7:
\Users\UserName\AppData\Roaming\Microsoft\Windows\Recent
\Users\UserName\AppData\Roaming\Microsoft\Office\Recent
\Users\UserName\AppData\Local\Media Player\currentDatabase_###.wmdb

Each link file has its own Created, Modified and Accessed dates and within each link file, there are Created, Modified and Accessed dates which belong to the target file. In addition, if the target file still exists on the media, that file has its own three dates.

When a target file is opened and a link file is created, the created date of the link file remains the date that target file was first accessed during the lifetime of that link file. If the target file is opened subsequently, the Created Date of the link file remains the same.

Once a link file has been created for a target file with a given filename, during the lifetime of that link file, if another target file of the same name is accessed from a different location, the original link file for that given filename is updated. The Created Date for the link file remains the same. The link file name and the Created Date are the only artifacts from the original link file; all the internal detail of the link file is overwritten.

The Modified Date of the link file represents the time when the related target file was last opened (as opposed to when it was closed).
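As an added illustration of the link-file structure described above (example code written for this page, not part of the original report or of Autopsy/EnCase): the fixed 76-byte header of a .lnk file carries the target's Created, Accessed and Written FILETIMEs, and the parser below decodes them and renders them in the examined machine's time zone using the registry Bias of 420 minutes recorded later in this report. The header bytes, timestamps and file size are constructed for the example, not taken from the image.

```python
# Added example, not from the original report or from Autopsy/EnCase: decode the
# fixed 76-byte ShellLinkHeader of a Windows .lnk file (layout from MS-SHLLINK
# section 2.1) to recover the target's Created/Accessed/Written times that the
# link file carries. The sample header built in demo() is constructed test data.
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x4C                       # HeaderSize is always 76 bytes
# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk
LINK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HEADER_FMT = "<I16sIIQQQIIIHHII"        # HeaderSize .. Reserved3, little-endian
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# TimeZoneInformation Bias the report records (UTC-420 min, Arizona; no daylight
# adjustment is applied here).
REPORT_BIAS_MINUTES = 420

LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
FILE_ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
              0x10: "DIRECTORY", 0x20: "ARCHIVE"}

def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means 'not recorded'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def to_report_local(dt, bias_minutes=REPORT_BIAS_MINUTES):
    """Render a UTC timestamp in the examined machine's zone: local = UTC - Bias."""
    local = dt.astimezone(timezone(timedelta(minutes=-bias_minutes)))
    return local.strftime("%Y-%m-%d %H:%M:%S")

def is_shell_link(data):
    return (len(data) >= HEADER_SIZE and data[:4] == b"\x4c\x00\x00\x00"
            and data[4:20] == LINK_CLSID)

def parse_lnk_header(data):
    """Return the header fields a timeline needs; raises on non-.lnk input."""
    if not is_shell_link(data):
        raise ValueError("not a Shell Link file (bad HeaderSize or LinkCLSID)")
    (_, _, flags, attrs, ctime, atime, wtime, size,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    return {
        "link_flags": [n for b, n in LINK_FLAGS.items() if flags & b],
        "file_attributes": [n for b, n in FILE_ATTRS.items() if attrs & b],
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
        "target_size": size,
    }

def build_sample_header(created, accessed, written, size, attrs=0x20, flags=0x81):
    """Constructed sample: a bare header with chosen target timestamps."""
    return struct.pack(HEADER_FMT, HEADER_SIZE, LINK_CLSID, flags, attrs,
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(written), size, 0, 1, 0, 0, 0, 0)

def demo():
    """Constructed target times: created 07:52:54 MST and last written 09:11:27 MST
    on 2013-12-04 (UTC = MST + 7 h); the access time is left unset (FILETIME 0)."""
    utc = timezone.utc
    hdr = build_sample_header(datetime(2013, 12, 4, 14, 52, 54, tzinfo=utc),
                              datetime(1601, 1, 1, tzinfo=utc),
                              datetime(2013, 12, 4, 16, 11, 27, tzinfo=utc), 2_359_350)
    info = parse_lnk_header(hdr)
    return {"created_local": to_report_local(info["target_created"]),
            "accessed": info["target_accessed"],
            "written_local": to_report_local(info["target_written"]),
            "size": info["target_size"],
            "attrs": info["file_attributes"],
            "flags": info["link_flags"]}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only the header is decoded here; the target path itself lives in the LinkTargetIDList and LinkInfo structures that follow it.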


I recovered the following OR did not recover any notable index.dat files.

27 INDEX.DAT Files Found:

They all belong to RegRipper.

I recovered the following OR did not recover any notable cached files.

CACHE FILES

Could not be located.


INDEX.DAT TECHNICAL NOTES

The main history files used by Internet Explorer are the index.dat files located under the path:

Users\(UserName)\AppData\Local\Microsoft\Windows\ (with multiple subdirectories at this path).

Individual index.dat files are also maintained for daily and weekly Internet activity in subfolders under the History.IE5 subdirectory. In addition to Internet history, Internet Explorer also stores information about files opened or saved by a particular user on the local machine. These local file access entries reflect registered files (files having a registered file type within the registry) accessed with an associated application.


I recovered the following OR did not recover any notable cookie files.

COOKIES


CACHE TECHNICAL NOTES

The location of cached archives varies from browser to browser. Microsoft Internet Explorer stores cache data in the following subfolders:

Users\UserName\AppData\Local\Microsoft\Windows\Temporary Internet Files

Internet Explorer automatically saves a copy of each web page that is viewed, including images, text, and multimedia elements, in a folder named Temporary Internet Files. Cached files are maintained by Internet Explorer in individual subfolders in order to increase the speed of Internet browsing. There is a single index.dat file (or contents.dat in later versions of IE) located in the Content.IE5 folder. The job of this index.dat file is to keep track of the contents of each subfolder. Information maintained in the index.dat under the Content.IE5 folder includes the URL (complete URL address of the Web Cache entry, including the name of the artifact), Host (domain host of the URL), and Last Accessed Date.


NOTABLE HTML FILES:

I utilized AUTOPSY 3.0.8 to sort all entries by file type and searched for HTML files, and discovered OR did not discover notable files during the course of my examination.

HTML FILES: Did not discover any notable files

NOTABLE COMPOUND FILES

Compound files are files that fall within the general category of larger files containing or comprised of one or more smaller files. Examples include MS Word, Excel or other MS Office files; layered graphic image files; PDF files; or ZIP, RAR and other archive files. I reviewed the evidence for compound files and discovered the following OR did not discover any notable files.

COMPOUND FILES

Name: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/My Documents/Downloads/The List.zip/Family Pics
Modified: 2013-12-04 09:05:47 MST
Accessed: 2013-12-04 09:05:47 MST
Created: 2013-12-04 07:52:54 MST
Changed: 0000-00-00 00:00:00
MD5: Not calculated
Internal ID: 15861


COOKIES TECHNICAL NOTES

A “cookie” is a small data file, created by a Web server, that is stored on your computer either temporarily for that session only or permanently on the hard disk (persistent cookie). Cookies provide a way for the Web site to identify users and keep track of their preferences. Cookies are commonly used to "maintain the state" of the session as a user browses around on the site. Thus, when utilizing certain interactive sections of a website, the website can “remember” your preferences the next time you return to the site. Cookies are typically found under the path:

Users\(UserName)\AppData\Roaming\Microsoft\Windows\Cookies

Note: the presence of a particular cookie in a user's “Cookies” folder is not a definitive indication that the user actually visited the website in question, as “third-party” cookies can be placed there by websites that are advertising on the page that the user is visiting. However, by comparing the cookies with the URLs in the Internet History folder, one can determine that the user, "wheels," specifically visited these websites.


CARVED FILES

I utilized AUTOPSY 3.0.8 to search unallocated space and carve or recover various files based on the known file extensions, file signatures, and/or hash values. I recovered the following file types with respective quantities:

Name: /img_WinXP_NTFS.E01//$Unalloc/Unalloc_15859_15187968_2083790848
Modified: 0000-00-00 00:00:00
Accessed: 0000-00-00 00:00:00
Created: 0000-00-00 00:00:00
Changed: 0000-00-00 00:00:00
MD5: Not calculated
Internal ID: 15860

NOTABLE GRAPHIC FILES

I utilized Autopsy 3.0.8 to review approximately 13 graphic image files. I bookmarked NUMBER graphic images due to content related to the investigation within the scope of this search, including depictions of persons who appear to be under the age of eighteen years engaged in sexually exploitative acts.

The complete list of bookmarked items is included in the HTML or PDF version of this report and includes exported graphic images.

GRAPHIC FILES


NOTABLE VIDEO FILES

I utilized AUTOPSY 3.0.8 to review approximately 20 video files. I bookmarked NUMBER video files due to content related to the investigation within the scope of this search, including depictions of persons who appear to be under the age of eighteen years engaged in sexually exploitative acts.

The complete list of bookmarked items is included in the HTML or PDF version of this report and includes exported graphic images.

VIDEO FILES


THUMBS.DB AND THUMBSCACHE.DB TECHNICAL NOTES

In Windows XP, a user could select the ability to view documents and files as thumbnail images in Windows Explorer. When this was done, Windows created a small database, in that particular folder, called a “thumbs.db.” This database stored the thumbnail-sized graphic in a .jpg format, while retaining the original extension. A Thumbs.db file is generated for every graphic image file in the local directories of those original images. Thumbs.db files are low resolution replications of the image files stored on a computer. Even after an original image is deleted, the thumbnail file remains in the original file folder.

In Windows Vista, the user has four selections to make for viewing documents and files as thumbnails: Small Icons, Medium Icons, Large Icons, Extra Large Icons. Thumbs.db files are no longer created in each folder where the data was viewed. Instead, there is a single folder structure within each user’s home folder that holds individual files that track all the viewed items based on the icon size selected. All of the thumbnail images in Win7 are located at \User\<user>\AppData\Local\Microsoft\Windows\Explorer. This folder contains six files, four of which store thumbnails and two of which are administrative. The four files are:

Thumbscache_32.db
Thumbscache_96.db
Thumbscache_256.db
Thumbscache_1024.db


WINDOWS MEDIA PLAYER DATABASE

Unable to locate

NOTABLE ENCRYPTED FILES

I utilized AUTOPSY 3.0.8 to review approximately NUMBER OF ENCRYPTED encrypted files. I bookmarked NUMBER encrypted files due to file names or directories that appear to be related to the investigation within the scope of this search.

ENCRYPTED FILES

Unable to locate

NOTABLE RECYCLE BIN FILES

I utilized AUTOPSY 3.0.8 to review approximately NUMBER FILES in the recycle bin. I bookmarked NUMBER recycled files due to content related to the investigation within the scope of this search, including depictions of persons who appear to be under the age of eighteen years engaged in sexually exploitative acts.

RECYCLED FILES


WINDOWS MEDIA PLAYER TECHNICAL NOTES

CurrentDatabase_360.wmdb is a Windows Media Player database or “catalog” that Media Player creates or updates when a user asks Media Player to search a disk for media. The resulting database contains a list of files that were recently played or updated in the user’s Library.


MEMORY ACQUISITION AND ANALYSIS

On MM/DD/YYYY, I/ANOTHER AGENT utilized AUTOPSY 3.0.8 to acquire Item ITEM NUMBER, with the following description:

RAM and VOLATILE SYSTEM DATA

VOLUME SHADOW COPIES

Unable to locate


$RECYCLE.BIN TECHNICAL NOTES

The default Recycle Bin function for a Windows 7 computer is to move deleted files to a folder named \Recycle.Bin\%SID%\ for the currently logged on user. The first time a user deletes an item, Windows creates the Recycle Bin directory for that user account on the system (identified by that user’s unique SID). Every user’s Recycle Bin directory also contains a hidden system file named $I30. The $I30 file tracks the original location of deleted files and folders. The $I30 file remains available (to restore deleted files) until the user empties the Recycle Bin. At that point, the $I30 file is moved into unallocated space.

PAGEFILE.SYS TECHNICAL NOTES

RAM is a limited resource, whereas virtual memory is, for most practical purposes, unlimited. There can be many processes, each one having its own 2 GB of private virtual address space. When the memory that is in use by all the existing processes exceeds the amount of available RAM, the operating system moves pages (4 KB pieces) of one or more virtual address spaces to the hard disk, thus freeing that RAM frame for other uses. In Windows systems, these “paged out” pages are stored in one or more files named pagefile.sys in the root of a partition. There can be one such file in each disk partition.

http://support.microsoft.com/kb/2267427


NOTABLE OS AND REGISTRY FILES

SAM (Security Accounts Manager):

Using AUTOPSY 3.0.8, I examined the Windows Registry “SAM” file. The SAM file is a local security database that contains local users and group information, including User Name, SID Unique Identifier, Logon Count, Last Logon Time, and Last Password Change Time (This is the same information that was obtained via Encase’s Initialize Case script). I noted that user “USER NAME” had a RID of “1000,” a logon count of NUMBER, last logon time on MM/DD/YYYY HH:MM:SS, and last password change on MM/DD/YYYY HH:MM:SS.

SOFTWARE:

Using AUTOPSY 3.0.8, I examined the Windows Registry “SOFTWARE” file, which stores application and software settings, user profile path information, and Windows settings. The SOFTWARE file maintains Microsoft Windows Product information, including the install date of MM/DD/YYYY HH:MM:SS, Product Name of OS VERSION, Registered Owner “NAME” and CSDVersion Service Pack 1.

NTUSER.DAT:

Using Registry Viewer, I examined the Windows Registry “NTUSER.DAT” file for the user “NAME.”


SHADOW COPY TECHNICAL NOTES

Windows Vista/7 uses a “Volume Shadow Service” to copy data and allow users to recover and/or restore previous versions of files. Although the “restore previous versions” option is only available in the Business, Enterprise and Ultimate editions of Windows Vista, the volume shadow copy service continues to run in the Home Basic and Home Premium versions of Vista. By default, 15% of the drive is dedicated to the volume shadow copy service in all Vista versions.

Shadow Explorer is a utility that allows the examiner to view these restore points by showing the available point-in-time copies, browsing through the shadow copies, and retrieving those stored versions of files and folders.


SYSTEM:

/Documents and Settings/Anonymous2013/NTUSER.DAT

Using AUTOPSY 3.0.8, I examined the Windows Registry “SYSTEM” file, which stores common system information settings.

Using Registry Viewer, I examined the Windows Registry SYSTEM file, which contains system information such as time zone settings, “Mounted Devices,” (devices currently or previously attached to the computer) and “USBSTOR,” (stores the contents of the product and device ID values, and possibly serial numbers, of any USB device that has been connected to the system).

Mounted Devices – The Mounted Devices subkey stores a database of current and prior mounted volumes in the NTFS file system. This subkey indicated multiple additional volumes previously mounted as DRIVE LETTERS OR NAMES, which were not partitions currently on the examined hard drive. The inference is that either the suspect has removable external drives that were not discovered pursuant to this search or there exist hidden/encrypted volumes on this hard drive that were not discovered at this time.

USBSTOR: (System\CurrentControlSet00#\Enum) – I noted the following attached devices located in this subkey, which showed the following “Friendly Name” of:

Unable to Locate


NTUSER.DAT TECHNICAL NOTES

The NTUSER.DAT file contains information regarding a corresponding user and includes such information as the Protected Storage System Provider (PSSP) sub-key, typed URLs, and recent document lists.

Protected Storage System Provider - The Microsoft\Protected Storage System Provider sub-key (PSSP) stores confidential user information specific to Microsoft applications, such as: usernames and passwords for Internet websites, a record of Internet queries, and e-mail passwords for Microsoft Outlook or Outlook Express mailboxes. In addition, the PSSP stores form data entered by the user while entering a website or completing a form on the Internet.

RecentDocs - a most recently used list pointing to shortcuts located in the recent directory. In addition to the most recently used list of all programs\files, the key contains subkeys (identified by file extension) of the most recently used files of a particular file extension.

OpenSavePidIMRU/OpenSave MRU/Last Visited MRU – The OpenSave key maintains a list of recently opened or saved files via Windows Explorer "Open” and “Save” dialog boxes (a .txt, .pdf, .jpg or other file that is recently opened or saved from within a web browser such as Internet Explorer). Documents that are opened or saved via Microsoft Office programs are not maintained in this list.


This is consistent with the information obtained in the Mounted Devices subkey above, suggesting that the suspect has additional media that were not discovered.

TIMEZONE INFORMATION: (ControlSet001/Control/TimeZoneInformation: UTC-420 or Mountain Standard Time with a Daylight Bias of -60 minutes or Arizona Time)

VIRUS SCAN

Using AUTOPSY 3.0.8, I selected Item ITEM NUMBER and utilized the “Mount Image to Drive” function in order to view the evidence file as a virtual logical drive on the government computer. The disk mounting utility mounts images of hard drives or CDs as read-only drives, which allows the use of third party tools on the evidence file. With the evidence mounted as an emulated disk, I scanned the drive for viruses and malware with AVAST version 2014.9.0.2013 with virus definition version 140228-0 (containing 2,289,309 virus definitions). The anti-virus software reported NUMBER OR no infected files.

SUMMARY

I concluded that there were files and actions that prove that this partition could have been used for a conspiracy.
