Professional Documents
Culture Documents
Page 1 of 13
ACQUISITION
On 11/30/2015, I at 08:20 hours utilized FTK Imager 3.1.2.0 to acquire Item
#EVID11302015811, with the following description:
HDD: 1
Drive Type: Physical Drive
Drive Make: Western Digital
Drive Model: Unknown
Image File Name: WinXp_NTFS
Verified MD5 Hash: bce3d2a088b15a398183e2b603ab920a
PREVIEW/INITIAL EXAMINATION
I utilized FTK Imager 3.1.2.0 to examine the forensic copies of each piece of
evidence acquired. The initial examination included looking in both allocated
space (areas of the hard drive assigned specific files) and unallocated space
(areas of the hard drive containing files that have been deleted from the file
system and no longer accessible to the user).
I previewed the file structure of the drive and identified the following
partitions and corresponding partition sizes. The total number of partitions
on Item #EVID11302015811 is 1. The total bytes allocated to the visible
partitions are 4194856960. The total bytes unallocated to a partition are
8,192 bytes. I also identified the non-default user account names and
related SID-RID numbers. I examined the primary user account library
folders, including documents, pictures, videos, and downloads. I noted the
following:
Partition 1 Name: NONAME
Partition 1 Size: 4,194,856,960
Partition 2 Name: N/A
Partition 2 Size: N/A
User Account 1 Name: Administrators: Anonymous2013
SID-RID: S-1-5-18
Notable User Account Documents, Pictures, etc.: Documents: 19, Family
Pictures: 9, Work Pictures 12, Encrypted files: 24 (with CryptNet)
Phoenix Cyber Investigation Office
Page 2 of 13
CCleaner
CyoHash
Eraser
Cryptnet
Page 3 of 13
Page 4 of 13
Page 5 of 13
File path/directory:
C:\Documents and Settings\Anonymous2013\My Documents\My Pictures\Work Pics\more false flags.bmp
Page 6 of 13
INDEX.DAT
Username: Anonymous2013
File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Local
Settings/Temp/History/History.IE5/index.dat
INDEX.DAT
Username: Anonymous2013
File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Local
Settings/Temp/History/History.IE5/MSHist012013120420131205/index.dat
COOKIES:
Page 7 of 13
Name: main.html
Page 8 of 13
Page 9 of 13
within the scope of this search, including depictions of persons who appear
to be under the age of eighteen years engaged in sexually exploitative acts.
The complete list of bookmarked items is included in the HTML or PDF
version of this report and includes exported graphic images.
GRAPHIC FILES
Name: 0D63CL2J/17DD5487C27FDCE8C26AB7BACD2681[1].jpg
File path/directory: /img_WinXP_NTFS.E01/Documents and Settings/Anonymous2013/Local
Settings/Temp/Temporary Internet Files/Content.IE5/0D63CL2J/17DD5487C27FDCE8C26AB7BACD2681[1].jpg
Page 10 of 13
Page 11 of 13
Name: AcLayers.dll
File path/directory: /img_WinXP_NTFS.E01/WINDOWS/AppPatch/AcLayers.dll
Notable MAC time: 2006-02-28 05:00:00 MST
Page 12 of 13
Page 13 of 13