
Final Project

Jeffrey Ryan

Evidentiary Report
Case of Brandy Vela, Texas City, Texas
OFFICIAL USE ONLY
Ryan Digital Forensic Services Case # 16-1-00074

Evidentiary Report Brief Summary


Computer Forensics Agency: Ryan Digital Forensic Services
Computer Forensics Examiner: Jeffrey Ryan
Computer Forensics Examiner License Number: A17396 Texas
Computer Forensics Report Author: Jeffrey Ryan
Case Number: 16-1-00074
Objective: To determine extent of cyberbullying against victim using victim’s personal computer.
Date of Request: December 21, 2017
Requester: Texas City Police Department
Date/Time Report Completed: January 20, 2017 / 13:20 CST

Background to the Case


Brandy Vela was a Texas City, Texas teenager who committed suicide on November 29, 2016
after a history of cyberbullying. The Texas City Police Department is searching for digital clues
as to who the perpetrators are. Part of the investigation includes performing a computer forensics
examination of Brandy Vela’s personal computer by a licensed examiner in the state of Texas.
Brandy Vela’s computer has been provided to Ryan Digital Forensic Services, courtesy of the
Texas City Police Department, to perform the examination.

Evidence Submitted
Item # Description
1 Personal Desktop Computer

Data Collection Process


Examination System Specifications (“FRED SR”, 2017)
CPU / RAM: Dual Xeon E5-2620 / 32 GB DDR4 2133 MHz
Operating System: Windows 10 Professional
OS Drive: 256 GB SSD
Imaging Bay: UltraBay with hardware write-blocker
Storage Chassis: 15 HDDs (3 sets of 5 drives), each set RAID 5
Forensic Duplication Software: FTK Imager v3.4.3.3 by AccessData
Forensic Analysis Software Suite: EnCase Forensic v7.12.00.49 by Guidance Software
Forensic Analysis Software (Additional): Internet Evidence Finder v6.6 by Magnet

All examination system hardware and software is fully licensed and registered to Ryan Digital
Forensic Services. All examination system hardware and software was verified to be functioning
correctly pursuant to Ryan Digital Forensic Services policies and procedures on December 31,
2016.
Examined System Specifications
Computer Case: Hewlett Packard Z200 mid-tower
CPU / RAM: Intel Core i5-4570 / 8 GB DDR4 2133 MHz
Operating System: Windows 7 Home Premium
Storage Drive(s): Hitachi 250 GB HDD 7200 RPM; Model: HDS721025CLA382; Serial Number: JPA370H91VTLZL
Network Card: Intel 10/100 Ethernet Card; MAC Address: 00-03-47-17-2A-71
Internet Browser(s) installed: Internet Explorer v11.0.10240.16384

Pictured below are Brandy Vela’s computer case and the HDD contained within.

The examined system was opened on January 2, 2017 and important components of the
examination inventoried (hardware specifications, storage devices, and networking devices). One
(1) Hitachi 250 GB HDD was discovered. The HDD cables were disconnected and the HDD was
removed from the computer case.
The HDD was then attached to the examination system imaging bay with the protection of a
hardware based write-blocker to preserve data on the HDD. FTK Imager software was used to
create the image of the HDD in an EnCase Forensic compatible format (.E01 file extension) and
saved on RAID protected drives in the storage chassis.
The screenshot below (Figure 1) shows the image verification performed by FTK Imager.

Figure 1 HDD Image Verification

Once the HDD was removed, the case was powered up to verify BIOS (Basic Input/Output
System) was working correctly and the date/time were accurate (Moulin, 2015).
Data Extraction and Examination Process
Examination of Brandy Vela’s computer HDD image began on January 2, 2017 and concluded
on January 13, 2017. A working copy of the initial image was created for all analysis activities.
EnCase Forensic was used for the physical and logical data extraction portions of this
examination. Physical data extraction was performed to determine the partition table, the type of
file system used, and possible unused space on the HDD (US Department of Justice, 2014).

There was one (1) partition discovered, an NTFS file system, typical of the operating system
installed (Windows 7 Home Premium), and no unused space was discovered.
Logical data extraction was performed to determine directory structure, filenames, file sizes, and
file date/time stamps. Deleted files and unallocated space were recovered.
Examination of the extracted data primarily involved timeframe analysis and application/file
analysis.
Internet Evidence Finder (IEF) (Figure 2) was used for the recovery and analysis of Internet
artifacts on Brandy Vela’s HDD image, particularly artifacts relating to Facebook Chat,
Facebook Wall Posts/Comments, and Facebook pictures. All of the findings using IEF were
verified with EnCase Forensic.

Figure 2 Internet Evidence Finder (Example Screenshot)

Encrypted/Deleted Files
The examination of Brandy Vela’s computer HDD image did not reveal any encrypted folders or
files. Thirty-six deleted files were recovered and examined but none of them were relevant to this
case.

Examination findings
A timeline of events could be constructed by searching the Temporary Internet Files folder and
web cache.
Facebook Chat Messages
Facebook Chat saves individual chat messages as text files with a filename pattern of p_[number
string]=[number][1].txt (e.g. p_100000580204632=2[1].txt). Each text file is a JSON (JavaScript
Object Notation) document that includes a single chat message, the message sender’s name and
Facebook profile number, the message recipient’s name and Facebook profile number, and the
date and time the chat message was sent (Mutawa et al, 2011). The date and time stamp was in
UNIX format, which is the number of seconds since January 1, 1970 UTC. All text files matching
the naming pattern were found and each one was analyzed to extract all of the information stated
previously and to convert the date/time stamp to Central Standard Time (UTC-06:00).
The search resulted in 688 text files (Facebook Chat messages) between the dates of March 3,
2016 and November 29, 2016. A total of 615, or 89.4%, of those chat messages occurred on or
after April 4, 2016. The graph below (Figure 3) shows the spread of chat messages over the
specified period of time and how the quantity increased in early April 2016.

[Chart: Number of Facebook Chat Messages]

Figure 3 Daily Facebook Chat Message Frequency

The chat messages were sent by twelve (12) Facebook members but a high percentage were sent
by two people, Facebook profile numbers 1639956012 and 1590024379. See attachment 2 to
view the contents of all Facebook Chat messages found in this examination.
Facebook Wall Posts, Status Updates, and Comments
Several of Brandy Vela’s Facebook Wall posts, status updates, and comments were recovered by
examining the Temporary Internet Files folder and web cache (“How Important are Facebook
Artifacts”, 2014). A total of 97 wall posts and comments from Facebook profiles 1639956012
and 1590024379 were included as an attachment to this report. Several of the wall posts and
comments take place on the same date as Facebook Chat messages, noted in the attachment. See
attachment 3 to view the contents.
Facebook Pictures
Facebook saves pictures in the Temporary Internet Files folder and web cache with a unique
filename pattern similar to Facebook Chat message files (“How Important are Facebook
Artifacts”, 2014). The pattern for Facebook picture files is [number]_[number]_[number]_n.jpg
(e.g. 86302_8259349192_3922_n.jpg). The middle number is the Facebook profile number of the
member that uploaded the picture. A total of 28 pictures were recovered that contained the
profile numbers 1639956012 and 1590024379. Some of the Facebook pictures were uploaded on
the same date as Facebook Chat messages, noted in the attachment. See attachment 4 to view the
picture contents.
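
The filename-pattern search described above for chat message files and picture files can be sketched as follows. This is an added example, not part of the original report or the examiner's tooling; the JSON key names ("from", "to", "text", "time"), the function names, and the sample files are assumptions constructed for illustration.

```python
import hashlib, json, re
from collections import Counter
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Filename patterns as the report describes them.
CHAT_RE = re.compile(r"^p_(\d+)=(\d+)\[1\]\.txt$")
PIC_RE = re.compile(r"^(\d+)_(\d+)_(\d+)_n\.jpg$")
# The report converts to a fixed UTC-06:00; a fixed offset does not track DST.
CST = timezone(timedelta(hours=-6), "CST")

def parse_chat(path):
    """Return one chat record, or None when the cached file is not usable JSON."""
    raw = path.read_bytes()
    try:
        msg = json.loads(raw.decode("utf-8", errors="replace"))
        sent = datetime.fromtimestamp(int(msg["time"]), tz=timezone.utc)
    except (ValueError, KeyError, TypeError, OverflowError, OSError):
        return None
    # Key names "from", "to", "text", "time" are assumed for this example.
    return {"file": path.name, "sent": sent.astimezone(CST),
            "from_id": str(msg.get("from")), "to_id": str(msg.get("to")),
            "text": msg.get("text", ""),
            "md5": hashlib.md5(raw).hexdigest(), "sha1": hashlib.sha1(raw).hexdigest()}

def scan_cache(root):
    """Return (chat records, picture count per uploader, unparsed chat files)."""
    chats, uploaders, unparsed = [], Counter(), []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        if CHAT_RE.match(path.name):
            rec = parse_chat(path)
            (chats if rec else unparsed).append(rec or path.name)
        elif m := PIC_RE.match(path.name):
            uploaders[m.group(2)] += 1  # middle number is the uploader's profile number
    return chats, uploaders, unparsed

def daily_counts(chats):
    """Messages per calendar day at UTC-06:00 (the kind of series Figure 3 plots)."""
    return Counter(rec["sent"].date().isoformat() for rec in chats)

def build_sample(root):
    """Write constructed sample cache files (not case data) into root."""
    msg = {"from": 1000000001, "to": 1000000002, "text": "sample", "time": 1459735200}
    files = {"p_1000000002=1[1].txt": json.dumps(msg).encode(),
             "p_1000000002=2[1].txt": json.dumps(dict(msg, time=1459780200)).encode(),
             "p_1000000002=3[1].txt": b'{"from": 10000',  # truncated cache entry
             "86302_1000000001_3922_n.jpg": b"\xff\xd8constructed", "index.dat": b"x"}
    for name, data in files.items():
        (Path(root) / name).write_bytes(data)
```

Point `scan_cache` at a folder exported from the working copy of the image; files that match the chat pattern but fail to parse are returned separately so they can be examined by hand rather than silently dropped.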

Files Identified and Found


1. Facebook Chat Messages
Location: C:\Users\Brandy\AppData\Local\Microsoft\Windows\Temporary Internet Files\
Quantity: 688
Signatures: See attachment 2 for each file’s MD5 and SHA1 hash values.
File Contents: See attachment 2.

2. Facebook Wall posts, status updates, comments
Location: C:\Users\Brandy\AppData\Local\Microsoft\Windows\Temporary Internet Files\
Quantity: 97
Signatures: See attachment 3 for each file’s MD5 and SHA1 hash values.
File Contents: See attachment 3.

3. Facebook Pictures
Location: C:\Users\Brandy\AppData\Local\Microsoft\Windows\Temporary Internet Files\
Quantity: 28
Signatures: See attachment 4 for each file’s MD5 and SHA1 hash values.
File Contents: See attachment 4.

4. Deleted Files
Location: Varies
Quantity: 36
Signatures: Not computed. Not relevant to case.
File Contents: Not included. Not relevant to case.

Conclusion
Brandy Vela suffered cyberbullying for nine months through several different forms of Facebook
communication, culminating in her suicide on November 29, 2016. A full computer forensic
examination of her personal computer HDD showed a collection of Facebook chat messages,
Facebook wall posts/comments, and Facebook pictures that together can be constructed into a
clear timeline of events, beginning in early March, 2016, dramatically increasing in early April
2016, and ceasing on November 29, 2016, at least on her personal computer. Harassment may
have also been experienced using other digital devices but they are outside the scope of this
examination.

Attachments
1. Chain of Custody Form
2. Facebook Chat Message Files*
3. Facebook Wall Posts, Comments, Files*
4. Facebook Picture Files*
* Non-existent files. Displayed for demonstration purposes of assignment.

References
(2017) FRED SR – The Complete Forensic Hardware Solution. Retrieved from https://www.digitalintelligence.com/products/fredsr/
Moulin, J. (May 11, 2015) Digital Forensics / Incident Response Forms, Policies, and Procedures. Retrieved from https://www.joshmoulin.com/digital-forensics-incident-response-forms-policies-and-procedures/
US Department of Justice (August 1, 2014) Forensic Examination of Digital Evidence: A Guide for Law Enforcement.
Mutawa et al. (December 2011) Forensic artifacts of Facebook’s instant messaging service. Retrieved from https://www.researchgate.net/publication/241635819_Forensic_artifacts_of_Facebook's_instant_messaging_service
(2014) How Important are Facebook Artifacts? Retrieved from https://www.magnetforensics.com/wp-content/uploads/2014/01/MF_whitepaper_facebook.pdf?submissionGuid=2b338878-09c8-43db-9904-360a8f05f623
