Jeffrey Ryan
Evidentiary Report
Case of Brandy Vela, Texas City, Texas
OFFICIAL USE ONLY
Ryan Digital Forensic Services Case # 16-1-00074
Evidence Submitted
Item # Description
1 Personal Desktop Computer
correctly pursuant to Ryan Digital Forensic Services policies and procedures on December 31,
2016.
Examined System Specifications
Computer Case Hewlett Packard Z200 mid-tower
CPU / RAM Intel Core i5-4570 / 8 GB DDR4 2133 MHz
Operating System Windows 7 Home Premium
Storage Drive(s) Hitachi 250 GB HDD 7200 RPM
Model: HDS721025CLA382
Serial Number: JPA370H91VTLZL
Network Card Intel 10/100 Ethernet Card
MAC Address: 00-03-47-17-2A-71
Internet Browser(s) installed Internet Explorer v11.0.10240.16384
Pictured below are Brandy Vela’s computer case and the HDD contained within.
The examined system was opened on January 2, 2017, and the components relevant to the
examination were inventoried (hardware specifications, storage devices, and networking devices).
One (1) Hitachi 250 GB HDD was discovered. The HDD cables were disconnected and the HDD was
removed from the computer case.
The HDD was then attached to the examination system imaging bay behind a hardware-based
write-blocker to preserve the data on the HDD. FTK Imager software was used to create the image
of the HDD in an EnCase Forensic compatible format (.E01 file extension), and the image was
saved on RAID-protected drives in the storage chassis.
The screenshot below (Figure 1) shows the image verification performed by FTK Imager.
Once the HDD was removed, the case was powered up to verify that the BIOS (Basic Input/Output
System) was working correctly and that the date/time were accurate (Moulin, 2015).
Data Extraction and Examination Process
Examination of Brandy Vela’s computer HDD image began on January 2, 2017 and concluded
on January 13, 2017. A working copy of the initial image was created for all analysis activities.
EnCase Forensic was used for the physical and logical data extraction portions of this
examination. Physical data extraction was performed to determine the partition table, the type of
file system used, and possible unused space on the HDD (US Department of Justice, 2014).
There was one (1) partition discovered, an NTFS file system, typical of the operating system
installed (Windows 7 Home Premium), and no unused space was discovered.
Logical data extraction was performed to determine directory structure, filenames, file sizes, and
file date/time stamps. Deleted files and unallocated space were recovered.
Examination of the extracted data primarily involved timeframe analysis and application/file
analysis.
Internet Evidence Finder (IEF) (Figure 2) was used for the recovery and analysis of Internet
artifacts on Brandy Vela’s HDD image, particularly artifacts relating to Facebook Chat,
Facebook Wall Posts/Comments, and Facebook pictures. All of the findings using IEF were
verified with EnCase Forensic.
Encrypted/Deleted Files
The examination of Brandy Vela’s computer HDD image did not reveal any encrypted folders or
files. Thirty-six deleted files were recovered and examined but none of them were relevant to this
case.
Examination Findings
A timeline of events could be constructed by searching the Temporary Internet Files folder and
web cache.
Facebook Chat Messages
Facebook Chat saves individual chat messages as text files with a filename pattern of
p_[number string]=[number][1].txt (e.g. p_100000580204632=2[1].txt). Each text file contains a
JSON (JavaScript Object Notation) object that includes a single chat message, the message
sender’s name and Facebook profile number, the message recipient’s name and Facebook profile
number, and the date and time the chat message was sent (Mutawa et al., 2011). The date and time
stamp was in UNIX format, which is the number of seconds since January 1, 1970 UTC. All text files matching
the naming pattern were found, and each one was analyzed to extract all of the information stated
previously and convert the date/time stamp to Central Standard Time (UTC-06:00).
The search resulted in 688 text files (Facebook Chat messages) between the dates of March 3,
2016 and November 29, 2016. A total of 615, or 89.4%, of those chat messages occurred on or
after April 4, 2016. The graph below (Figure 3) shows the spread of chat messages over the
specified period of time and how the quantity increased in early April 2016.
The chat messages were sent by twelve (12) Facebook members, but a high percentage were sent
by two people, Facebook profile numbers 1639956012 and 1590024379. See attachment 2 to
view the contents of all Facebook Chat messages found in this examination.
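The chat-file extraction described above, sketched in Python as an added example (not part of the original report or of the tools it used). The JSON key names (from_id, to_id, text, time) and the sample records are constructed for illustration; the filename pattern, the seconds-based UNIX timestamp and the fixed UTC-06:00 offset are taken from the report.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Filename pattern quoted in the report: p_[number string]=[number][1].txt
CHAT_NAME = re.compile(r"^p_(\d+)=(\d+)\[1\]\.txt$")
# The report converts to a fixed UTC-06:00 offset; this example does the same.
CST = timezone(timedelta(hours=-6), "CST")

def parse_chat_file(filename, raw_text):
    """Return a record for one cached chat file, or None if the name does not match."""
    m = CHAT_NAME.match(filename)
    if m is None:
        return None
    try:
        doc = json.loads(raw_text)
        # Key names below are assumptions made for this example.
        sent_utc = datetime.fromtimestamp(int(doc["time"]), tz=timezone.utc)
    except (ValueError, KeyError, TypeError, OverflowError, OSError):
        return {"file": filename, "error": "unparseable"}  # keep damaged files visible
    return {
        "file": filename,
        "from_id": str(doc.get("from_id")),
        "to_id": str(doc.get("to_id")),
        "text": doc.get("text", ""),
        "sent_utc": sent_utc.isoformat(),
        "sent_cst": sent_utc.astimezone(CST).isoformat(),
    }

def build_timeline(files):
    """files: iterable of (filename, text). Returns (messages sorted by time, errors)."""
    records = [r for r in (parse_chat_file(n, t) for n, t in files) if r]
    errors = [r for r in records if "error" in r]
    messages = sorted((r for r in records if "error" not in r), key=lambda r: r["sent_utc"])
    return messages, errors

# Constructed sample input (not real case data).
SAMPLE_FILES = [
    ("p_100000580204632=3[1].txt", '{"from_id": 1111, "to_id": 2222, "text": "later", "time": 1459800000}'),
    ("p_100000580204632=2[1].txt", '{"from_id": 1111, "to_id": 2222, "text": "first", "time": 1459742400}'),
    ("p_100000580204632=4[1].txt", '{"from_id": 1111, "to_id": 2222'),  # truncated cache file
    ("index[1].htm", "<html></html>"),  # unrelated cache entry
]
if __name__ == "__main__":
    msgs, errs = build_timeline(SAMPLE_FILES)
    for r in msgs:
        print(r["sent_cst"], r["from_id"], "->", r["to_id"], r["text"])
    print("unparseable:", [e["file"] for e in errs])
```

The first sample message was sent at 04:00 UTC on April 4, 2016, so after conversion it falls on April 3 at 22:00; per-day counts depend on which offset the examiner applies.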
Facebook Wall Posts, Status Updates, and Comments
Several of Brandy Vela’s Facebook Wall posts, status updates, and comments were recovered by
examining the Temporary Internet Files folder and web cache (“How Important are Facebook
Artifacts”, 2014). A total of 97 wall posts and comments from Facebook profiles 1639956012
and 1590024379 were included as an attachment to this report. Several of the wall posts and
comments take place on the same date as Facebook Chat messages, noted in the attachment. See
attachment 3 to view the contents.
Facebook Pictures
Facebook saves pictures in the Temporary Internet Files folder and web cache with a unique
filename pattern similar to Facebook Chat message files (“How Important are Facebook
Artifacts”, 2014). The pattern for Facebook picture files is [number]_[number]_[number]_n.jpg
(e.g. 86302_8259349192_3922_n.jpg). The middle number is the Facebook profile number of the
member that uploaded the picture. A total of 28 pictures were recovered that contained the
profile numbers 1639956012 and 1590024379. Some of the Facebook pictures were uploaded on
the same date as Facebook Chat messages, noted in the attachment. See attachment 4 to view the
picture contents.
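An added example (not from the original report) of triaging cached picture files by the filename pattern above: it takes the uploader's profile number from the middle field, keeps files for the profiles of interest, and records MD5 and SHA1 values for each. The optional [n] cache suffix, the JPEG header check and the sample file names and bytes are assumptions of this example.

```python
import hashlib
import re

# Pattern quoted in the report: [number]_[number]_[number]_n.jpg
# Assumption: the browser cache may append a copy suffix such as [1] before .jpg.
PHOTO_NAME = re.compile(r"^(\d+)_(\d+)_(\d+)_n(?:\[\d+\])?\.jpg$", re.IGNORECASE)

def uploader_id(filename):
    """Return the middle number (the uploader's profile number) or None."""
    m = PHOTO_NAME.match(filename)
    return m.group(2) if m else None

def triage_pictures(entries, profiles):
    """entries: iterable of (filename, bytes). Returns one record per matching file."""
    hits = []
    for name, data in entries:
        uid = uploader_id(name)
        if uid is None or uid not in profiles:
            continue
        hits.append({
            "file": name,
            "uploader": uid,
            "size": len(data),
            # A matching name does not prove the content is a JPEG; check the header.
            "jpeg_header": data[:3] == b"\xff\xd8\xff",
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
        })
    return sorted(hits, key=lambda h: (h["uploader"], h["file"]))

# Profile numbers named in the report.
PROFILES = {"1639956012", "1590024379"}
# Constructed cache entries (file names and bytes are made up for this example).
SAMPLE_CACHE = [
    ("11111_1639956012_222_n.jpg", b"\xff\xd8\xff\xe0" + b"constructed-a"),
    ("33333_1590024379_444_n[1].jpg", b"<html>not an image</html>"),
    ("86302_8259349192_3922_n.jpg", b"\xff\xd8\xff\xe0" + b"constructed-b"),
    ("banner_n.jpg", b"\xff\xd8\xff\xe0"),
]

if __name__ == "__main__":
    for h in triage_pictures(SAMPLE_CACHE, PROFILES):
        print(h["uploader"], h["file"], h["jpeg_header"], h["md5"], h["sha1"])
```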
3. Facebook Pictures
Location: C:\Users\Brandy\AppData\Local\Microsoft\Windows\Temporary Internet Files\
Quantity: 28
Signatures: See attachment 4 for each file’s MD5 and SHA1 hash values.
File Contents: See attachment 4.
4. Deleted Files
Location: Varies
Quantity: 36
Signatures: Not computed. Not relevant to case.
File Contents: Not included. Not relevant to case.
Conclusion
Brandy Vela suffered cyberbullying for nine months through several different forms of Facebook
communication, culminating in her suicide on November 29, 2016. A full computer forensic
examination of her personal computer HDD showed a collection of Facebook chat messages,
Facebook wall posts/comments, and Facebook pictures that together can be constructed into a
clear timeline of events, beginning in early March 2016, dramatically increasing in early April
2016, and ceasing on November 29, 2016, at least on her personal computer. Harassment may
have also been experienced using other digital devices but they are outside the scope of this
examination.
Attachments
1. Chain of Custody Form
2. Facebook Chat Message Files*
3. Facebook Wall Posts, Comments, Files*
4. Facebook Picture Files*
* Non-existent files. Displayed for demonstration purposes of assignment.
References
(2017) FRED SR – The Complete Forensic Hardware Solution. Retrieved from https://www.digitalintelligence.com/products/fredsr/
Moulin, J. (May 11, 2015) Digital Forensics / Incident Response Forms, Policies, and Procedures. Retrieved from https://www.joshmoulin.com/digital-forensics-incident-response-forms-policies-and-procedures/
US Department of Justice (August 1, 2014) Forensic Examination of Digital Evidence: A Guide for Law Enforcement.
Mutawa et al. (December 2011) Forensic artifacts of Facebook’s instant messaging service. Retrieved from https://www.researchgate.net/publication/241635819_Forensic_artifacts_of_Facebook's_instant_messaging_service
(2014) How Important are Facebook Artifacts? Retrieved from https://www.magnetforensics.com/wp-content/uploads/2014/01/MF_whitepaper_facebook.pdf?submissionGuid=2b338878-09c8-43db-9904-360a8f05f623