
Office of the Attorney General

High Tech Crimes Bureau - Chicago

September 26, 2006

Detective William Martin


Schiller Park Police Department
9526 West Irving Park Road
Schiller Park, IL 60176

Dear Detective Martin,

This CD contains the report of the forensic examination of the evidence submitted by your office
on 07/21/2006.

We have created hyperlinks to relevant findings of this examination. These hyperlinks will
appear in blue and placing the mouse cursor on the blue portion as described above will take you
to that particular section of the report.

We hope that this method will make your examination of our report easy for you. You can start
reading by clicking on this link – Report of Digital Forensic Examination.

If you have any questions about the forensic examination of your evidence or this report, please
feel free to contact me at 312-814-3762.

Sincerely,

Shahna G. Monge, EnCE


Senior Computer Evidence Recovery Technician
Office of the Attorney General
High Tech Crimes Bureau
Regional Computer Forensic Lab - Chicago
Forensic Report – 09/18/2006

RCFL Case Number: HTCB-06-01-1028

Case Agent: Detective William Martin


Schiller Park Police Department

Forensic Examination Performed by: Shahna G. Monge, EnCE


Senior Computer Evidence Recovery Technician
Illinois Attorney General’s Office
High Tech Crime Bureau
Chicago, IL 60601

Case Classification: Computer Tampering

Suspect (Case Name): Annabel Melongo

High Tech Crimes Bureau: A.A.G. David Haslett, Bureau Chief


Deputy Chief of Investigations Daniel Ferraro
Deputy Chief Michael Sullivan – ICAC Coordinator
A.A.G. Abigail Abraham, Prosecutor
A.A.G. Kyle French, Prosecutor
A.A.G. Elizabeth Lepic, Prosecutor

Forensic Procedure Summary:

The hard drive from the computer system relating to this case was locked (write-protected) via
the use of the Encase Fast Bloc IDE to SCSI imaging device. The hard drive was then imaged to
a separate hard drive within the forensic computer. The ZIP media was imaged to the same hard
drive within the forensic computer, and a separate file was created for each ZIP disk. The ZIP
media was acquired through Encase’s network acquisition and the ZIP drive was locked to
prevent writing to the media through Encase in DOS mode before the acquisition was begun.
The CD media was imaged to the same hard drive within the forensic computer, and a separate
file was created for each CD. The forensic CD drive does not have writing capabilities. The
USB thumb drive was imaged to the same hard drive within the forensic computer. The thumb
drive was write-blocked by the use of a Windows registry change that prohibits any writes being
made to any media connected via USB.

This imaging process entailed the creation of an evidence file (disk image) in which the hard
drive/ZIP/CD/USB thumb drive were recreated sector by sector in a forensic environment
utilizing forensic software licensed and registered to Shahna G. Monge, Senior Computer
Evidence Recovery Technician and/or the Illinois Attorney General.

This process allowed the forensic examination to proceed without altering any of the original
files from the suspect media, and also preserved File, Disk and Volume Slack. This also allowed
the unallocated sectors of the disk to be searched and examined. The process detailed above also
allowed for forensic examination of RAM Slack.

Forensic Report Summary:

I reviewed the case files provided by Detective Martin, Schiller Park Police Department. After
review of the search warrant, it was determined that I would attempt to recover any information
that would constitute evidence of the offense Computer Tampering and also determine
ownership/control and/or dominion over the data.

The forensic examination was completed and forensic reports are listed under their respective
names and were provided as separate documents (files) to Detective Martin.

During the course of the examination I observed the following:


Please refer to the included Forensic Report for detailed information regarding the following.

• Two link files were found in the Recycle Bin for a network connection to Save A Life
Foundation.
• Log files for the program Go To My PC were discovered. Go To My PC is a program that
allows remote access to another computer.
• A log file for the Jakarta service was discovered that contained entries for the specific date
and time of the intrusion. Jakarta is a project to create an open-source java-based server.
• Connection settings were found in the Microsoft network connections phonebook resident on
the laptop computer.
• Within a restore point “snapshot” that was automatically created by the computer, there was
a text document discovered named “domain.txt” that contains information relating to a
computer on the domain savealifefou.
• A cookie file containing IP information for comcast server with IP 24.15.202.102 was
discovered. File last written 04/28/06 09:43:13hrs.
• Several instances of the IP 24.15.202.102 were discovered on the evidence. Please see the
forensic report for further details.
• The URL f·t·p·:·/·/·7·0·.·1·4·2·.·2·5·1·.·2·4·2·/·· was found in the registry in the folder
"TypedURLs" for Windows user Administrator. It also shows that an FTP (file
transfer protocol) session was initiated by the Windows user Administrator for the IP
70.142.251.242.
• The IP shown of 24.15.202.102 was located in the registry in the folder "TypedURLs". It is
shown as it was typed by the Windows user Administrator.
• The URL h·t·t·p·:·/·/·w·w·w·.·g·o·t·o·m·y·p·c·.·c·o·m·/··· was found in the registry in the folder
"TypedURLs" by the Windows user Administrator.
• The URL h·t·t·p·:·/·/·m·a·i·l·.·s·a·l·f·.·o·r·g·/··· was found in the registry in the folder
"TypedURLs" for Windows user Administrator.
• What appears to be user name and password (carol@salf.org:herman·) for the website
www.salf.org:2095/Webmail was found in the Protected Storage System Provider folder
for SID (System ID) that corresponds to Windows user Administrator.
• s·g·h·o·l·a·r·@·s·a·l·f·.·o·r·g···s·g·h·o·l·a·r·8·8·9·9··· appears to be information typed in at URL
shown of http://70.142.251.241/
• The URL of f·t·p·:·/·/·7·0·.·1·4·2·.·2·5·1·.·2·4·2·/·d·o·c·u·m·e·n·t·s··· was found in the registry in
the folder "TypedURLs" for Windows user Administrator. It also shows that an FTP
(file transfer protocol) session was initiated by the Windows user Administrator
for the IP 70.142.251.242 and the folder "documents".
• The executable file for the setup of the program Go To My PC, which allows remote access
to other computers, was discovered under the Administrator account on the laptop
computer.
• The executable file for the program Go To My PC, which allows remote access to other
computers, was discovered under the Administrator account on the laptop computer.
• Several web page (.htm) files were discovered that showed emails associated with
melongo_Annabel@yahoo.com and what appears to be Annabel Melongo’s Roosevelt
University email account that contain references to different individuals with Save A Life
Foundation. Please see the forensic report for more detailed information. These pages
can also be viewed separately and can be found in the folder named “Email”.
• One Word document was discovered that contained the name “Saquan Gholar”.
• Connection information for “scantron” was discovered shown in a java script page contained
within a folder named "new version", located on a USB thumbdrive.
• A URL was discovered for http://70.236.105.150 that was titled Scantron System.
• A URL was discovered for http://70.142.251.241 that was titled SALF Scantron System.
• Several different files that appear to relate to ID cards for various SALF employees were
discovered. This information was found in a folder on a USB thumbdrive named "TMP".
• Several images that appear to be parts of a website associated with Save A Life Foundation
were discovered. These images were found in a folder named "IMAGES", which was
located on a USB thumbdrive.
• Several different files were discovered that appear to be database items from Save A Life
Foundation.
• Several images, documents and one web page were discovered that contain information
relating to ownership/control and/or dominion over the data.
• The Recycle Bin report is also included that shows files that were contained in the recycle
bin before it was emptied.

The Media Report can be found here and it contains information pertaining to the evidence that
was turned over to our lab for analysis.

The Duplicate Digital Evidence (DDE), created on CD, will remain in the ESR until termination
of this investigation. The DDE created on the forensic computer hard drive will be erased in
preparation for future unrelated examinations.

The original evidence is to be returned to Detective Martin for retention.

Appendix A

Appendix B

Reporting Examiner: Shahna G. Monge, EnCE


Senior Computer Evidence Recovery Technician
Office of the Illinois Attorney General – High Tech Crime Bureau
188 W. Randolph, Chicago, IL

APPENDIX A – FORENSIC TERMINOLOGY

The following is utilized throughout reports prepared by Computer Evidence Recovery Technicians in the
High Tech Crimes Bureau at the Illinois Attorney General’s Office.

Terminology is provided via:

♦ Industry Standard
♦ IACIS - International Association of Computer Investigative Specialists
♦ Training and Education
♦ SafeBack Software, Sydex, Inc.
♦ Expert Witness, Forensic Software, ASRDATA
♦ EnCase Forensic Software, Guidance Software, Inc.

ROM

• Read Only Memory. Chips that contain a permanent program that is "burned in" at the factory and
maintained when the power to the computer is turned off. As its name implies, the information on
the chips can only be read and not written to (i.e. Your computer cannot store information in these
chips). They usually contain small programs and data that are needed to boot the computer.

RAM

• Random Access Memory. Each computer has a certain amount of volatile read/write memory
locations whose contents are lost when the power is turned off. The operating system, programs
and drivers are all loaded into RAM at the same time.

BIOS

• The Basic Input Output System of a PC. This is usually a number of machine code routines that
are stored in ROM and available for execution at boot time. The "boot strap loader" is contained in
ROM and is the first code to execute when the computer is turned on. The BIOS contains
commands for reading the physical disks sector by sector.

Physical Disk

• The terms "volume", "drive" and "disk" are often used interchangeably, "disk", "disk drive" and
"drive" refer to a physical device while "volume" refers to a logical device. A physical disk is an
actual piece of hardware that you can hold in your hand. It could be a floppy disk, hard disk, Zip
Disk or any other piece of physical media.

Logical Volume

• A logical volume is a concept, not a physical device. Early PC disks contained only one volume
(e.g. "C"). As drives grew larger, it became convenient to partition a single physical drive into a
set of logical "volumes". Each volume consists of an area on a physical disk drive that DOS or
Windows treats as a separate "disk drive". There can be any number (up to 24, as in C-Z) of these
logical volumes on a physical disk and they show up as drive "C", "D", "E" in DOS.

Drive Geometry

• A physical drive is usually composed of any number of rapidly rotating platters with a set of
read/write heads for each side of each platter. Each platter is divided into a series of concentric
rings called tracks. Each track is further divided into sectors. Each sector is then divided into
bytes. The number and position of these structures is referred to as the drive geometry.

Track

• Each platter on a disk is divided into thin concentric bands called Tracks. There is no physical
structure associated with a track. Tracks are established when the disk is low level formatted.
Tracks are numbered sequentially starting with track 0 on the outermost part of the platter, moving
inwards.

Head

• There is one head for every side of every platter in a disk drive. They ride very close to the surface
of the platter and allow information to be read from and written to the platter. The heads are
attached to an arm, which is in turn attached to a head stack assembly. Normally, all heads move
together and are positioned on the same logical track together. Heads are numbered sequentially
from zero.

Cylinder

• A cylinder, like a track, is a logical term and does not refer to a physical piece of hardware. In
other words, you can't open a disk drive cover and see the "cylinders". A cylinder refers to the set
of tracks on every side of every platter that are at the same head position, as if an actual cylindrical
cross-section had been taken out of the whole drive. If a drive contains 4 heads, a cylinder refers to
all the information that is available to all the heads while on a single track.

Sector

• A sector is a group of bytes within a track and is the smallest group of bytes that can be addressed
on a drive. There are normally tens or hundreds of sectors within each track. The number of bytes
in a sector can vary, but it is almost always 512 on drives built in the U.S. Sectors are numbered
sequentially within a track, starting at 1. The numbering restarts on every track, so that "track 0,
sector 1" and "track 5, sector 1" refer to different sectors.

Absolute Sectors

• Early disk drives would contain a known number of cylinders, heads and sectors and these
numbers would refer to actual hardware present in the drive. The BIOS would address the disk
controller directly and translate absolute sector numbers into C-H-S before writing to or reading
from the disk. As disk capacities increased to unforeseen sizes, manufacturers and software
developers were forced to change the stated number of cylinders, heads and sectors in order to
trick the BIOS into addressing the additional space.

Boot Sector

• The very first sector of a physical disk (absolute sector 0) is called the boot sector. It contains
machine code to enable the computer to find the partition table and the operating system. One of
the first things a computer does when it starts up is to load this code into memory and execute it.
This "boot code" has a very simple task. Its job is to read the partition table at the end of sector 0
and decide how the disk is laid out, and which partition contains the bootable operating system.

Partition Table

• The partition table describes every logical volume on a disk, its location on the disk, and whether
or not the partition is bootable. Only one partition can be "bootable" at a time. This is indicated by
a single byte in the partition table. In fact, the entire logical layout of the disk is determined by
about 100 bytes of information. The boot code determines which logical volume is the "boot
volume" and reads the first sector of that partition. The first sector of each partition is therefore
called the "Partition Boot Sector".

Partition Waste Space

• After the boot sector of a partition, it is customary to skip the rest of the track and start the volume
on the next track. This results in tens or even hundreds of sectors going to waste. However, since
this area is inaccessible to all but low-level disk viewers, it can contain hidden information.

Partition Boot Sector

• The first sector of every partition is itself a boot sector with another partition table. This table has
a duplicate copy of the partition entry for that volume that contains a sector offset into the current
partition where the logical volume begins. The first sector of the volume is called the partition
boot sector. It contains code that is different from the boot sector code described earlier. The job
of the partition boot code is to find a file in the root directory (io.sys in the case of DOS) which is
then loaded and run to continue the boot process at a higher level.
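
The Boot Sector, Partition Table and Partition Waste Space entries above describe a layout that can be read directly from absolute sector 0. The following is an added example, not part of the original report or of any tool it names: it decodes the four 16-byte table entries, checks the single "bootable" byte, and lists the sector ranges that no partition covers. The sample sector, the type-code table and all function names are constructed for illustration.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446                 # the partition table sits at the end of sector 0
ENTRY_SIZE, ENTRY_COUNT = 16, 4
# A few well-known partition type codes (not an exhaustive list).
TYPE_NAMES = {0x01: "FAT12", 0x06: "FAT16", 0x07: "NTFS",
              0x0B: "FAT32", 0x0C: "FAT32 (LBA)"}


def parse_partition_table(sector0):
    """Return the used entries of the partition table in absolute sector 0."""
    if len(sector0) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("boot signature 55 AA missing: not a valid boot sector")
    parts = []
    for slot in range(ENTRY_COUNT):
        begin = TABLE_OFFSET + slot * ENTRY_SIZE
        raw = sector0[begin:begin + ENTRY_SIZE]
        flag, ptype = raw[0], raw[4]
        start, count = struct.unpack_from("<II", raw, 8)   # absolute start, length
        if ptype == 0x00:
            continue                                       # unused slot
        if flag not in (0x00, 0x80):
            raise ValueError(f"slot {slot}: invalid boot flag {flag:#04x}")
        parts.append({"slot": slot, "bootable": flag == 0x80,
                      "type": TYPE_NAMES.get(ptype, f"type {ptype:#04x}"),
                      "start": start, "sectors": count})
    if sum(p["bootable"] for p in parts) > 1:
        raise ValueError("more than one partition is flagged bootable")
    return parts


def unpartitioned_gaps(parts, disk_sectors):
    """Sector ranges (first, last) that belong to no partition.

    The gap right after sector 0 is the rest of the first track that is
    customarily skipped; such areas are invisible to the file system and
    have to be examined on the raw image.
    """
    gaps, cursor = [], 1                                   # sector 0 is the boot sector
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["start"] + p["sectors"])
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors - 1))
    return gaps


def build_sample_sector0():
    """Constructed boot sector: two partitions on a 409,600-sector disk (not case data)."""
    entries = [
        # boot flag, CHS start (zeroed), type, CHS end (zeroed), start sector, sector count
        struct.pack("<B3sB3sII", 0x80, bytes(3), 0x06, bytes(3), 63, 204737),
        struct.pack("<B3sB3sII", 0x00, bytes(3), 0x0B, bytes(3), 204800, 200000),
    ]
    table = b"".join(entries).ljust(ENTRY_SIZE * ENTRY_COUNT, b"\x00")
    return bytes(TABLE_OFFSET) + table + b"\x55\xaa"


if __name__ == "__main__":
    partitions = parse_partition_table(build_sample_sector0())
    for p in partitions:
        print(p)
    for first, last in unpartitioned_gaps(partitions, 409600):
        print(f"sectors {first}-{last} are outside every partition")
```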

Evidence File

• Each file is an exact, sector by sector, copy of a floppy, hard disk or other media. When the file is
created the user inputs information relevant to the investigation and this file is then archived inside
the Evidence File along with the contents of the disk. Every byte of the file is verified using a 32
bit CRC.

Cyclical Redundancy Check (CRC)

• Each Disk Image File (Evidence File) is encrypted and CRC-checked. The integrity of the file is
verified and occurs as the Image File is read. Forensic Programs utilized will not process any
Image File in which the Integrity is not verified and confirmed, using the below Polynomial
computations which confirm the file has not been altered:

• 16-bit CRC – Polynomial: x^16 + x^15 + x^2 + x^1

• 32-bit CRC – Polynomial: x^32 + x^26 + x^23 + x^22 + x^16 + x^12 + x^11 + x^10 + x^8 + x^7 + x^5 + x^4 + x^2 + x + 1
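
How a 32-bit CRC built from the polynomial above detects an altered block on read, as an added example that is not part of the original report and not the code of any forensic product. Assumptions: the glossary gives only the polynomial, so the bit order, initial value and final XOR used here are those of zlib's crc32; the block size, the sample image and the function names are constructed for illustration.

```python
import zlib

# Exponents of the 32-bit polynomial as listed in the glossary entry above.
CRC32_TERMS = (32, 26, 23, 22, 16, 12, 11, 10, 8, 7, 5, 4, 2, 1, 0)
BLOCK_SIZE = 4096            # assumed block size for this example


def poly_from_terms(terms, width=32):
    """Integer form of the polynomial; the x^width term is implicit and dropped."""
    return sum(1 << exponent for exponent in terms if exponent < width)


def reflect(value, bits):
    """Reverse the bit order of a `bits`-wide integer."""
    out = 0
    for _ in range(bits):
        out = (out << 1) | (value & 1)
        value >>= 1
    return out


def crc32_bitwise(data, poly=None):
    """Bit-by-bit CRC-32 (zlib parameterisation: reflected, init/final XOR all ones)."""
    if poly is None:
        poly = poly_from_terms(CRC32_TERMS)
    rpoly = reflect(poly, 32)
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ rpoly if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def seal(image, block_size=BLOCK_SIZE):
    """Acquisition side: split the image into blocks and store a CRC beside each."""
    return [(image[i:i + block_size], zlib.crc32(image[i:i + block_size]))
            for i in range(0, len(image), block_size)]


def failed_blocks(sealed):
    """Read side: recompute every block's CRC and return the indices that differ."""
    return [index for index, (block, stored) in enumerate(sealed)
            if crc32_bitwise(block) != stored]


def tamper(sealed, block_index, byte_index):
    """Flip one bit in one block while leaving its stored CRC untouched."""
    block, stored = sealed[block_index]
    changed = bytearray(block)
    changed[byte_index] ^= 0x01
    out = list(sealed)
    out[block_index] = (bytes(changed), stored)
    return out


if __name__ == "__main__":
    image = bytes(range(256)) * 64               # constructed 16 KiB "image"
    sealed = seal(image)
    print(f"polynomial = {poly_from_terms(CRC32_TERMS):#010x}")
    print("intact image, failing blocks:", failed_blocks(sealed))
    print("one flipped bit, failing blocks:", failed_blocks(tamper(sealed, 2, 100)))
```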

Compression

• Compression algorithm to achieve an average of 50% size reduction. If most of the disk is unused,
the compression ratio can be much higher. Compression NEVER has any effect on the final
evidence, and compressed blocks are checked for validity in the same way as uncompressed ones.

File Allocation Table (FAT)

• The FAT is an array of numbers that sits near the beginning of a DOS volume. These numbers can
be 1½ bytes (12 bits), 2 bytes (16 bits) or 4 bytes (32 bits) long depending on the size of the
volume. This is why volumes are sometimes referred to as FAT12, FAT16 or FAT32.

• Each entry in the FAT corresponds directly to one cluster and there is always one FAT entry for
every cluster. Each entry is either a code indicating that the cluster is free, the cluster is bad or that
this is the last cluster in a file. If it is not one of these codes, then the number refers to the next
cluster in the chain belonging to a file. The first cluster in the chain for a file, is recorded in the
directory entry for that file.

• The FAT is therefore a one way linked list of clusters for every file in a volume.

Cluster

• A cluster is a group of sectors in a logical volume that is used to store files and directory entries.
Because DOS maintains information about each cluster in the FAT and the FAT must be relatively
small, clusters usually contain more than one sector so that total number of clusters is manageable
and space is used more efficiently on the volume. Clusters must contain a number of sectors that is
a power of 2 (i.e. 2, 4, 8, 16, etc…)

Directory Entries

• A directory is treated just like a file on FAT volumes. Each directory contains a starting cluster
and can be expanded or contracted as files are added or removed from the directory. Each file in
the directory is represented by a 32 byte entry in a table. In other words, the contents of a directory
“file” are an array of records containing information about the files in the directory. Each entry in
the directory can be either a file or another directory. In this way, a "tree" structure can be built.
• A 32-byte entry contains enough space for an 8.3 character file name. Windows 95 implements
long file names by chaining together a number of entries and using the space to store the
additional characters in the file name.

Root Directory

• On FAT12 and FAT16 volumes, the root directory resides at a fixed location on the drive and
contains a maximum number of entries that is determined when the volume is formatted. The
number of files and directories in the root directory of such a volume is limited, but the number
and size of all subdirectories is essentially unlimited, because they are treated like normal files and
can expand if space is available on the volume. On FAT32 volumes, the root directory is also
treated like a file and can contain any number of files or subdirectories.

Logical File Size

• Most operating systems, including DOS and Windows, keep track of the exact size of a file in
bytes. This is the logical size of the file and is the number that you see in the directory listing for a
file. This number is different from the physical file size (described below).

Physical File Size

• The physical size of a file is the amount of space that the file occupies on the disk. A file or
directory always occupies a whole number of clusters, even if it does not completely fill that
space. A file always takes at least one cluster, even if it is empty. Therefore, even if a file has a
logical size of only five bytes, its physical size is one cluster.

File Slack

• The space between the logical end and the physical end of file is called the file slack. An example
would be a 2-cluster file on a volume with 1024-byte clusters, which has a physical size of
2048 bytes. The logical end of file, in this example, comes before the physical end of the second
cluster. The remaining bytes are remnants of previous files or directories.

RAM Slack

• The space from the end of the file to the end of the containing sector is called RAM slack. Before
a sector is written to disk, it is stored in a buffer somewhere in RAM. If the buffer is only partially
filled with information before being committed to disk, remnants from the end of the buffer will
be written to disk. In this way, information that was never "saved" can be found in RAM Slack on
disk. This is not as big an issue, however, with Windows 98 2nd edition and NTFS.
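
The FAT, Directory Entries, Logical/Physical File Size, File Slack and RAM Slack entries above fit together as follows. This is an added example, not part of the original report: it decodes a 32-byte directory entry, follows the FAT's linked list of clusters, and carves the slack of the last cluster using the glossary's own case of a 2-cluster file with 1024-byte clusters. The FAT16 volume, its contents and all function names are constructed for illustration.

```python
import struct

SECTOR = 512                      # bytes per sector
CLUSTER = 2 * SECTOR              # constructed volume: 1024-byte clusters
EOC_MIN, BAD, FREE = 0xFFF8, 0xFFF7, 0x0000   # FAT16 codes: last cluster, bad, free


def parse_dir_entry(raw):
    """Decode the fields of one 32-byte FAT directory entry that are used below."""
    if len(raw) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    start_cluster, size = struct.unpack_from("<HI", raw, 26)
    deleted = raw[0] == 0xE5      # hex E5 in the first name byte marks a deleted file
    # A restored entry gets an examiner-chosen first character, here "_".
    stem = "_" + raw[1:8].decode("ascii") if deleted else raw[0:8].decode("ascii")
    return {"name": stem.rstrip() + "." + raw[8:11].decode("ascii").rstrip(),
            "deleted": deleted, "start_cluster": start_cluster, "size": size}


def cluster_chain(fat, start):
    """Follow the FAT's one-way linked list from a file's first cluster."""
    chain, current = [], start
    while True:
        if current < 2 or current >= len(fat):
            raise ValueError(f"cluster {current} is outside the FAT")
        if current in chain:
            raise ValueError(f"FAT chain loops back to cluster {current}")
        chain.append(current)
        nxt = fat[current]
        if nxt >= EOC_MIN:
            return chain
        if nxt in (FREE, BAD):
            raise ValueError(f"chain breaks after cluster {current} (next={nxt:#06x})")
        current = nxt


def slack_report(entry, fat, data_area):
    """Compare logical and physical size and carve the slack of the last cluster."""
    chain = cluster_chain(fat, entry["start_cluster"])
    logical, physical = entry["size"], len(chain) * CLUSTER
    if not physical - CLUSTER < logical <= physical:
        raise ValueError("logical size does not match the length of the chain")
    used_in_last = logical - (len(chain) - 1) * CLUSTER
    base = (chain[-1] - 2) * CLUSTER           # data clusters are numbered from 2
    sector_end = -(-logical // SECTOR) * SECTOR  # end of the sector holding the last byte
    return {"chain": chain, "logical": logical, "physical": physical,
            "ram_slack": sector_end - logical,      # logical end to end of that sector
            "file_slack": physical - logical,       # logical end to end of last cluster
            "slack_bytes": data_area[base + used_in_last:base + CLUSTER]}


def build_sample():
    """Constructed FAT16 fragment: a 1300-byte file stored in clusters 3 and 6."""
    fat = [0xFFF8, 0xFFFF] + [FREE] * 6        # entries 0 and 1 are reserved
    fat[3], fat[6] = 6, 0xFFFF
    data = bytearray(b"OLD-MEMO" * (6 * CLUSTER // 8))   # remnants in clusters 2..7
    content = b"A" * 1300
    data[1 * CLUSTER:2 * CLUSTER] = content[:CLUSTER]            # cluster 3
    data[4 * CLUSTER:4 * CLUSTER + 276] = content[CLUSTER:]      # start of cluster 6
    entry = b"REPORT  TXT" + b"\x20" + bytes(14) + struct.pack("<HI", 3, 1300)
    return entry, fat, bytes(data)


if __name__ == "__main__":
    raw_entry, fat, data_area = build_sample()
    report = slack_report(parse_dir_entry(raw_entry), fat, data_area)
    for key in ("chain", "logical", "physical", "ram_slack", "file_slack"):
        print(key, "=", report[key])
    print("slack begins with:", report["slack_bytes"][:20])
```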

America OnLine – AOL

• On line service provider, not to be confused with Internet Service Provider (ISP). Although an
AOL user can access the Internet via AOL, AOL is an On Line Service with its own Chat,
Messaging and Email service.

Internet Service Provider – ISP

• An Internet Service Provider is a direct link into the Internet using an assorted number of Internet
Browsers, including but not limited to Netscape, Internet Explorer, etc.

Message Digest 5 - MD5 Hash

• A “Digital Fingerprint” of the file's contents regardless of the file name, path or associated dates.
Odds of any two files having the same HASH value, but not being the same are:

o 2^128 or
o 1 in 340,282,366,920,938,463,463,374,607,431,768,211,456
o or 1 in 340 billion, billion, billion, billion

• Compared to fingerprints which are

• 1 in 6,400,000,000 (“Galton” Study) or
• 1 in 100,000,000,000,000,000 or 100 billion, billion (“Osterburg” Study)

Windows Swap File

• Microsoft Windows-based computer operating systems utilize a special file to write data when
additional random access memory is needed. In Windows, Windows 95 and Windows 98, these
are called Windows Swap Files. In Windows NT and Windows 2000 they are called Windows
Page Files but they have essentially the same characteristics as Windows Swap Files. Swap files
are potentially huge and most computer users are unaware of their existence. The size of these
files can range from 20 million bytes to over 200 million bytes and the potential exists for these
huge files to contain remnants of word processing, E-Mail messages, Internet browsing activity,
database entries and almost any other work that may have occurred during past Windows work
sessions. This situation creates a significant security problem because the potential exists for data
to be transparently stored within the Windows Swap File without the knowledge of the computer
user. This can occur even if the work product was stored on a computer network server. The result
is a significant computer security weakness that can be of benefit to the computer forensics
specialist. Windows Swap Files can actually provide the computer forensics specialist with
investigative leads that might not otherwise be discovered.

• Windows Swap Files are relied upon by Windows, Windows 95, and Windows 98 to create
"virtual memory"; i.e., using a portion of the hard disk drive for memory operations. The storage
area is important to the computer forensics specialist for the same reason that file slack and
unallocated space are important, i.e., large volumes of data exist for which the computer user
likely has no knowledge. Windows Swap Files can be temporary or permanent, depending on the
version of Windows involved and settings selected by the computer user. Permanent swap files are
of more interest to a computer forensics specialist because they normally store larger amounts of
information for much longer periods of time.

• Large permanent swap files can hold vast quantities of data and should be targeted early in the
examination by the computer forensics specialist to identify leads relative to past uses of the
subject computer.

• The permanent swap file in Windows 3.1 and some later versions is called 386SPART.PAR and it
typically has a system attribute, which makes it invisible to standard DOS or Windows programs.
The file usually can be found in the root directory of the drive designated in the Virtual Memory
dialog box. Another place to look is in the Windows subdirectory or the Windows\System
subdirectory.

• The permanent swap file in Windows 95 and Windows 98 is called WIN386.SWP. It is also
usually located in the root directory of the drive designated in the Virtual Memory dialog box. A
permanent swap file will not be found on most computers running Windows 95 or Windows 98. In
Windows 95 and Windows 98, the default is usually set for the swap file to be dynamic and it
shrinks and expands as necessary. When a dynamic swap file is involved, its file size is reduced to
zero and the file's content is released to unallocated space. Thus, the contents of the dynamic swap
file must be analyzed along with the other data stored in this space. This requires the use of
specialized computer forensics software tools to capture the data stored in the unallocated space,
which is normally associated with previously 'deleted' files.

• In Windows NT, the Windows Page File is named PAGEFILE.SYS and such files are treated as
permanent (static) swap files.

Permanent swap files can be viewed like any other file with software utilities.

APPENDIX B - Computer Forensic Examination Procedures

These procedures are established as the High Tech Crime Bureau, Forensic Computer Evidence Recovery
standards to ensure that competent, professional forensic examinations are conducted. These procedures are also
accepted as standard, and required by the International Association of Computer Investigative Specialists, IACIS.

It is acknowledged that almost all forensic examinations of computer media are different and that each
cannot be conducted in the exact same manner for numerous reasons, however there are four essential requirements
of a competent forensic examination. These are:

♦ Forensically sterile media must be used.
♦ The examination must maintain the integrity of the original media.
♦ Positive hardware / software control must be maintained for all attempts to write to the examined media.
♦ Printouts / exhibits resulting from the examination must be properly marked, controlled and transmitted.

The Computer Forensic Investigator or examiner must demonstrate and maintain the highest standards of
ethical conduct and therefore:

♦ Maintain the highest level of objectivity in all forensic examinations and accurately present the facts involved.
♦ Thoroughly examine and analyze the evidence in an investigation or case.
♦ Conduct examinations based upon established, validated principles.
♦ When applicable or required to render an opinion, do so having a basis that is demonstratively reasonable,
sound and based upon accurate level of training, experience or other factual basis.
♦ Not withhold any findings, whether inculpatory or exculpatory, that would cause the facts of an investigation or
case to be misrepresented or distorted.
♦ Never misrepresent credentials, education, training, and experience or membership status.

Further it is understood that in many instances a completed examination of all the data may not be
authorized, possible, necessary or conducted for various reasons. These should be documented as such. Examples of
limited examinations are as follows:

♦ Scope limited by Search Warrant
♦ Examination must be made on scene, without seizing equipment or media
♦ Media size is vast, such as a network server, etc.
♦ Weight of evidence already recovered is so overwhelming, making further searching and processing
unnecessary.
♦ Due to hardware, software, operating system or other reason beyond examiner's control.

The following are recommended procedures for conducting a complete examination of computer media,
dependent upon type of media examined. (Hard Disk Drive (HDD) / Removable Media, etc.):

1. Forensically sterile recovery conditions. All control media utilized during the examination is to be freshly
prepared, completely wiped of non-essential data, and while not normally required, should be consistent to
procedures regarding destruction of data pursuant to:

Department of Defense Directive #5020.22 (22-M and related supplements)


DOD Industrial Security Program
Dated December 8, 1980

Scanned for viruses and verified before use.

2. All forensic software utilized is licensed to, or authorized for use by, the examiner and/or agency.
3. The original computer is physically examined. A specific description of the hardware is made and noted, along
with anything unusual found during the physical examination.
4. Hardware / software precautions are taken during the examination to prevent the transference of viruses,
destructive programs, or other inadvertent writes to/from the examined media and other media used for the
examination.
5. The contents of the CMOS, as well as the internal clock are checked and the correctness of the date and time
is noted.
6. A duplicate image (Bit Stream, Sector by Sector, Etc.) of the original media is made. The duplicate image is
used for the actual examination. A detailed description of the process and identification of the hardware,
software and media is documented, and retained as Work Product / Processing Procedures (may be exempt as
"Investigative Procedures" from Freedom of Information requests)
7. The copy of the original HDD is logically examined and a description of what was found or observed is
documented.
8. The boot record data, and user defined system configuration and operation command files are examined and
findings documented.
9. All recoverable deleted files are restored. The first character of the restored files is changed from the system
standard of a HEX E5 to an Examiner unique character, such as "_", for identification and evidence purposes.
10. A listing of all the files contained on the examined media, whether they contain potential evidence or not, is
made.
11. Unallocated space is examined for lost or hidden data.
12. Slack area of user data files in the root directory and each sub-directory (if present) is examined.
13. The contents of each user data file in the root directory and each sub-directory (if present) are examined.
14. Password protected files are defeated (when possible), unlocked and examined.
15. Printouts of all apparent evidentiary data, along with file information, location and other information relevant
to the data and its recovery. All exhibits in which Child Pornography or other contraband material is present
are to be properly marked, secured and transmitted as required.
16. Executable programs of specific interest should be examined. User data files that could not be accessed by
other means are examined at this time.
17. Document comments and findings.
