
Digital Forensics Analysis Report

Prepared for the Texas City Police Department

This is a fictional report. All information contained herein has been invented to illustrate the
format and content of an actual report. Because the substantiating evidence is not true, neither
are the conclusions and recommendations made at the conclusion.

July 10, 2017

Prepared by Marc Leeka


Confidential Information

Revision Summary

Date        Revision    History Comments
07/05/2017  1.0         Original final draft
07/10/2017  1.1         Timeline evidence appended pp 12-13
CSOL 590 Module 7 Assignment: Fictional Evidentiary Report Marc Leeka

Table of Contents

Executive summary ........ ii
Introduction ........ 1
Instructions ........ 1
Evidence Acquisition ........ 2
    Table 1: Evidence storage media inventory ........ 2
Evidence Collection Procedure ........ 2
    Table 2: Evidence storage device hash value information ........ 3
Analysis ........ 3
    Figure 1: Google email access from subject's computer ........ 4
    Figure 2: bfine98@gmail.com email access from subject's computer ........ 4
    Figure 3: Partial Internet browser image recovered from subject's computer ........ 5
    Table 3: Facebook web browsing artifacts recovered from subject's computer ........ 5
    Figure 4: Internet browser URLs recovered from subject's cellular telephone ........ 6
    Figure 5: Internet image URLs recovered from subject's cellular telephone ........ 7
    Figure 6: Internet image creation detail from subject's cellular telephone ........ 7
    Figure 7: Text messaging detail recovered from subject's cellular telephone ........ 8
    Table 4: Text messaging detail recovered from subject's cellular telephone (partial) ........ 8
Conclusions ........ 9
Appendix A: Education and Professional Qualifications ........ 10
Appendix B: Software tools utilized for collection and examination ........ 10
Appendix C: Detail summary of anonymous cell phone messages ........ 11
Appendix D: 6-month Timeline of anonymous text messages and harassing pictures ........ 12
Appendix E: 30-day Timeline of anonymous text messages and harassing pictures ........ 14
References ........ 11


Executive Summary

The examination found direct and compelling digital forensic evidence that Brandy Vela had
been harassed and cyberbullied.

Vela's home computer contained a Facebook image composed of her altered picture and her
personal cellular telephone number with an invitation to call at any time.

Vela's cell phone contained internet images composed of an unknown naked woman and
Vela's personal cellular telephone number and an invitation to call at any time.

Vela's cell phone contained anonymous text messages of a bullying and harassing nature.

The social media pictures and text messages were consistent with the time of Vela's request
of police and school authorities to help find the perpetrators responsible for the harassment.


Introduction
On November 29, 2016, 18-year-old Brandy Vela of Texas City, Texas, committed suicide. Vela
shot herself in the chest in front of her family members after receiving abusive text messages
about her weight. (Russell, 2016)

The family reported that someone set up fake social media accounts containing pictures of
Brandy Vela offering sexual acts. Viewers posted negative comments and Vela was harassed
with telephone calls and text messages. Officials from the Texas City Independent School
District tried to track those responsible for harassing Vela but were unsuccessful. Vela changed
her phone number and filed a report with police about the bogus accounts but the bullying
persisted.

The Texas City Police Department has opened a criminal investigation to determine whether she
was the victim of cyberbullying.

Instructions
Marc Leeka was hired by the Texas City Police Department to conduct a computer forensics
analysis of Vela's home computer and Vela's cellular telephone.

The Texas City Police Department directed Leeka to examine the computer and cellphone and
report any evidence of communications to the victim that can be described as harassment or
cyberbullying.

Texas Penal Code 42.07 defines harassment as when someone does any of the following to
another (Theoharis):
- intentionally communicates an obscene proposal, or
- threatens, or
- makes a call or sends a message designed to harass, annoy, alarm, embarrass, or torment.

Texas Penal Code 33.07 makes it either a felony or a misdemeanor to commit the crime of online
impersonation by acting with intent to harm, defraud, or intimidate by:
- creating a page on a website, or
- sending messages in the guise of someone else without that person's permission.

Texas Educational Code 37.218 defines cyberbullying as a person using any electronic
communication device to engage in bullying or intimidation.

The scope of our analysis did not include:
- providing an opinion on the chain of custody prior to receipt of the source materials by Leeka,
  or after the materials had been returned to police custody after examination;
- first-person interviews with family members to determine ownership and usage patterns of
  the evidence (the Texas City Police Department provided statements from family members
  taken at the crime scene on November 29);
- determination of ownership of the social media accounts that posted images of the subject,
  Vela;
- authentication of Brandy Vela images.

Evidence Acquisition
I employed industry-standard tools and procedures throughout the handling, processing and
analysis of the evidence.

I was given access to two electronic devices at the Texas City police department premises on
Wednesday, November 30, 2016, at 9:35am. The original property bag tamperproof seals were
unbroken when I received the items in the presence of Corporal Neal Mora. Corporal Mora
accompanied me to an office in the building and was present for the entire duration of my data
preservation process.

A chain of custody was established upon acquiring and opening the two property evidence bags.
I recorded the model and serial number of the computer and the cellphone. I removed the hard
drive from the computer and recorded the model and serial number. The computer and hard drive
serial numbers matched the property evidence record. (Merrill, 2015)

I opened the Faraday bag that contained the Samsung cellular telephone and recorded the model,
serial number and the IMEI code. The cellphone and IMEI serial numbers I recorded matched
the property evidence record. The Samsung phone remained in the Faraday bag for the entirety
of my acquisition procedure.

Device Make/Model                        Device Serial Number    Description                Capacity        Device Name
Samsung Galaxy Note II model SGH-T889    RV1D86934PA             Cellular telephone,        SD chip 16GB    SGH-T889
                                                                 IMEI 354340055456844
Dell Vostro 220 computer                 service tag 3W7SML1
Western Digital hard drive WD1600BEVT    WXF1A4081159                                       160GB           OS
Table 1: Evidence storage media inventory

Evidence Collection Procedure


I examined the computer hard drive first. I attached a FastBloc Field Edition Write-Blocking
Device to the computer hard drive. NIST has certified the product as forensically valid. I
connected the FastBloc to a Paraben Mobile Field Kit running software version 4.30 to create a
raw DD image of the evidence onto a previously wiped hard drive. (Paraben, 2015) The image
was verified by its hash value. A working copy of the original drive was then created using FTK
Imager version 3.4.3 onto a different previously wiped hard drive. The image was verified by its
hash value and that value precisely matched the value generated independently by the Paraben
Mobile Field Kit. All subsequent analysis was performed on the working copy forensic image,
not on the original media or the original forensic image acquisition.
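The two-tool cross-check described above (one tool computes the image hash, a second computes it independently, and the examiner compares the values) can be reproduced with a short script. The following is an added example written for this page; it is not the report's own tooling or any Paraben or FTK code. It streams the image through MD5 and SHA1 in one pass, normalises a recorded value that may have been copied from a worksheet (whitespace, wrapped lines, upper-case hex) before comparing, and flags a malformed recorded value separately from a mismatch. The bytes written in `demo()` are constructed sample data, not evidence from the case.

```python
"""Verify a forensic image against hash values recorded by an independent tool.

Added example (not the report's own tooling). The bytes written by demo() are
constructed sample data, not case evidence.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-GB image never has to fit in RAM


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA1 hex digests of an in-memory byte string (the 'second tool' here)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def hash_file(path: str) -> dict:
    """Stream a file through MD5 and SHA1 simultaneously: one pass over the image."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def normalize(value: str) -> str:
    """Canonicalise a hash as copied from a worksheet: drop all whitespace (a SHA1
    wrapped onto two lines) and lower-case the hex digits."""
    return "".join(value.split()).lower()


def verify(computed: dict, recorded: dict) -> dict:
    """Compare computed digests with recorded ones, per algorithm.
    A recorded value of the wrong length is reported as 'malformed' rather than
    silently counted as a mismatch, since that usually means a transcription error."""
    expected_len = {"md5": 32, "sha1": 40}
    report = {}
    for algo, recorded_value in recorded.items():
        rec = normalize(recorded_value)
        if len(rec) != expected_len[algo]:
            report[algo] = "malformed"
        elif rec == computed[algo]:
            report[algo] = "match"
        else:
            report[algo] = "MISMATCH"
    return report


def all_verified(report: dict) -> bool:
    """True only when every algorithm that was checked matched."""
    return bool(report) and all(v == "match" for v in report.values())


def demo() -> dict:
    """Write constructed sample bytes to a temporary file and verify the file's
    digests against values computed in memory, simulating the second-tool check."""
    data = b"abc"  # constructed sample content, not case data
    fd, path = tempfile.mkstemp(suffix=".dd")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return verify(hash_file(path), hash_bytes(data))
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

In practice the recorded values come from the acquisition tool's log and `hash_file` is run over the working copy; a `MISMATCH` on either algorithm means the copy must not be used for analysis.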

I examined the Samsung cellphone in the Faraday bag next. I attached the appropriate SAM-1
adapter cable from my Paraben Mobile Field Kit to the cellphone and powered on the cellphone.
The Samsung cellular telephone was secured with a numeric passcode. The subject's parents
provided the passcode to the police officer when the telephone was taken: 0918. I used Paraben
Device Seizure software version 6.80.5420.20132 to make a complete image of the mobile phone
logical and physical memory consisting of the flash memory, the SD memory chip and the SIM
card onto the previously wiped hard drive. Without powering off the cellphone, I made a
working copy using the same software.

Because this was an Android device, my mobile kit made three configuration settings (i.e.,
unlock the file system) to the phone required to extract the information. I made no other changes
to the cellphone configuration. (Fisher, 2017)

Device                                                      MD5 Hash Value                      SHA1 Hash Value
\\.\PHYSICALDRIVE1\Partition 1 [156MB]\OS [NTFS]\[root]\    29691d4f8c7ac395dc9edc4eabf6a7e9    614de66f118e81fb77b6a82af8a14ba91072e91f
\\.\PHYSICALDRIVE1\Partition 1 [15.62MB]\SGH-T889\[root]\   fbccf14d504b7b2dbcb5a5bda75bd93b    d59fc84cdd5217c6cf74785703655f78da6b582b
Table 2: Evidence storage device hash value information

I completed my work at 12:50pm. Corporal Mora and I returned to the property evidence room,
where the items were resealed, the paperwork was completed, and the items were checked back
into custody. The hard drive and cell phone images were analyzed later at my office.

Analysis
Computer Workstation Analysis

After reviewing the Texas City Police Department employment agreement and documentation, I
was satisfied that I had legal authorization to review the computer contents. The father granted
written permission to review the computer and cellphone. The subject was 18-years-old at the
time of her death. The father stated that he was not aware that the subject owned another
computer, cellular telephone or other electronic devices that might contain important evidence.

I used EnCase Forensic software version 8.05 to analyze the computer hard drive. The subject's
Dell Vostro 220 computer contained the Microsoft Windows 7 Home Edition operating system. The
computer contained one user profile, named "owner", and no password was required to log
into the profile. The computer was not encrypted. The computer system log showed that it had
been powered off at 9:35am on November 29, 2016, and had not been powered on thereafter.

The shutdown log time entry was consistent with the father's statement that the subject sent an
email to the family at 8:47am stating that she would kill herself.

Analysis of the internet browser files, including deleted browser files, showed activity almost
every day for the last six months.

Figure 1: Google email access from subject's computer

The subject's computer contained extensive Google.com web browser data. The subject's father
told the investigating detectives that the subject had reported harassment since April 2016. The
subject's father told the investigating detectives that he believed the subject had only one email
address: bfine98@gmail.com. The web address history would be consistent with someone who
visited Google.com often to view their email.

There was also extensive Facebook.com web browser data. The subject had a Facebook account
and her father said she updated it regularly and visited her friends' Facebook pages. The web
address history would be consistent with someone who visited Facebook.com often.

Figure 2: bfine98@gmail.com email access from subject's computer

A search of the computer showed extensive use of the email address bfine98@gmail.com. There
was no other email address that appeared with significant frequency. A word search of the email
contents, including deleted messages, did not find any pattern of sent or received messages that
appeared to be of a bullying nature or abusive.

Figure 3: Partial Internet browser image recovered from subject's computer

A search for deleted graphic images found thousands of generic Internet website gifs and jpgs
that are automatically saved when the computer connects to a website. We recovered one deleted
image that showed the subject's face and the message "DYW2 party with a fat chick hungry for
us" followed by the subject's cellular telephone number. (Figure 3) The image was a
horizontally-stretched copy of the subject's Facebook home page picture with an overlaid
message. The file date stamp was October 2, 2016, at 17:16:41. The subject's parents had
reported an offensive social media graphic to the Texas City police and to her high school
administration staff in October 2016.

We filtered a search for files, including deleted files, that included the word "facebook" and
produced an extensive list. Facebook pages identify authors and how the viewer arrived at the
page. We produced a list of Facebook pages visited that can be used to identify the Facebook
authors who posted bullying images of the subject. We were also able to narrow the Facebook
pages to the date the offensive graphic image was viewed.

Facebook URL                                                                Date
https://www.facebook.com/profile.php?id=100014149719064&hc_ref=NEWSFEED     Nov 26, 2017
https://www.facebook.com/sandra.swanson?hc_ref=NEWSFEED&fref=nf             Nov 25, 2017
https://www.facebook.com/adeline.swanson                                    Nov 15, 2017
https://www.facebook.com/profile.php?id=100014149719064&hc_ref=PHOTO        Nov 5, 2017
https://www.facebook.com/adeline.swanson                                    Nov 4, 2017
https://www.facebook.com/mary.vela                                          Oct 22, 2017
https://www.facebook.com/profile.php?id=114309929719064&hc_ref=PHOTO        Oct 2, 2017
Table 3: Facebook web browsing artifacts recovered from subject's computer (partial)
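The report says Facebook URLs identify the account that owns a page and (through the `hc_ref` parameter) how the viewer arrived there, and that the list was narrowed to the date the offensive graphic was viewed. The script below is an added example, not part of the report or of any EnCase workflow: it turns rows of the form shown in Table 3 into one record per account (numeric `profile.php?id=` value or vanity username) with visit count, first/last seen dates and the referrer hints observed, and filters visits to a window around a date of interest. The sample rows reproduce the (fictional) Table 3 entries, one of them with a stray space inserted to simulate whitespace picked up when copying from a wrapped table; the three-day window is an assumption.

```python
"""Extract account identifiers from Facebook browsing artifacts.

Added example, not part of the report. SAMPLE_ROWS mirrors the report's fictional
Table 3; the date window used in the demo is an assumption.
"""
from datetime import date, datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed input in the form of Table 3 (URL, date). One row carries a stray
# space after "facebook.com/" to simulate whitespace introduced by copying from a
# wrapped table; parse_artifact() repairs it.
SAMPLE_ROWS = [
    ("https://www.facebook.com/profile.php?id=100014149719064&hc_ref=NEWSFEED", "Nov 26, 2017"),
    ("https://www.facebook.com/sandra.swanson?hc_ref=NEWSFEED&fref=nf", "Nov 25, 2017"),
    ("https://www.facebook.com/adeline.swanson", "Nov 15, 2017"),
    ("https://www.facebook.com/ profile.php?id=100014149719064&hc_ref=PHOTO", "Nov 5, 2017"),
    ("https://www.facebook.com/adeline.swanson", "Nov 4, 2017"),
    ("https://www.facebook.com/mary.vela", "Oct 22, 2017"),
    ("https://www.facebook.com/profile.php?id=114309929719064&hc_ref=PHOTO", "Oct 2, 2017"),
]

# First path segments that are site features rather than account names.
NON_ACCOUNT_PATHS = {"", "profile.php", "photo.php", "home.php", "login.php"}


def parse_artifact(url: str) -> dict:
    """Return {'account', 'kind', 'ref'} for one history URL.
    kind is 'id' for profile.php?id=N, 'username' for /name, else 'other'."""
    parts = urlsplit(url.replace(" ", ""))  # repair whitespace from copy/paste
    query = parse_qs(parts.query)
    ref = query.get("hc_ref", [None])[0]  # how the viewer reached the page
    segments = [s for s in parts.path.split("/") if s]
    if segments and segments[0] == "profile.php" and "id" in query:
        return {"account": query["id"][0], "kind": "id", "ref": ref}
    if segments and segments[0] not in NON_ACCOUNT_PATHS:
        return {"account": segments[0], "kind": "username", "ref": ref}
    return {"account": None, "kind": "other", "ref": ref}


def parse_date(text: str) -> date:
    """Parse the 'Mon D, YYYY' form used in the table."""
    return datetime.strptime(text, "%b %d, %Y").date()


def account_summary(rows) -> dict:
    """Collapse rows into one record per account: visits, first/last seen, refs seen."""
    summary = {}
    for url, when in rows:
        art = parse_artifact(url)
        if art["account"] is None:
            continue
        d = parse_date(when)
        rec = summary.setdefault(art["account"], {"kind": art["kind"], "visits": 0,
                                                  "first": d, "last": d, "refs": set()})
        rec["visits"] += 1
        rec["first"] = min(rec["first"], d)
        rec["last"] = max(rec["last"], d)
        if art["ref"]:
            rec["refs"].add(art["ref"])
    return summary


def visits_near(rows, anchor: date, days: int) -> list:
    """Account visits within +/- days of an anchor date (e.g. the file date of the
    doctored image), as (iso_date, account, ref) tuples in chronological order."""
    lo, hi = anchor - timedelta(days=days), anchor + timedelta(days=days)
    hits = []
    for url, when in rows:
        d = parse_date(when)
        art = parse_artifact(url)
        if lo <= d <= hi and art["account"]:
            hits.append((d.isoformat(), art["account"], art["ref"]))
    return sorted(hits)


if __name__ == "__main__":
    for acct, rec in account_summary(SAMPLE_ROWS).items():
        print(acct, rec)
    print(visits_near(SAMPLE_ROWS, parse_date("Oct 2, 2017"), 3))
```

The resulting account list is what an examiner would hand to the platform with a records request; a numeric id is preferable to a username because usernames can be changed while the id persists.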

We did not find any unusual software applications installed on the computer. A scan of the
computer was negative for viruses, malware or remote control agents. Because my analysis and
findings were required immediately and I was limited to 24 hours, I did not scan the computer
for information that the subject could have hidden by using anti-forensic techniques. The subject
was an 18-year-old female and her father told detectives that her computer skills were average.
Furthermore, the subject was not accused of any criminal activity. There was no indication that
further inspection would have found additional information.

Cellular Telephone Analysis

We used Paraben Device Seizure software version 6.80.5420.20132 to analyze the cellular
telephone logical and physical image. The subject's cellphone contained the Android version 4.1
operating system.

Figure 4: Internet browser URLs recovered from subject's cellular telephone

The subject's cellular telephone contained extensive Facebook.com web browser data, consistent
with her home computer.

A search for deleted graphic images found hundreds of generic Internet website gifs and jpgs that
are automatically saved when the device connects to a website. The subject's cellular
telephone has a smaller memory capacity than her home computer, and the Android operating
system manages the internet cache more aggressively than Microsoft Windows; therefore we
recovered fewer image files and the oldest images were permanently unrecoverable.

Figure 5: Internet image recovered from subject's cellular telephone

We recovered one image that showed a naked woman with the subject's cellular telephone
number. (Figure 5) The image was not of the subject.

Figure 6: Internet image creation detail from subject's cellular telephone

The Internet image was created on the subject's cellular telephone on August 28, 2016, at
22:44:02.

Recovering cell telephone text message history is complicated by two factors: (1) users tend to
delete long message threads because they do not want to scroll through tens or hundreds of
messages, and (2) the cell phone's Android operating system aggressively reclaims the space
where the messages were stored, thus eliminating an opportunity to recover deleted text
messages. (Fisher, 2017)

Figure 7: Text messaging detail recovered from subject's cellular telephone

Cell phones retain a detailed information summary of received and sent text messages, including
telephone numbers and date/time stamps. Newer cell phone operating systems match inbound
and outbound telephone numbers to numbers stored in the telephone's contact database.

Unidentified messages can be received from anonymous applications that mask the telephone
number of the sender or other identifying information. (Figure 7) The exact date and time of
inbound messages can, however, be traced through the carrier's activity records. (Fisher, 2017)

Day        Date      Time
Monday     Aug 1     17:59:43
Friday     Sep 2     19:22:11
Friday     Oct 7     18:48:56
Friday     Nov 25    16:51:34
Table 4: Text messaging detail recovered from subject's cellular telephone (partial)

Conclusions
Based on the log and file activity evidence collected from the computer hard drive and the
cellular phone, I believe that the electronic items were not altered from the time they were
powered off until the time I had access to the items.

The computer and cellular telephone showed extensive activity for the email address
bfine98@gmail.com and there was no evidence of another email address.

There was no evidence of bullying or harassing messages sent to the email address
bfine98@gmail.com.

A bullying image that appears to have been a doctored copy of a photo from the subject's
Facebook page was recovered from the computer workstation.

A list of Facebook pages visited can be used to identify the Facebook author(s) who posted
bullying images of the subject. Facebook maintains a record of page owners even after a page or
account has been deleted.

A list of text message receipt timestamps can be used to identify the anonymous senders by
obtaining service provider records. Those records will identify the IP and equipment MAC
address of the sender.

A timeline that combines the subject's internet social media activity, the receipt of 18
anonymously-sent text messages that were of a threatening nature, and the presence of graphic
images that had been previously deleted but were still stored on the devices is consistent with the
subject's reports of abusive messaging.

It is my finding that the information I have submitted in my report is authentic. It is my opinion
that the two devices I examined were not altered in any way from the time they were seized to
the time that I made my initial data collection. I believe the information contained in my report
accurately documents information from the subject's cell phone and computer workstation.

Appendix A: Education and Professional Qualifications

Marc R. Leeka

- Computer forensic certified examiner, 18 years
- Houston Police Department (1989-2009)
- Houston Police Department forensic investigator (1999-2009)
- B.S. Computer Science, Rice University (1988)
- M.S. in Digital Forensics, Sam Houston State University (2011)
- Advanced Examiner Courses: US Secret Service National Computer Forensics Institute
- Virtual Academy Cyber Certification: FBI Cyber Shield Alliance Program
- Federal Virtual Training Environment: Department of Homeland Security
- Training Coordinator, Greater Houston Regional Computer Forensics Laboratory
- Led more than 2,000 computer forensic examinations
- Certified as Instructor for EnCase Forensic software
- Certified Paraben software training graduate; has attended annual update training

Appendix B: Software tools utilized for collection and examination

- Paraben Mobile Field Kit software version 4.30
- FTK Imager version 3.4.3
- EnCase Forensic software version 8.05
- Paraben Device Seizure software version 6.80.5420.20132
- FastBloc Field Edition Write-Blocking Device

Appendix C: Detail summary of anonymous cell phone messages

Day         Date      Time
Monday      May 2     16:31:12
Tuesday     Jun 14    17:42:00
Monday      Aug 1     17:59:43
Friday      Sep 2     19:22:11
Friday      Oct 7     18:48:56
Saturday    Oct 15    11:21:17
Sunday      Oct 16    12:04:22
Tuesday     Oct 18    17:33:01
Tuesday     Oct 25    17:10:34
Friday      Nov 4     18:04:55
Wednesday   Nov 9     17:05:40
Saturday    Nov 12    13:00:07
Saturday    Nov 12    13:04:22
Sunday      Nov 13    11:07:39
Sunday      Nov 13    14:49:49
Saturday    Nov 19    13:04:04
Thursday    Nov 24    16:58:40
Friday      Nov 25    16:51:34
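The Conclusions section describes a timeline that combines the 18 anonymous text messages listed above with the creation times of the two recovered images (Figure 3: October 2, 2016, 17:16:41; Figure 6: August 28, 2016, 22:44:02), and Appendices D and E present it as 6-month and 30-day views. The script below is an added example, not the report's own timeline tooling: it attaches a year to the Appendix C rows and checks that each recorded weekday agrees with the computed date (a cheap consistency check on a transcribed evidence table), buckets messages by month for the 6-month view, counts the 30-day window ending on the date of death, and lists the messages that arrived within a few days of each image's creation. The year 2016 and the 7-day proximity window are assumptions; the message and image times are the report's (fictional) values.

```python
"""Build and sanity-check the anonymous-message timeline from Appendix C.

Added example, not part of the report. YEAR and the 7-day proximity window are
assumptions; MESSAGE_ROWS and IMAGE_EVENTS carry the report's fictional values.
"""
from collections import Counter
from datetime import datetime, timedelta

YEAR = 2016  # assumption: Appendix C gives no year; parse_rows() validates it via weekdays

# Appendix C rows: (weekday as recorded, "Mon D", "HH:MM:SS")
MESSAGE_ROWS = [
    ("Monday", "May 2", "16:31:12"), ("Tuesday", "Jun 14", "17:42:00"),
    ("Monday", "Aug 1", "17:59:43"), ("Friday", "Sep 2", "19:22:11"),
    ("Friday", "Oct 7", "18:48:56"), ("Saturday", "Oct 15", "11:21:17"),
    ("Sunday", "Oct 16", "12:04:22"), ("Tuesday", "Oct 18", "17:33:01"),
    ("Tuesday", "Oct 25", "17:10:34"), ("Friday", "Nov 4", "18:04:55"),
    ("Wednesday", "Nov 9", "17:05:40"), ("Saturday", "Nov 12", "13:00:07"),
    ("Saturday", "Nov 12", "13:04:22"), ("Sunday", "Nov 13", "11:07:39"),
    ("Sunday", "Nov 13", "14:49:49"), ("Saturday", "Nov 19", "13:04:04"),
    ("Thursday", "Nov 24", "16:58:40"), ("Friday", "Nov 25", "16:51:34"),
]

# Creation timestamps of the two recovered harassing images (Figures 3 and 6).
IMAGE_EVENTS = {
    "computer: doctored Facebook picture": datetime(2016, 10, 2, 17, 16, 41),
    "phone: image with subject's number": datetime(2016, 8, 28, 22, 44, 2),
}

DATE_OF_DEATH = datetime(2016, 11, 29)


def parse_rows(rows, year=YEAR):
    """Return (timestamps, inconsistencies): a datetime per row, plus every row whose
    recorded weekday differs from the weekday the date actually falls on."""
    stamps, bad = [], []
    for weekday, md, hms in rows:
        ts = datetime.strptime(f"{md} {year} {hms}", "%b %d %Y %H:%M:%S")
        if ts.strftime("%A") != weekday:
            bad.append((weekday, md, ts.strftime("%A")))
        stamps.append(ts)
    return sorted(stamps), bad


def per_month(stamps):
    """Messages per calendar month, keyed 'YYYY-MM', for the six-month timeline."""
    return dict(Counter(ts.strftime("%Y-%m") for ts in stamps))


def in_window(stamps, end, days):
    """Messages received during the `days` days ending at `end` (30-day timeline)."""
    start = end - timedelta(days=days)
    return [ts for ts in stamps if start <= ts <= end]


def near_events(stamps, events, days=7):
    """For each image creation event, the messages received within `days` after it."""
    return {label: [ts for ts in stamps if when <= ts <= when + timedelta(days=days)]
            for label, when in events.items()}


if __name__ == "__main__":
    stamps, bad = parse_rows(MESSAGE_ROWS)
    print("messages:", len(stamps), "weekday inconsistencies:", bad)
    print("per month:", per_month(stamps))
    print("last 30 days:", len(in_window(stamps, DATE_OF_DEATH, 30)))
    for label, hits in near_events(stamps, IMAGE_EVENTS).items():
        print(label, "->", [h.isoformat() for h in hits])
```

The weekday check is the part worth keeping in any real workflow: every Appendix C row's weekday agrees with a 2016 calendar, which is what justifies the assumed year, and a single disagreement would point at a transcription error before the timeline was built on it.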


Appendix D: Timeline of anonymous text messages and harassing pictures


Appendix E: Timeline of anonymous text messages and harassing pictures


References

Russell, R. (2016, December 1). Family: Cyberbullying led to teen's suicide. Retrieved July 1,
2017, from http://www.khou.com/news/family-cyberbullying-led-to-teens-suicide/360371459

Theoharis, M. (n.d.). Cyberbullying Laws in Texas. Retrieved July 8, 2017, from
http://www.criminaldefenselawyer.com/resources/cyberbullying-laws-texas.htm

Merrill Legal Solutions. (2015). Maintaining the Chain of Custody in Civil Litigation. Retrieved
July 2, 2017, from
http://pdfserver.amlaw.com/legaltechnology/Merrill_Chain_of_Custody_White_Paper.pdf

Mutawa, N., Bryce, J., Franqueira, V., & Marrington, A. (2016). Forensic investigation of
cyberstalking cases using Behavioural Evidence Analysis. In Proceedings of the Third Annual
DFRWS Europe. Retrieved July 7, 2017, from
https://www.dfrws.org/sites/default/files/session-files/paper_forensic_investigation_of_cyberstalking_cases_using_behavioural_evidence_analysis.pdf

Ball, C. (2006). Power Persuasion. Retrieved June 25, 2017, from
http://www.craigball.com/PowerPersuasion_July%202007.pdf

Stroz Friedberg. (2016, March 26). Report of Digital Forensic Analysis in: Ceglia v. Zuckerberg.
Retrieved July 7, 2017, from
https://www.wired.com/images_blogs/threatlevel/2012/03/celiginvestigation.pdf

Coalfire Systems. (2015, November 15). Digital Forensics Analysis Report. Retrieved July 7,
2017, from http://www.adflegal.org/content/docs/ADF_Forensic_Analysis_Report-09282015.pdf

Using Image Analyzer with EnCase Forensic. EnCase training video at
https://www.guidancesoftware.com/video/webinar/using-image-analyzer-with-encase-forensic

Fisher, K. (2015, August 15). Paraben's Device Seizure 7 (DS7) Training - Examinations.
Retrieved July 8, 2017, from https://www.youtube.com/watch?v=VwtLHBbMj-s

Fisher, K. (2015, August 15). Paraben's Device Seizure 7 (DS7) Training - Acquisitions.
Retrieved July 8, 2017, from https://www.youtube.com/watch?v=xKebl3d-cTc

Conversation with EnCase product specialist Michael Mark on June 26, 2017.

Conversation with Paraben lead support technician Kevin Fisher on July 3, 2017.
