{"id":336,"date":"2026-01-23T18:13:21","date_gmt":"2026-01-23T18:13:21","guid":{"rendered":"https:\/\/sites.wp.odu.edu\/christiane-galang\/?p=336"},"modified":"2026-04-21T18:27:09","modified_gmt":"2026-04-21T18:27:09","slug":"case-study-for-digital-forensics","status":"publish","type":"post","link":"https:\/\/sites.wp.odu.edu\/christiane-galang\/2026\/01\/23\/case-study-for-digital-forensics\/","title":{"rendered":"Case Study for Digital Forensics"},"content":{"rendered":"\n<p>Case Identifier: CASE-2003-16732<br>Case Investigator: Christiane Joy Galang<br>Identity of the submitter: Richard Smith<br>Date of Receipt: 2\/15\/2025<\/p>\n\n\n\n<p>Items for Examination:<br>iPhone 16 Pro<br>128 GB<br>Model Number: MYMC3LL\/A<br>Serial Number: HQM56HX5XV<br>iOS 26.1<br>MacBook Air M2<br>8 GB<br>Serial Number: GK1JYKGVQM<br>macOS Sequoia Version 15.6.1<\/p>\n\n\n\n<p>Procedures<br>U.S. official Richard Smith has been raising suspicion in and out of the office. He is suspected of contacting Russian officials.<br>Judge Evan Waters issued a search warrant that allows us to collect an iPhone and a MacBook from the suspect to gather evidence for our investigation.<\/p>\n\n\n\n<p>Software Used for iPhone:<br>Cellebrite UFED: used for file-system extractions and analyzing messages, contacts, and call logs. It can also generate reports for the courts.<br>Magnet AXIOM: data acquisition<br>Autopsy: keyword search for \u201cRed Ralph.\u201d<br>Steps:<br>&#8211; Once the search warrant was granted, the phone and the laptop were taken to the digital forensics lab for examination.<br>&#8211; The phone was connected to Cellebrite UFED. We created a new case to run the extraction. We navigated to contacts to locate \u201cRed Ralph\u201d and noted the phone number associated with it. We then navigated to messages to find the text confirming the lunch meeting on 2\/15\/2025. 
We also checked call logs for calls to and from \u201cRed Ralph.\u201d<br>&#8211; Magnet AXIOM was used as a second tool to confirm the number and messages from \u201cRed Ralph.\u201d<br>&#8211; Autopsy was used for hash lookup and keyword search for \u201cRed Ralph,\u201d phone number variants, and keywords such as \u201clunch\u201d and \u201cmeeting.\u201d<\/p>\n\n\n\n<p><br>Documented evidence:<br>Phone number: +7 (997-376-4414)<br>Contact name: Red Ralph<br>Message: Meet me at the restaurant at 1900 on 2\/15\/2025 to further discuss this topic.<br>Software used for MacBook:<br>&#8211; FTK Imager<br>Using FTK Imager, we were able to search the MacBook\u2019s data files. We analyzed emails between Mr. Smith and Red Ralph. We also ensured that a forensic image was created to avoid altering data on the MacBook. We discovered emails between Mr. Smith and redralph@gmail.com.<br>The email showed:<\/p>\n\n\n\n<p><img loading=\"lazy\" decoding=\"async\" width=\"217\" height=\"385\" src=\"https:\/\/sites.wp.odu.edu\/7c12d88d-45ec-47e2-b809-667137550f7b\"><\/p>\n\n\n\n<p>Conclusion:<br>After conducting a deep investigation of these two devices, we found evidence that Richard Smith and a Russian official were in contact about serious government secrets. Using the iPhone 16 Pro and the MacBook Air M2, we were able to find a Russian phone number linked to \u201cRed Ralph,\u201d revealing conversations about secrets. There were also emails concerning packages or letters sent between parties. The tools used for the investigation were Cellebrite UFED, Magnet AXIOM, Autopsy, and FTK Imager for the laptop. 
These tools helped confirm the interaction between Smith and \u201cRed Ralph.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Case Identifier: CASE-2003-16732Case Investigator: Christiane Joy GalangIdentity of the submitter: Richard SmithDate of Receipt: 2\/15\/2025 Items for Examination:iPhone 16 Pro128 GBModel Number: MYMC3LL\/ASerial Number: HQM56HX5XViOS 26.1MacBook Air M28GBSerial Number: GK1JYKGVQMmacOS Sequoia Version 15.6.1 ProceduresU.S. official Richard Smith has been raising&#8230; <a class=\"more-link\" href=\"https:\/\/sites.wp.odu.edu\/christiane-galang\/2026\/01\/23\/case-study-for-digital-forensics\/\">Continue Reading &rarr;<\/a><\/p>\n","protected":false},"author":29875,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","wds_primary_category":0},"categories":[6,1],"tags":[],"_links":{"self":[{"href":"https:\/\/sites.wp.odu.edu\/christiane-galang\/wp-json\/wp\/v2\/posts\/336"}],"collection":[{"href":"https:\/\/sites.wp.odu.edu\/christiane-galang\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sites.wp.odu.edu\/christiane-galang\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/christiane-galang\/wp-json\/wp\/v2\/users\/29875"}],"replies":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/christiane-galang\/wp-json\/wp\/v2\/comments?post=336"}],"version-history":[{"count":2,"href":"https:\/\/sites.wp.odu.edu\/christiane-galang\/wp-json\/wp\/v2\/posts\/336\/revisions"}],"predecessor-version":[{"id":340,"href":"https:\/\/sites.wp.odu.edu\/christiane-galang\/wp-json\/wp\/v2\/posts\/336\/revisions\/340"}],"wp:attachment":[{"href":"https:\/\/sites.wp.odu.edu\/christiane-galang\/wp-json\/wp\/v2\/media?parent=336"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/christiane-galang\/wp-json\/wp\/v2\/categories?post=336"},{"taxonomy":"post_tag","embeddable":true,"hre
f":"https:\/\/sites.wp.odu.edu\/christiane-galang\/wp-json\/wp\/v2\/tags?post=336"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}