Case Identifier: CYSE 407 Final
Case Investigator: John Cover
Identity of the Submitter: John Cover
Date of Receipt: 12/10/2022
Purpose of Report:
This report was created to determine whether there was any correspondence between a government official, Senator Smith, and a user identified as Red Ralph, and whether there was any evidence to suggest that Senator Smith and Red Ralph were responsible for setting up Senator Smith's opponent by depositing several million dollars in the candidate's account from an off-shore account and then leaving a tip that the candidate was taking bribes and had not declared the income to the IRS.
Items for Examination:
Owner of items for examination: US Official: Senator Smith
Personal Laptop Computer:
Serial Number: e6xyZ 432
Make: Hewlett-Packard
Model: 412
Cellular Device:
Serial Number: RFCR714L5DL
Make: A32
Model: Galaxy
Findings and Report (Forensic Analysis):
Cellular Device:
On today’s date, December 10, 2022, I retrieved a search warrant through the US District Courts in Washington, D.C. to examine the cellular device and the personal laptop computer of a US Official.
The tools used to examine cellular device:
Sim Card
Oxygen Forensic Detective (Digital Mobile Forensic Software)
Once the tools were acquired, and the search warrant obtained, the examination began.
Because the device was still on and locked, my first step was to ensure that any evidence gleaned from the phone would be adequately preserved, processed, and admissible in court. The phone was on, and we kept it that way to avoid a shutdown that might alter the files on the phone. We used a Faraday box/bag with an external power supply, which isolates the mobile device from network communications while ensuring safe transportation of the evidence to the laboratory. I also placed the phone in airplane mode to keep it from connecting to any network.
Once we arrived at the lab, we determined the best way to examine the cell phone while preserving the integrity of the evidence. I attempted a physical acquisition, copying the entire physical storage (flash memory) of the mobile device. A hash value was generated over the acquired image so that the data can later be verified as unchanged. Physical acquisition allows the examiner to uncover deleted files and data, with the help of forensic tools. Because the manufacturer prevents direct access to and reading of physical memory, forensic tools have to overwrite the bootloader to gain access.
I used the Oxygen Forensics application for the data extraction. Upon gaining access, I began reviewing the extraction in Oxygen.
I removed the SIM card from the cellular phone and connected it to the SIM card reader at the lab. I also retrieved the SD card from the phone and created an image of it. On the phone I discovered a text message from a user identified as “Red Ralph” confirming a lunch meeting on 2/15/2022. The SD card contained files and data to examine. The original data on the SIM card was preserved by blocking write requests to the SIM during the analysis.
Each phone number and text message was examined and documented when discovered. Upon examining the data on the SIM card and the physical memory of the phone, I discovered the following text message:
Documented Message:
Phone Number: +7 (922) 555-1543
Contact Name: Red Ralph
Message: Can we discuss details soon?
Personal Laptop Computer:
On December 10, 2022, I began the forensic acquisition/imaging process for the laptop computer. An image of the operating system (OS) is created and captured from the reference computer so that it can be deployed to another computer or network of computers in the forensics lab. I focused especially on locating .pst and .ost files in order to view any and all emails.
After connecting the original media from the laptop to my examination machine through a hardware write-blocker via USB 3.0, I began the imaging process. Once the imaging had been completed and documented, I used the forensic application to view the image, at which time I discovered at least three text messages sent to the device by another person, identified as Red Ralph. The software provided the phone number and contact name for any text messages that were received or sent.
Documented Message:
To: Name: Senator Smith
Date: February 21, 2016
Contact Name: Red Ralph
Message: Let me know when you are ready for me to discuss about taking out the Big Apple.
Documented Message:
To: Name: Senator Smith
Date: February 22, 2016
Contact Name: Red Ralph
Message: Thank you for meeting. Transfer the money by 06:00 by Friday.
Documented Message:
To: Name: Senator Smith
Date: February 26, 2016
Contact Name: Red Ralph
Message: Thank you for the cooperation. Meet me at the outpost on Saint Patrick’s Day at 0700 hours EST. The objective will be complete 30 minutes before.
Once the email was analyzed and documented, I was also able to view the previously deleted files shown below through the use of the application notebook.
File named “Objective Complete”
Senator Smith, the objective is complete. The Big Apple has been taken out.
File Named “Smith to Ralph”
It was great doing business with you. Now the election can continue just as planned. You have done great.
During the examination, I did string searches, graphic image searches, and recovered some erased files.
Using the FTK application, I performed string searches. String search tools use matching and/or indexing algorithms to search digital evidence at the physical level to locate specific text strings, and they are designed to find all instances of those strings. The search strings used in this examination were: Red Ralph, Big Apple, Classified, Government Documents. The results returned the emails and text message mentioned above, and I also discovered several deleted zip files of classified material that web logs show were uploaded to a file-sharing site. It is not clear whether they were downloaded by anyone. The files I was able to retrieve contained information about Senator Smith's opponent, including their address, phone numbers, bank account numbers, their schedule, and where they were at any time of the day.
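As an added illustration of the two integrity and search steps described in this report (the hash generated over the acquired image in the cellular device section, and the physical-level string search just described), the following Python script is my own example and not code from the report or from Oxygen/FTK. It runs against a small constructed byte blob standing in for an acquired image, and it checks both ASCII and UTF-16LE encodings because Windows artifacts often store text as UTF-16.

```python
import hashlib
import hmac

# Constructed stand-in for an acquired image: ASCII text, a UTF-16LE file name,
# a run of slack/unallocated bytes, then more ASCII. Not real evidence.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"Subject: lunch 2/15/2022 From: Red Ralph\x00\x00"
    + "Big Apple.jpg".encode("utf-16-le")
    + b"\xff" * 16
    + b"Classified material.zip"
)

# The search strings listed in the report.
SEARCH_STRINGS = ["Red Ralph", "Big Apple", "Classified", "Government Documents"]


def sha256_of(data: bytes) -> str:
    """Hash recorded at acquisition time; recomputed later to prove the image is unchanged."""
    return hashlib.sha256(data).hexdigest()


def verify_image(data: bytes, recorded_hash: str) -> bool:
    """True only if the image still matches the hash documented at acquisition."""
    return hmac.compare_digest(sha256_of(data), recorded_hash.lower())


def keyword_search(data: bytes, keywords, context: int = 16):
    """Physical-level search over raw bytes, case-insensitive, for ASCII and UTF-16LE.

    bytes.lower() only folds ASCII letters, so the NUL bytes of UTF-16LE are untouched
    and the same lowered haystack serves both encodings.
    """
    hits = []
    haystack = data.lower()
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            needle = kw.lower().encode(enc)
            start = 0
            while (idx := haystack.find(needle, start)) != -1:
                snippet = data[max(0, idx - context): idx + len(needle) + context]
                hits.append({"keyword": kw, "encoding": enc, "offset": idx, "context": snippet})
                start = idx + 1  # keep scanning so every instance is reported
    return hits


if __name__ == "__main__":
    recorded = sha256_of(SAMPLE_IMAGE)
    print("image verified:", verify_image(SAMPLE_IMAGE, recorded))
    for h in keyword_search(SAMPLE_IMAGE, SEARCH_STRINGS):
        print(f"{h['keyword']!r} ({h['encoding']}) at offset {h['offset']}: {h['context']!r}")
```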
I also performed a graphic image search to see whether there were any images of classified materials on either the phone or the laptop. I found a .jpg that, when opened, showed a picture of Senator Smith's opponent in the next election. The .jpg was labeled “Big Apple”.
Conclusion:
In conclusion, no original media was damaged, manipulated, or changed in any way. Refer to the detailed report containing all the steps taken to acquire the evidence presented in this report, and to the chain of custody report.
Hardware that was used to recover files:
Faraday Box/Bag and External Power Supply
Sim Card Reader
Hardware Write Blocker
USB 3.0
Software that was used to recover files:
Oxygen Forensic
FTK
Evidence includes:
Three email conversations from a user named Red Ralph
Two deleted and retrieved emails. One from the user identified as Red Ralph and the other from the user identified as Senator Smith.
A .jpg image of Senator Smith's opponent in the upcoming election.
Recovered classified documents that included personal information about Senator Smith's opponent in the upcoming election.
The evidence suggests that Senator Smith and Red Ralph were working together to find a way to discredit Senator Smith's opponent in the upcoming election. The IRS was notified by an anonymous tip that Senator Smith's opponent was taking bribes and had not reported the income to the IRS. The IRS investigated and found large sums of undeclared money in the candidate's bank account without any explanation as to where it came from. Further examination of the deposits is warranted to determine where the money came from and who sent it to the opponent's account. Further examination is also warranted as to how Senator Smith was able to collect the personal information of her opponent.
Curriculum Vitae:
Education and Training:
Auburn University, Alabama: Bachelor of Science
Alabama State Police, Alabama Questioned Documents Examiner Training, Certified Examiner
Lectures:
Office of the Attorney General – Annual Conference
Alabama Treasury Department Investigations
Professional Affiliations:
Southern Association of Forensic Scientists, Questioned Documents Member
Billings to date: $1,200.00