2019-010614 (LIMA 0384) — Forensic Notes — LITS Leonard
Forensic Request for Examination of Two Desktops from Bureau of Prisons (BOPs)
Desktops seized by SA at MCC
Desktops collected by ASAC and transported to the Forensic Laboratory in Crystal City, VA.
ASAC Forensically Imaged the two Desktops
All imaging information has been loaded to LIMA Case #0384 by ASAC
Images of Hard Drives copied to Apricorn Hard Drive SN: 101300010379 by ASAC
Apricorn Hard Drive sent to LITS Leonard in Dallas, TX by ASAC
FedEx Tracking # 775965711635
Hard Drive delivered to Dallas Field Office
Images copied to Forensic Workstation (X26747)
Image Information:
Z6E8K1EV.E01 -Seagate Z6E8K1EV from 0214 207270
-SHA1: 465c7bf5f62aebb6c98ecfc60534110f56274c25
-MD5: 13e7ad6132719bae78d849e3fb914cc2
Z6E8M349.E01 -Seagate Z6E8M349 from 0214 207268
-SHA1: 465c7bf5f62aebb6c98ecfc60534110f56274c25
-MD5: 13e7ad6132719bae78d849e3fb914cc2
Search Authority is Administrative
Case Created in EnCase 8.07.00.93
Images added to EnCase
Images Verified Successfully
Z6E8M349 - Completely Verified, 0 Errors
Acquisition MD5: 13e7ad6132719bae78d849e3fb914cc2
Verification MD5: 13e7ad6132719bae78d849e3fb914cc2
EFTA00128267
Acquisition SHA1: 465c7bf5f62aebb6c98ecfc60534110f56274c25
Verification SHA1: 465c7bf5f62aebb6c98ecfc60534110f56274c25
Z6E8K1EV - Completely Verified, 0 Errors
Acquisition MD5: 48f956e5ddab702d48177534ec96d026
Verification MD5: 48f956e5ddab702d48177534ec96d026
Acquisition SHA1: be9791bce5978ccdf3111a54eac84606739c0424
Verification SHA1: be9791bce5978ccdf3111a54eac84606739c0424
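The Image Information block above lists the same MD5 and SHA1 for both E01 files, while the EnCase verification results record different values for Z6E8K1EV. Added example, not EnCase and not the examiner's tooling: recompute hashes for a set of image files, compare them with the recorded acquisition values, and flag any hash value that the record assigns to two different images. It assumes raw (dd-style) images whose file bytes are what was hashed; an E01 acquisition hash covers the acquired data rather than the container file, so E01 bytes would have to come from an E01-aware reader. Image contents and the record are constructed.

```python
"""Re-verify forensic image hashes against the acquisition record.

Added example; not EnCase and not the examiner's tooling. Assumes raw
(dd-style) images: the bytes hashed are the image file bytes. Image
contents and the recorded values below are constructed for the demo.
"""
import hashlib


def image_hashes(data):
    """MD5 and SHA1 of an image's bytes, the two values EnCase records."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest()}


def verify_images(images, recorded):
    """Recompute each image's hashes and compare with the acquisition record.

    Returns {image: {"verified": bool, "mismatches": [algorithm, ...]}}.
    """
    report = {}
    for name, data in images.items():
        actual = image_hashes(data)
        bad = [algo for algo, value in recorded[name].items()
               if value.lower() != actual[algo]]
        report[name] = {"verified": not bad, "mismatches": bad}
    return report


def shared_hash_values(recorded):
    """Images of two different drives should never share a hash value.

    A shared value almost always means a transcription or copy-paste error
    in the record (the pattern the Image Information block above shows),
    not identical drives. Returns {(algorithm, value): [image, ...]} for
    every value the record lists under more than one image.
    """
    owners = {}
    for name, hashes in recorded.items():
        for algo, value in hashes.items():
            owners.setdefault((algo, value.lower()), []).append(name)
    return {key: names for key, names in owners.items() if len(names) > 1}


# Constructed stand-ins for the two drive images (not the real image bytes).
IMAGES = {
    "Z6E8M349.dd": b"constructed contents standing in for drive Z6E8M349",
    "Z6E8K1EV.dd": b"constructed contents standing in for drive Z6E8K1EV",
}
# Constructed acquisition record: the second entry deliberately repeats the
# first drive's values, mirroring the notes' Image Information block.
RECORDED = {
    "Z6E8M349.dd": image_hashes(IMAGES["Z6E8M349.dd"]),
    "Z6E8K1EV.dd": dict(image_hashes(IMAGES["Z6E8M349.dd"])),
}
```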
Run Timezone EnScript (Timezone Info Prior to Processing (V1.1).EnScript) in EnCase
Z6E8K1EV: Eastern Standard Time
Z6E8M349: Eastern Standard Time
Timezone changed for Z6E8K1EV and Z6E8M349 in EnCase
Z6E8M349 — Export Event Logs — Exported Successfully
Z6E8K1EV — Export Event Logs — Exported Successfully
Z6E8M349 — Export Windows Search Database — Exported Successfully
Z6E8K1EV — Export Windows Search Database — Exported Successfully
Process Z6E8M349 and Z6E8K1EV for System Info Parser
Z6E8M349 Completed Successfully
Z6E8K1EV Completed Successfully
Exported BOP Users for Z6E8M349 into Excel spreadsheet
Exported BOP Users for Z6E8K1EV into Excel spreadsheet
Z6E8M349 System Information:
Product Name Windows 7 Professional
Current Version 6.1
Current Build Number 7601
Registered Owner Federal Bureau of Prisons
Registered Organization U.S. Department of Justice
Install Date Tue, 02 Jun 2015 21:26:39 GMT
Shutdown Time Mon, 05 Aug 2019 16:36:42 GMT
Z6E8K1EV System Information:
Product Name Windows 7 Professional
Current Version 6.1
Current Build Number 7601
Registered Owner Federal Bureau of Prisons
Registered Organization U.S. Department of Justice
Install Date Thu, 14 Jun 2018 12:19:30 GMT
Shutdown Time Sat, 10 Aug 2019 19:16:12 GMT
Bookmark System Information for Z6E8M349
Bookmark Time Zone Information for Z6E8M349
Bookmark User Accounts for Z6E8M349
Bookmark Network Information for Z6E8M349
Bookmark USB Devices for Z6E8M349
Bookmark System Information for Z6E8K1EV
Bookmark Time Zone Information for Z6E8K1EV
Bookmark User Accounts for Z6E8K1EV
Bookmark Network Information for Z6E8K1EV
Process Z6E8K1EV for Windows Event Log Parser
Completed Successfully
Process Z6E8M349 Windows Event Log Parser
Completed Successfully
Process Z6E8K1EV for Windows Artifact Parser
Completed Successfully
Process Z6E8M349 Windows Artifact Parser
Completed Successfully
Z6E8M349 - Mount File Structure for Software Registry
Warning Banner Present in Registry
REGISTRY HIVE\Microsoft\Windows\Current Version\Policies\System\
Warning Banner Bookmarked
Z6E8K1EV - Mount File Structure for Software Registry
Warning Banner Present in Registry
REGISTRY HIVE\Microsoft\Windows\Current Version\Policies\System\
Warning Banner Bookmarked
Use Access Data Forensic Toolkit (FTK) 7.1.0.290 to check for Volume Shadow Copies:
Z6E8M349 — No Restore Points/Volume Shadows
Z6E8K1EV — No Restore Points/Volume Shadows
Use the Z6E8K1EV System Event Log to establish a baseline of Logon/Logoff activity from the Customer
Experience Improvement Program notifications (Winlogon Event IDs 7001 and 7002). This can later be verified against the Security Event Log.
Logon/Logoff Information for Z6E8K1EV from System Event Log
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/8/2019 6:54:29 PM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID S-1-5-21-3548300276-3289552418-2794689317-1126
User: Tova Noel
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 12:15:31 AM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1126
User: Tova Noel
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 12:31:49 AM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1062
User: Thomas, Michael
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 6:29:36 AM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1062
User: Thomas, Michael
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 6:30:24 AM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1015
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 10:51:49 AM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1015
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 10:53:13 AM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1033
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 4:01:50 PM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1033
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 4:29:54 PM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1017
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 4:57:41 PM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1017
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 4:58:42 PM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1126
User: Tova Noel
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 5:06:12 PM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1126
User: Tova Noel
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 5:08:46 PM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1017
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 5:33:13 PM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1126
User: Tova Noel
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 6:35:35 PM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1126
User: Tova Noel
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 6:36:27 PM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1017
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 6:52:36 PM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1017
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 6:53:51 PM
Event ID: 7001
Task Category: (1101)
User: SYSTEM
Computer: SHU-0214207270.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1126
User: Tova Noel
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 8:29:29 PM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1126
User: Tova Noel
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 8:32:44 PM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1126
User: Tova Noel
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 9:28:15 PM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1126
User: Tova Noel
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 9:29:37 PM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1017
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 11:38:30 PM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1017
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 11:40:28 PM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1126
User: Tova Noel
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/10/2019 10:31:40 AM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1126
User: Tova Noel
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/10/2019 1:25:59 PM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207270.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-3548300276-3289552418-2794689317-1018
User:
Use the Z6E8M349 System Event Log to establish a baseline of Logon/Logoff activity from the Customer
Experience Improvement Program notifications (Winlogon Event IDs 7001 and 7002). This can later be verified against the Security Event Log.
Logon/Logoff Information for Z6E8M349 from System Event Log
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/8/2019 3:59:37 PM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1061
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 12:11:23 AM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1061
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 12:45:04 AM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1244
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 6:15:27 AM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1244
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 6:17:25 AM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1078
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 12:14:01 PM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1078
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 12:31:14 PM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1078
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 3:08:04 PM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1078
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 3:12:39 PM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1173
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 9:37:44 PM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1173
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/10/2019 12:36:56 AM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1102
User: Thomas, Michael
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/10/2019 5:14:13 AM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1102
User: Thomas, Michael
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/10/2019 6:03:33 AM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1102
User: Thomas, Michael
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/10/2019 8:55:12 AM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1102
User: Thomas, Michael
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/10/2019 9:21:25 AM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1028
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/10/2019 2:13:48 PM
Event ID: 7002
Task Category: (1102)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logoff Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1028
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/10/2019 2:15:20 PM
Event ID: 7001
Task Category: (1101)
Level: Information
Computer: SHU-0214207268.BOP.GOV
Description: User Logon Notification for Customer Experience Improvement Program
SID: S-1-5-21-1823249720-3210992811-1527010081-1173
User:
Z6E8M349 User Account Logged in at potential time of death is Thomas, Michael
BOP Account: bop19012 SID: S-1-5-21-1823249720-3210992811-1527010081-1102
Z6E8K1EV User Account Logged in at potential time of death is Tova Noel
BOP Account: bop61232 SID: S-1-5-21-3548300276-3289552418-2794689317-1126
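The two baseline passages above (for Z6E8K1EV and Z6E8M349) pair each SID's Winlogon 7001 logon notification with its next 7002 logoff notification to decide who was logged on at a given moment. As an added example that is not the examiner's tooling, the following reconstructs those sessions from records in the notes' own text layout and answers that question for a chosen time, including the two edge cases visible in the logs above: a logoff with no earlier logon in the window, and a logon with no later logoff. The sample records are a constructed subset of the Z6E8M349 entries, with Task Category, Level and Description lines left out.

```python
"""Reconstruct who was logged on when from Winlogon 7001/7002 System log events.

Added example; not part of the original notes or the examiner's tooling. The
sample is constructed in the text layout the notes use and reproduces four of the
Z6E8M349 entries recorded above (Task Category, Level and Description lines left
out); timestamps are assumed to be local time, as the notes present them.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/9/2019 9:37:44 PM
Event ID: 7002
Computer: SHU-0214207268.BOP.GOV
SID: S-1-5-21-1823249720-3210992811-1527010081-1173
User:
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/10/2019 12:36:56 AM
Event ID: 7001
Computer: SHU-0214207268.BOP.GOV
SID: S-1-5-21-1823249720-3210992811-1527010081-1102
User: Thomas, Michael
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/10/2019 5:14:13 AM
Event ID: 7002
Computer: SHU-0214207268.BOP.GOV
SID: S-1-5-21-1823249720-3210992811-1527010081-1102
User: Thomas, Michael
Log Name: System
Source: Microsoft-Windows-Winlogon
Date: 8/10/2019 2:15:20PM
Event ID: 7001
Computer: SHU-0214207268.BOP.GOV
SID: S-1-5-21-1823249720-3210992811-1527010081-1173
User:
"""

# The notes write times both as '12:14:01 PM' and '12:14:01PM'; accept both.
DATE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4}) (\d{1,2}:\d{2}:\d{2})\s*([AP]M)$")


def parse_date(text):
    """'8/10/2019 2:15:20PM' -> datetime(2019, 8, 10, 14, 15, 20)."""
    match = DATE_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised date: {text!r}")
    return datetime.strptime(" ".join(match.groups()), "%m/%d/%Y %I:%M:%S %p")


def parse_records(text):
    """One dict per event; a new record starts at each 'Log Name:' line."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "Log Name":
            current = {}
            records.append(current)
        if current is not None:
            current[key.strip()] = value.strip()
    return records


def build_sessions(records):
    """Pair each SID's 7001 (logon) with its next 7002 (logoff).

    start None: logoff with no logon in the window (session began before the log).
    end None:   logon never closed in the window (still logged on, or logoff missing).
    A repeated 7001 with no 7002 in between (seen above for RID 1017 on Z6E8K1EV)
    is treated as the same session continuing.
    Returns (sessions, users): sessions as (sid, start, end), users as {sid: name}.
    """
    winlogon = [r for r in records if r.get("Source") == "Microsoft-Windows-Winlogon"]
    events = sorted((parse_date(r["Date"]), int(r["Event ID"]), r["SID"], r.get("User", ""))
                    for r in winlogon)
    open_logons, sessions, users = {}, [], {}
    for when, event_id, sid, user in events:
        if user:
            users[sid] = user
        if event_id == 7001:
            open_logons.setdefault(sid, when)
        elif event_id == 7002:
            sessions.append((sid, open_logons.pop(sid, None), when))
    sessions.extend((sid, start, None) for sid, start in open_logons.items())
    return sessions, users


def logged_on_at(sessions, users, moment):
    """SIDs (with the account name where the log recorded one) logged on at 'moment'."""
    return {sid: users.get(sid, "") for sid, start, end in sessions
            if (start is None or start <= moment) and (end is None or moment < end)}
```

Run against the full exported System log of each image, the same query for 8/10/2019 12:00:00 AM onward gives the per-SID answer that the Security Event Log is then used to confirm.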
Spoke with ASAC providing update regarding users logged in from 8/10/19 at 12:00:00 AM
through the morning. Will provide similar update to case agent.
Use Magnet AXIOM Process 3.4.1.15164
Add the Z6E8M349 image and Z6E8K1EV image into AXIOM Process
Z6E8M349 contains three partitions:
Partition 1 (EXT-family, 165.85MB)
Partition 2 (Microsoft NTFS, 95MB) — System Reserved
Partition 3 (Microsoft NTFS, 465.51 GB)
Unpartitioned Space
Z6E8K1EV contains one partition:
Partition 1 (Microsoft NTFS, 465.76 GB)
Unpartitioned Space
Search archives and mobile backups is turned on
Calculate hash values is turned off to speed up processing time.
Processing Started
Z6E8M349 Processed Successfully
Z6E8K1EV Experienced a Timeout Error during Processing
Stuck at 15.5% processing on All Files and Folders for 4 hours
Data Processor #9 timeout info:
Current search item: Data Processor 9: Searching
[ROOT]\Windows\MEMORY.DMP at offset 54525952
See TimeoutInfo 8-14 Log for additional information
Attached to Notes
Magnet AXIOM Processing Canceled for Z6E8K1EV
Magnet AXIOM Closed
Magnet AXIOM Examine 3.4.1.15164 Launched
2019-010614 Case Loaded
Continuing processing for Z6E8K1EV canceled
Processing Completed
Will need to run AXIOM Process on Z6E8K1EV in a separate case.
AXIOM Examine checking Indices
AXIOM Examine is locked up and not responding
AXIOM Examine is closed and re-launched
2019-010614 Case is loaded
AXIOM Examine checking Indices
AXIOM Examine is locked up and not responding
AXIOM Processing will be performed again for both images.
Continue Examination in EnCase 8.07.00.93
Note: Full EnCase Processing has not been completed at this time.
Process Recover Folders for Z6E8M349
Completed Successfully
Process Recover Folders for Z6E8K1EV
Completed Successfully
Export Logical Evidence File of Michael Thomas user's profile (bop19012) on Z6E8M349
Named BOP19012.L01
Export Logical Evidence File of Tova Noel user's profile (bop61232) on Z6E8K1EV
Named BOP61232.L01
Email used by BOP is called GroupWise
GroupWise Email can be cached locally to a system if configured to do so
Path for cached email: \USERACCOUNT\AppData\Local\Novell\Groupwise\USERACCOUNT
Checked GroupWise Email for Michael Thomas (bop19012) on Z6E8M349
No Cached Email
Checked GroupWise Email for Tova Noel (bop61232) on Z6E8K1EV
No Cached Email
One GWErrorLog.txt — Attachment Error on 6/26/2019
Use Magnet AXIOM Process 3.4.1.15164
Add the BOP19012 Logical Evidence File to AXIOM Process
Search archives and mobile backups is turned on
Calculate hash values is turned off to speed up processing time
Uncheck "Find more artifacts" to speed up processing time.
Attempts to locate and parse SQLite Databases
Processing Started
Processing Completed Successfully
Summary:
Start Time: Aug 14, 2019 12:27:09
End Time: Aug 14, 2019 12:28:38
Search Duration: 00:01:18
Indexing Duration: 00:00:00
Search Outcome: Success
Final results of search:
AutoRun Items: 1 items
Carved Archives (content not searched): 96 items
Carved Audio: 1 items
Classifieds URLs: 171 items
Cloud Services URLs: 4 items
Edge/Internet Explorer 10-11 Content: 20373 items
Edge/Internet Explorer 10-11 Cookies: 514 items
Edge/Internet Explorer 10-11 Daily/Weekly History: 846 items
Edge/Internet Explorer 10-11 Dependency Entries: 15 items
Edge/Internet Explorer 10-11 Main History: 3138 items
Facebook URLs: 26 items
File System Information: 1 items
Flash Cookies: 17 items
Google Analytics First Visit Cookies: 14 items
Google Analytics First Visit Cookies Carved: 14 items
Google Analytics Referral Cookies: 14 items
Google Analytics Referral Cookies Carved: 13 items
Google Analytics Session Cookies: 4 items
Google Analytics Session Cookies Carved: 4 items
Google Searches: 8 items
Identifiers: 14 items
Internet Explorer Cookies: 1761 items
Internet Explorer Favorites: 17 items
Internet Explorer Typed URLs: 8 items
Jump Lists: 81 items
Keyword Searches: 4 items
LNK Files: 526 items
MRU Folder Access: 1 items
MRU Opened/Saved Files: 4 items
MRU Recent Files & Folders: 90 items
MUICache: 92 items
Network Share Information: 3 items
Parsed Search Queries: 102 items
PDF Documents: 5 items
Pictures: 5342 items
Potential Browser Activity: 82 items
Prefetch Files - Windows XP/Vista/7: 7 items
RTF Documents: 3 items
Shellbags: 95 items
Social Media URLs: 18 items
Startup Items: 1 items
Tax Site URLs: 1 items
Text Documents: 628 items
UserAssist: 58 items
Videos: 34 items
VLC Recently Played Files: 3 items
WebKit Browser Web History (Carved): 3 items
Word Documents: 22 items
Add the BOP61232 Logical Evidence File to AXIOM Process
Search archives and mobile backups is turned on
Calculate hash values is turned off to speed up processing time.
Uncheck "Find more artifacts" to speed up processing time.
Attempts to locate and parse SQLite Databases
Processing Started
Processing Completed Successfully
Summary:
Start Time: Aug 14, 2019 12:38:52
End Time: Aug 14, 2019 12:40:14
Search Duration: 00:01:08
Indexing Duration: 00:00:00
Search Outcome: Success
Final results of search:
Audio: 4 items
AutoRun Items: 1 items
Carved Archives (content not searched): 58 items
Carved Audio: 50 items
Classifieds URLs: 671 items
Edge/Internet Explorer 10-11 Content: 17682 items
Edge/Internet Explorer 10-11 Cookies: 468 items
Edge/Internet Explorer 10-11 Daily/Weekly History: 2172 items
Edge/Internet Explorer 10-11 Dependency Entries: 57 items
Edge/Internet Explorer 10-11 Main History: 4602 items
Facebook URLs: 5 items
File System Information: 1 items
Flash Cookies: 6 items
Google Analytics First Visit Cookies: 11 items
Google Analytics First Visit Cookies Carved: 11 items
Google Analytics Referral Cookies: 11 items
Google Analytics Referral Cookies Carved: 10 items
Google Analytics Session Cookies: 6 items
Google Analytics Session Cookies Carved: 6 items
Google Maps: 7 items
Google Searches: 446 items
Identifiers: 13 items
Internet Explorer Cookies: 1667 items
Internet Explorer Favorites: 17 items
Internet Explorer Typed URLs: 9 items
Jump Lists: 53 items
LNK Files: 112 items
MRU Folder Access: 4 items
MRU Opened/Saved Files: 16 items
MRU Recent Files & Folders: 34 items
MUICache: 62 items
Network Share Information: 3 items
Parsed Search Queries: 84 items
PDF Documents: 10 items
Pictures: 3551 items
Potential Browser Activity: 172 items
RTF Documents: 1 items
Shellbags: 91 items
Social Media URLs: 14 items
Startup Items: 1 items
Tax Site URLs: 1 items
Text Documents: 588 items
UserAssist: 40 items
Videos: 8 items
WebKit Browser Web History (Carved): 1 items
Word Documents: 13 items
Continue Examination in EnCase 8.07.00.93
Export RECENT Folder for Michael Thomas (bop19012) on Z6E8M349
Review JumpLists in JumpList Explorer v0.5.0.0
Export RECENT Folder for Tova Noel (bop61232) on Z6E8K1EV
Review JumpLists in JumpList Explorer v0.5.0.0
Process File Signature Analysis for Z6E8M349
Completed Successfully
Process File Signature Analysis on Z6E8K1EV
Completed Successfully
Process Protected File Analysis for Z6E8M349
Completed Successfully
Process Protected File Analysis for Z6E8K1EV
Completed Successfully
Review the Michael Thomas user profile (bop19012) on Z6E8M349
Low Activity for the user during the time frame on Z6E8M349
"SHU 30 CHECK SHEET (CONDENSED)_1.docx" in \Documents\Groupwise
File Created 8/10/19 12:39:31 Last Modified 8/10/19 12:43:33
File is a Check Sheet for each 30 minutes, but is not filled out.
Only file with timestamp information on the day in question.
"~$U 30 CHECK SHEET (CONDENSED)_1.docx" in \Documents\Groupwise
File Created 8/10/19 12:40:28 Last Modified 8/10/19 12:40:28
A leading tilde is commonly associated with the temporary backup file Word creates for a document that was opened or is
still open.
This possibly indicates that the file was saved to the Groupwise location and opened, but
never populated.
Review the Tova Noel profile (bop61232) on Z6E8K1EV
Low Activity for the user during time frame on Z6E8K1EV
No work files with timestamp information on the day in question within the profile.
Process Thumbnail Creation for Z6E8M349
Completed Successfully
Process Thumbnail Creation for Z6E8K1EV
Completed Successfully
Recycle Bin for S-1-5-21-1823249720-3210992811-1527010081-1102 on Z6E8M349 examined
Only contains DESKTOP. FILE — System File
No User Files
Recycle Bin for SID: S-1-5-21-3548300276-3289552418-2794689317-1126 on Z6E8K1EV
examined
Only contains DESKTOP. FILE — System File
No User Files
Use Magnet AXIOM Examine 3.4.1.15164
Load "AXIOM - BOP19012 - Z6E8M349" Case for BOP19012 User Profile
Time Zone settings changed to EST (with Daylight Savings)
Build Timeline
Completed Successfully
Build Connections
Completed Successfully
Load "AXIOM - BOP61232 - Z6E8K1EV" Case for BOP61232 User Profile
Time Zone settings changed to EST (with Daylight Savings)
Build Timeline
Completed Successfully
Build Connections
Completed Successfully
Both Physical Images of the BOP desktops will be processed through AXIOM. The processing of the user
profiles is to examine user activity on the computers while the lengthy processing is conducted for the
hard drive images.
Review "AXIOM - BOP19012 - Z6E8M349" Case in Magnet AXIOM Examine 3.4.1.15164
Network Usage with BOP Applications
http://sallyport.bop.gov/inst/nym/corrsvc/docs/Daily%20Fire%20&%20Security%20Form.pdf
file:///KIBOPAPPS/Roster/Ver3.1/Roster.accde
file:///I:/GROUPS/SHAREDOC/SHU PAPERWORK, LOCATOR, HARDCOPY/1 - SHU LOCATOR 2019(HARDCOPY).docx
Google Search for "suzuki gsx-r 1000 motorcycle for sale" 8/10/19 01:00:52
Google Search for "suzuki gsx-r 750 motorcycle for sale" on 8/10/19 01:00:52
Bing Search for "cycletrader" on 8/10/19 01:00:24
Bing Search for "espn" on 8/10/19 06:15:03
Internet Usage is consistent with search times
No recorded usage between 01:03:20 and 06:04:30
Edge/Internet Explorer History records File Access within Windows Explorer
file:///C/Users/bop19012/Desktop/SHU ORDERLY REQUEST 42214.rtf
8/10/2019 12:44:53 AM
Not Located on the Desktop
Potential other files accessed — will continue in depth search
Artifacts indicate that the user profile was used to watch Django Unchained 2012 DVDSCR XVI,
but this took place on 5/12/2019 12:00:30 PM
Three Network Shares:
\\NYMC_APPS_SERVER\APPS
\\NYMC_GRPS_SERVER\GRPS
\\NYMC_HOME_SERVER\HOME\HOME\BOP19012
Review "AXIOM - BOP61232 - Z6E8K1EV" Case in Magnet AXIOM Examine 3.4.1.15164
Network Usage with BOP Applications
\\NYMC_APPS_SERVER\APPS\BOPAPPS\Roster\Ver3.1\Roster.accde
Google Search for "epp" on 8/10/2019 04:31:33
Google Search for "unum insurance" on 8/10/2019 04:36:00
Google Search for " usajobs" on 8/10/2019 04:39:01
Google Search for "furniture bronx ny" on 8/10/2019 04:48:23
Google Search for "ashleys furniture" on 8/10/2019 04:52:12
Google Search for "KENYATTA TAISTE" on 8/10/2019 05:38:55
Google Search for "latest on epstein in jail" on 8/10/2019 05:42:56 & 8/10/2019 05:52:29
Google Search for "latest on omar amanat" on 8/10/2019 05:53:02
Google Search for "law enforcement discounts" on 8/10/2019 06:17:23
Bing Search for "calendar 2019" on 8/10/2019 4:33:13 AM
Internet Usage: 8/10/19 03:56:00 to 8/10/19 06:19:12
Three Network Shares:
\\NYMC_APPS_SERVER\APPS
\\NYMC_GRPS_SERVER\GRPS
\\NYMC_HOME_SERVER\HOME\HOME\BOP61232
Briefed ASAC on preliminary findings.
Phone conference with ASAC and Case Agent regarding preliminary findings.
Use Magnet AXIOM Process 3.4.1.15164
Add the Z6E8M349 image into AXIOM Process
Z6E8M349 contains three partitions:
Partition 1 (EXT-family, 165.85MB)
Partition 2 (Microsoft NTFS, 95MB) — System Reserved
Partition 3 (Microsoft NTFS, 465.51 GB)
Unpartitioned Space
Search archives and mobile backups is turned on
Calculate hash values is turned off to speed up processing time.
Uncheck "Find more artifacts" to speed up processing time.
Attempts to locate and parse SQLite Databases
Processing Started
Processing Completed Successfully
Summary:
Start Time: Aug 14, 2019 12:42:01
End Time: Aug 15, 2019 02:47:05
Search Duration: 14:04:51
Indexing Duration: 00:00:50
Search Outcome: Success
Final results of search:
$LogFile Analysis: 17080 items
AmCache Device Containers: 39 items
AmCache Driver Binaries: 270 items
AmCache Driver Packages: 17 items
AmCache File Entries: 807 items
AmCache Pnp Devices: 96 items
AmCache Program Entries: 152 items
AmCache Shortcuts: 1202 items
Audio: 3352 items
AutoRun Items: 888 items
Backpage Ads: 4 items
Carved Archives (content not searched): 11656 items
Carved Audio: 2655 items
Carved Video: 1346 items
Carved WebM Video: 59 items
Classifieds URLs: 54311 items
Cloud Services URLs: 65 items
Craigslist Ads: 20 items
CW Documents: 15 items
Dating Sites URLs: 16 items
Edge/Internet Explorer 10-11 Content: 2623231 items
Edge/Internet Explorer 10-11 Cookies: 64396 items
Edge/Internet Explorer 10-11 Daily/Weekly History: 224242 items
Edge/Internet Explorer 10-11 Dependency Entries: 4903 items
Edge/Internet Explorer 10-11 Downloads: 123 items
Edge/Internet Explorer 10-11 Main History: 340974 items
Email Attachments: 6 items
EML(X) Files: 324 items
Encrypted Files: 175 items
Encryption / Anti-forensics Tools: 7 items
Excel Documents: 126 items
Facebook Chat: 379 items
Facebook Pages: 11 items
Facebook URLs: 2475 items
File Associations: 2173 items
File System Information: 3 items
Firefox Add-ons: 1 items
Firefox Bookmarks: 13 items
Firefox Cache Records: 11312 items
Firefox Cookies: 794 items
Firefox Favicons: 27 items
Firefox FormHistory: 8 items
Firefox Input History: 1 items
Firefox SessionStore Artifacts: 238 items
Firefox Web History: 175 items
Firefox Web Visits: 230 items
Flash Cookies: 4890 items
Gmail Webmail: 210 items
Google Analytics First Visit Cookies: 3420 items
Google Analytics First Visit Cookies Carved: 8876 items
Google Analytics Referral Cookies: 3187 items
Google Analytics Referral Cookies Carved: 7584 items
Google Analytics Session Cookies: 1816 items
Google Analytics Session Cookies Carved: 4525 items
Google Analytics URLs: 682 items
Google Analytics URLs Carved: 278 items
Google Maps: 764 items
Google Maps Queries: 247 items
Google Maps Tiles: 714 items
Google Searches: 19466 items
Google WebP Images: 37 items
Hangul Word Processor: 2 items
Identifiers: 3177 items
IE InPrivate/Recovery URLs: 18 items
Installed Microsoft Programs: 304 items
Installed Programs: 225 items
Internet Explorer Cookies: 219421 items
Internet Explorer Daily History: 2 items
Internet Explorer Favorites: 4147 items
Internet Explorer Main History: 11 items
Internet Explorer Typed URLs: 1968 items
IP Addresses - Audio/Video Calls: 1 items
Jump Lists: 14133 items
Keyword Searches: 213 items
Known DLLs: 56 items
LNK Files: 52485 items
Malware/Phishing URLs: 43 items
MRU Folder Access: 441 items
MRU Opened/Saved Files: 2441 items
MRU Recent Files & Folders: 9614 items
MUICache: 22994 items
Network Interfaces (Registry): 2 items
Network Profiles: 3 items
Network Share Information: 707 items
Operating System Information: 2 items
Parsed Search Queries: 16364 items
PDF Documents: 1895 items
Photoshop Files: 90 items
Pictures: 866412 items
Pornography URLs: 1 items
Potential Browser Activity: 66631 items
Potential Facebook Pictures: 2063 items
PowerPoint Documents: 81 items
Prefetch Files - Windows XP/Vista/7: 294 items
QuickBooks Files: 77 items
Rebuilt Webpages: 38485 items
Remote Desktop Protocol: 54 items
RTF Documents: 1150 items
Safari History: 3 items
Shellbags: 18841 items
Shipping Site URLs: 266 items
Social Media URLs: 2511 items
Startup Items: 273 items
System Services: 905 items
Tax Site URLs: 316 items
Text Documents: 86855 items
Timezone Information: 1 items
Torrent URLs: 8 items
USB Devices: 156 items
User Accounts: 278 items
UserAssist: 9903 items
Videos: 5588 items
VLC Recently Played Files: 78 items
Web Video Fragments: 32 items
WebKit Browser Web History (Carved): 250 items
Windows Event Logs: 350501 items
Windows Logon Banner: 1 items
Word Documents: 3665 items
WordPerfect Files: 12 items
Yahoo! Non-Encrypted Chat: 417 items
Use Magnet AXIOM Examine 3.4.1.15164
Load "AXIOM - Z6E8M349" Case for Z6E8M349 Image
Time Zone settings changed to EST (with Daylight Savings)
Build Timeline
Completed Successfully
Build Connections
Completed Successfully
Use Magnet AXIOM Process 3.4.1.15164
Add the Z6E8K1EV image into AXIOM Process
Z6E8K1EV contains one partition:
Partition 1 (Microsoft NTFS, 465.76)
Unpartitioned Space
Search archives and mobile backups is turned on
Calculate hash values is turned off to speed up processing time.
Uncheck "Find more artifacts" to speed up processing time.
Attempts to locate and parse SQLite Databases
Processing Started
Experienced a Timeout Error during Processing
Stuck at 15.5% processing on All Files and Folders for 3 hours
Data Processor #9 timeout info:
Current search item: Data Processor 9: Searching [ROOT]\Windows\MEMORY.DMP at offset 54525952
See TimeoutInfo 8-15 Log for additional information
Attached to Notes
Consulted with SSA regarding Timeout Error.
SSA noted that a logical image could be created of the user profile and Windows folder for analysis
Launch EnCase 8.07.00.93 and open 2019-010614 Case
Z6E8K1EV Image opened
All Files Selected for Image
MEMORY.DMP unselected
Only BOP 19012 user checked
Program Files and Program Files (x86) unchecked
Size is over 300 GB
"ao" unchecked as it is empty
Recycle Bin not checked as user bop19012 had no files in Recycle Bin
Acquire Logical Evidence File
Set as L01 with Compression
Approximately 150GB of data
Begin Image Creation
Completed Successfully
Use Magnet AXIOM Process 3.4.1.15164
Add the Z6E8K1EV Logical image into AXIOM Process
Search archives and mobile backups is turned on
Calculate hash values is turned off to speed up processing time.
Uncheck "Find more artifacts" to speed up processing time.
Attempts to locate and parse SQLite Databases
Processing Started
Processing Completed Successfully
Summary:
Start Time: Aug 15, 2019 13:12:45
End Time: Aug 15, 2019 15:16:12
Search Duration: 02:03:15
Indexing Duration: 00:00:14
Search Outcome: Success
Final results of search:
$LogFile Analysis: 16649 items
AmCache Device Containers: 23 items
AmCache Driver Binaries: 262 items
AmCache Driver Packages: 16 items
AmCache File Entries: 636 items
AmCache Pnp Devices: 95 items
AmCache Program Entries: 139 items
AmCache Shortcuts: 1118 items
Audio: 689 items
AutoRun Items: 604 items
Carved Archives (content not searched): 361 items
Carved Audio: 1063 items
Carved Video: 657 items
Carved WebM Video: 9 items
Classifieds URLs: 1446 items
Cloud Services URLs: 13 items
CSV Documents: 2 items
Edge/Internet Explorer 10-11 Content: 90701 items
Edge/Internet Explorer 10-11 Daily/Weekly History: 8754 items
Edge/Internet Explorer 10-11 Main History: 18062 items
Email Attachments: 2 items
EML(X) Files: 6 items
Encrypted Files: 5 items
Encryption / Anti-forensics Tools: 4 items
Excel Documents: 88 items
Facebook URLs: 89 items
File Associations: 2126 items
File System Information: 1 items
Firefox SessionStore Artifacts: 122 items
Flash Cookies: 444 items
Google Analytics First Visit Cookies Carved: 622 items
Google Analytics Referral Cookies Carved: 548 items
Google Analytics Session Cookies Carved: 344 items
Google Analytics URLs: 2 items
Google Analytics URLs Carved: 2 items
Google Maps: 16 items
Google Maps Queries: 7 items
Google Searches: 714 items
Google WebP Images: 1 items
Hangul Word Processor: 1 items
Identifiers: 893 items
Installed Microsoft Programs: 300 items
Installed Programs: 194 items
Internet Explorer Favorites: 14 items
Known DLLs: 56 items
LNK Files: 3059 items
Malware/Phishing URLs: 4 items
Network Interfaces (Registry): 2 items
Network Profiles: 3 items
Operating System Information: 2 items
Parsed Search Queries: 931 items
PDF Documents: 229 items
Photoshop Files: 23 items
Pictures: 115767 items
Pornography URLs: 1 items
Potential Browser Activity: 17325 items
PowerPoint Documents: 5 items
Prefet
Document Details
SHA-256: 93cd55b29df5d5a111782958027daa82b7fc40c4e4ad8e663ee79734888cfb31
Bates Number: EFTA00128267
Dataset: DataSet-9
Document Type: document
Pages: 66