JLane Week 6 Forensic Report

School: Champlain College
Course: 360
Subject: Information Systems
Date: Dec 6, 2023
Pages: 8

Forensic Analysis Report

Case Number: 18CSP01234
Suspect: Christina “Tina” Oodle
Examiner: Janielle Lane
Agency: Champlain College Police Department
Date of Report: Week 6 – October 8, 2023

Case Information:

Department: Champlain College Police Department
Incident Number: 18CSP01234
Investigator: Janielle Lane
Victim: Walter Emerson
Suspect: Christina “Tina” Oodle
Date of Incident: 5/12/2018
Location: Burlington, VT area
Nature of Incident: 13 V.S.A. § 2002 – False Pretenses
Attachments: Chain of custody documentation; Copy of Evidence Handling Protocols; Evidence images

Evidence:

Evidence Number | Item Name | Size | Description
3 | Seagate Momentus.E01 | 49.68 GB | Forensic image of Hard Drive
4 | Toshiba Laptop | | DESKTOP-T5DSQ80

Initial Complaint:

Walter Emerson presented to the CCPD at approximately 1600 on May 16, 2018. He wished to file a report regarding $1,500 missing from his Bank of Vermont checking account. Mr. Emerson noted the transactions when reviewing his bank statement. One check for $500 was cashed at “Burlington Check Cash”, and the other check for $1,000 was cashed at a business in Winooski. Mr. Emerson reports never visiting either of these locations at any point in the past.

Mr. Emerson reports that he recently made friends with an individual online with whom he has been communicating frequently through both e-mail and Facebook from May 1, 2018 until approximately May 12, 2018. This individual, believed to be Christina “Tina” Oodle, had mentioned financial struggles to Mr. Emerson in the past, and he had subsequently mailed her checks on three separate occasions; two checks in the amount of $75 each, and one for $275. Mr. Emerson reports that since her receipt of the last check, he has not been able to connect with Ms. Oodle via any method. He reports that she is the only other individual who could have access to his account information.

On May 15, 2018, Officer Jackson responded to a call for possible theft at City Market. Upon responding, Officer Jackson was given a description of the suspect, who had since fled the scene, by the reporter, an employee named Mr. Scout. The suspect was described as a tall, slender female, with brown, shoulder-length hair. Shortly after, Officer Jackson came upon a pedestrian fitting that description, who when approached gave her name as Ms. Christina Oodle; DOB 2/25/1980. Ms. Oodle admitted that she had fled from City Market, not because of committing theft, but because she felt “harassed”. Ms. Oodle eventually admitted to taking a pack of gum from the store, and presented it to Officer Jackson. Visual confirmation was made by Mr. Scout via a drive-by with another officer, and Ms. Oodle was taken into custody for the charge of Retail Theft. Upon processing at Burlington Police Department, it was found that Ms. Oodle had an active warrant for her arrest, and she was transported and lodged at the Chittenden Regional Correctional Facility.

The following possessions were on Ms. Oodle’s person at the time of her processing, and were secured in evidence storage at CRCF:

• A black Toshiba laptop
• Black Eddie Bauer backpack
• A pair of Black husky gloves
• A Gerber pocket knife; grey
• Blank checks #187-191
  o Made out to “Tina Oodle”, with “Walter Emerson” typed in the signature area, dated for 5/14/18
  o Routing number (101011001); Account number (10012300123)
• Pack of gum
• Piece of white paper with “Water Emerson” written in 6 different sizes/fonts – none matched the signature on the checks.

The report made by Mr. Walter Emerson to CCPD on 5/16/18 referenced two checks coming from his bank account that were not written by him: checks #185 ($500) and #186 ($1,500), which fall in sequential order with the blank checks that were in Ms. Oodle’s possession at the time of her arrest. The account and routing numbers of the aforementioned checks are the same as those of checks #185 and 186, from Mr. Emerson’s account. This directly connects Ms. Oodle to the fraudulent checks from Mr. Emerson’s account.

Scope of Request:

The parameters of the requested analysis are first to identify Ms. Oodle as the owner of the device from which the hard drive being analyzed comes, and also to locate information on the communications between Mr. Emerson and Ms. Oodle, especially conversations where financial matters are discussed, and any other evidence in relation to financial crimes.

Authority to Search:

A search warrant was submitted on 10/1/2023, and has since been approved in case number 18CSP01234, to look at the hard drive of the Toshiba laptop that was taken into custody at the time of her arrest for retail theft/open warrant on 5/15/18 at approximately 2100. The purpose of the digital analysis of the hard drive is to review the following information:
• System/Network settings
• User profiles
• Transactions
• Search history
• E-mail
• Social Media
• Saved files – documents/images etc.
• Downloads

Forensic Software Used:

Software | Version
Magnet Axiom Examine | V5.10.0.30634
Autopsy | 4.19.13
XWays Forensics |

Summary of Findings:

Utilization of the abovementioned forensic tools provided insight into the hard drive located within the Toshiba laptop (Seagate Momentus.E01), taken into custody at the time of Ms. Oodle’s arrest on 5/15/18. The first utilization of the hard drive was 4/29/18, which is right before the interactions between Ms. Oodle and Mr. Emerson began. Review of user accounts showed just one primary user account, named “Tina”, which had social media data linked to the account previously identified as belonging to Ms. Christina “Tina” Oodle (www.facebook.com/tina.oodle5), e-mail data from an account that has previously been identified as being registered to Ms. Christina “Tina” Oodle (tinalovestocook6@gmail.com), and all browser data, including downloads, under this account. This solidifies that Ms. Oodle is indeed the owner and sole user of this hard drive.

Frequent communication between Mr. Emerson and Ms. Oodle was also present on the hard drive, including messages where Ms. Oodle mentioned financial difficulties, and Mr. Emerson offered to send her money.

Analysis of the hard drive provided information linking Ms. Oodle to the placement of the flyer that first led to Mr. Emerson contacting her. The PDF for the flyer was found to be saved on the desktop, and the browser search history showed a Google search for “Where can I post flyers in Burlington Vermont”. Review of Google Maps data also found a driving route from 220 Flynn Avenue, Burlington VT to a few local businesses, including Brigantes, where Mr. Emerson reported that he found the flyer.

Review of the Google browser history showed searches for such topics as “Anatomy of a Check”, from 5/6/18 at 1731, “hot new scams 2018”, from 4/29/18 at 1642, and “how much does a truck driver make”, from 5/6/18 at 1741, just to name a few. There was also history of a YouTube video called “How to Conduct a Romance Scam”, from 4/29/18 at 1645.

The documents saved on the hard drive include not only the flyer mentioned above, but also a blank check template document that matches the checks that were taken into possession at the time of Ms. Oodle’s arrest. Included in this document were the checks that were cashed from Mr. Emerson’s checking account; numbers 185 and 186.

Previous analysis of Google account data for the e-mail address connected to Ms. Oodle provided an IP address that was sourced back to Paris, France (104.156.210.171). An application called “NordVPN” was found to be installed on the system, and it was first accessed on 4/29/18 at approximately 1526. This program is designed to mask a user’s IP address. With Ms. Oodle located in Burlington, VT, and the IP address sourced to Paris, France, this shows her intent to use the VPN in an attempt to hide her online movements.

Analysis and Exhibits:

Seagate Momentus.E01 – Operating System, User profiles, Documents, Media, E-mail, Social Networking, Downloads, Browser history, Encryption, Communication
Approximately 177,519 digital artifacts

Evidence Description

Seagate Momentus.E01 was forensically imaged from the hard drive of the Toshiba laptop found in Ms. Oodle’s backpack at the time of her arrest. The hard drive had 49.68GB on it at the time of imaging. The laptop was named DESKTOP-T5DSQ80 (per the hard drive analysis), and was in relatively new condition. There were some minor scuffs, scratches, or other types of damage noted on the laptop, which could be attributed to frequent travel within the backpack without a protective sleeve/covering. All components appeared to be intact/not tampered with. The laptop was running Windows 10 Education, and was set to EST.

The forensic image, Seagate Momentus.E01, has the following hash value: 9C191B13756E36131E2919A6A0713724 (located using XWays Forensics). Per AXIOM, there were 177,519 digital artifacts located on the hard drive.

Examination of Evidence

Seagate Momentus.E01

This forensic image was analyzed using three separate forensic applications: XWays Forensics, AXIOM, and Autopsy. All three programs were found to be updated to the newest version, and were tested prior to use for this analysis.

In regard to determining the owner/primary user of the system, the primary user account in use was called “Tina”. The data under the user profile included e-mail communication from the known e-mail of Ms. Oodle (tinalovestocook6@gmail.com), and all Facebook data was found to come from the account that is known to be registered to Ms. Oodle (www.facebook.com/tina.oodle5). There is no other activity under the other accounts on the system (Guest, Admin, or Default). The culmination of this information supports that Ms. Oodle is the owner, and sole user, of the laptop that houses the hard drive being analyzed.

A program called “NordVPN” was downloaded to the system on 4/29/18 and was used on the following days: 4/29 and 4/30; 5/1, 2, 4, 6, 8, 9, 10, 11, 12, 13. All of these days, except 5/13/18, were days when Ms. Oodle communicated with Mr. Emerson either via Facebook or Gmail. When Google data was analyzed prior, the IP address associated with the account was sourced back to Paris, France (104.156.210.171). This shows the use of the VPN as a way to mask her IP address.

On 5/4/18, a program called GIMP (GNU Image Manipulation Program) was downloaded through a peer-to-peer sharing site called “utorrent”. This program is designed to allow the user to manipulate images in a multitude of ways including photo retouching, image composition and image authoring.

A review of e-mail communication through AXIOM provided a number of e-mails between Ms. Oodle’s e-mail (identified above) and Mr. Emerson’s e-mail (vermonttruckdriverretired@gmail.com), between 5/2/2018 and 5/12/2018. These were, in fact, the only e-mails found except for Facebook notifications. The first e-mail exchange between the two individuals is general conversation as well as Ms. Oodle giving Mr. Emerson information on how to find her Facebook account. The first e-mail chain where money is brought up occurs on 5/4/18, with an e-mail from Mr. Emerson advising that he was “heading to the post office”, at 3:23pm. Ms. Oodle responds shortly after, thanking Mr. Emerson and complimenting his kindness.

Review of Facebook data through Autopsy shows that Ms. Oodle, whose Facebook link is www.facebook.com/tina.oodle5, had only one friend on her account, Mr. Emerson, whose account is www.facebook.com/walter_emerson.5817. There is evidence that they played games together, and exchanged messages back and forth, including messages where Ms. Oodle mentioned her financial troubles, including the inability to pay her internet bill, and the exchange regarding her car breaking down that occurred on 5/11/18.

Most of the significant evidence was found through analysis of the web search history and visited sites, which showed the following notable search topics:

• 4/29/18
  o “What is my ip address?”
  o “hot new scams 2018”
  o “Hotscams.com”
  o “Nigerian Love Scammers Busted in Malaysia”
  o “Romance Scam”
  o “how to earn money quickly”
  o Youtube – “How to Conduct a Romance Scam”
  o “where to post flyers in Burlington Vermont”
• 5/6/18
  o “how much does a truck driver make?”
  o “checks.com”
• 5/11/18
  o “checks images”
• 5/12/18
  o “utorrent.com”

Finally, review of the various documents saved on the hard drive provided significant evidence including the flyer that Mr. Emerson discovered at Brigantes that prompted him to contact Ms.
Oodle. Per the metadata viewed through XWays Forensics, this document was created on 4/29/18 at 1652, and a Google Map route for local restaurants, including Brigantes where Mr. Emerson came across the flyer, was saved to the system at 1646.

A blank check template was downloaded and saved on 5/12/18, and from that template, the checks found in the possession of Ms. Oodle were derived. That document was created on 5/12/18 at 2034, and had layouts for checks number 185 through 191. Checks numbered 185 and 186 matched those that were fraudulently cashed from Mr. Emerson’s account.

Overall, the analysis of the hard drive came back with nothing else of significance, except that it is important to note that there is no evidence of Ms. Oodle communicating with any other individual, limiting the likelihood of her working in conjunction with another individual.

Evidence of Ownership

The primary user account utilized on the system is labeled “Tina”, and is the only one with any web search data, communication history, and other signs of use. All search history was in relation to romance scams, local restaurants, and multiple sites in relation to check printing, and her e-mail address and Facebook account were the only ones accessed. The other user accounts, “Administrator”, “Guest” and “Default”, did not have data associated with them.

Timeline Analysis

4/29/2018 | First use of the computer by Ms. Oodle – e-mail and Facebook set-up | DESKTOP-T5DSQ80
4/29/18 | Poster.pdf – “Single?”…with Tina’s contact information – same one Mr. Emerson reported responding to | Seagate Momentus.E01 – Saved Documents
4/29/18 | Check Layout Design.pdf – instructions on how to design/adjust checks | Seagate Momentus.E01 – Saved Documents
4/29/18 | Directions to post flyers – Google Maps | Seagate Momentus.E01 – Saved Documents
4/29/18 | Google Searches: “what is my ip address?”; “hot new scams 2018”; “where can I post flyers Burlington Vermont?”; “how to get money quickly” | Seagate Momentus.E01 – Chrome search history
4/29/18 | Download and installation of NordVPN | Seagate Momentus.E01 - Applications
4/29/18 | https://en.wikipedia.org/wiki/Romance_scam | Seagate Momentus.E01 – Browser History
5/6/18 | https://www.checksconnect.com/htm/anatomyOfACheck.htm – researching the anatomy of a check | Seagate Momentus.E01 – Browser History
5/6/18 | Google Search – “how much does a truck driver make” | Seagate Momentus.E01 – Chrome search history
5/12/18 | Google Search – “gimp photo editor” | Seagate Momentus.E01 – Chrome search history
5/12/18 | Download of GIMP photo editor - http://download-hr.utorrent.com/track/stable/endpoint/utorrent/os/windows | Seagate Momentus.E01 – Browser History
5/12/18 | First download of check image template by Tina | Seagate Momentus.E01 – Downloads
5/12/18 | Creation of blank checks numbered 184 – 191, with a typed signature of “Walter Emerson” | Seagate Momentus.E01 – Documents

Closing Comments / Conclusions

Based on review of the evidence provided and the subsequent analysis, in conjunction with the information provided in the previous report submitted on 9/19/23, there is credible evidence that Ms. Christina “Tina” Oodle has committed False Pretenses, in violation of 13 V.S.A. § 2002. The blank checks, and the hard drive in the laptop found in the possession of Ms. Oodle at the time of her arrest on 5/15/18, provide probable cause that this crime was conducted against Mr. Walter Emerson.

The evidence outlined in this report ties ownership of the seized laptop to Ms. Oodle, and shows her researching such topics as blank checks, romance scams, photo editing, VPN use, and the anatomy of a check. Communication between Ms. Oodle and Mr. Emerson confirmed on this device matches that found on the device previously analyzed that is owned by Mr. Emerson.

Compilation and review of all the information thus far in this case, and all digital evidence analysis, supports the belief that Ms. Oodle is the suspect in reference to case #18CSP01234.

Analysis Start: 10/1/23
Analysis End: 10/3/23

End of report.