John B. Baird

 

Computer Forensic Portfolio

Bradenton, FL

Open to relocation

941-363-1144

johnbairdpc at gmail dot com

 

Computer Forensic Investigation of Abetting Burglary

 

John B. Baird

 

Case brief 1

 

[SUSPECT] is an employee of [VICTIM COMPANY]. One day when leaving work, during a routine security search of all employees exiting the building, [SUSPECT] was found to have a compact flash memory card hidden under the sole of his shoe. The security guard suspects that [SUSPECT] was smuggling out sensitive company information in order to sell it to the highest bidder. The security guard believes the information was wanted by burglars. A seizure of the compact flash drive was performed in a manner consistent with recommendations found in Electronic Crime Scene Investigation: A Guide for First Responders. The compact flash drive was entered into evidence according to agency policy and I verified that the compact flash memory card belongs to [VICTIM COMPANY]. [VICTIM COMPANY] gave signed written permission to [REDACTED] to conduct an investigation, making the use of a search warrant unnecessary. The compact flash memory card was submitted for examination.

 

Objective: To determine whether [SUSPECT] was smuggling out sensitive company information in order to assist in criminal activity against [VICTIM COMPANY].

 

Computer type: n/a

 

Operating system: n/a

 

Offense: Abetting burglary

 

Case agent: Investigator John B. Baird

 

Evidence number: [REDACTED]

 

Chain of custody: See attached form.

 

Where examination took place: Remote.

 

Tools used: UltraBlock Forensic Card Reader, Guidance Software EnCase, HashTool.

 

Processing

 

Assessment: Reviewed the case investigator's request for service. The signed written permission to [REDACTED] provided legal authority. The investigator was interested in finding all information pertaining to smuggling of company information that would aid in possible burglary. It was determined that the equipment needed was available in the forensic lab.

 

Imaging: Compact flash memory card was set to have a digital duplication made:

 

1. The compact flash memory card was examined and photographed.

 

a. The hardware was examined and documented.

 

b. The compact flash memory card was connected to the UltraBlock Forensic Card Reader with the device set to “write block” mode to prevent changing any digital evidence on the drive.

 

c. EnCase made a bit-by-bit image transfer of the compact flash memory card.

 

d. SHA-1 hash values of the compact flash memory card and of the compact flash memory card image were compared with EnCase, verifying the image as a forensically sound duplication.

 

e. SHA-1 hash values of the compact flash memory card and of the compact flash memory card image were compared a second time with HashTool, again verifying the image as a forensically sound duplication.

 

f. The compact flash memory card was logged and locked into an evidence locker.
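The hash comparison in steps d and e can be sketched as follows. This is an added example, not part of the original report and not a reproduction of EnCase or HashTool; the function names, the chunk size and the sample data are assumptions made for illustration.

```python
import hashlib
import io

CHUNK = 64 * 1024   # read size; also the granularity of the mismatch report

def verify_image(source, image, chunk=CHUNK):
    """Hash two binary streams with SHA-1 in one pass and compare them.

    Returns (source_sha1, image_sha1, first_bad_offset). The offset is the
    start of the first chunk that differs, or None when the streams match.
    Assumes buffered streams whose read(n) returns n bytes until EOF.
    """
    h_src, h_img = hashlib.sha1(), hashlib.sha1()
    first_bad, offset = None, 0
    while True:
        a, b = source.read(chunk), image.read(chunk)
        if not a and not b:
            break
        h_src.update(a)
        h_img.update(b)
        if first_bad is None and a != b:
            first_bad = offset
        offset += chunk
    return h_src.hexdigest(), h_img.hexdigest(), first_bad

def same_digest(reported_a, reported_b):
    """Compare digests as two tools print them (case and spacing vary)."""
    norm = lambda s: "".join(s.split()).lower()
    return norm(reported_a) == norm(reported_b)

def demo():
    card = bytes(range(256)) * 1024               # constructed 256 KiB "card"
    damaged = bytearray(card)
    damaged[70000] ^= 0xFF                        # one flipped byte in the copy
    good = verify_image(io.BytesIO(card), io.BytesIO(card))
    bad = verify_image(io.BytesIO(card), io.BytesIO(bytes(damaged)))
    return good, bad
```

The chunk offset returned on a mismatch shows where the copy diverges from the source, which helps separate a truncated image from a read error in the middle of the media.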

 

Examination: The compact flash memory card directory and file structures, including file dates and times, were recorded. A search was conducted. It was determined that this compact flash memory card was used in a Nikon Coolpix 5700 digital camera. Two deleted images were found that came directly from a computer. Both images depicted “[VICTIM COMPANY ADDRESS]”, which shows the layout of a building with sections labeled “Reception”, “Lab”, “Break Room”, “Vault” and “Shipping”. Within folders created automatically by the Nikon Coolpix 5700 digital camera were five images: one undeleted image and four deleted images, all depicting jewelry.

 

REPORT OF MEDIA ANALYSIS

 

MEMORANDUM FOR:

 

[REDACTED]

 

[REDACTED]

 

[REDACTED]

 

SUBJECT:

 

Forensic Media Analysis Report

 

SUBJECT: [SUSPECT]

 

Case Number: [REDACTED]

 

1. Status: Closed.

2. Summary of Findings:

 

* Files found appear to be normal employee productivity.

 

3. Items Analyzed:

 

TAG NUMBER: ITEM DESCRIPTION:

 

[REDACTED] SanDisk Compact Flash Memory card 1 GB, Serial # [REDACTED]

 

4. Details of Findings:

 

* Findings in this paragraph relate to the SanDisk compact flash memory card, Model 1 GB, Serial # [REDACTED], tag number [REDACTED].

 

1. The examined compact flash memory card was found to have been used with a Nikon Coolpix 5700 digital camera.

 

2. Deleted image “_KV2~1.JPG” discovered on root directory depicting “[VICTIM COMPANY ADDRESS]”, which shows the layout of a building with sections labeled “Reception”, “Lab”, “Break Room”, “Vault” and “Shipping”. File was last accessed on 03/04/11, file created on 03/04/11 08:39:18PM, last written on 03/04/11 08:39:18PM.

 

3. Deleted image “_KV2~1.TIF” discovered on root directory depicting “[VICTIM COMPANY ADDRESS]”, which shows the layout of a building with sections labeled “Reception”, “Lab”, “Break Room”, “Vault” and “Shipping”. Discovered hex information that indicates “_KV2~1.TIF” was created by a graphics program by Corel. File was last accessed on 03/04/11, file created on 03/04/11 08:39:18PM, last written on 03/04/11 08:39:18PM.

 

4. Hidden file “NIKON001.DSC” on root directory, which indicates this compact flash memory card was used in a Nikon brand digital camera. File was last written on 03/04/11 09:11:12PM.

 

5. File “DSCN2065.TIF” located in “DCIM/100NIKON”, depicting a golden necklace photographed on a blue, felt-looking cloth flat surface. File was created on 03/04/11 09:12:38PM, last written on 03/04/11 09:12:38PM.

 

6. Deleted “_NFO.TXT” file located in “DCIM/100NIKON”, which contains information from the digital camera used for this compact flash memory card. Contains information of photo settings used for various pictures taken with this digital camera. “_NFO.TXT” contains hex information that matches all image files found within “DCIM/100NIKON”. Contains the model of camera 5700, “E5700V1.0”. File was created on 03/04/11 09:15:08PM, last written on 03/04/11 09:15:08PM.

 

7. Deleted “_SCN2066.JPG” file located in “DCIM/100NIKON”, which contains an image of a pearl necklace with a gold clasp photographed on a blue, felt-looking cloth flat surface. File was created on 03/04/11 09:13:22PM, last written on 03/04/11 09:13:22PM.

 

8. Deleted “_SCN2067.JPG” file located in “DCIM/100NIKON”, which contains an image of a gold rope-style bracelet, unhooked, photographed on a grey, felt-looking cloth flat surface. File was created on 03/04/11 09:13:58PM, last written on 03/04/11 09:13:58PM.

 

9. Deleted “_SCN2068.JPG” file located in “DCIM/100NIKON”, which contains an image of a gold thin ring with red / brown gem-looking stone, photographed on a grey, felt-looking cloth flat surface. File was created on 03/04/11 09:14:20PM, last written on 03/04/11 09:14:20PM.

 

10. Deleted “_SCN2069.JPG” file located in “DCIM/100NIKON”, which contains an image of a gold ring with raised top with a clear, diamond-like stone, photographed on a grey, felt-looking cloth flat surface. File was created on 03/04/11 09:15:08PM, last written on 03/04/11 09:15:08PM.

 

11. Images taken within “DCIM/100NIKON” match a Nikon model “Coolpix 5700”, evident from hex information containing the text “NIKON”, “E5700” and “e5700v1.0”.

 

12. Files found within “DCIM/100NIKON” whose names start with “_” were deleted; the names originally started with the letter “D”, which was changed to “_”. So “_SCN2066.JPG” was originally “DSCN2066.JPG”. This was likely done by the digital camera software and not by a user.
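The naming pattern in finding 12 and the hidden attribute in finding 4 can both be read from raw directory entries. The following is an added example, not part of the original report or of any tool named in it. It assumes the card is FAT-formatted (the report does not name the file system), where deletion overwrites the first name byte of the 32-byte entry with 0xE5, and it assumes the examination tool displays that byte as “_”. The directory bytes are constructed, using names and times from the findings above.

```python
import struct

ATTR_HIDDEN, ATTR_LFN, DELETED, END = 0x02, 0x0F, 0xE5, 0x00

def fat_pack(y, mo, d, h, mi, s):
    """Encode a timestamp as FAT (date, time) 16-bit words."""
    return ((y - 1980) << 9) | (mo << 5) | d, (h << 11) | (mi << 5) | (s // 2)

def fat_unpack(date, time):
    """Decode FAT date/time words to 'MM/DD/YY HH:MM:SS' (24-hour)."""
    return "%02d/%02d/%02d %02d:%02d:%02d" % (
        (date >> 5) & 0xF, date & 0x1F, (1980 + (date >> 9)) % 100,
        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def make_entry(name, ext, attr, stamp, deleted=False):
    """Build one constructed 32-byte short-name entry for the demo."""
    e = bytearray(32)
    e[0:11] = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    e[11] = attr
    if deleted:
        e[0] = DELETED               # what deletion does to the entry
    date, time = fat_pack(*stamp)
    struct.pack_into("<HH", e, 22, time, date)   # last-write time, date
    return bytes(e)

def parse_dir(raw):
    """Return (display_name, deleted, hidden, last_written) per entry."""
    rows = []
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == END:              # no entries after this slot
            break
        if (e[11] & 0x3F) == ATTR_LFN:   # long-name slot, not handled here
            continue
        deleted = e[0] == DELETED
        first = "_" if deleted else chr(e[0])    # assumed display convention
        base = (first + e[1:8].decode("ascii")).rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        wtime, wdate = struct.unpack_from("<HH", e, 22)
        rows.append((base + ("." + ext if ext else ""), deleted,
                     bool(e[11] & ATTR_HIDDEN), fat_unpack(wdate, wtime)))
    return rows

# Constructed directory: names and times taken from the findings above.
SAMPLE = b"".join([
    make_entry("NIKON001", "DSC", ATTR_HIDDEN, (2011, 3, 4, 21, 11, 12)),
    make_entry("DSCN2065", "TIF", 0x20, (2011, 3, 4, 21, 12, 38)),
    make_entry("DSCN2066", "JPG", 0x20, (2011, 3, 4, 21, 13, 22), deleted=True),
]) + bytes(32)
```

Under these assumptions the short entry no longer holds the original first character once the file is deleted, so the “D” is inferred from the surviving “DSCN2065.TIF” in the same folder rather than read from the entry.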

 

5. Conclusion: I have formed the conclusion that [SUSPECT] was not aiding in a burglary of [VICTIM COMPANY] but was simply taking a practically blank compact flash memory card home for personal use: suspected office supply theft. The images appear to have been taken by employees for normal business use and deleted by the digital camera when the images were no longer needed. [SUSPECT] or another employee likely copied the two layout files of the building, but because the images were deleted, it is not likely he intended to use the files for anything. The only file not deleted or hidden was one image of a golden rope-style necklace, which appears to have been created by the digital camera and not transferred from a computer. Because most users cannot access files once they are deleted and believe that a deleted file is gone for good, it is likely [SUSPECT] did not have any nefarious intentions beyond possibly borrowing or stealing a compact flash memory card for personal use.

 

This appears to be a petty theft violation because the compact flash memory card is valued under $100. A petty theft crime in the State of Florida is described as:

 

s. 775.082, s. 775.083, or s. 775.084, if the property stolen is valued at $100 or more, but less than $300, and is taken from a dwelling as defined in s. 810.011(2) or from the unenclosed curtilage of a dwelling pursuant to s. 810.09(1).

 

(3)(a) Theft of any property not specified in subsection (2) is petty theft of the second degree and a misdemeanor of the second degree, punishable as provided in s. 775.082 or s. 775.083, and as provided in subsection (5), as applicable.

 

http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL=0800-0899/0812/Sections/0812.014.html

 

It is worth noting that [VICTIM COMPANY] may allow users to take items such as compact flash memory cards home with them, although the way [SUSPECT] was smuggling the memory card in his shoe is questionable. Only [VICTIM COMPANY] can decide if this is the crime of petty theft or not.

 

6. Glossary:

 

* Imaging is the process of making an exact clone of a drive.

* SHA-1 is like a fingerprint of digital media used to ensure duplications are forensically sound clones of files.

* File structure is the arrangement of folders and files within digital media.

* Root directory is the very first (top level) folder in a file structure.

 

7. Items Provided: In addition to this hard copy report, one DVD was submitted with an electronic copy of this report. The report on DVD contains hyperlinks to the above-mentioned files and directories.

 
