John B. Baird

 

Computer Forensic Portfolio

Bradenton, FL

Currently Seeking Employment

Open to relocation

941-363-1144

johnbairdpc at gmail dot com

 

Draft Complete Interim Report

 

John B. Baird

 

Case brief 1

 

Bruce Armiter is an employee of Draft Complete. One day when leaving work, during a routine security search of all employees exiting the building, Armiter was found to have a compact flash memory card hidden under the sole of his shoe. The security guard suspects that Armiter was smuggling out sensitive company information in order to sell it to the highest bidder. The security guard believes the information was wanted by burglars. A seizure of the compact flash memory card was performed in a manner consistent with recommendations found in Electronic Crime Scene Investigation: A Guide for First Responders. The compact flash memory card was entered into evidence according to agency policy and I verified that the compact flash memory card belongs to Draft Complete. Draft Complete gave signed written permission to the Manatee County Sheriff’s Department to conduct an investigation, making a search warrant unnecessary. The compact flash memory card was submitted for examination.

 

Objective: To determine whether Armiter was smuggling out sensitive company information in order to assist in criminal activity against Draft Complete.

 

Computer type: n/a

 

Operating system: n/a

 

Offense: Abetting burglary

 

Case agent: Investigator John B. Baird

 

Evidence number: n/a

 

Chain of custody: See attached form.

 

Where examination took place: Criminal investigations unit.

 

Tools used: UltraBlock Forensic Card Reader, Guidance Software EnCase, HashTool.

 

Processing

 

Assessment: Reviewed the case investigator’s request for service. The signed written permission given to the Manatee County Sheriff’s Department provided legal authority. The investigator was interested in finding all information pertaining to the smuggling of company information that would aid in a possible burglary. It was determined that the equipment needed was available in the forensic lab.

 

Imaging: A digital duplicate of the compact flash memory card was made as follows:

 

1. The compact flash memory card was examined and photographed.

 

a. The hardware was examined and documented.

 

b. The compact flash memory card was connected to the UltraBlock Forensic Card Reader with the device set to “write block” mode to prevent changing any digital evidence on the drive.

 

c. EnCase made a bit-by-bit image transfer of the compact flash memory card.

 

d. SHA-1 hash values of the compact flash memory card and compact flash memory card image were verified as forensically sound duplications with EnCase.

 

e. SHA-1 hash values of the compact flash memory card and compact flash memory card image were verified as forensically sound duplications a second time with HashTool.

 

f. The compact flash memory card was logged and locked into an evidence locker.
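The hash comparison in steps d and e can be repeated independently of either tool. The following is an added example, not part of the original report or of EnCase or HashTool: it computes SHA-1 over a source stream and its image in chunks and, on a mismatch, reports the first differing byte offset. The function names and the in-memory sample data are constructed for illustration.

```python
import hashlib
import io

CHUNK = 1 << 20  # read 1 MiB at a time so large media never sit in memory

def sha1_stream(stream, chunk=CHUNK):
    """Return (hex digest, byte count) for everything left in the stream."""
    digest, total = hashlib.sha1(), 0
    while block := stream.read(chunk):
        digest.update(block)
        total += len(block)
    return digest.hexdigest(), total

def first_difference(a, b, chunk=CHUNK):
    """Offset of the first differing byte, or None if the streams are equal.
    Assumes read() returns full chunks until end of data (true for files)."""
    offset = 0
    while True:
        x, y = a.read(chunk), b.read(chunk)
        if x != y:
            for i, (p, q) in enumerate(zip(x, y)):
                if p != q:
                    return offset + i
            return offset + min(len(x), len(y))  # one stream is shorter
        if not x:
            return None
        offset += len(x)

def verify_image(source, image):
    """Compare a source and its image; both must be seekable binary streams."""
    src_hash, src_len = sha1_stream(source)
    img_hash, img_len = sha1_stream(image)
    result = {"source_sha1": src_hash, "image_sha1": img_hash,
              "source_bytes": src_len, "image_bytes": img_len,
              "match": src_hash == img_hash and src_len == img_len}
    if not result["match"]:
        source.seek(0)
        image.seek(0)
        result["first_diff"] = first_difference(source, image)
    return result

# Constructed sample data standing in for the card and two candidate images.
CARD = bytes(range(256)) * 64
GOOD_IMAGE = CARD
BAD_IMAGE = CARD[:5000] + bytes([CARD[5000] ^ 0xFF]) + CARD[5001:]

if __name__ == "__main__":
    print(verify_image(io.BytesIO(CARD), io.BytesIO(GOOD_IMAGE)))
    print(verify_image(io.BytesIO(CARD), io.BytesIO(BAD_IMAGE)))
```
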

 

Examination: The compact flash memory card directory and file structures, including file dates and times, were recorded. A search was conducted. It was determined that this compact flash memory card was used in a Nikon Coolpix 5700 digital camera. Two deleted images were found that came directly from a computer. Both images depicted “DraftComplete HQ 101 Main Street Annapolis, MD”, which shows the layout of a building with sections labeled “Reception”, “Lab”, “Break Room”, “Vault” and “Shipping”. Within folders created automatically by the Nikon Coolpix 5700 digital camera were five images: one undeleted image and four deleted images, all depicting jewelry.

 

REPORT OF MEDIA ANALYSIS

 

MEMORANDUM FOR:

 

Manatee County Sheriff’s Department

 

Investigator John B. Baird

 

Bradenton, FL 34205

 

SUBJECT:

 

Forensic Media Analysis Report

 

SUBJECT: ARMITER, BRUCE

 

Case Number: 001687

 

1. Status: Closed.

2. Summary of Findings:

 

* Files found appear to be normal employee productivity.

 

3. Items Analyzed:

 

TAG NUMBER: ITEM DESCRIPTION:

 

01236 SanDisk Compact Flash Memory card 1 GB, Serial # 1456123CF123

 

4. Details of Findings:

 

* Findings in this paragraph relate to the SanDisk compact flash memory card, Model 1 GB, Serial # 1456123CF123, tag number 01234.

 

1. The examined compact flash memory card was found to have been used with a Nikon Coolpix 5700 digital camera.

2. Deleted image “_LUEPR~1.JPG” discovered on root directory depicting “DraftComplete HQ 101 Main Street Annapolis, MD”, which shows the layout of a building with sections labeled “Reception”, “Lab”, “Break Room”, “Vault” and “Shipping”. File was last accessed on 03/04/04, file created on 03/04/04 08:39:18PM, last written on 03/04/04 08:39:18PM.

3. Deleted image “_LUEPR~1.TIF” discovered on root directory depicting “DraftComplete HQ 101 Main Street Annapolis, MD”, which shows the layout of a building with sections labeled “Reception”, “Lab”, “Break Room”, “Vault” and “Shipping”. Discovered hex information that indicates “_LUEPR~1.TIF” was created by a graphics program by Corel. File was last accessed on 03/04/04, file created on 03/04/04 08:39:18PM, last written on 03/04/04 08:39:18PM.

4. Hidden file “NIKON001.DSC” on root directory, which indicates this compact flash memory card was used in a Nikon brand digital camera. File was last written on 03/04/04 09:11:12PM.

5. File “DSCN2065.TIF” located in “DCIM/100NIKON”, depicting a golden necklace photographed on a blue, felt-looking cloth flat surface. File was created on 03/04/04 09:12:38PM, last written on 03/04/04 09:12:38PM.

6. Deleted “_NFO.TXT” file located in “DCIM/100NIKON”, which contains information from the digital camera used for this compact flash memory card. Contains information of photo settings used for various pictures taken with this digital camera. “_NFO.TXT” contains hex information that matches all image files found within “DCIM/100NIKON”. Contains the model of camera 5700, “E5700V1.0”. File was created on 03/04/04 09:15:08PM, last written on 03/04/04 09:15:08PM.

7. Deleted “_SCN2066.JPG” file located in “DCIM/100NIKON”, which contains an image of a pearl necklace with a gold clasp photographed on a blue, felt-looking cloth flat surface. File was created on 03/04/04 09:13:22PM, last written on 03/04/04 09:13:22PM.

8. Deleted “_SCN2067.JPG” file located in “DCIM/100NIKON”, which contains an image of a gold rope-style bracelet, unhooked, photographed on a grey, felt-looking cloth flat surface. File was created on 03/04/04 09:13:58PM, last written on 03/04/04 09:13:58PM.

9. Deleted “_SCN2068.JPG” file located in “DCIM/100NIKON”, which contains an image of a gold thin ring with red / brown gem-looking stone, photographed on a grey, felt-looking cloth flat surface. File was created on 03/04/04 09:14:20PM, last written on 03/04/04 09:14:20PM.

10. Deleted “_SCN2069.JPG” file located in “DCIM/100NIKON”, which contains an image of a gold ring with raised top with a clear, diamond-like stone, photographed on a grey, felt-looking cloth flat surface. File was created on 03/04/04 09:15:08PM, last written on 03/04/04 09:15:08PM.

11. Images taken within “DCIM/100NIKON” match a Nikon model “Coolpix 5700”, evident from hex information containing the text “NIKON”, “E5700” and “e5700v1.0”.

12. Files found within “DCIM/100NIKON” whose names start with “_” were deleted; the names originally started with the letter “D”, which was changed to “_”. So “_SCN2066.JPG” was originally “DSCN2066.JPG”. This was likely done by the digital camera software and not by a user.
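On FAT file systems, deleting a file overwrites the first byte of its short name in the 32-byte directory entry with 0xE5, and the entry stores creation and last-written times at two-second resolution but only a date for last access. The following is an added example, not part of the original report or of EnCase: it decodes one such entry and renders the lost first byte as “_” to match the names in the findings. The sample entry is constructed, with March 4, 2004 assumed for the timestamps and a made-up cluster and size.

```python
import struct
from datetime import date, datetime

# 32-byte FAT short-name directory entry (little-endian).
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")
DELETED, ATTR_HIDDEN, ATTR_LFN = 0xE5, 0x02, 0x0F

def fat_date(d):
    """Bits 15-9 year since 1980, 8-5 month, 4-0 day."""
    try:
        return date(1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F)
    except ValueError:          # unset or corrupt field
        return None

def fat_datetime(d, t, tenths=0):
    """Bits 15-11 hour, 10-5 minute, 4-0 seconds/2 (2-second resolution)."""
    day = fat_date(d)
    secs = (t & 0x1F) * 2 + tenths // 100   # creation adds 10 ms units
    try:
        return day and datetime(day.year, day.month, day.day,
                                t >> 11, (t >> 5) & 0x3F, secs)
    except ValueError:
        return None

def parse_entry(raw):
    """Decode one entry; None for end-of-directory or long-name entries."""
    (name, ext, attr, _nt, tenths, ctime, cdate, adate,
     clus_hi, wtime, wdate, clus_lo, size) = ENTRY.unpack(raw)
    if name[0] == 0x00 or attr & 0x3F == ATTR_LFN:
        return None
    deleted = name[0] == DELETED
    shown = b"_" + name[1:] if deleted else name   # first character is lost
    fname = shown.decode("ascii", "replace").rstrip()
    if ext.strip():
        fname += "." + ext.decode("ascii", "replace").rstrip()
    return {
        "name": fname, "deleted": deleted, "hidden": bool(attr & ATTR_HIDDEN),
        "created": fat_datetime(cdate, ctime, tenths),
        "written": fat_datetime(wdate, wtime),
        "accessed": fat_date(adate),   # FAT keeps an access date, no time
        "first_cluster": (clus_hi << 16) | clus_lo, "size": size,
    }

# Constructed sample entry (not taken from the evidence): a deleted JPG with
# every timestamp set to 2004-03-04 21:13:22; cluster and size are made up.
D = ((2004 - 1980) << 9) | (3 << 5) | 4
T = (21 << 11) | (13 << 5) | (22 // 2)
SAMPLE = ENTRY.pack(b"\xe5SCN2066", b"JPG", 0x20, 0, 0, T, D, D, 0, T, D, 5, 123456)

if __name__ == "__main__":
    for key, value in parse_entry(SAMPLE).items():
        print(f"{key:14} {value}")
```
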

 

5. Conclusion: I have formed the conclusion that Bruce Armiter was not aiding in a burglary of Draft Complete but was simply taking a practically blank compact flash memory card home for personal use: suspected office supply theft. The images appear to have been taken by employees for normal business use and deleted by the digital camera when the images were no longer needed. Bruce Armiter or another employee likely copied the two layout files of the building, but because the images were deleted, it is not likely he intended to use the files for anything. The only file not deleted or hidden was one image of a golden rope-style necklace, which appears to have been created by the digital camera and not transferred from a computer. Because most users cannot access files once they are deleted and believe that a deleted file is gone for good, it is likely Armiter did not have any nefarious intentions beyond possibly borrowing or stealing a compact flash memory card for personal use.

 

This appears to be a petit theft violation because the compact flash memory card is valued under $100. A petit theft crime in the State of Florida is described as:

 

s. 775.082, s. 775.083, or s. 775.084, if the property stolen is valued at $100 or more, but less than $300, and is taken from a dwelling as defined in s. 810.011(2) or from the unenclosed curtilage of a dwelling pursuant to s. 810.09(1).

 

(3)(a) Theft of any property not specified in subsection (2) is petit theft of the second degree and a misdemeanor of the second degree, punishable as provided in s. 775.082 or s. 775.083, and as provided in subsection (5), as applicable.

 

http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL=0800-0899/0812/Sections/0812.014.html

 

It is worth noting that Draft Complete may allow users to take items such as compact flash memory cards home with them, although the way Armiter was smuggling the memory card in his shoe is questionable. Only Draft Complete can decide if this is the crime of petit theft or not.

 

6. Glossary:

 

* Imaging is the process of making an exact clone of a drive.

* SHA-1 is like a fingerprint of digital media used to ensure duplications are forensically sound clones of files.

* File structure is the arrangement of folders and files within digital media.

* Root directory is the very first (top level) folder in a file structure.

 

7. Items Provided: In addition to this hard copy report, one DVD was submitted with an electronic copy of this report. The report on DVD contains hyperlinks to the above-mentioned files and directories.