Changing scrambled bits and revealing hidden information from a picture


Task 1: Recovering scrambled bits (5 Marks)

 

For this task I will upload a text file with scrambled bits on the subject site closer to the assignment due date. You will be required to restore the scrambled bits to their original order and copy the plain text in your assignment.

 

Deliverable: Describe the process used in restoring the scrambled bits and insert plain text in the assignment.
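One way to approach Task 1, as an added Python example that is not part of the assignment: because the actual file is only supplied later, the scrambling scheme used to build the sample input here (the bit order of every byte reversed) is an assumption. The recovery loop tries a set of reversible per-byte transforms and keeps the one whose output is most readable, which is the same check an examiner would apply by hand when deciding whether a candidate ordering is the right one.

```python
# Added example (not from the assignment): recovering text whose bits have been
# scrambled by an unknown but reversible per-byte transform. The scrambling
# scheme used for the sample input (reverse the bit order of every byte) is an
# ASSUMPTION; the recovery loop tries several candidate inverse transforms and
# keeps the one whose output looks most like readable text.
import string

PRINTABLE = set(string.printable)

def reverse_bits(b: int) -> int:
    """0b10110000 -> 0b00001101; this transform is its own inverse."""
    return int(f"{b:08b}"[::-1], 2)

def swap_nibbles(b: int) -> int:
    """0xA5 -> 0x5A."""
    return ((b & 0x0F) << 4) | (b >> 4)

def rotate_left(b: int, n: int) -> int:
    return ((b << n) | (b >> (8 - n))) & 0xFF

def invert(b: int) -> int:
    return b ^ 0xFF

# Candidate per-byte inverse transforms, tried in turn. Rotations by 1..7
# cover any constant bit rotation; the default argument pins n per lambda.
CANDIDATES = {
    "identity": lambda b: b,
    "reverse_bits": reverse_bits,
    "swap_nibbles": swap_nibbles,
    "invert": invert,
    **{f"rotate_left_{n}": (lambda b, n=n: rotate_left(b, n)) for n in range(1, 8)},
}

def text_score(data: bytes) -> float:
    """Fraction of bytes that decode to printable ASCII; 1.0 means fully readable."""
    return sum(chr(b) in PRINTABLE for b in data) / max(len(data), 1)

def unscramble(data: bytes):
    """Return (transform_name, recovered_bytes, score) for the best-scoring candidate."""
    best = None
    for name, fn in CANDIDATES.items():
        out = bytes(fn(b) for b in data)
        score = text_score(out)
        if best is None or score > best[2]:
            best = (name, out, score)
    return best

# Constructed sample: plain text scrambled by reversing the bits of each byte.
PLAINTEXT = b"The quick brown fox jumps over the lazy dog."
SCRAMBLED = bytes(reverse_bits(b) for b in PLAINTEXT)

if __name__ == "__main__":
    name, recovered, score = unscramble(SCRAMBLED)
    print(f"{name} (score {score:.2f}): {recovered.decode('ascii', 'replace')}")
```

The printable-ratio score is deliberately simple; if the supplied file turns out to be scrambled at a level other than single bytes (bits interleaved across the whole stream, for instance), the candidate list is the part to extend, not the scorer.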

 

Task 2: Revealing hidden information from an image (5 Marks)

 

For this task I will provide an image with hidden information in it. You will be required to reveal the hidden information.

 

Deliverable: Describe the process used to reveal the hidden information from the image and copy the revealed information in the assignment in plain text.
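For Task 2, an added Python example (not part of the assignment) of the hiding technique most often set in this kind of exercise: least-significant-bit (LSB) embedding in the pixel channel bytes of an image. The carrier layout (a 32-bit length header followed by the message, one bit per channel byte) and the 16x16 sample image are assumptions constructed for the example; a real image would be decoded to its raw channel bytes with an image library and passed to reveal_lsb() unchanged.

```python
# Added example (not part of the assignment): revealing a message hidden in the
# least significant bits (LSB) of an image's pixel bytes. The embedding layout
# (a 32-bit big-endian length header followed by the message, one bit per
# colour channel byte) and the sample cover image are ASSUMPTIONS constructed
# so the example runs offline.
import struct

def bytes_to_bits(data: bytes):
    """Yield the bits of each byte, most significant first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1

def bits_to_bytes(bits) -> bytes:
    """Pack a bit sequence (MSB first) into bytes, dropping any trailing partial byte."""
    bits = list(bits)
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))

def embed_lsb(pixels: bytearray, message: bytes) -> bytearray:
    """Construct the sample carrier: write length header + message into the LSBs."""
    payload = struct.pack(">I", len(message)) + message
    if len(payload) * 8 > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(bytes_to_bits(payload)):
        out[idx] = (out[idx] & 0xFE) | bit
    return out

def reveal_lsb(pixels: bytes) -> bytes:
    """Read the LSB of each channel byte, parse the length header, return the message."""
    if len(pixels) < 32:
        raise ValueError("carrier too small to hold a length header")
    lsbs = [b & 1 for b in pixels]
    (length,) = struct.unpack(">I", bits_to_bytes(lsbs[:32]))
    if length * 8 > len(lsbs) - 32:
        # A plausible header never claims more bits than the carrier holds;
        # this is the first sanity check when testing an image for LSB content.
        raise ValueError("declared length exceeds carrier capacity; not an LSB payload")
    return bits_to_bytes(lsbs[32:32 + length * 8])

def channel_lsb_ratio(pixels: bytes) -> float:
    """Proportion of set LSBs; smooth graphics sit far from 0.5, embedded text drifts toward it."""
    return sum(b & 1 for b in pixels) / len(pixels)

# Constructed 16x16 RGB cover image: a smooth gradient, 768 channel bytes.
WIDTH, HEIGHT = 16, 16
COVER = bytearray((x * 16 + c * 5) & 0xFF
                  for y in range(HEIGHT) for x in range(WIDTH) for c in range(3))
HIDDEN = b"hidden message for Task 2"
STEGO = embed_lsb(COVER, HIDDEN)

if __name__ == "__main__":
    print(reveal_lsb(STEGO))
    print(f"LSB ratio cover={channel_lsb_ratio(COVER):.3f} stego={channel_lsb_ratio(STEGO):.3f}")
```

The ratio check is what makes the example useful beyond the one layout it decodes: even when the header format is unknown, a band of channel bytes whose LSBs are close to evenly split in an otherwise smooth region is the usual first indication that something has been written there.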

 

Task 3: Forensics Report (20 Marks)

 

In this major task you take the role of a Digital Forensics Examiner. Considering a real or a hypothetical case, you are required to produce a formal report consisting of facts from your findings for the attorney who has retained you. You are free to choose a forensics scenario, which can be the examination of storage media (HDD, USB drive, etc.), a spoofed email, unscrambling bits, revealing information from an image or any other appropriate scenario you can think of.

 

Deliverable: A forensics report of 1800-2000 words.


 

ITC597 – Assignment 3

Signed: ________________________________ Witnessed: _______________________________

REPORT ON THE EXAMINATION OF A SAMSUNG NC10 NETBOOK COMPUTER (EXHIBIT 1234567/001)

BY
Phillip MAGNESS BA, BA (Police Studies), Dip. Policing, Grad.Dip.Computing, A+, N+, CCE
Senior Computer Forensic Examiner
Police Computer Forensic Team

CONTENTS
1. Scope
2. Summary of Findings
3. Custody of Exhibit
4. Assumptions and Limitations
5. Processes and Techniques
6. Acquisition of Exhibit 1234567/001
7. Analysis of Exhibit 1234567/001
Appendices 1-8

CASE REFERENCE: ITC597
DATE OF PRODUCTION: 18 April 2012

1. SCOPE

The scope of the examination that I conducted was based on the following Forensic Support Request, which was submitted by Constable James SMITH:

Request Details: Please examine 1 x Samsung NC10 laptop computer (exhibit 1234567/001) for evidence of the importation of cocaine. The suspect, known as “Billy Boy”, is alleged to have organised the import of two parcels of cocaine from China via EMS. The EMS Tracking references are: “E402233111CN” and “EE402233222CN”. In addition to the EMS Tracking numbers, the following keywords may be of assistance: “cocaine”, “EMS Tracking”, “Australia Post”, “drugs”, “customs”, “Billy Boy” and any other related items. The laptop was seized on 03 April 2010 at 02:00am during a search warrant on the suspect’s premises.

Request Objectives: Provision of a forensic report providing details of the examination of the computer and any results identified.

2. SUMMARY OF FINDINGS

The examination of the forensic image of exhibit 1234567/001 identified the following summary information in relation to the exhibit. A more detailed description of these results is provided in sections 6 and 7 of this report and the attached Appendices.

- The exhibit was a Samsung NC10 netbook computer which bore serial number “ZJ1123ZZ01644E”;
- The computer had an LCD screen which was visibly damaged. Only content on the right hand side of the screen could be viewed. The full screen content could be viewed if the computer was connected to an external monitor;
- The computer contained a single hard disk drive;
- The Microsoft Windows XP operating system was installed on the exhibit. The recorded installation date was 30 September 2010. The Registered Owner was recorded as “Billy_Boy”. The Computer Name was recorded as “BILLYSBOOK”;
- Two active, local user accounts titled “Billy” and “Benny” were present;
- The user account “Billy” required a password to access the account content. It had a last recorded logon of 02 Apr 2012 16:47:17 (UTC +1000);
- The user account “Benny” did not require a password to access the account content. It had a last recorded logon of 09 Dec 2010 11:57:19 (UTC +1000);
- Evidential material was only identified within the user account “Billy”;
- The setting of the internal computer clock was, at the time of examination, within 15 seconds of the correct time. This time bias needs to be considered when reviewing time and date stamps within this report;
- A file titled “m.dll” was identified on the Desktop of the “Billy” user account. This file had an incorrect file extension. When the correct file extension was applied, the two suspected EMS tracking numbers that are the subject of the investigation were identified. Evidence was identified that a user of the “Billy” user account had accessed the file on 01 April 2012;
- Two Australia Post web pages were recovered containing Tracking Information for the two suspected EMS tracking numbers that were subject to the Scope in this matter. The date and time of access to the web pages was recorded as occurring within two hours of search warrant execution;
- Google Chrome data records were recovered indicating the entry of the suspected EMS tracking numbers and financial transfers into an online form/database;
- A quantity of Google search terms and internet history records were recovered which contain search terms that may be relevant to the investigation. These include, but are not limited to: “where do I get cocaine from”, “importing cocaine”, “ems tracking” and “ems says handed over to customs”;
- Backup files for an Apple iPhone with the recorded mobile phone number of “+61 401 222 333” were present. SMS content was recovered which may be of relevance to the investigation;
- A record of an SMS message recorded with the Optus Wireless Broadband service was recovered with content that may be of relevance to the investigation;
- Two electronic mail (e-mail) records were recovered with content that may be of relevance to the investigation; and
- Facebook chat messages were recovered with content that may be of relevance to the investigation.

3. CUSTODY OF EXHIBIT

About 10:27am on 03 April 2012, I received possession of the following exhibit from Constable James SMITH at the Police Computer Forensic Office, 1 Commonwealth Avenue, Melbourne.

Exhibit No. | Exhibit Details
1234567/001 | 1 x Samsung NC10 netbook computer, bearing serial number “ZJ1123ZZ01644E”, contained within sealed audit bag number PR555111.

About 10:27am on 05 April 2012, I returned exhibit 1234567/001 to Constable SMITH at the Police Computer Forensic Office. The transfer process was electronically recorded on the Police Laboratory Management Information System. A copy of the Internal Chain of Custody report from this system is attached as Appendix 1.

For the period that the exhibit was in my custody, it was secured in my possession or in the Police Computer Forensic Office, 1 Commonwealth Avenue, Melbourne, where it remained under my control. The Police Computer Forensic laboratory is a secure area that only allows access to authorised Police personnel.

4. ASSUMPTIONS AND LIMITATIONS

The findings of this report are based on the following assumptions:

- All proper exhibit handling techniques have been adhered to;
- All items were operable at the time of seizure and all relevant exhibits have been submitted for examination;
- The contents of this report are determined by the aforementioned objectives and so should not be considered to include all data and information that may be contained on the exhibits; and
- Due to the quantity of information stored on computer storage devices, it is not feasible to report on every aspect of every file and piece of information stored.

It is assumed that, following presentation of this report, if any issues are raised that require further explanation or examination they will be communicated to the author of this report so that they can be appropriately dealt with and a supplementary report or other information provided as necessary.

5. PROCESSES AND TECHNIQUES

An explanation of the processes and techniques used for the general examination of computers and other electronic devices is provided in:

- Appendix 2 – Processes and Techniques – Computers and Other Electronic Storage Media

6. ACQUISITION OF EXHIBIT 1234567/001

6.1 Physical Exhibit Item

The examination of the exhibit commenced about 10:30am on 03 April 2012. The exhibit had the following properties:

Make | Samsung
Model | NC10
Serial Number | ZJ1123ZZ01644E
Colour | Black
Notable Features | The computer was in a worn condition. The LCD screen was significantly damaged.
Peripherals | A power supply was included in the sealed audit bag in which the computer was received.

I located and removed the hard disk drive from within the computer. The hard disk drive had the following features:

Make | Western Digital
Model | WD1600BEVT-3ETCO
Serial Number | WXHOA1234567
Capacity | 160 Gigabytes

The following photographs were taken of the exhibit:

[Photograph: Exhibit as received]
[Photograph: Samsung NC10 netbook computer – front view]
[Photograph: Samsung NC10 netbook computer – rear view]
[Photograph: Samsung NC10 netbook computer – open view]

The LCD of the netbook computer was visibly damaged, as displayed in the following photograph. Data displayed on the left hand side of the screen could not be viewed by a user of the computer. The full content could be viewed if the netbook computer was connected to an external monitor with a cable.

[Photograph: Samsung NC10 netbook computer – damaged screen]

6.2 Data Acquisition

The acquisition of the available content of the hard disk drive was conducted using a Police acquisition computer with the following specifications:

- Dell Precision T7500
- Intel Xeon 2.53GHz
- 48.0GB system memory
- Windows 7 Enterprise (64-bit), Service Pack 1

Prior to the acquisition, the Police examination computer had been rebuilt to a new Standard Operating Environment.

The hard disk drive was connected to a Tableau T35i write blocking forensic bridge. This is a device which allows for data to be read or copied from an attached hard disk drive, whilst at the same time preventing data from being written to the drive. A Police On-Use diagnostic check was conducted using a known data set to ensure that the write blocking forensic bridge was operating correctly.

The acquisition of the hard disk drive was conducted using EnCase v6.18.1.3. The acquisition of the available contents of the hard disk drive was saved in image file format with the file name “1234567/001_Samsung_Netbook.E01”. The image files were saved to a Western Digital 1TB hard disk drive bearing serial number “WCATR7019999”. The Western Digital hard disk drive was newly purchased and had been electronically wiped prior to use. The Western Digital hard disk drive was allocated with exhibit number “1234567/001-MASTER” and was sealed in Police sealed audit bag number B422233. This was subsequently lodged in the Police Drug and Property Registry at about 4:00pm on 03 April 2012.

During the acquisition, a verification process was undertaken to ensure that the acquired forensic image was a bit-for-bit copy of all available data from the original hard disk drive. The verification process uses the Message Digest 5 (MD5)[1] algorithmic calculation. The following verification results were identified:

MD5 of original media | 71CFE34538B276C6921C3C7XX0123456
MD5 of forensic image | 71CFE34538B276C6921C3C7XX0123456

A copy of the forensic image was placed on the Police Computer Forensic network to be used as a working image. I re-verified the integrity of the forensic image and confirmed that the MD5 was the same as the original.

7. ANALYSIS OF EXHIBIT 1234567/001

All analysis was conducted on a working copy of the forensic image file which had been saved to the Police Computer Forensic network. This forensic copy is used to conduct computer forensic analysis. This analysis is not undertaken until the integrity of the forensic copy is verified, to ensure that no data had changed from the time of acquisition.
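The verification step described in section 6.2, as an added Python example that is not the examiner's tooling and not EnCase: the "original media" and the forensic image are constructed in-memory byte streams, and on a real acquisition the same functions would be pointed at the write-blocked device node and the acquired image file. Hashes are computed in chunks so a 160 GB drive is never held in memory, and SHA-256 is computed alongside MD5 because MD5 collisions can be manufactured; a second independent digest removes any argument that an image could have been substituted for a colliding one, while still matching the MD5 workflow this report records.

```python
# Added example (not the examiner's tooling): bit-for-bit verification of a
# forensic image against its source media by streaming both through the same
# hash functions. The sample media is CONSTRUCTED; the report's own hash
# values are not reproduced here.
import hashlib
import io

CHUNK = 1 << 20  # 1 MiB read size keeps memory flat regardless of drive size

def hash_stream(stream, algorithms=("md5", "sha256")) -> dict:
    """Read the stream once and compute every requested digest in parallel."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}

def verify_image(original, image) -> dict:
    """Return a verification record comparing the source media with its image.

    'verified' is True only when every digest matches; a single flipped bit
    anywhere in the image changes all of them.
    """
    src = hash_stream(original)
    img = hash_stream(image)
    return {
        "md5_original": src["md5"],
        "md5_image": img["md5"],
        "sha256_original": src["sha256"],
        "sha256_image": img["sha256"],
        "verified": src == img,
    }

# Constructed sample "drive": 3 MiB of repeating 0x00..0xFF bytes.
SAMPLE_MEDIA = bytes(range(256)) * (3 * CHUNK // 256)

def good_image() -> dict:
    """Image that is a faithful copy of the media."""
    return verify_image(io.BytesIO(SAMPLE_MEDIA), io.BytesIO(SAMPLE_MEDIA))

def tampered_image() -> dict:
    """Image with one bit flipped in its final byte; must fail verification."""
    altered = bytearray(SAMPLE_MEDIA)
    altered[-1] ^= 0x01
    return verify_image(io.BytesIO(SAMPLE_MEDIA), io.BytesIO(bytes(altered)))

if __name__ == "__main__":
    for label, record in (("good", good_image()), ("tampered", tampered_image())):
        print(label, record["verified"], record["md5_image"])
```

The re-verification of the working copy mentioned at the end of section 6.2 is the same call again with the working copy as the second argument; keeping the digest record alongside the image is what allows that re-verification to be repeated by anyone who later handles the evidence.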
Analysis of the forensic image of the hard disk drive identified evidential material which is attached in the following appendices:

- Appendix 3 – System Overview
- Appendix 4 – Suspected EMS Tracking Numbers and Internet History
- Appendix 5 – iPhone Backup Records
- Appendix 6 – Optus SMS Messages
- Appendix 7 – Electronic Mail
- Appendix 8 – Facebook Messages

[1] The Message-Digest Algorithm 5 (MD5) is a 128-bit hash value commonly used within the forensic community to assure that data has not been altered. A function such as the MD5 algorithm takes a string of data of any length as input and produces a fixed length string (of 128 bits) as output. This output is known as the hash value. If two strings have different MD5 hash values, then the strings differ by at least one bit. In this way a change in the MD5 of a file identifies that the data contained in the file has changed.

Appendix 1
Internal Chain of Custody Report – Exhibit 1234567/001 Samsung NC10 Laptop Computer

The following is a copy of the Internal Chain of Custody Report for the transfer of the Samsung NC10 Laptop Computer in relation to this matter.

Appendix 2
Processes and Techniques – Computers and Other Electronic Storage Media

The physical characteristics of computers and electronic storage media are recorded through photographs and observations. Depending on the type of device/media and the information contained on that exhibit, manual or various electronic solutions may be employed to obtain that information. Where required, storage devices such as hard disk drives are removed from computers for examination. Where this occurs, observations of the storage devices (such as model and serial number details) are photographed and recorded.

The contents of exhibits are extracted using commercially available software specifically designed for the forensic acquisition of data from electronic storage media. This software is used in conjunction with write blocking hardware and/or software which allows for data to be read and copied from a device, while preventing data from being written to the device.

All forensic copies of exhibits are subject to a verification process to ensure that the forensic copy is a bit-for-bit copy of all available data from the original device. This forensic copy is used to conduct computer forensic analysis. This analysis is not undertaken until the integrity of the forensic copy is verified, to ensure that no data had changed from the time of acquisition. Where a true bit-for-bit copy cannot be undertaken (where an exhibit is partially damaged, for example), details of this will be explicitly mentioned within the contents of the report.

During the course of examinations, forensic copies of data are made available to Police member(s) involved in the investigation of the matter. These member(s) identify items of evidential interest to the investigation through a process known as “bookmarking”. As part of the examination process, I have presented and, where required, interpreted this bookmarked data within this report.

Appendix 3
System Overview – Exhibit 1234567/001 Samsung NC10 Netbook Computer

3.1 Operating System Details

The following operating system information was extracted from the Registry for the installed Windows operating system:

Registry Field | Data | Examiner Comment
Registered Owner | Billy_Boy | Data field containing user inputted data.
Registered Organization | [blank] (optional) | Data field containing user inputted data.
ProductID | 76477-OEM-22CAD-Q99H-D8G2M | A Microsoft generated identifier for an operating system environment.
Product Key | XVX11-22QWH-P11TT-C7R1C-48HTR | A Microsoft generated identifier to unlock a Microsoft Windows version. This is akin to a serial number.
CurrentVersion | 5.1 | A Microsoft generated identifier for an operating system environment.
CSDVersion | Service Pack 3 | A Microsoft generated identifier for an operating system environment.
ProductName | Microsoft Windows XP | The name of the installed operating system.
InstallDate | 30 Sep 2010, 09:50:30 (UTC) | The date and time of installation, recorded using the computer’s system clock.
Computer Name | BILLYSBOOK | Data field containing user inputted data.
Last Shutdown Time | 02 Apr 2012 06:05 (UTC) | The date and time at which Windows last recorded a successful shutdown.
ShutdownCount | 220 | A count of instances in which Windows recorded a successful shutdown.

3.2 System Users

Two active, local user accounts were located on the exhibit, as follows:

Account Name | Account Type | Password Protected? | Password | Last recorded logon date/time
Billy | Administrator[1] | Yes | suSp3ct | 02 Apr 2012 16:47:17 (UTC +1000)[2]
Benny | Administrator | No | N/A | 09 Dec 2010 11:57:19 (UTC +1000)

[1] An Administrator account allows a user to change security settings, install software and hardware, and access all files on the computer. Administrators can also make changes to other user accounts.
[2] UTC is an acronym for Universal Time Coordinate and is the same as Greenwich Mean Time (GMT).

3.3 Logical Hard Drive Structure

One hard disk drive was located inside the exhibit. This drive contained three partitions[3], as follows:

Volume label | Volume Name | File System | Total Capacity | Allocated data[4] | Unallocated data[5]
RECOVERY | | NTFS | 6GB | 4.1GB | 1.9GB
C | Local Disk | NTFS | 71GB | 22GB | 49GB
W | Working | NTFS | 72GB | 123.8MB | 71.9GB

The RECOVERY partition is a hidden system partition which is used for data recovery purposes. The “C” partition contained the Windows operating system. All evidential material was located within this partition. The “W” partition did not contain an installed operating system. It appeared to be used for user data storage.

[3] A partition is a portion of a single physical hard disk which functions logically as a separate physical disk (hence they are commonly referred to as volumes or drives).
[4] Allocated data is considered to be data that is available for use by an operating system or a user. A common example is a saved file.
[5] Unallocated data is considered to be data that is not in use by the operating system or user. Data can become unallocated as a result of data deletion or drive reformatting. The data will remain present on the hard disk drive until it has been overwritten. It may contain remnants of previous files (in whole or in part) that may be recovered using forensic software.

3.4 Time and Date Settings

Time and date stamps that are recorded in the file system are dependent upon the time and date settings of the device being used. For example, in the case of a personal computer, the operating system uses the time and date setting of the computer as the reference for a time and date stamp. The device time and date setting can be set and changed by a user of the computer. Additionally, the computer’s time and date can also be set to routinely synchronise with a validated external time server.

At the time of examination, the Windows Date and Time setting for each user account was configured with a time zone of “(UTC+10:00) Canberra, Melbourne, Sydney” and was set to automatically adjust for daylight savings time. The setting of the computer’s system clock was compared to a reference time source as follows:

 | Date | Time (HH:MM:SS) | Time Zone
Exhibit Date/Time | 03 Apr 2012 | 11:05:15 | AEDT
Actual Date/Time | 03 Apr 2012 | 11:05:00 | AEDT
Exhibit Clock Bias | 0 days, +0 hours, 0 mins, 15 secs

The exhibit clock bias of 15 seconds from the actual date and time should be taken into consideration when examining time and date stamps on files that are listed within this report.

At the time of examination, the Windows Date and Time setting for each user account was configured to automatically synchronise with the Internet time server “time.nist.gov”. This setting ensures that, when connected to the Internet, the time on the computer is intermittently synchronised with a validated external clock.

Appendix 4
Suspected EMS Tracking Numbers and Internet History – Exhibit 1234567/001 Samsung NC10 Netbook Computer

Within the following Appendix, it should be noted that the times and dates reference those recorded by the Windows operating system using the Samsung netbook computer’s internal system clock.

4.1 Suspected EMS Tracking ID Numbers – File “m.dll”

A file titled “m.dll” was located on the Desktop for the user account “Billy”. This file appeared as follows:[1]

The file had the following properties, as recorded by the Windows operating system:

File Name | m.dll
File Location | C:\Documents and Settings\Billy\Desktop
MD5 Hash | 995140b766a8d7c135cd009fa378a80f
File Creation | 27/Mar/12 23:42:47 (UTC[2] +1100)
Last Written | 01/Apr/12 05:36:40 (UTC +1000)
Is Deleted? | No

The file had the file extension “.dll”. This extension is used as part of the Microsoft Dynamic Link Library system of files. If a user were to double-click the file, the following message would appear:

[1] This file is presented through a re-creation of the exhibit, using virtualisation software.
[2] UTC is an acronym for Universal Time Coordinate and is identical to Greenwich Mean Time (GMT).

The analysis identified that the file had the signature for a Microsoft Office Word Document embedded within the file content. The “Author” of the document was recorded as “Billy”. The embedded signature and Author information is highlighted below:

The following methods would allow a user of the computer to access the contents of “m.dll” using Microsoft Word, which was installed on the exhibit:

(1) Right click the file and select Open With | Microsoft Office Word.
(2) Launch Microsoft Word. Open the file “m.dll” from within Microsoft Word.
(3) Rename “m.dll” to “m.doc”. The file could then be opened by double-clicking the file.

If the file was opened with Microsoft Word, the following information would be presented:

4.2 Recent File Analysis – Suspected EMS Tracking ID Numbers – File “m.dll”

The Microsoft Windows XP operating system maintains a directory called “Recent” where it places links to files (“link files”) as a user opens them. Files in the Recent directory indicate files that the user most recently used.[3] Link files exist in a number of places on a computer, including the “My Recent Documents” directory. This enables the user to quickly access documents that were most recently opened.

When user profiles are used, a separate “Recent” directory is created for each user under the user’s profile directory. This enables different users to see only those links that were created by the user of that profile. In some cases the act of opening files will not place a link in the Recent directory, so the contents of this directory should not be interpreted as a list of all the recently used files.

The content of the Recent directory for the user account “Billy” was located in the file path “C:\Documents and Settings\Billy\Recent”. The file “m.doc” was identified as follows:

Link file Name | Linked To File | Date Created
m.lnk | C:\Documents and Settings\Billy\Desktop\m.doc | 01 April 2012 05:35:00 (UTC+1000)

The presence of this link file indicates that a user of the “Billy” user account accessed a file titled “m.doc” on 01 Apr 2012 at 05:35:00 (UTC+1000). Given the presence of the file “m.doc” on the user’s desktop and the close proximity of the date and time information, it is suspected that a user of the computer renamed the file “m.dll” to “m.doc”, which would allow the contents to be viewed.

4.3 Suspected EMS Tracking ID Numbers – Google Chrome – User Account “Billy”

The analysis identified the files in sub-sections 4.3.1 to 4.3.2, which are consistent with the entry of the suspected EMS tracking ID numbers using the Google Chrome web browser. Google Chrome version 11.0.696.68 was an installed web browser for the user account “Billy”. The web browser was accessible from a shortcut on the Desktop or from within the Windows Start Menu. The date and time of file creation indicates the date and time at which a user was recorded as accessing each webpage.
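The check behind the finding in sections 4.1 and 4.2 above, where a file named “m.dll” carried a Word document's signature, as an added Python example that is not the examiner's tooling: the extension a file claims is compared with the signature its first bytes actually carry. The magic-byte table lists widely documented signatures; the sample headers are constructed and do not come from the exhibit. One caveat the report's wording already reflects: the OLE2 signature identifies the compound-document container that legacy Word, Excel and PowerPoint share, so the specific application (and fields such as Author) comes from the document's internal streams, not from the magic bytes alone.

```python
# Added example (not the examiner's tooling): detecting a file whose extension
# does not match its content signature, the situation found with "m.dll".
# The signature table holds well-known magic bytes; the sample files are
# CONSTRUCTED headers, not data from the exhibit.

SIGNATURES = [
    # (magic bytes, offset, description, extensions that normally carry it)
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", 0,
     "OLE2 compound document (legacy Office: .doc/.xls/.ppt)", {".doc", ".xls", ".ppt", ".msg"}),
    (b"MZ", 0, "Windows PE executable/DLL", {".exe", ".dll", ".sys", ".scr"}),
    (b"PK\x03\x04", 0, "ZIP container (Office Open XML .docx/.xlsx, .jar)", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"%PDF-", 0, "PDF document", {".pdf"}),
    (b"\x89PNG\r\n\x1a\n", 0, "PNG image", {".png"}),
    (b"\xFF\xD8\xFF", 0, "JPEG image", {".jpg", ".jpeg"}),
]

def identify(data: bytes):
    """Return (description, expected_extensions) for the first matching signature, else None."""
    for magic, offset, desc, exts in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return desc, exts
    return None

def check_extension(filename: str, data: bytes) -> dict:
    """Compare the extension a file claims with what its content signature says."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    match = identify(data)
    if match is None:
        # No known signature: plain text and many data files land here, so
        # "unknown" is reported rather than a mismatch.
        return {"file": filename, "claimed": ext, "actual": "unknown", "mismatch": False}
    desc, exts = match
    return {"file": filename, "claimed": ext, "actual": desc, "mismatch": ext not in exts}

# Constructed samples: headers only, padded to a 512-byte sector.
SAMPLES = {
    "m.dll": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 504,  # Word content behind a .dll name
    "library.dll": b"MZ\x90\x00" + b"\x00" * 508,                   # genuine PE header
    "notes.txt": b"plain text has no signature\n",
}

def scan_samples() -> dict:
    """Run the check over every sample and return the results keyed by file name."""
    return {name: check_extension(name, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in scan_samples().items():
        flag = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{name:12} {result['claimed']:6} -> {result['actual']} [{flag}]")
```

Running the same check across a whole user profile, rather than one file, is how an examiner finds renamed documents in bulk; the report's method (3), renaming to “.doc”, is simply acting on the table's "expected extensions" column for the signature found.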
4.3.1 File Name: f_00001a File Location: C:\Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\ Cache\f_00001a MD5 Hash: 7212f79e75d55b0a451d2f14add89dd9 File Creation: 03/Apr/12 00:40:31 (UTC+1000) 3 Source: www.support.microsoft.com/kb/ 307875 as at 14 April 2012 Case Ref: ITC597 Page 15 of 29 Signed:________________________________ Witnessed:_______________________________ Appendix 4 Suspected EMS Tracking Numbers and Internet History Exhibit 1234567/001 – Samsung NC10 Netbook Computer Case Ref: ITC597 Page 16 of 29 Signed:________________________________ Witnessed:_______________________________ Appendix 4 Suspected EMS Tracking Numbers and Internet History Exhibit 1234567/001 – Samsung NC10 Netbook Computer Case Ref: ITC597 Page 17 of 29 Signed:________________________________ Witnessed:_______________________________ Appendix 4 Suspected EMS Tracking Numbers and Internet History Exhibit 1234567/001 – Samsung NC10 Netbook Computer 4.3.2 File Name: f_0000d5 File Location: C:\Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_0000d5 MD5 Hash: 14818491c3168624403e1af6d7b93a7d File Creation: 03/Apr/12 00:44:10 (UTC+1000) The following web page has been truncated to only show the Tracking Summary. The title “Australia Post – Track my item” and the content before the Tracking summary is the same as is shown in item 4.3.1. Case Ref: ITC597 Page 18 of 29 Signed:________________________________ Witnessed:_______________________________ Appendix 4 Suspected EMS Tracking Numbers and Internet History Exhibit 1234567/001 – Samsung NC10 Netbook Computer 4.4 Google Chrome Web Data Records – User account “Billy” The Google Chrome browser maintains a records of values which have been entered into input fields in online forms and other text boxes. Common examples of this are form boxes on websites that require the entry of a name, address, date of birth, reference numbers and so forth. 
Google Chrome records this information within the file titled “Web Data” which was located on the exhibit for the user account “Billy” in the file location of: “Documents and Settings\Billy\Local Settings\ Application Data\Google\Chrome\User Data\Default\”. The suspected EMS tracking numbers in this sub-section were entered into a field titled “number” on a webpage. The associated website that the below entries relate to is not recorded by the Google Chrome browser. At the time of reporting, the website of www.ems-tracking.net uses the Hyper Text Markup Language (HTML) text of “number” as the Input Field Value for the suspected EMS tracking numbers. It should be noted however, that the use of “number” may also be used by other webpages and the below should not be taken as confirmation that the EMS website was used. Input Field Name Input Field Value Date(s) of Entry number EE402233111CN 30 March 2012 08:59:04 (UTC +1000) 31 March 2012 06:29:10 (UTC +1000) 01 April 2012 10:33:47 (UTC+1100) 02 April 2012 02:44:55 (UTC+1100) 03 April 2012 07:00:09 (UTC+1100) number EE402233222CN   30 March 2012 10:55:54 (UTC+1000)   03 April 2012 07:01:10 (UTC+1100) The Google Chrome web browser recorded the following Input Field Names and Input Field Values that may be relevant to the investigation. 
The associated websites that these relate to are not available: Input Field Name   Input Field Value Date(s) of Entry (UTC+0000) FINANCIAL_TRANSACTION_TRANSFER_DE TAILS_PO[0].TRANSACTION_AMOUNT 20000 27 March 2012 00:56:47 (UTC+1000) FINANCIAL_TRANSACTION_TRANSFER_DE TAILS_PO[0].TRANSACTION_AMOUNT 10000 27 March 2012 01:15:47 (UTC+1000) shipping_addressee_name Billy Boy 27 March 2012 01:15:47 (UTC+1000) 27 March 2012 00:56:47 (UTC+1000) q4 item customs cust5oms customs 03 April 2012 01:07:14 (UTC+1100)   03 April 201201:07:25 (UTC+1100)   03 April 201201:07:32 (UTC+1100) 4 “q” is commonly used as for a search input box for search engines such as Google or Bing; in which “q” represents “query”. Case Ref: ITC597 Page 19 of 29 Signed:________________________________ Witnessed:_______________________________ Appendix 4 Suspected EMS Tracking Numbers and Internet History Exhibit 1234567/001 – Samsung NC10 Netbook Computer 4.5 Google Search Terms – User account “Billy” The analysis identified the following search terms for the search engine Google which had been entered using the Google Chrome web browser for the user account “Billy”. The search terms were located in the file location of: “C:\Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\ User Data\Default\History”. It should be noted that the entries below are only those that may be relevant to the investigation. They do not include all search terms that may have been entered into the Google chrome browser. A full list is available upon request. 
Google Search Term Date/Time (UTC+0000) where do I get cocaine from 27 Feb 201215:46:11 (UTC +1000) importing cocaine 27 Feb 201215:46:22 (UTC +1000) turning cocaine into real cash 27 Feb 201215:46:33 (UTC +1000) track my parcel 27 Feb 201215:46:44 (UTC +1000) ems parcel tracking 27 Feb 201215:46:55 (UTC +1000) making more cocine5 27 Feb 201215:46:56 (UTC +1000) track shipping 13 March 2012 14:26:40 (UTC +1000) street names cocaine 20 March 2012 23:06:40 (UTC +1000) ems tracking 28 March 2012 02:53:20 (UTC +1000) EMS tracking 28 March 2012 06:40:00 (UTC +1000) australia post tracking from china 28 March 2012 14:13:01 (UTC +1000) ems says handed over to custom 28 March 2012 14:13:11 (UTC +1000) ems says handed over to customs australia 28 March 2012 14:13:19 (UTC +1000) australian customs item search 28 March 2012 17:46:10 (UTC +1000) how do i find out why my item is stuck in australian customs 28 March 2012 17:46:50 (UTC +1000) how do i know if my item has been destroyed by australian ustoms 28 March 2012 17:46:55 (UTC +1000) how long does customs take to process a package australia Sat, 01 April 2012 05:20:00 (UTC +1000) how do you know if your ems items have been seized by australian customs Wed, 01 April 2012 19:06:40 (UTC +1000) 4.6 Google Chrome websites accessed – User account “Billy” The analysis identified the following internet history records accessed via the Google Chrome web browser. The records were located in the file location of: “C:\Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\History”. It should be noted that the records below are only those that may be relevant to the investigation. They do not include all internet records as this would be voluminous in size. These are available upon request. 
[5] Note that the suspected typographical error was present in the Google search.

URL [6] | Webpage title | Date/Time
http://auspost.com.au/apps/search.html?q=item+customs | Australia Post - Search results | 26 March 2012 14:13:20 (UTC +1000)
http://auspost.com.au/apps/search.html?q=cust5oms&entqr=0&output=xml_no_dtd&sort=date%3AD%3AL%3Ad1&ud=1&client=auspost_frontend&oe=UTF-8&ie=UTF-8&proxystylesheet=auspost_frontend | Australia Post - Search results | 26 March 2012 14:13:23 (UTC +1000)
http://auspost.com.au/apps/search.html?q=customs&entqr=0&ud=1&sort=date%3AD%3AL%3Ad1&output=xml_no_dtd&oe=UTF-8&ie=UTF-8&client=auspost_frontend&proxystylesheet=auspost_frontend | Australia Post - Search results | 26 March 2012 14:13:25 (UTC +1000)
http://www.ems.com.cn/ems/English/index.jsp# | EMS | 27 March 2012 07:09:10 (UTC +1000)
http://www.ems.com/ | EMS | 27 March 2012 07:09:20 (UTC +1000)
http://www.ems.com.cn/english-main.jsp | EMS | 27 March 2012 07:09:30 (UTC +1000)
http://www.ems.com.cn/qcgzOutQueryNewAction.do | EMS Tracking | 27 March 2012 07:09:40 (UTC +1000)
http://www.ems-tracking.net/ | EMS Tracking | 27 March 2012 07:09:50 (UTC +1000)
http://www.ems-tracking.net/verification.php | EMS Tracking | 27 March 2012 07:10:15 (UTC +1000)

[6] URL is an acronym for Uniform Resource Locator and refers to a website address.

Appendix 5 iPhone Backup – Exhibit 1234567/001 Samsung NC10 Netbook Computer

An Apple iPhone can be synchronised and backed up with a computer. This process allows for the contents of the iPhone to be recovered in the event that the device is lost, damaged or the contents are corrupted.
The analysis identified a backup file for an Apple iPhone which had the following information: [1]

Field | Data | Examiner Comment (if applicable)
Device Name | billy’s phone | A user generated descriptor for the iPhone.
ICCID | 8961061000123456789 | ICCID (Integrated Circuit Card Identifier). A unique identification number for the SIM card. It is stored electronically within the SIM card and may also be printed on the outside of the SIM card.
IMEI | 0126460012345678 | IMEI (International Mobile Equipment Identity). The serial number of the handset. It is generally printed on a sticker attached to the phone and also stored electronically within the handset.
Last Backup Date | 2012-03-29 05:28:25Z | Zulu time (Z) is, within a fraction of a second, the equivalent of GMT or UTC. This would equate to 29 Mar 2012 15:28:25 (UTC+1000).
Phone Number | +61 401 222 333 | The recorded telephone number of the Apple iPhone.
Product Type | iPhone 3,1 | The series of the Apple iPhone.
Product Version | 4.2.1 | The current version of installed software on the iPhone.
Serial Number | 85108DDA40 | The electronic recording of the serial number of the Apple iPhone.

Analysis of SMS (instant messages) identified 1,152 messages that were present in the backup file of the device. Of these, the messages below may be of relevance to the investigation. The “ROWID” is the location of the message within the 1,152 message list: [2]

ROWID | Address | Date/Time [3] | Text | Flag
992 | 61401222333 | 15 March 2012 10:15:50 (UTC +1000) | i’ve just checked EMS. Can’t wait to get my hands on the gear! | Sent
993 | 61401111055 | 15 March 2012 10:15:5 (UTC +1000) | be patient my friend | Received
994 | 61401222333 | 15 March 2012 10:16:30 (UTC +1000) | i can’t. I didn’t think we could make so much cash with the “white magic” | Sent
995 | 61401111055 | 15 March 2012 10:16:35 (UTC +1000) | we’ll be rich buddy | Received

There was no further correspondence between the users of “61401222333” and “61401111055”. A full list of all SMS content is available upon request.
[1] Source file: C:\Documents and Settings\Billy\Application Data\Apple Computer\MobileSync\Backup\2bf6d242e2bf6d242e997f14fc16eb3f135854a58\Info.plist
[2] Source file: C:\Documents and Settings\Billy\Application Data\Apple Computer\MobileSync\Backup\2bf6d242e2bf6d242e997f14fc16eb3f135854a58\3d0d7e5fb2ce288898dgaqjsk881818\
[3] This date and time field is generated from the internal clock within the Apple iPhone that was subject to backup.

Appendix 6 Optus SMS Messages – Exhibit 1234567/001 Samsung NC10 Netbook Computer

Software for the Optus Wireless Broadband service was installed on the exhibit and was available to all users of the computer. The software has a Message Manager feature in which SMS messages can be sent and received. A record of sent and received messages was located in the file “MSGXMLData.xml”, which had the following file properties:

File Name: MSGXMLData.xml
File Location: Documents and Settings\All Users\Documents\Data\MSGXMLData.xml
MD5 Hash: d5868cb75884289bafdfac82a3d447df
File Creation: 23/Jul/11 11:56:48 (UTC+1000)
Last Written: 15/Feb/12 13:39:28 (UTC +1000)

All SMS messages that were located within this file are presented below. The date and time information was not present within the file. An SMS message which may be of interest to the investigation has been highlighted with a red box.

mate, I need your cash asap. I have the big shipment coming and it will make us rich. But I need to pay $10k and then $20k on it now. Otherwise the chinaman will get very upset with me. Can you call me asap 0401222333;

The analysis did not identify whether the messages were sent or received. Additionally, the data file for the Optus broadband service was available to all users on the computer. Accordingly, it was not determined which user account the SMS messages relate to. The Samsung NC10 laptop computer had a SIM card slot beneath the battery.
At the time of examination, no SIM card was located in this slot.

Appendix 7 Electronic Mail (Email) – Exhibit 1234567/001 Samsung NC10 Netbook Computer

The following electronic mail (email) was identified on the exhibit. The email has been reformatted, where possible, from the form present on the forensic image to a form which may assist readability. Note that only data that could be recovered is presented below and that the full email content was not, in some instances, able to be fully recovered.

7.1
File Name: Not available
File Location: Unallocated Clusters [1], Physical sector 985660575
Date/Time: Not available

Hotmail - billyboy@live.com.au
Billy Boy profile | sign out
Hotmail Inbox (79)

Re: White Magic
To Billy Boy

What is the purity of the gear. I need at leats 75% to make some real money?

----- Original Message -----
From: Supplier Dude
To: billyboy@live.com.au
Sent: 25 February 2012 2:41 PM
Subject: Re: White Magic.

Thank you for your interest in doing business. The white magic is available in lots of 250g. All prices are payable via Western Union. All goods are wrapped in such as a way as the customs dog’s wont get them. You do business with me. I look after you my friend.

7.2
File Name: Not available
File Location: Unallocated Clusters, Physical sector 5684665999
Date/Time: Not available

Hotmail - billyboy@live.com.au
Billy Boy profile | sign out
Hotmail Inbox (80)

The major toxicity of all the local anesthetics is CNS: cocaine, lidocaine. Cocaine hydrochloride is most commonly “snorted”. It can also be injected. Some people rub it into the gums, where it is absorbed into the bloodstream. Others add it to a drink or food. Freebase and crack cocaine are usually smoked. We hope to be you long term reliable and trustable supplier.
----- Original Message -----
From: Billy Boy
To: Supplier Dude
Sent: 21 February 2012 6:42 AM
Subject: Inquiry about Cocaine

Home Product Directory Offers China Manufacturers Resources | Premium Services | Advertise | Join Free | Site Map | Contact Us .
Note: Please do not reply to this message directly, Send to : supplier_dude666@live.com.au:
Subject: Inquiry about Cocaine
Content: Hi, im wondering if you could give me a price on 2.5kg of cocaine , and if it can be delivered to melbourne, australia.. also id like to know how often your packages get detected here, and what guarantees you give.
Email: billyboy@live.com.au
Tel: 0411222111
Fax: 0403333222
Country/Region: Australia .

[1] Unallocated data is considered to be data that is not in use by the operating system or user. Data can become unallocated as a result of data deletion or drive reformatting. The data will remain present on the hard disk drive until it has been overwritten. It may contain remnants of previous files (in whole or in part) that may be recovered using forensic software.

Appendix 8 Facebook Messages – Exhibit 1234567/001 Samsung NC10 Laptop Computer

Facebook is an online social networking site which can be accessed from the website address of “www.facebook.com”. Facebook allows for the sending and receiving of instant messages between two or more Facebook users. A record of instant messages which were located on the Samsung NC10 netbook computer is presented in the following pages. These instant messages include the Facebook username of “Billy Bob” and the associated Facebook user ID number of “888777444111”. As at 05 April 2012, neither of these Facebook ID numbers was viewable/accessible on the Facebook website.
Date/Time (UTC+0) [1] | Sender ID [2] | Sender Name | Recipient ID [3] | Recipient Name | Message Text
17 Mar 2012 05:35:33 | 888777444111 | Billy Boy | 10000187878787 | John Jones | HI
17 Mar 2012 05:35:40 | 10000187878787 | John Jones | 888777444111 | Billy Boy | yeah
17 Mar 2012 05:35:54 | 888777444111 | Billy Boy | 10000187878787 | John Jones | How are ya?
17 Mar 2012 05:36:13 | 888777444111 | Billy Boy | 10000187878787 | John Jones | k. you?
17 Mar 2012 05:36:32 | 10000187878787 | John Jones | 888777444111 | Billy Boy | Hihi
17 Mar 2012 05:36:33 | 10000187878787 | John Jones | 888777444111 | Billy Boy | yes
17 Mar 2012 05:36:45 | 888777444111 | Billy Boy | 10000187878787 | John Jones | You all set
17 Mar 2012 05:36:58 | 888777444111 | Billy Boy | 10000187878787 | John Jones | Yep
17 Mar 2012 05:37:17 | 10000187878787 | John Jones | 888777444111 | Billy Boy | Got the cutter?
17 Mar 2012 05:37:23 | 888777444111 | Billy Boy | 10000187878787 | John Jones | Of course
17 Mar 2012 05:37:32 | 888777444111 | Billy Boy | 10000187878787 | John Jones | And the clip seal bags?
17 Mar 2012 05:38:11 | 10000187878787 | John Jones | 888777444111 | Billy Boy | Of course mate. no stress.
17 Mar 2012 05:38:27 | 888777444111 | Billy Boy | 10000187878787 | John Jones | I’ve never done anyting as big as this. if the cops catch me, i’m inside for a long time mate
17 Mar 2012 05:46:39 | 10000187878787 | John Jones | 888777444111 | Billy Boy | They wont catch you
17 Mar 2012 05:46:53 | 888777444111 | Billy Boy | 10000187878787 | John Jones | How do you know. what about the customs dogs. they can find this sorta stuff
17 Mar 2012 05:47:01 | 888777444111 | Billy Boy | 10000187878787 | John Jones | I’m just nervous.
17 Mar 2012 05:49:37 | 10000187878787 | John Jones | 888777444111 | Billy Boy | Don’t worry. the chinaman will make sure its all covered sothe dogs’ll never know the coke is there
17 Mar 2012 05:49:50 | 10000187878787 | John Jones | 888777444111 | Billy Boy | Sorry didn’t mean to say coke.
17 Mar 2012 05:50:32 | 888777444111 | Billy Boy | 10000187878787 | John Jones | Mate. careful what you say. you never know if the feds are listening.. i saw this doco once and they know everything. they can even see what you’re typing and whatyor thinking
17 Mar 2012 06:09:04 | 10000187878787 | John Jones | 888777444111 | Billy Boy | Now you are paranoid..
17 Mar 2012 06:09:27 | 888777444111 | Billy Boy | 10000187878787 | John Jones | maybe biut i’m the one risking 20 years if i get caught..
17 Mar 2012 06:09:59 | 888777444111 | Billy Boy | 10000187878787 | John Jones | Ok mate. no more talking on line. and keep off the phones. lets meet at the usual spot tomrrow.
17 Mar 2012 06:10:51 | 10000187878787 | John Jones | 888777444111 | Billy Boy | ok
17 Mar 2012 06:11:17 | 888777444111 | Billy Boy | 10000187878787 | John Jones | Ok bye

Source File [4] (all messages above): C:\Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1

[1] Note that the times are in GMT+0 hours. Adjustments will need to be made for the appropriate time zones, including any possible daylight saving time.
[2] This is the Facebook ID reference of the sender of the message.
[3] This is the Facebook ID reference for the receiver of the message.
[4] This is the location of the message on the Samsung NC10 Laptop computer.
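The appendices record times in three different ways: Zulu time in the iPhone backup (Appendix 5), UTC+0 in the Facebook cache (footnote 1 above), and UTC+1000 or UTC+1100 suffixes elsewhere. The following example, added here and not part of the report or of any forensic tool, parses each of those forms and merges constructed sample records taken from the appendices into one timeline at the report's UTC+1000 offset. It applies the fixed offsets the report states rather than a time-zone database, so any daylight saving adjustment remains the examiner's decision, as footnote 1 requires.

```python
import re
from datetime import datetime, timedelta, timezone

# Reporting offset: the appendices state their converted times as UTC+1000.
REPORT_TZ = timezone(timedelta(hours=10))

# Constructed sample records: (source, timestamp as written in the appendix,
# default offset in hours for stamps that carry no suffix, note). The Facebook
# stamp has no suffix and is UTC+0 per Appendix 8 footnote 1.
RECORDS = [
    ("iPhone backup Info.plist", "2012-03-29 05:28:25Z", 0, "Last Backup Date"),
    ("iPhone SMS ROWID 992", "15 March 2012 10:15:50 (UTC +1000)", 0, "i've just checked EMS"),
    ("Facebook cache data_1", "17 Mar 2012 05:35:33", 0, "HI"),
    ("Chrome History", "28 March 2012 14:13:01 (UTC +1000)", 0, "australia post tracking from china"),
    ("Web form field q", "03 April 2012 01:07:14 (UTC+1100)", 0, "item customs"),
]

OFFSET_RE = re.compile(r"^(.*?)\s*\(UTC\s*([+-])(\d{2})(\d{2})\)$")


def parse_stamp(stamp, default_offset_hours=0):
    """Parse the timestamp styles used in the appendices into an aware datetime.

    Handles Zulu stamps ("2012-03-29 05:28:25Z"), day-month-year stamps with an
    explicit "(UTC +1000)" suffix, and suffix-less stamps, which are assigned
    default_offset_hours (the source zone the examiner has established).
    """
    s = stamp.strip()
    if s.endswith("Z"):
        return datetime.strptime(s[:-1], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    m = OFFSET_RE.match(s)
    if m:
        body, sign, hh, mm = m.groups()
        delta = timedelta(hours=int(hh), minutes=int(mm))
        tz = timezone(delta if sign == "+" else -delta)
    else:
        body, tz = s, timezone(timedelta(hours=default_offset_hours))
    body = re.sub(r"^[A-Za-z]{3},\s*", "", body)  # drop "Sat, " style weekday prefixes
    for fmt in ("%d %B %Y %H:%M:%S", "%d %b %Y %H:%M:%S"):  # "27 March" then "17 Mar"
        try:
            return datetime.strptime(body, fmt).replace(tzinfo=tz)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {stamp!r}")


def to_report_time(stamp, default_offset_hours=0):
    """Return the stamp converted to the report's UTC+1000 offset."""
    return parse_stamp(stamp, default_offset_hours).astimezone(REPORT_TZ)


def fmt_report(dt):
    """Format in the report's own style, e.g. '29 Mar 2012 15:28:25 (UTC+1000)'."""
    return dt.strftime("%d %b %Y %H:%M:%S (UTC%z)")


def build_timeline(records):
    """Merge records from every source into one list ordered by report time."""
    rows = [(to_report_time(stamp, off), source, note) for source, stamp, off, note in records]
    rows.sort(key=lambda r: r[0])
    return [(fmt_report(dt), source, note) for dt, source, note in rows]


if __name__ == "__main__":
    for when, source, note in build_timeline(RECORDS):
        print(f"{when}  {source:<26} {note}")
```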