Office of the Attorney General High Tech Crimes Bureau -Chicago

September 26, 2006 Detective William Martin Schiller Park Police Department 9526 West Irving Park Road Schiller Park, IL 60176 Dear Detective Martin, This CD contains the report of the forensic examination of the evidence submitted by your office on 07/21/2006. We have created hyperlinks to relevant findings of this examination. These hyperlinks will appear in blue and placing the mouse cursor on the blue portion as described above will take you to that particular section of the report. We hope that this method will make your examination of our report easy for you. You can start reading by clicking on this link – Report of Digital Forensic Examination. If you have any questions about the forensic examination of your evidence or this report, please feel free to contact me at 312-814-3762. Sincerely,

Shahna G. Monge, EnCE Senior Computer Evidence Recovery Technician

Office of the Attorney General High Tech Crimes Bureau

Regional Computer Forensic Lab - Chicago Forensic Report – 09/18/2006

RCFL Case Number: HTCB-06-01-1028 Case Agent: Detective William Martin Schiller Park Police Department Forensic Examination Performed by: Shahna G. Monge, EnCE Senior Computer Evidence Recovery Technician

Illinois Attorney General’s Office High Tech Crime Bureau Chicago, IL 60601

Case Classification: Computer Tampering Suspect (Case Name): Annabel Melongo High Tech Crimes Bureau: A.A.G. David Haslett, Bureau Chief

Deputy Chief of Investigations Daniel Ferraro Deputy Chief Michael Sullivan – ICAC Coordinator A.A.G. Abigail Abraham, Prosecutor A.A.G. Kyle French, Prosecutor A.A.G. Elizabeth Lepic, Prosecutor

Forensic Procedure Summary: The hard drive from the computer system relating to this case was locked (write-protected) via the use of the Encase Fast Bloc IDE to SCSI imaging device. The hard drive was then imaged to a separate hard drive within the forensic computer. The ZIP media was imaged to the same hard drive within the forensic computer, and a separate file was created for each ZIP disk. The ZIP media was acquired though Encase’s network acquisition and the ZIP drive was locked to prevent writing to the media through Encase in DOS mode before the acquisition was begun. The CD media was imaged to the same hard drive within the forensic computer, and a separate file was created for each CD. The forensic CD drive does not have writing capabilities. The USB thumb drive was imaged to the same hard drive within the forensic computer. The thumb drive was write-blocked by the use of a Windows registry change that prohibits any writes being made to any media connected via USB.

1

2

This imaging process entailed the creation of an evidence file (disk image) in which the hard drive/ZIP/CD/USB thumb drive were recreated sector by sector in a forensic environment utilizing forensic software licensed and registered to Shahna G. Monge, Senior Computer Evidence Recovery Technician and/or the Illinois Attorney General. This process allowed the forensic examination to proceed without altering any of the original files from the suspect media, and also preserved File, Disk and Volume Slack. This also allowed the unallocated sectors of the disk to be searched and examined. The process detailed above also allowed for forensic examination of RAM Slack. Forensic Report Summary: I reviewed the case files provided by Detective Martin, Schiller Park Police Department. After review of the search warrant, it was determined that I would attempt to recover any information that would constitute evidence of the offense Computer Tampering and also determine ownership/control and/or dominion over the data. The forensic examination was completed and forensic reports are listed under their respective names and were provided as separate documents (files) to Detective Martin. During the course of the examination I observed the following: Please refer to the included Forensic Report for detailed information regarding the following.

Two link files were found in the Recycle Bin for a network connection to Save A Life

Foundation. Log files for the program Go To My PC were discovered. Go To My PC is a program that

allows remote access to another computer. A log file for the Jakarta service were discovered that contained entries for the specific date

and time of the intrusion. Jakarta is a project to create an open-source java-based server. Connection settings were found in the Microsoft network connections phonebook resident on

the laptop computer. Within a restore point “snapshot” that was automatically created by the computer, there was

a text document discovered named “domain.txt” that contains information relating to a computer on the domain savealifefou.

A cookie file containing IP information for comcast server with IP 24.15.202.102 was discovered. File last written 04/28/06 09:43:13hrs.

Several instances of the IP 24.15.202.102 were discovered on the evidence. Please see the forensic report for further details.

The URL f·t·p·:·/·/·7·0·.·1·4·2·.·2·5·1·.·2·4·2·/·· was found in the registry in the folder "TypedURLs" for Windows user Administrator. It also shows that an FTP session (or file transfer protocol) session was initiated by the Windows user Administrator for the IP 70.142.251.242.

3

The IP shown of 24.15.202.102 was located in the registry in the folder "TypedURLs". It is shown as it was typed by the Windows user Administrator.

The URL h·t·t·p·:·/·/·w·w·w·.·g·o·t·o·m·y·p·c·.·c·o·m·/··· was found in the registry in the folder "TypedURLs" by the Windows user Administrator.

The URL h·t·t·p·:·/·/·m·a·i·l·.·s·a·l·f·.·o·r·g·/··· was found in the registry in the folder "TypedURLs" for Windows user Administrator.

What appears to be user name and password (carol@salf.org:herman·) for the website www.salf.org:2095/Webmail. was found in the Protected Storage System Provider folder for SID (System ID) that corresponds to Windows user Administrator.

s·g·h·o·l·a·r·@·s·a·l·f·.·o·r·g···s·g·h·o·l·a·r·8·8·9·9··· appears to be information typed in at URL shown of http://70.142.251.241/

The URL of f·t·p·:·/·/·7·0·.·1·4·2·.·2·5·1·.·2·4·2·/·d·o·c·u·m·e·n·t·s··· was found in the registry in the folder "TypedURLs" for Windows user Administrator. It also shows that an FTP session (or file transfer protocol) session was initiated by the Windows user Administrator for the IP 70.142.251.242 and the folder "documents"

The executable file for the setup of the program Go To My PC, which allows remote access to other computers, was discovered under the Administrator account on the laptop computer.

The executable file for the program Go To My PC, which allows remote access to other computers, was discovered under the Administrator account on the laptop computer.

Several web pages (.htm) files were discovered that showed emails associated with melongo_Annabel@yahoo.com and what appears to be Annabel Melongo’s Roosevelt University email account that contain references to different individuals with Save A Life Foundation. Please see the forensic report for more detailed information. These pages can also be viewed separately and can be found in the folder named “Email”.

One Word document was discovered that contained the name “Saquan Gholar” Connection information for “scantron” was discovered shown in a java script page contained

within a folder named "new version", located on a USB thumbdrive. A URL was discovered for http://70.236.105.150 that was titled Scantron System. A URL was discovered for http://70.142.251.241 that was titled SALF Scantron System. Several different files that appear to relate to ID cards for various SALF employees were

discovered. This information was found in a folder on a USB thumbdrive named "TMP". Several images that appear to be parts of a website associated with Save A Live Foundation

were discovered. These images were found in a folder named "IMAGES", which was located on a USB thumbdrive.

Several different files were discovered that appear to be database items from Save A Life Foundation.

Several images, documents and one web page were discovered that contain information relating to ownership/control and/or dominion over the data.

The Recycle Bin report is also included that shows files that were contained in the recycle bin before it was emptied.

The Media Report can be found here and it contains information pertaining to the evidence that was turned over to our lab for analysis.

The Duplicate Digital Evidence (DDE), created on CD, will remain in the ESR until termination of this investigation. The DDE created on the forensic computer hard drive will be erased in preparation for future unrelated examinations. The original evidence is to be returned to Detective Martin for retention. Appendix A Appendix B Reporting Examiner: Shahna G. Monge, EnCE Senior Computer Evidence Recovery Technician Office of the Illinois Attorney General – High Tech Crime Bureau 188 W. Randolph, Chicago, IL

4

APPENDIX A – FORENSIC TERMINOLOGY

The following is utilized throughout reports prepared by Computer Evidence Recovery Technicians in the High Tech Crimes Bureau at the Illinois Attorney General’s Office.

Terminology is provided via:

♦ Industry Standard ♦ IACIS - International Association of Computer Investigative Specialists ♦ Training and Education ♦ SafeBack Software, Sydex, Inc. ♦ Expert Witness, Forensic Software, ASRDATA ♦ EnCase Forensic Software, Guidance Software, Inc.

ROM

• Read Only Memory. Chips that contain a permanent program that is "burned in" at the factory and maintained when the power to the computer is turned off. As its name implies, the information on the chips can only be read and not written to (i.e. Your computer cannot store information in these chips). They usually contain small programs and data that are needed to boot the computer.

RAM

• Random Access Memory. Each computer has a certain amount of volatile read/write memory locations whose contents are lost when the power is turned off. The operating system, programs and drivers are all loaded into RAM at the same time.

BIOS

• The Basic Input Output System of a PC. This is usually a number of machine code routines that are stored in ROM and available for execution at boot time. The "boot strap loader" is contained in ROM and is the first code to execute when the computer is turned on. The BIOS contains commands for reading the physical disks sector by sector.

Physical Disk

• The terms "volume", "drive" and "disk" are often used interchangeably, "disk", "disk drive" and "drive" refer to a physical device while "volume" refers to a logical device. A physical disk is an actual piece of hardware that you can hold in your hand. It could be a floppy disk, hard disk, Zip Disk or any other piece of physical media.

Logical Volume

• A logical volume is a concept, not a physical device. Early PC disks contained only one volume

(e.g. "C"). As drives grew larger, it became convenient to partition a single physical drive into a set of logical "volumes". Each volume consists of an area on a physical disk drive that DOS or Windows treats as a separate "disk drive". There can be any number (up to 24, as in C-Z) of these logical volumes on a physical disk and they show up as drive "C", "D", "E" in DOS.

Drive Geometry

• A physical drive is usually composed of any number of rapidly rotating platters with a set of read/write heads for each side of each platter. Each platter is divided into a series of concentric rings called tracks. Each track is further divided into sectors. Each sector is then divided into bytes. The number and position of these structures is referred to as the drive geometry.

Track

• Each platter on a disk is divided into thin concentric bands called Tracks. There is no physical structure associated with a track. Tracks are established when the disk is low level formatted. Tracks are numbered sequentially starting with track 0 on the outermost part of the platter, moving inwards.

Head

• There is one head for every side of every platter in a disk drive. They ride very close to the surface of the platter and allow information to be read from and written to the platter. The heads are attached to an arm, which is in turn attached to a head stack assembly. Normally, all heads move together and are positioned on the same logical track together. Heads are numbered sequentially from zero.

Cylinder

• A cylinder, like a track, is a logical term and does not refer to a physical piece of hardware. In other words, you can't open a disk drive cover and see the "cylinders". A cylinder refers to the set tracks on every side of every platter that are at the same head position, as if an actual cylindrical cross-section had been taken out of the whole drive. If a drive contains 4 heads, a cylinder refers to all the information that is available to all the heads while on a single track.

Sector

• A sector is a group of bytes within a track and is the smallest group of bytes that can be addressed on a drive. There are normally tens or hundreds of sectors within each track. The number of bytes in a sector can vary, but it is almost always 512 on drives built in the U.S. Sectors are numbered sequentially within a track, starting at 1. The numbering restarts on every track, so that "track 0, sector 1" and "track 5, sector 1" refer to different sectors.

Absolute Sectors

• Early disk drives would contain a known number of cylinders, heads and sectors and these numbers would refer to actual hardware present in the drive. The BIOS would address the disk controller directly and translate absolute sector numbers into C-H-S before writing to or reading from the disk. As disk capacities increased to unforeseen sizes, manufacturers and software developers were forced to change the stated number of cylinders, heads and sectors in order to trick the BIOS into addressing the additional space.

Boot Sector

• The very first sector of a physical disk (absolute sector 0) is called the boot sector. It contains machine code to enable the computer to find the partition table and the operating system. One of the first things a computer does when it starts up is to load this code into memory and execute it. This "boot code" has a very simple task. Its job is to read the partition table at the end of sector 0 and decide how the disk is laid out, and which partition contains the bootable operating system.

Partition Table

• The partition table describes every logical volume on a disk, its location on the disk, and whether or not the partition is bootable. Only one partition can be "bootable" at a time. This is indicated by a single byte in the partition table. In fact, the entire logical layout of the disk is determined by about 100 bytes of information. The boot code determines which logical volume is the "boot volume" and reads the first sector of that partition. The first sector of each partition is therefore called the "Partition Boot Sector".

Partition Waste Space

• After the boot sector of a partition, it is customary to skip the rest of the track and start the volume on the next track. This results in tens or even hundreds of sectors going to waste. However, since this area is inaccessible to all but low-level disk viewers, it can contain hidden information.

Partition Boot Sector

• The first sector of every partition is itself a boot sector with another partition table. This table has a duplicate copy of the partition entry for that volume that contains a sector offset into the current partition where the logical volume begins. The first sector of the volume is called the partition boot sector. It contains code that is different from the boot sector code described earlier. The job of the partition boot code is to find a file in the root directory (io.sys in the case of DOS) which is then loaded and run to continue the boot process at a higher level.

Evidence File

• Each file is an exact, sector by sector, copy of a floppy, hard disk or other media. When the file is created the user inputs information relevant to the investigation and this file is then archived inside the Evidence File along with the contents of the disk. Every byte of the file is verified using a 32 bit CRC.

Cyclical Redundancy Check (CRC)

• Each Disk Image File (Evidence File) is encrypted and CRC-checked. The integrity of the file is verified and occurs as the Image File is read. Forensic Programs utilized will not process any Image File in which the Integrity is not verified and confirmed, using the below Polynomial computations which confirm the file has not been altered:

• 16-bit CRC – Polynomial: x16+x15+x2+x1

• 32-bit CRC – Polynomial: x32+x26+x23+x22+x16+x12x11+x10+x8+x7+x5+x4+x2+x+1

Compression

• Compression algorithm to achieve an average of 50% size reduction. If most of the disk is unused, the compression ratio can be much higher. Compression NEVER has any effect on the final evidence, and compressed blocks are checked for validity in the same way as uncompressed ones.

File Allocation Table (FAT)

• The FAT is an array of numbers that sits near the beginning of a DOS volume. These numbers can be 1½ bytes (12 bits), 2 bytes (16 bits) or 4 bytes (32 bits) long depending on the size of the volume. This is why volumes are sometimes referred to as FAT12, FAT16 or FAT32.

• Each entry in the FAT corresponds directly to one cluster and there is always one FAT entry for

every cluster. Each entry is either a code indicating that the cluster is free, the cluster is bad or that this is the last cluster in a file. If it is not one of these codes, then the number refers to the next cluster in the chain belonging to a file. The first cluster in the chain for a file, is recorded in the directory entry for that file.

• The FAT is therefore a one way linked list of clusters for every file in a volume.

Cluster

• A cluster is a group of sectors in a logical volume that is used to store files and directory entries. Because DOS maintains information about each cluster in the FAT and the FAT must be relatively small, clusters usually contain more than one sector so that total number of clusters is manageable and space is used more efficiently on the volume. Clusters must contain a number of sectors that is a power of 2 (i.e. 2, 4, 8, 16, etc…)

Directory Entries

• A directory is treated just like a file on FAT volumes. Each directory contains a starting cluster and can be expanded or contracted as files are added or removed from the directory. Each file in the directory is represented by a 32 byte entry in a table. In other words, the contents of a directory “file” are an array of records containing information about the files in the directory. Each entry in the directory can be either a file or another directory. In this way, a "tree" structured can be built.

• A 32-byte entry contains enough space for an 8.3 character file name. Windows 95 implements

long file names by chaining together a number of entries and using the space to store the additional characters in the file name.

Root Directory

• On FAT12 and FAT16 volumes, the root directory resides at a fixed location on the drive and contains a maximum number of entries that is determined when the volume is formatted. The number of files and directories in the root directory of such a volume is limited, but the number and size of all subdirectories is essentially unlimited, because they are treated like normal files and can expand if space is available on the volume. On FAT32 volumes, the root directory is also treated like a file and can contain any number of files or subdirectories.

Logical File Size

• Most operating systems, including DOS and Windows, keep track of the exact size of a file in bytes. This is the logical size of the file and is the number that you see in the directory listing for a file. This number is different from the physical file size (described below).

Physical File Size

• The physical size of a file is the amount of space that the file occupies on the disk. A file or directory always occupies a whole number of clusters, even if it does not completely fill that space. A file always takes at least one cluster, even if it is empty. Therefore, even if a file has a logical size of only five bytes, its physical size is one cluster

File Slack

• The space between the logical end and the physical end of file is called the file slack. Example would be that of a 1024 byte size cluster, containing 2-cluster file with a physical size of 2048,bytes. The logical end of file, in this example, comes before the physical end of the second cluster. The remaining bytes are remnants of previous files or directories.

RAM Slack

• The space from the end of the file to the end of the containing sector is called RAM slack. Before a sector is written to disk, it is stored in a buffer somewhere in RAM. If the buffer is only partially filled with information before being committed to disk, remnants from the end of the buffer will be written to disk. In this way, information that was never "saved" can be found in RAM Slack on disk. Although not as big an issue concerning Windows version 98 2nd edition and NTFS.

America OnLine – AOL

• On line service provider, not to be confused with Internet Service Provider (ISP), although an AOL user can access the Internet via AOL, AOL is an On Line Service with it’s own Chat, Messaging and Email service.

Internet Service Provider – ISP

• An Internet Service Provider is a direct link into the Internet using an assorted number of Internet Browsers, including but not limited to Netscape, Internet Explorer, etc.

Message Digest 5 - MD5 Hash

• A “Digital Fingerprint” of the files contents regardless of the file name, path or associated dates. Odds of any two files having the same HASH value, but not being the same are:

o 2128 or o 1 in 340,282,366,920,938,463,463,374,607,431,768,211,456 o or 1 in 340 billion, billion, billion, billion

• Compared to fingerprints which are • 1 in 6,400,000,000 (“Galton” Study) or • 1 in 100,000,000,000,000,000 or 100 billion, billion (“Osterburg” Study)

Windows Swap File

• Microsoft Windows-based computer operating systems utilize a special file to write data when

additional random access memory is needed. In Windows, Windows 95 and Windows 98, these are called Windows Swap Files. In Windows NT and Windows 2000 they are called Windows Page Files but they have essentially the same characteristics as Windows Swap Files. Swap files are potentially huge and most computer users are unaware of their existence. The size of these files can range from 20 million bytes to over 200 million bytes and the potential exists for these huge files to contain remnants of word processing, E-Mail messages, Internet browsing activity, database entries and almost any other work that may have occurred during past Windows work sessions. This situation creates a significant security problem because the potential exists for data to be transparently stored within the Windows Swap File without the knowledge of the computer user. This can occur even if the work product was stored on a computer network server. The result is a significant computer security weakness that can be of benefit to the computer forensics specialist. Windows Swap Files can actually provide the computer forensics specialist with investigative leads that might not otherwise be discovered.

• Windows Swap Files are relied upon by Windows, Windows 95, and Windows 98 to create

"virtual memory"; i.e., using a portion of the hard disk drive for memory operations. The storage area is important to the computer forensics specialist for the same reason that file slack and unallocated space are important, i.e., large volumes of data exist for which the computer user likely has no knowledge. Windows Swap Files can be temporary or permanent, depending on the version of Windows involved and settings selected by the computer user. Permanent swap files are of more interest to a computer forensics specialist because they normally store larger amounts of information for much longer periods of time.

• Large permanent swap files can hold vast quantities of data and should be targeted early in the

examination by the computer forensics specialist to identify leads relative to past uses of the subject computer.

• The permanent swap file in Windows 3.1 and some later versions is called 386SPART.PAR and it

typically has a system attribute, which makes it invisible to standard DOS or Windows programs. The file usually can be found in the root directory of the drive designated in the Virtual Memory dialog box. Another place to look is in the Windows subdirectory or the Windows\System subdirectory.

• The permanent swap file in Windows 95 and Windows 98 is called WIN386.SWP. It is also

usually located in the root directory of the drive designated in the Virtual Memory dialog box. A permanent swap file will not be found on most computers running Windows 95 or Windows 98. In Windows 95 and Windows 98, the default is usually set for the swap file to be dynamic and it shrinks and expands as necessary. When a dynamic swap file is involved, its file size is reduced to zero and the file's content is released to unallocated space. Thus, the contents of the dynamic swap file must be analyzed along with the other data stored in this space. This requires the use of specialized computer forensics software tools to capture the data stored in the unallocated space, which is normally associated with previously 'deleted' files.

• In Windows NT, the Windows Page File is named PAGEFILE.SYS and such files are treated as

permanent (static) swap files. Permanent swap files can be viewed like any other file with software utilities.

1

APPENDIX B - Computer Forensic Examination Procedures These procedures are established as the High Tech Crime Bureau, Forensic Computer Evidence Recovery standards to ensure that competent, professional forensic examinations are conducted. These procedures are also accepted as standard, and required by the International Association of Computer Investigative Specialists, IACIS. It is acknowledged that almost all-forensic examinations of computer media are different and that each cannot be conducted in the exact same manner for numerous reasons, however there are four essential requirements of a competent forensic examination. These are: ♦ Forensically sterile media must be used. ♦ The examination must maintain the integrity of the original media. ♦ Positive hardware / software control must be maintained for all attempts to write to the examined media. ♦ Printouts / exhibits resulting from the examination must be properly marked, controlled and transmitted.

The Computer Forensic Investigator or examiner must demonstrate and maintain the highest standards of ethical conduct and therefore:

♦ Maintain the highest level of objectivity in all forensic examinations and accurately present the facts involved. ♦ Thoroughly examine and analyze the evidence in a investigation or case. ♦ Conduct examinations based upon established, validated principles. ♦ When applicable or required to render an opinion, do so having a basis that is demonstratively reasonable,

sound and based upon accurate level of training, experience or other factual basis. ♦ Not withhold any findings, whether inculpatory or exculpatory, that would cause the facts of a investigation or

case to be misrepresented or distorted. ♦ Never misrepresent credentials, education, training, and experience or membership status.

Further it is understood that in many instances a completed examination of all the data may not be

authorized, possible, necessary or conducted for various reasons. These should be documented as such. Examples of limited examinations are as follows:

♦ Scope limited by Search Warrant ♦ Examination must be made on scene, without seizing equipment or media ♦ Media size is vast, such as a network server, etc. ♦ Weight of evidence already recovered is so overwhelming, making further searching and processing

unnecessary. ♦ Due to hardware, software, operating system or other reason beyond examiner's control.

The following are recommended procedures for conducting a complete examination of computer media,

dependent upon type of media examined. (Hard Disk Drive (HDD) / Removable Media, etc.): 1. Forensically sterile recovery conditions. All control media utilized during the examination is to be freshly

prepared, completely wiped of non-essential data, and while not normally required, should be consistent to procedures regarding destruction of data pursuant to:

Department of Defense Directive #5020.22 (22-M and related supplements) DOD Industrial Security Program Dated December 8, 1980

Scanned for viruses and verified before use.

2. All forensic software utilized is licensed to, or authorized for use by, the examiner and/or agency.

2

3. The original computer is physically examined. A specific description of the hardware is made and noted, along with anything unusual found during the physical examination.

4. Hardware / software precautions are taken during the examination to prevent the transference of viruses, destructive programs, or other inadvertent writes to/from the examined media and other media used for the examination.

5. The contents of the CMOS, as well and the internal clock are checked and the correctness of the date and time is noted.

6. A duplicate image (Bit Stream, Sector by Sector, Etc.) of the original media is made. The duplicate image is used for the actual examination. A detailed description of the process and identification of the hardware, software and media is documented, and retained as Work Product / Processing Procedures (may be exempt as "Investigative Procedures" from Freedom of Information requests)

7. The copy of the original HDD is logically examined and a description of what was found or observed is documented.

8. The boot record data, and user defined system configuration and operation command files are examined and findings documented.

9. All recoverable deleted files are restored. The first character of the restored files is changed from the system standard of a HEX E5 to an Examiner unique character, such as "_", for identification and evidence purposes.

10. A listing of all the files contained on the examined media, whether they contain potential evidence or not, is made.

11. Unallocated space is examined for lost or hidden data. 12. Slack area of user data files in the root directory and each sub-directory (if present) is examined. 13. The contents of each user data file in the root directory and each sub-directory (if present) are examined. 14. Password protected files are defeated (when possible), unlocked and examined. 15. Printouts of all apparent evidentiary data, along with file information, location and other information relevant

to the data and its recovery. All exhibits in which Child Pornography or other contraband material is present are to be properly marked, secured and transmitted as required.

16. Executable programs of specific interest should be examined. User data files that could not be accessed by other means are examined at this time.

17. Document comments and findings.