practical 5 - timothy wells
TRANSCRIPT
-
8/10/2019 Practical 5 - Timothy Wells
1/34
KILLER CASEWells Digital Investigation
Version AccessData Forensic Toolkit Version: 5.4.0.37
Case Owner Cpcc
Case Name Practical 5 - Tim Wells
Case Reference #001
Case Description My final project in CCT-241 Report Created Wednesday, November 12, 2014 06:56:37 PM
Agency/Company Wells Digital Investigation
Investigator s Name Timothy Wells
Address 123 Madeitup Lane
Phone 704-867-5309
Email [email protected]
mailto:[email protected]:[email protected]:[email protected] -
8/10/2019 Practical 5 - Timothy Wells
2/34
1
Digital Investigation Overview
Wells Digital Investigation was hired by the NC SBI to seek out digital evidence of illegal actions by a suspectin a police raid occurring recently. The company, Wells Digital Investigation, was incorporated (solely for thisassignment) in 2014 by Timothy Wells, newly Access Data Certified Examiner with entire semesters of experience indigital forensic investigation. Mr. Wells is well qualified and certified to investigate such a case and provide detailedanalysis. WDI began its investigation November 2 nd , 2014, processing data provided through a raid of the suspects
home, resulting in an intact, untouched image of the suspects hard drive. The details of WDIs findings are as follows:
Email evidence of conspiracies involving credit card fraud, check washing and pharmaceutical fraud,as well as blatant emails about methamphetamine production.
Instant messages online with individuals in other similar criminal enterprises. Documents detailing debts owed, ostensibly for previous drug purchases. A patterned search history of information gathering on how to best commit the above crimes. Multiple pictures of monkeys, possibly associates of his.
It is the conclusion of Wells Digital Investigation that there is a preponderance of evidence contained within
the suspects PC that he has engaged in multiple illegal acts. Furthermore, there is enough evidence contained withinhis correspondence with non-criminals to tie him to the email and internet accounts that he used to procure illegaldrugs, fraudulent checks, hardware to commit credit card fraud, and false titles for automobiles.
Acquiring Mr. Mantooths Data
The image of Mr. Mantooths hard drive was acquired by forensic investigators at Charlotte MecklenburgPolice Department. The chain of custody was maintained from the investigator, to the evidence locker, being
surrendered to WDIs chief investigator, Timothy Wells, for processing. Mr. Wells verified that the MD5 Hash value (adigital signature) of the resulting image matched that of the original drive.
(An image of the digital signature, which matches that of the original drive)
The Forensic Image
The boot drive itself was a sole partition, the C: drive, on a Maxtor 6E040L0 40GB drive. The drive wasimaged using a write-blocker (Forensic UltraDock), which preserves the integrity of the data being collected. Muchlike cordoning off a crime scene, it ensures any evidence is not only accessible, but admissible in the eyes of the law.
The examination itself was carried out in a workspace only other forensic examiners have access to, and access tothe forensic application suite is password protected.
-
8/10/2019 Practical 5 - Timothy Wells
3/34
2
(A screenshot of the hardware ID from the registry system file)
Data Found Outside the File Table
Outside the regularly accessible files are files contained in unallocated space. Unfortunately, the only file ofreal interest, an autoexec.bat, a batch file used for actions in the windows operating system, clearly containedsome pertinent information, but was unaccessible to this examiner. The file, containing text at the beginning,
followed by gibberish, said, Maybe it is... maybe it isn't. WDI attempted to gain access to this file through Bit -Shifting, in which hexadecimal code is moved around in an attempt to uncover obfuscated files. Though unsuccessful,it is likely that the file contains a picture, as the file size is unlikely for a batch file, and the file header JFIF (a header
for a JPEG picture) is present after the added maybe it is... maybe it isn't.
Encrypted Files
Only a handful of encrypted files were present on the machine, a selection of which are listed below. Onlyone password was uncovered through the use of Access Data's Password Recovery Toolkit. thosewhoowes.xls wasfound to contain a table of money owed for drugs to the suspect, including methamphetamine and ketamine(labeled as Special K, it's street name). Other files included John.doc and Wes.doc, labeling two of the membersof this conspiracy. What was inside, we do not know, further processing may reveal this information. Additionally, itcan be assumed the C money plates.doc and CC nums.xls are related to the case, but more on those can befound in the listed evidence files, likely given the suspect's history of not deleting the files he made encrypted
versions of.
(file listing of encrypted files on the image)
Executable Files
A search of local executables found little substantial information, but it did reveal evidence that he may havebeen planning to conceal both his files and communication. Trout.exe is used to trace the path packets of data takewhen travelling across the internet, and could be used to ensure a Virtual Private Network is acting properly. It could
also be used to assist in discovering the location of his cohorts as he transferred one of many files to them.
(executables found on Mr. Mantooths drive)
-
8/10/2019 Practical 5 - Timothy Wells
4/34
3
Evidence Found
Listed at the end of this report is a full set of files that contain valuable evidence of Mr. Mantooth's illegalactions. Throughout this evidence, a preponderance of information leading to illegal acts is available, includingphotographic evidence of drugs, stolen checks, and credit cards. A live search using expressions (common patternsof numbers and letters creating standards for data) revealed a list of credit card numbers the suspect had generated.
This was found in the margins of the code of an otherwise normal file. WDI suspects the suspect has some
knowledge of editing hex code to include these hidden messages.
Indexed Searches
Below is a selection of indexed searches (searches of prerecorded listings of words at the time of case
processing), along with the hits they produced. A search of the term meth revealed calendar reminders to processmethamphetamine. Credit card lead us to not only documents in which stealing credit card numbers was detailed,but actual pictures of stolen credit cards. Washing, and Check revealed plans to trade dirty checks for clean ones, sothe suspect and his partners could defraud people they had stolen from. Continuous evidence produced by thesearches revealed the suspect not only performed these actions, but liked to brag about them with his co-
conspirators.
Conclusions
It is clear from the evidence that the suspect did not only commit multiple crimes, but that he did soconcurrently and with funds obtained from fraudulent activities. Additionally, information from emails to his motherand about his girlfriend tie him to the accounts used to converse about these activities. This investigator believesdigital evidence, corroborated with any amount of physicial evidence found in the raid of the suspect's home wouldbe more than enough to build a very strong case against him.
-
8/10/2019 Practical 5 - Timothy Wells
5/34
4
Chain of Custody
Description: 40 GB Hard Drive, Wes Mantooth Case #001 WDI INVESTIGATION USEONLY
Make: Maxtor 40GB Model: 6E040L0
Date/Time From: To: Reason:
10/27/2014 2:43 PM Officer Matthew Hart
CMPD
Detective/Chef BobbyFlay
NC SBI
Crime Scene Transfer tothe Detective handling thecase
11/2/2014 11:11 AM Detective John Johnington
NC SBI
Timothy Wells
WDI
Transfer to WDI forforensic processing.Contracted.
11/12/2014 6:00 PM Timothy Wells
WDI
Jason Lands
CPCC
Something Something thistotally isn't a schoolassignment.
-
8/10/2019 Practical 5 - Timothy Wells
6/34
5
Evidence (FTK REPORTS)
Below is a listing of FTK reports, culled from FTK 5.4s selection of file listings of relevant evidence. Includedare paths and listings to all files that contained suspicious information. Some files are circumstantial, such as thepresentations of how to steal credit cards, but others are very personal and direct evidence, such as the listthosewhoowes.xls, in which the suspect details people who owe him for drugs. Evidence like this is rife, andpervades the entire image of the PC. It is the opinion of this examiner that the suspect had little more than a fleeting
interest in hiding his criminal activities, and in many cases, flaunted it.
Case Information
11/12/2014
Time zone for display: Eastern Standard Time
File Overview
11/12/2014
Evidence Groups Ungrouped: 3159
File Items
Evidence Items: 1
Checked Items: 60
Unchecked Items: 3099
File Category
Archives: 76
Databases: 19
Documents: 317
Email: 169
Executable: 6
Folders: 687
Graphics: 655
Internet/Chat Files: 533
Mobile Phone Data: 0 Multimedia: 44
-
8/10/2019 Practical 5 - Timothy Wells
7/34
6
OS/File System Files: 252
Other Encryption Files: 15
Other Known Types: 137
Presentations: 2
Slack/Free Space: 2
Spreadsheets: 2
Unknown Types: 243 User Types: 0
File Status
Bad Extensions: 128
Data Carved Files: 0
Decrypted Files: 1
Deleted Files: 30
Duplicate Items: 231
Email Attachments: 136
Email Related Items (From Email): 347
Encrypted Files: 13
Flagged Ignore: 0
Flagged Privileged: 0
From Recycle Bin: 46
KFF Alert Files: 0
KFF Ignorable: 0
OCR Graphics: 0 OLE Subitems: 178
User-Decrypted Files: 0
Labels
Email Status
Email Attachments: 136
Email Related Items (From Email): 347
Email Reply: 20
Forwarded Email: 0
Evidence List
11/12/2014
Display Name: killercase.ad1
Evidence Path: C:\Users\CPCC\Downloads\killercase.ad1
ID Number/Name: Evidence Type: Archive
-
8/10/2019 Practical 5 - Timothy Wells
8/34
7
Description:
Time Zone: America/New_York
All Bookmarks
11/12/2014
Time zone for display: Eastern Standard Time
cpcc
Bookmark: Evidentiary Files
11/12/2014
Comments
Creator cpcc
File Count 3
Files
File Comments
Name ~ar1730.xar
Physical Size 6656 B
Logical Size 6656 B
Created Date 7/12/2007 7:02:58 PM (2007-07-12 23:02:58 UTC)
Modified Date 7/12/2007 6:56:54 PM (2007-07-12 22:56:54 UTC)
Accessed Date 7/12/2007 7:02:58 PM (2007-07-12 23:02:58 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Roaming/Microsoft/Excel/~ar1730.xar
File Comments
Name Checks Physical Size 56 B
Logical Size 56 B
Created Date 3/5/2007 9:01:04 PM (2007-03-06 02:01:04 UTC)
Modified Date 7/7/2007 7:07:50 PM (2007-07-07 23:07:50 UTC)
Accessed Date 7/2/2008 4:53:13 PM (2008-07-02 20:53:13 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/Documents/Checks
-
8/10/2019 Practical 5 - Timothy Wells
9/34
8
File Comments
Name News Report.doc
Physical Size 66566 B
Logical Size 48568 B
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows Mail/Local Folders/Inbox/7C580130-
00000011.emlNews Report.doc
Bookmark: Document
11/12/2014
Files
File Comments
Name readthis.txt
Physical Size 421 B
Logical Size 421 B
Created Date 3/5/2007 9:16:55 PM (2007-03-06 02:16:55 UTC) Modified Date 7/13/2007 2:59:08 PM (2007-07-13 18:59:08 UTC)
Accessed Date 7/13/2007 3:05:02 PM (2007-07-13 19:05:02 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/Documents/ADS/readthis.txt
Bookmark: Email Evidence
11/12/2014
Files
File Comments
Name wash checks
Physical Size n/a
Logical Size 0 B
Created Date 6/21/2007 7:14:01 PM (2007-06-21 23:14:01 UTC)
-
8/10/2019 Practical 5 - Timothy Wells
10/34
9
Modified Date 6/21/2007 7:14:23 PM (2007-06-21 23:14:23 UTC)
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Outlook/Outlook.pstPersonal FoldersTop of
Personal FoldersTaskswash checks
Bookmark: Graphics
11/12/2014
Comments Graphical Evidence of Possible Illegal Action
Creator cpcc
File Count 82
Files
File Comments Graphical Evidence of Possible Illegal Action
Name ~ar1730.xar
Physical Size 6656 B
Logical Size 6656 B
Created Date 7/12/2007 7:02:58 PM (2007-07-12 23:02:58 UTC)
Modified Date 7/12/2007 6:56:54 PM (2007-07-12 22:56:54 UTC)
Accessed Date 7/12/2007 7:02:58 PM (2007-07-12 23:02:58 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Roaming/Microsoft/Excel/~ar1730.xar
File Comments Graphical Evidence of Possible Illegal Action
Name 1d3bd207e2e30208
Physical Size n/a
Logical Size n/a Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db1d3bd207e2e30208
File Comments Graphical Evidence of Possible Illegal Action
Name 20433f88f3d5ecda
-
8/10/2019 Practical 5 - Timothy Wells
11/34
10
Physical Size n/a
Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db20433f88f3d5ecda
File Comments Graphical Evidence of Possible Illegal Action
Name 20433f88f3d5ecda
Physical Size n/a
Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_96.db20433f88f3d5ecda
File Comments Graphical Evidence of Possible Illegal Action
Name 2e905f205572462
Physical Size n/a Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_96.db2e905f205572462
File Comments Graphical Evidence of Possible Illegal Action
Name 38a718400f7e2003
Physical Size n/a
Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])
-
8/10/2019 Practical 5 - Timothy Wells
12/34
11
[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_96.db38a718400f7e2003
File Comments Graphical Evidence of Possible Illegal Action
Name 42260c022e79bfcc
Physical Size n/a
Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db42260c022e79bfcc
File Comments Graphical Evidence of Possible Illegal Action
Name 4480ab58e651cdde
Physical Size n/a
Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])
[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/WesMantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db4480ab58e651cdde
File Comments Graphical Evidence of Possible Illegal Action
Name 5fe736d6c40f793c
Physical Size n/a
Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db5fe736d6c40f793c
File Comments Graphical Evidence of Possible Illegal Action
Name 67chev.jpg
Physical Size 68608 B
Logical Size 68216 B
-
8/10/2019 Practical 5 - Timothy Wells
13/34
12
Created Date 6/21/2007 6:18:20 PM (2007-06-21 22:18:20 UTC)
Modified Date 6/21/2007 6:18:21 PM (2007-06-21 22:18:21 UTC)
Accessed Date 7/13/2007 2:44:38 PM (2007-07-13 18:44:38 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/Documents/Car Titles/67chev.jpg
File Comments Graphical Evidence of Possible Illegal Action
Name 714c85fa66d6d4e
Physical Size n/a
Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db714c85fa66d6d4e
File Comments Graphical Evidence of Possible Illegal Action
Name 78b0e5b26534e7f1
Physical Size n/a
Logical Size n/a
Created Date n/a Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_96.db78b0e5b26534e7f1
File Comments Graphical Evidence of Possible Illegal Action
Name 78b0e5b26534e7f1
Physical Size n/a
Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db78b0e5b26534e7f1 File Comments Graphical Evidence of Possible Illegal Action
-
8/10/2019 Practical 5 - Timothy Wells
14/34
13
Name 792ac1e70946564d
Physical Size n/a
Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db792ac1e70946564d
File Comments Graphical Evidence of Possible Illegal Action
Name 824902f2f0241ed5
Physical Size n/a
Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_96.db824902f2f0241ed5
File Comments Graphical Evidence of Possible Illegal Action
Name 8e1fba8bd17dbb24 Physical Size n/a
Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_96.db8e1fba8bd17dbb24
File Comments Graphical Evidence of Possible Illegal Action
Name 91064B.gif
Physical Size 21504 B
Logical Size 21003 B
Created Date 3/5/2007 8:52:34 PM (2007-03-06 01:52:34 UTC)
Modified Date 3/5/2007 8:07:48 PM (2007-03-06 01:07:48 UTC)
Accessed Date 3/5/2007 9:03:10 PM (2007-03-06 02:03:10 UTC)
-
8/10/2019 Practical 5 - Timothy Wells
15/34
-
8/10/2019 Practical 5 - Timothy Wells
16/34
15
Physical Size n/a
Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.dbb6166600e65b89ac
File Comments Graphical Evidence of Possible Illegal Action
Name Camera.bmp
Physical Size 513202 B
Logical Size 375030 B
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows Mail/Local Folders/Inbox/458C76A0-
0000000C.emlCamera.bmp
File Comments Graphical Evidence of Possible Illegal Action
Name Camera.bmp
Physical Size 513202 B
Logical Size 375030 B
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows Mail/Local Folders/Sent Items/5991409D-
00000002.emlCamera.bmp
File Comments Graphical Evidence of Possible Illegal Action
Name camera01[1].jpg
Physical Size 18432 B
Logical Size 17981 B
Created Date 7/12/2007 7:13:18 PM (2007-07-12 23:13:18 UTC)
Modified Date 7/12/2007 7:13:18 PM (2007-07-12 23:13:18 UTC)
-
8/10/2019 Practical 5 - Timothy Wells
17/34
16
Accessed Date 7/12/2007 7:13:18 PM (2007-07-12 23:13:18 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/JXOY3MEC/camera01[1].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name camera03[1].jpg
Physical Size 14336 B
Logical Size 14071 B
Created Date 7/12/2007 7:13:18 PM (2007-07-12 23:13:18 UTC)
Modified Date 7/12/2007 7:13:18 PM (2007-07-12 23:13:18 UTC)
Accessed Date 7/12/2007 7:13:18 PM (2007-07-12 23:13:18 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])
[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/RMAJCPM1/camera03[1].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name check2.bmp
Physical Size 197120 B
Logical Size 196822 B
Created Date 3/5/2007 8:52:34 PM (2007-03-06 01:52:34 UTC)
Modified Date 3/5/2007 8:11:28 PM (2007-03-06 01:11:28 UTC)
Accessed Date 3/5/2007 9:03:10 PM (2007-03-06 02:03:10 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/Documents/Checks/check2.bmp
File Comments Graphical Evidence of Possible Illegal Action
Name ClassicVisaFern.gif
Physical Size 38912 B Logical Size 38473 B
Created Date 3/5/2007 8:44:22 PM (2007-03-06 01:44:22 UTC)
Modified Date 3/5/2007 8:20:00 PM (2007-03-06 01:20:00 UTC)
Accessed Date 7/13/2007 2:44:40 PM (2007-07-13 18:44:40 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/Documents/ClassicVisaFern.gif
File Comments Graphical Evidence of Possible Illegal Action
-
8/10/2019 Practical 5 - Timothy Wells
18/34
17
Name Cover Plate.bmp
Physical Size 556750 B
Logical Size 406854 B
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows Mail/Local Folders/Inbox/458C76A0-
0000000C.emlCover Plate.bmp
File Comments Graphical Evidence of Possible Illegal Action
Name Cover Plate.bmp
Physical Size 556750 B
Logical Size 406854 B
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows Mail/Local Folders/Sent Items/5991409D-
00000002.emlCover Plate.bmp
File Comments Graphical Evidence of Possible Illegal Action
Name csid-methhand[1].jpg
Physical Size 5120 B
Logical Size 4736 B
Created Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Modified Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Accessed Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/RMAJCPM1/csid-methhand[1].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name csid-valium[1].jpg
Physical Size 2560 B
Logical Size 2556 B
Created Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
-
8/10/2019 Practical 5 - Timothy Wells
19/34
18
Modified Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Accessed Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/DSUTLPS6/csid-valium[1].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name csid%20amphetamine[1].jpg
Physical Size 4608 B
Logical Size 4414 B
Created Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Modified Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Accessed Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/RMAJCPM1/csid%20amphetamine[1].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name csid%20barbiturates[1].jpg
Physical Size 4096 B
Logical Size 3935 B
Created Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Modified Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Accessed Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/JXOY3MEC/csid%20barbiturates[1].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name csid%20meth%20small[1].jpg
Physical Size 4096 B
Logical Size 3782 B
Created Date 7/12/2007 7:17:06 PM (2007-07-12 23:17:06 UTC)
Modified Date 7/12/2007 7:17:06 PM (2007-07-12 23:17:06 UTC)
Accessed Date 7/12/2007 7:17:06 PM (2007-07-12 23:17:06 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])
[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
-
8/10/2019 Practical 5 - Timothy Wells
20/34
19
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/DSUTLPS6/csid%20meth%20small[1].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name csid%20pharm[1].gif
Physical Size 13824 B
Logical Size 13676 B
Created Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Modified Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Accessed Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/3J6Q2YX9/csid%20pharm[1].gif
File Comments Graphical Evidence of Possible Illegal Action
Name csid_crackpara_small[1].jpg
Physical Size 2560 B
Logical Size 2186 B
Created Date 7/12/2007 7:17:06 PM (2007-07-12 23:17:06 UTC)
Modified Date 7/12/2007 7:17:06 PM (2007-07-12 23:17:06 UTC)
Accessed Date 7/12/2007 7:17:06 PM (2007-07-12 23:17:06 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/3J6Q2YX9/csid_crackpara_small[1].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name csid_meth1_small[1].jpg
Physical Size 2048 B
Logical Size 2009 B
Created Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Modified Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Accessed Date 7/12/2007 7:17:01 PM (2007-07-12 23:17:01 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/RMAJCPM1/csid_meth1_small[1].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name D02CCHK_e.jpg
-
8/10/2019 Practical 5 - Timothy Wells
21/34
20
Physical Size 14336 B
Logical Size 13919 B
Created Date 3/5/2007 8:52:34 PM (2007-03-06 01:52:34 UTC)
Modified Date 3/5/2007 8:09:59 PM (2007-03-06 01:09:59 UTC)
Accessed Date 3/5/2007 9:03:10 PM (2007-03-06 02:03:10 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/Documents/Checks/D02CCHK_e.jpg
File Comments Graphical Evidence of Possible Illegal Action
Name DC_TINK_lg_3.jpg
Physical Size 7680 B
Logical Size 7517 B
Created Date 3/5/2007 8:52:34 PM (2007-03-06 01:52:34 UTC)
Modified Date 3/5/2007 8:05:09 PM (2007-03-06 01:05:09 UTC)
Accessed Date 3/5/2007 9:03:11 PM (2007-03-06 02:03:11 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/Documents/Checks/DC_TINK_lg_3.jpg
File Comments Graphical Evidence of Possible Illegal Action
Name ec4c59756c7a19cf
Physical Size n/a Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.dbec4c59756c7a19cf
File Comments Graphical Evidence of Possible Illegal Action
Name emf_spool[72]
Physical Size n/a
Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])
-
8/10/2019 Practical 5 - Timothy Wells
22/34
21
[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH
[NTFS]/[root]/Windows/System32/spool/PRINTERS/FP00000.SPLemf_spool[72]
File Comments Graphical Evidence of Possible Illegal Action
Name emf_spool[72]
Physical Size n/a
Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH
[NTFS]/[root]/Windows/System32/spool/PRINTERS/FP00001.SPLemf_spool[72]
File Comments Graphical Evidence of Possible Illegal Action
Name engineeringweb_drop[1].gif
Physical Size 2560 B
Logical Size 2141 B
Created Date 7/12/2007 7:16:20 PM (2007-07-12 23:16:20 UTC)
Modified Date 7/12/2007 7:16:20 PM (2007-07-12 23:16:20 UTC)
Accessed Date 7/12/2007 7:16:20 PM (2007-07-12 23:16:20 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])
[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/WesMantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/3J6Q2YX9/engineeringweb_drop[1].gif
File Comments Graphical Evidence of Possible Illegal Action
Name f27d2cf446fa8b77
Physical Size n/a
Logical Size n/a
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.dbf27d2cf446fa8b77
File Comments Graphical Evidence of Possible Illegal Action
Name Guts.bmp
Physical Size 577310 B
Logical Size 421878 B
-
8/10/2019 Practical 5 - Timothy Wells
23/34
22
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows Mail/Local Folders/Inbox/458C76A0-
0000000C.emlGuts.bmp
File Comments Graphical Evidence of Possible Illegal Action
Name Guts.bmp
Physical Size 577310 B
Logical Size 421878 B
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows Mail/Local Folders/Sent Items/5991409D-
00000002.emlGuts.bmp
File Comments Graphical Evidence of Possible Illegal Action
Name herbs1-hawaiian-ruler[1].jpg
Physical Size 47616 B
Logical Size 47178 B
Created Date 7/12/2007 7:15:52 PM (2007-07-12 23:15:52 UTC)
Modified Date 7/12/2007 7:15:52 PM (2007-07-12 23:15:52 UTC)
Accessed Date 7/12/2007 7:15:52 PM (2007-07-12 23:15:52 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/3J6Q2YX9/herbs1-hawaiian-ruler[1].jpg File Comments Graphical Evidence of Possible Illegal Action
Name HGCANI53L5CI7G666.jpg
Physical Size 3584 B
Logical Size 3423 B
Created Date 7/12/2007 7:17:26 PM (2007-07-12 23:17:26 UTC)
Modified Date 7/12/2007 7:17:26 PM (2007-07-12 23:17:26 UTC)
Accessed Date 7/2/2008 4:59:03 PM (2008-07-02 20:59:03 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])
-
8/10/2019 Practical 5 - Timothy Wells
24/34
-
8/10/2019 Practical 5 - Timothy Wells
25/34
24
Name images[1].jpg
Physical Size 2560 B
Logical Size 2374 B
Created Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Modified Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Accessed Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/DSUTLPS6/images[1].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name images[1].jpg
Physical Size 2048 B
Logical Size 1652 B
Created Date 7/13/2007 7:00:11 PM (2007-07-13 23:00:11 UTC)
Modified Date 7/13/2007 7:00:11 PM (2007-07-13 23:00:11 UTC)
Accessed Date 7/13/2007 7:00:11 PM (2007-07-13 23:00:11 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/OESSI8GM/images[1].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name images[10].jpg
Physical Size 3072 B
Logical Size 2774 B
Created Date 7/12/2007 7:16:50 PM (2007-07-12 23:16:50 UTC)
Modified Date 7/12/2007 7:16:50 PM (2007-07-12 23:16:50 UTC)
Accessed Date 7/12/2007 7:16:50 PM (2007-07-12 23:16:50 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/DSUTLPS6/images[10].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name images[10].jpg
Physical Size 3584 B
Logical Size 3460 B
Created Date 7/12/2007 7:16:44 PM (2007-07-12 23:16:44 UTC)
-
8/10/2019 Practical 5 - Timothy Wells
26/34
25
Modified Date 7/12/2007 7:16:44 PM (2007-07-12 23:16:44 UTC)
Accessed Date 7/12/2007 7:16:44 PM (2007-07-12 23:16:44 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/3J6Q2YX9/images[10].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name images[11].jpg
Physical Size 2560 B
Logical Size 2558 B
Created Date 7/12/2007 7:17:16 PM (2007-07-12 23:17:16 UTC)
Modified Date 7/12/2007 7:17:16 PM (2007-07-12 23:17:16 UTC)
Accessed Date 7/12/2007 7:17:16 PM (2007-07-12 23:17:16 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/3J6Q2YX9/images[11].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name images[11].jpg
Physical Size 3584 B
Logical Size 3496 B
Created Date 7/12/2007 7:16:50 PM (2007-07-12 23:16:50 UTC)
Modified Date 7/12/2007 7:16:50 PM (2007-07-12 23:16:50 UTC)
Accessed Date 7/12/2007 7:16:50 PM (2007-07-12 23:16:50 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/RMAJCPM1/images[11].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name images[2].jpg
Physical Size 4096 B
Logical Size 3816 B
Created Date 7/13/2007 7:00:11 PM (2007-07-13 23:00:11 UTC)
Modified Date 7/13/2007 7:00:11 PM (2007-07-13 23:00:11 UTC)
Accessed Date 7/13/2007 7:00:11 PM (2007-07-13 23:00:11 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])
[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
-
8/10/2019 Practical 5 - Timothy Wells
27/34
26
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Content.IE5/ODZYUF25/images[2].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name images[2].jpg
Physical Size 3584 B
Logical Size 3423 B
Created Date 7/13/2007 7:00:12 PM (2007-07-13 23:00:12 UTC)
Modified Date 7/13/2007 7:00:12 PM (2007-07-13 23:00:12 UTC)
Accessed Date 7/13/2007 7:00:12 PM (2007-07-13 23:00:12 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Content.IE5/G9OC13Z5/images[2].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name images[2].jpg
Physical Size 4608 B
Logical Size 4128 B
Created Date 7/13/2007 7:00:11 PM (2007-07-13 23:00:11 UTC)
Modified Date 7/13/2007 7:00:11 PM (2007-07-13 23:00:11 UTC)
Accessed Date 7/13/2007 7:00:11 PM (2007-07-13 23:00:11 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Content.IE5/1UU4JR3B/images[2].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name images[2].jpg
Physical Size 2560 B
Logical Size 2378 B
Created Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Modified Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Accessed Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/DSUTLPS6/images[2].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name images[2].jpg
-
8/10/2019 Practical 5 - Timothy Wells
28/34
27
Physical Size 4096 B
Logical Size 3755 B
Created Date 7/13/2007 7:00:11 PM (2007-07-13 23:00:11 UTC)
Modified Date 7/13/2007 7:00:11 PM (2007-07-13 23:00:11 UTC)
Accessed Date 7/13/2007 7:00:11 PM (2007-07-13 23:00:11 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Content.IE5/9P3VMWKR/images[2].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name images[2].jpg
Physical Size 2560 B
Logical Size 2189 B
Created Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Modified Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Accessed Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/3J6Q2YX9/images[2].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name images[2].jpg
Physical Size 2560 B
Logical Size 2181 B
Created Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Modified Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Accessed Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/JXOY3MEC/images[2].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name images[2].jpg
Physical Size 2560 B
Logical Size 2345 B
Created Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Modified Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
-
8/10/2019 Practical 5 - Timothy Wells
29/34
28
Accessed Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/RMAJCPM1/images[2].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name images[3].jpg
Physical Size 2048 B
Logical Size 1652 B
Created Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Modified Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Accessed Date 7/12/2007 7:15:23 PM (2007-07-12 23:15:23 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])
[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/RMAJCPM1/images[3].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name mime part 15.gif
Physical Size 6568 B
Logical Size 4794 B
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/Documents/Checks/Google Image Result for http--glossary_ippaper_com-images-
graphicsedviser-common-security- ProbChecks_jpg.mhtmime part 15.gif
File Comments Graphical Evidence of Possible Illegal Action
Name nationaltall.gif
Physical Size 13312 B
Logical Size 13217 B
Created Date 3/5/2007 8:52:34 PM (2007-03-06 01:52:34 UTC)
Modified Date 3/5/2007 8:20:05 PM (2007-03-06 01:20:05 UTC)
Accessed Date 3/5/2007 9:03:46 PM (2007-03-06 02:03:46 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/Documents/Scripts/nationaltall.gif
-
8/10/2019 Practical 5 - Timothy Wells
30/34
29
File Comments Graphical Evidence of Possible Illegal Action
Name Prescription2.gif
Physical Size n/a
Logical Size 9590 B
Created Date 3/5/2007 8:52:34 PM (2007-03-06 01:52:34 UTC)
Modified Date 3/5/2007 8:20:28 PM (2007-03-06 01:20:28 UTC)
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Outlook/Outlook.pstPersonal FoldersTop of Personal
FoldersSent ItemsRE: Whats up in D town?Prescription2.gif
File Comments Graphical Evidence of Possible Illegal Action
Name Prescription2.gif
Physical Size n/a
Logical Size 9590 B
Created Date 3/5/2007 8:52:34 PM (2007-03-06 01:52:34 UTC)
Modified Date 3/5/2007 8:20:28 PM (2007-03-06 01:20:28 UTC)
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Outlook/Outlook.pstPersonal FoldersSent ItemsRE:Whats up in D town?Prescription2.gif
File Comments Graphical Evidence of Possible Illegal Action
Name Prescription2.gif
Physical Size n/a
Logical Size 9590 B
Created Date 3/5/2007 8:52:34 PM (2007-03-06 01:52:34 UTC)
Modified Date 3/5/2007 8:20:28 PM (2007-03-06 01:20:28 UTC)
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Outlook/Outlook.pstPersonal FoldersSent ItemsRE:
Whats up in D town?Prescription2.gif
File Comments Graphical Evidence of Possible Illegal Action
Name scan1.jpg
Physical Size 41984 B
Logical Size 41903 B
-
8/10/2019 Practical 5 - Timothy Wells
31/34
30
Created Date 3/5/2007 8:52:35 PM (2007-03-06 01:52:35 UTC)
Modified Date 3/5/2007 8:18:00 PM (2007-03-06 01:18:00 UTC)
Accessed Date 7/13/2007 2:44:38 PM (2007-07-13 18:44:38 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/Documents/Checks/scan1.jpg
File Comments Graphical Evidence of Possible Illegal Action
Name seanafter.jpg
Physical Size 20480 B
Logical Size 20002 B
Created Date 6/20/2007 3:00:00 AM (2007-06-20 07:00:00 UTC)
Modified Date 6/20/2007 3:00:00 AM (2007-06-20 07:00:00 UTC)
Accessed Date 6/20/2007 3:00:00 AM (2007-06-20 07:00:00 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/Documents/Checks/seanbefore/seanafter.jpg
File Comments Graphical Evidence of Possible Illegal Action
Name seanafter.jpg
Physical Size n/a
Logical Size 20002 B
Created Date n/a Modified Date 6/20/2007 1:00:00 AM (2007-06-20 05:00:00 UTC)
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/Documents/Checks/seanbe fore.zipseanafter.jpg
File Comments Graphical Evidence of Possible Illegal Action
Name seanbefore.jpg
Physical Size 22016 B
Logical Size 21812 B
Created Date 6/20/2007 3:00:00 AM (2007-06-20 07:00:00 UTC)
Modified Date 6/20/2007 3:00:00 AM (2007-06-20 07:00:00 UTC)
Accessed Date 6/20/2007 3:00:00 AM (2007-06-20 07:00:00 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/Documents/Checks/seanbefore/seanbefore.jpg File Comments Graphical Evidence of Possible Illegal Action
-
8/10/2019 Practical 5 - Timothy Wells
32/34
31
Name seanbefore.jpg
Physical Size n/a
Logical Size 21812 B
Created Date n/a
Modified Date 6/20/2007 1:00:00 AM (2007-06-20 05:00:00 UTC)
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/Documents/Checks/seanbefore.zipseanbefore.jpg
File Comments Graphical Evidence of Possible Illegal Action
Name suits car title copy only.jpg
Physical Size 1645056 B
Logical Size 1644899 B
Created Date 3/5/2007 9:04:23 PM (2007-03-06 02:04:23 UTC)
Modified Date 3/5/2007 8:29:36 PM (2007-03-06 01:29:36 UTC)
Accessed Date 7/13/2007 2:44:38 PM (2007-07-13 18:44:38 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/Documents/Car Titles/suits car title copy only.jpg
File Comments Graphical Evidence of Possible Illegal Action
Name suits%20car%20title%20copy%20only.jpg Physical Size n/a
Logical Size 154286 B
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH
[NTFS]/[root]/ProgramData/AOL/C_AOL
9.0a/organize/mantooth2007mantooth2007MailMail You've Sent6212007
washermeister@gm Re: oooh I have AOL!suits%20car%20title%20copy%20only.jpg
File Comments Graphical Evidence of Possible Illegal Action
Name VWCA8QNCACJQ28J.jpg
Physical Size 2560 B
Logical Size 2476 B
Created Date 7/12/2007 7:16:50 PM (2007-07-12 23:16:50 UTC)
-
8/10/2019 Practical 5 - Timothy Wells
33/34
32
Modified Date 7/12/2007 7:16:50 PM (2007-07-12 23:16:50 UTC)
Accessed Date 7/2/2008 5:02:21 PM (2008-07-02 21:02:21 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/JXOY3MEC/VWCA8QNCACJQ28J.jpg
File Comments Graphical Evidence of Possible Illegal Action
Name washingislame3hu[1].jpg
Physical Size 219648 B
Logical Size 219412 B
Created Date 7/12/2007 7:17:41 PM (2007-07-12 23:17:41 UTC)
Modified Date 7/12/2007 7:17:44 PM (2007-07-12 23:17:44 UTC)
Accessed Date 7/12/2007 7:17:41 PM (2007-07-12 23:17:41 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet
Files/Low/Content.IE5/RMAJCPM1/washingislame3hu[1].jpg
File Comments Graphical Evidence of Possible Illegal Action
Name Wes.jpg
Physical Size 110398 B
Logical Size 80671 B
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Local/Microsoft/Windows Mail/Local Folders/Sent Items/20401532-
00000003.emlWes.jpg
File Comments Graphical Evidence of Possible Illegal Action
Name Wes.jpg
Physical Size 110398 B
Logical Size 80671 B
Created Date n/a
Modified Date n/a
Accessed Date n/a
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])
[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
-
8/10/2019 Practical 5 - Timothy Wells
34/34
Mantooth/AppData/Local/Microsoft/Windows Mail/Local Folders/Deleted Items/165D65F6-
00000004.emlmime part 2.emlWes.jpg
Bookmark: Internet Evidence
11/12/2014
Comments Graphical Evidence of Possible Illegal Action
Creator cpcc
File Count 2
Files
File Comments Graphical Evidence of Possible Illegal Action
Name formhistory.dat
Physical Size 3072 B Logical Size 2835 B
Created Date 7/7/2007 6:57:31 PM (2007-07-07 22:57:31 UTC)
Modified Date 4/12/2007 7:28:19 PM (2007-04-12 23:28:19 UTC)
Accessed Date 7/7/2007 6:57:31 PM (2007-07-07 22:57:31 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Roaming/Mozilla/Firefox/Profiles/643jnqw6.default/formhistory.dat
File Comments Graphical Evidence of Possible Illegal Action
Name history.dat
Physical Size 33792 B
Logical Size 33502 B
Created Date 7/7/2007 6:57:31 PM (2007-07-07 22:57:31 UTC)
Modified Date 4/12/2007 7:28:18 PM (2007-04-12 23:28:18 UTC)
Accessed Date 7/7/2007 6:57:31 PM (2007-07-07 22:57:31 UTC)
Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes
Mantooth/AppData/Roaming/Mozilla/Firefox/Profiles/643jnqw6.default/history.dat