practical 5 - timothy wells

8/10/2019 Practical 5 - Timothy Wells

1/34

KILLER CASEWells Digital Investigation

Version AccessData Forensic Toolkit Version: 5.4.0.37

Case Owner Cpcc

Case Name Practical 5 - Tim Wells

Case Reference #001

Case Description My final project in CCT-241 Report Created Wednesday, November 12, 2014 06:56:37 PM

Agency/Company Wells Digital Investigation

Investigator s Name Timothy Wells

Address 123 Madeitup Lane

Phone 704-867-5309

Email [email protected]
mailto:[email protected]:[email protected]:[email protected]


2/34

1

Digital Investigation Overview

Wells Digital Investigation was hired by the NC SBI to seek out digital evidence of illegal actions by a suspectin a police raid occurring recently. The company, Wells Digital Investigation, was incorporated (solely for thisassignment) in 2014 by Timothy Wells, newly Access Data Certified Examiner with entire semesters of experience indigital forensic investigation. Mr. Wells is well qualified and certified to investigate such a case and provide detailedanalysis. WDI began its investigation November 2 nd , 2014, processing data provided through a raid of the suspects

home, resulting in an intact, untouched image of the suspects hard drive. The details of WDIs findings are as follows:

Email evidence of conspiracies involving credit card fraud, check washing and pharmaceutical fraud,as well as blatant emails about methamphetamine production.

Instant messages online with individuals in other similar criminal enterprises. Documents detailing debts owed, ostensibly for previous drug purchases. A patterned search history of information gathering on how to best commit the above crimes. Multiple pictures of monkeys, possibly associates of his.

It is the conclusion of Wells Digital Investigation that there is a preponderance of evidence contained within

the suspects PC that he has engaged in multiple illegal acts. Furthermore, there is enough evidence contained withinhis correspondence with non-criminals to tie him to the email and internet accounts that he used to procure illegaldrugs, fraudulent checks, hardware to commit credit card fraud, and false titles for automobiles.

Acquiring Mr. Mantooths Data

The image of Mr. Mantooths hard drive was acquired by forensic investigators at Charlotte MecklenburgPolice Department. The chain of custody was maintained from the investigator, to the evidence locker, being

surrendered to WDIs chief investigator, Timothy Wells, for processing. Mr. Wells verified that the MD5 Hash value (adigital signature) of the resulting image matched that of the original drive.

(An image of the digital signature, which matches that of the original drive)

The Forensic Image

The boot drive itself was a sole partition, the C: drive, on a Maxtor 6E040L0 40GB drive. The drive wasimaged using a write-blocker (Forensic UltraDock), which preserves the integrity of the data being collected. Muchlike cordoning off a crime scene, it ensures any evidence is not only accessible, but admissible in the eyes of the law.

The examination itself was carried out in a workspace only other forensic examiners have access to, and access tothe forensic application suite is password protected.


3/34

2

(A screenshot of the hardware ID from the registry system file)

Data Found Outside the File Table

Outside the regularly accessible files are files contained in unallocated space. Unfortunately, the only file ofreal interest, an autoexec.bat, a batch file used for actions in the windows operating system, clearly containedsome pertinent information, but was unaccessible to this examiner. The file, containing text at the beginning,

followed by gibberish, said, Maybe it is... maybe it isn't. WDI attempted to gain access to this file through Bit -Shifting, in which hexadecimal code is moved around in an attempt to uncover obfuscated files. Though unsuccessful,it is likely that the file contains a picture, as the file size is unlikely for a batch file, and the file header JFIF (a header

for a JPEG picture) is present after the added maybe it is... maybe it isn't.

Encrypted Files

Only a handful of encrypted files were present on the machine, a selection of which are listed below. Onlyone password was uncovered through the use of Access Data's Password Recovery Toolkit. thosewhoowes.xls wasfound to contain a table of money owed for drugs to the suspect, including methamphetamine and ketamine(labeled as Special K, it's street name). Other files included John.doc and Wes.doc, labeling two of the membersof this conspiracy. What was inside, we do not know, further processing may reveal this information. Additionally, itcan be assumed the C money plates.doc and CC nums.xls are related to the case, but more on those can befound in the listed evidence files, likely given the suspect's history of not deleting the files he made encrypted

versions of.

(file listing of encrypted files on the image)

Executable Files

A search of local executables found little substantial information, but it did reveal evidence that he may havebeen planning to conceal both his files and communication. Trout.exe is used to trace the path packets of data takewhen travelling across the internet, and could be used to ensure a Virtual Private Network is acting properly. It could

also be used to assist in discovering the location of his cohorts as he transferred one of many files to them.

(executables found on Mr. Mantooths drive)


4/34

3

Evidence Found

Listed at the end of this report is a full set of files that contain valuable evidence of Mr. Mantooth's illegalactions. Throughout this evidence, a preponderance of information leading to illegal acts is available, includingphotographic evidence of drugs, stolen checks, and credit cards. A live search using expressions (common patternsof numbers and letters creating standards for data) revealed a list of credit card numbers the suspect had generated.

This was found in the margins of the code of an otherwise normal file. WDI suspects the suspect has some

knowledge of editing hex code to include these hidden messages.

Indexed Searches

Below is a selection of indexed searches (searches of prerecorded listings of words at the time of case

processing), along with the hits they produced. A search of the term meth revealed calendar reminders to processmethamphetamine. Credit card lead us to not only documents in which stealing credit card numbers was detailed,but actual pictures of stolen credit cards. Washing, and Check revealed plans to trade dirty checks for clean ones, sothe suspect and his partners could defraud people they had stolen from. Continuous evidence produced by thesearches revealed the suspect not only performed these actions, but liked to brag about them with his co-

conspirators.

Conclusions

It is clear from the evidence that the suspect did not only commit multiple crimes, but that he did soconcurrently and with funds obtained from fraudulent activities. Additionally, information from emails to his motherand about his girlfriend tie him to the accounts used to converse about these activities. This investigator believesdigital evidence, corroborated with any amount of physicial evidence found in the raid of the suspect's home wouldbe more than enough to build a very strong case against him.


5/34

4

Chain of Custody

Description: 40 GB Hard Drive, Wes Mantooth Case #001 WDI INVESTIGATION USEONLY

Make: Maxtor 40GB Model: 6E040L0

Date/Time From: To: Reason:

10/27/2014 2:43 PM Officer Matthew Hart

CMPD

Detective/Chef BobbyFlay

NC SBI

Crime Scene Transfer tothe Detective handling thecase

11/2/2014 11:11 AM Detective John Johnington

NC SBI

Timothy Wells

WDI

Transfer to WDI forforensic processing.Contracted.

11/12/2014 6:00 PM Timothy Wells

WDI

Jason Lands

CPCC

Something Something thistotally isn't a schoolassignment.


6/34

5

Evidence (FTK REPORTS)

Below is a listing of FTK reports, culled from FTK 5.4s selection of file listings of relevant evidence. Includedare paths and listings to all files that contained suspicious information. Some files are circumstantial, such as thepresentations of how to steal credit cards, but others are very personal and direct evidence, such as the listthosewhoowes.xls, in which the suspect details people who owe him for drugs. Evidence like this is rife, andpervades the entire image of the PC. It is the opinion of this examiner that the suspect had little more than a fleeting

interest in hiding his criminal activities, and in many cases, flaunted it.

Case Information

11/12/2014

Time zone for display: Eastern Standard Time

File Overview

11/12/2014

Evidence Groups Ungrouped: 3159

File Items

Evidence Items: 1

Checked Items: 60

Unchecked Items: 3099

File Category

Archives: 76

Databases: 19

Documents: 317

Email: 169

Executable: 6

Folders: 687

Graphics: 655

Internet/Chat Files: 533

Mobile Phone Data: 0 Multimedia: 44


7/34

6

OS/File System Files: 252

Other Encryption Files: 15

Other Known Types: 137

Presentations: 2

Slack/Free Space: 2

Spreadsheets: 2

Unknown Types: 243 User Types: 0

File Status

Bad Extensions: 128

Data Carved Files: 0

Decrypted Files: 1

Deleted Files: 30

Duplicate Items: 231

Email Attachments: 136

Email Related Items (From Email): 347

Encrypted Files: 13

Flagged Ignore: 0

Flagged Privileged: 0

From Recycle Bin: 46

KFF Alert Files: 0

KFF Ignorable: 0

OCR Graphics: 0 OLE Subitems: 178

User-Decrypted Files: 0

Labels

Email Status

Email Attachments: 136

Email Related Items (From Email): 347

Email Reply: 20

Forwarded Email: 0

Evidence List

11/12/2014

Display Name: killercase.ad1

Evidence Path: C:\Users\CPCC\Downloads\killercase.ad1

ID Number/Name: Evidence Type: Archive


8/34

7

Description:

Time Zone: America/New_York

All Bookmarks

11/12/2014

Time zone for display: Eastern Standard Time

cpcc

Bookmark: Evidentiary Files

11/12/2014

Comments

Creator cpcc

File Count 3

Files

File Comments

Name ~ar1730.xar

Physical Size 6656 B

Logical Size 6656 B

Created Date 7/12/2007 7:02:58 PM (2007-07-12 23:02:58 UTC)

Modified Date 7/12/2007 6:56:54 PM (2007-07-12 22:56:54 UTC)

Accessed Date 7/12/2007 7:02:58 PM (2007-07-12 23:02:58 UTC)

Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes

Mantooth/AppData/Roaming/Microsoft/Excel/~ar1730.xar

File Comments

Name Checks Physical Size 56 B

Logical Size 56 B





Mantooth/Documents/Checks


9/34

8

File Comments

Name News Report.doc


Logical Size 48568 B

Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows Mail/Local Folders/Inbox/7C580130-

00000011.emlNews Report.doc

Bookmark: Document

11/12/2014

Files

File Comments

Name readthis.txt

Physical Size 421 B

Logical Size 421 B

Created Date 3/5/2007 9:16:55 PM (2007-03-06 02:16:55 UTC) Modified Date 7/13/2007 2:59:08 PM (2007-07-13 18:59:08 UTC)



Mantooth/Documents/ADS/readthis.txt

Bookmark: Email Evidence

11/12/2014

Files

File Comments

Name wash checks

Physical Size n/a

Logical Size 0 B



10/34

9


Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Outlook/Outlook.pstPersonal FoldersTop of

Personal FoldersTaskswash checks

Bookmark: Graphics

11/12/2014

Comments Graphical Evidence of Possible Illegal Action

Creator cpcc

File Count 82

Files

File Comments Graphical Evidence of Possible Illegal Action

Name ~ar1730.xar


Logical Size 6656 B





Mantooth/AppData/Roaming/Microsoft/Excel/~ar1730.xar


Name 1d3bd207e2e30208

Physical Size n/a

Logical Size n/a Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db1d3bd207e2e30208


Name 20433f88f3d5ecda


11/34

10

Physical Size n/a

Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db20433f88f3d5ecda


Name 20433f88f3d5ecda

Physical Size n/a

Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_96.db20433f88f3d5ecda


Name 2e905f205572462

Physical Size n/a Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_96.db2e905f205572462


Name 38a718400f7e2003

Physical Size n/a

Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a

Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])


12/34

11

[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/Wes

Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_96.db38a718400f7e2003


Name 42260c022e79bfcc

Physical Size n/a

Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db42260c022e79bfcc


Name 4480ab58e651cdde

Physical Size n/a

Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a


[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/WesMantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db4480ab58e651cdde


Name 5fe736d6c40f793c

Physical Size n/a

Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db5fe736d6c40f793c


Name 67chev.jpg




13/34

12





Mantooth/Documents/Car Titles/67chev.jpg


Name 714c85fa66d6d4e

Physical Size n/a

Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db714c85fa66d6d4e


Name 78b0e5b26534e7f1

Physical Size n/a

Logical Size n/a

Created Date n/a Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_96.db78b0e5b26534e7f1


Name 78b0e5b26534e7f1

Physical Size n/a

Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db78b0e5b26534e7f1 File Comments Graphical Evidence of Possible Illegal Action


14/34

13

Name 792ac1e70946564d

Physical Size n/a

Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.db792ac1e70946564d


Name 824902f2f0241ed5

Physical Size n/a

Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_96.db824902f2f0241ed5


Name 8e1fba8bd17dbb24 Physical Size n/a

Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_96.db8e1fba8bd17dbb24


Name 91064B.gif







15/34


16/34

15

Physical Size n/a

Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.dbb6166600e65b89ac


Name Camera.bmp



Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows Mail/Local Folders/Inbox/458C76A0-

0000000C.emlCamera.bmp


Name Camera.bmp



Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows Mail/Local Folders/Sent Items/5991409D-

00000002.emlCamera.bmp


Name camera01[1].jpg






17/34

16



Mantooth/AppData/Local/Microsoft/Windows/Temporary Internet

Files/Low/Content.IE5/JXOY3MEC/camera01[1].jpg


Name camera03[1].jpg









Files/Low/Content.IE5/RMAJCPM1/camera03[1].jpg


Name check2.bmp







Mantooth/Documents/Checks/check2.bmp


Name ClassicVisaFern.gif

Physical Size 38912 B Logical Size 38473 B





Mantooth/Documents/ClassicVisaFern.gif



18/34

17

Name Cover Plate.bmp



Created Date n/a

Modified Date n/a

Accessed Date n/a



0000000C.emlCover Plate.bmp


Name Cover Plate.bmp



Created Date n/a

Modified Date n/a

Accessed Date n/a



00000002.emlCover Plate.bmp


Name csid-methhand[1].jpg


Logical Size 4736 B






Files/Low/Content.IE5/RMAJCPM1/csid-methhand[1].jpg


Name csid-valium[1].jpg


Logical Size 2556 B



19/34

18





Files/Low/Content.IE5/DSUTLPS6/csid-valium[1].jpg


Name csid%20amphetamine[1].jpg


Logical Size 4414 B






Files/Low/Content.IE5/RMAJCPM1/csid%20amphetamine[1].jpg


Name csid%20barbiturates[1].jpg


Logical Size 3935 B






Files/Low/Content.IE5/JXOY3MEC/csid%20barbiturates[1].jpg


Name csid%20meth%20small[1].jpg


Logical Size 3782 B







20/34

19


Files/Low/Content.IE5/DSUTLPS6/csid%20meth%20small[1].jpg


Name csid%20pharm[1].gif








Files/Low/Content.IE5/3J6Q2YX9/csid%20pharm[1].gif


Name csid_crackpara_small[1].jpg


Logical Size 2186 B






Files/Low/Content.IE5/3J6Q2YX9/csid_crackpara_small[1].jpg


Name csid_meth1_small[1].jpg


Logical Size 2009 B






Files/Low/Content.IE5/RMAJCPM1/csid_meth1_small[1].jpg


Name D02CCHK_e.jpg


21/34

20







Mantooth/Documents/Checks/D02CCHK_e.jpg


Name DC_TINK_lg_3.jpg


Logical Size 7517 B





Mantooth/Documents/Checks/DC_TINK_lg_3.jpg


Name ec4c59756c7a19cf

Physical Size n/a Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.dbec4c59756c7a19cf


Name emf_spool[72]

Physical Size n/a

Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a



22/34

21

[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH

[NTFS]/[root]/Windows/System32/spool/PRINTERS/FP00000.SPLemf_spool[72]


Name emf_spool[72]

Physical Size n/a

Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a

Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH

[NTFS]/[root]/Windows/System32/spool/PRINTERS/FP00001.SPLemf_spool[72]


Name engineeringweb_drop[1].gif


Logical Size 2141 B





[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH [NTFS]/[root]/Users/WesMantooth/AppData/Local/Microsoft/Windows/Temporary Internet

Files/Low/Content.IE5/3J6Q2YX9/engineeringweb_drop[1].gif


Name f27d2cf446fa8b77

Physical Size n/a

Logical Size n/a

Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows/Explorer/thumbcache_256.dbf27d2cf446fa8b77


Name Guts.bmp




23/34

22

Created Date n/a

Modified Date n/a

Accessed Date n/a



0000000C.emlGuts.bmp


Name Guts.bmp



Created Date n/a

Modified Date n/a

Accessed Date n/a



00000002.emlGuts.bmp


Name herbs1-hawaiian-ruler[1].jpg








Files/Low/Content.IE5/3J6Q2YX9/herbs1-hawaiian-ruler[1].jpg File Comments Graphical Evidence of Possible Illegal Action

Name HGCANI53L5CI7G666.jpg


Logical Size 3423 B






24/34


25/34

24

Name images[1].jpg


Logical Size 2374 B






Files/Low/Content.IE5/DSUTLPS6/images[1].jpg


Name images[1].jpg


Logical Size 1652 B






Files/Low/Content.IE5/OESSI8GM/images[1].jpg


Name images[10].jpg


Logical Size 2774 B








Name images[10].jpg


Logical Size 3460 B



26/34

25





Files/Low/Content.IE5/3J6Q2YX9/images[10].jpg


Name images[11].jpg


Logical Size 2558 B








Name images[11].jpg


Logical Size 3496 B






Files/Low/Content.IE5/RMAJCPM1/images[11].jpg


Name images[2].jpg


Logical Size 3816 B







27/34

26


Files/Content.IE5/ODZYUF25/images[2].jpg


Name images[2].jpg


Logical Size 3423 B






Files/Content.IE5/G9OC13Z5/images[2].jpg


Name images[2].jpg


Logical Size 4128 B






Files/Content.IE5/1UU4JR3B/images[2].jpg


Name images[2].jpg


Logical Size 2378 B








Name images[2].jpg


28/34

27


Logical Size 3755 B






Files/Content.IE5/9P3VMWKR/images[2].jpg


Name images[2].jpg


Logical Size 2189 B








Name images[2].jpg


Logical Size 2181 B






Files/Low/Content.IE5/JXOY3MEC/images[2].jpg


Name images[2].jpg


Logical Size 2345 B




29/34

28






Name images[3].jpg


Logical Size 1652 B









Name mime part 15.gif


Logical Size 4794 B

Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/Documents/Checks/Google Image Result for http--glossary_ippaper_com-images-

graphicsedviser-common-security- ProbChecks_jpg.mhtmime part 15.gif


Name nationaltall.gif







Mantooth/Documents/Scripts/nationaltall.gif


30/34

29


Name Prescription2.gif

Physical Size n/a

Logical Size 9590 B



Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Outlook/Outlook.pstPersonal FoldersTop of Personal

FoldersSent ItemsRE: Whats up in D town?Prescription2.gif



Physical Size n/a

Logical Size 9590 B



Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Outlook/Outlook.pstPersonal FoldersSent ItemsRE:Whats up in D town?Prescription2.gif



Physical Size n/a

Logical Size 9590 B



Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Outlook/Outlook.pstPersonal FoldersSent ItemsRE:

Whats up in D town?Prescription2.gif


Name scan1.jpg




31/34

30





Mantooth/Documents/Checks/scan1.jpg


Name seanafter.jpg



Created Date 6/20/2007 3:00:00 AM (2007-06-20 07:00:00 UTC)

Modified Date 6/20/2007 3:00:00 AM (2007-06-20 07:00:00 UTC)

Accessed Date 6/20/2007 3:00:00 AM (2007-06-20 07:00:00 UTC)


Mantooth/Documents/Checks/seanbefore/seanafter.jpg


Name seanafter.jpg

Physical Size n/a


Created Date n/a Modified Date 6/20/2007 1:00:00 AM (2007-06-20 05:00:00 UTC)

Accessed Date n/a


Mantooth/Documents/Checks/seanbe fore.zipseanafter.jpg


Name seanbefore.jpg



Created Date 6/20/2007 3:00:00 AM (2007-06-20 07:00:00 UTC)


Accessed Date 6/20/2007 3:00:00 AM (2007-06-20 07:00:00 UTC)


Mantooth/Documents/Checks/seanbefore/seanbefore.jpg File Comments Graphical Evidence of Possible Illegal Action


32/34

31

Name seanbefore.jpg

Physical Size n/a


Created Date n/a


Accessed Date n/a


Mantooth/Documents/Checks/seanbefore.zipseanbefore.jpg


Name suits car title copy only.jpg







Mantooth/Documents/Car Titles/suits car title copy only.jpg


Name suits%20car%20title%20copy%20only.jpg Physical Size n/a


Created Date n/a

Modified Date n/a

Accessed Date n/a

Path killercase.ad1/killercase.ad1:Custom Content Image([Multi])[AD1]/\\.\PHYSICALDRIVE1:Partition 1 [109MB]:MANTOOTH

[NTFS]/[root]/ProgramData/AOL/C_AOL

9.0a/organize/mantooth2007mantooth2007MailMail You've Sent6212007

washermeister@gm Re: oooh I have AOL!suits%20car%20title%20copy%20only.jpg


Name VWCA8QNCACJQ28J.jpg


Logical Size 2476 B



33/34

32





Files/Low/Content.IE5/JXOY3MEC/VWCA8QNCACJQ28J.jpg


Name washingislame3hu[1].jpg








Files/Low/Content.IE5/RMAJCPM1/washingislame3hu[1].jpg


Name Wes.jpg



Created Date n/a

Modified Date n/a

Accessed Date n/a


Mantooth/AppData/Local/Microsoft/Windows Mail/Local Folders/Sent Items/20401532-

00000003.emlWes.jpg


Name Wes.jpg



Created Date n/a

Modified Date n/a

Accessed Date n/a




34/34

Mantooth/AppData/Local/Microsoft/Windows Mail/Local Folders/Deleted Items/165D65F6-

00000004.emlmime part 2.emlWes.jpg

Bookmark: Internet Evidence

11/12/2014

Comments Graphical Evidence of Possible Illegal Action

Creator cpcc

File Count 2

Files


Name formhistory.dat

Physical Size 3072 B Logical Size 2835 B





Mantooth/AppData/Roaming/Mozilla/Firefox/Profiles/643jnqw6.default/formhistory.dat


Name history.dat







Mantooth/AppData/Roaming/Mozilla/Firefox/Profiles/643jnqw6.default/history.dat