Running Head: Digital Forensic Report 1


Digital Forensic Report

Raul Mendoza

University of San Diego

Cyber Response/Network Forensics

CSOL 590

Mr. Pappas

July 7, 2017

Table of Contents

Abstract

Forensic Analyst

Data Integrity and Chain of Custody

Forensic Tools/Data Collection

Timeline/Findings

Recommendations

References

Abstract

This report is a cyber forensic review of Brandy Vela’s computer and phone intended to identify what actions may have contributed to her suicide. The family of Brandy indicated that there had been consistent harassment via social media and electronic communications in the months leading up to her suicide. In addition to her computer and phone, the family also provided images of Facebook posts of continuing harassment after their daughter’s death. The report will detail the legal concerns, data integrity/chain of custody process, forensic tools used, data collection process, forensic analysis, timeline, and findings. Finally, all scientific evidence discovered in addition to my expert recommendation will be outlined in this report.



Digital Forensic Report

Forensic Analyst:

Raul Mendoza

Certified Cyber Forensics Professional (ISC)² - 1223989

(828) 454-9927

Formal Forensic Introduction:

On Tuesday, 29 November 2016, Brandy Vela of Texas City, Texas committed suicide due to cyberbullying, and the perpetrators have not been caught. I have been hired by the Texas City police department as an expert witness in the area of cyber forensics. I have been asked to perform cyber forensic analysis on Brandy Vela’s computer to try to determine the events that led up to her suicide. The following report will detail all the actions taken to determine what events contributed to Brandy’s suicide.

Legal Considerations:

As a recognized subject matter expert within the area of cyber forensics, I have been asked under Rule 702 to perform forensic analysis and provide expert testimony addressing scientific evidence discovered on Brandy Vela’s computer (Legal Information Institute, n.d., p. 1).

On December 1st, 2016, Brandy’s parents turned over their daughter’s computer and phone in the hope that they might provide details of what contributed to their daughter’s unfortunate suicide. Since the parents turned the computer over to the police department, any concerns about possible Fourth Amendment issues became immaterial. Although her computer and phone are clear for analysis, it is important to understand that the evidence discovered on her computer or phone may be used to obtain warrants against any potential assailants (Legal Information Institute [LII], n.d., p. 1).

If evidence of harassment, disruptive activities, or online impersonation is discovered, the perpetrators can face charges of a Class A or B misdemeanor depending on the circumstances (Texas Penal Code § 42.07), a Class B misdemeanor (Texas Educational Code § 37.123), or a felony or misdemeanor depending on the circumstances (Texas Penal Code § 33.07) (Texas Constitution and Statutes, 2015, p. 1).

Data Integrity and Chain of Custody:

Upon receipt of Brandy’s computer and phone, the Texas police department documented, labeled, and sealed the computer into evidence. As the sole authorized forensic expert, I signed out the computer and phone and inspected them to verify that they had not been tampered with. Laptop and phone specifications are as follows:

Laptop: HP OMEN Laptop - 15t gaming UHD (Hewlett Packard [HP], 2017, p. 1)

Phone: Samsung Galaxy S8

To ensure the data integrity of the laptop and phone remained intact, I used forensic tools and hardware to ensure no data was written to the hard drive during the imaging process. The imaging process that was performed ensured that a sector-by-sector copy was completed and verified via SHA1 and MD5 hash. After completing the imaging process, I re-sealed both into their individual evidence bags and re-signed the document, entering it back into the Texas police department evidence room (Evidence ID BV011216, BV011217).

Evidence ID: BV011216

Evidence ID: BV011217

Forensic Tools:

The forensic tools used ensured that the phone and computer’s data was not manipulated during the imaging process. Tools are listed below:

• UltraBlock SAS Write Blocker

• Forensic Tool Kit was used to image the computer’s hard drive

• Cain and Abel password cracking tool

Data Collection:

Prior to performing the imaging process, I connected the UltraBlock write protector to the hard drive and then the phone. The write blocker allowed me to gain read-only access to the data of both devices to ensure the following NIST requirements were met (National Institute of Standards and Technology [NIST], 2004, p. 6):

• The tool shall not allow a protected drive to be changed.

• The tool shall not prevent obtaining any information from or about any drive.

• The tool shall not prevent any operations to a drive that is not protected.

Upon successful connection of the write blocker, I then used the Forensic Tool Kit imager software to create a digital image of the hard drive. An image was successfully completed and verified by an MD5 and SHA1 hash.

Computer hashes:

Phone hashes:
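The MD5 and SHA1 verification of the image described above can be repeated each time the image is signed out for analysis. The following Python is an added example, not part of the original report or of the tools it names; the file name `sample.dd` and the 1 MiB of constructed data stand in for a real evidence image.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 1024 * 1024  # read 1 MiB at a time so a large image never sits in memory


def hash_image(path, block_size=BLOCK_SIZE):
    """Return the MD5 and SHA-1 hex digests of a file, read once, block by block."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:  # read-only open; the image itself is never written
        for block in iter(lambda: fh.read(block_size), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_image(path, recorded):
    """Re-hash the image and compare with the digests recorded at acquisition.

    Returns (ok, details). ok is True only if at least one digest was
    recorded and every recorded digest still matches.
    """
    current = hash_image(path)
    details = {alg: current[alg] == recorded[alg].lower() for alg in recorded}
    return bool(details) and all(details.values()), details


def demo():
    """Hash a constructed stand-in image, verify it, then alter one byte and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "sample.dd")   # hypothetical file name
        with open(image, "wb") as fh:
            fh.write(bytes(range(256)) * 4096)   # 1 MiB of constructed data
        recorded = hash_image(image)             # digests noted at acquisition time
        before = verify_image(image, recorded)
        with open(image, "r+b") as fh:           # simulate a single-byte alteration
            fh.seek(512)
            fh.write(b"\xff")
        after = verify_image(image, recorded)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Recording both digests alongside the evidence ID in the custody log lets any later examiner rerun the same comparison.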

Data Analysis:

Because the parents did not know the password to the computer, I had to use Cain and Abel to perform both a brute force and a dictionary attack to gain access to the image. The brute force attack was run for three days and was not successful. After the brute force was unsuccessful, I then started the dictionary attack and after four hours was able to obtain the password. Unlike the computer, the parents did know the PIN to Brandy’s phone, and it did not require any actions to circumvent the security of the phone.

To perform the analysis, I used FTK Imager to review the data contained within the image. None of the information was encrypted, but 7 files had been deleted from the phone and computer (Evidence ID BV011216, BV011217). I was able to recover the information and images, and they have been provided within the findings section of this report.

Timeline:

The following timeline outlines when and what forensic actions were conducted:

• 01 December 2016 – Received the phone and computer from Brandy’s parents

• 02 December 2016 – Signed out the evidence and verified the integrity

• 02 December 2016 – Connected the write blocker and imaged the computer and phone

• 02 December 2016 – Verified the image and the MD5 and SHA1 hashes

• 02 December 2016 – Used Cain and Abel and began brute force attack

• 05 December 2016 – Used Cain and Abel to perform dictionary attack

• 05 December 2016 – Opened FTK and began running keyword searches to determine which files were modified, accessed, or changed (MAC)

• 05 December 2016 – Identified all the MAC files and began connecting which files were related to the information relevant to the case

• 05 December 2016 – Reviewed the physical location of the files on the drive and file metadata

Findings:

Upon reviewing the data from the hard drive and phone, I was able to discover multiple websites, emails, and images. The primary websites visited were as follows:

• https://www.facebook.com/

• https://www.weightwatchers.com/us/

• http://www.criminaldefenselawyer.com/resources/cyberbullying-laws-texas.htm

Emails received:

• Sent on 02 November 2016, from IP address 72.220.10.22 by AndresVillagomez@hotmail.com

• Sent on 15 November 2016, from IP address 72.220.10.22 by Karinthya.Romero@hotmail.com

• Sent on 25 November 2016, from IP address 72.220.10.22 by AndresVillagomez@hotmail.com

Deleted images on phone:

• Four deleted images were recovered

Phone calls received:

• Three phone calls were received from (525)555-7872 on the same dates as the emails

Recommendations:

Analysis has revealed information and images consistent with the family’s claims of cyberbullying. On three separate occasions emails were sent from Andres Villagomez and Karinthya Romero. Two of the three emails were sent from Mr. Villagomez and contained attachments with nude images of the victim.

When analyzing the victim’s phone, I found that four nude images of the victim had been deleted. The images appeared to have been taken by the victim of herself and sent to phone number (525)555-7872. Like the emails, three phone calls were received by the victim from the same number that the images were sent to. The phone calls were on the same dates that the emails were sent.

The emails, images, and phone calls lead me to believe that Mr. Villagomez and Ms. Romero had been in contact with the victim leading up to her suicide. My recommendation based on the scientific data provided is to request a warrant to search and seize Mr. Villagomez and Ms. Romero’s phone and computers to determine the level of involvement they played in the cyberbullying of Brandy Vela.



References

Hewlett Packard. (2017). OMEN Laptop - 15t gaming UHD. Retrieved from http://store.hp.com/us/en/pdp/omen-laptop---15t-gaming-uhd-p-w2n30ua-aba

Legal Information Institute. (n.d.). Rule 702. Testimony by Expert Witnesses. Retrieved from https://www.law.cornell.edu/rules/fre/rule_702

Legal Information Institute. (n.d.). Fourth Amendment. Retrieved from https://www.law.cornell.edu/constitution/fourth_amendment

National Institute of Standards and Technology. (2004). Hardware Write Blocker Device (HWB) Specification. Retrieved from https://www.cftt.nist.gov/HWB-v2-post-19-may-04.pdf

Texas Constitution and Statutes. (2015). Penal Code 42.07. Retrieved from http://www.statutes.legis.state.tx.us/StatutesByDate.aspx?code=PE&level=SE&value=42.07&date=7/18/2015
