
Running Head: FTK FORENSIC EXAMINATION REPORT

Using FTK for Forensic Examinations


Jane Doe
CST-640 Project 4
University of Maryland University College

TO: SA Fox Molder, UBI Cyber Crime Division

IN RESPONSE TO: Request for Digital Forensic Analysis


Case Number: 20130614-1001a

Prepared by: Jane Doe


Special Agent and Forensic Examiner for the University Bureau of Investigation (UBI)
Cyber Division assigned to a Cyber Action Team (CAT).

ORIGINAL REQUEST:

From: SA Fox Molder, UBI Cyber Crime Division


Request for Digital Forensic Analysis
Case Number: 20130614-1001a

Suspect: Mantooth
Seizure Date: 14 June 2013
Case Number: 20130614-1001a
Requesting Agent/Organization:

General Scenario (provided by requestor): Mr. Mantooth’s computer was seized under search
warrant pursuant to case number 20130614-1001a. This is a request to process the seized hard
drive to look for evidence that may enlighten the investigation of this case.
We are specifically interested in any information that may lead us to Mantooth’s criminal activities,
which appear to be substantial. Mantooth has been very secretive, so we don’t know what he looks
like. We are counting on you to provide us a picture of him. We also don’t know who he associates
with and would like you to help us determine who his main contacts are.
We have some indication that a 1992 Dodge may be involved. Locate the VIN number so that we
can more specifically search on this vehicle. The name Sean has come up several times and we are
hoping you can help us determine how this name fits into the puzzle we are trying to solve.

Items Provided:

1. Digital Evidence – Mantooth, Washer and Thumbdrive (.E01 evidence files)

Special Agent for Cyber Crime Division


Tag #01: Digital Image of Suspect Drive
File Name: Mantooth
Hash Value: 31217210a1a69f272079a3bde3d9d8fc

Chain of Custody

Case Number: 20130614-1001a
Description: Digital images of 2 hard drives and a thumb drive collected under search warrant
MD5 Hash: Mantooth.E01, Washer.E01, Thumbdrive.E01 (SEE IMAGE VERIFICATIONS AT END OF REPORT)

Date          From                  To                                Reason
14 June 2013  Officer Ron Burgundy  S.A. Fox Molder                   Transfer to detective investigating case
15 June 2013  S.A. Fox Molder       S.A. Jane Doe                     Transfer of evidence for forensic processing
18 June 2013  S.A. Jane Doe         S.A. Fox Molder / Dr. J. Johnson  Project 4 FTK Investigation Report

FORENSIC INVESTIGATION REPORT


Report Completed by: S.A. Jane Doe

Executive Summary of Findings:


The examination of the data contained in the Mantooth.E01, Washer.E01, and
Thumbdrive.E01 image files indicates evidence of criminal activity amongst at least 5 individuals.
According to the evidence recovered, their low-level criminal enterprise consists of:

- Conspiracy to commit check fraud, credit card / ATM fraud, prescription fraud,
  vehicle title fraud, and illicit drug production (i.e., methamphetamines).
- Research on tactics, techniques, and procedures (TTPs) for committing various
  criminal activities.
- Communications amongst accomplices involved in similar criminal enterprise
  activities.
- Names of individuals indebted for possible illicit purchases.
- Evidence of attempts at file obfuscation.

The Network:

[Network diagram, edges labelled "Communicates with"; nodes: Mr. Smee, Rasco Badguy,
Dave Thomas, John Washer (Skimmerman), Wes Mantooth]

Conclusion: There is significant evidence to recommend further investigation of all
individuals in this criminal enterprise.

Part I
Source Image: Mantooth.E01

PC Name: WesMantooth-PC

Tools Used: FTK Imager / FTK 6.1 / Registry Viewer

Requested Information:
EEI 1: Mantooth's first name and a screenshot of a picture. Retrieved from: Email
traffic on Mantooth evidence file

Response: Mantooth’s first name is WES.

Wes Mantooth

EEI 2: Number of jpg files in the Mantooth evidence file

Response: Evidence of 324 .jpg files. Screenshot retrieved from Mantooth hard
drive image.

EEI 3: Names of the e-mail domains from the e-mail in this image, plus
the number of sent and received messages and the dates of the
oldest and newest sent and received e-mail message for each
domain

Response:

SENT

Domain             Oldest // Newest       Total
comcast.net        6/21/07 // 7/24/07     29
hotmail.com                                1
mentaldental.com                           2
microsoft.com                              1
swbell.com                                 2
pgp.com                                    1
gmail.com                                  9

RECEIVED

Domain             Oldest // Newest       Total
comcast.net        6/20/07 // 7/11/07     37
gmail.com          6/20/07 // 6/20/07      5
swbell.com         7/23/07 // 8/1/07       6
hotmail.com        7/23/07 // 7/23/07      1
microsoft.com      2/27/07 // 6/20/07      3
pgp.com            4/12/07 // 4/1/07       1
google.com         4/10/07 // 4/10/07      2
aol.com            7/23/07 // 7/23/07      1

EEI 4: Names of people who have sent e-mail to or received e-mail from
Mantooth, and the number of e-mails sent or received to and from each
person

- John Washer ckwasher@comcast.net (11)
- Rasco Badguy txkidd@swbell.net (2)
- Mom toothfairy@mentaldental.com (2)
- Laura Lee PGP_Corporation_Laura_Lee@mail.vresp.com (2)
- David Thomas skimmerman27@hotmail.com (2)
- Mr. Smee smeerox@gmail.com (7)
- U/I molarman420@gmail.com (1)
- Wes Mantooth washermeister@gmail.com (3)

EEI 5: Information on encryption—whether it was used for any of the e-mail, and
if so, what type

Response: Evidence of PGP and EFS encryption for email was found.

EEI 6: Evidence of potential criminal activity within this image

Response: Evidence of the following potential criminal activities:

- Check fraud - Found on Partition 1, several files containing images of blank
  checks, and web searches on check washing (formhistory.dat).

- Prescription Fraud - Email correspondence found between Wes Mantooth and John
  Washer on how to remove ink from prescriptions. The following images are of
  prescriptions not issued to Wes Mantooth and John Washer:

- Interest in Methamphetamines / Other Illicit Drugs



- ATM/Credit Card Fraud: Email from Wes Mantooth to John Washer regarding
  conspiracy to steal ATM cards/PIN

Email Attachments:

- Evidence of Credit Card processing application

- Vehicle Theft:

Additionally, a title of a '67 Chevy was found as an attachment to an email,
suggesting that it is stolen.

EEI 7: Information on how PINs were captured

Response: Screenshot of web page



Email correspondence between Wes Mantooth and Mr. Smee

EEI 8: Vehicle Identification Number of the '92 Dodge

Response: The VIN for the ’92 Dodge is as displayed in the following image:

EEI 9: Identity of Sean and his role in this case

Response: Sean P. Kane – there is evidence to suggest that he may be a possible victim
of check fraud, where the ink on the check was washed.

seanbefore.jpg seanafter.jpg

EEI 10: Malware that initiates on startup

Response: No evidence recovered

EEI 11: Information on password(s)—where you found it/them, whether
it/they are usable, what it/they are used for

Response: Password evidence recovered (*no passwords were usable):



Part II
Source Image: Washer.E01 / Thumbdrive.E01
Completed by: S.A. Amy Cerrone

EEI 12: What are the AIM usernames for Rasco Badguy and John
Washer?

Response: The AIM usernames are:

Rasco Badguy rbadguy2424

John Washer chkwasher

EEI 13: What is the current zip code for the AOL IM account
registered to Washer?

Response: Viewing NTUSER.dat in FTK Registry Viewer, the zip code
indicated is 80525.

EEI 14: When was AOL IM installed?

Response: Using FTK Registry Viewer, it is indicated that AIM was installed
on July 25, 2007.

EEI 15: What does Rasco's vehicle look like? Please provide a
description. Who might Rasco bring with him?

Response: According to his email correspondence with John Washer,
Rasco's vehicle is described as a "black Tahoe with really nice
22" wheels." Rasco mentions that he may travel with
Skimmerman.

EEI 16: Provide the starting and ending points for their camping trip, as
well as the name of body of water nearby (same as road running
along shore). Find a map and directions to the spot where they
will camp.

Response: The lake that they will be camping near is Hiawatha Lake.

(See screenshots)

(Image taken from decrypted file, “X marks the spot”)

EEI 17: Document three distinct types of criminal activity that are
under consideration and discussion by these individuals.

Response: The evidence on the three devices examined suggests that the
three primary criminal actions are:

- Check Fraud – evidence of check washing activity
- Prescription Fraud -
- ATM Card Theft (i.e., install skimmers, steal PINs)
- (Refer to evidence above, noted in Mantooth.E01 image)

EEI 18: There is a particular piece of software that will support one
of the types of criminal activity under consideration. It is
being obscured by file manipulation or encryption. Document
the name of the file, its function, and what needs to be
installed for it to operate properly.

Response: The software is contained in a compressed file "cool tool.piz" that
has been obscured by using the .piz extension, instead of .zip.
The file of interest in the compressed folder is
"ValidateCreditCard.jar" which requires Java to run.
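A renamed archive like "cool tool.piz" is caught by checking leading bytes against the extension rather than trusting the name. The following triage helper is an added example written for this report, not a tool from the case or from FTK; its signature table is a deliberately minimal assumption, and the sample archive it builds is a constructed stand-in for the attachment (the member name is taken from the report; its contents are filler).

```python
import io
import zipfile

# Leading-byte signatures for the formats this triage cares about (assumed minimal table).
SIGNATURES = {
    b"PK\x03\x04": ("zip", {"zip", "jar", "docx", "xlsx", "pptx"}),
    b"\xff\xd8\xff": ("jpeg", {"jpg", "jpeg"}),
    b"%PDF": ("pdf", {"pdf"}),
    b"\xd0\xcf\x11\xe0": ("ole", {"doc", "xls", "ppt"}),
}

def detect_family(data):
    """Return the format family implied by the leading bytes, or None if unknown."""
    for magic, (family, _) in SIGNATURES.items():
        if data.startswith(magic):
            return family
    return None

def extension_mismatch(name, data):
    """True when the extension is not one the detected signature normally carries."""
    family = detect_family(data)
    if family is None:
        return False
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    allowed = next(exts for fam, exts in SIGNATURES.values() if fam == family)
    return ext not in allowed

def triage(name, data):
    """Flag signature/extension disagreement; for ZIP containers also list members
    and note any Java archives, since a .jar needs a Java runtime to execute."""
    family = detect_family(data)
    members = []
    if family == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [info.filename for info in zf.infolist()]
    return {
        "name": name,
        "family": family,
        "mismatch": extension_mismatch(name, data),
        "members": members,
        "java_archives": [m for m in members if m.lower().endswith(".jar")],
    }

def build_sample_piz():
    """Constructed stand-in for 'cool tool.piz': a ZIP renamed to .piz (filler contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ValidateCreditCard.jar", b"placeholder bytes, not a real archive")
    return buf.getvalue()
```

Running `triage("cool tool.piz", build_sample_piz())` reports family `zip`, a mismatch, and `ValidateCreditCard.jar` as a Java archive inside.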

EEI 19: Document two names, addresses, and credit card or account
numbers of potential victims.

Response: Victims:

- Sean P. Kane (Checking Account)
- Austria Corporation (Checking Account)

EEI 20: Prove that the file “How To Steal Credit Card Numbers.doc”
was opened on the computer.

Response: The opening of the encrypted file, “How To Steal Credit Card
Numbers.doc” on the computer from which the Washer.E01 image
is derived has not been verified.

EEI 21: The word "oops" has come up in intercepted traffic.
Document what it refers to.

Response: (see screenshots)

EEI 22: Document three ways this case has familiarity or linkages to
any other case you are familiar with.

Response: The evidence found on the Washer.E01 image and the Thumbdrive.E01
image shows direct correlation to the evidence discovered on the
Mantooth.E01 image.

- The email accounts of Wes Mantooth and John Washer have
  been in direct contact as verified in both images.
- There is evidence of credit card fraud on both images.

EEI 23: A number of people in this case owe money. Document who
they are and how much they owe.

Response: Taken from ~ar1730.xar on the Thumbdrive.E01 image, the
following chart indicates those who owe money.

EEI 24: Is there anything that links the thumb drive to the Washer
image?

Response: There is no direct linkage found between the Washer.E01 image
and the Thumbdrive.E01 image.

EEI 25: Document how many times the administrator account was
used and the date of the last login (hint: during 2008).

Response: (Unable to determine use of administrator account due to
difficulties with tool.)

Additional Files of Interest (from Mantooth.E01):


- People who owe money
- Task List / Appointments / Notes



- A "confession"
- Executables
- Unidentified male
- Possible experimentation with file obfuscation



Additional Files of Interest (Washer.E01 / Thumbdrive.E01)

- Encrypted files on Washer.E01
- Possible contact information for John Washer's son: 9706315006@vtext.com
- Chain letter proposal



- Credit card supplies obtained by Skimmerman
- Email with Prescription (similar to file found on Mantooth.E01)



- Possible password for X marks the spot.doc.
- Photos of Dave Thomas (aka Skimmerman) and his girlfriend.
- Users on computer from which the Washer.E01 image was derived

<END OF EVIDENCE>

-- IMAGE VERIFICATIONS --

APPENDIX I
Using FTK Imager
This is a simple tutorial for creating an image file with FTK Imager.

Open FTK Imager, then select File > Create Disk Image

Select Contents of a Folder, then Next

Browse to the folder that contains the data that you’d like to image

Complete the image information, then select Next

Browse to the folder where the image is to be saved; choose a filename, then select Finish

Select Start

Once image is successfully created, select Close

Verify that hash results match, then select Close

Next, select File, then Add Evidence Item



Select Image File, then Next

Browse to the image filename previously chosen

Inspect the image in Evidence Tree



Close FTK Imager, then open <imagefilename>.ad1.txt to verify hash values.
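The hash check at the end of this procedure, and the MD5 values on the chain-of-custody form, are what tie the analysed image back to what was seized. The helper below is an added example, not FTK Imager's own code or output: it recomputes digests over an image in chunks and compares them with values copied from the custody record, treating any mismatch as a stop condition. The sample image bytes are constructed here; the real .E01 files are not on this page.

```python
import hashlib
import io

CHUNK_SIZE = 1 << 20  # hash 1 MiB at a time so multi-GB images never have to fit in memory

def hash_stream(stream, algorithms=("md5", "sha1")):
    """Compute several digests in a single pass over a binary file-like object."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_against_record(stream, recorded):
    """Recompute digests and compare them with the values copied from the custody form.

    recorded maps algorithm name -> hex digest exactly as written on the form.
    Values are normalised for case and stray whitespace, since hand-copied hashes
    often differ only in those. Returns (ok, computed, mismatched_algorithms); an
    image with any mismatch must not be analysed until the discrepancy is resolved.
    """
    computed = hash_stream(stream, tuple(recorded))
    mismatched = sorted(alg for alg, value in recorded.items()
                        if value.strip().lower() != computed[alg])
    return not mismatched, computed, mismatched

# Constructed stand-in for an acquired image (16 KiB of deterministic filler).
SAMPLE_IMAGE = bytes(range(256)) * 64

def open_sample():
    """Open the constructed sample as a binary stream (a real run opens the image file)."""
    return io.BytesIO(SAMPLE_IMAGE)

def sample_record():
    """Digests as they would be copied from the custody form for the sample image.
    Derived here for the sample only; for real evidence they are read off the form."""
    return {alg: digest.upper() for alg, digest in hash_stream(open_sample()).items()}

if __name__ == "__main__":
    ok, computed, bad = verify_against_record(open_sample(), sample_record())
    print("verified" if ok else f"MISMATCH in {bad}", computed)
```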

