FTK Forensic Examination Report: Running Head
ORIGINAL REQUEST:
Suspect: Mantooth
Seizure Date: 14 June 2013
Case Number: 20130614-1001a
Requesting Agent/Organization:
General Scenario (provided by requestor): Mr. Mantooth’s computer was seized under search warrant pursuant to case number 20130614-1001a. This is a request to process the seized hard drive to look for evidence that may enlighten the investigation of this case.

We are specifically interested in any information that may lead us to Mantooth’s criminal activities, which appear to be substantial. Mantooth has been very secretive, so we don’t know what he looks like. We are counting on you to provide us a picture of him. We also don’t know who he associates with and would like you to help us determine who his main contacts are.

We have some indication that a 1992 Dodge may be involved. Locate the VIN number so that we can more specifically search on this vehicle. The name Sean has come up several times and we are hoping you can help us determine how this name fits into the puzzle we are trying to solve.
Items Provided:
Chain of Custody
Case Number: 20130614-1001a
Description: Digital images of 2 hard drives and a thumb drive collected under search warrant
MD5 Hash (SEE IMAGE VERIFICATIONS AT END OF REPORT):
Mantooth.E01
Washer.E01
Thumbdrive.E01
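The chain-of-custody record above ties each image to an MD5 hash that is checked again in the Image Verifications section. The script below is an added example of that check, not the report's own verification step: it hashes an evidence file in fixed-size chunks (so a multi-gigabyte image never has to fit in memory), computes MD5 and SHA-1 in a single pass, and compares the result case-insensitively against the recorded values. The sample "image" is a constructed byte string written to a temporary file; file names, the `Verification` class and the hash values are assumptions for the example. Note that this hashes the bytes of the container file as stored on disk; FTK Imager's own verification compares the acquisition hash stored inside the E01 against a re-read of the acquired data, which this script does not parse.

```python
"""Verify an evidence image file against the hashes recorded in the chain of custody."""
import hashlib
import tempfile
from dataclasses import dataclass, field

# Constructed stand-in for image content; a real .E01 is hashed the same way.
SAMPLE_IMAGE_BYTES = b"The quick brown fox jumps over the lazy dog"


@dataclass
class Verification:
    """Outcome of comparing computed hashes with the recorded ones."""
    path: str
    computed: dict
    recorded: dict
    mismatches: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.mismatches


def hash_file(path, algorithms=("md5", "sha1"), chunk_size=1024 * 1024):
    """Hash a file with several algorithms in one pass, reading chunk_size bytes at a time."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded, chunk_size=1024 * 1024):
    """Compare the file's hashes with the recorded dict {algorithm: hexdigest}.

    Comparison ignores case and surrounding whitespace, since recorded hashes are
    often transcribed by hand in upper case.
    """
    computed = hash_file(path, tuple(recorded), chunk_size)
    mismatches = [name for name, value in recorded.items()
                  if computed[name].lower() != value.strip().lower()]
    return Verification(path, computed, recorded, mismatches)


def write_sample_image(data=SAMPLE_IMAGE_BYTES):
    """Write the constructed sample bytes to a temporary file and return its path."""
    with tempfile.NamedTemporaryFile("wb", suffix=".E01", delete=False) as fh:
        fh.write(data)
        return fh.name


if __name__ == "__main__":
    sample = write_sample_image()
    # Constructed "recorded" hash for the sample bytes (assumption for the example).
    result = verify_image(sample, {"md5": "9E107D9D372BB6826BD81D3542A419D6"})
    print(sample, "OK" if result.ok else f"MISMATCH on {result.mismatches}", result.computed)
```

Run it against a real image by passing the image path and the hash from the chain-of-custody form; a small `chunk_size` (as the self-check uses) exercises the chunked reading path and must produce the same digest as a single read.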
The Network:
Communicates with
Dave Thomas
John Washer (Skimmerman)
Wes Mantooth
Part I
Source Image: Mantooth.E01
PC Name: WesMantooth-PC
Requested Information:
EEI 1: Mantooth's first name and a screenshot of a picture.
Retrieved from: Email traffic on Mantooth evidence file
Response: Wes Mantooth. Evidence of 324 .jpg files. Screenshot retrieved from Mantooth hard drive image.
EEI 3: Names of the e-mail domains from the e-mail in this image, plus the number of sent and received messages and the dates of the oldest and newest sent and received e-mail message for each domain
Response:
EEI 4: Names of people who have sent e-mail to or received e-mail from Mantooth, and the number of e-mails sent or received to and from each person
EEI 5: Information on encryption—whether it was used for any of the e-mail, and if so, what type
Response: Evidence of PGP and EFS encryption for email was found.
Prescription Fraud - Email correspondence found between Wes Mantooth and John Washer on how to remove ink from prescriptions. The following images are of prescriptions not issued to Wes Mantooth and John Washer:
ATM/Credit Card Fraud: Email from Wes Mantooth to John Washer regarding conspiracy to steal ATM cards/PIN
Email Attachments:
Vehicle Theft:
Response: The VIN for the ’92 Dodge is as displayed in the following image:
Response: Sean P. Kane – there is evidence to suggest that he may be a possible victim of check fraud, in that the ink on the check was washed.
seanbefore.jpg seanafter.jpg
Part II
Source Image: Washer.E01 / Thumbdrive.E01
Completed by: S.A. Amy Cerrone
EEI 12: What are the AIM usernames for Rasco Badguy and John Washer?
EEI 13: What is the current zip code for the AOL IM account registered to Washer?
Response: Using FTK Registry Viewer, it is indicated that AIM was installed on July 25, 2007.
EEI 15: What does Rasco's vehicle look like? Please provide a description. Who might Rasco bring with him?
EEI 16: Provide the starting and ending points for their camping trip, as well as the name of the body of water nearby (same as the road running along the shore). Find a map and directions to the spot where they will camp.
Response: The lake that they will be camping near is Hiawatha Lake. (See screenshots)
EEI 17: Document three distinct types of criminal activity that are under consideration and discussion by these individuals.
Response: The evidence on the three devices examined suggests that the three primary criminal actions are:
EEI 18: There is a particular piece of software that will support one of the types of criminal activity under consideration. It is being obscured by file manipulation or encryption. Document the name of the file, its function, and what needs to be installed for it to operate properly.
EEI 19: Document two names, addresses, and credit card or account numbers of potential victims.
Response: Victims:
EEI 20: Prove that the file “How To Steal Credit Card Numbers.doc” was opened on the computer.
Response: The opening of the encrypted file “How To Steal Credit Card Numbers.doc” on the computer from which the Washer.E01 image is derived has not been verified.
EEI 22: Document three ways this case has familiarity or linkages to any other case you are familiar with.
EEI 23: A number of people in this case owe money. Document who they are and how much they owe.
EEI 24: Is there anything that links the thumb drive to the Washer image?
EEI 25: Document how many times the administrator account was used and the date of the last login (hint: during 2008).
A “confession”
Executables
Unidentified male
9706315006@vtext.com
<END OF EVIDENCE>
-- IMAGE VERIFICATIONS--
APPENDIX I
Using FTK Imager
This is a simple tutorial for creating an image file with FTK Imager.
Open FTK Imager, then select File > Create Disk Image
Browse to the folder that contains the data that you’d like to image
Browse to the folder where the image is to be saved; choose a filename, then select Finish
Select Start