
CYBER FORENSICS & INCIDENT RESPONSE


NATIONAL GALLERY DC

Name
University
June 1, 2023


Executive Summary
The events of the 2012 National Gallery DC case took place over a period of around 10 days and
involved two separate but intertwined plot lines. An inquiry is underway to identify those
connected to the theft and defacement incidents using digital evidence. A worker has been
accused and is under investigation as the matter develops, and the investigation aims to find out
whether the worker is indeed connected to the crime and to discover additional people connected
to the incident. Tracy is a worker at the National Gallery. Because their daughter does not live
with him, Tracy's ex, Joe, declines to assist her, and Tracy is unable to pay for her child's
expensive private schooling on her own. Her daughter says she won't go to any other school. A
close relative named Carry offers to pay her for bringing illegal items, along with computers, into
the museum for a "flash mob." Carry, however, is actively attempting to sever Majavia's links to
the US as a result of her fervent pro-Krasnovian beliefs. She intends to deface valuable Majavian
art rather than organize a flash mob. In the meantime, Tracy and her brother are preparing to
steal expensive museum items. Joe had installed a keylogger on Tracy's phone to watch their
daughter, and when he learned that something was going on, he called the police, which resulted
in the seizure of Tracy's phone.


Table of Contents

Executive Summary

Introduction

Methodology

Equipment and Tools

Findings & Evidences

Findings 1: Evidence relating to the theft of valuable stamps

Findings 3:

Summary

Conclusion

References

Appendices

Appendix 1: Plot timeline

Appendix 2: Persons Investigated

Appendix 3: GPS & Wi-Fi locations


Introduction
On the twenty-first of January 2016, DigiTech Inc. was requested by authorities to look into the
loss of priceless stamps and the vandalization of the National Gallery of Art in Washington, D.C.
(NGDC). Pursuant to the storyline described above, Tracy is the subject of the inquiry. A seizure
of Tracy's iPhone was necessary for the investigation. Tracy was charged. DigiTech Inc. was
tasked with looking into potential evidence of the conspiracy mentioned above. Tracy
Sumtwelve, a worker of the National Art Museum, was found by DigiTech Inc. to be conspiring
to steal numerous works of art with her brother and a person known as "King" (Ragai, 2013).
The evident motive for the theft under investigation is made clearer by the fact that Tracy talks
about money problems and the likelihood that her child might be forced to go to another
educational institution because of them. The DigiTech staff used a Kali Linux PC to perform
their study, with programs such as Autopsy and SQLite Explorer.

Figure 1


Figure 2

We also discovered Tracy's "Notes" under the library, in which she noted that Prufrock, the
institution her child attends, wants "support" (note the financial issues mentioned earlier). Tracy's
Safari cache also contained a search for "Financial Aid." One of the most crucial areas of
discussion in digital forensics is the chain of evidence. As with physical evidence, the chain of
custody for digital evidence has to be transparent (Ragai, 2013). The examiner should therefore
work on a copy or image of the evidence in place of the original (in this case, an image of Tracy's
phone). Additionally, there are numerous ways to create an exact image, and in some
circumstances it may be necessary to overcome difficulties or employ particular tools, such as a
write blocker (Cline, 2012).
Methodology
Equipment and Tools

An image of Tracy's iPhone was examined on a Kali Linux server using the open-source
forensics program Autopsy. To make certain that nothing is changed during the examination, the
original file or image must also be hashed (Loshin, 2022). Here is one way to hash the image of
Tracy's phone; other hashing techniques could also be used.

Figure 3

Hashing lets us check for changes made during the investigation. Any discrepancy between the
evidence's original hash and the hash computed from it during the course of the investigation
could call its admissibility at trial into question (Khan et al., 2016). Two crucial ingest modules
that you as a user should consider are the Module Interference Analyzer and the Keyword
module. For comprehensiveness, though, the ideal option is to run all of the selected modules,
unless you are short on time or concentrating on a few very specific items. Running them all is
an especially thorough strategy.
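The hash check described above can be scripted as follows. This is an added example, not part of the original report: it records MD5 and SHA-256 digests of an image file and later re-verifies them, and the file name and sample bytes are constructed stand-ins for a real acquisition.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB chunks so multi-gigabyte images never sit in memory


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the file at path, reading it once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:  # read-only: the evidence copy is never opened for writing
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(path, recorded):
    """Compare current digests with the ones recorded at acquisition.

    Returns (ok, mismatches); mismatches maps algorithm -> (recorded, current).
    """
    current = hash_image(path, tuple(recorded))
    mismatches = {
        name: (recorded[name].lower(), current[name])
        for name in recorded
        if recorded[name].lower() != current[name]
    }
    return (not mismatches, mismatches)


def demo():
    """Hash a constructed image file, verify it, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "sample_image.dd")  # hypothetical file name
        with open(image, "wb") as fh:
            fh.write(b"constructed sample evidence bytes" * 4096)
        recorded = hash_image(image)       # digests noted in the case log at acquisition
        before = verify_image(image, recorded)
        with open(image, "r+b") as fh:     # simulate an accidental one-byte modification
            fh.seek(100)
            fh.write(b"X")
        after = verify_image(image, recorded)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("unchanged copy verifies:", before[0])
    print("altered copy verifies:", after[0], "| mismatched:", sorted(after[1]))
```

Recording two independent digests at acquisition and re-running `verify_image` before and after analysis gives a documented point at which the working copy was last known to match the original.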

Simply add a data source to the appropriate folder, then browse it when you need it. If you are
not familiar with the operating system or the data source, it can be challenging to find the right
subdirectory in the tree on the left. Although it is hard to tell from the directories alone,
unallocated disk space might contain crucial data. With the help of Autopsy, data can be
organized and placed in a readily available directory inside the Findings > Derived Material and
Keyword Hits part of the Directory Tree. The keyword lists are also visible in the window's
right-hand corner (Scholarworks@uno & Mishra, 2007). One can use these keywords to look up
URLs, IP addresses, and email addresses. It is vital to commit to memory the key files or
locations that relate to the different types of data, to avoid wasting valuable time searching
through the directory tree. Where possible, you may use the Search option rather than browsing
for file names. Even so, since there are files with the same names, it is important to keep the
location in mind.


Additionally, some digital evidence was used in this investigation. For example, Carry's calls are
used, and Carry's tablet is also used. The emails that Tracy wrote to Joe on her MacBook are
being examined to determine whether they relate to the incident. Tracy's phone is also going to
be used as evidence. This means that the primary approach has been applied in this instance, and
the conduct of these suspects will be taken into account in order to understand their involvement
in the criminal case. To provide a clear understanding of how the incident occurred and how the
suspects were connected, various factors that may also be seen as the results of the police
investigation are emphasized in the sections that follow.

Table 1: Information about Tracy's iPhone


Figure 4: iPhone's contact book

Findings & Evidences


Findings 1: Evidence relating to the theft of valuable stamps

Description:

This section provides evidence that priceless stamps had been lost. Tracy finds a magnificent
stamp collection exhibit in "Mailbox Data Structure." Tracy (Coral) calls Pat (Perry) during the
incident and adds that there will be a spectacular international exhibit and that, according to her
assessment of the papers, she thinks it will be a big deal. King, an individual with a criminal
history who is now on parole, is recruited by Pat through threats and intimidation. King has
agreed to take part in the robbery and has put out a list of requirements. Pat responds by sending
Tracy the list as an attachment, together with a message with directions on how to open the
attached file. Tracy also gives Pat the confidential insurance paperwork for the stamp exhibition.
Tracy's iPhone contains all of the stamps listed in the insurance paperwork. According to the
evidence presented, there can be no question that Pat and Tracy were conspiring to steal valuable
stamps. In a message with an attachment, "King Kthings" submitted a list of the items needed for
the theft.
Supporting evidences


Figure 5

This offense involved the use of an MP3 audio file attachment (Crazydave1.mp3) that contained
more details on how to set up a VirtualBox VM. The domain trdt.biz is no longer registered to
anyone, and it uses a "subdomain" of "www.target.com" as a pretense to make it appear to be
associated with Target, although it is not. Tracy received a text on her cell phone informing her
that she had been selected to receive a one thousand dollar Target Gift Card and giving her
instructions for accessing a website that uses the deceptive domain name "at what place she can
send it." The camera storage area held three .pdf attachments from emails, consisting of
Memoranda of Insurance for stamps of various values.


Figure 6: Email proof

Figure 7: Command run to unlock the password and display the stamps' photographs


The gallery stamps can be seen in the most recent photos taken from her cell phone. These
photographs were taken before the robbery. Their geolocation makes it clear that Tracy was
nearby when the pictures were captured and that they were taken there. According to the
evidence presented, she may have taken or emailed the images with the intention of later
showing them to others.

Figure 8: Stamp_insurance1.pdf


Figure 9: Stamp_insurance2.pdf


Figure 10: Stamp_insurance3.pdf

In a pair of messages, Pat Sumtwelve (patsumtwelve@gmail.com) and "King"
(kthrone1966@gmail.com) discussed carrying out the theft at some point and detailed the things
they intended to use to do it. According to the date and time stamp of the email, which was sent
fourteen days following July 6, 2012, the heist could have taken place on July 20, 2012. Copies
of the museum's stamps were on the iPhone as well. It is probable that Tracy obtained a copy of
the art stamps in order to alter them and try to claim ownership. Nine "lots" of art, each with
three stamps, were taken, together worth well over two hundred sixty thousand dollars.

Figure 11
Findings 2: Evidence relating to Defacement of Museum Art

Description
Carry phoned Tracy, and the two met for lunch. Carry asks Tracy for help in sneaking a tablet
into the National Gallery in order to stage an arranged flash mob. Carry adds that she will
compensate Tracy for her help. They set up an appointment for the tablet transfer at nine in the
morning after Tracy promises to carry it in. In addition, Carry wanted details about a change in
the security shift from Tracy in exchange for payment. Tracy agrees to share the details of the
security shift. Carry added Tracy to a Google+ circle and then communicated with her there.
Tracy receives notifications about this from Google+. In one of these notifications, Carry's friend
Alex JFamEleven was suggested as another contact. Tracy messaged Carry to ask whether the
flash mob was progressing and whether everything was going smoothly. Tracy was involved in
the leaking and the illegal possession of the tablet, but it appears from the enclosed message and
Tracy's previous correspondence that Tracy was unaware of the bigger plan.


Supporting Evidences
Table 2: Plot timeline


Figure 11: Failed message from Tracy to Pat

Around July 7, 2012, at 7:36:35 PM, "Tracy" receives a one thousand dollar Target Gift Card by
SMS from an anonymous number. The message directs her to a URL for additional details. It
should be pointed out that this URL appears to be related to Target Corp.; however, it is actually
a subdomain of trdt.biz, for which there is currently no registration data. Although there has been
no confirmation, it is reasonable to infer that Alex delivered this money. At 11:24 a.m. on the
10th of July, Pat sends Tracy a printed version of the mailing list. On Tuesday, July 11, 2012,
around 12:41:45 PM, Carry and Tracy arranged the delivery of a device by SMS. At 5:06:45 p.m.
on Thursday, July 12, 2012, Tracy messages Carry to learn how the flash mob was doing.


Figure 12: Use the Sqlite interface for accessing the SMS database
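The SMS timeline above can be rebuilt from the message database with a short script. This is an added example, not taken from the original report: the table layout is a simplified, constructed stand-in (real iOS column names and timestamp epochs differ between versions and must be checked against the image), and the message texts, phone numbers and the treatment of the report's times as UTC are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

# The examiner states which epoch the database uses after inspecting its schema.
EPOCHS = {
    "unix": datetime(1970, 1, 1, tzinfo=timezone.utc),
    "mac": datetime(2001, 1, 1, tzinfo=timezone.utc),  # Mac absolute time
}


def open_readonly(db_path):
    """Open an extracted database copy read-only so queries cannot alter it."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def to_utc(raw_seconds, epoch):
    """Convert a raw integer timestamp to an aware UTC datetime."""
    return EPOCHS[epoch] + timedelta(seconds=raw_seconds)


def sms_timeline(conn, epoch, keyword=None):
    """Return messages oldest-first with decoded timestamps, optionally filtered by keyword."""
    sql = "SELECT address, date, text, is_from_me FROM message"
    params = ()
    if keyword:
        sql += " WHERE text LIKE ?"       # parameterized; LIKE is case-insensitive for ASCII
        params = (f"%{keyword}%",)
    sql += " ORDER BY date ASC"
    return [
        {
            "when": to_utc(date, epoch).isoformat(),
            "direction": "sent" if is_from_me else "received",
            "address": address,
            "text": text,
        }
        for address, date, text, is_from_me in conn.execute(sql, params)
    ]


def build_sample_db():
    """In-memory database holding three constructed rows in Unix time."""
    def ts(*parts):
        return int(datetime(*parts, tzinfo=timezone.utc).timestamp())

    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE message (address TEXT, date INTEGER, text TEXT, is_from_me INTEGER)"
    )
    conn.executemany(
        "INSERT INTO message VALUES (?, ?, ?, ?)",
        [
            ("+15550100", ts(2012, 7, 12, 17, 6, 45), "constructed: how is the flash mob going?", 1),
            ("+15550199", ts(2012, 7, 7, 19, 36, 35), "constructed: you have won a gift card", 0),
            ("+15550100", ts(2012, 7, 11, 12, 41, 45), "constructed: tablet hand-over at 9", 0),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for entry in sms_timeline(build_sample_db(), "unix"):
        print(entry["when"], entry["direction"], entry["address"], entry["text"])
```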

By examining the evidence available in this context, it was possible to determine that there was
an unambiguous agreement between Carry and Tracy concerning the preparation of the theft.
Taking into account the discourse between them during phone calls, it was possible to determine
that they took part in the incident while following a pre-planned scenario. From their phone
conversation of 2012-07-15, it is reasonable to deduce that Carry was instructing Tracy on how
Tracy needed to assist in relation to the theft. The directions were clear and straightforward.
Taking these factors into account, it can be said that Carry crafted the strategy intelligently and
that Carry's aim throughout the procedure was entirely clear. Carry was keenly aware of Tracy's
weaknesses and also knew that, to get the task done as needed, she would still need to control
Tracy. She was also aware that Tracy might be quickly tempted if a sizable sum in cash was
offered. Examining Tracy's phone on 15.7.2012 revealed evidence that money had been provided
in consideration of this. Examining Carry's tablet on 16.7.2012 uncovered a similar indication.
From these angles, it is clear that both of those individuals had a direct connection to the
incident.

Tracy's iPhone included evidence that Pat went under the alias Perry while she went under the
name Coral. Tracy had planned the stamp heist primarily for the sake of money. Messages with
stamps from the National Gallery of Art of DC were delivered to Pat's and Tracy's email
accounts. If Tracy had become aware of Pat's scheme to extort someone using the alias of King,
the burglary could have seemed simpler. Tracy and Carry benefited from working together.
Tracy gave Carry essential details on security guard deployments at the gallery. Although Tracy
helped Carry sneak a tablet into the Museum, she had not heard of Carry's wider plan. Email
identities were used by Tracy and Pat to stay in touch. Tracy employed
'patsumtwelve@gmail.com' while Pat employed it. Tracy as well as Carry collaborated with a
notorious thief named "King," who has an email address of "throne1966@hotmail.com," in order
to steal certain priceless stamps. Pat succeeded in convincing King because he is familiar with
the probation officer. Tracy and Carry were to provide a tablet loaded with data for Carry's
planned flash mob. King stole from the museum's exhibits while the security personnel appeared
to be preoccupied by the tablet program. A one thousand dollar "Gift Card" was granted to Tracy,
according to an email she received early in the morning. This is almost certainly a payment from
Carry, whether via Alex or personally. Although the website URL appears to have originated
from Target, it is actually hosted at trdt.biz, a separate entity's domain. There is currently no
information available at that URL. Uncertainty surrounds the three classifications of WiFi and
mobile location data. More research will have to be done on the times and locations of both
email and cellphone interactions.
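The gift-card link discussed in Findings 1 and 2 looks like Target but resolves under trdt.biz. The following added example (not part of the original report) shows one way to flag such links in extracted message text by comparing the registrable domain with the brand's domain. The full URL is not given in the report, so the sample messages and URLs are constructed, and the suffix handling is a simplified assumption in place of the full Public Suffix List.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes; use the full Public Suffix List in practice.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message texts, not evidence from the case.
SAMPLE_MESSAGES = [
    "You have been selected for a $1000 gift card. Details: http://www.target.com.trdt.biz/claim.",
    "The weekly ad is live at https://www.target.com/weekly-ad",
    "Lunch tomorrow?",
]


def registrable_domain(host):
    """Return the part of the host that was actually registered (naive suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url, brand_domain):
    """Say who controls the host and whether the brand appears only as decoration."""
    host = (urlsplit(url).hostname or "").lower()
    brand = brand_domain.lower()
    owner = registrable_domain(host)
    genuine = owner == brand
    # Match the brand as whole labels, so "nottarget.com" does not count as "target.com".
    brand_in_host = f".{brand}." in f".{host}."
    return {
        "url": url,
        "host": host,
        "registrable_domain": owner,
        "brand_only_in_subdomain": brand_in_host and not genuine,
    }


def flag_messages(messages, brand_domain):
    """Extract URLs from message texts and return those that only imitate the brand."""
    findings = []
    for text in messages:
        for raw in URL_RE.findall(text):
            url = raw.rstrip(".,;:!?)")  # drop sentence punctuation glued to the URL
            result = assess_url(url, brand_domain)
            if result["brand_only_in_subdomain"]:
                findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in flag_messages(SAMPLE_MESSAGES, "target.com"):
        print(finding["url"], "is controlled by", finding["registrable_domain"])
```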
Findings 3:
Description

In order to gather the necessary evidence for understanding how the incident occurred and to
conduct the examination effectively, mobile devices, tablets, and other evidence, both indoor and
outdoor, have been employed in this case, as previously reported. It was necessary to create some
images that would show how the incident actually happened. These images are examined here.
Supporting evidences
For the purposes of this investigation, certain hard disk images have been acquired. Examining
the hard drive images did not reveal any significant material pointing directly at Tracy's and
Carry's contributions to the incident. However, it is clear from the images that Tracy was doing
more than just attending to her workplace duties. In several images, Tracy is nowhere to be seen,
and it is assumed that she was engaged in efforts to aid Carry at the times she was missing. As a
result, one aspect of the investigation was exposed and the images have been connected to the
incident.

The drive images do not show any information that would lead one to believe that Carry and
Tracy are the major parties involved in the crime, as mentioned above. As a result, they cannot be
viewed as reliable evidence in this case. Since the subject of each image was distinct, none of the
images are comparable, as they were all taken from unique vantage points. It is not, however,
that the images show entirely different information about a given aspect. In other words, it does
not follow that some images indicate Carry's contribution to the matter while others do not.
Investigative work would be more difficult if that were the case. However, these problems are
not present here because the images do not clearly indicate anything important.

Figure 13: Hard drive photos


It is clear from the images' brightness and type that Windows 10 or 11's standard creation
procedures were used to make them. Images can be made using the File menu's create image
option, the Control key combination, and other conventional methods. The SSL strip tool was
used to perform network captures in this case; therefore capture folders both with and without
SSL-encrypted traffic are available.

Summary
When someone is discovered doing something unlawful, their first line of defense is usually that
they were unaware that it was against the law; they may also claim that they did not do it on
purpose. Carry, Tracy, Alex, and others involved may claim that they did not act intentionally in
this instance and that they were completely unaware that their actions were unlawful. The first
thing to be said is that setting up a flash mob within the exhibit is suspicious in the present
instance. If they claim that they did not do it on purpose, it is essential to ask Carry why she
showed an eagerness to put together a flash mob. If she denies it, it is essential to let her know
that the communication between her and Tracy has been examined and that, from it, it has been
possible to establish that she showed a readiness to set up a flash mob. If it was not done
intentionally, why did she make this plan with Tracy, and why did she offer Tracy money to aid
her in her endeavor? Second, based on information about Carry's past, it is clear that she
considers herself an adult. As an adult, she is required to follow certain basic conventions, and
one of the most fundamental rules that applies to all adults is that doing anything suspicious in
the National Gallery requires permission. This means that a person must obtain authorization
from the appropriate authorities before engaging in something like that, and if Carry had done
so, everything would be clearer. Third, Tracy would not be able to claim that she was unaware
that engaging in such behavior is against the law. She has been the National Portrait Gallery's
supervisor. A supervisor needs to be informed about all activities that are prohibited at the
National Gallery and to be suspicious on receiving such weird requests from Carry. If she were
sincere, she would have stopped Carry at the outset. Tracy, however, did not, which implies that
neither of them can claim that they did it accidentally.


From the records and documentation, it can be deduced that they had a plan for the incident, and
from Tracy's communication with her brother, it can be concluded that Tracy had expressed
interest in stealing stamps from the gallery. From this vantage point, it may be said that this is a
premeditated crime, and it has already been established in the discussion above that they had no
way to argue that they were unaware that such behavior might be prohibited. It is clear from the
investigation and evaluation that both of them participated despite knowing it was illegal. In this
respect, it should be noted that they did so with deliberate planning, which is why they must be
penalized and fined for engaging in this illegal conduct.
Conclusion
By considering this case, a wider discussion takes shape. It is clear from the evidence in the case
that Tracy and Carry had a direct hand in the crime. The mobile devices of the accused have been
properly examined here; therefore, if these individuals were to be appropriately questioned, it
would also be feasible to learn about additional individuals connected to the crime. Although
significant proof against Alex has not yet been uncovered, there have been certain indicators, and
after reviewing the case, it can be said that everyone involved in it deserves to receive just
punishment.
I believe that, given that they demonstrate these individuals' direct involvement, every piece of
evidence is very reliable. Their voices were audible during the phone calls, and this might be
considered the strongest evidence in this case. However, it is possible to claim that Tracy's email
account was compromised and that Joe received correspondence addressed to Tracy. From this
angle, it is clear that the messages can't be used as solid proof in this case. However, there is no
way to refute their voices on the telephone, which indicates that substantial proof has been
gathered.


References
Cline, A. (2012). The Evolving Role of the Exhibition and its Impact on Art and Culture.
https://digitalrepository.trincoll.edu/cgi/viewcontent.cgi?article=1275&context=theses

Loshin, P. (2022) Top Kali Linux tools and how to use them | TechTarget.
https://www.techtarget.com/searchsecurity/tip/Top-Kali-Linux-tools-and-how-to-use-them

Ragai, J. (2013). The Scientific Detection of Forgery in Paintings. Proceedings of the American
Philosophical Society, 157(2), 164–175. https://www.jstor.org/stable/24640239

Scholarworks@uno, S., & Mishra, S. (2007). Keyword Indexing and Searching for Large
Forensics Targets using Distributed Computing.
https://scholarworks.uno.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=1510&context=td


Appendices
Appendix 1: Plot timeline

Appendix 2: Persons Investigated


Appendix 3: GPS & Wi-Fi locations
