Cyber Incident Response and Computer Forensics
The following is an Evidentiary Report produced as part of the final assignment for the Cyber Incident Response and Computer Forensics course. Although the case in this case study is real, the "evidence" presented in this report is NOT. The purpose of this paper was to demonstrate how an evidence package could be put together, highlighting some of the cyber forensic analysis processes, the tools used in the collection and analysis of data, and the importance of keeping the chain of custody intact.
Background to the case
On November 29, 2016, 18-year-old Brandy Vela committed suicide after enduring months of cyberbullying, online impersonation and harassment. Interviews with family members and the forensic examination of Brandy Vela's laptop and cell phone led to identifying two persons of interest: Andres Arturo Villagomez, 21 (Brandy's ex-boyfriend) and Karinthya Sanchez Romero, 22 (Villagomez's girlfriend). Evidence on Brandy's laptop and cell phone established probable cause, and warrants were issued to seize Villagomez's and Romero's cell phones and computers.
Jackie Vela, Brandy's sister, stated in her interview with police that fake Facebook profiles had been created in her sister's name. The profile impersonating Brandy posted derogatory information about her, including that she would offer sex for free.
The tools used in this forensic investigation were FTK (Forensic Toolkit) Imager v. 3.3, Foxton Forensics Browser History Examiner v. 1.7.3, Oxygen Forensics Detective v. 9.4 and Cain and Abel 4.9.56. The team of investigators in this case has extensive training and holds various computer forensics certifications.
Criminal Offenses
Karinthya Sanchez Romero, 22, is facing Harassment (Texas Penal Code § 42.07) and Online Impersonation (Texas Penal Code § 33.07) charges.
Andres Arturo Villagomez, 21, is facing an Unlawful Disclosure or Promotion of Intimate Visual Material (Texas Penal Code § 21.16) charge.
Search and Seizure
With the warrant at hand, investigators went to Villagomez and Romero's residence. Following established procedures, prior to seizing Villagomez's and Romero's cell phones and laptops the scene was photographed and videotaped, and the current state of all the devices was documented. After evaluating the scene and finding that all devices were powered off, so that there was no opportunity to capture RAM images, a decision was made that no acquisition would be carried out on-site. All the devices were prepared and packaged for transport to the lab.
Chain of custody was established by documenting and itemizing every item seized. Transportation to the lab was provided by TxDPS Crime Lab Transportation Services.
There were no issues with seizing the suspects' phones and laptops within the scope of the warrant. Andres Villagomez decided to cooperate by providing the passwords to his phone and laptop, so no further legal action was required. Karinthya Romero, on the other hand, refused to provide her passwords. A warrant compelling Romero to provide her fingerprint on the Touch ID sensor to unlock the phone was necessary.
Chain of Custody
All items seized were identified, and detailed information about the devices was captured and documented at the scene, at the time of the transfer to the lab and at the time of receipt at the lab. All this information was verified by both the releasing and receiving parties.
Evidence Collection
The first step at the lab, after recording the receipt of the evidence in the Chain of Custody forms, was to ensure that the evidence would be preserved unaltered. Investigators proceeded to take images of the laptops' hard drives with FTK Imager. FTK Imager produces hash values of the images, which provides a repeatable and verifiable way to demonstrate that an image has not been altered. Investigators also extracted all the data from the cell phones using Oxygen Forensics. All the extracted data was saved and stored in its original state.
Once all the images had been created and saved, investigators worked from copies of these images in order to preserve the original evidence. All analysis work was done on verified copies of the original images.
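The hash check that makes a working copy "verified" can be reproduced outside the imaging tool. The following Python is an added illustration (not part of the original report and not FTK Imager's own code): it re-hashes an image with the same MD5 and SHA-1 digests an acquisition log records and rejects the copy if either differs. The sample image bytes are constructed.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

CHUNK = 1024 * 1024  # read images in 1 MiB pieces; a disk image never fits in memory

@dataclass
class Verification:
    md5: str
    sha1: str
    md5_ok: bool
    sha1_ok: bool

    @property
    def intact(self) -> bool:
        return self.md5_ok and self.sha1_ok  # one mismatch is enough to reject the copy

def hash_image(path: str) -> tuple:
    """Return (MD5, SHA-1) hex digests of a file, computed in one chunked pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def verify_image(path: str, recorded_md5: str, recorded_sha1: str) -> Verification:
    """Re-hash a working copy and compare with the digests recorded at acquisition."""
    md5, sha1 = hash_image(path)
    return Verification(md5, sha1, md5 == recorded_md5.lower(), sha1 == recorded_sha1.lower())

def demo() -> tuple:
    """Constructed sample: verify an untouched copy, then the same file with a byte appended."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "laptop_image.sample")
        with open(img, "wb") as f:
            f.write(b"abc")  # stand-in for image data (constructed, not case evidence)
        recorded_md5, recorded_sha1 = hash_image(img)  # what the acquisition log would hold
        good = verify_image(img, recorded_md5, recorded_sha1)
        with open(img, "ab") as f:
            f.write(b"\x00")  # simulate an altered working copy
        bad = verify_image(img, recorded_md5, recorded_sha1)
    return good, bad

if __name__ == "__main__":
    good, bad = demo()
    print("untouched copy intact:", good.intact, "| altered copy intact:", bad.intact)
```

In practice the recorded digests come from the acquisition log, and the result of every re-verification is itself entered in the chain-of-custody record.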
Based on the facts of the case the investigators focused on collecting the following data from the laptops and cell phones:
- All images on the phones and laptops, including recovered deleted images
- All incoming and outgoing text messages from all phones
- All incoming and outgoing phone calls
- All Internet browser activity, including:
  - Websites visited
  - Logins to URLs
  - Form history, for email account and social media profile creation
  - Email addresses
  - Cookies
  - Searches
The Foxton Browser History Examiner Website Activity Timeline feature was used to capture all Internet activity during the 8 months prior to Brandy's suicide. This was used to capture all email account and social media activity.
Oxygen Forensics was used to capture all images, text messages and phone calls, including recovering all deleted images, messages and calls.
Cain and Abel was used to gain access to Romero's Windows XP laptop. Romero had refused to provide the Windows password to her laptop, so Cain and Abel was used to crack it.
Analysis Results
Once all the data had been collected during the Evidence Collection process, investigators analyzed it to determine what was relevant to the case. After sifting through all the collected data, the focus was on finding evidence of online impersonation on social media and of harassment, related to Romero's charges, and evidence of posting intimate visual material, related to Villagomez's charge.
Browser History Examiner evidence found on Romero's laptop.
After examining Romero's laptop, evidence was found indicating that the fake Facebook profiles had been created on her laptop. The following constructed timeline shows the use of the laptop, the creation of the social media profiles and the online postings.
Timeline Analysis
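Building a timeline like the one described above means putting records from different tools onto one clock. The following Python is an added illustration (not part of the original report and not a Foxton or Oxygen export format): it assumes the browser-history rows carry local wall-clock time (US Central Standard Time, UTC-6, in late 2016) and the phone rows carry Unix epoch milliseconds in UTC, normalizes both to UTC, and merges them in order. All rows are constructed, not case data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed export conventions for this constructed sample (not a real tool format):
# browser rows = local Central Standard Time strings, phone rows = epoch ms in UTC.
CENTRAL = timezone(timedelta(hours=-6))

BROWSER_ROWS = [  # (local time, device, artifact, detail) -- constructed
    ("2016-11-27 22:15:40", "laptop", "login", "login to social media site"),
    ("2016-11-27 22:14:05", "laptop", "form", "profile sign-up form submitted"),
]
PHONE_ROWS = [  # (epoch ms UTC, device, artifact, detail) -- constructed
    (1480306500000, "phone", "sms", "outgoing text message"),
]

@dataclass(order=True)
class Event:
    when: datetime  # always timezone-aware UTC, so events from both sources sort together
    device: str
    artifact: str
    detail: str

def from_browser(local_ts: str, device: str, artifact: str, detail: str) -> Event:
    """Local wall-clock string -> UTC event."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return Event(naive.replace(tzinfo=CENTRAL).astimezone(timezone.utc), device, artifact, detail)

def from_phone(epoch_ms: int, device: str, artifact: str, detail: str) -> Event:
    """Epoch milliseconds -> UTC event."""
    return Event(datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc), device, artifact, detail)

def build_timeline(browser_rows, phone_rows, start=None, end=None):
    """Merge both sources into one chronological list, optionally clipped to [start, end)."""
    events = [from_browser(*r) for r in browser_rows] + [from_phone(*r) for r in phone_rows]
    if start is not None:
        events = [e for e in events if e.when >= start]
    if end is not None:
        events = [e for e in events if e.when < end]
    return sorted(events)

def timeline_rows(browser_rows=BROWSER_ROWS, phone_rows=PHONE_ROWS):
    """Flat, printable form: (UTC ISO time, device, artifact, detail)."""
    return [(e.when.isoformat(), e.device, e.artifact, e.detail)
            for e in build_timeline(browser_rows, phone_rows)]

if __name__ == "__main__":
    for row in timeline_rows():
        print(*row, sep="  ")
```

The sign-up form, the text message and the login come out in true order only because every source was converted to UTC first; sorting on the raw local strings would have placed the phone record last.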
In addition, deleted intimate images of Brandy were found on Villagomez's phone and laptop.
The browsing history showed the time of the posting and that Villagomez’s phone had been used to post intimate pictures of Brandy.
Review
All the data collected, analyzed and reported was reviewed for accuracy and correctness prior to publishing this report. In general, the evidence examination went well without issues. The investigation staff was well prepared, proper resources were allocated to handle the various stages of the examination, and all the investigators had clear instructions and an understanding of the procedures.
Conclusion
Andres Arturo Villagomez
Based on the timeline constructed from the social media access by the Motorola G4 phone belonging to Villagomez, and on the images of Brandy Vela recovered from that phone, there is conclusive evidence that the images of Brandy Vela at issue in the Unlawful Disclosure or Promotion of Intimate Visual Material charge were posted from Villagomez's phone. Call records and text messages show that Villagomez was in possession of his Motorola G4 phone at the time of the postings.
Karinthya Sanchez Romero
In the Online Impersonation charge, evidence shows the 'fake' Facebook accounts were created on Romero's laptop. The evidence also shows that no other user was logged into the laptop locally or remotely. Emails sent from her laptop during the time of the postings establish that Romero was the only person who could have submitted the postings on the impersonated profile.
In the Harassment charge, the abusive text messages to Brandy Vela were recovered from Romero's Samsung Galaxy 5 phone. Phone call data was also recovered showing calls made to Brandy's cell phone, most of which were made late at night and in the early morning. Other text messages not related to the case confirmed that Romero was in possession of her phone at the time the harassing text messages and calls were made.
Keating, C. (2017, March 17). 2 arrested in alleged cyberbullying suicide of teen Brandy Vela, who killed herself in front of family. Retrieved from http://people.com/crime/brandy-vela-cyberbullying-suicide-family-2-arrested/
AP News. (2017, March 17). 2 indicted, accused of cyberbullying 18-year-old to suicide. Retrieved from https://apnews.com/5ed767b87dc74293bd73b88dab0ec5fe/2-indicted-accused-cyberbullying-18-year-old-suicide
The Zendeh Del Law Firm. (n.d.). Grand jury process in Texas. Retrieved from http://www.zenlawfirm.com/Criminal-Defense/Criminal-Process/Grand-Jury-Process.aspx
FindLaw. (2017). Texas Penal Code § 33.07. Online impersonation. Retrieved from http://codes.findlaw.com/tx/penal-code/penal-sect-33-07.html
FindLaw. (2017). Texas Penal Code § 42.07. Harassment. Retrieved from http://codes.findlaw.com/tx/penal-code/penal-sect-42-07.html
FindLaw. (2017). Texas Penal Code § 21.16. Unlawful disclosure or promotion of intimate visual material. Retrieved from http://codes.findlaw.com/tx/penal-code/penal-sect-21-16-nr2.html
Foxton Forensics. (n.d.). Browser History Examiner. Retrieved from https://www.foxtonforensics.com/browser-history-examiner/
Oxygen Forensics. (n.d.). Oxygen Forensics Detective. Retrieved from https://www.oxygen-forensic.com/en/products/oxygen-forensic-detective