CASE0001: Forensics Analysis - George & Martha
BN026 Lab Report 
  
Robert Fox
Table of Contents
All related evidence is grouped together:

  • Obfuscated Messages

  • Email Messages

  • Text file Messages

  • Bank message & account information
Abstract - summary
I was contacted by Steve Billings, the manager of a small business. Steve was concerned about two of his employees: Martha Heiser and George Montgomery.

  • Martha had begun a one-week emergency leave from the company two weeks prior to Steve contacting me.

  • Martha did not inform anyone where she was going or how to contact her. 

  • Martha had still not returned from her leave at the time Steve contacted me.

  • George was a supervisor in the Accounts Payable Department and had been missing from work for the last week and no one knew why.

  • Steve had searched Martha’s desk and found travel brochures for foreign tours.
 
  • Steve also searched George’s desk and found paper notes about a Switz supplier that Steve had once used as well as a memory stick. Steve found a label on the memory stick with the former suppliers name on it. 

Steve asked me to examine it to see if it contained any information that would explain the whereabouts of George & Martha. 

Tools Used for Analysis
Software

• Windows 7 Enterprise Edition 64 bit
• AccessData Forensic Toolkit v. 1.62.1
• Microsoft Word 2013
• Windows Notepad
• 7-Zip File Manager v. 9.20
 
Hardware

• AOC E2260S LCD Monitor
• Celtic G3240 Personal Computer
• Microsoft Basic Optical Mouse v2.0
• Microsoft Wired Keyboard 400

Message Digest
Upon receiving the Memory Stick from Steve Billings, the first thing I did was to take note of the Message Digest (MD5) checksum for the memory stick image. This will produce a unique 128-bit string of characters. If even 1 byte of this file is changed in any way, the MD5 string will be completely different.

  • The Message Digest checksum of the image was as follows, as shown in Figure 1:

1F81505C8B5102EBE4EB8A2F1F4628C8

Upon beginning my analysis, I checked the MD5 of the image file again and, as shown in Figure 2, the MD5 is an exact match.

  • This assures us of data integrity and that the image file had not been tampered with between the time Steve gave me the Memory Stick, and 18:15 on 06/02/2014, when I began my analysis.
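
The integrity check described in this section, as an added example that is not part of the original report: the image is hashed when received, hashed again before analysis, and the two values are compared. The file name, the sample bytes and the extra SHA-256 digest are assumptions made for the illustration; the report itself records only MD5.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large image never sits in memory


def image_digests(path):
    """Return (md5, sha256) of a file as uppercase hex, streaming in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)  # assumption: second digest kept beside the MD5
    return md5.hexdigest().upper(), sha256.hexdigest().upper()


def verify_image(path, recorded_md5):
    """Compare the image's current MD5 with the value noted at intake."""
    current_md5, _ = image_digests(path)
    # Normalise case and whitespace: tools differ in how they print hex.
    return current_md5 == recorded_md5.strip().upper(), current_md5


def demo():
    """Run the check on a constructed stand-in image (not the case data)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "stick.img")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed sample image" + b"\xff" * 4096)
        recorded_md5, _ = image_digests(path)               # noted on receipt
        before = verify_image(path, recorded_md5.lower())   # re-check before analysis
        with open(path, "r+b") as fh:                       # alter exactly one byte
            fh.seek(100)
            fh.write(b"\x01")
        after = verify_image(path, recorded_md5)
        return recorded_md5, before, after


if __name__ == "__main__":
    recorded, before, after = demo()
    print("recorded MD5:          ", recorded)
    print("match before analysis: ", before[0])
    print("match after 1-byte edit:", after[0], "->", after[1])
```
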
Evidence
This is a collection of evidence found on the Memory Stick after starting the analysis at 18:15 on 06/02/2014.

All of the evidence found is listed and detailed numerically/sequentially.

Conclusion
All of this information, data and evidence warrants further investigation into George and Martha.