Internal Investigation Report
advertisement
Internal Investigation Report
Tyler Hall
9 Greenhouse Road, 2nd Floor
Kingston, RI
April 26, 2007
Internal Investigation Team: Brittnee Morgan, Corey Pontius, Sean Alvarez, Tim Ball, John
Wilson, Johan Attali, San Myint, Sherida Jacobs, Ravid Te, Ignacio Perez-Ibanez, Remo Stierli
Requester: Norman Von Finkelstein
Offense: Threatening email
CONCLUSION
This investigation concluded that Manny Ramirez, URI Computer Science department employee,
sent a threatening email to Prof. Norman Von Finkelstein in order to scare him away from his
work in BioInformatics.
FINDINGS
The analysis of the server and desktop computer resulted in 5 files and 2 log entries of
evidentiary interest. Files were examined using standard internal investigation procedures.
Investigation started: March 29, 2007
Investigation completed: April 26, 2007
Investigation hours: 150 hours
Operating systems examined: Microsoft® Windows Server® 2003 R2 (UNIX Mail Server) Don’t know what software version was the server running but it was UNIX, not MWS 2003-,
Windows® XP SP 2
File system: NTFS
Amount of data analyzed: 1,200,000 MB
Evidence Description
Item 1: One Nikon Cool Pix Digital Camera S/N 3126580
Actions taken:
Date / time
Action
March 29, 2007 18:19
Retrieved original camera from room D. Acquired data from
the camera following standard acquisition process.
April 5, 2007 10:00
Analyzed evidence collected from camera. Viewed current
pictures on camera but did not carve out unallocated
pursuant to request by superior.
Evidence found:
Sean, if you could add what you found.
Item 2: One Computer If anyone wrote down the model and s/n number please include it here
Actions taken:
Date / time
Action
March 29, 2007 18:30
Retrieved desktop image from computer belonging to user
Manny Ramirez.
April 9, 2007 18:15
Analyzed evidence collected from desktop. Identified files
and events of interest. Documented the system following
standard procedures.
Evidence found:
In the file Sent Items.dbx the threatening email is present.
The picture of Von Finkelstein’s son was found deleted on the computer.
Evidence of connections with bioinformatics were found.
Evidence that Von Finkelstein’s website had been visited was found in Temporary
Internet Files.
That the name of the machine was render.cs.uri.edu and that its MAC address was
00:13:20:ee:93:29 (important for the analysis of the DNS logsO.
Item 3: URI’s Computer Science Department “Tester” mail server (Tester was the actual name of
the server)
Actions taken:
Date / time
Action
March 29, 2007 18:25
Parsed, limited and retrieved logs entries related /
contained the email address “wonfilkestein@cs.uri.edu”.
April 9, 2007 18:20
Retrieved a copy of the threatening email from the IMAP
server.
Evidence found:
That a machine called render with the IP 131.128.81.60 connected to the mail server to
send the threatening email.
That the threating letter attached to the theatening email was written with Word and that
the GUID was {5E2C2E6C-8A16-46F3-8843-7F739FA12901}
Item 4: URI’s Computer Science Department DNS server (
Actions taken:
Date / time
Action
March 29, 2007 18:25
Parsed, limited and retrieved logs entries for the IP address
“131.128.81.60”, the MAC address 00:13:20:ee:93:29 and
the computer named render.cs.uri.edu.
Evidence found:
that the IP address from which the email was send matched the one given to Mr.
Ramirez’ computer when the email was sent.
