Internal Investigation Report

Tyler Hall
9 Greenhouse Road, 2nd Floor
Kingston, RI

April 26, 2007

Internal Investigation Team: Brittnee Morgan, Corey Pontius, Sean Alvarez, Tim Ball, John Wilson, Johan Attali, San Myint, Sherida Jacobs, Ravid Te, Ignacio Perez-Ibanez, Remo Stierli
Requester: Norman Von Finkelstein
Offense: Threatening email

CONCLUSION

This investigation concluded that Manny Ramirez, URI Computer Science department employee, sent a threatening email to Prof. Norman Von Finkelstein in order to scare him away from his work in BioInformatics.

FINDINGS

The analysis of the server and desktop computer resulted in 5 files and 2 log entries of evidentiary interest. Files were examined using standard internal investigation procedures.

Investigation started: March 29, 2007
Investigation completed: April 26, 2007
Investigation hours: 150 hours
Operating systems examined: Microsoft® Windows Server® 2003 R2 (UNIX Mail Server) [Don't know what software version the server was running, but it was UNIX, not MWS 2003], Windows® XP SP 2
File system: NTFS
Amount of data analyzed: 1,200,000 MB

Evidence Description

Item 1: One Nikon Cool Pix Digital Camera S/N 3126580

Actions taken:

Date / time             Action
March 29, 2007 18:19    Retrieved original camera from room D. Acquired data from the camera following standard acquisition process.
April 5, 2007 10:00     Analyzed evidence collected from camera. Viewed current pictures on camera but did not carve unallocated space, pursuant to request by superior.

Evidence found: Sean, if you could add what you found.

Item 2: One Computer [If anyone wrote down the model and S/N, please include it here]

Actions taken:

Date / time             Action
March 29, 2007 18:30    Retrieved desktop image from computer belonging to user Manny Ramirez.
April 9, 2007 18:15     Analyzed evidence collected from desktop. Identified files and events of interest. Documented the system following standard procedures.
Evidence found:

The threatening email is present in the file Sent Items.dbx.
The picture of Von Finkelstein's son was found deleted on the computer.
Evidence of connections with bioinformatics was found.
Evidence that Von Finkelstein's website had been visited was found in Temporary Internet Files.
The name of the machine was render.cs.uri.edu and its MAC address was 00:13:20:ee:93:29 (important for the analysis of the DNS logs).

Item 3: URI's Computer Science Department "Tester" mail server (Tester was the actual name of the server)

Actions taken:

Date / time             Action
March 29, 2007 18:25    Parsed, limited and retrieved log entries that related to or contained the email address "wonfilkestein@cs.uri.edu".
April 9, 2007 18:20     Retrieved a copy of the threatening email from the IMAP server.

Evidence found:

A machine called render with the IP 131.128.81.60 connected to the mail server to send the threatening email.
The threatening letter attached to the threatening email was written with Word, and its GUID was {5E2C2E6C-8A16-46F3-8843-7F739FA12901}.

Item 4: URI's Computer Science Department DNS server

Actions taken:

Date / time             Action
March 29, 2007 18:25    Parsed, limited and retrieved log entries for the IP address "131.128.81.60", the MAC address 00:13:20:ee:93:29 and the computer named render.cs.uri.edu.

Evidence found:

The IP address from which the email was sent matched the one given to Mr. Ramirez's computer when the email was sent.
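
The Item 4 correlation (which machine held 131.128.81.60 at the moment the email was sent) can be checked mechanically. The following is an added example, not part of the original report or the team's tooling. The log format, all timestamps and the second host (lab7) are constructed assumptions; only the IP, MAC and host name of render come from the report.

```python
from datetime import datetime

# Constructed sample entries: the line format and every timestamp are assumptions.
# The lab7 host and its MAC are invented to show the address changing hands.
SAMPLE_LOG = """\
2007-03-01T08:00:00 ASSIGN 131.128.81.60 00:11:22:33:44:55 lab7.cs.uri.edu
2007-03-01T17:30:00 RELEASE 131.128.81.60 00:11:22:33:44:55 lab7.cs.uri.edu
2007-03-02T08:05:00 ASSIGN 131.128.81.60 00:13:20:ee:93:29 render.cs.uri.edu
2007-03-02T19:00:00 RELEASE 131.128.81.60 00:13:20:ee:93:29 render.cs.uri.edu
"""

def parse(log_text):
    """Yield (time, action, ip, mac, host) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] not in ("ASSIGN", "RELEASE"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3].lower(), parts[4].lower()

def holder_at(log_text, ip, when):
    """Return (mac, host) holding `ip` at time `when`, or None if unassigned."""
    holder = None
    for ts, action, entry_ip, mac, host in sorted(parse(log_text)):
        if ts > when:
            break  # entries after the event time are irrelevant
        if entry_ip != ip:
            continue
        if action == "ASSIGN":
            holder = (mac, host)
        elif holder and holder[0] == mac:
            holder = None  # the current holder released the address
    return holder

def matches_suspect(log_text, ip, when, suspect_mac):
    """True only if `ip` was held by `suspect_mac` at the event time."""
    holder = holder_at(log_text, ip, when)
    return holder is not None and holder[0] == suspect_mac.lower()
```

Matching on the IP alone is not enough when addresses are reassigned; the check has to be made at the send time taken from the mail server log.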