Internal Investigation Report

Tyler Hall
9 Greenhouse Road, 2nd Floor
Kingston, RI
April 26, 2007
Internal Investigation Team: Brittnee Morgan, Corey Pontius, Sean Alvarez, Tim Ball, John
Wilson, Johan Attali, San Myint, Sherida Jacobs, Ravid Te, Ignacio Perez-Ibanez, Remo Stierli
Requester: Norman Von Finkelstein
Offense: Threatening email
CONCLUSION
This investigation concluded that Manny Ramirez, URI Computer Science department employee,
sent a threatening email to Prof. Norman Von Finkelstein in order to scare him away from his
work in BioInformatics.
FINDINGS
The analysis of the server and desktop computer resulted in 5 files and 2 log entries of
evidentiary interest. Files were examined using standard internal investigation procedures.
Investigation started: March 29, 2007
Investigation completed: April 26, 2007
Investigation hours: 150 hours
Operating systems examined: Microsoft® Windows Server® 2003 R2 (UNIX Mail Server) [Don’t know what software version the server was running, but it was UNIX, not MWS 2003], Windows® XP SP 2
File system: NTFS
Amount of data analyzed: 1,200,000 MB
Evidence Description
Item 1: One Nikon Cool Pix Digital Camera S/N 3126580
Actions taken:
Date / time             Action
March 29, 2007 18:19    Retrieved original camera from room D. Acquired data from the camera following standard acquisition process.
April 5, 2007 10:00     Analyzed evidence collected from camera. Viewed current pictures on camera but did not carve out unallocated pursuant to request by superior.
Evidence found:
Sean, if you could add what you found.
Item 2: One Computer. If anyone wrote down the model and S/N, please include it here.
Actions taken:
Date / time             Action
March 29, 2007 18:30    Retrieved desktop image from computer belonging to user Manny Ramirez.
April 9, 2007 18:15     Analyzed evidence collected from desktop. Identified files and events of interest. Documented the system following standard procedures.
Evidence found:
- In the file Sent Items.dbx the threatening email is present.
- The picture of Von Finkelstein’s son was found deleted on the computer.
- Evidence of connections with bioinformatics was found.
- Evidence that Von Finkelstein’s website had been visited was found in Temporary Internet Files.
- The name of the machine was render.cs.uri.edu and its MAC address was 00:13:20:ee:93:29 (important for the analysis of the DNS logs).
Item 3: URI’s Computer Science Department “Tester” mail server (Tester was the actual name of the server)
Actions taken:
Date / time             Action
March 29, 2007 18:25    Parsed, filtered and retrieved log entries related to or containing the email address “wonfilkestein@cs.uri.edu”.
April 9, 2007 18:20     Retrieved a copy of the threatening email from the IMAP server.
Evidence found:
- A machine called render with the IP 131.128.81.60 connected to the mail server to send the threatening email.
- The threatening letter attached to the threatening email was written with Word and its GUID was {5E2C2E6C-8A16-46F3-8843-7F739FA12901}.
Item 4: URI’s Computer Science Department DNS server
Actions taken:
Date / time             Action
March 29, 2007 18:25    Parsed, filtered and retrieved log entries for the IP address “131.128.81.60”, the MAC address 00:13:20:ee:93:29 and the computer named render.cs.uri.edu.
Evidence found:
- The IP address from which the email was sent matched the one assigned to Mr. Ramirez’ computer at the time the email was sent.
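The correlation behind this finding (the mail server's record of the sending IP, matched against the address-to-host binding that was in force at send time) can be reproduced with a small script. This is an added illustration, not part of the report or its tooling: the log formats, timestamps and the second lease are constructed; only the IP address, MAC address and hostname come from the report.

```python
# Added example: tie a mail-server log entry to the host that held the sending IP
# at that moment, using DHCP/DNS lease windows. Formats below are constructed.
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed mail-server log: "timestamp | to=<addr> | client=<ip>" per message.
MAIL_LOG = [
    "2007-03-27 21:42:10 | to=<wonfilkestein@cs.uri.edu> | client=131.128.81.60",
    "2007-03-28 09:15:33 | to=<wonfilkestein@cs.uri.edu> | client=131.128.81.60",
    "2007-03-28 10:02:07 | to=<wonfilkestein@cs.uri.edu> | client=131.128.81.77",
]

# Constructed lease records: (ip, mac, hostname, lease_start, lease_end).
# The first row reflects the report's render.cs.uri.edu binding; the second is a
# hypothetical later lease of the same IP to a different host (assumed MAC/name).
LEASES = [
    ("131.128.81.60", "00:13:20:ee:93:29", "render.cs.uri.edu",
     "2007-03-27 08:00:00", "2007-03-28 08:00:00"),
    ("131.128.81.60", "00:13:20:aa:bb:cc", "otherhost.cs.uri.edu",
     "2007-03-28 08:00:00", "2007-03-29 08:00:00"),
]

def parse_mail_line(line):
    """Split one constructed log line into (timestamp_str, recipient, client_ip)."""
    ts, *fields = [f.strip() for f in line.split("|")]
    kv = dict(f.split("=", 1) for f in fields)
    return ts, kv["to"].strip("<>"), kv["client"]

def lease_holder(ip, when_str):
    """Return (mac, hostname) bound to ip at when_str, or None if no lease covers it.
    Lease end is exclusive, so a message at exactly the renewal instant goes to the new holder."""
    when = datetime.strptime(when_str, FMT)
    for lip, mac, host, start, end in LEASES:
        if lip == ip and datetime.strptime(start, FMT) <= when < datetime.strptime(end, FMT):
            return mac, host
    return None

def attribute_messages(recipient):
    """For every message to recipient, pair the sending IP with its lease holder at send time."""
    results = []
    for line in MAIL_LOG:
        ts, to, ip = parse_mail_line(line)
        if to == recipient:
            results.append((ts, ip, lease_holder(ip, ts)))
    return results
```

The same IP resolves to two different hosts depending on the timestamp, which is why the report's finding hinges on the lease that was active when the message was sent, not on the address alone.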