Addendum Forensic Report for GOAA BP-S00132 Procurement

Transcription

1 Addendum Forensic Report for GOAA BP-S00132 Procurement Case Number: CF-BC March 13 th, 2018 Internal Case #: CF-BC

2 Table of Contents I. Introduction... 3 II. Executive Summary... 4 III. Evidence Consideration... 5 IV. Examination of Robert Sanders Computer... 6 V. Examination of Martin Ineichen s GOAA Computer... 8 VI. Examination of Martin Ineichen s PMA Computer VII. Conclusion VIII. Appendix AXIOM Log Internal Case #: CF-BC

3 I. Introduction At the public hearing on February 27 th, 2018 regarding the BP-S00132 STC BHS procurement process, the Greater Orlando Aviation Authority (GOAA) decided to continue a supplemental forensic data investigation into the computer system assigned to Mr. Sanders, as well as the GOAA computer system assigned to Mr. Martin Ineichen and the PMA assigned computer system for Mr. Ineichen. This decision was, in part, based on the recommendations in the Forensic Report submitted by Data Analyzers on February 23rd, GOAA granted a two-week time duration to allow for this supplemental investigation. The scope of the supplemental data forensic investigations should accomplish the following: 1. Examine the computer system assigned to Mr. Robert Sanders, as it was not processed during the initial investigation due to time restrictions and it requiring a proprietary adapter. The goal of the examination of this computer system was to determine if any documents from Exhibit A) of the Revised Protocol which are related to the BP-S00132 STC BHS procurement process had been accessed and/or copied and if so, how they had been obtained. 2. Perform an extended examination on the GOAA computer system assigned to Mr. Martin Ineichen and determine why downloaded files from box.com could not be found on the computer system. If any of these documents existed on the computer system, Data Analyzers would draw a more substantial conclusion. 3. Perform an extended examination on the PMA computer system assigned to Mr. Martin Ineichen and determine why metadata affecting the timeline of interest was missing from this computer system. Internal Case #: CF-BC

4 II. Executive Summary Data Analyzers has conducted this supplemental investigation on the computer system assigned to Mr. Sanders and the two computer systems assigned to Mr. Ineichen. Due to the extended scope of this investigation and based on the metadata, system artifacts and additional data that had been analyzed, Data Analyzers has arrived at the following conclusions Data Analyzers did not find any evidence that the computer assigned to Robert Sanders possessed any documents outlined in Exhibit A) of the initial report. While Data Analyzers did find evidence (Appendix A) that the GOAA s box.com account was accessed with the web browser (Internet Explorer) from Mr. Ineichen s assigned GOAA computer, Data Analyzers did not find any evidence that any of the files in Exhibit A) have been downloaded onto this computer system. Data Analyzers did not find any direct evidence that the time clock on the PMA computer assigned to Mr. Ineichen was altered with the intent to conceal any information. None of the data that have been systematically examined have revealed any such evidence. Internal Case #: CF-BC

5 III. Evidence Consideration Data Analyzers collected data from three computer systems for this addendum. The Computer system utilized by Robert Sanders, the GOAA computer system assigned to Mr. Ineichen and the PMA Laptop computer assigned to Mr. Ineichen. Data Analyzers had physical access to all three computer systems. Custodian Laptop or Desktop Computer Name Model / Serial Number Robert Sanders Laptop OAR38 Lenovo X1 Carbon / PK-0PVFZ 13/08 Martin Ineichen Desktop OAR7 HP Compaq Elite 8300 / 2UA3330KGK Martin Ineichen Laptop LTMINEICHENT430 Lenovo T430 / PB295W5 The objective was to perform a collection and examination of Mr. Sanders s computer, as it was conducted on the computer systems of the previous investigation. The collection was limited to metadata and system files, which was the scope agreed upon during the initial investigation. The objective of the examination for the other two computer systems, the GOAA HP desktop computer and the PMA Lenovo laptop computer, was to perform a detailed investigation in addition to the previously conducted investigation that was limited to metadata and system files. All investigations conducted for this report were conducted at the laboratory of Data Analyzers. Internal Case #: CF-BC

6 IV. Examination of Robert Sanders Computer During the initial analysis, a Lenovo Laptop with the model number: X1 Carbon and serial number: PK- 0PVFZ 13/08 assigned to Mr. Robert Sanders was not processed and therefore, no examination was conducted on it. The computer system assigned to Mr. Sanders could not be examined, due to the laptop having been received within only two days of having to complete the examination and the Laptop containing an SSD drive with a proprietary interface. Picture of proprietary SSD interface. For this second examination attempt, Data Analyzers was able to order the proprietary adapter for this SSD drive and conducted its analysis of the procurement investigation pursuant to the Revised Protocol. Picture of the adapter and the proprietary SSD connected to its interface. Internal Case #: CF-BC

7 Data Analyzers searched and analyzed the PMA Laptop computer to identify only documents, data, fragments and artifacts that reasonably appeared to be related to the BP-S00132 procurements outlined in Exhibit A). During the analysis, Data Analyzers employed a methodology tailored to the particular facts of this case. Data Analyzers methodology included: 1. Extracting all available and potentially relevant metadata and system artifacts. These included the MFT, NTUser.dat, UsrClass.dat, LNK files, event logs, registry files as well as the Internet Explorer s WebCacheV01.dat file. 2. Consolidating, parsing, and converting the metadata into a readable format. The data for each artifact was parsed and the output was converted to either a csv file or body file format. 3. Reducing the timeframe of the data to search and analyze. The content of csv or body file of each artifact was reduced to only contain the data from November 1 st 2017 to February 21 st The reduced set of metadata was then imported into a database application called Splunk. A set of search queries was built to search for the names and variations of the file names in Exhibit A). 5. Performing additional manual metadata artifact review on key artifact areas to cross-verify results and proper due-diligence. A selection of metadata and system artifacts which included MFT entries, NTUser.dat and LNK files have been manually reviewed with either a text editor or a hexadecimal editor, depending on the specific artifact type. 6. The searches performed included the full name of the file, as well as variations of the file names in Exhibit A) to be able to capture variations of the file names, for example: The full name of the file Technical Proposal for DBOM Services for BP-S00132 BHS_archive.pdf was used to perform an exact search. A search with an asterisk character (*) was used instead of the.pdf extension. Example: Technical Proposal for DBOM Services for BP-S00132 BHS_archive.* The same query was executed with the asterisk at the beginning of the file. Example: *Technical Proposal for DBOM Services for BP-S00132 BHS_archive.pdf The asterisk character is what is called a wildcard character and can represent any unknown character or group of characters that the symbol represents in the search query. Therefore, the asterisk character replacing the pdf among other things would catch any other type of file Internal Case #: CF-BC

8 extension besides pdf, such as for word documents (doc, docx), Tiff files, and all other possible changed file formats. 7. In addition, a partial query for Technical Proposal, as well as for BP-S00132 was performed. Thereafter, a search for any pdf files within the time frame was conducted and reviewed. 8. Furthermore, the time line and event logs have been inspected for any suspicious activities that could relate to the documents in Exhibit A) and or the masking of such documents. 9. Registry artifacts that include most recent accessed documents, connected USB storage devices, and network connections have been manually reviewed. 10. On any abnormalities encountered, the process was re-run and further manual examination was performed. The examinations of this computer system have displayed regular and consistent user activity. MFT records, internet activity, and system artifacts, such as Jump Lists, Link files and the registry have not revealed any irregular activity or usage patterns. No indications that an access or download for any of the documents in Exhibit A) occurred could be found for this computer system. V. Examination of Martin Ineichen s GOAA Computer Data Analyzers had previously recommend a supplementary investigation of Mr. Ineichen s GOAA assigned computer system that would not be limited to a metadata only examination. The purpose of this extended examination was to determine why downloaded files from box.com could not be found on the computer system and to draw a more substantial conclusion as to whether any of these documents existed on the computer system. Data Analyzers has conducted a full examination of the computer hard drive. During the analysis, Data Analyzers employed three methods to determine if the document was downloaded onto this computer system. The results of each method are used to corroborate the findings of the other methods. Internal Case #: CF-BC

9 Method 1: 1. An exact copy of the file that was supposedly downloaded from GOAA s box.com account was provided to Data Analyzers. It contained a file named Technical Proposal for DBOM Services for BP-S00132 BHS_archive.pdf. Data Analyzers generated a MD5 hash signature for this file. The MD5 Hash is: 2f8d805894fdc78a731059e39eb076ca This MD5 hash signature is a unique identifier for that particular file. It is calculated based on a mathematical equation and the MD5 algorithm thereby generates a 128-bit hash signature. Changing the name or extension of the file would not change the MD5 hash signature. Once this signature was calculated, a raw recovery of any and every file that would include the identifier of a PDF file was performed. Each PDF document has a common signature which is called a header. The raw recovery technique performed a data recovery of all PDF files that could be found based on the header signature rather than relying on the computer s file system and metadata to dictate where PDF files are located. This process bypasses the limitations of working only with PDF files that the computer, via its metadata, can identify as being active and deleted. The benefit of this process is that it will search the entire hard drive for any active and deleted PDF files, including partial PDF files, as long as the PDF header is still intact. Therefore, it will generate a more in-depth method of searching for deleted PDF files. Once all PDF files have been carved out from the raw hard drive, a signature matching program was ran to scan all PDF files for any matches to the following MD5 Hash: Hash:2f8d805894fdc78a731059e39eb076ca This would capture PDF files that have been renamed, PDF files where the extension of the file was changed (example: Myfile.pdf to Myfile.jpg), as well as PDF files that have been deleted. This would include PDF files which may no longer exist in the metadata, which had previously already been examined. A total of 8747 PDF file signatures have been found on the hard drive. The MD5 hash was run against all of them to search for any matches of the document. No positive matches have been found for the MD5 Hash of 2f8d805894fdc78a731059e39eb076ca. Internal Case #: CF-BC

10 Method 2: A full examination of the hard drive has been performed using Magnet AXIOM, which is a digital forensic platform that can read a large variety of computer artifacts including deleted data, documents, artifacts, internet activity, metadata, registry and system information. It was used to run a full examination on the entire hard drive of this computer system. Activities produced by user and computer system for the day of January 19 th, 2018 included a total of 4162 results found by AXIOM, which does not include the Master File Table. The screenshot above displays a breakdown of artifacts found and identified for January 19 th 2018 Internal Case #: CF-BC

11 Some of these artifacts include Outlook s as indicated by the screenshot below. Others include Jump Lists, which display the most recent files opened which includes PDF files stored locally on the computer system, as well as some PDF files that have been opened from a network share. Internal Case #: CF-BC

12 As well as LNK Lists A total of 67 records relating to activity on the GOAA Box.com account on January 19 th 2018 have been found. These records are seen in the two screenshots below and are included in their entirety as Appendix. They have been converted to Eastern Standard Time and are similar to the time stamp activity provided by Box.com s own logs captured from their servers. Internal Case #: CF-BC

13 While the records clearly show that the GOAA s Box.com portal was accessed, that someone logged into the account from Mr. Ineichen s GOAA assigned computer and that files have been accessed, it also shows that neither of the records in Appendix indicate that any files from the box.com account have been downloaded on to the computer system. If any files would have been downloaded such activity would have been identifiable in the attached Appendix. Method 3: All internet activity within this time frame was conducted with Microsoft s Internet Browser named Internet Explorer. In addition to the more automated approach, as performed by Magnet AXIOM, a manual examination of the Internet Explorers Webcache and database file was conducted, to cross verify the results obtained in method 2 and to catch any potential exceptions and abnormalities that could have occurred. The database used by more recent versions of Internet Explorer, such as it is on this system, is an Extensible Storage Engine (ESE) database. This file for the user account mineichen which represents the first initial and last name of Mr. Martin Ineichen was found at the following location. Users\mineichen This file comprises of the ESE database with multiple containers and tables containing cookies, browser history, as well as various other browser related activities. Each container of this database file was manually examined searching for relevant activity to box.com and procurement documents. Several examples of what these containers and tables looks like can be seen in the screenshots below. Internal Case #: CF-BC

14 Screenshot above shows a sample portion of the cache database Screenshot above shows a sample of the cookies database The content found during the manual examination of the database is equivalent with the entries produced by Method 2. While entries show that the GOAA s box.com account was accessed, there are no references of the files in questions having been downloaded via Internet Explorer, which was the only web browser used during that timeframe. In addition, no abnormal exceptions have been encountered during this process. Note that Data Analyzers had previously already determined that no USB storage devices had been accessed during that time duration, see page 4 of report submitted February 23 rd VI. Examination of Martin Ineichen s PMA Computer Data Analyzers had previously recommended a supplementary investigation of Mr. Ineichen s PMA assigned Laptop computer system that would not be limited to a metadata-only examination. The purpose of this extended examination was to determine why metadata affecting the timeline of interest was missing from this computer system. The initial examination was limited to only active metadata. In addition to having a limited time to complete the examination, the scope limitations prevented any final conclusions from being drawn and hence, the examination was extended to allow for additional time and additional access to the computer system which would not be limited to the active metadata. Internal Case #: CF-BC

15 Data Analyzers had, in the previous report, stated that computer records had been altered and that it usually encounters such activities in an attempt to hide and/or conceal activities that have occurred on the computer system. Data Analyzers also stated that it could not indefinitely determine the reason within the limited scope of investigation. The reasons for the previous conclusions had been the following: 1. Data Analyzers found that there was no metadata between August 2017 and January 26 th 2018, with an exception of a very limited amount of entries, far less than any type of usual computer activity would produce. On a Windows based computer system one should expect to see several hundred or even several thousand entries per day. Data Analyzers was not presented with any Affidavit or other statements, informing Data Analyzers that the computer system would have not been in use during that time frame. 2. Data Analyzers also found an unusual system time change. The time clock of the computer was changed by 144 days. Which suspiciously matched the time duration of missing metadata entries. 3. Such large adjustments to the computer system time are frequently made to change or alter system metadata and are known as anti-forensic techniques within the digital forensic community. When the time of a computer system is changed to another time that does not reflect the current time of existence, all metadata records after the time change will then reflect the inaccurate time. Such processes are often used to change the dates and times of certain activity so that they do not reflect the actual time of these activities. In addition, such processes are often used to aid in covering up or removal of certain records. The previous time and scope limitations of the initial forensic data investigation prevented further examination into these issues. Data Analyzers supplementary investigation examined the computer hard drive. During the analysis, Data Analyzers employed five methods to determine if there was an intentional change of system time and, sequentially, an alteration of metadata for reasons to conceal activity on the computer system. Internal Case #: CF-BC

16 Method 1: Data Analyzers revisited the event logs of the system and searched for any deleted event log files. No deleted event log files were found. Data Analyzers then reviewed the sequence of event logs. In particular, the sequence of event logs during the time duration of when the time change occurred. If event logs are tampered with, i.e. records deleted or changes of event logs time representation, due to intentional alteration of the system time clock, discrepancies between the time and the sequence number are usually found. Every entry has a sequential number that increases with every event log entry. Even if an event log entry has an altered time stamp, the sequence number would still continue with an accurate reflection of when and in which order the event log would have been generated. Screenshot of event log with consistent sequence numbers Method 2: A full examination of the hard drive has been performed using Magnet AXIOM, which is a digital forensic platform that can read a large variety of computer artifacts including deleted data, documents, artifacts, internet activity, metadata, registry and system information. It was used to run a full examination on the entire hard drive of this computer system. A thorough review of all activities has been performed; which included the examination of the Recycling Bin, Jump Lists, LNK files, Shellbags and time zone settings. During the examination conducted with this method, no additional artifacts that would have matched the time period of interest could be discovered. Internal Case #: CF-BC

17 The screenshot above displays a breakdown of system artifacts found and identified on the computer system. Method 3: The MFT (Master File Table) is a database that keeps track of files stored on the computer system, such as their location, size, as well as the creation and modification of dates and times. A detailed analysis has been conducted of the MFT, which included utilizing several different tool sets, as well as a manual inspection of certain entries. This also included searching and parsing for any potential old and deleted MFT tables, as well as any fragments that could be located. The MFT also has a sequence number for each entry. Special attention was given to the sequence numbers, as tampering with the MFT often will cause disruptions to the sequential order of the entries. The sequence numbering continued on January 12 th 2018 where the sequence numbers have left off on August 21 st Internal Case #: CF-BC

18 Method 4: When a Laptop computer is set to hibernation mode, it will store all currently open and active files, programs and processes in a type of a memory file called the hibernation file (hiberfil.sys). On this computer system, this was a file of approximately 6GB. This file is compressed and once uncompressed was approximately 8GB in size. An examination of the content was performed and no activity between August 21 st 2017 and January 12 th 2018 could be found. This correlated with the time frames seen in the event log. Method 5: An additional raw recovery was performed to specifically search for deleted LNK files. LNK is the file extension of a Windows Shortcut file. It is used by Microsoft Windows to link to multiple types of information, such as, files and network shares that have been previously opened. LNK files are artifacts that can be very useful to determine files that may no longer exist on the system. Therefore, even if a file no longer exists, the content of the LNK file can still reveal a location of a file and access time stamps even if the file is no longer found in the MFT or other metadata artifacts. Once a raw recovery was performed and the entire system was scanned for the signature of the LNK files, all found LNK files had been extracted to a folder. The content was then parsed with a third-party software tool called LECmd, which has been developed by Eric Zimmerman a former Special Agent with the FBI. The found LNK files did not reveal any activity during August 21 st 2017 and January 12 th Internal Case #: CF-BC

19 VII. Conclusion Data Analyzers has not found any evidence that the computer system assigned to Mr. Sanders has contained any documents outlined in Exhibit A). Neither internet activity, system artifacts, nor file system records revealed the access of such files. Data Analyzers found that while the computer assigned to Mr. Ineichen did login to GOAA s box.com account and access files, as shown in the log provided by box.com, there was no evidence of the files having been downloaded to the assigned GOAA desktop computer system. Plausible explanations for this activity include: 1. The download, while logged on box.com, was never fully executed or blocked by the Internet s browser configuration features. 2. The download of the file was blocked by a Firewall or Proxy security service utilized by GOAA. Data Analyzers determined that there was no evidence of intentional tampering of metadata on Mr. Ineichen s assigned PMA computer system. Although Data Analyzers did find that there was a system time change on this computer system, further examinations have not revealed any intentional changing or altering of system time stamps and metadata. The typical anti-forensic reasons for such system time changes, such as restoring an old backup set to conceal or overwrite existing data have been ruled out during this investigation. All common indicators for such activities have been investigated and have not revealed any evidence of deliberate modifications. While the activity that occurred is certainly unusual, Data Analyzers has not been able to confirm what exactly caused the change in the system time clock. None of the further-investigated methods and techniques have revealed the exact cause, and even PMA s Forensic Expert, Halock Security Labs s, examination did not sufficiently explain the MFT records that have been identified from October 16 th 2017, December 6 th 2017, January 2 nd 2018 and January 5 th Typically, if the computer is in a sleep or hibernation mode, there is no activity that occurs, not even Microsoft Windows updates. Data Analyzers has considered potential causes of such behaviors which included CMOS battery issues and Windows system bugs, which could have caused the time change, but was unable to confirm the exact cause in this instance. Nevertheless, this supplemental examination has been able to rule out any intentional alterations of metadata or files. I declare under penalty of perjury that the foregoing is true and correct. Andrew von Ramin Mapp Internal Case #: CF-BC

20 Appendix Internal Case #: CF-BC

21 Forensic Examination Report Report generated Thursday, March 08, 2018 Case generated Wednesday, February 28, 2018 Case number CF-BC Evidence numbers Martin-Ineichen-GOAA-Desktop.E01 Martin-Ineichen-GOAA-Desktop.E01

22 Cloud Services URLs Record 1 URL Date/Time - UTC-05:00 1/19/2018 8:49:09 AM Artifact ID 4b4ad36e42424c479ce3da9546e1905d Location Table: Container_2 (EntryId: 22282) Record 2 Tags Site Name URL Date/Time - UTC-05:00 Artifact Artifact ID Evidence Box goaa.box.com_folder_ futm-5fsource-3 Dtrans-26utm-5Fmedium-3D -26utm-5Fcampaign-3Dcollab-252Bauto-2520accept-2520user&d=DwMFaQ&c=- NtS L06WDZoKOqkhIdSxyw&r=MaxCn_9-BQUU1IvuvZBxx3slTYags06bPMZ9FjVfwhU&m=lIZctF8ksVQ60i6Dh09mvoB2mNo9SiST Y1Dm_wtMMs&s=fxY2jnm5EENJzj2Uh5UHJqBneqTYF_Nx6gZzkssQ5ys&e= 1/19/2018 8:49:09 AM Internet Explorer Main History 8da0e581aefb b6bfcd92c7c Location Table: Container_2 (EntryId: 22284) Record 3 URL Date/Time - UTC-05:00 1/19/2018 8:49:09 AM Artifact ID dc74bff2a3e04212bf740e99b269c813 Location Table: Container_2 (EntryId: 22281) Record 4 Tags Site Name URL Date/Time - UTC-05:00 Artifact Artifact ID Evidence Box 20accept%20user 1/19/2018 8:49:09 AM Internet Explorer Main History cf26dc6c4db14459b4059cb480a3a29d Location Table: Container_2 (EntryId: 22280) CF-BC Thursday, March 08,

23 Cloud Services URLs Record 5 URL Date/Time - UTC-05:00 1/19/2018 8:49:10 AM Artifact ID b4720ee fa1e757efbab4636a Location Table: Container_2 (EntryId: 22283) Record 6 URL Date/Time - UTC-05:00 1/19/2018 8:49:10 AM Artifact ID f39a439efd2c436a9cd112361d356b24 Location File Offset Record 7 URL Date/Time - UTC-05:00 1/19/2018 8:49:10 AM Artifact ID 1e da04d0383bee a2 Location Table: Container_11 (EntryId: 61713) Record 8 URL Date/Time - UTC-05:00 1/19/2018 8:49:26 AM Artifact ID c0206ac678044a628c8b9fd192a0e295 Location File Offset Record 9 Tags Site Name URL Evidence Box CF-BC Thursday, March 08,

24 Cloud Services URLs Date/Time - UTC-05:00 1/19/2018 8:49:26 AM Artifact ID a8ab1e8eb0d34e568e5ec116d0ef3499 Location Table: Container_11 (EntryId: 61715) Record 10 URL Date/Time - UTC-05:00 1/19/2018 8:49:26 AM Artifact ID a2ae395e496043a78a51120d03ee9baa Location Table: Container_2 (EntryId: 22285) Record 11 URL Date/Time - UTC-05:00 1/19/2018 8:49:44 AM Artifact ID 1e cd94a9e9d0829b59094ec20 Location Table: Container_11 (EntryId: 61716) Record 12 URL Date/Time - UTC-05:00 1/19/2018 8:49:47 AM Artifact ID 6888b13f14a84d32ad724472b160cd03 Location Table: Container_11 (EntryId: 61717) Record 13 URL Date/Time - UTC-05:00 1/19/2018 8:49:47 AM Artifact ID 83ba5913bf0e4e eb89ea6de35 CF-BC Thursday, March 08,

25 Cloud Services URLs Location Table: Container_2 (EntryId: 22286) Record 14 URL Date/Time - UTC-05:00 1/19/2018 8:49:47 AM Artifact ID 1023f6f538a648c88f9c80b0a773f73c Location File Offset Record 15 URL Date/Time - UTC-05:00 1/19/2018 8:51:40 AM Artifact ID 1fb0230b179d4a4fbc98ea dd3 Location File Offset Record 16 Tags Site Name URL Date/Time - UTC-05:00 Artifact Artifact ID Evidence Box IGVQstib9oZC6l4Nm63Zf0hSxysxBKVrSK55xAgFoGc98XemekoHY_2- CGu4Ewd7NAJmpO87VbD9B64s1fc89SA8Hjd36TOxWtkg BDI08gtcwMpIoA8D63fytzJIyq5N8ekNSoY-poEeeHHD4CHMCZQVDwhuXet-2B0uuDbNq8- C5oMD_1BnYndo87960EyWU9dRZjZJ 7dw0pes3WZr2enyVp62twQxX3r-LsvwPzXlo1PK83IrowKlCDZtM-Umj40Rvc6v3djps1feij5do4TP6JPt7E0UtjwQ2wlOgZRh FyEq8H6LOBclMGzrGtEs31g.. 1/19/2018 8:51:41 AM Internet Explorer Content 28bbb29f d82add781096c8cca Location File Offset Record 17 URL Date/Time - UTC-05:00 1/19/2018 8:51:42 AM Artifact ID ed651a97b5b54662be508370be4340c0 CF-BC Thursday, March 08,

26 Cloud Services URLs Location File Offset Record 18 URL Date/Time - UTC-05:00 1/19/2018 8:51:42 AM Artifact ID 61c59ebcd2af4b61b9a45a5f1dd3da98 Location File Offset Record 19 URL Date/Time - UTC-05:00 1/19/2018 8:51:42 AM Artifact ID 6bb4342f9a024ab59daf a6f76 Location File Offset Record 20 URL Date/Time - UTC-05:00 1/19/2018 8:51:50 AM Artifact ID 3c5b7d37cf6d4c489fc61f1466dea036 Location File Offset Record 21 URL Date/Time - UTC-05:00 1/19/2018 8:52:34 AM Artifact ID 92de57d74d0648aaa2e c0 Location Table: Container_11 (EntryId: 61721) Record 22 Tags Evidence CF-BC Thursday, March 08,

27 Cloud Services URLs URL Date/Time - UTC-05:00 1/19/2018 8:52:34 AM Artifact ID 16d6c2e8783c4b26a5353c078eb56467 Location File Offset Record 23 URL Date/Time - UTC-05:00 1/19/2018 8:52:34 AM Artifact ID f1fabc2b1bef49acbf8ca479d21ec964 Location Table: Container_2 (EntryId: 22290) Record 24 Tags Site Name URL Date/Time - UTC-05:00 Artifact Artifact ID Evidence Box hf536p3uh5ypnvgbe9lgjpq9hjgragk6rkhzh4xfwfpvucqip4btxx-hnsboevc3195cmmzyqyegver-fwkndhm61df6kjw3q8a _hawb8qgeciqaal2fzf_qrxhz_fuu6rva7oojaj7r_ue9uh1mawik58anmum3uciawoxxm6b216cnk1- qdxhjdsq6ehl3muutq_b GJxVPliYi5CIFFHk9w2hSi5oTZ rtotc18cm-mkcdblyvlm4e8mjkr-e0ryxefybb4ir2v2ttmc5-1gfhw3wkyx3rfalbeoiewf btbjd99_zhm0-pfsrju7r7w.. 1/19/2018 9:00:47 AM Internet Explorer Content e79e84973bce41e82b3e59ab6 Location File Offset Record 25 Tags Site Name URL Evidence Box gkhk- UYqqknBp5ikYmfLaimfAh32iONpGQrqtUYfZ787EgaTZ4fG1mG1AswK1WGNvd51HTGdRP_3HyfHVA7HASgT7KHxToSGDZJZ AgFFLu6PbMe0S8Oj7nKWiwmrl6f_zKIy-iOuZVw1jjaXw1yq1o5poYT6isJhiYLGdS51n_GmfLLaCPwMrrqUhFYLdqfS2obvhEw o_d8teufgfneuz8gqcrv0k7i0mlowy86pprfwcya64npukujytdxlpk_o92n11ykzokibszu3zki69kqvfxggkquzffowi7fjoei Date/Time - UTC-05:00 Artifact Artifact ID HrGOE-18PeX1DxoHyDvY-Pg.. 1/19/2018 9:00:56 AM Internet Explorer Content 4ffb7018adc54c109c6be601c77c4bd6 CF-BC Thursday, March 08,

28 Cloud Services URLs Location File Offset Record 26 Tags Site Name URL Date/Time - UTC-05:00 Artifact Artifact ID Evidence Box 2-bkYwJ29UY35Poe0ph1yHqcTidfAL4XCIU-yaSk2NmxhRDMG9YKqad5FLlYS73LzSsjKm-jq4P61FXZYKmceJOxC99- vwjjtgfa zfghxn-3t3zc1yljgll4k1slcuasc-ivd6t8utnum4mg4mxe- GZApyDPOUNWIWCQAgvHs7WJr0ahx28cA46uwUN3fuBi68USU1MW LN03b5-6cQgjZfpO4tvrOb7Qvvi_z2RTv8d3hpK4MHdWvfFBQr3yLIFT7A5YNiFU_Kq5aCSIqVuxJ84ZdZmcPqB3XEUlRyu0bNl 7IWkwrNHEdKqcXpun7wtX2w.. 1/19/2018 9:02:49 AM Internet Explorer Content e397580cd11b47b38ab3660b014b56a9 Location File Offset Record 27 URL Date/Time - UTC-05:00 1/19/2018 9:02:55 AM Artifact ID 85947d0d27d24ef2a8810b62ee6a0d3d Location File Offset Record 28 URL Date/Time - UTC-05:00 1/19/2018 9:02:55 AM Artifact ID e814440ccb68ad5eefe80c415 Location File Offset Record 29 Tags Site Name URL Date/Time - UTC-05:00 Artifact Artifact ID Evidence Box 1/19/ :47:27 PM Internet Explorer Main History b03b58af1d3f d8c506c4 CF-BC Thursday, March 08,

29 Cloud Services URLs Location Table: Container_11 (EntryId: 61782) Record 30 URL Date/Time - UTC-05:00 1/19/ :47:28 PM Artifact ID ea2d09c5f d170bb34bd21 Location Table: Container_2 (EntryId: 22323) Record 31 Tags Site Name URL Date/Time - UTC-05:00 Artifact Artifact ID Evidence Box goaa.app.box.com_files_ _mineichen-40goaa.o rg_0_f_ _1_f-5f &d=dwmfaq&c=-ntsl06wdzokoqkhidsxyw&r=maxcn_9- BQUU1IvuvZBxx3slTY ags06bpmz9fjvfwhu&m=e-hpilq- NzS1InOU9Sd7HdB5xPXq06svfIBm8qLyG6I&s=p8HkDueN3DIy7a1VgPZ1Nit8hCxwpQKfQD g6uag5wdo&e= 1/19/ :47:28 PM Internet Explorer Main History b0301ae651774ec19d25e Location Table: Container_2 (EntryId: 22325) Record 32 URL Date/Time - UTC-05:00 1/19/ :47:29 PM Artifact ID da1c796b77ea41c98fc8c a78 Location Table: Container_2 (EntryId: 22324) Record 33 Tags Site Name URL Date/Time - UTC-05:00 Artifact Artifact ID Evidence Box 1/19/ :47:29 PM Internet Explorer Main History 30abbe7ae23e401f9a760f77f0cb7c9f CF-BC Thursday, March 08,

30 Cloud Services URLs Location Table: Container_11 (EntryId: 61783) Record 34 Tags Site Name URL Date/Time - UTC-05:00 Artifact Artifact ID Record 35 Evidence Box goaa.app.box.com_link_-3flp-3dhunhpsraila767pe- 5FCwE5pgC6x5gq1E6VMkiWwjiXubV1Y7eeZGVP2taXP5yj2zV6RU- 2DFTCqaNWgFIc22O662tds70E7bBsf2VrbJJgWARNTasznL t5jmpnxqrnmccjqx-5fwzvguf1ccglf-5fwuykd5ysmc8wpknspmdtf0soakresztk2nlrfrehs25uunjn- 5FIwub6svTZXRcDFt -2DYBgZszT15mHxb-5FWvTPKlLIV40fuPkaTwj1ChpKk3oWZ3-5F3VZ7I2PR1UmNCYgrzDnzrv1MvqDrdps5TKUWsiXW54itU5rI L5GbkrkFRDrAlnW4EUle8viv-2DwfcYUrMU-2DhDspPENcl-2Dx-5F9DssBhiCxB6MSl90k2xrHTBUQZe-2DpmR1Elg- 2DFzcd7d No.-26a-3Dclick-26tt-3DViewAllUpdates-26ru-3DaDrH5e2VUbEBN-5Fj-2D3w-5FlA8xldGyISSxxDO9tGLGUmlCL9aTP7 e5uxwsjyhncfosvpamj7m- 2D9SyEaMBrW7bcCj1ATrwX37HQpmWRBlEHQtQzKX8CZPc5HKMLDuEeueyP2tuli0XPw&d=DwMFaQ&c =-NtSL06WDZoKOqkhIdSxyw&r=MaxCn_9-BQUU1IvuvZBxx3slTYags06bPMZ9FjVfwhU&m=e-hpIlQ- NzS1InOU9Sd7HdB5xPXq 06svfIBm8qLyG6I&s=P9eu8hcWyA3rb4QYeDagK6cBBs7CFrVjlxA4IeCcRNA&e= 1/19/ :48:28 PM Internet Explorer Main History 3fcb98dfa2a843e2b2ec404ba720014d Location Table: Container_2 (EntryId: 22289) Tags Site Name URL Date/Time - UTC-05:00 Artifact Artifact ID Evidence Box goaa.app.box.com_link_-3flp-3dhunhpsraila767pe- 5FCwE5pgC6x5gq1E6VMkiWwjiXubV1Y7eeZGVP2taXP5yj2zV6RU- 2DFTCqaNWgFIc22O662tds70E7bBsf2VrbJJgWARNTasznL t5jmpnxqrnmccjqx-5fwzvguf1ccglf-5fwuykd5ysmc8wpknspmdtf0soakresztk2nlrfrehs25uunjn- 5FIwub6svTZXRcDFt -2DYBgZszT15mHxb-5FWvTPKlLIV40fuPkaTwj1ChpKk3oWZ3-5F3VZ7I2PR1UmNCYgrzDnzrv1MvqDrdps5TKUWsiXW54itU5rI L5GbkrkFRDrAlnW4EUle8viv-2DwfcYUrMU-2DhDspPENcl-2Dx-5F9DssBhiCxB6MSl90k2xrHTBUQZe-2DpmR1Elg- 2DFzcd7d No.-26a-3Dclick-26tt-3DViewAllUpdates-26ru-3DaDrH5e2VUbEBN-5Fj-2D3w-5FlA8xldGyISSxxDO9tGLGUmlCL9aTP7 e5uxwsjyhncfosvpamj7m- 2D9SyEaMBrW7bcCj1ATrwX37HQpmWRBlEHQtQzKX8CZPc5HKMLDuEeueyP2tuli0XPw&d=DwMFaQ&c =-NtSL06WDZoKOqkhIdSxyw&r=MaxCn_9-BQUU1IvuvZBxx3slTYags06bPMZ9FjVfwhU&m=e-hpIlQ- NzS1InOU9Sd7HdB5xPXq 06svfIBm8qLyG6I&s=P9eu8hcWyA3rb4QYeDagK6cBBs7CFrVjlxA4IeCcRNA&e= 1/19/ :48:28 PM Internet Explorer Main History 8afdc a5817e59a25cab2696 Location Table: Container_11 (EntryId: 61720) Record 36 Tags Evidence CF-BC Thursday, March 08,

31 Cloud Services URLs Site Name URL Box U- FTCqaNWgFIc22O662tds70E7bBsf2VrbJJgWARNTasznLt5jmpNxqrNmccjQx_wZVguF1CCGlf_WUyKd5Ysmc8wpKnSPMDtF0s Date/Time - UTC-05:00 Artifact Artifact ID OakresZTK2NLrfREhS25UUnjn_Iwub6svTZXRcDFt- YBgZszT15mHxb_WvTPKlLIV40fuPkaTwj1ChpKk3oWZ3_3VZ7I2PR1UmNC YgrzDnzrv1MvqDrdps5TKUWsiXW54itU5rIL5GbkrkFRDrAlnW4EUle8viv-wfcYUrMU-hDspPENclx_9DssBhiCxB6MSl90k2x rhtbuqze-pmr1elg-fzcd7dno.&a=click&tt=viewallupdates&ru=adrh5e2vubebn_j- 3w_lA8xldGyISSxxDO9tGLGUmlCL 9aTP7e5UXwsjYhNcFOsVpAMj7M- 9SyEaMBrW7bcCj1ATrwX37HQpmWRBlEHQtQzKX8CZPc5HKMLDuEeueyP2tuli0XPw 1/19/ :48:28 PM Internet Explorer Main History 195e6740dd314d8da217f23cfce988dc Location Table: Container_2 (EntryId: 22287) Record 37 URL Date/Time - UTC-05:00 1/19/ :48:32 PM Artifact ID 9bdb8626fe97497c80f1b01a304682e2 Location Table: Container_11 (EntryId: 61719) Record 38 URL Date/Time - UTC-05:00 1/19/ :48:32 PM Artifact ID ea07000ab56e494dba477457d5dd9da3 Location File Offset Record 39 URL Date/Time - UTC-05:00 1/19/ :48:32 PM Artifact ID 232a1cba91db426a834c5b43704ea1fd Location Table: Container_2 (EntryId: 22288) CF-BC Thursday, March 08,

32 Cloud Services URLs Record 40 URL Date/Time - UTC-05:00 1/19/ :48:32 PM Artifact ID 7e0bb85af08e4e109127c65b36391ac5 Location File Offset Record 41 URL Date/Time - UTC-05:00 1/19/ :48:32 PM Artifact ID 18388f1b87b94ddcac1cfe3ef78fa6d8 Location File Offset Record 42 URL Date/Time - UTC-05:00 1/19/ :48:32 PM Artifact ID ce2afbe93c8b4ef2b8d93e64c85bb676 Location File Offset Record 43 URL Date/Time - UTC-05:00 1/19/ :48:33 PM Artifact ID b7f354b098a34de8b1c6ff8c4ad4c085 Location File Offset Record 44 Tags Site Name URL Evidence Box CF-BC Thursday, March 08,

33 Cloud Services URLs Date/Time - UTC-05:00 1/19/ :48:33 PM Artifact ID c27a3991f5c74875b397c5e23f Location File Offset Record 45 URL Date/Time - UTC-05:00 1/19/ :48:33 PM Artifact ID c07327cc2d2c420eabeeb4c4bc7f661a Location File Offset Record 46 URL Date/Time - UTC-05:00 1/19/ :48:33 PM Artifact ID b2cf4f12560e46e7945bd8013a9bdaec Location File Offset Record 47 URL Date/Time - UTC-05:00 1/19/ :48:33 PM Artifact ID eb0f0aa97ec34b6fa30ca dd8 Location File Offset Record 48 URL Date/Time - UTC-05:00 1/19/ :48:33 PM Artifact ID 970ca215a78c4c85b3864f7542e0f7d1 CF-BC Thursday, March 08,

34 Cloud Services URLs Location File Offset Record 49 URL Date/Time - UTC-05:00 1/19/ :48:33 PM Artifact ID 52fb391a697e4683bbf6c b76e Location File Offset Record 50 URL Date/Time - UTC-05:00 1/19/ :48:38 PM Artifact ID 1ffbc5e9a5c b3dfcdb0fd5491 Location File Offset Record 51 URL Date/Time - UTC-05:00 1/19/ :48:38 PM Artifact ID b214667af63e0d782cff153 Location File Offset Record 52 URL Date/Time - UTC-05:00 1/19/ :48:38 PM Artifact ID aa4689d14f b641bb65f5054 Location File Offset Record 53 Tags Evidence CF-BC Thursday, March 08,

35 Cloud Services URLs URL Date/Time - UTC-05:00 1/19/ :48:38 PM Artifact ID cd0d6feeb6b8420c95a41ce8fdb37f22 Location File Offset Record 54 URL Date/Time - UTC-05:00 1/19/ :48:38 PM Artifact ID 4c629638cc4a492ca0c8dd5486ad41ad Location File Offset Record 55 URL Date/Time - UTC-05:00 1/19/ :48:40 PM Artifact ID e414e09a88484d969e950ec06038e669 Location File Offset Record 56 URL Date/Time - UTC-05:00 1/19/ :48:44 PM Artifact ID bca545bea68d3964ab Location Table: Container_11 (EntryId: 61785) Record 57 Tags Site Name URL Date/Time - UTC-05:00 Artifact Artifact ID Evidence Box 1/19/ :48:44 PM Internet Explorer Main History 49c518621ce8456e80a d1232 CF-BC Thursday, March 08,

36 Cloud Services URLs Location Table: Container_2 (EntryId: 22326) Record 58 URL :Host: goaa.account.box.com Date/Time - Local Time 1/19/2018 3:49:10 AM (yyyy-mm-dd) Artifact Internet Explorer Daily/Weekly History Artifact ID f4f32f3be055482b8fb945d8b30db39e Location Table: Container_1267 (EntryId: 139) Record 59 URL Date/Time - Local Time 1/19/2018 7:47:29 AM (yyyy-mm-dd) Artifact Internet Explorer Daily/Weekly History Artifact ID 11c0de4630f04294b00bba9c92e8ceca Location Table: Container_1267 (EntryId: 58) Record 60 URL Date/Time - Local Time 1/19/2018 3:49:10 AM (yyyy-mm-dd) Artifact Internet Explorer Daily/Weekly History Artifact ID 1607e8463fc94dec8c754300c02722d2 Location Table: Container_1267 (EntryId: 7) Record 61 URL Date/Time - Local Time 1/19/2018 7:48:32 AM (yyyy-mm-dd) Artifact Internet Explorer Daily/Weekly History Artifact ID 1e7b04916ca44f368424ffb Location File Offset Record 62 CF-BC Thursday, March 08,

37 Cloud Services URLs URL Date/Time - Local Time 1/19/2018 3:49:26 AM (yyyy-mm-dd) Artifact Internet Explorer Daily/Weekly History Artifact ID d0a56f866de241f086af355a8343c17c Location Table: Container_1267 (EntryId: 8) Record 63 URL :Host: goaa.app.box.com Date/Time - Local Time 1/19/2018 3:49:47 AM (yyyy-mm-dd) Artifact Internet Explorer Daily/Weekly History Artifact ID 4de94db6649f42b498895fa35f15ee00 Location Table: Container_1267 (EntryId: 17) Record 64 URL Date/Time - Local Time 1/19/2018 3:52:34 AM (yyyy-mm-dd) Artifact Internet Explorer Daily/Weekly History Artifact ID eeb299845ae44934afbcaff99a3fc805 Location Table: Container_1267 (EntryId: 59) Record 65 URL Date/Time - Local Time 1/19/2018 7:48:44 AM (yyyy-mm-dd) Artifact Internet Explorer Daily/Weekly History Artifact ID 353c317c1eb447489ff2fc75fded1886 Location Table: Container_1267 (EntryId: 61) Record 66 Tags Site Name URL Date/Time - Local Time (yyyy-mm-dd) Evidence Box 1/19/2018 3:49:47 AM CF-BC Thursday, March 08,

38 Cloud Services URLs Artifact Internet Explorer Daily/Weekly History Artifact ID fa5fd20eec5041e681e78e4226d89a94 Location Table: Container_1267 (EntryId: 60) Record 67 URL Date/Time - Local Time 1/19/2018 7:48:32 AM (yyyy-mm-dd) Artifact Internet Explorer Daily/Weekly History Artifact ID 5de440cc66ec4c1b8235a4bc12147bbd Location Table: Container_1267 (EntryId: 57) CF-BC Thursday, March 08,