Slide 1: Computer Forensics Report
Counter Terrorism Crime Scene Investigation
Lead Inspector Jean-Marc Verkempinck
Inspector Matt Schmidt
Inspector Alan Martin
Slide 2: Tools
Access Data Forensics Toolkit
Guidance Software EnCase
Digital Detective NetAnalysis
Paraben Write Blockers
Slide 3: Access Data Forensics Toolkit
Version 1.43
A certified forensic tool
Used by Law Enforcement
Full text indexing by dtSearch
Filtering and searching
Uses Stellent's Outside In Viewer Technology to search over 270 file formats
Supports NTFS, NTFS compressed, FAT 12/16/32, and Linux ext2 & ext3 file formats
Locates and flags known file system formats
Slide 4: Forensics Toolkit Imager
Program used to acquire (image) hard drives for two desktop computers
Can create multiple images from one source
Can generate DD, Smart and EnCase case formats
Able to read several other formats
Slide 5: Guidance Software EnCase
Version 4.22a
A certified forensic tool
Used by Law Enforcement
Full text indexing
Filtering and searching
LinEn EnCase imaging tool
EnCase Linux acquisition tool
Used to acquire (image) hard drive of one laptop computer
Slide 6: Digital Detective NetAnalysis
Version 1.36.0123
Used primarily for Internet history, email, online passwords, and search history
Slide 7: NetAnalysis
Powerful filtering and searching
Filter by type of history file, e.g. password, searching, pictures
Can view date of access, full path in file, full URL and more
Does MD5 hash of history file
Works on Windows and Mac
IE, Mozilla, Netscape, Safari and Opera
Slide 8: Paraben Write Blocker
Allows evidence to be acquired without writing to evidence drive
Maintains evidentiary integrity
Evidence drive connection by either 40 or 80 pin IDE desktop, or converter for 44 pin laptop drive
[Diagram: Evidence Drive, Paraben Write Blocker, Forensic Workstation]
Slide 9: Preparation
Zeroed out storage drives that later held images of suspects’ drives
Used:
Linux command
dd if=/dev/zero of=/dev/sda1
Macintosh Disk Utility to place FAT32 file system on storage drive
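The preparation step above, extended with the verification a lab would run before trusting the storage drive and the acquired image; this is an added example, not part of the original presentation. Regular files stand in for block devices, SHA-256 is used where the slides mention MD5, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the slides). Regular files stand in for block
# devices so it runs without root; all function names are hypothetical.

# wipe_target PATH KIB: overwrite the first KIB kibibytes of PATH with zeros.
wipe_target() {
    dd if=/dev/zero of="$1" bs=1024 count="$2" conv=notrunc 2>/dev/null
}

# is_zeroed PATH: succeed only if PATH is non-empty and every byte is 0x00.
is_zeroed() {
    [ -s "$1" ] || return 1
    nonzero=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# hash_of PATH: print the SHA-256 digest of PATH.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire SRC DST: image SRC into DST; succeed only if both digests match.
acquire() {
    dd if="$1" of="$2" bs=1024 2>/dev/null || return 1
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

demo() {
    work=$(mktemp -d) || return 1
    # Constructed sample data: a previously used 64 KiB storage stand-in
    # and a small evidence stand-in.
    dd if=/dev/urandom of="$work/storage.img" bs=1024 count=64 2>/dev/null
    printf 'constructed evidence bytes\n' > "$work/evidence.img"

    is_zeroed "$work/storage.img" || echo "storage holds old data: wipe needed"
    wipe_target "$work/storage.img" 64
    is_zeroed "$work/storage.img" && echo "storage verified sterile"

    before=$(hash_of "$work/evidence.img")
    acquire "$work/evidence.img" "$work/evidence.dd" && echo "image verified: $before"
    [ "$(hash_of "$work/evidence.img")" = "$before" ] && echo "source unchanged"
    rm -rf "$work"
}

demo
```

On a real disk, `of=/dev/sda1` as written on the slide zeroes only the first partition; the partition table and any other partitions on `/dev/sda` are left untouched.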
Slide 10: Evidence Found on Computer 063
Analyzed by Inspector S.
Belonged to Null Nolan?
Set of weather graphs containing information possibly linked to document on how to launch short range missiles
Document contained calculations on launching angles and other specifications of a missile launch
Slide 11: Evidence Found on 063 (continued)
Pictures in a folder labeled Target
Contained images of Qwest, AFN and a Qwest building in Talent
Froogle searches for “fertilizer good price ammonium nitrate” and “fertilizer good price”
A picture and Google search hit for Plutonium
Slide 12: Photos Found on 063
Qwest building in Ashland
Slide 13: Photos Found on 063
Ashland Fiber Network satellite
Slide 14: Photos Found on 063
Qwest building in Talent
Inspector S. enlarged and enhanced to see that this says Qwest
Slide 15: Evidence Found on 063 (continued)
A letter from Null in MS Word format as follows:
To Mom, Dad, Sarah, Tiffany, baby, friends, relatives, etc. It’s possible I will become a martyr to my cause (fighting for the working man!) If this happens, please know that you will see me in heaven. I am not sad. I am happy. I have found my niche. I’m powerful. I believe in what I’m doing. I’m not depressed. I don’t need medication. I just like to blow things up for the CAUSE. If I die, I will die happy. Love to all of you. Null
Slide 16: Evidence Found on Computer 064
Analyzed by Lead Inspector V.
Belonged to Bill Billings?
Letter: Date created and saved: 10/30/2006 3:19:00 PM with MS WORD
Dear Mom and Dad, I don’t plan to die in our operation but if I do, please know that I love you and I never meant to hurt anyone. It’s just buildings we want to destroy but you never know with these sorts of things. We were born to die, right? I’m on this planet to make a difference and the difference I want to make is getting attention to the plight of the workers. I failed in Iraq to make a difference. The terrorists are still going to get us. But I’m smarter than they are and can make explosives better than anyone on this planet! Qwest and AFN messed with us just one too many times. Sheriff Winters doesn’t know what he’s doing but we’ll give him something good to investigate now. Power to the People! Say bye to grandma Love, Billy Boy
Slide 17: Evidence Found on 064 (continued)
Document of Meeting Ideas: Date created and saved: 10/6/2006 3:14:00 PM
Ideas for meeting Be sure to tell Null and Mooney about The Terrorist Handbook available online... Mostly has stuff about creating bombs with household stuff from your kitchen! Can we get C4? How about RDX? Is C4 too hard to set off? We can get ANFO, easy to get, easy to set off. ANFO stands for ammonium nitrate fuel oil. Fuel can be diesel fuel, kerosene, even molasses! Um, I’m hungry for some molasses cookies. Maybe we can get Tiffany to make us some cookies. Heh heh. Explosives need nitrogen. (and so on)
Slide 18: Evidence Found on 064 (continued)
Document: Explosive Mixtures: Date created and saved: 10/6/2006 3:40:00 PM
1)Potassium perchlorate and cane sugar 2)Sodium nitrate and sulphur flour 3)Potassium bichromate and Antimony sulfide 4)Guanidine nitrate and powdered antimony 5)Potassium permanganate and powdered sugar
6)Barium chlorate and paraffin wax 7)Sodium chlorite and aluminum powder(not sure about this one) 8)Magnesium perchlorate and cane sugar 9)Ammonium nitrate (more than 40%pure) and gasoline(VERY POWERFUL) 10)Sodium peroxide and flowers of sulphur
Slide 19: Evidence Found on Computer 062 (Laptop)
Analyzed by Inspector M.
Belonged to Mooney Money?
Various saved web pages
How to hack a voting machine in 4 minutes
Manufacturing methamphetamine
How to acquire explosives
Default password list for routers and other devices
Slide 20: Evidence Found on 062 (continued)
Various JPG images
Targets around Medford, Ashland, and Talent
IED cell phone activator
Images of various explosives including C4, TNT, RDX, Tetryl, Picric Acid
Slide 21: Evidence Found on 062 (continued)
Cached web sites
Websites related to socialism, Communications Workers of America
Google search terms: Semtex, meth manufacture, C4 explosive, cell phone explosives, sexy military desktop pictures
Suspects seemed to have their own websites
140.211.102.199
http://www.myspace.com/momoney31
Slide 22: Cell Phone
Analyzed by Inspector V.
Belonged to Mooney Money?
Email and text messages
Boris/ The chair is against the wall
Meet at the stadium on election day
AFN will be lit!
Hi Professor Ackler
Slide 23: Cell Phone (continued)
To do list
Buy some pseud. (Pseudoephedrine?)
Meet the boys
Phone book
Four different female phone numbers
Null, Bill
Slide 24: Cell Phone (continued)
Phone calls
Null Nolan
SOU main number
Great American Pizza
Ashland Hardware
Slide 25: Emails
Suspects had SOU email accounts
Investigation underway
Preliminary results
Set up on September 1st, 2006
null41, bill25, moon62
Email threads
Info about their websites
Qwest and AFN port scans
Null Nolan on 11/07/06: “Where are you? I need to talk to you!”
Slide 26: Conclusions
Mooney Money was a player (both sides)
Interest in meth manufacturing
They were researching launching missiles, cell phone explosives, making explosives
They were researching voter fraud and hacking
They were plotting to blow up Qwest and AFN buildings on election day