DIGITAL FORENSIC ANALYSIS REPORT: THE CASE OF ALEX VS. THE UNITED STATES

1.0 Introduction

Digital forensic investigation, as a branch of forensic science, has grown significantly in the last couple of years due to the increase in cybercrimes that has accompanied technological advancement. This discipline focuses on the identification, acquisition, processing, analysis, and reporting of data stored on electronic devices. Digital forensics has been identified as a crucial branch of forensics that will determine the future success of organizations (Harbawi and Varol, 2016). Many organizations have faced serious ramifications due to hacking, which has led to massive losses of financial resources. In the contemporary world, many criminals have resorted to performing their crimes online or planning their crimes through the aid of technological devices like mobile phones, computers, and the internet. Therefore, this discipline has grown with the aim of sorting out these issues. In order to perform digital forensic analysis, one must have the necessary academic qualifications, skills, and experience, which include using various tools for digital forensic investigation (Grobler et al., 2010). Therefore, the investigation is carried out by a team of specialists and experts who are familiar with the process and the digital devices being investigated, so as to properly explore the facts and evidence related to the specific cybercrime.

Digital forensic investigation has become a major part of the modern legal system. The increase in cybercrimes has made it necessary for officers to be aware of this development in order to combat crime. However, this requires a legal background in order to ensure that the process adheres to legal standards and requirements. Having a legal background is important as part of legal digital forensic analysis, as it ensures that the digital evidence collected during a forensic investigation is admissible in a court of law (Grobler et al., 2010). This was a consideration in the present case, which involves allegations of crime against the United States. This case involves Alex, who is a businessman with Krasnovian ties. It is alleged that Alex had contacted Carry through her father, whom she needed to facilitate an attack at the National Gallery of the United States. Carry is then believed to have contacted her friend Tracy, who works at the National Gallery, requesting key information that would help them to organize the attack and deface the government of the UK. This case was brought to me as the officer on duty, with the need to carry out a forensic investigation of the exhibits that were collected. The exhibits comprise electronic devices such as phones, tablets, and the personal computers of the suspects that are believed to have been used in the communication processes. This digital forensic investigation, therefore, aimed at establishing whether there was indeed malicious communication between the suspects planning to deface the United States government by attacking the National Gallery.

2.0 Qualifications and Experience

Digital forensic investigation is a complex field that requires high levels of qualification and experience to ensure the validity and reliability of the evidence provided. In addition, the officers carrying out the investigation must do so with the highest level of professional and ethical conduct, following the standards of the industry and of the legal field, for the evidence to be admissible in a court of law (Marshall, 2010). Notably, I have a bachelor’s degree in cybersecurity, in accordance with the educational requirements in the United Kingdom (UK). In addition to the basic education, I also hold the Certified Information Systems Security Professional (CISSP) and Certified Digital Forensics Examiner (CDFE) certifications for forensic analysis. Such specialized training has become imperative in the field of digital forensic investigation, given the changing technologies and tools that are needed to handle even more complex digital crimes. As technology advances, criminals increasingly exploit digital platforms for illicit activities, ranging from financial fraud to cyber terrorism, hence the need for properly qualified officers to unravel the crimes.

In addition to the academic qualifications, I have also gained relevant experiences as an officer in charge of the cybercrimes. As an officer, I have gained hands-on experience in conducting digital investigations, analyzing evidence, and using various forensic tools. It should be noted that many professionals in this field gain experience through internships, entry-level positions, or by working on real-world cases (Jahankhani and Hosseinian-far, 2014). Personally, I have engaged in these practical experiences, and also collaborated with other cybersecurity professionals to identify vulnerabilities in systems, recommend security measures, and stay ahead of emerging threats. This expertise is essential in creating a robust cybersecurity framework to safeguard sensitive information and critical infrastructure.

3.0 Summary of Case and Tasking

The events under investigation in this case took place at the National Gallery of the United States in 2012. The case involves Alex, a wealthy Krasnovian businessman who had ties with Carry, a Krasnovian supporter in the US. Alex was alleged to have intended to embarrass the United States and damage its public relations by defacing foreign art at the National Gallery. This was planned to be executed in July, when the artworks were to be displayed. The activity was to be carried out by allowing Krasnovian militants disguised as tourists to get into the museum with tools to damage the artwork. Since Carry was acquainted with Tracy, who works at the museum, Carry started to communicate with Tracy, asking her to help organize a flash mob, for which Carry was to transfer money to Tracy. The financial problems that Tracy was facing, and the fact that the information did not look suspicious, compelled Tracy to accept the offer. In addition, Tracy has been in contact with her brother, with whom she has been planning to steal some items from the National Gallery. All these conversations took place mainly via email to reduce suspicion. It is also important to point out that Carry is tech-savvy and aware of tracking, and hence sought to hide the communication by encrypting all the email communications. However, Joe, who is Tracy’s ex-husband, had installed a keylogger on Tracy’s computers; he then discovered the malicious communications and turned them over to the police. Various exhibits, as discussed below, were collected, and these form the basis for this investigation.

4.0 Statement of Compliance

As the forensic officer in charge of this investigation, I can affirm that the investigation and preparation of this report was carried out with great care to ensure strict compliance with industry requirements and legal standards, especially during the preservation stage of digital forensic investigations. One of the fundamental legal compliance requirements that I diligently upheld during the investigation process was the establishment and maintenance of a secure and unbroken chain of custody for all the digital evidence provided. This involved documentation of every step taken from the identification of evidence through its collection, storage, and analysis (Granja and Rafael, 2017). By ensuring a sound chain of custody of the evidence, I guarantee the integrity of the digital evidence and its admissibility in a court of law.

In addition, I acknowledge that privacy laws and regulations are of utmost importance in digital forensic investigation for legal proceedings. Therefore, throughout the process I was committed to complying with all the laws and regulations from the evidence collection to the report preparation stage. Importantly, I followed the General Data Protection Regulation (GDPR) in the European Union and the Data Protection Act in the United Kingdom, to ensure that all necessary permissions were obtained, and the investigation was conducted within the bounds of legal privacy frameworks. To fulfill this legal requirement, I exercised discretion in data collection, ensuring that only information directly relevant to the investigation was preserved. Therefore, in my role as the forensic investigation officer in charge, I can affirm my dedication to maintaining the highest standards of professionalism and ethical conduct for credible and reliable findings that are a true reflection of the events that occurred.
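The chain-of-custody documentation described in this section can be made tamper-evident by linking each handling record to the one before it. The following is an added illustration, not a procedure or tool used in this report; the handler names, timestamps, and stand-in image bytes are constructed, and the function names are hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first record in a log


def entry_digest(body: dict) -> str:
    """SHA-256 over canonical JSON, so identical fields always hash the same."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(log, when, handler, action, exhibit, evidence_sha256):
    """Record one handling step, bound to the previous record by its hash."""
    body = {
        "when": when,
        "handler": handler,
        "action": action,
        "exhibit": exhibit,
        "evidence_sha256": evidence_sha256,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    log.append(dict(body, entry_hash=entry_digest(body)))
    return log[-1]


def verify_log(log):
    """Return a list of problems; an empty list means the chain is intact."""
    problems, prev, first_seen = [], GENESIS, {}
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry_digest(body) != entry["entry_hash"]:
            problems.append(f"entry {i}: fields altered after recording")
        # The image hash taken at acquisition must not change at later steps.
        baseline = first_seen.setdefault(entry["exhibit"], entry["evidence_sha256"])
        if entry["evidence_sha256"] != baseline:
            problems.append(f"entry {i}: evidence hash differs from acquisition")
        prev = entry["entry_hash"]
    return problems


def build_sample_log():
    """Constructed three-step log for one exhibit (all values are samples)."""
    image = b"constructed stand-in for the bytes of a disk image"
    digest = hashlib.sha256(image).hexdigest()
    exhibit = "tracy-external-2012-07-16-final.E01"
    log = []
    append_entry(log, "2012-07-16T09:00:00Z", "Officer A", "acquired", exhibit, digest)
    append_entry(log, "2012-07-16T11:30:00Z", "Officer B", "stored", exhibit, digest)
    append_entry(log, "2012-07-17T08:15:00Z", "Officer A", "analysed", exhibit, digest)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log:", verify_log(log))
    log[1]["handler"] = "unknown"  # simulate an edit made after the fact
    print("edited log:", verify_log(log))
```

Editing a record without recomputing its hash is caught at that record; recomputing the hash to cover the edit breaks the link stored in the next record instead.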

5.0 Forensic Examination

5.1 Computer Investigation Model

Over the years, a number of investigation models have been developed and proposed by different authors to guide digital forensic officers in developing a standard investigation process. Some of these models are specific to particular scenarios, while others are more general and can be applied in a wider scope. However, all the models cover the basic stages of forensic investigation, which include collection of the evidence, examination of the evidence, analysis, and reporting of the findings (Yusoff et al., 2011). In this forensic investigation, the Systematic Digital Forensic Investigation Model (SRDFIM) was chosen. This model has been widely applied in organizations due to its detailed procedure, which allows the investigation process to be carried out in a systematic manner (Agarwal et al., 2011). It is mostly used when analyzing cybercrimes and computer frauds. In this model, the investigation process is divided into four tiers, with each tier having different stages and activities that must be carried out, which take place iteratively. The first tier is the preparation and takes place over the course of the investigation from the assessment to the presentation stage (Agarwal et al., 2011). This tier has four major rules of preparation, identification, authorization, and communication. The second tier consists of collection, preservation, and documentation of the evidence. In the third tier, the activities that are detailed include examination of the evidence, exploratory testing, and analysis. The fourth and last tier is the presentation phase, which involves result presentation, review, and reporting (Agarwal et al., 2011). This model was chosen due to its emphasis on interaction, as the investigator should be in consistent interaction with all the resources needed to carry out the investigation.

5.2 Exhibits

Different types of exhibits were examined in this digital forensic investigation to come up with the evidence used to make conclusions as presented and analyzed below.

1. Carry’s phone

2. Carry’s tablet

3. Email messages generated from the spyware

4. Tracy’s phone

5. Tracy’s home computer

6. Tracy’s external hard drive

5.3 Tools Used: Magnet AXIOM

Numerous tools have been developed to aid digital forensic examination of the evidence presented. All these tools have their advantages and disadvantages, which an investigating officer must be aware of when choosing the tools to use in a particular investigation. In this evidence analysis, Magnet AXIOM was used. This is a comprehensive digital forensics tool that has been designed to aid investigators in collecting, analyzing, and reporting digital evidence from various sources, such as computers, smartphones, and cloud services (Leonardo and Indrayani, 2021). Magnet AXIOM has gained a lot of prominence in digital forensic investigation since, despite its advanced capabilities, it has a user-friendly interface, which makes it simple and effective for investigating officers. One significant aspect of Magnet AXIOM is its ability to perform a holistic examination of digital artifacts (Leonardo and Indrayani, 2021). This tool has been used to support the acquisition and analysis of data from various sources such as computers, mobile devices, and cloud services, and has the capabilities to recover deleted files, analyze internet activities, and decode various file formats. Therefore, it helps investigators to reconstruct digital timelines and uncover decrypted and hidden information.

5.4 Evidence and Analysis

5.4.1 Email conversation

The advancement of the technologies that help investigators to properly conduct an investigation has also led criminals to advance their ways of committing crimes. It should be noted that the planning stage involves some form of communication, especially when the crime is committed by multiple parties (Stalans and Finn, 2016). However, criminals try as much as possible to make these communications anonymous to protect their identity. Therefore, criminals have increasingly used encrypted channels in their communication, like Telegram and email. In a forensic investigation, analysis of the suspects’ emails is important, as email is the most likely way that they exchanged information about the crime (Brown, 2015). In the present case, an analysis of email was conducted as one of the forms of evidence sought between the suspects. It was noted that Tracy had been in communication with Carry as they planned the crime at the National Gallery. The analysis of the emails revealed that, indeed, Tracy was in communication with Carry.

Specifically, the analysis of tracy-external-2012-07-16-final.E01 revealed that, on 06/07/2012 15:49:31, Carry, using her email account Pat TeeSumTwelve (patsumtwelve@gmail.com), wrote to Tracy at throne1966@hotmail.com and copied the same email (CC) to coralbluetwo@hotmail.com. This was the first email where she explained the plan to conduct a heist at the National Gallery. The communication between the two, as shown in the evidence below, shows that the two were using email accounts that did not display their names. Using an email account other than the official one is a way that criminals hide their identity (Brown, 2015). In most cases, an anonymous email raises less suspicion, and the two knew this. This might suggest that the two were concealing something in their communication. From the email, it is evident that Tracy was on parole and was doing drugs. This might explain her financial problems. Brown (2015) argued that financial problems contribute significantly to people turning to crime. This may be due to severe financial difficulties and the lack of better alternatives. In such situations, crime tends to appear to be a quick and accessible means of addressing immediate financial challenges. Therefore, given that Tracy was facing financial challenges, it is very likely that Carry could have lured her into the crime.

Exhibit 1 AA 06/07/2012

On 28/06/2012 20:16:52, Tracy, disguised as Perry Patsum (perrypatsum@yahoo.com), wrote to Carry, disguised as Coral (coralbluetwo@hotmail.com), informing her that they should communicate via email since it is safe and to avoid suspicion from her colleagues. This is further evidence that the two suspects were using email communication to avoid detection. Email platforms often allow users to create accounts without stringent identity verification processes (Choo et al., 2007). Therefore, cyber criminals have been exploiting this by creating anonymous or pseudonymous accounts, which shield their true identities from authorities. The aim of creating this anonymity was to make it challenging for law enforcement agencies to trace and apprehend them.

Exhibit 2 AA 28/06/2012

It should be noted that Carry had been helping Alex to plan an attack on the National Gallery, with a focus on destroying some artworks that were on display. This was to take place during the National Exhibition. As such, the investigation searched for email communication that may have contained such terms. From the analysis of tracy-external-2012-07-16-final.E01, it was revealed that on 02/07/2012 16:05:06, Carry, using her email coralbluetwo@hotmail.com, wrote to Tracy at perrypatsum@yahoo.com and informed her of an incoming National Exhibition that was being organized. This was in line with Carry’s plan, in which she intended to disguise the Krasnovian militants as tourists. It should be noted that the plan from Alex was to send Krasnovian militants to Washington DC, so that they could get into the museum and destroy the artwork. Therefore, the fact that the two suspects were discussing the exhibition shows that they were guilty of the alleged crime.

Exhibit 3 AA 02/07/2012

It is important, at this point, to note that the responses that Tracy would give Carry would determine whether she was part of the plans or not. Tracy had the option of not responding at all, or of warning Carry that she could not help with the plans. However, on 03/07/2012 14:53:04, Tracy responded and agreed that the event would play a big role in aiding their plan. This is solid evidence that Tracy was aware of what was being planned and agreed to facilitate the plan in her capacity as an employee of the National Gallery. This evidence shows that Tracy and Carry were guilty of planning to commit a crime at the National Gallery. The communication is shown in the evidence below.

Exhibit 4 AA 03/07/2012

5.4.2 Security Details

All criminals look for ways to mitigate the risk of being caught before, during, or after committing a crime. With the increase in security provisions, and the efficiency of the security offerings in buildings, it has become paramount for criminals to analyse the security details to ensure that they can execute their plan by exploiting the possible weaknesses (Warkentin and Willison, 2009). As such, any communication that involves security details of the location where the crime is being planned identifies the criminals as guilty. Considering that the crime was to be conducted at the National Gallery in the US, which is highly guarded, it was important for the suspects to analyse the security details that they would exploit. Therefore, in order to execute her plan, Carry required several details, which include security, schedules, events, and locations where art would be displayed. This was part of the reconnaissance and planning, which is important to facilitate a successful attack. Notably, an analysis of Tracy’s home computer revealed the presence of a document, securityrotation.pdf, containing the security personnel schedule. This was a crucial document that Carry needed to enable her to execute her heist. Notably, it was important for Carry to know the behaviour of the security personnel to identify where they would exploit and at what time. The evidence, as shown below, was in the form of a document that was sent via email by Tracy to Carry, and Carry was instructed not to reveal the details of the document to any other party.

Exhibit 5 AA 11/07/2012

The file details can further be illustrated as shown in the evidence below.

Exhibit 6 AA 11/07/2012

In addition to the communication about the personnel, other artefacts were found on Carry’s tablet, including the museum floor plans for both the West and East buildings. Brontinghom et al. (2013) noted that getting information about the floor plans of a building is a strategic move for suspects planning criminal activities. Notably, understanding the layout allows the criminals to plan their movements efficiently, identifying optimal entry and exit points, escape routes, and potential hiding spots (Brontinghom et al., 2013). Such a move is important as it increases their chances of success in carrying out the activity while reducing their risk of detection. As such, the fact that Carry was in possession of the floor plans of the museum is an indication that they were planning an attack on the facility. In addition, further images showing the available permanent collections, how the collections are organised, and how they can be accessed were obtained from Carry’s tablet. It should be noted that the attack was targeting artworks. Therefore, it was important for Carry to know beforehand which type of artwork was to be destroyed and where it was located in order to plan the attack effectively.

Exhibit 7 AB 05/07/2012

Further analysis of Carry’s tablet revealed images of security cameras and gate access using a credit card. The presence of these details revealed that Tracy had provided the required information to assist Carry to execute the heist. Welsh and Harris (2014) argued that inquiring about security cameras helps suspects to identify weaknesses in the surveillance system. It is through this analysis that tampering with or even disabling some cameras would be planned to facilitate the attack. In addition, the suspects may have been evaluating the possible blind spots that they would exploit, which would allow them to plan effectively for the escape routes. By avoiding camera coverage areas, the suspects can navigate the location without being tracked visually. Therefore, this information is solid evidence that the suspects were planning an attack on the museum.

Exhibit 8 AB 11/07/2012

Security cameras

Exhibit 9 AB 11/07/2012

5.4.3 Keylogging

The other important evidence in this investigation was the key logs from Tracy’s computers, which were obtained after analysing the email.zip evidence. It should be noted that keylogging, or keystroke logging, is a crucial tool in digital crime investigations, as it captures the keystrokes made by a user on a computer or mobile device. Keystroke logs have become instrumental in reconstructing the sequence of events which take place before, during, and even after the digital crime (Makura et al., 2020). By analysing the key logs from Tracy’s computer, the investigator was able to establish the intent and motive behind the digital crimes. It was also possible to track communication, especially in the form of emails that revealed the conspiracy between the suspects.

According to the case details, Joe, Tracy’s boyfriend, suspected that Tracy was organizing something sinister. Joe installed a keylogger to monitor Tracy’s activities. The recorded keystrokes were automatically emailed to joe.sum.twelve@gmail.com from the System Administrator account root@Tracys-MacBook-Air.local. Here is a screenshot of the keylogger activities where Tracy informs Carry about the Exhibit. The information obtained through the keylogger showed the plans that Tracy was involved in against the National Gallery, which is solid evidence of the criminal activity.

Exhibit 10 AC 02/07/2012
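To show how messages like those described in sections 5.4.1 and 5.4.3 can be placed on a single timeline and how keylogger reports stand out in a mail export, the following added example (not output from Magnet AXIOM and not part of the original analysis) parses message headers, normalises timestamps to UTC, and flags host-generated senders that deliver to external mailboxes. The addresses are those quoted in this report; the Date header time zones and the times of the two keylogger messages are constructed for the example.

```python
from collections import Counter
from datetime import timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed headers, deliberately out of order and in mixed time zones.
SAMPLE_MESSAGES = [
    "From: Pat TeeSumTwelve <patsumtwelve@gmail.com>\n"
    "To: throne1966@hotmail.com\n"
    "Cc: coralbluetwo@hotmail.com\n"
    "Date: Fri, 06 Jul 2012 15:49:31 +0000\n\n",
    "From: System Administrator <root@Tracys-MacBook-Air.local>\n"
    "To: joe.sum.twelve@gmail.com\n"
    "Date: Mon, 02 Jul 2012 12:10:00 -0400\n\n",
    "From: Coral <coralbluetwo@hotmail.com>\n"
    "To: perrypatsum@yahoo.com\n"
    "Date: Mon, 02 Jul 2012 16:05:06 +0000\n\n",
    "From: Perry Patsum <perrypatsum@yahoo.com>\n"
    "To: coralbluetwo@hotmail.com\n"
    "Date: Thu, 28 Jun 2012 20:16:52 +0000\n\n",
    "From: System Administrator <root@Tracys-MacBook-Air.local>\n"
    "To: joe.sum.twelve@gmail.com\n"
    "Date: Tue, 03 Jul 2012 11:00:00 -0400\n\n",
]


def parse_headers(raw):
    """Extract sender, recipients (To and Cc) and a UTC timestamp."""
    msg = message_from_string(raw)
    sender = getaddresses([msg.get("From", "")])[0][1].lower()
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    when = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    return {"when": when, "from": sender,
            "to": sorted(addr.lower() for _, addr in rcpts if addr)}


def build_timeline(raw_messages):
    """Order messages by absolute time, not by the local time in the header."""
    return sorted((parse_headers(r) for r in raw_messages),
                  key=lambda rec: rec["when"])


def is_host_generated(address):
    """True for senders on a non-routable host name, e.g. an mDNS .local name."""
    domain = address.rpartition("@")[2]
    return domain.endswith(".local") or "." not in domain


def flag_forwarders(timeline):
    """Count host-generated messages delivered to external mailboxes."""
    hits = Counter()
    for rec in timeline:
        if is_host_generated(rec["from"]):
            for rcpt in rec["to"]:
                if not is_host_generated(rcpt):
                    hits[(rec["from"], rcpt)] += 1
    return dict(hits)


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_MESSAGES)
    for rec in timeline:
        print(rec["when"].isoformat(), rec["from"], "->", ", ".join(rec["to"]))
    print(flag_forwarders(timeline))
```

Sorting on the normalised timestamp matters here: the constructed message stamped 12:10:00 -0400 falls after the 16:05:06 +0000 message once both are expressed in UTC.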

5.4.4 Insurance stamps

The other important evidence that would incriminate the culprits was the presence of the insurance stamps in their communication. It should be noted that, in addition to defacing the US government, Tracy had been involved in plans to steal items from the museum with her brother. Specifically, Tracy and her brother were planning to steal insurance stamps from the museum, which would fetch them money that Tracy would use to sort out her financial mess. The analysis of Tracy’s home computer revealed that on 06/07/2012 13:39:52, using her email account Tracy Sumtwelve (tracysumtwelve@gmail.com), she sent an email to coralbluetwo@hotmail.com containing details of 3 insurance stamps. The evidence is shown below. This is an indication that the suspects were guilty of planning to steal museum stamps, which further incriminates them and makes her vulnerable to facilitating a further crime by Alex and Carry to attack the museum.

Exhibit 11 AA 06/07/2012

Exhibit 12 AA 06/07/2012

Exhibit 13 AA 06/07/2012

Further analysis revealed images of stamps.

Exhibit 14 AA 06/07/2012

6.0 Summary of Findings and Conclusions

The analysis of the findings shows the credibility of the evidence that was used to arrive at the conclusions in this report. Importantly, the analysis shows the accuracy and reliability of the digital forensic evidence, which was achieved through a combination of meticulous documentation, validation of tools and methods, cross-verification with multiple sources, adherence to forensic protocols, and peer review. Since the evidence collected and analyzed is considered to be sound and reliable, so are the conclusions. The main conclusions in this report show that Carry and Tracy were in communication through their emails, which were mainly encrypted to avoid suspicion and detection. These two were involved in plans to deface the National Gallery Museum, as planned by Alex. In addition, Tracy was guilty of planning to steal the insurance stamps. Notably, all the evidence that was collected from their devices and drive images pointed towards the fact that theft and destruction were being planned against the United States. However, it is important, at this point, to emphasize that Tracy had not stolen anything. She is, however, guilty of planning theft. The analysis also found Carry guilty of planning the defacement, although they have not executed the plan yet since they were caught before actualizing their plans.

7.0 Declaration of Truth

I, as the duly sworn forensic officer on duty who carried out the digital forensic investigation, hereby declare the veracity and accuracy of the digital forensic investigation and the report details herein. I diligently carried out the examination of digital evidence pertaining to Alex vs. the United States case in accordance with established protocols and industry standards. The purpose of this investigation was to uncover and analyze digital artifacts relevant to the case and present findings in an impartial and comprehensive forensic report. Therefore, I can confirm that I adhered strictly to the recognized procedures, methodologies, and ethical guidelines that govern the field of digital forensics, as well as the legal guidelines and requirements for preservation of evidence to enable presentation in a court of law. I can confirm that the chain of custody for the digital evidence that was collected was meticulously maintained, with a detailed documentation at every stage of handling. Therefore, I can affirm that the forensic report presented herewith is an accurate and truthful representation of the digital forensic examination conducted.
