
WHATCOM COUNTY SHERIFF'S OFFICE

COMPUTER ANALYSIS REPORT

OPS CASE NUMBER: AI2012-001

AUTHOR: Cooley

Throughout this investigation, I examined several computer hard drives and their contents, often with the assistance of Detective Scott Matsudaira of the Bellingham Police Department, a computer forensics specialist. This report is a summary of relevant findings.

Hard drive: Hitachi Travelstar, 80 GB IDE, Model #HTS541080G9AT00, Serial #X6HK074G
Found in: Panasonic Toughbook #17445 on or about February 10, 2012

Matsudaira was asked to make an exact working copy of the drive before I was assigned this investigation. He did so by creating an image of the original hard drive, then copying this image onto another hard drive. When I attempted to use the first copy he made, it would not work. I provided Matsudaira with another hard drive I obtained from I.T. and Matsudaira successfully placed the image he had made of the original drive onto the drive I provided him. Matsudaira maintained the image on his computer for analysis and I maintained the working copy in another Toughbook I.T. provided to me.

The original hard drive was secured by Chief Edge in a cabinet until April 17, 2012, when I moved it to a locked cabinet in the O.P.S. offices. I retrieved the original drive from Edge's cabinet on two occasions: once when I took another drive to Matsudaira for his second attempt at making a copy, in case he needed the original (he did not, as I found he had maintained the image of the original drive on his computer) and again to ask Matsudaira to assist me with opening the enclosure so that I could retrieve identifying information from the drive itself in an attempt to determine its origins.

Examination of the data** from the drive revealed numerous Sheriff's Office case reports authored by Murphy as well as supporting documentation and images. There were also documents regarding other Sheriff's Office internal investigations, including those related to previous misconduct by Murphy and Deputy Mark Lann.

In addition, there were numerous documents and images that appeared to be from the Internet and related to Murphy's political activities and opinions. An analysis made by Matsudaira showed the website Murphy most often visited while using the drive was www.scribd.com, with others like Facebook and various political and news websites close behind.

Matsudaira found two encrypted files among the data and was able to open them. Both appeared to be different versions of the same comprehensive lists of motorcycle gang membership. They were .pdf files, and Matsudaira was not able to tell whether the files were simply encrypted using protection settings available in Adobe software or whether they were encrypted by programs specifically designed for such purposes. He found no other encrypted content.

Hard drive: Seagate Momentus 20GB, Model # ST92011A, Serial #3KV0BQEE
Found in: Panasonic Toughbook #17445 on or about September 14, 2010

Matsudaira informed me that there was data on this drive but the master file table* was missing. This meant that it could not be readily indexed for examination and that attempting to have forensic software piece together the data would be very time consuming. Matsudaira indicated that a missing master file table could mean that someone had begun some sort of process to overwrite the contents of the drive but had not finished doing so.

*From the Microsoft website: The NTFS file system contains a file called the master file table, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself. All information about a file, including its size, time and date stamps, permissions, and data content, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries.

Hard drive: Hitachi 80GB SATA, Model #HTS541280H9SA00, Serial #BFGJ4AWA
Found in: Dell Latitude #17840 on April 17, 2012

Matsudaira found that this drive contained three partitions: a relatively small one containing Dell backup files (common on all Dell computers made after 1995, according to Matsudaira) and two others that split the remaining space on the drive in half. The second partition appeared to Matsudaira to be one containing normal user files. He was not sure about the third partition. Investigating the purpose of this partition required further examination that Matsudaira was unable to perform in the near future due to other duties and commitments.

A cursory examination of the data** on the second and third drives revealed files that appeared to have been authored by Murphy (e.g. case reports) and images of Murphy, his family, biker gang members, and autopsy photos.

**It is important to note that the data I viewed included files that had been previously deleted and thus would not be accessible to most users.
