
Ricardo Nevarez

CSOL 590 – Module 7 Assignment


University of San Diego

Forensic Examination Report


July 10, 2017
Forensic Examination Report by Ricardo Nevarez Page |1

CYBER FORENSICS EXAMINER:


Forensics Examiner Name: Ricardo Nevarez
Forensics Examiner ID Number: 11087817
Forensics Examiner Contact Phone: 909-219-XXXX
Forensics Examiner Role: Cyber Forensics Expert Witness

EDUCATION:
Bachelor of Science, Computer Information Technology, California Baptist University
Master of Science, Cyber Security Operations and Leadership, University of San Diego
CCE: Certified Computer Examiner
CFCE: Certified Forensic Computer Examiner
SANS and GCFA: GIAC Certified Forensics Analyst

SUBJECT: Forensic Examination Report

WARRANT CASE NUMBER: DN00125

OFFENCE: Teen Suicide

VICTIM: Brady Vela, 18 years of age.

ACCUSED: Unknown suspect is accused of cyberbullying that led to the death of
the victim, death threats, and online stalking.

DATE OF REQUEST OF FORENSIC EXAMINATION: July 4th, 2017

DATE OF CONCLUSION OF FORENSIC EXAMINATION: July 9th, 2017



Table of Contents
Summary of the Case
Objectives
Computer Forensic Acquisition and Transport of Evidence to Forensics Lab
Computer Evidence Analysis
Timeline of Events
Legal Aspects to Consider
Relevant Findings to the Court
Link to PowerPoint Presentation from Module 6 Assignment
References

Summary of the Case


This is a case of a teen suicide caused by cyber-bullying. The victim, Brandy Vela, 18
years old, from Texas City, Texas, shot herself with a gun in front of her family, taking her own
life on Tuesday, November 29th, 2016, due to the extreme cyber-bullying she received on the
internet. At this time, the perpetrator is unknown and is still at large.

As a cyber-forensic examiner with many years of training and experience in computer
cyber-forensics, I was requested by the Texas City Police on Tuesday, July 4th, 2017 to be an
expert witness in this case DN00125 - AB. I, Ricardo Nevarez, accepted the request to be an
expert witness, and to perform a full computer cyber-forensics analysis on the victim’s computer
to discover the chain of events that led up to the teen’s suicide, and the person(s) who stalked
and cyber-bullied the victim.

This cyber forensic analysis is an attempt to come up with a timeline of the events that led up to
the victim’s suicide, and perhaps discover the person(s) behind the cyber-bullying that led up to
the victim committing suicide. The issued warrant clearly states that the entire digital
contents of the computer (hidden or otherwise), and possibly the victim’s cellphone (if available),
or USB Thumb Drives are to be forensically imaged, and analyzed back at the forensics lab.

Objectives
Per the warrant, all of the following digital items will be collected and analyzed.

1. All telephone numbers and identities assigned to the phone numbers on the computer.

2. All data stored on the computer Hard Drive.

3. All usernames, passwords, and emails for all identities.

4. All stored images, documents, videos, and text messages.

5. Stored, electronic email, email attachments, chat logs, voice messages.

6. Web – browsing history, and any stored web pages found in browser bookmarks.

7. All geo-location information (if applicable to the case).

8. All stored data in any application.

9. All stored data on USB Thumb Drive.

Also, while maintaining Chain of Custody, recover the victim’s computer, and possibly cell
phone back to the computer forensics lab. Prior to relocating evidence back to the forensics lab,
the victim’s computer, and possibly cell phone (if available) have been forensically imaged
onsite at the victim’s crime scene. Once at the forensic crime scene, I created another second
forensic image of the victim’s computer, and USB Thumb Drive, to confirm the contents of the
Hard Drive, and USB Thumb Drive was not tampered with during the move of these items back
to the forensics lab. Also, I am to analyze the digital files for possible communication between
the victim, and the perpetrator(s). Also, analyze any other digital information that can lead to the
identity of the perpetrator(s).

Computer Forensic Acquisition and Transport of Evidence to Forensics Lab


Chain of Custody was adhered to at every step.
1. Obtained warrant from the Texas City Police on Tuesday, July 4th, 2017.

2. On Tuesday, July 4th, 2017, I entered the victim’s crime scene, and proceeded to obtain
and record, for every person present, their Name, Title, Employee ID Number,
Department/Company they work for, their signature, Date and Time, and reason for
being onsite (Electronic Crime Scene Investigation A Guide for First Responders,
2001).

3. Prior to removing the victim’s computer back to the computer forensics lab, I took digital
pictures of everything, which included: location of the computer (including computer
screen), computer cables, the back of the computer, image on the computer screen, and
USB thumb drive. No cell phone was found at the victim’s crime scene. I also
recorded the make, model, and serial numbers of the items collected.
a. Computer Type: Dell Inspiron Desktop (Intel Chipset).
i. Processor 6th Generation Intel Core, i5-6400 with 6M Cache.
ii. Operating System Windows 7 Home, English 64-bit.
iii. Memory 8GB DDR3L, Model: Dell, SN: br48076-AB
iv. Hard Drive 1TB 7200 rpm, Model: Toshiba L200, SN: nd00194f-AB
v. Optical Drive Front Tray Load, Model: 318-2826, SN: wd-035j35-AB
vi. Wireless 802.11bgn + Bluetooth 4.0
vii. Ports 2 Front – USB 3.0, 1 5:1 Multi-Card Reader, 1 Audio Combo Jack
Rear-Line in/out and Microphone port, 1 VGA, 1 HDMI out, 4 USB 2.0, 1
Network Port, 1 DC power
b. Computer Screen: Dell Ultra-Sharp 24 Edge, Model: U2417H, SN: un-4719-AB.
c. USB Thumb Drive: Make: SanDisk, Model: sdcz60 16GB, SN: fw-35775-AB.

4. Once all items had been digitally photographed, I used Live Response, a computer
forensic tool run off of a USB thumb drive, to collect the volatile data from the 8GB of
RAM. The USB thumb drive was connected to the front USB 3.0 port to capture the data
from the volatile memory.

5. After collecting the data from the volatile RAM, I turned off the computer, disconnected
the power and serial ATA cable from the internal Hard Drive, and connected the Hard
Drive to a hardware “write-blocker” to make a forensic image copy of the Hard Drive onto
a new blank Hard Drive, and an MD5 and SHA Hash (SWGDE Best Practices for
Computer Forensics, 2006).
Make, model, and serial number of the new Hard Drive:
Make: Western Digital 2TB rpm,
Model: WD2003FZEX,
SN: wd-45084423-AB.
I made the forensic image of the victim’s Hard Drive, and USB Thumb Drive, along
with MD5, and SHA hashes for each, using FTK Imager forensic software.
Victim’s Hard Drive
a. MD5 Hash: 5f014b21448adb756be0f8be7fc7156
b. SHA Hash: af17449a83681de22db7ce16672f16fbec0022371d4ace5d1854301e0
Victim’s Thumb Drive


a. MD5 Hash: 948370a0cd39047cd5205243564dea74
b. SHA Hash: 2ce72f3880bddd5564966b15b017a038d84de41c390b2aafe28fd8452

6. Once I made the forensic images of the victim’s Hard Drive, and USB Thumb Drive, I
tagged all the items into evidence boxes, and sealed them with evidence forensic tape,
and signed the evidence forensic tape with my name using a black magic marker. The
items collected into evidence boxes included: one computer, one monitor, one USB
Thumb Drive, computer cables, one black power cord, one wireless keyboard, and one
wireless mouse. All the steps taken adhered to the Chain of Custody, as these items
were taken back to the forensics lab to be analyzed, all per the issued warrant from the
Texas City Police Department.

7. No other digital device was found at the victim’s home, except for what has been
mentioned above, the one computer, and USB Thumb Drive. There was no blank
CD/DVD media, or cell phone found at the victim’s home. NO OTHER DIGITAL
DEVICES WERE FOUND.

8. There were three forensic images taken, along with their respective MD5, and SHA
hashes of which belonged to the following items listed here:

a. Volatile memory.
MD5 Hash: de677726e2982098ede441764591892b
SHA Hash: 6E7A4DDFDD4B01CF72C145F5B27D10B9C73D075A5277EC2356

b. Internal Hard Drive.


MD5 Hash: 5f014b21448adb756be0f8be7fc7156
SHA Hash: af17449a83681de22db7ce16672f16fbec0022371d4ace5d1854301e0

c. USB Thumb Drive.


MD5 Hash: 948370a0cd39047cd5205243564dea74
SHA Hash: 2ce72f3880bddd5564966b15b017a038d84de41c390b2aafe28fd8452

9. Once back at the forensics lab, the integrity of the evidence box, and evidence tape was
checked for tampering. NO TAMPERING WAS FOUND.

10. The items removed from the evidence box were the victim’s Hard Drive, the new Hard
Drive (contains the victim’s bit-to-bit image), and USB Thumb Drive. A second cyber
forensic image was made of the victim’s Hard Drive, and USB Thumb Drive with MD5,
and SHA Hash. I personally verified and confirmed that all MD5, and SHA hashes of
the original victim’s Hard Drive, and of the previously made forensic image copies which
were made at the victim’s crime scene, all matched.
THERE WAS NO TAMPERING OF ANY DIGITAL DEVICE DURING TRANSPORT OF
EVIDENCE FROM THE VICTIM’S CRIME SCENE, TO THE FORENSICS LAB.

11. The forensic image I created of the victim’s Hard Drive using FTK Imager (Forensic
Toolkit (FTK), 2017) included the MD5, and SHA hashes. Also included within the
forensic image was the master-boot record, logical volumes, meta-data, everything
about the Hard Drive. The same was done onto the USB Thumb Drive.
Make, model, and serial number of the new Hard Drive:


Make: Western Digital 2TB rpm,
Model: WD2003FZEX,
SN: wd-45084423-AB.
I made the forensic image of the victim’s Hard Drive, and USB Thumb Drive, along
with MD5, and SHA hashes for each, using FTK Imager forensic software.

Victim’s Hard Drive


a. MD5 Hash: 5f014b21448adb756be0f8be7fc7156
b. SHA Hash: af17449a83681de22db7ce16672f16fbec0022371d4ace5d1854301e0

Victim’s Thumb Drive


c. MD5 Hash: 948370a0cd39047cd5205243564dea74
d. SHA Hash: 2ce72f3880bddd5564966b15b017a038d84de41c390b2aafe28fd8452

12. The data collected of the volatile RAM while the computer was turned on at the victim’s
crime scene, and using the Live Response forensic tool, included:
a. The type of network connection the computer was using to get onto the internet.
b. The current running processes.
c. What browser was used, and what web sites were visited.
d. Any scheduled jobs of which included: printing, e-faxes, any messages in queue.
e. Windows Registry.
f. Browser auto-completion, Browser history, and user name and passwords to
web-sites.
g. SAM files (stores user names, and passwords)

13. Data collected from the victim’s Hard Drive using the FTK Imager forensic tool included:
a. Protected files.
b. Hidden files.
c. The type of network connection the computer was using to get on the internet.
d. The current running processes.
e. What browser was used, and what web sites were visited.
f. Any scheduled jobs of which included: printing, e-faxes, any messages in queue.
g. Windows Registry.
h. Browser auto-completion, Browser history, and user name and passwords to
web-sites.
i. SAM files (stores user names, and passwords).
j. All telephone numbers and identities assigned to the phone numbers within the
contacts.
k. All stored electronic emails from email application Outlook 2010.
l. All email attachments, chat logs, and voice messages.
m. All stored images, documents, videos, and saved text messages.
n. All stored data in all software installed applications, of which included:
i. Microsoft Office: Word, Excel, PowerPoint, Outlook.
ii. 3rd party contacts calendar.
iii. AOL Instant Messenger (AIM), and buddy lists.
iv. Anonymizer (software used to hide one’s online identity).
v. Facebook, personal profiles, interests, photos, private and public chats.
vi. Other social media sites, interests, photos, private and public chats.
vii. Instagram, shared comments on images, and videos.
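
The hash comparison described in steps 5, 8 and 10 above, shown as an added example that is not part of the original report or of FTK Imager: it streams an image file through MD5 and SHA-256 and compares the result with the digests recorded at acquisition. The file names and sample data are constructed, and SHA-256 is an assumption, since the report does not say which SHA variant was used.

```python
import hashlib
import os
import tempfile

# Expected hex-digest lengths, used to sanity-check values copied from an
# acquisition log before they are trusted as a reference.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def hash_image(path, algorithms=("md5", "sha256"), chunk_size=64 * 1024):
    """Read the image once, in chunks, feeding every chunk to all hashers."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_image(path, recorded):
    """Compare an image against recorded digests (dict: algorithm -> hex).

    Returns a status per algorithm: "match", "MISMATCH", or
    "malformed-record" when the recorded value cannot be a valid digest
    (wrong length or non-hex characters, e.g. a transcription error).
    """
    computed = hash_image(path, tuple(recorded))
    results = {}
    for algo, value in recorded.items():
        value = value.strip().lower()  # logs mix upper- and lower-case hex
        well_formed = len(value) == HEX_LEN[algo] and all(
            c in "0123456789abcdef" for c in value
        )
        if not well_formed:
            results[algo] = "malformed-record"
        elif value == computed[algo]:
            results[algo] = "match"
        else:
            results[algo] = "MISMATCH"
    return results


def demo():
    """Constructed data: an on-scene image, a lab re-image, an altered copy."""
    payload = bytes(range(256)) * 4096  # 1 MiB stand-in for a disk image
    with tempfile.TemporaryDirectory() as workdir:
        scene = os.path.join(workdir, "scene_image.dd")
        lab = os.path.join(workdir, "lab_image.dd")
        altered = os.path.join(workdir, "altered_image.dd")
        samples = (
            (scene, payload),
            (lab, payload),
            (altered, payload[:-1] + b"\x00"),  # final byte changed
        )
        for path, data in samples:
            with open(path, "wb") as fh:
                fh.write(data)

        scene_hashes = hash_image(scene)
        # Acquisition-log entry; SHA-256 written upper-case on purpose.
        log_entry = {
            "md5": scene_hashes["md5"],
            "sha256": scene_hashes["sha256"].upper(),
        }
        # Same entry with one MD5 character lost during transcription.
        truncated = dict(log_entry, md5=scene_hashes["md5"][:-1])
        return {
            "lab": verify_image(lab, log_entry),
            "altered": verify_image(altered, log_entry),
            "truncated": verify_image(lab, truncated),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A "malformed-record" status means the reference value itself needs to be re-read from the acquisition log before any conclusion about the image is drawn.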

Computer Evidence Analysis


Following the acquisition of the data from the victim’s computer Hard Drive, and USB Thumb
Drive, it was time to analyze the data. My goal through the Analysis stage was to search the
digital contents for anything that seemed tied to the victim’s suicide, and or the identity of the
cyberbully. From analyzing the available information from the social media websites chat logs
time stamps, the deleted word documents, and other hidden word documents, including a
personal diary, I was able to establish a time line of three months back, and up to the date of the
victim’s suicide.

I attempted first to view the contents of the victim’s computer physical Hard Drive sound forensic
image. I analyzed the contents of the image using keywords, or any words that mentioned: cyber-bully,
bullying, gun, suicide, derogatory comments, physical threats, harassing and threatening text
messages, threatening images, upsetting email, self-injury. Also, I verified that all the forensic
software used within this case was current, and up to date.

1. Software I used to analyze the data:


a. FTK Imager Version 3.4.3.
b. Microsoft Office 2016.
c. Browsers: Internet Explorer Version 11, and Google Chrome Version 59.0.3071.
d. Microsoft Office Picture Viewer 2010.
e. OSForensics (OSForensics, 2017).

2. Using the sound forensic image of the victim’s Hard Drive, I used the only two web
browsers installed within the forensic image. It would appear the victim used these two
browsers to visit two distinct types of websites. The victim used Internet Explorer, to visit
many random websites, including websites that contained information about suicide,
guns, and cyberbullying. The Google Chrome browser was only used for social media
websites.

3. According to time stamps, and browser history, I found that three months prior to the
victim’s suicide, there were many visits to websites obsessed with suicide, guns, and
cyberbullying. Specifically, these were as follows:

a. Internet Explorer Version 11 Browser


i. Searched temporary, and history files that were created from the web-
sites the victim visited. Found many websites such as:
1. Nobullying.com
https://nobullying.com/
2. Stopbullying.com
https://www.stopbullying.gov/
3. Kidshelpline.com.au
https://kidshelpline.com.au/
4. Cybersafteysolutions.com.au
http://www.cybersafetysolutions.com.au/
5. Netalert.gov.au
http://www.netalert.net.au/
6. Bullying.org
https://bullying.org/
7. Wiredsaftey.org
http://www.wiredsafety.com/
8. Lostallhope.com
http://lostallhope.com/
9. Allaboutlifechallenges.org
http://www.allaboutlifechallenges.org/
10. https://www.youtube.com/watch?v=akxkwfOcmB0
11. http://www.wikihow.com/Shoot-a-Handgun
12. Google.com/search
https://www.google.com/
13. msn.com
http://www.msn.com/
14. youtube.com
https://www.youtube.com/

b. Google Chrome Version 55.0.2883 Browser


i. Facebook.com
https://www.facebook.com/
ii. MySpace.com
https://myspace.com/
iii. Instagram
https://www.instagram.com/?hl=en
iv. Reddit
https://www.reddit.com/
v. Meetup
https://www.meetup.com/

4. I was also able to review previous chat postings of the victim’s social media websites:
Facebook, and MySpace, because the Google Browser retained the login credentials to
these particular websites. I was able to log into the victim’s profile. There was no need
to crack any passwords to any of the victim’s social media websites.

5. I discovered the victim’s Facebook profile contained very strong negative language
directed to her from another Facebook user named “unknown victim”. From the chat
timestamps, these postings that had been going back and forth between the cyber-bully,
and the victim started about three months prior to the victim’s suicide. There was no first
or last name associated to this onscreen name, thus there was no way to identify this
user. I reached out to Facebook’s legal department (Facebook, 2017) to inquire if it was
necessary for me to seek a warrant to gain some information of this Facebook user
named “unknown victim”. Their response was to check if there were any real information
about the owner of this Facebook profile, and it turned out that all the personal
information to create the Facebook profile was fictitious.

6. I discovered the victim’s MySpace profile contained very strong negative language directed
to her from another MySpace user named “my unknown victim”. From the chat
timestamps, these postings also started going back and forth between the cyber-bully,
and the victim about three months prior to the victim’s suicide. There was no first or last
name associated to this onscreen name, thus there was no way to identify this user. I
reached out to MySpace legal department (MySpace, 2013) to inquire if it was
necessary for me to seek a warrant to gain some information of this MySpace user
named “my unknown victim”. Their response was to check if there were any real
information about the owner of this MySpace profile, and it turned out that all the
personal information to create the MySpace profile was fictitious.

7. Using the victim’s first, and last name within the search field on youtube.com, I also
discovered many short video clips of a user named “yours truly”, talking behind a
cartoon mask, directing strong derogatory language about the victim’s physical
characteristics, including her weight. I took the same approach on youtube.com as I did
with Facebook, and MySpace legal department. They looked into

8. I also examined the physical Hard Drive, on which I discovered a number of deleted files.
These were discovered by markers left within the file management of the c: drive. The
forensic software used to recover deleted files is called OSForensics. I discovered
personal Word files of the victim’s diary. These files dated back a few months, to
August of 2016, when the cyberbullying started, and described that some boy was
behind the cyberbullying, and that she did not know who this boy could be, or how
he could know so much about her. I also was able to undelete more Word documents; these
documents dated closer to the victim’s suicide, November of 2016. The victim writes
about ways to take her own life, which included how to do it, when to do it,
where to do it, and what time to do it. No leads on who this boy is.

9. After enabling the Windows file feature “hidden files”, I discovered the victim’s personal
diary. Going through the diary, I made an obvious observation: the deleted Word
documents I discovered were about death, and much sadness, while the personal diary
had everyday stuff, nothing to do with death, or sadness. There was no

10. Accessing the victim’s Gmail email account was a non-issue, since the browser retained
all usernames and passwords, including this Gmail account. After careful analysis
of the victim’s Gmail, I found there were many derogatory emails directed to the
victim from many different source email addresses. These seemed to be random, but
many. Reviewing the headers of the emails did not reveal a legitimate source, since
many third party email companies were used to hide who the sender was. No solid
information was reaped from the victim’s emails.

11. NOT found during the analysis were steganographic images, encrypted or zipped files, or
deleted audio files.

Timeline of Events
It would appear that three months prior to the victim’s suicide, there was browser activity on
many of the victim’s social media websites. There was also browser activity about cyberbullying,
guns, and suicide. During the last week of the victim’s life, there was a drop of online activity.
On the last day of the victim’s life August 29, 2016, there was no online activity.

| DATE | TIME | EVENT |
|---|---|---|
| August 1, 2016 | | Facebook postings directed at the victim containing graphic language |
| August 1, 2016 | | MySpace page created to bully the victim, containing graphic, and threatening language. |
| August 7, 2016 | | Emails sent to victim. All emails from random generated email accounts. |
| August 7, 2016 | | Entry in victim’s deleted Word document of online bullying, and harassment. This is very upsetting to the victim. |
| August 8, 2016 | | Emails going outbound in reply to incoming emails that are sending strong threatening language. Victim is pleading, asking for the bullying to stop. |
| October 1, 2016 | | Facebook postings continue. Victim responds to postings for the bullying to stop. |
| October 1, 2016 | | Browser activity pertaining to cyberbullying, guns, and suicide. |
| October 1, 2016 | | Entry in victim’s deleted Word document of online bullying, and harassment on Facebook. The victim is very upset, and talking about killing herself. |
| November 15, 2016 | | MySpace postings continue, and continue on the victim’s other social media websites. Victim pleads for the bullying to stop, and to be left alone. |
| November 25, 2016 | | The entries in the deleted Word documents talk about how she wants to kill herself, and how she wants to do it, and select a day, and time to do it. |
| November 29, 2016 | | Date the victim committed suicide. |

Legal Aspects to Consider


Parents of the deceased victim granted full disclosure of the personal computer (Quality
Standards for Digital Forensics, 2012), and any other digital device that belonged to the victim
for analysis. Therefore, the victim’s privacy, and 4th Amendment rights were not compromised, or
violated. The Texas City Police Department requested, and was granted one warrant to collect
any, and all digital files for analyzing that belonged to the deceased victim. All local, state and
federal laws were adhered to. The warrant allowed me to adhere to the Wiretap Act (18 U.S.C.
2510 -22), and Stored Wired, and Electronic Communications Act (18 U.S.C. 2701 -120)
(CERT, 2008).

Relevant Findings to the Court


The important ingredient throughout this forensic collection, and examination was to adhere to
the guidelines, and methodologies of Chain of Custody. From the very first time I set foot at the
scene, the Chain of Custody methodology was followed, with identifying all persons onsite,
documenting, and taking digital photographs of everything, including maintaining the integrity of
the original digital image from the victim’s computer, and ONLY working off the forensic copy.

It is also my conclusion, and expert opinion from the analysis I performed on the victim’s
computer, that this unknown suspect that went by the online persona names of “unknown
victim”, “my unknown victim”, and “yours truly” bullied, and stalked the victim online to such an
extreme, that it drove the victim to commit suicide. In my expert opinion, I recommend that this
unknown suspect be found, and brought to trial in the suicide of Brady Vela.

Link to PowerPoint Presentation from Module 6 Assignment

Assignment Evidence
Package Power Point Presentation.pptx

References:
CERT, U. (2008). Computer Forensics. Retrieved July 10, 2017, from US-CERT:
https://www.us-cert.gov

Electronic Crime Scene Investigation A Guide for First Responders. (2001, July). Retrieved
July 10, 2017, from U.S. Department of Justice:
https://www.ncjrs.gov/pdffiles1/nij/219941.pdf

Facebook. (2017). Information for Law Enforcement Authorities. Retrieved July 10, 2017, from
Facebook: https://www.facebook.com/safety/groups/law/guidelines

Forensic Toolkit (FTK). (2017). Retrieved June 24, 2017, from ACCESSDATA:
http://accessdata.com/products-services/forensic-toolkit-ftk

MySpace. (2013, June 10). Law Enforcement. Retrieved July 10, 2017, from MySpace:
https://help.myspace.com/hc/en-us/articles/202248100-Law-Enforcement-

OSForensics. (2017). Retrieved July 10, 2017, from osforensics:
http://www.osforensics.com/index.html

Quality Standards for Digital Forensics. (2012, November 20). Retrieved July 10, 2017, from
crime-scene-investigator:
http://www.crime-scene-investigator.net/quality-standards-for-digital-forensics.html

SWGDE Best Practices for Computer Forensics. (2006, July). Retrieved July 10, 2017, from
OAS.org: https://www.oas.org/juridico/spanish/cyb_best_pract.pdf
