EDUCATION:
Bachelor of Science, Computer Information Technology, California Baptist University
Master of Science, Cyber Security Operations and Leadership, University of San Diego
CCE: Certified Computer Examiner
CFCE: Certified Forensic Computer Examiner
SANS and GCFA: GIAC Certified Forensics Analyst
Table of Contents
Summary of the Case
Objectives
Computer Forensic Acquisition and Transport of Evidence to Forensics Lab
Computer Evidence Analysis
Timeline of Events
Legal Aspects to Consider
Relevant Findings to the Court
Link to PowerPoint Presentation from Module 6 Assignment
References
Forensic Examination Report by Ricardo Nevarez Page |3
As a cyber-forensic examiner with many years of training and experience in computer cyber-
forensics, I was requested by the Texas City Police on Tuesday, July 4th, 2017 to be an expert
witness in this case, DN00125 - AB. I, Ricardo Nevarez, accepted the request to be an expert
witness and to perform a full computer cyber-forensics analysis on the victim’s computer to
discover the chain of events that led up to the teen’s suicide, and the person(s) who stalked
and cyber-bullied the victim.
This cyber forensic analysis is an attempt to come up with a timeline of events that led up to
the victim’s suicide, and perhaps discover the person(s) behind the cyber-bullying that led up to
the victim committing suicide. The issued warrant clearly states that the entire digital
contents of the computer (hidden or otherwise), and possibly the victim’s cellphone (if available)
or USB Thumb Drives, are to be forensically imaged and analyzed back at the forensics lab.
Objectives
Per the warrant, all of the following digital items will be collected and analyzed.
1. All telephone numbers and identities assigned to the phone numbers on the computer.
6. Web – browsing history, and any stored web pages found in browser bookmarks.
Also, while maintaining Chain of Custody, recover the victim’s computer, and possibly cell
phone, back to the computer forensics lab. Prior to relocating evidence back to the forensics lab,
the victim’s computer, and possibly cell phone (if available), have been forensically imaged
onsite at the victim’s crime scene. Once at the forensic crime scene, I created a second
forensic image of the victim’s computer and USB Thumb Drive, to confirm the contents of the
Hard Drive and USB Thumb Drive were not tampered with during the move of these items back
to the forensics lab. Also, I am to analyze the digital files for possible communication between
the victim, and the perpetrator(s). Also, analyze any other digital information that can lead to the
identity of the perpetrator(s).
2. On Tuesday, July 4th, 2017, I entered the victim’s crime scene, and proceeded to obtain
and record, for every person present, their Name, Title, Employee ID Number,
Department/Company they work for, their signature, Date and Time, and reason for
being onsite (Electronic Crime Scene Investigation A Guide for First Responders,
2001).
3. Prior to removing the victim’s computer back to the computer forensics lab, I took digital
pictures of everything, which included: location of the computer (including computer
screen), computer cables, the back of the computer, image on the computer screen,
and the USB thumb drive. No cell phone was found at the victim’s crime scene. I also
recorded the make, model, and serial numbers of the items collected.
a. Computer Type: Dell Inspiron Desktop (Intel Chipset).
i. Processor 6th Generation Intel Core, i5-6400 with 6M Cache.
ii. Operating System Windows 7 Home, English 64-bit.
iii. Memory 8GB DDR3L, Model: Dell, SN: br48076-AB
iv. Hard Drive 1TB 7200 rpm, Model: Toshiba L200, SN: nd00194f-AB
v. Optical Drive Front Tray Load, Model: 318-2826, SN: wd-035j35-AB
vi. Wireless 802.11bgn + Bluetooth 4.0
vii. Ports 2 Front – USB 3.0, 1 5:1 Multi-Card Reader, 1 Audio Combo Jack
Rear-Line in/out and Microphone port, 1 VGA, 1 HDMI out, 4 USB 2.0, 1
Network Port, 1 DC power
b. Computer Screen: Dell Ultra-Sharp 24 Edge, Model: U2417H, SN: un-4719-AB.
c. USB Thumb Drive: Make: SanDisk, Model: sdcz60 16GB, SN: fw-35775-AB.
4. Once all items had been digitally photographed, I used Live Response, a computer
forensic tool run off of a USB thumb drive, to collect the volatile data from the 8GB of
RAM. The USB thumb drive was connected to the front USB 3.0 port to capture the data
from the volatile memory.
5. After collecting the data from the volatile RAM, I turned off the computer, disconnected
the power and serial ATA cable from the internal Hard Drive, and connected the Hard
Drive to a hardware “write-blocker” to make a forensic image copy of the Hard Drive onto
a new blank Hard Drive, along with an MD5 and SHA Hash (SWGDE Best Practices for
Computer Forensics, 2006).
Make, model, and serial number of the new Hard Drive:
Make: Western Digital 2TB rpm,
Model: WD2003FZEX,
SN: wd-45084423-AB.
I made the forensic image of the victim’s Hard Drive and USB Thumb Drive, along
with MD5 and SHA hashes for each, using FTK Imager forensic software.
Victim’s Hard Drive
a. MD5 Hash: 5f014b21448adb756be0f8be7fc7156
b. SHA Hash: af17449a83681de22db7ce16672f16fbec0022371d4ace5d1854301e0
6. Once I had made the forensic images of the victim’s Hard Drive and USB Thumb Drive, I
tagged all the items into evidence boxes, and sealed them with evidence forensic tape,
and signed the evidence forensic tape with my name using a black magic marker. The
items collected into evidence boxes included: one computer, one monitor, one USB
Thumb Drive, computer cables, one black power cord, one wireless keyboard, and one
wireless mouse. All the steps taken adhered to the Chain of Custody, as these items
were taken back to the forensics lab to be analyzed, all per the issued warrant from the
Texas City Police Department.
7. No other digital device was found at the victim’s home, except for what has been
mentioned above: the one computer and USB Thumb Drive. There was no blank
CD/DVD media or cell phone found at the victim’s home. NO OTHER DIGITAL
DEVICES WERE FOUND.
8. There were three forensic images taken, along with their respective MD5 and SHA
hashes, which belonged to the following items listed here:
a. Volatile memory.
MD5 Hash: de677726e2982098ede441764591892b
SHA Hash: 6E7A4DDFDD4B01CF72C145F5B27D10B9C73D075A5277EC2356
9. Once back at the forensics lab, the integrity of the evidence box, and evidence tape was
checked for tampering. NO TAMPERING WAS FOUND.
10. The items removed from the evidence box were the victim’s Hard Drive, the new Hard
Drive (contains the victim’s bit-to-bit image), and USB Thumb Drive. A second cyber
forensic image was made of the victim’s Hard Drive and USB Thumb Drive with MD5
and SHA Hash. I personally verified and confirmed that all MD5 and SHA hashes of
the original victim’s Hard Drive and the previously made forensics image copies, which
were made at the victim’s crime scene, all matched.
THERE WAS NO TAMPERING OF ANY DIGITAL DEVICE DURING TRANSPORT OF
EVIDENCE FROM THE VICTIM’S CRIME SCENE, TO THE FORENSICS LAB.
11. The forensic image I created of the victim’s Hard Drive using FTK Imager (Forensic
Toolkit (FTK), 2017) included the MD5, and SHA hashes. Also included within the
forensic image was the master-boot record, logical volumes, meta-data, everything
about the Hard Drive. The same was done for the USB Thumb Drive.
12. The data collected from the volatile RAM while the computer was turned on at the victim’s
crime scene, using the Live Response forensic tool, included:
a. The type of network connection the computer was using to get onto the internet.
b. The current running processes.
c. What browser was used, and what web sites were visited.
d. Any scheduled jobs, which included: printing, e-faxes, any messages in queue.
e. Windows Registry.
f. Browser auto-completion, browser history, and user names and passwords to
web-sites.
g. SAM files (stores user names and passwords).
13. Data collected from the victim’s Hard Drive using the FTK Imager forensic tool included:
a. Protected files.
b. Hidden files.
c. The type of network connection the computer was using to get on the internet.
d. The current running processes.
e. What browser was used, and what web sites were visited.
f. Any scheduled jobs, which included: printing, e-faxes, any messages in queue.
g. Windows Registry.
h. Browser auto-completion, browser history, and user names and passwords to
web-sites.
i. SAM files (stores user names and passwords).
j. All telephone numbers and identities assigned to the phone numbers within the
contacts.
k. All stored electronic emails from email application Outlook 2010.
l. All email attachments, chat logs, and voice messages.
m. All stored images, documents, videos, and saved text messages.
n. All stored data in all installed software applications, which included:
i. Microsoft Office: Word, Excel, PowerPoint, Outlook.
ii. 3rd party contacts calendar.
iii. AOL Instant Messenger (AIM), and buddy lists.
iv. Anonymizer (software used to hide one’s online identity).
v. Facebook, personal profiles, interests, photos, private and public chats.
vi. Other social media sites, interests, photos, private and public chats.
vii. Instagram, shared comments on images, and videos.
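The integrity check described in steps 5, 8 and 10 above (hash at acquisition, re-hash at the lab, compare) can be scripted as follows. This is an added example, not part of the original report or of FTK Imager; the function names are hypothetical, the sample bytes are constructed, and "SHA" is assumed to mean SHA-1 or SHA-256. A recorded digest that is not a full-length hex string is reported as unverifiable rather than as a mismatch.

```python
import hashlib
import hmac
import io
import re

# Hex-digit length of a complete digest. The report says only "SHA";
# SHA-1 and SHA-256 are both accepted here (assumption).
DIGEST_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def hash_stream(stream, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Read the image once in chunks and feed every digest from the same read."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def normalise_recorded(algorithm, recorded):
    """Return the recorded digest as lower-case hex, or raise ValueError."""
    value = recorded.strip().lower()
    expected = DIGEST_HEX_LEN[algorithm]
    if not re.fullmatch(r"[0-9a-f]*", value) or len(value) != expected:
        raise ValueError(f"{algorithm}: expected {expected} hex digits, "
                         f"got {len(value)} characters")
    return value


def verify_image(stream, recorded):
    """Re-hash an image and compare it with the acquisition-time digests.

    Returns {algorithm: "MATCH" | "MISMATCH" | "UNVERIFIABLE: reason"}.
    """
    computed = hash_stream(stream, tuple(recorded))
    results = {}
    for algorithm, digest in recorded.items():
        try:
            value = normalise_recorded(algorithm, digest)
        except ValueError as exc:
            results[algorithm] = f"UNVERIFIABLE: {exc}"
            continue
        same = hmac.compare_digest(value, computed[algorithm])
        results[algorithm] = "MATCH" if same else "MISMATCH"
    return results


if __name__ == "__main__":
    image = b"constructed sample image bytes" * 1000  # stand-in for a disk image
    on_scene = hash_stream(io.BytesIO(image))          # digests logged at acquisition
    print(verify_image(io.BytesIO(image), on_scene))   # lab re-hash of the same data
    print(verify_image(io.BytesIO(image[:-1] + b"X"), on_scene))  # altered copy
    on_scene["md5"] = on_scene["md5"][:-1]             # mis-transcribed log entry
    print(verify_image(io.BytesIO(image), on_scene))
```

Recording both digests from a single read keeps the MD5 and SHA values tied to the same pass over the evidence, so a later discrepancy cannot be explained by the media changing between two hashing runs.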
I attempted first to view the contents of the sound forensic image of the victim’s computer
physical Hard Drive. I analyzed the contents of the image using keywords, or any words that
mentioned: cyber-bully, bullying, gun, suicide, derogatory comments, physical threats, harassing
and threatening text messages, threatening images, upsetting email, self-injury. Also, I verified
that all the forensic software used within this case was current and up to date.
2. Using the sound forensic image of the victim’s Hard Drive, I used the only two web
browsers installed within the forensic image. It would appear the victim used these two
browsers to visit two distinct types of websites. The victim used Internet Explorer, to visit
many random websites, including websites that contained information about suicide,
guns, and cyberbullying. The Google Chrome browser was only used for social media
websites.
3. According to time stamps and browser history, I found that three months prior to the
victim’s suicide, there were many visits to websites obsessed with suicide, guns, and
cyberbullying. Specifically, these were as follows:
8. Lostallhope.com
http://lostallhope.com/
9. Allaboutlifechallenges.org
http://www.allaboutlifechallenges.org/
10. https://www.youtube.com/watch?v=akxkwfOcmB0
11. http://www.wikihow.com/Shoot-a-Handgun
12. Google.com/search
https://www.google.com/
13. msn.com
http://www.msn.com/
14. youtube.com
https://www.youtube.com/
4. I was also able to review previous chat postings of the victim’s social media websites:
Facebook, and MySpace, because the Google Browser retained the login credentials to
these particular websites. I was able to log into the victim’s profile. There was no need
to crack any passwords to any of the victim’s social media websites.
5. I discovered the victim’s Facebook profile contained very strong negative language
directed to her from another Facebook user named “unknown victim”. From the chat
timestamps, these postings that had been going back and forth between the cyber-bully,
and the victim started about three months prior to the victim’s suicide. There was no first
or last name associated to this onscreen name, thus there was no way to identify this
user. I reached out to Facebook’s legal department (Facebook, 2017) to inquire if it was
necessary for me to seek a warrant to gain some information about this Facebook user
named “unknown victim”. Their response was to check if there was any real information
about the owner of this Facebook profile, and it turned out that all the personal
information used to create the Facebook profile was fictitious.
6. I discovered the victim’s MySpace profile contained very strong negative language directed
to her from another MySpace user named “my unknown victim”. From the chat
timestamps, these postings also started going back and forth between the cyber-bully
and the victim about three months prior to the victim’s suicide. There was no first or last
name associated to this onscreen name, thus there was no way to identify this user. I
reached out to MySpace’s legal department (MySpace, 2013) to inquire if it was
necessary for me to seek a warrant to gain some information about this MySpace user
named “my unknown victim”. Their response was to check if there was any real
information about the owner of this MySpace profile, and it turned out that all the
personal information to create the MySpace profile was fictitious.
7. Using the victim’s first and last name within the search field on youtube.com, I also
discovered many short video clips of a user named “yours truly”, talking behind a
cartoon mask, directing strong derogatory language about the victim’s physical
characteristics, including her weight. I took the same approach on youtube.com as I did
with Facebook’s and MySpace’s legal departments. They looked into
8. I also examined the physical Hard Drive, on which I discovered a number of deleted files.
These were discovered by markers left within the file management of the c: drive. The
forensic software used to recover deleted files is called OSForensics. I discovered
personal Word files of the victim’s diary. These files dated back a few months, to
August of 2016, when the cyberbullying started, and described that some boy was
behind the cyberbullying, and that she did not know who this boy could be, or how
he could know so much about her. I also was able to undelete more Word documents; these
documents dated closer to the victim’s suicide, November of 2016. The victim writes
about ways to take her own life, which included how to do it, when to do it,
where to do it, and what time to do it. No leads on who this boy’s name is.
9. After enabling the Windows file feature “hidden files”, I discovered the victim’s personal
diary. Going through the diary, I made an obvious observation: the deleted Word
documents I discovered were about death and much sadness, while the personal diary
had everyday stuff, nothing to do with death or sadness. There was no
10. Accessing the victim’s Gmail email account was a non-issue, since the browser retained
all usernames and passwords, including this Gmail account. After careful analysis
of the victim’s Gmail, I found there were many derogatory emails directed to the
victim from many different source email addresses. These seemed to be random, but
many. Reviewing the headers of the emails did not reveal a legitimate source, since
many third party email companies were used to hide who the sender was. No solid
information was reaped from the victim’s emails.
11. NOT found during the analysis were steganographic images, encrypted or zipped files, or
deleted audio files.
Timeline of Events
It would appear that three months prior to the victim’s suicide, there was browser activity on
many of the victim’s social media websites. There was also browser activity about cyberbullying,
guns, and suicide. During the last week of the victim’s life, there was a drop of online activity.
On the last day of the victim’s life August 29, 2016, there was no online activity.
It is also my conclusion, and expert opinion from the analysis I performed on the victim’s
computer, that this unknown suspect that went by the online persona names of “unknown
victim”, “my unknown victim”, and “yours truly” bullied and stalked the victim online to such an
extreme that it drove the victim to commit suicide. In my expert opinion, I recommend that this
unknown suspect be found and brought to trial in the suicide of Brady Vela.
Assignment Evidence
Package Power Point Presentation.pptx
References:
CERT, U. (2008). Computer Forensics. Retrieved July 10, 2017, from US-CERT:
https://www.us-cert.gov
Electronic Crime Scene Investigation A Guide for First Responders. (2001, July). Retrieved
July 10, 2017, from U.S. Department of Justice:
https://www.ncjrs.gov/pdffiles1/nij/219941.pdf
Facebook. (2017). Information for Law Enforcement Authorities. Retrieved July 10, 2017, from
Facebook: https://www.facebook.com/safety/groups/law/guidelines
Forensic Toolkit (FTK). (2017). Retrieved June 24, 2017, from ACCESSDATA:
http://accessdata.com/products-services/forensic-toolkit-ftk
MySpace. (2013, June 10). Law Enforcement. Retrieved July 10, 2017, from MySpace:
https://help.myspace.com/hc/en-us/articles/202248100-Law-Enforcement-
Quality Standards for Digital Forensics. (2012, November 20). Retrieved July 10, 2017, from
crime-scene-investigator:
http://www.crime-scene-investigator.net/quality-standards-for-digital-forensics.html
SWGDE Best Practices for Computer Forensics. (2006, July). Retrieved July 10, 2017, from
OAS.org: https://www.oas.org/juridico/spanish/cyb_best_pract.pdf