CATCH
Computer and Technology Crime High-Tech Response Team
FORENSIC COMPUTER EXAMINATION REPORT
Page 1 of 9

CASE NUMBER: 05-FR-0011
BEAT NUMBER:
CITY: Corona, CA
INCIDENT DATE: 1/26/2005
CODE SECTION AND DESCRIPTION (ONE INCIDENT ONLY):
LOCATION OF INCIDENT: Corona, CA
INVESTIGATOR: M. T. Kelly
ARJIS: 0703
AGENCY/DIVISION: SDSO/CATCH
DATE OF FOLLOW-UP: 4/6/2005
PRIMARY VICTIM'S NAME: Fraley, Linda
PRIMARY SUSPECT'S NAME: Manriquez, Selenne
SUSPECT'S DOB / AGE RANGE:


I have examined and forensically analyzed three computers seized by me on 1/26/2005 at 206 S.
Buena Vista Ave., Space 26, Corona, CA. For details of the seizure, see the Forensic Computer
Seizure Report by me dated 2/10/2005.
On 2/10/2005 I received a CATCH Forensic Service request from Detective W. Stephenson; this
request was assigned Forensic Case Number 05-FR-0011. Stephenson requested that the three
computers seized on 1/26/2005 be analyzed for any references to Linda Fraley (the victim),
Washington Mutual Bank, Dell, Victoria's Secret, feelnvoodoo74@yahoo.com,
supexptz007@yahoo.com and Teresa Carrillo.
On 2/10/2005 I retrieved three computers from CATCH Evidence in order to forensically image
each computer. On 2/15/2005 I prepared one Maxtor HDD to hold the Encase forensic images
from the computers by formatting the drive and creating a single partition. This was accomplished
without errors. The CATCH BCN for the drive is P0688.
Each computer was photographed prior to the start of the forensic imaging process. All seals were
found to be intact. Each computer was also photographed during the imaging process to
document the computer's condition and progress of the forensic imaging process. At the
completion of the forensic imaging process, all digital photographs were transferred to Compact
Disk in accordance with CATCH Policy.
Each computer was forensically imaged using Encase version 4.20 and by attaching the Hard
Disk Drive (HDD) to an A-Card write blocking device. This device's firmware has been previously
updated to prevent writing to any hard drives attached to it; the write blocking behavior has been
previously tested and verified for this device. The results of the imaging process can be seen
below. On completion of the imaging of the HDD, the computer was re-assembled. On 2/16/2005 I
returned all computers to CATCH Evidence. During the time the computers were in my
possession, they were maintained in my locked office at CATCH.
INVESTIGATOR: M. T. Kelly    AGENCY: SDSO/CATCH    DATE OF FOLLOW-UP: 3/28/2008
PEER REVIEW:    DATE OF PEER REVIEW:
APPROVED BY:    DATE OF APPROVAL:
FOLLOW-UP INVESTIGATION    CODE SECTION:    Page 2 of 9
CASE NUMBER: 05-FR-0011    REPORT DATE: 4/6/2005

COMPUTER F-1
eMachine Model W-3050, S/N CA7481001795
CATCH BCN E-1078
Upon receipt of this computer, all seals were found to be intact. After photographing, the single
HDD was removed from the computer and also photographed. No defects were noted. After
removing the HDD, I connected the computer to a monitor, keyboard, mouse and power and
accessed the BIOS, obtaining the following settings. (All local dates and times were obtained from
my Nextel Cellular Telephone.)
SYSTEM DATE: 2/25/2005    SYSTEM TIME: 1100 HRS
LOCAL DATE: 2/15/2005    LOCAL TIME: 1100 HRS


COMPUTER MEDIA:
One Seagate Model ST380011A HDD, serial number 5JVGRC28; 80 GB. This HDD was
connected to the Primary Master IDE bus, jumpered as Cable Select.
PHYSICAL EXAMINATION:
The HDD had no obvious physical defects and appeared to function normally.
LOGICAL EXAMINATION:
The HDD was forensically imaged with Encase version 4.20; this software is specifically designed
for use in computer forensics and is licensed to CATCH. The drive imaged normally, with no
anomalies noted. Encase reported the acquisition and verification MD5 hashes for this drive as
E4BD202CEC863825C5FB6C2278D92183. (An MD5 hash is a computer algorithm used to
calculate a digital fingerprint of the forensic image. The hash value is calculated during the
acquisition of the forensic image, and then again during the verification of the forensic image,
ensuring a duplicate digital image of the original drive.)
FINDINGS:
For the purposes of this analysis, this HDD was named eMachines HDD. There were two
partitions found on eMachines HDD: one NTFS partition with no volume name and a size of 69.6
GB and one FAT32 partition with a volume name RECOVERY and a volume size of 2.9 GB. The
FAT32 partition appears to be a hidden partition created by the computer manufacturer; it appears
to contain files necessary to recover from a system failure. Encase interpreted this partition as the
C drive. The NTFS partition is the bootable partition on the eMachines HDD; Encase interpreted
this partition as the D drive. All further references are to data contained on the NTFS partition.
Based on information recovered from the Windows Registry located on the NTFS partition,
eMachines HDD had the Windows XP operating system with Service Pack 2 installed on 1/3/2005
at 1524 hours. The registered owner and organization were blank. The operating system was
configured to use the Pacific Standard Time Zone and appeared to be configured correctly. The
registry did not contain any network setting information such as IP address, subnet mask or
default gateway. The computer name was recorded as YOUR-81D81111F9 and the primary
domain name was recorded as MSHOME. The last good shutdown date and time were recorded
as 1/25/2005 at 11:35:40. The following user accounts were identified: Administrator, ASPNET,
Guest, HelpAssistant, Owner and Support_388945a0. Of these accounts, only the Owner account
appeared to be active on the system. The Last Logon date and time for this account was recorded
as 1/25/2005 at 11:34:52. There were no shared folders and no mapped network drives listed in
the registry for this computer.
I conducted the following keyword searches on all computers: Linda Fraley, Washington Mutual
Bank, Dell, www.dell.com, Victoria's Secret, feelnvoodoo74@yahoo.com,
supexptz007@yahoo.com, and Teresa Carrillo. The only search hits on eMachines HDD on any of
the search terms were related to Dell or www.dell.com.
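As an added illustration (not part of this report), the following Python reproduces on a constructed in-memory image the two checks the report relies on: the acquisition-versus-verification MD5 comparison described under the Logical Examination, and a keyword search over the whole image, allocated or not, that records the physical offset and length of each hit the way the fragments below are reported. The image contents, the placeholder order number and the function names are assumptions.

```python
"""Added example, not part of the report: acquisition/verification hashing and a
keyword search with physical offsets, run over a constructed in-memory 'image'."""
import hashlib
import re
from typing import Iterable

# Constructed sample image (NOT evidence): zero/0xFF filler standing in for
# unallocated space, with two deleted-e-mail-style remnants dropped into it.
# The order number is a placeholder, not one from the case.
SAMPLE_IMAGE = (
    b"\x00" * 4096
    + b"Subject: Dell Order Summary for order number #000000000\r\n"
    + b"\x00" * 2048
    + b'<a href="http://www.dell.com/">Dell - Home Systems</a>'
    + b"\xff" * 1024
)

# The report's keyword list, as typed in the search.
SEARCH_TERMS = [
    "Linda Fraley", "Washington Mutual Bank", "Dell", "www.dell.com",
    "Victoria's Secret", "feelnvoodoo74@yahoo.com", "supexptz007@yahoo.com",
    "Teresa Carrillo",
]


def acquire(source: bytes, chunk_size: int = 512) -> tuple[bytes, str]:
    """Stream the source sector by sector, hashing while copying. Returns the
    image and the acquisition MD5 (upper-case hex, as Encase reports it)."""
    md5 = hashlib.md5()
    image = bytearray()
    for start in range(0, len(source), chunk_size):
        block = source[start:start + chunk_size]
        md5.update(block)
        image += block
    return bytes(image), md5.hexdigest().upper()


def verify(image: bytes, acquisition_hash: str) -> tuple[str, bool]:
    """Re-hash the stored image; a matching value shows the copy is bit-for-bit
    identical to what was read from the drive during acquisition."""
    verification_hash = hashlib.md5(image).hexdigest().upper()
    return verification_hash, verification_hash == acquisition_hash


def _printable(raw: bytes) -> str:
    """Render bytes like a text view: printable ASCII kept, everything else '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def keyword_search(image: bytes, terms: Iterable[str], ignore_case: bool = False,
                   context: int = 24) -> list[dict]:
    """Search the whole image for each term and record the physical offset,
    length and a short surrounding fragment of every hit, sorted by offset."""
    flags = re.IGNORECASE if ignore_case else 0
    hits = []
    for term in terms:
        pattern = re.compile(re.escape(term.encode("latin-1")), flags)
        for m in pattern.finditer(image):
            lo, hi = max(0, m.start() - context), min(len(image), m.end() + context)
            hits.append({"term": term, "offset": m.start(),
                         "length": m.end() - m.start(),
                         "fragment": _printable(image[lo:hi])})
    return sorted(hits, key=lambda h: h["offset"])


def terms_with_hits(hits: list[dict]) -> set[str]:
    """Which of the search terms produced at least one hit."""
    return {h["term"] for h in hits}


if __name__ == "__main__":
    image, acq = acquire(SAMPLE_IMAGE)
    ver, ok = verify(image, acq)
    print(f"acquisition {acq}\nverification {ver}\nmatch {ok}")
    for h in keyword_search(image, SEARCH_TERMS):
        print(f'{h["term"]:>14}  offset {h["offset"]:>8}  len {h["length"]:>3}  {h["fragment"]}')
```

On the constructed image only the Dell and www.dell.com terms hit, mirroring the report's finding for eMachines HDD; a single altered byte in the stored copy makes the verification hash differ from the acquisition hash.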
The following text fragments were located based on the search terms identified above. Each text
fragment was found in unallocated space, as indicated:
Comment: Recovered text fragment for search term Dell showing contents of Order From Dell (deleted e-mail.)
Physical Location: 5,352,107,520 | Logical Size: 67,478,810,624 | Physical Size: 67,478,810,624 | File Offset: 167839577 | Length: 2086
Inbox&MsgId=9754_949212_60106_1287_2399_0_344_4487_1636742387&PREV=1&inc=&num=&Idx=7&Search=&YY=
47803&order=down&sort=date&pos=0&view=a&head=b" onmouseover="window.status='From: melissa_harlan
@dell.com, Subject: Dell Order Summary for order number #154982914';return true" onmouseout="win
dow.status=window.defaultStatus;return true">Previous</a>
| <a href="/ym/ShowLetter?bo
x=Inbox&MsgId=9754_949212_60106_1287_2399_0_344_4487_1636742387&NEXT=1&inc=&num=&Idx=7&Search=&Y
Y=47803&order=down&sort=date&pos=0&view=a&head=b" onmouseover="self.status='From: melissa_harlan
@dell.com, Subject: Dell Order Summary for order number #154982856';return true" onmouseout="win
dow.status=window.defaultStatus;return true">Next</a>
| <a href="/ym/ShowFolder?box=Inb
ox&YY=47803&order=down&sort=date&pos=0&view=a&head=b" onmouseover="window.status='Folder: Inbox'
;return true" onmouseout="window.status=window.defaultStatus;return true">Back to Messages</a> <
/span> <span class="last"> <a href="/ym/ShowLetter/file.txt?box=Inbox&MsgId=9754_949212_60106_12
87_2399_0_344_4487_1636742387&bodyPart=1&filename=file.txt&save=1&download=1&YY=47803&order=down
&sort=date&pos=0&view=a&head=b">Save Message Text</a></span> </div> QDell's Order Status In
quiry line: 1-800-433-9014. ]Qty Part #
Description --- -------- -------------------------------------------1 221-6967 Axim X50v, Intel 624MHz, 128MBROM 64MB SDRAM, 3.7iVGA, 802
.11b, BT
1 310-5946 USB Cradle for Dell Axim X50 Handheld
1 950-4194 No Warranty, Year 2 and
3
1 960-2820 Technical Support, Electronics, Initial Year
1 960-3490 Type 11 Contract-Handh
eld Ad vance Exchange 1Yr Limited Warranty.
1 313-3046 3D Game CD Kit, Special Promo Bundle,
for Dell Axim X50v </tt></pre> &I<tr><td class=label nowrap>Date:</td><td> Sun, 26 Dec 2004
19:08:48 -0600</td></tr> </table> <tr>
<td><font face='arial' size='2'>Email Address:
</font></td>
<td><font face='arial' size='2'><b>FEELNVOODOO74@YAHOO.COM</b></font></td> </tr
<<TABLE CELLPADDING='0' CELLSPACING='0' BORDER='0' WIDTH='671'>

Comment: Recovered text fragment for search term Dell showing contents of e-mail to Way Chong from Dell re: Membership
account (deleted e-mail.)
Physical Location: 5,352,107,520 | Logical Size: 67,478,810,624 | Physical Size: 67,478,810,624 | File Offset: 167874700 | Length: 1234
ALIGN='LEFT' BGCOLOR='#00339A' WIDTH='150' ROWSPAN='2'><A target="_blank" HREF='http://www.del
l.com/' ><IMG SRC='http://membership.dell.com/myaccount/images/masthead_dell2.jpg' WIDTH='150'
HEIGHT='57' VSPACE='0' BORDER='0' ></A></TD>


</TR>
zEDear Way Chong,
O<form name="showLetter" method=post action="/ym/ShowLetter?Search=&Idx=5&YY=78532&order
=down&sort=date&pos=0&view=a&head=b"> :To learn more about how we use your information, see
our <a href="http://us.ard.yahoo.com/SIG=129oqm13t/M=224039.2020109.3495275.1958505/D=mail/S=15
0500004:FOOT2/EXP=1105425938/A=1052425/R=5/SIG=11b5p6lhe/*http://privacy.yahoo.com/privacy/us/ma
il/" target="_top">Privacy Policy</a></small></center>
j<tr bgcolor="#efefef"><td id=ygm
alinks class=ygmabk width="100%" colspan=3><font face="arial,helvetica,sans-serif" size="-2"><a
href="http://us.ard.yahoo.com/SIG=129i8fba3/M=289534.5473431.6553392.5333790/D=mail/S=150500004:
HEADR/EXP=1105425938/A=2378664/R=0/SIG=10mgpruen/*http://www.yahoo.com" target="_top"><font colo
r=#000000>Yahoo!</font></a> &nbsp; <a href="http://us.ard.yahoo.com/SIG=1<input type=text name=
p size=12 title="Enter search terms here"> <input type="hidden" name=".done"

Comment: Recovered text fragment for search term Dell showing contents of e-mail with Dell Order numbers (deleted e-mail.)
Physical Location: 5,352,107,520 | Logical Size: 67,478,810,624 | Physical Size: 67,478,810,624 | File Offset: 167930723 | Length: 1174
Associated Order Number: 154982872
oG?<form name=compose method=post action="/ym/Compose
?box=Inbox&Mid=9747_945403_59723_1286_2521_0_343_4703_2380752443&inc=&Search=&YY=38330&order=dow
n&sort=date&pos=0&view=a&head=b"> &(!<tr><td class=label nowrap>Subject:</td><td><a href="#at
tachments"><img src="http://us.i1.yimg.com/us.yimg.com/i/mail/clip.gif" width=11 height=16 borde
r=0 align=top></a> Dell Order Summary for order number #154982856</td></tr> </table> ?*1<li v
alue="0">As Inline Text</li> )h<TITLE>Dell - Home Systems</TITLE> R <input type="hidden
" name=".done" value="http://us.f513.mail.yahoo.com/ym/ShowLetter?MsgId=3655_956801_60872_1326_2
846_0_346_11220_2260659682&order=down&inc=&sort=date&view=a&head=b&box=Inbox&YY=78532"> </form>
N/KH<TD HEIGHT='17' VALIGN='middle' BGCOLOR='#CCDAF0'><A target="_blank" HREF='http://acc
essories.us.dell.com/sna/index.asp?customer_id=19' ><IMG SRC='http://membership.dell.com/myaccou
nt/images/sna.gif' WIDTH='122' HEIGHT='17' ALT='' BORDER='0' ></A></TD>
Kj<div id="ca
lendarshortcuts" class="shortcuts"> <strong><a target="_top" name="calendarshortcuts">Calendar
Shortcuts</a></strong>

Comment: Recovered text fragment for search term Dell showing contents of e-mail with Dell Order numbers (deleted e-mail.)
Physical Location: 5,352,107,520 | Logical Size: 67,478,810,624 | Physical Size: 67,478,810,624 | File Offset: 167987925 | Length: 75
top></a> Dell Order Summary for order number #154982807</td></tr> </table>

Comment: Recovered text fragment showing e-mail from Dell regarding Order #154982872.
Physical Location: 5,352,107,520 | Logical Size: 67,478,810,624 | Physical Size: 67,478,810,624 | File Offset: 167970695 | Length: 367
<a href="/ym/ShowLetter?box=Inbox&MsgId=9726_952900_60489_1286_2613_0_345_4831_2990278946&NEXT=1
&inc=&num=&Idx=6&Search=&YY=45104&order=down&sort=date&pos=0&view=a&head=b" onmouseover="self.st
atus='From: melissa_harlan@dell.com, Subject: Dell Order Summary for order number #154982872';re
turn true" onmouseout="window.status=window.defaultStatus;return true">Next</a>

Comment: Recovered text fragment showing e-mail from Dell regarding Temporary Dell Account Password.
Physical Location: 5,352,107,520 | Logical Size: 67,478,810,624 | Physical Size: 67,478,810,624 | File Offset: 167970312 | Length: 371
<a href="/ym/ShowLetter?box=Inbox&MsgId=9726_952900_60489_1286_2613_0_345_4831_2990278946&PREV=1
&inc=&num=&Idx=6&Search=&YY=45104&order=down&sort=date&pos=0&view=a&head=b" onmouseover="window.
status='From: Dell Home Systems Registration, Subject: Your Temporary Dell Account Password';ret
urn true" onmouseout="window.status=window.defaultStatus;return true">Previous</a>

Comment: Recovered text fragment showing e-mail from Dell regarding Order Number 154982849.
Physical Location: 5,352,107,520 | Logical Size: 67,478,810,624 | Physical Size: 67,478,810,624 | File Offset: 167879454 | Length: 213
<a href="/ym/ShowLetter?MsgId=9745_940883_59341_1286_3232_0_342_6167_769111826&Idx=9&YY=42506&in
c=25&order=down&sort=date&pos=0&view=a&head=b&box=Inbox">
Dell Order Summary for order number #154982849
</a>

Comment: Recovered text fragment showing e-mail from Dell regarding three Dell Order Numbers.
Physical Location: 5,352,107,520 | Logical Size: 67,478,810,624 | Physical Size: 67,478,810,624 | File Offset: 167858380 | Length: 837
Order Number: 154982807
s<div class="contentnav">
<span class="first">
<a href="/ym/ShowLetter?box=Inbox&MsgId=9738_937176_58958_1287_2418_0_341_4512_2097566469&PREV=1
&inc=&num=&Idx=10&Search=&YY=69036&order=down&sort=date&pos=0&view=a&head=b" onmouseover="window
.status='From: melissa_harlan@dell.com, Subject: Dell Order Summary for order number #154982849'
;return true" onmouseout="window.status=window.defaultStatus;return true">Previous</a>
|
<a href="/ym/ShowLetter?box=Inbox&MsgId=9738_937176_58958_1287_2418_0_341_4512_2097566469&NEXT=1
&inc=&num=&Idx=10&Search=&YY=69036&order=down&sort=date&pos=0&view=a&head=b" onmouseover="self.s
tatus='From: melissa_harlan@dell.com, Subject: Dell Order Summary for order number #154982781';r
eturn true" onmouseout="window.status=window.defaultStatus;return true">Next</a>

Comment: Recovered text fragment showing e-mail from Dell regarding Dell Order Number 154982781.
Physical Location: 5,352,107,520 | Logical Size: 67,478,810,624 | Physical Size: 67,478,810,624 | File Offset: 167846127 | Length: 376
<a href="/ym/ShowLetter?box=Inbox&MsgId=8239_926407_58198_1200_5873_0_337_24709_1885984626&PREV=
1&inc=&num=&Idx=12&Search=&YY=52188&order=down&sort=date&pos=0&view=a&head=b" onmouseover="windo
w.status='From: melissa_harlan@dell.com, Subject: Dell Order Summary for order number #154982781
';return true" onmouseout="window.status=window.defaultStatus;return true">Previous</a>

Comment: Recovered text fragment showing e-mail from Dell.
Physical Location: 5,352,107,520 | Logical Size: 67,478,810,624 | Physical Size: 67,478,810,624 | File Offset: 167830284 | Length: 369
<pre><tt>Your order with Dell has been processed and will go into production
upon authorization of your method of payment. Please review your order
detail below and save this e-mail. It contains your Customer Number and
your Order Number(s), which allow you to track your order's status. If
there are any changes, please contact your sales representative below.

Comment: Recovered text fragment showing e-mail from Dell regarding Dell Order Number 154982914.
Physical Location: 5,352,107,520 | Logical Size: 67,478,810,624 | Physical Size: 67,478,810,624 | File Offset: 167749573 | Length: 214
<a href="/ym/ShowLetter?MsgId=9726_952900_60489_1286_2613_0_345_4831_2990278946&Idx=6&YY=42506&i
nc=25&order=down&sort=date&pos=0&view=a&head=b&box=Inbox">
Dell Order Summary for order number #154982914
</a>

Comment: Recovered text fragment showing e-mail from Dell regarding Dell Order Number 154982781.
Physical Location: 5,352,107,520 | Logical Size: 67,478,810,624 | Physical Size: 67,478,810,624 | File Offset: 165182068 | Length: 215
<a href="/ym/ShowLetter?MsgId=9731_933482_58575_1287_2405_0_340_4495_3381389283&Idx=11&YY=42506&
inc=25&order=down&sort=date&pos=0&view=a&head=b&box=Inbox">
Dell Order Summary for order number #154982781
</a>

Comment: Recovered text fragment showing e-mail from Dell regarding Dell Order Number 154982872.
Physical Location: 5,352,107,520 | Logical Size: 67,478,810,624 | Physical Size: 67,478,810,624 | File Offset: 165177761 | Length: 399
<tr><td class=label nowrap>Subject:</td><td><a href="#attachments"><img src="http://us.i1.yimg.c
om/us.yimg.com/i/mail/clip.gif" width=11 height=16 border=0 align=top></a> Dell Order Summary fo
r order number #154982872</td></tr>
</table>
U73*DELL RECYCLES! For information about Dell's environmentally friendly
method to dispose of excess computer equipment, go to:
www.dell4me.com/recycling.

AOL 9.0, an internet service application, was installed on eMachines HDD. I located a single user
account for this software, gina951. I exported the applicable files and checked the stored e-mail
for this user; I found no e-mail items related to this case.
There were no other items of interest found on eMachines HDD.
COMPUTER G-1
ATX Clone, No Serial Number
CATCH BCN E-1079
Upon receipt of this computer, all seals were found to be intact. After photographing, the single
HDD was removed from the computer and also photographed. No defects were noted. After
removing the HDD, I connected the computer to a monitor, keyboard, mouse and power and
accessed the BIOS, obtaining the following settings. (All local dates and times were obtained from
my Nextel Cellular Telephone.)
SYSTEM DATE: 1/3/1999    SYSTEM TIME: 1200 HRS
LOCAL DATE: 2/15/2005    LOCAL TIME: 1347 HRS


COMPUTER MEDIA:
One Seagate Model ST34311A HDD, serial number 5BF206JC; 4.3 GB. This HDD was connected
to the Primary Master IDE bus, jumpered as Master.
PHYSICAL EXAMINATION:
The HDD had no obvious physical defects and appeared to function normally.
LOGICAL EXAMINATION:
The HDD was forensically imaged with Encase version 4.20; this software is specifically designed
for use in computer forensics and is licensed to CATCH. The drive imaged normally, with 63
sector blocks reporting read errors during acquisition. Encase reported the acquisition and
verification MD5 hashes for this drive as 077CBB82262A8A6E6D6F63C0FA75B653.
FINDINGS:
For the purposes of this analysis, this HDD was named ATX Clone HDD. There was a single
bootable partition found on ATX Clone HDD which was unnamed.
Based on Windows Registry Settings, the installed operating system was identified as Windows
Millennium Edition (version number 4.90.3000) first installed on 6/28/2000 at 1949 hours. The
registered owner and organization information was blank. The Time Zone was set as Pacific
Standard Time and appeared to be configured correctly. There were no network configuration
settings found. The computer name was recorded as OEM Computer.
The same keyword search as previously identified was also run on ATX Clone HDD. There were
no items of interest related to the case found on ATX Clone HDD.
AOL 9.0 was installed on ATX Clone HDD; I did not find any active user accounts for this
software.
No other items of interest were found on this computer.
COMPUTER F-6
Dell Inspiron 1000, Serial Number C7NVZ51
CATCH BCN E-1080
Upon receipt of this computer, all seals were found to be intact. After photographing, the single
HDD was removed from the computer and also photographed. No defects were noted. After
removing the HDD, I powered the computer and accessed the BIOS, obtaining the following
settings. (All local dates and times were obtained from my Nextel Cellular Telephone.)
SYSTEM DATE: 2/15/2005    SYSTEM TIME: 1746 HRS
LOCAL DATE: 2/15/2005    LOCAL TIME: 1545 HRS


COMPUTER MEDIA:
One Toshiba Model MK3021GAS HDD, serial number Z49S9593T; 30 GB. This HDD was
connected to the Primary Master IDE bus.
PHYSICAL EXAMINATION:
The HDD had no obvious physical defects and appeared to function normally.
LOGICAL EXAMINATION:
The HDD was forensically imaged with Encase version 4.20; this software is specifically designed
for use in computer forensics and is licensed to CATCH. The drive imaged normally, with no
anomalies. Encase reported the acquisition and verification MD5 hashes for this drive as
C600DA305FDCDBA73532266F43F6CCEA.
FINDINGS:
For the purposes of this analysis, this HDD was named Dell Inspiron HDD. There were three
partitions found on Dell Inspiron HDD: One FAT16 Partition of 15.6 MB and named DellUtility,
one NTFS partition of 25.7 GB with no name and one FAT32 partition of 2.2 GB with no name.
The FAT16 partition appears to be a hidden partition created by the computer manufacturer; it
appears to contain files necessary to recover from a system failure. Encase interpreted this
partition as the C drive. The NTFS partition is the bootable partition on the Dell Inspiron HDD;
Encase interpreted this partition as the D drive. Encase interpreted the FAT32 partition as the
E Drive.
Based on information recovered from the Windows Registry located on the NTFS partition, Dell
Inspiron HDD had the Windows XP operating system with Service Pack 2 installed on 1/19/2005
at 0303 hours. The registered owner was listed as ginna and the registered organization was
blank. The operating system was configured to use the Central Standard Time Zone and
appeared to be configured correctly. The registry did not contain any network setting information
such as IP address, subnet mask or default gateway. The computer name was recorded as
DC7NVZ51 and the primary domain name was recorded as MSHOME. The last good
shutdown date and time were recorded as 1/24/2005 at 17:57:20. The following user accounts
were identified: Administrator, dad, ginna, Guest, HelpAssistant and Support_388945a0. Of
these accounts, only the dad and ginna accounts appeared to be active on the system. The
Last Logon date and time for the dad account was recorded as 1/20/2005 at 21:07:44; the Last
Logon date and time for the ginna account was recorded as 1/25/2005 at 19:56:02. There were
no shared folders and no mapped network drives listed in the registry for this computer.
The same keyword search as previously identified was also run on ATX Clone HDD. There were
no items of interest related to the case found on ATX Clone HDD.
AOL 9.0 and AOL 9.0a were installed on ATX Clone HDD; I located a single user account for this
software, gina951. I exported the applicable files and checked the stored e-mail for this user; I
found no e-mail items related to this case.
No other items of interest were found on this computer.
CONCLUSIONS:
Based on the data previously discussed, it appears that the eMachines computer was used to
receive e-mails from Dell regarding several orders for Dell equipment, as well as at least one
e-mail regarding another identity theft victim, Way Chong. The two remaining computers did not
appear to have been used for this criminal purpose.

///////////////////////////////////////////////END OF REPORT//////////////////////////////////////////////////////////////
