report of forensic examination

Transcription

REPORT OF FORENSIC EXAMINATION
Prepared By: Tami L. Loehrs
LAW2000, Inc.
305 South Euclid, Suite 111
Tucson, Arizona 85719
520.219.6807
Prepared For: Steven Berne
Case No:
2:08 CR-000033
08-CR-0626
Case Name: United States vs. Milton Scott Pruitt
State of Georgia vs. Milton Scott Pruitt
Date:
12/26/2008
CASE NAME / NUMBER
DETAILS
United States vs. Milton Scott Pruit
2:08 CR-000033
PAGE 1 OF 58 PAGES
EXAMINATION REPORT
THIS IS A PRELIMINARY REPORT OF AN ONGOING FORENSIC EXAMINATION. THIS
REPORT MAY BE SUPPLEMENTED AS NEW EVIDENCE IS UNCOVERED.
SUMMARY OF FINDINGS
•
A review of the Panasonic Toughbook laptop computer identified as the Forsyth County computer issued to Milton
Scott Pruitt (HDD01) revealed no pornographic images in allocated or unallocated space indicating no
pornography was ever received or otherwise possessed on HDD01. In this regard, the evidence does not support
the charges in Federal Count One that Milton Scott Pruitt knowingly received child pornography on his Forsyth
County-issued computer.
•
With the exception of one Internet search term for “weird al ebony and ivory parody” on December 14, 2006, a
review of HDD01 revealed nothing of an obvious personal nature and all activity appeared to be related to Pruitt’s
work. With regard to March 15, 2007 specifically, there is no evidence that anything of a personal nature
occurred on HDD01. In this regard, the evidence does not support the charges in State Count II that Milton Scott
Pruitt willfully and intentionally violated the terms of his oath by using his county issued computer for his personal
use.
•
I found evidence that the Remote to County (Public Hotspot) connection was setup as a shortcut on HDD01 and
accessed from HDD01 on many occasions, including March 15, 2007. However, there is no evidence on HDD01
that anything of a personal nature occurred on this date and as such does not support the charges in State Count
I that Milton Scott Pruitt willfully and intentionally violated the terms of his oath by using his county issued
computer to access the wireless Internet account of Savis Communications for his personal use. Whether or not
Pruitt’s access to the wireless Internet account was conducted without authority is beyond the scope of my
examination.
•
Although there is evidence that a remote access connection was made to the Forsyth County Server from HDD01
on March 15, 2007, there is no evidence on HDD01 regarding the files accessed during that remote session. The
only evidence I have seen in this regard is two screenshots of the My Recent Documents folder for MSPruitt
allegedly taken from the Forsyth County Server. However, these two screenshots which purport to be the same
document submitted in two separate matters do not match and are forensically unsound. In order to make any
determinations with regard to files accessed during the remote session by MSPruitt on March 15, 2007, an
independent forensic examination of the Forsyth County Server needs to be conducted.
•
I found evidence that multiple USB media storage devices were connected to HDD01 from 01/18/06 through
05/03/07. However, the charges in State Counts IV, V, VI and VII do not provide any identification of the media
storage devices at issue such as a Hardware ID, Serial Number or Friendly Name. Therefore, it is impossible to
conclude from reviewing the evidence whether any of the media storage devices referenced in Counts IV, V, VI or
VII are, in fact, the same media storage devices connected to HDD01 or the media storage devices seized and
forensically examined.
•
I did not find any images of child pornography in allocated space on the HP Pavilion desktop computer seized
from Pruitt’s residence (HDD02).
TYPED EXAMINER’S NAME
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 2 OF 58 PAGES
EXAMINATION REPORT
•
I found approximately 63 images of child pornography in unallocated space on HDD02, all of which appear to
have been cached from Internet activity. As of the writing of this report, I have not found any evidence that Pruitt
knowingly received, viewed or otherwise possessed any of the images of child pornography found in unallocated
space. In this regard, the evidence does not support the charges in Federal Count Three that Milton Scott Pruitt
knowingly possessed child pornography on his home computer.
•
There is evidence that multiple users had access to HDD02 including Jami Suddeth. In fact, there is evidence
that Jami Suddeth was accessing HDD02 during several dates and times associated with deleted images of child
pornography and images identified in SA Stanley’s report.
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 3 OF 58 PAGES
EXAMINATION REPORT
FACTS OF CASE
The following are the facts of this case as they were set forth in the disclosure I reviewed:
On the morning of April 16, 2007, an Information Technology employee for the County Government of Forsyth, Georgia,
John-David Rusk (“Rusk”), noticed unusual Internet usage on the Forsyth County Server from the previous weekend of
April 14 and15, 2007. Rusk researched remote access connections and identified several users who connected to the
Server during the time in question, including MSPruitt. According to Rusk he opened the MSPruitt profile and “by
accident I sorted to see the oldest files first and was shocked to see thumbnail images of a disturbing sexual nature
accessed by the MSPruitt account on March 15, 2007.” Rusk immediately contacted Chief Hamrick to inquire if Pruitt
was authorized to view such material. Rusk never completed his research into the unusually high Internet usage.
On May 3, 2007, Special Agent Bobby Stanley (“SA Stanley”) received a request to investigate the remote access to the
Forsyth County Server by Pruitt. SA Stanley met with Rusk and was provided with Rusk’s report and a screen shot of
the My Recent Documents folder for MSPruitt. A review of the My Recent Documents folder for user MSPRUITT
revealed 10 images of child pornography opened between 2:07 a.m. through 03:16 a.m. on March 15, 2007. Before
concluding the interview, Rusk executed a RAS session and successfully copied a file from the remote computer to the
local computer showing that data could be copied during a remote session.
According to the event properties for March 15, 2007, at 2:01:10 a.m., MSPRUITT logged into the Remote Access
Server utilizing IP address 216.91.246.162. This IP address was traced to the patrol zone of South Precinct for which
Pruitt was assigned. (Investigative Summary Bates No. 163240.)
In an Affidavit and Application for Search Warrant prepared by Special Agent Bobby Stanley, SA Stanley states that it
appeared the only area Pruitt accessed were files belonging to Detective Roe and images associated with child
pornography investigations. According to Stanley, Pruitt navigated his way to S:\Roe\2007\mar\07031338 Joe Mamma
to access ten images of child pornography. Also according to SA Stanley in another document, images of child
pornography were accessed by MSPruitt from S:\Roe\2005\2005 CFTS\may 05\0505434 State v. Jackson CP\Exhibit 5
Forensics\Possible CP Unallocated_file. During his investigation, SA Stanley was provided with a screen capture taken
by the Forsyth County CID showing that the items in Roe’s folder show the “thumbnail” view by default. Accordingly, it
was concluded that MSPruitt had to scroll through those images to open the ten files found in the My Recent Documents
folder of the MSPruitt profile.
On May 11, 2007 at approximately 11:30 p.m., a search warrant was executed on Pruitt’s Crown Victoria patrol car and
items of evidentiary value were seized and recorded on GBI Evidence Receipt E-364895. Although the evidence receipt
is difficult to read, it appears that the items seized included a hard drive, a PNY thumb drive and a Panasonic Toughbook
laptop computer. (Investigative Summary, Bates No. 163249.)
On May 14, 2007, Special Agent Bobby Stanley conducted a forensic examination of a Panasonic Pro Toughbook laptop
computer and items of possible evidentiary value were found. A written report of the forensic examination prepared by
SA Stanley was not found in the disclosure I reviewed.
On May 16, 2007 at approximately 07:26 p.m., Pruitt was interviewed by SA Stanley at the Forsyth County Sheriff’s
Office. Although SA Stanley summarized this interview in an investigative summary, a transcript of this interview was not
found in the disclosure I reviewed.
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 4 OF 58 PAGES
EXAMINATION REPORT
On May 17, 2007 at 03:10 a.m., a search warrant was executed at the residence of Scott Pruitt and an HP Pavilion
Desktop computer was forensically previewed and seized. In addition, SA Stanley conducted on-sight forensic previews
of three thumb drives but found nothing of evidentiary value.
From May 16, 2007 through February 13, 2008, SA Stanley conducted a forensic examination of a Western Digital 250gb
hard dive bearing serial number WCANK2776793 (HDD02). The examination consisted of a search of the history files
and examining htm and dhtml files. During the exam, SA Stanley determined that “Pruitt had inserted the missing thumb
drive into his personal computer and viewed what appeared to be images of child pornography.” SA Stanley noted that
the images matched the naming nomenclature of images located on the Forsyth County Sheriff’s office server that
contained forensic files of child pornography investigations. A forensic report of the exam was saved as a file titled
Home.rtf, however, I did not see this report in the disclosure I reviewed. (Investigative Summaries, Bates No. 163265,
174533, 174537, 174540 and 176099.)
On or about August 20, 2008, an Indictment was filed in the United States District Court for the Northern District of
Georgia, charging Milton Scott Pruitt with the following:
Count One
On or about March 15, 2007, Milton Scott Pruitt knowingly received on his Forsyth County-issued computer child
pornography, in violation of Title 18, United States Code, Sections 2252A(1)(2)(A) and 2256(8)(A).
Count Two
Beginning on a date unknown and continuing through on or about May 16, 2007, Milton Scott Pruitt knowingly
received on his Forsyth County-issued computer child pornography, in violation of Title 18, United States Code,
Sections 2252A(1)(2)(A) and 2256(8)(A).
Count Three
Beginning on a date unknown and continuing through on or about May 16, 2007, Milton Scott Pruitt knowingly
possessed on his home computer child pornography, in violation of Title 18, United States Code, Sections
2252A(1)(2)(A) and 2256(8)(A).
On or about November 10, 2008, an Indictment was filed in the Forsyth Superior Court, charging Milton Scott Pruitt with
the following:
Count I
Milton Scott Pruitt, with the offense of Violation of Oath by a Public Officer, did willfully and intentionally violate the
terms of his oath on the 15th day of March by using his county issued computer to access the wireless Internet
account of Savis Communications, without authority and with the intent to appropriate said Internet service for his
personal use.
Count II
terms of his oath on the 15th day of March by using his county issued computer for his personal use.
Count III
terms of his oath on the 15th day of March by accessing files without authority.
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 5 OF 58 PAGES
EXAMINATION REPORT
Count IV
terms of his oath between the 11th day of October, 2006 and the 17th day of May, 2007 by keeping for his personal
use a media storage device seized in a criminal investigation.
Count V
terms of his oath on the 16th day of March by taking a county issued media storage device.
Count VI
Milton Scott Pruitt, with the offense of Theft by Taking, between the 11th day of October, 2006 and the 17th day of
May, 2007, did appropriate a media storage device which was seized in a criminal investigation.
Count VII
Milton Scott Pruitt, with the offense of Theft by Taking, on the 16th day of March did appropriate a county issued
media storage belonging to the Forsyth County Sheriff’s Office.
Count VIII
Milton Scott Pruitt, with the offense of Computer Theft, on the 16th day of March, did use a computer network
without authority and with the intent to appropriate the wireless Internet access of Savis Communications
Corporation.
PURPOSE OF EXAMINATION
Determine if the evidence supports the Federal charges that Milton Scott Pruitt knowingly received images of child
pornography on his Forsyth County-issued laptop computer (HDD01).
Determine if the evidence supports the Federal charges that Milton Scott Pruitt knowingly received and possessed
images of child pornography on his home computer (HDD02).
Determine if the evidence supports the State charges that Milton Scott Pruitt accessed the wireless Internet account of
Savis Communications without authority with the intent to appropriate said service for his personal use; used his county
issued computer for personal use; accessed files without authority; kept for his personal use a media storage device
seized in a criminal investigation; and took a county issued media storage device belonging to the Forsyth County
Sheriff’s Office.
EVIDENCE EXAMINED
Item No
Description
Notes
HDD01
80gb hard drive from Panasonic Pro
Toughbook laptop computer seized from
Pruitt’s patrol car
Original evidence remains in the custody of the
Georgia Bureau of Investigation, forensic
analysis was conducted on EnCase evidence
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 6 OF 58 PAGES
EXAMINATION REPORT
HDD02
Western Digital 250gb hard drive, S/N:
WCANK2776793, from HP Pavilion desktop
computer seized from Pruitt’s residence
HDD03
512mb Thumb Drive seized from Pruitt’s
Patrol car; S/N 0016-9E40
HDD04
1gb Thumb Drive seized from Pruitt’s
residence; S/N E3BD-E7F7
files provided by Special Agent Bobby Stanley
EXAMINATION DETAILS
On December 1, 2008 at 08:30 a.m., I arrived at the Georgia Bureau of Investigation and met with SA Stanley. He
provided me with a Dell XPS M1730 Laptop computer, with an Intel Core 2 Extreme 2.8ghz processor, 3.18gb of RAM
and Windows XP Service Pack 2. In addition, SA Stanley provided me with two hard drives and a Tableau write blocker.
The first hard drive was a Seagate 1000gb SATA Hard Drive, SN 90J0MG76, labeled Pruit Patrol PC. I attached the
drive to the write blocker and viewed the contents which included EnCase evidence files identified as toughb.E01
through toughb.E60. The second hard drive was a Seagate 1000gb SATA, SN 9QJ1CRPV, labeled Pruit Home PC.
This drive contained EnCase evidence files identified as image.E01 through image.EKN.
Inasmuch as I could not connect both drives to the forensic laptop at the same time, and there was not enough time in
three days to conduct two completely separate forensic exams, I copied the evidence files from the Panasonic
Toughbook to the Dell XPS laptop after confirming that no child pornography existed on that piece of evidence. I then
connected the second drive with the home PC to the write blocker and added evidence files for both drives to EnCase
and FTK. I set FTK to index and carve image files from unallocated space and as FTK processed the evidence, I began
my examination using EnCase.
Neither of the evidence drives I received from SA Stanley contained images for the thumb drives seized pursuant to the
evidence sheets I reviewed. I spoke with SA Stanley regarding the thumb drives and he explained that he had one of the
thumb drives on location and would make me a forensic image and the other drive would have to be sent down from
Forsyth County. Shortly thereafter, SA Stanley provided me with a blue thumb drive identified with white letters “PNY”.
This drive contained one file titled PNY.E01. I added the PNY.E01 file to the EnCase case file and noted one device
labeled Untitled. I bookmarked the specifications, folder structure and exported the file listing. I asked SAt Stanley
about the origination of this drive and he stated that this was one of the drives seized from Pruitt’s Patrol car. He further
stated that the Evidence sheet regarding this drive is in the disclosure materials. I located a Forsyth County Sheriff’s
Office Property & Evidence sheet dated 10/11/06 identifying 1 512 PNY technologies Attache Jump Drive, Serial No
0528-AWK6990149. According to the evidence sheet, the location where this drive was found is identified as person. I
concluded my exam for the day at 05:00 p.m. At that time, FTK was still processing the evidence and I let EnCase run
various forensic processes to run overnight.
On December 2, 2008 at 08:30 a.m., I arrived at the Georgia Bureau of Investigation and was escorted by SA Stanley to
the forensics computer. I noted that FTK was still processing the evidence and EnCase had concluded its processes. I
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 7 OF 58 PAGES
EXAMINATION REPORT
continued conducting my exam until 05:00 p.m. at which time FTK was still processing the evidence and I allowed
EnCase to run additional processes overnight.
On December 3, 2008 at 08:30 a.m., I arrived at the Georgia Bureau of Investigation and was escorted by SA Stanley to
the forensics computer. I noted that FTK was still processing the evidence and EnCase had concluded its processes. At
approximately 9:30 a.m., SA Stanley provided me with an EnCase evidence file titled Pruitt.E01. I added this file to the
EnCase case file and noted one device labeled untitled. I bookmarked the specifications, folder structure and exported
the file listing. I asked SA Stanley about the origination of this drive and he stated that this thumb drive was seized from
Pruitt’s residence and that he had not previously examined this drive. I located a Forsyth County Sheriff’s Office
Property & Evidence sheet dated 05/17/07 identifying 1 Hitachi 1g jump drive, no serial number. According to the
evidence sheet, the location where this drive was found is unreadable but appears to be living room.
At approximately 02:30 p.m., I concluded my examination for the purpose of allowing time to export out evidentiary data
for further examination at my forensics lab in Tucson and to catch my flight back to Tucson. FTK was still processing the
evidence at this time so I canceled the process and closed FTK. All of the data I exported for further examination was
contained in a folder under Desktop\Pruitt\Export. I showed SA Stanley the data folder I needed copied and connected
my 160gb USB drive to the forensics laptop. SA Stanley re-enabled write access to the USB port on the forensic laptop
and he copied the Export folder to my USB drive ensuring that no contraband was exported.
Upon returning to Tucson, I continued my examination of the evidence using the data exported during my examination at
the GBI in Atlanta, Ga.
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 8 OF 58 PAGES
EXAMINATION REPORT
PANASONIC PRO TOUGHBOOK LAPTOP COMPUTER (HDD01)
System Specifications
I ran the Initialize Case feature of EnCase and noted that a forensic image of HDD01 was created on 11/25/08 at 12:37
p.m. by Stilger. HDD01 has one partition identified as C, with a total capacity of 37.3gb and 8.4gb allocated to data. The
operating system is Windows XP and was installed on 10/20/05 at 06:31 p.m. registered to Forsyth County Government.
Other than the default accounts created by the Windows operating system, I noted one user account for MDT and one
user account for MDTAdmin. The time zone was set to Eastern Standard time and I assured that EnCase and FTK were
set accordingly.
Name:
ActualDate:
TargetDate:
FilePath:
Case Number:
Evidence Number:
Examiner Name:
Notes:
Drive Type:
File Integrity:
Acquisition Hash:
Verify Hash:
EnCase Version:
System Version:
Fastbloced:
Is Physical:
Compression:
Total Sectors:
C
Volume
File System:
Sectors per cluster:
Total Sectors:
Total Clusters:
Free Clusters:
Volume Name:
Id:
Serial Number:
Full Serial Number:
Driver Information:
OS Info
Product Name:
Current Version:
Registered Owner:
Registered Organization:
System Root:
Current Build Number:
Path Name:
toughb
11/25/08 12:37:03PM
11/25/08 12:37:03PM
F:\toughb.E01
bobby image
toughb
stilger
DRIVEFIXED
Verifying
524BBF39C73DF8DD7E9E0DD7C75277C0
6.11
Windows XP
No
Yes
None
78140160
NTFS
8
78,124,032
9,765,503
7,561,734
Drive Type:
Bytes per sector:
Total Capacity:
Unallocated:
Allocated:
Volume Offset:
S-1-5-21-2709433111-2501898379-1022875441
B86C-6E5E
8B86C80B86C6E5E
NTFS 3.1
Fixed
512
39,999,500,288 bytes (37.3GB)
30,972,862,464 bytes (28.8GB)
9,026,637,824 bytes (8.4GB)
63
Microsoft Windows XP
5.1
Forsyth County Government
Forsyth County Government
C:\WINDOWS
2600
C:\WINDOWS
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 9 OF 58 PAGES
EXAMINATION REPORT
Product ID:
Last Service Pack:
Product Key:
VersionNumber:
Source Path:
Install Date:
Last Shutdown Time:
55274-OEM-0011903-00116
Service Pack 2
User name:
Full Name:
Type of User:
Account Description:
Primary Group Number:
Security Identifier:
User belongs to group:
MDT
MDT
Local User
MDT User
513
S-1-5-21-2709433111-2501898379-1022875441-1006
Users
Power Users
Logon Script:
Profile Path:
Last Logon:
Last Password Change:
Last Incorrect Password Logon:
User name:
Full Name:
Type of User:
Logon Script:
Profile Path:
Last Logon:
c:\windows
10/20/05 06:31:58PM
05/04/07 05:01:53PM
%SystemDrive%\Documents and Settings\MDT
05/04/07 03:52:23AM
10/20/05 06:58:43PM
05/04/07 03:52:18AM
MDTAdmin
Local User
Built-in account for administering the computer/domain
513
S-1-5-21-2709433111-2501898379-1022875441-500
Administrators
%SystemDrive%\Documents and Settings\Administrator
02/08/07 09:52:08PM
12/17/05 12:46:02AM
02/08/07 09:52:06PM
TimeZone Info
Current control set is 001
Default control set is 001
Failed control set is 000
LastKnownGood control set is 002
Standard time bias is -5:00 hours offset from GMT.
StandardName: Eastern Standard Time
Standard time is set to change the Standard bias by 0 minutes.
Standard time is set to change on Sunday of the 5th week of October, at 02:00 hours.
DaylightName: Eastern Daylight Time
Daylight savings is set to change the Standard bias by 60 minutes.
Daylight savings time is set to change on Sunday of the 1st week of April, at 02:00 hours.
Active time bias is -4:00 hours offset from GMT.
The current time setting is -4:00 hours offset from GMT.
The offset must be either added or subtracted from GMT depending on the time zone location
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 10 OF 58 PAGES
EXAMINATION REPORT
Mapped Info
Administrator
Drive:
RemotePath:
UserName:
ProviderName:
ProviderType:
ConnectionType:
DeferFlags:
Z
\\172.27.128.8\Forsyth FTP
ISDMS\administrator
Microsoft Windows Network
131072
1
4
Last Accessed
I sorted all files on HDD01 by Last Accessed date to confirm the original evidence was not accessed after it was seized.
The evidence revealed that HDD01 was last accessed on 05/04/07 at 07:01 a.m. which is consistent with no access after
the evidence was seized.
IMAGES
I reviewed all images in allocated space using the Gallery View in EnCase and noted a total of 3001 images, including
default system images, cached Internet images and default images from software applications. I did not find any images
of an obvious personal nature and no adult pornography or child pornography.
I ran the File Mounter process in EnCase to open compound files such as the thumbs.db. The thumbs.db is a hidden file
created by the Windows operating system that stores small thumbnails of images that are on the computer. Each folder
containing images or videos will also have a corresponding thumbs.db file. When an image or video is deleted from the
computer, the thumbnail of that image will remain in the thumbs.db. The thumbs.db files are compressed and must be
“mounted” or uncompressed before the images inside those files can be seen. The thumbs.db files are commonly
examined during a forensic analysis to determine if child pornography images existed on the computer at one time and
were subsequently deleted. I did not find any images of an obvious personal nature and no adult pornography or child
pornography in the thumbs.db files.
I ran the file carver for all .jpg images in unallocated space and recovered 7910 images. I reviewed all 7910 images but
did not find any images of an obvious personal nature and no adult pornography or child pornography.
MULTIMEDIA FILES (VIDEOS)
I sorted all files by file extension and looked for .avi, .mpeg, .mov, and .wmv files. I found several video files associated
with software applications but nothing of a personal nature and nothing containing adult pornography or child
pornography.
FOLDER STRUCTURE
I reviewed the entire Folder Structure of HDD01 for any user-defined files and folders indicative of adult pornography or
child pornography but found none. To view the Folder Structure in its entirety, click here. I reviewed various locations in
the Folder Structure that commonly contain items of evidentiary interest but I found nothing related to adult pornography
or child pornography.
Desktop
The Desktop is the graphical user interface that appears when the computer is booted up. The Desktop consists of
icons, windows, toolbars, folders and wallpaper and users commonly create shortcuts on the Desktop to files and folders
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 11 OF 58 PAGES
EXAMINATION REPORT
of interest for easy access. I located one folder titled Camera Photos with several non-pornography photographs, but I
did not find anything of a personal nature and nothing related to adult pornography or child pornography.
Cookies
Cookies are text files sent by a server to a Web client used for authenticating, session tracking and maintaining specific
information about users. These Cookies are automatically cached to the hard drive, named by the website address and
stored in a folder under each user’s Windows profile. I reviewed the Cookies folder under the profile MDT and found 10
Cookies but nothing of a personal nature and nothing related to adult pornography or child pornography.
My Documents
My Documents is a default folder created under each user’s profile by the Windows operating system and is considered
the standard location for storing user-defined files and folders. All of the folders in this location are default folders
installed by Windows. I found three user-defined documents, two of which are related to Remote Desktop but I did not
find anything of an obvious personal nature and nothing related to child pornography or adult pornography.
Recent Folder
When a file is opened on a computer running the Windows operating system, the file name of the opened file is saved
with a .lnk file extension in the Recent Folder. These links contain dates and times when the files were opened (File
Created), when they were opened again (Last Written) and the full path where the file is/was located. I reviewed the
Recent folder and found 152 link files with activity from 10/20/05 through 05/03/07. The majority of the links are related
to work documents on the desktop. I did not find any links to files of an obvious personal nature and nothing indicative
of adult pornography or child pornography.
There are links to ten image files opened on 03/26/07 at 2:06 p.m. from D:\Pics, identified as a Store’N’Go USB drive
(highlighted in yellow below.) To view all details of the link files, click here. Although these files have the same naming
nomenclature as files on the Forsyth County Server that allegedly contain images of child pornography, there is no
evidence that the files identified in the Recent folder actually contain child pornography inasmuch as the actual files
were not found on HDD01 and the Store’N’Go USB drive was not examined. If this file naming nomenclature is
commonly used for other files on the Forsyth County Server of a non-pornographic nature, then it would be impossible
to determine if these images were related to a legitimate investigation versus images of child pornography without
examining the images on the Store’N’Go USB drive.
Name
Desktop.ini
DATE.lnk
PRINT STUFF (E).lnk
world_of_warcraft_hunter_b.lnk
02-11-07 (2).lnk
JANUARY 2007.lnk
Click It or Ticket.lnk
B Watch Click or Ticket Master JAN.lnk
Click or Ticket FEB 07.lnk
Removable Disk (E).lnk
02-12-07 North Precinct.lnk
File Created
10/20/05 09:17:49AM
02/12/07 02:32:19AM
02/14/07 02:39:08PM
02/14/07 02:39:14PM
02/14/07 08:56:29AM
02/14/07 10:49:30PM
02/14/07 10:49:30PM
02/14/07 10:49:36PM
02/14/07 10:52:31PM
02/14/07 10:52:31PM
02/15/07 02:32:49AM
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
Last Written
12/19/05 01:33:45PM
02/12/07 02:32:27AM
02/14/07 02:39:14PM
02/14/07 02:39:14PM
02/14/07 03:36:35PM
02/14/07 10:49:35PM
02/14/07 10:49:36PM
02/14/07 10:49:36PM
02/14/07 10:52:31PM
02/14/07 10:52:31PM
02/15/07 02:33:05AM
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 12 OF 58 PAGES
EXAMINATION REPORT
02-13-07 Passdown.lnk
02-14-07 (2).lnk
Copper thefts and residential burglaries.lnk
Defensive Tactics In-service.lnk
Doc1__.lnk
D-South Pass Down 02-13-07.lnk
FW STINGER CLASS.lnk
N SOARPassdown.lnk
NORTH SOAR Passdown.lnk
NOTES TO ONCOMING SHIFT 02-12-07 C-WATCH
NORTH.lnk
NORTH.lnk
Passdown.lnk
Seniority February 07.lnk
South DShift 02-12-07.lnk
South Pct 021207 Weekly Roster.lnk
Watch Preference Plan February 07.lnk
Badge Numbers ACTIVE-INACTIVE.lnk
02-15-07.lnk
gcic wanted person located 07-02-00056.lnk
WANTED PERSON LOCATED 07-02-00056.lnk
07-02-00056 WANTED PERSON LOCATED.lnk
02-18-07 Passdown C-SHIFT SOUTH.lnk
02-19-07 (2).lnk
07b006U.lnk
BOLO.lnk
bolo.doc.lnk
C Watch Passdown 02-17-07.lnk
FW Suspecious Vehicle.lnk
HEAT Posting21407_.lnk
K-9 Posting021907.lnk
North B Passdown.lnk
NORTH SOAR PASSDOWN 02-16-07.lnk
02/15/07 02:34:21AM
02/15/07 02:35:20AM
02/15/07 03:18:39AM
02/15/07 03:19:37AM
02/10/07 02:20:54AM
02/15/07 03:21:53AM
02/15/07 03:22:12AM
02/15/07 03:22:24AM
02/10/07 02:24:54AM
02/15/07 02:35:16AM
02/15/07 02:35:25AM
02/15/07 03:19:36AM
02/15/07 03:20:55AM
02/15/07 03:21:51AM
02/15/07 03:22:11AM
02/15/07 03:22:23AM
02/15/07 03:22:49AM
02/15/07 03:23:01AM
02/15/07 03:23:03AM
02/15/07 03:27:06AM
02/15/07 03:27:07AM
02/10/07 02:27:10AM
02/15/07 03:31:50AM
02/15/07 03:31:58AM
02/15/07 03:32:13AM
02/15/07 03:32:26AM
02/15/07 09:48:24AM
02/16/07 12:46:12AM
02/19/07 09:10:38PM
02/19/07 09:11:38PM
02/19/07 09:10:40PM
02/20/07 09:36:33PM
02/20/07 09:37:59PM
02/20/07 09:38:11PM
02/20/07 05:04:25AM
02/20/07 09:41:33PM
02/20/07 09:41:42PM
02/20/07 09:41:48PM
02/20/07 09:42:15PM
02/20/07 09:42:21PM
02/20/07 09:42:52PM
02/20/07 05:04:38AM
02/20/07 09:47:43PM
02/20/07 09:48:35PM
02/10/07 02:24:02AM
02/20/07 09:49:00PM
02/20/07 09:49:29PM
02/20/07 09:49:46PM
02/15/07 03:31:33AM
02/15/07 03:31:49AM
02/15/07 03:31:57AM
02/15/07 03:32:11AM
02/15/07 03:32:25AM
02/15/07 03:37:51AM
02/15/07 10:57:55AM
02/16/07 12:46:24AM
02/19/07 09:11:36PM
02/19/07 09:11:50PM
02/19/07 09:11:50PM
02/20/07 09:37:54PM
02/20/07 09:37:59PM
02/20/07 09:38:14PM
02/20/07 09:38:40PM
02/20/07 09:41:33PM
02/20/07 09:41:42PM
02/20/07 09:42:14PM
02/20/07 09:42:20PM
02/20/07 09:42:51PM
02/20/07 09:44:27PM
02/20/07 09:44:45PM
02/20/07 09:47:55PM
02/20/07 09:48:38PM
02/20/07 09:48:59PM
02/20/07 09:49:28PM
02/20/07 09:49:45PM
02/20/07 09:50:00PM
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 13 OF 58 PAGES
EXAMINATION REPORT
NORTH.lnk
NORTH.lnk
Employee Ride Along.lnk
Citizen Ride Along.lnk
ride along.lnk
Incident Report.lnk
02-19-07.lnk
KELLER.lnk
02-27-07 Passdown C-Shift South.lnk
02-28-07 (2).lnk
02272007.lnk
BOLO-1068.lnk
BOLO-1068A.lnk
employeeconcerns.lnk
employeeconcerns2.lnk
Extra Patrol 20 beat.lnk
Extra Patrol Request.lnk
FW Bald Ridge Acres.lnk
FW High Value Stolen Rims.lnk
FW Hole in the Wall Burglary.lnk
Grand Jury TRIAL DATES 2007.lnk
RE New Hospital Guard On-Call List.lnk
02-28-07PD.lnk
A South PASSDOWN 02-28-07.lnk
B Watch Passdown 02-28-07.lnk
PASSDOWN 02-28-07.lnk
FW No Driver's License.lnk
02-14-07.lnk
01-22-07.lnk
Bald Ridge Acres Extra Patrol 30 beat.lnk
02/20/07 09:50:01PM
02/20/07 05:04:54AM
02/21/07 07:32:30AM
02/21/07 07:33:54AM
02/21/07 07:35:35AM
02/28/07 10:59:24PM
02/20/07 09:38:15PM
02/20/07 05:04:25AM
03/01/07 01:56:10AM
03/01/07 01:56:19AM
03/01/07 01:56:39AM
03/01/07 01:57:23AM
03/01/07 01:58:21AM
03/01/07 01:58:37AM
03/01/07 01:58:42AM
03/01/07 01:59:22AM
03/01/07 01:59:58AM
02/10/07 02:23:37AM
03/01/07 02:02:08AM
03/01/07 02:02:15AM
03/01/07 02:02:28AM
03/01/07 02:02:38AM
03/01/07 02:02:52AM
03/01/07 02:02:55AM
03/01/07 02:03:11AM
03/01/07 02:03:19AM
03/01/07 02:03:35AM
03/01/07 02:03:46AM
03/01/07 02:05:46AM
03/01/07 11:31:23PM
03/01/07 11:32:05PM
03/01/07 11:33:13PM
03/01/07 11:33:38PM
03/01/07 11:34:34PM
02/15/07 02:32:49AM
03/01/07 11:39:50PM
03/01/07 11:39:50PM
03/02/07 01:50:13AM
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
02/20/07 09:50:06PM
02/20/07 09:50:25PM
02/21/07 07:32:30AM
02/21/07 07:33:54AM
02/21/07 07:35:35AM
02/28/07 10:59:24PM
02/28/07 11:51:47PM
02/28/07 11:51:47PM
03/01/07 01:56:13AM
03/01/07 01:56:19AM
03/01/07 01:56:39AM
03/01/07 01:57:26AM
03/01/07 01:58:29AM
03/01/07 01:58:41AM
03/01/07 01:59:20AM
03/01/07 01:59:56AM
03/01/07 02:01:59AM
03/01/07 02:02:03AM
03/01/07 02:02:13AM
03/01/07 02:02:26AM
03/01/07 02:02:37AM
03/01/07 02:02:50AM
03/01/07 02:02:52AM
03/01/07 02:02:55AM
03/01/07 02:03:13AM
03/01/07 02:03:33AM
03/01/07 02:03:44AM
03/01/07 02:04:03AM
03/01/07 02:05:46AM
03/01/07 11:31:37PM
03/01/07 11:33:11PM
03/01/07 11:33:32PM
03/01/07 11:33:48PM
03/01/07 11:34:34PM
03/01/07 11:38:36PM
03/01/07 11:42:00PM
03/01/07 11:42:00PM
03/02/07 01:50:13AM
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 14 OF 58 PAGES
EXAMINATION REPORT
02-28-07.lnk
03-05-07.lnk
Tidwell 1-46 movies.lnk
!Start.lnk
0064.lnk
0079.lnk
0080.lnk
0102.lnk
0101.lnk
0111.lnk
0114.lnk
0132.lnk
0081.lnk
0029.lnk
Pics.lnk
Shift Deputies.lnk
Quarterly Eval.lnk
Quarterly Eval Devereaux.lnk
Devereaux.lnk
Bishop.lnk
Bishop (2).lnk
FCSO Employee Manual.revised-1-16-2007.lnk
Mobile Video Master Log.lnk
Mobile Video Recording Tape Tracking Log.lnk
Tape Drop.lnk
Award.lnk
04102007.lnk
3667_001.lnk
041107 Burglary Weekly.lnk
041107 Entering Autos Weekly.lnk
041107 Motor Veh Theft Weekly.lnk
aprilphotoshoot.lnk
FBI RFI.lnk
FW Forsyth Co Website Noise ordinance.lnk
Mar 07 Monthly.lnk
New Microsoft Word Document.lnk
Passdown Sheet 04-09-07.lnk
PITTS BOLO 1.lnk
PITTS BOLO 2.lnk
03/01/07 01:56:19AM
03/05/07 11:23:40PM
03/05/07 11:23:40PM
03/25/07 05:43:23AM
03/25/07 05:43:23AM
03/26/07 02:06:45PM
03/26/07 02:07:09PM
03/26/07 02:07:14PM
03/26/07 02:07:41PM
03/26/07 02:09:03PM
03/26/07 02:09:30PM
03/26/07 02:09:44PM
03/26/07 02:10:05PM
03/26/07 02:10:43PM
03/26/07 02:11:15PM
03/22/07 02:04:09PM
03/29/07 02:00:24AM
02/14/07 01:26:51PM
03/29/07 02:48:26AM
03/29/07 02:48:26AM
02/14/07 01:26:41PM
04/06/07 10:28:12PM
02/14/07 10:44:08AM
02/15/07 03:46:06AM
02/15/07 03:44:40AM
04/09/07 12:23:14AM
04/11/07 09:04:43PM
04/11/07 09:04:43PM
04/11/07 09:05:39PM
04/11/07 09:05:58PM
04/11/07 09:06:36PM
04/11/07 09:06:59PM
04/11/07 09:07:19PM
04/11/07 09:08:21PM
04/11/07 09:08:42PM
04/11/07 09:08:50PM
04/11/07 09:09:00PM
04/11/07 09:09:14PM
04/11/07 09:09:24PM
04/11/07 09:09:39PM
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
03/02/07 01:50:13AM
03/05/07 11:24:29PM
03/05/07 11:24:29PM
03/25/07 05:43:23AM
03/25/07 05:43:23AM
03/26/07 02:06:45PM
03/26/07 02:07:09PM
03/26/07 02:07:14PM
03/26/07 02:07:41PM
03/26/07 02:09:03PM
03/26/07 02:09:30PM
03/26/07 02:09:44PM
03/26/07 02:10:05PM
03/26/07 02:10:43PM
03/26/07 02:11:15PM
03/26/07 02:11:15PM
03/29/07 02:00:24AM
03/29/07 02:00:24AM
03/29/07 02:48:26AM
03/29/07 02:48:26AM
04/06/07 10:28:28PM
04/06/07 10:28:28PM
04/07/07 11:03:16PM
04/09/07 12:21:03AM
04/09/07 12:21:24AM
04/09/07 12:23:14AM
04/11/07 09:05:27PM
04/11/07 09:05:27PM
04/11/07 09:05:39PM
04/11/07 09:05:58PM
04/11/07 09:06:36PM
04/11/07 09:06:59PM
04/11/07 09:08:13PM
04/11/07 09:08:21PM
04/11/07 09:08:42PM
04/11/07 09:08:50PM
04/11/07 09:09:07PM
04/11/07 09:09:20PM
04/11/07 09:09:24PM
04/11/07 09:09:39PM
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 15 OF 58 PAGES
EXAMINATION REPORT
RE Roll Call Training Item.lnk
Xgboys THE STAR LEDGER - The road to a tragic
showdown at bank.lnk
04-11-07.lnk
TROOPER LEGAL UPDATE MARCH 07.lnk
04-03-07 (2).lnk
04-03-07.lnk
USB DISK (D).lnk
04-03-07 tanner.lnk
04-03-07 ROGERS.lnk
04-06-07 ROGERS.lnk
DAILY ACTIVITY 4-12-07.lnk
DAILY ACTIVITY LOG 04-12-07.lnk
04242007-2.lnk
04-25-07.lnk
3235_001.lnk
Remote to County (Coutny Hotspot).lnk
Clear On.lnk
Forsyth County Map.lnk
FCSO 01-00-000.lnk
Supplemental Report.lnk
07-02-00695.lnk
SGT PRUITT (D).lnk
Remote to County (Public Hotspot).lnk
04/11/07 09:10:15PM
04/11/07 09:10:47PM
04/11/07 09:11:26PM
04/11/07 09:05:40PM
04/11/07 09:11:15PM
04/17/07 10:36:37PM
04/17/07 10:36:37PM
04/17/07 10:37:56PM
04/17/07 10:37:56PM
04/17/07 11:20:05PM
04/17/07 11:20:10PM
04/17/07 11:47:55PM
04/17/07 11:47:59PM
04/17/07 11:48:03PM
04/18/07 12:12:30AM
04/25/07 08:16:29PM
04/25/07 08:16:31PM
04/25/07 08:16:44PM
11/07/06 10:51:43AM
02/10/07 10:06:48PM
10/16/06 09:05:40AM
02/12/07 02:30:35AM
02/15/07 03:38:19AM
05/03/07 08:19:15PM
02/20/07 01:00:37AM
11/20/06 02:47:45PM
04/11/07 09:11:26PM
04/11/07 09:12:34PM
04/11/07 09:12:34PM
04/17/07 10:37:04PM
04/17/07 10:37:04PM
04/17/07 10:37:56PM
04/17/07 10:43:50PM
04/17/07 11:20:09PM
04/17/07 11:20:12PM
04/17/07 11:47:58PM
04/17/07 11:48:01PM
04/17/07 11:48:05PM
04/18/07 12:12:36AM
04/25/07 08:16:36PM
04/25/07 08:16:44PM
04/25/07 08:16:44PM
05/03/07 04:05:05AM
05/03/07 07:04:13AM
05/03/07 07:22:28PM
05/03/07 08:17:23PM
05/03/07 08:17:23PM
05/03/07 08:19:15PM
05/03/07 08:19:15PM
05/03/07 08:52:07PM
PROGRAM FILES
I reviewed the Program Files folder for software applications installed on HDD01 that may contain items of evidentiary
value. All applications of evidentiary interest are discussed below.
Real VNC
RealVNC is a server and client application for the Virtual Network Computing (VNC) protocol to control another
computer's screen remotely. RealVNC was installed on HDD01 on 12/18/06. My preliminary review did not reveal
anything of evidentiary value with regard to the Real VNC application.
Internet Explorer
Internet Explorer is a graphical web browser developed by Microsoft and included as part of the Microsoft Windows
operating system. A history of the user’s Internet usage, searches conducted, and files opened or saved using the
browser software is contained in the Index.dat files. Using NetAnalysis, I reviewed the Index.dat files for websites visited
and noted activity from 10/20/05 through 05/03/07 for users MDTAdmin and MDT. I reviewed all Internet activity and
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 16 OF 58 PAGES
EXAMINATION REPORT
noted the following websites were most often visited but I did not find anything of an obvious personal nature and no
websites related to adult pornography or child pornography.
Google.com
Microsoft.com
Fcnet
Forsythco.com
I reviewed all Search Engine Criteria and noted the following search terms and phrases used on Google.com, but I did
not find any search terms related to adult pornography or child pornography. Although the search term “weird al ebony
ivory parody” does not appear to be work related, the remaining search terms appear to be related to work and/or
resolving issues with the computer.
Last Visited
29/01/2007 15:37:29 Mon
29/01/2007 15:37:29 Mon
29/01/2007 15:37:28 Mon
14/12/2006 09:41:33 Thu
14/12/2006 09:37:01 Thu
14/12/2006 09:36:39 Thu
14/12/2006 09:36:17 Thu
28/11/2006 21:26:16 Tue
28/11/2006 21:25:30 Tue
28/11/2006 21:00:37 Tue
28/11/2006 21:00:20 Tue
28/11/2006 20:59:20 Tue
28/11/2006 20:56:47 Tue
24/10/2006 13:35:11 Tue
24/10/2006 13:34:52 Tue
24/10/2006 13:34:35 Tue
24/10/2006 13:30:51 Tue
24/10/2006 13:30:38 Tue
24/10/2006 13:17:38 Tue
24/10/2006 12:59:04 Tue
Host
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
Search Engine Criteria
RNAAPP
RNAAPP
RNAAPP
weird al ebony ivory parody
weird al ebony ivory
Streets and trips problems
Streets and trips conflicting with Norton
Streets and trips conflicting with Norton
Streets and trips running slow
Streets and trips launching slow
Streetsand trips launching slow
.ink on all icons
restore destop shortcuts
system restore executable
restoring a corupt desktop
tweakui
all desktop icons are .ink
.ink
Favorites
Favorites are stored web page locations and their primary purpose is to easily catalog and access web pages that a user
has visited and chosen to save. I reviewed the Favorites in Internet Explorer but I noted only the default favorites
included with the Internet Explorer software. I did not find any user-created links and nothing of a personal nature and
nothing related to adult pornography or child pornography.
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 17 OF 58 PAGES
EXAMINATION REPORT
Windows Media Player
Windows Media Player is the default digital media player included with the Windows operating system and is used for
organizing and playing digital music, video and image files. When a multimedia file is opened using the Windows Media
Player, the name of the file is stored in the RecentFileList folder. I reviewed the RecentFileList but did not find anything
of a personal nature and nothing related to adult pornography or child pornography.
REGISTRY FILES
The Windows registry is a directory which stores settings and options for the operating system for Microsoft Windows
32-bit versions, 64-bit versions, and Windows Mobile. It contains information and settings for all the hardware, operating
system software, most non-operating system software, users, preferences of the computer, etc. I exported the registry
files including USER.DAT, SYSTEM, SOFTWARE, SAM and SECURITY and reviewed them for evidentiary information
using Registry Viewer.
Storage Devices
The registry maintains a record of hardware devices on the computer including removable storage media connected to
the USB ports. I reviewed the registry key ControlSet002\Enum\USBSTOR and noted many different USB drives that
have been connected to HDD01, including a USB device used by the Geek Squad, a computer repair service. The
following is a summary of those devices found in the Registry. For a more detailed listing of these devices, click here.
ControlSet002\Enum\USBSTOR\Disk&Ven_&Prod_Geek_Squad&Rev_0.3\200411005005915123f8&0
Last Written Time
11/16/2006 15:23:19 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\Disk________Geek_Squad______0.3_
FriendlyName
REG_SZ
Geek Squad USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_Flash&Prod_Drive_SM_USB20&Rev_1000\AA04812700783&0
Last Written Time
11/21/2006 18:17:43 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskFlash___Drive_SM_USB20__1000
FriendlyName
REG_SZ
Flash Drive SM_USB20 USB Device
Last Written Time
2/21/2007 2:40:19 UTC
Name
Type
HardwareID
FriendlyName REG_SZ
Data
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 18 OF 58 PAGES
EXAMINATION REPORT
Last Written Time
4/18/2007 3:19:40 UTC
Name
Type
Data
HardwareID
FriendlyName
REG_SZ
Last Written Time
4/8/2007 4:00:56 UTC
Name
Type
Data
HardwareID
FriendlyName
REG_SZ
Last Written Time
3/22/2007 13:04:18 UTC
Name
Type
Data
HardwareID
FriendlyName
REG_SZ
Last Written Time
4/18/2007 4:12:03 UTC
Name
Type
Data
HardwareID
FriendlyName
REG_SZ
Last Written Time
4/12/2007 22:32:10 UTC
Name
Type
Data
HardwareID
FriendlyName
REG_SZ
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 19 OF 58 PAGES
EXAMINATION REPORT
Last Written Time
4/18/2007 2:37:42 UTC
Name
Type
Data
HardwareID
FriendlyName
REG_SZ
Last Written Time
2/10/2007 1:04:03 UTC
Name
Type
Data
HardwareID
FriendlyName
REG_SZ
ControlSet002\Enum\USBSTOR\Disk&Ven_IC25N020&Prod_ATCS04-0&Rev_\DEF10A6AC38F&0
Last Written Time
11/15/2006 21:05:40 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskIC25N020ATCS04-0____________
FriendlyName
REG_SZ
IC25N020 ATCS04-0 USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.04\0DB185515021D952&0
Last Written Time
8/29/2006 18:38:40 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskKingstonDataTraveler_2.01.04
FriendlyName
REG_SZ
Kingston DataTraveler 2.0 USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_LEXAR&Prod_JUMPDRIVE&Rev_1.20\F251430221100&0
Last Written Time
2/14/2007 19:38:21 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskLEXAR___JUMPDRIVE_______1.20
FriendlyName
REG_SZ
LEXAR JUMPDRIVE USB Device
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 20 OF 58 PAGES
EXAMINATION REPORT
ControlSet002\Enum\USBSTOR\Disk&Ven_LEXAR&Prod_JUMPDRIVE_SECURE&Rev_1000\302AC201012824290105&0
Last Written Time
11/17/2006 19:20:44 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskLEXAR___JUMPDRIVE_SECURE1000
FriendlyName
REG_SZ
LEXAR JUMPDRIVE SECURE USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_Memorex&Prod_TD_2C&Rev_1.00\286071516303A8C2&0
Last Written Time
1/18/2006 21:23:40 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskMemorex_TD_2C___________1.00
FriendlyName
REG_SZ
Memorex TD 2C USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_Memorex&Prod_TD_2C&Rev_1.00\2860FB40F1B1CBC8&0
Last Written Time
11/15/2006 21:43:48 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskMemorex_TD_2C___________1.00
FriendlyName
REG_SZ
Memorex TD 2C USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_Memorex&Prod_TD_Classic_003C&Rev_1.02\0C516B500380C8B9&0
Last Written Time
4/18/2007 3:47:16 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskMemorex_TD_Classic_003C_1.02
FriendlyName
REG_SZ
Memorex TD Classic 003C USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_PNY&Prod_USB_2.0_FD&Rev_PMAP\6E6C0B004D32&0
Last Written Time
5/3/2007 21:52:12 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskPNY_____USB_2.0_FD______PMAP
FriendlyName
REG_SZ
PNY USB 2.0 FD USB Device
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 21 OF 58 PAGES
EXAMINATION REPORT
ControlSet002\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Micro&Rev_0.1\20041100401b4bd16b60&0
Last Written Time
8/29/2006 18:59:08 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskSanDisk_Cruzer_Micro____0.1_
FriendlyName
REG_SZ
SanDisk Cruzer Micro USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Micro&Rev_0.2\200443184213a151adcf&0
Last Written Time
8/31/2006 17:48:59 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskSanDisk_Cruzer_Micro____0.2_
FriendlyName
REG_SZ
SanDisk Cruzer Micro USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_SIMPTECH&Prod_USB_DRIVE&Rev_1.12\0159245429290&0
Last Written Time
8/30/2006 20:26:54 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskSIMPTECHUSB_DRIVE_______1.12
FriendlyName
REG_SZ
SIMPTECH USB DRIVE USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_USB_2.0&Prod_Flash_Disk&Rev_1100\AA04012700007667&0
Last Written Time
3/22/2007 13:01:39 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskUSB_2.0_Flash_Disk______1100
FriendlyName
REG_SZ
USB 2.0 Flash Disk USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_VBTM&Prod_Store_'n'_Go&Rev_5.00\0B618860D06088B3&0
Last Written Time
3/26/2007 18:02:06 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskVBTM____Store_'n'_Go____5.00
FriendlyName
REG_SZ
VBTM Store 'n' Go USB Device
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 22 OF 58 PAGES
EXAMINATION REPORT
Typed URLs
When a user manually types a website address (URL) into the Internet Explorer browser, that address is recorded in the
registry key Software\Microsoft\Internet Explorer\TypedURLs. I reviewed the Typed URLs but did not find anything of a
personal nature and nothing related to adult pornography or child pornography.
Last Written Time 2/14/2007 14:59:21 UTC
Name Type
Data
url1
REG_SZ http://www.yahoo.com/
url2
REG_SZ http://www.google.com/
url3
REG_SZ http://www.forsythco.com/www.google.com
url4
REG_SZ http://fcnet/
url5
REG_SZ http://172.27.128.20/iuseragent/iuseragent.asmx
url6
REG_SZ http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
OpenSave Most Recently Used
When a file is opened and saved using the Open / Save As command in Windows, the name of that file is stored in the
Windows registry under the key Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*. I
reviewed this registry key and noted the following items that had been opened and saved on HDD01 but I did not find
anything of a personal nature and nothing related to adult pornography or child pornography.
Class Name
Name
Shell
Type
Data
MRUList REG_SZ gfedcab
g
REG_SZ C:\Program Files\West Group\GALEH1WG.vid
f
REG_SZ
e
REG_SZ C:\Documents and Settings\MDT\Desktop\Forsyth County Map.est
d
REG_SZ C:\Documents and Settings\MDT\My Documents\Deputy Terminal Services.RDP
c
REG_SZ C:\emblem_fire1024.jpg
a
REG_SZ C:\badge4.jpg
C:\Documents and Settings\MDT\Desktop\Remote to County (Coutny
Hotspot).RDP
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 23 OF 58 PAGES
EXAMINATION REPORT
b
REG_SZ
C:\Documents and Settings\MDT\My Documents\Georgia, United States, North
America.ptm
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 24 OF 58 PAGES
EXAMINATION REPORT
HP PAVILION DESKTOP COMPUTER (HDD02)
I ran the Initialize Case feature of EnCase and noted that a forensic image of HDD02 was created on 11/25/08 at 12:16
p.m. by Stilger. HDD02 has one partition identified as C, with a total capacity of 244.4gb and 60.2gb allocated to data.
The operating system is Windows XP and was installed on 09/24/06 at 01:31 p.m. registered to Scott Pruitt. Other than
the default accounts created by the Windows operating system, I noted one user account for HP_Administrator and one
user account for Jami Suddeth. The time zone was set to Eastern Standard and I assured that EnCase and FTK were
set accordingly.
Name:
ActualDate:
TargetDate:
FilePath:
Case Number:
Evidence Number:
Examiner Name:
Notes:
Drive Type:
File Integrity:
Acquisition Hash:
Verify Hash:
EnCase Version:
System Version:
Fastbloced:
Is Physical:
Compression:
Total Sectors:
M Pruitt
11/25/08 12:16:34PM
11/25/08 12:16:34PM
F:\image.E01
Bobby Image
M Pruitt
STILGER
DRIVEFIXED
Verifying
2553AE67B81C454E0B019AA61B3711FB
6.11
Windows XP
No
Yes
None
488397168
C
Volume
File System:
Sectors per cluster:
Total Sectors:
Total Clusters:
Free Clusters:
Volume Name:
Id:
Serial Number:
Full Serial Number:
NTFS
Drive Type:
8
Bytes per sector:
488,392,002
Total Capacity:
58,819,981
Unallocated:
43,026,039
Allocated:
HP_PAVILION Volume Offset:
S-1-5-21-1223415986-456185491-3836011227
7FB0-E824
70B5BA297FB0E824
Driver Information:
NTFS 3.1
OS Info
Product Name:
Current Version:
Registered Owner:
Registered Organization:
System Root:
Current Build Number:
Fixed
512
240,926,642,176 bytes (224.4GB)
176,234,655,744 bytes (164.1GB)
64,691,986,432 bytes (60.2GB)
63
Microsoft Windows XP
5.1
Scott Pruitt
C:\WINDOWS
2600
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 25 OF 58 PAGES
EXAMINATION REPORT
Path Name:
Product ID:
Last Service Pack:
Product Key:
VersionNumber:
Source Path:
Install Date:
Last Shutdown Time:
C:\WINDOWS
76487-OEM-0011903-00803
Service Pack 2
User name:
Full Name:
Type of User:
HP_Administrator
Scott Pruitt
Local User
Logon Script:
Profile Path:
Last Logon:
User name:
Full Name:
Type of User:
Logon Script:
Profile Path:
Last Logon:
09/24/06 01:31:48PM
05/16/07 09:03:05AM
513
S-1-5-21-1223415986-456185491-3836011227-1008
Debugger Users
Administrators
%SystemDrive%\Documents and Settings\HP_Administrator
05/17/07 12:16:46AM
09/25/06 06:34:48AM
05/12/07 06:47:08AM
Jami Suddeth
Jami Suddeth
Local User
513
S-1-5-21-1223415986-456185491-3836011227-1009
Users
%SystemDrive%\Documents and Settings\Jami Suddeth
12/14/06 12:33:50AM
12/14/06 12:32:57AM
12/14/06 12:33:44AM
TimeZone Info
Current control set is 003
Default control set is 003
Failed control set is 001
LastKnownGood control set is 002
Standard time bias is -5:00 hours offset from GMT.
StandardName: Eastern Standard Time
Standard time is set to change the Standard bias by 0 minutes.
Standard time is set to change on Sunday of the 1st week of November, at 02:00 hours.
DaylightName: Eastern Daylight Time
Daylight savings is set to change the Standard bias by 60 minutes.
Daylight savings time is set to change on Sunday of the 2nd week of March, at 02:00 hours.
Active time bias is -4:00 hours offset from GMT.
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 26 OF 58 PAGES
EXAMINATION REPORT
Last Accessed
I sorted all files by Last Accessed date to confirm the original evidence was not accessed after it was seized. The
evidence revealed that HDD02 was last accessed on 05/16/07 at 04:16 p.m. which is consistent with no access after the
evidence was seized. However, the last logon time recorded by the operating system indicates a logon of 05/17/06 at
12:16 a.m.
IMAGES
I reviewed all images in allocated space using the Gallery View in EnCase and noted a total of 72,941 images, including
default system images, cached Internet images, default images from software applications and personal photos of family
and/or friends. I did not find any images of child pornography in allocated space.
I ran the File Mounter process in EnCase to open compound files such as the thumbs.db. The thumbs.db is a hidden file
created by the Windows operating system that stores small thumbnails of images that are on the computer. Each folder
containing images or videos will also have a corresponding thumbs.db file. When an image or video is deleted from the
computer, the thumbnail of that image will remain in the thumbs.db. The thumbs.db files are compressed and must be
“mounted” or uncompressed before the images inside those files can be seen. The thumbs.db files are commonly
examined during a forensic analysis to determine if child pornography images existed on the computer at one time and
were subsequently deleted. After mounting the thumbs.db, I noted 78,500 total images but I did not find any images of
child pornography.
I ran the file carver process for all .jpg images in unallocated space and recovered 6010 images. I reviewed all 6010
images and bookmarked 63 images of possible child pornography found in unallocated space. All images were small
thumbnails that were likely cached to the hard drive from websites accessed on the Internet based on their appearance
and file sizes. 17 of the images recovered from unallocated space are thumbnail images of video files with the same
maroon colored banner across the top of the image indicating these thumbnails likely came from the same website.
I spoke with SA Stanley and requested that he show me the images of child pornography that resided on the Forsyth
County Server escorted me to his lab to show me the images that resided on the Forsyth County Server at the location
S:\Roe\2005\2005 CFTS\may 05\0505434 State v. Jackson CP\Exhibit 5 Forensics\Possible CP Unallocated_file and
allegedly accessed by Pruitt. After visually observing these images and taking some handwritten notes, I compared
those with the images found on HDD02 but did not find any matches.
Subsequently, SA Stanley provided me with hash values for the images that resided on the Forsyth County Server at the
location S:\Roe\2005\2005 CFTS\may 05\0505434 State v. Jackson CP\Exhibit 5 Forensics\Possible CP
Unallocated_files. I ran a search for those hash values on HDD02 but did not find any matches.
MULTIMEDIA FILES (VIDEOS)
I sorted all files by file extension and located several video files but nothing related to adult pornography or child
pornography. Other than a couple of deleted videos with innocuous names such as 002.mpg, all videos appeared to be
related to software applications.
FOLDER STRUCTURE
I reviewed the entire Folder Structure of HDD02 for any user-defined files and folders indicative of child pornography but
found none. To view the Folder Structure in its entirety, click here. I reviewed various locations in the Folder Structure
that commonly contain items of evidentiary interest but I found nothing related to child pornography.
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 27 OF 58 PAGES
EXAMINATION REPORT
Desktop
The Desktop is the graphical user interface that appears when the computer is booted up. The Desktop consists of
icons, windows, toolbars, folders and wallpaper and users commonly create shortcuts on the Desktop to files and folders
of interest for easy access. I reviewed the Desktop shortcuts but I did not find anything related to child pornography.
My Documents
My Documents is a default folder created under each user’s profile by the Windows operating system and is considered
the standard location for storing user-defined files and folders. I reviewed the My Documents folder but I did not find
anything related to child pornography. To view the files in the My Documents folder, click here.
Recent Folder
with a .lnk file extension in the Recent Folder. These links include dates and times when the files were opened (File
Created), when they were opened again (Last Written) and the full path where the file is/was located. I reviewed the
Recent folder and found activity from 09/25/06 through 05/16/07 but nothing related to child pornography. To view the
files in the Recent Folder, click here.
PROGRAM FILES
I reviewed the Program Files folder for software applications installed on EV1HD1 that may contain items of evidentiary
value. All applications of evidentiary interest are discussed below.
Internet Explorer
Internet Explorer is a graphical web browser developed by Microsoft and included as part of the Microsoft Windows
operating system. A history of the user’s Internet usage, searches conducted, and files opened or saved using the
browser software is contained in the Index.dat files. Using NetAnalysis, I reviewed the Index.dat files for websites visited
and noted activity from 03/28/06 through 05/16/07 for users Jami Suddeth and HP_Administrator and over 27,932 URL
records. I noted websites related to adult pornography, teen pornography and child pornography. My analysis regarding
this Internet activity and the identification of a computer user during this activity is ongoing and will be supplemented as
additional evidence is discovered.
I reviewed all Search Engine Criteria and noted the following search terms and phrases used on Google and Alta Vista. I
did find searches indicative of child pornography and my analysis regarding this activity and the identification of a
computer user during this activity is ongoing and will be supplemented as additional evidence is discovered.
Last Visited
16/05/2007 14:14:05 Wed
16/05/2007 14:14:05 Wed
16/05/2007 14:12:54 Wed
16/05/2007 14:12:54 Wed
16/05/2007 14:12:45 Wed
16/05/2007 14:12:44 Wed
16/05/2007 12:50:42 Wed
16/05/2007 12:50:42 Wed
Host
www.altavista.com
www.altavista.com
search.yahoo.com
search.yahoo.com
search.yahoo.com
search.yahoo.com
www.altavista.com
www.altavista.com
Search Engine Criteria
callaway golf clubs
callaway golf clubs
chess sales
chess sales
www.uschesssales.com
www.uschesssales.com
hot whois
hot whois
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 28 OF 58 PAGES
EXAMINATION REPORT
16/05/2007 12:50:18 Wed
16/05/2007 12:50:18 Wed
16/05/2007 12:09:23 Wed
16/05/2007 12:09:22 Wed
15/05/2007 22:01:01 Tue
15/05/2007 22:00:04 Tue
15/05/2007 22:00:03 Tue
15/05/2007 22:00:02 Tue
15/05/2007 22:00:02 Tue
15/05/2007 21:59:53 Tue
15/05/2007 21:59:53 Tue
15/05/2007 21:57:38 Tue
15/05/2007 21:57:37 Tue
15/05/2007 13:11:25 Tue
15/05/2007 13:11:24 Tue
15/05/2007 13:11:12 Tue
15/05/2007 13:11:12 Tue
25/04/2007 09:46:26 Wed
25/04/2007 09:45:25 Wed
25/04/2007 09:35:59 Wed
25/04/2007 09:35:56 Wed
25/04/2007 09:35:43 Wed
25/04/2007 09:34:59 Wed
25/04/2007 04:46:25 Wed
25/04/2007 04:45:24 Wed
25/04/2007 04:35:58 Wed
25/04/2007 04:35:55 Wed
25/04/2007 04:35:43 Wed
25/04/2007 04:34:59 Wed
20/04/2007 09:14:15 Fri
20/04/2007 07:49:38 Fri
20/04/2007 07:47:40 Fri
30/01/2007 12:19:32 Tue
30/01/2007 12:17:01 Tue
30/01/2007 12:16:51 Tue
11/01/2007 20:34:28 Thu
11/01/2007 20:34:17 Thu
11/01/2007 20:33:41 Thu
11/01/2007 20:31:10 Thu
11/01/2007 20:31:10 Thu
www.altavista.com
www.altavista.com
www.altavista.com
www.altavista.com
search.yahoo.com
www.altavista.com
www.altavista.com
www.altavista.com
www.altavista.com
www.altavista.com
www.altavista.com
www.altavista.com
www.altavista.com
www.altavista.com
www.altavista.com
www.altavista.com
www.altavista.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
hot who is
hot who is
two car garqge plans
two car garqge plans
ttp://search.yahoo.com/search/age_restrict_redirect
hair bow design guide
hair bow design guide
hair bow "design guide"
hair bow "design guide"
making hair bows
making hair bows
hair bow "how to guide"
hair bow "how to guide"
pearl vision
pearl vision
pearl vision lakeland plaza cumming ga
pearl vision lakeland plaza cumming ga
Chessmaster OPK check patch
Chesmaster OPK check patch
crafty download
crfty download
winboard version crafty
Chessmaster OPK check patch
Chesmaster OPK check patch
crafty download
crfty download
white county ga criminal records
fulton county georgia court
child support increase fulton county georgia
interrogatories
Legal response
Legal responce
disable file renaming in excel
disable file renaming
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 29 OF 58 PAGES
EXAMINATION REPORT
11/01/2007 20:29:59 Thu
11/01/2007 20:28:53 Thu
11/01/2007 20:28:40 Thu
11/01/2007 20:28:16 Thu
11/01/2007 17:51:13 Thu
08/01/2007 02:33:21 Mon
08/01/2007 02:10:09 Mon
07/01/2007 14:32:49 Sun
07/01/2007 14:31:13 Sun
07/01/2007 14:31:02 Sun
06/01/2007 06:21:10 Sat
06/01/2007 06:20:51 Sat
06/01/2007 06:20:47 Sat
06/01/2007 06:19:40 Sat
06/01/2007 06:19:13 Sat
06/01/2007 06:19:08 Sat
06/01/2007 06:19:00 Sat
06/01/2007 06:18:51 Sat
06/01/2007 06:18:32 Sat
06/01/2007 06:12:43 Sat
06/01/2007 06:12:32 Sat
06/01/2007 06:12:28 Sat
06/01/2007 06:11:32 Sat
06/01/2007 06:11:28 Sat
06/01/2007 06:11:22 Sat
06/01/2007 06:10:51 Sat
06/01/2007 06:10:46 Sat
06/01/2007 06:09:56 Sat
06/01/2007 06:09:07 Sat
06/01/2007 06:08:40 Sat
06/01/2007 06:08:28 Sat
06/01/2007 06:08:13 Sat
06/01/2007 06:07:54 Sat
06/01/2007 06:07:51 Sat
06/01/2007 06:07:48 Sat
06/01/2007 06:04:25 Sat
06/01/2007 06:02:01 Sat
06/01/2007 06:01:34 Sat
06/01/2007 05:59:33 Sat
06/01/2007 05:57:36 Sat
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.altavista.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
images.google.com
stop file renaming
file renaming
Excel Visual Basic Code
Excel Visual Basic Code
avery label template 5160
Avery Label 5160 template
don lee homes cumming ga
don lee homes forsyth county ga
don lee homes
nude preteen
nude preteen
nude preteen
nude preteen
nude preteen
nude preteen boy
preteen boy
gay boy
gay boy
nude boy
nude boy
nude boy
nude boy
nude boy
nude boy
nude boy
nude boy
inurl:"nude boy"
inurl:"nude boy"
inurl:"nude preteen"
inurl:"nude lolita"
inurl:"underage"
inurl:"lolita" "nude" "underage"
inurl:"lolita" "nude"
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 30 OF 58 PAGES
EXAMINATION REPORT
06/01/2007 05:57:34 Sat
06/01/2007 05:57:34 Sat
06/01/2007 05:57:31 Sat
06/01/2007 05:49:32 Sat
06/01/2007 05:48:56 Sat
06/01/2007 05:28:10 Sat
06/01/2007 05:23:56 Sat
06/01/2007 05:10:29 Sat
06/01/2007 05:10:18 Sat
06/01/2007 05:10:10 Sat
06/01/2007 05:09:50 Sat
04/01/2007 14:25:59 Thu
03/01/2007 20:49:34 Wed
03/01/2007 20:49:33 Wed
03/01/2007 20:49:26 Wed
03/01/2007 20:49:21 Wed
03/01/2007 20:49:21 Wed
03/01/2007 20:49:21 Wed
02/01/2007 23:31:42 Tue
02/01/2007 23:30:52 Tue
02/01/2007 23:27:34 Tue
02/01/2007 23:26:52 Tue
02/01/2007 23:20:33 Tue
02/01/2007 23:18:42 Tue
27/12/2006 00:04:10 Wed
24/12/2006 22:06:58 Sun
24/12/2006 22:06:54 Sun
24/12/2006 22:03:08 Sun
24/12/2006 21:35:41 Sun
24/12/2006 21:35:05 Sun
24/12/2006 21:34:21 Sun
24/12/2006 21:33:01 Sun
24/12/2006 21:32:44 Sun
24/12/2006 21:32:28 Sun
24/12/2006 21:32:22 Sun
24/12/2006 21:32:18 Sun
24/12/2006 21:31:41 Sun
24/12/2006 21:31:30 Sun
24/12/2006 21:30:09 Sun
24/12/2006 20:45:36 Sun
images.google.com
images.google.com
images.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
images.google.com
images.google.com
www.google.com
news.google.com
news.google.com
news.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.altavista.com
www.altavista.com
www.altavista.com
www.altavista.com
www.altavista.com
www.altavista.com
www.altavista.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
images.google.com
www.google.de
inurl:"lolita" filetype:".jpg"
inurl:"lolita" filetype:.jpg
inurl:"lolita" filetype:"jpg"
inurl:"lolita"
cumming cleaners
saddam hanging
saddam hanging
saddam hanging
saddam hanging
saddam hanging
saddam hanging
APNIC lookup
RIPE lookup
ARIN lookup
CRSNIC lookup
whois lookup
whois look up
inurl:naked preteen
preteen porno
preteen porno
preteen porno
intitle:"nude preteen" -non
intitle:"nude preteen" -non
intitle:"nude preteen"
nude preteen
preteen nude
nude preteen
preteen
preteen
preteen
preteen
preteen
inurl:newbbs biz
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 31 OF 58 PAGES
EXAMINATION REPORT
24/12/2006 20:45:13 Sun
24/12/2006 20:45:00 Sun
24/12/2006 20:44:44 Sun
24/12/2006 20:44:30 Sun
24/12/2006 20:44:20 Sun
24/12/2006 20:42:34 Sun
24/12/2006 20:41:50 Sun
24/12/2006 20:36:59 Sun
24/12/2006 20:36:40 Sun
24/12/2006 20:33:58 Sun
24/12/2006 20:29:31 Sun
24/12/2006 20:28:27 Sun
24/12/2006 20:24:20 Sun
24/12/2006 20:21:20 Sun
24/12/2006 20:21:12 Sun
24/12/2006 20:17:23 Sun
24/12/2006 20:09:00 Sun
24/12/2006 20:08:25 Sun
24/12/2006 20:07:09 Sun
24/12/2006 20:06:50 Sun
09/12/2006 11:05:25 Sat
09/12/2006 06:05:25 Sat
07/12/2006 22:14:50 Thu
07/12/2006 17:14:49 Thu
05/12/2006 21:48:34 Tue
05/12/2006 21:47:20 Tue
05/12/2006 21:46:42 Tue
05/12/2006 21:46:05 Tue
05/12/2006 21:42:50 Tue
05/12/2006 21:41:11 Tue
05/12/2006 21:36:29 Tue
05/12/2006 16:48:33 Tue
05/12/2006 16:46:42 Tue
05/12/2006 16:46:04 Tue
05/12/2006 16:42:49 Tue
05/12/2006 16:41:11 Tue
05/12/2006 16:36:28 Tue
02/12/2006 14:17:16 Sat
02/12/2006 14:13:11 Sat
02/12/2006 14:11:24 Sat
www.google.de
www.google.de
www.google.de
www.google.de
www.google.de
www.google.de
www.google.de
www.google.de
www.google.de
www.google.de
www.google.de
www.google.de
www.google.de
www.google.de
www.google.de
www.google.de
www.google.de
www.google.de
www.google.de
www.google.de
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
inurl:newbbs
intitle:newbbs
intitle:newbbs preteen
intitle:bbs preteen
intitle:bbs preteen
intitle:bbs preteen
intitle:bbs preteen
intitle:bbs
intitle:nude preteen
preteen
preteen
preteen
r=all
allintitle: newbbs
allintitle: newbbs
intitle:"newbbs"
intitle: newbbs
movies 400 in cumming ga
movies 400 in cumming ga
m&ms.com
m&ms.com
the lords prayer
the lords prayer
sweet poems
sweet poems
health care poems
healthcarepoems.com
google earth
the lords prayer
sweet poems
sweet poems
health care poems
healthcarepoems.com
google earth
old navy
lakeshore mall in gainesville ga
north point mall
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 32 OF 58 PAGES
EXAMINATION REPORT
02/12/2006 14:11:09 Sat
02/12/2006 09:17:16 Sat
02/12/2006 09:13:11 Sat
02/12/2006 09:11:23 Sat
02/12/2006 09:11:08 Sat
30/11/2006 19:18:31 Thu
30/11/2006 19:17:34 Thu
30/11/2006 19:17:13 Thu
30/11/2006 19:16:08 Thu
30/11/2006 19:14:09 Thu
30/11/2006 19:13:03 Thu
30/11/2006 19:02:01 Thu
30/11/2006 17:48:58 Thu
30/11/2006 14:18:31 Thu
30/11/2006 14:17:33 Thu
30/11/2006 14:17:12 Thu
30/11/2006 14:16:08 Thu
30/11/2006 14:14:08 Thu
30/11/2006 14:13:03 Thu
30/11/2006 14:02:01 Thu
30/11/2006 12:48:58 Thu
29/11/2006 19:35:11 Wed
29/11/2006 19:26:32 Wed
29/11/2006 19:26:04 Wed
29/11/2006 14:35:10 Wed
29/11/2006 14:26:31 Wed
29/11/2006 14:26:04 Wed
24/11/2006 12:57:54 Fri
24/11/2006 12:37:24 Fri
24/11/2006 12:36:47 Fri
24/11/2006 12:36:38 Fri
24/11/2006 12:36:13 Fri
24/11/2006 12:35:24 Fri
24/11/2006 12:32:17 Fri
24/11/2006 12:30:16 Fri
24/11/2006 12:28:15 Fri
24/11/2006 12:28:10 Fri
24/11/2006 12:28:06 Fri
24/11/2006 12:28:00 Fri
24/11/2006 12:27:54 Fri
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
outlet mall in dawsonville
old navy
lakeshore mall in gainesville ga
north point mall
outlet mall in dawsonville
thefoster'shouse.com
jobs in cumming ga
jobs in cumming ga
jobs in cumming ga
jos in cumming ga
specialtyappliancey.com
jobsshearch.com
abcjobs.com
thefoster'shouse.com
jobs in cumming ga
jobs in cumming ga
jobs in cumming ga
jos in cumming ga
specialtyappliancey.com
jobsshearch.com
abcjobs.com
truck body kits
little acres day care in cumming ga
day cares in cumming ga
truck body kits
little acres day care in cumming ga
day cares in cumming ga
mysapce.com
applebees in cumming ga
xtreme audio in cumming ga
yellow pages
mobile electronics and accessories in cumming ga
keyless entry for automobile installation in cumming ga
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 33 OF 58 PAGES
EXAMINATION REPORT
24/11/2006 12:27:41 Fri
24/11/2006 12:27:03 Fri
24/11/2006 12:26:48 Fri
24/11/2006 12:25:54 Fri
24/11/2006 12:25:40 Fri
24/11/2006 12:21:02 Fri
24/11/2006 12:20:54 Fri
24/11/2006 12:10:31 Fri
24/11/2006 12:09:05 Fri
24/11/2006 12:06:50 Fri
24/11/2006 12:06:29 Fri
24/11/2006 07:57:54 Fri
24/11/2006 07:37:23 Fri
24/11/2006 07:36:47 Fri
24/11/2006 07:36:37 Fri
24/11/2006 07:36:13 Fri
24/11/2006 07:35:24 Fri
24/11/2006 07:32:16 Fri
24/11/2006 07:30:16 Fri
24/11/2006 07:28:14 Fri
24/11/2006 07:28:10 Fri
24/11/2006 07:28:05 Fri
24/11/2006 07:28:00 Fri
24/11/2006 07:27:53 Fri
24/11/2006 07:27:41 Fri
24/11/2006 07:27:02 Fri
24/11/2006 07:26:48 Fri
24/11/2006 07:25:53 Fri
24/11/2006 07:25:40 Fri
24/11/2006 07:21:01 Fri
24/11/2006 07:17:41 Fri
24/11/2006 07:10:31 Fri
24/11/2006 07:06:50 Fri
24/11/2006 07:06:29 Fri
18/11/2006 13:55:13 Sat
03/11/2006 22:43:52 Fri
28/10/2006 23:01:14 Sat
14/10/2006 20:00:56 Sat
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
www.google.com
search.yahoo.com
search.yahoo.com
www.google.com
HPIA:2006-39
keyless entry for automobile in cumming ga
keyless entry for automobile
cumming ga
cummin
cummin stereo
cumming stereos in cumming ga
keyless entries for trucks in cumming ga
mysapce.com
applebees in cumming ga
yellow pages
mobile electronics and accessories in cumming ga
keyless entry for automobile in cumming ga
keyless entry for automobile
cumming ga
cummin
cummin stereo
cumming stereos in cumming ga
clark howard
myspace
face painting
www.google.com
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 34 OF 58 PAGES
EXAMINATION REPORT
Favorites
Favorites are stored web page locations and their primary purpose is to easily catalog and access web pages that a user
has visited and chosen to save. I reviewed the Favorites in Internet Explorer but I did not find anything related to child
pornography.
Real Player
Real Player is a cross platform media player that can play various multimedia formats including music and video files.
When files are opened using the Real Player software, link (.lnk) files are created in the Real Player History file. I
reviewed the Real Player history file and found 238 links to videos that were opened using Real Player from 10/15/06
through 12/14/06. Some of the link files had names indicative of adult pornography but I did not find anything related to
child pornography. To view the Real Player History, click here.
Windows Media Player
Windows Media Player is the default digital media player included with the Windows operating system and is used for
organizing and playing digital music, video and image files. When a multimedia file is opened using the Windows Media
Player, the name of the file is stored in the RecentFileList folder. I reviewed the RecentFileList but did not find any files.
REGISTRY FILES
The Windows registry is a directory which stores settings and options for the operating system for Microsoft Windows
32-bit versions, 64-bit versions, and Windows Mobile. It contains information and settings for all the hardware, operating
system software, most non-operating system software, users, preferences of the computer, etc. I exported the registry
files including USER.DAT, SYSTEM, SOFTWARE, SAM and SECURITY and reviewed them for evidentiary information
using Registry Viewer.
Storage Devices
The registry maintains a record of hardware devices on the computer including removable storage media connected to
the USB ports. I reviewed the registry key ControlSet002\Enum\USBSTOR and noted many different USB drives that
have been connected to HDD01. The following is a summary of those devices found in the Registry. For a more
detailed listing of these devices, click here.
ControlSet001\Enum\USBSTOR\Disk&Ven_&Prod_USB_DRIVE&Rev_1.12\1162700724893&0
Last Written Time
3/28/2006 23:59:32 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\Disk________USB_DRIVE_______1.12
FriendlyName
REG_SZ
USB DRIVE USB Device
ControlSet001\Enum\USBSTOR\Disk&Ven_Brother&Prod_MFC-420CN&Rev_1.00\7&32e1dc08&0&BROK4F677441&0
Last Written Time
10/20/2006 4:16:02 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskBrother_MFC-420CN_______1.00
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 35 OF 58 PAGES
EXAMINATION REPORT
FriendlyName
REG_SZ
Brother MFC-420CN USB Device
Last Written Time
10/8/2006 2:24:24 UTC
Name
Type
Data
HardwareID
FriendlyName
REG_SZ
ControlSet001\Enum\USBSTOR\Disk&Ven_FUJIFILM&Prod_USBDRIVEUNIT&Rev_1.00\592D3936325E06021174B320328B30&0
Last Written Time
10/15/2006 0:17:21 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskFUJIFILMUSB-DRIVEUNIT___1.00
FriendlyName
REG_SZ
FUJIFILM USB-DRIVEUNIT USB Device
ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_USB_CF_Reader&Rev_1.01\2004888&1
Last Written Time
10/22/2006 15:32:34 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskGeneric_USB_CF_Reader___1.01
FriendlyName
REG_SZ
Generic USB CF Reader USB Device
ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_USB_MS_Reader&Rev_1.03\2004888&3
Last Written Time
10/22/2006 15:32:34 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskGeneric_USB_MS_Reader___1.03
FriendlyName
REG_SZ
Generic USB MS Reader USB Device
ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_USB_SD_Reader&Rev_1.00\2004888&0
Last Written Time
10/22/2006 15:32:34 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskGeneric_USB_SD_Reader___1.00
FriendlyName
REG_SZ
Generic USB SD Reader USB Device
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 36 OF 58 PAGES
EXAMINATION REPORT
ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_USB_SM_Reader&Rev_1.02\2004888&2
Last Written Time
10/22/2006 15:32:34 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskGeneric_USB_SM_Reader___1.02
FriendlyName
REG_SZ
Generic USB SM Reader USB Device
Last Written Time
10/21/2006 23:15:38 UTC
Name
Type
Data
HardwareID
FriendlyName
REG_SZ
ControlSet001\Enum\USBSTOR\SFloppy&Ven_MITSUMI&Prod_USB_FDD_____070M&Rev_3.01\6&2b63e84c&0
Last Written Time
10/22/2006 7:38:21 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\SFloppyMITSUMI_USB_FDD_____070M3.01
FriendlyName
REG_SZ
MITSUMI USB FDD 070M USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_&Prod_USB_DRIVE&Rev_1.12\1162700724893&0
Last Written Time
3/28/2006 23:59:32 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\Disk________USB_DRIVE_______1.12
FriendlyName
REG_SZ
USB DRIVE USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_Apple&Prod_iPod&Rev_1.62\000A2700194EE41D&0
Last Written Time
1/17/2007 2:01:56 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskApple___iPod____________1.62
FriendlyName
REG_SZ
Apple iPod USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_Apple&Prod_iPod&Rev_1.62\000A270019A49E0F&0
Last Written Time
Name
4/13/2007 18:45:01 UTC
Type
Data
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 37 OF 58 PAGES
EXAMINATION REPORT
HardwareID
REG_MULTI_SZ USBSTOR\DiskApple___iPod____________1.62
FriendlyName
REG_SZ
Apple iPod USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_Brother&Prod_MFC-420CN&Rev_1.00\7&32e1dc08&0&BROK4F677441&0
Last Written Time
5/15/2007 15:18:37 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskBrother_MFC-420CN_______1.00
FriendlyName
REG_SZ
Brother MFC-420CN USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_Creative&Prod_NOMAD_MUVO&Rev_0100\0000210429E28116&0
Last Written Time
1/7/2007 16:11:25 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskCreativeNOMAD_MUVO______0100
FriendlyName
REG_SZ
Creative NOMAD MUVO USB Device
Last Written Time
1/31/2007 22:35:26 UTC
Name
Type
Data
HardwareID
FriendlyName
REG_SZ
Last Written Time
2/26/2007 14:44:03 UTC
Name
Type
Data
HardwareID
FriendlyName
REG_SZ
ControlSet002\Enum\USBSTOR\Disk&Ven_FUJIFILM&Prod_USBDRIVEUNIT&Rev_1.00\592D3936325E06021174B320328B30&0
Last Written Time
10/15/2006 0:17:21 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskFUJIFILMUSB-DRIVEUNIT___1.00
FriendlyName
REG_SZ
FUJIFILM USB-DRIVEUNIT USB Device
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 38 OF 58 PAGES
EXAMINATION REPORT
ControlSet002\Enum\USBSTOR\Disk&Ven_Generic&Prod_USB_CF_Reader&Rev_1.01\2004888&1
Last Written Time
5/16/2007 14:31:15 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskGeneric_USB_CF_Reader___1.01
FriendlyName
REG_SZ
Generic USB CF Reader USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_Generic&Prod_USB_MS_Reader&Rev_1.03\2004888&3
Last Written Time
5/16/2007 14:31:15 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskGeneric_USB_MS_Reader___1.03
FriendlyName
REG_SZ
Generic USB MS Reader USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_Generic&Prod_USB_SD_Reader&Rev_1.00\2004888&0
Last Written Time
5/16/2007 14:31:15 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskGeneric_USB_SD_Reader___1.00
FriendlyName
REG_SZ
Generic USB SD Reader USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_Generic&Prod_USB_SM_Reader&Rev_1.02\2004888&2
Last Written Time
5/16/2007 14:31:15 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskGeneric_USB_SM_Reader___1.02
FriendlyName
REG_SZ
Generic USB SM Reader USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_LEXAR&Prod_JD_CLASSIC&Rev_3000\BDED2510112913250806&0
Last Written Time
4/19/2007 12:52:30 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskLEXAR___JD_CLASSIC______3000
FriendlyName
REG_SZ
LEXAR JD CLASSIC USB Device
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 39 OF 58 PAGES
EXAMINATION REPORT
ControlSet002\Enum\USBSTOR\Disk&Ven_LEXAR&Prod_JUMPDRIVE&Rev_1.20\F251430221100&0
Last Written Time
5/7/2007 20:06:35 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskLEXAR___JUMPDRIVE_______1.20
FriendlyName
REG_SZ
LEXAR JUMPDRIVE USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_OLYMPUS&Prod_DVR_DM_SERIES&Rev_1.00\6&4a610b4&0
Last Written Time
1/6/2007 9:25:06 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskOLYMPUS_DVR_DM_SERIES___1.00
FriendlyName
REG_SZ
OLYMPUS DVR DM SERIES USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_PNY&Prod_USB_2.0_FD&Rev_PMAP\6E6C0B004D32&0
Last Written Time
4/19/2007 12:28:03 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskPNY_____USB_2.0_FD______PMAP
FriendlyName
REG_SZ
PNY USB 2.0 FD USB Device
ControlSet002\Enum\USBSTOR\Disk&Ven_USB_2.0&Prod_Flash_Disk&Rev_1.00\0603220149265&0
Last Written Time
1/12/2007 3:58:24 UTC
Name
Type
Data
HardwareID
REG_MULTI_SZ USBSTOR\DiskUSB_2.0_Flash_Disk______1.00
FriendlyName
REG_SZ
Last Written Time
5/7/2007 20:13:44 UTC
Name
Type
Data
HardwareID
FriendlyName
REG_SZ
ControlSet002\Enum\USBSTOR\Disk&Ven_VBTM&Prod_Store_'n'_Go&Rev_5.00\0B618860D06088B3&0
Last Written Time
Name
5/10/2007 16:00:15 UTC
Type
Data
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 40 OF 58 PAGES
EXAMINATION REPORT
HardwareID
REG_MULTI_SZ USBSTOR\DiskVBTM____Store_'n'_Go____5.00
FriendlyName
REG_SZ
VBTM Store 'n' Go USB Device
Typed URLs
When a user manually types a website address (URL) into the Internet Explorer browser, that address is recorded in the
registry key Software\Microsoft\Internet Explorer\TypedURLs. I reviewed the Typed URLs but did not find anything
related to adult pornography or child pornography.
Name Type
Data
url1
REG_SZ www.uschesssales.com
url2
REG_SZ http://www.msn.com/
url3
REG_SZ http://www.ebay.com/
url4
REG_SZ http://www.eyemedvisioncare.com/
url5
REG_SZ http://www.wachovia.com/
url6
REG_SZ http://www.myspace.com/
url7
REG_SZ http://www.softlyher.com/
url8
REG_SZ http://www.google.com/
OpenSave Most Recently Used
When a file is opened and saved using the Open / Save As command in Windows, the name of that file is stored in the
Windows registry under the key Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*. I
reviewed this registry key and noted items that had been opened and saved on HDD02 but I did not find anything related
to adult pornography or child pornography. The following is a sampling of those documents, for a complete list of all files
in the OpenSaveMRU, click here.
Class Name
Name
Type
Shell
Data
MRUList REG_SZ ihgfedcba
i
REG_SZ K:\New Folder\SM\1.jpg
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 41 OF 58 PAGES
EXAMINATION REPORT
h
REG_SZ C:\Program Files\ChessBase\Engines\Inactive Engines\Chessmaster 10\Wb2Uci.exe
g
REG_SZ C:\Program Files\ChessBase\DeepFritz GM\Wb2Uci.zip
f
REG_SZ C:\Program Files\Ubisoft\Chessmaster 10th Edition\crafty1917p3.exe
e
REG_SZ C:\Program Files\ChessBase\Engines\Inactive Engines\CM10engine.exe
d
REG_SZ
C:\Documents and Settings\HP_Administrator\My Documents\BRYAN
WADE\Georgia_Offline_Child_Support_Calculator_2007v3.xls
c
REG_SZ
C:\Documents and Settings\HP_Administrator\My Documents\BRYAN WADE\Open
Record - White County SO.wps
b
REG_SZ F:\openrecord.wps
a
REG_SZ
C:\Documents and Settings\HP_Administrator\My Documents\TurboTax\2006 Pruitt M
Tax Return.tax
Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\doc
Class Name
Name
Shell
Type
Data
MRUList REG_SZ edcba
c
REG_SZ
C:\Documents and Settings\HP_Administrator\My Documents\Downloads\Microsoft
keys\Microsoft License Keys Ementor.doc
b
REG_SZ
C:\Documents and Settings\HP_Administrator\Desktop\New Things to check
out\Computer Checking Software\TEST PASSWORD.doc
a
REG_SZ
C:\Documents and Settings\HP_Administrator\Desktop\Work Items\Blamk
Forms\BLANK Investigative Notes.doc
Recent Docs
with a .lnk file extension in the Recent Folder and recorded in the Windows registry under the key
Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. I reviewed the Recent Docs but found nothing
related to child pornography. I did find ten file names in the RecentDocs having the same nomenclature as the images of
alleged child pornography on the Forsyth County Server. These files were opened on HDD02 on 05/16/07. However,
the actual images do not reside on HDD02 and there is no evidence that these images contain child pornography.
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 42 OF 58 PAGES
EXAMINATION REPORT
Name Type
Data
34
Shortcut Target Name
: Pics
REG_BINARY Shortcut Name (ASCII) : Pics (2).lnk
Shortcut Name (Unicode) : Pics (2).lnk
20
: 0063.jpg
REG_BINARY Shortcut Name (ASCII) : 0063.lnk
Shortcut Name (Unicode) : 0063.lnk
46
: 0071.jpg
16
: 0081.jpg
22
: 0112.jpg
23
: 0115.jpg
9
: 0125.jpg
36
: 0122.jpg
15
: 0127.jpg
21
REG_BINARY
Shortcut Name (ASCII)
: 0128.jpg
: 0128.lnk
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 43 OF 58 PAGES
EXAMINATION REPORT
55
: 0129.jpg
10
: Pics 2
REG_BINARY Shortcut Name (ASCII) : Pics 2.lnk
Shortcut Name (Unicode) : Pics 2.lnk
53
: SM
REG_BINARY Shortcut Name (ASCII) : SM.lnk
Shortcut Name (Unicode) : SM.lnk
52
: Work Jump Drive
REG_BINARY Shortcut Name (ASCII) : Work Jump Drive.lnk
Shortcut Name (Unicode) : Work Jump Drive.lnk
Virus Scan
Using Mount Image Pro, I mounted HDD02 and scanned the evidence drive using Trend Micro PC-cillin Internet Security
Version 14.60.1206, engine version 8.910.1002, Serial No. DLEM-0013-6525-8298-3803. No malware was detected.
STANLEY’S REPORT OF IMAGES
SA Stanley produced a report titled HP Images Report that includes approximately 78 image files of interest found on
HDD02. The report includes the file names, Created dates, Last Accessed dates and the full path where each file was
found. Four of the files were found in the Java Cache folder and the remaining images were deleted temporary Internet
files. Inasmuch as the report does not contain the actual images, I located all 78 images on HDD02 and reviewed them
for their content. In addition, I reviewed each of the images in SA Stanley’s report and noted the dates when the activity
occurred, as follows:
11/05/06
12/10/06
12/11/06
01/17/07
05/16/07
12:06 PM
05:10 PM – 06:28
04:15 PM
10:06 AM
02:37 PM – 02:50 PM
11/05/06
SA Stanley’s report includes four images of interest created on 11/05/06 at 12:06 p.m. The following is an example of
one of the images. None of the images noted on this date and time contain child pornography.
Name
File Created
Last Accessed
Full Path
preteen_model_girl.jpg-16dd1af8-720492a5.jpg
11/05/06 12:06:51PM
01/16/07 10:42:21PM
Pruitt\1\C\Documents and Settings\HP_Administrator\Application
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 44 OF 58 PAGES
EXAMINATION REPORT
Data\Sun\Java\Deployment\cache\javapi\v1.0\file\preteen_model_girl.jpg-16dd1af8-720492a5.jpg
I was unable to identify any specific user activity during this date and time. It was not until 05:36 p.m. that the first user
Identified activity begins with Jami Suddeth.
05:36 pm
06:19 pm
LoveMuffins (Jami Suddeth) is editing her MySpace account. All Internet activity at this time
occurs under the Jami Suddeth profile.
MySpace activity ends
12/10/06
SA Stanley’s report includes three images of interest created on 12/10/06 between 05:21 and 06:28 p.m. and
subsequently deleted. Only one of these images contains pornographic content. Image 1350598715_s[1].jpg is a very
small thumbnail image that depicts a close-up of male and female genitals engaged in intercourse. Other than the lack
of pubic hair on the female genitals, there are no identifying features to determine the age of either person in the image.
The other two images are not pornographic in nature as evidenced below. All activity noted on this date from 05:21
p.m. to 06:28 p.m. indicates Jami Suddeth on MySpace.
Name
File Created
Last Accessed
Full Path
612796291_m[1].jpg
12/10/06 05:21:52PM
02/05/07 12:07:16PM
Pruitt\1\C\Documents and Settings\Jami Suddeth\Local Settings\Temporary Internet
Files\Content.IE5\QE2WQDBT\612796291_m[1].jpg
Name
File Created
Last Accessed
Full Path
1350598715_s[1].jpg
12/10/06 05:37:42PM
02/05/07 12:02:42PM
Files\Content.IE5\3IQQ0SKX\1350598715_s[1].jpg
Name
prettyprincesspink444[1].gif
File Created
12/10/06 06:28:17PM
Last Accessed 02/05/07 12:07:30PM
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 45 OF 58 PAGES
EXAMINATION REPORT
Full Path
Files\Content.IE5\QE2WQDBT\prettyprincesspink444[1].gif
12/11/06
SA Stanley’s report includes one image of interest created on 12/11/06 at 04:15 p.m. and subsequently deleted. This
image is a very small thumbnail image that depicts a close-up of male and female genitals engaged in intercourse.
Other than the lack of pubic hair on the female genitals, there are no identifying features to determine the age of either
person in the image. All activity noted on this date indicates Jami Suddeth on MySpace.
Name
File Created
Last Accessed
Full Path
70244rdc9jm4y6t[1].jpg
12/11/06 04:15:34PM
02/05/07 12:02:25PM
Files\Content.IE5\2OUFDUI5\70244rdc9jm4y6t[1].jpg
01/17/07
SA Stanley’s report includes one image of interest created on 01/17/07 at 10:06 a.m. This image is a very small
thumbnail image that depicts a close-up of male and female genitals. Other than the lack of pubic hair on the female
genitals, there are no identifying features to determine the age of either person in the image. There is no user
identifiable activity on the computer on this date and time.
Name
File Created
Last Accessed
Full Path
tn_1112[1].jpg
01/17/07 10:06:36AM
01/17/07 10:06:37AM
Pruitt\1\C\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet
Files\Content.IE5\2NHI22GP\tn_1112[1].jpg
05/16/07
SA Stanley’s report includes 67 images of interest created on 05/16/07 from 02:37 p.m. through 02:50 p.m. None of the
images cached on this date contain child pornography.
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 46 OF 58 PAGES
EXAMINATION REPORT
512MB THUMB DRIVE (HDD03)
HDD03 has a total capacity of 488.6mb with 136mb allocated to data. I bookmarked the Folder Structure and noted one
folder in allocated space for Program Files, the remaining folders have been deleted. Because HDD03 is a storage
device only, no operating system or user accounts exist. There are a total of 507 files and folders on HDD03 with
created dates from 10/05/05 through 10/12/06. For a listing of all files on HDD03, click here. I did not find anything of a
personal nature, no images of adult pornography or child pornography and nothing of evidentiary value on HDD03.
Volume
File System
FAT16
Sectors per cluster 16
Total Sectors
1,001,184
Total Clusters
62,541
Free Clusters
45,134
Volume Name
NO NAME
OEM Version
)o-H]IHC
Heads
8
Unused Sectors
32
Sectors Per FAT 245
Drive Type
Fixed
Bytes per sector 512
Total Capacity
512,335,872 bytes (488.6MB)
Unallocated
369,737,728 bytes (352.6MB)
Allocated
142,598,144 bytes (136MB)
Volume Offset
32
Serial Number
0016-9E40
Sectors Per Track 32
Number of FATs 2
Boot Sectors
1
└─
C
├─
Program Files
│ └─
StaffCom
│
└─
DB
_B
├─
├─
FL WC forms
├─
Forms瀀
├─
├─
├─
└─
Ga WC Forms
New Folder
_B
_B
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 47 OF 58 PAGES
EXAMINATION REPORT
1GB THUMB DRIVE (HDD04)
HDD04 has a total capacity of 984mb. I bookmarked the Folder Structure and noted many user defined files and folders
that all appeared to be work related. The following is an example of the Folder Structure. To view the Folder Structure in
its entirety, click here. Because HDD04 is a storage device only, no operating system or user accounts exist. There are
a total of 1959 files and folders on HDD04 with created dates from 12/26/06 through 05/03/07. For a listing of all files on
HDD03, click here. I did not find anything of a personal nature, no images of adult pornography or child pornography and
nothing of evidentiary value on HDD04.
Total Size
1,031,798,784 bytes (984MB)
Total Sectors 2,015,232
Disk Signature 00000000
Partitions
Code Type
0E
Start Sector Total Sectors Size
LBA DOS 0
2,015,232
984MB
└─ untitled
└─ C
├─ ACCIDENT DIAGRAMS
├─ Bishop
├─ Camera Photos
│ └─ Simmons 04-09-07
├─ Click It or Ticket
├─ Daily Activity
│ ├─ 2007 Daily Activity Reports
│ │ ├─ 03 March 2007
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 48 OF 58 PAGES
EXAMINATION REPORT
CONCLUSIONS
On the morning of April 16, 2007, John-David Rusk noticed unusual Internet usage on the Forsyth County Server from
the previous weekend of April 14-15, 2007 and proceeded to investigate the activity. Rusk identified MSPruitt as one of
the users who remotely accessed the server that weekend. According to Rusk he opened the MSPruitt profile and “by
accident I sorted to see the oldest files first and was shocked to see thumbnail images of a disturbing sexual nature
accessed by the MSPruitt account on March 15, 2007.” A screen shot was taken of the My Recent Documents folder in
the MSPruitt profile showing files accessed from March 15, 2007 through March 26, 2007.
There are several notable and troubling discrepancies with the facts set forth in this regard. Rusk states that he
accidentally sorted the oldest files first and was shocked to see thumbnail images of a disturbing sexual nature.
According to the screen shot that was provided with the disclosure, there are 36 shortcuts with Modified Dates from
03/15/07 to 03/26/07. The scroll bar on the right side of the screen is at all the way at the top indicating there are many
additional files after 03/26/07 but none before 03/15/07. According to this screen shot, MSPruitt never accessed a file
during a remote session prior to 03/15/07. However, the Remote to County shortcut was setup on HDD01 on 12/21/05
and last accessed on 05/03/07 indicating the remote connection was used for a period of at least six months.
Additionally, this screen shot does not show any additional information regarding the link files and Pruitt’s activities
including the File Created, Last Written or Last Accessed dates.
Although the author of the screen shots was not identified in the disclosure I reviewed, the screen shots were disclosed
in both State and the Federal cases charging Mr. Pruitt with wrongdoing. I reviewed both documents and noted that the
screen shot disclosed in the State matter differs from the screen shot disclosed in the Federal matter. Identified as
Exhibit 2 in the State matter, the screen shot shows the image files in question as 0024, 0044, 0058, 0134, 0132, 0082,
0063 and 0071. Identified only with 34-0525-22-07 in the Federal case, the screen shot shows the image files in
question as 0024, 0041, 0044, 0058, 0134, 0132, 0082, 0063 and 0071. The 0041 shortcut file is clearly missing from
the screen shot disclosed in the State matter indicating that file was either deleted or added. Because computer
forensic evidence is an exact science, verified with the use of hash values, this extraordinary flaw merits further
investigation.
Another discrepancy with the screen shots disclosed by the Government is the order in which the files appear. In one
document, SA Stanley states that the images of child pornography were located in the Joe Mamma folder and in a
different document SA Stanley indicates that the images of child pornography were located in the Possible CP
Unallocated_Files folder. While the Joe Mamma folder appears in the My Recent Documents almost two hours prior to
the first file being accessed, it seems unlikely that a user would open a folder during a remote session and then wait two
hours to open the first file. According to the screen shot, the Jo Mamma folder is opened, but no files within that folder
are opened. If the images were actually located in the Possible CP Unallocated_Files folder, common sense tells us that
the folder should appear in the My Recent Documents moments before the first file is opened indicating the folder is
opened and then a file is opened. However, this folder does not appear in the screen shot until 02:16 a.m., almost 9
minutes after the first file contained in the folder was allegedly opened. These questions surrounding these
inconsistencies may be answered through an independent forensic exam of the Forsyth County Server, however, the
questions can not be answered with the hard copy screen shots provided.
With regard to Rusk’s statement that he “was shocked to see thumbnail images of a sexual nature”, the files in the My
Recent Documents are link files or shortcuts. Shortcuts are simply links to files that have been opened, not the files
themselves. As such, the icons for the shortcut files represent the software application associated with that file. For
example, if I open a .PDF document, the shortcut in My Recent Documents would be an image of the Adobe Acrobat
software application, as evidenced in the screenshot below:
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 49 OF 58 PAGES
EXAMINATION REPORT
Therefore, when Rusk viewed the My Recent Documents for the MSPruitt profile, he would have seen icons for software
applications associated with the format of the files, not the content of the files themselves. Additionally, the names of the
shortcuts in the My Recent Documents folder did not have naming conventions associated with child pornography and as
such Rusk would not have known that shortcuts named “0024” and” 0041” actually contained child pornography.
In the Affidavit of Search Warrant prepared by SA Stanley, he states that “it appeared that the only area Pruitt accessed,
were files belonging to Det. Roe and images associated with child pornography investigations.” He goes on to state that
Pruitt navigated his way to S:\Roe\207\mar\07031338 and also accessed images of child pornography in
S:\Roe\2005\2005 CFTS\may 05\0505434 State v. Jackson CP\Exhibit 5 Forensics\Possible CP Unallocated_files.
When I reviewed the screen shot of My Recent Documents, I noticed that other folders were accessed during the same
date and time including FCSO Investigative Notes, CFI, and 0303239 State vs Stowe. These files do not appear on the
surface to be related to Detective Roe or child pornography as stated by SA Stanley in his Affidavit. Again, I feel it would
be imperative that a forensic examination be conducted on the Forsyth County Server to determine exactly what activity
occurred during the early morning hours of March 15, 2007 that prompted this investigation.
SA Stanley also states in his Affidavit for Search Warrant that he was provided with a screen capture by the Forsyth
County CID showing that the items in Roe’s folder show the “thumbnail” view by default. Accordingly, it was concluded
by SA Stanley that MSPruitt would have viewed that folder in the “thumbnails” view and would have had to scroll through
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 50 OF 58 PAGES
EXAMINATION REPORT
the images to open the ten files found in the My Recent Documents. What SA Stanley fails to mention is that the default
folder view in Windows is not the “thumbnail” view and although a user can change the view to “Thumbnails”, “Icons”,
“Details” or “List”, that choice is determined by the user profile, not the folder itself. Therefore, when CID created the
screen shot with the “thumbnail” view, it is imperative to know which profile was being used at the time. If the MSPruitt
profile was defaulted to the “List” view, the conclusions set forth by SA Stanley that Pruitt scrolled through the images
would be false.
The solution to all of these inconsistencies, missing information and unanswered questions may be found in an
independent forensic exam conducted by the defense on the Forsyth County Server.
PANASONIC PRO TOUGHBOOK LAPTOP COMPUTER (HDD01)
A review of the Panasonic Toughbook laptop computer identified as the Forsyth County computer issued to Milton Scott
Pruitt (HDD01) revealed no pornographic images in allocated or unallocated space indicating no pornography was ever
received or otherwise possessed on HDD01. Further, a review of all user-defined files and folders, installed software
applications, emails, Internet activity and registry files revealed nothing of a pornographic nature in allocated or
unallocated space indicating nothing of a pornographic nature was ever received or otherwise possessed on HDD01.
The allegations that Pruitt logged into the Forsyth County Server on March 15, 2007 and accessed 10 images of child
pornography from HDD01 is supported solely by two screenshots of the My Recent Documents allegedly taken from the
Forsyth County Server. The discrepancies with this evidence have already been discussed previously in my report and
my conclusions in this regard remain the same. While it may or may not be true that Pruitt logged into the Forsyth
County Server and accessed files of child pornography, I have not seen any forensic evidence of such.
There are indirect allegations that Pruitt copied these images of child pornography during his remote session on the
Server to a media storage device that was never recovered but subsequently accessed by Pruitt for the purpose of
viewing the images again. SA Stanley surmises that file names with similar naming nomenclature must certainly be the
same images of child pornography thereby insinuating that Pruitt must have copied these images from the Server. I did
not see any information disclosed from the Forsyth County Server security event logs in this regard. These security
event logs would contain detailed information with regard to the activities conducted by MSPruitt during his remote
session on March 15, 2007 including the exact time he logged on, the exact time he logged off, and the amount of data
that was transferred during that remote session, if any. Some of this information will only exist if various security options
in the Windows operating software have been turned on as they are not turned on by default. I can only assume that
these very important security features were surely enabled on a server that was hosting remote access connections
while storing illegal images of child pornography. While the Adam Walsh Act prohibits me from examining a hard drive
containing child pornography images in my lab for fear of possible dissemination; and hundreds of hours of computer
forensics training by law enforcement has taught me that forensics computers can not be networked or connected to the
Internet for fear of disseminating images of child pornography; and Court Protective Orders require that all evidence
containing child pornography be locked securely in an evidence safe when not being examined; I am nonetheless
astounded that Forsyth County stored illegal images of child pornography on a server that was not only networked and
connected to the Internet, but was specifically setup to allow users to remotely access the server and all the data
contained therein. The allegations that Pruitt copied images of child pornography to a removable storage media device
during the remote session of March 15, 2007 can be answered simply by examining the Security Event logs of the
Forsyth County Server.
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 51 OF 58 PAGES
EXAMINATION REPORT
The only evidence on HDD01 that SA Stanley is using to support the allegations that Pruitt copied images of child
pornography during his remote session, exists in the form of 10 link files that appear in the Recent folder on 03/26/07.
These link files have a similar naming nomenclature to the images on the server and were accessed from D:\Pics on a
media storage device identified as a Store’N’Go. Inasmuch as I have not examined the Store’N’Go thumb drive nor do I
have hash values for any of the files with which to compare, I can make no conclusions with regard to the images stored
there and can not assume that a similar file name indicates similar content. If, for example, there are other images
stored on the Forsyth County Server with the same nomenclature that are not child pornography, it would be possible
that the images stored on the Store’N’Go thumb drive are related to one of Pruitt’s investigations and are wholly
unrelated to child pornography.
I found evidence that multiple USB media storage devices were connected to HDD01 from 01/18/06 through 05/03/07.
However, the charges in State Counts IV, V, VI and VII do not provide any identification of the media storage devices at
issue such as a Hardware ID, Serial Number or Friendly Name. Therefore, it is impossible to conclude from reviewing
the evidence whether any of the media storage devices referenced in Counts IV, V, VI or VII are, in fact, the same media
storage devices connected to HDD01 or the devices seized and forensically examined.
With regard to the allegations that Pruitt used his county issued laptop for personal use, I found no evidence of this. With
the exception of one Internet search term for “weird al ebony and ivory parody” on December 14, 2006, a review of
HDD01 revealed nothing of an obvious personal nature and all activity appeared to be related to Pruitt’s work. With
regard to March 15, 2007 specifically, there is no evidence that anything of a personal nature occurred on HDD01.
HP PAVILION DESKTOP COMPUTER (HDD02)
After Rusk’s findings on the Forsyth County Server, Pruitt’s home computer was forensically previewed and, according to
the GBI Receipt for Property, seized on 05/16/07 at approximately 09:20 p.m. During my examination of the HP Pavilion
desktop computer (HDD02), I sorted all files by Last Accessed date to confirm the original evidence was not accessed
after it was seized and the evidence revealed that HDD02 was last accessed on 05/16/07 at 04:16 p.m. which is
consistent with no access after the seizure. However, the last logon time recorded by the operating system indicates a
logon of 05/17/06 at 12:16 a.m. As of the writing of this report, I have not yet determined why the last logon occurred
after the last accessed dates of any of the files. At the very least, a logon would cause system files to be accessed
thereby having the same last accessed dates and times as the logon. My examination in this regard continues and may
be supplemented.
After examining all files in allocated space on HDD02, I did not find any images of child pornography and no multimedia
files containing child pornography. Upon completing a forensic process that carves image files from unallocated space, I
did find images of child pornography in unallocated space on HDD02. All of the images I found were very small
thumbnails that likely originated from websites accessed on the Internet based on their appearance and file sizes. In
fact, 17 of the images recovered from unallocated space are thumbnail images of video files with identical maroon
colored banners across the top of each image indicating these thumbnails likely came from the same website. Because
one website can cache hundreds of images to a user’s computer in a matter of seconds, it is possible that all of the
images of child pornography found in unallocated space were cached from one website on the same date and time.
Because no metadata can be retrieved from images in unallocated space, it is impossible to say when the images came
to be on the computer, how long they were on the computer, who or what may have caused them to be on the computer,
and whether or not they were viewed, saved or otherwise distributed. Without this information, it is impossible to
determine the user who may have been at the keyboard when the images were cached to the hard drive and thereby
impossible to say if Pruitt knowingly possessed these images.
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 52 OF 58 PAGES
EXAMINATION REPORT
Further, my examination revealed multiple users had access to HDD02 including Jami Suddeth. When multiple users
have access to a computer, it is impossible to say with 100% certainty who is responsible for any particular activity. In
this case, Jami Suddeth had her own profile on HDD02 and spent a considerable amount of time on the Internet,
specifically on MySpace. In fact, Jami Suddeth was logged onto HDD02 and her MySpace profile was being accessed
during the very same date and time several images identified in SA Stanley’s report as child pornography were created
on HDD02. It is important to note that simply because a user has his or her own profile on a computer, does not mean
the only activity connected to that user will be found under that profile.
My review of the Index.dat files indicates Internet activity related to adult pornography and some child pornography,
however, I have not completed my examination of the evidence in this regard. Although I found search terms indicative
of child pornography, many of them were conducted on German Google and include “bbs” in the term. This term in and
of itself is odd in that “bbs” stands for bulletin boards which is old technology that is rarely used anymore. In addition, I
found other foreign website activity that looks suspicious on the surface and warrants a more in-depth examination into
the possible causes. Although it is possible for this activity to have been created by the user at the keyboard, I have
seen similar activity on other child pornography cases that was proven to be caused by unwanted intrusions. This will
require a more in-depth and timely investigation and I will supplement as additional evidence is uncovered.
SA Stanley examined HDD02 and submitted a document named “HP Images Report” and titled “Pruitt Images” which I
can only assume are images of concern since they were selected from thousands of images found on HDD02. This
document contains the File Name, File Created dates, Last Accessed dates and Full Path for 78 files. Because the
document does not contain the actual images, I located all 78 files on HDD02 and reviewed them for content. I found
four of these images in the Java Cache folder but none contain child pornography. The remaining images were found in
the temporary Internet files folder and had all been deleted, making them inaccessible to a computer user. Of the 78
images, I found three that may be considered child pornography. However, these images are close-up photos of female
genitals with no pubic hair and no other distinguishing factors to identify the age of the female in the image. In addition,
these images are very small thumbnails that were cached from a website as a result of Internet activity. As of the writing
of this report, I have not identified an origin for these images. While I have identified Jami Suddeth as the computer user
during the date and time that two of these images were created, I have been unable to identify a computer user during
the date and time of the creation of the third image. My examination continues in this regard and will be supplemented
as evidence is uncovered.
Also during SA Stanley’s examination of HDD02, he determined that “Pruitt had inserted the missing thumb drive into his
personal computer and viewed what appeared to be images of child pornography.” After my examination of the
evidence, I find that these conclusions have no evidentiary basis. The Registry revealed many different USB thumb
drives connected to HDD02, each identified by a hardware ID and a friendly name. Inasmuch as I have not seen any
forensic evidence positively identifying the “missing thumb drive”, it is impossible for me or any other examiner to
conclude that one of the thumb drives attached to HDD02 was the “missing thumb drive.” Further, SA Stanley concludes
that Pruitt viewed “what appeared to be images of child pornography from the missing thumb drive. What SA Stanley
refers to are ten link files that exist in the Recent folder with names such as 0063.jpg indicating these images were
viewed on HDD02 on 05/16/07 and were stored on a thumb drive identified as a Store’N’Go . The files themselves do
not exist on HDD02, they do not exist on any of the thumb drives I examined, and no hash values or file sizes are
available for any of the files. The conclusion that these files contain child pornography is purely speculative with no
forensic evidence to support such a conclusion.
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 53 OF 58 PAGES
EXAMINATION REPORT
512MB THUMB DRIVE (HDD03)
My examination of the 512mb thumb drive seized from Pruitt’s patrol car (HDD03) revealed nothing of an obvious
personal nature, nothing of a pornographic nature and nothing of evidentiary value.
1GB THUMB DRIVE (HDD04)
My examination of the 1gb thumb drive seized from Pruitt’s residence (HDD04) revealed nothing of an obvious personal
nature, nothing of a pornographic nature and nothing of evidentiary value.
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 54 OF 58 PAGES
EXAMINATION REPORT
FORENSIC TOOLS USED
Hardware
Dell Latitude D630 Laptop Computer
Intel Duo 2.2ghz
4gb RAM
Software
EnCase Forensic Version 6.8
Forensic Tool Kit Version 1.7
Registry Viewer 1.5
NetAnalysis 1.37
DISCLOSURE REVIEWED
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
22.
23.
24.
25.
26.
27.
28.
29.
Forsyth County Sheriff’s Office Property & Evidence sheet dated 10/11/06 re: PNY jumpdrive obtained from
Angela Harper
Discovery of Suspicious File Access Activity prepared by John-David Rusk (No Bates)
Traffic Analysis for FastEthernet dated 04/26/07 (No Bates)
Screen shot of C:\Documents and Settings\MSPruitt\Recent, no date, 03:11 p.m. (No Bates)
Screen shot of C:\Documents and Settings\MSPruitt\Recent, no date, 05:03 p.m. (No Bates)
GBI Waiver of Constitutional Rights to a Search Warrant of a Computer dated 05/10/07
Affidavit and Application for Search Warrant dated 05/11/07 (No Bates)
Forsyth County Sheriff’s Office Property & Evidence sheet dated 05/11/07
GBI Receipt for Property dated 05/16/07
Forsyth County Sheriff’s Office Property & Evidence sheet dated 05/17/07
Search Warrant with handwritten corrected date of 05/17/07 (No Bates)
Memo dated 05/17/07 from Captain Ron Freeman to Sgt. Richard Holcomb re: Internal Affairs Investigation
Letter dated 05/17/07 to Sergeant Pruitt
Order dated 05/23/07
Forsyth County Pre-Booking Form dated 05/23/07
Return of Service dated 05/23/07
Georgia Bureau of Investigation Investigative Summary dated 10/25/07 (Bates No. 163240)
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 55 OF 58 PAGES
EXAMINATION REPORT
30.
31.
32.
33.
34.
35.
36.
Criminal Indictment dated August 20, 2008
General Bill of Indictment dated November 10, 2008
THIS REPORT CONTAINS HYPERLINKS TO SUPPORTING DOCUMENTATION INCLUDED ON THE ATTACHED
CD-ROM.
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 56 OF 58 PAGES
EXAMINATION REPORT
GLOSSARY OF COMPUTER TERMS
The following are common computer terms that may be used in this report:
ALLOCATED SPACE: Allocated, or used, space is the area of a hard disk that holds files that are recognized by the
operating system. This recognition is accomplished via a file allocation table of some type. Different types of operating
systems use different types of allocation tables to keep track of files.
COMPUTER EVIDENCE: Computer evidence is unique when compared with other forms of "documentary evidence."
Unlike paper documentation, computer evidence is fragile, and a copy of a document stored in a computer file is
Identical to the original. Thus, the legal "best evidence" rules change when it comes to the processing of computer
evidence.
COMPUTER FORENSICS: Computer Forensics deals with the preservation, identification, extraction, interpretation
and documentation of computer evidence. Like any other forensic science, computer forensics involves the use of
sophisticated technology, tools and procedures that must be followed to guarantee the accuracy of the results.
Typically, computer forensic tools exist in the form of computer software and hardware write-blocking devices.
Computer forensic examiners guarantee the accuracy of evidence processing results through the use of time tested
procedures, and through the use of validated software tools from independent developers.
FILE SLACK: Files are created in varying lengths depending on their contents. Windows based computers store files in
fixed length blocks of data called clusters. Rarely do file sizes exactly match the size of one or more clusters perfectly.
The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called "file
slack". File slack potentially contains randomly selected bytes of data from computer memory. This happens because
Windows normally writes in 512 byte blocks called sectors. Clusters are made up of blocks of sectors. If there is not
enough data in the file to fill the last sector in a file, Windows makes up the difference by padding the remaining space
with data from the memory buffers of the operating system. This randomly selected data from memory is called "RAM
slack" because it comes from the memory of the computer. RAM slack can contain any information that may have
been created, viewed, modified, downloaded or copied during work sessions that have occurred since the computer
was last booted. Thus, if the computer has not been shut down for several days, the data stored in RAM slack can
come from work sessions that occurred in the past. It should be noted that the newer versions of the Windows
operating system zero out (write all zeros to) the RAM slack when a file is created. RAM slack pertains only to the last
sector of a file. If there are additional, unused sectors between the last sector of the file and the end of the cluster, this is
called "drive slack." Unlike RAM slack, which comes from memory, drive slack is made up of the data that was stored
on the storage device prior to the file in question. Such data could contain remnants of previously deleted files.
GB: A Gigabyte (GB) is a unit of computer memory or storage capacity equal to 1,073,741,824, or roughly one billion,
bytes or characters. One gigabyte of storage space is the equivalent of 500,000 double-spaced pages of text. Hard
disks capable of storing one-hundred gigabytes of data are now commonplace in desktop computers. Such storage
devices could contain the equivalent of 50 million pages of data.
INSTANT MESSAGING (IM) : IM is a text-based computer conversation over the Internet between two or more people
who must be online at the same time, and who must be using the same instant messaging system. Current, popular IM
systems are AOL's Instant Messenger (AIM), AOL's ICQ, Microsoft's MSN Messenger and Yahoo! Messenger.
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 57 OF 58 PAGES
EXAMINATION REPORT
JPG/JPEG: Joint Photographic Experts Group (JPEG or shortened to JPG) is a compressed format for storing bitmap
images, and is one of the most common image formats used on the Internet. Other common image formats include
ART, BMP, GIF(F), and TIF(F).
KB: A kilobyte (KB) is a unit of computer memory or storage capacity equal to 1,024 bytes or characters.
MB: A megabyte (MB) is a unit of computer memory or storage capacity equal to 1,048,576, or roughly one million,
bytes or characters.
METADATA: Metadata can be described simply as "data about data", or as a hidden level of information embedded in a
file and maintained by the application that created the file. For example, Microsoft Word documents contain metadata
showing the author of the file, the author's company, the number of file revisions, total editing time, and its own set of
created, accessed and written dates. Most digital cameras save images with metadata embedded in the file showing
the make and model of the camera, the date and time the photograph was taken, and the values of many of the
camera's settings, such as exposure, flash, focal length, etc.
OPERATING SYSTEM (OS): An OS is set of software programs used by a computer to manage its own resources,
such as recognizing input from the keyboard, sending output to the display screen, keeping track of files and directories
on the disk, and controlling peripheral device~ such as disk drives and printers. Examples of operating systems are
Windows 98, Windows XP, Mac OSX, Linux, and Unix. The OS is the core of the computer's operation, and application
programs such as word processors run on top of it.
PAGEFILE.SYS: The page file is a special file used by windows for holding temporary data which is swapped in and
out of physical memory in order to provide a larger virtual memory set. In a Microsoft Windows NT, Windows 2000 and
Windows XP environment, the file name is pagefile.sys and it is created during setup in the Root of the boot drive as a
hidden file. It will not show up on an Explorer file listing unless you toggle off the "Hide system Files" option.
PARALLEL ATA (PATA): For many years, Parallel ATA was the most common disk drive interface. Serial ATA has now
become the preferred disk drive interface due to its faster speed, smaller connector, and longer cable length. When
Parallel ATA was first introduced, it was an important advancement because it provided controller electronics on the
drive itself, eliminating the need for a separate adaptor card. It was easy to configure and was relatively inexpensive
compared to its traditional rival, SCSI. PATA uses 40-pin ribbon cables with a maximum length of 18 inches and a
maximum transfer rate of 133 MB/second.
PEER-TO-PEER (P2P) : P2P allows a sharing and delivery of user specified files among groups of people who are
logged on to a file-sharing network. Napster was the first mainstream P2P software that enabled large scale file
sharing. P2P networks are used to share multimedia files, such as music and movies. Typically, users place files they
want to share with others in a 'shared" folder on their computer. To access a P2P network you need to download,
install and run a P2P tool (P2P client software) . *The P2P software allows users to search for the types and names of
files they are interested in downloading. Examples of current, popular P2P software are Kazaa and Grokster (FastTrack
network), Limewire and BearShare (Gnutella network), eDonkey and Overnet (eDonkey/Overnet network), and
BitTorrent (BitTorrent network).
RAM: RAM, or Random Access Memory, is a type of memory that can be written to and read from in a nonlinear
(random) manner. When a computer program or application is opened, it is transferred from the hard drive to RAM
where it is more readily accessible. RAM enhances system performance because it can process requests from the
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
CASE NAME / NUMBER
DETAILS
2:08 CR-000033
PAGE 58 OF 58 PAGES
EXAMINATION REPORT
CPU much more quickly than the hard drive. The kind of RAM used in main memory on most computers is Dynamic
RAM (DRAM) . DRAM stores data as electronic signals that must be constantly refreshed to keep them from
dissipating. The data held in PAM is lost when the computer is turned off.
UNALLOCATED SPACE/CLUSTERS: Unallocated space is the area of a hard disk that is not currently occupied by
saved files, but is free to have data written to it. Unallocated file space can contain the entire or partial content of
deleted files, deleted folders, and temporary files that were transparently created and deleted by computer applications
and the operating system. With manual or automated methods, it is often possible to "unerase" deleted files and view
the original content so long as the data area of the file has not been overwritten by other data, such as from a newer
file.
URL: Uniform Resource Locator (URL) is the address of a resource on the Internet. World Wide Web URLs begin with
http://
ORGANIZATION
TAMI L. LOEHRS
LAW2000, INC.
SIGNATURE
DATE
12/26/2008
EXHIBIT
"\
)
.1
'-----
"----'
GEORGIA BUREAU OF INVESTIGATION
HIGH TECHNOLOGY
INVESTIGATIVE
INVESTIGATIONS
UNIT
CASE SUMMARY
34·0525·22·07
On Wednesday, August 13, 2008, Special Agent Bobby Stanley conducted a forensic
analysis of the hard drive of Milton Scott Pruitt's personal home desktop computer.
The hard drive is described as a Western Digital 250 GB hard drive bearing serial
number WCANK2776793. The examination was conducted utilizing Guidance
Software Encase v6 forensic software and a Guidance Software Fastbloc write
blocking device. During the, examination, Special Agent Stanley was able to locate
numerous items of possible evidentiary value. The items of possible evidentiary value
consisted of images of suspected child pornography which were located by
conducting a search of the unallocated space of the harddrive. These images were
subsequently saved and made a part of this case file titled Image Search Unallocated.
The original files were stored for future analysis with a copy of the report saved to a
CD and made a part of this case file.
SPECIAL AGENT BOBBY T STANLEY, JR: 8/14/2008
,Ks.
bts: 10/9/2008
Page 1 of 1
211067
PROPERTY OF GBI
Further dissemination is prohibited without written approval of a
,
GBI Supervisor
EXHIBIT
L [)

report of forensic examination

Transcription

Similar documents

Commentaria in Aristotelem graeca

Google Business Photos ($) To make Google Maps even more

Google Maps in the Classroom

2999 $1499 $5999 $5999 $15999 $1899 $2495 $1099 10% off 10

EMUKEY Product Sheet

Plan Preliminar de Mercadeo

Meson Sabika

Lightning in a Bottle