Internal Case #: CF-BC021418 1
Forensic Report
for GOAA BP-S00132 Procurement
Case Number: CF-BC021418
February 23rd, 2018
Table of Contents
I. Introduction, p. 3
II. Executive Summary, p. 4
III. Data Analyzers Background, p. 5
IV. Evidence Consideration, p. 6
V. Data Analyzers Process and Procedures, p. 9
VI. Additional Considerations, p. 10
VII. Investigation and Analysis, p. 11
VIII. Conclusion, p. 14
Appendix A Chain of Custody Form, p. 15
Appendix B Chain of Custody Form, p. 17
Appendix C Affidavit D4 LLC, p. 19
I. Introduction
The Greater Orlando Aviation Authority is in the process of procuring a baggage handling system for its
new South Terminal C. During the procurement process, irregularities were discovered and the
Aviation Authority staff, consultants and legal counsel initiated an investigation into this matter. After
learning that Mr. Martin Ineichen of PMA had accessed and possibly downloaded certain
documents related to the BP-S00132 STC BHS procurement, the Greater Orlando Aviation Authority
(GOAA) decided that a forensic data investigation should be conducted.
On February 13th, 2018, Broad and Cassel contacted Data Analyzers, LLC (Data Analyzers). On February
14th, 2018, Broad and Cassel LLP retained Data Analyzers to assist with the forensic data examination
of the systems and custodians involved with the procurement project.
Specifically, the scope of the data forensic investigation was to reveal any digital evidence that could
assist in answering the following questions:
1. Whether PMA staff downloaded onto its computers, servers, cloud-based services, or removable
storage devices any of the documents identified on Exhibit A, or whether any of those documents
were deleted;
2. Whether Jervis B. Webb has possession, on its network or any cloud-based services, of any of the
documents identified on Exhibit A, or whether any of those documents were deleted;
3. Whether any of the searches and computer usage depicted in Exhibit B evidence the transfer,
download, upload, or deletion of any document identified on Exhibit A; and
4. Whether personal email servers evidence the transfer or deletion of any of the documents
identified on Exhibit A.
Recognizing the existence of confidential data on the devices examined, the scope of the examination was
limited to the analysis of metadata and system artifacts of desktop and laptop computer systems. The
systems investigated were computers identified as having been utilized by individuals from Jervis B. Webb
Company (“Jervis”) and PMA Consultants, Inc. (“PMA”) during the BP-S00132 STC BHS procurement
process. With the findings of the forensic data investigation due to be turned over by February 23rd, this
report is a summary of Data Analyzers' findings regarding any activities related to the documents in
Exhibit A.
II. Executive Summary
Data Analyzers has not found any evidence that Jervis B. Webb has, or has had, possession of any
documents outlined in Exhibit A, on the computer systems that Data Analyzers has examined. Neither
internet activity, system artifacts nor file system records revealed the access of such files. In addition, Data
Analyzers made the following findings:
- Data Analyzers found direct and compelling digital forensic evidence that the PMA Laptop
assigned to Mr. Ineichen was tampered with, to the extent that system artifacts and metadata
were altered to conceal activity on the Laptop computer system. Whether this was done for reasons
pertaining to this investigation or for other reasons could not be determined at this time.
- Data Analyzers did not find a copy of any of the documents outlined in Exhibit A stored on the
GOAA computer systems assigned to Mr. Ineichen. Similarly, Data Analyzers did not find evidence
of any USB storage device connected to that computer during the time frame of the incident.
- Data Analyzers did not find a copy of any of the documents outlined in Exhibit A stored on any of
the computer systems examined.
- Data Analyzers did establish in a metadata timeline that after the files on box.com had been
accessed from Mr. Ineichen’s GOAA-assigned computer system, the next user activity was accessing
PMA’s web-based Outlook email service.
- Data Analyzers was not able to cross-reference the results provided by Box.com regarding the
download of the file “Technical Proposal for DBOM Services for BP-S00132 BHS_archive.pdf”:
while internet activity and a login to box.com during this timeframe could be verified, the metadata
did not show the download of the file to the computer system. Further detailed examination
beyond the metadata would be required to explain this abnormality.
III. Data Analyzers Background
A. Company Information
Founded in 2009, Data Analyzers, LLC is a professional service firm and consultancy whose principal place
of business is in Lake Mary, Florida. The focus of the practice is on delivering intelligent electronic
discovery collection, data recovery, data breach analysis, and advisory services to corporations, law firms
and government entities. Its professional staff hold numerous industry certifications and have assisted
clients with data preservation requests, data breach investigations, cybercrime responses and expert
witness services.
B. Biographies
This report was prepared by Andrew von Ramin Mapp.
Andrew von Ramin Mapp is the founder and principal consultant of Data Analyzers, LLC. Mr. von Ramin Mapp
manages matters in the areas of digital forensics, electronic discovery and cybercrime responses and supervises
data recovery engineers and digital forensics examiners in the performance of their jobs.
He holds a degree in Industrial Engineering from Berufsfachschule Kuenzelsau in Germany and an Associate’s
degree in computer programming and network administration from Florida Technical College. He is a Certified
Information Systems Security Professional (CISSP), a GIAC Certified Forensic Examiner (GCFE), a GIAC Certified
Forensic Analyst (GCFA), a Certified Hacking Investigator (CHFI), a Certified Ethical Hacker (CEH), a Certified
Computer Examiner (CCE), and a Certified Forensic Consultant (CFC). He is a member of the American College
of Forensic Examiners (ACFEI), the American Society of Digital Forensics and eDiscovery (ASDFED) and the
International Society of Forensic Examiners (ISFCE). Mr. von Ramin Mapp has provided trial and hearing
testimony on a number of occasions and has been admitted as an expert in federal and state court.
IV. Evidence Consideration
Data Analyzers collected data for forensic examination and analysis from desktop and laptop computers
used by PMA and Jervis employees or contractors between February 14th and February 21st, 2018.
1. Data Collection Jervis B. Webb Company (“Jervis”)
A total of eleven remote collections were performed from computer systems located in Novi,
Michigan. A list of individuals involved in the procurement project was provided by Mr. Michael J. Farley,
Sr. Vice President and General Counsel of DAIFUKU North American Holding Company. In addition, a list
of usernames and computer host names was provided by Mr. Ryan Jacobs, Security Analyst with
DAIFUKU North American Holding Company. This information assisted in cross-verifying that the data was
being collected from the correct custodians, computers and user profiles.
Custodian          Laptop or Desktop    Username   Computer Name
Todd Alderman      Laptop               Dtadler    D20036
Joe Emery          Laptop and Desktop   Djemery    D20437, D19224
Ken Hamel          Laptop               Dkhamel    D19349
Colin Oatley       Laptop               Dcoatle    D19911
Alex Wuchte        Laptop               Dawucht    D20180
Alan Daavettila    Laptop               Dadaave    D20180
Dave Daavettila    Desktop              Dddaave    D18697
Paul Lalinsky      Desktop              Dplalin    D18033
Brian Hoppe        Desktop              Dbhoppe    D20512
Andrew Grusnick    Laptop               Dagrusn    D20124
The objective was to perform a remote collection within the given time constraints and to limit the
collection to metadata and system files. This was the scope that was agreed upon by all parties’ counsels
due to concerns of security and trade secrets. A remote agent was pushed onto each device listed above
and a remote collection within the scope was executed.
2. Data Collection PMA Consultants, Inc. (“PMA”)
A data collection was performed on five out of six computer systems delivered to the premises of Data
Analyzers, LLC. Two laptop computers belonging to PMA, which had been utilized by Mr. Martin Ineichen
and Mr. Noel Alvarez, were delivered to the premises of Data Analyzers, LLC on February 16th 2018
by Broad and Cassel LLP.
In addition, two laptop computers belonging to GOAA, also utilized by Mr. Ineichen and Mr. Alvarez, were
delivered to the premises of Data Analyzers, LLC on February 20th 2018 by Broad and Cassel LLP.
The remaining two laptop systems were delivered via FedEx courier service on February 21st 2018.
Custodian         Laptop or Desktop   Computer Name      Model / Serial Number
Martin Ineichen   Laptop              LTMINEICHENT430    Lenovo T430 / PB-295Wd12/11
Noel Alvarez      Laptop              LTNAP50            Lenovo P50s / R9-0LJEDW16/09
Richard Johnson   Laptop              LTRJohnsonT450s    Lenovo T450s / PC07XSS 3 15/09
Martin Ineichen   Desktop             OAR7               HP / 2UA3330KGK
Noel Alvarez      Desktop             OAR38              HP / 2UA3190THW
The objective was to perform a collection within the given time constraints and to limit the collection to
metadata and system files. This was the scope that was agreed upon by all parties’ counsels due to
concerns of security and trade secrets. The hard drives were removed and connected to a write blocker,
after which metadata and system files were extracted.
Front side picture of the write blocker device utilized.
The Wiebetech write blocker, model Forensic UltraDock v4, UID 21-070185-B, was used during this
investigation.
Back side pictures of the write blocker device utilized
A Lenovo Laptop with the model number: X1 Carbon and serial number: PK-0PVFZ 13/08 assigned to Mr.
Robert Sanders was not processed and therefore no examination was conducted on it. This Laptop was
received on February 21st 2018 and contains an SSD drive with a proprietary PCI connector. While Data
Analyzers maintains a variety of proprietary SSD adapters, none that matched this particular interface
were available, and no immediate solution could be presented to process the metadata for this Laptop
within the targeted deadline due to the late delivery of the device.
Picture of proprietary SSD interface.
V. Data Analyzers Process and Procedures
Data Analyzers conducted its analysis of the procurement investigation pursuant to the protocol issued
by GOAA.
Data Analyzers searched and analyzed the PMA, Jervis and GOAA computer systems to identify only
documents, data, fragments and artifacts that reasonably appeared to be related to the BP-S00132
procurement and outlined in Exhibit A.
During the analysis, Data Analyzers employed a methodology tailored to the particular facts of this case.
Data Analyzers' methodology included:
1. Extracting all available metadata and system artifacts containing metadata.
2. Consolidating, parsing, and converting the metadata into a readable format.
3. Reducing the data to be searched and analyzed to the time frame from November 1st 2017 to
February 21st 2018.
4. Importing the metadata into a database and building a set of search queries for the names
and variations of the file names in Exhibit A.
5. Performing additional manual review of key metadata artifact areas to cross-verify results and
for proper due diligence.
6. Searching for the full name of each file as well as variations of the file names in Exhibit A, so
that renamed or converted copies would be captured. For example, the full name of the file
“Technical Proposal for DBOM Services for BP-S00132 BHS_archive.pdf” was used to perform an
exact search. A second search replaced the .pdf extension with an asterisk character (*), and a
third placed an asterisk at the beginning of the file name. The asterisk is a wildcard character
that stands for any unknown character or group of characters at that position in the search query.
Replacing the pdf extension with a wildcard therefore catches any other file extension, such as
Word documents (doc, docx), TIFF files and all other possible changed file formats.
7. In addition, a partial query for “Technical Proposal” as well as for “BP-S00132” was performed.
Thereafter, a search for any pdf files within the time frame was conducted and reviewed.
8. Furthermore, the timeline and event logs were inspected for any suspicious activities that could
relate to the documents in Exhibit A and/or the masking of such documents.
9. Registry artifacts that include most recently accessed documents, connected USB storage devices
and network connections were manually reviewed.
10. On any abnormalities encountered, the process was re-run and further manual examination was
performed.
Data Analyzers' methodology was designed to identify downloaded or accessed documents relevant to
Exhibit A. This methodology would, within reason, have identified any downloading, accessing or
transferring of the documents in question.
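The following is an added example, not the report's or Data Analyzers' tooling, showing how the search strategy of steps 3, 4, 6 and 7 can be applied to extracted metadata rows: an exact-name query, the two wildcard variants, the two partial queries, and a sweep of every PDF inside the review window. The record layout and all sample rows are constructed for illustration.

```python
"""Exhibit A file-name search over extracted metadata, as described in Section V.

Added example; this is not the report's or Data Analyzers' tooling. It builds the
exact, wildcard and partial queries the methodology describes, restricts hits to
the November 1st 2017 to February 21st 2018 review window, and runs them over a
handful of constructed metadata rows (the record layout and every row are made up).
"""
from dataclasses import dataclass
from datetime import datetime
import fnmatch

TARGET = "Technical Proposal for DBOM Services for BP-S00132 BHS_archive.pdf"
WINDOW_START = datetime(2017, 11, 1)
WINDOW_END = datetime(2018, 2, 21, 23, 59, 59)


@dataclass
class MetaRecord:
    """Constructed stand-in for one parsed row (MFT entry, browser download, ...)."""
    source: str
    file_name: str
    timestamp: datetime


def build_queries(full_name: str) -> dict:
    """The exact name plus the wildcard and partial variants from Section V."""
    stem = full_name.rpartition(".")[0]
    return {
        "exact": full_name,
        "any_extension": stem + ".*",         # .docx, .tif, .zip or other conversions
        "leading_wildcard": "*" + full_name,  # e.g. 'Copy of ...' or '(1) ...' prefixes
        "partial_title": "*Technical Proposal*",
        "partial_bid": "*BP-S00132*",
        "any_pdf_in_window": "*.pdf",         # every PDF in the window, for manual review
    }


def in_window(ts: datetime) -> bool:
    """Step 3 of the methodology: only records inside the review window count."""
    return WINDOW_START <= ts <= WINDOW_END


def search(records, queries):
    """Return {query_label: [matching file names]} for records inside the window.

    Both sides are lower-cased before matching, because NTFS file names are
    case-insensitive and a renamed copy may differ in case only.
    """
    hits = {label: [] for label in queries}
    for rec in records:
        if not in_window(rec.timestamp):
            continue
        for label, pattern in queries.items():
            if fnmatch.fnmatchcase(rec.file_name.lower(), pattern.lower()):
                hits[label].append(rec.file_name)
    return hits


# Constructed sample rows; none of these come from the examined systems.
SAMPLE_RECORDS = [
    MetaRecord("MFT", "Q4 Budget.xlsx", datetime(2017, 12, 14, 9, 2)),
    MetaRecord("MFT", "Technical Proposal for DBOM Services for BP-S00132 BHS_archive.docx",
               datetime(2017, 12, 14, 9, 5)),
    MetaRecord("Chrome", "Copy of Technical Proposal for DBOM Services for BP-S00132 BHS_archive.pdf",
               datetime(2018, 1, 9, 14, 30)),
    MetaRecord("MFT", "Invoice 2017-10.pdf", datetime(2017, 10, 3, 8, 0)),  # before the window
    MetaRecord("MFT", "bp-s00132 pricing notes.txt", datetime(2018, 2, 1, 11, 0)),
]

if __name__ == "__main__":
    for label, names in search(SAMPLE_RECORDS, build_queries(TARGET)).items():
        print(f"{label:18s} {len(names)} hit(s): {names}")
```

Run against the constructed rows, the exact query finds nothing while the wildcard and partial queries surface the renamed copy and the converted .docx, which is the reason the methodology does not stop at an exact match.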
VI. Additional Considerations
Given the limited time in which results had to be produced, Data Analyzers used its best judgement
to evaluate and implement the most efficient techniques for collection and analysis. Hence a remote
collection was favored for the computer systems located in Novi, Michigan, as it was more cost- and
time-effective than flying on site for the data collection.
In addition, due to privacy concerns of PMA and Jervis expressed by their respective counsel, a collection
of data from mobile phones was not performed.
VII. Investigation and Analysis
All modern Microsoft Windows computers, such as those examined during this investigation, have a
Master File Table (MFT). This table keeps track of the creation and modification of the files stored on the
computer system.
The MFT was examined on all computer systems discussed in the evidence consideration section of this
report. No MFT records showed the existence of any of the files in Exhibit A or any reasonable variations.
In addition to the MFT, the internet activity was examined on all computer systems. Each of the computer
systems had one or several of the following internet browsers installed: Google Chrome, Mozilla Firefox
and Microsoft Internet Explorer. The internet history and supplemental artifacts were examined, and no
records exist in the metadata and browser artifacts of the files in Exhibit A having been downloaded via
an internet browser.
The examinations of the Jervis desktop and laptop computer systems, as well as of the computer systems
assigned to Mr. Alvarez and Mr. Johnson, displayed regular and consistent user activity. MFT records,
internet activity and registry artifacts did not reveal any irregular activity or usage patterns. No
indication that any of the documents in Exhibit A had been accessed or downloaded could be found on
these systems.
Abnormalities discovered:
1. Mr. Ineichen’s PMA Laptop
Data Analyzers found very limited system activity from September 2017 to January 2018. This is rather
unusual and does not fit the pattern of normal computer usage. The MFT entry below, for example, shows
consistent activity until September 30th 2017. Thereafter, the MFT records become very inconsistent: with
the exception of four entries, we do not see any activity at all until January 12th and, thereafter, again
no activity until January 26th, at which point standard expected activities continue. To further elaborate,
usually a large quantity of MFT entries is seen every day, as not only user activity is logged but also
background activity performed by the system itself, such as program updates. Yet with the exception of
four entries, on October 16th, December 6th, January 2nd and January 5th, there is no activity logged in the
MFT until January 12th. After January 12th, there again is no activity logged until January 26th.
In addition, other system artifacts, such as the registry, also showed no activity during that time frame.
To further investigate, the event logs were examined. The Application, Security and System event logs
also showed no records during that time frame.
When examining the System event log in more detail, an entry can be seen for a change of system time.
This record is dated January 12th 2018 at 8:13:11 AM. Furthermore, the record shows that the system time
was changed from August 22nd 2017 to January 12th 2018. This is very unusual and is often used as an
anti-forensic technique to mask true system activity.
As displayed in the picture above, this entry on January 12th shows that the system time was changed so as
to cause an almost 5-month discrepancy from what was previously set as the system time. This time
discrepancy correlates with the missing activities in the metadata and is not something a user does
during normal computer operations.
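As an added example (not the report's or Data Analyzers' tooling), the two observations above can be tested mechanically: find stretches of the MFT timeline with no activity longer than a threshold, extract system-time-change records from the System event log, and report every quiet stretch that the old/new span of a clock change overlaps. Modelling the clock change as Event ID 1 from the Microsoft-Windows-Kernel-General provider is an assumption about the log layout, and all timestamps are constructed.

```python
"""Activity-gap and system-time-change check over a metadata timeline (Section VII).

Added example; this is not the report's or Data Analyzers' tooling. It mechanises
the two observations above: stretches with no MFT activity longer than a threshold,
and System event log records of a system time change whose old/new span overlaps
such a stretch. Modelling the time change as Event ID 1 from the
Microsoft-Windows-Kernel-General provider is an assumption about the log layout,
and every timestamp below is constructed.
"""
from datetime import datetime, timedelta

GAP_THRESHOLD = timedelta(days=10)  # a healthy system logs MFT changes every day


def activity_gaps(timestamps, threshold=GAP_THRESHOLD):
    """Return (start, end) pairs of consecutive timestamps further apart than threshold."""
    ordered = sorted(timestamps)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > threshold]


def time_change_events(events, provider="Microsoft-Windows-Kernel-General", event_id=1):
    """Pick system-time-change records out of (logged_at, provider, id, old, new)
    tuples and compute the size of each jump."""
    changes = []
    for logged_at, prov, eid, old_time, new_time in events:
        if prov == provider and eid == event_id:
            changes.append({"logged_at": logged_at, "old": old_time,
                            "new": new_time, "jump": new_time - old_time})
    return changes


def correlate(gaps, changes):
    """Pair each quiet stretch with any time change whose old/new span overlaps it.

    A clock moved forward by months across a period that is otherwise silent in
    the MFT is the pattern the report treats as an anti-forensic indicator."""
    findings = []
    for gap_start, gap_end in gaps:
        for ch in changes:
            lo, hi = sorted((ch["old"], ch["new"]))
            if lo <= gap_end and hi >= gap_start:
                findings.append({"gap": (gap_start, gap_end), "change": ch})
    return findings


# Constructed MFT timestamps: daily activity through September, four isolated
# entries, then activity resuming on January 12th and January 26th.
MFT_TIMES = (
    [datetime(2017, 9, d) for d in range(1, 31)]
    + [datetime(2017, 10, 16), datetime(2017, 12, 6), datetime(2018, 1, 2), datetime(2018, 1, 5)]
    + [datetime(2018, 1, 12, 9, 0), datetime(2018, 1, 26), datetime(2018, 1, 27)]
)

# Constructed System event log rows: one clock change, one unrelated service event.
SYSTEM_EVENTS = [
    (datetime(2018, 1, 12, 8, 13, 11), "Microsoft-Windows-Kernel-General", 1,
     datetime(2017, 8, 22, 8, 13, 11), datetime(2018, 1, 12, 8, 13, 11)),
    (datetime(2018, 1, 12, 8, 14, 0), "Service Control Manager", 7036, None, None),
]

if __name__ == "__main__":
    gaps = activity_gaps(MFT_TIMES)
    changes = time_change_events(SYSTEM_EVENTS)
    for f in correlate(gaps, changes):
        start, end = f["gap"]
        print(f"quiet {start:%Y-%m-%d} -> {end:%Y-%m-%d} overlaps clock jump of "
              f"{f['change']['jump'].days} days logged {f['change']['logged_at']:%Y-%m-%d %H:%M:%S}")
```

On the constructed data the 143-day clock jump overlaps the three quiet stretches before January 12th but not the one after it, so the later gap still needs a separate explanation.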
2. Mr. Ineichen’s GOAA computer
During the examination, unusual activity was discovered. Metadata revealed that on December 14th, 2017
a remote access session was established via TeamViewer, which is a remote access software application.
A forensic collection tool called FTK Imager was executed from a folder called “D4 Collection Tools
Package_11 8 16”. A large quantity of documents was collected from the computer via this software
and copied into a container file called “Martin Loose documents.ad1”. In addition, an encryption software
application called VeraCrypt was executed. This initially was a concern, as Data Analyzers had not been
informed of any forensic activity that occurred on the computer system, and could not immediately
determine whether this was an authorized or unauthorized access. After Data Analyzers spoke to Broad
and Cassel regarding this matter, they were able to obtain an affidavit from D4 LLC stating that this was
an authorized collection performed by them at the direction of GOAA. This satisfied the initial concerns
regarding this discovery. The affidavit explaining the data collection of D4 LLC from this computer is
attached as Appendix C to this report.
In addition, the examination of the internet activity showed that from Mr. Ineichen’s assigned computer
and from his user account the web address “goaa.account.box.com” was accessed. The user logged in to the
site and files were accessed. It does not, however, show a direct artifact indicating a download.
Furthermore, there is no MFT record entry nor any registry artifact that shows the file in Exhibit A as
having been downloaded. After having accessed files on the GOAA box account, the next user activity was
to log in to PMA’s web-based Outlook email portal, which was accessed via the following address:
https://owa.pmaconsultants.com. An export of the records is included as Exhibit C to this report.
VIII. Conclusion
Data Analyzers has not found any evidence that Jervis B. Webb has, or has had, possession of any
documents outlined in Exhibit A on the computer systems that Data Analyzers has examined. Neither
internet activity, system artifacts nor file system records revealed the access of such files.
Data Analyzers has found that computer records for the PMA computer system assigned to Mr. Ineichen have
been altered, most likely with the intent to conceal usage activity. Based on a metadata examination, Data
Analyzers has not found any records of the documents from Exhibit A stored on the computer systems
assigned to Mr. Ineichen, nor on any of the other computer systems that have been examined.
Data Analyzers would recommend an additional forensic examination and analysis that is not limited to
the metadata and system artifacts, to further investigate the record manipulation that occurred on Mr.
Ineichen’s assigned PMA Laptop. A forensic investigation with full unrestricted access to the computer
system would presumably uncover additional information that can assist in determining which actions
had been performed on the laptop.
Furthermore, Data Analyzers would recommend a supplementary investigation of Mr. Ineichen’s GOAA
assigned computer system, to determine why files downloaded from box.com could not be found on the
computer system. This additional forensic examination and analysis, which would not be limited to the
analysis of metadata and system artifacts, would assist in drawing a more substantial conclusion.
For the additional examination of either the GOAA desktop or the PMA laptop to be successful, access to the pdf documents in Exhibit A) as they exist on goaa.box.com would be crucial.
In addition, Data Analyzers would recommend providing additional time to examine the PMA Laptop
computer system assigned to Mr. Robert Sanders, which could not be processed due to it having a
proprietary interface and the limited time that was available.
I declare under penalty of perjury that the foregoing is true and correct.
Andrew von Ramin Mapp