
Exhibit 60 - Longarm Case Report Narrative - BPD


March 13, 2014

Page 1 of 4

Bellingham Police Department Longarm Case Report

12805349 ASSIST OTHER AGENCY Primary Author: GITTS, LES

Location: 505 GRAND AV

Incident Date: Feb 14, 2012 3:00PM

Date Reported: Feb 14, 2012 3:02PM

Press Summary:

BPD is assisting another agency with CSI processing.

HEADER Appvd: 145


12805349 ASSIST OTHER AGENCY

Investigator: Not assigned

ASSOCIATES

Primary Author: GITTS, LES Rpt date: Feb 14, 2012 3:02PM Appvd: 145

C1 ROSSMILLER, SCOTT A

Drivers:

Bus Address: 311 GRAND AV

Bus Phone: (360) 676-6650

Cell Phone:

DOB:

Lic. St:

Ethnicity: Unknown

R1 WHATCOM COUNTY SHERIFF'S OFFICE, 311 G DOB:

Drivers:

Res Address:

Bus Address: 311 GRAND AV

Res Phone:

Cell Phone:

Lic. St:

Bus Phone: (360) 676-6650

Ethnicity:

Age: Sex: M Race: W Ht: Wt:

Eyes: Hair:

City: Bellingham State: WA Zip: 98225

Age: Sex: Race: Ht: Wt:

Eyes: Hair:

City: State: WA Zip:

City: BELLINGHAM State: WA Zip: 98225


12805349 ASSIST OTHER AGENCY Primary Author: GITTS, LES Rpt date: Feb 14, 2012 3:02 PM

Investigator: Not assigned

NARRATIVE

Appvd: 145

On this date, I was contacted by Lt. SCOTT ROSSMILLER (C1) of the WHATCOM COUNTY SHERIFF'S OFFICE (R1), asking for assistance with some computer forensics work.

Lt. Rossmiller asked if we could assist them by "mirroring" data contained on a laptop hard drive onto a clean hard drive, which will be used for their forensics work. Lt. Rossmiller indicated they did not want us to view or extract any data on the target hard drive, just simply copy (mirror) the data onto the clean hard drive.

I took possession of the hard drives and noted the "target hard drive" was to be preserved for later latent fingerprint processing, so notations were made to protect this hard drive for this later processing. Both hard drives were placed in anti-static bags for data preservation and impounded for processing.


12805349 ASSIST OTHER AGENCY Primary Author: GITTS, LES Rpt date: Feb 14, 2012 3:02PM

Investigator: Not assigned

PROPERTY

Appvd: 145

Found / Seized

Article: Computer Hardware/Software

Description: Computer hard drive unit

Serial#: NECABTD00006 SK

Brand: TOUGHBOOK

Model: CF 29 L

Features: hard drive unit removed from Toughbook laptop computer

1st Color: Silver

Value:

Impounded: Feb 14, 2012 03:16PM

Notified:

Owner: WHATCOM COUNTY SHERIFF'S OFFI

Found / Seized

Article: Computer Hardware/Software

Description: computer hard drive unit

Serial #: NECABT000006 0 6A

Brand: TOUGHBOOK

Model: CF 29 L

Features: clean- working unit

1st Color: Silver

Value:

Impounded: Feb 14, 2012 03:16PM

Notified:

Owner: WHATCOM COUNTY SHERIFF'S OFFI


12805349 ASSIST OTHER AGENCY Follow-Up Author: MATSUDAIRA, SCOTT Rpt date: Feb 16, 2012 8:41 AM

Investigator: Not assigned

NARRATIVE

Appvd: 145

On this date (02/16/2012), I removed impound numbers 105180 and 105181 from out of evidence on the request of Evidence and Ide Gitts. I was asked to the contents from 105180 and restore them onto 105181.

Prior to removing 105181 from out of its evidence bag, I put on nitrile evidence gloves to handle the evidence. I then removed the hard drive from out of the evidence bag and found that it was a Hitachi HTS541 08 80GB IDE hard drive still in a Toughbook enclosure. I removed the hard drive from the Toughbook enclosure and attached it to a FireChief write blocking device. The hard drive was placed into a read/write bay of the FireChief and EnCase Forensic Edition software was initiated to forensically wipe the hard drive in preparation for receiving the forensic image of 105180. EnCase reported that the total number of sectors on this hard drive was 156,301,488. EnCase then forensically wiped the hard drive by replacing all readable bytes of data from the hard drive with a known hex value (00h). Once this was done, a checksum of the hard drive was performed to confirm that every readable byte was overwritten with the 00h hex value. When this process was complete, EnCase reported that the forensic wipe was successful. 156,301,488 total sectors were wiped with zero read, write, or verify errors. This hard drive was then set aside and will be referred to as "TARGET" from this point on.

With nitrile evidence gloves on, I then removed the hard drive from out of evidence box 105180 and found it to also be enclosed in the same type of Toughbook enclosure. I handled the enclosure by touching the corners as much as possible to prevent destroying any fingerprints that may have been on the enclosure. The hard drive was found to also be a Hitachi HTS541 08 80GB IDE hard drive. This hard drive was then removed from the enclosure and attached to an UltraBlock (Tableau) write blocking device that prevents any data from being written to, deleted from, or otherwise altered on the media attached to it. I then initiated a computer forensic program called FTK Imager (AccessData) and obtained an independent MD5 hash value of the hard drive, with which to compare to the acquisition MD5 hash value to ensure that a successful forensic image had been obtained. This hard drive will be referred to as "SOURCE" from this point on. FTK Imager reported that the SOURCE hard drive also had 156,301,488 total sectors.

When FTK Imager finished obtaining an independent MD5 hash for the SOURCE hard drive, it reported an MD5 hash value of 01e8-2145-b762-12fc-a439-68de-12f7-6220 with a sector count of 156,301,488 and zero bad sectors.

While the SOURCE hard drive was still attached to the UltraBlock write blocking device, FTK Imager was closed and another computer forensic program called EnCase (Guidance Software) was initiated. EnCase was then used to obtain a forensic image of the SOURCE hard drive. EnCase also reported the same number of sectors on the SOURCE hard drive and also listed the hard drive serial number as MPB4LAX6HK074G.

When EnCase completed its acquisition process, EnCase reported that zero errors had occurred and reported an acquisition MD5 hash value identical to what was reported during the independent MD5 hash process. This is an indication that EnCase successfully acquired a forensic image of the SOURCE hard drive. EnCase then verified the forensic image by obtaining yet another MD5 hash value of the data that was written (the actual forensic image) to verify that what was written was the same as what was read from the SOURCE hard drive. When this process was complete, EnCase reported a verification MD5 hash value identical to the independent and acquisition hashes.

With the SOURCE hard drive still attached to the UltraBlock write blocking device, I initiated another computer forensic program called WinHex (X-Ways Forensics) and obtained a post MD5 hash value of the SOURCE to verify that the data on the SOURCE had not been altered during the independent and acquisition processes. When this was complete, WinHex reported an identical MD5 hash value, indicating that the original SOURCE hard drive had not been altered.

While wearing nitrile gloves, I removed the SOURCE hard drive from the UltraBlock write blocking device and placed it back into the Toughbook enclosure. I then placed the SOURCE hard drive back into the evidence box that it came in and sealed the top.

I then took the TARGET hard drive that had previously been forensically wiped and attached it to a read/write bay that was located in a "FireChief" hard drive shuttle. The read/write bay allows for data to be read from and written to the media attached to it. Once the TARGET hard drive was attached to the read/write bay, I initiated EnCase and restored the forensic image onto the TARGET hard drive. This copies the data from the forensic image onto the TARGET hard drive in the same manner that it was read on the SOURCE hard drive. EnCase was also instructed to forensically wipe any remaining sectors on the TARGET hard drive; however, the number of sectors on the SOURCE hard drive and the number of sectors on the TARGET hard drive were the same, so there should not have been any "remaining sectors".

Upon completion of the restore process, EnCase reported that the restore was completed with zero read/write/verify errors and that the correct number of total sectors were restored (156,301,488). EnCase also reported a different restored MD5 hash value than what was reported from the original SOURCE hard drive (c0a9-812b-6915-26ac-edc2-c108-a0d6-608f). The cause for the different MD5 hash is not known at this time. A representative of the WCSO came to the Bellingham Police Department to retrieve 105180 and 105181 before I had a chance to determine the reason for the mismatched MD5 hash value or to start the restore process over.

The contents of the forensic image, 105180, and 105181 are unknown as they were not viewed at the request of the WCSO.


12805349 ASSIST OTHER AGENCY Follow-Up Author: MATSUDAIRA, SCOTT Rpt date: Feb 29, 2012 1:25 PM

Investigator: Not assigned

NARRATIVE

Appvd: 155

On this date at approximately 1151 hours, I received a phone call from Chief Inspector Steve Cooley of the Whatcom County Sheriff's Office regarding the restored hard drive that was created on 02/22/2012. Cooley stated that their IT department was not able to boot up the drive and asked if there was another way to view the contents. I told Cooley that I still had the original forensic image of the source hard drive and that I would be able to mount the image for him, allowing him to view the contents as if it were attached to my system. Cooley stated that would be fine and responded to my office. At 1211 hours, Cooley arrived and was led to my office.

I loaded the forensic image into EnCase Forensic Edition software and explained to Cooley the basics about how to navigate around the program to view the contents of the image. I then removed myself from the area and did not look at what Cooley was examining. While Cooley was looking at the contents of the forensic image, I was available in the area (other side of office or hallway) to answer questions about how to locate or view certain types of data. When Cooley was done, I closed EnCase without saving.

Cooley had the restored target drive with him and I was able to compare the contents of the forensic image and the restored hard drive. Upon doing so, it was found that at least the last few sectors of data on the forensic image did not copy over. Cooley and I discussed the possible reasons why this could have happened and it was decided that a different target hard drive would be brought to me so that the restore process could be attempted again.

Before leaving, the restored target hard drive was removed from my computer forensic system and given back to Cooley, who stated that he would return at a later date with a different target hard drive. I also advised Cooley that the new target hard drive had to have at least 156,301,488 total sectors and why. Cooley stated that he understood and would make sure that the person supplying him with the new target hard drive knew this as well.
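The verification chain the Feb 16 narrative describes (independent pre-hash, acquisition hash, image verification hash, post-hash of the source, then a hash of the restored target) and the sector-count requirement from the Feb 29 follow-up can be modelled end to end. The following is an added example written for this page; it is not code from the BPD report or from any of the vendor tools named in it. It stands in for the SOURCE and TARGET drives with in-memory byte arrays, uses MD5 because the report did, assumes a 512-byte sector (the report only gives sector counts), and constructs its own sample drive contents. The too-small target case reproduces the failure the examiner later found: the last sectors of the image never land on the target, the restored hash cannot match, and a sector-by-sector compare points at exactly where the copy stopped.

```python
"""Simulated acquire -> verify -> restore chain (added example, not BPD code).

SOURCE and TARGET are in-memory byte arrays standing in for the two drives.
MD5 is used because the report used it; the 512-byte sector is an assumption.
"""
import hashlib

SECTOR = 512  # assumed sector size; the report only gives sector counts


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def make_source(num_sectors: int) -> bytes:
    """Constructed sample drive contents: a deterministic non-zero pattern."""
    return bytes((i * 7 + 3) & 0xFF for i in range(num_sectors * SECTOR))


def forensic_wipe(num_sectors: int) -> bytearray:
    """Overwrite every byte with 00h, then verify the overwrite (the wipe step)."""
    drive = bytearray(num_sectors * SECTOR)
    if any(drive):
        raise RuntimeError("wipe verification failed: non-zero byte found")
    return drive


def acquire(source: bytes) -> dict:
    """Image SOURCE and record the four hashes of a verified acquisition.

    pre:    independent hash of the drive before imaging
    acq:    hash of the data as read during acquisition
    verify: hash of the image as written out, re-read from the image file
    post:   hash of the drive after imaging, showing it was not altered
    """
    pre = md5_hex(source)
    image = bytes(source)            # bit-for-bit copy taken behind a write blocker
    acq = md5_hex(image)
    verify = md5_hex(image)          # re-read of what was written to the image
    post = md5_hex(source)
    return {"image": image, "sectors": len(source) // SECTOR,
            "pre": pre, "acq": acq, "verify": verify, "post": post,
            "chain_ok": pre == acq == verify == post}


def restore(image: bytes, target: bytearray) -> dict:
    """Write the image onto TARGET, zero any sectors past the image, then hash
    the restored data and compare it with the image hash.

    If TARGET has fewer sectors than the image, the tail is silently lost and
    the restored hash cannot match: the failure mode the report ran into.
    """
    image_sectors = len(image) // SECTOR
    target_sectors = len(target) // SECTOR
    copied = min(image_sectors, target_sectors)
    target[: copied * SECTOR] = image[: copied * SECTOR]
    remaining = len(target) - copied * SECTOR
    if remaining:
        target[copied * SECTOR:] = bytes(remaining)   # "wipe remaining sectors"
    restored_md5 = md5_hex(bytes(target[: image_sectors * SECTOR]))
    return {"image_sectors": image_sectors, "target_sectors": target_sectors,
            "sectors_restored": copied, "restored_md5": restored_md5,
            "hash_matches": restored_md5 == md5_hex(image),
            "target_large_enough": target_sectors >= image_sectors}


def first_differing_sector(image: bytes, target: bytes):
    """Sector-by-sector comparison of a restored drive against its image.

    Returns the index of the first sector that differs (or is missing), or
    None when the target matches the image over the image's full length.
    """
    for n in range(len(image) // SECTOR):
        lo, hi = n * SECTOR, (n + 1) * SECTOR
        if target[lo:hi] != image[lo:hi]:
            return n
    return None


def run_demo() -> dict:
    """Acquire a 64-sector SOURCE, then restore to a same-size and a too-small TARGET."""
    acq = acquire(make_source(64))
    same_size = forensic_wipe(64)
    too_small = forensic_wipe(60)
    return {"acq": acq,
            "good": restore(acq["image"], same_size),
            "short": restore(acq["image"], too_small),
            "good_diff": first_differing_sector(acq["image"], same_size),
            "short_diff": first_differing_sector(acq["image"], too_small)}


if __name__ == "__main__":
    r = run_demo()
    print("acquisition chain ok:", r["acq"]["chain_ok"])
    print("same-size target: hash match =", r["good"]["hash_matches"])
    print("too-small target: hash match =", r["short"]["hash_matches"],
          "sectors restored =", r["short"]["sectors_restored"],
          "first differing sector =", r["short_diff"])
```

The point of checking `target_large_enough` before the restore rather than only comparing hashes afterwards is that a hash mismatch alone says nothing about cause; the sector-count check separates "the target was too small" from "the write itself went wrong", which is the distinction the examiner had to make before asking for a replacement target.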


12805349 ASSIST OTHER AGENCY Follow-Up Author: MATSUDAIRA, SCOTT Rpt date: Mar 5, 2012 2:30 PM

Investigator: Not assigned

NARRATIVE

Appvd: 145

Chief Inspector Cooley (Whatcom County Sheriff's Office) returned to the Bellingham Police Department with two Panasonic Toughbook laptop computers and asked if I would be able to try a restore again using one of the hard drives in the laptops that he brought in. Inspector Cooley brought two in case one didn't work. This was done based on a prior conversation we had during his last visit. Investigator Cooley also asked if it would be possible to locate encrypted data on the forensic image and attempt to bypass the security of that encrypted data in assistance for their investigation.

As Inspector Cooley was leaving my office, I realized that this hadn't been previously cleared with my immediate supervisor, so I notified Evidence and Identification Supervisor Gitts about the two Toughbook laptop computers and requested forensic work. I was instructed to place the two laptops into evidence for safe storage until the proper authorization could be obtained. I was advised not to initiate any work on this matter at this time.

Both laptops were impounded for safekeeping (105553 and 105554).


Investigator: Not assigned

12805349 ASSIST OTHER AGENCY PROPERTY

Follow-Up Author: MATSUDAIRA, SCOTT Rpt date: Mar 5, 2012 2:30 PM Appvd: 145

Found / Seized

Article: Computer Hardware/Software

Description: Panasonic Toughbook laptop

Serial #: 6AKSB05442

Brand: PANASONIC

Model: TOUGHBOOK CF-2

Features:

1st Color:

Value:

Impounded: Mar 05, 2012 02:36PM

Notified:

Owner: WHATCOM COUNTY SHERIFF'S OFFI

Found / Seized

Article: Computer Hardware/Software

Description: Panasonic Toughbook Laptop

Serial#: 5KKSA75561

Brand: PANASONIC

Model: TOUGHBOOK CF-29

Features:

1st Color:

Value:

Impounded: Mar 05, 2012 02:37 PM

Notified:

Owner: WHATCOM COUNTY SHERIFF'S OFFI


12805349 ASSIST OTHER AGENCY Follow-Up Author: MATSUDAIRA, SCOTT Rpt date: Mar 22, 2012 2:06 PM

Investigator: Not assigned

NARRATIVE

Appvd: 175

I received notification from Evidence and ID supervisor Gitts that authorization for the processing and restoration were approved.

On 03/22/2012, I attached a new HDD from out of one of the spare Toughbook laptop computers (impound 105553) to a MacBook Pro laptop computer that I use in my computer forensic lab. I then initiated a Linux operating system called Paladin that was specifically created for computer forensics by Sumuri and forensically wiped the HDD. This forensic wipe was verified by Paladin. The computer was then rebooted into Windows XP and another computer forensic program called EnCase (v4.22a) was initiated. The forensic image file associated with this case was loaded into EnCase and restored to the forensically wiped HDD. When EnCase had completed this restore, EnCase reported that the restored HDD had an MD5 hash value of 01e8-2145-b762-12fc-a439-68de-12f7-6220. This is an identical MD5 hash value to the one that was obtained when the forensic image was obtained, indicating that a successful restore had been accomplished. The restored HDD was then removed from the computer and re-inserted into the Toughbook protective sleeve and then placed back into the spare Toughbook laptop computer (impound 105553).

On Inspector Cooley's request, this spare laptop with the restored copy of the HDD was booted to ensure that it correctly booted into an operating system. When the login screen for Windows appeared, I shut the laptop down and placed it back into evidence. I also placed the second Toughbook laptop into evidence (impound 105554) as it would not be needed. I then called Inspector Cooley on his cell phone and left a message for him advising him of the successful restore. I also told Inspector Cooley that the laptop with the restored HDD was impound number 105553.

Inspector's second request for the examination of the forensic image for encrypted data and possible decryption of same will have to be done at a later date due to other priority examinations in the queue.


Incident History for: BP12006950 Case Number: 12B05349

Entered: Feb 14,2012 Dispatched:

En route: On scene:

Closed: Feb 14,2012

Bellingham Police Department CAD Report

3:11:00PM Incident Op ID:

Dispatch Op ID:

3:11:00PM

927

Initial Type: CNBP Disposition:

Final Type: 900

Police Block:

Location: 505 GRAND AV

Name: 145 Address:

Phone:

Time Operator Type

3:11:14PM 927 3:11:14PM 927

ASNCAS ADVISD

Unit Text

$BP12005349 D/73 T/511

Officer:


Computer Forensic Examination Case Log 11 8

Date I Time Action


Detective Scott Matsudaira #164 Page __ of __

Computer Forensic Examination Case Log 11 8

Date I Time Action


Detective Scott Matsudaira #164 Page __ of __