
ITC597 – Assignment 3
Signed: Witnessed:
REPORT ON THE EXAMINATION OF A SAMSUNG NC10
NETBOOK COMPUTER (EXHIBIT 1234567/001)
BY
Phillip MAGNESS
BA, BA (Police Studies), Dip. Policing, Grad.Dip.Computing
A+, N+, CCE
Senior Computer Forensic Examiner
Police Computer Forensic Team
CONTENTS PAGE(S)
1. Scope 2
2. Summary of Findings 2-3
3. Custody of Exhibit 3
4. Assumptions and Limitations 3
5. Processes and Techniques 4
6. Acquisition of Exhibit 1234567/001 4-6
7. Analysis of Exhibit 1234567/001 6-7
Appendix 1-8 8-29
CASE REFERENCE: ITC597
DATE OF PRODUCTION: 18 April 2012

1. SCOPE
The scope of the examination that I conducted was based on the following Forensic Support Request
which was submitted by Constable James SMITH:
Request Details:
Please examine 1 x Samsung NC10 laptop computer (exhibit 1234567/001) for evidence of the importation
of cocaine. The suspect, known as “Billy Boy”, is alleged to have organised the import of two parcels of
cocaine from China via EMS. The EMS Tracking references are: “E402233111CN” and
“EE402233222CN”.
In addition to the EMS Tracking numbers, the following keywords may be of assistance:
“cocaine”, “EMS Tracking”, “Australia Post”, “drugs”, “customs”, “Billy Boy” and any other related
items.
The laptop was seized on 03 April 2010 at 02:00am during a search warrant on the suspect’s premises.
Request Objectives:
Provision of a forensic report providing details of the examination of the computer and any results identified.
2. SUMMARY OF FINDINGS
The examination of the forensic image of exhibit 1234567/001 identified the following summary
information in relation to the exhibit. A more detailed description of these results is provided in sections 6
and 7 of this report and the attached Appendices.
- The exhibit was a Samsung NC10 netbook computer which bore serial number “ZJ1123ZZ01644E”;
- The computer had an LCD screen which was visibly damaged. Only content on the right hand side of the screen could be viewed. The full screen content could be viewed if the computer was connected to an external monitor;
- The computer contained a single hard disk drive;
- The Microsoft Windows XP operating system was installed on the exhibit. The recorded installation date was 30 September 2010. The Registered Owner was recorded as “Billy_Boy”. The Computer Name was recorded as “BILLYSBOOK”;
- Two active, local user accounts titled “Billy” and “Benny” were present;
- The user account “Billy” required a password to access the account content. It had a last recorded logon of 02 Apr 2012 16:47:17 (UTC +1000);
- The user account “Benny” did not require a password to access the account content. It had a last recorded logon of 09 Dec 2010 11:57:19 (UTC +1000);
- Evidential material was only identified within the user account “Billy”;
- The setting on the internal computer clock was, at the time of examination, within 15 seconds of the correct time. This time bias needs to be considered when reviewing time and date stamps within this report;
- A file titled “m.dll” was identified on the Desktop of the “Billy” user account. This file had an incorrect file extension. When the correct file extension was applied, the two suspected EMS tracking numbers that are the subject of the investigation were identified. Evidence was identified that a user of the “Billy” user account had accessed the file on 01 April 2012;
- Two Australia Post web pages were recovered containing Tracking Information for the two suspected EMS tracking numbers that were subject to the Scope in this matter. The date and time of access to the web pages was recorded as occurring within two hours of search warrant execution;
Case Ref: ITC597 Page 2 of 29
Signed:________________________________ Witnessed:_______________________________

- Google Chrome data records were recovered indicating the entry of the suspected EMS tracking numbers and financial transfers into an online form/database;
- A quantity of Google search terms and internet history records were recovered which contain search terms that may be relevant to the investigation. These include, but are not limited to: “where do I get cocaine from”, “importing cocaine”, “ems tracking” and “ems says handed over to customs”;
- Backup files for an Apple iPhone with the recorded mobile phone number of “+61 401 222 333” were present. SMS content was recovered which may be of relevance to the investigation;
- A record of an SMS message recorded with the Optus Wireless Broadband service was recovered with content that may be of relevance to the investigation;
- Two electronic mail (e-mail) records were recovered with content that may be of relevance to the investigation; and
- Facebook chat messages were recovered with content that may be of relevance to the investigation.
3. CUSTODY OF EXHIBIT
About 10:27am on 03 April 2012, I received possession of the following exhibit from Constable James
SMITH at the Police Computer Forensic Office, 1 Commonwealth Avenue, Melbourne.

Exhibit No.: 1234567/001
Exhibit Details: 1 x Samsung NC10 netbook computer, bearing serial number “ZJ1123ZZ01644E”, contained within sealed audit bag number PR555111.

About 10:27am on 05 April 2012, I returned exhibit 1234567/001 to Constable SMITH at the Police
Computer Forensic Office.
The transfer process was electronically recorded on the Police Laboratory Management Information
System. A copy of the Internal Chain of Custody report from this system is attached as
Appendix 1.
For the period that the exhibit was in my custody, it was secured in my possession or in the Police
Computer Forensic Office, 1 Commonwealth Avenue, Melbourne, where it remained under my control.
The Police Computer Forensic laboratory is a secure area that only allows access to authorised Police
personnel.
4. ASSUMPTIONS AND LIMITATIONS
The findings of this report are based on the following assumptions:
- All proper exhibit handling techniques have been adhered to;
- All items were operable at the time of seizure and all relevant exhibits have been submitted for examination;
- The contents of this report are determined by the aforementioned objectives and so should not be considered to include all data and information that may be contained on the exhibits; and
- Due to the quantity of information stored on computer storage devices, it is not feasible to report on every aspect of every file and piece of information stored. It is assumed that following presentation of this report, if any issues are raised that require further explanation or examination they will be communicated to the author of this report so that they can be appropriately dealt with and a supplementary report or other information provided as necessary.

5. PROCESSES AND TECHNIQUES
An explanation of the processes and techniques used for the general examination of computers and other
electronic devices is provided in:
Appendix 2 – Processes and Techniques – Computers and Other Electronic Storage Media
6. ACQUISITION OF EXHIBIT 1234567/001
6.1 Physical Exhibit Item
The examination of the exhibit commenced about 10:30am on 03 April 2012. The exhibit
appeared to have the following properties:

Make: Samsung
Model: NC10
Serial Number: ZJ1123ZZ01644E
Colour: Black
Notable Features: The computer was in a worn condition. The LCD screen was significantly damaged.
Peripherals: A power supply was included in the sealed audit bag in which the computer was received.

I located and removed the hard disk drive from within the computer. The hard disk drive had the
following features:

Make: Western Digital
Model: WD1600BEVT-3ETCO
Serial Number: WXHOA1234567
Capacity: 160 Gigabytes

The following photographs were taken of the exhibit:
[Photograph: Exhibit as received]
[Photograph: Samsung NC10 netbook computer – front view]
[Photograph: Samsung NC10 netbook computer – rear view]
[Photograph: Samsung NC10 netbook computer – open view]

The LCD of the netbook computer was visibly damaged, as displayed in the following
photograph. Data displayed on the left hand side of the screen could not be viewed by a user of
the computer. The full content could be viewed if the netbook computer was connected to an
external monitor with a cable.
[Photograph: Samsung NC10 netbook computer – damaged screen]
6.2 Data Acquisition
The acquisition of the available content of the hard disk drive was conducted using a Police
acquisition computer with the following specifications:
Dell Precision T7500
Intel Xeon 2.53GHz
48.0GB system memory
Windows 7 Enterprise (64-bit), Service Pack 1
Prior to the acquisition, the Police examination computer had been rebuilt to a new Standard
Operating Environment.
The hard disk drive was connected to a Tableau T35i write blocking forensic bridge. This is a
device which allows for data to be read or copied from an attached hard disk drive, whilst at the
same time preventing data from being written to the drive. A Police On-Use diagnostic check was
conducted using a known data set to ensure that the write blocking forensic bridge was operating
correctly.
The acquisition of the hard disk drive was conducted using EnCase v6.18.1.3.
The acquisition of the available contents of the hard disk drive was saved in image file format
with the file name “1234567/001_Samsung_Netbook.E01”. The image files were saved to a
Western Digital ITB hard disk drive bearing serial number “WCATR7019999”.
The Western Digital hard disk drive was newly purchased and had been electronically wiped
prior to use. The Western Digital hard disk drive was allocated with exhibit number
“1234567/001-MASTER” and was sealed in Police sealed audit bag number B422233. This was
subsequently lodged in the Police Drug and Property Registry at about 4:00pm on 03 April 2012.

During the acquisition, a verification process was undertaken to ensure that the acquired forensic
image was a bit-for-bit copy of all available data from the original hard disk drive. The
verification process uses the Message Digest 5 (MD5)[1] algorithmic calculation. The following
verification results were identified:

MD5 of original media: 71CFE34538B276C6921C3C7XX0123456
MD5 of forensic image: 71CFE34538B276C6921C3C7XX0123456

A copy of the forensic image was placed on the Police Computer Forensic network to be used as
a working image. I re-verified the integrity of the forensic image and confirmed that the MD5
was the same as the original.
7. ANALYSIS OF EXHIBIT 1234567/001
All analysis was conducted on a working copy of the forensic image file which had been saved to the
Police Computer Forensic network. This forensic copy is used to conduct computer forensic analysis.
This analysis is not undertaken until the integrity of the forensic copy is verified to ensure that no data
had changed from the time of acquisition.
Analysis of the forensic image of the hard disk drive identified evidential material which is attached
in the following appendices:
Appendix 3 – System Overview
Appendix 4 – Suspected EMS Tracking Numbers and Internet History
Appendix 5 – iPhone Backup Records
Appendix 6 – Optus SMS Messages
Appendix 7 – Electronic Mail
Appendix 8 – Facebook Messages
[1] The Message-Digest Algorithm 5 (MD5) is a 128-bit hash value commonly used within the forensic community to
assure that data has not been altered. A function such as the MD5 algorithm takes a string of data of any length as
input and produces a fixed length string (of 128 bits) as output. This output is known as the hash value. If two
strings have different MD5 hash values, then the strings differ by at least one bit. In this way a change in the MD5
of a file identifies that the data contained in the file has changed.

Appendix 1
Internal Chain of Custody Report – Exhibit 1234567/001
Samsung NC10 Laptop Computer
The following is a copy of the Internal Chain of Custody Report for the transfer of the Samsung NC10 Laptop
Computer in relation to this matter.

Appendix 2
Processes and Techniques
Computers and Other Electronic Storage Media
The physical characteristics of computers and electronic storage media are recorded through photographs and
observations. Depending on the type of device or media and the information contained on that exhibit, manual or
various electronic solutions may be employed to obtain that information.
Where required, storage devices such as hard disk drives are removed from computers for examination. Where this
occurs, observations of the storage devices (such as model and serial number details) are photographed and
recorded.
The contents of exhibits are extracted using commercially available software specifically designed for the forensic
acquisition of data from electronic storage media. This software is used in conjunction with write blocking
hardware and/or software which allows for data to be read and copied from a device, while preventing data from
being written to the device.
All forensic copies of exhibits are subject to a verification process to ensure that the forensic copy is a bit-for-bit
copy of all available data from the original device. This forensic copy is used to conduct computer forensic
analysis. This analysis is not undertaken until the integrity of the forensic copy is verified to ensure that no data had
changed from the time of acquisition.
Where a true bit-for-bit copy cannot be undertaken (where an exhibit is partially damaged, for example), then
details of this will be explicitly mentioned within the contents of the report.
During the course of examinations, forensic copies of data are made available to Police member(s) involved in the
investigation of the matter. These member(s) identify items of evidential interest to the investigation through a
process known as “bookmarking”. As part of the examination process, I have presented and, where required,
interpreted this bookmarked data within this report.

Appendix 3
System Overview – Exhibit 1234567/001
Samsung NC10 Netbook Computer
3.1 Operating System Details
The following operating system information was extracted from the Registry for the installed Windows
operating system:

| Registry Field | Data | Examiner Comment |
| --- | --- | --- |
| Registered Owner | Billy_Boy | Data field containing user inputted data. |
| Registered Organization | [blank] | (optional) Data field containing user inputted data. |
| ProductID | 76477-OEM-22CAD-Q99H-D8G2M | A Microsoft generated identifier for an operating system environment. |
| Product Key | XVX11-22QWH-P11TT-C7R1C-48HTR | A Microsoft generated identifier to unlock a Microsoft Windows version. This is akin to a serial number. |
| CurrentVersion | 5.1 | A Microsoft generated identifier for an operating system environment. |
| CSDVersion | Service Pack 3 | A Microsoft generated identifier for an operating system environment. |
| ProductName | Microsoft Windows XP | The name of the installed operating system. |
| InstallDate | 30 Sep 2010, 09:50:30 (UTC) | The date and time of installation, recorded using the computer’s system clock. |
| Computer Name | BILLYSBOOK | Data field containing user inputted data. |
| Last Shutdown Time | 02 Apr 2012 06:05 (UTC) | The date and time in which Windows last recorded a successful shutdown. |
| ShutdownCount | 220 | A count of instances in which Windows recorded a successful shutdown. |

 

3.2 System Users
Two active, local user accounts were located on the exhibit, as follows:

 

| Account Name | Account Type | Password Protected? | Password | Last recorded logon date/time |
| --- | --- | --- | --- | --- |
| Billy | Administrator[1] | Yes | suSp3ct | 02 Apr 2012 16:47:17 (UTC +1000)[2] |
| Benny | Administrator | No | N/A | 09 Dec 2010 11:57:19 (UTC +1000) |

[1] An Administrator account allows a user to change security settings, install software and hardware, and access all files on the
computer. Administrators can also make changes to other user accounts.
[2] UTC is an acronym for Universal Time Coordinate and is the same as Greenwich Mean Time (GMT).
3.3 Logical Hard Drive Structure
One hard disk drive was located inside the exhibit. This drive contained three partitions[3], as follows:

| Volume label | Volume Name | File System | Total Capacity | Allocated data[4] | Unallocated data[5] |
| --- | --- | --- | --- | --- | --- |
| | RECOVERY | NTFS | 6GB | 4.1GB | 1.9GB |
| C | Local Disk | NTFS | 71GB | 22GB | 49GB |
| W | Working | NTFS | 72GB | 123.8MB | 71.9GB |

The RECOVERY partition is a hidden system partition which is used for data recovery purposes.
The “C” partition contained the Windows operating system. All evidential material was located within this
partition.
The “W” partition did not contain an installed operating system. It appeared to be used for user data
storage.
3.4 Time and Date Settings
Time and date stamps that are recorded in the file system are dependent upon the time and date settings of
the device being used. For example, in the case of a personal computer, the operating system uses the time
and date setting of the computer as the reference for a time and date stamp. The device time and date
setting can be set and changed by a user of the computer. Additionally, the computer’s time and date can
also be set to routinely synchronise with a validated external time server.
At the time of examination, the Windows Date and Time setting for each user account was configured with
a time zone of “(UTC+10:00) Canberra, Melbourne, Sydney” and was set to automatically adjust for
daylight savings time.
The setting of the computer’s system clock was compared to a reference time source as follows:

| | Date | Time (HH:MM:SS) | Time Zone |
| --- | --- | --- | --- |
| Exhibit Date/Time | 03 Apr 2012 | 11:05:15 | AEDT |
| Actual Date/Time | 03 Apr 2012 | 11:05:00 | AEDT |
| Exhibit Clock Bias | 0days +0hours, 0mins, 15secs | | |

The exhibit clock bias of 15 seconds from the actual date and time should be taken into consideration when
examining time and date stamps on files that are listed within this report.
At the time of examination, the Windows Date and Time setting for each user account was configured to
automatically synchronise with the Internet time server “time.nist.gov”. This setting ensures that, when
connected to the Internet, the time on the computer is intermittently synchronised with a validated external
clock.

[3] A partition is a portion of a single physical hard disk which functions logically as a separate physical disk (hence they are
commonly referred to as volumes or drives).
[4] Allocated data is considered to be data that is available for use by an operating system or a user. A common example is a
saved file.
[5] Unallocated data is considered to be data that is not in use by the operating system or user. Data can become unallocated as a
result of data deletion or drive reformatting. The data will remain present on the hard disk drive until it has been overwritten. It
may contain remnants of previous files (in whole or in part) that may be recovered using forensic software.

Appendix 4
Suspected EMS Tracking Numbers and Internet History
Exhibit 1234567/001 – Samsung NC10 Netbook Computer
Within the following Appendix, it should be noted that the times and dates reference those recorded by the
Windows operating system using the Samsung netbook computer’s internal system clock.

4.1 Suspected EMS Tracking ID Numbers – File “m.dll”
A file titled “m.dll” was located on the Desktop for the user account “Billy”. This file appeared as follows:[1]

The file had the following properties, as recorded by the Windows operating system:

File Name: m.dll
File Location: C:\Documents and Settings\Billy\Desktop
MD5 Hash: 995140b766a8d7c135cd009fa378a80f
File Creation: 27/Mar/12 23:42:47 (UTC[2] +1100)
Last Written: 01/Apr/12 05:36:40 (UTC +1000)
Is Deleted? No

The file had the file extension “.dll”. This extension is used as part of the Microsoft Dynamic Link Library
system of files. If a user were to double-click the file, the following message would appear:
[1] This file is presented through a re-creation of the exhibit, using virtualisation software.
[2] UTC is an acronym for Universal Time Coordinate and is identical to Greenwich Mean Time (GMT).
The analysis identified that the file had the signature for a Microsoft Office Word Document embedded
within the file content. The “Author” of the document was recorded as “Billy”. The embedded signature
and Author information is highlighted below:
The following methods would allow for a user of the computer to access the contents of “m.dll” using
Microsoft Word which was installed on the exhibit:
(1) Right click the file and select Open With | Microsoft Office Word.
(2) Launch Microsoft Word. Open the file “m.dll” from within Microsoft Word.
(3) Rename “m.dll” to “m.doc”. The file could be opened by double-clicking the file.
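
The signature check described above, written out as an added example (it is not part of the original report and not the examiner's tooling). It identifies a file from its leading bytes and flags names whose extension disagrees with the content, such as a Word document carrying a “.dll” extension; the sample files are constructed in memory and all function names are illustrative.

```python
import struct
from pathlib import PureWindowsPath

# OLE2 compound file signature used by legacy Word/Excel/PowerPoint files.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Word binary documents contain a stream named "WordDocument"; OLE2 directory
# entries store stream names as UTF-16LE, so search for that encoding.
WORD_STREAM = "WordDocument".encode("utf-16-le")

# Content types each extension is expected to carry (illustrative subset).
EXPECTED_BY_EXT = {
    ".dll": {"pe"}, ".exe": {"pe"},
    ".doc": {"ole2-word"}, ".xls": {"ole2"},
    ".docx": {"zip"}, ".pdf": {"pdf"},
}


def is_pe(data: bytes) -> bool:
    """True only if the DOS header's e_lfanew field points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_type(data: bytes) -> str:
    """Classify content by signature, ignoring the file name entirely."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-word" if WORD_STREAM in data else "ole2"
    if is_pe(data):
        return "pe"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "unknown"


def check_file(name: str, data: bytes) -> dict:
    """Compare the extension's expected content type with the detected one."""
    ext = PureWindowsPath(name).suffix.lower()
    detected = detect_type(data)
    expected = EXPECTED_BY_EXT.get(ext)
    mismatch = expected is not None and detected not in expected
    return {"name": name, "extension": ext, "detected": detected, "mismatch": mismatch}


def find_mismatches(files):
    """Return the check results for files whose extension and content disagree."""
    return [r for r in (check_file(n, d) for n, d in files) if r["mismatch"]]


def sample_word_doc() -> bytes:
    # Constructed sample: OLE2 magic, zero-filled 512-byte header, then a
    # directory entry name. Not a complete, openable document.
    header = OLE2_MAGIC + bytes(512 - len(OLE2_MAGIC))
    return header + WORD_STREAM + bytes(100)


def sample_pe() -> bytes:
    # Constructed sample: minimal DOS header whose e_lfanew points at "PE\0\0".
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + bytes(20)


# Constructed file set: only the first entry has a misleading extension.
SAMPLES = [
    ("m.dll", sample_word_doc()),
    ("genuine.dll", sample_pe()),
    ("m.doc", sample_word_doc()),
    ("report.pdf", b"%PDF-1.4\n"),
]

if __name__ == "__main__":
    for result in find_mismatches(SAMPLES):
        print(f"{result['name']}: extension {result['extension']} "
              f"but content is {result['detected']}")
```
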
If the file was opened with Microsoft Word, the following information would be presented:
4.2 Recent File Analysis – Suspected EMS Tracking ID Numbers – File “m.dll”
The Microsoft Windows XP operating system maintains a directory called “Recent” where it places links
to files (“link files”) as a user opens them. Files in the Recent directory indicate files that the user most
recently used.[3] Link files exist in a number of places on a computer, including the “My Recent Documents”
directory. This enables the user to quickly access documents that were most recently opened.
When user profiles are used, a separate “Recent” directory is created for each user under the user’s profile
directory. This enables different users to see only those links that were created by the user of that profile. In
some cases the act of opening files will not place a link in the Recent directory, so the contents of this
directory should not be interpreted as a list of all the recently used files.
The content of the Recent directory for the user account “Billy” was located in the file path “C:\Documents
and Settings\Billy\Recent”. The file “m.doc” was identified as follows:

| Link file Name | Linked To File | Date Created |
| --- | --- | --- |
| m.lnk | C:\Documents and Settings\Billy\Desktop\m.doc | 01 April 2012 05:35:00 (UTC+1000) |

The presence of this link file indicates that a user of the “Billy” user account accessed a file titled “m.doc”
on 01 Apr 2012 at 05:35:00 (UTC+1000). With the presence of the file “m.doc” on the user’s desktop, and
the close proximity in date and time information, it is therefore suspected that a user of the computer
renamed the file “m.dll” to “m.doc”, which would allow the contents to be viewed.
4.3 Suspected EMS Tracking ID Numbers – Google Chrome – User Account “Billy”
The analysis identified the files in sub-sections 4.3.1 to 4.3.2 which are consistent with the entry of the
suspected EMS tracking ID numbers using the Google Chrome web browser.
Google Chrome version 11.0.696.68 was an installed web browser for the user account “Billy”. The web
browser was accessible from a shortcut on the Desktop or from within the Windows Start Menu.
The date and time of file creation indicates the date and time in which a user was recorded as accessing
each webpage.
4.3.1

File Name: f_00001a
File Location: C:\Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00001a
MD5 Hash: 7212f79e75d55b0a451d2f14add89dd9
File Creation: 03/Apr/12 00:40:31 (UTC+1000)
[3] Source: www.support.microsoft.com/kb/307875 as at 14 April 2012
4.3.2

File Name: f_0000d5
File Location: C:\Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_0000d5
MD5 Hash: 14818491c3168624403e1af6d7b93a7d
File Creation: 03/Apr/12 00:44:10 (UTC+1000)
The following web page has been truncated to only show the Tracking Summary. The title “Australia Post –
Track my item” and the content before the Tracking summary is the same as is shown in item 4.3.1.
4.4 Google Chrome Web Data Records – User account “Billy”
The Google Chrome browser maintains a record of values which have been entered into input fields
in online forms and other text boxes. Common examples of this are form boxes on websites that require the
entry of a name, address, date of birth, reference numbers and so forth.
Google Chrome records this information within the file titled “Web Data” which was located on the exhibit
for the user account “Billy” in the file location of: “Documents and Settings\Billy\Local Settings\
Application Data\Google\Chrome\User Data\Default”.
The suspected EMS tracking numbers in this sub-section were entered into a field titled “number” on a
webpage. The associated website that the below entries relate to is not recorded by the Google Chrome
browser.
At the time of reporting, the website of www.ems-tracking.net uses the Hyper Text Markup
Language (HTML) text of “number” as the Input Field Value for the suspected EMS tracking numbers. It
should be noted however, that the use of “number” may also be used by other webpages and the below
should not be taken as confirmation that the EMS website was used.

| Input Field Name | Input Field Value | Date(s) of Entry |
| --- | --- | --- |
| number | EE402233111CN | 30 March 2012 08:59:04 (UTC +1000) |
| | | 31 March 2012 06:29:10 (UTC +1000) |
| | | 01 April 2012 10:33:47 (UTC+1100) |
| | | 02 April 2012 02:44:55 (UTC+1100) |
| | | 03 April 2012 07:00:09 (UTC+1100) |
| number | EE402233222CN | 30 March 2012 10:55:54 (UTC+1000) |
| | | 03 April 2012 07:01:10 (UTC+1100) |

The Google Chrome web browser recorded the following Input Field Names and Input Field Values that
may be relevant to the investigation. The associated websites that these relate to are not available:

| Input Field Name | Input Field Value | Date(s) of Entry (UTC+0000) |
| --- | --- | --- |
| FINANCIAL_TRANSACTION_TRANSFER_DETAILS_PO[0].TRANSACTION_AMOUNT | 20000 | 27 March 2012 00:56:47 (UTC+1000) |
| FINANCIAL_TRANSACTION_TRANSFER_DETAILS_PO[0].TRANSACTION_AMOUNT | 10000 | 27 March 2012 01:15:47 (UTC+1000) |
| shipping_addressee_name | Billy Boy | 27 March 2012 01:15:47 (UTC+1000) |
| | | 27 March 2012 00:56:47 (UTC+1000) |
| q[4] | item customs | 03 April 2012 01:07:14 (UTC+1100) |
| | cust5oms | 03 April 2012 01:07:25 (UTC+1100) |
| | customs | 03 April 2012 01:07:32 (UTC+1100) |

[4] “q” is commonly used for a search input box for search engines such as Google or Bing, in which “q” represents “query”.
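
An added example (not from the original report or any tool it names) of how entries like those tabulated above can be pulled from a working copy of the “Web Data” SQLite file without modifying it. The `autofill`/`autofill_dates` schema and the Unix-second timestamps are assumptions about Chrome builds of this period, the function names are illustrative, and the sample rows are constructed from values shown in this section.

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed legacy schema: field/value pairs in `autofill`, one row per entry
# time in `autofill_dates`, with date_created stored as Unix seconds.
SCHEMA = """
CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR,
                       pair_id INTEGER PRIMARY KEY, count INTEGER DEFAULT 1);
CREATE TABLE autofill_dates (pair_id INTEGER DEFAULT 0,
                             date_created INTEGER DEFAULT 0);
"""


def epoch(y, mo, d, h, mi, s, offset_hours):
    """Unix seconds for a wall-clock time recorded at a fixed UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return int(datetime(y, mo, d, h, mi, s, tzinfo=tz).timestamp())


SAMPLE_ROWS = [  # constructed; values and offsets copied from the tables above
    ("number", "EE402233111CN",
     [epoch(2012, 3, 30, 8, 59, 4, 10), epoch(2012, 4, 3, 7, 0, 9, 11)]),
    ("number", "EE402233222CN", [epoch(2012, 3, 30, 10, 55, 54, 10)]),
    ("shipping_addressee_name", "Billy Boy", [epoch(2012, 3, 27, 1, 15, 47, 10)]),
    ("email", "someone@example.com", [epoch(2012, 3, 1, 9, 0, 0, 10)]),  # filler
]


def build_sample_db(path):
    """Write the constructed rows into a new SQLite file at `path`."""
    con = sqlite3.connect(str(path))
    con.executescript(SCHEMA)
    for pair_id, (name, value, stamps) in enumerate(SAMPLE_ROWS, start=1):
        con.execute(
            "INSERT INTO autofill (name, value, value_lower, pair_id, count) "
            "VALUES (?, ?, ?, ?, ?)",
            (name, value, value.lower(), pair_id, len(stamps)))
        con.executemany("INSERT INTO autofill_dates VALUES (?, ?)",
                        [(pair_id, s) for s in stamps])
    con.commit()
    con.close()


def autofill_hits(db_path, keywords):
    """Map (field name, value) -> list of UTC ISO timestamps for keyword matches."""
    # mode=ro refuses writes; immutable=1 tells SQLite the file cannot change,
    # so it takes no locks and creates no journal files beside the working copy.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT a.name, a.value, d.date_created "
            "FROM autofill a JOIN autofill_dates d ON d.pair_id = a.pair_id "
            "ORDER BY a.pair_id, d.date_created").fetchall()
    finally:
        con.close()
    needles = [k.lower() for k in keywords]
    hits = {}
    for name, value, created in rows:
        if any(n in value.lower() for n in needles):
            stamp = datetime.fromtimestamp(created, tz=timezone.utc).isoformat()
            hits.setdefault((name, value), []).append(stamp)
    return hits


def demo():
    """Build the constructed database in a temp directory and search it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "Web Data"
        build_sample_db(db)
        return autofill_hits(db, ["EE402233", "Billy Boy", "cocaine"])


if __name__ == "__main__":
    for (name, value), stamps in demo().items():
        print(name, value, stamps)
```

Timestamps are returned in UTC so that entries recorded under different local offsets can be ordered on one timeline before being converted for presentation.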
4.5 Google Search Terms – User account “Billy”
The analysis identified the following search terms for the search engine Google which had been entered
using the Google Chrome web browser for the user account “Billy”. The search terms were located
in the file location of: “C:\Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\
User Data\Default\History”. It should be noted that the entries below are only those that may be relevant to
the investigation. They do not include all search terms that may have been entered into the Google Chrome
browser. A full list is available upon request.

| Google Search Term | Date/Time (UTC+0000) |
| --- | --- |
| where do I get cocaine from | 27 Feb 2012 15:46:11 (UTC +1000) |
| importing cocaine | 27 Feb 2012 15:46:22 (UTC +1000) |
| turning cocaine into real cash | 27 Feb 2012 15:46:33 (UTC +1000) |
| track my parcel | 27 Feb 2012 15:46:44 (UTC +1000) |
| ems parcel tracking | 27 Feb 2012 15:46:55 (UTC +1000) |
| making more cocine[5] | 27 Feb 2012 15:46:56 (UTC +1000) |
| track shipping | 13 March 2012 14:26:40 (UTC +1000) |
| street names cocaine | 20 March 2012 23:06:40 (UTC +1000) |
| ems tracking | 28 March 2012 02:53:20 (UTC +1000) |
| EMS tracking | 28 March 2012 06:40:00 (UTC +1000) |
| australia post tracking from china | 28 March 2012 14:13:01 (UTC +1000) |
| ems says handed over to custom | 28 March 2012 14:13:11 (UTC +1000) |
| ems says handed over to customs australia | 28 March 2012 14:13:19 (UTC +1000) |
| australian customs item search | 28 March 2012 17:46:10 (UTC +1000) |
| how do i find out why my item is stuck in australian customs | 28 March 2012 17:46:50 (UTC +1000) |
| how do i know if my item has been destroyed by australian ustoms | 28 March 2012 17:46:55 (UTC +1000) |
| how long does customs take to process a package australia | Sat, 01 April 2012 05:20:00 (UTC +1000) |
| how do you know if your ems items have been seized by australian customs | Wed, 01 April 2012 19:06:40 (UTC +1000) |

4.6 Google Chrome websites accessed – User account “Billy”
The analysis identified the following internet history records accessed via the Google Chrome web
browser. The records were located in the file location of: “C:\Documents and Settings\Billy\Local
Settings\Application Data\Google\Chrome\User Data\Default\History”. It should be noted that the records
below are only those that may be relevant to the investigation. They do not include all internet records as
this would be voluminous in size. These are available upon request.
[5] Note that the suspected typographical error was present in the Google search

| URL [6] | Webpage title | Date/Time |
|---|---|---|
| http://auspost.com.au/apps/search.html?q=item+customs | Australia Post ‐ Search results | 26 March 2012 14:13:20 (UTC +1000) |
| http://auspost.com.au/apps/search.html?q=cust5oms&entqr=0&output=xml_no_dtd&sort=date%3AD%3AL%3Ad1&ud=1&client=auspost_frontend&oe=UTF-8&ie=UTF-8&proxystylesheet=auspost_frontend | Australia Post ‐ Search results | 26 March 2012 14:13:23 (UTC +1000) |
| http://auspost.com.au/apps/search.html?q=customs&entqr=0&ud=1&sort=date%3AD%3AL%3Ad1&output=xml_no_dtd&oe=UTF-8&ie=UTF-8&client=auspost_frontend&proxystylesheet=auspost_frontend | Australia Post ‐ Search results | 26 March 2012 14:13:25 (UTC +1000) |
| http://www.ems.com.cn/ems/English/index.jsp# | EMS | 27 March 2012 07:09:10 (UTC +1000) |
| http://www.ems.com/ | EMS | 27 March 2012 07:09:20 (UTC +1000) |
| http://www.ems.com.cn/english-main.jsp | EMS | 27 March 2012 07:09:30 (UTC +1000) |
| http://www.ems.com.cn/qcgzOutQueryNewAction.do | EMS Tracking | 27 March 2012 07:09:40 (UTC +1000) |
| http://www.ems-tracking.net/ | EMS Tracking | 27 March 2012 07:09:50 (UTC +1000) |
| http://www.ems-tracking.net/verification.php | EMS Tracking | 27 March 2012 07:10:15 (UTC +1000) |

6 URL is an acronym for Uniform Resource Locator and refers to a website address.
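
An added example, not part of the original report or the examiner's tooling: Chrome's History file is an SQLite database whose `urls` table stores `last_visit_time` as microseconds since 1601-01-01 UTC, so a listing like the one above needs a keyword filter plus a timestamp conversion. The in-memory database is a constructed stand-in (two rows copied from the table, one invented) and the function names are hypothetical.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome timestamp epoch
REPORT_TZ = timezone(timedelta(hours=10))                 # the report shows UTC+1000

def webkit_to_dt(microseconds):
    """Chrome/WebKit timestamp (microseconds since 1601, UTC) -> aware datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def dt_to_webkit(dt):
    """Inverse conversion, used here only to build the constructed sample rows."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def build_sample_history():
    """Constructed stand-in for a History file, reduced to the columns queried.
    A real examination would open a working copy of the file read-only, e.g.
    sqlite3.connect("file:History?mode=ro", uri=True)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,"
               " visit_count INTEGER, last_visit_time INTEGER)")
    rows = [
        ("http://auspost.com.au/apps/search.html?q=item+customs",
         "Australia Post - Search results",
         datetime(2012, 3, 26, 14, 13, 20, tzinfo=REPORT_TZ)),
        ("http://www.ems.com.cn/qcgzOutQueryNewAction.do", "EMS Tracking",
         datetime(2012, 3, 27, 7, 9, 40, tzinfo=REPORT_TZ)),
        ("http://example.invalid/weather", "Weather",  # invented, not relevant
         datetime(2012, 3, 27, 8, 0, 0, tzinfo=REPORT_TZ)),
    ]
    db.executemany("INSERT INTO urls (url, title, visit_count, last_visit_time)"
                   " VALUES (?, ?, 1, ?)",
                   [(u, t, dt_to_webkit(d)) for u, t, d in rows])
    return db

def relevant_history(db, keywords):
    """Return (url, title, local time) for rows whose URL or title has a keyword."""
    if not keywords:
        return []
    clause = " OR ".join("url LIKE ? OR title LIKE ?" for _ in keywords)
    params = [f"%{k}%" for k in keywords for _ in range(2)]
    cur = db.execute("SELECT url, title, last_visit_time FROM urls"
                     f" WHERE {clause} ORDER BY last_visit_time", params)
    return [(url, title,
             webkit_to_dt(ts).astimezone(REPORT_TZ).strftime("%d %B %Y %H:%M:%S (UTC %z)"))
            for url, title, ts in cur]
```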

Appendix 5
iPhone Backup – Exhibit 1234567/001
Samsung NC10 Netbook Computer
An Apple iPhone can be synchronised and backed up with a computer. This process allows for the contents of the
iPhone to be recovered in the event that the device is lost, damaged or the contents are corrupted.
The analysis identified a backup file for an Apple iPhone which had the following information [1]:

| Field | Data | Examiner Comment (if applicable) |
|---|---|---|
| Device Name | billy’s phone | A user generated descriptor for the iPhone. |
| ICCID | 8961061000123456789 | ICCID (Integrated Circuit Card Identifier). A unique identification number for the SIM card. It is stored electronically within the SIM card and may also be printed on the outside of the SIM card. |
| IMEI | 0126460012345678 | IMEI (International Mobile Equipment Identity). The serial number of the handset. It is generally printed on both a sticker attached to the phone and stored electronically within the handset. |
| Last Backup Date | 2012-03-29 05:28:25Z | Zulu time (Z) is, within a fraction of a second, the equivalent of GMT or UTC. This would equate to 29 Mar 2012 15:28:25 (UTC+1000). |
| Phone Number | +61 401 222 333 | The recorded telephone number of the Apple iPhone. |
| Product Type | iPhone 3,1 | The series of the Apple iPhone. |
| Product Version | 4.2.1 | The current version of installed software on the iPhone. |
| Serial Number | 85108DDA40 | The electronic recording of the serial number of the Apple iPhone. |

Analysis of SMS (instant messages) identified 1,152 messages that were present in the backup file of the device. Of
these, the messages below may be of relevance to the investigation. The “ROWID” is the location of the message within
the 1,152 message list [2]:

| ROWID | Address | Date/Time [3] | Text | Flag |
|---|---|---|---|---|
| 992 | 61401222333 | 15 March 2012 10:15:50 (UTC +1000) | i’ve just checked EMS. Can’t wait to get my hands on the gear! | Sent |
| 993 | 61401111055 | 15 March 2012 10:15:5 (UTC +1000) | be patient my friend | Received |
| 994 | 61401222333 | 15 March 2012 10:16:30 (UTC +1000) | i can’t. I didn’t think we could make so much cash with the “white magic” | Sent |
| 995 | 61401111055 | 15 March 2012 10:16:35 (UTC +1000) | we’ll be rich buddy | Received |

There was no further correspondence between the users of “61401222333” and “61401111055”. A full list of all SMS
content is available upon request.
1 Source file: C:\Documents and Settings\Billy\Application Data\Apple Computer\MobileSync\Backup\2bf6d242e2bf6d242e997f14fc16eb3f135854a58\Info.plist
2 Source file: C:\Documents and Settings\Billy\Application Data\Apple Computer\MobileSync\Backup\2bf6d242e2bf6d242e997f14fc16eb3f135854a58\3d0d7e5fb2ce288898dgaqjsk881818
3 This date and time field is generated from the internal clock within the Apple iPhone that was subject to backup.

Appendix 6
Optus SMS Messages – Exhibit 1234567/001
Samsung NC10 Netbook Computer
Software for the Optus Wireless Broadband service was installed on the exhibit and available to all users of the
computer. The software has a Message Manager feature in which SMS messages can be sent and received. A
record of sent and received messages was located in the file “MSGXMLData.xml” which had the following file
properties:

File Name: MSGXMLData.xml
File Location: Documents and SettingsAll UsersDocuments DataMSGXMLData.xml
MD5 Hash: d5868cb75884289bafdfac82a3d447df
File Creation: 23/Jul/11 11:56:48 (UTC+1000)
Last Written: 15/Feb/12 13:39:28 (UTC +1000)

All SMS messages that were located within this file are presented below. The date and time information was not
present within the file. An SMS message which may be of interest to the investigation has been highlighted with a
red box.
<message>mate, I need your cash asap. I have the big shipment coming and it will make us rich. But I need
to pay $10k and then $20k on it now. Otherwise the chinaman will get very upset with me. Can you call me
asap
<message>
<send_receive_phonenumber>
0401222333; <send_receive_phonenumber>
The analysis did not identify whether the messages were sent or received. Additionally, the data file for the Optus
broadband service was available to all users on the computer. Accordingly, it was not determined which user
account the SMS messages relate to.
The Samsung NC10 laptop computer had a SIM card slot beneath the battery. At the time of examination, no SIM
card was located in this slot.

Appendix 7
Electronic Mail (Email) – Exhibit 1234567/001
Samsung NC10 Netbook Computer
The following electronic mail (email) was identified on the exhibit. The email has been reformatted where possible
from a form that is present on the forensic image to a form which may assist in readability. Note that only data that
could be recovered is presented below and that the full email content was not, in some instances, able to be fully
recovered.
7.1

File Name: Not available
File Location: Unallocated Clusters [1], Physical sector 985660575
Date/Time: Not available

Hotmail ‐ [email protected]
Billy Boy profile | sign out Hotmail Inbox (79)
Re: White Magic
To Billy Boy
What is the purity of the gear. I need at leats 75% to make some real money?
‐‐‐‐‐ Original Message ‐‐‐‐‐ From: Supplier Dude To: [email protected] Sent: 25 February 2012 2:41 PM
Subject: Re: White Magic. Thank you for your interest in doing business. The white magic is available in lots of
250g. All prices are payable via Western Union. All goods are wrapped in such as a way as the customs dog’s
wont get them. You do business with me. I look after you my friend.
7.2

File Name: Not available
File Location: Unallocated Clusters, Physical sector 5684665999
Date/Time: Not available

Hotmail ‐ [email protected]
Billy Boy profile | sign out Hotmail Inbox (80)
The major toxicity of all the local anesthetics is CNS: cocaine, lidocaine. Cocaine hydrochloride is most
commonly “snorted”. It can also be injected. Some people rub it into the gums, where it is absorbed into the
bloodstream. Others add it to a drink or food. Freebase and crack cocaine are usually smoked.We hope to be
you long term reliable and trustable supplier.
‐‐‐‐‐ Original Message ‐‐‐‐‐ From: Billy Boy To: Supplier Dude Sent: 21 February 2012 6:42 AM Subject: Inquiry
about Cocaine Home Product Directory Offers China Manufacturers Resources | Premium Services | Advertise
| Join Free | Site Map | Contact Us . Note: Please do not reply to this message directly, Send to :
[email protected]: Subject Inquiry about CocaineContent Hi, im wondering if you could give me a
price on 2.5kg of cocaine , and if it can be delivered to melbourne, australia.. also id like to know how often
your packages get detected here, and what guarantees you give. Email [email protected] Tel 0411222111
Fax 0403333222 Country/Region Australia .
1 Unallocated data is considered to be data that is not in use by the operating system or user. Data can become unallocated as a
result of data deletion or drive reformatting. The data will remain present on the hard disk drive until it has been overwritten. It
may contain remnants of previous files (in whole or in part) that may be recovered using forensic software.

Appendix 8
Facebook Messages – Exhibit 1234567/001
Samsung NC10 Laptop Computer
Facebook is an online social networking site which can be accessed from the website address of
“www.facebook.com”.
Facebook allows for sending and receiving of instant messages between two or more Facebook users. A record of
instant messages which were located on the Samsung NC10 netbook computer is presented in the following pages.
These instant messages include the Facebook username of “Billy Bob” and the associated user Facebook ID
number of “888777444111”. As at 05 April 2012, neither of these Facebook ID numbers were viewable/accessible
on the Facebook website.

| Date/Time (UTC+0) [1] | Sender ID [2] | Sender Name | Recipient ID [3] | Recipient Name | Message Text | Source File [4] |
|---|---|---|---|---|---|---|
| 17 Mar 2012 05:35:33 | 888777444111 | Billy Boy | 10000187878787 | John Jones | HI | C:\Documents and Settings\Billy\Local\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 05:35:40 | 10000187878787 | John Jones | 888777444111 | Billy Boy | yeah 🙂 | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 05:35:54 | 888777444111 | Billy Boy | 10000187878787 | John Jones | How are ya? | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 05:36:13 | 888777444111 | Billy Boy | 10000187878787 | John Jones | k. you? | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 05:36:32 | 10000187878787 | John Jones | 888777444111 | Billy Boy | Hihi | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 05:36:33 | 10000187878787 | John Jones | 888777444111 | Billy Boy | yes | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 05:36:45 | 888777444111 | Billy Boy | 10000187878787 | John Jones | You all set | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |

1 Note that the times are in GMT+0 hours. Adjustments will need to be made for the appropriate time zones including any possible Daylight Savings times.
2 This is the Facebook ID reference of the sender of the message.
3 This is the Facebook ID reference for the receiver of the message.
4 This is the location of the message on the Samsung NC10 Laptop computer

| Date/Time (UTC+0) [1] | Sender ID [2] | Sender Name | Recipient ID [3] | Recipient Name | Message Text | Source File [4] |
|---|---|---|---|---|---|---|
| 17 Mar 2012 05:36:58 | 888777444111 | Billy Boy | 10000187878787 | John Jones | Yep | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 05:37:17 | 10000187878787 | John Jones | 888777444111 | Billy Boy | Got the cutter? | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 05:37:23 | 888777444111 | Billy Boy | 10000187878787 | John Jones | Of course | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 05:37:32 | 888777444111 | Billy Boy | 10000187878787 | John Jones | And the clip seal bags? | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 05:38:11 | 10000187878787 | John Jones | 888777444111 | Billy Boy | Of course mate. no stress. | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 05:38:27 | 888777444111 | Billy Boy | 10000187878787 | John Jones | I’ve never done anyting as big as this. if the cops catch me, i’m inside for a long time mate | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 05:46:39 | 10000187878787 | John Jones | 888777444111 | Billy Boy | They wont catch you | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 05:46:53 | 888777444111 | Billy Boy | 10000187878787 | John Jones | How do you know. what about the customs dogs. they can find this sorta stuff | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |

| Date/Time (UTC+0) [1] | Sender ID [2] | Sender Name | Recipient ID [3] | Recipient Name | Message Text | Source File [4] |
|---|---|---|---|---|---|---|
| 17 Mar 2012 05:47:01 | 888777444111 | Billy Boy | 10000187878787 | John Jones | I’m just nervous. | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 05:49:37 | 10000187878787 | John Jones | 888777444111 | Billy Boy | Don’t worry. the chinaman will make sure its all covered sothe dogs’ll never know the coke is there | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 05:49:50 | 10000187878787 | John Jones | 888777444111 | Billy Boy | Sorry didn’t mean to say coke. | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 05:50:32 | 888777444111 | Billy Boy | 10000187878787 | John Jones | Mate. careful what you say. you never know if the feds are listening.. i saw this doco once and they know everything. they can even see what you’re typing and whatyor thinking | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 06:09:04 | 10000187878787 | John Jones | 888777444111 | Billy Boy | Now you are paranoid.. | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 06:09:27 | 888777444111 | Billy Boy | 10000187878787 | John Jones | maybe biut i’m the one risking 20 years if i get caught.. | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 06:09:59 | 888777444111 | Billy Boy | 10000187878787 | John Jones | Ok mate. no more talking on line. and keep off the phones. lets meet at the usual spot tomrrow. | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |

| Date/Time (UTC+0) [1] | Sender ID [2] | Sender Name | Recipient ID [3] | Recipient Name | Message Text | Source File [4] |
|---|---|---|---|---|---|---|
| 17 Mar 2012 06:10:51 | 10000187878787 | John Jones | 888777444111 | Billy Boy | ok | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
| 17 Mar 2012 06:11:17 | 888777444111 | Billy Boy | 10000187878787 | John Jones | Ok bye | Documents and Settings\Billy\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\data_1 |
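
An added example, not part of the original report: the appendices mix three time notations (the Info.plist "Z" value in Appendix 5, the Facebook times in UTC+0 per note 1 above, and values already shown as UTC +1000), so a combined timeline needs each parsed to an offset-aware value before sorting. The function names are hypothetical, the sample values are copied from the report's tables, and the incomplete "10:15:5" entry for ROWID 993 is set aside for review rather than guessed.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed offset used in the report. A fixed offset ignores daylight saving; for
# a DST-observing location pass a zoneinfo.ZoneInfo object as report_tz instead.
REPORT_TZ = timezone(timedelta(hours=10))
_OFFSET = re.compile(r"\(UTC\s*([+-])(\d{2})(\d{2})\)\s*$")
_FULL_TIME = re.compile(r"(?<!\d)\d{2}:\d{2}:\d{2}(?!\d)")

def parse_evidence_time(text, default_tz=timezone.utc):
    """Parse one timestamp as written in the report into an aware datetime."""
    text = text.strip()
    if not _FULL_TIME.search(text):
        # e.g. "10:15:5": strptime would silently read this as 5 seconds
        raise ValueError(f"incomplete time field: {text!r}")
    if text.endswith("Z"):  # Info.plist style, always UTC
        parsed = datetime.strptime(text, "%Y-%m-%d %H:%M:%SZ")
        return parsed.replace(tzinfo=timezone.utc)
    tz = default_tz  # no suffix: Facebook table, stated to be UTC+0
    m = _OFFSET.search(text)
    if m:  # explicit "(UTC +1000)" suffix
        delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
        tz = timezone(delta if m.group(1) == "+" else -delta)
        text = text[:m.start()].strip()
    for fmt in ("%d %B %Y %H:%M:%S", "%d %b %Y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=tz)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")

SAMPLE = [  # (source, timestamp exactly as it appears in the report)
    ("iPhone backup Info.plist", "2012-03-29 05:28:25Z"),
    ("Facebook message", "17 Mar 2012 05:35:33"),
    ("iPhone SMS ROWID 992", "15 March 2012 10:15:50 (UTC +1000)"),
    ("iPhone SMS ROWID 993", "15 March 2012 10:15:5 (UTC +1000)"),
    ("Chrome history", "27 March 2012 07:09:40 (UTC +1000)"),
]

def build_timeline(events, report_tz=REPORT_TZ):
    """Return (timeline sorted in report_tz, entries needing manual review)."""
    good, review = [], []
    for source, raw in events:
        try:
            good.append((parse_evidence_time(raw).astimezone(report_tz), source))
        except ValueError as exc:
            review.append((source, str(exc)))
    good.sort()
    return [(dt.strftime("%d %b %Y %H:%M:%S (UTC%z)"), s) for dt, s in good], review
```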
