
Running head: FINAL PRACTICAL ASSIGNMENT: SOLVE THE CRIME 1

Final Practical Assignment: Solve the Crime

Lorenze Salas

Professor Aaron Jones



Digital forensics has changed how evidence is recovered from digital media such as mobile devices, computers, surveillance cameras, cloud services, and much more. It allows the investigator to identify who the suspects are and reveal their motives toward a specific target during an investigation. The types of digital forensics cases can be “Intellectual Property theft, Industrial espionage, Inappropriate use of the Internet and email in the workplace, and Bankruptcy investigation” (“What is Digital Forensics? History, Process, Types, Challenges”, n.d.).

In this assignment, the things we are looking for in the Lonewolf E01 file are the hard drive architecture, total disk space, number of partitions, file systems, user accounts, evidence files, $MFT analysis of each evidence file, and the disk location of each file (or file fragments).

In the Autopsy software application, to investigate the number of partitions, I clicked the data source tree folder. It shows 6 different volumes, along with their descriptions, flags, and sector information, under the listing table tab.

Name                                                  ID  Starting Sector  Length in Sectors  Description                   Flags
vol1 (Unallocated: 0-2047)                            1   0                2048               Unallocated                   Unallocated
vol4 (Basic data partition: 2048-1023999)             4   2048             1021952            Basic data partition          Allocated
vol5 (EFI system partition: 1024000-1226751)          5   1024000          202752             EFI system partition          Allocated
vol6 (Microsoft reserved partition: 1226752-1259519)  6   1226752          32768              Microsoft reserved partition  Allocated
vol7 (Basic data partition: 1259520-1000214527)       7   1259520          998955008          Basic data partition          Allocated
vol8 (Unallocated: 1000214528-1000215215)             8   1000214528       688                Unallocated                   Unallocated

Within the same listing tab, in the “Summary”, under the types, it shows the 7 different file system types that are listed on the directories. The pie chart indicates the total disk space used by different categories (images, videos, audio, documents, etc.). Additionally, it shows the totals of allocated/unallocated files, slack files, and directories, along with the operating system and the hard drive architecture size.

In the Extracted Content Results folder, it lists the suspect’s accounts, recent documents, the programs that they ran on their computer, web history, web searches, and more artifact types that are listed as evidence.

In the Operating System User Account Extracted Content, there are about 5 registered accounts (SAM source files) and 3 software accounts in the service. “Jcloudy” stood out the most because it has recent activity on the computer and was given a password hint. The 4 other registered accounts are disabled in the account settings.

Jcloudy user account

To examine the evidence, I went to the vol7 partition, clicked the Users folder, then expanded the jcloudy user account (which is the main account on the LoneWolf.E01 hard drive). After investigating the files in the jcloudy (or Jimcloudy) user account, I found that the OneDrive folder contains the most valuable evidence on the hard drive. It contains numerous documents and screenshots.



I extracted Operation 2nd Hand Smoke.pptx, AIRPORT INFORMATION.docx, Planning.docx, and The Cloudy Manifesto.docx to the export folder under the case. To analyze the $MFT, an NTFS file system structure that keeps “records of all files in a volume, the files' location in the directory, the physical location of the files in on the drive, and file metadata” (Gurkok, 2017), I went to one of the files and clicked “File Metadata” under the listings tab.
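
The $MFT record of a non-resident file stores the file's on-disk location as a data runlist. The following added example (not part of the original report or of Autopsy) decodes a runlist and maps each fragment to absolute disk sectors using the vol7 starting sector from the partition table above. The 8 sectors per cluster and the sample runlist bytes are assumptions constructed for illustration, not values read from the LoneWolf image.

```python
# Added example: decode an NTFS data runlist (from a $DATA attribute in an
# $MFT record) and map each fragment to absolute sectors on the disk image.
VOL7_START = 1259520        # vol7 starting sector, from the partition table
VOL7_LENGTH = 998955008     # vol7 length in sectors, from the partition table
SECTORS_PER_CLUSTER = 8     # assumption: 4096-byte clusters, 512-byte sectors

# Constructed sample runlist (not from the LoneWolf image): two fragments,
# the second located before the first on disk (negative relative offset).
SAMPLE_RUNLIST = bytes.fromhex("3110000001210800f000")


def decode_runlist(raw):
    """Return [(lcn_or_None, cluster_count), ...]; lcn None marks a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(raw) and raw[pos] != 0x00:      # 0x00 header ends the list
        len_size, off_size = raw[pos] & 0x0F, raw[pos] >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError("truncated or malformed runlist")
        count = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((None, count))              # sparse: no clusters on disk
            continue
        # Offsets are signed and relative to the previous run's starting LCN.
        lcn += int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
        pos += off_size
        runs.append((lcn, count))
    return runs


def runs_to_disk_sectors(runs):
    """Map cluster runs to inclusive (first_sector, last_sector) disk ranges."""
    extents = []
    for lcn, count in runs:
        if lcn is None:
            continue
        first = VOL7_START + lcn * SECTORS_PER_CLUSTER
        last = first + count * SECTORS_PER_CLUSTER - 1
        if lcn < 0 or last >= VOL7_START + VOL7_LENGTH:
            raise ValueError("run falls outside the vol7 partition")
        extents.append((first, last))
    return extents


if __name__ == "__main__":
    for first, last in runs_to_disk_sectors(decode_runlist(SAMPLE_RUNLIST)):
        print(f"fragment: disk sectors {first}-{last}")
```

More than one extent in the output means the file is fragmented, and each sector range can be checked against the partition table to confirm it lies inside the allocated volume.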

The Operation 2nd Hand Smoke PowerPoint indicates where the event should take place, the date and time of the event, the suspect's destinations, and their departure to another country. The Airport Information document contains some text and screenshots of their destination. The Planning document reveals their setup ideas before executing the operation. It contains their target, the supplies they are buying, the escape route, and their thought process. Lastly, The Cloudy Manifesto document shows Jimcloudy's views on gun control and gun-free zones. Jimcloudy said:

“You will soon see when the blood has been shed and the defenseless bodies stacked high. I will do what I must. No matter who is hurt, the collateral damage will be worth it.

I will be the change. I will be the revolutionary. I will be the history maker. I will fight. I will be the Lone Wolf.”



In the days prior to the Town Hall event, Jimcloudy did a lot of web searches, which appear in his web history. Jimcloudy researched:

Domain          Text                                            Date Accessed
www.google.com  Shooting range near me                          2018-03-27 18:09:53 MST
www.google.com  just how easy is it to buy an illegal gun       2018-03-28 21:037:29 MST
www.google.com  Is there a map of gun free zones D.C.           2018-03-29 16:13:52 MST
www.google.com  Gun stores near me                              2018-03-31 10:49:27 MST
www.google.com  Why is there a timespan on my flight departure  2018-04-02 23:29:21 MST
www.google.com  Velcro tear away clothes                        2018-04-03 22:13:41 MST
www.google.com  Can I tape cash to myself and walk through tsa  2018-04-04 23:03:68 MST


To establish a timeline of what happened at the “Town Hall For Our Lives” event on Saturday, April 7, 2018, at 21030 Whitfield Place, Sterling, VA 20165: approximately between 12:30 PM and 1:00 PM, the suspect, Jimcloudy, entered the building and started a mass shooting during that timeframe.

The suspect leaves through the library entrance after his plan is completed and heads to Dulles International Airport before police arrive at the crime scene. It will take 13 – 20 minutes to get to the destination.

When the suspect arrives at Dulles International Airport, he has his ticket, which he got online a few days prior to the mass shooting. The suspect’s destination will be Denpasar, Bali, Indonesia, on April 8, 2018, after departing the United States and traveling for 22+ hours. Additionally, the suspect booked lodging at Sea Breeze Candidasa, which is an hour and thirty minutes away from Denpasar, Bali, Indonesia.

Most importantly, Jimcloudy has several different cloud services: Dropbox – 62 files, Google Drive – 7 files, OneDrive – 22 files.

References

Gurkok, C. (2017). Master file table | Computer and Information Security Handbook (Third Edition). sciencedirect. https://www.sciencedirect.com/topics/computer-science/master-file-table

What is Digital Forensics? History, Process, Types, Challenges. (n.d.). guru99. https://www.guru99.com/digital-forensics.html#:~:text=Digital%20Forensics%20is%20defined%20as,phone%2C%20server%2C%20or%20network
