
Internal Case #: CF-BC021418 1

Forensic Report

for GOAA BP-S00132 Procurement

Case Number: CF-BC021418

February 23rd, 2018


Table of Contents

I. Introduction .................................... 3
II. Executive Summary .............................. 4
III. Data Analyzers Background ..................... 5
IV. Evidence Consideration ......................... 6
V. Data Analyzers Process and Procedures ........... 9
VI. Additional Considerations ...................... 10
VII. Investigation and Analysis .................... 11
VIII. Conclusion ................................... 14
Appendix A Chain of Custody Form ................... 15
Appendix B Chain of Custody Form ................... 17
Appendix C Affidavit D4 LLC ........................ 19


I. Introduction

The Greater Orlando Aviation Authority is in the process of procuring a baggage handling system for its new South Terminal C. During the procurement process, irregularities were discovered and the Aviation Authority staff, consultants and legal counsel initiated an investigation into this matter. After having learned that Mr. Martin Ineichen of PMA had accessed and possibly downloaded certain documents related to the BP-S00132 STC BHS procurement, the Greater Orlando Aviation Authority (GOAA) decided that a forensic data investigation should be conducted.

On February 13th, 2018 Broad and Cassel contacted Data Analyzers, LLC (Data Analyzers). On February 14th, 2018 Broad and Cassel LLP retained Data Analyzers, LLC to assist with the forensic data examination of the systems and custodians involved with the procurement project.

Specifically, the scope of the data forensic investigation was to reveal any digital evidence that could assist in answering the following questions:

1. Whether PMA staff downloaded onto its computers, servers, cloud-based services, or removable storage devices any of the documents identified on Exhibit A, or whether any of those documents were deleted;

2. Whether Jervis B. Webb has possession, on its network or any cloud-based services, of any of the documents identified on Exhibit A, or whether any of those documents were deleted;

3. Whether any of the searches and computer usage depicted in Exhibit B evidence the transfer, download, upload, or deletion of any document identified on Exhibit A; and

4. Whether personal email servers evidence the transfer or deletion of any of the documents identified on Exhibit A.

Recognizing the existence of confidential data on the devices examined, the scope of the examination was limited to the analysis of metadata and system artifacts of desktop and laptop computer systems. The systems investigated were computers identified as having been utilized by individuals from Jervis B. Webb Company (“Jervis”) and PMA Consultants, Inc. (“PMA”) during the BP-S00132 STC BHS procurement process. With the findings of the forensic data investigation due to be turned over by February 23rd, this report is a summary of the findings by Data Analyzers regarding any activities related to the documents in Exhibit A.


II. Executive Summary

Data Analyzers has not found any evidence that Jervis B. Webb has, or has had, possession of any documents outlined in Exhibit A on the computer systems that Data Analyzers has examined. Neither internet activity, system artifacts nor file system records revealed the access of such files. In addition, Data Analyzers made the following findings:

Data Analyzers has found direct and compelling digital forensic evidence that the PMA Laptop assigned to Mr. Ineichen was tampered with, to the extent that system artifacts and metadata were altered to conceal activity on the Laptop computer system. Whether this was for reasons pertaining to this investigation or for other reasons could not be determined at this time.

Data Analyzers did not find a copy of any of the documents outlined in Exhibit A stored on the GOAA computer systems assigned to Mr. Ineichen. Similarly, Data Analyzers did not find evidence of any USB storage device connected to that computer during the time frame of the incident.

Data Analyzers did not find a copy of any of the documents outlined in Exhibit A stored on any of the computer systems examined.

Data Analyzers did establish in a metadata timeline that after the files on box.com had been accessed from Mr. Ineichen’s GOAA-assigned computer system, the next user activity was accessing PMA’s web-based Outlook email service.

Data Analyzers was not able to cross-reference the results provided by Box.com regarding the download of the file “Technical Proposal for DBOM Services for BP-S00132 BHS_archive.pdf”: while internet activity and a login to box.com could be verified during this timeframe, the metadata did not show the download of the file to the computer system. Further detailed examination beyond the metadata would be required to resolve this abnormality.


III. Data Analyzers Background

A. Company Information

Founded in 2009, Data Analyzers, LLC is a professional service firm and consultancy whose principal place of business is in Lake Mary, Florida. The focus of the practice is on delivering intelligent electronic discovery collection, data recovery, data breach analysis, and advisory services to corporations, law firms and government entities. Its professional staff hold numerous industry certifications and have assisted clients with data preservation requests, data breach investigations, cybercrime responses and expert witness services.

B. Biographies

This report was prepared by Andrew von Ramin Mapp.

Andrew von Ramin Mapp is the founder and principal consultant of Data Analyzers, LLC. Mr. von Ramin Mapp manages matters in the areas of digital forensics, electronic discovery and cybercrime responses and supervises data recovery engineers and digital forensics examiners in the performance of their jobs.

He holds a degree in Industrial Engineering from Berufsfachschule Kuenzelsau in Germany and an Associate’s degree in computer programming and network administration from Florida Technical College. He is a Certified Information Systems Security Professional (CISSP), a GIAC Certified Forensic Examiner (GCFE), a GIAC Certified Forensic Analyst (GCFA), a Certified Hacking Investigator (CHFI), a Certified Ethical Hacker (CEH), a Certified Computer Examiner (CCE), and a Certified Forensic Consultant (CFC). He is a member of the American College of Forensics Examiners (ACFEI), the American Society of Digital Forensics and eDiscovery (ASDFED) and the International Society of Forensic Examiners (ISFCE). Mr. von Ramin Mapp has provided trial and hearing testimony on a number of occasions and has been admitted as an expert in federal and state court.


IV. Evidence Consideration

Data Analyzers collected data for forensic examination and analysis from desktop and laptop computers used by PMA and Jervis employees or contractors between February 14th and February 21st 2018.

1. Data Collection Jervis B. Webb Company (“Jervis”)

A total of eleven remote collections were performed from computer systems located in Novi, Michigan. A list of individuals involved in the procurement project was provided by Mr. Michael J. Farley, Sr. Vice President and General Counsel of DAIFUKU North American Holding Company. In addition, a list of usernames and computer host names was provided by Mr. Ryan Jacobs, Security Analyst with DAIFUKU North American Holding Company. This information assisted in cross-verifying that the data was being collected from the correct custodians, computers and user profiles.

Custodian          Laptop or Desktop    Username   Computer Name
Todd Alderman      Laptop               Dtadler    D20036
Joe Emery          Laptop and Desktop   Djemery    D20437, D19224
Ken Hamel          Laptop               Dkhamel    D19349
Colin Oatley       Laptop               Dcoatle    D19911
Alex Wuchte        Laptop               Dawucht    D20180
Alan Daavettila    Laptop               Dadaave    D20180
Dave Daavettila    Desktop              Dddaave    D18697
Paul Lalinsky      Desktop              Dplalin    D18033
Brian Hoppe        Desktop              Dbhoppe    D20512
Andrew Grusnick    Laptop               Dagrusn    D20124

The objective was to perform a remote collection within the given time restraints and to limit the collection to metadata and system files. This was the scope agreed upon by all parties’ counsel due to concerns of security and trade secrets. A remote agent was pushed onto each device listed above and a remote collection within the scope was executed.


2. Data Collection PMA Consultants, Inc. (“PMA”).

A data collection was performed on five out of six computer systems delivered to the premises of Data Analyzers, LLC. Two laptop computers belonging to PMA which had been utilized by Mr. Martin Ineichen and Mr. Noel Alvarez were delivered to the premises of Data Analyzers, LLC on February 16th 2018, by Broad and Cassel LLP.

In addition, two laptop computers belonging to GOAA, also utilized by Mr. Ineichen and Mr. Alvarez, were delivered to the premises of Data Analyzers, LLC on February 20th 2018 by Broad and Cassel LLP. The remaining two laptop systems were delivered via FedEx courier service on February 21st 2018.

Custodian          Laptop or Desktop   Computer Name      Model / Serial Number
Martin Ineichen    Laptop              LTMINEICHENT430    Lenovo T430 / PB-295Wd12/11
Noel Alvarez       Laptop              LTNAP50            Lenovo P50s / R9-0LJEDW16/09
Richard Johnson    Laptop              LTRJohnsonT450s    Lenovo T450s / PC07XSS 3 15/09
Martin Ineichen    Desktop             OAR7               HP / 2UA3330KGK
Noel Alvarez       Desktop             OAR38              HP / 2UA3190THW

The objective was to perform a collection within the given time restraints and to limit the collection to metadata and system files. This was the scope agreed upon by all parties’ counsel due to concerns of security and trade secrets. The hard drives were removed and connected to a write blocker, after which metadata and system files were extracted.

Front side picture of the write blocker device utilized.

The Wiebetech write blocker, model Forensic UltraDock v4, UID 21-070185-B, was used during this investigation.


Back side pictures of the write blocker device utilized.

A Lenovo Laptop with the model number X1 Carbon and serial number PK-0PVFZ 13/08, assigned to Mr. Robert Sanders, was not processed and therefore no examination was conducted on it. This Laptop was received on February 21st 2018 and contains an SSD drive with a proprietary PCI connector. While Data Analyzers maintains a variety of proprietary SSD adapters, none that matched this particular interface were available, and no immediate solution could be presented to process the metadata for this Laptop within the targeted deadline due to the late delivery of the device.

Picture of proprietary SSD interface.


V. Data Analyzers Process and Procedures

Data Analyzers conducted its analysis of the procurement investigation pursuant to the protocol issued by GOAA.

Data Analyzers searched and analyzed the PMA, Jervis and GOAA computer systems to identify only documents, data, fragments and artifacts that reasonably appeared to be related to the BP-S00132 procurement and outlined in Exhibit A.

During the analysis, Data Analyzers employed a methodology tailored to the particular facts of this case. Data Analyzers’ methodology included:

1. Extracting all available metadata and system artifacts containing metadata.

2. Consolidating, parsing, and converting the metadata into a readable format.

3. Reducing the timeframe of the data to search and analyze to include data from November 1st 2017 to February 21st 2018.

4. Importing the metadata into a database and building a set of search queries for the names and variations of the file names in Exhibit A.

5. Performing additional manual metadata artifact review on key artifact areas to cross-verify results and for proper due diligence.

6. The searches performed included the full name of the file, as well as variations of the file names in Exhibit A, in order to capture variations of the file names. For example:

   The full name of the file “Technical Proposal for DBOM Services for BP-S00132 BHS_archive.pdf” was used to perform an exact search. A search with an asterisk character (*) in place of the .pdf extension was performed, as was a search with the asterisk at the beginning of the file name. The asterisk character is what is called a wildcard character and can represent any unknown character or group of characters at its position in the search query. Therefore, the asterisk character replacing pdf would, among other things, catch any other type of file extension besides pdf, such as Word documents (doc, docx), TIFF files and all other possible changed file formats.

7. In addition, a partial query for “Technical Proposal” as well as for “BP-S00132” was performed. Thereafter, a search for any pdf files within the time frame was conducted and reviewed.

8. Furthermore, the timeline and event logs were inspected for any suspicious activities that could relate to the documents in Exhibit A and/or the masking of such documents.

9. Registry artifacts that include most recently accessed documents, connected USB storage devices and network connections were manually reviewed.

10. On any abnormalities encountered, the process was re-run and further manual examination was performed.

Data Analyzers’ methodology was designed to identify downloaded or accessed documents relevant to Exhibit A. This methodology, within reason, would have identified any downloading, accessing and transferring of the documents in question.
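The wildcard and partial searches in steps 4, 6 and 7 can be expressed as database queries over the extracted metadata. The following Python script is an added illustration, not Data Analyzers' tooling or any code from the report: it loads a small constructed set of MFT-style records into an in-memory SQLite table, translates the report's asterisk wildcard into SQL LIKE patterns, restricts results to the November 1st 2017 to February 21st 2018 window from step 3, and runs the exact, extension-wildcard, prefix-wildcard and partial queries. The table layout, the system names and the file records are assumptions made for the example; the one practical point it adds is that LIKE treats the underscore in "BHS_archive" as a wildcard unless it is escaped, which would silently turn an exact search into a fuzzy one.

```python
import sqlite3

# Search window from step 3 of the methodology. ISO-8601 timestamps compare
# correctly as text, so BETWEEN works without date parsing.
WINDOW_START = "2017-11-01 00:00:00"
WINDOW_END = "2018-02-21 23:59:59"

# Exhibit A file name quoted in the report.
TARGET = "Technical Proposal for DBOM Services for BP-S00132 BHS_archive.pdf"

# Constructed MFT-style records (system, file name, last-modified time).
# These are illustrative and are NOT records recovered in the investigation;
# the system names are placeholders.
SAMPLE_RECORDS = [
    ("WS-EXAMPLE-01", TARGET, "2017-12-14 10:22:05"),
    ("WS-EXAMPLE-01",
     "technical proposal for dbom services for bp-s00132 bhs_archive.docx",
     "2018-01-20 09:01:00"),                                  # case and extension changed
    ("WS-EXAMPLE-02", "Copy of " + TARGET, "2018-02-02 15:40:10"),  # renamed with a prefix
    ("WS-EXAMPLE-02", "BP-S00132 addendum.pdf", "2017-10-03 08:00:00"),  # outside the window
    ("WS-EXAMPLE-03", "quarterly_report.pdf", "2018-01-05 12:00:00"),
    ("WS-EXAMPLE-03", "BHS archive notes.txt", "2018-01-06 12:00:00"),
    ("WS-EXAMPLE-03", TARGET.replace("BHS_archive", "BHS-archive"),
     "2018-01-07 12:00:00"),                                  # underscore swapped for a hyphen
]


def glob_to_like(pattern):
    """Translate the report's asterisk wildcard into a SQL LIKE pattern.

    LIKE treats '%' and '_' as wildcards, so a literal '_' in a name such as
    'BHS_archive' must be escaped or an exact search silently becomes fuzzy.
    """
    out = []
    for ch in pattern:
        if ch in ("%", "_", "\\"):
            out.append("\\" + ch)
        elif ch == "*":
            out.append("%")
        else:
            out.append(ch)
    return "".join(out)


def build_patterns(full_name):
    """Exact, wildcard and partial variants as described in steps 6 and 7."""
    stem = full_name.rsplit(".", 1)[0]
    return {
        "exact": full_name,                   # exact file name
        "any_extension": stem + ".*",         # asterisk instead of the .pdf extension
        "prefix_wildcard": "*" + full_name,   # asterisk at the beginning of the name
        "partial_title": "*Technical Proposal*",
        "partial_id": "*BP-S00132*",
        "any_pdf": "*.pdf",                   # every pdf in the window, for manual review
    }


def load_records(records):
    """Import the metadata into an in-memory SQLite table (step 4)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mft (system TEXT, file_name TEXT, modified TEXT)")
    conn.executemany("INSERT INTO mft VALUES (?, ?, ?)", records)
    return conn


def search(conn, pattern, start=WINDOW_START, end=WINDOW_END):
    """Run one wildcard query restricted to the search window.

    SQLite's LIKE is case-insensitive for ASCII, which also catches
    re-cased copies of the file name.
    """
    return conn.execute(
        "SELECT system, file_name, modified FROM mft "
        "WHERE file_name LIKE ? ESCAPE '\\' AND modified BETWEEN ? AND ? "
        "ORDER BY modified",
        (glob_to_like(pattern), start, end),
    ).fetchall()


def run_all(records=SAMPLE_RECORDS):
    """Return {query name: matching rows} for every pattern variant."""
    conn = load_records(records)
    return {name: search(conn, pat) for name, pat in build_patterns(TARGET).items()}


if __name__ == "__main__":
    for name, rows in run_all().items():
        print(f"{name}: {len(rows)} hit(s)")
        for system, file_name, modified in rows:
            print(f"    {modified}  {system}  {file_name}")
```

Against the constructed records the exact query returns only the unaltered copy, the extension wildcard additionally picks up the re-cased .docx, the prefix wildcard picks up the "Copy of" rename, and only the partial queries catch the copy whose underscore was replaced by a hyphen, which is why step 7 matters alongside step 6.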

VI. Additional Considerations

Due to the limited time in which results had to be produced, Data Analyzers utilized its best judgement to evaluate and implement the most efficient techniques for collection and analysis. Hence a remote collection was favored for the computer systems located in Novi, Michigan, as it was more cost- and time-effective compared to flying onsite for the data collection.

In addition, due to privacy concerns of PMA and Jervis expressed by their respective counsel, a collection of data from mobile phones was not performed.


VII. Investigation and Analysis

All modern Microsoft Windows computers, such as those examined during this investigation, have a Master File Table (MFT). This table keeps track of the creation and modification of all files stored on the computer system.

The MFT was examined on all computer systems discussed in the evidence consideration section of this report. No MFT records showed the existence of any of the files in Exhibit A or any reasonable variations.

In addition to the MFT, the internet activity was examined on all computer systems. Each of the computer systems had one or several of the following internet browsers installed: Google Chrome, Mozilla Firefox and Microsoft’s Internet Explorer. The internet history and supplemental artifacts were examined, and no records of the files in Exhibit A having been downloaded via an internet browser exist in the metadata and browser artifacts.

The examinations of the Jervis desktop and laptop computer systems, as well as the examination of the computer systems assigned to Mr. Alvarez and Mr. Johnson, displayed regular and consistent user activity. MFT records, internet activity and registry artifacts did not reveal any irregular activity or usage patterns. No indications that an access or download of any of the documents in Exhibit A occurred could be found for these systems.

Abnormalities discovered:

1. Mr. Ineichen’s PMA Laptop

Data Analyzers found very limited system activity from September 2017 to January 2018. This is rather unusual and does not fit the pattern of normal computer usage. The MFT entries examined show consistent activity until September 30th 2017. Thereafter, the MFT records become very inconsistent and, with the exception of four entries, no activity is seen at all until January 12th and, thereafter, again no activity until January 26th, at which point standard expected activities continue. To further elaborate, usually a large quantity of MFT entries are seen every day, as not only user activity is logged but also background activity performed by the system itself, such as program updates. Yet with the exception of four entries, on October 16th, December 6th, January 2nd and January 5th, there is no activity logged in the MFT until January 12th. After January 12th, there again is no activity logged until January 26th.

In addition, other system artifacts, such as the registry, also showed no activity during that time frame. To further investigate, the event logs were examined. The Application, Security and System event logs also showed no records during that time frame.

When examining the System event log in more detail, an entry can be seen for a change of system time. This record is dated January 12th 2018 at 8:13:11 AM. Furthermore, the record shows that the system time was changed from August 22nd 2017 to January 12th 2018. This is very unusual and is often used as an anti-forensic technique to mask true system activity.

This System event log entry of January 12th shows that the system time was changed so as to cause an almost 5-month discrepancy from what was previously set as the system time. This time discrepancy correlates with the missing activity in the metadata and is not something that is done by a user as part of normal computer operations.
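The two observations above, a multi-month hole in the MFT timeline and a System event recording a large clock jump that spans the same period, are what an examiner would want to surface mechanically from the extracted artifacts. The Python below is an added example, not the report's or Data Analyzers' code: it builds a constructed MFT timestamp sample shaped like the pattern described (dense daily activity to September 30th, four isolated entries, one active day on January 12th, nothing until January 26th), finds gaps between active days, filters time-change events to those whose jump is far larger than any NTP or daylight-saving correction, and reports which gaps each jump covers. The event records are modelled on the OldTime/NewTime fields of the Windows System log event Microsoft-Windows-Kernel-General, Event ID 1; the time of day for the previous clock value, the entry counts, and the second, benign event are assumptions.

```python
from collections import Counter
from datetime import date, datetime, timedelta


def build_sample_mft_timestamps():
    """Constructed MFT timestamp sample (not data from the report).

    Shape follows the report's description: ~50 entries per day through
    September 30th 2017, single entries on Oct 16, Dec 6, Jan 2 and Jan 5,
    one active day on January 12th, then normal activity from January 26th.
    """
    stamps = []

    def add_days(first, last, per_day):
        day = first
        while day <= last:
            base = datetime.combine(day, datetime.min.time())
            stamps.extend(base + timedelta(minutes=7 * i) for i in range(per_day))
            day += timedelta(days=1)

    add_days(date(2017, 9, 1), date(2017, 9, 30), 50)
    for day in (date(2017, 10, 16), date(2017, 12, 6), date(2018, 1, 2), date(2018, 1, 5)):
        stamps.append(datetime.combine(day, datetime.min.time()).replace(hour=9))
    add_days(date(2018, 1, 12), date(2018, 1, 12), 20)
    add_days(date(2018, 1, 26), date(2018, 2, 21), 50)
    return stamps


# Constructed time-change events modelled on Microsoft-Windows-Kernel-General
# Event ID 1 (System log), which carries the old and new clock values.
# The first mirrors the entry the report describes (logged 2018-01-12 08:13:11,
# previous time 22 August 2017; the previous time of day is an assumption).
# The second is a benign 2-second correction included to show the filter.
SAMPLE_TIME_CHANGE_EVENTS = [
    {"provider": "Microsoft-Windows-Kernel-General", "event_id": 1,
     "logged": datetime(2018, 1, 12, 8, 13, 11),
     "old_time": datetime(2017, 8, 22, 14, 5, 0),
     "new_time": datetime(2018, 1, 12, 8, 13, 11)},
    {"provider": "Microsoft-Windows-Kernel-General", "event_id": 1,
     "logged": datetime(2018, 2, 1, 3, 0, 2),
     "old_time": datetime(2018, 2, 1, 3, 0, 0),
     "new_time": datetime(2018, 2, 1, 3, 0, 2)},
]


def daily_counts(timestamps):
    """Number of MFT entries per calendar day."""
    return Counter(ts.date() for ts in timestamps)


def find_gaps(timestamps, min_gap_days=5):
    """(last active day, next active day, days apart) for every silence longer
    than min_gap_days. A running Windows system writes MFT entries daily
    (updates, logs, caches), so such a gap is itself something to explain."""
    active = sorted(daily_counts(timestamps))
    return [(prev, nxt, (nxt - prev).days)
            for prev, nxt in zip(active, active[1:])
            if (nxt - prev).days > min_gap_days]


def suspicious_time_changes(events, min_jump=timedelta(days=1)):
    """Time-change events whose jump exceeds any normal clock correction."""
    return [e for e in events if abs(e["new_time"] - e["old_time"]) > min_jump]


def analyze(timestamps, events):
    """Correlate each large clock jump with the MFT gaps its interval covers."""
    gaps = find_gaps(timestamps)
    findings = []
    for e in suspicious_time_changes(events):
        lo, hi = sorted((e["old_time"].date(), e["new_time"].date()))
        covered = [g for g in gaps if lo < g[1] and hi > g[0]]
        findings.append({"logged": e["logged"], "jump_days": (hi - lo).days,
                         "gaps_covered": covered})
    return {"gaps": gaps, "findings": findings}


if __name__ == "__main__":
    result = analyze(build_sample_mft_timestamps(), SAMPLE_TIME_CHANGE_EVENTS)
    for prev, nxt, days in result["gaps"]:
        print(f"gap: {prev} -> {nxt} ({days} days)")
    for f in result["findings"]:
        print(f"clock jump of {f['jump_days']} days logged {f['logged']} "
              f"covers {len(f['gaps_covered'])} gap(s)")
```

On the constructed sample the script reports five gaps (September 30th to October 16th, October 16th to December 6th, December 6th to January 2nd, January 5th to January 12th and January 12th to January 26th), discards the 2-second correction, and attributes a 143-day jump to the January 12th event, covering the four gaps that precede it. A real examination would also pull the corresponding Security log entries and registry last-write times to confirm that the silence is not simply a powered-off laptop.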


2. Mr. Ineichen’s GOAA computer

During the examination, unusual activity was discovered. Metadata revealed that on December 14th, 2017 a remote access session was established via TeamViewer, which is a remote access software application. A forensic collection tool called FTK Imager was executed from a folder called “D4 Collection Tools Package_11 8 16”. A large quantity of documents was collected from the computer via this software and copied into a container file called “Martin Loose documents.ad1”. In addition, an encryption software application called VeraCrypt was executed. This initially was a concern, as Data Analyzers had not been informed of any forensic activity that occurred on the computer system and could not immediately determine whether this was an authorized or unauthorized access. After having spoken to Broad and Cassel regarding this matter, they were able to obtain an affidavit from D4 LLC stating that this was an authorized collection performed by them at the direction of GOAA. This satisfied the initial concerns regarding this discovery. The affidavit explaining the data collection of D4 LLC from this computer is attached as Appendix C to this report.

In addition, the examination of the internet activity showed that from Mr. Ineichen’s assigned computer and from his user account the web address “goaa.account.box.com” was accessed. The user was logged in to the site and files were accessed. It does not, however, show a direct artifact of a download. Furthermore, there is no MFT record entry nor any registry artifact that shows the file in Exhibit A as having been downloaded. After files on the GOAA box account had been accessed, the next user activity was to log in to PMA’s web-based Outlook email portal, which was accessed via the address https://owa.pmaconsultants.com. An export of the records is included as Exhibit C to this report.


VIII. Conclusion

Data Analyzers has not found any evidence that Jervis B. Webb has, or has had, possession of any documents outlined in Exhibit A on the computer systems that Data Analyzers has examined. Neither internet activity, system artifacts nor file system records revealed the access of such files.

Data Analyzers has found that computer records for the PMA computer system assigned to Mr. Ineichen have been altered, most likely with the intent to conceal activity or usage. Based on a metadata examination, Data Analyzers has not found any records of the documents from Exhibit A stored on the computer systems assigned to Mr. Ineichen, nor on any of the other computer systems that have been examined.

Data Analyzers would recommend an additional forensic examination and analysis that is not limited to the metadata and system artifacts, to further investigate the record manipulation that occurred on Mr. Ineichen’s assigned PMA Laptop. A forensic investigation with full, unrestricted access to the computer system would uncover additional information that presumptively can assist in determining which actions had been performed on the laptop.

Furthermore, Data Analyzers would recommend a supplementary investigation of Mr. Ineichen’s GOAA-assigned computer system, to determine why downloaded files from box.com could not be found on the computer system. This additional forensic examination and analysis, which would not be limited to the analysis of metadata and system artifacts, would assist in drawing a more substantial conclusion.

For the additional examination of either the GOAA desktop or the PMA laptop to be successful, access to the pdf documents in Exhibit A as they exist on goaa.box.com would be crucial.

In addition, Data Analyzers would recommend providing additional time to examine the PMA Laptop computer system assigned to Mr. Robert Sanders, which could not be processed due to its proprietary interface and the limited time that was available.

I declare under penalty of perjury that the foregoing is true and correct.

Andrew von Ramin Mapp

Appendix A Chain of Custody Form

Appendix B Chain of Custody Form

Appendix C Affidavit D4 LLC

