Loehrs & Associates produced a preliminary examination report of forensics examination (PDF). An excerpt of the report has been provided below that was compiled by the examiner. The analysis log has been redacted to remove references to Trojans etc to support the activity.
| Date | Timestamp | Description |
|---|---|---|
| 26/10/06 | 21:02:21 | Link file created to the 40 cent mile sheet |
| 26/10/06 | 21:20:18 | Vision Appraisal Technology website visited |
| 26/10/06 | 21:28:17 | Massachusetts Municipal Association website visited |
| 26/10/06 | 22:49:36 | Microsoft Word accessed |
| 26/10/06 | 23:02:39 | Fox News website accessed |
END ACTIVITY |
||
| 27/10/06 | 10:39:31 | Worcester website is accessed |
END ACTIVITY |
||
| 27/10/06 | 01:40:28 | Restore point .ini files |
| 27/10/06 | 02:22:19 | smp[1].htm file appears, no page is visible but the html indicates the content is child pornorgraphy; no searches or other Internet activity occur prior to this page. |
| 27/10/06 | 02:24:02 | KIDZINDEX1.htm appears – this page could not be viewed but the underlying html language shows it’s a child pornography site – TOPKDS LOLITA BBS |
| 27/10/06 | 02:24:03 | sp[2] and popu.zaipal files appear again. |
END ACTIVITY |
||
| 06/12/06 | 07:27:57 | Restore Point .que files |
| 06/12/06 | 13:31:28 | Load[1].htm is a website file that simply shows “loading...”; unknown website or origin |
| 06/12/06 | 14:04:44 | Pornographic images appear with no origin and continue for approximately 44 minutes˜ |
| 06/12/06 | 14:48:58 | Pornographic activity ends |
END ACTIVITY |
||
| 07/12/06 | 09:04:30 | Websites accessed including weather and Worcester Works.com |
| 07/12/06 | 09:10:15 | Pornographic images appear with no origin and continue for approximately 50 minutes |
| 07/12/06 | 10:00:21 | END ACTIVITY |
| 07/12/06 | 12:37:36 | Restore Point .que files |
| 07/12/06 | 12:43:48 | 4 desktop.ini files created |
| 07/12/06 | 12:46:30 | 2 unknown htm files appear – CAMXA327.htm and CAA99IRH.htm |
| 07/12/06 | 12:53:10 | Pornographic images appear with no origin and continue for approximately 20 minutes |
| 07/12/06 | 13:13:40 | Pornographic images end |
| 07/12/06 | 14:01:06 | Restore point.que files |
| 07/12/06 | 14:21:39 | Pornographic images appear again with no origin and continue for approximately 30 minutes index[8]8.htm file – Preteen and Teen Models HQ Sites Collection – also contains downloader because page pops out of forensic software; several more downloaders appear before activity ends |
| 07/12/06 | 14:43:27 | Symantec log reports Bloodhound.Exploit.95 |
| 07/12/06 | 14:43:38 | |
END ACTIVITY |
||
| 07/12/06 | 14:47:44 | Pornographic activity ends |
| 07/12/06 | 14:50:21 | Restore Point .que files |
END ACTIVITY |
||
| 11/12/06 | 11:36:52 | Restore Point .que file |
| 11/12/06 | 13:59:08 | Restore Point .que files |
| 11/12/06 | 14:13:08 | GGGD.tmp |
| 11/12/06 | 14:13:18 | Googletoolbardownloader_EN prefetch file |
| 11/12/06 | 14:13:21 | GGGD.tmp prefetch file |
| 11/12/06 | 14:15:24 | Two unknown html files appear – CA65EDMT.htm and CAQZ0DIR.htm; pornographic images appear and continue for approximately 30 minutes |
| 11/12/06 | 14:48:58 | edw.exe-0f1df43f.pf file |
| 11/12/06 | 14:48:58 | Sweet-young.htm file appears – this file popped out of the forensic software and caused my forensic computer to freeze and I had to shutdown and reboot – this is the end of pornographic activity for this date. |
| 11/12/06 | 14:49:02 | Dr. Watson is loaded indicating problem with the computer |
| 11/12/06 | 14:54:12 | Restore Point .que files |
END ACTIVITY |
||
| 21/12/06 | 09:37:11 | Gmail accessed |
| 21/12/06 | 10:52:09 | Shrewsbury and City of Malden websites visited |
| 21/12/06 | 12:53:54 | wifilocator.exe prefetch file |
| 21/12/06 | 13:33:59 | Restore Point.que files |
| 21/12/06 | 13:44:00 | Restore Point.que files |
| 21/12/06 | 13:52:13 | Pornographic images appear with no origin and continue for approximately one hour; sites include lolitas, urinelove and scat sites |
| 21/12/06 | 14:28:42 | Restore Point.que file |
| 21/12/06 | 14:32:15 | desktop.ini files |
| 21/12/06 | 14:51:53 | END ACTIVITY |
| 27/12/06 | 11:18:28 | Spencer Mass website |
| 27/12/06 | 11:29:25 | Unknown htm files appear – CAG5EF8H.htm, CA2FPRK2.htm, CALNOAJ9.htm, CAYXDTID.htm |
| 27/12/06 | 11:29:53 | Pornography images begin appearing with no origin |
| 27/12/06 | 11:30:09 | Restore Point.que files |
| 27/12/06 | 11:31:31 | Pornographic images appear from scat site |
| 27/12/06 | 11:33:53 | Ert.jar zip file – ACTIVITY ENDS |
| 27/12/06 | 12:04:00 | Restore Point.que file |
| 27/12/06 | 14:01:52 | Restore Point.que file |
| 27/12/06 | 14:16:53 | Restore Point.que files |
| 27/12/06 | 14:25:56 | Windows Media Player prefetch file |
| 27/12/06 | 14:35:01 | Pornographic images appear with no origin |
| 27/12/06 | 14:37:36 | Restore Point.que files |
| 27/12/06 | 14:38:16 | taboomoviej10-3 prefectch file |
| 27/12/06 | 14:41:45 | Pornographic images appear with no origin and continue for approximately 30 minutes; sites are scat and urine |
| 27/12/06 | 15:08:15 | END ACTIVITY |
| 06/01/07 | 14:11:25 | Restore Point .que files |
| 06/01/07 | 14:14:17 | SMS.exe prefetch file |
| 06/01/07 | 14:19:02 | Begin Internet activity related to real estate |
| 06/01/07 | 14:38:21 | End Internet activity related to real estate |
| 06/01/07 | 15:08:03 | Symantec log reports Drivecleaner |
| 06/01/07 | 15:22:25 | index[8].htm – Nymphets web page appears |
| 06/01/07 | 15:34:50 | index[1]1.htm – Little Nymphets webpage (page pops out of FTK indicating it is a downloader) |
| 06/01/07 | 15:39:46 | Restore Point .que files |
| 06/01/07 | 15:59:47 | Restore Point .que files |
END ACTIVITY |
||
| 10/01/07 | 09:20:17 | Restore Point .que files |
| 10/01/07 | 09:42:21 | Pornographic images appear with no origin |
| 10/01/07 | 11:51:11 | Pornographic images appear with no origin |
| 10/01/07 | 12:16:43 | Windows Media Player prefetch file |
| 10/01/07 | 12:19:30 | Taboomovie9tr0-1 MPEG prefetch file |
| 10/01/07 | 12:35:11 | rundll32.exe prefetch file |
| 10/01/07 | 14:26:47 | Pornographic images appear with no origin |
| 10/01/07 | 14:54:51 | Pornographic activity ends |
END ACTIVITY |
||
| 11/01/07 | 09:52:06 | Restore Point .que files |
| 11/01/07 | 09:53:01 | Pornographic images appear with no origin and continue to appear sporadically for approximately one and a half hours |
| 11/01/07 | 10:58:11 | Restore Point .que files |
| 11/01/07 | 11:03:12 | Restore Point .que files |
| 11/01/07 | 11:09:31 | Pornographic activity ends |
| 08/02/07 | 12:12:15 | Gmail |
| 08/02/07 | 12:14:26 | Vision Appraisal website |
| 08/02/07 | 12:15:13 | Massachusetts Tax Assessors website |
| 08/02/07 | 12:17:35 | Restore Point .que files |
| 08/02/07 | 12:19:05 | City of Brockton Assessors website |
| 08/02/07 | 12:20:41 | Pornographic images appear with no origin |
| 08/02/07 | 12:44:00 | Multiple html pages appear with no content and “Service Temporarily Unavailable” – this is indicative of the Feebs Family virus; web pages are being created at the rate of 20-40 per minute |
| 08/02/07 | 12:54:10 | Pornographic activity ends |
| 08/02/07 | 12:56:00 | Symantec log reports downloader |
| 08/02/07 | 13:03:31 | Nymphets website appears and activity ends |
| 08/02/07 | 13:27:42 | Sovereign Bank website |
| 08/02/07 | 13:54:43 | Sovereign Bank website |
| 08/02/07 | 14:02:09 | Restore Point .que files |
| 08/02/07 | 14:07:45 | Pornographic images appear with no origin and continue for approximately one hour |
| 08/02/07 | 15:09:11 | Pornographic activity ends |
END ACTIVITY |
||
| 14/02/07 | 09:38:50 | Website for Massachusetts Government Gmail |
| 14/02/07 | 09:39:31 | Careerbuilder.com |
| 14/02/07 | 09:45:34 | Website for Acushnet, MA |
| 14/02/07 | 10:44:58 | login to CMS |
| 14/02/07 | 10:45:07 | login to CMS |
| 14/02/07 | 10:53:10 | login to CMS |
| 14/02/07 | 11:01:01 | Gmail |
| 14/02/07 | 11:05:22 | Google search results page – “nymphey bbs” |
| 14/02/07 | 11:05:41 | Bleso.com website – pornography images appear and continue for 10 minutes |
| 14/02/07 | 11:05:56 | Drivecleaner |
| 14/02/07 | 11:15:11 | Google search results page – “nymphets bbs” |
END ACTIVITY |
||
| 14/02/07 | 12:32:45 | Restore Point .que files |
| 14/02/07 | 12:33:40 | Gmail |
| 14/02/07 | 12:35:40 | Google search page appears – “nymphets tpg” |
| 14/02/07 | 12:39:54 | Google search page appears - “nymphets tpg” |
| 14/02/07 | 12:40:22 | Google search page appears – “nymphets tpg” |
| 14/02/07 | 12:40:53 | login to CMS |
| 14/02/07 | 12:40:58 | login to CMS |
| 14/02/07 | 12:41:28 | Website appears – best rape sites |
| 14/02/07 | 12:43:29 | MSN search page appears - “sun Lolita BBS” |
| 14/02/07 | 12:43:45 | Drivecleaner |
| 14/02/07 | 12:44:30 | barelylegal[1].htm |
| 14/02/07 | 12:44:34 | preview[1].htm |
| 14/02/07 | 12:45:11 | gallery1[1]1.htm |
| 14/02/07 | 12:45:17 | gallery1[1].htm |
| 14/02/07 | 12:45:43 | login to CMS |
| 14/02/07 | 12:45:47 | movie1[1].htm |
| 14/02/07 | 12:45:54 | Search page appears - “12 year old model bbs” |
| 14/02/07 | 12:47:07 | Google search page appears - “non nude pre teen sites” |
| 14/02/07 | 12:48:29 | fetishcon[1].htm – beginning of scat websites |
| 14/02/07 | 13:23:44 | Scat pornography ends |
| 14/02/07 | 13:24:55 | login to CMS |
| 14/02/07 | 13:25:34 | login to CMS |
| 14/02/07 | 13:30:46 | restore point activity |
| 14/02/07 | 13:39:24 | login to CMS |
| 14/02/07 | 13:41:34 | login to CMS |
| 14/02/07 | 13:41:50 | login to CMS |
| 14/02/07 | 13:41:57 | restore point activity |
| 14/02/07 | 13:58:59 | Google search page appears – “preteen nonnude” |
| 14/02/07 | 13:59:04 | Google search page appears – “preteen non nude” |
| 14/02/07 | 13:59:44 | myinceststories.htm |
| 14/02/07 | 14:02:58 | index[1]3.htm – drivecleaner |
| 14/02/07 | 14:03:47 | search[2]2.htm – Google search “preteen incest storys” |
| 14/02/07 | 14:06:42 | search[1]15.htm – Google search “preteen incest stories” |
| 14/02/07 | 14:07:52 | search[6]7.htm – Google search “pedophile fiction incest stories” results 1-10 |
| 14/02/07 | 14:08:06 | search[7]4.htm – Google search “pedophile fiction incest stories” results 41-50 |
| 14/02/07 | 14:12:13 | installdrivecleanerstart[1].ext |
| 14/02/07 | 14:12:51 | [2].htm – drivecleaner |
| 14/02/07 | 14:15:24 | search[1]7.htm – Google search “free incest pictures” results 81-90 |
| 14/02/07 | 14:15:49 | search[7]1.htm – Google search “incest taboo” results 1-10 |
| 14/02/07 | 14:17:11 | incest[1].htm – incest website – pops FTK like a downloader |
| 14/02/07 | 14:37:11 | porn activity ends |
| 14/02/07 | 14:38:42 | END ACTIVITY |
| 14/02/07 | 19:36:54 | VBN finds downloader |
| 14/02/07 | 19:42:03 | search[4]4.htm – Google search for “cartography” |
| 14/02/07 | 19:45:21 | out[5].htm – www.innocent-youth.com/angel-teens top |
| 14/02/07 | 19:46:03 | restore point activity |
| 14/02/07 | 19:52:11 | nymphets_land_gallery_3[1].htm |
| 14/02/07 | 19:54:43 | porn ends |
| 14/02/07 | 19:56:06 | Symantec services shuts down – system shut down |
END ACTIVITY |
||
| 08/03/07 | 11:50:58 | Real Estate websites |
| 08/03/07 | 11:55:28 | Best Candid.com website – School girls and child models |
| 08/03/07 | 11:58:21 | Preteen-Preteen.com search page – “preteen models” |
| 08/03/07 | 11:59:47 | Restore Point .que files |
| 08/03/07 | 12:00:46 | 7[2]1.htm – “requested URL/bng/7.jpg was not found on this server” – pornographic images continue for approximately 40 minutes |
| 08/03/07 | 12:37:59 | Coolnetsearching.info search results – “code help myspace” |
| 08/03/07 | 12:38:06 | Coolnetsearching.info search results – “help desk services” |
| 08/03/07 | 12:38:13 | Looksearch home page |
| 08/03/07 | 12:38:14 | CA67EN2D.htm page appears |
| 08/03/07 | 12:38:25 | Forbidden Lolitas Pictures website |
| 08/03/07 | 13:02:13 | Login to CMS |
| 08/03/07 | 13:02:27 | Login to CMS |
| 08/03/07 | 13:07:48 | Login to CMS |
| 08/03/07 | 13:07:55 | Login to CMS |
| 08/03/07 | 13:20:49 | Google search results – “pet show in ri” |
| 08/03/07 | 13:21:02 | Google search results – “ri convention center” |
| 08/03/07 | 13:21:56 | Google search results – “dunkin donuts center ri” |
| 08/03/07 | 13:25:40 | 7[3]1.htm – “The requested URL /bng/7.jpg was not found on this server” |
| 08/03/07 | 13:29:53 | 7[1]12.htm – “The requested URL /bng/7.jpg was not found on this server” |
| 08/03/07 | 13:31:22 | Best Pay Lolita Porn Sites |
| 08/03/07 | 13:34:28 | ToseekA.com search results – “social studies activities” |
| 08/03/07 | 13:34:31 | ToseekA.com search results – “what is divorce” |
| 08/03/07 | 13:38:37 | Lolita Gallery website |
| 08/03/07 | 13:41:27 | big[2]1.htm – “The requested URL / new/classic-cpinfo/thumbs/big.jpg was not found on this server” – pornographic images continue for approximately 30 minutes |
| 08/03/07 | 14:17:24 | Netster home page |
| 08/03/07 | 14:17:42 | Coolnetsearching.info search results – “spyware removal tool” |
| 08/03/07 | 14:18:22 | Google search results – “nymphets” |
| 08/03/07 | 14:39:10 | Pornographic activity ends |
| 08/03/07 | 15:27:21 | Spiritair website |
END ACTIVITY |