Loehrs & Associates produced a preliminary forensic examination report (PDF). An excerpt of the report, compiled by the examiner, is provided below.
Date | Timestamp | Description |
---|---|---|
26/10/06 | 21:02:21 | Link file created to the 40 cent mile sheet |
26/10/06 | 21:20:18 | Vision Appraisal Technology website visited |
26/10/06 | 21:28:17 | Massachusetts Municipal Association website visited |
26/10/06 | 22:49:36 | Microsoft Word accessed |
26/10/06 | 23:02:39 | Fox News website accessed |
END ACTIVITY |
||
27/10/06 | 10:39:31 | Worcester website is accessed |
END ACTIVITY |
||
27/10/06 | 01:40:28 | Restore point .ini files |
27/10/06 | 02:22:19 | smp[1].htm file appears, no page is visible but the html indicates the content is child pornography; no searches or other Internet activity occur prior to this page. |
27/10/06 | 02:22:20 | The file sp[2]1.htm cannot be viewed but it causes the browser to pop up even when being accessed inside forensic software; this appears to be some sort of downloader Trojan. |
27/10/06 | 02:22:21 | popup.zaipal[1].htm cannot be viewed and also pops up the browser from within the forensic software indicative of the downloader Trojan. |
27/10/06 | 02:24:02 | KIDZINDEX1.htm appears – this page could not be viewed but the underlying html language shows it’s a child pornography site – TOPKDS LOLITA BBS |
27/10/06 | 02:24:03 | sp[2] and popup.zaipal files appear again. |
END ACTIVITY |
||
06/12/06 | 07:27:57 | Restore Point .que files |
06/12/06 | 13:31:28 | Load[1].htm is a website file that simply shows “loading...”; unknown website or origin |
06/12/06 | 14:04:44 | Pornographic images appear with no origin and continue for approximately 44 minutes |
06/12/06 | 14:48:58 | Pornographic activity ends |
END ACTIVITY |
||
07/12/06 | 09:04:30 | Websites accessed including weather and Worcester Works.com |
07/12/06 | 09:10:15 | Pornographic images appear with no origin and continue for approximately 50 minutes |
07/12/06 | 09:10:51 | script[1]1.js file appears; this is a JavaScript file containing various search engines including foreign search engines and the term “sun bbs”; this JavaScript file appears to be related to a virus or Trojan. |
07/12/06 | 09:12:42 | Symantec log begins reporting Adware.ZangoSearch and Downloader Trojan; 20 Instances reported |
07/12/06 | 10:00:21 | END ACTIVITY |
07/12/06 | 12:37:36 | Restore Point .que files |
07/12/06 | 12:43:48 | 4 desktop.ini files created |
07/12/06 | 12:46:30 | 2 unknown htm files appear – CAMXA327.htm and CAA99IRH.htm |
07/12/06 | 12:51:44 | Symantec log begins reporting Downloader Trojan; 5 instances |
07/12/06 | 12:53:10 | Pornographic images appear with no origin and continue for approximately 20 minutes |
07/12/06 | 13:13:40 | Pornographic images end |
07/12/06 | 14:01:06 | Restore Point .que files |
07/12/06 | 14:21:39 | Pornographic images appear again with no origin and continue for approximately 30 minutes; index[8]8.htm file – Preteen and Teen Models HQ Sites Collection – also contains downloader because page pops out of forensic software; several more downloaders appear before activity ends |
07/12/06 | 14:24:19 | Symantec log begins reporting Downloader Trojan; 7 instances are reported |
07/12/06 | 14:43:27 | Symantec log reports Bloodhound.Exploit.95 |
07/12/06 | 14:43:38 | |
END ACTIVITY |
||
07/12/06 | 14:44:10 | Symantec log reports Trojan.ByteVerify |
07/12/06 | 14:47:44 | Pornographic activity ends |
07/12/06 | 14:50:21 | Restore Point .que files |
END ACTIVITY |
||
11/12/06 | 11:36:52 | Restore Point .que file |
11/12/06 | 13:59:08 | Restore Point .que files |
11/12/06 | 14:13:08 | GGGD.tmp |
11/12/06 | 14:13:18 | Googletoolbardownloader_EN prefetch file |
11/12/06 | 14:13:21 | GGGD.tmp prefetch file |
11/12/06 | 14:15:24 | Two unknown html files appear – CA65EDMT.htm and CAQZ0DIR.htm; pornographic images appear and continue for approximately 30 minutes |
11/12/06 | 14:48:58 | edw.exe-0f1df43f.pf file |
11/12/06 | 14:48:58 | Sweet-young.htm file appears – this file popped out of the forensic software and caused my forensic computer to freeze and I had to shut down and reboot – this is the end of pornographic activity for this date. |
11/12/06 | 14:49:02 | Dr. Watson is loaded indicating problem with the computer |
11/12/06 | 14:54:12 | Restore Point .que files |
END ACTIVITY |
||
21/12/06 | 09:37:11 | Gmail accessed |
21/12/06 | 10:52:09 | Shrewsbury and City of Malden websites visited |
21/12/06 | 12:53:54 | wifilocator.exe prefetch file |
21/12/06 | 13:33:59 | Restore Point .que files |
21/12/06 | 13:44:00 | Restore Point .que files |
21/12/06 | 13:52:13 | Pornographic images appear with no origin and continue for approximately one hour; sites include lolitas, urinelove and scat sites |
21/12/06 | 14:28:42 | Restore Point .que file |
21/12/06 | 14:32:15 | desktop.ini files |
21/12/06 | 14:51:53 | END ACTIVITY |
27/12/06 | 11:18:28 | Spencer Mass website |
27/12/06 | 11:29:25 | Unknown htm files appear – CAG5EF8H.htm, CA2FPRK2.htm, CALNOAJ9.htm, CAYXDTID.htm |
27/12/06 | 11:29:53 | Pornography images begin appearing with no origin |
27/12/06 | 11:30:09 | Restore Point .que files |
27/12/06 | 11:31:31 | Pornographic images appear from scat site |
27/12/06 | 11:33:53 | Ert.jar zip file – ACTIVITY ENDS |
27/12/06 | 12:04:00 | Restore Point .que file |
27/12/06 | 14:01:52 | Restore Point .que file |
27/12/06 | 14:16:53 | Restore Point .que files |
27/12/06 | 14:25:56 | Windows Media Player prefetch file |
27/12/06 | 14:35:01 | Pornographic images appear with no origin |
27/12/06 | 14:37:36 | Restore Point .que files |
27/12/06 | 14:38:16 | taboomoviej10-3 prefetch file |
27/12/06 | 14:41:45 | Pornographic images appear with no origin and continue for approximately 30 minutes; sites are scat and urine |
27/12/06 | 15:08:15 | END ACTIVITY |
06/01/07 | 14:11:25 | Restore Point .que files |
06/01/07 | 14:14:17 | SMS.exe prefetch file |
06/01/07 | 14:19:02 | Begin Internet activity related to real estate |
06/01/07 | 14:38:21 | End Internet activity related to real estate |
06/01/07 | 15:08:03 | Symantec log reports Drivecleaner |
06/01/07 | 15:22:25 | index[8].htm – Nymphets web page appears |
06/01/07 | 15:22:48 | Symantec log begins reporting Downloader Trojan; 14 instances reported |
06/01/07 | 15:34:50 | index[1]1.htm – Little Nymphets webpage (page pops out of FTK indicating it is a downloader) |
06/01/07 | 15:39:46 | Restore Point .que files |
06/01/07 | 15:59:47 | Restore Point .que files |
END ACTIVITY |
||
10/01/07 | 09:20:17 | Restore Point .que files |
10/01/07 | 09:42:21 | Pornographic images appear with no origin |
10/01/07 | 10:24:36 | Symantec log begins reporting Downloader Trojan; 14 instances reported |
10/01/07 | 11:51:11 | Pornographic images appear with no origin |
10/01/07 | 12:08:24 | Symantec log begins reporting Downloader Trojan; 3 instances reported |
10/01/07 | 12:16:43 | Windows Media Player prefetch file |
10/01/07 | 12:19:30 | Taboomovie9tr0-1 MPEG prefetch file |
10/01/07 | 12:35:11 | rundll32.exe prefetch file |
10/01/07 | 14:26:47 | Pornographic images appear with no origin |
10/01/07 | 14:36:44 | Symantec log begins reporting Downloader Trojan; 28 instances reported |
10/01/07 | 14:50:03 | Symantec log reports Trojan.ByteVerify; 3 instances reported |
10/01/07 | 14:50:31 | Symantec log begins reporting Downloader Trojan; 37 instances reported |
10/01/07 | 14:54:51 | Pornographic activity ends |
END ACTIVITY |
||
11/01/07 | 09:52:06 | Restore Point .que files |
11/01/07 | 09:53:01 | Pornographic images appear with no origin and continue to appear sporadically for approximately one and a half hours |
11/01/07 | 10:30:24 | Symantec log begins reporting Downloader Trojan; 21 instances reported |
11/01/07 | 10:58:11 | Restore Point .que files |
11/01/07 | 11:03:12 | Restore Point .que files |
11/01/07 | 11:09:31 | Pornographic activity ends |
11/01/07 | 11:10:04 | Symantec log reports Downloader Trojan; 24 instances reported |
08/02/07 | 12:12:15 | Gmail |
08/02/07 | 12:14:26 | Vision Appraisal website |
08/02/07 | 12:15:13 | Massachusetts Tax Assessors website |
08/02/07 | 12:17:35 | Restore Point .que files |
08/02/07 | 12:19:05 | City of Brockton Assessors website |
08/02/07 | 12:20:41 | Pornographic images appear with no origin |
08/02/07 | 12:22:16 | Symantec VBN log reports Downloader Trojan |
08/02/07 | 12:44:00 | Multiple html pages appear with no content and “Service Temporarily Unavailable” – this is indicative of the Feebs Family virus; web pages are being created at the rate of 20-40 per minute |
08/02/07 | 12:54:10 | Pornographic activity ends |
08/02/07 | 12:56:00 | Symantec log reports downloader |
08/02/07 | 13:03:31 | Nymphets website appears and activity ends |
08/02/07 | 13:27:42 | Sovereign Bank website |
08/02/07 | 13:54:43 | Sovereign Bank website |
08/02/07 | 14:02:09 | Restore Point .que files |
08/02/07 | 14:07:45 | Pornographic images appear with no origin and continue for approximately one hour |
08/02/07 | 15:09:11 | Pornographic activity ends |
END ACTIVITY |
||
14/02/07 | 09:38:50 | Website for Massachusetts Government Gmail |
14/02/07 | 09:39:31 | Careerbuilder.com |
14/02/07 | 09:45:34 | Website for Acushnet, MA |
14/02/07 | 10:44:58 | login to CMS |
14/02/07 | 10:45:07 | login to CMS |
14/02/07 | 10:53:10 | login to CMS |
14/02/07 | 11:01:01 | Gmail |
14/02/07 | 11:05:22 | Google search results page – “nymphey bbs” |
14/02/07 | 11:05:41 | Bleso.com website – pornography images appear and continue for 10 minutes |
14/02/07 | 11:05:56 | Drivecleaner |
14/02/07 | 11:15:11 | Google search results page – “nymphets bbs” |
END ACTIVITY |
||
14/02/07 | 12:32:45 | Restore Point .que files |
14/02/07 | 12:33:40 | Gmail |
14/02/07 | 12:35:40 | Google search page appears – “nymphets tpg” |
14/02/07 | 12:39:54 | Google search page appears - “nymphets tpg” |
14/02/07 | 12:40:22 | Google search page appears – “nymphets tpg” |
14/02/07 | 12:40:53 | login to CMS |
14/02/07 | 12:40:58 | login to CMS |
14/02/07 | 12:41:28 | Website appears – best rape sites |
14/02/07 | 12:43:29 | MSN search page appears - “sun Lolita BBS” |
14/02/07 | 12:43:45 | Drivecleaner |
14/02/07 | 12:44:30 | barelylegal[1].htm |
14/02/07 | 12:44:34 | preview[1].htm |
14/02/07 | 12:45:11 | gallery1[1]1.htm |
14/02/07 | 12:45:17 | gallery1[1].htm |
14/02/07 | 12:45:43 | login to CMS |
14/02/07 | 12:45:47 | movie1[1].htm |
14/02/07 | 12:45:54 | Search page appears - “12 year old model bbs” |
14/02/07 | 12:47:07 | Google search page appears - “non nude pre teen sites” |
14/02/07 | 12:48:29 | fetishcon[1].htm – beginning of scat websites |
14/02/07 | 13:16:30 | Symantec reports Downloader Trojan |
14/02/07 | 13:23:44 | Scat pornography ends |
14/02/07 | 13:24:55 | login to CMS |
14/02/07 | 13:25:34 | login to CMS |
14/02/07 | 13:30:46 | restore point activity |
14/02/07 | 13:39:24 | login to CMS |
14/02/07 | 13:41:34 | login to CMS |
14/02/07 | 13:41:50 | login to CMS |
14/02/07 | 13:41:57 | restore point activity |
14/02/07 | 13:58:59 | Google search page appears – “preteen nonnude” |
14/02/07 | 13:59:04 | Google search page appears – “preteen non nude” |
14/02/07 | 13:59:17 | guestbook[1].htm – Combat BBS – popped up browser indicative of the downloader Trojan |
14/02/07 | 13:59:44 | myinceststories.htm |
14/02/07 | 14:02:58 | index[1]3.htm – drivecleaner |
14/02/07 | 14:03:47 | search[2]2.htm – Google search “preteen incest storys” |
14/02/07 | 14:06:42 | search[1]15.htm – Google search “preteen incest stories” |
14/02/07 | 14:07:52 | search[6]7.htm – Google search “pedophile fiction incest stories” results 1-10 |
14/02/07 | 14:08:06 | search[7]4.htm – Google search “pedophile fiction incest stories” results 41-50 |
14/02/07 | 14:12:13 | installdrivecleanerstart[1].ext |
14/02/07 | 14:12:51 | [2].htm – drivecleaner |
14/02/07 | 14:15:24 | search[1]7.htm – Google search “free incest pictures” results 81-90 |
14/02/07 | 14:15:49 | search[7]1.htm – Google search “incest taboo” results 1-10 |
14/02/07 | 14:17:11 | incest[1].htm – incest website – pops FTK like a downloader |
14/02/07 | 14:37:11 | porn activity ends |
14/02/07 | 14:38:41 | VBN file shows Trojan.ByteVerify |
14/02/07 | 14:38:42 | END ACTIVITY |
14/02/07 | 19:36:54 | VBN finds downloader |
14/02/07 | 19:42:03 | search[4]4.htm – Google search for “cartography” |
14/02/07 | 19:45:21 | out[5].htm – www.innocent-youth.com/angel-teens top |
14/02/07 | 19:46:03 | restore point activity |
14/02/07 | 19:52:11 | nymphets_land_gallery_3[1].htm |
14/02/07 | 19:54:43 | porn ends |
14/02/07 | 19:56:06 | Symantec services shuts down – system shut down |
END ACTIVITY |
||
08/03/07 | 11:50:58 | Real Estate websites |
08/03/07 | 11:55:28 | Best Candid.com website – School girls and child models |
08/03/07 | 11:58:21 | Preteen-Preteen.com search page – “preteen models” |
08/03/07 | 11:59:47 | Restore Point .que files |
08/03/07 | 12:00:46 | 7[2]1.htm – “requested URL/bng/7.jpg was not found on this server” – pornographic images continue for approximately 40 minutes |
08/03/07 | 12:37:59 | Coolnetsearching.info search results – “code help myspace” |
08/03/07 | 12:38:06 | Coolnetsearching.info search results – “help desk services” |
08/03/07 | 12:38:13 | Looksearch home page |
08/03/07 | 12:38:14 | CA67EN2D.htm page appears |
08/03/07 | 12:38:25 | Forbidden Lolitas Pictures website |
08/03/07 | 13:02:13 | Login to CMS |
08/03/07 | 13:02:27 | Login to CMS |
08/03/07 | 13:07:48 | Login to CMS |
08/03/07 | 13:07:55 | Login to CMS |
08/03/07 | 13:20:49 | Google search results – “pet show in ri” |
08/03/07 | 13:21:02 | Google search results – “ri convention center” |
08/03/07 | 13:21:56 | Google search results – “dunkin donuts center ri” |
08/03/07 | 13:25:40 | 7[3]1.htm – “The requested URL /bng/7.jpg was not found on this server” |
08/03/07 | 13:28:20 | Japanese pornography website – pops out of FTK indicative of Downloader Trojan |
08/03/07 | 13:29:53 | 7[1]12.htm – “The requested URL /bng/7.jpg was not found on this server” |
08/03/07 | 13:31:22 | Best Pay Lolita Porn Sites |
08/03/07 | 13:34:28 | ToseekA.com search results – “social studies activities” |
08/03/07 | 13:34:31 | ToseekA.com search results – “what is divorce” |
08/03/07 | 13:38:37 | Lolita Gallery website |
08/03/07 | 13:41:27 | big[2]1.htm – “The requested URL / new/classic-cpinfo/thumbs/big.jpg was not found on this server” – pornographic images continue for approximately 30 minutes |
08/03/07 | 14:17:24 | Netster home page |
08/03/07 | 14:17:42 | Coolnetsearching.info search results – “spyware removal tool” |
08/03/07 | 14:18:22 | Google search results – “nymphets” |
08/03/07 | 14:39:10 | Pornographic activity ends |
08/03/07 | 15:27:21 | Spiritair website |
END ACTIVITY |