REPORT OF FORENSIC EXAMINATION




                                 Prepared By: Tami L. Loehrs, EnCE, ACE
                                              Loehrs & Associates, LLC.
                                              3037 West Ina, Suite 121
                                              Tucson, Arizona 85741
                                              520.219.6807

                                 Prepared For: Kim Pruitt
                                 Date:         7/25/2009
DETAILS
                                                                        CASE NAME / NUMBER
                                                                               United States vs. Milton Scott Pruitt
                                                                                        2:08 CR-000033
                  EXAMINATION REPORT                                            PAGE 1 OF 8 PAGES


EVIDENCE EXAMINED

    Item No       Description                                        Notes
    PC01          Forsyth County “new” FCVRAS Server – this          I was remotely logged into the FCVRAS server
                  was alleged to be the “new” FCVRAS server          as a network user with access to the S and T
                  by JD Rusk, no other information regarding         drives; my review was conducted in a non-
                  this server was provided                           forensic manner
    PC02          Forsyth County “old” FCRAS Server – this           Forensically examined image acquired by GBI
                  was alleged to be the “old” FCRAS server by        Agent Beth Messick
                  JD Rusk, no other information regarding this
                  server was provided

SYNOPSIS AND CONCLUSIONS

On or about July 9, 2009, I was informed that I would be allowed access to the Forsyth County Server on July 16th and
17th to conduct an independent forensics examination for the defense. The purpose of this examination is to obtain
evidence regarding the alleged remote access by MSPruitt on March 15, 2007, the files allegedly accessed by him and to
identify naming nomenclatures of other files stored on the server. I was told to contact Forsyth County IT Director, John
David Rusk, to make arrangements and I was provided with two telephone numbers for him.

Early in the morning on July 10, 2009, I telephoned Rusk at both phone numbers but was unable to reach him and left an
urgent message to please call me back with regard to the examination of the server the following week. At
approximately 5:00PM EST, I received a telephone call from Rusk and he informed me that he could not arrange for my
exam without the assistance from others. In this regard, Rusk informed me that he would schedule a conference call
with the appropriate persons for Monday morning at 8:00AM Arizona time. It was also confirmed that he would initiate
the call.

I rearranged my schedule to be available for the conference call on Monday at 8:00AM, but no phone call was received.
I telephoned Rusk at 8:30AM but received his voice mail. I left him an urgent message to call me as soon as possible.
In that voice mail, I let Rusk know that I would be out of town in a deposition all day Tuesday and then leaving for Atlanta
Wednesday morning at 6:00AM and that I needed to confirm my arrangements before leaving. I never received a return
phone call from Rusk. That afternoon, I received a phone call from County Attorney Tripp Peak regarding the details of
my examination. At 2:26PM, I emailed a letter to Peak setting forth the purpose, procedure and scope of my examination
and it was confirmed that the exam would begin on Thursday morning at 9:30AM at the Forsyth County Administration
building.

On Wednesday July 15, 2009 at 5:00 PM, a conference call was held with Peak, Rusk, County Attorney Ken Jarrard,
Attorney for Defendant Ann Fitz, GBI Agent Bobby Stanley, the Pruitts and me. The procedures and scope of the exam
as set forth in my letter were discussed at length and towards the end of the conversation Rusk referenced a remote
access connection. I explained that a forensics exam could not be conducted remotely and after additional discussion it
was understood that I would need direct access to the server or an image of the hard drive in order to conduct my exam.
At the end of the conference call all were in agreement with respect to the procedures and scope of the exam.



TYPED EXAMINER’S NAME                                        ORGANIZATION
TAMI L. LOEHRS                                               LOEHRS & ASSOCIATES, LLC.
SIGNATURE                                                    DATE                         EXHIBIT
                                                             7/25/2009

I arrived at the Forsyth County Administration Building on Thursday July 16, 2009 at 9:00AM and met with Peak, Rusk,
GBI Agents Stanley and Beth Messick and Matt Allen. I was escorted to the server room to begin a forensics
examination and Rusk identified a Dell server rack that contained four physical Dell servers and three Storage Area
Network Systems (“SANS”). Based on our telephone conference the night before, I asked Rusk how I was going to
connect directly to the server inasmuch as there was no monitor, keyboard or mouse. He explained that it could not be
done. I asked additional questions of Rusk with regard to possible methods for connecting to the server from within the
server room and he explained that it was not possible to connect to the server from inside the server room. I attempted
to resolve the issue of needing to connect directly to the server but Rusk was not cooperative. In the interest of time, I
had no other alternative but to follow Rusk’s direction and we all drove to the CID building to conduct the exam remotely
from that location.

Once at the CID building, Rusk began logging into the server using Remote Desktop and I noticed that he logged into a
server by the name of FCVRAS. I asked him if that meant Forsyth County Virtual Remote Access Server and he
confirmed that it did. I asked him why the screen shot he provided at the beginning of this case indicates a server by the
name of FCRAS. Rusk explained that FCRAS is the “old” remote access server and FCVRAS is the “new” remote
access server. I asked him when the new server was installed and he said “oh, about a year ago”. Then he said
“Coincidentally, it was installed exactly one year ago on July 15, 2008”. I asked Rusk, “if this new server was installed a
year ago then none of the data I’m looking for that we discussed in the conference call last night would be on it.” Rusk
replied in a smug manner, “that’s correct”. It became very clear that Rusk was purposefully being uncooperative and had
knowledge of this new server during the planning and implementation of my forensics examination over the past week.
In addition, Rusk knew the scope of my exam included evidence of the alleged remote access connection by MSPruitt on
March 15, 2007 and knew that this information was not on the new server. Rusk’s withholding of this information cost a
number of people lost time and money and directly hindered the defense’s discovery requests.

By this time, it was approximately 10:30AM and Rusk was asked where the FCRAS server that is the focus of this exam
would be located. Rusk first replied that he had no way of knowing where that server is located and I inquired if he had
an identification system such as bar coding to locate the server. Rusk replied that the County can’t afford it. When
asked what happened to the FCRAS server Rusk explained that it would have been formatted, had VMWare installed
and was likely used as a domain controller somewhere on the network. After several phone calls with County Attorney
Ken Jarrard, Rusk was asked to locate the old FCRAS server.

While the old FCRAS server was being located, I agreed to look at the current server with regard to the issues of file
naming nomenclatures. Stanley and Messick installed the EnCase forensics software using the remote access
connection provided by Rusk but found that the forensics software would not work. The reason the software was not
functioning is because a USB dongle is required to activate the software and a remote access connection does not
recognize the dongle. Rusk attempted to resolve the problem but was unsuccessful.

At approximately 1:30PM, with no forensic work having been conducted thus far, the old FCRAS server arrived at the CID building.
Although Rusk had earlier told me there was no way to locate this server, it was miraculously located after phone calls
with Mr. Jarrard. No information was ever provided to me regarding how the server was eventually identified as being
the old FCRAS server that Pruitt allegedly logged into on 03/15/07. After many unsuccessful attempts to resolve the
issues with conducting a forensics exam remotely and additional phone calls with Mr. Jarrard, Rusk agreed that we
would go back over to the Administration building where the physical server resides so he could connect a monitor,
keyboard and mouse, which he had previously indicated could not be done. In addition, the server that was identified as
the old FCRAS server was taken to the Administration building for examination at the same location.



After connecting a monitor, keyboard and mouse to the old FCRAS server, Messick attempted to install EnCase,
however, no Windows platform was available and therefore, the software could not be installed. Although Rusk knew
what Messick, Stanley and I had been trying to accomplish, he never informed anyone that no software could be installed
on the server due to the current configuration. Since Rusk is the IT Director for Forsyth County, I have to believe that he is
knowledgeable with respect to the configuration of his network and was certainly aware that no Windows platform
existed. Based on this new knowledge, at approximately 2:00PM, Messick began making a forensic image of the old
FCRAS server so I could conduct a proper forensics examination of the image.

It was also learned at this time that Messick would be unable to install the EnCase software on the new FCVRAS server
for the same reasons described above. In this regard, I agreed to simply be logged in as a remote access user so that I
could review the nomenclature issues. Rusk then logged me into the current FCVRAS server from a workstation in the
server room, the same room that Rusk had earlier told us had no ability to remotely access the server. I was provided
access to the S and T drives to identify naming nomenclatures and folder structures relevant to the defense. At the
conclusion of my live review, I prepared several screen shots that were reviewed by Rusk and then burned to a CD-
ROM. In addition, the forensic image of the old server was completed and given to Peak for safe keeping until such time
as I could conduct my forensic exam the following day.

The results of my live review of the new FCVRAS server revealed additional discrepancies with the printed screen shot
prepared by Rusk in 2007.

The screen shot prepared by Rusk, and offered as evidence of MSPruitt’s alleged wrongdoing, shows that MSPruitt
accessed a folder titled “Joe Mamma” on 03/15/07 at 12:29AM. However, in the Affidavit for Search Warrant prepared
by Stanley, he refers to this folder as “07031338 Joe Mamma”. Based on the two different names, these are two
different folders. I ran a search for the keyword Joe Mamma on the S and T drives which revealed only one folder titled
“07031338 Joe Mamma” created on 05/03/07 at 07:37AM, days before Pruitt was arrested. Since this folder allegedly
existed on 03/15/07 pursuant to Stanley’s Affidavit, it is unknown why this folder has a create date of almost two months
later and several days before Pruitt was arrested. Inasmuch as I was unable to forensically examine this server, I am
unable to make any conclusions as to why this folder was created on this date. Further, I did not find any folders titled
“Joe Mamma” and found no evidence with regard to the “Joe Mamma” folder that appears on the printed screen shot
prepared by Rusk in 2007. Because this folder appears in the Recent Folder of MSPruitt on 03/15/07 I can only
conclude that it was subsequently deleted from the system.








Also during my review of the new FCVRAS server, I searched for all .jpg images on the T drive and noted several other
folders with images containing identical nomenclatures as the images alleged to have been opened by MSPruitt back in
March, 2007, including the Tidwell folder.





I reviewed the S drive for the path S:\CID\Access, Case Management\Investigative Notes\General, Property, White
Collar, the location where the Roe folder existed in March, 2007. This path no longer exists although I did find the
CID\Access, Case Management folder under S:\New S Drive\Enforcement Bureau\Criminal Investigation.




On July 17, 2009 at 8:30AM, I met with Peak at the Forsyth County Administration building to begin my examination of
the old FCRAS server that was forensically imaged by Messick the day before. Peak escorted me upstairs where we
met with Rusk and I was escorted to a conference room. In the room was a large flat panel monitor that I was asked to
connect to my forensic laptop so Rusk and Peak could watch my exam. Approximately 10 minutes into my exam, Rusk
asked me to stop, go back and allow him to review an item I bookmarked as being relevant to the defense. At that time I
discontinued my exam and explained to Peak that it was not proper to allow a testifying witness to review my forensic
examination in which I am gathering evidence directly related to that witness’ testimony. After several phone calls and
discussions, Jarrard arrived at the conference room to discuss the issue. After several discussions both in private and
together, Rusk was removed from the room and I continued my examination of the evidence while Peak supervised.

As I continued my exam, it became apparent that the server I was reviewing was not the old FCRAS server that Pruitt
allegedly logged into on March 15, 2007. Keyword searches for Pruitt revealed nothing related to the events in question.
A search for the date 03/15/07 in various formats revealed no activity for this date. A search for the IP address that
MSPruitt used to allegedly log into the server revealed no hits. Although I recovered a lot of activity from unallocated
space, I did not find any evidence that this was the old FCRAS server at issue.
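The paragraph above describes sweeping the image for a date written in several formats and for an IP address. The Python script below is an added illustration of that kind of search; it is not part of this report and is not any tool used in the examination. It generates the common textual forms of 15 March 2007, encodes each as ASCII and as UTF-16LE (the encoding Windows uses for most stored strings), scans a raw byte buffer for them, and returns the byte offset, encoding and matched text of every hit. The image bytes it scans and the IP address 10.0.0.23 planted in them are constructed for the demonstration; the report does not disclose the IP address that was actually searched.

```python
"""Multi-format date / keyword sweep over a raw image buffer (illustrative)."""
from __future__ import annotations

import datetime as dt
import re
from dataclasses import dataclass

# Encodings worth trying on a Windows image: plain ASCII and UTF-16LE
# (the form NTFS names, registry values and many logs store text in).
ENCODINGS = ("ascii", "utf-16-le")

TARGET_DATE = dt.date(2007, 3, 15)


@dataclass(frozen=True)
class Hit:
    offset: int     # byte offset of the match in the buffer
    term: str       # decoded text that matched
    encoding: str   # which encoding produced the match


def date_variants(d: dt.date) -> list[str]:
    """Textual forms a date commonly takes in logs, registry values and documents."""
    yy = f"{d.year % 100:02d}"
    forms = {
        f"{d.month:02d}/{d.day:02d}/{yy}",           # 03/15/07
        f"{d.month:02d}/{d.day:02d}/{d.year}",       # 03/15/2007
        f"{d.month}/{d.day}/{yy}",                   # 3/15/07
        f"{d.month}/{d.day}/{d.year}",               # 3/15/2007
        f"{d.year}-{d.month:02d}-{d.day:02d}",       # 2007-03-15 (ISO 8601)
        f"{d.year}{d.month:02d}{d.day:02d}",         # 20070315 (compact)
        f"{d.day:02d}-{d.strftime('%b')}-{d.year}",  # 15-Mar-2007
        f"{d.strftime('%b')} {d.day}, {d.year}",     # Mar 15, 2007
        f"{d.strftime('%B')} {d.day}, {d.year}",     # March 15, 2007
    }
    return sorted(forms)


def sweep(buffer: bytes, terms: list[str]) -> list[Hit]:
    """Find every term, in every encoding, and return hits ordered by offset.

    Terms are tried longest-first inside one alternation so that a short form
    embedded in a longer one ("3/15/07" inside "03/15/07") is reported once.
    """
    ordered = sorted(set(terms), key=len, reverse=True)
    hits: list[Hit] = []
    for enc in ENCODINGS:
        pattern = re.compile(
            b"|".join(re.escape(t.encode(enc)) for t in ordered), re.IGNORECASE
        )
        for m in pattern.finditer(buffer):
            hits.append(Hit(m.start(), m.group().decode(enc), enc))
    return sorted(hits, key=lambda h: (h.offset, h.encoding))


def build_sample_image() -> bytes:
    """Constructed stand-in for an image: null filler with a few planted strings."""
    filler = b"\x00" * 64
    ascii_log = b"Event: remote logon 3/15/2007 00:29 from 10.0.0.23\r\n"  # constructed
    utf16_log = "Session start 2007-03-15".encode("utf-16-le")               # constructed
    decoy = b"Backup rotated 03/15/08 (wrong year, must not match)"          # constructed
    return filler + ascii_log + filler + utf16_log + filler + decoy + filler


def run_example() -> list[Hit]:
    """Sweep the constructed image for the target date and a hypothetical IP."""
    terms = date_variants(TARGET_DATE) + ["10.0.0.23"]  # IP address is hypothetical
    return sweep(build_sample_image(), terms)


if __name__ == "__main__":
    for h in run_example():
        print(f"offset {h.offset:6d}  {h.encoding:10s}  {h.term}")
```

On a real image the buffer would be read from the image file in overlapping chunks rather than loaded whole, and the hit offsets would then be mapped back to the owning file or to unallocated space with the file-system tools in use. Trying both encodings matters because a date that only exists as UTF-16LE text (the form Windows writes to the registry and to most of its own logs) is invisible to a plain ASCII search.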

While waiting for forensic processes to run, I was given permission to access the email server to run a keyword search
for Pruitt. Peak and Rusk escorted me to the server room and Rusk accessed the email server using the same
workstation I had used earlier to review the S and T drives on the server. I watched Rusk log into the “Administrator”
email account which appeared to contain automatically generated emails regarding the status of the system. After
logging into this Administrator account, Rusk said, “o.k., what are you looking for?” Knowing that Rusk had logged into
only one email account that would not contain any information relevant to this case, I explained to Rusk that I needed to
examine the entire email server. Once again, Rusk was difficult to work with and acted as though he did not know how
to comply with my request. In this regard, I asked Rusk how many users had email accounts and he estimated 1,000. I
explained that I would need access to the email server that hosts those 1,000 email accounts so I could run the keyword
search through all email accounts. Rusk attempted to comply with the request but then admitted he did not know how to
do that without searching each account individually. Based on Rusk’s inability to comply with the request, I informed
Peak that the only proper way to conduct the exam would be to make a forensic image of the email server so I could
conduct my exam forensically. Several phone calls were made by Peak but nobody was available to make an image of
the server as it was Friday afternoon.

In the interest of time, it was decided to limit the keyword search to the email accounts of those individuals relevant to
this matter which included Matt Allen, Aaron Coe, Evans, J. Robert Hamrick, Ted Paxton, Sesam and John David Rusk.
In addition, it was agreed to limit the relevant time period of January 1, 2007 through August 19, 2008. Peak, Rusk and I
returned to the server room and Rusk accessed each of the designated email accounts and ran the keyword search for
Pruitt. All emails located as a result of the keyword search were reviewed by Peak and Rusk for privilege and relevance
and then all emails that fit the criteria were copied into a folder and printed for both the prosecution and the defense. At
the conclusion of this review, I asked Rusk, in the presence of Peak, if the emails we searched represented all the emails
for these individuals and he confirmed they were. I asked if he knew of any other location where emails would be found
and he stated that he knew of no other location. I asked Rusk if there was a retention policy regarding emails and he
stated that there is not.

A review of the emails recovered as a result of the keyword search revealed that none of these individuals sent or
received any emails regarding Scott Pruitt and this matter. In fact, only three emails were found for the entire year of
2007. All three emails were sent from Ted Paxton in December, 2007 but do not pertain to this matter.

My examination was concluded Friday afternoon at approximately 5:00PM.



