Timeline Analysis of Desktop Property # 0214 207268 HDD -- Image Z6E8M349.E01 (Device 1) important Identifiers: Date 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 User: Username: SID: SID: Time 0:36:54 0:38:36 0:39:31 0:39:31 0:40:10 0:40:14 0:43:00 0:44:19 0:44:19 0:44:53 0:45:58 0:48:20 0:49:11 0:50:50 0:53:20 0:53:31 0:53:35 0:53:37 0:53:48 0:53:55 0:54:01 0:54:06 0:56:46 0:56:49 0:57:18 Michael Thomas BoP19012 §-1-5-21-1823249720-3210992811-1527010081-1102 Microsoft Security Identifier Action User BOP19012 Successfully Logged onto the System User launches GroupWise (grpwise.exe) User saves/downloads document named "SHU 30 CHECK SHEET (CONDENSED)_1.docx" to location "C:\Users\bop19012\Documents\GroupWise\" The "SHU 30 CHECK SHEET (CONDENSED)_1.docx" Word Document is also opened at this time. The GroupWise program crashes The GroupWise program reloads Last Printed timestamp indicates "SHU 30 CHECK SHEET (CONDENSED)_1.docx" was printed User saves/downloads document named "SHU Rules Metropolitan Correctional Center New York.docx" to location "C:\Users\bop19012\Desktop\" The "SHU Rules Metropolitan Correctional Center New York.docx" Word Document is also opened at this time User opens document named "SHU ORDERLY REQUEST 42214. rtf" from location "C:\Users\bop19012\Desktop\" User launches Calculator (calc.exe) User opens document named "1 - SHU LOCATOR 2019(HARDCOPY).docx" from network location "\\NYMC_GRPS_SERVER\GRPS\GROUPS\SHAREDOC\SHU PAPERWOR Execution of splwow64.exe by user BOP19012 indicates something was printed from the system User launches Calculator (calc.exe) User continues to access document named "1 - SHU LOCATOR 2019(HARDCOPY).docx" from network location User launches Internet Explorer (iexplorer.exe) User is navigated in IE to "ie1 lwelcome.microsoft.com/" User is navigated in IE to "http://sallyport.bop.gov/" -- Internet Explorer Hompage User navigates in IE to "http://sallyport.bop.gov/inst/nym/index.jsp" User navigates in IE to "http://sallyport.bop.gov/inst/nym/corrsvc/index.jsp" User navigates in IE to "http://sallyport.bop.gov/inst/nym/corrsvc/nymofficer.jsp" User opens document named "Daily Fire & Security Form[1].pdf" in Internet Explorer from "http://sallyport.bop.gov/inst/nym/corrsvc/docs/" User launches Internet Explorer (iexplorer.exe) User is navigated in IE to "http://sallyport.bop.gov/" -- Internet Explorer Hompage User open Microsoft Database named "Roster.accde" at "\\NYMC_APPS_SERVER\APPS\BOPAPPS\Roster\Ver3.1\" EFTA00062276

--=PAGE_BREAK=--

8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 0:59:22 1:00:24 1:00:28 1:00:31 1:00:52 1:00:54 1:01:21 1:02:14 1:02:18 1:02:25 1:03:16 1:03:02 1:03:02 1:13:49 5:14:10 6:03:30 6:03:41 6:12:15 6:14:15 6:14:21 6:15:03 6:15:07 6:19:05 6:19:05 6:29:07 8:55:12 User launches GroupWise (grpwise.exe) User searches Bing for "cycletrader" User navigates in IE to "https://www.cycletrader.com/" User navigates in IE to "https://www.cycletrader.com/myt/saved-listings/myListings?_=1565413229430" User searches Google for "suzuki gsx-r 750 motorcycle for sale" User navigates in IE to "https://www.cycletrader.com/Suzuki-Gsx-R-750/motorcycles-for-sale?type=motorcycle%7C356953&make=suzuki%7C2320128&model=gsx-r> User navigates in IE to "https://www.cycletrader.com/userSavedListings" User navigates in IE to "https://www.cycletrader.com/" User searches "gsxr" on "https://www.cycletrader.com/" User navigates in IE to "https://www.cycletrader.com/motorcycles-for-sale" User searches Google for "suzuki gsx-r 1000 motorcycle for sale" User Internet Activity Ends User activity on the system stops Screen Pass is Executed by System/User - Computer System is Locked User is logged off from the system User BOP19012 Successfully Logged onto the System User searches "shu" in Windows Explorer User launches GroupWise (grpwise.exe) User launches Internet Explorer (iexplorer.exe) User is navigated in IE to "http://sallyport.bop.gov/" -- Internet Explorer Hompage User searches Bing for "espn" User navigates in IE to "https://www.espn.com/nfl/" User Internet Activity Ends User activity on the system stops Screen Pass is Executed by System/User - Computer System is Locked User is logged off from the system EFTA00062277

--=PAGE_BREAK=--

EFTA00062278

--=PAGE_BREAK=--

67C764861123&trim=750%7C3160&zip=08832 &radius=150" EFTA00062279

--=PAGE_BREAK=--

Timeline Analysis of Desktop Property # 0214 207270 HDD -- Image Z6E8K1EV.E01 (Device 2) Important identifiers: Date 8/9/2019 8/9/2019 8/9/2019 8/9/2019 8/9/2019 8/9/2019 8/9/2019 8/9/2019 8/9/2019 8/9/2019 8/9/2019 8/9/2019 8/9/2019 8/9/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 User: Username: SID: SID: 23:40:27 23:41:28 23:42:55 23:43:04 23:43:12 23:43:21 23:43:27 23:44:01 23:45:40 23:46:16 23:47:06 23:53:42 23:53:42 Tova Noel BOP61232 $-1-5-21-3548300276-3289552418-2794689317-1126 Microsoft Security Identifier Action User BOP61232 Fails to Login - Incorrect Password User BOP61232 Successfully Logged onto the System User launches Microsft Access (MSACCESS.EXE) User launches Internet Explorer (iexplorer.exe) User is navigated in IE to "http://sallyport.bop.gov/" — Internet Explorer Hompage User searches Google for “ebenefits” User navigates in IE to “https://www.ebenefits.va.gov/" User navigates in IE to “https://myaccess.dmdc.osd_mil/identitymanagement/authenticate.do?gotoUrl=https://myaccess.dmdc_osd.mil/opensso/SAMLAwareServiet? TARGET=https://eauth.va.gov/ebenefits-portal" User navigates in IE to “https://eauth.va.gov/ebenefits-portal” User searches Google for “what does it mean by VA claim contention input" User navigates in IE to “http://www.benefits.va.gov/warms/docs/admin21/m21_1/me/part3/subptil/chO7/m21-Lili_l_7.doc* - Attachment Al User types in the URL “https://www.amazon.com/" User Internet Activity Ends User activity on the system stops Screen Pass is Executed by System/User - Computer System is Locked Computer is unlocked by user 80P61232 Website “www.amazon.com/" is accessed by user. Likely indicator that the web browser was left open and accessed at this time. User navigates in IE to “https://10.33.56.106/TRUACCESS/Login.aspx" User navigates in IE to “https://10.33.56.106/TRUACCESS/Dashboard_aspx" User navigates in IE to “https://10.33.3.57/RunTruscope.aspx” User launches GroupWise (grpwise_exe) User launches Internet Explorer (iexplorer.exe) User is navigated in IE to “http://sallyport.bop.gov/" — Internet Explorer Hompage User searches Google for “epp" User navigates in IE to “https://wwew.nfc_usda.gov/personal/" User searches Bing for "calendar 2019" User searches Google for "unum insurance" User navigates in IE to “https://wwew.unum.com/" User navigates in IE to “https://vewew.unum.com/employees* User navigates in IE to “https://www.unum_com/employees/benefits” User navigates in IE to “https://www.unum.com/employees/benefits/disability-insurance" User searches Google for “usajobs" User navigates in IE to “https://www.usajobs gov/Search/* User searches Google for “furniture bronx ny" User navigates in IE to “https://www.mybobs.com/stores/new-york/bronx-co-op-city" User navigates in IE to “https://www.mybobs.com/c/bedroom-sets" User navigates in IE to “https://www.mybobs.com/furniture/bedroom/bedroom-sets/majestic-king-bedroom-set/p/20023186" User searches Google for “ashleys furniture” User launches Internet Explorer (iexplorer.exe) User is navigated in IE to “http://sallyport.bop.gov/" — Internet Explorer Hompage User searches Google for “ashleys furniture” User navigates in IE to “https://wwew.ashleyfurniture.com/c/furniture/sets/bedroom-sets/" User types in the URL "https: //www_raymourflanigan.com/" User navigates in IE to “https://wwew.raymourflanigan.com/hempstead-king-bed-597155007.aspx" User Internet Activity Ends User activity on the system stops User launches Internet Explorer (explorer.exe) User is navigated in IE to "http://sallyport.bop.gov/" — Internet Explorer Hompage User searches for Last Name “noel” in BOP Staff Directory -- https://sallyport.bop.gov/StaffDirectory/execute/sdStaffDirectory?action=sd_action_search&facilityCode=&lastName=noel&firstName=S&recordsPerPage=25 User launches GroupWise (grpwise.exe} User launches Microsft Access (MSACCESS.EXE) User launches Internet Explorer (iexplorer.exe) User open Microsoft Database named “Roster.accde” at “file:///K:/BOPAPPS/Roster/Ver3.1/Roster.accde" User navigates in IE to “https://10.33.56.106/TRUACCESS/Login.aspx" User navigates in IE to “https://10.33.56.106/TRUACCESS/Dashboard.aspx" User navigates in IE to “https://10.33.56.106/truaccess/ApplicationLauncher.aspx" User navigates in IE to “https://10.33.3.57/Dashboard_aspx" User launches Internet Explorer (iexplorer.exe) User is navigated in IE to “http://sallyport.bop.gov/" — Internet Explorer Hompage User searches Google for "KENYATTA TAISTE” User activity on the system stops User searches Google for "KENYATTA KHAN" User navigates in IE to “https://imfromdriftwood.com/tag/kenyatta-taiste/" User navigates in IE to “https://pose-fx.fandom.com/wiki/Lady_Kenyatta_Taiste" User searches Google for "KENYATTA TAISTE” EFTA00062280

--=PAGE_BREAK=--

8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 8/10/2019 User searches Google for "KENYATTA KHAN" User searches Google for “latest on epstein in jail” User navigates in IE to “https://www.cnbe.com/2019/08/09/documents-released-about-jeffrey-epstein-and-ghislaine-maxwell.htm|" User navigates in IE to “https://wwew.google.com/url?sa=t&rct=|&q=&esrc=s&source=web&icd=28ved=2ahUKEw) DOZFFgvjjAhVKTIBKHOkbD2wQOPADMAFGBAgAEAK& urizhttps%3A%2F%2Fktla.com%2F2019%2F08%2F09%2F jeffrey-epstein-repeated|y-refused-to-answer-questions-about-allegations-he-orchestrated-sex-trafficking-ring-documents%2F &usg=AOvVaw3BUNSOG6WDIzbkD9Je_9KSC" User searches Google for “latest on epstein in jail" User searches Google for “latest on omar amanat* User navigates in IE to “https://nypost.com/tag/omar-amanat/" User navigates in IE to “https://wvew justice. gov/usao-sdny/pr/former-owner-and-manager-dubai-based-investment-fund-found-guilty-manhattan-federal" User navigates in IE to “https://wwew.law360.com/articles/1148332/ex-cfo-of-fraud-ridden-video-startup-spared-more-prison” User searches Google for "latest on omar amanat” User opens file from IE named “nysd-1_2015-cr-00536-446092-00792([1).pdf" -- SENTENCING MEMORANDUM OF OMAR AMANAT User launches GroupWise (grpwise.exe} Screen Pass is Executed by Systemn/User - Computer System is Locked Computer is unlocked by user BOP61232 User launches Internet Explorer (explorer.exe) User is navigated in IE to "http://sallyport.bop.gov/" — Internet Explorer Hompage User searches Google for “law enforcement discounts” User navigates in IE to “https://www.badgediscounts.com/" User navigates in IE to “https://proudpolicewife.com/the-mega-list-oftaw-enforcement-discounts/* User searches Google for “law enforcement discounts” User navigates in IE to “https://www.verizonwireless.com/support/first-responders-discounts-faqs/" User Internet Activity Ends User activity on the system stops Screen Pass is Executed by System/User - Computer System is Locked User is logged off from the systern EFTA00062281