The examiner then retrieved the content, exposing a .doc file and a .zip file that were also encrypted. Then, the examiner created a dictionary and used the PRTK tool and obtained the key that he later used to crack open the .zip file. Inside the .zip folder, there were 5 different files which file extensions had been altered. To discover what the real extension of the files was, the examiner used the “WinHex” tool, and was able to determine that the files were all .png and that they were related to the case. The .png files were the plans stolen from the “archivaldesigns” website. Right after discovering the plans, the examiner move onto examining the suspect’s browsing history by loading the data from Firefox located inside the USB onto the “Belkasoft Evidence Center Ultimate” tool. During the browsing history examination, there was a huge part that indicated that the suspect had been searching for a software to duplicate the plans he had been stealing. The tool he was using was Chief Architecture, a tool used to design plans and other architectural