diff --git a/findings/IMG_20160823_130922.jpg b/findings/IMG_20160823_130922.jpg
new file mode 100644
index 0000000..ff0dd61
Binary files /dev/null and b/findings/IMG_20160823_130922.jpg differ
diff --git a/findings/_RECoVERY_+wdbic.png b/findings/_RECoVERY_+wdbic.png
new file mode 100644
index 0000000..1cf37b8
Binary files /dev/null and b/findings/_RECoVERY_+wdbic.png differ
diff --git a/findings/e-mail1.PNG b/findings/e-mail1.PNG
new file mode 100644
index 0000000..15eb8be
Binary files /dev/null and b/findings/e-mail1.PNG differ
diff --git a/findings/e-mail2.PNG b/findings/e-mail2.PNG
new file mode 100644
index 0000000..9a29752
Binary files /dev/null and b/findings/e-mail2.PNG differ
diff --git a/findings/e-mail3.PNG b/findings/e-mail3.PNG
new file mode 100644
index 0000000..c986519
Binary files /dev/null and b/findings/e-mail3.PNG differ
diff --git a/findings/e-mail4.PNG b/findings/e-mail4.PNG
new file mode 100644
index 0000000..7d5561b
Binary files /dev/null and b/findings/e-mail4.PNG differ
diff --git a/findings/e-mail5.PNG b/findings/e-mail5.PNG
new file mode 100644
index 0000000..4d26c34
Binary files /dev/null and b/findings/e-mail5.PNG differ
diff --git a/report.tex b/report.tex
index 211d7c8..4392ea5 100644
--- a/report.tex
+++ b/report.tex
@@ -30,4 +30,147 @@
 \begin{document}
 \maketitle
+\section{Findings}
+
+The forensic analysis has been conducted on Windows 10 with the program
+\emph{Autopsy} in version 4.19.2.
+
+\subsection{Image}
+
+The seized computer image\footnote{sha1sum:
+B4C3AE80F840BB612F982BA5081872B8A6A19E83} is running \emph{Windows 7
+Professional} with \emph{Service Pack 1} installed. The computer's name is
+\emph{Hyrule} and is owned by the user \emph{Peter}. Peter's Security
+Identifier (SID) is S-1-5-21-3032217210-630098460-752710606-1001.
+
+\subsection{E-Mail Conversation}
+
+Peter was in contact with Iris over E-Mail. They went on a date, but decided to
+keep their relationship hidden from coworkers. Before a second date could
+happen, Iris asked Peter if he would send her a copy of Sabrina's new concept
+art of a main character. With pressure from Iris and the promise of a second
+date, Peter proceeded to send an image\footnote{sha1sum:
+98296EF2B0A297A323EA36CA7E5C31399D412D91} (figure~\ref{fig:drawing}) of
+Sabrina's initial drawing to Iris. The conversation over E-Mail is documented
+in figures~\ref{fig:e-mail1} to~\ref{fig:e-mail4}.
+
+\subsection{Other Persons}
+
+Other persons that are in involved are: Anna (director of Indiga), John
+(co-director of Indiga) and Sabrina (designer).
+
+\subsection{Additional Information}
+
+Peter's online search history include searches for how to hide images on a
+computer. In one of his personal folders there is an encrypted \emph{truecrypt}
+container\footnote{sha1sum: 7F6048D6293EF22F94D31847CEBBCE116D000D5C}. Multiple
+files on the system have an additional \texttt{.mp3} extension to their file
+names. These files have been encrypted by malware. The malware has placed a
+request for ransom\footnote{sha1sum: 8BDAF44B3454C4DE35B13F66AB04F8092DCAFBE5}
+(figure~\ref{fig:malware}) in Peter's personal folder.
+
+\section{Analysis}
+
+Peter's conversation with Iris confirms Anna's and John's suspicions that Peter
+leaked the concept art of the main character. From the conversation it is
+evident that Peter was reluctant to do so and was swayed by Iris' apparent
+interest in him. It is very likely that Iris was only interested in Peter,
+because she knew that he would be an easy target to get the concept art. After
+Peter realized that he is a suspect (the last E-Mail to Iris suggests this), he
+tried to hide his tracks by searching for ways to hide the image he leaked.
+
+\subsection{Truecrypt Container}
+
+Peter stored four files in an encrypted truecrypt container with the file name
+\texttt{personal.tc}. The password to open the container with \emph{Veracrypt
+v1.24-Update7} (the successor to the deprecated \emph{Truecrypt}) can be
+cracked with \texttt{hashcat} in a matter of seconds: \texttt{sec1}. The four
+files stored in the container include two Excel tables
+(\texttt{contacts.xlsx}\footnote{sha1sum:
+0434109BBC3BC12E86E338B0EF2B9099E9110955},
+\texttt{passwords.xlsx}\footnote{sha1sum:
+3EB6909C3EFE4F13C7283B47CB41E1F63FB1ADAA}), one image of Iris
+(\texttt{iris.jpg}\footnote{sha1sum: B234337053D01A7A60388CBF866096683604ED43})
+and a file called \texttt{workinfo.docx}\footnote{sha1sum:
+549429BE9608D0A04D47E4A9D69C99CE19EAABB4}. The last file is very likely also
+stolen information from Sabrina, because it says \emph{DO NOT SHOW ANYONE} and
+mentions that it is a working copy for Peter and Iris. The contents further
+specify key characters in the upcoming game and a note that Peter and Iris will
+receive the drawings as soon as they are finished and to be integrated into the
+game to avoid data theft.
+
+\subsection{Malware}
+
+The image from figure~\ref{fig:malware} has been placed in Peter's personal
+folder under the file name \texttt{\_RECoVERY\_+wdbic.png}. Additionally, the
+same content is placed into a \texttt{.txt} file as well as an \texttt{.html}
+file. It asks for a ransom to be paid in Bitcoin and then promises to decrypt
+the encrypted files. Peter's E-Mail to the company's support desk indicate that
+there are multiple encrypted \texttt{.mp3} files stored on his computer. The
+message placed by the ransomware is indicative of a malware called
+\texttt{Teslacrypt}. This type of malware has been prominent on computers of
+gamers, specifically. Teslacrypt has been studied extensively by multiple
+security research firms and Kaspersky provides a tool called
+\texttt{tesladecrypt.exe}\footnote{sha1sum:
+0B465C610F2F9E5D87F8C44261CB147D620C5D9A} to decrypt the \texttt{.mp3} files.
+The decrypted files do not provide additional information that is not already
+present in other files.
+
+\section{Appendix}
+
+This section contains the most relevant information found on the computer
+image.
+
+\begin{figure}
+ \centering
+ \includegraphics[width=1\textwidth]{findings/IMG_20160823_130922.jpg}
+ \caption{Sabrina's main character concept.}
+ \label{fig:drawing}
+\end{figure}
+
+\begin{figure}
+ \centering
+ \includegraphics{findings/e-mail1.PNG}
+ \caption{Peter's conversation with Iris over E-Mail.}
+ \label{fig:e-mail1}
+\end{figure}
+
+\begin{figure}
+ \centering
+ \includegraphics{findings/e-mail2.PNG}
+ \caption{Peter's conversation with Iris over E-Mail. This message contains
+ the image from figure~\ref{fig:drawing}.}
+ \label{fig:e-mail2}
+\end{figure}
+
+\begin{figure}
+ \centering
+ \includegraphics{findings/e-mail3.PNG}
+ \caption{Peter's conversation with Iris over E-Mail.}
+ \label{fig:e-mail3}
+\end{figure}
+
+\begin{figure}
+ \centering
+ \includegraphics{findings/e-mail4.PNG}
+ \caption{Indiga's director and co-director are suspecting Peter.}
+ \label{fig:e-mail4}
+\end{figure}
+
+\begin{figure}
+ \centering
+ \includegraphics{findings/e-mail5.PNG}
+ \caption{Peter needs help with his computer, because multiple files have
+ been encrypted by malware.}
+ \label{fig:e-mail5}
+\end{figure}
+
+\begin{figure}
+ \centering
+ \includegraphics[width=1\textwidth]{findings/_RECoVERY_+wdbic.png}
+ \caption{Ransom request in file named \texttt{\_RECoVERY\_+wdbic.png} from
+ \emph{Teslacrypt} malware.}
+ \label{fig:malware}
+\end{figure}
+
 \end{document}
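Review bot: The figure labelled `fig:e-mail5` is never referenced from the text, although the Malware subsection rests on Peter's support-desk e-mail for the claim that encrypted `.mp3` files exist, so that finding is not traceable to its exhibit; change the sentence to `Peter's E-Mail to the company's support desk (figure~\ref{fig:e-mail5}) indicates that`. The Truecrypt subsection records tool versions for Autopsy and VeraCrypt but gives neither the hashcat version nor the hash mode used, which the reproducibility of the password-recovery claim depends on; a footnote in the same style as the existing sha1sum footnotes would close that gap. The attribution of the ransom note to Teslacrypt is stated by appearance only, and the report would be stronger if it named what the identification rests on, for example the note text already hashed in the footnote and the successful run of the decryptor. As a point of style, `\includegraphics[width=1\textwidth]` on the first and last figures should be `\includegraphics[width=\linewidth]`, and the Findings section carries the slips `in involved` and `search history include`.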