diff --git a/STIX_for_digital_forensics/Email_Harassment/email_harassment.jpg b/STIX_for_digital_forensics/Email_Harassment/email_harassment.jpg
index eb66b23..920c8cd 100644
Binary files a/STIX_for_digital_forensics/Email_Harassment/email_harassment.jpg and b/STIX_for_digital_forensics/Email_Harassment/email_harassment.jpg differ
diff --git a/STIX_for_digital_forensics/Email_Harassment/email_harassment.pdf b/STIX_for_digital_forensics/Email_Harassment/email_harassment.pdf
index 3cc4482..4f09cdf 100644
Binary files a/STIX_for_digital_forensics/Email_Harassment/email_harassment.pdf and b/STIX_for_digital_forensics/Email_Harassment/email_harassment.pdf differ
diff --git a/STIX_for_digital_forensics/Email_Harassment/email_harassment.svg b/STIX_for_digital_forensics/Email_Harassment/email_harassment.svg
index 65ae5a5..304f84d 100644
--- a/STIX_for_digital_forensics/Email_Harassment/email_harassment.svg
+++ b/STIX_for_digital_forensics/Email_Harassment/email_harassment.svg
@@ -23,10 +23,10 @@
.st9 {fill:#a0360a;font-family:Franklin Gothic Demi;font-size:1.00001em}
.st10 {marker-end:url(#mrkr4-26);stroke:#008cd8;stroke-linecap:round;stroke-linejoin:round;stroke-width:0.75}
.st11 {fill:#008cd8;fill-opacity:1;stroke:#008cd8;stroke-opacity:1;stroke-width:0.22935779816514}
- .st12 {fill:#ffffff;stroke:none;stroke-linecap:butt}
- .st13 {fill:#002f49;font-family:Franklin Gothic Demi;font-size:0.666664em}
- .st14 {fill:#ffffff;stroke:#008cd8;stroke-linecap:round;stroke-linejoin:round;stroke-width:1}
- .st15 {fill:#004b74;font-family:Franklin Gothic Demi;font-size:1.00001em}
+ .st12 {fill:#002f49;font-family:Franklin Gothic Demi;font-size:0.666664em}
+ .st13 {fill:#ffffff;stroke:#008cd8;stroke-linecap:round;stroke-linejoin:round;stroke-width:1}
+ .st14 {fill:#004b74;font-family:Franklin Gothic Demi;font-size:1.00001em}
+ .st15 {fill:#ffffff;stroke:none;stroke-linecap:butt}
.st16 {fill:#ffffff;stroke:#005e3a;stroke-linecap:round;stroke-linejoin:round;stroke-width:1}
.st17 {fill:#005e3a;font-family:Franklin Gothic Demi;font-size:1.00001em}
.st18 {fill:#ff0000;font-size:1em}
@@ -61,7 +61,7 @@
Page-1
-
+
Rectangle.1002
x-crime-case: Email Harassment
@@ -105,10 +105,10 @@
Dynamic connector.1192
reconstructed_from_ref
-
-
-
- reconstructed_from_ref
+
+
+
+ reconstructed_from_ref
Rectangle.1001
indicator: accessed the website
@@ -117,8 +117,8 @@
-
- i
+ indicator:accessed the website
Rectangle.1027
@@ -128,16 +128,16 @@
-
- observed-data
+
+ observed-data
Dynamic connector.1028
indicated-by
-
- i
+ indicated-by
@@ -147,7 +147,7 @@
- based-on
+ based-on
Rectangle.1075
network-traffic
@@ -156,16 +156,16 @@
-
- network-traffic
+
+ network-traffic
Dynamic connector.1035
object_refs
-
- object_refs
+
+ object_refs
Rectangle.1016
ip4-addr
@@ -174,8 +174,8 @@
-
- ip4-addr
+
+ ip4-addr
Rectangle.1017
domain-name
@@ -184,24 +184,24 @@
-
- domain-name
+
+ domain-name
Dynamic connector.1018
src_ref
-
- src_ref
+
+ src_ref
Dynamic connector.1019
dst_ref
-
+
- dst_ref
+ dst_ref
Rectangle.1020
indicator: submitted a form that forms a harassment email
@@ -210,8 +210,8 @@
-
- i
+ indicator:submitted a form that forms a harassment email
@@ -220,8 +220,8 @@
-
- i
+ indicated-by
@@ -232,16 +232,16 @@
-
- observed-data
+
+ observed-data
Dynamic connector.1025
based-on
-
- based-on
+
+ based-on
Dynamic connector.1026
object_refs
@@ -249,8 +249,8 @@
- object_refs
-
+ object_refs
+
Rectangle.1027
threat-actor
@@ -258,8 +258,8 @@
-
- threat-actor
+
+ threat-actor
Rectangle.1028
x-computer
@@ -270,22 +270,22 @@
x-computer
-
+
Dynamic connector.1029
has
-
-
-
- has
+
+
+
+ has
Dynamic connector.1031
used-by
-
-
-
- used-by
+
+
+
+ used-by
Rectangle.1033
network-traffic
@@ -294,8 +294,8 @@
-
- network-traffic
+
+ network-traffic
Rectangle.1034
mac-add
@@ -304,8 +304,8 @@
-
- mac-add
+
+ mac-add
Dynamic connector.1035
resolves-to
@@ -314,15 +314,15 @@
- resolves-to
+ resolves-to
Dynamic connector.1036
has
-
- has
+
+ has
Rectangle.1037
infrastructure
@@ -331,8 +331,8 @@
-
- infrastructure
+
+ infrastructure
Dynamic connector.1038
indicates
@@ -340,7 +340,7 @@
- indicates
+ indicates
Dynamic connector.1039
indicates
@@ -348,23 +348,23 @@
- indicates
+ indicates
Dynamic connector.1040
consists-of
-
- consists-of
-
+
+ consists-of
+
Dynamic connector.1041
ues
-
-
-
- ues
+
+
+
+ ues
Rectangle.1042
x-action: submitted a harassment form
@@ -393,7 +393,7 @@
- dst_ref
+ dst_ref
Dynamic connector.1045
src_ref
@@ -401,7 +401,7 @@
- src_ref
+ src_ref
Rectangle.1046
email-message
@@ -410,8 +410,8 @@
-
- email-message
+
+ email-message
Rectangle.1047
email-addr
@@ -420,8 +420,8 @@
-
- email-addr
+
+ email-addr
Dynamic connector.1048
to_refs
@@ -429,7 +429,7 @@
- to_refs
+ to_refs
Rectangle.1051
url
@@ -438,8 +438,8 @@
-
- url
+
+ url
Dynamic connector.1052
consists-of
@@ -448,7 +448,7 @@
- consists-of
+ consists-of
Rectangle.1054
indicator: An email contains a harassment link to the website
@@ -457,8 +457,8 @@
-
- i
+ indicator:An email contains a harassment link to the website
@@ -469,8 +469,8 @@
-
- observed-data
+
+ observed-data
Dynamic connector.1056
based-on
@@ -478,7 +478,7 @@
- based-on
+ based-on
Dynamic connector.1057
object_refs
@@ -486,15 +486,15 @@
- object_refs
+ object_refs
Dynamic connector.1058
object_refs
-
- object_refs
+
+ object_refs
Rectangle.1061
indicator: A link leads to a harassment message
@@ -503,8 +503,8 @@
-
- i
+ indicator:A link leads to a harassment message
@@ -515,16 +515,16 @@
-
- observed-data
+
+ observed-data
Dynamic connector.1063
based-on
-
- based-on
+
+ based-on
Rectangle.1066
x-webpage
@@ -542,8 +542,8 @@
-
- url_ref
+
+ url_ref
Dynamic connector.1068
object_refs
@@ -551,7 +551,7 @@
- object_refs
+ object_refs
Rectangle.1069
x-investigation-tool: Wireshark
@@ -571,8 +571,8 @@
-
- file:
+ file: nitroba.pcap
Dynamic connector.1108
@@ -580,32 +580,32 @@
-
- inputs_refs
+
+ inputs_refs
Dynamic connector.1104
outputs_refs
-
- outputs_refs
+
+ outputs_refs
Dynamic connector.1073
outputs_refs
-
- outputs_refs
-
+
+ outputs_refs
+
Dynamic connector.1074
case_file_refs
-
-
-
- case_file_refs
+
+
+
+ case_file_refs
Rectangle.1075
indicator: Suspect’s name matches email address
@@ -614,8 +614,8 @@
-
- i
+ indicator:Suspect’s name matches email address
@@ -626,8 +626,8 @@
-
- observed-data
+
+ observed-data
Dynamic connector.1079
based-on
@@ -635,26 +635,26 @@
- based-on
+ based-on
Dynamic connector.1080
object_refs
-
- object_refs
+
+ object_refs
Dynamic connector.1081
object_refs
- object_refs
-
+ object_refs
+
Rectangle.1082
file: roster.txt
@@ -662,9 +662,9 @@
-
- file: roster.txt
-
+
+ file: roster.txt
+
Rectangle.1083
artifact: Johnny Coach
@@ -672,34 +672,34 @@
-
- artifact:
+ artifact: Johnny Coach
-
+
Dynamic connector.1084
content_ref
-
-
-
- content_ref
+
+
+
+ content_ref
Dynamic connector.1085
object_refs
-
-
-
- object_refs
-
+
+
+
+ object_refs
+
Dynamic connector.1086
case_file_refs
-
-
-
- case_file_refs
-
+
+
+
+ case_file_refs
+
Rectangle.1087
identity: Johnny Coach
@@ -707,18 +707,18 @@
-
- identity:
+ identity:Johnny Coach
-
+
Dynamic connector.1088
attributed-to
-
-
-
- attributed-to
-
+
+
+
+ attributed-to
+
Rectangle.1089
identity: Lily Tuckrige
@@ -726,34 +726,62 @@
-
+
identity:Lily Tuckrige
-
+
Dynamic connector.1090
targets
-
-
-
- targets
-
+
+
+
+ targets
+
Dynamic connector.1091
related-to
-
-
-
- related-to
-
+
+
+
+ related-to
+
Dynamic connector.1092
related-to
-
-
-
- related-to
-
+
+
+
+ related-to
+
+ Rectangle.1067
+ x-investigator:
+
+
+
+
+
+
+ x-investigator:
+
+ Dynamic connector.1012
+ investigates
+
+
+
+
+ investigates
+
+ Dynamic connector.1095
+ reconstructed_by_ref
+
+
+
+
+ reconstructed_by_ref
+
@@ -771,7 +799,7 @@
Note.1193
[network-traffic:src_ref.value='192.168.15.4' AND network-tra...
-
+
@@ -784,7 +812,7 @@
x="4" dy="1.2em" class="st23">uct.com' ANDinfrastrcture:consists-of.value='www.willselfdestruct.com' ]
-
+
Sheet.1013
@@ -792,7 +820,7 @@
-
+
@@ -810,7 +838,7 @@
Note.1022
[network-traffic:extensions.http-request-ext.request_method='...
-
+
@@ -845,7 +873,7 @@
class="st18">ANDinfrastrcture:consists-of.value='www.willselfdestruct.com' ]
-
+
Sheet.1023
@@ -853,7 +881,7 @@
-
+
@@ -871,7 +899,7 @@
Note.1059
[url:value='www.willselfdestruct.com' AND email-message:body ...
-
+
@@ -882,7 +910,7 @@
class="st24">' AND email-message:body MATCHES 'www.willselfdestruct.com']
-
+
Sheet.1060
@@ -890,7 +918,7 @@
-
+
@@ -908,7 +936,7 @@
Note.1064
[webpage:url_ref:value='www.willselfdestruct.com' AND webpage...
-
+
@@ -921,7 +949,7 @@
class="st28">' AND webpage:content MATCHES 'and you can't hide from us. Stop teaching.']
-
+
Sheet.1065
@@ -929,7 +957,7 @@
-
+
@@ -940,25 +968,24 @@
-
-
-
-
+
+
+
Note.1076
[network-traffic:extensions.http-request-ext.request_header.C...
-
+
-
+
[network-traffic:extensions.http-request-ext.request_header.Cookie MATCH 'jocahj@gmail.com' ANDartifact:payload_bin='Johnny Coach']
-
+
Sheet.1077
diff --git a/STIX_for_digital_forensics/Email_Harassment/email_harassment.vsdx b/STIX_for_digital_forensics/Email_Harassment/email_harassment.vsdx
index 3c1f1c4..85d7db5 100644
Binary files a/STIX_for_digital_forensics/Email_Harassment/email_harassment.vsdx and b/STIX_for_digital_forensics/Email_Harassment/email_harassment.vsdx differ