I am involved as the defendant in a court case where the local TI did an image of my computer using Encase 6.8 and concluded that I had done three google searches of the insurance investigator 23 days prior to the fire in my home. Each was from an overwritten file and each search had identical time stamps.
Our forensic expert, using a Unix-based system, found the actual Google search, which was 24 days after the fire when I was trying to follow up with the investigator after he interviewed me. In other words, there is a difference of 47 days from the time the local TI says the search was made to the actual date.
It should also be noted that there was a five month lag between the time the TI acquired the computers and the images were made.
The insurance investigator was an outside contractor working for a firm with over 100 investigators and who had not been hired by my insurance company but rather by their owner company. (My insurance company was a wholly owned sub.) The investigator was not hired until after the fire and he was not local (coming from 150 miles away). Of course, I had no way of knowing this person.
It is also noteworthy that the local TI's results showed that I had approx. 3200 web searches with identical time stamps. I did not recognize any of these searches and they appear to have a suspicious origin.
Not to poison the well but there have been many other problems in this case.
The court has already made a ruling that the timestamps are not reliable but I am more interested in how they became NOT reliable.
Speculation: Did the local TI change the dates using NirSoft or something similar and then flood my system with searches to cause the system to overwrite, attempting to hide his tracks? How was this done? Did he merge databases into my system and then do the images? I have seen many items which show time problems related to daylight savings time or time zones or GMT but nothing on this scale. Has anyone out there heard of anything remotely resembling this set of circumstances where dates are off by nearly 7 weeks? It would seem that Guidance would be getting killed with product liability suits if there were no human hand involved in the manipulation of the dates with the purpose of incrimination.
Any ideas?
Do you mean IT as in Information Technology? If not, what's TI? It sounds like someone that doesn't have the correct training performed the analysis if you are referencing someone in an IT department. It will be hard for someone to give you a solid answer without looking at the data. I would try and get a neutral party or third party examiner involved. It seems odd that the date would be off by that much, but it could be a format issue or the tool used. Good luck.
TI is Technical Investigator as in Police Technical Investigator.
He is Encase Certified.
Of course, the issue is: can Encase 6.8 make that great an error three times reading overwritten files?
As stated previously without seeing the actual data and information it is hard to give answers that might assist.
Did your investigator work off the same forensic copy of the data as the TI, or did he acquire your devices himself?
We got our image from the Police Technical Investigator so they ought to be identical.
The 5 month lapse between the computer being seized and imaged is neither here nor there; provided the computer was not turned on in the interim, the image will still be a true and correct copy.
I would avoid speculating that you have been "set up" or "evidence planted" as all that will do is make you sound like a conspiracy nut and hurt your credibility.
You said the insurance company hired the TI, but then you said he is Police. So is this a criminal investigation or a civil investigation? Not being from the US I don't know the laws over there; maybe insurance companies can hire the Police to assist in investigating.
You also said that timestamps were found in overwritten files. That sounds a bit hard as overwritten files are generally unrecoverable. Do you mean the evidence of google searches was found in file slack, or simply recovered deleted files?
Are we talking about rebuilt web pages or registry evidence?
There are a number of places where evidence of Google searches might be found. Date/time stamps of deleted files can be very unreliable, but it largely depends on where the files or evidence was found. It is also possible for the Police to get information directly from Google itself about your search activity, so that is probably an avenue worth exploring if they are getting the dates wrong.
You would have to think "why" the police/investigator would change the time stamps. Generally they have huge backlogs of cases waiting to be looked at, so finding no evidence lets them put the case to bed and get on with a new one.
But more so getting caught would be the end of their career, if anyone wanted to do this they would need a compelling reason.
Thank you guys for responding.
Perhaps I was not clear. The Technical Investigator works for the Police. The insurance investigator who was googled works for the insurance company.
To be clear, I voluntarily turned over my computer knowing there was nothing there. The image came back from the TI. I did not make an image prior to turning the computer over because I could not conceive of any connection to our fire.
We have absolute evidence of multiple perjuries by prosecution witnesses. Not he said, he said but irrefutable evidence of perjury in areas other than the computer. Not mistakes, perjury.
For the person who said the TI would lose his career. Likely. Why? There is a history of log rolling in this area. Multiple other charges that kiddie porn was added to other computers in other cases. Mercifully, not in mine. Additionally, this office has been subject to prior criminal prosecution.
So can we stay with what we actually know? Does anybody know how Encase 6.8 could backdate the three date stamps on three separate overwritten files 47 days? Am I wrong in thinking no normal function of the Windows operating system would backdate? Then the answer must lie elsewhere.
You also said that timestamps were found in overwritten files. That sounds a bit hard as overwritten files are generally unrecoverable. Do you mean the evidence of google searches was found in file slack, or simply recovered deleted files?
Are we talking about rebuilt web pages or registry evidence?
There are a number of places where evidence of Google searches might be found. Date/time stamps of deleted files can be very unreliable, but it largely depends on where the files or evidence was found. It is also possible for the Police to get information directly from Google itself about your search activity, so that is probably an avenue worth exploring if they are getting the dates wrong.
The erroneous timestamps were claimed by the TI to be found in overwritten files.
Police did not get information from Google.
No mention of registry evidence was claimed. Just a list of potentially relevant files was produced. All were from overwritten files and did not appear in the internet history.
Both Unix and Google agreed on the actual date.
Given the above, has anyone ever seen another example where Encase 6.8 erroneously backdated three overwritten searches by 7 weeks to the identical erroneous time stamps? Has anyone ever seen anything similar?
Encase 6.8? Encase 6.1.8?
Firstly, the surrounding background information to your question is slightly confusing as your abbreviations and legislation may not be apparent to people replying to this post from outside countries with their own legislation.
So just to clarify, the question you are asking is
"How can 3 recovered deleted internet searches show the exact same timestamp within Encase?"
You will need to clarify exactly where these deleted searches were recovered from.
Unallocated space, slack, recovered folder etc…
Which web browser were these searches performed with?
If IE, then unless you have different history records within your index.dat files which have correlating timestamps, UTC/Local.
Lastly, was the time and date correct on the computer system at time of examination?
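To make the last two replies concrete (three hits sharing one timestamp, index.dat timestamps shown as UTC vs. local, and the acquisition date as an upper bound), here is an added example of the sort of sanity check an examiner would run over recovered history records. It is not from the case or from any of the posters; it assumes the records carry Windows FILETIME values, as IE index.dat entries do, and all dates, labels and the fixed -5 h offset are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Windows FILETIME: count of 100-ns intervals since 1601-01-01 UTC. IE index.dat
# history records store their timestamps in this form; the value itself has no
# time zone, so "local vs UTC" is purely a display choice at examination time
# and can shift a rendered date by hours, never by weeks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def render_both(ft, local_tz):
    """Return (utc_iso, local_iso, offset_hours) for one FILETIME value."""
    utc = filetime_to_utc(ft)
    local = utc.astimezone(local_tz)
    return utc.isoformat(), local.isoformat(), local.utcoffset().total_seconds() / 3600

def audit(records, acquired_utc):
    """records: list of (label, filetime). Flags one timestamp shared by several
    supposedly independent records, and any timestamp later than the imaging date,
    which no genuine user activity on a powered-off machine could produce."""
    by_ts = defaultdict(list)
    after_acq = []
    for label, ft in records:
        by_ts[ft].append(label)
        if filetime_to_utc(ft) > acquired_utc:
            after_acq.append(label)
    identical = {filetime_to_utc(ft).isoformat(): labels
                 for ft, labels in by_ts.items() if len(labels) > 1}
    return {"identical_timestamps": identical, "after_acquisition": after_acq}

# Constructed sample (not from the case): three "search" hits carrying one shared
# timestamp, plus one hit dated after the imaging date.
SAMPLE_TS = datetime(2009, 3, 15, 14, 30, 0, tzinfo=timezone.utc)
ACQUIRED = datetime(2009, 9, 1, 0, 0, 0, tzinfo=timezone.utc)
LOCAL_TZ = timezone(timedelta(hours=-5))  # fixed offset stands in for a real zone
SAMPLE_RECORDS = [
    ("hit-1", utc_to_filetime(SAMPLE_TS)),
    ("hit-2", utc_to_filetime(SAMPLE_TS)),
    ("hit-3", utc_to_filetime(SAMPLE_TS)),
    ("hit-4", utc_to_filetime(ACQUIRED + timedelta(days=3))),
]

def audit_sample():
    return audit(SAMPLE_RECORDS, ACQUIRED)

if __name__ == "__main__":
    print(audit_sample())
    print(render_both(SAMPLE_RECORDS[0][1], LOCAL_TZ))
```

A real run would feed it the records actually carved from the image, together with the documented acquisition date and the system clock offset noted at examination.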