Sheesh! Isn't that what this is about?
No, it is not. It is one thing when you come here looking to solve a case, or a student looking to go above and beyond the curriculum, but these forums are not for you to get people to do your homework for you.
The thing is, these questions are very basic, a simple study of the EnCE study guide can answer them. If your professor is asking these questions, I would wager that the information is in your lecture or course materials. If not, actually sitting at a computer and experimenting. What information comes up when you preview a hard drive, how easy would this be to actually try?
The people here are very nice, and glad to help even students. But when you copy and paste the questions and expect them to do the homework for you, they get pissed. That is very much what these forums are not about.
If is as you say, and I have no reason to doubt you, it is possible to NOT find date/time stamps when using EnCase in preview mode keyword searching for an allegedly stolen item by looking for what web pages a user looked up via the internet, under what circumstances could that happen? What conditions would there have to be for that to happen?
I have seen the documents the examiner had created using a copy and paste method into a blank Word document. They do, indeed, show date and time stamps. This appears to cast doubt on the truth of the examiner's statements.
I guess by saying that there was less information gleaned from the second preview, it would be more accurate to say there wasn't any MORE data found. Further, that the examiner then took away the detective's wrongful assertions, which by then had morphed into wrong assumptions (the difference in my mind is that assertions are presented as FACT while assumptions are merely guesses); means to me that there was, in eect less than what there was before. One would reasonably assume that, given a second, more in depth look, there would be more of something, correct? That there wasn't appears to me to be indicative that there wasn't anything there of evidentiary value any way and that the detective, via the examiner, was merely putting on a show for the benefit of the judge (as there was no jury).
All I guess I am saying is that this detective, at least in part, supported his case or nine moths based upon an impossible assertion. The prosecutor himsel used this false information as one basis ro charge the woman. Only when the detective was told that it was impossible or the girl to have used her computer when he said she did and for the purpose he said she did, did the detective change gears. I wonder what would have happened if he had not been told until the day of trial?
What you are asking isn't tool specific. Get a better grasp of forensics in general and you will be able to understand what you are asking and what the answer is. "Encase Preview Mode" roll
Just a couple of points…
When investigating/examining a Hard disk we would normally create an image and work from that.
It is possible to investigate/examing an image in "preview mode".
We can do anything in preview mode we could do with an image…reports/scripts/exports etc.
"second, even after a second, supposedly more in-depth examination, there was not any more information gleaned. In fact, there was even less than before. How can that be?"
Think about it???
How long between examinations?
Does data get overwritten?
Has there been a deliberate attempt to remove data?
There are a number of circumstances in which the time/date of website accessed may not be recorded. e.g.
1. If the access was made more than 30 days ago there may still be fragments of the pages accessed remaining but the actual internet history records will most likely have been deleted (they are not kept forever) or overwritten.
2. If the suspect was to use the browser in 'Private' mode. This mode exists in most modern browsers and prevents internet access and browsing history from being logged on the computer. (If this case is from 2003 though this situation may not apply)
3. The suspect/user has specifically gone and cleared their internet history records at some point in the past.
As far as the issue of having less information the second time round goes, I would say this relates directly to the problems with relying on dates/times from a computer. The date/time recorded on the computer may seem correct at the time of preview but could have easily been changed or manipulated at any time in the past causing certain records on the computer to prove inaccurate. A forensic examiner would never rely entirely on a computer recorded date/time, there often needs to be corroborating evidence. So in your case it seems the investigator wrongly asserted that these date/times were absolute only to be proven otherwise by the alibi.
No forensic software offers the magical "Find Evidence Button" and the tool is only as good as the person who's using it. EnCase is merely one of many many investigative tools that forensic examiners use in whatever way and following whatever procedure suits them best.