I received some evidence collected by another forensic lab with the following.
JPGs retrieved from unallocated space that had been in the Windows Media Art cache. All timestamps have the same date and time for each file, i.e. created, last accessed, last written for each file.
The "movies" associated with these art files (mpg's) have a date and time that could not have been created by the subject, as they are dates and times 6 months after his computers had been confiscated and were in the possession/control of the original investigation team.
All of these "files" were retrieved from the unallocated space on the subject's hard drives. An image using EnCase was made of each hard drive and the examiner retrieved the information from those images.
This is my thinking. First, the JPGs in the art cache were never opened. They were downloaded to what appears to be a default location and deleted.
The movie files associated with these art files were never opened by the subject hence the different dates and times after confiscation.
The subject has stated that he did in fact download movies via Lime Wire but that if they were something he didn't want he simply deleted them.
What say you?
Anything carved from unallocated space has no reliable timestamp information.
Some files may _contain_ timestamp information, such as OLE files or LNK files, but the metadata for that carved file when it existed 'in the clear' can not be determined.
From what you wrote, both the JPGs and movies came from UA - you won't be able to establish any temporal correlation whatsoever just from these files.
Graphic files carved from unallocated areas are almost impossible to attribute date and time information to; however, since the investigating team have done so, they must have a good reason for doing so, especially if the dates and times given are inconsistent with the seemingly associated movie files. This inconsistency could be explained by an unfaithfully maintained system clock, so your assertion that the files could not have been accessed at the stated time (i.e. after seizure) relies on the accuracy of said clock.
It may be the case that the cached Art files are 'lost' or 'orphaned' files and hence the attributed timestamps and full paths being quoted.
Their existence and provenance as Windows Media Player Art cache thumbnails suggests that they have been created as a result of their originating movie file having been viewed/played using Windows Media Player.
If you are suggesting that the investigating team are responsible for creating the Art cache files as a result of a flawed examination, you should request a copy of the original forensic images in order to perform your own exam & prove your defence.
Please accept that this is just my opinion and that it may be flawed as I do not have all the facts at my disposal.
Most JPEGs do contain the date, but this is the date they were taken based on the camera date. It has no relation to the date they were copied to a disk drive. Camera dates are also not very reliable because, unlike a computer, the date has to be set manually.
If the files were deleted, then they would be in unallocated space, but they could also possibly be found as deleted files - and some directory date data could also be found. If I was given this task, I would check the hash value for recovered JPEGs with known and deleted JPEGs. There may be the odd match.
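The reply above makes two points worth seeing in code: the only date a carved JPEG can still carry is the one embedded in its EXIF segment (set by the camera clock), and recovered files can be tied to known ones by hash. The following is an added example written for this thread, not code from any of the posters. It walks the JPEG segment headers to the APP1/Exif block, reads the DateTime and DateTimeOriginal tags from the TIFF structure inside it, and compares SHA-256 hashes of carved files against a known set. File-system timestamps are deliberately ignored because on a carved file they describe the carving. The JPEG bytes and the known-hash set are constructed in-line.

```python
"""Pull EXIF dates out of carved JPEG bytes and hash-match them against known files."""
import hashlib
import struct

# Tags that carry a date string ("YYYY:MM:DD HH:MM:SS"); 0x0132 lives in IFD0,
# the other two in the Exif sub-IFD reached through the 0x8769 pointer.
DATE_TAGS = {0x0132: "DateTime", 0x9003: "DateTimeOriginal", 0x9004: "DateTimeDigitized"}
EXIF_IFD_POINTER = 0x8769


def build_jpeg_with_exif(date_taken: str, date_modified: str) -> bytes:
    """Constructed minimal JPEG: SOI, one APP1/Exif segment (little-endian TIFF), EOI."""
    taken = date_taken.encode("ascii") + b"\x00"          # 20 bytes incl. NUL
    modified = date_modified.encode("ascii") + b"\x00"
    ifd0_off = 8                                          # right after the TIFF header
    modified_off = ifd0_off + 2 + 2 * 12 + 4              # IFD0: count, 2 entries, next link
    exif_ifd_off = modified_off + len(modified)
    taken_off = exif_ifd_off + 2 + 12 + 4                 # Exif IFD: count, 1 entry, next link
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<H", 2)
    tiff += struct.pack("<HHII", 0x0132, 2, len(modified), modified_off)   # type 2 = ASCII
    tiff += struct.pack("<HHII", EXIF_IFD_POINTER, 4, 1, exif_ifd_off)     # type 4 = LONG
    tiff += struct.pack("<I", 0) + modified
    tiff += struct.pack("<H", 1)
    tiff += struct.pack("<HHII", 0x9003, 2, len(taken), taken_off)
    tiff += struct.pack("<I", 0) + taken
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xFF\xE1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xFF\xD8" + app1 + b"\xFF\xD9"


def _read_ifd(tiff: bytes, offset: int, e: str) -> dict:
    """Return {tag: (type, count, value_or_offset)} for one IFD."""
    count = struct.unpack_from(e + "H", tiff, offset)[0]
    entries = {}
    for i in range(count):
        tag, typ, n, val = struct.unpack_from(e + "HHII", tiff, offset + 2 + i * 12)
        entries[tag] = (typ, n, val)
    return entries


def _ascii(tiff: bytes, typ: int, n: int, val: int, e: str):
    if typ != 2:
        return None
    # Values of 4 bytes or fewer are stored in the entry itself, longer ones at an offset.
    raw = struct.pack(e + "I", val)[:n] if n <= 4 else tiff[val:val + n]
    return raw.rstrip(b"\x00").decode("ascii", "replace")


def _parse_tiff(tiff: bytes) -> dict:
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None:
        return {}
    magic, ifd0 = struct.unpack_from(e + "HI", tiff, 2)
    if magic != 42:
        return {}
    found = {}
    try:
        entries = _read_ifd(tiff, ifd0, e)
        if EXIF_IFD_POINTER in entries:
            entries.update(_read_ifd(tiff, entries[EXIF_IFD_POINTER][2], e))
        for tag, name in DATE_TAGS.items():
            if tag in entries:
                value = _ascii(tiff, *entries[tag], e)
                if value:
                    found[name] = value
    except struct.error:          # truncated carve: report what was recovered so far
        pass
    return found


def exif_datetimes(jpeg: bytes) -> dict:
    """Walk JPEG segments up to SOS and return the date tags found in APP1/Exif."""
    if jpeg[:2] != b"\xFF\xD8":
        return {}
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if 0xD0 <= marker <= 0xD9 or marker == 0x01:      # standalone markers, no length
            pos += 2
            continue
        seg_len = struct.unpack_from(">H", jpeg, pos + 2)[0]
        payload = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _parse_tiff(payload[6:])
        if marker == 0xDA:                                  # start of scan: no more headers
            break
        pos += 2 + seg_len
    return {}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_known(carved: dict, known_sha256: set) -> dict:
    """{name: True/False} for whether each carved file's hash is in the known set."""
    return {name: sha256_hex(data) in known_sha256 for name, data in carved.items()}


if __name__ == "__main__":
    sample = build_jpeg_with_exif("2008:07:14 08:34:17", "2008:07:14 08:35:00")  # constructed
    print(exif_datetimes(sample))
    print(match_known({"carved_001.jpg": sample}, {sha256_hex(sample)}))
```

The dates this returns are whatever the camera or editing software wrote; they say nothing about when the file reached the suspect's drive, which is exactly the caveat in the reply.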
I understand and appreciate all the replies.
The subject has stated in interviews that he did not keep these objectionable files. He admits that he may have downloaded them inadvertently as a batch through Lime Wire and that those he found objectionable he immediately deleted. What sort of puzzles me is that ALL the files they found were in unallocated space, and what corroborates his story is that the created, last written and last accessed times are all the same, i.e. C:\Users\Owner\AppData\Local\Microsoft\MediaPlayer\ArtCache\LocalMLS\{CLSID number}.jpg
File Created 7/14/08 08:34:17 AM
Last Accessed 7/14/08 08:34:17 AM
Last Written 7/14/08 08:34:17 AM
The next file will have either a different date and time or just a different time, but in all cases the date and times are all the same. If I was looking at this in a Windows GUI in real time in allocated space I would say it was created but never looked at again. I'm assuming that he downloaded it, looked at it, found it objectionable and deleted it, hence it being found in unallocated space.
Now what they are saying is that there is a movie file associated with this Art file (I'm assuming the thumbnail associated with a video). The problem I have is this movie has a path that looks like this
(case number)\Single files\(case number) Recovered Movies\(*_* C- Unallocated Clusters- (HEX number) -Start_offset=(Number) - End _Offset=(Number).mpg
All of these files were created on the same date at different times 6 months after the subject computers were confiscated.
If they were associated I would expect the dates and times to be somewhat close to the dates and times of the original Art Cache files. Or at least before the computers were confiscated.
I don't understand what they are trying to show me here. That he had downloaded some objectionable material and deleted it without keeping it? The crux of this case is intent to possess. I'm not seeing it, as all of what I've seen points to the guy deleting it right after downloading and seeing it was not something he wanted.
BTW - There was nothing found within the allocated space and readily indexed or saved to my knowledge. I have informed the attorney to request a copy of the hard drive images so I can look further into this.
Thanks to all for your insight and opinions.
Harry Parsonage has written a rather nice paper on the lnk files here
http//
My hope is that through corroboration with this group and his paper I will get a better understanding of what I am looking at. As stated earlier I have requested the attorney request a copy of the images for these hard drives and hopefully by getting a little deeper into it I will be able to find the truth.
Thanks to all that reply.
snip>
The problem I have is this movie has a path that looks like this
(case number)\Single files\(case number) Recovered Movies\(*_* C- Unallocated Clusters- (HEX number) -Start_offset=(Number) - End _Offset=(Number).mpg
All of these files were created on the same date at different times 6 months after the subject computers were confiscated. If they were associated I would expect the dates and times to be somewhat close to the dates and times of the original Art Cache files. Or at least before the computers were confiscated.
I don't understand what they are trying to show me here. That he had downloaded some objectionable material and deleted it without keeping it? The crux of this case is intent to possess. I'm not seeing it, as all of what I've seen points to the guy deleting it right after downloading and seeing it was not something he wanted.
BTW - There was nothing found within the allocated space and readily indexed or saved to my knowledge. I have informed the attorney to request a copy of the hard drive images so I can look further into this.
Thanks to all for your insight and opinions.
I may have missed something here, but if they carved out the data from unallocated space they have created a new file with new timestamps in the file system for the media they stored the carved data on. The dates and times for files are stored in the $MFT as $Standard_Attributes (for NTFS) and are actually (usually) detached from the file data unless the file is small enough to actually store in the $MFT. As others have said, you may get some EXIF metadata about the carved images if they are from a camera, but the info could be unreliable.
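To make the point above concrete: on NTFS the created/modified/accessed times sit in the $STANDARD_INFORMATION attribute of the file's $MFT record, physically separate from the data clusters, so a file carved from unallocated clusters brings none of them along, while a deleted file's record, if it survives, still does. The following is an added example for this thread, not code from any poster or tool mentioned here. It builds a constructed 1024-byte FILE record, applies the NTFS update-sequence fixups the way the driver does, then parses the record back: undoing the fixups, walking the attribute list, and decoding the four FILETIME values along with the in-use flag that distinguishes a live record from a deleted one. Offsets follow the documented NTFS record and resident-attribute layouts; the timestamps used are constructed sample values.

```python
"""Parse $STANDARD_INFORMATION timestamps out of an NTFS $MFT FILE record."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION = 0x10
ATTR_END = 0xFFFFFFFF
SECTOR = 512
RECORD_SIZE = 1024


def to_filetime(dt: datetime) -> int:
    """datetime -> 100-ns intervals since 1601-01-01 UTC (Windows FILETIME)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def from_filetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def build_mft_record(created, modified, mft_changed, accessed, in_use=True) -> bytes:
    """Constructed FILE record with a single resident $STANDARD_INFORMATION attribute."""
    rec = bytearray(RECORD_SIZE)
    usa_off, usa_cnt = 0x30, 1 + RECORD_SIZE // SECTOR   # USN plus one entry per sector
    attr_off = 0x38                                        # first attribute, 8-byte aligned
    times = (to_filetime(t) for t in (created, modified, mft_changed, accessed))
    content = struct.pack("<QQQQI", *times, 0).ljust(48, b"\x00")   # 4 FILETIMEs + flags
    attr_len = 24 + len(content)                           # resident header is 24 bytes
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, usa_off, usa_cnt)
    # seq no, hard links, first attr offset, record flags (0x01 = in use), used size, alloc size
    struct.pack_into("<HHHHII", rec, 0x10, 1, 1, attr_off, 0x01 if in_use else 0x00,
                     attr_off + attr_len + 4, RECORD_SIZE)
    # attribute header: type, length, non-resident=0, name len, name off, flags, id,
    # content length, content offset
    struct.pack_into("<IIBBHHHIH", rec, attr_off, ATTR_STANDARD_INFORMATION, attr_len,
                     0, 0, 0, 0, 0, len(content), 24)
    rec[attr_off + 24:attr_off + attr_len] = content
    struct.pack_into("<I", rec, attr_off + attr_len, ATTR_END)
    # Apply fixups: the driver stores the last two bytes of every sector in the
    # update sequence array and overwrites them with the USN to detect torn writes.
    usn = b"\x01\x00"
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_cnt):
        end = i * SECTOR
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


def parse_mft_record(raw: bytes) -> dict:
    """Undo fixups, walk the attributes, return timestamps plus record state."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = bytearray(raw)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_cnt):
        end = i * SECTOR
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError("fixup mismatch: torn or partially overwritten record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    out = {"in_use": bool(flags & 0x01), "is_directory": bool(flags & 0x02)}
    while attr_off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, attr_off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident = rec[attr_off + 8]
        if atype == ATTR_STANDARD_INFORMATION and not non_resident:
            clen, coff = struct.unpack_from("<IH", rec, attr_off + 0x10)
            body = rec[attr_off + coff:attr_off + coff + clen]
            names = ("created", "modified", "mft_changed", "accessed")
            for name, ft in zip(names, struct.unpack_from("<QQQQ", body, 0)):
                out[name] = from_filetime(ft)
        attr_off += alen
    return out


if __name__ == "__main__":
    # Constructed sample: a deleted record whose four timestamps are identical.
    ts = datetime(2008, 7, 14, 8, 34, 17, tzinfo=timezone.utc)
    record = build_mft_record(ts, ts, ts, ts, in_use=False)
    for key, value in parse_mft_record(record).items():
        print(f"{key:13} {value}")
```

Note that nothing in the data clusters is touched here: a carver that reads only those clusters cannot see any of these values, which is why a carved copy gets the timestamps of the examiner's output drive instead. A record with in_use False is exactly the "deleted file" case in the earlier reply where directory date data may still be recoverable.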
There is no law preventing data carving trying to recreate dates from the metadata found within the original file. It can be very helpful to use such dates when saving a data carved file, as long as any investigator understands where the date came from. If dates are not implemented this way, then the only information is when the carving was done.
Absolutely spot on, the post seems to be asking why the carved data do not have file dates closer to the dates of the offences. I have had spotty success working with old $MFT records but it looks like they didn't try to get any of the $MFT records or examine them. I think that he didn't get any meta data in the carved out file or doesn't know the offsets from the file header(s) that could be meta data.
I would like to thank one and all for responding to this post.
This answers what I thought. As a 25 year computer veteran doing mostly data recovery and networking I had some suspicions as to why these dates were so far off. I have only been involved in a few true forensic cases because of this data recovery. All of my other cases centered around just having the material on the computer for corporate clients.
This case centers around intent to possess. To this point I have been given dribs and drabs of information. All of it has been carved from unallocated space and none of it really proves that the subject "intended" to keep it or "possess" it. In a couple of other cases it was clear because the subject had used steganography and other means to hide the information in the allocated space of the computer and the attributes were quite clear. None of the evidence to date has come from allocated space on the computers. The second thing is the subject appears to be a complete novice. This was deduced through interviews and the fact that any evidence so far produced has pointed to default locations before it was deleted.
I hope this makes sense. Your thoughts and opinions are greatly appreciated.