Files in unallocated space

(@mike57)
Active Member
Joined: 15 years ago
Posts: 14
Topic starter  

There is no law preventing data carving trying to recreate dates from the metadata found within the original file. It can be very helpful to use such dates when saving a data carved file, as long as any investigator understands where the date came from. If dates are not implemented this way, then the only information is when the carving was done.

Absolutely spot on, the post seems to be asking why the carved data do not have file dates closer to the dates of the offences. I have had spotty success working with old $MFT records but it looks like they didn't try to get any of the $MFT records or examine them. I think that he didn't get any metadata in the carved out file or doesn't know the offsets from the file header(s) that could be metadata.

That is exactly my suspicion. And yes, I agree with there being no law against carving to recreate dates. I was hoping they would have done this already. It would have made my job a little easier (LOL). I have asked the attorney to ask for copies of the imaged hard drives to do my own testing to verify the subject's claims. My job is not to prove innocence or guilt. Only to present the facts. Good or bad for the subject.

Beetle
(@beetle)
Reputable Member
Joined: 17 years ago
Posts: 318
 

One approach you may consider is, when you get the image, to trawl the $MFT for the information related to the erased file(s), such as the suspected name or the volume offset that they were carved from. You may be able to find traces that could point to the last accessed dates and the date the $MFT record for the file was modified (sometimes the last date for a deleted file in this offset is the date it was deleted). The success of this approach is going to depend on how long the computer was storing and deleting files after the suspect files were on the system, due to the shuffling of information in the $MFT and B-tree records by NTFS.

Hope this helps.

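A small parser for the $MFT records Beetle describes, added here as an illustration and not part of anyone's post: it reads the in-use flag (clear for a deleted file), the $FILE_NAME name and the four $STANDARD_INFORMATION timestamps, including the "MFT modified" time he notes is often the deletion time. The 1024-byte record is constructed inline with struct.pack using the standard NTFS FILE record and resident-attribute layouts; update-sequence fixups are deliberately left out and are flagged in the code.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
STANDARD_INFORMATION, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF

def filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)  # 100-ns ticks since 1601 UTC

def parse_mft_record(rec):
    """In-use flag, record number, name and $STANDARD_INFORMATION times of one FILE record.
    Update-sequence fixups are not applied here; a parser run over a real $MFT must do that."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    out = {"in_use": bool(flags & 1), "record_no": struct.unpack_from("<I", rec, 0x2C)[0]}
    off = attr_off
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER:
            break
        if rec[off + 8] == 0:  # resident attribute: content sits inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == STANDARD_INFORMATION:
                created, modified, mft_modified, accessed = struct.unpack_from("<4Q", body)
                out["si"] = {"created": filetime(created), "modified": filetime(modified),
                             "mft_modified": filetime(mft_modified), "accessed": filetime(accessed)}
            elif atype == FILE_NAME:
                out["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")  # name length at 64
        off += alen
    return out

def build_sample_record():
    """Constructed sample: a deleted (flags=0) record for 'movie1.avi', record number 42."""
    t = int((datetime(2008, 6, 1, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()) * 10**7
    si = struct.pack("<4Q", t, t + 60 * 10**7, t + 120 * 10**7, t + 180 * 10**7)
    name = "movie1.avi".encode("utf-16-le")
    fn = struct.pack("<Q4QQQIIBB", 5, t, t, t, t, 0, 0, 0, 0, len(name) // 2, 1) + name
    def attr(atype, body):  # resident attribute: 24-byte header + 8-aligned content
        body += b"\0" * (-len(body) % 8)
        return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 24, 0, 0, len(body), 24, 0, 0) + body
    attrs = attr(STANDARD_INFORMATION, si) + attr(FILE_NAME, fn) + struct.pack("<II", END_MARKER, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 0, 0x38 + len(attrs), 1024, 0, 3, 0, 42)
    rec = hdr + struct.pack("<3H", 1, 0, 0) + b"\0\0" + attrs  # fixup array at 0x30, first attribute at 0x38
    return rec + b"\0" * (1024 - len(rec))

if __name__ == "__main__":
    for key, value in parse_mft_record(build_sample_record()).items():
        print(key, value)
```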
(@mike57)
Active Member
Joined: 15 years ago
Posts: 14
Topic starter  

Thanks Beetle - These were my thoughts also after communicating with another specialist across the pond. This has become a rather twisted/difficult case as the discovery evidence has been somewhat vague and sporadic. Other mitigating circumstances have come to light also during my investigation that may point to a 3rd party. That is why I have asked for copies of the images. Just trying to get a clearer picture of what was really going on. My intent is not to disprove another examiner's report as I believe we have all gotten into this business for good intentions. My intent is only to see that no stone goes unturned, so to speak, in proving or disproving the allegations. Again thank you for your input.

(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
 

What is your training in CF? I know you said you were in computers and data recovery for 25 years.

(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
 

So the data from post 1 in this thread were all taken from JPGs someone else recovered, and you are now asking for a copy of the image of the drive to look for yourself?

I know you stated that everyone has good intentions etc, but aren't you doing your client a disservice by not asking to image the hard drives yourself as opposed to just asking for a copy of the imaged hard drive, unless that data has changed.

You could possibly be dealing with someone who is less knowledgeable in CF than you are and maybe they made mistakes which need to be looked at.

I think that copies of JPGs recovered from unallocated space would probably not be the BE as far as evidence goes.

(@mike57)
Active Member
Joined: 15 years ago
Posts: 14
Topic starter  

You bring up an excellent point forensicakb. Now comes the legal wrangling. Is the State going to turn over chain of custody to an independent lab for analysis? As a matter of discovery I don't know that they can refuse. This will be one for the attorney to work on. I completely agree with you that an independent analysis needs to be done in this case.

As for my own training in CF, there is no real formal "CF" training so to speak. I am a data recovery specialist and network specialist, having been in the field for over 25 years. A couple of years ago I was asked to get my PI license so I could work with others on these types of cases. It has been interesting to say the least, and I have been self-learning some of the technical challenges and looking forward to more formal training in this field and setting up my own lab as an independent forensic analyst.

(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
 

Ok, good luck.

I personally would always ask to image things yourself, unless it's one of the 3 forms of contraband; then there might be objections, but I believe they will not withstand any effort that counsel puts forth.

There are plenty of occasions where you should be looking to find errors in the report, especially if it is based on someone's freedom. Many times people get complacent in report writing, knowing that 99% of their cases will not get reviewed by someone who has the correct knowledge to question them. It sounds like you have a bit of desire to get in there and find something.

Again GL to ya.

(@cndnheat)
Active Member
Joined: 16 years ago
Posts: 5
 

What version of LimeWire are we talking about here? This is very important.

First and foremost, you need FULL DISCLOSURE on the investigation to be able to competently confirm or refute what the prosecution is saying. Before I would even start doing an analysis of this nature, I would review the entire investigation so I knew exactly what was going on, according to the State. So far, it seems like you are getting bits and pieces, and you are giving us bits and pieces of what you are getting…

How many recovered images and how many recovered movies are we talking about here? Are we talking 5 or 10? 1000? 50000?

As for the "batch download from LimeWire" argument - what does that mean? I'd like a demonstration of that. 😯

If you are finding CP images and movies in unallocated, it is possible you will find related LimeWire artifacts in unallocated and that you will be able to recover the actual filenames from those fragments, based on the SHA1 values of the recovered files. You can also recover the modified times in the fileurns.cache fragments, and, in the case of LimeWire 5.X.X, you'll be able to tell if it was shared at some point if you can locate a library5.dat fragment(s).

How did the State become aware this guy had CP in his possession?

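cndnheat's point about matching carved files to LimeWire fragments via SHA1 can be turned into a search: Gnutella names files by urn:sha1:<Base32 of the SHA-1>, so the URN of a carved file is a string to look for in unallocated space, and the printable strings around each hit are candidate file names. The example below is added here and is not from the thread; the carved bytes and the "unallocated" region are constructed, and the fragment layout is a stand-in, not LimeWire's actual fileurns.cache format.

```python
import base64
import hashlib
import re

def sha1_urn(data):
    """Gnutella URN of a file's content: urn:sha1:<Base32(SHA-1)>. The 20-byte digest
    encodes to exactly 32 Base32 characters, so there is never '=' padding."""
    return "urn:sha1:" + base64.b32encode(hashlib.sha1(data).digest()).decode("ascii")

def find_urn_hits(raw, urn, context=96):
    """Every offset where the URN string occurs in raw bytes, with surrounding bytes."""
    needle = urn.encode("ascii")
    hits, start = [], 0
    while (pos := raw.find(needle, start)) != -1:
        hits.append((pos, raw[max(0, pos - context):pos + len(needle) + context]))
        start = pos + 1
    return hits

def printable_strings(chunk, minimum=4):
    """Printable ASCII runs in a chunk: candidate paths/file names near a URN hit."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[ -~]{%d,}" % minimum, chunk)]

def correlate(raw, carved):
    """(urn, [(offset, strings near that hit), ...]) for one carved file."""
    urn = sha1_urn(carved)
    return urn, [(off, printable_strings(ctx)) for off, ctx in find_urn_hits(raw, urn)]

# Constructed sample data: a stand-in for a carved movie, and a fake region of
# unallocated space holding a cache-like fragment (not LimeWire's real on-disk
# layout) that names the file right before its URN, plus a second bare URN.
CARVED = b"\x00\x00\x00\x18ftypisom" + bytes(range(256)) * 8
UNALLOC = (b"\x00" * 4096 + b"\x07" + b"C:\\Users\\user\\Shared\\holiday.avi" + b"\x00\x00"
           + sha1_urn(CARVED).encode() + b"\x00" * 512 + sha1_urn(CARVED).encode() + b"\xff" * 1024)

if __name__ == "__main__":
    urn, hits = correlate(UNALLOC, CARVED)
    print("search key:", urn)
    for off, strings in hits:
        print(hex(off), strings)
```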
(@mike57)
Active Member
Joined: 15 years ago
Posts: 14
Topic starter  

What version of LimeWire are we talking about here? This is very important.

First and foremost, you need FULL DISCLOSURE on the investigation to be able to competently confirm or refute what the prosecution is saying. Before I would even start doing an analysis of this nature, I would review the entire investigation so I knew exactly what was going on, according to the State. So far, it seems like you are getting bits and pieces, and you are giving us bits and pieces of what you are getting…

How many recovered images and how many recovered movies are we talking about here? Are we talking 5 or 10? 1000? 50000?

As for the "batch download from LimeWire" argument - what does that mean? I'd like a demonstration of that. 😯

If you are finding CP images and movies in unallocated, it is possible you will find related LimeWire artifacts in unallocated and that you will be able to recover the actual filenames from those fragments, based on the SHA1 values of the recovered files. You can also recover the modified times in the fileurns.cache fragments, and, in the case of LimeWire 5.X.X, you'll be able to tell if it was shared at some point if you can locate a library5.dat fragment(s).

How did the State become aware this guy had CP in his possession?

I'll answer in order.
LimeWire version 4.1? Computer was confiscated 12/08. Version 5 didn't come out until 3/09.

I do have full disclosure. I am a licensed PI and computer/network specialist. Have been working on this pretty much from the beginning. Another PI got the case but was way over his head so he contacted me. There are also some other mitigating circumstances that I have chosen to leave out as they are not pertinent to this thread but could exonerate the subject. (I always get the twisted ones)

Yes, I'm giving you what I'm getting. Bits and pieces. Nothing in any kind of order. As one poster put it, most of these cases are never looked at by someone with our knowledge from the defense side. In my opinion the prosecution doesn't understand it all either, so that's why I'm only getting what they give to the defense attorney.

From what they have said and the evidence I've seen we are looking at 8 movies, all in unallocated space on 2 different hard drives. The defendant had ownership of these 2 computers for approx. 2.5 years. 1 had been dead and not used for over a year.

I'm no LimeWire expert, but from what I've been able to duplicate you query for certain movies, songs, images, etc. A list will appear. You can pick from the list or download all that show up in the list. The subject would use the latter and inadvertently pick up CP. From tests I've done the items are automatically shared after download unless you tell the program not to. The subject is a complete novice and probably never knew this. He would query, get a list, select download all, then go to work for 8 hours. When he came home or at a later time he would go through the list and delete anything he didn't want. In my opinion this is the reason for so few (8 over a 2.5 year period) and all in the unallocated space.

I did get some LimeWire artifacts today. The information is in paper form and appears to be individual clusters. Looks to be 6 different movies scattered across 49 clusters. I'm in the process of looking the data over tonight. I'll post my findings tomorrow. I hope the DA doesn't think these are individual files.

The State was "cruising" the Gnutella Network looking for perps that had CP files for download. Got the IP addys, subpoenaed the ISP, raided the house. Just that simple.

(@dangermouse)
Active Member
Joined: 17 years ago
Posts: 17
 

Hi Mike,

I think the answer is a lot simpler than what has been put forward so far in relation to the times.

This is what I have read and understand of your question:

Device imaged by another lab.
LEA has recovered the CP from unallocated clusters.
You have then been provided with a copy and the recovered images, which have dates about six months after seizure.

My theory is:

The analyst has recovered the images from the unallocated clusters and these have been placed on a device external to the forensic software being used to carve the data.

When the data is carved the $MFT entries are not carved along with it.

The carved images, when created, have been put into the $MFT or FAT dependent on FS, giving the times and dates that they were created on the analyst system.

When these 'Single Files' are placed back into EnCase or any other forensic software the new $MFT or FAT times, from the analyst hard drives are used.

The times you are seeing are the times that these images were created by the analyst from the other lab, not the original times and dates from the files.

This is what I have read into this problem and please let me know if I have misread your question.

Other than that, as suggested above, carving the library.dat files from LimeWire is a good way to go. A quick Google search should see you right.

Cheers,

DM
