Stuck in a tricky case of forensic examination, the suspect's computer shows transfers of incriminated data via "Google Hello" …
Actually I'm quite proficient with Hello, but now I have to analyze RAW-Recovery chatlogs, filmstrips, etc. and therefore have to reassemble the initial state (somehow, that is).
So now to the question I have:
A filmstrip header contains an XML-ish header.
Especially the filemodtime tag is of interest … which time does it depict, though?
size, width, height, filesize are known to describe the origin.
But filemodtime??
The assumption is that filemodtime should encode the timestamp of the origin in the sender's FS.
Does anyone recall having verified this?
Google Hello is effectively offline since mid-2008, so re-verification is not possible for me.
If, though, the filemodtime actually describes the transfer/storage time on the recipient's computer, it would influence the outcome and development of the current legal case.
Regards
C. Colina
Edit: removed typos
Did you ever get an answer for this? I have the exact same question.
This paper on Harry's site might be of help to shed some light on "Google Hello".
http//