deleting all of my posts..thanks to everyone. God Bless.
TweedyBird,
you entered a forum for digital forensic experts. I can really comprehend your situation and the emotional stress for you and your family. But nobody here can work with the things you write here, nobody! What we need are files and facts, not stories.
Again what evidence do you have? What are you able or allowed to share with others? Even if it is hard for you, keep the emotional things for yourself and give us real pieces of evidence.
deleting all of my posts..thanks to everyone. God Bless.
A few things come to mind here.
One, if I was the expert you hired, I would wonder why in the heck you were on the internet forums asking for help when you HAVE the answers in front of you. Presently, you have all the logs, files, chat, and relevant times for every file on the PC.
If your attorney or expert doesn't know what to do, or if they have told you there is nothing to disprove the police theory, then I am not sure what everyone here can do. Even if you got some really good answers from here, you can't go to your attorney and say "But I got the info from an internet forum."
Second, passing a poly means little to nothing. However, IF I was going to take a poly in a case like you are discussing, I would make damn sure that it was with a polygrapher who both the police detective and the various bar attys agreed on. Additionally, I would make a stipulation that if passed on all questions, then charging information would be dropped.
No way I advise anyone to take a poly unless there is something in it.
What was the reason for taking it, did the police say pass or no pass something would be done?
Thirdly, I've done a lot of these type of cases, and I find that the best combination is a forensic guy and an investigator. For instance, there was a password on the PC, maybe times the password was inputted into the PC he was at work, credit card bills put him at a bar down the street, he was at a movie, anything like that. The files may not jive with the type of history your guy normally looks at. Installing or lack of there being wiping, elimination, or clearing software on the computer is also important.
Fourthly, I would definitely not discount a threat in a chat room. Has your attorney tried to ascertain the identity of that person through the security division of the chat company? Was a report immediately filed with the police when this report came through? If no to both of these, then I feel bad for you.
That's all for now.
I'm in Jacksonville, FL
deleting all of my posts..thanks to everyone. God Bless.
The log files may not show enough to help you. It's hard to say without spending some hours looking at them and reading the prosecution's expert's report. But, I think the odds that someone was remotely connected to that computer and controlling it to carry out these crimes is vanishingly small.
I'll say again I think the malware angle is a dead end. I looked at your links. The encyclopedia is one I've never heard of and the reference to malware storing child pornography does not cite any references. I'm not a malware expert, but over the last twenty years I've read technical reports on various malware, read hundreds of news articles on malware, attended a malware conference, read malware source code, read books on malware, wrote an article on identifying malware, worked in forensics and security, and I've never heard of any malware that was actually associated with downloading child pornography.
The case you cited where charges were dropped is almost a decade old and is pretty sketchy. The malware in that case (CoolWebSearch) has never been associated with child pornography. I don't want to trash another expert without seeing her work, but I have serious doubts about the defense expert's analysis in that case; in particular, I've not read that she did any reverse engineering to reach her conclusions; without that, her "conclusions" are just unsupported assertions. The same expert has supported the same malware defense in other cases but I've not read of a case with any other expert reaching the same conclusion in any case involving child abuse images.
Also while you may be paying the bills, the attorney is your nephew's lawyer.
If you have the CP files creation dates and times, I would look and see if any of them are before the threat in the chat room was made.
For example, if the threat was made on September 1, 2014, at 4:03 PM but there are creation dates for the CP on August 1, 2013, at 3:03 AM, October 29, 2012, at 2:11 PM, etc. then the threat, although made, was after the CP was on the computer. Also, look at the dates for the search terms. If they were before the date of the threat, then you have your answer.
Let's not forget if we're talking about a possible takeover of a pc, then it's not a stretch to say that settings, times, and even more files could be hidden.
[quote="kastajamah"]If you have the CP files creation dates and times, I would look and see if any of them are before the threat in the chat room was made.
For example, if the threat was made on September 1, 2014, at 4:03 PM but there are creation dates for the CP on August 1, 2013, at 3:03 AM, October 29, 2012, at 2:11 PM, etc. then the threat, although made, was after the CP was on the computer. Also, look at the dates for the search terms. If they were before the date of the threat, then you have your answer.[/quote]
Nephew is NOT computer savvy there would not be any wiping software or anything like that.
Any wiping software leaves traces in the typical locations: MRU, Prefetch, AppCompatCache… easy to find. Windows does not have a file called "eraser.exe" for example. Comparing the existing files with the ones from the Shadow copy and the MFT could be a way to the truth.
Is there a setting that indicates HIS LAPTOP WAS CLOSED when this stuff printed?
Yes, perhaps. Look for the energy report etl file. It contains energy consumption details.
And for the 3rd time, which files are you able to share? Are you able to provide the forensic image of the nephew's device for download?
best regards,
Robin
Let's not forget if we're talking about a possible takeover of a pc, then it's not a stretch to say that settings, times, and even more files could be hidden.
Valid point @amresl. Being that there had been no mention of timestomping by the original poster, I did not think to preface my words. With everything else she/he has posted, I figured if there was timestomping involved, she/he would have mentioned it by now.
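An added example, not part of any poster's message: the timeline comparison suggested above (creation times against a reference event) combined with two common timestomping indicators taken from the MFT, namely a $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time and a creation time with all-zero sub-second digits. The CSV column names and sample rows are constructed for illustration and do not match any particular tool's export; the flags are leads for manual review, since copies and moves can also produce them.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows: $SI and $FN creation times per file (UTC assumed).
SAMPLE = """path,si_created,fn_created
Users/x/Pictures/a.jpg,2013-08-01T03:03:00.4821173,2013-08-01T03:03:00.4821173
Users/x/Pictures/b.jpg,2012-10-29T14:11:00.0000000,2014-09-03T21:40:12.9930021
Users/x/Pictures/c.jpg,2014-09-05T10:15:42.1187301,2014-09-05T10:15:42.1187301
"""

# Reference event: the example date and time used in the thread.
REFERENCE_EVENT = datetime(2014, 9, 1, 16, 3)


def parse_ts(text):
    """Return (datetime, fraction_digits) for 'YYYY-MM-DDTHH:MM:SS.fffffff'."""
    whole, _, frac = text.partition(".")
    dt = datetime.strptime(whole, "%Y-%m-%dT%H:%M:%S")
    micro = int((frac + "000000")[:6])  # NTFS keeps 7 digits; keep 6 for comparison
    return dt.replace(microsecond=micro), frac


def review(csv_text, reference):
    """Place each file before/after the reference event and flag suspect timestamps."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        si, si_frac = parse_ts(row["si_created"])
        fn, _ = parse_ts(row["fn_created"])
        flags = []
        if si < fn:
            # $SI is writable through ordinary APIs; $FN normally is not.
            flags.append("si_before_fn")
        if si_frac and set(si_frac) == {"0"}:
            # Whole-second values are unusual for files created by normal activity.
            flags.append("zero_subsecond")
        findings.append({
            "path": row["path"],
            "si_side": "before" if si < reference else "after",
            "fn_side": "before" if fn < reference else "after",
            "flags": flags,
        })
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE, REFERENCE_EVENT):
        print(finding)
```

A file whose $SI time falls before the event while its $FN time falls after it, as in the second constructed row, is the case where the displayed creation date alone should not be relied on.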