I am a research journalist working on a crime story that involves solving the mystery of conflicting time stamps for a crucial google search made on a home computer.
The prosecutor in a murder case claims the time stamp for a computer search for ways to commit murder was done 400 PM. The defense expert claims the search was made at 300 PM. The reason the time is critical, is this the defendant was not at home at 300 PM, but another {not charged suspect was at home then}.
I have the xls files decoded from the hard drive for the date and time in question. I have cell phone tower ping records, etc. as well.
How can I definitively prove which time a google search was made on this computer?
Sounds like a timezone issue. You would need to look at computer settings. The .xls output will not do you much good without knowing more.
The prosecutor in a murder case claims the time stamp for a computer search for ways to commit murder was done 400 PM. The defense expert claims the search was made at 300 PM. The reason the time is critical, is this the defendant was not at home at 300 PM, but another {not charged suspect was at home then}.
That's queer, I mean an expert should not only "claim" something but provide the explanation of the "claim", i.e. how from the "RAW" data he/she came to the statement.
I have the xls files decoded from the hard drive for the date and time in question. I have cell phone tower ping records, etc. as well.
How can I definitively prove which time a google search was made on this computer?
There are several factors that may influence a 1 hour time difference, knowing which OS was running, how exactly date/time was set on it, the date(s) where this happened etc. are all things that may (or may not) be related to the 1 hour shift.
Just as an example, daylight savings time has been traditionally a source of issues on most NT based systems
http//
Additionally different tools may parse these data differently.
Still as an example, not necessarily applying ot your case, see
http//articles.forensicfocus.com/2013/04/06/interpretation-of-ntfs-timestamps/
jaclaz
Is this a student question??
One area to investigate would be how accurate are the times? You indicate a difference of 60 mins - is there are issue with DST / summer time etc. There can be a danger of comparing apples with pears.
Thanks for your response.
The Browser was Firefox. The prosecutor's "computer crimes" dept. made many errors all throughout their investigation of the computer hard drive.
For instance, they initially only search for IE files. They used software that misrepresented the number of searches made on a specific date.
They claimed the computer's timestamp was in sync with DST.
Here is the deal.
I need to confirm from the xls decoded hard drive records, plus other information, whether the time stamp from the decoded files is in sync with the DST times on the day the search was made.
For instance, is the time stamp something that can be changed based on software input of the investigator? Or is it hardwired so-to-speak in the data? Two forensic experts examined the data and came up with one hour apart time stamps for the data in the hard drive.
Is this a mystery that can be solved? Specifically, can we determine when activity on a computer actually occurred, when two independent experts have one hour conflicting conclusions in their answers to that question? I wonder how I can go about answering that question?
They claimed the computer's timestamp was in sync with DST.
It may well have been.
You need to be very careful when saying the prosecution made mistakes. There is a difference between the settings of the computers clock an dthe way in which a date and time is stored for a particular application.
Some of the variables, off the top of my head
The computer was set to GMT/UTC and the computer locale was set to (say ) PST
or
The computer was set to local time
- either would work fine from a users point of view, but the setting would effetc a forensic investigation.
You then need to look at the application(s) of interest.
Do they store the time as local time
or
as GMT/UTC
Was the system clock synched to a time server?
Lots of variables and you probably wont be able to come up with the correct answer from a spreadsheet.
For instance, is the time stamp something that can be changed based on software input of the investigator? Or is it hardwired so-to-speak in the data?
Is this a mystery that can be solved? Specifically, can we determine when activity on a computer actually occurred, when two independent experts have one hour conflicting conclusions in their answers to that question? I wonder how I can go about answering that question?
I do understand how a journalist's activity is mainly that of asking questions, but unless you read the given resources AND answer the questions made/provide the data, it is unlikely you will have an accurate enough answer.
Please READ the earlier given links then ask if you have doubts on their contents, you need more detailed explanations, etc.
If you want a couple "vague" answers, they are
- Yes, it is possible, for a number of reasons that the Operating System writes a timestamp "off one hour from actual time".
- Yes, it is possible that two different tools, expecially if used by two different people, may translate the SAME timestamp to human readable values differing one hour between them.
- Once said how BOTH the above are possible, the data AND the two "opposed" reports/claims need to be examined IN DETAIL to understand if #1 or #2 (or another issue not mentioned) may have happened.
[/listo]
jaclaz
I need to confirm from the xls decoded hard drive records, plus other information, whether the time stamp from the decoded files is in sync with the DST times on the day the search was made.
Without the .xls file and the original evidence (or at least a forensic evidence file thereof) and a forensic examination, nothing we say on here can confirm or refute the findings of the prosecutor's computer crimes unit. It would be unfair, and unethical, for us to speculate with so little information (how was the .xls generated, what were the original timestamps, what version of Windows, what browser was used, what websites were visited, etc), or for you to take what we say and use it towards drawing a conclusion.
Without the .xls file and the original evidence (or at least a forensic evidence file thereof) and a forensic examination, nothing we say on here can confirm or refute the findings of the prosecutor's computer crimes unit. It would be unfair, and unethical, for us to speculate with so little information (how was the .xls generated, what were the original timestamps, what version of Windows, what browser was used, what websites were visited, etc), or for you to take what we say and use it towards drawing a conclusion.
However, in context of that disclaimer, you may wish to consider that file MACE times in NTFS are stored natively in UTC, and when dumped into an XLS, they may or may not have been adjusted to local time correctly. (For example, they may all have been adjusted to UTC-5.) This might be an avenue for further investigation.
I'm not sure if anyone has pointed out that as well as the normal timezone issues its possible that the clock could be wrong.
Frankly if you want a definitive answer to your question you're going to need to hire an expert.