
Time Stamp Mystery

PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

I'm not sure if anyone has pointed out that, as well as the normal timezone issues, it's possible that the clock could be wrong.

That implication was here

Was the system clock synched to a time server?


   
writerkeith
(@writerkeith)
Eminent Member
Joined: 12 years ago
Posts: 21
Topic starter  

Thanks very much guys.

Remember, I am not looking for dispositive conclusions to resolve the disputed time that a specific google search occurred.

Rather, I am looking for scientific methods to follow so that I can discover if unscientific, sloppy, or other types of investigative techniques may have been used by one or the other of the original forensic investigators.

From the perspective of an investigative journalist, I feel (at least intuitively) that both forensic investigators could not be right, since they have one-hour varying time stamp data for the time this Google search occurred.

I am very hopeful of using scientific methods to identify the error that was made.

This type of forensic self examination is important for maintaining the standards of forensic computer evaluations.

I very much appreciate the help I am receiving in this review.

Thanks,

Keith


   
Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
 

Sounds like you have already made up your mind that the prosecutor's forensic experts were the ones that made a mistake (if indeed one has been made). Based on the tone of all your messages it's quite clear that if you haven't been hired by the defense to muddy the waters more, then you have already made up your own mind where the error lies and are now trying to find evidence to support your own theory.

Good luck with that.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Rather, I am looking for scientific methods to follow so that I can discover if unscientific, sloppy, or other types of investigative techniques may have been used by one or the other of the original forensic investigators.

Sure, but you are entering a Catch-22 loop: in order to be able to use scientific methods, you need to be a scientist (or become one). This is something that anyone can do, as long as he/she is willing to study the matter (and no, it's not something you can learn by asking a couple of questions on a forum, much less without the data to be examined).
The alternative is to get an opinion by a scientist.
In both cases, you need to have a copy of the RAW image.

From the perspective of an investigative journalist, I feel (at least intuitively) that both forensic investigators could not be right, since they have one-hour varying time stamp data for the time this Google search occurred.

I am very hopeful of using scientific methods to identify the error that was made.

Sure, one of the two must be "wrong", same data should lead to same conclusions, or at least it should be possible to identify the reason why opinions diverged.

This type of forensic self examination is important for maintaining the standards of forensic computer evaluations.

I beg your pardon? 😯

jaclaz


   
PaulSanderson
(@paulsanderson)
Honorable Member
Joined: 19 years ago
Posts: 651
 

Anyone else getting PM's asking the same question?


   
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

Anyone else getting PM's asking the same question?

Yes


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

How can I definitively prove which time a Google search was made on this computer?

Without clarification, I'm going to assume that the "xls files decoded from the hard drive" refer to some sort of tool output; in this case, the issue seems to be with the interpretation of a time stamp for a web/Google search.

Given the totality of the data, analysis can demonstrate when the search was made, with respect to what time the computer "thought" it was. You could also determine if the system had sync'd to a time server, as well.

What you're looking at here is two "experts" who have different interpretations of some piece of data. Both appear to have been accepted by the court as 'experts', and both appear (with no additional information) to have access to the same data, and both have different interpretations of one specific piece of data.

Further, we have no information regarding the methodology employed by either expert. What data did they see, how did they arrive at the data, how did they interpret it, etc.?

With respect to "definitively", we also have no information from the BIOS of the computer system on which the operating system (again, no information with respect to that, either) was found to reside.


   
MDCR
(@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376
 

Questions

- Have you checked log files to see if the system time has been altered? If logging is not configured properly, can you see any other logs with out-of-order timestamps?

- Have you validated that the battery on the system board is still in a working condition?

- The program parsing the timestamp: has it been *validated* to extract the right time from the timezone during DST/normal time? If I remember correctly, if you use GetSystemTime(), it returns UTC, and unless you read the TZ data AND the daylight saving time, you end up with a flawed time.

- Have you contacted the search engine provider to ask about the searches? They could provide an independent time source.

(But this whole technical/scientific discussion is pointless if one - or both are lying and no one can validate their claims. The end result could just as well prove that neither were there - or that both are guilty).


   
writerkeith
(@writerkeith)
Eminent Member
Joined: 12 years ago
Posts: 21
Topic starter  

How can I definitively prove which time a Google search was made on this computer?

Without clarification, I'm going to assume that the "xls files decoded from the hard drive" refer to some sort of tool output; in this case, the issue seems to be with the interpretation of a time stamp for a web/Google search.

Given the totality of the data, analysis can demonstrate when the search was made, with respect to what time the computer "thought" it was. You could also determine if the system had sync'd to a time server, as well.

What you're looking at here is two "experts" who have different interpretations of some piece of data. Both appear to have been accepted by the court as 'experts', and both appear (with no additional information) to have access to the same data, and both have different interpretations of one specific piece of data.

Further, we have no information regarding the methodology employed by either expert. What data did they see, how did they arrive at the data, how did they interpret it, etc.?

With respect to "definitively", we also have no information from the BIOS of the computer system on which the operating system (again, no information with respect to that, either) was found to reside.

**

The Google search was made with a Firefox browser. I decoded the Firefox history file into xls files using a Perl script written by a one-time employee of Netscape (precursor to Firefox). The time stamp for the Google search was noon, which is 1 hour later than the time the other forensic expert said the search was done.

I believe I have a bit of a problem not usually encountered in forensic examinations. The computer hardware and hard drive are in the possession of the State's Attorney's computer crimes dept. So I am thinking I can ask them for BIOS settings and registry information, but how likely am I to get them to give those to me?

The other examiner used NetAnalysis v1.52. This examiner had access to the original hard drive, and his time stamp for the Google search is 11 AM. But the computer hardware remains with the State's Attorney.

I am going to make a FOIA (Freedom of Information Act) request to the State's Attorney and ask for BIOS settings from the computer they have, and the computer's registry information.

I have more information to follow.

Keith

I have UTC and local time in the xls decoded data. I believe I can find out if those times were synced to the server.

The developer of the software CacheBack did a report and concluded the time for the Google search was noon.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

The Google search was made with a Firefox browser. I decoded the Firefox history file into xls files using a Perl script written by a one-time employee of Netscape (precursor to Firefox). The time stamp for the Google search was noon, which is 1 hour later than the time the other forensic expert said the search was done.

Okay, so then you know/can see exactly what the script is doing, and how it's extracting and translating the time value. As such, you can then compare that to what Mozilla says is the way to go about translating the time value, and ensure that it is correct.


   
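The timestamp-translation check that MDCR (DST vs. standard bias) and keydet89 (compare the script against what Mozilla stores) describe above, written out as an added example. This is not part of the thread and is not the Perl script, NetAnalysis or CacheBack output discussed in it. It builds an in-memory stand-in for Firefox's places.sqlite with two constructed visit rows, converts the stored PRTime value (microseconds since the Unix epoch, UTC) to local time two ways, and shows that a converter which applies only the zone's standard bias lands exactly one hour earlier than a DST-aware one for a summer visit and agrees with it for a winter visit. The zone America/Chicago, its 360-minute standard bias, the URLs and the two visit dates are assumptions chosen for the demonstration, not facts from the case.

```python
"""Decode Firefox history timestamps two ways and show where a one-hour gap
comes from. Added example for this thread; the rows below are constructed, not
data from the case, and the time zone (America/Chicago) is an assumption."""
import sqlite3
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Firefox 3+ keeps history in places.sqlite. moz_historyvisits.visit_date is
# PRTime: microseconds since 1970-01-01 00:00:00 UTC, with no zone information.
# Constructed rows: 1295110800000000 = 2011-01-15 17:00:00 UTC (winter),
#                   1309539600000000 = 2011-07-01 17:00:00 UTC (summer).
SAMPLE_ROWS = [
    ("https://www.google.com/search?q=winter+query", 1295110800000000),
    ("https://www.google.com/search?q=summer+query", 1309539600000000),
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for places.sqlite with the two tables history tools join."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);"
        "CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,"
        " place_id INTEGER, visit_date INTEGER);"
    )
    for place_id, (url, visit_date) in enumerate(SAMPLE_ROWS, start=1):
        conn.execute("INSERT INTO moz_places VALUES (?, ?)", (place_id, url))
        conn.execute("INSERT INTO moz_historyvisits VALUES (?, ?, ?)",
                     (place_id, place_id, visit_date))
    conn.commit()
    return conn


def prtime_to_utc(prtime_us: int) -> datetime:
    """PRTime -> aware UTC datetime. Nothing about local time is decided here."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=prtime_us)


def local_fixed_bias(utc_dt: datetime, bias_minutes: int) -> datetime:
    """The flawed path MDCR describes: apply only the zone's standard bias
    (like TIME_ZONE_INFORMATION.Bias on Windows, minutes added to local time
    to reach UTC) and ignore whether daylight saving was in effect."""
    return utc_dt.astimezone(timezone(timedelta(minutes=-bias_minutes)))


def local_dst_aware(utc_dt: datetime, zone_name: str) -> datetime:
    """Correct path: let the zone's rules pick standard or daylight offset
    for that particular instant."""
    return utc_dt.astimezone(ZoneInfo(zone_name))


def decode_history(conn: sqlite3.Connection, zone_name: str, bias_minutes: int) -> list:
    """Return one record per visit: the UTC instant plus both local renderings."""
    rows = conn.execute(
        "SELECT p.url, v.visit_date FROM moz_historyvisits v "
        "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date"
    ).fetchall()
    records = []
    for url, visit_date in rows:
        utc = prtime_to_utc(visit_date)
        fixed = local_fixed_bias(utc, bias_minutes)
        aware = local_dst_aware(utc, zone_name)
        # Both renderings are the same instant; the wall-clock text differs
        # only when DST was in effect and the converter ignored it.
        shift = (aware.utcoffset() - fixed.utcoffset()).total_seconds() / 3600
        records.append({
            "url": url,
            "utc": utc.isoformat(),
            "local_fixed_bias": fixed.isoformat(),
            "local_dst_aware": aware.isoformat(),
            "dst_shift_hours": int(shift),
        })
    return records


if __name__ == "__main__":
    # America/Chicago with a standard bias of 360 minutes (UTC-6) is assumed.
    for rec in decode_history(build_sample_db(), "America/Chicago", 360):
        print(rec)
```

The practical check this gives a reviewer: take the raw visit_date integer from the database, convert it to UTC yourself, and only then ask which zone and which DST rule each tool applied. If two reports disagree by exactly one hour on a date inside the DST period and agree on dates outside it, the disagreement is in the local-time rendering, not in the stored evidence.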