Ok thanks.
I will publish here each step I take and together we can get to the final goal line.
Keith
The Google search was made with a Firefox browser. I decoded the Firefox history file into xls files using a Perl script written by a one-time employee of Netscape (precursor to Firefox). The time stamp for the Google search was noon, which is 1 hour later than the time the other forensic expert said the search was done.
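Worked example (added here as an illustration, not Keith's Perl script and not any tool from the thread): Firefox keeps history in an SQLite file, with each visit stored as microseconds since the Unix epoch in UTC. Whether that visit renders as "noon" or "11 AM" is entirely a matter of which UTC offset the examiner (or the tool) applies. The database, URL and timestamp below are constructed; the two offsets are assumptions standing in for two different local-time choices.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Firefox stores moz_historyvisits.visit_date as microseconds since the Unix
# epoch, in UTC. The stored value never changes; only its rendering does.


def build_sample_db():
    """Constructed in-memory stand-in for places.sqlite (minimal schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
    """)
    # Constructed sample visit: 2009-06-15 16:00:00 UTC as microseconds.
    ts = int(datetime(2009, 6, 15, 16, 0, 0, tzinfo=timezone.utc)
             .timestamp() * 1_000_000)
    con.execute("INSERT INTO moz_places VALUES (1, ?)",
                ("http://www.google.com/search?q=example+query&hl=en",))
    con.execute("INSERT INTO moz_historyvisits VALUES (1, 1, ?)", (ts,))
    return con


def prtime_to_utc(microseconds):
    """Convert a Firefox visit_date value to a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc)


def search_terms(url):
    """Pull the 'q' parameter (the typed query) out of a Google search URL."""
    return parse_qs(urlparse(url).query).get("q", [None])[0]


def google_searches(con):
    """Return (query, utc_datetime) for every recorded Google search visit."""
    rows = con.execute("""
        SELECT p.url, v.visit_date
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        WHERE p.url LIKE '%google.%/search?%'
    """)
    return [(search_terms(url), prtime_to_utc(when)) for url, when in rows]


def local_clock(utc_dt, offset_hours):
    """Render the same instant under an assumed fixed UTC offset.

    A real examination would use the machine's own zone setting, including
    whether daylight saving was in force on that date; a fixed offset is
    used here only to show how the displayed hour moves with the assumption.
    """
    return utc_dt.astimezone(timezone(timedelta(hours=offset_hours)))


if __name__ == "__main__":
    for query, when in google_searches(build_sample_db()):
        print(query, when.isoformat())
        for off in (-4, -5):  # assumed offsets: one hour apart
            print(f"  UTC{off:+d}:", local_clock(when, off).strftime("%H:%M"))
```

The point of the two renderings is the one the thread is circling: the same stored microsecond value displays as 12:00 under one offset and 11:00 under the other, so an hour's disagreement between two examiners is more likely a zone or daylight-saving assumption than a different fact.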
Are you a journalist or a forensic analyst?
The time stamp for the google search was Noon
And how do you know that? It sounds like you are just relying on your tool, as the other expert may be.
Tools help you get to the answer quickly, but if you don't know what you are doing, or if you don't double check them, they can lead you to the wrong answer quickly.
The thing is, you can't just copy out a file, run a tool, and call yourself a digital examiner. A computer is a marvelously complex creature, and the number of components that go into that file may be numerous. As others have mentioned, whether your output is right or wrong can depend on the BIOS clock, the time zone setting, and whether or not the user manually changed the clock; all of these can be factors. For you to pronounce your results "right" without looking at the WHOLE of the case is an all too common mistake with tool monkeys.
Don't get me wrong, tool monkeys are fun. They get humiliated and embarrassed quite often.
writerKeith, currently reading the good responses you have received, you may start to feel like you're surrounded, as General Custer did at Little Bighorn.
You may have already done this, but in case you haven't, during your research have you considered the tool of choice used by the character experts in your story line, by reference to available online manuals, e.g.
http://www.x-ways.net/winhex/manual.pdf
The manual can be downloaded, too, and maybe look at e.g. Section 2.5 Data Sets to see if that gives some background help for you.
A computer is a marvelously complex creature, and the number of components that go into that file may be numerous.
I would add that a single "point in time" given by the result of analyzing a browser cache (or whatever) can normally be verified/made plausible or nullified by a number of other artifacts.
Examples (not necessarily applying to your case)
- in order to make a search in Firefox, the PC has to be on and Firefox must be running
- if there is any trace of the program starting before 11 AM and closing (or crashing) before noon, this would likely confirm that not only *that* search, but *any* search has been carried out before the time the "other party" stated.
- if there is any trace (as an example an automatic update of the OS or of any third-party tools) around 11 AM, it would mean that the PC was on (and online) around that time; any external device that was connected to it may provide another point in time, etc.
- even some "background" tasks (a screensaver starting, a background scheduled task, etc) may provide further data
In other words the single event (the search in the browser) must fit in a more general timeline of the whole system (and IMHO without such a "whole" timeline there is the concrete possibility that a single event comes out - for whatever reason - shifted in time).
jaclaz
I am not sure if anyone has mentioned that the accuracy of the BIOS clock now/when it was seized does not necessarily mean that the clock was right at the time of the search. Even if the computer was synched to a time server, the user could manually adjust the clock and either change it back or it would be changed back at the next synch.
Determining whether the clock has been adjusted can be a bit of a fishing expedition, i.e. you don't know without examining the image what logs will show evidence of tampering, i.e. which logs are present.
All in all this may not be an investigation where you can ask for a copy of the registry and the firefox logs (not a forensic image of the firefox browser as you asked privately).
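Worked example (added here to illustrate jaclaz's "the single event must fit a whole-system timeline" point and the clock-adjustment caveat above; this is not code from anyone in the thread). All artifacts below are constructed and already normalised to UTC. Each record carries its own sequence number (as an event log record ID would), which keeps increasing even when the clock does not, so a later record with an earlier timestamp is a sign the clock was moved. The event names and the one-hour corroboration window are assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def t(s):
    """Parse a constructed 'YYYY-MM-DD HH:MM' string as a UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=UTC)


# Constructed sample timeline: (seq, when, source, event).
# seq is the artifact's own record number; it is the honest ordering even
# when the wall clock is not. Records 5 and 6 carry times earlier than
# record 4, which is what a clock rolled back after the fact looks like.
ARTIFACTS = [
    (1, t("2009-06-15 15:02"), "eventlog", "system boot"),
    (2, t("2009-06-15 15:10"), "eventlog", "firefox start"),
    (3, t("2009-06-15 15:20"), "eventlog", "os update installed"),
    (4, t("2009-06-15 16:30"), "eventlog", "firefox exit"),
    (5, t("2009-06-15 14:45"), "eventlog", "screensaver start"),
    (6, t("2009-06-15 14:50"), "eventlog", "system shutdown"),
]


def session_windows(artifacts, start_event, end_event):
    """Pair start/end events (in record order) into (start, end) windows.

    A window still open at the end of the evidence is returned with end=None.
    """
    windows, open_at = [], None
    for _, when, _, event in sorted(artifacts, key=lambda a: a[0]):
        if event == start_event and open_at is None:
            open_at = when
        elif event == end_event and open_at is not None:
            windows.append((open_at, when))
            open_at = None
    if open_at is not None:
        windows.append((open_at, None))
    return windows


def fits_in_window(ts, windows):
    """True if ts lies inside at least one window (the program was running)."""
    return any(start <= ts and (end is None or ts <= end)
               for start, end in windows)


def clock_rollbacks(artifacts, source):
    """Records from one source whose time runs backwards against record order."""
    recs = sorted((a for a in artifacts if a[2] == source), key=lambda a: a[0])
    return [(cur[0], prev[1], cur[1])
            for prev, cur in zip(recs, recs[1:]) if cur[1] < prev[1]]


def corroborating(ts, artifacts, tolerance=timedelta(hours=1)):
    """Independent artifacts close enough in time to support (or dispute) ts."""
    return [a for a in artifacts if abs(a[1] - ts) <= tolerance]


if __name__ == "__main__":
    windows = session_windows(ARTIFACTS, "firefox start", "firefox exit")
    for candidate in ("2009-06-15 16:00", "2009-06-15 17:00"):
        ts = t(candidate)
        print(candidate, "fits browser session:", fits_in_window(ts, windows),
              "| corroborating artifacts:", len(corroborating(ts, ARTIFACTS)))
    print("clock rollbacks:", clock_rollbacks(ARTIFACTS, "eventlog"))
```

Read the output the way jaclaz suggests: a search time that falls inside a browser session and has several independent artifacts within an hour is plausible; the same search shifted by one hour falls outside the session and loses that support. The rollback check is the cheap first pass on the "was the clock adjusted" question; a hit means the timeline itself needs to be rebuilt before any single timestamp is trusted.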
I am definitely a research journalist trying to swim in a sea of forensic analysis.
It is pretty much anybody's guess if I sink or swim.
But I know there are a lot of boats trying to help me.
Great advice, thanks. BTW, I agree. I am wanting to be a scientist, and I suddenly realize a scientist needs to do a lot of studying {and research}.
Keith
writerKeith, currently reading the good responses you have received, you may start to feel like you're surrounded, as General Custer did at Little Bighorn.
You may have already done this, but in case you haven't, during your research have you considered the tool of choice used by the character experts in your story line, by reference to available online manuals, e.g.
http://www.x-ways.net/winhex/manual.pdf
The manual can be downloaded, too, and maybe look at e.g. Section 2.5 Data Sets to see if that gives some background help for you.
You are right about being overwhelmed. I saved the manual. It looks like an excellent resource, and seems to be international in its references. Thanks.
Keith
This analysis is the "big picture" analysis I am comfortable with. It allows me to look at simple, common elements and deduce the possible solution for the primary question: was there a shift in time for the Google search?
Now I need to determine if I can look at these single elements {auto update of OS, a scheduled background test} from the Perl script, or whether I need to run a new program.
Keith