I am not sure if anyone has mentioned that the accuracy of the BIOS clock now/when it was seized does not necessarily mean that the clock was right at the time of the search. Even if the computer was synched to a time server the user could manually adjust the clock and either change it back or it would be changed back at the next synch.
Determining whether the clock has been adjusted can be a bit of a fishing expedition, i.e. you don't know without examining the image which logs will show evidence of tampering, i.e. which logs are present.
All in all this may not be an investigation where you can ask for a copy of the registry and the firefox logs (not a forensic image of the firefox browser as you asked privately).
Thanks Paul,
I will ask the state's attorney's computer crimes officer if they can provide a forensic image for a specific date. They have advised me they will charge $20,000 to provide a "scrubbed" forensic image of the complete hard drive. They estimated their man hours in months. So having the computer hardware in the custody of law enforcement is definitely an obstacle to this investigation. But, I have been provided .dat files and history on a CD. So they will work with me on this.
Keith
This is from the computer crimes dept examiner case report. The case report lists the time zone information.
I don't see anything that will help resolve the conflicting reports for the google search. Probably not here. But, it is what it is.
Keith
OS Info
Product Name Microsoft Windows XP
Current Version 5.1
Registered Owner bobby
Registered Organization
System Root C\WINDOWS
Current Build Number 2600
Path Name C\WINDOWS
Product ID 76487-OEM-0011903-00803
Last Service Pack Service Pack 2
Product Key
VersionNumber
Source Path C\I386
Install Date 11/13/06 062151PM
Last Shutdown Time 07/14/08 102025AM
TimeZone Info
Current control set is 001
Default control set is 001
Failed control set is 000
LastKnownGood control set is 002
Standard time bias is -500 hours offset from GMT.
StandardName Eastern Standard Time
Standard time is set to change the Standard bias by 0 minutes.
Standard time is set to change on Sunday of the 1st week of November, at 0200 hours.
DaylightName Eastern Daylight Time
Daylight savings is set to change the Standard bias by 60 minutes.
Daylight savings time is set to change on Sunday of the 2nd week of March, at 0200 hours.
Active time bias is -400 hours offset from GMT.
The current time setting is -400 hours offset from GMT.
The offset must be either added or subtracted from GMT depending on the time zone location
I decoded the Firefox history file into xls files using a Perl script written by a one-time employee of Netscape (pre-cursor to Firefox). The time stamp for the google search was Noon, which is 1 hour later than the time the other forensic expert said the search was done.
Provide some more data and a link to the Perl script you used.
Describe EXACTLY how you ran the script, on which system, on which date, and which settings has/had the computer you ran the script on.
jaclaz
They have advised me they will charge $20,000 to provide a "scrubbed" forensic image of the complete hard drive.
Aside from the fact that I've never heard of this being done, please note that the resulting image won't be forensically sound. I have requested "scrubbed" reports before (i.e., all but contraband images), but never an entire drive. Definitely not worth the time & money.
Aside from knowing whether the system clock was accurate and knowing the time settings (which you have), it sounds like all you'll need are Firefox artifacts, which (based on your Perl script post), it sounds like you already have. Make sure you know the version of Firefox in question and make sure you know which files you need (e.g., recent versions use sqlite files) and get those.
The Case Report {above} notes "Last Service Pack Service Pack 2."
There was a Microsoft DST update{s} beginning in late 2007 through 2008. Is it possible to determine if the information above confirms whether the Microsoft DST update was made to the computer?
If the update was not installed, then I am thinking that could account for the 1 hour time difference.
Keith
A computer is a marvelously complex creature, and the number of components that go into that file may be numerous.
I would add that a single "point in time" given by the result of analyzing a browser cache (or whatever) can normally be verified/made plausible or nullified by a number of other artifacts.
Examples (not necessarily applying to your case)
- in order to make a search in Firefox, the PC has to be on and Firefox must be running
- if there is any trace of the program starting before 11 AM and closing (or crashing) before noon, this would likely confirm that not only *that* search, but *any* search has been carried out before the time the "other party" stated.
- if there is any trace (as an example an automatic update of the OS or of any third-party tools) around 11 AM, it would mean that the PC was on (and online) around that time; if any external device was connected to it, that may provide another point in time, etc.
- even some "background" tasks (a screensaver starting, a background scheduled task, etc.) may provide further data
In other words the single event (the search in the browser) must fit in a more general timeline of the whole system (and IMHO without such a "whole" timeline there is the concrete possibility that a single event comes out - for whatever reason - shifted in time).
jaclaz
This analysis is the "big picture" analysis I am comfortable with. It allows me to look at simple, common elements and deduce the possible solution for the primary question: was there a shift in time for the google search?
Now I need to determine if I can look at these single elements {auto update of OS, a scheduled background task} from the Perl script. Or do I need to run a new program.
Keith
I have the computer crimes case report by the prosecution's examiner. It is 47 pages, too long to post here. I can post it with a url and share the link here, if you believe it can help identify some of the critical information my lack of expertise is just not able to find.
Keith
I have the computer crimes case report by the prosecution's examiner. It is 47 pages, too long to post here. I can post it with a url and share the link here, if you believe it can help identify some of the critical information my lack of expertise is just not able to find.
Why don't you start by providing the things that were asked for?
I decoded the Firefox history file into xls files using a Perl script written by a one-time employee of Netscape (pre-cursor to Firefox). The time stamp for the google search was Noon, which is 1 hour later than the time the other forensic expert said the search was done.
Provide some more data and a link to the Perl script you used.
Describe EXACTLY how you ran the script, on which system, on which date, and which settings has/had the computer you ran the script on.
Wouldn't it be better if you provided the actual DATA that you analyzed AND the tool you used?
Maybe someone else will be able to run another tool on that same data and/or validate the tool you used.
jaclaz
Yes,
But the data is held as evidence by the computer crimes department and they want to charge $20,000 to scrub the data so that personal information is not released. So I can request specific files, their reports, etc. but not raw data from the complete files. {see earlier post about cost of receiving data}.
Keith
Keith,
1) The Windows Update is probably a red herring. I can't see how it would have any relevance unless the search took place in the DST change interval, which is a longshot. Nevertheless, you should probably follow up on that. What was the DST change and was the search performed in that interval? Incidentally, if one were doing a comprehensive timeline analysis, this illustrates why time conversion (e.g., of NTFS UTC metadata to local time) can be non-trivial.
2) Yes, posting a URL to the report would help. I will look at it and hopefully so will others.
3) As I previously suggested, you don't want the "scrubbed" version of the drive. What you do want is the Firefox history file (preferably with MAC metadata) and a hash value that will allow it to be authenticated against the original. That file (or files?), along with the source code of the tool you used to dump it into CSV, will put the experts' reports in perspective.
Good luck.
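The point in 1) about time conversion being non-trivial is easy to see with numbers. The following is an added example, not code from this thread or from the Perl script Keith used; it assumes the Firefox history timestamp is a PRTime value (microseconds since the Unix epoch, UTC), uses the Eastern offsets from the case report above (standard -5h, active -4h), and converts a constructed sample timestamp under both the pre-2007 and post-2007 US DST rules so the "DST change interval" and the one-hour shift from applying the standard bias alone both show up.

```python
import calendar
from datetime import datetime, timedelta, timezone

# Offsets taken from the case report: standard bias -5h (EST), active bias -4h (EDT).
STANDARD_OFFSET = timedelta(hours=-5)
DAYLIGHT_OFFSET = timedelta(hours=-4)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def nth_sunday(year, month, n):
    """02:00 on the n-th Sunday of the month; n=-1 means the last Sunday."""
    if n > 0:
        day = 1 + (6 - calendar.weekday(year, month, 1)) % 7 + 7 * (n - 1)
    else:
        last = calendar.monthrange(year, month)[1]
        day = last - (calendar.weekday(year, month, last) - 6) % 7
    return datetime(year, month, day, 2, 0)

# US DST rules before and after the 2007 change; the case report's rule is "post2007".
DST_RULES = {
    "pre2007": lambda y: (nth_sunday(y, 4, 1), nth_sunday(y, 10, -1)),
    "post2007": lambda y: (nth_sunday(y, 3, 2), nth_sunday(y, 11, 1)),
}

def to_prtime(utc_dt):
    """Firefox PRTime: microseconds since the Unix epoch, in UTC."""
    return int((utc_dt - EPOCH) // timedelta(microseconds=1))

def prtime_to_local(prtime_us, rule="post2007"):
    """Convert a PRTime value to naive Eastern local time under the given DST rule.
    Returns (local_datetime, dst_in_effect)."""
    utc = EPOCH + timedelta(microseconds=prtime_us)
    std_local = (utc + STANDARD_OFFSET).replace(tzinfo=None)
    start, end = DST_RULES[rule](std_local.year)
    # DST ends at 02:00 daylight time, which is 01:00 standard time.
    dst = start <= std_local < end - timedelta(hours=1)
    offset = DAYLIGHT_OFFSET if dst else STANDARD_OFFSET
    return (utc + offset).replace(tzinfo=None), dst

def standard_only_local(prtime_us):
    """What a tool reports when it applies the standard bias and ignores DST entirely."""
    return (EPOCH + timedelta(microseconds=prtime_us) + STANDARD_OFFSET).replace(tzinfo=None)

if __name__ == "__main__":
    # Constructed sample: a search recorded at 16:00 UTC on 10 July 2008 (not case data).
    sample = to_prtime(datetime(2008, 7, 10, 16, 0, tzinfo=timezone.utc))
    print(prtime_to_local(sample))        # noon EDT, DST in effect under either rule
    print(standard_only_local(sample))    # 11:00, the one-hour shift
    # A March date that only the post-2007 rule treats as DST (the "change interval").
    march = to_prtime(datetime(2008, 3, 20, 12, 0, tzinfo=timezone.utc))
    print(prtime_to_local(march, "pre2007"), prtime_to_local(march, "post2007"))
```

For a search made in July, both DST rules give the same local hour, so a missing DST update cannot explain the gap; a tool that applies only the standard bias can.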
I have the XLS allocated files and the unallocated files from the Firefox history. Then I have the computer crimes "case history" which has information the examiner recorded when he first opened up the computer for his review. The case history is 47 pages and has a lot of code and some plain English commentary.
The Google search was made several months after DST went into effect.
I will create a url with my gmail account and post it here soon.
I will try to find the perl script information you are suggesting, and post that here as well.
Keith