Kevin Stenger testimony (Supervisor, OCSO computer forensics)
06-08-2011, 02:56 PM
HHBP asks if jury allergic to seafood ...may have surprise tonite
Kevin Stenger - Sgt. Computer Crimes OCSO x25 yrs....computer crimes unit formed in 2002, he is Sgt., unit responsible for investigating computer crimes i.e. hacking/child porn, cellphone/computer/PDAs for evidence....certified credential forensic computer examiner...attended all conferences of IASIS since '96, attended and put on classes, AccessData and syquest(?) guest lecturer and subject matter expert.....testified in both state and federal court as forensic computer expert....accepted as expert in computer forensics to give opinions....
recovery of info HP computer given by SO by the A family...role ...review Det. Osborne's work - peer review...if she was unfamiliar with something he assisted her....keyword search for chloroform done on HP...active role attempt to preserve info...Osborne observed search hit for word chloroform on the computer asked assistance in what context - she knew internet search unfamiliar with structure it was in....unallocated space - delete file not gone...library analogy - card catalogs = found where stored on the shelf...in order computer can find file has to look up name and find it on unallocated....card gets destroyed no reference to where ....book is still on the shelf...recognized Mozilla Firefox....fan of the tv show - internet history browser much like Internet Explorer...auto delete clear history on its own...not aware clears records auto...it may be possible to set it to do so....not auto done....some size limit where action taken? could be a size limit for that version but not aware of it...get rid of internet search history? delete history to dump history records....it is still on your hard drive until such time that space is used again for another file...Mozilla Firefox store name of user?
no....not record user name in records not set up to do that .....identify where it started and ended and use manual history files to retract info....most files start with a header...this database says MORK - footer ends with unique # of bytes ....found header & footer and extracted info out into a file...where file begins..tell forensic tool where it starts and how many bytes long file is....it manually extracts info for him - save it into a file name he creates.....tool used EnCase program.....forensic tools used to interpret the data...examine hx records....hx file spans date between daylight savings time switches.....at the time he sets his @ daylight standard time...half of the record was always an hour off...use CacheBack tool - history record spanned that length of time.....recall/records reflect time spanned...refresh with look @ report for exact dates...spans 3/4/08 - 3/21/08....utilizing CacheBack provides info not available with other tool - single largest difference show dates and times correctly regardless of how he set his computer...no matter standard or daylight savings time....request Mr. Bradley from CacheBack to review data file copy extracted - subsequent exam and provided a statement with his findings....filter info out of hx of 3/4/08 - 3/21 - two reports for 3/17 and 3/21....dates filtered dates contained info relating to chloroform searches and others done in Mozilla Firefox....report for 3/17 generated from the computer using CacheBack program....CacheBack report generated for 3/21......introduce as evidence ...no object - enter in records....
Info provided to Mr. Bradley in the form of copies of the file that he did exam on....used that same file to do his findings...copy provided exact copy from unallocated space on that computer
no other questions -cross
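The one-hour discrepancy described in the notes above (a history span of 3/4/08 to 3/21/08 that crosses the daylight-saving switch, viewed on a workstation pinned to standard time) can be reproduced with the sketch below. It is an added example, not part of the thread and not the code of any tool named in it; it assumes timestamps are stored as microseconds since 1970-01-01 UTC, and every record in `SAMPLE` is constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EST = timedelta(hours=-5)  # Eastern Standard Time
EDT = timedelta(hours=-4)  # Eastern Daylight Time


def nth_sunday(year, month, n):
    """Midnight UTC on the n-th Sunday of the month (n starts at 1)."""
    first = datetime(year, month, 1, tzinfo=UTC)
    to_sunday = (6 - first.weekday()) % 7  # weekday(): Monday=0 ... Sunday=6
    return first + timedelta(days=to_sunday + 7 * (n - 1))


def eastern_offset(utc_dt):
    """US Eastern UTC offset at an instant, using the rule in force since 2007:
    daylight time runs from the second Sunday of March to the first Sunday of
    November, switching at 02:00 local time."""
    start = nth_sunday(utc_dt.year, 3, 2) + timedelta(hours=7)  # 02:00 EST in UTC
    end = nth_sunday(utc_dt.year, 11, 1) + timedelta(hours=6)   # 02:00 EDT in UTC
    return EDT if start <= utc_dt < end else EST


def to_usec(*ymdhms):
    """Build a stored value: microseconds since the epoch, UTC (assumed format)."""
    return int(datetime(*ymdhms, tzinfo=UTC).timestamp()) * 1_000_000


def render(usec, dst_aware):
    """Wall-clock string for a stored timestamp.

    dst_aware=False models a viewer that applies one fixed standard-time
    offset to every record; dst_aware=True picks the offset per record."""
    utc_dt = datetime(1970, 1, 1, tzinfo=UTC) + timedelta(microseconds=usec)
    offset = eastern_offset(utc_dt) if dst_aware else EST
    return (utc_dt + offset).strftime("%Y-%m-%d %H:%M:%S")


def compare(records):
    """Return (fixed-offset time, DST-aware time, differs?) for each record."""
    rows = []
    for usec in records:
        fixed, aware = render(usec, False), render(usec, True)
        rows.append((fixed, aware, fixed != aware))
    return rows


# Constructed records on both sides of the 2008 switch (not case data).
SAMPLE = [
    to_usec(2008, 3, 5, 17, 30, 0),   # before the switch
    to_usec(2008, 3, 9, 6, 59, 59),   # last second of standard time
    to_usec(2008, 3, 9, 7, 0, 0),     # first second of daylight time
    to_usec(2008, 3, 20, 17, 30, 0),  # after the switch
]

if __name__ == "__main__":
    for fixed, aware, differs in compare(SAMPLE):
        flag = "one hour off" if differs else "agree"
        print(f"fixed-offset {fixed} | DST-aware {aware} | {flag}")
```

Records before the switch agree in both renderings; every record after it is an hour early in the fixed-offset view, which is the "half of the record" effect the notes describe.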
06-08-2011, 03:03 PM
LDB: "Have you yourself attended many trainings in the area?"
KS: "I have, as I stated I have attended all the conferences of IASIS since 1996 and attended training through Guidance Software both in classes and in conferences where I have not only attended training but I have presented training classes. I've also attended training through classes put on by a company called AccessData and another company called syquest. I've presented classes for the University of Central Florida both as a lecturer and a subject matter expert."
LDB: "Have you ever had the opportunity to testify in court as an expert in computer forensics?"
KS: "I've testified in both state and federal court and as expert in computer forensics."
LDB: "your Honor at this time we would tender the witness for either voir dire or submission as an expert who can give opinions."
JB: "No objections sir."
HJBP: "Okay, ladies and gentlemen of the jury, Sergeant Stenger will be accepted as an expert witness in the area of forensic computer analysis. You may proceed."
LDB: "Thank you. Sergeant Stenger in connection with your employment at the Orange County Sheriff's Office were you supervising Sandra Osborne in the recovery of information seized or given to the Sheriff's Office by the Anthony family?"
KS: "I was."
LDB: "Okay can you explain to the jury what your role was in this endeavor?"
KS: "As far as the examination goes, I would review Det. Osborne's work, in the field it is referred to as peer review where you have somebody else go back over your examination. In addition, if Detective Osborne encountered something that she was unfamiliar with I would assist her with it."
LDB: "Were you made aware of a keyword search for the word chloroform that was done on the HP?"
KS: "I was."
LDB: "Once you were made aware of that search did you take an active role in an attempt to preserve the information as a result of the keyword search?"
KS: "I did, Detective Osborne observed a search hit for the word chloroform on the computer and asked my assistance in identifying in what context that word appeared. She knew it was an internet search but she was unfamiliar with the structure of what it was in. This particular keyword was in what is called unallocated space."
LDB: "What is that?"
KS: "Many of you I'm sure are aware that when you delete a file, it is not necessarily gone. The best analogy I have for you as far as what unallocated space is, is a library. Many people use different types of analogies but the library is probably the easiest. Hopefully most of you remember back in the days when they had card catalogs, you used to go and look up the name of your book in the card catalog you would then find out where that book was stored on the shelves. Computers use something similar. In order for a computer to find a file, it has to essentially look up the name of that file before it can go out on a hard drive and locate it. What happens when something becomes unallocated is that that card, that entry, essentially gets destroyed and there is no longer any reference as to where that file is on the hard drive, however the data out there is still there. That book is still on the shelf. So, the information was still out there. I recognized what type of file that was from the structure as an internet history record from Mozilla FireFox. It is an old version of Mozilla in what is called a Mork database. Yes, supposedly the developer was evidently a fan of the television show."
LDB: "So what is Mozilla FireFox?"
KS: "It is an Internet history browser. I'm sure most of you are familiar with Microsoft Internet Explorer, Mozilla FireFox is another type of Internet history browser."
LDB: "Do you have knowledge if this history browser automatically deletes history, does it clear the history on its own or is that done manually by a user?"
KS: "I am not aware that it clears records automatically. It's possible, I would imagine to set it to do so... but uh, normally it does not do it automatically."
06-08-2011, 03:08 PM
JB w/Sgt. Stenger
don't know why deleted history....can be done to speed up computer to erase history...these search done months before....first one shows up @ 1:43:41 pm (?) have to look - go ahead....(long time looking)....would have been 2:43:41 an hour off...
next entry is an app...@ 2:43:48 = 7 seconds person looking @ screen ....No Sir!
if go to CNN.com might notice there are ads running all over that page....internet history can record a lot of the ads appearing from other websites ...records it is downloading a commercial from another site....reconstructed from unallocated space...history comes from there....can reconstruct that page? under some circumstances you can and this one you can...it is possible within 7 seconds this person was looking @ something else....he would say no it is an ad appearing on the screen.
@ 1:43:51 - going to myspace.....at most talking 10 seconds.....someone looking at a screen mentions chloroform and then moved on...somebody did a search for the word chloroform! then went onto myspace.....aware that defense evidence 1 may I approach? you may...yes sir...understanding of the photo ...has seen photo - aware it was on RM myspace? yes sir!
Sgt. Stenger: why can't reconstruct page from unallocated space? go online to a particular website recorded in hx record...in addition all material display on screen movies and sound all placed in separate area in cache or temp internet files....dropped into folders - computer rebuild on your screen...record of where you went kept in one place and content you are looking @ is kept @ another...may be able to recover history but may not be able to reproduce all webpage content on that day.....CacheBack can rebuild but only from unallocated space...rebuild from books on the shelf...if overwritten cannot recover anyway.
JB - those issues alone
can't reconstruct unallocated spaces...searches from blogs or websites? other than recognizing you don't know the authors of the websites...on history line you can tell keyword run from google....searches can't reconstruct page - can't give all that was on display....excuse witness...(Nothing said about neckbreaking or shovel?)
06-08-2011, 03:11 PM
LDB: "Sergeant Stenger, why can you not reconstruct the page that is in the deleted or unallocated space?"
KS: "When you go online you're surfing through the internet what happens, when you go to any particular website where you went is recorded in a history record such as what we're discussing here, in addition all that material that was displayed on your screen the web page, pictures, any movies that are on it, sound is all placed in a separate area that's often referred to as "the cache" (pronounced cash) or temporary internet files and it's dropped into these folders so that your computer can rebuild what you are seeing on your screen. The difference being is that the record of where you went is kept in one place and the contents of what you saw in another. What you're seeing is complex. It can have a number of different files in order to display whatever it is that you're looking at and when you delete that information, I may be able to recover the history but the chances are I may not be able to find all the records and all the files that go into actually reproducing that web page as you saw it on that day."
06-23-2011, 05:46 PM
Attorneys and HHJBP back 3:55
SIDEBAR (Jury not present) (3:55-4:10)
Jury back at 4:10
JB and LDB are trying to come to agreement as to what pages of the report will be entered into evidence.
DIRECT EXAMINATION OF DETECTIVE STENGER BY JB - continued:
He has reviewed Defense Exhibit DK. LDB does not object to the relevant parts as being moved into evidence (tabbed pages). His Honor told JB to remove the tabbed pages so that they can be marked into evidence.
Item DK (tabbed pages only) marked as Defense Exhibit 45.
This is a report of the deleted Firefox internet history using a program called Net Analysis. A competing software to Cache Back? Yes. Report run before having Cache Back? Yes.
He met Mr. Bradley in December of 2009.
Did you advise Mr. Bradley you had problems with his software?
OBJECTION - leading - SUSTAINED
He asked Mr. Bradley if he could use his tool to examine the items he had found in the unallocated space. They had encountered a problem with Net Analysis due to dates and times not being displayed properly because the time period included daylight savings time change.
Cache Back recover more files? He did not know. He did not know if they recovered the same number of files. Mr. Bradley needed some time to fix the issue - it was at least a day.
Did he have to rewrite the software?
OBJECTION - personal knowledge - SUSTAINED
Did you receive a report that you utilized that indicated he had to rewrite his software?
OBJECTION - SUSTAINED - same question
He was directed to the entry at 3/21/08 - 14:16:34. The website addressed was www.sci-spot.com/chemistry/chloroform.htm - 1 visit.
State's evidence #166 - same website at 15:16:13 - this is the Cache Back report and showed the website was visited 84 times. He agreed there was a difference between the two softwares.
14:16:13 on Net Analysis report - 4 websites with that time. First one- www.myspace.com - (report says website was typed in) 84 visits. He did not see an entry around the same time in the Cache Back report for My Space.
JB - could your Honor publish? I'm having technical issues again.
Net Analysis showed 1 visit for chloroform and MySpace was visited 84 times.
3/20/08 at 13:39:23 - myspace typed in again - 83 visits.
3/19/08 at 08:36:24 - myspace typed in browser - 82 visits.
3/13/08 at 10:37: - witness said he had no March 13 dates. JB then showed him his copy and the witness said he saw it. 3/13/08 - myspace typed entry - 81 visits.
You would not see these on the Cache Back report because the Cache Back report was for the one single day of the 21st. It did not include the myspace that was visited 84 times, which was two columns down on the Net Analysis report showing Chloroform visited 84 times. The Net Analysis report was having problems with date and time.
Because it was just an hour off?
OBJECTION - SUSTAINED
They were having problems with the dates and times.
Now you know that the Net Analysis report came up with more internet history? The reports ARE different.
He created the Cache Back report. He did not testify about that report.
State's Exhibit 165 - he prepared this report - a Cache Back report for 3/17. He did not testify about this report. He understands Mr. Bradley did.
Do you know why Mr. Bradley testified about his report?
OBJECTION - SUSTAINED - witness is not competent to answer that.
Have you ever had another computer expert testify about your reports?
OBJECTION - relevance - SUSTAINED
No further questions by JB
CROSS EXAMINATION BY LDB
You printed out the Cache Back report, but Mr. Bradley collected the data?
OBJECTION - hearsay - SUSTAINED
He had access to the developer to examine it - so he asked him to do it.
He was shown page 1 of Defense Exhibit 45. Do you see any of the Google searches done on 3/21/08? 8 rows above is a Google search. The Google search for How to Make Chloroform would be in the expanded Column H right above the myspace. Chloroform was spelled with an "A"
OBJECTION - outside of scope - OVERRULED
When you type a search into Google, you will see the results of the words you typed in the bar and that includes all the words that you actually typed into the search - HOW TO MAKE CHLORAFORM were entered. It would not appear that way if someone typed in how to make CHLOROPHYLL.
Do you have confidence that the dates and times on the Net Analysis report are correct, or would you rely on the Cache Back report for dates and times for the internet searches in the history? The dates and times on the two different reports appear to be accurate. He can't speak to how they were interpreted because he did not write the code for either program.
14:16:34 displayed the search for chloroform.
Even in the Net Analysis and the myspace.com and the how to make chloroform at 20 seconds apart.
No further questions.
REDIRECT EXAMINATION BY JB
The visits for chloroform on the Net Analysis report show that on 3/21/08 were the first time they were visited - one time - right? According to the Net Analysis report, correct.
The total amount of time spent on those websites - looking at chloroform - before moving on? Approximately 3 minutes.
Cache Back was purchased after the Net Analysis software and it doesn't have certain items that the Net Analysis does.
Not going to get your cash back?
Move to Strike sarcastic comment - SUSTAINED
RECROSS BY LDB
Even if it shows it was done in a 3 minute timespan, it does not negate that the user could be opening up more pages. Each tab could be opened for minutes or hours until the user decides to close the tab. The report does not tell how long the person spent reading or whether they printed the item.
REDIRECT EXAM BY LDB
The report doesn't give any info about the tabs. He does not know if that ever happened.
No one has told him that any pages were printed out about chloroform.
Witness was excused at 4:46
07-01-2011, 04:48 PM
Kevin Stenger - computer forensic examiner for OCSO - testified for this trial on 2 occasions previous....testified about a portion of internet history on HP seized from A home deleted firefox history range of time deleted time internet history 3/4/08 thru 3/21/08...various forensic tools utilized to perform analysis on certain words...SA exhibit SB - recognize disc created with 2 different report files ....report from netanalysis and report from cacheback....entire deleted history.....no object to conditional admission until we have had a chance to review it....
LDB witness will testify to documents contained....witness has identified to documents ....
JB requires a little explanation - ....approach sidebar
07-01-2011, 04:51 PM
Next, Kevin Stenger.
LDB: Expert witness on
On prior testimony you testified about a portion of the internet history that was in deleted files on the A. computer from March 17 and March 21.
The deleted history spans a broader time does it not?
Yes it does. It starts on March 4 and goes through March 21.
Now you testified you used forensic tools to perform analysis on certain words, correct?
What is that?
A disc I created with two different reports, from NetAnalysis and from Cacheback.
Does this report deal with the entire deleted history?
Yes it does.
Entering into evidence.
JB saying he wants to see if they (DT) had time to review it. [Ugh.] Now in un-heard discussion with LDB.
07-01-2011, 04:55 PM
SIDEBAR in progress.
Deleted searches were from Mar. 4 through Mar. 21. Something must have happened on the 4th of March as well as perhaps date up until the 17th.
LDB: In that deleted internet history what key word search were you asked to perform?
Anything related to chlorophyll, neck, hand sanitizer, and anything related to Gentiva.
How do you perform a keyword analysis in the NetAnalysis report?
You simply put in ...
ANOTHER COMMERCIAL HLN? So sorry folks!
07-01-2011, 04:56 PM
conduct keyword searches for chlorophyl, bamboo, neck, hand sanitizer and Gentiva...keyword search performed on netanalysis or cacheback...netanalysis is spreadsheet in Excel - use Excel search function look for whatever word searching for....and the other is a html report....search report done as well...
netanalysis...SB offered for identification...no objections SA #346 - publish to jury report....indicated one of the reports is Excel base currently looking for netanalysis report....control F brings up search function.....keyword search ...search entire spreadsheet @ once or the entire time....searched chlorophyl....if use only very first four or five letters can search for any version ....chlor into the search.....very first inst.....url address bar for Internet Explorer or any other internet browser - shows as several lines....url reference to a chloroform habit webpage...
JB asks to approach
07-01-2011, 05:12 PM
Jury coming back 3:42
DIRECT EXAMINATION OF KEVIN STENGER BY LDB
Computer forensic examiner for OCSO.
He previously testified to Internet history in deleted files of HP from A's home for the dates of 3/17 and 3/21/08.
The deleted Firefox history is for 3/4/08 to 3/21/08.
He identified a disk that he created with the reports from Net Analysis and Cache Back. The report deals with the entire deleted history.
JB - no objection to conditionally admitting the disk into evidence. He wants a chance to review it. Wants a stipulation.
HHJBP: Are you offering it without conditions?
LDB: My offering is without condition.
HHJBP: What is the defect in the predicate?
JB: I think it needs some explanation.
OBJECTION OVERRULED the disk will be accepted into evidence
SIDEBAR - 3:46
He was asked to perform key word searches for chlorophyl, neck, hand sanitizer and Gentiva.
The Net Analysis is a spreadsheet in Excel. You just search the spreadsheet. The Cache Back is an HTML report and Internet Explorer allows you to search for the words.
The disk was marked as State's Exhibit 346 and published.
The Net Analysis report is opened up in Microsoft Excel. Control F will bring up the search function. Then you enter the desired key word and you can search the entire spread sheet or one at a time.
Chlorophyl can be spelled many different ways. You can search using only the first four or five letters and that will search for any version of the spellings. They then search "chlor". It then produced a URL. It was a URL that had a reference to a chloroform habit web page - not chlorophyl.
OBJECTION BY JB
Using the "chlor" it pulls up chloroform, were a version of chlorophyl to appear?
He did not find any references to chlorophyl.
The same is true in the Cache Back report.
He also looked for hand sanitizer. The word sanitizer did not appear in any of the documents.
You searched for Neck?
OBJECTION - OVERRULED
It was in connection with neck break. There was another search in association with neck in conjunction with other terms.
Can you tell if this was a pop up that occurred?
OBJECTION - not rebuttal -
LDB: CA testified to a pop up
This is a Google search that is specific to neck breaking
Anything typed into the search box will appear after the Q - in this instance a human typed in "neck breaking" and then pushed search.
When you searched for chlorophyl, you said there were no hits? Correct. Would that mean there were no searches for chlorophyl with any of the chloroform entries? Correct.
He did not find any instances of bamboo appearing in the deleted Firefox file.
How did you determine if there was any access to a Gentiva website? He searched for Gentiva.com and there was no reference to that in the history.
Did you use any other forensic tools to confirm? Yes. He utilized a tool which breaks down the raw internet history file into records and it creates a text file and then searched that. Then the Mork database is essentially a text file, so he imported it into Word and used Word's search feature. He then imported it into FTK and EnCase and he repeated the searches there and couldn't find anything. He then used a Hex editor and searched that way and could find no references to them.
Any reference to anything to do with dogs? How to get rid of fleas? Yes.
CROSS EXAMINATION BY JB
What is Yahoo.com? It is a domain. If I go there, what comes up? The webpage for Yahoo? Yes. A number of different things - the news, a map to the drug store, stock market..... It doesn't tell me much about what is going on that page? No, sir.
The file he has is of web addresses? Yes.
All you were searching for was web names? With the exception of the Google search pages.
Unless the website had bamboo or chlorophyl in the domain name, you wouldn't have gotten a hit? Yes.
Neck breaking - you are aware no one has had their neck broken in this case? Correct.
OBJECTION - SUSTAINED
After the Google search of neck breaking, the next web site is Fightingarts.com? Yes. The URL would indicate it has something to do with martial arts. That would have come up on the search page and the user would have clicked a link on that page to go to that site. Whoever did that search ended up looking up a self defense web site? If we assume that is a martial arts web site.
He can't say what's on that page unless he goes there.
He wasn't asked to do this in July of 2009. He was just contacted recently to impeach CA.
He did not do specific searches for alcohol and peroxide. He knows they exist and he has seen them.
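The keyword procedure described in the testimony above (a short stem such as "chlor" to catch spelling variants, the typed Google search appearing after `q=`, and the limit that only addresses are searched, never page content) can be shown with the sketch below. It is an added example, not part of the thread and not the output of any tool named in it; the `HISTORY` list is constructed, using addresses and search phrases quoted in the posts, and the function names are hypothetical.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed history rows (URLs only), modelled on entries named in the thread.
HISTORY = [
    "http://www.myspace.com/",
    "http://www.google.com/search?hl=en&q=how+to+make+chloraform&btnG=Search",
    "http://www.sci-spot.com/chemistry/chloroform.htm",
    "http://www.google.com/search?q=how+to+get+rid+of+fleas",
    "http://www.yahoo.com/",
]


def typed_query(url):
    """Return the text after q= for a Google search URL, else None.

    The value is what was submitted in the search box, percent-decoded
    and with '+' turned back into spaces."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if not (host == "google.com" or host.endswith(".google.com")):
        return None
    if parts.path != "/search":
        return None
    values = parse_qs(parts.query).get("q")
    return values[0] if values else None


def keyword_hits(history, stem):
    """Case-insensitive substring search, like Ctrl+F over the report.

    Each hit is (kind, typed_text, url): 'typed search' when the stem is in
    the submitted query, 'url only' when it appears elsewhere in the address."""
    stem = stem.lower()
    hits = []
    for url in history:
        query = typed_query(url)
        if query is not None and stem in query.lower():
            hits.append(("typed search", query, url))
        elif stem in unquote(url).lower():
            hits.append(("url only", None, url))
    return hits


def report(history, stems):
    """Map every stem to its hits; an empty list means no address matched."""
    return {stem: keyword_hits(history, stem) for stem in stems}


if __name__ == "__main__":
    for stem, hits in report(HISTORY, ["chlor", "chlorophyl", "bamboo", "fleas"]).items():
        print(f"{stem!r}: {len(hits)} hit(s)")
        for kind, typed, url in hits:
            print(f"  {kind}: {typed or url}")
```

A stem with no hits means only that no recorded address or typed query contained it; as the cross-examination points out, a visited page could mention the word without it ever appearing in the URL.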
07-01-2011, 05:12 PM
using word using chlor brings up all keyword searches that begin with those letters...it never came up chlorophyl ....nor did word sanitizer in any of these documents....searched for word NECK ....(object-overrule) this is result for search for neck....neck break....another search for neck....these are the instances for neck in conjunction with other words....can you tell if this was a pop up? this is a google search specific with neck and breaking.....google search anything the user types appear after q= the words are what the user typed in in this instance it was result of human being entering neck and breaking into the google search box....(jb and kc laughing).....
loud pitch in courtroom....
LDB - when you searched for chlorophyl there were no hits during keyword searches...that mean no search for chlorophyl in conjunction with chloroform entry...also asked to search for bamboo...find any instances for bamboo? NONE...asked to determine whether or not access to a Gentiva website....I was...did any access to Gentiva ....I searched for gentiva.com no reference to gentiva.com in this history...aside from 2 reports did you utilize any other forensic tools...I did...in an effort to make sure these keywords ever in the history....searched text file....there were no references to this...it is a text file...simply import into microsoft word feature could not find any reference to these keywords... then put through 2 forensic files ....no findings in either of those....also used an old hexadecimal file....no reference to those in any.....anything to do with dogs ever in the history? one time someone searched on fleas...how to get rid of fleas..
JB - what is Yahoo. com...
webpage for yahoo......number of different things depend on what Yahoo has on the page for that day...could get news, horoscope, stock market, Paris Hilton doing that day - possible....yahoo doesn't tell me what going on that page...yahoo not really a word depend on what part country from.....
webaddresses...all look @ domain addresses what on file for less than 1 month....unless website had bamboo or chlorophyl in domain name would not have gotten hit...correct...this neck breaking - no one got neck broken in this case....object
only given this info.....
JB let me go back to neck break....after google search of neck break very next web site is fighting arts. com.....kung fu website....url indicates some martial arts....
that would have come up on search page ....user would have clicked a link to go to that site...who ever did search ended up looking @ martial arts website...can't say what on that web page unless actually visit it.....not asked to do this search until CA gave testimony...back in 7/2009 gave depo....no....only contacted recently when sa wanted impeachment....didn't do alcohol or peroxide searches ....no I know they exist on this file...didn't have to look for them...