Sandra [Cawn] Osborne testimony (computer forensics)

Status
Not open for further replies.

Chiquita71

New Member
Joined
Feb 3, 2009
Messages
3,835
Reaction score
2
Witness is on the stand.

Sandra Osborne

LDB: how you are employed

computer examiner for OCSO

LDB: how long?

21 years

LDB: what assignments?

patrol, then to crime scene investigations, sex crimes, homicide...now computer

LDB: what qualifies you?

business degree with Columbia, computer forensic certification

LDB: more about your certification

IASIS: certification involves a lengthy process. class room setting. two week class. peer review phase, practical exam problems 100 question knowledge exam.

LDB: what are you asked to do in these programs? class room instruction and profecency tests what tested on?

to demonstrate proffency, basic level, how to report and document those findings accuratley

LDB: practical experience?

OCSO several hundred exams, computers cell phones PDA's any device with a digital file.

LDB: testify in court?

yes

LDB: permitted to give opinions on computer forensics?

yes

LDB: I tender this person as an expert

HHJP: is accepted as expert in computer forensic analysis

LDB: have a title? detective Osborne did you receive items?

I did

LDB: cell phone purported to belong to Casey?

yes

LDB: may I approach the witness?

HHJP: you may
 
LDB: recognize?

I do. The label is in my handwriting. My initials

LDB: what is contained inside?

a nokia cell phone

LDB: into evidence

JB: no objections

HHJP: received into evidence

LDB: are there forensic applications that can be utilized to retrieve data from a phone such as this?

yes

LDB: what?

cell bright

LDB: premire?

it is

LDB: what info can get?

contact list, text, call history incoming out going, picture, audio files

LDB: ability hampered by the phone itself?

sometimes

LDB: service provider?

yes, serveral ways info could be hampered, the company might not let you have info, the cord could be disabled by carrier sometimes our technology can't get into

LDB: does cell bright update the info to OCSO?

yes

LDB: when received looking for ZFG?

yes

LDB: what info gained?

the initial data was contact list and music files

LDB: why only that?

the limitations of my cell bright, it was not capable of fully extracting data at that time

LDB: what is SIM card?

it allows the phone to connect to the network

LDB: interchangable?

yes

LDB: the Nokia phone have a SIM card in it, from Miss Anthony?

I need notes

LDB: is having witness look at notes
 

Sandra Osborne-OCSO 21 years this year - computer

patrol, crime scene, sex crimes, child abuse, homicide and now computer crimes

college business degree - 700 hours training and 2 certifications for forensic computer examiner ...IASIS certification process ....2 week classroom...peer review phase.....practical exam problems....100 question practical knowledge exam successful completed.....classroom instruction and proficiency tests.....computer forensic exam...basic computers...where to locate on computer ..document those finding accurately

practical experience - several hundred exams..computers/cell phone/pda - anything with a digital file....expert witnesss in OC in FL - explained issues re: computer forensics.....no object - expert witness in area of forensic computer anaylsis

title? Detective Osborne.....received several items in disappearance of Caylee...first item cell phone belong to kc, envelope - label, reseal package, date and initials confirmed....item inside Nokia cell phone (is this the missing Nokia cell?)....received into evidence....forensic applications to utilize to retrieve data from cell ...process available ...cellbrite - tool ...able to give reliable data premier in field...contact list, text, incoming outgoing, voice message, audio and pic files, anything phone does......service provider can extract data can be hampered.....manufacturer of phone doesn't allow 3rd party tool....plug in port could be disabled from software....some data not available on that particular phone.....cellbrite updates software periodically...receive phone look for ZFG locate? initial data extrated contact list and music files...limits of cellbrite was not capable of fully extracting data on the phone....sim card little card chip allows phone to connect to network....sim cards interchangable in different phones attempt to contact ....don't recall if sim card was in kc's phone - look @ report to refresh recollect for sim card....it did have a sim card...use different forensic applications other cellbrite to retrieve data from sim card? put sim card into cellbrite device.....sim card have any more info than the cellbrite extractions from the cell? simcard was same info as device.....locate any info about ZFG? didn't notice any.....not her function ....didn't see any but she handed data extracted to detectives in the case....cellbrite does nice job in reporting data that is easy to read...eventually received other evidence items to initially locate ZFG....computer, laptop computer....from Det. Beasely brought in laptop serial #, desktop computer serial number# HP home computer....received this computer from Awilda McBride from missing persons unit - on 7/17/08 1:30 pm....laptop received on 7/16/08 8:00 pm ....cameras? yes....polaroid T730 digital camera 7/17/08 and Nikon coolpix on 7/21/08.....forensic tool to examine camera - endcase by guidance software - digital camera...didn't plug Nikon camera but pulled the SD card into the adapter and used endcase to view contents of the card.....locate any video files of Caylee? yes....using that tool able to determine date of video files generated....dates on the files from Nikon coolpix 6/15/08 - reviewed the video....video from nursing facility....appeared to be yes....date and time accurate when actual image was captured....most cameras or videocameras will imbed information date and time of pic taken. gps coordinates if it is a newer device ....shutter speed, etc.....Nikon coolpix ....date and time setting the camera set to @ the time video was taken....when she received it compared date and time setting w/current date and time 7/21/08 10:54 am, and setting on camera 7/21/08 10:56 am - 2 min difference....

laptop received from Det. Beasley....what condition was it when provided? on/off?
laptop was? doesn't recall if powered on or off @ time received it....make a difference for retrieving data? document condition @ the time....word doc open, on the internet...power it down and remove the battery.....methodology to make sure it is off before any attempt to retrieve data? Yes in lab setting power it off and remove hard drive from the machine...

Desktop floor model - HP 520 N...hard drive 160 gigbytes ....item powerd down not on @ time of receipt...different tools evaluate contents of computer vs....used the endcase software....standard tool in industry....don't know when endcase started ....she's been using since 2006..a dacade or more....industry standard reliable software tool...

endcase tool can examine every bit every zero and every one on the harddrive....whether user can see that info or not.....what did with HP to ensure data as it existed was not changed/altered standard practice to maintain evidence as received....harddrive ...condition of computer removed....rightblocker....prevents forensic machine from taking ahold of it....don't want that to happen....windows wants to reach out and touch others....right blocker holds that original harddrive....put the orig. back into evidence and work on the copy that right blocker made.....returned hard drive .....she stored data on another hard drive and brought with today

with a cellphone ....

15 min recess



 
it did have a SIM card yes

LDB: other than cell bright to get data?

a process of removing the car and instruct the cell bright devise that recognizes the SIM card and report it for you.

LDB: did the SIM card have info other than physical phone itself?

the SIM card was same as device

LDB: with that info at that time, was there any info regarding ZFG

I didn't notice but it is not my function to know what was looking for. I get info and give.

LDB: you reduce it to a report or format?

the cell bright does a nice job in a nice web based report that is readable.

LDB: did you receive other items to locate ZFG?

I did

LDB: computers?

yes

LDB: lap top computer?

I did

LDB: who from?

Det. Beasley a lap top

LDB: serial number you remember?

my report will reflect(looking at notes) the serial number is (gives number)

LDB: receive desk top computer as well?

a floor model yes I did

LDB: serial number?

HP mxm410hyl

LDB: who did you receive that computer from?

Wilda McBride: missing persons

LDB: date and time?

July 17th 2008 at 1:30 pm

LDB: lap top

Beasely July 16th 2008 8 pm in evening

LDB: cameras?

I did

LDB: kind?

poleroid D17 camera, a nikon cool pics camera

LDB: are there forensic applications to determine the contents of camera?

forensic tool to examine

LDB: nikon cool pics?

guidance soft ware

LDB: what info does that provide off of camera?

I did not plug in nikon camera into Incase, I pulled the card that had files and put SD card into adapter to view contents of card

LDB: able to

yes

LDB: any files of Caylee Anthony

yes

LDB: date the video was generated?

yes

LDB: dates?

the dates on the files June 15th 2008

LDB: review video?

yes

LDB: nursing video?

yes

LDB: how do you know date and time is right?

most cameras today inbed in each file info about itself. the make and model of camera, date and time. GPS if more advanced where picture was taken, shutter speed, the info on this Nikon gave me into: the model and date and time

LDB: when you received the camera did you make an assessment re: the date and time?

I compared the dates and time to current time. It was july 21 2008 at 10 54 in morning and the setting on the clock itself so there was a two minute difference.

LDB: the lap top, what condition was it in when provided. on? off?

I believe that camera was off, the lap top(checking report) I don't recall if that item was powered on or off when I received it.

LDB: does that make a difference to you?

as far as retriveing data? no, I will remove the battery. I document the condition of the machine if running, is a word doc open...I will make a note before I power it down.

LDB: when performing an examination is it your methodology to make sure it is off before attempt to retrieve info?

in a lab setting, yes power down and retrieve the hard drive

LDB: when you received the desk top what?

(gives numbers)

LDB: how large is hard drive?

160 gig

LDB: ?

powered down

LDB: tools you use to evaluate computer?

I used the (NK) software

LDB: NK used for a long time?

it is a standard

LDB: how long utilized?

I have been using it since 2006. A decade or more?

LDB: NK is reliable?

it is an industustry standard

LDB: you told us about cell bright. what do you get through NK?

every bit on the hard drive. every zero and every "one". it looks at all info on hard drive.

LDB: what did you do with HP to insure the data as it existed was not changed altered or corrupted?

standard practice to protect original info. after docmenting condition of computer. I attached it to the right blocker, it prevents my machine from taking a hold of that drive and making changes, I don't want files to change or my machine to do that, I connect it to a blocker in a read only mode and put original away and work with copy.

LDB: orignial drive?

back in evidence

LDB: ?

hard drive is returned to family

LDB: before returned what do you do to make sure you have access to data?

the NK file I get the original drive is preserved, I have in court today.

LDB: you don't necessarily look at the data?

with a cell phone I hand over to investigators

LDB: as far as computer you do evaluate the data from hard drive?

correct

HHJP: taking a recess 15 minutes.
 
HHJP: Let's return the jury

All rise

LDB: talking about your evaluating info that was preserved and extracted from hard drive

correct

LDB: what info does NK provide?

every bit of info on hard drive. every bit of info that was ever on it. system files. file system that is used by the operating system and deleted files.

LDB: on the HP in particular before you, perhaps during your evaluation do you record the date and time that is on the computer when you receive it?

yes

LDB: how is that done

I power it on, there is a function key to get in that area to get current date and time it is set to

LDB: can you give the data you obtained and relate it to current date and time

july 18th at 12:13 pm the computer was july 18th at 12:13 right on the money

LDB: what software?

windows XP, windows internet explorer, mozilla firefox, microsoft for XL spread sheets, facebook, myspace was loaded into user areas, peer to peer, yahoo messenger.

LDB: the micosoft XP program that is what was loaded on computer at time of purchase?

if it was completely overwritten I couldn't tell that, but it seems to have the one from purchase...(?)had been in use on that computer for quite a while

LDB: standard with microsoft?

you can load with what you want but mostly see windows

LDB: mentioned another browser?

mozilla firefox

LDB: need to download?

from internet

LDB: the HP?

Safari, a mac book but the main ones were mozilla and internet explorer

LDB: the computer have users that have own icon?

HP has two user accounts not be default. one user was: owner and other was: casey(she spelled name out)
 

Osborne info in the Bios - system clock and get current data....HP data obtained on 7/18/08 @ 12:13 pm ,....system set at exact same time "right on the money"....software Microsoft Windows XP, internet explorer, firefox, microsoft applications excel spreadsheets, fb, myspace, aol, yahoo messenger...many others don't recall and didn't record....microsoft XP loaded on computer @ time of purchase appears to be...if overwritten wouldn't be able to tell that...windows XP installed since 9/2005...HP come standard with microsoft softward - common to find...loaded with windows operating system seen frequently....another internet browser ...firefox can be downloaded from internet...another safari - typical apple/macbook application to access internet....firefox and internet explorer on this computer...2 user accounts .....one was entitled owner and other other is entitiled kasey....

tasked to do? fishing expedition on ZFG any info lead us to Caylee....exam of that type peruse thru user folders ....on desktop by the users.......what stored on desktop....internet history....webpages visited in files...phone numbers....phone books...who owns or use this computer? what person is using this alot ... business computer or gaming compuer - how is it used......located references in ZFG in temporary internet files.....date and time of the references determined by temp. internet files......webbrowser keeps cache results....computers all about speed ...get to data as fast as possible....look @ temporary files .....(ie: www.nascar.com the url will be stored on harddrive - record visited that site - page will reload from harddrive instead of going to the web where was found before)...records date and time and where I went recorded in temp. internet files....several searches peoplesearch...highschoool classmates....7/16/08 google websearch - ZFG age range 22-29 in Orlando or Jax FL....any references to ZFG prior to morning of 7/16/08? No I did not!

General usage of the computer....computer appears to be on running good bit of the time....not too many documents found several resumes.....no wills not a whole lot of business type or school...a lot history with temporary internet files .....longest found 4 1/2 years of history....never cleared internet history....you can right click on properties....clear internet history for microsoft it will not clear firefox....you have to go into each program and clear each one.....what happens when you clear...saved in unallocated space....depends usage and full harddrive is....if a lot of files being put in top of files you can delete quickly or can stay for years.....freespace/unallocated space is written over cannot retrieve original data.....keyword search.....encase has ability to search gobs/data.....plug in word of nascar.....will go thru every bit on the computer to search for nascar...

on user account - password protected? able to determine password rico23....password set on earlier in year 2008 .....attempting to verify that...maybe March 2008....skip over that.....

internet history on HP - evaluated by complicated question....internet history - website visited....temp. are the content of those pages....used Netanalysis put all of internet files, cookie files...etc....into spread sheet to look @ them any way Osborne would like to look at them....reliable tool for evaluation of data....

can tell which user making search? Yes internet history....object-overrule...temp. internet history which user is loged in and active @ time search conducted.....temporary internet files records which user logged in....cookies and history included.....if files are deleted tell you which user account generated that? no that info no longer available.....YM ask keyword search for chloroform or alternate spellings of that word around 8/2008 late in month....keyword search in same manner as ZFG - keyword search spelled correct and incorrect and came up with keyword search hits ....on unallocated/deleted space on the harddrive...view info associated with those hits - can see it...in deleted space....hit or miss whether entire record or not in this case we were able to recover complete history from beginning of the code to create page and end of page complete history from unallocated space.....sometimes it is difficult when overwriting with a very large file but that didn't happen in this case....recovered entire history record....she turned over to her sargent who is an expert in that area....Osborne is not...(object- sustained)....when encase reported back found word chloroform look @ that language recognize immediately as an internet file - not that familiar ....went back to beginning of the record....difficult to determine where that first appeared - found serch hit and turned over to supv.;

HP not only computer evaluated thru encase.....also received computer from Ricardo M... received on 10/28/08 submitted by Sgt. John Allen.....preserved data

removed hard drive - Macbook ....copied using encase software - date and time removed 10.28/08 3:24 pm...system clock set @ 7:24 pm....london or GMT....differential of 4 hours.....

 
LDB: using NK to look at different parts, what was it you were tasked to do initially?

a fishing expediton regarding ZFG and any info that would lead us to Caylee

LDB: what did you do to look for references of ZFG?

with an examination the first thing I do is look through user folders. I look at desk top, active files, start at desk top level what is stored. internet history where they visit, temp internet files to see where visit. any info re: who owns this computer and what person uses it. are they online a lot, business computer? Games, sometimes people only use for games.

LDB: able to locate references to ZFG

yes in temp internet files

LDB: determine date and time?

yes

LDB: how are you able to do that?

the temp files are a record. save on hard drive. it is about speed, every page you visit will save to hard drive. I can see what pages have been visited on there. If I go to www. nascar . com that URL will be stored on my hard drive and have a record that I visited that side and it will load from my hard drive. what I found on the 16th it records not only where I went but the date and time. That reference on the 16th is it being cashed to hard drive.

LDB: ?

several searches on internet: class reunion. searches for the name. on the morning of July 16th 2008. looking for a age range of 22 to 29 either in Orlando or Jacksonville.

LDB: any references to ZFG prior to the date of July 16th?

no

LDB: the process is trying to asses the general usage. any conclusions as to use this computer got?

on and running. not much office work. resumes of Mr. Anthony's. not a lot of business. no homework. a lot of internet history the temp files where four and a half years of internet history. they did not clear the history either.

LDB: how, browser?

click on it and clear

LDB: have to do it for each browser?

yes, if clear for Internet explorer will not clear fire fox

LDB: once you clear that cashe?

it gets saved on deleted space, but it resides on hard drive

LDB: how long can info stay in the allocated space/deleted space

depends, maybe for years.

LDB: if you have this free space on the computer and it is written over can you ever retrive the data that is underlying what writes over it?

no

LDB: what is a key word search?

NCase allows me to ask NCase: Nascar it will go through every bit of that hard drive looking for Nascar. I can ask for only one file or part if I like.

LDB: user accounts password protected?

one did

LDB: determine password?

rico23

LDB: able to determine when set?

yes(looking at report)(police sirens in back ground) sorry there is a lot of info in this report. (it is taking a while) set earlier in year in 2008 if I remember correctly. I am trying to verify that. Earlier in the year March of 2008, I believe.

LDB: the internet history on the HP. How evaluate that?

complicated question. internet files or history

LDB: two different things?

one is the page, difference. the history I would have copied those files out from Ncase using Net Analysis which puts cookies files, etc into spread sheet how I want to look at them: by date or however I wanted to look at them

LDB: is Net Analysis used in the computer forensic field?

yes

LDB: standard in the field

has been and yes

LDB: in files, cookies or internet history, can you tell which user is making the search?

yes, the internet history data base

JB: objection

HHJP: overruled

it records which user account is logged in and using account. not who is sitting there but which account is being used.

LDB: user account? internet history? cookies?

correct

LDB: once files are deleted, will the record associated with deleted files tell you who made search?

no, info no longer available

LDB: asked by YM to perform a key word search for chloroform?

yes

LDB: when?

late in Aug 2008

LDB: how was that performed?

the same as the ZFG key word was performed, put it into Ncase.

LDB: was there a location on the computer where you determined the key word hits occured.

in deleted space on hard drive

LDB: are you able to view the info associated with those hits?

yes

LDB: what can you see?

because it is in deleted space. hit or miss if get entire record. with chloroform we were able to recover the complete history. from the beginning to the end. complete history record.

LDB: you said that is sometimes difficult

sometimes when you delete there is a chance it gets covered but not in this case, we got entire record

LDB: how do you know?

I gave to sargent who is expert in that area, I am not

objection
sustained

LDB: you alerted another individual you reported a hit

chloroform: I was able to look at the language surrounding that and recogzied it as a data base internet file. I went to the beginning of the record because I did not know where it appeared, I found the search hit and turned it over to my sargent.

LDB: how does that happen?

he shoulder surfs, we are in a few feet of each other in the lab, he copied that out to another source and created report from there.

LDB: the HP was not only one through NCase?

yes

LDB: Ricardo Moralas?

yes, I did

LDB: what did you receive and from who?

I received a computer reportedly belonging to RM by John Allen

LDB: what did you do to preserve the data on RM computer?

the proceedure to document is the same as the other computers. removing hard drive and checking system clock. it was an apple, mac book, hard drive removed and copied using the Ncase software.

LDB: note date and time?

oct 28 2008 at 3:24 and system was oct 28 2008: London time or Grenwich mean time. difference of four hours.

LDB: if I may show the witness what was introduced as states 12. There is a monitor that looks like it has been turned. may I publish to jury since it has already been introduced?

HHJP: you may

LDB: can you see image?

I can

LDB: were you asked to deterime if that image was on his computer?

look for pictures of caylee with pink tee and info

LDB: able to locate states number 12?

yes

LDB: how?

searching the graphic files on the computer. I am sorry I don't know that I did, if I recognize that one. I do not have that report printed out, mine is on disk.
 

Picture of KC w/Caylee @ RM's bedroom w/bruise under eye.....

Osborne was asked to look for pics of Caylee w/pink shirt......graphics.....doesn't have a paper print out of her report has a disc......SA offers copies......

once photo found info imbedded info stays in the file of the pic - able to view that imbeded info.....

5 min recess


 
LDB: can you tell the jury once an image is located in graphic files can you tell when pic was taken?

yes like with Nikon cool pics info is embedded. that info stays with file, and I can view that.

HHJP: taking a five minute
 
JB: this is the photo with the bruise under her eye.

HHJP: I remember reading the instructions. Do I have them, that's the problem. (judge is looking for documents) I know it was handwritten but I am seeing if I kept it. (still looking) Madam court reporter, do you have access? Do a key word search using the word: "brose(?)"

Someone says something

HHJP: we will go off the record. june 24th at 11:33 am. may not june. may 26th that is another date. It should be May 26th and I think he testified around 11:33.

I guess HHJP knows what a "keyword search" is! :winko: :floorlaugh:
 
LDB: "Can you tell either in the temporary Internet files, or in the cookies or in the Internet history uh, which user, meaning you said there were two users on the computer, which user is making the search?"

SO: "Yes, the Internet history database is re.... (Baez objects: "It seems facts are not in evidence, I believe the witness testified to two user profiles, not two users. Overruled, witness continues) ...the temporary files database will record which user account was logged in and active at the time the search was conducted so that's what it's recording as opposed to an individual user sitting at the keyboard which obviously it wouldn't know, it can only know which user is active at the time the search is conducted."

LDB: "Alright, but the temporary internet files will record which user account is being accessed at the time?"

SO: "That's correct."

LDB: "Is that also true with the internet history?"

SO: "Yes."

LDB: "How about any of the cookies that appear?"

SO: "That's correct."

LDB: "What about once a file, or files are deleted? Will the record associated with the deleted files tell you which user account generated that original search?"

SO: "No. That information is no longer available."

LDB: "Were you asked by Detective Yuri Melich to perform a keyword search for the word "chloroform" *witness grins* or any alternate spellings of that word?"

SO: "Yes I was."

LDB: "When did that happen?"

SO: "Sometime around August 2008, I think late August 2008."

LDB: "and how was that keyword search performed?"

SO: "In the same manner that the Zenaida Fernandez-Gonzales keyword search was performed. I input that word into NCASE, spelled correctly and spelled incorrectly and came up with keyword search hits for both."

LDB: "Was there a particular location on the computer where you were able to determine where the keyword search hits were performed?"

SO: "Yes."

LDB: "Where was that?"

SO "The keywords appeared in unallocated or deleted space on the hard drive."

LDB: "Are you able to then view the information associated with those hits?"

SO: "I'm sorry? Am I able to what?"

LDB: "View any of the information that is in deleted space or unallocated space?"

SO: "Yes."

LDB: "What can you see?"

SP: "Well, because it's in deleted space, it's hit or miss as to whether you get an entire Internet record or not. In this case, with the "chloroform" keyword search hit we were able to recover a complete internet history from Mozilla FireFox. The complete history meaning right from the beginning of the code that begins the programming to create the page right to the very end of the page. So we basically, got a complete internet history record from unallocated space that had been deleted."

LDB: "You said that that is sometimes difficult depending on user activity, what did you mean?"

SO: "Right, when we were talking earlier about overwriting space with deleted files, there's always an opportunity when you delete a file especially a very, very large file that new data being saved to the computer will overwrite some of the data, some of the old data that was deleted. That did not happen in this case. We were able to recover an entire internet history record."

LDB: "And how is it, you know it is an entire record? What is it about the information that makes you able to tell us that?"

SO: *grin* "Because I turned it over to my sergeant who is an expert in that area. Um, I am not. (Baez objects to strike I did not hear why, HJBP: "sustained.")"

LDB: "Alright, so the information, that information, you alerted another individual you located, you had hits in unallocated space?"

SO: "When NCASE (?) reported back to me the fact that it found the word chloroform spelled correctly or not, I was able to look at the language surrounding that word and I realized, I recognized it as a file as an Internet database file. I looked around a little bit to see if I could figure out if it was Internet Explorer, or if it was some other type of browser but since I am not that familiar, I was not able to determine that. i went back to the beginning of the record because I don't know where within a web page the word chloroform would have appeared so, it was just very difficult for me at that time to figure that out so I found the search hit and turned it over to my Sergeant from there."

(commercial break)
 
HHJP: Lets' bring them in I will put something together right quick. You may return the jury.

All rise for the jury

HHJP: Ladies and gents the photo remember the previous instruction regarding the bruise of Caylee Marie it was not the result of abuse or anything of that nature.

LDB: able to locate the printed info regarding the photo?

yes

LDB: was this photo among a collection of photos given to you on a thumb drive from YM?

yes

LDB: was the photo on RM computer?

It was and it was on both, on the thumb drive and computer

LDB: you said that the abilty to determine the date is in photo

yes

LDB: when was it taken?

january 28 2008

LDB: when you say the camera, the date it was set to you did not have actual camera

it was not submitted for analysis

LDB: permission to publish and show to jury?

HHJP: you may

LDB: was this photo likewise provided on thumb drive by YM?

JB: objection to dates being provided

HHJP: approach the bench

side bar
 

HHBP - reminds jury about bruise under the eye of Caylee is not proof of any abuse whatsoever....

Osborne located photo on a thumb drive from YM originate from the Globe....photo in 12 on the thumb drive and on Mr. Morales computer ....found on both....date photo taken based on data imbedded date camera set 1/28/08...didn't have the camera as it wasnt' submitted for analysis....publish to jury

Pic of Caylee sit on couch w/kc holding a guitar....(object to dates...Approach)

 
HHJP: overruled

LDB: time and the date in states 13 was taken, the date the camera was set to

JB: objection

LDB: I will start over. can you tell from info from computer what type of camera took photo?

yes

LDB: what type

cannon power shot

LDB: other info embedded in foto?

yes

LDB: date and time when camera was set embeded, what date was the camera set to when pic taken?

march 169th 2008

LDB: nothing else

HHJP: cross examination :rolleyes:

JB: I want to clear up with user profiles on computer, there are two profiles?

user created profiles yes

JB: that does not mean only two users?

correct

JB: there are various searches are there not?

yes various searches

JB: there could be multiple users using one profile

correct

JB: one: no one has told password and computer is turned off and it is done.

okay

JB: is that a yes?

yes

JB: if I have a password protected area it is the owner area not the casey area right?

yes

JB: I have logged in and it goes to sleep I don't have to put in pass word again?

it depends on the setting on the computer

JB: but you don't know that?

not on this computer

JB: as far as you know someone could come along and not have to put in password?

yes

JB: key word for chloroform?

yes

JB: date and time?

aug 20th 2008 or shortly there after

JB: the date you think these searches were run?

my sargent has that info to testify to

JB: I understand. What we were talking about as far as the camera was concerned, you never saw?

which one? cannon power shot? I did not see that one

JB: you don't know if the time settings are correct or if they set them at all?

I do not

JB: may people find setting time difficult on VCRs and things. (VCR's Jose :tsktsk: )

is checking documents

JB: you inspected RM computer and you ran searches...

yes(is looking at records)

JB: you were asked to run searches for chloroform?

yes

JB: also no photos of chloroform on his computer?

yes, my record says no pics or searches for chloroform on that computer.

JB: defense evidence one: (pic of "win her over with chloroform" :eek:hoh: RM the BUS is headed your way!) Are you familiar with this photograph?

HHJP: ?

JB: yes may I?
 


Objection overruled...

The date the camera was set to....recognize 13 in evidence ...appeared on a thumbdrive given by YM, same photo on RM computer....can tell the type of camera took photo - cannon powershot sd870.....other info imbed into photo date camera set to....March 19,2008.

(Kc's birthday?)

Cross by JB

Det. Osborne - user profile on computer....2 profiles user created....not mean only 2 people using this computer...various searches internet on the computer....multiple users using 1 profile....password only means something if that person told someone password and if computer turned off...owner profile password protected - log in...computer stays on - goes to sleep - don't have to relog password? depends on computer settings....one min, 5 min, 5 hrs. or all day ....didn't ascertain that on the computer...if leave it on anyone could use it and not log on password.....correct......8/20/08 ish or shortly thereafter....don't know info about temp. internet searches prepare to testify to the Supv. did that ....cannon powershot never saw that camera....don't know if time settings were correct...don't know if person set time when purchased camera.....setting time on vcrs and cameras people find difficult (object- sustained) does every computer and camera have same exact time set? no....you inspected RM's computer? yes.....JB obtaining binder from kc - asked to run searches on RM for chloroform...indicated no photos of chloroform on his computer....no web pics or pages referencing chloroform on that computer. Defense evidence #1 - overhead - LDB tells how to position it on overhead.....JB doesn't have it on the screen...

recognize this pic? yes seen it....posted on RM myspace account? not aware....win her over with chloroform...what does this indicate to you? (object-sustain) see in photo...couple man woman dining man has white clothe reaching around behind her shoulder....if RM posted this on his myspace ...on another computer? She has no idea...how this photo doesn't show up on his computer posted on myspace....one way can do it from another computer or from phone....doesn't mean never there....not there when she examined - if deleted and overwritten inthe unallocated space if she didn't find it....pretty much with any computer searches dealing with unallocated space....no further questions....thank you


Re-direct: LDb keyword search would pixels imbedded in picture be accessible? no - pixels are represented in hexidecimal not discernable in readable form,...words in a picture doesn't appear as a word it appears as a pixelated picture - would not have been detected in word search.....RM computer did not contain any chloroform references..

In you report specified no references to word chloroform nor pictures that she found.

witnbess excused



 
I have seen it.

JB: did you know it was on RM computer?

no

JB: read

win her over with chloroform

JB: what do you see

a couple a woman and man sitting at chair and man is reaching around her shoulder.

JB: and if RM posted this on his myspace that would be from another computer?

I have no idea

JB: deleted, how can you explain? how this photo wouldn't show up on your inspection if he posted this on his myspace.

several reasons. multiple ways you can post on myspace: someone else's computer, a phone. just cause did not find it does not mean it was never there.

JB: could have been deleted?

and over written if I did not find it

JB: and that could be pretty much with any searches you did dealing with the unallocated space?

correct

JB: I don't have anything further judge. ( I noticed that when Jose is happy with HHJP he calls him HH but when not he says "judge" )

LDB: are the pictures accessable in the key word search?

no, they are not readable. it is garbled and not in readable form

LDB: words embedded in a picture will not be part of a search

part of a pixilated picture

LDB: the key word search in the temp history or the cookies or the unallicated space did not have any chloroform searches

correct

HHJP: excused

JB: any chloroform references on RM computer?

no
 
LDB: "Detective Osborne do you remember the last question?"

SO: "About the date and time?"

LDB: "Not the time. The date that the photograph in the states 13 was taken, oh, the date the camera was set to when the photograph was taken."

SO: "Yes. the date the camera was set to. (Baez, I think that question goes to the witness testifying about the camera not the photograph that was on it."

LDB: "Let me start over."

HJBP: "Yes, rephrase the question."

LDB: "Alright. Do you recognize 13 in evidence?"

SP: "Yes."

LDB: did that photograph appear on a thumb drive provided to you by Detective Yuri Melich

SO: "Yes."

LDB: "Were you able to identify the same photograph on Ricardo Morales' computer?"

SO: "Yes."

can you tell from the information provided by the computer what type of camera took this photograph

yes

was that information embedded in the photograph itself

yes

what type of camera took the photograph

a canon power-shot sd870

was other information embedded in the photograph

yes

is the information related to the date and time that the camera was set to when the photograph was taken imbedded in the photograph

yes

what date and time, I'm sorry. What date, you don't need to give me the time, was the camera set to at the time the photograph was taken?

March 19th 2008.

thank you your honor, no further questions of the witness

HJBP: "Cross examination of the witness?"

Good morning ma'am, it's sergeant Osborne correct?

detective

Detective, okay, sorry *grin

Detective Osborne, i i just want to clear up a couple things with the users profiles on the computers. There are two profiles on this computer, correct?

Yes, two user created profiles.

And that doesn't mean that two people are using this computer, correct?

correct and in fact there are various searches on both profiles, are there not? Various types of searches...

internet searches?

Yes

I would assume so, yes, I found searches.

and there could be multiple users using one profile correct?

correct.

And a password only means something if 1) That person's not told anyone else what the password is right

correct

and 2) the computer is turned off after that password is utilized and computer activity is done

okay

*grins and laughs* alright is that a yes or????

Yes.
 
3:18

DIRECT EXAMINATION OF SANDRA OSBORNE BY JB

A detective and computer forensic examiner.

Witness tendered as an expert in digital forensics - no objection

Who followed you in today?

OBJECTION - relevance - SUSTAINED

Did someone follow you in previously?

OBJECTION - relevance - SUSTAINED

She did the forensics analysis on the A's desktop. She was asked to do a key word search for chloroform. Did she then identified an unallocated space.

OBJECTION - leading - SUSTAINED

She did and then turned it over to her supervisor - Detective Stinger.

Prior to that she recovered the internet history with Net Analysis - a different forensic tool used - slightly different than Cache Back. They both help to view the internet history.

She doesn't use the Net Analysis reporting feature, rather she experts into Excel to work with the data easier. She then turned that over to the detectives.

She was shown Defense Exhibit DF.

OBJECTION -

Do you know what the disk is? She has never seen it and it does not contain her handwriting. The label says FireFox from unallocated space.

OBJECTION - SUSTAINED

She did not work on this particular item. She turned it over to Detective Stinger.

She was shown a print out version. Does it appear to be a portion of the Excel spreadsheet you prepared? She believes it is a document Detective Stinger prepared.

She issued a report in this case. She issued 2 reports.

On 10/20 - do you indicate that you prepared this spreadsheet? She said yes this is the portion of the deleted Firefox internet history where she found the search hit for chloroform which she exported and gave to Detective Stinger.

The disk she was given was Defense Exhibit DF.

What she was shown on the screen was in a different format than what she exported out because all the columns were expanded out.

JB moved to have it entered as an exhibit. LDB said she objected as the witness couldn't identify it as the document that SHE prepared. SUSTAINED


She was then shown a clean copy on her screen. She stated she believed Sgt Stinger prepared this. Even though your report says you did it? She said her report said that she identified the search hit, identified the file and copied it out. The spreadsheet that would have been made from there would have been Sergeant Stinger. She did not work on this document.

No further questions by JB.

CROSS EXAMINATION BY LDB

The hp had a password. The owner profile had a password of rico23 set on 5/14/08.

No further questions.

REDIRECT EXAMINATION BY JB

You wouldn't have to enter a pasword to go on. Depends on the settings as to whether it hibernates.

Witness excused subject to recall shortly. (3:35)
 

Sandra Osborne - expert computer....searched chloro and got all words for that using endcase....search took several hours all day and over nite...find any spelling of word chlorophyl.....one place found in dictionary that comes installed.....hand sanitizer never found.....bamboo....find references aside from dictionary at all....bamboo lanterns, flooring, figurines contain bamboo....furniture....jewlery boxes...fences cookware, basins, rugs, panda bears and tiki bars....any reference to bamboo leaves as a poisionous substance? no....asked to determine whether any indicators of access to Gentiva website....given 3 specific log in names for remote log in search for those 3 terms....never able to find remote log in for Gentiva....

Cross...
JB - when someone deletes somethin from computergoes to anallocated space overwriting....(audio problems)


deleted made reference to file itself residing on that hard drive is told that space is available .....will overwrite that orignal file....when delete things get overwritten never recovered again....the file system.....not done in order ....control over management of files
entire harddrive what has been overwritten hard to tell - it is unoccupioed space.

redirect- is this why sometimes of unallocated space you have fragments of a chat...when that happens when something partially overwritten quite evident to you because fragmented....correct

witness excused.
 
4:11

DIRECT EXAMINATION OF SANDRA OSBORNE BY LDB

Forensic computer examiner with OCSO.

She was asked to search the entire hard drive of the A's HP computer.

The search is done with her software - it's searches the entire hard drive. She used Encase - a forensic application that is widely accepted.

She was initially asked to search - chlorophyl, hand sanitizer and bamboo.

To ensure that any spelling of chlorophyl was found - she searched chloro. It took several hours and she let it run overnight.

In one place she found chlorophyl which was in a Microsoft dictionary that comes with the computer.

She searched for hand sanitizer and she did not find it anywhere on the computer.

She searched for bamboo. She found bamboo figurines, bamboo lanterns, flooring, reference to gaming. Household products would be furniture, lights, panda bears and tiki bars.

She did not find any reference to bamboo leaves.

She searched for access to the Gentiva website for the remote log in. She was not able to find any evidence of any remote log in into Gentiva.

CROSS EXAMINATION BY JB

When someone deletes something from their computer it goes into the unallocated spaces. The deleted data stays in the exact location where it is. When a file is stored on a computer, and then a user deletes the file, the reference to that file is deleted and it makes reference to the file system where the data resides - the computer is then told that that data is available and that will overwrite the original file that was there.

Overwritten items can never be retrieved. The file system has control over the management of the files. It is hard to tell what has been overwritten because the new data overwrites that space.

REDIRECT EXAMINATION BY LDB

Is this why sometimes in unallocated space you will have fragments? Yes.

When there is something that has been overwritten, that is quite obvious.

Witness excused.
 
Status
Not open for further replies.

Members online

Online statistics

Members online
80
Guests online
2,712
Total visitors
2,792

Forum statistics

Threads
590,013
Messages
17,928,986
Members
228,038
Latest member
shmoozie
Back
Top