Websleuths News


  1. #1 -- Join Date: Jul 2008, Posts: 362

    Recreating the Google Search

    There has been recent activity on Facebook and in blogs talking about the
    timestamp anomalies in the files related to the Google search. Those
    postings posit that the .bmp file extension and the matching MACE
    timestamps indicate that the Google search files were planted.
    I thought it would be fun to learn a little about digital forensics and
    recreate the Google search and see what I get for timestamps.
    Over the next few posts I'll share my results and what I did, in case
    someone would like to repeat this.
    Last edited by macd; 07-29-2011 at 02:11 PM.

  2. #2 -- Join Date: Jul 2008, Posts: 362
    The first step is collecting the tools.
    We need a tool to extract the $MFT file.
    I used FTK Imager Lite version 2.9.0 from Access Data.
    http://accessdata.com/support/adownloads

    We need a tool to format the $MFT.
    I used analyzeMFT.py
    http://integriography.wordpress.com/...-released-ood/
    This tool requires Python to be installed.
    http://www.python.org/getit/

  3. #3 -- Join Date: Jul 2008, Posts: 362
    The next step is to do the Google search.

    I went to http://maps.google.com and entered "27518 to fielding drive, raleigh, nc". Then, I entered just "27518". This would be the map that the searcher saw when he searched on 27518, but with an added pin on Fielding Drive to help me pan and zoom.

    Fielding Drive ends up about an inch to the right and half an inch down from the calculated center of 27518. This corroborates the testimony that Fielding Drive was close to the center of 27518, even though it is in a different zip code. It does take a pan along with the zoom to get to Fielding Drive. Easy to do in 42 seconds, impossible to do by accident.

    I then zoomed and panned until I was at maximum zoom over Fielding Drive.

  4. #4 -- Join Date: Jul 2008, Posts: 362
    The next step is to extract the $MFT file.

    Open up FTK. Click "File", then "add evidence item" and point to your hard drive. Open the system/root folder and you should see a file called $MFT.
    Click on "File", "Extract Files", select a destination folder and you'll have a copy of your $MFT.

  5. #5 -- Join Date: Jul 2008, Posts: 362
    The next step is to format the $MFT.

    Open a cmd window and go to the folder that you installed analyzeMFT.py.
    Move your copy of the $MFT to this folder too.

    Run analyzeMFT like this:

    analyzeMFT.py -f $MFT.copy0 -o MFT.csv

    The formatted $MFT file is now saved as MFT.csv.

  6. #6 -- Join Date: Jul 2008, Posts: 362
    Code:
    Field                        Raw Data             Formatted Time
    ---------------------------  -------------------  --------------
    Filename #1                  openhand_8_8[1].bmp
    Std Info Creation date       39265.95316          10:52:33.1
    Std Info Modification date   39265.95316          10:52:33.1
    Std Info Access date         39265.95316          10:52:33.1
    Std Info Entry date          39265.95316          10:52:33.1
    FN Info Creation date        39265.95316          10:52:33.1
    FN Info Modification date    39265.95316          10:52:33.1
    FN Info Access date          39265.95316          10:52:33.1
    FN Info Entry date           39265.95316          10:52:33.1
    Some observations:
    All 8 timestamps for the cursor file are exactly identical.
    The extension of the cursor file is .bmp.

  7. #7
    I'm glad you're looking into this. I have a few questions for you though:

    --What operating system are you using?
    --If you are using Vista, have you enabled the updating for the timestamps? (We know BC's was enabled to update, because other files have updating timestamps, instead of the stagnant, which has been discussed on here).
    --Did you get a cookie file when you visited this site? (I'm really interested in your response to this question).
    --Did you clear the cache before you did this (I'm sure you did).

    I wish we had a copy of the FBI test from 2008 that did this exact same thing, that the judge wouldn't allow the defense to see. I don't know what difference 3+ years will make, but I think the closer in time, the more verifiable the results would be. If I recall correctly, I think the contention was that it was a .cur in 2008, but switched after that point. I'm not sure, but I know there have been quite a few posts about this recently on other sites.

    I'm glad you went the extra step and extracted the $MFT and analyzed it with integriography. Do you know if FBI or defense used a similar program? I can't remember (or maybe they didn't release), which one was specifically used.

  8. #8 -- Join Date: Jul 2008, Posts: 362
    Other Q and A

    What about those invalid timestamps?
    I haven't yet found a repeatable process to create invalid time stamps. But, I have a few on my computer, and Brad had over 12,000 files with invalid time stamps on his. That this is somehow proof that the files are planted doesn't hold water. It's been shown that it does happen for reasons other than "planted evidence". There are 8 timestamps stored for each file. There is nothing special about the SIA Entry Timestamp. It is a number, just like the others. The other seven timestamps point to 1:14pm. I believe that is the correct time.

    But Brad was so smart, how'd he miss this? And what about the missing cookie?
    Here is my theory.

    In July 2008, Windows Internet Explorer Version 8 was publicly available as a Beta download. I would expect an alpha tester to be running Microsoft Beta code. Version 8 is the first version of IE with private browsing. In its initial release it was revealed that: it did not save cookies (as designed), it did save history data (oops, fixed later), and it saved and then did a soft delete of temporary internet files.

    This would be consistent with what was found in Brad's $MFT. The search was in history.dat, there was no cookie file, and there were temporary files still listed in the $MFT.

    Is there anything else that corroborates that this was a real search?
    - Windows System Event Log
    This showed Brad logging into his computer at a time before the search.
    - History.Dat
    The browser history showed a search of "27518" at the time of the search
    - Other Temporary Internet files
    Around the time of the search, other temporary internet files show that Brad was using the computer around this time.
    - Eyewitnesses
    Co-workers testified that they left for lunch with Brad between 1:00 and 1:30. Leaving closer to 1:30 would corroborate that Brad was in his office with his computer at the time of the search.

    But 42 seconds? What good would that do?
    You'd have to ask Brad. My theory was that he had this all planned out already, and at 1:14 he was doing a quick run through in his mind of all the things he needed to do to cover his tracks that night.
    Last edited by macd; 07-29-2011 at 04:39 PM.
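An added example, not macd's code and not analyzeMFT's own output format, that automates the two checks discussed in posts #6 and #8: whether all eight timestamps of an $MFT record (four from $STANDARD_INFORMATION, four from $FILE_NAME) are identical, and, when one of them is unusable, what the remaining seven agree on. It assumes the CSV has one column per timestamp named as in the table above and that the raw values are Excel-style serial days, which is how 39265.95316 becomes 10:52:33 (22:52:33 on a 24-hour clock). The two rows are constructed: the first mirrors the cursor file from the table, the second is an invented record whose $SI entry timestamp is invalid while the other seven point to 1:14 pm.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# The eight per-file timestamps the thread refers to: four from the
# $STANDARD_INFORMATION attribute ("Std Info") and four from the first
# $FILE_NAME attribute ("FN Info"). "Entry date" is the MFT-entry-modified time.
TIMESTAMP_FIELDS = [
    "Std Info Creation date", "Std Info Modification date",
    "Std Info Access date", "Std Info Entry date",
    "FN Info Creation date", "FN Info Modification date",
    "FN Info Access date", "FN Info Entry date",
]

# Constructed sample rows (not real tool output). Column names are assumed.
SAMPLE_CSV = """Record Number,Filename #1,Std Info Creation date,Std Info Modification date,Std Info Access date,Std Info Entry date,FN Info Creation date,FN Info Modification date,FN Info Access date,FN Info Entry date
101,openhand_8_8[1].bmp,39265.95316,39265.95316,39265.95316,39265.95316,39265.95316,39265.95316,39265.95316,39265.95316
102,example_map_tile[1].png,39640.55139,39640.55139,39640.55139,0,39640.55139,39640.55139,39640.55139,39640.55139
"""

# Serial day 0 of Excel's 1900 date system (offset by its fictitious 1900-02-29).
EXCEL_EPOCH = datetime(1899, 12, 30)


def excel_serial_to_datetime(raw):
    """Convert an Excel serial day to a datetime; None if it cannot be a file time."""
    try:
        when = EXCEL_EPOCH + timedelta(days=float(raw))
    except (TypeError, ValueError, OverflowError):
        return None
    # Assumption: a time before NTFS existed (1993) is treated as invalid,
    # the same way a zero or negative raw value would be.
    if when.year < 1993:
        return None
    return when


def analyze_row(row):
    """Compare the eight timestamps of one MFT record.

    Returns the consensus time (the value most of the valid timestamps share),
    the fields that could not be parsed, and the valid fields that disagree.
    """
    parsed = {f: excel_serial_to_datetime(row.get(f)) for f in TIMESTAMP_FIELDS}
    invalid = [f for f in TIMESTAMP_FIELDS if parsed[f] is None]
    valid_raw = [row[f] for f in TIMESTAMP_FIELDS if parsed[f] is not None]
    consensus_raw = Counter(valid_raw).most_common(1)[0][0] if valid_raw else None
    outliers = [f for f in TIMESTAMP_FIELDS
                if parsed[f] is not None and row[f] != consensus_raw]
    return {
        "filename": row["Filename #1"],
        "identical": not invalid and not outliers,
        "consensus": excel_serial_to_datetime(consensus_raw),
        "invalid": invalid,
        "outliers": outliers,
    }


def analyze_csv(text):
    """Run analyze_row over every record of an analyzeMFT-style CSV."""
    return [analyze_row(r) for r in csv.DictReader(io.StringIO(text))]


if __name__ == "__main__":
    for result in analyze_csv(SAMPLE_CSV):
        print(result["filename"], result["consensus"],
              "identical" if result["identical"] else
              f"invalid={result['invalid']} outliers={result['outliers']}")
```

Run against a real MFT.csv by reading the file into `analyze_csv` instead of `SAMPLE_CSV`; the point of reporting a consensus rather than a single field is the one macd makes above: one unusable entry timestamp does not say anything about the other seven.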

  9. #9 -- Join Date: Jul 2008, Posts: 362
    Quote Originally Posted by WolfpackWoman:
    > I'm glad you're looking into this. I have a few questions for you though:
    >
    > --What operating system are you using?
    I don't have Vista, so I'm running the latest version of XP.
    > --If you are using Vista, have you enabled the updating for the timestamps? (We know BC's was enabled to update, because other files have updating timestamps, instead of the stagnant, which has been discussed on here).
    My research told me that a service pack to Windows XP added the same performance enhancement to disable updating the Modified Timestamp. (And my results confirmed that.) The only way to turn it on is to hand-edit the registry file. I don't believe there would be many people who would go through the trouble of hacking their own laptop to make it slower. Certainly an IT professional would not purposely slow down his own computer. There are other explanations for varying timestamps.
    > --Did you get a cookie file when you visited this site? (I'm really interested in your response to this question).
    When I ran the browser in private browsing mode, I did not get a cookie.
    When I ran the browser in "normal" mode, I did get a cookie.
    > --Did you clear the cache before you did this (I'm sure you did).
    No, I'm hacking all this on my personal computer. I don't want to lose my cookies and history. If someone wants to try this in a laboratory environment, I'm happy to answer any questions about my procedure. But that is not my goal. I tried to be as "normal" as possible. My "normal" results were the same results as found on Brad's computer.
    > I wish we had a copy of the FBI test from 2008 that did this exact same thing, that the judge wouldn't allow the defense to see. I don't know what difference 3+ years will make, but I think the closer in time, the more verifiable the results would be. If I recall correctly, I think the contention was that it was a .cur in 2008, but switched after that point. I'm not sure, but I know there have been quite a few posts about this recently on other sites.
    I wish we could get a copy of that hard drive. I'd love to see the $MFT, the windows system event log, and the history.dat. Then we could guess less and talk about what's real.
    > I'm glad you went the extra step and extracted the $MFT and analyzed it with integriography. Do you know if FBI or defense used a similar program? I can't remember (or maybe they didn't release), which one was specifically used.
    I don't recall for sure, but I thought maybe EnCase?

  10. #10 -- Join Date: Jul 2008, Posts: 362
    Isn't it easy to plant files?

    It's been thrown around how easy it is to plant files. As I was learning about the $MFT, I've come to the opinion that it is not.

    Each file has an entry in the $MFT. Each entry has 52 fields.

    Code:
    Record Number
    Good
    Active
    Record type
    Sequence Number
    Parent File Rec. #
    Parent File Rec. Seq. #
    Filename #1
    Std Info Creation date
    Std Info Modification date
    Std Info Access date
    Std Info Entry date
    FN Info Creation date
    FN Info Modification date
    FN Info Access date
    FN Info Entry date
    Object ID
    Birth Volume ID
    Birth Object ID
    Birth Domain ID
    Filename #2
    FN Info Creation date
    FN Info Modify date
    FN Info Access date
    FN Info Entry date
    Filename #3
    FN Info Creation date
    FN Info Modify date
    FN Info Access date
    FN Info Entry date
    Filename #4
    FN Info Creation date
    FN Info Modify date
    FN Info Access date
    FN Info Entry date
    Standard Information
    Attribute List
    Filename
    Object ID
    Volume Name
    Volume Info
    Data
    Index Root
    Index Allocation
    Bitmap
    Reparse Point
    EA Information
    EA
    Property Set
    Logged Utility Stream
    Log/Notes
    STF FN Shift
    uSec Zero
    The Google search was made up of 507 files. 507 x 52 = over 26,000 pieces of data to get right to point to those files. Then you have to get the files on there. And then, get the history.dat files and the windows system event log right to corroborate.

    I don't think that would have been easy.


  11. #11
    > I don't have Vista, so I'm running the latest version of XP.
    > (snipped for space)
    Thanks for taking the time to answer my questions. I am really interested in the cookie thing, because there wasn't one associated with BC's search. I guess it doesn't make sense to me that private browsing would have been selected (and he didn't check to make sure it was really deleting all the files). But that's an interesting idea.

    One last question, do you have 1 google cursor file for that search and multiple across the computer? Or do you have one in general?

    And I think you're right about EnCase, I do remember that being mentioned, along with FTK.

  12. #12 -- Join Date: Jul 2008, Posts: 362
    Quote Originally Posted by WolfpackWoman:
    > Thanks for taking the time to answer my questions. I am really interested in the cookie thing, because there wasn't one associated with BC's search. I guess it doesn't make sense to me that private browsing would have been selected (and he didn't check to make sure it was really deleting all the files). But that's an interesting idea.
    InPrivate browsing was released in Beta in March, 2008. So, it was relatively new to IE, but a popular feature already in competing browsers. It's meant to be used to cover one's tracks online. I've used private browsing on my computer, and I've never double checked to see how well it cleans up after me. Heck, it took me several days of research to learn how I might double check. It'd be like double checking the math on a new calculator. Some things you just trust.
    > One last question, do you have 1 google cursor file for that search and multiple across the computer? Or do you have one in general?
    I can't say for sure, but in my brief testing I have generally found only one file at a time in the $MFT with "openhand" as part of the file name. I think in one case I may have found two. I definitely did not find dozens.
    > And I think you're right about EnCase, I do remember that being mentioned, along with FTK.

  13. #13 Madeleine74 -- Join Date: Apr 2011, Location: USA, Posts: 10,272
    Thanks MacD!

    I just did the search exactly as you posted above, and I too got the same map with Fielding Dr. 1 inch over to the right and 1/2 inch below the point where Google placed the center red mark on the 27518 map. The default zoom level on Google maps is in the middle of the zoom gauge.

    In 42 seconds I was easily able to zoom in and then pan over to the area where the body was left, especially because the wishbone shaped aerial view made it stand out (which was even more obvious in 2008 before those houses had been built on Brittaby Ct). In fact, it took less than 42 seconds to do so, giving another 15+ seconds to look at the area on a closeup aerial view, to take up the full 42 seconds.

    There is no accidental way to do this, you're right. It is a purposeful search with the pan and multiple zoom.

    Remember too that the searcher also logged in to some secure (https) web sites around the time of the map search. One login was to a banking account to check the balance. Another was a login to a secure HiltonHonors website. Additional web usage was on Cisco internal websites. This was after logging in to the laptop on Cisco's secure network, internally, on Fri 7/11/08, as shown in the systems event log. Those secure website logins also had invalid timestamps, as did files accessed days before 7/11/08.

    The cluster of web logins to secure (https) websites all around the same time as the Google map search indicates that only the authorized person was entering those sites. The defense never alleged that the https secure web logins were anything but valid. And yet they too had invalid timestamps (thanks to MS Vista).

  14. #14 -- Join Date: Jul 2008, Posts: 362
    Hi Madeleine,
    I assume you don't want to go through all the steps to extract the $MFT, which you need to find the Entry timestamps. But, you should be able to find the Modified, Accessed, and Created timestamps through normal means.
    Google "find temporary internet files" and the version of windows and browser you are using. You should get a pointer to the right directory. Then look for the file openhand_8_8[1].bmp. If you right-click on it and select properties, you should be able to see some of the timestamps.
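An added example, not macd's code, that does what post #14 describes by script instead of through the Properties dialog: walk a cache folder for the cursor file and report the timestamps the file system exposes for it. The cache layout it builds (a `Content.IE5` subfolder) and the file time it sets (2008-07-11 13:14:00 UTC) are constructed for the demo, and the whole thing runs in a temporary directory so it works without Internet Explorer present; point `find_cached_files` at the real Temporary Internet Files folder to use it for real.

```python
import os
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed value for the demo file's times: 2008-07-11 13:14:00 UTC as Unix epoch seconds.
DEMO_EPOCH = 1215782040


def as_utc(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def file_times(path):
    """Report the timestamps the file system exposes for one file.

    st_mtime and st_atime mean the same on every platform; st_ctime is the
    creation time on Windows but the inode-change time on POSIX, so the third
    entry is labelled according to the platform the script runs on.
    """
    st = os.stat(path)
    third = "created" if sys.platform.startswith("win") else "changed"
    return {
        "modified": as_utc(st.st_mtime),
        "accessed": as_utc(st.st_atime),
        third: as_utc(st.st_ctime),
    }


def find_cached_files(root, pattern="openhand*.bmp"):
    """Walk a cache folder for cursor files.

    The real file name contains "[1]", which glob would read as a character
    class, so the default pattern matches on the prefix instead of the full name.
    """
    return sorted(str(p) for p in Path(root).rglob(pattern) if p.is_file())


def build_demo_cache(root):
    """Create a constructed cache tree with one cursor file at a fixed time."""
    folder = Path(root) / "Content.IE5" / "DEMO0000"  # assumed layout, not a capture
    folder.mkdir(parents=True, exist_ok=True)
    target = folder / "openhand_8_8[1].bmp"
    target.write_bytes(b"BM")  # placeholder bytes, not a real bitmap
    os.utime(target, (DEMO_EPOCH, DEMO_EPOCH))  # sets accessed and modified times
    return str(target)


def demo():
    """Build the constructed cache in a temp dir and return what a scan reports."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_cache(root)
        return [(path, file_times(path)) for path in find_cached_files(root)]


if __name__ == "__main__":
    for path, times in demo():
        print(path)
        for name, when in times.items():
            print(f"  {name:9} {when.isoformat()}")
```

Two caveats when reading the output on a live machine: the accessed time is only meaningful if last-access updating is enabled (post #9 notes that XP's service pack turned it off; on NTFS this is the NtfsDisableLastAccessUpdate setting), and the times shown here are a subset of the eight in the $MFT record, so the $FILE_NAME set and the entry-modified time still require extracting the $MFT as in post #4.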

  15. #15 Madeleine74 -- Join Date: Apr 2011, Location: USA, Posts: 10,272
    Hi mac,

    I didn't feel the need to recreate all the steps you took and examine the $MFT as I trust the results you posted. I could see from your log files what the $MFT looks like. Further, I am running XP on one system and Win7 on another. I was mostly curious if I too would see the 'center' point of the 27518 zip code search and if it looked the same as you described, with Fielding Dr just off to the right and a bit below. And yes, it did, exactly.

    I'm comfortable with the facts as known and verified, along with seeing those https sessions around the same time, that a single person did all those searches within a secure network environment. I was in court the day the https sessions were shown on the overhead screen (that was the day before the Google search was shown to the jury, which I missed). I personally saw the Citibank and HHonors websites, the https secure session screen shots, so I know what those looked like. No one disputed those secure sessions as being valid web logins.

    Further, I've read all your postings in the past in which you explained and showed just how MS Vista and a then-beta copy of IE 8 would create exactly what was seen with the timestamp files, so I don't need to try and recreate it on my own system.

    You've done an outstanding job making what is an obscure technical set of details, into something very understandable for the average Joe/Josephine.

    Thank you for posting this. It is very interesting and quite illuminating.
