Anthony's Computer Forensics

I think what fueled ICA's fantasies were lust & hate. I think the girl is quiet sadistic.

True, I didn't word that very well, did I. I shouldn't blame a book or a game for ICA's evil deeds, they are her own. Point taken.
 
Author talks about the book. [ame="http://www.dailymotion.com/video/x403v9_thrill-a-minute-in-timer-game_shortfilms"]Dailymotion - Thrill-a-Minute in TIMER GAME - a Film & TV video[/ame]

Sounds like a lie she was feeding the family.
 
Urban dictionary for Shovel--

http://www.urbandictionary.com/define.php?term=shovel

I like #3: To bull*****. (to shovel the *****)
When he said he won the lottery, I knew he was shoveling.

This makes so much sense. I could never understand why anyone, even as stupid as her, could possibly have a reason to google 'shovel'.

Now I'm wondering ... Will Baez attempt to discredit the 'shovel' search by claiming someone called her a slang term for a bs artist & she looked it up ? As bizzare as his behavior has been so far, I can see him doing this & thinking it helps his client.
 
At this link here I described my conclusion that Casey logged into the home computer sometime during the early morning hours of July 16 and deleted the Firefox web browser history file in an attempt to cover her tracks in performing the chloroform and other nefarious searches in mid-March, 2008. In this article I stated as evidence:

Casey – not yet a named suspect or person of interest – was more or less free to wander the house. Somehow she came up with an excuse to hop onto the computer, and I think it was to be “helpful” and get some pictures of Caylee to give the police. At 04:41 AM there was a brief blip of activity from the “casey” account – the U3 flash screen from a SanDisk thumb drive registered. What better way to quickly turn over photos of Caylee as part of the missing persons investigation?


Given Casey now had an excuse for being seen at the computer, she managed to find a quiet moment just before 5 AM to log into her “owner” account and quickly erase one or more items she knew might be incriminating, including the Firefox browser history.


Five minutes or so after the login someone surfed to the ATT wireless website and attempted to login to a wireless account. This was done from the “casey” account, so whatever tracks she tried to cover on the “owner” account happened fast and furious. Access to the wireless account appears to have been a success, but I cannot be certain based on the limited information. I think it is a safe bet it was Casey, and she may have been trying to be “helpful” again, this time by locating a number for Zenaida. Perhaps she thought she could erase her phone records, but the fact this was done from the “casey” account indicates she was not being terribly secretive about it, so I think it was the “helpful” Casey in action.
This activity happened 20 to 30 minutes after Casey's taped interview with Yuri Melich concluded. At the time I wrote the article, I had no information as to when Casey and Yuri left on their first tour through Casey's Wonderland. The possibility was still open that Casey was gone when that login occurred, although I felt that, circumstantially, she was the one who logged in.

Well, wouldn't you know...Yuri Melich testified that Casey did in fact turn over a thumb drive with photos of Caylee to "help" in finding he kidnapped daughter. Furthermore, Yuri also testified that Casey printed out a copy of her ATT cell phone records in the hope that the OCSO could identify Zanny's number and track that evil woman down.

What Yuri did not know - but is clearly shown in the computer forensic data - is that someone logged into the password-protected "owner" account that Casey alone used sometime in that short time period between loading the thumb drive (to distract Yuri with a veil of cooperation) and printing out the phone records (icing on the cake of deceit). I have no doubt that LDB's request to discuss the computer forensics with a consultant is to cement the proof that this was the opportunity that Casey took in order to delete the computer searches for chloroform.

I know most of us have been unable to believe Casey had the wherewithal to do anything with chloroform, but clearly she was worried enough by something in her Firefox internet history to delete it while a detective was in the other room.
 
This makes so much sense. I could never understand why anyone, even as stupid as her, could possibly have a reason to google 'shovel'.

Now I'm wondering ... Will Baez attempt to discredit the 'shovel' search by claiming someone called her a slang term for a bs artist & she looked it up ? As bizzare as his behavior has been so far, I can see him doing this & thinking it helps his client.

Perfect.
 
At this link here I described my conclusion that Casey logged into the home computer sometime during the early morning hours of July 16 and deleted the Firefox web browser history file in an attempt to cover her tracks in performing the chloroform and other nefarious searches in mid-March, 2008. In this article I stated as evidence:

This activity happened 20 to 30 minutes after Casey's taped interview with Yuri Melich concluded. At the time I wrote the article, I had no information as to when Casey and Yuri left on their first tour through Casey's Wonderland. The possibility was still open that Casey was gone when that login occurred, although I felt that, circumstantially, she was the one who logged in.

Well, wouldn't you know...Yuri Melich testified that Casey did in fact turn over a thumb drive with photos of Caylee to "help" in finding he kidnapped daughter. Furthermore, Yuri also testified that Casey printed out a copy of her ATT cell phone records in the hope that the OCSO could identify Zanny's number and track that evil woman down.

What Yuri did not know - but is clearly shown in the computer forensic data - is that someone logged into the password-protected "owner" account that Casey alone used sometime in that short time period between loading the thumb drive (to distract Yuri with a veil of cooperation) and printing out the phone records (icing on the cake of deceit). I have no doubt that LDB's request to discuss the computer forensics with a consultant is to cement the proof that this was the opportunity that Casey took in order to delete the computer searches for chloroform.

I know most of us have been unable to believe Casey had the wherewithal to do anything with chloroform, but clearly she was worried enough by something in her Firefox internet history to delete it while a detective was in the other room.

JWG: Brilliant as ever. Good to see you old-school sleuther! and double-thanks.
 
JWG: Brilliant as ever. Good to see you old-school sleuther! and double-thanks.

Add my double thanks, JWG (does that make it quadruple thanks? :rocker:). I pray that these facts come across at trial as eloquently and clearly as it did in your post!! Consciousness of guilt, indeed!
 
Wonder if Deputy Sandra G. Cawn, Orange County Sheriff’s Office was among the computer forensics team spotted in the hallway today? IIRC she is on the SA's witness list.
 
Sandra Cawn (Osborne) on stand testifying about her training relevant to cell phone and computer data extraction. Confirmed she examined a Nokia cellphone once owned and used by ICA, a laptop and desktop (Anthony home) computer and a Nikkon camera.

Game on!
 
Detective Osborne testifiying to accuracy of time and date on video of Caylee Marie taken at the nursing home on June 15, 2008. Compared date and time setting on the camera with current date and time when she received the camera in July. Said there was about a 2 minute difference.
 
Hard drive on desk top examined to locate and retrieve data using N-Case application tool which can examine every bit of information on a hard drive whether the user can see that information or not.
 
Original evidence files created by N Case were stored on a separate hard drive to preserve them. Dectective Osborne does extensive exams on computers and does evaluate information extracted from hard drive as opposed to cell phones which is given to investigators for them to examine the info and make their own conclusions.
 
LDB just told the Judge [Trial June 4, 2011] that she needs permission to have a computer consultant talk with State computer expert witnesses Kevin Stenger and Sandra Cawn Osborne ... LDB said that a month ago this would not have been necessary (George wasn't thrown under the bus so obviously, by the Defense) but issues have arisen, and now it is necessary. We will eventually find out if the Defense is going to say that George did those escort searches and anything else on the computer

Baez said in opening statements that the Inmate "learned to lie"/keep secrets, from her parents - and went on to mention George's alleged affair with River, and implied other things George did with the money scams and such, which the Inmate was forced to keep SECRET (from Cindy). Baez wants to paint George as dishonest and sleazy as he can, so the jurors can have reasonable doubt about George sexually abusing his daughter. Imply that George and his daughter had lots of secrets between them. IMO

http://www.thehinkymeter.com/?p=1826
JWG said: { Mar 5, 2010 - 08:03:09 }
"Janielane – I think it is safe to assume George is responsible for the escort searches. In reviewing the internet history, the searches more often than not coincide with visits to job-hunting sites in the security field, visits to car sites and home improvement sites. The pattern is something like this: Do a little job hunting, read some car reviews, check out a few escort sites.
As I said, creatures of habit."

Could it possibly have something to do with the deposition of John Bradly? In this deposition Baez's asks him how many times were the chloroform pages visited and Mr Bradley says there was ONE visit only to each page on 17 Mar and 21 Mar. Now today he testified there were 84 visits. I have to admit I'm a bit confused about this as no doubt Baez was, although Baez wasn't trying to impeach the witness on his deposition but rather a report made by someone else. I wonder why Baez didn't bring up the depo?

I wonder if Mr Bradly was asked to look at more refined computer reports with consultation from Mr Stenger and Ms Osborne and work out the number of times the pages had been looked at, hence the 84 times - something he didn't have access to when he did his deposition.

Link to Mr Bradly's deposition, only 10 pages are available.

http://www.cfnews13.com/static/arti...thony-deposition-john-dennis-bradley-0413.pdf
 
NICE-- thank you so much for outlining the google searches like this-- I was wondering what google book results she got specifically. And also having trouble actually reading all the hits, so thank you! Also, Ricardo uploaded the "Win her over with chloroform" image to his Facebook account on March 18. I have the screencap of his page here.

Thank you to Nancy who got a screencap of Ricardo's myspace page which shows he added the photo to his account on 18 March.

So if the defense team are dragging Ricardo into the trial and using him and his uploaded image as the reason why ICA was surfing for chloroform, then how do they explain her doing this research a day earlier than when he posted the image? This is really bugging me now.
 
Thank you to Nancy who got a screencap of Ricardo's myspace page which shows he added the photo to his account on 18 March.

So if the defense team are dragging Ricardo into the trial and using him and his uploaded image as the reason why ICA was surfing for chloroform, then how do they explain her doing this research a day earlier than when he posted the image? This is really bugging me now.

IDK...she found or saw the image somewhere showed it to Ricardo ... he thought it was funny, posted it
..ICA in her evil mind saw it as sinister.?
Who knows!
moo
 
Trying to tie a bunch of random conclusions I am drawing together in one neat package. Not sure if it is "neat" to anyone but me. :rolleyes:

As I mentioned previously, the absence of KC surfing history in the internet history file was quite noticeable and seemed to indicate that KC deliberately tried to cover her tracks when surfing the web. George, on the other hand, made no attempt whatsoever - otherwise he would have eliminated evidence he was viewing escort sites.

Although KC covered her tracks, it is likely she took the easy route in doing so. This amounts to hiding her activities from her parents, but it was not enough to hide it from LE.

URL history

If you open either Internet Explorer or Firefox and press CTL-H, you will get the surfing history for that user on that browser. Both organize the history in "folders". Firefox has separate folders for the current and previous six days, as well as a single folder for all activity older than six days. IE has separate folders for the current day, the past week, 2 weeks ago, and 3 weeks ago.

What I believe KC does to cover her tracks is, quite simply, at the end of a surfing session she:

  • Presses CTL-H to bring up the IE history sidebar
  • Right-clicks on the Today folder
  • Presses delete
  • Presses CTL-H to hide the IE history sidebar
The above will erase all surfing activity from 12AM to the current time. This is why I am inclined to believe that KC is responsible for the June 16 2-3PM activity on the home computer. We know from one of the document dumps that someone was on the computer doing quite a bit during that time period, yet the history file shows no activity until 10PM. Someone erased the June 16 history earlier in the day, but not after 10PM. George did not have a habit of erasing his surfing history (such as visits to escort sites), but KC did. :cool:

FWIW, I would not be surprised if KC periodically looked at the contents of the history file to see where George was surfing, and noticed the visits to escort sites. It could be why she spread the story that her parents were getting divorced because of alleged infidelity on George's part.

Cookie history

Note that deleting the history does not delete the cookies - it only deletes the visited URLs.

Cookies can be deleted in IE by clicking Tools then Internet Options on the menu bar. A multi-tabbed window will open, and you would select the General tab. In the middle of that window you will see a Delete Cookies button.

Unfortunately, pressing that button deletes all cookies collected up to that date. There is no evidence this is ever done because cookies are scattered all through the home computer's internet history file.

While not all sites visited on the web leave cookies, many sites KC visited do, such as Facebook, Myspace, Photobucket, and Yahoo. Yet, no cookies from those sites can be found. How did she delete them? :waitasec:

Deleting them selectively is very time-consuming, so I believe that instead she disabled cookies whenever she surfed, then re-enabled them when she finished. This is very simple. Going back to the multi-tabbed window mentioned above, if you click on the Privacy tab you will see a slider that is set to Medium as the default. Sliding it to the top enables the Block All Cookies setting. When done with surfing, she only had to go back to that tab and press Default. It is that simple. :thumb:

The internet cache

As we surf, files used to build web pages are stored on the computer in the Temporary Internet History folder. This mostly consists of images on a web page but can also include style sheets and shockwave files. These files are automatically deleted after some period of time, the default being 20 days in Internet Explorer. The files can also be cleared manually by clicking the Delete Files button on the General tab mentioned above.

It is unknown if KC deleted the cached files, because the computer was seized more than 20 days after her last activity, and the cached files would have been automatically deleted anyway. :banghead:

How did LE recover the deleted history?

As several people have pointed out, when files are deleted, they are not really erased from the hard drive.

Think of your hard drive as a giant library with hundreds of thousands of books (files). Just as you need a simple and fast way to find a specific book in the library, Windows needs a simple and fast way of finding a file on the hard drive. Windows has the equivalent of a card catalog that points to the location on the hard drive of each file. When a file is deleted, windows does nothing more than erase the catalog entry - the file itself remains. :eek:


The space where the deleted file resides is added to the "unallocated sectors" list, meaning it can be used to store a new file or files. Over time, the original file might be partially or completely over-written by one or more other files, but this is not guaranteed. What forensic computer specialists do is use special software to search unallocated space for complete or partial files. This is how KC's Google searches were found. While she may have deleted them, they went into unallocated space and were never over-written. :dance:

KC's chloroform and weapons search

We know KC searched for chloroform, household weapons, and the like between 1:30 and 2:30 PM on March 17 and 21 (Caylee's nap time :mad:). We know the history of these searches had been deleted, as the record was found in the unallocated space.

What I find interesting is that there are cookies present for both days in the internet history file, but none during the search period. Given that George never appears to have turned cookies off when he surfed, this is a strong indication that KC performed the searches and that her standard operating procedure was to turn cookies off.

Of course, the searches may not have been motivated by anything other than curiosity and stream-of-consciousness surfing behavior, but I am pretty confident at this point that it was KC and not George.

BBM

Freaky! This is the exact analogy that was used in court.
 

Members online

Online statistics

Members online
69
Guests online
2,539
Total visitors
2,608

Forum statistics

Threads
590,011
Messages
17,928,937
Members
228,037
Latest member
shmoozie
Back
Top