Anthony's Computer Forensics

I think KC used IE7. Not 100% sure about that though.
You can delete your browsing history, but the files created are still in their sectors on the hard disk. (see my posts above). This link tells you a bit about secure deleting and what it involves:
http://en.wikipedia.org/wiki/Gutmann_method
There is still a debate going on about how NOT recoverable files deleted with this method are. The FBI would have the most sophisticated procedures for recovering deleted files, and I think they are a lot smarter than KC as well.

My hubby's a cop and he says they can get back stuff even after the HD is reformatted. They've got the cool tools. :dance:
 
*snip*

Yes, Ripley, I really do.

And, yes, IIRC, the Blockbuster video time stamp starts around 7:55PM and ends around 8:04PM.

I dunno if I can convince you. I can spell it out on a Theories thread and you're welcome to poke holes in it...which I'm sure won't be that hard to do. ;) Can also include there why the 5/14 traffic stop has something to do w/ 6/9, which has something to do w/ interpreting 6/16.

...again...my apologies for wandering off the beaten path. :blushing:

For my penance, I'll go check George's EPass records and see if that provides any insight into the 6/16 or 6/20 computer usage. :angel:

ETA: Summary of the EPass records here. They are silent re: George between 6/7 and 6/29. Grrrrrrrrr. :doh: Now I just gotta say 10 "Hail Marys" and 10 "Our Fathers" and I'm good. :angel:

Bond-I've got nothing on you! In case you haven't noticed, my posts are personal opinion based. I rely on the truly smart folks like you to give me the "facts". That's why I love to ask questions of you and yours. I'M The one who needs to say a few prayers!!!
So are you saying it's your belief that KC KILLED Caylee just a mere 1/2 hour before being caught on BB's security tape? If so, she's even more heartless and evil than I could have ever imagined!!!

I read a post of yours a long while back, maybe on the other real facts thread...about your theory about the reason for the 6/9 date mix up. Won't spell it all out here...but know that I know...I SO agree with this theory. There is just SO little to support it though...maybe we will be proven right when this case comes to trial. Surely LE knows LOTS that we still don't know, despite all the record releases....I keep going back to the fact that a GJ found reason to indict long before Caylee's body was found.
 
Trying to tie a bunch of random conclusions I am drawing together in one neat package. Not sure if it is "neat" to anyone but me. :rolleyes:

As I mentioned previously, the absence of KC surfing history in the internet history file was quite noticeable and seemed to indicate that KC deliberately tried to cover her tracks when surfing the web. George, on the other hand, made no attempt whatsoever - otherwise he would have eliminated evidence he was viewing escort sites.

Although KC covered her tracks, it is likely she took the easy route in doing so. This amounts to hiding her activities from her parents, but it was not enough to hide it from LE.

URL history

If you open either Internet Explorer or Firefox and press CTL-H, you will get the surfing history for that user on that browser. Both organize the history in "folders". Firefox has separate folders for the current and previous six days, as well as a single folder for all activity older than six days. IE has separate folders for the current day, the past week, 2 weeks ago, and 3 weeks ago.

What I believe KC does to cover her tracks is, quite simply, at the end of a surfing session she:

  • Presses CTL-H to bring up the IE history sidebar
  • Right-clicks on the Today folder
  • Presses delete
  • Presses CTL-H to hide the IE history sidebar
The above will erase all surfing activity from 12AM to the current time. This is why I am inclined to believe that KC is responsible for the June 16 2-3PM activity on the home computer. We know from one of the document dumps that someone was on the computer doing quite a bit during that time period, yet the history file shows no activity until 10PM. Someone erased the June 16 history earlier in the day, but not after 10PM. George did not have a habit of erasing his surfing history (such as visits to escort sites), but KC did. :cool:

FWIW, I would not be surprised if KC periodically looked at the contents of the history file to see where George was surfing, and noticed the visits to escort sites. It could be why she spread the story that her parents were getting divorced because of alleged infidelity on George's part.

Cookie history

Note that deleting the history does not delete the cookies - it only deletes the visited URLs.

Cookies can be deleted in IE by clicking Tools then Internet Options on the menu bar. A multi-tabbed window will open, and you would select the General tab. In the middle of that window you will see a Delete Cookies button.

Unfortunately, pressing that button deletes all cookies collected up to that date. There is no evidence this is ever done because cookies are scattered all through the home computer's internet history file.

While not all sites visited on the web leave cookies, many sites KC visited do, such as Facebook, Myspace, Photobucket, and Yahoo. Yet, no cookies from those sites can be found. How did she delete them? :waitasec:

Deleting them selectively is very time-consuming, so I believe that instead she disabled cookies whenever she surfed, then re-enabled them when she finished. This is very simple. Going back to the multi-tabbed window mentioned above, if you click on the Privacy tab you will see a slider that is set to Medium as the default. Sliding it to the top enables the Block All Cookies setting. When done with surfing, she only had to go back to that tab and press Default. It is that simple. :thumb:

The internet cache

As we surf, files used to build web pages are stored on the computer in the Temporary Internet History folder. This mostly consists of images on a web page but can also include style sheets and shockwave files. These files are automatically deleted after some period of time, the default being 20 days in Internet Explorer. The files can also be cleared manually by clicking the Delete Files button on the General tab mentioned above.

It is unknown if KC deleted the cached files, because the computer was seized more than 20 days after her last activity, and the cached files would have been automatically deleted anyway. :banghead:

How did LE recover the deleted history?

As several people have pointed out, when files are deleted, they are not really erased from the hard drive.

Think of your hard drive as a giant library with hundreds of thousands of books (files). Just as you need a simple and fast way to find a specific book in the library, Windows needs a simple and fast way of finding a file on the hard drive. Windows has the equivalent of a card catalog that points to the location on the hard drive of each file. When a file is deleted, Windows does nothing more than erase the catalog entry - the file itself remains. :eek:

The space where the deleted file resides is added to the "unallocated sectors" list, meaning it can be used to store a new file or files. Over time, the original file might be partially or completely over-written by one or more other files, but this is not guaranteed. What forensic computer specialists do is use special software to search unallocated space for complete or partial files. This is how KC's Google searches were found. While she may have deleted them, they went into unallocated space and were never over-written. :dance:

KC's chloroform and weapons search

We know KC searched for chloroform, household weapons, and the like between 1:30 and 2:30 PM on March 17 and 21 (Caylee's nap time :mad:). We know the history of these searches had been deleted, as the record was found in the unallocated space.

What I find interesting is that there are cookies present for both days in the internet history file, but none during the search period. Given that George never appears to have turned cookies off when he surfed, this is a strong indication that KC performed the searches and that her standard operating procedure was to turn cookies off.

Of course, the searches may not have been motivated by anything other than curiosity and stream-of-consciousness surfing behavior, but I am pretty confident at this point that it was KC and not George.
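
The delete-then-recover behaviour described in the post above, as an added example that is not part of the original thread: a toy disk whose delete only drops the catalog entry, and a carver that searches unallocated sectors for Google search URLs before and after one sector is reused. The `ToyDisk` class, the file names and the history records are constructed for illustration and do not model a real file system or any data from the case.

```python
import re
from urllib.parse import unquote_plus

SECTOR = 64  # toy sector size; real drives use 512 or 4096 bytes


class ToyDisk:
    """Sectors plus a 'card catalog' mapping file name -> list of sector numbers."""

    def __init__(self, sectors=16):
        self.data = bytearray(SECTOR * sectors)
        self.catalog = {}
        self.free = list(range(sectors))

    def write(self, name, content):
        count = -(-len(content) // SECTOR)  # ceiling division
        used = [self.free.pop(0) for _ in range(count)]
        for i, sector in enumerate(used):
            chunk = content[i * SECTOR:(i + 1) * SECTOR]
            start = sector * SECTOR
            self.data[start:start + len(chunk)] = chunk
        self.catalog[name] = used

    def delete(self, name):
        # Deleting drops the catalog entry and marks the sectors reusable.
        # The bytes stored in those sectors are not touched.
        self.free = sorted(self.free + self.catalog.pop(name))

    def unallocated(self):
        # Raw bytes of every free sector, in disk order.
        return b"".join(
            bytes(self.data[s * SECTOR:(s + 1) * SECTOR]) for s in self.free
        )


# Matches a Google search URL, or the tail of one whose start was overwritten.
QUERY_RE = re.compile(
    rb"google\.com/search\?(?:[^\s\x00&]*&)*?q=([^&\s\x00]+)"
)


def carve_queries(raw):
    """Return decoded search terms found anywhere in a raw byte buffer."""
    return [unquote_plus(m.group(1).decode("ascii", "replace"))
            for m in QUERY_RE.finditer(raw)]


def run_demo():
    disk = ToyDisk()
    # Constructed sample history records (not data from the case).
    history = (b"URL http://www.google.com/search?q=weather+orlando\n"
               b"URL http://www.google.com/search?hl=en&q=pizza+coupons\n")
    disk.write("history.dat", history)
    disk.delete("history.dat")
    after_delete = carve_queries(disk.unallocated())
    # A later file reuses the first freed sector and destroys what was there.
    disk.write("letter.txt", b"X" * SECTOR)
    after_reuse = carve_queries(disk.unallocated())
    return "history.dat" in disk.catalog, after_delete, after_reuse


if __name__ == "__main__":
    print(run_demo())
```

The second record straddles two sectors, so after the first sector is reused only its tail survives, yet the search term is still recoverable from the fragment.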
 
JWG - when are you teaching the next WS class on computers/internet?!?!
Seriously - GREAT information for us non-'puter people.
Thanks again.
 
JWG - Excellent work!!

I have one question....so not computer savvy here....when KC would log in under her name on their computer and then check the History as you stated above, it would show all users history on the entire computer or just the history of the person logged in?

ETA: Why would she go to the trouble of deleting her history if no one could see it since they were logging in under different ID's?



Ripley - How are you certain that the shorts Caylee was wearing in the Father's Day video were the ones described at the crime scene?? I thought crime scene = white shorts with pink stripes and the video showed pink shorts??? (of course, I'm probably very wrong!)
 
:bow: We are not worthy...
You Rock JWG! I've come to appreciate your work very very much! Thank you for your many hours of dedication!
 
Thank you INTN.

It appears George, Cindy, and KC all used the same account on the computer. This is why she found it necessary to cover her tracks.

The following accounts on the computer are all password protected: casey, Guest, Owner, HelpAssistant, SUPPORT_388945a, SUPPORT_fddfa9. The last three accounts listed are vendor help and support accounts and would not be seen on the Windows XP welcome screen.

The Guest account had not been accessed since 05/28/07. The Owner account had a last login of 7/16/08, as did the Casey account. These are the only two possible accounts used by the family.

Internet activity shows up only under the Casey account (a user), and it kind of makes sense they stayed away from the Owner account (an administrator). It is awfully dangerous to surf the internet as an administrator unless you have some hefty firewall software, and I think KC was savvy enough to avoid doing that. Either that, or she was not savvy enough to create accounts for George and Cindy.

Of course, I am assuming they had XP professional installed. Maybe not - maybe it was the home edition, which I am unfamiliar with. The home edition may have certain limitations on account usage and configuration.

ETA: The passwords for all six accounts were updated simultaneously on 05/14/08 at 08:49:19AM. Just an observation...not sure how one does that though, unless the accounts are all one and the same.
 
Based on my limited knowledge I believe the only time the information cannot be retrieved is when the computer is wiped; reformatting and deleting do not get rid of the information.
 
Just deleting the file would not be good enough. It can be retrieved as long as that part of the hard disk has not been overwritten with another file. However, there are plenty of freeware programs available on-line which do just that. The software I have does a Gutmann delete (overwrites 35 times). I wonder if KC had something like this installed? All these files are kept in your profile, so she could run the software and it would only delete her internet history, not GA's.

Thank you so much for answering me!
 
KC did not attempt to erase files in unallocated space, as her infamous Google searches from one year ago tomorrow (:mad:) were found in unallocated sectors.

As an aside, no LE agency possesses the type of sensor equipment needed to identify the possible 1's or 0's that have been over-written on a drive, nor the computer horsepower to separate the wheat from the statistical chaff - as Gutmann theorizes is possible to do. Maybe, maybe, the CIA or NSA could do it on a high-value hard drive, but the cost of doing so would be extraordinary.

In other words, if a deleted file was written over in unallocated space, LE would never find it.
 
Trying to tie a bunch of random conclusions I am drawing together in one neat package. Not sure if it is "neat" to anyone but me. :rolleyes:

As I mentioned previously, the absence of KC surfing history in the internet history file was quite noticeable and seemed to indicate that KC deliberately tried to cover her tracks when surfing the web. George, on the other hand, made no attempt whatsoever - otherwise he would have eliminated evidence he was viewing escort sites.
~Snipped~

Snipped for space. Bold is mine

LOL, ya know I was gonna ask you last night if he was visiting *advertiser censored* sites.

As always, thanks for your hard work!
 
Is there any place I can read the above theory about 6/9? Thanks!
 
OT to computer forensics, but, here you go...

Post#54 of the thread here is a good place to start. FWIW, IIRC, the description George gave of Caylee's clothes for 6/16 may be the same as or very similar to the description he allegedly gave of the friends-of-the-family-@-a-mall-near-Seminole-County-sighting 6/12.
 
Sorry, can't snip any of this. WOW! Just WOW! I hope LE and FBI have a computer forensic guy as good as you!
 
FBI do have agents like that. They would make us look like amateurs.
BTW Windows XP home edition doesn't have limitations on accounts. You can do the same as you can with XP Professional, and a bit more.
 
Excellent work JWG.
Here we see KC being her usual self:
Sneaky. Enough to fool her parents.
Lazy. Couldn't be bothered to find out about how files are deleted - she could have googled THAT and worked it out. She is intelligent enough.
Arrogant. Thought that fooling her parents would be enough to hide her activities. I'll bet it was like following footsteps in the snow for LE.
 
1. I don't believe KC turned off cookies while surfing. Too many sites, including many she frequented, require that cookies are turned on. Otherwise, they (the sites) won't work. There has to be another reason certain cookies are missing... Sure, selectively deleting cookies is time consuming, but she had plenty of time and was on the computer a lot.
 
I see what you mean publius. I tried using Facebook without cookies enabled, to no avail. :doh:

I guess it would not be too difficult to go to C:\Documents and Settings\Casey\Cookies, sort by date, and just delete the ones she knew she just set during her previous browse time.

In fact, again revisiting the thought that KC knew George was occasionally surfing escort sites, viewing the sorted cookie folder would be a very easy way for her to have stumbled upon his surfing history, IMO. :blushing:
 
Which reminds me, I hope we get a jury that can follow some of this stuff because it will be very important to pin the surfing on KC. I saw Judge Judy on Larry King last night and she thought a young person buying "wallpaper" was actually going to do a wall and had no idea what wallpaper was for a cell phone. That made me think of this case and cringe!!!!
 