State v Bradley Cooper 4-28-2011

New Posts

Status
Not open for further replies.
ncsu95 said:
still not sure what the columns represent. But since the first column has 2012 timestamps, I'm wondering if the second is the Unix time associated with determining the experiation time (or whatever that first column is).
Click to expand...
Header attached.

"Unix time" (or more appropriately described now as POSIX Time) is not a classification of timestamps. It is a statement of what format the timestamp is in. They are all POSIX times.

BTW, there are many timestamps in my TIF files that look probably invalid. E.g., dates in the late 80's and early 90's. I only picked the obviously invalid ones.

BTW2, in my research, I found nothing that indicated that all 8 timestamps being identical is suspicious. There are many sites that tell you what to look for as indicators of intrusion. None of them mentioned identical timestamps.

In fact p. 235 of this document says:

To summarize, when a file is created from scratch, all $STANDARD_INFORMATION and $FILE_NAME values are set to the current time.
Click to expand...

The .bmp files are created from scratch (unless they already exist). So, it seems like you should expect them to have identical times unless something happens to cause the browser to have to go open/read them again, hence updating the access time.

But, I'd strong encourage you to do your own research. You're not going to believe mine anyway. Or, stick to believing the "experts", their accuracy has been great so far. :crazy:
 

Attachments

  • filelocatorheader.jpg
    filelocatorheader.jpg
    3.6 KB · Views: 11
SleuthSayer said:
Header attached.

"Unix time" (or more appropriately described now as POSIX Time) is not a classification of timestamps. It is a statement of what format the timestamp is in. They are all POSIX times.

BTW, there are many timestamps in my TIF files that look probably invalid. E.g., dates in the late 80's and early 90's. I only picked the obviously invalid ones.

BTW2, in my research, I found nothing that indicated that all 8 timestamps being identical is suspicious. There are many sites that tell you what to look for as indicators of intrusion. None of them mentioned identical timestamps.

In fact p. 235 of this document says:



The .bmp files are created from scratch (unless they already exist). So, it seems like you should expect them to have identical times unless something happens to cause the browser to have to go open/read them again, hence updating the access time.

But, I'd strong encourage you to do your own research. You're not going to believe mine anyway. Or, stick to believing the "experts", their accuracy has been great so far. :crazy:
Click to expand...

I'm curious if you watched yesterday's Offer of Proof?
 
SleuthinNC said:
So we have quacked the case of the missing ducks but what is the significance of the sticks?

We know there was a broken hyoid bone and a line on the neck but not a distinct ligature mark. Could a stick or something similar have been used to commit the crime?
Click to expand...

No, these were small decorative sticks.
 
SleuthSayer said:
Header attached.

"Unix time" (or more appropriately described now as POSIX Time) is not a classification of timestamps. It is a statement of what format the timestamp is in. They are all POSIX times.

BTW, there are many timestamps in my TIF files that look probably invalid. E.g., dates in the late 80's and early 90's. I only picked the obviously invalid ones.

BTW2, in my research, I found nothing that indicated that all 8 timestamps being identical is suspicious. There are many sites that tell you what to look for as indicators of intrusion. None of them mentioned identical timestamps.

In fact p. 235 of this document says:



The .bmp files are created from scratch (unless they already exist). So, it seems like you should expect them to have identical times unless something happens to cause the browser to have to go open/read them again, hence updating the access time.

But, I'd strong encourage you to do your own research. You're not going to believe mine anyway. Or, stick to believing the "experts", their accuracy has been great so far. :crazy:
Click to expand...

It's not the timestamps are equal on all files that's suspicious--it's that the timestamps are identical on the CURSOR file. That file, by it's nature, MUST update, according to all three experts now (Johnson, Masucci and Ward), when a page is navigated.
 
sunshine05 said:
I forgot to add, invalid timestamps can occur if something isn't recognized by the computer so it doesn't issue the file a valid time stamp.
Click to expand...

If only the Fielding Drive Zoom file had the invalid time stamp, then that would be an Ah-Ha. Since there were 500+ files with invalid time stamps, and in fact every single google file, clearly there was something systemic that caused all these files to end up in this state.

500+ files with the same symptoms is not consistent with the Fielding Drive Zoom file being dropped on the system.
 
WolfpackWoman said:
Regarding the Invalid Timestamp issue, Kurtz and Masucci stated yesterday, while showing the graphs, that no files with a creation date before June 23 had invalid timestamps. They made a point to say that included all of the system files that reflected 2001 or 1970 dates for instance. Then there were no invalid timestamps until that week in July that Nancy went missing. The invalid timestamps were ones that literally said "invalid" or had crazy in the future dates like 2897, etc.
Click to expand...

Was the crazy future date 2038?
The Unix time counts the number of seconds since 1/1/1970. On a 32-bit system:
Minimum Unix Time (0) = 1/1/1970
Maximum Unix Time (0xFFFFFFFF) = 1/19/2038
 
macd said:
Was the crazy future date 2038?
The Unix time counts the number of seconds since 1/1/1970. On a 32-bit system:
Minimum Unix Time (0) = 1/1/1970
Maximum Unix Time (0xFFFFFFFF) = 1/19/2038
Click to expand...

OK wait you are suddenly making very good sense to me. If the search was originally done on a linux machine the timestamps would be in unix time. If those files were then dropped on to a Windows Vista machine there would be an operating system mismatch. This could cause those timestamps to show as invalid. Right?
 
Status
Not open for further replies.

DNASolves

Who is Escambia County John Doe (1989)?

Members online

... and 131 more.
Total: 3,171 (members: 132, guests: 3,039)

Online statistics

Members online
132
Guests online
3,039
Total visitors
3,171
Totals may include hidden visitors.

Forum statistics

Threads
592,567
Messages
17,971,143
Members
228,818
Latest member
TheMidge
Back
Top