wenwe4
Well-Known Member
- Joined
- Oct 6, 2008
- Messages
- 9,499
- Reaction score
- 7,359
HHBP asks if jury allergic to seafood ...may have surprise tonite
Kevin Stinger - Sgt. Computer Crimes OcSo x25 yrs....computer crimes unit formed in 2002, he is Sgt., unit responsible for investigating computer crimes ie: hacking/child *advertiser censored*, cellphone/computer/pda's for evidence....certified credential forensic computer examiner...attended all conferences of IASIS since '96, attended and put on classes, access data and syquest(?) guest lecturer and subject matter expert.....testified in both state and federal court as forensic computer expert....accepted as expert in computer forensics to give opinions....
recovery of info HP computer given by SO by the A family...role ...review Det. Osborne's work - peer review...if she was unfamiliar with something he assisted her....keyword search for chloroform done on HP...active role attempt to preserve info...Osborne observed search hit for word chloroform on the computer asked assistance in what context - she knew internet search unfamiliar with structure it was in....unallocated space - delete file not gone...library analgy - card catelogs = found where stored on the shelf...in order computer can find file has to look up name and find it on unallocated....card gets destroyed no reference to where ....book is still on the shelf...recognized Mozilla Firefox....fan of the tv show - internet history browser much like internet explorer...auto delete clear history on it's own...not aware clears records auto...it may be possible to set it to do so....not auto done....some size limit where action taken? could be a size limit for that version but not aware of it...get rid of internet search history? delete history to dump history records....it is still on your hard drive until such time that space is used again for another file...Mozilla firefox store name of user? no....not record user name in records not set up to do that .....identify where it started and ended and use manual history files to retract info....most files start with a header...this data base says MORK - footer ends with unique # of bytes ....found header & footer and extracted info out into a file...where file begins..tell forensic tool where it starts and how many bytes long file is....it manually extracts info for him - save it into a file name he creates.....tool used encase program.....forensic tools used to intrepret the data...examine hx records....hx file spans date between daylight savings time switches.....at the time he sets his @ daylight standard time...half of the record was always an hour off...use cashe back tool - history record spanned that length of time.....recall/records reflect time spanned...refresh with look @ report for exact dates...spans 3/4/08 - 3/21/08....utlizing casheback provides info not available with other tool - single largest difference show dates and times correctly regardless of how he set his computer...no matter standard or daylight savings time....request Mr. bradley from casheback to review data file copy extracted - subsequent exam and provided a statement with his findings....filter info out of hx of 3/4/08 - 3/21 - two reports for 3/17 and 3/21....dates filtered dates contained info relating to chloroform searches and others done in mozilla firefox....report for 3/17 generated from the computer using casheback program....cashback report generated for 3/21......introduce as evidence ...no object - enter in records....
Info provided to Mr. Bradley in the form of copies of the file that he did exam on....used that same file to do his findings...copy provided exact copy from unalloacted space on that computer
no other questions -cross