Recreating the Google Search

Status
Not open for further replies.

macd (New Member, joined Jul 21, 2008):
There has been recent activity on Facebook and in blogs talking about the
timestamp anomalies in the files related to the Google search. Those
postings posit that the .bmp file extension and the matching MACE
timestamps indicate that the Google search files were planted.
I thought it would be fun to learn a little about digital forensics and
recreate the Google search and see what I get for timestamps.
Over the next few posts I'll share my results and what I did, in case
someone would like to repeat this.
 
The next step is to do the Google search.

I went to http://maps.google.com and entered "27518 to fielding drive, raleigh, nc". Then, I entered just "27518". This would be the map that the searcher saw when he searched on 27518, but with an added pin on Fielding Drive to help me pan and zoom.

Fielding Drive ends up about an inch to the right and a half an inch down from the calculated center of 27518. This corroborates the testimony that Fielding Drive was close to the center of 27518, even though it is in a different zip code. It does take panning along with the zoom to get to Fielding Drive. Easy to do in 42 seconds, impossible to do by accident.

I then zoomed and panned until I was at maximum zoom over Fielding Drive.
 
The next step is to extract the $MFT file.

Open up FTK. Click "File", then "add evidence item" and point to your hard drive. Open the system/root folder and you should see a file called $MFT.
Click on "File", "Extract Files", select a destination folder and you'll have a copy of your $MFT.
 
The next step is to format the $MFT.

Open a cmd window and go to the folder in which you installed analyzeMFT.py.
Move your copy of the $MFT to this folder too.

Run analyzeMFT like this:

analyzeMFT.py -f $MFT.copy0 -o MFT.csv

The formatted $MFT file is now saved as MFT.csv.
 
Code:
Field                       Raw Data             Formatted Time
--------------------------  -------------------  --------------
Filename #1                 openhand_8_8[1].bmp
Std Info Creation date      39265.95316          10:52:33.1
Std Info Modification date  39265.95316          10:52:33.1
Std Info Access date        39265.95316          10:52:33.1
Std Info Entry date         39265.95316          10:52:33.1
FN Info Creation date       39265.95316          10:52:33.1
FN Info Modification date   39265.95316          10:52:33.1
FN Info Access date         39265.95316          10:52:33.1
FN Info Entry date          39265.95316          10:52:33.1

Some observations:
All 8 timestamps for the cursor file are exactly identical.
The extension of the cursor file is .bmp.
 
I'm glad you're looking into this. I have a few questions for you though:

--What operating system are you using?
--If you are using Vista, have you enabled the updating for the timestamps? (We know BC's was enabled to update, because other files have updating timestamps, instead of the stagnant, which has been discussed on here).
--Did you get a cookie file when you visited this site? (I'm really interested in your response to this question).
--Did you clear the cache before you did this (I'm sure you did).

I wish we had a copy of the FBI test from 2008 that did this exact same thing, that the judge wouldn't allow the defense to see. I don't know what difference 3+ years will make, but I think the closer in time, the more verifiable the results would be. If I recall correctly, I think the contention was that it was a .cur in 2008, but switched after that point. I'm not sure, but I know there have been quite a few posts about this recently on other sites.

I'm glad you went the extra step and extracted the $MFT and analyzed it with integriography. Do you know if FBI or defense used a similar program? I can't remember (or maybe they didn't release), which one was specifically used.
 
Other Q and A

What about those invalid timestamps?
I haven't yet found a repeatable process to create invalid time stamps. But, I have a few on my computer, and Brad had over 12,000 files with invalid time stamps on his. That this is somehow proof that the files are planted doesn't hold water. It's been shown that it does happen for reasons other than "planted evidence". There are 8 timestamps stored for each file. There is nothing special about the SIA Entry Timestamp. It is a number, just like the others. The other seven timestamps point to 1:14pm. I believe that is the correct time.

But Brad was so smart, how'd he miss this? And what about the missing cookie?
Here is my theory.

In July 2008, Windows Internet Explorer Version 8 was publicly available as a Beta download. I would expect an alpha tester to be running Microsoft Beta code. Version 8 is the first version of IE with private browsing. In its initial release it was revealed that: it did not save cookies (as designed), it did save history data (oops, fixed later), and it saved and then did a soft delete of temporary internet files.

This would be consistent with what was found in Brad's $MFT. The search was in history.dat, there was no cookie file, and there were temporary internet files still listed in the $MFT.

Is there anything else that corroborates that this was a real search?
- Windows System Event Log
This showed Brad logging into his computer at a time before the search.
- History.Dat
The browser history showed a search of "27518" at the time of the search.
- Other Temporary Internet files
Around the time of the search, other temporary internet files show that Brad was using the computer around this time.
- Eyewitnesses
Co-workers testified that they left for lunch with Brad between 1:00 and 1:30. Leaving closer to 1:30 would corroborate that Brad was in his office with his computer at the time of the search.

But 42 seconds? What good would that do?
You'd have to ask Brad. My theory was that he had this all planned out already, and at 1:14 he was doing a quick run through in his mind of all the things he needed to do to cover his tracks that night.
 
I'm glad you're looking into this. I have a few questions for you though:

--What operating system are you using?
I don't have Vista, so I'm running the latest version of XP.
--If you are using Vista, have you enabled the updating for the timestamps? (We know BC's was enabled to update, because other files have updating timestamps, instead of the stagnant, which has been discussed on here).
My research told me that a service pack to Windows XP added the same performance enhancement to disable updating the Modified Timestamp. (And my results confirmed that.) The only way to turn it on is to hand-edit the registry. I don't believe there would be many people who would go through the trouble of hacking their own laptop to make it slower. Certainly an IT professional would not purposely slow down his own computer. There are other explanations for varying timestamps.
--Did you get a cookie file when you visited this site? (I'm really interested in your response to this question).
When I ran the browser in private browsing mode, I did not get a cookie.
When I ran the browser in "normal" mode, I did get a cookie.
--Did you clear the cache before you did this (I'm sure you did).
No, I'm hacking all this on my personal computer. I don't want to lose my cookies and history. If someone wants to try this in a laboratory environment, I'm happy to answer any questions about my procedure. But that is not my goal. I tried to be as "normal" as possible. My "normal" results were the same results as found on Brad's computer.
I wish we had a copy of the FBI test from 2008 that did this exact same thing, that the judge wouldn't allow the defense to see. I don't know what difference 3+ years will make, but I think the closer in time, the more verifiable the results would be. If I recall correctly, I think the contention was that it was a .cur in 2008, but switched after that point. I'm not sure, but I know there have been quite a few posts about this recently on other sites.
I wish we could get a copy of that hard drive. I'd love to see the $MFT, the windows system event log, and the history.dat. Then we could guess less and talk about what's real.
I'm glad you went the extra step and extracted the $MFT and analyzed it with integriography. Do you know if FBI or defense used a similar program? I can't remember (or maybe they didn't release), which one was specifically used.
I don't recall for sure, but I thought maybe enCase?
 
Isn't it easy to plant files?

It's been thrown around how easy it is to plant files. As I was learning about the $MFT, I've come to the opinion that it is not.

Each file has an entry in the $MFT. Each entry has 52 fields.

Code:
Record Number
Good
Active
Record type
Sequence Number
Parent File Rec. #
Parent File Rec. Seq. #
Filename #1
Std Info Creation date
Std Info Modification date
Std Info Access date
Std Info Entry date
FN Info Creation date
FN Info Modification date
FN Info Access date
FN Info Entry date
Object ID
Birth Volume ID
Birth Object ID
Birth Domain ID
Filename #2
FN Info Creation date
FN Info Modify date
FN Info Access date
FN Info Entry date
Filename #3
FN Info Creation date
FN Info Modify date
FN Info Access date
FN Info Entry date
Filename #4
FN Info Creation date
FN Info Modify date
FN Info Access date
FN Info Entry date
Standard Information
Attribute List
Filename
Object ID
Volume Name
Volume Info
Data
Index Root
Index Allocation
Bitmap
Reparse Point
EA Information
EA
Property Set
Logged Utility Stream
Log/Notes
STF FN Shift
uSec Zero
The Google search was made up of 507 files. 507 x 52 = over 26,000 pieces of data to get right to point to those files. Then you have to get the files on there. And then, get the history.dat files and the windows system event log right to corroborate.

I don't think that would have been easy.
 
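Added example, not part of the thread and not code from analyzeMFT.py, FTK or the case evidence: a small Python parser that reads the same eight timestamps discussed in the analyzeMFT output above (four from $STANDARD_INFORMATION, four from $FILE_NAME) directly out of a raw 1024-byte $MFT record, applies the update sequence fixups that any record parser must apply, and then checks the two things that the "STF FN Shift" and "uSec Zero" columns in the field list above represent: an SI timestamp that predates its FN counterpart (SetFileTime() from user mode rewrites SI, only the kernel writes FN), and an SI timestamp whose sub-second field is exactly zero, which whole-second user-mode tools leave behind. The two records it runs on are constructed in the code (build_record is test scaffolding, not a real $MFT); the file name is taken from the thread and every date is made up.

```python
"""Eight-timestamp check for one NTFS $MFT record. Added example for this thread,
not code from analyzeMFT.py or the case evidence; records below are constructed."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_SI, ATTR_FN, END_MARKER = 0x10, 0x30, 0xFFFFFFFF
MACE = ("created", "modified", "entry_modified", "accessed")  # on-disk order

def dt_to_filetime(dt):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def apply_fixups(rec):
    """Undo the update sequence array: on disk the last two bytes of every
    512-byte sector hold the USN and the real bytes sit in the array."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, out = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):
        if out[i * 512 - 2:i * 512] != usn:
            raise ValueError("USN mismatch in sector %d" % (i - 1))
        out[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def parse_mft_record(rec):
    """Return the $STANDARD_INFORMATION times and every $FILE_NAME attribute."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(rec)
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    parsed = {"record": struct.unpack_from("<I", rec, 0x2C)[0],
              "in_use": bool(flags & 1), "si": None, "filenames": []}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if rec[off + 8] == 0:  # resident attribute (SI and FN always are)
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_SI:
                parsed["si"] = dict(zip(MACE, struct.unpack_from("<4Q", body, 0)))
            elif atype == ATTR_FN:
                parsed["filenames"].append({
                    "name": body[66:66 + 2 * body[64]].decode("utf-16-le"),
                    "fn": dict(zip(MACE, struct.unpack_from("<4Q", body, 8)))})
        off += alen
    return parsed

def timestamp_anomalies(parsed):
    """SI times are what Explorer shows and what SetFileTime() can rewrite from
    user mode; FN times are written only by the kernel. Flag an SI time that
    predates its FN twin (analyzeMFT's 'STF FN Shift') and an SI time whose
    sub-second field is zero, as whole-second tools leave it ('uSec Zero')."""
    flags, si = [], parsed["si"]
    for key, val in si.items():
        if val % 10_000_000 == 0:
            flags.append("SI %s has a zero sub-second field" % key)
    for fn in parsed["filenames"]:
        for key in MACE:
            if si[key] < fn["fn"][key]:
                flags.append("SI %s %s predates FN %s (%s)" % (
                    key, filetime_to_dt(si[key]), filetime_to_dt(fn["fn"][key]), fn["name"]))
    return flags

def build_record(name, si_times, fn_times, record_number=0x2B67):
    """Build a minimal 1024-byte FILE record with resident SI and FN attributes
    and a genuine update sequence (constructed test data, not a real $MFT)."""
    def attribute(atype, body):
        total = (0x18 + len(body) + 7) & ~7
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0, len(body), 0x18, 0, 0)
        return hdr + body + bytes(total - 0x18 - len(body))
    si_body = struct.pack("<4Q4I", *map(dt_to_filetime, si_times), 0x20, 0, 0, 0)
    fn_body = struct.pack("<Q4QQQIIBB", 5, *map(dt_to_filetime, fn_times), 4096, 3126,
                          0x20, 0, len(name), 1) + name.encode("utf-16-le")
    attrs = attribute(ATTR_SI, si_body) + attribute(ATTR_FN, fn_body) + struct.pack("<I", END_MARKER)
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HHQHHHHII", rec, 4, 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(attrs), 1024)
    struct.pack_into("<QHHI", rec, 0x20, 0, 3, 0, record_number)
    rec[0x38:0x38 + len(attrs)] = attrs
    rec[0x30:0x32] = b"\x01\x00"  # USN; stash each sector's last word, then overwrite it
    for end in (512, 1024):
        rec[0x30 + end // 256:0x32 + end // 256] = rec[end - 2:end]
        rec[end - 2:end] = b"\x01\x00"
    return bytes(rec)

# Constructed records. Clean: all eight stamps identical, as in the post above.
# Stomped: really written three days later (FN), SI backdated to a whole second.
T_CLEAN = datetime(2008, 7, 11, 17, 14, 33, 137000, tzinfo=timezone.utc)
T_REAL = datetime(2008, 7, 14, 19, 2, 11, 503000, tzinfo=timezone.utc)
T_FAKE = datetime(2008, 7, 11, 17, 14, 0, tzinfo=timezone.utc)
CLEAN_RECORD = build_record("openhand_8_8[1].bmp", [T_CLEAN] * 4, [T_CLEAN] * 4)
STOMPED_RECORD = build_record("openhand_8_8[1].bmp", [T_FAKE] * 4, [T_REAL] * 4)

if __name__ == "__main__":
    for label, rec in (("clean", CLEAN_RECORD), ("stomped", STOMPED_RECORD)):
        print(label, timestamp_anomalies(parse_mft_record(rec)) or "no anomalies")
```

The clean record produces no flags: all eight values agree and carry a non-zero 100 ns fraction, which is what the table above shows. The backdated record produces eight flags, four per check. To run the same checks on a real extract, replace the constructed records with 1024-byte slices of the $MFT copy that FTK wrote out; neither check alone proves tampering (a zero fraction also appears on files copied by tools that truncate to whole seconds, and SI-before-FN appears on files restored from backup), which is why the thread's other corroboration, the event log and history.dat, matters.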
I don't have Vista, so I'm running the latest version of XP.

snipped for space

Thanks for taking the time to answer my questions. I am really interested in the cookie thing, because there wasn't one associated with BC's search. I guess it doesn't make sense to me that private browsing would have been selected (and he didn't check to make sure it was really deleting all the files). But that's an interesting idea.

One last question, do you have 1 google cursor file for that search and multiple across the computer? Or do you have one in general?

And I think you're right about EnCase, I do remember that being mentioned, along with FTK.
 
Thanks for taking the time to answer my questions. I am really interested in the cookie thing, because there wasn't one associated with BC's search. I guess it doesn't make sense to me that private browsing would have been selected (and he didn't check to make sure it was really deleting all the files). But that's an interesting idea.
InPrivate Browsing was released in Beta in March, 2008. So, it was relatively new to IE, but a popular feature already in competing browsers. It's meant to be used to cover one's tracks online. I've used private browsing on my computer, and I've never double checked to see how well it cleans up after me. Heck, it took me several days of research to learn how I might double check. It'd be like double checking the math on a new calculator. Some things you just trust.
One last question, do you have 1 google cursor file for that search and multiple across the computer? Or do you have one in general?
I can't say for sure, but in my brief testing I have generally found only one file at a time in the $MFT with "openhand" as part of the file name. I think in one case I may have found two. I definitely did not find dozens.
And I think you're right about EnCase, I do remember that being mentioned, along with FTK.
 
Thanks MacD!

I just did the search exactly as you posted above, and I too got the same map with Fielding Dr. 1 inch over to the right and 1/2 inch below the point where Google placed the center red mark on the 27518 map. The default zoom level on Google maps is in the middle of the zoom gauge.

In 42 seconds I was easily able to zoom in and then pan over to the area where the body was left, especially because the wishbone shaped aerial view made it stand out (which was even more obvious in 2008 before those houses had been built on Brittaby Ct). In fact, it took less than 42 seconds to do so, giving another 15+ seconds to look at the area on a closeup aerial view, to take up the full 42 seconds.

There is no accidental way to do this, you're right. It is a purposeful search with the pan and multiple zoom.

Remember too that the searcher also logged in to some secure (https) web sites around the time of the map search. One login was to a banking account to check the balance. Another was a login to a secure HiltonHonors website. Additional web usage was on Cisco internal websites. This was after logging in to the laptop on Cisco's secure network, internally, on Fri 7/11/08, as shown in the systems event log. Those secure website logins also had invalid timestamps, as did files accessed days before 7/11/08.

The cluster of web logins to secure (https) websites all around the same time as the Google map search indicates that only the authorized person was entering those sites. The defense never alleged that the https secure web logins were anything but valid. And yet they too had invalid timestamps (thanks to MS Vista).
 
Hi Madeleine,
I assume you don't want to go through all the steps to extract the $MFT, which you need to find the Entry timestamps. But, you should be able to find the Modified, Accessed, and Created timestamps through normal means.
Google "find temporary internet files" and the version of Windows and browser you are using. You should get a pointer to the right directory. Then look for the file openhand_8_8[1].bmp. If you right-click on it and select Properties, you should be able to see some of the timestamps.
 
Hi mac,

I didn't feel the need to recreate all the steps you took and examine the $MFT as I trust the results you posted. I could see from your log files what the $MFT looks like. Further, I am running XP on one system and Win7 on another. I was mostly curious if I too would see the 'center' point of the 27518 zip code search and if it looked the same as you described, with Fielding Dr just off to the right and a bit below. And yes, it did, exactly.

I'm comfortable with the facts as known and verified, along with seeing those https sessions around the same time, that a single person did all those searches within a secure network environment. I was in court the day the http sessions were shown on the overhead screen (that was the day before the google search was shown to the jury, which I missed). I personally saw the Citibank and HHonors websites, the https secure session screen shots, so I know what those looked like. No one disputed those secure sessions as being valid web logins.

Further, I've read all your postings in the past in which you explained and showed just how MS Vista and a then-beta copy of IE 8 would create exactly what was seen with the timestamp files, so I don't need to try and recreate it on my own system.

You've done an outstanding job making what is an obscure technical set of details, into something very understandable for the average Joe/Josephine.

Thank you for posting this. It is very interesting and quite illuminating.
 
Thanks for pinging me on this, I will take a detailed look.

One thing though - I have entertained the possibility that BC did do a search...but 3 days later, after he was advised of the location of the body.

I seriously doubt any files were planted per se, but I do believe both that some files may have been "looked at" prior to a bona fide forensic exam, and that timestamps of those files might be inaccurate.

GM did proffer that there were traces of "human interface", and tampering (his testimony is posted here). He did testify that the cookie / Google watermark appeared "forged". That could mean any number of things - again not necessarily a planted file.

The foreman essentially said that this piece of evidence was the evidence that convicted BC, and that no one testified that it was tampered with. This will put tremendous scrutiny on Judge Gessner's decision to preclude GM's testimony, and limit JW's testimony. In truth, expert witnesses - to be qualified to testify to something - need only be more knowledgeable about that "something" than the collective experience of the jury.

Will take a detailed look at your process and reply to that later - thanks again!
 
This is a response to a blog post from another site made today.
A summary of computer related facts:

Cary Police neglected to follow forensic protocols – the computer was left on and connected to the internet for 27 hours while in police custody.
The Cary Police followed their protocol: seal the crime scene until a trained detective gets there. The computer was left exactly as Brad left it, until a computer-trained detective arrived to collect it. The computer was inside the house, the house was sealed with yellow tape and kept under guard. The computer remained powered on with the screen and keyboard locked, and with the network secured by VPN.

During that 27 hour time frame, close to 700 files were altered and they were not all due to normal updates. Included were internet history files and email archives.
The updates were normal updates pushed from Cisco through the VPN. Normal updates include software updates, automated backups, automated email downloads, and defragmentation.

The computer wasn’t hashed until August 22nd, ’08 so files could have been planted on the computer anytime up until that point.
ok

All of the timestamps associated with the “search” were invalid, 100% of them, compared to only 2% over the lifetime of the computer.
There were 8 timestamps associated with each file. 7 of the 8 were valid and indicated that Friday afternoon. One was reported "invalid". No testimony was given on what was invalid about it.

The Cary Police neglected to subpoena Google for the cookie data on the computer, even though it is a common thing for law enforcement to do to verify that files originated from the computer being investigated. Even cookies from after the search could have provided the browsing history.
ok

Cary Police never requested verification of the search through the Cisco routers.
Routers do not store logs of packet routing.

No cookie exists for the alleged search. This is suspicious because it is the only type of file that can not be manufactured.
Or, it means that private browsing was used, or it means that Brad erased it.

Cary police waited until after the Google Privacy policy expired to give the defense access to the computer and files – making it too late for the defense to contact Google to obtain the metadata on the cookies.
ok

No cookie exists but the temporary internet files were there. There is no explanation why anyone would take the time to delete the cookies but leave the temporary internet files.
Use of private browsing is one explanation.

Cookies for other searches were found on the computer.
Private browsing turned off is an explanation for that. Turning private browsing on and off regularly is normal for that feature.

The alleged search lasted a total of 42 seconds, not long enough to locate a site to place a body.
I suggest the plan was in place for at least a week and he had searched this area before. Who knows what he was thinking: second thoughts, mental rehearsing? Certainly the planning did not begin on Friday morning.

Passwords were changed.
The script that pushes software updates to a company's computers would use the administrator's password. It would be normal for this password to be changed remotely as part of an update.

Time/date and timestamps were changed while the computer was in police custody.
That would be normal due to the normal automated processes: backups, downloads, defrags, and updates.

The prosecutors used “national Security” concerns as a reason not to share the MFT and file extraction methods with the defense team so that their own experts could duplicate the file extraction.
The judge ruled that the MFT did not have to be handed over, but the prosecution handed it over anyway. The MFT was on the evidence table for the jury to see, and GM's PowerPoint slides on the MFT were part of the defense closing arguments.

Chain of custody documentation is unclear.
ok

All told, to sum up, everything is normal, or it's just saying the police didn't do a thorough enough job collecting data. I wish they did get more data from Google... I'll bet there would have been searches on choking, decomposition, and cleaning. He got those things right.
 
There's much talk about a .cur file. However, Google stores the file as a .bmp file in the cache. This is shown, very clearly, in the screenshot below. Look at the name of the cache file in the middle (closedhand_8_8[1].bmp).

There is no conspiracy with these files.


[Attachment: screenshot of the browser cache folder showing closedhand_8_8[1].bmp]
 
Further, the last access time on BC's computer is around 21:00 UTC on 7/15/08. That translates to around 5pm on that day and that is also the last time BC was on his laptop computer in his home office.

According to testimony, the house was secured right after 5pm, yellow tape went up, and CCBI later did their exam outside on the car and loaded that up on a flatbed to take to be processed. Testimony is that no one else entered the upstairs office, no one touched the laptop, and the records show the detectives left the premises and went home until CCBI was available to come back the next morning with a new shift starting. There were hours where no one was in the house, there were cops posted to ensure no entry...each one of them testified.
 
The foreman essentially said that this piece of evidence was the evidence that convicted BC, and that no one testified that it was tampered with.

I'll wait for your complete reply before responding to your other points, but since the foreman isn't here to correct the record, I'll post his exact words on this subject. The point being that they did recognize and consider other circumstantial evidence.
The evidence presented by Special Agents Johnson and Chappell drove the outcome on this
case. It caused [a lot of] the other circumstantial evidence to become relevant and credible.
 