Anthony's Computer Forensics

New Posts

TURBOTHINK said:
I believe Casey sent those to herself thorough an anonymizer and put in the name she wanted so she could "show" her mother something from work which said she needed to be out that night and CA would keep Caylee for her.
Click to expand...

Correct, it was false. Set up to make it look like she was working for a reputable employer. (As was her phone with all numbers of the people she had set up as ZFG knowers and friends who "knew" about missing Caylee.)


So we know much is faked on her computer. Let's talk about what is there!
 
BondJamesBond said:
Thought the post fit here as well as anywhere.

There are some key items from the computer forensic report that was released w/ the 600pgs that still don't appear on the WS calendar (e.g. IIRC, 6/17 download of pics from 6/15, 7/2 draft of "Diary of Days", etc.).


I just thought I'd throw it out there if anyone want to plow some time into it.
Click to expand...

That's the ticket! But do we have enough info now to infer what was deleted or tanked (by KC or LA) yet?
 
Okay, I was asked by another poster on another thread for the links to the dates Casey searched online for ZF-G prior to Caylee's disappearance. Another forum stated June 12th. Can anyone verify this for me please? I'm not looking for the July 16th date, I want prior to June 15th or earlier. Thanks...
 
nobody2 said:
Thanks, didn't realize we had a thread for this already.

SO, for the optimists in the group, the computer forensics SHOULD probably solve once and for all the issues of whether the child was kidnapped. If she was, or if Casey gave her to someone, I imagine she would be doing research online about it. As "sloppy" as she appeared to be with much of her coverup, I seriously doubt that she would understand that "deleted" computer info can generally be retrieved.
Click to expand...


I really think that KC believed LE would buy her story and hie off like foxhounds looking for the notorious ZFG child kidnapping ring. That the focus would not be on her per se. All her stage design was just that--hollow, paper / electronic images of a faux reality. And you are right: it is very stupid of KC to think that erasing really meant all info was gone. Should have spent less time at Fusian, more time on WS threads? ; )

a ) Alrighty, first dibs on this topic on this thread: Many have already suggested on a prior thread that KC was looking at missing children sites well before Caylee also went "missing" in order to construct a good tale.

However, I also believe she was looking at how aggrieved mothers act and what they say. Got the words just about right, but missed the crocodile tears.

True, this is also o/t since it belongs in psych thread.

b) Chloroform searches really bother me. If, as some have suggested, it was to process meth or for certain sexual practices (ignoring pool idea, too silly), why that sudden clutch of searches, then no more? This follows from the screening of a CSI episode featuring that old fave chloroform as a knock-out agent to subdue a person.

True, this is also o/t since it belongs in theory thread.


HOW do we get out of this cycle?

Anyone have more info?
 
LinasK said:
Okay, I was asked by another poster on another thread for the links to the dates Casey searched online for ZF-G prior to Caylee's disappearance. Another forum stated June 12th. Can anyone verify this for me please? I'm not looking for the July 16th date, I want prior to June 15th or earlier. Thanks...
Click to expand...

Cannot verify with thread tags but there were 3: an early one in Oct 07, a late one July 15-17 2008, and one in June 2008 that is really signficant per timing. Sorry not to be of more help.
 
Mrs. Peel said:
Cannot verify with thread tags but there were 3: an early one in Oct 07, a late one July 15-17 2008, and one in June 2008 that is really signficant per timing. Sorry not to be of more help.
Click to expand...

Thank-you! The Oct. '07 and the June ones are the ones I knew I'd seen. This other poster would not believe without a link. Insisted that July 16th was the only one.
 
LinasK said:
Okay, I was asked by another poster on another thread for the links to the dates Casey searched online for ZF-G prior to Caylee's disappearance. Another forum stated June 12th. Can anyone verify this for me please? I'm not looking for the July 16th date, I want prior to June 15th or earlier. Thanks...
Click to expand...



Ideas: ask Turbothink (seems to have a good handle on info), check the calendar sticky the upper right of the forum, ask the media pundit (Patty G?). BondJamesBond also seems to have facts at fingertips.

I am here mostly to learn about comp forensics. So interesting!
 
LinasK said:
Thank-you! The Oct. '07 and the June ones are the ones I knew I'd seen. This other poster would not believe without a link. Insisted that July 16th was the only one.
Click to expand...

Ha ha ha. :crazy:

I'm not a fact link, but I do remember. Hate the darned dyscalcula. Can't remember numbers unless linked to verbals. : )

But yes, three times. That really got me.

Also another place to look (of course) using advanced search in a ZFG thread.

Tell it!
 
TURBOTHINK said:
I believe Casey sent those to herself thorough an anonymizer and put in the name she wanted so she could "show" her mother something from work which said she needed to be out that night and CA would keep Caylee for her.
Click to expand...

Amazing. She sure worked hard at not working.
 
truthsleuth said:
Amazing. She sure worked hard at not working.
Click to expand...


And the funny thing is, she is really bad about the subject and field. Even I, 52 yo know that data is not erased when you hit delete or even crash a computer. Ie, KC is truly ignorant. But for LE and most of us, that is a plus sign.

Type away, murderous vixen that destroys it's young.

Ok back to computers.
 
Mrs. Peel said:
Cannot verify with thread tags but there were 3: an early one in Oct 07, a late one July 15-17 2008, and one in June 2008 that is really signficant per timing. Sorry not to be of more help.
Click to expand...

Excerpt from the forensics report...

ORANGE COUNTY SHERIFF'S OFFICE
08-069208 COMPUTER FORENSICS REPORT
Zenaida Fernandez Gonzalez
A keyword search for "Zenaida" was conducted on the HP desktop computer. The
following files are records of web pages indicating that someone was searching
for that name on the Internet.

Name: casey@www.reunion[2].txt
Description: File, Archive
File Created: 07/16/08 06:21:17AM
Last Accessed: 07/16/08 06:21:27AM
Last Written: 07/16/08 06:21:27AM
Full Path: 08-069208\S013J10X237614\D\Documents and Settings\casey\Cookies\casey@www.reunion[2].txt
zenaida

Name: history.dat
Description: File, Archive
File Created: 10/22/07 01:13:21PM
Last Accessed: 07/16/08 12:03:24PM
Last Written: 07/16/08 12:03:24PM
Full Path: 08-069208\S013J10X237614\D\Documents and Settings\casey\Application
Data\Mozilla\Firefox\Profiles\mfhaxjkl.default\history.dat
http://friends.myspace.com/index.cfm?fuseaction=user.viewfriends\ =203461948897ec12-9984-4944-b65e-
6dcef3d5a590=zenaida

Name: index.dat
Description: File, Archive
File Created: 06/12/08 11:15:29PM
Last Accessed: 06/12/08 11:15:29PM
Last Written: 07/16/08 04:20:12PM
Full Path: 08-069208\S013J10X237614\D\Documents and Settings\casey\Local Settings\Temporary Internet
Files\Content.IE5\index.dat
http://clk.atdmt.com/RUC/go/whtpgreu0210000164ruc/direct;at.rucreu00001670;ct.1/01?dispatch=show
SearchRegistration&action=peopleSearch_wp_resultcount&city=&mname=&peopleSearchFrom=wp&affiliate
id=131&searchFirstName=zenaida&searchLastName=Gonzalez&searchAge=25

Name: index.dat
Description: File, Archive
File Created: 06/12/08 11:15:29PM
Last Accessed: 06/12/08 11:15:29PM
Last Written: 07/16/08 04:20:12PM
Full Path: 08-069208\S013J10X237614\D\Documents and Settings\casey\Local Settings\Temporary Internet
Files\Content.IE5\index.dat
http://preview.ussearch.com/preview/ala/newsearch?&searchLName=Fernandez&searchState=FL&searchCi
ty=jacksonville&searchFName=Zenaida&adID=303014F936&adsource=8&TID=0&cid=people&searchtab=people
·ð-·newsearch[2]​

Hope this helps. I am not computer forensic savy, but, you need to make sure you pull the string on exactly what this info means before drawing conclusions. I'm sure some WS's will assist w/ any specific questions.
 
The written record is the key here. The file creation date means nothing and the access date depends on the file and when reviewed. File creation is the history files pertinent creation date. You can create a history in IE for instance once you start collection of history. Each time you hit a website it is added as a record to the file as a written record. When you access history to see what history you have in the file, that is accessing the file.

That is the way I understand it as a former IT director. I am not a forensics expert, nor was I in anyway certified in networks or software. Just headed up the departments some years ago.
 
The ZFG searches were talked about in this thread as well...http://www.websleuths.com/forums/showthread.php?t=70663&highlight=zfg+cookies&page=7

Start at post # 161

Lots of explanations and thoughts about the prior July searches...

I am of the opinion that it is not possible to really know from what LE has released if there were prior searched before the July search, the July search is the only one that is validated.
IMOO though I believe there were but can not of course back it up.
 
BondJamesBond said:
Excerpt from the forensics report...

ORANGE COUNTY SHERIFF'S OFFICE
08-069208 COMPUTER FORENSICS REPORT
Zenaida Fernandez Gonzalez
A keyword search for "Zenaida" was conducted on the HP desktop computer. The
following files are records of web pages indicating that someone was searching
for that name on the Internet.

Name: casey@www.reunion[2].txt
Description: File, Archive
File Created: 07/16/08 06:21:17AM
Last Accessed: 07/16/08 06:21:27AM
Last Written: 07/16/08 06:21:27AM
Full Path: 08-069208\S013J10X237614\D\Documents and Settings\casey\Cookies\casey@www.reunion[2].txt
zenaida

Name: history.dat
Description: File, Archive
File Created: 10/22/07 01:13:21PM
Last Accessed: 07/16/08 12:03:24PM
Last Written: 07/16/08 12:03:24PM
Full Path: 08-069208\S013J10X237614\D\Documents and Settings\casey\Application
Data\Mozilla\Firefox\Profiles\mfhaxjkl.default\history.dat
http://friends.myspace.com/index.cfm?fuseaction=user.viewfriends\ =203461948897ec12-9984-4944-b65e-
6dcef3d5a590=zenaida

Name: index.dat
Description: File, Archive
File Created: 06/12/08 11:15:29PM
Last Accessed: 06/12/08 11:15:29PM
Last Written: 07/16/08 04:20:12PM
Full Path: 08-069208\S013J10X237614\D\Documents and Settings\casey\Local Settings\Temporary Internet
Files\Content.IE5\index.dat
http://clk.atdmt.com/RUC/go/whtpgreu0210000164ruc/direct;at.rucreu00001670;ct.1/01?dispatch=show
SearchRegistration&action=peopleSearch_wp_resultcount&city=&mname=&peopleSearchFrom=wp&affiliate
id=131&searchFirstName=zenaida&searchLastName=Gonzalez&searchAge=25

Name: index.dat
Description: File, Archive
File Created: 06/12/08 11:15:29PM
Last Accessed: 06/12/08 11:15:29PM
Last Written: 07/16/08 04:20:12PM
Full Path: 08-069208\S013J10X237614\D\Documents and Settings\casey\Local Settings\Temporary Internet
Files\Content.IE5\index.dat
http://preview.ussearch.com/preview/ala/newsearch?&searchLName=Fernandez&searchState=FL&searchCi
ty=jacksonville&searchFName=Zenaida&adID=303014F936&adsource=8&TID=0&cid=people&searchtab=people
·ð-·newsearch[2]​

Hope this helps. I am not computer forensic savy, but, you need to make sure you pull the string on exactly what this info means before drawing conclusions. I'm sure some WS's will assist w/ any specific questions.
Click to expand...



As my post above explains, the written record to what keywords or history is the only important date. The records on retrieved search results indicates when exactly the actual history "record" was written to the history "files". Creation date is meaningless and only indicates when the file was created and started having records written to it. Access dates are when someone perused history records written in the file.
 
Broderick said:
As my post above explains, the written record to what keywords or history is the only important date. The records on retrieved search results indicates when exactly the actual history "record" was written to the history "files". Creation date is meaningless and only indicates when the file was created and started having records written to it. Access dates are when someone perused history records written in the file.
Click to expand...

OK...I dunno what I'm talking 'bout here :) ...just trying to restate to test my understanding of Broderick's post w/ hope that it'll be confirmed or corrected and help someone else. My selfish/personal interest is in seeing another WS w/ curiosity, tech knowledge & available time, willing to go through the full forensic report and update the Calendar w/ relevant info (e.g. Father's Day pic downloads 6/17, Diary of Days creation, etc.)

Sooo...Broderick...

IOW...for example, the "index.dat" file was created on 6/12. And, IIRC, this particular file will be likely be written to anytime a user browses w/ that software (e.g. IE5 or Mozilla). If this is correct, then 6/12 may represent a date when the browser software was re-loaded, or something to that effect? That would suggest the 6/12 date corresponding to the index.dat file containing ZFG search text tells nothing more than ZFG was searched for as late as 7/16. Correct? Same w/ the history.dat file and Mozilla too, right?

The "last written" dates will IMHO correspond to Lee et.al. doing searches after Casey gave them info.

Again...my goal just to toss this out there if anyone else is interested/available to tackle. IMHO, it would be helpful. TIA!​
 
BondJamesBond said:
OK...I dunno what I'm talking 'bout here :) ...just trying to restate to test my understanding of Broderick's post w/ hope that it'll be confirmed or corrected and help someone else. My selfish/personal interest is in seeing another WS w/ curiosity, tech knowledge & available time, willing to go through the full forensic report and update the Calendar w/ relevant info (e.g. Father's Day pic downloads 6/17, Diary of Days creation, etc.)

Sooo...Broderick...

IOW...for example, the "index.dat" file was created on 6/12. And, IIRC, this particular file will be likely be written to anytime a user browses w/ that software (e.g. IE5 or Mozilla). If this is correct, then 6/12 may represent a date when the browser software was re-loaded, or something to that effect? That would suggest the 6/12 date corresponding to the index.dat file containing ZFG search text tells nothing more than ZFG was searched for as late as 7/16. Correct? Same w/ the history.dat file and Mozilla too, right?

The "last written" dates will IMHO correspond to Lee et.al. doing searches after Casey gave them info.

Again...my goal just to toss this out there if anyone else is interested/available to tackle. IMHO, it would be helpful. TIA!​
Click to expand...

Yes you are correct as I see it. The index.dat file was created on 6-12 or more importantly the last time the history file was created (it can be created upon first use, reload, load, or deletion of a history file). This setup of the file can also be done in the registry or in the browser setup depending on how much filespace you allocate and how many days you wish to record. The only record found related to searching ZFG was done as a record written to the index file on 7-16 - the same with all the history files. Had there been more searches, it would have reflected that. The forensic team was very specific in saying that no searches or history was created on ZFG prior to 7-16 and the detail proves that. Some folks see the history files, or index files' creation dates whereby records are written to as someone doing something prior to 7-16 which is not the case whatsoever.
 
Broderick said:
Yes you are correct as I see it. The index.dat file was created on 6-12 or more importantly the last time the history file was created (it can be created upon first use, reload, load, or deletion of a history file). This setup of the file can also be done in the registry or in the browser setup depending on how much filespace you allocate and how many days you wish to record. The only record found related to searching ZFG was done as a record written to the index file on 7-16 - the same with all the history files. Had there been more searches, it would have reflected that. The forensic team was very specific in saying that no searches or history was created on ZFG prior to 7-16 and the detail proves that. Some folks see the history files, or index files' creation dates whereby records are written to as someone doing something prior to 7-16 which is not the case whatsoever.
Click to expand...

Thanks, Broderick. That makes sense to me. Still - I understand why it may be confusing.

Still no takers on updating the calender :(
 
Nana46 said:
TY for posting this but I cannot get the link to work...is it not there anymore?
Click to expand...

"No good deed goes unpunished", eh? I shoulda tested the link. I grabbed it from the Jury Room. Sorry.
 
You must log in or register to reply here.

DNASolves

Who is Escambia County John Doe (1989)?

Members online

... and 166 more.
Total: 4,433 (members: 167, guests: 4,266)

Online statistics

Members online
167
Guests online
4,266
Total visitors
4,433
Totals may include hidden visitors.

Forum statistics

Threads
592,484
Messages
17,969,518
Members
228,782
Latest member
ChasF419
Back
Top