I think I have a mental picture worked out now that reconciles some of the inconsistencies we were seeing, and brought a few surprises to me.
First, a BIG TY to Valhall :clap: for closely reading the Photobucket investigative report and for finding the link to "
Work a Case with EnCase" which answered a number of nagging questions I had about the software. Some still remain because all we have are two pages of grainy black-and-white bar graphs, but that link helped immensely. :thumb:
Val's info straightened me out in a couple of areas. First, the
Photobucket timestamps are Mountain Time and not Central Time. Way back when I created Photobucket upload graphs (before investigative material had been released), I had assumed the timestamps were Eastern Time. When the Photobucket investigative report was released, included were materials from Bright House Networks (the ISP provider for the Anthony's
and for Tony) listing events in Central Time. I assumed then that the uploads were in Central Time. Notice I assumed twice...and we know that when one assumes, they make an :butthead: out of you and me.
This means I have a bit of work to do ... I need to go back and fix my Photobucket upload graphs. :bang:
The big thing I learned is that the three dots in several slots of the encase graphs are not noise found in a poor-quality image...
they are real and significant data. I had thought those slots indicated no computer activity. Instead,
they indicate extremely heavy computer activity.
IMHO, the 17th becomes a significant and rather
twisted day of activity at the Anthony home. :crazy:
Val's link
here shows a red line when George was at work, but she notes it ignores his commute time. I think we need to consider that as well as the fact that George often left home even earlier to run some errands. Thus, on the 17th, I believe George was gone well before 2:30 PM.
KC pings from the Anthony home by 2:30 PM, and she could have been there as early as 2:25 PM. She leaves between 4:05 PM and 4:10 PM.
Encase shows light to moderate use of the desktop from 12 to 1 and then very light use from 1 to 2 PM. I believe this was George, and the density of activity indicates he got off the computer shortly after 1 PM. (BTW, there is a record of him doing job searching from 11 to 12 that morning and this does not show up in EnCase...this is one example of why Bond thinks there is a 1-hour shift in the EnCase report)
Assuming for now EnCase does not need time shifting (maybe the cookies need it)....
The activity from 2 -3 PM on the desktop is through the roof. This implies that once KC arrived at the home, she powered up the system and went solidly to work. Activity on the laptop, while not "though the roof" is very, very high. She may be doing a mass-copy from one system to the other.
From 3 - 4 PM the activity on both systems is "though the roof", further validating a mass-copy is underway.
From 4 - 5 PM the desktop is quiet and the laptop activity is rather light, indicating some activity up to a few minutes after 4 and then a shutdown.
Cell ping indications from KC and Tony's phone, along with Tony's testimony, tell us that KC left her parents shortly after 4PM to meet Tony at a house he and three buddies were considering renting. KC drove Tony back to his apartment in her car, making this the only time Tony rode in her car after Caylee went missing.
What was surprising to me was that, according to neighbor Brian B., the 17th was one of the three days he noticed KC had backed into the garage. I had assumed (there I go again
) this meant she was spending time trying to deal with the body.
Instead, computer activity and cell phone activity tell us she was doing something else entirely.
