Recreating the Google Search

Discussion in 'Nancy Cooper' started by macd, Jul 29, 2011.

Thread Status:
Not open for further replies.
  1. macd

    There has been recent activity on Facebook and in blogs talking about the
    timestamp anomalies in the files related to the Google search. Those
    postings posit that the .bmp file extension and the matching MACE
    timestamps indicate that the Google search files were planted.
    I thought it would be fun to learn a little about digital forensics and
    recreate the Google search and see what I get for timestamps.
    Over the next few posts I'll share my results and what I did, in case
    someone would like to repeat this.
     
  4. macd

    The next step is to do the Google search.

    I went to http://maps.google.com and entered "27518 to fielding drive, raleigh, nc". Then, I entered just "27518". This would be the map that the searcher saw when he searched on 27518, but with an added pin on Fielding Drive to help me pan and zoom.

    Fielding Drive ends up about an inch to the right and half an inch down from the calculated center of 27518. This corroborates the testimony that Fielding Drive was close to the center of 27518, even though it is in a different zip code. It does take a pan with the zoom to get to Fielding Drive. Easy to do in 42 seconds, impossible to do by accident.

    I then zoomed and panned until I was at maximum zoom over Fielding Drive.
     
  5. macd

    The next step is to extract the $MFT file.

    Open up FTK. Click "File", then "add evidence item" and point to your hard drive. Open the system/root folder and you should see a file called $MFT.
    Click on "File", "Extract Files", select a destination folder and you'll have a copy of your $MFT.
     
  6. macd

    The next step is to format the $MFT.

    Open a cmd window and go to the folder where you installed analyzeMFT.py.
    Move your copy of the $MFT to this folder too.

    Run analyzeMFT like this:

    analyzeMFT.py -f $MFT.copy0 -o MFT.csv

    The formatted $MFT file is now saved as MFT.csv.
     
  7. macd

    Code:
    Field                          Raw Data             Formatted Time
    -----------------------------  -------------------  --------------
    Filename #1                    openhand_8_8[1].bmp
    Std Info Creation date         39265.95316          10:52:33.1
    Std Info Modification date     39265.95316          10:52:33.1
    Std Info Access date           39265.95316          10:52:33.1
    Std Info Entry date            39265.95316          10:52:33.1
    FN Info Creation date          39265.95316          10:52:33.1
    FN Info Modification date      39265.95316          10:52:33.1
    FN Info Access date            39265.95316          10:52:33.1
    FN Info Entry date             39265.95316          10:52:33.1
    
    Some observations:
    All 8 timestamps for the cursor file are exactly identical.
    The extension of the cursor file is .bmp.
     
  8. WolfpackWoman

    I'm glad you're looking into this. I have a few questions for you though:

    --What operating system are you using?
    --If you are using Vista, have you enabled the updating for the timestamps? (We know BC's was enabled to update, because other files have updating timestamps, instead of the stagnant, which has been discussed on here).
    --Did you get a cookie file when you visited this site? (I'm really interested in your response to this question).
    --Did you clear the cache before you did this (I'm sure you did).

    I wish we had a copy of the FBI test from 2008 that did this exact same thing, that the judge wouldn't allow the defense to see. I don't know what difference 3+ years will make, but I think the closer in time, the more verifiable the results would be. If I recall correctly, I think the contention was that it was a .cur in 2008, but switched after that point. I'm not sure, but I know there have been quite a few posts about this recently on other sites.

    I'm glad you went the extra step and extracted the $MFT and analyzed it with Integriography. Do you know if the FBI or defense used a similar program? I can't remember (or maybe they didn't release) which one was specifically used.
     
  9. macd

    Other Q and A

    What about those invalid timestamps?
    I haven't yet found a repeatable process to create invalid time stamps. But, I have a few on my computer, and Brad had over 12,000 files with invalid time stamps on his. That this is somehow proof that the files are planted doesn't hold water. It's been shown that it does happen for reasons other than "planted evidence". There are 8 timestamps stored for each file. There is nothing special about the SIA Entry Timestamp. It is a number, just like the others. The other seven timestamps point to 1:14pm. I believe that is the correct time.

    But Brad was so smart, how'd he miss this? And what about the missing cookie?
    Here is my theory.

    In July 2008, Windows Internet Explorer Version 8 was publicly available as a Beta download. I would expect an alpha tester to be running Microsoft Beta code. Version 8 is the first version of IE with private browsing. In its initial release it was revealed that: it did not save cookies (as designed), it did save history data (oops, fixed later), and it saved and then did a soft delete of temporary internet files.

    This would be consistent with what was found in Brad's $MFT. The search was in history.dat, there was no cookie file, and there were temporary files still listed in the $MFT.

    Is there anything else that corroborates that this was a real search?
    - Windows System Event Log
    This showed Brad logging into his computer at a time before the search.
    - History.Dat
    The browser history showed a search of "27518" at the time of the search
    - Other Temporary Internet files
    Around the time of the search, other temporary internet files show that Brad was using the computer around this time.
    - Eyewitnesses
    Co-workers testified that they left for lunch with Brad between 1:00 and 1:30. Leaving closer to 1:30 would corroborate that Brad was in his office with his computer at the time of the search.

    But 42 seconds? What good would that do?
    You'd have to ask Brad. My theory was that he had this all planned out already, and at 1:14 he was doing a quick run-through in his mind of all the things he needed to do to cover his tracks that night.
     
  10. macd

    I don't have Vista, so I'm running the latest version of XP.
    My research told me that a service pack to Windows XP added the same performance enhancement to disable updating the Modified Timestamp. (And my results confirmed that.) The only way to turn it on is to hand-edit the registry file. I don't believe there would be many people who would go through the trouble of hacking their own laptop to make it slower. Certainly an IT professional would not purposely slow down his own computer. There are other explanations for varying timestamps.
    When I ran the browser in private browsing mode, I did not get a cookie.
    When I ran the browser in "normal" mode, I did get a cookie.
    No, I'm hacking all this on my personal computer. I don't want to lose my cookies and history. If someone wants to try this in a laboratory environment, I'm happy to answer any questions about my procedure. But that is not my goal. I tried to be as "normal" as possible. My "normal" results were the same results as found on Brad's computer.
    I wish we could get a copy of that hard drive. I'd love to see the $MFT, the windows system event log, and the history.dat. Then we could guess less and talk about what's real.
    I don't recall for sure, but I thought maybe EnCase?
     
  11. macd

    Isn't it easy to plant files?

    It's been thrown around how easy it is to plant files. As I was learning about the $MFT, I've come to the opinion that it is not.

    Each file has an entry in the $MFT. Each entry has 52 fields.

    Code:
    Record Number
    Good
    Active
    Record type
    Sequence Number
    Parent File Rec. #
    Parent File Rec. Seq. #
    Filename #1
    Std Info Creation date
    Std Info Modification date
    Std Info Access date
    Std Info Entry date
    FN Info Creation date
    FN Info Modification date
    FN Info Access date
    FN Info Entry date
    Object ID
    Birth Volume ID
    Birth Object ID
    Birth Domain ID
    Filename #2
    FN Info Creation date
    FN Info Modify date
    FN Info Access date
    FN Info Entry date
    Filename #3
    FN Info Creation date
    FN Info Modify date
    FN Info Access date
    FN Info Entry date
    Filename #4
    FN Info Creation date
    FN Info Modify date
    FN Info Access date
    FN Info Entry date
    Standard Information
    Attribute List
    Filename
    Object ID
    Volume Name
    Volume Info
    Data
    Index Root
    Index Allocation
    Bitmap
    Reparse Point
    EA Information
    EA
    Property Set
    Logged Utility Stream
    Log/Notes
    STF FN Shift
    uSec Zero
    
    The Google search was made up of 507 files. 507 x 52 = over 26,000 pieces of data to get right to point to those files. Then you have to get the files on there. And then, get the history.dat files and the windows system event log right to corroborate.

    I don't think that would have been easy.
     
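As an added example (not macd's procedure or analyzeMFT's own code), here is a small Python script that reads analyzeMFT-style CSV rows like the ones in the table above, converts the Excel day serials in the "Raw Data" column to clock times, and applies two checks the thread touches on: all eight timestamps identical (the cursor file), and an SI creation time earlier than the FN creation time, which is how I read the "STF FN Shift" column in the field list. The CSV rows are constructed for illustration and the column names are taken from the list; the meaning of "STF FN Shift" is my reading, not something the thread states.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed analyzeMFT-style rows (a subset of its 52 columns). Timestamps are
# Excel day serials, the "Raw Data" form shown in the thread. The first row copies
# the cursor file from the post; the other two are made up for illustration.
SAMPLE_CSV = """Filename #1,Std Info Creation date,Std Info Modification date,Std Info Access date,Std Info Entry date,FN Info Creation date,FN Info Modification date,FN Info Access date,FN Info Entry date
openhand_8_8[1].bmp,39265.95316,39265.95316,39265.95316,39265.95316,39265.95316,39265.95316,39265.95316,39265.95316
notes.txt,39260.50000,39262.25000,39263.12500,39263.12500,39260.50000,39260.50000,39260.50000,39260.50000
backdated.exe,39100.00000,39100.00000,39100.00000,39265.60000,39265.60000,39265.60000,39265.60000,39265.60000
"""

SI_COLS = ["Std Info Creation date", "Std Info Modification date",
           "Std Info Access date", "Std Info Entry date"]
FN_COLS = ["FN Info Creation date", "FN Info Modification date",
           "FN Info Access date", "FN Info Entry date"]

# Excel serials count days from this epoch (correct for serials >= 61).
EXCEL_EPOCH = datetime(1899, 12, 30)
# Five decimals of a day is about 0.86 s; differences below that count as equal.
# Sub-second precision is lost at this resolution, so a "uSec Zero" style check
# (SI times with an empty fractional second) cannot be applied to these values.
TOLERANCE = 1e-5


def serial_to_datetime(serial):
    """Convert an Excel day serial such as 39265.95316 to a naive datetime."""
    return EXCEL_EPOCH + timedelta(days=float(serial))


def analyze_row(row):
    """Return anomaly flags for one MFT record (one CSV row)."""
    si = [float(row[c]) for c in SI_COLS]
    fn = [float(row[c]) for c in FN_COLS]
    stamps = si + fn
    return {
        # All 8 identical: the file was written once and never touched again,
        # as with a freshly cached image. Normal for a download on its own.
        "all_eight_identical": max(stamps) - min(stamps) < TOLERANCE,
        # $STANDARD_INFORMATION creation older than $FILE_NAME creation. Both are
        # set together when the file is created, and ordinary file APIs only
        # rewrite the SI copy, so an older SI value points at a manually set time.
        "si_created_before_fn": fn[0] - si[0] > TOLERANCE,
    }


def analyze_csv(text):
    """Map each filename to its flags plus its SI creation time as a datetime."""
    results = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row["Filename #1"]
        results[name] = analyze_row(row)
        results[name]["si_created"] = serial_to_datetime(row[SI_COLS[0]])
    return results


if __name__ == "__main__":
    for name, info in analyze_csv(SAMPLE_CSV).items():
        when = info["si_created"].strftime("%Y-%m-%d %H:%M:%S")
        print(name, when, {k: v for k, v in info.items() if k != "si_created"})
```

Run against a real MFT.csv, the check flags records worth a closer look; it does not by itself prove a file was altered, which is the same caution the thread applies to "invalid" timestamps.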
  12. WolfpackWoman

    Thanks for taking the time to answer my questions. I am really interested in the cookie thing, because there wasn't one associated with BC's search. I guess it doesn't make sense to me that private browsing would have been selected (and he didn't check to make sure it was really deleting all the files). But that's an interesting idea.

    One last question, do you have 1 google cursor file for that search and multiple across the computer? Or do you have one in general?

    And I think you're right about EnCase, I do remember that being mentioned, along with FTK.
     
  13. macd

    InPrivate browsing was released in Beta in March 2008. So, it was relatively new to IE, but a popular feature already in competing browsers. It's meant to be used to cover one's tracks online. I've used private browsing on my computer, and I've never double-checked to see how well it cleans up after me. Heck, it took me several days of research to learn how I might double-check. It'd be like double-checking the math on a new calculator. Some things you just trust.
    I can't say for sure, but in my brief testing I have generally found only one file at a time in the $MFT with "openhand" as part of the file name. I think in one case I may have found two. I definitely did not find dozens.
     
  14. Madeleine74

    Thanks MacD!

    I just did the search exactly as you posted above, and I too got the same map with Fielding Dr. 1 inch over to the right and 1/2 inch below the point where Google placed the center red mark on the 27518 map. The default zoom level on Google maps is in the middle of the zoom gauge.

    In 42 seconds I was easily able to zoom in and then pan over to the area where the body was left, especially because the wishbone shaped aerial view made it stand out (which was even more obvious in 2008 before those houses had been built on Brittaby Ct). In fact, it took less than 42 seconds to do so, giving another 15+ seconds to look at the area on a closeup aerial view, to take up the full 42 seconds.

    There is no accidental way to do this, you're right. It is a purposeful search with the pan and multiple zoom.

    Remember too that the searcher also logged in to some secure (https) web sites around the time of the map search. One login was to a banking account to check the balance. Another was a login to a secure HiltonHonors website. Additional web usage was on Cisco internal websites. This was after logging in to the laptop on Cisco's secure network, internally, on Fri 7/11/08, as shown in the systems event log. Those secure website logins also had invalid timestamps, as did files accessed days before 7/11/08.

    The cluster of web logins to secure (https) websites all around the same time as the Google map search indicates that only the authorized person was entering those sites. The defense never alleged that the https secure web logins were anything but valid. And yet they too had invalid timestamps (thanks to MS Vista).
     
  15. macd

    Hi Madeleine,
    I assume you don't want to go through all the steps to extract the $MFT, which you need to find the Entry timestamps. But, you should be able to find the Modified, Accessed, and Created timestamps through normal means.
    Google "find temporary internet files" and the version of Windows and browser you are using. You should get a pointer to the right directory. Then look for the file openhand_8_8[1].bmp. If you right-click on it and select Properties, you should be able to see some of the timestamps.
     
  16. Madeleine74

    Hi mac,

    I didn't feel the need to recreate all the steps you took and examine the $MFT as I trust the results you posted. I could see from your log files what the $MFT looks like. Further, I am running XP on one system and Win7 on another. I was mostly curious if I too would see the 'center' point of the 27518 zip code search and if it looked the same as you described, with Fielding Dr just off to the right and a bit below. And yes, it did, exactly.

    I'm comfortable with the facts as known and verified, along with seeing those https sessions around the same time, that a single person did all those searches within a secure network environment. I was in court the day the http sessions were shown on the overhead screen (that was the day before the google search was shown to the jury, which I missed). I personally saw the Citibank and HHonors websites, the https secure session screen shots, so I know what those looked like. No one disputed those secure sessions as being valid web logins.

    Further, I've read all your postings in the past in which you explained and showed just how MS Vista and a then-beta copy of IE 8 would create exactly what was seen with the timestamp files, so I don't need to try and recreate it on my own system.

    You've done an outstanding job making what is an obscure technical set of details, into something very understandable for the average Joe/Josephine.

    Thank you for posting this. It is very interesting and quite illuminating.
     
  17. jrb0124

    Thanks for pinging me on this, I will take a detailed look.

    One thing though - I have entertained the possibility that BC did do a search...but 3 days later, after he was advised of the location of the body.

    I seriously doubt any files were planted per se, but I do believe both that some files may have been "looked at" prior to a bona fide forensic exam, and that timestamps of those files might be inaccurate.

    GM did proffer that there were traces of "human interface", and tampering (his testimony is posted here). He did testify that the cookie / Google watermark appeared "forged". That could mean any number of things - again not necessarily a planted file.

    The foreman essentially said that this piece of evidence was the evidence that convicted BC, and that no one testified that it was tampered with. This will put tremendous scrutiny on Judge Gessner's decision to preclude GM's testimony, and limit JW's testimony. In truth, expert witnesses - to be qualified to testify to something - need only be more knowledgeable about that "something" than the collective experience of the jury.

    Will take a detailed look at your process and reply to that later - thanks again!
     
  18. macd

    This is a response to a blog post from another site made today.
    The Cary Police followed their protocol: seal the crime scene until a trained detective gets there. The computer was left exactly as Brad left it, until a computer-trained detective arrived to collect it. The computer was inside the house, the house was sealed with yellow tape and kept under guard. The computer remained powered on with the screen and keyboard locked, and with the network secured by VPN.
    The updates were normal updates pushed from Cisco through the VPN. Normal updates include software updates, automated backups, automated email downloads, and defragmentation.
    ok
    There were 8 timestamps associated with each file. 7 of the 8 were valid and indicated that Friday afternoon. One was reported "invalid". No testimony was given on what was invalid about it.
    ok
    Routers do not store logs of packet routing.
    Or, it means that private browsing was used, or it means that Brad erased it.
    ok
    Use of private browsing is one explanation.
    Private browsing turned off is an explanation for that. Turning private browsing on and off regularly is normal for that feature.
    I suggest the plan was in place for at least a week and he had searched this area before. Who knows what he was thinking: second thoughts, mental rehearsing? Certainly the planning did not begin on Friday morning.
    The script that pushes software updates to a company's computers would use the administrator's password. It would be normal for this password to be changed remotely as part of an update.
    That would be normal due to the normal automated processes: backups, downloads, defrags, and updates.
    The judge ruled that the MFT did not have to be handed over, but the prosecution handed it over anyway. The MFT was on the evidence table for the jury to see, and GM's PowerPoint slides on the MFT were part of the defense closing arguments.
    ok

    All told, to sum up: everything is normal, or it's just saying the police didn't do a thorough enough job collecting data. I wish they did get more data from Google... I'll bet there would have been searches on choking, decomposition, and cleaning. He got those things right.
     
  19. Madeleine74

    There's much talk about a .cur file. However, Google stores the file as a .bmp file in the cache. This is shown, very clearly, in the screenshot below. Look at the name of the cache file in the middle (closedhand_8_8[1].bmp).

    There is no conspiracy with these files.

     
  20. Madeleine74

    Further, the last access time on BC's computer is around 21:00 UTC on 7/15/08. That translates to around 5pm on that day and that is also the last time BC was on his laptop computer in his home office.

    According to testimony, the house was secured right after 5pm, yellow tape went up, and CCBI later did their exam outside on the car and loaded that up on a flatbed to take to be processed. Testimony is that no one else entered the upstairs office, no one touched the laptop, and the records show the detectives left the premises and went home until CCBI was available to come back the next morning with a new shift starting. There were hours where no one was in the house, there were cops posted to ensure no entry...each one of them testified.
     
  21. macd

    I'll wait for your complete reply before responding to your other points, but since the foreman isn't here to correct the record, I'll post his exact words on this subject. The point being that they did recognize and consider other circumstantial evidence.
     