Anthony's Computer Forensics

I've been looking through the mountain of computer forensic data released last September and uploaded yesterday to a file sharing site by dedicated websleuther Muzikman. :rocker:

I posted yesterday on the escort service surfing activity, and I will have more to say about that in a future post. Suffice it to say, I am 99% certain George is solely responsible for the visits to escort sites, :blushing: and KC is uninvolved in that surfing activity.

This evening I took a close look at the visits to missing person's websites widely reported last September in the media. My conclusion is that KC did not visit missing persons websites prior to Caylee's disappearance. In fact, I do not believe she is responsible for those visits at all. :eek:

Following is the raw data for the visits in question:

07/16/2008 14:51:37 06/24/2008 16:01:46 http://www.missingkids.com/photographs/NCMC1097725c1t.jpg
07/16/2008 14:51:31 07/03/2008 01:28:12 http://www.missingkids.com/photographs/NCMC1099693c1t.jpg
07/16/2008 14:51:25 07/10/2008 11:37:33 http://www.missingkids.com/photographs/NCMC1096469c1t.jpg
07/16/2008 14:51:24 05/27/2008 12:58:47 http://www.missingkids.com/photographs/NCMC1096536c1t.jpg
07/16/2008 14:51:24 04/24/2008 16:06:48 http://www.missingkids.com/photographs/NCMC1094062c2t.jpg
07/16/2008 14:51:24 04/24/2008 16:06:48 http://www.missingkids.com/photographs/NCMC1094062c1t.jpg
07/16/2008 14:51:24 05/03/2008 17:07:29 http://www.missingkids.com/photographs/NCMC1094659c1t.jpg
07/16/2008 14:51:24 06/23/2008 15:30:12 http://www.missingkids.com/photographs/NCMC1098504c1t.jpg
07/16/2008 14:51:24 04/24/2008 16:06:48 http://www.missingkids.com/photographs/NCMC1094062c3t.jpg
07/16/2008 14:51:24 06/24/2008 14:14:01 http://www.missingkids.com/photographs/NCMC1098088c1t.jpg
07/16/2008 14:51:24 07/02/2008 19:50:00 http://www.missingkids.com/photographs/NCMC1099149c1t.jpg
07/16/2008 14:51:24 07/01/2008 00:06:13 http://www.missingkids.com/photographs/NCMC1099410c1t.jpg
07/16/2008 14:51:24 03/17/2008 15:47:48 http://www.missingkids.com/photographs/NCMC1091268c1t.jpg

07/16/2008 14:51:24 04/10/2007 12:29:03 http://www.get-involved.com/mashup/marker.swf
07/16/2008 14:51:22 http://www.get-involved.com/mashup/RSS_Read.php?state=XX
07/16/2008 14:51:22 http://www.get-involved.com/mashup/RSS_Read.php?state=XX
07/16/2008 14:51:21 06/19/2007 06:32:24 http://www.get-involved.com/mashup/map_small.swf
07/16/2008 14:51:20 04/26/2007 08:04:49 http://www.get-involved.com/mashup/images/kids_widget_04.gif
07/16/2008 14:51:20 04/26/2007 08:04:48 http://www.get-involved.com/mashup/images/kids_widget_01.gif
07/16/2008 14:51:20 04/26/2007 08:04:49 http://www.get-involved.com/mashup/images/kids_widget_05.gif
07/16/2008 14:51:20 04/26/2007 08:04:49 http://www.get-involved.com/mashup/images/kids_widget_02.gif
07/16/2008 14:43:09 http://www.get-involved.com/mashup/RSS_Read.php?state=XX

There are a few things to note about each item listed. First, the items are objects on the website, such as an image (.gif or .jpg) or shockwave video (.swf). The web browser will store the objects on the computer so that the next time the website is visited, it will appear to load faster than the first time. This is called caching.

The first date / time on each line (shown in red in the original post) indicates when the object was accessed by the web browser. This is indicative of when the website was surfed.

The other date / time (if there is one) indicates when the object was last modified by whoever created it or otherwise owned the object. Using an image, for example, this date / time could indicate when the picture was taken, resized, photoshopped...you name it. It is often indicative of when the web page was created or modified. It is not indicative of when the web page was surfed.

Unfortunately, the media saw the old dates and assumed that they were surf dates. LE did not make that assumption. There is nothing in the complete forensic report that indicates they ever thought this was something to look into.

I should further point out that the sites were visited from the laptop computer and not the home computer.

So what really happened? :waitasec:

Recall that Lee picked up KC's computer on the evening of the 15th from Tony's. (I will need to post later on the activity beginning late that night, but in an attempt to keep this post to under five pages, I will stay on topic. :rolleyes:)

Sometime during the afternoon of the 16th the "cayleeismissing" myspace page goes live. This page becomes a missing person's website - Caylee's. Work on this page occurred between 2:37 PM and 2:52 PM on July 16th - completely encompassing the time the missing person's sites were accessed.

Given KC was preoccupied during this time, the best candidate for this activity is ... Lee. He was just trying to get Caylee's name out there as a missing person. :angel:
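The two-timestamp point made in the post above, worked through in code. This is an added example and not JWG's analysis or any tool used in the thread: it copies a handful of lines from the listing and parses them, keeping the browser's access time (first column) separate from the server-reported last-modified time (second column, when present). The regular expression and the field names "accessed" and "modified" are this example's own assumptions about the listing's layout.

```python
"""
Parse cache/history lines of the form
    <access time> [<last-modified time>] <URL>
and report the two kinds of dates separately, so the last-modified dates
are never mistaken for visit dates.
Added example; the sample lines are copied from the listing in the post.
"""
import re
from collections import Counter
from datetime import datetime

# A few lines from the listing above (access time, optional last-modified, URL).
SAMPLE_LINES = """\
07/16/2008 14:51:37 06/24/2008 16:01:46 http://www.missingkids.com/photographs/NCMC1097725c1t.jpg
07/16/2008 14:51:24 03/17/2008 15:47:48 http://www.missingkids.com/photographs/NCMC1091268c1t.jpg
07/16/2008 14:51:24 04/10/2007 12:29:03 http://www.get-involved.com/mashup/marker.swf
07/16/2008 14:51:22 http://www.get-involved.com/mashup/RSS_Read.php?state=XX
07/16/2008 14:43:09 http://www.get-involved.com/mashup/RSS_Read.php?state=XX
"""

TS = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
# First timestamp is mandatory (access time); the second is optional (last-modified).
LINE_RE = re.compile(rf"^{TS}(?: {TS})? (\S+)$")
FMT = "%m/%d/%Y %H:%M:%S"


def parse_line(line):
    """Return a dict for one history line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    accessed, modified, url = m.groups()
    return {
        "accessed": datetime.strptime(accessed, FMT),
        "modified": datetime.strptime(modified, FMT) if modified else None,
        "url": url,
    }


def parse_history(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def visit_dates(entries):
    """Days on which the browser actually fetched something: the access column only."""
    return Counter(e["accessed"].date().isoformat() for e in entries)


def modified_dates(entries):
    """Server-side last-modified dates: when the object changed, not when it was viewed."""
    return Counter(e["modified"].date().isoformat() for e in entries if e["modified"])


def surf_window(entries):
    """Earliest and latest access time, i.e. the span of the browsing session."""
    times = [e["accessed"] for e in entries]
    return min(times), max(times)


if __name__ == "__main__":
    entries = parse_history(SAMPLE_LINES)
    print("objects fetched per day:", dict(visit_dates(entries)))
    print("last-modified dates (NOT visit dates):", dict(modified_dates(entries)))
    first, last = surf_window(entries)
    print(f"browsing window: {first} .. {last} ({(last - first).seconds // 60} min)")
```

Run against the full listing, every entry lands on the same day in the access column while the last-modified column is spread across 2007 and 2008; that spread is exactly what the media read as visit dates.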

wow! This is very interesting! Excellent work--
JB would do well to set http://www.websleuths.com/forums/search.php?searchid=1889621 as his homepage :wink:
 
JWG, I couldn't open many of the links you posted. I did open some to a small picture. Thanks for the post.
 
MySpace will remember your ID but not your password - you have to type that in every time. (at least I do)

Unless you LOG off, myspace will stay logged in if you have a window open. I can check myspace all day long when I have a window open. Once all your windows are closed it will automatically log you off.

True - but JWG's analysis clearly shows that Tony powered on the laptop indicating that the laptop was off - so no windows could have been open.
 
Everyone makes mistakes, especially me. Because I had trouble unzipping the entire archive, I just accessed the files from within the archive. I did not closely check the file structure when doing so. :bang:

Turns out I was not looking at the history for the laptop when I did this analysis.

I was looking at the temporary history for the desktop.:loser:

The analysis I did for the missing person's website was correct - it was taken from the internet explorer history file.

So, knowing it was the desktop and not the laptop, it could not have been Tony on the 'puter. It had to be someone at the Anthony's. Given activity stops from just before midnight to just after 2:30 AM - the window of time Lee went up to Tony's, it had to be Lee on the desktop deleting away. :rolleyes:

Thanks to ElizaAvalon for showing me the error of my ways. Eliza...if you would like to expand, please have at it. I should probably go into a sleuthing time out for this faux pas.

I will try to answer RR0004, magic-cat, and shgrbkr in this post.

First, I will point out again that the computer was left at Tony's when Cindy came over to get KC, as were KC's clothes and other belongings.

Based on the fact that the computer was booted around 10:15 and activity ceased just before midnight, it is clear that Tony was the one on the computer and not Lee. Lee was still at his parents. Lee arrived at Tony's around midnight and left around 2:00 AM.

Lee did say in his interview that he called Tony in advance to tell him he was coming over to get KC's stuff. Given that Lee had to this point never met nor spoken to Tony before, I think it is highly unlikely that the two of them immediately launched into a conspiracy to protect KC.

Trying to connect the dots and put myself into the players' minds that evening of July 15, what I think happened is...

Tony calls KC's phone at 8:22 PM in an attempt to try to find out from KC what was going on between her and her mother. However, KC had left her phone at Tony's, and he locates it in the process of calling her.

At 9:12 a text comes in from Will W. At 9:27 Tony attempts to call Amy on KC's phone but does not reach her. At 9:35 another text comes in from Will and at 9:37 one comes in from Andy F. It is possible that Tony sees these and decides to take a peek at KC's other texts, and discovers quite a few messages that cause him to question KC's fidelity. :waitasec:

Another attempt to call Amy is made at 10:07, immediately followed by a call from Mark H. that goes to VM. Tony calls Amy again and they connect. This is when Tony learns KC cleaned out Amy's bank account. :eek:

Ya think maybe Tony's a little bit suspicious of this girl KC now? :sick:

He flips open her laptop and tries to get into her ATT account to see who she might have been calling. Based on the links to "forgotten" or "lost" password on that site, he is not successful.

Next he looks at her browser history to get a sense of where she's been. He notices that the "lava life" dating site had been visited so he goes there to see if he can figure out how to view her profile. It looks like he registered in order to do this.

Tony tries to get into her Facebook, but cannot.:banghead:

Next he tries myspace and is successful logging into her account (thanks Muzikman for digging up her numeric ID - it matched!!!). :dance: Tony spends 10 minutes looking through LOTS of profile comments and mailbox messages, and I am guessing what he sees only makes him that much more upset with her. :mad:

Sometime during his viewing of KC's myspace he figures out how to get into her Photobucket and Facebook. For the next hour he is viewing photos on both sites and messages / photos on myspace. I am guessing that what he sees infuriates him, and out of anger starts deleting stuff that upsets him. :furious:

Remember - he does not know at this point that Caylee is missing. He only knows his girlfriend is a thief and a cheat.

Somewhere along the way, in the process of deleting material, Tony accidentally corrupts a system file. This is what causes the blue screen of death. About the time this happens he gets a call from Lee who is headed over.

So Tony gathers up KC's belongings, folds them and stacks them neatly, and waits for Lee to arrive to get that woman's stuff out of his house.
 
True - but JWG's analysis clearly shows that Tony powered on the laptop indicating that the laptop was off - so no windows could have been open.

This is a laptop. There's a possibility it could have been a power up into a resume. I rarely truly cold-boot laptops.
 
JWG - first of all, you've done GREAT sleuthing work on this case and we need ya!

The profile user name on the laptop is Bobby.

The profile user name on the desktop is Casey.

Very easy to see how the desktop and the laptop could be confused.
 
I'm seeing the comment that "he knows what he's done" could refer to Lee's attempt at clearing potentially damning info off the computer as part of the obstruction of justice? My question is I've always heard nothing except a complete reformat of the hard drive will erase it. Even though items were deleted, are they still there - deeply embedded there somewhere?
 
Does anyone think that perhaps, after Tony found out all this information, which was probably overwhelming....and logged in to her myspace and read some messages from probably other guys, that he could have thrown or punched the laptop, causing it to die out (blue screen)??
OR....could it have been Lee, which then after talking with Tony, and reading some messages and realizing that she was lying to him, got upset and proceeded to take it out on the computer??:confused:
 
Not just back in the day....I have been using Xanax for a few months now for PMDD which is basically PMS to the extreme.
(But it has been prescribed as a last resort, since we have tried everything else available over the last 8 yrs.)
I noticed in KC's photobucket acc that she had several PMS related icons, and wondered if she had significant mood shifts when she was premenstrual?

I also have some questions about the pc....If it was already wiped when LA got to TL's or it wouldn't start up, then how did they access the pictures to make the missing posters?
Or was that from another PC and results of both searches have been included? Sorry if it's a repeat question- wish I had time to read all the posts but I don't.
ETA- Could this be why the file is called bobby?

The original Bobby was a free online tool provided by the Centre for Applied Special Technology (CAST) used to validate websites for WAI and Section 508 compliance. Launched in 1995 [1], it became well known for the usage of the Bobby Approved icon that website authors could use to indicate they have successfully passed the Bobby online test.

The CAST tool was officially closed on May 1, 2005. However, the Bobby name lives on in Watchfire Corporation's Watchfire Bobby program. Watchfire provided the same free service that CAST did with Bobby in their Watchfire WebXACT tool. Watchfire's current offering, now part of an IBM suite described below, tests pages of web content for quality, accessibility and privacy issues.

The free tool was officially closed by the owners, IBM, on February 1, 2008 [2]. The software is now available as part of IBM's Rational Policy Tester Accessibility Edition. [3]

Currently, the Web Accessibility Evaluation Tool (WAVE) provides this free service at http://wave.webaim.org [2].

References
[1] Centre for Applied Special Technology (CAST), Bobby, cited 4 May 2008.
[2] Watchfire, Bobby and WebXact, cited 4 May 2008.
[3] Rational Policy Tester Accessibility Edition.

JWG - first of all, you've done GREAT sleuthing work on this case and we need ya!

The profile user name on the laptop is Bobby.

The profile user name on the desktop is Casey.

Very easy to see how the desktop and the laptop could be confused.

Eliza, I remembered this from a prior thread earlier on, so thought I'd just bring it over to this thread. Not sure if this is what the reference to Bobby really is, but it seemingly could be. It explains the term Bobby rather clearly...although, not exactly sure if it really pertains to the A's comp.

JWG - Do you have any knowledge with this? I've gone through our computers and I've found no reference to Bobby. This could be b/c our computers are newer and we've never used that free utility (or program so to speak). I've searched our hard drives and thoroughly went through safe mode...still found nothing with reference to Bobby. So, either the A's used the Bobby free utility, it was a file or something set up by one of them, or it was from a previous owner...right? Do you maybe have any insight to this? Thanks bunches! Jersey
 
Does anyone think that perhaps, after Tony found out all this information, which was probably overwhelming....and logged in to her myspace and read some messages from probably other guys, that he could have thrown or punched the laptop, causing it to die out (blue screen)??
OR....could it have been Lee, which then after talking with Tony, and reading some messages and realizing that she was lying to him, got upset and proceeded to take it out on the computer??:confused:

JWG has recanted and stated that the information was from the DESKTOP not the LAPTOP

However, that does not change the forensics.. it just changes that it was LEE on the family desktop and NOT TONY on the laptop.

LET'S NOT LET THIS BECOME A MISUNDERSTANDING!

JWG does great work and is one of the best sleuthers - often his work is very factual and not emotional. We all could take a page from his book and remember not to put too much emotion into the sleuthing.


JWG--- I have not had time to go through the forensics... are there any records of the EVENT VIEWER - system or application properties?? This would give us exact times of reboots, application hangs.
 
For those that are not computer savvy...

Profiles are created for each log in. On Windows XP computers, the profile is created when you set up the computer login(user account) for the first time. The profile is located in C:\Documents and Settings\nameofuseraccount

The profile contains all the settings and information for that user account. This is helpful if more than one person uses a computer and each user wants a separate "Desktop", "Documents" or Favorites.
A profile contains the following folders:
Desktop folder contains the "icons" that are on the desktop.
My Documents folder contains the documents the user saves to the computer; this folder usually contains "My Pictures" and "My Music".
Favorites contains the favorite links that one chooses to save to use within Internet Explorer.
Application Data folder contains information about various applications, ex: Outlook Express settings and the Outlook/Outlook Express mail. Application Data holds information like the dictionary (during spell check when you want to save a specific word to the dictionary.. this is where the info goes).

The "bobby" profile could have been from a previous user, a generic name, or some inexperienced IT guy used his own first name when setting up the PC.

In Windows Xp, you will see other profiles such as Administrator, Default User, or All Users. When there are Desktop icons in All Users that means the icons are available to ALL USERS that log in no matter which profile they use.

Forensic evidence that would be very interesting for me to see would be the event logs in the Control Panel-Admin Tools- Event Viewer as well as what was in the My Documents folder.

I would love to get a hold of the hard drive and run a data recovery application that I use on a regular basis that has retrieved data from over 20 "crashed" hard drives. Gilware, Inc will also retrieve photos, documents, etc for a fee. They own a clean lab which will retrieve data from water, fire and platter damaged PCs.
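The profile layout described in the post above, as an examiner would enumerate it on a mounted XP volume. This is an added example and not the poster's own tool: it builds a small constructed Documents and Settings tree in a temp folder (the profile names "bobby" and "Casey" are the two discussed in the thread, the other three are the XP built-ins the post mentions), lists each profile, separates built-in profiles from real logins, checks which of the standard sub-folders exist, and uses the modification time of each profile's NTUSER.DAT registry hive as an approximate last-logoff time. The built-in name list and the use of the hive timestamp are this example's assumptions, not anything taken from the forensic report.

```python
"""
Enumerate Windows XP user profiles under a Documents and Settings folder.
Added example built on a constructed directory tree; nothing here is read
from a real image.
"""
import os
import tempfile
from datetime import datetime, timezone

# Profiles XP creates itself (assumption for this example; not from the thread).
BUILTIN_PROFILES = {"administrator", "default user", "all users",
                    "localservice", "networkservice"}
# The sub-folders the post lists as making up a profile.
STANDARD_FOLDERS = ["Desktop", "My Documents", "Favorites", "Application Data"]


def list_profiles(docs_and_settings):
    """One record per profile folder: name, built-in flag, folders present, hive timestamp."""
    records = []
    for name in sorted(os.listdir(docs_and_settings)):
        path = os.path.join(docs_and_settings, name)
        if not os.path.isdir(path):
            continue
        hive = os.path.join(path, "NTUSER.DAT")
        has_hive = os.path.isfile(hive)
        records.append({
            "name": name,
            "builtin": name.lower() in BUILTIN_PROFILES,
            "folders": [f for f in STANDARD_FOLDERS
                        if os.path.isdir(os.path.join(path, f))],
            "has_hive": has_hive,
            # NTUSER.DAT is rewritten at logoff, so its mtime approximates last use.
            "last_logoff": (datetime.fromtimestamp(os.path.getmtime(hive), timezone.utc)
                            .isoformat() if has_hive else None),
        })
    return records


def user_accounts(records):
    """Profiles that correspond to a real login: not built-in, and with a registry hive."""
    return [r["name"] for r in records if not r["builtin"] and r["has_hive"]]


def build_sample_volume():
    """Constructed sample tree: two logins plus the XP built-in profiles."""
    root = tempfile.mkdtemp()
    ds = os.path.join(root, "Documents and Settings")
    utc = timezone.utc
    layout = {
        "bobby": (STANDARD_FOLDERS, datetime(2008, 7, 15, 23, 58, tzinfo=utc)),
        "Casey": (STANDARD_FOLDERS, datetime(2008, 7, 16, 14, 52, tzinfo=utc)),
        "Administrator": (["Desktop"], datetime(2006, 1, 3, 9, 0, tzinfo=utc)),
        "All Users": (["Desktop", "Favorites"], None),  # shared folders only, no hive
        "Default User": (STANDARD_FOLDERS, datetime(2006, 1, 3, 9, 0, tzinfo=utc)),
    }
    for name, (folders, logoff) in layout.items():
        for folder in folders:
            os.makedirs(os.path.join(ds, name, folder))
        if logoff is not None:
            hive = os.path.join(ds, name, "NTUSER.DAT")
            open(hive, "wb").close()
            stamp = logoff.timestamp()
            os.utime(hive, (stamp, stamp))  # set atime and mtime to the chosen logoff time
    return ds


if __name__ == "__main__":
    recs = list_profiles(build_sample_volume())
    for r in recs:
        kind = "built-in" if r["builtin"] else "user"
        print(f"{r['name']:<14} {kind:<9} hive={r['has_hive']!s:<5} "
              f"last_logoff={r['last_logoff']} folders={r['folders']}")
    print("real logins:", user_accounts(recs))
```

On a real image the same walk over the mounted volume's Documents and Settings folder answers the question asked later in the thread: whether "bobby" is simply the only login on the laptop, and when that profile was last used.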
 
Another lesson for those less than computer savvy...


There are many Free applications that clear your internet tracks...
One that I suggest is CCLEANER. This will also remove registry entries that tend to clog up the registry. This comes from removing and installing applications. This only helps with your tracks on your computer.
This will not help with posting or updating items on Myspace or Facepage.
Casey would not have been able to cover those tracks at all.

However, keep in mind.. with a nice data recovery program a lot of these deleted files can be retrieved. The best way to cover your tracks is to completely destroy the hard drive or do a Department of Defense standard format. This would require a full install of the operating system and applications and restoration of data files from a backup. ( I would not suggest anyone to do this if you are NOT experienced.)
 
JWG--- I have not had time to go through the forensics... are there any records of the EVENT VIEWER - system or application properties?? This would give us exact times of reboots, application hangs.

Unfortunately, the Event Viewer system or application log is not in the docs for either the laptop or the desktop.

No time today to review them, but it does look to me like on the laptop Safari was used for the Internet and IE was used to view photos on the computer itself - most likely IE was the default viewer for photos.

The IE history only shows hits to local files and very rare hits to Internet addresses (2 hits - yahoo insider or at&t).

Either the 'unfiltered' IE history is actually filtered or I suspect a virus on the laptop, hence the Blue Screen of Death, which may or may not have been real (sometimes a virus will put up a fake BSD).
 
Another lesson for those less than computer savvy...


There are many Free applications that clear your internet tracks...
One that I suggest is CCLEANER. This will also remove registry entries that tend to clog up the registry. This comes from removing and installing applications. This only helps with your tracks on your computer.
This will not help with posting or updating items on Myspace or Facepage.
Casey would not have been able to cover those tracks at all.

However, keep in mind.. with a nice data recovery program a lot of these deleted files can be retrieved. The best way to cover your tracks is to completely destroy the hard drive or do a Department of Defense standard format. This would require a full install of the operating system and applications and restoration of data files from a backup. ( I would not suggest anyone to do this if you are NOT experienced.)

I second that.

Make sure you use ccleaner on all user profiles on the computer.

Cleanup! is another good one...
 
I'm seeing the comment that "he knows what he's done" could refer to Lee's attempt at clearing potentially damning info off the computer as part of the obstruction of justice? My question is I've always heard nothing except a complete reformat of the hard drive will erase it. Even though items were deleted, are they still there - deeply embedded there somewhere?

They are still there. Even a standard format will not prevent a forensics program from locating it on the disk surface.

The only "user capable" things that will prevent data recovery on a drive are a "low level format", which directly rewrites every sector on the drive platters, and requires a special software tool from the drive's manufacturer. A government quality data erasure tool, which are very expensive and not very effective once the FBI is involved. Or actual physical damage to the hard drive. Subjecting it to a very strong magnetic field, such as proximity to an MRI scanner, or driving several 1/4" holes through it with a power drill.

And even if one of the above is used, while it may prevent a local or state lab from recovering much, the FBI is the best in the world. They have recovered portions of usable data from unbelievably damaged drives.
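Why the two posts above (the "deleted files can be retrieved" lesson and the reply that they "are still there") both hold, worked through on a toy disk model. This is an added example, not a tool from the thread and not how any real forensics product or file system is implemented: a constructed image with a directory table and fixed-size blocks, a file with a JPEG-like signature (constructed, not a real photo), a delete that only drops the table entry, and a signature carver that scans the raw blocks and ignores the table. The final step overwrites the free blocks to show the one case in which carving finds nothing, which is the distinction the posts draw between "deleted" and "erased".

```python
"""
Toy disk image: directory table + data blocks. Deleting a file drops the
table entry and frees its blocks; the bytes stay until something overwrites
them, which is what signature carving relies on.
Added example with a constructed image; the 'JPEG' is only its SOI/EOI markers.
"""
BLOCK = 512
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker that real JPEG files begin with
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


class ToyDisk:
    def __init__(self, blocks=16):
        self.data = bytearray(BLOCK * blocks)   # the "platter"
        self.table = {}                          # filename -> (first_block, length)
        self.free = list(range(blocks))          # free block list

    def write(self, name, payload):
        needed = -(-len(payload) // BLOCK)       # ceiling division
        start = self.free[0]
        del self.free[:needed]
        self.data[start * BLOCK:start * BLOCK + len(payload)] = payload
        self.table[name] = (start, len(payload))

    def delete(self, name):
        """Ordinary delete: forget the entry, mark blocks free, touch no bytes."""
        start, length = self.table.pop(name)
        self.free.extend(range(start, start + -(-length // BLOCK)))

    def wipe_free_space(self):
        """Overwrite every free block with zeros (the 'erase' the posts contrast with delete)."""
        for b in self.free:
            self.data[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)

    def read(self, name):
        start, length = self.table[name]
        return bytes(self.data[start * BLOCK:start * BLOCK + length])


def carve_jpegs(raw):
    """Signature carving: return every SOI..EOI span in the raw bytes, table or no table."""
    found, pos = [], 0
    while True:
        s = raw.find(JPEG_SOI, pos)
        if s < 0:
            return found
        e = raw.find(JPEG_EOI, s + len(JPEG_SOI))
        if e < 0:
            return found
        found.append(bytes(raw[s:e + len(JPEG_EOI)]))
        pos = e + len(JPEG_EOI)


def fake_jpeg(tag):
    """Constructed payload that carries only the markers a carver keys on."""
    return JPEG_SOI + b"\xe0constructed-sample-" + tag + b"\x00" * 40 + JPEG_EOI


def demo():
    disk = ToyDisk()
    photo = fake_jpeg(b"photo1")
    disk.write("IMG001.JPG", photo)
    disk.write("notes.txt", b"plain text, carries no signature")
    disk.delete("IMG001.JPG")                    # gone from the listing...
    after_delete = carve_jpegs(disk.data)        # ...but the carver still finds it
    disk.wipe_free_space()                       # only overwriting defeats the carver
    after_wipe = carve_jpegs(disk.data)
    return {
        "listed": sorted(disk.table),
        "carved_after_delete": len(after_delete),
        "carved_matches_original": after_delete == [photo],
        "carved_after_wipe": len(after_wipe),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same idea scales to a real image: a carver such as the one a lab uses walks the whole device, not the file system, which is why a deleted or even quick-formatted drive still yields files, and why the posts single out overwriting or physical destruction as the only things that change the outcome.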
 
Unfortunately, the Event Viewer system or application log is not in the docs for either the laptop or the desktop.

No time today to review them, but it does look to me like on the laptop Safari was used for the Internet and IE was used to view photos on the computer itself - most likely IE was the default viewer for photos.

The IE history only shows hits to local files and very rare hits to Internet addresses (2 hits - yahoo insider or at&t).

Either the 'unfiltered' IE history is actually filtered or I suspect a virus on the laptop, hence the Blue Screen of Death, which may or may not have been real (sometimes a virus will put up a fake BSD).

Bolded by me.. there was a virus last summer that seemed to exhibit that behavior; I ended up having to reinstall the OS on several machines. Good call.
Also I believe Safari has a feature to allow private browsing as does Internet Explorer 8.

I just think that either LE is holding back info on the PCs or they did not do a very thorough look at the state of the PC. I just think she would have a lot of items in the "My Documents or My Pictures" folder.
 
Eliza, I remembered this from a prior thread earlier on, so thought I'd just bring it over to this thread. Not sure if this is what the reference to Bobby really is, but it seemingly could be. It explains the term Bobby rather clearly...although, not exactly sure if it really pertains to the A's comp.

JWG - Do you have any knowledge with this? I've gone through our computers and I've found no reference to Bobby. This could be b/c our computers are newer and we've never used that free utility (or program so to speak). I've searched our harddrives and throughly went through safe mode...still found nothing with reference to Bobby. So, either the A's used the Bobby free utility, it was a file or something set up by one of them, or it was from a previous owner...right? Do you maybe have any insight to this? Thanks bunches! Jersey

Jersey - bobby was just the username that was used on the laptop. She could have bought the laptop used or from a friend or whatever and just didn't create a new profile.

It may also have been the ONLY profile. And then she wouldn't have even had to log into the laptop. The name bobby would have been transparent. She may not have even known.

Also - I do believe the computer was cleaned up at some point. I'll have to go way back into my notes but I think there was something that made me think they brought it in for service. Maybe the creation dates of the history.dat files? I forget so don't quote me. My point is, it could have been the name of the person who did the work.
 
Snipped from JWG. Thanks as you and Bond and many others are amazing.

"Not sure exactly how the laptop internet history got trashed in the process of Tony "cleansing" KC's accounts of images / messages that upset him, but it appears it did because there is very little activity shown pre-7/14, yet we know she was uploading to Photobucket quite frequently (as well as posting on FB and MS)."

Reply:

I have an older HP and they have a restore point which is to safely restore your computer to a saved restore point in case you have a problem or virus etc... I remember in the beginning that LA said something like everything from the 15th of June to the time he turned it over to police was gone (July 15th or 16th). Yahoo accounts etc. Was that disproven? Sorry, I kind of worked with computers in my day and try not to read this thread. Too much like my old work!

Also, I would think, and again I am sorry for not reading this thread close enough, but doesn't anyone else remember DOS codes? I remember the f/xxxx to wipe out everything. Easy blue screen of death possibly. I have not tried it on my newer computers but 5 years ago, yes and it still worked if needed.

Anyone else that old? J/K

LOL, amateur computer tech here from way back before Windows. These days I learn what I need to to fix whatever is wrong with one of our computers or my friends', but haven't stayed on top of everything that has come out. So I understand some of this computer forensic stuff, and the rest is Greek to me.
Lanie
 
They are still there. Even a standard format will not prevent a forensics program from locating it on the disk surface.

The only "user capable" things that will prevent data recovery on a drive are a "low level format", which directly rewrites every sector on the drive platters, and requires a special software tool from the drive's manufacturer. A government quality data erasure tool, which are very expensive and not very effective once the FBI is involved. Or actual physical damage to the hard drive. Subjecting it to a very strong magnetic field, such as proximity to an MRI scanner, or driving several 1/4" holes through it with a power drill.

And even if one of the above is used, while it may prevent a local or state lab from recovering much, the FBI is the best in the world. They have recovered portions of usable data from unbelievably damaged drives.


ITA! Most users are not that savvy, and if they were, a government quality data erasure would take some time to run on a good-sized hard drive.. hours, not minutes, and definitely not seconds.

Remember BTK was caught because of data left on a floppy drive.

Lesson to be learned from this case...
If you are going to commit a crime, do not use a cell phone, computer or any digital equipment. You will and can be traced.
 
Bolded by me.. there was a virus last summer that seemed to exhibit that behavior; I ended up having to reinstall the OS on several machines. Good call.
Also I believe Safari has a feature to allow private browsing as does Internet Explorer 8.

I just think that either LE is holding back info on the PCs or they did not do a very thorough look at the state of the PC. I just think she would have a lot of items in the "My Documents or My Pictures" folder.

The virus that causes the fake BSD is killer, for sure. Doesn't allow running or installing of any of the anti-malware programs. Requires manual deletion of dlls. :bang:

I think KC had IE5 on the laptop.

There are a lot of hits to My Documents in IE on the laptop. But not the documents/pictures themselves. Probably because it would add to the confusion of a juror.
 