Anthony's Computer Forensics

Snipped from JWG. Thanks as you and Bond and many others are amazing.

"Not sure exactly how the laptop internet history got trashed in the process of Tony "cleansing" KC's accounts of images / messages that upset him, but it appears it did because there is very little activity shown pre-7/14, yet we know she was uploading to Photobucket quite frequently (as well as posting on FB and MS)."

Reply:

I have an older HP and they have a restore point, which is to safely restore your computer to a saved restore point in case you have a problem or virus, etc... I remember in the beginning that LA said something like everything from the 15th of June to the time he turned it over to police was gone (July 15th or 16th). Yahoo accounts, etc. Was that disproven? Sorry, I kind of worked with computers in my day and try not to read this thread. Too much like my old work!

Also, I would think, and again I am sorry for not reading this thread close enough, but doesn't anyone else remember DOS codes? I remember the f/xxxx to wipe out everything. Easy blue screen of death possibly. I have not tried it on my newer computers but 5 years ago, yes and it still worked if needed.

Anyone else that old? J/K

I don't know if I am that old but one code I remember is:
DOS code to undelete a file would be UNDELETE [d:][path][filename] [/DT|/DS|/DOS]

But that would not do much good if they have used the computer since deleting a file, because the data would be rewritten over those sectors. There are many good data recovery tools. The FBI would not need to mess with old DOS commands. Since the hard drive had not crashed and the OS was accessible, they could run any number of data recovery tools to find deleted data and fragments of data.
 
The virus that causes the fake BSD is killer, for sure. Doesn't allow running or installing of any of the anti-malware programs. Requires manual deletion of dlls. :bang:

I think KC had IE5 on the laptop.

There are a lot of hits to My Documents in IE on the laptop. But not the documents/pictures themselves. Probably because it would add to the confusion of a juror.

O/T There was the one last summer with the manual deletion of the dll's, but the other bad one was the one that created the many dll's in %systemroot%/Windows/system32. Every time you deleted the .dll's another one was created on boot up. Some registry entries also had to be removed as well. I believe it is the Virtumonde???

IE5??? Holy cow, that could explain a virus or two. I really need to spend more time analyzing the forensic docs but since I do IT for a living.. I have other things IT related I like to do in my spare time. :)
 
So, knowing it was the desktop and not the laptop, it could not have been Tony on the 'puter. It had to be someone at the Anthony's. Given activity stops from just before midnight to just after 2:30 AM - the window of time Lee went up to Tony's, it had to be Lee on the desktop deleting away. :rolleyes:
*snipped*

Hey, JWG...it's all good. :thumb: Quite frankly, the activity on the desktop is every bit as interesting/important as the laptop, IMHO.

And we know the media has been releasing information attributing things to Casey when, without backing it up with detail, it could come from either computer. So, learning details on either computer gives us the granularity that IS the higher standard of a good WS, eh? :highfive:

IIRC, on the 7/15 & 7/16 ping threads a detailed (e.g. by the hour) timeline of Casey's location & activities was in the process of being constructed. I thought I recalled Cindy making some statements about Lee and Casey going in to work on the computer and creating the cayleeismissing page together - a collaboration. IMHO, it would make sense Casey had to be present at least part of the time to provide Lee with the passwords as he rifled through applications.

Put yourself in that room that night, LE swarming the place, body dumped a quarter-mile down the road...Lee and Casey frantically going through AT&T, Yahoo, MySpace, etc....then getting on with the work of the cayleeismissing space. Per your earlier post, IIRC, that they tried logging into AT&T first (right?) is very telling.

:clap: Thanks again for all the hard work! :clap:
 
O/T There was the one last summer with the manual deletion of the dll's, but the other bad one was the one that created the many dll's in %systemroot%/Windows/system32. Every time you deleted the .dll's another one was created on boot up. Some registry entries also had to be removed as well. I believe it is the Virtumonde???

IE5??? Holy cow, that could explain a virus or two. I really need to spend more time analyzing the forensic docs but since I do IT for a living.. I have other things IT related I like to do in my spare time. :)

Virtumonde is still out there but easy to clean with anti-malware programs. If I remember correctly, the one I'm talking about is TDSSserv. I was wrong, it was deleting a driver entry...

Anyway, yes IE5. And the use of Safari also makes me suspect a virus. People are usually happy with IE until they start getting pop-ups...
 
"I posted yesterday on the escort service surfing activity, and I will have more to say about that in a future post. Suffice it to say, I am 99% certain George is solely responsible for the visits to escort sites, and KC is uninvolved in that surfing activity."

Hoo-boy! Cindy isn't going to like this at all!

By the way, JWG, nice signature line.......... and nice photos in your profile!

Agree 100%, this is where George spent the money not the Nigerian Email Scam.

So many implications could be drawn from this. I wonder how important it was in driving the As behavior:

+ GA not really challenging KC about the "job", the thefts, etc

+ KC and LA's apparent disdain for their father which included NO celebration for Father's Day

+ CA's overly flirtatious and touchy approach to multiple men

I'm sure there are others.
 
So many implications could be drawn from this.


Certain specific things have not been established as facts. It is a fact that GA said he was taken by a Nigerian Scam. It is not established as fact that it was GA surfing escort sites, nor that he ever spent a dime on any escort.
 
Virtumonde is still out there but easy to clean with anti-malware programs. If I remember correctly, the one I'm talking about is TDSSserv. I was wrong, it was deleting a driver entry...

Anyway, yes IE5. And the use of Safari also makes me suspect a virus. People are usually happy with IE until they start getting pop-ups...

I ran into Virtumonde before the anti-malware had a fix. YES! The TDSSserv is the one I ran into when working on my daycare provider's PC. That PC had that one as well as many other viruses and trojans (it was BAD). She was so infected that I just wiped the drive and reloaded everything and then told her to buy a router to put between her DSL connection and PC. I do not do much desktop work anymore; I work as a server admin. Sorry this is so off topic... I have been off work for a surgery the past 2 weeks and I am itching to talk shop! :)

However, I am always willing to impart knowledge to the less savvy. The more savvy users the better!
 
Do we have any spreadsheets that combine the cell phone records, pings, computer forensics and interviews to get a play by play of the time period between July 15th, from the time Cindy picked up Casey, and July 16th, when Casey was arrested?
 
As I was looking through the internet history files recently "rediscovered" from the September document dump, I noticed something odd about the Internet Explorer history from the desktop computer. Before I get into this oddity, let me provide some background.

There are 4 files of interest from this 95MB behemoth:

  • Internet History unfiltered.csv - Desktop Internet Explorer browser and cookie history. This history goes back to August 8, 2007, although the older history is much more sparse than the newer history.
  • Unfiltered Temporary Internet History for Casey Profile.csv - Desktop Internet Explorer cache listing. This file's dates go back to June 27, 2008. It appears, however, that there are some "holes" between June 27 and July 16. This does not imply anything nefarious, as I don't know what caching policy was set in the Anthonys' browser.
  • Unfiltered History for user bobby.csv - Laptop Internet Explorer browser and cookie history. This history goes back to July 3, 2008.
  • Unfiltered Safari Internet History for bobby.csv - Laptop Safari browser (Apple) and cookie history. This history goes back to July 13, 2008.
This looks like a lot of information, but I want to point out that much is still missing and leaves a lot of questions unanswered. Some key things that are missing:

  • Internet history and temporary internet history from unallocated space, meaning deleted histories, from both computers. This is where the infamous Google searches for chloroform were found.
  • Temporary internet history (cache listings) from the laptop.
  • Safari internet history from the desktop, if it exists. I am thinking not, as it appears that Safari was installed on the laptop on July 13, 2008.
The desktop Internet Explorer browser and cookie history has the most and oldest information available, so this is where I have focused my attention. The oddity I noticed is that the cookies and URLs listed all looked like they were the result of George using the computer, and no one else. Up until the evening of July 15, that is.

What I find odd is that we know KC used the desktop computer to visit Myspace, Facebook, and Photobucket, yet prior to July 15 there are no URLs or cookies from any of those sites recorded in the internet history. Based on this, it seems to me KC was in the habit of covering her tracks as she surfed. She did not clean everything because George's history is still there, so she was pretty sophisticated in this regard. :eek:

Of course it could have been Lee, but it is a lot harder to selectively clean a year's worth of history at once versus doing it as she goes. My money is on KC doing it as she goes. :twocents:

Knowing the surfing was George, I wondered if I could discern a usage pattern and compare it with what we know of KC's Photobucket uploads and the chloroform searches in March. :waitasec:

It turns out George is quite the creature of habit. While he does not surf every day, when he does surf it seems to always fall into the following time windows:

  • 10 AM to Noon
  • 10 PM to midnight
To a lesser extent:

  • 5AM to 7AM
  • 4:30PM to 6:30PM
George's surfing did not fall firmly within those boundaries, but staring at the time windows it is pretty clear his habits were fixed.

Pulling in the graph from a post I did back in early January, we can see KC's Photobucket uploads clearly took place when George was not on the computer - largely between noon and 3PM:

[graph of KC's Photobucket upload times by hour of day; image not reproduced]


The infamous computer searches took place at the following times:

The clicks from March 17:
17-Mar 9:36:12 Clicked a Google-hosted ad from a myspace page
13:43:41 Search chloraform
13:43:41 Search chloroform
13:54:26 Search alcohol
13:54:42 Search acetone
13:55:34 Search peroxide
13:53:25 to 13:58:38 Wikipedia searches for inhalation, chloroform, alcohol, acetone, peroxide, hydrogen peroxide, death
The clicks on March 21:
21-Mar 14:16:30 Search how to make chloraform
14:16:30 Search how to make chloroform Google automatically suggested correct spelling
14:19:16 Clicked a Google syndicated ad
14:20:32 Search self defense
14:21:14 Clicked a Google syndicated ad
14:21:58 Search household weapons
14:22:01 Clicked a Google syndicated ad
14:23:08 Clicked a blog poll hosted by Google http://www.google.com/reviews/polls/...kclr=%235588aa
14:25:12 Clicked a Google syndicated ad
14:25:33 Search household weapons
14:25:54 Clicks http://books.google.com/books?id=_QMJNJIOKPEC&pg=PA79
14:26:18 Clicks http://books.google.com/books?id=_QMJNJIOKPEC&pg=PA79
14:26:24 Search neck breaking
14:28:18 Search shovel
Notice that the above computer searches took place during a time window that was consistent with KC's Photobucket uploads and outside the time window of George's usage. :thumb:
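Below is an added example (my own code, not JWG's and not anything posted in this thread) that applies the same time-of-day test to a history export: each visit is bucketed into the habitual usage windows quoted above, and anything outside every window is flagged as needing other evidence for attribution. It assumes a two-column CSV (visited, url) and constructed sample rows; the March timestamps are the ones listed in the post.

```python
import csv
import io
from datetime import datetime, time

# Habitual usage windows stated in the post (start inclusive, end exclusive).
# The "10 PM to midnight" window wraps past 23:59:59; in_window() handles that.
GEORGE_WINDOWS = [
    (time(10, 0), time(12, 0)),    # 10 AM to Noon
    (time(22, 0), time(0, 0)),     # 10 PM to midnight
    (time(5, 0), time(7, 0)),      # 5 AM to 7 AM (lesser extent)
    (time(16, 30), time(18, 30)),  # 4:30 PM to 6:30 PM (lesser extent)
]
# Window in which the Photobucket uploads clustered, per the post's graph.
KC_UPLOAD_WINDOW = (time(12, 0), time(15, 0))

# Constructed sample export (assumed two-column layout; the thread does not
# show the real CSV columns). March rows use the timestamps quoted in the post;
# the June rows are made up to exercise the other windows.
SAMPLE_CSV = """\
visited,url
2008-03-17 13:43:41,http://www.google.com/search?q=chloroform
2008-03-17 13:54:26,http://www.google.com/search?q=alcohol
2008-03-21 14:16:30,http://www.google.com/search?q=how+to+make+chloroform
2008-03-21 14:28:18,http://www.google.com/search?q=shovel
2008-06-09 16:35:02,http://example.invalid/used-cars
2008-06-10 22:14:50,http://example.invalid/job-listings
2008-06-11 03:02:11,http://example.invalid/late-night
"""


def in_window(t, start, end):
    """True if clock time t lies in [start, end); supports windows that wrap midnight."""
    if start < end:
        return start <= t < end
    return t >= start or t < end      # e.g. 22:00 -> 00:00


def classify(t):
    """Label a clock time (datetime.time or 'HH:MM:SS') by the window it falls in."""
    if isinstance(t, str):
        t = datetime.strptime(t, "%H:%M:%S").time()
    if any(in_window(t, s, e) for s, e in GEORGE_WINDOWS):
        return "george-window"
    if in_window(t, *KC_UPLOAD_WINDOW):
        return "kc-upload-window"
    return "outside-known-windows"     # needs other evidence to attribute


def label_history(csv_text):
    """Parse the export and attach a window label to every visit."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(rec["visited"], "%Y-%m-%d %H:%M:%S")
        rows.append((when, rec["url"], classify(when.time())))
    return rows


def label_counts(rows):
    """Tally rows per label so a skew toward one user's windows is visible at a glance."""
    counts = {}
    for _, _, label in rows:
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    labelled = label_history(SAMPLE_CSV)
    for when, url, label in labelled:
        print(f"{when:%Y-%m-%d %H:%M:%S}  {label:22}  {url}")
    print(label_counts(labelled))
```

The window boundaries are the post's own and are only a habit pattern, so a label is a prompt to check the row against phone records and cache data, not an identification on its own.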
 
As I was looking through the internet history files recently "rediscovered" from the September document dump, I noticed something odd about the Internet Explorer history from the desktop computer.

*snip*

Thank you so much for that research. Why do I get a different "spin" on all this? Could George have been planning to kill Casey? And then Caylee would be safe? Instead of being taken out at all hours of the night and day. They knew there was no Nanny and maybe they were concerned for Caylee's safety. So let's "off" Casey and be sure Caylee stays safe.

George made Caylee's breakfast every morning. I'm sure he found it heart wrenching to watch that child leave his house every day, not knowing where she was going or what she could be exposed to.

Just throwing out some thoughts.
 


I've never heard the story of George making Caylee's breakfast every morning.
Did he make it on June 16th as well?
 
Thank you so much for that research. Why do I get a different "spin" on all this? Could George have been planning to kill Casey?

*snip*

Careful here...I am not at all trying to imply George was the one who did those searches. In fact, I believe what I clearly show is KC performed the searches. This is because the time-of-day corresponding to those searches is consistent with KC's computer activity and inconsistent with George's.
 
JWG:

Are you now able to support/debunk the 6/16 2-3PM desktop computer usage was George vs. Casey? :waitasec:

Based on the pings, IMHO, Casey never returned to G&C's the afternoon of 6/16. IMHO, the pings suggest she went from G&C's to Lee's just after 1PM, and the flurry began on her way up to Tony's leaving directly from Lee's. Note that the 4:11PM ping amidst the flurry on the Narcoosee tower was SW-N vs. the typical NW-NE on that tower. Also note that she did the very same thing (i.e. 'flurry') on 6/9 when she was en route to Ricardo's, AND, when she was leaving G&C's on 6/24 after the gas can scene en route to Tony's.

Not to say that Casey couldn't talk & surf at the same time :rolleyes:, but, she was on the phone w/ Amy 1:44-2:20PM. Then on with Jesse 2:52-3:10PM. That left only 2:20-2:52PM for Casey usage. IIRC, George typically left for work ~2:30PM...giving him an equal opportunity to be responsible for the usage we saw in the original forensics. :pcguru:

I'm ready to wager 6/16 2-3PM activity was George just before he left for work.

What say ye?
 
JWG:

Are you now able to support/debunk the 6/16 2-3PM desktop computer usage was George vs. Casey? :waitasec:

*snip*

Well...I can't be positive one way or the other who was on the computer, as only one new URL was added and it was in the evening. The temporary internet history (caching information) does not go that far back. I'd need to see what is in the unallocated sectors, to be certain.

I will say that one week earlier, on the 9th, around 4:30 PM someone - I am guessing George - visited a couple of sites on car sales and a couple of job sites.

So it is possible the computer usage was due to George, but I am not completely sold on this. The usage between 2 and 3 on the 16th was quite heavy, which indicates to me someone was surfing big time and creating a lot of cache files. Yet the actual computer history files we have show absolutely nothing. KC seemed to have a habit of covering her computer tracks as it is near impossible to find any activity related to her, even with all of the Photobucket, Facebook, and Myspace visits.

Therefore, although I'm hearing you on the pings, my nickel is still on KC, and she covered her tracks as she always did. :twocents:
 
Therefore, although I'm hearing you on the pings, my nickel is still on KC, and she covered her tracks as she always did. :twocents:

*snip*

I couldn't take that nickel from you... how 'bout a beer? :beersign:

Any idea if the activity-o-meter registers CPU vs. solely online activity?

George workin' on a resume for his upcoming interviews? :eek:nline:
 
*snip*

I couldn't take that nickel from you... how 'bout a beer? :beersign:

Any idea if the activity-o-meter registers CPU vs. solely online activity?

George workin' on a resume for his upcoming interviews? :eek:nline:

Hmmmm...beer...St. Patty's is coming up on us.

Unfortunately, we have very little information as to what was going on that computer. The "activity-o-meter" does not discern online activity from other activity. Certainly resume updates are a possibility, but again I note that lots of files were modified - it was a pretty active day. Someone added or modified a lot of files. Smells like internet surfing to me.

I wish I could be more specific. But I just don't have the data. :(
 
Hmmmm...beer...St. Patty's is coming up on us.

Don't know 'bout you, but, I try to avoid the rush and get an early start. :)

Unfortunately, we have very little information as to what was going on that computer. The "activity-o-meter" does not discern online activity from other activity. Certainly resume updates are a possibility, but again I note that lots of files were modified - it was a pretty active day. Someone added or modified a lot of files. Smells like internet surfing to me.
*bold by me*
...wasn't that Nirvana?

Yeh, I hear you.

Looks to me like either George or Casey woulda had 'bout equal time (~30mins) to generate the usage, whichever one it was.

I wish I could be more specific. But I just don't have the data. :(

Ahhhhhh....c'mon! Data'smata! Invoke the Nancy-rule! When without data...make sumthin' up and run w/ it. :rolleyes:

Got those timecards handy? I've long-since jettisoned George's E-Pass records too. (OT, but, would look @ both for 6/20 too).
 
As I was looking through the internet history files recently "rediscovered" from the September document dump, I noticed something odd about the Internet Explorer history from the desktop computer. Before I get into this oddity, let me provide some background.

There are 4 files of interest from this 95MB behemoth:

~SNIP~

:thumb:

Snipped for space.

Great work as always, JWG!

What would she have had to have done to wipe her info out? I mean, is it something as minor as deleting her temporary internet files, browser and cookie histories every time she logged off? Because George's info is still there. Or is what she did more detailed?

I am always impressed with the things you come up with.. you have a sharp mind!
 
