Anthony's Computer Forensics

[Ripley007]

JWG:

Are you now able to support/debunk the 6/16 2-3PM desktop computer usage was George vs. Casey? :waitasec:

Based on the pings, IMHO, Casey never returned to G&C's the afternoon of 6/16. IMHO, the pings suggest she went from G&C's to Lee's just after 1PM, and the flurry began on her way up to Tony's leaving directly from Lee's. Note that the 4:11PM ping amidst the flurry on the Narcoosee tower was SW-N vs. the typical NW-NE on that tower. Also note that she did the very same thing (i.e. 'flurry') on 6/9 when she was enroute to Ricardo's, AND, when she was leaving G&C's on 6/24 after the gas can scene enroute to Tony's.

Not to say the Casey couldn't talk & surf at the same time , but, she was on the phone w/ Amy 1:44-2:20PM. Then on with Jesse 2:52-3:10PM. That left only 2:20-2:52PM for Casey usage. IIRC, George typically left for work ~2:30PM...giving him an equal opportunity to be responsible for the usage we saw in the original forensics. cguru:

I'm ready to wager 6/16 2-3PM activity was George just before he left for work.

What say ye?

I'm one of those posters who poo-poos things without 100% proof, usually. But... (Sorry) I have ALWAYS stated that I believe GA was LYING about seeing KC and Caylee "between 9-1" on 6/16/08. BS!!!! I say. The fact that Caylee's bones were found with the SAME pair of shorts she was FILMED wearing on 6/15/08 supports an earlier demise....Remember the Peterson case?

 

[BondJamesBond]

I'm one of those posters who poo-poos things without 100% proof, usually. But... (Sorry) I have ALWAYS stated that I believe GA was LYING about seeing KC and Caylee "between 9-1" on 6/16/08. BS!!!! I say. The fact that Caylee's bones were found with the SAME pair of shorts she was FILMED wearing on 6/15/08 supports an earlier demise....Remember the Peterson case?

Hey, Ripley. IKWYM. Kinda ot, but, IIRC, it was Casey statement that she dropped Caylee off "between 9-1", in fact, I think over on the 6/9 vs. 6/15 thread in the analysis forum we went through what Casey scratched out on her handwritten statement about the time. Also went over there regarding George's memory and his statement 'bout seeing them leave ~12:50PM. Post#54 of the thread here is a good place to start.

I didn't follow the Peterson case...so, sorry, I'm clueless (as usual) 'bout that one.

JWG's spent a tremendous amount of time going digging into the guts of the computer forensics here and I was asking him to see if any of the "new" data he was looking at supported who was using the computer 6/16 2-3PM (and 6/20). Its not terribly important really. Just trying to see if any of the available information can paint a clearer picture about some of the details of the key dates.

 

[Ripley007]

Hey, Ripley. IKWYM. Kinda ot, but, IIRC, it was Casey statement that she dropped Caylee off "between 9-1", in fact, I think over on the 6/9 vs. 6/15 thread in the analysis forum we went through what Casey scratched out on her handwritten statement about the time. Also went over there regarding George's memory and his statement 'bout seeing them leave ~12:50PM. Post#54 of the thread here is a good place to start.

I didn't follow the Peterson case...so, sorry, I'm clueless (as usual) 'bout that one.

JWG's spent a tremendous amount of time going digging into the guts of the computer forensics here and I was asking him to see if any of the "new" data he was looking at supported who was using the computer 6/16 2-3PM (and 6/20). Its not terribly important really. Just trying to see if any of the available information can paint a clearer picture about some of the details of the key dates.

Thanks Bond...as far a comparisions to the Peterson case, Lacey and Scott went to Lacey's sisters hair salon the evening of 12/23. Her sister was able to tell LE what Lacey was wearing. LE found the shirt her sister described rolled up into a ball stuffed deep down inside the laundry hamper. The pants were never found TILL Lacey's body washed ashore. Her skeletal remains were "wearing" a bra and the pants she was seen in 12/23. It was surmised that Lacey was getting ready for bed when Scott killed her. she had only removed her shirt, nothing else, before her death/murder. I find the fact that Caylee's shorts she was FILMED wearing 6/15 with her skeletal remains as PROOF she was killed 6/15.

PS. I have NEVER believed CA's story that her and Caylee went swimming in the family pool late 6/15 (pre-fight?) NOR GA's claim of seeing KC and Caylee leave on 6/16. Quick pop quiz- name ANY article of clothing ANY family member of yours was wearing exactally a month ago!!! Aha! Can't can you. NONE of us can/could. Total BS! I just wish LE would have called him out to his face ON TAPE.

 

[DebC]

Snipped for space.

Great work as always, JWG!

What would she have had to have done to wipe her info out? I mean is it something as minor as deleting her temperary internet files, browser and cookie history's every time she logged off? Because George's info is still there. Or is what she did more detailed?

I am always impressed with the things you come up with.. you have a sharp mind!

Just deleting the file would not be good enough. It can be retrieved as long as that part of the hard disk has not been overwritten with another file. However, there are plenty of freeware programs available on-line which do just that. The software I have does a Gutmann delete (overwrites 35 times). I wonder is KC had something like this installed? All these files are kept in your profile, so she could run the software and it would only delete her internet history, not GA's

 

[SarahR]

If the actual pc had different login/user accounts (like on mine at home on winXP, we all have seperate accounts to log into our own desktops on same PC its like 3 PC's in one) and all users apart from main login/administrator was deleted, and George's account was the original admin account, would that maybe explain why just his searches are there, would all the cookies and internet info relating to the deleted accounts also delete. I hope that makes sense.

 

[Ripley007]

Hey, Ripley. IKWYM. Kinda ot, but, IIRC, it was Casey statement that she dropped Caylee off "between 9-1", in fact, I think over on the 6/9 vs. 6/15 thread in the analysis forum we went through what Casey scratched out on her handwritten statement about the time. Also went over there regarding George's memory and his statement 'bout seeing them leave ~12:50PM. Post#54 of the thread here is a good place to start.

I didn't follow the Peterson case...so, sorry, I'm clueless (as usual) 'bout that one.

JWG's spent a tremendous amount of time going digging into the guts of the computer forensics here and I was asking him to see if any of the "new" data he was looking at supported who was using the computer 6/16 2-3PM (and 6/20). Its not terribly important really. Just trying to see if any of the available information can paint a clearer picture about some of the details of the key dates.

You are absolutely right. My mistake. GA did not claim to have seen KC/Caylee between 9-1. It was KC who told LE that's the guesstimated time she went to work AT UNIVERSAL (!) that day. As I've RANTED before...the hours 9-1 cover TWO different work shifts, sort of. Either she worked a full time day shift beginning in the am or she didn't! That statement from KC is one of the top 10 most stupid things she ever uttered to LE in my opinion!

Re: your post...remind me again why you and JWG are looking at activity on the A's computer on 6/16? For what it's worth, I'll reinterate my own beliefs...Caylee was dead hours before the afternoon of 6/16. Sorry if that sounds harsh.

Have you been able to come up with any more info about KC's whereabouts the week between 6/9 and 6/16? I'm right there with you with on this therory....

 

[Searchfortruth]

Thanks Bond...as far a comparisions to the Peterson case, Lacey and Scott went to Lacey's sisters hair salon the evening of 12/23. Her sister was able to tell LE what Lacey was wearing. LE found the shirt her sister described rolled up into a ball stuffed deep down inside the laundry hamper. The pants were never found TILL Lacey's body washed ashore. Her skeletal remains were "wearing" a bra and the pants she was seen in 12/23. It was surmised that Lacey was getting ready for bed when Scott killed her. she had only removed her shirt, nothing else, before her death/murder. I find the fact that Caylee's shorts she was FILMED wearing 6/15 with her skeletal remains as PROOF she was killed 6/15.

PS. I have NEVER believed CA's story that her and Caylee went swimming in the family pool late 6/15 (pre-fight?) NOR GA's claim of seeing KC and Caylee leave on 6/16. Quick pop quiz- name ANY article of clothing ANY family member of yours was wearing exactally a month ago!!! Aha! Can't can you. NONE of us can/could. Total BS! I just wish LE would have called him out to his face ON TAPE.

ITA that George was making up the 16th sighting, his "memory" of exactly what each was wearing doesn't pass the smell test, IMO. LE took a picture of a blue jeans skirt of Caylee's and a pink shirt (granted she probably had lots of pink shirts) in the drawer, at the Anthony home, after the remains were found. I believe in the picture the jeans skirt is lying next to a pink shirt in the same drawer. I got a funny feeling when I saw that picture, in that it might be used to help debunk George's story about seeing Casey and Caylee on the 16th. I am having trouble finding the photo now though.

 

[Ripley007]

As I was looking through the internet history files recently "rediscovered" from the September document dump, I noticed something odd about the Internet Explorer history from the desktop computer. Before I get into this oddity, let me provide some background.

There are 4 files of interest from this 95MB behemoth:

• Internet History unfiltered.csv - Desktop Internet Explorer browser and cookie history. This history goes back to August 8, 2007, although the older history is much more sparse than the newer history.
• Unfiltered Temporary Internet History for Casey Profile.csv - Desktop Internet Explorer cache listing. This file dates go back to June 27, 2008. It appears, however, that there are some "holes" between June 27 and July 16. This does not imply anything nefarious as I don't know what caching policy was set in the Anthony's browser.
• Unfiltered History for user bobby.csv - Laptop Internet Explorer browser and cookie history. This history goes back to July 3, 2008.
• Unfiltered Safari Internet History for bobby.csv - Laptop Safari browser (Apple) and cookie history. This history goes back to July 13, 2008.

This looks like a lot of information, but I want to point out that much is still missing and leaves a lot of questions unanswered. Some key things that are missing:

• Internet history and temporary internet history from unallocated space, meaning deleted histories, from both computers. This is where the infamous Google searches for chloroform were found.
• Temporary internet history (cache listings) from the laptop.
• Safari internet history from the desktop, if it exists. I am thinking not, as it appears that Safari was installed on the laptop on July 13, 2008.

The desktop Internet Explorer browser and cookie history has the most and oldest information available, so this is where I have focused my attention. The oddity I noticed is that the cookies and URLs listed all looked like they were the result of George using the computer, and no one else. Up until the evening of the July 15, that is.

What I find odd is that we know KC used the desktop computer to visit Myspace, Facebook, and Photobucket yet prior to July 15 there are no urls or cookies from any of those sites recorded in the internet history. Based on this, it seems to me KC was in the habit of covering her tracks as she surfed. She did not clean everything because George's history is still there, so she was pretty sophisticated in this regard.

Of course it could have been Lee, but it is a lot harder to selectively clean a year's worth of history at once versus doing it as she goes. My money is on KC doing it as she goes. :twocents:

Knowing the surfing was George, I wondered if I could discern a usage pattern and compare it with what we know of KC's Photobucket uploads and the chloroform searches in March. :waitasec:

It turns out George is quite the creature of habit. While he does not surf every day, when he does surf it seems to always fall into the following time windows:

• 10 AM to Noon
• 10 PM to midnight

To a lesser extent:

• 5AM to 7AM
• 4:30PM to 6:30PM

George's surfing did not fall firmly within those boundaries, but staring at the time windows it is pretty clear his habits were fixed.

Pulling in the graph from a post I did back in early January, we can see KC's Photobucket uploads clearly took place when George was not on the computer - largely between noon and 3PM:

The infamous computer searches took place at the following times:

The clicks from March 17:

17-Mar 9:36:12 Clicked a Google-hosted ad from a myspace page
13:43:41 Search chloraform
13:43:41 Search chloroform
13:54:26 Search alcohol
13:54:42 Search acetone
13:55:34 Search peroxide
13:53:25 to 13:58:38 Wikipedia searches for inhalation, chloroform, alcohol, acetone, peroxide, hydrogen peroxide, death
​

The clicks on March 21:

21-Mar 14:16:30 Search how to make chloraform
14:16:30 Search how to make chloroform Google automatically suggested correct spelling
14:19:16 Clicked a Google syndicated ad
14:20:32 Search self defense
14:21:14 Clicked a Google syndicated ad
14:21:58 Search household weapons
14:22:01 Clicked a Google syndicated ad
14:23:08 Clicked a blog poll hosted by Google http://www.google.com/reviews/polls/...kclr=%235588aa
14:25:12 Clicked a Google syndicated ad
14:25:33 Search household weapons
14:25:54 Clicks http://books.google.com/books?id=_QMJNJIOKPEC&pg=PA79
14:26:18 Clicks http://books.google.com/books?id=_QMJNJIOKPEC&pg=PA79
14:26:24 Search neck breaking
14:28:18 Search shovel
​

Notice that the above computer searches took place during a time window that was consistent with KC's Photobucket uploads and outside the time window of George's usage. :thumb:

Thank You so much for all your hard work and effort. I'm quite sure it is appreciated by all fellow registered members as well of those who are still just lurking cause they can't sign on for all the various reasons. (Took me 4 months)
I 100% believe that KC killed her daughter in a 1st degree fashion. However, I have NEVER bought into the theory that she had been systimatically poisoning/drugging/knocking out Caylee. I believe what I believe. KC had been fantising about killing her parents, therefore, she was kind of numb to this/death thing. Therefore, when her mother started a fight with her on 6/15 about either something Caylee said or something she THOUGHT Caylee might say (threatening to quiz her the next day 6/16) KC panicked. She killed Caylee to silence her. This was easier for her because she had already been getting herself into the "mindset" of a killer, with her fantasies about killing GA & CA. I really did read some article on the web about it being easier to kill after one has been fantising about it... Again, JMHO.

 

[DebC]

If the actual pc had different login/user accounts (like on mine at home on winXP, we all have seperate accounts to log into our own desktops on same PC its like 3 PC's in one) and all users apart from main login/administrator was deleted, and George's account was the original admin account, would that maybe explain why just his searches are there, would all the cookies and internet info relating to the deleted accounts also delete. I hope that makes sense.

If an account is deleted, then all the files in that user's profile would be deleted, but the sectors they used on the hard drive would still be recoverable to a computer forensic person. When a file is deleted, it is not actually removed, just the pointer to it. What was in the file could be easily recovered, unless the sectors have been overwritten by other data.

 

[BondJamesBond]

RE: George's memory and his statement 'bout seeing them leave ~12:50PM. Post#54 of the thread here is a good place to start.

*snip*

Please use the thread in the link provided above to expand on the 6/16 vs. 6/9, etc. My apologies for clogging this one up. Details there on my opinion and others. Reasonably well developed IMHO.

RE: this thread. IMHO, the pings indicate Casey went to Lee's after leaving just after 1PM 6/16 and very possibly didn't return to G&C's that afternoon. The computer usage between 2-3PM is the strongest evidence IMHO that Casey may have returned to the house. However, since George typically left for work ~2:30PM I've proposed to JWG that the computer activity may belong to George.

The above line of speculation is primarily important to discounting a drowned-in-the-pool scenario.

And without clogging up here, IMHO, Casey's call records suggest Caylee was still alive until ~7:20PM...and met her demise in the parking lot of Tony's apt. complex. When/if we ever get confirmation Casey posed as ZFG for 5/14 citations...it'll further reinforce an even stronger case for Caylee still being alive as they drove toward Tony's that afternoon. There are two many independent pieces of info that support the ZFG-impersonation currently to ignore it.

...ok...computer forensics now

 

[Ripley007]

Juries are instructed to go by "reasonable doubt" right? Well, forget what we all KNOW! If you were on a jury, and you learned that in March, KC had a boyfriend who had a "chloroform joke" on his computer and then days later SOMEONE on KC's Family home computer looked up chloroform,...well there's your resonable doubt. I see NO way around this IF this is the only eviedence of chlorform in this case. (Given the fact that SO many posters have given us links and info about chloroform/cleaning products). Which brings me back around to own personal fav pet peeve query....How could LOTS of maggots been found in KC's trunk IF someone had tried to "clean" it first. Lousey cleaners? Explain please?

 

[Ripley007]

ITA that George was making up the 16th sighting, his "memory" of exactly what each was wearing doesn't pass the smell test, IMO. LE took a picture of a blue jeans skirt of Caylee's and a pink shirt (granted she probably had lots of pink shirts) in the drawer, at the Anthony home, after the remains were found. I believe in the picture the jeans skirt is lying next to a pink shirt in the same drawer. I got a funny feeling when I saw that picture, in that it might be used to help debunk George's story about seeing Casey and Caylee on the 16th. I am having trouble finding the photo now though.

QUICK POP QUIZ-Name ANY article of clothing that ANY human being you saw exactally one month ago was wearing????
I believe that NO ONE could answer this question. Interesting about the photo of the clothes GA claims Caylee was wearing. Would love to see the photo if you find it. Why did GA think anyone would "buy" this? Oh yeah, his WIFE made him do it. I forget sometimes....

 

[KenoshaKid]

Do we know what browser Casey used? I used Firefox and have mine set to delete history on exit. Could it have been something as easy as that?

 

[SarahR]

If an account is deleted, then all the files in that user's profile would be deleted, but the sectors they used on the hard drive would still be recoverable to a computer forensic person. When a file is deleted, it is not actually removed, just the pointer to it. What was in the file could be easily recovered, unless the sectors have been overwritten by other data.

Thanks Debc

 

[Ripley007]

*snip*

Please use the thread in the link provided above to expand on the 6/15 vs. 6/9, etc. My apologies for clogging this one up. Details there on my opinion and others. Reasonably well developed IMHO.

RE: this thread. IMHO, the pings indicate Casey went to Lee's after leaving just after 1PM 6/16 and very possibly didn't return to G&C's that afternoon. The computer usage between 2-3PM is the strongest evidence IMHO that Casey may have returned to the house. However, since George typically left for work ~2:30PM I've proposed to JWG that the computer activity may belong to George.

The above line of speculation is primarily important to discounting a drowned-in-the-pool scenario.

And without clogging up here, IMHO, Casey's call records suggest Caylee was still alive until ~7:20PM...and met her demise in the parking lot of Tony's apt. complex. When/if we ever get confirmation Casey posed as ZFG for 5/14 citations...it'll further reinforce an even stronger case for Caylee still being alive as they drove toward Tony's that afternoon. There are two many independent pieces of info that support the ZFG-impersonation currently to ignore it.

...ok...computer forensics now :

Do you REALLY believe there's eviedence to show Caylee was alive as late as 7:20 PM 6/16? Isn't the film footage from a video store (blockbuster?) from right at 8:00 pm 6/16. Convince me. And how does the 5/14 ZG traffic incident come into play? TIA.

And further-is there ANYTHING TonE could have possibly known or done to save Caylee's life?

 

[DebC]

Do we know what browser Casey used? I used Firefox and have mine set to delete history on exit. Could it have been something as easy as that?

I think KC used IE7. Not 100% sure about that though.
You can delete your browsing history, but the files created are still in their sectors on the hard disk. (see my posts above). This link tells you a bit about secure deleting and what it involves:
http://en.wikipedia.org/wiki/Gutmann_method
There is still a debate going on about how NOT recoverable files deleted with this method are. The FBI would have the most sophisticated procedures for recovering deleted files, and I think they are a lot smarter than KC as well.

 

[BondJamesBond]

Do you REALLY believe there's eviedence to show Caylee was alive as late as 7:20 PM 6/16? Isn't the film footage from a video store (blockbuster?) from right at 8:00 pm 6/16. Convince me. And how does the 5/14 ZG traffic incident come into play? TIA.

And further-is there ANYTHING TonE could have possibly known or done to save Caylee's life?

*snip*

Yes, Ripley, I really do.

And, yes, IIRC, the Blockbuster video time stamp starts around 7:55PM and ends around 8:04PM.

I dunno if I can convince you. I can spell it out on a Theories thread and you're welcome to poke holes in it...which I'm sure won't be that hard to do. Can also include there why the 5/14 traffic stop has something to do w/ 6/9, which has something to do w/ interpretting 6/16.

...again...my apologies for wandering off the beaten path. :blushing:

For my penance, I'll go check George's EPass records and see if that provides any insight into the 6/16 or 6/20 computer usage. :angel:

ETA: Summary of the EPass records here. They are silent re: George between 6/7 and 6/29. Grrrrrrrrr. :doh: Now I just gotta say 10 "Hail Marys" and 10 "Our Fathers" and I'm good. :angel:

 

[BondJamesBond]

I think KC used IE7. Not 100% sure about that though.
You can delete your browsing history, but the files created are still in their sectors on the hard disk. (see my posts above). This link tells you a bit about secure deleting and what it involves:
http://en.wikipedia.org/wiki/Gutmann_method
There is still a debate going on about how NOT recoverable files deleted with this method are. The FBI would have the most sophisticated procedures for recovering deleted files, and I think they are a lot smarter than KC as well.

*bold by me* justasmidge

FWIW, IIRC, in the chat dialogue 'twixt Casey and Iassen he mentioned something to her 'bout clearing her IM logs and she acknowledged that she knew how and was accustomed to doing it.

Now, that's a very foggy memory...so, heavy emphais on the IIRC. :bang:

ETA: OK...found it. Although...it seems my memory embellished Casey's response. :bang:

Sunday, 7/13/08: Time ~12Noon

Casey: Hey call me later. what are you doing tonight?
Iassen:Delete your logs so you dont get into trouble
Casey:Haha. no worries​

 

[sumbunny]

Juries are instructed to go by "reasonable doubt" right? Well, forget what we all KNOW! If you were on a jury, and you learned that in March, KC had a boyfriend who had a "chloroform joke" on his computer and then days later SOMEONE on KC's Family home computer looked up chloroform,...well there's your resonable doubt. I see NO way around this IF this is the only eviedence of chlorform in this case. (Given the fact that SO many posters have given us links and info about chloroform/cleaning products). Which brings me back around to own personal fav pet peeve query....How could LOTS of maggots been found in KC's trunk IF someone had tried to "clean" it first. Lousey cleaners? Explain please?

From what I can tell, the maggots weren't found in the trunk, but in the white plastic garbage bag that was removed from the trunk in the tow yard.

 

[Ripley007]

From what I can tell, the maggots weren't found in the trunk, but in the white plastic garbage bag that was removed from the trunk in the tow yard.

Now, see I can't tell that from the testimony and such I've heard. I need clarification. Thank you for pointing me in direction of the garbage bag eveidence...still... didn't Henry L state on NG that he found maggots in the trunk when he was brought to florida? I'm confussed.