OK, I'm caught up again, so much that my eyes are crossed and my brain scrambled, so if I'm not "getting it", please be gentle. I know enough about computers to be dangerous, but even so this is just not making sense to me. Those of you who go to sleep reading computer type stuff just scroll on by but I'm hoping someone will understand my confusion and point out where I got so confused.
Melendez testified he was at the scene on the 9th, said the computer was asleep when he checked it, so he powered it off and removed the plug. Came back the next day to pick it up and log it into evidence. I cannot seem to find the exact date for when he did his exam but it was June 2008 - I would suspect that it was shortly after bringing it in. He powered it on and did a mirror image using EnCase & writeblock. He testified to most of what he looked at and it sounds like he did a thorough job, at least one good enough to have noted anti-virus activity but nothing like this was mentioned AFAIK. He stated there was no [...], no naked women, no browser history showing [...] sites or software that users typically use to access [...]. Defense had their guy examine this image and he found nothing either.
So a whole year later, according to Nurmi, Flores takes the computer out of evidence and deletes/shreds 1,000s of files, plus the browser history and registry. A detective does this, knowing full well that the forensics team has preserved the data from that computer a whole year prior?
Their new forensics person is somehow able to find evidence of this in a computer years after he says Flores deleted huge amounts of data. Am I correct in assuming they actually received the physical computer and that's where they found all of this? Someone up thread said it was found in overwritten files, although I missed reading where this info originated. But if they found them in 2014, and found evidence that the files were deleted in 2009, how do they explain the image copies that Melendez made days after the murder that don't show these deleted files? They had to have been there in 2008 to have been deleted in 2009, right?
Several here are talking about a trojan and antivirus cleanup being the reason these links were left on the computer. But if these files were on the computer, the anti-virus would have had to have been activated prior to Melendez making his image copy, so why did he or the defense expert not notice something like this? Whether or not anti-virus writes over the files it deletes, either EnCase software or a forensic examiner would find a bunch of nonsense data that is used when a program wipes/overwrites files. Or there would be huge unallocated clusters from thousands of files being deleted if they were not overwritten. Both forensics guys would have noticed the anti-virus software startup in the activity logs too. But Nurmi says that Flores deleted all these files in 2009, so they couldn't have been left from anti-virus activity in 2008. Now if there were in fact only a few links planted by a trojan and then overwritten by anti-virus software, that might be easier to understand, but I still say Melendez would have noted it being activated in the activity log, and Nurmi is saying huge amounts of data were deleted/wiped in 2009.
Help?