Jury enters court
The jury has entered the court after a lengthy delay on Wednesday morning.Digital forensics expert takes the stand
The jury has heard Fox-Henry has worked for Vic Police, helping to recover files, since 2020.He joined the Cyber Crime Squad in July 2023.
Since joining Vic Police, Fox-Henry estimates he has worked on “hundreds” of cases and examined more than 1000 devices.
How does digital forensics work?
The court has been shown powerpoint notes on how digital forensics are carried out on computers and phones.The notes are as follows:
Digital forensics - computers
- Take details -> remove internal storage -> connected to computer via a Write Blocker -> image -> process image, export portable case -> then return to investigator.
- Write Blocker - stops any data being changed on the device
- Image - a digital copy (file) of the hard drive
- Processing the image refers to importing the image and software interpreting the data
- Portable case - is the interpreted data in a non-editable form for the investigators
- Take details -> extract digital data via an extraction tool -> process data -> export portable case -> return to investigator
- Extractions of mobile phones require specialised extractions generating a digital copy
- Processing the data refers to importing digital copy and software interpreting the data
- Portable case - in the interpreted data in non-editable form for the investigators
He said data in digital forensics is referred to as “artefacts”, which can include files, folders, and internet searches.
Fox-Henry said specific forensic software programs can then be used to generate information about artefacts, such as when they were created or last accessed.
Magnet Axiom and Cellebrite are the software programs used within his department to analyse computers and phones, respectively, Fox-Henry said.
Different types of artefacts
The prosecution have asked Fox-Henry to explain different types of data commonly found on computers.Fox-Henry earlier told the court that pieces of data, in digital forensics, are called “artefacts”.
Here are the descriptions of artefacts that can be contained on computers as shown on a powerpoint presentation presented in court:
Files and Folders
- A file is the common storage unit in a computer. Programs and data are “written” into a files and “read” from a files.
- An example - word document - contains data that a user types that can be opened and read by the user later with an applications that supports it
- A folder holds one or more files and a folder can be empty until it is filled.
Thumbnails
- Smaller images that represent larger images designed to speed up processing and allow for faster review of photos and media.
- Email files. Generally comprised of three parts - header, message body, and attachment.
- Records of the local user visiting a site/file path/website
- Is a record of the autofill values that browsers save for different types of text fields across different webpages. The main value is the saved autofill value for specific fields. This value can track when it was created and when it was last used in a field.
- This artefact contains the favicons that browser displays in the title/address bar. A favicon is the icon associated with a website displayed
- Is an artefact that contains the URL that is associated with the Google search engine
- Is an artefact that contains the URL that is associated with search engines, except Google
- Cookies are small files of information that web servers generate, to inform websites about the user, to allow for personalisation of the users’ experience, typically for ads.
- Are keywords that were searched for on the system
- Is an artefact that contains the content that Edge/Internet Explorer 10-11 caches, this can include webpages, pictures and other resources
IE InPrivate Recovery URLs
- Is an URL that is recovered from somewhere on the device
- These URLs can be located anywhere on a user’s system
- For example:
-Can also be recovered or extracted from PDFs of manuals of software
Windows Timeline Activity
- Contains information about application usage
- Can hold information such as start and end times, duration, and the number of seconds that device was engaged within the application
- Example:
-Or when a browser (Edge) was opened and when it was closed
Searches on Patterson’s laptop shown to the court
Fox-Henry has told the court there are two types of storage devices in a computer - a Solid State Drive (SSD) and Hard Disk Drive (HDD).He said SSDs function on electricity, while HHDs operate using spinning disks.
Fox-Henry said he was given three storage devices to analyse in relation to Patterson’s case: a 120GB Samsung Vivobook SSD, a 250GB Hitachi hard drive, and a 120GB silicon powered SSD.
Fox-Henry told the court he searched for artefacts using the keywords “death caps,” “mushrooms” and “poisons”.
The court was then shown a report compiled of artefacts found on Patterson’s computer.
The report indicated software identified several records of Bing searches that linked to citizen science website iNaturalist on the evening of 28 May, 2022.
Those records were stored on the Samsung SSD.
According to the report, the term “inaturalist” was entered into Bing at 7:20pm.
At 7:21pm, the iNaturalist website was then visited.
The court was then shown four records of website activity on iNaturalist between 7:22pm and 7:23pm that same night.
They included visits to three URLs on the iNaturalist website. Two of those URLs were titled “observations iNaturalists” and were each visited once.
The third URL visited was titled “Deathcap from Melbourne VIC Australia on May 18, 2022 at 2:36pm by Ivan Margita Bricker Reserve Moorabbin”.
The last URL was visited twice.
The records show, moments later, a Google Chrome search was then made for the term “Korumburra middle pub”.
Jury told not to look up the search URLs
Justice Christopher Beale has warned the jury not to seek out the URLs identified in the search records.Patterson’s personal autofill information used on laptop moments after searches
The court has been shown records that indicate Patterson’s personal information was logged into her laptop moments after visits were made to iNaturalist.The two records indicate that Chrome autofill entered Patterson’s saved mobile number and her name into a website or websites at 7:24pm and 7:25pm, respectively, on 28 May 2022.
Fox-Henry said there was not enough information in the record to ascertain which websites were accessed during those instances.
Further data records support iNaturalist visits
The court has been shown other artefacts that support the notion that visits were made to iNaturalist on Patterson’s computer on the evening of 28 May, 2022.The artefacts include data records from Chrome Cookies, Chrome Favicons, Chrome Shortcuts, Edge Internet Explorer, and Windows Timeline Activity, which all link to iNaturalist during the same timeframe.
Digital forensics experts extracted messages between Patterson and mother-in-law Gail
The court has heard a Cellebrite extraction was performed on Gail Patterson’s phone on 20 November 2023.Several messages between Patterson and Gail will be shown to the jury at a later date.
Court wraps up for the day
Court has finished for the day.Follow along tomorrow for more updates.
Searches on Patterson’s laptop shown to the court
Erin Patterson is accused of killing three people with poisonous death cap mushrooms.
7news.com.au
