Monday, July 11, 2011

Casey Anthony Digital Evidence - Chloroform Searches

Digital Detective posted an excellent analysis of the MORK file that was part of the Casey Anthony trial evidence related to the computer searches, particularly for chloroform.

Here is a link to the post. Digital Evidence Discrepencies - Casey Anthony Case  it is highly technical, but I would expect no less from the people who make NetAnalysis, a forensic tool I have used for several years now.

I don't know how they got a copy of the history.dat file used in the case.  However, as the consulting expert that assisted the defense team in this area, I can say that based on the analysis I did of all of the digital evidence in the case, that Digital Detective got it right.

The history.dat file was carved from unallocated space.  At the time I carved it from the hard drive, I knew is was not a complete history file as the end of the file was not "clean".  However, what was carved from unallocated space could be parsed.  At the time that I did the original analysis, I used NetAnalysis, since at the time, there were no other forensic tools I was aware of that could parse a MORK file.

I also went and found the programming documents describing the MORK file format and studied it to make sure that what I was seeing matched the construction of the data.  This was also critical in making sure that was what carved from unallocated space was as complete as possible.

When John Bradley of SiQuest, makers of CacheBack, testified that there were 84 hits for the chloroform page, I was shocked.  That certainly did not match my analysis results or those of Sandra Cawn Osborne.  So I went back and reparsed the file using the most current version of NetAnalysis and compared it to the original parse results I got back in 2008.  They matched exactly.

An immediate red flag to me about the 84 hits was that the normal progression you see in Internet history records was missing.  I went back and re-analyzed the data and came to the conclusion that the other program had incorrectly parsed the MORK database file.

Anytime you examine Internet history, you are looking for certain things that indicate that the history file parsed correctly; Dates and times that are in the correct order, the proper progression of visit counts, and the presence of correct headers, page titles, etc.

Since I was a consulting expert and could not testify at trial, I supplied the cross examination information for Jose Baez to use in confronting the 84 hits when the opportunity came at trial.

I think Jose did a great job using the information I prepared for him and exposed a glaring error in the evidence presented to the jury.

2 comments:

  1. Larry, can you explain to non US examiners why you couldn't give evidence? In the UK your report would be submitted and the prosecution and yourself would be expected to come up with areas of agreements and disagreements ie the visit count to the webpage. You would then be required to give your evidence yourself rather than just have Baez try to counter the prosecution "expert".

    ReplyDelete
  2. Hi Artemis,

    I am not an attorney, but here is the gist of it in the US. If you are going to testify, you have to be disclosed on a witness list, and depending on the state, you may be deposed as well in advance of your testimony. I was originally on the witness list as a testifying expert, but was taken off to work as a consulting expert on more than just the computer evidence, meaning that I would not testify. We had another expert who was supposed to testify but he withdrew from the case. That left us with no testifying expert, so everything had to be done through cross examination.

    ReplyDelete

I have moderated my comments due to spam.