Monday, July 11, 2011

Casey Anthony Digital Evidence - Chloroform Searches

Digital Detective posted an excellent analysis of the MORK file that was part of the Casey Anthony trial evidence related to the computer searches, particularly for chloroform.

Here is a link to the post: Digital Evidence Discrepancies - Casey Anthony Case. It is highly technical, but I would expect no less from the people who make NetAnalysis, a forensic tool I have used for several years now.

I don't know how they got a copy of the history.dat file used in the case. However, as the consulting expert that assisted the defense team in this area, I can say, based on the analysis I did of all of the digital evidence in the case, that Digital Detective got it right.

The history.dat file was carved from unallocated space. At the time I carved it from the hard drive, I knew it was not a complete history file, as the end of the file was not "clean". However, what was carved from unallocated space could be parsed. At the time that I did the original analysis, I used NetAnalysis, since at the time, there were no other forensic tools I was aware of that could parse a MORK file.

I also went and found the programming documents describing the MORK file format and studied them to make sure that what I was seeing matched the construction of the data. This was also critical in making sure that what was carved from unallocated space was as complete as possible.

When John Bradley of SiQuest, makers of CacheBack, testified that there were 84 hits for the chloroform page, I was shocked. That certainly did not match my analysis results or those of Sandra Cawn Osborne. So I went back and reparsed the file using the most current version of NetAnalysis and compared it to the original parse results I got back in 2008. They matched exactly.

An immediate red flag to me about the 84 hits was that the normal progression you see in Internet history records was missing. I went back and re-analyzed the data and came to the conclusion that the other program had incorrectly parsed the MORK database file.

Any time you examine Internet history, you are looking for certain things that indicate that the history file parsed correctly: dates and times that are in the correct order, the proper progression of visit counts, and the presence of correct headers, page titles, etc.
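The checks listed above can be run mechanically over a parser's output before anyone relies on it. The following is an added example, not code from this post or from any of the tools named in it; the record layout, the function name `check_history`, the sample URLs and the reading of "progression" as non-decreasing counts and timestamps per URL are all assumptions.

```python
# Constructed sample: records in the order a parser emitted them.
# Layout (assumed): (url, first_visit, last_visit, visit_count, title),
# with times as integer timestamps in one consistent unit.
SAMPLE = [
    ("http://example.test/a", 1000, 1000, 1, "Page A"),
    ("http://example.test/a", 1000, 2000, 2, "Page A"),
    ("http://example.test/a", 1000, 3000, 3, "Page A"),
    ("http://example.test/b", 4000, 4000, 40, "Page B"),  # high count, single timestamp
    ("http://example.test/c", 6000, 5000, 2, ""),         # dates reversed, no title
]

def check_history(records):
    """Return (index, url, anomaly) tuples for records that deserve a second look."""
    anomalies = []
    last_seen = {}  # url -> (last_visit, visit_count) from the previous record
    for i, (url, first, last, count, title) in enumerate(records):
        found = []
        # Dates and times in the correct order within a record.
        if first > last:
            found.append("first visit is later than last visit")
        # Visit counts that make sense on their own.
        if count < 1:
            found.append("visit count below 1")
        if count > 1 and first == last:
            found.append("visit count above 1 but first and last visit are identical")
        # Expected descriptive fields are present.
        if not title:
            found.append("missing page title")
        # Progression across successive records for the same URL.
        if url in last_seen:
            prev_last, prev_count = last_seen[url]
            if last < prev_last:
                found.append("last visit moved backwards")
            if count < prev_count:
                found.append("visit count decreased")
        last_seen[url] = (last, count)
        anomalies.extend((i, url, msg) for msg in found)
    return anomalies

if __name__ == "__main__":
    for index, url, msg in check_history(SAMPLE):
        print(f"record {index}: {url}: {msg}")
```

An anomaly here is a prompt to go back to the raw bytes and a second tool, not proof of a parsing error by itself.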

Since I was a consulting expert and could not testify at trial, I supplied the cross examination information for Jose Baez to use in confronting the 84 hits when the opportunity came at trial.

I think Jose did a great job using the information I prepared for him and exposed a glaring error in the evidence presented to the jury.
