PaulSanderson wrote:
I am not sure if anyone has mentioned that the accuracy of the BIOS clock now/when it was seized does not necessarily mean that the clock was right at the time of the search. Even if the computer was synched to a time server the user could manually adjust the clock and either change it back or it woyuld be changed back at the next synch.
Determining whether the clock has been adjusted can be a bit of a fishing expedition, i.e. you dont know without examining the image what logs will show evidence of tampering - i.e. which logs are present.
All in all this may not be an investigation where you can ask for a copy of the registry and the firefox logs (not a forensic image of the firefox browser as you asked privately).
Thanks Paul,
I will ask the states attorney's computer crimes officer if they can provide a forensic image for a specific date. They have advised me the will charge $20,000 to provide a "scrubbed" forensic image of the complete hard drive. They estimated their man hours in months. So having the computer hard ware in the custody of law enforcement, is definitely an obstacle to this investigation. But, I have been provided .dat files and history on a CD. So they will work with me on this.
Keith
↧