I am involved as the defendant in a court case where the local TI did an image of my computer using EnCase 6.8 and concluded that I had done three Google searches of the insurance investigator 23 days prior to the fire in my home. Each was from an overwritten file and each search had identical time stamps.
Our forensic expert, using a Unix-based system, found the actual Google search, which was 24 days after the fire when I was trying to follow up with the investigator after he interviewed me. In other words, there is a difference of 47 days from the time the local TI says the search was made to the actual date.
It should also be noted that there was a five month lag between the time the TI acquired the computers and the images were made.
The insurance investigator was an outside contractor working for a firm with over 100 investigators and who had not been hired by my insurance company but rather by their owner company. (My insurance company was a wholly owned sub.) The investigator was not hired until after the fire and he was not local (coming from 150 miles away). Of course, I had no way of knowing this person.
It is also noteworthy that the local TI's results showed that I had approx. 3200 web searches with identical time stamps. I did not recognize any of these searches and they appear to have a suspicious origin.
Not to poison the well but there have been many other problems in this case.
The court has already made a ruling that the timestamps are not reliable but I am more interested in how they became NOT reliable.
Speculation: Did the local TI change the dates using NirSoft or something similar and then flood my system with searches to cause the system to overwrite, attempting to hide his tracks? How was this done? Did he merge databases into my system and then do the images? I have seen many items which show time problems related to daylight savings time or time zones or GMT but nothing on this scale. Has anyone out there heard of anything remotely resembling this set of circumstances where dates are off by nearly 7 weeks? It would seem that Guidance would be getting killed with product liability suits if there were no human hand involved in the manipulation of the dates with the purpose of incrimination.
Any ideas?