Monday, January 17, 2011

windowserver.log, Raffaele Sollecito's alibi witness

In the Massei report there is a ton of wild conjecture that passes for proven fact.  In the section dealing with the computer forensics however we run into statements that are reproducibly falsifiable.  That is Massei has findings of fact in his report which are not only contrary to literally thousands of pages of documentation published by Apple computer on how their operating systems work, but in fact can be falsified easily with every Macintosh computer sold in the last decade.  This is the very height of exculpatory evidence, it is evidence that can be infinitely attested to.  It is from an empiricist definition the very definition of a false statement.  Now this attack on the computer forensics, may sound like me getting on a high horse and nitpicking.  You might say something like "sure Massei is an arrogant buffoon for claiming as a matter of law that he understands OSX better than Apple computer, but he was deciding a murder case not a computer case" and you would be right.   But the computer forensics came up for very good reasons.  The false forensics were the means by which the police convinced Raffaele to give an alternate alibi to his original one.  That is without the computer forensics there is no reason to suppose that Raffaele and Amanda were not in his apartment watching Amelie at 11:00 when the prosecution believes that Meredith Kercher was killed.  They have an alibi again and we can go back to trying to decide this case on the facts on not on Mignini's hunch.    Moreover, if Raffaele has his 11:00 PM alibi then the prosecution doesn't have to argue their own medical examiner botched the autopsy to get their theory of the timeline to match what they consider the key material evidence.  Suddenly we are back to the murder happening at 9:00, Amanda and Raffaele being blocks away, and if they were involved at all only being involved in the clean up.   So this is a very big deal.  I'm going to do my best to try and make the debate between the prosecution and the defense on the computer forensics understandable, so you can follow as much of this as you can take and at least people have a reference they link off of.  The actual documentation submitted is very difficult to read because, IMHO, whoever wrote the documentation is parroting things they heard rather than understanding what they are writing.

The core argument between the prosecution and the defense has been regarding the use of Encase which is a computer forensics tool.  Encase was used to interact with Macs, running the OSX operating system on the POSIX level, the stuff common to every UNIX.  So the prosecution did not look at anything which is OSX specific, for example the defense objected to the fact that the prosecution only examined the 3 types of timestamps used by POSIX vs. all 5 types of timestamps that OSX supports.  The defense argues that there is evidence in some of the OSX files and flags showing signs of human activity, and that these signs are not present in the POSIX things that the prosecution examined.  To give you an analogy  If I were describing a book in Chinese I might have to talk about its color, its weight, the front cover illustration if there is one, the number of pages.  That's a limited amount of information.    While if I were talking about a book in English I could talk about its title, the description on the back or dust jacket, other books by the same author.  And the defense's argument is that they have found evidence in that additional information proving human activity at the time of the murder.

Getting more specific the defense argues that there is exactly the kind of exculpatory evidence that could have been missed via. inappropriate methodologies in the windowserver.log file.  Windowserver.log is part of OSX's NeXTSTEP heritage.  On most POSIX systems the sorts of messages in the Windowserver.log file would have been caught at the X11 level, not by the windowserver and thus wouldn't have been logged.   Since this is one of the  key points in the appeal it is worth answering the questions:
  1. What does the Mac's windowserver do?
  2. What sorts of things does it log?

Take a quick peek at this diagram to the left.  You can see basic I/O actions like typing on your keyboard or moving your mouse get dealt with at the lowest level by Kernel drivers these can also basic translations So user hold shift - a - release shift - n - g - e - l - space - f becomes user types "Angel f".  Then  the system needs context if the system is booting or in some sort of single user mode you don't want to send messages to a complicated GUI.  The context determination is done by "Core Services".   For hardware actions that are going to require interaction with end user applications, like spreadsheets, web browsers or games the message is passed through to the Windows Server.  It then can handle the message itself, which is generally the case with mouse movements; or it can pass the message onto the correct application depending on where various things are on the screen, which is generally the case with keyboard input.   Lets see an example of both.  Microsoft Windows machines also have window servers and while things don't work quite the same, but close enough for this demonstation.

I want you to grab another window other than this web browser and move your mouse really quickly so that you keep covering and uncovering this line from various angles.  Next I'd like you to reload this webpage and have the browser's rendering engine redraw everything. The first kind of redraw was fast.  What happened was your window server saw the two windows were going to overlap, had already buffered what the applications wanted in their windows broke everything down into primitives and fed it to the your graphics card.  When you changed your mouse direction the window server used the relative eternity of those hundredths of a second to repeat this process and the two windows passed smoothly.  The second time we had the application actually redraw everything and let the window server know what was needed.  Orders of magnitude slower.

So hopefully I've convinced you:
  • To be grateful to your window server for the years of eye strain it has saved you from suffering
  • Why the window server is a very credible witness to a human interaction with a computer. Exactly the sort of process that would know when Raffaele (or another user) was clicking his mouse or banging on his keyboard.
So you might think "perfect, we just ask the WindowServer what it was doing at the time of the murder and we either confirm or refute Raffaele's alibi".  Oh if only it was that easy.  WindowServer listened to your childhood coach about focusing on this play "keeping your head in the game".  It is fast it lives unencumbered by the past, existing in a permanent now.  Your obnoxiousness with the mouse  and the two windows is forgotten.  WindowServer itself is the perfect witness with an amazingly bad case of Alzheimer's.  Oh but it does keep a log book a place where it writes down some important stuff, called windowserver.log.
    I've highlighted where the Window Server sits on the OS side. This is just like our other picture but with more stuff on it, you still see hardware, kernel, core services, the window server, the application environments and the applications themselves.   The point I wanted to make is where this plugs into on the OS side, the Quartz system, if you are a Mac user this is probably not your first time hearing about "Quartz" the part of the OS that handles graphics for applications and hopefully seeing Window Server in this context helps you make the mental shift to thinking of this from the application's perspective.  If you start to think in terms of Quartz then you can think of this as the applications make calls to the Window server to draw, resize, hide, and move windows using Quartz graphics primitives.   It also handles extraneous interactions like the screen passing over, from the previous example.  What you would expect Quartz to do.  If you haven't heard of Quartz don't worry about it,  The main thing you need to understand is that it sits in the Quartz layer that most applications use to handle the screen.    If you look directly above WindowServer, you'll see references to Carbon, Classic...  the various applications environments.

    Cocoa has the best support for Window Server so lets look at this from Cocoa's perspective rather than the Window Server's as we switch over to the logging.
    I've highlighted the NSWindow binding which is where Window Server interactions will occur.  You can see it is inside of NSResponder, which makes sense, this is how the system is going to pass events to you as an application that it believes you need to respond to.  Conversely creating a Window needs to create a reference with Window Server so it can manage it....

    It is this interaction between NSWindow as an abstract binding and WindowServer as an actual entity that will generate log.  Anytime for example an application requests something impossible, like a window bigger than the screen it is on, if an applications reports that it has no idea what do with a message that was passed to it, etc... Window Server writes a short message in windowserver.log recording this failure and then "uses its judgement" about how to handle the problem.  If you look at your own windowserver.log (if you are on a mac) you'll see that depending on your applications somewhere from every few seconds to every ten minutes something like this happens and a note is recorded.  They may seem a bit cryptic but they are designed for the applications programmers to see where and when these times when windowserver had to guess occurred.  Apple's documentation for the NSWindow class, discusses in detail what sorts of events specifically will generate log.  For example in the section on setBackingType Apple indicates that if buffering is changed after initialization that will generate an error, a log entry in windowserver.log.  I don't see any advantage in going another level deep but I hope the discussion above makes it clear what the connection is between NSWindow and Window Server, and why that documentation should be taken as authoritative on Cocoa applications generating windowserver.log entries.

    For the other environments:
    • Carbon the default is to register windows and get messages more or less like the OS9 windowserver unless kOSAModeNeverInteract is set.
    • Java the interaction happens at the JRE level.
    • Quartz-wm: handles the interaction for X11 applications.
    • Quicktime has a lower level primitive that can peer with windowserver (this is complex)
    • Classic didn't run on Raffaele's computer so we can ignore.
    And that's basically it.  Most every application uses Quartz, Quartz uses Window Server to manager the windows, Window Server logs all errors or anytime an application doesn't know how to respond to but mostly when they make an invalid request.  Common invalid requests are documented.  That is the defense's theory and it is fully 100% supported by Apple.  I leave it to you whether you consider Apple or Massei/Mignini more credible on what generates log.   Needless to say everything in this post is reproducible and verifiable on any Apple computer running OSX.

    _

    Let me move away for teaching for a second, and do a pure editorial. I've never personally done forensics in a case involving violence; when I've done it has always been theft or fraud or mostly just trying to figure out and reverse the cause of corrupted data that is driving the investigation. That being said a programmer's laptop should be analyzed more like you would a server and less like you would a general end user's. Encase is fine for Amanda or Meredith's laptops had the prosecution not "accidentally" destroyed them. I don't think it is appropriate at all for Raffaele's.   Since he was doing a computer science thesis he's a programmer it is going to require a skilled operator to do the investigation things are not going to in most obvious places or setup in the most obvious way and your typical forensic analysis will be wrong. For example the prosecution focuses heavily on cache data, and that is exactly the sort of thing you would typically check on an end user's laptop to look for activity. I agree with the prosecution's thinking. Most end users on a Mac would have their cache's in /Users/[Raf's username]/Library/Caches and /Library/Caches. But on Raf's machine I'd want to check places like /opt/local/var/cache (Apple's Darwinports default cache location), /sw/var/cache (Fink's default cache location) and he might even have a personal one like ~/caches. Encase won't check for those sorts of caches and thus the investigators won't find these in a cache's report. I agree with Raffaele's defense's intuitively, professionally, the examination the defense argues should have occurred, is exactly what I would have done were I investigating. I do consider this to have been a mistake.

    Moreover, I'll say it is the sort of mistake that a forensic accountant / examiner is likely to make; so at least on this point I don't see evidence of an intent to mislead the court. I think the prosecution is innocently incorrect.  I hate to take Mignini off the hook ever, but I don't see signs of the prosecution deliberately lying on this point.

    There is one another bad news for the defense.  Raffaele being a programmer cuts both ways.  Because he programs we can assume he knows or can easily learn how to have programs generate events that look like interactions with hardware.  He also knows how to change the windowserver.log file.  Which means on his system we have to consider the contents of these files less definitive than they otherwise would be.  I'd want to look at samples of his code from that time to get a grasp on whether the computer is telling me is likely to be true at worst or highly likely to be true at best.    I would scratch definite however in either direction.

    17 comments:

    wald1900 said...

    CD-Host
    While I don’t pretend to fully understand the technical explanation you provided here, I think what I’ve just read tell me that there are “other” timelogs the prosecution failed to test that prove Raffaele’s computer was in use at 11:00? Did I read correctly that the defence has already looked at the OSX logs not examined by Encase, and knows for a fact that these logs prove activity at a time that helps validate at least a portion of Raffaele and Amanda’s alibi?

    Also, just a general question....why doesn’t Encase not look at these “other” OSX logs. Given your discussion, wouldn’t it seem that they should always be looked at as a matter of course in any routine forensic examination of a Mac? To put the question another way, is there something unique about this case that makes looking at these “other” logs critical, that in other cases makes their review unnecessary?

    Rose Montague said...

    I got lost at the Quartz part but I get the general gist of things. I appreciate your post. wald1900 makes a good point and an excellent question. In my opinion, the police expert didn't really want to find anything that would support Raffaele's alibi. He didn't look very hard. A similar situation on the DNA lab with the perfect record on no contamination. The best thing that can be said about that is if they have a perfect record then they are not looking very hard for something that would spoil that record.
    How hard did they look for small pieces of glass on the ground under the window that would show that the exterior shutters were open at the time Filomena's window was broken (in contrast to the Massei theory that they were closed and the window broken from the inside)? The photo's I have seen show the cops smoking cigarettes under that window. Nice way to maintain a crime scene. Now they did look pretty hard for some DNA on the knife blade.

    CD-Host said...

    Wald1900 --

    I think what I’ve just read tell me that there are “other” timelogs the prosecution failed to test that prove Raffaele’s computer was in use at 11:00?

    That is the defense claim. I don't have the actual message just where the message occurred. So I can make an argument as a semi hypothetical if the message is one that arise from a human operator then it provides Raffaele with an alibi. Right now the argument is whether to admit this alibi witness or not. Massei had ruled that the data from Encase was "definitive", which is why I'm blasting him. The appeals court is still dawdling. The issue of windowserver being a credible witness, and more credible than the data that from Encase is clear cut.

    Also, just a general question....why doesn’t Encase not look at these “other” OSX logs.

    Basically it comes down to that for Encase being standard is better than being right. Let me expand:

    1) The POSIX stuff is governed by the IEEE and IEEE standards have tons of case law attached to them. It wouldn't shock me if Sollecito is the very first case involving windowserver.log. In a murder trial that doesn't matter to much but in a civil trial or say something like a burglary, both sides would want to avoid getting stuck in a rathole (i.e. money) of having to litigate out the sorts of issues in my post.

    2) Encase's file format for reporting of information is vetted by courts and is vendor neutral. They try as much as possible to stay away from things specific to computer vendors.

    3) Righting the software to pull from the POSIX level is cheap. Virtually every operating system has a POSIX compliant layer. By sticking to POSIX, Guidance (the makers of Encase) cut their development costs by say 90%.

    4) In a murder investigation involving a programmer's laptop most American semi-skilled forensic people would have recommended a fully skilled person also do the investigation. My comment that you treat a programmer's desktop like you would a server which means you do a standardized forensic analysis and then a custom forensic analysis.

    But yes if our courts were trying their best to "right" these logs should always be looked at.

    CD-Host said...

    Rose --

    In my opinion, the police expert didn't really want to find anything that would support Raffaele's alibi. He didn't look very hard.

    My opinion is that he really isn't an expert. He's semi-skilled, that he knew enough to be dangerous. If someone says something like, "I know how to work this machine. I press the green button until the red light flashes then I throw the 2nd switch."

    Let's assume that the situation were reversed and Encase showed possible activity while the logs showed that the system was running unattended if they would have looked harder. I tend to think the police used a strategy of keep looking at evidence until you find evidence of guilt then stop. A "if you have made the sale shut up and take the order". In that case I could easily imagine them pulling in an appropriate expert. I just can't tell if the guys doing this knew better or not.

    Sorry, I'd love to agree with you on intent, I just can't bring myself to see evidence for it. They suck and they are dishonest and it is sometimes hard to tell one from the other. Your smoking example is a great example of the "they suck" or the failure to change gloves is also in the "they suck". I've seen people make this kind of mistake by accident too many times, "they suck" is just more likely given the type of mistake than "they were covering it up".

    wald1900 said...

    Keep on, keepin on, CD-Host. That's why we love you....and hate you. You call 'em as you see 'em. While I don't always agree with you, I respect the tennacity and intellectual honesty of your logic.

    CD-Host said...

    OK there are various comments about this article on different sites.

    The Amanda Knox and Raffaele Sollecito facebook page liked this line:
    Moreover, if Raffaele has his 11:00 PM alibi then the prosecution doesn't have to argue their own medical examiner botched the autopsy to get their theory of the timeline to match what they consider the key material evidence.

    ____

    On PMF the article came in for heavy criticism. Lots of variations of "fuck you" were directed my away along with 3 general classes of comments:

    a) The log can't have any real content because otherwise we would have heard about it.

    b) The log can't have any real content because otherwise Encase would have picked it up in other locations.

    c) The log doesn't matter we should follow standard procedure.

    ___

    (a) Is actually a pretty good argument in a lets ignore the trial sort of way. Obviously the court shouldn't rule this way, my point was how the appeals court should rule. But I must admit to some concern that this evidence is just a flash in the pan.

    (b) Is just false for the reasons mentioned in this article. Encase doesn't check everything and programmers do things outside the normal directories.

    I've never interviewed Raf to figure out if he's a macports guy, a fink guy or a roll your own guy but he's likely going to be one of them. He could easily have all sorts of tools operating in different hierarchies. He may have chrooted an environment for his experiments. BSD's don't have runlevels except for 1 (single user mode); but I could imagine he didn't want all the CPU overhead of a higher runlevel and just wanted a few Text Terminals while doing a simulation. There is a version of grub for mac. Quite simply there is no way a fairly simple piece of software is going to be able to explore the possibilities. Someone is going to have to get in their and look.

    c) Is something I just can't relate to. I know millions of people think this way but the idea of harming someone so grievously via. a quarter century in jail rather than breaking some silly standard practice are incomparable alternatives. I can't even imagine hesitating on trying to decide which to do, much less deciding the other way.

    I can't even come up with a way to refute this, its just outside my moral universe. I hope they were just trying to be obnoxious to me and didn't actually mean they really would do this.

    Rose Montague said...

    CD-Host,
    I believe you left off this one regarding PMF. CD-Host's argument is invalid because we don't like CD_host. He is a bad person who said a bad thing, don't listen to him. Let's dig up some stuff on him that will make his arguments invalid.

    CD-Host said...

    No it was worse than that. The clear intent was a violent threat: shut up or we are going to go after you. There is plenty of embarrassing stuff that CD-Host has said, if the intent was just to embarrass so obviously the intent is more than that.

    CD-Host tried contacting Michael about this two days ago to make it clear I considered this play out of bounds. He laughed it off. So I'm taking the threat at least semi-seriously. There aren't that many ties between CD-Host and (Real Name) which means Jools did a pretty good job of intelligence gathering. Given that she is a foreigner active in an anti-American movement that has domestic ties....

    CD-Host doesn't have real life children that could be targeted, CD-Host doesn't have information access to medical systems that if stolen could put lives at risk. CD-Host doesn't have information on his systems that would be of value to terrorists. (Real Name) does. The only person dealing with Amanda Knox is CD-Host. They have no political reason to be going after (Real Name) who is a private person not involved in anything news worthy except for about a 2 dozen articles / press releases in the computer realm which doesn't concern them. Ergo there reasons are not political in the traditional sense.

    So I consider that a violent threat not a an argument. Its worth taking all those kinds of threats seriously but at this point I'm not responding to it in any substantial way.

    CD-Host said...

    Rose --

    Actually I just talked to the other managing partner and junior partner in (my company). If we are going to be "outed" might as well do it on our terms. One of the services we had been informally pushing was forensic investigation (mainly internal investigation, though we would take civil & white collar crime). We could do a press release on that, being critical of Encase for more than a 1st pass solution.

    I'm hesitant to tie ourselves directly in anyway to a foreign murder investigation since:

    a) We don't do foreign
    b) We don't do violent crime

    My clients mainly want their money back or the accounting right. They don't care too much if the guilty are punished. Which is the kinda the opposite in violent crime. In the Kercher murder, no one is focused on the £300 missing. If it were more like £3,000,000 and everyone was worried about that and not the dead British kid; or more realistically there was no dead British kid. that's more the sort of thing we would solicit.

    But if PMF were to tie us to this case, well hell controversy is publicity. As (real name) I could troll for interviews I can't do as CD-Host. So I'm starting to get more comfortable with this, but I don't like being forced. Well the ethics of outing are controversial, when S. Irene Virbila outing by Noah Ellis came up people compared it to a sort of internet rape, others found that analogy extremely offensive though most agreed it was immoral.

    So there may be a silver lining. That being said the ethical thing would be for them to just delete all those posts and keep saying nasty things about CD-Host and leave it to that.

    CD-Host said...

    I hate to keep harping on this poor me thread but this post by Skeptical Bystander, a moderator on PMF not just a member takes the cake:

    I hope it does the same thing with regard to cyber-bullying, especially when it takes the form of posting the real names and addresses of posters whose only crime it to express an opinion and who are exercising their right to do so using a pseudonym. I notice the bullies don’t use their real names when they “out” others. Why is that?

    Margaret Ganong (who posts as Skeptical Bystander and, when that name is not allowed, as Lectrice or Lectrice56)
    link. (I should say I don't know the truth of this claim and Margaret Ganong was involved with this case in support of perugia-shock).

    How much more clear cut does hypocrisy have to get?

    Rose Montague said...

    It's their habit to attack the arguer as much or more than the argument. They have done the same with Kevin Lowe and London John and even managed to get the history for the wrong Steve Moore and Bruce Fisher.

    There are a few posters that I respect on that board and it surprises me that none have spoken up about this.

    CD-Host said...

    It's their habit to attack the arguer as much or more than the argument.

    There are a few posters that I respect on that board and it surprises me that none have spoken up about this.


    They very rarely attack arguments. Most of their stuff is just argumentum ad hominem. Frankly its all they really do. Look the moderates encourage it, who is going to speak up? "The Bard" does little more than personal attacks.

    I posted a safety warning about a site they were talking about (pirate site linked to a group well known to be into carding). The warning was met with a round of "fuck you" a few posters commented they thought "fuck you" was probably not the right response to a sort of thing and the consensus was they were mistaken. That incidentally is what provoked Jools into crossing into incitement / personal threats since I wasn't upset by the "fuck you" dialogue.

    They really are an awful group. Like a lot of cults, there might be decent people in there if they got away from the cult but for now they are just a public menace.

    Anyway the thing was about this attack they weren't attacking the arguer but an uninvolved 3rd party. CD-Host is the arguer not (real name). As a result of attacking an uninvolved 3rd party they may have changed that, that's how I see this whole thing at least.

    For example if they had attacked CD-Host for the positions I took in my attacks on Doug Phillips that would be attacking the arguer. Thinking back on it PeterQ in my dialogue on IMDB was threatening all sorts of legal action, I just considered it laughable. I'll give Jools credit, I didn't think her attack was laughable.

    But PMF is basically scum. Since they consider Meredith a virtual saint I wonder how they think this sort of scummy behavior honors her memory.

    Otheus said...

    On the eve, or perhaps penultimate eve, of the appeals decision, I couldn't help ruminating about this case. As an IT guy, I do system UNIX admin, have a MacOS-X system at home, and have in the past done driver development for FreeBSD and Linux. So I'm relatively well position to understand the details of the topic, but I have to say, I don't follow your reasoning or technical explanations here.

    First, I couldn't find a translation of the expert testimony of the computer investigator. Is it his testimony that he use encase and nothing else? Does he have credentials for working with this kind of computer? Further, it is extremely unusual that hard drives will be damaged beyond repair; damage to the circuity can easily be overcome with a simple platter transfer. Was there no follow up of this matter, including re-analysis of the Macs contents ( the prosecution did make a frozen copy of the drive, did they not?)

    Second, Mac an BSD keep a plethora of
    Logs on various activities. There should be clear Evidence that the computer was suspended, put to sleep, or even entered screen saver mode. I saw nothing of these details, which is very very odd.

    Third, am I correct In understanding that The logs you me
    mention would be interesting for indicating positive interaction, but an absence if log activity would not indIcate a lack of human interaction?

    Is it correct that since the computer was not recovered for several days after the slaying, that subsequent an normal activity would likely "mask" earlier activity, an so for the investigator to make precise determinations about times and so forth, either he is looking at logs, or he is looking at the timestamps of files which were ONLY accessed / modified during that time? Did the investigator note what particular data he used to establish his times?

    Assuming RS used Safari ( as opposed to IE, Chrome, Firefox or Opera or perhaps even lynx), would there be cache and cookie droppings to indicate his self professed web surfing, or would that data have been obliterated by the time the computer was seized?


    To sum, is the lack of evidence due to technical reasons, lack of human activity, or
    Lack of competence on the part of the investigator?

    CD-Host said...

    Otheus --

    Welcome to the blog. Let me start off by saying I'm way out of date on this issue at this point. This article was accurate when written I have no idea what its status is now.

    I've never been able to get a full copy of what the prosecution did or didn't do. But no, there does not appear to have been a low level copy done.

    Second, Mac an BSD keep a plethora of
    Logs on various activities


    That depends on what he was doing. More importantly where those logs are depends a great deal on what he was doing with his system. That's really the key issue. If he were using the computer in a desktop sort of way, the prosecutions case makes sense. If Raffael were using it strictly like a BSD then it doesn't.


    Further, it is extremely unusual that hard drives will be damaged beyond repair; damage to the circuity can easily be overcome with a simple platter transfer.

    I agree with you. Yet somehow the prosecution destroyed 3 of the 4 hard drives on different laptops, in this case.

    Third, am I correct In understanding that The logs you mention would be interesting for indicating positive interaction, but an absence if log activity would not indIcate a lack of human interaction?

    That is correct. And they show human interaction.

    Did the investigator note what particular data he used to establish his times?

    Yes, modification time stamps in the directories was what was used.

    Assuming RS used Safari ( as opposed to IE, Chrome, Firefox or Opera or perhaps even lynx), would there be cache and cookie droppings to indicate his self professed web surfing, or would that data have been obliterated by the time the computer was seized?

    Yes there would have been activity. But...

    If he used lynx the way most Mac people install it, none.
    If he used Fink or Darwin ports Firefox (Firefox X11) none.
    If he used edbrowser, emacs, arora, epiphany, galeon, httrack, netrick...
    the information would have been in places like /opt/local/var or /sw/var which they wouldn't have checked.

    To sum, is the lack of evidence due to technical reasons, lack of human activity, or
    Lack of competence on the part of the investigator?


    Lack of interest / desire to do a good job. Possible desire to railroad. And a lack of competence in handling a developer's computer and understanding that normal desktop procedure should not be followed and instead this should be treated like a server investigation.

    Otheus said...

    Sollecito and Knox have been found not-guilty in the appeal. However, the computer forensics case is still of interest to me.

    Reading more deeply into the Massei report (the summation of the original court decision, http://www.beforeyoutakethatpill.com/2011/3/Massei_Report.pdf), the computer was obtained 12 days after the crime, the investigators used Encase 6.7 and Write Protect from Logic Cube were used to clone, and Encase 6.8 to analyse. Sollecito's Defense were handed a copy of the disk. They verified the computer's CMOS date/time matched local time, an important first step to take. File activity was detected to have been used by Firefox.

    The film they watched, Ameile, is associated by two times:

    * 18:27:15 when the VLC program was launched

    * 21:10:32 is last updated with the access time stamp.

    But this later timestamp represents the last time the file was *opened*, not the last second it was *read from*. So unless the VLC program is constantly opening/closing the file, this is the last time the program was used to open the file for reading.

    The experts testify that according to the Encase manual, the access-file timestamp could be updated by such actions including right-clicking on a file, or the conclusion of viewing a video file, the termination of playing a file.

    I don't think Encase is correct here; at least with Linux, that timestamp is not updated on a close.

    On page 304 of this report, the officers conduct a trial experiment using a virtual machine with the hard disk image loaded; they play the movie and compare timestamps. I'm looking at their conclusion and scratching my head, because that conclusion seems to conflict with their evidence. Mind taking a look?

    Otheus said...

    Just a follow-up. I just read something from the Massei report I've not read repeated in the press -- that the Defense analysed the computer usage and (the Court agreed with this) found that there was definite human interaction at just before 1am -- when QuickTime or iTunes was opened, triggering a very brief Internet surfing operation on Apple's international website.

    I wonder why this hasn't been made more of -- probably because it generally corroborates the Defense's alibi, even though the Court itself found it of no consequence, since Kercher's time of death was likely before 1am.

    CD-Host said...

    In terms of your first comment that's why windowserver is a useful log. It reacts to things like interaction or running program errors, it doesn't require a file being opened or closed. So something like a pause of VNC might have created log but not changed the access time on a file.

    Given that the court has ruled that Amanda and Raffaele definitely did not commit the murder its possible the defense log argument will be part of the ruling.

    I wonder why this hasn't been made more of -- probably because it generally corroborates the Defense's alibi, even though the Court itself found it of no consequence, since Kercher's time of death was likely before 1am.

    There is no question her time of death was well before 1 am. To even get her time of death as late as 11:00 rather than the ME's 9:00-9:30 the prosecution needed to assert the ME botched the autopsy.