I examined the drive images acquired from two hard disk drives obtained from police investigating the fires. Using commonly accepted computer sciemc forensic procedures and standards, I determined that a person using the homeowner’s computer from the homeowner’s residence dialed into the homeowner’s email account at 3:50 a.m. the morning of the fire. The session lasted just over eight minutes. While logged into the homeowner’s AOL account, the person used the homeowner’s screen name to send an email message to another woman. Artifacts on the defendant’s hard disk drive indicate her computer had accessed the victim’s AOL account and viewed numerous emails involving this other woman’s email address. The day after the fire, a major event occurred on the defendant’s computer, possibly involving reinstallation or repair of the Windows Operating System. The computer showed a new file creation date as of that date, yet several documents and settings folders retained the original Windows installation date.
Usually, when the Windows Operating System is repaired or reinstalled over an existing installation, the system file creation dates like the Master File Table and other system files do not change from the dates that the operating system was originally installed. In this case, the file creation dates were reset, which would indicate a new Windows installation. However, a new Windows installation would also reset the file creation date for the documents and settings folder, the folders for each user account, and the files storing the various registry hives. This is not the case, as all these folders and files have maintained their original file creation date. Without knowing exactly what was done to this computer it is hard to explain the inconsistencies in the file creation dates. On the other hand, there was at minimum an attempt made to reinstall or repair the Windows Operating System on the defendant’s PC the day after the fires. The attempt may have been prematurely terminated before all the system files were updated.
The expert has conducted numerous computer forensic examinations in more than 30 years in the industry. He has qualified to testify in numerous state and federal courts on computer forensic issues.
