Computer Forensics

The subject has stated in interviews that he did not keep these objectionable files. He admits that he may have down loaded them inadvertently as a batch through Lime Wire and that those he found objectionable he immediately deleted. What sort of puzzles me is that ALL the files they found were in unallocated space and what corroborates his story is that the created, last written and last accessed times are all the same. i.e.

C\Users\Owner\AppData\Local\Microsoft\MediaPlayer\ArtCache|LocalMLS\{CLISD number}.jpg File Created 7/14/08 08:34:17am Last Accessed 7/14/08 08:34:17am Last written 7/14/08 08:34;17am

The next file will have either a different date and time or just a different time but in all cases the date and times are all the same. If I was looking at this in a Windows GUI in real time in allocated space I would say it was created but never looked at again....

Graphic files carved from unallocated areas are almost impossible to attribute date and time information to, however since the investigating team have done so, they must have a good reason for doing so especially if the date and times given are inconsistent with the seemingly associated movie files. This inconsistency could be explained by an unfaithfully maintained system clock so your assertion that the files could not have been accessed at the stated time (i.e. after seizure) relies on the accuracy of said clock.

It may be the case that the cached Art files are 'lost' or 'orphaned' files and hence the attributed timestamps and full paths being quoted. Their existence and provenance as Windows Media Player Art cache thumbnails suggests that they have been created as a result of their originating movie file having being viewed/played using Windows Media Player.

If you are suggesting that the investigating team...