Friday, July 04, 2014

The Status Of The Various Computers In The Case And Whether Anything Nefarious Happened To Them

Posted by Sallyoo



Trial court 2009 on one of several days computer and internet activity was testified to

1. Computer use as high-stakes evidence

There have been many arguments about computers during the case.

They began at the very beginning, and there is even now, in the final appeal by Sollecito to the Court of Cassazione, one remaining somewhat fantastical theory.

The facts surrounding the computer evidence collected by the prosecution have been obfuscated and contradicted by the defence using exactly the same techniques as have been used about the DNA and other forensic evidence in the case.

Blind the court (and the public) with hypotheses which very few people can follow, and use this ignorance to spread confusion and doubt.

Let’s try to shed some light.

2. Five key computers, plus

We know that Sollecito is pretty familiar with computers; he had two at the time, a MacBook and an Asus [1], both portables. [2] His apartment had a decent broadband connection, supplied by Fastweb (using the Telecom Italia infrastructure).

We know that both of these computers were sequestered from his apartment on the morning of Nov 6 2007, when Sollecito accompanied a squad of policemen despatched to search his apartment.

We know that the police removed (on Nov 7) from the house in Via Della Pergola (where there was no telephone nor broadband service) a MacBook belonging to Meredith, a Toshiba belonging to Knox, and a portable computer belonging to Laura Mezzetti.

The police also took an HP portable from Lumumba’s apartment.

There is even another computer which the police already had possession of, and that is a Sony portable belonging to Filomena Romanelli. Filomena herself had taken this computer away from her bedroom shortly after the discovery of the murder, and the questura, in the evening of Nov 2, required her to hand it over to them because it formed part of the ‘crime scene’.

3. The police HD analysis begins

On Nov 13 a postal police technician (Marco Trotta) received a box containing five computers (two from Sollecito and one each from Knox, Meredith and Lumumba).

On Nov 15, in the presence of Formenti (a consultant nominated by the defence), Trotta took them apart (removed the hard disks) and attempted to make copies of the data recorded on them.

This is the point at which it is alleged the destruction of three hard disks occurred.

It is difficult to believe that this is the case. Not only because the equipment used had never before (or since) managed to trash a hard disk (and it had no problems with Lumumba’s disk) but also because of the state of Filomena’s computer, which never got anywhere near Trotta.

All of the computers had of course been in the hands of the squadra mobile for some days before being consigned to Trotta, allowing for the possibility of some earlier interference by some malfeasant policeman.

This isn’t likely, not only because Trotta insists that the computers were complete and superficially undamaged, and the hard disks factory sealed when he dismantled the computers, but also because of Filomena’s computer.

4. Filomena’s Sony machine

It is now time to go a little deeper into the history of Filomena’s Sony.

This was a fairly new machine, which she kept in a substantial computer carrying case. It was working perfectly on Oct 30 when she last used it. She had left it in her bedroom, the case standing upright beside her bed, when she went off to spend the brief holiday with her boyfriend.

She found it, still in the carrying case, lying flat in a pile of stuff under the broken window of her disturbed bedroom. [3]

The defence commissioned a Computer Expert Report, entered during the Massei trial, which talked about the reason for the data being irrecoverable on the three computers’ disks.

Their conclusion was that the electronic circuitry controlling the hard disks had, in all three cases, suffered damage, most probably due to an electrical overtension. The circuitry had been ‘fried’.

They were unable to be certain how or when this might have occurred, or to opine on whether it was deliberate.

Filomena, in the presence of Gregori (another communications police officer), attempted to turn on her Sony at the Questura on the evening of Nov 2. It wouldn’t work. The hard disk would not respond properly.

When she got it back on Dec 18 and gave it to a private computer technician, he said the control circuitry on the hard disk was ‘fried’. Exactly the same fault as had occurred on the other three, which we are expected by the defense to believe was either a deliberate piece of police sabotage, or proof of police incompetence.

5. The Sollecito computers

The important computers, of course, are those owned by Sollecito because he is, even now, still trying to force an alibi out of them.

The MacBook has been accurately interrogated to death, most particularly by a defence expert named Antonio d’Ambrosio who gave very clear testimony at Massei on 26 Sept 2009.

He was even generous enough to acknowledge that the investigations carried out by the postal police were correct, and well interpreted, and that he was able to uncover a little more information simply because he wasn’t limited by forensic protocols (and could therefore reveal information not visible to the Encase software used by the police) when he examined a copy of the cloned disk from the Mac.

Basically the only ‘news’ in this interesting testimony was an interaction with the Apple website at 00.58 on Nov 2, which he did consider a human interaction with the computer. 

6. Activity on the Internet

Sollecito maintains he spent the whole evening and night in his flat. At first his story was that he was sending e-mails and surfing the web. This was quickly demolished by reference to the IP log supplied by Fastweb, the broadband supplier.

It’s necessary to get slightly technical here.

Most of what we call The Internet, and certainly everything which is called The Worldwide Web, including e-mail clients, subscribe to a protocol which (in shorthand) means everything is a Port 80 request.

The individual computer, via its router, contacts the ISP (Fastweb, in this case) and identifies itself by means of a unique IP address. The ISP then directs the communication to the IP of the website requested.

This is all recorded on the Fastweb network. It is certain that no Port 80 requests were made from Sollecito’s apartment (whichever computer he may have been using) between 18.00 on Nov 1 and 00.58 on Nov 2. 

There are parts of the international communications network which don’t use Port 80 protocols. The most ‘innocent’ of these are Peer to Peer (P2P) networks - in widespread use for distributing and downloading music and video files.

Sollecito certainly availed himself of these services, using a program called Amule on his Mac. He had a folder containing downloaded files, which was accessible to the program, and thus also accessible to anyone in the world who wanted a copy of something which Sollecito had in this shareable folder on his computer.

If he wished to save the file for posterity, he would move or copy it from this accessible folder into his own archive.

Video files are large, and they take a long time to download. Clearly, to download a file, or to make your publicly accessible folder available, the computer has to be turned on and connected to a router.

If you use these file sharing services extensively, it implies that you keep your computer turned on and connected all the time. It seems likely that this was Sollecito’s habit.

Clearly, you need to automate this sort of transfer - often a large file will be accessed in part from one remote computer, and another part will be located on another remote computer - so you simply instruct Amule to get you a film, or a list of films, and you can walk away from the computer.

Even D’Ambrosio is unable to be certain that a human interaction occurred at 21.26 on Nov 1, or whether a pre-requested download of Naruto commenced.

However, no IP addresses are exchanged when connecting to a P2P network, and so it is impossible (from ISP records) to trace any traffic.

It is possible though, from the hard disk, to discover what has been downloaded and saved to a computer on a P2P network, and exactly when - but to distinguish an automated process from a user instigated one is not possible.

7. Computers and Hellmann appeal

Now we move onto the Hellmann appeal, where a report from this same consultant D’Ambrosio was accepted into the case files. I haven’t been able to find this report, and Judge Hellman doesn’t even refer to it in his sentencing report.

However, the gist of this D’Ambrosio report is included in the current ricorso (appeal) from Sollecito to the Court of Cassazione.

8. Computers and Cassation appeal

We hear a bit about screensaver behaviour, and quite a lot about post Nov 1 interactions overwriting earlier actions.

The major ‘fresh’  theory now depends on asserting (more than four times in the ricorso) that the postal police destroyed Sollecito’s Asus, and that this action has meant that Sollecito’s alibi cannot be proved.

The lack of any signs of interaction on the Mac can be explained (so we are informed) by the Mac and the Asus being networked together, using a file sharing utility named Samba, and if the (broken) Asus could have been accessed it might have shown that it had been controlling the Mac.

So the Mac would have been doing things at the command of its owner, but because the owner was interacting with the keyboard of the Asus rather than that of the Mac, these actions are undetectable on the Mac.

This is what we are now being asked to believe.

9. Conclusion and way forward

I think this is an accurate summary of the relevant parts of ‘computer evidence’ discussed, or deposited, during the hearings and in the ricorso.  I look forward to any comments, clarifications, corrections, but above all, to any new theories about how and when the four hard disks got trashed.

From other sources there are an additional two hints at possible new or ignored evidence:

The BBC reported, on 14.03.2009, the following sentence. “A second computer belonging to Mr Sollecito also showed no activity but the suspect had himself admitted it had been broken before the crime was committed.”  [4]

And then we have Sollecito, in his prison diary of 11.11.2007, being rather more than aware that his computer is not going to be useful to him as an alibi.

I have been very anxious and nervous in the last few days, but to see my father who tells me “do not worry, we will get you out” makes me feel better. My real concerns are now two: the first one derives from the fact that, if that night Amanda remained with me all night long, we could have (and this is a very remote possibility) made love all evening and night only stopping to eat… it would be a real problem [casino] because there would be no connections from my computer to servers in those hours…

No connections in those hours? Hmmm.

10. My references

[1] This computer is sometimes referenced as an Acer. In Trotta’s testimony (he is reading from notes) it is listed as an Asus, so I have used this name. There is only one computer whether it’s an Asus or an Acer.

[2]  There is a reference to a non portable computer in Sollecito’s apartment (in the testimony of Popovic). This is the only mention of any non-portable (i.e. desktop or tower cased machine with separate monitor).  Given the position from which Popovic saw the screen (on a desk, with Knox sitting in front of it) it seems likely that she was mistaken.

[3]  Amanda Knox frequently refers to seeing Filomena’s computer on her desk after the ‘break in’. At one point in her testimony she changes her mind and corrects herself to change the computer to camera.

[4]  http://news.bbc.co.uk/2/hi/uk_news/7943828.stm I have not found another source for this comment.

Comments

Great post Sallyoo. We needed this. It’s pretty hard to fry the platters, it’s usually the hard-wiring that goes. Did they get data off any of the platters?

Notebooks in November in Italy makes me think. Look at what is around: http://italianalmanac.org/06nov/lightning.htm

I have used UPS’s with a battery for workstations and also notebooks (not those $10 items) since a spike fried one of my drives years ago. I clone all drives in use weekly too.

This storm in Italy below was in November though it was further north.


Posted by Peter Quennell on 07/04/14 at 07:11 PM | #

Two reasons why (in my opinion) lightning doesn’t enter into this particular computer frying.

Firstly, Filomena’s computer was parked in its case (as far as we know) and Sollecito’s Asus wasn’t at Via Della Pergola (as far as we know).

Secondly, an overtension on the supply side would fry other bits too, not selectively the hard disk circuitry.

Yes, the data was finally retrieved from all of the trashed hard disks. Nobody has ever mentioned this in court as far as I know.

Posted by Sallyoo on 07/04/14 at 07:44 PM | #

If the data has been retrieved then look for more leaks to occur as we get closer to extradition.

The FOA seems to think that the Italians don’t care whether they are maligned or not which of course is stupid. No country any more than anyone else accepts this kind of negative press.

In this case though, and as I have said before, trashing Italy by lying about it and denouncing the Italian Jury system, never mind the cops, plus maligning the court, the jury system, the forensics, the autopsy reports or anything else the FOA can conceive of only makes the Italian Law enforcement more dedicated in getting everything right. They may be slow but they will leave nothing to chance.

Knox will be pilloried and exposed for the murderer she is. Plus Curt Knox and Chris Mellas and of course the infamous P/R effort to malign Mignini among so many others.

The P/R thing was a very very stupid idea to begin with since it kept Knox in the public eye.  Curt Knox, by his very history, obviously saw $$$ because of the book and perhaps movie rights. That has come to bite him. Not smart at all.

Anybody with eyes to see or ears to hear with knows that the worm has turned.

Posted by Grahame Rhodes on 07/04/14 at 08:17 PM | #

Thanks for making all this clear Sallyoo…I was slightly puzzled before!
If the data was eventually retrieved, that should be that anyway.

Posted by SeekingUnderstanding on 07/04/14 at 09:38 PM | #

The data was retrieved by the defence, and afaik the data (not the retrieval) has never been made public. (Which made Grahame’s comment about a potential future leak quite interesting).
I would be delighted if someone could help me find a reference to the data having been retrieved. This information is out there from an unimpeachable source (not press) but I haven’t researched it recently (will do tomorrow, because it is important).

Posted by Sallyoo on 07/04/14 at 09:58 PM | #

Okay, the successful recovery of the data from the hard disks of Sollecito’s Asus and from Meredith’s Mac is covered in the Computer Expert Report signed by Marco Angelucci and addressed to Avv. Della Vedova. (31.03.2008). The complete report is found here

http://www.injusticeinperugia.org/computer_consultant_report.pdf

The attempt at data retrieval from Knox’s Toshiba (according to this report) was less successful.

Posted by Sallyoo on 07/04/14 at 10:31 PM | #

Hi Sallyoo

You do make a very good case for the damage not being deliberate. We needed that as conspiracy claims are out there by the dozen. Beats me what could be on any of the drives that would make any difference now and that is not on the internet.

Some questions:

1) Why were the drives removed to clone? Surely there’s a good reason, but I wonder why.

I ask because I clone drives several times a week, I prefer that to incremental backup, using eSATA now for notebooks and removable hard drives that go in the front slot of workstations at home and work and then get squirreled away. And yet never even one problem (with Acronis software) in years.

2) How did the girls connect to the internet if they had no landline phone? Did they use mobile phones?

3) Was RS paying for movies downloaded? When you say peer to peer you mean bit-torrent? Content providers are pretty good at tracking who is using peer to peer to contravene copyright, though if he was a small-fry downloader they might not ever have gone after him.

4) For a guy “famous” for really having no close friends and no girlfriend, who were all those emails to?

5) RS failed to get on the IA course at Verona, right? Had to do a general course? Wants to program games? At his age? If freed can he look forward to a career? (Chris Mellas who has a computer business was saying Microsoft were to interview Sollecito; that went nowhere.)

You believe you saw somewhere a shot of three of the hard drives. I could get shots from Perugia but don’t see any more on the computers on the web. Even of RS at his school.

Posted by Peter Quennell on 07/05/14 at 04:35 AM | #

Here below are all the passages on the computers from Sollecito’s book - as usual he is the genius and the cops are all fools. And the lost material could have set them both free. He describes none of the computer testimony other than what is below, and the only expert name that is in both the post above and in the book is D’Ambrosio - only in the credits at the back.

Ya wanna pick the dummy up and shake him when he makes out he is oblivious to the fact that all computer activities on the internet are also kept track of “up there”. Prosecution brought in internet experts on the timings of his connections, but he leaves that out. He also leaves out that all of his email in and out would still be “up there”.  In the book he says he was doing some emails late at night proving he was home. No proof of that “up there”.

Only belatedly did the police show an interest in my computer. I suggested they turn it off and close the keyboard before carting it off, but they didn’t listen. They pulled the plug out of the wall socket and carried it away still open. I’m convinced to this day that the computer could have exonerated me completely, and probably Amanda too, if it had been handled properly. But almost all of that evidence would soon be destroyed.

At one point I was asked for my computer password. The Questura’s computer analysis software only worked with PCs, I was told, not Macs like mine. That should have raised my suspicions, but I gave them the password as instructed. I was exhausted and incapable of thinking straight.

I even allowed myself a little optimism: my computer, I decided, would show if I was connected to the Internet that night and, if so, when, and how often. Unless Amanda and I had somehow made love all night long, pausing only to make ourselves dinner and nod off to sleep, the full proof of our innocence would soon be out in the open.

If only it could have been that simple. I did not yet know that the Polizia Postale—supposedly experts in handling technology issues—had seized two of my computers along with Amanda’s and Meredith’s and somehow wrecked three of the four hard disks while trying to decipher them. The police blamed the problem on an electrical surge, although they could not begin to account for it happening three times in a row. The bottom line was that the damaged disks were now deemed unreadable. That left just my MacBook Pro to provide an alibi for the night of the murder. According to the police, it showed no activity from the time we finished watching Amélie at 9:10 p.m. until 5:30 the next morning.

That sounded all wrong to me, and my defense team’s technical experts would later find reasons to doubt the reliability of this finding. But there would be no easy way out of the mess Amanda and I were now in.

My father hired consultants to report on my computer activity on the night of the murder, other consultants to look at the shoe-print evidence, and yet more consultants to go through the coroner’s report and assess the likelihood that any of my knives could have produced the fatal wounds.

A computer expert recommended by Luca Maori didn’t know anything about Macs, only PCs.

We met in one of the public rooms used for family visits and interrogations. I used a blackboard there as a projector screen. The police and prison staff were no doubt baffled by my presentation; my thesis was on genetic programming, a way of using computers to mimic the generational changes of Darwinian natural selection and process mountains of data to solve complex problems. Just one of my professors, Alfredo Milani, asked a question; the others seemed unsure if they were allowed to speak.

My family’s reaction to Gioffredi was that he was just another pestamerda, an annoyance much like Kokomani, whom we could swat away with relative ease. It didn’t take long for one of the computer consultants hired by my father to establish that, at the exact time Gioffredi said I was meeting Amanda and Meredith and Guede, I was in fact at home, on my computer, reading and taking notes on a complicated genetic-programming paper I was reading for my thesis.

All of us knew from the beginning that Maori had doubts about taking on the case. We chalked it up to his uncertainty about Amanda, which my family understood and largely shared. To be fair, the issue was not just whether I was innocent. The longer the case went on and the more rulings went against me, the greater the risk to Maori’s reputation and career in Perugia. Still, we had to wonder, if he had this little faith in me, why had he gotten involved at all?

Papà told him about the data from my computer [what data??? it was meant to have been destroyed] but still Maori was skeptical. “Why don’t you let me see it?” he asked.

My father didn’t have the data with him, but he said his brother, Giuseppe, could fax it over.

They mentioned nothing positive about the relationship. No word on Meredith and Amanda’s socializing together, or attending Perugia’s annual chocolate festival, or going to the concert on the night Amanda and I met. If either Meredith’s or Amanda’s computer had survived the police examination, there might have been photographs, e-mails, and other evidence to point to a more meaningful interaction. Instead, the girls’ testimony only served to drive them apart.

By early October, we were ready to petition the court for an independent analysis of the prosecution’s most important data: the DNA evidence, the autopsy results including the estimated time of death, and the computer analysis that had burned through three computers and potentially compromised a fourth.

Posted by Peter Quennell on 07/05/14 at 05:36 AM | #

In response to some of Peter Quennell’s questions:

1:    The police have to be very careful not to write anything to a hard disk which is going to be used as evidence, so they remove the disk from the powered down machine and attach it to the police computer (which is running the Encase software) via a device named FastBlock. This works like a one way valve, ensuring a forensically perfect copy.

You can be much more ‘bland’ in your treatment: I use that word because it is the word D’Ambrosio uses when he explains why the postal police got less information from the hard disks than he was able to do.

In addition, the remit of the postal police was very limited - to only examine the computer activity happening in the time period between 18.00 on Nov 1 and 12.00 noon on Nov 2, (and this is the only period for which the Fastweb IP logs were requisitioned).

2:  The girls used internet cafes or friends’ places for internet connections (Filomena’s testimony).

3:  I presume he wasn’t paying for his P2P (bit torrent) downloads. I agree that nowadays the traceability of these P2P/TOR interactions has got much more sophisticated, mainly because of criminal porn use, (and Silk Road) - but in 2007 I don’t think anyone worried about being picked up for a bit of copyright infringement!

Sollecito’s Fastweb service was ‘flat’ - he paid a monthly fee irrespective of how long he was connected or how much data he exchanged, and Fastweb did not measure or record the volume of data traffic.

4:  The only e-mails I have seen specific reference to are with Sollecito’s professor.

5:  There is, in fact, a great deal of money to be made if you can code computer games well!

Thanks for the book extracts - that’s very useful.

The unplugging of the computer (I think it’s the Mac) is covered in Sisani’s testimony. It occurred at 10.20 on the morning of Nov 7.

I must re-read the password story - it comes up in someone’s testimony.

D’Ambrosio does (to my satisfaction on a quick read) use the Mac to show that Sollecito was at home on the computer when Gioffredi claimed to have seen him in company with Guede on Oct 30. If anyone is anxious about this I could re-read D’Ambrosio’s testimony more carefully.

Finally, someone has helpfully found mention of the Asus being ‘already broken’ in testimony given on 20 Mar 2009, which aids in sourcing the BBC story.

Posted by Sallyoo on 07/05/14 at 11:54 AM | #

Very interesting, again. Clearly Sollecito missed computing 101, the part about how to back-up. Though except for his assignments, maybe nothing of importance would be there that is not also on the internet.

The devil really is in the details in this case. Points the defense forces raise that will supposedly free them are all at a high level of generality.

But Italian courts work at a level of minute detail - much more zoomed in than most American courts.

Time and again we dig here on TJMK and especially on the two PMF forums and voila there are the pesky details that belie them.

Sollecito should be confronted with these numerous open questions below to give himself any slight chance of an advantage:

http://www.truejustice.org/ee/index.php?/tjmk/C758/

But of course he and AK always run away from the questions, the great bait and switch hoaxes in this case.

He will be confronting such questions in his book trial in Florence where he will have to take the stand or lose totally. (Gumbel too.)

Posted by Peter Quennell on 07/05/14 at 01:02 PM | #

OT but today’s DailyMail online has a “world exclusive” of Knox handing James Terrano $100 in a Seattle park and doing a lot of crying. She is also photographed in a coffee shop with him, and leaves several times for ladies’ room presumably to wipe away tears. She wears pink harem pants, tank top with crosses printed on it, and a super short haircut, along with eyeglasses. The exchange of money in the park does seem odd.

See July 5th, 2014 Daily Mail online version.

Posted by Hopeful on 07/05/14 at 03:24 PM | #

@Sallyoo

Does the Mac encode ALL directories?

Looking from another angle, that the hard disk controllers have been fried can be considered a good point: the data from the hard disk is now impossible to manipulate.

Once the hard disk is cloned, it is mounted in a read-only mode and contents examined. The most useful information will come from the log files. The most recent log files will always be there.

If the hard disk controller on the hard disk has been fried, the only way to recover the data is to remove the platters and install them in an identical (good) hard disk and try to read. This is often not guaranteed to succeed.

But why did they need his password? Was the machine booted after being confiscated?

Usually a specially trained branch of police is tasked with this job.

Both P2P and TOR remain very difficult to trace, even today. Using databases, we can make intelligent predictions based on statistics only.

Posted by chami on 07/05/14 at 03:43 PM | #

Very true, chami. But we only have his word that he was asked for his password. I bet it’s not written down anywhere but at best just a verbal request. People such as these two are very adroit at muddying the waters, a talent learned very early on in childhood in order to survive what they perceive as a threatening existence.

Posted by Grahame Rhodes on 07/05/14 at 04:50 PM | #

An explanation of why the police needed Sollecito’s password for his Mac. Remember, the hard disk of the Mac was cloned without any problems.

The police attached (on Nov 27 2007) this cloned hard disk to an identical Mac computer, and instructed the ‘new’ computer to start, using the OS and data off the cloned HD. The opening screen asked for a user name and password (so we are talking about a password protected computer, on the video side, rather than password protected directories). The HD provided the police with a password hint, a combination of the maternal and paternal surnames of Sollecito, and on entering this combination the ‘new’ Mac opened up with the desktop screen as left by Sollecito when he last used the computer. (This is from Trotta’s testimony, confirmed by Trifici’s testimony.) These two policemen together with Gregori (and perhaps others) are indeed from a specialist unit of the postal police which deals with ‘communication issues’ (internet fraud and similar technical investigations).

Here is a link to the computer expert report in English (by Marco Angelucci). It goes into detail about exactly which parts of the (damaged) hard drives’ circuitry were fried. It also tells us how they recovered the data from (two of) these damaged drives. (Filomena’s technician was also able to recover her data from her damaged drive).
http://www.themurderofmeredithkercher.com/Defence_Computer_Expert_Report_(English)

Your mention, chami, of the ‘most recent logs always being available’ is important, because this is one of the main planks of the defence criticisms of using any computer evidence at all – in that a more recent access to a file can overwrite an earlier one, (and they argue that the Encase software was unrevealing in this regard). Some programs though, such as iTunes and (when enabled) browser histories will retain a record of every interaction. I believe it was the iTunes ‘library’ which confirms the use of the computer on the morning of Nov 2 about 05.30.

Posted by Sallyoo on 07/05/14 at 05:30 PM | #

Thank you..Sallyoo 😊

Posted by Bettina on 07/05/14 at 08:11 PM | #

@Sallyoo on 07/05/14 at 11:30 AM

I was talking about a different thing.

After the hard disk has been cloned, it is attached to a functional computer (does not matter whether it runs Mac, Windows or Linux) in a read-only mode. This mode allows the contents of the hard disk to be read and examined but not modified. First thing we usually do is to make another clone of the clone.

Each file is associated with three dates: date of creation, date of last modification and the date of last access (means read access). Usually only the date of creation is shown but the others are still there.

By log files, I mean the system logs that are often rotated (the oldest logfile is reused) but logfiles for the last 15-20 days will always be available without being overwritten.

For example, the system log file on my PC says:

Jul 6 00:34:04 NetworkManager[1155]: last message repeated 3 times
Jul 6 00:34:04 chami rsyslogd: [origin software=“rsyslogd” swVersion=“5.8.6” x-pid=“965” x-info=“http://www.rsyslog.com”] rsyslogd was HUPed
Jul 6 00:34:04 chami rsyslogd: [origin software=“rsyslogd” swVersion=“5.8.6” x-pid=“965” x-info=“http://www.rsyslog.com”] rsyslogd was HUPed
Jul 6 00:34:30 chami anacron[1063]: Job `cron.daily’ terminated
Jul 6 00:34:30 chami anacron[1063]: Normal exit (1 job run)
Jul 6 00:35:38 chami ddclient[1181]: WARNING:  file /var/cache/ddclient

Although cryptic, these contain a wealth of information. I see dozens of log files on my PC and the case is similar for windows. The oldest logfile on my PC is of June 18.

This technique will not work if the entire hard disk is encrypted. In that case, you must boot off the clone and you cannot mount it read-only. Still, you can copy all the logfiles into another disk or even on a pen-drive.

Posted by chami on 07/06/14 at 05:05 PM | #
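
The log-window check chami describes, as an added example that is not part of chami's comment: it parses classic syslog lines of the kind quoted above, keeps those inside an examination window, and lists the silent gaps between entries. The host name, year, window, threshold and sample lines are all constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Classic syslog layout: "Jul  6 00:34:30 host tag[pid]: message".
# The timestamp has no year, so the examiner has to supply it.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<tag>[^\s:\[]+)(?:\[\d+\])?:\s*(?P<msg>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (\d+) times$")


class Event(NamedTuple):
    when: datetime
    host: str
    tag: str
    msg: str
    count: int  # 1, or N for a "last message repeated N times" marker


def parse_line(line: str, year: int) -> Optional[Event]:
    """Return an Event, or None for anything that is not a syslog line."""
    m = LINE_RE.match(line.strip())
    if not m or m["mon"] not in MONTHS:
        return None
    try:
        when = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                        int(m["h"]), int(m["m"]), int(m["s"]))
    except ValueError:  # e.g. "Feb 31"
        return None
    rep = REPEAT_RE.match(m["msg"].strip())
    count = int(rep.group(1)) if rep else 1
    return Event(when, m["host"], m["tag"], m["msg"], count)


def events_in_window(lines, year, start, end):
    """Parsed events with start <= time <= end, oldest first."""
    parsed = (parse_line(line, year) for line in lines)
    hits = [e for e in parsed if e is not None and start <= e.when <= end]
    return sorted(hits, key=lambda e: e.when)


def silent_gaps(events, start, end, min_gap):
    """Intervals of at least min_gap with no log entry, window edges included."""
    marks = [start] + [e.when for e in events] + [end]
    return [(a, b) for a, b in zip(marks, marks[1:]) if b - a >= min_gap]


def activity_by_tag(events):
    """Entries per program tag; repeat markers count as N entries."""
    totals = Counter()
    for e in events:
        totals[e.tag] += e.count
    return dict(totals)


# Constructed sample: copied out of a read-only mounted clone in a real case.
YEAR = 2014
WINDOW_START = datetime(2014, 7, 5, 18, 0, 0)
WINDOW_END = datetime(2014, 7, 6, 12, 0, 0)
SAMPLE_LOG = """
Jul  5 17:59:10 labhost cron[2101]: (root) CMD (run-parts /etc/cron.hourly)
Jul  5 18:05:00 labhost NetworkManager[1155]: (eth0): lease renewed
Jul  5 18:05:00 labhost NetworkManager[1155]: last message repeated 3 times
Jul  5 22:40:12 labhost kernel: usb 1-1: new high-speed USB device
Jul  6 01:15:40 labhost anacron[1063]: Job `cron.daily' terminated
Jul  6 05:32:01 labhost rsyslogd: rsyslogd was HUPed
not a syslog line
Jul  6 12:30:00 labhost cron[2200]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    evs = events_in_window(SAMPLE_LOG.splitlines(), YEAR,
                           WINDOW_START, WINDOW_END)
    print("entries per program:", activity_by_tag(evs))
    for a, b in silent_gaps(evs, WINDOW_START, WINDOW_END,
                            timedelta(hours=2)):
        print(f"no entries from {a} to {b} ({b - a})")
```

A gap shows only that nothing wrote to this log during that interval; a program that does not log leaves no trace here either way.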

Great piece.  I work in IT and appreciate the explanation of the computers’ hard drive status, investigation, evidence in court, etc., in short = the truth.  Thanks Sallyoo, and the great posters.

As an aside, did anyone else have to do several double-takes to recognize RS in that photo?  I was viewing the article on my mobile device & kept wondering who that chubby middle-aged woman was.  What a catch he is, Mr. Manga Freak.  Don’t get me wrong, I love a geek, but he’s just a nerd, and a weasel, and a murderer without conscience or shame.

Posted by all4justice on 07/10/14 at 05:38 PM | #

Thanks very much all4justice. I’m not an IT person really, and certainly not a ‘forensic’ IT person (in that I have no idea about the protocols in place for a defence-proof analysis.)

chami’s comment that the system log is “gospel” worried me a bit, and I have yet to fully comprehend exactly what D’Ambrosio was saying about why the system log lacked the necessary information to support Sollecito’s alibi.

He seems to me to be saying that a piece of software in use (I deduce it is the program VLC, a media viewer which was in 2007 in beta) failed to write entries to the system log, and therefore, even though (in his view as a defence consultant) there are no system log entries, that doesn’t mean there was no interaction!

It is truly a desperate attempt to wring an alibi out of negative information. (All the above is about the Mac).

Probably the absolute killer for the more recent wild theory that the Asus was controlling the Mac, is that it was widely reported that Sollecito told the prosecutors that he had never used the Asus since July 2007. This statement must be in a verbale in the case files.

Posted by Sallyoo on 07/10/14 at 09:03 PM | #

There has been a new mention of computers in the appeal (ricorso) to the Court of Cassazione by Amanda Knox.

You will recall Sollecito’s ricorso mentioning the Asus controlling the Mac. While I think I have demonstrated this was not done (mainly because Sollecito claimed he hadn’t used the Asus since July 2007), at least the argument was logically constructed.

Knox, however, claims that Laura Mezzetti’s computer suffered an electric shock, attributable to the police technicians. Not only was Mezzetti’s computer undamaged in any way, there is no record of it ever having been looked at by the police.

To be charitable, the ricorso document might simply have confused Mezzetti’s computer with that of Romanelli - but I hope you agree that Romanelli’s computer never got the chance to be trashed by the police.

Posted by Sallyoo on 08/05/14 at 12:44 PM | #
