DNA Lounge update

DNA Lounge update, wherein we officially own a pizza restaurant. Also photos.

Vaudeville Ventriloquist Dummy Portraits

Your nightmares thank me in advance.


Mork keeps on giving: When the database worms eat into your murder trial

You may recall that back in 2004, I tried to extract the recently-visited URLs from Mozilla's history database, re-discovered some major, major insanity, and did some colorful swearing. See "When the database worms eat into your brain", the halfassed perl script I eventually came up with, RESOLVED WONTFIX bug 241438, and where it all started, "Netscape Mail Summary Files", 1998.

(For some reason, one of the wikitards thought that this bug report was of such significance to the Global Repository of All Human Knowledge that there's an entire sub-section on my Wikipedia page about it. I spent perhaps a grand total of 24 hours of my life thinking about this -- ok maybe 25 by now -- and this is what gets memorialized? WTF. Seriously. W the F.)

Anyway, you may be interested to know that seven years after that bug report, and thirteen years after it should have happened:

@chrisblizzard 5 Jul 2011
I'm told that the last of mork has been excised from the Mozilla tree. (this is kind of for @shaver, but really for @jwz)

But what brings us here today is a gentle reminder that when you write code this bad, you can actually kill people.

I'm leaving the DB-dump images in the following quote as a reminder of just how insane this code was. Think of these as skulls on sticks at the edge of the wasteland, saying "Never pass this way again".


Digital Evidence Discrepancies -- Casey Anthony Trial

The digital forensic evidence in this case is of particular interest to me as it involved the recovery and analysis of a Mozilla Firefox history database. The Internet history records within this database turned out to be extremely important to the prosecution case as the existence of Google searches relating to "chloroform" and other possibly relevant records prior to the child's disappearance could have indicated premeditation. This, of course, could have meant the difference between a conviction for murder in the first degree and manslaughter if found guilty. The State of Florida also has the death penalty as a punishment option for capital crimes.

During a keyword search of Anthony's computer, a hit was found for the word "chloroform". The hit was identified in what appeared to be a Mork database belonging to Mozilla Firefox. The file was identified as residing in unallocated clusters, and rather surprisingly, is reported to have been intact. Furthermore, all of the blocks belonging to the file were said to be contiguous. [...]

He pointed out the discrepancy between the first analysis the sheriff’s office did that showed one visit to a website about chloroform and an analysis done later with a second program that appeared to show 84 visits. However, according to Baez, the first report showed a progression that made it clear that the 84 visits were actually to MySpace. This was a major discrepancy with critical digital evidence presented in an extremely serious trial. [...]

The Mork record containing "http://www.sci-spot.com/Chemistry/chloroform.htm" is identified as record 174EF. The Index record from the original file is highlighted and shown in Figure 10 below.


Figure 10

The entire record is contained within square brackets. The highlighted line above shows the full record. The first field 82 ("URL") is stored in cell 27F4B, as shown in Figure 11.


Figure 11

The second field 84 ("LastVisitDate") is stored in cell 27F4C, as shown in Figure 12 (2008-03-21 19:16:34 UTC / 2008-03-21 15:16:34 Local Time). Once again, this integer represents the number of micro-seconds from the 1st January 1970, 00:00:00 UTC.


Figure 12

The third field 85 ("FirstVisitDate") is stored in cell 27F4C. This is the same cell value as for ("LastVisitDate") and indicates this is the first visit to this web site during the scope of the current recorded history. The First and Last visit times are the same.

The fourth field 83 (“Referrer”) is stored in cell 27F49, as shown in Figure 13.


Figure 13

There are two critical points to make with this record. Firstly, there is no field 86 ("VisitCount") therefore this URL has only been visited once (not 84 times). This is further corroborated by the fact that field 85 ("FirstVisitDate") shows the exact same date/time as the "LastVisitDate". The second point is that the visit was recorded at 15:16:34 hours (local time) and NOT at 15:16:13 hours as was stated during the trial (from the report produced by the second forensic tool).


(Let me emphasize that those images above are not hex dumps or something: that's the actual, literal text of this file format!)
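
The record layout walked through in the quote above, as an added Python example (not code from this post or from the quoted analysis): it resolves a bracketed row of (^column^cell) references against a cell dictionary, converts the microsecond timestamps, and treats a missing field 86 as a single visit. It covers only this simplified subset of the format; the referrer value, the second row and its A00x/B001 ids are constructed, and a decimal VisitCount is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Column ids as named in the quoted analysis.
COLUMNS = {"82": "URL", "83": "Referrer", "84": "LastVisitDate",
           "85": "FirstVisitDate", "86": "VisitCount"}

# Constructed cell dictionary. Cell ids 27F4B/27F4C/27F49 and the URL come from
# the quoted analysis; the referrer value and the A00x cells are placeholders.
CELLS = {
    "27F4B": "http://www.sci-spot.com/Chemistry/chloroform.htm",
    "27F4C": "1206126994000000",  # microseconds since 1970-01-01 00:00:00 UTC
    "27F49": "http://referrer.example/",
    "A001": "http://www.myspace.com/",
    "A002": "84",
}

ROW_RE = re.compile(r"\[([0-9A-F]+)((?:\(\^[0-9A-F]+\^[0-9A-F]+\))+)\]")
CELL_RE = re.compile(r"\(\^([0-9A-F]+)\^([0-9A-F]+)\)")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_row(text, cells=CELLS):
    """Resolve one bracketed row of (^column^cell) references into a dict."""
    m = ROW_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("not a row of (^column^cell) references")
    row = {"id": m.group(1)}
    for col, ref in CELL_RE.findall(m.group(2)):
        # An unresolved cell id raises KeyError: better to stop than to guess.
        row[COLUMNS.get(col, col)] = cells[ref]
    for key in ("LastVisitDate", "FirstVisitDate"):
        if key in row:
            row[key] = EPOCH + timedelta(microseconds=int(row[key]))
    # Field 86 is simply absent for a single visit, so report the count as 1
    # and record that it was inferred rather than read from the file.
    row["VisitCountExplicit"] = "VisitCount" in row
    row["VisitCount"] = int(row.get("VisitCount", 1))  # decimal is an assumption
    return row


if __name__ == "__main__":
    # Row 174EF as described in the quote, then a constructed row with field 86.
    for line in ("[174EF(^82^27F4B)(^84^27F4C)(^85^27F4C)(^83^27F49)]",
                 "[B001(^82^A001)(^86^A002)]"):
        print(parse_row(line))
```

Keeping the "explicit versus inferred" flag next to the count lets a report show which numbers were read from the file and which were defaults supplied by the tool.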

Previously, previously.
