A forensic computer/computer electronics expert witness reviews a case involving an insurer seeking subrogation from a woman accused of burning man’s home. The defendant in this insurance subrogation action was accused of setting fire to an man’s home. Fire investigators found four distinct fires were intentionally set in the early morning. The insurance network company paid the homeowner more than $150,000 for the fire damage and living expenses then brought a subrogation case against the alleged arsonist. The insurer alleges trespass to real property, because the defendant interfered with the possessory interests of the insured in the property, and trover and conversion because, by setting the fire, the defendant effectively converted the property to her own use. The insurer alleges the destruction of the property was not previously agreed upon, was intentional, without permission and justification, and constituted a conversion. The insurer sought money it expended to compensate its insured for his loss as well as the deductible he paid.
Question(s) For Expert Witness
- What does the computer evidence in this case show?
Expert Witness Response
I examined the drive images acquired from two hard disk drives obtained from police investigating the fires. Using commonly accepted computer sciemc forensic procedures and standards, I determined that a person using the homeowner’s computer from the homeowner’s residence dialed into the homeowner’s email account at 3:50 a.m. the morning of the fire. The session lasted just over eight minutes. While logged into the homeowner’s AOL account, the person used the homeowner’s screen name to send an email message to another woman. Artifacts on the defendant’s hard disk drive indicate her computer had accessed the victim’s AOL account and viewed numerous emails involving this other woman’s email address. The day after the fire, a major event occurred on the defendant’s computer, possibly involving reinstallation or repair of the Windows Operating System. The computer showed a new file creation date as of that date, yet several documents and settings folders retained the original Windows installation date.
Usually, when the Windows Operating System is repaired or reinstalled over an existing installation, the system file creation dates like the Master File Table and other system files do not change from the dates that the operating system was originally installed. In this case, the file creation dates were reset, which would indicate a new Windows installation. However, a new Windows installation would also reset the file creation date for the documents and settings folder, the folders for each user account, and the files storing the various registry hives. This is not the case, as all these folders and files have maintained their original file creation date. Without knowing exactly what was done to this computer it is hard to explain the inconsistencies in the file creation dates. On the other hand, there was at minimum an attempt made to reinstall or repair the Windows Operating System on the defendant’s PC the day after the fires. The attempt may have been prematurely terminated before all the system files were updated.
The expert has conducted numerous computer forensic examinations in more than 30 years in the industry. He has qualified to testify in numerous state and federal courts on computer forensic issues.