A Free OSINT Lesson: Timestamps! Timestamps, You Idiot!
Just because they say they are an "expert" doesn't mean they actually are.
My father-in-law, a retired accountant, once told me, “Past performance is not an indicator of future success.” Wise words. I think we were talking about loans or the fact that I had built an outdoor shower at the cottage, and I now had to move and rebuild it. I can’t remember.
Regardless, it speaks to a fairly common event that most humans face—sucking. Not the good kind, the bad kind. Making a mistake you shouldn’t have. Assuming you had it handled, or a professional had it handled, or that expert you trusted had it handled, and they fucked up so hard that, now, there are consequences.
I think many of us, especially in the investigation/OSINT/intelligence analysis community, tend to lionize folks who work or have worked for the government, law enforcement, or the military. We assume they have some of the best training, the best tools, the best abilities, and they all generally kick ass. Perhaps we suck up to them because we need those sweet, sweet government contracts for our new OSINT tool, or we watch too many spy movies, or we think folks in uniform are total smoke shows. I’ll let you in on a little secret, though. All those hotties in their little government uniforms, well, they are just like you and me—mere mortals. Susceptible to the greatest and dumbest mistakes that make you wonder, “If they screwed this up, what other blundered skeletons exist in their closets?”
At Permanent Record, we have a criminal case that we are helping “unfuck.” You know the disclaimer: I can’t say much. But we are working with a legal team, and they have us reviewing the entire case, the evidence, the digital forensics, everything.
Just as a shameless plug here, please reach out if you are looking for help in a similar vein. We are experts at “unfucking” things.
Perhaps the most FUBAR’d aspect of this case was the forensic analysis of a personal computer from a few years ago performed by an “expert” hired by the prosecution who worked for a large U.S. federal law enforcement agency. You’ve heard of them.
At the original trial, this “expert” explained that the defendant’s computer contained over three dozen ‘Bookmarked’ URLs to various websites containing content of ill repute. Some bad shit, definitely. You can use your imagination. The worst of the worst. These bookmarks were neatly organized into sub-folders in the Bookmarks area, and the prosecution ran with it.
It looked bad, very bad. And it painted a picture for the jury.
The “expert” explained that it showed the defendant went about bookmarking all these websites, with the defence attorney objecting every few seconds, and that the defendant had a penchant for some pretty awful stuff. Moreover, the bookmarks and their sub-folders were deleted sometime later, which only made it seem worse as if the defendant was trying to hide it. They were gunning to destroy his character, and boy, did they succeed.
Fast-forward several years, and we at Permanent Record get a call from one of our favourite clients (if you know, you know) asking us to take a look at this case. The defendant, who is now in prison, has always maintained his innocence. We are told there may be some new evidence that will clear his name. We don’t know for sure. We aren’t lawyers. But we agree to go over the evidence for the client.
We get the rundown of the situation. We get a massive file dump of evidence from the original police investigation, forensics data, trial transcripts, motions, and everything else.
One key aspect of the case mentioned by our client was these bookmarked URLs and the testimony about them at trial. Was it possible that the defendant didn’t actually bookmark them? He says he didn’t.
So, I start there. I make my way to the digital forensics portion of the trial transcript and start reading over the testimony from the U.S. federal law enforcement “expert.” As I was reading, I opened up the computer forensics file that was included in the evidence. In really simple terms, the data is a giant Excel spreadsheet with thousands and thousands of data points.
Imagine if we took your computer, and every single bit of it was converted into a spreadsheet; that’s what it looks like. Now, there are tools that we will use to “image” the computer, but that is a different post, and I won’t get into that here.
So, I’m reading this “expert’s” testimony, and I get to the bit about these bookmarked URLs. I find the logs in the defendant’s computer. So far, so good. It matches. I find the neatly organized bookmark subfolders mentioned by the “expert.” I find the bookmarked URLs, roughly 30 of them, to the various websites that, if I could meet the owners of, would have no problem sending John Wick after their asses.
After an hour or so, I decide to take a break. The forensics matches the testimony and what the “expert” is saying. Not looking good.
I get a Coke Zero from the refrigerator. I take a walk around the house. I feed my cat. I stand outside on my front stoop. I look at my lawn, realizing I need to cut the grass. I ponder the existence of time and how we are all slaves to its unwavering and unbending ability to pin us down to a particular place in reality. An unmovable and unchangeable force governed by the expansion of a universe that doesn’t owe us anything and is wholly … holy shit balls! Time! That’s it!
I run back into the house, telling the grass to “go fucking mow itself,” and sit down in front of my computer. The forensic data is still sitting there on my monitor.
I must have missed it the first time around.
When the “expert” exported this giant computer forensic spreadsheet for the prosecution all those years back, he didn’t organize it by date and time. Data points that should have been chronologically next to each other? They weren’t. They were all over the place.
I look back at the trial transcript. The expert says the defendant created these bookmarks and the subfolders on February 23rd.
Back to the forensic data.
“CTRL-F.”
I type in “02-23.”
“Enter.”
Green highlights show me every single timestamp for that date as I scroll through the endless data points.
Back to the trial testimony. I find one of the mentioned subfolders and subsequent bookmarks.
Back to the forensic data. Both the folder and the bookmark were created on February 23rd at 6:05 PM.
I look back at the “expert’s” testimony and note the second folder he mentions and the bookmarked URLs.
Created on February 23rd at 6:05 PM.
Then, the third folder and bookmarks.
Created February 23rd at 6:05 PM.
It's one thing to fuck up; it's another thing to fuck up with so much confidence that you sit there, in a courtroom, on record, telling everyone someone did something bad when time itself would simply not allow them to do it.
When all was said and done, running through the forensic data, the defendant would have to create twelve bookmark subfolders, label each one, and then bookmark between five and eight URLs in each folder from many different websites in a handful of seconds.
Every single bookmark, every single subfolder, all created at exactly the same time—February 23rd at 6:05 PM.
The wild thing is that no one caught it. The "expert" himself missed it. The prosecution didn't ask questions. The defence attorney had no clue. How the literal fuck does a guy do all this in that short of time? It's impossible. Time wouldn't allow it. No hand can type that fast. Click that fast. Traverse dozens of tabs across an internet browser that fast.
So as I sat there, sipping my Coke Zero, staring at the forensic data, I asked myself, "Is it possible this expert sucked so bad that he missed something so obvious?"
He did.
I leaned forward, with the slow and lazy pace of a man who had nothing but confidence, and hit "CTRL-F."
I typed in "02-23 18:05."
And then, with some force and a bit of bravado, I slapped the "Enter" button.
I leaned back in my chair and slowly scrolled through the various green highlights in the spreadsheet.
If no man could create nearly a hundred bookmarks and subfolders in a matter of seconds, and yet they were in the data, we were left with one possible culprit. It wasn't a who, but "a what."
And sure enough, there they were.
Two data logs indicating the installation of two nasty types of malware, installed on February 23rd at 6:05 PM. They can hijack your system, and, according to multiple online security providers, create bookmarks and subfolders in a specific internet browser. Moreover, they attack a specific and vital system folder on your PC. And sure enough, at 6:06 PM, one minute later, on the defendant's computer, I found multiple logs for those files being installed.
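The triage the post walks through, as an added example that is not the author's or Permanent Record's own tooling: sort the export chronologically (the step the "expert" skipped), flag bursts of bookmark and folder creation too fast for a human, then pull every other artifact logged within a minute of the burst. The export format, the timestamps and the item names below are constructed stand-ins, not data from the case.

```python
from datetime import datetime, timedelta

# Constructed stand-in for the exported forensic spreadsheet, deliberately out of
# chronological order as the post describes. Columns: time | artifact type | item.
# The export carries no year, so strptime defaults to 1900; only the deltas matter.
FORENSIC_EXPORT = """\
02-23 18:05:12|bookmark|Folder02/site-b.example
02-21 09:14:03|browser_history|news.example
02-23 18:05:12|bookmark_folder|Folder01
02-23 18:05:12|bookmark|Folder01/site-a.example
02-23 18:04:41|browser_history|ad.example/loan-refinancing
02-23 18:05:12|bookmark_folder|Folder02
02-23 18:05:12|file_created|Temp/dropper.exe (placeholder name)
02-23 18:06:02|file_created|SYSTEM_FOLDER/payload.dll (placeholder name)
02-24 07:30:00|browser_history|mail.example
02-23 18:05:12|bookmark|Folder02/site-c.example
03-02 11:00:00|system_restore|restore point applied
"""
TS_FMT = "%m-%d %H:%M:%S"

def parse_export(text):
    rows = []
    for line in text.splitlines():
        ts, kind, item = line.split("|", 2)
        rows.append({"ts": datetime.strptime(ts, TS_FMT), "kind": kind, "item": item})
    return sorted(rows, key=lambda r: r["ts"])  # chronological order first, always

def find_bursts(rows, kinds, window=timedelta(seconds=5), min_count=4):
    """Walk the sorted timeline and report spans where more artifacts of `kinds`
    are created inside `window` than a person could plausibly produce by hand."""
    sel = [r for r in rows if r["kind"] in kinds]
    bursts, i = [], 0
    while i < len(sel):
        j = i
        while j + 1 < len(sel) and sel[j + 1]["ts"] - sel[i]["ts"] <= window:
            j += 1
        if j - i + 1 >= min_count:
            bursts.append((sel[i]["ts"], sel[j]["ts"], j - i + 1))
        i = j + 1
    return bursts

def events_near(rows, start, end, margin=timedelta(minutes=1)):
    """Every non-bookmark artifact logged within `margin` of a burst: the
    candidates for 'a what' rather than 'a who'."""
    return [(r["ts"].strftime(TS_FMT), r["kind"], r["item"]) for r in rows
            if start - margin <= r["ts"] <= end + margin
            and r["kind"] not in ("bookmark", "bookmark_folder")]

if __name__ == "__main__":
    timeline = parse_export(FORENSIC_EXPORT)
    for start, end, n in find_bursts(timeline, {"bookmark", "bookmark_folder"}):
        print(f"{n} bookmark artifacts in {(end - start).seconds}s at {start:%m-%d %H:%M:%S}")
        for ev in events_near(timeline, start, end):
            print("  nearby:", *ev)
```

On the constructed export this reports one burst of five bookmark artifacts in zero seconds, with the ad visit, the dropper and the system-folder write as the only other entries within a minute of it.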
So, how did these little bastards find their way onto this PC? Perhaps someone, perhaps the defendant or perhaps someone else living at the residence, clicked on an internet ad concerning “loan refinancing” moments before.
Their eventual deletion—well, that was caused by a user running a “system restore,” which was itself logged in the data, probably because they noticed the computer was infested with multiple viruses.
Perhaps this “expert” was just off his game that day. Perhaps he suffered from “analyst bias.” Perhaps he actually sucked and no one had ever noticed.
The fact is that something so simple as a timestamp, a minute detail, can make the difference between freedom and incarceration.
Now, this was simply one aspect of a much larger and more complicated case. And, to be honest, our job as investigators and analysts isn’t to fight legal battles or mount a defence. We don’t have the luxury to believe someone is innocent or guilty. Belief is the enemy. We simply look at the data and the evidence, and follow their paths to logical conclusions.
“Past performance is not an indicator of future success.” Wise words to live by. Well, those and “Timestamps, you idiot!”
Interested in learning more about Permanent Record Research, and how we can help you with your projects and investigations? Shoot me a message.