Justiceforbradcooper.files.wordpress.com



Tampering the IBM ThinkPadTable of ContentsResponse to the Anonymous Computer Rebuttal Report1Tampering not Contemplated in the Report6Evidence of Tampering Apparent on the Machine7Inability to Verify Data on the IBM ThinkPad10Appendix A: SAM Chart for the IBM ThinkPad13Appendix B: Sample of Invalid Timestamps14Appendix C: Sample of Invalid Change Dates16Appendix D: Google Cookies23Appendix E: Deleted Google Cookies24Appendix F: Expert’s Certification25Response to the Anonymous Computer Rebuttal ReportIn order to either place files onto Bradley Cooper’s ThinkPad laptop computer (ThinkPad), or cause them to be created by the OS in normal fashion, the attacker would be required to have either physical or remote access to it. That remote access could come through physical proximity to the computer itself, or remote proximity through the same network. However, the attacker would not have to break into the computer or login as a user to create the files locally on the vulnerable machine. The attacker could have hijacked the DNS and misdirected a user to a fake web page without their knowledge and effected penetration using one of many free and readily available tools like Meterpreter (which was demonstrated in the video). The specific iteration of QuickTime on the ThinkPad was vulnerable to exploitation. A Trojan could exploit the machine via this particular program or any number of others. Attached to this report is the SAM file from the hard drive of the ThinkPad. There is no “bracoope” account. It has only the administrator account and a disabled guest account. Mr. Cooper was functioning as part of Cisco’s Vista beta program, and it has been confirmed that the local administrator password for the Vista beta program does not match the password on the machine. The only other password ever used by Cisco was also entered, with every capitalization and number combination available. These tests failed. The Administrator password on the IBM ThinkPad is not the current Cisco administrative password, nor any other known password. Further, the rainbow tables that are 99.9% effective was unsuccessful, despite running for days, testing all combinations and tablesets. It is also notable that the FBI has not provided that password, despite numerous requests.In the report it states “in order to break into a wireless network with WEP security, one must be within physical proximity to the wireless router for the network in question.” This is true. However, that physical proximity can extend well throughout a neighborhood using a Cisco Router designed for a small office like the 871, which was the router in place. Even a layman can understand the benefit to such a router having six antennae as opposed to the standard consumer grade wireless router, which typically has two. In order to assess wireless reception ranges, you have to take into account the type of equipment, the elevation of the transmitter/receiver, and the access point to pontificate on the large signal reception radius. At the very least, it would be quite possible to sit anywhere on Wallsburg Ct and receive the signal from the Cooper home. With the additional purchase of a directional antenna, the physical proximity of the router could extend from blocks to miles away and still receive the signal, capture packets, and authenticate the network.The home network did not have MAC Address filtering enabled. So this entire point is entirely moot. Even if the router did have MAC filtering enabled (which it did not), an attacker can easily bypass the filtering. Hackers can see MAC addresses that are associated to the WEP access points. An attacker can spoof the MAC address to allow the computer onto the network with a simple command. But even if MAC filtering was enabled, as was inaccurately posited, it is simply bypassable, even by an amateur.The report contends that if the content is created on the ThinkPad in real time by the operating system, the file creation timestamps would be legitimate. When the $MFT for the IBM was extracted using FTK Imager, 100% of the timestamps for the google map search show as “invalid timestamps” under the Standard Information Entry category. The only internet history folder that was not modified on July 16 also has 100% of the files with valid timestamps. This is not a function of internet explorer, but rather a sign of tampering, file placement or coving up a crime.The report contends that the file system, because it stores time values in UTC it is not affected by changes in time zone or daylight savings time. Floating-point arithmetic on digital computers is inherently inexact. Unlike the real number system, which is continuous, a floating-point system has gaps between each number. If a number is not exactly representable, then it must be approximated by one of the nearest representable values. Double precision floating-point numbers are 64-bit values with 53-bits of significance. Floating point numbers use a form of rounding to significant digits but with binary numbers effectively making timestamp values stored in this way having a precision often of less than 6 bits of significance. Timestamp values are stored as seconds before or after midnight 2000-01-01. The precision degrades even further for dates as they move further away from this benchmark. Additionally, simply storing time values in UTC does not detract from the vulnerability of a computer to a time change. Simply changing the system time will trick the computer into storing the incorrect time values, without regard for time zone or daylight savings time. Additionally, many of the files in question, such as the index.dat files are stored in local time on the machine, not UTC.The report further contends that in order to manufacture temporary internet content the attacker would need to place the files in multiple folders. This is not accurate. It is not necessary to place the temporary internet files in multiple folders at all. The forensics software utilized (FTK) does not analyze the placement of files in folders. Further, the attacker would not need to manufacture the files themselves. They could simply navigate the computer to the map site as needed, and the files would automatically organize themselves.Index.dat files are stored in a text format, so they are easily editable. When attempting to recreate the map search through NetAnalysis, the program is unable to recreate the search using the appropriate index.dat file, the html page, and all corresponding files. Further, index.dat files are not stored chronologically, so content created out of sequence would not be apparent. The Index.dat file that matches the maps. visit was modified after the computer was in exclusive police custody, contains an invalid timestamp, and does not dictate with specificity the location sought beyond simply ‘27518.’There is no google cookie on that machine that correlates to a map search on July 11, 2008 at 1:14pm. On Windows Vista, the cache for internet explorer is usually located at: %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 here %LOCALAPPDATA% is a variable pointing to %USERPROFILE%\AppData\LocalDue to Vista’s Mandatory Integrity Control, which creates Low Privilege, virtual folders the Cookie folder in Vista is now located at:C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies\Low There are seven Google cookies found on the machine. Not one of them matches in date and time to the maps. search on the 11th. If a cookie had been found on that computer that could pertain to the correct search, then a court order to Google servers would verify if it did in fact occur from the correct IP address in the correct location, at the correct time. Despite the fact that Cary Police Department apparently submitted numerous court orders and search warrants to Google over the span of a year, none was ever submitted for a Google cookie, any Google cookie. As anyone remotely familiar with computer forensics must be aware, Google has (and had in 2008) a privacy policy that places restrictions on the length of time it will retain data. After 9 months, Google scrubs all identifying data from the cookie. There is nothing left to verify time of search or IP address. The Defense did not receive the IBM ThinkPad until after that privacy policy had expired, despite completion of the examination six months prior. There is no corresponding Google cookie. There are also no deleted cookies in the $MFT that would correspond to this Google search. It is inconceivable that the FBI’s forensic examiner would not have brought this to the attention of the investigators as the cookie’s absence itself is indicative of tampering.The portion of the prosecution’s computer report that alleges neighbor’s not being concerned by a strange vehicle being parked closed to the Cooper home is a nonpoint. There were numerous police cars parked in and around the Cooper home for a period of days and all were within access to the Cooper wireless network. There were numerous neighbors who had access to his wireless account, through proximity and through sharing of his pass code. Private investigators in the employ of the victim’s family may have rented a nearby home for surveillance, and been able to hack into the computer from there. The Cary Police Department had physical access to the machine in the home for 27 hours before it was turned off. Additionally, they waited two weeks before turning the computer over to the FBI, and an additional month before the computer itself was imaged. Placing the intrusion on a specific date and time would be speculative and is unnecessary. The data itself manifests tampering. Additionally, there is nothing that says that this happened all within the same time frame. For instance, an attacker can crack someone’s WEP encryption and not do anything with it for a long time. Or, alternatively an attacker could install malware (or it could have been installed by any number of programs inadvertently) or leverage a hole in any of the applications installed.There are, again, obvious signs of malware on the machine in its current state, as imaged.Windows event logs in Vista are exploited by programs like Metasploit without leaving any trace of logs at all. As a general rule, most of these auditing logs are not enabled by default. Brute forcing does not register a log, especially if trying to logon as an Administrator, since its reserved SID cannot be locked out. To monitor account lockout (on a Domain level anyway), the following would have to be enabled on the Domain Level:Account Logon Events?– FailureAccount Management?– SuccessLogon Events?– FailureAdditionally, the Administrator Account does reflect failed login attempts on the 15th as well as an Administrator password change when Mr. Cooper was not in the home. All users on Beta teams at Cisco have administrative access to their machines, though they do not have the password for the primary Administrator account. There would be no reason to reset the Administrator password. In the most recent information given by the prosecution, it is asserted that the screen would lock after a short period of time. However, this is asserted for a different OS than was currently on the ThinkPad. As a beta tester for Vista, Mr. Cooper had changed the lock function on his machine to expire after 9999 minutes when he was at home. Further, the account was logged in when Mr. Cooper left the home on the 15th.It is not this examiner’s opinion that the intrusion happened on July 11. At that time, the computer was logged in at Cisco while Mr. Cooper was away at lunch. Unless the real murderer was employed and present at Cisco while Mr. Cooper was away at lunch, this scenario is laughably implausible. The defense has no intention of suggesting that Cisco’s firewalled and hardened WPA2 system was hacked. However, another point to consider is that Vista supports dual homed networking. That is to say that while the computer was connected to the Cisco network,?the connection to the home network via the Wi-Fi connection is still active and functional, both as a router and as a VPN directly into Cisco. Hence if the home network was penetrated and the attacker had validated access to the target system (they know Mr. Cooper’s username and password) they can initiate a connection to the other (Cisco) network. There is a portion of the report that discusses the UAC dialog box requesting the user’s permission to allow the program to run in the example WEP cracking and hacking video. The video was run on a default installation of Vista for the purposes of showing what actually happens on the computer. The UAC was likely not turned on Mr. Cooper’s ThinkPad because it is disruptive during processes and presentations. The video was a demonstration of one way in which tampering could have happened, it was not meant to be dispositive of the only way. UAC is highly likely turned off on his machine, and even if it weren’t, many users simply click through any pop up boxes. I am not suggesting the video is the only way an attack could have happened, just one of many simple, and undetectable ways to access the system and place files. Further, Meterpreter allows creation of shortcuts without UAC prompts in Vista systems. In the case of redirection or data manipulation, depending on the tools utilized the attacker can modify and intercept many types of data.? A common use is to force the target users web browser to a site of your choosing, as you can intercept the outgoing web site request and rewrite it to something completely different. This requires no knowledge of the targets passwords or usernames, only that the victim is surfing the web while the attacker is connected. ??In this attack the user selects for example to go to site A and the attacker modifies that request sending him to site B, or?the user looks for information on Site C and the attacker modifies that request to bring back different information from site C (changing search or lookup parameters). ?This method may also be utilized to redirect a target system to a web page containing malicious software and thus infecting a computer system deliberately.The anonymous report also contends that there is some importance to file sequence. The Windows OS does not chronologically keep all files in a file sequence. NTFS file allocation process varies from Operating Systems and versions. In addition NTFS file systems does not increase a record index for each new file created Hence, there is no way what order files are created. After analyzing $MFT we can clearly show files have no chronological order other then dedicated sectors on the physical hard drive. These physical locations are like apartment address with different rooms. As more space is needed the NTFS file system allocated additional locations for new files. As you can see below files created after July 11th will end up in the same physical location as if someone created the files on July 15th. A simple analysis of the $MFT file clearly shows this proof of concept. The files created during the Google map search allegedly on July 11 are from Parent File Record Numbers 113776, 113778, 113782, 99126, 99305, 99310 and 99314. There were 3,956 files allocated to hose locations starting from July 7 to July 16. Almost every file in these specified locations have invalid timestamp data. There are 14,063 files in the parent file record numbers. Only 14 Parent File Record Numbers have some invalid date stamps. So, less than 0.1% and they just so happen to correspond to the files we are discussing in this report. Even the author of the book discussing NTFS file allocation and time sequencing does not know for sure how the OS allocates file locations. What he does note is that different operating systems behave differently.The statement “I have never seen anyone who could break into a network and/or a computer and leave absolutely no evidence they have been there” is speculative and cannot be proven. There are obvious signs of tampering on the machine and the files themselves are not valid. Additionally, there are tools that can manipulate files without ever engaging a logging system. Because computer evidence is so trivial to manipulate, the WEP network can be so easily hacked, and the means of exploitation of files are so variable, data manipulation can easily and quickly occur without detection by any forensic software tool. Tampering Not Contemplated in the ReportAnother scenario to consider is utilization of a Man in the Middle attack with software like Ettercap to gain username/password information or to have the ability to modify information going to and from the targeted systems.? Utilizing ARP poisoning, the attacker creates a situation where all traffic to and from the target system goes through the attackers system first, allowing for eavesdropping and manipulation of the data. This can lead to the acquiring of passwords that may provide access to the targets computer, if for example they have some kind of remote desktop access software running (VNC, Windows Remote Desktop etc.) and utilize the same access password as they use for a web based service. ?If this is the case, no brute force or password attacks are required to access the targets system as that attacker would have the user password?by other means.?Additionally, the hacker could utilize Timestomp on files that were on the machine, but on an innocuous date. This would simply require changing the timestamp on a series of files, which Timestomp can do efficiently and quickly to an entire targeted folder. It can also function recursively. Because there were traces of malware on the computer, it cannot be ruled out that malware already installed could allowed alternative access to files. For example, google_com[1].htm > linked to Trojan.Vundo.H and to website redirection complaints.The Defiler’s Toolkit is designed to prevent forensics tools and examiners from identifying hacking and activities by removing evidence normally left behind. The Toolkit hides and destroys data by associating good blocks with the bad block inode to store data by marking a section of the host’s hard drive as bad. Normally, it identifies blocks that do not function properly so that another function of the Toolkit used to recover files will not look in the bad blocks. The only possible way to detect this would be noticing a change in the size of the drive, but without determining what has been stored there. The hacker can redirect any files or logs to be stored in that portion of the hard drive. Two programs for data destruction are also included in the toolkit. Normally, when a file is deleted, only the data is removed, leaving the underlying metadata intact. Directory entries normally make it possible for a forensics investigator to identify deleted filenames and their files. Necrofile is the program that will use deletion time criteria to remove metadata, making it difficult for a forensic investigator to determine a file has been deleted. Klismafile identifies directory entries for deleted filenames and eliminates them. Using these two programs in conjunction removes evidence that data has been added, deleted, or altered. Lastly, it would have been possible to exploit a known vulnerability on a windows machine. Vista was notoriously buggy, and weak. The perfect method of tampering with files would include using a widely available exploit, then installing the windows update that would remove that vulnerability. As of July 8, 2008, there was a serious vulnerability in Windows Vista that would have allowed exploitation of holes in the vista system. “An authenticated attacker could install programs; view, change, or delete data; or create new accounts with full administrative rights.” The update that was installed on Mr. Cooper’s ThinkPad after it left his possession was KB950582. That update came out on July 8, 2008. His computer was not set to automatically install updates, it required a user password. Yet it was not installed until after the computer was in police custody. Another possibility is to reboot the machine with a LiveCD and place content on the hard drive. There is evidence of this occurring on the machine. There is a forced restarted and a sudden reboot. The user would only need to set the time back before reboot to an innocuous time period, then place the files on the machine. A hacker can easily use a bootable CD or USB to break through the admin password on a machine. There are numerous programs to use, and hundreds of online tutorials to execute the crack freely and easily. Using a LiveCD will also give you full control of the physical drive and with the proper tools a hacker could leave little or no trace. Another option is to copy the original and unaltered Temp Directory(s) and Meta data onto a USB drive and drop files onto a computer that is set to a previous date which a user can then perform the Google Map search. All you need to do now is to append the altered files on the original computer with the metadata intact using a program that restores files and Meta data. There are 100’s of free tools and liveCD’s to perform these tasks. Some programs that can perform thses tasks include Rsync, Unix Touch, Robocopy, XCopy,XXCopy and Pinpoint Labs SafteCopy 2 to name a few. A user could also backup the folder with dd and restore via ntfsclone. A simple Google search came up with which is a BootCD that comes with a Time editor. There are 100’s of other LiveCD’s that have similar functions. Since Windows will not be running there will be little trace left of tampering. However, all files dealing with this case show invalid entry timestamp dates in the $MFT file. Which is a clear sign of tampering or failed attempt in a coving up. A built in tool in Vista called PowerShell can easily update timestamps. Listed below is a simple example.Touch on Windows via PowerShell A forensic investigator recently inquired about a touch equivalent for the Windows environment. If you don't know touch is a command in the *nix environment that allows you to modify file timestamps arbitrarily.My first thought was that maybe wmic could accomplish the task. Turns out wmic can only read timestamps, not set them.More digging revealed that Microsoft's PowerShell could be used to modify file timestamps.Below is the nitty and the gritty.From within powershell:$(Get-Item ).creationtime=$(Get-Date "mm/dd/yyyy hh:mm am/pm")$(Get-Item ).lastaccesstime=$(Get-Date "mm/dd/yyyy hh:mm am/pm")$(Get-Item ).lastwritetime=$(Get-Date "mm/dd/yyyy hh:mm am/pm")There are also utc timestamp attributes (CreationTimeUtc, etc.). I haven't touched (no pun intended) those.Here's a sample run from my PowerShell prompt (PS>):PS > dateThursday, August 14, 2008 9:38:47 amPS> echo > test.txtPS> dirMode LastWriteTime Length Name---- ------------- ------ -----a--- 8/14/2008 9:38 AM 0 test.txtPS>$(get-item test.txt).lastwritetime=$(get-date "08/31/2012")PS>dirMode LastWriteTime Length Name---- ------------- ------ -----a--- 8/31/2012 12:00 AM 0 test.txt This is one of the easiest ways to do it. Another way can be to simply change the time on the computer. Simply to reset the system time, and restart the computer, then show what time displays in the logs, it should be system time as reset. If the hacker changed the date/time of the system, then restarted the machine, the logging would indicate the time that the system was changed to. When the system restarted, they would have needed a password. If they did not already have the bracoope password, they could use the admin crack CD to blow through the password. At this point, the Google map search could have been performed, and it would appear exactly as if someone had done it 5 days prior.Similarly files could be altered after the machine has been turned off, but prior to imaging. The machine would have to be shut off, and the attacker would need to hook the hard drive up to another computer as an external drive. At that point, the attacker can add or delete files without altering logs, can alter metadata without installing any programs on the IBM hard drive, and all logs would be reflected on the machine that is running the program, not the IBM that is booted as an external drive. It would be difficult to imagine a simpler means by which tampering can be done. It is also why imaging and hashing a machine soon after receiving it into custody is of such critical importance.Evidence of Tampering Apparent on the MachineThe Cary Police Department arrived in the home before 3:00 on July 15, 2008 and remained in the home monitoring Mr. Cooper until he left the home at 5:20pm on July 15, 2008. Mr. Cooper’s computer activity ceased. He left his computer running, connected to the wireless network, without a browser open, and without logging out of his computer. The screen, while at home, is set to lock after 9999 minutes. As an administrator, Mr. Cooper was able to permanently change the default settings. In the most recent set of discovery, this question was posed to Cisco, but the response back did not contemplate that the OS Mr. Cooper was using was, as a member of a beta team, Vista. Computers were not taken into evidence until very late on July 16. Police were in the house for 27 hours before the computers were seized. The router was not ever tested, and requests for router logs have been denied.On this machine there are several anomalies that are evidence of tampering. The cached password files for the bracoope user account are missing. The account is not detected as containing a password in any brute force rainbow table scan. Although bracoope is a domain account, password cache files would still need to be stored on the machine in order to access the data without logging in through Cisco. Further, while the computer was in the sole control of the Cary Police Department, registry changes to the bracoope user account were made, one of which would indicate a password change.All internet history dat files are modified on July 16, 2008 at 4:42 after Mr. Cooper was out of the home for almost 24 hours. In the “recently opened docs” section, there is an internet history file from June. The Date/Time for the machine was last edited on July 15, 2008 at 21:00 UTC, this is 40 minutes after Mr. Cooper left the home. The bracoope profile Key Properties was last written on July 16, 2007 at 17:55 UTC a full day after Mr. Cooper had left the home. The system experienced an unexpected shut down and reboot while Mr. Cooper was out of the house, followed by an Admin Login change. Under Cisco’s Beta Testing group, the bracoope account cannot be shut down without manual input. The system either requires a forced reboot, or a password to restart the computer, it will not restart itself even for updates. Additionally, the system reflects a failed logon attempt on July 15th at 19:10 UTC while the Bracoope user account was currently logged in and researching the Kurtz & Blum office.According to the FBI, there are 692 files modified during the time period where the computer is under exclusive control of the Cary Police Department. There are 251 files deleted and created on the 16th as well as 70 files created only. There is evidence of the Cary Police Department using information from this computer as early as July 26, 2008 despite the computer not being imaged by the FBI until late August of 2008. After analyzing the $MFT, all of the files dealing with the Google search on the 11th have invalid “Standard Information Entry” Dates. When compared to all other files in the $MFT, the only files that are invalid are from the July 9th IE temp directory and folders created after July 9th. The June 16th IE directory has 0 invalid Standard Information Entry Dates. The Temporary Internet Files are located in /users/bracoope/appdata/local/temporary internet files/content.ie5. The last time Mr. Cooper had access to his computer, the folder A68JPGTI had 504 items. This was on Tuesday July 25, 2008 at 5:09:49. Two new folders were created on July 16th, but house less items in the directory. There is no legitimate reason for two folders to be created on the 16th. (**** I was wrong ***** These files were created on July 3th. Which actually works in my theory that all folders where edited using a script. If these were freshly created then we would see no tampering)When a file is created in an NTFS file system, there are 8 timestamps set for each file, four MACE values for SIA and FN values. Caine Forensics, a Ubuntu tool has a file analysis tool to view Access Time, Modify Time and Change time. Access is defined as the time created, Modify Time is the time the file is last edited and the Change time determines the time the file was last accessed. The order of the times should increase for each step. Access should be the first date, modify should be the second date, and the change should occur last. If the timestamps are not in the correct order, the files are not valid. There are 13 internet folders on the IBM Machine. Of the 13 folders, 5 of the folder and 387 files have nothing to do with the relevant time period. In each of those 5 folders, the Caine Forensic File Analysis Tool shows no tampering and a correct file timestamp sequence. During the time Mr. Cooper had his computer set up until 5:09 on the 15th, 6 folders were created. Every single file involving the Google Map search shows an incorrect timestamp sequence. Once Mr. Cooper no longer had access to his computer, 2 new folders were created, and they both show an incorrect file sequence. All of the folders showing incorrect timestamp behavior are modified on the 16th, after the computer is out of Mr. Cooper’s control. The modified time stamps show extreme past or extreme future dates. On a normal Google Map Search, the metadata remains valid through the timestamp details and dates.All of the files dealing with the Google Map Search have the exact create and modified date down to the nanosecond. This is then followed by an incorrect Change Date that is either wildly in the past, or wildly in the future. No other files in the directories have the same Access Time and Modified Time. Normally, timestamps should satisfy conditions $SI.M <= $SI.E, $SI.C<$FN.C, $SI.C < $SI.A. If any is fals, the timestamps were probably tampered by anti-forensic tools. But some intra-volume replacement may cause $SI.C>$FN.C or $SI.C>$SI.A and the corresponding $SI.E indicates the time of replacement. If $SI.E<$FN.E, the timestamps are unreliable. Files other than Office files and .exe files. If $SI.C>$SI.M and SI.C>$SI.E, we can conclude that the file was copied from another volume.This is concrete evidence of file tampering.As the prosecution has asserted, 4 random cache folders are created by internet explorer to house temporary internet logs. However, what was not mentioned is that internet explorer will add additional folders in multiples of four when additional space is needed. On Wednesday July 16, Internet Explorer did create 2 additional folders. Internet Explorer creates folders in multiples of four only. (**** This Statement is incorrect ***** My analysis was incorrect. These folders were created on July 3rd.) Additionally, last event logged through Windows System 32 Event Logging Application is not on Tuesday July 15, or Wednesday July 16, but is rather Saturday July 12, 2008 at 13:43:53. This is evidence of a time change. Furthermore, the C:CSCOADLS.log corresponds with the last time the computer was run. These are the last entries: 7/12/2008 1:43:47 PM - CSCOADLS.VBS - Start of script execution7/12/2008 1:43:47 PM - Ensure NS Client is enabled7/12/2008 1:43:54 PM - NS Client is installed7/12/2008 1:44:03 PM - Apply AD Kerberos Reg Keys if missing7/12/2008 1:44:05 PM - Apply Altiris Reg Keys7/12/2008 1:44:05 PM - Cleaning Log Files for CiscoTrustAgent7/12/2008 1:44:05 PM - CSCOADLS.VBS - End of script execution There are seven Google cookies found on the machine. Not one of them matches in date and time to the maps. search on the 11th. They are google[1], [2], [3], [5], [6], [7], and [8]. There is no corresponding Google cookie. There are no deleted cookies in the $MFT that would correspond to this Google search. There is no evidence that Mr. Cooper has ever worked to erase history on his machine. There is no evidence of running an erasing program like DBan on the machine. Mr. Cooper clearly did not delete cookies or internet history, as is evidenced by files dating back to April, when the OS was installed. He would not have deleted the matching cookie, especially without taking the easier step of erasing all internet data. And despite checking the other machines for cookies in their report, the FBI did not mention cookies on the ThinkPad, nor did it mention what those modified or deleted files on the 16th actually were. Despite this basic step, it was avoided in the analysis of this particular machine, indicating knowledge on the part of the examiner. Additionally, even the FBI computer report is not confident in the validity of the map files. It states “appears to have been created” when all other activities use affirmative and secure language.Inability to Verify Data on the IBM ThinkPadAccording to NIST, the program used to evaluate the IBM, FTK, was never tested for Vista. FTK Imager Version 2.5.3.14 was tested as late as June 2008. It was tested by NIST on Windows XP, Windows Server 2003, and Windows 2000. It was never tested on the operating system currently on the IBM (Windows Vista). This means there is no standard for evaluating anomalies in FTK on the machine in question. Additionally, the Vista OS was known for being notoriously buggy, exceedingly more than any other current Windows OS. Without having tested it with FTK, there can be little to no confidence that Vista performed as well with the program as its predecessors. This could result in missed files, not attaching to altered log files, or a less than thorough ability to cull data. There has been a claim that the computer was analyzed for tampering, and that no tampering was found. Of course, there has been tampering, as evidenced above. It is significant that the prosecution will claim that they have done an analysis for tampering when they have not. The programs used by the police to evaluate computers are not effective at detecting tampering. FTK simply carves data. NetAnalysis simply interprets internet history files based on their timestamps. It does not corroborate the validity of that timestamp or verify with logs if it actually occurred.Even if the programs used were actually able to detect tampering and evidence on that computer, the mere fact that it was not kept secure and imaged immediately negates all confidence in the data. Anyone who comes in contact with digital evidence should know the importance of keeping it secure. Since merely starting a computer changes every drive it has access to, anyone accessing a computer can unintentionally cause changes. Spoliation can happen very easily with a computer that is not imaged. Digital evidence is latent, yet easily altered, damaged, or destroyed. If a computer is not kept secure and imaged immediately, it is possible to lose or alter digital evidence. In a proper forensic examination, the image must be taken in a way to guarantee that the original was not puters are imaged to verify the integrity of the data. A hash code can bolster the forensic process. The has code on the computer should match the code on the original and the image. Well over a month had passed before the IBM ThinkPad was imaged and hashed. This computer was seized as potential evidence in a homicide. Prior to its imaging, it was not immediately put into evidence. Prior to seizure by the police, it sat connected to wireless for 27 hours. There is no way to verify the data on that machine is in the same state as when Mr. Cooper left that computer at 5:20 on July 15th. If a computer is not immediately imaged and hashed, then anyone can dump illicit material into the machine. The subsequent hash generated will match, even though it had already been altered. According to the FBI database, there are at least 692 files modified after they are out of Mr. Cooper’s custody on the 15th. This database does not include or indicate those files that were deleted during this time frame. There are a set number of files in the Access Database. This cannot possibly list all possible files on the computer. It also does not take note of the files that had been deleted. If the computer had been immediately imaged and hashed, there would be no question of additional files created after it left Mr. Cooper’s custody.Because there is a large gap in time before the computer is imaged and hashed, it is important to note that metadata can easily be modified. Programs exist to modify metadata, whether it’s changing the date and time, the user, or the author. Anyone can download and operate these programs for free. These programs can change the metadata to reflect that a certain document was downloaded or opened at a specific time, or that a certain user modified a file. These are very easy to run, and if used correctly, will lead no traces.Steps should have been taken to secure the computer immediately after Mr. Cooper left the home. The computer could easily have been accessed either directly or via wireless. The computer was sitting on the desk, logged into the user account, for a period of 27 hours. The wireless password had been given out already, and it was not difficult to crack (12341234123412). It would be very easy to plug an external drive into the computer to pull data off of the machine, to wirelessly access the machine, or to boot the machine to a CD or USB that would have the ability to change data without leaving logs. In order to ensure integrity of the data, the computer should have immediately been unplugged and forced to shut down.Anti-forensics tools are widely available to modify data parameters and timestamps in order to mislead computer forensics investigators. One of those tools that can be used is Backtrack or Timestomp through the metasploit framework. This allows the user to modify the NTFS timestamp parameters, which would have been used in Windows Vista. With Timestomp, all four file attributes (MACE) can be altered permanently causing forensic tools like Encase and FTK to consider these values as legitimate timestamps.Timestomp works by uses Window system calls NtQueryFile () and NtSetInformationFile (). The Setfiletime () call is not used to modify timestamps, because that would signal easier detection, because it is a well-documented API call used to modify file timestamps. The popularity of that call makes it detectable by forensic tools. But by using the unpublished windows system calls we already mentioned, all four MACE attributed can be tampered with, without detection. Timestomp can alter the timestamps down to the nanosecond, or it can set those values to zero. Timestomp can be used alone, or as part of Meterpreter, which will allow the user to connect remotely to a target computer without directly accessing the hard disc or leaving traces in the registry through direct memory injection.Since all Meterpreter and Timestomp operations are conducted in the RAM, no digital evidence is left in the systems to indicate traces of anti-forensics activity. It would be impossible for a computer forensic investigator to notice timestamp modification, since its parameters will look legitimate. Timestomp even provides a specific option tailored to confuse Encase and FTK. Timestomp MACE modification “renders all file timestamps useless and compromise forensics to the extent that digital evidence is unreliable.” The only way to verify the timestamp is through a third party tool, such as a Google cookie.Both the FBI and CPD are well aware of the corresponding logs and details that could have proved or disproved that IBM logs were accurate and untampered. Contacting Google seems well within the FBI means as they did in this case by faxing an order to preserve evidence of a Google email account. It would have been easy—if not expected—to corroborate evidence that’s in question. CPD contacted Google on 12/2/08 and specifically asked for search history, IP address, but only for a Google email account. It is illogical and suspect that they did not include a request at that time for the corresponding search details of July 11, 2008 that supposedly would have matched Mr. Cooper’s computer. It is clear that the FBI specifically realized the time constraints of digital evidence, as they sent an order of preservation to google to preserve a Google email account of Mr. Cooper’s, but made no effort to preserve the most critical piece of evidence, the alleged corresponding Google cookie. Only after 10 months did the defense get access to the computers, after numerous phone calls, emails, and finally filing a motion to get access. The defense alerted all parties to the volatile nature of computer data. Google scrubs as identifying data after 9 months. By the time the defense had access to the IBM laptop, all information had been purged and no corroboration could be gained from Google. Finally, it is an unavoidable conclusion that the State’s anonymous expert’s claim that there was a Google cookie on the ThinkPad that matched the search on July 11, 2008 was simply dishonest and misleading.Appendix AAppendix BAppendix CFile:`AYIOOGQY/TPCAZQ2GAMCATC4R0GCATT6NI6CA4FZXVECALL82OGCAXGLFRRCAHAFRRPCAZRZZ19CAFM4FBZCAD0A0H2CAM1X4S0CA0QPKOZCA50BU3DCA8P9AZGCAG1ZQ1LCAKJYPFSCAKLNUN1CAJYL74QCA9LH1V1.png'Size: 1084 Blocks: 8 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102926 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:33.225334700 ‐0600Modify: 2008‐07‐11 11:15:33.256583900 ‐0600Change: 2001‐11‐30 09:05:06.420643800 ‐0700File:`AYIOOGQY/NRCAU5UVKZCA3VNOXBCAV1P7FRCAPYD4F6CAWNWAFRCA79Q6RGCACF1FLNCAIQ5581CADVBVRYCADBKBRWCAGEIM8QCAB365FWCAPYVD1ZCA7NOOTFCAGC5985CAM44NHECAS21YZUCA32VVMKCAHYGDRA.jpg'Size: 19254 Blocks: 40 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102928 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:33.287833100 ‐0600Modify: 2008‐07‐11 11:15:33.350331500 ‐0600Change: 2002‐08‐06 03:08:04.639861400 ‐0600File:`AYIOOGQY/KNCA9M8XW9CAAUGCAJCAC3976GCA6ZRDKECAV4XUCWCA6JPFPGCADRHN7OCA8U3VI1CA2LR6O7CA8ZOEMECAA9YJAWCAW29AR4CAT3BW0ZCAA1ZIZKCAXGW0Y1CAJ3IT9PCA2I0WDRCABXSRG8CA54V3ZG.jpg'Size: 20080 Blocks: 40 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102927 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:33.240959300 ‐0600Modify: 2008‐07‐11 11:15:33.256583900 ‐0600Change: 1935‐01‐10 18:27:59.396921400 ‐0700File:`AYIOOGQY/9KCAIWPL4YCADPNOWNCA19FDWRCABLWU2ACAJ48UQZCAXYG7YYCA5HNJRBCAAMHAE7CAL4LOIECAUGQJ5TCAKRI8TGCAGTIOXMCAFVXPXLCABGMUWUCATEDW0ECAVAKDQ7CAL71QBOCAU99Y5HCADVACME.png'Size: 116 Blocks: 8 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102925 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:33.209710100 ‐0600Modify: 2008‐07‐11 11:15:33.256583900 ‐0600Change: 1984‐01‐29 13:11:12.711776600 ‐0700File:`AYIOOGQY/09CAUSSTVXCA34A1Y0CAKOJZDKCAP3NSE1CAM4N775CADODPJVCAZ5X64ACAW5Y6CNCAJ0BZUWCA7TJRRCCAGFOIJ7CAZRKVQJCATXXP9WCAHWH3L6CA31WR0FCA9KK0QZCAKN93K6CANAZ9YPCANP18DJ.png'Size: 116 Blocks: 8 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102924 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:33.194085500 ‐0600Modify: 2008‐07‐11 11:15:33.256583900 ‐0600Change: 2025‐02‐10 18:03:37.255988600 ‐0700File:`AYIOOGQY/ESCASQ3IMMCAPYAVW7CAMXR47ECAQZQ0M8CAL9C67QCAHL5353CAGSC8CXCAWQQAT3CANQKGU8CA08ZAWRCAU2YQH8CAVHXGYWCAR21YQOCA8D4HPICA0WY93HCAVH1RQFCAQ407J2CAZ2ZB62CAQS4XKK.jpg'Size: 20975 Blocks: 48 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102911 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:30.006667100 ‐0600Modify: 2008‐07‐11 11:15:30.022291700 ‐0600Change: 1984‐01‐29 13:11:12.711776600 ‐0700File:`AYIOOGQY/S9CAK7XLFWCACQO95TCA2S37X1CA26RDT2CA0BF46YCACN6BNHCA3D4LUZCA84S2U0CAFE3M9SCAQIKJXMCABHEU3PCA876TEXCAVSWHX3CA7HSSD7CASQ2P3VCA4O4XUSCAM4X3LICAVIQVMXCAX51EWJ.jpg'Size: 18812 Blocks: 40 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102903 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:29.647301300 ‐0600Modify: 2008‐07‐11 11:15:29.662925900 ‐0600Change: 1984‐01‐29 13:11:12.711776600 ‐0700File:`AYIOOGQY/Q3CARYIJK1CANNX569CA523XJACA1ZCXOACA5TWAEHCANBG6GICAPOSJ1KCAPW35LJCA6X8M3BCA17Y98KCA0N94RHCA43RH0DCAI1MFL3CAGOVF1ACAN7XFQ3CAHNJD1QCAN7FK8ECABJ1STOCAFX83LO.jpg'Size: 16076 Blocks: 32 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102895 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:29.194187900 ‐0600Modify: 2008‐07‐11 11:15:29.194187900 ‐0600Change: 2001‐11‐30 09:05:06.420643800 ‐0700File:`AYIOOGQY/BACAHQLIL0CAEZAAI3CA3YNYT2CAPZWUA2CAHXXP21CARU4MJ8CAB4Q3LXCA8BDWRQCAQRVQ3CCA2P2R9ACA57DZB3CABZR10ICAT1P0ZPCAGFLF8YCASCQ8VKCAMWK2TTCAWPQ1FECAYKHFJ1CAOV01FP.jpg'Size: 19788 Blocks: 40 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102865 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:29.069191100 ‐0600Modify: 2008‐07‐11 11:15:29.069191100 ‐0600Change: 1937‐11‐07 04:16:16.102110600 ‐0700File:`AYIOOGQY/07CA16WAQ9CAGGKU6RCAQNWSQECAFDAWFNCAB30AALCA2D03U3CABDZVW8CATDJX70CAZUNX3ICAEDQALBCA505BN6CAAPMIUPCA2EWOKLCAMSAENSCA4Y79IRCAI6Z1IUCACV47I3CAB8IHHFCABJEC1M.png'Size: 3341 Blocks: 8 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102843 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:28.022342900 ‐0600Modify: 2008‐07‐11 11:15:28.022342900 ‐0600Change: 1973‐12‐31 06:51:16.261799000 ‐0700File:`AYIOOGQY/0BCAJUZ7SVCA6EPZUBCA6Z0JG1CAN9O4GMCAZ6UVHXCAM0JFU0CAPCM4S1CA8DAPFDCARY9SI6CAVSOD75CA7IEZH0CAT8723KCAQMHVPACA705BE1CAM0XV2JCAW3UNXWCANV1EJTCAD9CK89CA46M5IL.jpg'Size: 19232 Blocks: 40 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102855 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:28.772323700 ‐0600Modify: 2008‐07‐11 11:15:28.772323700 ‐0600Change: 1973‐12‐31 06:51:16.261799000 ‐0700File:`AYIOOGQY/EECAYA33XLCAJH6F6BCAW40AMFCAAY1KH2CA69U4SJCA5SB80FCAP06JAVCAXCPQ50CAFRTLG8CA8A7J5VCAC5XGI2CA38CCJWCAKPGO4ZCA8U3TYACAN4YAWICAGXA6RXCAHDAMVVCADT0O54CA3BEVTV.png'Size: 116 Blocks: 8 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102762 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:27.397358900 ‐0600Modify: 2008‐07‐11 11:15:27.397358900 ‐0600Change: 2020‐03‐10 18:06:10.157527000 ‐0600File:`AYIOOGQY/AHCA8A5R7NCA3BS18KCA87QKCGCAZ3ZA8UCANV70YPCA5Z22L1CAM74MCYCAVXJ5PBCABBTTX0CA0J0UZ9CAEXXMLCCAPTWYB4CASULKQ1CA5V0XE9CA72Y91CCAQ774O2CAPU07LUCA4BD4R2CAEPZD3I.jpg'Size: 18490 Blocks: 40 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102838 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:27.725475500 ‐0600Modify: 2008‐07‐11 11:15:27.725475500 ‐0600Change: 1918‐04‐02 14:25:15.503769400 ‐0700File:`AYIOOGQY/1ZCAI107UHCA3XWEZYCAJPQA51CAQW4DHRCAXK9JGTCADPKKEBCAH7OA2CCAQSQFJ6CAOV3063CAK7S57XCADPJ9VZCASPTSXKCARU3JRGCAHK1ANDCAZU2M3SCAO1KS2ICAMLAD23CAQJYPRQCAKJRAP6.jpg'Size: 19190 Blocks: 40 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102743 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:27.131740700 ‐0600Modify: 2008‐07‐11 11:15:27.131740700 ‐0600Change: 2020‐03‐10 18:06:10.157527000 ‐0600File:`AYIOOGQY/J8CAXUGFZZCADMKC7MCAI1UKBOCAL9CUROCA494SH2CAAHLRD2CALO2HARCAQ6DRRZCADII1BDCAHCA9WKCA662SHECACJFJJ0CAF9UDEECACHENV5CAEEG2D4CAFZPM6NCAZ3Y52XCAF2JXHACAAO8VA2.jpg'Size: 20347 Blocks: 40 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102719 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:26.866122500 ‐0600Modify: 2008‐07‐11 11:15:26.866122500 ‐0600Change: 2020‐03‐10 18:06:10.157527000 ‐0600File:`AYIOOGQY/ZBCAEFGDK9CA7ZPJF1CA1W8PO5CAR99143CA8P8RANCAYZ02VVCAM4NM8BCADLPJE1CAV9U23GCANLJ1OYCATVTO3RCAN26ADOCAVBAEO0CAVRPPB7CAPP4NJ3CAE9JDKCCA81ZN13CA75BSN9CA9N2OKC.png'Size: 4080 Blocks: 8 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102661 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:19.991298500 ‐0600Modify: 2008‐07‐11 11:15:20.022547700 ‐0600Change: 1953‐07‐04 16:31:40.884533000 ‐0700File:`AYIOOGQY/VCCA1BZ5DNCA08JLMWCAQNDT1ICAJ1RA4VCAKQUF1TCAKNE8RLCAK808P5CAD0U10BCAMSKBMUCA2D3JPZCAINWWL5CA36RCZLCA1BYQ92CA4IA991CA96Y3AXCAS7A65JCA0XUE2OCAG93V69CA532OON.png'Size: 4596 Blocks: 16 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102658 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:19.960049300 ‐0600Modify: 2008‐07‐11 11:15:20.022547700 ‐0600Change: 2020‐03‐10 18:06:10.157527000 ‐0600File:`AYIOOGQY/NTCA1N1RY2CAWYJGU2CA8EVTNDCAXHBMWPCAX3Z5LYCAUCFVQGCAJNL6A5CAOOJYTBCA5KBCT5CABCU06QCA4611QNCAD7GYBUCAOGES2ICA23Y77UCA6TBV6NCA39GF2PCA2IZKEHCAL4K06ZCAMO1X1M.png'Size: 5454 Blocks: 16 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102663 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:20.131919900 ‐0600Modify: 2008‐07‐11 11:15:20.194418300 ‐0600Change: 1984‐01‐29 13:11:12.711776600 ‐0700File:`AYIOOGQY/GXCAVYQ61TCA0PKY5UCAAYBMRLCA4R99IJCA121JQPCARKV0V8CACOLRAXCAO3MPXYCAEFR1G4CA3A7Z96CA55KF67CAMKD888CAC6Z6PICAOXM9IHCAZ10KEACAU0V8CKCA3TTO37CALT8C89CA15P12N.png'Size: 5084 Blocks: 16 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102659 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:19.975673900 ‐0600Modify: 2008‐07‐11 11:15:20.022547700 ‐0600Change: 1973‐12‐31 06:51:16.261799000 ‐0700File:`AYIOOGQY/YPCAQGAUWLCAOFCUN8CA3F5QH9CAA0B835CANS6833CAA96NILCA2OI6A2CAZIMKSLCAGWSGVUCAATUDXLCAYBR34ZCAO36OZQCA1740UKCAJENGZGCARWQAKHCA2QZXWLCAT73A2QCAJWJVXJCA5U9M2Z.png'Size: 4246 Blocks: 16 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102634 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:19.460062100 ‐0600Modify: 2008‐07‐11 11:15:19.460062100 ‐0600Change: 2020‐03‐10 18:06:10.157527000 ‐0600File:`AYIOOGQY/1MCA9K02QNCA71KFRNCANUW9HSCA6JFTTLCAY9E0P7CAJLIUR1CA82BA29CA8D0MGDCAWS2HM8CAUOL7G9CA48PL2UCAG82E6ICASMB2WKCAPD1R2OCASKQVPSCA0A5LKUCAPH10FGCA6X3R1HCAWD0JCV.jpg'Size: 17292 Blocks: 40 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102621 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:19.053822500 ‐0600Modify: 2008‐07‐11 11:15:19.053822500 ‐0600Change: 2020‐03‐10 18:06:10.157527000 ‐0600File:`AYIOOGQY/VPCAFQ9TSHCA3G133FCAZP9DNUCAM1OTGGCARNKWU3CAB7XBH6CA1VDFRDCA4XGLRYCAEB6VRWCA3Y6OPDCAD7OSADCADITO6RCAE8V2GQCAA3ORU0CA80CR7XCAJFL2CRCA9IPCEJCA24N09FCAGW1520.png'Size: 6820 Blocks: 16 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102614 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:18.741330500 ‐0600Modify: 2008‐07‐11 11:15:18.803828900 ‐0600Change: 2020‐03‐10 18:06:10.157527000 ‐0600File:`AYIOOGQY/6ACA60PUQLCAM33XYMCAU2WXR3CAF4JWXYCA3FZT02CA578V6ZCA2AXVBTCAI8XB5MCAIR2F0PCAFKAEHICAX3FORACAX0H9M9CA9GN1MOCATN3G6OCA9V586ICARC2H8NCATTPPXZCAESBY6MCA17IRE9.jpg'Size: 20070 Blocks: 40 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102589 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:18.085097300 ‐0600Modify: 2008‐07‐11 11:15:18.100721900 ‐0600Change: 2020‐03‐10 18:06:10.157527000 ‐0600File:`AYIOOGQY/2TCAGEU63UCASV4Y7WCANJBBQMCAG3R5XUCAT6IQXFCA0ZMMNJCAN9PH76CAWJT2PUCABKYU6ZCA7GCC4LCA5V7RAICA20R0D1CA18GC49CA2WZGFDCAW8YYNUCARGFQ88CAKFVQ9RCAL611OYCARVE1U4.png'Size: 4545 Blocks: 16 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102603 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:18.460087700 ‐0600Modify: 2008‐07‐11 11:15:18.460087700 ‐0600Change: 2020‐03‐10 18:06:10.157527000 ‐0600File:`AYIOOGQY/CVCA8IKZP9CAQI756TCA8GKL1QCA2UQRS1CA72O0N1CA125WSHCA422G63CAXJP0PXCAW8ZHL7CAKC7G90CAIB3MRHCAQN7KL4CA5JOE16CAWUSU7VCAPWKOF3CAQXC1MRCAC4CXGVCAUZ9TOCCA3ZNVFO.png'Size: 3287 Blocks: 8 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102563 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:17.288242700 ‐0600Modify: 2008‐07‐11 11:15:17.288242700 ‐0600Change: 2020‐03‐10 18:06:10.157527000 ‐0600File:`AYIOOGQY/4YCAI2DI3RCAERSCZLCAAVE9EWCA66UGABCA6QT3A6CAN4UKWWCAMZQ2O1CA8JRPXOCAVF263UCALBWYUECA5KRRYCCADQ8D1FCAXEC52QCAXPRD1ICAK77ZQUCAICR0JNCASVD0F1CAUKGXIXCA0JCUJE.png'Size: 4147 Blocks: 16 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102575 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:17.756980700 ‐0600Modify: 2008‐07‐11 11:15:17.772605300 ‐0600Change: 2020‐03‐10 18:06:10.157527000 ‐0600File:`AYIOOGQY/4GCAQPWYW7CAM80779CA184WTCCANJ808KCAK019DRCAEBJPLRCAKD29C3CAW1TMASCAJH3CIXCABJBX21CAI00CV6CA32FB16CA0FC31NCAC4LKN1CA1I6R9QCAH1ITASCAL0PKMXCA0E891OCATMJ8S1.png'Size: 5120 Blocks: 16 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102569 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:17.538236300 ‐0600Modify: 2008‐07‐11 11:15:17.538236300 ‐0600Change: 2020‐03‐10 18:06:10.157527000 ‐0600File:`AYIOOGQY/00CAGMOYPKCA9P4QL1CA0GL7DNCATEAD77CARYOR1PCAAOSK8CCAWU5YG9CAKU07N8CAXJBYRWCAZU9E76CAYMGF0MCANL9Z9NCA81BB6VCAUXDBEVCAOPXQXNCAMHNOCRCAXYN4IMCAHJKC7MCA093RGK.png'Size: 116 Blocks: 8 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102553 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:17.131996700 ‐0600Modify: 2008‐07‐11 11:15:17.131996700 ‐0600Change: 2020‐03‐10 18:06:10.157527000 ‐0600File:`AYIOOGQY/RZCA9EAZP1CA44JJS2CAV2U9PJCA3SSIB3CAJ8KWO3CAPWUJDOCAS0KNOBCAFIMH5JCAMK9ZSSCASMNS5SCAP8QY7ZCALF1D4QCA469N2ZCAAM7GTNCACCHPI9CA5ZAUHSCAMSGHGWCAOFDEJYCA8YD2JG.png'Size: 12302 Blocks: 32 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102518 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:15.600785900 ‐0600Modify: 2008‐07‐11 11:15:15.600785900 ‐0600Change: 2027‐05‐19 05:33:59.915084200 ‐0600File:`AYIOOGQY/R2CA7T1XSGCAZQCYH7CAB5J2J9CAZ12NK3CA2E49H1CA3Q3HTOCA65V7Z2CA773T2QCA1VQNWUCAOSL914CAJVF00PCA5E9TY7CAFYF0L9CASFT9VOCAX558SECAKRPD8KCAR4NMC7CA33HZZOCAX8HOB1.png'Size: 1039 Blocks: 8 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102358 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:12.725859500 ‐0600Modify: 2008‐07‐11 11:15:13.257095900 ‐0600Change: 2027‐05‐19 05:33:59.915084200 ‐0600File:`AYIOOGQY/L1CAQ9FVQMCAM14MVGCA6HYF06CAXYOP6RCAJH07R9CAIGY25RCAEPIOHVCA2ZS5NPCADW538KCAW825Z6CA42RQFLCA78NOR2CAD7YXCKCA1QXW0XCAG29YQSCAY2AT09CACFCFO1CA9S8PR4CADCMJIV.png'Size: 9308 Blocks: 24 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102359 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:13.303969700 ‐0600Modify: 2008‐07‐11 11:15:13.491464900 ‐0600Change: 1984‐01‐29 13:11:12.711776600 ‐0700File:`AYIOOGQY/AOCA03OHXHCAMG2JYLCA252T73CAC9FTZDCAKD8BJMCAJ39MRFCANRFO5YCAEI9URVCA4VWKPMCAKUPB0ECALSA59BCAY47HBKCAW7JYIMCARRZTUCCA0N52P9CA8M5G8QCASCIZZDCAJ5WNCWCAWVB4Q4.png'Size: 13011 Blocks: 32 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102360 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:13.319594300 ‐0600Modify: 2008‐07‐11 11:15:13.319594300 ‐0600Change: 2011‐05‐17 20:10:56.524855800 ‐0600File:`AYIOOGQY/FVCAO1NOIDCAOCNYVHCABBDEZECAAHN7S7CAR3F1WNCAPB32T3CAKNKRNMCA31FN1OCAU4TLQ0CAPUJ2HZCA9PZZ96CAU4FQYVCAEQJ48DCA99XWBDCARG0BFBCAC4S1G4CARS9MFDCAFINSZXCAQZHX0V.jpg'Size: 21238 Blocks: 48 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102348 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:12.319619900 ‐0600Modify: 2008‐07‐11 11:15:12.319619900 ‐0600Change: 2027‐05‐19 05:33:59.915084200 ‐0600File: `AYIOOGQY/kh[11].jpg'Size: 21517 Blocks: 48 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102291 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:11.100901100 ‐0600Modify: 2008‐07‐11 11:15:11.100901100 ‐0600Change: 1924‐02‐17 08:50:54.650711800 ‐0700File: `AYIOOGQY/kh.jpg'Size: 20970 Blocks: 48 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102304 Links: 1Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:11.460266900 ‐0600Modify: 2008‐07‐11 11:15:11.460266900 ‐0600Change: 1924‐02‐17 08:50:54.650711800 ‐0700File: `AYIOOGQY/h.jpg'Size: 20754 Blocks: 48 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102318 Links: 1Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:11.757134300 ‐0600Modify: 2008‐07‐11 11:15:11.757134300 ‐0600Change: 1924‐02‐17 08:50:54.650711800 ‐0700File: `AYIOOGQY/t.png'Size: 7579 Blocks: 16 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102249 Links: 1Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:10.210298900 ‐0600Modify: 2008‐07‐11 11:15:10.210298900 ‐0600Change: 1924‐02‐17 08:50:54.650711800 ‐0700File: `AYIOOGQY/kh[10].jpg'Size: 19471 Blocks: 40 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102259 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:10.694661500 ‐0600Modify: 2008‐07‐11 11:15:10.710286100 ‐0600Change: 2027‐05‐19 05:33:59.915084200 ‐0600File: `AYIOOGQY/kh[9].jpg'Size: 21460 Blocks: 48 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102239 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:10.054052900 ‐0600Modify: 2008‐07‐11 11:15:10.054052900 ‐0600Change: 1924‐02‐17 08:50:54.650711800 ‐0700File:`AYIOOGQY/2WCANBXQP9CA17IM8NCANYGYA4CAW19FEMCA1VQHQZCA41UO6FCA94MPALCAH0GLQQCAOEOL0FCABCF93UCA3BGWU0CA1Q1ZSGCAO466QZCA4MK81ZCAPK87M3CABX24WFCACL3IP8CA00WNLUCAMMU73A.png'Size: 11172 Blocks: 24 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102260 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:10.710286100 ‐0600Modify: 2008‐07‐11 11:15:10.741535300 ‐0600Change: 1953‐07‐04 16:31:40.884533000 ‐0700File: `AYIOOGQY/mt.png'Size: 8919 Blocks: 24 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102232 Links: 1Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:09.866557700 ‐0600Modify: 2008‐07‐11 11:15:09.882182300 ‐0600Change: 1924‐02‐17 08:50:54.650711800 ‐0700File: `AYIOOGQY/kh[8].jpg'Size: 17887 Blocks: 40 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102217 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:02.226128300 ‐0600Modify: 2008‐07‐11 11:15:02.226128300 ‐0600Change: 2027‐05‐19 05:33:59.915084200 ‐0600File: `AYIOOGQY/mt[11].png'Size: 593 Blocks: 8 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102187 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:01.710516500 ‐0600Modify: 2008‐07‐11 11:15:01.710516500 ‐0600Change: 2027‐05‐19 05:33:59.915084200 ‐0600File: `AYIOOGQY/mt[10].png'Size: 14247 Blocks: 32 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102166 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:01.429273700 ‐0600Modify: 2008‐07‐11 11:15:01.444898300 ‐0600Change: 2027‐05‐19 05:33:59.915084200 ‐0600File: `AYIOOGQY/mt[9].png'Size: 13255 Blocks: 32 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102155 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:01.148030900 ‐0600Modify: 2008‐07‐11 11:15:01.148030900 ‐0600Change: 2027‐05‐19 05:33:59.915084200 ‐0600File: `AYIOOGQY/kh[7].jpg'Size: 20840 Blocks: 48 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102208 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:01.991759300 ‐0600Modify: 2008‐07‐11 11:15:01.991759300 ‐0600Change: 2027‐05‐19 05:33:59.915084200 ‐0600File: `AYIOOGQY/kh[6].jpg'Size: 17043 Blocks: 40 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102175 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:01.601144300 ‐0600Modify: 2008‐07‐11 11:15:01.601144300 ‐0600Change: 2027‐05‐19 05:33:59.915084200 ‐0600File: `AYIOOGQY/mt[8].png'Size: 8863 Blocks: 24 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102146 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:00.944911100 ‐0600Modify: 2008‐07‐11 11:15:00.944911100 ‐0600Change: 2027‐05‐19 05:33:59.915084200 ‐0600File: `AYIOOGQY/mt[7].png'Size: 7651 Blocks: 16 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102139 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:00.804289700 ‐0600Modify: 2008‐07‐11 11:15:00.804289700 ‐0600Change: 2027‐05‐19 05:33:59.915084200 ‐0600File: `AYIOOGQY/mt[6].png'Size: 8445 Blocks: 24 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102132 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:00.601169900 ‐0600Modify: 2008‐07‐11 11:15:00.601169900 ‐0600Change: 2027‐05‐19 05:33:59.915084200 ‐0600File: `AYIOOGQY/3939350[1].jpg'Size: 4436 Blocks: 16 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102120 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:15:00.101182700 ‐0600Modify: 2008‐07‐11 11:15:00.101182700 ‐0600Change: 2011‐05‐17 20:10:56.524855800 ‐0600File: `AYIOOGQY/cbk[1].xml'Size: 763 Blocks: 8 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 101829 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:14:59.898062900 ‐0600Modify: 2008‐07‐11 11:14:59.898062900 ‐0600Change: 2011‐05‐17 20:10:56.524855800 ‐0600File: `AYIOOGQY/mt[5].png'Size: 116 Blocks: 8 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102066 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:14:58.148107700 ‐0600Modify: 2008‐07‐11 11:14:58.148107700 ‐0600Change: 2011‐05‐17 20:10:56.524855800 ‐0600File: `AYIOOGQY/kh[5].jpg'Size: 7875 Blocks: 16 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102091 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:14:58.273104500 ‐0600Modify: 2008‐07‐11 11:14:58.288729100 ‐0600Change: 2011‐05‐17 20:10:56.524855800 ‐0600File: `AYIOOGQY/iw2[1].png'Size: 8629 Blocks: 24 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102099 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:14:58.882463900 ‐0600Modify: 2008‐07‐11 11:14:58.882463900 ‐0600Change: 2011‐05‐17 20:10:56.524855800 ‐0600File: `AYIOOGQY/mt[4].png'Size: 116 Blocks: 8 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102005 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:14:57.875660000 ‐0600Modify: 2008‐07‐11 11:14:57.891284600 ‐0600Change: 2011‐05‐17 20:10:56.524855800 ‐0600File: `AYIOOGQY/kh[4].jpg'Size: 7764 Blocks: 16 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 102012 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:14:57.984052700 ‐0600Modify: 2008‐07‐11 11:14:57.986005700 ‐0600Change: 2027‐05‐19 05:33:59.915084200 ‐0600File: `AYIOOGQY/kh[3].jpg'Size: 7177 Blocks: 16 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 101999 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:14:57.047556200 ‐0600Modify: 2008‐07‐11 11:14:57.047556200 ‐0600Change: 2011‐05‐17 20:10:56.524855800 ‐0600File: `AYIOOGQY/kh[2].jpg'Size: 7750 Blocks: 16 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 101994 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:14:57.016307000 ‐0600Modify: 2008‐07‐11 11:14:57.016307000 ‐0600Change: 2011‐05‐17 20:10:56.524855800 ‐0600File: `AYIOOGQY/mt[3].png'Size: 7092 Blocks: 16 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 101984 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:14:56.828811800 ‐0600Modify: 2008‐07‐11 11:14:56.828811800 ‐0600Change: 2011‐05‐17 20:10:56.524855800 ‐0600File: `AYIOOGQY/mt[2].png'Size: 18795 Blocks: 40 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 101974 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:14:56.313200000 ‐0600Modify: 2008‐07‐11 11:14:56.328824600 ‐0600Change: 2011‐05‐17 20:10:56.524855800 ‐0600File: `AYIOOGQY/kh[1].jpg'Size: 19560 Blocks: 40 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 101979 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:14:56.360073800 ‐0600Modify: 2008‐07‐11 11:14:56.375698400 ‐0600Change: 2011‐05‐17 20:10:56.524855800 ‐0600File: `AYIOOGQY/mt[1].png'Size: 11381 Blocks: 24 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 101968 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:14:55.985083400 ‐0600Modify: 2008‐07‐11 11:14:55.985083400 ‐0600Change: 2011‐05‐17 20:10:56.524855800 ‐0600File: `AYIOOGQY/hpimgs2[1].png'Size: 2648 Blocks: 8 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 101932 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:14:53.407024400 ‐0600Modify: 2008‐07‐11 11:14:53.407024400 ‐0600Change: 2011‐05‐17 20:10:56.524855800 ‐0600File: `AYIOOGQY/home3[1].htm'Size: 568 Blocks: 8 IO Block: 4096 regular fileDevice: 700h/1792d Inode: 101927 Links: 2Access: (0777/‐rwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)Access: 2008‐07‐11 11:14:53.391399800 ‐0600Modify: 2008‐07‐11 11:14:53.407024400 ‐0600Change: 2011‐05‐17 20:10:56.524855800 ‐0600Appendix DAppendix EAppendix F ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download