Computer Expert Witness
Graham Dilloway CITP MBCS

Chartered IT Professional and Member of British Computer Society

Listed in Register of Expert Witnesses


Member of the Academy of Experts



Computer Test and File Recovery

The defendant bought a laptop computer from a company under a finance agreement.  Subsequently, the defendant stopped making payments under the finance agreement and the finance company took legal action.  The computer company was joined to the action when it was alleged that the computer was faulty.

I inspected the computer and found that the hard drive had been formatted and that this had deleted the content.  I was able to recover the content using specialist software and described the content in my expert witness report.  I also tested the computer and reported upon its operation.

Note:   This expert witness report is reproduced exactly as it was when served excepting that company and personal names have been removed.

Personal

1. This report was prepared by Graham Dilloway of 39 Conham Hill Bristol BS15 3AW. Mr Dilloway is a Member of the British Computer Society, the recognised professional body for the computer industry in the UK. Mr Dilloway has worked with computers for 30 years. This work has all involved the implementation and configuration of computers, their operating systems and the core software applications of a computer environment (e.g. word processors and spreadsheets). Mr Dilloway has worked with personal computers almost exclusively for more than fifteen years.

Instructions

2. Letters were provided from Solicitor S, the solicitors for Mr B and from Solicitor T, the solicitors for Company A. These letters both contained similar instructions that have been interpreted as:

"You are asked to inspect and test the computer and to produce a report on the condition of the computer and of any defects"

3. Both solicitors gave the same list of specific matters to be reported upon:

"The use of the computer made by Mr B."
"The storage of the computer."
"Is the computer of satisfactory quality?"
"The functioning of the computer generally and with specific reference to the playing of CD-ROMs and the speakers."
"If any fault is found, how can the same be remedied and its likely cost."
"The effect of any fault found on the functioning of the computer."
"How quickly any fault could be rectified."

Packaging

4. The computer was supplied for testing in what appeared to be all of its original packaging.

Identification

5. The case of the computer was marked with a badge that appeared to be a logo for "Company A". The computer was labelled as model number "[material deleted]" and serial number "[material deleted]".

Inventory

6. The hardware supplied was:
Laptop computer
Power supply
Power lead
Parallel lead for diskette drive
Carry bag
Windows 95 CD
Nine diskettes containing support material
Windows 95 boot diskette
Diskette with handwritten label "Acumen Win 95 bootup disk"
User's Manual for computer
CD-ROM drive
CD-ROM Notice sheet

Signs of Damage

7. No marks were found on any of the components.

Test Battery Power

8. An attempt was made to start the computer using battery power. This attempt was unsuccessful because the battery was flat. Subsequently and after the battery had been charged, the computer operated successfully on battery power and there were no indications of a fault when using the computer on battery power.

Start on Mains Power

9. The computer was started running on mains power. The boot sequence failed because the computer attempted to boot from the hard disk and the hard disk did not contain an operating system. The computer was found to be configured to attempt a boot from the hard disk before attempting to boot from the diskette drive. This configuration was changed to force the computer to attempt to boot from an operating system on the diskette drive. This resulted in a successful start from the diskette drive.

Computer Operating Systems

10. The operating system is the special programs on a computer that provide the environment to run application software (e.g. word processors and spreadsheets). It is not possible to run applications unless an operating system is first installed on the computer. An example of an operating system is Windows 95 and it is understood that Windows 95 was the operating system to be run on this computer. A computer is not useful unless an operating system is installed on the hard drive.

Content of Hard Drive.

11. The hard drive of a computer is a magnetic disk used to store programs and document files. Most computers have a hard drive that contains the operating system, the application software and the documents and other files created by using the application software. The hard drive of the computer had no files on it. The hard drive did not contain an operating system. The computer could not be used in a useful way without an operating system on the hard drive.

Format Command

12. The state of the hard drive of the computer was consistent with the drive having been emptied of all files by using the "format" command. The "format" command is used to prepare a hard drive for the installation of an operating system. The command marks out on the disk the small segments that are used to hold files. Most files require more than one of these small segments. The "format" command creates an "index" that shows which files occupy which segments.

13. When the "format" command is run on a computer which has files on its hard drive, it marks out the small segments in the same places as the segments that already contain the files. The "format" command recreates the "index" and, in the process, destroys the existing content of the "index". The result of running the "format" command on a hard drive that already contains files is that the data is left largely intact in the small segments but the data cannot be accessed because the "index" contains no information.

14. The "format" command is almost always used as part of a process and is followed by some other step such as installing an operating system. There is no obvious technical reason for running a "format" command and then taking no further action as this would leave the computer without an operating system on the hard drive.

Data Recovery

15. From time to time, computer hard disks are accidentally "formatted" or suffer other problems that cause loss of data. There are a number of tools available that attempt to recover lost data. One such tool is Easy Recovery from the company Ontrack Data International. Easy Recovery can be run from a diskette that starts the computer using the MS-DOS operating system. Easy Recovery does not use the MS-DOS disk access mechanism. The software uses its own disk access mechanism that is able to bypass a missing "disk" index. The software reads each of the small segments on the drive and rebuilds a facsimile of the content of the "index". This is similar to a librarian recreating a lost card index by visiting each shelf of books and recreating the catalogue by listing all of the books found.

16. The manual for Easy Recovery is in Appendix A. This Appendix contains highly technical material and need only be read as much as is necessary to understand the technical nature of the Easy Recovery software.

Data Recovery from the Laptop Computer

17. A demonstration version of Easy Recovery version 4.10 was run to examine the hard disk of the computer. The software was able to list a very large number of files that had "disappeared" as a result of what appeared to be a "format" command. The software showed the name for each file together with its size and the date that the file was created. It was possible to see from this list that the computer had previously been installed with an operating system and several software applications and that the computer had been used on several occasions.
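The scan described in paragraphs 13, 15 and 17 can be illustrated with a short program. This is an added example, not part of the report as served and not Easy Recovery's own code: it assumes a FAT volume of the kind Windows 95 uses, with 512-byte sectors and one sector per cluster, and the disk image, file names and dates in it are constructed. It reads every sector of a "formatted" image, finds an old folder that survives in the data area, and lists each file's name, size and creation date.

```python
import struct
from datetime import date

SECTOR = 512  # bytes per sector; this sample uses one sector per cluster
ATTR_HIDDEN, ATTR_VOLUME, ATTR_DIR, ATTR_LFN = 0x02, 0x08, 0x10, 0x0F

def fat_date(d):
    """Pack a date the FAT way: 7 bits year-1980, 4 bits month, 5 bits day."""
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day

def make_entry(name, ext, attr, created, cluster, size):
    """Build one 32-byte directory entry (only used to construct the sample)."""
    return struct.pack("<8s3sBBBHHHHHHHI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), attr, 0, 0, 0, fat_date(created),
                       0, 0, 0, fat_date(created), cluster, size)

def build_formatted_image():
    """Constructed 16-sector volume as "format" leaves it: sectors 0-3 (boot
    sector, index, root directory) hold nothing, the data area is untouched."""
    img = bytearray(16 * SECTOR)
    data_start = 4 * SECTOR                     # cluster 2 starts here
    subdir = b"".join([
        make_entry(".", "", ATTR_DIR, date(1998, 2, 6), 2, 0),
        make_entry("..", "", ATTR_DIR, date(1998, 2, 6), 0, 0),
        make_entry("LETTER", "DOC", 0, date(1998, 5, 6), 3, 19),
        make_entry("~$NOTES", "DOC", ATTR_HIDDEN, date(1998, 5, 29), 4, 11),
    ])
    img[data_start:data_start + len(subdir)] = subdir
    img[data_start + SECTOR:data_start + SECTOR + 19] = b"Dear Sir, I write.."
    img[data_start + 2 * SECTOR:data_start + 2 * SECTOR + 11] = b"draft notes"
    return bytes(img), data_start

def scan_for_entries(img):
    """Visit every sector, ignoring the empty index, and parse each one that
    looks like an old folder (its first two entries are named '.' and '..')."""
    found = []
    for off in range(0, len(img), SECTOR):
        sec = img[off:off + SECTOR]
        if sec[0:11] != b".".ljust(11) or sec[32:43] != b"..".ljust(11):
            continue
        for i in range(64, SECTOR, 32):
            e = sec[i:i + 32]
            if e[0] == 0x00:                    # no more entries in this folder
                break
            attr = e[11]
            if e[0] == 0xE5 or attr == ATTR_LFN or attr & ATTR_VOLUME:
                continue                        # erased entry, long-name part, label
            name = e[0:8].decode("ascii", "replace").rstrip()
            ext = e[8:11].decode("ascii", "replace").rstrip()
            (raw,) = struct.unpack_from("<H", e, 16)      # creation date field
            cluster, size = struct.unpack_from("<HI", e, 26)
            try:
                created = date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)
            except ValueError:                  # field empty or corrupt
                created = None
            found.append({"name": name + ("." + ext if ext else ""),
                          "size": size, "created": created, "cluster": cluster,
                          "hidden": bool(attr & ATTR_HIDDEN), "sector": off // SECTOR})
    return found

def read_contiguous(img, data_start, cluster, size):
    """With the index gone the cluster chain is lost, so assume the file sat in
    consecutive clusters; this gives wrong bytes for a fragmented file."""
    start = data_start + (cluster - 2) * SECTOR
    return img[start:start + size]

if __name__ == "__main__":
    image, data_start = build_formatted_image()
    for f in scan_for_entries(image):
        body = read_contiguous(image, data_start, f["cluster"], f["size"])
        print(f["name"], f["size"], f["created"], f["hidden"], body)
```

The image is only ever read, never written, which matches the non-destructive approach the Easy Recovery manual in Appendix A describes.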

Start Menu

18. Software applications are started in Microsoft operating systems produced since 1995 by clicking (with a mouse) on an item in a menu. The menu is accessed from a Start button that appears in the bottom left corner of the screen and is known as the Start menu. The content of the menu is based upon files stored on the hard disk. It is possible to ascertain the content of the Start menu by examining these files. The files are usually created by the process of installing a software application onto the hard drive of the computer. The date that the menu files were created indicates the date on which the software was installed.

19. Examination of the Start menu files on the hard drive showed software applications and installation dates:

Software Application                  Installation Date
Windows                               24 Jan 98
Microsoft Office                      6 Feb 98
Winzip                                6 Feb 98
Vet 95 Anti-Virus                     6 Feb 98
Quicktime                             6 Feb 98
McAfee Anti-Virus                     6 Feb 98
Page Plus                             14 Feb 98
Corel graphics                        21 Feb 98
IMSI applications                     21 Feb 98
Adobe Acrobat                         1 Mar 98
Microsoft Hellbender Trial Version    31 Jul 98


Temporary Files

20. Some applications, most especially word processors and other text editors, use a temporary file as a "work in progress" repository while a file is being edited. These temporary files are deleted when the application closes normally. The temporary files can remain on the hard disk when the application does not close normally, perhaps as the result of a power failure or of the computer being switched off before the application is closed.

21. These temporary files are sometimes stored in a "TEMP" folder created specially for this purpose. Examination of the "TEMP" folder showed some temporary files. The creation dates for these files indicate some of the dates that the computer was used (for some days there was more than one file):
4 Feb 98
5 Mar 98
28 Apr 98
6 May 98
22 May 98
23 May 98
29 May 98
11 Jul 98
12 Jul 98
31 Jul 98

Recent Files

22. The Start Menu includes a list of recently used documents. Each item in this list is represented by a file on the hard drive. These files are pointers to the actual document and do not contain the document data that is stored elsewhere. The pointer files are stored on the hard drive in a "RECENT" folder and show that the documents created elsewhere were:

Document Name                Creation Date
[material deleted].doc       19 Sep 98
Cleaners3.doc                19 Sep 98
[material deleted].doc       26 Sep 98
[material deleted].doc       19 Sep 98
[material deleted].doc       19 Sep 98
[material deleted].doc       19 Sep 98
Cleaners4.doc                19 Sep 98
[material deleted].doc       19 Sep 98
[material deleted].doc       21 Sep 98
[material deleted].doc       26 Sep 98
[material deleted].doc       19 Sep 98
Sponsor Addresses.doc        2 Sep 98
Parking.doc                  19 Sep 98
[material deleted].doc       19 Sep 98
[material deleted].doc       19 Sep 98
County Court.doc             24 Sep 98

All of these files were shown as being stored on the A: drive, that is the diskette drive.

Other Files

23. Examination of the hard drive found other documents that were probably created by the use of software applications:

Document Name                Creation Date
~$CV2.doc                    29 May 98

24. The ".doc" in the document name indicates that this document is probably a temporary file left from the use of Microsoft Word for word processing. The document was marked as "hidden" probably because of the same problem that caused the file to remain on the hard disk. Documents that are marked as hidden do not normally appear in Explorer lists or the list from other tools for showing hard drive contents.

25. Several documents with names ending ".XLS" were found. The ".XLS" indicates that the files were probably created using Microsoft Excel, a spreadsheet program. The creation dates for these files were (for some days there was more than one file):
12 Feb 98
6 May 98
7 May 98
11 May 98

Significance of Document Creation Dates

26. The document creation dates shown earlier indicate dates that the computer was used. There is no technical reason why these documents would have these creation dates if the computer was not used on these days. A more exhaustive search of the hard drive might reveal documents with dates other than those listed. The computer may have been used on other dates without leaving traces on the hard drive. For example, editing a document on a diskette and closing the word processor normally would probably not leave a trace on the hard drive.

Hardware Testing

27. The search of the hard drive tested the computer internals and the screen, keyboard, hard drive and diskette drive. No indication of faults was found.

CD-ROM Testing

28. The diskette drive was removed and the CD-ROM drive was inserted in its place. The diskette drive was attached to the computer via the parallel port (also known as the printer port). These changes were made as directed in the User's Manual.

29. The computer was then started from a MS-DOS start diskette created on another computer.

30. Computers include a non-existent device called the NUL: device. The "Copy" command supports the NUL: device and allows files to be copied to it. Copying files to the NUL: device has the effect of copying these files to nowhere.

31. The CD-ROM drive was tested by inserting a CD that has a single folder containing more than 300 million characters of data. These files were then copied to nowhere. This exercises the CD-ROM drive as it reads data without writing the data to the hard drive or to anywhere else.

32. The CD-ROM drive read the data and there was no indication of a fault. Two sounds could be heard from the CD-ROM drive during the copy. The first sound was the quiet hum of the CD spinning. This was similar to the sound made by any other CD-ROM drive. The second sound was an intermittent sound as the mechanism of the drive sought and found each file as it progressed through the copy. The test was repeated on a CD-ROM drive in another computer. The intermittent sound occurred more frequently and more loudly on the laptop computer than on the other computer. The probable cause of the difference is the internal mechanism of the two different CD-ROM drives. The drive in the laptop computer is less than half an inch in height and about four inches square. The other drive is about one inch thick and about five inches square. The noise from the CD-ROM in the laptop computer was not excessive and the successful copy operation showed no evidence of a fault.

33. The test was performed a second time. Disk caching software was used in the second test and the test was otherwise identical to the first test. The use of disk caching software reduced considerably the frequency of the intermittent sound. Disk caching software is a standard part of all the operating systems that were (and still are) in use with computers at the time that this computer was supplied to the customer.

34. The noises made by the CD-ROM drive seemed to be part of its normal operation. The CD-ROM drive was not found to be vibrating. There was no indication of any fault with the CD-ROM drive.

Disk Caching Software

35. Disk caching software uses a part of the memory of the computer as a cache to store data that is being read from or written to a disk. Disk caching software improves the efficiency with which the disks in the computer are accessed. For example, the disk caching software will read data from a disk while some other function is in progress. The effect was apparent during the tests of the CD-ROM drive. The CD-ROM drive stopped reading data after each file while the copy program wrote the data to nowhere when the test was performed without caching. The CD-ROM drive made a noise as it restarted the reading of data for each file. The CD-ROM drive continuously reads data into the cache when the test is performed with caching software. The drive stops reading when the cache is full. The drive makes a noise as it restarts the reading of data for each operation to fill the cache. The frequency of the noise is much reduced when the CD-ROM drive is used with disk caching software of the type found in operating systems in common use since 1995 or earlier.

Other Hardware Testing

36. The parallel (or printer) port was tested as part of the test of the CD-ROM drive. This test was performed using the MS-DOS operating system started from a diskette. Nothing was found to indicate a fault with the parallel port.

37. The sockets for connecting a monitor (that is, a screen) and keyboard were tested. Nothing was found to indicate a fault with the sockets for connecting a monitor and keyboard.

38. The touchpad (used to emulate a mouse) was tested. Nothing was found to indicate a fault with the touchpad.

39. No software that would work with MS-DOS was available to test the computer speakers. Several hours were spent seeking such software. The speakers could be tested using software that runs with Windows 95. Windows 95 would have to be installed to the hard drive of the computer. Installing Windows 95 would destroy evidence on the hard drive. Windows 95 was not installed and the speakers were not tested to avoid the destruction of evidence on the hard drive.

40. It is probably possible to preserve a copy of the hard drive and then to install Windows 95. This would require extensive work because the hard drive is in a "formatted" state and the usual operating system and other software tools would function as if the drive was empty.

41. The socket for the PCMCIA card was not tested because no PCMCIA card was available. PCMCIA cards are very small versions of devices such as modems.

42. The loudspeaker and microphone sockets were not tested because this would require the installation of Windows 95 and the destruction of evidence on the hard drive.

43. The socket for the connection of a docking station was not tested because a docking station was not available.

44. The serial port (usually used to connect a modem) was not tested because this would have required the installation of Windows 95 and the destruction of evidence on the hard drive.

Software Compatibility

45. A letter dated 4 March 1998 from Mr B to Company A (Page 138) includes the phrase "… your product is not compatible with widely used software …".

46. The data on the hard drive of the computer show that the computer has been used to produce typed documents and spreadsheets using Microsoft Word and Microsoft Excel. These software applications require a version of the Windows operating system to run. The successful use of these applications under Windows indicates that the computer is compatible with the most widely used software in the world.

47. The letter does not identify the "widely used software" that the computer is not compatible with. The successful use of Word and Excel suggests that any problem with other software is likely to be as a result of problems with the software rather than with the computer. This can be confirmed if the "widely used software" is identified and made available for testing.

BIOS Problem

48. Mr C of Company A describes a BIOS problem in his statement dated 16 March 2000 (Page 39 Para 7). The BIOS is a special program that resides in the computer permanently. The BIOS software provides the interface between the computer hardware and the operating system.

49. It is an inevitable consequence of the complexity of computers that problems of this type occur. Almost all complex computer programs contain errors (often called "bugs" in the jargon). The BIOS of a computer and the Windows 95 operating system are both complex programs and errors in them are to be expected. One of the factors that differentiate one supplier from another is the manner in which they respond to the discovery of software errors.

50. The customer support process described by Mr C in his statement is a satisfactory way of dealing with a problem of this type.

51. Nothing was found in any of the statements or correspondence to indicate that this computer was affected by this BIOS problem.

Summary

52. The computer appeared to have been supplied for testing in all of its original packaging.

53. The computer was received with no workable operating system installed. It is not at all likely that the computer was put in this state other than by the deliberate act of some person.

54. Inspection of the computer hard drive using specialist software revealed that a workable operating system and several software applications had previously been installed on the computer.

55. The same inspection revealed files that showed that the computer had been used on several occasions between January 1998 and September 1998. The computer may have been used on other occasions without leaving any trace of that use.

56. Testing of the computer revealed no indication of any faults with any of the components that were tested. The components that were not tested were: the speakers, the PCMCIA port, the docking station connector, the serial connector, the microphone and loudspeaker connectors.

57. The computer was of satisfactory quality.

58. I understand my duty to the court and have complied with that duty.

59. I believe that the facts I have stated in this report are true and that the opinions I have expressed are correct.

Graham Dilloway
Expert Witness 
39 Conham Hill
Bristol
BS15 3AW

19th May 2000

Appendix A

EasyRecovery(TM)

- SOPHISTICATED DATA RECOVERY -

Copyright(c) 1999 by Ontrack Data International, Inc.

RTM.EXE and DPMI16BI.OVL are copyrighted by Borland International, Inc.

ZIP and JAZ are registered trademarks from Iomega Corp.

A more complete manual in PDF format is available at www.ontrack.com

CONTENTS

1. OVERVIEW

1.1. Features

1.2. Versions of EasyRecovery

2. SYSTEM REQUIREMENTS

2.1 EasyRecovery for FAT16

2.2 EasyRecovery for FAT32

2.3 EasyRecovery for NTFS

2.4 EasyRecovery for Novell

2.5 EasyRecovery for Zip/Jaz

3. INSTALLATION

3.1. Boot diskette - Zip/Jaz only

3.2. General considerations

3.3. Specify swap area

3.4. Select drive to recover.

3.5. How to copy some or all files to a safe medium

4. RESULTS

5. RESTRICTIONS

6. OPTIONS

6.1. Swap Area

6.2. Excluded Main Directory Entries

6.3. Logging (Logfile)

6.4. Force recovery without FAT

6.5. LFN (long file name) support

6.6. Automatic Identification (Verify correct file system structure)

6.7. Start Identification At Sector X (multi partition problem)

6.8. Bad File Entry Acceptance

6.9. Restart from last / Keep for next session - FAT32, Novell or NTFS only

6.10. Valid FAT Required - Novell only

6.11. DET maintenance mode - Novell only

7. SPECIAL ISSUES

7.1 EasyRecovery- Novell only

7.2 EasyRecovery - NTFS only

8. TROUBLE SHOOTING

8.1. Computer frozen or Runtime error

8.2. Wrong Disk Size

8.3. Drive Structure Recognition Routine

8.4. Missing files or directories

8.5. The resulting files are all invalid

8.6. No partition found: EasyRecovery for NTFS

8.7. "Restrict sectors" must match previous setting

8.8. Other Disk Tools

9. OTHER FUNCTIONS

9.1 Long file names (LFN) - FAT32 and NTFS only

9.2 Save & Load a Recovery - FAT32, NTFS and Novell only

10. REGISTRATION

11. NO WARRANTY

12. LICENSE AGREEMENT

*********************

1. OVERVIEW

1.1. Features

EasyRecovery is NON DESTRUCTIVE and READ ONLY. The analysis process does not put any data onto your crashed drive.

Recovered data is restored to another destination, such as a disk, diskette, or network.

It is recommended that another IDE hard drive be used as a destination option.

EasyRecovery is software for retrieving data from crashed hard drives.

It can help when the drive has been:

* hit by a virus
* formatted
* 'fdisk'ed
* zapped by a power failure
* damaged by applications

NOTE: Be aware of strange noises coming from your hard drive. If you hear a strange noise or grinding sound, turn off your computer immediately and call Ontrack. Further operation may damage your hard drive beyond repair or cause irretrievable data loss.

EasyRecovery scans the drive even if there is physical damage. However, if you have mission critical data on a drive with hardware damage we recommend using Ontrack Data Recovery services rather than any software.

EasyRecovery can recover data from drives without readable boot sectors, readable FATs or readable directories. It can recover data if you are unable to start Novell's SERVER.EXE. It can also handle drives that are no longer recognized by the operating system.

EasyRecovery automatically creates a VIRTUAL DRIVE in memory. This virtual drive looks like a normal file manager. In it you can see the lost directories and files from your crashed drive. Files and directories can be viewed and copied to a safe medium. Never use the drive with data problems as the copy destination.

The extensive use of our sophisticated pattern recognition technology enables EasyRecovery to put the right pieces of data together again. Even disks with very little administrative information left can still yield files of high quality.

 

Note: The rest of this manual was included in the original expert witness report but has been deleted here to save space.