Computer Expert Witness
Graham Dilloway CITP MBCS

Chartered IT Professional and Member of British Computer Society

Listed in Register of Expert Witnesses


Member of the Academy of Experts



Copying and Viewing Indecent Images.

My expert witness report discusses the possibly accidental copying of indecent images from one disk to another.

The Police seized a computer and a Zip disk (a type of high capacity diskette) from the Defendant's home.  Upon examination, the Police found indecent images of children on the computer hard disk and on the Zip disk.  The Defendant was charged with Possession of Indecent Images of Children and with Making Indecent Images of Children.

The Defendant was attending a computer course at College.  He said that he had found the Zip disk lying around at College and had brought it home to see what it contained.  He said that he had had trouble reading the Zip disk and that an attempt to copy the content of the Zip disk to the hard disk of his computer had failed.

The defense solicitors requested an expert report to establish whether the evidence from the computer was consistent with the Defendant's version of events.

Note:   This expert witness report is reproduced exactly as it was when served excepting that company and personal names have been removed.

Personal

1. This report was prepared by Graham Dilloway of 39 Conham Hill Bristol BS15 3AW. I am a Member of the British Computer Society, the chartered professional body for the computer industry in the UK. I am a member of the Academy of Experts and of the Expert Witness Institute. I have worked with computers for more than 30 years. This work has all involved the implementation and configuration of computers, their operating systems and the core software applications of a computer environment (e.g. word processors and spreadsheets). I have worked with personal computers almost exclusively for more than fifteen years.

Instructions

2. My instructions are contained in a letter from Solicitor A, solicitors, dated 4 April 2002;
"1. Confirmation as to whether the computer seized and accredited to Mr D has ever been connected to the Internet.
2. Confirmation of the date those pseudo-photographic images were put into the computer either from memory or otherwise.
3. We believe all the images that have been downloaded have come from a Zip disk, which Mr D says he found at College. Can this be confirmed.
4. Have any images from that Zip disk been copied onto other disks?
5. Mr D leads us to believe that he attempted to access the Zip disk but had difficulty in so doing. Can this be confirmed from a forensic examination.
6. Mr D instructs that in accessing the Zip disk it is possible that images have been stored within the computer which have never physically been viewed on screen. Again, is that possible."

3. This report is based upon the bundle of documents sent to me by Solicitor A, solicitors, together with a letter dated 4 April 2002 that describes the documents as;
"1. Bundle of documents comprising the Crown’s case.
2. Instructions obtained from Mr D being his comments on the depositions dated variously the 31st January 2002, 16th January 2002 and 22nd February 2002.
3. Client’s instructions of the 19th December 2001.
4. Instructions to Counsel, dated the 9th February 2002.
5. Advice from Counsel to Solicitor A dated 9th March 2002.
6. Relevant correspondence between Solicitor A and Crown Prosecution Service, …"

4. I visited the offices of the Police Computer Investigation Unit on 26 July 2002 and examined copies of the hard drives from Mr D’s computer. DC P created some computer files containing Internet History information and folder listing information. I copied these files to a computer disk, brought the computer disk away with me and I have used the information in these files during the preparation of this report.

Internet History

5. Typically, a person using a computer to read pages of information and images from the Internet uses a program called a browser. The browser stores information about the pages that are being viewed and this information is stored in various places on the computer.

6. Information is stored in a folder usually called Temporary Internet Files that is often referred to as the cache. The information in the cache is used when a particular page is viewed on a second or subsequent occasion to avoid the delay involved in again obtaining the information from the Internet.

7. The pages in the cache may be deleted automatically by the browser to make room for more recent pages. The pages in the cache may be deleted manually by the person using the computer. The cache may not contain all of the Internet pages that have been viewed on the computer.

8. Information is stored in a folder usually called History. This information is an identifying record for every page on the Internet that has been viewed. Typically, the History folder contains information for every page viewed during the four weeks prior to the most recent use of the browser. Additionally, the History folder contains information about accesses to some of the files stored on the hard disk of the computer.

9. The software used by the Police during their examinations of computers is called EnCase. One of the functions of EnCase is to merge the content of the cache and History folders to show all references to Internet pages for which information is still available on the computer. This merged information also includes references to accesses of some of the files stored on the hard disk of the computer. DC P used EnCase to create a merged file during my visit and I brought the file away with me.

10. The file created by EnCase includes a column headed "User Accessed" that indicates the most recent date that a computer user accessed the file. This date is a strong indication that the computer was connected to the Internet on that date. The "User Accessed" dates for Internet files are;

· 12 March 2001

· 18 March 2001

· 19 March 2001

· 24 March 2001

11. One of the references to an Internet file reads;

 

| # | Type | Server Modified | User Accessed | Link |
|---|---|---|---|---|
| 23 | URL | 03/12/01 05:37:01PM | 03/19/01 10:09:34AM | :2001031220010319: Demi God@http://lw14fd.law14.hotmail.msn.com/cgi-bin/HoTMaiL?login=somename &disk=64.4.20.66_d625&curmbox=F000000005 &curmbox=F000000005 &a=912811991ac6ddf740e24b3a997fb70c |

12. The "Link" column indicates an attempt (that may or may not have succeeded) to connect to an email account using a "login name" of "somename". The "User Accessed" column indicates that this attempt was on 19 March 2001.

File Dates

13. The dates recorded on disks are the date that the computer is set to at the time that data is written to the disk. The computer has a clock that automatically maintains this date. The date of this clock is easily changed by a person using the computer. Any assumption that the dates relating to files are correct requires a parallel assumption that the computer clock is correct. In my experience, the date of computer clocks is usually accurate unless it has been deliberately changed. I know of no reason why the date of a computer clock would be deliberately changed in normal operation.

14. I have not viewed any of the images in this case. I have not used any computer technique to compare files to demonstrate that any two files are identical. My instructions include, "We believe all the images that have been downloaded have come from a Zip disk, which Mr D says he found at College." I have assumed that where two files have the same name and are the same size on a computer disk, then these two files are two copies of the same file.

15. The EnCase software is able to retrieve information about files and folders stored on a computer disk. Folders are containers that hold files and a folder may contain other folders. In this case a file contains the information necessary to allow a computer program to create a picture on the computer screen.

16. DC P used EnCase to create three lists of files and folders together with information about the files and folders. This information included the dates recorded on the computer disk to show the date that each file was created on that disk, the date each file was most recently modified and the date that each file was most recently accessed:

· A list of files on a floppy disk.

· A list of folders and files on a Zip disk.

· A list of folders and files in a folder called "mm" on a hard disk from the computer that matched closely, but not exactly, the folders and files on the Zip disk.

17. The "File Created" date recorded for all of the files and folders on the Zip disk was 29 January 2001. The "File Created" date also includes a time and all of these times were between 4.46 PM and 5.10 PM.

18. The "File Created" dates and times recorded for the files on the Zip disk suggest that all of the files on the Zip disk were created as part of a bulk copy of the files from somewhere to the Zip disk that occurred on 29 January 2001.

19. The files and folders in the "mm" folder on the hard disk had "File Created" dates recorded against them;

| Date | Number of files and folders with a "File Created" entry of that date. |
|---|---|
| 23 January 2001 | 186 |
| 24 January 2001 | 1 |
| 25 January 2001 | 126 |
| 27 January 2001 | 36 |
| 28 January 2001 | 149 |
| 29 January 2001 | 2 |
| 7 February 2001 | 4 |
| 10 February 2001 | 2 |
| 24 February 2001 | 6 |
| 13 March 2001 | 21 |
| 20 March 2001 | 8 |
| 24 March 2001 | 2 |
| 25 March 2001 | 2 |
| 18 June 1999 | 1 |

20. The "File Created" dates for the files in the "mm" folder on the hard disk suggest that the files were created on several different days.

21. The 21 items in the "mm" folder on the hard drive that have "File Created" dates of 13 March 2001 are the folders that contain the files. The "File Created" dates for the files contained within these folders are, in many cases, earlier than the "File Created" dates for the folders. I have been unable to create this situation in normal operation.

22. In my own tests, including moving and copying folders and files from disk to disk and from CD to disk, the "File Created" date for folders was the same as the "File Created" date for the files within the folders and matched the date that the test was performed.

23. Some of the files that are present on the Zip disk and/or in the "mm" directory on the hard disk are shown (.jpg has been omitted from the end of the file names):

| File Name | Hard Disk: Last Accessed | Hard Disk: Last Written | Hard Disk: File Created | Zip Disk: Last Accessed | Zip Disk: Last Written | Zip Disk: File Created |
|---|---|---|---|---|---|---|
| lor_002 | 25 Jan 01 | 25 Jan 01 | 25 Jan 01 | 29 Jan 01 | 25 Jan 01 | 29 Jan 01 |
| sm39a | 23 Jan 01 | 23 Jan 01 | 23 Jan 01 | 29 Jan 01 | 23 Jan 01 | 29 Jan 01 |
| socks010a | 25 Jan 01 | 25 Jan 01 | 25 Jan 01 | File not on Zip disk | | |
| socks250a | 25 Jan 01 | 25 Jan 01 | 25 Jan 01 | 29 Jan 01 | 25 Jan 01 | 29 Jan 01 |
| LAIKA07 | 26 Mar 01 | 28 Jan 01 | 28 Jan 01 | 29 Jan 01 | 28 Jan 01 | 29 Jan 01 |
| MELODIES02 | 19 Mar 01 | 28 Jan 01 | 28 Jan 01 | 29 Jan 01 | 28 Jan 01 | 29 Jan 01 |
| msjen130 | 25 Mar 01 | 27 Jan 01 | 27 Jan 01 | 29 Jan 01 | 27 Jan 01 | 29 Jan 01 |

24. If lor_002.jpg had been copied from the Zip disk to the hard disk then the "File Created" date on the hard disk should be later than the "File Created" date on the Zip disk. It is not later and this suggests that the file was not copied from the Zip disk to the hard disk.

25. If lor_002.jpg had been copied from the hard disk to the Zip disk then the "Last Accessed" date on the hard disk should be equal to or later than the "File Created" date on the Zip disk. It is not equal to or later and this suggests that the file was not copied from the hard disk to the Zip disk.

26. It is not likely that sm39a.jpg was copied from the Zip disk to the hard disk because the "File Created" date on the hard disk is earlier than the "File Created" date on the Zip disk.

27. It is not likely that sm39a.jpg was copied from the hard disk to the Zip disk because the "Last Accessed" date on the hard disk is earlier than the "File Created" date on the Zip disk.

28. The files socks010a.jpg and socks250a.jpg are in a sub-folder of the "mm" folder on the hard drive. The sub-folder is called \mm\DIY\model\karlee & brittnee\. This folder on the hard disk contains 37 files including 6 with file names that begin "socks". An equivalent folder exists on the Zip disk and contains 31 files including one with a file name that begins "socks". A file brit00.jpg is present in this folder on the hard disk and not on the Zip disk. All of the 31 files in the folder on the Zip disk are present on the hard disk.

29. It is not likely that the files in the \mm\DIY\model\karlee & brittnee\ folder on the hard disk were created by copying the folder (and its files) from the Zip disk because some of the files on the hard disk are missing from the Zip disk.

30. It is not likely that the file socks250a.jpg (and many other files that are also in the \mm\DIY\model\karlee & brittnee\ folder) was copied from the hard disk to the Zip disk because the "Last Accessed" date on the hard disk is earlier than the "File Created" date on the Zip disk.

31. It is possible that the files LAIKA07.jpg, MELODIES02.jpg and msjen130.jpg were copied from the hard disk to the Zip disk because "File Created" dates on the hard disk are earlier than the "File Created" dates on the Zip disk and the "Last Accessed" dates on the hard disk are later than the "File Created" dates on the Zip disk.

32. It is not likely that the files LAIKA07.jpg, MELODIES02.jpg and msjen130.jpg were copied from the Zip disk to the hard disk because the "File Created" dates on the hard disk are earlier than the "File Created" dates on the Zip disk.

33. Many of the files on the hard disk with "File Created" dates earlier than 29 January 2001, but not all of them, were also on the Zip disk. I did not find any file on the Zip disk that also existed on the hard disk and had a "File Created" date later than 29 January 2001 on the hard disk.

34. I am unable to reach a conclusion regarding the copying of files between the Zip disk and the hard disk because the "File Created" and "Last Accessed" for many files are inconsistent with a conclusion that the files have been copied in one direction and also inconsistent with a conclusion that the files have been copied in the other direction.

35. I do not know of any way that it is possible to establish conclusively whether files were copied from one disk to another. It is possible that files were independently copied to the hard disk and to the Zip disk from a third location. It is possible that files were copied using a software program that did not correctly update the "Last Accessed" or "File Created" dates.
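The two date comparisons used in paragraphs 24 to 32 can be applied mechanically to every row of the table in paragraph 23. The following Python sketch is an added example, not part of the report as served; the function names `copy_directions`, `classify` and `inconclusive` are hypothetical, and the dates are transcribed from that table.

```python
from datetime import date

# Rows transcribed from the table in paragraph 23 of the report.
# Tuple order: hard-disk "Last Accessed", hard-disk "File Created",
# Zip-disk "File Created" (None = file not present on the Zip disk).
ROWS = {
    "lor_002":    (date(2001, 1, 25), date(2001, 1, 25), date(2001, 1, 29)),
    "sm39a":      (date(2001, 1, 23), date(2001, 1, 23), date(2001, 1, 29)),
    "socks010a":  (date(2001, 1, 25), date(2001, 1, 25), None),
    "socks250a":  (date(2001, 1, 25), date(2001, 1, 25), date(2001, 1, 29)),
    "LAIKA07":    (date(2001, 3, 26), date(2001, 1, 28), date(2001, 1, 29)),
    "MELODIES02": (date(2001, 3, 19), date(2001, 1, 28), date(2001, 1, 29)),
    "msjen130":   (date(2001, 3, 25), date(2001, 1, 27), date(2001, 1, 29)),
}


def copy_directions(hd_accessed, hd_created, zip_created):
    """Return the copy directions the recorded dates are consistent with.

    Returns None when the file is on one disk only, an empty set when
    neither direction fits, otherwise a set of direction labels.
    """
    if zip_created is None:
        return None
    consistent = set()
    # Paragraph 24: a Zip -> hard disk copy should leave a hard-disk
    # "File Created" date later than the Zip "File Created" date.
    if hd_created > zip_created:
        consistent.add("zip->hd")
    # Paragraph 25: reading the source during a hard disk -> Zip copy
    # should leave a hard-disk "Last Accessed" date equal to or later
    # than the Zip "File Created" date.
    if hd_accessed >= zip_created:
        consistent.add("hd->zip")
    return consistent


def classify(rows=ROWS):
    """Apply both tests to every row."""
    return {name: copy_directions(*dates) for name, dates in rows.items()}


def inconclusive(rows=ROWS):
    """Files on both disks whose dates fit neither direction."""
    return sorted(n for n, r in classify(rows).items() if r == set())


if __name__ == "__main__":
    for name, result in classify().items():
        print(f"{name:12} {result}")
```

The tests work on dates recorded to the day and assume the clock and the copying tool behaved normally, the same caveats the report gives in paragraphs 13 and 35.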

36. A file with the name "inn295" and a file size of 63,562 is present on the hard disk, the Zip disk and the floppy disk that I examined. The location and dates for this file are:

| Media | Location | "Last Accessed" | "Last Written" | "File Created" |
|---|---|---|---|---|
| Hard disk | mm/DIY/model/other | 25 Mar 01 | 18 Jun 99 | 18 Jun 99 |
| Zip Disk | model/other/ | 29 Jan 01 | 18 Jun 99 | 29 Jan 01 |
| Floppy disk | | 23 Jan 01 | 18 Jun 99 | 20 Jul 95 |

37. It is my opinion that the "File Created" dates for this file on the hard disk and on the floppy disk are incorrect. I cannot explain how these dates came to be wrongly recorded nor have I been able to find a situation during tests that results in an incorrect "File Created" date being recorded. My opinion is based upon the fact that all of the other files in the "mm" folder and sub-folders on the hard disk were created in 2001 as is shown in the earlier table.

38. The "Last Accessed" dates are consistent with the file having first existed on the floppy disk.

Accessing the Zip Disk

39. I have not examined the Zip disk that was seized. DC P reports no difficulty reading the disk during his examination.

Viewing files on Screen

40. It is possible to copy files from a Zip disk to a hard disk, or vice versa, without viewing the files on screen. Files copied using "Drag and Drop" with a mouse using Windows Explorer would not be displayed on screen during the copy. Files copied using the "COPY" or "XCOPY" commands would not be displayed on screen during the copy.

41. Earlier in this report I wrote, "… the History folder contains information about accesses to some of the files stored on the hard disk of the computer."

42. The history file created for me by DC P using EnCase includes references to accesses to files in the "mm" folder or its sub-folders on the hard disk of the computer. Examples include;

| "User Accessed" Date | File Name |
|---|---|
| 26 March 2001 | BANGE002.jpg |
| 26 March 2001 | LAIKA14.jpg |
| 18 March 2001 | jmai017.jpg |
| 11 March 2001 | BC_CH022.jpg |

43. I do not know of any way that these files would appear in the history without having been displayed on the computer screen.

Summary

44. The computer has been connected to the Internet and an attempt was made to access an e-mail account using a login name of "somename".

45. I am unable to reach a conclusion regarding the copying of files between the Zip disk and the hard disk because the "File Created" and "Last Accessed" for many files are inconsistent with a conclusion that the files have been copied in one direction and also inconsistent with a conclusion that the files have been copied in the other direction.

46. A file with the name "inn295" and a file size of 63,562 is present on the hard disk, on the Zip disk and on the floppy disk that I examined.

47. I have not examined the Zip disk that was seized. DC P reports no difficulty reading the disk during his examination.

48. It is possible to copy files without viewing them. I know of no way that files could appear in the history file without having been displayed on screen and files mentioned in the Case Summary prepared by Mr X dated 18 April 2002 appear in the history file.

49. I understand my duty to the Court and I confirm that I have complied with and will continue to comply with that duty.

50. I confirm that insofar as the facts stated in my expert witness report are within my own knowledge I have made it clear which they are and I believe them to be true, and that the opinions I have expressed represent my true and complete professional opinion.

Graham Dilloway
Expert Witness

12 August 2002

39 Conham Hill

Bristol

BS15 3AW