Deleted Files and Diskettes
My expert witness examination found technical mistakes in the work of the police computer examiner.
The police seized a personal computer together with diskettes, a CD, video tapes and printed material from the Defendants home. An police inspection of the CD and diskettes found numerous images (some deleted from the diskettes) that appeared to have been obtained from the Internet. The Defendant was charged with making indecent images.
Defence counsel requested a computer expert witness report that showed that one or more of the diskettes was "second hand", that it is not possible to discover the date that files were deleted and that the Defendant's computer was not equipped to write to a CD.
I attended the two day trial and was not required to give evidence.
Note: This expert witness report is reproduced exactly as it was when served excepting that company and personal names have been removed.Personal
1. This report was prepared by Graham Dilloway of 39 Conham Hill Bristol BS15 3AW. I am a Member of the British Computer Society, the chartered professional body for the computer industry in the UK. I am a member of the Academy of Experts. I have worked with computers for 30 years. This work has all involved the implementation and configuration of computers, their operating systems and the core software applications of a computer environment (e.g. word processors and spreadsheets). I have worked with personal computers almost exclusively for more than fifteen years.
Instructions
2. My instructions were agreed
in a telephone conversation on 10 April 2002 with Mr D, defence
counsel and I understand my instructions to be:
"Report on
the paper labels on the diskettes seized.
Provide an opinion
and substantiating evidence regarding the recording on a disk of the
date that a file was deleted.
Provide an opinion and
substantiating evidence regarding the operation of the CD drive in
the computer that was seized when the CD drive is used to write to
CDs."
Diskette Labels
3. In his statement dated 17 April 2001, at Continuation Sheet No. 4, DC P says, of Disk0019 (Marked Ref. P 10), "… original disk is marked ‘Smart Ringnode … Disk 1 of 3 …". DC P is referring to a disk used in the diskette drive (usually the A: drive) of a computer. These disks are sometimes called diskettes and I shall use "diskettes" throughout this report.
4. DC P is referring to the paper label that is attached to the diskette, Disk0019, for people to read. Diskettes may also store labels that computers can read.
5. The label on Disk0019 indicates that the diskette was originally supplied with a Madge token ring network card and that the diskettes contained software drivers for the card.
6. A token ring network is a method of networking that is used to connect computers so that they can share information and is rarely found outside of large corporations. During about fifteen years of working with computer networks at more than about fifteen companies, I can recall only one company that used token ring networks rather than some alternative. This company was NatWest Bank.
7. Madge is a company that supplies a hardware component (a "card") that can be installed into a computer so that the computer can be connected to a token ring network. The Madge website is at www.madge.com.
8. The name that Madge give to some of the token ring cards that that they supply is "ringnode". A page on the Madge website that refers to ringnode is www.madge.com/_assets/downloads/lsshelp8.0/LSSHelp/LANSS8.htm.
9. I can think of no reason why the owner of a home computer would have a diskette for a token ring network card unless that diskette had been acquired "second hand" from someone else.
10. The use of "second hand" diskettes for storage is easily achieved. The original content of the diskette can be deleted using a few mouse clicks and new files can be stored on the diskette.
11. In the past, easily available sources of diskettes were the monthly computer magazines. Many of these magazines had diskettes taped to their front covers. These cover disks were used to distribute, for example, demonstration versions of computer software.
12. I have used many such diskettes for storage. Appendix A is a photocopy of two such diskettes that I have used. It can be seen that the original labels show that the disks were from the computer magazines PC Plus and Computer Buyer and that I have attached handwritten labels over the original labels.
File Deletion Date
13. In his statement dated 5 June 2001, at Continuation Sheet No. 2, DC P says, of a list of files and dates (P 32), "… The date is the date the files were last modified (in this case, deleted) and it appears from the times shown that each file was deleted in sequence on 18/11/98."
14. I have been unable to reproduce the behaviour regarding dates and file deletes described by DC P and my own tests show that deleting a file does not change the "last modified date".
15. Appendix B contains a
series of prints of a computer screen that show in sequence:
1) A directory listing of a diskette with a file called TEST.TXT and
a file called UNDELETE.EXE. The undelete file is a program that can
be used to reinstate files that have been deleted. The time shown
against TEST.TXT is 11:09p (the "p" indicates P.M.).
2) The ERASE
command being used to delete TEST.TXT. The 23:42:11.36 and
23:42:32.89 indicates the time that the computer is set to when the
erase command is being executed.
3) The UNDELETE command being
used to undelete TEST.TXT. The 23:44:08.13 indicates the time that
the computer is set to when the undelete command is being executed.
4) A directory listing of the diskette after the undelete. The
TEST.TXT file shows a time of 11:09p in the directory listing.
CD Drive
16. During the afternoon of 11 April 2002, I spoke on the telephone with DC P and asked him to find out for me the manufacturer and model number of the CD drive in the computer seized by the police (P/5). DC P kindly agreed to have the computer shipped back to his office and to obtain the information that I had requested. I had overlooked the fact that the computer was not being stored at the office of DC P and regret any delay caused by this oversight.
17. During the afternoon of 12 April 2002, I spoke on the telephone with DC P and was told that DC P had opened the case of the computer and that the label on the CD Drive reported the drive to be a NEC Corporation CD-ROM Reader model number CDR-273.
18. The CDR-273 drive is fitted in computers by companies that include Dell. Dell describe the drive at docs.us.dell.com/docs/dta/09158/00000002.htm. This drive cannot write to a CD disk.
Summary
19. One or more of the diskettes seized by the police was obtained by Mr A "second hand".
20. Deleting files does not change the "last modified date" for a file.
21. The CD drive in Mr A's computer could not be used to write CDs.
22. I believe that the facts I have stated in this expert witness report are true and that the opinions I have expressed are correct.
Graham Dilloway
Expert Witness
39 Conham Hill
Bristol
BS15
3AW