Computer Expert Witness
Graham Dilloway CITP MBCS

Chartered IT Professional and Member of British Computer Society

Listed in Register of Expert Witnesses


Member of the Academy of Experts



Internet Access, Hacking and Evidence Contamination

My examination of the evidence found technical mistakes by the police computer examiner regarding the dates of indecent images.

The Defendant, Mr D, was charged with indecent assault.  Mr D's computer was seized and was found to contain images of children.  Mr D's counsel was of the view that the witness testimony regarding the assault was not adequate to secure a conviction and that the prosecution needed their case to include evidence of the images found on the computer.  The prosecution evidence included about a dozen "samples" of the images found on Mr D's computer.  Mr D was not charged with regard to these images.

At an early hearing, the police informally gave the defence solicitors a full listing of Internet accesses from Mr D's computer. The solicitors understood this report to show the dates and times that Mr D's computer had been used to access the Internet. Mr D was able to provide strong evidence to show that he was not at home for many of the dates and times in the police report.

My instructions were to examine Mr D's computer and prepare a report of the dates that the computer had accessed the Internet to provide confirmation of the police report.  I inspected the computer and prepared a report. At a subsequent meeting with counsel, I was shown the police report for the first time and was initially embarrassed to find that the dates in my report were different to the dates in the police report.  Subsequent investigation showed that the dates in my report were correct and that there had been a misunderstanding regarding the dates in the police report.  I was asked to prepare a second report to clarify the various dates being quoted regarding Internet access. Mr D did not have alibis for the correct dates of Internet access.

Mr D continued to deny responsibility for the images on his computer and suggested that the images must be the result of someone "hacking" into his computer or of contamination after the computer was seized.  I was asked to investigate hacking and contamination and prepared a letter that showed that hacking and contamination were not at all likely.

At a pre-trial hearing, defence Counsel argued to minimise the effect of the evidence regarding images on Mr D's computer. I gave evidence on the second day of the hearing to clarify any misunderstandings that may have arisen on the first day.

Note: This expert witness report is reproduced exactly as it was when served excepting that company and personal names have been removed.

Personal

1. This report was prepared by Graham Dilloway of 39 Conham Hill Bristol BS15 3AW. I am a Member of the British Computer Society, the chartered professional body for the computer industry in the UK. I am a member of the Academy of Experts and of the Expert Witness Institute. I have worked with computers for more than 30 years. This work has all involved the implementation and configuration of computers, their operating systems and the core software applications of a computer environment (e.g. word processors and spreadsheets). I have worked with personal computers almost exclusively for more than fifteen years.

Instructions

2. My instructions were agreed at a meeting with Company S Solicitors and Counsel at Croydon Crown Court on 7 May 2002 and I understand my instructions to be:
"1. Provide a history of Internet access for Mr D's computer.
2. Report upon information regarding a Sealink booking on 2 December 2000.
3. Report upon information regarding an email from colonel@name-deleted.com.
4. Report upon hacking as a means of achieving unauthorised access to a computer."

3. This report is based upon the bundle of documents sent to me by Company S Solicitors, together with a letter dated 26 April 2002 that describes the documents as:
"Statements of Police Technical Officer Mr W" and "Exhibits W 76 - 86".

4. I visited the offices of the police computer crime unit on 13 June 2002 and examined copies of the hard drives from Mr D’s computer. Subsequently, and at my request, Mr W created some computer files containing Internet History information and copies of the folders and files containing e-mails sent and received from the computer using the AOL e-mail program. I received these files from Mr W on a CD that I collected from Staple Hill police station in Bristol on 29 July 2002. I have used the information in these files during the preparation of this report.

5. The dates recorded on a computer are the date that the computer is set to at the time that data is written to the disk. The computer has a clock that automatically maintains this date. The date of this clock is easily changed by a person using the computer. Any assumption that the dates recorded on the computer are correct requires a parallel assumption that the computer clock is correct. In my experience, the date of computer clocks is usually accurate unless it has been deliberately changed. I know of no reason why the date of a computer clock would be deliberately changed in normal operation.

6. Mr W says in his statement dated 21 February 2002, "The current date and time of the machine is not retrievable". I do not know of any technical way that the reliability of the dates recorded on the computer can be checked if the computer clock cannot be checked for accuracy.

Internet History

7. Typically, a person using a computer to read pages of information and images from the Internet uses a program called a browser. The browser stores information about the pages that are being viewed and this information is stored in various places on the computer.

8. Information is stored in a folder usually called Temporary Internet Files that is often referred to as the cache. The information in the cache is used when a particular page is viewed on a second or subsequent occasion to avoid the delay involved in again obtaining the information from the Internet.

9. The pages in the cache may be deleted automatically by the browser to make room for more recent pages. The pages in the cache may be deleted manually by the person using the computer. The cache may not contain all of the Internet pages that have been viewed on the computer.

10. Information is stored in a folder usually called History. This information is an identifying record for every page on the Internet that has been viewed. Typically, the History folder contains information for every page viewed during the four weeks prior to the most recent use of the browser. Additionally, the History folder contains information about accesses to some of the files stored on the hard disk of the computer.

11. The software used by the police during their examinations of computers is called EnCase. One of the functions of EnCase is to merge the content of the cache and History folders to show all references to Internet pages for which information is still available on the computer. This merged information also includes references to accesses of some of the files stored on the hard disk of the computer. Mr W used EnCase to create a set of merged files and I received the files on 29 July 2002.

12. The merged files were in a format that allowed me to read the files in to the Excel spreadsheet program and the Access database program. I read all of the files into a single spreadsheet that then contained all of the Internet access information provided by Mr W.

13. The file created by EnCase includes a column headed "User Accessed" that indicates the most recent date that a computer user accessed the file. This date is a strong indication that the computer was connected to the Internet on that date.

14. Using Excel and Access, I have created a list of the "User Accessed" dates that have an entry including the text "http". These are the dates for which there is one or more records of an access to material on the Internet:

31/01/1999   13/10/1999   07/11/2000   09/01/2001
02/03/1999   19/10/1999   11/11/2000   10/01/2001
23/03/1999   20/10/1999   12/11/2000   12/01/2001
25/03/1999   21/10/1999   15/11/2000   14/01/2001
28/03/1999   22/10/1999   21/11/2000   16/01/2001
23/05/1999   05/02/2000   24/11/2000   18/01/2001
25/05/1999   04/03/2000   29/11/2000   19/01/2001
09/08/1999   07/10/2000   02/12/2000   20/01/2001
16/09/1999   11/10/2000   24/12/2000   21/01/2001
19/09/1999   15/10/2000   27/12/2000   23/01/2001
23/09/1999   19/10/2000   28/12/2000   24/01/2001
27/09/1999   21/10/2000   03/01/2001   25/01/2001
28/09/1999   24/10/2000   04/01/2001   27/01/2001
06/10/1999   28/10/2000   05/01/2001   30/01/2001
08/10/1999   29/10/2000   06/01/2001   09/02/2001
10/10/1999   02/11/2000   07/01/2001   14/02/2001

15. The automatic maintenance of the cache and the history deletes records and it may be that the Internet was accessed on other days in addition to those listed.

16. The history file that I examined also contains records for accesses to files stored on the local computer. Using Excel and Access, I have created a list of the "User Accessed" dates that have an entry for either or both of one or more files on the Internet and one or more files on the local computer:

11/08/1998   08/10/1999   07/11/2000   14/01/2001
31/01/1999   10/10/1999   11/11/2000   16/01/2001
02/03/1999   13/10/1999   12/11/2000   18/01/2001
23/03/1999   16/10/1999   15/11/2000   19/01/2001
25/03/1999   19/10/1999   21/11/2000   20/01/2001
28/03/1999   20/10/1999   24/11/2000   21/01/2001
29/03/1999   21/10/1999   29/11/2000   23/01/2001
23/05/1999   22/10/1999   02/12/2000   24/01/2001
25/05/1999   05/02/2000   24/12/2000   25/01/2001
01/06/1999   04/03/2000   27/12/2000   27/01/2001
09/08/1999   07/10/2000   28/12/2000   30/01/2001
16/09/1999   11/10/2000   03/01/2001   03/02/2001
19/09/1999   15/10/2000   04/01/2001   09/02/2001
23/09/1999   19/10/2000   05/01/2001   10/02/2001
24/09/1999   21/10/2000   06/01/2001   11/02/2001
27/09/1999   24/10/2000   07/01/2001   12/02/2001
28/09/1999   28/10/2000   09/01/2001   13/02/2001
03/10/1999   29/10/2000   10/01/2001   14/02/2001
06/10/1999   02/11/2000   12/01/2001

17. The dates in this table show every date for which one or more records in the history file indicates that the computer was used.

18. The automatic maintenance of the cache and the history deletes records and it may be that the computer was used on other days in addition to those listed.
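The listing exercise described in paragraphs 14 and 16 above, as an added worked example that is not part of the report and does not use Mr W's EnCase export: the report did this work in Excel and Access, and the script below does the same with Python over a constructed CSV in the shape of a merged cache/History export. It takes the distinct "User Accessed" dates of entries containing the text "http" (Internet access), the distinct dates of all entries (computer use, Internet or local file), and the surviving records for one named date. The column names, the date format and the sample rows are assumptions made for the example.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of a merged cache/History export with a
# "User Accessed" column (dd/mm/yyyy hh:mm:ss). These rows are invented for
# the example; the column layout of a real EnCase export is an assumption.
SAMPLE_EXPORT = """Name,URL,User Accessed
ban_earlyBooking.gif,http://www.seafrance.com/images/banners/ban_earlyBooking.gif,02/12/2000 14:05:11
index.html,http://www.example.com/index.html,02/12/2000 14:06:40
letter.doc,file:///C:/My Documents/letter.doc,03/12/2000 09:12:00
report.xls,file:///C:/My Documents/report.xls,11/08/1998 17:30:05
logo.gif,http://www.example.com/logo.gif,07/11/2000 20:01:52
"""

DATE_FORMAT = "%d/%m/%Y"


def parse_export(text):
    """Read the export into a list of records with a parsed 'accessed' datetime."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        accessed = datetime.strptime(row["User Accessed"], DATE_FORMAT + " %H:%M:%S")
        records.append({"name": row["Name"], "url": row["URL"], "accessed": accessed})
    return records


def internet_access_dates(records):
    """Paragraph 14: distinct dates of records whose entry includes the text 'http'."""
    return sorted({r["accessed"].date() for r in records if "http" in r["url"]})


def computer_use_dates(records):
    """Paragraph 16: distinct dates of any record, Internet page or local file."""
    return sorted({r["accessed"].date() for r in records})


def entries_on(records, day_text):
    """All surviving records for one date given as dd/mm/yyyy.

    An empty result means no record survived for that day. Because the
    browser prunes the cache and History (paragraphs 15 and 18), an empty
    result does not show that the computer was unused on that day.
    """
    day = datetime.strptime(day_text, DATE_FORMAT).date()
    return [r for r in records if r["accessed"].date() == day]


def as_text(dates):
    """Render date objects in the dd/mm/yyyy form used in the report."""
    return [d.strftime(DATE_FORMAT) for d in dates]


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("Internet access dates:", as_text(internet_access_dates(recs)))
    print("Computer use dates:   ", as_text(computer_use_dates(recs)))
    for r in entries_on(recs, "02/12/2000"):
        print("02/12/2000:", r["url"])
```

The Internet list is a subset of the computer-use list by construction, which is the relationship between the two tables in the report. Checking a single date with entries_on is the shape of the alibi comparison described in the introduction: a date present in the list is positive evidence of use, while a date absent from it proves nothing either way.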

Sealink Booking

19. The Internet history includes an entry of http://www.seafrance.com/images/banners/ban_earlyBooking.gif with a "User Accessed" date recorded as 2 December 2000. This indicates an access to the Seafrance website on 2 December 2000.

20. Exhibit W/78 is a print of an e-mail from Seafrance. The header information for this e-mail is printed at the end of the exhibit and shows that the e-mail was sent on 2 December 2000. I was able to find this e-mail in the MrD e-mail file in the AOL files from Mr D's computer supplied to me by Mr W.

21. Independent entries in both the history file and the e-mail file indicate that the booking was made on 2 December 2000 via the Internet.

E-mail from name-deleted.com

22. Exhibit W/86 is a print of an e-mail from www.name-deleted.com. The header information for this e-mail is printed at the end of the exhibit and shows that the e-mail was sent on 30 October 2000. I was able to find this e-mail in the MrD e-mail file in the AOL files from Mr D's computer supplied to me by Mr W.

23. I was also able to find, in the MrD e-mail file in the AOL files supplied to me by Mr W, an e-mail sent to www.name-deleted.com on 28 October 2000. The e-mail sent on the 28 October 2000 contains the text that is shown in Exhibit W/86 as "MrD@aol.com wrote: …".

Hacking and Unauthorised Access

24. It is technically possible for a person who is not sat at a computer to control the operation of that computer. The term sometimes used to describe such control when performed by an unauthorised person is "hacking".

25. Sophos is a respected company that supplies anti-virus software. Appendix A contains material from two pages (among many others) on their website at www.sophos.com that describe viruses.

26. One virus is described "… can be used to remotely perform a number of tasks such as shutdown, password stealing, uploading files, running programs, capturing keyboard keystrokes or sending messages". A second virus is described "… allows a remote user to have unauthorised access to a PC".

27. I have not checked for the presence of these, or any other viruses, on Mr D's computer.

Summary

28. Mr D's computer has records of access to the Internet on the days shown in this report and the computer may have accessed the Internet on other days.

29. Mr D's computer has records of access to files on the Internet and on the local computer on the days shown in this report and the computer may have been used on other days.

30. Mr D’s computer has records to show that the computer was used on 2 December 2000 to book Seafrance ferry tickets via the Internet.

31. Mr D's computer has records to show that the computer was used to send an e-mail to www.name-deleted.com on 28 October 2000 and to receive a reply that was sent on 30 October 2000.

32. The dates recorded on the computer cannot be checked for accuracy because the current date recorded by the computer’s clock cannot be checked.

33. It is technically possible for a person who is not sat at a computer to control the operation of that computer. I cannot say whether a virus or other software for this purpose is installed on Mr D's computer.

34. I understand my duty to the Court and I confirm that I have complied with and will continue to comply with that duty.

35. I confirm that insofar as the facts stated in my report are within my own knowledge I have made it clear which they are and I believe them to be true, and that the opinions I have expressed represent my true and complete professional opinion.

Graham Dilloway
Expert Witness

12 August 2002

39 Conham Hill

Bristol

BS15 3AW


Appendix A

Troj/Bdoor-CV

Aliases

Backdoor-CV, Backdoor.SecretService, BKDR_SECRET

Type

Trojan

Detection

Detected by Sophos Anti-Virus since April 2002.

Description

Troj/Bdoor-CV is a backdoor Trojan. When the Trojan server program runs on a machine the machine is exposed to unauthorised access attacks from an intruder running the Trojan client program.

A part of Troj/Bdoor-CV is a configuration program which can be used to create fake installation programs that contain a Trojan server program.

If a user runs the Troj/Bdoor-CV installation program the program will drop and run the Trojan server program.

Troj/Bdoor-CV sends a notification message to an intruder email address. The attacker may then use the Trojan client program to connect to an infected machine.

Troj/Bdoor-CV client program can be used to remotely perform a number of tasks such as shutdown, password stealing, uploading files, running programs, capturing keyboard keystrokes or sending messages.

Troj/Netspy

Type

Trojan

Detection

Detected by Sophos Anti-Virus.

Resident

Yes.

Description

Troj/Netspy allows a remote user to have unauthorised access to a PC. Several versions of this Trojan exist.

The Trojan adds a registry value containing the name of the Trojan file to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

This Trojan was first reported in April 1999.
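Paragraph 27 records that the computer was not checked for these Trojans. As an added example (my own, not from the report and not from Sophos), the persistence location named for Troj/Netspy above, the Run key under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, can be reviewed offline from a registry export rather than on the live machine. The script parses a constructed excerpt in the .reg text format and flags autorun entries launched from a Temp directory. That flag is only a heuristic for which entries deserve a closer look, not a detection of any particular Trojan; the sample entries, the file names and the heuristic are assumptions.

```python
import re

# Constructed excerpt in the text format of a Windows .reg export of the Run
# key. The three entries are invented for the example; none is taken from
# Mr D's computer or from a real infection.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AolTray"="C:\\Program Files\\AOL\\aoltray.exe"
"SystemTray"="SysTray.Exe"
"netspy"="C:\\WINDOWS\\TEMP\\netspy.exe"
'''

# One "Name"="data" line of a .reg file; backslashes are doubled in the export.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Directories from which a program registered to run at every start-up is
# unusual enough to warrant a closer look (a heuristic assumed for the example).
REVIEW_DIRS = ("\\temp\\", "\\recycled\\")


def parse_run_key(text):
    """Return (value name, command) pairs from the Run key section of the export."""
    entries = []
    in_run_key = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # A bracketed line opens a new key; only the Run key is of interest.
            in_run_key = line.lower().endswith("\\currentversion\\run]")
            continue
        m = VALUE_RE.match(line)
        if in_run_key and m:
            command = m.group("data").replace("\\\\", "\\")  # undo .reg escaping
            entries.append((m.group("name"), command))
    return entries


def needs_review(command):
    """True when the autorun command points into one of REVIEW_DIRS."""
    lowered = command.lower()
    return any(d in lowered for d in REVIEW_DIRS)


def flagged_entries(text):
    """The Run key entries an examiner should look at more closely."""
    return [e for e in parse_run_key(text) if needs_review(e[1])]


if __name__ == "__main__":
    for name, command in parse_run_key(SAMPLE_REG):
        marker = "REVIEW" if needs_review(command) else "ok    "
        print(marker, name, "->", command)
```

An entry without a path (SysTray.Exe in the sample) is resolved through the system search path and is normal for the Windows versions of the period, so the heuristic leaves it alone; an examiner would still confirm each flagged file against an anti-virus scan of the disk image, which is the check paragraph 27 says was not performed.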