Computer Expert Witness
Graham Dilloway CITP MBCS

Chartered IT Professional and Member of British Computer Society

Listed in Register of Expert Witnesses


Member of the Academy of Experts



No Evidence of Intent to Download Illegal Files

I found no evidence of a deliberate attempt to access indecent photos of children after extra detailed work by the police computer examiner.

I wrote an expert witness letter in response to a letter of instruction from a solicitor and the initial evidence enclosed with that letter.  The initial evidence did not include anything to show that images had been deliberately and knowingly made.

My initial letter was followed by additional expert witness letters as additional evidence was produced and after a meeting with a police computer examiner.

 February

Mr S

S Solicitors

Dear Mr S

Mr D

Thank you for your letter dated January  enclosing the witness statement of the police computer examiner, Mr P, and his reports regarding Exhibits M1, M2 and E1.

I have seen nothing to show the acts performed by Mr D that caused the movies and photos in Counts 1 – 4 to be “made” by Mr D.

The material that is the subject of the “making” Counts is the four files listed as items 1 – 4 on pages 3 and 4 of the “Examination Report for exhibit E 1”.  Items 1 and 2 are movie files and are in folders and the files would be accessible to anyone using the computer.

I have seen nothing to show how these files came to be on the computer.  It may be that the files were obtained by, for example, clicking on a button labelled “Download” on a web page.  I cannot know the text that might have been on that web page (if it exists).  It may be that the hypothetical web page contained misleading text regarding the file to be downloaded.

It may be that the files were obtained using, for example, file sharing software.  This is software that I, for example, might run on my computer.  The file sharing software on my computer would connect to similar software running on many (thousand) other computers.  I could use the file sharing software to search for files.  I might search for “Queen” and would receive a long list of Queen songs stored on squillions of computers all over the planet.  I might click on the first and last items in a list of hundreds and click to download all of the files.  I might find, when the download has finished, that, in addition to many Queen songs, I had also downloaded pictures and movies of the Queen.

I have seen nothing to indicate downloads from a web page and nothing to indicate downloads using file sharing software.

It is my understanding that police computer examiners limit their initial examination and produce only enough evidence to get a guilty plea.  If a guilty plea is not forthcoming the examiner may conduct an additional examination and may find additional evidence.

I cannot know what might be found should Mr P undertake an additional examination.  It may be that an additional examination by Mr P would find evidence of Google searches or searches using file sharing software and these searches might include words that explicitly seek photographs rather than cartoons.

I have not seen the transcripts of any interview with Mr D.  It is my understanding that there is nothing in any interview that the Prosecution could rely on as evidence to support a Count of “making”.

The names of the movie files give no indication that the content of the movies involves children.  It may be that the only way to know the content of the file would be to view the movie.  For both movie files, the “File Created” and “Last Accessed” dates are the same.  To view a movie file, it would be necessary to access the file after the file had been created.  Identical created and accessed dates and times are consistent with the movie not having been viewed.

All of the above also applies to the photo files listed as items 3 and 4 with the additional factor that the photo files are deleted files.  The photo files have no file names and no dates.  The photo files could not be viewed in any typical way at the time that the computer was seized. 

I would welcome the opportunity to discuss the next steps and I look forward to hearing from you.

Yours sincerely

February

Mr S

S Solicitors

Dear Mr S

Mr D

Thank you for your letter dated  February  and the enclosed interview transcript.

In the interview on June at Counter 38.58, Mr D says, “ … I've downloaded them in big bulk folders off U-Torrent ...”.  U-Torrent is file sharing software.  Mr D would have been downloading files from computers that are in all manner of homes and offices.  The files that he was downloading would have been given file names and labels by the people making them available for download.    I might use U-Torrent to download a file with a file name and labels that indicate that the file is a Queen song.  I might find that the file is actually a Beatles song.

Mr D says, “... downloaded them in big bulk folders …”.  I might have many pictures of motor cars and I might wish to share my pictures.  I might compress all of my motor car pictures into a single large file (often called a zip file).  I might give the file a name of “Motor car pics” and other labels indicating that the file contains pictures of motor cars.  I might make the file available for download using U-Torrent.  You might download the file expecting only pictures of motor cars and be horrified to discover that I have included a picture of a railway train among the motor cars.

I have seen no evidence to show that Mr D had viewed the files in Counts 1 – 4.  I do not know of any way that the Prosecution can use the evidence as it is to show that Mr D knew that he was “making” illegal material.

I have looked in more detail at the dates for the cartoon files and it seems that my initial thoughts were incorrect.  The files appear to have been created on rather more dates than I first thought.  The “File Created” dates for the files listed in “Examination Report for exhibit E1” include:

• 27 May

• 30 May

• 31 May

• 1 June

• 3 June

• 4 June

• 5 June

• 8 June

• 9 June

• 12 June

• 14 June

• 15 June

The great majority of the files were created on 3 June and 5 June.  Some of the other dates have only two or three files created.

The second page of the examination report says that Windows was installed on the computer on 19 January .  DC P says, in his statement dated 7 July , that the computer was seized on 15 June .  It may be worthy of note that all of the files listed in the examination report were created in a period of less than three weeks immediately before the computer was seized.

DC P says, “There were in excess of 1000 such images, I bookmarked 758 of these images to an examination report”.  It may be that DC P found illegal pictures on the computer that were created before 27 May and these pictures are not included in his examination report.

The dates for items 411 and 412 are illegible in my copy of the examination report.

The “File Created” date and the “Last Accessed” date and time are the same for almost all of the cartoon files.  This is consistent with the pictures having not been viewed after they were created at their current location.

Files on the USB stick (Exhibit M 1) have “File Created” dates of 19 May  and times that span a fourteen second period.  This is consistent with all of these files having been created in a single operation.

Please call if any of this requires clarification.

Yours sincerely

Graham Dilloway
Expert Witness

22 February

Mr Richard S

S Solicitors

Dear Mr S

Mr D

I met with DC P on 21 February . I do not have a list of matters on which we are agreed (or not agreed).

I do not want to put words into the mouth of DC P and it may be that I have misunderstood some of what he said.

It appears that DC P regards the two movie files to be on the computer because of some deliberate and knowing act by Mr D.

DC P's view appears to be based on factors that may include …

The text of the chatlog included at the end of the “Examination Report for Exhibit E 1”.  It may be that DC P is of the view that an attempt at grooming did occur.

The presence of more than a thousand cartoon pictures of children.

The folders that contain the two movie files. DC P may be of the view that files could only be in these folders because they were deliberately put there.

I sought to discuss the evidence that directly shows that the movie files were on the computer deliberately. For example, I asked what evidence was there that Mr D had searched for images of real children. DC P's reply focused on the chatlog and the folders that contained the movies.

DC P's response to any discussion of direct evidence of deliberate acts (movies obtained from a web site or from file sharing?) involved one or more of the chatlog, the cartoons or the folders.

We briefly looked at the lists of files in the two folders that contained the movie files.

The “Users D Videos” folder contained three files.

A “Videos” folder is not created automatically by Windows. It may be that Mr D created a folder and gave the folder a name of “Videos”. It may be that Mr D installed some software and that software offered to create a folder called “Videos” as part of the software installation. It may be that Mr D clicked “Next” during the software installation and the software installation created the folder called “Videos”. It may be that the software installation offered to install “with default settings” and Mr D clicked “Yes” or “Next” without knowing that a “Videos” folder was being created.

The “User D Downloads” folder contained about 400 files.

The “Downloads” folder would have been created automatically by Windows when the computer was first used. It may be that software used by Mr D used the “Downloads” folder as the default.

I have learned that the “Last Accessed” date is not used in Windows 7 (and Windows Vista) unless it is deliberately switched on. I don't know why I didn't discover this years ago and I apologise for this oversight. I had previously suggested that “Last Accessed” values indicated that the movies had not been viewed because the values were the same as the “File Created” values. I now know that the “Last Accessed” values are the same as the “File Created” values because the “Accessed” values are never updated. This leaves us with no evidence to show that a file has been viewed (or not).

It is now my understanding that the chatlog can be read with the message being sent by the upper user name and received by the lower user name. For example, the first message “SIR! HEY!” was sent by sp.

DC P drew my attention to messages in the chatlog that show that Mr D had seen a girl using a webcam. It is my understanding that each of the two movie files show a girl as she might appear on a webcam. It may be that DC P is of the view that there is something inappropriate regarding the events discussed in the chatlog.

A formal report might say that I have still not seen any evidence to show that Mr D …

• Searched for images of real children.

• Clicked on some explicit text (or whatever) to knowingly download an image of a real child.

• Viewed the movies (or the still pictures) or knew what they contained.

A formal report might also say that I have not seen any evidence to show that Mr D …

• Attempted to groom a child.

• Had any pictures or movies of the alleged victim of the alleged grooming.

It may be that, in the absence of evidence, any reference to alleged grooming would be misleading and should not be heard in Court.

Please call if any of this requires clarification.

I look forward to our meeting tomorrow.

Yours sincerely

Graham Dilloway
Expert Witness
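
An added example (not part of the original letters or of any tool used in the case) of the two timestamp checks discussed in these letters: whether matching “File Created” and “Last Accessed” values support any inference once the last-access setting is known, and whether creation times cluster into a single bulk operation. The records, the 30-second gap and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (name, created, last accessed); not case data.
T = datetime.fromisoformat
SAMPLE = [
    {"name": "a.jpg", "created": T("2020-01-10 09:00:01"), "accessed": T("2020-01-10 09:00:01")},
    {"name": "b.jpg", "created": T("2020-01-10 09:00:09"), "accessed": T("2020-01-10 09:00:09")},
    {"name": "c.jpg", "created": T("2020-01-10 09:00:14"), "accessed": T("2020-01-12 20:30:00")},
    {"name": "d.avi", "created": T("2020-01-15 18:45:00"), "accessed": T("2020-01-15 18:45:00")},
]

def access_inference(rec, last_access_updates_enabled):
    """What a created/accessed comparison supports for one file."""
    if not last_access_updates_enabled:
        # Vista/7 default (NtfsDisableLastAccessUpdate = 1): the accessed value
        # is not refreshed when a file is opened, so equality means nothing.
        return "no inference about access"
    if rec["accessed"] > rec["created"]:
        # Something opened the file later; this could be a user or software.
        return "accessed after creation"
    return "consistent with not accessed since creation"

def creation_batches(records, max_gap=timedelta(seconds=30)):
    """Group files whose creation times follow each other within max_gap."""
    batches = []
    for rec in sorted(records, key=lambda r: r["created"]):
        if batches and rec["created"] - batches[-1][-1]["created"] <= max_gap:
            batches[-1].append(rec)
        else:
            batches.append([rec])
    return batches

def summarise(records, last_access_updates_enabled):
    """Per-batch summary: files, creation span in seconds, inference per file."""
    out = []
    for batch in creation_batches(records):
        span = (batch[-1]["created"] - batch[0]["created"]).total_seconds()
        out.append({
            "files": [r["name"] for r in batch],
            "span_seconds": span,
            "inference": {r["name"]: access_inference(r, last_access_updates_enabled)
                          for r in batch},
        })
    return out

if __name__ == "__main__":
    for enabled in (False, True):
        print("last-access updates enabled:", enabled)
        for row in summarise(SAMPLE, enabled):
            print(" ", row)
```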

21 March

Mr S

S Solicitors

Dear Mr S

Mr D

Thank you for your letter dated March  and for DC P's statement dated March .

DC P has re-examined the computer and lists his findings under several headings …

Firefox Form History.  The Firefox web browser software uses various files to store information.  The stored information includes terms typed into the search box at the top right of the Firefox window.  DC P is saying that “Teen sex vids” was typed into the search box.

DC P does not describe his search of the computer in detail.  I do not know, but I would expect that DC P searched the computer for many and various terms that are used by those who are seeking illegal pictures of children.  It may be that the term “teen sex vids” is used by many young men when searching the Internet and does not indicate an interest in illegal material.  I would have expected to see additional and incriminating search terms on the computer of a person who was actively seeking illegal material over a period.

Firefox Downloads.  DC P is adding additional detail regarding the download of the two movie files.  This additional detail does not show that the movies were downloaded by someone who knew that they contained illegal material.

DC P says, on Page 4 of 5, “The source of both movie files was not accessible upon the Internet”.  It appears that the files were obtained from a site called “fs” that had been used to share copyright material.  The proprietors of “fs” appear to have been scared off by recent legal action against other such sites.  “Fs” is no longer making available copyrighted files or any other files for public download.

DC P does not say (and, probably, cannot say) what was displayed on the webpage that was the source of the two downloaded movie files.  The closure of the “fs” site as a source for public downloads means that we may never know what was on these web pages.

It is my understanding that sites such as “fs” delete illegal material involving children when the presence of that material is reported to them.  I cannot recall a previous case where allegedly illegal material was obtained from a well known and public site.  It may be that the movies from “fs” do not obviously include children.  They may be movies of teenagers and the age of these teenagers may be open to debate.

Firefox Carved Web History.  DC P is saying that he found records in other locations that duplicate the information that we already have regarding file downloads and search terms.

Link Files.  I can click the Start button in the bottom left corner of the screen and display the Start menu.  The Start menu includes an item “Recent” and I can click on “Recent” to display documents and files that I have recently used.

Windows keeps track of documents and other files that I have recently used by creating and updating “link files”.  For example, I can create and save a file of text.  A link file is created and appears in the “Recent” list.  The created date for the link file is the same as the created date for the text file.  I can open the text file on a later date to look at the content.  The modified date for the link file will be updated to show the date that I opened the text file.

DC P is saying that he found link files for each of the two movie files.  The link file for the “bbarbie” movie was created on 31 May  at 9.50 and modified on the same day at 14.18.  DC P is likely to say that the movie “bbarbie” was viewed at 9.50 and 14.18 on 31 May .

DC P is also saying that the link file for the “i lovee youu x” movie was created on 31 May  at 15.26 and modified on 2 June  at 18.53.  DC P is likely to say that the “i lovee youu x” movie was viewed at 15.26 on 31 May and at 18.53 on 2 June.

It may be that the link files were created and modified by the use of software that did not display the movies on the screen of the computer.

DC P does not appear to have found anything that significantly changes the situation.  I wrote, in my report dated 28 February , …

•    I have seen no evidence to show that Mr D searched the Internet for photos or movies of real children.

•    I have seen no evidence to show that Mr D clicked on explicit text on a webpage or did anything that would have caused him to knowingly download photos or movies of real children from a website.

•    I have seen no evidence to show that Mr D clicked on explicit text on a webpage or did anything that would have caused him to view photos or movies of real children on a website.

•    I have seen no evidence to show that Mr D clicked on an explicit filename or did anything that would have caused him to knowingly download photos or movies of real children using file sharing or other software.

All of the above still stand.

I also wrote …

•    I have seen no evidence to show that Mr D had viewed the movie and photo files listed on Pages 3 and 4 of DC P's “Examination Report for exhibit E 1”.

DC P's evidence regarding link files indicates that the movies have been viewed.  But …

•    The movie files may have been accessed, and the link files created, by the use of software that did not play the movies on the screen.

•    It may be that the link files were created when the movie was downloaded.  It may be that each of the movies (or part of the movies) was only viewed once and that was on the “Last Written” date of the link file.

•    The movies may not have been played from beginning to end.

In summary …

•    Count 1 is a deleted file of a still photograph.  There is no evidence that the photo was deliberately viewed or downloaded or saved.

•    Count 2  is a deleted file of a still photograph.  There is no evidence that the photo was deliberately viewed or downloaded or saved.

•    Count 3 is a movie. There is no evidence that the movie was  knowingly downloaded.  There is evidence that the movie, or some part of the movie, was possibly / probably viewed after it was downloaded.

•    Count 4 is a movie. There is no evidence that the movie was  knowingly downloaded.  There is evidence that the movie, or some part of the movie, was possibly / probably viewed after it was downloaded.

If I was writing my earlier report after seeing DC P's statement dated 13 March , I would re-phrase Para. 9 to say that …

•    I have seen no conclusive evidence to show that the movies have been viewed.

•    The movies, if viewed, may not have been viewed from beginning to end.

•    The most likely explanation for the link files is that some part or all of the movies have been viewed.

Please call if any of this needs clarification.

Yours sincerely

Graham Dilloway
Expert Witness
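
An added example (not part of the original letters) of reading a link file alongside its own created and modified dates. It goes beyond the letters in one respect: a link file also stores, in its 76-byte header, a copy of the target file's own created, accessed and written times, which can be compared with the link file's dates. The sample header, dates, two-minute tolerance and function names are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # shell link class id
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_FMT = "<I16sIIQQQI"  # size, clsid, flags, attrs, 3 x FILETIME, target size

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means unset."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def parse_lnk_header(data):
    """Read the target's timestamps as snapshotted inside the link file."""
    if len(data) < 76:
        raise ValueError("shorter than the 76-byte shell link header")
    size, clsid, _flags, _attrs, c, a, w, tsize = struct.unpack_from(HEADER_FMT, data)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    return {"target_created": filetime_to_dt(c), "target_accessed": filetime_to_dt(a),
            "target_written": filetime_to_dt(w), "target_size": tsize}

def build_sample_header(created, accessed, written, size):
    """Constructed header for the demo: flags, attributes and the tail are zeroed."""
    head = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, 0, 0, dt_to_filetime(created),
                       dt_to_filetime(accessed), dt_to_filetime(written), size)
    return head + bytes(76 - len(head))

def interpret(lnk_created, lnk_modified, header, tolerance=timedelta(minutes=2)):
    """Combine the link file's own dates with the target dates stored inside it."""
    target = parse_lnk_header(header)
    return {
        "first_recorded_open": lnk_created,
        "latest_recorded_open": lnk_modified,
        "reopened_later": lnk_modified > lnk_created,
        # True when the link appeared as the target itself was being created,
        # e.g. at download time rather than at a separate later viewing.
        "first_open_at_target_creation":
            abs(lnk_created - target["target_created"]) <= tolerance,
    }

def utc(text):
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

# Constructed sample values, not case data.
SAMPLE_HEADER = build_sample_header(utc("2020-03-02 10:14:40"),
                                    utc("2020-03-02 10:14:40"),
                                    utc("2020-03-02 10:14:55"), 7340032)

if __name__ == "__main__":
    print(interpret(utc("2020-03-02 10:15:00"), utc("2020-03-02 16:40:00"), SAMPLE_HEADER))
```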