Computer Expert Witness
Graham Dilloway CITP MBCS

Chartered IT Professional and Member of British Computer Society

Listed in Register of Expert Witnesses


Member of the Academy of Experts



Test Photo Sharing Software

My expert witness examination of evidence found that the password in software could be bypassed.

Mr D was accused of being involved in the distribution of indecent images of children using photo sharing software.  I prepared letters as an expert witness that described the evidence for the defence solicitors.

Letters

Miss S
S Solicitors

Dear Miss S

Expert Witness Examination

Hello software provided two functions:

Google, the owners of Hello, withdrew the service in May 2008 and the software stopped working.  I have not attempted to install and operate Hello because it is not likely to work and results would be misleading without the Google service.

Hello software could be downloaded and installed on a computer.  A username and password would be asked for by the software as part of the installation process. 

Hello could be used to connect to one or more people at their computers and to send and receive pictures and to chat.  A computer screen running Hello would appear …

[Screenshot of computer screen removed]

The row of pictures along the bottom of the screen are the pictures that are being sent or received.  Clicking on a picture displays a larger version of that picture.  The lines of text to the right of the large picture are chat messages that have been typed back and forth.

Hello requires a “person to person” link to send pictures.  Pictures are not stored on any central computer. 

I might use Hello with a username of “G”.  I would start the Hello software and enter my username of “G”.  Hello would connect to a central server and the server would store information temporarily about my “location” on the Internet.  Someone might start Hello on their computer and ask Hello to connect to “G”.  The location information on the central server would be used to establish a link between their computer and my computer.

It is likely that each username used by people with Hello must be unique.  It would not be possible to connect to me if there is more than one person using Hello with a username of “G”.  It is likely that the username is checked for uniqueness when that username is provided as part of the software installation process.

A central server would store “location” information for my computer when Hello is up and running on my computer.  This “location” information would be the Internet address of my computer.  An Internet address is to a computer the same as a telephone number is to a telephone. 

Simply stated, every computer has a unique Internet address.  However, there are several telephones in my house and they all share one telephone number.  There are several computers in my house and they all share one Internet address.  In the context of this case, we should regard the Internet address as being unique to one street address.

The companies that provide Internet services must ensure that Internet addresses are unique and they keep logs of which street address was using an Internet address and when.  The police might obtain an Internet address from a chat (or other) log on some computer.  The Internet company will usually be able to provide a street address to match the Internet address.

Google shut down the central server for Hello software in May 2008.  This central server provided services to Hello software including ensuring that usernames are unique and providing location information (Internet addresses) to allow computers running Hello to connect.  Hello software would not work without the central server.

X02 refers, in her statements dated September and May, to various Exhibits.  I have not seen these Exhibits and they are not in the “List of Exhibits”.

To begin a “session” between two people using Hello software, it is necessary that (at least) one of the people involved knows the Hello username of the other person.  I have seen no evidence to show how X02 came to be in contact with “f”.  Did X02 do anything to encourage “f”?

In his statement dated February, Mr N says, at Sheet No. 3, that the “InstallDate” for the Windows software (on the computer seized from Mr D) is September.  Google had shut down the Hello software service by September.  Mr Nash does not say that he found evidence that Hello software had been installed or used on the computer.

It is likely that the installation of Windows in September eliminated any evidence that Hello had been on the computer.  There would have been no reason to re-install Hello in September because the software would not work.

X02, in her statements dated September and May, describes the use of Hello software in March.  I do not know of any way to show that Hello software was on Mr D’s computer in March.

The installation process for Hello software requires that a username must be supplied.  The username is stored on the computer.  I have seen nothing to show that the username could not be changed after the software installation (by a person with expertise and experience in computers).

Someone might install Hello on their computer with a username of “John”.  They might discover that I am using Hello and that my username is “G”.  They may be able to change their computer so that Hello uses a username of “G” (if they have expertise and experience).

My research suggests that Google have stated that Hello passwords were not stored centrally (on a Google server).  An attempt to change a username would be likely to fail if Google did hold passwords centrally.  I do not know why Hello would have used passwords if the passwords were not being stored centrally.

X02, in her statements dated September and May, describes the use of Hello software in March.  The statements of police officers P, B and P say that the computer equipment was seized from Mr D in January.  I have seen no evidence to explain the interval between March and January.  I have seen no evidence to show how a connection was established between the events described by X02 and Mr D.

The evidence can be summarised:

There may be evidence that I have not seen.

X02 refers to Exhibits that I have not seen.  These Exhibits may include logs that contain an Internet address.  The Internet address might have been used to obtain a street address.

Mr B, of the Australian police, refers, in his statement dated April, to a letter dated March to the “United States Legal Attache”.  I have not seen the letter to the Attaché nor any documents or other correspondence arising from that letter.  It may be that the letter to the US Attaché is a request for the US authorities to obtain from Google an Internet address to correspond with the events of March described by X02 in her statements.  It may be that Google provided an Internet address and that address was used to obtain a street address from an Internet Service provider in the UK.

My research suggests that Hello does not record Internet addresses in its logs.  It is likely that Internet address information was obtained from Google.

It may be that the Prosecution have (and not included in the bundle):

It may be that we cannot be sure that Mr D’s computer was involved in a Hello session in March without evidence regarding the Internet address that was in use.

I would welcome the opportunity to discuss all this and I look forward to hearing from you.

Yours sincerely

Graham Dilloway

Expert Witness

 

 
Miss S

S Solicitors

Dear S

Expert Witness Examination

Thank you for your letter dated May.

I received your letter dated April.  The letter describes the documents with the letter as “a full set of the prosecution’s papers”.

I have Mr D’s Proof of Evidence.  This is a 2½  page document.  On re-reading, I suspect that a page (or several) may be missing.

If Mr D used Hello software with the username “f” (which he admits), his use of Hello and his username would be known by anyone that he contacted using Hello.

It might be argued that many people could have spoofed Mr D’s information and used Hello software while “pretending” to be Mr D.  This argument might go something like …

The Prosecution have provided no information about the operation of Hello software.  For example, the Prosecution have said nothing about where Hello passwords or usernames are stored.

The Hello service is shut down and it is not possible to realistically test the operation of Hello software.

Searching the Internet finds information to suggest that the Hello password is stored on the computer of the person using Hello and is not stored centrally by Google on their server. Therefore, it may be possible to install Hello software using one username and password and subsequently change the username.

The theoretical end result of such spoofing might be two computers that can both use Hello software with a username of “f” and with each computer having a different password.

In your letter of May, you say that “Prosecution Counsel at the last trial conceded that there was no IP address”.  I am surprised that there is no Internet address …

Software is available that will log every “message” sent and received by a computer to and from the Internet together with the Internet addresses of the computers that are sending and receiving these messages.  I would have expected such logging software to be installed as a standard part of the software toolkit used by police officers doing work of the type described by X02.

It is my understanding, from my Internet researches, that Google stored some Internet address information regarding the use of Hello software.  I am surprised that this Internet address information was not sought and obtained.

I have re-read the statement of Mr B of the Australian Police regarding the letter to the US Attaché.  It appears, from Mr B’s description of the letter, that the Australian Police sought to identify the person using the Hello username of “f” solely from the email address a@a.

It may be that many people knew that a@a was a valid email address.  I looked for, and did not find, information to show that Hello software could not be operated using an email address belonging to someone else.

In summary, Mr D admits to having used Hello software with a username of “f” and an email address of a@a.  Anyone who communicated with Mr D using Hello software would have (or could have) known Mr D’s username and email address.  I have seen nothing to convince me that it would not be possible for someone to fiddle about with the Hello software installation on their own computer and change Hello to appear as “f” and a@a.

For completeness, it may be a red herring to discuss whether someone else could use Mr D’s password.  It may be that Google did not check the password centrally and it would not be necessary to use Mr D’s password.  I have seen information that tells us that Google have been quoted as having said that passwords are not stored centrally.  I have not seen a direct confirmation from Google.

And finally, (handwritten) Page No. 249 is from the transcript of an interview and DC P says that he has copies of the chat logs from the March.  It seems that the Exhibits from X02 made it to the UK but not into the bundle.  An analogy might be a witness statement that says “I took photographs that show Mr Smith stealing the …” and a bundle that does not include the photographs.

I would welcome the opportunity to discuss all this and I look forward to hearing from you.

Yours sincerely

 

Graham Dilloway

Expert Witness
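
The following is an added illustration, not part of the letters and not a description of how Hello actually worked. It models the design question both letters raise: a directory server that records an Internet address for whatever username a client reports, beside one that verifies a centrally held password and logs the address of every attempt. All class names, function names, addresses and passwords are hypothetical and constructed for the example.

```python
import hashlib, hmac, os

class TrustingDirectory:
    """Hypothetical server: stores the address for any username a client reports."""
    def __init__(self):
        self.locations = {}                      # username -> Internet address
    def announce(self, username, address, password=None):
        self.locations[username] = address       # password is never checked here
        return True

class VerifyingDirectory:
    """Hypothetical server: holds a salted password hash and logs every attempt."""
    def __init__(self):
        self.credentials, self.locations, self.audit_log = {}, {}, []
    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def register(self, username, password):
        if username in self.credentials:         # uniqueness enforced centrally
            return False
        salt = os.urandom(16)
        self.credentials[username] = (salt, self._derive(password, salt))
        return True
    def announce(self, username, address, password):
        record = self.credentials.get(username)
        ok = record is not None and hmac.compare_digest(
            record[1], self._derive(password, record[0]))
        self.audit_log.append((username, address, ok))   # address kept either way
        if ok:
            self.locations[username] = address
        return ok

def demo():
    # Constructed sample data: documentation-range addresses, made-up passwords.
    owner, other = "192.0.2.10", "198.51.100.20"
    trusting = TrustingDirectory()
    trusting.announce("f", owner)
    trusting.announce("f", other)                # second machine claims the same name
    verifying = VerifyingDirectory()
    verifying.register("f", "owner-password")
    verifying.announce("f", owner, "owner-password")
    accepted = verifying.announce("f", other, "different-password")
    return {
        "trusting_lookup": trusting.locations["f"],
        "verifying_lookup": verifying.locations["f"],
        "second_claim_accepted": accepted,
        "audit_log": verifying.audit_log,
    }

if __name__ == "__main__":
    print(demo())
```

In the trusting model the username alone does not identify a machine, so only an address record can tie a session to a location; in the verifying model the server's own log supplies that record for accepted and rejected attempts alike.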