Computer Expert Witness
Graham Dilloway CITP MBCS
Computer Expert Witness

Chartered IT Professional and Member of British Computer Society

Listed in Register of Expert Witnesses


Member of the Academy of Experts


View Graham Dilloway's profile on LinkedIn

Terrorism and Anarchist's Cookbook

My expert witness examination of evidence from computers found nothing to indicate a serious attempt at terrorism. The defendants were found not guilt by a jury.

Dear Mr S

I have seen Mr P’s statements dated 2 October 2007, 3 October 2007, 4 October 2007 and 9 October 2007, a Case Summary and Counsel’s Advice dated 24 June 2008.

The timeline alleged by the Prosecution appears to be:

Unknown

“Cookbook” downloaded using Limewire.

Unknown

“Cookbook” that had been downloaded using Limewire is deleted.

13 Sep 2005

Specification.doc created on computer (KAS/1) and saved to floppy disk (KAS/9) by user D.

14 Sep 2005

S.doc created on floppy disk (KAS/9) by user F.

15 Sep 2005

SHOP1.XLS file created on floppy disk (KAS/9) by user A.

9 Nov 2005

Files.doc modified in unknown circumstances.

22 Nov 2005

Files.doc created on floppy disk (KAS/9) by unknown user.

22 Nov 2005

123.doc created on floppy disk (KAS/9) in unknown circumstances..

5 Dec 2005

Files.doc accessed on Mr D’s computer (KAS/1) by user A.

3 May 2006

“Cookbook” downloaded to Exhibit ASH/1.

12 May 2006

“Cookbook” created on Exhibit ASH/38.

9 Oct 2006

“Cookbook” created on Exhibit ASH/38.

9 Oct 2006

“Cookbook” file created on Mr D’s computer (KAS/1).

10 Oct 2006

“Cookbook” accessed on Mr D’s computer (KAS/1).

11 Oct 2006

MSN chat regarding “targeting the B”. (Case Summary Para.22)

11 Nov 2006

MSN chat regarding potassium nitrate, B and “… blow them all up”. (Case Summary Para. 18)

7 Sep 2007

“Cookbook” accessed on Mr D’s computer

9 Sep 2007

Files.doc accessed on Mr D’s computer (by user A).

Mr P says, in his statement dated 2 October 2007, at Page 2, “In the following file location … My Received Files I found a file … The proper anarchists cookbook.pdf “

“My Received Files” is the default location to hold files that have been sent to a computer using MSN chat. Files can be moved into “My Receieved Files” using Windows Explorer and by other methods. I may be that the Prosecution would agree that a file found in “My Received Files” was possibly or probably sent using MSN chat and that we cannot be sure how the file got into “My Received Files”.

Mr P says, in his statement dated 2 October 2007, at Page 2, “In the Recent (1) folder for the user profile name D I found a link file to the above file …”. And “This shows tha the file The proper anarchists cookbook.pdf was last opened on 07/09/07 …”

I have seen no evidence to show the software program that was used to open the file nor any evidence to show that the content of the file was displayed on screen nor evidence to show how long the file was displayed on screen (if at all).

On my own computer I opened a .pdf file using Microsft Word software. The software was not able to interpret the content of the file and the display on screen was garbled and unreadable. An entry was added to the recent documents list available via the Start button.

It may be that the Prosecution will agree that they cannot say whether the “cookbook” file was displayed on screen in a legible way (if at all) and that they cannot say the duration of any display on screen (if at all).

Mr P says, in his statement dated 2 October 2007, at Page 4, “Using the forensic software I was also able to analysis the Internet History files …” and, at Page 5, “… this file was first opened on 10 October 2006 …”.

It may be that the Prosecution will agree that they cannot say whether the file was displayed on screen in a legible way (if at all) and that they cannot say the duration of any display on screen (if at all).

Mr P says, in his statement dated 2 October 2007, at Page 7, “It is not directly possible to be able to say that the copy found on exhibit KAS/1 came from exhibits ASH/1 or ASH/38”.

It may be that the Prosecution will agree that copies of the “cookbook”, each having identical MD5 hash values, exist on thousands or on tens of thousands of computers and that the copy found on Exhibit KAS/1 may have come from any of these computers and that the method of transfer may not have been MSN chat.

Mr P discusses, in his statement dated 2 October 2007, in the last paragraph on Page 7 and continuing on Page 8, the “cookbook” on Exhibit ASH/1. I do not understand the use of date/times in this paragraph and it appears that Mr P is contradicting himself.

I have seen no evidence listing the files in the “My Received Files” folder. The name of the “cookbook” file might stand out in a short list of files and be less noticeable in a long list of files. It is not for me to discuss the likelihood that the “cookbook” might be mistaken for a book of food recipes!

Mr P discusses, in his statement dated 3 October 2007, the file called files.doc and found on floppy disk KAS/9.

I can create a file on my computer using Microsoft Word software. The name of the file is listed in the “Documents” or “My Documents” list on the Start Menu. The file appears in the Documents list because a link file has been created containing information about the Microsoft Word file. Mr P is discussing a link file in his statement dated 3 October 2007.

The link file was created on 5 December 2005 and this indicates that files.doc was accessed on KAS/1 on that date. Files.doc was accessed on 5 December 2005 using the user name A.

There is date information inside the link file to show that files.doc was created on the floppy disk (KAS/9) on 22 November 2005. The Modified date within the link file is 9 November 2005.

It may be that the Prosecution will agree that:

I have seen no evidence regarding the last accessed dates for files.doc or for 123.doc on the floppy disk KAS/9. These dates are available from the disk but have not been mentioned by Mr P in his statements.

Mr P says, in his statement dated 4 October 2007, of the “cookbook”, “This reference points to the previous existence of this file in the following folder location …”. The folder location is consistent with the “cookbook” having been obtained using file sharing software and that the user of the file sharing software was using the user name D at the time of the download. The “cookbook” was subsequently moved to another folder or deleted from the computer.

It may be that the Prosecution will agree that events surrounding this file are unknown including, for example:

Mr P’s statement, dated 9 October 2007, discusses files that had been on the floppy disk (KAS/9) and had been deleted before the files called files.doc and 123.doc were created on the disk. Mr P’s findings are consistent with:

The files SHOP1.XLS and S.DOC no longer exist. A copy of the file SPECIFICATION.DOC exists on computer KAS/1.

It may be that the Prosecution will agree that the evidence regarding the person or persons using floppy disk KAS/9 is inconclusive.

I have not seen the evidence regarding MSN chat logs. The Case Summary says, at Para. 15, “Numerous files … containing MSN instant messaging conversations …” and “One of these files contained a conversation between the two defendants about a plan … explosives”.

It may be that examination of the “Numerous files … containing MSN instant messaging conversations …” will shed light on the nature of the relationship between Mr D and Mr A and explain why only “One of these files contained a conversation between the two defendants about a plan … explosives”.

The Case Summary dates the incriminating chat as 11 November 2006 in Para. 18 and as 11 October 2006 in Para. 22.

I have not seen the Exhibits. The Case Summary says, at Para. 23, “One of the floppy disks contained a number of documents including innocent material such as the Curriculum vitae of D’s sister … (and) a document containing instructions how to make napalm …”.

I have seen nothing in Mr P’s statements to show that he produces any Exhibits regarding the floppy disk KAS/9 or any other floppy disk.

Counsel’s Advice enquiries, at Para. 9, regarding files being “copied, renamed and/or deleted”. Windows does not keep direct evidence of these actions.

Counsel’s Advice enquiries, at Para. 9, regarding the “cookbook” and MSN. The folder where this file was found is the folder that typically holds files sent via MSN. This does not exclude the possibility that the file got into the folder by some other means. I do not know of any way to tell who sent a file via MSN.

Counsel’s Advice enquiries, at Paras. 11 and 12, regarding file accesses. The file date evidence that Mr P relies on in his statements is not consistent with automatic access such as anti-virus scanning. However, I expect that Mr P would agree that the evidence does not show that any of the documents were definitely displayed on screen for a significant period.

I have seen no evidence to show that software that is able to display the content of .pdf files and of .doc files is installed on computer KAS/1. It is likely that the Prosecution can show that appropriate software is installed on computer KAS/1.

In summary:

I would welcome the opportunity of discussing this further and look forward to hearing from you.

Yours sincerely

 

Graham Dilloway
Expert Witness