How to do the Worst Job Possible

    Posted on August 8, 2010 by Lee Whitfield in Methodologies & Best Practices.

    Occasionally we all see forensic reports that are as close to perfect as they could be: the procedures and presentation are clear and concise, and the author has conducted research relevant to the investigation. Sadly this isn’t one of those instances…

    This is a real report prepared by a real defence ‘expert’. Any references to those involved have been changed.

    Sadly I can’t take the credit for finding this gem. The folks at Cranfield University know its origin and share it with their students as a very very bad example. I’d love to hear your thoughts on the report. I’ve also included a pdf of the report at the following location http://www.forensic4cast.com/wp-content/uploads/2010/08/report.pdf

    REPORT

    1.1 My Qualifications

    I am Alfie Moon, MBCS. I work as a Director for The Queen Victoria PH plc, an IT business management consultancy. I have worked for The Queen Victoria PH since 1997 and prior to that I was a Director of Angie’s Den. As a consultant my primary fields of activity are project and organisational effectiveness reviews, in a variety of technical environments, and the production of expert reports under Civil Procedure Rules. I am a member of the British Computer Society.

    I have worked full-time in the IT industry since 1963. Over this period I have been a programmer, designer, analyst, team leader, project manager and line manager responsible for several hundred staff. I have always, professionally and personally, been an advocate for, and a user of, the PC and internet environment. I have written code, reviewed organisational intra/internets and developed web sites.

    1.2 The Charges

    I have taken the charges from the Indictment and have addressed the 18 counts individually in the section on findings. Note that these charges all address the possession of indecent photographs of children, not of making them. I have not addressed the issue of whether such photographs were made by Dennis Watts.

    1.3 Questions addressed

    I was given the following instructions and have responded as indicated in italics

    • Nothing that the prosecution expert computer witness asserts in his witness statement should be taken at face value.
      The evidence presented by Grant Mitchell and DC Phil Mitchell has been reviewed and verified by examination of the floppy disks and computer hard disk.
    • Nothing that Dennis Watts says in his police interview should be taken at face value.
      Noted
    • The Defence needs to know whether the images or traces of images of child pornography are actually on the hard disk in Mr Watts’s computer.
      Internet cache on the hard disk was reviewed; deleted files were recovered where possible and also reviewed.
    • Mr Watts cannot remember the dates and times at which he was at home.
      Noted
    • What dates and times were the child pornographic images downloaded from various websites on the internet by Mr Watts’s computer?
      Addressed in findings
    • Can it be confirmed whether or not Mr Watts’s computer was used to download child pornographic images onto floppy disks?
      Addressed in findings

    1.4 Evidence provided

    On the 13th May 2002 I was provided with:

    1. the Indictment on 18 counts.
    2. Statements / Evidence from
    • Dennis Watts, draft and final
    • Pauline Fowler
    • Ian Beale
    • Katherine Slater
    • Dorothy Cotton
    • Phil Mitchell
    • Grant Mitchell

    On 17th May 2002 I was provided with:

    • PF/1, four floppy disks and KS/1 Time Computer Tower

    2. METHOD

    2.1 Unsolicited email

    Dennis Watts admits to providing his address to an unspecified number of pornographic web sites. In this circumstance I believe that he had no control over the material that might be sent to him, whether it is soft porn, hard porn or child pornography.

    I tested this assumption by setting up a free Hotmail account (the web mail service used by Dennis Watts), surfing for porn sites and providing my Hotmail address to the first site that requested it. I received about 5 unsolicited emails, over a 3-day period, as a result.

    2.2 Computer

    I received the computer for examination on Friday 17th May 2002. It appears to be a standard Windows 98 machine using Internet Explorer for internet access through Orange Net. I have not used it to connect to the internet.

    • There is no password protection in place. This is normal domestic behaviour but it does mean that the full range of facilities provided can be used by a casual user.
    • The date and time were incorrect. Specifically the date was 16th April 2002, the time about 05.00. Thus the machine was running about one month, one day and 12 hours slow. I corrected the date and time using normal Windows facilities. I note that the evidence of DC Phil Mitchell of 13th November 2001 states that on initial examination of the computer the date was correct, the time nearly so. I conclude that the machine had been without power for some time.

    I installed an undelete facility on the computer to allow me to examine any files that had been deleted by the user. The facility usually allows deleted files to be recovered and viewed. Where the defragmenter utility had been run (to make disk access more efficient or to hide deleted files) this utility is unable to recover deleted files. Note however that the defragmentation process is not selective. It can only be applied to a complete disk.

    I undeleted all files possible, 2486 files. The earliest was dated 05/08/93, the latest, prior to my intervention was dated 10/07/01. Prior to that the latest dated 24/06/01. There were no deleted files dated 14/06/01.

    I also created a set of folders on the hard drive to contain the floppy disk contents and working images from the internet cache and deleted files.

    Once this report was completed I defragmented the hard drive to verify that all the deleted files had in fact been deleted, uninstalled the undelete utility and deleted the hard drive folders that I had previously set up.

    2.3 Floppy disks

    I received cloned copies of the four disks with the computer. I copied the contents to temporary folders on the hard drive for speed of access and ran the undelete utility on the disks themselves. No deleted files were found on any of the four disks.

    2.4 Internet Cache

    The internet cache is a key issue in internet access and it is worth describing the role it fulfils. All internet files (formatting, text or images) are, in the first instance, received from the internet into the cache, and this process is not under user control. Where pages are requested from the internet the browser (Internet Explorer in this instance) will, in the interests of speed, first attempt to find the file in the cache. If it cannot be found it will access the file from the internet. As the cache fills up the space occupied by the oldest files will be reused.

    While there are exceptions to this general rule (some pages can force the browser to access the internet for a more up to date version), the cache is essentially a good record of internet access activity. If the user elects to save files then the saving process will copy the files from the cache to the selected location. The original will remain in the cache.

    3. Findings

    All photographs in the charges are stated to have been in Watts’s possession on 18th June 2001. Findings on them are given individually in the table below.

    1. 0023.jpg (evidence states 00223.jpg. I have taken the name on the charge to be a mis-type)
       Prosecution evidence: Page 3 of PM
       Location: Exists on disk 2/lollypop1. Not in internet cache. Not in deleted files.
       Origin: PM page 3 states attached to incoming email from ‘Noddy’
       Last accessed: PM page 3 states email on 5.6.2001 00:47:41

    2. 000.jpg
       Prosecution evidence: As above
       Location: Exists on disk 2/lollypop1. Not in internet cache. Not in deleted files.
       Origin: As above
       Last accessed: As above

    3. 0010.jpg
       Prosecution evidence: As above
       Location: Exists on disk 2/lollypop1. Not in internet cache. Not in deleted files.
       Origin: As above
       Last accessed: As above

    4. 0000.jpg
       Prosecution evidence: As above
       Location: Exists on disk 2/lollypop1. Not in internet cache. Not in deleted files.
       Origin: As above
       Last accessed: As above

    5. 0005.jpg
       Prosecution evidence: As above
       Location: Exists on disk 2/lollypop1. Not in internet cache. Not in deleted files.
       Origin: As above
       Last accessed: As above

    6. 0147.jpg
       Prosecution evidence: Page 3 of PM
       Location: Exists on disk 2/lollypop2. Not in internet cache. Not in deleted files.
       Origin: PM page 3 states attached to incoming email from ‘Noddy’
       Last accessed: Email on 5.6.2001 00:59:12

    7. 0198.jpg
       Prosecution evidence: As above
       Location: Exists on disk 2/lollypop2. Not in internet cache. Not in deleted files.
       Origin: As above
       Last accessed: As above

    8. 0156.jpg
       Prosecution evidence: As above
       Location: Exists on disk 2/lollypop2. Not in internet cache. Not in deleted files.
       Origin: As above
       Last accessed: As above

    9. 0177.jpg
       Prosecution evidence: As above
       Location: Exists on disk 2/lollypop2. Not in internet cache. Not in deleted files.
       Origin: As above
       Last accessed: As above

    10. 014.jpg
       Prosecution evidence: As above
       Location: Exists on disk 2/lollypop2. Not in internet cache. Not in deleted files.
       Origin: As above
       Last accessed: As above

    11. 12.jpg
       Prosecution evidence: Page 3 of PM
       Location: Exists on disk 2/lollipop3. 8 variants of 12.jpg exist in the internet cache, none are this image. 9 variants of 12.jpg exist in the internet cache, none are this image.
       Origin: PM page 3 states that this is attached to incoming mail from ‘Popeye’
       Last accessed: Email on 6.6.2001 12:31:24

    12. 080.jpg (there is no 080.jpg on the floppy disks but there is an aa080.jpg in the PF/1 listing)
       Prosecution evidence: PF/1 listing
       Location: Disk3/04. Not in internet cache. Not in deleted files.
       Created 9.6.01
       Accessed 26.6.01

    13. 0704.jpg
       Prosecution evidence: PF/1 listing
       Location: Disk 3. Not in internet cache. Not in deleted files.
       Created 14.6.01
       Accessed 14.6.01

    14. 2veryyoung.jpg
       Prosecution evidence: PF/1 listing
       Location: Disk 3. Not in internet cache. Not in deleted files.
       Created 3.6.01
       Accessed 6.6.01

    15. 21.jpg
       Prosecution evidence: PF/1 listing
       Location: Disk 4. Not in internet cache. Not in deleted files.
       Origin: Yippee, Holland
       Created 8.6.01
       Accessed 11.6.01

    16. 10.htm
       Note that this is an .htm file and therefore not a photograph. It references YU107213910270 (a photograph on disk 4 though not one of the photographs above) as one book may reference another, but it is not a photograph.
       Prosecution evidence, Location, Origin, Last accessed: N/a

    17. 13.htm
       Note that this is an .htm file and therefore not a photograph. It references hayley13 (a photograph on disk 4 though not one of the photographs above) as one book may reference another, but it is not a photograph.
       Prosecution evidence, Location, Origin, Last accessed: N/a

    18. 8.htm
       Note that this is an .htm file and therefore not a photograph. It references 08 (a photograph on disk 4 though not one of the photographs above) as one book may reference another, but it is not a photograph.
       Prosecution evidence, Location, Origin, Last accessed: N/a

    3.1 Conclusions

    There are 18 ‘photographs’ defined in the table above, all located on floppy disks, of which the first 15 are actually photographs. I propose to ignore items 16-18, the .htm files, for the reasons given above.

    While the computer has clearly been used to surf the net for pornographic sites, some of which deal with incest and child pornography, to interact with internet chat rooms and receive emailed images it should be stressed that, according to my examination, none of the images on the floppy disks that are presented in the charges can be found on the computer hard drive, whether in the internet cache, in deleted files or elsewhere.

    3.1.1 Emailed Items

    Items 1 to 5 above were received, according to the prosecution evidence with which I have no reason to disagree, in a single email on the 5th June. Dennis Watts admits to having given his email address to an unspecified number of pornography web sites or chat rooms and, in this circumstance, he had no control on what might have been sent to him as a result. It seems to me that, while he had advertised his willingness to receive pornographic mail, he had not advertised a specific interest in child pornography.

    The same observation holds for items 6 to 10 and item 11 above for emails received on the 5th and 6th June.

    3.1.2 Were images viewed?

    A general question arises on whether Dennis Watts actually viewed any images sent to him. He states that he always loaded pornographic images to his A drive (the floppy disk) for review later. Hotmail was developed for the US market where local calls to internet numbers tend to be free. This is not the case in the UK and Hotmail users here do develop behaviour to limit the cost of telephone calls. While Hotmail will generally open (and therefore present images to the user) any attachments in emails (photographs in this case) it is not invariably so. While my own equipment will do so I have friends who are not able to. It depends on a number of circumstances which can exist in complex combinations:

    • The format in which the sender has sent the mail.
    • The capability of the receiving computer
    • The extent to which the user is ‘computer literate’
    • Whether Hotmail itself has been modified, e.g. by the user changing security settings, to accept attachments

    My view is that it cannot be proven that Dennis Watts would invariably view any email attachment sent to him before he saved it to a floppy disk.

    3.1.3 Items 12 to 14

    As noted in the table above I can find no evidence that these images exist on the computer hard drive in either the internet cache or as deleted files.

    3.1.4 Item 15

    As noted in the table above I can find no evidence that this image exists on the computer hard drive in either the internet cache or as deleted files.

    This image appears to be from a Yippee site in Holland. I note that, in Dennis Watts’s witness statement, the police view that he would have needed a password to access this. It seems to me that Yippee is freely available in any language; if he were sent a hyperlink to such a site (as ‘here’s an interesting site, look at it’) then clicking on the hyperlink would have yielded the image. I have accessed the Yippee site directly; though it was empty it appeared to be available for access. I find it unlikely that access to images in this way would be possible without viewing the image.

    3.1.5 Were the images on the floppy disk from the computer?

    Dennis Watts does not claim that the floppy disks were given to him. It would be possible for someone else to ‘fake’ the floppy disk contents but this would require time (to access the appropriate files using another computer, then to transfer them to a floppy disk) and the technical ability (changing the clock on the computer used to ‘fake’ the disk to give the desired time and date). Such a process would not need to make use of Dennis Watts’s computer. As noted the computer is not protected (i.e. it does not require a user name and password to function).

    It should be noted that (unless ‘faking’ was involved) all images written to the floppies would pass via the internet cache on the computer. It is possible, using utilities freely available to Dennis Watts, to delete the content of the internet cache, or to be more complex, to rename them such that they appear to be something completely different.

    On balance, if files exist on the floppy disks and also on the hard drive, it can be reasonably assumed that they are the same. The corollary, that, if they exist on the floppies but not on the hard drive, leads to the conclusion that:

    • The content of the floppies have been faked or
    • The contents of the hard drive have been modified

    If the contents of the hard drive had been modified by deletion, this should have been visible in the contents of the deleted files.

    I believe that the case for ‘faking’ the contents of the floppy disks is supported by the following set of observations:

    • Disk 3 contains a number of folders but, in the root segment, are 7 images of children, 3 of one child, 4 of a second child. One image of the second child (0704.jpg) is presented in the charges
    • These 7 images on disk 3 all have a modification date (i.e. the date on which they were saved to the floppy disk) of 14/06/01, timed between 10:08 and 10:45
    • There is no activity identified (access to the internet or otherwise, or in the deleted files) on the computer hard drive for the date of 14/06/01 other than a game of minesweeper which is timed at 17:33.

    SCHEDULE SHOWING WHICH IMAGES CAME FROM WHICH FLOPPY DISK

    1 00223.jpg Disk 2
    2 000.jpg Disk 2
    3 0010.jpg Disk 2
    4 0000.jpg Disk 2
    5 0005.jpg Disk 2
    6 0147.jpg Disk 2
    7 0198.jpg Disk 2
    8 0156.jpg Disk 2
    9 0177.jpg Disk 2
    10 014.jpg Disk 2
    11 12.jpg Disk 2
    12 080.jpg Disk 3
    13 0704.jpg Disk 3
    14 2veryyoung.jpg Disk 4
    15 21.jpg Disk 4
    16 10.htm Disk 4
    17 13.htm Disk 4
    18 8.htm Disk 4

    End of Report


    FINAL RESULT

    Following expert examination of the hard disk and floppy disks, which resulted in the extraction and decoding of link files from both allocated and unallocated space, the defendant pleaded guilty to all (amended) counts and was sentenced to 12 months imprisonment. The above report was NOT submitted in evidence by the defence or used as any basis for mitigation.
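    The step the report skipped, and the one the commenters below insist on, is to image the media first and do every examination on the image. The script below is an added example (not part of the original post, the report, or the prosecution's work): it hashes the source before anything touches it, images it with dd, hashes the image, writes both digests to a custody log, and later proves that the image is still bit-identical to what was acquired. dd, sha256sum/shasum and awk are standard tools; the function names, the tab-separated log format and the "floppy" (a constructed 1.44 MB file of sample bytes, not any real evidence) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: forensically sound acquisition reduced to its essentials.
# Hash the original BEFORE touching it, image it, hash the image, record both,
# then work only on the image (or a copy of it). Function names, log layout
# and the sample data below are this example's own, not from the report.

hash_file() {
    # Print only the SHA-256 hex digest; shasum is the fallback where GNU
    # coreutils' sha256sum is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

acquire_image() {
    # acquire_image SOURCE IMAGE LOG -> 0 if IMAGE verifies against SOURCE.
    # On real media SOURCE is the device node behind a write blocker (or set
    # read-only with blockdev --setro); here it is a file.
    src=$1; img=$2; log=$3
    src_hash=$(hash_file "$src") || return 1
    # bs must equal the media sector size: conv=sync pads an unreadable block
    # with zeros instead of silently shortening the image, and noerror keeps
    # dd reading past bad sectors rather than aborting part way.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    img_hash=$(hash_file "$img") || return 1
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s\tsource\t%s\t%s\n' "$stamp" "$src" "$src_hash" >>"$log"
    printf '%s\timage\t%s\t%s\n'  "$stamp" "$img" "$img_hash" >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

verify_image() {
    # verify_image IMAGE LOG -> 0 if IMAGE still matches the digest logged at
    # acquisition. Any later write to it (installing an undelete tool onto it,
    # "correcting" a clock, defragmenting) changes the digest and fails here.
    img=$1; log=$2
    tab=$(printf '\t')
    logged=$(awk -F "$tab" -v f="$img" '$2 == "image" && $3 == f { h = $4 } END { print h }' "$log")
    [ -n "$logged" ] && [ "$(hash_file "$img")" = "$logged" ]
}

demo() {
    # Constructed stand-in for a 1.44 MB floppy: 2880 sectors of 512 bytes,
    # so the image is an exact multiple of bs and the two hashes must agree.
    work=$(mktemp -d) || return 1
    head -c 1474560 /dev/zero >"$work/floppy.dev"
    printf 'constructed sample data, not real evidence' \
        | dd of="$work/floppy.dev" conv=notrunc 2>/dev/null
    acquire_image "$work/floppy.dev" "$work/floppy.dd" "$work/custody.log" || return 1
    cp "$work/floppy.dd" "$work/working-copy.dd"   # examine this, never floppy.dev
    verify_image "$work/floppy.dd" "$work/custody.log" || return 1
    rm -rf "$work"
}

demo && echo "image acquired, hashes match, original untouched"
```

    Run against a real drive, the same two digests are what an opposing expert can recompute independently; re-hashing the source device after acquisition additionally shows that the acquisition itself changed nothing. Everything the report did on the live machine (installing software, setting the clock, undeleting 2486 files, defragmenting) would have been done on working-copy.dd, leaving floppy.dev and floppy.dd able to pass verify_image at any later date.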

8 Responses so far.

  1. […] This post was mentioned on Twitter by Lee Whitfield, Forensic 4cast. Forensic 4cast said: New post: How to do the Worst Job Possible http://is.gd/e8Lfi […]

  2. […] This post was Twitted by phenrycissp […]

  3. A. Stettgard says:

    Hmmm… Tell me again: Was “Alfie Moon” working for the prosecution or for the defense?

    😉

  4. tk says:

    To me this seems shocking… namely he installed software on the actual computer, changed the system date, modified (undelete) over 2000 files etc – all of this done without making a copy of the unaltered hard drive first??

    Seems like bad procedure.

    Even a novice would know to not alter the evidence like that but instead copy the drive (use gHost or something similar) and fool around with the COPY not the original, retaining the original unaltered in chain of evidence. I’m not in any type of law enforcement, but it would seem common sense no?

    Also no need to use original equipment – can run it in VMWare or similar.

    Sorry if I seem a novice (I am) but that’s my opinion.

    – TKukler

  5. Lee Whitfield says:

    tk, you are quite correct. I know many forensic investigators that banged their heads on their desks after reading this. I think that this is why people need to seek out proven forensic investigators for forensic work rather than their IT experts or the local computer repair shop (yes this does happen). If anyone can do this kind of work why would we bother to go to university or attend training events? The whole thing is just staggering to me.

  6. Anders Thulin says:

    It should be clear that if you ask an ass to do the work of a racing horse, a stud horse or a farm horse, … it will not do the job of either.

    This report, taken on its own, certainly appears to be extremely poor from a forensic point of view. I’m not sure, though, that that is the only point from which to evaluate it.

    An interesting point is that the writer does not claim any forensic expertise, nor any experience from similar investigations. It would be interesting to know why the defense selected this particular consultant for this job, and why the defense did not know that asking an IT consultant if he can do a job in 95 out of a 100 cases will produce the answer ‘yes’, regardless. The writer should have known better, true, but I think that the defense should bear a considerable part of the blame.

    Nor do I understand why the writer was allowed to get technical with the computer … it might, for all I know, be standard practice in the UK, but it doesn’t ring true to my ear.

    At least the defense seems to have had the sense not to present the writer as an expert.

    That, together with a few other points, makes me wonder if this document may not be more of a student exercise than an ‘only edited to protect the guilty’ version of a report. Perhaps even a ‘find as many errors as you can’ kind of exercise. If it was genuine, it would be more professional to replace sensitive information with Xxxxx etc. instead of using not always obviously false information.

  7. Simon Whitfield says:

    A copy of the above report was given to me at Cranfield University by the person who worked for the prosecution on this case, so it’s genuine. Names and some of the details have obviously been changed, but the process, etc. was real. This is by no means the only one either. They’ve seen a few howlers.

    It seems that in days gone by (hopefully it doesn’t still happen) defence barristers would seek out anyone who was “good with computers” to do a defence examination. We can see the kind of results they get when they employ such people. I bet he didn’t charge much, which was great because the defence didn’t bother to present any of this in Court.
