<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Computer Crime Consultants</title>
	<atom:link href="http://www.ccc-ltd.com/index.php/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.ccc-ltd.com</link>
	<description>...for security in a changing technological world...</description>
	<lastBuildDate>Fri, 11 May 2012 11:59:32 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Evidence from restore point</title>
		<link>http://www.ccc-ltd.com/index.php/restore-point-evidence/</link>
		<comments>http://www.ccc-ltd.com/index.php/restore-point-evidence/#comments</comments>
		<pubDate>Thu, 01 Jan 1970 00:00:00 +0000</pubDate>
		<dc:creator>ccc</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[court case]]></category>
		<category><![CDATA[evidence]]></category>
		<category><![CDATA[internet cache]]></category>
		<category><![CDATA[restore point]]></category>

		<guid isPermaLink="false">http://www.ccc-ltd.com/?p=5245</guid>
		<description><![CDATA[Evidence from restore point<br />
As a result of the Judge’s comments in a recent case at the Old Bailey I find myself writing in an attempt to advise others regarding the evidence that may be required if relying on evidence obtained from a restore point and Internet caches.<br />
The case in question related to sexual assault on a young person.<br />
During the course of the investigation two laptops were seized, at different times and subsequently analysed.<br />
These will be known ...]]></description>
			<content:encoded><![CDATA[<h6>Evidence from restore point</h6>
<p>As a result of the Judge’s comments in a recent case at the Old Bailey I find myself writing in an attempt to advise others regarding the evidence that may be required if relying on evidence obtained from a restore point and Internet caches.</p>
<p>The case in question related to sexual assault on a young person.</p>
<p>During the course of the investigation two laptops were seized, at different times and subsequently analysed.<br />
These will be known as the new laptop (seized at the time of arrest) and old laptop seized some months later.</p>
<p><strong>Scope</strong></p>
<p>Our remit was to establish whether any evidence existed on the submitted media that would assist the investigation as far as the defendant&#8217;s &#8216;mens rea&#8217; was concerned,<br />
i.e. was there any circumstantial evidence of the defendant accessing or possessing material of a sexual nature?<br />
<strong>Analysis and Findings</strong></p>
<p>Old Laptop</p>
<p>The only evidence was found in some antivirus logs, which had recorded file paths and filenames, and in link files pointing to files whose names implied that they contained content relevant to the investigation; it could also be determined from the filenames that peer-to-peer file sharing software had been in use. There was also evidence that LimeWire had been uninstalled and therefore had existed at some time prior to the analysis. Lots of zeros found in file slack and unallocated space!!</p>
<p>New Laptop<br />
The following information was found on the new laptop:</p>
<ul>
<li>Six restore points all dated the same day were found to contain some 30 or so images that needed grading on Copine scale.</li>
</ul>
<p style="padding-left: 60px;">Note: Not all the same images were duplicated in all the restore points.</p>
<ul>
<li>Several hundred grown up images that appeared to be relevant were identified on the system primarily in Internet cache files and a few in unallocated space.</li>
<li>Internet Explorer, Firefox and Google Chrome had all been identified as being in use at potentially relevant times.</li>
<ul>
<li>No significant evidence was found associated with Internet Explorer</li>
<li>Search terms associated with images and information that may require grading on the Copine scale were found in the Firefox cache.</li>
<li>These searches were dated the day before the restore points were created and the day they were created.</li>
<li>Six images that would also require grading were found in the data container of Google Chrome.</li>
<li>The creation dates and times of these images could not be established as the information had ‘dropped out of the index file’ associated with the data container.</li>
</ul>
<li>Three images that also required grading were found in the unallocated space.</li>
<li>Lots of consecutive zeros were found across the disk space.</li>
</ul>
<p>During the course of the analysis we discussed the matter with those instructing and, as this was supplementary evidence, no attempts were made to undertake restores to potentially establish the original file location of the images.<br />
The image file sizes were consistent with Internet activity as opposed to thumbnails etc.</p>
<p><strong>Trial</strong></p>
<p>At the time of the trial it became clear that counsel had included a number of counts on the indictment in relation to the making and possessing of the &#8216;images that required grading&#8217;.<br />
During the course of giving evidence it was made clear and accepted that:</p>
<p>As not all the images were found in all the restore points, it would be reasonable to assume that they were the subject of some activity during the period that the restore points were being created and that this could effectively be corroborated by the Internet activity found in Firefox.</p>
<p>The creation dates and times of the restore points were consistent with the new laptop having additional software installed and undergoing Windows Update activity.<br />
After giving evidence in chief, cross-examination and nearly a day of legal argument etc. etc. I was asked by the judge, “whether a person with what would be considered to be average computer knowledge would be aware of the contents of a restore point at the time of creation?”</p>
<p>In my opinion the answer is no for the simple reason that most people I know seem to think that a restore point contains everything to take you back to when your computer last worked correctly, including your personal data, which of course it doesn&#8217;t.</p>
<p>As a result of my answer to this question the judge directed that the counts in relation to these images be dropped.<br />
According to prosecution counsel the judge’s interpretation of the case of R v Attwood (in the UK) means that the defendant has to know the location of the files that form part of the evidence.</p>
<p>I should mention that the prosecution was not given an opportunity to attempt to restore data from the restore points in an effort to establish their original locations, and in any case, if they had come from the Google Chrome data container, the chances are the associated data from the index file was not available and therefore it would not have gone any further.</p>
<p>N.B. The grown up stuff was admitted!!</p>
<p><strong>Implications</strong></p>
<p>My understanding of the Judge’s findings is that if you are going to rely on any evidence contained within a restore point or an Internet cache you need to be in a position to show:</p>
<ol>
<li>the data&#8217;s original location and creation dates and times</li>
<li>the person who is the subject of the investigation could reasonably be expected to know that the information was originally stored in such a place.</li>
</ol>
<p>I see a lot more virtual forensics on the horizon!!</p>
<p>Hope this helps</p>
<p>Phil Hards</p>
]]></content:encoded>
			<wfw:commentRss>http://www.ccc-ltd.com/index.php/restore-point-evidence/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

