Computer Expert Evidence

Alibi in Computer Event Logs

Mr D was picked out in a video identity parade and charged. The offence was known to have occurred during a specific one hour period and some distance from Mr D's home.  It was Mr D's recollection that he had been at home at the time and may have been using his computer.  I examined the computer and produced a letter and then a report detailing the times of use of the computer.  The charges were dropped.

Letter Summarising Findings

23 November

Miss S
S Solicitors

Dear Miss S

Mr D

I visited Mr D on Wednesday, 17 November and removed the disk drive from Mr D’s computer.

I examined the disk drive and searched for indications that Mr D’s computer was in use on 28 June.

The Windows operating system maintains several log files. Messages are added to these log files to record events that indicate activity by the computer. I examined the security event log file from Mr D’s computer and created screenshots that show the times of messages that indicate computer activity …

Screenshots of the Event Logs have been omitted from this webpage.

The four screenshots show three periods …

13.51 to 14.08. The computer has been switched on and is starting up. A message at 14.02 shows that Mr D’s username logged on to the computer. A password is needed to log on to the computer using Mr D’s username, indicating that a person was present at this time.

14.08 to 17.35. There are two messages for this period. The computer was switched on during this period and may have been doing work that did not cause messages to be written to the event log. A person may have been present during this period. I do not know if the two messages at 15.35 were caused by a person being present.

17.35. The messages at 17.35 include a message to show that Mr D’s username logged on to the computer. A password is needed to log on to the computer using Mr D’s username, indicating that a person was present at this time.

I searched for, and did not find, indications to show that a person was definitely using the computer during the afternoon. For example, I found six files that had been accessed on 28 June. Automatic processes on the computer had accessed all of these files. The times of the file accesses were at about the same times as messages in the event logs.

The absence of indications of computer use is not evidence that the computer was not in use. A computer can be used without generating event log messages or other indications, or the indications may have been deleted automatically in the period since 28 June.

I look forward to hearing from you.

Yours sincerely


Graham Dilloway

Expert Witness Report

Mr D

The Author

1. This report was prepared by Graham Dilloway of 39 Conham Hill Bristol BS15 3AW. I am a Member of the British Computer Society, the chartered professional body for the computer industry in the UK. I am a member of the Academy of Experts. I have worked with computers for more than 30 years. This work has all involved the implementation and configuration of computers, their operating systems and the core software applications of a computer environment (e.g. word processors and spreadsheets). I have worked with personal computers almost exclusively for more than twenty years.

Instructions

2. My instructions are in a letter from Cartwright King Solicitors dated 11 November 2010 that says, “We would please like you to prepare a report confirming when his computer was logged on and off between the times of 1pm and 4pm on 28 June 2010. If you could also confirm whether a password is needed …”

3. I visited Mr D’s home on 17 November 2010. I observed an Acer laptop computer in operation and observed that a password was required to log on to the computer. I removed the hard drive from Mr D’s Acer laptop computer.

4. I created a copy of the hard drive from Mr D’s computer using FTK Imager software and Logicube “write protect” hardware on 18 November 2010.
Event Logs

5. The Windows operating system maintains files of messages that are generated by parts of Windows while Windows is operating. The files of messages are called Event Logs and include an Event Log of messages generated by security components of Windows.

6. I examined the security event log for 28 June 2010.

7. The security event log for 28 June 2010 contains a group of messages timed from 13.51 to 14.08. These messages are consistent with the computer being switched on and then logged on. Switching on and then logging on the computer required that someone be present to operate the computer.

8. The security event log contains two messages in the period from 14.08 to 17.35. The absence of messages is not evidence of an absence of activity on the computer. It may be that the computer was being used in a way that did not cause messages to be written to the event logs.

9. The security event log contains a sequence of messages beginning at 17.35 to show that the computer is again being logged on. Logging on the computer required that someone be present to operate the computer.

Summary

10. A person must have been present to operate Mr D’s computer at about 14.05 and at about 17.35 on 28 June 2010.

11. I found no evidence to show that a person was or was not using the computer between about 14.05 and 17.35.

12. I understand my duty to the Court and I confirm that I have complied with and will continue to comply with that duty.

13. I confirm that insofar as the facts stated in my report are within my own knowledge I have made it clear which they are and I believe them to be true, and that the opinions I have expressed represent my true and complete professional opinion.

Graham Dilloway
Computer Expert Witness

1 December

39 Conham Hill
Bristol BS15 3AW
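The reasoning in paragraphs 5 to 9 of the report, and the three periods set out in the letter, can be reproduced mechanically from a Security event log export. The script below is an added example and is not code from the original letter or report. It parses a simplified pipe-separated export of Security log records (the records are constructed for illustration and are not the log examined in the case), clusters them into periods of logged activity, lists the gaps in which nothing was logged, flags the logon messages that imply someone typed a password, and checks whether file-access times coincide with logged system activity, as the letter did for the six files it mentions. The event IDs 4608, 4624, 4634 and 4672 and the logon type codes 2, 5 and 7 are the Windows Vista/7 Security log values and are an assumption about the machine; the 20-minute gap threshold, the record format and the account name are choices made for the example.

```python
"""Activity periods and presence indicators from a Windows Security event log.
Added example, not code from the original report. Event IDs 4608 (Windows is
starting up), 4624 (successful logon), 4634 (logoff) and 4672 (special
privileges) and logon types 2 = Interactive, 5 = Service, 7 = Unlock are the
Vista/7-era Security log values; SAMPLE_LOG is constructed, not the case log."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample records: "time|event id|logon type or -|message".
SAMPLE_LOG = """\
2010-06-28 13:51:02|4608|-|Windows is starting up.
2010-06-28 13:51:40|4624|5|An account was successfully logged on (SYSTEM).
2010-06-28 14:02:11|4624|2|An account was successfully logged on (user).
2010-06-28 14:02:11|4672|-|Special privileges assigned to new logon.
2010-06-28 14:08:30|4624|5|An account was successfully logged on (LOCAL SERVICE).
2010-06-28 15:35:05|4624|5|An account was successfully logged on (NETWORK SERVICE).
2010-06-28 15:35:06|4634|-|An account was logged off.
2010-06-28 17:35:44|4624|7|An account was successfully logged on (user).
2010-06-28 17:35:44|4672|-|Special privileges assigned to new logon.
"""
# Constructed file last-access times to correlate with the log.
SAMPLE_FILE_ACCESSES = ["2010-06-28 13:52:10", "2010-06-28 15:35:05",
                        "2010-06-28 16:20:00"]
# Logon types that need a credential typed at the keyboard, given a
# password-protected account (assumption: autologon is not configured).
PRESENCE_LOGON_TYPES = {2, 7}  # 2 = Interactive, 7 = Unlock
Period = Tuple[datetime, datetime, int]  # start, end, number of events


@dataclass
class Event:
    time: datetime
    event_id: int
    logon_type: Optional[int]
    message: str


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_log(text: str) -> List[Event]:
    """Parse the pipe-separated export into Event records, oldest first."""
    events = []
    for line in text.strip().splitlines():
        t, eid, ltype, msg = line.split("|", 3)
        events.append(Event(parse_time(t), int(eid),
                            None if ltype == "-" else int(ltype), msg))
    return sorted(events, key=lambda e: e.time)


def activity_periods(events: List[Event],
                     max_gap: timedelta = timedelta(minutes=20)) -> List[Period]:
    """Cluster events no more than max_gap apart into periods of logged activity."""
    periods: List[Period] = []
    for e in events:
        if periods and e.time - periods[-1][1] <= max_gap:
            start, _, n = periods[-1]
            periods[-1] = (start, e.time, n + 1)
        else:
            periods.append((e.time, e.time, 1))
    return periods


def silent_gaps(periods: List[Period]) -> List[Tuple[datetime, datetime]]:
    """Intervals between clusters with nothing in the log. Silence is not
    evidence of an idle machine: ordinary use without a logon, lock or
    privilege event leaves no Security log trace."""
    return [(periods[i][1], periods[i + 1][0]) for i in range(len(periods) - 1)]


def presence_indicators(events: List[Event]) -> List[datetime]:
    """Times at which someone must have been at the keyboard."""
    return [e.time for e in events
            if e.event_id == 4624 and e.logon_type in PRESENCE_LOGON_TYPES]


def accesses_explained_by_log(access_times: List[str], events: List[Event],
                              tolerance: timedelta = timedelta(minutes=2)) -> Dict[str, bool]:
    """True where a logged event lies within tolerance of the file access, so
    the access coincides with system activity and is not by itself evidence of
    a person; False means the access is unexplained and needs a closer look."""
    times = [e.time for e in events]
    return {a: any(abs(parse_time(a) - t) <= tolerance for t in times)
            for a in access_times}


def summarise(text: str = SAMPLE_LOG,
              accesses: List[str] = SAMPLE_FILE_ACCESSES) -> dict:
    events = parse_log(text)
    periods = activity_periods(events)
    return {"periods": periods, "silent_gaps": silent_gaps(periods),
            "presence": presence_indicators(events),
            "accesses": accesses_explained_by_log(accesses, events)}


if __name__ == "__main__":
    r = summarise()
    for start, end, n in r["periods"]:
        print(f"{start:%H:%M}-{end:%H:%M}: {n} message(s) logged")
    for a, b in r["silent_gaps"]:
        print(f"{a:%H:%M}-{b:%H:%M}: no messages (not evidence of no use)")
    print("person present at:", ", ".join(f"{t:%H:%M}" for t in r["presence"]))
    print("file accesses explained by logged activity:", r["accesses"])
```

With the constructed records the script reports three clusters of logged activity (13:51 to 14:08, 15:35, and 17:35), two silent gaps between them, and presence indicators at 14:02 and 17:35 only, which mirrors the structure of the report's findings; the service logons at 13:51, 14:08 and 15:35 are deliberately not counted as presence, since they need no one at the keyboard. The file access at 16:20 falls in a silent gap with no nearby event and is flagged as unexplained, which is the case that would call for further examination rather than a conclusion either way.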