Computer Expert Witness
Graham Dilloway CITP MBCS
Computer Expert Witness

Chartered IT Professional and Member of British Computer Society

Listed in Register of Expert Witnesses


Member of the Academy of Experts


View Graham Dilloway's profile on LinkedIn

Computer as Alibi Witness

Computer Examination

I expect that a computer expert witness would find good evidence that a computer was being used at a particular date and time if the computer was examined within a few days of that use.  Ongoing use of the computer will reduce the likelihood that evidence of use will be found.

Evidence of computer use can persist for many weeks or months and an examination by an expert witness will find any evidence of computer use that still exists.

An expert witness examination for evidence of computer use is usually worth attempting if the computer was being used and can provide alibi evidence.

Dates and Times

Dates and times get recorded in lots of places when I am using my computer. It is quite likely that I could use evidence from my computer to prove that I was at my desk, using my computer, if I should ever be accused of being somewhere else.

Three dates are stored against every file on a computer.

The Created Date is saved when a file is first given a name and saved to the computer. I might say that I began work on a report at lunchtime. The Created Date would be evidence to support that.

The Modified Date is changed every time that the content of a file is changed. Only one Modified Date is stored and the date is replaced every time that the file is updated. I might say that I spent all afternoon working on a report. The Modified Date would show the time of the last change to the file.

The Accessed Date is changed when a file is accessed for reading and for updating. The Modified and Accessed Dates will be the same when the last use of a file was to change the content. I might say that I spent an hour reading through my report after I finished typing. The Accessed date would be an hour later than the Modified Date.  The accessed date is not used by default in recent versions of Windows.  A examination of the computer and its circumstances will be able to show the reliability of the Accessed Date on a computer.

Event Logs

The Windows operating software records messages about events in the Event Log.

Notable examples of these event log messages include messages recording the date and time that a computer is switched on and switched off. The start and end of “sleep” is also recorded.

The Event Log does not record all of the activity on a computer. There can be periods of an hour or more when no messages are written to the Event Log even though the computer is being used.

Not all messages that are written to the Event Log are evidence that the computer is being used. There is some software that is running continuously on the computer to perform housekeeping tasks. This housekeeping software causes messages in the Event Log even when the computer appears to be doing nothing.

Web Browsing

Some software programs include features and functions that store dates and times. Web browsers are a good example of software that stores dates and times.

Everything that is displayed on screen when browsing the web is also stored on the computer. Viewing a single web page can cause several files to be created and stored on the computer. Each of these files will have a created date.

I might spent an hour browsing the web and clicking from page to page. One or more files will be stored for each page that I view. Subsequent examination of the Creation Dates for these files will show the period of web browsing.

Web browsers include a History function. I can display a list of all of the websites that I viewed yesterday and going back thirty days. This History is stored on the computer and can be examined.

Other Software

There are many different software programs that store information from previous uses. Some software stores revision and version information in data files to allow us to revert to a previous version of a document.

The computer needs to be examined to see the files that have been stored and the software that has been used to create these files. This examination may find unexpected sources of evidence regarding the use of the computer.

Preserve the Date and Time Evidence

The capacity of a computer is not limitless. Most of the mechanisms for storing dates and times have are designed to prevent the computer becoming full of log files and other stored date and time information.

Web browser software stores files that have been viewed on screen. The space used to store these files is limited and older files are deleted to make space for new file.

Event Logs are limited in size. Older Event Log messages are deleted to make space for new messages.

Only a single Modified or Accessed Date is stored for a file. I might update a file every day for a month and then read the content of that file on several subsequent days. An examination of the computer would only find evidence of the most recent update and the most recent reading.

Any computer that is thought to contain evidence of use at a particular date and time should be switched off and not used until it can be examined.

Computer as Alibi Witness

I was asked to examine the computer of a defendant charged with committing a crime at a very specific time and place. A witness has called 999 to say that the crime ha been committed moments earlier and only a few metres away. The witness had later picked out the defendant in a video identity parade.

Examination of the Event Logs and other data on the computer showed that the computer had been switched on, used for a few minutes, allowed to go to sleep and then woken and used again some time later. The interval between the time of the first use and the second use was not long enough to allow the accused to get to the scene of the crime.

The defendant lived alone and there was nothing to suggest that anyone else had used the computer on the day in question.

The prosecution accepted that the witness identification was mistaken and the charges were dropped.

Who Used the Computer?

Several people were charged in a conspiracy to import drugs. Parcels of drugs were transported using legitimate shipping companies. Documents were fabricated to identify the parcels of drugs as spare parts, manuals and other material.

I was instructed by the solicitors for one of the defendants. The police had examined the defendant's computer and had found examples of the fabricated documents used to identify the parcels of drugs. My instructions were that there should be evidence of use of the computer by persons other than the defendant.

My examination of the computer found architectural drawings and other documents that had been prepared as part of a property redevelopment project. The defendant had been involved in the property project and had paid for the drawings to be prepared using the computer. The person paid to do the work was the son of one of the others charged in the conspiracy.

The prosecution accepted that it was not possible to be sure that the defendant had created all or any of the incriminating documents and the charges were dropped.

Internet Access as an Alibi

A solicitor called seeking advice. His client was charged with committing an offence at a specific time. The client was saying that he was playing an online game at the time. An online game is where many people connect to a game via the Internet.

The solicitor had obtained confirmation from the game company that someone using the clients username had played the game at the relevant time. The game company had provided the Internet address of the computer used to play the game.

I was able to identify the Internet service company that had provided an Internet connection using the Internet address provided by the game company. Internet service companies keep a record of Internet address and the customers that use them. It is likely that the solicitor would have been able to confirm the street address being used by the Internet address provided by the game company.

Online Gaming

After a burglary, it was said that the alleged thief had entered the home through an open window while the occupant was in another room.  The occupant had been out of the room for only a few moments and the time of the crime was known to within about five minutes.

The accused told police that he was at home playing an online video game at the time of the crime.  I was contacted by the defence solicitor early in the proceedings and I told the solicitor that there was a good chance of finding evidence of online activity if the computer was switched off and not used until it could be examined.

I examined the computer several weeks after I had first spoken to the solicitor.  My examination found evidence that the computer had been used on days before and after the burglary but not on the day of the burglary.  Additionally, I found evidence that someone had emptied the computer's event logs after the burglary.  The event logs contained only messages that had been created after the logs had been emptied..  The absence of any evidence that the computer had been used was not evidence that the computer had not been used.

Summary

There are many and various ways that information stored on a computer can be used to show when a computer was being used.

It is sometimes possible to show that a computer was being used by more than one person.

Some of the date and time and other information stored on a computer has a limited shelf life and is automatically deleted after a time. It is important to switch off and to stop using a computer that may contain useful evidence.

An expert witness in IT and computers may be able to find alibi evidence on a computer many weeks or months after the event.