Comparison of Dates from Several Sources of Evidence

The Author

1. This report was prepared by Graham Dilloway of 39 Conham Hill Bristol BS15 3AW. I am a Member of the British Computer Society, the chartered professional body for the computer industry in the UK. I am a member of the Academy of Experts and of the Expert Witness Institute. I have worked with computers for more than 30 years. This work has all involved the implementation and configuration of computers, their operating systems and the core software applications of a computer environment (e.g. word processors and spreadsheets). I have worked with personal computers almost exclusively for more than fifteen years.

Instructions

2. My instructions were agreed in a telephone conversation with Company S Solicitors on 22 October 2002 and I understand my instructions to be:
"Report upon the timing and other differences between the three sources of information regarding Internet access."

3. This report is based upon the bundle of documents sent to me by Company S Solicitors, together with a letter dated 26 April 2002 that describes the documents as:
"Statements of Police Technical Officer Mr W" and "Exhibits NJH 76 - 86".

4. I visited the offices of the police computer crime unit on 13 June 2002 and examined copies of the hard drives from Mr D’s computer. Subsequently, and at my request, Mr W created some computer files containing Internet History information and copies of the folders and files containing e-mails sent and received from the computer using the AOL e-mail program. I received these files from Mr W on a CD that I collected from Staple Hill police station in Bristol on 29 July 2002. I have used the information in these files during the preparation of this report.

5. I attended a meeting at the offices of Company S Solicitors on about 10 October 2002. At that meeting, I was given a printed list of files from the Internet. A date and time was recorded against each file. I was told that the list had been received from the police and that the solicitors understood the list to be a record of all Internet accesses by Mr D's computer with the time that each access occurred.

6. The dates recorded on a computer are the date that the computer is set to at the time that data is written to the disk. The computer has a clock that automatically maintains this date. The date and time of this clock is easily changed by a person using the computer. Any assumption that the dates and times recorded on the computer are correct requires a parallel assumption that the computer clock is correct. In my experience, the date of computer clocks is usually accurate unless it has been deliberately changed. I know of no reason why the date of a computer clock would be deliberately changed in normal operation. In my experience, the time of a computer clock is usually wrong by a few minutes and sometimes wrong by a few hours.

7. Mr W says in his statement dated 21 February 2002, "The current date and time of the machine is not retrievable". I do not know of any technical way that the reliability of the dates and times recorded on the computer can be checked if the computer clock cannot be checked for accuracy.

Internet History and Cache

8. Typically, a person using a computer to read pages of information and images from the Internet uses a program called a browser. The browser stores information about the pages that are being viewed and this information is stored in various places on the computer.

9. Information is stored in a folder usually called Temporary Internet Files that is often referred to as the cache. The information in the cache is used when a particular page is viewed on a second or subsequent occasion to avoid the delay involved in again obtaining the information from the Internet.

10. Each folder on a computer includes a directory of the files in that folder. The directory records information about each file that includes the "Last Accessed", "Last Written" and "File Created" dates for each file as described by Mr W in his statement of 21 February 2002. The Internet cache folder has a directory that records this same date information. The dates and times in the table in Mr W’s statement of 21 February 2002 were obtained from the directory.

11. The Internet cache folder also includes an additional index that holds information about each file in the cache. This additional information includes data that is not relevant to "ordinary" files (such as documents created with word processing software). An example of the additional information stored in the cache index is the date and time that a file in the cache was "Server Modified". This is the date and time that a file in the cache was most recently changed on the Internet server from which the file was obtained.

12. The dates and times in the printed list that was given during my visit to the solicitors on 10 October 2002 were obtained from the cache index and not from the directory.

13. The dates and times in the records on the CD that was prepared for me by the police and that I received on 29 July 2002 were obtained from the cache index and not from the directory.

14. The pages in the cache may be deleted automatically by the browser to make room for more recent pages. The pages in the cache may be deleted manually by the person using the computer. The cache may not contain all of the Internet pages that have been viewed on the computer.

15. Information is stored in a folder usually called History. This information is an identifying record for every page on the Internet that has been viewed. Typically, the History folder contains information for every page viewed during the four weeks prior to the most recent use of the browser. Additionally, the History folder contains information about accesses to some of the files stored on the hard disk of the computer.

16. The software used by the police during their examinations of computers is called EnCase. One of the functions of EnCase is to merge the content of the cache and History folders to show all references to Internet pages for which information is still available on the computer. This merged information also includes references to accesses of some of the files stored on the hard disk of the computer. Mr W used EnCase to create a set of merged files and I received the files on a CD on 29 July 2002.

17. The merged files were in a format that allowed me to read the files from the CD into the Excel spreadsheet program and the Access database program. I read all of the files into a single database that then contained all of the Internet access information provided by Mr W.

Date Comparison

18. Mr W’s statement of 21 February 2002 includes a table of files together with a "Last Accessed" date, "Last Written" date and time, and "File Created" date and time for each file. The version of Windows used on Mr D’s computer does not record a "Last Accessed" time value.

19. For every file in Mr W’s statement, except "angel12", the "File Created" date is the same as the "Last Accessed" date. This indicates that the file was most recently viewed on screen on the same day that the file was obtained from the Internet and first viewed on screen.

20. Appendix A contains a table with the following columns. (The content of the table has been deleted from this copy of the report.)

Row No.: A row number to identify each record in the table.

File Name from Mr W’s statement of 21 February 2002: The file name in the leftmost column of the table in Mr W’s statement.

"File Created" date from Mr W’s statement of 21 February 2002: The value from the "File Created" column in Mr W’s statement. This value comes from a folder directory.

"Last Accessed" from the CD received by me on 29 July 2002: The "Last Accessed" recorded for each file that has a record on the CD. This date comes from the cache or history index.

"Date and Time" from the list given to me by solicitors on 10 October 2002: The column containing these values has no heading on the list.

"Internet Reference" from the CD received by me on 29 July 2002: The name that would be used to access the file on the Internet from web browser software running on Mr D’s computer.

21. For all files that have an entry in the "Last Accessed" (obtained from the CD) column, except the file called "1", the entry in the "Last Accessed" column is within a few seconds of being one hour later than the entry in the "File Created" (obtained from Mr W’s statement) column.

22. It is not likely that every one of these files was accessed again (i.e. "Last Accessed") almost exactly one hour after the file was first accessed and the file was created in the cache (i.e. "File Created"). It is more likely that each file was accessed only once and that the "Last Accessed" and "File Created" times should be almost exactly the same.

23. The Microsoft web site includes pages that describe date and time values. Appendix B includes partial content from three of the pages on the Microsoft web site that discuss time values.

24. The first document in Appendix B (filetime_str.asp) says, in part, "FAT records times on disk in local time." The technology used to maintain files, folders and directories in the version of Windows used on Mr D's computer is known as FAT. "Local time" means the time shown on the computer clock. "Local Time" does not take account of variations due to time zones across the world.

25. The second document in Appendix B (file_times.asp) says, of daylight saving time (e.g. British Summer Time), "When you restart the machine, the cached time retrieved by GetFileTime will be correct."

26. The third document in Appendix B describes the data stored in an Internet cache index entry and says, of "Last Modified Time" and of "Last Access Time" that the time is stored in "Greenwich Mean Time" format.

27. All of the "File Created" dates in Appendix A are in December 2000 or January 2001 and "Local Time" on the computer would be the same as Greenwich Mean Time because "Summer Time" does not apply. The "Local Time" used by FAT to store dates and times in the directory should be the same as Greenwich Mean Time used to store dates and times in the cache index.

28. It is my understanding from the pages on the Microsoft web site that the time values in the "Last Accessed" value from the cache index and from the "File Created" value in the cache folder directory should be almost the same when the file is viewed only once and the file is created and last accessed simultaneously.

29. The time in the "File Created" column of Appendix A (obtained from Mr W’s statement of 21 February 2002 using data from the cache folder directory) should be the same as the time in the "Last Accessed" column (obtained from the CD created by Mr W using data from the cache index) and should not be almost exactly one hour different.
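The conversion behaviour quoted from the Microsoft pages in Appendix B can be shown with a short Python example, added here and not part of the report or of the tools used by Mr W. It decodes a FAT directory timestamp (local time) and a FILETIME from the cache index (UTC), then converts the FAT value to UTC either with the offset that applied on the file's own date or, as file_times.asp describes for FindFirstFile, with the offset current on the examining machine. The sample timestamps, the hand-coded UK summer-time rule and the use of 29 July 2002 as the examination date are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)

def filetime_to_utc(ft: int) -> datetime:
    """Decode a FILETIME (100 ns ticks since 1601-01-01 UTC), the form the cache index uses."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt: datetime) -> int:
    """Encode an aware UTC datetime as a FILETIME (used to build the constructed sample)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def fat_to_local(dos_date: int, dos_time: int) -> datetime:
    """Decode a FAT directory entry's packed 16-bit date and time: wall-clock local
    time, no zone information, 2 s resolution. Returned naive on purpose."""
    year, month, day = 1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F
    hour, minute, sec = dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, sec)

def local_to_fat(dt: datetime) -> tuple:
    """Encode a naive local datetime as (dos_date, dos_time); seconds truncate to 2 s."""
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
            (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))

def uk_summer_time(when: datetime) -> bool:
    """UK rule (assumed here): BST from 01:00 UTC on the last Sunday of March to
    01:00 UTC on the last Sunday of October. A naive `when` is read as UTC."""
    def last_sunday(year: int, month: int) -> datetime:
        last = datetime(year + (month == 12), month % 12 + 1, 1, 1, tzinfo=UTC) - timedelta(days=1)
        return last - timedelta(days=(last.weekday() + 1) % 7)
    w = when if when.tzinfo else when.replace(tzinfo=UTC)
    return last_sunday(w.year, 3) <= w < last_sunday(w.year, 10)

def fat_local_to_utc(local: datetime, rule_date: datetime) -> datetime:
    """Convert a FAT local time to UTC with the offset in force on rule_date: rule_date=local
    gives the true instant; rule_date=the examiner's clock mimics the quoted FindFirstFile rule."""
    offset = timedelta(hours=1) if uk_summer_time(rule_date) else timedelta(0)
    return (local - offset).replace(tzinfo=UTC)

# Constructed sample: a page fetched once at 14:30 GMT on 15 December 2000, so the
# FAT "File Created" entry and the index "Last Accessed" entry mark the same instant.
SAMPLE_LOCAL = datetime(2000, 12, 15, 14, 30, 0)
SAMPLE_INDEX_UTC = datetime(2000, 12, 15, 14, 30, 0, tzinfo=UTC)
EXAMINED_AT = datetime(2002, 7, 29)  # assumed examination date, during BST

def last_accessed_minus_file_created(examined_at: datetime = EXAMINED_AT) -> tuple:
    """(index minus directory using the file's own offset, the same using the examiner's
    current offset); the second is what a converter applying today's DST setting reports."""
    created = fat_to_local(*local_to_fat(SAMPLE_LOCAL))
    accessed = filetime_to_utc(utc_to_filetime(SAMPLE_INDEX_UTC))
    return (accessed - fat_local_to_utc(created, created),
            accessed - fat_local_to_utc(created, examined_at))
```

With the sample values the first difference is zero and the second is exactly one hour, although both records describe a single event.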

30. It is likely that there have been two different files called "1" stored on Mr D’s computer and that some of the entries recorded in Appendix A are for one file and some entries are for another file.

31. The values in the "Date and Time" column (obtained from the solicitors list) rarely correspond with the values in the other columns of the table.

32. In all cases where a value was found in the solicitors’ list, the values in the "Date and Time" column (obtained from the solicitors’ list) are identical to the "Server Modified" values in the records on the CD. The printed list that I was given by the solicitors is a list of the times that the operators of the various web sites updated each of the pages listed on their server on the Internet.

Last Access Date

33. Mr W, in his statement of 21 February 2002, says, of a file copied to a floppy diskette, "… you would notice that the file (on the floppy) was created after it was last written or even accessed." I have been unable to recreate this as regards "Last Access". In my tests, the "Last Access" date for a file copied to a diskette is the same as the date that the file was copied and is never earlier than the "File Created" date. My tests were run under Windows 2000 and Windows 98.

Summary

34. The date and time values that a file in the Internet cache was "File Created" and "Last Accessed" should often be almost the same and should not be almost exactly one hour different for every file.

35. The date and time values in the list given to me by the solicitors on 10 October 2002 are the dates and times that files were created or modified on servers on the Internet and are not the dates and times that these files were accessed by Mr D’s computer.

36. The "Last Access" date for a file on diskette will not be earlier than the "File Created" date after the file is copied to the diskette.

37. I understand my duty to the Court and I confirm that I have complied with and will continue to comply with that duty.

38. I confirm that insofar as the facts stated in my report are within my own knowledge I have made it clear which they are and I believe them to be true, and that the opinions I have expressed represent my true and complete professional opinion.

Graham Dilloway

24 October 2002

39 Conham Hill

Bristol

BS15 3AW

Appendix A

Columns: Row Number; File Name (Mr W’s Statement); "File Created" (Mr W’s Statement); "Last Accessed" (CD); Date and Time (Solicitor’s List); Internet Reference (CD)

The content of this table has been deleted from this copy of the report.

Appendix B

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/filetime_str.asp


Not all file systems can record creation and last access time and not all file systems record them in the same manner. For example, on NT FAT, create time has a resolution of 10 milliseconds, write time has a resolution of 2 seconds, and access time has a resolution of 1 day (really, the access date). On NTFS, access time has a resolution of 1 hour. Therefore, the GetFileTime function may not return the same file time information set using the SetFileTime function. Furthermore, FAT records times on disk in local time. However, NTFS records times on disk in UTC. For more information, see File Times.

Requirements

Windows NT/2000/XP: Included in Windows NT 3.1 and later.
Windows 95/98/Me: Included in Windows 95 and later.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/file_times.asp


FAT records times on disk in local time. GetFileTime retrieves cached UTC times from FAT. When it becomes daylight saving time, the time retrieved by GetFileTime will be off an hour, because the cache has not been updated. When you restart the machine, the cached time retrieved by GetFileTime will be correct. FindFirstFile retrieves the local time from FAT and converts it to UTC using the current settings for the time zone and daylight saving time. Therefore, if it is daylight saving time, FindFirstFile will take daylight saving time into account, even if the file time you are converting is in standard time.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wininet/wininet/internet_cache_entry_info.asp


INTERNET_CACHE_ENTRY_INFO

Contains information about an entry in the Internet cache.

typedef struct _INTERNET_CACHE_ENTRY_INFO {
    DWORD dwStructSize;
    LPTSTR lpszSourceUrlName;
    LPTSTR lpszLocalFileName;
    DWORD CacheEntryType;
    DWORD dwUseCount;
    DWORD dwHitRate;
    DWORD dwSizeLow;
    DWORD dwSizeHigh;
    FILETIME LastModifiedTime;
    FILETIME ExpireTime;
    FILETIME LastAccessTime;
    FILETIME LastSyncTime;
    LPBYTE lpHeaderInfo;
    DWORD dwHeaderInfoSize;
    LPTSTR lpszFileExtension;
    union {
        DWORD dwReserved;
        DWORD dwExemptDelta;
    };
} INTERNET_CACHE_ENTRY_INFO, *LPINTERNET_CACHE_ENTRY_INFO;

Members

dwStructSize

Size of this structure, in bytes. This value can be used to help determine the version of the cache system.

lpszSourceUrlName

Pointer to a null-terminated string that contains the URL name. The string occupies the memory area at the end of this structure.

lpszLocalFileName

Pointer to a null-terminated string that contains the local file name. The string occupies the memory area at the end of this structure.

CacheEntryType

Cache type bitmask. Currently, the cache entry type value of resources from the Internet is equal to zero. For History and Cookie entries, the cache entry type is a combination of two values. One value determines how the cache entry is handled; the second value indicates what is being cached.

This member can be one of the following values.

EDITED_CACHE_ENTRY: Cache entry has been altered since it was downloaded from the Internet.

NORMAL_CACHE_ENTRY: Normal cache entry; can be deleted to recover space for new entries.

SPARSE_CACHE_ENTRY: Not currently implemented.

STICKY_CACHE_ENTRY: Sticky cache entry that is exempt from scavenging for the amount of time specified by dwExemptDelta. The default value set by CommitUrlCacheEntry is one day.

TRACK_OFFLINE_CACHE_ENTRY

TRACK_ONLINE_CACHE_ENTRY

Indicates what is being cached. This member can be one of the following values.

COOKIE_CACHE_ENTRY: Cookie cache entry.

URLHISTORY_CACHE_ENTRY: Visited link cache entry.

dwUseCount

Current user count of the cache entry.

dwHitRate

Number of times the cache entry was retrieved.

dwSizeLow

Low-order portion of the file size, in TCHARs.

dwSizeHigh

High-order portion of the file size, in TCHARs.

LastModifiedTime

FILETIME structure that contains the last modified time of this URL, in Greenwich mean time format.

ExpireTime

FILETIME structure that contains the expiration time of this file, in Greenwich mean time format.

LastAccessTime

FILETIME structure that contains the last accessed time, in Greenwich mean time format.

LastSyncTime

FILETIME structure that contains the last time the cache was synchronized.

lpHeaderInfo

Pointer to a buffer that contains the header information. The buffer occupies the memory at the end of this structure.

dwHeaderInfoSize

Size of the lpHeaderInfo buffer, in TCHARs.

lpszFileExtension

Pointer to a string that contains the file extension used to retrieve the data as a file. The string occupies the memory area at the end of this structure.

dwReserved

Reserved. Must be zero.

dwExemptDelta

Exemption time from the last accessed time, in seconds.

Remarks

There is no cache entry size limit, so applications that need to enumerate the cache must be prepared to allocate variable-sized buffers. For more information, see Using Buffers.

Requirements

Windows NT/2000/XP: Included in Windows NT 4.0 or later.
Windows 95/98/Me: Included in Windows 95 or later.