Computer Expert Witness
Graham Dilloway CITP MBCS
Computer Expert Witness

Chartered IT Professional and Member of British Computer Society

Listed in Register of Expert Witnesses


Member of the Academy of Experts


View Graham Dilloway's profile on LinkedIn

Internal and Windows File Dates

The defendent was accused of cultivating cannabis for many years based on the creation date of a spreadsheet file. My examination showed that the date could not be relied on.

Mr D was accused of being involved in the cultivation of cannabis.  The Prosecution alleged that this cultivation had been ongoing for many years and cited the internal file creation date from a spreadsheet file.  I was able to show that the internal date of a spreadsheet file was not a reliable indicator of the true creation date for the file.

Computer Expert Witness Report

Regina vs. D

The Author

1.                  This report was prepared by Graham Dilloway of 39 Conham Hill Bristol BS15 3AW.  I am a Member of the British Computer Society, the chartered professional body for the computer industry in the UK.  I am a member of the Academy of Experts.  I have worked with computers for more than 30 years.  This work has all involved the implementation and configuration of computers, their operating systems and the core software applications of a computer environment (e.g. word processors and spreadsheets).  I have worked with personal computers almost exclusively for more than twenty years.

Instructions

2.                  I was first instructed by Sa Solicitors in 2010 and prepared a report to meet their instructions.  I have been instructed by S Solicitors in January 2011 following their receipt of additional Prosecution evidence.

3.                  My instructions have been discussed with Sa Solicitors and I understand my instructions to be that I should prepare a report discussing the creation and other dates for computer files related to growing cannabis.  Additional instructions are in a letter  January 2011, received by email, from S Solicitors that says, “ … comment upon the creation date and authorship of the Prosecution exhibit ‘grow.xls’ excel spreadsheet”.

4.                  I received a bundle of documents from Sa Solicitors with a covering letter dated  August 2010.  The bundle included a “Forensic Analysis Report” authored by Mr B and dated October 2009.  I have a copy of DC B’s statement dated December 2010 received by email from S Solicitors.

5.                  On September 2010, I received an email from K of Police enclosing a copy of a spreadsheet file called “grow.xls”.

UK420 Web Page

6.                  Pages 15 through 27 of DC B’s report appear to be a print of a web page that has been saved to the hard drive of a computer.

7.                  I can view web pages using web browser software such as Internet Explorer.  I can click File and then Save As … to create a file that contains a saved version of the web page that is being displayed on screen.

8.                  The web page displayed on pages 15 through 27 of DC B’s report is from the UK420 website.  This site is concerned with the cultivation and use of cannabis.  The site includes a bulletin board where visitors to the site can post messages and reply to messages left by others.

9.                  The web page displayed on pages 15 through 27 of DC B’s report is several pages of messages posted by visitors to the UK420 website.  Page 27 includes the date “September 20” (the year has been truncated) and this indicates the date that the web page was displayed and saved.  The print in DC B’s report says, “File Created xx/09/yy …” (at the top of each page) and this is the date that the file was created on the hard drive of the computer.

10.              The evidence regarding the print on pages 15 through 27 of DC B’s report is consistent with a web page from the UK420 web site having been saved on September and no earlier.

File Dates

11.              The Windows operating system maintains three dates for a file:
·         Date Created is the date that a file was first created.  Copying a file from one folder to another can change the created date.  The current created date is not always the original created date.
·         Date Modified is the date of the most recent change to the content of the file.  A change to a file might not always be visible.  For example, I might open a file to view the content.  I might accidentally touch the keyboard causing a change to the file.  I might delete the change so that the content of the file reverts to be the same as when I opened the file.  The date modified will still be changed.  The date modified is not always the date of the most recent visible change to the content of the file.
·         Date Accessed is the date of the most recent access to the file for any purpose.  The last accessed date will be changed by an action that does not change the content and does not change the last modified date.  The last accessed date is also changed if the last modified date is changed.  Some software might cause the last accessed date to be changed when the content of the file has not been viewed.  For example, I might move a file from one folder to another without viewing the content.  The software that I use to move the file might cause the last accessed date to be changed.

12.              On Page 9 of the Forensic Analysis Report prepared by DC B, and referred to as B/1, the file grow.xls is shown to have a File Created date of March.  This date is the date maintained by Windows and may not be the date that the file was originally created.  The file may have been copied or moved in a way that caused the Created date to be changed.

13.              I spoke on the telephone with DC B on  January regarding the dates for grow.xls.  DC B told me that the Date Modified was  February and the Date Accessed was March.

grow.xls

14.              Pages 9 through 14 of DC B’s report appear to be a print of a spreadsheet file called grow.xls.

15.              I have a copy of the spreadsheet file sent to me by Police.

16.              I can open grow.xls using Excel software.  I can click on File then Properties and click on the Statistics tab …

17.              DC B, in his statement dated October says, of the file grow.xls, ”… viewing the properties, the actual date of creation was xx/12/yy”.  DC B is describing the process that I have followed to produce the screenshot above.  The Created date shown in the screenshot above has been inserted into the spreadsheet file by the Excel software and is not altered by moving or copying the file in the same way as the Created date maintained by Windows.

18.              I clicked File and then Save As … and saved the spreadsheet file with the file name “NOTgrow.xls”.  I deleted the content of the spreadsheet and closed and re-opened the NOTgrow.xls file and then displayed the properties …

19.              The screenshot above shows an empty spreadsheet with the file name NOTgrow.xls and a Created date of December.

20.              The Created date held in the properties of a spreadsheet file is retained when the content and name of the file are changed.

21.              The current name and content of a spreadsheet file are not evidence that the file has had similar content or the same name throughout the period since the Created date shown in the file Properties.

22.              In his statement dated December, DC B says, of grow.xls, “… the author of the file is recorded as follows: D” and “When a user first installs Office on their computer it requests the owner’s details …” and “ … it is these details that are transferred to any file …” and “ … this title can be manually altered at a later date …”.

23.              I was asked to enter my name when I installed Excel software on my computer.  Every spreadsheet that is created using Excel on my computer will have my name as the Author in the same way that “D” is the author as described by DC B in his statement dated December.  I am not the only person to use my computer and the computer may have been used to create a spreadsheet file that has my name as the author of the file even though I had nothing to do with the creation of the file.

24.              I can open NOTgrow.xls using Excel software.  I can click on File then Properties and click on the Summary tab …

25.              The screenshot shown above was produced using the same process as described by DC B in his statement dated December .

26.              The screenshot above shows that the value in Author, i.e. “D”, does not change when the content and name of the spreadsheet file are changed.

27.              It is my opinion that the presence of “D” as the author of grow.xls does not make it more likely or less likely that the file has had similar content or the same name throughout the period since the Created date shown in the file Properties.

Dates on Letter

28.              Page 59 of DC B’s report appears to be a print of a letter file called deeds.doc.

29.              The text of the letter deeds.doc includes the date “November”.  The “File Created” date shown by DC B for this file is “xx/03/yy”.  “xx/03/yy” is the date assigned to the file by the Windows operating system.  The variation in dates is because the letter file has been moved or copied and a new creation date was created by the move or copy.

30.              The created date assigned to a file by the Windows operating system cannot be relied upon as the original date that a document was first created.

Summary

31.              The evidence regarding the print on pages 15 through 27 of DC B’s report is consistent with a web page from the UK420 web site having been saved on September and no earlier.

32.              The current name and content of a spreadsheet file are not evidence that the file has had similar content or the same name throughout the period since the Created date shown in the file Properties.

33.              The created date assigned to a file by the Windows operating system cannot be relied upon as the original date that a document was first created.

34.              It is my opinion that the presence of “D” as the author of grow.xls does not make it more likely or less likely that the file has had similar content or the same name throughout the period since the Created date shown in the file Properties.

35.              I understand my duty to the Court and I confirm that I have complied with and will continue to comply with that duty.

36.              I confirm that insofar as the facts stated in my report are within my own knowledge I have made it clear which they are and I believe them to be true, and that the opinions I have expressed represent my true and complete professional opinion.

Graham Dilloway
Computer Expert Witness

January
39 Conham Hill
Bristol  BS15 3AW