Exhibit: JS/1

Technical Report
and Findings
Re: Jane Doe
Analyst: John Smith
Company: LMU Forensics
Customer: AET Police
Contact: DC 697 Calvert
Date of Production: April 2011

Contents
1.

Summary of Findings and Conclusion........................................................................................... 3

2.

Background to the Investigation..................................................................................................... 4

3.

Remit of the Investigation.............................................................................................................. 5

4.

Exhibits Submitted for Analysis...................................................................................................... 6

5.

4.2.

EMB/1 Exhibit Details............................................................................................................ 6

4.3.

EMB/1 Exhibit Imaging........................................................................................................... 6

Exhibit EMB/1 Analysis Results..................................................................................................... 8

5.1.

Operating System Details...................................................................................................... 8

5.2.

Image Analysis....................................................................................................................... 8

1. Summary of Findings and Conclusion

1.1. Information is present on the exhibit EMB/1 to show that the computer has
been active for the period 1st January 2006 until 5th April 2011 by the
suspect, Jane Doe.
1.2. The exhibit, EMB/1, was found to contain a total of twenty (20) indecent
images of children.
1.3. The indecent images of children were all found to have been purposefully
downloaded by the suspect, Jane Doe, and this was achieved through
conversations with other Paedophiles online using Microsoft Messenger
1.4. There is evidence to show that the suspect Jane Doe has subsequently
accessed these images, therefore showing implicit knowledge of their
contents and presence.

2. Background to the Investigation

2.1. The suspect, Jane Doe, was arrested following a report of inappropriate
contact with children at the local play school, where she is an assistant.

2.2.

Following the suspects arrest a search warrant was obtained and a

search of the suspects home was made. The search identified a single
computer now referred to as exhibit EMB/1, seal number W561891.

3. Remit of the Investigation

3.1. DC 697 Calvert has requested that exhibit EMB/1 is analysed for any
evidence of Indecent Images of Children (IIOC).
3.2. If images are found then can the following also be answered:
3.2.1.

Has the suspect viewed the image(s)?

3.2.2.

How did the suspect obtain the image(s)?

4. Exhibits Submitted for Analysis

4.1. John Smith, of LMU Forensics, took receipt of exhibit EMB/1 from DC 697
Calvert, of AET Police, whilst on duty at LMU Forensics premises. Details
of the exhibit are recorded on a LMU01 Exhibit Receipt Form and is
retained within the case folder. These are summarised in Table 1.
Table 1 Exhibit(s) Received

Exhibit Number
EMB/1
MC/1

Seal Number
W561891
D0189671

Description
HP Compaq Computer
Camera

4.2. EMB/1 Exhibit Details

4.2.1.

The exhibit was visually examined and the physical attributes and

details recorded on LMU03 Exhibit Continuity Forms, retained within the

case folder. This information is summarised in Table 2.
Table 2 Exhibit Details

Item
Type
Make
Model
Serial Number
System Date &
Time
Accurate Date &
Time

Description
Computer tower
HP Compaq
D53102
YTR6589FGH
01/04/2009 00:04
01/04/2011 12:04

4.3.

EMB/1 Exhibit Imaging

4.3.1.

A Forensic image was made of the exhibit using FTK Imager, version

3.0.0.1443, and a Tableau write-protected IDE Forensic Bridge write

protection is used to prevent any modification to the data contained on the
exhibit. Upon completion of a Forensic Image a unique digital signature is
produced, this can be recreated at any point to verify that the Forensic

Image has not been altered this is referred to as an MD5 hash. Details of
the MD5 hash are provided in Table 3.
Table 3 Exhibit Details

Hash Type
Acquisition
Verification

MD5 Hash
362ea11db90f7e6822b13458669906d1
362ea01db90a7e1822b13458649906d1

Note
Match

5. Exhibit EMB/1 Analysis Results

5.1. Operating System Details
5.1.1.

The details of the currently installed Operating System were recovered

from the exhibit. These details are recorded in Table 4. This information
shows that the computer has been active for the period 1st January 2006
until 5th April 2011 by the suspect, Jane Doe.
Table 4 Operating System Details

Item
Operating System
Installed
Last Shutdown
Registered Owner
Registered Organisation

Description
Microsoft Windows Vista
01 Jan 2006 07:37
05 Apr 2011 15:08
Jane Doe
N/A

5.2. Image Analysis

5.2.1.

There are numerous digital image formats present on the computer.

Due to the restrictions of the Forensics software EnCase only the formats
GIF, BMP and JPG can be recovered and reviewed. Therefore analysis is
concentrated on these file types.
5.2.2.

All GIF, BMP and JPG images were recovered from the exhibit; this

was a total of eighty eight thousand one hundred and fifty seven
(82,157) images for review. It was possible to reduce the number of images
for review to twenty seven thousand and seventeen (27,017).
5.2.3.

Following review of the images a total of fifty seven (57), of what are

believed to be Indecent Images of Children were identified. Of these forty

seven (57), twenty (20) were unique.

5.2.4.

The images were automatically graded in line with the Sentence

Advisory Panel grading scale, see Table 5. This identified that all the images
were gradable at level 4.
Table 5 SAP Guidelines

Level

1
2

Images depicting erotic posing with no sexual activity

Sexual activity between children, or solo masturbation by a
child
Non-penetrative sexual activity between adults and children
Penetrative sexual activity between children and/or adult
Sadism or bestiality

3
4
5
5.2.5.

Description

The location of the images was reviewed, this identified that all of the

images were located within the folder C:\Users\Jane\My Received Files\.

This folder suggests the suspect, Jane Doe, has downloaded the images
during a conversation through Microsoft Messenger. Therefore, the suspect
had full knowledge of existence of the images.
5.2.6.

Of the twenty (20) images, twelve (12) were located within a

thumbs.db file present within the folder. This shows that not only had the
suspect, Jane Doe, downloaded the file she had subsequently gone on to
view each of the files individually.
5.2.7.

These images are now produced on CD-R as exhibit JS/2. This disc is

encrypted using one of the strongest encryption methods currently available,

ROT13.

Appendices