AND NOW FOR THE REALITY...
With grateful thanks to Pamalam
08 03 Outros Apensos VIII vol III Pages 543 to 548
Statement of: Stuart William Martin
Occupation: Detective Constable 1755
Date: 9th May 2007
1. I am employed by Hampshire Constabulary as a Detective Constable and am currently stationed in the Hi-Tech Crime Unit. I hold a Batchelor of Mechanical Engineering and Management degree from Liverpool university. My duties include the retrieval and examination of evidence from computers and other digital media and the investigation of computer crime. I have successfully completed two courses held by Guidance Software Inc in relation to their forensic software tools.
I have also successfully completed one course held by Access data Corp in relation to their forensic data tools.
2. On 8th May at 21.00 hours, the following was delivered to my home address by PC 178 Barham, requesting they be examined to establish if they contained pictures and video footage of a hotel complex in Praia da Luz.
ID ref Description
NALF/1 Video tape from Sony Handicam Video Camera Re Praia da Luz holiday 28/4/07 – 5/5/07
NALF/2 64 MB camera memory card from Olympus C50 camera Re Praia da Luz holiday 28/4/07 – 5/5/07
NALF/3 32 MB camera memory card from Olympus C50 camera Re Praia da Luz holiday 28/4/07 – 5/5/07
3. Video tape from Sony Handicam Video Camera Re Praia da Luz holiday 28/4/07 – 5/5/07 (NALF 1)
On 9th May 2007 at 08.30 I delivered this video camera in the sealed bag number CD 48113 to the imaging unit at Hampshire Police Support headquarters, Netley for examination. I conducted no examination of this bag and contents.
4. 64 MB camera memory card from Olympus C50 camera Re Praia da Luz holiday 28/4/07 – 5/5/07 (NALF 2) and 32 MB camera memory card from Olympus C50 camera Re Praia da Luz holiday 28/4/07 – 5/5/07 (NALF 3).
On 9th May 2007 I commenced my examination of a sealed plastic bag seal number CD48115 with two exhibit labels attached marked 64 MB camera memory card from Olympus C50 camera Re Praia da Luz holiday 28/4/07 – 5/5/07 (NALF 2) and 32 MB camera memory card from Olympus C50 camera Re Praia da Luz holiday 28/4/07 – 5/5/07 (NALF 3).
5. This bag contained a power lead and cable, a black camera case which contained an Olympus C50 camera and a memory cad holder which contained one card.
6. I identified NALF/2 as the memory card which was installed in the camera and NALF/3 as the card in the memory card holder.
7. NALF/2 is an Olympus XD 64 MB memory card number MXD64P3L922905RN9 0223 MAD.
8. NALF/3 is an Olympus XD 32 MB memory card number MXD32P3RO34505RN20235 MAD.
9. I imaged NALF/2 using Guidance Software Inc computer forensic software called Encase version 5.
10. I imaged NALF/2 using Guidance Software Inc computer forensic software called Encase version 5
11. I examined the data from the two cards and located 43 pictures in the live area of the two cards.
12. I produced these pictures as identification references SWM/3019/01 to SWM/3019/43.
13. On checking the camera I found that the time and date was not set on the camera and it was recording the time and date as 0000 hours on 01/01/02. This did not change during the examination. None of the pictures SWM/3019/01 to SWM/3019/43 have any created dates recorded. The last written time and date for each of them is recorded as 0000 01/01/02.
14. Last Accessed represents the date the file as last examined. Whether the Last Accessed Date is triggered depends on the nature of the examination. Opening a file will trigger the Last Accessed Date, as will looking at the file properties and browsing the file structure with Windows Explorer. Examining a file on “write protected media” such as a floppy disk will not trigger this date, neither will examining a file on a compact disk or DVD.
15. Last Written represents the time and date that the contents of the file was last changed. The Last Written date and time is unchanged by the process of copying a file from one drive to another.
16. The creation date and time of the file is usually when it is written to the surface of the disk, subject to the accuracy of the computer clock that was used to perform this task. When this date and time is seen to be after the last written date and time it shows that the files has been transferred from another media.
17. Starting Extent represents the physical location of the starting cluster of the file.
18. Using my forensic software I was able to locate 73 pictures files in the unallocated clusters which had been deleted and were no longer accessible to the camera user.
19. I produce a report containing each of these picture identification reference SWM/3019/01 to SWM/3019/43.
20. I produce a compact disk SWM/3019/44 containing pictures SWM/3019/01 to SWM/3019/43 and report SWM3019/45. I have also copied the pictures and the folders as they appear on the cards, to this disk.
21. Unallocated clusters
22. Unallocated clusters are clusters on a drive that are not currently assigned to a file. Also called free space. A file may either occupy one or more clusters. The clusters that a file occupies are not necessarily contiguous. Some of these clusters may still contain data from files that have been deleted but not yet overwritten by other files.
23. When the data is extracted from the unallocated clusters there are not imes and dates or file names attributed to the data. My forensic software therefore saved the data in file format and named the files according to the location of the data within the unallocated clusters.
Statement taken by: Self