R v Sexton
[2016] SADC 155
•16 December 2016
DISTRICT COURT OF SOUTH AUSTRALIA
(Criminal)
R v SEXTON
[2016] SADC 155
Reasons for the Verdict of Her Honour Judge Davison
16 December 2016
CRIMINAL LAW - PARTICULAR OFFENCES - OFFENCES AGAINST DECENCY AND MORALITY - CHILD PORNOGRAPHY AND CHILD EXPLOITATION MATERIAL OFFENCES
Accused in possession of multiple electronic devices - seized by Police - analysed by E-Crime - child pornography and/or remnants of it located on four separate devices - denials by accused - possible explanations malware or third party intervention.
Prosecution prove offences beyond reasonable doubt.
Verdict - guilty all counts.
Evidence Act 1929 (SA) s 34P(2)(a), s 34P(2)(b); Criminal Law Consolidaton Act 1935 (SA) s 62, s 63A(1)(b), referred to.
Harriman v The Queen (1989) 167 CLR 590; R v Soteriou [2013] SASCFC 114; R v MJJ, R v CJN [2013] SASCFC 51; Abrahamson v The Queen (1994) 63 SASR 139; Pfennig v The Queen (1995) 182 CLR 461; Perry v The Queen (1982) 150 CLR 580; Peacock v The King (1911) 13 CLR 619; Plomp v The Queen (1963) 110 CLR 234; Barca v The Queen (1975) 133 CLR 82; R v Villaroman (2013) ABQB 279; F,BV v Magistrates Court of South Australia (2013) 115 SASR 232; R v Finnigan (No 3) [2015] SADC 166; R v Daniels (2004) 191 CCC(3d) 393; He Kaw Teh v The Queen (1985) 157 CLR 523; Police v Kennedy (1998) 71 SASR 175; R v Morelli [2010] 1 SCR 253; R v Oliver [2003] 1 Cr App R 28, considered.
R v SEXTON
[2016] SADC 155Introduction
On Wednesday 31 August 2011, detectives from the Sexual Crime Investigation Branch conducted a search of the residential premises of Barrington Sexton (‘the accused’) at Ophir Crescent, Seacliff Park. The accused was not at home. Police executed a search warrant and entry was gained through a window. Police seized a number of computers and electronic storage devices, consisting of three computer towers, one laptop and four portable storage devices also known as USBs.
In late October 2012 forensic electronic analysis of those items commenced and occurred over about 18 months. It is the prosecution case that three computers and a USB displayed evidence that is relevant in this court. The MOEBIUS computer tower which was connected to a monitor in the study of the premises was on and functioning at the time of the police search. This tower was examined and it was found that it contained two hard drives ‘HD1’ and ‘HD2’. The prosecution case is that HD1 and HD2 contained electronic material relevant to proof of the charges however the material which comprises the charges was located on HD2. On the prosecution case all charges of obtaining access involved the use of a Peer to Peer (P2P) file sharing program. In the case of two items of child pornography they were duplicated on HD1and HD2.
The accused was charged with four counts of Obtaining Access to Child Pornography, five counts of Aggravated Obtaining Access to Child Pornography and one count of Possessing Child Pornography.
First Count
Statement of Offence
Obtaining Access to Child Pornography. (Section 63A(1)(b) of the Criminal Law Consolidation Act, 1935).
Particulars of Offence
Barrington Maxwell Peter James Sexton on the 10th day of March 2010 at Reynella, intending to obtain access to child pornography, obtained access to child pornography.
Second Count
Statement of Offence
Aggravated Obtaining Access to Child Pornography. (Ibid).
Particulars of Offence
Barrington Maxwell Peter James Sexton on the 13th day of February 2011 at Reynella or Seacliff Park, intending to obtain access to child pornography, obtained access to child pornography.
It is further alleged that Barrington Maxwell Peter James Sexton committed the offence knowing that the victim of the offence was, at the time of the offence, under the age of 14 years.
Third Count
Statement of Offence
Aggravated Obtaining Access to Child Pornography. (Ibid).
Particulars of Offence
Barrington Maxwell Peter James Sexton on the 13th day of February 2011 at Reynella or Seacliff Park, intending to obtain access to child pornography, obtained access to child pornography.
It is further alleged that Barrington Maxwell Peter James Sexton committed the offence knowing that the victim of the offence was, at the time of the offence, under the age of 14 years.
Fourth Count
Statement of Offence
Obtaining Access to Child Pornography. (Ibid).
Particulars of Offence
Barrington Maxwell Peter James Sexton on the 13th day of February 2011 at Reynella or Seacliff Park, intending to obtain access to child pornography, obtained access to child pornography.
Fifth Count
Statement of Offence
Obtaining Access to Child Pornography. (Ibid).
Particulars of Offence
Barrington Maxwell Peter James Sexton on the 21st day of February 2011 at Reynella or Seacliff Park, intending to obtain access to child pornography, obtained access to child pornography.
Sixth Count
Statement of Offence
Aggravated Obtaining Access to Child Pornography. (Ibid).
Particulars of Offence
Barrington Maxwell Peter James Sexton on the 21st day of February 2011 at Reynella or Seacliff Park, intending to obtain access to child pornography, obtained access to child pornography.
It is further alleged that Barrington Maxwell Peter James Sexton committed the offence knowing that the victim of the offence was, at the time of the offence, under the age of 14 years.
Seventh Count
Statement of Offence
Obtaining Access to Child Pornography. (Ibid).
Particulars of Offence
Barrington Maxwell Peter James Sexton on the 21st day of February 2011 at Reynella or Seacliff Park, intending to obtain access to child pornography, obtained access to child pornography.
Eighth Count
Statement of Offence
Aggravated Obtaining Access to Child Pornography. (Ibid).
Particulars of Offence
Barrington Maxwell Peter James Sexton on the 21st day of February 2011 at Reynella or Seacliff Park, intending to obtain access to child pornography, obtained access to child pornography.
It is further alleged that Barrington Maxwell Peter James Sexton committed the offence knowing that the victim of the offence was, at the time of the offence, under the age of 14 years.
Ninth Count
Statement of Offence
Aggravated Obtaining Access to Child Pornography. (Ibid).
Particulars of Offence
Barrington Maxwell Peter James Sexton on the 28th day of February 2011 at Reynella or Seacliff Park, intending to obtain access to child pornography, obtained access to child pornography.
It is further alleged that Barrington Maxwell Peter James Sexton committed the offence knowing that the victim of the offence was, at the time of the offence, under the age of 14 years
Tenth Count
Statement of Offence
Possessing Child Pornography. (Section 63A(1)(a) of the Criminal Law Consolidation Act, 1935)
Particulars of Offence
Barrington Maxwell Peter James Sexton on the 31st day of August 2011 at Seacliff Park, possessed child pornography, knowing of its pornographic nature.
Upon arraignment, the accused pleaded not guilty to all counts. I have heard the trial without a jury.
There is no dispute that the material found at the accused’s premises falls within the definition of child pornography in s 62 Criminal Law Consolidation Act 1935 (‘CLCA’).
The prosecution case
Much of the evidence in this trial related to how the child pornography was deposited on the accused’s electronic devices. The issue to be determined is whether the accused obtained access to the material or whether it was obtained by another source, such as a hacker and whether he was in possession of the material the subject of count 10.
I received a document, P1, that represented the particular files that Detective Fitzgerald identified as containing child pornography. There were 10 entries identified. The prosecution allege that count 10, Possessing Child pornography relates to an AVi multimedia file, or video, in the accused’s possession within an electronic folder otherwise containing astronomy images and present on HD1 and HD2. The material subject to count 1 was also located on the two hard drives and counts 2-9 were located in a folder on HD2 labelled ‘incomplete’.
The prosecution case is although the material that is the subject matter of counts 2-9 was contained in the ‘Incomplete’ folder its presence at that location on the computer and the estimated percentage of data contained within each file, which was less than 100%, is indicative of those files being in the process of being downloaded by use of P2P file sharing software. The prosecution case is that those eight pictures or movies, as the case may be, notwithstanding that they were not completely downloaded, were accessible to view by the user of the computer on which they were present.
It is the prosecution’s case that electronic analysis of devices shows evidence of computer software, namely GuitarPro6, was used to erase or overwrite a number of files. The prosecution say the names of the files which have been overwritten are discernible and have apparent child pornography titles. Where material has been deleted, overwritten or simply viewed on a computer the prosecution points to evidence of the file’s name that refer to child sexual activity to prove the offence in addition to the SHA1 value.
The prosecution says that the hard drive that contained files that relate to counts 2-9 shows evidence of the use of a P2P file sharing program, LimeWire. LimeWire stores and references files by their SHA1 value to ensure a complete and accurate download at the end of the downloading process. The prosecution case is that police electronically searched the accused’s computers for evidence of SHA1 values connected to the use of LimeWire and found matches on two of them including the MOEBIUS computer the prosecution says contained the material subject of the charges. This was compared to the Child Exploitation Tracking System (CETS) and yielded a number of matches, each of which contained child pornography.
The prosecution contends that the downloads the subject of the charges are not isolated and the combination of files being in a state of partial download and evidence of deleted or overwritten files suggest that the modus operandi of the accused was to download child pornography onto his computer and then transfer it onto a storage device such as a USB for storage.
The prosecution case is that the computer which was primarily used by the accused was the MOEBIUS computer tower comprising two hard drives located under the desk in his study. This was the computer that the accused indicated to police in his record of interview as his main computer and the one which he uses.
Mr Jolly did not outline the issues in contention.
Legal Directions
I set out here some of the fundamental directions which apply in a criminal trial.
The accused comes before this court with a presumption of innocence in his favour. The law regards him as innocent unless and until his guilt has been proven by the prosecution beyond reasonable doubt.
I must assess each witness as to their truthfulness and their reliability. I must determine whether I can rely upon the evidence that a witness gives. I can reject or accept all or a part of a witness’ evidence.
The accused has given evidence. He was not obliged to give evidence but chose to do so. His evidence must be considered along with the other evidence in the case. By giving evidence and presenting a case he has not assumed any burden of proof. That always remains with the prosecution.
I must bring an open and unprejudiced mind to the case. I must make my decision without sympathy, without prejudice or fear, and not influenced by public opinion in relation to this matter.
In this case, certain persons said to be experts in particular fields, have been called to give evidence. The ordinary rule is that witnesses may speak only to the facts and not express opinions. An exception to that rule is that persons who are qualified in a particular area may express an opinion. That opinion must be relevant to their particular areas of expertise. As I am a sole judge of the facts, I am entitled to accept or reject any opinion evidence as I see fit. Before rejecting that evidence, I must give it consideration, and consider how it fits with any other evidence that I have heard on that topic.
The accused is charged with ten separate counts. Each of these counts must be considered separately and only in relation to the evidence that is admissible in respect of each.
Discreditable conduct evidence
On 27 November 2015 the prosecution filed a notice pursuant to s34P of the Evidence Act 1929. They gave notice that they sought to adduce evidence that the charged acts were not isolated incidents of obtaining access to or possessing child pornography by the accused. They submitted that forensic electronic analysis of the computers and electronic storage devices that were seized from his premises revealed that he had previously viewed, obtained access to and possessed computer picture and video files containing, concerning and/or referring to child pornography. They further submit that evidence of further viewing, obtaining access to and possessing child pornography demonstrates that the accused had a disposition or a tendency to acquire and use such material and that this tendency or disposition is relevant in proof of the charges. They submit that the accused had an ongoing interest in obtaining access to this material and that it was open to me to draw inferences from the electronic evidence that the accused had repeatedly and at times proximate to the charged offences sought out child pornography via the internet. It follows from that, it was said, that the accused has a propensity or a disposition to obtain access, to view and/or possess child pornography.
It was submitted that the particular issues at trial of which the evidence has strong probative value are, in relation to counts 1-9 on the Information:
1Whether the accused in fact obtained access to child pornography;
2Whether he obtained access to child pornography intending to access material of that type; and
3In the case of charges of aggravated obtaining access to child pornography, whether he knew that the victim of the offence was at the time of the offence under the age of 14 years.
In relation to count 10 on the Information, it is submitted that the evidence has strong probative value, in particular in relation to whether the accused was knowingly in possession of material of that type.
It was submitted that evidence of substantial participation in the process of obtaining access to child pornography via the internet can support an inference of continued or ongoing participation in a way which is analogous to indicia of ongoing participation in a drug trade.[1] I accept that submission.
[1] Harriman v The Queen (1989) 167 CLR 590 and R v Soteriou [2013] SASCFC 114.
34P—Evidence of discreditable conduct
(1) In the trial of a charge of an offence, evidence tending to suggest that a defendant has engaged in discreditable conduct, whether or not constituting an offence, other than conduct constituting the offence (discreditable conduct evidence)—
(a) cannot be used to suggest that the defendant is more likely to have committed the offence because he or she has engaged in discreditable conduct; and
(b) is inadmissible for that purpose (impermissible use); and
(c) subject to subsection (2), is inadmissible for any other purpose.
(2) Discreditable conduct evidence may be admitted for a use (the permissible use) other than the impermissible use if, and only if—
(a) the judge is satisfied that the probative value of the evidence admitted for a permissible use substantially outweighs any prejudicial effect it may have on the defendant; and
(b) in the case of evidence admitted for a permissible use that relies on a particular propensity or disposition of the defendant as circumstantial evidence of a fact in issue—the evidence has strong probative value having regard to the particular issue or issues arising at trial.
(3) In the determination of the question in subsection (2)(a), the judge must have regard to whether the permissible use is, and can be kept, sufficiently separate and distinct from the impermissible use so as to remove any appreciable risk of the evidence being used for that purpose.
(4) Subject to subsection (5), a party seeking to adduce evidence that relies on a particular propensity or disposition of the defendant as circumstantial evidence of a fact in issue under this section must give reasonable notice in writing to each other party in the proceedings in accordance with the rules of court.
(5) The court may, if it thinks fit, dispense with the requirement in subsection (4).
Section 34P draws a distinction between discreditable conduct evidence which relies on a particular propensity or disposition of the defendant and discreditable conduct evidence which otherwise has probative value. In order to rely upon a particular propensity or disposition of the accused, as circumstantial evidence of fact in issue, it must pass a higher threshold test for admissibility than discreditable conduct evidence which otherwise has probative value but does not rely on a particular propensity or disposition of the defendant. Discreditable conduct evidence which relies upon a particular propensity or a disposition must possess strong probative value having regard to the particular issues or issues arising at trial. It must be more than a mere or general propensity and it must demonstrate a particular propensity or disposition which is strongly probative of the offence charged.
The question of the assessment of the probative value of evidence of discreditable conduct was discussed by Kourakis CJ in R v MJJ; R v CJN[2] in the following terms:
The impermissible use identified in s 34P(1) of the Evidence Act is the drawing of an inference of guilt from the fact that the accused has engaged in other conduct which has no relevant connection to the offence other than to share the epithet discreditable. Evidence of discreditable conduct of that kind may, admittedly with some imprecision, be described as evidence of a mere, or general, propensity. Section 34P(2)(b) expressly provides for the admission of discreditable conduct evidence which shows a particular propensity or disposition of the defendant. The particular propensity or disposition must be strongly probative of the offence charged, and outweigh its prejudicial effect. Discreditable conduct which has a permissible use, other than by way of demonstrating a particular propensity, need only have a probative value, whether weak, moderate or strong, which substantially outweighs its prejudicial effect.[3]
At the core of the assessment of the probative value of discreditable conduct evidence are two analytical steps. The first is to identify the particular fact which is in issue. The second is to consider how, if at all, the discreditable conduct evidence circumstantially increases, as a matter of human experience, the probability of the existence of that fact. Resorting to generalities such as “context”, “background” and “underlying unity” will seldom illuminate the analysis.
[2] R v MJJ; R v CJN [2013] SASCFC 51 at [18]-[19].
[3] Evidence Act 1929 (SA), s 34P(2)(a).
It is clearly a necessity to consider these issues having regard to the particular issues arising at trial.
In this case, the defence did not challenge the admissibility of the material but rather suggested that the finding of the material on the devices was not capable of proof that the accused was responsible for the introduction of it or accessing of it from the internet via his computer or storage of it upon any of the storage devices.
Evidence of discreditable conduct on the part of the accused may be admitted pursuant to s34P(2)(b) if the evidence is not to be tendered for the prohibitive purpose namely to show that the accused is more likely to have committed the charged offence because he has engaged in discreditable conduct but to show a particular propensity of disposition of the accused, which is relied upon as circumstantial evidence of a fact in issue and the judge is satisfied of the following two matters: first, that the probative value of the evidence substantially outweighs any prejudicial affect it may have on the accused and second that the evidence has strong probative value having regard to the particular issue or issues at trial.
The issue in relation to this trial is whether the accused in fact obtained access to child pornography and if he did whether he intended to access material of that type. In addition to this in relation to count 10, the issue is whether the accused was knowingly in possession of material of that type. The fact there may be an ongoing and sustained course of conduct in relation to behaviour of the same type over a number of years and across a number of different devices has strong probative value in relation to these issues. Further, I am satisfied that the probative value of this evidence substantially outweighs any prejudicial effect it may have on the defendant given the nature of this trial and the nature of the material that is to be led in any event. The evidence relating to each of the charged acts and the uncharged acts and the timing of those events along with the manner of the access is relevant to the consideration of each of the counts on the Information. As I have said, I am satisfied that the probative weight of the evidence, for the purposes I have identified, substantially outweighs any prejudice that could arguably flow from it.
In a trial by judge alone there is little scope for arguing that relevant evidence should be excluded by reason of prejudicial content. As King CJ observed in Abrahamson v The Queen:[4]
The principle that a judge should exclude evidence the prejudicial effect of which outweighs its probative force can have very little part to play in a trial by judge alone. The rule is designed to protect juries from exposure to prejudicial material which has but little probative force. The learned judge in this case was quite able to discard any prejudicial effect of the evidence of this kind and focus on such probative weight as he considered that it properly bore.
[4] Abrahamson v The Queen (1994) 63 SASR 139 at 143.
I have however borne in mind that in determining whether the prosecution has proved its case in relation to the charged offences, the potential for prejudice that such evidence can generate.[5]
[5] Pfennig v The Queen (1995) 182 CLR 461 at 512; Perry v The Queen (1982)150 CLR 580 at 592-593, 586.
For the reasons that I have given the evidence of discreditable conduct is admissible.
Circumstantial evidence
The prosecution case in respect of each of the charged and uncharged acts is circumstantial in nature. I have reminded myself that when the case against an accused person rests substantially on circumstantial evidence, a verdict of guilty cannot be returned unless the circumstances are such as to be inconsistent with any reasonable hypothesis other than the guilt of the accused.[6] To enable a trier of fact to be satisfied beyond reasonable doubt of the guilt of an accused person, it is necessary not only that his guilt should be a rational inference, but that it should be the only rational inference that the circumstances would enable the trier of fact to draw.[7]
[6] Peacock v The King (1911) 13 CLR 619 at 634.
[7] Plomp v The Queen (1963) 110 CLR 234 at 252.
Of course, mere speculation or conjecture does not constitute a reasonable inference. As the High Court said in Peacock v The King: [8]
An inference to be reasonable must rest upon something more than mere conjecture. The bare possibility of innocence should not prevent a jury from finding the prisoner guilty if the inference of guilt is the only inference open to reasonable men upon a consideration of all the facts in evidence.
[8] Peacock v The King (1911) 13 CLR 619 at 661 quoted with approval in Barca v The Queen (1975) 133 CLR 82 at 104.
The distinction between an inference and mere conjecture was discussed by Yiamauchi J in the Canadian case of R v Villaroman:[9]
… the Crown cannot ask this Court to rely on suppositions or conjecture to draw inferences that the accused committed the offences with which it has charged him. Similarly, the accused cannot ask this Court to rely on supposition or conjecture that flows from a purely hypothetical narrative to conclude that the Crown has not proven he is guilty of the offences with which the Crown has charged him.
[9] R v Villaroman (2013) ABQB 279 (Alberta Court of Queen’s Bench)
Legislation
The accused is charged with offences contained in Part 3, Division 11A of the CLCA. At the time of the alleged offences in 2010 and 2011, Division 11A relevantly stated:
62—Interpretation
In this Division—
child means a person under, or apparently under, the age of 16 years;
child pornography means material—
(a) that—
(i) describes or depicts a child engaging in sexual activity; or
(ii) consists of, or contains, the image of a child or bodily parts of a child
(or what appears to be the image of a child or bodily parts of a child)
or in the production of which a child has been or appears to have
been involved; and
(b) that is intended or apparently intended—
(i) to excite or gratify sexual interest; or
(ii) to excite or gratify a sadistic or other perverted interest in violence or
cruelty;
disseminate—a person disseminates child pornography if the person—
(a) sends, supplies, exhibits, transmits or communicates it to another, or enters
into an agreement or arrangement to do so; or
(b) makes it available for access by another (including access by means of a
computer) or enters into an agreement or arrangement to do so;
material includes—
(a) any written or printed material; or
(b) any picture, painting or drawing; or
(c) any carving, sculpture, statue or figure; or
(d) any photographic, electronic or other information or data from which an
image or representation may be produced or reproduced; or
(e) any film, tape, disc, or other object or system containing any such information
or data;
pornographic nature of child pornography means the aspects of the material by
reason of which it is pornographic;
private act means—
(a) a sexual act; or
(b) an act involving an intimate bodily function such as using a toilet; or
(c) an act or activity involving undressing to a point where the body is clothed
only in undergarments; or
(d) an activity involving nudity or exposure or partial exposure of sexual organs,
pubic area, buttocks or female breasts;
prurient purpose—a person acts for a prurient purpose if the person acts with the intention of satisfying his or her own desire for sexual arousal or gratification or of providing sexual arousal or gratification for someone else.
63A—Possession of child pornography
(1) A person who—
(a) is in possession of child pornography knowing of its pornographic nature; or
(b) intending to obtain access to child pornography, obtains access to child
pornography or takes a step towards obtaining access to child pornography,
is guilty of an offence.
Maximum penalty:
(a) for a first offence—
(i) if it is a basic offence—imprisonment for 5 years;
(ii) if it is an aggravated offence—imprisonment for 7 years;
(b) for a subsequent offence—
(i) if it is a basic offence—imprisonment for 7 years;
(ii) if it is an aggravated offence—imprisonment for 10 years.
(2) It is a defence to a charge of an offence against subsection (1) to prove that the
material to which the charge relates came into the defendant's possession unsolicited and that the defendant, as soon as he or she became aware of the material and its pornographic nature, took reasonable steps to get rid of it.
Elements of the charged offences
The accused is charged with nine counts of obtaining access to child pornography, five of which are aggravated offences. For the accused to be found guilty of this offence, the prosecution must prove beyond reasonable doubt that:
1he voluntarily performed an act or acts;
2he performed the act or acts with the intention of obtaining access to child pornography (recklessness in that regard is not sufficient);[10] and
3that the act or acts caused him to obtain access to child pornography.
4In the case of the aggravated counts that the accused knew the victim was under the age of 14 years.
[10] F, BV v Magistrates Court of South Australia (2013) 115 SASR 232 at [48].
The expression “obtains access” is not defined in the CLCA however this matter was considered by Judge Millsteed in R v Finnigan (No 3).[11] His Honour after extensive argument by counsel and reviewing legislation both within Australia and internationally, concluded:
For the purposes of the offence of “obtains access” it is sufficient if the person
1. possesses an intention to access child pornography.
2. intentionally performs the final step required to make the images available for display on the computer screen, and
3. that the images comprise or contain child pornography regardless of if, when or how the images were actually viewed.
[11] R v Finnigan (No 3) [2015] SADC 166 at [102].
A person commits the offence of possessing child pornography if it is proven beyond reasonable doubt that:
5the person has physical control or custody of the material in question;
6the person intended to have physical control or custody of the material;
7the material comprised or contained child pornography as defined in section 62 of the CLCA; and
8that the person knew or was aware of the pornographic nature of the material.
A person does not have to actually see the material before it can be said to be in his possession. It is not necessary for the material to have been viewed. For example a person may obtain pornographic material in an envelope but without viewing it secrete it. It is the element of control including deciding what will be done with the material that is essential to possession.[12] The common law provides that to be in possession of an item a person must intend to have custody or control over the item. This necessarily requires that the person knows or is aware that the item was in his or her possession. This is the minimum knowledge required for a person to be in possession of an item as distinct from the question of whether the person was aware of the nature and quality of the item in their possession.
[12] R v Daniels (2004) 191 CCC(3d) 393 (ML) at 12.
In relation to statutory offences, knowledge of the circumstances which make the doing of the act an offence is presumed to be an element of the offence unless the statute clearly indicates otherwise.[13] Accordingly, statutory offences which prohibit possession of an item are presumed to require, as an element of the offence, that the person knew that he had physical control or custody of the item and had knowledge of the criminal character of the item.
[13] He Kaw Teh v The Queen (1985) 157 CLR 523 at 582.
Where the word ‘knowingly’ is used in the statute, it expressly introduces knowledge as an element of the offence.
Section 63A(1) makes it an offence for a person to be in possession of child pornography “knowing of its pornographic nature”. If the words “knowing of its pornographic nature” were not in the provision, the prosecution would be obliged to prove that the accused knew that the material comprised or contained “child pornography”. However, under section 63A(1)(a) the word ‘knowingly’ is used to make plain that the requirement of knowledge is limited to the pornographic nature of the material. In other words, the prosecution is not obliged to prove that an accused person knew that the pornographic material involved a child (a person under or apparently under 16 years of age).[14]
[14] Police v Kennedy (1998) 71 SASR 175.
The offence of possession of child pornography is not committed merely by viewing images of such material on a computer screen. In order to commit the offence of possession of child pornography, the person must knowingly acquire the data files and store them in a place under his control. It is the underlying data that is the stable object that can be transferred, stored and possessed. The automatic caching of a file to a hard drive as a result of viewing child pornography on the internet does not, without more, constitute possession.[15]
[15] R v Morelli [2010] 1 SCR 253.
The defence in s63A(2)
There is a defence available in relation to an offence pursuant to section 63A(1) that arises if the material came into the defendant’s possession unsolicited and as soon as he became aware of the material and its pornographic nature, he took reasonable steps to get rid of it. This defence would only arise in the circumstance where a person has received the material “unsolicited” and then takes steps to dispose of it. It could only ever apply in relation to an offence of possession because in the case of obtaining access there must be an intentional act or acts to obtain the child pornography. In those circumstances it could not be said to be unsolicited.
In this case the accused contends that he did not knowingly download or access child pornography. This defence may have some application in relation to count 10 on the information in the sense that he may have received the material unsolicited. However, he deposes in his evidence to having no actual knowledge of the existence of this material at all. In those circumstances, this defence has no application.
Glossary of terms
I have included a glossary of terms without which much of what is said may not be understood
‘Adware’
The intent is pop-up adverts for you to click on and buy things, mostly fake products
‘AVi file’
A multimedia container format that can contain both audio and video data.
‘Back door virus’
Malware that allows a person who has written the malware or person who is controlling it to access a computer which has been infected. It allows an attacker to remotely control the victim’s keyboard as if they are sitting at the keyboard.
‘Botnet’
A large number of computers which have all been compromised with the same malware which sits in the background and is not visible to the user of the computer. The person who is running the botnet will issue commands to all of the bots to do something, for example spam emails that are sent from compromised computers.
‘Caching’
The process of accessing data across the internet or other networks. To enable a web page to be displayed to a computer it will download that webpage and any pictures or files embedded within that page, store that locally on the computer in a cache and then use that local cache to display it on the computer screen.
‘Child Protection System (CPS)’
A tool developed that identifies any internet protocol address that use file sharing programs to share with other computers, that identifies child pornography. The tool is able to narrow the search down to different jurisdictions, for example, South Australia.
‘Cookies’
Sit on a computer and watch what is happening in relation to a particular website and record information about that.
‘Cyber worm’
Malware designed to infect a computer and then propagate itself and then infect other computers connected to that computer, in effect, it worms its way through a network.
‘Denial of service attacks’
Occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers.
‘Dialler’
An entire class of fraud where malware calls numbers and charges money for each call. This was more typical when there were analog modems before ADSL but still exists today using voice over IP knowledge. It forces your computer to connect to the very expensive services over and over and you end up with a bill.
‘Firewall’
Software which examines network traffic, usually the focus is on incoming traffic to a computer. If the traffic is not expected or set by the software to be blocked it will not allow that traffic through to the computer.
‘FKC file’
A log file of a back-up program that shows files that have been backed up.
‘Folder’
A container where files can be placed into.
‘Google Picasa’
A software that allows a user to search through a hard drive and index photographs and video files that are on there so a user can view them.
‘Hard drive’
Hardware found in a desktop, tower or laptop that is required to make the computer work. There can be a number of hard drives located in a computer device. This is the part of the computer on which data or information is physically stored.
‘Java’
A type of programming language used to write software. It is a multiplatform language that can run on Windows and the MacIntosh operating systems.
‘JPEG’
A commonly used method of lossy compression for digital images, particularly for those images produced by digital photography.
‘Key logger’
Malware that will monitor a keyboard of a user and record the key strokes to encapture information such as a bank account or password.
‘Link file’
A shortcut file created by the Windows operating system which when a file is accessed, Windows will create a reference to it which will show the original path for the file.
‘Malware’
Software, commonly termed as viruses or trojans, which can come into a computer through a network or USB or another sort of device connected to a computer.
‘Node’
A JavaScript runtime built on Chrome's V8 JavaScript engine.
‘Operating system’
What a user would use to be able to do things on a computer. It is found on a hard drive or USB which is plugged into a computer. Examples include Microsoft Windows or Apple Macintosh.
‘Peer to peer (P2P) file sharing’
Through the network users can use software to make data and files available for other users. Users share files amongst themselves through a network. When a file is placed into P2P software it divides the file up into small pieces and collates a value for the whole file and then as the file is shared amongst other people the other peers also make that available. If a person downloads the file it may take one piece from one computer and another piece from another computer and assemble it onto the computer itself. Any sort of electronic file can be shared for example, pictures, videos or documents.
‘Play’ list file’
Relates to a Windows media program that keeps a record of a video file that has been played. The ‘Play’ list keeps a listing of files that have been played on the computer.
‘Pop ups’
When you are looking at a particular webpage and as far as you know, unrelated to what you were doing, another page would pop up on the screen.
‘Protocol address’
A numerical label attached to a hardware device that enables police detectives to contact with other hardware devices on the internet. Police then go to the internet service provider and find out the account holder who has been allocated the internet protocol address.
‘Proxy server’
A server that sits between the client and the final end point. You communicate with the proxy and the proxy communicates on your behalf to the end point, it receives a response back and then gives it back.
‘Ransomware’
A version of malware which is designed to encrypt a user’s data, it may be a folder or an entire drive or devices connected to a computer and demand a ransom to provide a password to unencrypt the data that has been corrupted.
‘RAR’
A compression format to use the size of the files but still to retain the contents, similar to a zip sort of file. If a user wanted to download a lot of files the person that supplies that could compress them into one file so that just one file has been downloaded rather than potentially hundreds of files.
‘RAT’
Remote access trojan.
‘Remote Access Software’
Allows another person over a network to remotely access another device or other computer connected to a network.
‘Router’
A networking device that forwards data packets between computer networks. Routers perform the traffic directing functions on the Internet. A data packet is typically forwarded from one router to another through the networks that constitute the internetwork until it reaches its destination node.
‘Routing attack’
Where computer network traffic which is meant for one particular node is rerouted to a different node so that traffic may appear to be legitimate and may be sent to or coming from a different source but it appears to be correct.
‘Secure hash algorithm (SHA value)’
Used when P2P software is searching for and compiling the composite pieces which make up the file to keep track of the pieces it has and the pieces it requires to complete the file. The file would list information such as how many chunks are there for the file and how much the file is overall. A value is calculated from the data so it knows when the file is downloaded correctly.
‘Seeds’
On P2P networks this shows the number of other peers who are making that file available.
‘Spyware’
A piece of a computer code which is designed to look at what you’re doing and reflect that information to whoever is running the malware. For example, tracking every website someone viewed.
‘Thumb cache database’
Found within a computer that keeps a small version of a picture viewed within Windows File Explorer. A thumb cache contains lots of thumbnail files.
‘Thumb drive’
A USB stick
‘Trojan’
Termed from the trojan horse story which in relation to computer software it is software that appears to be one thing but has something else within it which isn't apparent to the user.
‘URN’
Uniform Resource Name (URN) is the historical name for a Uniform Resource Identifier (URI) that uses the urn scheme. A URI is a string of characters used to identify a name of a web resource.
‘ZZZ files’
These files relate to potential use or erasing of cleaning software.
‘Zero-day malware’
Malware for which the vendors have not put out a patch and the antivirus companies do not know about it and there is no possible protection.
The Evidence
The Prosecution called Mr Matthew Lyons, a detective sergeant, currently attached to the Special Crimes Investigations Branch (SCIB). He was involved in the search of the accused’s premises at Seacliff Park on 31 August 2011. Part of his role at the Special Crimes Branch is to conduct online investigations where information is gathered from the public or through a tool called the Child Protection System (‘CPS’). That information may give rise to reasonable cause to suspect that an internet protocol address (IP address) has been used to obtain, share or disseminate child pornography and then this is investigated. The CPS suggests an IP address has been engaging with child pornography on the internet.
On 31 August 2011 he was in receipt of information that the IP address connected to the accused had been engaging with this type of material. He conducted a briefing for his colleagues in relation to searching the accused’s premises. They attended the accused’s premises. When they arrived no one was home and under a general search warrant, entry to the premises was gained through the window. A number of items were seized and taken away. After a walk-through of the premises he phoned the accused to organise to speak to him further in relation to the investigation.[16]
[16] Exhibit P2.
On 2 September 2011 the accused attended at the offices of the Sexual Crime Investigation Branch and participated in a video recorded interview[17] conducted by Detective Sergeant Lyons and Detective Brevet Sergeant Fitzgerald, the Investigating Officer in this matter.
[17] Exhibit P3 and transcript MFI P4.
The accused denied that he had accessed and shared child pornography from his computer. He said that he had had arguments in the past with his internet provider about his downloads that had suddenly been reached and he had been speed limited. He said that his computer was open to everybody including his friends, relatives and children and that they would use it when they were visiting. He said a friend was living with him in early 2000 with her two daughters and they were playing on the computer “the whole time”. The accused said he did not recall anyone using his computer on 18 July 2011, 19 July 2011 and 1 August 2011 and he did not know where he was on these dates. He said there were times when he found his wireless connection without protection and he had to put it back on again and he could not recall whether this had happened over the last eight weeks. He said that he did not use a file sharing program but did use LimeWire once for some music files. He said that he was not conscious of Wi-Fi security and he let his virus check program ‘go once’ and he lost $2,000 out of a bank account. He said in July and August 2011 his anti-virus was up to date. In the interview he said he could not say how many people knew his Wi-Fi password and he had given it to a few people. He said some friends knew what his password was as he would fix their computer when it had broken down. He said his son would also have the password.
In cross examination Mr Lyons said he did not seize a router in the house. In re-examination he said he had never seized a router before in investigations of this nature.
Mr David Fitzgerald was called to give evidence. He is a Detective Brevet Sergeant (DBS) at the Protective Security Investigation Section and previously worked at the SCIB. He is the primary Investigating Officer. In his previous role he would view child pornography for the purpose of categorising the material. During the categorisation procedure he became familiar with certain terms that were regularly encountered. These terms include PTHC an acronym for pre-teen hard core, little Lolita and a number which depicts an age of the child followed by the years depicted as ‘yo’. He said that there are also unusual ones including the name ‘ray gold’ with the ‘a’ removed and replaced with an ‘@’ symbol. He went on to explain that Mr Gold was a big purveyor of child pornography in America and his name became used in file extensions and file terms when searching for child pornography. In addition to this, there are some girls’ names that become popular and are used as a search term for child pornography.[18]
[18] T 100.
He was involved in the briefing on 31 August 2011 and he attended the accused’s premises that morning. He had the role of exhibits officer and he took various photos of items at the premises. A booklet of photos taken at the premises was tendered as P5 and a schedule prepared, which set out the details of the electronic exhibits seized.[19] During the search he pulled the plugs out of the wall and seized an ACER computer tower and a MOEBIUS computer tower. A laptop, AMR computer tower and 4 thumb drives were also seized. The exhibits were placed in secure storage and submitted to the Electronic Crime Section.
[19] Exhibit P6.
In late November 2011 and early December 2012 the first analysis of the ACER and MOEBIUS computer towers took place.[20] During this analysis he identified a number of items of interest that fit the definition of child pornography on the MOEBIUS computer tower and this material was provided to Mr Quick who produced an evidentiary disk. All exhibits were analysed in May and June 2013. He went through the same process and indicated a number of items of interest that fit the definition of child pornography that correlates with material identified during the first analysis. A third analysis took place in May or June 2014 in relation to the possibility of locating deleted material. A document was tendered,[21] which set out ten files that Mr Fitzgerald indicated to Mr Quick from his review of the MOEBIUS computer tower that fit the description of child pornography, with a categorisation according to the ‘Oliver Scale’.[22]
[20] T 119.
[21] Exhibit P1.
[22] R v Oliver [2003] 1 Cr App R 28.
At the conclusion of Mr Quick’s second phase, when Mr Quick had forensically identified and analysed all the devices, he received a document from Mr Quick entitled ‘Timeline’ which contained references to the files in P1 and electronic information relating to other material of significance. Having regard to the timeline he then accessed emails present on Mr Sexton’s electronic devices for the purpose of looking at email activity at the same time that child pornography was available for sharing on that device. He identified a number of emails found on the MOEBIUS computer tower that he considered to be relevant and those were tendered.[23]
[23] Exhibit P7.
When cross examined Mr Fitzgerald said he observed the computer was on but did not check and see if the router was on and operating. Following the accused’s record of interview he made a request to the accused’s internet provider iPrimus who sent him a series of statements and technical emails relating to the accused’s account. These were tendered as D8 and D9. MFI-D8B contained technical notes from iPrimus ranging from 30 July 2012 to 29 July 2014 noting that the accused had contacted them due to the Wi-Fi dropping, slow browsing and other issues relating to the internet. MFI-D8A contained customer care notes from 2 January 2009 to 3 March 2014 noting that the accused had contacted them due to wanting greater downloads and greater speed, billing enquires, internet usage increasing and a slow connection. D9 contained records held by iPrimus in relation to the accused including his IP Address. He said he made inquiries as to what type of work the accused did when he was working with computers and took a number of statements from people.
Mr Fitzgerald said he received a disk from Mr Quick that had a string of file names that identified titles that were suggestive of child pornography but he could not view any of them as there was no image associated to them. He said he understood that they had been overwritten. He said in relation to the drives other than the MOEBIUS computer tower he saw a lot of images that were not related to child pornography.
In re-examination Mr Fitzgerald said that specific items were seized at the accused’s premises as they had been informed by the details from the CPS that there was child pornography available for sharing. This meant that the system needed to be plugged into the internet and available while someone else is requesting the material from that computer. He said the CPS system would not detect other material or devices around the house that were not connected to the internet.
Mr Darren Paul Quick was called to give evidence. He is a digital forensic investigator employed by the Australian Border Force and was previously an electronic evidence specialist within the Electronic Crime Section at SAPOL. In that role he undertook forensic analysis of a number of computers and storage devices which were submitted by the investigators in the matter before the court. His role included the analysis of computers and electronic storage devices to look for information that was stored on them and produce a report in relation to it. He reviewed the electronic information in a manner that would not alter the original source of data. He used programs in order to extract data from the devices in a way that was forensically sound. In that role he made a copy of the item available for the investigator to look through and select which part or files were relevant to their investigation and they would make a report in relation to the files that the investigator had selected.
When exhibits are analysed they are photographed and the physical features of the devices are documented before the hard drives are removed and connected to their hardware. The items are then forensically imaged or copied and the data is then processed using software which builds an index of what is on the drive. The software captures everything on a hard drive. There is some data captured that a user would not see and it has the capacity to capture what is not visible to the original user, for example the thumb cache databases. The copying software is also capable of capturing material which a user has deleted. When undertaking a forensic examination of a hard drive he can identify the operating system and that forms part of the report generated upon analysis.[24] He can determine whether particular types of software are operating on a hard drive and this sometimes forms part of the report in respect to a device. It is important to know whether there was a wireless or physical connection for a device when investigating something like a denial of service or a hacking incident.
[24] T 175.
He said files are organised on the hard drive by file name and extension, which usually indicates the sort of file and details of folders can also be analysed. This information is then complied into the report. When files are deleted the file will still remain on the drive. There is software that can be pointed to a file, folder or location that will erase or remove the file itself and overwrite the actual location. During forensic analysis he can discern evidence of this type of software and sometimes is able to see what type of evidence the software has been used to erase or overwrite.
I received in evidence screen shots from FrostWire, a P2P network, similar to LimeWire.[25] Mr Quick explained how the software operated generally. When asked about LimeWire specifically he said that when the software was in the process of downloading material it stored the material in a folder called ‘incomplete’, which is created on the computer in the user’s folder structure. Once downloaded, LimeWire would move the material to a user’s ‘my folders’ folder or ‘my files’ depending on the version of Windows. Once downloaded a user had the option to open up a settings page and change where it has been moved to.
[25] Exhibit P11.
Mr Quick produced forensic copies of the contents of HD1 and HD2 within the MOEBIUS computer and made those available to Detective Fitzgerald. Detective Fitzgerald selected a number of files of interest to him and indicated those to Mr Quick. All of the exhibits in P6 were submitted to him and he made forensically sound copies of each of those and made them available to Detective Fitzgerald who conducted a further review and again indicated to him a number of files. These files are the ones found in P1. He then produced the second review which involved all devices and created reports for the files. The reports contain information including the file name, file path, whether the file was deleted or not, the created, modified, access dates, the file size and the file type. Subsequent to this review an analysis report was requested. P12 was tendered as the analysis report that was prepared in relation to the eight items contained in P6. Each section of the analysis report relates to different items and provides information on details of the physical examination, details of requests which he received from the investigators, where files of interest were located and details of analysis which were undertaken.
Imation 4GB thumb drive (BS4)
No files were selected on the Imation thumb drive.
ACER computer tower (BS7)
No files were selected on the ACER computer tower.
MOEBIUS computer tower (BS8)
Two separate hard drives were identified within this device and were distinguished as HD1 and HD2. A number of files were selected from across these hard drives. HD2 had a system report however HD1 did not. It was explained that the operating system would run from HD2 when it was running and HD1 would be available as another hard drive to store data. HD1 was in an external caddy so it was able to be removed from the drive without undoing the screws and put a different drive into the caddy. The HD2 time zone was set to Central Australian standard time, which is Adelaide time and during the analysis Mr Quick found that the period of set-off was potentially a twenty minutes difference between accurate time and the setting. He explained this can happen because a computer clock is not necessarily as accurate as internet time. The MOEBIUS (BS8) was operating Microsoft Windows XP, Version 5.1 and had been updated to the third version of the service pack. There was no evidence on HD2 that there was a user account set up specifically to have limited access.
Laptop computer (BS9)
No files were selected on the laptop computer.
AMR computer tower (BS10)
Two separate hard drives and a compact disk where contained in this device. No files were selected on the AMR computer tower.
Red Lexar thumb-drive (BS11)
No files were selected on the Red Lexar thumb-drive.
Kingston Technologies 4Gb thumb drive (BS12)
Files were selected by Detective Fitzgerald between 29 May 2014 and 5 June 2014.[26]
[26] P12 pages 26, 27.
Dick Smith 2Gb thumb-drive (BS13)
No files were selected on the Dick Smith 2Gb thumb-drive.
The third analysis in May or June 2014 was to examine what other information there may have been on the computers in relation to files that Detective Fitzgerald had selected in the reviews. NUIX software was used by Detective Fitzgerald and EnCase Software was used by Mr Quick. EnCase software allows a user to see the raw data for each of the files and has other capabilities in relation to recovering deleted files and looking into further files. In the third analysis he looked for deleted files and he made them available to Detective Fitzgerald to review.
P1 is a report from the NUIX software that Detective Fitzgerald utilised to view the material on the forensic copy which was produced. The final column was material applied by Detective Fitzgerald in the selection process using the NUIX software. P1 consisted of material from HD1 and HD2 within the MOEBIUS.
In relation to P1, Mr Quick explained that when a file is created on a specific hard drive it will put a ‘created time and date’ at the time and if it is moved around within the hard drive it will keep the same time. If it is copied to another piece of media, it may have a new created date for the time that it was moved or copied. When a file is modified for example a document where the user has typed something and saved it, the file modified time will be updated. When a user opens a file and a virus scan runs over and looks at the file the file accessed time may be updated. File size refers to the size of the file in its completed state. The second to last row and second row of P1 are files located within the ‘Incomplete’ folder on HD2 and it was likely that they were being downloaded by P2P software such as LimeWire and likely that they were in the process of downloading.
Mr Quick produced a ‘timeline’, which he prepared isolating files of relevance selected by Detective Fitzgerald from all the devices he examined. This was tendered as P13.[27] He also filtered the mass of information across all the devices by certain terms which as ‘Lolita’, ‘Preteen’, ‘PTHC’, ‘LimeWire’ and ‘FrostWire’. The entries in blue font are located within log files or within reports that were created from files, namely Google Picasa log file reports. He explained that when Google Picasa is used to view material it leaves an electronic imprint on the hard drive and creates an index of the pictures and stores them in a thumb index. The entries in dark red are files selected by Detective Fitzgerald, and the lighter red colour are the ‘ZZZ’ files. Entries in purple font is information derived from a Link file which was located. Entries in green font represent information taken from a ‘Play’ list file. The balance of the entries are in black font and represent the other types of files which are included in the timeline. The report was produced using EnCase forensic software in relation to all of the files which is a different type of software to the NUIX used to produce P1.
[27] T 222.
Mr Quick explained what each of the columns in P1 relates to. In the ‘Description’ column there are references to ‘File deleted’, this represents that the file has been deleted, there are some entries where it has been marked as ‘overwritten’ so the file has been completely or partly overwritten, so the ‘Deleted entry’ would mean that the file has been marked as deleted and an entry may have been in the recycle bin for that file. 'Invalid cluster' is where the reference to the location of the file may have become corrupted so it is not able to read where the original location of the file was. If a file was marked ‘no’ in the ‘Is deleted’ column the initial user would be able to view the file and if the file was marked ‘yes’ the user may be able to access the file depending on whether it was available in the recycle bin or had been emptied from the recycle bin. If it was emptied you would not be able to see it. The ‘Last accessed’ and ‘File created’ columns are identical to P1 and the column ‘Last written’ correlates to the column ‘File modified’ on P1. The ‘Entry modified’ column in P13 relates to when the reference in the master file table has been modified. The ‘Logical size’ column refers to the size that has been allocated for the file and the ‘Full path’ column contains the item that the file was located on and the folders and subfolders in relation to the folder. The column ‘Is overwritten’ indicates whether the location of the file has been overwritten, whether it is a deleted file or an existing file’. The column ‘Is deleted’ refers to whether a file has been marked as deleted.
On P13 there are entries indicating that LimeWire software had been used on HD1 and HD2 in 2006, 2007 and 2008 as there are LimeWire folders present on them. Entry 14 is a video file that was played or engaged on 4 February 2010 at 10:01pm. Entries 15 to 25 are viewed using Google Picasa between 11:51am and 10:19pm on 13 February 2010 on HD1 of the MOEBIUS. Entries 26 and 27 are named ‘Incomplete’. Entry 32 was created on 10 March 2010 at 11:06am which was located in a folder named ‘LimeWire 2’ in the Fonts folder. Mr Quick explained it is not usual for LimeWire software to create a folder at that location and it was likely created or selected by the user. Entry 33 on 10 March 2010 was in the ‘LimeWire 2’ folder on HD2 of the MOEBIUS. An entry of this type could have been made if a user created a folder at that location either through Windows or through other software. Both these entries relate to HD1 and HD2 respectively and indicate that there was some activity on each of the hard drives concerning LimeWire at those times.
Entry 34 indicated that it is a file on HD2 of the MOEBIUS and that it is in the folder named ‘LimeWire 2’. Entry 35 relates to the duplicate of that file as seen in the second column of P1 found on HD1 of the MOEBIUS. This indicates that the material is both on HD1 and HD2. Entries 34 and 35 are the subject of count 1 on the Information.
Entry 36 relates to a file created on 15 March 2010 at 11:06pm. The entry was a ‘FKC’[28] file relating to HD1. HD1 contained a lot of files that had been backed up. When files are backed up it makes a copy of each of the files in a particular location to another location but it is not necessarily something that the user needs to tell the computer to do and the software can be set up to automatically do a backup. A document was produced that set out details of file names which the software attributed to a backing up process relating to Entry 36, this document was tendered as P14.
[28] See Glossary – A log file of a back-up program that shows files that have been backed up.
P14 showed entry numbers and then what appeared to be file names in relation to back up software and was a log file purely of the file names.
| DictID | Name |
| 6510 | T-105488-pictures from ranchi torpedo dloaded in 2009- pedo kdv kidzilla pthc toddlers 0yo 1yo 2yo 3yo 4yo 5yo 6yo 9yo tara babyj (189).jpg |
| 6511 | T-137440-pictures from ranchi torpedo dloaded in 2009-pedo kdv kidzilla pthc toddlers 0yo 1yo 2yo 3yo 4yo 5yo 6yo 9yo tar aba byj (122)(2).jpg |
| 6512 | T-142768-pictures from ranchi torpdo dloaded in 2009- pdo kdv kidzilla pthc toddlers 0yo 1yo 2yo 3yo 4yo 5yo 6yo 9yo tara babyj (17).jpg |
The first part of the file name with the 'T-' and a number is indicative of P2P file sharing-type software which puts that information in the data for the file name. The only information that can be provided about the dates relating to these files is the backup date on entry 36. There is no information as to where it was backed up from or where it was backed up to. The log file only relates to some of the material, and was filtered according to the key words applied in the creation of the timeline in P13. There was approximately 156,000 entries in relation to other files and folders in the back-up log.
Entries 37 and 38 are video files with the same file created date and time being 2:40pm on 19 March 2010. Entry 37 is located on HD2 and entry 38 is located on HD1 and both were found in a folder named 'nasa/space/srtrn'. These entries are subject to count 10 on the Information.
Entry 41 is a file created date and time for 12 April 2010 at 9:53am and has some connection to LimeWire. The material is in a folder in user account ‘Mine’ in a folder called 'My documents' in a folder called 'LimeWire'. These folders are standard existing folders.
Entries 43 to 46 are link files.
Entry 47 is in green font and relates to a video file in the ‘Play’ list that had a reference in the description as ‘New folder incomplete 2’ and a 'T’ which is indicative of P2P file sharing. The video file was played on 21 April 2010 at 9:06pm on the laptop (BS9). The file was not on the laptop when examined by Mr Quick. The device had a drive letter allocated ‘F’ suggesting that it was on a USB device or portable hard drive connected to the laptop.
Entries 60 and 61 relates to the laptop and had entries with ‘ZZZ.ZZZ’. There was a process occurring over about 19 minutes of the laptop where the cleaner software was run to remove entries in relation to web browsing and to remove and overwrite files, the files names, and the master file table entries in relation to those files in P12, page 18, Mr Quick reports that there were approximately 14,639 entries that appeared to relate to that cleaning or erasing exercise.[29]
[29] T 249.
Entry 62 relates to activity on HD2 of the MOEBIUS on 16 January 2011 at 12:29. Similar entries were found through to entry 130 on 16 January 2011 at 2:12pm. All files had the 'T’ number indicative of P2P software. The files themselves were unable to be accessed and they were all marked as ‘Yes, deleted’. However Mr Quick was able to extract the file names from the master table using EnCase software. The preview component of the file descriptor indicated that a preview or snippet of a video file or smaller version of a JPEG file was viewed. Mr Quick said in his experience it was not possible for previews of this type to in effect drop into a hard drive without a user having conducted a search.
Entry 131 relates to activity occurring on 13 February 2011 at 4:38pm. Activity was also observed that day ranging to entry 168 which occurred at 6:59pm on the same day. All entries in blue font relates to HD2 on the MOEBIUS and indicated the use of Google Picasa viewer. Entry 146 has a file name as ‘Incomplete’ which potentially relates to LimeWire or FrostwWire. Entry 149 is a file within the ‘Incomplete’ folder and created on HD2 at 5:41pm. The ‘Incomplete’ folder on HD2 contains evidence of 22 more video files.[30]
[30] T 253.
Entry 157 represents a video or movie and relates to the ‘Incomplete’ folder on HD2 of the MOEBIUS. This represented a partial download from LimeWire. This entry is subject to count 2 on the Information.
Entry 159 represents a video or movie and again relates to the ‘Incomplete’ folder and a partial download from LimeWire. This entry is subject to count 3 on the Information.
Entry 171 represented a video or movie and relates to the ‘Incomplete’ on HD2 and appeared to be a partial download from LimeWire. This entry is subject to count 4 on the Information.
Entry 174 is in purple font and has a file created date and time of 21 February 2011 at 1:15pm.
Entries 175 to 194 are in blue font and represent evidence of picture files viewed using the Google Picasa viewer. Entry 189 could be a still image or movie. These files have a created date of 21 February 2011.[31]
[31] T 256.
Entry 191 was found on HD2 of the MOEBIUS which was the hard drive where the Google Picasa thumbnails were. The file was an ‘AVi’ or video file and appeared in the ‘Incomplete folder’ meaning that it was partially downloaded using the LimeWire software program. This entry is subject to count 5 on the Information.
Entry 193 is a video file also found on HD2 in the 'Incomplete’ folder. This entry is the subject of count 6 on the Information.
Entry 195 references a file in the ‘Incomplete’ folder on HD2 and there was some activity in respect of that file at 11:42am on 21 February 2011.
Entries 196 and 197 relate to activity at 11:42am and 11:43am on 21 February 2011. The entries were video files both in the ‘Incomplete’ folder on HD2. These entries are subject to counts 7 and 8 on the Information.
Entry 198 is in purple font.
Entries 199 to 212 are in blue font and were viewed by Google Picasa on HD2 between 3:16pm and 4:37pm on 28 February 2011.
Entry 213 relates to activity on HD2 of the MOEBIUS at 5:10pm on 28 February 2011. This file was a movie file. Entries 215 to 222 in black font represent similar types of files engaged with HD2 up to 5:21pm on that date.
Entry 214 represents a similar type of file and was engaged with at 5:13pm. It appeared in the ‘Incomplete’ folder and it represented a partial download from a P2P group. This entry is subject to count 9 of the Information.
Lines 223 and 224 contain references to the cleaning and erasing software. The first of those entries was date and time stamped on 17 March 2013 at 3:17pm and the later entry was date and time stamped at 3:47pm. Both of these entries relate to HD2 of the MOEBIUS. Mr Quick counted approximately 91,419 files with extensions such as ‘ZZZ.ZZZ’ between November 2008 and March 2011.[32]
[32] T 259.
Entries 225 and 229 are in purple and another example of a link file.
Entries 227 and 228 relate to 22 April 2011 and are link files. They both contained the prefix ‘T’ indicating P2P software being associated with the files.
Entries 230 to 257 relates to the Kingston Technologies 4Gb thumb-drive, (BS12) created on 9 July 2011. There appeared to be picture files that had been deleted and the contents overwritten. The files themselves were not available to Mr Quick at the time of his analysis however he was able to discern the file names from the record held on the master tape.[33]
[33] D20.
Entry 263 also relates to the Kingston Technologies 4Gb thumb-drive and was a Windows executable program that overwrote all other entries on the USB. GuitarPro6 at entry 263 overwrote the files at entries 230-257. The entry has a file created date and time of 30 August 2011 at 1:49pm.
Entries 258 to 262 indicate the use of FrostWire on HD2 of the MOEBIUS on 24 August 2011.
As a part of Mr Quick’s analysis he attempted a SHA1 value matching exercise where he searched across all drives for any recorded SHA values associated with the URN SHA1 listings and complied them into a table. He searched for the term ‘URN SHA1’ because when LimeWire stores a SHA1 value it stores it with that reference. He located 21 matches on hard drive 1 of the AMR computer tower and 1,460 matches on HD2 of the MOEBIUS. Mr Quick compared the SHA1 values that were stored in the Child Exploitation Tracking System (CETS) database for previously identified child exploitation material to see if there were any matches. He detected a number of matches between the material from the AMR computer tower and the MOEBIUS computer tower and where those matches occurred he included a table. This table was tendered as P15.
The ‘source’ column indicates the device that gave rise to the match and the ‘SHA1’ column referred to the Secure Hash Algorithm relating to that particular file. The ‘CETS’ column references a term of categorisation within the system. The column headed ‘LimeWire SHA1(32)’ relates to a system where when LimeWire stores the SHA value, it stores it as a 32 hit number were as the CETS system stores it as a number.[34] It was effectively the same value but a different number. The ‘folder path and filename where present’ column relates to the associated file name and path information for that entry. Given that there were hits on the term ‘URN SHA1’ it indicated that at some point, files with those names commenced the process of downloading to one or other of the two devices.
[34] T 266.
Mr Quick made estimates of data present in each of the 10 files in P1. He made the following estimates:
·Row 1: 99.36% present;
·Row 2: 91.52% present;
·Row 3: 65.67% present;
·Row 4:69.79% present;
·Row 5: 4.14% present;
·Row 6: 30.70% present;
·Row 7: 90.75% present;
·Row 8: 32.16% present;
·Row 9: 64.63% present;
·Row 10: 99.15% present.[35]
[35] T 269.
Mr Quick searched across the devices for documents appearing to be in the name of or relating to the accused and he observed a number of invoices in the name of the accused on the Imation 4Gb thumb-drive and on HD2 of the MOEBIUS.
In cross examination, Mr Quick said that a network of itself does not need to be connected to the internet. He said that data can be downloaded if one has a web browser open, via Wi-Fi depending on the security settings, by someone placing a CD or DVD into an optical reader in a computer or a USB drive.
He said in relation to the MOEBIUS computer he identified two user accounts on HD2, one with the username ‘Administrator’ and the other named ‘Mine’. The ‘Administrator’ username was the default account to which the operating system automatically goes to and is usually the first account that is accessed to enable other accounts to be set up. The account can have a password but it is also the case that a user can choose not to have a password for that account. The username ‘Mine’ had administration rights and they could do anything they liked to the computer. He could not say whether the two accounts had passwords or not.
He said he did not examine the MOEBIUS computer to see if it had antivirus software installed and did not examine HD2 to see if it had an active firewall. Firewalls and anti-virus software are not infallible in terms of preventing viruses and unexpected connections. He examined both drives of the MOEBIUS to see whether they had any malware on them and found malware on HD2.[36]
[36] T 281-282.
He said that he believed Windows XP had remote access software allowing someone who has set up the remote access to be away from where the computer is physically located and connect to it from another computer remotely. He could not recall whether he saw any active remote access software installed on the MOEBIUS but there may have been internal Windows XP remote desktop software.
He said depending on the router it can also operate as a line of protection by the way of a password. The IP address is assigned to the router which means a number of computers or devices can be attached to the router. If the protective provisions are not engaged it may be that anybody who is within the vicinity of the router would be able to access the Wi-Fi network and access the internet through that. Usually the Windows operating system computers default to not allowing access and unless it was specifically enabled, someone accessing the Wi-Fi would be able to access individual computers on the network.
In relation to the emails in P7 he was unable to say what machine the emails were sent from and agreed that emails can also be accessed by going to the internet server provider’s web address.
Denial of service attacks can originate from P2P networks and also directly over the worldwide web. He said that malware, known as spyware, is designed to sit quietly and not necessarily be detected and the owner of the system would not necessarily be aware that was occurring. For example, the malware would sit quietly and wait for a user to type in their bank account number or password and then quietly send that back to the people that designed the malware. He said that hyperlinks potentially expose people to the risk of malware.[37]
[37] T 292.
He said that P2P networks can distribute trojans and they can be transmitted as part of zip files and compressed music files. Back door viruses, ransomware and worms can be transmitted by P2P networks.
He explained P2P software works by sending and receiving files, it is not one-way traffic. It does not require one large centralised server and when a user’s computer comes onto the network they become a mini server in their own right. The networks can be vulnerable to routeing attacks because each computer is effectively acting as a node.
He said the master file table would not be accessible to an ordinary computer user and they would need to use specific software to be able to get into the master file table. Some software can be used to modify the master table but the software EnCase that he used would not allow any modifications. Other software such as WinHex would allow an individual to completely change the file name, the log entries and make the data invisible in terms of whether it existed or not.
A Masterfile table from the Kingston Technologies 4Gb thumb-drive was tendered as D20. The ‘last written’ column is similar to the previous reports of the ‘file modified column’.
Mr Jolly produced numerous articles to Mr Quick for him to comment on. Mr Quick stated that no network is immune and it does not matter whether it is running P2P software or not. He said that antivirus software may not be able to pick up malware being on a computer. He said he did not examine LimeWire and was unable to say what the default settings for it might be.
Mr Quick said he did not see any signs of malware infection when he was doing his analysis. It was technically possible that the LimeWire files on P1 were automatically downloaded as part of malware embedded in the P2P software where they have appeared to be an apparently genuine download. In re-examination he said it was unlikely based on the period of time as indicated by the dates associated with the files.
He said it was possible but unlikely that the files on P13 with a ‘T’ prefix had been downloaded via a P2P network as a result of malware activity on the computer at the time. In re-examination he said that from line 62 to 130 his opinion was that there was some user activity involved in downloading and reviewing files. He concluded that P13 shows file activity on numerous hard drives and also on a laptop and USB device, as opposed to one hard drive or one computer.
In re-examination Mr Quick said he had not seen malware contained within the LimeWire software. He said he had not seen malware specifically designed to infect a particular IP or computer and that it usually infects and spreads itself through a range of computers. He said he was not aware of malware creating entries as found in entries 14 to 25 on P13 and he was not aware of any form of malware that could be responsible for creating a back-up log such as represented by P14. He said he had not seen any examples of malware taking the form of propagating child pornography. He said that it is not common for files with media file extensions to contain malware.[38]
[38] T 377-378.
Ms Sara Frances Dobbyn was called as a witness. She is 25 years old and studying law whilst working as a data entry officer. She has known the accused since she was young and considers him as a godfather to her younger sister Alice.[39] When she was nine or ten she resided with the accused with her sister and mother while they were waiting for a house to be built at Sellicks Beach and she stopped living there when she was nine or ten. After they moved into their house they continued to see the accused at his house in Reynella. She engaged with computers at his house in the period that she has known the accused. When she was aged nine or ten she would use computers for games.
[39] T 400.
Once she had moved out of the house at Reynella she would see the accused quite frequently over the years until he moved out of the house at Reynella. She was unsure of the date that this occurred. She said she would visit the accused at the Reynella house a couple of times a month and would go alone or with others. She would visit the accused for the assistance with research assignments and for an ear to listen to her. She would use the computers during her visits and would upload images for social media and do projects on it.[40] She used the accused’s computer to upload photos onto his computer and then upload the photos onto social media such as Facebook.
[40] T 402.
She moved into the accused’s premises at Reynella when she was completing year 12 for a couple of months. During this time she used the computer predominantly for study. She had her own laptop but she used the accused’s computer for research assignments on the internet and printing. She used her own laptop for social media, projects and assignments. She believed she used LimeWire when she was younger and she was not aware if she used it on any of the accused’s computers. She continued to see the accused when he moved to the premises at Seacliff but not as often as previously. She said she could not recall whether she used the computer at the Seacliff residence.
When cross examined Ms Dobbyn said she saw the computer she used at Reynella in the Seacliff residence. She said the accused owned just the one computer and she did not recall it being password protected. She was present when her sister and mother used the computer, along with a lot of his friends who would come and borrow his computer. The accused did not ever tell her that there were parts of the computer off limits and she had full access to the computer and there was never an occasion when the accused would not let her use the computer. When she was on the computer she did not ever see images of child pornography.
She had her laptop at the accused’s premises and would connect to his Wi-Fi network at his house that required a password to connect to the Wi-Fi. As far as she was aware of the password did not ever change and that once you entered the password you did not have to re-enter it again unless it has changed. She said when she was younger she did not ever see the accused have an interest in astronomy but she has seen him have an interest in it recently as he has a telescope.
Mr Kernick had not seen examples of Spyware, ransomware, Botnet, Electronic worms, trojan viruses used for the purpose of disseminating child pornography. He said that for a RAT to operate the computer must be turned on and connected to the internet in some way and to remain connected to the internet. If the computer was switched off then their access would be prevented. When looking for evidence of a RAT you would be looking for other indicia of a person other than the user having used the computer such as access times or access to websites that do not form part of the normal operation of the machine or use of software that the user was unaware was installed.
Mr Kernick said that viruses do not hang around forever and it is hard to keep them there. If a machine gets patched it is likely the problem will go away. A RAT persisting for a year is unlikely to happen and he would be surprised if that happened. He said it would be implausible for it to persist for three years.
In relation to P13, Mr Kernick agreed that EnCase’s detection of the files in blue is consistent with files bearing those names having been viewed using Google Picasa. He had not encountered any examples of Google Picasa being responsible for introducing child pornography onto a computer.
In relation to entries 62 to 130 he said that they were preview files and it was more likely some user operation was involved in engaging with them as opposed to some other phenomenon because of the way preview files are generated and how they are required for a ‘search’ to be typed. He said it is possible that some sort of malware could have deposited the preview files onto the computer but it was not plausible because there is no reason for anyone to package up a version of LimeWire that includes child pornography and then put it on a site and he has never seen an example of this occurring.
In relation to entries 157 and 159 he said it looked like someone was trying to download the files and that the fact that something was in the process of being downloaded sat more comfortably with a user action having initiated that process rather than malware. He had not encountered any example of malware or a virus being responsible for initiating the downloading process of child pornography material through P2P networks.
In relation to entries 230 to 257, Mr Kernick said that were all marked as deleted and overwritten by EnCase which meant they did not exist on the computer now but it was found that at some point in the past a file of that name existed but it has both been deleted and the blocks on the disk that were used for that file were now used by another file. In the context of a USB it was likely that GuitarPro6 had been used to overwrite the files as it was a small device and the operating system has to more aggressively overwrite blocks. He said that it was possible for the GuitarPro6 program to have been used to overwrite entries 230 to 257 and if the user would have done something that caused the program to be put on the USB. He said the only malware that could have overwritten files on a USB stick would be a remote access approach but remote accessing would not have been able to plug in a USB or could not do anything that required real hands. He said it was vastly more likely that a USB was written and created by someone who was sitting in front of the computer.
In re-examination Mr Kernick said that as the size of the GuitarPro6 program was the size of 28 megabytes and the USB that is referred to had a capacity of 4 gigabytes it was unlikely that a file size of 28 megabytes would force an overwrite on a 4 gigabyte USB drive and unless the device was completely full it will not choose to overwrite things that are used before, it only writes what it has to. He said that if there was sufficient space on the USB for a 28 megabyte executable file, it would not overwrite other material on that USB.
Counsel addresses
Counsel addressed. I am not going to attempt to summarise everything they say. The addresses were a very complete presentation of their relative cases.
Ms Matteo suggested that the defence position that malware had infected the electronic devices used by the accused and then possessed and controlled these devices such that material was downloaded, viewed, deleted and moved was in the circumstances an absurd proposition. She submitted that the finding of child pornography or remnants across four separate devices and the way that it was used demonstrated that the child pornography was being deliberately engaged with and that the accused was linked to each of the devices upon which it was located or remnants were located. She submitted that the four items being MOEBIUS (BS8), the laptop being (BS9), the AMR computer tower (BS10) and the Kingston thumb drive (BS12) were each located in the accused’s home. At that time he lived alone and the items were in his sole and exclusive possession. She submitted that the accused is a person who by his own admission is knowledgeable about computers. He is a person who is careful and considered. It is unlikely that he would be careless in the handling of illicit material. He has the motivation and the know how to cover his tracks. It is only because of the nature of the E-crime software that his behaviour has been exposed. It is the very fact that he has attempted to cover his tracks and the large volume of material that he has been engaging with that has been his undoing.
Ms Matteo submitted that the accused’s link to the premises at Reynella and Seacliff Park in conjunction with the timeline that has been prepared being P13 needs to be considered. The accused was at the premises in Reynella from 2 December 1999 to 2 March 2011. He commenced residing at Seacliff Park 28 March 2011. The timeline P13 evidences a file erasure process occurring at the time he left the Reynella premises and within days of being at the Seacliff Park premises there is re-engagement with child pornography that can be found at lines 225-229 of P13. The need to disconnect the system in order to have moved from Reynella to Seacliff Park, it is submitted, means that any prospect of a remote access trojan (RAT) operating whereby an entity is remotely controlling another entity could not have occurred as it required power to be on and internet to be connected at the other end of the computer. This clearly was not happening during the time of the move. In addition to this, the timeframes consistent with the accused having used and manipulated the devices, deleted material and uploaded material.
Ms Matteo submits that the accused was an unimpressive witness and his explanations are not reasonably possible. He was evasive and unconvincing. He claimed to have a sound working knowledge of computers when it suited him but invoked ignorance where it would be incriminating for him to reveal how extensive his knowledge was. He was evasive when it suited him. He lacked n credit.
The prosecution submitted there were three critical matters the combined force of which render malware, third party mischief, or both, utterly improbable as an explanation for the offending material. These are the accused’s knowledge about computers, the presence of child pornography including with repetitive themes and titles being present across four of his electronic devices and the evidence of both experts that malware or viruses can realistically be responsible for importing this material into this computer in this case. It was said that it is not possible to conceive of a constellation of events which could be responsible for evidence of child pornography appearing across those four devices and existing predominantly on the accused’s main computer which does not involve knowing and purposeful behaviour on the part of the accused.
Mr Jolly addressed on behalf of the accused. He submitted that it is undoubtedly the case that someone must be responsible for the material that has been forensically discovered. However, to suggest that the accused is the only person who could be responsible is to ignore the weight of the evidence. He submitted that Mr Sexton’s IP address had remained the same despite his move from Reynella to Seacliff Park and the computer in essence had remained the same between the properties. He said that Mr Sexton’s evidence was consistent with the evidence given by Sarah and Alice Dobbyn that the computer was generally left on and left connected to the internet via the router and this occurred in both properties. This could give the opportunity for the introduction of malware or viruses that could be responsible for what was located on the computer. Mr Jolly reminded me that there needs to be careful analysis in relation to P13 that does not represent all of the computer information but rather selected material. In relation to P14, the backup files that relates to entry 36 on P13, he reminded me that Mr Quick could not identify the actual drive from which it was backed up, nor could he identify the drive that it was backed up to. The log itself does not tell you what process was actually followed on HD1 or HD2, nor does it follow that the files as exhibited in P14 solely or exclusively existed on HD1 or HD2.
Mr Jolly submitted that in respect of entries 230-257 on P13, it was possible to add up the size of the files that had been deleted and bearing in mind the space on the Kingston USB, when compared to the size of the Tower Pro 6, it is ridiculous to suggest that program was placed there to force an overwrite of the offending material.
Mr Jolly submitted that the prosecution engaged in a cherry picking exercise that needed to be treated with caution and in this regard referred me to exhibit P7, the emails. He submitted that the correlation or comparative exercise that had been undertaken by the prosecution was a simplistic way of saying look at the dates and times and they match the dates and times of the computer activity in relation to child pornography. He submitted that the dates and times as referred to in P13 may not accurately reflect the times when these things happened.
Mr Jolly submitted that the analysis done by Mr Quick might be more readily accepted if there was what he called a sealed system with a unique user and a unique password. In that case it could be attributable to the accused. However, in this case there is not one unique identifiable user and there is a generic user account with no password protection. For this reason a number of people could have used the system and I heard evidence from three of them. He submitted that the prosecution could not reasonably exclude a third party being involved, whether it be a hard drive, a disc or a USB drive connected to the computer that was unknown to the accused and then either backed up or copied child pornography.
Mr Jolly further submitted that malware in one form or another may be the explanation for the presence of the child pornography and that it cannot be simply discounted. He submitted that I needed to exercise care in not just brushing to one side this possible explanation. He submitted that an unknown remote third party may be able to access a computer and utilise the programs notwithstanding a fully operative firewall and antivirus. He submitted that if RAT is going to be used by an unknown third party in relation to child pornography then as a matter of logic, the person who is accessing the material and downloading and viewing it does not want to be associated with it. It may then allow that person to download and view it on someone else’s computer.
Mr Jolly submitted that a program such as LimeWire would make the computer vulnerable and that having happened once may happen repeatedly. The fact that there are different devices is irrelevant as they are networked and if the USB drive is on the computer whilst it is connected to the internet then the USB device is part of the network.
Mr Jolly submitted that the accused does not have to prove anything but there are multiple explanations given the actual physical set up of the computer and the prosecution cannot exclude that there has been intervention in some way by a third party that has resulted in the finding of child pornography. Mr Jolly submitted that the accused exposed himself to extensive cross-examination, that he made reasonable concessions when one would logically expect that to occur, that he spoke openly to the police and that the accused was effectively a man who had the wherewithal to have cleansed his electronic devices of this material if indeed he had been viewing it.
Discussion
I am going to deal initially with the evidence given by the expert witnesses, Mr Quick and Mr Kernick who was called by the defence. Their evidence was to a large extent ad idem. Both Mr Kernick and Mr Quick are well qualified experts to speak on the areas about which they gave evidence. Their expertise was not challenged.
The main issue is the question of whether the activity that has been detected on the four electronic devices could possibly have occurred other than by the positive activity of the accused and in particular by the operation of malware or virus’. Both agreed that malware can take the form of botnets, spyware, trojans, backdoor viruses, worms and ransomware. It can infect an electronic device by various operations including emails that contain executable software, clickbait and P2P networks. The manner in which it is seen depends upon the purposes of the criminal enterprise and what the hacker is trying to achieve. Mr Kernick agreed that in most cases the purpose of malware is to hijack the computer to use as the hacker wishes whilst not being detected. Of course in most cases there needs to be a reason to do this either to benefit the attacker or harm the network or the victim.
Both experts agreed that no computer network is immune from malware. All manner of malware can be introduced through P2P networks and anti-virus software is not infallible in detecting malware. However, both experts also agree that there were no signs of malware operating in relation to the electronic devices in this trial. Malware is more likely to be transmitted by executable files rather than JPEG or AVi files. Both experts agree that whilst it may be technically possible for LimeWire files to be automatically downloaded by malware, with some form of trojan, there were no signs of it having occurred here. Neither of them have had experience of it.
In Mr Quick’s years of experience he has never seen and is not aware of malware that could create entries such as those on P13 being the Google Picasa viewings and in relation to P14, the backup log file. Mr Quick was not aware of any malware that would create that sort of information or data seen in this matter. In 13 years in E-crime he has conducted over 600 examinations in respect of 1,800 devices and has never seen examples of malware taking the form of propagating child pornography.
Similarly, Mr Kernick has never encountered any examples of Google Picasa being responsible for the introduction of child pornography on a computer. In his opinion, the fact that there were preview files indicated that it was more likely that there was user operation responsible for their engagement rather than some other phenomena because the very nature of this material is such that it requires a search term to be entered. Mr Kernick did not consider it plausible that malware deposited child pornography on to the computer. He said that this was so because he could think of no reason for anyone to package up a version of LimeWire that included child pornography and put it on to a site. He has never seen this occur.[61]
[61] T 710, lines 9-36.
QDoes the fact these are preview files indicate it is more likely some user operation was involved in engaging with them as opposed to some other phenomenon.
A. Yes.
Q. Why.
A.Because the way preview files get generated is you type a search in and as a result it finds a bunch of things that match it. Preview files are those things. Even if you didn't download them. So it is probably the creation of preview files is almost certainly resulting in someone typing a search into LimeWire to find material of a particular sort.
HER HONOUR
Q. That is how a preview is generated.
A. Yes
XXN
Q.Is it possible that some sort of malware could have deposited these preview files onto this computer.
A. It is possible but it is not plausible.
Q.Is it, in part, implausible because of the time spacing that pertains to the file created dates and times.
A.No, it is implausible because there is no reasonable reason for anyone to package up a version of LimeWire that includes child pornography and then put it on a site. I can't conceive of a reason anybody would do that.
Q. You have never seen any example of that occurring.
A. I have not.
In determining whether there has been malware interference with the electronic devices such as a Random Access Trojan (RAT) or use by a known user. Mr Kernick said you would look for features such access occurring at times when the legitimate user does not normally use the machine; access to websites that do not occur in the normal operation of the machine or use of software you did not know was installed as an indicator and you would look at timing in terms of the sequence rather than the time and date. He said you would look at unexplained activity alongside known activity and that sequence can be relied upon to in effect tell a story. Mr Kernick also said that one of the indicators of a RAT versus legitimate use would be the period of time over which the activity transpired. Over one month he thought would be fairly suspicious, one year he thought less likely in terms of a RAT. He explained this in these terms:[62]
Q. Why is that getting less likely over the period of a year.
A.Because if you have - these things don't hang around forever. It is hard to keep them there. That is why there aren't 10 billion bots out there. If the machine gets patched it is likely the problem will go away. If the person pays for antivirus subscriptions the problem will likely go away. Retaining remote persistent access in a botnet sense for a year is unlikely. Again, I will clarify and say in NationStates cases which we have investigated it could be years, absolutely, but they are very persistent. In a botnet sense I would be surprised if a machine stayed compromised for a year if it is a computer. We did talk about compromise video cameras they can stay compromised for decades but an ordinary desktop or laptop is unlikely. If you went to three years it is implausible.
[62] T 707-708, lines 35-13.
In addition to this, Mr Kernick thought that the previewing of a file also indicated legitimate user use rather than a RAT and this would be supported if indeed material had been downloaded. In this case that is significant because the subject of count 2 as evidenced at line 157 of P13 being a download of child pornography on 13 February 2011 was previewed at line 95 on 16 February 2011. The same pattern can be demonstrated in relation to the file the subject of count 3. In relation to his other evidence, he thought that the swapping of hard drives in and out did not really make a difference and the multiplicity of users that is relied upon by the defence as a possible explanation where there was no password would not make a difference.
Mr Kernick also checked the report that had been generated by Mr Quick and the materials as generated by Mr Quick including P13 and did not take issue with them.
In relation to some evidence that was given by Mr Quick that he would not rely upon articles that were shown to him in evidence unless he could reproduce the results, Mr Kernick gave evidence in relation to research and the way that it is used within his area of expertise and in particular by other experts of whom he is aware. In the usual course, an expert will inform themselves in a number of different ways. One way may be by keeping abreast of the literature that is published in respect of their field of expertise. Another is attending at conferences, reading textbooks etc. It will not always, indeed it may never be necessary, for an expert to be able to reproduce the results of research in order to rely upon it. Much would depend upon the research and whether or not the expert forms an adverse opinion in relation to it.
At the end of the day whilst there is some disagreement between Mr Quick and Mr Kernick in respect of this point, there were no disputes of any substantial or substantive nature in relation to the evidence given by either. In that event I do not consider that this dispute is of any moment in this trial.
I accept the evidence given in this trial by Mr Quick and by Mr Kernick. In short, they agree that malware is a phenomena that exists and can be used to manipulate electronic devices. They both agree about the necessity to look at the objective features of a particular case to determine whether it is reasonably possible that malware has had an involvement in relation to known events. Neither can see any evidence of the involvement of malware in this case. That does not mean it is not possible and what must be considered is whether it is reasonably possible that malware or some other explanation is responsible for the results that were obtained in relation to this particular case.
Alice and Sara Dobbyn and Levi Sexton each gave evidence that they have used the computers in particular the MOEBIUS computer at the accused’s premises. Their evidence is relevant to the submission made by the accused that he did not have sole and exclusive use of his computers and a suggesting that may be how his computer became infected with malware or a virus. There was no suggestion by the defence that any of these people had in fact accessed or downloaded child pornography. I accept the evidence of all three. I accept that at various stages all three utilised the computer at the accused’s home. I am also satisfied that Levi Sexton and probably Alice Dobbyn utilised Wi-Fi and accessed the internet from the home in this way. However there is no evidence that any activity by them resulted in the results as revealed by the forensic analysis.
In relation to the witness Brad Miller his evidence was also relevant in relation to the opportunity that there has been for others to utilise the electronic devices of the accused and the internet. There was in particular a suggestion that Mr Miller borrowed a laptop from the accused. This laptop was found at the house by the police when they attended. Mr Miller utilised the desktop computer probably the MOEBIUS at the house at Reynella on two or three occasions utilising Facebook and downloading some music. In order to do this he obviously had access to the computer, the password for the computer and access the internet.
A computer belonging to Mr Miller had been backed up by the accused. This evidence is relevant to the questions of who had access to the accused’s computers, who had access to the internet by his Wi-Fi password, and the possibility of transference of material through the backup from Mr Miller’s computer. There was no suggestion that Mr Miller had accessed or downloaded child pornography. There was no suggestion that his computers were affected by malware or that he had any untoward activity occurring on his computer. I accept the evidence of Mr Miller as reliable and credible.
The accused participated in a record of interview with the police and gave evidence in this trial. It is important to bear in mind in assessing the evidence and the out of court statement of the accused that he is not required to prove anything at all. Importantly, he is not required to provide any explanation for material that may be upon his computer or has been in the past upon his computer. Of course if he does provide an explanation then that is a matter to take into account in assessing whether the prosecution have proved any or all of the charges beyond reasonable doubt. His explanation may cast doubt upon this in which case he is entitled to be acquitted in relation to the charges that have not been so proven.
The accused was on notice when he attended at the police station in relation to the nature of the inquiry. He was aware that computers had been removed from his premises. He was told at a very early stage in the formal record of interview[63] that the police suspected that he had accessed and shared child pornography from a computer. The accused immediately began suggesting to the police that others were either setting him up or had misunderstood and misinterpreted a situation that occurred sometime before. He continued with these explanations despite the fact that the police told him that the information they had was not from a human source but rather from computer generated material.
[63] P3, Transcript MFI P4.
In the course of this trial, all the explanations that he proffered to the police have been full explored. As I will come to, I do not find any of the explanations to be reasonably possible. Similarly,on the evidence that the accused gave in this court, his explanations and his denials are rejected by me. He was an unconvincing witness. I was not impressed by his explanation that he is essentially such a smart man that he would have been able to cover his tracks sufficiently if he had engaged in this type of behaviour. It is interesting to note that on the evidence presented to me whoever was engaging in this behaviour was in fact trying to cover their tracks by deleting material, moving material onto external hard drives, and in the case of the Kingston USB (BS12) overwriting all the material with the GuitarPro6 program.
I am satisfied that the accused although he thought he could cover his tracks and although he thought he had the capacity to outsmart or outwit the forensic technology now employed by the police he was simply not capable of doing so. As I have said earlier I bear in mind that there is no obligation on the accused to disprove these allegations. The onus remains at all times upon the prosecution to prove the charges beyond reasonable doubt. I do not find the evidence of the denials of knowingly accessing or possessing child pornography reasonably possibly true. I do not accept his explanations for the evidence of engagement with child pornography reasonably possibly true. In short I do not find him to be a credible witness in relation to these matters.
Findings of fact
In making these findings I have taken into account all the evidence that has been given by the experts, the civilians and the inferences to be drawn from the material that has been presented to me. I have considered all the arguments put by both the prosecution and the defence in relation to each of the aspects of the trial. I have considered the evidence of the accused and his explanations. I have borne in mind the onus of proof and the burden of proof.
I reject the submission that malware has had any part to play in relation to the child pornography that has been located or where only the file names remain, the files having been deleted. Whilst I accept that malware does exist, I am persuaded by the evidence of the experts that it would not have continued to exist over such a lengthy period of time and that there is no rational explanation for why malware would operate in this way. There is no material that is capable of any explanation as to why the accused’s computers would be infected in this way without him becoming aware of it. There is no evidence that this was a general strike in relation to multiple computer users or that there was any reason why the accused would be singled out.
Whilst it is plain that Mr Sexton was not the only user of his computer there is no reason to think that any other person who has been nominated as being a user has had any part to play in accessing or downloading child pornography. It is interesting that no person who has utilised the computer has seen any of this material, however it must be borne in mind that Mr Sexton is a man with considerable knowledge in relation to computers and would be capable of putting material into folders that would not be accessed by others.
The evidence in this case shows a pattern of behaviour consistent with an interest in the user of the devices viewing, downloading, deleting and transferring child pornography from the internet.
The prime source of this material is P2P networks and the material is generally in the form of JPEG and AVi files.
The evidence supports a finding that while P2P networks are susceptible to malware the incidence is higher in downloaded executable files than in JPEG or AVi files. That is not to say there could never be malware associated with these files but it is less likely.
I am also satisfied that there is evidence of continuous use of the computer on different days to engage with different types of material. On 13 February 2010 as shown by lines 131-173 of P13, there appears to be almost continuous viewing of child pornography using Google Picasa, downloading material from P2P networks, previewing material, including videos with names suggestive of child pornography .
This pattern is repeated on 21 February and on 28 February. On 21 February 2011 there are Google Picasa viewings on entries 175-190, in addition to partially downloaded movies in the incomplete folder indicative of P2P network involvement and materials the subject of counts 5 – 8 at lines 191, 193, 196, 198. On 21 February 2011 there is also material that indicates that the accused was utilising the MOEBIUS computer and in particular HD2 on the MOEBIUS. There are a series of emails to be found behind tab E of P7, sent and received on that day just before the Google Picasa viewings commenced. There are also emails at 10:20 and 10:23 that sit precisely between the Google Picasa viewings of entries 177 and 178 where there appears to be a window in which the viewing of the Google Picasa material ceased for approximately 17 minutes. The accused accepts that he sent these emails form the MOEBIUS computer at his home.[64]
[64] T 573.
This evidence is powerful evidence that it was the accused who was engaging with the child pornography on the MOEBIUS computer at or about the same time he was sending emails from that computer.
The same pattern is evident on 28 February 2011 with Google Picasa viewings commencing at about 16:50, partially downloaded child pornography in the incomplete folder as evidenced by entry 214 and engagement by the accused with email on the same day albeit not at the same time. Thereafter there is evidence of a complete clean of HD2 from MOEBIUS computer on 17 March 2011 in preparation to the move to Seacliff Park.
There is positive evidence that there is child pornography of a similar or the same nature across the four devices. The defence argument is that there is a possibility that during the course of the accused’s work he backed up a client’s hard drive and that transferred the material to his devices. I reject this argument. To accept it as a reasonable possibility would mean that the four quite separate devices could at different times become infected by malware at the hands of a third party. That in the circumstances of this case is implausible when all the evidence and the reasonable inferences from that evidence are considered.
I am satisfied that the prosecution have proved the discreditable conduct beyond reasonable doubt and that it is relevant to each of the charged acts. I have not used it for the impermissible purpose. I am satisfied that it clearly demonstrates a disposition on the part of the accused to obtain access to and possess child pornography on an ongoing basis. Further it demonstrates a system by which the accused would preview, download including to portable hard drives, delete and cleanse devices and conceal his offending.
The charged and uncharged acts give rise to such a system that I can exclude the rational hypothesis as suggested by the defence that something or someone other than the accused is responsible for the activity as detailed in the forensic analysis of the devices in the possession of the accused – namely the MOEBIUS with HD1 and HD2, the AMR computer, the laptop and the Kingston USB.
The overwhelming inference is that the accused is responsible for each action as documented in P13. The very nature of the offending occurring with human input across four different devices, sometimes interspersed with use of the computer such as using email satisfies me beyond reasonable doubt that it was the accused intentionally accessing and on occasions downloading child pornography.
I make these findings of fact being satisfied beyond reasonable doubt
·The accused was in possession of the MOEBIUS (BS8), the laptop (BS9), the AMR computer tower (BS10), and the Kingston thumb drive (BS12). The MOEBIUS and the laptop were located in the accused’s study. The AMR computer was in the lounge room adjacent to the television and the Kingston thumb drive was in his lounge room.
·The accused downloaded P2P software, LimeWire, as early as 2006 and thereafter has access to that program until he downloaded LimeWire 2 in 2010 to both HD1 and HD2. When LimeWire was shut down he downloaded FrostWire.
·P2P software downloads to a folder named “incomplete”.
·The accused viewed child pornography utilising Google picasa on HD1 on 4 and 13 February 2010.
·The accused previewed music utilising P2P software on 7 March 2010 that was saved to HD1 and HD2.
·I am satisfied that on 10 March 2010 the accused accessed child pornography saved into the Fonts folder that he had created on HD2 and it was then duplicated onto HD1 (Count 1). That the fullpath is the same as the music downloads 3 days earlier that he admits doing and proves a purposeful action by him. In addition, the “Real private daughter” series that he has accessed on 10 March 2010 is viewed utilising Google picasa on 13 February 2011
·Further I am satisfied that when the backup occurred on 15 March 2010 (entry 36 on P13) the file was saved as it appears as entry 6706 on P14.
·I am satisfied that the accused accessed child pornography as set out in P1 and P13 being counts 2-9 inclusive.
·I am satisfied that the accused knowing possessed the material the subject of Count 10 at the time the police attended on 31 August 2011.
·I am satisfied that the Counts 2, 3, 6, 8 and 9 are aggravated in that the accused knew that the victims were under the age of 14 years.
·I am satisfied that the MOEBIUS computer engaged with child pornography in particular on HD 2 from February 2010 to April 2011. The majority of this engagement ceases on 28 February 2011 and there was a complete clean out of HD2 on 17 March 2011. Thereafter, there are preview files and an incomplete download on HD2 that ceases on 22 April 2011. Thereafter, there is evidence from the Kingston USB of engagement with downloaded JPEGs of child pornography created on 9 and 10 July 2011 and overwritten by the GuitarPro6 program on 30 August 2011 being the day before the police attended at the premises.
·I accept the evidence that an analysis of the computer engagement and the emails contained within P7 show that the accused was using his emails, both sending and receiving them at or about the same time that he was engaging with child pornography on the MOEBIUS computer on 21 February 2011.
·I find that the accused was accessing the Moebius computer to send emails on 28 February 2011 and that there was activity in relation to child pornography on that day.
·I accept the evidence that there have been previews of files that have been subsequently downloaded and I accept that in order to preview files a search term needs to be entered into the computer.
·I accept that there has been or is child pornography on the four separate devices that I have referred to earlier.
·I am satisfied that none of the persons who have been nominated by the accused as having access to his computers, Wi-Fi, or password has caused the child pornography to be present on the devices including the laptop.
·I am satisfied that the downloading of the child pornography onto the Kingston USB required human intervention as explained by Mr Kernick as did the downloading of the GuitarPro6 program and that in all likelihood this was done by the accused in an attempt to ensure that that the child pornography files on the USB were overwritten.
·I am satisfied that the accused has personally engaged with the electronic devices in accessing and downloading child pornography and that he did so intentionally. The sheer volume of material that has been accessed and the patterns in relation to the access of previews and subsequent downloads cannot be coincidental.
·I do not consider it a reasonable possibility that malware has been responsible for any of the activities that are evident from an analysis of the accused’s electronic devices.
·I reject as not being reasonably possible the denials by the accused and the possible explanations that he gives for the presence of child pornography or remnants thereof of the electronic devices.
I am satisfied beyond reasonable doubt that the accused has been engaging with the internet and knowingly accessed child pornography the subject of counts 1- 9 and has knowingly possessed child pornography the subject of Count 10.
Verdicts
I find each of the elements of each offence proven beyond reasonable doubt. Verdict: guilty all counts on the Information.
15
1