VSJ – October 2002 – Work in Progress

Several police investigations involving paedophiliac Internet pornography have been reported lately. By and large, they have not held general lessons for the IT community as a whole. However, a case in which Jim Bates, the IAP President, acted as an expert witness should inform our collective thinking. Here, he sets the scene. Next month, he’ll draw the morals.

The Roper case involved large numbers of pornographic images held on a network at the Defence Research Evaluation Agency in Malvern. It was the largest – in terms of quantity – that I have been involved in and, at the time, probably the largest in the U.K.

The facts were not in dispute. The computer used by Paul Roper at work did contain pornographic image files. Some involved children and some had been deleted. However, these facts had to be interpreted within the context of the machine’s use. The story that emerged from the witness statements made this clear.

Early one Monday morning, a security guard was patrolling the buildings at the Malvern site. As he crossed the computer room, he noticed, ‘a particularly eye-catching screen saver’ on a monitor. He moved the mouse, clearing the screen saver. Amongst the desktop programs displayed he saw, ‘an unusual icon on the screen, which caught my eye’. He clicked it and saw a picture of ‘2 very young girls in a state of undress lying on a bed’. Clicking other icons revealed images of a similar intimate, even pornographic, nature. He returned the screen to its original state and left the building. He informed his supervisor and was told to report the matter to the security manager when he was next on duty (the following Friday). He did so and was asked to return to duty and report back to the manager at 18:00 hrs that afternoon. The security manager reported the incident to various other managers. At around 18:15 hrs, the group of managers, with the guard, went to the computer room and told the supervisor why they were there. The supervisor asked the staff to finish their work and leave the building. The statements describing what followed varied in detail since no one had thought to make accurate notes.

The managers then asked the guard to show them what he had uncovered the previous Monday. After some searching, he found a few pictures of young girls but none of the child pornography he had seen earlier. Members of the group began examining other computers. Some adult pornographic movie clip files were located on one machine but they were on a network drive whose physical location wasn’t immediately apparent. Eventually, the drive was located in yet another computer. One manager then attempted to copy some files to floppy disk ‘for evidence’ but found that they had ‘disappeared’. It later transpired that at least one of the people cleared from the room had logged on to the network from his home machine and deleted some files from the network drives. Another manager, attempting to view images on a computer, found that files were being deleted as he watched. Some files were eventually copied to floppy disks and then the system was shut down. Roper’s computer and several removable hard disks were taken to the Ministry of Defence Police, who, having examined them, passed them to the MoD Forensic Division. The resulting report correctly concluded that large quantities of pornographic material had been downloaded to the disks from the Internet. Meanwhile, internal inquiries had begun, culminating in the suspensions of Roper, among others.

The case took over a year to come to court, by which time all but two of the suspended personnel had found other jobs (some still at the Malvern site). Charges of possession were proffered against Paul Roper and I was instructed to examine the evidence on behalf of the defence. With some small but interesting differences, what I found agreed broadly with the case as I have stated it. The main difference concerned traces of activity noted on Roper’s machine around when the guard noticed the ‘eye-catching screen saver’. The MoD forensic team had verified the accuracy of the computer clock and file time stamps suggested that someone accessed a game, MechWars, at 03:12 hrs. Around 04:12 hrs a program called SUCKER was run and at 04:18 hrs an attempt (probably abortive) was made to run a movie display program. Various periods of activity throughout the week were noted until the room was cleared on the Friday. On just one drive, a total of 37 files had been altered, created or deleted during this period, totalling about 3 megabytes. Further activity on the following Monday compromised, contaminated or destroyed a further 2 megabytes.

More detailed analysis indicated that quantities of images had been downloaded – specifically at times when Paul Roper had been at different locations. A complicating factor was the network configuration. Virtually any machine on the network had read/write privileges to virtually any network drive. My report noted: –

‘A detailed analysis of the position of the computer on the network is impossible without detailed information on how the server was configured and precisely what access was available between participating workstations. It is possible for example, to connect to the Internet from a networked machine and specify a network drive (rather than a local one) to receive downloaded material. Obviously a networked drive exists on another computer and will thus gain files without any activity on the part of its operator and probably without the operator even being aware of it’.

Also, it was common practice for anyone to use any machine. Roper’s was popular because it was known to contain several games and was close to a terminal connected to a different network. This introduced new levels of complexity in considering the provenance of files. The picture was complicated further when I discovered that most of the images had been downloaded, not from the Internet proper, but from the newsgroup area of an internal server named TROG. This server, maintained and housed at Malvern, mirrored most of the newsgroup services (apparently without filtering) including those specifically concerned with pornography. Thus it was possible for a user on the Malvern network to switch on a machine, be connected to the network without any password requirement and access the newsgroups directly. The Internet Protocol (IP) address normally used in conjunction with a password to control and monitor access to the Internet was available without password control on TROG. So a reasonably experienced user who wished to conceal his machine’s access to TROG could simply ping a known IP address. If the return showed that the number was not in use, he could configure his machine to that number and gain immediate, untraceable access. Within the computer department, IP addresses were issued in quantity to various personnel as part of their function in the installation and maintenance of the network around the country.

Any attempt to trace who had downloaded what to where and when was thus doomed to failure. A user could switch on a machine and connect to the network. He could ping known IP addresses until he found a free one and use it to connect to TROG. Then, he’d use SUCKER to search messages in specified areas of the newsgroups and extract and download, to a previously specified drive/directory, any JPG or GIF images found. The activity log from TROG indicated massive use of this program in wide-ranging areas of pornography both in and out of normal working hours. Verbal reports suggested that a common practice was to start one’s machine in the morning, connect to TROG, launch SUCKER and leave it running in background all day. Unsurprisingly, personnel were regularly running out of disk space! Other papers indicated that at least some of the management had been aware of the problem for a while but had done nothing.

Given all this, it seems obvious that no particular individual could be held responsible for possessing child pornography. Nevertheless, charges were brought and the case went ahead. After a five-day trial at Droitwich Magistrates Court, Paul Roper was acquitted. What would have happened had he been found guilty? Since the images had been downloaded from TROG (located in fact, in the same room as his computer), if he was guilty of possession then surely so was TROG’s owner – Her Majesty’s Ministry of Defence!

[Interesting project or development? Let us know at eo@iap.org.uk!]

Comments are closed.