Computer evidence has proved to be a highly significant source
of evidence in virtually all cases of terrorism, including the 2006
transatlantic aircraft bomb plot cases.
For some years it has been standard practice when raiding a terrorist
suspect's home to seize all computers and storage media. Given the
age of many suspects, that strategy will often reveal large numbers
of PCs and storage media that were once used by parents/siblings
and may have long since been consigned to the cellar or loft.
The disadvantage of this approach has been the difficulty in many
cases of attributing material found on a shared computer/storage
device to use by a specific family member. This "all-in" strategy
has yielded an avalanche of evidence and police computer examiners
have had to adopt appropriate tactics, including the use of automatic,
scripted searches using appropriate search terms.
In R v Donald Stewart Whyte (Woolwich Crown Court, 7 September
2009), the defendant was charged with conspiracy to cause explosions
on aircraft and conspiracy to murder.
Using a scripted search with appropriate search terms, a police
computer examiner identified a fragment of a file in unallocated
space that contained the term "Hydrogen peroxide". When I examined
the contextual evidence around this fragment I found that it had
come from the home page of a US company that described itself as:
FMC Corporation is one of the world's foremost, diversified
chemical companies with leading positions in agricultural, industrial
and consumer markets.
The hidden metadata keywords of the FMC home page listed a number
of chemicals, and they included Hydrogen peroxide. There was no
other hit for the term Hydrogen peroxide on the entire hard disk
Examining the browser history records, I constructed a timeline
and found that the visit to the FMC site was in an online session
largely devoted to searching recruitment agency web sites for positions
in the retail sector.
The defence then argued that my findings were consistent with
the defendant's instructions that at the time of the police raid,
he was unemployed and actively looking for work; he had previously
worked for a major white goods retailer; and that this retail sector
was known by the term "Fast Moving Consumer Goods" or its acronym.
Furthermore, it was argued, it appeared likely that the visit to
the FMC website resulted from a typo of a single letter - FMC instead
of FMCG. If true, that one letter typo may have cost the defendant
a 29 month spell on remand, including 16 months spent in custody.
I was subsequently instructed to locate and date versions of a
leaflet Look at Islam that denounced violence and was alleged
to have been written by the defendant.
The defendant was acquitted following a seven-month trial.