My name is Fred Cohen, and I am writing this report in regards to the case of Defendant-Name vs. State-Name. By way of a brief background, I have some substantial experience in various facets of information protection, including but not limited to substantial background in doing forensic analysis of computer systems and media. This experience includes many years of research, development, and education in this area. Some examples include:
- I developed a digital forensic analysis tool called "ForensiX" which is used by many Federal, State, and Local government agencies.
- I developed and currently teach accredited graduate courses in digital forensics whose students have included senior investigators from many federal investigative agencies including but not limited to the FBI, Naval Criminal Investigative Service, and the Royal Canadian Mounted Police. I have also taught these courses at SEARCH and the Federal Law Enforcement Training Center. I am also certified to teach digital forensics and network investigation courses to law enforcement under the California POST program.
- I run a research group at Sandia National Laboratories which has developed a set of forensic analysis tools designed to make the task of digital forensic analysis more efficient, more easily tracked, more reliable, and more accurate.
- I have done consulting on digital forensic cases for many corporations, for several government agencies, and have provided advice and assistance to many digital forensic investigators on many cases.
- I have been invited as a keynote speaker at many international, national, regional, and local conferences on aspects of digital forensics, and have testified before Congress on issues related to digital and network forensics.
A more complete resume is available, however, I would like to add one item that I consider to be of import. I rarely work for defendants in such cases. This is a quote from the part of my web site that deals with forensic analysis services:
Standard Warning: From time to time, counsel in cases have tried to engage us to support a position that was untenable. Our policy is a simple one. We will take any case so long as we are allowed to seek the truth and present our results in a truthful, fair, complete, and honest manner. If you are looking for an advocate for a position, look elsewhere.
In this case, the prosecution claims that Mr. Defendant-Name knowingly possessed and accessed specific contraband data. This data was found by the prosecution's expert after more than 100 hours of forensic search which included detailed examination of data on two hard disks, scores of CD-ROMs and hundreds of floppy disks. Out of the almost 100 million pages of information contained in this media, the only evidence found by the prosecution is a portion of a file in the form of residual data that had, at some prior time, been part of a file contained on floppy disk 217 out of 243 floppy disks (as numbered sequentially by the prosecution's expert).
The prosecution's expert witness holds two beliefs that the prosecution asserts as fact; (1) that the defendant knew of the presence of this residual data and used technical skills and knowledge to conceal that residual data from others while accessing it selectively when desired; and (2) that the defendant attempted to delete the residual data a long time before the forensic analysis was done but failed to do this job completely enough to eliminate the evidence found by the prosecution's expert.
The question posed to me in regard to this matter is whether these assertions made by the prosecution are supported by the evidence.
It is not possible that the defendant both (1) knew that the data was present and used it and (2) did not know the data was present and had believed that it was deleted at some earlier time.
| Either | The defendant knew the data was there. |
| Or | The defendant did not know the data was there. |
These two incompatible possibilities can be addressed separately but they cannot both be true. The prosecution has not apparently chosen one of these two possibilities to put forth as their interpretation, but rather has chosen both. I will attempt to address each in turn.
Possibility 1 - The defendant did not know that the data was present.
There is the obvious problem that possession would seem to imply knowledge of the presence of the data. If the defendant did not know that the data was present, how could this be called possession? The prosecution attempts to circumvent this problem by asserting that the defendant knew of the presence of the data at an earlier time, attempted to erase it, partially succeeded, and partially failed. The question that remains is whether there is evidence to support this contention.
Without additional evidence, there is no way to tell, and indeed the prosecution provides no evidence to support their contention that the defendant erased data from disks other than the opinion of their forensic examiner. This opinion asserts, essentially, (a) that the defendant's 'hard' disk appeared to have no residual data and therefore that it was cleaned intentionally, and (b) that the defendant was sufficiently expert to have erased the data from all of the other floppy disks but not sufficiently expert to have gotten the part found by the examiner on the one floppy disk containing the identified residual data. It is noteworthy that the prosecution is both asserting that the defendant was highly skilled and conscientious at removing residual data and that the defendant failed to do so.
The prosecution's position leaves two obvious questions:
Question 1: Is there any trace evidence to support or refute the contention that the defendant knew of the presence of contraband material on disk 217?
Answer:
In the case of computer systems, there is a great deal of 'trace' evidence associated with a wide range of activities. For this reason, it is highly likely that if the data was placed there by the defendant there would be additional evidence of how and when it got there or, if it was erased by the defendant, how and when it was erased. The prosecution has presented no such evidence, however, I have found some evidence that may help to clarify some part of the sequence of events that took place.
The prosecution asserts that the defendant's computer was somehow lacking in this residual information, but I found substantial amounts of it in the normal files on the computer. There is, for example, a substantial collection of residual data from access to web sites, including web cache files, logs of web accesses, and logs from other software associated with web access on the defendant's 'hard' disks. Similarly, there are log files associated with various software packages that would be used to view and extract data from files, transfer data to and from the defendant's system, and a wide array of other similar residual data. All of these sorts of residual data were present on the defendant's system.
Despite this substantial body of trace evidence associated with the defendant's computer and network use, none of this evidence that I examined supports either access to the deleted and partially overwritten contraband content found on floppy disk 217 or access to other similar content or Internet sites that contain that sort of content from anywhere else on the Internet.
The prosecution more specifically contends that the 'slack' space and 'deleted file' space of the disks was lacking the normal level of residual data that would be present in a computer system, however, the prosecution failed to identify the fact that the system was apparently last powered off during a 'disk defragmentation' operation.
In many Windows-based disk operating systems, including the one operated by Mr. Defendant-Name, disk usage is allocated and reallocated over time in such a manner that files often become 'fragmented'. This means that, rather than files being stored in a contiguous sequence of 'clusters' on the disk, files end up stored in fragments - clusters that are strewn throughout the disk. This typically slows performance, so programs are provided as part of the Windows operating environment to 'defragment' disks. This is a common operation that is, in some cases, fully automated, and in other cases suggested to the user by the Windows operating system or other add-on products.
The defendant's system was in the process of defragmenting a disk. Because the defragmentation process involves moving clusters of data around the disk so as to create contiguous areas on other parts of the disk, it is normal for this disk to appear to lack residual data of the sort sought by the prosecution's expert. The default Windows defragmentation program overwrites almost all areas of the disk and manipulates all file areas of the disk in its normal process to assure that parts of the disk that are unreliable are identified and taken out of service. The other residual data that you would expect to be present in this situation, as described above, was indeed present. I have not established the specifics of the program being used to defragment the disk, however, most of those programs do additional disk testing and residual data overwrite operations in their normal course of operation.
It should be specifically noted that many computer users of differing levels of sophistication regularly clean and defragment the contents of their disks. So many, in fact, that it is a standard feature of the Windows operating system, and there are scores of commercial products that have been in widespread use for many years to perform variations on this theme. I personally do so as part of my periodic process for updating my computers and have advised others to do so when computer performance degrades with use. It is also advised by Microsoft 'to make files open more quickly' and to 'speed up access to your hard disk'. Other vendors also advocate its use. The default installation of at least one version of Windows 98 also automatically schedules defragmentation of the hard disk. I did not determine whether Mr. Defendant-Name's installation has this set as its default.
This defragmentation operation can in no way be associated with criminal behavior nor is it in any way indicative of any sort of intent to cover anything up. It is generally thought of as a prudent practice for computer users who want to retain high performance.
Question 2: Did the defendant create or place the data on disk 217, or intend it to be there?
Answer:
It is very common for disks to contain residual data from previous use. For example, I have purchased 'new' floppy disks and, in one case, found a disk containing data from a contract that was then being negotiated. As recently as this spring, I worked on a consulting basis for a company that, in the process of a major sale of computer inventory, 'cleaned' its computer disks by removing only the first sector of each disk. This left the entire data contents of the disks unaltered. One recently published national news article describes how enormous amounts of such residual data is commonly found on used computer disks. There can be no doubt that such data is commonplace and it is highly likely that residual data exists on floppy disks in the possession of most owners of computers. If you had a few hundred floppy disks, you would almost certainly have residual data on many of them, as did Mr. Defendant-Name.
Having established that residual data is common, the natural question is whether such data would be expected on the particular disks in question. In the case of disks 216 and 217, the residual data suggests that the following sequence of events occurred:
According to the prosecution, the markings on these two disks indicate that they were originally used for software distribution by an online service provider. After that, some other uses may have been made, however, their histories certainly diverged slightly for a time:
- Disk 216 was used by at least one party who wrote some set of graphical image files on that disk on Jan 15, 1998. On or about March 25, 1998 these were deleted and their contents overwritten by other graphical image files. Most of this overwriting was done between 11PM and 2AM.
- Disk 217 was used by at least one party for writing some content over the entire usable area of the disk, not following the normal format of these disks. It appears that this was done by a commonly used software component of Microsoft's NetMeeting package. This package was found on the defendant's computer system, but there was no specific indication found of its use impacting this floppy disk.
- After this, disk 217 was overwritten with some set of graphical image files on Dec 18, 1997. These files had similar names and sizes to those on disk 216, suggesting that they may have been written by the same individual and process. On the evening of Jan 23, 1998 a file transfer program, most likely 'ws_ftp', was used to send one file from disk 217 to another computer.
Both disks were then overwritten with one large file on or about April 5, 1998. In the case of disk 216, this was done between 6:51 and 6:52 PM, while for disk 217, it was done at 7:14 PM. When disk 216 was overwritten, the file was named KRE3240.tmp, and it covered the entire disk. For disk 217, however, the file name was KREE0F0.tmp, and it only over-wrote 560640 bytes of the disk. Neither disk was apparently accessed or used after this time. This overwriting process appears to have been done by the 'Kremlin Wipe' program which is part of the "Kremlin" security suite, a copy of which was loaded on Mr. Defendant-Name's system. This program produces the observed effect in 'Thorough' wipe mode when the number of wiping operations is a multiple of 3 plus 1 (i.e., 1, 4, 7, 10, etc.) and it performs this operation only on files on the floppy disk which are deleted. Regions of the disk that are still parts of files are not destroyed as are regions that are erroneously associated with files due to system errors.
In order to make certain of this sequence, I created a series of floppy disks with different content and demonstrated similar outcomes. It seems clear that this sequence of events or a very similar sequence took place.
After this operation, all data appeared to be gone from these two disks, but some residual data remained on disk 217 which would not be observed either from Windows or from other common access methods. This data appears to have been the result of errors in the floppy disk directory structure. The result was that portions of files that had been deleted were left incompletely erased on the floppy disk.
This pattern of overwriting and of filenames would tend to indicate that disks 216 and 217 were overwritten by the same process using the same computer program and that this was done in sequence. This would be consistent with normal and prudent business practices and processes for a situation in which large volumes of floppy disks were being recycled for reuse or because a virus had been discovered on them. This is not unusual for large well-run businesses such as the one that Mr. Defendant-Name worked for but would be less usual for an individual or small corporation not familiar with this practice. There has been no evidence presented or found to date of similar patterns either of filenames or of overwritten disk areas on other floppy disks in the possession of Mr. Defendant-Name, and a quick review of a sampling of the remaining floppy disks found in the possession of Mr. Defendant-Name shows no other disks with similar patterns. There were many other disks that were covered with '0' (zero) byte values, but their appearance was not consistent with the use of the Kremlin tool because no residual information remained on these disks.
The extent of overwriting done to disk 217 was indicated clearly by the file size in the directory of disk 217. This result would not be produced by an attempt to write a larger file that was aborted in an unusual manner such as by the premature removal of the disk from the floppy disk drive. Such a removal would produce a directory area indicating a different file length. Therefore, the condition of disk 217 was not likely to have resulted from the removal of the disk from the drive prior to the completion of an attempted data removal.
One additional piece of relevant trace evidence was present in the details of the file transfer log file identified in the residual data of disk 217. This entire file transfer process took less than one minute and involved only a single file. The transfer was apparently made by a program called WS-FTP on Jan 23, 1998. This is a very popular program, it is widely used and versions of it have been available for free for many years. Other residual data from Mr. Defendant-Name's 'hard' disk system indicates that a free sample version of the file transfer program WS-FTP was downloaded and tested by Mr. Defendant-Name on May 23 of 1999, more than a year after this program would have had to have been used to make the transfer indicated on the floppy disk. A WS_FTP.log file was not generated by the normal operation of Windows 98 systems under test conditions. Such a file does appear on many web sites when directories are examined, so it is possible that this was the result of a duplication of a directory from a web site, however, I found no evidence that the system operated by Mr. Defendant-Name had the capability of doing this in such a manner as to produce the contents of disk 217 and if this were generated by a web site duplication it would not likely have taken the amount of time indicated by the file times associated with the file allocation table residual data on floppy 217.
If these dates are correct, it is not possible that Mr. Defendant-Name made the transfer in 1998 using the program he installed in 1999 and the normal Windows file transfer program did not produce those records according to our tests. This would tend to indicate that some other computer was used to make this transfer or that a previous version of WS_FTP was used on Mr. Defendant-Name's system at the earlier date. Since no evidence of such a previous program has yet been found, the indication is that between the time that the original contraband content was placed on disk 217 and the time its content was partially overwritten with Kremlin Wipe, some other computer was used for this transfer. We cannot definitively establish the time at which Mr. Defendant-Name gained control of floppy disk 217, but there is some evidence that it was not in his computer on Jan 23, 1998 when the file transfer was done.
These dates may be subject to error depending on the systems in which they were used, but because most modern computer systems have fairly accurate clocks and many applications depend on those clocks, they are likely to be reasonably accurate. Furthermore, the fact that the '0' values and filenames of the tmp files on these two systems are closely aligned and the dates and times of their overwriting are so close would seem to indicate that these disks had their contents overwritten as part of a sequence of overwriting of files on disks.
All of the file pointers contained at the beginning of disk 217 pointed to areas overwritten with '0' (zero) byte values, the date and time stamps associated with the files in question were from a time before the disks were overwritten, and all of those files were marked as deleted. This would tend to indicate that the deletion of these files failed because there were cross linked directory entries on the floppy disk, an accidental condition that would lead to an outward indication that the disk was thoroughly deleted when in fact residual data remained.
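The check described above (deleted directory entries whose start clusters point at zero-filled areas, while residual data sits elsewhere in unallocated space) can be reproduced on a raw floppy image. The following is an added example, not the examiner's tooling or code from the original report. It assumes the standard 1.44 MB FAT12 layout and contiguous storage of each deleted file, and it runs on a constructed image: the wipe file's name, size and timestamp are borrowed from the report, and everything else in the image is made up.

```python
import struct
from datetime import datetime

# Standard 1.44 MB FAT12 floppy geometry (assumed, not read from the boot sector).
SECTOR, TOTAL_SECTORS = 512, 2880
FAT_START, FAT_SECTORS = 1, 9          # first FAT copy
ROOT_START, ROOT_ENTRIES = 19, 224     # root directory, 32 bytes per entry
DATA_START = 33                        # sector that holds cluster 2
LAST_CLUSTER = TOTAL_SECTORS - DATA_START + 1


def fat_datetime(date, time):
    """Decode packed FAT date/time words; None if the fields are invalid."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None


def fat12_entry(fat, n):
    """Return the 12-bit FAT entry for cluster n (0 means unallocated)."""
    off = n + n // 2
    val = fat[off] | (fat[off + 1] << 8)
    return val >> 4 if n & 1 else val & 0x0FFF


def cluster_bytes(img, n):
    start = (DATA_START + n - 2) * SECTOR
    return img[start:start + SECTOR]


def deleted_entries(img):
    """Yield (name, first_cluster, size, last_write) for deleted root entries."""
    base = ROOT_START * SECTOR
    for i in range(ROOT_ENTRIES):
        e = img[base + 32 * i: base + 32 * (i + 1)]
        if e[0] == 0x00:                    # never-used slot: end of directory
            break
        if e[0] != 0xE5 or e[11] == 0x0F:   # live file or long-name fragment
            continue
        time, date, first, size = struct.unpack_from("<HHHI", e, 22)
        stem = e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        # Deletion replaces the first name byte with 0xE5, shown here as '?'.
        yield "?" + stem + "." + ext, first, size, fat_datetime(date, time)


def analyse(img):
    """Return (report on deleted entries, unallocated clusters holding data)."""
    fat = img[FAT_START * SECTOR:(FAT_START + FAT_SECTORS) * SECTOR]
    report = []
    for name, first, size, written in deleted_entries(img):
        count = -(-size // SECTOR)          # clusters needed, rounded up
        wiped = None                        # None: entry has no usable extent
        if first >= 2 and count and first + count - 1 <= LAST_CLUSTER:
            # Deletion clears the FAT chain, so assume a contiguous extent.
            extent = range(first, first + count)
            wiped = not any(any(cluster_bytes(img, c)) for c in extent)
        report.append({"name": name, "first": first, "clusters": count,
                       "written": written, "wiped": wiped})
    residual = [c for c in range(2, LAST_CLUSTER + 1)
                if fat12_entry(fat, c) == 0 and any(cluster_bytes(img, c))]
    return report, residual


def make_entry(name, ext, first, size, dt):
    """Build a deleted 32-byte directory entry (constructed sample data)."""
    raw = bytearray(32)
    raw[0:11] = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    raw[11] = 0x20                          # archive attribute
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    struct.pack_into("<HHHI", raw, 22, time, date, first, size)
    raw[0] = 0xE5                           # mark as deleted
    return bytes(raw)


def build_sample_image():
    """Constructed image: zero-filled disk, two deleted entries, 4 stray sectors."""
    img = bytearray(TOTAL_SECTORS * SECTOR)
    img[FAT_START * SECTOR:FAT_START * SECTOR + 3] = b"\xF0\xFF\xFF"
    entries = [make_entry("KREE0F0", "TMP", 2, 560640, datetime(1998, 4, 5, 19, 14)),
               make_entry("IMAGE01", "JPG", 40, 20480, datetime(1997, 12, 18, 21, 30))]
    for i, entry in enumerate(entries):
        img[ROOT_START * SECTOR + 32 * i:ROOT_START * SECTOR + 32 * (i + 1)] = entry
    start = (DATA_START + 1200 - 2) * SECTOR   # residual data beyond the wiped area
    img[start:start + 4 * SECTOR] = b"\xAA" * (4 * SECTOR)
    return img


if __name__ == "__main__":
    entries, residual = analyse(build_sample_image())
    for row in entries:
        print(row)
    print("unallocated clusters with data:", residual)
```

On the constructed image both deleted entries resolve to zero-filled extents, yet four unallocated clusters still hold data, which is the outward appearance of a thoroughly wiped disk that the paragraph describes.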
There was no indication that any data was written on either of these disks after April 5, 1998 and no indication of 'read' access to the files on these disks after that date despite the fact that the disks were, according to the prosecution's expert, write enabled when confiscated, the normal operation of the Windows system would have recorded dates of last access, and the defendant's system retained reasonably accurate date information. The time frame in question for the matter at hand is a polygraph examination more than a year later in June of 1999 and possession after that.
I found no evidence linking any of the contraband material written on this floppy disk with the particular computer system owned by the defendant and the prosecution has provided no evidence in support of this contention.
The one other question that remains is whether Mr. Defendant-Name could have reasonably produced these patterns on disk 216 and 217 in any other manner using the tools on his computer system. This appears highly unlikely.
On the defendant's computer system, there were a number of tools that could be used to conceal or destroy content on disks, however, I examined the system logs and the logs associated with these tools and found no evidence that they had been used in this manner. I found that, of these tools, only one could have produced the effects observed and that in order to produce those effects with that tool, it would not have been possible to have done so in such a fashion as was asserted by the prosecution. Specifically, an attempt to wipe out the content of the disk by overwriting the disk content with '0' (zero) byte values using the Norton software found on the system would not have resulted in the overwriting of only select areas of the disk in the manner observed on disk 217 because the tool in question overwrites contiguous areas. It would have been very difficult to intentionally produce the observed effects on disk 217 in a failed attempt to destroy its contents using this tool. In particular, it would have taken at least 20 steps each of which would have been specifically designed to not overwrite large portions of disk 217. Any reasonable attempt to use this tool for this purpose would have clearly indicated that the effort was a failure.
I can only conclude that the tools on the defendant's systems could only have reasonably produced these effects in the manner described above. This would speak against the defendant's having acted as the prosecution asserts.
Possibility 2 - The defendant did know that the data was present in 1999.
While the second possibility asserted by the prosecution is incompatible with the first, the underlying evidence that must be considered in evaluating it is the same. As in the possibilities described above, the available tools would have to have been used as the means to carry out any operations performed by the defendant. The available tools were almost certainly not used or usable for this purpose.
The prosecution asserts that the defendant (a) knew of the presence of the residual data on disk 217, and (b) was able to extract that data at will to view it and did so.
I have decided to describe the process the prosecution asserts must have been used by the defendant to view this residual data on floppy 217. This is similar to the process that the detective did to extract the data in this case and similar to the methods I used to test this process on a test system using a similar disk. I was barred from doing the same tests as the detective did because of the prohibition against copying any of the data from disk 217 as part of my examination.
The prosecution asserts that the Norton tool was used for this purpose and, after a minimum of effort, I have been able to use this tool to extract data from floppy disks. The process involves several steps as follows:
(Step 1) The floppy disk is put in the disk drive and the tool, which is a computer program, is run. Because the tool is not designed to operate under the Windows environment, Windows must normally be shut down in order to use this tool to access this data properly. This takes several minutes and places the computer into a mode in which it is not usable for viewing the data that is produced when the extraction process is completed. For this reason, if the resulting content is to be viewed as anything other than a sequence of byte values (i.e., sequences of '0's and '1's or hexadecimal digits), the resulting data must be stored in usable form on either the computer's 'hard' disk or some other media. Since the computer in question likely has only one floppy disk drive, the data must be stored on the 'hard' disk in a file for use by a file viewer.
(Step 2) The file is extracted into a file on the 'hard' drive of the user's computer. This involves entering at least 2 correct numerical values in the range of 0 through 2880 and selecting a location on the hard disk for storage. It also involves a number of menu selections. If the file is not contiguously stored on the floppy disk (as the file in question was not), several such value pairs must be entered correctly in order to assemble the resulting partial digital image file. Thus the defendant would have to remember a series of something like 16 4-digit numerical values or have them written down for use in doing this extraction. The prosecution provides no evidence of any written records of such values, so we must assume that it is the prosecution's contention that these were memorized by the defendant for this purpose.
(Step 3) After the file is extracted, the program is exited and Windows is restarted. This takes several minutes and is necessary in order to use the graphical interface to view any extracted content. This must be done by running a Windows program designed for viewing this sort of file. Because of restrictions placed by the court on my ability to copy any of the data in question I was not able to test the ability of the programs on the defendant's disk to actually view the partially extracted data file that would result from this process, however, the prosecution has not indicated that they have tried to determine if any of these programs are capable of viewing partial graphical image files such as those that would result from such an extraction or whether those programs were actually used for such a purpose. These programs were used to view other images and retain some residual data about previous viewings in their stored data files and audit trails. I examined these to see if there were any indicators of use for the purpose asserted by the prosecution and found no evidence that would support that any of these programs were used to view files other than those stored in their default locations. I found a considerable number of files that those programs were used to create, and all of those files were either humorous 'cartoon'-like presentations or presentations created for business use at the defendant's place of employment. It also appears that these programs were not used to generate or manipulate the image in question because the file header information associated with this image identifies it as being manufactured by a tool not present in the defendant's system.
(Step 4) After viewing the images, the defendant would then have to exit the viewing program and overwrite the stored file with some other content so as to remove any evidence that would otherwise remain on the 'hard' disk. In order to do this effectively, a special purpose program would be required because Windows does not normally overwrite previous file space in this manner when one file is simply 'copied' over to another file's name. It turns out that the defendant had several programs capable of wiping out the content of such a file on his system, however, the specific programs on the defendant's disk that were designed for this purpose produce specific patterns that can be readily identified in a forensic examination and I found no such patterns on the defendant's hard disks. The only other way to produce the asserted result with the available tools on the defendant's system would have involved using the same tool used in step 1, only in this case, the specific tool was not designed to perform this operation and, since the defendant would not know where on the physical disk the file had been placed, it would require a search of the 'hard' disk using this tool to locate the residual data and alter it.
If practiced regularly and if the storage locations are memorized, steps 1 through 3 take something like 15 minutes to complete, not including any viewing time. Otherwise it takes on the order of an hour to complete because of the difficulty of locating the sectors on the floppy disk. Step 4 is a lot harder and I am not certain it could be done in less than a few hours because of the long time required to search the hard disk in detail for the content that must be overwritten. If an overwriting program were used, this would be far faster, but I looked for evidence of the patterns produced by the overwriting programs on the defendant's system and found no evidence on the hard disk that would be compatible with the result of step 4.
I also tested the extraction of a file of similar size from a floppy disk using another tool on Mr. Defendant-Name's system that is capable of reassembling a file from a floppy disk onto a hard disk. In this case the process took about 15 minutes once I found the beginning of the file and involved several thousand mouse clicks. Mistakes in this process, which are easily made, result in an unusable file.
The prosecution also mentioned another possibility, in that they identified a commonly used forensic analysis tool called 'enCase' as a tool that might have been used for this purpose. A copy of enCase was found on the defendant's system, however, I examined this particular copy and found that it is a 'demonstration' copy. In the case of enCase, demonstration copies do not have the full functionality of the product and, in my testing of the actual program on the defendant's system, I was unable to cause it to perform the operations cited by the prosecution, or indeed any useful sequence of operations that would have aided in extracting file content from a floppy disk.
The prosecution's assertion becomes even more questionable when we look at alternatives available to the defendant if his objective were to be able to view the file in question without leaving residual data or hints to a forensic examiner. For example, on the defendant's system there was the 'Kremlin' program described above. If the earlier description of the history of disk 217 and the background of Mr. Defendant-Name are accurate, he would have been very knowledgeable of the use of such programs as Kremlin.
Kremlin is designed to encrypt data content with a strong encryption technology and to do so in a manner that leaves no residual remnants of the original content. If Kremlin were used for the stated purpose, Mr. Defendant-Name could have viewed entire files (not just remnants as is asserted by the prosecution) with a point and click of the mouse and the entry of a pass phrase. It would take very little effort and be very hard to decrypt by a forensic examiner. I tested this particular program to see if residual traces of its use would be identifiable on the system. I found that, while the original data was completely overwritten on the test disk, a pattern was generated by Kremlin to allow it to identify files it encrypts for the purpose of decryption. I then examined the system disks for indicators of Kremlin encrypted files or files of other sorts compatible with this sort of use and found none.
While it would be nearly impossible to prove that the defendant never did any of the steps identified above, the prosecution has not produced any evidence that any of these things were done. Furthermore, the substantial amount of residual data found on the defendant's computer system refutes any contention that such operations were done.
While it is possible that the defendant did all of the things identified by the prosecution in this case, all of the evidence that I have found speaks against it, and the prosecution has produced no credible evidence to support their contention of knowing possession or use.
I have tried to produce the evidence that the prosecution has failed to produce, but despite my efforts, I have found only exculpatory evidence and nothing that would tend to indicate guilt. While the ideas of what might have happened as set forth by the prosecution seemed on the surface to be possible, when I tried to implement these ideas under the actual conditions of the defendant's computer system, I found that they did not and could not be made to fit the prosecution's case.
Despite the prosecution's claim that the defendant's system is 'super clean' and that therefore the defendant must be guilty, there is, in fact, a great deal of trace evidence in the residual data on the defendant's system and disks, and all of this evidence points to the defendant's innocence.
The prosecution seems to want to have it both ways. The defendant is clever enough to conceal everything he does perfectly, but he also fails to do the most rudimentary task of overwriting a file properly. While criminals have a long track record of being caught because they make mistakes, it stretches credibility to believe what the prosecution is claiming in this regard in this case.
It is my opinion, based on the available evidence as analyzed to this point, that the defendant did not act in the manner described by the prosecution.
Furthermore, I believe that under such a detailed examination, there is a substantial probability that any normal computer user's CD-ROMs, hard disks, and floppy disks might be found to contain this quantity of residual contraband content.
Q: Is it credible that the defendant knew the residual data was present and that he used technical techniques described by the prosecution to access and view it?
A: I do not believe that the prosecution has made a credible case for this and the evidence available speaks strongly against this.
Q: Is the system unusually 'clean'?
A: No. It is neither unusually clean nor is it unusual to perform the manufacturer's recommended maintenance operations performed by the defendant. These are operations recommended by the manufacturer, used by millions of customers, and necessary for maintaining the system at good performance levels. They are almost certainly the operations that produced the effects observed by the prosecution's expert.
Q: Do floppy disks often have residual data?
A: Yes. They sometimes have residual data when delivered as new from manufacturers, they commonly have residual data when disks are reused, as was clearly the case here, and normal Windows format operations do not remove this residual data. If this data were present on floppy disks in your possession, you would probably not be aware of it.
Q: Is there any evidence that the defendant accessed the contraband contents of floppy disk 217 at any time?
A: No. None of the evidence identified by the prosecution or found in my search tied the defendant to the contraband content on disk 217.
Q: Could the patterns on disk 217 have been created by a Windows format operation or by Norton Utilities?
A: No. These tools produce patterns on the disk that are substantially different from the patterns found on disk 217.
Q: Is there any evidence presented that would indicate that the defendant knew of or used the residual content on Floppy 217?
A: No. The prosecution has provided none and I have found none despite having looked for it.
Q: Is there any evidence presented that would indicate that the defendant did NOT know of or use the residual content on Floppy 217?
A: Yes. It is quite difficult and inconvenient to detect, extract, and use this content, and such operations would normally leave residual data both on the system's 'hard' disks and in the log files of other programs. None of these locations had any such evidence and all had normal evidence of other normal activities.
Q: Is there any evidence that the patterns found on disk 217 could have resulted from an aborted attempt to destroy the evidence in question?
A: No. No such evidence was presented by the prosecution and this is not consistent with the evidence presented here.