web browsing as forensic evidence in Norwegian murder case
Friday, December 16, 2011 12:23:32 AM
I have no inside information here, I have only paid some attention to media reports because the case is so peculiar. (Personally I don't find the police's scenario very convincing. Who would leave their web surfing, walk back to their garage to commit a messy knife murder of a random person, walk back up again and continue surfing only ten minutes later?) But the latest news from one of Norway's most respected daily newspapers reveals some more details about the computer evidence - and it says that the accused even was an Opera user:
(..) between 16.03.48 and 16.13.11 there was no clear evidence of user activity on the computer (..) - In this interval we do have the timestamps that have been a topic as evidence, Holden [police lawyer] points out.
The court debates whether these so called timestamps are created due to user activity or by the computer's software.
The conclusion from Kripos [special police unit] was that other software than the accused's Opera E-mail client may have created the debated timestamps, but they can not confirm what kind of software may be involved.
Defence lawyer Petter Nordgreen Sterud (..) says five timestamped files and one cookie are from the interval between 16.03 and 16.13, and he believes that no other good explanations than user activity have been put forward.
Of course, a web browser is absolutely not a reliable witness for user activity. Today's all-singing all-dancing websites can reload bits and pieces at any time, thus cause new cached files without anyone being present at the computer. We don't get any information about what type of files one is dealing with - but the specific reference to the mail client is interesting. If the mail client fetched mail (either at an automated interval or because of a manual "check now" action) it may well have created five new files for downloaded E-mail - but in that case, it should be pretty obvious to the Kripos experts what software was responsible.. If it is about mail client files, the defence should ask whether Kripos checked the interval between mail client timestamps against the interval for automated checks. An unexpected timestamp in the sequence would be a strong indication of user activity.
The cookie may not be significant as evidence either, but it certainly could be, depending on its name, what site served it, and its value. I certainly hope Kripos is professional enough to check where the cookie came from and what sort of process would set it (and I hope the defence lawyers are skilled enough to check whether this has been done). If it is typically set in response to user activity, it could give significant weight to the defence's argument that the accused man was in his flat.
For me, the case raises deeper questions too: how do we explain the details of computing to the public and the authorities? Your aunt might have a very fuzzy interpretation of what a "cookie" is, but one day she may be asked to sit on a jury and listen to computer-related evidence.. Sometimes there is no good substitute for computer literacy..