I'm fascinated as to the timeline of events here. You say the computer was wiped some time well before you interviewed the suspect. Was there some notification to him prior to this point that might cause the deletion as a method of spoliation? Because if not, I'm wondering how this is not analogous to receiving drugs in the mail, discovering they are drugs, and flushing them down the toilet.
I'm not opining as to the guilt/innocence of the suspect, but I do think if the timeline is as described, and he has no prior notice, that there's a reasonable doubt that you could drive a truck through.
Unless of course your carving of unallocated space shows a history of intentionally seeking out contraband or recovered MRU / link file analysis shows a history of viewing this type of material. A standard install of Windows should leave a huge amount of unallocated with potential evidence.
The other thing is, has anyone ever made such a virus. While it is technically possible, it is only within the last year that I've heard of any malware actually downloading contraband. As such, you could research those malicious programs (I've only heard of one, so I can't imagine there would be too many even now), and use that as a checklist of artifacts to look. Of course, your job will be quite a bit harder if the virus would be in unallocated space.
Terry,
I worked on this case a few years back
http//
It was the first and only malicious program (technical a trojan, not a virus) I've been aware of that placed CP on a user's machine.
I'd be interested in more details of the program you refer to (if you're able to share).
Richard
That sounds like the malware that I heard of. I don't recall the name any longer.
Care to share your experience? Did the malware downloading and displaying images populate internet history or cache? Did it create any other artifacts (searches, link files, etc) that might lead one to think that the user, rather than malware, viewed the contraband?
Terry