
Reliability of Limewire as a forensic software

16 Posts
8 Users
0 Reactions
2,021 Views
(@rche001)
Active Member
Joined: 14 years ago
Posts: 7
Topic starter  

Hi guys.

I was wondering if someone expert in this field would be able to answer two questions regarding Limewire data acquisition.

There is a suspicion that someone might have downloaded illicit videos or images through Limewire. Unfortunately none of this material was found when the computer was seized. Apparently the material was stored on an external drive but it was never found.

So my questions are

a) Is Limewire a valid forensic tool to determine that the user actually downloaded and viewed the illicit material (based on the sha1 values left by Limewire traces)?

b) Are the sha1 values created by limewire regarded as solid evidence, or can these values be modified or created without actually downloading any files?

Waiting for your reply…


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

a) Is Limewire a valid forensic tool to determine that the user actually downloaded and viewed the illicit material (based on the sha1 values left by Limewire traces)?

If you're interested in whether the user viewed the material, why not check things like viewer MRU lists, RecentDocs key entries, etc? If the user double-clicked the file to view it, you can expect to find a shortcut/.lnk file. If the OS you're examining is Windows 7, you may even find a Jump List entry.

b) Are the sha1 values created by limewire regarded as solid evidence, or can these values be modified or created without actually downloading any files?

Any "evidence" in isolation is suspect, in part because it's without any context. Always look for supporting, corroborating data.


   
(@atheriot)
Active Member
Joined: 15 years ago
Posts: 6
 

In addition to what keydet89 said, according to the paper listed below, the presence of a file in the "Incomplete" folder with a prefix of "Preview-T-" is an indicator that the user previewed the file.

See http://www.dfrws.org/2008/proceedings/p96-lewthwaite.pdf


   
(@rche001)
Active Member
Joined: 14 years ago
Posts: 7
Topic starter  

Unfortunately, even the Incomplete folder was not found. It must be on the external drive. But atheriot, your point is very noteworthy.

In addition to what keydet89 said, according to the paper listed below, the presence of a file in the "Incomplete" folder with a prefix of "Preview-T-" is an indicator that the user previewed the file.

See http://www.dfrws.org/2008/proceedings/p96-lewthwaite.pdf


   
(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
 

I'd be really careful saying that preview-t is an indicator that the user previewed the file. I would reword that saying it's a possible indicator.

In addition to what keydet89 said, according to the paper listed below, the presence of a file in the "Incomplete" folder with a prefix of "Preview-T-" is an indicator that the user previewed the file.

See http://www.dfrws.org/2008/proceedings/p96-lewthwaite.pdf


   
(@atheriot)
Active Member
Joined: 15 years ago
Posts: 6
 

I'd be really careful saying that preview-t is an indicator that the user previewed the file. I would reword that saying it's a possible indicator.

In addition to what keydet89 said, according to the paper listed below, the presence of a file in the "Incomplete" folder with a prefix of "Preview-T-" is an indicator that the user previewed the file.

See http://www.dfrws.org/2008/proceedings/p96-lewthwaite.pdf

I was quoting the paper referenced. If I reword it, I would not be quoting the paper correctly. See paragraph 2.2 in the paper referenced.


   
(@rche001)
Active Member
Joined: 14 years ago
Posts: 7
Topic starter  

Thanks guys for your interest.

To summarize, there are a number of shortcuts (.lnk)

and

sha1 values, locations, dates and keywords used from the examination of the Limewire application files.

Doubt we can proceed with possession of illicit material since the Incomplete and Saved folders were not found.

Maybe we can try to prove that the user accessed the illicit material using the sha1 values found (but I cannot verify if these are real sha1 or not).

comments welcome…


   
(@dan0841)
Trusted Member
Joined: 17 years ago
Posts: 91
 

Thanks guys for your interest.

To summarize, we have a number of shortcuts (.lnk)

and

sha1 values, locations, dates and keywords used from the examination of the Limewire application files.

Doubt we can proceed with possession of illicit material since the Incomplete and Saved folders were not found.

Maybe we can try to prove that the user accessed the illicit material using the sha1 values found (but I cannot verify if these are real sha1 or not).

comments welcome…

What sort of "illicit material" are we talking about? Sus Indecent Images? Sus Extreme Pornography? Or is it other material? What offences are you looking at?

If it is the IIOC then you cannot charge for 'possession' under UK legislation if you have not found images in an 'accessible' location.


   
(@rche001)
Active Member
Joined: 14 years ago
Posts: 7
Topic starter  

Thanks guys for your interest.

To summarize, we have a number of shortcuts (.lnk)

and

sha1 values, locations, dates and keywords used from the examination of the Limewire application files.

Doubt we can proceed with possession of illicit material since the Incomplete and Saved folders were not found.

Maybe we can try to prove that the user accessed the illicit material using the sha1 values found (but I cannot verify if these are real sha1 or not).

comments welcome…

What sort of "illicit material" are we talking about? Sus Indecent Images? Sus Extreme Pornography? Or is it other material? What offences are you looking at?

If it is the IIOC then you cannot charge for 'possession' under UK legislation if you have not found images in an 'accessible' location.

Filenames suggest illegal pornography of persons under the age of 18.


   
(@dan0841)
Trusted Member
Joined: 17 years ago
Posts: 91
 

OK. You're prob aware of most of this but here goes…

1) The filenames in Limewire are usually very misleading and can't be relied upon at all to reflect the content. Many of the filenames will suggest IIOC (Indecent Images of Children), pornography etc, but the file's content will be very different (Many are malware).

In relation to some of your original questions….

"Doubt we can proceed with possession of illicit material since the incomplete and saved folders were not found. "

2) If there are no images, there can be no possession.

“a) Is Limewire a valid forensic tool to determine that the user actually downloaded and viewed the illicit material (based on the sha1 values left by Limewire traces)?”

3) Limewire evidence could support a ‘Possession’ charge IF you had found images in an area accessible to a user. Even if the IIOC were in unallocated or thumbcache they would not be suitable for a ‘Possession’ charge. For example, a Limewire user could have done a mass download of files whilst looking for legal adult pornography. The user could have then viewed the material and deleted all of the images after being horrified. From an evidential point of view – There may be LNK files, Limewire evidence and IIOC in unallocated. However, the user was not in ‘Possession’ of the images because they had deleted them immediately.

Additionally a ‘Making’ charge would not be likely unless you have found specific evidence that IIOC had been searched for, requested etc.
See this guidance for law / case law relating to IIOC in the UK.
http://www.cps.gov.uk/legal/h_to_k/indecent_photographs_of_children/

“Maybe we can try to prove that the user accessed the illicit material using the sha1 values found (but I cannot verify if these are real sha1 or not).”

To do this you would need to match the SHA1 to a known IIOC. Again – the user may have accessed an image and the poor user may have been distraught after seeing shocking child abuse for the first time. I.e. this evidence by itself is NOT proof of an offence.

Hope this helps a little.


   
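Two points raised in this thread lend themselves to a small worked check: atheriot's "Preview-T-" prefix in the Incomplete folder (which forensicakb rightly calls only a possible indicator) and rche001's question of whether the recorded sha1 values can be verified and matched against anything. The Python below is an added example written for this page, not code from the thread, from the Lewthwaite paper or from LimeWire itself. It assumes the Gnutella convention that LimeWire-era clients record a file hash as a urn:sha1: URN with the 20-byte digest base32-encoded (32 characters); every file name, file content and "known hash" in it is constructed for the demo, and the known-hash set stands in for a list that an investigating authority would supply. A hash match shows only that a recorded hash equals a catalogued file's hash; as dan0841 says, it is not by itself proof of an offence, and the preview-prefix hit still needs the MRU, RecentDocs, LNK and Jump List corroboration keydet89 describes.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Gnutella/LimeWire-style SHA1 URN (an assumption of this example): the 20-byte
# digest is base32-encoded (RFC 4648 alphabet A-Z, 2-7) without padding, so the
# encoded part is exactly 32 characters long.
URN_RE = re.compile(r"^urn:sha1:([A-Z2-7]{32})$", re.IGNORECASE)


def urn_to_hex(urn):
    """Return the 40-char lowercase hex digest for a well-formed urn:sha1 value, else None.

    A value that does not fit the URN shape is reported as malformed rather than
    guessed at; the caller must not treat such a string as a hash."""
    m = URN_RE.match(urn.strip())
    if m is None:
        return None
    return base64.b32decode(m.group(1).upper()).hex()


def hex_to_urn(hexdigest):
    """Encode a 40-char hex SHA1 digest as a urn:sha1 URN (inverse of urn_to_hex)."""
    raw = bytes.fromhex(hexdigest)
    if len(raw) != 20:
        raise ValueError("SHA1 digest must be 20 bytes")
    return "urn:sha1:" + base64.b32encode(raw).decode("ascii")


def sha1_urn_of_file(path):
    """Hash a file on disk the way a URN would record it, streaming to bound memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return hex_to_urn(h.hexdigest())


def match_known(urns, known_hex):
    """Sort recorded URN strings into malformed / matched / unmatched against a known-hash set.

    A match only says the recorded hash equals a catalogued file's hash; it says
    nothing by itself about whether the file was completed, opened or viewed."""
    result = {"malformed": [], "matched": [], "unmatched": []}
    for u in urns:
        hx = urn_to_hex(u)
        if hx is None:
            result["malformed"].append(u)
        elif hx in known_hex:
            result["matched"].append((u, hx))
        else:
            result["unmatched"].append((u, hx))
    return result


def preview_candidates(names):
    """Names in an Incomplete folder carrying the 'Preview-T-' prefix: a possible
    preview indicator that still needs corroboration (MRU, RecentDocs, LNK, Jump Lists)."""
    return sorted(n for n in names if n.startswith("Preview-T-"))


def demo():
    """Run the checks on a constructed folder layout; returns (previews, hash report)."""
    with tempfile.TemporaryDirectory() as d:
        incomplete = Path(d) / "Incomplete"
        incomplete.mkdir()
        # Constructed file names and contents; nothing here is real evidence.
        (incomplete / "Preview-T-1234-sample.avi").write_bytes(b"constructed preview data")
        (incomplete / "T-5678-other.avi").write_bytes(b"constructed partial data")
        saved = Path(d) / "sample.avi"
        saved.write_bytes(b"constructed sample content")

        # Constructed "known" set standing in for a hash list supplied by the
        # investigating authority, never hashes invented by the examiner.
        known = {hashlib.sha1(b"constructed sample content").hexdigest()}

        recorded = [
            sha1_urn_of_file(saved),                       # well-formed, matches the known set
            "urn:sha1:" + "A" * 32,                        # well-formed, all-zero digest, no match
            "urn:sha1:notahash",                           # malformed: not a base32 digest
            "a9993e364706816aba3e25717850c26c9cd0d89d",    # bare hex, not in URN form
        ]
        previews = preview_candidates(p.name for p in incomplete.iterdir())
        return previews, match_known(recorded, known)


if __name__ == "__main__":
    previews, report = demo()
    print("possible preview files:", previews)
    for bucket, items in report.items():
        print(bucket, items)
```

The point of the malformed bucket is the verification rche001 asked about: a string that does not decode as a 20-byte base32 digest cannot have been produced by hashing a file, whatever the application's logs call it, while a string that does decode tells you only that it has the right shape until it is compared against an authoritative list.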
Page 1 / 2