Criminal Defense
Since 1993
Since 1993
Carved Images
When you delete something off your computer, it’s not really gone. It’s still there. The best analogy is to view your hard drive like a filing cabinet. The filing cabinet has a bunch of papers in it, and there’s a tag on the front of the door describing what’s inside. When you delete a file from a Windows computer, all you’re really doing is tearing the tag off the front of the filing cabinet. All of the papers are still there.
When you delete a file, Windows removes the label from the front of the filing cabinet and makes that hard drive space available for other data, but the raw data of the image is still on the hard drive until it’s written over with something else. Often, citizens use programs like Eraser and CC Cleaner to make sure everything is erased that should be erased. This hard drive space is called “unallocated space”–and law enforcement may “carve” out raw image files from this part of the hard drive to retrieve evidence (they did this to Bin Laden’s computers, all sorts of investigations utilize carving techniques). The only way to retrieve carved images is to use very expensive programs like Forensic Tool Kit (FTK) to scan the raw data in the unallocated space of the hard drive.
There are several problems with any government attempt to prosecute a Possession of Child Pornography case based upon carved images. First of all, the user cannot view carved images without special software (and, most law enforcement experts conveniently fail to look for such software on the computer, so that they “can’t say” whether or not the defendant was able to view the images).
Second, it is virtually impossible to prove that a computer user has knowledge of a carved file’s existence on the computer (absent a confession, of course!). To make matters worse for the State, carved files typically have no names, and no dates. If that’s not bad enough for the State’s case, there is nothing about a carved file which indicates that it has ever been opened or viewed.
Basically, you can’t tell the name of a carved file, don’t know where it came from, don’t know when it got there, and you don’t know if it was ever opened or viewed. Not much of a case, right? Typically, you won’t see a prosecutor charge a defendant on carved files if they find actual, existing files on a computer.
Images Found in a Thumbnail Database
Thumbnails are tiny pictures that represent an actual picture. I realize that images found in a thumbnail database do not meet the definition of a “carved” image, but the topic sort of fits here because we’re dealing with images that can only be viewed forensically, in other words, images that the computer user cannot access without special software.
Here’s how thumbnails work. When looking at files on your computer, Windows automatically creates a small picture (thumbnail) of any images found on your computer (a jpeg, typically). These thumbnail images are then saved to a database.
The problem is, even if you’ve deleted the actual file, the thumbnail may still be retrieved from this database. Thumbnail images are computer generated, not user generated, so most users don’t even realize these images are on their computer. There are at least two thumbnail databases on a Windows system, the main thumbnail database, and one buried deep inside the computer in the system volume information folder utilized for Windows restore. The thumbs in the restore file are created when Windows decides to install an update. The system will create a restore point containing lots of data (like the thumb images) for use if the Windows update fails, it can roll back to the point before the update. Again, there’s no way for the average user to access these thumbnail images.
Link Files
Once again, I’m about to talk about something that is not related to carved images, yet these files come up in law enforcement’s forensic reports, so we might as well discuss them. Link (.lnk) files are not images, but they give law enforcement a tiny indication that certain files may have been present on the computer. Here’s how it works: if you have an image on your computer and then you move it to a thumb drive, the operating system would record a link file indicating that, “naked girls in bathtub” was moved from C:/ drive to F:/ drive–that’s all the link file shows. A link file doesn’t contain an image, and no one can be arrested for having link files on their computer that make reference to child pornographic materials.
However, because the file names of child pornographic images are known to law enforcement, their forensic expert will be able to say that a particular image was first on the computer, and then moved to external storage. Link files typically do not have dates, but they often contain the date of the original linked file. In the scheme of things, having a file name that is of known child pornographic nature doesn’t really prove anything–it is only the HASH value of a file that can most accurately label a particular file as being child pornography (HASH values are a topic for another day). Another problem with link files is that it doesn’t tell you if the image/video file was opened, or for how long it was opened, nor can it tell you if the image was even viewed. Furthermore, a link file cannot say whether or not the file it is referencing actually worked, as it may have been corrupted or partial.