Minister promises that Part III is coming

Ian Brown ukcrypto at chiark.greenend.org.uk
Sat, 13 May 2006 09:52:23 +0100


Caspar Bowden wrote:
>> admin@chiark.greenend.org.uk] On Behalf Of Richard Clayton
>> ... but you were envisaging that illegal images would be left on the
>> disk (for the police to find them). So you need to write that material
>> in a way that is consistent with other metadata on the system.
> 
> Why? I don't think the police are going to let someone off just because
> there's no metadata.

But it makes a defence case of "it wos the malware wot dun it" more
plausible to the jury.

>> If the illusion you are generating is use of a browser to download the
>> files, then it would be wise to ensure that caches and logs are
>> consistent with that...  the flip side to using that metadata to
>> demonstrate wickedness.
> 
> More simply, the author of the malware could just release a
> pornography-viewer application which read data bizarrely stegoed into
> the interstices of your hard drive, by a worm which never itself touches
> the disk. Neither the worm nor the viewer leave any metadata, by design.

Which application would the prosecution therefore allege had been used
by the suspect to view the KP?

Could you be sure your worm would at no point be swapped to disk by the
OS, leaving evidence in the swapfile?