In cases relating to indecent images of children, the prosecution often relies on material drawn from web browser caches. I am frequently asked by Counsel to explain the nature and function of these caches, and this short article is intended to provide a brief introduction to their purpose and function.
It is easy to forget that broadband internet access, with near instant access to online content, is a relatively recent innovation, with the first UK commercial broadband service being instigated in 2000. Earlier, dial-up connections had very limited bandwidth (the volume of data that can be passed in any given period). A domestic broadband connection in 2019 can very comfortably provide data transfer rates well over a thousand times faster than its 1999 dial-up predecessor.
So – what has this to do with the investigation of allegedly unlawful images on a computer? The answer lies in strategies employed in the days of dial-up connections to minimise the amount of data that needed to be transferred, and thus to speed up the response times of web browsers.
Pictures form relatively large chunks of data, and to download those chunks every time a web page is accessed was considered to waste bandwidth. The solution to this problem was to create a locally held “cache” of images, automatically downloaded when a web page is accessed and stored for instant access if that page is accessed again. In the case of Internet Explorer, the cache is within a folder structure named “Temporary Internet Files”. Other browsers use different structures with a similar purpose.
This process remains the default in all modern web browsers, regardless of the speed of the Internet connection. All the images on a page will be downloaded to the cache in the moments following the initial access, regardless of whether they are in a location on the page in which they would be visible to a user without further user action (such as scrolling down the page), or whether the user moves on to a different page right away. It is not uncommon for a web page to contain dozens of individual images, all of which would be automatically downloaded.
Accessible to the user?
The cache and its content are hidden from a user under default conditions and, even if a user were to change the settings to allow the viewing of hidden files, in some common browsers (such as Google Chrome) they would not be recognised by the computer as picture files. Despite this, because some of the cached images are held as individual (though not recognisable) files in the live file system, prosecution reports often describe these images as “accessible to a user”.
Images in the cache have a limited lifespan, being automatically deleted either after a specific time period or when the cache reaches a certain size. When deleted, the area of the disk in which the data of the images is present is marked by the computer as available for re-use (the “unallocated disk area”), but the data will remain until it is overwritten with new data. Forensic software can recover the picture, unless it has been overwritten. When such recovery occurs, the prosecution often simply refers to the recovered pictures as “deleted images”, implying, perhaps unintentionally, that a user would have been aware of the images and have actively caused their removal.
As a deliberately light-hearted analogy, a Newcastle United supporter could access that club’s web page, on which a reference to a match with Sunderland football club was reported, including photos and logos relating to that team. Although the thought of the presence of such images on their device would cause them to recoil in horror, the pictures of Sunderland players would still be present in his/her browser cache and may, following their automated deletion, be found in the unallocated disk area.
Consider, though, the serious implications for a client if the inadvertently accessed material on a purportedly adult site included unlawful images, such as indecent images of children.
Independent analysis and reconstruction
When we analyse a case in which images from the cache are charged, we can often reconstruct a detailed timeline demonstrating user search behaviour, the pages accessed, and navigation between pages. This can be highly beneficial in demonstrating the likelihood of inadvertent access and/or intent (or its absence). It is possible, however, that the result may comprise a clear demonstration of a deliberate course of action, in which case the opportunity to provide the most effective advice to a client is presented and avoids potential “bomb shells” when the prosecution submit full or further technical reports at a late stage in the proceedings.
Having regard to images that have passed to the unallocated disk area, it is often stated by the prosecution that it is not possible to ascertain any provenance as to the origin of those images. This is in many respects a true, though not always complete, assertion, as the file system records that would identify file names, locations, and dates are no longer present. Within our casework, however, we have seen cases in which “thumbnail” images have been recovered from the unallocated disk area and have been identifiable as forming a series of similar images or a group of images each of which bears an identical website “logo”. If such thumbnails are of a limited quantity, it can be possible to identify that these may have been as a result of a single web page access. In the absence of any evidence as to the identity of the web page, or the manner in which the page was accessed, this may introduce a significant element of doubt as to whether the material had been intentionally accessed by a user.
If you have a case involving unlawful images, please contact the team at Keith Borer Consultants on 0191 332 4999.
Steve Guest, Computer Forensics Specialist.