The disturbing case of Weiwu Zhao

Weiwu Zhao in 2017

Note: In this blog post, I refer to public court transcripts related to a child pornography case, which include witness testimony as to content and hence, I have decided not to link to them. If you wish to review the transcripts or get further information on the case, please contact me directly.

In late 2017, an elderly Chinese man, Weiwu Zhao, after a brief and bizarre trial, was convicted of several charges related to child pornography and is currently serving time in prison.

Except that he might very well be innocent.

I got involved in this case because I once helped a schoolteacher, Julie Amero, get out of prison, and ever since then, I get various requests for help and generally turn them down. However, this case of Mr. Zhao is one that I can’t seem to let go. It makes no sense, and many others agree with me (even the NAACP tried to help). Offered a deal to get probation, he refused, as he continues to protest his innocence. His family continues to desperately fight to clear his name, and he’s facing extradition to China, where life for someone convicted of child pornography will be hell.

Reviewing the case, there are significant issues: a) disastrous legal representation (of which, in my opinion, much of the fault lies with the Zhao family), and b) many evidentiary discrepancies that cast significant doubt on his guilt.

The Chinese community coming out of support of Zhao

A Great Leap Forward

The saga started in March of 2014. Mr. Zhao had come from China to visit with his daughter, Qing, who was married (later divorced) to a local man, Jason Nicholas Veres, and chose to stay.

Of note is that Mr. Zhao is an elderly ethnic Chinese man, who has spent most of his life in the PRC, and survived the Great Chinese Famine, the Great Leap Forward and the Cultural Revolution (and even has a recent Certification from his local government that he’s a Good Comrade).

This context is important: his viewpoint (and the viewpoint of the many other ethnic Chinese in this story) is that governments are corrupt, the courts are corrupt, the police are corrupt — and let’s face it, from where they’re from, it’s true. However, this very attitude had significant impacts on how the case moved through the court system, how the defense was managed, and Zhao’s ultimate penalty. To Americans used to living a free society, some of the allegations made by Zhao (“the police planted the evidence”, etc.) are silly; to the family, they’re completely logical.

Whatever the reason, from an evidence standpoint, there’s a mountain of reasonable doubt.

A PC discovered in a pile of trash

According to Mr. Zhao’s daughter, Qing, it all started around the end of 2014, the family was taking a walk in the neighborhood and noticed a computer sitting on a pile of trash. They took it home, cleaned it up, turned it on and started using it.

And that’s when things started to go very wrong, because the computer was – at some point in time – running eMule1, a peer-to-peer file sharing program. And if we believe Qing’s date, the several of the files in question were downloaded at least a week earlier.

About a week later, Qing installed a copy of Windows XP onto the PC. She set no passwords or any other protections on an operating system which is notoriously insecure.

(According to Qing, Mr. Zhao has a basic knowledge of computers – browsing the news and writing emails. She is more knowledgeable and was helping him.)

On January 5th, using a specially modified version of eMule, Pennsylvania State Police Corporal Jim Goodyear was doing a search for child pornography, using a hash value (a unique signature for a file). Bizarrely, he found the file on an IP address associated with the Zhao residence (eMule searches for files all of the world, so it’s more than a bit odd that Goodyear “happened” on a computer located in Pennsylvania). A few days later, a court order was served on the ISP (RCN Telecom) for subscriber information on the IP address. By the end of March, RCN provided the address and a few weeks later, Trooper James Ford was assigned the case, gets a search warrant and in late April, seized a Dell Inspiron computer from the Zhao residence.

Finally, in October 2017, the case went to trial and after a relatively brief jury deliberation, Mr. Zhao was found guilty of multiple charges related to child pornography.

He’s been fighting the verdict ever since.

So what’s wrong?

This case is riddled with problems, and I’ll go through some of them.

No defense forensic analysis was ever done. There was never any defense forensic analysis of the actual hard drive.2 Why? Mr. Zhao, acting as his own attorney, apparently never requested that it be done, seemingly not understanding the forensic analysis could actually help him. This was a disastrous mis-step (among many) and we then must piece together data from what we do have – an Encase examiner’s report, some log files (zip) and various other bits and pieces.

The date stamps don’t make sense. In the world of computer forensics, Windows date stamps are referred to as MAC Modified (or Written), Accessed and Created. The Access time for a file will change when it is viewed3 . “Last Written” can be delayed to when the OS finally gets around to writing the file onto the disk.

The table below is a list of a number of the Child Pornography (CP) files allegedly found on the PC.

Note the files highlighted in yellow: It appears that the files have the same creation and access date, indicating that possibly were not even viewed.

See the last file (starting with the Chinese character 苏)? It’s referenced in the preliminary hearing in an exchange between Assistant District Attorney Anthony Casola and Pennsylvania Trooper James Ford, who worked on the case along with Corporal Goodyear:

The file was even the basis for the search warrant.

But it might very well be that no one on that computer ever actually viewed that file!

When was eMule installed? Oddly, the police noted the date stamps for the downloaded porn files, but not for eMule itself. In other words, it would be quite useful to know when the program responsible for downloading the child pornography itself had been installed — but that data continues to remain hidden by the police.

Trooper Ford confirms this in the direct examination:

Mr. Zhao didn’t have the patterns of a child pornography collector: The psychology of someone who views CP would typically point to having large collections of these files (there were none); or that the person would be viewing files and then deleting them (no evidence of that either). So the fact that only 7 files (later, a total of 14) were found just doesn’t jibe with typical behavior.

It makes no sense, and the Trooper confirms this:

There’s further oddities, in that the computer reportedly had other forms of legal pornography. However, there is no information as to when these files were accessed – as we see in this recross examination:

Note that there was also indications of English search terms used, but Mr. Zhao does not speak or write English (all the documents for the court were translated by his daughter, and he required a full-time interpreter in court).

So we have no information as to when eMule was installed (absolutely vital information), and there are other types of pornographic files but we don’t know when they were downloaded. What if, as the lawyer asked, they were downloaded in November 2013, before Zhao even arrived to the US? That would be good information to know.

The router

Compounding the poor security setup on Windows XP is that the family used a Mercury router to connect to the internet, and it was set to the default setting. It’s trivial to get the user name and password for this router.

S2 Forensics also checked the availability of hotspots from this router, and there is plenty of places where someone outside of the house could access this wide-open router.

Access by others

Further concern is that at least four individuals had physical access to Mr. Zhao’s computer – including Weiwu Zhao, Zhao’s wife, Zhao’s daughter Ms. Qing Zhao, and Qing Zhao’s ex-husband, Jason Nicholas Veres.

Asian hate?

Part of the family’s argument is that this is a case motivated by Asian hate. As an example, earlier that year, Qing Zhao’s mother-in-law allegedly posted this on Facebook:

This post is followed by a stream comments, which includes a note made by “Jan Tommy Zito” (apparently a relation to the county’s senior Judge Leonard Zito).

There are other allegations by the family that generally center around Asian hate in the community and various conflicts of interest; I’ll leave those for someone else to research.

The trial: A dog’s breakfast

Further compounding the situation was the disaster that was Zhao’s defense. An ethnic Chinese man without English skills, he needed interpreters to assist, and routinely fired lawyers (a total of 5).

He verbally stumbled, yelled (as he is hard of hearing) and made a mess of his case, ultimately representing himself in court with terrible consequences.

No defense witnesses were called.

Horribly enough, several of Weiwu’s expert witnesses, including a crucial expert witness, Steve Simpson (a true expert who I interviewed myself for this blog post) were all excluded, simply because Weiwu, in his ignorance of representing himself, didn’t follow correct procedure.

He was warned about this nearly two weeks prior, on October 17, 2017, in conference with the judge and the prosecutor. He apparently didn’t understand it:

Then, reading the actual trial transcripts is like watching a train wreck in excruciating slow motion:

Weiwu, in fact, didn’t get a chance to have one witness testify on his behalf. He did not have any forensic expert to testify on his behalf. And he had no true forensic analysis of the hard drive performed.

The judge allowed CP to be shown to the jury

And in the trial itself, the court allowed something appallingly prejudicial to occur: it allowed the hardcore pornographic videos to be shown of the children being raped, to the shock and horror of the jury:

As the first video played, one woman in the jury box began to cry, wiping her eyes with a tissue. Others on the panel cast their eyes to the ceiling, or shrouded their gazes with their hands.

By the second video, another juror was fighting tears. The five men and seven women bore thousand-mile stares, a state police investigator narrating what they were seeing: young girls being raped before their eyes on child pornography that authorities said was uncovered on a computer seized in Easton.

Child porn possession cases rarely go to trial, given the inflammatory nature of the images involved. But on Tuesday, a Northampton County jury endured 14 separate videos showing girls being sexually assaulted, after 76-year-old Weiwu Zhao of Easton insisted on his day in court.


The fact that Northampton County Judge Jennifer Sletvold allowed these videos to be viewed by the jury is surprising and disturbing — notwithstanding a caveat she gave to the jurors on the matter prior to the viewing.

Zhao’s fate was sealed. He didn’t stand a chance.

Reasonable doubt?

There are many things disturbing aspects of this case.

  • eMule is a program used globally. So why, then, did a state trooper in Pennsylvania happen to pick up Mr. Zhao’s PC in his search for child porn? It opens the door to the possibility that Zhao’s PC was actually targeted. This discrepancy is caught by no one in the testimony.
  • According to his daughter, files were downloaded prior to Zhao having access to the PC. And this was a computer picked up in the trash.
  • The computer was wide open to other users, with no password security. Others, including the ex-husband of one of the parties involved, were known to have accessed the computer. It was running Windows XP and an insecure router.
  • A discrepancy as to the files themselves: The police originally noted seven files at the preliminary hearing in February 2016. However, a second report in July 2017 found an additional seven files. The question must be raised as to why all 14 files were not located during initial analysis of Mr. Zhao’s hard drive, as would be normal practice in forensic examinations and discovery.
  • Discrepancies as to the items seized: The original search warrant lists an Acer laptop (serial number NXM6VAA0013220730C6600), a generic flash drive, a Western Digital external hard drive (serial number WMC1T0591522), and a Samsung Galaxy phone among other items. However, as recorded in a later document in June 2016, investigating office Brian Mengel lists the computer seized and analyzed as a Dell Inspiron (serial number BPXZ5J1) and a Western Digital hard drive with (serial number WMAV25256156). These are obviously two distinct and unique computers and hard drives. However, the question must be asked if files from a different computer were used as evidence against Mr. Weiwu Zhao.
  • A major question as to when eMule was installed – the police catalogued and determined the creation times of the pornographic files, but they did not do the same for the file sharing software eMule. One possible conclusion for this omission is that the creation time of the eMule software would show that Mr. Zhao was not responsible for its download, installation or use.
  • The fact that no detailed and exhaustive forensic examination of the hard drive in question was ever done by the defense. It is likely that if such an analysis could be completed that many of the questions posed by this report could be answered and be used as a legal defense for Mr. Zhao.
  • The awful legal representation of Mr. Zhao (which included him going through several lawyers and ultimately representing himself).
  • The fact that none of the defense expert witnesses were allowed at the trial due to Zhao’s disastrous self-representation.
  • The prejudicial action the court took in allowing images of children being raped to be displayed to the jury, explained to the jury by the prosecutor as being part of their “civic duty”.

The best analogy for this case is of a man standing in front of a steamroller, spitting and hollering for the steamroller to stop. The steamroller, oblivious to what’s being said, rolls right over him. And that is exactly what happened to Weiwu Zhao.

The case of Zhao is a deeply disturbing one in many ways. His grave error in not understanding the American judicial system has cost him his future; but even absent that, real questions as to his guilt or innocence linger.

Acknowledgement: I’m indebted to the work of others, and Steve Simpson of S2 Forensics who researched the bulk of what I’ve described here.

  1. Many of us remember the old peer-to-peer programs, including Napster. One could download a file from another computer (a “peer”) and your computer would then act as a distribution point for other computers. However, this simplicity also comes with a risk: one may unknowingly or inadvertently download a file that has illicit material, and then become a “distributor” of that file, since it’s being shared with others on the network. eMule was such a program, and is still active even today. []
  2. Note that while there are issues dealing with CP files from a forensic standpoint, there are methods for specialists to analyze the files that don’t put them in danger of inadvertently possessing illicit files. []
  3. This problem is complicated by the change between Windows Vista and XP, which apparently changed this behavior, further muddying the waters. []