After 31 years and 100,000 man-hours of conventional research, the famous case of the BTK killer was cracked with 15 minutes of work by a modern digital detective. The new breed of gumshoe is trained to study bytes the way old-school G-men studied fingerprints. And it's paying off.
 
The night Cindy M.* disappeared, she ate dinner with her parents
 and older brother in the family's two-story suburban Pittsburgh home, 
then went to her room and promised to come back for apple-walnut pie. 
The pretty 13-year-old with dark blond hair and blue-green eyes never 
returned. When her parents checked her room, they found neither a note 
nor a sign of forced entry. It was New Year's Day, 2002, and their 
daughter was simply gone.
Pittsburgh police spent almost two days interviewing Cindy's friends and
 family, while neighbors scoured nearby fields and gullies, but everyone
 came up empty. When FBI special agent Denise Holtz took over the case, 
late on Jan. 2, the investigation had barely moved beyond square one.
This is what Holtz knew: Cindy was a shy child who wrote poetry and 
frequently made the honor roll. She was rarely in trouble. She could 
have run away, but she left her coat hanging in the closet on one of the
 coldest nights of the year. Only one tidbit seemed promising: Friends 
said Cindy frequented Internet chat rooms.
A six-year veteran of the Crimes Against Children Task Force, Holtz 
suspected the answer to Cindy's disappearance was hidden within the 
girl's upstairs computer. She also knew that it might already be too 
late. If Cindy had fallen into the hands of a killer, the statistics 
were grim: 74 percent of abducted children who are murdered are dead 
within 3 hours.
* Not her real name
When Andy Spruill, a computer forensics examiner at Guidance Software, looks into a hard drive, he sees everything about its owner. "It's like looking into his mind," he says. Here's how he and other computer sleuths find their clues.
| Step 1 | Computer drives that may contain evidence are attached to a write-blocking device that allows examiners to read from them without changing the contents. |
| Step 2 | Software, such as Guidance's EnCase, creates a forensic image of the hard drive--which Spruill compares to a "digital evidence bag." |
| Step 3 | The forensics software analyzes the image, uncovering hidden and deleted files as well as partially deleted "file remnants," and displays them in a hierarchical format. |
| Results | Photos, Microsoft Office documents, e-mails and MP3 files can hide incriminating meta-data, and the Internet cache stores records of a suspect's Web travels that can be recovered even after they are deleted. |
"We knew that time was ticking and we couldn't sleep until we found 
her," Holtz says. She turned to FBI forensic examiner Tony Pallone, one 
of the bureau's computer specialists, and asked him to drop all other 
projects until he found something in the machine that could lead them to
 the missing girl.
Pallone made a forensic image of Cindy's computer hard drive and settled
 in for a long night. He then ran a program that analyzed the 
image--yielding thousands upon thousands of numbers and letters 
scrambled together, amounting to little more than gibberish to the 
untrained eye.
From Cindy's personal Web page, Pallone knew she called herself 
"goddessofall" and listed among her interests witchcraft, hypnosis and 
mythology, so he searched the data for snippets of those words hoping to
 discover other clues amid the jumble of characters. He found some 
troubling information: "File residue" logs showing the computer's recent
 activities revealed that Cindy visited chat rooms dedicated to 
sadomasochism. Potentially worse, Pallone deduced from the gibberish 
that she chatted frequently with someone going by the ominous screen 
name of "dcsadist." Pallone searched the Internet for references to 
anyone using that name but nothing surfaced.
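The imaging steps in the sidebar and the keyword search described above, sketched as an added example (not code from the article, the FBI or EnCase): it hashes a forensic image so the copy can later be shown unaltered, then searches the raw bytes for the two screen names as both ASCII and UTF-16LE. The function names and the sample image bytes are constructed for illustration.

```python
import hashlib
import re
from typing import NamedTuple

class Hit(NamedTuple):
    offset: int      # byte offset into the image
    encoding: str    # how the keyword was stored on disk
    keyword: str
    context: str     # surrounding bytes, non-printables shown as "."

def image_digest(image: bytes) -> str:
    """SHA-256 of the image; recomputing it later shows the copy was not altered."""
    return hashlib.sha256(image).hexdigest()

def _printable(chunk: bytes) -> str:
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)

def keyword_hits(image: bytes, keywords, context: int = 16) -> list:
    """Case-insensitive raw search for each keyword as ASCII and as UTF-16LE.

    It scans bytes rather than files, so text left behind in deleted or
    unallocated space is found as well. Keywords are assumed to be ASCII.
    """
    hits = []
    for word in keywords:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.compile(re.escape(word.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image):
                lo, hi = max(0, m.start() - context), m.end() + context
                hits.append(Hit(m.start(), enc, word, _printable(image[lo:hi])))
    return sorted(hits)

# Constructed sample "image": filler, an ASCII chat remnant, a UTF-16LE string.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + b"<goddessofall> hello\r\n<DCSadist> hi\r\n"
    + b"\xff" * 100
    + "profile=dcsadist".encode("utf-16-le")
    + b"\x00" * 64
)

if __name__ == "__main__":
    before = image_digest(SAMPLE_IMAGE)
    for hit in keyword_hits(SAMPLE_IMAGE, ["goddessofall", "dcsadist"]):
        print(f"{hit.offset:>6}  {hit.encoding:<9}  {hit.keyword:<12}  {hit.context}")
    # The analysis only reads the image, so the digest must be unchanged.
    assert image_digest(SAMPLE_IMAGE) == before
```

Searching both encodings matters because the same screen name can sit on disk as single-byte text in one artifact and as two-byte text in another, and a search in only one form misses the other.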
By the evening of Jan. 3, Cindy's parents began to lose hope that she 
would be found alive. "You know the statistics," the girl's mother later
 told Newark, N.J.'s Star-Ledger. "It's a one-in-a-million shot to see your child again."
PALLONE is an examiner in the
Pittsburgh FBI office's computer forensics lab. The operation is a 
small-scale version of the FBI's 10 multiagency Regional Computer 
Forensics Laboratories (RCFLs); two more are slated to open this year. 
The FBI provides the RCFL startup costs--about $3 million per lab--and 
state and local agencies contribute staffers certified in computer 
forensics. As cases come in, examiners pitch in on those with the 
highest priority, regardless 
of which agency owns jurisdiction.
All told, 200-plus examiners at RCFLs and other FBI teams across the 
country analyzed more than 1400 terabytes of data in 2005--equal to a 
stack of paper 47,000 miles high. This new breed of gumshoe, trained to 
study bytes the way old-school G-men studied fingerprints, snares a 
predictable cast of hackers and insider traders but also a surprising 
number of violent criminals.
Computer forensics is not only crucial to law enforcement, it is 
critical to the business world, where digital evidence-gathering tools 
are used for everything from fraud investigations to employee 
monitoring. And government computer investigators buy much of their 
software from the same commercial vendors that supply big business. The 
dominant player in the field is Pasadena, Calif.-based Guidance 
Software, makers of EnCase, a widely used suite of programs that can dig
 deep into the memory of everything from computer hard drives to MP3 
players. The next generation should even be able to search cellphones. 
Through its consulting arm, the company also trains more than 3500 law 
enforcement officers each year.
"A computer is no different than a tape recorder--it records everything 
you do," says Andy Spruill, who oversees the consulting division and 
works as a lead investigator with the Westminster, Calif., police 
department's computer forensics unit. "Right now [computer forensics] is
 still a specialty, with few people having the skills and resources to 
do it," he says. "Think about where DNA was 10 years ago. Most cops 
didn't even know about it. Now most patrol officers carry DNA swabs. 
That is where [computer forensics] is going to go, to the patrol level."
"It is unusual today to have a case that doesn't involve computers," 
explains Mary Beth Buchanan, U.S. attorney for the Western District of 
Pennsylvania. She adds that computers are not just a source of evidence,
 but a source of better evidence. "Through the use of computers, people 
store information they might not otherwise. They might not even know it 
is being stored," Buchanan says. "The value [of the evidence] is also 
greater because that information is stored in an organized manner and 
the computer leaves footprints of an individual's every action."
In 2003 Kansas State University English professor Thomas Murray's 
computer turned into a witness against him. For more than a year, local 
police suspected Murray in his ex-wife's stabbing death, but it was not 
until examiners in the Kansas City, Mo., RCFL searched his office 
computer that they found damning evidence. In the months before his 
wife's death, Murray had used such Internet search terms as "how to kill
 someone quietly and quickly" and "murder for hire." A jury rejected 
Murray's defense that he was researching script ideas for a television 
show such as CSI and sentenced him to life in prison.
Digital evidence helped the FBI 
find Dennis Rader, aka the BTK killer (left), and Scott William Tyree 
(right). (Photographs by AP/World Wide Photo [Rader], Matt Freed 
[Tyree])
The most famous case cracked using the skills of computer forensics 
investigators is last year's capture of the serial killer known as BTK, 
short for "Bind, Torture and Kill."
Responsible for 10 murders around Wichita, Kan., between 1974 and 1991, 
BTK taunted police with letters that boasted of his deeds but yielded 
few clues to his identity. He resurfaced in 2004 with a letter to a 
local newspaper hinting that he might be plotting more murders.
In February 2005, Wichita television station KSAS received a 
translucent, purple floppy disk accompanied by a 3 x 5 index card with a
 message from BTK: "Any Communications will have a # assigned from now 
on, encase [sic] one is lost or not found."
The BTK task force enlisted the expertise of Randy Stone, a 39-year-old 
Desert Storm vet who started in the Wichita police department's Forensic
 Computer Crime Unit in 1998. When Stone checked the disk, it contained 
only one file, named "Test A.rtf." The text of the file instructed 
investigators to read the index card. No clues there.
Stone checked the disk properties to see the previous user: someone 
named Dennis. Then he checked to see where the disk was last used: 
Wichita's Christ Lutheran Church. On the church Web site's list of 
officers, there was one Dennis, a man named Dennis Rader.
The police used DNA evidence to link Rader to the crime scenes and in 
August 2005 he was given 10 consecutive life sentences. After more than 
31 years and 100,000 man-hours, Stone's digital detective work cracked 
the BTK case within 15 minutes of receiving the disk.
"On a scale of one to 10, it was about a three in terms of computer 
forensics," Stone says. "As simple as that was, the sad thing is 95 
percent of law enforcement in the U.S. could not have done something 
like that."
Late on Jan. 3, 2002, as Pallone toiled away in his lab, 
investigators looking for Cindy finally caught a break. An anonymous 
Tampa man contacted the FBI and said he might know something about the 
girl he'd seen in a missing child photo on the Pittsburgh Post-Gazette
 Web site. The tipster said he met a man in a bondage group online 
claiming to have captured a teenager. "I think I got one," the man wrote
 the tipster in a message, showing video of a girl chained to a wall, 
crying. The tipster thought the man lived in northern Virginia and used 
the screen name "master for teen slave girls."
Pallone's co-worker, Tim Huff, arrived at the office around 8 am, just 
as the tipster gave up the screen name. Of his six years as a field 
agent, Huff has spent five working in computer forensics. "I like 
putting bad guys in jail, that's why I got into the bureau," Huff says. 
"I got into computer forensics because I like solving puzzles."
Four others in the lab were pulled onto the case to join Pallone in 
searching chat groups and elsewhere around the Web for anyone using that
 screen name. Even with the new information, they were still searching 
90 minutes later.
Maybe, Huff thought, the name was not "master for teen slave girls," as 
the original agent wrote it down, but some derivative using Web 
shorthand. Team members began to search for variations on the name and, 
within minutes, one of the examiners found a Yahoo Chat profile for a 
suspect using the handle "master4teen_slavegirls." In his profile, the 
man listed other online aliases, including "dcsadist."
It was a huge breakthrough--they quickly matched the information from 
the girl's computer with the tipster's information, making it a near 
certainty this was the guy holding Cindy. But the profile didn't say 
where he lived.
Holtz tried to contact Yahoo to get the Internet protocol (IP) address 
of the profile, but it was 6:30 am at the Yahoo corporate offices on the
 West Coast and she couldn't get anyone on the phone. Eventually, an 
agent in Sacramento, Calif., was reached, who called a contact at Yahoo.
 Minutes later, Holtz faxed a letter to Yahoo asking for the IP address,
 citing Section 212 of the Patriot Act.
Prior to the Patriot Act, which was passed in October 2001, many 
corporations required search warrants or subpoenas before granting 
government requests for customer information, mainly to shield 
themselves from lawsuits. But Section 212 releases companies from civil 
liability in cases where someone is at risk of "immediate danger of 
death or serious physical injury." This case was one of the first times 
the provision was used.
 
Cyber sleuths: FBI 
computer forensic examiners Tim Huff (left) and Tony Pallone unlock the 
secrets inside hundreds of computers each year. (Photograph by Brian 
Berman)
Around 11 am, Yahoo faxed the Pittsburgh lab the IP address. A quick 
search identified Verizon as the service provider. Thirty minutes later,
 Verizon told Holtz the name and address of the customer registered to 
the account, a 38-year-old Herndon, Va., man named Scott William Tyree.
With Tyree's address confirmed, Holtz contacted the Washington, D.C., 
field office, which dispatched a team of agents to Tyree's home. Cindy 
had been missing for almost three days; now Holtz, Huff and the rest of 
the Pittsburgh office could only wait nervously for word of her fate.
At Tyree's suburban townhouse, agents burst through the front door with 
guns drawn. The house appeared to be empty until they found Cindy in an 
upstairs bedroom, collared and chained to a bolt in the floor. The chain
 was just long enough to allow her to go to the bathroom. Tyree, it 
turned out, had reported to work at a nearby office of Computer 
Associates, but not before warning Cindy that he would hurt her if she 
tried to escape.
By 3:30 pm, the investigators at the Pittsburgh RCFL received word: 
Cindy was safe. Holtz, a six-year veteran of the bureau, didn't try to 
hold back her tears. Still sniffling, she walked to a nearby conference 
room to give Cindy's family the good news.
Tyree was picked up less than an hour later at his office. He had no 
criminal record and exhibited few previous signs of being a sexual 
predator. He was twice divorced and maintained a good relationship with 
his only child, a 12-year-old girl who lived with her mother in 
California. Tyree's daughter had reportedly stayed with him for most of 
December during school break, returning home on New Year's Day--the same
 day Cindy disappeared.
In subsequent interviews, investigators determined Cindy was like many 
teenagers who get involved in dangerous role-playing on the Web and draw
 the attention of predators like Tyree. On New Year's Day, she sneaked 
out of the house and met Tyree a few blocks away. By the time Cindy 
realized the true intentions of her captor, it was too late to escape. 
She now speaks to student groups about the 
dangers of the Internet.
Buchanan, the lead prosecutor, says further evidence obtained from 
Tyree's computer by Huff and his staff was instrumental in building her 
case and forcing Tyree to plead guilty. In March 2003, he was sentenced 
to nearly 20 years in federal prison.
More than three years later, Huff says it remains one of his most 
rewarding cases. "There is very little that I have experienced that 
makes you feel 
as good as knowing you made a child safe," he says.