Computer Forensics: The New Fingerprinting

After 31 years and 100,000 man-hours of conventional research, the famous case of the BTK killer was cracked with 15 minutes of work by a modern digital detective. The new breed of gumshoe is trained to study bytes the way old-school G-men studied fingerprints. And it's paying off.


by Brad Reagan

http://www.popularmechanics.com/technology
The night Cindy M.* disappeared, she ate dinner with her parents and older brother in the family's two-story suburban Pittsburgh home, then went to her room and promised to come back for apple-walnut pie. The pretty 13-year-old with dark blond hair and blue-green eyes never returned. When her parents checked her room, they found neither a note nor a sign of forced entry. It was New Year's Day, 2002, and their daughter was simply gone.

Pittsburgh police spent almost two days interviewing Cindy's friends and family, while neighbors scoured nearby fields and gullies, but everyone came up empty. When FBI special agent Denise Holtz took over the case, late on Jan. 2, the investigation had barely moved beyond square one.

This is what Holtz knew: Cindy was a shy child who wrote poetry and frequently made the honor roll. She was rarely in trouble. She could have run away, but she left her coat hanging in the closet on one of the coldest nights of the year. Only one tidbit seemed promising: Friends said Cindy frequented Internet chat rooms.

A six-year veteran of the Crimes Against Children Task Force, Holtz suspected the answer to Cindy's disappearance was hidden within the girl's upstairs computer. She also knew that it might already be too late. If Cindy had fallen into the hands of a killer, the statistics were grim: 74 percent of abducted children who are murdered are dead within 3 hours.

* Not her real name

When Andy Spruill, a computer forensics examiner at Guidance Software, looks into a hard drive, he sees everything about its owner. "It's like looking into his mind," he says. Here's how he and other computer sleuths find their clues.

Step 1
Computer drives that may contain evidence are attached to a write-blocking device that allows examiners to read from them without changing the contents.

Step 2
Software, such as Guidance's EnCase, creates a forensic image of the hard drive--which Spruill compares to a "digital evidence bag."

Step 3
The forensics software analyzes the image, uncovering hidden and deleted files as well as partially deleted "file remnants," and displays them in a hierarchical format.

Results
Photos, Microsoft Office documents, e-mails and MP3 files can hide incriminating meta-data, and the Internet cache stores records of a suspect's Web travels that can be recovered even after they are deleted.


"We knew that time was ticking and we couldn't sleep until we found her," Holtz says. She turned to FBI forensic examiner Tony Pallone, one of the bureau's computer specialists, and asked him to drop all other projects until he found something in the machine that could lead them to the missing girl.

Pallone made a forensic image of Cindy's computer hard drive and settled in for a long night. He then ran a program that analyzed the image--yielding thousands upon thousands of numbers and letters scrambled together, amounting to little more than gibberish to the untrained eye.

From Cindy's personal Web page, Pallone knew she called herself "goddessofall" and listed among her interests witchcraft, hypnosis and mythology, so he searched the data for snippets of those words hoping to discover other clues amid the jumble of characters. He found some troubling information: "File residue" logs showing the computer's recent activities revealed that Cindy visited chat rooms dedicated to sadomasochism. Potentially worse, Pallone deduced from the gibberish that she chatted frequently with someone going by the ominous screen name of "dcsadist." Pallone searched the Internet for references to anyone using that name but nothing surfaced.
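The three-step workflow from the sidebar (write-blocked read, forensic image, analysis of the image) and the raw keyword search Pallone ran over the scrambled image data, shown as an added Python example. This is not code from the article, from the FBI lab or from EnCase: it copies and hashes a constructed stand-in for a write-blocked drive, verifies the hash, and scans the raw bytes for screen names in both ASCII and UTF-16LE so that residue in unallocated space is found even when no file-system entry points to it. The sample device contents, the function names and the keyword list are assumptions made for illustration.

```python
import hashlib
import re

# Constructed stand-in for the raw bytes read from a drive behind a write
# blocker: one allocated text file, then "unallocated" space still holding
# residue of a deleted chat log (ASCII) and of a profile page (UTF-16LE, the
# encoding many Windows applications write). Sample data, not real evidence.
ALLOCATED = b"Cindy's poems\n" + b"\x00" * 32
RESIDUE_ASCII = b"<goddessofall> hi\n<dcsadist> where do you live\n"
RESIDUE_UTF16 = "profile: goddessofall interests witchcraft".encode("utf-16-le")
SAMPLE_DEVICE = ALLOCATED + b"\xff" * 16 + RESIDUE_ASCII + b"\x00" * 8 + RESIDUE_UTF16


def acquire_image(device):
    """Bit-for-bit copy of the source plus its SHA-256 (the "evidence bag").

    The write blocker is what protects the original; this function only ever
    reads. The hash taken at acquisition is what later proves the image was
    not altered between the lab bench and the courtroom.
    """
    image = bytes(device)                       # whole device, slack included
    return image, hashlib.sha256(image).hexdigest()


def verify_image(image, expected_sha256):
    """Re-hash the working copy and compare with the acquisition hash."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def keyword_hits(image, keywords, context_chars=12):
    """Scan the raw image, not the file system, for each keyword.

    Deleted remnants carry no file-system record of their encoding, so each
    keyword is tried as ASCII and as UTF-16LE. Every hit keeps its byte
    offset so the finding can be cited and re-checked in a report.
    """
    hits = []
    for word in keywords:
        for enc, width in (("ascii", 1), ("utf-16-le", 2)):
            needle = re.escape(word.encode(enc))
            for m in re.finditer(needle, image):
                # context window stays a multiple of the code-unit width, so
                # UTF-16 decoding of the snippet keeps its alignment
                lo = max(0, m.start() - context_chars * width)
                hi = m.end() + context_chars * width
                text = image[lo:hi].decode(enc, errors="replace")
                hits.append({
                    "keyword": word,
                    "encoding": enc,
                    "offset": m.start(),
                    "context": text.replace("\x00", "").replace("\ufffd", "?"),
                })
    return sorted(hits, key=lambda h: h["offset"])


def triage(device, keywords):
    """Acquire, verify and search in one pass; returns (sha256, hits)."""
    image, digest = acquire_image(device)
    if not verify_image(image, digest):
        raise RuntimeError("image hash mismatch right after acquisition")
    return digest, keyword_hits(image, keywords)


if __name__ == "__main__":
    digest, hits = triage(SAMPLE_DEVICE, ["goddessofall", "dcsadist"])
    print("image sha256:", digest)
    for h in hits:
        print(f"offset {h['offset']:>6}  {h['encoding']:<9} {h['keyword']:<14} ...{h['context']}...")
```

Searching the raw image rather than the mounted file system is the point: the "dcsadist" line in the sample lives only in unallocated space, where no directory entry names it, and the UTF-16 copy of "goddessofall" would be missed entirely by an ASCII-only search. Real tools carve far more (file headers, cache records, document metadata), but the offset-plus-hash bookkeeping is the same.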

By the evening of Jan. 3, Cindy's parents began to lose hope that she would be found alive. "You know the statistics," the girl's mother later told Newark, N.J.'s Star-Ledger. "It's a one-in-a-million shot to see your child again."

Pallone is an examiner in the Pittsburgh FBI office's computer forensics lab. The operation is a small-scale version of the FBI's 10 multiagency Regional Computer Forensics Laboratories (RCFLs); two more are slated to open this year. The FBI provides the RCFL startup costs--about $3 million per lab--and state and local agencies contribute staffers certified in computer forensics. As cases come in, examiners pitch in on those with the highest priority, regardless of which agency owns jurisdiction.

All told, 200-plus examiners at RCFLs and other FBI teams across the country analyzed more than 1400 terabytes of data in 2005--equal to a stack of paper 47,000 miles high. This new breed of gumshoe, trained to study bytes the way old-school G-men studied fingerprints, snares a predictable cast of hackers and insider traders but also a surprising number of violent criminals.

Computer forensics is not only crucial to law enforcement, it is critical to the business world, where digital evidence-gathering tools are used for everything from fraud investigations to employee monitoring. And government computer investigators buy much of their software from the same commercial vendors that supply big business. The dominant player in the field is Pasadena, Calif.-based Guidance Software, makers of EnCase, a widely used suite of programs that can dig deep into the memory of everything from computer hard drives to MP3 players. The next generation should even be able to search cellphones. Through its consulting arm, the company also trains more than 3500 law enforcement officers each year.

"A computer is no different than a tape recorder--it records everything you do," says Andy Spruill, who oversees the consulting division and works as a lead investigator with the Westminster, Calif., police department's computer forensics unit. "Right now [computer forensics] is still a specialty, with few people having the skills and resources to do it," he says. "Think about where DNA was 10 years ago. Most cops didn't even know about it. Now most patrol officers carry DNA swabs. That is where [computer forensics] is going to go, to the patrol level."

"It is unusual today to have a case that doesn't involve computers," explains Mary Beth Buchanan, U.S. attorney for the Western District of Pennsylvania. She adds that computers are not just a source of evidence, but a source of better evidence. "Through the use of computers, people store information they might not otherwise. They might not even know it is being stored," Buchanan says. "The value [of the evidence] is also greater because that information is stored in an organized manner and the computer leaves footprints of an individual's every action."

In 2003 Kansas State University English professor Thomas Murray's computer turned into a witness against him. For more than a year, local police suspected Murray in his ex-wife's stabbing death, but it was not until examiners in the Kansas City, Mo., RCFL searched his office computer that they found damning evidence. In the months before his wife's death, Murray had used such Internet search terms as "how to kill someone quietly and quickly" and "murder for hire." A jury rejected Murray's defense that he was researching script ideas for a television show such as CSI and sentenced him to life in prison.

Digital evidence helped the FBI find Dennis Rader, aka the BTK killer (left), and Scott William Tyree (right). (Photographs by AP/World Wide Photo [Rader], Matt Freed [Tyree])

The most famous case cracked using the skills of computer forensics investigators is last year's capture of the serial killer known as BTK, short for "Bind, Torture and Kill."

Responsible for 10 murders around Wichita, Kan., between 1974 and 1991, BTK taunted police with letters that boasted of his deeds but yielded few clues to his identity. He resurfaced in 2004 with a letter to a local newspaper hinting that he might be plotting more murders.

In February 2005, Wichita television station KSAS received a translucent, purple floppy disk accompanied by a 3 x 5 index card with a message from BTK: "Any Communications will have a # assigned from now on, encase [sic] one is lost or not found."

The BTK task force enlisted the expertise of Randy Stone, a 39-year-old Desert Storm vet who started in the Wichita police department's Forensic Computer Crime Unit in 1998. When Stone checked the disk, it contained only one file, named "Test A.rtf." The text of the file instructed investigators to read the index card. No clues there.

Stone checked the disk properties to see the previous user: someone named Dennis. Then he checked to see where the disk was last used: Wichita's Christ Lutheran Church. On the church Web site's list of officers, there was one Dennis, a man named Dennis Rader.

The police used DNA evidence to link Rader to the crime scenes and in August 2005 he was given 10 consecutive life sentences. After more than 31 years and 100,000 man-hours, Stone's digital detective work cracked the BTK case within 15 minutes of receiving the disk.

"On a scale of one to 10, it was about a three in terms of computer forensics," Stone says. "As simple as that was, the sad thing is 95 percent of law enforcement in the U.S. could not have done something like that."

Late on Jan. 3, 2002, as Pallone toiled away in his lab, investigators looking for Cindy finally caught a break. An anonymous Tampa man contacted the FBI and said he might know something about the girl he'd seen in a missing child photo on the Pittsburgh Post-Gazette Web site. The tipster said he met a man in a bondage group online claiming to have captured a teenager. "I think I got one," the man wrote the tipster in a message, showing video of a girl chained to a wall, crying. The tipster thought the man lived in northern Virginia and used the screen name "master for teen slave girls."

Pallone's co-worker, Tim Huff, arrived at the office around 8 am, just as the tipster gave up the screen name. Of his six years as a field agent, Huff has spent five working in computer forensics. "I like putting bad guys in jail, that's why I got into the bureau," Huff says. "I got into computer forensics because I like solving puzzles."

Four others in the lab were pulled onto the case to join Pallone in searching chat groups and elsewhere around the Web for anyone using that screen name. Even with the new information, they were still searching 90 minutes later.

Maybe, Huff thought, the name was not "master for teen slave girls," as the original agent wrote it down, but some derivative using Web shorthand. Team members began to search for variations on the name and, within minutes, one of the examiners found a Yahoo Chat profile for a suspect using the handle "master4teen_slavegirls." In his profile, the man listed other online aliases, including "dcsadist."

It was a huge breakthrough--they quickly matched the information from the girl's computer with the tipster's information, making it a near certainty this was the guy holding Cindy. But the profile didn't say where he lived.

Holtz tried to contact Yahoo to get the Internet protocol (IP) address of the profile, but it was 6:30 am at the Yahoo corporate offices on the West Coast and she couldn't get anyone on the phone. Eventually, an agent in Sacramento, Calif., was reached, who called a contact at Yahoo. Minutes later, Holtz faxed a letter to Yahoo asking for the IP address, citing Section 212 of the Patriot Act.

Prior to the Patriot Act, which was passed in October 2001, many corporations required search warrants or subpoenas before granting government requests for customer information, mainly to shield themselves from lawsuits. But Section 212 releases companies from civil liability in cases where someone is at risk of "immediate danger of death or serious physical injury." This case was one of the first times the provision was used.


Cyber sleuths: FBI computer forensic examiners Tim Huff (left) and Tony Pallone unlock the secrets inside hundreds of computers each year. (Photograph by Brian Berman)

Around 11 am, Yahoo faxed the Pittsburgh lab the IP address. A quick search identified Verizon as the service provider. Thirty minutes later, Verizon told Holtz the name and address of the customer registered to the account, a 38-year-old Herndon, Va., man named Scott William Tyree.

With Tyree's address confirmed, Holtz contacted the Washington, D.C., field office, which dispatched a team of agents to Tyree's home. Cindy had been missing for almost three days; now Holtz, Huff and the rest of the Pittsburgh office could only wait nervously for word of her fate.

At Tyree's suburban townhouse, agents burst through the front door with guns drawn. The house appeared to be empty until they found Cindy in an upstairs bedroom, collared and chained to a bolt in the floor. The chain was just long enough to allow her to go to the bathroom. Tyree, it turned out, had reported to work at a nearby office of Computer Associates, but not before warning Cindy that he would hurt her if she tried to escape.

By 3:30 pm, the investigators at the Pittsburgh RCFL received word: Cindy was safe. Holtz, a six-year veteran of the bureau, didn't try to hold back her tears. Still sniffling, she walked to a nearby conference room to give Cindy's family the good news.

Tyree was picked up less than an hour later at his office. He had no criminal record and exhibited few previous signs of being a sexual predator. He was twice divorced and maintained a good relationship with his only child, a 12-year-old girl who lived with her mother in California. Tyree's daughter had reportedly stayed with him for most of December during school break, returning home on New Year's Day--the same day Cindy disappeared.

In subsequent interviews, investigators determined Cindy was like many teenagers who get involved in dangerous role-playing on the Web and draw the attention of predators like Tyree. On New Year's Day, she sneaked out of the house and met Tyree a few blocks away. By the time Cindy realized the true intentions of her captor, it was too late to escape. She now speaks to student groups about the dangers of the Internet.

Buchanan, the lead prosecutor, says further evidence obtained from Tyree's computer by Huff and his staff was instrumental in building her case and forcing Tyree to plead guilty. In March 2003, he was sentenced to nearly 20 years in federal prison.

More than three years later, Huff says it remains one of his most rewarding cases. "There is very little that I have experienced that makes you feel as good as knowing you made a child safe," he says.
