Computer Forensics Takes a Bite Out of Crime

Computer Forensics, a relatively new field of law enforcement, has proven to be a powerful crime fighting tool. It has led to the capture of a severely twisted serial killer and, in a landmark case, set a precedent on data destruction liability. These two cases show the power of Computer Forensics in the criminal and civil courts.

History:

Forensics, as it applies to the law, is the use of science and technology to investigate and establish facts in criminal or civil courts. Computer forensics has its genesis way back in 1928 when Fritz Pfleumer invented magnetic tape for audio recordings. The magnetic tape that first appeared on 7-inch reels, then cassettes, became the basis of the magnetic storage media and memory devices we see today (e.g. hard and floppy disks, thumb drives, etc.). A modern desktop or laptop is capable of holding gigabytes or even terabytes of data.

Over the course of the computer’s evolution, enterprising criminals began using its growing processing power to commit crimes. In the early 1980s it became apparent to law enforcement that more and more records and written transactions existed only on computers. Criminals no longer shredded evidence; they deleted it.

This need to systematically deal with magnetic media created the field of Computer Forensics. The definitions vary but the process is essentially the same: preserve, identify, extract, document, and interpret computer data in a forensic manner. Basically, investigators had to create an uncorrupted evidence chain of electronic data.

The world of law enforcement was now dealing with a new and what must have been a somewhat baffling phenomenon: the unseen. In other words, the incriminating facts in their evidence chain (and maybe their whole case) would only exist as electronic pulses. And, these pulses would need to be converted to legally permissible digital evidence.

The FBI recognized early – in 1984 – that magnetic media could hold evidentiary material. At their Washington DC headquarters they started the Magnetic Media Program to develop the processes and techniques of electronic forensics. This was a fortuitous move, because as the sources of raw digital data multiplied, local law enforcement was often overwhelmed. The electronic cache of evidence in a case suddenly grew to include cell phones, desktops, laptops, thumb drives, and video cameras.

To help local law enforcement process the growing amount of data and obtain convictions, in 1992 the Magnetic Media Program morphed into the Computer Analysis Response Team (CART). In its first year of existence, the program only worked three cases. Today, CART has 500 highly trained agents spread throughout 56 field offices. In 2012, CART assisted in 10,400 investigations involving more than 10,500 terabytes of data – this amount of data equals the printed content of 1,050 Libraries of Congress.

Computer Forensics Basics:

Many techniques of data extraction and preservation have developed over the years. They have become increasingly sophisticated, some even arcane in nature. However, regardless of the forensic techniques, a basic process has been standardized:

  1. Secure the computer system (or other devices) to ensure the equipment and data are safe.
  2. Find all files on the system, including those that are encrypted, password protected, hidden or deleted but not yet overwritten.
  3. Recover as much deleted information as possible (there are many applications and complex processes to choose from for retrieving deleted data).
  4. Reveal the content of all hidden files (again, there are many programs designed to find buried data).
  5. Decrypt and access protected files.
  6. Analyze special areas of the computer’s disks – unallocated space on a computer’s drive is a prime area that could contain files or parts of files relevant to a case.
  7. Document every step of the procedure.

All of these steps are important, but the first step is critical. The device must be physically isolated to guard against unauthorized access. Once the device is in a secure facility, a digital copy (a forensic image) of the storage media is created so that the original stays in pristine condition and the evidence chain remains uncorrupted. All investigation is done on the digital copy.
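As an added example (not from the article), the imaging step in Python: every byte of the seized media is copied, the source is hashed before the copy and the image after it so the examiner can prove the working copy matches the original, and each action is logged for step 7. The file paths and the contents of the sample "drive" are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # read 64 KiB at a time so a real drive need not fit in memory


def sha256_of(path):
    """Chunked SHA-256 of a file; this digest is the evidence's fingerprint."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image, log):
    """Copy every byte of `source` into `image` and prove the copy is faithful.
    Returns True only if the image hashes like the source did before copying
    and the source still hashes the same afterwards (it was not altered)."""
    def note(msg):  # step 7: a timestamped record of every action
        log.append(f"{datetime.now(timezone.utc).isoformat()} {msg}")

    before = sha256_of(source)
    note(f"source sha256={before}")
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    note(f"image written: {image} ({os.path.getsize(image)} bytes)")
    after = sha256_of(image)
    note(f"image sha256={after}")
    ok = after == before and sha256_of(source) == before
    note("verification " + ("PASSED" if ok else "FAILED"))
    return ok


def demo():
    """Constructed sample: a small file stands in for the seized drive."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "seized.bin")
    with open(drive, "wb") as f:  # constructed content, not real evidence
        f.write(b"\x00" * 4096 + b"<<constructed sample>>" + b"\xff" * 1024)
    log = []
    ok = acquire_image(drive, os.path.join(workdir, "seized.dd"), log)
    return ok, log, workdir
```

The returned log, with both digests, is what goes into the case file; any later change to the image (or the original) shows up as a hash mismatch.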

Famous Cases:

BTK: For over 30 years the identity of this deranged, homicidal lunatic was a mystery to the Wichita, Kansas police and the FBI. BTK (Bind, Torture, Kill) strangled ten people between 1974 and 1991. In acts of visceral, degenerate horror, BTK would act out bizarre fantasies and inflict the terror described in his name on his victims – two of whom were nine and eleven years old.

The killer taunted law enforcement with freakish notes left in odd places (stuck in a book at the library, in a cereal box) and incomprehensible poems he sent to local media along with puzzles and pictures. The local police and FBI followed up on thousands of leads, took 1300 DNA samples, interviewed countless people, and analyzed his depraved writings – all to no avail as the case went cold.

Then, after thirteen years of silence, BTK resumed communications with the local media and police. Remarkably, in an act of psychotic arrogance (and stupidity), BTK contacted the police by letter and actually asked them whether or not a floppy disk could be traced. Law enforcement replied in a newspaper ad posted in the Wichita Eagle that it was untraceable. BTK mailed his next message on a floppy disk. The police lied. Imagine that!

Computer forensic experts analyzed the floppy disk’s metadata and recovered a Word document. Metadata is data about data. Among the many pieces of information recorded in metadata are when a file was last modified and by whom – in this case, they found the name “Dennis” and the phrase “Christ Lutheran Church.”
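The article does not say which tool was used; as an added example (not from the article or the investigation), here is how the authorship fields it describes are read out of a Word document, with a constructed sample file. It assumes the modern .docx package, whose docProps parts the Python standard library can read; a 2005-era binary .doc keeps the same properties in an OLE compound file and needs a separate parser.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# field -> (part inside the OOXML zip, element holding it)
FIELDS = {
    "creator": ("docProps/core.xml", "dc:creator"),
    "last_modified_by": ("docProps/core.xml", "cp:lastModifiedBy"),
    "modified": ("docProps/core.xml", "dcterms:modified"),
    "company": ("docProps/app.xml", "ep:Company"),
}


def read_metadata(docx_bytes):
    """Return {field: text or None}; None means the part or element is absent."""
    out = {k: None for k in FIELDS}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        parsed = {}  # cache each XML part so it is parsed at most once
        for key, (part, tag) in FIELDS.items():
            if part not in parsed:
                parsed[part] = ET.fromstring(z.read(part)) if part in z.namelist() else None
            root = parsed[part]
            el = root.find(tag, NS) if root is not None else None
            if el is not None and el.text:
                out[key] = el.text
    return out


def build_sample_docx(creator, modified_by, modified, company, with_props=True):
    """Constructed sample .docx (not an evidence file); with_props=False mimics a stripped one."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f'<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        '</cp:coreProperties>'
    )
    app = f'<Properties xmlns="{NS["ep"]}"><Company>{company}</Company></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if with_props:
            z.writestr("docProps/core.xml", core)
            z.writestr("docProps/app.xml", app)
    return buf.getvalue()
```

The `with_props=False` path matters in practice: a document whose property parts are missing yields all `None`, which is itself a finding worth recording rather than an error.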

A search of the church’s website showed that Dennis Rader was the president of the congregation council. The police set up surveillance and obtained a DNA sample from his daughter. Dennis Rader was arrested in February 2005; he pled guilty to the killings, and is now serving ten consecutive life sentences.


The Corcoran Group:

This case’s significance is not based on what Computer Forensic experts found but what they did not find.

The Corcoran Group is one of the largest real-estate brokerages in New York. The company is Manhattan-based and sells properties ranging from $1 million for a studio to multi-floor penthouses that can cost as much as $80 million. It was one of their lower-end sales that has put all businesses on notice regarding how email is handled.

The case involves a married couple with two young children who bought a three-bedroom, 1,600-square-foot apartment for $1.3 million in June of 2007. Every time it rained, massive leaks occurred in their unit (and others), damaging furniture, clothes, and appliances. They complained to Corcoran, who refused to remedy the situation, claiming that the leaks occurred after the sale. The water flooded the unit to the point that the family had to move out, but they were still held to the mortgage and common charges. The couple decided to sue.

Attorneys hired by the couple found an engineer’s report showing that the building had been assembled with a material called “Wonderboard”, which is used in construction projects known to have leaks. There was also pervasive mold and very high levels of carbon monoxide in the boiler room. Part of the lawsuit involved a forensic analysis of the Corcoran Group’s computers.

The computer forensic expert was looking for evidence of wrongdoing, but what he found was that emails and other files that should have been on the hard drive were gone. When the deleted data was retrieved, it revealed that Corcoran agents had cancelled appointments with buyers on rainy days to hide the water leaks they already knew about.

The judge ruled that Corcoran was “grossly negligent” for failing to preserve and turn over electronic evidence that showed prior knowledge of the water leaks. The fine for the real estate giant was paltry: $35,000.00 in legal fees and court costs accumulated by the plaintiff. However, a new legal precedent was set for preserving electronic evidence in legal cases.

Whether criminal or civil, creating or deleting, there is an electronic trail that can lead right to you. And Computer Forensic experts can recreate and follow that trail.

Current Magazine, July 2019
© Technology First 2019. All rights reserved.