Modern crime often leaves an electronic trail. Finding and preserving that evidence requires careful methods as well as technical skill.
Major Convictions, and a Few Gaffes, with Digital Data
Famous criminal cases show the power of digital forensics, but a few also highlight the need for careful handling of data and devices.
• On December 17, 2000, John Diamond shot and killed Air Force Captain Marty Theer. The victim’s wife, Michelle Theer, was implicated in the crime, but there was no eyewitness evidence. What prosecutors did have was 88,000 emails and instant messages on her computer, including clear evidence of a sexual relationship between Theer and Diamond, and messages documenting the conspiracy to murder her husband. Theer was found guilty on December 3, 2004, of murder and conspiracy and sentenced to life in prison.
• In 2005, after eluding police for more than 30 years, Dennis Rader, a serial killer in Kansas, reemerged, took another victim, and then sent police a floppy disk with a letter on it. On the disk, forensic investigators found a deleted Microsoft Word file. That file’s metadata contained the name “Dennis” as the last person to modify the deleted file and a link to a Lutheran church where Rader was a deacon. (Ironically, Rader had sent a floppy disk because he had been previously told, by the police themselves, that letters on floppy disks could not be traced.)
• On January 1, 2002, Scott Tyree kidnapped and imprisoned 13-year-old Alicia Kozakiewicz. He sent an instant message of a photograph showing Kozakiewicz to another man, who contacted the FBI and provided the Yahoo! screen name of the person who had sent the message: “masterforteenslavegirls.” FBI investigators contacted Yahoo! to obtain the IP address for the person who had used the screen name, then contacted Verizon to learn the name and physical address of the subscriber to whom that IP address had been assigned, leading them to Tyree.
• On July 12, 2008, the strangled body of Nancy Cooper was found. Her husband, Brad Cooper, was charged with the crime. This time the role of digital data was more complicated. Local police, who did not seek expert assistance, accidentally erased the victim’s phone while attempting to access it. Brad Cooper maintains he went to the grocery store on the morning of his wife’s death, and that she called him during that time, but prosecutors charged that he had the technical expertise and access to the necessary equipment to fake such a call. Investigators searching Brad Cooper’s computer also found zoomed-in satellite images of the area where his wife’s body was discovered, downloaded one day before she was reported missing. Defense attorneys countered that searches done on that and surrounding days contained inaccurate timestamps. Brad Cooper was convicted of murder, although appeals are ongoing.