Minnesota detectives crack the case with digital

forensics
October 06, 2014 - 12:59 PM

In the world of law enforcement, it's a game changer nearly as profound as the advent of
DNA testing.

When two 13-year-old Andover girls went missing last week, the first place detectives
looked was for the digital clues in their iPods and smartphones. It worked. The girls were
soon found in the basement of a 23-year-old Burnsville man, Casey Lee Chinn, who is now
charged with felony criminal sexual conduct, kidnapping and solicitation of a child.

Digital forensics — the examination of cellphones, tablets and personal electronics in

criminal investigations — are dramatically changing the way cases are worked and solved.
While technology has created new portals for predators searching for victims, it's also
leaving telltale trails for police.

The number of smartphones, tablets and personal devices examined by the Anoka County
Sheriff's Office has tripled in the past three years. In 2013, detectives searched 300 phones
and devices in a wide array of cases. It's now often the first piece of evidence detectives
seek out.

"That [missing girls] case was solved by a detective in the lab, not by any field work or
eyewitness accounts. It was digital forensics," said Commander Paul Sommer. "It's become
an investigation imperative. You try to find the personal electronics."

With 90 percent of American adults now carrying a cellphone — 58 percent with a

smartphone, according to the Pew Research Center — the devices have become the one
constant in many people's lives — in their pocket or purse all day, on their bedside table at
night. It's the alarm clock, home phone line, camera, chat forum, e-mail and social media
terminal. Police use that almost constant phone activity to verify a suspect's or witness'
statement and provide a log of a person's movements and activities. Smartphones can even
be an eyewitness, recording a crime in progress.

The Hennepin County Sheriff's Office crime lab analyzes thousands of phones and personal
electronic devices each year for its own investigations as well as for other police agencies.
It also contracts with an outside digital forensic expert to keep up with the constantly
changing technology.

"Electronic devices are just a treasure trove of information," said Hennepin County Sheriff
Rich Stanek. "The digital evidence is one of the first things we go to. They leave footprints
all over the place: Who the girls were last talking with, who they were tweeting with. They
offer up a lot of clues about what has been happening in these young girls' lives in the past
few hours and days."
Ramsey County Sheriff Matt Bostrom said his investigators increasingly rely on digital
evidence to break cases in addition to older investigative methods.

"It is one of the best advancements in the last decade in being able to quickly respond to
crime," Bostrom said. "It has changed the way we are capable of responding to citizens that
are in trouble."

With potential access to so much personal information, police also face a big responsibility
to not misuse data or violate the privacy rights of innocent people, since lawmakers could
still throttle back law enforcement's access to digital data.

The Anoka County Sheriff's Office has set up a digital forensics lab with computers and
about eight tools that can download cellphone data, useful because the sheriff handles all
death investigations in the county and most of the sex crimes.

This year the Sheriff's Office hired two new detectives, bringing the total to 17 to help
handle the increased digital forensic caseload.

The office also is setting up the first mobile digital forensic lab in the state. It's still in the
early stages but when it's outfitted, detectives can take the unit — an old ambulance
donated by Allina Emergency Medical Services — to a crime scene or a missing person's
home and quickly copy evidence from cellphones. Now detectives have to take phones back
to the lab — something that witnesses can resist.

"You are going to have witnesses taking video. The Boston bombing is a prime example of
that," said Anoka County detective Brian Hill.

Detectives want immediate access to that evidence, "but who wants to be without their
phone for 24 hours?" Hill said.

And in cases of suspected online solicitation where a child is missing, it saves precious
minutes by eliminating a drive back to the sheriff's department.

"There is a huge sense of urgency," Hill said.

Hill is one of five Anoka County detectives trained to download and search data from
cellphones and devices. He traveled to Washington, D.C., this summer to testify before a
subcommittee of Congress to discuss how cellphones and spyware are the newest ways
domestic abusers terrorize their victims. But it also leaves a trail that police can use to help
prosecute them.

Hill said about half his work time is now spent on digital forensics. That's a dramatic
change from when he started with the sheriff's office in 2000.
When deputies are called to a crime scene, the first question is: "Where's the phone? Can
we get access to the phone?" Hill explained. "Virtually every crime today involves
technology and that is usually a cellphone."

Detectives often get witnesses, victims or suspects' consent to search a phone. Hill said he
and his colleagues are cognizant of the personal nature of phones. He said he doesn't snoop
through pictures, e-mails and other information unrelated to the case.

If necessary, detectives obtain a search warrant.

Hill said there are many ways smartphone data can corroborate or poke holes in a
suspect's statement to police.

First, phones record a user's physical movements, which can help break a case.

"They track where you go. Smartphones are constantly reaching out to towers," Hill said.

Text messages, e-mails and even photos stored on smartphones can help detectives flesh
out the truth especially if someone's statement doesn't add up. There have been cases
where text messages have exonerated suspects.

"Text messages can tell a whole different story," Hill said.

A pause in phone use also can tell detectives something. Detectives look to see if someone
shuts their smartphone off or even simply leaves it at home and fails to check e-mails and
texts during the period when a crime was committed.

In the case of the missing Andover girls, parents reported their disappearance at 9:36 p.m.
Monday. Detective Pat O'Hara searched one of the girl's iPods found in her room and
discovered two weeks of sexually explicit texts with the final text "Be there" received at
8:31 p.m. Monday.

Police were searching the suspect's home by the next morning.

Hot-car death highlights key role of digital evidence

July 3, 2014
One of the few details to come out of the murder case against suburban
Atlanta dad Justin Ross Harris -- whose son was found dead after being
strapped into a hot car for hours -- is that he searched for information about
such deaths shortly before the incident occurred.
According to police, Harris used his work computer to search for information
about "child deaths inside vehicles and what temperature it needs to be for
that to occur."

Police seized Harris' computer as part of their investigation into 22-month-old

Cooper Harris' death and included the details in a search warrant affidavit
released last week. His wife also searched the topic, police say.

Harris will be in court Thursday for a preliminary hearing on charges of felony

murder and child cruelty.

While Harris' family appears to be standing by him and he's been convicted of
no wrongdoing, the revelation is the latest reminder that what you do and say
online can become public in unpredictable and sometimes undesirable ways:

Digital breadcrumbs are becoming as common in criminal trials as

fingerprints

Fifteen or 20 years ago, the notion of taking criminal evidence from a personal
computer was as novel as the technology itself. Today, it seems
commonplace and all over the headlines.

Last year, for instance, authorities detailed a document called "Abducting and
Cooking Kimberly -- A Blueprint," found on the computer of New York cop
Gilberto Valle, and made it part of a criminal case against him. A jury
convicted him, but last week a judge overturned the verdict, saying Valle's
writings appeared to be little more than twisted imaginings.

And then, among the many other examples, there's Casey Anthony.
Prosecutors said someone in her parents' home searched for chloroform
recipes before Anthony's daughter disappeared in 2008. A jury acquitted
Anthony of murder but found her guilty on lesser charges of providing false
information to police.

When evidence goes viral

Despite this, people are still posting incriminating things online

Just last month, New York police built a case against dozens of gang
members who posted incriminating text and photos to Facebook. Two
indictments in the case largely consist of details of Facebook posts in which
alleged gang members talk about guns and retribution.

Here's one from the indictments, posted for all to see on the worldwide social
network: "AYO, THIS IS BETWEEN ME AND YOU BRO DON'T TELL
NOBODY THIS, LISTEN, KEEP IT REAL WITH ME BRO IF YOU REALY
WANT TO CLAP, KILL, SHOOT, ONE OF THESE ... I'M WITH IT CAUSE
THEY GETTING OUT OF HAND BRO."

That's not the only example. Last year, a Florida man allegedly killed his wife,
then posted a picture of her body and an apology to Facebook before turning
himself in to police.

And then there's Steubenville, Ohio, where two high school athletes were
convicted in the rape of a 16-year-old girl chronicled in social media postings.

And they're still getting tricked

The online world is a wonderland of ill intent, with its myriad scams, frauds
and trickery. Who could forget Manti Te'o, the college football player whose
story of long-distance romance ending in tragedy turned out to be a hoax
perpetrated by an admirer?

In June, according to AL.com, authorities charged an Alabama girl after she

allegedly tried to enlist a Facebook friend to kidnap her and, if necessary, kill
her aunt. Turns out, the "friend" was the aunt, who reportedly had created the
fake profile in a bid to keep an eye on her troubled niece.

When oversharing online can get you arrested

You should know this: The law is still changing

Yes, police can get a warrant to search your computers -- at home and work,
according to the Electronic Frontier Foundation, which has a handy guide to
electronic evidence on its website.

The Justice Department also maintains a manual on electronic evidence. It's

meant for investigators but covers in detail what can and can't be done legally.
Investigators can even search your computer in limited cases without a
warrant -- if they have good reason to think incriminating evidence will be
destroyed before they can get a warrant.

Things like photos, documents and search histories on the computer and
online are all fair game.

And, as we've seen, they can -- and do -- use information from social media
postings. According to a 2012 report commissioned by LexisNexis, four of five
police officers reported using social media in investigations.

Not only can investigators get a warrant to look at a secured account

directly, a federal judge ruled in 2012that they're free to find a willing
Facebook friend of a suspect and get a look that way.

Police can look at what's on your cell phone, too, but they now always have to
get a warrant after a Supreme Court ruling last week. Before, the law was
unsettled on whether police could take a peek at your information while
arresting you in the same way they can go through your pockets and other
personal effects.

But there are still issues where the law is murky. Massachusetts' high court,
for instance, ruled the same day as the U.S. Supreme Court's cell phone
decision that you can be forced to decrypt your computer for police to take a
peek, something other courts have ruled against.

Even if the cops aren't involved, your online activity can still cost you

Two words: Anthony Weiner.

But consider, also, the Denver teacher who was fired last year after school
officials found a Twitter feed filled with racy photos and drug references. Or
comedian Gilbert Gottfried, who lost his job as the voice of the Aflac duck after
tweeting insensitive jokes about the 2011 Japanese tsunami.

What's on your computer and in your social media posts can also make its
way into civil cases, even divorces.

Facebook was cited in a third of divorce filings in 2011, a UK divorce services

site reported, and more than 80% of U.S. divorce attorneys say they've seen
an uptick in the number of cases involving social media issues, according to
the American Academy of Matrimonial Lawyers.
 In court , digit al e v ide nce can shine or fizzle

The State v. Justin Ross Harris won’t be the first nationally infamous trial to rely heavily on
evidence gleaned from the defendant’s own electronic devices. Case after case has shown how
the ubiquitous digital trail we leave can lay bare the most private reaches of our lives, preserving
what we might wish to obscure or obliterate — and might have in the pre-digital age.
A letter stashed at the bottom of a drawer is easily burned or thrown away; its digital counterpart
may exist not only on your hard drive but on servers across the country. Incriminating
information culled from a book in the library stacks leaves no trace; an Internet search does.
And even if something is deleted, it’s not really deleted until new data writes it over. It’s like the
initials you carve into cliff at the seashore, leave behind and soon forget: They remain until the
wind and tide scour them away.
In fact, the massive power of digital forensics has become a burden as well as a boon to
prosecutors. Just as a “CSI effect” has produced juries that expect iron-clad DNA evidence
every time, a digital-trail effect is taking hold.
“The more people realize that they are leaving a data trail, the more they expect of prosecutors,”
said Craig Nolan, a federal prosecutor who successfully used digital evidence to unravel a
horrific murder plot in Vermont. “It’s just another area where the defense can say, ‘Look, the
prosecution hasn’t shown you any of this type of data or that type of data.’”
At the end of the day, a computer investigation, like any police work, is only as good as the
people who do it and their tools. Pitfalls are many, and missteps can have catastrophic
consequences.
If the science is ever perfected it will be in part because of learning from mistakes made on a
national stage, with people’s lives at stake.

A CASE GO WRONG

A singularly disastrous computer investigation in the annals of modern crime was also one of
the most famous: the trial of Casey Anthony, the young Florida woman accused of murdering
her two-year-old daughter, Caylee. Some issues came to light only long after the trial.
Circumstantial evidence swirled around the death: The mother’s lies and seeming nonchalance
about her daughter’s disappearance; her car’s smell of decomposition; duct tape found with her
daughter’s remains. But how to show that Caylee’s death was intentional, that Casey didn’t
merely allow the disposal of the body after the child accidentally drowned?
Investigators turned to the computer in the home Casey shared with her father. Prosecution
witnesses testified that someone had performed 84 searches for the word “chloroform” on that
computer.
But then, mid-trial, the developer of the forensic software used to tease out that information
found a flaw in his product. There had been just one search for “chloroform,” not 84. He tried to
alert the prosecution but they didn’t tell the jury. Anthony’s defense team did, though.
On July 5, 2011, the jury found Anthony not guilty of murder, unleashing a wave of public
outrage. The few jurors who came forward struggled to emphasize that “not guilty” does not
mean “innocent.” They said the process reduced them to tears, that their own verdict — the only
one possible, given gaps in the evidence — made them “sick to our stomachs.”
Then, a year later, an Orlando news station, WKMG, released the work of two hobbyist sleuths
who had procured the Anthony browsing history under Florida’s open records law. Their
analysis delved into something the police had not found: that on the day of Caylee Anthony’s
disappearance, someone had searched “fool-proof suffication” on a browser primarily used by
Casey Anthony.
The hobbyists determined that the search happened while Casey’s cellphone was pinging a
tower closest to home, at a time when her father said he was at work. One minute later,
someone logged into MySpace, a website used frequently by Casey and not by her father.
Anthony’s lawyer was also aware of the search, but he interpreted the timestamps in a different
way, which suggested that Casey Anthony’s father had performed it. The lawyer did not return a
recent call about the issue from The Atlanta Journal-Constitution.
WKMG also reported that Orange County investigators missed 98 percent of the search records
on the computer for the day Caylee died, because they didn’t look in Firefox, Casey’s newly
favored browser.
Orange County Sheriff’s officials told WKMG they still had confidence in the detective who did
the search: After all, she was never told to search the word “suffocation.”
In interviews with the AJC, the hobbyists, Isabel Humphrey and John Goetz, marveled that she
didn’t just search the word “Google,” which would bring up all Google searches. Neither did she
break down all Firefox search results from the day of the disappearance and scroll through
them, as they did.
“She said, ‘They never asked me to,’” Humphrey recalled.
Best-case scenario
The Vermont case was, if anything, even more bizarre and convoluted. Nolan and his
colleagues spent the last six years on the 2008 rape and murder of a 12-year girl, piecing
together a trail of evidence that probably would not have existed in the days before computers.
Prosecutors believed that one man, Michael Jacques, had used cell phones and his home and
work computers to create multiple characters, whom he put forth as members of a powerful
organization. Communicating through them with a child he knew, investigators said, Jacques
convinced the girl, from the age of nine, to volunteer as his sex slave for fear of having her
family killed. The fake organization became an integral part of her life for years.
When the child became a young teen, Jacques turned his attention to his 12-year-old niece,
Brooke Bennett. Prosecutors said he used the fake organization to convince the first girl that
Bennett was a threat. He persuaded the girl to help lure Bennett into a situation where she could
be abducted and killed.
When police questioned the first girl, she told them she had received paper letters from the
organization, introducing itself and claiming responsibility when she came home one night to
find a pet dog hanged. But those pieces of paper were long gone.
What remained were digital records on Jacques’ computer, in email services and in business
records. Slowly and painfully, police were able to use those records to free Jacques’ young
accomplice of the delusion that the organization existed.
A civilian computer professor and a police trooper specializing in computer forensics formed the
core of the small state’s multi-agency team for the work, and the FBI took on some out-of-state
tasks.
In time, the computer evidence filled the bulk of a 60-page prosecution document filed with the
court this year, supplemented by physical evidence, all the bits and pieces placed in a cohesive
narrative.
Some of the jewels: “organization” email accounts accessed from an IP address in Denton,
Texas, at a time when Jacques was on a work visit there; patterns of accessing more than one
of those email accounts in quick succession from the same locations; and a data fragment on
Jacques’ laptop reading, “To put it bluntly, Miss Bennett will cease to exist…You will not be
required to participate in the actual termination, but you will participate in events leading up to
it.”
The computer investigation was “spectacular,” said Nolan, the assistant U.S. attorney in
Vermont who oversaw that part of the case. “They did everything right.” He was ready to take
the case to trial and seek the death penalty.
But to help a jury understand the computer evidence, he also needed the testimony of the
ravaged girl, who desperately wanted to avoid appearing in court.
Jacques was allowed to plead guilty. In May he was sentenced to life in prison plus 70 years,
with no possibility of parole.
“Nothing’s a silver bullet,” said Nolan.