Software Reconstructs Crime Suspects’ Online Escapades for Profiles, Pay Dirt

By KATHRYN MAESE

Staff Reporter

Before the body of Laci Peterson washed up on the shores of San Francisco Bay last year, investigators already had a pretty good idea she’d be there. A police computer forensic expert had pored over double-murder defendant Scott Peterson’s five computer hard drives, according to the prosecutor’s case, only to discover that he had shopped online for a boat, studied water currents and bought a gift for his mistress in the weeks leading up to his wife’s death. Prosecution testimony also had Peterson showing an interest in a computer map that included Brooks Island, where Laci was later found.

At the Pasadena headquarters of Guidance Software Inc., former L.A. County sheriff’s deputy-turned-chief executive John Colbert explained how his firm’s EnCase software enabled investigators to harvest Peterson’s electronic fingerprints and establish a crucial timeline.

“You would think that they are looking for a smoking gun, which they find sometimes,” said Colbert, who served in the Los Angeles County Sheriff’s department for 14 years. “In other cases they are putting together a psychological profile.”

The computer forensic field has grown dramatically over the last five years as the bulk of information storage has become electronic. EnCase was the first software to eliminate the time-consuming and complicated DOS format for computer forensics in favor of an easier-to-use Windows-based system.

Clients can either have Guidance Software technicians rummage through hard drives or they can buy the company’s software and do the rummaging themselves. The product has been used in child pornography cases, electronic and corporate fraud, and increasingly, homeland security efforts.

“It doesn’t do everything, no package does, but it’s very comprehensive,” said Mark McLaughlin, president of Century City-based Computer Forensics International, which uses EnCase software to examine information in civil cases.

Curtis Tomlinson, who manages investigations at Sunnyvale-based Advanced Micro Devices Inc., said the company uses Guidance’s software to spot potential theft of intellectual property by its employees.

“We do software and product design so there’s a lot of effort that goes into protecting it,” Tomlinson said. “If an employee leaves under less than desirable circumstances or is suspicious, then the software helps us prove or disprove whether anything is going on. We’ve been able to resolve significant issues.”

Not ‘CSI’

Demand for the privately held company’s products and services has ballooned: Sales this year are expected to be $30 million, up from $20 million in 2003 and $9.7 million in 2002. Government clients make up 55 percent of the business. There are 13,000 software clients, not including people who contract for the company’s investigative services.

Guidance’s own forensic lab is a far cry from “CSI.” There are no blood or hair samples under a microscope, no crime photos or white lab coats. Instead, the narrow space is sparse and neat, with a bank of a half dozen or so computers and a metal shelf stacked with hard drive scanners that can collect electronic data from anything computer-driven: PCs, laptops, digital cameras, PDAs and cell phones.

The investigator hooks the hard drive into the device and copies the information. This allows multiple investigators to sift through the contents without compromising the original, which is stored in an evidence locker to prevent tampering. Guidance processes about 300 cases a month, and takes about three days to finish a case.

Recovering computer evidence can be tricky business. One wrong move and information can be obliterated or rendered inadmissible in court. Colbert recounted one example in 1997, when L.A. Sheriff’s deputies arrived on a homicide scene to find a dead woman draped over her computer keyboard. Investigators immediately pulled the plug on the unit and took it back to the lab.

There, homicide investigators determined the woman had logged onto the PC two hours before coroners estimated her time of death. Based on the new timeline, the husband admitted to the murder. He had dressed the victim as though she were going to work, leaned her over the keyboard and called 911.

“That was such a fragile piece of evidence that could have been destroyed if investigators had turned on the computer and lost the login time,” Colbert said.

Guidance trains more than 3,500 investigators annually in the use of the EnCase Forensics software, which sells for $3,000 a copy and allows users to examine individual computers. The newer EnCase Enterprise version averages $250,000, allowing companies to stop theft or wrongdoing as it happens, what Colbert calls incident response.

The software has played a role in the trials of Scott Peterson and Michael Jackson and in high-profile cases like the one involving shoe bomber Richard Reid. EnCase is said to be the only forensic software that recognizes Arabic, which allowed the Federal Bureau of Investigation to discover the threats on three laptop computers and 51 disks seized in a July 24 raid in Pakistan.

Randall Bolelli, director of the FBI’s San Diego Regional Computer Forensic Lab, said the software is used in almost every case where agents suspect digital evidence exists.

“It’s like identifying millions of needles in millions of haystacks,” he said. “On a regular crime scene you are looking at one file cabinet. In a computer crime scene, you have 50 file cabinets and you have to find one document. That’s the challenge.”

Colbert recognized the field’s potential immediately. After working five years as senior investigator for the Sheriff’s Commercial Crimes Bureau, where he helped develop one of the nation’s first computer forensic labs, he decided to make a career change to the private sector. Last month, he took over as chief executive and the company restructured its operations to focus on developing the forensic software and training division.

“I was presented with the option of being promoted to sergeant and moving back to patrol or taking on a new career in this fast-developing computer-forensic market,” he said. “It was an easy choice for me to change careers.”
