Category Archives: Computer Forensics

A news story came out of the UK yesterday that members of the Child Exploitation and Online Protection Center are requesting that Facebook implement a “panic button”. The button will serve as a direct email link to law enforcement where children can report cyber-bullying, sexual abuse, or any other threat or suspicious activity. The news story goes on to describe a case where an adult male created a Facebook profile portraying himself as a teenage male. After connecting with people, he developed an online relationship with a 17-year-old girl. The pair exchanged cell phone numbers and agreed to meet on a date, where the man raped and murdered the girl before dumping her body in a field. Read the full article here.

We worked a case where the daughter of a wealthy businessman went missing. The child was gone for two days when the parents contacted a private investigator (they didn’t contact law enforcement because of the possible exposure to the family). We were hired by the private investigator to perform a forensic examination on the child’s computer to try to determine what could have happened to her. After a thorough review of her computer, we found that through the social networking site Myspace.com, the daughter recently started exchanging emails with what appeared to be an older male. We were able to recover several emails that talked about setting a date and time to meet up and hang out. Shortly thereafter we found the email that gave details about the date and time they would meet up, as well as the name of the hotel where they were staying. We provided this information to the private investigator, who successfully brought the daughter back to her parents unharmed. In this case, the daughter willingly ran away from home to spend time with this older male.

The internet can be our best friend, but it can also be our worst enemy. With the increase in social networking sites, chat/video sites, and other sites tailored to the younger generation, the story above is becoming all too common. There are people out there joining these sites with the intent to develop relationships with naive teenagers in order to harm them physically or sexually.

We urge parents to keep a watchful eye on their child’s internet activity. The first step that can be taken is to make sure that the computer is located in an open room such as a kitchen, living room, or dining room where parents can see what activity is occurring on a computer monitor. Another step for parents would be to set up parental controls on the computer and block websites that are not suitable for the child’s age. The one step we highly recommend is setting up an internet monitoring program on the child’s computer. Though this sounds like a sales pitch, Internet Monitoring is one of the services we provide. This service is both reactive and proactive. We can perform a mini forensic examination on the child’s computer to see recent internet activity, sent/received emails, chat participation, in, and recently viewed images/videos. Then we install and configure the monitoring software on the child’s computer which allows parents to see detailed updates of everything the child does on their computer. Though most parents feel it is betraying their kid’s trust, statistics and news articles don’t lie. It is better to be safe than sorry.

If you have any questions about internet safety and monitoring or want us to speak to your organization about this subject, contact us at info@precisioninvestigations.net.

Most of the divorce cases we get involved in revolve around finding evidence of an affair that a spouse had during the marriage. Lately, we have been getting involved in the financial areas of a divorce. Basically, we gather all of the financial data found on the hard drive and produce that data to the attorneys or accountants we are working with. Examples of this data can be: financial software files (QuickBooks, Quicken, Money, etc.), spreadsheets, and financial internet sites visited (banking sites, stock sites, etc.). This data can prove invaluable during a highly contested divorce. Oftentimes, we have seen spouses attempt to hide assets from the other spouse.

We worked a case for the wife of a prominent doctor who was in the middle of a nasty divorce. The doctor had several practices plus three additional businesses he owned on the side. The wife claimed that she was owed more money than the doctor was willing to pay. We were called in to image the doctor’s computers, export out all of the financial data from them, and provide the data to a forensic accountant.

The attorney we were working with was a great guy, but this was the first time he was involved in a computer forensic case. We spent several meetings educating the attorney on our methodologies and capabilities. We also assisted him with drafting the legal documents in the case that pertained to computer forensics. We then had meetings with the forensic accountant hired to review the financial data in the case. Luckily, he had some experience with forensic investigations so getting him on board with our methodologies was a fairly smooth process.

Once we imaged the computers used by the doctor and his business associates, we started recovering the data. Fortunately, we were provided access to the doctor’s personal accountant who helped us identify where most of the data was stored. We recovered several QuickBooks files and backup QuickBooks files, as well as hundreds of Excel spreadsheets detailing the finances for his medical practices. All of the data was neatly organized and in one central location. When it came to the doctor’s business ventures, the personal accountant’s memory became fuzzy. He claimed that the doctor and his associates kept terrible financial records and he had had a hard time from the beginning trying to organize and work with the financial data. In looking closer, we found that there were some relevant QuickBooks and Excel files that were deleted. Once we recovered the deleted files we found evidence that the doctor was using the finances of one of the businesses as his own personal finances. From the money the business made, the doctor was chartering executive jets to Paris with friends, spending thousands of dollars on dinner with friends, and living a lavish lifestyle. This evidence was produced during the divorce case and the wife was given the additional money she was owed.

For more information on our methodologies and practice areas, email info@precisioninvestigations.net

The hardest part of owning a digital forensic company is not putting the pieces together in an investigation, but getting potential clients to see the real value of digital forensics. In the past few weeks, I have spoken to potential clients that say “wow, you can do that”. Most clients admit that they would have never thought to go after digital data if I didn’t contact them and discuss our services. Maybe I am biased, as I have been in the field for a while and have seen the benefits of doing a digital investigation, but I believe that digital evidence is important to consider in most cases. I have worked hundreds of cases in my career, and some were based solely on the findings found on the computers while in others the computer evidence was used in conjunction with other evidence.

We’ve assisted many clients in corporate and divorce litigation with finding evidence that they would not have known existed without our services.
If you think about the digital age we live in today, we not only deal with computers, but we have the capability to forensically examine cell phones, iPods, video game systems, DVRs, video surveillance systems, as well as any other digital media that contains a storage receptacle. In past cases, we have found relevant data on every one of these devices.

People always relate digital forensics to CSI. Whenever I tell someone what I do, their first reaction is “like CSI”. I explain that it’s similar to CSI but not as pretty. In CSI, they show a person walking up to the suspect’s laptop and by pressing a button all of the smoking gun data pops up on the screen. In the forensic field we call this the “find all evidence button” and as of this writing, I still haven’t found the location of this mysterious button. We usually spend days and weeks going through thousands of emails and search hits trying to piece together clues found on the hard drive.

To find out how Precision Computer Investigations can assist you and your clients visit our website for more information. Please feel free to contact us via email or phone.

Once we determine where the data resides, the budget of the case, and some preliminary information, we then talk with our clients to find specific information that will assist us in narrowing our search of the computer.

This specific information provided by our clients helps us to avoid a “fishing expedition” and allows us to conduct a focused search for the data.  Some of the information that is helpful to us is: specific dates and times, email addresses, specific file names, chat usernames, specific folders where relevant data may reside, and unique words that may be contained in a file or email.  Having this information will help us construct our keywords and point us to where the relevant data may be.

In some cases, there is no information provided to us.  We then rely on our experience and knowledge to examine the hard drive and uncover the relevant data.

Once we identify where all the relevant data resides, it is time to work with the client to put together a scope of work, which defines the objectives and timelines of the investigation. This is a very important step in the investigation. A poorly planned scope of work could lead to excessive costs and extra time spent on the investigation.

Without a scope of work, the investigation turns into a “fishing expedition” where we are searching everywhere on the hard drive for evidence that may be relevant. To avoid this, we work closely with our clients (investigator, attorney, individual) to determine exactly what they want to get out of the investigation. It can be as simple as a client wanting to find one email address sent from a specific date and time to a specific user. Conversely it could be as complicated as not knowing what to look for in the first place. We use our experience and knowledge to help mold and refine the scope by asking the client questions and offering suggestions.

One of the steps in determining the scope is identifying a budget. We work with the client to keep costs down to avoid any unnecessary expenses. As we are working the case and nearing the budget, we will talk with the client to let them know what we found (or didn’t find) to determine the next steps.

In tomorrow’s post we discuss in detail the information we look for from our clients.

Before a digital forensic investigation is started, there are several important steps that must be done to ensure a legal and successful outcome. We will break down these steps and discuss them from both the individual side and the corporate side.

The first step to take in a digital forensic investigation is to gather all of the data. In today’s digital age, most individuals and employees use two or three computers, a cell phone, and various other digital media to store data.

For Individuals: In these cases, individuals only use one or two computers at the most. They may also use a cell phone or an iPod that can contain relevant data. The most important step we take when we are dealing with an internet infidelity/matrimonial case is to determine whether we have a legal right to forensically image and analyze the digital media used by the parties. Once we have determined we can examine the computer, it is important that the computer is not used. Using a computer can alter the data and may potentially overwrite some of the deleted files.

For corporate: In today’s corporate climate, employees are issued two or three computers and a cell phone. The first step we take is to review a company’s computer policy to make sure that the policy states that the digital media issued to employees are solely the company’s property and the employee gives up their right to privacy. From there, we talk with individuals in the IT department to ascertain where the employee’s data may reside. In most companies, an employee is usually issued a desktop, a laptop, and a cell phone. In addition to these devices, the employee’s data may reside on a folder on a server, on an email server, or any other centralized storage device. Once we have a good understanding of where the data resides we can provide a better scope of work to the client detailing costs involved and time to complete the investigation. It is important that the computers do not get re-issued to another employee before they are forensically imaged. Also, steps must be taken to safeguard the data on the servers.

In my career, I have forensically imaged over 500 computers.  Most of the imaging took place on site, whether it was at a corporate site, a lawyer’s office, or a personal residence.  Doing work in a corporate or attorney’s office is pretty straightforward; they give you a nice conference room or a desk to work on and almost anything you need to be comfortable, such as coffee or drinks.  Doing work in someone’s house is quite the opposite.  I have had to work on the floor, a small little table in a basement, and even outside in a garage.  On one occasion I had a case where a woman was getting divorced, but she didn’t want her kids to know what was going on with the computer, so she arranged for me to meet her a couple of blocks from her house.  When I arrived at the location to take the computer from her, I was then instructed to go to her friend’s house to do the work.  Well, it turns out the friend didn’t want her family to know what was going on either, so as soon as I rang the doorbell the woman opened the door and literally pushed me to a backroom and locked me in.  It was summertime, and apparently there was no air conditioning in the room, because after 10 minutes I looked like I had just taken a shower.  About every half an hour she would check on me (never offering me a drink, or even a towel to dry off), and then she would leave and lock me up again.  When the image finished and I was done packing up, I had to wait almost forty-five minutes for her to come and check on me again before I could leave the house.

So often in divorce cases, the husband or wife does not want the kids to know every little detail.  They especially want to hide the fact that I am copying the data from the computer.  One time, I responded to this woman’s house around 11:00 AM to image a desktop computer located in the kitchen.  The woman’s mother and maid were also present, but they knew what I was there to do.  Around 11:20 AM, the woman asks me if the imaging was done.  I told her no and that there was almost another hour left.  She had a very concerned look on her face and said “Well, my 11-year-old daughter is coming home from school in 10 minutes and she can’t see you working on the computer”.  My initial response was to go to another room in the house to do the work, or even take the computer with me to my lab to do the work.  I told the woman that if the daughter asked where the computer went, she could say she had to take it to a computer shop for a tune up or a virus removal.  The woman didn’t like any of my suggestions at all.  So instead she says to me “Tell her you are a granite countertop salesman, and while you were here giving me an estimate and showing me a drawing on your computer, your computer died and you had to take it apart to fix it”.  Now, for those of you who do this for a living, or have seen it done, you can imagine my reaction as I suddenly became Doug the Granite Countertop Salesman.  For those not familiar with the imaging process, there are hard drives, several wires, and numerous adapters going from one piece to another.  There was no way I was going to pull off this lie (maybe to a 5-year-old).  So the daughter comes home, walks into the kitchen where I am, and at that moment I put on my best granite countertop salesman pose and face.  She walks slowly towards me, looks at my computer setup and goes upstairs for the rest of the time I am there.

Want advice on how to not act during a forensic acquisition?  Email info@precisioninvestigations.net

We were contacted by a Fortune 500 company to assist in an internal investigation in their Mexico City office.  The company had a vast amount of data stored on their main data server deleted over a weekend.  The corporate investigators and IT department in the USA suspected it was a data breach from outside the company.  We mobilized our forensic team, a security detail (very important when traveling to Mexico City) and responded within 48 hours.  We were tasked to find out 1) exactly what data was affected, 2) what caused the data to be compromised, 3) was the deletion a malicious attack, 4) could other corporate locations be affected, 5) was this an internal event or external event, and 6) could a former employee be responsible for the attack.

When we arrived onsite, we met with and interviewed the IT director in the Mexico City office.  From the information we gathered, we were able to construct a timeline as to approximately when the data was deleted.  According to the IT director, the deletion had to occur sometime after 5:00 PM on Friday and before 11:00 PM on Sunday.  We were also able to be certain about what data was deleted, which contained employees’ folders and other important data.

We started by forensically imaging the data server as well as the back-up server for it.  In addition to those, we also imaged all of the IT staff’s computers.  We immediately began exporting the event and system logs on the server for an in-depth review.  We were looking to see who logged in to the servers during that critical timeframe.  We also started reviewing the employees’ computers for any emails or chats that talked about the data deletion that occurred on the servers.  After an exhaustive search of the data acquired, we found a batch file that was run on Sunday night at 9:00 PM, which was written incorrectly and called for the entire data area on the server to be deleted.  A batch file is a text file that contains a sequence of commands for a computer operating system.  After we found the batch file, we went back into the logs and determined who logged in around the same time the batch file was started.  We then investigated further and found that the batch file was created by a certain user (an IT Administrator), and they logged in at 8:50 PM.  The entire incident was caused by a poorly written batch file by an IT administrator.  We assisted the IT department with recovering some of the deleted data and locating data from the previous backups.  The data server was up and running within two days and was only missing about 5% of data.
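The log correlation described above can be sketched as follows. This is an added example, not code or data from the original post: the CSV layout, dates, account names and host names are all constructed assumptions. It pairs logons with logoffs into sessions, lists every session that overlaps the Friday 5:00 PM to Sunday 11:00 PM window, and then narrows to the sessions open when the batch file ran.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export, not data from the case: time, event, account, source host.
SAMPLE_LOG = """\
2010-03-12 16:40:00,logon,jsmith,WS-014
2010-03-12 17:35:00,logoff,jsmith,WS-014
2010-03-13 10:05:00,logon,backup_svc,SRV-BKP
2010-03-13 10:20:00,logoff,backup_svc,SRV-BKP
2010-03-14 20:50:00,logon,it_admin1,WS-IT-03
2010-03-14 21:40:00,logoff,it_admin1,WS-IT-03
2010-03-14 22:15:00,logon,mlopez,WS-022
"""
FMT = "%Y-%m-%d %H:%M:%S"
WINDOW_START = datetime(2010, 3, 12, 17, 0)  # Friday 5:00 PM (constructed date)
WINDOW_END = datetime(2010, 3, 14, 23, 0)    # Sunday 11:00 PM
BATCH_RUN = datetime(2010, 3, 14, 21, 0)     # Sunday 9:00 PM, when the batch file ran


def build_sessions(log_text):
    """Pair each logon with the next logoff for the same account and host."""
    pending, sessions = {}, []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, event, account, host = row
        when = datetime.strptime(ts, FMT)
        key = (account, host)
        if event == "logon":
            pending[key] = when
        elif event == "logoff" and key in pending:
            sessions.append({"account": account, "host": host,
                             "start": pending.pop(key), "end": when})
    # A logon with no logoff in the export stays open-ended (end is None).
    for (account, host), start in pending.items():
        sessions.append({"account": account, "host": host, "start": start, "end": None})
    return sorted(sessions, key=lambda s: s["start"])


def overlapping(sessions, start, end):
    """Sessions active at any point in [start, end], even if the logon came earlier."""
    return [s for s in sessions
            if s["start"] <= end and (s["end"] is None or s["end"] >= start)]


def active_at(sessions, moment, lookback=timedelta(minutes=30)):
    """Sessions open at `moment` that began no more than `lookback` before it."""
    return [s for s in overlapping(sessions, moment, moment)
            if moment - s["start"] <= lookback]


if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_LOG)
    print([s["account"] for s in overlapping(sessions, WINDOW_START, WINDOW_END)])
    # A hit names an account and source host, not a person: where credentials
    # are shared, the host and other artifacts are needed to corroborate.
    for s in active_at(sessions, BATCH_RUN):
        print(s["account"], s["host"], s["start"])
```

Filtering on logon time alone would drop the first session, which began before the window opened but was still active inside it.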

While we were conducting our forensic analysis, the corporate investigation team was interviewing all of the IT staff in an attempt to understand what occurred.  The corporate investigators discovered that the IT staff was very careless and did not uphold the policies and procedures of the department.  We found out that the IT staff consistently gave not only each other, but also other employees outside of the IT department their logon credentials to data servers and computers in the company.  We found that the backup procedure was lacking and backups of some servers had not run for weeks, which was a violation of the policies and procedures.  After the incident was over, we stayed onsite another day to work with the IT staff to streamline and update their IT policies and procedures.
