Free Republic

Police comb digital files in pursuit of evidence
San Diego Union-Tribune via SignOnSanDiego.com ^ | March 18, 2002 | Kathryn Balint

Posted on 03/24/2002 8:41:01 AM PST by MizSterious

By Kathryn Balint
STAFF WRITER

March 18, 2002

As San Diego police began focusing on David Westerfield in connection with the kidnapping – and, as was later discovered, death – of Danielle van Dam, they looked in the places that so frequently hold clues to crimes: his computers.

The Digital Age has taken police forensics far beyond fingerprints.

Police now routinely seize computers in serious crimes. Increasingly, evidence from those computers becomes part of court proceedings, as it did last week when prosecutors presented evidence they said points to Westerfield as Danielle's kidnapper and killer. Westerfield has pleaded not guilty to charges of kidnapping, murder and possession of child pornography.

Last week's preliminary hearing shed light on how police go about examining a suspect's computer and what they look for.

On Feb. 4, two days after Danielle was found missing from her Sabre Springs home, San Diego police Detective James Watkins, a computer-forensics specialist, showed up at Westerfield's home with a search warrant to examine his computers.

In his job with the San Diego Police Department, Watkins needs to know as much about computers as about criminal investigations.

Retrieving evidence from a computer requires special care by someone with proper training. Digital files, Watkins testified last week, can be "altered or damaged or cease to exist if not handled correctly."

Computer forensics experts ferret out photos, Web sites, e-mail and digital files believed to have been deleted. Any of that information can help solve a crime, or explain a suspect's motives or state of mind.

In the wake of the Sept. 11 terrorist attacks, investigators followed the conspirators' electronic trail from libraries in Florida to major Internet service providers across the country.

The digital evidence revealed the terrorists had booked airline tickets online, used the Internet to learn about the aerial application of pesticides and exchanged e-mail.

Among the cases in San Diego County in which computer evidence has played a role:

• The prosecution of Michael Craig Dickman, the "Gap-Toothed Bandit" who was sentenced to nine years in prison last year for robbing six banks around the county. Computer-forensics investigators found copies of his demand notes on his laptop computer.

• The conviction of Arthur Gerardo and Valerie Beidler 1-1/2 years ago for the torture and murder of a roommate who helped them make fake identification cards and forge checks. A computer seized from their house contained pictures of checks and driver's licenses that had been scanned, then altered.

• The ongoing case against Charles "Andy" Williams, the teen-ager who is awaiting trial on charges of killing classmates Randy Gordon and Bryan Zuckor and wounding 13 others at Santana High School last year. Williams' computer was seized as part of the investigation.

Westerfield, 50, a self-employed engineer, had four computers – three desktops and a laptop – at his home in addition to a Palm handheld computer, Watkins testified.

On his visit to Westerfield's home, two houses from where Danielle lived, Watkins was accompanied by computer specialist Lee Youngflesh of the FBI's regional computer forensics laboratory.

The San Diego-based facility was the first of its kind in the nation, and has been used as a model for other such laboratories across the country.

Watkins and Youngflesh brought with them the tools of their trade, including a field imaging device that can make copies of computer hard drives.

One of their first tasks at Westerfield's house was to disassemble the computers and remove the hard drives, which is where all of a computer's files are stored. Then they copied the data on Westerfield's computers onto extra hard drives they brought with them.

Digital information can be copied perfectly, unlike, say, a photocopied letter or a tape of a prerecorded song. That way, the forensics exam can be done on the digital copy so that the original is left intact.

Watkins said he and Youngflesh reassembled Westerfield's computers and made sure they were left in working order. They also copied data from Westerfield's handheld computer.

Afterward, they searched the house for other computer-related items, such as a list of passwords or other media on which computer data can be stored. In this case, Youngflesh found three Zip disks and three CD-ROMs in an envelope on a bookcase, Watkins testified.

Copious review

Once back at the office, the real work began: poring through thousands of files. In an era in which a typical hard drive holds 20 gigabytes of information, that can be a daunting task.

Twelve gigabytes of text, for example, would stack 24 stories high if printed out.

Westerfield's computers contained about 64,000 photo files and 2,200 video clips, Watkins said.

Investigators had to sift through them to find the 100 or so files they deemed relevant to the case.

Just as police testified that Westerfield's house was in immaculate order, so were his computer files, Watkins said. Westerfield neatly organized his digital data – including pornographic photos – in computer folders, and folders within folders, the detective testified.

With so many files to sift through, what investigators look for first is dictated by the nature of a crime. In this case, they were looking for files containing child pornography, which a prosecutor said points to a motive for the crime: sexual assault.

Watkins said he found less than 100 "questionable images," including those he said that may have depicted minor females engaged in sex acts or posing nude in a sexual manner.

Two of the files he said he retrieved were cartoon animations of an act of rape. Eight more photos also entered into evidence were supposedly of a girlfriend of Westerfield's and her teen-age daughter in a bikini in suggestive poses.

Unlike handwritten notes, computer data contain embedded information noting when a file was created, when it was modified and when it was last accessed. That can give investigators valuable insight into timing.

Deleted, hidden files

Computer forensics goes beyond plowing through the obvious "active" files on a computer. Investigators also look at "deleted" files.

Many computer users do not realize that simply deleting a file does not make it disappear forever. In most cases, hitting the Delete button erases the file from the directory, but the underlying data remain on a disk until the computer writes over it.

Watkins was able to resurrect some files that had been deleted from the Zip disks, he said.

Another routine check he said he performed on Westerfield's computers was to see if any files were disguised with "bad signatures." That is when a file extension, such as .doc or .mp3 or .jpg, is changed to hide the true nature of the file. For instance, a .jpg file, which denotes an image, could be changed to .mp3 to make it appear to be a music file.

Watkins testified that he found no such attempts to disguise files in Westerfield's computers.

While the fact that a file was found on a specific computer or disk may be indisputable, who actually created it or viewed it is often not as concrete.

Westerfield's attorney raised questions about who downloaded or created the files on his client's computers. In court, he suggested that perhaps Westerfield's grown son or a house guest may have done it.

"You don't know who downloaded those photos onto the Zip drives or CD-ROMs, do you?" Watkins was asked.

"No, sir, I don't," he replied.



TOPICS: Crime/Corruption; Extended News; News/Current Events
KEYWORDS: childporn; computers; daniellevandam; davidwesterfield; kidnapping
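
The "bad signature" check the article describes, as an added example that is not part of the article and not the tool the investigators used: this Python sketch compares what each file's extension claims with the leading bytes of its content and lists the mismatches. The signature table is a small, well-known subset, and the names `MAGIC`, `CLAIMS`, `sniff`, `check` and `scan` are this example's own.

```python
import os

# Leading "magic" bytes for a few common formats (published, well-known
# values; deliberately not exhaustive).
MAGIC = {
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "mp3": [b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"],
    "ole2": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # legacy .doc container
}
# Content type each extension claims to hold.
CLAIMS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
          ".pdf": "pdf", ".zip": "zip", ".mp3": "mp3", ".doc": "ole2"}

def sniff(header):
    """Return the format whose signature begins `header`, or None."""
    for kind, signatures in MAGIC.items():
        if any(header.startswith(sig) for sig in signatures):
            return kind
    return None

def check(name, header):
    """Compare what the extension claims with what the content is."""
    claimed = CLAIMS.get(os.path.splitext(name)[1].lower())
    actual = sniff(header)
    if claimed is None:
        return ("unknown-extension", actual)
    if actual is None:
        return ("unrecognized-content", None)
    return ("match" if actual == claimed else "bad-signature", actual)

def scan(root):
    """Walk `root`, opening files read-only, and list signature mismatches."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict, actual = check(name, fh.read(16))
            if verdict == "bad-signature":
                findings.append((os.path.relpath(path, root), actual))
    return findings

if __name__ == "__main__":
    # Constructed sample: JPEG header bytes under a music-file name.
    print(check("song.mp3", b"\xff\xd8\xff\xe0\x00\x10JFIF"))
```

Point `scan` at a read-only mount of the working copy rather than the original media, in line with the article's point about examining a duplicate.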
To: skipjackcity
Fingerprints in Danielle's room--some of the U.S. papers reported that, too, but at the PH, there was no mention of it. I suspect that is another piece of misinformation released by the SDPD to "boil the jury pool" as one columnist put it. It would have been discussed, if they had them.
61 posted on 03/26/2002 6:09:38 AM PST by MizSterious

To: UCANSEE2
"She finds the stash of cocaine and eats it or maybe she saw them snort it, so she imitates them. Causes OD to the tiny body of Danielle. "

This is one scenario I've considered often, perhaps because my grandniece once nearly died after eating most of a bottle of vitamins when she was a wee one. She'd pulled a chair to the counter, climbed up, gotten the cupboard door open, and apparently opened the child-proof cap with ease. Kids should not be left unwatched, because they can be incredibly ingenious when it comes to getting into trouble, some of which might threaten their own lives.

62 posted on 03/26/2002 6:13:34 AM PST by MizSterious

