Chapter 10: Digital Forensics

'The advent of the internet has complicated mystery plotting because so much more information is available to both the sleuth and the reader. The reader is not likely to remain long interested in a detective who is too dumb to take the obvious first step in any research – going on line for related information.'

Jeffrey Barlow, Berglund Center for Internet Studies




Angus Marshall and his wife are forensic scientists. People at dinner parties assume they spend all day in the morgue dissecting bodies. Shirley Marshall soon disappoints them when she explains that her DNA work is almost entirely lab-based. Angus lets them down still further: 'The only times I cut up anything fleshy is making dinner, or working on my car, and the second one's an accident.'

At school Angus joined the radio club to get his hands on electronics. One day a maths teacher brought a microcomputer in to show the class. 'It led to the establishment of the computer club and that's been my downfall. I haven't seen daylight properly since about 1983.'

After graduating, Angus began work as a computer scientist. At the University of Hull he was stationed at the Centre for Internet Computing, whose name made it simply irresistible to hackers. One even managed to wipe out the internet connection for the whole of the university's main campus. Angus set about tracking the hacker, and managed to trace his IP address all the way back to his street address in Amsterdam. These seem humble enough beginnings, but Angus was proud of the results of his dogged research and submitted a report of the investigation to the British Forensic Science Society. So when a far more serious and disturbing case arose, they knew who to call.

Thirty-one-year-old Jane Longhurst lived in Brighton, where she worked as a special needs teacher. She wore her chestnut hair neatly down to her shoulders. Everyone knew her as gentle and bubbly, especially her friends in the local orchestra, where she played the viola. Early on the morning of Friday 14 March 2003, Jane kissed her boyfriend Malcolm goodbye as usual.

When he came back that evening to find her gone, Malcolm quickly became concerned. Jane was dependable. She let people know what her plans were so they wouldn't worry. At midnight he was so disturbed by her absence that he phoned 999. The police initially treated Jane's disappearance as an ordinary missing person case, but after five days they changed it to a major murder investigation. Jane's bank said that none of her accounts had been touched since Friday. And her network provider could tell that her phone was turned off because it hadn't once communicated with any of their transmitters.

After a month of searching, involving seventy police officers and numerous newspaper appeals, Jane's body was found on 19 April. She had been dumped in a wooded nature reserve in West Sussex, and set ablaze. A passer-by who saw the flames had called the fire brigade. The fireman who found the body noticed a pair of nylon tights dug deep into Jane's neck. CSIs scouring the area found a match and an empty petrol canister.

Jane had to be identified from her dental records. When they examined her body, the two pathologists noted that the tights were pulled so tightly around Jane's neck that they had broken the skin and caused bleeding. A few days later, the police arrested Graham Coutts, a door-to-door salesman of cleaning products, and charged him with Jane's murder. He was the guitar-playing boyfriend of Jane's best friend, and had known Jane for five years.

When Coutts was confronted with the pathologists' reports and the trace evidence, he said nothing at first. But eventually he admitted to killing Jane. He had arranged to take her swimming at the local leisure centre, he told police, but instead took her back to his flat for a cup of tea. There he wrapped the tights around Jane's neck in a consensual act of erotic asphyxia, gradually tightening the ligature as he masturbated. Once he had reached orgasm he looked at her body and noticed 'to my horror' that it was lifeless. He then put her body into a cardboard box, and moved it into his garden shed.

Eleven days after Jane's disappearance, the police visited Coutts. They were trying to question everyone she knew, hunting for clues. He decided at that point that he had to move her body to a room at a nearby Big Yellow Storage facility, for which he paid for an 'all hours' key. Over the next three weeks he visited Jane's body nine times. When the stench of decomposition grew too strong, he moved her again, on 17 April, to the nature reserve, where he set fire to her remains.

When they investigated the storage unit the police found Jane's mobile phone, purse, jacket and swimming costume, and a shirt belonging to Coutts with her blood on it. They also found a condom containing his semen, and with her DNA on the outside. They searched his flat and took away two computers. Together with the Police Computer Crime Unit, Angus Marshall went to work on them, fighting against his own emotional reaction to the hideous things Coutts was charged with.

In court the defence argued that Coutts was guilty only of manslaughter, and called forensic pathologist Dick Shepherd (see pp.77–86) to the stand. He testified that in acts of erotic asphyxia it is possible for someone to die quickly, within a second or two, as a result of the inhibition of the vagus cranial nerve. The pathologist for the prosecution, Vesna Djurovic, denied this possibility, arguing instead that it takes two to three minutes for a person to die of strangulation – plenty of time for Coutts to know exactly what he was doing.

One of Coutts's ex-girlfriends testified that he had partially strangled her on many occasions during their five-year relationship. Two of Jane's ex-boyfriends gave accounts of ordinary sex lives with her. When cross-examined by the prosecutor, Coutts admitted that he had a fetish for women's necks, and that this was the first time he and Jane had engaged in a sexual act.

For Angus the case was proving very difficult, both emotionally and professionally. He was propelled 'from a relatively trivial hacking incident into a very nasty murder. I will never forget that case.' It was career-changing. It also gave him a chance to see the kinds of things people thought they could do with impunity, and then to try and unpick that impunity. There were lessons aplenty for him: 'I was cross-examined by the two barristers. They were having problems with the concepts and weren't asking the questions in the right way. So the judge stepped in because he understood the technical issues far better than they did.'

Unfortunately, the judge asked Angus one question about the use of cookies – the little bits of data stored on your computer that communicate with the websites you revisit. It spooked the jury. 'They started passing notes to the judge, wanting to know how they could protect themselves and hide their online activities from spouses and other family members.' Once the judge had restored order, Angus proceeded to give his evidence.

He had found more than 800 pornographic images on Coutts's two computers, of which 699 were of strangled, suffocated or hanged women. One showed a Father Christmas strangling a girl. As well as finding the images, Angus had pieced together a timeline of Coutts's online activity. He had been visiting violent pornography websites, such as 'Necrobabes', 'Deathbyasphyxia' and 'Hangingbitches'. The frequency of his visits had increased in the weeks before Jane's death, when he also paid for memberships of websites such as 'Club Dead' and 'Brutal Love'. His visits and downloads reached their peak during the day before Jane's death, and the two days before her body was found in flames.

Graham Coutts was convicted of murder and sentenced to life in prison. Angus recalls the judge commenting on the importance of 'the evidence from his computer showing his normal patterns of activity and the total disappearance of that pattern on the day of the murder'. Since the case, Angus has made pulling together timeline evidence a priority.

Violent criminals often leave digital traces of the twisted paths down which their minds go. Does the internet spur them along those paths? At any one time there are roughly 100,000 'snuff' sites on the web, disseminating images and video of killings, cannibalism, necrophilia and rape. The UK and US governments have taken steps towards combating these kinds of sites – though both more tentatively than Iceland's, which has attempted a complete ban on online porn.

However vigilant the authorities are, the problem remains that when a site is shut down it usually opens up again under a different domain name almost immediately. Getting to the root of the issue, and going after the producers of violent pornography, needs a level of organisation and international co-operation which has so far not been met. There are people who argue that sites peddling violent pornography only exist because there is an appetite for them. The relationship between the sites and the appetite still needs research and clarification, but to call it anything less than reciprocal seems deluded. Whether these internet images cause extreme behaviour or merely mirror what already exists, there is no doubt that violent sex offenders use them to fan the flames of their own fantasies.

On the evening of 26 May 2013, 23-year-old Jamie Reynolds sent a short text message: 'I'm excited. Don't be late.' He had asked 17-year-old Georgia Williams, the daughter of a police detective, to come over to his home in Wellington, Shropshire, to model some clothes for a photography project. Reynolds didn't tell Georgia that he'd been planning the project for months.

When she arrived he gave her high heels, a leather jacket and leather shorts to put on. He took some photos and asked her to stand on a red recycling box on the landing. Round her neck he placed a noose, which he attached to the loft hatch above. He took a photo. At this point, according to police who saw it later, Georgia looked 'happy' and 'compliant'. Then Reynolds kicked the box from beneath her. A bruise found in the small of her back suggested to a pathologist that he had applied downward pressure with his knee to speed up her suffocation. He then sexually violated her body.

When police examined Reynolds' computer they found dozens of composite images. He had taken the heads of innocent girls on Facebook and put them on to bodies engaged in hardcore pornography. They found 72 violently pornographic videos, almost 17,000 images and 40 fantasy stories written by Reynolds, one of which was called 'Georgia Williams in Surprise'. Reynolds had taken photos of his victim before, during and after the attack. The prosecuting lawyer asked for the material not to be shown in open court and only to be viewed by the judge because of its severely distressing nature. Reynolds was given a whole-of-life jail sentence for an act which Georgia's father called 'horrific and beyond comprehension'.

The global expansion of personal computer and smartphone ownership has made it much easier for people like Graham Coutts and Jamie Reynolds to indulge their perverted fantasies. But the majority of people use the internet to do relatively innocuous things (even if the jury's reaction to Angus's explanation of cookies at the Coutts trial might suggest otherwise). Criminals, too, use the internet to do ordinary things. They write emails to family and shop with online retailers. But when they step down illegal paths, they leave a footprint that forensic digital analysts like Angus can decipher more clearly than many of them realise.

Today's torrent of personal devices began as a trickle. In the early 1980s forensic digital analysts mostly helped police investigate copyright infringement – such as kids copying games for their Atari game consoles – and fraudulent business activities. Hard drive storage capacities were so small back then that an expert could often browse through all the files on a drive until he found what he needed to secure a conviction. 'Computers were relatively dumb devices at first,' says Angus. 'The complexities, the interactions that we see today, just weren't there.'

Up until the mid 1990s computers connected using the dial-up 'bulletin board system', which was a precursor to the world wide web. People used bulletin boards to talk to other geeks about technical problems they were having, or to get help with completing a game they were playing. There were a few renegades exploring the possibilities of using their new-found powers for evil, but most people were just excited by the possibilities. To be involved, you needed a fair amount of technical expertise and you often had to build quite a lot of the kit yourself.

But computing power continued to grow exponentially. When Microsoft launched Windows 95, they opened up the world wide web to ordinary people. At this point the police started to take digital forensics seriously, realising, like Angus, that 'criminals tend to be very good at adopting new technology'. In 2001 Home Secretary Jack Straw established the British National Hi-Tech Crime Unit. He said at the launch, 'New technologies bring enormous benefits to the legitimate user, but also offer opportunities for criminals, from those involved in financial fraud to paedophiles.' The National Hi-Tech Crime Unit took on new crimes that the digital revolution had made possible, like hacking, and old crimes which it had facilitated, like stalking.

In 2006, the national unit was replaced by regional ones. Today at a crime scene the Senior Investigating Officer decides whether she needs someone from her force's hi-tech crime unit to look at the digital material. 'Just like with DNA,' Angus explains, 'when they've got eyewitness accounts, fingerprints and everything else, they often don't need the expensive analysis. But for something like stalking or grooming, they have to go to hi-tech crime.' When a unit doesn't have the capacity or expertise to analyse digital evidence, the SIO will call in an independent like Angus. By that point 'the routine work has often been done. Most of the time investigators want immediate answers to difficult problems, so I improvise and invent new techniques as I go along.'

An example of this improvisational approach happened in a recent child abuse trial. The accused man – let's call him David – was charged with multiple counts of paedophilia. His defence strategy was to discredit the key witness, his step-daughter 'Sarah'. He claimed it wasn't he who'd had sex with the 14-year-old, it was the boys she'd been having dirty chats with on Facebook. As evidence in support of his claim, David produced data from a 'key logger' which he'd installed on Sarah's computer. A key logger is a hidden program which silently records the actions of the computer user. Every time Sarah typed something or clicked on something in her web browser, the key logger would capture a screenshot – a complete picture of everything on the screen. David had periodically downloaded these screenshots. Some of the ones he presented to the court showed an indecent Facebook chat session between Sarah and a teenaged friend of hers, 'Fred'. But both teens vehemently denied that the chat had ever taken place.

Angus more often examines the digital life of suspects than of alleged victims. But in this case the best way to corroborate or invalidate David's testimony was to look at Sarah's computer. On it he found no evidence of a chat with Fred, but that didn't mean it hadn't taken place. 'As a general rule these days Facebook doesn't leave traces behind on hard drives. Everything happens in the browser,' Angus explains. While he did find a key logger installed on the computer, the screenshots of the alleged chat were not present. But that wasn't evidence one way or another either, because key loggers usually delete screenshots once they've collected a certain number of them to prevent the hard drive from clogging up.

However, Facebook itself keeps records of all chats even if users have deleted them, and Angus considered asking the company for the chat histories of Sarah and Fred. But that would have fallen very close to communications interception and covert surveillance, so he would have needed authority under the Regulation of Investigatory Powers Act (2000). Then Facebook Inc. would doubtless have taken their time. Angus would have had to wait six months or more for what he needed.

Next he asked Sarah for her login details, signed into her account and found no trace of a conversation with Fred. Of course, it might have been that she'd deleted the conversation. But what she could not do was completely expunge anyone from her lists of 'friends'. On Sarah's 'current friends', 'deleted friends' and 'requested friends', Fred was nowhere to be seen. Using Fred's login details, Angus found no trace of a conversation or friendship with Sarah on his account either. On Sarah's account Angus did, however, find records of other, milder conversations with other boys that David had provided screenshots of. It seemed as though David had nestled fabricated screenshots among real ones. But Angus was all too familiar with the principle that absence of evidence doesn't mean evidence of absence.

In the end, Angus wrote to the judge reporting that he couldn't be certain what had happened. It was theoretically possible that Sarah and Fred had had the indecent chat under false profiles that looked identical to their normal ones. Equally, David, who was a good amateur photographer, could have forged the screenshots. To gain a satisfactory view of what had happened, Angus needed to look at David's computers to see if he had manipulated the screenshots with a graphics editing program.

At this point the judge had to make the call. Should he continue with the trial? Or should he suspend the sitting and keep the jury sequestered for another week while Angus examined David's computers? He decided to proceed. The jury listened to the remaining testimony of the victims, and to Angus's evidence. Whilst his evidence was inconclusive – and he was careful to make that clear to the jury – it formed another piece of possible evidence that David was a manipulative liar. The jury deliberated, and found him guilty. He is currently serving twenty years in jail.

As the case of the key logger shows, the more people who use the increasing number of functions available on their digital devices, the harder it becomes for forensic digital analysts to do their job. Whereas some forensic scientists are able to answer straight questions – 'Does this blood belong to Mr A or Mr B?' – people in Angus's area of specialism have to judge the authenticity of evidence, construct timelines of online and offline activity and assess the validity of alibis. Those without the right blend of imagination and vigilance need not apply.

Angus loves the job for its intellectual challenge. 'I'm always learning something new, not just grinding away doing the same thing day in day out, but solving problems.' The hardest thing for him to bear is when his investigations throw up nothing. 'I don't know of anyone in the business who, when faced with a no result job, will stop. You keep probing and probing and probing because there must be something there, there's always something there, and it's really hard to accept that you've done everything you can and hit the limit.'

Before Angus can go to work, he needs something to work on, and getting it can be a headache. 'In order to collect evidence against one bad apple, you cannot storm in and seize the computer of every employee in an office. The response has to be proportionate.' Laying hands on the hardware for Angus to work on is the job of the police. They have to justify a search warrant so they can confiscate digital devices from the suspect's living room, or trouser pocket.

When a device is found at a crime scene it is often covered in fingerprints and DNA. But because the magnetic brushes that CSIs use to powder up and expose fingerprints emit electromagnetic fields, they can destroy evidence within the device. Hence, CSIs have learned to place devices carefully in antistatic plastic bags, then send them to the digital analysts. 'We still occasionally encounter devices sent to the wrong unit,' says Angus. 'I've seen mobile phones sent to the CCTV unit because detectives wanted the photographs. I've seen officers pick up a mobile phone – very very rarely now, but I have seen it – and start poking at it themselves to see what's on there.'

Once an uncontaminated device has found its way to the hi-tech crime unit, then, according to Angus, 'unless it's a really high priority job like a murder or live missing persons case, it will sit in a storeroom for about six months, because forces have so much work to do'. The device that makes its way to Angus nowadays is seldom an answering machine, printer or fax machine. Usually it's a computer, smartphone or tablet. These tiny devices contain a detailed (if partial) snapshot of a person's life. To damage them can be to damage justice. 'Rule One is always, as far as possible, preserve,' Angus notes. As well as for forensic digital analysts, this is the golden rule for CSIs and civilians who want to provide admissible evidence. In practice, this usually means forensic analysts will make a direct copy of the contents of a machine they are going to investigate, in order to preserve the integrity of the original.

When the term 'forensic computing' was first used in 1992, it was in relation to recovering data from computers for use in criminal investigations. In one of Angus's early cases, a company director had accused previous directors of fraud, and collected the company's main hard drive to present as evidence. He had sent the drive for a 2-week repair, stored it at home for a week, then finally given it to a forensic computing firm for examination. Angus reported to the judge that this chain of evidence preservation was not good enough. It was impossible to be sure that the employee hadn't added, altered or overwritten files at some point in the drive's complicated journey. As Angus neared York Station on the train down to Leeds Crown Court for the hearing, he received a phone call telling him that the judge agreed with his report and had dismissed the case. He got off at York, walked across to the opposite platform and headed back home to Darlington.

'Sometimes I have to break Rule One,' says Angus. 'The latest iPhones and BlackBerrys are virtually impossible to copy. I have to install software on them to "jailbreak" them. Then Rule Two comes in: If you can't copy it and you're going to have to alter it, make sure you know what you are doing and can explain it. Contemporaneous notes is the charm.' If a careless investigator opens a file, the time is recorded on the file itself. This hinders the creation of timelines and, as adversarial lawyers love mentioning in court, fundamentally alters the file.
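The preservation steps described above (record the original's state, make one direct copy, work only on the copy, keep a dated note) can be sketched in code. This is an added example, not a tool from the book or from Angus Marshall; the function names and the sample data are hypothetical, and it assumes the source is attached read-only so that reading it cannot change it.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a large drive image never sits in memory


def sha256_of(path):
    """Hash a file's contents in chunks and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image, examiner):
    """Copy source to image in one pass, hashing as it goes; return a custody record."""
    # stat() reads metadata only, so the original timestamps are captured
    # before any read of the content could update the access time.
    before = os.stat(source)
    digest = hashlib.sha256()
    # Mode "xb" refuses to overwrite an image that already exists.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
    os.chmod(image, 0o444)  # the working copy is read-only from here on
    record = {
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source": os.path.abspath(source),
        "source_size": before.st_size,
        "source_mtime": before.st_mtime,
        "source_atime": before.st_atime,
        "sha256": digest.hexdigest(),
    }
    # Re-read the image from disk: the copy must hash to the same value.
    if sha256_of(image) != record["sha256"]:
        raise IOError("image does not match source; acquisition failed")
    return record


def verify(path, record):
    """True if the file still matches the digest taken at acquisition."""
    return sha256_of(path) == record["sha256"]


def demo():
    """Acquire a constructed sample, then show that a one-byte change is detected."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "evidence.bin")
        with open(source, "wb") as handle:
            handle.write(b"constructed sample evidence\n" * 1000)
        image = os.path.join(workdir, "evidence.img")
        record = acquire(source, image, examiner="examiner-1")
        intact = verify(image, record)
        altered = os.path.join(workdir, "altered.img")
        shutil.copyfile(image, altered)  # copies content only, so this file is writable
        with open(altered, "ab") as handle:
            handle.write(b"x")
        return intact, verify(altered, record)


if __name__ == "__main__":
    print(demo())
```

A digest recorded at the moment of seizure is what lets a later examiner show that nothing was added, altered or overwritten while the drive changed hands.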

Once Angus has an immaculate copy of the hard drive, he uses specially tailored software to look at both the current files and deleted files. From computer and smartphone drives Angus can restore almost all deleted photos, videos and messages, just as an old-school detective might have retraced the impression of a rubbed-out pencil line on a letter.

On mobile phones Angus will look at text messages, called numbers and missed calls. Text message dialogues sometimes show what criminals were saying to each other around the time a crime was committed. Individual text messages can provide crucial evidence, too. On the morning of 18 June 2001, 15-year-old Danielle Jones went missing near her home in East Tilbury, Essex. Suspicions quickly fell on her uncle, Stuart Campbell, and he was arrested when investigators found a green canvas bag in his loft containing a pair of white stockings tainted with a mixture of both his and Danielle's blood.

Campbell claimed that he had been at a DIY shop in Rayleigh, a half-hour drive away, when Danielle went missing. Police examined his mobile phone and found a text message sent from Danielle's phone that morning:

HI STU THANKZ 4

BEIN SO NICE UR THE BEST UNCLE EVER!

TELL MUM I'M SO

SORRY LUVYA LOADZ DAN XXX

But when police interrogated the records from the network providers, they found that both his and Danielle's phones had been within the narrowly defined range of the same mobile phone transmitter when Campbell's phone received the text message.

Linguistics expert Malcolm Coulthard demonstrated in court that Danielle habitually wrote her text messages in lower case. He also noticed that in another text on Campbell's phone, sent shortly after the first, the word 'what' had been shortened to 'wot', whereas Danielle always typed 'wat'. Clearly, the text message had been planted and Campbell's fabricated evidence had imploded. Despite the fact that a £1.7 million search operation by Essex Police failed to discover Danielle's body, her uncle is now serving life behind bars.

Accurately locating victims and suspects at the time of a crime has obvious benefits for investigators. Modern iPhones and Android phones log their movements by default, making it possible to plot a detailed map of where somebody's phone has been – and, by assumption, where they have been, too. The location-tracking feature can be disabled deep in the smartphone's settings, but many people don't know this. The iPhone 5S has a specialised location chip that runs off reserve battery power. Users have reported their iPhone continuing to track their movements for four days after the phone has run out of battery and turned itself off. The justification for the location data is that it helps Apple to improve its maps app, and to tailor suggestions for things for users to do nearby. Needless to say, the police are interested in this data too.

Even if a user turns off location tracking on their phone, investigators can interrogate network provider records to fix an approximate area at a given time. This is because mobile phones constantly communicate with local phone masts in order to find a signal. These masts tend to cover small areas, as occurred with Stuart Campbell in East Tilbury – and also in a remarkable case in Scotland in 2010.

On the morning of 4 May, 38-year-old Suzanne Pilley set off on her way to her job as a bookkeeper for a financial services company on Thistle Street in central Edinburgh. At 8.51 a.m. she was caught on CCTV coming out of Sainsbury's, where she'd bought her lunch. And that was the last time anyone saw her alive. Anyone, that is, apart from her work colleague 49-year-old David Gilroy. Gilroy was married with children and had been having an affair with Suzanne for about a year. She had recently decided to end their relationship for good, having had enough of Gilroy's controlling nature and fits of jealousy.

In the month leading up to Suzanne's disappearance, Gilroy had bombarded her with more than 400 texts and numerous voicemail messages. He had been desperate to keep the affair going, and unwilling to accept her rejection. On two particular days he had sent more than fifty pleading texts. The day before she vanished, Gilroy had left her numerous texts and a voicemail message in which he said, 'I'm worried about you.'

Suzanne had spent the night before her disappearance with a new man, Mark Brooks, which sent Gilroy over the edge. He murdered Suzanne in the basement of their office, and hid her body in the stairwell. He made an excuse to his colleagues – who later described him as 'seeming clammy, with scratches on his neck and face' – to take the bus home and collect his car. On his way, CCTV footage showed him buying four air fresheners from Superdrug. Back at the office, Gilroy altered his engagements so that the next day he would have to drive 130 miles into the rural heart of Argyll to check on a school whose accounts his firm was keeping. Then he bundled Suzanne's body into the boot of his car.

That evening he went to see one of his children perform in a school concert, then on to a restaurant with his family. Meanwhile, Suzanne's worried parents had reported her missing.

On 6 May, the police interviewed Gilroy. They noticed a cut on his forehead, subtle bruising on his chest and curved scratches on his hands, wrists and forearms. Gilroy said he had scratched himself while gardening. Forensic pathologist Nathaniel Cary would later examine photographs of these injuries and testify that they could have been made by another person's fingernails, possibly in a struggle, and that he had seen similar scratches on stranglers before. He added that he couldn't be sure because Gilroy had covered the scratches in flesh-coloured make-up. But he did concede under cross-examination that Gilroy's version of how he got the scratches was possible.

At the time, the police were suspicious enough to seize Gilroy's mobile phone and car. When forensic scientist Kirsty McTurk opened the car boot, she noticed a fresh smell coming from it, like 'air freshener' or a 'cleansing agent'. She looked for evidence in the boot and then in the basement stairwell at the office in Thistle Street. She could find no trace of Suzanne's DNA. However, when specially trained cadaver dogs smelled the boot and the stairwell they showed 'positive indications' of detecting human remains or blood. One of the dogs, a Springer Spaniel named Buster, had previously managed to locate a dead body in nearly 3 metres of water.

Police also found vegetation and damaged suspension underneath Gilroy's car. The roadside cameras were inconclusive, but detectives felt certain he had made a detour off the A83 Rest and Be Thankful road, a well-known scenic route, before returning home.

A forensic digital analyst went to work on Gilroy's phone. 'When you switch a mobile phone off,' explains Angus, 'it records the phone mast that it was last communicating with, so that when it's switched back on, it can quickly find it again.' On his way to the school in Argyll, Gilroy had switched off his phone between Stirling and Inveraray. Police suspected he had done this to avoid being tracked as he searched for a good place to dispose of Suzanne's body in the dense woodland. Then he went to visit the school. On his way back, Gilroy again switched off his mobile phone between Stirling and Inveraray. This, the police believed, was when he dumped the body.

When Gilroy stood trial, police search teams still hadn't found Suzanne's body. Nevertheless, on 15 March 2012, David Gilroy was found guilty of murder and conspiracy to defeat the ends of justice. The judge, Lord Bracadale, agreed to let television cameras into the court, making Gilroy the first convicted killer to have his sentencing filmed for British television. 'With quite chilling calmness and calculation,' said Bracadale, 'you set about disposing of the body, apparently somewhere in Argyll; and, but for the commendably thorough investigation carried out by Lothian and Borders Police, you might well have been successful in avoiding detection and prosecution.' He sentenced Gilroy to a minimum of eighteen years in prison. After receiving threats from fellow inmates at Edinburgh Prison, Gilroy was moved to Shotts Prison, where on his first day another inmate broke his jaw.

Police searching for Suzanne Pilley's body near Arrochar, Scotland. Her remains were never found, though David Gilroy was found guilty of her murder in 2012.

Gilroy's conviction had much to do with the sensitivity of investigators to his digital footprint. Without their analysis of mobile phone and CCTV evidence, he would probably be a free man today. It's rare for murderers to be convicted in the absence of their victim's body. It happened to Stuart Campbell, partly because of the splatter of Danielle's blood which investigators found on the underwear in his loft; and it happened to the Liverpudlian drug dealer caught out solely by DNA found in the pupal cases of maggots that had fed on his victim's corpse (see p.57). In the Gilroy case there was no DNA. The scratches on his arm would not have been enough. He was convicted because of unusual mobile phone activity, CCTV video and images from road-side cameras.

It's up to people like Angus Marshall to use images and video to incriminate criminals like David Gilroy. The job is occasionally revelatory, usually methodical; it can take time to build up a digital picture. Angus creates his own tools to help. 'I'm a weirdo. I don't use any of the industry standard tools; they'd get me the same results as everyone else. Most of the programs I write are not very big or complicated, they simply automate things and allow me to sleep occasionally.' Once such programs have recovered all of the photographs and video files on a given hard drive, another goes through and tries to match them to a child abuse database held by the police, automatically sorting them into one of the five levels of severity, from relatively innocent nude posing right through to bestiality. 'Unfortunately there are always a few that haven't been seen before and some poor soul has to sit and manually classify those and then submit them,' Angus says, his genial expression clouding over.

The database stores the origin of each image, if it's known. This means investigators can link the consumers of illegal media to the creators, as happened in the busting of Scotland's largest paedophile ring in 2005 (see p.186). It's a traumatic job, but independent experts like Angus – or, more usually, police officers – look very carefully at abusive photographs and videos, to pick up clues as to where in the world they were taken. 'It can be subtle little things like the shape of the electrical sockets, the sound of the TV or the language being spoken,' Angus explains. 'You can approximate the time of day from where the sun is in the sky. If there is a victim of abuse in there, you can estimate their age and cross-reference what they look like against missing persons databases.'

And then there's the metadata – information which is embedded in images and video files taken on digital cameras and smartphones. Metadata reveals useful information, from the make and model of the device to the date and time when the media was recorded – if the perpetrator set the clock. Although image manipulation software and file sharing sites sometimes strip metadata, it is often still buried there and, with the right software, it can be read.

Modern devices even put GPS coordinates into the metadata, making it possible to know where the photographer was standing. This means digital forensic experts can interrogate the records of mobile phone networks to find out which phones were active in a particular area at any given time. GPS coordinates in metadata have also helped police locate criminals who are on the run, as demonstrated by the sensational case of John McAfee, a somewhat unstable computer genius who lived in the jungles of Belize.

McAfee was the son of an English woman who fell in love with an American soldier stationed in the UK during the Second World War. As a boy he moved with his parents to Virginia. When he was fifteen, his alcoholic and abusive father shot himself dead. McAfee then became hooked on drugs, but maintained an enthusiasm for computer programming and managed to hold down jobs at institutions as august as NASA. Eventually he struck out on his own and created McAfee Anti-virus, the first commercially available virus prevention software. In 1996 he sold his stake in the company for tens of millions of dollars. By then, as McAfee himself acknowledges, people knew him as 'the paranoid, schizophrenic wild child of Silicon Valley'.

In 2008, at the age of sixty-three, McAfee headed south from California to Belize, where he hoped to use the jungle flora to develop new antibiotics that would, in his words, 'interrupt bacteria's ability to communicate'. In 2012 police raided his research facility, claiming it was a methamphetamine factory. All charges were subsequently dropped.

John McAfee surrounded by the media after his detainment by Guatemalan police

McAfee's house in Belize

But the relationship between McAfee and his American expat neighbour, Gregory Faull, soured beyond repair. Faull, the owner of an Orlando sports bar, particularly hated McAfee's dogs. He sent a complaint to the local authorities, part of which read: 'These animals get loose and run as a pack. Three residents have been bitten and three tourists have been attacked.' McAfee later found four of his eleven dogs poisoned and had to shoot them to put them out of their misery.

On 11 November 2012 a housekeeper discovered Faull on his patio, lying face up with a bullet in his head. When police came to question McAfee, he hid from them under a box. Then he went on the run, disguised as a ragged salesman. However, he continued to update his blog and give online interviews. 'I have modified my appearance in a radical fashion,' he wrote; 'I'll probably look like a murderer, unfortunately.' When he made his way illegally over the border into Guatemala, the editor-in-chief of Vice magazine decided to follow his life on the run, and brought a photographer with him.

On 3 December the Vice website posted a photograph of McAfee in front of palm trees, underneath the smug caption: 'WE ARE WITH JOHN MCAFEE RIGHT NOW, SUCKERS.' But it also contained metadata which held clues to McAfee's exact longitude and latitude. Realising this, the photographer then posted on Facebook that he had manipulated the metadata. But that was a lie and soon the Guatemalan police tracked down and detained McAfee. He then faked a heart attack in order to buy his lawyer time. Together they blocked the Guatemalan authorities' attempt to deport McAfee back to Belize. He was sent to Miami, instead, where he was released. He then travelled to Montreal, Canada. Belize police still describe McAfee as 'a person of interest' in the murder of Gregory Faull, but not a prime suspect.

McAfee is now back in Silicon Valley, where he has been developing a $100 gadget called a D-Central that connects with your computer, smartphone or tablet and, McAfee promises, makes you invisible on the net. 'If you cannot see it, you cannot hack it, you cannot look at it, you cannot spy on anything happening inside it.' The idea is attractive to people in the light of the Edward Snowden leaks, and perhaps even more attractive to McAfee himself, given his own unhappy experience of overexposed data.

The D-Central is an extreme device for keeping private communications private, a manoeuvre that tech-savvy criminals and law-abiders alike are keener than ever to make. 'Certainly, younger generations are very careful about their footprints,' says Angus. 'I've spoken to a number of them over the years and they are fully aware of how much snooping goes on and how much of their personal data is being exploited. A lot of them have a simple solution to making sure people can't get at their data; they lie, they create fake accounts and leave fake footprints.' Some do this to stop potential employers seeing photos of them topless and drunk; others because they don't like the idea of government officials poring over their data; still others because they want to keep their criminal behaviour under the radar.

Angus is unhappy with the snooping activities of the National Security Agency (NSA) in the United States; in particular, he is unhappy with the notion of providing public security through imperilling individual privacy. 'We used to think Eastern Europe was bad. Our allies are getting even worse.' When an agency like the NSA snoops on websites like Google Mail or Facebook they use an automated program to look for trigger words. If you were to send an email to your lover saying, 'You're the bomb,' Angus reckons, 'they'd have a look at it, probably have a laugh, save it for the Christmas party but not much more than that. But if you start talking about building nuclear warheads, they'd look at you in great detail.' Of course many of the most serious criminals steer clear of providers like Gmail and Facebook.

Some of them also know that if they use the web on their smartphones or tablets via applications like the Facebook app, they will leave a trace that Angus can pick up. 'But if it's on a web browser on a mobile device then there is no trace. So we have to ask Facebook Inc., who do give us something. Twitter give us practically nothing.'

The big Californian corporations are trying to get everyone to put their personal data in 'the cloud', which ironically means a remote storage facility in the United States. The cloud keeps personal data up-to-date across all of a user's digital devices, thereby making it easier for the corporations to mine and exploit. Paradoxically, the more accessible the data is for users and corporations, the more hidden it is from people like Angus.

The future, says Angus, 'is online and it's cloud. Devices are pushing more and more of their data up into the cloud so that it is accessible to them everywhere. So we find it harder to get material off the devices, because it's not actually on them. We have to identify firstly if we can technically extract the data from the cloud and, secondly, if we can get legal authority to do it.' Crossing international borders is just as difficult for a detective now as it was before cloud computing, but the need is far greater.

Angus recalls a recent case when a judge wrote to a social media company asking them two questions about the reliability of their user data logging. 'We got back a very simple response from that company's lawyers. It said firstly, "You have written to the wrong office. Don't write to us in America, write to us in Dublin." And secondly, "Under the terms of the treaty that exists between the United Kingdom and the United States, we don't have to answer your questions."'

Cloud computing presents other difficulties for the forensic expert. Software like Dropbox, which keeps files synced across devices, enables users to overwrite and change files on one device from another device anywhere else in the world. Angus calls this a 'massive benefit to the end user but, from an investigative point of view, if somebody has made a change on their computer in their house on this side of the country, and their laptop in the other house on the other side of the country is still switched on, Dropbox changes the content on the laptop, meaning I cannot tell which house you were in.'

If done deliberately, this kind of behaviour is known as 'anti-forensics', and it can take dozens of forms. A simple example is an organised criminal who buys a pay-as-you-go phone a couple of days before committing a crime, and then throws it away immediately after the crime. There are all sorts of more complicated anti-forensic techniques. Some programs allow users to change the metadata in files, so that they can make a file look as if it was created in 1912 and last accessed in 2050. Others make files look to forensic programs as if they were another kind of file altogether. Thus, an expert could be tricked into thinking that an image file of a child being abused was an mp3 music file. Seeing through these ruses comes down to the ingenuity and experience of the forensic digital analysts. Just as a psychological profiler needs to empathise with a criminal in order to understand their motives and predict their actions, so a digital analyst has to be at the cutting edge of developments in the field, in order to work out exactly what tech-savvy criminals are up to.
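As an added illustration, not part of the original chapter and not one of Angus Marshall's tools, here is how an examiner's triage script can see through the two ruses just described: it compares a file's extension with the signature in its first bytes and flags timestamps that cannot be genuine. The signature table, the 1980 cut-off, the function names and the sample records are assumptions constructed for this example.

```python
from datetime import datetime, timezone


def utc(year, month=1, day=1):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Leading "magic" bytes of a few common formats (well-known signatures).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"), (b"GIF89a", "gif"),
    (b"ID3", "mp3"), (b"%PDF-", "pdf"),
]
EXTENSIONS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png",
              "gif": "gif", "mp3": "mp3", "pdf": "pdf"}
# Assumed floor: no file on a disk should predate the personal-computer era.
EARLIEST = utc(1980)


def sniff(header):
    """Return the format implied by the leading bytes, or None if unknown."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    # An MP3 without an ID3 tag begins with an MPEG frame sync (11 set bits).
    if len(header) >= 2 and header[0] == 0xFF and (header[1] & 0xE0) == 0xE0:
        return "mp3"
    return None


def triage(name, header, created, accessed, now):
    """Return the reasons a file deserves a closer look (empty list = none)."""
    flags = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed, actual = EXTENSIONS.get(ext), sniff(header)
    if claimed and actual != claimed:
        flags.append(f"extension says {claimed}, content looks like {actual or 'unknown'}")
    for label, ts in (("created", created), ("accessed", accessed)):
        if ts < EARLIEST:
            flags.append(f"{label} {ts.year} is implausibly early")
        elif ts > now:
            flags.append(f"{label} {ts.year} is in the future")
    return flags


# Constructed records (name, first bytes, created, accessed); not from a real case.
NOW = utc(2015)
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF", utc(2012, 6, 1), utc(2014, 2, 3)),
    ("track07.mp3", b"\xff\xd8\xff\xe1\x1c\x45Exif", utc(1912), utc(2050)),
]
for name, header, created, accessed in SAMPLES:
    print(name, triage(name, header, created, accessed, NOW) or "nothing flagged")
```

A flag is only a prompt for a human to look closer; a wrong clock or a careless rename produces the same signals as deliberate tampering.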

Sometimes the experts dabble in anti-forensics themselves. Angus explains, 'I have colleagues who travel the world and they don't take any technology with them. They buy a new laptop and a new mobile phone in whatever country they are visiting and they trash it and leave it there.' They do this because airport staff in some countries routinely make sure that people aren't smuggling out the truth about what's happening in their country, or bringing in pornography or bomb-making instructions. They simply need access for a remarkably short time. 'All airport staff have to do is pull you off into the room where the member of staff with the rubber gloves can keep you busy for half an hour or so,' says Angus. And that's long enough for them to copy an entire hard drive.

In the case of cyber crimes like hacking, forensic digital analysts sometimes have to play catch-up with the criminals. The old adage holds true: When the forensic scientist takes a step, the criminal counters with a step of their own. Fingerprinting made burglars put gloves on. CCTV made kids pull their hoods up. So sometimes old technologies can be the best anti-forensic tools. Analogue cameras don't embed metadata into their photographs. Old-style bulletin boards can be set up in cyberspace and used completely under the radar. 'They are really easy to set up,' Angus reveals. 'The old software's still out there. The hardware is readily available now. It doesn't take a lot and, to be honest, you can hang one on the end of a pay-as-you-go mobile phone, which is almost untraceable.'

Physical evidence is still absolutely crucial to solving the vast majority of crimes. 'None of the cases that I've dealt with have been exclusively built on computer evidence,' Angus admits. 'The computer evidence is corroborating something else. It can be incredibly strong corroboration, but it's rare that it's the only evidence. So if we don't find it, as I said before, absence of evidence doesn't mean evidence of absence.'
