Before the body of Lacy Peterson washed up on the shores of San
Francisco Bay last year, investigators already had a pretty good idea she’d be
there. A police computer forensic expert had pored over double-murder defendant
Scott Peterson’s five computer hard drives, according to the prosecutor’s
case, only to discover that he had shopped online for a boat, studied water
currents and bought a gift for his mistress in the weeks leading up to his
wife’s death. Prosecution testimony also had Peterson showing an interest in a
computer map that included Brooks Island, where Lacy was later found.
At the Pasadena headquarters of Guidance Software Inc., former L.A. County
sheriff’s deputy-turned-chief executive John Colbert explained how his
firm’s EnCase software enabled investigators to harvest Peterson’s
electronic fingerprints and establish a crucial timeline.
“You would think that they are looking for a smoking gun, which they find
sometimes,” said Colbert, who served in the Los Angeles County Sheriff’s
department for 14 years. “In other cases they are putting together a
psychological profile.”
The computer forensic field has grown dramatically over the last five years as
the bulk of information storage has become electronic. EnCase was the first
software to eliminate the time-consuming and complicated DOS format for computer
forensics in favor of an easier-to-use Windows-based system.
Clients can either have Guidance Software technicians rummage through hard
drives or they can buy the company’s software and do the rummaging themselves.
The product has been used in child pornography cases, electronic and corporate
fraud, and increasingly, homeland security efforts.
“It doesn’t do everything, no package does, but it’s very
comprehensive,” said Mark McLaughlin, president of Century City-based Computer
Forensics International, which uses EnCase software to examine information in
civil cases.
Curtis Tomlinson, who manages investigations at Sunnyvale-based Advanced Micro
Devices Inc., said the company uses Guidance’s software to spot potential
theft of intellectual property by its employees.
“We do software and product design so there’s a lot of effort that goes into
protecting it,” Tomlinson said. “If an employee leaves under less than
desirable circumstances or is suspicious, then the software helps us prove or
disprove whether anything is going on. We’ve been able to resolve significant
issues.”
Not ‘CSI’
Demand for the privately held company’s products and services has ballooned:
Sales this year are expected to be $30 million, up from $20 million in 2003 and
$9.7 million in 2002. Government clients make up 55 percent of the business.
There are 13,000 software clients, not including people who contract for the
company’s investigative services.
Guidance’s own forensic lab is a far cry from “CSI.” There are no blood or
hair samples under a microscope, no crime photos or white lab coats. Instead,
the narrow space is sparse and neat, with a bank of a half dozen or so computers
and a metal shelf stacked with hard drive scanners that can collect electronic
data from anything computer-driven – PCs, laptops, digital cameras, PDAs and
cell phones.
The investigator hooks the hard-drive into the device and copies the
information. This allows multiple investigators to sift through the contents
without compromising the original, which is stored in an evidence locker to
prevent tampering. Guidance processes about 300 cases a month, and takes about
three days to finish a case.
Recovering computer evidence can be tricky business. One wrong move and
information can be obliterated or rendered inadmissible in court. Colbert
recounted one example in 1997, when L.A. Sheriff’s deputies arrived on a
homicide scene to find a dead woman draped over her computer keyboard.
Investigators immediately pulled the plug on the unit and took it back to the
lab.
There, homicide investigators determined the woman had logged onto the PC two
hours before coroners estimated her time of death. Based on the new timeline,
the husband admitted to the murder. He had dressed the victim as though she were
going to work, leaned her over the keyboard and called 911.
“That was such a fragile piece of evidence that could have been destroyed if
investigators had turned on the computer and lost the login time,” Colbert
said.
Guidance trains more than 3,500 investigators annually in the use of the EnCase
Forensics software, which sells for $3,000 a copy and allows users to examine
individual computers. The newer EnCase Enterprise version averages $250,000,
allowing companies to stop theft or wrongdoing as it happens – what Colbert
calls incident response.
The software has played a role in the trials of Scott Peterson and Michael
Jackson – and in high-profile cases like the one involving shoe bomber Richard
Reid. EnCase is said to be the only forensic software that recognizes Arabic,
which allowed the Federal Bureau of Investigation to discover the threats on
three laptop computers and 51 disks seized in a July 24 raid in Pakistan.
Randall Bolelli, director of the FBI’s San Diego Regional Computer Forensic
Lab, said the software is used in almost every case where agents suspect digital
evidence exists.
“It’s like identifying millions of needles in millions of haystacks,” he
said. “On a regular crime scene you are looking at one file cabinet. In a
computer crime scene, you have 50 file cabinets and you have to find one
document. That’s the challenge.”
Colbert recognized the field’s potential immediately. After working five years
as senior investigator for the Sheriff’s Commercial Crimes Bureau, where he
helped develop one of the nation’s first computer forensic labs, he decided to
make a career change to the private sector. Last month, he took over as chief
executive and the company restructured its operations to focus on developing the
forensic software and training division.
“I was presented with the option of being promoted to sergeant and moving back
to patrol or taking on a new career in this fast-developing computer-forensic
market,” he said. “It was an easy choice for me to change careers.”