Digital crackdown

But the image came from a floppy disk confiscated during a police raid on a suspected car-theft ring. According to Massachusetts State Police Lieutenant Thomas Kerle, the thieves used desktop computers and printers to forge all of the documents needed to sanitize a stolen car, and resell it to some unsuspecting consumer.

"The inspection stickers, the registry stamps: You name it, they had it," Kerle said.

Kerle commands the state police computer forensics unit, a band of tech detectives whose skills are becoming as vital to law enforcement as fingerprinting. These days, no raid on a suspected automotive chop shop or drug den is complete without a search of the computers found on the scene. That's because nearly everyone uses computers these days, including crooks.

Earlier this month, the US Justice Department announced that a crackdown on digital criminals had resulted in the arrest or conviction of 125 individuals who had robbed their victims of about $100 million. The crimes went far beyond the expected cases of illegal computer hacking. Many involved traditional ripoffs with a high-tech twist -- such as a band of thieves in Chicago who were fencing stolen goods on legitimate Internet auction sites, or a San Diego identity theft ring that used computers to create bogus checks and phony ID cards for use in cashing them.

Yet battling these criminals requires a rare combination of skills. The researchers must know the principles of criminal investigation, taking care to follow the rules of evidence so the computer data will be admissible in court. But they must also master computer hardware and software systems, to ensure that they capture data without accidentally altering or destroying it, and losing precious evidence.

Think of the TV series "CSI," where glamorous cops pick over the gory remains of murder victims in search of clues. But in computer forensics there's no blood here -- just stacks of cold hard drives, waiting to give up their secrets.

The caseload at the state police computer lab clearly attests to a growing demand for this kind of expertise. So far this year, Kerle and his four colleagues have handled 196 cases, compared to 180 for all of 2002 and 108 in 2001.

Still, Kerle's office has managed to keep up with the rising volume of work. The lab has a two-month backlog of computers waiting to be inspected. By contrast, the state police lab in New Hampshire has just one technician, and a two-year backlog, according to lab director Tim Pifer.

"It is a problem and it will be here for some time," Pifer said.

Kerle's lab isn't the only one in Massachusetts devoted to computer crime. The Boston Police Department also has a computer forensics unit. Other communities throughout the state have joined together to form regional labs.

One such lab, run by the Medford Police Department, serves about 40 communities in Middlesex and Essex counties; another, operated by the Raynham police, covers Southeastern Massachusetts. And still another lab established by Massachusetts Attorney General Tom Reilly, played a key role in one of the state's most notorious murder cases.

On the day after Christmas 2000, Michael McDermott, a computer tester at Edgewater Technology Inc. in Wakefield, shot seven of his coworkers to death. At trial, McDermott pleaded insanity.

"His defense was the Archangel Gabriel came to him and said he had no soul," recalled John Grossman, head of the Massachusetts attorney general's computer crimes unit. "He had to kill Adolf Hitler and six other people to get his soul."

But during cross-examination, Middlesex County prosecutors confronted McDermott with records culled from his own computer, which showed that before the shootings he had done research on how to feign insanity.

Michael McDermott's attorney, Kevin Reddington, fought back, citing another of his client's computer files -- a 1987 suicide note -- as evidence that McDermott was truly insane. The jury was unconvinced. McDermott is now serving seven life sentences in a state prison, instead of an indeterminate stay in a mental hospital.

It's not easy finding cops with top-drawer computer skills. Grossman's chief technical expert is a civilian. But Kerle's staff is composed entirely of experienced cops. One has a bachelor's degree in computer science, while the others have been brought up to speed through computer forensics training courses.

When they arrive at a crime scene, computer investigators quickly unplug the machine, in case the computer is running a file-erasure program that could eliminate evidence.

Next, they confiscate all of the computers and remove the hard drives containing the data files. These drives are "imaged," a method of copying that makes an exact physical duplicate of the data on the drive. The image is used for all future examination of the data, so there's no chance of harming the original drive.

Different computer operating systems store data in different ways. Microsoft Corp. alone offers three different file systems for its Windows software; investigators must understand them all.

Luckily, criminals, like law-abiding citizens, rarely use computers that run the Linux, Unix, or Macintosh operating systems, but such cases do sometimes arise.

"I think we've had three cases where we had to do forensics on a Mac," said Grossman.

A few criminals use encryption programs designed to make their secret files unreadable. But few suspects bother with encryption. Grossman said that his office has encountered several cases where some kind of encryption was used, but only once were his technicians unable to crack it.

Kerle cited one child pornography case in which the computer was equipped with the extremely tough PGP encryption program.

"But it happened at the time we executed the search warrant [that] they were reorganizing their whole photo collection, and when we executed the warrant it was in an unencrypted state," Kerle said. "Sometimes we get lucky."

But the biggest challenge in computer investigations may be the sheer size of today's computer hard drives.

In 2001, said Kerle, the average computer inspected at the lab had a 20-gigabyte hard drive. These days, it's up to 60 gigabytes, and computers capable of storing over 100 gigabytes of data are now common. That's enough to hold thousands of photographic images and millions of pages of documents.

Once the technical experts have obtained the files, the rest is a matter of old-fashioned research, as investigators plow through reams of information in search of tiny flecks of evidence.

They're helped by sophisticated software developed for the purpose, like Guidance Software Inc.'s EnCase forensic program. EnCase lets the investigator run searches that pick out the documents most likely to contain useful evidence.

A cop investigating the auction of stolen jewelry over the Internet could have EnCase search only those documents written since the theft occurred. Then he could look for words that might be connected to the crime, like "bidder," "eBay," or "jewelry."

Even so, most computer inspections are a long, hard slog.

"A simple, simple, simple case will take eight to 16 hours," said Kerle. But it's more common for investigators to spend 80 to 100 hours simply reading and viewing all of the documents.

Rarely does a computer search produce evidence that decisively proves a suspect's guilt, however. More often, the search firms up the state's case by producing additional facts that might otherwise have been missed.

"Occasionally we do get the smoking gun," said Kerle, "but a lot of times we're contributing pieces to the complete investigative puzzle."

While cops and prosecutors get better at computer investigations, criminal defense attorneys often find themselves playing catch-up. Cynthia Orr, a Texas attorney who co-chairs the Internet committee of the National Association of Criminal Defense Lawyers, says that her colleagues are usually at a disadvantage when it comes to computer forensic evidence.

"I think it's a measure of economics," said Orr.

Many defendants just can't afford to hire computer experts to refute the prosecution's arguments. Besides, said Orr, many attorneys don't take advantage of the opportunity to review their client's computer files. The prosecution must provide a copy to the defense, which can use the data to undermine the state's case.

Orr cites one of her own cases, in which a man charged with murder was supposed to have sent an e-mail containing an admission of guilt. Orr didn't question the legitimacy of the messages.

Instead, she showed that other people had access to the computer, and that the state couldn't prove that the author of the damning message was her client. This didn't get him off the hook, but it led the state to offer a relatively attractive plea bargain.

"We started out with an offer of life," said Orr, "and got it down to 25 years."

Orr gives lectures to fellow attorneys, teaching them how to turn computer evidence to the defendant's advantage. As defense attorneys improve their digital skills, more of them will put their clients' computers on the witness stand.

Hiawatha Bray can be reached at bray@globe.com.