Cyber forensics uncover secrets
City of Grosse Pointe
June 12, 2008
What happens in Vegas might stay in Vegas, but not when it's done on a computer.
The delete key doesn't go far in wiping out evidence people would rather leave behind.
Det. Alan Gwyn, a computer forensics specialist with the City of Grosse Pointe public safety department, exposes secrets hidden inside crooks' computers.
His first step in unraveling webs of cyber deceit is to preserve the suspected evidence.
"I remove the hard drive and set it up with a write blocker (a type of hardware) that prevents data from my computer getting on the suspect hard drive," Gwyn said. "You need to prevent that or you can compromise evidence."
He said he documents every step of the investigation, starting by photographing the suspect's computer. Next, he creates an image of the hard drive, called an image file.
"You can only analyze image files with forensic tools," he said.
Gwyn uses a forensic toolkit. The program picks apart image files and logs their contents into specific categories such as e-mails, documents and pictures.
"It names where they were created, modified and pathed on the computer," Gwyn said. "You can search day, times, the last thing the person did, their Internet history and whether they were searching how to make fake IDs."
Investigators must do more than dig up suspicious data.
"You can't say with 100 percent certainty that (a certain) person was behind the keyboard and did the crime, because you're not standing over their back," Gwyn said. "It could be any user."
Illegal computer activity has to be examined within context, as Gwyn did in the case of a woman being prosecuted for manufacturing fake checks on a home computer.
"You have to see, for example, if she entered her personal information (on the computer), and criminal activity occurred 30 seconds later," Gwyn said. "You can tie it in that she was the one, or she was the only one living at the house, or if it was password protected with her name."
Computer-aided criminals are becoming more common.
"They can make so much money with identity theft," Gwyn said.
Cases can require a lot of investigation. Prosecution is often time consuming. City Detective Ron Weizcorik is investigating the woman.
"I've spent two months working on this trying to figure out how many different things she, family members and friends did in this check writing scheme," Weizcorik said.
The case hasn't gone to court.
Gwyn said because computer cases are so complex, defendants often end up getting probation.
"It's not like someone walking into a bank with a gun for a couple thousand dollars and getting 15 years in prison," he said. "These people get $100,000, victimize 150 people, but get probation. Courts are so tied up with other cases and these cases take time we don't have."