Toddler dad’s fate rests on digital sleuthing


A sixpack of hardware

These are devices for which Cobb County Police obtained search warrants in the case against Justin Ross Harris. The warrant applications do not specify details such as when he obtained each device.

Dell Dimension 9200 Computer Tower (a computer that can stand under a desk, powering a desktop monitor and other peripherals)

Google Chromecast (a plug-in device to stream video to TV)

Apple MacBook Pro (a laptop computer)

Lenovo T530 ThinkPad (a laptop provided by Harris’ employer, Home Depot)

Apple iPad (a tablet computer)

iPhone (a smartphone)

On July 3, Cobb police and prosecutors successfully used tidbits culled from Justin Ross Harris' electronic devices to shock an international audience. When the trial opens, their task will be harder: to convince a jury, beyond a reasonable doubt, that Harris was — at the least — criminally negligent, not just tragically distracted, when he left his 22-month-old son in the car for seven hours.

Based on what they have shown to date, prosecutors made clear that the foundation of their case will be data retrieved from six or more of Harris’ devices, seized by Cobb police. They are an iPhone, an iPad, an Apple laptop, a Lenovo laptop, a Dell computer tower and a Google Chromecast, with which users can stream online video on their TVs.

Cobb police officials declined to talk to The Atlanta Journal-Constitution about the case, the credentials of its digital forensics specialists or whether they will seek outside help to scour Harris’ devices. The Georgia Bureau of Investigation said it’s not assisting in the case.

In theory, Harris’ devices could give investigators almost a moment-by-moment record of his life from the time he acquired them.

Take just his smartphone: The U.S. Supreme Court affirmed this summer that such devices are fundamentally different from, say a paper address book that a person might have in his pocket when arrested. Instead, the court said, it can hold a comprehensive personal history, which police may only search once they've obtained a warrant.

In the Harris case, getting a magistrate to issue warrants was the least of the hurdles police are likely to face. For starters, the sheer volume of information the department's digital sleuths have to comb through promises to be a formidable challenge.

Beyond that, each device and each online service have different security and privacy features, some of which are extremely tough to crack. And even after investigators have isolated what they consider damning evidence, they must weave it into a narrative jurors can grasp.

That last bit is critical, because a conviction in this case will depend on interpreting Harris’ actions — which are mostly not in dispute — to reveal what was in his mind. And like most human behaviors, actions in cyberspace can be interpreted in multiple ways. For instance, how often have you clicked on an item because it outraged you rather than because you found it agreeable?

Peeling the onion

Andrew Case, a New-Orleans-based core developer with the Volatility project, who specializes in computer forensics, says it could take investigators weeks or months to dig through the computer evidence.

The initial investigation might last two to three weeks — if they have a person dedicated full-time to it, which may not be likely, Case said. Then, he said, as the investigation advances, each discovery could suggest fresh lines of inquiry, forcing digital investigators “to re-examine all of the devices for all of that data, and search for new evidence.”

Testifying in the July 3 hearing, Cobb Detective Phil Stoddard said investigators had “only scratched the surface.”

Right now, the pressure is on the investigators to scour for as much information as they can.

When it comes to Harris’ sexting — perhaps the most shocking element of Stoddard’s July 3 testimony — police may not find it easy to locate and interview all the women involved. Harris connected with those women through an app called Kik, and before that one called Skout.

Kik allows users to register using only made-up user names and email addresses the service doesn’t require them to confirm. In fact, the company doesn’t require confirmation of any personally identifiable information submitted to the service.

Under subpoena the company will provide information on a specific user, as well as each user’s IP addresses, long number that are widely used by law enforcement to identify a data sender’s location. But that won’t necessarily lead police to the women themselves, who, according to the prosecution’s theory, might provide testimony that Harris longed to be free of the bonds of marriage and fatherhood.

Not for keeps

Resurrecting any regular text messages Harris deleted from his iPhone may be even trickier. He uses AT&T, which retains basic call records, including whom you call or text and when, as well as a log of all the web pages you visit with a web browser and the zip code you are in when you initiate each use.

But in general AT&T does not retain the content of regular text messages, according to a letter the company wrote a senator last year. The content would have lived on Harris’ iPhone until he deleted it and the phone used that space to store fresh data.

Unless, that is, Harris took steps to thoroughly wipe the phone’s memory. There are apps on the market designed to do that, but he wouldn’t necessarily have needed one. For that, the iPhone’s own internal tools are fairly robust, if not foolproof, said Doug White, who teaches cyber security to law enforcement employees at Roger Williams University in Rhode Island.

“Would this absolutely guarantee the drive was pristine? Well, there may be some artifacts, but it’s pretty effective,” White said.

Similarly, a savvy user can take steps to obscure his identity or erase his steps when using a laptop, desktop or other computerized device — with researchers always seeking new methods to thwart them.

Just as checks can be forged and handwriting imitated, a user can fake IP addresses, or mask them. The addresses also change over time, and are best used in concert with other identifying information.

In most instances, though, deleting data is actually one of the least effective strategies, because information we delete from our computers is not normally erased, it’s just marked as expendable if the computer should need a freed-up space to store new information.

For investigators, deleted data is like a storage room that’s been walled off: The trick is locating it. A determined user can acquire tools and use techniques that make certain items much harder to find.

Expert in what?

In that regard, police have painted Harris as a formidable adversary: “He is a computer expert,” Stoddard testified.

However, while the detective testified that Harris had deleted some items from his devices, he did not indicate that the accused father used advanced methods to hide information.

“There was no mention of anti-forensics being used by him in the transcript,” said White. That may indicate, he said, that although Harris had a bachelor’s degree from the University of Alabama in management information systems, he is not particularly sophisticated at computer forensics.

Or, White said, Harris may have simply be arrogant. “No one ever planned to rob a convenience store, get caught, and spend 25 years in prison. They all think it will go as planned,” he said.

Or perhaps Harris told police the absolute truth: that he simply forgot that his son was in the car and has nothing criminal to hide.

Whatever the outcome of the Harris case, it will rest in part on lessons that have shaped a discipline that is still young.

The Cobb police’s High Tech Crime Squad, made up of four officer-investigators and a sergeant, was formed in 1999. Agency officials would discuss little about their credentials or training, except to say in an email that they get “highly specialized training in the fields of computer crime investigations, computer and mobile device forensics, and video forensics” and use “all current digital forensic software” in their work.

The last phrase appears to refer to various commercial tools widely used by criminal investigators. Those products, like software used in other lines of work, do not require users to be computer experts.

But software built to comb through cell phones and personal computers is always playing catch-up, as device manufacturers and service providers roll out new upgrades.

For example, “every three or four weeks someone will find a new piece of forensically interesting evidence in the registry that’s not documented by Microsoft,” said Vico Marziale, a digital forensics expert and managing partner at 504Ensics Labs, in New Orleans.

Playing defense

In court, a sophisticated defense lawyer might exploit the prosecution’s lack of programming expertise to sow doubt in jurors’ minds. For instance, the defense might argue that investigators don’t know if a particular device was infected with malware at the time that made it visit suspicious websites or download illicit content.

On the other hand, unless the defense hires its own experts, it may have little chance of picking apart prosecutors’ evidence, said Bob Rubin, an Atlanta defense attorney. Without that, he said, “you’re really at the mercy of law enforcement’s readiness to do their job correctly.”

Already in the Harris case, some of the purported digital evidence — especially as it has been depicted in media reports — has come under fire.

For instance, several widely shared news reports claimed that Harris “twice viewed a video that shows the painful death of animals left in hot cars.” But the video a Cobb detective actually described was of a veterinarian pleading for caution, not of animals dying.

During the hearing, Harris' attorney, H. Maddox Kilgore, poked other holes, implying that what prosecutors described as searches were largely just clicks on items displayed on popular Websites as click-bait

If the case proceeds all the way to trial, other questions are likely to arise.

Do the time stamps on various actions communications match, or do different devices and services use different time zones, potentially including even Greenwich Mean Time in England? And even more fundamentally, the question aimed at computer evidence across the land: Even if you can show someone did something on a computer at a certain time, how do you prove that it was the defendant rather than someone else?