The Boston Craigslist Killer: How Information Security techniques were used to track & catch the suspect Philip Markoff.
- Closed Circuit Television (CCTV) monitoring in key locations at the hotels where the suspect attacked his victims records and timestamps video 24 hours a day. The timestamps from the hotels' security video will be used in conjunction with computer records to tie the suspect to the scene of the crimes.
IP Address tracking
- Investigators used the IP address information obtained from computer and BlackBerry communications between the suspect and his victims. Investigators were then able to identify and track down the suspect and place him under surveillance. The IP address information between suspect and victims will later be used to connect the suspect to his victims. Every computer on the internet has an IP address, and it leaves behind a trail of every place you go.
- The first thing a Certified Computer Investigator would do is make an exact image of the victims' and/or suspect's computers, called a gold image, so that the original evidence is not altered in any way. The investigator must preserve what's called the Chain of Custody of the evidence; if it is not protected, the evidence can be challenged as contaminated and be tossed out by a judge. After the gold image is made, a mathematical formula (algorithm) called a hash is run over it, producing a unique identifier, a "digital fingerprint", similar to how DNA is unique to every living thing, which is highly unlikely to match the hash value of any other data image. A copy of the gold image will be used to conduct all investigations for evidence, and the original gold image is locked away for protection and to be used as evidence in court. Additionally, the same process would be used to image mobile phones for inspection of evidence. The two most common hashing algorithms in use today are MD5 & SHA.
- Investigators will use the forensic image to search for keywords, email records, graphic files, website visits, documents, etc.
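The hashing step described above can be shown as an added example (not part of the original article): it records MD5 and SHA-256 digests of a gold image at acquisition, then checks working copies against them. SHA-256 as the "SHA" variant, the file names and the sample data are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB chunks so a large image never sits fully in memory


def hash_image(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the file at path, reading it once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(recorded, copy_path):
    """Compare a working copy against the digests recorded at acquisition.

    Returns the algorithms whose digest no longer matches; an empty list means intact.
    """
    current = hash_image(copy_path, tuple(recorded))
    return [name for name in recorded if current[name] != recorded[name]]


def demo():
    """Constructed sample: a stand-in image, an intact copy and a copy altered by one byte."""
    with tempfile.TemporaryDirectory() as d:
        gold = os.path.join(d, "gold.img")         # hypothetical file names
        good = os.path.join(d, "working.img")
        bad = os.path.join(d, "tampered.img")
        data = b"constructed sample disk image\n" * 100000  # about 3 MB of sample data
        for path, content in ((gold, data), (good, data), (bad, data[:-1] + b"X")):
            with open(path, "wb") as fh:
                fh.write(content)
        recorded = hash_image(gold)  # taken once and logged with the custody record
        return verify_copy(recorded, good), verify_copy(recorded, bad)


if __name__ == "__main__":
    intact, altered = demo()
    print("intact copy mismatches:", intact)
    print("altered copy mismatches:", altered)
```

Recording two independent digests means a working copy is accepted only if both still match the values logged when the image was taken.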
Connecting the Dots with Audit Trails
- Using the timestamped log files of the suspect's and victims' computers, mobile phones, Internet Service Providers' (including Craigslist) records, and the hotels' security video, investigators were able to place the suspect at the location of the crimes.
The irony here is that the same technology the suspect used to set up his victims ultimately was used to track and apprehend him. No footprints needed, just high-tech trails.
Julius Clark, MBA, MSIS, CISSP, CISA
Information Security Professional