Thursday, April 23, 2009

The Boston Craigslist Killer: How Information Security techniques were used to track & catch the suspect Philip Markoff.

Physical Security

  • Closed-circuit television (CCTV) cameras monitoring key locations at the hotels where the suspect attacked his victims record and timestamp video 24 hours a day. The timestamps from the hotels' security video will be used in conjunction with computer records to tie the suspect to the scenes of the crimes.

IP Address tracking

  • Investigators used the IP address information obtained from computer and BlackBerry communications between the suspect and his victims. They were then able to identify and track down the suspect and place him under surveillance. The IP address information between suspect and victims will later be used to connect the suspect to his victims. Every computer on the Internet has an IP address, and it leaves behind a trail of every place you go.

Forensic Imaging

  • The first thing a Certified Computer Investigator would do is make an exact image, called a gold image, of the computer of the victim(s) and/or suspect(s), so that the original evidence is not altered in any way. The investigator must preserve what is called the Chain of Custody of the evidence; if it is not protected, the evidence can be challenged as contaminated and tossed out by a judge. After the gold image is made, a mathematical formula (algorithm) called a hash is run over it, producing a unique identifier, a "digital fingerprint", similar to how DNA is unique to every living thing, which is highly unlikely to match the hash value of any other data image. A copy of the gold image is used to conduct all investigation for evidence, and the original gold image is locked away for protection and for use as evidence in court. Additionally, the same process would be used to image mobile phones for inspection of evidence. The two most common hashing algorithms in use today are MD5 & SHA.
  • Investigators will use the forensic image to run keyword searches and to look for email records, graphic files, website visits, documents, etc.
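
As an added illustration (not code from the original post), the Python sketch below hashes a constructed stand-in for a gold image with MD5 and SHA-256, then checks a working copy against the recorded values before and after one byte is altered. The file names, the sample data, and the choice of SHA-256 as the SHA variant are assumptions.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so large images never sit fully in memory


def image_digests(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hex digest} for the file at path, in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_copy(recorded, copy_path):
    """Compare a copy against the digests recorded at acquisition time."""
    current = image_digests(copy_path, tuple(recorded))
    mismatched = sorted(n for n in recorded if recorded[n] != current[n])
    return (not mismatched, mismatched)


def demo():
    """Constructed stand-in for a disk image: 3 MiB of patterned bytes plus a tail."""
    workdir = tempfile.mkdtemp()
    try:
        gold = os.path.join(workdir, "gold.img")        # hypothetical file names
        working = os.path.join(workdir, "working.img")
        with open(gold, "wb") as fh:
            fh.write(bytes(range(256)) * 12288 + b"constructed sample tail")
        recorded = image_digests(gold)          # taken once, when the image is made
        shutil.copyfile(gold, working)          # analysis happens on this copy
        before = verify_copy(recorded, working)
        with open(working, "r+b") as fh:        # simulate one altered byte
            fh.seek(2_000_000)
            byte = fh.read(1)
            fh.seek(2_000_000)
            fh.write(bytes([byte[0] ^ 0x01]))
        after = verify_copy(recorded, working)
        return recorded, before, after
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

Recording the digests in the custody paperwork at acquisition time is what lets anyone later re-run the comparison and confirm the working copy still matches the locked-away original.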

Connecting the Dots with Audit Trails

  • Using the timestamped log files of the suspect's and victims' computers and mobile phones, Internet Service Providers' records (including Craigslist's), and the hotels' security video, investigators were able to place the suspect at the location of the crimes.

Case solved

The irony here is that the same technology the suspect used to set up his victims was ultimately used to track and apprehend him. No footprints needed, just high-tech trails.



Julius Clark, MBA, MSIS, CISSP, CISA

Information Security Professional


  1. How come you are not working in F.B.I cyber crime cell or PENTAGON? You seem pretty talented to me. Now I really have to check your PROFILE. Seems to me that you are man of great talent and I only judge you partially after reading your blog.

    I still have to go through your other articles and information to get to know you a little bit more.

    The article about The Boston Craigslist killer and its subs like Physical Security,
    IP Address tracking, Forensic Imaging, Connecting the Dots with Audit Trails are absolutely very well written, up to the point and in Easy, Understandable language.
    I just want to ask you, do you peoples/Companies who make GOOD Tracking software so we can list them on craigslist posting service

  2. Thank you for the compliment. I enjoy IT Security and enjoy keeping people safe on the INTERNET by sharing my knowledge.


