Investigator says forensic search of hard drive takes time

August 17, 2008|By ERIN JULIUS

HAGERSTOWN - Computer crimes investigators usually need between 50 and 70 hours to conduct a complete forensic investigation of a hard drive, said Lt. John Wilhelm, commander of the Maryland State Police computer crimes section.

Investigators begin by creating forensic copies of a computer's hard drive and copying all of the information onto their own equipment, Wilhelm said. Just making the copy could take a few hours or a few days, depending on the size of the hard drive being copied, he said.

"It's not like CSI (CBS television show "CSI: Crime Scene Investigation"), where in 30 minutes, they have everything they need," Wilhelm said. "Television distorts it so much."

Wilhelm's computer crimes section, which works out of a Columbia, Md., office, was not involved in the investigation of former Maryland Del. Robert A. McKee. He said, however, his state police investigators handle forensic computer work for agencies throughout the state.


Months of work

Wilhelm said he knows of no computer forensics lab that has finished a case in less than four months.

He said investigating violent crimes usually takes priority, but if investigators have information about a child being harmed in the making of child pornography, those cases also take precedence.

Maryland State Police computer crimes investigators usually receive about six months of training, although no set training is mandated, Wilhelm said.

Investigators can recover data from cell phones, CDs, DVDs, iPods, flash drives and anything else that has any sort of memory, Wilhelm said. His investigators once searched an Xbox game system in connection with a case.

When investigating a case dealing with images, such as a case surrounding child pornography allegations, investigators can use software to automatically search the data for image files. Once the image files are found, however, the investigator must manually search all of the files for anything deemed potentially criminal, Wilhelm said.

In child pornography investigations, an important element is identifying the children in the pictures, Wilhelm said.

A key element in prosecuting child pornography cases is establishing the age of the child depicted, Washington County State's Attorney Charles Strong said Friday.

According to Maryland statute regarding child pornography possession cases, anyone younger than 16 is considered a child. For manufacturing cases, anyone younger than 18 is considered a child.

Other ways of establishing age, such as having a doctor testify about the person's appearance, are far less reliable in terms of gaining convictions, Washington County Deputy State's Attorney Joseph Michael said Friday.

State police investigators send copies of whatever photographs they find to the National Center for Missing and Exploited Children in Virginia. The center has identified more than 80,000 child victims, and has affidavits to prove their identities in court, Wilhelm said.

An entire network of investigators around the world exchange information related to child pornography cases, he said.

The Herald-Mail Articles