Lt. J.J. McLean sized up the computer that might hold the evidence to help convict the killer of two people. Look before you touch. Power's still on. Take a look at the back. Aha! -- looks like it's networked. A touch of the mouse clears the screen saver and a few clicks reveal a wide-open, unprotected network. That's a trail worth following.
"If you see something in clear view, act on it," McLean says as a sort of axiom. "If you have lawful consent -- a search warrant -- you've got to act."
What McLean found on that network was the e-mail evidence that helped put John J. Hinds in prison for murdering his half-brother and sister-in-law. McLean also discovered thousands of images -- "an incredibly diverse and extensive collection of child pornography" -- that put Hinds's nephew, Charles Hinds Jr., behind bars in a separate case.
Picking Up the Cybertrail
On Oct. 16, 1998, an ongoing family dispute over who would own the Cambridge, MA, home where John Hinds lived with his 87-year-old mother erupted into mayhem when Hinds gunned down Joseph and Mary Beranger and wounded his sister, Patricia Melo, in the street outside the house. Called in as the computer forensics investigator, McLean was looking for e-mails exchanged between John Hinds and the Berangers that would show a motive for the killings.
Taking care not to open any files or run any programs -- yet -- McLean saw there were two other computers -- Takedown and Chuck -- on the network. John Hinds's nephew, Thomas Hinds, who was accompanying the police on their search, said the other computers were in the adjacent house he shared with his brother, Charles. (Takedown was his, and Chuck belonged to Charles Hinds.)
McLean, a Massachusetts police officer who has worked hundreds of computer crime cases, knew that any or all of the three computers on that network could hold what he was looking for. He also knew that his search warrant didn't automatically give him carte blanche to investigate the rest of the network.
Since their search warrant limited them to the house they were in, police could either get a warrant for the house next door or ask each of the owners for permission to search the computers for e-mail evidence. Thomas Hinds gave permission to search Takedown; Charles Hinds gave his OK by phone to search Chuck and headed home to meet the police.
Now that he knew about the other computers on the network, McLean disconnected the modem and network cables from murder suspect John Hinds's computer, making sure that no files were being transferred at the time. He knew that a networked computer could be compromised remotely at any time, and wanted to close that window quickly.
Having used his computer expertise and knowledge of the law to get him this far, McLean got into some serious forensics. Thomas Hinds took McLean down to the basement of his house next door, where the investigator sat in front of Thomas' Takedown computer. Using specialized search tools that don't modify data, he swept Takedown by keyword and application, searching for e-mail evidence for the murder case. He followed up with a manual search for e-mail files, including hidden files.
When McLean was done, still sitting at Takedown computer, he started looking at the Chuck drive, which was on Charles Hinds's computer on the first floor. That's when the porn showed up.
Chuck had some suspiciously named files and folders, such as BOYS2.jpg and LOLITA. What McLean saw when he opened BOYS2 confirmed his suspicions. "Thomas Hinds appeared embarrassed," McLean says. "He made it clear they were Charles's files, not his."
When Charles Hinds arrived, McLean played "good cop" to see what he could learn. "One thing I know from experience," McLean says, "is that you've got to chum up and let them talk." Under McLean's questioning, the man admitted he had downloaded child pornography, as recently as the night before. His solution struck McLean with its sheer audacity: "Can you erase the child pornography on the system?"
"That was an admission of guilt," McLean declares.
When Charles Hinds asked, "[Is there] anything else we can do to end this situation?" McLean tersely replied that he could not. "It was very close to trying to buy a cop," McLean says. "I was watching for it."
The child pornography on Chuck gave McLean grounds to declare the system contraband, seize it without a warrant and ship it, along with John Hinds's computer, to the Attorney General's High Tech Crime Unit lab in Boston.
McLean didn't simply take everything apart and pack it in boxes. He followed a step-by-step procedure:
- Police took photos of the system before disassembling it.
- They disconnected internal data and power cables to the hard drives before the system was moved to ensure that the drives weren't accessed and possibly tampered with before being removed.
- Police also placed a write-protected boot disk in the disk drive to ensure write protection and boot control in case the system was turned on inadvertently.
- Finally, they carefully cataloged what was seized and by whom. They logged, tagged and bagged every component. Investigators took care that each component wasn't damaged or exposed to electromagnetic fields in transport. Similar precautions were taken during storage.
The e-mail evidence on John Hinds's computer eventually helped convict him of two counts of first-degree murder. He received a mandatory life sentence.
Back at the Lab
Because his warrant only pertained to the murder case, McLean obtained a second search warrant specifically to examine Charles Hinds's Chuck computer for child pornography. He used New Technologies' SafeBack to image the hard drive and searched the copy for existing and deleted files, using a number of forensics utilities, including New Technologies' DiskSearch II, TextSearch and IP Filter, as well as Guidance Software's EnCase (www.guidancesoftware.com). What he found surprised him.
"Originally, I believed this to be a minor case of child pornography, not thousands of child pornography images." Ironically, the poor network security opened the door to the case.
"I had the green light to go to the system. Had they had good security in place -- restricted print and file sharing; encrypted files and drive, intrusion detection -- I might not have ever seen the Chuck drive or had the nexus to search it," McLean observes. "If these people had employed more sophisticated protection, the government may not have made the case. [The suspect] might have denied me access and had time to erase the evidence."
However, although McLean had taken the opportunity to grab the Chuck computer immediately at the scene based on what he saw, he would have done things differently if he had another chance. His original thought had been to spare the elderly mother and surviving family the additional trauma of disrupting the households further. That's when he thought he had a routine child pornography possession case. "I would have secured the second household," he writes, "pursuant to a [second] search warrant and seized the entire network, the backup tapes and other related evidence pertaining to child pornography investigations."
Hindsight notwithstanding, the ends justified McLean's actions. A superior court judge upheld McLean's search, citing the unprotected network and Charles Hinds's permission to search Chuck for e-mail. The judge noted that since an e-mail file could be masked by changing names and extensions, McLean acted legally when he opened the first child porn file. With the evidence intact, Charles Hinds was convicted on seven counts of possession of child pornography and ordered to serve a year in jail and register as a sex offender.
Adapted with permission from Sgt. J.J. McLean's account, "Homicide and Child Pornography," in Eoghan Casey's Handbook of Computer Crime Investigation: Forensic Tools and Technology (Academic Press, 2002). McLean is the supervisor of investigation of the Medford, Mass., police department's Computer Crime and Forensic Investigation Unit. He was the supervisor/investigator for the Massachusetts Attorney General's High Technology Crime Unit's investigation of this case.