An Overview of the BTK Killer Case
Last week we were assigned to write a short summary about the BTK Killer case in my Computer Forensics class. I found it very interesting and I think those of you that like CSI, NCIS, or any other forensic cop shows might find my summary very interesting, so it is presented to you here in blog form:
Dennis Rader, aka the BTK (bind, torture, and kill) Killer, was convicted in August 2005 of 10 serial murders in Wichita, Kansas over the period 1974 through 1991. He was sentenced to 10 consecutive terms of life in prison without the opportunity for parole, based largely on the use of forensic evidence, especially DNA and handwriting analysis. However, it is the special use of computer forensics which led to his arrest that is of particular interest to this class.
During the timeframe of the murders, Dennis provided details of the murders through letters to the police and local news stations. After the last known murder in 1991, the trail went cold as both the murders and the letters ceased. However, in 2004, after the release of a book concerning his serial murders, he sent a copy of the book along with a 3.5 inch floppy disk containing his final letter to a Fox news station (KSAS-TV) in a padded envelope. Although neither the letter nor the book provided any clues as to the identity of the killer, the 3.5 inch disk did provide the vital link that led to the arrest.
According to Guidance Software, a digital forensic investigation was conducted on the 3.5 inch floppy disk using their premier product: EnCase Forensic. EnCase is actually a software package containing several applications that allow investigators to produce digital forensic evidence that can be submitted in court. EnCase starts by creating an image of the media in question, in this case an image of the 3.5 inch disk. The image is stored in a proprietary format that includes byte reads from every sector of the disk and an MD5 or SHA-1 checksum. The checksum is meant to ensure the authenticity of the disk image from the time of its creation (as it also hashes law enforcement metadata). After imaging, the EnCase software uses a series of byte analysis tools that identify all the files on the disk, and common software tools such as document viewers and hex editors to classify the files. Any files of interest are then packaged and saved along with their own metadata and checksum to be submitted as evidence.
Using this method of disk analysis, an investigator can find non-operating system files, hidden files, log data, and especially deleted files. In fact, what investigators did find on the disk was a deleted Microsoft Word file. The Word file itself contained no data of interest, but it did contain metadata that led to the arrest: specifically, that the author of the file had the first name Dennis, and that the software in question was licensed to Christ Lutheran Church. When law enforcement investigated further, they discovered Rader's surname because he was a Deacon at the church (previously they had no named suspects). They knew the killer drove a black Jeep Cherokee, and when they went to his house they noted one in the driveway. They managed to obtain DNA from his daughter, which had a familial match to the DNA evidence from the killings. Based on this evidence they arrested Dennis Rader in May 2005, and obtained warrants that led to the collection of the convicting evidence.
Without the computer forensic tools and analysis used in this case, investigators would never have been able to determine a named suspect, nor obtain the necessary warrants that led to the collection of the convicting evidence.
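The imaging, checksum and deleted-file steps described above can be shown on a toy disk image. This is an added example, not EnCase code and not material from the investigation; it assumes the floppy used FAT12 (the usual floppy filesystem, which the summary does not state), and the image, file names and sizes are constructed.

```python
import hashlib
import struct

BPB = "<HBHBHHBH"          # FAT BIOS parameter block fields at boot-sector offset 11
DIRENT = "<11sB14xHI"      # 8.3 name, attributes, first cluster, size (32 bytes)

def build_sample_image():
    """Constructed miniature FAT12 volume: one live file, one deleted file."""
    img = bytearray(64 * 512)
    # bytes/sector, sectors/cluster, reserved, FATs, root entries, total, media, sectors/FAT
    struct.pack_into(BPB, img, 11, 512, 1, 1, 2, 16, 64, 0xF0, 1)
    root = (1 + 2 * 1) * 512
    img[root:root + 32] = struct.pack(DIRENT, b"README  TXT", 0x20, 2, 120)
    # Deleting a file only overwrites the first name byte with 0xE5.
    img[root + 32:root + 64] = struct.pack(DIRENT, b"\xE5ETTER  DOC", 0x20, 3, 1024)
    return bytes(img)

def sha1_of(image):
    """Acquisition hash: recomputed later to show the image has not changed."""
    return hashlib.sha1(image).hexdigest()

def list_root_entries(image):
    """Walk the root directory and report live and deleted 8.3 entries."""
    bps, _spc, reserved, nfats, nroot, _total, _media, spf = struct.unpack_from(BPB, image, 11)
    root = (reserved + nfats * spf) * bps
    entries = []
    for i in range(nroot):
        raw = bytes(image[root + 32 * i:root + 32 * (i + 1)])
        if len(raw) < 32 or raw[0] == 0x00:      # truncated image or end-of-directory marker
            break
        name, attr, cluster, size = struct.unpack(DIRENT, raw)
        if (attr & 0x3F) == 0x0F:                # long-file-name slot, not a file entry
            continue
        deleted = raw[0] == 0xE5
        base = ("?" + name[1:8].decode("ascii", "replace")) if deleted \
            else name[:8].decode("ascii", "replace")
        ext = name[8:].decode("ascii", "replace").strip()
        entries.append({"name": base.strip() + ("." + ext if ext else ""),
                        "deleted": deleted, "first_cluster": cluster, "size": size})
    return entries

if __name__ == "__main__":
    image = build_sample_image()
    before = sha1_of(image)
    for e in list_root_entries(image):
        print(e)
    print("image unchanged after analysis:", sha1_of(image) == before)
```

The deleted entry keeps its extension, size and starting cluster, which is why a read-only scan of the image can still locate the file's contents while the hash proves the evidence copy was not altered.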











