by Val McDermid
Next he asked Sarah for her login details, signed into her account and found no trace of a conversation with Fred. Of course, it might have been that she’d deleted the conversation. But what she could not do was completely expunge anyone from her lists of ‘friends’. On Sarah’s ‘current friends’, ‘deleted friends’ and ‘requested friends’, Fred was nowhere to be seen. Using Fred’s login details, Angus found no trace of a conversation or friendship with Sarah on his account either. On Sarah’s account Angus did, however, find records of other, milder conversations with other boys that David had provided screenshots of. It seemed as though David had nestled fabricated screenshots among real ones. But Angus was all too familiar with the principle that absence of evidence doesn’t mean evidence of absence.
In the end, Angus wrote to the judge reporting that he couldn’t be certain what had happened. It was theoretically possible that Sarah and Fred had had the indecent chat under false profiles that looked identical to their normal ones. Equally, David, who was a good amateur photographer, could have forged the screenshots. To gain a satisfactory view of what had happened, Angus needed to look at David’s computers to see if he had manipulated the screenshots with a graphics editing program.
At this point the judge had to make the call. Should he continue with the trial? Or should he suspend the sitting and keep the jury sequestered for another week while Angus examined David’s computers? He decided to proceed. The jury listened to the remaining testimony of the victims, and to Angus’s evidence. Whilst his evidence was inconclusive – and he was careful to make that clear to the jury – it formed another piece of possible evidence that David was a manipulative liar. The jury deliberated, and found him guilty. He is currently serving twenty years in jail.
As the case of the key logger shows, the more people who use the increasing number of functions available on their digital devices, the harder it becomes for forensic digital analysts to do their job. Whereas some forensic scientists are able to answer straight questions – ‘Does this blood belong to Mr A or Mr B?’ – people in Angus’s area of specialism have to judge the authenticity of evidence, construct timelines of online and offline activity and assess the validity of alibis. Those without the right blend of imagination and vigilance need not apply.
Angus loves the job for its intellectual challenge. ‘I’m always learning something new, not just grinding away doing the same thing day in day out, but solving problems.’ The hardest thing for him to bear is when his investigations throw up nothing. ‘I don’t know of anyone in the business who, when faced with a no result job, will stop. You keep probing and probing and probing because there must be something there, there’s always something there, and it’s really hard to accept that you’ve done everything you can and hit the limit.’
Before Angus can go to work, he needs something to work on, and getting it can be a headache. ‘In order to collect evidence against one bad apple, you cannot storm in and seize the computer of every employee in an office. The response has to be proportionate.’ Laying hands on the hardware for Angus to work on is the job of the police. They have to justify a search warrant so they can confiscate digital devices from the suspect’s living room, or trouser pocket.
When a device is found at a crime scene it is often covered in fingerprints and DNA. But because the magnetic brushes that CSIs use to powder up and expose fingerprints emit electromagnetic fields, they can destroy evidence within the device. Hence, CSIs have learned to place devices carefully in antistatic plastic bags, then send them to the digital analysts. ‘We still occasionally encounter devices sent to the wrong unit,’ says Angus. ‘I’ve seen mobile phones sent to the CCTV unit because detectives wanted the photographs. I’ve seen officers pick up a mobile phone – very very rarely now, but I have seen it – and start poking at it themselves to see what’s on there.’
Once an uncontaminated device has found its way to the hi-tech crime unit, then, according to Angus, ‘unless it’s a really high priority job like a murder or live missing persons case, it will sit in a storeroom for about six months, because forces have so much work to do’. The device that makes its way to Angus nowadays is seldom an answering machine, printer or fax machine. Usually it’s a computer, smartphone or tablet. These tiny devices contain a detailed (if partial) snapshot of a person’s life. To damage them can be to damage justice. ‘Rule One is always, as far as possible, preserve,’ Angus notes. As well as for forensic digital analysts, this is the golden rule for CSIs and civilians who want to provide admissible evidence. In practice, this usually means forensic analysts will make a direct copy of the contents of a machine they are going to investigate, in order to preserve the integrity of the original.
When the term ‘forensic computing’ was first used in 1992, it was in relation to recovering data from computers for use in criminal investigations. In one of Angus’s early cases, a company director had accused previous directors of fraud, and collected the company’s main hard drive to present as evidence. He had sent the drive for a 2-week repair, stored it at home for a week, then finally given it to a forensic computing firm for examination. Angus reported to the judge that this chain of evidence preservation was not good enough. It was impossible to be sure that the employee hadn’t added, altered or overwritten files at some point in the drive’s complicated journey. As Angus neared York Station on the train down to Leeds Crown Court for the hearing, he received a phone call telling him that the judge agreed with his report and had dismissed the case. He got off at York, walked across to the opposite platform and headed back home to Darlington.
‘Sometimes I have to break Rule One,’ says Angus. ‘The latest iPhones and BlackBerrys are virtually impossible to copy. I have to install software on them to “jailbreak” them. Then Rule Two comes in: If you can’t copy it and you’re going to have to alter it, make sure you know what you are doing and can explain it. Contemporaneous notes is the charm.’ If a careless investigator opens a file, the time is recorded on the file itself. This hinders the creation of timelines and, as adversarial lawyers love mentioning in court, fundamentally alters the file.
Once Angus has an immaculate copy of the hard drive, he uses specially tailored software to look at both the current files and deleted files. From computer and smartphone drives Angus can restore almost all deleted photos, videos and messages, just as an old-school detective might have retraced the impression of a rubbed-out pencil line on a letter.
On mobile phones Angus will look at text messages, called numbers and missed calls. Text message dialogues sometimes show what criminals were saying to each other around the time a crime was committed. Individual text messages can provide crucial evidence, too. On the morning of 18 June 2001, 15-year-old Danielle Jones went missing near her home in East Tilbury, Essex. Suspicions quickly fell on her uncle, Stuart Campbell, and he was arrested when investigators found a green canvas bag in his loft containing a pair of white stockings tainted with a mixture of both his and Danielle’s blood.
Campbell claimed that he had been at a DIY shop in Rayleigh, a half-hour drive away, when Danielle went missing. Police examined his mobile phone and found a text message sent from Danielle’s phone that morning:
HI STU THANKZ 4
BEIN SO NICE UR THE
BEST UNCLE EVER!
TELL MUM I’M SO
SORRY LUVYA LOADZ
DAN XXX
But when police interrogated the records from the network providers, they found that both his and Danielle’s phones had been within the narrowly defined range of the same mobile phone transmitter when Campbell’s phone received the text message.
Linguistics expert Malcolm Coulthard demonstrated in court that Danielle habitually wrote her text messages in lower case. He also noticed that in another text on Campbell’s phone, sent shortly after the first, the word ‘what’ had been shortened to ‘wot’, whereas Danielle always typed ‘wat’. Clearly, the text message had been planted and Campbell’s fabricated evidence had imploded. Despite the fact that a £1.7 million search operation by Essex Police failed to discover Danielle’s body, her uncle is now serving life behind bars.
Accurately locating victims and suspects at the time of a crime has obvious benefits for investigators. Modern iPhones and Android phones log their movements by default, making it possible to plot a detailed map of where somebody’s phone has been – and, by assumption, where they have been, too. The location-tracking feature can be disabled deep in the smartphone’s settings, but many people don’t know this. The iPhone 5S has a specialised location chip that runs off reserve battery power. Users have reported their iPhone continuing to track their movements for four days after the phone has run out of battery and turned itself off. The justification for the location data is that it helps Apple to improve its maps app, and to tailor suggestions for things for users to do nearby. Needless to say, the police are interested in this data too.
Even if a user turns off location tracking on their phone, investigators can interrogate network provider records to fix an approximate area at a given time. This is because mobile phones constantly communicate with local phone masts in order to find a signal. These masts tend to cover small areas, as occurred with Stuart Campbell in East Tilbury – and also in a remarkable case in Scotland in 2010.
On the morning of 4 May, 38-year-old Suzanne Pilley set off on her way to her job as a bookkeeper for a financial services company on Thistle Street in central Edinburgh. At 8.51 a.m. she was caught on CCTV coming out of Sainsbury’s, where she’d bought her lunch. And that was the last time anyone saw her alive. Anyone, that is, apart from her work colleague 49-year-old David Gilroy. Gilroy was married with children and had been having an affair with Suzanne for about a year. She had recently decided to end their relationship for good, having had enough of Gilroy’s controlling nature and fits of jealousy.
In the month leading up to Suzanne’s disappearance, Gilroy had bombarded her with more than 400 texts and numerous voicemail messages. He had been desperate to keep the affair going, and unwilling to accept her rejection. On two particular days he had sent more than fifty pleading texts. The day before she vanished, Gilroy had left her numerous texts and a voicemail message in which he said, ‘I’m worried about you.’
Suzanne had spent the night before her disappearance with a new man, Mark Brooks, which sent Gilroy over the edge. He murdered Suzanne in the basement of their office, and hid her body in the stairwell. He made an excuse to his colleagues – who later described him as ‘seeming clammy, with scratches on his neck and face’ – to take the bus home and collect his car. On his way, CCTV footage showed him buying four air fresheners from Superdrug. Back at the office, Gilroy altered his engagements so that the next day he would have to drive 130 miles into the rural heart of Argyll to check on a school whose accounts his firm was keeping. Then he bundled Suzanne’s body into the boot of his car.
That evening he went to see one of his children perform in a school concert, then on to a restaurant with his family. Meanwhile, Suzanne’s worried parents had reported her missing.
On 6 May, the police interviewed Gilroy. They noticed a cut on his forehead, subtle bruising on his chest and curved scratches on his hands, wrists and forearms. Gilroy said he had scratched himself while gardening. Forensic pathologist Nathaniel Cary would later examine photographs of these injuries and testify that they could have been made by another person’s fingernails, possibly in a struggle, and that he had seen similar scratches on stranglers before. He added that he couldn’t be sure because Gilroy had covered the scratches in flesh-coloured make-up. But he did concede under cross-examination that Gilroy’s version of how he got the scratches was possible.
At the time, the police were suspicious enough to seize Gilroy’s mobile phone and car. When forensic scientist Kirsty McTurk opened the car boot, she noticed a fresh smell coming from it, like ‘air freshener’ or a ‘cleansing agent’. She looked for evidence in the boot and then in the basement stairwell at the office in Thistle Street. She could find no trace of Suzanne’s DNA. However, when specially trained cadaver dogs smelled the boot and the stairwell they showed ‘positive indications’ of detecting human remains or blood. One of the dogs, a Springer Spaniel named Buster, had previously managed to locate a dead body in nearly 3 metres of water.
Police also found vegetation and damaged suspension underneath Gilroy’s car. The roadside cameras were inconclusive, but detectives felt certain he had made a detour off the A83 Rest and Be Thankful road, a well-known scenic route, before returning home.
A forensic digital analyst went to work on Gilroy’s phone. ‘When you switch a mobile phone off,’ explains Angus, ‘it records the phone mast that it was last communicating with, so that when it’s switched back on, it can quickly find it again.’ On his way to the school in Argyll, Gilroy had switched off his phone between Stirling and Inveraray. Police suspected he had done this to avoid being tracked as he searched for a good place to dispose of Suzanne’s body in the dense woodland. Then he went to visit the school. On his way back, Gilroy again switched off his mobile phone between Stirling and Inveraray. This, the police believed, was when he dumped the body.
When Gilroy stood trial, police search teams still hadn’t found Suzanne’s body. Nevertheless, on 15 March 2012, David Gilroy was found guilty of murder and conspiracy to defeat the ends of justice. The judge, Lord Bracadale, agreed to let television cameras into the court, making Gilroy the first convicted killer to have his sentencing filmed for British television. ‘With quite chilling calmness and calculation,’ said Bracadale, ‘you set about disposing of the body, apparently somewhere in Argyll; and, but for the commendably thorough investigation carried out by Lothian and Borders Police, you might well have been successful in avoiding detection and prosecution.’ He sentenced Gilroy to a minimum of eighteen years in prison. After receiving threats from fellow inmates at Edinburgh Prison, Gilroy was moved to Shotts Prison, where on his first day another inmate broke his jaw.
Police searching for Suzanne Pilley’s body near Arrochar, Scotland. Her remains were never found, though David Gilroy was found guilty of her murder in 2012
Gilroy’s conviction had much to do with the sensitivity of investigators to his digital footprint. Without their analysis of mobile phone and CCTV evidence, he would probably be a free man today. It’s rare for murderers to be convicted in the absence of their victim’s body. It happened to Stuart Campbell, partly because of the splatter of Danielle’s blood which investigators found on the underwear in his loft; and it happened to the Liverpudlian drug dealer caught out solely by DNA found in the pupal cases of maggots that had fed on his victim’s corpse (see p.57). In the Gilroy case there was no DNA. The scratches on his arm would not have been enough. He was convicted because of unusual mobile phone activity, CCTV video and images from road-side cameras.
It’s up to people like Angus Marshall to use images and video to incriminate criminals like David Gilroy. The job is occasionally revelatory, usually methodical; it can take time to build up a digital picture. Angus creates his own tools to help. ‘I’m a weirdo. I don’t use any of the industry standard tools; they’d get me the same results as everyone else. Most of the programs I write are not very big or complicated, they simply automate things and allow me to sleep occasionally.’ Once such programs have recovered all of the photographs and video files on a given hard drive, another goes through and tries to match them to a child abuse database held by the police, automatically sorting them into one of the five levels of severity, from relatively innocent nude posing right through to bestiality. ‘Unfortunately there are always a few that haven’t been seen before and some poor soul has to sit and manually classify those and then submit them,’ Angus says, his genial expression clouding over.
The database stores the origin of each image, if it’s known. This means investigators can link the consumers of illegal media to the creators, as happened in the busting of Scotland’s largest paedophile ring in 2005 (see p.186). It’s a traumatic job, but independent experts like Angus – or, more usually, police officers – look very carefully at abusive photographs and videos, to pick up clues as to where in the world they were taken. ‘It can be subtle little things like the shape of the electrical sockets, the sound of the TV or the language being spoken,’ Angus explains. ‘You can approximate the time of day from where the sun is in the sky. If there is a victim of abuse in there, you can estimate their age and cross-reference what they look like against missing persons databases.’
And then there’s the metadata – information which is embedded in images and video files taken on digital cameras and smartphones. Metadata reveals useful information, from the make and model of the device to the date and time when the media was recorded – if the perpetrator set the clock. Although image manipulation software and file sharing sites sometimes strip metadata, it is often still buried there and, with the right software, it can be read.
Modern devices even put GPS coordinates into the metadata, making it possible to know where the photographer was standing. This means digital forensic experts can interrogate the records of mobile phone networks to find out which phones were active in a particular area at any given time. GPS coordinates in metadata have also helped police locate criminals who are on the run, as demonstrated by the sensational case of John McAfee, a somewhat unstable computer genius who lived in the jungles of Belize.
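To show what reading that embedded metadata involves, here is an added example (not from the book, and not one of Angus's tools) that parses an EXIF block for the device make, the recorded clock time and the GPS position. It assumes the input is the TIFF-structured block that follows the "Exif" marker in a JPEG; the function names and the sample bytes are constructed for illustration.

```python
import struct

# EXIF field types handled here: 2 = ASCII, 4 = LONG, 5 = RATIONAL (two LONGs)
SIZES = {2: 1, 4: 4, 5: 8}
TAGS = {0x010F: "make", 0x0132: "datetime", 0x8825: "gps_ifd"}
GPS_TAGS = {1: "lat_ref", 2: "lat", 3: "lon_ref", 4: "lon"}

def read_ifd(buf, offset, endian, names):
    """Parse one image file directory (a table of 12-byte entries) into a dict."""
    (count,) = struct.unpack_from(endian + "H", buf, offset)
    out = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(endian + "HHI4s", buf, offset + 2 + 12 * i)
        if tag not in names or typ not in SIZES:
            continue
        size = n * SIZES[typ]
        # Values of up to 4 bytes sit in the entry itself; larger ones at an offset.
        if size > 4:
            start = struct.unpack(endian + "I", raw)[0]
            raw = buf[start:start + size]
        if len(raw) < size:
            raise ValueError("truncated or corrupt metadata")
        if typ == 2:
            value = raw[:n].rstrip(b"\0").decode("ascii", "replace")
        else:
            nums = struct.unpack_from(endian + "I" * (size // 4), raw)
            value = nums[0] if typ == 4 else [a / b if b else 0.0 for a, b in zip(nums[::2], nums[1::2])]
        out[names[tag]] = value
    return out

def to_decimal(dms, ref):
    """Degrees, minutes, seconds plus hemisphere letter -> signed decimal degrees."""
    d, m, s = dms
    deg = d + m / 60 + s / 3600
    return -deg if ref in ("S", "W") else deg

def extract_metadata(tiff):
    """Return make, datetime (the device clock, which may be wrong) and position if present."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack_from(endian + "H", tiff, 2)[0] != 42:
        raise ValueError("not a TIFF/EXIF block")
    meta = read_ifd(tiff, struct.unpack_from(endian + "I", tiff, 4)[0], endian, TAGS)
    gps_offset = meta.pop("gps_ifd", None)
    if gps_offset is not None:
        gps = read_ifd(tiff, gps_offset, endian, GPS_TAGS)
        if {"lat", "lat_ref", "lon", "lon_ref"} <= gps.keys():
            meta["position"] = (to_decimal(gps["lat"], gps["lat_ref"]),
                                to_decimal(gps["lon"], gps["lon_ref"]))
    return meta

def _entry(tag, typ, count, value):
    v = value if isinstance(value, bytes) else struct.pack("<I", value)
    return struct.pack("<HHI", tag, typ, count) + v.ljust(4, b"\0")

# Constructed sample, not from a real image: make "ACME", a clock value, 10°30'N 20°15'W.
_ifd0 = struct.pack("<H", 3) + _entry(0x010F, 2, 5, 50) + _entry(0x0132, 2, 20, 56) + _entry(0x8825, 4, 1, 76) + b"\0" * 4
_gps = struct.pack("<H", 4) + _entry(1, 2, 2, b"N\0") + _entry(2, 5, 3, 130) + _entry(3, 2, 2, b"W\0") + _entry(4, 5, 3, 154) + b"\0" * 4
SAMPLE = (b"II" + struct.pack("<HI", 42, 8) + _ifd0 + b"ACME\0\0" + b"2020:01:02 03:04:05\0"
          + _gps + struct.pack("<6I", 10, 1, 30, 1, 0, 1) + struct.pack("<6I", 20, 1, 15, 1, 0, 1))
```

A block whose directory has no entries, as when software has stripped the metadata, yields an empty result rather than an error.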
McAfee was the son of an English woman who fell in love with an American soldier stationed in the UK during the Second World War. As a boy he moved with his parents to Virginia. When he was fifteen, his alcoholic and abusive father shot himself dead. McAfee then became hooked on drugs, but maintained an enthusiasm for computer programming and managed to hold down jobs at institutions as august as NASA. Eventually he struck out on his own and created McAfee Anti-virus, the first commercially available virus prevention software. In 1996 he sold his stake in the company for tens of millions of dollars. By then, as McAfee himself acknowledges, people knew him as ‘the paranoid, schizophrenic wild child of Silicon Valley’.