The Seattle Times. Winner of Eight Pulitzer Prizes.




Updated Thursday, December 20, 2012 at 06:44 AM

Cybersleuths try to mine clues from Newtown killer's damaged computer

By Robert O'Harrow Jr
The Washington Post

Some of the most important clues about what drove Adam Lanza to mass murder probably sit on the computer that the reclusive, technical-minded 20-year-old used as one of his main contacts with the world, law-enforcement authorities said.

Lanza attempted to destroy his computer's hard drive, the device that stores and retrieves data, before setting out on the Dec. 14 killing spree in Newtown, Conn. Police have declined to provide information on the extent of the damage to the drive, but investigators remain hopeful that it can be repaired.

Specialists, however, said that any effort to recover data may be thwarted if the hard drive's magnetic platters are shattered. If the damage is less severe, or if there are multiple platters in the computer, investigators may be able to glean useful information. Such recovery efforts are slow and costly, specialists said.

The computer was seized at Lanza's home soon after he killed his mother and went on to slay 20 children and six adults at Sandy Hook Elementary School before committing suicide.

The computer was taken to the Connecticut State Police computer crimes unit, which has more than a dozen police and civilian technicians focused on gathering digital forensic evidence, according to Lt. J. Paul Vance, a state police spokesman.

Vance declined to provide details about the computer and its condition, but he said the technicians will add their findings to the mix of physical and electronic evidence, including DNA samples, bullet casings, cellphone records and gaming systems.

"We have to look at everything," he said. "It may direct us. It may open a door."

Cellphones and games

A preliminary examination of his cellular telephone showed that he had made or received few, if any, calls, investigators and others familiar with the matter said. No information has yet emerged from investigators on any possible text messages he may have sent or received.

Lanza appears to have spent much of his time during the weeks before the shooting in the basement of the home he shared with his mother, Nancy, playing violent video games on his computer, investigators believe, based on interviews. His Xbox, an electronic game-playing device that might have led investigators to Lanza's game-playing partners across the Internet, apparently was not used.

Lanza had two bedrooms in the house, including one in the basement in which he kept his computer, his computer video games and other possessions. Lanza had thousands of dollars' worth of video games as well as an Xbox, although it appears he rarely, if ever, used it, preferring to play violent video games on his computer with other anonymous gamers, investigators were told.

The basement also is where Nancy Lanza, a gun enthusiast and target shooter, kept her collection of weapons in a locked box. She had at least five weapons — two handguns, a semi-automatic rifle, a .22 caliber rifle and a shotgun. Lanza had all the weapons except the .22 with him when he drove to the school.

Because he destroyed his hard drive, investigators will not be able to trace what games he was playing, whom he was playing with and, more importantly, whether he gave anybody forewarning of the horrific violence he unleashed.

Computer crime lab

The computer crimes unit operates the Computer Crimes and Electronic Evidence Laboratory in Meriden, Conn., assisting in more than 400 criminal cases a year.

"Fully 70% of the cases directed to the Computer Crimes Laboratory involve some level of child exploitation/child pornography," the lab's website said.

The FBI has offered to help with the electronic forensics and may be examining the computer, law-enforcement authorities said.

Although authorities know that Lanza was the shooter, police are pursuing the case as an active murder investigation until they understand what happened and why. At least three search warrants have been filed under seal in Superior Court in Danbury, Conn., according to Geoffrey Stowell, deputy chief clerk of the court. Two of them can be unsealed Dec. 28, and one can be unsealed Dec. 30, he said.

Lanza's computer and online activity will remain a key focus of the investigation.

"The level of detail they can rip out of systems these days seems incomprehensible to most people," said Rob Lee, a forensic specialist who has examined computers seized from terrorists for the U.S. intelligence community.

That includes such obvious things as websites visited and photographs downloaded. Other telling data include the geolocation of every place a laptop has been used, the timing of activity and other technical "artifacts" that computers now maintain as a matter of course. Even some deleted material can be retrieved with relative ease if the damage to the hard drive is not too severe, Lee said.

One method of fixing a damaged hard drive is called a "platter swap," which involves taking the magnetic platter from the damaged hard drive and putting it on an undamaged hard-drive chassis of the same make.

Various reports have said that Lanza used a hammer or screwdriver on his hard drive. The issue in this case may be what can be done with a shattered platter. Platters can be made of aluminum, ceramics or glass. Repairing a broken platter generally requires piecing it together like a cracked plate. Careful alignment is required to preserve the data architecture.

Because the information recorded on new platters is densely packed, it can be almost impossible to reconstruct them with the necessary precision if they are shattered.

Still, extraordinary recoveries have occurred. When the space shuttle Columbia blew up, investigators were able to recover hard drives that had fallen to Earth. "The data was almost 100 percent recoverable," said Lee, the lead for digital forensic and incident response at the SANS Institute, a leading cybersecurity and training organization.

He said investigators also would be looking for contacts Lanza had with other people, possibly gamers. In high school, Lanza reportedly belonged to a technology club that had gaming events called LAN parties, in which players linked computers to compete.

"The computer is probably the only inner look at his psyche," Lee said. "Why Sandy Hook?"

Tim Ryan, a former FBI agent who supervised major cybercases, said it has been widely reported that Lanza was socially isolated in Newtown. But he said he would "not be surprised if he spent a large amount of time" socializing online or with other gamers.

One compelling question, Ryan said, is why Lanza took the relatively unusual step of trying to physically destroy his hard drive.

"What did he try to hide?" said Ryan, now a managing director at Kroll Advisory Solutions.

Information from The Hartford Courant is included in this report.

