In the never-ending search of something new and different (not to mention at least somewhat interesting) to write about regarding digital forensics, I thought I’d use this blog opportunity to relay a case study in which digital forensics played an interesting role. The case involved mountains of data, multiple search warrants and some “meatball” on-scene forensics, which was fortunately documented on film (see below). Regardless, it’s a good illustration of how cases progress. It should be noted that this case has been concluded in the court system and none of the information contained in this case study is considered confidential or privileged.
The subject of our case study is Joseph Emanuele (formerly) of Louisa, Virginia. Mr. Emanuele was no stranger to law enforcement when we came upon him (again) in 2012. He was already a twice-convicted sex offender, having been convicted initially of Incest in 2003 and again of Failure to Register as a Sex Offender in 2010. Mr. Emanuele was also a self-professed computer expert and technician.
He claimed upon our initial encounter with him for this case that people would hire him to fix their computers and further claimed that he had some formal training in this realm. Louisa is a rural community in Virginia, not unlike many other rural communities around the country. It has its fair share of drugs, gangs, sex offenders and various other miscreant types.
In March of 2012, the Charlottesville Police Department, which is not far from Louisa, received a CyberTip from the National Center forMissing & Exploited Children (NCMEC). The CyberTip indicated that a person using a particular email address was soliciting for contraband pictures in an incest-related chat room on Motherless.com. If you’re unaware of Motherless.com, it’s basically an online gathering place for sexual deviants of all kinds, including those interested in incest and child pornography (which often go hand-in-hand). Fortunately, as part of the CyberTip, the email address of the person soliciting pictures was included, so the Charlottesville PD issued an administrative subpoena to the email service provider and, voila! Joseph Emanuele of Louisa, VA was the registered owner. The Charlottesville PD contacted me as the local law enforcement investigator in Louisa who handled these cases and we coordinated our next steps.
At this point, no probable cause existed to apply for a search warrant. We had a CyberTip from a remote entity, an email address, a registered user and a bad criminal history on that user, but none of that was evidence of an current crime. So what do we do? Go to his house and see if he’ll cooperate with us. I, along with two other investigators from the Charlottesville PD went to Mr. Emanuele’s house and he agreed to speak with us, let us in and agreed to allow me and another investigator us OS Triage to scan his computer for any illicit images. While the third detective interviewed Mr. Emanuele, we were presented with a cluttered room full of CDs/DVDs and other assorted media and a homemade computer with several terabytes of on-board and external storage. There were loose internal hard drives, SD cards, memory sticks – you name it, it was strewn about Mr. Emanuele’s bedroom, which was not kept as clean as we would have liked.
Not too long after we initiated the scan, OS Triage found several notable files (thank you Eric Zimmerman) and we decided to ask for consent to take those items, which shockingly, Mr. Emanuele agreed to. We loaded up several computers, hard drives, etc., provided him a receipt and left to do further examination. But I knew he wasn’t going to be that nice forever and now that we had probable cause, I applied for and received a search warrant to seize and examiner the computer system so the consent couldn’t be retracted, which (again shockingly) Mr. Emanuele tried to do the next day. Instead, he was served his copy of the warrant.
So here we are, we have several computers & hard drives and terabytes worth of data to examine, so I start diving into it. At the time, I was using EnCase as my primary forensic tool, so I had my work flow pretty well down. Not too long after I got into the case I realized several key things. First, there were multiple (hundreds, if not thousands) child and adult pornography videos and pictures on the main system and external HD. Second, amongst the mountain of adult pornography, many of the illicit images were also repeated several times meaning that Mr. Emanuele downloaded and saved copies of movies that he already had at least once, if not several times. Some of the originating dates on the files when back to 2005 when Mr. Emanuele was still married and living in a different location. Having the “plus one” rule firmly in mind (meaning if you find one piece of contraband, always look for at least one more), I asked Mr. Emanuele if he had any computer equipment at his ex-wife’s house and he indicated there may be some at that location. Plus, we left hundreds of CDs and DVDs at the original house during our initial visit. Knowing from experience how much purveyors of child pornography like to collect these images, I applied for and received two more search warrants – one for the original location and one for Mr. Emanuele’s former residence, also in Louisa County.
The return visit to Mr. Emanuele’s home was tedious at best. I’m a huge proponent of on-site previews, but when previewing hundreds of CDs and DVDs, it can take a while, even with the best computer. But we did it and we took only what we needed.
The search warrant at Emanuele’s ex-residence was much more challenging. By now, it was the dead of June in Virginia and very hot. We went to the house, secured it and there wasn’t much inside the home, but Mr. Emanuele’s ex-wife indicated that there may be some items in the shed outside. When we went into the shed, it was packed to the ceiling with junk – Furniture, kid’s toys (Mr. Emanuele had two sons), crap and more crap. We carved out a walkway and began looking. We found several loose internal hard drives and began previewing on-site. This picture shows our “meatball” forensic setup. Please note that I’m sitting on a defunct computer tower case and the power is being provided by two separate vehicles. The junk shed is the blue structure in the background. Hey, at least they cut the grass!
Best practices, anyone?
Just as the preview of this hellish nightmare (and I mean hellish, it was 95 degrees and humid) was winding down, I discovered one internal laptop HD with child pornography in the “My Documents” of “Joe” from an old Windows XP system. Bingo.
Back at the lab, I began documenting the registered users of all systems involved in the case and locating any suspected child pornography. NCMEC was extremely helpful in this because I was able to hash the suspected files & upload those hash values and NCMEC in turn sent a listing of which files were known child pornography images. I then conducted a hash comparison against ALL of the evidence in the case, including the original system HD and external HD, the CDs recovered from search warrant #2 and laptop HD recovered from search warrant #3, to identify the worst of the worst, at the Prosecutor’s direction. We picked 10 of the worst files and indicted Mr. Emanuele on those. The direct indictments were handed down in December, 2012 and Emanuele pleaded guilty in April, 2013 to multiple counts of possession of child pornography. He will serve a minimum mandatory 15 years in prison and will be on probation for the rest of his life, not to mention a 3-time sex offender.
This case demonstrates many key points. First and foremost is teamwork. For investigations at any level in any organization to be successful, there has to be a teamwork concept. If traditional cop egos and pride were a factor in this case and the others who originated and assisted in this case really cared about who got the credit, my guess is it wouldn’t have been as successful as it was. Second is communication. The original case was brought by an outside agency who had no real obligation to tell us what they were doing or why, but they did it because that’s what professionals do. We communicated well and consistently with each other to make sure everyone was on-board with the next steps in the case. A third key point was having a knowledgeable, competent prosecutor. Louisa County Commonwealth’s Attorney was (and still is) Rusty McGuire. I have never worked with a more hands-on, professional, knowledgeable prosecutor in the 15 years I was in law enforcement. He took the time to take some digital forensic training and has made it a point to stay abreast of current case law in this field as well as work toward enacting legislation to help law enforcement more effectively investigate these crimes in Virginia. Finally, the resources of the National Center for Missing & Exploited Children proved invaluable in this case. Not only was the original CyberTip from NCMEC, but during the forensic examination of this case, they helped streamline the focus of the investigation, helping us come to a conclusion faster instead of looking for a needle in a stack of needles.
As the primary investigator in this case, I assure you I could not have done it alone. Several former colleagues at both the Charlottesville, Albemarle and Richmond Police Departments helped me immensely on this case, as well as others, and I am truly grateful for their dedication, help and professionalism.
Patrick J. Siewert, SCERS, BCERT, LCE
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia