Computer detective talks about Levy evidence
WASHINGTON (CNN) -- Before 24-year-old former Washington intern Chandra Levy disappeared, she left a trail of clues on her home computer. Computer forensics expert Kevin Mandia is the forensic director of Foundstone, a computer security firm. He has trained some 400 FBI agents and other police in conducting computer intrusion investigations. Mandia spoke on Tuesday with CNN anchor Carol Lin.
LIN: I'm wondering, in this particular case, investigators still say it's a missing person's case and not necessarily a murder or criminal investigation. So what is it that officers are looking for inside her computer that can help?
MANDIA: I think that computers are like diaries. Actually, last night I got online, and I went to some of the travel sites, and then I followed standard investigative procedures and actually found the exact tickets that I purchased online, and I actually found the exact maps that I actually pulled up on MapQuest. So obviously, those things are clues to some of her last activities here.
Now, I don't know the particulars to the case, but I know about following standard procedures, I've been involved in cases in the past where we've looked at computers for computer intrusions, where we've actually looked at a hacker's machine. By the time we were done, we didn't just find evidence of the person who attacked the machines; we also found out whether or not they were doing drugs or whether or not they were cheating on their spouses. I mean, basically, we're opening up a whole autobiography when we open up a person's computer system.
LIN: Well, I can understand that they traced some information that she was looking at about the Klingle Mansion, which is near Rock Creek Park, where investigators are focusing their physical evidence search. They've looked at some of her e-mails, but, let's say, for example -- and we don't know this for a fact -- but let's say if she participated in a chat room -- would any of that evidence or that dialogue still exist in a computer where detectives could take a look at it?
MANDIA: Well, like all good attorneys, I'm going to give you the answer "well, that depends." But the answer is that this is a better scenario than many computer forensic scenarios. We're not dealing with a criminal here -- and when you're doing forensics on a criminal's computer, they're trying to hide their tracks and deniability. We're dealing with someone who is a general person and just an average computer user.
Now, if she set up her Internet relay chat software to actually log her sessions, you'd actually see every word she had typed. Otherwise, you would have to use standard investigative techniques and look through parts of the hard drive that aren't actually files but are called unallocated space, looking for that kind of text. I think that this is a good scenario, though, where that sort of thing would be found.
LIN: Now what about if she was e-mailing somebody, but that person used an alias or some sort of other nickname or something in their e-mail address? Can investigators learn anything from that?
MANDIA: Absolutely. First off, when you have someone's machine, you actually have their e-mail. You've got their inbox with every e-mail they received, and then you have actually every e-mail they sent. Now, just because the Internet is a faceless environment, anonymity is actually difficult to obtain there. What I mean by that is if you have an e-mail address, you can actually pierce anonymity behind it. So even if it's firstname.lastname@example.org, 63 is not a person's name, but you can actually serve subpoenas or the appropriate court orders to find out subscriber information in that case.
LIN: And is there anything that protects the subscriber's privacy?
MANDIA: Absolutely. There are laws in place. You are certainly not going to get that information without a court order or a subpoena.
LIN: Well, in the case of Chandra Levy, investigators can find out what Web sites she went to, they can find out if she sent e-mails, they can find out if she participated in chat rooms, but in the end, how does it add up in this investigation? What specifically do you think investigators are looking for?
MANDIA: I think they're going to look for a lot of different things. Her state of mind may be evident on the machine -- and I'm totally talking, at this point, off the cuff, of standard investigative procedures. But another thing that could be interesting is whoever -- if this is foul play -- the moment she disappeared, investigators would absolutely be able to see she got e-mail from these certain individuals every day, and some of the e-mail from those people stopped. Well, why did they stop sending e-mail? Or they may notice that she deleted the e-mail from the same person all the time, but left all the other e-mail on her machine. So there are tons of subtle clues throughout her computer -- and I can't speak specifics, but there are many of them.
LIN: So knowing what you know about the investigation -- and I know you're not participating in this particular one -- how critical do you think the information in her computer is going to be to determine whether she was murdered, whether she disappeared of her own volition, or any of that?
MANDIA: I think there are high probabilities that it will be relevant. No matter what the case, whether it's a homicide, a drug case, or anything else, investigators seize computers now, and in over 90 percent of them, they're finding evidence that supports the allegations and is of probative value.