Scott Peterson’s Sudden Love of Deep-Water Fishing–Time-and-Date Stamps

Let’s continue to look at some computer-forensics testimony from a juror’s point of view for a change.

The first police officer to examine Scott Peterson’s computers was Kirk Stockham. His testimony is unnecessarily long, in my opinion. The prosecution used Stockham to demonstrate how careful the police investigators were and also to try to imply that Scott Peterson bought his boat for no purposes except nefarious purposes. To do this, apparently they thought they had to bludgeon the jury with tedious, technical issues. And the defense apparently thought they had to counter the impact of this techno-babble with equally tedious quibbles.

As to the first point (Stockham’s thoroughness), defense attorney Geragos scored some points by showing flaws in the process, but (I fear) the points were too subtle for the jury because they were too complicated. As to the second point, the length of the cross-examination only reinforced the “peculiar” fishing-related searches.

Toward the end of Stockham’s testimony, the prosecutor and the defense focused on times and dates when Scott Peterson accessed a website called something like “USA Fishing” and when he printed images from that website. I’m not sure why it mattered, but the parties argued over the dates Dec. 5, Dec. 8, and Dec. 9. Now, since Scott met Amber Frey sometime in late November, the prosecution thought it was sinister that Scott began thinking of buying a boat in early December. The defense tried to show that this assumption was based on erroneous interpretations of the computer-forensics evidence–but took a very long time doing this.

Here’s a section of that testimony (I have inserted comments and questions in all caps):

HARRIS: Mr. Stockham, I want to talk about this particular item Mr. Geragos was asking you in your first–looking at that–for you to assume something. And the assumption was that particular day 12-5, 2002, headline, if that was updated on a regular basis. Going back to that particular area what he’s asking you about that. Now, there is another date that he showed you on the bottom. You see the 12/9 date down there?



HARRIS: Now, on the left side lower portion of this particular — the USA Fishing website,

STOCKHAM: That means, if I if I was at that company’s offices, and I knew the computers that were serving up those web pages, I could probably find a file called SFBay dot HTML on that web serving computer, and it’s giving you that file name.


HARRIS: So when you go online, you are on the internet, you find a document, you want to print it, hit the button that says print on there, does your computer, when it prints it out, add something to the bottom of that document that says where it’s coming from?

STOCKHAM: In that case, yes. That’s a file name, yes.

HARRIS: So looking at this particular document, this document when it’s printed tells us it’s coming from this internet site?



HARRIS: Looking to the far right, when you print, this document has been — it’s stamped on the bottom of the document when your printer is doing it, so it gives you the location it’s coming from. Does it also give you the date?


HARRIS: So, now, looking at this particular document, since we know that it, from looking at that, that it’s coming from this website on that particular date —

GERAGOS: There is an objection. That misstates the evidence. Coming from the website, and it’s based on the internal clock. It’s not on that particular date.

JUDGE: Do you want to clean that up?

HARRIS: The date that’s being printed, is that coming from the computer, or from the within site?

STOCKHAM: It’s probably in the computer, but you can, just by seeing this copy — I am making some assumptions. If we have the actual file name, if we have that HTML, we can do what’s called view source, and you will see the code behind that. And you could tell exactly what the web page is doing. Asking me to make these conclusions from just a black and white printout, it’s an educational guess, but, you know, I need to go further to give you as good solid answer. It’s there on the computer file.


HARRIS: Without going through assumptions, let’s talk about what’s on this particular document in terms of facts. What’s printed at the bottom, that’s something that’s generated by the printer saying this is the location where this document comes from?

STOCKHAM: Yes, like a footer.

HARRIS: So the time that’s attached to that footer, as you were describing earlier, that is the time of the clock that that computer thinks that it’s printing?

GERAGOS: I think he is misstating. The date. The date, not the time.

JUDGE: Doesn’t have time. Has the date.

HARRIS: I’m sorry.

JUDGE: 12/9. Doesn’t have a time on it. At least I don’t see one.

HARRIS: The date?

STOCKHAM: Once again, if you have the file, and you look at the code and you do not find 12/9/2002. That has the text. Not that text. That had to be generated by the user’s PC, not the website.


HARRIS: Again, what we are looking at from this particular exhibit, we have the date from the PC, and the location where it’s being printed from, or where the information is coming from, and that shows us on the bottom of that document it’s 12/9/2002?

STOCKHAM: Correct.

HARRIS: So up higher in the document where it’s saying Today’s Headline, Thursday, December 5th, you were asked to assume that that was correct. Would it also be a fair assumption to say that that’s just — website has not updated that headline yet?

GERAGOS: Objection. That calls for speculation. He can’t answer that.


JUDGE: Well, he wants to know if it’s a fair assumption. You can cross him on it.

STOCKHAM: Once again, it could be a fair assumption. But the code will tell you if you look at that file.


HARRIS: And you were asked about that in terms of that particular USA Fishing, the Captain Hook banner goes to that particular document. That’s D5L-3. So I’m going to point out right there, where it says “BANNERCapthook”.


HARRIS: You were describing for us the dates that this particular data was created to the computer, the date created access modified, right?


HARRIS: What are the dates and times that that particular banner for Captain Hook was created on that computer?

STOCKHAM: We have a date of 12-8 of 02.

HARRIS: What time?

STOCKHAM: 8:19 a.m. with two seconds difference. On 8:19 —

JUDGE: It’s not 19.

STOCKHAM: I’m not sure what the columns are labeled without going back to the computer data

HARRIS: You were asked about these this — other gif that was up there, cb16 —

STOCKHAM: Cb16, underscore, bracket, 1, dot, g-i-f.

HARRIS: You were asked on here — on here some place?


HARRIS: On — do you see that up there someplace?

STOCKHAM: Yes. The upper middle.

HARRIS: Right there?


HARRIS: What’s the date and time that that was accessed on that computer?

STOCKHAM: 12-8 at 9:54 and 9:53.

HARRIS: Is that a.m. or p.m.?


HARRIS: So what would that be thirteen hours later?

STOCKHAM: Thirteen hours later from what?

HARRIS: From the earlier one, the Captain Hook in the a.m.



HARRIS: Now, I know computers do things at different speeds if you have got a dial up modem, if you got cable internet. But is it normal to take thirteen hours for a graphic to load?

STOCKHAM: No, not one of those.

HARRIS: Now, in terms of the times on the clock, you actually checked these particular clocks on these computers?


HARRIS: And you compared these clocks on these computers to the atomic clock?


HARRIS: And did you testify they were within two to three minutes of each other?


HARRIS: So in your assessment, were the clocks in these computers pretty accurate?


HARRIS: I have no other questions.


Recross Examination by Mark Geragos

GERAGOS: This one says 12/8. Do we have anything there that says “usafishing” on there with that same HTML that you just testified about?

STOCKHAM: You are asking to look at a lot of files.

GERAGOS: Well, the one —

STOCKHAM: That’s that big list on that piece of paper?

GERAGOS: Yeah. The one that he’s pointing to right here that I pointed to, Captain Hook, right? And then what he just asked you about, this item here. That doesn’t show up here, right?

STOCKHAM: No, not — correct. Not on that page.

GERAGOS: Right. It’s not on that page. So when obviously something is out of whack, because we have got 12/9 here, correct?


GERAGOS: And we have got 12/8 here, right?


GERAGOS: And then we have got 12/5 here, correct?


GERAGOS: Okay. So there is something out of whack there, right?

STOCKHAM: Well, not out of whack.

GERAGOS: There is something that’s — is there yet a third possibility, that this item — where was this recovered?

STOCKHAM: Well, you said that came from the desk.

GERAGOS: At the warehouse?


GERAGOS: And Mr. Wall is going to testify that these items came from the house?

STOCKHAM: From the — yes.

GERAGOS: From the laptop at the house that you named as the Dell Laptop at the house?


GERAGOS: Okay. Is there the third possibility, that it was — that this item was printed at the warehouse the following day?

STOCKHAM: Well, I don’t know. I didn’t do any printer tests.

GERAGOS: So we don’t — just don’t know?

STOCKHAM: That’s correct.

GERAGOS: Okay. Well, you don’t know at this point because you didn’t do a printer test?


GERAGOS: Printer test would tell us?

STOCKHAM: Well, not necessarily. Depends on the printer. And if I can match a printout from that printer.

GERAGOS: And the other question that Mr. Harris was asking you was the file times here on D5L-3. All of this is the internal clock, right?

STOCKHAM: Yes. Those would have been time stamps by the computer that had those files.

GERAGOS: Okay. And as you indicated before, much of the accuracy of that depends on the internal clock itself, correct?

STOCKHAM: Yes. And the user.

GERAGOS: And the user?


GERAGOS: Thank you. I have no further questions.

HARRIS: No additional questions.

JUDGE: Okay, Mr. Stockham. Thank you very much.

I congratulate Mr. Geragos on his cross-examination. Even a juror who didn’t sit in the jury box at the Peterson trial can understand it.

What did he show? That the prosecution believes that the first time Scott Peterson accessed the USA Fishing website was on Dec. 8. However, the defense showed that the police investigators didn’t bother to collate the results from all the computers. It’s impossible to tell when Scott accessed the website, except that it was probably after Dec. 5.

But how does this mitigate anything? The jury is still under the impression that Scott only became interested in the boat and the bay after meeting Amber Frey (his supposed motive for the crime).

Rhetorically, Stockham’s testimony bolsters the prosecution. He was clear and careful. The failings in the computer forensics examination were not his. The prosecution implied that the data was damning. The defense failed to imply that the data was ludicrously irrelevant; instead the defense went after the integrity of the data.

The Peterson family website explains their take on the boat-purchasing issue:

They list three people who told investigators that Scott was talking about buying a boat long before Dec. 5, but none of them testified at the trial. Why not?

In this humble juror’s opinion, Geragos won the technical battle by showing how indeterminate the computer evidence was, but lost the war of words.

To be continued ….

A Better Peterson Computer Forensics Examination

I recently looked at the Peterson trial transcripts and found that more than one computer forensics expert testified. My initial response to Lydell Wall’s testimony prompted me to complain about the confusing, inadequate way he explained the process through which he went. It’s a perfect example of the way “science” is used to confuse jurors in a circumstantial case.

Now I realize that Wall did not actually make the “mirror images” of the Peterson “hard drive.” Instead, it was a much-more articulate retired police officer named Kirk Stockham. Stockham did the initial analysis of five separate computers. He retired during the investigation and handed the case over to his colleagues.

Stockham’s testimony is much clearer about the process of hard-drive examination than Wall’s. He specifies the software he used. He specifies that multiple drives were examined on five computers, three or four of which were laptops. He seems to have been quite thorough. And his testimony reveals that a Sony Memory Stick used for digital photography was also examined–and corrupted by a third examiner named Joy Smith. There was even a fourth examiner named Kip Loving.

Stockham’s testimony is quite lengthy and involves multiple cross and redirect examinations. The upshot of it seems to be that the prosecution was trying to prove that the police did a thorough and careful examination of the Peterson computers; the defense was trying to show that the police were sloppy and may have corrupted the data. Buried in this barrage of techno-babble is one of the prosecution’s key assertions: that Scott Peterson only decided to buy the boat as a means of disposing of the body. Apparently, this was an important factor in the jury verdict.

I believe the excessive length of Stockham’s testimony served only to convince the jury that the data retrieved from the computers was important evidence. Unfortunately, it wasn’t.

This is a rhetorical issue: the focus of the trial was whether Scott Peterson had premeditated a brutal murder. The prosecution tried to use the evidence of the computers to show that Scott began plotting the crime soon after meeting his mistress Amber Frey. In contrast, the defense ought to have tried to show either that Scott did nothing different after meeting Amber or that the computer data was irrelevant entirely (in other ways, for example, either that he was always interested in fishing and boats or that his searches were entirely irrelevant). Instead, by hammering away at police mistakes with the computer data, Geragos’s cross-examination came across to the jury as defense obfuscation of important information.

Of course, the loss of data from the memory stick is important. It shows that the police computer examination could have been very flawed. But for the jury, the loss of data would only be important if exculpatory information were lost. Even so, I can’t find anywhere in the testimony the defense suggests this. Since Scott can be presumed to know what the photos were, the jury must have wondered why the defense never told them.

If the testimony about the police examination process had been brief (as it ought always to be), then Geragos could have highlighted the corrupted memory stick. To keep the technical testimony brief, Geragos might have stipulated to everything except the memory stick data. Or, he might have stipulated to everything other than specific instances in which he thought the police might have corrupted or lost exculpatory information. Geragos focused in his cross of Stockham on certain time-and-date stamps, but without making it clear to the jury why they were important.

The real issues at stake in Stockham’s testimony seem to have been: a) when Scott began searching for boats and b) what photographs might have been lost from the memory stick. So, when did either side explain the importance of these items? I suspect they might have left this for the closing arguments. If so, by that time all the jury would retain from Stockham’s testimony is the sense that the computer data was damning–even if it wasn’t.

I would like to address the issues of the boat and the memory stick separately. I feel the first is an example of the misuse of search data as evidence of a crime. The second involves problems with computer date-and-time stamps and what damage might be done to a criminal investigation by the loss of data.

To be continued . . . .

MA v. Sean Fitzpatrick, Jailed Beyond a Reasonable Doubt

The judge in the murder trial of Sean Fitzpatrick (accused of the shotgun shooting of his lover’s husband) prepared the following instruction for the jury:

“A charge is proved beyond a reasonable doubt if you have in your minds after the evaluation of all the evidence an abiding conviction to a moral certainty that the charge is true.”

She can be excused for the tortuous syntax, because this is no doubt a “pattern jury instruction” in the State of Massachusetts. You see, each state’s court system prepares standard wording for the instructions a judge delivers to a jury before they go into deliberations. The judge has some, but not much, discretion in choosing from among a set of possible instructions and may only reword them at her peril.

Even so, the above instruction, which she reread at the jury’s request during deliberations, is a surprising choice, in my opinion. The U.S. Supreme Court has ruled at least once that reasonable doubt instructions need not include the phrase “moral certainty,” and, in fact, the prevailing opinion seems to be that moral certainty is an impossibility, especially in a circumstantial case, such as the Fitzpatrick one.

I’ve been researching the origin of the phrase “beyond a reasonable doubt” for a couple of years. (It’s the sort of research I learned to love in grad school). So, I have a lot to say about it, but I won’t bore you here.

What I will say is that when the judge read that instruction to the Fitzpatrick jury I knew that at least one juror felt the prosecution had not proved its case.

It’s funny, but even though I too felt the case was weak, I also had a sort of gut reaction about the defendant. He seemed like a “type” I’ve encountered quite frequently in my various careers: someone who’s very self-impressed, a geek who thinks he’s smarter than everyone else simply because he doesn’t hang around with very smart people and probably because he was fawned over by his mother. No, I wouldn’t necessarily have voted “guilty” just because I disliked the guy, but I would also have been very uneasy voting “not guilty.”

I suspect that the juror(s) who held out and hung the jury was also either a technical-type or a perfectionist, like me. We Hermione Grangers tend to dislike something that the prosecution did in this case: we dislike the appearance of an incomplete investigation. The cops in the Fitzpatrick case (as his lawyer R. Giola pointed out in his closing argument) did not investigate the possibility that someone else had committed the crime. The forensic evidence did not link the defendant to the crime except in the vaguest of ways (his DNA was on the steering wheel of a truck that was suspected of having transported the killer to the crime scene–but which was never proved to be “the get-to and getaway vehicle,” so to speak). Computer forensics attempted to prove the defendant’s location on the morning of the killing by means of cell-phone triangulation, but in fact it only proved he was where he said he was. This kind of speculative forensics does not bring me to a “moral certainty.”

The only aspect of the forensic evidence that influenced me was that Fitzpatrick’s DNA was proven to be on a threatening note sent to the victim’s family after the crime. The letter implied that the killing was business-related, thus diverting attention from the scorned lover’s more personal motive. But the defendant deftly defused this evidence by taking the stand and admitting he had sent it specifically because he knew the police had decided he was the prime suspect.

I’m of two minds about this: on the one hand, I can see this as the desperate act of a terrified innocent person, and on the other hand I can also see it as a too-clever-by-half attempt to confuse the investigators.

I guess, if I were on the jury, I would have to follow the judge’s instructions: there must have been an instruction that said that any evidence that could be taken two ways must be taken in the light most favorable to the defendant; and I would have had to say I had not been convinced to a moral certainty.

What I want to know is why the defendant can still be held in jail when the state did not prove he was guilty?

Author Judy Alter on Justice in the West


Guest Blogger Judy Alter is director of the TCU Press in Fort Worth and the author of over 60 books, most for children and young adults. She’s the winner of the 2005 Western Writers of America Owen Wister Award for Lifetime Achievement.

Please visit her blog at and her website at


When Catherine asked me to blog on the subject of justice in the Old West, my mind boggled. I’ve written about the Old—and New—West most of my professional career, but I don’t know that much had to do with justice. It’s certainly not something I researched.

But then I thought about my first young-adult novel, published in 1978 by William Morrow & Co. I called it A Year with No Summer, but the marketing folks changed it to After Pa Was Shot, which does not trip easily off the tongue. The story was taken from an actual incident in a small East Texas town, but my ideas about East Texas—and the Old West—at the turn of the 20th century were hazy at best, typical of a northerner come south (which I then was—now I think of myself as a Texan and will argue with those who say you have to be born here to be a Texan). A young girl’s father, a deputy sheriff, arrests a drunken man on Christmas Eve and jails him to sleep it off. When the now-sober drunk is released, he shoots the father to death on the streets of the town. I remember thinking, “How could that be? East Texas was civilized by then. It wasn’t the wild and woolly Old West.” It may not have been the Old West, but as I now know from having studied Texas history for 40-plus years, East Texas was a violent place, home of some of the West’s most notable feuds.

The whole story is less about official justice than it is “fair” and “right.” Ellsbeth’s father dies because, although he fired first, his gun misfired the first time, and the shooter, Ben Short, gets off because the sheriff says it has to be called self-defense. Ben Short recovers from his wounds, and Pa dies. Ellsbeth writes she wanted to holler to God in Heaven that it wasn’t fair. Would an East Texas jury have been any more fair?

A lot of justice in the West was unfair. Butch Cassidy was once jailed for taking a pair of jeans from a store, even though he had left an IOU and considered his word was his bond. After that jail term (from which he escaped when being transferred on a train) soured him on following the law, Butch skirted justice a whole lot, once robbing a landlord of the money his tenant, an elderly woman, needed to pay to avoid eviction. Sure, he almost got caught several times, but he didn’t—probably not even in South America.

In The Virginian and in Elmer Kelton’s much more recent The Day the Cowboys Quit, cowboys take justice into their own hands and lynch rustlers. I could go on and on with examples—just re-watch “High Noon” for a definition of justice. Fair? Who’s to say? Especially who among us of the 21st century is to apply standards of justice to the late-19th-century West.

It seems to me a lot of justice in the Old West had less to do with the law than with fairness or the lack thereof. There were judges and juries of course—Hanging Isaac Parker comes to mind—but a lot of the “law” never reached the courts.

Hanging Judges

Oklahoma became a state in 1907, but before that it was Indian Territory–the epitome of the Wild West. Justice was administered from a courtroom in Ft. Smith, Arkansas, by a judge named Isaac Parker. So many murderers were convicted and sentenced to death by hanging in his courtroom that he became known as “The Hanging Judge” and his court as “The Court of the Damned.” “Suspects” were rounded up by a couple of dozen deputy marshals who traveled the territory on horseback, shot and asked questions later, and then dragged the bad guys back to jail in Ft. Smith, where a jury of their peers convicted them. Apparently, the deputy marshals who arrested them were the principal witnesses against them.

One of these deputies was Jim Cole, my great-grandfather. I haven’t spent much time researching his biography, but my mother has. I just found an interesting document (Edwin C. Bearss, Law Enforcement at Fort Smith, 1871-1896– ). I plan to read it tonight and hope to find some references to Jim Cole. I notice already that it includes a photograph of the deputy marshals standing in front of the courthouse (a copy of which I own): my great-grandfather is the paunchy man on horseback to the far right.

Jim Cole has gone down in history as the deputy who shot Frank Dalton in the back (although my mother disputes this). He received several gunshot wounds in return, but still managed to ride back to Ft. Smith afterwards. The saga of Dalton’s demise is available at the National Park Service website for Ft. Smith: (The National Park Service is an unsung hero of American history. If you haven’t visited a National Park Service historical site under their guidance, you’ve missed a great experience.)

The Hanging Judge presided over jury trials, so technically it is the juries who ought to take some of the blame for the severity of the court. The National Park Service explains the process succinctly here: .

I’m not as skeptical of the guilt of the accused in Parker’s court as East Coast newspapers were at the turn of the century (it was the press that dubbed Isaac Parker the “Hanging Judge”). Living in Indian Territory was probably like living in the worst slums of a modern inner city. Gangs roamed with impunity. Everyone knew who was up to no good. The gangs were proud of what they did–they were like proto-revolutionaries. They were disenfranchised by the Civil War and blamed their own poverty on “Yankee” big business, especially the banks and railroads.

I also can’t believe that current juries are more lenient than juries in the Ft. Smith courtroom. The conviction rate these days is pretty high, and the imposition of capital punishment when available also seems to be the norm. The only real differences that I can see were the speed with which the punishment was “executed,” the fact of simultaneous executions, and that executions were public.

Juries and Justice in the Old West

One of my great-grandfathers was a deputy sheriff for “The Hanging Judge” Isaac Parker in Fort Smith, Arkansas. Here’s the mystery: Were criminals tried only before the judge or were there juries present? And was there any real justice in the Old West? Did my great-grandfather shoot from the hip and ask questions later?

My great-grandfather’s name was James “Jim” Cole. When Frank James (Jesse’s brother) got out of prison and made the lecture circuit, one of the people he stayed with was Jim Cole. My grandfather Elmer Cole was just a kid, but he remembered the visit well. The mystery in our family is what the relationship between the Coles and the James family was. Jesse’s mother was a Cole, but we’ve never been able to find out if there was even a distant connection. Then, too, there’s the Younger Gang, led by Cole Younger. My great-grandfather was severely wounded in a shoot-out with the Youngers, but my grandfather always said there really wasn’t much difference between the law in those days and the lawless.

If that was so, what about those Wild West jurors?

Dumbing Things Down for the Jury–Why Assume They’re Dumb?

In a series of blog posts I plan to “investigate” the rhetoric of computer forensics. By rhetoric I mean the verbal techniques used in court by all the parties when they attempt to persuade a jury that data recovered from a defendant’s hard drives are proof of his crimes.

Among the topics I plan to cover are:

  • The use of search-engine activity as evidence of criminal intent

  • The use of email activity and messages as evidence

  • The failure to use certain types of information that are also stored on computer hard drives

But first I’m going to “examine” the way computer forensic examiners try to explain their job to a jury. To put it simply, they don’t seem to be able to put it simply.

I realize the law requires the prosecution to establish the “chain of custody” of the computer and hard drives involved. They also need to explain how they protect the data on the computer from “contamination.” But they don’t need to go into great (boring) detail.

No one needs to worry about the police having inadvertently or intentionally introduced false information. As concerns data recovered from computers, there’s little chance of faulty techniques, degradation of information, contamination, or any of the other standard complaints that defense attorneys have about other sorts of forensic evidence. I can only assume, though, that most prosecutors are afraid that most defense attorneys will try to claim that the recovered records are degraded, contaminated, or just plain fabricated.

I wish someone (the ABA, maybe?) would draft some clear, concise questions for prosecutors and some standard, accurate, but jargon-free responses for expert witnesses. For example, I assume that typically police seize a suspect’s computer, and then (without booting the computer up first) they remove the hard drives from it and make a bit-by-bit copy (or “image”) of the data recorded on the drives using a device specifically designed for that purpose. This image is recorded onto some form of blank media (I would guess, a large-capacity hard drive, but I suppose it could be a flash drive or even a series of CDs or DVDs). Next, a “computer forensics expert” (whom I’ll refer to for simplicity as a “CFE”) runs a program on the image to analyze the data and find information that may be relevant to the criminal investigation.

In addition, prosecutors ought not to leave the impression that the investigators did not thoroughly examine all possible sources of data about the defendant’s computer use. When I asked computer forensics expert Larry Daniel whether it was standard procedure to testify about “the hard drive” even when more than one such drive was actually involved, he told me:

“When I testify, I normally refer to ‘the’ hard drive on the person’s computer as well. Only because it is less confusing than trying to refer to the specific drive letter, which in testimony is not relevant . . . .”

Unfortunately, when a CFE refers on the stand to “the hard drive,” it leads me to believe that only the C: drive was examined. (It’s the drive where most user activity is recorded, but not necessarily the only drive where evidence might be found.) Here, too, a brief question and response could clarify the situation for the jury.

Worst of all is the way prosecutors and CFEs try to explain to the jury how computers work. Since I was a computer documentation writer for several years, I realize how hard this is to do, but the key to success is not telling your audience more than they need to know. And juries: a) don’t need to know much about computers, and b) many jurors are more computer-literate than the average lawyer. (On the jury on which I served were a college student, a statistician, and an electronics engineer.)

IMHO, all a jury needs to understand about a computer is that there is no way to permanently delete information from a computer’s hard drives and other storage media without overwriting the information (and this is hard to do) and that computers record all sorts of information other than simply what the user intentionally saves. This other information includes event logs, date-and-time stamps, and almost every keystroke and mouse click.
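The two technical points above, that the examiner works on a verified bit-for-bit image and that an ordinary delete removes only the pointer to the data, can be modelled in a few lines. This is an added illustration, not code from the trial record or from any forensic product; the `ToyDisk` class, its 16-byte clusters and the file contents are all constructed for the example.

```python
import hashlib

CLUSTER = 16  # bytes per cluster on this toy disk (constructed value)


class ToyDisk:
    """Hypothetical miniature disk: a directory of pointers plus raw clusters."""

    def __init__(self, n_clusters):
        self.data = bytearray(n_clusters * CLUSTER)  # the raw storage
        self.directory = {}                          # name -> cluster indexes
        self.free = list(range(n_clusters))          # unallocated clusters

    def write_file(self, name, content):
        needed = max(1, -(-len(content) // CLUSTER))  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        clusters = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(clusters):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER].ljust(CLUSTER, b"\x00")
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = chunk
        self.directory[name] = clusters

    def delete_file(self, name):
        # An ordinary delete: the directory entry (the "house number") goes,
        # the clusters are marked reusable, and the bytes are left untouched.
        clusters = self.directory.pop(name)
        self.free = sorted(self.free + clusters)

    def allocated(self):
        return {c for clusters in self.directory.values() for c in clusters}


def acquire_image(disk):
    """Bit-for-bit copy of the raw storage, checked against a SHA-256 hash."""
    source_hash = hashlib.sha256(disk.data).hexdigest()
    image = bytes(disk.data)
    if hashlib.sha256(image).hexdigest() != source_hash:
        raise ValueError("image does not match source")
    return image, source_hash


def verify_image(image, recorded_hash):
    """True only if the working copy is still identical to what was acquired."""
    return hashlib.sha256(image).hexdigest() == recorded_hash


def find_in_unallocated(image, allocated, needle):
    """Keyword search restricted to clusters that no live file points to."""
    view = bytearray(image)
    for c in allocated:                       # blank out live files
        view[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)
    hits, pos = [], view.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = view.find(needle, pos + 1)
    return hits


def demo():
    disk = ToyDisk(8)
    disk.write_file("keep.txt", b"constructed: grocery list")
    disk.write_file("notes.txt", b"constructed: tide tables for the bay")
    disk.delete_file("notes.txt")             # user "deletes" the file

    # Image taken after the delete: the text is gone from the directory
    # but still present in unallocated space.
    image, digest = acquire_image(disk)
    before = find_in_unallocated(image, disk.allocated(), b"tide tables")

    # Any change to the working copy, even one bit, breaks the recorded hash.
    tampered = bytes([image[0] ^ 1]) + image[1:]

    # A later file reuses the freed clusters and overwrites the old bytes.
    disk.write_file("new.txt", b"X" * 48)
    image2, digest2 = acquire_image(disk)
    after = find_in_unallocated(image2, disk.allocated(), b"tide tables")

    return {
        "hits_before_overwrite": before,
        "hits_after_overwrite": after,
        "image_verifies": verify_image(image, digest),
        "tampered_verifies": verify_image(tampered, digest),
        "hash_changed_after_overwrite": digest != digest2,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The deleted text is found at byte offset 45 of the first image and nowhere in the second, which is the distinction between "deleted" and "overwritten" that the testimony below circles around.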

Let’s look at the Scott Peterson trial and the police computer forensics examiner, Lydell Wall. Wall appears to have done a workman-like job of recovering data from several computers. However, reading through the transcript of Wall’s testimony, I couldn’t find anywhere that he stated exactly what he did to Peterson’s computers. Then, the prosecutor got all hung up on the issue of what happens when someone tries to delete a file. The judge got confused. Wall introduced inaccuracies by trying to dumb things down for the judge and jury.

Here are excerpts from Lydell Wall’s approximately 3,000-word explanation of what he did to Peterson’s laptop:

      [Prosecutor] HARRIS: …  For a computer, if a
      person deletes something from their computer, so you are using the
      operating system, and hit delete, what happens to that information on the
      [Witness] WALL: Well, in most cases that information never really goes away. The
      analogy I like to draw for people to clearly understand is, if you took
      the numbers off of your house, the house is still there, it’s just the
      address is gone. Makes it more difficult to locate. So the data is still
      presently there, unless it is being overwritten by other data that’s being
      allocated to that space. Most of the files, especially in large hard
      drives, are still going to be there.
      HARRIS: Counsel was asking you about recovery of deleted information. Can
      you explain to us that process, what it is that you do forensically in one
      of your examinations to try and recover data that’s been deleted?
      JUDGE: Can I just ask one, this also applies to files, which is, you know,
      delete files, delete history?
      WALL: There is several ways that operating systems can delete files. You
      can manually delete something by selecting that file and selecting the
      delete key.
      JUDGE: And click it?
      WALL: Yes. It goes into the recycle bin, we can delete from. There is,
      also the operating system can also delete things on its own, depending on
      the settings that you have through your Internet Browser.
      JUDGE: Supposing you get, select options, the top of your computer, and
      you get delete file, delete history. Does that actually eliminate the
      website you were looking at?
      WALL: No.
      JUDGE: Is it still in the computer?
      WALL: In most cases it is still there, your Honor.
      JUDGE: Still retrievable?
      WALL: Yes, sir.
      JUDGE: Go ahead.
      HARRIS: Detective, let’s go back through this a little bit more. The, can
      you, I guess for lack of a better term, can you give us a breakdown in lay
      person’s terms, how does a computer actually work?
      WALL: Well, computers are basically complex electronic filing cabinets, is
      the easiest term that I could come up with for that. They are large
      capacity storage systems consisting of a processor, memory, a hard drive,
      or storage device, and input and output device, such as a keyboard and a
      mouse. And through a series of key strokes or other input methods, files
      are created and can be stored on computers; and, in the same way, they can
      be deleted as well.

      HARRIS: Now, so you are on the internet, and you go to a particular
      website, and you close down your computer, or leave the browser, what
      WALL: Well, a lot of things happen. When you go to a website, all of that
      information that’s from that website actually gets put into a temporary
      internet file or a cache file. What happened is, the text and the images
      basically get separated. They are all there in that same filing area, but
      they don’t stay together like you would typically see them in a web page,
      or if you printed them out. So the data is all there, and can be recovered.
      HARRIS: When you say the data is there and can be recovered, can you
      explain that process to us?
      WALL: Well, the websites are there and can be recovered. When we use our
      forensic software to view this information, it’s very similar to using
      your own Windows operating system. But, let’s say, for example Windows
      Explorer if, you are familiar with that process, it is a graphical user
      interface that allows you to see files and folders on your computer, much
      in the same way that a normal user would see it in Windows. So our
      software allows us to view those files in the same way, except for the
      fact that files that are hidden by the operating system, we can see. The
      normal user can’t, doesn’t normally see those. Things that are in
      unallocated space we can access. So the normal user doesn’t normally
      access the unallocated space of a computer.
      HARRIS: What is unallocated space?
      WALL: Well, there is basically two forms of space on a computer: Allocated
      space, which would be the space that you would normally access when you
      are using your computer, and then unallocated space. That’s the things
      that get deleted. And when you fill your recycle bin, they go to
      unallocated space. When you select your Internet Browser to delete
      Temporary Internet Files, they get deleted in a different way, and go to
      the same area, unallocated space in the computer.

Enough already!

A prosecutor should ask technical questions that have something to do with the evidence recovered from the hard drives. If cookies are an important clue to something, then define them. If not, don’t. The jury doesn’t care or need to know about allocated and unallocated disk space. They don’t need to be told in “operating system” jargon where the information was found–no registries, no temporary files, no reference to the operating system at all–unless this is an important “clue.”

Perhaps it would be helpful if all the parties would stipulate to certain things in advance of the testimony. For example, in some cases the defense could stipulate to the accuracy of the hard drive image that the prosecution produced (if they feel it was accurate). They might stipulate to the chain of custody and the lack of contamination of the data (if they believe that’s true). Then they could help to write a simple, clear explanation of the forensic examination of a computer. It would be so much better than forcing a jury to listen to the garbled, nearly incoherent “explanations” of CFEs such as Wall.

The defense could even stipulate that the data recovered is accurate. Then there would be no need to talk about what happens when something is deleted or when a user types in a search string at Yahoo.

Of course, it’s possible that both the prosecution and the defense actually want the jury to be confused. In this age of the ubiquitous computer, though, I think they do so at their peril. Many jurors may understand a great deal more than the attorneys think–and more than the attorneys do themselves. Once the jury begins deliberations, the computer experts on the jury will clarify things for the rest of the panel. They will–believe me. When that happens, the attorneys have lost influence over what the jury will conclude from the testimony.

In Wall’s testimony, defense attorney Geragos objected to Wall interpreting a poorly printed or copied search string that appeared to include an “approximate” sign (squiggle). This is a legitimate thing to which to object. CFEs ought to produce clear, clean prints. In some circumstances a poor print might make a big difference in something like a time stamp.

But very little of Wall’s introductory testimony in the Peterson trial was relevant or helpful for the jury.

And then it got worse.

Next time, my complaints about the way prosecutors use keyword searches.

To be continued…


There are two types of people in the world

I think it’s very funny when someone says, “There are two kinds of people in the world . . ..” All you have to do is look at your own family to know there are more than two types.

The textbook personality types are really just caricatures–cartoon critters. And that goes for personality disorders, like the ones used to “profile” killers, too. Remember when the FBI profilers declared that the Beltway Sniper was a lone, white, young male? “He” turned out to be two, African-American males, one very young and one middle-aged.

But that said, there are two kinds of people in the world, those who can’t stand to think of killers getting away with it and those who can’t stand to think of innocent people being condemned for something they didn’t do. To judge by the Scott Peterson case, I would guess the former greatly outnumber the latter.

I know myself well enough to say I’m among those who fear condemning someone for something they didn’t do. In part it’s probably because of the way I was raised: my parents warned me, “Judge not lest ye be judged.” In part, it’s because I don’t trust the government to get much of anything right. This mindset made my jury service very traumatic. Emotional conflict was the last thing I expected from the experience. Only subsequently have I learned that many, if not most, jurors find a criminal trial to be a wrenching experience.

So, I have great sympathy for the Peterson jurors. They had to sit for weeks and watch a family tragedy unfold. Then they had to decide whether to condemn a fellow human being to death.

I have no idea whether or not Scott Peterson is a murderer, but from what I know of the case I don’t feel the state proved its case beyond a reasonable doubt. I suspect the state merely made Scott Peterson seem like the most-likely culprit. I also don’t support the death penalty, so I’m doubly disturbed by the outcome of the trial.

This kind of high-profile trial may be part of the reason that so few people are willing to serve on juries. Who would want to go through something like that?

I will admit that I was very curious about jury duty and I did, actually, want to serve, although I told myself that I didn’t. I felt sure that when I admitted I was a struggling mystery writer and avid fan of CourtTV (now TrueTV), the judge would dismiss me instantly.

Now I realize that one reason I didn’t think I would mind jury duty is that I’m a very judgmental person–and proud of it. So even though my parents warned me about the tendency and also instilled a fear in me of being falsely accused myself, I don’t really mind sitting in judgment. Most people probably mind a great deal.

That leads me to conclude that people who are willing to serve on a jury tend to be judgmental. But that doesn’t mean they all relish the thought of condemning a defendant–only that they are willing to accept the responsibility that goes with jury service.

So, if there really are two kinds of people in the world (those who can’t bear to see a killer get away with it and those who can’t bear to see an innocent person condemned), on any given jury there are likely to be six of the first category and half a dozen of the other.

Unfortunately, there are also only two types of lawyers in a criminal courtroom–those who believe the defendant is guilty and those who believe there’s reasonable doubt. (I suspect no one really believes the defendant is completely innocent, even though we’ve all heard about outrageous cases in which completely innocent people were sent to prison.)

I’m convinced that even defense attorneys don’t believe their clients are innocent. As I understand it, they instruct their clients not to tell them what really happened, because as officers of the court they are obliged not to lie about it. They would prefer to remain ignorant so they can say all sorts of ridiculous things in court. By warning their clients not to speak to anyone, even them, defense attorneys can say whatever they want to in their opening statements. Then they try to whittle away the prosecution’s case in cross-examination of witnesses. If they succeed in that, they feel they can fail to present a substantial defense case. Then in closing, they can try to bully the jury into believing the prosecution failed to prove its case (even if it seems by a preponderance of the evidence that the defendant is guilty–because “beyond a reasonable doubt” is a higher standard than a “preponderance of the evidence.”)

Of course, there really aren’t just two kinds of people in the world. Part of the problem with the adversarial judicial system is that it acts as if there were.

Bruce Ivins, Insane Army Scientist with Bio Weapons Clearance

I hate it when I’m wrong. Fortunately, that doesn’t happen very often–but it does happen.

When I was a nonfiction writer, by definition I was never wrong. I guess that made me over-confident. As a fiction writer, by definition I’m always wrong, always lying. (The transition between realms is rather difficult in many ways.)

I hear that journalism students these days are taught to present facts as fiction–find a good guy and a bad guy in every story, even when it’s far more complicated than that. And mystery writers are told to make their fantasies sound gritty and true, no matter how outlandish they are.

OK. So I was wrong about the anthrax letters originating with an Arabic speaker.

Or was I? A quick survey of the latest on Google news suggests that a lot of people are skeptical about the FBI’s claims that a Ft. Detrick scientist named Bruce Ivins was the source of the particular strain of powdered anthrax that terrorized this country in 2001.

It’s a bit of a puzzle how they spent seven years hounding Steven Hatfill, then ended up paying him $5 million, and then, all of a sudden, they’re on the scent again (and “have been for some time”). Sadly, just as they’re about to pounce, their prey commits suicide.

Ivins’ suicide apparently was triggered by an FBI investigation that was closing in on him. The FBI considers that proof-positive of his guilt. But he was also a deeply, psychologically troubled person. His own therapist now claims to have been afraid of him. Why do we assume he committed suicide out of overwhelming guilt and not overwhelming paranoia instead? You know what they say, even paranoids have enemies, and in this case his enemies included the entire FBI.

Among the odd circumstantial evidence against Ivins is the claim that he was fixated on a sorority, which had a campus house near one of the mailboxes used in the terror campaign. (They imply Ivins drove to Princeton from Maryland to get his jollies by dropping a tainted letter in a mailbox near the sorority house. Couldn’t he find one at the University of Maryland? Or at Johns Hopkins?)

His therapist’s hysterical claims about her fears of him also seem to be damning, but you have to wonder why she didn’t report her concerns about his potential as a mass murderer to the authorities long ago. I know there’s a strict code of confidentiality in the doctor-patient relationship, but there must also be a responsibility to the community. Can’t a therapist have such a person committed based on being “a danger to himself and others”?

Besides, reports are that Ivins was under a doctor’s care for years. Does this mean that biological-weapons scientists at Ft. Detrick don’t need security clearance? Is it OK to be crazy and work with anthrax? Or was the Army unable to find out that he was visiting a therapist when they gave him security clearance? (Enquiring minds want to know.)

If Ivins did it, he was incredibly crafty in his methods. He began with the National Enquirer in Florida before the 9/11 attacks. By an odd coincidence the scandal rag’s offices were near where 9/11 leader Mohammed Atta was stationed. That first envelope is in some landfill somewhere. After 9/11 he adopted an Arabic persona, dressing the envelopes up in crude printing with a return address for a BBC children’s show’s fictitious school. All the postmarks were from New Jersey.

Granted, NJ is within a day’s drive of Maryland, where Ivins lived, but can the FBI prove he had no alibi for the days in question? After all, NJ is even closer to NYC, where the next set of envelopes were sent. He could have driven south, just as easily, to a state like North Carolina or Georgia, where there are large Moslem communities to implicate.

It looks as if we’ll never know for sure. The FBI is tired of this case. Now they can close the file and move on to the next big case. Maybe they’ll move on to someone like Drew Peterson, my fellow Chicago-suburbanite. Maybe they’ll find Staci’s body buried in the Kane County landfill or under one of the newly paved roads in the endless, new housing developments there.

No, that’s unlikely. The media have lost the scent on that one. They’ll find a riper candidate for the FBI. 


Computer Hard-Drive Analysis 101

A couple of weeks ago, I began a series of posts about some problems I perceive in the way computer forensics and scientific evidence are presented to juries. As an example, I chose the computer-forensics testimony of Lydell Wall in the Scott Peterson murder trial. Two people who followed the trial closely supplied me with access to transcripts and other information and a computer forensics expert gave me some additional insights. I have unpublished two of my posts on the subject and plan to take an entirely new approach to the issue, which incorporates a great deal of this information.