South Dakota,1999. A woman is found drowned in her bathtub. An autopsy shows a high level of the sleeping pill Temazepam in her bloodstream.
It looks like a suicide that is, until investigators take a close look at her husband's computer. Turns out he's been researching painless killing methods on the Internet and taking notes on sleeping pills and household cleaners. Armed with that evidence, prosecutors are eventually able to put him behind bars.
Law enforcement agencies across the country are realizing that computer-related evidence is valuable in catching all kinds of criminals, not just hackers.
That's why they're scrambling to hire and train officers skilled in computer forensics, the discipline of collecting electronic evidence.
In the corporate world, demand for these IT sleuths is increasing, as well. They usually work as consultants. For example, a company might call a forensics examiner in to investigate how a hacker got into an IT system or to find out which employee walked off with confidential files.
But whether he works for law enforcement or the business world, a computer forensics examiner must be able to thoroughly scour an IT system for evidence while following a strict protocol, so that the evidence can be used in a court of law.
We talked to one forensics examiner with exactly that set of skills the kind of employee who's sure to be in high demand in both worlds for years to come.
The investigator: Patrick Lim, computer forensics examiner at the Regional Computer Forensics Laboratory (RCFL) in San DiegoPrevious experience: Lim has been a special agent at the Washington-based US Naval Criminal Investigative Service (NCIS) for the past 17 years. But it was only about four years ago, when he was transferred to the NCIS's Computer Investigations and Operations unit, that his career took a turn into the world of IT.
In January of last year, Lim helped launch the RCFL, a task force that pools the computer forensics resources of several law enforcement agencies in the San Diego area.
Lim says all examiners at the RCFL must have strong investigative and problem-solving skills, as well as a solid foundation in operating systems and computer imaging.
Responsibilities: Lim spends much of his time working on cases that directly involve computers, like child pornography on the Web or Internet fraud. Increasingly, though, all kinds of cases involve computers, he says. "In the past, people thought that computer forensics applied strictly to computer crimes," says Lim. "But since computers are now such a part of everyday life, we're finding that almost every crime at some point touches a computer."
For example, at the site of a bank robbery, investigators recovered demand notes that were written using a notepad application. Examining one suspect's computer, Lim found that the thief had been careful to delete the files. Looking deep into the hard drive, however, Lim was able to find copies of the notes that were automatically made by the printer.
No matter what the nature of the case, it's essential to leave all of the evidence exactly as it was found "just like a crime scene," says Lim. For that reason, forensics examiners never work directly on suspects' computers. Instead, they use computer imaging to make a complete bitstream copy of an entire machine, and they then comb the copy for whatever incriminating evidence they can find.
Who he is
Name: Patrick Lim.
Title: Computer forensics examiner.
Organisation: Regional Computer Forensics Laboratory, San Diego.
Nature of his work: Collects and analyses computer-related evidence in criminal investigations.
Skills Needed: Lim says a combination of investigative and IT skills is key.
Salary Potential: In law enforcement, $US50,000 to $70,000; in private companies and consulting firms, computer forensic examiners can make up to twice that.
Career path: Computer forensics skills could lead to jobs in law enforcement agencies or in the private sector, where demand for forensics experts is growing.
Advice: Consider getting a certification, like that offered by the FBI's Computer Analysis and Response Team program.