A new technique in law enforcement -- called forensic computer science -- helps put a murderer behind bars.
Each morning, before she left for work, Dorothy Boyer made herself a fresh cup of hot coffee. She'd pull the coffee can from the shelf, measure its contents into a filter, and wait for the water to seep through.
But one day she began to feel ill. The following day, she was so sick she couldn't get out of bed. Her entire body ached, she had intense stomach pain and was vomiting.
The next morning, Boyer felt much better and returned to her normal routine. She got up early, prepared for her day, made her coffee and went to work. But by noon she was once again doubled over with stomach pain.
When she returned home that afternoon she noticed something strange -- the coffee can was not where she left it that morning. The next day she felt better again, and once more returned to her daily routine. But this time, before she left, she noted the exact position of the coffee can. Sure enough, when she returned from work, it had moved.
Boyer called the police, who confiscated the can and checked it for fingerprints. They found some -- her ex-husband's -- all over the can. Police arrested Richard K. Overton, who confessed he had been poisoning her coffee with a heavy metal called selenium to get revenge after she was awarded the house in their divorce settlement. Overton would have gone to jail, but Boyer refused to testify against him and, consequently, he went free.
But as it turned out, the poisoning was just one step in a trail of lies and deceit that would eventually lead to the murder of Overton's third wife, a crime from which he again almost walked away free. Ironically, just as Overton hid poison in an innocent-appearing can of coffee, the evidence that would convict him -- remnants of his personal diary -- resided in a seemingly empty computer disk.
A TANGLED WEB
In January 1988, Overton's third wife, Janet, suddenly collapsed and died in the driveway of the couple's home. Investigators were unable to determine a cause of death.
Boyer read the obituary in the newspaper and decided it was time she spoke up. She called the police and told them Overton had tried to poison her 15 years earlier. By that time the remains of Janet Overton had been cremated. But police ordered an analysis of her ashes, which confirmed the first wife's hunch -- traces of cyanide.
Overton, who was by this time a professor at the University of Southern California, was arrested and charged with murdering his third wife, a trustee of the Capistrano School District. The case was handled by the Orange County, Calif., District Attorney's Office, and became one of the county's most famous and twisted murder cases.
Although they had been divorced for almost 15 years, Boyer's testimony revealed the whole scheme that led up to her coffee-can poisoning. At that time, the defendant worked for an aerospace contractor and had a top-secret-level clearance. While married, he met and married another woman -- Karoline Wallace -- adopting the identity of a co-worker to legally marry the second woman. He would tell one wife he was on a business trip while he lived with the other wife. Every few weeks, one would drop him off at the airport as if he was leaving, and the other would pick him up as if he was returning. For a year and a half, his scam worked.
Then one day Wallace needed to get in touch with her husband. She called his employer and spoke to the person whose identity her husband had adopted. He had no knowledge of her and contacted security because of his top-secret clearance. An investigation revealed the whole scam. Wallace got an annulment. Boyer got a divorce, which was when she received the house and Overton began poisoning her coffee.
Years went by and Overton married again. But all was not well in this marriage either. He suspected Janet was cheating on him, and gave her cyanide to make her sick. But this time, instead of just becoming ill, she died.
After Overton's arrest, a search warrant was executed. Among other things, police confiscated numerous floppy disks. One of the disks contained the remains of his personal diary, which would turn out to be the key piece of evidence in the case. On June 9, 1992, the trial began.
"All the clusters on the disk were used," said Joe Enders, who testified at the trial as a computer evidence expert. "It appeared that he tried to copy his personal diary from the hard drive onto a floppy, but the diary wouldn't fit on the disk, so he probably got a message that there was not sufficient space on the disk to hold the diary. He must have replaced the disk with a new one, which he probably hid or destroyed," Enders explained. But what the defendant didn't know was something Enders had learned while studying a relatively new area of law enforcement -- known as forensic computer science -- at the Federal Law Enforcement Training Center (FLETC) in 1989.
While there was no indication of a file on the disk, Enders knew that when someone tries to copy something onto a disk, the computer writes one cluster after another. "If there isn't enough space to copy the entire file, the machine tells the user there's not enough space. It goes back and deletes the file entry in the directory, but leaves all the information it had already written to the disk. So except for the very end of the diary, which there wasn't space for, all the information was still on there."
But even with this key piece of evidence, prosecutors were still up against a crafty individual who did not want to go to jail. "During the trial he got up and testified and either had a heart attack or feigned a heart attack when he came off the stand, so they stopped the trial," said Enders. "While he was allegedly recovering, his attorney had a mental breakdown. The trial was delayed for such along period of time, the judge declared a mistrial."
THE SECOND TRIAL
At the second trial, which began March 28, 1995, lawyers for the prosecution finally had a chance to present their computer evidence. While the defendant testified that he and Janet had a happy and problem-free marriage, prosecutors presented pieces of the diary they had recovered from the disk that proved otherwise.
"While he didn't spell out that he was going to kill his wife, the diary did reveal his state of mind, and that there were problems between them and it wasn't a lovely marriage as he was pretending," said Enders.
Overton was subsequently convicted of the murder of his third wife and, on Sept. 1, 1995, was sentenced to life in prison without the possibility of parole.
LESSONS FOR LAW ENFORCEMENT
Although computers now play a larger role in the daily life of many Americans, Enders said most law enforcement agencies are unaware of the existence of computer evidence or the value of such information.
"I think in general that a lot of evidence goes untouched or gets contaminated," he said. "It's a big problem that exists with law enforcement. If they do find evidence in a computer, a lot of times they'll take people that know computer fundamentals but don't know anything about processing computer evidence. They don't realize that a lot of events take place on a computer unbeknownst to the user. It's important that law enforcement realize that there are issues relating to processing computer evidence in order to protect their findings."
Enders recalled a recent scenario in which the FBI confiscated a computer as possible evidence. But when the computer was examined, files were found on it that were dated after the date of search warrant. "So they had contaminated the evidence," said Enders. "We couldn't use it."
Enders said there are certain steps law enforcement agencies should learn to take in order to avoid being accused of contaminating computer evidence. Attending forensic computer science courses like those offered at FLETC or other institutions is the best course of action. There are also many books now published on the topic.
"It's important to law enforcement to know that information is still out there even though it may be hidden. They can resurrect information on hard drives that had been erased, for example. Or if someone deletes a file -- the information is often still there."
Establishing dates for undated files and identifying backdated files are also valuable skills. Enders said those techniques are more complicated and very few in the world can accomplish them at this time.
Enders, who spent 25 years as a special agent/computer specialist with the Criminal Investigation Division of the IRS before retiring in 1995, has helped form a new company, New Technologies Inc., headquartered in Oregon. "Almost all paper records have turned into computer records," said Michael Anderson, a partner in the company. "That's why this has become so important. The 'crooks' use other computer tools now to run efficiently."
"Our team knows how to do these complicated procedures," said Enders. "Now we want to develop software to automate the process and allow others to do it too."