Detectives suspected that some of the most important evidence would be discovered not in the bloodstains on Yeardley’s floor, but in the e-mails stored on her computer. They figured that something housed in the hard drive struck Huguely as potentially damaging enough that he went to the trouble of stealing the laptop and tossing it in the trash, where two detectives discovered it just before his arraignment.
Reeves got permission from Yeardley’s grieving mother to forensically inspect the computer’s contents. With Sharon Love’s permission, the white Apple laptop was shipped to Fairfax, about 100 miles northeast of Charlottesville.
Detective Albert Leightley, a computer investigative specialist who was also involved with the U.S. Secret Service Electronic Crimes Task Force, was tasked with searching both Yeardley’s and George’s computers. He declined to be interviewed while the investigation was ongoing. According to several experts not connected with the case, but with extensive backgrounds in recovering evidence from computers, the process typically used is both complex and precise, designed to protect the computer’s hard drive from tampering while giving investigators a mirror copy to search.
Casey Hiser, a forensic consultant at a litigation support firm and a graduate in computer and digital forensics from Burlington, Vermont’s Champlain College, said there are several processes that investigators can use. (“It is actually one of the problems with our field, lack of standardization,” she said.) But the identification and seizure phase is fairly universal.
The computer system is collected using an anti-static bag for safe transport of its electronic components. The bag protects the hard drive from static electricity, which can discharge enough voltage to sufficiently destroy internal microchips. A person walking across a rug can produce up to 12,000 volts of static electricity; as little as 10 volts can damage the delicate innards of a computer system. (Humans can’t even feel a static electricity zap until it reaches about 1,500 volts.) Once the item is bagged, the investigator is charged with recording its chain of custody, meaning that the components’ whereabouts have to be catalogued with every move to show a judge and jury that the evidence found within is reliable.
To actually peruse the computer’s contents, a mirror copy must be made. Most computer users know how to back up their hard drives, but making a forensically sound copy is much more complicated. The investigator has to use a write blocker, which ensures that he’s only reading information from the drive and not writing information to it. (Writing onto the hard drive would be akin to scribbling across an incriminating note found at a crime scene; it would be deemed tampering with evidence and tossed from the trial.) Most forensic investigators use software such as EnCase or Forensic Toolkit (FTK), which create a bit stream image—or mirror-image backup—of the hard drive.
“It convinces the computer locally that the drive is accessible, but in effect it’s read-only,” explained Doug White, a computer forensics expert based in Rhode Island. “It protects it from modification by us.”
White, who has testified in both criminal and civil trials—but is not connected with the Huguely case—is a professor at Roger Williams University, where he’s considered an expert in security, computer technology, electronic crimes, and computer forensics. He also works for the International Society of Forensics Computer Examiners.
He explained that when he creates a copy of a hard drive, he starts “at byte zero, and I go to the last byte on the hard drive and duplicate the whole thing.”
To prove that the copied drive is identical to the original, the investigator uses a hash, which is a mathematical algorithm that serves as something of a fingerprint for a hard drive. If even the tiniest bit of information—right down to a deleted period or an added space in a document—is tweaked from the original compared with the copy, those algorithms won’t match, and the analysis of the copy won’t hold up in court.
And that’s paramount. Evidence gathered from computers hasn’t always been welcome in trials. Just as DNA evidence was scrutinized when it was first introduced, computer technology has just in recent years been consistently deemed admissible—but only when the examiners can prove that the data they found is from an untainted, mirror copy of the original.
John B. Minor, a Texas-based communications expert and member of the International Society of Forensic Computer Examiners, said that creating a mirror image does more than capture information that’s easily accessible to laymen on the hard drive, such as one’s documents folder. It also captures random bits of data, or flotsam, floating around the free space of a hard drive. Named after the debris left behind a shipwreck, that data can prove to be invaluable to an investigation.
“It’s an area littered with bits and pieces of files,” Minor, who is not connected to the case, explained. “It’s often where we find the gems of evidence. It can be part of a chat stream, part of an e-mail or an instant messenger chat exchange.”
Take, for example, an average e-mail: The recipient opens it, reads it, and perhaps deletes it. Even though the message has been deleted, it’s stored on a free area of the hard drive. If a computer user doesn’t regularly use specialized software to clean out the flotsam—and few people do—the information stays until it’s eventually written over by other information stored in similar fashion. The free space becomes a hodgepodge of bits and pieces of random data—flotsam—that an investigator can collect, organize, and then carefully search.
White also described discovering information in cache files: “Say you’re looking at the weather. The information is old, so you hit the refresh button. When you hit refresh, the Web browsers want to speed things up, so they write copies of stuff to the hard drive. Things you’re looking at may be stored physically on the hard drive. When you hit refresh, your browser dumps that cache and gets a new one.”
Modern computers tend to update more often than older computers, he added, but investigators still find tons of information hidden inside the hard drive.
“We’ve grabbed screen shots of e-mails, texts, chats, child pornography you were looking at yesterday or last year or who knows when,” White said. “It might just be fragments of it, too. We might just see an e-mail address.”
Another gold mine of information can be found in what’s called file slack, or the unallocated space between the end of a file and the end of the disk cluster it’s stored in. It occurs when a computer gets a new file that overwrites a previous file. Rarely are the two files exactly the same size, so there often is a smidgeon of space leftover where residual data can collect. Investigators sometimes find meaningful data hidden inside.
“Sometimes the information is intelligible, sometimes not,” Minor said. “It could be an entire e-mail. In some cases, it’s an entire PDF file. There might be bits and pieces of a live text chat.”
And then there are the partitions that some crafty computer users try to delete entirely. White translated it as such: Let’s say a bookshelf contains an entire set of encyclopedias, but you as the owner want to hide one of the books. You take its cover off, and someone viewing the shelf will likely notice that your collection is missing one volume. With a computer, a user can delete an entire drive, and it will look as though it’s missing—but forensics investigators know how to find it. That information usually is a jackpot, White said, because investigators not only discover what the user was trying to hide, but they also can prove in court that he took great pains in trying to keep it hidden—providing prosecutors with circumstantial evidence of a guilty conscience.
According to the search warrants initially released by the Charlottesville Police Department, law enforcement wanted to search Yeardley’s computer for e-mails between her and Huguely. Leightley, the examiner, likely would have first looked through Yeardley’s available e-mail account, and then carefully sifted through the data in hopes of finding more about her doomed relationship. After that, experts said, he probably would have started the daunting task of sorting through all of the gathered information. It’s no easy job, Minor said: An e-mail account showing perhaps just 400 messages might actually turn up 14,000 when the hard drive is thoroughly examined.
“There’s not a practical way to look through all of those, though sometimes we do,” said Minor, who regularly works with law-enforcement agencies and testifies in criminal and civil trials. He has not been asked to work on the Yeardley Love case.
To more easily track down specific information, investigators organize the data into a searchable database, then run keyword searches. They might look for nicknames or monikers to find all the e-mails sent from a particular person—sometimes this points investigators to additional e-mail accounts used by the same person—while other times they might look for words that seem likely to turn up threatening messages (“kill” or “hurt,” for example). When looking up browser history, they might stumble upon some incriminating searches. Hiser said that’s “a great source of info if your killer happened to look up ‘how to hide a body’…Don’t laugh; it has happened.”
In the Love case, detectives curtailed their hunt by searching through just one month’s worth of e-mails—from April 3, 2010 to May 3, the morning Yeardley was killed. The search warrant request on Huguely’s laptop asked for “any stored or deleted documents referring to Yeardley Love or referring to past events involving George Huguely and Yeardley Love.”
During his search of Yeardley’s computer, Leightley discovered fragments of an e-mail that Reeves said appeared to be “in response to an e-mail sent by George Huguely,” according to a court document dated Aug. 17. The media filed requests hoping the e-mail fragment would be released. They received a document that included a chunk of text, measuring about a dozen lines long, completely blacked out with dark marker. But Reeves’s words surrounding the mystery text were telling: “Further examination of the fragmented e-mail…is evidence of a prior incident between Huguely and Love,” she wrote. That incident, she said, was the one in which Yeardley had hit George with her purse, causing her belongings to spill out, including her cell phone, which she believed Huguely held on to.
But while detectives suspected the fragmented e-mail found on Yeardley’s computer was in response to an upsetting one from George, they couldn’t find the original e-mail on her hard drive. Leightley set off to search George’s laptop in hopes of finding it.
He came up empty.
Reeves tried another tack: After talking with Leightley, she learned that sometimes, when an e-mail is written on a person’s smart phone rather than on a computer, the messages could be retrieved from the phone long after the message was written. She asked Judge Higgins for permission to search Huguely’s phone to see if any additional messages could be recovered.
Minor said such a request isn’t unusual, especially these days when few people use their phones simply for making calls. With smart phones, it’s difficult to completely erase data. Forensics experts can extract the memory of the entire cell phone, then go into that information and carve out pertinent data.
“Smart phone evidence can be corroborating evidence, or it can be key evidence,” Minor said. “Smart phones can be sometimes be dead giveaways” that a crime has been committed.
Higgins granted Reeves’s request. The search for more e-mails was under way.