Where Were Suspect's Porn Pics?

Former Xerox exec Larry Benedict is accused of trading child porn, but law enforcement officials still can't produce any evidence that images existed on his computers. Part 4 of a series by Washington bureau chief Declan McCullagh.

(Part 4 of a series. In the previous installment, federal and state police raided Larry Benedict's home and accused him of trading electronic child porn with Mikel Bolander.)

CANANDAIGUA, New York -- The exchange between two child pornographers seems unusually damning as they discuss what kind of scanners, computers and software would work best to capture images of young boys.

One person who signed the letter "LB" wrote: "Anything that you can see the fuzz on their ball (sic) do at high speed. Use your judgement. If your jeans get creamed just by looking at it then do it high speed."

In a case brought by the federal government, prosecutors claim that "LB" stands for Larry Benedict, who was a senior engineer at Xerox at the time. Benedict has no criminal record, a raid of his home found no child porn magazines or videotapes, and he says he's innocent of the crime.

Courts are still grappling with how to deal with evidence found on computer systems, which has become increasingly important over the last decade. The tentacles of computer databases reach nearly every corner of our lives, tracking what we buy, who we visit and what we do.

Yet electronic evidence is far more malleable than physical evidence. Erasing the date on an important piece of paper and replacing it with a different one will leave a residue, yet most operating systems let you alter the date on a computer file without recording the change.

"Electronic evidence is by its nature mutable," says Mark Rasch, a former federal prosecutor now with Predictive Systems in Reston, Virginia. "If the government wanted to plant electronic evidence and then lie about it, it would be virtually impossible to prove that it happened."

The Justice Department started thinking through the problem of computer evidence in the early 1990s. Its 1994 Guidelines for Searching and Seizing Computers call for a "controlled environment" when examining a PC, noting that "computer evidence is extremely vulnerable to inadvertent or intentional modification or destruction."

Altered or lost evidence

However, in the government's pursuit of Benedict, the Xerox engineer, federal investigators neglected to follow their own computer crime manual.

All the evidence against Benedict is in electronic form -- a search of his home turned up no physical evidence of child pornography. And all of the electronic evidence has been mangled in some way by the government -- either accidentally or willfully.

The evidence includes two sets of computers, one owned by Benedict and another by Mikel Bolander, a confessed pedophile with whom Benedict was allegedly trading child porn. It also includes magnetic media -- a tape drive and a floppy disk -- that Benedict sent through the U.S. mail, according to the government.

Benedict says he was merely trading computer games and had no idea of Bolander's less savory interests.

The first computer, owned by Bolander, is destroyed. After ransacking Bolander's home in January 1995, federal parole officers and San Diego police threw away Bolander's computer hardware and software.

They did keep a copy of Bolander's hard drive, though, and eventually turned it over to the defense about three years after Benedict was indicted. (The government insists that all along, defense counsel had "full opportunity" to review the electronic evidence; it's not clear what caused the delay.)

An analysis by Stan Kremen, a computer forensics specialist hired by the defense, concludes that "extensive changes were made to the Bolander hard drives for quite some time after the computer was in custody."

Fax software was added, image directories were modified, Adobe Photoshop was used, and so on, according to the directory tree -- as recently as May 1995, when the computer was in police custody.

The government doesn't deny it. In a motion filed on Monday, prosecutors say that investigators had no spare computers to use for an examination.

A San Diego police officer "would testify that on Feb. 2, 1995, he restored the contents of the mailed backup tape onto Bolander's computer because his department did not have the computer forensic facilities to do it any other way," wrote assistant U.S. Attorney Martin Littlefield. Bolander's computer was seized in January 1995.

However, dozens of files, including Windows system files, were modified as recently as May 1995. (Police noted the time of the computer's system clock when it was checked out of the evidence locker, and it continued to remain accurate.)

Benedict's computers and floppy disks, seized during a February 1995 raid on his home in New York's Finger Lakes country, fared no better.

Prosecutors stashed 27 U.S. Postal Service mailbins in the soggy basement of the Geneva, New York, post office. After a few floods, the computers had rusted and the disks were encrusted with a filmy white substance.

"If you took it out of its case that was adhered to the disk itself, to the oxide part that spins around, there was still stuff stuck to it," says Benedict. "They had a sink there and I tried to wash it. I even tried Windex."

It didn't work. "I couldn't get any of the programs to load," Benedict said. "The brown disk surface was kind of white in color."

Benedict says that his computer and his floppy disks contain vital evidence that could show a jury that he was no child pornographer -- and instead was merely a video game addict who became snared in a sting operation.

In a 1988 case, Arizona v. Youngblood, the Supreme Court ruled that "failure to preserve potentially useful evidence" denies a defendant due process if police acted in bad faith.

But in its filing on Monday, the government says it was an accident: "The fact that the hundreds of disks which were being held by the Postal Service suffered water damage after five years of being held can hardly be attributed as an intentional act, let alone prosecutorial misconduct."

When postal inspectors raided Benedict's house, they found no visible child porn. They also did not report finding any on his computer after U.S. Postal Service analyst Jeffrey Loop had reviewed it.

Nearly five years after Benedict's computer was seized, 16 months after he was indicted, and not long before a trial was scheduled to begin, the federal government finally reported it found some illegal images on his PC.

A government computer specialist "did discover a directory which had not been deleted or erased which contained 11 child pornography files," wrote Littlefield, the assistant U.S. attorney, in a letter dated Dec. 6, 1999.

The letter was talking about archive files in PKZIP or PKArc form, with numbers ranging from PIC13.ARC to PIC33.ARC. All the archive files reportedly required the password "fuzz" to open them.

Perhaps the most interesting fact uncovered by Kremen, the defense's computer specialist, is that the individual image files that are embedded in the archives do not show up on Benedict's PC.

"None of the photographic image files that comprised the archive files resided on Benedict's computer, nor were they recovered after unerasure. Based on this fact, I conclude that these photographic image files never existed on Benedict's computer," Kremen writes in his report dated Nov. 12, 2001.

In other words, there's zero evidence that the illicit files were ever extracted from their archives.

(In Part 5 of this series: Why are there so many puzzling inconsistencies in the U.S. vs. Larry Benedict prosecution?)
