News About Our eDiscovery - Computer Forensics - Cyber Investigations - Cellular Triangulation - GPS Analysis Experts

Civilediscovery In the News



Student Hacks Into High School Computer Servers


A Daphne High School student faces serious criminal charges after authorities alleged that he broke into a school computer system connected to 46 district schools in the southeast region.


The student, aged 16, meddled with computer servers and deleted folders and databases of students at different schools in Georgia, Alabama, Kentucky, Texas, Mississippi, North Carolina and South Carolina, said Maj. Anthony Lowery, spokesman for the Baldwin County Sheriff's Office. PressRegister reported this on April 10, 2007.

The student's name was not disclosed because of his age, Lowery told the PressRegister. The student allegedly accessed the computer networks in the 47 school districts, he added. Although the hacking happened at school, investigators found a computer at the student's home that was perhaps used to carry out the entire scam. The investigators seized that PC.

The teenager accessed students' demographic information over a two-week period in the second half of March, Lowery said. However, there was no evidence of harvesting, pharming or distribution of any student's personal data. Neither officials of the school district nor those of the Sheriff's Office would disclose the time of the hack, i.e., whether it happened during class or during school leisure hours.

According to a statement by Sgt. Tony Nolf, the teen was attending a Web-design class, and several Daphne High classrooms have many computers.

The Sheriff's Office learned of the hacking on March 30, when the software company of the Baldwin district detected a problem in the servers, including those of other districts, Lowery said. The Baldwin schools, equipped with anti-tampering software, were able to prevent the student from penetrating records, said Baldwin school board spokesman Terry Wilhite. PressRegister reported this on April 10, 2007.

The charges against the student could be "offense against intellectual property". The offense is a Class B crime and could carry a punishment of up to 20 years in jail if the damage is beyond $2,500 or if government operations or public communication are disrupted.

_____________________________________________________


Sex offender's trial will resume today
Tuesday, May 13, 2008
Federal agents investigating a Prichard man who was charged with nudity in a Mississippi park encountered systems on his home computer comparable to devices meant to protect the government's top secrets, an expert testified Monday.

The testimony by computer forensics consultant Gus Dimitrelos came on the first day of Michael Ryan South's child enticement trial in Mobile's federal court. South, who lives in Prichard's Whistler community, faces charges of traveling across state lines to have sex with a child.

Dimitrelos testified that he has been trying for months to break encryption codes hiding images and videos on a computer taken from South's home. Dimitrelos said he has devoted a computer in his office since Jan. 2 to doing the job. A program working around the clock has tried 5 billion to 6 billion password combinations, he said.

"I've never seen the level (of encryption) that's being used in this case," he said. Jackson County, Miss., sheriff's deputies arrested South in December after a 9-year-old boy reported seeing him naked in Lum Cumbest Park near his home in Hurley. It was the second time he had seen the same man, according to authorities. FBI agents seized a laptop computer and several compact discs from South's home.

Dimitrelos testified that South's computer contained "every known child pornography search term I've ever looked for." He said he was able to recover Web sites, including Denmark-based sites that carry child pornography. He estimated that about 80 percent of the Internet surfing has been to child pornography sites. But with multiple, sophisticated "anti-forensics" programs, Dimitrelos said, he has not been able to access the images. "The user of this computer went to great lengths to hide this activity," he said.

South, an Auburn University graduate and a former architect, is a registered sex offender following a 1990 conviction in Lee County on a first-degree sodomy charge. Assistant Federal Defender Peter Madden urged jurors to put that conviction out of their minds, arguing that it has "nothing to do with this case."

The boy who saw the man in the park, who is now 10 years old, testified that he was trying to corral a dog in his backyard Nov. 4 when he saw a naked man in a wooded area on the edge of the park that abuts the house. His head barely visible in the witness stand, the boy told jurors that the man was scratching his genitals and asked him if he wanted to go streaking. "I was really scared," he said.

The boy said he was riding an all-terrain vehicle Dec. 15 with a 14-year-old friend when he saw the same man again. At first, the boy said, the man was dressed as they rode by. When they came back about a half-hour later, he testified, the man was naked. The boy pointed to South when Assistant U.S. Attorney Maria Murphy asked him if he saw the man in the courtroom. The 14-year-old child, who also pointed to South, testified that the man was masturbating.

Under cross-examination, both boys testified that the man did not try to touch them or move toward them or engage them in any way.  During his opening statement Monday, Madden asked jurors to keep his client's actions in mind as witnesses testified. He argued that there is no evidence that South was trying to have sex with the boy. "He was nude. It was a crime. And there's no excuse for it. But it wasn't a sexual act against a child," he said. "The best indication of what he intended to do is what he did. He walked away from that little boy." The trial resumes this morning with closing arguments. If convicted, South could face life in prison.

_______________________________________________________


Orr guilty of child porn charges
FRIDAY, JUNE 22, 2007 -
FEDERAL TRIAL IN MOBILE

Northrop Grumman supervisor blasts verdict, faces a possible 20 years in federal prison. Bruce Michael Orr fought federal prosecutors in Mobile to a standstill two months ago but could not beat back child pornography allegations a second time, as a jury found him guilty Thursday of two criminal counts.


The 52-year-old Northrop Grumman Corp. supervisor now faces the prospect of a prison sentence that will not end until he is an old man.  The jury convicted him of receiving child pornography, which carries a mandatory-minimum sentence of five years in prison and a maximum of 20 years, and possession of child pornography. Considering advisory sentencing guidelines in this case, Chief U.S. District Judge Ginny Granade is likely to impose a 20-year sentence.


Parole has been abolished in the federal system, so Orr will have to serve the entire amount except for the 54 days a year he is eligible to knock off for good behavior. Orr, who vowed to appeal, embraced tearful relatives and supporters as he left the courtroom and angrily blamed his conviction on what he described as untrue testimony by expert witness Gus Dimitrelos, a retired Secret Service agent who now has a consulting business and runs the Alabama Computer Forensics Laboratory in Spanish Fort.


Granade allowed Orr to remain free at least temporarily until his sentencing in September. Assistant U.S. Attorney Maria Murphy said she would look into filing a written request to jail Orr based on the threat she said he poses to the community and suicidal comments she said he once voiced to his second wife in an unrelated incident. Orr's daughter, Gidget Johnson, issued a handwritten statement lambasting the verdict and decrying a pre-trial decision by Granade to restrict the testimony of a defense expert witness who missed a deadline for giving prosecutors information from his analysis. "I have always had faith in our judicial system. I truly believed that our government CARED about whether someone was innocent or guilty," she wrote. "My eyes have been opened."


Murphy said she does not know what convinced the jury of nine men and three women, but she welcomed their verdict. "I think it's just part of our continuing commitment to protecting children from predators," she said.  Defense attorney Jeff Deen said he was disappointed by the jury's decision. "I don't get to talk to the jury. I don't know how they evaluate evidence," he said.


Throughout three days of testimony, forensics experts testified that the home computer in Orr's Tara Drive residence in west Mobile contained thousands of images of young children engaged in sex acts or posed in a sexual manner. The computer's memory banks also showed signs that the computer had visited dozens of Internet sites offering child pornography.  


Dimitrelos told jurors that all of that material was accessed when Orr's password-protected account was active. There was no child pornography on the accounts of Orr's stepdaughter or his then-wife.


Dimitrelos testified that his examination revealed that Orr's password was removed on June 18, 2005, the date Orr's now ex-wife, Silinda Orr, says she confronted her husband about the child pornography.


In addition, Dimitrelos testified that the Orr account had a specially created "shortcut" taking the user directly to a hidden file on the computer that stores information about the Web sites visited. He said the shortcut, along with all of the information in the temporary Internet file folder, was deleted June 18. Dimitrelos said he was able to retrieve the information because computers never permanently delete data until their memory banks are full. Orr adamantly denied ever purposely viewing child pornography, which he testified was a "criminally disgusting act." He suggested that Silinda Orr or her daughter might have planted the child porn to blackmail him into more favorable terms in their divorce case.

_______________________________________________________


Defendant judged fit for trial in texting-for-sex case


Trial date is expected soon for Theodore man charged with attempting to lure 11-year-old girl
Tuesday, May 13, 2008

A Theodore man accused of trying to lure an 11-year-old girl with text messages is fit to stand trial, a federal judge in Mobile ruled Monday.
Senior U.S. District Judge Charles Butler Jr. endorsed the findings of a prison doctor at the Metropolitan Correctional Center in Chicago, where the judge had sent Richard Brooks Nelson to be evaluated.

Defense attorney Richard Shields said he was disappointed by the ruling. He said he asked for the mental evaluation based on his conversations with his client.
"Out of an abundance of caution, I think he needed an evaluation," Shields said.

A federal grand jury in Mobile indicted Nelson in August on charges that he tried to entice a minor for sex after Mobile police arrested him earlier that month.

A criminal complaint accuses Nelson of sending text messages to the girl and trying to arrange a face-to-face meeting for sex. In a phone call with an undercover law enforcement officer, the complaint alleges, Nelson "explained that if it was the child's 'first time' she would bleed and they would need a red shirt to conceal the blood."

According to an affidavit filed in federal court by a U.S. Secret Service agent, a law enforcement investigator posed as the girl and spoke with Nelson on the phone. He allegedly said he wanted to meet the child and engage in activity "like how mommies and daddies make babies."

Nelson and the undercover officer agreed to meet at Sage Avenue and Ralston Road near Airport Boulevard, according to the affidavit, which states that the defendant showed up wearing a red shirt.

The case has been on hold since October, when Butler ordered the psychological evaluation for Nelson. Shields said he believes the judge will set a trial date by the end of the week. He said he has not focused on the facts of the case and did not want to comment about it until he has had an opportunity to discuss it with prosecutors.

Court records indicate that Nelson was convicted of third-degree rape in New York and registered as a sex offender in Alabama in May 2007.

Shields previously has said he believes the New York conviction pertains to consensual sex with an underage teenager. He said his client was originally from Mobile County and had decided to return here.

___________________________________________________________________________________________


Six months and billions of passwords later, federal investigators in Mobile are still toiling to hack into encrypted files on a computer seized from a convicted child sex predator

 

CRACKING THE CODE

Sunday, June 29, 2008

 

Decrypting protected files

 

When a computer document is suspect but access is password-protected, digital forensics experts must attempt to decrypt it. Once the file format - .jpg, .pdf, etc. - is determined, experts use specialized software that tries possible passwords. Once the password is found, the document can be opened. The computer in this case was seized from Michael Ryan South,  who was convicted of crossing state lines to have sex with a child. Investigators believe encrypted files on the computer contain child pornography. The graphic below shows one program, Password Recovery Toolkit, which can run as many as 250,000 possible passwords per second.


Federal agents in Mobile investigating an accused child predator sent a computer to cyber consultant Gus Dimitrelos on Jan. 2 with a request that he open encrypted files that they believed contained child pornography.

Dimitrelos, a retired Secret Service agent who assists the U.S. Attorney's Office, easily discovered the secret password to log on to the computer. The encrypted files proved exponentially more stubborn. One hundred and 80 days later, having tried some 9.5 billion passwords, a forensic software program working around the clock on the seized computer has yet to break the code and reveal the files' secrets. In May, prosecutors convicted the computer's owner, Michael Ryan South, of traveling across state lines to try to have sex with a child.

 

Still, Dimitrelos' computers never rested in their efforts to probe South's machine. "We're going to decrypt it," Dimitrelos said. "I just have to wait. There's nothing else I can do. ... It could be years. We could be having the same conversation three years from now." Or significantly longer, according to some computer experts. Nine and a half billion "is not a lot when you're talking about trillions or quintillions of possible combinations," said Philip Craiger, an engineering technology professor at the University of Central Florida in Tampa.


Regardless of the outcome, South is going nowhere. With a prior sex offense on his record, he faces an automatic life sentence for his latest conviction.

But Dimitrelos said that it's important to try to open the encrypted files because they might contain evidence about molestation of which investigators are unaware.  If investigators find child pornography, Dimitrelos said, they will turn the information over to prosecutors.

Would they bring new charges against a man already serving life? "It depends on what's on there," said Maria Murphy, the acting chief of the criminal division of the U.S. Attorney's Office.

250,000 guesses a second 


Dimitrelos throws as many as five computers, each with an Intel Core Duo processor, resulting in the equivalent of 10 computers, at the challenge. At times, he redirects some of the computers to other tasks. Dimitrelos uses a "brute force" program known as Password Recovery Toolkit by a company called Access to run through different groups of possible passwords at a rate as fast as 250,000 a second. The first group, for instance, consists of just 10 possible passwords, the numbers 0 through 9, followed by searches of two digits and three digits. The program searches the alphabet, the entire dictionary and then various combinations of letters, numbers and other keys. Foreign languages can be employed.


Dimitrelos recently demonstrated for the Press-Register how the process works. He copied the newspaper's logo from its Web site into a Microsoft Word document, encrypted it and assigned it the password "register." The program ran through 15 different searches. On the 16th, a search of the dictionary, the program came upon the correct password. The entire process, on Dimitrelos' small laptop computer, took a minute and 4 seconds. An earlier test of the same information that he ran on a faster computer took just 12 seconds to complete. What makes the task so hard in the South case, Dimitrelos said, is the level of encryption protecting the password and the sophistication of the password that the defendant used. At 256 bits, he said, it is equal to the standard that the government employs to protect top-secret documents. The software installed on South's computer allows for a password that is up to 109 characters long.


The Toolkit program will run through all known dictionaries, cookbooks, technical manuals and other documents searching to find the combination of letters that might open the lock. If that fails, Dimitrelos said, it will begin searching custom-made lists derived from South's interests, dates that have meaning to him and other personal data.

 

As a last resort, the program can start searching through random combinations of letters, numbers and special characters. If that's the case, said Central Florida's Craiger, the password could be virtually impossible to break. "It would take to the end of the universe in time to break it," he said. "Essentially, you might as well give up." The surprising and, to investigators, disconcerting aspect of South's subterfuge is that he is no computer specialist.


The program that he used to encrypt his files is readily available for free on the Internet, Dimitrelos said. "What he's doing is researching the data," Dimitrelos said. "He's not advanced. The tools are advanced."
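The guess counts and rates quoted above can be worked through as keyspace arithmetic, which shows how little of the possible password space 9.5 billion guesses covers. This is an added example, not part of the original article and not code from Password Recovery Toolkit; the rate, guess count, day count and 109-character limit are the article's figures, while the character-set sizes are assumptions.

```python
# Added example: keyspace arithmetic for the figures quoted in the article.
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

# Figures quoted in the article.
PEAK_RATE = 250_000              # guesses per second at best
GUESSES_TRIED = 9_500_000_000    # "some 9.5 billion passwords"
DAYS_ELAPSED = 180
MAX_PASSWORD_LEN = 109

# Assumed character sets (not stated in the article).
ALPHABETS = {"digits": 10, "lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}


def keyspace(alphabet_size, max_len):
    """Count every password of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def effective_rate(guesses, days):
    """Average guesses per second actually achieved over the period."""
    return guesses / (days * SECONDS_PER_DAY)


def longest_length_covered(alphabet_size, guesses):
    """Largest L for which all passwords of length 1..L fit in `guesses`."""
    length = 0
    while keyspace(alphabet_size, length + 1) <= guesses:
        length += 1
    return length


def years_to_exhaust(alphabet_size, max_len, rate):
    """Worst-case years to try every password up to max_len at `rate`."""
    return keyspace(alphabet_size, max_len) / rate / SECONDS_PER_YEAR


def report():
    """Return one summary row per assumed alphabet."""
    rows = []
    for name, size in ALPHABETS.items():
        rows.append({
            "alphabet": name,
            "covered_len": longest_length_covered(size, GUESSES_TRIED),
            "years_12_chars_at_peak": years_to_exhaust(size, 12, PEAK_RATE),
        })
    return rows


if __name__ == "__main__":
    print(f"effective rate: {effective_rate(GUESSES_TRIED, DAYS_ELAPSED):.0f}/s "
          f"(peak quoted: {PEAK_RATE}/s)")
    for row in report():
        print(f"{row['alphabet']:>16}: all lengths <= {row['covered_len']} covered; "
              f"12 chars at peak rate: {row['years_12_chars_at_peak']:.2e} years")
    full = years_to_exhaust(95, MAX_PASSWORD_LEN, PEAK_RATE)
    print(f"printable ASCII up to {MAX_PASSWORD_LEN} chars: {full:.2e} years")
```

On the article's totals the average works out to roughly 611 guesses per second, well below the quoted peak, and 9.5 billion guesses would cover every printable-ASCII password only up to five characters.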


The task could become harder


Craiger predicted that law enforcement agencies increasingly will face complications investigating cyber crimes as encryption software becomes more powerful and dispersed.

"There's tons of software both free and cheap on the Internet," he said. Dimitrelos suggested that the technology will force changes in the way that police investigate cyber crime. The standard practice now is for officers serving a search warrant to shut down the computer and take it to a forensics lab. Dimitrelos said it would be far better for police to keep the computer running and summon a forensics expert to the scene, where the data can more easily be obtained.



"We're in a position where one day we will be pulling the plug on pulling the plug," Dimitrelos said.



eDiscovery-Computer Forensics-Cyber Investigations-Cellular Triangulation-GPS Analysis Experts
Since 1996