Aurora Police Department Relies on FTK® to Collect Key Digital Evidence in Tragic Colorado Movie Theater Mass Shooting
The Aurora Police Department (APD) is a full-service law enforcement agency with more than 650 sworn officers and 135 support staff. The ratio of almost two police officers per 1,000 people is higher than for cities of similar size in the western United States.
A Night of Tragedy in Aurora
On July 20, 2012, shortly after midnight, a lone gunman opened fire on moviegoers attending the premiere of Batman: The Dark Knight Rises in the Century Aurora 16 theater complex in Aurora, Colorado. He shot 70 people, 12 of whom died. In addition to those shot, at least 12 people suffered injuries in the course of fleeing the theater, some of which were serious enough to require surgery. In total, at least 82 people suffered physical injuries, not including minor injuries that were not recorded.
Beyond the physical injuries, many movie patrons, family and friends of the casualties, first responders, and people in the community suffered psychological trauma as a result of the incident.
The Use of Forensic Software to Uncover a Killer’s Intent
Detective Mike Leiker was the lead computer forensics investigator in the APD and has 37 years of experience in law enforcement. He has provided expert testimony in dozens of cases throughout his career, spoken numerous times to colleagues and other practitioners and is considered an expert in digital forensics. He has received extensive training for digital forensics software tools and is certified to use FTK® (Forensic Toolkit®) as well as other solutions.
“The (Exterro) products are so simple to operate that you’re able to get to work with them right away. With cases like these, speed is often essential if we are to catch a predator before another innocent child is victimized.”*
On July 20, 2012, Det. Leiker was notified that there was a suspect in custody in the movie theater shooting and the officers were already in possession of the suspect’s iPhone® and an iPad®, as well as several tower computers. This was critical, since often the first step in understanding a motive to commit such a senseless attack on innocent victims is to look at the suspect’s mobile devices for any clues via social media, text and/or chat platforms that could help with the investigation. Det. Leiker went to work right away and was able to get a physical image on the two mobile devices, as well as a laptop that was discovered.
He then used FTK to investigate the data from the devices. FTK provides comprehensive processing and indexing up front, so filtering and searching is faster than with any other product. This means investigators can “zero in on” relevant evidence quickly and conduct their analysis faster. The product suite is used by top law enforcement agencies around the world.
“I use AccessData’s Forensic Suite because it’s the industry standard and a court-cited digital investigation platform,” said Det. Leiker. “For me, it’s the thoroughness of the collections and the speed of what it processes. I can provide hashable, verifiable data and FTK has been validated and is efficient. Only FTK can handle certain files that other tools can’t. It’s a product that pioneered the field of digital forensics software and I have confidence that the data I’ve acquired and analyzed can be used in court, if needed. It truly stands above competitive products.”
What he was able to uncover was a trail of evidence that would help prove without a doubt the suspect’s guilt.
Det. Leiker started with evidence found in Google Chat. At that time, forensic tools weren’t available to acquire chat evidence, so he created a backup and ingested it into FTK. “I used FTK because the chats rendered accurately and in a way that was easy to read, which allowed me to dig really deep into the conversation,” said Det. Leiker. According to published reports that emerged during the 2015 trial of the suspect, those chat communications included the following exchange between him and his ex-girlfriend:
[email protected] (Defendant): Well what I feel like doing is evil so can’t do that
me: what do you feel like doing?
[email protected]: Video games are the next best thing through escapism
me: what is so evil that you want to do?
[email protected]: Kill people of course
Det. Leiker was then able to use the FTK expression feature to help narrow down the IP address to see if it matched an account in the suspect’s apartment, determine who the suspect was talking to, and find words, such as theatre tickets, weapons and bombs, that gave him insight into the suspect’s intent.
For the suspect’s laptop, Det. Leiker used FTK Imager to make a forensically sound copy, PRTK® (Password Recovery Toolkit®) for password-protected files and FTK for analysis. He used FTK as the primary tool for registry searches and viewing, Internet bookmarks, cookies and history. Since the Internet bookmarks were encoded, he was able to look at the browser history and registry for ownership.
Once he looked at the Internet IP addresses and cookies, he found a website screen shot that contained the phrase “rational insanity”—allowing him to preserve the evidence quickly. In the unallocated space he found the suspect had searched for the phrase “rational insanity” as well.
Digging deeper into the Internet searches, he found the suspect had also searched for the word “bomb” and Det. Leiker was able to go to the registry to see who owned the file, then was able to find that the suspect had purchased firearms, two gas canisters and a face mask.
“With the help of FTK I could quickly preserve the evidence, which later was crucial evidence to prove intent during trial,” said Det. Leiker.
Det. Leiker was able to get physical images of both devices, an iPhone and iPad, and recover artifacts such as back-up information, pictures, contacts and call logs. Once he acquired these artifacts, he brought them into FTK and was able to validate the data. “The sync between the mobile devices and the laptop allowed me to analyze the evidence in an orderly way, helping me to create a clear picture,” said Det. Leiker.
James Holmes was charged with 24 counts of first-degree murder, 140 counts of attempted murder, and one count of possession of explosive devices and inciting violence. Holmes entered a plea of not guilty by reason of insanity, which was accepted, and his trial began on April 27, 2015. Holmes was convicted on all 165 charges. On August 24, 2015, he was sentenced to 12 consecutive life sentences plus 3,318 years, all to be served without parole.
Det. Leiker credits the FTK software product suite with playing an instrumental role in the investigation that ultimately led to a successful prosecution in the horrific mass shooting.
“Without FTK, finding the evidence in this case would have taken significantly longer,” he said. “FTK made it possible to more quickly find the critical evidence to convict a killer and bring a little bit of closure to the victims impacted by this tragedy.”
Det. Leiker contends that FTK is “the most valuable digital forensics tool available for law enforcement professionals,” not only because it is forensically sound and verifiable, but also because it “stands above competitive products with an index search that’s so fast, efficient and thorough.”
“For digital forensics, we are talking about being able to see invisible data by simplifying it in a way that renders in an easy-to-see manner,” he said. “FTK Imager is so widely used by law enforcement for image acquisition that it is clearly the gold standard. Other products just don’t compare.”
The statements made in this case study by Det. Mike Leiker reflect his own professional opinion and do not represent the beliefs or opinions of the Aurora Police Department, nor the city of Aurora.