For the Maine State Police Computer Crimes Unit, tracing the source of anonymous emails is a matter of connecting the dots.

But it can take time to track electronic communications through a series of Internet service providers to find the unique address of a particular computer.

A pair of analysts in the unit pushed to speed up that process this week when enlisted to help Windham police find out who sent two alarmingly threatening emails to school administrators in the Windham-Raymond district, which led to the closure of eight schools as a precaution to protect 3,300 students.

“When it comes to this (Windham) call, everybody was concerned. Everything gets expedited when there’s a threat to children,” said John Moran, one of two computer forensic analysts assigned to help the Windham Police Department, which led the investigation.

Moran said he could not discuss specifics of the case that led to the arrest in Windham. However, he was able to shed some light on the process and challenges of tracking down people over the Internet. And he described the urgency surrounding the case.

Windham investigators began working with the computer crimes analysts Monday morning, continued late into the night, and resumed the process early Tuesday. By Tuesday afternoon, they had a target. Police executed a search warrant in Windham, which led to the arrest.

Advertisement

Investigators were presented with two emails that threatened gun violence and showed a level of anger and premeditation that they deemed credible. The messages appeared to be from different sources, although police ultimately determined they came from the same person.

A typical cyber crime investigation starts with legal paperwork. The unit works with assistant attorneys general to draft the subpoenas needed to compel Internet service providers such as Microsoft, Google, Yahoo, Time Warner and Comcast to release information about the origin of a given computer file or the identity of a person who registered a given Internet account.

Every computer accessing the Internet has a unique IP address, which can usually be used to find the person operating that computer. But that’s becoming more of a challenge. Sophisticated computer users are able to route emails and other network traffic through a sequence of computer hubs around the world in an effort to cover their tracks.

“If somebody just goes online and sends an email … we can issue subpoenas and find out where they connect from and then find out where that computer address is and follow the dots. But when they really make an effort to hide their tracks, it takes a lot of time and a lot of hair-pulling,” Moran said.

Police have said that the teenager who sent the threatening emails was a knowledgeable computer user, which made it a challenge to identify him.

In addition to high-tech tracking techniques, investigators also rely on “old-fashioned police work,” Moran said. Developing suspects and interviewing witnesses helps focus the computer research.

Advertisement

The temptation for people to hide behind the presumed anonymity of the Internet in order to commit crimes has led to a growing caseload for the unit’s analysts.

The unit handled 509 cases in 2013, which includes cases in which the unit is assisting other agencies, cases that have been referred to it, and cases it generates by hunting for suspect files being shared over the Internet. The number of cases has swelled to 576 so far this year, in part because the unit has added personnel, allowing it to process more cases.

The unit is constantly performing triage, trying to assess which cases demand immediate attention – usually those that involve child predators or kids in imminent danger – and which can be handled as time permits.

The large corporations that host the servers are usually accommodating, especially when the stakes are high. But it can take some persuasion, Moran said.

“They have probably 50 subpoenas sitting on their desk,” he said. A complex and evolving case like the Windham investigation might involve dozens of subpoenas to different companies.

Windham Police Chief Richard Lewsen said the process of serving subpoenas and getting those responses contributed to the length of time it took to identify a suspect and make an arrest.

“It’s true that it did take longer than we expected, but you have to remember if you’re dealing with (an Internet) company way out on the West Coast, it’s very difficult to communicate,” Lewsen said. Many of the major Internet service providers are in that region of the country.

Successfully resolving a case such as the one this week is satisfying, but there was no key moment of discovery when investigators realized they had their culprit, Moran said. Instead, they gradually close in on a suspect until the search warrant is executed and the arrest made.

“Very rarely do you get that made-for-TV moment,” he said.


Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.