Island County’s hacking detective covets $16K computer

About 92 percent of criminal cases involve evidence from digital devices

By Jessie Stensland • October 15, 2016 1:30 am

Cracking into someone’s cell phone can be like reading someone’s mind.

Entire conversations in text and email, photos with embedded data, past location information and even Internet history may be revealed.

At the Island County Sheriff’s Office, Detective Ed Wallace is the electronic mind reader — or digital snoop, if you prefer — in residence. He’s charged with doing forensic examinations of computers, cell phones and other electronic devices related to criminal cases.

With the proliferation of cell phones, it’s a big, big job nowadays. About 92 or 93 percent of all cases involve some kind of electronic device that needs to be analyzed, Wallace said. He sometimes helps the Oak Harbor Police Department, and the occasional state or federal agency, with cracking and analyzing devices.

While Wallace’s dream is to someday set up a regional forensic analysis laboratory for digital devices at the sheriff’s office, for now he just wants a computer that can keep up with his workload. He’s asking Island County commissioners to fund an industrial-strength computer for $16,000 in the 2017 budget; commissioners are currently in the process of setting the budget.

Wallace built and paid for the last two computers out of his own pocket. Another is on loan from the Oak Harbor Police Department.

Island County Prosecutor Greg Banks said Wallace has expertise that few, if any, law enforcement agencies in the state have.

“His services would be very expensive if he was in the private sector,” he said.

Wallace’s curriculum vitae is ridiculously long. He’s certified, for example, by Homeland Security and technology companies as a seized evidence recovery specialist, an ethical hacker, a mobile device examiner, a physical analyst and an advanced chip-off forensics analyst. That’s in addition to other regular-cop training, including everything from instruction on homicide investigation to “a lateral vascular neck restraint” instruction.

He said the county has invested about $50,000 in his computer forensics training alone.

At the same time, he carries a caseload as a detective and is the department’s public information officer and SWAT team leader.

Because of his interest and expertise at computer analysis, he’s known as “Geeksquad” in some circles.

Banks said the sheer amount of information investigators receive nowadays from electronic devices is sometimes overwhelming. Prosecutors and law enforcement are obliged to investigate all evidence even if it may be exculpatory — favorable to the defense.

Evidence from cell phones provided important evidence in the two most recent murder cases on North Whidbey.

Wallace analyzed murder suspect Christopher Malaga’s cell phone and found that he had purchased a plane ticket to New Jersey just after the murder. He also found that Malaga was active on his phone just before and just after the shooting, with a period of inactivity at the time of the murder. Text messages exchanged between Malaga and the victim, Adam Garcia, showed that they had a falling out before the shooting.

Malaga was convicted of first-degree murder for the 2014 shooting death of Garcia; he was sentenced to just under 37 years in prison.

In another case, Wallace was able to recover text messages to show how a suspect, David Nunez, got the murder weapon in the 2015 shooting death of 17-year-old John “Jay” Johnson. Facebook messages exchanged between suspects proved to be key; Wallace, also a trained “social media investigator,” has expertise in writing search warrants for social media sites.

Nunez and Brian Rayford pleaded guilty to murder charges in the 2015 shooting death of 17-year-old John “Jay” Johnson. Two others pleaded to lesser charges.

Wallace’s job requires a combination of vocational and technical skills.

He has different tools to deal with different kinds of devices and different levels of examination. Most of the software he uses isn’t available to the general public. Licensing the software is expensive; Wallace said grants through Citizens Against Domestic and Sexual Assault has kept the program afloat.

The “chip off” method is particularly effective. Wallace breaks open a phone, removes the memory chip and sticks it into a chip reader. The drawback is that it ruins the phone and the chip could be damaged in the process.

As Wallace warns students in Internet safety classes, information is never really deleted from electronic devices. Remnants are left behind that can be retrieved or even recreated.

The real trick to his job, Wallace said, it to interpret the information, which requires understanding the raw data and fitting it in with other evidence from the case.

In analyzing a recent murder case on Camano Island, Wallace was able to show that the suspect’s cell phone hooked into the victim’s Wifi network at or near the time of the shooting, he said.

Of course, the technology has limits. He’s been unable to hack into a child molester’s encrypted Mac Book. He ran a program that goes through 150,000 or more possible passwords a second for months, but he wasn’t able to get in. He passed it on to another agency with a bigger computer to the password-breaking program on the computer; it still hasn’t been cracked.

Wallace said he got his first child pornography in 2002 and realized the department didn’t have anyone with skills to handle it. He said the crime lab at that time had a backlog of six to eight months. Mike Hawley, who was then the sheriff, realized the growing importance of computer analysis to law enforcement and sent Wallace to get training.

The most unpleasant part of his job is dealing with child porn; the number of cases continue to increase and averages about 15 a year, he said.

Still, Wallace enjoys the job. He likes the process, finding “minute details” and figuring out how to use data recovered from technology to prove elements in a crime.

“It’s like following a trail of bread crumbs,” he said.