Cybersleuths try to mine clues from Newtown killer's damaged computer
Some of the most important clues about what drove Adam Lanza to mass murder probably sit on the computer that the reclusive, technical-minded 20-year-old used as one of his main contacts with the world, law enforcement authorities said.
Lanza attempted to destroy his computer's hard drive, the device that stores and retrieves data, before setting out on the Dec. 14 killing spree in Newtown, Conn. Police have declined to provide information on the extent of the damage to the drive, but investigators remain hopeful that it can be repaired.
Specialists, however, said that any effort to recover data may be thwarted if the hard drive's magnetic platters are shattered. If the damage is less severe, or if there are multiple platters in the computer, investigators may be able to glean useful information. Such recovery efforts are slow and costly, specialists said.
The computer was seized at Lanza's home soon after he killed his mother and went on to slay 20 children and six adults at Sandy Hook Elementary School before committing suicide.
The computer was taken to the Connecticut State Police computer crimes unit, which has more than a dozen police and civilian technicians focused on gathering digital forensic evidence, according to Lt. J. Paul Vance, a state police spokesman.
Vance declined to provide details about the computer and its condition, but he said the technicians will add their findings to the mix of physical and electronic evidence, including DNA samples, bullet casings, cellphone records and gaming systems.
"We have to look at everything," he said. "It may direct us. It may open a door."
The computer crimes unit operates the Computer Crimes and Electronic Evidence Laboratory in Meriden, Conn., assisting in more than 400 criminal cases a year.
"Fully 70% of the cases directed to the Computer Crimes Laboratory involve some level of child exploitation/child pornography," the lab's website said.
The FBI has offered to help with the electronic forensics and may be examining the computer, law enforcement authorities said.
Although authorities know that Lanza was the shooter, police are pursuing the case as an active murder investigation until they understand what happened and why. At least three search warrants have been filed under seal in Superior Court in Danbury, Conn., according to Geoffrey Stowell, deputy chief clerk of the court. Two of them can be unsealed Dec. 28, and one can be unsealed Dec. 30, he said.
Lanza's computer and online activity will remain a key focus of the investigation.
"The level of detail they can rip out of systems these days seems incomprehensible to most people," said Rob Lee, a forensic specialist who has examined computers seized from terrorists for the U.S. intelligence community.
That includes such obvious things as websites visited and photographs downloaded. Other telling data include the geo-location of every place a laptop has been used, the timing of activity and other technical "artifacts" that computers now maintain as a matter of course. Even some deleted material can be retrieved with relative ease if the damage to the hard drive is not too severe, Lee said.
One method of fixing a damaged hard drive is called a "platter swap," which involves taking the magnetic platter from the damaged hard drive and putting it on an undamaged hard drive chassis of the same make.
Various reports have said that Lanza used a hammer or screwdriver on his hard drive. The issue in this case may be what can be done with a shattered platter. Platters can be made of aluminum, ceramics or glass. Repairing a broken platter generally requires piecing it together like a cracked plate. Careful alignment is required to preserve the data architecture.
Because the information recorded on new platters is densely packed, it can be almost impossible to reconstruct them with the necessary precision if they are shattered.
Still, extraordinary recoveries have occurred. When the space shuttle Columbia blew up, investigators were able to recover hard drives that had fallen to Earth. "The data was almost 100 percent recoverable," said Lee, the lead for digital forensic and incident response at the SANS Institute, a leading cybersecurity and training organization.
He said investigators would also be looking for contacts Lanza had with other people, possibly gamers. In high school, Lanza reportedly belonged to a technology club that had gaming events called LAN parties, in which players linked computers to compete.
"The computer is probably the only inner look at his psyche," Lee said. "Why Sandy Hook?"
Tim Ryan, a former FBI agent who supervised major cybercases, said it has been widely reported that Lanza was socially isolated in Newtown. But he said he would "not be surprised if he spent a large amount of time" socializing online or with other gamers.
One compelling question, Ryan said, is why Lanza took the relatively unusual step of trying to physically destroy his hard drive.
"What did he try to hide?" said Ryan, now a managing director at Kroll Advisory Solutions.