Identifying the Idaho Killer

The New York Times has a long article on the investigative techniques used to identify the person who stabbed and killed four University of Idaho students.

Pay attention to the techniques:

The case has shown the degree to which law enforcement investigators have come to rely on the digital footprints that ordinary Americans leave in nearly every facet of their lives. Online shopping, car sales, carrying a cellphone, drives along city streets and amateur genealogy all played roles in an investigation that was solved, in the end, as much through technology as traditional sleuthing.

[…]

At that point, investigators decided to try genetic genealogy, a method that until now has been used primarily to solve cold cases, not active murder investigations. Among the growing number of genealogy websites that help people trace their ancestors and relatives via their own DNA, some allow users to select an option that permits law enforcement to compare crime scene DNA samples against the websites’ data.

A distant cousin who has opted into the system can help investigators building a family tree from crime scene DNA to triangulate and identify a potential perpetrator of a crime.

[…]

On Dec. 23, investigators sought and received Mr. Kohberger’s cellphone records. The results added more to their suspicions: His phone was moving around in the early morning hours of Nov. 13, but was disconnected from cell networks—perhaps turned off—in the two hours around when the killings occurred.

Posted on June 13, 2023 at 7:03 AM • 40 Comments

Comments

Doug June 13, 2023 7:29 AM

I am reminded of the joke that describes how to have an extramarital affair and get away with it.
Develop a fake hobby that requires you to be away from the house on regular intervals.
Create players/friends associated with the hobby. Build back stories.
Participate in this fake hobby to establish a routine.
Then get married.

mobilemenyc June 13, 2023 7:30 AM

His phone was moving around in the early morning hours of Nov. 13, but was disconnected from cell networks—perhaps turned off—in the two hours around when the killings occurred.

Waitaminute. Am I reading this correctly? The movements of a device can still be tracked even when turned off?

Winter June 13, 2023 7:52 AM

@mobilemenyc

The movements of a device can still be tracked even when turned off?

It does not say “turned off”, but “disconnected”.

It is very well possible that the phone recorded gps data which was uploaded later when the phone was reconnected.

When not connected, a phone can still do emergency calls, which might involve pinging the network.

Bluetooth and wifi are used by some shops to follow customers in and around shops.

The phone could have connected to public wifi networks.

Joe D June 13, 2023 7:55 AM

The movements of a device can still be tracked even when turned off?

I read that as “it moved around for awhile then disconnected for two hours before showing up again.”

Moral here is to leave your phone on, but leave it behind.

Charles June 13, 2023 8:53 AM

Frankly, we should use similar techniques to round up every predator roaming the streets.

Why June 13, 2023 9:01 AM

@Doug

This is like the expensive fake or bot social media accounts with most convincing history and proofed against purging by algorithms have several years of credible activities, followers and friends; compared to the cheap run of the mill throw-away accounts that will easily be detected by algorithms as fake or bot accounts.

vaadu June 13, 2023 9:31 AM

A request to Amazon sought the order histories of account holders who had purchased such knives.
A follow-up request to eBay focused on a series of specific users, seeking their purchase histories.

‘A request’ is without a warrant?

J Nimmo June 13, 2023 9:42 AM

@mobilemenyc: No. What the pigs are saying is that if your phone runs out of battery or goes out of range and isn’t connected to a cellphone network for even an hour or two, that’s what they regard as suspicious.

Also, Mr. Schneier quotes the following from the NYT:

some allow users to select an option that permits law enforcement to compare crime scene DNA samples against the websites’ data.

That’s in the NYT article.

But it isn’t true. If you give your DNA to an ammurican DNA analysis company, it will be given to the pigs. No option. No choice in the matter.

Mike V June 13, 2023 10:17 AM

Find My iPhone works even while the phone is powered off. This feature debuted in iOS 15 during September 2021.

K.S. June 13, 2023 10:42 AM

“was disconnected from cell networks—perhaps turned off—in the two hours around when the killings occurred.”

To me, this implies guilty until proven innocent applied to the digital footprint.

Winter June 13, 2023 10:45 AM

@Mike V

Find My iPhone works even while the phone is powered off.

That is the bluetooth chip sending a beacon:
https://www.xda-developers.com/iphone-findable-turned-off/

So when a supported iPhone is powered off, Find My runs in the Bluetooth chipset via a custom applet. The rest of the device is completely off, so only this chip is awake and running on low power to transmit BTLE beacons. While the article mentions AOP (always-on processor), Hector Martin says in a Twitter thread that the Find My service, while powered off, has nothing to do with it.

As a result, powered off iPhones can still be found when approached by another internet-connected, Find My-enabled device. The dead iPhone securely transmits the required identification information to the connected device via Bluetooth. The latter then sends the data to Apple servers. The owner of the dead iPhone can then see the reported location on the map, where another connected device had passed.

John Tillotson June 13, 2023 11:15 AM

If you don’t want the police to have access to data they need to find a killer, then elect or appoint judges who won’t sign warrants for collecting such data. Then give up any hope of law enforcement finding the murderer of you or your loved ones.

Winter June 13, 2023 11:27 AM

@John

If you don’t want the police to have access to data they need to find a killer, then elect or appoint judges who won’t sign warrants for collecting such data.

It is called probable cause. There should be a threshold of evidence to ensure data is collected to apprehend the right suspects, not just “a” possible suspect, or just some unwelcome person who has not done anything illegal.

In this case, there seems to have been probable cause, in other cases, there obviously wasn’t.
https://www.independent.co.uk/news/world/americas/crime/cop-city-bail-fund-arrests-b2349853.html

Clive Robinson June 13, 2023 12:19 PM

@ Doug, ALL,

“I am reminded of the joke”

It’s not a joke, as I mentioned when I posted it to this blog quite some time ago.

It’s actually based on the very well observed truism of,

“First a woman lets a man chase her till she has caught him, then once he is hooked, she then spends her time trying to change him”

Psychologists have been aware of it since at least the 1950’s and it’s appeared in one or two popular fiction books including SciFi.

Thus knowing it is going to happen a man has three choices,

1, Not get hooked.
2, Not change and suffer the consequences.
3, Have sacrificial hobbies and activities that he really does not care about.

The advantage of the third option is he can also use it to get “trading points” for when she wants to do something he does not.

So going shopping Saturday morning, gets traded with “going fishing” so he then gets to watch the game with his buddies etc.

Oil and water will not stay mixed but if you do it right, you can have an emulsion that holds well for a long time…

Mexaly June 13, 2023 12:25 PM

Resistance demands adaptation.
A voice can be faked, so verify with a key question.
A photo can be faked, so trace the custody.
A database can be abused, so stuff it with garbage.
I wonder how often someone sends their dog’s DNA into a public genealogy database. They probably catch that. But they have to be weak on identification, and if a large enough group of people swap saliva, the value of the database is damaged.
Cell phone location data can be fogged with similar tactics.
In my lifetime, I recall how citizens of the Soviet Union had skills for living under an extremely repressive government. But they are just a recent example.
Perhaps we’re in the end of a golden era of privacy. Time to adapt.

Clive Robinson June 13, 2023 12:36 PM

@ Joe D., ALL,

“Moral here is to leave your phone on, but leave it behind.”

Err no not quite.

Done on its own it is still “suspicious activity” thus grounds for further action.

As I’ve indicated before,

“You have to have established and defendable habits”

So always put your phone on charge in your office desk and turn it off at lunch time so it will “fast charge” always turn it off as you get on public transport, and often leave it off till you get home.

Never be in the same room as your phone during “me / down” time unless you are being paid to be near it.

In short turn it into a “land line” equivalent most of the time.

Also,

“Always pay cash where you can, or find another shop, but always get a receipt”.

The receipt if you keep quiet about it gives you a “defense” as tills almost always have CCTV on them these days. But unless you need it, it can not be “used against you”.

The police can almost always find a “concerned citizen” who will swear she saw you somewhere other than where you claim to be…

The best time to unmask her is in front of a jury with the receipt and if your lawyer is halfway on the ball with the CCTV footage. Destroying one prosecution witness may not be sufficient to kill the case, but it back foots the prosecutor and raises all sorts of questions in a jury’s minds.

As has been noted by the medical fraternity,

“Convenience takes years off of your life”

The same should be said by the legal profession.

Ian June 13, 2023 12:56 PM

Attach your phone to your dog or drop it in your wife’s purse. It might get more movement that way.

PaulBart June 13, 2023 1:00 PM

It would have been great if our representatives in Congress would have, along with their mandated E911, say, mandated dip switch to disconnect GPS, opt-out of E911, and quiet pings to tower. But really, are they our representatives, or representatives of the mic and global entities.

Erdem Memisyazici June 13, 2023 1:37 PM

Having a digital footprint is just as fakeable as anything else if you are in charge of the data. It’s worse than not having as much data in my opinion.

Firstly inaccurate data could harm you which was the case with Zachary McCoy for example who got accused of robbing a house.

Secondly the psychological reactions are less indicative of human interactions in an age of digital media where it’s “normal” for numerous companies to be processing your every interaction including biological information like breathing, heart-rate, blood pressure and so on. In a non-digital setting where people are forced to be in the physical presence of one another to communicate their emotional states and reactions are usually much more revealing of one another’s actions. In a shall we say more-analog community if you walk outside with an angry face you’d stick out like a sore thumb. It would be much easier for an investigator to resolve a crime.

Lastly the company or companies in charge of the data can and most likely do get away with crimes as not only can the evidence be expertly manipulated like you could in a more analog setting but unfortunately you also have the additional confidence of people who are under the impression that because everything is being recorded nothing bad can happen and the record is the absolute truth.

JonKnowsNothing June 13, 2023 5:02 PM

@Mexaly, All

re: I wonder how often someone sends their dog’s DNA into a public genealogy database.

There are a large number of animal DNA databases.

Some contain the genetics of all members of an endangered species. These DNA sets are used to limit genetic inbreeding or mitigate prior inbreeding.

Modern animal breeding of “pure bred” type breeds (cats, dogs, horses, cows etc) often have extensive DNA requirements for registration. Each breed registration has a list of criteria and a list of exclusions, sometimes both parents must also be registered and sometimes only one parent needs registration and there are conditions of cross registration where individuals from one registry will be conditionally admitted to another registry.

Along with a list of inclusions/exclusions, the AQHA registry requires a sample of mane hair from the sire, dam and offspring, to verify genetic heritage.

Along with the DNA registration, DNA genetic markers are also determined. Negative finds are highlighted as well as positive genetic traits and marked on the animal’s registration.

Some adverse genetic findings will be traced back until the source is found.

===

ht tp s://www.aqha.c o m/-/genetic-test-roundup

5 Panel Genetic Testing:

the five equine diseases it covers – HYPP, PSSM1, MH, GBED and HERDA

  • GBED: glycogen branching enzyme deficiency
  • HERDA: hereditary equine regional dermal asthenia
  • HYPP: hyperkalemic periodic paralysis
  • MH: malignant hyperthermia
  • PSSM1: polysaccharide storage myopathy Type 1

When the test is ordered, AQHA will send a test kit, and the owner will mail the hair sample directly to the Veterinary Genetics Laboratory at the University of California-Davis for testing. Once the tests are complete, AQHA will notify the owners and put the results on the horse’s record and certificate of registration.

ht tps://en.wikipedia.o r g/wiki/Glycogen-branching_enzyme_deficiency

  • Glycogen-branching enzyme deficiency (GBED) is an inheritable glycogen storage disease affecting American Quarter Horses and American Paint Horses. It leads to abortion, stillbirths, or early death of affected animals. The human form of the disease is known as glycogen storage disease type IV.
  • This genetic disease has been linked to the foundation Quarter Horse sire King P-234

ht tps://en.wikipedia.o r g/wiki/King_(horse)

King (1932–1958), often known as King P-234, was an outstanding early Quarter Horse stallion who influenced the breed throughout the early years of the American Quarter Horse Association (or AQHA).

King was the sire of many famous Quarter Horses including Brown King H, Martha King, Royal King, King’s Pistol, Gay Widow, Black Gold King, Power Command, Poco Bueno, Continental King, and LH Quarter Moon.[7] Two of his sons were inducted into the AQHA Hall of Fame, those being Poco Bueno and Royal King.[8] His daughter Taboo was the dam of Joe Cody, another member of the AQHA Hall of Fame.

ht tps://en.wikipedia.o r g/wiki/Impressive_(horse)

Impressive (April 15, 1969 – March 20, 1995) was born an Appendix American Quarter Horse, who earned his full AQHA registration in 1971. He was the 1974 World Champion Open Aged halter stallion, the first such World Champion in his breed, despite carrying only 48 halter points in total. He sired 2,250 foals, of which thirty went on to be World Champions themselves.

Over time, it became evident that many horses descended from Impressive were afflicted with the genetic disease hyperkalemic periodic paralysis (HYPP). While it is unclear if Impressive himself ever manifested clinical signs of HYPP in his lifetime, he is considered the index case, as the disease has never been observed in horses which are not descendants of his line. HYPP is a dominant gene, and as such, all animals with even one copy of the gene, identified as “N/H”, will exhibit some symptoms of the disease. Horses with two copies, identified as “H/H.” will always pass on the condition, and research suggests that H/H horses may have more severe symptoms than N/H horses.

  • After a number of years of debate, effective since January 1, 2007, the AQHA amended rule 205(c)(3) and Rule 227(e) to require all descendants of Impressive to be tested prior to being registered, and ban from registration all horses born after January 1, 2007 with HYPP genetics confirmed by DNA testing to be homozygous for the condition (H/H)

(url fractured)

Ted June 13, 2023 6:47 PM

I was just scanning the court documents for State of Idaho v. Kohberger.

A. Lot. Of search warrants appear to have been issued for this quadruple homicide. Do I count warrants sent to over 40 entities?

Some include UPS, Match, Ebay, Meta, Numerica Credit Union, and on and on.

The Affidavit has more detailed info on the video canvass and the analysis of cell phone records.

After consulting with CAST SA, I was able to determine estimated locations for the 8458 Phone from June 2022 to present, the time period authorized by the court. The records for the 8458 Phone show the 8458 Phone utilizing cellular resources that provide coverage to the area of 1122 King Road on at least twelve occasions prior to November 13, 2022. All of these occasions, except for one, occurred in the late evening and early morning hours of their respective days.

https://coi.isc.idaho.gov

Jesse Thompson June 13, 2023 7:55 PM

It’s actually based on the very well observed truism of,

“First a woman lets a man chase her till she has caught him, then once he is hooked, she then spends her time trying to change him”

Psychologists have been aware of it since at least the 1950’s and it’s appeared in one or two popular fiction books including SciFi.

@echo halp. I need an adult. D:

candace a. June 13, 2023 8:30 PM

Clive, I don’t see how this would help much:

“You have to have established and defendable habits”
So always put your phone on charge in your office desk and turn it off at lunch time so it will “fast charge” always turn it off as you get on public transport

The warrant, though, was for all the phones in an area at a certain time. Not just those deviating from an established pattern. Maybe an investigator will notice the pattern, maybe not, but it’s unlikely they’ll call off their investigation of a person because of it. At best, once on trial for murder one could subpoena one’s phone records, prove one always does that, and try to establish reasonable doubt. But by then one’s on trial for murder, and has already suffered serious invasions of privacy.

Re: John’s comment “If you don’t want the police to have access to data […], then elect or appoint judges who won’t sign warrants for collecting such data.”—I don’t think that’s sufficient, and I believe that widespread technical measures to prevent the existence of such data would be preferable. Maybe something like “Pretty Good Phone Privacy” (which was the name of a technical paper describing a system). It’s not like this would make it impossible to solve murders; it’d still be easier than it was just 30 years ago. It’d make us more resilient to data-leaks, the public’s tendency to panic and give up rights unnecessarily, non-democratic governments, etc.

Clive Robinson June 13, 2023 9:41 PM

@ candace a.,

“I don’t see how this would help much”

If you are ever going to commit a crime you do not want to do anything outside of your usual activities[1].

With regards,

“The warrant, though, was for all the phones in an area at a certain time.”

If your phone is in your desk it’s not with you. So an area search on phones in a given area will not have you in it.

Unless your desk is in the area, but then so would every one else in your office. A large office could easily have fifty phones a floor and ten or more floors. Thus an area warrant becomes impractical, unless they have a “distinguisher test” that can reliably winnow out phones that behave normally and only leave a few phones that can be investigated.

Remember not all crimes are for murder or worse, so the level of investigation is based on resources that can be justified by finance more than anything else. Low value crimes are often not investigated, just recorded and filed.

With regards,

“At best, once on trial for murder one could subpoena one’s phone records”

Actually even in the US the prosecution is required to hand over any and all information they have collected. Not doing so and getting caught has consequences nobody wants happening as it can tie judges’ hands and prosecutions collapse. The fact that US Law Enforcement including the FBI do it all the time, tells you more about the woeful state of defence lawyers than those living in the US would want to contemplate.

I’ll let @John Tillotson answer your other points about his comments.

[1] Because doing so, is these days considered “circumstantial evidence” thus grounds for “probable cause” thus unlocking the door on further more in-depth charges. Or prosecutors saying the abnormal activity was when the crime was committed and making it appear as “proof positive”.

Being able to say “it’s what I always do and have done for years” as well as having the evidence to back it up makes the prosecution’s job harder and the defence’s easier.

Contrary to what people get told, most convictions of any note do not turn on “beyond doubt” or even actual evidence, but little things. Juries consist of people and by and large people are not rational but petty and go for their convenience. A defendant picking their nose can turn members of a jury against them. Those turned jury members will then push things, so it’s just convenient for others to agree with them, so they can all go home early etc.

lurker June 13, 2023 11:08 PM

@Clive Robinson

If your phone is in your desk it’s not with you. So an area search on phones in a given area will not have you in it.

Errm, last I heard phones had not been granted free will. So a phone found somewhere, in the absence of substantive proof of loss, theft, or gifting, will be deemed to be in the possession, or under the control of its putative owner.[1] Finding the owner of a “burner” phone is left as an exercise for the reader.

[1] The registered owner of a motor vehicle in our jurisdiction, is deemed guilty of any stationary vehicle offence “committed by” said vehicle, until he can prove his innocence.

Hans June 14, 2023 6:03 AM

@lurker
I often leave my phone at my desk when I go somewhere. Me having it there for two hours and then picking it up again would not raise suspicion, because I do that a lot. Of course I can trust my colleagues enough to not take my phone.
That means, whatever I do in that time will not be in the cell phone data. What exactly is your point?

(Using me solely as an example, of course.)

lurker June 14, 2023 2:48 PM

@Hans
“I often leave my phone at my desk when I go somewhere.”

And you will not be implicated by phone records for whatever happens at the somewhere you go.

But if something happens at the office while you’re out, you will be a suspect because your phone was there. We’re out of the landline era now, separation of the person and the phone is deemed unusual and suspicious. You will need witnesses to testify that you often/usually leave your phone behind when you go out.

Zaphod June 14, 2023 4:03 PM

@lurker

To your second point – not really. As Clive detailed, you will have receipts and till cctv showing you out of the office in your scenario.

Z

lurker June 14, 2023 4:33 PM

@Zaphod, Hans

The problem is that LEAs are following the current social trend: the phone ≡ the person. Thus you are deemed guilty until you can prove your innocence. Which is a reversal of the traditional legal assumption.

Clive Robinson June 14, 2023 4:43 PM

@ lurker,

Re : I’ve mentioned this before.

“We’re out of the landline era now, separation of the person and the phone is deemed unusual and suspicious.”

Ask yourself the question,

Q : When is a mobile leashed to a fixed point like a land line?

A : When it’s on charge.

Also,

Q : When would you turn a mobile off?

A : When you are trying to save the battery, or there is no cell connection, or you are in a meeting etc.

As I’ve noted, it’s not what you do or why as such.

Just that it sounds plausible, and it can be shown to be habitual behaviour and not an illegal activity.

For instance some people are known to put food strainers on their heads, like tin foil hats… The fact they do it regularly and claim they are “Pastafarians” observing their religious practices, is something they are at liberty to do, and as such a claim is protected legally in various ways, whilst not in others,

https://academic.oup.com/ojlr/article/10/3/487/6517195

Awkwardly for many it can be seen as being no different than people donning white robes and doing what others consider strange things as the sun comes over the horizon. As they claim to be Druids observing their religious practices.

But if you think a little further, it’s also the same as people dropping a baited hook in the water, doing ball practice, running long distance, or as in my case going sailing, canoeing or swimming when I am able.

All sporting or other activities where an expensive mobile phone can cause a user harm, or others offence, or more obvious the phone be stolen, damaged, broken or lost. Would be to most “reasonable” not to have a phone with you or have it turned off.

I also happen not to take my phone into “The lab” as I use high power RF that would fry an Apple phone in less than a minute as known by experience… Though the same level of radiation would need a little longer to cause me problems…

If this sounds a bit beyond what other people might get up to consider that both Bluetooth and WiFi use the “two and a half gig”(2.45GHz) “Industrial Scientific and Medicine”(ISM) “unlicensed radio band” for the same reason Microwave Ovens do.

That the ISM band happens to be rather conveniently close to a “Ham Band” that is now attracting people sending high quality digital video signals through a Geo-Stationary satellite called Es’hail QO-100 (where QO stands for Qatari Oscar).

Thus building kits of bits like,

https://m.youtube.com/watch?v=fQ-BpKPkmeQ

Is becoming rather more common.

Oh and remember I’ve mentioned before the LDMOS FET (from Philips) was designed to make Microwave ovens both less expensive to manufacture and more reliable, as well as causing less electrical interference issues. And that I’ve mentioned using them in the past to design and manufacture 10kW Broadcast Transmitters from LW all the way up to microwaves.

A friend who owned a Broadcast Equipment manufacturing company and spent much time in an EM lab used to regularly “need a new phone” until he got out of the habit of having it in his pocket or on the bench close beside him.

I never take a phone into an EM lab not just because it might get cooked by what I’m working on, but also it can really mess up test and measurement work you are doing for certification testing. For the likes of the FCC, or EU “Radio Equipment Directive”(RED) –which now includes CyberSecurity– compliance testing.

Daniel Lambert June 15, 2023 5:35 PM

For several years, I worked intimately with call records for a major cellular provider. It is incredible the amounts and types of data they collect. That’s all I’m gonna say. Forewarned is forearmed.

Concerned June 15, 2023 7:30 PM

Don’t tease us like that. What do they collect? We’re hardly forearmed without that information.

Phillip June 16, 2023 12:52 AM

Apparently, the news staff at Moscow-Pullman Daily News (ID) were presented with something the magnitude of which nobody had any experience with – when the mass murder story was breaking and reported upon. I met an individual, taking a break in southern Oregon, who worked for this news outlet. Recounted those working many hours on various tasks. Nice to have this one finally solved.

vas pup June 16, 2023 6:49 PM

@all:
I hate that guy who killed 4 young people. There is no excuse for his behavior at all.

Regardless of my personal emotions, if I were LEO or prosecutor, I have no right to drive my actions by my emotions.

The difference between a criminal who breaks the law and LEAs investigating the crime is that the latter are bound by law when using any forensic tools accessing any type of data.

Now, there is difference between methods used for criminal intelligence on committed or prepared crime and evidence which could be used in court.

That is why e.g. 1023 is internal FBI document but 302 is not. Same applied for technical methods of collection.

Do we have Faraday bags or similar things to put a cell phone inside and eliminate all the things that were discussed in that part of the blog?

vas pup June 16, 2023 7:11 PM

Knesset passes motion urging government to probe police use of spyware
https://www.timesofisrael.com/knesset-passes-motion-urging-government-to-probe-police-use-of-spyware/

“The Knesset’s Constitution, Law and Justice Committee on Tuesday approved a motion urging the government to form an official commission of inquiry to probe alleged illicit use of spyware by police against citizens.

!!!It also came a week after prosecutors for the first time withdrew evidence from a court case after it became clear that police obtained it illegally using spyware. Though police had a court order permitting eavesdropping in the case, the use strayed beyond the confines of the order.

There have been persistent accusations that police have access to a watered-down version of NSO Group’s Pegasus spyware which allows them to access Israelis’ phones, including covertly listening in on conversations.

In early 2022, the Calcalist newspaper reported, without providing evidence or citing sources, that dozens of high-profile Israeli figures — including former ministry directors, prominent business figures, and family members and associates of Prime Minister Benjamin Netanyahu — were spied on by police using Pegasus spyware without any judicial oversight.”
