Dave Cawley: Josh Powell went to court in Tacoma, Washington on the first day of February, 2012. He wore a jacket, a blue shirt and tie and carried a crumpled brown paper sack from a FedEx Office copy center. It contained a typed statement for the court. This is what Josh wrote.
Eric Openshaw (as Josh Powell from February 1, 2012 statement): Having demonstrated my fitness as a parent, it is time for my sons to come home.
Dave Cawley: Josh had lost custody of his sons Charlie and Braden four months earlier, after police raided the South Hill home he shared with his father. Detectives were looking for evidence related to the unsolved disappearance of Josh’s wife Susan. Instead, they’d found his father’s stash of voyeur videos.
Eric Openshaw (as Josh Powell from February 1, 2012 statement): I was living with him at the time, however, within the first month, I established my own home and I have consistently proven my fitness as a stable and loving parent.
Dave Cawley: In court, Josh’s attorney Jeff Bassett told judge Kathryn Nelson his client had done everything she’d asked of him.
Jeff Bassett (from February 1, 2012 KSL TV archive): He has been nothing if, uh, if, if not cooperative to the entire, uh, everything that’s been asked of him in this case.
Dave Cawley: Josh’d even gone so far as to endure a psychological evaluation.
Eric Openshaw (as Josh Powell from February 1, 2012 statement): I have proven myself as a fit and loving father who provides a stable home even in the face of great adversity.
Dave Cawley: Not so fast. Assistant Washington Attorney General John Long told the court police in West Valley City, Utah had just shared concerning new evidence.
John Long (from February 1, 2012 KSL TV archive): Based on some information that’s been provided, uh, by a criminal, uh, investigation, a judge overseeing the criminal investigation. Uh, I think it’s clear, uh, from that court order that these, uh, can be linked to, uh, Mister Powell.
Dave Cawley: No one came right out and said it in open court that day, but the evidence in question was a set of nearly 400 pornographic images. They were digital files, most of them small thumbnails. The majority were cartoons, showing characters from animated TV series, often depicting children and adults together. Detectives and the FBI had found the thumbnails on a computer taken out of Josh and Susan’s house in Utah, the day after she disappeared in December of 2009.
In court documents, police said the images belonged to Josh. They were wrong.
This is a bonus episode of Cold: Project Sunlight. I’m Dave Cawley.
Dave Cawley: Let’s go back again to Judge Kathryn Nelson’s chambers in Pierce County Superior Court on February 1st, 2012. Josh Powell’s attorney Jeff Bassett pushed back against the claim of new evidence against his client. He wondered why detectives were only then raising the issue. If the cartoon pictures were so bad, he asked, why hadn’t police just arrested Josh when they’d first found them?
Jeff Bassett (from February 1, 2012 KSL TV archive): And I just think that we are allowing ourselves to be manipulated from outside sources on this case without cause.
Dave Cawley: Detective Ellis Maxwell, the lead investigator on the Susan Powell case, wasn’t in court that day. But he told me he’d tried to secure charges against Josh on those images. Prosecutors would not go for it.
Ellis Maxwell: I’m sure a lot of people were wondering, going “ok, well they’ve had this for several years but now they’re going to introduce it now.” Well that’s why.
Dave Cawley: Police also considered the images contraband, illegal to possess or view.
Ellis Maxwell: And so we had to go through the courts here and they made an exception to release the evidence to the State of Washington for review purposes and it was very specific to where only the judge and the attorney and the social workers and, y’know, it was a small scope, and I think one detective.
Dave Cawley: The judge’s order did not allow Josh to see the images. But it did grant permission for forensic psychologist James Manley to review them.
James Manley: The overall, umm, tone of these were incestuous.
Dave Cawley: James’d already delivered a report about Josh’s parenting capacity to the court in Washington. After viewing the images, he had new concerns. So, James authored a follow-up.
James Manley: I went down to the police station, talked with the guardian ad litem and the detective and the attorney general. Decided, it didn’t take much to decide but we entered a request or petition to the court for a psychosexual evaluation.
Dave Cawley: On the one side, Judge Nelson had Josh making the case for reunification. On the other side stood police, prosecutors and a psychologist, all arguing Josh might not be a safe father, based on these thumbnail images of cartoon incest pornography. Josh, for his part, seemed to make a vague reference to the pictures in his own typed statement to the court that day. He wrote:
Eric Openshaw (as Josh Powell from February 1, 2012 statement): I have recently heard rumblings that some people are dipping deep down to the bottom of the barrel in a desperate effort to find and manufacture fault with me due to their attitudes.
Dave Cawley: The word “manufacture” there is significant. Josh seemed to imply that he believed police had fabricated the new evidence. His protest didn’t sway the judge. She told Josh he was not getting his boys back that day. Instead, Judge Nelson ordered him to take the psychosexual evaluation. You know what happened next. Days after the court hearing, Josh murdered his sons and killed himself.
Gary Sanders: When he was not only not given custody but then the stipulations that they put on him, the psychosexual and some other things, I think he, that kind of cracked him.
Chuck Cox: The psychosexual evaluation was the end of the road for him. Because, with the revelation that, y’know, he had these pictures on his computer…
Anne Bremner: It’s explicit and it’s of concern. It’s very, very disturbing and so that was something else that they knew about him. And that was found by the West Valley police on his computer.
Dave Cawley: Only, I can now tell you, it wasn’t Josh’s computer. I’ve discovered that the computer in question belonged to Susan.
Dave Cawley: Let’s step backward in time to examine how I made this discovery and what it means about ownership of those pornographic images.
Susan Powell sent an email to an old friend on Christmas Eve, 2008, a little less than a year before her disappearance. In it, she vented about the rocky state of her marriage, expressing despair over its dysfunction. She also wrote that Josh didn’t allow her to go online with his computers.
Kristen Sorensen (as Susan Powell from December 24, 2008 email): I love Facebook and Josh is still convinced using it or anything else on the web, automatically uploads evil and doesn’t trust me with most of his computers.
Dave Cawley: The only computer Josh allowed Susan to use at home was a Compaq brand iPaq, by then a nine-year-old model. In a July, 2009 Facebook message, she told another old friend the Compaq computer wasn’t all that useful.
Kristen Sorensen (as Susan Powell from July 13, 2009 Facebook message): The crappy computer I have access to at home is soo old and slow that I literally log into fb, walk away, click profile, walk away because it takes so long to load.
Dave Cawley: Josh, on the other hand, used multiple computers. He’d built a custom tower complete with a RAID array. Susan mentioned that machine in her July 2008 video documenting the family’s assets.
Susan Cox Powell (from July 29, 2008 home video): Here’s the kinds of pimping out stuff he’s done to his computer, he built it himself.
Dave Cawley: Josh also had a work-issued laptop that he often used around the house. But he didn’t seem to think his wife had much need for a computer of her own.
Linda Bagley: The control that uh, Josh had over her, he wouldn’t let her do certain things.
Dave Cawley: In a July, 2009 email, Susan told her work friend Linda Bagley the only task Josh allowed her to use a computer for was tracking her spending.
Kristen Sorensen (as Susan Powell from July 27, 2009 email): Having every year down to the penny of totals of each category is a priority with my husband and not me.
Dave Cawley: For years, Josh’d tasked Susan with scanning his documents. Susan told Linda doing Josh’s data entry was a waste of time. She wrote:
Kristen Sorensen (as Susan Powell from July 27, 2009 email to Linda Bagley): I enter on each receipt … if it was clothing for Josh, clothing for Susan, accessories for Susan, toiletries for Susan, shoes, cosmetics … groceries is broken down to listening each item or describing if it was produce, frozen, shelf stable foods, incidentals like batteries or non-consumables. … We categorize diapers versus wipes versus diaper ointment versus children’s clothing, children books, children toys, children movies etcetera, etcetera.
Dave Cawley: Susan begged Josh for a better computer throughout 2009. He kept telling her he would build her one, but never did.
Linda Bagley: It was always the best for him and the least they could do for her, but yet she earned as much or more income than he did.
Dave Cawley: Finally, at the end of August, the Compaq iPaq died. Susan felt cut off from her friends and family and she resorted to sneaking onto Facebook at the office. She told a coworker in an email she feared those internet sessions might cost her her job.
Kristen Sorensen (as Susan Powell from September 12, 2009 Facebook message): I just found out, they might be doing “final warnings” and firing people for using “non work related websites.” … I value my job more than email. … I guess, let’s go back to the stone age of cell phones.
Dave Cawley: The solution had been staring Susan in the face for months. She knew of a family that had shut down an in-home business earlier in the year. That family owned several computers they no longer needed. Susan decided to buy one, without telling Josh. That presented a problem, though. At that time, Josh and Susan had only one car.
Linda Bagley: She didn’t get the car, it was him unless he didn’t have the, unless he had the day off maybe or something. It was always him.
Dave Cawley: So on September 18th, 2009, Susan asked her daycare provider Debbie Caldwell to swing by in her Mazda Miata. When Debbie showed up, Susan plopped down into the passenger seat and told Debbie where to go. That night, Susan bought a computer of her own for $100.
In the interest of full disclosure I should mention I know who sold Susan that computer. At this time, I’m opting not to report that detail.
Josh flipped out when he found out about Susan’s purchase.
Kristen Sorensen (as Susan Powell from September 18, 2009 email): Josh immediately pounced on the computer … I told him it was my computer and not to mess with it.
Dave Cawley: The computer was a Dell OptiPlex GX270, far from top of the line. But Susan told her coworkers in this email that it was enough.
Kristen Sorensen (as Susan Powell from September 18, 2009 email): It does what I need and that’s all I care about. I explained I wanted to do Facebook, Hotmail, PBS.org and let the kids watch movies and such.
Dave Cawley: Susan didn’t want her computer downstairs in the office, where Josh kept his computer. Instead, she cleared space in a small upstairs bedroom. And that is exactly where West Valley City police detectives found it less than three months later, when they entered the house with a search warrant.
Dave Cawley: The Dell computer next ended up at the FBI’s Intermountain West Regional Computer Forensics Lab, along with all of the rest of the digital evidence in the Powell case. I talked about the RCFL’s work in episode 12. As a refresher though, here’s FBI Supervisory Special Agent Cheney Eng-Tow.
Cheney Eng-Tow: The software we use goes in and retrieves deleted files, files that are in this so-called like unallocated space that the computer knows can use now. So we’re able to pull stuff that’s deleted and things like that.
Dave Cawley: That’s exactly where investigators found almost all of the cartoon pornography: in unallocated space on the Dell computer’s hard drive. The images had been deleted, likely as part of an automatic purge of web browser cache files. In other words, someone had visited a website hosting the images but had probably not explicitly downloaded copies of them.
Typically, computer files carry metadata that can tell you things like when the file was created, modified or last accessed. Forensic examiners can use that metadata to determine when files were downloaded from the internet. But that’s not always the case with deleted files. They’re often stripped of metadata. This presented a problem for West Valley police. When they and the FBI discovered the cartoon incest pornography in 2010, they opened a new case in the hopes of securing federal child pornography charges against Josh. Police records show a detective even screened the case with an assistant U.S. Attorney. But the AUSA refused to charge, pointing out that police could not prove Josh was the person who’d accessed the explicit cartoons.
The police, FBI and prosecutors all missed something, something that I recently discovered: a timestamp showing when at least some of those cartoon porn images were accessed. I need to take a second and explain how I discovered this. When the RCFL finished its work on the Dell computer’s hard drive, it turned over copies of its findings to West Valley police.
Cheney Eng-Tow: We provide an archive of all of the work that we do. … We also generate a digital report for them. That report will have all of the files that were deemed pertinent.
Dave Cawley: Deemed pertinent. That means the report only included copies of a subset of all of the files found by the forensic software. Now, I have a copy of this report. Reviewing it, I discovered that one of the explicit cartoons still held metadata. It showed the image had last been accessed on March 20th, 2009. That’s six months before the Dell desktop ever entered the Powell house.
That’s not all. The report also included a database indicating all of the files that the forensic software had been able to see. It did not include copies of every file, but you can use the database to see stuff like file names, sizes, metadata and the location where the file had been stored on the file system’s directory.
I know this is all really dull, but just stick with me here. Knowing the date and time from the metadata on that one cartoon image, I was able to find references in the database to several internet cookie files from cartoon pornography websites. They were created just before 1 a.m. on March 22nd, 2009. Again, six months before the Dell computer ever entered the Powell house. The prior owner had failed to wipe the hard drive when selling it to Susan.
This fact carries significant implications. It means neither Josh nor Susan could have been the person who downloaded the cartoon pornography. And because of that, the judge’s order that Josh undergo a psychosexual evaluation, an order that many people close to the case say broke Josh just days before the murder-suicide, was based on flawed information.
Dave Cawley: Josh was in a hurry. It was February 3rd, 2009. He and Susan were making final preparations for a vacation to Washington. They planned to spend the better part of a month visiting their families and old friends in the state where they had first met and fallen in love. Before leaving their home in Utah, Josh wanted to finalize the legal trust he’d been working on with an attorney. He was becoming frustrated because the lawyer wasn’t responding to his messages. He complained to Susan about it in this email.
Eric Openshaw (as Josh Powell from February 3, 2009 email to Susan Powell): I can make a generic trust with that software program just to have something done before leaving.
Dave Cawley: Susan replied with an email of her own, urging her husband to worry about it later.
Kristen Sorensen (as Susan Powell from February 3, 2009 email to Josh Powell): Seriously push for generic for now, we don’t need him delaying our entire vacation.
Dave Cawley: More practical concerns were forefront in Susan’s mind. She needed to find someone to watch their pet parrot, Triley, while they were gone.
(Sound of parrot squawking and Josh saying “hello” from undated home video recording)
Dave Cawley: Susan talked her sister-in-law Jennifer Graves into serving as the bird babysitter. But Josh just couldn’t shake his fixation with the trust.
Eric Openshaw (as Josh Powell from February 3, 2009 email to Susan Powell): Let’s plan to go over the language in detail while driving the bird to Jenny’s.
Dave Cawley: Susan made clear she wanted the legal stuff off Josh’s plate as soon as possible.
Kristen Sorensen (as Susan Powell from February 3, 2009, work email to Josh Powell): I’m really really obsessed with the idea of leaving thursday early am to arrive by dinner so if that trust works-good.
Dave Cawley: The looming 15-hour drive didn’t seem to concern Josh much.
Eric Openshaw (as Josh Powell from February 3, 2009 email to Susan Powell): I also need to work on backing up data. I think I finally have a workable plan, but it will take time to process the files. I better start the process before leaving for Jenny’s.
Dave Cawley: Several months earlier, Josh had purchased a one terabyte Western Digital brand “My Book World Edition” external hard drive. He kept it in his basement office, connected to their home network by way of an ethernet cable. Susan even mentioned that hard drive in the video she made documenting the family’s assets in July of 2008.
Susan Cox Powell (from July 29, 2008 home video): And this is some type of backup device. It says WD on the side. I don’t know, it like shares the information somehow.
Dave Cawley: Josh’d come up with a method of syncing copies of his files from each of his computers to the external hard drive, over the home network.
West Valley City police detectives took the My Book World Edition hard drive when they raided Josh and Susan’s home with a search warrant the day after she disappeared. The same day they took Susan’s Dell desktop. Like the Dell, the My Book World hard drive ended up at the RCFL. But investigators couldn’t manage to get anything off of it. Josh’s network backup was locked with encryption. That encrypted hard drive is one of the last persisting mysteries in the Powell case. And for the first time, we have a clue of just what secrets it might hold.
Dave Cawley: Earlier in this episode, I mentioned Josh’s homebuilt computer tower. It’s the one with the RAID array that was in the basement office of the Sarah Circle house.
Susan Cox Powell (from July 29, 2008 home video): I think there’s like five hard drives, something about doing RAIDS. There’s those for all of the computer geeks.
Dave Cawley: Again, that is Susan’s voice from the video she made documenting her assets in the summer of 2008.
Josh’s RAID array computer also ended up at the FBI’s computer lab after Susan disappeared, but it didn’t appear to hold much in the way of evidence. Investigators flagged some family photos on it, as well as a single file named “vvdb1NetworkEncrypted.tdb.”
I have a copy of this file. At first, I couldn’t make much of it. I didn’t recognize the file format. A little Googling suggested it was probably some kind of database. But without knowing what program created it, there was little chance of viewing it. Maybe, I figured, something might show up if I tried to open the file as text. When I did, it revealed a single, extremely long line of letters, numbers and foreign language symbols. Almost incomprehensible.
Some dictionary words and even short phrases did jump out, but those foreign characters made it impossible to get a clean read. Scrolling what seemed endlessly toward the right, my eyes started to lose focus. That’s when it happened. A pattern began to emerge. The random placement of these foreign characters wasn’t actually random. On a hunch, I replaced all of those foreign characters with line breaks. That unreadable string of long text transformed into a neat list. Scrolling vertically then, I could see the list was roughly 70-thousand lines long. Each line was a discrete reference to an individual file.
Susan Cox Powell (from July 29, 2008 home video): We’ve got all sorts of files, this is all thanks to me trying to save them.
Dave Cawley: These were file paths. The very first line read “ViceVersa synchronization tracking.” ViceVersa is a file backup app.
Susan Cox Powell (from July 29, 2008 home video): There’s some tapes and DVDs and stuff to back up all the computer geek stuff, our family photos and financial information and…
Dave Cawley: I soon learned the .tdb file extension was short for tracking database. So the file I was looking at was how ViceVersa kept track of which items to synchronize. It was a log of what was copied from where, to where. The source, where the original files were copied from, and the target, where they were copied to, were both represented in the list. Looking through the database, I could see the source was called “tempbackupunorganized.” The target volume carried the name “mybookworld.”
Susan Cox Powell (from July 29, 2008 home video): My Book Work, World Edition. I think that’s the stuff I was looking at earlier that saves information.
Dave Cawley: That means the ViceVersa database file is very likely the table of contents to Josh’s encrypted hard drive.
A few takeaways were evident when I started studying the ViceVersa database file. Josh tended to keep his documents well organized, in a series of nested folders. They had orderly names like business, education, finances, insurance, housing and so on. Each individual file carried a descriptive name.
Many of the files and folders also included exact dates in their names. The formatting was always the same: four digit year, two digit month, two digit day. Josh’s documents dated as far back as the early 90s, when he was a teenager. The most recent files dated to September of 2009, three months before Susan’s disappearance.
Perhaps most important, I recognized some of the files. In fact, I already had copies of some of them, like Josh’s audio journals.
Josh Powell (from March 3, 2001 audio journal recording): So I went home, started working on my computer again. I pretty much need my computer for every aspect of my life right now.
Dave Cawley: But my copies of Josh’s journals came from hard drives West Valley police seized from Steve Powell’s house and Josh’s safe deposit box in Washington in 2011.
Josh Powell (from March 2, 2001 audio journal recording): Today I got up and started working on my computer. I decided better get Windows 98 installed on it so I can start using my scanner and stuff again.
Dave Cawley: So how did Josh have copies of those files in Washington in 2011, if police had seized all of his digital data from the Sarah Circle house in Utah right after Susan disappeared in 2009?
Josh Powell (from March 5, 2001 audio journal recording): None of this technology stuff is particularly esoteric to me.
Dave Cawley: The simple answer is off-site backups. So where did Josh stash his off-site copy?
Back to those emails Josh and Susan exchanged in February of 2009, before leaving on their road trip to Washington. In one, Josh told Susan he wanted a backup of his computer done before their meeting with the attorney. Here’s what he wrote.
Eric Openshaw (as Josh Powell from February 3, 2009 email to Susan Powell): I really intend to fully backup the computer and bring a copy.
Dave Cawley: Now, I can’t say for sure, but it’s reasonable to believe Josh might’ve placed this copy of his digital archive in a safe deposit box. Or maybe, he left it with a friend. If so, he could’ve retrieved it after Susan disappeared and carried it with him to Washington.
Evidence exists to support this idea. As I just mentioned, the Josh Powell journal files I received from West Valley City during my research for Cold came from devices police’d seized in 2011. But they line up with the ViceVersa database from 2009. The folder structure on Josh’s encrypted backup is almost identical to that of his archive as it appeared two years later. They both derived from the same original source.
That discovery raised an interesting question: could the digital data seized by police in 2011 hold the key to unlocking the My Book World hard drive from 2009? To find out, I’d need the help of someone with access to all of the digital evidence.
Dave Cawley: At the start of October 2013, Susan’s dad, Chuck Cox, sent an email to West Valley police detective Ellis Maxwell. A man named Richard Hickman from a company called Decipher Forensics had reached out to Chuck, offering to help get into Josh’s encrypted drive.
Richard Hickman: I saw the news story about the hard drives being encrypted and the FBI having a hard time being able to crack the encryption and I thought of the uh, the cryptocurrency mining machines that we had in our office that we also utilized for password breaking for forensics from time to time. And so I thought “well, let’s, let’s reach out. Let’s see if we can maybe just donate some time on our machine.”
Dave Cawley: Richard co-owned Decipher with two other partners, Trent Leavitt and Mike Johnson. They had founded the firm in 2011.
Trent Leavitt: Decipher primarily was a computer forensic and cell phone forensic company. We would handle cases in civil litigation, worked with law enforcement as well, on anything from homicide cases to divorces. Sometimes, they were one in the same. And everything in between: intellectual property theft, employment law, civil litigation of all types.
Dave Cawley: That is Trent. West Valley City had declared the Powell case cold five months earlier. At Chuck’s urging, police reached out to Decipher to see if they could help decrypt the “My Book World” hard drive.
Trent Leavitt: I believe we met with detective Maxwell. Very nice guy, very easy to work with. He was actually very appreciative of our willingness to do this for free and try and move things along and get more answers.
Dave Cawley: Trent told Ellis about the machines they intended to use. Decipher had poured about $14,000 into building them. They were both contained in milk crates.
Richard Hickman: You just have this box, this milk crate box and we, we actually took a piece of wood across the side of it to be able to kind of act as a, like, the shelf. And then we just set down these four really powerful graphics cards that are just gaming graphics cards and hooked ’em up that way.
Dave Cawley: These milk crates weren’t much to look at but they were necessary because the rigs consumed a lot of power and generated a great deal of heat. It required a full-size fan just to keep them cool.
Trent Leavitt: It generated enough heat in the winter that we would open up our windows and didn’t have to turn on the furnace in our office. It, it literally heated our entire office.
Dave Cawley: Ellis was impressed. He ran the idea up his chain of command and received an ok from the deputy chief. So, in December of 2013, West Valley gave the Decipher team a copy of the “My Book World” drive. The arrangement came with a condition: Decipher had to sign a non-disclosure agreement. They were not allowed to discuss their work.
Richard Hickman: And we didn’t talk about the fact that we were even doing it with anybody.
Dave Cawley: And, the deal required that they report any discoveries to Ellis.
Trent Leavitt: Anything that we find, per our agreement with West Valley City, y’know, when we originally started this, anything we found was to go back to West Valley City and to go nowhere else.
Dave Cawley: Confidentiality wasn’t an issue for Decipher. It was common practice with almost every case they worked.
Richard Hickman: Talking about a case, especially on camera, it’s weird. It’s very weird. (Laughs)
Dave Cawley: Trent and Richard are only discussing this now because West Valley City released them from the NDA, at Cold’s request. My thanks to West Valley for that.
Trent, Richard and Mike hooked Josh’s encrypted drive up to their milk crate rig. They’d decided to run what’s known as a dictionary attack against the encryption.
Richard Hickman: We put together this strategy of combining a whole lot of, umm, password lists from previous data breaches and dumps that’d happened. Hackers will breach a company, they’ll pull their usernames and passwords and then they leak that to the internet. And so, all of those lists are publicly available. And so, we downloaded a lot of these lists of very common passwords. And then we created our own big combined dictionary, applied a whole bunch of rules to it to say “try the original password and then we’re going to swap all the As with @ symbols, Ss with $, Es with 3s, Is with 1s or !s, all of these different combinations.” And, y’know, putting a one on the end putting or maybe combining two passwords and it created this massive dictionary that we knew and it, and our software showed was going to take forever to get through. But we thought why not? Let’s give it a try.
Dave Cawley: It didn’t take long before Decipher encountered some initial success. The tool they used for the dictionary attack came across a password.
Trent Leavitt: ap1124. Is that it?
Richard Hickman: Yep.
Trent Leavitt: I don’t know how I remember that, but some things you just don’t forget.
Richard Hickman: Yep.
Trent Leavitt: ap1124.
Dave Cawley: They plugged that six-character string into the encrypted drive, then attempted to access it. There was nothing there. The drive appeared to be empty.
Richard Hickman: With TrueCrypt, without getting really super technical, you can have multiple layers of encryption.
Dave Cawley: I’ll have more to say about this point in a bit, but for now, it’s enough to know that this discovery meant Decipher had to start all over again. They set the milk crate machines back to work.
Richard Hickman: It ran for a very long time.
Dave Cawley: The code-cracking software ripped through hundreds of millions, then billions of possible password permutations. Heat took its toll on the milk crate machines.
Trent Leavitt: And that thing would run around the clock, 24/7, for months, if not, y’know, close to two years before those things burned up. And still didn’t break it.
Dave Cawley: Ellis retired around that same time and a different detective, David Greco, took over as caretaker of the Powell case. 2016 passed. Still, no break. In August of 2017, detective Greco dropped in on the Decipher office to check up on things. Richard and another member of their team, Kaly Richmond, told him they still had the encrypted drive and were still working on it. They brought him up to speed on their early discovery, in a sort of good news/bad news kind of way.
Trent Leavitt: ap1124. That’s what we have to give you. It means absolutely nothing.
Dave Cawley: Two months later, in October of 2017, a private investigator working for Susan’s parents called Decipher to check in on things. Trent told the P.I., Rose Winquist, he didn’t have much to say. But he let slip they’d discovered a short password that didn’t provide access to any files.
Trent Leavitt: It’s really not a big deal. There’s nothing here.
Dave Cawley: Rose shared this information. I spoke to her on the phone on the night of October 25th, 2017. She told me then Decipher had decoded a “first layer” on Josh’s encrypted hard drive. At the time, I contacted West Valley police, who confirmed the general thrust of what Rose had said. So, I broke the story on the 10 o’clock news that night.
Dave McCann (from October 25, 2017 KSL TV archive): KSL radio producer Dave Cawley on the phone with us tonight with the latest development and Dave, this has to do with a hard drive.
Dave Cawley (from October 25, 2017 KSL TV archive): It does, Dave. A company called Winquist Investigations is collaborating with Susan Powell’s parents, Chuck and Judy Cox, and they’re working with a Utah company called Decipher Forensics to try and gain access to a copy of one of Josh Powell’s hard drives.
Dave Cawley: I didn’t understand then that Decipher was working for West Valley, not the Coxes.
Dave Cawley (from October 25, 2017 KSL TV archive): Private investigator Rose Winquist tells KSL they are in need of more resources now to devote to the effort. They’re reaching out to Amazon, hoping the internet giant can use its cloud computing platform to speed up this process.
Dave Cawley: The following day, Rose made the rounds, talking to other local and national media about the encryption.
Rose Winquist (from October 26, 2017 KSL TV archive): This is our biggest hope right now, is, is this computer and the other computers that the police have.
Ladd Eagan (from October 26, 2017 KSL TV archive): Calling it a “potential breakthrough,” a private investigator hired by the parents of Susan Cox Powell hopes a remaining hard drive gives them the clues they need.
Dave Cawley: The brass at West Valley City were not happy. It seemed to them that Decipher had violated the nondisclosure agreement.
Trent Leavitt: I received a phone call from, uh, I’ll just say an official at West Valley City and wanting to know why the press was starting to camp out at the, y’know, the front of the doors. And I said, “I have no idea what you’re talking about.”
Dave Cawley: Trent soon figured it out and went to work attempting to limit the damage.
Trent Leavitt: It violated the trust of another department. In our industry, word gets around pretty quick. When in fact, we didn’t violate the trust, someone else did.
Dave Cawley: But that damage was done.
Trent Leavitt: Obviously, in trying to be cooperative, we just did whatever West Valley City told us to do. And they said “Don’t say anything.” We said, “ok, we’ve been pretty good at that.” So we let West Valley City put out a statement. We just kept our mouth shut.
Dave Cawley: That didn’t keep Trent’s phone from blowing up.
Trent Leavitt: Dozens and dozens of phone calls. Probably from your station as well. And I had no comment. Y’know, I actually just started hanging up on people because I had work to do, and I wasn’t getting it done.
Dave Cawley: The Decipher team feared West Valley would demand the encrypted drive back, shutting down their effort. But the city didn’t do that. And the situation did have a silver lining. The renewed interest in the Powell case started the team thinking about how to whittle down that giant dictionary into something more manageable, a custom dictionary to Josh alone.
Richard Hickman: It’s a much more personalized dictionary, based on the information that we have about him. And so, we can take all of his computer information and even enter in manually information like his birthday, his kids’ names, his kids’ birthdays, family members and important life events and that kind of stuff.
Dave Cawley: But they could only build that custom dictionary if they had access to Josh’s other, unencrypted hard drives.
Trent Leavitt: During the course of that week, umm, our former business partner Mike Johnson said, “I’m positive, there’s more drives in this case that just didn’t give them to us. What if we took all of the drives” and like Richard talked about “created a dictionary of all the drives that aren’t encrypted?”
Dave Cawley: A few weeks after the leak, detective Greco dropped in on the Decipher office again to remind Trent, Mike and Richard they were still bound by the non-disclosure agreement. The Decipher team took the opportunity to ask for copies of all of the digital data from the Powell case. West Valley City agreed, in spite of the recent breach of trust. And, in 2018, the accounting firm Eide Bailly acquired Decipher Forensics. Trent brought the Powell drives with him to his new, state-of-the-art digital forensics lab.
Dave Cawley: The October 2017 leak had another unintended consequence. Rob Burton, an IT expert and self-described news junkie, had followed reports about the Powell case from the beginning.
Rob Burton: It affected me very personally, just like many of us here in Utah and nationally.
Dave Cawley: Rob was paying attention when the P.I., Rose Winquist, started doing news interviews about Josh’s encrypted hard drive.
Rob Burton: There was some local news media coverage of the encrypted hard drive that had made the news here in Salt Lake City as well as some podcasts.
Dave Cawley: It was Nancy Grace on her podcast “Crime Stories.” The show characterized the latest news as “a big development” and “the most hopeful lead” in the Powell case in years. Attentive, Rob listened. Several times.
Rob Burton: And as I heard the, the digital forensic details, it just didn’t quite line up.
Dave Cawley: Rob worked for a large corporate employer in Salt Lake City as an information security analyst and digital forensics specialist. He had expertise in this field.
Rob Burton: She kind of glossed over it. I don’t think she fully understood the details and the intricacies that were involved, especially with West Valley City.
Dave Cawley: At one point, a guest on the podcast mentioned there was nothing preventing police from making more copies of the encrypted hard drive and sharing those with other digital forensic experts. That started Rob thinking.
Rob Burton: I actually work in West Valley. My employer has a major IT office in West Valley and so hearing that, I wondered, “I wonder if I could get involved with that?”
Dave Cawley: Rob headed over to West Valley police headquarters on his lunch break one day.
Rob Burton: They were actually very positive, very favorable. I, I, I asked them specifically for the detective involved in the case and he wasn’t there at the time but I left him a message and then he called me back a few days later and met with me.
Dave Cawley: Detective David Greco made a fresh copy of the encrypted “My Book World” hard drive for Rob and delivered it to him at the start of January 2018. Just like with Decipher, Rob signed a nondisclosure agreement. He was gagged from talking about the project.
Rob Burton: In fact, as I started this project two years ago, being under NDA, I knew I just couldn’t just create a folder on my computer called “Susan Powell project” because I was under NDA and kind of had to keep it hidden. And so I named the folder on my computer Project Sunlight because I thought every good secret project has to have a good codename, right? Like you see in movies and TV shows and I named it Project Sunlight because sunlight is the best disinfectant, I think.
Dave Cawley: Again, West Valley City has granted Rob a release from that NDA at Cold’s request. My thanks to the city for allowing Rob to share his story.
Rob Burton: And now that it’s a little more out in the open, I’m, I’m very relieved to be able to talk about it.
Dave Cawley: Once Rob obtained a copy of the encrypted hard drive, he started tinkering. He bought several computers second-hand and set them up to run a password-cracking program.
Rob Burton: I’ve basically built a small computer lab out of extra computers that I had and uh, that I’ve been able to acquire with some other video cards and then just running the software against it. It’s called Passware and it’s commercially available and it’s what law enforcement agencies also use.
Dave Cawley: Passware began plugging every possible password into the drive, one by one, as fast as it could. This is what’s known as a brute force attack, a different approach from the dictionary attack the Decipher team had first employed.
Rob Burton: There’s a couple different strategies when it comes to decryption, but brute force is kind of the last effort, really, the last ditch effort really, after several of the easier things have been exhausted. You’re really left with brute force. And that’s where you’re basically just trying combinations of letters, numbers, characters to try and brute force that password. To guess it. Password guessing.
Dave Cawley: Passware had only been running for a handful of weeks when something unexpected happened.
Rob Burton: One morning I came in and looked at that and it said “password found 1.” And I thought “oh, is that a bug, was that real?” And sure enough, yeah no, it really did find one password.
Dave Cawley: ap1124. The same password the Decipher team had discovered.
Rob Burton: But we mounted that and it’s blank. There’s no data there.
Dave Cawley: Earlier, I mentioned that I’d get back to the idea of this being an “outer layer” of encryption.
Rob Burton: Think of it as a box within a box.
Dave Cawley: Rob explained, the ap1124 password was the key to open the outer box.
Rob Burton: There’s a process known as plausible deniability that basically, it was used so that if someone was caught and had to give up the password to this drive, say by law enforcement — law enforcement arrests a suspect and convinces them to give up a password to the drive — they could say “ok, well my password is, here’s my password.” Law enforcement thinks “oh great, we’ve got the password to the drive, we can decrypt it.” They can decrypt that outer partition and it can be totally empty. And they think “oh, there’s nothing here.”
Dave Cawley: Cracking the outer partition password brings them no closer to discovering the hidden partition password.
Rob Burton: It’s a whole different password. There’s the outer password and there’s the inner password. So it’s starting over and it’s a much different layer of complexity.
Dave Cawley: ap1124 isn’t very secure, as far as passwords go. Nowadays, many websites would refuse to let you use it because it’s not long enough, doesn’t include special characters and uses only lower-case letters. Richard Hickman and Trent Leavitt told me it’s likely the password Josh used on the hidden partition, if a hidden partition even exists, is much more complex.
Richard Hickman: There might not even be a second layer. It could just be, we cracked that top code and it was an empty hard drive.
Trent Leavitt: That’s a possibility we’ve talked about.
Richard Hickman: We have no idea, so. We’d like to think that there’s something else to go after.
Dave Cawley: The ViceVersaPro database log I talked about earlier suggests there probably is something to go after. But the only way to know for sure is to either crack the second password or run the brute force attack until the end of time.
Trent Leavitt: No encryption is bulletproof. But if you can delay the amount of time it takes, then it becomes improbable.
Dave Cawley: The way you increase the amount of time it takes is by using a long, strong password. Josh did provide police a password for one of his computers in 2011. It consisted of his birth date, his full name, his social security number, his user account name and a string of what appear to be random letters and numbers. It’s 59 characters, including upper and lower case letters, numbers, as well as hyphens, slashes and parentheses.
Rob Burton: However many characters long it may be exponentially increases the complexity and the length that it takes.
Dave Cawley: West Valley police were sifting through the first round of digital data seized from the Sarah Circle house in the days after Susan disappeared when, in March of 2010, Josh Powell’s attorney Scott Williams sent them an email. Williams asked for the return of Josh’s computers and hard drives.
The sergeant in charge of West Valley’s major crimes unit told Williams that wasn’t going to happen. But the sergeant said if Josh had a particular file in mind, detectives could try to find it for him. That would go easier, he added, if Josh would cough up his password.
Josh claimed he could not remember the password. In spite of that, he emailed over his file wishlist a few days later. At the top were his family photos. Here’s what he wrote in his email.
Eric Openshaw (as Josh Powell from April 5, 2010 email to Scott Williams): On the white hard drive, most of it will be in a folder called “photos” or “photos and videos” or similar naming. If possible, please send all photos, audio, and video files you can find. There will be some hundreds of gigabytes in total.
Dave Cawley: The “white hard drive” he’s talking about is the encrypted My Book World drive.
Eric Openshaw (as Josh Powell from April 5, 2010 email to Scott Williams): Everything that can be released from the white Western Digital drive would be greatly appreciated.
Dave Cawley: Josh called the photos and videos “unreplaceable,” even though he already had copies of them safe and sound in Washington. Is it possible then, that this request to police was just a ruse? A way of finding out if they’d managed to break into his encrypted archive?
A bit earlier, I described how I compared the ViceVersaPro database to the digital evidence seized by police in 2011 and discovered they lined up. But there were a few conspicuous omissions from the 2011 data. Files with names like “Gmail email account info” and “encryption instructions” were missing. This suggests that at some point after Susan’s disappearance, Josh performed an audit of his own files and deleted anything that might give away his passwords.
In a more curious omission, Josh appeared to have deleted any file that showed he once owned a set of Ridgid-brand power tools. Paperwork for all of his other tools was still present, but not the Ridgid tools. It’s not clear why he did that.
Back to that email Josh sent police. He told them he also wanted a complete copy of his work-issued laptop.
Eric Openshaw (as Josh Powell from April 5, 2010 email to Scott Williams): And if possible, please find the image that is displayed on the desktop and include it. Or just photograph the computer with the desktop picture showing to try as a memory aid.
Dave Cawley: A memory aid. To what, remember his password?
Kaly Richmond, a member of the digital forensics team at Eide Bailly, recovered Josh’s desktop at Cold’s request. The photo was not what I expected. It’s just a stock image of a chameleon. Whatever it might have meant to Josh, I can’t say. But I can say this: after all of this time spent analyzing the digital data and searching for clues, it’s clear Josh Powell was not some computer genius.
Trent Leavitt: He created some websites. There’s eight year olds that create websites and not, they’re not prodigies. Anyone can get a book and create a website. It’s just sitting down and going through the book.
Dave Cawley: Josh did have aptitude when it came to tech.
Rob Burton: He wasn’t really the smartest but he certainly utilized whatever was available at the time.
Dave Cawley: He could run a database, but cryptography was not his specialty. He was no hacker.
Trent Leavitt: There’s not that many true hackers in the world, from a percentage standpoint. But if you work in technology, people think you’re a hacker and it’s just not the case.
Dave Cawley: TrueCrypt, the program Josh used to encrypt the My Book World hard drive, was available for free on the internet in 2009.
Rob Burton: You didn’t have to be the smartest or the most technical savvy. You could just download it and use it.
Dave Cawley: TrueCrypt is just as strong today as it was a decade ago. There’s no simple shortcut or backdoor to discovering Josh’s password.
Richard Hickman: Just because the resources and technology are a little bit better today doesn’t change the fact that that encryption, in the first place, was top notch and that it’s still going to take that many permutations to get through it.
Dave Cawley: Even if investigators some day make it into the drive, they will have to contend with the fact that ViceVersaPro, the program Josh used to back up files to the My Book World drive, also applied its own layer of encryption.
Rob Burton: You hook it up to your home router. You back up several computers. Josh was very meticulous, it sounds like, in doing that.
Dave Cawley: This is how digital forensics works. It’s a constant process of coming up against hurdles and finding ways to overcome them. Some solutions are technical. Some are rooted in human nature.
Trent Leavitt: I don’t care who you are, decryption’s not easy.
Dave Cawley: Or fast. And at this point, with Josh, Michael and Steve Powell all dead, there’s no expectation on the part of law enforcement that decrypting the My Book World drive will lead to anyone being held accountable for what happened to Susan. But there is hope that some small clue might lead police to Susan’s body.
Trent Leavitt: If it were my daughter, I’d go to the ends of the earth, just like, uh, the Cox family has done for years now, to make sure I’ve exhausted every avenue possible, if that were my daughter.
Dave Cawley: That is why this effort continues.
Trent Leavitt: Everything that we’ve done on this, everyone that’s participated in helping this, no one’s been compensated for it, at all. It’s just to try and help the Cox family as much as possible, in any way that we can.
Dave Cawley: Trent Leavitt and Kaly Richmond at Eide Bailly, along with Richard Hickman, Mike Johnson and the rest of their old Decipher Forensics team, are still brainstorming new approaches.
Richard Hickman: I would love to see someone else able to do it. If they know a hacker out there that knows how to get into TrueCrypt, I’d love an introduction.
Dave Cawley: And Rob Burton, now part of the effort, is providing his time and insight to Project Sunlight.
Rob Burton: I as a corporate investigator, I’ve got a little extra time on my hands. I’m not constrained by international terrorist cases or, or other criminal cases that tie up law enforcement resources. And so I have a little extra time that I can devote to this. I, I think it’s worth it and I want to continue and I want to just throw additional resources at it. And as technology improves, software gets better, hardware gets better, I think that we’ll get there eventually. And it’s definitely worth the effort and worth trying. We gotta do what we can.