‘Cold’: FBI, Secret Service failed to crack Josh Powell’s encryption
Editor’s note: This is the 12th of a weekly series featuring highlights from a KSL investigative podcast series titled “Cold” that reports new information about the case of missing Utah woman Susan Powell.
WEST VALLEY CITY — An off-the-shelf computer hard drive seized from the basement office of Josh and Susan Powell’s home the day after her disappearance continues to frustrate police more than nine years later.
Warrants filed in the case as far back as Dec. 8, 2009, show police believe the drive could hold evidence related to Susan Powell’s disappearance the day before.
The Western Digital-brand “My Book World Edition” external drive, 1 terabyte in capacity, is locked with encryption. All efforts to crack that encryption have so far failed.
The first stop for that hard drive after police took it from the Powell home with a search warrant was the Intermountain West Regional Computer Forensics Laboratory in Salt Lake City.
FBI supervisory special agent Cheney Eng-Tow said the laboratory’s digital forensic experts worked with West Valley police detectives. They produced an exact copy of the drive, called a mirror. Then they attempted to extract information from the mirror using specialized software called a forensic tool kit.
That failed because the drive had been encrypted. Agents tried several methods of circumventing the encryption, from guessing potential passwords to attempting a “brute force” attack.
“You’re just trying combinations from the dictionary, combinations of letters, alpha-numeric characters, and so the longer that password is, the longer it’s going to be before you can break it,” Eng-Tow said.
Laboratory analysts also attempted more human approaches, such as using children’s names or birthdates.
“We do break encryption here on cases. Sometimes we’re successful doing it, other times we’re not,” Eng-Tow said. “FBI headquarters has a unit basically that can try and do that as well.”
On June 22, 2010, 3rd District Judge Robert Hilder signed a warrant allowing the forensics laboratory to send three encrypted devices, including the mirror of that Western Digital hard drive, to FBI headquarters in Quantico, Virginia.
After more than a year, FBI headquarters returned the drives to Utah. The bureau had been unable to access them.
Case records show West Valley police also requested help from AccessData, the Utah-based software vendor that produced the forensic tool kit program used by the FBI, as well as the U.S. Secret Service.
The city submitted a mirror to the federal agency but in May 2011, the Secret Service reported that it was also unable to crack the encryption.
A secrecy order prevented police from discussing the case or their evidence until May 2013, when the Susan Powell case officially became “cold.” By that point, Josh Powell and his brother Michael Powell, who police suspected had knowledge of Susan Powell’s death, had both committed suicide.
In October of 2013, after a judge had lifted that secrecy order, Susan Powell’s father Chuck Cox suggested that police submit a mirror to a Utah company called Decipher Forensics. The lead detective on the Powell case, Ellis Maxwell, spoke with Trent Leavitt from Decipher the following month.
“I explained to Trent that Josh Powell admitted he used a 24 character password … when we seized further digital media,” Maxwell wrote in a later report. “At that time in 2011, Josh admitted and provided one password that was potentially 56 characters long.”
Maxwell provided a mirror to Decipher Forensics in December of 2013. Four years later, Decipher had still not succeeded in cracking the drive. Police records revealed Decipher requested and received access to mirrors of all the other computer drives seized from the Powell home in 2009, along with the FBI’s analysis and other case documents.
At that time in 2017, investigators reminded Decipher staff they were prohibited from discussing their efforts under a non-disclosure agreement.
Case files also indicate that on Jan. 4, 2018, police provided yet another mirror of the encrypted drive to a computer systems security expert with Intermountain Healthcare. An IHC spokesman said that employee volunteered his expertise as a private individual and the device in question never entered an Intermountain facility.
The most simple solution would have been for Josh Powell to voluntarily provide his password to police. They requested he do so multiple times, but he frequently claimed to have forgotten it.
Because the entire volume is encrypted, there’s no way to know how much data it actually holds or if any of its contents are relevant to the case. Many of Susan Powell’s friends and family members suspect the drive might be the last, best chance of learning what happened to her.
“It’s good maybe to be optimistic like that, but in the end there could be nothing on it of value,” Eng-Tow said. “Is there something on there that is incriminating or not? You’ll never know until you actually get into it and see it.”