‘Cold’: FBI, Secret Service failed to crack Josh Powell’s encryption
Jan 31, 2019, 11:00 AM
This still frame image from one of Steve Powell's home videos shows his oldest son, Josh Powell, sitting at his computer in 2003. Josh Powell's use of encryption on his personal files continues to frustrate police investigating the Dec. 7, 2009, disappearance of Josh Powell's wife, Susan Powell. (Caption: West Valley Police Department)
(Caption: West Valley Police Department)
Editor’s note: This is the 12th of a weekly series featuring highlights from a KSL investigative podcast series titled “Cold” that reports new information about the case of missing Utah woman Susan Powell.
WEST VALLEY CITY — An off-the-shelf computer hard drive seized from the basement office of Josh and Susan Powell’s home the day after her disappearance continues to frustrate police more than nine years later.
Warrants filed in the case as far back as Dec. 8, 2009, show police believe the drive could hold evidence related to Susan Powell’s disappearance the day before.
The Western Digital-brand “My Book World Edition” external drive, 1 terabyte in capacity, is locked with encryption. All efforts to crack that encryption have so far failed.
West Valley police suspect this Western Digital external hard drive seized from Josh and Susan Powell’s home on Dec. 8, 2009, might hold evidence related to Susan Powell’s unsolved disappearance. The drive was encrypted and has resisted all efforts to circumvent that encryption. (Photo: West Valley City, Utah police)
The first stop for that hard drive after police took it from the Powell home with a search warrant was the Intermountain West Regional Computer Forensics Laboratory in Salt Lake City.
FBI supervisory special agent Cheney Eng-Tow said the laboratory’s digital forensic experts worked with West Valley police detectives. They produced an exact copy of the drive, called a mirror. Then they attempted to extract information from the mirror using specialized software called a forensic tool kit.
That failed because the drive had been encrypted. Agents tried several methods of circumventing the encryption, from guessing potential passwords to attempting a “brute force” attack.
“You’re just trying combinations from the dictionary, combinations of letters, alpha-numeric characters, and so the longer that password is, the longer it’s going to be before you can break it,” Eng-Tow said.
While serving a search warrant at the South Hill, Wash., home of Steve Powell on Aug. 25, 2011, police looked for any writings that appeared to hold possible passwords. Those potential passwords were entered into Josh Powell’s encrypted digital media, in the hopes of getting past encryption. (Photo: West Valley City, Utah police)
Laboratory analysts also attempted more human approaches, such as using children’s names or birthdates.
“We do break encryption here on cases. Sometimes we’re successful doing it, other times we’re not,” Eng-Tow said. “FBI headquarters has a unit basically that can try and do that as well.”
FBI
On June 22, 2010, 3rd District Judge Robert Hilder signed a warrant allowing the forensics laboratory to send three encrypted devices, including the mirror of that Western Digital hard drive, to FBI headquarters in Quantico, Virginia.
West Valley police asked for court permission in 2010 to provide Josh Powell’s encrypted digital media to FBI headquarters in Quantico, Va. After more than a year, the FBI reported that it was unable to access the devices. (Photo: West Valley City, Utah police)
After more than a year, FBI headquarters returned the drives to Utah. The bureau had been unable to access them.
Case records show West Valley police also requested help from AccessData, the Utah-based software vendor that produced the forensic tool kit program used by the FBI, as well as the U.S. Secret Service.
The city submitted a mirror to the federal agency but in May 2011, the Secret Service reported that it was also unable to crack the encryption.
Decipher forensics
A secrecy order prevented police from discussing the case or their evidence until May 2013, when the Susan Powell case officially became “cold.” By that point, Josh Powell and his brother Michael Powell, who police suspected had knowledge of Susan Powell’s death, had both committed suicide.
In October of 2013, after a judge had lifted that secrecy order, Susan Powell’s father Chuck Cox suggested that police submit a mirror to a Utah company called Decipher Forensics. The lead detective on the Powell case, Ellis Maxwell, spoke with Trent Leavitt from Decipher the following month.
“I explained to Trent that Josh Powell admitted he used a 24 character password … when we seized further digital media,” Maxwell wrote in a later report. “At that time in 2011, Josh admitted and provided one password that was potentially 56 characters long.”
This still frame image from one of Steve Powell’s home videos shows his oldest son, Josh Powell, sitting at his computer in 2003. Josh Powell’s use of encryption on his personal files continues to frustrate police investigating the Dec. 7, 2009, disappearance of Josh Powell’s wife, Susan Powell. (Caption: West Valley Police Department)
Maxwell provided a mirror to Decipher Forensics in December of 2013. Four years later, Decipher had still not succeeded in cracking the drive. Police records revealed Decipher requested and received access to mirrors of all the other computer drives seized from the Powell home in 2009, along with the FBI’s analysis and other case documents.
RELATED STORIES
At that time in 2017, investigators reminded Decipher staff they were prohibited from discussing their efforts under a non-disclosure agreement.
Case files also indicate that on Jan. 4, 2018, police provided yet another mirror of the encrypted drive to a computer systems security expert with Intermountain Healthcare. An IHC spokesman said that employee volunteered his expertise as a private individual and the device in question never entered an Intermountain facility.
Complex password
The most simple solution would have been for Josh Powell to voluntarily provide his password to police. They requested he do so multiple times, but he frequently claimed to have forgotten it.
Because the entire volume is encrypted, there’s no way to know how much data it actually holds or if any of its contents are relevant to the case. Many of Susan Powell’s friends and family members suspect the drive might be the last, best chance of learning what happened to her.
“It’s good maybe to be optimistic like that, but in the end there could be nothing on it of value,” Eng-Tow said. “Is there something on there that is incriminating or not? You’ll never know until you actually get into it and see it.”
