Forensics Casefile: Stopping the Craigslist Killer

On the night of April 14, 2009, Julissa Brisman showed up at a Boston hotel room, intending to give her new client a massage. The appointment had been set up through Craigslist. Upon arriving at the hotel room, however, Julissa’s client bound her, gagged her, robbed her, and then put bullets through her heart, her hip, and her lung.

This was the only murder committed by Philip Markoff, a man who would come to be known as the Craigslist Killer. But it wasn’t his only crime. Investigators soon connected Julissa’s murder to the armed robbery of an escort at another Boston hotel a few days prior. And just a few days later, they connected it yet again to an attempted robbery in a Rhode Island hotel. Investigators scanned through security footage from all three locations around the time of the crimes (which you can see for yourself, here).

From there, they identified what they believed to be the same man across all three: a young, tall, white male in a dark jacket and a baseball cap. But they still didn’t know who he was.

Many people in the student-rich city of Boston looked like Philip Markoff did: young, tall, and white. He was a 23-year-old medical student at Boston University, living with his fiancee, Megan McAllister, and subsisting purely off student loans. According to McAllister, he rarely left the house. To identify Markoff as the man in the surveillance footage—and thereby catch the Craigslist Killer—required the use of several forms of digital forensics.

Digital Forensics Leads Investigators to the Craigslist Killer

To start, the FBI pulled cell tower records near the scene of each crime for 15 minutes before and after each incident. They tried to find a single phone number that was active in each location around that time. This was and still is a controversial practice, one that’s raised alarm bells by the ACLU and the NY Times, among others. In the end, it proved to be a dead end: Markoff, it turned out, had used multiple disposable phones.

Going after the email address that the killer used to contact Julissa was more fruitful. It was a throwaway email account, but, after a subpoena, Microsoft handed over the IP address of the person who registered it. The ISP, Comcast, (again, after another subpoena) then handed over the name and physical address of the person with that IP address: Philip Markoff. That was a damning bit of evidence, but far from concrete enough to make an arrest and conviction; since Markoff used a wireless router, the IP address could’ve technically been used by another person in his apartment building.

Next on the subpoena spree was Facebook. In return, authorities got a 60-plus-page dossier on Markoff. This 60-plus-page document included a full view of Markoff’s profile: tagged photos, wall posts, friends list, and a complete history of his logins and the IP addresses associated with those logins. (Facebook now claims they wouldn’t give this level of detail anymore based on just a subpoena, and instead would require a search warrant.)

Armed with all the digital information they could ask for, investigators reverted to the tried-and-true methods of old-fashioned detective work. To start, they staked out Markoff’s apartment. When he left the house to go to the grocery store, they followed, and dusted things he touched—a grocery cart, for instance—for fingerprints. They compared these to the one good print they’d been able to lift off the scene of the Brisman murder. This one bit of traditional evidence was enough for investigators to close the net.

Two Interrogations Illuminate Two Different Eras of Investigation

Six days after the Julissa Brisman’s murder, Markoff and his fiancee were pulled over on their way to a casino in Connecticut. Both were hauled in for questioning. Their initial interviews (Markoff’s here and McAllister’s here) prove instructive, as they highlight two different eras of police work.

Markoff’s interrogation offers a glimpse at an old-fashioned form of investigative interviewing. It begins with a long, Kafka-esque exchange wherein Markoff repeatedly asks for a lawyer, and the detectives repeatedly deflect. The lead interrogator claims, over and over, that he’s got photos of someone who looks like Markoff at the hotels where the Craigslist Killer’s crimes were committed, and Markoff repeatedly claims he doesn’t remember whether he’s even been to a hotel in the last two weeks. The interrogator resorts to tough talk and profanity. It goes nowhere.

After Markoff makes over two dozen additional requests for a lawyer, the officers finally end the interview, having obtained no new information. If Markoff had then asked to be let go, the investigators would have had no choice but to oblige.

The interrogation of Markoff’s fiancee, Megan McAllister, appears to be from a different era entirely. Here, the investigators ask about what type of laptops are in Markoff and McAllister’s apartment, what type of phones they use, what type of WiFi or LAN setup they have, which websites they frequent. It’s a more truthful interrogation in practically every sense of the word, and it reveals what investigations today prioritize most: not eyewitness testimony, not hearsay, not conjecture, but IP addresses, email accounts, phone numbers, and wireless routers. The least productive part of this interrogation is when they ask McAllister to identify a man in grainy surveillance footage. Is it her fiance, Philip Markoff?

“Those are not his shoes,” McAllister says, pointing to a screen captured image of the suspect. “I monitor all his shoes.”

But the ones on Markoff’s feet at the time of his arrest would eventually be found to have traces of Brisman’s blood splattered on them. McAllister, who was completely oblivious to her fiance’s crimes, was blinded by her own perception of the man.

“I would never, ever, ever think he would ever do something like that, ever,” McAllister said. She’d maintain her fiance’s innocence for only a few weeks before disavowing him entirely.

Physical Evidence Seals the Case

Acting on a search warrant of Markoff’s apartment, investigators found a Springfield Armory XD9 semi-automatic handgun in a hollowed out copy of Gray’s Anatomy, and, taped to the back of a dryer, bullets matching the ones used to kill Brisman. They also found plastic ties (identical to those used to restrain the victims) and a laptop with a hard drive that held a record of Markoff’s Craigslist correspondence with Julissa.

Markoff was arraigned on April 21st on murder and gun charges. He pled not guilty. His motive for the crimes remains unclear: some suspect he’d chosen to rob workers in the sex-adjacent industry in order to cover some gambling debts, while others believe him to have simply sought a thrill.

In any case, it’s uncertain how much motive even matters in the 21st century; digital proof, in black and white, can make it superfluous. That digital evidence proved Markoff was guilty, but the trial never took place. Almost a year and a half after his arrest, Markoff made his fourth suicide attempt since being arrested—in this instance, using a makeshift scalpel fashioned out of a prison-issued pen—and this time, he was successful.

Meet the Expert: John W. Simek

John W. Simek is the vice president of Sensei Enterprises, a firm specializing in digital forensics, cybersecurity, and IT. He holds numerous professional certifications, including Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and Certified Handheld Examiner (CHE). Simek has co-authored several industry tomes as well, including The Electronic Evidence and Discovery Handbook, and as a contributing author to three editions of e-Discovery. Together with Sensei president Sharon D. Nelson, Simek hosts the Digital Detectives podcast on the Legal Talk Network.

The Future of Digital Forensics

The themes of the Craigslist Killer case reverberate to this day, and help illuminate the unique challenges and opportunities for digital forensics in the 21st century. This was a crime that was both enabled by and solved through the internet. Issues of privacy are woven throughout. After Markoff was caught, a majority of states began demanding greater access to website data for law enforcement agencies. Today, ISPs, email servers, and social networking sites continue to alter the limits of their data collection, and change their responses to subpoenas and search warrants.

“Privacy is becoming more important to people,” says John W. Simek, VP of Sensei Enterprises, a digital forensics and cybersecurity firm. “Companies are putting things in place to, one, protect user privacy, and, two, to be more transparent about the kind of requests they get and the type of data they turn over.”

One of the more difficult tasks of a digital forensics professional is staying current on what data is out there, and what platforms are being used. Craigslist removed its Erotic Services category for American customers in the aftermath of the Markoff case. Since then, the public has seen the rise and fall of dozens of other social media sites, web browsers, and messaging platforms, each with their own characteristics and methods.

“It’s always a moving target,” Simek says. “It’s very difficult for the forensic examiner to stay on top of all that stuff.”

Digital forensics has to keep up with more than the latest app. Changes in hardware and software have had massive implications. The introduction of solid state drives has led to a sharp dropoff in the amount of data collected from laptops. Things aren’t written to disk anymore, they aren’t saved. Today’s operating systems compound the issue.

“You didn’t have Windows 10 back then,” Simek says. “You didn’t have BitLocker built in automatically in the OS. In Windows XP, deleted didn’t mean deleted, but now things are actually getting overwritten much faster.”

Simek sees three important trends for the future:

• First is the shift to mobile analytics, which now accounts for 60 to 70 percent of the evidence Simek and Sensei analyze today.
• The second is the mass proliferation of video surveillance equipment, particularly from cloud-enabled home security devices like Ring.
• Third is that, as technology upgrades, so do criminals: crime itself is trending more towards digital.

“You don’t see many burglaries now, not in the traditional sense,” Simek says. “The bad guys are going digital. They’re sitting behind their computers, with their keyboards, using Amazon Web Services to make attacks.”

Digital forensics is not a static field of study. It requires both a strong foundational understanding and a long commitment to continued learning. In order to catch tomorrow’s killers and to protect the innocent, forensics experts will need to look for critical evidence in the places it’s now most likely to be found: a stray email address, a grainy clip of surveillance footage, a single incriminating IP address pulled from a list of countless others.