THE FAXED LETTER WAS SIMPLE and straightforward. With the Pennsylvania state seal at the top and Gov. Tom Ridge's signature at the bottom, it told the county jail in Ft. Myers, Fla., that Pennsylvania was giving up on trying to extradite a parole-jumping thief named Gregory Allen Williamson. Release him, the letter said. The jailers complied. Three days later, the jail's fax machine delivered another letter. It bore the Florida seal, Gov. Lawton Chiles's signature and an immediate pardon for Williamson's cellmate.
This time, no dice. Suspicious police busted the would-be escapee as soon as he exited the lockup. He led them to Williamson, to a suspected accomplice on the outside and to an Apple Powerbook. A few weeks later Special Agent Jeffrey Herig of Florida's state police powered up the Apple in his computer-evidence recovery lab. He popped in a seized disk, found a file called "Letter," opened it and voila: the Pennsylvania seal and Williamson's "release order." Another computer was ratting on its owner (who has pleaded not guilty and is awaiting trial). "This," Herig says, "is the crime scene of the '90s."
Herig's job is to cruise these hard-drive scenes for evidence. Generally, he does so without leaving the Tallahassee, Fla., lab he founded because he's rarely got time for "meat space," cybertalk for what other cops call the field. But Herig isn't fighting a new breed of supersophisticated cybercrook. While headlines trumpet the exploits of hackers who crack bank systems, day-to-day life is less exciting. Like the programs they use, most computer criminals come off the shelf. Last year Herig's 99 cases included 20 child-pornography investigations, along with car-theft and drug incidents. Half of his cases involve fraud. One Medicaid swindler pleaded guilty in April to uploading hundreds of phony claims, pocketing more than $200,000 in five months. Says prosecutor Gina Smith, who handled that case, "You can steal a lot more with a computer than with a gun."
Criminals figured that out before cops did. Even now Herig has no more than 200 colleagues nationwide - federal, state and local. "We all know each other by our first names," one says. The latest buzz among them centers on the counterfeiting of driver's licenses, school transcripts and price stickers. Using the new generation of scanners, it's easy to turn out an exact copy of virtually any image right down to a bar code that will send all the right signals to a code reader. Herig is now helping investigate an ingenious, scanner-assisted scheme to alter antitheft bar codes printed on vinyl stickers affixed to various auto parts. Police in Lakeland, Fla., grabbed a computer on which Herig found forgeries so precise, says state police spokesman Rick Morera, that "they look as if they came from the factory."
Computers tell more about their users than anyone - lawbreaker or solid citizen - realizes. Herig routinely recovers deleted files. He also uses a common, little-known app that records a user's Internet activity. One program - XLPASS, whose maker sells only to law enforcement - gets him through password-protection features embedded in operating systems and some software (it's useless against Pretty Good Privacy and Norton's Your Eyes Only).
Yet Herig's training and tools are sometimes no more powerful than cop intuition. State police in Orlando, Fla., were stumped by a Sharp Wizard they took from an accused methamphetamine dealer and motorcycle buff. Finally, recalls agent supervisor David Donaway, "I typed in 'Harley,' and we were in. The suspect's entire drug organization and all the dope he had sold was in there."
In another case, a Casio organizer that belonged to a drug-gang member who was killed in 1994 sat in a Lake County Sheriff's Department evidence room for more than two years before a state policeman ran across it and sent it on to Herig. He passed it along to an FBI unit specializing in decrypting organizers. The names and phone numbers that popped up helped convict four men in a federal drug-conspiracy trial in Orlando. They may also serve as evidence if police bring a murder charge.
The scenario is becoming increasingly common. With computers getting more user-friendly, criminals - like everyone else - have gotten used to storing more and more data. In the absence of court rulings, Herig and his colleagues have developed their own standards for seizing that data: don't scan a seized hard drive itself but a "mirror" copy, to avoid suspicion of tampering, and prohibit untrained personnel from so much as switching on a seized computer and perhaps destroying data. Does this still leave a defense lawyer room to challenge evidence dug up in the computer lab? Yes. Herig is one of the few cops who actually wants judges to lay down some rules. That's how confident he is in the evidence he downloads.