People of Colorado vs Rabes, Erik Dean
published: Thu, 20-Sep-2007 | updated: Thu, 20-Sep-2007
This morning as I walked out of the District Court in Colorado Springs, I took a huge breath of fresh air. The sun was shining, dazzling the people in front of the courthouse. It felt good to be out of the slighty cramped courtroom, and it felt damn good to be outside; a sense of freedom that Erik Rabes would never enjoy again. I doubt very much he'll ever be out of jail. I smiled.
My wife, the prosecutor who'd convicted him, smiled too. The case had been difficult in a technical sense, but extremely difficult in an emotional way for the family concerned. For, you see, Erik Rabes had sexually abused their 4 year old daughter.
Normally I don't get too involved in this kind of stuff, thank you very much. She has to, she's a Deputy District Attorney in the Special Victims Unit (SVU) for the El Paso County's District Attorney's office, the first such unit created in Colorado. As the name implies, the unit deals with crimes against special victims, that is, the young, the infirm, the elderly, and also prosecutes various sex crimes. She's also involved with the Colorado Springs Police Department's ICAC unit (Internet Crimes Against Children), having been trained by the National Center for Missing and Exploited Children. In short, she's in the front line for prosecuting some very nasty criminal cases indeed.
It was just about a year ago Donna started asking some very technical questions one Sunday afternoon as she prepared to defend a motion to dismiss the following day. "What's an MD5 hash?" was one of those questions, followed shortly by "What does it mean to say it's been broken?"
So I explained what hashes were, and in particular what an MD5 hash was and what "broken" meant with regard to it. In return she explained what was going on. It seems the defendant in this case had been trading child pornography (CP) using his AOL account. Finally AOL's systems, though their automated email checking servers, flagged one or more of Rabes' emails as containing CP. Nebraska State Patrol were notified.
I didn't know this but all large ISPs, including AOL, routinely check email attachments against known CP. In the US, it is illegal to own CP, let alone send it around to other people, and ISPs, by law, have to do these checks. They don't check the actual images of course, instead they calculate the MD5 hashes of the attachments and then cross-reference the calculated hashes against the hashes of known CP.
The National Center for Missing and Exploited Children in Virginia holds the database of CP for the US. They receive CP images from around the country, categorize them into "series" (that is, sequences of images of the same child or children), hash them, and then distribute the hashes to law enforcement and ISPs in order to perform these kinds of automated checks. The Center's librarians who do this must truly have the most awful jobs on the planet.
So when Nebraska State Patrol got the notice from AOL, they got a search warrant, nipped over smartish to the email holder's address, and they arrested Rabes and discovered miscellaneous computer equipment, including an external hard drive and several CD-ROMs. The State Patrol's forensic examiners then got the equipment and they analyzed it using a forensic tool called EnCase. (And that's a fascinating story in itself.)
Pretty quickly, the forensic examiners discovered that Rabes had over 30,000 images of CP on this external hard drive, backed up onto these CDs. Stop a moment and think about that for a moment. We've been taking photos now with a couple of digital cameras for a while, and I dare say we've taken, oh, I don't know, maybe 5 to 6,000 pictures with them. And Rabes had 5 to 6 times that number of pornographic photos involving children, some as young as 1 year old. I was aghast when Donna told me this.
Here comes the next most awful job on the planet: the forensic examiners started taking a look at those images that weren't known, that is, for which they didn't have hashes. Rabes was incredibly meticulous, he'd organized his huge collection by child and by activity (no, believe me you don't want to know, I don't either). He had series that the National Center didn't have or that were incomplete. And one of these unknown series of 32 images were of a small, pretty 4 year old girl. Not only that, but the pictures had the defendant in there with her. Yes, he'd put the camera on the timer and posed with the girl.
State Patrol contacted Rabes' wife, who identified the girl: a neighbor's daughter from when they lived in Colorado Springs (Rabes was a sergeant in the Air Force and moved regularly). The ICAC unit in CSPD were contacted, who then contacted the parents of this little girl. Stop and think about that also for a moment: the police phoning you wanting to talk to you about pictures of your prepubescent daughter. We don't have any kids, but we do have three nieces, and I can imagine what it must feel like. Simply put, it must be devastating. After a little while the DA's office got involved, and after a while, so did my wife. Rabes was charged with various charges involving the sexual abuse of a child.
Anyway, the motion to dismiss was implying that the photos had been doctored, by persons unidentified. EnCase, the forensic tool, copies a hard drive bit by bit and generates a whole slew of MD5 hashes along the way to show that the copy was exact and that it hadn't been altered, maliciously or inadvertently. The defense attorney's motion, in part, alleged that the copy had been altered, but in such a way that the MD5 hashes hadn't detected the change. Because, as the motion said, the MD5 hash has been broken and this can now obviously be done.
OK, I know my readers. You're all intelligent computer techie types. Your lower jaws collectively hit your desks in stupefied amazement. At the time, I think I just said WTF. Yes, they were intimating that the photos had been doctored, but doctored in such a way that the MD5 hashes before and after were exactly the same. I can still look at that sentence and shake my head in amazement. In essence, they wanted access to the original computer equipment.
Now, of course, the defense attorneys are non-technical, just like my wife. They'd hired a computer "expert" to help write this motion. And what an expert: the motion had other laughable things in it too, it was badly written, with some real technical howlers. I'll have to see if I can't get a copy of it.
So I explained about MD5 hashes, how they were calculated, and why, although MD5 had been broken in an academic environment where the researchers had complete latitude to select and fix the data to show the break, it didn't mean that suddenly you could take an arbitrary digital photograph and then alter it to produce a file with the same hash as before. I even pulled down my second edition Schneier from the bookshelf and showed her the algorithm.
She took the book with her the next day, just in case, but defeated the motion easily. Eventually, in June, after defeating several other defense motions, the trial started, and after four days of evidence, the jury deliberated for a grand total of 2 hours, and found Rabes guilty of everything. I helped throughout the whole process from that early Sunday afternoon onwards explaining the various technical things that came her way.
It was the first trial in Colorado involving ICAC. Up until that point ICAC defendants preferred to plea rather than go to trial, but for one reason and another Rabes decided to go to trial. It's his right, after all, but it meant that Donna prosecuted -- on her own, mind -- the first Colorado ICAC case. She couldn't rely on case law, there was none, but instead had to clear her own way.
Today was sentencing. The father of the little girl, who's now 10 or so and thankfully remembers nothing of what happened, made a completely unrehearsed and unscripted speech to the judge. I was beyond impressed; I don't think I could have done it. One or other or both parents had been at every court appearance, including the trial itself, two of the bravest and nicest people I've ever had the pleasure of meeting. And I kid you not about being brave: would you have been able to sit in court and listen as the police officer described each and every one of the 32 photographs so that they could be read into the record, and know that it was your daughter being described?
Rabes made a quiet plea for leniency, but the judge was having none of it. Rabes got 34 years to life for the charges, with 20 years of parole if he ever gets out. Furthermore, even if he got through that little lot, he would have to register as a sex offender for life. But Rabes is 47, he was convicted in a federal CP trading case and got 10 years for that (and today's sentence would start after that had run its course), and the pre-sentencing report warned that he was a high risk of recidivism. If he gets out from those two sentences he'll be in his 80s.
It seems Rabes is a popular criminal indeed. He's now off to Nebraska again for his military court-martial. Yes, everyone wants to put him away.
And I'm glad it's all over and I can stand outside a courthouse and enjoy the sun and know that a disgusting, vile human being will not be able to do just that, ever again.