Following the Cyber Trail Down the Rabbit Hole: A Case from Start to Finish

Julissa Brisman was a New York University college student who supplemented her income as a masseuse and advertised her services in the erotic services section of Craigslist, an online classified ad portal. Her ad was put up in the Boston edition by her friend and business partner, Beth in Denver, who collected the fees and paid her through internet banking. It was a cyber business, seemingly safe from money worries and conventional marketing challenges.

Julissa took the train from New York to Boston on April 14th to ply her trade. She was popular, her ad was effective, and she had six customers on her first day and five more the next day. Her sixth and final customer, “Andy M,” arrived a bit before 10pm. When he left at 10:06, Julissa’s bloody body fell out into the hall of the hotel room. She had been robbed, beaten and shot three times, with the final fatal bullet piercing her heart.


Fast response, but not fast enough.

Within minutes, police arrived, but it was too late to save her — or to catch her killer. They immediately went to hotel security and pulled the surveillance video, where they discovered a tall white man in a black leather coat entering and leaving the elevator and the hotel lobby at the appropriate times. He was texting.

Inside the hotel room, the CSI found blood, bullet casings, duct tape across the victim’s mouth with a fingerprint, and the victim’s cell phone. They found that her customer had called about the appointment, but he had called her phone using an untraceable burner cell phone.

One of the detectives had been investigating a similar robbery a few days before at a hotel across the street. The surveillance video from that incident showed the same perpetrator, dressed the same way, who was also texting as he crossed the hotel lobby. The phone he used in that transaction turned out to be a different burner.


A digital fingerprint:

Cell tower phone records linked the two burner phones. Meanwhile, the detectives started looking at the email address that had been used to make the reservation for Julissa’s massage appointment. When they contacted Microsoft, they learned that the email address had been opened a few minutes before the reservation was made and used only for that transaction. In response to a proper request for information about a criminal investigation made under the Stored Communications Act, Microsoft provided an IP address: the internet address of the computer that had sent the email. This narrowed the search to an area in Quincy, Massachusetts, but not quite enough to pinpoint the exact computer.


Following the digital bread crumbs.

Two days later, another attack on a Craigslist escort was made 45 minutes away in Warwick, Rhode Island. A third burner phone had been used and surveillance video showed the same man. The cell tower tracking information grew, and contact with this victim came from the same IP address.

Microsoft could provide the IP address, but only the ISP (Internet Service Provider), in this case Comcast, could link it to records that would identify the subscriber, and Comcast had not responded to the subpoena sent on the 15th. Investigators took a proactive approach and contacted the ISP directly. Comcast told the police that they could only turn around the request in two weeks unless they had an emergency court order. Within hours, the court order was provided and minutes later, the name of Philip Markoff, an address in Quincy and more details were in the hands of the relentless detectives.


A face, a name and a digital trail.

The investigation heated up. With instructions from Facebook for law enforcement agencies, the police prepared a California subpoena (since the social media giant makes its headquarters in California) and the company provided print copies of all pictures, personal information, the latitude and longitude of where each post had been made, and even his friends’ private information.

Now that they had identified their prime suspect, they began online and physical surveillance — even following him into a grocery store and taking fingerprints from everything he touched, including his shopping cart. Ultimately, his prints (which were not in the system) matched one from the duct tape used to bind Julissa.

Meanwhile, a digital still-frame portrait from the surveillance video was taken down to show the third victim, who, visibly shaken, stated that she was “one million percent sure” that the man in the photo — Philip Markoff — was her assailant.

With probable cause, Markoff and his fiancée were pulled over while driving and taken in for questioning. Markoff toyed with the detectives and did not incriminate himself. He thought he was pretty smart. Still, with a positive identification by the third victim, Markoff was arrested for kidnapping and assault. A search of his house revealed: a hidden stash of bullets taped to the back of the dryer; the gun used to kill Julissa; the distinctive black jacket worn in all of the videos hidden between the mattress; shoes with Julissa’s blood on them in his closet; and a host of other damning evidence. Murder charges were added to the long list accumulating against the medical student who would never save a life as a doctor.

The entire investigation was completed in 5 days. The speed with which the investigators were able to move was due to the clues left in the digital realm, and their expertise in gathering and understanding those clues.

The critical clue was in the arrogant ten-digit email address: “A Medical Doctor Philip Markoff”.


Your Turn: Have you heard any more information about the so-called Craigslist Killer case? Are there any other similar investigations that relied heavily on cyber forensic evidence? We’d love to hear from you. Leave us a comment.




  • Sue Coletta says:

    Oh, yeah. The Craigslist Killer was big news. But I didn’t realize he was caught with cyber forensics. Fascinating. BTW, is that the correct term? Cyber forensics rather than computer forensics?

    • The Forensic Outreach Team says:

      Hi Sue —

      Computer forensics is probably the more academic term for the discipline, where cyber forensics is a bit less formal. They do mean the same thing, though! Hope this helps.
