For the U.S. government, the raid on Osama bin Laden’s compound in Pakistan represents a unique opportunity to test advanced computer forensics techniques called “media exploitation” that it’s developed over the last few years.
The military’s acronym for the process is DOMEX, which one Army team in Iraq cheekily sums up with this motto: “You check their pulse, we’ll check their pockets.”
The electronic gear hauled away by an assault team of Navy SEALs reportedly included five computers, 10 hard drives, and scores of removable media including USB sticks and DVDs. Some reports say the forensic analysis is taking place at the CIA’s headquarters in Langley, Va., while others have placed it at a “secret location in Afghanistan.”
While the U.S. government isn’t exactly volunteering what’s happening now, the Army has confirmed in the past that it provides “tactical DOMEX teams” to troops in Afghanistan. And a Defense Department directive (PDF) from January 2011 says the National Media Exploitation Center, or NMEC, will be the “central DoD clearinghouse for processing DoD-collected documents and media,” a category that would include the bin Laden files.
Like the National Security Agency in the 1970s, the NMEC isn’t a very visible organization. It doesn’t have a public Web site. It’s intentionally low-profile, and it prefers to stay that way.
The NMEC falls under the director of National Intelligence and is responsible for “the rapid collection, processing, exploitation, dissemination, and sharing of all acquired and seized media,” including forensic analysis, translation, and dissemination.
After NMEC obtained the bin Laden files, which could have happened within hours of the raid, they would have been uploaded to its HARMONY database, which is intended to be the master repository for “documents and media captured or collected to support the global war on terrorism.” West Point’s Combating Terrorism Center has used al Qaeda documents, extracted from HARMONY and declassified, to analyze why the group failed in Iraq.
An initial forensic analysis of bin Laden’s hard drives will likely be done with keyword searches in Arabic and English. “You can get thousands of hits,” Mark McLaughlin, president of Santa Monica, Calif.-based Computer Forensics International, told CNET. “Those hits need to be looked at individually, and in context,” he said, which can take a while.
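The keyword-search step McLaughlin describes is less trivial than it sounds when the corpus mixes Arabic and English: diacritics, hamza-carrying alef variants and letter case all defeat a naive substring match, and a hit is only useful with its surrounding context. The following keyword-in-context (KWIC) search is an added example, not code from the article or from any forensics product; the documents, file names and keywords are constructed for illustration, and context is shown from the normalized text.

```python
"""Keyword-in-context search over seized-media text with Arabic and English
normalisation, so spelling variants still produce hits (added example)."""
import re
import unicodedata

# Arabic combining marks (fatha, kasra, damma, tanwin, shadda, sukun) occupy
# U+064B..U+0652; U+0640 is the tatweel stretch character. Both are dropped.
_ARABIC_MARKS = re.compile(r"[\u064B-\u0652\u0640]")
# Hamza-carrying alef forms that writers use interchangeably, folded to bare alef.
_ALEF_VARIANTS = str.maketrans({"\u0623": "\u0627", "\u0625": "\u0627", "\u0622": "\u0627"})

# Constructed sample corpus (not real seized material). The second document
# spells "airport" with fatha marks (U+064E) that a raw substring match misses.
DOCUMENTS = {
    "notes1.txt": "Meeting at the Airport on Tuesday. Bring the flight schedule.",
    "notes2.txt": "سيصل أحمد إلى الم\u064Eط\u064Eار يوم الثلاثاء",
    "notes3.txt": "Nothing relevant here.",
}


def normalize(text: str) -> str:
    """Compatibility-normalize, strip Arabic marks, unify alef, fold case."""
    text = unicodedata.normalize("NFKC", text)
    text = _ARABIC_MARKS.sub("", text)
    text = text.translate(_ALEF_VARIANTS)
    return text.casefold()


def kwic(documents: dict, keywords: list, width: int = 20) -> list:
    """Return one record per hit: file, keyword, offset in the normalized
    text, and `width` characters of context on either side."""
    hits = []
    for name, text in documents.items():
        ntext = normalize(text)
        for key in keywords:
            nkey = normalize(key)
            for m in re.finditer(re.escape(nkey), ntext):
                start = max(0, m.start() - width)
                end = min(len(ntext), m.end() + width)
                hits.append({"file": name, "keyword": key,
                             "offset": m.start(), "context": ntext[start:end]})
    return hits


def hit_counts(documents: dict, keywords: list) -> dict:
    """Hits per file, the first triage number an examiner looks at."""
    counts = {}
    for h in kwic(documents, keywords):
        counts[h["file"]] = counts.get(h["file"], 0) + 1
    return counts


if __name__ == "__main__":
    terms = ["airport", "flight", "مطار", "احمد"]
    for h in kwic(DOCUMENTS, terms):
        print(f"{h['file']}:{h['offset']} [{h['keyword']}] ...{h['context']}...")
    print(hit_counts(DOCUMENTS, terms))
```

The normalization is applied to both the keyword and the document, so an examiner typing a bare-alef or unvowelled spelling still finds the vowelled form on disk; the offset reported is into the normalized text, which is why the context is taken from the same string.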
U.S. officials are calling the data a potential treasure trove of information on al Qaeda’s current and planned operations, perhaps the most important since 9/11. They’re hoping it could yield hints about the whereabouts of Ayman al-Zawahiri, bin Laden’s chief lieutenant.
Denis McDonough, the deputy national security advisor, has said the electronic haul is “probably going to be impressive,” and White House counterterrorism advisor John Brennan told CBS’ Early Show that “what we’re trying to do now is to understand what he has been involved in over the past several years (and) exploit whatever information we were able to get at the compound.” (CBS News is CNET’s sister news organization.)
While government officials aren’t exactly sharing details about their approach, McLaughlin believes that they’ll be using Guidance Software’s EnCase utility, arguably the market leader in forensics analysis. “They’re making copies of all the evidence,” he says. “Then they’ll parcel out the work to the different examiners. You’ll undelete everything you can. If there’s any encryption you have to deal with, you’ll handle it.”
Then, he says, it’s time to reconstruct what happened. “Were files created at the same time? Were they out there searching the Web at the same time? You can put these together and draw correlations.”
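The reconstruction McLaughlin outlines (were files created at the same time, was someone browsing at the same time) is a timeline-correlation problem: events from several artifact sources are merged on a single clock and clusters that span more than one source are surfaced for review. The script below is an added example, not code from the article or from EnCase; the event records, file paths, URLs and device serial are constructed, and the five-minute window is an assumed analyst setting.

```python
"""Cross-artifact timeline correlation (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed sample events: (UTC timestamp, artifact source, description).
# They mimic rows an examiner would export from a filesystem parser, a browser
# history parser and a USB-device registry parser.
EVENTS = [
    ("2011-04-20T14:02:10", "fs",  "created C:\\Users\\x\\Documents\\plan.docx"),
    ("2011-04-20T14:03:45", "web", "visited https://example.invalid/search?q=schedule"),
    ("2011-04-20T14:05:30", "fs",  "created C:\\Users\\x\\Downloads\\schedule.pdf"),
    ("2011-04-21T09:15:00", "fs",  "modified C:\\Users\\x\\Documents\\notes.txt"),
    ("2011-04-22T18:40:12", "web", "visited https://example.invalid/news"),
    ("2011-04-22T18:41:00", "usb", "USB device serial CONSTRUCTED-0001 connected"),
    ("2011-04-22T18:43:20", "fs",  "created E:\\backup\\plan.docx"),
]


def parse_events(rows):
    """Parse ISO timestamps and sort everything onto one timeline."""
    return sorted((datetime.fromisoformat(ts), src, desc) for ts, src, desc in rows)


def correlate(events, window=timedelta(minutes=5)):
    """Group events separated by no more than `window` from their predecessor,
    then keep only groups that involve more than one artifact source."""
    clusters, current = [], []
    for ev in events:
        if current and ev[0] - current[-1][0] > window:
            clusters.append(current)
            current = []
        current.append(ev)
    if current:
        clusters.append(current)
    return [c for c in clusters if len({src for _, src, _ in c}) > 1]


def summarize(clusters):
    """Reduce each cluster to the numbers a reviewer triages on."""
    return [{
        "start": c[0][0].isoformat(),
        "end": c[-1][0].isoformat(),
        "sources": sorted({src for _, src, _ in c}),
        "count": len(c),
    } for c in clusters]


if __name__ == "__main__":
    for s in summarize(correlate(parse_events(EVENTS))):
        print(f"{s['start']} .. {s['end']}  {s['count']} events  sources={s['sources']}")
```

The single-file modification on the second day never appears in the output: with only one source it supports no correlation, which is the point of the source-count filter. Shrinking the window is the usual way to tighten the result when the clusters become too large to read.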
Another forensics tool that might come in handy: Vound’s Intella software, which helps sort through reams of e-mail. It’s marketed to law enforcement as “searching email by keywords, or senders/recipients, easily viewing search results through cluster mapping, or quickly viewing email threads.” (Most reports say that bin Laden’s compound did not have Internet access, but the Washington Times reported he had a “dedicated fiber-optic cable used for point-to-point access to the Internet,” citing two U.S. officials who read after-action reports on the raid.)
A job description posted by MPRI, a division of defense contractor L-3, provides a few hints about what tools NMEC uses.
The NMEC support job, which requires a Top Secret security clearance, calls for “complete training in EnCase Forensic Software up through the EnCase Advanced training course or equivalent.” A bachelor’s degree in computer engineering is preferred. So is proficiency in “creating databases in MS Access and SQL.”
Captured Al Qaeda computers have yielded useful intelligence before. A 2007 Defense Department “summary of evidence” supporting the charges against Khalid Sheikh Mohammed reported that a hard drive seized during his capture contained information on the four airplanes hijacked on 9/11, including code names, airline company, flight number, target, pilot name and background information, and names of the hijackers.
Also on the seized computer gear, the summary says: three letters from bin Laden, spreadsheets outlining financial assistance to families of known al Qaeda members, the “operational procedures and training requirements” for an al Qaeda cell, and transcripts of chat sessions belonging to one of the hijackers.
Ramzi Yousef, the original World Trade Center bomber, saved plans to bomb American jumbo jets flying over the Pacific on encrypted files on his laptop computer. (The FBI was able to bypass the encryption; Yousef apparently didn’t use a high-security passphrase.)
But if whoever used the computer took the proper precautions, encryption could pose an obstacle, forensics specialists say. Well-designed encryption is now built into operating systems, including Apple’s FileVault and Microsoft’s BitLocker. PGP announced whole disk encryption for Windows in 2005; it’s also available for OS X.
To avoid having to perform brute-force attacks to guess the passphrase, the Secret Service has found that it’s better to seize a computer that’s still turned on with the encrypted volume mounted and the encryption key and passphrase still in memory. “Traditional forensics always said pull the plug,” U.S. Secret Service agent Stuart Van Buren said in February. “That’s changing. Because of encryption…we need to make sure we do not power the system down before we know what’s actually on it.”
A team of researchers including Princeton University computer scientists published a paper in February 2008 that describes how to bypass encryption products by gaining access to the contents of a computer’s RAM, through a mechanism as simple as booting a laptop over a network or from a USB drive, and then scanning for encryption keys.
U.S. law enforcement, at least, is now doing precisely that. “Our first step is grabbing the volatile memory,” Van Buren said. One forensics utility the Secret Service has used is Responder Pro, which allows the examination of volatile memory and is marketed as being able to unearth “chat sessions, registry keys, encryption keys, socket information and more.”
Of course, not all useful information is digital. Yesterday’s warning about train security from Homeland Security was triggered by files captured during the raid, but not electronic ones: the source was “a set of handwritten notes,”