
Examining bin Laden's computer

Published:Sunday | May 8, 2011 | 12:00 AM

Collin Greenland, Guest Columnist


After spending more than half a trillion dollars on the fight against terror since 9/11, the US's recent termination (with extreme prejudice) of bin Laden at his Abbottabad hideout will no doubt be the hottest topic for some time to come. Much has been said about what effect this successful special operation by the elite US Navy SEALs will have on the overall operation and survival of the infamous al-Qaida.


The confiscation of bin Laden's computer and other data-storage devices, however, may prove even more instrumental in dismantling al-Qaida than the leader's death since, according to media houses like ABC, the hard drives and discs seized by the special forces could provide a 'treasure trove' of vital information leading to other members of bin Laden's terror network.

Already, news reports have revealed that a cursory look through the data indicates the al-Qaida leader had a more involved role in operational terror plots, including sketchy plans for a railway attack.

This 'mother lode of intelligence' that US officials are hoping the seized equipment will yield could be even more revealing than the computer seized by CIA and Pakistani intelligence agents in 2003 when they captured Khalid Sheikh Mohammed. According to Wall Street Journal writer Arik Hesseldahl, Mohammed's hard drive at the time allegedly contained, among other things, "three letters from Osama bin Laden, a list of safe houses that bin Laden had used, a pilot's licence belonging to 9/11 hijacker Mohamed Atta and information about the four planes hijacked that horrible day". Similarly, in 2005, after alleged terrorist Abu Musab al-Zarqawi eluded capture in Iraq, US forces still managed to recover his computer, which yielded financial information and recent photographs that facilitated his eventual killing in 2006.

The information secured from terrorists' computers, therefore, has historically proven to be as important as actually killing them. Clearly, although the intelligence fraternity will be salivating at the "impressive" amount of information that CIA Director Leon Panetta said is being extracted by hundreds of analysts in Pakistan, billions worldwide are also asking the same question: can you imagine what is on Osama bin Laden's hard drive? And how will they examine bin Laden's computer?

Smoking-gun evidence

Since the information extracted from bin Laden's computer may provide the smoking-gun evidence critical to the conviction of other terrorists if they are eventually captured and tried, one can assume that US officials will ensure that the 'chain of custody' of this evidence is preserved by using professional computer forensic techniques to examine and extract the data. Digital evidence, by its very nature, is fragile, and can be altered, damaged or destroyed by improper handling or examination. In the interest of time and space, a reasonable picture of the approach the examiners of bin Laden's computer will adopt can be had from the US Department of Justice's guide 'Electronic Crime Scene Investigation: A Guide for First Responders' (http://www.ojp.usdoj.gov/nij/pubs-sum/187736.htm).

Although the forensic investigators may be drawn from a cross section of US investigative and law-enforcement agencies, I suspect that the FBI's great expertise and experience in these matters will see it playing a lead role. Typically, they will follow a standard set of procedures: physically isolating the computer in question to make sure it cannot be accidentally contaminated; making a digital copy of the hard drive and computing a cryptographic hash of both the original and the copy so that the two can be shown to be identical; locking the original hard drive in a safe or other secure storage facility to maintain its pristine condition; conducting all investigation on the digital copy; and, at all times, ensuring forensic best practices are followed in essential aspects such as chain of custody, imaging and hashing, validated tools, analysis, repeatability (quality assurance), and reporting, including possible expert presentation in court.

An important point to note is that the investigators of bin Laden's computer and other devices will be careful to create a 'forensic copy' of the hard drive in order to conduct an effective 'forensic examination'. A forensic copy is an exact bit-by-bit copy of the entire physical storage medium, including all active and residual data and the unallocated space on the medium. This is also sometimes called an 'image copy' or 'mirror image'. A forensic copy allows a 'forensic exam' of the copy, as forensic investigators do not, or should not, search the original, because the act of searching it would in itself change it; in practice the original is connected through a hardware write-blocker even for the imaging step. (This is sometimes informally called the Heisenberg principle of computer forensics: looking at the evidence can alter it.) This 'forensic examination' will mean that all of the information on bin Laden's hard drive is carefully probed and searched, especially any deliberately hidden information, deleted files, residual data, unallocated space, corrupted files and encrypted files. Knowing the forensic toolkit available to the FBI in particular, everything that is scientifically possible to restore and search will be searched. The information recovered will be interrogated with advanced forensic data-mining techniques which may, for example, allow US officials to mine large amounts of metadata from al-Qaida communications and documents to discover previously unknown, action-oriented trends, patterns and complex relationships.
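The imaging, hashing and unallocated-space search described in the two paragraphs above, as an added illustration that is not from the column or from any agency's own tooling. The four-sector 'drive', its one-line allocation table, the file contents and the custody record are all constructed for the example; real media have real file systems, and real examiners image through a write-blocker with validated tools.

```python
"""
Added example (not from the original column): a toy model of the
imaging-and-hashing step and of searching unallocated space on the copy.
The medium, its allocation table and its contents are constructed here.
"""
import hashlib

SECTOR = 512  # sector size assumed for the constructed medium


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_constructed_drive() -> bytes:
    """Constructed sample medium. Sector 0 is a toy allocation table naming
    the sectors that hold live files; a sector not listed is 'unallocated'
    but may still hold residual data from a deleted file."""
    table = b"ALLOC:1\n".ljust(SECTOR, b"\x00")  # only sector 1 is live
    live = b"letter: courier leaves on Tuesday\n".ljust(SECTOR, b"\x00")
    deleted = b"draft: railway timetable notes\n".ljust(SECTOR, b"\x00")  # entry removed, bytes remain
    blank = b"\x00" * SECTOR
    return table + live + deleted + blank


def image_drive(original: bytes) -> tuple[bytes, dict]:
    """Bit-for-bit copy of the whole medium (every byte, allocated or not).
    The original is hashed before and after, and the copy once, so the
    examiner can show the image equals the untouched original."""
    before = sha256_hex(original)
    image = bytes(original)
    after = sha256_hex(original)
    return image, {"original_before": before, "original_after": after,
                   "image": sha256_hex(image)}


def verify_image(hashes: dict) -> bool:
    """All three digests must agree: imaging did not alter the original,
    and the image is identical to it."""
    return hashes["original_before"] == hashes["original_after"] == hashes["image"]


def image_still_intact(image: bytes, hashes: dict) -> bool:
    """Re-hash the working copy at any later point; a mismatch means the
    evidence was altered or the wrong copy is being examined."""
    return sha256_hex(image) == hashes["image"]


def allocated_sectors(image: bytes) -> set[int]:
    """Parse the toy allocation table in sector 0."""
    table = image[:SECTOR].rstrip(b"\x00").decode()
    if not table.startswith("ALLOC:"):
        raise ValueError("not a constructed-drive image")
    return {int(n.strip()) for n in table[len("ALLOC:"):].split(",") if n.strip()}


def search_sectors(image: bytes, keyword: bytes, unallocated_only: bool = False) -> list[int]:
    """Keyword search over the image, optionally limited to unallocated
    sectors, which is where deleted files and other residual data live."""
    live = allocated_sectors(image)
    hits = []
    for i in range(1, len(image) // SECTOR):
        if unallocated_only and i in live:
            continue
        if keyword in image[i * SECTOR:(i + 1) * SECTOR]:
            hits.append(i)
    return hits


if __name__ == "__main__":
    drive = build_constructed_drive()
    image, hashes = image_drive(drive)
    # Constructed custody record: who did what, and the digest that proves the copy.
    custody_log = [("examiner-1", "imaged original; hashes verified", hashes["image"])]
    print("image verified:", verify_image(hashes))
    print("'railway' in unallocated sectors:", search_sectors(image, b"railway", unallocated_only=True))
    print("'courier' anywhere on the image:", search_sectors(image, b"courier"))
    print("custody log:", custody_log)
```

The search only ever touches `image`; the `drive` bytes stand in for the original that goes into the safe. The deleted draft is found only because the copy included the unallocated sector, which a plain file-level copy would have skipped.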

While analysing, the investigators will take special note of all suspicious compressed or 'zip' files found on the copy of bin Laden's hard drive. Any compressed or other file found protected by a password may be cracked by traditional 'brute force' (that is, trying every combination of upper- and lower-case letters, special characters and numbers, which is practical only for short passwords because the number of combinations grows exponentially with length), or by a dictionary attack using a wordlist built from common al-Qaida/bin Laden-related words, past data and other likely variations. Quite likely, however, other more modern password crackers are at the disposal of US officials. Although it is said that bin Laden avoided the Internet, records of any websites he may have visited will be reviewed by examining his Internet browser 'cache', 'history' and 'cookie' files. Although the myriad forensic software packages now on the market make it difficult to predict which are being used, a suite such as EnCase, a favourite of forensic accountants, is quite likely among them.
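The two candidate-generation strategies named above (a wordlist with mangling rules, and exhaustive brute force over a character set), as an added example that is not from the column or from any cracking tool it mentions. The password check is a stand-in built on PBKDF2-HMAC-SHA256 with a constructed salt; the wordlist, the year range and the passwords are invented for the example.

```python
"""
Added example (not from the original column): dictionary and brute-force
guessing against a constructed password record. The record stands in for
whatever key-derivation a protected archive actually uses.
"""
import hashlib
import hmac
import itertools
import os
import string
from typing import Iterable, Iterator, Optional


def derive(password: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def protect(password: str, iterations: int = 1000) -> dict:
    """Stand-in for an archive's password check: keeps only the salt,
    iteration count and derived key, never the password itself."""
    salt = os.urandom(16)  # constructed salt
    return {"salt": salt, "iterations": iterations,
            "key": derive(password.encode(), salt, iterations)}


def check(candidate: bytes, record: dict) -> bool:
    derived = derive(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["key"])


def dictionary_candidates(words: Iterable[str],
                          years: Iterable[int] = range(1998, 2012)) -> Iterator[bytes]:
    """Wordlist attack with simple mangling rules: each base word in lower,
    capitalised and upper form, bare and with a year or a two-digit number
    appended. The rule set here is illustrative."""
    years = list(years)
    for word in words:
        for base in dict.fromkeys([word.lower(), word.capitalize(), word.upper()]):
            yield base.encode()
            for year in years:
                yield f"{base}{year}".encode()
            for n in range(100):
                yield f"{base}{n}".encode()


def brute_force_candidates(charset: str, max_len: int) -> Iterator[bytes]:
    """Every string over charset up to max_len. The count grows as
    len(charset) ** length, so this is only practical for short passwords."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            yield "".join(combo).encode()


def crack(record: dict, candidates: Iterable[bytes]) -> tuple[Optional[str], int]:
    """Try candidates in order; return the recovered password (or None)
    and the number of attempts made."""
    attempts = 0
    for candidate in candidates:
        attempts += 1
        if check(candidate, record):
            return candidate.decode(), attempts
    return None, attempts


if __name__ == "__main__":
    wordlist = ["abbottabad", "courier", "hideout"]  # constructed wordlist
    archive = protect("Abbottabad2011")
    print("dictionary:", crack(archive, dictionary_candidates(wordlist)))
    short = protect("x7q", iterations=10)
    charset = string.ascii_lowercase + string.digits
    print("brute force:", crack(short, brute_force_candidates(charset, 3)))
```

The dictionary run recovers a fourteen-character password in a few hundred attempts because it is a known word plus a predictable suffix; the brute-force run needs tens of thousands of attempts for three characters, and each extra character multiplies that by the charset size, which is why password-cracking effort goes into the wordlist and rules rather than raw enumeration.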

An important point that must not be missed, however, is that although the capture of bin Laden's computer now allows investigators to examine his information thoroughly, it was good old-fashioned knowledge of fraud techniques that initially led to his demise. As Hesseldahl pointed out, bin Laden's efforts to forgo the use of telephones and the Internet may have been a key clue that helped bring his hiding place to the attention of intelligence analysts. By trying to make himself digitally scarce, bin Laden may have ironically raised a red flag.

Maybe there is a lesson here for us in Jamaica. After the US spent half a trillion dollars since 9/11 on the fight against terror and the hunt for the world's most-wanted fugitive, it was simply the follow-up of red flags that led to bin Laden's final demise. How many red flags are we ignoring locally?

Collin Greenland is a forensic accountant. Email feedback to columns@gleanerjm.com and cgreeny.collin@gmail.com.