All right, so the title is total link bait. The United States seized some number of computers and peripherals from the compound in Pakistan. Those materials will be evaluated and analyzed for intelligence purposes and perhaps used in planning future actions. Since the method of acquisition is not secret, there is little loss of future intelligence capacity from announcing the acquisition of the materials or from my analysis of the strategies. So, from a fairly high level, the following is an outline of what some of the ideas behind the acquisition and seizure processes, moving towards utilization, might look like.
Any forensic investigation is going to have some basic parts. You are likely going to decide to investigate, and at some point you will have a set of hypotheses that will determine what you are looking for and in what form. Few investigations are derived post facto from outside reasons. As an example, if you stumble down the street and find a murder victim, you are going to want to know who did it, how they did it, when they did it, and perhaps why they did it. These questions decide for you a mode of investigation.
Unfortunately we usually do not have enough evidence to solve a crime instantly. In other cases though there is a different model of investigation. Perhaps you have a known killer and you have evidence of how they did something and when they did it. You are no longer deriving a hypothesis about the crime. You are instead trying to ascertain who was involved in the previous crime and perhaps who is involved in future criminal enterprise. The scope of this latter investigation is much broader and deeper. It also is complicated by the inherent bias that the particular avenues of obtaining intelligence elements will provide. In the case of Usama Bin Laden he is dead so only the electronic and written record provides clues as to these questions.
Once we know what we are going to do we act upon those intentions. This may seem simple, but the planning of the seizure of evidence is not an easy task. Upon arriving we are going to photograph everything. The rooms, the details of machinery and how it is hooked up, and the software and hardware bundles as they sit are all photographed in detail. Everything gets taken that isn’t nailed down (and most that is, too). It is imperative that notepads and papers are taken. They can provide details or clues later on about passwords or the thinking processes used to create them. A neophyte may try to lighten their load by not taking peripherals, but a professional knows a few things about those peripherals.
Peripherals such as keyboards and mice contain buffers that may have data within them. Printer and scanner devices may have hard drives within them for caching print and scanning jobs. Some keyboards may contain macro or other executable code that acts as triggers on how hard drives are encrypted. There are also software programs that can be created to delete crypto keys to data if a particular device is not hooked up when booting or operating the computer system.
A special note applies when seizing equipment in hostile environments. Though forensic resistance is only starting to take shape in the national discussion of forensics, there are elements of sabotage that can occur before analysis has even begun. During the seizure process it is obvious that in particular scenarios explosives or other nasty surprises might be an issue. Brake cleaner is a fairly effective chemical destruction device; it will remove the hard drive material from the platter fairly quickly, and other chemicals may work better. These can be set on timers or servos, or have dead man switches. Whether or not you agree with the strategy of creating anti-forensic processes, the principle remains a threat to investigations.
Once the seizure of evidence has been accomplished and systems have been transported, it is important to ensure that they are not disturbed or destroyed in transit. Whether from hostile acts or accident, if you’ve gone to the trouble of gathering it all up you’d like to make sure it is around to look at.
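The transit concern above is usually handled with a hash manifest: every seized image is hashed at the scene and re-hashed on arrival, so anything lost, altered or added in between shows up. The following is an added example written for this post, not code from the original; the file names and contents are constructed stand-ins for real disk images.

```python
# Added example (not the post's own code): a chain-of-custody manifest for
# seized media. Hash everything at seizure, re-verify on arrival, and report
# anything missing, altered or unexpectedly added in transit.
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large disk images never sit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(evidence_dir):
    """Map every file under evidence_dir (relative path) to its SHA-256."""
    manifest = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, evidence_dir)] = sha256_file(full)
    return manifest


def verify_manifest(evidence_dir, manifest):
    """Compare the directory against a manifest taken at seizure time."""
    current = build_manifest(evidence_dir)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "modified": sorted(
            path for path in manifest
            if path in current and current[path] != manifest[path]
        ),
    }


def demo():
    """Constructed scenario: two small stand-in 'images' are seized, then one
    is corrupted and one lost before the arrival check. Returns the report
    from before and after the damage."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        laptop = os.path.join(evidence_dir, "laptop1.img")
        usb = os.path.join(evidence_dir, "usb_key.img")
        with open(laptop, "wb") as handle:
            handle.write(b"constructed image data A\n" * 100)
        with open(usb, "wb") as handle:
            handle.write(b"constructed image data B\n" * 100)

        manifest = build_manifest(evidence_dir)   # taken at seizure
        clean_report = verify_manifest(evidence_dir, manifest)

        # Simulate damage in transit: one byte overwritten, one image lost.
        with open(usb, "r+b") as handle:
            handle.seek(0)
            handle.write(b"X")
        os.remove(laptop)
        damaged_report = verify_manifest(evidence_dir, manifest)
    return clean_report, damaged_report


if __name__ == "__main__":
    before, after = demo()
    print("at seizure:", before)
    print("on arrival:", after)
```

In practice the manifest is signed or carried separately from the media, since a manifest that travels with the evidence can be rewritten by whoever alters the evidence.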
Current computer forensics practice is dominated by the acquisition of evidence in the prosecution of child pornography. As such, practices around analyzing large hard drives for images are the primary skill sets of law enforcement. Tools and techniques have been developed to speed this analysis phase, but what has not happened is advanced techniques in document and contextual analysis of hard drive contents. Some intelligence practices have been developed, but they are fairly nascent in comparison to image analysis. In the case of the Usama data, the data-driven intelligence process includes analysis of context, geospatial data (e.g. EXIF data from images), word choice for author attribution, entity relationship data from emails, and date/time stamps for travel or other habits that lead to behavior indicators.
Since our likely hypothesis is that there are terrorists, and that they have relationships between themselves for coordination, analyzing relationship data can expand an understanding even of a cell network of entities. Most “cells” will leave breadcrumbs that can be analyzed, even if it is just volumetric data. Entity relationships found on the hard drive of computing systems can determine inbound and outbound links, and the relationship between decision entities and action entities. All of this can be analyzed from the various forms of evidence found on a computing system. None of this is easy or quick.
To understand this better, consider a student in a university and their relationship to other students. They are going to have people they sit near in classes (relationships), classes they sit in specifically at particular times (geo temporal), paths and patterns of travel required to get between specific locations at specific times, teachers (command and control), teaching assistants (secondary or tier 2 command and control), expected places that eating and drinking occur (resource acquisition), and so on. Consider it from a humorous point of view, but much of this data is going to be on the person’s cell phone, computer, and secondary systems (web servers, class management systems) that the student uses.
If you think about our mythical student and the relationship to the University we can start to draw patterns out from the interactions and create entity relationship or social network graphs. There are many tools like this used by law enforcement to make the job easier, but we’ll go with a hand drawn graph for the sake of example, and because nobody would give me the tools necessary for free to demonstrate.
If you look at the relationship between the “University” and the other entities you start to see a pattern of primary entity relationships. All of the entities likely have a “primary” relationship to “University A”, but for the sake of example we’ve shown secondary and tertiary relationships. In general this kind of diagram would have a specific contextual relationship, such as a set of events at times and places of a specific nature regarding “University A”. That would then set up the who, where, when, and perhaps how of choosing the primary subjects. Often the primary subjects that create the primary relationship are witnesses or victims (not all victims are witnesses).
To drive down to the secondary relationships, people who have had interaction with the primary, with possible interaction with or even simply motivation towards the act that happened to the “entity”, are derived. In some cases with computer crime it might be the carbon copy line of an email message (we’re at the 100K foot level here). Finally, the farther you go out the more likely you are to be too far out in the weeds. At some point, though, consistent or perhaps even corroborating evidence points to a likely suspect who was in all places at the right time or place.
In the case of the Usama hard drives even a highly secretive network can start to give away details. In fact the more secretive they are the more details they may expose. Word choice, time of day selection for communication, choice of aliases, and much more are forms of meta data (data about data) that leak information.
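The entity relationship graph from the student example, the carbon-copy lines mentioned as a source of secondary relationships, and the time-of-day metadata leak described above can all be pulled from nothing more than email headers. The block below is an added example written for this post, not code from the original or from any forensic tool; the messages, addresses and domains are constructed placeholders, and the tiering is plain breadth-first hop count from whichever entity you treat as primary.

```python
# Added example, not code from the original post: derive entity relationships
# and time-of-day habits from the headers of a constructed set of emails,
# then tier every correspondent by hop distance from a chosen primary entity.
from collections import Counter, defaultdict, deque
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: headers only; every address and domain is a placeholder.
SAMPLE_EMAILS = [
    "From: dean@univ-a.example\nTo: prof.x@univ-a.example\n"
    "Cc: ta.y@univ-a.example\nDate: Mon, 02 May 2011 09:15:00 +0000\n\n(body)",
    "From: prof.x@univ-a.example\nTo: ta.y@univ-a.example\n"
    "Date: Mon, 02 May 2011 09:40:00 +0000\n\n(body)",
    "From: ta.y@univ-a.example\nTo: student.s@univ-a.example\n"
    "Date: Mon, 02 May 2011 22:05:00 +0000\n\n(body)",
    "From: student.s@univ-a.example\nTo: outsider.o@mail.example\n"
    "Date: Tue, 03 May 2011 23:30:00 +0000\n\n(body)",
    "From: ta.y@univ-a.example\nTo: student.s@univ-a.example\n"
    "Date: Wed, 04 May 2011 22:50:00 +0000\n\n(body)",
]


def parse_message(raw):
    """Return (sender, [recipients], sent_at) from one RFC 822 message."""
    msg = message_from_string(raw)
    sender = getaddresses([msg["From"]])[0][1].lower()
    recipients = [
        addr.lower()
        for _name, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    ]
    return sender, recipients, parsedate_to_datetime(msg["Date"])


def build_graph(emails):
    """Undirected adjacency: one edge per sender/recipient pair seen."""
    graph = defaultdict(set)
    for raw in emails:
        sender, recipients, _ = parse_message(raw)
        for rcpt in recipients:
            graph[sender].add(rcpt)
            graph[rcpt].add(sender)
    return graph


def edge_weights(emails):
    """How many messages passed between each pair (the thickness of an edge)."""
    weights = Counter()
    for raw in emails:
        sender, recipients, _ = parse_message(raw)
        for rcpt in recipients:
            weights[frozenset((sender, rcpt))] += 1
    return weights


def tiers_from(graph, primary):
    """Breadth-first hop count from the primary entity: 1 = secondary
    relationship, 2 = tertiary, and so on."""
    distance = {primary: 0}
    queue = deque([primary])
    while queue:
        node = queue.popleft()
        for neighbour in graph[node]:
            if neighbour not in distance:
                distance[neighbour] = distance[node] + 1
                queue.append(neighbour)
    return distance


def hour_habits(emails):
    """Per sender, a histogram of the hour of day at which they send."""
    habits = defaultdict(Counter)
    for raw in emails:
        sender, _, sent_at = parse_message(raw)
        habits[sender][sent_at.hour] += 1
    return habits


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EMAILS)
    tiers = tiers_from(graph, "dean@univ-a.example")
    for entity, hops in sorted(tiers.items(), key=lambda kv: kv[1]):
        print(f"tier {hops}: {entity}")
    for pair, count in edge_weights(SAMPLE_EMAILS).most_common():
        print(count, "messages between", " <-> ".join(sorted(pair)))
    for sender, hours in hour_habits(SAMPLE_EMAILS).items():
        print(sender, "sends at hours", dict(hours))
```

Hop count is only the skeleton; the post's caution about going too far out in the weeds applies, so in practice the edge weights and the hour histogram are what separate a habitual contact from a single stray carbon copy three hops away.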
When the emails of Enron were subjected to mass scrutiny many different factors and networks were identified within the company. The decision makers were not necessarily the managers. Projects (illicit and legal) could be traced from the idea phase all the way towards the end phase where the project succeeded, failed, or at what point the project was cancelled. Some interesting data can be derived from this kind of cumulative decision cycle.
Using the Boyd OODA loop, each set of decisions can be broken out and examined (remember we’re talking Enron, but thinking Usama terrorism). If the decision points are broken out of the complete process, timelines can be created. The decision cycle, and what the entities involved considered to be important to reaching specific conclusions, can then be evaluated. I would mention this is not a speedy process. Unlike finding pornographic images, this type of analysis can be structured but requires significant skill in teasing out details. If consistent omissions are noticed they can be examined deeper to see if there are specific reasons for the omissions. This is the principle of seeing what is not there. In the Enron emails I have seen mention of specific kinds of decisions documented at the end of the project process (yay, look what we did!) but the entirety of the early decision cycles are missing. That is suggestive of out of band communication.
When thinking about this kind of investigation and returning to the Usama hard drives, you would be looking for that decision cycle to see how fast specific operations are created, what the targeting cycle looks like, how fast that cycle occurs, what kind of process is in place as verification of attributes of targets, and the speed at which targets are examined and then dispensed with (passed over) or engaged (attacked). Understanding the mental processes and principles, using the timeline process with entity relationships, can even give understanding of how much trust is inherently given to specific entities. If a piece of intelligence with similar attributes is deposited by one entity and acted upon quickly, and another piece from another entity is acted upon slowly, that can suggest trust relationships.
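The two preceding paragraphs describe one analysis: lay the recovered events out as OODA phases per project, look for the phases that are absent, and compare how quickly input from different sources is acted on. The block below is an added example for this post, not the author's code or any analyst tool; the event log, project names and actor names are constructed placeholders, and the four phase labels are simply the OODA stages used as the expected shape of a complete cycle.

```python
# Added example (not the post's own code): break a constructed event log
# into OODA phases per project, build timelines, flag the phases that are
# absent (seeing what is not there), and rank intelligence sources by how
# quickly their input was acted upon.
from collections import defaultdict
from datetime import datetime

PHASES = ("observe", "orient", "decide", "act")


def event(project, phase, actor, when):
    """One timeline entry; 'when' is an ISO 8601 string (constructed data)."""
    return {"project": project, "phase": phase, "actor": actor,
            "time": datetime.fromisoformat(when)}


# Constructed sample: actors and projects are placeholders, not real entities.
EVENTS = [
    event("alpha", "observe", "source_k", "2011-01-01T08:00"),
    event("alpha", "orient", "analyst_1", "2011-01-01T10:00"),
    event("alpha", "decide", "lead_1", "2011-01-02T09:00"),
    event("alpha", "act", "team_a", "2011-01-03T08:00"),
    event("beta", "observe", "source_m", "2011-01-05T08:00"),
    event("beta", "act", "team_a", "2011-01-12T08:00"),
    event("gamma", "observe", "source_k", "2011-01-10T12:00"),
    event("gamma", "orient", "analyst_1", "2011-01-10T14:00"),
    event("gamma", "decide", "lead_1", "2011-01-11T09:00"),
    event("gamma", "act", "team_b", "2011-01-11T12:00"),
    # 'delta' shows up only at the end of its cycle, like the Enron
    # "look what we did" mails the post mentions.
    event("delta", "decide", "lead_1", "2011-01-20T09:00"),
    event("delta", "act", "team_b", "2011-01-20T15:00"),
]


def timelines(events):
    """Per project, events in chronological order."""
    out = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        out[ev["project"]].append(ev)
    return dict(out)


def missing_phases(events, expected=PHASES):
    """Which expected phases never appear for each project. Gaps at the
    start of the cycle suggest the early decisions happened out of band."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["project"]].add(ev["phase"])
    return {project: [ph for ph in expected if ph not in seen[project]]
            for project in sorted(seen)}


def cycle_hours(events):
    """Hours from first 'observe' to first 'act' per project; None if
    either end of the cycle is not on record."""
    first = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        first.setdefault((ev["project"], ev["phase"]), ev["time"])
    result = {}
    for project in {ev["project"] for ev in events}:
        start = first.get((project, "observe"))
        end = first.get((project, "act"))
        result[project] = (None if start is None or end is None
                           else (end - start).total_seconds() / 3600)
    return result


def trust_ranking(events):
    """Mean observe-to-act latency per source entity, fastest first. A
    source whose input is acted on quickly is a candidate for a high-trust
    relationship; this is a lead to examine, not a conclusion."""
    source_of = {ev["project"]: ev["actor"]
                 for ev in events if ev["phase"] == "observe"}
    latencies = defaultdict(list)
    for project, hours in cycle_hours(events).items():
        if hours is not None and project in source_of:
            latencies[source_of[project]].append(hours)
    means = {src: sum(vals) / len(vals) for src, vals in latencies.items()}
    return sorted(means.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    for project, entries in timelines(EVENTS).items():
        print(project, "->", " > ".join(e["phase"] for e in entries))
    for project, gaps in missing_phases(EVENTS).items():
        print(project, "missing phases:", gaps or "none")
    print("observe->act hours:", cycle_hours(EVENTS))
    print("sources by speed of uptake:", trust_ranking(EVENTS))
```

The ranking is deliberately crude (a mean over whatever cycles are on record), which is the point of the post's warning that this is not a speedy process: the numbers only tell you which cycles and which sources deserve the slow, skilled reading.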
I know that many intelligence analysts are sitting there shaking their heads, but I’m not an intelligence analyst, and the purpose of this is to show that much more than Usama’s porn collection can be gathered off his hard drives. The various forms of meta data can be an interesting place to see what was going on behind the scenes of any investigation. White-collar crime and eDiscovery are starting to drive significant improvements in this area of the computer forensics discipline. It should be interesting to see what happens in the near future.
1 comment for “From near earth orbit: How to analyze Usama Bin Laden’s Porn Collection”