
Bin Laden’s ESI, which moved on ‘sneaker-net,’ may prove as valuable as his demise

By: David Quinones
Date: Thursday, May 5, 2011


Forced to run his terrorist network offline, Osama bin Laden relied on couriers to deliver messages by hand using storage devices. Could the electronically stored information (ESI) from his seized hardware clarify al-Qaeda's structure, or is it just one more piece to a larger intelligence puzzle?

Before Osama bin Laden's corpse was cold, US intelligence officers on the ground in Abbottabad had seized what they described as the most valuable contents of the terrorist leader's Pakistani lair – a trove of 10 hard drives, five computers and more than 100 storage devices, including several thumb drives, containing data one official called "the mother lode of intelligence."

"We were in the compound for about 40 minutes and we were able to acquire some material that was there. A lot of that is currently being exploited and reviewed," the White House senior adviser on counterterrorism, John Brennan, said Tuesday afternoon, May 3.

Link analysis could decipher and unravel al-Qaeda Network

In the years after the 2001 attacks on New York and Washington, D.C., bin Laden had grown to rely on couriers to deliver information and data – a communications system that eventually led a team of US Navy SEALs to his front door. Now, US officials hope the same system that proved bin Laden's undoing could help undermine or destroy his global network and capture its key players.

The ESI haul is likely undergoing "entity extraction," analyzing photos for facial recognition, cross-referencing phone numbers with names and addresses, scouring documents for identifying characteristics.

On Monday May 2, just hours after bin Laden's death, a senior US official told the press that intelligence officials had determined that a great deal of computer equipment, containing untold gigabytes of electronically stored information, or ESI, was being used at the sprawling compound.

"It’s also noteworthy that the property is valued at approximately $1 million but has no telephone or Internet service connected to it," the official said.

Relying on the 'Sneaker-Net'

The fact that the compound had no Internet service or phone lines, a rarity that says much about the occupants of a facility in the 21st century, was particularly interesting to Dr. Gary C. Kessler, a computer forensics expert in Vermont. Kessler is editor-in-chief of the Journal of Digital Forensics, Security and Law, and has worked with law enforcement and other government agencies to disassemble and dissect hard drives containing sensitive information.

"In the old days with floppy disks we called it the 'sneaker-net.' That is, you take files and move them over to another computer by foot," Kessler said. "Today it's done with thumb drives, and it sounds like he had couriers working to do this. It's very easy to take a thumb drive and bring it to another computer. It's also relatively easy to track what USB drives were used on other computers using serial numbers. Since [US forces] were tracking the couriers, they could also track this activity."

These serial numbers could allow intelligence agencies to create a 21st century data storage link analysis chart – one that maps electronic devices and computers instead of names and faces.

"The government has a vast array of tools they can use that will plug names into software," Kessler said. Among those tools are link analysis generators such as ProDiscover or FTK—software that interprets data and presents it in visual representations that resemble a cloud of points and lines.

'MedEx' tells long-form story over time

The data haul at bin Laden's refuge is far from being the first of its kind for the Pentagon, according to Geoff Black, director of high tech investigations for Prudential Financial and a former computer forensics examiner at the Naval Criminal Investigative Service Cyber Division. He said the practice of "media exploitation" – analyzing all aspects of digital media captured in the field – creates a long-form story of terrorism that can connect groups and individuals across borders.

"The Department of Defense tries to get its hands on as much information and data as possible and squeeze it for everything they can," Black said. Because bin Laden is believed to have grown somewhat removed from al-Qaeda's day-to-day operations, the ESI captured in this raid might be important but not critical, he said. "So this would be a missing piece, but I don't know if it would be a determining link."

Capitalizing on this find is not as simple as plugging data into missing spots, however. For instance, al-Qaeda often employs several different couriers to transfer clips of data in numerous storage devices, all bound for one destination. These pieces of the information mosaic would be almost meaningless if captured alone.

Entity extraction finds needle in haystacks

"But once they get them all, they can piece the 'clips' together to get the message," said Doug Goroway, an investigator who previously served on the Joint Terrorism Task Force before retiring from law enforcement.

Goroway said that the bin Laden hardware haul is now likely undergoing a process called "entity extraction." This is where photos are analyzed for facial recognition, phone numbers are cross-referenced with names and addresses, and all documents and files are explored for identifying characteristics.

"This plays into the link analysis. It provides the needle you're looking for in the haystack," he said. "From a triage perspective, I would guess that three to four different sets of eyes are looking at the forensic images right now for any imminent threats," such as planned attacks.

Records on computers' registry are key data

Black and Goroway concurred that, combined with the considerable data the US already holds, the storage devices could be the most valuable resources.

"Whenever you insert a USB device and connect it to Windows, a record is made," Black said.

Stephanie Giammarco, a computer forensics partner at the international firm, BDO Consulting, in New York, said that while these serial numbers can be found on the computers' registry, there are potential roadblocks.
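As an added illustration of what Kessler, Black and Giammarco describe (this is example code, not the article's or any quoted expert's tooling), the script below takes USBSTOR device instance paths of the kind recorded under the Windows system hive, separates genuine device serial numbers from identifiers Windows generates for devices that report none, and links any device seen on more than one host. The host names, vendors and serials are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: USBSTOR device instance paths as exported from three
# hypothetical hosts. The path layout mirrors HKLM\SYSTEM\...\Enum\USBSTOR;
# the host names, vendors and serial numbers are made up.
USBSTOR_EXPORTS = {
    "host-A": [
        r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0C1A2B3C4D5E6F&0",
        r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0&_&0",
    ],
    "host-B": [
        r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0C1A2B3C4D5E6F&0",
        r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001230516&0",
    ],
    "host-C": [
        r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001230516&0",
        r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0&_&0",
    ],
}

DEVICE_RE = re.compile(
    r"USBSTOR\\Disk&Ven_(?P<ven>[^&]+)&Prod_(?P<prod>[^&]+)&Rev_[^\\]*\\(?P<inst>.+)$"
)

def parse_instance(path):
    """Split one USBSTOR path into vendor, product and serial.
    A '&' as the second character of the instance ID means Windows
    generated it because the device reported no serial, so it cannot be
    used to match the same stick across machines."""
    m = DEVICE_RE.match(path)
    if not m:
        return None
    serial = m.group("inst").rsplit("&", 1)[0]  # drop trailing "&0" suffix
    generated = len(serial) > 1 and serial[1] == "&"
    return {"vendor": m.group("ven"), "product": m.group("prod"),
            "serial": serial, "unique": not generated}

def build_links(exports):
    """Map each genuine serial to the hosts it appeared on; keep only
    devices seen on two or more hosts (the 'sneaker-net' edges)."""
    seen = defaultdict(set)
    for host, paths in exports.items():
        for path in paths:
            dev = parse_instance(path)
            if dev and dev["unique"]:
                seen[dev["serial"]].add(host)
    return {s: sorted(h) for s, h in seen.items() if len(h) > 1}

if __name__ == "__main__":
    for serial, hosts in build_links(USBSTOR_EXPORTS).items():
        print(f"{serial}: {' <-> '.join(hosts)}")
```

Real examinations would also pull first/last connection timestamps and the mounted volume names from the hive, which this example leaves out.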

"I would be very surprised if the computers weren't encrypted. That makes it much more difficult. But the government has resources that the corporate world doesn't," Giammarco said. "I'd be interested in seeing what [bin Laden and his associates] were doing just before the raid. What files were created, when they were created; these are all potential indicators of other evidence and intelligence."

If the files on the computers are encrypted, the job gets harder – and messier, according to Brian Brown, director of forensics at RenewData, an information management firm based in Austin, Texas.

"If the computers are encrypted, the government will need to get the keys the old-fashioned way: by compelling it from their captives," Brown said. Interrogations aside, Brown thinks the equipment itself could provide viable leads for the DoD.

"I would like to know where the equipment came from. Was it from the '90s or state of the art? If so, where is the supply of the systems coming from? This could lead to the al-Qaeda supply chain."

However, Goroway said, bin Laden's computer hardware may not bring a big win to the intelligence community. "These are sophisticated people who have evaded the authorities for 10 years. They are not dumb," he sighed.
