
bin Laden case gives e-discovery specialists lessons in decryption and translation

By: 
Robert Hilson
Date: 
Tuesday, May 17, 2011

In an era of instant digital gratification, the very notion of waiting around for electronic data processing recalls the archaic days of dial-up connections and AOL trial discs. But such is the nature of the US government’s deep dive into the trove of data recovered from Osama bin Laden’s million-dollar compound in the hills of Abbottabad.

The e-discovery process dissecting a vast haul of physical electronic devices – a so-called “sneaker-net” of hand-carried media holding potentially high-value intelligence – took on the utmost importance when Navy SEALs seized five computers, 10 hard drives, and a stockpile of DVDs and thumb drives in a 40-minute raid on bin Laden’s Pakistani compound on May 2.

As U.S. intelligence agents and analysts continue to pore over the al-Qaeda kingpin’s wealth of encrypted files, a number of questions pertaining to decryption, language translation and multimedia ESI (electronically stored information) pique the interest of e-discovery professionals whose duties often overlap with those of government investigators.

E-Discovery in bin Laden investigation mirrors litigation processes

According to Geoff Black, director of high tech investigations for Prudential Financial and a former computer forensics examiner at the Naval Criminal Investigative Service Cyber Division, the process of identifying encrypted “file containers” in bin Laden’s digital cache is no different than “exception processing” in e-discovery. That term refers to the handling of files that standard processing tools cannot open or index: encrypted containers, password-protected archives and corrupt files, which are flagged and set aside for separate treatment rather than allowed to silently drop out of the review set.

Upon pinpointing the encrypted data, e-discovery practitioners typically resort to interviewing the custodian or, in the case of the bin Laden data, cracking passwords.
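As an added illustration (not code from the article or from any of the firms quoted), the following Python script shows what the first pass of exception processing looks like on a set of constructed sample files: it flags password-protected ZIP archives by the encryption bit in their local file header, PGP-armored messages by their magic string, and headerless high-entropy blobs that may be encrypted volumes. The entropy threshold, minimum blob size and sample files are assumptions; compressed media also scores high on entropy, so a hit marks a file for separate handling, not proof that it is encrypted.

```python
"""Triage scan for files that need exception processing.

Added example; not the article's, Prudential's or NCIS's code. It applies
three assumed heuristics to constructed sample files: the ZIP
local-file-header encryption flag, PGP ASCII-armor magic, and a
Shannon-entropy threshold for headerless blobs (TrueCrypt-style volumes
carry no signature, so entropy is the only signal).
"""
import hashlib
import io
import math
import struct
import zipfile
from collections import Counter

# Assumed cutoff: uniformly random bytes score close to 8.0 bits/byte.
# Compressed media (JPEG, MP4, deflate streams) also score high, so a hit
# means "route for review", not "proven encrypted".
ENTROPY_THRESHOLD = 7.9
MIN_BLOB_SIZE = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zip_is_encrypted(data: bytes) -> bool:
    """Check bit 0 of the general-purpose flag in the first local file header."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return False
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def classify(data: bytes) -> str:
    """Known signatures are checked before the entropy fallback."""
    if zip_is_encrypted(data):
        return "encrypted-zip"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return "pgp"
    if len(data) >= MIN_BLOB_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return "plain"


def triage(files: dict) -> dict:
    """Map each filename to its class; anything but 'plain'/'zip' is an exception item."""
    return {name: classify(data) for name, data in files.items()}


# --- constructed sample files ---------------------------------------------

def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 counter stream."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])


def _plain_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "meeting moved to thursday\n" * 50)
    return buf.getvalue()


def _encrypted_zip_header() -> bytes:
    # Local file header with flag bit 0 set. zipfile cannot write encrypted
    # archives, so only the 30-byte header plus the name is constructed.
    name = b"secret.txt"
    header = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 0x0001, 8,
                         0, 0, 0, 0, 0, len(name), 0)
    return header + name


SAMPLES = {
    "readme.txt": b"meeting moved to thursday, bring the drives\n" * 120,
    "notes.zip": _plain_zip(),
    "secret.zip": _encrypted_zip_header(),
    "msg.asc": b"-----BEGIN PGP MESSAGE-----\n\nhQEMA...\n-----END PGP MESSAGE-----\n",
    "volume.bin": _pseudo_random(16384),
}

if __name__ == "__main__":
    for name, kind in triage(SAMPLES).items():
        print(f"{name:12s} {kind}")
```

In a real pipeline the "high-entropy" bucket is where the custodian interview or the password-cracking queue begins; the "plain" and "zip" buckets continue to normal indexing.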

“You can’t predict what you’re going to get after the first seven days,” said Chris Mellen, the vice president of professional services for AccessData, one of the leading firms in digital investigations. “You’ve already cracked all the easy passwords, gone through the low-hanging fruit, and have major horsepower churning away at this data.”

Numerous decryption tactics can be employed

According to Mellen, a former special agent of the U.S. Department of Defense, investigators either approach encryption with “brute force” – exhaustively trying every possible password, which is practical only against short or weak ones – or, more typically, a “dictionary attack” in which analysts compile a store of candidate words lifted from the confiscated media itself: names, places, dates and other terms the custodian is likely to have used.

“When you get into dictionary attacks, you can’t be so literal as to think it’s an actual word,” Mellen said, describing an enhanced, time-consuming process that takes into account term permutations, symbols, numbers and letter case variations.
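To make the difference concrete, here is an added Python example (not the article's or AccessData's code) of a rule-based dictionary attack of the kind Mellen describes: seed words assumed to have been lifted from the media are expanded through case changes, leet substitutions, prefixes and suffixes, and two-word concatenations, and each candidate is run through a password-derived key and compared against a verifier tag. The container format, iteration count, rule lists, seed words and target password are all constructed for the demonstration; the keyspace helper shows why exhaustive brute force is the last resort.

```python
"""Rule-based dictionary attack against a password-derived key.

Added example; not the article's or AccessData's code. The protected
'container' is simulated: a PBKDF2-HMAC-SHA256 key plus an HMAC verifier
tag, the shape many archive and disk-encryption formats use. The seed
words, mangling rules, iteration count and target password are all
constructed for the demonstration.
"""
import hashlib
import hmac
import itertools

ITERATIONS = 1000           # assumed; real formats use far more, so every
SALT = b"constructed-salt"  # candidate avoided is time saved
VERIFIER_MSG = b"container-verifier"


def derive_verifier(password: str) -> bytes:
    """Key-derive the password and return the tag the container would store."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS, dklen=32)
    return hmac.new(key, VERIFIER_MSG, hashlib.sha256).digest()


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates a pure brute-force search must cover for one password length."""
    return alphabet_size ** length


# Mangling rules (assumed): case, leet substitution, common prefixes/suffixes.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
PREFIXES = ["", "!"]
SUFFIXES = ["", "1", "123", "!", "2010", "2011", "!1"]


def mangle(seed: str):
    """Yield distinct variants of one seed, cheapest rules first."""
    seen = set()
    bases = []
    for variant in (seed.lower(), seed.capitalize(), seed.upper()):
        bases.append(variant)
        bases.append(variant.translate(LEET))
    for base in bases:
        for pre, suf in itertools.product(PREFIXES, SUFFIXES):
            cand = f"{pre}{base}{suf}"
            if cand not in seen:
                seen.add(cand)
                yield cand


def candidates(seeds):
    """Single seeds first, then two-seed concatenations (phrases people remember)."""
    for seed in seeds:
        yield from mangle(seed)
    for a, b in itertools.permutations(seeds, 2):
        yield from mangle(a + b)


def dictionary_attack(seeds, target_verifier: bytes):
    """Return (password, candidates_tried) or (None, candidates_tried)."""
    tried = 0
    for cand in candidates(seeds):
        tried += 1
        if hmac.compare_digest(derive_verifier(cand), target_verifier):
            return cand, tried
    return None, tried


# Constructed scenario: words lifted from the seized media, and a password
# the custodian built from one of them by leet-substituting and adding a year.
SEEDS = ["abbottabad", "courier", "waziristan"]
TARGET_VERIFIER = derive_verifier("C0ur13r2011")

if __name__ == "__main__":
    found, tried = dictionary_attack(SEEDS, TARGET_VERIFIER)
    total = sum(1 for _ in candidates(SEEDS))
    print(f"recovered {found!r} after {tried} of {total} candidates")
    print(f"brute force over 62 symbols at length 11: {keyspace(62, 11):,} candidates")
```

The ordering matters as much as the rules: cheap single-word variants are tried before concatenations, so the easy passwords fall out in the first minutes and the expensive combinations are left to the "major horsepower" phase Mellen describes.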

Like any criminal organization hiding from law enforcement, al-Qaeda had gone to great lengths to keep its online communications secret. It published at least two issues of the electronic magazine “Technical Mujahid” in 2006 and 2007 explaining how to encrypt communications and how to embed hidden messages in images (steganography). According to Time, the publication advised using “The Mujahideen Secrets,” an encryption program written by jihadists.

Do-it-yourself technology and amateur couriers have exploitable flaws

This kind of do-it-yourself technology could come back to haunt al-Qaeda, notes Brian Brown, director of forensics at RenewData, an information management and e-discovery consulting firm. Unlike mainstream programs, internally published software typically does not receive the same rigorous vetting from researchers, leaving flaws that can be exploited, he said.

Bin Laden’s use of couriers to relay electronic information may be a blessing for forensic analysts trying to decrypt data and piece together his terrorist network, two challenges similar to those government pursuers of international criminal organizations face.

“We’re making a huge assumption that somebody’s going to be that secretive,” Mellen said. “If somebody uses a passphrase and uses high level encryption, it’s going to be challenging to find that key. The converse is interesting, though, if you have a passphrase with 100 symbols – how are you going to remember it?”

“They didn’t prey on bin Laden to make mistakes. They preyed on the courier to make mistakes,” he said, referring to the sneaker brigade that transported bin Laden’s flash drives to off-site internet cafés.

Language translation complicates data mining

Once data is successfully decrypted, the investigative analysis begins to resemble the traditional e-discovery document review process. To clear the language hurdle, translators will attempt to make sense of a multitude of Arabic dialects, cross-referencing their findings with a backlog of intelligence culled from years of tracking the terrorist group and its allies.

“Arabic is unique in a couple of ways,” said RenewData’s Brown, “The dialects change the meaning of the words pretty significantly and technical terms are translated very specifically. For instance, the word for ‘compute’ and the word for ‘computer’ have the same meaning.”

While Arabic’s right-to-left writing and reading configuration may occasionally confuse operating system settings, according to Prudential’s Black, “the main key is having personnel that are native speakers and readers of that language so that something doesn’t get overlooked.”

Voice recognition technology also comes into play in these situations. Advances in sound filtering and audio clean-up allow investigators to identify background voices that would previously have gone unnoticed.

Additionally, specialized forensics software can convert video and audio files to searchable indexes of words and phonemes, Black said. Programs that transcribe speech directly to text are said to be less reliable.

Thus far, analysts have not uncovered plans for imminent attacks against the United States, though Attorney General Eric Holder recently told Bloomberg Television that bin Laden may have been plotting something in the near term.

“He did seem to have a goal around the 10th anniversary of Sept. 11,” he said. “Certainly he wanted to harm and was in the advanced operational stage of pulling the levers in the al-Qaeda organization.”

On Tuesday, May 17, Pakistani security forces in Karachi made the first capture of a high level al-Qaeda operative since bin Laden’s death, though it was not immediately clear if U.S. intelligence was involved.
