Tracking terrorists with click of a mouse

Crime center finds clues in recovered CDs, hard drives

March 26, 2007 | By Siobhan Gorman, Sun reporter

WASHINGTON -- Tucked away in a squat, 1980s-era office park halfway between Washington and Baltimore, 200 digital detectives are scouring the hard drives, MP3 players and compact discs seized from terrorist hide-outs in search of links and clues to their next plans of attack.

If there is a real-life version of the kind of technical wizardry that appears in popular TV shows like CSI and 24, the Defense Department's Cyber Crime Center in Linthicum might come closest to it -- though these cyber-sleuths are quick to say it's not nearly as easy as Hollywood makes it look to piece together files on a bomb-blasted hard drive.

The craft of unearthing data hidden deep inside computer equipment has become known as "digital forensics." And the center's executive director, Steven D. Shirley, predicts it will revolutionize investigations much as DNA did.

Like DNA, digital forensic analysis can place a person at a particular location. It can establish relationships. And it can also provide evidence of activities, plans and intentions, Shirley said.

"Digital forensics is probably accelerating at twice the rate that the impact of DNA did," he said.

Terrorists have gravitated toward modern communication devices for the same reasons business executives do -- they're portable, agile and relatively inexpensive. And the digital footprints terrorists leave behind on laptops, cell phones, and Palm Pilot-type devices are providing a means to find them.

"It's become one of our primary windows on terrorism," said Jim Jaeger, a retired Air Force brigadier general who heads the digital forensics operation at defense industry giant General Dynamics.

At a recent status review hearing in Guantanamo Bay for Khalid Sheikh Mohammed, accused of being the mastermind behind the Sept. 11 attacks, military officials introduced a slew of evidence -- including photographs, code names and spreadsheets -- connecting Mohammed to those attacks and other operations.

Letters from Osama bin Laden, transcripts of chat sessions with a Sept. 11 hijacker, biographical information and photographs of the hijackers, and records of pilot license fees for lead Sept. 11 operative Mohamed Atta were among the pieces of evidence extracted from a computer hard drive seized during Mohammed's capture.

A February 2005 military raid in Iraq yielded the laptop of the leader of al-Qaida in Iraq, Abu Musab al-Zarqawi. Information on that computer reportedly helped U.S. officials track down and capture his top associates.

When Zarqawi was killed in an airstrike a year later, soldiers uncovered additional computers, memory sticks and MP3 players that military officials heralded as an intelligence coup. Four hundred and fifty raids followed shortly thereafter.

Shirley said he would not discuss whether his center played a role in exploiting materials seized in the raids of Zarqawi's belongings because that is classified. But, he said, "we do have the capability to do things exactly like that."

The Pentagon launched the Cyber Crime Center in 1998 to lend a high-tech hand to its criminal and counterespionage investigations, but the center has come into its own only in recent years.

Counterterrorism and intelligence investigations, which used to make up a small fraction of the center's cases, now represent 40 percent of its work, said Shirley, who left a senior post in the Air Force's Office of Special Investigations to join the center in 2004.

The center's workload -- the volume of data it processes -- has doubled in the past year and is more than 10 times larger than it was in 2001, as the digital information explosion meets the government's post-Sept. 11 counterterrorism push.

In 2006, it processed 159 terabytes of information -- one terabyte would fill more than 8,000 file cabinets -- and it expects 40 percent more this year. At any one time, the center is evaluating 2,500 pieces of digital media.

In 2001, most counterterrorism investigations of computers were limited to printing out what could readily be found.

Counterterrorism investigators "didn't understand the nuances of how you could hide data within data," said Jim Christy, a senior official at the center.

In the CIA-led invasion of Afghanistan in October 2001, officers didn't expect to find much electronic equipment in the mountainous region along the Pakistani border, which has no electrical infrastructure. What they found, Christy said, was an array of wireless computerized devices.

"It was kind of eye-opening for everybody," he said.

By the 2003 Iraq invasion, the Cyber Crime Center was deploying technicians on the battlefield to provide analysis of computer equipment.

In the center's Maryland laboratory, where the see-through cubicles look more corporate-modern than 24, forensic investigators use high-powered software to extract hidden information from computer equipment that has been erased or damaged.

Baltimore Sun Articles