[ISN] Iraq battle plan leak sparks overhaul of cybercrime-fighting techniques

InfoSec News isn at c4i.org
Tue Feb 1 04:07:18 EST 2005

Forwarded from: William Knowles <wk at c4i.org>


By Paul Roberts
JANUARY 31, 2005 

The U.S. Department of Defense seized hundreds of computers and around
60TB of data as part of an investigation into how details of the U.S.  
invasion plan for Operation Iraqi Freedom were leaked to The New York
Times, a Defense Department official said.

The investigation ended in 2003 without finding the source of the
leak. But it has prompted changes within the department, which is
developing software tools and investigative strategies for computer
crime cases that involve large amounts of data, said Lt.Col. Ken
Zatyko, director of the DOD's Computer Forensics Laboratory.

The investigation was prompted after details of the U.S.'s planned
invasion of Iraq appeared in a series of newspaper articles in the
Times beginning in July 2002. The articles revealed various details of
the planned invasion and options that were being considered by
military planners. Operation Iraqi Freedom was launched in March 2003.

The Times articles set off an intense effort within the DOD to
discover the source of the leak. Hundreds of computer servers and
desktop systems were seized at a number of locations, including U.S.  
Central Command at MacDill Air Force Base in Tampa, Fla., and from
military bases in the Persian Gulf region, including the U.S. naval
base in Bahrain, Zatyko said.

In all, about 60TB of data, including data stored on computer hard
drives and other devices, was collected and brought back to the DOD's
computer forensic lab at the Department of Defense Cyber Crime Center
(DC3), he said.

One Times reporter was also subpoenaed for information pertaining to
the leak, but that subpoena was quashed, according to Catherine
Mathis, vice president of corporate communications at The New York
Times Co.

At DC3, a team of computer forensics investigators searched through
the data looking for evidence -- such as an e-mail message or document
transfer -- that would link a particular individual to a Times
reporter, Zatyko said. Ultimately, the investigation failed, in part
because of the challenge of sifting through the huge volume of data,
he said.

"It was a 'needle in the haystack' case," Zatyko said. "The challenge
is to reduce all that data and hone in on the document that was sent
to the reporter."

The investigators did discover a number of versions of a presentation
that contained information linked to the articles, as well as e-mail
messages to reporters. However, they couldn't find evidence that the
presentation or other sensitive information was sent to the Times, and
DC3's investigation ended in late 2003 without finding those
responsible for the leaks, Zatyko said.

There are a number of possible explanations for why the investigation
failed. The best explanation is that the information wasn't
transferred digitally to the Times, Zatyko said. "They could have just
printed it out and provided it [to the reporter] as a hard-copy
document," he said.

The failure to find the source of the leak shows that reporters and
their sources are getting sophisticated about covering their trails
using IT, said Bob Giles, curator of the Nieman Foundation for
Journalism at Harvard University. "The people inside the government
are being smart about how they're [leaking information] and not doing
it in a way that's going to get them caught," he said.

The DC3 is changing the way it conducts large computer forensic
investigations in the wake of the case, Zatyko said.

In particular, the DC3 has established a section of its lab and a team
of examiners just to work on cases with large data sets, replacing ad
hoc teams created to address case requests as they come in. DC3 is
also using a combination of commercial forensic software and
proprietary tools to comb seized data stored on large capacity
storage-area networks and network-attached storage devices.

The new DC3 approach replaced individual examiners working on separate
workstations, which led to inconsistencies in the forensic examination
process and duplication of effort between examiners, Zatyko said.

With the Iraq battle-plan leak investigation closed at DC3, forensic
investigators are trying out the new techniques on a more common
source of large data set investigations: child pornography cases, he
said. "We're focusing on the child-porn issue and moving out from
there," Zatyko said.

"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org

More information about the ISN mailing list