Tracking terrorists with click of a mouse
03-26-2007, Baltimore Sun - Siobhan Gorman
http://www.baltimoresun.com/
WASHINGTON -- Tucked away in a squat, 1980s-era office park halfway between Washington and Baltimore, 200 digital detectives are scouring the hard drives, MP3 players and compact discs seized from terrorist hide-outs in search of links and clues to their next plans of attack.


If there is a real-life version of the kind of technical wizardry that appears in popular TV shows like CSI and 24, the Defense Department's Cyber Crime Center in Linthicum might come closest to it -- though these cyber-sleuths are quick to say it's not nearly as easy as Hollywood makes it look to piece together files on a bomb-blasted hard drive.

The craft of unearthing data hidden deep inside computer equipment has become known as "digital forensics." And the center's executive director, Steven D. Shirley, predicts it will revolutionize investigations much as DNA did.

Like DNA, digital forensic analysis can place a person at a particular location. It can establish relationships. And it can also provide evidence of activities, plans and intentions, Shirley said.

"Digital forensics is probably accelerating at twice the rate that the impact of DNA did," he said.

Terrorists have gravitated toward modern communication devices for the same reasons business executives do -- they're portable, agile and relatively inexpensive. And the digital footprints terrorists leave behind on laptops, cell phones, and Palm Pilot-type devices are providing a means to find them.

"It's become one of our primary windows on terrorism," said Jim Jaeger, a retired Air Force brigadier general who heads the digital forensics operation at defense industry giant General Dynamics.

At a recent status review hearing in Guantanamo Bay for Khalid Sheikh Mohammed, accused of being the mastermind behind the Sept. 11 attacks, military officials introduced a slew of evidence -- including photographs, code names and spreadsheets -- connecting Mohammed to those attacks and other operations.

Letters from Osama bin Laden, transcripts of chat sessions with a Sept. 11 hijacker, biographical information and photographs of the hijackers, and records of pilot license fees for lead Sept. 11 operative Mohamed Atta were among the pieces of evidence extracted from a computer hard drive seized during Mohammed's capture.

A February 2005 military raid in Iraq yielded the laptop of the leader of al-Qaida in Iraq, Abu Musab al-Zarqawi. Information on that computer reportedly helped U.S. officials track down and capture his top associates.

When Zarqawi was killed in an airstrike a year later, soldiers uncovered additional computers, memory sticks and MP3 players that military officials heralded as an intelligence coup. Four hundred and fifty raids followed shortly thereafter.

Shirley said he would not discuss whether his center played a role in exploiting materials seized in the raids of Zarqawi's belongings because that is classified. But, he said, "we do have the capability to do things exactly like that."

The Pentagon launched the Cyber Crime Center in 1998 to lend a high-tech hand to its criminal and counterespionage investigations, but the center has come into its own only in recent years.

Counterterrorism and intelligence investigations, which used to make up a small fraction of the center's cases, now represent 40 percent of its work, said Shirley, who left a senior post in the Air Force's Office of Special Investigations to join the center in 2004.

The center's workload -- the volume of data it processes -- has doubled in the past year and is more than 10 times larger than it was in 2001, as the digital information explosion meets the government's post-Sept. 11 counterterrorism push.

In 2006, it processed 159 terabytes of information -- one terabyte would fill more than 8,000 file cabinets -- and it expects 40 percent more this year. At any one time, the center is evaluating 2,500 pieces of digital media.

In 2001, most counterterrorism investigations of computers were limited to printing out what could readily be found.

Counterterrorism investigators "didn't understand the nuances of how you could hide data within data," said Jim Christy, a senior official at the center.

In the CIA-led invasion of Afghanistan in October 2001, officers didn't expect to find much electronic equipment in the mountainous region along the Pakistani border, which has no electrical infrastructure. What they found, Christy said, was an array of wireless computerized devices.

"It was kind of eye-opening for everybody," he said.

By the 2003 Iraq invasion, the Cyber Crime Center was deploying technicians on the battlefield to provide analysis of computer equipment.

In the center's Maryland laboratory, where the see-through cubicles look more corporate-modern than 24, forensic investigators use high-powered software to extract hidden information from computer equipment that has been erased or damaged.

The FBI, CIA, National Security Agency and other agencies also have digital forensics efforts under way, but the Pentagon center is the largest of its kind in the country, if not the world. It assists counterterrorism and criminal investigators from intelligence agencies and the Defense Department.

As technology grows more complex and data storage becomes cheaper, the center's digital sleuths are in a constant race to keep up.

The real benefit of digital forensics will be realized when a soldier or intelligence officer can seize a computer, connect to a device that sends the information to the center and immediately retrieve information about where a terrorist is hiding, said Gavin Manes, president of Oklahoma Digital Forensics Professionals Inc.

Not only are digital detectives hindered by the amount of time it takes to copy and evaluate a hard drive, but they also must contend with computers whose files may be encrypted or in a different language, Manes said.

Finding analysts who understand forensic computer jargon as well as counterterrorism has been a daunting challenge, said Evan Kohlmann, who does digital forensic consulting in counterterrorism for the U.S. and British governments.

Many of those doing the computer analysis know little about terrorism, he said.

"It becomes very difficult to understand what you're looking at" without knowledge of both, Kohlmann said.

Terrorists are even more inclined to use encryption than ordinary criminals, said Jaeger. And technology to lock up entire hard drives is readily available, which the federal government can't crack, according to Christy.

Perhaps the greatest challenge for digital detectives, however, is the one that many intelligence agencies are facing in the Digital Age: the sheer amount of ever-expanding data to sift through.

"The volume problem," Manes said, "is going to be enormous for them, because of what happens if they miss information."

Copyright 2007, The Baltimore Sun