Question? RTFAQ (Read the F*cking Al Qaeda)!
May 4, 2011 6:54 AM   Subscribe

Mining the Mother of all Data Dumps We now have a relatively massive haul of digital data from the OBL strike.  There are several forensic toolkits in use by the private (commercially available) and public sector as well as open-sourceBest practices include inventorying all the sources, cloning the sources so as to not damage pristine data, recovering any partial or damaged content, making the cloned sources read-only, adhering to legally-admissible tools standards, and documenting everything.   There is an excellent source titled Digital Forensics and Born-Digital Content from the Council on Library and Information Resources [pdf, Resource Shelf].   But what to do next*?

I’d immediately parse the data, looking for anything that resembled encrypted text-strings, urls, logins, or passwords, and immediately access, subpoena, compromise, and archive any mentioned sites or services, adding that information to the digital warehouse.  The Anonymous hack of HBGary is a well documented narrative of the process.

I would then index the data contextually and semantically, looking for date and time stamps, languages used,  file types, bank accounts, email addresses, IP addresses, place names, person names, indices from the 9/11 Commission both published and unpublished, known keywords (targets, weapons systems, known methods, etc.), and certainly others.  It would also be useful to examine machine-created data on machines such as access and activity logs as well as the registry for machine and user-specific data.

My suggestion would be to centrally locate the source data, and to then index it and slap a front-end on (see AOL data dump, previously).  I’d also apply analytics to the front end to see what the crowd was looking for, and optionally aggregate and share that data (with some careful thought as to designing a system to avoid a Private Manning-type scenario), creating an internal-honeypot for capturing analysts interests and ideas.   The dataset is likely not large enough for true data mining (previously), but Social Network Analysis (previously) could still be employed beyond searching for keywords.  I’d also look for patterns of activity (and gaps), and compare that with known plots to identify patterns.  Most importantly, I’d work backwards, as old date is likely stale as far as actionable intelligence.  I’d further suspect that any data from the 9/11 period would be beyond priceless.

Most technology enthusiasts are protective of their privacy and skeptical of data mining. This appears to be a situation where this technology can be used for good.

*Disclaimer – everything after this point assumes access is limited to secured machines, accessed by authorized users of the United States military, law enforcement, and employees (and contractors).
posted by rzklkng (40 comments total) 30 users marked this as a favorite

 
Turns out his browser's home page was Cute Overload.

A complicated man.
posted by Trurl at 7:00 AM on May 4, 2011 [13 favorites]


I would actually feel safer if the whole thing were just handed over to Wikileaks and Anonymous.
posted by Faint of Butt at 7:09 AM on May 4, 2011 [9 favorites]


Nice FPP. As someone who works in computer forensics, I'm also interested in whether or not there was any kind of encryption used. I've heard stories (old wives tales?) about folks rolling their own encryption, or just not using it at all because products like Truecrypt were "invented by Americans" and therefore breakable.

After this story broke, my curiosity was piqued - what I wouldn't give to look through this data for just a few minutes...
posted by antonymous at 7:12 AM on May 4, 2011


I've always wondered if OBL used his frequent 'tapes' as a signal-station, with messages encoded based on phrases or some other low-level encryption.
posted by rzklkng at 7:18 AM on May 4, 2011



If I were a BadGuy™, I wouldn't use a goddamn computer. Let's hope they were dumb enough to use PGP/GPG.
posted by eriko at 7:24 AM on May 4, 2011


I've always thought about building a file server with a kill switch set-up so that any data, if forcibly seized, could never be recovered from it by the gov't or other agents. Here's the basic setup:
Two servers (or, maybe, virtual machines on the same laptop) each set up to boot-off-the-network from each other, using full disk encryption, where the encryption/decryption keys are stored only on the other server's encrypted volumes and no where else. Both are initially booted up once off a preseeded server which is immediately discarded. And either server could go down and be bought back up if-and-only-if the other server was still up and running. If both servers were ever shut down at the same time (such as: dead man switch going off, power being lost, or hard drives being seized by the gov't) then the encryption keys themselves are forcibly lost forever since they could only be recovered from the now undecryptable volumes.
As long as the encryption algorithms and the chosen full-disk-encryption method being used are sound, then this should be more or less fool-proof. Especially in a scenario where the storage devices themselves are all the gov't seemingly cares about, and pulling them from a live machine would render the data inaccessible forever.
posted by yeoz at 7:27 AM on May 4, 2011 [5 favorites]


(not that I have any data that gov't would remotely be interested in. that's the only thing holding me back from building out the above setup!)
posted by yeoz at 7:29 AM on May 4, 2011


The data dump is just a cover story. UBL is alive and under interrogation right now. His "death" is just a cover story so no one asks any questions about trials, or visitation rights, etc. We threw his body in the sea. No autopsy to confirm his kidney problems, or other health issues. We killed him even though he was unarmed, because he didn't throw his hands in the air. Better to have him dead and let his allies think we're getting things from his laptop, instead of from the snakes mouth.
posted by humanfont at 7:30 AM on May 4, 2011 [3 favorites]


Given the man was reported to have really bad kidney problems and on the run - thus unable to get to hospitals, perhaps his medical techniques will be found and made public.
posted by rough ashlar at 7:31 AM on May 4, 2011


UBL is alive and under interrogation right now. His "death" is just a cover story...Better to have him dead and let his allies think we're getting things from his laptop, instead of from the snakes mouth.

NO! We traded his body to the Illuminati Brotherhood for their secret free-energy/orgone technologies. Everybody knows the Illuminati Elders love them some good facial hair.
posted by PlusDistance at 7:36 AM on May 4, 2011 [9 favorites]


Nonsense. Osama Bin Laden is dead, and now the second Osama Bin Laden is also dead. That's my story and I'm sticking to it.
posted by Faint of Butt at 7:41 AM on May 4, 2011 [2 favorites]


No no no, it was to the Atlanteans, in exchange for orialchum, obviously.
posted by likeso at 7:43 AM on May 4, 2011 [1 favorite]


not that I have any data that gov't would remotely be interested in.

What about your spec script for The Love that Rumsfeld Dare Not Speak?
posted by shakespeherian at 7:44 AM on May 4, 2011 [1 favorite]


yeoz you are still vulnerable to having your kernels modified to leak the key, either by physical access or hacking of the machines. Additionally you are vulnerable to having your seekret keys read from your RAM if you can't reach your shutdown button in time, and even if you reach it in time, if your adversary can reach those ram chips quickly enough for the data to still be there.
posted by CautionToTheWind at 7:45 AM on May 4, 2011 [1 favorite]


I'm just talking out of my rectum here -- but if I wanted to destroy Western civilization and knew I'd never leave my house alive, I'd spend my remaining time weaving a convoluted web of false evidence that would maximize trouble for all who take said evidence at face value, hopefully provoking another war or two.

Yes, I know we have Top Men who are good at analyzing intelligence and seeing through such ruses. But what if false evidence gets leaked, and it's such a compelling story that the public/Congress can't resist? (See: Iraq War, WMDs)
posted by RobotVoodooPower at 7:49 AM on May 4, 2011 [1 favorite]


yeoz: That system exists, and it's called Mandos.
posted by teraflop at 7:50 AM on May 4, 2011


yeoz: have you seen the HotPlug? It, in combination with the MouseJiggler, are designed to allow recovery of a server or computer from a scene without ever shutting it down. If you didn't have your screensaver up before the capturing agency arrived, they can keep it in a state where your files can be accessed until they have it back at the lab.

Of course, that sort of thing isn't really feasible for a SEAL team raid in Pakistan, but I think it's interesting that this has already been thought about enough for a commercial product to exist. I use some Wiebetech products in the course of my work (data recovery, I'm not a cop)—they're the real deal, with prices to match.
posted by aaronbeekay at 7:50 AM on May 4, 2011


the Illuminati Brotherhood for their secret free-energy

Bah, that is already out there.

Makers of fine spinning magnet motor/generators run by ex CIA heads
posted by rough ashlar at 7:51 AM on May 4, 2011


Nonsense. Osama Bin Laden is dead, and now the second Osama Bin Laden is also dead. That's my story and I'm sticking to it.

But I hear the original Osama bin Laden is in retirement in Patagonia.
posted by kmz at 7:51 AM on May 4, 2011 [2 favorites]


Yeoz, I imagine it'd just take one prolonged power outage for you to lose all your data once, and soon all your underlings start backing up their important documents in plaintext on USB keys "just in case."
posted by mccarty.tim at 7:52 AM on May 4, 2011 [2 favorites]


I want to know what kind of porn he's got on there and how many fucking illegal downloads from Livewire he's got. RIAA can sue his estate for 12 billion dollars for every version of "I Kissed A Girl" and other hits they find.
posted by spicynuts at 7:58 AM on May 4, 2011


yeoz: That system exists, and it's called Mandos.
posted by teraflop at 10:50 AM on May 4
Thanks much; I'll have to take a look at that.

I'll admit that physical access to the system and thusly recovery of the keys from RAM is viable attack, that I don't know a solution for. But, I'd be shocked if that was part of the operating protocol for the SEAL team used in the OBL raid. Maybe it is! I'm curious if that was the case or not.
all your underlings start backing up their important documents in plaintext on USB keys "just in case."
posted by mccarty.tim at 10:52 AM on May 4
Yeah, that's definitely the weakest link. Goddamn minions and their passwords on sticky notes. :(
posted by yeoz at 7:59 AM on May 4, 2011


(and, I guess it's back to thermite charges and mercury-tilt switch triggers for all of my computers then :( )
posted by yeoz at 8:04 AM on May 4, 2011


If you didn't have your screensaver up before the capturing agency arrived, they can keep it in a state where your files can be accessed until they have it back at the lab.

Now I don't know a lot about computer forensics, but I recall reading that even if a screensaver is up the password could be retrieved by pulling out the ram and reading that (as data in ram will remain there for a least a minute or so after losing power) or even more simply by connecting through the Firewire port (if present) with the right software, since Firewire allows access to the entire memory.
posted by bobo123 at 8:06 AM on May 4, 2011


Ten Myths about OBL
posted by lalochezia at 8:09 AM on May 4, 2011 [3 favorites]


Now I don't know a lot about computer forensics, but I recall reading that even if a screensaver is up the password could be retrieved by pulling out the ram and reading that (as data in ram will remain there for a least a minute or so after losing power)

Longer if you cool the RAM down (liquid nitrogen is your friend)
posted by atrazine at 8:12 AM on May 4, 2011


I recall reading that even if a screensaver is up the password could be retrieved by pulling out the ram and reading that (as data in ram will remain there for a least a minute or so after losing power)
Yeah, this is called a cold boot attack (wiki). Dunno about the firewire thing, but, I haven't had a computer with a firewire port in a long time.

Although, I'm suddenly reminded of something. Weren't there reports of a power outage during the raid on OBL?
the fact that electricity in Abbottabad was cut off for two hours before the raid and then miraculously restored. (source).
Ok, admittedly the source isn't a great one, but I think for these night time raids, it's fairly SOP to kill power, so your target can't see you coming...
posted by yeoz at 8:15 AM on May 4, 2011


Goddamn minions and their passwords on sticky notes. :(

Well if the head of IT wouldn't make us change our passwords every few weeks maybe we could remember them!
posted by TedW at 8:18 AM on May 4, 2011 [2 favorites]


yeoz: Although, I'm suddenly reminded of something. Weren't there reports of a power outage during the raid on OBL?

The guy who live tweeted the event didn't mention anything about that (although this proves nothing, it is a data point to keep in mind).
posted by moonbiter at 8:24 AM on May 4, 2011


How about having people, say, people who have studied Al Qaeda, look at the "data" and try to figure out what it means? I know it's crazy, but it just might work!
posted by MarshallPoe at 8:26 AM on May 4, 2011


yeoz writes "Ok, admittedly the source isn't a great one, but I think for these night time raids, it's fairly SOP to kill power, so your target can't see you coming..."

Isn't power unreliable in Pakistan? I'd figure anyone with the money for a compound would also have backup generation.
posted by Mitheral at 8:30 AM on May 4, 2011


(and, I guess it's back to thermite charges and mercury-tilt switch triggers for all of my computers then :( )

You'd think if anyone would know how to use explosives as a security system, it would be a terrorist organization.

Isn't power unreliable in Pakistan? I'd figure anyone with the money for a compound would also have backup generation.

Right, the live-tweeter mentioned above said the power is off for more than half of the day on average.
posted by burnmp3s at 8:38 AM on May 4, 2011


Wait. What's wrong w/PGP?
posted by symbioid at 9:08 AM on May 4, 2011


Using the firewire port is most common when grabbing data from one of those pesky-to-open Macs (OpenApple-T). I'd break out in laughter if OBL had a Macbook Air and a tricky-to-image iPhone/iPad.
posted by antonymous at 9:48 AM on May 4, 2011


yeoz: my friends in islamabad have their power go out for hours at a time nearly daily -- not saying that it wasnt done on purpose, but i seem to understand power outages in pakistan happen constantly.
posted by 3mendo at 10:34 AM on May 4, 2011


I predict that at the end of the day the most interesting thing we will discover from OBL's is that he was really, really good at Angry Birds.
posted by LarryC at 10:51 AM on May 4, 2011 [1 favorite]


I predict that the true story, and any very interesting or telling or revealing data mined from these computers, won't come out until long after all the prime players have been dead and gone for decades - i.e., not until the information won't matter anymore.
posted by Greg_Ace at 11:32 AM on May 4, 2011


Also this mansion was just an ISI prison. Keep the invalid terrorist on ice as make him release a tape every so often when you need a fresh cheque from America. Fucking Pakistan.
posted by humanfont at 2:28 PM on May 4, 2011 [1 favorite]


I wonder what the intersection between arabic speakers and hackers is in the intelligence community...
posted by stratastar at 2:33 PM on May 4, 2011 [1 favorite]


I wonder if he used Asrar Al Mujahideen 2.0/Mujahideen Secrets 2, which was recommended in the Al-Qaeda Inspire magazine.
posted by ymgve at 2:51 PM on May 4, 2011


« Older "If you've never heard of this game, it is simply ...  |  Star Wars Propaganda posters... Newer »


This thread has been archived and is closed to new comments