http://www.computerworld.com/securitytopics/security/cybercrime/story/0,1080
1,99397,00.html?source=NLT_SEC
<http://www.computerworld.com/securitytopics/security/cybercrime/story/0,108
01,99397,00.html?source=NLT_SEC&nid=99397> &nid=99397
Iraq battle plan leak sparks overhaul of cybercrime-fighting techniques
The DOD probe involved combing through 60TB of data
News Story by Paul Roberts
JANUARY 31, 2005 (IDG NEWS SERVICE) <HTTP://WWW.IDG.NET> - The U.S.
Department of Defense seized hundreds of computers and around 60TB of data
as part of an investigation into how details of the U.S. invasion plan for
Operation Iraqi Freedom were leaked to The New York Times, a Defense
Department official said.
The investigation ended in 2003 without finding the source of the leak. But
it has prompted changes within the department, which is developing software
tools and investigative strategies for computer crime cases that involve
large amounts of data, said Lt.Col. Ken Zatyko, director of the DOD's
Computer Forensics Laboratory.
The investigation was prompted after details of the U.S.'s planned invasion
of Iraq appeared in a series of newspaper articles in the Times beginning in
July 2002. The articles revealed various details of the planned invasion and
options that were being considered by military planners. Operation Iraqi
Freedom was launched in March 2003.
The Times articles set off an intense effort within the DOD to discover the
source of the leak. Hundreds of computer servers and desktop systems were
seized at a number of locations, including U.S. Central Command at MacDill
Air Force Base in Tampa, Fla., and from military bases in the Persian Gulf
region, including the U.S. naval base in Bahrain, Zatyko said.
In all, about 60TB of data, including data stored on computer hard drives
and other devices, was collected and brought back to the DOD's computer
forensic lab at the Department of Defense Cyber Crime Center (DC3), he said.
One Times reporter was also subpoenaed for information pertaining to the
leak, but that subpoena was quashed, according to Catherine Mathis, vice
president of corporate communications at The New York Times Co.
At DC3, a team of computer forensics investigators searched through the data
looking for evidence -- such as an e-mail message or document transfer --
that would link a particular individual to a Times reporter, Zatyko said.
Ultimately, the investigation failed, in part because of the challenge of
sifting through the huge volume of data, he said.
"It was a 'needle in the haystack' case," Zatyko said. "The challenge is to
reduce all that data and hone in on the document that was sent to the
reporter."
The investigators did discover a number of versions of a presentation that
contained information linked to the articles, as well as e-mail messages to
reporters. However, they couldn't find evidence that the presentation or
other sensitive information was sent to the Times, and DC3's investigation
ended in late 2003 without finding those responsible for the leaks, Zatyko
said.
There are a number of possible explanations for why the investigation
failed. The best explanation is that the information wasn't transferred
digitally to the Times, Zatyko said. "They could have just printed it out
and provided it [to the reporter] as a hard-copy document," he said.
The failure to find the source of the leak shows that reporters and their
sources are getting sophisticated about covering their trails using IT, said
Bob Giles, curator of the Nieman Foundation for Journalism at Harvard
University. "The people inside the government are being smart about how
they're [leaking information] and not doing it in a way that's going to get
them caught," he said.
The DC3 is changing the way it conducts large computer forensic
investigations in the wake of the case, Zatyko said.
In particular, the DC3 has established a section of its lab and a team of
examiners just to work on cases with large data sets, replacing ad hoc teams
created to address case requests as they come in. DC3 is also using a
combination of commercial forensic software and proprietary tools to comb
seized data stored on large capacity storage-area networks and
network-attached storage devices.
The new DC3 approach replaced individual examiners working on separate
workstations, which led to inconsistencies in the forensic examination
process and duplication of effort between examiners, Zatyko said.
With the Iraq battle-plan leak investigation closed at DC3, forensic
investigators are trying out the new techniques on a more common source of
large data set investigations: child pornography cases, he said. "We're
focusing on the child-porn issue and moving out from there," Zatyko said.
[Non-text portions of this message have been removed]
------------------------ Yahoo! Groups Sponsor --------------------~-->
Take a look at donorschoose.org, an excellent charitable web site for
anyone who cares about public education!
http://us.click.yahoo.com/_OLuKD/8WnJAA/cUmLAA/TySplB/TM
--------------------------------------------------------------------~->
--------------------------
Want to discuss this topic? Head on over to our discussion list, [EMAIL
PROTECTED]
--------------------------
Brooks Isoldi, editor
[EMAIL PROTECTED]
http://www.intellnet.org
Post message: [email protected]
Subscribe: [EMAIL PROTECTED]
Unsubscribe: [EMAIL PROTECTED]
*** FAIR USE NOTICE. This message contains copyrighted material whose use has
not been specifically authorized by the copyright owner. OSINT, as a part of
The Intelligence Network, is making it available without profit to OSINT
YahooGroups members who have expressed a prior interest in receiving the
included information in their efforts to advance the understanding of
intelligence and law enforcement organizations, their activities, methods,
techniques, human rights, civil liberties, social justice and other
intelligence related issues, for non-profit research and educational purposes
only. We believe that this constitutes a 'fair use' of the copyrighted material
as provided for in section 107 of the U.S. Copyright Law. If you wish to use
this copyrighted material for purposes of your own that go beyond 'fair use,'
you must obtain permission from the copyright owner.
For more information go to:
http://www.law.cornell.edu/uscode/17/107.shtml
Yahoo! Groups Links
<*> To visit your group on the web, go to:
http://groups.yahoo.com/group/osint/
<*> To unsubscribe from this group, send an email to:
[EMAIL PROTECTED]
<*> Your use of Yahoo! Groups is subject to:
http://docs.yahoo.com/info/terms/
