
If you were on the Laden case...

62 Posts
25 Users
0 Reactions
6,037 Views
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

1) Burning trash isn't uncommon in many parts of the world, printouts or no.
2) Power is irregular. Compound probably had a generator. Raid took 45 minutes. How do you keep the systems live, i.e., unencrypted, while getting to them, and then getting them home?
3) Plan the fight, and fight the plan. Don't walk up to me after the fact and say "Here, analyze this." Let me in on the planning. (Which I am sure they did.)
4) After five years of living in the compound, I'll bet their security got lax.
5) Highly doubtful that residents used satellite phones. Too many documented cases of Western intelligence organizations tracking and intercepting those.

-David


(@braveheart)
Eminent Member
Joined: 16 years ago
Posts: 31
 

No doubt much of what you want will be hidden in some form or another, so, you're handed drives from that compound, and told find me something.

What do you start off doing?

(Please avoid all the depends on this or depends on that, whether I'm asked for this or whatever else, and just give what YOU would do if you're given the drives and the boss, officer, (whomever is in charge) gives you the green light to scour the drive)

If asked to work on this type of case, the main aim will be to gather as much intelligence as possible that could immediately help in neutralizing imminent future dangers and unmask past, present and future activities.
Some information that might be of immense value

1. Contacts of all kind such as foreign, local, internet, covert, overt, secret, confidential, trustworthy, etc.
2. Timings
3. Meetings
4. Plans
5. Funds
6. Legal & illegal money transfers
7. Languages that may be encountered and that one must be prepared to analyze and work with: Arabic, Pashtun, Dari, Urdu
8. Travel and transportation modes used, had access to, or that could have been arranged at short notice
9. Mode and choice of communication
10. Places of interest
11. Maps, diagrams, sketches
12. Targets for sabotage and destruction, assassinations, etc.
13. Information about arms & weapons used, storage, availability, have access to, can be accessed, etc.
14. Information about manufacture, availability or acquisition, storage of WMDs.
15. Safe houses and hideouts
16. Couriers and sub-couriers and sub-of-sub couriers, etc.
17. Distance and time taken to exchange and receive messages or communication, correlation between message timings and postings on web forums, and availability to the media agencies.
18. Friendly media outlets, agencies and forums.
19. Methods of sabotage and destruction
20. Business investments and interests
21. Relationships, rivalries and their extent with other organizations, agencies, personnel, friendly and supporting countries, moles or double-agents, sleeper cells and off-shoot organizations.
22. Duties, responsibilities and posts allotted to top members of the organization.
23. Usage and extent of dependence on technology.
24. Medical information such as any medical problems, access to medicines and doctors, etc.
25. Who next to head the organization?


(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

If asked to work on this type of case, the main aim will be to gather as much intelligence as possible that could immediately help in neutralizing imminent future dangers and unmask past, present and future activities.
Some information that might be of immense value

1. Contacts of all kind such as foreign, local, internet, covert, overt, secret, confidential, trustworthy, etc.
2. Timings
3. Meetings
4. Plans
5. Funds
6. Legal & illegal money transfers

…. etc, etc

This isn't the usual domain of a digital forensic analyst. We're only a small cog of the investigative machinery. We extract the maximum amount of available data matching the requestor's requirements, provide provenance for that data, document everything, then hand the data in an acceptable format to the requestor.


(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

This isn't the usual domain of a digital forensic analyst. We're only a small cog of the investigative machinery. We extract the maximum amount of available data matching the requestor's requirements, provide provenance for that data, document everything, then hand the data in an acceptable format to the requestor.

I have to concur with Jonathan on this one - to be honest, what I would do is image the disk and hand over copies (with checksums) to the intelligence agencies - I don't have the manpower, or the computer power, to go through it byte-by-byte, which is what is going to be required. Without prior intel data - e.g. codewords etc. - it could be meaningless - that appointment to have coffee with Abdul in Baghdad might actually be a coffee appointment, rather than the codewords to mortar Downing Street at that time.

As they say - "it's above my pay grade" 😉


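The "image the disk and hand over copies (with checksums)" step above is the part of this thread that a forensic analyst actually controls, so here is an added example of what that handover record looks like in practice. This is example code written for this page, not something any poster supplied: it streams a disk image once through MD5 and SHA-256 (both, because a receiving agency may only be able to check one of them), writes a small JSON manifest recording who hashed what and when, and verifies a copy against that manifest. The file names, the examiner string and the "source" description are constructed placeholders; the demo builds a fake 3 MiB image, one faithful copy and one copy with a single flipped byte, to show that a size-preserving corruption is caught by the hashes even though the size check passes.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read images in 1 MiB blocks; never load a whole disk image into memory


def hash_file(path):
    """One read pass over the file, feeding MD5 and SHA-256 at the same time."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return {"size": os.path.getsize(path), "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def write_manifest(image_path, manifest_path, examiner, source_desc):
    """Record the acquisition hashes plus who/when/what, so the copy handed over has provenance."""
    record = {
        "image": os.path.basename(image_path),
        "source": source_desc,
        "examiner": examiner,
        "hashed_at": datetime.now(timezone.utc).isoformat(),
        **hash_file(image_path),
    }
    with open(manifest_path, "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_copy(copy_path, manifest_path):
    """Re-hash a copy and compare size, MD5 and SHA-256 against the manifest."""
    with open(manifest_path) as f:
        expected = json.load(f)
    actual = hash_file(copy_path)
    mismatches = [k for k in ("size", "md5", "sha256") if actual[k] != expected[k]]
    return {"ok": not mismatches, "mismatches": mismatches, "expected": expected, "actual": actual}


def demo():
    """Constructed data only: a fake image, a faithful copy, and a copy with one flipped byte.

    Returns (good_copy_ok, mismatches_for_bad_copy).
    """
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "disk1.dd")  # hypothetical file name
        with open(image, "wb") as f:
            # odd size so the last read is a partial chunk, exercising the streaming loop
            f.write(os.urandom(3 * CHUNK + 17))
        manifest = os.path.join(d, "disk1.manifest.json")
        write_manifest(image, manifest,
                       examiner="constructed example",
                       source_desc="constructed sample, not a real acquisition")

        with open(image, "rb") as f:
            data = f.read()
        good = os.path.join(d, "copy_good.dd")
        with open(good, "wb") as f:
            f.write(data)
        flipped = bytearray(data)
        flipped[CHUNK + 5] ^= 0x01  # same length, one bit different
        bad = os.path.join(d, "copy_bad.dd")
        with open(bad, "wb") as f:
            f.write(bytes(flipped))

        return verify_copy(good, manifest)["ok"], verify_copy(bad, manifest)["mismatches"]


if __name__ == "__main__":
    print(demo())
```

The manifest is deliberately plain JSON rather than a tool-specific format, since the whole point of the post is that the analyst hands the data to someone else; a receiver with nothing but `sha256sum` can still check it. Recording both digests also means a later MD5-only log entry (common in older tooling) can be matched against the same record.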
(@braveheart)
Eminent Member
Joined: 16 years ago
Posts: 31
 

I have posted the above comment from LE point of view of what an analyst will be looking for, but not a private or independent investigator.


(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

I have posted the above comment from LE point of view of what an analyst will be looking for, but not a private or independent investigator.

How would it differ?


(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

With 'less tech […] friendly' I meant not willing to use it for security or other reasons.

I do not know…
It is also suggested in reports that there was no Internet connection (although a cell phone tethered, or satellite link would work), which further suggests less tech savvy or tech friendly.
?

I'm not sure I'd concur with that assessment; more probably they wanted to avoid interception of communications. I guess that's pretty tricky when you're America's Most Wanted: sure, you could use an encrypted satellite link, but I presume doing that from an area where a high value target is suspected to be hiding would be like painting a target on yourself.

I'd also be quite surprised if unencrypted media was used, but then again when you've got the full resources of the US government at your disposal you've got a better chance than most of us of finding a way round it. Perhaps in any case I'm overestimating the technical sophistication of these guys…


(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

Greetings,

1) Burning trash isn't uncommon in many parts of the world, printouts or no.

I am aware; but normally such burnings are done outside, in a community trash heap, in my experience.

[…]
5) Highly doubtful that residents used satellite phones. Too many documented cases of Western intelligence organizations tracking and intercepting those.

There are other countries with satellite communications besides Western countries.


(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

[…]
5) Highly doubtful that residents used satellite phones. Too many documented cases of Western intelligence organizations tracking and intercepting those.

There are other countries with satellite communications besides Western countries.

Yes, but I'm missing your point, I think. Mine was that in the early days of the war on Al Qaeda, Western intelligence services located a number of targets via satellite phone tracking and interception. When the news "broke", the intel agencies were upset that a very useful technique was no longer viable because the targets switched to couriers.

The CIA supposedly found OBL by finding his courier. I doubt that, at this late date, OBL had gone back to using sat phones.

-David


(@braveheart)
Eminent Member
Joined: 16 years ago
Posts: 31
 

Rightly said, this isn't the normal domain of a DF analyst, but what I believe is that it is certain for any LE forensic analyst. This is where the main difference between Non-LE and LE analysis lies.

Non-LE Analysis is calculated in terms of No. of hours of manpower and machine power spent or required + Amount of Data Extracted + fulfillment of Client's Requirements.

So, what about that data which neither matches the client's requirement, nor is the client aware of its existence, nor does the analyst have the capability or means to evaluate, extract and connect those vital pieces of information to one another? Is it ok to overlook that? Isn't it a waste of time and resources to depend on someone who doesn't have the required means in the first instance?

Whereas LE are in a better position when compared to Non-LE, with the availability of vast resources, and the analysis is calculated in terms of the amount of intelligence and evidence gathered + connecting this acquired information to past, present and future scenarios as quickly as possible, irrespective of manpower and machine power spent or required. And more importantly, the percentage of success that can be achieved using this extracted information. This is just one of the many scenarios where an LE analysis will be far more tangible compared to Non-LE. And it's highly unlikely that this type of case will ever be given out for private job work, even for imaging and authentication, given its nature of confidentiality and secrecy.

