Thursday 07 November 2024
Font Size
   
Monday, 19 December 2011 01:55

Forensic Expert: Manning's Computer Had 10K Cables, Downloading Scripts

Rate this item
(0 votes)
Forensic Expert: Manning's Computer Had 10K Cables, Downloading Scripts

Army Pfc. Bradley Manning, left, is escorted out of a courthouse in Fort Meade, Md., Friday, Dec. 16, 2011, after the first day of a military hearing that will determine if he should face court-martial for his alleged role in the WikiLeaks classified leaks case. Manning is suspected of being the source in one of the largest unauthorized disclosures of classified information in U.S. history. (AP Photo/Cliff Owen)

FT. MEADE, Maryland – A government digital forensic expert linked accused Army leaker Bradley Manning to documents published by WikiLeaks with damning evidence Sunday, testifying that he found thousands of U.S. State Department cables on one of Manning’s work computers, ranging from unclassified to SECRET cables, among other incriminating documents.

Special agent David Shaver, who works for the Army’s Computer Crime Investigative Unit, said that on one of two laptops that Manning used he found a folder called “blue,” he found a zip file containing 10,000 diplomatic cables in HTML format, and an Excel spreadsheet with three tabs.

The first tab listed scripts for Wget, a program used to crawl and download large numbers of files, that would allow someone to go directly to the Net Centric Diplomacy database where the State Department documents were located and download them easily; the second tab listed message record identification numbers of State Department cables from March and April 2010; the third tab listed message record numbers for cables from May 2010. The spreadsheet included information about which U.S. embassy originated the cable. There were indications on Manning’s computer that he had begun using the Wget tool in March 2010.

Shaver noted in his testimony that what he found particularly significant was that the cable record numbers in the spreadsheet were all sequential.

“Whoever did this was keeping track of where they were [in the downloading process],” said Shaver, the final government witness on Sunday, the third day of a pre-trial hearing that will determine whether the soldier will face a court martial on more than 20 charges of violating military law.

The Net Centric Diplomacy Database, is a database that stored the more than 250,000 U.S. State Department cables that Manning is alleged to have downloaded and passed to WikiLeaks. In May 2010, he allegedly bragged in an online chat with former hacker Adrian Lamo that he had downloaded them while pretending to lip sync to Lady GaGa music. Six months after Manning was arrested in May, WikiLeaks began publishing 250,000 leaked U.S. embassy cables.

The zip file Shaver examined on Manning’s computer didn’t include the contents of the cables themselves, but Shaver said that while he was probing unallocated space on one of Manning’s work laptops, he also found thousands of actual State Department cables, including ones classified as SECRET NOFORN, a classification that prohibits sharing of the information with non-Americans, and another “hundred thousand or so fragments” of cables.

In addition, he found two copies of the now-famous 2007 Army Apache helicopter attack video, that Wikileaks published on April 5, 2010 under the title “Collateral Murder,” and files pertaining to a second Army video, known as the Garani attack video, that Manning allegedly leaked to WikiLeaks, but which the site has not yet published. Shaver was able to recover a number of PDF files and JPEG images pertaining to the Garani incident that were supposedly deleted from Manning’s computer.

The “Collateral Murder” video depicts a U.S. gunship attack on Iraqi civilians that killed two Reuters employees and seriously wounded two Iraqi children. Shaver said one copy of the video he found on Manning’s computer was the version that WikiLeaks had published, and the other copy “appeared to be the source file for it.” The video appeared to have shown up on Manning’s computer for the first time in March 2010.

Shaver testified that he also found four complete JTF GITMO detainee assessments located in unallocated space on Manning’s computer. The assessments are reports written by the government about prisoners at the Joint Task Force Guantanamo Bay prison, assessing their threat risk should they be released.

Last April, WikiLeaks began publishing a trove of more than 700 Gitmo prisoner assessment reports.

Shaver discovered Wget scripts on Manning’s computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents, then downloaded the ones that WikiLeaks had published and found they were the same, Shaver testified.

Finally, Shaver found JPEGS showing aircraft in combat zones as well as pictures that appear to show hospital burn victims.

Nearly all of the documents found on Manning’s computer, aside from the jpegs of aircraft and burn are documents that Manning allegedly confessed in online chats with former hacker Adrian Lamo that he had stolen and passed to WikiLeaks. Lamo had passed a copy of those chats to the government in May 2010, but forensic investigators found an identical copy of those chats on Manning’s computer as well, a government witness said Saturday.

In those chats, Manning told Lamo that he had “zero-filled” his laptops, referring to a way of securely removing data from a disk drive by repeatedly filling all available space with zeros. The implication from Manning was that any evidence of his leaking activity had been erased from his computers. But Shaver’s testimony would seem to indicate that either the laptops weren’t zero-filled after all, or that it had been done incompletely.

Aside from the files that Shaver found on Manning’s computer, he also found repeated keyword searches that suggest that Manning had, if nothing else, an extensive interest in WikiLeaks.

Shaver examined the logs of Intel Link – a search engine for the military’s classified SIPRnet – and found suspicious searches coming from an IP address assigned to Manning’s computer starting in Dec 2009. The search terms included “WikiLeaks,” “Iceland,” and “Julian Assange.”

The searches “seemed out of place,” Shaver said, for the kind of work Manning was doing in Iraq.

There were more than 100 keyword searches on “WikiLeaks,” the first occurring Dec. 1 2009. He also found searches for the keywords “retention of interrogation videos.” The first search for that term was Nov. 28 2009, around the time that Manning told Lamo he first contacted WikiLeaks. “Interrogation videos” could refer to the infamous CIA videos showing the waterboarding of terror suspects, which the CIA reportedly destroyed.

Shaver did not face defense cross-examination Sunday afternoon, but will likely do so Monday. He is also expected to testify on classified information in a court session closed to the public.

UPDATE 11pm EST: This story has been updated with additional information about forensic data found on Manning’s computers.

Authors:

French (Fr)English (United Kingdom)

Parmi nos clients