Cracking Bin Laden's Hard Drives

Published: 22/11/2024   Category: security




Security experts detail how the government will attempt to unlock the trove of information on devices recovered during the raid on Osama bin Laden's residence.



The weekend raid on Osama bin Laden's compound, carried out by Navy SEALs and CIA paramilitary operatives, reportedly recovered numerous data storage devices.
According to the New York Times, the team found a trove of information and had the time to remove much of it: about 100 thumb drives, DVDs and computer disks, along with 10 computer hard drives and five computers. There were also piles of paper documents in the house.
An unnamed U.S. official told Politico that the Navy SEALs had recovered "the mother lode of intelligence," and that hundreds of people were already at work analyzing it at a secret base in Afghanistan.
"They're very likely to get a lot of really good, actionable intel off of these devices, since Osama bin Laden apparently had no direct connection to the Internet," said Greg Hoglund, CEO of security software and consulting firm HBGary, Inc., in a telephone interview. "So all of his work was done with outside couriers … and information that's coming and going is probably on thumb drives and DVDs, media like that, meaning that they likely stored important operational information."
According to Hoglund, the effort to recover Osama bin Laden's data likely started with--and was part of--the raid, in a process that's known as battlefield exploitation, which seeks to extract as much data as possible while in the field. That's because it's much easier to extract information from a computer that's still running. Even if a hard drive employs encryption, if the drive is still mounted, then it's vulnerable: the decryption key has to be held in memory for the operating system to read the volume. Furthermore, if the team can take snapshots of a live device's physical memory (RAM), this can help crack any encryption.
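What "the key is in RAM" means in practice, as an added example that is not from the article or from either expert: a full-disk-encryption driver keeps the expanded AES key (the key schedule) in memory for as long as the volume is mounted, and the AES key expansion has an arithmetic structure that can be recognised without knowing the key. The scanner below, in Python, implements that check for AES-128: for every offset in a memory image it asks whether the 176 bytes starting there are a valid key schedule. The "memory image" is constructed in-process (random filler with one schedule planted at a chosen offset); no real dump is read, and the key used is the FIPS-197 test key.

```python
"""Locate AES-128 key schedules in a raw memory image.

Added example, not from the article: while an encrypted volume is mounted,
the driver keeps the expanded AES key (the key schedule) in RAM. The
expansion has an arithmetic structure that can be recognised without knowing
the key, so a RAM snapshot can be scanned for it. The 'memory image' here is
constructed in-process; no real dump is read.
"""
import random


def _xtime(a):
    """Multiply by x in GF(2^8) with the AES polynomial 0x11B."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _gf_mul(a, b):
    """Multiply two GF(2^8) elements."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox():
    """Generate the AES S-box: GF(2^8) inverse followed by the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
        s = inv
        for k in range(1, 5):  # inv XOR its left rotations by 1..4 bits
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key_128(key):
    """Return the 176-byte AES-128 key schedule (FIPS-197 KeyExpansion)."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                 # RotWord
            t = [SBOX[b] for b in t]          # SubWord
            t[0] ^= RCON[i // 4 - 1]          # Rcon
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(image):
    """Return [(offset, key)] for every AES-128 key schedule found in image."""
    hits = []
    for off in range(len(image) - 175):
        cand = image[off:off + 16]
        # Cheap pre-filter: the first word of round key 1 is fully determined
        # by the candidate key, so compare those 4 bytes before expanding.
        rot = cand[13:16] + cand[12:13]
        w4 = bytes([cand[0] ^ SBOX[rot[0]] ^ 0x01,
                    cand[1] ^ SBOX[rot[1]],
                    cand[2] ^ SBOX[rot[2]],
                    cand[3] ^ SBOX[rot[3]]])
        if image[off + 16:off + 20] != w4:
            continue
        if image[off:off + 176] == expand_key_128(cand):
            hits.append((off, cand))
    return hits


def build_demo_image(key, offset, size=32768, seed=7):
    """Constructed 'RAM snapshot': random filler with one schedule planted."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    ks = expand_key_128(key)
    buf[offset:offset + len(ks)] = ks
    return bytes(buf)


if __name__ == "__main__":
    demo_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 key
    img = build_demo_image(demo_key, offset=12345)
    for off, key in find_aes128_keys(img):
        print(f"AES-128 key schedule at 0x{off:06x}: key={key.hex()}")
```

The same idea extends to AES-256 (a 240-byte schedule) and to other ciphers with a recognisable expansion; production tools also tolerate a few bit errors so that a schedule recovered from decaying DRAM still matches. Note that the pre-filter only rejects candidates; every hit is confirmed against the full 176-byte expansion.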
Here's how the process works, said Rob Lee, a director at information security company Mandiant and a fellow at The SANS Institute, in a telephone interview: A military team will secure a location but not touch the computers. Next, computer experts--typically, contractors--traveling with the team come in and do a "clean takedown" of any machines. Little if any deep-dive data analysis will be performed in the field, except perhaps some quick analysis in search of low-hanging fruit, for example to note on a captured cell phone any phone numbers that the target recently called, or any recently sent emails. But the true payoff comes when intelligence analysts compare the captured data with the hundreds of terabytes of data that they've already gathered over many years, for example to see how names, email addresses, and phone numbers match up.
The goal isn't just to recover data, but to rapidly understand its intelligence context. "Instead of standard forensics, the terminology is called media exploitation, and in the intel community, that word has a high value to it," said Lee. He said the practice dates from the start of the Iraq War.
Interestingly, both the data on the recovered devices as well as the devices themselves may provide valuable clues. That's because every USB storage device presents a serial number (assigned by its firmware, or generated by the host for the few devices that lack one), and the operating system records it on every computer to which the device has been connected. "You're able to track that USB device in every system it's touched," said Lee. That may help analysts better understand how the courier network operated, especially if the storage devices match up with previous PCs that they've encountered.
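The tracking Lee describes, as an added example in Python that is not from the article: Windows records every USB mass-storage device it has enumerated under the registry key HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\<model>\<instance id>, where the instance id is the device's firmware serial number with a "&0" suffix. The script parses `reg export` style text from several seized machines and reports the serials that appear on more than one of them. The caveat it encodes is the one a forensic analyst applies by hand: a device with no firmware serial gets a Windows-generated id whose second character is "&", which is unique per host rather than per device, so it must not be correlated. The hostnames, models, serials and export text are all constructed for the demo.

```python
"""Correlate USB storage serial numbers across seized Windows machines.

Added example, not from the article. Windows records every USB mass-storage
device it has enumerated under
HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\<model>\\<instance id>, where
the instance id is the device's firmware serial number plus a '&0' suffix.
Devices that report no serial get a Windows-generated id whose second
character is '&'; those are unique per host, not per device, and must not be
used for correlation. The exports below are constructed to mimic
`reg export` output and belong to no real system.
"""
import re
from collections import defaultdict

USBSTOR_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
    r"(?P<model>[^\\\]]+)\\(?P<instance>[^\\\]]+)\]$",
    re.MULTILINE | re.IGNORECASE,
)


def parse_usbstor_export(text):
    """Return {serial: model} for devices that carry a real firmware serial.

    Host-generated instance ids (second character '&') are skipped because
    they cannot identify the same stick on another machine.
    """
    devices = {}
    for m in USBSTOR_KEY.finditer(text):
        inst = m.group("instance")
        if len(inst) > 1 and inst[1] == "&":
            continue
        serial = inst[:-2] if inst.endswith("&0") else inst
        devices[serial] = m.group("model")
    return devices


def correlate(exports):
    """exports: {hostname: export_text}.

    Return {serial: (model, [hosts])} for every serial seen on more than one
    host, with the host list sorted.
    """
    seen = defaultdict(set)
    models = {}
    for host, text in exports.items():
        for serial, model in parse_usbstor_export(text).items():
            seen[serial].add(host)
            models[serial] = model
    return {s: (models[s], sorted(h)) for s, h in seen.items() if len(h) > 1}


USBSTOR_ROOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR"
CRUZER_MODEL = "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26"
KINGSTON_MODEL = "Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP"

# Constructed sample exports: hostnames, serials and contents are invented.
SAMPLE_EXPORTS = {
    "host-a": f"""Windows Registry Editor Version 5.00

[{USBSTOR_ROOT}\\{CRUZER_MODEL}]

[{USBSTOR_ROOT}\\{CRUZER_MODEL}\\4C530001230419107302&0]
"FriendlyName"="SanDisk Cruzer USB Device"

[{USBSTOR_ROOT}\\{CRUZER_MODEL}\\4C530001230419107302&0\\Device Parameters]
""",
    "host-b": f"""Windows Registry Editor Version 5.00

[{USBSTOR_ROOT}\\{CRUZER_MODEL}\\4C530001230419107302&0]
"FriendlyName"="SanDisk Cruzer USB Device"

[{USBSTOR_ROOT}\\{KINGSTON_MODEL}\\0019E06B1A2BC3D4E5F6&0]
"FriendlyName"="Kingston DataTraveler USB Device"
""",
    "host-c": f"""Windows Registry Editor Version 5.00

[{USBSTOR_ROOT}\\{KINGSTON_MODEL}\\7&1a2b3c4d&0]
"FriendlyName"="Kingston DataTraveler USB Device"
""",
}

if __name__ == "__main__":
    for serial, (model, hosts) in correlate(SAMPLE_EXPORTS).items():
        print(f"{serial} ({model}) seen on: {', '.join(hosts)}")
```

In a real exploitation the same serials would also be pulled from the SYSTEM hive's MountedDevices values and from setupapi.dev.log, which additionally gives the first time each device was plugged in; that timeline is what turns a list of shared sticks into a picture of who carried what where.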
The raid on Osama bin Laden's compound reportedly lasted 38 minutes, and recent accounts suggest that the facility may have been secured relatively quickly. That would have left time for computer specialists to go to work.
"To process a computer that's in a running state, you're probably talking about 15 to 30 minutes," said HBGary's Hoglund. "A guy has a toolkit--a hardened briefcase, he sits down, plugs it in, and it provides him with a full view of what's on the RAM chips, and also allows him to image the hard drive." In addition, a subset of the information can be transmitted via VSAT--a very small, two-way satellite communications system--to intelligence analysts for immediate study.
What happens, however, if computers are powered off, as well as encrypted?
"If you're doing encryption on the drive properly, meaning you've done your research, looked at the solutions, you follow best practices, have a strong key, and don't have a weak passphrase, then it will probably never be decrypted. Because drive encryption done properly is extremely difficult, it ends up being a brute-force problem," said Hoglund.
To try and recover data in such situations, he said one standard practice is to remove the drives to an analysis facility that has crackers built using large arrays of field-programmable gate array (FPGA) chips. If a strong passphrase can be broken, that approach will do it within a week, or not at all. "It's like the event horizon--it's the threshold of tolerance," he said.
But given Osama bin Laden's use of couriers--who might not be computer-savvy, and who may have needed to operate from places like Internet cafes--"I wouldn't be surprised to find out that they weren't using any type of encryption," said Hoglund.
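What the "brute-force problem" looks like once the drive is on a bench, as an added example in Python that is not from the article or from HBGary: a volume header stores a salt, an iteration count and a verifier, and the driver derives a key from the passphrase through a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 here, modelled loosely on how LUKS1 checks a key slot) before comparing. An attacker holding the disk can run exactly that check offline, as fast as the hardware allows, which is why the only two variables that matter are the cost of one guess (the iteration count, which FPGA arrays exist to amortise) and the number of guesses a passphrase forces. The header layout, salts, passphrases and wordlist are all constructed for the demo, and the iteration count is set low so it runs in seconds.

```python
"""Offline passphrase attack against an encrypted-volume header.

Added example, not from the article. The header format is invented for the
demo and modelled loosely on a LUKS1 key slot: a salt, an iteration count,
and a verifier derived from the passphrase with PBKDF2-HMAC-SHA256. A real
header also stores the master key wrapped under the derived key.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000  # deliberately low so the demo runs in seconds


def make_header(passphrase, iterations=ITERATIONS, salt=None):
    """Constructed header: salt, iteration count and passphrase verifier."""
    salt = salt or os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(header, passphrase):
    """Return True if passphrase opens the header (what the driver does)."""
    derived = hashlib.pbkdf2_hmac("sha256", passphrase.encode(),
                                  header["salt"], header["iterations"])
    return hmac.compare_digest(derived, header["verifier"])


def crack(header, wordlist):
    """Dictionary attack: return (passphrase, guesses) or (None, guesses)."""
    for n, candidate in enumerate(wordlist, 1):
        if unlock(header, candidate):
            return candidate, n
    return None, len(wordlist)


def cost_estimate(header, search_space):
    """Seconds for an exhaustive single-threaded search of `search_space`
    passphrases on this machine, extrapolated from one timed guess."""
    t0 = time.perf_counter()
    unlock(header, "timing-probe")
    return (time.perf_counter() - t0) * search_space


# Constructed wordlist and two headers: one weak, one strong passphrase.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "baseball"]
WEAK = make_header("letmein", salt=b"\x01" * 16)
STRONG = make_header("correct horse battery staple 7!", salt=b"\x02" * 16)

if __name__ == "__main__":
    print("weak:  ", crack(WEAK, WORDLIST))
    print("strong:", crack(STRONG, WORDLIST))
    # 95 printable ASCII characters in 8 positions
    years = cost_estimate(STRONG, 95 ** 8) / (86400 * 365)
    print(f"exhaustive 8-char search on this CPU: about {years:.0f} years")
```

The weak header falls on the fourth guess; the strong one survives the wordlist and forces the attacker into the exhaustive search, whose cost scales linearly with the iteration count. Raising the count from the demo's 20,000 to the millions that modern volume formats use, or switching to a memory-hard KDF such as Argon2, is what moves a passphrase from "within a week" to "not at all" on the hardware Hoglund describes.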
