Tech Forensics Take Center Stage in Manning Pre-Trial

smitty777 writes with some updates from Bradley Manning's Article 32 hearing: "Wired has been reporting all [yester]day on the prosecution's technological evidence against Bradley Manning. The first is on the technology and techniques used by Manning. In the second, the examiners admit they didn't find any matching cables on Manning's computer. And finally, evidence that Manning chatted directly with Assange himself." The prosecution was able to access chat logs and other bits of evidence (which had been deleted, but not scrubbed from the disk) thanks to PFC Manning's use of the same password for his OS login and encryption passphrase. Oops.

"not scrubbed from the disk" ,"Same password" ??

[zero.kalvin]

Come one, for a person who do the work he was doing, he have known better! He should only blame himself for these mistakes.

Military vs. Civilian Justice

[Sadsfae]

The military justice system is a whole different world than that of civilians, it will be interesting to see if any of the circumstantial evidence will even matter.

Re:Military vs. Civilian Justice

[blizz017]

1. He's not at trial yet; this is an Article 32 hearing.. basically a grand jury hearing/pre-trial. 2. At Trial, he would have a jury of his peers; far more so than you'd find in a civilian courtroom. He's and enlisted soldier, so if his defense team opted, they can have a jury full of enlisted soldiers. 3. Contrary to what you wish to believe; military court martials aren't show trials. I'd argue that they're ultimately far more fair and impartial than you'll ever find in a civilian courtroom where a DA and/or Judge may have a political agenda to fulfill.

Re:Military vs. Civilian Justice

[vlm]

From having been in the military although not involved in the justice system, there are two reasons why military trials tend toward pointlessness.

1) Dumb people and addicts and nuts more or less can't get in the military. Most civilian trials, from talking to jury members, tend to involve some level of comedy, like how stupid / arrogant / high did the defendant have to be to think he'd not get picked up by the cops. Easy, trivial, to catch. But the smart military crooks (most stories I heard were about fencing stolen military property) were smart enough that it takes such a huge effort that the evidence is beyond overwhelming by the time they're arrested, there's no way Perry Mason could possibly get the guy free. Most military crooks tended to get caught by being too greedy, underlying substance abuse, or "hurrying up" toward the end of their enlistment, at least in the supply related stories I heard.

2) No rich people in .mil. Its widely believed that rich people don't do time in the civilian world, because its true. There's no way an enlisted soldier is going to afford OJ Simpson's lawyer. Also an enlisted soldier can donate a little to the correct political action committees, but not enough to matter. Maybe if his dad was an admiral or a general, maybe...

Re:Military vs. Civilian Justice

[Xest]

"Contrary to what you wish to believe;"

You know, not everyone on Slashdot has their viewpoints set in stone. There are at least one or two of us here still that are capable of taking in new information and changing our viewpoint based on the balance of evidence, rather than posting asserting that some preconceived notion is correct, despite not actually knowing that to be the case with some degree of accuracy.

I don't know a lot about US military trials, which is why I phrased my post largely as a question, as what I understood to be the case thus far was based largely on previous posts on the subject.

So to continue the point, what exactly is the goal of this pre-trial, what does it determine? how is the jury of peers decided? is it determined by a genuinely randomly selected set of soldiers? is there any scope for corruption to allow it to effectively become a show trial?

Re:Military vs. Civilian Justice

[wygit]

I remember Heinlein saying If you're guilty, you're better off in a civilian trial. If you're innocent, you're better off in a military trial.
From "Starship Troopers", I believe.

Re:Military vs. Civilian Justice

[Hatta]

3. Contrary to what you wish to believe; military court martials aren't show trials. I'd argue that they're ultimately far more fair and impartial than you'll ever find in a civilian courtroom where a DA and/or Judge may have a political agenda to fulfill.

Bradley Manning was held in solitary confinement for almost a year before he was even indicted. How is that consistent with your even handed, non-political picture of military justice?

Hero

[roman_mir]

You do realize, that unlike your football and basketball stars, you actually have a real hero, don't you? He is in your prison - a political prisoner, because he dared to challenge the government and its illegal activities.

Re:Hero

[Forty+Two+Tenfold]

A hero would have exposed corruption, wrongdoing, etc. and not just released a database hoping others would figure it all out. The hero in this scenario would have no need to be anonymous.

The alleged hero in this scenario was 22 years old at the time of the event. A 22 year old witness to his "brothers" in arms commiting atrocities.

Re:Hero

[AJH16]

Yes, because heroes leak information on what the government considers sensitive sites that could be vulnerable to terrorist attacks. You have a warped and naive view of what a hero is. Certainly some small amount of the information that came out indicated distasteful activity, however a large portion of it had no possible political purpose other than to try to hurt the US or give "bragging rights". The actions of whoever leaked the documents is not that of a hero trying to protect, but of an arrogant child trying to show off what they could do.

Even if the goal had been to see what they saw as atrocities stopped, it was not the correct forum to do so by and even if the correct forums had been taken, bragging about it demonstrates the true motivations. I hate corruption and abuse as much as anyone, but that doesn't even make the beginning of an excuse for the vast majority of the type of information that was leaked. What possible whistle is being blown by exposing that many neighbors and "allies" of Iran are secretly terrified of them getting nukes and begging for it to be stopped. All it does is make the situation more dangerous, less likely to be resolved peacefully and accomplishes nothing. There is no point to it.

The calls to go after Assanage seems foolish to me as he isn't a US citizen and I don't see how US law applies to him, but he could reasonably be considered a person non grata. Whoever leaked the documents however, did so from the US and is an enemy of the US and in fact world peace, whether intentionally or not and should be prosecuted as such. Arguably doing some small amount of good (in the wrong way) does not make up for the huge amount of inexcusable, irresponsible harm which was done.

Not so fast...

[neokushan]

From the first article...

In those chats, Manning told Lamo that he had “zero-filled” his laptops, referring to a way of securely removing data from a disk drive by repeatedly filling all available space with zeros. The implication from Manning was that any evidence of his leaking activity had been erased from his computers. But Shaver’s testimony would seem to indicate that either the laptops weren’t zero-filled after all, or that it had been done incompletely.

So Manning certainly knew about this kind of thing, but either didn't do it or didn't do it correctly. I wonder how difficult it is to mess something like that up?

Re:Not so fast...

[vlm]

Or he most certainly did, or at least he set up an automated system to do it, etc.

But, no one can/will publicly admit the truth, that either the automated system to do that can be selectively remotely subverted on command (perhaps a routine investigation into him "fishing expedition" found more than expected?) OR the secret truth that cannot be discussed is that classified data recovery operations can read overwritten data much better than public recovery operations.

Most likely this is one of those "lawyers approach the bench" undocumented moments where both sides were informed that public discussion of these classified projects in this trial will be prosecuted, etc... The less this seemingly important topic is discussed during the trial, the more likely they're covering up some interesting technical means.

Having worked in a Army reserve unit in the early 90s in an IT-like capacity, we were told if we were overrun, the ammo depot's records had to be wiped by thermite, not "writing zeros" or whatever. This is public knowledge, read the public TMs. There is probably a very good reason when going up against "the bad guys" you only trust thermite, and going up against internal investigators and auditors, "trust us, writing zeros is good enough"

Re:Not so fast...

[jimicus]

So Manning certainly knew about this kind of thing, but either didn't do it or didn't do it correctly. I wonder how difficult it is to mess something like that up?

Extremely easy.

Any modern operating system uses swap space - and while there's usually a way to ask the OS never to swap a program out, it's seldom exposed to the user. It normally relies on the program itself requesting this, and not everything will. Though a program may be exited later, the area of swapfile it used to use is not necessarily freed from disk.

On top of that, a few programs (eg. Gimp) deal with their own memory management to a certain extent and so operate their own swap independently of the OS - they may also keep other temporary files floating around and don't always delete them. Or they may not save a file in the way you expect - when you hit "save", it's not unusual for a program to:

  - Create a new file.
  - Dump the data into the new file.
  - Rename the old file.
  - Rename the new file so it has the same name as the old one.
  - Delete the old file.

This drastically reduces the risk of the app dying part way through the save process resulting in a corrupted file. It may result in a file that hasn't been saved, so some work may be lost, but it won't lose the lot. Of course this has the side-effect that there's an old file sat on the disk somewhere containing much the same data.

On top of that, very small files will be stored directly in the MFT on Windows. Now the size of file we're talking about is probably not big enough to contain any serious information, but it may well give a forensic investigator a clue as to what's been done.

I can think of a few scenarios in which Manning could easily mess up:

1. Several "secure delete" utilities offer the option to securely delete individual files. Which they will, but as discussed above that may not achieve much.
2. Using a tool to wipe all free space - these usually work by creating a file and filling it with zeroes until the OS eventually returns a disk full error, then deleting the file. I have no idea what - if anything - they'll do with any data still sitting around the MFT. Not to mention the fact that they won't help if there's any incriminating files sitting around that weren't deleted in the first place - and as we've established, it's quite possible for an application to do this totally invisibly to the end user.

Realistically Manning would need to run DBAN or something similar on the entire disk. This will wipe the OS, so the affected computer would need to be reimaged.

Re:Not so fast...

[Alranor]

Having worked in a Army reserve unit in the early 90s in an IT-like capacity, we were told if we were overrun, the ammo depot's records had to be wiped by thermite, not "writing zeros" or whatever. This is public knowledge, read the public TMs. There is probably a very good reason when going up against "the bad guys" you only trust thermite, and going up against internal investigators and auditors, "trust us, writing zeros is good enough"

Of course, that might have something to do with the fact that zeroing out the hard drives takes a not insignificant amount of time compared with just blowing them up. I've never been in the military myself, but I would hazard a guess that you might be under some time pressures if your base is being overrun by the enemy.

Re:Not so fast...

[VortexCortex]

The magnetic data is analog.  so, it's less 1's and 0's than 1.0031 and 0.073...
Overwriting with zeros could leave some evidence of the previous data eg (w/ a 1/100th retention: 0.010031 and 0.0073).
Amplify those by 100 and you get back your 1.0031 and 0.073.  It takes a very sensitive head, multiple reads, and a totally different drive enclosure, but you get the basic idea.

So, what if you write over the data with pseudo random noise? That's better, but not quite good enough.  The problem is that we know what the "top layer" of data is, so we can subtract out that layer of noise.

Eg: Let's say we have a multiple zero written surface, we're starting from scratch, and we write: 1010
1.0
0.0
1.0
0.0

Now, let's say that we overwrite this with 1100
1.01
1.00
0.01
0.00

We can read back the 1100 and subtract the noise from our signal.
0.01
0.00
0.01
0.00

Amplify the signal by a gain of 100.
1.0
0.0
1.0
0.0

With VERY sophisticated and sensitive gear you could even read back data after multiple writes.  The best part is that the CRC checksums of the sectors will help you verify the data is correct.  It's best to overwrite multiple times with a good source of (pseudo)randomness, like a cipher in CBC mode with a strong key and pseudo-random data stream.  I'd say 3 times would be more than enough to obfuscate the data, but what do I know?

Now, a factor of 100 is a gross simplification for example purposes only. This was a bigger concern with older hard drives; Modern hard drives store the magnetic fields in such a way that it's even harder to recover, but the truth is it's not digital.  It's still analog underneath, and subject to the same type of retrieval practices with very good gear.

SSDs use ware leveling, so over writing data does nothing but place the new data somewhere else, leaving the old data intact.

In any event, if you want the data really gone, just hit it with a hammer a few times... Thermite may attract more attention than its worth.

Re:Not so fast...

[Sloppy]

Any modern operating system uses swap space - and while there's usually a way to ask the OS never to swap a program out, it's seldom exposed to the user. It normally relies on the program itself requesting this, and not everything will. Though a program may be exited later, the area of swapfile it used to use is not necessarily freed from disk.

Yeah, there are lots of ways to screw up, but swap is one of the easiest things to get right. Since the user doesn't need to know a key, the machine can pick a totally random one (256 real bits, no guessable passphrase with less actual entropy) for it at every boot. Swap can be as solid as your best symmetric cipher, and that's pretty damn good. All the PK used on the internet will fail long before this level of tech does. Set things up right and swap may be the #1 safest place on your disks, the catch being that your lose it every time your reboot. ;-)

Re:Not so fast...

[huge]

it's not unusual for a program to:

- Create a new file.
- Dump the data into the new file.
- Rename the old file.
- Rename the new file so it has the same name as the old one.
- Delete the old file.

This. Some of the more recent applications may replace last three steps with atomic rename so that new file replaces the old one. Linux has supported atomic rename already for a good while and so do Vista and later versions of Windows. Even after this data from the old file and new file are still retained on disk, even though space used for the old file will be marked 'free'.

Re:Not so fast...

[loxosceles]

The standard recommendation I've seen is to overwrite at least 3, perhaps 5, 7, or even 9 times[0], often with a final all-zero overwrite[1] at the end (since an all-zero nominal image might discourage someone from looking harder, while a disk full of random-looking data can only result from a random overwrite or a full-disk encryption system).

The "kill it with fire" technique is more a question of speed and when you can afford to destroy disks. I've heard the NSA burns their disks, and Google physically mangles disks, but consider that those organizations are going to get rid of disks either when the device using them is past its useful lifetime, or when the disk starts failing. At that point the future value of keeping the disk around is low. It's more cost effective to use a quick method that prevents data recovery (of the desired level depending on threat model), rather than tying up computers and personnel in lengthy overwrite procedures when the disk is probably going to be thrown out anyway.

The reason for multiple overwrites is that if you look at absolute magnetic readings from the disk at each bit storage position, it's not digital. Instead of "1" or "0", you might see .998 or .005.

The one in-depth article I read a while back said that an overwrite moves the charge roughly 90% of the way to the opposite value. If a bit was "1" and is overwritten with "0", the new value would be 0.1 Subsequent overwrites similarly attenuate past data. Given disk error rates today, I think 90% is optimistically high.

For the sake of simplicity, if each overwrite pass changes the data value exactly 90% of the way from the current value to the target value, every bit on the disk is going to be either between 0 and 0.1 or between .9 and 1.0. More specifically, there are four possibilities for each bit. If the reading is close to the range 0.00 to 0.01, both the current and last image stored a zero. If the reading is close to the range 0.09 to 0.10, the current image is zero and the last image was a 1. Similarly for 0.90 to 0.91 and 0.99 to 1.00 ranges.

With a perfectly accurate magnetic detector and a HDD write mechanism that is perfectly accurate, and a perfectly linear and resilient magnetic layer on the disk, you could discover past images one by one... once you determine the last image logical value, you apply a function, possibly a linear map, to strip out the computer-visible layer and derive the exact magnetic reading as it would have been before the last overwrite. Repeat, wash, rinse...

The objective of overwriting several times is to push the magnetic differences caused by the last "real" stored data into the range where it's obscured by noise, either noise of the magnetic imager used to take raw magnetic readings, or much more likely, noise of the HDD writing mechanism (it isn't writing a perfect "1" value each time), or noise or imperfections of the magnetic substrate leading to imperfect magnetic storage.

I think recommendations for 35 overwrites, or even 9 overwrites, may be overestimating the capabilities of an adversary. Not because of anything the adversary does, but because of modern hard drives. Data is crammed into such small magnetic wells that the absolute magnetic readings are less consistent than ever before. Given the error rates of modern TB-sized disks, I would expect many blocks with unrecoverable (2+ bit errors per block) read errors upon reconstruction of even the second to last magnetic image. Repeating the process, I would expect errors to increase non-linearly. My WAG is that before 9 overwrites you're in a situation where even a perfect magnetic detector is reading only low-level noise from the drive. (I'm talking about noise from the non-perfect magnetic layer on the disk surface, and fluctuating magnetic field write strength from the drive head.)

[0] see, for instance, http://www.securityfocus.com/archive/1/310128

Re:Not so fast...

[budgenator]

So Manning certainly knew about this kind of thing, but either didn't do it or didn't do it correctly. I wonder how difficult it is to mess something like that up?

Well,

Johnson testified that he found two attempts to delete data on Manning’s laptop. Sometime in January 2010, the computer’s OS was re-installed, deleting information prior to that time. Then, on or around Jan. 31, someone attempted to erase the drive by doing what’s called a “zerofill” — a process of overwriting data with zeroes. Whoever initiated the process chose an option for overwriting the data 35 times — a high-security option that results in thorough deletion — but that operation was canceled. Later, the operation was initiated again, but the person chose the option to overwrite the information only once — a much less secure and less thorough option.

All the data that Johnson was able to retrieve from un-allocated space came after that overwrite, he said. Jolt in WikiLeaks Case: Feds Found Manning-Assange Chat Logs on Laptop

First you actually have to shred the files you don't want around, then do a quick single pass ZeroFill then on a frequent basis defrag the harddisk and do a high-level ZeroFill; few will have the patience to do this consistently enough to be effective. It's simply human nature to get sloppy and over-confident after a while.

Info Doesn't Add Up

[am+2k]

Maybe it's the usual journalist dumbing-down, but the forensics info doesn't add up:

Then, on or around Jan. 31, someone attempted to erase the drive by doing what’s called a “zerofill” — a process of overwriting data with zeroes. Whoever initiated the process chose an option for overwriting the data 35 times — a high-security option that results in thorough deletion — but that operation was canceled. Later, the operation was initiated again, but the person chose the option to overwrite the information only once — a much less secure and less thorough option.

So it's "only" zero-filled.

Mark Johnson, a digital forensics contractor for ManTech International who works for the Army’s Computer Crime Investigative Unit, examined an image of Manning’s personal MacBook Pro...

How is that contractor able to decode the original data from a zero-filled disk from a mere image?

Re:Info Doesn't Add Up

[Alranor]

Somehow you missed the very next line of the article ....

All the data that Johnson was able to retrieve from un-allocated space came after that overwrite, he said.

Re:Data Recovery Capabilities

[neokushan]

I'm very curious about this, because as far as I was aware, the debate on "how much do you need to overwrite data to securely delete it?" raged quite a bit a few years ago, but nobody could actually prove that it was possible to recover data that was overwritten just the once? There was even a website set up, the Great Zero challenge (Which has now been pulled, supposedly nobody ever accepted it) to try and prove or disprove the myth.

Does anyone have any information on where that really stands? Is it actually possible to recover overwritten data by any known means? I realise that the DOD don't see single-overwrites of zeros as enough, but what's that based on?

Re:Real Heros do not throw the lives of others awa

[Forty+Two+Tenfold]

A real hero would have taken the time to scrub names of people who are informants and such in hostile areas.

Whoever passed the information did so unto the entity that did the scrubing for him. It's unreasonable to expect that he parsed reams of documents to remove stuff.

A real hero would always be on the look out for the the little guy, not simply acting out of anger or spite.

Whoever leaked the docs, was looking out for the helpless and wanted to defend them from US military assholes acting out of infantile anger, spite and sadism.

A real hero does not act as Manning allegedly did.

FTFY, idiot.

we will never know how many lives were lost because of it. Granted we may not know of lives saved, but I imagine those lost are real.

FTFY. That's just your imagination/wishful thinking/bad will/brainwashing.

Re:Real Heros do not throw the lives of others awa

[AdamJS]

In fairness;
-He was assured that the names of sensitive peoples would be scrubbed. Or rather, the truly sensitive cables would not be leaked. And Wikileaks actually did not release many documents purely because of that.
-Wikileaks was using agencies like TheGuardian for the leaks, which assured them that they would properly vet the cables
-The last, drastic and total leak was the result of general incompetence in regards to the total file and the security passcode for it having been posted online by different people, unawares. Oops.

Really, his duty is to the US constitution, and if he believed that there was cause for the leaks - that the army or military or diplomats were treasonous in their duty and that the cables were proof needed to bring this to light - then it's quite understandable that he tried to expose them.

His main mistake was pure naivety or pure dumbassery in trusting a random foreigner with such sensitive data - he had NO way of knowing that this information wasn't going straight into enemy hands - and not trying to bring this data to a local news agency like the NYT (just an example).

Re:Data Recovery Capabilities

[blueg3]

It's not that simple. That's a reasonable description of an MFM disk, an old technology that isn't used any more. MFM disks were the topic of the Gutmann paper. Basically all claims that you can recover data from a zeroed drive are based on this paper. Gutmann has since repudiated it. Modern disks are substantially more complicated in terms of how a block of data gets turned into a collection of magnetizations, such that it's no longer reasonable to ever expect to get any useful information out of hysteresis (residual magnetization).

Nonetheless, the myth persists that somehow, magically, the government can read erased hard drives. What actually turns out to be the case is that people don't bother erasing hard drives.

(Also, it's not charge, it's moment. You can't add and remove magnetic charge because we haven't found any magnetic monopoles.)

Re:"not scrubbed from the disk" ,"Same password" ?

[Sloppy]

He should only blame himself for these mistakes.

Obviously, but Manning's not-having-his-shit-together was way deeper than technical. His situation was one where you don't even want to be a suspect or "person of interest." Once you have determined investigators looking at you, it's like having a determined burglar specifically interested in your house. He was one of tens (hundreds?) of thousands of people with access to these supposedly-sensitive documents, safely lost in a totally unmanageable crowd, and he told someone "look at me! look at me!"

I don't know if it even makes sense to "blame" him for getting caught, because at some point he apparently decided it was ok to get caught.

A climate of really lousy security...

[Demerara]

(1) Net Centric Diplomacy database
Appears to have been trivially downloadable. Manning used Wget to automate the capture of cables from this database. Manning had access to secure networks (SIPRNet) and it was this, rather than any technical expertise, that allowed him to pull all the cables.It seems as if the Net Centric Diplomacy database and its interface (presumably a web front end) lacked any functionality to inhibit automated / bulk downloads, to track or log downloads or to alert operators to suspicious or anomalous patterns of access.

Contrast this with the logging that was available in IntelLink (the SIPRnet internal search engine) that helped link incriminating keywords (Assange, Wikileaks etc) to the IP address assigned to Manning's computer. The defense cannot refute that, while they may be able to undermine the (very poorly gathered) computer forensics from Manning's computer.

(2) Microsoft Share Point server
Appears, also, to have been wide open to anyone on SIPRnet and to have permitted automated (scripted) bulk downloading of files. And, like (1), appears to have lacked any functionality to alert operators to suspicious behaviour.

Contrast this, also, with the logging that was available in IntelLink.

(3) Manning is no expert
First, he used the same password for both his operating system (presumably, his Windows username/password) as for his encryption. Second, he claims to have "zero-filled" his hard disk but had not done so. Third, he used his own computer for the IntelLink searches thereby leaving a trail of evidence.

(4) Lack of expertise seems quite widespread...
The computer environment at the FOB where Manning worked was risible. In testimony, an officer described how "soldiers would store movies and music in their shared drive on the SIPRnet. The shared drive, called the “T Drive” by soldiers, was about 11 terabytes in size, and was accessible to all users on SIPRnet who were given permission to access it, in order to store data that they could access from any classified computer." In other words, in practise, no distinction between storage for movies and music and the storage for classified materials. While the officer told soldiers not to use it for music and movies (and used to delete same as well as reporting the abuse), the practise was prevalent. And despite the 11 terabytes (that is 11 thousand Gigabytes) available for music and movies, this officer cites lack of storage as the reason that some logs (that may have contained evidence) were not maintained. This officer, Capt. Thomas Cherepko, received a "letter of admonishment" for the lax enviroment at this base.

Has the buck stopped at the Captain? I believe that points 1, 2 and 3 suggest a culture of information security so poor as to merit serious enquiry in its own right. Manning probably did break several laws in gathering and communicating the cables to WikiLeaks and, if convicted, must face the music. But the ease with which he did this ought to be cause for far more concern than we are seeing in the media. The US Army appears to be throwing Manning under a bus, but only a slap on the wrist for Cherepko. That is unjust. Lets see how this unfolds...