Computer Forensic Exam of Najibullah Zazi’s Laptop

by Mike Murr on September 25, 2009

Earlier today, Jonathan Abolins tweeted about a US DOJ memorandum on detainee Najibullah Zazi.  The memorandum concerns the motion the US government filed for a permanent order of detention for Zazi.  Part of the evidence supporting the order of detention comes from a forensic exam of Zazi’s laptop.  I found a few pieces of evidence quite interesting from a digital forensics perspective.

  • Zazi is associated with three separate email accounts.  The memorandum states that one account is “directly subscribed to Zazi”, and “all three accounts contain slight variations of the same password.”
    • While not the best password policy, it could help with attribution.
  • JPEG images of handwritten notes about explosives (manufacture, handling, etc.) were found as email attachments.
    • Keyword searches would probably fail to find this evidence, since the notes are JPEG images.  Are there any digital forensics tools (or plugins/scripts) that support keyword searching of images? (perhaps by OCR?)
  • Browser artifacts were uncovered that suggested Zazi searched for hydrochloric acid.  Additionally, a site for “Lab Safety for Hydrochloric Acid” was bookmarked with two different web browsers.
    • The bookmarking could be useful in demonstrating intent, as users often bookmark sites they wish to remember, and/or return to.  The same bookmark in two different browsers makes this action less likely to be “accidental”.
  • Some of the browser artifacts suggested that Zazi “searched a beauty salon website for hydrocide and peroxide”.  Later, surveillance videos and receipts were used to show that Zazi purchased hydrogen peroxide products from a beauty supply store.  Other persons associated with Zazi also purchased hydrogen and acetone from three other beauty supply stores.
    • Digital evidence is just one type of evidence.  Here digital evidence (browser artifacts) is combined with physical evidence (surveillance video and receipts) to make the arguments more persuasive.
  • After executing another search warrant (at a later date), Zazi’s laptop was seized again.  The difference is that in the latter seizure, the hard drive was not recovered (it had been removed).
    • This could be considered a rudimentary form of anti-forensics.  You can’t analyze ones and zeros if they aren’t there.
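The attachment point above (notes stored as JPEGs rather than text) is worth making concrete.  The following is an added example, not code from the original post or from any forensic tool: it builds a constructed MIME message in memory, pulls out its attachments, flags image attachments by their magic bytes, and shows that a keyword search over the message text cannot see anything that lives only inside the picture.  OCR is left as an optional hook; the hook assumes Pillow and pytesseract (plus the tesseract binary) are installed and simply returns an empty string otherwise.

```python
"""Triage of e-mail attachments that plain keyword search cannot index.

Added example, not from the original post. Builds a constructed message,
extracts its attachments, flags images by magic bytes and queues them for
OCR, and demonstrates that a text keyword search misses image content.
"""
import io
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Magic bytes for image formats commonly seen as attachments.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def build_sample_message() -> bytes:
    """Constructed sample: a short text body plus a fake JPEG attachment.
    The 'JPEG' is only a SOI/APP0 header, padding and an EOI marker; it is
    enough to trigger magic-byte detection but is not a real picture."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "notes"
    msg.set_content("see attached")
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9"
    msg.add_attachment(fake_jpeg, maintype="image", subtype="jpeg",
                       filename="page1.jpg")
    return msg.as_bytes()


def image_type(data: bytes):
    """Return the image format implied by the leading bytes, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def extract_attachments(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and describe each attachment.
    Detection uses the bytes, not the declared MIME type, so a JPEG
    renamed to .txt is still flagged for OCR."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        kind = image_type(payload)
        found.append({
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),
            "detected_image": kind,
            "size": len(payload),
            "needs_ocr": kind is not None,
            "data": payload,
        })
    return found


def keyword_hits(raw: bytes, keywords) -> list:
    """Keyword search over the message body text only. Anything that exists
    solely inside an image attachment is invisible to this search."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    return [k for k in keywords if k.lower() in text]


def ocr_text(data: bytes) -> str:
    """Optional OCR hook. Assumes Pillow and pytesseract are installed;
    returns '' when they are missing or the image cannot be decoded."""
    try:
        from PIL import Image      # assumed installed
        import pytesseract         # assumed installed, plus tesseract binary
    except ImportError:
        return ""
    try:
        return pytesseract.image_to_string(Image.open(io.BytesIO(data)))
    except Exception:
        return ""


if __name__ == "__main__":
    raw = build_sample_message()
    print("body hits for 'explosive':", keyword_hits(raw, ["explosive"]))
    for att in extract_attachments(raw):
        print(att["filename"], att["detected_image"], "needs OCR:", att["needs_ocr"])
        if att["needs_ocr"]:
            print("OCR text:", repr(ocr_text(att["data"])))
```

The design point is that `needs_ocr` is driven by the bytes rather than the `Content-Type` header, so mislabeled or renamed image attachments still end up in the OCR queue; once OCR text is available it can be appended to whatever index the keyword search runs against.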
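The bookmark and search-query points above (the same site bookmarked in two browsers, and search terms recovered from browser artifacts) can both be worked through in code.  This is an added example, not from the original post or from any examiner's toolkit: it constructs, in memory, a cut-down Firefox places.sqlite (only the moz_places and moz_bookmarks columns used here, which is a small subset of the real schema) and a cut-down Chrome "Bookmarks" JSON tree, then reports URLs bookmarked in more than one browser and pulls the user's query terms out of search-style history URLs.  All URLs, titles and the list of query-string keys are constructed for the example.

```python
"""Cross-browser bookmark corroboration and search-term recovery.

Added example, not from the original post. Firefox and Chrome bookmark
stores are simulated with a minimal subset of their real layouts; the
history URLs are constructed sample data.
"""
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Query-string keys that commonly carry the user's typed search text
# (constructed list; real sites vary).
SEARCH_KEYS = ("q", "query", "search", "s", "p")


def normalize(url: str) -> str:
    """Normalise a URL so trivial differences (www., trailing slash, case)
    do not hide the fact that two browsers point at the same page."""
    parts = urlsplit(url.strip())
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    path = parts.path.rstrip("/") or "/"
    return f"{parts.scheme.lower()}://{host}{path}"


def firefox_bookmarks(conn: sqlite3.Connection) -> list:
    """Bookmarks from a Firefox places.sqlite connection.
    type = 1 marks a bookmark (as opposed to a folder or separator) and
    fk references moz_places.id; only these columns are assumed."""
    rows = conn.execute(
        "SELECT b.title, p.url FROM moz_bookmarks b "
        "JOIN moz_places p ON b.fk = p.id WHERE b.type = 1"
    )
    return [{"title": t, "url": u, "browser": "firefox"} for t, u in rows]


def chrome_bookmarks(tree: dict) -> list:
    """Walk every folder under 'roots' in a Chrome Bookmarks JSON tree."""
    out = []

    def walk(node):
        if node.get("type") == "url":
            out.append({"title": node.get("name"), "url": node["url"],
                        "browser": "chrome"})
        for child in node.get("children", []):
            walk(child)

    for root in tree.get("roots", {}).values():
        walk(root)
    return out


def corroborated_bookmarks(*sources) -> dict:
    """Map normalised URL -> set of browsers, keeping only URLs that were
    bookmarked independently in two or more browsers."""
    seen = {}
    for src in sources:
        for bm in src:
            seen.setdefault(normalize(bm["url"]), set()).add(bm["browser"])
    return {u: b for u, b in seen.items() if len(b) >= 2}


def search_terms(history_urls) -> list:
    """Extract (host, query text) pairs from URLs that carry a search
    parameter; '+' and percent-encoding are decoded by parse_qs."""
    out = []
    for url in history_urls:
        parts = urlsplit(url)
        qs = parse_qs(parts.query)
        for key in SEARCH_KEYS:
            if key in qs:
                out.append((parts.netloc.lower(), qs[key][0]))
                break
    return out


def build_sample_firefox() -> sqlite3.Connection:
    """Constructed in-memory stand-in for places.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER,
                                    fk INTEGER, title TEXT);
        INSERT INTO moz_places VALUES (1, 'http://www.example.invalid/safety/acid/');
        INSERT INTO moz_places VALUES (2, 'http://news.example.invalid/');
        INSERT INTO moz_bookmarks VALUES (1, 1, 1, 'Lab Safety');
        INSERT INTO moz_bookmarks VALUES (2, 1, 2, 'News');
    """)
    return conn


# Constructed stand-in for Chrome's "Bookmarks" JSON file.
SAMPLE_CHROME = {
    "roots": {
        "bookmark_bar": {"type": "folder", "children": [
            {"type": "url", "name": "Lab Safety",
             "url": "http://example.invalid/safety/acid"}]},
        "other": {"type": "folder", "children": [
            {"type": "url", "name": "Mail", "url": "http://mail.example.invalid/"}]},
    }
}

# Constructed history URLs; two carry a search query, one does not.
SAMPLE_HISTORY = [
    "http://search.example.invalid/search?q=peroxide+strength",
    "http://shop.example.invalid/results?search=acetone",
    "http://news.example.invalid/",
]


if __name__ == "__main__":
    hits = corroborated_bookmarks(firefox_bookmarks(build_sample_firefox()),
                                  chrome_bookmarks(SAMPLE_CHROME))
    for url, browsers in hits.items():
        print("bookmarked in", sorted(browsers), ":", url)
    for host, term in search_terms(SAMPLE_HISTORY):
        print("search on", host, ":", term)
```

Against real evidence the only changes are opening the actual `places.sqlite` (on a read-only copy) and loading the real `Bookmarks` file with `json.load`; the normalisation step matters because the two browsers will rarely store byte-identical URLs for the same page.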

You can view the memorandum here.
