Earlier today, Jonathan Abolins tweeted about a US DOJ memorandum on detainee Najibullah Zazi. The memorandum concerns the motion the US government filed for a permanent order of detention for Zazi. Part of the evidence that supports the order of detention comes from a forensic exam of Zazi’s laptop. I found a few pieces of evidence quite interesting from a digital forensics perspective.
- Zazi is associated with three separate email accounts. The memorandum states that one account is “directly subscribed to Zazi”, and “all three accounts contain slight variations of the same password.”
- While not the best password policy, it could help with attribution.
- JPEG images of handwritten notes about explosives (manufacture, handling, etc.) were found as email attachments.
- Keyword searches would probably fail to find this evidence, since the notes are JPEG images. Are there any digital forensics tools (or plugins/scripts) that support keyword searching of images? (perhaps by OCR?)
- Browser artifacts were uncovered that suggested Zazi searched for hydrochloric acid. Additionally, a site for “Lab Safety for Hydrochloric Acid” was bookmarked with two different web browsers.
- The bookmarking could be useful in demonstrating intent, as users often bookmark sites they wish to remember, and/or return to. The same bookmark in two different browsers makes this action less likely to be “accidental”.
- Some of the browser artifacts suggested that Zazi “searched a beauty salon website for hydrocide and peroxide”. Later, surveillance videos and receipts were used to show that Zazi purchased hydrogen peroxide products from a beauty supply store. Other persons associated with Zazi also purchased hydrogen and acetone from three other beauty supply stores.
- Digital evidence is just one type of evidence. Here digital evidence (browser artifacts) is combined with physical evidence (surveillance video and receipts) to make the arguments more persuasive.
- After executing another search warrant (at a later date), Zazi’s laptop was seized again. The difference is that in the latter seizure, the hard drive was not recovered (it had been removed).
- This could be considered a rudimentary form of anti-forensics. You can’t analyze ones and zeros if they aren’t there.
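The “same bookmark in two different browsers” observation above can be checked mechanically rather than by eye. The following is an added example, not code from the original post: it collects bookmarked URLs from Chrome’s `Bookmarks` JSON file and from Firefox’s `places.sqlite` (both replaced here by constructed stand-ins that model only the fields read), then intersects them after light normalisation so that a trailing slash or host capitalisation does not hide a match.

```python
import json
import sqlite3
from urllib.parse import urlsplit

# Constructed stand-in for Chrome's "Bookmarks" JSON file, trimmed to the
# fields this script reads (real files carry more metadata per node).
CHROME_BOOKMARKS_JSON = json.dumps({"roots": {
    "bookmark_bar": {"type": "folder", "children": [
        {"type": "url", "name": "Lab safety page", "url": "https://example.org/lab-safety"},
        {"type": "folder", "name": "misc", "children": [
            {"type": "url", "name": "News", "url": "https://example.net/news"}]}]},
    "other": {"type": "folder", "children": []}}})


def constructed_places_db() -> sqlite3.Connection:
    """Minimal in-memory stand-in for Firefox's places.sqlite (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://Example.org/lab-safety/'), (2, 'https://example.com/other');
        INSERT INTO moz_bookmarks VALUES (1, 1, 1), (2, 1, 2), (3, 2, NULL);
    """)
    return conn


def chrome_bookmark_urls(bookmarks_json: str) -> set:
    """Recursively walk every root folder and collect bookmarked URLs."""
    def walk(node):
        if node.get("type") == "url":
            yield node["url"]
        for child in node.get("children", []):
            yield from walk(child)
    roots = json.loads(bookmarks_json)["roots"]
    return {url for root in roots.values() for url in walk(root)}


def firefox_bookmark_urls(conn: sqlite3.Connection) -> set:
    """Join moz_bookmarks to moz_places; type 1 rows are bookmarks, type 2 are folders."""
    rows = conn.execute("SELECT p.url FROM moz_bookmarks b JOIN moz_places p ON b.fk = p.id WHERE b.type = 1")
    return {row[0] for row in rows}


def normalise(url: str) -> str:
    """Lower-case the host and drop a trailing slash so trivial variants still match."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.lower()}{p.path.rstrip('/')}"


def shared_bookmarks(chrome_urls: set, firefox_urls: set) -> set:
    """URLs bookmarked in both browsers, compared after normalisation."""
    return {normalise(u) for u in chrome_urls} & {normalise(u) for u in firefox_urls}
```

Against real profiles, point `json.loads` at the Chrome `Bookmarks` file and `sqlite3.connect` at a copy of `places.sqlite` (work on a copy, since the live file may be locked).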
You can view the memorandum here.
The Computer Forensic Exam of Najibullah Zazi’s Laptop by Forensic Computing, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial 3.0 United States License.
Just found your article – pretty interesting stuff. I’ve never thought that permutations of an email password could lead to the discovery of the owner of those accounts.
I still don’t think there’s OCR technology that can do much with handwriting samples though. It would be a big help if there were technology that could indicate that handwriting even exists within a particular image…