Computer Forensic Exam of Najibullah Zazi’s Laptop

Earlier today, Jonathan Abolins tweeted about a US DOJ memorandum on detainee Najibullah Zazi.  The memorandum concerns the motion the US government filed for a permanent order of detention for Zazi.  Part of the evidence supporting the order of detention comes from a forensic exam of Zazi’s laptop.  I found a few pieces of evidence quite interesting from a digital forensics perspective.

  • Zazi is associated with three separate email accounts.  The memorandum states that one account is “directly subscribed to Zazi”, and “all three accounts contain slight variations of the same password.”
    • While not the best password policy, it could help with attribution.
  • JPEG images of handwritten notes about explosives (manufacture, handling, etc.) were found as email attachments.
    • Keyword searches would probably fail to find this evidence, since the notes are JPEG images.  Are there any digital forensics tools (or plugins/scripts) that support keyword searching of images? (perhaps by OCR?)
  • Browser artifacts were uncovered that suggested Zazi searched for hydrochloric acid.  Additionally, a site for “Lab Safety for Hydrochloric Acid” was bookmarked with two different web browsers.
    • The bookmarking could be useful in demonstrating intent, as users often bookmark sites they wish to remember, and/or return to.  The same bookmark in two different browsers makes this action less likely to be “accidental”.
  • Some of the browser artifacts suggested that Zazi “searched a beauty salon website for hydrocide and peroxide”.  Later, surveillance videos and receipts were used to show that Zazi purchased hydrogen peroxide products from a beauty supply store.  Other persons associated with Zazi also purchased hydrogen and acetone from three other beauty supply stores.
    • Digital evidence is just one type of evidence.  Here digital evidence (browser artifacts) is combined with physical evidence (surveillance video and receipts) to make the arguments more persuasive.
  • After executing another search warrant (at a later date), Zazi’s laptop was seized again.  The difference is that in the latter seizure, the hard drive was not recovered (it had been removed).
    • This could be considered a rudimentary form of anti-forensics.  You can’t analyze ones and zeros if they aren’t there.
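The cross-browser bookmark corroboration described above, as an added example that is not from the post or the memorandum: it extracts bookmarks from a Firefox places.sqlite (moz_places joined to moz_bookmarks) and from a Chrome Bookmarks JSON tree, normalizes the URLs, and reports those present in both.  The inputs are constructed stand-ins with placeholder URLs, not data from the case.

```python
# Added example, not from the memorandum or the post. Constructed inputs mimic the
# on-disk formats: a Firefox places.sqlite (moz_places/moz_bookmarks) built in memory
# and a Chrome Bookmarks JSON tree; URLs are placeholders, not from the case.
import json
import sqlite3
from urllib.parse import urlsplit

def normalize(url):
    """Canonical form so scheme, host case and a trailing slash do not hide a match."""
    p = urlsplit(url.strip())
    return f"{p.netloc.lower()}{p.path.rstrip('/') or '/'}"

def firefox_bookmarks(conn):
    """normalized URL -> title; type=1 is a URL bookmark, fk references moz_places.id."""
    rows = conn.execute("SELECT p.url, b.title FROM moz_bookmarks b "
                        "JOIN moz_places p ON b.fk = p.id WHERE b.type = 1")
    return {normalize(u): t for u, t in rows}

def chrome_bookmarks(tree):
    """Walk every root folder of the Bookmarks JSON and collect type='url' nodes."""
    found, stack = {}, list(tree["roots"].values())
    while stack:
        node = stack.pop()
        if node.get("type") == "url":
            found[normalize(node["url"])] = node.get("name", "")
        stack.extend(node.get("children", []))
    return found

def corroborated(ff, ch):
    """URLs bookmarked in both browsers: two separate user actions pointing at one site."""
    return sorted(set(ff) & set(ch))

def sample_firefox():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER,
                                    parent INTEGER, title TEXT);
        INSERT INTO moz_places VALUES (1, 'https://example.org/safety/acid', 'Lab Safety');
        INSERT INTO moz_places VALUES (2, 'https://example.net/news', 'News');
        INSERT INTO moz_bookmarks VALUES (1, 1, 1, 0, 'Lab Safety'), (2, 1, 2, 0, 'News'),
                                         (3, 2, NULL, 0, 'Folder');  -- a folder, not a URL
    """)
    return conn

SAMPLE_CHROME = json.loads('''{"roots": {
  "bookmark_bar": {"type": "folder", "children": [
    {"type": "url", "url": "http://EXAMPLE.org/safety/acid/", "name": "Lab Safety"}]},
  "other": {"type": "folder", "children": [
    {"type": "url", "url": "https://example.com/shop", "name": "Shop"}]}}}''')
```

Calling `corroborated(firefox_bookmarks(sample_firefox()), chrome_bookmarks(SAMPLE_CHROME))` returns the single URL both browsers hold; against real profiles, pair each hit with the bookmark timestamps from both stores to show the two actions were independent.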

You can view the memorandum here.