Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Cracking Bin Laden's Hard Drives

Security experts detail how the government will attempt to unlock the "trove of information" on devices recovered during the raid on Osama bin Laden's residence.

The weekend raid on Osama bin Laden's compound carried out by Navy Seals and CIA paramilitary operatives reportedly recovered numerous data storage devices.

According to the New York Times, "the team found a trove of information and had the time to remove much of it: about 100 thumb drives, DVDs and computer disks, along with 10 computer hard drives and five computers. There were also piles of paper documents in the house."

An unnamed U.S. official told Politico that the Navy Seals had recovered "the mother lode of intelligence," and that hundreds of people were already at work analyzing it at a secret base in Afghanistan.

"They're very likely to get a lot of really good, actionable intel off of these devices," since Osama bin Laden apparently had no direct connection to the Internet, said Greg Hoglund, CEO of security software and consulting firm HBGary, Inc., in a telephone interview. "So all of his work was done with outside couriers … and information that's coming and going is probably on thumb drives and DVDs, media like that," meaning that they likely stored important operational information.

According to Hoglund, the effort to recover Osama bin Laden's data likely started with--and was part of--the raid, in a process that's known as battlefield exploitation, which seeks to extract as much data as possible while in the field. That's because it's much easier to extract information from a computer that's still running. Even if a hard drive employs encryption, if the drive is still mounted, then it's vulnerable. Furthermore, if the team can take physical memory RAM snapshots of a live device, this can help crack any encryption.

Here's how the process works, said Rob Lee, a director at information security company Mandiant and a fellow at The SANS Institute, in a telephone interview: A military team will secure a location but not touch the computers. Next, computer experts--typically, contractors--traveling with the team come in and do a "clean takedown" of any machines. Little if any "deep dive" data analysis will be performed in the field, except perhaps some quick analysis in search of "low-hanging fruit," for example to note on a captured cell phone any phone numbers that the target recently called, or any recently sent emails. But the true payoff comes when intelligence analysts compare the captured data with "the hundreds of terabytes of data that they've already gathered over many years," for example to see how names, email addresses, and phone numbers match up.

The goal isn't just to recover data, but to rapidly understand its intelligence context. "Instead of standard forensics, the terminology is called media exploitation, and in the intel community, that word has a high value to it," said Lee. He said the practice dates from the start of the Iraq War.

Interestingly, both the data on the recovered devices as well as the devices themselves may provide valuable clues. That's because every USB storage device has its own serial number, which can be retrieved from any computer to which it's been connected. "You're able to track that USB device in every system it's touched," said Lee. That may help analysts better understand how the courier network operated, especially if the storage devices match up with previous PCs that they've encountered.

The raid on Osama bin Laden's compound reportedly lasted 38 minutes, and recent accounts suggest that the facility may have been secured relatively quickly. That would have left time for computer specialists to go to work.

"To process a computer that's in a running state, you're probably talking about 15 to 30 minutes," said HBGary's Hoglund. "A guy has a toolkit--a hardened briefcase, he sits down, plugs it in," and it provides him with a full view of what's on the RAM chips, and also allows him to image the hard drive. In addition, a subset of the information can be transmitted via VSAT--a very small, two-way satellite communications system--to intelligence analysts in for immediate study.

What happens, however, if computers are powered off, as well as encrypted?

"If you're doing encryption on the drive properly, meaning you've done your research, looked at the solutions, you follow best practices, have a strong key, and don't have a weak passphrase, then it will probably never be decrypted. Because drive encryption done properly is extremely difficult, it ends up being a brute-force problem," said Hoglund.

To try and recover data in such situations, he said one standard practice is to remove the drives to an analysis facility that has crackers built using large arrays of field-programmable gate array chips. If a strong passphrase can be broken, that approach will do it within a week, or not at all. "It's like the event horizon--it's the threshold of tolerance," he said.

But given Osama bin Laden's use of couriers--who might not be computer-savvy, and who may have needed to operate from places like Internet cafes--"I wouldn't be surprised to find out that they weren't using any type of encryption," said Hoglund.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16761
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the [email protected] npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0...
CVE-2019-16762
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any...
CVE-2019-13581
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A heap-based buffer overflow allows remote attackers to cause a denial of service or execute arbitrary ...
CVE-2019-13582
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A stack overflow could lead to denial of service or arbitrary code execution.
CVE-2019-6659
PUBLISHED: 2019-11-15
On version 14.0.0-14.1.0.1, BIG-IP virtual servers with TLSv1.3 enabled may experience a denial of service due to undisclosed incoming messages.