[iwar] [fc:Computers.Used.by.Hijackers.May.Yield.Information]

From: Fred Cohen (fc@all.net)
Date: 2001-09-19 18:58:54


To: iwar@onelist.com (Information Warfare Mailing List)

Computers Used by Hijackers May Yield Information

By Jenni Bergal and Christine Winter, NewsFactor, 9/19/01
http://www.ecommercetimes.com/perl/story/13617.html

Forensic computer experts say federal investigators may be able to
extract important information from computers reportedly used by some of
the terrorists believed responsible for last week's attacks. On
Tuesday, FBI agents spent the day examining computers at two library
branches in Hollywood, Fla., which they believe some of the terrorists
may have used to communicate via the Internet. In the next several
days, they expect to start looking through records at a branch in Coral
Springs, Fla., not far from where one of the suspects, Mohamed Atta,
lived this summer.

Crucial Evidence

Agents also scrutinized the main servers for the entire Broward County,
Fla., library system of 600 computers at 37 branches. A federal source
close to the investigation said early analysis shows the computers are
offering clues about the suspects and their communications. Forensic
computer experts say the suspects may have left behind crucial evidence.

"It sounds like the bureau is trying to find the trail of communication
through these computers," said Curt Bryson, an Internet investigation
consultant for New Technologies Inc. in Gresham, Ore. "Any computer
will leave a trace." Forensic experts said that even though the
computers were in a public place used by many people, e-mail messages,
Web sites and even money transfers can be tracked.

A Wealth of Information

"There may be a wealth of information to trace," said Lee Curtis,
managing director for high tech investigations at the Palo Alto, Ca.,
office of Kroll, a global investigations and intelligence company.
If the terrorists used the computers to communicate with others in the
United States or abroad, Curtis and Bryson said, investigators may be
able to retrieve that information. "It not only will give them the
person who received the e-mail, but those who were sending it," Bryson
said.

Hit-or-Miss

The experts cautioned, however, that computer forensics can be a
hit-or-miss process. Even if the terrorists used the computers, the
information they left behind might have disappeared, depending on how
long ago they logged on and how many people have used the computer
since then. In that case, experts said, the information might have been
"overwritten" rather than deleted, which would make it much harder to
trace. Even so, investigators still could send the computers to a
special national security lab run by the U.S. Department of Energy,
where forensic experts sometimes can retrieve data that has been
overwritten, according to Bryson, a former investigator for the Air
Force.

Bryson and Curtis said federal authorities also would try to get
information from any Internet provider the terrorists might have used,
such as America Online or Yahoo. AOL spokesman Nicholas Graham said the
company has been contacted by law enforcement and is cooperating. "We
will provide information upon request under the proper legal guidelines,
if we have it," Graham said.

Retrieving Old E-Mail

AOL does not store e-mails or instant messages, which disappear when
they are off the screen or when the user signs off, according to Graham.
E-mails can be retrieved by AOL from the recipient's mailbox for a few
days or possibly as long as a week after they are sent. Unopened e-mail
can be retrieved for a few weeks, until they are purged.

A Yahoo spokeswoman, who refused to allow her name to be used, declined
to comment about retrieving old mail from users' boxes, other than to
say that the company would cooperate if asked to do so by law
enforcement.

Curtis said he believes the computer investigation might give federal
agents some critical information as they try to piece together the
terrorists' activities. "A lot of these guys don't care about hiding
their trail," he said. "They want people to remember them."


------------------
http://all.net/ 

This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:45 PDT