From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Wed, 19 Sep 2001 18:58:54 -0700 (PDT)
Message-Id: <200109200158.SAA09793@big.all.net>
Subject: [iwar] [fc:Computers.Used.by.Hijackers.May.Yield.Information]

Computers Used by Hijackers May Yield Information

By Jenni Bergal and Christine Winter, NewsFactor, 9/19/01
<http://www.ecommercetimes.com/perl/story/13617.html>

Forensic computer experts say federal
investigators may be able to extract important information from computers reportedly used by some of the terrorists believed responsible for last week's attacks.

On Tuesday, FBI agents spent the day examining computers at two library branches in Hollywood, Fla., which they believe some of the terrorists may have used to communicate via the Internet. In the next several days, they expect to start looking through records at a branch in Coral Springs, Fla., not far from where one of the suspects, Mohamed Atta, lived this summer.

Crucial Evidence

Agents also scrutinized the main servers for the entire Broward County, Fla., library system of 600 computers at 37 branches. A federal source close to the investigation said early analysis shows the computers are offering clues about the suspects and their communications.

Forensic computer experts say the suspects may have left behind crucial evidence. "It sounds like the bureau is trying to find the trail of communication through these computers," said Curt Bryson, an Internet investigation consultant for New Technologies Inc. in Gresham, Ore. "Any computer will leave a trace."

Forensic experts said that even though the computers were in a public place used by many people, e-mail messages, Web sites and even money transfers can be tracked.

A Wealth of Information

"There may be a wealth of information to trace," said Lee Curtis, managing director for high tech investigations at the Palo Alto, Ca., office of Kroll, a global investigations and intelligence company.

If the terrorists used the computers to communicate with others in the United States or abroad, Curtis and Bryson said, investigators may be able to retrieve that information. "It not only will give them the person who received the e-mail, but those who were sending it," Bryson said.

Hit-or-Miss

The experts cautioned, however, that computer forensics can be a hit-or-miss process.
Even if the terrorists used the computers, the information they left behind might have disappeared, depending on how long ago they logged on and how many people have used the computer since then. In that case, experts said, the information might have been "overwritten" rather than deleted, which would make it much harder to trace.

Even so, investigators still could send the computers to a special national security lab run by the U.S. Department of Energy, where forensic experts sometimes can retrieve data that has been overwritten, according to Bryson, a former investigator for the Air Force.

Bryson and Curtis said federal authorities also would try to get information from any Internet provider the terrorists might have used, such as America Online or Yahoo. AOL spokesman Nicholas Graham said the company has been contacted by law enforcement and is cooperating. "We will provide information upon request under the proper legal guidelines, if we have it," Graham said.

Retrieving Old E-Mail

AOL does not store e-mails or instant messages, which disappear when they are off the screen or when the user signs off, according to Graham. E-mails can be retrieved by AOL from the recipient's mailbox for a few days or possibly as long as a week after they are sent. Unopened e-mail can be retrieved for a few weeks, until it is purged.

A Yahoo spokeswoman, who refused to allow her name to be used, declined to comment about retrieving old mail from users' boxes, other than to say that the company would cooperate if asked to do so by law enforcement.

Curtis said he believes the computer investigation might give federal agents some critical information as they try to piece together the terrorists' activities. "A lot of these guys don't care about hiding their trail," he said. "They want people to remember them."

------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:45 PDT