DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL (S//SI) SIGINT Forensics: A Look Inside Terrorists' Computers (repost) FROM: Dr. Adele Merritt SIGINT Forensics Lab Run Date: 12/30/2003 (U) Note from SIGINT Communications: This article appeared on September 22nd. (U//FOUO) Recently, the Royal Canadian Mounted Police arrested 19 suspected Al Qaeda members. The New York Times reported that the authorities "need to sift through 30 computer hard drives" and it "could take weeks if not months" to finish gathering evidence. Ever since the War on Terrorism started, government agencies throughout the world have been gathering computer media while pursuing and capturing suspected terrorist and Al Qaeda members. Ever wonder who looks at this data? (S//SI) The SIGINT Forensics Lab was established in September 2001. The Lab's mission is to analyze seized computer media in support of SIGINT operations. This makes the Lab unique from other computer forensics efforts that exist throughout the U.S. Government. Utilizing commercial, open source, and in-house developed tools, the Lab harvests communications information such as phone numbers and e-mail addresses in an effort to provide actionable SIGINT leads to NSA offices. Because the lead information is pulled from computer data, the Lab is also usually able to pass along useful context information to assist customers in assessing the significance of the lead. Residing in Cryptanalysis and Exploitation Services (CES), the Lab is also well-positioned to identify and facilitate the exploitation of encryption and steganography found in target computer data. (S//SI) One other unique service provided by the SIGINT Forensics Lab is the identification of direct and indirect communication links from looking across data from numerous target computers collected via SIGINT, HUMINT, and law enforcement efforts. This problem is more challenging than other metadata chaining efforts due to the variability of the communications data format and locations within computer media. However, the Lab has been able to overcome this problem and find countless communication connections between target computers. These discoveries have led to the identification of new targets for the SIGINT system to pursue, as well as providing a better understanding of how targets communicate via computers. (S) In addition to providing SIGINT support, the lab also provides technical assistance to external organizations through facilitating responses to requests for decryption of computer data, as well as providing computer communication profiles for targets. On occasion, the lab has also been able to provide non-communications forensics work. For instance, in November 2002, pictures of American trains found on a terrorist hard drive prompted intelligence reports and a FBI-issued alert warning that Al Qaeda operatives may be planning an attack against US railroads. Time Magazine reported in their November 4, 2002 issue, "photos of American passenger and cargo trains as well as rail crossings" were found on a terrorist hard drive. The SIGINT Forensics Lab examined the photos and accompanying computer files to determine that the train photos were taken from a 1980's commercially produced clip art CD. NSA was able to provide this information to the various elements of the U.S. Government who had committed resources to following this specific threat. (U//FOUO) If you are interested in learning more about the SIGINT Forensics Lab, please contact us at . "(U//FOUO) SIDtoday articles may not be republished or reposted outside NSANet without the consent of S0121 (DL sid comms)."
DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET // SI / TK // REL TO USA AUS CAN GBR NZL DERIVED FROM: NSA/CSSM 1-52, DATED 08 JAN 2007 DECLASSIFY ON: 20320108