How Digital Forensics Led (and Misled) The Bradley Manning Case




On July 30th of this year, PFC Bradley Manning was convicted of 19 out of 22 different charges, most notably 6 counts of espionage, and while sentencing is still pending, his total of convictions could lead to as many as 130+ years in prison for Manning.

All of the reams of leaked documents that he gained access to –the material he had leaked en masse to Wikileaks—had been obtained and distributed while he had worked at military bases in Iraq as a part of the Army’s Intelligence division, with access to major systems known as SIPRNet –the Secure Internet Protocol Router Network– and the Joint Worldwide Intelligence Communications System .

These convictions, the trial that lead to them and the most important part of the evidence that sustained the trial were the result of carefully scoured digital tidbits and clues which investigators slowly collected through numerous forensic techniques involving Manning’s computers, internet communications and the assorted data that the soldier had created on other electronic media.

Forensic Targets

While going into all the myriad details of how investigators put together their case and gathered their information against manning would take pages, there are several key factors that led to large amounts of information for the prosecution and justification for certain legal arguments that later failed in court when it came to making their case.

These forensic factors were collected by both government investigators and private forensic analysts under government contract. This latter being a common practice in modern digital investigations, since electronic forensic consulting companies such as LWG Consulting and ManTech International often have more professional specialization in these kinds of investigations.

Shortly after PFC Manning was detained in Iraq in March of 2010 under suspicion of having leaked classified government information, the investigation against him was able to get into full swing and the forensics used was aimed right at his personal machines.

Forensic analysis data that was used in court against Manning included digital analysis of SD memory cards used by the PFC to transport information, cards which were located at an aunt’s house in the U.S and with Manning’s belongings in Iraq.

In addition to these, all of Manning’s personal computers and any other electronic storage media he’d had were confiscated and taken by federal investigators, including a Macbook Air of his and an external hard drive that was with his possessions in Iraq.

Most importantly, military computers used by Manning while performing his duties for Army Intelligence between 2009 and 2010 were scoured by forensics investigators for clues about the soldier’s activities.

The computer hard drives and storage media collected weren’t the only targets of forensics either. In addition to both of these troves for the later prosecution’s case, online data was searched for which indicated the extent of Manning’s involvement with Wikileaks, how he had maintained contact with the people at the organization and whom he had talked to in online chat forums.

This sort of collected online evidence was based in part on search history records recovered from within Manning’s computers and partly on guiding information from Adrian Lamo, a former “grey hat” hacker who had originally first fingered Manning to the authorities after telling the FBI that he’d gained the soldier’s trust and been told about numerous leaked documents that Manning was revealing to Wikileaks.

The Evidence and its Effectiveness

What the Military investigation gleaned from all the devices and online chat and search logs they got from Manning’s various computers and media was truly extensive.

In addition to finding hundreds of thousands of pages of information taken and copied from the military databases the PFC had worked with, forensic analysts also scratched out plenty of search records, online chat logs and odd readme files which detailed Manning’s regular communications with others online, communications in which Manning indirectly discussed his leaking of documents.

One powerful additional discovery was an SSH log discovered on the Macbook Air, which showed records of an SFTP connection between the IP address at house of Manning’s aunt, where he had visited during the time he was leaking, and other IP addresses in Sweden that were tied ti Wikileaks.

Interestingly, what the evidence also found was that Manning had actually tried to erase HD data on his personal computers and had even gone through the trouble of reinstalling his operating systems after doing what are called “zero-fill” wipes of all the free space on his hard drives. These wipes basically fill in all open space on a machine with zeros as a method of completely wiping traces of data that’s been tossed in a machines digital trash.

The most fascinating part of this is the fact that the “zero-fill” wipe done by Manning on the Macbook air apparently hadn’t completely worked, since his

prosecution still managed to get enough information to nail him when the trial came around.

With all the documentation and communications logs dug up by the forensic analysts, proving that Manning had actually stolen tons of information and then handed it off to Wikileaks was not really that hard, and this is what eventually led to the numerous convictions for espionage slammed against him

What is interesting however, is seeing where the forensic investigator’s search for evidence also failed.

How The Main Charge against Manning was Derailed.

One thing prosecutors were really going for was a charge of Aiding the enemy, and in order to slam this charge forward, they put a lot of effort into looking for signs of more obvious and coordinated cooperation between Manning and the people at Wikileaks.

While they clearly had enough showing that Manning had maintained some contact with the Wikileaks staff and had given them plenty of data that he’d gathered on his own; what prosecutors and forensic analysts couldn’t prove convincingly was that the specific data Manning had copied was chosen based on direct or indirect instructions from Wikileaks. This is something that could have been construed as evidence for an Aiding the Enemy charge.

The main problem in this case was the fact that, despite all the forensic searches online and in Manning’s various machines, no direct signs of coordination between the leaker and Wikileaks were found. Not even a single record of him visiting the site of Wikileaks itself was ever located!

While the prosecution argued that this was because Manning had clearly performed data wipes on his machines (especially his Macbook Air), the judges at the trial rebuffed them by counter arguing that an absence of evidence was not in itself evidence of malfeasance.

Thus, while Manning had clearly made at least some attempts to destroy digital evidence of what he’d been doing (but surprisingly little effort if you really consider the magnitude of his activities), he may or may not have at least succeeded in destroying enough to foil prosecution investigators when it came to their biggest criminal charge.

About the Author:

Stephan Jukic_Headshot


Stephan Jukic is a freelance writer who generally covers a variety of subjects relating to the latest changes in white hat SEO, mobile technology, marketing tech and digital security. He also loves to read and write about location-free business, portable business management and finance. When not busy writing or consulting on technology and digital security, he spends his days enjoying life’s adventures either in Canada or Mexico. Connect with Stephan on Google+ and LinkedIn.