Forensic Expert: Manning’s Computer Had 10K Cables, Downloading Scripts

Army Pfc. Bradley Manning, left, is escorted out of a courthouse in Fort Meade, Md., Friday, Dec. 16, 2011, after the first day of a military hearing that will determine if he should face court-martial for his alleged role in the WikiLeaks classified leaks case. Manning is suspected of being the source in one of the largest unauthorized disclosures of classified information in U.S. history. (AP Photo/Cliff Owen)

FT. MEADE, Maryland – A government digital forensic expert linked accused Army leaker Bradley Manning to documents published by WikiLeaks with damning evidence Sunday, testifying that he found thousands of U.S. State Department cables on one of Manning’s work computers, ranging from unclassified to SECRET cables, among other incriminating documents.

Special agent David Shaver, who works for the Army’s Computer Crime Investigative Unit, said that on one of two laptops that Manning used he found a folder called “blue,” in which he found a zip file containing 10,000 diplomatic cables in HTML format, and an Excel spreadsheet with three tabs.

The first tab listed scripts for Wget, a program used to crawl a network and download large numbers of files, that would allow someone to go directly to the Net Centric Diplomacy database where the State Department documents were located on the military’s classified SIPRnet and download them easily; the second tab listed message record identification numbers of State Department cables from March and April 2010; the third tab listed message record numbers for cables from May 2010. The spreadsheet included information about which U.S. embassy originated the cable. The earliest indication on Manning’s computer that he was using the Wget tool dated to March 2010.

Shaver noted in his testimony that what he found particularly significant was that the cable record numbers in the spreadsheet were all sequential.

“Whoever did this was keeping track of where they were [in the downloading process],” said Shaver, the final government witness on Sunday, the third day of a pre-trial hearing that will determine whether the soldier will face a court martial on more than 20 charges of violating military law.

The Net Centric Diplomacy Database stores the more than 250,000 U.S. State Department cables that Manning is alleged to have downloaded and passed to WikiLeaks. In May 2010, he allegedly bragged in an online chat with former hacker Adrian Lamo that he had downloaded them while pretending to lip sync to Lady GaGa music. Six months after Manning was arrested in May, WikiLeaks began publishing 250,000 leaked U.S. embassy cables.

The zip file Shaver examined on Manning’s computer didn’t include the contents of the cables themselves, but Shaver said that while he was probing unallocated space on one of Manning’s laptops, he also found thousands of actual State Department cables, including ones classified as SECRET NOFORN, a classification that prohibits sharing of the information with non-Americans, and another “hundred thousand or so fragments” of cables.

In addition, he found two copies of the now-famous 2007 Army Apache helicopter attack video that WikiLeaks published on April 5, 2010 under the title “Collateral Murder.” He also found files pertaining to a second Army video, known as the Garani attack video, that Manning allegedly leaked to WikiLeaks, but which the site has not yet published. Shaver was able to recover a number of PDF files and JPEG images pertaining to the Garani incident that were supposedly deleted from Manning’s computer.

The “Collateral Murder” video depicts a U.S. gunship attack on Iraqi civilians that killed two Reuters employees and seriously wounded two Iraqi children. Shaver said one copy of the video he found on Manning’s computer was the version that WikiLeaks had published, and the other copy “appeared to be the source file for it.” The video appeared to have shown up on Manning’s computer for the first time in March 2010.

Shaver testified that he also found four complete JTF GITMO detainee assessments located in unallocated space on Manning’s computer. The assessments are reports written by the government about prisoners at the Joint Task Force Guantanamo Bay prison, assessing their threat risk should they be released.

Last April, WikiLeaks began publishing a trove of more than 700 Gitmo prisoner assessment reports.

Shaver discovered Wget scripts on Manning’s computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents, then downloaded the ones that WikiLeaks had published and found they were the same, Shaver testified.

Finally, Shaver found JPEGs showing aircraft in combat zones, as well as pictures that appear to show hospital burn victims.

Nearly all of the documents found on Manning’s computer, aside from the JPEGs of aircraft and burn victims, are documents that Manning allegedly confessed that he had stolen and passed to WikiLeaks in online chats with former hacker Adrian Lamo. Lamo had passed a copy of those chats to the government in May 2010, but forensic investigators found an identical copy of those chats on Manning’s computer as well, a government witness said Saturday.

In those chats, Manning told Lamo that he had “zero-filled” his laptops, referring to a way of securely removing data from a disk drive by repeatedly filling all available space with zeros. The implication from Manning was that any evidence of his leaking activity had been erased from his computers. But Shaver’s testimony would seem to indicate that either the laptops weren’t zero-filled after all, or the zero-filling had been done incompletely.

Aside from the files that Shaver found on Manning’s computer, he also found repeated keyword searches that suggest that Manning had, if nothing else, an extensive interest in WikiLeaks.

Shaver examined the logs of Intel Link – a search engine for the military’s classified SIPRnet – and found suspicious searches coming from an IP address assigned to Manning’s computer starting in December 2009. The search terms included “WikiLeaks,” “Iceland,” and “Julian Assange.”

The searches “seemed out of place,” Shaver said, for the kind of work Manning was doing in Iraq.

There were more than 100 keyword searches on “WikiLeaks,” the first occurring December 1, 2009. He also found searches for the keywords “retention of interrogation videos.” The first search for that term was Nov. 28, 2009, around the time that Manning told Lamo he first contacted WikiLeaks. “Interrogation videos” could refer to the infamous CIA videos showing the waterboarding of terror suspects, which the CIA destroyed, despite a court order to the contrary.

Shaver did not face defense cross-examination Sunday afternoon, but will likely do so Monday. He is also expected to testify on classified information in a court session closed to the public.

Despite Shaver’s testimony about being able to reconstruct Manning’s activities, testimony earlier in the day showed that the security conditions and logging in the area Manning worked lacked basic controls.

Capt. Thomas Cherepko, who is currently the deputy computer information services officer for the NATO command in Madrid, testified during cross-examination from the defense that on the day that Manning was arrested in May 2010, agents with the Army’s Criminal Investigations Division (CID) asked him for server logs that would show activity on the classified SIPRnet, activity on a shared drive that soldiers used for storing data in the Army “cloud” as well as email activity.

Cherepko hesitated in answering before saying that he was able to pull up some of the logs for the agents, but not others, because “some of them we did not maintain.”

Cherepko explained that due to lack of storage capability, they were not able “to maintain every single data log that you can see on [the television show] CSI.”

“The logs we maintain are generic server logs that we use for troubleshooting,” he said. “They’re technical logs, not administrative logs of user activity.”

When government attorney Capt. Ashden Fein later asked him in re-direct what the server logs contained, Cherepko replied, “I’m not entirely sure at this time.”

CID agents also asked him to image computers, but Cherepko could not recall exactly which computers he was asked to image. He said he did not do the imaging himself, but passed the task to one of his subordinates; a sergeant or a private (he couldn’t remember who) had done the imaging for him.

Cherepko testified that he expressed concern to the agents about creating “forensically sound images” so as not to taint the data. He said one of the CID agents replied to him saying in essence, “It’s okay, we haven’t seized it yet so you can’t really taint anything,” adding that it had been so long since the activity they were investigating occurred that “it’s already been contaminated.”

He was later asked to “make a copy of Manning’s folder” as well as log files from the server, but didn’t know how to do it in a way that would preserve the metadata for forensic purposes, so a CID agent had to walk him through the process over the phone.

Cherepko, who received a letter of admonishment last March from Lt. Gen. Robert Caslen for failing to ensure that the network of the 2nd Brigade Combat Team of the 10th Mountain Division – Manning’s brigade – was properly accredited and certified, continued his testimony about the lax network security at FOB Hammer.

He described how soldiers would store movies and music in their shared drive on the SIPRnet. The shared drive, called the “T Drive” by soldiers, was about 11 terabytes in size, and was accessible to all users on SIPRnet who were given permission to access it, in order to store data that they could access from any classified computer.

Rules prohibited using the shared drive for storing such files, and Cherepko would delete the files when he found them, but they would return despite his efforts. Although he reported the activity to his superiors, he wasn’t aware of any punishment that occurred as a result, or any subsequent enforcement of the rules against storing such files on the shared drive.

The hearing will resume Monday morning.

UPDATE 11pm EST: This story has been updated with additional information about forensic data found on Manning’s computers.

Manning Sent ‘Collateral Murder’ Video Links to Commanding Officer

FT. MEADE, Maryland – One of Bradley Manning’s officers in Iraq testified Sunday that after WikiLeaks published the “Collateral Murder” video that Manning allegedly passed to the organization, he sent her links to the video to show her that it was the same one stored on the military’s classified network.

Capt. Casey Fulton, the government’s first witness on the third day of the hearing, testified that she had asked the analysts in her unit if they had seen the video and what they thought of it.

Manning later approached her in person and told her it was the same video that was on the Defense Department’s SIPRnet, a shared classified network that Manning’s brigade, and others, used for gathering data and conducting analysis.

Fulton said she told him, “No way, that’s not the same video. It’s definitely shorter in duration” than the military video. She told him she would have to view the two videos side-by-side to verify if they were the same.

Manning subsequently sent her an email with two links to two video clips – one to the video stored on SIPRnet, the other to the video published by WikiLeaks. The exchange shows how familiar Manning was with the video and highlights the extended interest he had in it, after WikiLeaks published it.

Another witness testified on Saturday that after WikiLeaks published the video, Manning contacted his aunt, Debra Van Alstyne, asking how the public was reacting to publication of the video. Manning’s friend, Tyler Watkins, told Wired.com last year that Manning had also contacted him after the video was published, asking again how the public was reacting to the video.

In logged chats with former hacker Adrian Lamo, Manning was clear that the point of the leaking was to change people’s minds about the war and the U.S. government:

(02:24:58 AM) bradass87: the reaction to the video gave me immense hope… CNN’s iReport was overwhelmed… Twitter exploded…

(02:25:18 AM) bradass87: people who saw, knew there was something wrong

(02:26:10 AM) bradass87: Washington Post sat on the video… David Finkel acquired a copy while embedded out here

(02:26:36 AM) bradass87: [also reason as to why there’s probably no investigation]

(02:28:10 AM) bradass87: i want people to see the truth… regardless of who they are… because without information, you cannot make informed decisions as a public

UPDATE 12 noon Eastern

During the course of the government’s direct examination of Fulton, prosecuting attorney Capt. Ashden Fein asked Fulton if, in the course of his work, Manning had a need to conduct searches on SIPRnet for certain keywords – “GITMO SOP,” “Julian Assange,” “WikiLeaks” — or whether he had reason to visit a specific part of the CENTCOM web site. Fulton replied “no” in all cases.

Another witness, fellow intelligence analyst Sgt. Chad Madaras, was later asked similar questions. Madaras and Manning shared computers at Forward Operating Base Hammer in Iraq, where they were deployed together. Madaras worked the day shift, and Manning mostly served on the night shift.

The government asked if Madaras had ever used their computers to search for some of the same terms, as well as the term “JTF GITMO” or the name “Birgitta Jonsdottir,” or if he had ever used the Net Centric Diplomacy Database. Madaras replied “no” in each case.

The implication of the questioning seemed to be that the government had found forensic evidence that Manning’s workstation computers had been used to search these terms, though there was no testimony that stated this directly.

Birgitta Jonsdottir is the name of an Icelandic politician who worked with WikiLeaks to edit the “Collateral Murder” video before the organization published it in April 2010. The Net Centric Diplomacy Database is a database that stored 250,000 U.S. State Department cables that Manning is alleged to have downloaded and passed to WikiLeaks. CENTCOM is also significant, because Manning allegedly obtained an Army video from a CENTCOM web site and passed it to WikiLeaks.

Following Fulton’s testimony, two government witnesses invoked their right to silence under Article 31 of the Uniform Code of Military Justice. The two witnesses, Sergeant First Class Paul Adkins and Warrant Officer 1 Kyle J. Balonek, were dismissed by the court, despite objections from defense attorney David E. Coombs.

Adkins’s testimony would have been significant to the defense’s case because he is the only soldier known to have been demoted as a result of an internal Defense Department investigation into the Army’s handling of Manning.

Adkins had been a master sergeant at FOB Hammer in Iraq and had been responsible for the security of the Sensitive Compartmented Information Facility (SCIF) where Manning worked on classified information. In testimony with other witnesses yesterday, it was revealed that Adkins had failed to pass information up the chain of command about behavioral problems that Manning had exhibited on a number of occasions – both before his deployment to Iraq and in the period around Dec. 2009, when he is alleged to have begun his major leaking activity.

A large part of the defense strategy is to show that had the Army responded to Manning’s behavioral problems correctly, he should never have been deployed to Iraq in the first place or should have had his security clearance revoked early on his deployment – both of which would have made it impossible for him to obtain the documents he allegedly leaked to WikiLeaks.

The other witness who invoked his right to silence, Warrant Officer 1 Kyle Balonek, was supervisor during the day shift at the SCIF. Manning had worked for a time on the day shift and sometimes worked on research products for Balonek.

UPDATE 1:05pm

Proceedings in the court this morning continued in a contentious manner between defense attorney Coombs and the proceeding’s equivalent of a judge, Investigating Officer Capt. Paul Almanza. At one point, when the IO tried to stop a line of questioning with a witness, questioning its relevancy, Coombs abruptly walked to the defense table, grabbed a book containing Article 32 procedural rules and brandished it at Almanza.

“I would caution the investigating officer as to case law,” he said, adding that the defense should be given wide latitude in questioning to obtain evidence.

“The IO should not arbitrarily limit cross-examination,” he said. “I am not going off into the ozone layer about this. . . I should be allowed to ask questions about what this witness saw so I can have this testimony under oath as part of discovery.”

Army: Manning Kept a Copy of His Chatroom Confession

FT. MEADE, Maryland – Forensic investigators searching Bradley Manning’s computers and removable media found a full log of the online chats Manning conducted with former hacker Adrian Lamo in which Manning described his alleged leaking of classified information, a government witness revealed during testimony on Saturday.

Investigators also discovered classified information on an SD memory card they found at the Maryland home of Manning’s aunt, Debra Van Alstyne, where he had been living before enlisting in the Army.

Additionally, the government was able to recover logs from a Secret-level U.S. intelligence search engine called Intel Link, a system that allows government workers to search for classified documents on the SIPRnet. The logs detailed the searches performed from the IP address assigned to Manning’s workstation in Iraq. Government witnesses did not directly reveal Saturday what searches Manning had conducted.

The testimony in the second day of Manning’s Article 32 hearing — a hearing that will decide if his case proceeds to court martial — provided the first public overview of the government’s case against Manning, who turned 24 years old Saturday.

Lamo turned his copies of the chat logs over to authorities in May 2010 after Manning contacted him and began confessing that he had leaked hundreds of thousands of sensitive and classified documents to WikiLeaks, and that he had a direct relationship with WikiLeaks founder Julian Assange.

Assange — and some Manning supporters — have long challenged the authenticity of the chat logs, suggesting Lamo might have fabricated the correspondence to frame Manning. But the revelation that an identical set of logs was found on Manning’s personal laptop in Iraq will make it difficult for Manning’s attorneys to pursue that argument themselves.

Wired.com obtained a copy of the logs from Lamo in May 2010, and published portions of them online at that time. Full versions of the logs were published online earlier this year.

Special Agent Mark Mander, with the Army’s Computer Crime Investigative Unit, didn’t go into detail about the chat logs found on Manning’s computer, other than to say that the Army got a copy from Lamo, and “corresponding versions were found on the property collected from Pfc. Manning.”

Nor did he indicate what kind of classified information was found on the memory card in Van Alstyne’s home. He just noted that “some of that information was classified.”

Mander said that he and other investigators first visited Van Alstyne’s home on June 18, 2010, at which point she let them search a basement room where Manning’s things were stored. She also indicated that a computer in her upstairs bedroom belonged to Manning, but that she didn’t have access to it or know what her nephew used it for.

When investigators returned to the home in October, they found that the aunt had organized Manning’s belongings in a series of plastic containers. In the containers were a number of things they had missed during their initial search. This included various memory cards, a hard disk, and optical media disks. Among these was the SD memory card containing unspecified classified information.

The hearing continues Sunday.