A government digital forensic expert examing the computer of accused WikiLeaks source Bradley Manning retrieved communications between Manning and an online chat user identified on Manning’s computer as “Julian Assange,” the name of the founder of the secret-spilling site that published hundreds of thousands of U.S. diplomatic cables.
Investigators also found an Icelandic phone number for Assange, and a chat with a hacker located in the U.S., in which Manning says he’s responsible for the leaking of the “Collateral Murder” Apache helicopter video released by WikiLeaks in spring 2010.
Until Monday’s revelation, there have been no reports that the government had evidence linking Manning and Assange, other than chat logs provided to the FBI by hacker Adrian Lamo last year. Assange is being investigated by a federal grand jury, but has not been charged with any crime, since publishing classified information is not generally considered a crime in the U.S. But if prosecutors could show that Assange directed Manning in leaking government documents that he then published, this could complicate Assange’s defense that WikiLeaks is simply a journalistic endeavor.
The news of the chat logs between Manning and Assange came on the fourth day of Manning’s pre-trial hearing being held to determine whether he’ll face court martial on 22 charges of violating military law for allegedly abusing his position as an intelligence analyst in Iraq in order to feed a treasure trove of classified and sensitive documents to WikiLeaks.
Mark Johnson, a digital forensics contractor for ManTech International who works for the Army’s Computer Crime Investigative Unit, examined an image of Manning’s personal MacBook Pro and said he found 14 to 15 pages of chats in unallocated space on the hard drive that were discussions of unspecified government info between Manning and a person believed to be Assange, which specifically made a reference to re-sending info.
While the chat logs were encrypted, Johnson said that he was able to retrieve the MacBook’s login password from the hard drive and found that the same password “TWink1492!!” was also used as the encryption key.
Assange’s name was attached to a chat handle “[email protected]” listed in Manning’s buddy list in the Adium chat program on his computer. That Jabber address uses the same domain name allegedly mentioned by Manning in the chat logs that ex-hacker Adrian Lamo gave to the FBI and to Wired.com last year. In that earlier chat log, Manning was making reference to a domain that Assange was known to use.
In Manning’s buddy list there was also a second handle, “[email protected],” which had two aliases associated with it: Julian Assange and Nathaniel Frank. CCC.de in the domain refers to the Chaos Computer Club, a hacker club in Germany that operates the Jabber server.
When asked about the two aliases, Johnson said it was odd for a user to assign two names to one account, implying that some subterfuge might have been at play.
The chat logs mention a request to re-send some unspecified data, showing that the parties had talked before, Johnson said, as well as discussion about using SFTP for uploading data securely to an FTP server.
Johnson testified that he also found SSH logs on Manning’s computer that showed an SFTP connection from a Verizon IP address, that resolved to Manning’s aunt’s house in the U.S., to an IP address associated with a Swedish ISP called PRQ that is known to have links to WikiLeaks.
In a separate chat with Eric Schmiedl, who appears to be a photographer, lock picker and member of the hacker scene who lives in the U.S., Manning confesses that he leaked the Apache attack video, which documented the deaths of two Reuters employees.
Manning: Are you familiar with WikiLeaks?
Schmiedl: Yeah, I am
Manning: I was the source of the 12 Jul 07 video from the Apache Weapons Team which killed two journalists and injured two kids
Johnson testified that he found two attempts to delete data on Manning’s laptop. Sometime in January 2010, the computer’s OS was re-installed, deleting information prior to that time. Then, on or around Jan. 31, someone attempted to erase the drive by doing what’s called a “zerofill” — a process of overwriting data with zeroes. Whoever initiated the process chose an option for overwriting the data 35 times — a high-security option that results in thorough deletion — but that operation was canceled. Later, the operation was initiated again, but the person chose the option to overwrite the information only once — a much less secure and less thorough option.
All the data that Johnson was able to retrieve from un-allocated space came after that overwrite, he said.
Johnson says he also examined an external hard drive found in Manning’s bunk room in Iraq that contained a text file called wl-press.txt that was created on Nov. 30, 2009, right around the time that Manning told Lamo that he first made contact with WikiLeaks.
The file included the line: “You can currently contact our investigations editor directly in Iceland at 354.862.3481 : 24 hour service : ask for Julian Assange.”
During re-direct with Johnson, government attorney Joe Morrow referred Johnson to one of the charges against Manning that relates to the “United States Forces -Iraq Microsoft Outlook / SharePoint Exchange Server global address list belonging to the United States government,” which Manning allegedly stole between May 11-27, 2010.
Morrow asked Johnson if he’d found any evidence related to the global address list (GAL) and he replied that investigators found a text file in unallocated space that contained a task instruction to obtain the global address list for U.S. forces in Iraq. He also found thousands of Exchange-formatted email addresses on the computer. Asked if there was any evidence that the GAL had been released, Johnson replied, “I did not discover that, no.”
Johnson didn’t mention any date in relation to the GAL evidence he found on Manning’s computer, but on May 7, 2010, WikiLeaks had tweeted a request for people to send it .mil email addresses.
“We would like a list of as many .mil email addresses as possible. Please contact [email protected] or submit,” the Tweet read.
Also testifying today, was Special Agent David Shaver, who revealed that he examined an SD card found at Manning’s aunt’s house, where Manning had lived for a while, and found an encrypted zip file on it that contained three files he was able to open, and references to two files that had been deleted and were no longer accessible. The two deleted files were named “Nathan2_events.tar.br2″ and “Nathan2_event.”
Of the three files he was able to open, one file “Irq_events.csv” was created on Jan. 5, 2010 and contained more than 400,000 action reports from Iraq, pulled from the Combined Information Data Network Exchange, or CIDNE. The other file, “Afg_events.csv,” was created on Jan. 8, 2010 and contained about 91,000 action reports from Afghanistan. The third file, a readme.txt file, appeared to be a message to someone, likely WikiLeaks.
Items of historical significance of two wars Iraq and Afghanistan Significant Activity, Sigacts, between 00001 January 2004 and 2359 31 Dec 2009 extracts from CSV documents from Department of Defense and CDNE database. These items have already been sanitized of any source identity information.
You might need to sit on this information for 90 to 180 days to best send and distribute such a large amount of data to a large audience and protect the source.
This is one of the most significant documents of our time removing the fog of war and revealing the true nature of 21st century asymmetric warfare.
Have a good day.
Shaver said he was able to open those encrypted files using the same password he extracted from the MacBook.
“You got kind of lucky?” asked the prosecutor.
“Yes, sir,” Shaver replied.
In the summer and fall of 2010 WikiLeaks, and several media partners in the U.S. and Europe, published what WikiLeaks referred to as the Iraq War Diary – a cache of more than 400,000 so-called Sigact reports from the Iraq War – as well as the Afghan War Diary, a trove of some 91,000 Sigacts from the Afghan War.
UPDATE 7:55pm EST: To add information about evidence related to the GAL.
UPDATE 10:57pm EST: To add information about two files that had been deleted from the SD memory card, and to include names and dates of the files that were accessible on the card.
Photo Credit: Julian Assange photo by Lily Mihalik/Wired