September 25th, 2009

How Internet surveillance, IT sleuth work helped indict suspected terrorist Zazi

Posted by Larry Dignan @ 5:39 am

Categories: General, Government, IT Management, Infrastructure, Search, Web Technology

Tags: Agent, Information Technology, Pakistan, Laptop Computer, Internet, E-mail, Notebooks, Online Communications, Hardware, Notebooks & Tablets

Source: CBS News video

The indictment of suspected terrorist Najibullah Zazi, who is charged with acquiring and preparing bombs similar to the ones deployed in the 2005 London subway attacks, rides substantially on Zazi’s Internet surfing habits.

Federal prosecutors say that Zazi was trained in Pakistan and shuttled between Queens, N.Y. and Denver in an attempt to prepare bombs. The Feds allege that Zazi was involved in an Al Qaeda conspiracy to attack the U.S.

As you read the indictment and order for permanent detention (also see FBI statement, CBS News) you can almost picture the various connected databases and monitoring techniques at work. Simply put, Internet surveillance and information technology sleuthing played a big role in the Zazi case. FBI agents arrested Zazi in Colorado.

Jeffrey Knox, an assistant U.S. attorney, tells the tale in the permanent detention document. Here’s a look at the key linchpins where IT crossed paths with detective work.

The Customs databases…

Zazi flew from Newark Liberty International Airport to Peshawar, Pakistan on Aug. 28, 2008.   Something triggered in a database, given that Zazi, 24, was going to Peshawar, known as a terrorism hotbed.

Pakistan email accounts…

Here’s where the surveillance kicked in. Knox notes in the order for detention:

Zazi is associated with three email accounts (”Email Account 1,” “Email Account 2″ and “Email Account 3″) that were active during his time in Pakistan. One of the accounts is directly subscribed to Zazi, and all three accounts contain slight variations of the same password. The government will establish at trial that these accounts were used in furtherance of Zazi’s efforts to manufacture explosive devices. Among other things, during a consent search of two of the three accounts, agents found jpeg images of nine pages of handwritten notes containing formulations and instructions regarding the manufacture and handling of different kinds of explosives. Based on email header information, these images had been emailed to Email Accounts 2 and 3 in early December 2008, while Zazi was in Pakistan. As discussed below, the same notes were transferred onto Zazi’s laptop computer in June 2009.

Customs databases again…

Zazi flew back to the U.S. via JFK International Airport in Queens on Jan. 15, 2009.

You are your Internet search history…

Knox continues:

A lawfully-authorized search of Zazi’s laptop computer reflects that Zazi transferred the bomb-making instruction notes onto his laptop and/or accessed the notes on his laptop in June and July 2009. The FBI’s search of the laptop also reflects that Zazi conducted several internet searches for hydrochloric acid during the summer of 2009, and “bookmarked” a site on two different browsers for “Lab Safety for Hydrochloric Acid.” Zazi also searched a beauty salon website for hydrocide and peroxide.

Turns out Zazi and cohorts went shopping at various beauty supply stores for these ingredients. The Feds say that Zazi rented an Aurora, Colo. hotel room on Sept. 6 and 7 and tried to put the ingredients together.

The cell phone tap…

According to the permanent detention request:

Also on September 6 and 7, Zazi attempted to communicate on multiple occasions with another individual - each communication more urgent in tone than the last - seeking to correct mixtures of ingredients to make explosives. Included in the communications were requests related to flour and ghee oil, which are two ingredients listed in the bomb-making instructions. Zazi repeatedly emphasized in the communications that he needed the answers right away.

Internet search history take 2…

Knox writes:

A lawfully-authorized search of Zazi’s laptop computer reflects that the next day, September 8, Zazi searched the internet for locations of a home improvement store within zip code 11354, the zip code for the Flushing neighborhood of Queens, New York. He then searched the home improvement store’s website for muriatic acid, which is a diluted version of hydrochloric acid and, as discussed, could constitute the third component of TATP, which is comprised of hydrogen peroxide, acetone and a strong acid like hydrochloric acid. Zazi viewed four different types of muriatic acid. He viewed one particular type - Klean Strip Green Safer Muriatic Acid - multiple times. This product claims to have lower fumes and is safer to handle than standard muriatic acid.

Too little too late: Ditching the hard drive…

According to cell phone taps, Zazi started to realize he was being tracked after renting a car to New York. Zazi purchased an airline ticket and returned to Denver on September 12. After laptop searches revealed scans of handwritten bomb making instructions, Zazi removed the hard drive. According to Knox:

After Zazi’s laptop was searched in New York, and after Zazi returned to Colorado with his laptop, agents executed a search warrant at his Aurora residence. Agents recovered the same laptop that had previously been searched and found that the hard drive had since been removed.

There are still gaps in the account and specifics about how the Feds followed Zazi’s Internet habits. But it’s safe to say that the case would be a lot harder to prove if it weren’t for Zazi’s search habits and digital fingerprints.

Watch CBS Videos Online