FT. MEADE, Maryland – A government digital forensic expert linked accused Army leaker Bradley Manning to documents published by WikiLeaks with damning evidence Sunday, testifying that he found thousands of U.S. State Department cables on one of Manning’s work computers, ranging from unclassified to SECRET cables, among other incriminating documents.
Special agent David Shaver, who works for the Army’s Computer Crime Investigative Unit, said that on one of two laptops that Manning used he found a folder called “blue,” in which he found a zip file containing 10,000 diplomatic cables in HTML format, and an Excel spreadsheet with three tabs.
The first tab listed scripts for Wget, a program used to crawl a network and download large numbers of files, that would allow someone to go directly to the Net Centric Diplomacy database where the State Department documents were located and download them easily; the second tab listed message record identification numbers of State Department cables from March and April 2010; the third tab listed message record numbers for cables from May 2010. The spreadsheet included information about which U.S. embassy originated the cable. There were indications on Manning’s computer that he had begun using the Wget tool in March 2010.
Shaver noted in his testimony that what he found particularly significant was that the cable record numbers in the spreadsheet were all sequential.
“Whoever did this was keeping track of where they were [in the downloading process],” said Shaver, the final government witness on Sunday, the third day of a pre-trial hearing that will determine whether the soldier will face a court martial on more than 20 charges of violating military law.
The Net Centric Diplomacy Database stores the more than 250,000 U.S. State Department cables that Manning is alleged to have downloaded and passed to WikiLeaks. In May 2010, he allegedly bragged in an online chat with former hacker Adrian Lamo that he had downloaded them while pretending to lip sync to Lady GaGa music. Six months after Manning was arrested in May, WikiLeaks began publishing 250,000 leaked U.S. embassy cables.
The zip file Shaver examined on Manning’s computer didn’t include the contents of the cables themselves, but Shaver said that while he was probing unallocated space on one of Manning’s work laptops, he also found thousands of actual State Department cables, including ones classified as SECRET NOFORN, a classification that prohibits sharing of the information with non-Americans, and another “hundred thousand or so fragments” of cables.
In addition, he found two copies of the now-famous 2007 Army Apache helicopter attack video, that Wikileaks published on April 5, 2010 under the title “Collateral Murder.” He also found files pertaining to a second Army video, known as the Garani attack video, that Manning allegedly leaked to WikiLeaks, but which the site has not yet published. Shaver was able to recover a number of PDF files and JPEG images pertaining to the Garani incident that were supposedly deleted from Manning’s computer.
The “Collateral Murder” video depicts a U.S. gunship attack on Iraqi civilians that killed two Reuters employees and seriously wounded two Iraqi children. Shaver said one copy of the video he found on Manning’s computer was the version that WikiLeaks had published, and the other copy “appeared to be the source file for it.” The video appeared to have shown up on Manning’s computer for the first time in March 2010.
Shaver testified that he also found four complete JTF GITMO detainee assessments located in unallocated space on Manning’s computer. The assessments are reports written by the government about prisoners at the Joint Task Force Guantanamo Bay prison, assessing their threat risk should they be released.
Last April, WikiLeaks began publishing a trove of more than 700 Gitmo prisoner assessment reports.
Shaver discovered Wget scripts on Manning’s computer that pointed to a Microsoft SharePoint server holding the Gitmo documents. He ran the scripts to download the documents, then downloaded the ones that WikiLeaks had published and found they were the same, Shaver testified.
Finally, Shaver found JPEGS showing aircraft in combat zones, as well as pictures that appear to show hospital burn victims.
Nearly all of the documents found on Manning’s computer, aside from the JPEGs of aircraft and burn victims are documents that Manning allegedly confessed that he had stolen and passed to WikiLeaks in online chats with former hacker Adrian Lamo. Lamo had passed a copy of those chats to the government in May 2010, but forensic investigators found an identical copy of those chats on Manning’s computer as well, a government witness said Saturday.
In those chats, Manning told Lamo that he had “zero-filled” his laptops, referring to a way of securely removing data from a disk drive by repeatedly filling all available space with zeros. The implication from Manning was that any evidence of his leaking activity had been erased from his computers. But Shaver’s testimony would seem to indicate that either the laptops weren’t zero-filled after all, or that it had been done incompletely.
Aside from the files that Shaver found on Manning’s computer, he also found repeated keyword searches that suggest that Manning had, if nothing else, an extensive interest in WikiLeaks.
Shaver examined the logs of Intel Link – a search engine for the military’s classified SIPRnet – and found suspicious searches coming from an IP address assigned to Manning’s computer starting in December 2009. The search terms included “WikiLeaks,” “Iceland,” and “Julian Assange.”
The searches “seemed out of place,” Shaver said, for the kind of work Manning was doing in Iraq.
There were more than 100 keyword searches on “WikiLeaks,” the first occurring December 1, 2009. He also found searches for the keywords “retention of interrogation videos.” The first search for that term was Nov. 28 2009, around the time that Manning told Lamo he first contacted WikiLeaks. “Interrogation videos” could refer to the infamous CIA videos showing the waterboarding of terror suspects, which the CIA destroyed, despite a court order to the contrary.
Shaver did not face defense cross-examination Sunday afternoon, but will likely do so Monday. He is also expected to testify on classified information in a court session closed to the public.
Despite Shaver’s testimony about being able to reconstruct Manning’s activities, testimony earlier in the day showed that the security conditions and logging in the area Manning worked lacked basic controls.
Capt. Thomas Cherepko, who is currently the deputy computer information services officer for the NATO command in Madrid, testified during cross-examination from the defense that on the day that Manning was arrested in May 2010, agents with the Army’s Criminal Investigations Division (CID) asked him for server logs that would show activity on the classified SIPRnet, activity on a shared drive that soldiers used for storing data in the Army “cloud” as well as email activity.
Cherepko hesitated in answering before saying that he was able to pull up some of the logs for the agents, but not others, because “some of them we did not maintain.”
Cherepko explained that due to lack of storage capability, they were not able “to maintain every single data log that you can see on [the television show] CSI.”
“The logs we maintain are generic server logs that we use for troubleshooting,” he said. “They’re technical logs, not administrative logs of user activity.”
When government attorney Capt. Ashden Fein later asked him in re-direct what the server logs contained, Cherepko replied, “I’m not entirely sure at this time.”
CID agents also asked him to image computers, but Cherepko could not recall exactly which computers he was asked to image. He also said he did not do the imaging himself, but passed it to one of his subordinates – a sergeant or a private (he couldn’t remember who) had done the imaging for him.
Cherepko testified that he expressed concern to the agents about creating “forensically sound images” so as not to taint the data. He said one of the agents replied to him saying in essence, “It’s okay, we haven’t seized it yet so you can’t really taint anything,” adding that it had been so long since the activity they’re investing occurred that “it’s already been contaminated.”
He was later asked to “make a copy of Manning’s folder” as well as log files from the server but didn’t know how to do it in a way that would preserve the metadata for forensic purposes, so a CID agent had to walk him through the process over the phone.
Cherepko, who received a letter of admonishment last March from Lt. Gen. Robert Caslan for failing to ensure that the network of the 2nd Brigade Combat Team of the 10th Mountain Division – Manning’s brigade – was properly accredited and certified, continued his testimony about the lax network security at FOB Hammer.
He described how soldiers would store movies and music in their shared drive on the SIPRnet. The shared drive, called the “T Drive” by soldiers, was about 11 terabytes in size, and was accessible to all users on SIPRnet who were given permission to access it, in order to store data that they could access from any classified computer.
Rules prohibited using the shared drive for storing such files, and Cherepko would delete the files when he found them, but they would return despite his efforts. Although he reported the activity to his superiors, he wasn’t aware of any punishment that occurred as a result, or any subsequent enforcement of the rules against storing such files on the shared drive.
The hearing will resume Monday morning.
UPDATE 11pm EST: This story has been updated with additional information about forensic data found on Manning’s computers.