Breakdown of currently known forensic and circumstantial evidence related to Count 18 against Julian Assange, Conspiracy To Commit Computer Intrusion (18 U.S.C. 371 and 1030)
- posted August 8, 2019
A December 2017 criminal complaint, as well as March 2018 and May 2019 indictments against Julian Assange, demonstrate that prosecutorial theories related to a criminal conspiracy involving civilians have indeed survived the Chelsea Manning court-martial. I had reported and discussed the surviving theories after her court-martial.[1] One is the foundation of the existing superseding indictment.
Lets take a look at Count 18. Underlying that surviving theory is the allegation that Manning was in direct contact with Assange “during large portions” between on or about November 2009 to May 27, 2010.
WikiLeaks IRC Chats
Much attention has understandably focused on excerpts of March 2010 chats, allegedly between Manning and Assange. The incomplete fragments were recovered from the unallocated space on Manning’s personal laptop.
Yet, Manning said in a sworn statement that she began following WikiLeaks Internet Relay Chat (IRC) group channel in January 2010.
Manning also said that she joined other IRC channels of a technical nature: specifically “Linux and Berkeley Security Distribution (BDS) Operating System (OS), networking, encryption algorithms and techniques, and other more political topics such as politics and queer rights.” This may or may not be relevant to one outstanding question related to Count 18.
Within days or weeks of joining the WikiLeaks IRC channel (on January 8, 2010, according to Manning) she removed back-up CDs of Significant Activity reports from Iraq and Afghanistan that were stored the conference room of the secured intelligence shop at FOB Hammer, Iraq. She took them to her containerized housing unit. It was her first admitted transgression.
Once in her CHU, she transferred them onto an external SD card, which she brought home with her on leave later that month.
While on that leave[2] in Potomac, Maryland–beginning on January 23, 2010–she said she had discussed being in possession of material in the WikiLeaks IRC group-chat.
As told by Manning, an individual in that group-chat asked her to describe the information. But, the conversation was preempted by another, she said, who pointed her to the online submission system. She states that she uploaded the SigActs onFebruary 3, 2010.
In her own words, Manning said that the WikiLeaks IRC group-chats in mid-to-late January regarding Icelandic politics influenced her own decision to search out classified material on Iceland.
Three days after arriving back in Iraq (February 14, 2010), she searched again and came upon the 10REYKJAVIK13 cable, which was authored on January 13, 2010. She removed it from the SCIF, and uploaded it to WikiLeaks on February 15, 2010.
Prior to and just after her leave (January and early February time-frame), Manning also said she had been researching the 2007 Apache airstrike video that was dubbed “Collateral Murder” by WikiLeaks. She burned that video, rules of engagement, annexes, and other related material onto a CD on the same day that she burned 10REYKJAVIK13 (February 15, 2010).
According to Manning, she uploaded all of these on February 21, 2010 in Iraq via WikiLeaks’ online submission system.
Jabber Chats
But Manning also said that the WikiLeaks IRC channel switched over to Jabber in late February or early March 2010. Her Adium OTR contacts list file was created on January 25, 2010, five days before her computer was wiped, and two days into her stateside leave, which ended February 11, 2010.
Forensic evidence from excerpted chats with the handle pressassociation@jabber.ccc.de that she eventually labeled Julian Assange [3] had a duration from February 22, 2010the day after she stated in sworn testimony that she uploaded the 2007 Apache airstrike videountil May 24, 2010, days before Manning was arrested. The handle for the person(s) at pressassociation@jabber.cc.de, who she engaged with on Jabber was first known to her as “office.” She eventually changed the name in her Adium contact lists to Julian Assange.
Cracking the Admin Password on her Classified Computer
Manning was convicted of bypassing security mechanisms prohibited by Army Regulation 25-2 paragraph 4-5(a) (4), which military prosecutors described as attempting an FTP user account password to surf SIPRNET anonymously between November 1, 2009 and March 8, 2010.
She did this by downloading a Linux rescue disk onto her Macintosh laptop on March 2, 2010, according to forensic evidence at her court-martial, days before her known chats with a WikiLeaks interlocutor.
She subsequently booted her classified computer with that CD containing the Linux operating system to access the FTP user account to conceal her identity and surf SIPRNET anonymously. Booting from the Linux rescue disk, enabled her to obtain a portion of the FTP user accounts LM hash value for that account’s password.
A key question is if/how Manning came to know how to boot her computer with a Linux disk to obtain the partial hash of the admin password, said Jake Williams, a former member of the National Security Agency’s hacking unit and founder of Rendition InfoSec.
Based on a review of the court-record, that detail is not clear. While a basic capability, a security expert, who I spoke with on the condition of anonymity, suggested her other behavior–like querying Intelink, the Intelligence Community’s search engine, for rainbow tables and other obfuscating mechanisms–may suggests her technical proficiency was lacking.
Between December 6, 2009 and March 8, 2010, according to Intelink logs, Manning searched 19 times for terms such as “encryption, rendale,” and “MD5.”
The evidence underlying her conviction on the bypass security charge that was dated between November 1, 2009 and March 8, 2010 intersects with the subsequent criminal complaint and indictments against Assange, and the related chat fragment where she asks for assistance cracking the LM hash. Those chats are alleged to have occurred on March 5th to 8th, 10th, 16th to 18th, 2010.
They are the full extent of such communications recovered from the unallocated space on Manning’s computer, according to a forensic examiner, who testified for the government.
Williams told me that cracking her own machine’s administrator password would not only enable her to access SIPRNET anonymously, but could potentially give her access with other machines in the shop, provided the administrator passwords were the same.
Of the 14 hard drives retrieved from the tactical operations center and intelligence shop, where Manning worked in Iraq, all but four and a half were wiped or otherwise inoperable by the time law enforcement collect them after her arrest, and long after after the 2nd Brigade Combat Team returned home with their equipment.
Accessing material using other IP addresses is also relevant to forensic attribution when communication left the boundary of Manning’s DoD subnet in Iraq.
Nothing else within that perimeter was tracking her movements–hypothetically speaking–said the security expert, who spoke with me on the condition of anonymity, that is, except the active directory of Manning’s official account.
That is where the missing CENTAUR logs come in.
Missing CENTAUR logs
Nearly forty percent of DoD CENTAUR logs which tracked computer activity for two devices that Manning was known to have used to access SIPRNET between November 19, 2009 to May 29, 2010 are missing.
SIPRNET or the Secret Internet Protocol Router Network is the DoD “largest interoperable command and control data network” for information marked Secret.
For 74 out of 192 days of the relevant period, CENTAUR logs do not exist for Manning’s known devices, according to Army Computer Crimes Investigation Unit Special Agent David Shaver, the key computer forensic expert, who testified for military prosecutors at her court-martial.
The gaps in the CENTAUR logs occurred at critical points in military prosecutors’ criminal theory for charges against Manning that involve civilian co-conspirators. Those missing periods include November and December 2009 as well as April 2010.[4] Additionally, CENTCOM server logs are missing for the month of November 2009.
CENTAUR logs are the DoD’s version of Netflow data. They captured source and destination IP addresses, ports, transfer volume, start and end times, duration, as well as the specific sensors that were monitoring communication between devices.
The DoD had CENTAUR sensors at key perimeters between its internal sub-networks and at the boundaries between DoD networks and the commercial sector, according to the 2013 stipulated testimony of James Downey, the program manager for attack analysis at the Defense Information Systems Agency or DISA, an agency responsible for securing relevant DoD IT networks.
According to Downey’s 2013 stipulation: “Drastic changes in the history of a log tell [him] one of two things. When a log is not consistent with previous behavior over a large period of time, it would indicate to [him] that either a sensor was down or the relevant computer was turned completely off. There should always be some baseline level of activity for a computer connected to a network.”
Shaver also opined at her trialbased on all the indicators known to him at the timethat the sensors likely failed and there were no indications that the failure had anything to do with actions Manning took herself.
According to two security experts, whom I spoke with, Manning did not possess the required technical acumen in their view to take out the CENTAUR sensors. Military prosecutors also said during the court-martial that CENTAUR logs are not perfect monitoring systems.
However, Manning is but a piece of the overall WikiLeaks investigation, according to the lead military prosecutor at her court-martial. Military prosecutors brought a narrow case against Manning in that tiny Fort Meade courtroom in part to protect the Department of Justice’s ongoing criminal investigation into civilians allegedly involved in the leaks, as well as the success in any potential future prosecution(s). They also wanted to avoid having to disclose more classified information, involving numerous U.S. government equities–from breach and aftermath.
These are missing dates in the CENTAUR logs, according to unclassified evidence at her court-martial:
- November 20 to November 30, 2009
- December 2, 2009
- December 6 to December 18, 2009
- December 20 to December 31, 2009
- January 10, 2010
- January 15, 2010
- April 2 to 14, 2010
- April 16 to 21, 2010
- April 23 to 29, 2010
- May 1, 2010
- May 3, 2010
- May 5, 2010
- May 18, 2010
- May 22, 2010
- May 24, 2010
- May 26, 2010
- May 29, 2010
The CENTAUR logs in court-martial relate only to Manning’s known computers.
Missing CENTCOM Server Logs
CENTCOM server logs are also missing for the month of November 2009. According to the same expert, CENTCOM SIPRNET Sharepoint Server logs exist from December 1, 2009 to August 2010, because they were overwritten before law enforcement collection in July 2010.
While CENTAUR logs are not missing for the dates around the March 8, 2019 “lm hash” cracking discussion between Manning and a WikiLeaks interlocutor, who the U.S. government alleges was Assange; they are marked Secret and/or had been withheld pursuant to an ongoing criminal investigation(s), as of 2013.
Based on additional logs from the CENTCOM SIPRNET Sharepoint server (which are different than CENTAUR logs), the controversial video of a 2009 cluster bombing in Afghanistan was accessed two times by unidentified devices between December 2009 and July 2010, for example. Once on January 28, 2010 and again on February 23, 2010.[5]
On the first occasion Manning did not have access to the CENTCOM server, because she was on leave from Iraq, according to a defense counter-argument. For the second date, CENTAUR logs do exist, but do not evidence a connection between her known devices and the CENTCOM SIPRNET Sharepoint Server. The CENTCOM SIPRNET Sharepoint server logs, do not, however, track log IP addresses, but only whether material has been accessed.
Intelink Logs
Logs from Intelink do exist from October 2009 to May 2010. Those logs are how military prosecutors built most of the forensic case about Manning’s activities on her two known classified computers.
[1] See, for example, in December 2013; February; July 2014; August 2015; and because found I myself repeating the same discussion privately with colleagues, I threw a barebones summary in May 2017, as I was working on other stuff.
[2] Manning’s leave from Iraq occurred between January 23 and February 11, 2010.’
[3] In the same statement, Manning states she assumed her interlocutor was Assange or Daniel Schmidt.
[4] Military prosecutors alleged (unsuccessfully) that Manning acquired and transmitted an encrypted video located on the CENTCOM server that WikiLeaks tweet about on January 8, 2010 in November and December 2009. Shaver also testified that the user account for a civilian allegedly involved had copied the video onto his computer on 15 December 2009.
Shaver, the military prosecutions forensic expert, agreed based on other forensic evidence that the defense’s theory that she had transmitted the video of a May 2009 cluster bombing in Farah province Afghanistan to WikiLeaks in April 2010, when she downloaded and transmitted the full investigation file for the same incident was reasonable. Manning was acquitted of espionage (793(e)) for the Garani video, but convicted on the same for the Farah investigation documents.
[5] Based on CENTAUR logs that do exist and that were entered into evidence at Mannings court-martial, a total of seven IP address transferred approximately 20 megabytes of data with CENTCOM servers between October 2009 and May 2010.
Based on other logs, Manning had searched CENTCOM server(s) on November 30, 2009; December 9, 2009; December 15, 2009; and December 16, 2009; However, during this period there are gaps in the CENTAUR logs. She made additional searches on December 31, 2009. While there are logs, no data was transferred between her computers and CENTCOM server.
On January 2, 2010, she searched again, and CENTAUR logs show 18 transfers between her computer and CENTCOM server totalling 637 kilobytes (too small for the charged video). She made searches on January 4, 2010, with no transfers of data.
On February 19, 2010, she searched again and transferred 252 kilobytes (too small for the video).
She made another search on February 28, 2010, but did not (via 13 different connections) transfer to/from the CENTCOM server. None of the transfers or there sum would match the size of the video.
She searched again on March 12, 2010, a time frame that happened concurrent to the alleged chats with Julian Assange, and based on CENTAUR logs her device conducted 29 transfers of data, but they were too small in relation to the video.
She searched again on March 17, 2010 but there was no evidence of data transferred. Based on the court record, the only search of the CENTCOM server related to Farah (a province in Afghanistan that relates to two espionage charges against Manningone for the video of a 2009 cluster bombing she was acquitted of and another for documents related to the investigation of the same incident she was convicted of).