Terror investigation turns to forensic tools

Carnivore, the FBI's controversial Internet surveillance tool, is set to play a key role in the US government's investigation into the 11 September terrorist attacks in the US.

Called DCS1000 by the FBI, Carnivore monitors packets of data passing through an ISP's network. Officials at the FBI declined to comment on any details of its investigation.

Carnivore is similar to the software programs set up by the UK government to support the Regulation of Investigatory Powers Act (RIPA). Phil Huggins, the managing security architect for the digital security consultancy @stake, said: "The UK government will play an integral part in the investigations, since RIPA provides such sweeping powers."

RIPA requires ISPs in the UK to track all data traffic passing through their computers and route it to the Government Technical Assistance Centre (GTAC), established in the London headquarters of MI5.

The Home Office declined to comment on any involvement it may or may not have in ongoing investigations into the terrorist attacks.

According to Huggins, @stake has also offered its services to the US government, but he could not confirm if the company was currently involved in tracking down those responsible for the attacks. "We have worked very closely with US federal agencies in the past, as we have a lot of employees who are former FBI employees and White House security staff," Huggins said.

Investigators are already sifting through data in an attempt to identify possible suspects. "They will be looking at computer systems which produce and store detailed logging information," said Huggins. "It is the very un-sexy side of data investigations. Things like airport logs and mobile phone logs will all be looked at. Investigators will obviously be trying to find as much information as possible on those who were involved in planning the attacks."

One tool that Huggins believes may be used to track digital data is The Coroner's Toolkit (TCT), a suite of freeware tools partly distributed by @stake. Dan Farmer, a researcher for Earthlink Networks, and Wietse Venema, a researcher at IBM, originally wrote TCT.

"TCT is a collection of tools that are designed to assist in a forensic examination of a computer," said Huggins. "It's designed for Unix systems, but it can also get some data collection and analysis from non-Unix disks and media."

While there are a number of tools on the market that can aid criminal investigations, tools such as TCT are important because the data collected by the programs can be used as evidence in US courts.

"Courts rely on tools that have been used in past trials - even if there are technologies that are more up-to-date and effective. TCT is certainly one of those tools, as it's been used many times in court cases," Huggins said.

Further information
TCT: www.fish.com/tct and www.porcupine.org/forensics.
Atstake: www.atstake.com.
