FBI pursuing clues to terrorists on Internet and in e-mail
September 19, 2001
WASHINGTON - Attempts by terrorists to cover their tracks in cyberspace as they planned last week's attacks may have backfired because they accessed the Internet from computers in public libraries, computer forensic experts said Tuesday.
At the behest of the FBI, a federal grand jury ordered two libraries in Broward County, Florida, on Tuesday to turn over electronic files from their computers. Within hours of the attacks, the agency began scouring the Internet for any trails left by the suspects.
The FBI's Computer Analysis and Response Team moved quickly to examine files on Internet servers nationwide. They reportedly unearthed hundreds of e-mail messages in English and Arabic between the alleged hijackers and their associates. Investigators also are trying to obtain information from Internet service providers such as America Online and Web sites such as Yahoo that the terrorists might have used.
The trail of evidence could be substantial, said Curt Bryson, a computer forensics and Internet investigations consultant for New Technologies Inc. in Oregon, which trains many of the FBI's computer investigators.
"It's not just e-mail that's going to be retrievable. Anything they did on those machines, Web sessions, Web chat . . . is recoverable," said Bryson, a former special agent in the U.S. Air Force Office of Special Investigations.
If the suspects used Web-based e-mail, such as Hotmail or Yahoo mail, copies go "all over the hard drive, in places users don't realize," he said.
The terrorists most likely thought that creating free Web e-mail accounts and accessing them on widely used computers at public libraries would be more clandestine than using their own computers, Bryson said.
Web e-mail accounts don't require users to download messages to their computers the way Internet service providers such as EarthLink do, experts said.
The terrorists could have bought commercial software programs to cover their tracks, he said. The software erases the downloaded messages from a computer's memory, but the experts said it was doubtful the suspects had time to run such programs on computers in public libraries.
The terrorist network of Osama bin Laden, the prime suspect in masterminding the attacks, has employed advanced computer software before, investigators said. But even a sophisticated computer user would not know how to delete every trace or record of the messages from a computer's hard drive.
It's unclear what type of e-mail the suspects used. Yahoo officials have refused to comment on whether they are assisting the investigation. Investigators have contacted AOL, which is cooperating with authorities, said AOL spokesman Nicholas Graham.
Once read, e-mail messages on AOL remain in the system for about three to five days, he said. Sent messages or incoming messages that are unopened can remain for "several weeks," Graham said. Instant messages, however, are gone almost immediately, as are the messages in chat rooms, Graham said.
Internet service providers routinely keep history logs for 90 days that show when a person accessed an e-mail account and from where, said Lee Curtis, managing director for high-tech investigations at Kroll, a risk-management firm in San Jose.
"What's on a computer system could be a wealth of information," Curtis said.
The most important factor is getting to the computers and service providers quickly, he said.
The FBI apparently has done that. Within 24 hours of the attacks Sept. 11, FBI agents arrived at EarthLink's headquarters in Atlanta with a subpoena to search for e-mail and other information from the terrorist suspects.
The FBI wanted to install the controversial tracking software known as Carnivore. EarthLink refused to allow the use of Carnivore, which it and other service providers have opposed because of privacy concerns. But EarthLink used its own tracking information to assist the FBI.
Terrorists in bin Laden's network have left an electronic trail in the past. After the first World Trade Center bombing in 1993, the FBI discovered encrypted files in the laptop of Ramzi Yousef, the convicted leader of that attack. Those files outlined plans to blow up 11 U.S.-owned commercial airliners.
Encrypted files are scrambled and can only be read by someone with a special "key" to decode them. Encryption would make the task of FBI computer investigators more difficult, but not impossible, Bryson said.
FBI officials could not be reached for comment Wednesday about whether any of the e-mail messages they had retrieved were encrypted.
Law enforcement officials have been concerned about the use of encryption by terrorists, but the high-tech industry has successfully pressed for the removal of most controls on its export because it is produced by companies in other countries as well. More worrisome than encryption to some computer forensic experts is steganography, a technology that hides messages inside other files, such as pictures, music or other e-mail.
The Taliban leadership in Afghanistan, where bin Laden has lived in hiding for years, has said he could not have planned the recent terrorist attacks because he has been deprived of Internet access and other communications.
Some of the suspected hijackers who were living in South Florida were seen at libraries in Hollywood, Fla., leading to the FBI's subpoenas.
Investigators provided library officials with a list of suspected hijackers, said Sam Morrison, director of the Broward County library system. "We completed the check against our centralized computer data base and have provided that information to the FBI" on Tuesday, he said.
BY JIM PUZZANGHERA, Mercury News Washington Bureau, Copyright © 2001 KnightRidder.com