FBI DOCUMENT REQUEST NO. 34

Thomas H. Kean, CHAIR
Lee H. Hamilton, VICE CHAIR
Richard Ben-Veniste
Fred F. Fielding
Jamie S. Gorelick
Slade Gorton
Bob Kerrey
John Lehman
Timothy J. Roemer
James R. Thompson
Philip D. Zelikow, EXECUTIVE DIRECTOR

The National Commission on Terrorist Attacks Upon the United States ("the Commission") requests that the Federal Bureau of Investigation (FBI or the "respondent") provide the Commission with copies of the following documents no later than March 23, 2004 (the "production date"):

1. All Computer Analysis Response Team (CART) reports, or predecessor computer exploitation reports, regarding hard drives seized from al Qaeda associated subjects from 1995 through September 11, 2001.
2. All investigative materials (images or verbal) concerning travel or travel documents derived from those hard drives.
3. Sections on terrorist travel and travel documents from training manuals obtained prior to September 11, 2001, from al Qaeda or related organizations.

The Commission requests that documents requested above be provided as soon as they are available, even though all requested documents may not be provided at the same time, through means of a "rolling" production.

If any requested documents are withheld from production, even temporarily, based on an alleged claim of privilege or for any other reason, the Commission requests that the respondent, as soon as possible and in no event later than the production date, identify and describe each such document or class of documents, as well as the alleged basis for not producing it, with sufficient specificity to allow a meaningful challenge to any such withholding.

If the respondent does not have possession, custody or control of any requested documents but has information about where such documents may be located, the Commission requests that the respondent provide such information as soon as possible and in no event later than the production date.

If the respondent has any questions or concerns about the interpretation or scope of these document requests, the Commission requests that any such questions or concerns be raised with the Commission as soon as possible so that any such issues can be addressed and resolved prior to the production date.

March 9, 2004

Daniel Marcus
General Counsel

TEL (202) 331-4060
FAX (202) 296-5545
http://www.9-11commission.gov
DOCUMENTS RELATING TO ALL COMPUTER ANALYSIS RESPONSE TEAM (CART) REPORTS, OR PREDECESSOR COMPUTER EXPLOITATION REPORTS, REGARDING HARD DRIVES SEIZED FROM AL QAEDA ASSOCIATED SUBJECTS FROM 1995 THROUGH SEPTEMBER 11, 2001.
RESPONSIVE TO REQUESTS #34-1 [PACKET #1]
MATERIAL ALSO RESPONSIVE TO DR#34-2
(ALL INVESTIGATIVE MATERIALS (IMAGES OR VERBAL) CONCERNING TRAVEL OR TRAVEL DOCUMENTS DERIVED FROM THOSE HARD DRIVES.)
"SECRET MATERIAL ENCLOSED"
COMMISSION COPY
9/11 COMMISSION TASK FORCE DOCUMENT DELETION CODES [As of August 11, 2003]

"A" - SOURCE/INFORMANT INFORMATION - Information, the disclosure of which would tend to reveal the identity of an informant or source where confidentiality is expressed or implied.
"B" - FBI TECHNIQUES AND/OR METHODS - Information on sensitive FBI techniques and/or methods which would impede or impair the effectiveness of that technique and/or method.
"C" - NON-RELEVANT FBI CASE INFORMATION - Information neither relevant nor responsive to the Commission's requests.
"D" - FBI PENDING CASE INFORMATION - Information which would impede or jeopardize a pending investigation of the FBI.
"E" - STATUTORY - Information legally prohibited from release by statute.
"F" - PRIVACY/SECURITY - Information, the disclosure of which would be an unwarranted invasion of the personal privacy or jeopardize the safety of law enforcement personnel and/or their family members. Material redacted under this code includes (1) social security numbers; (2) date and place of birth; (3) home address and telephone numbers; (4) personnel cell phone and pager numbers.
"G" - FOREIGN GOVERNMENT INFORMATION - The identity of a foreign government and/or foreign service to include the names of foreign law enforcement employees/officials.
WITHDRAWAL NOTICE
RG: 148 Exposition, Anniversary, and Memorial Commissions
SERIES: 9/11 Commission Team 5, FRC Box 23
NND PROJECT NUMBER: 51095
FOIA CASE NUMBER: 30383
WITHDRAWAL DATE: 09/08/2008
BOX: 00004
FOLDER: 0001
TAB: 3
DOC ID: 31193682
COPIES: 1
PAGES: 11
ACCESS RESTRICTED The item identified below has been withdrawn from this file: FOLDER TITLE: T. Eldridge files-FBI CART documents DOCUMENT DATE: 08/14/1998
DOCUMENT TYPE: FBI 302
FROM: FBI New York TO: Director FBI SUBJECT:
Documents relating to all Computer Analysis Response Team (CART) reports, or predecessor computer exploitation reports, regarding hard drives seized from Al Qaeda associated subjects from 1995 through September 11, 2001. Responsive to Requests #34-1 Packet #1 [withheld material]
This document has been withdrawn for the following reason(s): 9/11 Classified Information
WITHDRAWAL NOTICE
9/11 Law Enforcement
Privacy
(12/31/1995)
FEDERAL BUREAU OF INVESTIGATION
Precedence: ROUTINE
Date: 06/02/1999
To: FBI Headquarters
    New York
Attn: NS-3C, Robert Briskman
      SAC John P. O'Neill
      ASAC Pasquale J. D'Amuro
From: New York
      1-49A
      Contact: SA [redacted]
Approved By:
Drafted By:
Case ID #: 256A-NY-259391-I8 (Pending)
Title: USAMA BIN LADIN; IT-SUDAN; OO:NY
Synopsis: Report of investigations conducted in Dhaka, Bangladesh from 05/22/1999 to 05/29/1999.
Details:
At the request of the [redacted], SA [redacted], New York Office and SA [redacted], WFO Cart Team, traveled to Dhaka Bangladesh, along with representatives of the CIA's Counter Terrorism Center (CTC). The purpose of this travel
Gr
Also on this date, three individuals were taken into custody [redacted]. According to information provided by the [redacted] these individuals are all members of HARKUT UL JIHAD and were charged with involvement in terrorist acts and anti-government activities.

Upon arrival to Dhaka, SA [redacted] met with [redacted] Director, [redacted]. Director [redacted] explained that his government has been attempting to control the activities of certain terrorist organizations who have a strong presence in Bangladesh. One such group is Harkut Ul Jihad. [redacted] stated that the [redacted] has information obtained through [redacted]
9/11 Law Enforcement Sensitive
REQ #34-1
000000012
Enforcement Privacy
To: FBI Headquarters From: New York
Re: 256A-NY-259391-I8 (Pending)
Title: USAMA BIN LADIN; IT-SUDAN; OO:NY
Synopsis: Report of investigations conducted in Dhaka, Bangladesh from 05/22/1999 to 05/29/1999.
Details: At the [illegible] York Office and SA [redacted], WFO Cart Team, traveled to Dhaka Bangladesh, along with representatives of the CIA's Counter Terrorism Center (CTC). The purpose of this travel was to assist in the analysis of computers seized during a search conducted on 05/04/1999. Also on this date, three individuals were taken into custody.

According to information provided by the [redacted] these individuals are all members of HARKUT UL JIHAD and were charged with involvement in terrorist acts and anti-government activities. Upon arrival to Dhaka, SA [redacted] met with Director [redacted]. [redacted] explained that his government has been attempting to control the activities of certain terrorist organizations who have a strong presence in Bangladesh. One such group is Harkut Ul Jihad. [redacted] stated that the [redacted] has information obtained through confidential sources that [redacted] but, according to the [redacted], has strong ties to some known terrorists, including the subjects of this arrest and arrests conducted in January of this year. [redacted] expressed concerns about the level of extremist involvement within Bangladesh. Due to the high poverty levels and relatively open borders, [redacted] feels that Dhaka is a fertile environment for recruitment and fund-raising by Islamic extremists. He welcomed the assistance of the United States as he believes "we are fighting the same enemies". Following this meeting Deputy Director [redacted] provided information concerning the arrests on 05/04/1999. [illegible] arrest took place [illegible]

All three men are Sunni Muslim. They have
9/11 Law Enforcement Sensitive
REQ #34-1
000000013
G
Enforcement Privacy
To: FBI Headquarters From: New York
Re: 256A-NY-259391-I8 (Pending)
Title: USAMA BIN LADIN; IT-SUDAN; OO:NY
Synopsis: Report of investigations conducted in Dhaka, Bangladesh from 05/22/1999 to 05/29/1999.
Details: At the request of the Bangladesh government, SA [redacted], New York Office and SA [redacted], WFO Cart Team, traveled to Dhaka Bangladesh, along with representatives of the CIA's Counter [illegible] of computers seized during a search conducted on 05/04/1999. Also on this date, three individuals were taken into custody. According to information provided by the [redacted] these individuals are all members of HARKUT UL JIHAD and were charged with involvement in terrorist acts and anti-government activities. Director [redacted] explained that his government has been attempting to control the activities of certain terrorist organizations who have a strong presence in Bangladesh. One such group is Harkut Ul Jihad. [redacted] stated that the [redacted] has information obtained through confidential sources that [redacted] but, according to the [redacted] strong ties to some known terrorists, including the subjects of this arrest and arrests conducted in January of this year, refused to speak to the authorities and are presently in the custody of the court system.

The computers seized were believed to have been used for the publishing activities of Harkut Ul Jihad. One of the computers is a Macintosh based system and the other is a Windows based system. There were also a number of floppy disks recovered. [redacted] which will be forwarded to the FBI laboratories and maintained as evidence. SA [redacted] also made cursory examination of additional copies of all the material seized but did not find any information which appeared to be connected to terrorist activity. Deputy Director [redacted] then explained that the [redacted] had attempted to access the [illegible] systems using [redacted] computer specialists. It was SA [redacted] opinion that information may have been lost during this initial examination. Both computers and all the floppy disks will be examined in detail by the FBI Laboratory. Director [redacted] requested that the [redacted] be given copies of any additional information retrieved from the computers or disks.
8
9/11 Law Enforcement Sensitive
REQ #34-1
000000014
Law Enforcement
Privacy
To: FBI Headquarters From: New York
Re: 256A-NY-259391-I8 (Pending)
Title: USAMA BIN LADIN; IT-SUDAN; OO:NY
Synopsis: Report of investigations conducted in Dhaka, Bangladesh from 05/22/1999 to 05/29/1999.
Details: At the request of the Bangladesh government, SA [redacted], New York Office and SA [redacted], WFO Cart Team, traveled to Dhaka Bangladesh, along with representatives of the CIA's Counter Terrorism Center (CTC). The purpose of this travel was to assist [illegible] Also on this date, three individuals were taken into custody, [redacted] According to information provided by the [redacted] these individuals are all members of HARKUT UL JIHAD and were charged with involvement in terrorist acts and anti-government activities. Upon arrival to Dhaka, SA [redacted] met with Director [redacted]. [redacted] explained that his government has been attempting to control the activities of certain terrorist organizations who have a strong presence in Bangladesh. One such group is Harkut Ul Jihad. [redacted] stated that the [redacted] has information obtained through confidential sources [redacted] but, according to the [redacted] strong ties to some known terrorists, including the subjects of this arrest and arrests conducted in January of this year. [redacted] who participated in this task were extremely helpful in coordinating the investigation. The investigative team was able to function efficiently and accomplish its tasks rapidly, without any complication.

In addition to the above investigation, SA [redacted] met with various U.S. Embassy staff to discuss two letters received by the embassy. According to the RSO's office, two individuals who recently applied for U.S. visas were connected to the Usama Bin Ladin terrorist organization by anonymous sources. In both cases anonymous letters were received concerning the individuals. Each letter alleged that the person applying for a U.S. visa was involved with the Bin Ladin terrorist organization. There did not appear to be a connection between the two cases. The Consular's office also indicated that letters such as this are not uncommon and are usually impossible to verify. The Embassy Consular's office supplied the two names as [redacted] [illegible] future information to the State Department and to FBI NY. New York was previously informed of the letter concerning [redacted]
9/11 Law Enforcement Sensitive REQ #34-1
000000015
Law Enforcement Privacy'
To: FBI Headquarters From: New York
Re: 256A-NY-259391-I8 (Pending)
Title: USAMA BIN LADIN; IT-SUDAN; OO:NY
Synopsis: Report of investigations conducted in Dhaka, Bangladesh from 05/22/1999 to 05/29/1999.
Details: At the request of the Bangladesh government, SA [redacted], New York Office and SA [redacted], WFO Cart Team, traveled to Dhaka Bangladesh, along with representatives of the CIA's Counter [illegible] of computers seized during a search conducted on 05/04/1999. Also on this date, three individuals were taken into custody, [redacted] According to information provided by the [redacted] these individuals are all members of HARKUT UL JIHAD and were charged with involvement in terrorist acts and anti-government activities. Upon arrival to Dhaka, SA [redacted] met with Director [redacted]. [redacted] explained that his government has been attempting to control the activities of certain terrorist organizations who have a strong presence in Bangladesh. One such group is Harkut Ul Jihad. [redacted] stated that the [redacted] has information obtained through confidential sources that [redacted] but, according to the [redacted] strong ties to some known terrorists, including the subjects of this arrest and arrests conducted in January of this year, through State Department channels.
9/11 Law Enforcement Sensitive
REQ #34-1
000000016
WITHDRAWAL NOTICE
RG: 148 Exposition, Anniversary, and Memorial Commissions
SERIES: 9/11 Commission Team 5, FRC Box 23
NND PROJECT NUMBER: 51095
FOIA CASE NUMBER: 30383
WITHDRAWAL DATE: 09/08/2008
BOX: 00004
FOLDER: 0001
TAB: 4
DOC ID: 31193692
COPIES: 1
PAGES: 37
ACCESS RESTRICTED The item identified below has been withdrawn from this file: FOLDER TITLE: T. Eldridge files-FBI CART documents DOCUMENT DATE:
DOCUMENT TYPE: FBI 302
FROM: TO:
SUBJECT:
Documents relating to all Computer Analysis Response Team (CART) reports, or predecessor computer exploitation reports, regarding hard drives seized from Al Qaeda associated subjects from 1995 through September 11, 2001. Responsive to Requests #34-1 Packet #1 [withheld material]
This document has been withdrawn for the following reason(s): 9/11 Classified Information
WITHDRAWAL NOTICE
9/11 Law Enforcement Privacy
(Rev. 08-28-2000)
FEDERAL BUREAU OF INVESTIGATION
Precedence: ROUTINE
Date: 07/16/2002
To: New York
    Counterterrorism
    Investigative Services
    Islamabad
Attn: AD P. D'Amuro
      SC [redacted]
From: London
      Contact:
Approved By:
Drafted By:
Case ID #: 265A-NY-259391 (Pending)
Title: USAMA BIN LADEN; MAJOR CASE 161
G
Synopsis: To provide New York with a computer and documents seized by [redacted] pursuant to the arrest of Hamza ALLIBI.
Reference: 265A-NY-259391 Serial 7811
Administrative: Forwarded on July 17, 2002, via Federal Express, to FBI New York, Attn: SA [redacted], the following:
- MW/24 - Hard drive removed from unbranded tower PC
- NF/16 - Hard drive removed from Dell Dimension L566CX
- MW/18 - 1 x CD
- MW/21 - 1 x CD & 5 floppy disks
- MW/27 - 1 x floppy disk
2 - Copies of the below listed [redacted] Exhibits:
DPN/2665/MPS/02
DPN/2670/MPS/02
REQ #34-1
000000054
To: New York From: London
Re: 265A-NY-259391, 07/16/2002
EP/1
CDR/DPN/2664/MPS/02
CDR/DPN/2670/MPS/02
MW/1 MW/2 MW/3 MW/4 MW/5 MW/6 MW/7 MW/8 MW/9 MW/10 MW/11 MW/12 MW/13 MW/14 MW/15 MW/16 MW/17 MW/18 MW/19 MW/20 MW/21 MW/22 MW/23 MW/24 MW/25 MW/26 MW/27
NF/1
REQ
#34-1
000000055
To: New York From: London
Re: 265A-NY-259391, 07/16/2002
NF/2 NF/3 NF/4 NF/5 NF/6 NF/7 NF/8 NF/9 NF/10 NF/11 NF/12 NF/13 NF/14 NF/15 NF/16 NF/17 NF/18
Record Only
Record Only
Record Only
Details: In referenced EC, Serial 7811, dated May 17, 2002, the recipients were provided with the following information:
"warrants that had been obtained under the auspices of the Terrorism Act 2000 (TACT). The warrants were executed simultaneously at [redacted]
9/11 Law Enforcement Sensitive
REQ
#34-1
000000056
G-
Law Enforcement Sensitive
To: New York From: London
Re: 265A-NY-259391, 07/16/2002
[redacted] computers, CD ROMs and floppy diskettes recovered during the aforementioned searches. [redacted] also provided Legat with copies of documents, communications, telephone address books, etc. recovered during the same searches. The Exhibits, as itemized in the Administrative Section of this communication, were forwarded to FBI New York, Attn: SA [redacted] on July 17, 2002, via Federal Express. FBI New York is requested to provide the enclosed to CART, and to ensure that remaining [redacted] Exhibits into INTELPLUS.
9/11 Law Enforcement Privacy
000000057 REQ #34-1
To: New York From: London
Re: 265A-NY-259391, 07/16/2002
LEAD(s):
Set Lead 1:
NEW YORK AT NEW YORK, NY
New York is requested to ensure that [illegible] provided by [redacted] is made available to CART. New York is requested to ensure that all relevant Exhibits are entered into INTELPLUS.
Set Lead 2: (Adm)
COUNTERTERRORISM AT WASHINGTON, DC
Read and clear.
Set Lead 3: (Adm)
INVESTIGATIVE SERVICES AT WASHINGTON, DC
Read and clear.
Set Lead 4: (Adm)
ISLAMABAD AT ISLAMABAD, PAKISTAN
Read and clear.
REQ #34-1
000000058
DOCUMENTS RELATING TO ALL COMPUTER ANALYSIS RESPONSE TEAM (CART) REPORTS, OR PREDECESSOR COMPUTER EXPLOITATION REPORTS, REGARDING HARD DRIVES SEIZED FROM AL QAEDA ASSOCIATED SUBJECTS FROM 1995 THROUGH SEPTEMBER 11, 2001.
RESPONSIVE TO REQUESTS #34-1 [PACKET #2]
(MATERIAL ALSO RESPONSIVE TO DR#34-2 ALL INVESTIGATIVE MATERIALS (IMAGES OR VERBAL) CONCERNING TRAVEL OR TRAVEL DOCUMENTS DERIVED FROM THOSE HARD DRIVES.)
"SECRET MATERIAL ENCLOSED"
"CONTAINS SENSITIVE CRIMINAL AND/OR [illegible] INFORMATION PERTAINING TO TERRORISM-RELATED INVESTIGATIONS"
COMMISSION COPY
9/11 Law Enforcement Privacy
9/11 Law Enforcement Sensitive
04/16/04 10:14:54
View Document Text
Case ID: 315N-NY-259391-302 *
Responses:
Serial: 411

On March 28, 2002, Special Agent [redacted], FBI, Washington Field Office, Computer Analysis Response Team (CART), assisted in the execution of searches in [redacted]. Following the execution of these searches, the evidence was brought to [redacted] where SA [redacted] examined the following computer media:

Site D 71-2331:
Generic mini-tower CPU containing one hard drive, a Quantum Fireball EX, serial number 527351, p/n EX32A014, approximately 3 Gigabytes (GB),

Site F 73-9001:
SP tower CPU containing one hard drive, a Quantum Fireball lct, p/n QML15000LC-A, serial number 612019327495 DFZXX, approximately 15 GB,

Site G 74-6931:
Smart series mini-tower CPU containing one hard drive, a Quantum Fireball CR, serial number 824916152940 PGZXX, approximately 4 GB,

An image copy of each hard drive was created and stored on forensically sterile media. The working copy hard drives were then reviewed for immediate threat information. These working copies remained in [redacted] after SA [redacted] left on 3/31/02, for further evaluation.
The following e-mail addresses were associated with the Site F 73-9001 hard drive: [redacted]hotmail.com and [redacted]. Both addresses were aliased/nicknamed as [redacted]. One e-mail provided instructions for depositing donations to [redacted]

An e-mail received from [redacted], originating IP address [redacted], revealed that the writer was working in [redacted]
A number of documents in Arabic were also located and appeared to be related to bank accounts, phone numbers and lists of contacts for fund-raising activities. Further analysis is required.

The original CPUs, with the exception of the system from Site G, were transported back to the United States for further examination. The CPU from Site G was returned to the [redacted] authorities.
REQ #34-1
000000064
67
9/11 Law Enforcement Privacy
FD-302 (Rev. 10-6-95)
-1-
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 06/20/2000

Computer Analysis Response Team (CART) field examiner (FE) [redacted] of the New York City Division requested the assistance of CART FE [redacted] with an Apple computer system examination.

In performance of the above stated request, the CART FE assisted special agents in the review of previously copied files from original evidence in this matter. The files reviewed were located on CDROM discs. The review process included, but was not limited to, printing files, viewing files, and troubleshooting problems that arose during the review. This is the extent of the assistance provided regarding the Apple computer system. All related materials remained with the New York City Division.

Investigation on 5/15/00 at Manhattan, New York
File # 255A-NY-259391
Date dictated 6/20/00
by [redacted], CART FE

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
9/11 Law Enforcement Sensitive FD-302 (Rev. 10-6-95)
-1-
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 12/20/1999

On Friday, December 17, 1999, at 2:30 PM, SA [redacted] was given access to three computers, believed to be associated with [redacted]. Images were made, to magneto optical cartridges, of the following computers:

A Toshiba Satellite Model 300CDT notebook computer, serial number 68542478E, containing a Toshiba hard drive, serial number 68118960.

A TIKO desktop computer (no serial number), containing two hard drives, a Maxtor 7270AV hard drive, serial number H203B9HS, and a unknown model, 813 [illegible]B hard drive.

An AST Premium II desktop computer (no serial number), containing two hard drives, a Seagate OT3660A hard drive, serial number AF21198/7523E12774 and a Maxtor 7425AV hard drive, serial number N1010DMO.

9/11 Law Enforcement Privacy
Investigation on 12/17/99
File # 265A-NY-2593[illegible]
Date dictated 12/20/99
by SA [redacted]

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
(Rev. 10-01-1999)
FEDERAL BUREAU OF INVESTIGATION
Precedence: ROUTINE
Date: 1/3/2000
To: New York
    Laboratory
Attn: CART, Room 4315
From: Pocatello ITC
      Computer Analysis Response Team
      Contact: [redacted]
Approved By:
Drafted By:
Case ID #: 265A-NY-259391 (Pending)
           WE 66F-A51-L
Title: USAMA BIN LADIN; MAJOR CASE 161
9/11 Law Enforcement Privacy
Synopsis: To close lead and provide information to case agent and FBIHQ CART.
Reference: 265A-NY-259391 Serial 2163

Package Copy: Being forwarded under separate cover 324 3½" diskettes, one original compact disc, one 3½" diskette containing the Vogon utility SRESTORE with documentation, two duplicate compact discs with all DOS readable files, and two compact discs with minimized files (one of these with the ACES Viewer software). These items are being sent via Federal Express.

Enclosure (3): Enclosed for the New York Field Office is an original and one copy of the FD-302 regarding the CART processing of the Vogon images from compact disc to diskettes and the minimization details. Enclosed for FBIHQ CART is a copy of the FD-302 and CART examination report form.

Details: The CART processing of the Vogon images was performed by CS [redacted] and CS/FE [redacted] of the Pocatello Information Technology Center according to the instructions given from the FBI's New York Field Office. The minimization was performed by CS/FE [redacted]. The details of this process are described in the attached FD-302.
REQ #34-1
000000067
9/11 Law Enforcement Privacy
FD-302 (Rev. 10-6-95)
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 1/3/2000

Computer Specialist Forensic Examiner (CS/FE) [redacted] of the Pocatello Information Technology Center (PITC) was requested by [redacted] of the New York, New York Field Office to restore floppy diskette images contained on a compact disc back to floppy diskettes. The compact disc and image software were received by the FBI's Pocatello Information Technology Center (PITC) on November 18, 1999 and placed into a controlled access vault by CS/FE [redacted]. On November 29, 1999, CS [redacted] began running the Vogon utility called SRESTORE under the direction of CS/FE [redacted]. The SRESTORE utility restored 324 images from one compact disc on to 324 diskettes. CS [redacted] finished processing the high density image files on December 1, 1999. CS/FE [redacted] finished the double density image files on December 2, 1999.

On December 8, 1999, Special Agent (SA) [redacted] requested that the PITC print all readable files located on the restored diskettes. Because of the substantial quantity of the printed media, SA [redacted] and CS/FE [redacted] agreed that CS/FE POOLE would copy all files to a compact disc and minimize those files that were unreadable. CS/FE [redacted] numbered and labeled all diskettes from POQ001 through POQ324. The eliminated diskettes from the minimized compact disc are in the list that follows:

NON-DOS / Unreadable: POQ002-POQ005, POQ007-POQ008, POQ010, POQ013-POQ014, POQ017-POQ027, POQ029-POQ030, POQ034, POQ03S-POQ037, POQ045, POQ048-POQ051, POQ053-POQ054, POQ057-POQ060, POQ063
Software: POQ006, POQ031-POQ033, POQ052, POQ056, POQ067-POQ068, POQ073-POQ079, POQ080-POQ097, POQ100-POQ101, POQ163-POQ210, POQ298
Blank: POQ038-POQ044, POQ055, POQ118-POQ119, POQ131, POQ231

Investigation on 11/18-12/29/1999 at Pocatello, Idaho
Date dictated 1/3/2000
by [redacted]

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.

FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of CART Processing of Floppy Images, On 11/18-12/29/99, Page [illegible]

NON-DOS / Unreadable    Software    Blank
POQ065-POQ066, POQ102-POQ108, POQ110-POQ112, POQ114, POQ117, POQ128-POQ130, POQ132-POQ138, POQ152-POQ161, POQ211-POQ216, POQ220-POQ230, POQ232, POQ236-POQ263, POQ265-POQ2SS, POQ273-POQ278, POQ280, POQ284-POQ285, POQ289-POQ291, POQ293, POQ295, POQ299-POQ300, POQ305-POQ308, POQ310, POQ312-POQ319, POQ321

9/11 Law Enforcement Privacy

The original compact disc, the floppy diskette containing the Vogon software, the 324 restored diskettes, two copies of the compact disc of all readable files, and two copies of the compact disc with the minimized files will be shipped back to SA [redacted] of the New York Fie
REQ #34-1
000000069
FD-302 (Rev. 10-6-95)
-1-
FEDERAL BUREAU OF INVESTIGATION
9/11 Law Enforcement Sensitive
Date of transcription 2/28/00

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:

SPECIMEN(S):
NYO Q24 - 26 - CD Rom Disks
NYO Q177 - 188 - CD Rom Disks
NYO Q189 -

EXAMINATION: Copies of Q24 - 26 and Q177 - 188 were made to CD Rom using a CD Rom duplicator. Logical copies of the files on Q189 - 193 were made to disk using Windows 95 Explorer. Deleted files were recovered from Q191 and Q192 using Norton Utilities for Windows. Files on these exhibits were cataloged using the TreePrint utility. CD Roms were prepared containing the logical file copies, the recovered deleted files and the floppy file listing.

9/11 Law Enforcement Privacy
Investigation on 2/28/00 at New York
File # 265A-NY-259391
Date dictated
by SA [redacted]

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
9/11 Law Enforcement Sensitive FD-302 (Rev. 10-6-95)
-1-
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 03/24/00

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:

SPECIMEN(S):
NYO Q189 - Q193 - 3.5" floppy disks

This report supplements a report dated 02/28/00. Residue was extracted from Q189, Q190, Q191, Q192 and Q193 to an exam hard drive using the REDX Utility. A CD Rom was prepared of the residue.

9/11 Law Enforcement Privacy
Investigation on 03/24/00 at New York, New York
File # 265A-NY-259391-SUB-00
Date dictated
by SA [redacted]

This document contains neither recommendations nor conclusions of the FBI. It is the property of the
9/11 Law Enforcement Sensitive FD-302(Rev. 10-6-95)
FEDERAL BUREAU OF INVESTIGATION
Date of transcription
01/28/2000
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:
SPECIMEN(S):
Q83, Q84, Q89, Q90 - Magneto Optical Disks containing data seized | |
The image from Q83 was restored to a new hard drive using the Safeback Utility.
The image from Q84 was restored to a new hard drive using the Safeback Utility.
The image from Q89 was restored to a new hard drive using the Safeback Utility.
The image from Q90 was restored to a new hard drive using the Safeback Utility.
9/11 Law Enforcement Privacy
Investigation on 01/28/2000 at New York, NY
File # 265A-NY-259391
by SA
Date dictated 01/28/2000
9/11 Law Enforcement Sensitive
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 05/31/2000
The following examination was conducted by Computer Analysis Response Team (CART) Field Examiners.
SPECIMEN(S):
Q119 - Magneto Optical Disk containing Safeback image of Toshiba 300CDT Notebook Acquired in | | 12/1999.
Q120 - Magneto Optical Disk containing 2 Safeback images of TIKO Desktop and 2 Safeback images of AST Premium II (2 Hard Disk Drives each) Acquired in | | 12/1999.
The image contained on Q119 was restored to an exam hard drive (Q119 restored). A logical copy of Q119's restored files (two partitions) was made to optical disk using the Codeblue utility. Recoverable deleted files on Q119 restored were recovered to optical disk using the XDF and XDF32 utilities. Residue was collected using the REDX and REDX32 utilities. The DriveScan and Is-Encrypted utilities were run on the logical copy of Q119 restored and a report was created. The Tree Print utility was used to create a listing of the directory structures.
The images contained on Q120 were restored to exam hard drives. Logical copies of the restored files were made to optical disk using the Codeblue utility. Recoverable deleted files on the restored images were recovered to optical disk using the XDF utility. Residue was collected using the REDX utility. The DriveScan and Is-Encrypted utilities were run on the restored images and a report was created. The Tree Print utility was used to create a listing of the directory structures.
The residue collected from images contained on Q119 and Q120 were searched for the following list of words supplied by the case agent:
Investigation on 05/31/2000 at New York, NY
File # 265A-NY-259391
by SA
Date dictated 05/31/2000
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of , On 05/31/2000 , Page
9/11 Law Enforcement Sensitive
The residue search returned negative results.
9/11 Law Enforcement Privacy
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription
11/13/97
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:
SPECIMENS:
Q1 - 12: 3 M floppy disks
Q1 - 12 are image copies of floppy disks provided by SA
Q1 contains files which run an install program for "My Advanced Label Designer" software.
Q2 contains files which run an install program, "hadeeth.exe". Attempts to load this application failed.
Q3 contains files which run an install program for "Islamic Adan for Prayers".
Q4 contains an executable program "guran.exe", which appears to be an electronic version of the Koran. The program will not run properly without special screen fonts.
Q5 - 8 contain files which appear to supplement Q4.
Q9 - 10 contain Windows font files.
Q11 - 12 contain files consistent with those utilized by the software "Act". However, running the "install.exe" file on this exhibit starts to load a program similar in appearance to Q4.
No deleted files of value were noted on Q1 - 12. The residue on Q1 - 12 was extracted for further review by the case Agent.
Investigation on 11/13/97 at New York, NY
File # 265A-NY-259391
by
Date dictated 11/13/97
FD-302 (Rev. 10-6-95)
- 1-
FEDERAL BUREAU OF INVESTIGATION
Date of transcription
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:
SPECIMEN(S):
Q27 - Optical disk containing floppy disk images
Q28 - Optical disk containing an image from a no-name mini-tower computer
Q29 - Jazz disk containing an image of a Maxtor Hard Disk Drive
Q30 - Optical disk containing a logical copy of a Maxtor Hard Disk Drive
Images from Q28 and Q29 were restored and reviewed with the case Agent. Both images restored an Arabic version Operating System. CD Roms containing files from Q27 and Q28 were prepared for dissemination. Jazz disks containing files from Q29 and Q28 were prepared for dissemination. Recoverable deleted files from Q28 were recovered to optical disk using the Makefer utilities. No files of value were noted.
Investigation on 4/21/99 at New York, NY
File # 265A-NY-259391
Date dictated
Law Enforcement Privacy
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 08/21/98
The following Computer Analysis Response Team (CART) examination was conducted between August 13, 1998 and August 21, 1998:
Restored Safeback Images for AB0110, AB0210, AB0310, AB0510 and AB0520.
Restored "xcopy" for AB0410.
Restored floppy images.
Unerased files for AB0110, AB0210, AB0310, AB0510, AB0520 and floppy images.
Retrieved residue from AB0110, AB0210, AB0310, AB0510, AB0520 and floppy images.
Created CD's containing active, unerased and residue files.
Investigation on 08/21/98 at New York, New York
File # 26
by SA
Date dictated
FD-302 (Rev. 10-6-95)
- 1-
FEDERAL BUREAU OF INVESTIGATION
Date of transcription
5/28/99
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:
SPECIMEN(S):
Q24 - 650MB Compact Disc labeled "Copy C1"
Q25 - 650MB Compact Disc labeled "Copy C2"
Q26 - 650MB Compact Disc labeled "Copy C3"
Recoverable files were printed for review by the Case Agent.
Investigation on 5/23/99 at New York, New York
File # 265A-NY-259391
by SA
9/11 Law Enforcement Privacy
Date dictated 5/31/99
9/11 Law Enforcement Sensitive FD-302 (Rev. 10-6-95)
FEDERAL BUREAU OF INVESTIGATION
Date of transcription
7/09/99
The following search was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE). This search was done following the procedures and using tools provided by the FBI Laboratory.
A computer search/seizure was conducted at the United States Embassy, | |
The following computer(s) were searched and data was seized from the hard drive(s) (HD):
One (1) Compaq brand Deskpro 2000 computer, serial number (s/n) 8646HVS51688.
One (1) International Business Machines (IBM) brand computer, s/n 558P54P.
One (1) Macintosh brand computer model LC, s/n SG1370FJL10.
One (1) Generic computer, no s/n.
One (1) DTK brand computer, no s/n.
Images of the HDs were made to magneto-optical disk (MOD) using the Safeback and FWB Toolkit utilities. Logical copies of all partitions of the HDs were made to MOD using the Codeblue utility. Recoverable deleted files were transferred to MOD using the Makefer utilities. In addition, three (3) 3.5" floppy diskettes (FD) were imaged to FD.
Investigation on 2/17/99 at | |
File # 265A-NY-259391
by SA
9/11 Law Enforcement Privacy
Date dictated 7/09/99
FD-302(Rev. 10-6-95)
FEDERAL BUREAU OF INVESTIGATION
Date of transcription
02/17/2000
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner: SPECIMEN(S): Q176 - Fugi Film DDS3 Data Cartridge, On-track data recovery
create by
Q176 contained an NT Tape Backup created by On-track Data Recovery. Q176's files were restored using the NT Backup utility to an exam hard drive. All files were then copied from the exam hard drive to optical disk using the Windows NT explorer. CD-ROMs were prepared from the exam hard drive of Q176.
Investigation on 02/17/2000 at New York, NY
File # 265A-NY-259319
Date dictated 02/17/2000
FD-302 (Rev. 10-6-95)
- 1-
FEDERAL BUREAU OF INVESTIGATION
Date of transcription
04/23/99
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE). This examination was done following the procedures and using tools provided by the FBI Laboratory.
SPECIMEN(S):
Q100 - Macintosh Powerbook 140 laptop computer, serial number (s/n) F2148K00706.
ALSO SUBMITTED:
One Canon bubble jet printer model BJ-10sx, s/n PJC66146 with power cord and printer cable.
One Kodak printer model Diconix 180si, s/n SAA2ZYZ696 with power cord and serial cable.
One Macintosh compatible mouse.
Sixty-seven (67) 5.25" floppy diskettes.
One Sharp operation manual.
One Canon Bubble Jet BJ-10sx printer user's manual.
One Windows & MS-DOS user's guide.
An image of Q100 was made to magneto-optical disk (MOD) using FWB Toolkit. Recoverable deleted files on Q100 were recovered to MOD using Norton Utilities unerase. Hard copies of the documents on Q100 were printed and provided to the case agent. All original evidence was returned to the case agent. All examination notes were provided to the case agent.
Investigation on 04/23/1999 at New York, NY
File # 199I-NY-257503
by
9/11 Law Enforcement Privacy
Date dictated 04/23/1999
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 11/26/1999
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE).
SPECIMEN(S):
Q80 - A Magneto-Optical Disk (MOD) labeled PJW/28 Image copy Apple Macintosh Quadra 700.
Q81 - An MOD labeled SCG/69 FWB - Image, Macintosh IIsi 40 MB HD End Block 82091.
Q82 - A Magneto-Optical Disk (MOD) labeled on side A: Copies of CD-R's: lab ref # CSL/279/98, Items: SCG/78.1 SCG/78.2 SCG/78.3, on side B: Copy of CD: lab ref CSL/274/98, item SCG/78/5 19 floppy disk shrink wrap images from CSL/274/98.
Q83 - An MOD labeled lab ref # CSL/270/98, Item KRA/25 Safeback Image, directory listing, recovered deleted files.
Q84 - An MOD labeled Lab ref # CSL/273/98, Item SCG/64 safeback image, directory listing.
Q85 - An MOD labeled SCG/73 Image Copy FWB/HDT.
Q86 - An MOD labeled KRA/2110 Image Copy Apple Mac 8200/120.
Q87 - An MOD labeled PLW/4 HDT-Image, end block 2503871, Power Macintosh 8200/120.
Q88 - An MOD labeled SCG/20 quantum Prodrive HDT-image end block 82028.
Q89 - An MOD labeled lab ref: CSL/259/98, Item PLW/5 Safeback image, directory list.
Investigation on 11/26/99 at New York, NY
File # 265A-NY-259391
Date dictated 11/26/1999
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of , On 11/26/99
Q90 - An MOD labeled lab ref CSL/323/98, Item PS/125 Safeback image, directory listing, partition information.
Q91 - A Zip Disk labeled Copy of lab ref CSL/274/98, item PLW/40/1.
Q92 - A Zip Disk labeled Copy of lab ref # CSL/274/98, item PLW/40/2.
Q93 - A Zip Disk labeled Copy of lab ref # CSL/274/98, item # PLW/40/3.
Q94 - A Zip Disk labeled Copy of lab ref # CSL/274/98, PLW/40/4.
Q95 - A Zip Disk labeled Copy of lab ref # CSL/274/98, item # PLW/40/5.
Q96 - A Zip Disk labeled Copy of lab ref # CSL/274/98, item # PLW/40/6.
Q97 - A Zip Disk labeled Copy of lab ref # CSL/274/98, item # PLW/40/7.
Q98 - A Zip Disk labeled Copy of lab ref # CSL/274/8, item # PLW/40/8.
Q99 - An MOD labeled copy of CD lab ref CSL/279/98, item PLW/35/133 and lab ref CSL/274/98, PLW/35/122.
Q101 - A CD-ROM labeled Copy of lab ref # CSL/274/98, Item SCG/81.
Q102 - A CD-ROM labeled Copy of Item PLW/35/132, lab ref # CSL/274/98.
Q103 - A CD-ROM labeled Copy of Track 1 from Item PLW/35/121, lab ref CLS/274/98.
Q104 - A CD-ROM labeled Copy of Lab ref CSL/274/98, item # PLW/42/1.
Q105 - A CD-ROM labeled PS/124.3, CSL/323/98.
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of , On 11/26/99 , Page 3
Q106 - A CD-ROM labeled PS/124.1, CSL/323/98.
Q107 - A CD-ROM labeled PS/124.2, CSL/323/98.
Q108 - A CD-ROM labeled Vogon Simage(s) of floppies from CSL/270/98, CSL/274/98, CSL/298/98, CLS/323/98.
EXAMINATION:
Q80 - mounted the image on a Macintosh G3 exam computer (MEC). Deleted files were recovered using the Norton unerase utility. Data and deleted files were copied to CD-ROM using the Toast utility.
Q81 - mounted the image on MEC. Deleted files were recovered using the Norton unerase utility. Data and deleted files were copied to CD-ROM using the Toast utility.
Q82 - floppy disk images were copied to EC and mounted on MEC. The data was copied to CD-ROM using the toast utility. The CD-ROM images were copied to EC, mounted, then copied to CD-ROM using the Toast utility.
Q83 - Restored image to Windows exam computer (WEC) using the safeback utility. Recovered deleted files using the XDF utility. The restored image was booted and reviewed by the case agent and arabic translator.
Q84 - Restored image to (WEC) using the safeback utility. Recovered deleted files using the XDF utility. The restored image was booted and documents were printed and sent to the case agent.
Q85 - mounted the image on MEC. Deleted files were recovered using the Norton unerase utility. Data and deleted files were copied to CD-ROM using the Toast utility.
Q86 - mounted the image on MEC. Deleted files were recovered using the Norton unerase utility. Data and deleted files were copied to CD-ROM using the Toast utility.
Q87 - mounted the image on MEC. Deleted files were recovered using the Norton unerase utility. Data and deleted files were copied to CD-ROM using the Toast utility.
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of , On 11/26/99
Q88 - mounted the image on MEC. Deleted files were recovered using the Norton unerase utility. Data and deleted files were copied to CD-ROM using the Toast utility.
Q89 - Restored image to (WEC) using the safeback utility. Recovered deleted files using the XDF utility. The restored image was booted and documents were printed and sent to the case agent.
Q90 - Restored image to (WEC) using the safeback utility. Recovered deleted files using the XDF utility. The restored image was booted and documents were printed and sent to the case agent.
Q91 - Zip disk mounted on MEC and copied to CD-ROM using the toast utility.
Q92 - Zip disk mounted on MEC. Deleted files recovered using the Norton unerase utility. Data and deleted files were copied to CD-ROM using the toast utility.
Q93 thru Q98 - Zip disk mounted on MEC and copied to CD-ROM using the toast utility.
Q99 - Magneto Optical disk (MOD) was mounted on MEC. Data was copied to CD-ROM using the toast utility.
Q101 - CD-ROM was copied using the Adaptec CD Copier utility on WEC.
Q102 - CD-ROM was mounted on MEC and copied using the toast utility.
Q103 - CD-ROM was mounted on MEC and copied using the toast utility.
Q104 - CD-ROM was copied using the Adaptec CD Copier utility on WEC.
Q105 - CD-ROM was copied using the Adaptec CD Copier utility on WEC.
Q106 - CD-ROM was copied using the Adaptec CD Copier utility on WEC.
Q101 - CD-ROM was copied using the Adaptec CD Copier utility on WEC.
The
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of , On 11/26/99 , Page
FD-302 (Rev. 10-6-95)
- 1-
FEDERAL BUREAU OF INVESTIGATION
Q / ?3 / 9 9
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:
SPECIMEN(S):
NYO Q79 - 3 1/2" floppy disk, containing, in part, handwriting "8/21/97"
Q79 contains one file, "newpol.doc". The LFN utility identifies the date/time stamp for this file as 03-27-97 at 10:52 P-
Investigation on 9/23/99 at New York
File # 265A-NY-259391
by
Date dictated
9/11 Law Enforcement Privacy
9/11 Law Enforcement Sensitive
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 03/17/2000
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:
SPECIMEN(S):
Q347 - Magneto Optical Disk. Contains logical copy, recovered deleted files, slack and residue from a No Name CPU, no serial number, processed in | |
Q348 - Q356 - CD-ROMs from | |
Q357 - Q367 - 3.5 inch floppies from | | search
CD-ROMs were prepared from the logical copy, recovered deleted files, slack and residue from Q347. The Tree Print utility was used to create a listing of Q347's directory structure. CD Duplicator was used to copy Q348, Q349, Q351 - Q356. Q350 was not copied due to a read error on the CD-ROM. A file copy of Q357 - Q367's files was made to CD-ROM. Recoverable deleted files on Q357 - Q367 were recovered using the XDF utility and written to CD-ROM.
Investigation on 03/17/2000 at New York, NY
File # 265A-NY-259391
by SA
9/11 Law Enforcement Privacy
Date dictated 03/17/2000
9/11 Law Enforcement Sensitive
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 03/17/2000
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:
SPECIMEN(S):
Q27 - CD-ROM containing disk images, (from search in
Restored all disk images to floppies except the following:
Disk 5 was not formatted
Image for disk 43 and 50 were missing.
Recoverable deleted files on all restored disks were recovered to CD-ROM using the XDF utility.
All restored disks were copied to CD-ROM except the following: Disk 27, 32, 40, 42, 48, 53, 58.
The following restored disks contained a virus and were cleaned: Disk 41, 46, 47, 48, 49, 51, 53, 55, 56, 59, 60, 61
Investigation on 03/17/2000 at New York, NY
File # 265A-NY-259391
by SA
9/11 Law Enforcement Privacy
Date dictated 03/17/2000
9/11 Law Enforcement Sensitive
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 04/25/2000
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:
SPECIMEN(S):
Q368 - No Name Desktop with no S/N from | | search
Q369 - No Name Desktop with no S/N from | | search
Q370 - No Name Desktop, S/N 8713439108309 from | | search
Q371 - SCSI Hard Drive S/N - 1A0423372A6 from | | search
Q372 - Dell Model .TS306 Laptop S/N V 7437346BYK8111A from | | search
A physical image of Q368 was made to tape using the Safeback Utility. A logical copy of Q368's files (one partition) was made to optical disk using the Codeblue utility. Recoverable deleted files on Q368 were recovered to optical disk using the XDF32 utility. Residue was collected using the REDX32 utility. CD-ROMs were prepared from the logical file copy, recovered file copies and residue file. The DriveScan and Is-Encrypted utilities were run on the logical copy of Q368 and a report was created. The physical image of Q368 was restored to an exam hard drive using the Safeback Utility.
A physical image of Q369 was made to tape using the Safeback Utility. A logical copy of Q369's files (three partitions) was made to optical disk using the Codeblue utility.
Investigation on 04/25/2000 at New York, NY
File # 265A-NY-259391
by SA
Date dictated 04/25/2000
9/11 Law Enforcement Privacy
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of , On 04/25/2000 , Page 2
Recoverable deleted files on Q369 were recovered to optical disk using the XDF utility. Residue was collected using the REDX utility. CD-ROMs were prepared from the logical file copy, recovered file copies and residue file. The DriveScan and Is-Encrypted utilities were run on the logical copy of Q369 and a report was created. Two files were found to be password protected. The use of Access Data Password Cracker was used and revealed the file level passwords of "aaaaa". The physical image of Q369 was restored to an exam hard drive using the Safeback Utility.
A physical image of Q370 was made to tape using the Safeback Utility. A logical copy of Q370's files (one partition) was made to optical disk using the Codeblue utility. Recoverable deleted files on Q370 were recovered to optical disk using the XDF32 utility. Residue was collected using the REDX32 utility. CD-ROMs were prepared from the logical file copy, recovered file copies and residue file. The DriveScan and Is-Encrypted utilities were run on the logical copy of Q370 and a report was created. The physical image of Q370 was restored to an exam hard drive using the Safeback Utility.
Q371 would not power-up properly and was sent to OnTrack Data Recovery on the case agent's request.
A physical image of Q372 was made to tape using the Safeback Utility. A logical copy of Q372's files (one partition) was made to optical disk using the Codeblue utility. Recoverable deleted files on Q372 were recovered to optical disk using the XDF32 utility. Residue was collected using the REDX32 utility. CD-ROMs were prepared from the logical file copy, recovered file copies and residue file. The DriveScan and Is-Encrypted utilities were run on the logical copy of Q372 and a report was created. Three files were found to be password protected. The use of Access Data Password Cracker was used and revealed the file level passwords of "allah". The physical image of Q372 was restored to an exam hard drive using the Safeback Utility.
The Tree Print utility was used to create a listing of Q368, Q369, Q370 and Q372 directory structures.
9/11 Law Enforcement Sensitive
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of , On 04/25/2000 , Page
The utilities DL and CPX were used to search and extract from the logical file copies and recovered file copies from Q368, Q369, Q370, and Q372 for the following list of strings provided by the case agent:
The search reports and extract results were written to CD-ROMs.
The Linux utility GREP was used to search and extract from the residue files of Q368, Q369, Q370, and Q372 for the following list of strings provided by the case agent:
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of
9/11 Law Enforcement Sensitive
The search extract results were written to CD-ROMs.
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 05/05/2000
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:
SPECIMEN(S):
9/11 Law Enforcement Sensitive
Q371 - SCSI Hard Drive S/N - 1A0423372A6 from | | search
Q371 would not power-up properly and was sent to OnTrack Data Recovery on the case agent's request. A CD-ROM was returned containing the data recovered by On-Track. The CD-ROM duplicator was used to create a copy of the CD-ROM returned by On-Track. The Tree Print utility was used to create a listing of the directory structures.
Investigation on 05/05/2000 at New York, NY
File # 265A-NY-259391
by SA
9/11 Law Enforcement Privacy
Date dictated 05/05/2000
9/11 Law Enforcement Sensitive
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner.
Q373 - SyQuest SyJet 1.5GB Cartridge, Labeled | | image AB0110 - Room A
Q374 - SyQuest SyJet 1.5GB Cartridge, Labeled | | image AB0210 - First Floor Office
Q375 - SyQuest SyJet 1.5GB Cartridge, Labeled | | image - Upstairs Computer Disk 1 of 2
Q376 - SyQuest SyJet 1.5GB Cartridge, Labeled | | image AB0310 - Upstairs Computer Disk 2 of
Q377 - Iomega Jaz 1 GB Cartridge, Labeled | | Xcopy of AB041 - Room C
Q378 - SyQuest SyJet 1.5GB Cartridge, Labeled | | image AB0510 - Downstairs Computer Desk next to
Q379 - SyQuest SyJet 1.5GB Cartridge, AB0410 Aborted Safeback Image
Q380 - SyQuest SyJet 1.5GB Cartridge, Labeled | | floppy
Investigation on 05/23/2000 at New York, NY
File #
9/11 Law Enforcement Sensitive
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of , On 05/08/2000 , Page
Restored image contained on Q373 on exam hard drive (Q373 restored). A logical copy of Q373's restored files (one partition) was made to optical disk using the Codeblue utility. Recoverable deleted files on Q373 restored were recovered to optical disk using the XDF utility. Residue was collected using the REDX utility. The DriveScan and Is-Encrypted utilities were run on the logical copy of Q373 restored and a report was created. The Tree Print utility was used to create a listing of the directory structures.
Restored image contained on Q374 on exam hard drive (Q374 restored). A logical copy of Q374's restored files (three partitions) was made to optical disk using the Codeblue utility. Recoverable deleted files on Q374 restored were recovered to optical disk using the XDF utility. Residue was collected using the REDX utility. The DriveScan and Is-Encrypted utilities were run on the logical copy of Q374 restored and a report was created. The Tree Print utility was used to create a listing of the directory structures.
Restored image contained on Q375 and Q376 on exam hard drive (Q375/Q376 restored). A logical copy of Q375/Q376's restored files (one partition) was made to optical disk using the Codeblue utility. Recoverable deleted files on Q375/Q376 restored were recovered to optical disk using the XDF utility. Residue was collected using the REDX utility. The DriveScan and Is-Encrypted utilities were run on the logical copy of Q375/Q376 restored and a report was created. The Tree Print utility was used to create a listing of the directory structures.
A logical copy of Q377's files was made to optical disk using Windows Explorer. The DriveScan and Is-Encrypted utilities were run on the logical copy of Q377 and a report was created. The Tree Print utility was used to create a listing of the directory structures.
Restored image contained on Q373 on exam hard drive (Q378 restored). A logical copy of Q378's restored files
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of , On 05/08/2000
(one partition) was made to optical disk using the Codeblue utility. Recoverable deleted files on Q378 restored were recovered to optical disk using the XDF utility. The DriveScan and Is-Encrypted utilities were run on the logical copy of Q378 restored and a report was created. The unformat utility was used to unformat Q378 restored. The Codeblue and XDF utilities were run on the unformatted version of Q378 restored. Residue was collected using the REDX32 utility. The DriveScan and Is-Encrypted utilities were run on the logical copy of the unformatted version of Q378 restored and a report was created. The Tree Print utility was used to create a listing of the directory structures.
Q379 and Q380 were not processed.
9/11 Law Enforcement Privacy FD-302 (Rev. 10-6-95)
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 07/05/00
This report supplements an FD-302 dated 06/15/00.
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:
SPECIMEN(S):
Q384 - One Magneto Optical Disk containing a logical file copy/recoverable deleted files from D: (partition 2), One copy of Q387 and Five 3.5" floppy diskette images.
Q387 - One CD Rom containing a copy of a recordable CD Rom
These items were prepared on 12/11/99 in | |
The computer contained a 3227 megabyte Seagate hard drive model number ST33232A, serial number VG864384, with two partitions.
Five self extracting image files from Q384 numbered 1 through 5 were restored to five 3.5" floppy diskettes. Logical copies of diskettes 2 through 5 were made to magneto optical disk using the Windows Explorer Utility. Recoverable deleted files were recovered to magneto optical disk using the XDF Utility. Residue was extracted to magneto optical disk using the REDX Utility. A CD Rom was prepared of the logical, recoverable deleted and residue files.
The Norton Disk Doctor (NDD) Utility was used to repair floppy disk number 1, because it could not be accessed. A logical file copy of disk 1 was made to magneto optical disk using the Windows Explorer Utility. Recoverable deleted files were made to magneto optical disk using the XDF Utility. Residue was extracted to magneto optical disk using the REDX Utility. Results of the logical, recoverable deleted and residue files were put onto the CD Rom containing results from floppies 2 through 5.
Investigation on 07/05/00 at New York, New York
File # 265A-NY-259391
by
9/11 Law Enforcement Privacy
Date dictated
9/11 Law Enforcement Sensitive
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 06/15/00
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:
SPECIMEN(S):
Q383 - One Magneto Optical Disk containing a logical file copy/recoverable deleted files from C: (partition 1)
Q384 - One Magneto Optical Disk containing a logical file copy/recoverable deleted files from D: (partition 2)
Q385 - One Magneto Optical Disk containing a logical file copy/recoverable deleted files from C: (partition 1)
Q386 - One Magneto Optical Disk containing residue from C: (partition 1) and D: (partition 2)
Q387 - One CD Rom containing a copy of a recordable CD Rom
Also submitted:
4 - CD Roms containing a logical file copy/recoverable deleted files from C: (partition 1) and D: (partition 2)
2 - 3.5" floppy diskettes containing logical files unable to be written to CD Rom
These items were prepared on 12/11/99 in | |
The computer contained a 3227 megabyte Seagate hard drive model number ST33232A, serial number VG864384, with two partitions.
The Drivescan Utility was used to scan all magneto optical disks containing logical/recoverable deleted files. Printouts were prepared. The Access Data Password Recovery Toolkit was used to
Investigation on 06/15/00 at New York, New York
File # 265A-NY-259391
by SA
Date dictated
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of , On 01/01/00 , Page
scan all magneto optical disks containing logical/recoverable deleted files. Printouts were prepared. No passworded data was found.
The Slice Utility was used to break the residue files on magneto optical disk number 6 into smaller pieces. CD Roms were prepared containing the split files.
Magneto optical disk number 6 containing residue was mounted in Linux. The residue from C: (partition 1) and D: (partition 2) was filtered using the strings command and then searched using the Grep Utility for the following words:
9/11 Law Enforcement Sensitive
000000100
2
FD-302a [Rev. 10-5-95)
265A-NY-259391
Continuation of FD-302
,0n 01/01/00
.Page
_3_
The output of this search was w r i t t e n to CD Rom.
9/11 Law Enforcement Sensitive
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 06/01/2000

The following examination was conducted by Computer Analysis Response Team (CART) Field Examiners.

SPECIMEN(S):
Five Magneto Optical Disks containing Safeback images of Q31, Q32, Q34 and Q35 acquired in [redacted].
Five Magneto Optical Disks containing logical file copies of Q31, Q32, Q34 and Q35 and recovered deleted files from Q32 acquired in [redacted].
Q36 - Q38 - Three 3.5 in floppy disks acquired in [redacted] 02/1999.

The Safeback image of Q31 was restored to an exam hard drive (Q31 restored). Recoverable deleted files on Q31 restored were recovered to optical disk using the XDF32 utility. Residue was collected using the REDX32 utility. The DriveScan and Access Toolkit utilities were run on the logical copy of Q31 and a report was created. The Tree Print utility was used to create a listing of the directory structures.

The Safeback image of Q32 was restored to an exam hard drive (Q32 restored). Recoverable deleted files on Q32 restored were recovered to optical disk using the XDF utility. Residue was collected using the REDX utility. The DriveScan and Access Toolkit utilities were run on the logical copy of Q32 and a report was created. The Tree Print utility was used to create a listing of the directory structures.

The Safeback image of Q34 was restored to an exam hard drive (Q34 restored). Recoverable deleted files on Q34 restored were recovered to optical disk using the XDF32 utility. Residue was collected using the REDX32 utility. The DriveScan and Access Toolkit utilities were run on the logical copy of Q34 and a report was created. The Tree Print utility was used to create a

Investigation on 06/07/2000 at New York, NY
File # 265A-NY-259391
by SA [redacted: 9/11 Law Enforcement Privacy]
Date dictated 06/07/2000
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of

listing of the directory structures.

The Safeback image of Q35 was restored to an exam hard drive (Q35 restored). Recoverable deleted files on Q35 restored were recovered to optical disk using the XDF utility. Residue was collected using the REDX utility. The DriveScan and Access Toolkit utilities were run on the logical copy of Q35 and a report was created. The Tree Print utility was used to create a listing of the directory structures.

A file copy of Q36 and Q38's files were made to floppy disk. Recoverable deleted files on Q36 and Q38 were recovered to optical disk using the XDF utility. Q37 was not processed due to disk read error.
FD-302 (Rev. 10-6-95)
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 09/24/99

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE).

SPECIMEN(S):
Q33 - One (1) Magneto-Optical Disk (MOD) containing an image of a hard disk drive (HDD) from a Macintosh LC, serial number (s/n) SG1370FJL10.

Also submitted were ten (10) MODs consisting of:
Q31 - an image, and logical copy of a Compaq Deskpro 2000, s/n 8646HVS51688.
Q32 - an image, logical copy, logical file listing and deleted files from an IBM Personal Computer 100, s/n 558P54B.
Q34 - an image and logical copy of two HDDs from a generic computer.
Q35 - an image and logical copy of a DTK computer, no s/n.
Q36, Q37 and Q38 - images of three (3) 3.5" floppy diskettes.

EXAMINATION:
Q33 was restored to a hard disk drive (HDD) on a Macintosh IIci. An examination of the restoration revealed an Arabic language Macintosh operating system.

Investigation on 09/24/1999 at Manhattan, New York
File # 265A-NY-259391
by [redacted: 9/11 Law Enforcement Privacy]
Date dictated 09/24/1999
9/11 Law Enforcement Sensitive
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 07/14/2000

The following examination was conducted by Computer Analysis Response Team (CART) Field Examiners.

SPECIMEN(S):
Q449 - One Magneto Optical Disk containing a CSCDup copy of a Compaq 5100E CPU and six floppy disk images acquired in [redacted].

Recoverable deleted files on Q449 were recovered to an exam hard drive optical disk using the XDF utility. Residue was collected using the REDX utility. The DriveScan and Access Toolkit utilities were run on Q449 with no positive results. The Tree Print utility was used to create a listing of the directory structures. The logical copy, recovered deleted files and the residue file were written to CD-ROM.

The floppy disk images on Q449 were restored to floppy disks. Recoverable deleted files were recovered to an exam hard drive using the XDF utility. Residue was collected using the REDX utility. The logical copy, recovered deleted files and the residue file were written to CD-ROM.

Investigation on 07/14/2000 at New York, NY
File # 265A-NY-259391
by SA [redacted: 9/11 Law Enforcement Privacy]
Date dictated 07/14/2000
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 04/17/2000

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE).

SPECIMEN(S):
NYOQ#195 - an Apple Macintosh Powerbook 180 laptop computer, serial number (s/n) FC311SHY440 obtained from the [redacted] FBI barcode #E01911047. The laptop contained an IBM 82mb hard disk drive (HDD) formatted with an HFS file system running an Arabic version of Macintosh OS.

ALSO SUBMITTED:
One Sony power adaptor, model AC-V30.

EXAM:
Device copies of Q195 were made to magneto-optical disk (MOD) using the FWB Toolkit utility. The image was restored to 100mb Zip disks using the same FWB Toolkit utility. The restored image was mounted on a CART exam machine where invisible files were identified, listed and made visible using the Norton Disk Edit utility. Recoverable deleted files were identified and restored using the Norton Unerase utility. A string search of Q195 was done using the Ultrafind -jfv for the following strings with negative results:

[redacted: 9/11 Law Enforcement Sensitive]

Investigation on 4/17/2000 at New York, NY
File # 265A-NY-259391
by [redacted: 9/11 Law Enforcement Privacy]
Date dictated 4/17/2000
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of Cart Exam , On 4/17/2000

Logical, recovered deleted files, directory and file printouts were provided for review to the Case Agent.
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/19/2000

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE).

SPECIMEN(S):
NYOQ#238 - A CDROM disk labeled Item 25L
NYOQ#240 - A CDROM disk labeled Item 63B
NYOQ#245 - A CDROM disk labeled Item 15T
NYOQ#246 - A CDROM disk labeled Item 15N
NYOQ#247 - A CDROM disk labeled Item 15AK
NYOQ#248 - A CDROM disk labeled Item 15AE
NYOQ#249 - A CDROM disk labeled Item 15Y
NYOQ#250 - A CDROM disk labeled Item 15S
NYOQ#251 - A CDROM disk labeled Item 15M
NYOQ#252 - A CDROM disk labeled Item 15W
NYOQ#253 - A CDROM disk labeled Item 15AC
NYOQ#254 - A CDROM disk labeled Item 15Q
NYOQ#255 - A CDROM disk labeled Item ISAM
NYOQ#256 - A CDROM disk labeled Item 15AH
NYOQ#257 - A CDROM disk labeled Item 15V
NYOQ#258 - A CDROM disk labeled Item 15R
NYOQ#259 - A CDROM disk labeled Item 15AG
NYOQ#260 - A CDROM disk labeled Item 15AM
NYOQ#261 - A CDROM disk labeled Item 15P
NYOQ#262 - A CDROM disk labeled Item 15X
NYOQ#263 - A CDROM disk labeled Item 15AD
NYOQ#264 - A CDROM disk labeled Item 15AJ
NYOQ#265 - A CDROM disk labeled Item 15AI
NYOQ#266 - A CDROM disk labeled Item 15AO
NYOQ#267 - A CDROM disk labeled Item ISA
NYOQ#268 - A CDROM disk labeled Item 15B
NYOQ#269 - A CDROM disk labeled Item 15P
NYOQ#270 - A CDROM disk labeled Item 15C
NYOQ#271 - A CDROM disk labeled Item 15F
NYOQ#272 - A CDROM disk labeled Item 15L
NYOQ#273 - A CDROM disk labeled Item 15G
NYOQ#274 - A CDROM disk labeled Item 15D

Investigation on 5/19/2000 at New
File # 265A-NY-259391
by [redacted: 9/11 Law Enforcement Privacy]
Date dictated

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of CART EXAM , On 5/19/2000

NYOQ#275 - A CDROM disk labeled Item 15H
NYOQ#276 - A CDROM disk labeled Item 15I
NYOQ#277 - A CDROM disk labeled Item 15J
NYOQ#278 - A CDROM disk labeled Item 15AF
NYOQ#279 - A CDROM disk labeled Item 15Z
NYOQ#280 - A CDROM disk labeled Item 15K
NYOQ#281 - A CDROM disk labeled Item 15AB
NYOQ#282 - A CDROM disk labeled Item 15AA
NYOQ#283 - A CDROM disk labeled Item 150
NYOQ#284 - A CDROM disk labeled Item 15A
NYOQ#285 - A CDROM disk labeled Item 150
NYOQ#286 - A CDROM disk labeled Item 41A
NYOQ#287 - A CDROM disk labeled Item 41B
NYOQ#288 - A CDROM disk labeled Item 41C
NYOQ#289 - A CDROM disk labeled Item SIB
NYOQ#290 - A CDROM disk labeled Item 55
NYOQ#291 - A CDROM disk labeled Item 61A
NYOQ#292 - A CDROM disk labeled Item 11
NYOQ#293 - A CDROM disk labeled Item 13A
NYOQ#294 - A CDROM disk labeled Item 58
NYOQ#295 - A CDROM disk labeled Item 9
NYOQ#296 - A CDROM disk labeled Item 51D
NYOQ#297 - A CDROM disk labeled Item 51C
NYOQ#298 - A CDROM disk labeled Item 51B
NYOQ#299 - A CDROM disk labeled Item 51A

EXAM:
Duplicate CDROMs were made using the Champion CD Duplicator,
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 04/28/2000

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE).

SPECIMEN(S):
NYOQ#196 - a 3.5" floppy diskette labeled Item 52I
NYOQ#197 - a 3.5" floppy diskette labeled Item 52K
NYOQ#198 - a 3.5" floppy diskette labeled Item 52J
NYOQ#199 - a 3.5" floppy diskette labeled Item 52L
NYOQ#200 - a 3.5" floppy diskette labeled Item 52M
NYOQ#201 - a 3.5" floppy diskette labeled Item 52H
NYOQ#202 - a 3.5" floppy diskette labeled Item 52G
NYOQ#203 - a 3.5" floppy diskette labeled Item 52F
NYOQ#204 - a 3.5" floppy diskette labeled Item 52E
NYOQ#205 - a 3.5" floppy diskette labeled Item 52D
NYOQ#206 - a 3.5" floppy diskette labeled Item 52C
NYOQ#207 - a 3.5" floppy diskette labeled Item 52B
NYOQ#208 - a 3.5" floppy diskette labeled Item 52A
NYOQ#209 - a 3.5" floppy diskette labeled Item 56A
NYOQ#210 - a 3.5" floppy diskette labeled Item 56B
NYOQ#211 - a 3.5" floppy diskette labeled Item 56C
NYOQ#212 - a 3.5" floppy diskette labeled Item 56D
NYOQ#213 - a 3.5" floppy diskette labeled Item 56E
NYOQ#214 - a 3.5" floppy diskette labeled Item 56F
NYOQ#215 - a 3.5" floppy diskette labeled Item 56G
NYOQ#216 - a 3.5" floppy diskette labeled Item 56H
NYOQ#217 - a 3.5" floppy diskette labeled Item 56I
NYOQ#218 - a 3.5" floppy diskette labeled Item 56J
NYOQ#219 - a 3.5" floppy diskette labeled Item 56K
NYOQ#220 - a 3.5" floppy diskette labeled Item 56L
NYOQ#221 - a 3.5" floppy diskette labeled Item 56N
NYOQ#222 - a 3.5" floppy diskette labeled Item 56M
NYOQ#223 - a 3.5" floppy diskette labeled Item 25H
NYOQ#224 - a 3.5" floppy diskette labeled Item 25J
NYOQ#225 - a 3.5" floppy diskette labeled Item 25I
NYOQ#226 - a 3.5" floppy diskette labeled Item 25G
NYOQ#227 - a 3.5" floppy diskette labeled Item 25B
NYOQ#228 - a 3.5" floppy diskette labeled Item 25A

Investigation on 4/28/2000 at New York, NY
File # 265A-NY-259391
by [redacted: 9/11 Law Enforcement Privacy]
Date dictated 4/28/2000
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of EXAM , On 4/28/2000 , Page

NYOQ#229 - a 3.5" floppy diskette labeled Item 25F
NYOQ#230 - a 3.5" floppy diskette labeled Item 25K
NYOQ#231 - a 3.5" floppy diskette labeled Item 25C
NYOQ#232 - a 3.5" floppy diskette labeled Item 25D
NYOQ#233 - a 3.5" floppy diskette labeled Item 25E
NYOQ#234 - a 3.5" floppy diskette labeled Item 10A
NYOQ#235 - a 3.5" floppy diskette labeled Item 10B
NYOQ#236 - a 3.5" floppy diskette labeled Item 10C
NYOQ#237 - a 3.5" floppy diskette labeled Item 10D
NYOQ#239 - a 3.5" floppy diskette labeled Item 63A
NYOQ#241 - a 3.5" floppy diskette labeled Item 57
NYOQ#242 - a 3.5" floppy diskette labeled Item 22D
NYOQ#243 - a 3.5" floppy diskette labeled Item 40
NYOQ#244 - a 3.5" floppy diskette labeled Item 31A

EXAM:
NYOQ209, NYOQ210, NYOQ212-NYOQ219, NYOQ222-NYOQ226, NYOQ228-NYOQ230, NYOQ232 and NYOQ233 were identified as Macintosh formatted floppy diskettes (FDs). A search of the Mac FDs for invisible files was conducted using the Macintosh Sherlock utility. No nonsystem hidden files were identified. The Norton Unerase utility was executed on the Macintosh FDs resulting in deleted file recovery on NYOQ210, NYOQ214, NYOQ216, NYOQ217, NYOQ224, NYOQ225, NYOQ226 and NYOQ229 only.

NYOQ196-NYOQ208, NYOQ221, NYOQ227, NYOQ231, NYOQ234-NYOQ237, NYOQ241-NYOQ244, and NYOQ239 were identified as DOS formatted, or unformatted FDs. The XDF utility was executed on the DOS FDs resulting in deleted file recovery on NYOQ196, NYOQ198, NYOQ204, NYOQ234 and NYOQ243 only. Residue was recovered from all the DOS FD with the exception of NYOQ208 and NYOQ221 which were unformatted. Isencrypted and Drivescan were run on the DOS FDs and the results were printed.

The results of the exam on the Macintosh FDs were made to Zip disk, 3.5" floppy diskette, and CD-ROM. The results of the DOS FDs were made to magneto-optical disk, 3.5" floppy diskette, and CD-ROM.

ALSO SUBMITTED:
Twenty-one (21) empty CD-ROM jewel cases, one (1) sealed recordable CD-ROM, and one (1) sealed Netscape install software CD-ROM.
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 07/20/00

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:

SPECIMEN(S):
Q551 - One CD Rom
Q552 - One CD Rom
Q553 - One 3.5" Floppy Disk
Q554 - One 3.5" Floppy Disk
Q555 - One 3.5" Floppy Disk
Q556 - One 3.5" Floppy Disk
Q557 - One Recordable CD Rom
Q558 - One Recordable CD Rom
Q559 - One Recordable CD Rom
Q560 - One Recordable CD Rom
Q561 - One 3.5" Floppy Disk

These items were seized in [redacted: 9/11 Law Enforcement Sensitive] on 04/15/00.

Logical copies of Q551 and Q552 were made to magneto optical disk using the Windows Explorer Utility. CD Roms were prepared of the logical copies.

Logical copies of Q553 through Q556 were made to

Investigation on 07/20/00 at New York, New York
File # 265A-NY-259391
by SA [redacted: 9/11 Law Enforcement Privacy]
Date dictated
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of ______ , On 07/20/00 , Page 2

magneto optical disk using the Windows Explorer Utility. Recoverable deleted files were recovered to magneto optical disk using the XDF Utility. Residue was extracted to magneto optical disk using the REDX Utility. A CD Rom was prepared of the logical, recoverable deleted and residue files.

A logical copy was made of selected files on Q557, Q558 and Q560 to magneto optical disk using the Windows Explorer Utility. CD Roms were prepared of the logical files.

A logical copy was made of Q559 to magneto optical disk using the Windows Explorer Utility. A CD Rom was prepared of the logical files.

A logical copy was made of Q561 to magneto optical disk using the Windows Explorer Utility, copy errors were encountered. Recoverable deleted files were recovered to magneto optical disk using the XDF Utility. Residue was extracted to magneto optical disk using the REDX Utility. A CD Rom was prepared of the logical, recoverable deleted and residue files.

The Treeprint Utility was used to print out directory structures of all prepared CD Roms.
9/11 Personal Privacy
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 12/19/2000

The following investigation was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE). Also present were [redacted: 9/11 Personal Privacy]

SPECIMEN(S):
NYOQ563 - a magneto optical disk (MOD) labeled "990602008 JL Image Copy".

EXAMINATION:
NYOQ563 was inserted into a Sony MOD unit and attached to an Apple Macintosh G3 notebook along with an external four (4) gigabyte (gig) hard disk drive (HDD) provided by Greenleaf. The drive containing NYOQ563 was set to SCSI ID 2 and the HDD provided by Greenleaf was set to SCSI ID 4. An image of NYOQ563 was made to Greenleaf's HDD using the device copy utility from FWB Toolkit.

Once the image was complete, [redacted] indicated that the new image should be mounted to ensure that a good copy was made. Using FWB Toolkit, the new image on SCSI ID 4 was mounted on the desktop of the G3. Once the image was mounted the volume "Macintosh HD" appeared on the desktop. Once [redacted] were satisfied, the Macintosh HD volume was unmounted and detached from the G3.

Investigation on 12/18/2000 at New York,
File # 265A-NY-259391
by [redacted: 9/11 Law Enforcement Privacy]
Date dictated 12/19/2000
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 12/12/2000

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE).

SPECIMEN(S):
NYOQ562 is a Bernoulli 230 megabyte (MB) diskette labeled image copy made 8/21/97.
NYOQ563 is a Verbatim 2.3 gigabyte (GB) magneto optical disk (MOD) labeled 990602008 JL Image Copy.

EXAMINATION:
NYOQ562 was inserted into a Bernoulli transportable 230 disk drive. The drive was then attached to an Apple Macintosh G3 notebook and booted. The volume on NYOQ562 would not mount, neither would it copy to any other media.

NYOQ563 was inserted into a Sony MO Disk Unit, model RMO-S551. The MO disk unit was then attached to an Apple Macintosh G3 notebook and booted. The volume on NYOQ562 could be mounted on the G3 desktop.

Investigation on 12/12/2000 at New York
File # 265A-NY-259391
by [redacted: 9/11 Law Enforcement Privacy]
Date dictated 12/12/2000
9/11 Law Enforcement Sensitive
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 5/1/01

On 4/23/01, the [redacted] provided access to computers related to captioned case.

The following computers were examined by a Computer Analysis Response Team (CART) Field Examiner (FE) on site:

Computer 1 - CompEx Solutions Desktop
  a. ST34313A SN: 6DL023LF
Computer 2 - SMR Desktop
  a. Maxtor51536H2 SN: F20JVKYC
Computer 3 - TOUCH Desktop
  a. QuantumFireballELS.1A SN: 345815010692
  b. FujitsuM1614TA SN: 03549565
Hard Drive 1 - WDCAC22500L SN: WD-WM3490181653
Floppy 1 - 3.5" Floppy Disk (unlabeled)

Computer 1 contained one hard drive and it was imaged to DDS-4 tape using the Safeback Utility. A logical file copy of partitions 1 and 2 to optical disk was made using the Codeblue Utility. Recoverable deleted files were recovered from partition 1 and 2 to optical disk using the XDF32 Utility. Residue was extracted from partitions 1 and 2 to optical disk using the REDX32 Utility.

Computer 2 contained one hard drive and it was imaged to DDS-4 tape using the Safeback Utility. A logical file copy of partitions 1 and 2 to optical disk was made using the Codeblue Utility. Recoverable deleted files were recovered from partitions 1 and 2 to optical disk using the XDF32 Utility.

Computer 3 contained two hard drives. Hard drive one was imaged to DDS-4 tape using the Safeback Utility. A logical

Investigation on 4/23/01 at
File # 265A-NY-259391
by [redacted: 9/11 Law Enforcement Privacy]
Date dictated
FD-302a (Rev. 10-5-95)
265A-NY-259391
Continuation of FD-302 of ______ , On 5/1/01 , Page

file copy of hard drive one partitions 1 and 2 to optical disk was made using the Codeblue Utility. Recoverable deleted files were recovered from partitions 1 and 2 to optical disk using the XDF32 Utility. Partial residue was extracted from partition 1 to optical disk using the REDX32 Utility. Hard drive two was imaged to DDS-4 tape using the Safeback Utility. A logical file copy of partition 1 to optical disk was made using the Codeblue Utility. Recoverable deleted files were recovered from partition 1 to optical disk using the XDF Utility. The XDF process was stopped during lost cluster sweep. Residue was extracted from partition 1 to optical disk using the REDX Utility.

The Safeback Utility was used to image hard drive 1, however, the Safeback Utility reported errors after the image was started. The Safeback image was halted.

The Disk Copy Utility was used to image floppy 1, however, errors were encountered.
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 5/4/01

The following computers were examined by a Computer Analysis Response Team (CART) Field Examiner (FE):

Q569a - Magneto Optical Disk (Logical and Recovered Deleted Files of partition 1) of a CompEx Solutions CPU containing hard drive ST34313A SN: 6DL023LF
Q569b - Magneto Optical Disk (Logical and Recovered Deleted Files of partition 2 and Residue of partition 1 and 2) of a CompEx Solutions CPU containing hard drive ST34313A SN: 6DL023LF
Q570 - Magneto Optical Disk (Logical and Recovered Deleted Files of partition 1 and 2) of a SMR CPU containing hard drive Maxtor51536H2 SN: F20JVKYC
Q571 - Magneto Optical Disk (Logical, Recovered Deleted Files and Residue of partition 1) of a TOUCH CPU containing hard drive FujitsuM1614TA SN: 03549565
Q572 - Magneto Optical Disk (Logical and Recovered Deleted Files of partition 1 and 2, partial residue of partition 1) of a TOUCH CPU containing hard drive QuantumFireballELS.1A SN: 345815010692
Q573 - 3.5" Floppy Disk (Disk Copy)

ALSO SUBMITTED:
DDS-4 tape (Safeback Image of QuantumFireballELS.1A SN: 345815010692)
3.5" Floppy Disk (Safeback Audit File)
DDS-4 tape (Safeback Image of Maxtor51536H2 SN: F20JVKYC)
3.5" Floppy Disk (Safeback Audit File)

Investigation on 5/4/01 at New York
File # 265A-NY-259391
by [redacted: 9/11 Law Enforcement Privacy]
Date dictated
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of ______ , On 5/4/01 , Page

DDS-4 tape (Safeback Image of ST34313A SN: 6DL023LF)
3.5" Floppy Disk (Safeback Audit File)
DDS-4 tape (Safeback Image of FujitsuM1614TA SN: 03549565)
3.5" Floppy Disk (Safeback Audit File)

CD Roms were prepared containing the logical and recovered deleted files from Q569a, Q569b, Q570, Q571 and Q572. File naming convention errors were encountered during the CD preparation process.

The Disk Copy Utility was used to image Q573 to a 3.5" Floppy Disk. Errors were encountered. Q573 was not accessible in Arabic Windows 98/DOS. The Norton Disk Doctor Utility was used to attempt to repair Q573. The Norton Disk Doctor Utility recovered "_DD" files, but they did not contain any data recognizable by the Windows/DOS operating system. Recovered deleted files were attempted to be recovered from Q573 using the XDF Utility, but the XDF Utility locked up.

Logical and recovered deleted files copied to magneto optical disk from Q569a, Q569b, Q570, Q571 and Q572 were queried for password protected/encrypted files using the Access Data Password Recovery Tool Kit. Screen shots of the results were prepared.

The directory structures of the logical and recoverable deleted files on cd roms prepared from Q569a, Q569b, Q570, Q571 and Q572 were printed using the Treeprint Utility.
9/11 Law Enforcement Sensitive
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 06/09/2001

The following search was conducted by Computer Analysis Response Team (CART) Field Examiners (FEs).

A computer seizure was conducted at the following location:

[redacted]

Data from the following computer hard drives (HD) were seized:

Computer 1, a Aptiva Laptop, no serial number. (Computer was represented to be owned by [redacted])

SEARCH:
A physical copy of Computer 1's HD was made to optical disk using the Safeback Copy Utility. This was canceled at 90% due to return of subject. The physical copy of Computer 1 was restored to a sterile hard drive (Computer 1 restored). A logical copy of Computer 1 restored's files (two partitions) were made to optical disk using the Codeblue utility. Recoverable deleted files on Computer 1 restored were recovered to optical disk using the XDF utility. CD-ROMs were prepared from the logical file and recovered file copies.

Investigation on 06/09/2001 at [redacted]
File # 265A-NY-259391
by [redacted: 9/11 Law Enforcement Privacy]
Date dictated 06/09/2001
9/11 Law Enforcement Sensitive
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 01/16/2002

The following search was conducted by two Computer Analysis Response Team (CART) Field Examiners (FEs).

The following computers and media were made available

Computer 1, a Jump desktop, serial number (s/n) - 07JUM800AREV.
Computer 2, a C.S.N. desktop, no s/n.
Computer 3, a Acer Travelmate 200 laptop, s/n - 9144G017J5105016CDT.
Floppies 1 - 36, Thirty-six 3.5 inch floppy disks.
CD-ROMs 1 - 21, Twenty-one CD-ROMs.

[redacted] advised that above media and computers were owned by [redacted]

SEARCH:
A copy of Computer 1's HD was made to HD using the Logicube Hard Disk Duplicator.

A copy of Computer 2's HD was made to HD using the Logicube Hard Disk Duplicator.

A copy of Computer 3's HD was made to HD using the Logicube Hard Disk Duplicator.

A logical copy of Floppies 1 - 36's files were made to hard drive using the MXCOPY utility. Recoverable deleted files on Floppies 1 - 36 were recovered to hard drive using the XDF utility. Read errors were encountered on Floppies 6, 9, 13, 15,

Investigation on 01/16/2002 at [redacted]
File # 265A-NY-280350
by [redacted: 9/11 Law Enforcement Privacy]
Date dictated 01/16/2002
FD-302a (Rev. 10-6-95)
265A-NY-280350
Continuation of FD-302 of ______ , On 01/15/2002 , Page

17, 19, 28, 30 and 33 - 36. A CD-ROM was prepared from the logical file and recovered file copies.

CD-ROMs 1 - 7, 10 - 19 and 21 were copied using the CD Copy utility. CD-ROMs 8, 9 and 20 were not readable and not processed.
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 03/25/2004

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:

SPECIMENS:
NYO Q585 - Seagate Hard Disk Drive, s/n 6ED1RDE6 (E01960358)
NYO Q586 - Compaq Armada 3500 Notebook computer, s/n J9062 (E01960358)
NYO Q586a - IBM HDD, s/n AGOAG044005

EXAMINATION:
This report supplements a report dated 3/21/02, reported under 265A-BS-89704.

NYO Q585 was imaged to DDS3 tape and to a sterile examination hard drive using the Safeback utility. The image file was processed using the Forensic Toolkit (FTK). Files identified by FTK in the Documents, Spreadsheets, Databases, Graphics, Encrypted and Other Known categories were exported to disk and thereafter copied to CD Rom. Encrypted files were processed using both the Password Recovery Toolkit and the Distributed Network Attack (DNA) utilities. A PRTK report was printed. Twelve files decrypted by DNA were copied to CD Rom in their decrypted form.

NYO Q586 contains one hard drive. This drive was imaged to DDS3 tape and to a sterile examination hard drive using the Safeback utility. The image file was processed using the Forensic Toolkit (FTK). Files identified by FTK in the Documents, Graphics, Other Known categories were exported to disk and thereafter copied to CD Rom.

Investigation on 3/25/04 at New York CART Lab
File # 265A-NY-259391
Date dictated
amicev.wpd
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of CART Examination , On 3/25/04 , Page 2

Physical copies of NYO Q585 and Q586a were made using a Logicube Drive Duplicator. The FTK work files and the image files from NYO Q585 and Q586 were archived to DDS4 tape.
anticev.wpd
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 03/13/2002

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner.

SPECIMEN(S):
NYOQ587 - Maxtor Hard Drive (HD), serial number (s/n) T3RHOS4C (E01960359)
NYOQ588 - Maxtor HD, s/n T3H26RYC (E01960359)
NYOQ589 - Magneto Optical Disk (MOD), labeled "Safeback Image Madrid Computer 2 and 3" (E01960359)
NYOQ590 - MOD, labeled "Computer 14" (E01960359)
NYOQ591 - Seagate HD, s/n 6ED3PW4J (E01960359)
NYOQ592 - MOD, labeled "Partial Safeback of Computer 9" (E01960359)
NYOQ593 - Western Digital HD, s/n WD-WMAAR2397114 (E01960359)
NYOQ594 - Western Digital HD, s/n WD-WMA751063599 (E01960359)
NYOQ595 - CD-ROM, labeled "219 Floppy Disks" (E01960359)
NYOQ596 - Seagate HD, s/n 6ED3PPW9 (E01960359)
NYOQ597 - Western Digital HD, s/n WD-WMA6V1144420 (E01960359)

Investigation on 03/13/2002 at New York
File # 265A-NY-259391
by [redacted: Law Enforcement Privacy]
Date dictated 03/13/2002
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of ______ , On

NYOQ598 - Seagate HD, s/n 6ED3PW4C (E01960359)
NYOQ599 - Maxtor HD, s/n T3RHOSXC (E01960359)
NYOQ600 - Western Digital HD, s/n WD-WMA6V1145260 (E01960359)
NYOQ601 - Western Digital HD, s/n WD-WMA9L1183844 (E01960359)
NYOQ602 - IBM HD, s/n YJEYJ2K5933 (E01960359)
NYOQ603 - Seagate HD, s/n 6ED3PB&P (E01960359)
NYOQ604 - NYOQ702 - Ninety-Nine CD-ROMs (E01960359)

Also submitted:
CD-ROM labeled "Photos of original evidence"

A physical image of NYOQ587 was made to both tape and hard drive using the Safeback utility. The Access Data Forensic Tool Kit was used to process NYOQ587. Files from the following categories were exported to hard drive and written to CD-ROM:

Documents - partial
Spreadsheets - partial
Graphics - partial
Other known - partial
Unknown - partial.

The names of the files exported were changed to ensure uniqueness. The Access Data Forensic Tool Kit case files,
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of ______ , On 03/13/2002

Safeback image files and exported files were written to tape using the Windows 2000 Backup utility.

A physical image of NYOQ588 was made to both tape and hard drive using the Safeback utility. The Access Data Forensic Tool Kit was used to process NYOQ588. Files from the following categories were exported to hard drive and written to CD-ROM:

Documents - partial
Databases - partial
Graphics - partial
Other known - partial
Unknown - partial.

The names of the files exported were changed to ensure uniqueness. The Access Data Forensic Tool Kit case files, Safeback image files and exported files were written to tape using the Windows 2000 Backup utility.

The Access Data Forensic Tool Kit was used to process NYOQ589. Files from the following categories were exported to hard drive and written to CD-ROM:

Documents - partial
Graphics - partial
Other known - partial
Unknown - partial.

The names of the files exported were changed to ensure uniqueness. The Access Data Forensic Tool Kit case files and exported files were written to CD-ROM using the EZ-CD Creator utility.

The Access Data Forensic Tool Kit was used to process NYOQ590. Files from the following categories were exported to hard drive and written to CD-ROM:

Documents - all
Spreadsheets - all
Databases - all.

The names of the files exported were changed to ensure uniqueness. The Access Data Forensic Tool Kit case files, Safeback image files and exported files were written to tape using the Windows 2000 Backup utility.
A physical image of NYOQ591 was made to both tape and hard drive using the Safeback utility. The Access Data Forensic Tool Kit was used to process NYOQ591. No pertinent files were found on NYOQ591. The Access Data Forensic Tool Kit case files and Safeback image files were written to tape using the Windows 2000 Backup utility.
NYOQ592 was found to contain no data and was not processed.
A physical image of NYOQ593 was made to both tape and hard drive using the Safeback utility. The Access Data Forensic Tool Kit was used to process NYOQ593. Files from the following categories were exported to hard drive and written to CD-ROM: Other known - partial. The names of the files exported were changed to ensure uniqueness. The Access Data Forensic Tool Kit case files, Safeback image files and exported files were written to tape using the Windows 2000 Backup utility.
A physical image of NYOQ594 was made to both tape and hard drive using the Safeback utility. The Access Data Forensic Tool Kit was used to process NYOQ594. Files from the following categories were exported to hard drive and written to CD-ROM: Documents - partial; Databases - partial; Graphics - partial; From E-Mail - partial; E-Mail Messages - partial; Other known - partial; Unknown - partial. The names of the files exported were changed to ensure uniqueness. The Access Data Forensic Tool Kit case files, Safeback image files and exported files were written to tape using the Windows 2000 Backup utility.
NYOQ595 contained image files, logical copies and recovered deleted files for two hundred and nineteen floppy disks. The Access Data Forensic Tool Kit was used to process the image files contained on NYOQ595 with the exception of the
following floppy disk image files: 1, 3, 10, 12, 15, 37, 38, 40, 119, 128, 139, 147, 151, 152 and 175. Files from the logical copies and recovered deleted files for these floppy disks were exported manually. Files from the following categories were exported to hard drive and written to CD-ROM: Documents - partial; Spreadsheets - all; Graphics - partial; From E-Mail - partial; E-Mail Messages - all; Other known - partial; Unknown - partial. The names of the files exported were changed to ensure uniqueness. The Access Data Forensic Tool Kit case files and exported files were written to CD-ROMs using the EZ-CD Creator utility.
A physical image of NYOQ596 was made to both tape and hard drive using the Safeback utility. The Access Data Forensic Tool Kit was used to process NYOQ596. Files from the following categories were exported to hard drive and written to CD-ROM: Documents - partial; Spreadsheets - partial; Databases - partial; Graphics - partial; From E-Mail - partial; E-Mail Messages - partial; Temp Internet - partial; Other known - partial; Unknown - partial. The names of the files exported were changed to ensure uniqueness. The Access Data Forensic Tool Kit case files, Safeback image files and exported files were written to tape using the Windows 2000 Backup utility.
A physical image of NYOQ597 was made to both tape and hard drive using the Safeback utility. The Access Data Forensic Tool Kit was used to process NYOQ597. Files from the following categories were exported to hard drive and written to CD-ROM: Documents - partial;
Databases - all; Other known - partial; Unknown - partial. The names of the files exported were changed to ensure uniqueness. The Access Data Forensic Tool Kit case files, Safeback image files and exported files were written to tape using the Windows 2000 Backup utility.
A physical image of NYOQ598 was made to both tape and hard drive using the Safeback utility. The Access Data Forensic Tool Kit was used to process NYOQ598. Files from the following categories were exported to hard drive and written to CD-ROM: Documents - all; Graphics - all; Other known - partial; Unknown - partial. The names of the files exported were changed to ensure uniqueness. The Access Data Forensic Tool Kit case files, Safeback image files and exported files were written to tape using the Windows 2000 Backup utility.
A physical image of NYOQ599 was made to both tape and hard drive using the Safeback utility. The Access Data Forensic Tool Kit was used to process NYOQ599. Files from the following categories were exported to hard drive and written to CD-ROM: Documents - partial; Databases - partial; Spreadsheets - partial; Graphics - partial; From E-Mail - partial; E-Mail Messages - partial; Other known - partial. The names of the files exported were changed to ensure uniqueness. The Access Data Forensic Tool Kit case files, Safeback image files and exported files were written to tape using the Windows 2000 Backup utility.
A physical image of NYOQ600 was made to both tape and hard drive using the Safeback utility. The Access Data Forensic Tool Kit was used to process NYOQ600. Files from the following
categories were exported to hard drive and written to CD-ROM: Documents - partial; Spreadsheets - partial; Databases - partial; Graphics - partial; From E-Mail - partial; E-Mail Messages - partial; Archives - partial; Other known - partial; Unknown - partial. The names of the files exported were changed to ensure uniqueness. The Access Data Forensic Tool Kit case files, Safeback image files and exported files were written to tape using the Windows 2000 Backup utility.
A physical image of NYOQ601 was made to both tape and hard drive using the Safeback utility. The Access Data Forensic Tool Kit was used to process NYOQ601. Files from the following categories were exported to hard drive and written to CD-ROM: Documents - partial; Databases - partial; Graphics - partial; Unknown - partial. The names of the files exported were changed to ensure uniqueness. The Access Data Forensic Tool Kit case files, Safeback image files and exported files were written to tape using the Windows 2000 Backup utility.
A physical image of NYOQ602 was made to both tape and hard drive using the Safeback utility. The Access Data Forensic Tool Kit was used to process NYOQ602. Files from the following categories were exported to hard drive and written to CD-ROM: Documents - partial; Spreadsheets - partial; Graphics - partial; From E-Mail - partial; E-Mail Messages - partial; Temp Internet - all; Other known - partial; Unknown - partial.
The names of the files exported were changed to ensure uniqueness. The Access Data Forensic Tool Kit case files, Safeback image files and exported files were written to tape using the Windows 2000 Backup utility.
A physical image of NYOQ603 was made to both tape and hard drive using the Safeback utility. The Access Data Forensic Tool Kit was used to process NYOQ603. Files from the following categories were exported to hard drive and written to CD-ROM: Other known - partial. The names of the files exported were changed to ensure uniqueness. The Access Data Forensic Tool Kit case files, Safeback image files and exported files were written to tape using the Windows 2000 Backup utility.
The Access Data Password Toolkit was run on all exported files from NYOQ587 - NYOQ603 with a report created.
NYOQ604 - NYOQ702 were copied using the CD Duplicator.
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 05/17/2002
The following examination was conducted by Computer Analysis Response Team (CART) Field Examiners:
SPECIMEN(S):
NYO Q703 - DVD ROM Media, labeled (E019S2299) "Crouching Tiger & Hidden Dragon, Disk 1"
NYO Q704 - DVD ROM Media, labeled (E01962299) "Crouching Tiger & Hidden Dragon, Disk 2"
EXAMINATION:
The contents of Q703 and Q704 were examined using Microsoft Windows Explorer and CD Inspector (v2.0.0). The DVD media contained files consistent with those found on DVD video media. When attempting to view the video contained on the DVD the InterVideo WinDVD utility produced an error stating that the DVD was formatted for a market other than the United States.
Investigation on 05/17/2002 at New York
File # 265A-NY-259391 by
Date dictated
9/11 Law Enforcement Privacy
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
FD-302(Rev. 10-6-95)
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 05/23/2000
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE).
SPECIMEN(S):
NYOQ194 - four (4) CDROM disks containing a safeback image of an Apple hard disk drive (HDD).
EXAM:
NYOQ194 were restored to HDD using the safeback utility. The restored HDD was mounted and logical files were copied to CDROM using the Toast utility.
Investigation on 05/23/2000 at New York
File # 265A-NY-259391-CC by
Date dictated 05/23/2000
9/11 Law Enforcement Privacy
9/11 Law Enforcement Sensitive
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 12/20/1999
On 12/16/1999, the following items were provided by the [ ] Authorities:
One (1) Dell laptop computer, model PPS, serial number (s/n) JH5J65160, p/n 08627. Ref # 991216E.
One (1) Compaq laptop computer, model 4/25, s/n 53085. Ref # 991216D.
One (1) Generic tower computer, no model, no s/n. Ref # 991216A & 99121SB.
One (1) Generic mini-tower computer, no model, no s/n. Ref # 991216B.
One (1) PD650 Plasmon optical disk cartridge. Ref # 991216F.
Sixty-nine (69) CDROM disks. Ref # 991218E, 991219A, 991218C, 991218D.
Fifty-five (55) 3.5" floppy disks. Ref # 991216C.
One (1) Helical-Scan 4mm Data Cartridge labeled "Bkup". No Ref #.
Two (2) document reproductions containing drawings of buildings and Arabic writings. No Ref #.
On 12/19/1999, two (2) 5.25" floppy disks Ref # 991219C, and two (2) CDROM disks Ref # 991219B were provided to the CART FE for copying.
The following search was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE).
SEARCH:
A Dell laptop was imaged to magneto optical disk (MOD) using the safeback utility. A logical copy was made to MOD using the codeblue utility. Recovered deleted files were made to MOD using the XDF32 utility. Residue was extracted to MOD using the REDX utility. The hard disk drive (HDD) needed to be removed from the computer because the power cord was not supplied, and the battery was not charged.
Investigation on 12/20/1999
File # 265A-NY-259391 by
Date dictated 12/20/1999
9/11 Law Enforcement Privacy
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of CART SEARCH, On 12/20/1999
A Compaq laptop was imaged to MOD using the safeback utility. A logical copy was made using the codeblue utility. Recoverable deleted files were made to MOD using the XDF32 utility. The HDD was removed from the computer because the computer was in non-functioning condition.
A tower computer was imaged to 4mm DDS3 tape cartridge using the safeback utility. A logical file copy was made to MOD using the codeblue utility. Recovered deleted files were made to MOD using the XDF32 utility. The tower computer had two HDDs, however one was not connected and would not spin up when power was applied.
A mini-tower was imaged to MOD using the safeback utility. A logical file copy was made to MOD using the codeblue utility. Recovered deleted files were made to MOD using the XDF32 utility.
A PD650 Plasmon optical disk cartridge was copied to Iomega Jazz cartridge using Windows Explorer. Floppy diskettes were imaged to MOD using the copyqm utility. CDROMS were imaged to files using the Adaptec CD creator utility and copied to 4mm DDS3 tapes using Windows Explorer. All MODs, 4mm tapes, Jazz cartridges, Zip cartridges, CDROMs and documents were provided to the search coordinator.
FD-302(Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 07/20/2000
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE).
SPECIMEN(S):
NYOQ109 - a magneto optical disk (MOD) containing an image, logical files and deleted files from a Compaq laptop.
NYOQ110 - two (2) 4mm tapes containing images from thirty-six (36) CD-ROM disks.
NYOQ112 - a 4mm tape containing an image of a generic tower server computer.
NYOQ113 - an MOD containing an image of a generic mini tower computer.
NYOQ114 - an MOD containing a logical file copy and deleted files from a generic tower server computer.
NYOQ115 - an MOD containing an image of a Dell laptop computer.
NYOQ116 - an MOD containing data from fifty-five (55) 3.5" floppy diskettes and the image of one (1) CD-ROM disk.
NYOQ117 - an MOD containing images from two (2) CD-ROM disks.
NYOQ118 - an Iomega Jaz cartridge containing data from a PD650 optical disk.
NYOQ121 - an Iomega Zip 250 disk containing data from a 5.25 inch floppy diskette.
NYOQ122 - a CD-ROM disk containing data from a CD-ROM disk.
NYOQ301 - a CD-ROM disk labeled Al-Iman.
NYOQ302 - a CD-ROM disk labeled 990423_1227.
Investigation on 07/20/2000 at New York
File # 265A-NY-259391 by
Date dictated 07/20/2000
9/11 Law Enforcement Privacy
FD-302a (Rev. 10-6-95)
265A-NY-259391
Continuation of FD-302 of CART EXAM, On 07/20/2000
NYOQ303 - a CD-ROM disk labeled 12/15/99 03:30.
NYOQ304 - a CD-ROM disk labeled 12/16/99 04:00.
NYOQ305 - a CD-ROM disk labeled 12/16/99 04:30.
NYOQ306 - a CD-ROM disk labeled 12/16/99 05:15.
NYOQ307 - a CD-ROM disk labeled 12/16/99 05:55.
NYOQ308 - a CD-ROM disk labeled 12/16/99 04:41.
NYOQ309 - a CD-ROM disk labeled CD1 Azzam Targima.
NYOQ310 - a CD-ROM disk labeled 12/16/99 06:30.
NYOQ311 - a CD-ROM disk labeled CD-2 Azzam Thakafah.
EXAM:
NYOQ109 was restored to a hard disk drive (HDD) using the Safeback utility. Logical files, deleted files and residue were copied to CD-ROM using the Adaptec EZ CD creator utility.
NYOQ110 - all thirty-six (36) CD-ROM images were restored to CD-ROM using the Adaptec EZ CD creator utility.
NYOQ112 was restored to HDD using the Safeback utility. A search was conducted for all files with the extensions .skr, .pkr, and .asc. The following files were found:
logical, deleted and residue was copied to CD-ROM using the Adaptec EZ CD Creator utility.
NYOQ113 was restored to HDD using the Safeback utility. Logical, deleted and residue was copied to CD-ROM using the Adaptec EZ CD Creator utility.
NYOQ115 was restored to HDD using the Safeback utility. Logical, deleted and residue was copied to CD-ROM using the Adaptec EZ CD Creator utility.
NYOQ116 - floppy images were self-extracted to floppy diskettes.
NYOQ117 was restored to CD-ROM using the Adaptec EZ CD Creator utility.
A logical copy of NYOQ118 was made to CD-ROM using the Adaptec EZ CD Creator utility.
NYOQ121 - a floppy image was restored to diskette, logical copies of two floppies were made to CD-ROM using the Adaptec EZ CD Creator utility.
NYOQ122 could not be copied due to damage to the CD-ROM.
NYOQ301 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ302 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ303 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ304 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ305 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ306 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ307 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ308 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ309 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ310 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ311 was copied to CD-ROM using a Champion CD-ROM copier.
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 5/21/99
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE). This examination was done following the procedures and using tools provided by the FBI Laboratory.
SPECIMEN(S):
Q1 - a 3½" floppy diskette.
Q2 - a Magneto-optical disk (MOD) containing the image, logical and deleted files from an Altimo Supreme laptop computer.
Q3 - a 3½" floppy diskette.
Q4 - a 3½" floppy diskette.
Q152 - an MOD containing the image, logical and residue of an Altimo Supreme laptop computer.
EXAMINATION:
Q2 and Q152 were restored to a hard drive (HD). The system was then booted. Since the operating system was in Arabic, a translator was provided to assist in printing documents from the HD. All documents were provided to the case agent. Q1, Q3 and Q4 were provided to the case agent as well.
Investigation on 12/24/1993 at New York
File # 265A-NY-252802
Date dictated 5/21/1999
9/11 Law Enforcement Privacy
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 5/21/99
The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE). This examination was done following the procedures and using tools provided by the FBI Laboratory.
SPECIMEN(S):
Q1 - a 3½" floppy diskette.
Q2 - a Magneto-optical disk (MOD) containing the image, logical and deleted files from an Altimo Supreme laptop computer obtained November 1998.
Q3 - a 3½" floppy diskette.
Q4 - a 3½" floppy diskette.
Q152 - an MOD containing the image, logical and residue of an Altimo Supreme laptop computer obtained February 1999.
EXAMINATION:
Q2 and Q152 were restored to a hard drive (HD). The system was then booted. Since the operating system was in Arabic, a translator was provided to assist in printing documents from the HD. All documents were provided to the case agent. Q1, Q3 and Q4 were copied and provided to the case agent as well.
Investigation on 12/24/1998 at New York
File # 265A-NY-252802 by
Date dictated 5/21/1999
9/11 Law Enforcement Privacy
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 11/06/98
The following search was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE). This search was done following the procedures and using tools provided by the FBI Laboratory. A covert computer search/seizure was conducted at the
The following computer was searched and data was seized from the hard drive (HD): One (1) Altimo Supreme laptop computer. An image of the HD was made to magneto-optical disk (MOD) using the Safeback utility. Logical copies of both partitions of the HD were made to MOD using the Codeblue utility. Recoverable deleted files were transferred to MOD using the Makefer utilities. In addition, three (3) 3.5" floppy diskettes (FD) were imaged to FD.
9/11 Law Enforcement Sensitive
Investigation on 10/31/98
File # 265A-NY-252802 by
Date dictated 11/06/98
9/11 Law Enforcement Privacy
7-1 (Rev. 2-21-91)
- M. HorvattT)
FEDERAL BUREAU OF INVESTIGATION
WASHINGTON, D. C. 20535
Date: March 14, 1996
To: SAC, New York
FBI File No.: 265A-NY-252802
Lab No.: 50120018 D BY
Reference: Preliminary Laboratory Report Dated 3/6/95
Your No.: 265A-NY-252802
Re: 9/11 Law Enforcement Sensitive
OO: NEW YORK
Specimens received:
Specimens:
Q1 - Toshiba T1950CT/200 Laptop Computer, Model Number PA1152EA, SN# 02414578
Q1i - One magneto-optical cartridge
Q1j - One internal computer hard drive
Q1k, Q1l - Two magneto-optical cartridges
Also Submitted: One 3.5" diskette containing software to perform decryption of files contained on Q1.
Results of Examination: Specimens Q1a through Q1h which are referenced in this report were previously described in Laboratory Report dated 3/6/95. Specimen Q1 was hand carried from New York Division to the FBI Laboratory on April 12, 1995. All specimens were analyzed using computer resources currently available to the FBI Laboratory.
2 - 265A-HN-12924
MFH:mfh (6)
This Report Is Furnished For Official Use Only
9/11 Law Enforcement Sensitive
9/11 Law Enforcement Privacy
Specimen Q1 was previously examined in [ ] on 1/23/95. It was noted that the date contained within the computer was set to 1/22/95, one day from the actual date of the examination.
An image backup of Q1 was written to magneto-optical cartridge and labeled Q1i. The SAMPO virus was found on the laptop computer. This virus has been determined to be nondestructive to information contained on the hard drive. A logical copy of all files contained on Q1 was also copied to Q1i.
An image composite of Q1a and Q1b was written to a computer hard drive and labelled Q1j. This image represents Q1's status during examination in [ ].
Also submitted item, referred to as 'decryption software', was received at the FBI Laboratory on 4/9/95 from SA [ ]. This software was used to produce text output of encrypted files contained on Q1. Nine out of twenty files, whose contents were unknown, were decrypted to a readable form. These files have been printed and copies of each were supplied to New York, FBIHQ and AUSA Mike Garcia. One database file appears to be password protected. The password is unknown.
It was determined through Toshiba International that Q1 was manufactured overseas. Serial number 024l4.p78 existed but was not assigned to a model T1950CT/200. It is assigned to a model T1910CS/200. The laptop assigned to the given serial number 0241467B was found to be sold to the company [ ] on March 24, 1994. This company is located in England.
Directory listings and erased files listings were produced for Q1. These were compared to listings that were created for the tape backups Q1a through Q1c. No differences in active files were encountered. Differences were encountered in the erased file information. At the two separate times of examination, each had some erased file information that did not exist or could not be retrieved at the opposite time. The newly available erased files were recovered and reviewed.
File listings have been produced that represent which files were retrieved at which time. Slack information was retrieved from Q1 and compared to the slack information that was retrieved during the examination in Manila and differences were encountered. Both versions have been printed and are being delivered to AUSA Mike Garcia.
9/11 Law Enforcement Sensitive
A text string search was performed on Q1 for the strings [ ]. The result was negative.
Copies of all .WAV and .LAV sound files were made to diskette and shipped overnight to New York Division upon request, along with directory and erased file listings, and decrypted file information.
Five (5) additional image backups were written to tape. Four tapes were shipped to New York Division and one is being shipped to the AUSA's office in New York. Seven (7) hard drives received from AUSA Mike Garcia were used to restore the image contained on Q1i. Five hard drives were shipped back to the New York Division and two were shipped directly to the AUSA's office in New York.
A cassette recording was made of four sound files and sent to Language Services for translation. The cassette recording and results from Language Services were forwarded to the New York Division.
The contents of Q1i were copied to two additional magneto-optical cartridges, Q1k and Q1i. An image backup was made of Q1j and also written to Q1k and Q1i. A second image backup of Q1j was written to tape.
The FBI Laboratory is keeping on file seven (7) backup tapes (Q1a through Q1g), two magneto-optical cartridges (Q1i and Q1k), the Also Submitted item containing the decryption software and a copy of all printouts, erased information and encrypted information. Two additional image backup tapes, one copy of the decryption software, one magneto-optical cartridge (Q1i), two printouts of slack information, listings of erased files retrieved and a copy of all notes is being shipped overnight to AUSA Mike Garcia.
9/11 Law Enforcement Privacy
(Rev. 10-01-1999)
FEDERAL BUREAU OF INVESTIGATION
Precedence: ROUTINE
Date: 01/13/2000
To: Laboratory Attn: ERF EST-1 SSA
From: Laboratory
CART RM.
Contact:
Approved By:
Drafted By: ms
Case ID #: 265A-NY-252802 (Pending)
Title: 9/11 Law Enforcement Sensitive
Synopsis: Request ERF assistance in analysis of software.
Reference: 265A-NY-252802 Serial 1449
Details: Three (3) 2.3GB magneto optical cartridges (CART Q225-Q227) and one (1) 3½" 1.44MB floppy diskette (CART Q228) containing images and files of a laptop were submitted to the CART Unit for examination. Images (Q225-Q227) of the laptop were restored to a staging IDE hard disk drive (Seagate Medalist 8641 Model ST38641A S/N VR103440) and a copy of all logical data, recovered erased files and extracted residue information are on two (2) CD-ROMs being forwarded to ERF EST-1 for further analysis by request of SA [ ] (FBIHQ NSD ITOS). A copy of the incoming EC from NSD is attached for ERF's assistance in further analysis of the restored images.
To: Laboratory From: Laboratory
Re: 265A-NY-252802, 01/13/2000
LEAD(s):
Set Lead 1:
ERF EST-1
AT FBI ACADEMY QUANTICO, VA
Request ERF EST-1 further analyze restored image of laptop located on staging IDE hard disk and the two (2) CD-ROMs containing logical, erased and residue data. Additionally, CART requests the return of the IDE staging hard disk (Seagate Medalist 8641 Model ST38641A S/N VR103440) to FBIHQ CART UNIT upon completion of analysis.
LABORATORY
FEDERAL BUREAU OF INVESTIGATION
WASHINGTON, D. C. 20535
Date: February 1, 2000
To: NSD ITOS
Attn: SA
Case ID No.: 265A-NY-252802
Lab No.: 000127007 BI
Reference: Communication dated 01/27/2000
Your No.:
Title:
9/11 Law Enforcement Privacy
Date specimens received: January 27, 2000
Specimens: Re-submission of Q225-Q228 from laboratory number 000106009 BI (265A-NY-252802) which was completed on January 13, 2000.
The results of the Computer Analysis Response Team (CART) examination are included in this report. Specimens Q225-Q228 were returned to SA [ ], FBIHQ NSD ITOS, who should make a determination to what extent these materials require entry into the ACS collected items database.
7-1a (Rev. 5-18-99)
LABORATORY
FEDERAL BUREAU OF INVESTIGATION
WASHINGTON, D. C. 20535
Report of Examination
Examiner Name:
Date: February 1, 2000
Unit: Computer Analysis Response Team
Phone No.: 202-324-6225
Case ID No.: 265A-NY-252802
Lab No.: 000127007 BI
Results of Examinations: One (1) copy of each previously submitted specimens Q225-Q228 were made. No hardcopy printouts were made or any other analysis conducted. No hardcopy printouts or magnetic/optical media are being retained by the FBI Laboratory.
9/11 Law Enforcement Privacy
August 13, 1999
National Security ITOS / NS3C
ATTN: E
265A-NY-259391
990608001 AB
Communication dated June 6, 1999
(S) 265A-NY-259391 (S)
USAMA BIN LADEN; AOT-IT
June 8, 1999
Specimens:
Q53 - Seagate hard drive, model ST39173W, part of a 5-drive RAID assembly, SN: LM040163
Q54 - Seagate hard drive, model ST39173W, part of a 5-drive RAID assembly, SN: LM041289
Q55 - Seagate hard drive, model ST39173W, part of a 5-drive RAID assembly, SN: LM027194
NE50 - RAID controller assembly, model DS500-SR, SN: 97324E2913
(U) The results of the Computer Analysis Response Team (CART) are included in this report. Specimens Q51-Q55 and NE50 are being returned directly to the Evidence Control Technician in New York Division. Five (5) hard drives containing work product are being returned directly to the case agent in New York, who should make a determination to what extent these items should be entered into the ACS collected items database. Twenty-eight (28) CDs containing extracts from work product have been sent to Tampa Division for further analysis.
9/11 Law Enforcement Privacy
August 13, 1999
Computer Analysis Response Team
(S) 265A-NY-259391
990608001 AB
Results of Examinations:
(U) Specimens Q51-Q55 were configured as a Redundant Array of Independent Disks (RAID), and could only be analyzed by installing them into NE50. Once installed, the drives functioned as a single storage device with several partitions. Thus, analysis was conducted on these partitions rather than on the individual specimens themselves. An examination was conducted on the four data partitions: Bin1, Bin2, Bin3, and Bin4.
(U) Raw data was recovered from each Bin and examined for fragments of audio files. The extracted fragments were then converted to a non-proprietary audio format. Results of the recovery, interim examination, and conversion processes were placed on external hard drives, sorted according to Bin number and date/time. All non-zero length recovered audio files were also copied to CDs, using the non-proprietary format.
(U) No hardcopy printouts or magnetic-optical media are being retained.
9/11 Law Enforcement Privacy
7-1 (Rev. 5-13-99)
LABORATORY
FEDERAL BUREAU OF INVESTIGATION
WASHINGTON, D. C. 20535
Date: April 19, 2000
To: SAC ATTN NL
Case ID No.: 265A-NY-259391-PP
Lab No.: 000310006 BI
Reference: Communication dated: 3/6/2000
Your No.:
Title: USAMA BIN LADIN; MAJOR CASE 161; OO:NY
Date specimens received: March 10, 2000
Specimens:
Q56 - One (1) CDROM labeled as "Q80 ([ ] Number SCG/69) DELETED FILES MAC QUADRA 700 MAC HSI".
Q57 - One (1) CDROM labeled as "Q82 ([ ] number SCG/78) FLOPPY IMAGES FOR MAC CSL/274/98 WORK COPY 1 OF 1".
Q58 - One (1) CDROM labeled as "Qpd ([ ] number SCG/78) WORK COPY 1 OF 1 COPY OF CDR'S".
Q59 - One (1) CDROM labeled as "Q82 ([ ] number SCG/78) FLOPPIES WORK COPY CSU274/98 1 OF 1".
Q60 - One (1) CDROM labeled as "Q98 ([ ] number PLW/40) ZIP DISK 02/16/00 PLW/40/8".
9/11 Law Enforcement Sensitive
Q61
One (1) CDROM labeled as "QR2 1 Uimher SCG/78) ITEMS SCG/78,1 SCG/72.2 WORK COPY 02/16/00".
Q62
One (i)GDROM labeled as "OS'S I FILES 02/16/00 SCG/73 MAC H.D".
Q63
One (1) CDROM labeled as "Q861 humber KRA/2110) MAC HARD DRIVE KRA/2110 MAC 8200/120 2/16/00".
"Inumber SCO/73) DELETED
Q64
One (1) CDROM labeled as "0861 Inumber KRA/2110) DELETED ..FILES KRA/2110 2/16/00 MAC 8200/120".
Q65
One <1) CDROM labeled as "SCG/69 MACINTOSH ESI 9/13/99 WORK COPY #2 DISK 1 OF 1".
Q66
One (1) CDROM libeled as "PJW/28 IMAGE COPY APPLE MACINTOSH QUADRA 700 9/13/99
Q67
One (1) CDROM labeled as "QUANTUM PRO DRIVE SCG/20 2/11/00 IMAGE COPY".
Q68
One (1) CDROM labeled as "O88l Inumber SCG/20) DELETED FILES SCG/20 2/17/00 QUANTUM PRO DRIVE".
Q69
One (1) CDROM labeled as "Q99| CD 2/17/00 PLW/35/133",
]number PLW/35) SIDE A COPY
Q70
One (1) CDROM labeled as OF CD 2/17/00 PLW/35/122".
] number PLW/35) SIDE B COPY
Q71
One (1) CDROM labeled as "Q87LZH1 number PLW/4> DELETED FILES 2/16/00 POWER MAC PLW/4 8200".
Q72
One (1) CDROM labeled PLW/4 POWER MAC 8200 02/16/00".
Q73
One (1) CDROM labeled as "092 I jnumber PLW/40) ZIP DISK DELETED FILES 2/17/00 PLW/4072T\e (1) CDROM labeled as "Q93
Q74
Inumber PLW/4) HARD DRIVE
number PLW/40) ZIP DISK 2/17/00 PLW/40/3".
Q75
One (1) CDROM labeled as "Q94 2/17/00 PLW/40/4".
number PLW/40) ZIP DISK
Q76
One (1) CDROM labeled as "Q95 2/17/00 PLW/40/5".
number PLW/40) ZIP DISK
Q77
One (1) CDROM labeled as " 2/17/00 PLW/40/6".
number PLW/40) ZIP DISK
Page 2 of 1 000310006 BI
REQ #34-1
000000154
9/11 Law Enforcement Sensitive
number PLW/40) ZIP DISK
Q78
One (1) CDROM labeled as "Q97 2/17/OOPLW/40/7". ..
Q79
number PLW/40) ZIP DISK One (1) CDROM labeled as "Q91 WORK COPY MAC CSU274/98 PLW/40/1#.
The results of the Computer Analysis Response Team (CART) examination are included in this report. Specimens Q56 - Q79 have been returned to the Evidence Control Technician in your office. All hardcopy printouts have been forwarded to case agent SA [ ] who should make a determination to what extent these materials require entry into the ACS collected items database.
9/11 Law Enforcement Privacy
Page 3 of 1 000310006 BI
REQ #34-1
000000155
9/11 Law Enforcement Privacy f--U (Rev. 5-18-99) LABORATORY
FEDERAL BUREAU OF INVESTIGATION WASHINGTON, D. C. 20535
Report of Examination
Date: April 19, 2000
Unit: Computer Analysis Response Team
Phone No.: 202-324-6225
Case ID No.: 265A-NY-259391-PP
Lab No.: 000310006 BI
Results of Examinations: All contents of specimens Q56 - Q79 have been reviewed and hardcopy printouts were produced from specimens Q56 - Q79 for review by the case agent. Documents recovered from specimens Q56 - Q79 containing Arabic characters have been reviewed by Language Specialist [ ] for interpretation and results were forwarded to the case agent. No hardcopy printouts or magnetic/optical media are being retained by the FBI Laboratory.
CART - Page 1 of 1
REQ #34-1
This Report is Furnished for Official Use Only
000000156
WITHDRAWAL NOTICE
RG: 148 Exposition, Anniversary, and Memorial Commissions
SERIES: 9/11 Commission Team 5, FRC Box 23
NND PROJECT NUMBER: 51095
FOIA CASE NUMBER: 30383
WITHDRAWAL DATE: 09/08/2008
FOLDER: 0002
BOX: 00004
TAB: 2
DOC ID: 31193699
COPIES: 1
PAGES: 2
ACCESS RESTRICTED
The item identified below has been withdrawn from this file:
FOLDER TITLE: T. Eldridge files-FBI CART documents
DOCUMENT DATE: 12/03/2001
DOCUMENT TYPE: FBI 302
FROM: FBI Lab
TO: ADIC New York
SUBJECT: Documents relating to all Computer Analysis Response Team (CART) reports, or predecessor computer exploitation reports, regarding hard drives seized from Al Qaeda associated subjects from 1995 through September 11, 2001. Responsive to Requests #34-1 Packet #2 [withheld material]
This document has been withdrawn for the following reason(s): 9/11 Classified Information
Law Enforcement Privacy 7-la (Rev. 5-18-99) LABORATORY
FEDERAL BUREAU OF INVESTIGATION WASHINGTON, D. C. 20535
Report of Examination
Date: December 3, 2001
Unit: Computer Analysis Response Team
Phone No.: 202-324-6225
Case ID No.: (S) 265A-NY-259391
Lab No.: 011109001 BI
Results of Examinations: (U) Specimens Q112, Q113, Q114 and Q116 are four (4) IDE hard disk drives (HDD). Specimens Q115, Q117, Q118 and Q119 are duplicate copies (1 - IDE HDD and 3 tapes) of specimens Q112, Q113, Q114 and Q116 made by CART Examiner SA [ ] and therefore no analysis was performed on these specimens.
(U) Specimens Q112, Q113, Q114 and Q116 were analyzed for active and erased files as well as residual data using ILOOK. Drive to Drive copies were also made of specimens Q112, Q113, Q114 and Q116 onto four (4) IDE HDD. ILOOK results for specimens Q112, Q113, Q114 and Q116 were copied to (4) IDE HDD. Indexing of all active files was performed using DT Search and those results were copied onto four (4) magneto optical cartridges (MOCs). The work product from specimens Q112, Q113, Q114 and Q116 is being retained by SA [ ] for further review at FBI HQ.
(U) Safeback images were made of ILOOK results for specimens Q112, Q113, Q114 and Q116 onto eight (8) 4mm data tapes and were forwarded to SA [ ] (WFO) for further review.
(U) No hardcopy printouts or magnetic/optical media are being retained by the FBI Laboratory.
CART - Page 1 of 1 i
This Report is Furnished for Official Use Only
000000159
7-1 (Rev. 5-13-99)
LABORATORY
FEDERAL BUREAU OF INVESTIGATION WASHINGTON, D. C. 20535
Date: January 17, 2002
To: SAC New York ATTN: [ ]
Case ID No.: 265A-NY-259391-12
Lab No.: 020107003 BI
Reference: Communication dated 12/17/2001
Your No.:
Title: USAMA BIN LADEN MAJOR CASE 161 SUB FILE 1-2
9/11 Law Enforcement Sensitive
9/11 Law Enforcement Privacy
Date specimens received: January 07, 2002
Specimens:
| inside cover of case: D8083-2E).
Q20
Computer hard drive storage system and vid
Q20.1
IDE mini Seagate laptop hard drive (model S
NE2
Wooden video collection box with no serial or model numbers.
The results of the Computer Analysis Response Team (CART) examination are included in this report. Specimens Q20, Q20.1 and NE2 along with CD-ROM copies (3) of the examination results have been returned to ERF Video Collection Unit ETI [ ] per request of case agent SA [ ] (NYFO). Three (3) CD-ROMs containing examination results were sent to case agent [ ] via FEDEX. Case agent [ ] should make a determination to what extent these materials require entry into the ACS collected items database.
Page 1 of 1
This Report is Furnished for Official Use Only
#34-1
000000160
9/11 Law Enforcement Privacy 7-V(Rev.5-18-99) LABORATORY
FEDERAL BUREAU OF INVESTIGATION WASHINGTON, D. C. 20535
Report of Examination
Examiner Name:
Date: January 17, 2002
Unit: Computer Analysis Response Team
Phone No.: 202-324-6225
Case ID No.: 265A-NY-259391-I2
Lab No.: 020107003 BI
Results of Examinations: Specimen Q20.1 is an IDE mini Seagate laptop hard drive (model ST91685AG S/N FN608903) which was retrieved from specimen Q20 (computer hard drive/video power supply unit). Specimen Q20.1 was examined for active and deleted files. As requested in the communication 12/17/2001, a recovery of active graphical files contained on specimen Q20.1 was conducted and saved onto CD-ROM. Recovery of deleted files was also conducted on specimen Q20.1 yet did not yield any deleted files. [illegible] all active files as well as all active files found on specimen Q20.1 were saved to CD-ROMs.
Three (3) CD-ROMs containing all examination results of specimen Q20.1 were [illegible]. No hardcopy printouts or magnetic/optical media are being retained by the FBI Laboratory.
CART - Page 1 of 1 This Report is Furnished for Official Use Only
REQ #34-1
000000161
9/11 Law Enforcement Privacy (01/26/1998)
FEDERAL BUREAU OF INVESTIGATION
Precedence: Routine
Date: June 23, 2003
To: New York 1-49
Attn: SA [ ]
From: Investigative Technology
Cyber Technology Section/CART Unit, Contact:
Approved By:
Drafted By:
Case ID #: 265A-NY-259391-CC
Title: USAMA BIN LADEN Major Case 161
Synopsis: To provide results of a CART examination and the disposition of the evidence.
Reference: 265A-NY-259391-CC-331
Enclosures: Enclosed is an FD-302 to be maintained in the requesting division's case file.
Details: The results of the CART examination are detailed in the enclosed FD-302. The submitted evidence in the captioned matter and the digital output results of the CART examination have been sent to the Kansas City evidence control technician. No digital media is being retained at CART headquarters and this matter is considered closed.
REQ #34-1
000000162
FD-302 (Rev. 10-6-95)
FEDERAL BUREAU OF INVESTIGATION
Date of transcription
06/23/2003
Computer Analysis Response Team Report of Examination Included herein are the results of a digital forensic examination performed by an FBI CART Certified Forensic Examiner. This examination has been performed in accordance with CART policies and procedures. Case Reference: Laboratory Number 020612002 AB Specimens:
Q516
One (1) Verbatim 4.1 GB magneto-optical disk, lot number 01026564, with handwritten label "10-18-01 SAMSUNG External USB Drive 1 of 3 . . . DISK 1" .
Q517
One (1) Verbatim 2.3 GB magneto-optical disk, lot number 00427522, with handwritten label "10-18-01 External USB Hard Drive SAMSUNG . . . DISK 2".
Q518
One (1) Verbatim 4.1 GB magneto-optical disk, lot number 01026564, with handwritten label "265A-NY259391-CC Computer Used by Ziyad Khaeel . . . 3-26-02 DISK 1 of 2".
Q519
One (1) Verbatim 4.1 GB magneto-optical disk, lot number 01026564, with handwritten label "265A-NY259391-CC Computer Used by Ziyad Khaeel . . . 3-26-02 DISK 2 of 2".
Q520
One (1) Verbatim 4.1 GB magneto-optical disk, lot number 01026564, with handwritten label "265A-NY259391-CC HD From Computer Used by Ziyad Khaeel 82000/12-2000 . . . DISK 1 of 2".
Investigation on 06/23/2003 at HQ Lab, Washington, DC
File # 265A-NY-259391-CC[illegible] by IT/FE
Date dictated 06/23/2003
9/11 Law Enforcement Privacy
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
000000163
9/11 Law Enforcement Privacy
9/11 Law Enforcement Sensitive
FD-302a (Rev. 10-6-95)
265A-NY-259391-CC
Continuation of FD-302 of CART Forensic Examination, On 06/23/2003, Page
Q521
One (1) Verbatim 4.1 GB magneto-optical disk, lot number 00323624, with handwritten label "265A-NY259391-CC HD From Inside Computer Used by [ ] [_____] Segate [sic] HD From 8-2000/12-2000 . . . DISK 2 of 2".
Request: Per an electronic communication, 265A-NY-259391-CC-331, from NY 1-49 SA [ ], CART was requested to restore three Safeback images. Subsequently, SA [ ] requested that the restored images and original evidence be sent to Kansas City Division. No other procedures were requested.
Summary of Results: The Safeback images, provided on magneto-optical disks as described above, were restored to new laboratory hard drives which had been wiped.
Derivative Evidence (DE): Following were produced as derivative evidence:
DEHQ1
Maxtor 10 GB hard drive, SN B1DCB47E, containing restoration of Safeback image from Q516 and Q517. Verification md5sum (for the derivative evidence drive only, not to be used to compare to original evidence drives): 6c7ff6cc330aecdbde5cac61a5910c95
DEHQ2
Maxtor 10 GB hard drive, SN B1DCB4FE, containing restoration of Safeback image from Q518 and Q519. Verification md5sum (for the derivative evidence drive only, not to be used to compare to original evidence drives): 2d2e77fb69108b5f76e2e533c0fb35e1
DEHQ3
Maxtor 10 GB hard drive, SN B1DBYBTE, containing restoration of Safeback image from Q520 and Q521. Verification md5sum (for the derivative evidence drive only, not to be used to compare to original evidence drives): 95775aff5f769e289c78dbc2eea6d06d
Examination: Images from the specimens were restored to hard drives as described above. These drives were attached to a
REQ #34-1
000000164
9/11 Law Enforcement Privacy
FD-302a (Rev. 10-6-95)
265A-NY-259391-CC
Continuation of FD-302 of CART Forensic Examination, On 06/23/2003
laboratory computer, and the case agent reviewed the contents. These interim work product drives were subsequently wiped, and the original images restored to them again. It is these drives that are being transmitted as the Derivative Evidence drives. At the direction of the case agent, all original evidence and derivative evidence was sent to Kansas City Division evidence control technician, for the attention of [ ]. The notes of examination are being placed in a 1A envelope and being retained in the FBI Information Technology Division file. No electronic media copies of the original or derivative evidence are being retained by headquarters.
REQ #34-1
000000165
9/11 Law Enforcement Sensitive FD-302 (Rev. 10-6-95)
- 1-
FEDERAL BUREAU OF INVESTIGATION
Date of transcription
10/20/2003
Computer Analysis Response Team Report of Examination Included herein are the results of a digital forensic examination performed by an FBI CART Certified Forensic Examiner. This examination has been performed in accordance with CART policies and procedures. Case Reference: Laboratory Number 030122051 Specimens: AFGP 2002 804371
QHQ001 IBM Travelstar 2.5" 10.06 GB ATA/IDE notebook drive, model DJSA-210, SN 42MZ9347.
Request: Per a Department of Defense Office of General Counsel Memorandum dated September 25, 2003, Subject: Computer Hard Drive Analysis, a forensic analysis of the subject specimen was requested. Additionally, three specific files were requested to be recovered: an article entitled
Summary of Results: A full forensic examination was conducted, and the four requested files were identified and recovered from the specimen. However the recovered documents differed slightly from the descriptions given by the Office of General Counsel. Additionally, one of the requested files, "arrival.doc", was password protected, and the password had to be recovered before completing recovery of the document.
Derivative Evidence (DE): Following is a list of digital media containing results of the examination.
DEHQ010
CD with summary results of the examination, with web-based organizing indices.
Investigation on 10/15/2003 at HQ Lab, Washington DC
File # 265A-NY-259391-EEE by ITS/FE
Date dictated 10/15/2003
9/11 Law Enforcement Privacy
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
9/11 Law Enforcement Sensitive FD-302a (Rev. 10-6-95)
265A-NY-259391-EEE
Continuation of FD-302 of Computer Forensic Exam, On 10/15/2003, Page
DEHQ011
5 DVDs containing full results of the examination, with web-based organizing indices.
DEHQ012
3 DVDs containing copies of the image file segments used to perform the examination.
DEHQ013
Western Digital 20 GB hard drive, SN WMAAR1214879, containing full results of the examination.
DEHQ014
Printed copy of the file
DEHQ015
Printed copy of the file
DEHQ016
Printed copy of the file
DEHQ017
Printed copy of the file
DEHQ018
Printed copy of the file
DEHQ019
4-mm DAT containing Safeback image of DEHQ013.
Examination: The specimen had one FAT32 partition. The operating system on the partition was Windows ME. The following processes were performed directly on the specimen:
1. A "digital signature", in the form of an md5 hash, was calculated, with result a550a975c3f9316a588b43ca5a434df8.
2. An image file, in 15 segments, was made of the specimen.
3. A final md5 hash was calculated, with result a550a975c3f9316a588b43ca5a434df8.
All other forensic procedures were performed on the image file segments. These forensic procedures were as follows:
REQ #34-1
1. An md5 hash was calculated on the concatenated segments, with result a550a975c3f9316a588b43ca5a434df8.
2. The file system was mapped, and an md5 hash was calculated for every file. These results were then compared with a standard list of hashes for known system
000000167
9/11 Law Enforcement Sensitive
FD-302a (Rev. 10-6-95)
265A-NY-259391-EEE
Continuation of FD-302 of Computer Forensic Exam, On 10/15/2003, Page 3
and application files, and the known files were not further examined.
3. Deleted files and residue were extracted.
4. A file list was produced, in the form of a Microsoft Access data base.
5. The four requested files were found. One requested file, [ ], was password protected, as was one nonrequested file, [ ]. Passwords were recovered for both files. The four requested files, plus [ ], were printed out. Some of the requested files as found differed slightly from the descriptions given by the contributor. Specifically, the travel document referenced was six pages in length, not three. Also, the article entitled
6. Internet usage reports were generated, and e-mail files were examined. Although there were indications that the specimen had been used to access the Internet, there appears to have been no usage of standard e-mail programs (such as Outlook and Outlook Express) for user e-mail messages.
7. All results were extracted to DEHQ013, along with forensic logs.
8. A final md5 hash was calculated on the concatenated image file segments, with result a550a975c3f9316a588b43ca5a434df8.
9. Summary and full results, along with copies of the image file segments, were copied to a CD and eight DVDs. These products were DEHQ010, DEHQ011, and DEHQ012.
10. An md5 hash was calculated on DEHQ013, with result Ib21e86call56efa6f0999fdl9b61b8b. An image was made of this drive and placed on a 4-mm data tape.
QHQ001 and DEH1019 are being returned to FBI Document Exploitation evidence control. DEHQ10-DEHQ18 are being returned to the Department of Defense Office of General Counsel. The notes of
REQ #34-1
000000168
FD-302a (Rev. 10-6-95)
265A-NY-259391-EEE
Continuation of FD-302 of Computer Forensic Exam, On 10/15/2003
examination, along with a copy of DEHQ010, are being retained in a 1A envelope in the FBI Investigative Technology Division file.
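The acquisition and verification steps in the report above (hash the specimen, image it in segments, hash it again, hash the concatenated segments, then set aside files whose hashes are on a known-file list), as an added Python example that is not part of the FBI report and not the tooling CART used. All function names, the segment size and the sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read size, so a large image never has to fit in memory


def md5_concatenated(paths):
    """MD5 over the files in `paths`, read in order as one continuous stream."""
    digest = hashlib.md5()
    for path in paths:
        with open(path, "rb") as handle:
            for block in iter(lambda: handle.read(CHUNK), b""):
                digest.update(block)
    return digest.hexdigest()


def split_into_segments(source_path, out_dir, segment_size):
    """Copy the source into numbered segment files; return the paths in order."""
    paths = []
    with open(source_path, "rb") as source:
        while True:
            data = source.read(segment_size)
            if not data:
                break
            path = os.path.join(out_dir, f"image.{len(paths) + 1:03d}")
            with open(path, "wb") as segment:
                segment.write(data)
            paths.append(path)
    return paths


def acquire_and_verify(source_path, out_dir, segment_size):
    """Hash the source, image it, hash it again, then hash the segments."""
    before = md5_concatenated([source_path])
    segments = split_into_segments(source_path, out_dir, segment_size)
    after = md5_concatenated([source_path])
    image = md5_concatenated(segments)
    return {
        "md5": before,
        "segments": segments,
        "source_unchanged": before == after,      # imaging did not alter the source
        "image_matches_source": image == before,  # segments reproduce it bit for bit
    }


def triage_by_known_hashes(files, known_hashes):
    """Split {name: bytes} into (known, to_examine) by MD5 set membership."""
    known, to_examine = [], []
    for name in sorted(files):
        digest = hashlib.md5(files[name]).hexdigest()
        (known if digest in known_hashes else to_examine).append(name)
    return known, to_examine


# Constructed sample files and a constructed one-entry "known file" hash list.
CONSTRUCTED_FILES = {
    "COMMAND.COM": b"constructed stand-in for an operating system file",
    "notes.doc": b"constructed stand-in for a user document",
}
KNOWN_FILE_HASHES = {hashlib.md5(CONSTRUCTED_FILES["COMMAND.COM"]).hexdigest()}


def demo():
    """Run the workflow on a constructed 1,024,000-byte stand-in for a drive."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "specimen.bin")
        with open(source, "wb") as handle:
            handle.write(bytes(range(256)) * 4000)
        result = acquire_and_verify(source, tmp, segment_size=70_000)
        segments = result["segments"]
        # Failure mode 1: segments hashed in the wrong order.
        reordered_ok = md5_concatenated(segments[::-1]) == result["md5"]
        # Failure mode 2: a single byte altered inside one segment.
        with open(segments[6], "r+b") as handle:
            handle.seek(100)
            handle.write(b"\xff")
        tampered_ok = md5_concatenated(segments) == result["md5"]
        return {
            "segment_count": len(segments),
            "source_unchanged": result["source_unchanged"],
            "image_matches_source": result["image_matches_source"],
            "reordered_ok": reordered_ok,
            "tampered_ok": tampered_ok,
        }


if __name__ == "__main__":
    print(demo())
    print(triage_by_known_hashes(CONSTRUCTED_FILES, KNOWN_FILE_HASHES))
```

MD5 is used here only because it is the hash the report records; the same structure works unchanged with `hashlib.sha256`.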
REQ #34-1
000000169
9/11 Law Enforcement Privacy (01/26/1998)
FEDERAL BUREAU OF INVESTIGATION
Precedence: Routine
Date: 1/16/2004
To: Counterterrorism [illegible] Analysis Section, DOCX, Room 4648
Attn:
From: Investigative Technology
Digital Evidence Section/CART Unit, Contact:
Approved By:
Drafted By:
Case ID #: 265A-NY-259391-EEE
Title: USAMA BIN LADEN MAJOR CASE 161 OO: NY
Synopsis: To provide results of a CART examination and the disposition of the evidence.
Reference: 265A-NY-259391-EEE-44
Enclosures: Enclosed is an FD-302 to be maintained in the requesting division's case file.
Details: The results of the CART examination are detailed in the enclosed FD-302. The submitted evidence in the captioned matter and DEHQ1-DEHQ3 have been sent to DOCX Evidence Control and the digital output CD results of the CART examination have been sent to the contributor. No digital copies of the evidence are being retained at CART headquarters. This matter is considered closed.
000000170
9/11 Law Enforcement Privacy
9/11 Law Enforcement Sensitive
FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 1/16/2004
Computer Analysis Response Team Report of Examination
Included herein are the results of a digital forensic examination performed by an FBI CART Certified Forensic Examiner. This examination has been performed in accordance with CART policies and procedures.
Case References: Laboratory Number 030122051 PB
Specimens:
QHQ1 IBM TravelStar, DJSA-210, 10.06GB hard drive, serial number 42MZ9347.
NEHQ1 Western Digital, WD200, 20GB hard drive WMA6K3663033, labeled "[ ] Item 11 Room A; IBM TravelStar 10.06GB"
NEHQ2 Maxell 4mm tape labeled "[ ], Item 11 Room A; IBM TravelStar 10.06GB"
Per 265A-NY-259391-EEE-44, an examination was conducted and two (2) duplicate copies of the hard drive were made.
Summary of Results: Three copies of QHQ1 were made. The copies were verified using MD5SUMs. All three MD5s were [illegible]. The MD5 was a550a975c3f9316a588b43ca5a434df8. A CART forensic examination was completed. The results of the examination were saved to CD-ROMs, specifically the data related to Internet files. The CDs were provided to SA [ ] for review.
Derivative Evidence (DE): A list of digital media containing results of examination. Items will be listed by DE number.
DEHQ1 Copy of QHQ1 copied to a Samsung, SV2044D 20GB hard drive, SN: 0191J1FN523505
Investigation on 01/22/2003 at HQ Laboratory, Washington, DC
File # 265A-NY-259391-EEE by CSFE
Date dictated 09/23/2003
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
FD-302a (Rev. 10-6-95)
265A-NY-259391-EEE
Continuation of FD-302 of CART Forensic Examination, On 01/22/2003, Page
DEHQ2 Copy of DEHQ1 copied to a Maxtor, 2B015H1 15GB hard drive, SN: B1STFAPS
DEHQ3 Copy of DEHQ1 copied to a Western Digital, WD200 20GB hard drive, SN: WMAAR1213546
DEHQ4-DEHQ9 CDRW containing logical files from QHQ1
Examination: The drive contained a single FAT32 formatted partition. The following processes were performed on QHQ1: Three duplicates of QHQ1 were made utilizing three forensically wiped hard drives. A standard partition traverse was conducted on DEHQ1 and the drive was mapped. A file listing was created and saved to an Access database. Deleted files were recovered and all data was extracted to a staging drive. The logical files were extracted and saved to DEHQ1 in their original directory structure. Six (6) CDs containing all logical files from DEHQ1 were created for the case agent to review.
All original evidence was returned to DOCX Evidence Control. DEHQ1-DEHQ3 and NEHQ1 and NEHQ2 were returned to DOCX Evidence Control. DEHQ4-DEHQ9 were provided to SA [ ] of the New York Division. The notes of examination are being placed in a 1A envelope and being retained in the FBI ITD file.
9/11 Law Enforcement Privacy
000000172
EXAMINATION REPORT
REGIONAL COMPUTER FORENSIC LABORATORY
Date: September 17, 2002
9/11 Law Enforcement Privacy
To:
From:
Reference: 265A-NY-259391 (Operation Enduring Freedom) NTRCFL # R2-02-599
Weeks 09/02/2002 - 09/13/2002 [ ]
Processed the following "Harmony Numbers"
AFGP-2002-903209 AFGP-2002-903291 AFGP-2002-903270 AFGP-2002-903269 AFGP-2002-903262 APGP-2002-903259 AFGP-2002-903219 AFGP-2002-903299 AFGP-2002-903277 AFGP-2002-903275 AFGP-2002-903287 AFGP-2002-903389 AFGP-2002-903385 AFGP-2002-903280 AFGP-2002-903293 AFGP-2002-903276
Created copies of two (2) repository drives for "Phase 1" examination
Attached directory listing of contents
Created Harmony Upload CD with PDF files for upload to Harmony
Installed new repository drive in Exam machine
NORTH TEXAS REGIONAL COMPUTER FORENSICS LABORATORY
301 NORTH MARKET STREET, SUITE 215 DALLAS, TEXAS 75202
000000173
NTRCFL
EXAMINATION REPORT
REGIONAL COMPUTER FORENSIC LABORATORY
Date: August 22, 2002
9/11 Law Enforcement Privacy
To:
From:
Reference: 265A-NY-259391 (Operation Enduring Freedom) NTRCFL # R2-02-0599
Passdown Log Exam Workstation #4
Weeks 08-05-2002 / 08-15-2002 NTRCFL - DALLAS
Processed the following Harmony Numbers
AFGP-2002-004954 AJGP-2002-003788 AFGP-2002-004955 AFGP-2002-00712S AFGP-2002-00710S APGF-2002-007103 AFGP-2002-800417 APGP-2002-007096 AFGP-2002-007122 APGP-2002-800490 AFGP-2002-007096 AFGP-2002-007117 APGP-2002-007101 AJFGP-2002-007127 AFGP-2002-007115 AFGP-2002-007098 AFGP-2002-800412 APGP-2002-800425 AFGP-2002-800434 AFGP-2002-800426 AFGP-2002-800443 AFGP-2002-800421 AFGP-2002-800464 AFGP-2002-007121 APGP-2002-007118
AFGP-2002-007123 APGP-2002-007108 APGP-2002-007129 AFGP-2002-007128 AFGP-2002-007111 AFGP-2002-007095 AFGP-2002-007106 AFGP-2002-007104 AFGP-2002-007112 APGP-2002-007U9 AFGP-2002-007120 AFGP-2002-007110 APGP-2002-007107 APGP-2002-007102 APGP-2002-007097 APGP-2002-007114 APGP-2002-007124 AFGP-2002-007113 AFGP-2002-007116 ALPB-2002-800413 ALBP-2002-800418 AFGP-2002-004948 APGP-2002-004947 ALBP-2002-800639-2
NORTH TEXAS REGIONAL COMPUTER FORENSICS LABORATORY 301 NORTH MARKET STREET, SUITE 215 DALLAS, TEXAS 75201
000000174
Page 2
Created copies of two (2) repository drives for "Phase 1" examination
Attached directory listing of contents.
Created Harmony Upload CD with PDF files for upload to Harmony
Installed new repository drive in Exam workstation #4 8/14/2002
No problems were noted with the exam machine.
000000175
9/11 Law Enforcement Sensitive FD-302 (Rev. 10-6-95)
- 1-
FEDERAL BUREAU OF INVESTIGATION
Date of transcription
10/20/2003
Computer Analysis Response Team Report of Examination Included herein are the results of a digital forensic examination performed by an FBI CART Certified Forensic Examiner. This examination has been performed in accordance with CART policies and procedures. Case Reference: Laboratory Number 030122051 Specimens: AFGP 2002 804371
QHQ001 IBM Travelstar 2.5" 10.06 GB ATA/IDE notebook drive, model DJSA-210, SN 42MZ9347.
Request: Per a Department of Defense Office of General Counsel Memorandum dated September 25, 2003, Subject: Computer Hard Drive Analysis, a forensic analysis of the subject specimen was requested. Additionally, three specific files were requested to be recovered: an article entitled
Summary of Results: A full forensic examination was conducted, and the four requested files were identified and recovered from the specimen. However the recovered documents differed slightly from the descriptions given by the Office of General Counsel. Additionally, one of the requested files, [ ], was password protected, and the password had to be recovered before completing recovery of the document.
Derivative Evidence (DE): Following is a list of digital media containing results of the examination.
DEHQ010
CD with summary results of the examination, with web-based organizing indices.
Investigation on 10/15/2003 at HQ Lab, Washington DC
File # 265A-NY-259391-EEE by ITS/FE
Date dictated 10/15/2003
9/11 Law Enforcement Privacy
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
9/11 Law Enforcement Sensitive FD-302a (Rev. 10-6-95)
265A-NY-259391-EEE
Continuation of FD-302 of Computer Forensic Exam, On 10/15/2003, Page
DEHQ011
5 DVDs containing full results of the examination, with web-based organizing indices.
DEHQ012
3 DVDs containing copies of the image file segments used to perform the examination.
DEHQ013
Western Digital 20 GB hard drive, SN WMAAR1214879, containing full results of the examination.
DEHQ014
Printed copy of the file
DEHQ015
Printed copy of the file
DEHQ016
Printed copy of the file
DEHQ017
Printed copy of the file
DEHQ018
Printed copy of the file
DEHQ019
4-mm DAT containing Safeback image of DEHQ013.
Examination: The specimen had one FAT32 partition. The operating system on the partition was Windows ME. The following processes were performed directly on the specimen:
1. A "digital signature", in the form of an md5 hash, was calculated, with result a550a975c3f9316a588b43ca5a434df8.
2. An image file, in 15 segments, was made of the specimen.
3. A final md5 hash was calculated, with result a550a975c3f9316a588b43ca5a434df8.
All other forensic procedures were performed on the image file segments. These forensic procedures were as follows:
1. An md5 hash was calculated on the concatenated segments, with result a550a975c3f9316a588b43ca5a434df8.
2. The file system was mapped, and an md5 hash was calculated for every file. These results were then compared with a standard list of hashes for known system
000000177
9/11 Law Enforcement Sensitive FD-302a (Rev. 10-6-95)
265A-NY-259391-EEE
Continuation of FD-302 of Computer Forensic Exam, On 10/15/2003, Page
and application files, and the known files were not further examined.
3. Deleted files and residue were extracted.
4. A file list was produced, in the form of a Microsoft Access data base.
5. The four requested files were found. One requested file, [ ], was password protected, as was one nonrequested file, [ ]. Passwords were recovered for both files. The four requested files, plus [ ], were printed out. Some of the requested files as found differed slightly from the descriptions given by the contributor. Specifically, the travel document referenced was six pages in length, not three. Also, the article entitled
6. Internet usage reports were generated, and e-mail files were examined. Although there were indications that the specimen had been used to access the Internet, there appears to have been no usage of standard e-mail programs (such as Outlook and Outlook Express) for user e-mail messages.
7. All results were extracted to DEHQ013, along with forensic logs.
8. A final md5 hash was calculated on the concatenated image file segments, with result a550a975c3f9316a588b43ca5a434df8.
9. Summary and full results, along with copies of the image file segments, were copied to a CD and eight DVDs. These products were DEHQ010, DEHQ011, and DEHQ012.
10. An md5 hash was calculated on DEHQ013, with result Ib21e86call66efa6f0999fdl9b61b8b. An image was made of this drive and placed on a 4-mm data tape.
QHQ001 and DEH1019 are being returned to FBI Document Exploitation evidence control. DEHQ10-DEHQ18 are being returned to the Department of Defense Office of General Counsel. The notes of
000000178
FD-302a (Rev. 10-6-95)
265A-NY-259391-EEE
Continuation of FD-302 of Computer Forensic Exam, On 10/15/2003, Page
examination, along with a copy of DEHQ010, are being retained in a 1A envelope in the FBI Investigative Technology Division file.
000000179
DOCUMENTS RELATING TO ALL COMPUTER ANALYSIS RESPONSE TEAM REPORTS, OR PREDECESSOR COMPUTER EXPLOITATION REPORTS, REGARDING HARD DRIVES SEIZED FROM AL QAEDA ASSOCIATED SUBJECTS FROM 1995 THROUGH SEPTEMBER 11, 2001.
RESPONSIVE TO REQUESTS #34-1 [PACKET #3]
ALSO RESPONSIVE TO DR #34-2 (ALL INVESTIGATIVE MATERIALS (IMAGES OR VERBAL) CONCERNING TRAVEL OR TRAVEL DOCUMENTS DERIVED FROM THOSE HARD DRIVES.)
COMMISSION COPY
9/11 COMMISSION TASK FORCE DOCUMENT DELETION CODES [As of August 11, 2003]
"A" - SOURCE/INFORMANT INFORMATION - Information, the disclosure of which would tend to reveal the identity of an informant or source where confidentiality is expressed or implied.
"B" - FBI TECHNIQUES AND/OR METHODS - Information on sensitive FBI techniques and/or methods which would impede or impair the effectiveness of that technique and/or method.
"C" - NON-RELEVANT FBI CASE INFORMATION - Information neither relevant nor responsive to the Commission's requests.
"D" - FBI PENDING CASE INFORMATION - Information which would impede or jeopardize a pending investigation of the FBI.
"E" - STATUTORY - Information legally prohibited from release by statute.
"F" - PRIVACY/SECURITY - Information, the disclosure of which would be an unwarranted invasion of the personal privacy or jeopardize the safety of law enforcement personnel and/or their family members. Material redacted under this code includes (1) social security numbers; (2) date and place of birth; (3) home address and telephone numbers; (4) personnel cell phone and pager numbers
"G" - FOREIGN GOVERNMENT INFORMATION - The identity of a foreign government and/or foreign service to include the names of foreign law enforcement employees/officials.
9/11 Law Enforcement Privacy
12/8/98
Computer Analysis Response Team
262-NY-267856
981022001 S/I FX SX
Results of Examinations: Media from specimens Q791-Q798 were removed from their casings and labeled, respectively, Q791.1-Q798.1. Specimens Q793.1 and Q798.1 were unreadable due to extensive media errors. Physical images of readable sectors from specimens Q791.1, Q792.1, and Q794.1-Q797.1 were made to magneto-optical disk, and errors were logged to the magneto-optical disk as well. Specimens Q791.1, Q792.1, and Q794.1-Q797.1 were each found to contain a Macintosh (HFS) file system. Active files from specimens Q791.1, Q792.1, and Q794.1-Q797.1 were copied to magneto-optical disk. All outputs onto magneto-optical disk were searched for any strings possibly representing an Internet e-mail address using the regular expression "[a-z0-9]@[a-z0-9]". No significant results were returned. A Disk Ranger catalog listing was made of specimens Q791.1, Q792.1, and Q794.1-Q797.1 at the request of, and for review by, SIOC. All material from the magneto-optical disk was copied to CD-ROM, and an additional copy of the CD-ROM was made at the request of, and for review by, SIOC.
REQ. #34-1
000000180
CART - Page 1 of 1
9/11 Law Enforcement Privacy
12/8/98
Computer Analysis Response Team
262-NY-267856
980911013 S/I FX SX
Results of Examinations: Specimen K190 was found to contain a Seagate ST32122A hard disk drive, serial number XKF04812 / 9J7013-503, which was referred to as specimen K190.1. A physical image of specimen K190.1 was made to magneto-optical disk, and all active files were logically copied to the magneto-optical disk as well. Directory listings of specimen K190.1 and residue extracted from specimen K190.1 were copied to the magneto-optical disk. Three hundred seventy-three (373) erased files were recovered from specimen K190.1 to the magneto-optical disk. A long file name directory listing was also generated and copied to the magneto-optical disk.
Specimen K191 was found to contain: seventeen (17) 3.5" diskettes, referred to as specimens K191.1-K191.17; a plastic diskette storage box, referred to as specimen K191.18; and a cardboard diskette box, referred to as specimen K191.19. Specimen K191.18 was found to contain four (4) 3.5" diskettes, referred to as specimens K191.18.1-K191.18.4.
Specimen K192 was found to contain: a cardboard diskette box, referred to as specimen K192.1; and a cardboard diskette box, referred to as specimen K192.2. Specimen K192.1 was found to contain ten (10) 3.5" diskettes, referred to as specimens K192.1.1-K192.1.10. Specimen K192.2 was found to contain six (6) 3.5" diskettes, referred to as specimens K192.2.1-K192.2.6.
Media were removed from all diskette casings and labeled with the respective specimen number, plus the suffix ".1". Specimens K191.4.1-K191.6.1, K191.17.1, K192.1.1.1, K192.1.2.1, K192.1.4.1-K192.1.10.1, and K192.2.1.1-K192.2.6.1 were found to be unreadable, probably due to there being no file system format on the media.
CART - Page 1 of 2
Physical images of all media specimens containing file systems were made to magneto-optical disk; error logs were generated and also copied to the magneto-optical disk. Directory listings were generated for all media specimens containing file systems and copied to magneto-optical disk. Active files on all media specimens containing file systems were copied logically to magneto-optical disk. Recoverable erased files on all media specimens containing file systems were copied to magneto-optical disk. Residue on all media specimens containing FAT file systems was extracted to magneto-optical disk. All materials generated on the magneto-optical disk were copied to CD-ROM for review by the case agent.
980911013 S/I FX SX
CART - Page 2 of 2
9/11 Law Enforcement Privacy (01/26/1998)
FEDERAL BUREAU OF INVESTIGATION
Precedence: PRIORITY
Date: 06/10/1999
To: New York
Attn: SA
Computer Analysis Response Team (CART)
From: New York
Squad 1-45
Contact: SA
Approved By:
Drafted By:
Case ID #: 262-NY-267856 (Pending)
262-NY-267857 (Pending)
Title: KENBOM; MAJOR CASE 148; IT-OHAH OO: NEW YORK
TANBOM; MAJOR CASE 149; IT-OHAH OO: NEW YORK
Synopsis: To set lead for duplication of computer compact discs (CDS) and diskettes.
Details: The United States Attorneys Office in the Southern District of New York (SDNY) and the New York Office (NYO) of the Federal Bureau of Investigation (FBI) are preparing for the trial of indicted subjects in the captioned investigations. To that end, defense attorneys are seeking copies of evidence seized in the course of FBI investigation. FBI searches have yielded several computers, computer diskettes, and related materials. The NYO Computer Analysis Response Team (CART) has provided on-going computer analysis of such items. To that end, Squad 1-45 is submitting three CDS, known as KENBOM items IBS68, 1B869, and IBS70, and several diskettes, known as KENBOM item 1B118, for duplication. Defense attorneys have requested the listed materials as part of the discovery phase of trial preparation. The deadline for production is June 22, 1999.
To: New York From: New York
Re: 262-NY-267856, 06/10/1999
LEAD(s):
Set Lead 1: NEW YORK AT NEW YORK
Squad 1-45 requests that the Computer Analysis Response Team (CART) duplicate three computer compact disks (CDS) known as KENBOM items 1B858, 1B859, and 1B860. Squad 1-45 also requests that CART duplicate approximately 100 computer diskettes known as KENBOM item 113.
9/11 Law Enforcement Privacy
(01/26/1998)
FEDERAL BUREAU OF INVESTIGATION
Precedence: PRIORITY
Date: 12/06/1999
To: New York
Attn: SSA
CART
SO-15
From: New York
Squad 1-45
Contact: SA
Approved By:
Drafted By:
Case ID #: 262
262-NY-267857 (Pending)
Title: KENBOM M.C. 148 OHAH-IT OO: NY
Synopsis:
Request CART to examine diskettes enclosed.
Enclosures:
102 diskettes for review by CART team.
Details: Enclosed diskettes were seized in captioned case. It is requested that the CART team examine each diskette and download items on the diskette for review or translation by the case squad.
To: New York From: New York
Re: 262-NY-267856, 12/06/1999
LEAD (s): Set Lead 1: NEW YORK AT SO-15. Examine enclosed diskettes and download information in format for review by translator or case squad.
9/11 Law Enforcement Privacy
(Rev. 08-28-2000)
FEDERAL BUREAU OF INVESTIGATION
Precedence: ROUTINE
Date: 05/09/2001
To: New York
Attn: Computer Analysis Response Team (CART)
From: New York
Squad 1-45
Contact: SA
Approved By:
Drafted By:
Case ID #: 262-NY-267856 (Pending)
262-NY-267857 (Pending)
Title: KENBOM; MAJOR CASE 148; IT-OHAH OO: NEW YORK
TANBOM; MAJOR CASE 149; IT-OHAH OO: NEW YORK
Synopsis: To set lead for analysis and duplication of several 3.5" disks, three compact disks (CDs), and one laptop hard drive seized in the course of captioned investigations.
Details: On 08/07/1998, terrorist cells linked to USAMA BIN LADIN bombed the United States Embassies in Nairobi, Kenya and Dar Es Salaam, Tanzania. In the course of the ensuing FBI investigation, NYO seized several computer-related items. The NYO Computer Analysis Response Team (CART) analyzed and duplicated the majority of such computer-related items. Squad 1-45 has identified additional items and requests that CART analyze those items as well and store all recovered data to CD. Material developed from the additional computer-related items may be used in future trials and/or for intelligence purposes.
Squad 1-45 anticipates future trials related to the KENBOM/TANBOM investigation. Although the current Embassy bombing trial is projected to end by June 2001, two subjects are currently being extradited from England to the Southern District of New York (SDNY) and their trial will likely begin within one year of the date of this communication. It should also be noted that the KENBOM/TANBOM investigation led to the indictment of 22 subjects, 13 of whom are fugitives. In the event that a fugitive is arrested, NYO and the United States Attorneys Office-SDNY will prosecute that person.
The computer-related items include:
one laptop computer, known as KENBOM 1B241
five disks, known as KENBOM 1B47 item 12
seven disks, known as KENBOM 1B90 item 3
one disk, known as KENBOM 1B115 item 9
103 disks and three CDs, known as KENBOM 1B118
two disks, known as 1B127 items 4 and 7
two disks, known as 1B137 items 20 and 21
Squad 1-45 requests that CART analyze the listed media and store all recovered data to CD (one CD per IB number).
The items listed above are not enclosed. Squad 1-45 requests that CART contact SA | |, extension 8014, at its convenience and the items will be removed from evidence and released to CART for analysis.
LEAD(s):
Set Lead 1: ALL RECEIVING OFFICES
Squad 1-45 requests that NYO CART analyze the materials listed below and store all recovered data to CDs (one CD per IB number): one laptop computer, known as KENBOM 1B241; five disks, known as KENBOM 1B47 item 12; seven disks, known as KENBOM 1B90 item 3; one disk, known as KENBOM 1B115 item 9; 103 disks and three CDs, known as KENBOM 1B118; two disks, known as 1B127 items 4 and 7; two disks, known as 1B137 items 20 and 21.
The items listed above are not enclosed. Squad 1-45 requests that CART contact SA | |, extension 8014, at its convenience and the items will be removed from evidence and released to CART for analysis.
9/11 Law Enforcement Privacy
9/11 Law Enforcement Sensitive
(Rev. 08-28-2000)
FEDERAL BUREAU OF INVESTIGATION
Precedence: ROUTINE
Date: 08/14/2001
To: New York
Attn: Squad 1-45
From: New York
Squad 1-45
Contact: SA
Approved By:
Drafted By:
Case ID #: 262-NY-267856-TR (Pending)
262-NY-267857 (Pending)
Title: KENBOM; MAJOR CASE 148; IT-OHAH OO: NEW YORK
TANBOM; MAJOR CASE 149; IT-OHAH OO: NEW YORK
Synopsis: To provide copies of file lists and substantive text files found on selected diskettes (disks) seized from | |
Reference:
262-NY-267856-TR Serial 55
262-NY-267856-TR Serial 57
Enclosures: Attached hereto are copies of the file lists for 19 disks seized from | | on 08/20/1998 in | |. Each disk is known by its New York Office (NYO) Computer Analysis and Response Team (CART) Q-number and also by its NYO IB-number. File lists were printed from the following disks:
Q119 - Q125    1B90, item 33 (7 disks)
Q126 - Q133    1B127, item 8 (8 disks)
Q134 - Q135    1B137, items 20 and 21 (2 disks)
Q136           1B115, item 9 (1 disk)
Q137           1B47, item 12 (1 disk)
Also attached hereto are substantive text files and selected residue files found on four disks within the group of 19. These are the only substantive text files on the entire set of 19 disks. The following files were printed: from from from from from
Q12S\FILES Q12S\FILES Q12S\FILES Q12S\ERASED Q126\RESIDUE (not a text file)
from from from from
Q134\FILES Q134\FILES Q134\FILES Q134\FILES
from from from from from from from from from from from from from from from from from from from from from
Q136\RESIDUE (not a text file) Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q13S\FILES Q13S\FILES Q136\FILES Q136'\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES
from from from
Q137\ERASED\CD Q137\ERASED\CD Q137\FILSS
Details: On August 7, 1998, terrorist cells linked to USAMA BIN LADIN bombed the United States Embassies in Nairobi, Kenya and Dar Es Salaam, Tanzania. In the ensuing investigation, investigators from the Federal Bureau of Investigation (FBI) and | | Criminal Investigation Department (CID) searched the | |
The | | search took place on 08/20/1998. Investigators seized business records, both documentary and electronically stored items, along with many other items. Attached hereto are copies of file lists and substantive text files found on selected disks seized during that search. Specifically, this communication addresses 19 disks (each disk is known by its NYO CART Q-number and also by its NYO IB-number), including:
Q119 - Q125    1B90, item 33 (7 disks)
Q126 - Q133    1B127, item 8 (8 disks)
Q134 - Q135    1B137, items 20 and 21 (2 disks)
Q136           1B115, item 9 (1 disk)
Q137           1B47, item 12 (1 disk)
During the same search, investigators seized a Daewoo laptop, known as both NYO CART item Q118 and NYO 1B241. Printable files from that item are attached to referenced communication, 262-NY-267856-TR serial 57. Investigators also seized approximately 104 additional disks and two CD-ROMS, known collectively as NYO 1B118 and known individually as Q12 - Q115 and Q116 - Q117 (respectively). Printable files from those items are attached to referenced communication, 262-NY-267856-TR serial 55.
Processing Disks Q119 - Q137
NYO CART copied all materials on disks Q119 - Q137 to a magneto-optical disk and to a CD-ROM contained in KENBOM sub-302 1A1308. Logical files were copied to folders named "FILES;" deleted files were recovered and copied to folders named "ERASED;" all other printable characters that were not otherwise contained in a file were recovered and copied to folders named "RESIDUE." Each such file folder appears in a parent folder named by Q-number, such that every disk has its own files folder, erased folder, and residue folder. The following disks had no files in their respective "ERASED" folders: Q120 - Q125 and Q127 - Q133. Disk Q127 contained no files whatsoever.
REQ. #34-1
000000195
9/11 Law Enforcement Sensitive To: Re:
New York Fi^m: New York 262-NY-267856-TR, 08/14/2001
All substantive text files contained on the 19 disks were printed and attached hereto, including: from from from from
Q126\FILES Q126\FILES Q126\FILES Q126\ERASED
from from from from
Q134\FILES** Q134\FILES** Q134\FILES** Q134\FILES**
from from from from from from from from from from from from from from from from from from from from
Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILSS Q136\FIL3S Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136\FILES Q136YFILES Q136\FILES**
from from from
Q137\ERASED\CD** Q137\ERASED\CD** Q137\FILES**
All substantive text files are written in Arabic, except those marked with a double asterisk (**). Those files are written in English. Documents written in Arabic are being submitted for translation under separate cover. Two residue files that contained recognizable English names were also printed and attached hereto, including:
from Q126\RESIDUE
from Q136\RESIDUE
The remaining files are system files, executable files, wav files, aud files, etcetera, and do not contain substantive text.
9/11 Law Enforcement Privacy
(12/31/1995)
FEDERAL BUREAU OF INVESTIGATION
Precedence: ROUTINE
Date: 08/24/2001
To: New York
Attn: Squad 1-45
From: New York
Squad 1-45
Contact: SA
Approved By:
Drafted By:
Case ID #: 262-NY-267856 (Pending)
262-NY-267857 (Pending)
Title: KENBOM; MAJOR CASE 148; IT-OHAH OO: NEW YORK
TANBOM; MAJOR CASE 149; IT-OHAH OO: NEW YORK
Synopsis: To summarize computer and computer-related evidence matters in the captioned investigations.
Reference:
262-NY-267856 Serial 4643
262-NY-267857 Serial 3469
Enclosures: Enclosed for reference are the following Computer Assistance Response Team (CART) reports and Latent Fingerprint Section (LFS) reports:
CART FD-302 dated 07/18/2001, 262-NY-267856-302 serial 1721
CART FD-302 dated 03/08/2000, 262-NY-267856-302 serial 1219
CART FD-302 dated 01/04/2000, 262-NY-267856-302 serial 1204
CART FD-302 dated 09/15/1998, 262-NY-267856-302 serial 1698
LFS Lab Report dated 02/12/1999, 262-NY-267856 serial 3935
LFS Lab Report dated 01/20/1999, 262-NY-267856 serial 3816
CART Lab Reports dated 12/08/1998, 262-NY-267856-E serial 24 (two reports -- 980911013 and 981022001)
CART Lab Report dated 10/14/1998, 262-NY-267856 serial 4651
Details:
On August 7, 1998, terrorist cells linked to USAMA BIN LADIN bombed the United States Embassies in Nairobi, Kenya, and Dar Es Salaam, Tanzania. The ensuing investigation led to the seizure of several computers and computer-related items. SA | |, formerly assigned to Squad 1-45, oversaw the processing of all such items as requested by referenced communications. The following is a summary for each item of KENBOM/TANBOM evidence classified as computer or computer-related evidence.
I.
Daewoo Laptop Computer, seized 08/20/1998, Nairobi, Kenya
KENBOM 1B241; NYO CART item number Q118
| | laptop computer from the | | offices in Nairobi, Kenya. This computer is known as KENBOM 1B241 and NYO CART item Q118.
The New York (NYO) Computer Analysis Response Team (CART) made a logical copy of all files (including erased and residue) on the laptop and recorded them to a CD-ROM stored in KENBOM main file 1A225. See attached FD-302 dated 03/08/2000, known as KENBOM sub-302 serial 1219. See also KENBOM sub-302 1A946 for CART exam notes and printout of BMP and WAV files that CART was unable to open.
A copy of the printable files from the laptop is attached to an electronic communication (EC) dated 03/21/2000, known as KENBOM sub-TR serial 57.
II.
Disks and Compact Disks (CD-ROMs), seized 08/20/1998, Nairobi, Kenya
A. KENBOM 1B47, item 12; NYO CART item number Q137
On August 20, 1998, | | seized approximately one disk from the | | offices in Nairobi, Kenya. This disk is known as item 12 of KENBOM 1B47 and NYO CART item Q137.
NYO CART made a logical copy of all files (including erased and residue) on the disk and recorded them to a magneto-optical disk and to a CD-ROM stored in KENBOM sub-302 1A1308. See attached FD-302 dated 07/18/2001, known as KENBOM sub-302 serial 1721.
A copy of the printable substantive text files from this disk is attached to an EC dated 08/14/2001, known as KENBOM sub-TR serial 125.
B. KENBOM 1B90, item 33; NYO CART items Q119 - Q125
| | approximately seven disks from the | | offices in Nairobi, Kenya. These disks are known as item 33 of KENBOM 1B90 and NYO CART items Q119 - Q125.
NYO CART made a logical copy of all files (including erased and residue) on the disks and recorded them to a magneto-optical disk and to a CD-ROM stored in KENBOM sub-302 1A1308. See attached FD-302 dated 07/18/2001, known as KENBOM sub-302 serial 1721.
These disks do not contain printable substantive text files.
C. KENBOM 1B115 item 9; NYO CART item Q136
On August 20, 1998, | | seized approximately one disk from the | | offices in Nairobi, Kenya. This disk is known as item 9 of KENBOM 1B115 and NYO CART item Q136.
NYO CART made a logical copy of all files (including erased and residue) on the disk and recorded them to a magneto-optical disk and to a CD-ROM stored in KENBOM sub-302 1A1308. See attached FD-302 dated 07/18/2001, known as KENBOM sub-302 serial 1721.
A copy of the printable substantive text files from this disk is attached to an EC dated 08/14/2001, known as KENBOM sub-TR serial 125.
D. KENBOM 1B118; NYO CART items Q12 - Q115 (disks) and NYO CART items Q116 and Q117 (CD-ROMs)
On August 20, 1998, | | approximately 104 disks and two CD-ROMs from the | | offices in Nairobi, Kenya. These disks and CD-ROMs are known collectively as KENBOM 1B118 and individually as NYO CART items Q12 - Q115 (disks) and NYO CART items Q116 and Q117 (CD-ROMs).
NYO CART made a logical copy of all files (including erased and residue) on disks Q12 - Q115 and CD-ROMs Q116 and Q117 and recorded them to CD-ROMs stored in KENBOM main file 1A219. See attached FD-302 dated 01/04/2000, known as KENBOM sub-302 serial 1204. See also KENBOM main file 1A222 for a duplicate set of CART CD-ROMs and KENBOM sub-302 1A905 for CART exam notes.
A copy of the printable files from the disks and CD-ROMs is attached to an EC dated 03/21/2000, known as KENBOM sub-TR serial 55.
E. KENBOM 1B127, item 8; NYO CART items Q126 - Q133
| | approximately eight disks from the | | offices in Nairobi, Kenya. These disks are known as item 8 of KENBOM 1B127 and NYO CART items Q126 - Q133.
NYO CART made a logical copy of all files (including erased and residue) on the disks and recorded them to a magneto-optical disk and to a CD-ROM stored in KENBOM sub-302 1A1308. See attached FD-302 dated 07/18/2001, known as KENBOM sub-302 serial 1721.
A copy of the printable substantive text files from disk Q126 is attached to an EC dated 08/14/2001, known as KENBOM sub-TR serial 125. The remaining disks do not contain printable substantive text files.
F. KENBOM 1B137, items 20 and 21; NYO CART items Q134 - Q135
On August 20, 1998, | | seized approximately two disks from the | | offices in Nairobi, Kenya. These disks are known as items 20 and 21 of KENBOM 1B137 and NYO CART items Q134 - Q135.
NYO CART made a logical copy of all files (including erased and residue) on the disks and recorded them to a magneto-optical disk and to a CD-ROM stored in KENBOM sub-302 1A1308. See attached FD-302 dated 07/18/2001, known as KENBOM sub-302 serial 1721.
A copy of the printable substantive text files from disk Q134 is attached to an EC dated 08/14/2001, known as KENBOM sub-TR serial 125. Disk Q135 does not contain printable substantive text files.
III.
FAZUL ABDULLAH MOHAMMED, aka HARUN, Disks, seized 09/02/1998, | |
KENBOM 1B510 items 1 and 2; Lab Items K191 and K192
On September 2, 1998, | | seized approximately 37 disks from the residence of | | located in | |. It should be noted that | | residence is also known as the residence of Mohamed Said Ali. Twenty-one of these disks are known both as item 1 of KENBOM 1B510 and lab item K191; sixteen of these disks are known as both item 2 of KENBOM 1B510 and lab item K192.
FBIHQ CART made a physical image of all media specimens containing file systems to a magneto-optical disk and a CD-ROM known as KENBOM 1B860. Erased files and residue were recovered from the disks to 1B860. Several disks were found to be unreadable, thus, physical images were not recorded to 1B860. See attached Lab Report number 980911013 S/I FX SX dated 12/08/1998, known as KENBOM sub-E serial 24.
A copy of the printable files from the disks is attached to an EC dated 03/21/2000, known as KENBOM sub-TR serial 54.
In addition, the lab recovered latent fingerprints and/or latent palm prints on disks K191.6, K192.1.6, K192.1.9, and K192.2.5. One latent fingerprint developed on disk K192.2.5 was identified as a finger impression of FAZUL ABDULLAH MOHAMMED, aka HARUN. See attached Lab Report number 980911013 FX CW dated 02/12/1999, known as KENBOM main serial 3935.
IV.
FAZUL ABDULLAH MOHAMMED, aka HARUN, Macintosh Computer, seized 09/02/1998, | |
KENBOM 1B513 item 1; Lab Item K189
On September 2, 1998, | | seized a Macintosh Computer from the residence of | | located in | |. It should be noted that | | residence is also known as the residence of Mohamed Said Ali. This computer is known both as item 1 of KENBOM 1B513 and lab item K189.
Lab item K189 is a first generation Macintosh and does not contain an internal hard drive; therefore, CART conducted no analysis of this item.
No latent prints of value were developed on lab item K189. See attached Lab Report number 980911013 FX CW dated 02/12/1999, known as KENBOM main serial 3935. It should be noted that item K189 is not referenced in the Results of Examination; however, K189 appears in the lab communication as a specimen examined for latent fingerprints.
V.
FAZUL ABDULLAH MOHAMMED, aka HARUN, HDD Central Processing Unit (CPU), seized 09/02/1998, | |
KENBOM 1B513 item 2; Lab Item K190
| | from the residence of | | located in | |. It should be noted that | | residence is also known as the residence of Mohamed Said Ali. This CPU is known both as item 2 of KENBOM 1B513 and lab item K190.
FBIHQ CART determined that the HDD CPU contained a Seagate ST32122A hard drive, serial XKF04812/9J7013-503, which was designated as lab item K190.1. CART copied a physical image of the Seagate hard drive to a magneto-optical disk and a CD-ROM known as KENBOM 1B860. Three-hundred and seventy-three (373) erased files were recovered from the Seagate hard drive to 1B860. See attached Lab Report number 980911013 S/I FX SX dated 12/08/1998, known as KENBOM sub-E serial 24.
A copy of the printable files from the Seagate hard drive is attached to an EC dated 03/21/2000, known as KENBOM sub-TR serial 54.
The lab developed latent fingerprints and/or latent palm prints on the HDD CPU, but no identifications were made. See attached Lab Report number 980911013 FX CW dated 02/12/1999, known as KENBOM main serial 3935.
VI.
FAZUL ABDULLAH MOHAMMED, aka HARUN, Briefcase Disks, seized 09/32/1998, | |
KENBOM 1B521 item 45, Lab Items Q791 - Q798
| | approximately eight disks from HARUN | |. The disks were found in a briefcase, known as KENBOM 1B521, that belonged to HARUN. The disks are known both as item 45 of 1B521 and as lab items Q791 - Q798.
FBIHQ CART copied a physical image of the disks' readable sectors to a magneto-optical disk and CD-ROM known as KENBOM 1B859. Lab items Q793 and Q798 were unreadable due to extensive media errors, thus, physical images were not recorded to 1B859. Readable specimens were found to contain a Macintosh (HFS) file system.
NYO CART labeled the same disks NYO CART items Q1 - Q8 and conducted an independent analysis. NYO CART also found the readable disks to contain a Macintosh file system. See attached FD-302 dated 09/15/1998, known as KENBOM sub-302 serial 1698.
| | CART searched the magneto-opt | | strings possibly representing an internet e-mail address using the regular expression "[a-z0-9]@[a-z0-9]" and produced no significant results. See attached Lab Report number 981022001 S/I FX SX dated 12/08/1998, known as KENBOM sub-E serial 24.
As of the date of this communication, SA | | was reviewing these disks and preparing copies of the printable files for the KENBOM file.
No latent prints of value were developed on lab items Q791 - Q798. See attached Lab Report number 981022001 S/L FX SX CW dated 01/20/1999, known as KENBOM main serial 3816.
VII.
FAZUL ABDULLAH MOHAMMED, aka HARUN, Toshiba Hard Drive, seized 09/09-11/1998, Nairobi, Kenya
KENBOM 1B902 (part); Lab Item K200.4
| | seized a Toshiba 2.5" IDE hard drive, model MK2326FCH, from | | in Nairobi, Kenya. Investigation revealed that HARUN had left this hard drive, along with several other parts from a Sharp laptop computer, for repair at | |. This hard drive is known both as KENBOM 1B902 (part) and lab item K200.4.
FBIHQ CART copied a physical image of this hard drive to a magneto-optical disk and CD-ROM known as KENBOM 1B858. Erased files were recovered from this hard drive and also recorded to 1B858.
| | CART searched the residue repor | | strings, "[a-z]@[a-z] Sender:" and | | results were recorded to 1B858. See attached Lab Report number 580914024 S/I FX SX dated 10/14/1998, known as KENBOM main serial 4651.
As of the date of this communication, | | was reviewing this hard drive and preparing copies of the printable files for the KENBOM file.
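The lab reports above describe searching imaged media and recovered residue for e-mail-like strings with the locator pattern "[a-z0-9]@[a-z0-9]". The following Python is an added example, not code from the reports or from CART: it applies that pattern to a raw image read in chunks, widens each hit into a candidate address, and records its byte offset and sector. The widening character sets, the plausibility filter, the 512-byte sector size, the case-folding option and the sample image are assumptions constructed for illustration.

```python
import io
import re
from typing import NamedTuple

SECTOR = 512      # assumption: 512-byte sectors
MAX_SIDE = 64     # assumption: widen at most 64 bytes to each side of "@"

# Assumed character sets for widening; the reports give only the 3-character locator.
_ALNUM = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
LOCAL_CHARS = frozenset(_ALNUM + b"._%+-")
DOMAIN_CHARS = frozenset(_ALNUM + b".-")
# Assumed triage filter: dotted domain ending in an alphabetic label of 2+ letters.
PLAUSIBLE = re.compile(rb"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


class Hit(NamedTuple):
    offset: int      # absolute byte offset of the candidate's first byte
    sector: int      # sector holding that first byte
    text: bytes
    plausible: bool


def anchor(ignore_case=False):
    """The reports' locator, written with look-around so that back-to-back
    hits such as b"a@b@c" are both found. Whether the examiners' tool
    folded case is not stated, so case folding is optional here."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile(rb"(?<=[a-z0-9])@(?=[a-z0-9])", flags)


def widen(buf, at):
    """Grow outward from the "@" at index `at` over address-legal bytes."""
    start = at
    while start > 0 and at - start < MAX_SIDE and buf[start - 1] in LOCAL_CHARS:
        start -= 1
    end = at + 1
    while end < len(buf) and end - at <= MAX_SIDE and buf[end] in DOMAIN_CHARS:
        end += 1
    return start, end


def scan_image(stream, chunk_size=65536, ignore_case=False):
    """Return a list of Hit for every locator match in a raw image stream."""
    pattern = anchor(ignore_case)
    hits, carry, base, done_upto = [], b"", 0, -1
    keep = 2 * (MAX_SIDE + 1)   # overlap kept so boundary hits can be widened
    while True:
        chunk = stream.read(chunk_size)
        eof = not chunk
        buf = carry + chunk
        # Defer hits that lack look-ahead room until the next chunk arrives.
        limit = len(buf) if eof else len(buf) - (MAX_SIDE + 1)
        for m in pattern.finditer(buf):
            at = m.start()
            if at >= limit:
                break
            if base + at <= done_upto:
                continue            # already reported from the previous buffer
            start, end = widen(buf, at)
            text = buf[start:end].rstrip(b".-")
            hits.append(Hit(base + start, (base + start) // SECTOR, text,
                            PLAUSIBLE.fullmatch(text) is not None))
            done_upto = base + at
        if eof:
            return hits
        base += max(0, len(buf) - keep)
        carry = buf[-keep:]


def build_sample_image():
    """Constructed 3-sector test image; not data from the reports."""
    img = bytearray(3 * SECTOR)
    img[100:104] = b"\xffq@7"              # binary noise that satisfies the locator
    addr = b"clerk@mail.example.org"       # constructed address
    img[505:505 + len(addr)] = addr        # straddles the sector 0/1 boundary
    img[1100:1116] = b"INFO@EXAMPLE.ORG"   # upper case: missed unless case is folded
    return bytes(img)


if __name__ == "__main__":
    for hit in scan_image(io.BytesIO(build_sample_image()), chunk_size=512):
        print(hit)
```

The three-character locator also matches binary noise, which is why each hit is widened and filtered before review, and an upper-case address is found only when case folding is enabled.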
VIII.
| | Computer, seized 09/02/1998, Dar Es Salaam, Tanzania
TANBOM 1B276 item 59; Lab Item
On or about September 2, 1998, | | seized an Olivetti M24X5, P166-X CPU, Serial A4979F-Q503'24(T!, from | | in Dar Es Salaam, Tanzania. CART determined that the CPU contained a Fujitsu MPA3017 AT hard drive. The hard drive is known both as item 59 of TANBOM 1B276 and lab item K98.1.1.
FBIHQ CART copied a physical image of this hard drive to a 2.3 gigabyte disk and CD-ROM known as TANBOM 1B283.
Investigation revealed that | | and its owner | |, aka | |, had no connection to the Embassy bombings in Nairobi, Kenya and Dar Es Salaam, Tanzania. In April 2000, NYO shipped this computer to the Regional Security Officer (RSO) in Dar Es Salaam for return to Thomas Lyimo.
IX.
| | disk, seized 09/02/1 | | Tanzania
TANBOM 1B276 item 40; Lab Item K138
On or about September 2, 1998, | | seized one computer disk from | |, in Dar Es Salaam, Tanzania. The disk is known both as item 40 of TANBOM 1B276 and lab item K138.
Investigation revealed that | | and its owner | |, aka | |, had no connection to the Embassy bombings in Nairobi, Kenya and Dar Es Salaam, Tanzania. In April 2000, NYO shipped this disk to the RSO in Dar Es Salaam for return to | |.