Zazi Detention Memo:
The Justice Department filed a memo today making the case for detaining terrorist suspect Najibullah Zazi. It's a pretty riveting read. Of particular interest to me was the important role of computer forensics. By analyzing Zazi's computer, the government was able to reconstruct Zazi's web browsing history and show the details of the alleged plot to gather the chemicals for the bomb. I'm not at all surprised by the role of the computer search, but it's a high-profile example of how computer forensics is becoming an increasingly important part of major criminal cases.

CDU:
So, had this investigation taken place in the 9th Circuit, how would the regime set up in US v. Comprehensive Drug Testing have affected the computer search?
9.24.2009 10:10pm
Mike&:
And yet no one had to be tortured in order to stop this terrorist. ;-)

Sorry; couldn't resist.
9.24.2009 10:32pm
one of many:
CDU, it most likely wouldn't. The govt in this case would have requested warrants for the entire contents of the computer, or at least for information concerning bombs and bomb making. Comprehensive had a warrant just for information about 5 people on a company's computer, and used information about other people obtained from the search. Unless for some strange reason the government didn't ask for a warrant covering Zazi's (and crew's) entire computer(s), there is no way to stretch Comprehensive to apply.
9.24.2009 10:39pm
OrinKerr:
one of many,

I don't follow you. Do you think CDT has no application if the government just asks for permission to seize the computer?
9.24.2009 10:42pm
sbron:
I read that Zazi is a legal permanent resident, but why was he admitted into the U.S. in the first place? Refugee? He was working as a shuttle bus driver -- is there really such a lack of shuttle bus drivers that we have to import them? I bet there were plenty of red flags when immigration first admitted him. Immigration -- why? For what? Can't we at least keep hostile people out of the country? Or do the diversity and free trade cults demand unlimited entry into the US?
9.24.2009 11:12pm
rc:
I read a forum post by a guy who reconstructs deleted computer data for evidence. He mentioned how most data he recovers is cell phone video recordings of rapes and etc, and he remarks offhandedly about how often it is for rapists to tape their crying victims. He didn't appear cavalier or crude... just open.

Good God! I would never want that job. 'Investigate rape' ranks way down, next to 'get raped' as far as job options.

The anonymity of computers makes people ugly. I salute the folks who go after the bad guys...
9.24.2009 11:42pm
Fub:
I'm not at all surprised by the role of the computer search, but it's a high-profile example of how computer forensics is becoming an increasingly important part of major criminal cases.
Not to put too fine a point on it, but I don't see in the memo any indication of particularly sophisticated "computer forensics". They (presumably) imaged a copy of the drive, browsed through some file directories, straightforwardly examined files interpreted in their indicated formats, and noted contents and ordinarily recorded creation and modification timestamps. There was no mention of data hidden by encryption or steganography, or even of files or partial files discovered through examination of disk free space left after deletion from file directories.

That kind of examination certainly qualifies as "forensic" examination, because it is for the purpose of developing evidence. But it is also such a blindingly obvious thing to do that no particular "forensic" expertise would be required to do it.

I suppose I was expecting a terrorist suspect to be a little more clever.
9.24.2009 11:58pm
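The post says the government reconstructed Zazi's web browsing history from his computer, and Fub's comment above describes the plain version of that work: image the drive, open the files in their own formats, note the recorded timestamps. The script below is an added example for this thread, not code from the original post or from the case, showing what "reading the browsing history" concretely involves for the two common browser databases. It assumes the real table layouts of Firefox's places.sqlite (moz_places, moz_historyvisits) and Chrome's History file (urls, visits); all rows it inserts are constructed sample data, and the two on-disk files would normally be copied out of a forensic image rather than built in memory.

```python
"""Rebuild a browsing timeline from browser history databases.

Added example for this thread, not code from the original post or the case.
The table layouts are those of Firefox (places.sqlite: moz_places and
moz_historyvisits) and Chrome (History: urls and visits); every row inserted
below is constructed sample data.
"""
import sqlite3
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Chrome/WebKit timestamps count microseconds since 1601-01-01 UTC; Firefox
# (PRTime) counts microseconds since the Unix epoch. Mixing the two up shifts
# every event by 369 years, so the epoch conversion is the first thing to get right.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

Event = namedtuple("Event", "when browser url title how referrer")

FF_VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark",
                  5: "redirect-permanent", 6: "redirect-temporary"}
# Chrome keeps the core transition type in the low 8 bits of visits.transition;
# the high bits are qualifiers (redirect chain start/end etc.).
CHROME_CORE_TRANSITIONS = {0: "link", 1: "typed", 2: "auto-bookmark",
                           7: "form-submit", 8: "reload"}


def webkit_to_utc(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def utc_to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def prtime_to_utc(us):
    return UNIX_EPOCH + timedelta(microseconds=us)


def utc_to_prtime(dt):
    return (dt - UNIX_EPOCH) // timedelta(microseconds=1)


def build_firefox_sample():
    """Constructed stand-in for a places.sqlite copied out of a disk image."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);""")
    db.executemany("INSERT INTO moz_places VALUES (?,?,?)", [
        (1, "https://www.google.com/search?q=example", "example - Google Search"),
        (2, "https://example.org/page", "Example page"),
    ])
    t = datetime(2009, 9, 6, 14, 3, tzinfo=timezone.utc)
    db.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, utc_to_prtime(t), 2),                           # typed the search
        (2, 1, 2, utc_to_prtime(t + timedelta(seconds=41)), 1),   # clicked a result
    ])
    return db


def build_chrome_sample():
    """Constructed stand-in for a Chrome History file."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
            from_visit INTEGER, transition INTEGER);""")
    db.execute("INSERT INTO urls VALUES (1, 'https://example.net/order', 'Order form')")
    t = datetime(2009, 9, 7, 9, 12, 30, tzinfo=timezone.utc)
    # 7 = form submit, with chain-start/chain-end qualifier bits set in the high byte
    db.execute("INSERT INTO visits VALUES (1, 1, ?, 0, ?)", (utc_to_webkit(t), 0x30000007))
    return db


def firefox_timeline(db):
    # from_visit links a visit to the visit it came from, which is how a click on a
    # search-results page can be tied back to the search itself.
    rows = db.execute("""
        SELECT v.visit_date, p.url, p.title, v.visit_type, r.url
        FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id
        LEFT JOIN moz_historyvisits rv ON rv.id = v.from_visit
        LEFT JOIN moz_places r ON r.id = rv.place_id""")
    return [Event(prtime_to_utc(d), "firefox", url, title,
                  FF_VISIT_TYPES.get(t, f"type-{t}"), ref) for d, url, title, t, ref in rows]


def chrome_timeline(db):
    rows = db.execute("""
        SELECT v.visit_time, u.url, u.title, v.transition, r.url
        FROM visits v
        JOIN urls u ON u.id = v.url
        LEFT JOIN visits rv ON rv.id = v.from_visit
        LEFT JOIN urls r ON r.id = rv.url""")
    return [Event(webkit_to_utc(d), "chrome", url, title,
                  CHROME_CORE_TRANSITIONS.get(t & 0xFF, f"core-{t & 0xFF}"), ref)
            for d, url, title, t, ref in rows]


def merged_timeline(*sources):
    """One chronologically ordered list across every browser database found."""
    return sorted((e for s in sources for e in s), key=lambda e: e.when)


def demo():
    return merged_timeline(firefox_timeline(build_firefox_sample()),
                           chrome_timeline(build_chrome_sample()))


if __name__ == "__main__":
    for e in demo():
        print(e.when.isoformat(), e.browser, e.how, e.url,
              f"(from {e.referrer})" if e.referrer else "")
```

Everything here is "ordinarily recorded" data in Fub's sense: no carving, no decryption. The two things that actually need care are the epoch conversion (all timestamps are normalised to UTC before sorting, so events from different browsers and from file-system metadata can be laid on one timeline) and the referrer chain, which turns a bare list of URLs into a sequence of actions.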
Eli Rabett:
If he didn't make any effort to obtain the stuff, what do they have. Bubkes. If he did, why do they need the computer evidence?
9.25.2009 12:43am
OrinKerr:
Fub,

We don't know how sophisticated the guy was: A detention memo isn't going to give a detailed review of the forensics process.

Eli,

Proving a complicated conspiracy is like putting a big puzzle together. When putting a big puzzle together, you wouldn't normally stop half way and throw out the other pieces on the theory that the puzzle is filled in "enough." That's especially true given that everyone will be eager to second guess the government's case: This is a situation in which having an overwhelming case is very desirable.
9.25.2009 12:53am
one of many:
OK,

Nothing in CDT indicated that there was a problem with using the information actually being searched for if found during a search of a computer. CDT only has application to information other than that which was being searched for. Unless someone made a terrible mistake about what to search for on the computer, the information in the memo is exactly the type of information they should have been searching for on the computer of someone who has been arrested in connection with a conspiracy to set off explosives. If kiddie porn had been found on the computer CDT would have an application, but not information about bomb making and conspiracy. There is the whole other question of the search of a computer in the possession of the government incident to arrest, but there has to be more to make CDT applicable.
9.25.2009 12:54am
John Moore:

That kind of examination certainly qualifies as "forensic" examination, because it is for the purpose of developing evidence. But it is also such a blindingly obvious thing to do that no particular "forensic" expertise would be required to do it.

Errr... a forensic examination is one looking for legal evidence. It doesn't have to be CSI high tech to be "forensic"

Yeah, they probably just looked at his browsing history. Or, they may have had to recover lost files (a little more sophisticated). Or, they might have had to decrypt things (unlikely, but can range from relatively easy to impossible even for NSA). Or, they may have done some deep data recovery, looking for data that had been overwritten - which is sophisticated.

Or, they might have just hacked into Google where all of this stuff is stored, along with his DNA, all of his personal data, and all the details of his future. Just kidding... sort of. When you click on those links on a Google page, it takes you back to Google, which remembers those clicks before sending you off to the page.
9.25.2009 1:04am
Lior:
The memo says the charges against Zazi regard "weapons of mass destruction", yet the evidence detailed refers only to ordinary explosives. Is this an instance where the name of the offence has nothing to do with the proscribed conduct?
9.25.2009 1:18am
Bill Poser:
Actually, the memo does refer to identifying three email accounts as belonging to Zazi, only one of them overtly identified as his, and obtaining the passwords to these accounts. Without further detail it is hard to say what was involved, but it may have been non-trivial.
9.25.2009 1:24am
OrinKerr:
One of many,

I believe that is quite incorrect. CDT has application to each and every computer warrant case: It requires the waiver of plain view ex ante, directs that the search occur by third parties or agents not working on the case, etc.

Sure, the ultimate goal of all of the prophylactic rules is to change how a case comes out when evidence outside the scope of the warrant is discovered. But the Ninth Circuit went out of its way not to create an ex post rule: Instead it is a grand ex ante set of rules that applies to each and every case involving a warrant to search for digital evidence.
9.25.2009 1:36am
one of many:
OK,

It took me a while, but I get it. I was thinking in terms of the results of this search and the results of a search conducted under the CDT standard, not the procedure of the search. Yes, CDT would have affected how the search was conducted if it was conducted under the standard the 9th set up. We cannot say exactly what the changes would be in this particular case at this point, because we don't know how this search was conducted. But is any of the information from the computer search(es) the type of information which would not have been covered by a search under CDT? Zazi was arrested in connection with a conspiracy to set off bombs; a warrant issued under the CDT regime would uncover e-mail evidence of conspiracy and information about bomb-making and make it available to the investigating agents, just under a different procedure.
9.25.2009 4:19am
David M. Nieporent:
If he didn't make any effort to obtain the stuff, what do they have. Bubkes. If he did, why do they need the computer evidence?
Are you asking a serious question, or trolling? "The stuff" is all legal. The computer evidence explains why seeking "the stuff" is evidence of a crime, as opposed to innocent shopping.
9.25.2009 5:22am
DennisN:
Lior:

The memo says the charges against Zazi regard "weapons of mass destruction", yet the evidence detailed refers only to ordinary explosives.


Apparently, the definition of WMD has been expanded to include Destructive Devices, i.e. common IEDs. And I believe DDs can include cherry bombs and the larger firecrackers.

Little did we know, as kids, that we were blowing WMDs up in the alley behind the garage. 8-0
9.25.2009 10:58am
one of many:
Dennis,

It was long ago that this expansion happened; look up the case of a chap called Timothy McVeigh if you want to know the reasoning/law behind it.
9.25.2009 12:37pm
Fub:
OrinKerr wrote at 9.25.2009 12:53am:
We don't know how sophisticated the guys was: A detention memo isn't going to give a detailed review of the forensics process.
If instead of "indication", I had written "slightest suggestion of a scintilla of a shade of a hint of a subtle clue buried in the tea leaves", perhaps my meaning would have been more clear.

John Moore wrote at 9.25.2009 1:04am:
Errr... a forensic examination is one looking for legal evidence. It doesn't have to be CSI high tech to be "forensic"
Likewise, if I had used boldface when I wrote
That kind of examination certainly qualifies as "forensic" examination, because it is for the purpose of developing evidence.
perhaps my meaning would have been more clear.

I'm glad they caught him, but it did not appear to require even slightly sophisticated forensic technical skills, just subpoena and warrant power to access the obvious records of his idiodyssey.
9.25.2009 3:29pm