Following the terrorist attacks in Paris, French officials used metadata from a phone they found in a trashcan to gather information that made it possible to raid ISIS safe houses within a week. During these raids they were able to kill the suspected mastermind behind the operation, who was believed to be planning more attacks....
Sharon D. Nelson is president of the digital forensics, information technology, and information security firm Sensei Enterprises. In addition...
John W. Simek is vice president of the digital forensics and security firm Sensei Enterprises. He is a nationally...
Following the terrorist attacks in Paris, French officials used metadata from a phone they found in a trashcan to gather information that made it possible to raid ISIS safe houses within a week. During these raids they were able to kill the suspected mastermind behind the operation, who was believed to be planning more attacks. Using a combination of cyber forensics and traditional police work, the French identified and successfully raided the purported hideout of the suspected ringleader. Considering our advanced technology, many are left questioning how this happened in the first place? And looking forward, can governments really prevent future acts of terrorism by building backdoors into encryption?
In this episode of Digital Detectives, Sharon Nelson and John Simek discuss the digital forensics of the Paris attacks and the aftermath, including a surfacing argument about cryptic communication, the response from French, British, and American governments, and how Anonymous, the hacker group, has gotten involved. Beginning with a chronology of events, Sharon walks through the events of last Friday. Citing a BBC article published after the Paris attacks, the hosts analyze how the investigation involved traditional and technological means to gather information about the armed attackers and their whereabouts. In addition to fingerprints and DNA, the investigators used witness video footage, mobile phone triangulation, wifi networks, and IP addresses to correlate intelligence and quickly move in on the suspects. John explains how a comment made by Belgium’s Interior Minister about PlayStation 4 network encryption was misinterpreted and carried away by news media, engaging governments in discussions about legislation that could allow encryption backdoors. Is encryption really the problem and is more government control the solution?
Stay until the end of the podcast to hear about Anonymous’s war on ISIS and the hypocritical nature of ISIS’s use of social media.
Advertiser: Welcome to Digital Detectives, reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches. Not theory, but practical information that you could use in your law practice. Right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 66nd edition of Digital Detectives, we’re glad to have you with us. I’m Sharon Nelson, president of Sensei Enterprises.
John W. Simek: And I’m John Simek, vice president of Sensei Enterprises. Today on Digital Detectives, our topic is ISIS Attacks Paris, the Digital Investigation and REsponse. We have no guest today because, well, this is a topic near and dear to our hearts and our expertise.
Sharon D. Nelson: You may for the first time hear a shuffling of papers as we work, but as a lot of journalists, we have been collecting all the information we could. And today, today is actually the 18th of November as we record, and today you have heard a great deal of news. But I want to start back from the beginning because I think a lot of people forgot just because it happened on Friday and because there was so much going on, they don’t have in their minds the chronology of exactly what happened and when it happened on Friday. So let’s talk about that a little, it’s a setup to the story. The first explosion in Paris occurred outside the Stadium of France outside Entrance D about 9:20 PM. Moments later, a second explosion echoed inside the Stadium. French president, François Hollande was in the stadium watching the game and was safely evacuated. IT was a miracle that he was there. If he had not been there, it might well have been true that the terrorists might have gotten into the stadium and the death toll might have been much higher. But as it was, security prevented any entry. At 9:25, two restaurants were entered and the mass attackers killed 15 people at the restaurants Le Carillon and Le Petit Cambodge. Ten more people were seriously wounded. At 9:30, there was another explosion at the stadium. At 9:32 PM, there were five people killed and eight others seriously wounded and forgive me if I mispronounced the name of the restaurant, my high school French has left me completely. 9:36 PM at La Belle Equipe, another black vehicle arrived, 19 people were killed at that restaurant and 9 more were seriously wounded. 9:40 at the Comptoir Voltaire, a suicide bomber blew himself up. Believe it or not, he didn’t manage to kill anyone. Then we go to 9:40 PM at Bataclan, where three attackers armed with assault weapons arrived in a black VW Polo to the concert. And the band that was playing there that night was the United States band, Eagles of Death Metal, which is an interesting name considering what happened. 89 people are killed, the gunmen fired upon people as they lay on the floor, killing them execution style. They entered pumping rifles and shouting, “Allah Akbar!” One patron said they were very calm, very determined, and fired randomly. “It was a bloodbath,” he said. The gunmen took members of the audiences hostage and they regrouped them in front of the stage, and police later find most of the victims were there. At 9:53 PM, near the stadium, a third blast occurred. The remains of a suicide bomber were subsequently discovered. At 12:20 AM, there was a raid by the police upon the concert site Bataclan. Three terrorists were killed during the police counter assault. One was killed by police gunfire and by the explosives he was wearing, and two others activated their suicide belts. The hostages fled at about 1:09, in addition to the 89 dead police found several people injured. One concert patron said that the gunfire was so close that it shook the walls, and he had been hiding for 2 hours in a very small room. The police told him not to look around as he emerged but he looked everywhere and he said there was blood everywhere, even people alive were covered with blood. There was, especially on the ground, a lot of dead bodies and blood and some people had been alive and had to stay there for several hours among the corpses and they went out covered in blood. So it was rather an extraordinary night and we learned about it in America primarily the next day and there were a number of developments after that. Since that time, we’ve had two Air France flights that have been diverted because of bomb threats; no bombs were found. We’ve had two soccer games where the stadiums were evacuated. No bombs were found but the threat might have been credible. We’ve had a great many calls of people making threats. Certainly, we have all been on heightened alert. As I’ve said before today is the 18th of November, there was a raid in Saint-Denis overnight, it was a nighttime raid. Two people were killed in that raid and we’ve also had some people who have been arrested. John is going to talk to you a little bit about how they found that. But we understand now that we have confirmation from French officials who cannot yet be identified that the mastermind behind the French attacks in Paris has been killed. In the raid this morning, French police commandos killed the suspected ringleader of the Paris attacks in a massive predawn raid. This was according to two senior European intelligence officials, after investigators followed leads that the fugitive militant was held up North of the French capital and could be plotting another wave of violence. As I believe I said before, he was in Saint-Denis. His name is Abdel-Hamid Abu Oud, and because we know that the other people are in custody and there were only two deaths, one of the dead was a woman. There were body parts when an entire floor had been exploded by the police outside and so the assumption is that the other person who was killed was Mr. Abdel Oud. It is hard to feel too much grief – I’m sorry to say – for him.
John W. Simek: One of the things that we heard very early on was how could something like this occur, and nobody, absolutely nobody had any idea that it was about to happen. So now, the whole argument about encrypted communication has come to the surface. The initial reports were that the attackers planned this communication using encrypted communications originally from reported to come from the Playstation 4 network, which was later proven to not be true. It just kind of goes to show you. There was a quote out of Newsweek which says that, “As the saying goes, a lie can run around the world before truth can get its pants on.” It kind of happened here because three days earlier, there was a discussion going on with Belgium’s interior minister, Jan Jambon, went on the records saying that the most difficult communications between terrorists to decrepity was via PS4. That happened even before the Paris attacks happened, and the news media kind of misinterpreted that and turned that into saying that the PS4 network was being used by these terrorists in order to plan the attacks, and we now know that’s not true.
Sharon D. Nelson: It could potentially happen, but we have no evidence of it. Is that a correct statement?
John W. Simek: That’s correct, but his statement occurred even before Paris.
Sharon D. Nelson: Correct, yes, I understand that.
John W. Simek: So they had quoted that these encrypted communications were being used. But it really doesn’t matter. So now what’s happened is that the government, even our own government, has gone back and said we need to have a backdoor for encryption again. And that whole argument that has been festering for months has raised its ugly head, and it’s a bad idea. A lot of the security professionals and u included have said it’s a bad idea to build backdoors into encryption and it’s really not going to help anything. Because if there’s a backdoor to encryption for the good guys, the bad guys are going to find it as well at some point and they’ll have access to that. Or, as one official said or one security professional said, it’s like encryption whack-a-mole. You build a backdoor into one system, there’s something else that they’re going to use and there’s a lot of products out there. These guys are pretty smart, there’s thought that they’re using commercial grade, if you will, encryption products. There was even an article posting where they identified the technology that ISIS is using with an actual – The Wall Street Journal published a diagram showing almost like a Powerpoint slide that showed the various products that are available and these products in this column are the safest ones, and these over here are safe and these are moderately safe and these are unsafe. The unsafe being the Whatsapp of the world and WeChat and those kinds of things. Moderately safe being iMessage and Facebook Messenger and those types of things. Apparently, there is evidence though, that ISIS and a lot of the ISIS – maybe not necessarily in these planning attacks – use a product called Telegram, a commercial product which does complete end to end encryption. Okay, that works, that does that. I use a product called Signal on my phone, which does complete end to end encryption. But it’s really a bad idea. I love Bruce Schneier; we hear him quote all the time, right Sharon? Bruce Schneier is a noted computer security expert and encryption genius. He agrees that it’s bad to put these backdoors in there and says, “The bad guys are going to pick and choose whatever encryption products they want, you can’t force terrorists to use Apple. So the government gets backdoor access to iMessage, terrorists will just switch to something else.” And that’s very, very true. But there’s also the argument too that just because it’s an encrypted data stream, you’re going to protect the contents, doesn’t mean that there’s still some intelligence associated with that communication screen. In order to move it from A to B, you have to understand or you have to know what the IP addresses or, you have to know the user ID, or something to route that message through a network. Even though the contents are encrypted, the travel of that message, the metadata associated with that, are still exposed. So there’s still the potential to find out what IP address they were using, or what user ID. But even to use these end to end encryption mechanisms, you just don’t devine this and wake up in the morning and say, “I think I want to send an encrypted text message to user ID Sharon164.” They have no clue, so you have to have something to set up prior to this messaging occurring to establish at least a user ID, a phone number, a text number, or some sort of identifier in which you’re going to be able to communicate with people. So there’s a lot of other ways that the government and these folks can use in order to access this information and this data flow. And there had been reports that France’s own technology isn’t as good as the US or the UK at attacking these communication streams and analyzing them and gathering them all. They’ve kind of changed the way they investigate, so they really aren’t interested in dealing with the encrypted text messages or encrypted communications scheme. They’re using real world informants now. They’re much more effective in getting intelligence that way and having people infiltrate different organizations in which to gain access to all these bad guys.
Sharon D. Nelson: It sounds a lot like the Cold War, doesn’t it? Going back to that kind of black ops. Let me ask you a question though, John. I understand that at the scene of the Paris attacks, in a trash can, they found a cell phone. And I assume that by trolling through the metadata in that phone, that’s where they discovered the probable addresses of some of the safe houses. Is that correct?
John W. Simek: That’s one way, that’s what some of the theories are; we don’t know a lot of the details. First off, what a fool to throw a cell phone away, right? But that also tells us though, if they were able to analyze the phone, that the phone was not locked down. So potentially no pin, no swipe, no whatever, that they were able to access it.
Sharon D. Nelson: They did have some sort of content though on the phone because one of the very last messages was something to the effect of, “We’re ready.”
John W. Simek: Yeah, you’re right though, you would get some sort of data from that phone. But again, they have to be able to access it so it’s not locked down, it’s not in an encrypted form like an iPhone thing – which they would not have been able to access. But that’s how they did get it. But the whole investigated way as to how they walked through it – we’ll talk a little bit more about that, about the various sources of electronic evidence that they discovered as part of this whole attack. I think it’s just fascinating how fast they were able to react and the various pieces to put all these puzzle pieces together as you said to show up at these addresses and create these raids and gather all of this intelligence. It was just phenomenal.
Sharon D. Nelson: When you think about it, it was over 150 raids in a very short time plus manning an attack on Syria and that was very quickly done by the French.
John W. Simek: Well, before we move onto the next segment, let’s take a quick commercial break.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhre in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up to date on the latest technology, and have extensive experience in many types of investigation, including workers comp investigation and surveillance. Find a prescreened investigator today. Visit www.PInow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is ISIS Attacks Paris, the Digital Investigation and Response. I know, John, our listeners would be interested in anything more you have to say about the digital forensics involved in this case today.
John W. Simek: Some of it we’re guessing upon. There are things that we do know and things that we don’t know. Getting back to the surveillance thing and encryption, that’s a hot bed right now; but France actually passed a new surveillance law in June after the previous attacks that requires all the internet service providers to install these black boxes on their network that monitors user activity and retains that data for two to four years. Okay. But what if it’s encrypted data? That doesn’t do you any good, so that’s kind of foolish. Legislators rewrote that section last month and it’s currently awaiting approval, so we don’t know whether or not the storage time period or what the actual collection of those foreign signals are going to be because they’re always a little vague in that regard. But Britain is also considering similar legislation; what they call the Snooper’s Charter – and I wonder who makes these names up. But the bill failed previous attempts and now they’re talking – because of the activity here – they’re talking about reintroducing it again. The US is harboring it as well in building these backdoors and collecting this data. But I think the reality is it’s not because the data is encrypted or any of that stuff. They’ve just got too damn much of it, there’s so much of this information they can’t filter the noise from the real stuff that they want to keep. When we’re talking about the communication schemes anyway. But I thought what was interesting, though, and the BBC did an excellent article on this about the whole investigation, what was done and how they got to where they are today at least to a degree – they didn’t give specifics, certainly, because this is an ongoing investigation – but to start on the ground as an example. The first thing that they do when they went to the crime scenes of what you had described, Sharon, of the killings in the cafes and those things, the first thing they do is gather DNA and fingerprints. That’s traditional police work. Then test the guns that they got from the folks that they killed for prints, and then apparently, I didn’t know this at the time, but there was a dismembered finger from one of the attackers, so they fingerprinted that as well. Then they match all of those up and they compare them to databases. Not only internally in France, but also worldwide. I think it was yesterday that they gave the US 20 sets of fingerprints after the airplanes had been threatened and they weren’t in the databases there. So they’re using traditional means and that’s the DNA evidence and trying to match those up against databases and fingerprints. Then the next step that they did was just like the Boston bombing event is they asked the witnesses for any videos that they had. So any witness to the crimes, because pretty darn much everybody’s got a smartphone these days, and they’re taking pictures and taking video and doing all of this stuff. And as you recall, that was tremendous help in the Boston bombing, the witness videos.
Sharon D. Nelson: And I think there were still cameras that were mounted in various buildings et cetera, and they got all of those as well and using facial recognition technologies with some of that.
John W. Simek: So the whole CCTV because a lot of the EU has video everywhere. The UK certainly has a lot of it. But yeah, using the facial recognition to do that. They also have the same thing that we have here in the United States; probably not as sophisticated as what they have in the United States, but the automatic LPR licence plate recognitions, the licence plate readers, that are gathering and watching these things all around. So they’re able to match those up against rental cars or suspected vehicles or any of that stuff. Mobile phones are a tremendous asset. If they could find a mobile phone number or something where a conversation, let’s say, that occured between two suspects, then they could identify one of those. Basically, it turns that mobile phone into a personal GPS tracker, because now they can go to the Telcos and based upon the serial number of that phone – because it doesn’t have to have GPS on it. The mobile phone has to connect to the cellular network. They can somewhat watch where this device is going and track, so that’s another potential source of their electronic evidence. But as we said earlier, after all these interviews and looking at this kind of information, they’ve developed enough information upon the suspect because they even put a picture, if you recall on the news Sharon, a picture of the suspect they were looking for, the eighth guy. But then from talking with all of these witnesses, that’s how they came up with the addresses for these various apartments and that kind of thing. So then they do these massive, unannounced raids. And what the raids tdo is they produce other evidence. So as a result of the raids, they arrested a bunch of people, they got weapons-
Sharon D. Nelson: They got drugs!
John W. Simek: Yeah, electronics too! Computers, those kinds of things. So now they’ve got more electronic evidence that they’re going to analyze. And as they run through that now they’re going to correlate any of those communications screens. I’m sure it’s how they’re finding out what software was used to communicate. What different applications did they use, those types of things. So those computer examinations, the digital forensic examiners of the electronic devices that they recovered from those raids are very very busy people right now. And then another thing that they did based upon with those computers whether they are laptops or tablets or any of that, you can analyze what the Wi-Fi networks are and what Wi-Fi networks did they previously connect to. And I know a lot of listeners probably don’t even realize that your computer is tracking that. And you don’t even have to say, “Remember to connect,” or whatever the darn box says that you connect automatically. You don’t even have to check that. But any Wi-Fi network that you’ve been connected to is identified and the IP address that you have. So they can use that information to correlate and go back and say, “Ah, this was the cafe such and such,” and what date and time that they connected up to that. So now they can start to position people historically with where these devices were. So it’s just fascinating, all the potential and electronic evidence and how it’s aiding in this investigation.
Sharon D. Nelson: And I think we’re also interested in the social media aspect of this. It’s kind of funny that this is a group ISIL doesn’t believe in the modern world and rants against it, but it uses social media to convert people. It uses social media to spread its word. They have those grotesque YouTube videos, but this is all modern stuff so they’re using that very extensively and I guess it’s comical, a little bit, to watch recently as Anonymous has started to get into the act. And Anonymous, as a hacktivist group, has not always been our favorite group of folks, I guess. But in a YouTube video that was seen more than two million times when I caught up with it, members of the group, Anonymous, in a Guy Fawkes mask – which was classic – declared war on the Islamic state shortly after – it was a day after – the terrorist ISIL claimed responsibility for the attacks in Paris. And they called the attackers vermin and warned them to prepare for many cyber attacks. This too was in French and as we already established, my high school French is long gone. But a translation in SE Magazine, this was the translation: “On Friday, 13, November, our country France was attacked in Paris for two hours by multiple terrorist attacks claimed by you, the Islamic state. These attacks cannot go unpunished. That’s why Anonymous activists from all over the world will hunt you down. Yes, you, the vermin who kills innocent victims. We will hunt you down like we did to those who carried out the attacks on Charlie Hebdo. So get ready for a massive reaction from Anonymous. Know that we will find you and we will never let up. We are going to launch the biggest ever operation against you. Expect very many cyber attacks, war is declared; prepare yourselves. Know this, the French people are stronger than you, and we will come out of this atrocity even stronger. Anonymous sends its condolences to the families of the victims. We are Anonymous. We are legion. We do not forgive. We do not forget. Expect us.” So those attacks have actually begun and thousands of pro-Islamic state Twitter accounts have been taken down. Some were reported to Twitter by Anonymous; reputedly some 25,000 of those accounts were taken down by Twitter itself. There’s also been attacks on the accounts by Anonymous. They’ve published a number of guides for those who want to join the Anonymous community. The first one caught me as a bit comical. It’s called The Noob Guide, which I think means the newbie guide.
John W. Simek: Yep, newbie, yep.
Sharon D. Nelson: I was pretty sure that’s what it meant.
John W. Simek: Yep, hacker lingo.
Sharon D. Nelson: And it basically teaches you how to hack and it gives you access to cheap tools and tells you where they are, et cetera, et cetera. And then to further make the situation colorful, of course, then we had ISIS come back and say how stupid Anonymous were – they called them idiots – as a cyber war between the two groups heats up. It is interesting that it is the modern world but it’s something that we have to watch. Some folks are very upset, especially those who are investigating what happened in Paris. They’re upset with Anonymous because as Anonymous has all of these websites and Twitter accounts removed, these were the very sites that they were watching in order to get information. so to them, they are now being deprived of information. So Anonymous is a double-edged sword. It might be hurting ISIS, but it also might be hurting the government and the investigators and I really don’t know where there’s a balance between that. I only know that they share the same objective which I wish them well. But I don’t know where the balance is in all that and it’s pretty hard to say. But Anonymous has been very strong. The group Anonymous of course is very loosely organized. But it’s clear that the French members of Anonymous have taken the lead here. And in fact, as you know, it was the French who first went in and did all of those attacks the day after the Paris attacks. And I think there’s going to be a sense by many around the world that the French can have the lead on this one in retaliation for Paris. But what I think Anonymous might do is open some backdoor channels with the investigators and the government and they may indeed feed them information. And I think you told me how the best might do it, John. Do you want to repeat that?
John W. Simek: Yeah, but there’s another group too that’s helping out. I can just envision these folks finding out where maybe some ISIS headquarters are or whatever, and then all of a sudden a mysterious email shows up in somebody’s inbox, whether it’s the French or from the Pentagon or whatever. And the contents of the message would say something like, “Perhaps you guys ought to consider testing one of your newfound super accurate missiles at these specific GPS coordinates.
Sharon D. Nelson: And I do think things like that will be shared if they come to light. And you shared with me, John, a story today. It was not from the Paris attacks but actually from several months ago where a terrorist who was fundamentally a moron took a selfie of himself in front of ISIS headquarters in Syria. 22 hours later, the Air Force bombed it and decimated the building. So we have idiots on all sides and I guess name calling is partially where we are here. But what strikes me about this story is it morphs constantly, and I now have a lot of empathy for the reporters on CNN who have to get up and say, “You know what I told you two hours ago? That story has changed!” So as you’re listening to this, indeed, the story may have changed and we already let Legal Talk Network know that if we need to update this podcast we will do so. But it does appear that the guy who was in charge of organizing the attacks on Paris is now dead and we too send our condolences to all of the families of the victims and the city of Paris as well.
John W. Simek: Yes we do. Well that does it for this edition of Digital Detectives; and remember, you can subscribe to all of the editions of this podcasts at LegalTalkNetwork.com, or in iTunes. if you enjoyed this podcast, please review us on iTunes.
Sharon D. Nelson: And you could find out more about Sensei’s digital forensics, technology and security services at www.senseient.com. We’ll see you next time on Digital Detectives.
Advertiser: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on LegalTalkNetwork.com and in iTunes.
[End of Transcript]
Sharon D. Nelson and John W. Simek invite experts to discuss computer forensics as well as information security issues.iTunes Google Play
David Ries talks about whether Kaspersky Lab is safe for lawyers to use, diving into where the controversy started and what the results have...
This legal technology podcast covers the Equifax breach including who was affected, the resulting lawsuits, and whether or not the hack was preventable.
Ben Kusmin talks about the proper handling and format of spreadsheets.
In this legal technology podcast, Brian Wommack talks about the correct way to handle a data breach.
Denver Edwards discusses cybersecurity, including the National Institute of Standards and Technology’s (NIST) cybersecurity framework.
In this legal podcast, Jim McCauley talks about ethical issues lawyers face and how the Virginia Bar is helping to educate lawyers on how...