Super-encrypted material? Special passwords? On 1 November 2017 the Central Intelligence Agency (CIA) released additional material recovered in the 2 May 2011 raid on Bin Laden's compound in Abbottabad, Pakistan. The news has covered the movies, porn, games and other material stored on those computers. We will go further and focus on the security aspects of the 360 GB of zipped data. Did they use passwords? Proxies? Encryption? Any special software?
A few hours after releasing the raw information from the hard drives of at least three computers found there, the CIA pulled the content because of "technical" issues. Eight days later it released the data again, but now all Office documents had been converted to PDF and the EXE files had been "deactivated" by stripping their headers, for "security reasons".
Another interesting thing left in the release were the registry files: raw hives of every kind, including the SYSTEM and SAM files themselves. That looked very promising. Not just the Windows passwords, but also when users logged in, the installed services and programs, Microsoft licences and much more. We retrieved all the registry files and tried to bring them back to life. These are some of the conclusions.
All three computers (ALNSER-81089E22, SHAED-PC and MASOOD-A4065887, the latter from Masood Khan) used the same well-known "public" Windows XP keys, or licences (QW4HD-DQCRG-HM64M-6GJRK-8K83T and RHKG3-8YW4W-4RHJG-83M4Y-7X9GW).
|One of the computers, alive since 2002|
Since we had the SAM files, we could try once more to recover the passwords, this time with a different method. We had already tried with the hiberfil.sys file, but just in case. By default the password hashes in the SAM are protected with a key derived from the SYSKEY (boot key), but that was no problem here: the SYSTEM hives needed to work out each SYSKEY were there too. They were mixed up, though. We did not know which SAM file came from which computer, or which SYSTEM file belonged with which SAM. So we had to run a simple brute force, trying every SYSTEM hive found against every SAM file found.
|After bkhive, we used Cain just to double check|
Some of the SYSKEYs we found were 9e11eec3a1bdfa93caaa4691b08a372c, 09c6b06c839bb4bbda3d3d267f0316e4 and d776321d44b86563039ae83db9becbea. With them we decrypted all the SAM files found, but again no passwords turned up.
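How does one tell which SYSTEM hive goes with which SAM when the files are mixed up? The SAM's "F" value (under Domains\Account) carries the RC4-encrypted SAM key followed by an MD5 checksum over that key, so decrypting it with the wrong SYSKEY produces a checksum mismatch. The following is an added example written for this post, not code from ElevenPaths or from the tools mentioned (bkhive, Cain): it implements that check for the Windows XP/2003 layout (SAM key revision 1, RC4; the AES variant of later Windows versions is not handled), the SYSKEY un-permutation applied to the Lsa class-name bytes, and the all-pairs brute force. Hive parsing is out of scope; the boot keys, SAM keys and F values in `demo()` are constructed, not data from the released drives.

```python
import hashlib

# Constants Windows bakes into the SAM key derivation (SAM key revision 1: the RC4 scheme used
# by Windows XP / 2003). Windows 10 and later use an AES variant this code does not handle.
AQWERTY = b"!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\x00"
ANUM = b"0123456789012345678901234567890123456789\x00"
# Byte permutation that turns the 16 bytes hidden in the class names of
# HKLM\SYSTEM\ControlSet00N\Control\Lsa\{JD,Skew1,GBG,Data} into the boot key (SYSKEY).
BOOTKEY_PERMUTATION = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def bootkey_from_class_names(scrambled: bytes) -> bytes:
    """`scrambled` is the hex-decoded concatenation of the four Lsa class names (16 bytes)."""
    if len(scrambled) != 16:
        raise ValueError("expected 16 bytes of scrambled boot key")
    return bytes(scrambled[p] for p in BOOTKEY_PERMUTATION)


def sam_key_matches(bootkey: bytes, f_value: bytes):
    """Return the 16-byte SAM key if `bootkey` is the SYSKEY that belongs to this SAM hive,
    else None. `f_value` is the binary "F" value of HKLM\\SAM\\SAM\\Domains\\Account."""
    if len(f_value) < 0xA0 or f_value[0x68] != 1:   # Key0 revision must be 1 (RC4 layout)
        return None
    salt = f_value[0x70:0x80]
    rc4_key = hashlib.md5(salt + AQWERTY + bootkey + ANUM).digest()
    hashed = rc4(rc4_key, f_value[0x80:0xA0])       # 16-byte SAM key + 16-byte checksum
    sam_key, checksum = hashed[:16], hashed[16:]
    expected = hashlib.md5(sam_key + ANUM + sam_key + AQWERTY).digest()
    return sam_key if checksum == expected else None


def pair_hives(bootkeys: dict, sam_f_values: dict) -> dict:
    """Brute-force the SYSTEM x SAM pairing: {sam_name: system_name} for every SAM whose
    checksum validates under one of the candidate boot keys."""
    pairs = {}
    for sam_name, f_value in sam_f_values.items():
        for system_name, bootkey in bootkeys.items():
            if sam_key_matches(bootkey, f_value) is not None:
                pairs[sam_name] = system_name
                break
    return pairs


def make_fake_f_value(bootkey: bytes, sam_key: bytes, salt: bytes) -> bytes:
    """Constructed test data: an F value whose SAM key is protected by `bootkey`
    (the inverse of sam_key_matches; no real hive data is involved)."""
    checksum = hashlib.md5(sam_key + ANUM + sam_key + AQWERTY).digest()
    rc4_key = hashlib.md5(salt + AQWERTY + bootkey + ANUM).digest()
    f_value = bytearray(0xA0)
    f_value[0x68] = 1                       # Key0 revision 1 => RC4 scheme
    f_value[0x70:0x80] = salt
    f_value[0x80:0xA0] = rc4(rc4_key, sam_key + checksum)
    return bytes(f_value)


def demo() -> dict:
    """Three constructed boot keys against three constructed SAM F values; SAM_z belongs to a
    SYSTEM hive that is not in the evidence set, so it stays unpaired."""
    bootkeys = {name: hashlib.md5(name.encode()).digest()
                for name in ("SYSTEM_a", "SYSTEM_b", "SYSTEM_c")}
    sams = {
        "SAM_x": make_fake_f_value(bootkeys["SYSTEM_c"], b"K" * 16, b"S" * 16),
        "SAM_y": make_fake_f_value(bootkeys["SYSTEM_a"], b"L" * 16, b"T" * 16),
        "SAM_z": make_fake_f_value(hashlib.md5(b"missing SYSTEM hive").digest(), b"M" * 16, b"U" * 16),
    }
    return pair_hives(bootkeys, sams)


if __name__ == "__main__":
    print(demo())   # {'SAM_x': 'SYSTEM_c', 'SAM_y': 'SYSTEM_a'}
```

Once a pairing validates, the recovered SAM key is what the per-user V values are decrypted with; a SAM whose checksum fails under every boot key either belongs to a SYSTEM hive that is missing from the evidence or had a SYSKEY startup password or floppy configured, which is exactly the case the brute force cannot solve.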
With some of the SYSTEM and user registry hives we can also learn which programs were scheduled to run when the computer started up (the usual registry branch for both legitimate programs and malware: the Run key under HKLM\Software\Microsoft\Windows\CurrentVersion and its HKCU counterpart).
|Some examples of programs from two different computers|
Here are two examples from two different computers. Of course "Msn Messsenger" (with three "s") does not exist, and regsvr.exe is probably malware. SCVhost.exe is not svchost.exe, and the Winlogon Userinit value should contain only userinit.exe (and Shell only explorer.exe), not regsvr.exe. These are all common symptoms of a malware infection.
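The symptoms just listed (lookalike binary names, misspelled entry names, extra executables hung off Winlogon) can be checked mechanically once the values have been pulled out of the hives. Below is an added example written for this post, not ElevenPaths' code or the output of any tool they used: it takes the Run and Winlogon values as plain dictionaries (how they are extracted from the hive is left to whatever registry parser you use) and flags the three patterns described above. The sample values are constructed to resemble the entries shown in the screenshots; the exact paths on the seized computers are not known.

```python
import difflib

# What a clean Windows XP Winlogon key should hold
# (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon); Userinit is comma-terminated.
EXPECTED_WINLOGON = {"Userinit": "userinit.exe", "Shell": "explorer.exe"}
# Legitimate binaries that malware imitates with near-miss spellings (scvhost, regsvr, ...).
LOOKALIKE_TARGETS = ["svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
                     "winlogon.exe", "userinit.exe", "regsvr32.exe"]
# Value names legitimately seen under ...\CurrentVersion\Run on an XP box with Messenger.
KNOWN_ENTRY_NAMES = ["msn messenger", "msmsgs"]
SIMILARITY_CUTOFF = 0.85      # difflib ratio above which "almost the same name" is suspicious


def _basename(cmd: str) -> str:
    """Reduce an autostart command line to the lower-cased executable file name."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path, possibly followed by arguments
        exe = cmd[1:].split('"', 1)[0]
    else:
        exe = cmd.split(" ", 1)[0]
    exe = exe.rstrip(",")                   # Userinit entries end with a comma
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_autostarts(run_values: dict, winlogon: dict) -> list:
    """Return (category, item, detail) findings for suspicious Run and Winlogon values."""
    findings = []
    for name, cmd in run_values.items():
        exe = _basename(cmd)
        if exe not in LOOKALIKE_TARGETS:
            close = difflib.get_close_matches(exe, LOOKALIKE_TARGETS, n=1, cutoff=SIMILARITY_CUTOFF)
            if close:                        # e.g. scvhost.exe ~ svchost.exe
                findings.append(("lookalike_binary", exe, close[0]))
        if name.lower() not in KNOWN_ENTRY_NAMES:
            close = difflib.get_close_matches(name.lower(), KNOWN_ENTRY_NAMES, n=1,
                                              cutoff=SIMILARITY_CUTOFF)
            if close:                        # e.g. "Msn Messsenger" ~ "MSN Messenger"
                findings.append(("lookalike_name", name, close[0]))
    for value, expected in EXPECTED_WINLOGON.items():
        parts = [p.strip() for p in winlogon.get(value, "").split(",") if p.strip()]
        unexpected = [p for p in parts if _basename(p) != expected]
        if unexpected or not parts:          # anything besides the expected binary is a hijack
            findings.append(("winlogon", value, ",".join(unexpected)))
    return findings


# Constructed sample data, modelled on the kind of entries the post describes.
SAMPLE_RUN = {
    "Msn Messsenger": r"C:\WINDOWS\system32\scvhost.exe",
    "MSMSGS": r'"C:\Program Files\Messenger\msmsgs.exe" /background',
    "regsvr": r"C:\WINDOWS\regsvr.exe",
}
SAMPLE_WINLOGON = {
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\regsvr.exe",
    "Shell": "Explorer.exe",
}

if __name__ == "__main__":
    for finding in check_autostarts(SAMPLE_RUN, SAMPLE_WINLOGON):
        print(finding)
```

The similarity threshold is deliberately high: at 0.85 a one-letter transposition (scvhost/svchost) or an inserted letter (Messsenger) is caught, while genuinely different names such as msmsgs.exe are not, but any such heuristic still needs a human to look at the path and the file itself before calling it malware.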
With this data we can even tell when they usually logged in (mostly during the afternoon). For example, was this login the last one ever on that computer? It happened on 1 May, and the raid is dated 2 May.
|Last login in the computer about 2 in the morning|
Passwords and… passwords
We looked in some more likely locations for passwords, for example the Firefox database, called
|Firefox preferences with no password|
We also tried the Outlook Express passwords, since they are stored in the registry. Although we found one, it was not a real password and was most likely set randomly at installation time.
|Fake Outlook Express configuration|
There were no signs of any password manager on the drives. Even worse, we found a password written in a plain TXT file with no context at all.
|Plain password in a TXT file|
And another one with some context... but, when investigated, it turned out to be just an Office activation code.
|Just a common Office activation code|
Passwords for communications between terrorists
The interesting passwords, though, are the ones used for communication between terrorists. Thanks to Metashield Protector we found the email address firstname.lastname@example.org embedded in a Word document. But the context of the file was much more interesting than the address itself.
|In these letters they send instructions for "secure" communication|
In this letter the sender recommends that, because the Internet is so insecure, communications should be exchanged as password-protected compressed files. The password is something in English like "I have no objection to what I gave, and he is the open-minded".
The letter is addressed to "Mukhtar Abi Al-Zubayr", leader of the Somali militant group Harakat al-Shabab al-Mujahidin, which merged with al-Qaeda after Bin Laden's death. It also recommends alerting the recipient about the letter and changing the file extension from ZIP to that of some multimedia file (MP3 or similar).
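Renaming a ZIP to .mp3 only fools a casual look at the file name: the archive still starts with the "PK" local file header, and each entry's general-purpose flag records (bit 0) whether it is password-protected, so a forensic sweep of a drive image can list exactly such disguised, encrypted archives. The following is an added example for this post, not code from ElevenPaths; it scans a directory tree for files with media extensions whose content is actually a ZIP, and reports how many entries are encrypted. The sample tree it builds is constructed (Python's zipfile cannot write encrypted archives, so the encryption bit is set by hand in the headers); the extension list is an assumption, not taken from the letter.

```python
import io
import os
import tempfile
import zipfile

MEDIA_EXTENSIONS = {".mp3", ".mp4", ".avi", ".wav", ".jpg", ".wmv"}   # assumed "cover" extensions
ZIP_MAGIC = b"PK\x03\x04"                                            # local file header signature


def classify_file(path: str):
    """('zip', encrypted_entries, total_entries) if the file is really a ZIP, else None."""
    with open(path, "rb") as fh:
        if fh.read(4) != ZIP_MAGIC:
            return None
    with zipfile.ZipFile(path) as zf:
        infos = zf.infolist()
        encrypted = sum(1 for info in infos if info.flag_bits & 0x1)   # bit 0 = encrypted entry
    return ("zip", encrypted, len(infos))


def scan_for_disguised_archives(root: str) -> list:
    """Walk `root`; return sorted (relative path, encrypted entries, total entries) for every
    media-named file that is really a ZIP archive."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in MEDIA_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            result = classify_file(path)
            if result is not None:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, result[1], result[2]))
    return sorted(hits)


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed one-entry archive; optionally marked as password-protected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("letter.doc", b"constructed sample payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set the encryption flag in the local file header (flags at offset 6) and in the
        # central directory entry (flags at offset 8 from the PK\x01\x02 signature).
        data[6] |= 0x1
        central = data.find(b"PK\x01\x02")
        data[central + 8] |= 0x1
    return bytes(data)


def make_sample_tree(root: str) -> None:
    """Constructed evidence: two disguised archives and one genuine MP3-looking file."""
    folder = os.path.join(root, "videos")
    os.makedirs(folder, exist_ok=True)
    with open(os.path.join(folder, "song.mp3"), "wb") as fh:
        fh.write(build_sample_zip(encrypted=True))
    with open(os.path.join(folder, "clip.avi"), "wb") as fh:
        fh.write(build_sample_zip(encrypted=False))
    with open(os.path.join(folder, "real.mp3"), "wb") as fh:
        fh.write(b"ID3\x03\x00" + b"\x00" * 64)          # ID3v2 tag header, not a ZIP


def run_demo() -> list:
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        return scan_for_disguised_archives(root)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)      # ('videos/clip.avi', 0, 1) and ('videos/song.mp3', 1, 1)
```

On a real image the magic-byte check is the important part: the extension tells you nothing, while the 4-byte signature and the per-entry flag survive any renaming. Traditional ZipCrypto (the scheme most XP-era tools used for "password" protection) is also weak enough that a known-plaintext attack on one entry is often practical, which is worth remembering before treating such an archive as unreadable.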
Thanks to some metadata we could identify one of the latest documents written on those computers. Some documents are dated in the "future", January 2012 or even later, so we have to assume the clocks on the computers were not set correctly.
|Metashield Forensics shows the “life cycle” of a document|
This particular letter was written on a Sunday and printed on a Thursday. But before that, it was edited in some way.
|First version of the letter above, later version below|
“I had sent a previous letter via Sheikh Mahmoud I ask you your phone number to arrange with you my wedding order from the honorable Sheikh Abu abd al.Rahman…”
Then, a few days later, this paragraph is added: "For the phone number, please separate it in the message by arranging it in several parts as funds or objects".
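The "life cycle" Metashield Forensics shows for a document (created on a Sunday, printed on a Thursday, revised in between, dated in the future) comes from the file's own timestamps and revision counter. As an added example, written for this post and not part of it, the code below reads those fields from an Office Open XML package (docProps/core.xml: dcterms:created, dcterms:modified, cp:lastPrinted, cp:revision), names the weekdays, and flags the anomalies a reviewer would look for: dates later than the seizure date, a modification before the creation, a print before the last edit, and more than one saved revision. The document format is an assumption (the originals were Word files later converted by the CIA, so their exact format is not known); the sample document, its dates and the author name are constructed.

```python
import datetime as dt
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
SEIZURE_DATE = dt.datetime(2011, 5, 2)      # date of the Abbottabad raid, from the post


def read_core_properties(docx_bytes: bytes) -> dict:
    """Pull author, revision and the three timestamps out of docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(tag):
        el = root.find(tag, NS)
        return el.text if el is not None else None

    def when(tag):
        value = text(tag)
        return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ") if value else None

    return {
        "author": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "revision": int(text("cp:revision") or 0),
        "created": when("dcterms:created"),
        "modified": when("dcterms:modified"),
        "printed": when("cp:lastPrinted"),
    }


def weekdays(props: dict) -> dict:
    """Weekday name for each timestamp that is present, e.g. {'created': 'Sunday', ...}."""
    return {k: props[k].strftime("%A") for k in ("created", "modified", "printed") if props[k]}


def timeline_anomalies(props: dict, seized_on: dt.datetime) -> list:
    issues = []
    for key in ("created", "modified", "printed"):
        if props[key] and props[key] > seized_on:
            issues.append(f"{key} ({props[key]:%Y-%m-%d}) is after the seizure date: clock probably wrong")
    if props["created"] and props["modified"] and props["modified"] < props["created"]:
        issues.append("modified before created: timestamps tampered with or clock changed")
    if props["printed"] and props["modified"] and props["printed"] < props["modified"]:
        issues.append("last print predates the last edit: the file was changed after printing")
    if props["revision"] > 1:
        issues.append(f"{props['revision']} saved revisions: earlier wording may be recoverable")
    return issues


def build_sample_docx(created: str, modified: str, printed: str, revision: int) -> bytes:
    """Constructed minimal package holding only docProps/core.xml (no document body)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:creator>user</dc:creator><cp:lastModifiedBy>user</cp:lastModifiedBy>"
        f"<cp:revision>{revision}</cp:revision><cp:lastPrinted>{printed}</cp:lastPrinted>"
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


# Constructed sample: written on a Sunday, revised, printed the following Thursday, all in
# "future" January 2012 relative to the May 2011 raid.
SAMPLE_DOCX = build_sample_docx("2012-01-08T15:20:00Z", "2012-01-10T11:05:00Z",
                                "2012-01-12T09:30:00Z", revision=3)

if __name__ == "__main__":
    props = read_core_properties(SAMPLE_DOCX)
    print(weekdays(props))
    for issue in timeline_anomalies(props, SEIZURE_DATE):
        print("-", issue)
```

The weekday and ordering checks are only as good as the clock that wrote the timestamps: a machine whose date runs a few months fast, as these apparently did, shifts everything but keeps the relative order, so the created/printed/modified sequence and the revision counter remain usable even when the absolute dates are not.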
And they stored a hacking book
Despite the malware, the warez and the lack of security measures found, they had a hacking book stored.
This book, created by the well-known "Terrorist 007", was somewhere on the hard drives. It is a quite simple, basic guide to hacking, created probably in 2006, with traditional tricks and the "usual" hacks.