It's Evident


Digital Forensics and Terrorism
Mark M. Pollitt, Visiting Faculty, National Center for Forensic Science, University of Central Florida

Terrorism has a long and bloody history, going back to at least the Second Century BCE, when the Romans razed New Carthage.[1] Its goals and techniques have evolved with the political and technological history of human society, but the blood of its victims and the fear invoked in the community are unchanged. Lawmakers and scholars can argue about the taxonomies of terrorism, and social scientists can argue about how terrorists come to be, but throughout the centuries their goal has been the same: to cause violence in a way that invokes fear in the populace. The history of computers is much shorter. The modern, electronic computer dates only from the last half of the Twentieth Century, and personal computing is barely three decades old. The Internet, as we know it today, is half that age, and ubiquitous computing, where everyone is connected to the network all of the time, has already become reality in many places. Arguably, no technology has had as much impact on humankind in so short a period. Just as quickly, the legal, law enforcement and forensic communities have had to evolve ways in which to locate and document “information of probative value, stored or transmitted in binary form.”[2] This quest is commonly called “digital forensics.” This article will explore the relationship between terrorism and digital forensics.

Traditional Digital Forensics
Let us look at the simpler problem first. Digital forensics has been defined as the application of science and engineering to the legal problem of information stored or transmitted in binary form. The practice of digital forensics has mushroomed in the last decade from a tool used only in high-tech crime and child pornography cases to routine use in virtually all types of criminal cases. Its near cousin, electronic discovery, has exploded onto the legal scene and seen accelerating use since the 2006 changes to the Federal Rules of Civil Procedure.[3] It has proved to be very valuable evidence. But its focus on evidence, as we will soon see, is problematic in the terrorism arena.

What do terrorists want?
In some respects, all terrorists are the same. To put it as bluntly as possible, they want to see unimaginable carnage, in the most symbolic place, broadcast on CNN and BBC, and printed on the front pages of every major newspaper and magazine in the world. They want outlets to “explain” their message, and the most successful terrorists want to live, to do it again and again. Terrorists seek, adopt and adapt methods and techniques that are effective in creating the most impact, which in turn provides the most media exposure and popular fear. The bombings, hijackings and kidnappings conducted by terrorist organizations are crimes. The United States response to the 1993 bombing of the World Trade Center, the Bojinka plot to destroy U.S. airliners over the Pacific, and the events of September 11, 2001 was to investigate them as crimes. In each case suspects were identified, evidence (including computers) was collected and defendants were convicted. In each of these cases the computers were examined for evidence of crimes, and whenever it was found, it was used against the defendants. In the case of the 1993 World Trade Center bombing, a deleted letter claiming responsibility for the bombing was found on Nidal Ayyad’s computer. Ramzi Yousef’s computer, recovered by the Philippine National Police, provided detailed information and plans concerning the plot to blow up the airliners. The laptop computer seized from Zacarias Moussaoui had documents concerning his attempts to learn how to fly. Digital forensic examiners found, recovered and testified about this information. However, there was much more information that the examiners found on each of these computers. There was information that might have provided enough warning to have prevented, or at least mitigated, the terrible events of September 11, 2001. Law enforcement and the intelligence community have been lambasted repeatedly for the failure to “connect the dots.”

The notion of evidence
Evidence is a legal construct, designed to constrain the kind of information that the government can collect and present in court. It is a fundamental balancing act that maintains civil society. We try to protect the privacy, safety and security of all citizens, while ensuring the defendant’s right to a fair trial. As a result, the legal community has developed a work process that weeds out any information that is not admissible and probative solely with respect to the elements of a crime. In many ways, it is a form of willful blindness.

What do computers do?
Asking “what do computers do?” in the 21st Century may seem silly: they are everywhere and we use them for almost everything. Today, we not only use desktop computers and mobile devices, but also web-based applications such as Facebook, Twitter™, Google Apps™, Skype™ and YouTube™. Our data is held in “clouds,” independent of location and therefore, jurisdiction. We are connected by our computers, our phones, and even our game consoles. Computing and data have become what computer pundits have labeled “ubiquitous.”

Following this logic, from a legal or forensic perspective, we might be tempted to suggest that digital evidence is therefore also “everywhere,” which is also true. In fact, it is too true. There is far more potential digital evidence of not only terrorist activity but all criminal activity than we can effectively collect, examine, analyze or report. I call this “data glut and information famine.” This is a problem that law enforcement has been dealing with since the early 1990s.[4] If it is problematic in a domestic law enforcement context, consider the difficulties in an international terrorism context. Obtaining and analyzing digital information is a significant obstacle to discovering and neutralizing terrorists. Merely getting the data is not enough. We have to find the important facts, concepts, people, networks, strategies and operations that pose a threat. Getting the “right” information from larger and wider collections of data is a problem that has yet to be solved. But limiting the collection and review of data based solely on evidentiary rules has demonstrably failed.

Terrorism as an enterprise
Make no mistake about it, terrorism is a sophisticated enterprise. The terrorist’s stated goals may be framed as political, economic or religious, but terrorist groups are organizations that, in many ways, mimic the public and private sector. They utilize tactical means to implement what are strategic plans.[5] The terrorist enterprise is not solely a criminal enterprise. It is also a threat to public health, the world economy, national security and human rights. Terrorist groups are global enterprises. Operationally, terrorists have many of the same problems as commercial or military organizations. They must recruit and train people; they must acquire space, equipment, transportation and financial resources. They have to organize, plan and execute at both strategic and tactical levels. Unlike most commercial organizations, they have a need for operational security (OPSEC). Above all, they must communicate covertly. It would seem that computers are a powerful tool for all these purposes.

Lessons from organized crime
Terrorists were not the first criminal enterprises that posed a threat to society. Law enforcement and prosecutors have learned from investigations concerning traditional and non-traditional organized crime. Like terrorists, these groups are global enterprises. They have the need to organize, plan, communicate and fund their activities and members. Prosecutors have learned how to use a variety of criminal statutes to attack these organizations as enterprises, rather than as a number of individual crimes. Law enforcement has learned the value of gathering and sharing intelligence about groups and individuals. By using this intelligence, they have been able to put together much more complex cases that negatively impact the ability of organized criminal groups to function. In some cases, they have succeeded in eliminating them. Governments have been able to do this because they operate within a single community, under a single legal system (or at least under harmonized rules), and the criminals are clearly identifiable. The law has sufficient reach to penalize the various criminal acts and conspiracies and, perhaps most importantly, to seize the proceeds of the enterprise. Statutes such as RICO (18 U.S.C. §§ 1961–1968) and the Continuing Criminal Enterprise statute (21 U.S.C. § 848) have provided powerful tools. Subpoenas and the Grand Jury process have been effective tools to attack organizations. Unfortunately, terrorism is not so constrained. Terrorists operate globally, often outside the jurisdiction of any nation’s judiciary, are difficult to identify and have few visible assets.

Digital Evidence as a strategic weapon
If there is a singular “jurisdiction” in which terrorists operate, it may well be cyberspace. Collecting information from digital sources, whether a laptop left in a hotel room or instant messages transmitted from a mobile device, is likely to be the only available and effective way to collect information on terrorists. But the information collected must transcend the traditional approaches. We have seen how, by focusing on the tactical, evidentiary value of information from terrorists’ computers, we have missed the strategic value of the information and its value in disrupting the enterprise. Our willful blindness has cost us dearly. Information technology has changed the game not only for terrorists, but for governments. The United States Department of Defense has recognized a new form of warfare: information warfare.[6] Our intelligence and law enforcement methodologies must adapt to deal with this new reality. Crime, like warfare, is no longer local. For a free society, this will be challenging. Collecting information on private persons is a very sensitive notion. The rules about what information is collected, how it is collected, and how it is protected, stored and ultimately used have evolved over the years. While few would argue that the current state is perfect, we are somewhat comfortable dealing with the status quo. Faced with the cyber-enabled, global terrorist enterprise, the old rules may need to change. We, as a nation and a world community, will need to determine how we will protect our privacy while eliminating the terrorist threat. The digital forensics community has much to offer in this context and should be an important voice in this debate.


[1] Hoffman, Bruce. Inside Terrorism. Columbia University Press. 1988.
[2] Scientific Working Group on Digital Evidence, definition of digital evidence (
[3] Amendments to the Federal Rules of Civil Procedure (
[4] Computer Forensics Backlog Risk (
[5] Jenkins, Michael. Terrorists Can Think Strategically: Lessons Learned From the Mumbai Attacks. RAND Corp. 2009 (
[6] Department of Defense. Information Operations (JP 3-13, 2006).