
FBI DOCUMENT REQUEST NO. 34

Thomas H. Kean, CHAIR
Lee H. Hamilton, VICE CHAIR
Richard Ben-Veniste
Fred F. Fielding
Jamie S. Gorelick
Slade Gorton
Bob Kerrey
John Lehman
Timothy J. Roemer
James R. Thompson
Philip D. Zelikow, EXECUTIVE DIRECTOR

The National Commission on Terrorist Attacks Upon the United States ("the
Commission") requests that the Federal Bureau of Investigation (FBI or the
"respondent") provide the Commission with copies of the following documents
no later than March 23, 2004 (the "production date"):

1. All Computer Analysis Response Team (CART) reports, or
predecessor computer exploitation reports, regarding hard drives
seized from al Qaeda associated subjects from 1995 through
September 11, 2001.

2. All investigative materials (images or verbal) concerning travel or
travel documents derived from those hard drives.

3. Sections on terrorist travel and travel documents from training
manuals obtained prior to September 11, 2001, from al Qaeda or
related organizations.

The Commission requests that documents requested above be provided as soon
as they are available, even though all requested documents may not be provided
at the same time, through means of a "rolling" production.

If any requested documents are withheld from production, even temporarily,
based on an alleged claim of privilege or for any other reason, the Commission
requests that the respondent, as soon as possible and in no event later than the
production date, identify and describe each such document or class of
documents, as well as the alleged basis for not producing it, with sufficient
specificity to allow a meaningful challenge to any such withholding.

If the respondent does not have possession, custody or control of any requested
documents but has information about where such documents may be located,
the Commission requests that the respondent provide such information as soon
as possible and in no event later than the production date.

If the respondent has any questions or concerns about the interpretation or scope
of these document requests, the Commission requests that any such questions or
concerns be raised with the Commission as soon as possible so that any such
issues can be addressed and resolved prior to the production date.

March 9, 2004

Daniel Marcus
General Counsel

TEL (202) 331-4060
FAX (202) 296-5545
http://www.9-11commission.gov
DOCUMENTS RELATING
to
ALL COMPUTER ANALYSIS RESPONSE TEAM
(CART) REPORTS, OR PREDECESSOR
COMPUTER EXPLOITATION REPORTS,
REGARDING HARD DRIVES SEIZED FROM AL
QAEDA ASSOCIATED SUBJECTS FROM 1995
THROUGH SEPTEMBER 11, 2001.

RESPONSIVE
TO
REQUESTS #34-1
[PACKET #1]
(MATERIAL ALSO RESPONSIVE TO DR#34-2
INVESTIGATIVE MATERIALS (IMAGES OR VERBAL) CONCERNING TRAVEL
OR TRAVEL DOCUMENTS DERIVED FROM THOSE HARD DRIVES.)

"SECRET MATERIAL ENCLOSED"

COMMISSION COPY
9/11 COMMISSION TASK FORCE
DOCUMENT DELETION CODES
[As of August 11, 2003]

"A" - SOURCE/INFORMANT INFORMATION - Information, the disclosure of which
would tend to reveal the identity of an informant or source where confidentiality is
expressed or implied.

"B" - FBI TECHNIQUES AND/OR METHODS - Information on sensitive FBI
techniques and/or methods which would impede or impair the effectiveness of that
technique and/or method.

"C" - NON-RELEVANT FBI CASE INFORMATION - Information neither relevant nor
responsive to the Commission's requests.

"D" - FBI PENDING CASE INFORMATION - Information which would impede or
jeopardize a pending investigation of the FBI.

"E" - STATUTORY - Information legally prohibited from release by statute.

"F" - PRIVACY/SECURITY - Information, the disclosure of which would be an
unwarranted invasion of the personal privacy or jeopardize the safety of law
enforcement personnel and/or their family members.
Material redacted under this code includes (1) social security numbers;
(2) date and place of birth; (3) home address and telephone numbers;
(4) personnel cell phone and pager numbers.

"G" - FOREIGN GOVERNMENT INFORMATION - The identity of a foreign
government and/or foreign service to include the names of foreign law enforcement
employees/officials.
WITHDRAWAL NOTICE

RG: 148 Exposition, Anniversary, and Memorial Commissions


SERIES: 9/11 Commission Team 5, FRC Box 23
NND PROJECT NUMBER: 51095 FOIA CASE NUMBER: 30383

WITHDRAWAL DATE: 09/08/2008

BOX: 00004 FOLDER: 0001 TAB: 3 DOC ID: 31193682

COPIES: 1 PAGES: 11

ACCESS RESTRICTED
The item identified below has been withdrawn from this file:

FOLDER TITLE: T. Eldridge files-FBI CART documents

DOCUMENT DATE: 08/14/1998 DOCUMENT TYPE: FBI 302

FROM: FBI New York

TO: Director FBI

SUBJECT: Documents relating to all Computer Analysis Response Team (CART) reports, or
predecessor computer exploitation reports, regarding hard drives seized from Al
Qaeda associated subjects from 1995 through September 11, 2001. Responsive to
Requests #34-1 Packet #1 [withheld material]

This document has been withdrawn for the following reason(s):


9/11 Classified Information

WITHDRAWAL NOTICE
9/11 Law Enforcement Privacy

(12/31/1995)

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 06/02/1999

To: FBI Headquarters Attn: NS-3C, Robert Briskman
New York Attn: SAC John P. O'Neill
ASAC Pasquale J. D'Amuro

From: New York
1-4 9A
Contact: SA

Approved By:

Drafted By:

Case ID #: 256A-NY-259391-I8 (Pending)

Title: USAMA BIN LADIN;

Synopsis: Report of investigations conducted in Dhaka,
Bangladesh from 05/22/1999 to 05/29/1999.

Details: At the request of the [redacted], New York Office and
SA [redacted] WFO Cart Team, traveled to Dhaka Bangladesh, along
with representatives of the CIA's Counter Terrorism Center (CTC).
The purpose of this travel [redacted]

Also on this date, three individuals were taken into custody.
According to information provided by the [redacted] these
individuals are all members of HARKUT UL JIHAD and were charged
with involvement in terrorist acts and anti-government
activities.

Upon arrival to Dhaka, SA [redacted] met with [redacted]
Director, [redacted] Director [redacted] explained that his
government has been attempting to control the activities of
certain terrorist organizations who have a strong presence in
Bangladesh. One such group is Harkut Ul Jihad. [redacted] stated
that the [redacted] has information obtained through [redacted]

9/11 Law Enforcement Sensitive
REQ #34-1 000000012
9/11 Law Enforcement Privacy

To: FBI Headquarters From: New York
Re: 256A-NY-259391-I8 (Pending)

Title: USAMA BIN LADIN; IT-SUDAN; OO:NY

Synopsis: Report of investigations conducted in Dhaka, Bangladesh
from 05/22/1999 to 05/29/1999.

Details: At the [redacted] York Office and SA [redacted] WFO Cart
Team, traveled to Dhaka Bangladesh, along with representatives of
the CIA's Counter Terrorism Center (CTC). The purpose of this
travel was to assist in the analysis of computers seized during a
search conducted on 05/04/1999. Also on this date, three
individuals were taken into custody. According to information
provided by the [redacted] these individuals are all members of
HARKUT UL JIHAD and were charged with involvement in terrorist
acts and anti-government activities. Upon arrival to Dhaka, SA
[redacted] met with [redacted]

Director [redacted] explained that his government has been
attempting to control the activities of certain terrorist
organizations who have a strong presence in Bangladesh. One such
group is Harkut Ul Jihad. [redacted] stated that the [redacted]
has information obtained through confidential sources that
[redacted] but, according to the [redacted] has strong ties to
some known terrorists, including the subjects of this arrest and
arrests conducted in January of this year. [redacted] also
expressed concerns about the level of extremist involvement
within Bangladesh. Due to the high poverty levels and relatively
open borders, [redacted] feels that Dhaka is a fertile
environment for recruitment and fund-raising by Islamic
extremists. He welcomed the assistance of the United States as he
believes "we are fighting the same enemies".

Following this meeting Deputy Director [redacted] provided
information concerning the arrests on 05/04/1999. [redacted]
arrest took place [redacted] All three men are Sunni Muslim. They
have

9/11 Law Enforcement Sensitive
REQ #34-1 000000013


9/11 Law Enforcement Privacy

To: FBI Headquarters From: New York
Re: 256A-NY-259391-I8 (Pending)

Title: USAMA BIN LADIN; IT-SUDAN; OO:NY

Synopsis: Report of investigations conducted in Dhaka, Bangladesh
from 05/22/1999 to 05/29/1999.

Details: At the request of the Bangladesh government, SA
[redacted] New York Office and SA [redacted] WFO Cart Team,
traveled to Dhaka Bangladesh, along with representatives of the
CIA's Counter [redacted] of computers seized during a search
conducted on 05/04/1999. Also on this date, three individuals
were taken into custody. According to information provided by the
[redacted] these individuals are all members of HARKUT UL JIHAD
and were charged with involvement in terrorist acts and
anti-government activities.

Director [redacted] explained that his government has been
attempting to control the activities of certain terrorist
organizations who have a strong presence in Bangladesh. One such
group is Harkut Ul Jihad. [redacted] stated that the [redacted]
has information obtained through confidential sources that
[redacted] but, according to the [redacted] strong ties to some
known terrorists, including the subjects of this arrest and
arrests conducted in January of this year, refused to speak to
the authorities and are presently in the custody of the court
system. The computers seized were believed to have been used for
the publishing activities of Harkut Ul Jihad. One of the
computers is a Macintosh based system and the other is a Windows
based system. There were also a number of floppy disks recovered.

[redacted] which will be forwarded to the FBI laboratories and
maintained as evidence. SA [redacted] also made cursory
examination of additional copies of all the material seized but
did not find any information which appeared to be connected to
terrorist activity. Deputy Director [redacted] then explained
that the [redacted] had attempted to access the systems using
[redacted] computer specialists. It was SA [redacted] opinion
that information may have been lost during this initial
examination. Both computers and all the floppy disks will be
examined in detail by the FBI Laboratory. Director [redacted]
requested that the [redacted] be given copies of any additional
information retrieved from the computers or disks.

9/11 Law Enforcement Sensitive
REQ #34-1 000000014


9/11 Law Enforcement Privacy

To: FBI Headquarters From: New York
Re: 256A-NY-259391-I8 (Pending)

Title: USAMA BIN LADIN; IT-SUDAN; OO:NY

Synopsis: Report of investigations conducted in Dhaka, Bangladesh
from 05/22/1999 to 05/29/1999.

Details: At the request of the Bangladesh government, SA
[redacted] New York Office and SA [redacted] WFO Cart Team,
traveled to Dhaka Bangladesh, along with representatives of the
CIA's Counter Terrorism Center (CTC). The purpose of this travel
was to assist [redacted]

Also on this date, three individuals were taken into custody.
According to information provided by the [redacted] these
individuals are all members of HARKUT UL JIHAD and were charged
with involvement in terrorist acts and anti-government
activities. Upon arrival to Dhaka, SA [redacted] met with
[redacted]

Director [redacted] explained that his government has been
attempting to control the activities of certain terrorist
organizations who have a strong presence in Bangladesh. One such
group is Harkut Ul Jihad. [redacted] stated that the [redacted]
has information obtained through confidential sources [redacted]
but, according to the [redacted] strong ties to some known
terrorists, including the subjects of this arrest and arrests
conducted in January of this year. [redacted] who participated in
this task were extremely helpful in coordinating the
investigation. The investigative team was able to function
efficiently and accomplish its tasks rapidly, without any
complication.

In addition to the above investigation, SA [redacted] met with
various U.S. Embassy staff to discuss two letters received by the
embassy. According to the RSO's office, two individuals who
recently applied for U.S. visas were connected to the Usama Bin
Ladin terrorist organization by anonymous sources. In both cases
anonymous letters were received concerning the individuals. Each
letter alleged that the person applying for a U.S. visa was
involved with the Bin Ladin terrorist organization. There did not
appear to be a connection between the two cases. The Consular's
office also indicated that letters such as this are not uncommon
and are usually impossible to verify. The Embassy Consular's
office supplied the two names as [redacted] future information to
the State Department and to FBI NY. New York was previously
informed of the letter concerning [redacted]

9/11 Law Enforcement Sensitive
REQ #34-1 000000015


9/11 Law Enforcement Privacy

To: FBI Headquarters From: New York
Re: 256A-NY-259391-I8 (Pending)

Title: USAMA BIN LADIN; IT-SUDAN; OO:NY

Synopsis: Report of investigations conducted in Dhaka, Bangladesh
from 05/22/1999 to 05/29/1999.

Details: At the request of the Bangladesh government, SA
[redacted], New York Office and SA [redacted], WFO Cart Team,
traveled to Dhaka Bangladesh, along with representatives of the
CIA's Counter [redacted] of computers seized during a search
conducted on 05/04/1999. Also on this date, three individuals
were taken into custody. According to information provided by the
[redacted] these individuals are all members of HARKUT UL JIHAD
and were charged with involvement in terrorist acts and
anti-government activities. Upon arrival to Dhaka, SA [redacted]
met with [redacted]

Director [redacted] explained that his government has been
attempting to control the activities of certain terrorist
organizations who have a strong presence in Bangladesh. One such
group is Harkut Ul Jihad. [redacted] stated that the [redacted]
has information obtained through confidential sources that
[redacted] but, according to the [redacted] strong ties to some
known terrorists, including the subjects of this arrest and
arrests conducted in January of this year, through State
Department channels.

9/11 Law Enforcement Sensitive
REQ #34-1 000000016


WITHDRAWAL NOTICE

RG: 148 Exposition, Anniversary, and Memorial Commissions


SERIES: 9/11 Commission Team 5, FRC Box 23
NND PROJECT NUMBER: 51095 FOIA CASE NUMBER: 30383

WITHDRAWAL DATE: 09/08/2008

BOX: 00004 FOLDER: 0001 TAB: 4 DOC ID: 31193692

COPIES: 1 PAGES: 37

ACCESS RESTRICTED
The item identified below has been withdrawn from this file:

FOLDER TITLE: T. Eldridge files-FBI CART documents

DOCUMENT DATE: DOCUMENT TYPE: FBI 302

FROM:

TO:

SUBJECT: Documents relating to all Computer Analysis Response Team (CART) reports, or
predecessor computer exploitation reports, regarding hard drives seized from Al
Qaeda associated subjects from 1995 through September 11, 2001. Responsive to
Requests #34-1 Packet #1 [withheld material]

This document has been withdrawn for the following reason(s):


9/11 Classified Information

WITHDRAWAL NOTICE
9/11 Law Enforcement Privacy

(Rev. 08-28-2000)

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 07/16/2002

To: New York Attn:
Counterterrorism AD P. D'Amuro
SC
Investigative Services
Islamabad

From: London
Contact:

Approved By:

Drafted By:

Case ID #: 265A-NY-259391 (Pending)

Title: USAMA BIN LADEN;
MAJOR CASE 161

Synopsis: To provide New York with a computer and documents
seized by [redacted] pursuant to the arrest of Hamza AL-LIBI.

Reference: 265A-NY-259391 Serial 7811

Administrative: Forwarded on July 17, 2002, via Federal Express,
to FBI New York, Attn: SA [redacted], the following:

- MW/24 - Hard drive removed from unbranded tower PC
- NF/16 - Hard drive removed from Dell Dimension L566CX
- MW/18 - 1 x CD
- MW/21 - 1 x CD & 5 floppy disks
- MW/27 - 1 x floppy disk

2 - Copies of the below listed [redacted] Exhibits:

DPN/2665/MPS/02
DPN/2670/MPS/02

REQ #34-1 000000054


To: New York From: London
Re: 265A-NY-259391, 07/16/2002

EP/1
CDR/DPN/2664/MPS/02
CDR/DPN/2670/MPS/02

MW/1
MW/2
MW/3
MW/4
MW/5
MW/6
MW/7

MW/8
MW/9
MW/10
MW/11
MW/12
MW/13
MW/14
MW/15
MW/16
MW/17
MW/18
MW/19
MW/20

MW/21
MW/22
MW/23
MW/24
MW/25

MW/26

MW/27
NF/1

000000055
REQ #34-1
To: New York From: London
Re: 265A-NY-259391, 07/16/2002

NF/2
NF/3
NF/4
NF/5
NF/6
NF/7
NF/8
NF/9
NF/10
NF/11
NF/12
NF/13
NF/14

NF/15
NF/16
NF/17
NF/18
Record Only
Record Only
Record Only
Details: In referenced EC, Serial 7811, dated May 17, 2002, the
recipients were provided with the following information:

"[redacted] warrants that had been obtained under the auspices of
the Terrorism Act 2000 (TACT). The warrants were executed
simultaneously at [redacted]

9/11 Law Enforcement Sensitive

REQ #34-1 000000056


9/11 Law Enforcement Sensitive

To: New York From: London
Re: 265A-NY-259391, 07/16/2002

[redacted] computers, CD ROMs and floppy diskettes recovered
during the aforementioned searches. [redacted] also provided
Legat with copies of documents, communications, telephone address
books, etc. recovered during the same searches.

The Exhibits, as itemized in the Administrative Section of this
communication, were forwarded to FBI New York, Attn: SA
[redacted] on July 17, 2002, via Federal Express.

FBI New York is requested to provide the enclosed [redacted] to
CART, and to ensure that remaining [redacted] Exhibits
into INTELPLUS.

9/11 Law Enforcement Privacy


000000057
REQ #34-1
To: New York From: London
Re: 265A-NY-259391, 07/16/2002

LEAD(s) :
Set Lead 1:
NEW YORK
AT NEW YORK, NY
New York is requested to ensure that [redacted]
provided by [redacted] is made available to CART.
New York is requested to ensure that all relevant
Exhibits are entered into INTELPLUS.
Set Lead 2: (Adm)
COUNTERTERRORISM
AT WASHINGTON, DC
Read and clear.
Set Lead 3: (Adm)
INVESTIGATIVE SERVICES
AT WASHINGTON, DC
Read and clear.
Set Lead 4: (Adm)
ISLAMABAD
AT ISLAMABAD, PAKISTAN
Read and clear.

REQ #34-1 000000058


DOCUMENTS RELATING
to
ALL COMPUTER ANALYSIS RESPONSE TEAM
(CART) REPORTS, OR PREDECESSOR
COMPUTER EXPLOITATION REPORTS,
REGARDING HARD DRIVES SEIZED FROM AL
QAEDA ASSOCIATED SUBJECTS FROM 1995
THROUGH SEPTEMBER 11, 2001.

RESPONSIVE
TO
REQUESTS #34-1
[PACKET #2]
(MATERIAL ALSO RESPONSIVE TO DR#34-2
INVESTIGATIVE MATERIALS (IMAGES OR VERBAL) CONCERNING TRAVEL
OR TRAVEL DOCUMENTS DERIVED FROM THOSE HARD DRIVES.)

"SECRET MATERIAL ENCLOSED"

"CONTAINS SENSITIVE CRIMINAL AND/OR
[illegible] INFORMATION PERTAINING TO TERRORISM
-RELATED INVESTIGATIONS"

COMMISSION COPY
9/11 Law Enforcement Sensitive
9/11 Law Enforcement Privacy

04/16/04 View Document Text

Case ID: 315N-NY-259391-302 * Serial: 411

On March 28, 2002, Special Agent [redacted], FBI, Washington
Field Office, Computer Analysis Response Team (CART), assisted in
the execution of searches in [redacted]. Following the execution
of these searches, the evidence was brought to [redacted] where
SA [redacted] examined the following computer media:

Site D 71-2331: Generic mini-tower CPU containing one hard
drive, a Quantum Fireball EX, serial number 527351, p/n EX32A014,
approximately 3 Gigabytes (GB),

Site F 73-9001: SP tower CPU containing one hard drive, a
Quantum Fireball let, p/n QML15000LC-A, serial number
612019327495 DFZXX, approximately 15 GB,

Site G 74-6931: Smart series mini-tower CPU containing one hard
drive, a Quantum Fireball CR, serial number 824916152940 PGZXX,
approximately 4 GB,

An image copy of each hard drive was created and stored on
forensically sterile media. The working copy hard drives were
then reviewed for immediate threat information. These working
copies remained in [redacted] after SA [redacted] left on
3/31/02, for further evaluation.

The following e-mail addresses were associated with the Site F
73-9001 hard drive: [redacted]hotmail.com and [redacted]. Both
addresses were aliased/nicknamed as [redacted]. One e-mail
provided instructions for depositing donations to [redacted]

An e-mail received from [redacted], originating IP address
[redacted], revealed that the writer was working in [redacted]

A number of documents in Arabic were also located and appeared to
be related to bank accounts, phone numbers and lists of contacts
for fund-raising activities. Further analysis is required.

The original CPUs, with the exception of the system from Site G,
were transported back to the United States for further
examination. The CPU from Site G was returned to the [redacted]
authorities.
TO-4 WFO FBI PAGE 67
91/14/2084 01:05 I


REQ #34-1 000000064


9/11 Law Enforcement Privacy

FD-302 (Rev. 10-6-95)

-1-

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 06/20/2000

Computer Analysis Response Team (CART) field examiner (FE)
[redacted] of the New York City Division requested the
assistance of CART FE [redacted] with an Apple computer
system examination.

In performance of the above stated request, the CART FE
assisted special agents in the review of previously copied files
from original evidence in this matter. The files reviewed were
located on CDROM discs. The review process included, but was not
limited to, printing files, viewing files, and troubleshooting
problems that arose during the review. This is the extent of the
assistance provided regarding the Apple computer system.

All related materials remained with the New York City
Division.

Investigation on 5/15/00 at Manhattan, New York

File # 255A-NY-259391 Date dictated 6/20/00

by [redacted] CART FE

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.

9/11 Law Enforcement Sensitive

FD-302 (Rev. 10-6-95)

-1-

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 12/20/1999

On Friday, December 17, 1999, at 2:30 PM, SA [redacted] was
given access to three computers, believed to be associated with
[redacted]

Images were made, to magneto optical cartridges, of the
following computers:

A Toshiba Satellite Model 300CDT notebook computer, serial number
68542478E, containing a Toshiba hard drive, serial number 68118960.

A TIKO desktop computer (no serial number), containing two hard
drives, a Maxtor 7270AV hard drive, serial number H203B9HS, and an
unknown model, 813 1*EB hard drive.

An AST Premium II desktop computer (no serial number), containing
two hard drives, a Seagate OT3660A hard drive, serial number
AF21198/7523E12774 and a Maxtor 7425AV hard drive, serial number
N1010DMO.

9/11 Law Enforcement Privacy

Investigation on 12/17/99

File # 265A-NY_^2593 Date dictated 12/20/99

by SA

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.
(Rev. 10-01-1999)

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 1/3/2000

To: New York Attn:
Laboratory
CART, Room 4315

From: Pocatello ITC
Computer Analysis Response Team
Contact:

Approved By:

Drafted By:

Case ID #: 265A-NY-259391 (Pending)
WE 66F-A51-L-

9/11 Law Enforcement Privacy

Title: USAMA BIN LADIN;
MAJOR CASE 161

Synopsis: To close lead and provide information to case agent
and FBIHQ CART.

Reference: 265A-NY-259391 Serial 2163

Package Copy: Being forwarded under separate cover 324 3½"
diskettes, one original compact disc, one 3½" diskette containing
the Vogon utility SRESTORE with documentation, two duplicate
compact discs with all DOS readable files, and two compact discs
with minimized files (one of those with the ACES Viewer
software). These items are being sent via Federal Express.

Enclosure (3): Enclosed for the New York Field Office is an
original and one copy of the FD-302 regarding the CART processing
of the Vogon images from compact disc to diskettes and the
minimization details. Enclosed for FBIHQ CART is a copy of the
FD-302 and CART examination report form.

Details: The CART processing of the Vogon images was performed
by CS [redacted] and CS/FE [redacted] of the Pocatello
Information Technology Center according to the instructions given
from the FBI's New York Field Office. The minimization was
performed by CS/FE [redacted]. The details of this process are
described in the attached FD-302.

REQ #34-1 000000067

9/11 Law Enforcement Privacy

FD-302 (Rev. 10-6-95)

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 1/3/2000

Computer Specialist Forensic Examiner (CS/FE) [redacted] of the
Pocatello Information Technology Center (PITC) was requested by
[redacted] of the New York, New York Field Office to restore
floppy diskette images contained on a compact disc back to floppy
diskettes. The compact disc and image software were received by
the FBI's Pocatello Information Technology Center (PITC) on
November 18, 1999 and placed into a controlled access vault by
CS/FE [redacted].

On November 29, 1999, CS [redacted] began running the Vogon
utility called SRESTORE under the direction of CS/FE [redacted].
The SRESTORE utility restored 324 images from one compact disc on
to 324 diskettes. CS [redacted] finished processing the high
density image files on December 1, 1999. CS/FE [redacted]
finished the double density image files on December 2, 1999.

On December 8, 1999, Special Agent (SA) [redacted] requested that
the PITC print all readable files located on the restored
diskettes. Because of the substantial quantity of the printed
media, SA [redacted] and CS/FE [redacted] agreed that CS/FE POOLE
would copy all files to a compact disc and minimize those files
that were unreadable. CS/FE [redacted] numbered and labeled all
diskettes from POQ001 through POQ324. The eliminated diskettes
from the minimized compact disc are in the list that follows:

NON-DOS / Unreadable    Software           Blank

POQ002-POQ005           POQ006             POQ038-POQ044
POQ007-POQ008           POQ031-POQ033      POQ055
POQ010                  POQ052             POQ118-POQ119
POQ013-POQ014           POQ056             POQ131
POQ017-POQ027           POQ067-POQ068      POQ231
POQ029-POQ030           POQ073-POQ079
POQ034                  POQ080-POQ097
POQ035-POQ037           POQ100-POQ101
POQ045                  POQ163-POQ210
POQ048-POQ051           POQ298
POQ053-POQ054
POQ057-POQ060
POQ063

Investigation on 11/18-12/29/1999 at Pocatello, Idaho

Date dictated 1/3/2000

by

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.

FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of CART Processing of Floppy Images, On 11/18-12/29/99, Page

NON-DOS / Unreadable    Software           Blank

POQ065-POQ066
POQ102-POQ108
POQ110-POQ112
POQ114
POQ117
POQ128-POQ130
POQ132-POQ138
POQ152-POQ161
POQ211-POQ216
POQ220-POQ230
POQ232
POQ236-POQ263
POQ265-POQ2SS
POQ273-POQ278
POQ280
POQ284-POQ285
POQ289-POQ291
POQ293
POQ295
POQ299-POQ300
POQ305-POQ308
POQ310
POQ312-POQ319
POQ321

9/11 Law Enforcement Privacy

The original compact disc, the floppy diskette containing the
Vogon software, the 324 restored diskettes, two copies of the
compact disc of all readable files, and two copies of the compact
disc with the minimized files will be shipped back to SA [redacted] of the New York Fie

REQ #34-1 000000069


FD-302 (Rev. 10-6-95)

-1-

FEDERAL BUREAU OF INVESTIGATION

9/11 Law Enforcement Sensitive

Date of transcription 2/28/00

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner:

SPECIMEN(S):
NYO Q24 - 26 - CD Rom Disks
NYO Q177 - 188 - CD Rom Disks
NYO Q189 -

EXAMINATION:
Copies of Q24 - 26 and Q177 - 188 were made to CD Rom
using a CD Rom duplicator.
Logical copies of the files on Q189 - 193 were made to
disk using Windows 95 Explorer. Deleted files were recovered
from Q191 and Q192 using Norton Utilities for Windows. Files on
these exhibits were cataloged using the TreePrint utility.
CD Roms were prepared containing the logical file copies, the
recovered deleted files and the floppy file listing.

9/11 Law Enforcement Privacy

Investigation on 2/28/00 at New York

File # 265A-NY-259391 Date dictated

by SA

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.
9/11 Law Enforcement Sensitive

FD-302 (Rev. 10-6-95)

-1-

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 03/24/00

The following examination was conducted by a
Computer Analysis Response Team (CART) Field Examiner:

SPECIMEN(S): Q189 - Q193 - 3.5" floppy disks

This report supplements a report dated 02/28/00.

Residue was extracted from Q189, Q190, Q191, Q192 and
Q193 to an exam hard drive using the REDX Utility. A CD Rom was
prepared of the residue.

9/11 Law Enforcement Privacy

Investigation on 03/24/00 at New York, New York

File # 265A-NY-259391-SUB-00 Date dictated

by SA

This document contains neither recommendations nor conclusions of the FBI. It is the property of the
9/11 Law Enforcement Sensitive

FD-302(Rev. 10-6-95)

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 01/28/2000

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner:

SPECIMEN(S):
Q83, Q84, Q89, Q90 - Magneto Optical Disks containing data
seized [redacted]

The image from Q83 was restored to a new hard drive
using the Safeback Utility.
The image from Q84 was restored to a new hard drive
using the Safeback Utility.
The image from Q89 was restored to a new hard drive
using the Safeback Utility.
The image from Q90 was restored to a new hard drive
using the Safeback Utility.

9/11 Law Enforcement Privacy

Investigation on 01/28/2000 at New York, NY

File # 265A-NY-259391    Date dictated 01/28/2000

by SA

REQ #34-1 000000072
9/11 Law Enforcement Sensitive

FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/31/2000

The following examination was conducted by Computer
Analysis Response Team (CART) Field Examiners.
SPECIMEN(S):

Q119 - Magneto Optical Disk containing
Safeback image of Toshiba 300CDT Notebook
Acquired in [redacted] 12/1999.
Q120 - Magneto Optical Disk containing
2 Safeback images of TIKO Desktop and
2 Safeback images of AST Premium II
(2 Hard Disk Drives each)
Acquired in [redacted] 12/1999.

The image contained on Q119 was restored to an exam
hard drive (Q119 restored). A logical copy of Q119's restored
files (two partitions) was made to optical disk using the
Codeblue utility. Recoverable deleted files on Q119 restored
were recovered to optical disk using the XDF and XDF32 utilities.
Residue was collected using the REDX and REDX32 utilities. The
DriveScan and Is-Encrypted utilities were run on the logical copy
of Q119 restored and a report was created. The Tree Print
utility was used to create a listing of the directory structures.
The images contained on Q120 were restored to exam hard
drives. Logical copies of the restored files were made to
optical disk using the Codeblue utility. Recoverable deleted
files on the restored images were recovered to optical disk using
the XDF utility. Residue was collected using the REDX utility.
The DriveScan and Is-Encrypted utilities were run on the restored
images and a report was created. The Tree Print utility was used
to create a listing of the directory structures.
The residue collected from images contained on Q119 and
Q120 were searched for the following list of words supplied by
the case agent:

Investigation on 05/31/2000 at New York, NY
File # 265A-NY-259391    Date dictated 05/31/2000

by SA

FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of , On 05/31/2000, Page

9/11 Law Enforcement Sensitive

The residue search returned negative results.

REQ #34-1 000000074


9/11 Law Enforcement Privacy

FD-302 (Rev. 10-6-95)

- 1-

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 11/13/97

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner:
SPECIMENS:
Q1 - 12: 3 M floppy disks

Q1 - 12 are image copies of floppy disks provided by SA

Q1 contains files which run an install program for "My
Advanced Label Designer" software.
Q2 contains files which run an install program,
"hadeeth.exe". Attempts to load this application failed.
Q3 contains files which run an install program for
"Islamic Adan for Prayers".
Q4 contains an executable program "guran.exe", which
appears to be an electronic version of the Koran. The program
will not run properly without special screen fonts.
Q5 - 8 contain files which appear to supplement Q4.
Q9 - 10 contain Windows font files.
Q11 - 12 contain files consistent with those utilized
by the software "Act". However, running the "install.exe" file
on this exhibit starts to load a program similar in appearance to
Q4.
No deleted files of value were noted on Q1 - 12.
The residue on Q1 - 12 was extracted for further review
by the case Agent.

Investigation on 11/13/97 at New York, NY

File # 265A-NY-259391    Date dictated 11/13/97

by

FD-302 (Rev. 10-6-95)

- 1-

FEDERAL BUREAU OF INVESTIGATION

Date of transcription

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner:

SPECIMEN(S):

Q27 - Optical disk containing floppy disk images

Q28 - Optical disk containing an image from a no-name
mini-tower computer

Q29 - Jazz disk containing an image of a Maxtor Hard
Disk Drive

Q30 - Optical disk containing a logical copy of a
Maxtor Hard Disk Drive

Images from Q28 and Q29 were restored and reviewed with
the case Agent. Both images restored an Arabic version Operating
System.

CD Roms containing files from Q27 and Q28 were prepared
for dissemination. Jazz disks containing files from Q29 and Q28
were prepared for dissemination.

Recoverable deleted files from Q28 were recovered to
optical disk using the Makefer utilities. No files of value were
noted.

Investigation on 4/21/99 at New York, NY

File # 265A-NY-259391    Date dictated

Law Enforcement Privacy
FD-302 (Rev. 10-6-95)

- 1-

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 08/21/98

The following Computer Analysis Response Team (CART)
examination was conducted between August 13, 1998 and August 21,
1998:

Restored Safeback Images for AB0110, AB0210, AB0310,
AB0510 and AB0520. Restored "xcopy" for AB0410. Restored floppy
images.

Unerased files for AB0110, AB0210, AB0310, AB0510,
AB0520 and floppy images.

Retrieved residue from AB0110, AB0210, AB0310, AB0510,
AB0520 and floppy images.

Created CD's containing active, unerased and residue
files.

Investigation on 08/21/98 at New York, New York

File # 26    Date dictated

by SA

FD-302 (Rev. 10-6-95)

- 1-

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 5/28/99

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner:

SPECIMEN(S):

Q24 - 650MB Compact Disc labeled "Copy C1"
Q25 - 650MB Compact Disc labeled "Copy C2"
Q26 - 650MB Compact Disc labeled "Copy C3"

Recoverable files were printed for review by the Case
Agent.

Investigation on 5/23/99 at New York, New York

File # 265A-NY-259391    Date dictated 5/31/99

by SA 9/11 Law Enforcement Privacy

9/11 Law Enforcement Sensitive

FD-302 (Rev. 10-6-95)

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 7/09/99

The following search was conducted by a Computer
Analysis Response Team (CART) Field Examiner (FE). This search
was done following the procedures and using tools provided by the
FBI Laboratory.
A computer search/seizure was conducted at the United
States Embassy, [redacted]
The following computer(s) were searched and data was
seized from the hard drive(s) (HD):
One (1) Compaq brand Deskpro 2000 computer, serial number (s/n)
8646HVS51688.
One (1) International Business Machines (IBM) brand computer, s/n
558P54P.
One (1) Macintosh brand computer model LC, s/n SG1370FJL10.
One (1) Generic computer, no s/n.
One (1) DTK brand computer, no s/n.

Images of the HDs were made to magneto-optical disk
(MOD) using the Safeback and FWB Toolkit utilities. Logical
copies of all partitions of the HDs were made to MOD using the
Codeblue utility. Recoverable deleted files were transferred to
MOD using the Makefer utilities.
In addition, three (3) 3.5" floppy diskettes (FD) were
imaged to FD.

Investigation on 2/17/99 at [redacted]

File # 265A-NY-259391    Date dictated 7/09/99

by SA 9/11 Law Enforcement Privacy

000000079
FD-302(Rev. 10-6-95)

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 02/17/2000

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner:
SPECIMEN(S):
Q176 - Fugi Film DDS3 Data Cartridge, created by
On-track data recovery
Q176 contained an NT Tape Backup created by On-track
Data Recovery. Q176's files were restored using the NT Backup
utility to an exam hard drive. All files were then copied from
the exam hard drive to optical disk using the Windows NT
explorer. CD-ROMs were prepared from the exam hard drive of
Q176.

Investigation on 02/17/2000 at New York, NY

File # 265A-NY-259319    Date dictated 02/17/2000

FD-302 (Rev. 10-6-95)

- 1-
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 04/23/99

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner (FE). This
examination was done following the procedures and using tools
provided by the FBI Laboratory.

SPECIMEN(S):

Q100 - Macintosh Powerbook 140 laptop computer, serial
number (s/n) F2148K00706.

ALSO SUBMITTED:
One Canon bubble jet printer model BJ-10sx, s/n PJC66146
with power cord and printer cable.
One Kodak printer model Diconix 180si, s/n SAA2ZYZ696 with
power cord and serial cable.
One Macintosh compatible mouse.
Sixty-seven (67) 5.25" floppy diskettes.
One Sharp operation manual.
One Canon Bubble Jet BJ-10sx printer user's manual.
One Windows & MS-DOS user's guide.
An image of Q100 was made to magneto-optical disk
(MOD) using FWB Toolkit. Recoverable deleted files on Q100 were
recovered to MOD using Norton Utilities unerase. Hard copies of the
documents on Q100 were printed and provided to the case agent. All
original evidence was returned to the case agent. All examination
notes were provided to the case agent.

Investigation on 04/23/1999 at New York, NY

File # 199I-NY-2575Q3    Date dictated 04/23/1999

by 9/11 Law Enforcement Privacy

FD-302 (Rev. 10-6-95)

-1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 11/26/1999

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner (FE).
SPECIMEN(S):
Q80 - A Magneto-Optical Disk (MOD) labeled PJW/28 Image
copy Apple Macintosh Quadra 700.
Q81 - An MOD labeled SCG/69 FWB - Image, Macintosh IIsi
40 MB HD End Block 82091.
Q82 - A Magneto-Optical Disk (MOD) labeled on side A:
Copies of CD-R's: lab ref # CSL/279/98, Items:
SCG/78.1 SCG/78.2 SCG/78.3, on side B: Copy of CD:
lab ref CSL/274/98, item SCG/78/5 19 floppy disk
shrink wrap images from CSL/274/98.
Q83 - An MOD labeled lab ref # CSL/270/98, Item KRA/25
Safeback Image, directory listing, recovered deleted
files.
Q84 - An MOD labeled Lab ref # CSL/273/98, Item SCG/64
safeback image, directory listing.
Q85 - An MOD labeled SCG/73 Image Copy FWB/HDT.
Q86 - An MOD labeled KRA/2110 Image Copy Apple Mac
8200/120.
Q87 - An MOD labeled PLW/4 HDT-Image, end block 2503871,
Power Macintosh 8200/120.
Q88 - An MOD labeled SCG/20 quantum Prodrive HDT-image end
block 82028.
Q89 - An MOD labeled lab ref: CSL/259/98, Item PLW/5
Safeback image, directory list.

Investigation on 11/26/99 at New York, NY

File # 265A-NY-259391    Date dictated 11/26/1999

9/11 Law Enforcement Privacy

FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of , On 11/26/99

Q90 - An MOD labeled lab ref CSL/323/98, Item PS/125
Safeback image, directory listing, partition
information.
Q91 - A Zip Disk labeled Copy of lab ref CSL/274/98, item
PLW/40/1.
Q92 - A Zip Disk labeled Copy of lab ref # CSL/274/98,
item PLW/40/2.
Q93 - A Zip Disk labeled Copy of lab ref # CSL/274/98,
item # PLW/40/3.
Q94 - A Zip Disk labeled Copy of lab ref # CSL/274/98,
PLW/40/4.
Q95 - A Zip Disk labeled Copy of lab ref # CSL/274/98,
item # PLW/40/5.
Q96 - A Zip Disk labeled Copy of lab ref # CSL/274/98,
item # PLW/40/6.
Q97 - A Zip Disk labeled Copy of lab ref # CSL/274/98,
item # PLW/40/7.
Q98 - A Zip Disk labeled Copy of lab ref # CSL/274/8, item #
PLW/40/8.
Q99 - An MOD labeled copy of CD lab ref CSL/279/98, item
PLW/35/133 and lab ref CSL/274/98, PLW/35/122.

Q101 - A CD-ROM labeled Copy of lab ref # CSL/274/98, Item
SCG/81.
Q102 - A CD-ROM labeled Copy of Item PLW/35/132, lab ref #
CSL/274/98.
Q103 - A CD-ROM labeled Copy of Track 1 from Item
PLW/35/121, lab ref CLS/274/98.
Q104 - A CD-ROM labeled Copy of Lab ref CSL/274/98, item #
PLW/42/1.
Q105 - A CD-ROM labeled PS/124.3, CSL/323/98.

REQ #34-1 000000083


FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of , On 11/26/99, Page 3

Q106 - A CD-ROM labeled PS/124.1, CSL/323/98.
Q107 - A CD-ROM labeled PS/124.2, CSL/323/98.
Q108 - A CD-ROM labeled Vogon Simage(s) of floppies from
CSL/270/98, CSL/274/98, CSL/298/98, CLS/323/98.
EXAMINATION:
Q80 - mounted the image on a Macintosh G3 exam computer
(MEC). Deleted files were recovered using the Norton unerase
utility. Data and deleted files were copied to CD-ROM using the
Toast utility.
Q81 - mounted the image on MEC. Deleted files were
recovered using the Norton unerase utility. Data and deleted files
were copied to CD-ROM using the Toast utility.
Q82 - floppy disk images were copied to EC and mounted on
MEC. The data was copied to CD-ROM using the toast utility. The
CD-ROM images were copied to EC, mounted, then copied to CD-ROM
using the Toast utility.
Q83 - Restored image to Windows exam computer (WEC) using
the safeback utility. Recovered deleted files using the XDF
utility. The restored image was booted and reviewed by the case
agent and arabic translator.
Q84 - Restored image to (WEC) using the safeback utility.
Recovered deleted files using the XDF utility. The restored image
was booted and documents were printed and sent to the case agent.
Q85 - mounted the image on MEC. Deleted files were
recovered using the Norton unerase utility. Data and deleted files
were copied to CD-ROM using the Toast utility.
Q86 - mounted the image on MEC. Deleted files were
recovered using the Norton unerase utility. Data and deleted files
were copied to CD-ROM using the Toast utility.
Q87 - mounted the image on MEC. Deleted files were
recovered using the Norton unerase utility. Data and deleted files
were copied to CD-ROM using the Toast utility.

REQ #34-1 000000084
FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of , On 11/26/99

Q88 - mounted the image on MEC. Deleted files were
recovered using the Norton unerase utility. Data and deleted files
were copied to CD-ROM using the Toast utility.
Q89 - Restored image to (WEC) using the safeback utility.
Recovered deleted files using the XDF utility. The restored image
was booted and documents were printed and sent to the case agent.
Q90 - Restored image to (WEC) using the safeback utility.
Recovered deleted files using the XDF utility. The restored image
was booted and documents were printed and sent to the case agent.
Q91 - Zip disk mounted on MEC and copied to CD-ROM using
the toast utility.
Q92 - Zip disk mounted on MEC. Deleted files recovered
using the Norton unerase utility. Data and deleted files were
copied to CD-ROM using the toast utility.
Q93 thru Q98 - Zip disk mounted on MEC and copied to CD-ROM
using the toast utility.
Q99 - Magneto Optical disk (MOD) was mounted on MEC. The
data was copied to CD-ROM using the toast utility.
Q101 - CD-ROM was copied using the Adaptec CD Copier
utility on WEC.
Q102 - CD-ROM was mounted on MEC and copied using the
toast utility.
Q103 - CD-ROM was mounted on MEC and copied using the
toast utility.
Q104 - CD-ROM was copied using the Adaptec CD Copier
utility on WEC.
Q105 - CD-ROM was copied using the Adaptec CD Copier
utility on WEC.
Q106 - CD-ROM was copied using the Adaptec CD Copier
utility on WEC.
Q101 - CD-ROM was copied using the Adaptec CD Copier
utility on WEC.

REQ #34-1 000000085


FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of , On 11/26/99, Page

000000086
FD-302 (Rev. 10-6-95)

- 1-

FEDERAL BUREAU OF INVESTIGATION

Q / ?3 / 9 9

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner:

SPECIMEN(S):

NYO Q79 - 3 1/2" floppy disk, containing, in part,
handwriting "8/21/97"

Q79 contains one file, "newpol.doc". The LFN utility
identifies the date/time stamp for this file as 03-27-97 at 10:52
P-

Investigation on 9/23/99 at New York

File # 265A-NY-259391    Date dictated
by 9/11 Law Enforcement Privacy

9/11 Law Enforcement Sensitive

FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 03/17/2000

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner:
SPECIMEN(S):

Q347 - Magneto Optical Disk.
Contains logical copy, recovered deleted files,
slack and residue from a No Name CPU, no serial
number, processed in [redacted]
Q348 - Q356 CD-ROMs from [redacted]

Q357 - Q367 3.5 inch floppies from [redacted]
search
CD-ROMs were prepared from the logical copy, recovered
deleted files, slack and residue from Q347. The Tree Print
utility was used to create a listing of Q347's directory
structure.
CD Duplicator was used to copy Q348, Q349, Q351 - Q356.
Q350 was not copied due to a read error on the CD-ROM.
A file copy of Q357 - Q367's files was made to CD-ROM.
Recoverable deleted files on Q357 - Q367 were recovered using the
XDF utility and written to CD-ROM.

Investigation on 03/17/2000 at New York, NY

File # 265A-NY-259391    Date dictated 03/17/2000

by SA 9/11 Law Enforcement Privacy

9/11 Law Enforcement Sensitive

FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 03/17/2000

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner:

SPECIMEN(S):

Q27 - CD-ROM containing disk images,
(from search in

Restored all disk images to floppies except the
following:
Disk 5 was not formatted
Image for disk 43 and 50 were missing.

Recoverable deleted files on all restored disks were
recovered to CD-ROM using the XDF utility.

All restored disks were copied to CD-ROM except the
following:
Disk 27, 32, 40, 42, 48, 53, 58.

The following restored disks contained a virus and were
cleaned:
Disk 41, 46, 47, 48, 49, 51, 53, 55, 56, 59, 60, 61

Investigation on 03/17/2000 at New York, NY

File # 265A-NY-259391    Date dictated 03/17/2000

by SA 9/11 Law Enforcement Privacy



9/11 Law Enforcement Sensitive

FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 04/25/2000

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner:

SPECIMEN(S):

Q368 - No Name Desktop with no S/N
from [redacted] search

Q369 - No Name Desktop with no S/N
from [redacted] search

Q370 - No Name Desktop,
S/N 8713439108309
from [redacted] search

Q371 - SCSI Hard Drive
S/N - 1A0423372A6
from [redacted] search

Q372 - Dell Model TS306 Laptop
S/N V 7437346BYK8111A
from [redacted] search

A physical image of Q368 was made to tape using the
Safeback Utility. A logical copy of Q368's files (one partition)
was made to optical disk using the Codeblue utility. Recoverable
deleted files on Q368 were recovered to optical disk using the
XDF32 utility. Residue was collected using the REDX32 utility.
CD-ROMs were prepared from the logical file copy, recovered file
copies and residue file. The DriveScan and Is-Encrypted
utilities were run on the logical copy of Q368 and a report was
created. The physical image of Q368 was restored to an exam hard
drive using the Safeback Utility.

A physical image of Q369 was made to tape using the
Safeback Utility. A logical copy of Q369's files (three
partitions) was made to optical disk using the Codeblue utility.

Investigation on 04/25/2000 at New York, NY

File # 265A-NY-259391    Date dictated 04/25/2000

by SA 9/11 Law Enforcement Privacy



FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of , On 04/25/2000, Page 2

Recoverable deleted files on Q369 were recovered to optical disk
using the XDF utility. Residue was collected using the REDX
utility. CD-ROMs were prepared from the logical file copy,
recovered file copies and residue file. The DriveScan and Is-
Encrypted utilities were run on the logical copy of Q369 and a
report was created. Two files were found to be password
protected. The use of Access Data Password Cracker was used and
revealed the file level passwords of "aaaaa". The physical image
of Q369 was restored to an exam hard drive using the Safeback
Utility.

A physical image of Q370 was made to tape using the
Safeback Utility. A logical copy of Q370's files (one partition)
was made to optical disk using the Codeblue utility. Recoverable
deleted files on Q370 were recovered to optical disk using the
XDF32 utility. Residue was collected using the REDX32 utility.
CD-ROMs were prepared from the logical file copy, recovered file
copies and residue file. The DriveScan and Is-Encrypted
utilities were run on the logical copy of Q370 and a report was
created. The physical image of Q370 was restored to an exam hard
drive using the Safeback Utility.

Q371 would not power-up properly and was sent to On-
Track Data Recovery on the case agent's request.

A physical image of Q372 was made to tape using the
Safeback Utility. A logical copy of Q372's files (one partition)
was made to optical disk using the Codeblue utility. Recoverable
deleted files on Q372 were recovered to optical disk using the
XDF32 utility. Residue was collected using the REDX32 utility.
CD-ROMs were prepared from the logical file copy, recovered file
copies and residue file. The DriveScan and Is-Encrypted
utilities were run on the logical copy of Q372 and a report was
created. Three files were found to be password protected. The
use of Access Data Password Cracker was used and revealed the
file level passwords of "allah". The physical image of Q372 was
restored to an exam hard drive using the Safeback Utility.

The Tree Print utility was used to create a listing of
Q368, Q369, Q370 and Q372 directory structures.

000000091
9/11 Law Enforcement Sensitive

FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of , On 04/25/2000, Page 3

The utilities DL and CPX were used to search and
extract from the logical file copies and recovered file copies
from Q368, Q369, Q370, and Q372 for the following list of strings
provided by the case agent:

The search reports and extract results were written to CD-ROMs.

The Linux utilities GREP was used to search and extract
from the residue files of Q368, Q369, Q370, and Q372 for the
following list of strings provided by the case agent:

REQ #34-1 000000092


FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of

9/11 Law Enforcement Sensitive

The search extract results were written to CD-ROMs.

000000093
FD-302 (Rev. 10-6-95)

- 1-

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/05/2000

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner:
SPECIMEN(S): 9/11 Law Enforcement Sensitive

Q371 - SCSI Hard Drive S/N - 1A0423372A6
from [redacted] search

Q371 would not power-up properly and was sent to On-
Track Data Recovery on the case agent's request. A CD-ROM was
returned containing the data recovered by On-Track. The CD-ROM
duplicator was used to create a copy of the CD-ROM returned by
On-Track. The Tree Print utility was used to create a listing of
the directory structures.

Investigation on 05/05/2000 at New York, NY

File # 265A-NY-259391    Date dictated 05/05/2000

by SA 9/11 Law Enforcement Privacy

9/11 Law Enforcement Sensitive

FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner.
*

Q373 - SyQuest SyJet 1.5GB Cartridge,
Labeled [redacted] image AB0110 -
[redacted] Room A

Q374 - SyQuest SyJet 1.5GB Cartridge,
Labeled [redacted] image AB0210 -
- First Floor Office

Q375 - SyQuest SyJet 1.5GB Cartridge,
Labeled [redacted] image
- Upstairs Computer
Disk 1 of 2

Q376 - SyQuest SyJet 1.5GB Cartridge,
Labeled [redacted] image AB0310
- Upstairs Computer
Disk 2 of

Q377 - Iomega Jaz 1 GB Cartridge,
Labeled [redacted] Xcopy of AB041 -
- Room C

Q378 - SyQuest SyJet 1.5GB Cartridge,
Labeled [redacted] image AB0510 -
Downstairs Computer
Desk next to

Q379 - SyQuest SyJet 1.5GB Cartridge,
AB0410 -
Aborted Safeback Image

Q380 - SyQuest SyJet 1.5GB Cartridge,
Labeled [redacted] floppy

Investigation on 05/23/2000 at New York, NY

File #
9/11 Law Enforcement Sensitive

FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of , On 05/08/2000, Page 2

Restored image contained on Q373 on exam hard
drive (Q373 restored). A logical copy of Q373's restored files
(one partition) was made to optical disk using the Codeblue
utility. Recoverable deleted files on Q373 restored were
recovered to optical disk using the XDF utility. Residue was
collected using the REDX utility. The DriveScan and Is-Encrypted
utilities were run on the logical copy of Q373 restored and a
report was created. The Tree Print utility was used to create a
listing of the directory structures.
Restored image contained on Q374 on exam hard
drive (Q374 restored). A logical copy of Q374's restored files
(three partitions) was made to optical disk using the Codeblue
utility. Recoverable deleted files on Q374 restored were
recovered to optical disk using the XDF utility. Residue was
collected using the REDX utility. The DriveScan and Is-Encrypted
utilities were run on the logical copy of Q374 restored and a
report was created. The Tree Print utility was used to create a
listing of the directory structures.
Restored image contained on Q375 and Q376 on exam hard
drive (Q375/Q376 restored). A logical copy of Q375/Q376's
restored files (one partition) was made to optical disk using the
Codeblue utility. Recoverable deleted files on Q375/Q376
restored were recovered to optical disk using the XDF utility.
Residue was collected using the REDX utility. The DriveScan and
Is-Encrypted utilities were run on the logical copy of Q375/Q376
restored and a report was created. The Tree Print utility was
used to create a listing of the directory structures.
A logical copy of Q377's files was made to optical
disk using Windows Explorer. The DriveScan and Is-Encrypted
utilities were run on the logical copy of Q377 and a report was
created. The Tree Print utility was used to create a listing of
the directory structures.
Restored image contained on Q378 on exam hard
drive (Q378 restored). A logical copy of Q378's restored files

000000096
FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of , On 05/08/2000

(one partition) was made to optical disk using the Codeblue
utility. Recoverable deleted files on Q378 restored were
recovered to optical disk using the XDF utility. The DriveScan
and Is-Encrypted utilities were run on the logical copy of Q378
restored and a report was created. The unformat utility was used
to unformat Q378 restored. The Codeblue and XDF utilities were
run on the unformatted version of Q378 restored. Residue was
collected using the REDX32 utility. The DriveScan and Is-
Encrypted utilities were run on the logical copy of the
unformatted version of Q378 restored and a report was created.
The Tree Print utility was used to create a listing of the
directory structures.
Q379 and Q380 were not processed.

000000097
9/11 Law Enforcement Privacy

FD-302 (Rev. 10-6-95)

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 07/05/00

This report supplements an FD-302 dated 06/15/00.

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner:

SPECIMEN(S):

Q384 - One Magneto Optical Disk containing a logical
file copy/recoverable deleted files from D: (partition 2), One
copy of Q387 and Five 3.5" floppy diskette images.

Q387 - One CD Rom containing a copy of a recordable CD
Rom

These items were prepared on 12/11/99 in [redacted]
The computer contained a 3227 megabyte Seagate hard drive model
number ST33232A, serial number VG864384, with two partitions.

Five self extracting image files from Q384 numbered 1
through 5 were restored to five 3.5" floppy diskettes.

Logical copies of diskettes 2 through 5 were made to
magneto optical disk using the Windows Explorer Utility.
Recoverable deleted files were recovered to magneto optical disk
using the XDF Utility. Residue was extracted to magneto optical
disk using the REDX Utility. A CD Rom was prepared of the
logical, recoverable deleted and residue files.

The Norton Disk Doctor (NDD) Utility was used to repair
floppy disk number 1, because it could not be accessed. A logical
file copy of disk 1 was made to magneto optical disk using the
Windows Explorer Utility. Recoverable deleted files were made to
magneto optical disk using the XDF Utility. Residue was extracted
to magneto optical disk using the REDX Utility. Results of the
logical, recoverable deleted and residue files were put onto the
CD Rom containing results from floppies 2 through 5.

Investigation on 07/05/00 at New York, New York

File # 265A-NY-259391 Date dictated

by 9/11 Law Enforcement Privacy

9/11 Law Enforcement Sensitive

FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 06/15/00

The following examination was conducted by a
Computer Analysis Response Team (CART) Field Examiner:

SPECIMEN(S):

Q383 - One Magneto Optical Disk containing a logical
file copy/recoverable deleted files from C: (partition 1)

Q384 - One Magneto Optical Disk containing a logical
file copy/recoverable deleted files from D: (partition 2)

Q385 - One Magneto Optical Disk containing a logical
file copy/recoverable deleted files from C: (partition 1)

Q386 - One Magneto Optical Disk containing residue from
C: (partition 1) and D: (partition 2)

Q387 - One CD Rom containing a copy of a recordable CD
Rom

Also submitted:

4 - CD Roms containing a logical file copy/recoverable
deleted files from C: (partition 1) and D: (partition 2)

2 - 3.5" floppy diskettes containing logical files
unable to be written to CD Rom

These items were prepared on 12/11/99 in [redacted]
The computer contained a 3227 megabyte Seagate hard drive model
number ST33232A, serial number VG864384, with two partitions.

The Drivescan Utility was used to scan all magneto
optical disks containing logical/recoverable deleted files.
Printouts were prepared.

The Access Data Password Recovery Toolkit was used to

Investigation on 06/15/00 at New York, New York

File # 265A-NY-259391 Date dictated

by SA,- Law Enf

FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of 01/01/00 page 2

scan all magneto optical disks containing logical/recoverable deleted files. Printouts were prepared. No passworded data was found.

The Slice Utility was used to break the residue files on magneto optical disk number 6 into smaller pieces. CD Roms were prepared containing the split files.

Magneto optical disk number 6 containing residue was mounted in Linux. The residue from C: (partition 1) and D: (partition 2) was filtered using the strings command and then searched using the Grep Utility for the following words:

9/11 Law Enforcement Sensitive

000000100
FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 , On 01/01/00 , Page 3

The output of this search was written to CD Rom.

REQ #34-1 000000101


9/11 Law Enforcement Sensitive

FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 06/01/2000

The following examination was conducted by Computer Analysis Response Team (CART) Field Examiners.
SPECIMEN(S):

Five Magneto Optical Disks containing Safeback images of Q31, Q32, Q34 and Q35 acquired in [redacted].
Five Magneto Optical Disks containing logical file copies of Q31, Q32, Q34 and Q35 and recovered deleted files from Q32 acquired in [redacted].
Q36 - Q38 - Three 3.5 in floppy disks acquired in [redacted] 02/1999.

The Safeback image of Q31 was restored to an exam hard drive (Q31 restored). Recoverable deleted files on Q31 restored were recovered to optical disk using the XDF32 utility. Residue was collected using the REDX32 utility. The DriveScan and Access Toolkit utilities were run on the logical copy of Q31 and a report was created. The Tree Print utility was used to create a listing of the directory structures.

The Safeback image of Q32 was restored to an exam hard drive (Q32 restored). Recoverable deleted files on Q32 restored were recovered to optical disk using the XDF utility. Residue was collected using the REDX utility. The DriveScan and Access Toolkit utilities were run on the logical copy of Q32 and a report was created. The Tree Print utility was used to create a listing of the directory structures.

The Safeback image of Q34 was restored to an exam hard drive (Q34 restored). Recoverable deleted files on Q34 restored were recovered to optical disk using the XDF32 utility. Residue was collected using the REDX32 utility. The DriveScan and Access Toolkit utilities were run on the logical copy of Q34 and a report was created. The Tree Print utility was used to create a

Investigation on 06/07/2000 at New York, NY

File # 265A-NY-259391 Date dictated 06/07/2000

by SA [9/11 Law Enforcement Privacy]
FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of

listing of the directory structures.

The Safeback image of Q35 was restored to an exam hard drive (Q35 restored). Recoverable deleted files on Q35 restored were recovered to optical disk using the XDF utility. Residue was collected using the REDX utility. The DriveScan and Access Toolkit utilities were run on the logical copy of Q35 and a report was created. The Tree Print utility was used to create a listing of the directory structures.

A file copy of Q36 and Q38's files were made to floppy disk. Recoverable deleted files on Q36 and Q38 were recovered to optical disk using the XDF utility. Q37 was not processed due to disk read error.

000000103
FD-302(Rev. 10-6-95)

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 09/24/99

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE).

SPECIMEN(S):

Q33 - One (1) Magneto-Optical Disk (MOD) containing an image of a hard disk drive (HDD) from a Macintosh LC, serial number (s/n) SG1370FJL10.

Also submitted were ten (10) MODs consisting of:

Q31 - an image, and logical copy of a Compaq Deskpro 2000, s/n 8646HVS51688.
Q32 - an image, logical copy, logical file listing and deleted files from an IBM Personal Computer 100, s/n 558P54B.
Q34 - an image and logical copy of two HDDs from a generic computer.
Q35 - an image and logical copy of a DTK computer, no s/n.
Q36, Q37 and Q38 - images of three (3) 3.5" floppy diskettes.

EXAMINATION:

Q33 was restored to a hard disk drive (HDD) on a Macintosh IIci. An examination of the restoration revealed an Arabic language Macintosh operating system.

Investigation on 09/24/1999 at Manhattan, New York

File # 265A-NY-259391 Date dictated 09/24/1999

by [9/11 Law Enforcement Privacy]
000000104
9/11 Law Enforcement Sensitive

FD-302 (Rev. 10-6-95)

- 1-

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 07/14/2000

The following examination was conducted by Computer Analysis Response Team (CART) Field Examiners.

SPECIMEN(S):

Q449 - One Magneto Optical Disk containing a CSCDup copy of a Compaq 5100E CPU and six floppy disk images acquired in [redacted].

Recoverable deleted files on Q449 were recovered to an exam hard drive optical disk using the XDF utility. Residue was collected using the REDX utility. The DriveScan and Access Toolkit utilities were run on Q449 with no positive results. The Tree Print utility was used to create a listing of the directory structures. The logical copy, recovered deleted files and the residue file were written to CD-ROM.

The floppy disk images on Q449 were restored to floppy disks. Recoverable deleted files were recovered to an exam hard drive using the XDF utility. Residue was collected using the REDX utility. The logical copy, recovered deleted files and the residue file were written to CD-ROM.

Investigation on 07/14/2000 at New York, NY

File # 265A-NY-259391 Date dictated 07/14/2000

by SA [9/11 Law Enforcement Privacy]
FD-302(Rev. 10-6-95)

-1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 04/17/2000

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE).

SPECIMEN(S):

NYOQ#195 - an Apple Macintosh Powerbook 180 laptop computer, serial number (s/n) FC311SHY440 obtained from the [redacted] FBI barcode #E01911047. The laptop contained an IBM 82mb hard disk drive (HDD) formatted with an HFS file system running an Arabic version of Macintosh OS.

ALSO SUBMITTED:

One Sony power adaptor, model AC-V30.

EXAM:
Device copies of Q195 were made to magneto-optical disk (MOD) using the FWB Toolkit utility. The image was restored to 100mb Zip disks using the same FWB Toolkit utility. The restored image was mounted on a CART exam machine where invisible files were identified, listed and made visible using the Norton Disk Edit utility. Recoverable deleted files were identified and restored using the Norton Unerase utility. A string search of Q195 was done using the Ultrafind utility for the following strings with negative results:

9/11 Law Enforcement Sensitive

Investigation on 4/17/2000 at New York, NY

File # 265A-NY-259391 Date dictated 4/17/2000

by [9/11 Law Enforcement Privacy]

FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of Cart Exam , On 4/17/2000

Logical, recovered deleted files, directory and file printouts were provided for review to the Case Agent.

000000107
FD-302(Rev. 10-6-95)

-1-

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/19/2000

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE).

SPECIMEN(S):

NYOQ#238 - A CDROM disk labeled Item 25L.
NYOQ#240 - A CDROM disk labeled Item 63B
NYOQ#245 - A CDROM disk labeled Item 1ST
NYOQ#246 - A CDROM disk labeled Item 15N
NYOQ#247 - A CDROM disk labeled Item 15AK
NYOQ#248 - A CDROM disk labeled Item 15AE
NYOQ#249 - A CDROM disk labeled Item 15Y
NYOQ#250 - A CDROM disk labeled Item 15S
NYOQ#251 - A CDROM disk labeled Item 15M
NYOQ#252 - A CDROM disk labeled Item 15W
NYOQ#253 - A CDROM disk labeled Item 15AC
NYOQ#254 - A CDROM disk labeled Item 15Q
NYOQ#255 - A CDROM disk labeled Item ISAM
NYOQ#256 - A CDROM disk labeled Item 15AH
NYOQ#257 - A CDROM disk labeled Item 15V
NYOQ#258 - A CDROM disk labeled Item 15R
NYOQ#259 - A CDROM disk labeled Item 15AG
NYOQ#260 - A CDROM disk labeled Item 15AM
NYOQ#261 - A CDROM disk labeled Item 15P
NYOQ#262 - A CDROM disk labeled Item 15X
NYOQ#263 - A CDROM disk labeled Item 15AD
NYOQ#264 - A CDROM disk labeled Item 15AJ
NYOQ#265 - A CDROM disk labeled Item 15AI
NYOQ#266 - A CDROM disk labeled Item 15AO
NYOQ#267 - A CDROM disk labeled Item ISA
NYOQ#268 - A CDROM disk labeled Item 15B
NYOQ#269 - A CDROM disk labeled Item 15P
NYOQ#270 - A CDROM disk labeled Item 15C
NYOQ#271 - A CDROM disk labeled Item 15F
NYOQ#272 - A CDROM disk labeled Item 15L
NYOQ#273 - A CDROM disk labeled Item 15G
NYOQ#274 - A CDROM disk labeled Item 15D

Investigation on at New

File # 265A-NY-259391 Date dictated 5/19/2000

by [9/11 Law Enforcement Privacy]

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency.
Its contents are not to be distributed outside your agency. 000000108
FD-302a(Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of CART EXAM , On 5/19/2000

NYOQ#275 - A CDROM disk labeled Item 15H
NYOQ#276 - A CDROM disk labeled Item 15I
NYOQ#277 - A CDROM disk labeled Item 15J
NYOQ#278 - A CDROM disk labeled Item 15AF
NYOQ#279 - A CDROM disk labeled Item 15Z
NYOQ#280 - A CDROM disk labeled Item 15K
NYOQ#281 - A CDROM disk labeled Item 15AB
NYOQ#282 - A CDROM disk labeled Item 15AA
NYOQ#283 - A CDROM disk labeled Item 150
NYOQ#284 - A CDROM disk labeled Item 15A
NYOQ#285 - A CDROM disk labeled Item 150
NYOQ#286 - A CDROM disk labeled Item 41A
NYOQ#287 - A CDROM disk labeled Item 41B
NYOQ#288 - A CDROM disk labeled Item 41C
NYOQ#239 - A CDROM disk labeled Item SIB
NYOQ#290 - A CDROM disk labeled Item 55
NYOQ#291 - A CDROM disk labeled Item 61A
NYOQ#292 - A CDROM disk labeled Item 11
NYOQ#293 - A CDROM disk labeled Item 13A
NYOQ#294 - A CDROM disk labeled Item 58
NYOQ#295 - A CDROM disk labeled Item 9
NYOQ#296 - A CDROM disk labeled Item 51D
NYOQ#297 - A CDROM disk labeled Item 51C
NYOQ#298 - A CDROM disk labeled Item 51B
NYOQ#299 - A CDROM disk labeled Item 51A

EXAM:
Duplicate CDROMs were made using the Champion CD Duplicator,

REQ #34-1 000000109


FD-302 (Rev. 10-6-95)

-1-

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 04/28/2000

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE).

SPECIMEN(S):
Item 52I
NYOQ#196 - a 3.5" floppy diskette labeled Item 52K
NYOQ#197 - a 3.5" floppy diskette labeled Item 52J
NYOQ#198 - a 3.5" floppy diskette labeled Item 52L
NYOQ#199 - a 3.5" floppy diskette labeled Item 52M
NYOQ#200 - a 3.5" floppy diskette labeled Item 52H
NYOQ#201 - a 3.5" floppy diskette labeled Item 52G
NYOQ#202 - a 3.5" floppy diskette labeled Item 52F
NYOQ#203 - a 3.5" floppy diskette labeled Item 52E
NYOQ#204 - a 3.5" floppy diskette labeled Item 52D
NYOQ#205 - a 3.5" floppy diskette labeled Item 52C
NYOQ#206 - a 3.5" floppy diskette labeled Item 52B
NYOQ#207 - a 3.5" floppy diskette labeled Item 52A
NYOQ#208 - a 3.5" floppy diskette labeled
labeled Item 56A
NYOQ#209 - a 3.5" floppy diskette labeled Item 56B
NYOQ#210 - a 3.5" floppy diskette
labeled Item 56C
NYOQ#211 - a 3.5" floppy diskette
diskette labeled Item 56D
NYOQ#212 - a 3.5" floppy labeled Item 56E
NYOQ#213 - a 3.5" floppy diskette
labeled Item 56F
NYOQ#214 - a 3.5" floppy diskette labeled Item 56G
NYOQ#215 - a 3.5" floppy diskette labeled Item 56H
NYOQ#216 - a 3.5" floppy diskette labeled Item 56I
NYOQ#217 - a 3.5" floppy diskette labeled Item 56J
NYOQ#218 - a 3.5" floppy diskette labeled Item 56K
diskette
NYOQ#219 - a 3.5" floppy diskette labeled Item 56L
NYOQ#220 - a 3.5" floppy labeled Item 56N
NYOQ#221 - a 3.5" floppy diskette labeled Item 56M
NYOQ#222 - a 3.5" floppy diskette
labeled Item 25H
NYOQ#223 - a 3.5" floppy diskette labeled Item 25J
NYOQ#224 - a 3.5" floppy diskette
labeled Item 25I
NYOQ#225 - a 3.5" floppy diskette labeled Item 25G
NYOQ#226 - a 3.5" floppy diskette
labeled Item 25B
NYOQ#227 - a 3.5" floppy diskette labeled Item 25A
NYOQ#228 - a 3.5" floppy diskette

Investigation on 4/28/2000 at New York, NY

File # 265A-NY-259391 Date dictated 4/28/2000

by [9/11 Law Enforcement Privacy]

000000110
FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of EXAM , On 4/28/2000 , Page

NYOQ#229 - a 3.5" floppy diskette labeled Item 25F
NYOQ#230 - a 3.5" floppy diskette labeled Item 25K
NYOQ#231 - a 3.5" floppy diskette labeled Item 25C
NYOQ#232 - a 3.5" floppy diskette labeled Item 25D
NYOQ#233 - a 3.5" floppy diskette labeled Item 25E
NYOQ#234 - a 3.5" floppy diskette labeled Item 10A
NYOQ#235 - a 3.5" floppy diskette labeled Item 10B
NYOQ#236 - a 3.5" floppy diskette labeled Item 10C
NYOQ#237 - a 3.5" floppy diskette labeled Item 10D
NYOQ#239 - a 3.5" floppy diskette labeled Item 63A
NYOQ#241 - a 3.5" floppy diskette labeled Item 57
NYOQ#242 - a 3.5" floppy diskette labeled Item 22D
NYOQ#243 - a 3.5" floppy diskette labeled Item 40
NYOQ#244 - a 3.5" floppy diskette labeled Item 31A

EXAM:
NYOQ209, NYOQ210, NYOQ212-NYOQ219, NYOQ222-NYOQ226, NYOQ228-NYOQ230, NYOQ232 and NYOQ233 were identified as Macintosh formatted floppy diskettes (FDs). A search of the Mac FDs for invisible files was conducted using the Macintosh Sherlock utility. No non-system hidden files were identified. The Norton Unerase utility was executed on the Macintosh FDs resulting in deleted file recovery on NYOQ210, NYOQ214, NYOQ216, NYOQ217, NYOQ224, NYOQ225, NYOQ226 and NYOQ229 only.

NYOQ196-NYOQ208, NYOQ221, NYOQ227, NYOQ231, NYOQ234-NYOQ237, NYOQ241-NYOQ244, and NYOQ239 were identified as DOS formatted, or unformatted FDs. The XDF utility was executed on the DOS FDs resulting in deleted file recovery on NYOQ196, NYOQ198, NYOQ204, NYOQ234 and NYOQ243 only. Residue was recovered from all the DOS FD with the exception of NYOQ208 and NYOQ221 which were unformatted. Isenctypted and Drivescan were run on the DOS FDs and the results were printed.

The results of the exam on the Macintosh FDs were made to Zip disk, 3.5" floppy diskette, and CD-ROM. The results of the DOS FDs were made to magneto-optical disk, 3.5" floppy diskette, and CD-ROM.
ALSO SUBMITTED:
Twenty-one (21) empty CD-ROM jewel cases, one (1) sealed recordable
CD-ROM, and one (1) sealed Netscape install software CD-ROM.

REQ #34-1 000000111


FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 07/20/00

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:

SPECIMEN(S): 9/11 Law Enforcement Sensitive

Q551 - One CD Rom
Q552 - One CD Rom
Q553 - One 3.5" Floppy Disk
Q554 - One 3.5" Floppy Disk
Q555 - One 3.5" Floppy Disk
Q556 - One 3.5" Floppy Disk
Q557 - One Recordable CD Rom
Q558 - One Recordable CD Rom
Q559 - One Recordable CD Rom
Q560 - One Recordable CD Rom
Q561 - One 3.5" Floppy Disk

These items were seized in [redacted] on 04/15/00.

Logical copies of Q551 and Q552 were made to magneto optical disk using the Windows Explorer Utility. CD Roms were prepared of the logical copies.

Logical copies of Q553 through Q556 were made to
Logical copies of Q553 through Q556 were made to

Investigation on 07/20/00 at New York, New York

File # 265A-NY-259391 Date dictated

by SA [9/11 Law Enforcement Privacy]

FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of , On 07/20/00 , Page 2

magneto optical disk using the Windows Explorer Utility. Recoverable deleted files were recovered to magneto optical disk using the XDF Utility. Residue was extracted to magneto optical disk using the REDX Utility. A CD Rom was prepared of the logical, recoverable deleted and residue files.

A logical copy was made of selected files on Q557, Q558 and Q560 to magneto optical disk using the Windows Explorer Utility. CD Roms were prepared of the logical files.

A logical copy was made of Q559 to magneto optical disk using the Windows Explorer Utility. A CD Rom was prepared of the logical files.

A logical copy was made of Q561 to magneto optical disk using the Windows Explorer Utility, copy errors were encountered. Recoverable deleted files were recovered to magneto optical disk using the XDF Utility. Residue was extracted to magneto optical disk using the REDX Utility. A CD Rom was prepared of the logical, recoverable deleted and residue files.

The Treeprint Utility was used to print out directory structures of all prepared CD Roms.

REQ #34-1 000000113


9/11 Personal Privacy

FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 12/19/2000

The following investigation was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE). Also present were [9/11 Personal Privacy]

SPECIMEN(S):
NYOQ563 - a magneto optical disk (MOD) labeled "990602008 JL Image Copy".

EXAMINATION:

NYOQ563 was inserted into a Sony MOD unit and attached to an Apple Macintosh G3 notebook along with an external four (4) gigabyte (gig) hard disk drive (HDD) provided by Greenleaf. The drive containing NYOQ563 was set to SCSI ID 2 and the HDD provided by Greenleaf was set to SCSI ID 4. An image of NYOQ563 was made to Greenleaf's HDD using the device copy utility from FWB Toolkit. Once the image was complete, [redacted] indicated that the new image should be mounted to ensure that a good copy was made. Using FWB Toolkit, the new image on SCSI ID 4 was mounted on the desktop of the G3. Once the image was mounted the volume "Macintosh HD" appeared on the desktop. Once [redacted] were satisfied, the Macintosh HD volume was unmounted and detached from the G3.

Investigation on 12/18/2000 at New York,

File # 265A-NY-259391 Date dictated 12/19/2000

by [9/11 Law Enforcement Privacy]

FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 12/12/2000

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner (FE).

SPECIMEN(S):

NYOQ562 is a Bernoulli 230 megabyte (MB) diskette labeled image copy made 8/21/97.
NYOQ563 is a Verbatim 2.3 gigabyte (GB) magneto optical disk (MOD) labeled 990602008 JL Image Copy.
EXAMINATION:
NYOQ562 was inserted into a Bernoulli transportable 230 disk drive.
The drive was then attached to an Apple Macintosh G3 notebook and
booted. The volume on NYOQ562 would not mount, neither would it
copy to any other media.
NYOQ563 was inserted into a Sony MO Disk Unit, model RMO-S551. The
MO disk unit was then attached to an Apple Macintosh G3 notebook
and booted. The volume on NYOQ562 could be mounted on the G3
desktop.

Investigation on 12/12/2000 at New York

File # 265A-NY-259391 Date dictated 12/12/2000

by [9/11 Law Enforcement Privacy]

9/11 Law Enforcement Sensitive

FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 5/1/01

On 4/23/01, the [redacted] provided access to [redacted] computers related to captioned case.

The following computers were examined by a Computer Analysis Response Team (CART) Field Examiner (FE) on site:

Computer 1 - CompEx Solutions Desktop
a. ST34313A SN: 6DL023LF
Computer 2 - SMR Desktop
a. Maxtor51536H2 SN: F20JVKYC
Computer 3 - TOUCH Desktop
a. QuantumFireballELS.1A SN: 345815010692
b. FujitsuM1614TA SN: 03549565
Hard Drive 1 - WDCAC22500L SN: WD-WM3490181653
Floppy 1 - 3.5" Floppy Disk (unlabeled)

Computer 1 contained one hard drive and it was imaged to DDS-4 tape using the Safeback Utility. A logical file copy of partitions 1 and 2 to optical disk was made using the Codeblue Utility. Recoverable deleted files were recovered from partition 1 and 2 to optical disk using the XDF32 Utility. Residue was extracted from partitions 1 and 2 to optical disk using the REDX32 Utility.

Computer 2 contained one hard drive and it was imaged to DDS-4 tape using the Safeback Utility. A logical file copy of partitions 1 and 2 to optical disk was made using the Codeblue Utility. Recoverable deleted files were recovered from partitions 1 and 2 to optical disk using the XDF32 Utility.

Computer 3 contained two hard drives. Hard drive one was imaged to DDS-4 tape using the Safeback Utility. A logical

Investigation on 4/23/01 at

File # 265A-NY-259391 Date dictated

9/11 Law Enforcement Privacy

FD-302a (Rev. 10-6-95)

Continuation of FD-302 of 265A-NY-259391 , On 5/1/01 , Page

file copy of hard drive one partitions 1 and 2 to optical disk was made using the Codeblue Utility. Recoverable deleted files were recovered from partitions 1 and 2 to optical disk using the XDF32 Utility. Partial residue was extracted from partition 1 to optical disk using the REDX32 Utility. Hard drive two was imaged to DDS-4 tape using the Safeback Utility. A logical file copy of partition 1 to optical disk was made using the Codeblue Utility. Recoverable deleted files were recovered from partition 1 to optical disk using the XDF Utility. The XDF process was stopped during lost cluster sweep. Residue was extracted from partition 1 to optical disk using the REDX Utility.

The Safeback Utility was used to image hard drive 1, however, the Safeback Utility reported errors after the image was started. The Safeback image was halted.

The Disk Copy Utility was used to image floppy 1, however, errors were encountered.

REQ #34-1 000000117


FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 5/4/01

The following computers were examined by a Computer Analysis Response Team (CART) Field Examiner (FE):

Q569a - Magneto Optical Disk (Logical and Recovered Deleted Files of partition 1) of a CompEx Solutions CPU containing hard drive ST34313A SN: 6DL023LF

Q569b - Magneto Optical Disk (Logical and Recovered Deleted Files of partition 2 and Residue of partition 1 and 2) of a CompEx Solutions CPU containing hard drive ST34313A SN: 6DL023LF

Q570 - Magneto Optical Disk (Logical and Recovered Deleted Files of partition 1 and 2) of a SMR CPU containing hard drive Maxtor51536H2 SN: F20JVKYC

Q571 - Magneto Optical Disk (Logical, Recovered Deleted Files and Residue of partition 1) of a TOUCH CPU containing hard drive FujitsuM1614TA SN: 03549565

Q572 - Magneto Optical Disk (Logical and Recovered Deleted Files of partition 1 and 2, partial residue of partition 1) of a TOUCH CPU containing hard drive QuantumFireballELS.1A SN: 345815010692

Q573 - 3.5" Floppy Disk (Disk Copy)

ALSO SUBMITTED:

DDS-4 tape (Safeback Image of QuantumFireballELS.1A SN: 345815010692)
3.5" Floppy Disk (Safeback Audit File)

DDS-4 tape (Safeback Image of Maxtor51536H2 SN: F20JVKYC)
3.5" Floppy Disk (Safeback Audit File)

Investigation on 5/4/01 at New York

File # 265A-NY-259391 Date dictated

by [9/11 Law Enforcement Privacy]

FD-302a (Rev. 10-6-95)

Continuation of FD-302 of 265A-NY-259391 , On 5/4/01 , Page

DDS-4 tape (Safeback Image of ST34313A SN: 6DL023LF)
3.5" Floppy Disk (Safeback Audit File)

DDS-4 tape (Safeback Image on of FujitsuM1614TA SN: 03549565)
3.5" Floppy Disk (Safeback Audit File)

CD Roms were prepared containing the logical and recovered deleted files from Q569a, Q569b, Q570, Q571 and Q572. File naming convention errors were encountered during the CD preparation process.

The Disk Copy Utility was used to image Q573 to a 3.5" Floppy Disk. Errors were encountered. Q573 was not accessible in Arabic Windows 98/DOS. The Norton Disk Doctor Utility was used to attempt to repair Q573. The Norton Disk Doctor Utility recovered "_DD" files, but they did not contain any data recognizable by the Windows/DOS operating system. Recovered deleted files were attempted to be recovered from Q573 using the XDF Utility, but the XDF Utility locked up.

Logical and recovered deleted files copied to magneto optical disk from Q569a, Q569b, Q570, Q571 and Q572 were queried for password protected/encrypted files using the Access Data Password Recovery Tool Kit. Screen shots of the results were prepared.

The directory structures of the logical and recoverable deleted files on cd roms prepared from Q569a, Q569b, Q570, Q571 and Q572 were printed using the Treeprint Utility.

REQ #34-1 000000119


9/11 Law Enforcement Sensitive

FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 06/09/2001

The following search was conducted by Computer Analysis Response Team (CART) Field Examiners (FEs).

A computer seizure was conducted at the following location:

Data from the following computer hard drives (HD) were seized:
Computer 1, a Aptiva Laptop, no serial number.
(Computer was represented to be owned by [redacted])

SEARCH:

A physical copy of Computer 1's HD, was made to optical disk using the Safeback Copy Utility. This was canceled at 90% due to return of subject. The physical copy of Computer 1 was restored to a sterile hard drive (Computer 1 restored). A logical copy of Computer 1 restored's files (two partitions) were made to optical disk using the Codeblue utility. Recoverable deleted files on Computer 1 restored were recovered to optical disk using the XDF utility. CD-ROMs were prepared from the logical file and recovered file copies.

Investigation on 06/09/2001 at [redacted]

File # 265A-NY-259391 Date dictated 06/09/2001

by [9/11 Law Enforcement Privacy]

9/11 Law Enforcement Sensitive

FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 01/16/2002

The following search was conducted by two Computer Analysis Response Team (CART) Field Examiners (FEs).

The following computers and media were made available

Computer 1, a Jump desktop, serial number (s/n) - 07JUM800AREV.

Computer 2, a C.S.N. desktop, no s/n.

Computer 3, a Acer Travelmate 200 laptop, s/n - 9144G017J5105016CDT.

Floppies 1 - 36, Thirty-six 3.5 inch floppy disks.

CD-ROMs 1 - 21, Twenty-one CD-ROMs.

advised that above media and computers were owned by [redacted]

SEARCH:

A copy of Computer 1's HD was made to HD using the Logicube Hard Disk Duplicator.

A copy of Computer 2's HD was made to HD using the Logicube Hard Disk Duplicator.

A copy of Computer 3's HD was made to HD using the Logicube Hard Disk Duplicator.

A logical copy of Floppies 1 - 36's files were made to hard drive using the MXCOPY utility. Recoverable deleted files on Floppies 1 - 36 were recovered to hard drive using the XDF utility. Read errors were encountered on Floppies 6, 9, 13, 15,

Investigation on 01/16/2002 at [redacted]

File # 265A-NY-280350 Date dictated 01/16/2002

by [9/11 Law Enforcement Privacy]

FD-302a (Rev. 10-6-95)

265A-NY-280350

Continuation of FD-302 of , On 01/15/2002 Page

17, 19, 28, 30 and 33 - 36. A CD-ROM was prepared from the logical file and recovered file copies.

CD-ROMs 1 - 7, 10 - 19 and 21 were copied using the CD Copy utility. CD-ROMs 8, 9 and 20 were not readable and not processed.

REQ #34-1 000000122


FD-302 (Rev, 10-6-95)

-1-

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 03/25/2004

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner:

SPECIMENS:

NYO Q585 - Seagate Hard Disk Drive, s/n 6ED1RDE6 (E01960358)
NYO Q586 - Compaq Armada 3500 Notebook computer, s/n J9062 (E01960358)
NYO Q586a - IBM HDD, s/n AGOAG044005

EXAMINATION:

This report supplements a report dated 3/21/02, reported under 265A-BS-89704.

NYO Q585 was imaged to DDS3 tape and to a sterile examination hard drive using the Safeback utility. The image file was processed using the Forensic Toolkit (FTK). Files identified by FTK in the Documents, Spreadsheets, Databases, Graphics, Encrypted and Other Known categories were exported to disk and thereafter copied to CD Rom.

Encrypted files were processed using both the Password Recovery Toolkit and the Distributed Network Attack (DNA) utilities. A PRTK report was printed. Twelve files decrypted by DNA were copied to CD Rom in their decrypted form.

NYO Q586 contains one hard drive. This drive was imaged to DDS3 tape and to a sterile examination hard drive using the Safeback utility. The image file was processed using the Forensic Toolkit (FTK). Files identified by FTK in the Documents, Graphics, Other Known categories were exported to disk and thereafter copied to CD Rom.

Investigation on 3/25/04 at New York CART Lab

File # 265A-NY-259391 Date dictated

000000123
anticev.wpd
FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of CART Examination , On 3/25/04 , Page 2

Physical copies of NYO Q585 and Q586a were made using a Logicube Drive Duplicator.

The FTK work files and the image files from NYO Q585 and Q586 were archived to DDS4 tape.

anticev.wpd

REQ #34-1 000000124


FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 03/13/2002

The following examination was conducted by a Computer Analysis Response Team (CART) Field Examiner.

SPECIMEN(S):

NYOQ587 - Maxtor Hard Drive (HD), serial number (s/n) T3RHOS4C (E01960359)

NYOQ588 - Maxtor HD, s/n T3H26RYC (E01960359)

NYOQ589 - Magneto Optical Disk (MOD), labeled "Safeback Image Madrid Computer 2 and 3" (E01960359)

NYOQ590 - MOD, labeled "Computer 14" (E01960359)

NYOQ591 - Seagate HD, s/n 6ED3PW4J (E01960359)

NYOQ592 - MOD, labeled "Partial Safeback of Computer 9" (E01960359)

NYOQ593 - Western Digital HD, s/n WD-WMAAR2397114 (E01960359)

NYOQ594 - Western Digital HD, s/n WD-WMA751063599 (E01960359)

NYOQ595 - CD-ROM, labeled "219 Floppy Disks" (E01960359)

NYOQ596 - Seagate HD, s/n 6ED3PPW9 (E01960359)

NYOQ597 - Western Digital HD, s/n WD-WMA6V1144420 (E01960359)

Investigation on 03/13/2002 at New York

File # 265A-NY-259391 Date dictated 03/13/2002

[9/11 Law Enforcement Privacy]

REQ #34-1
FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of • On

NYOQ598 - Seagate HD, (E01960359)
s/n 6ED3PW4C

NYOQ599 - Maxtor HD, (E01960359)
s/n T3RHOSXC

NYOQ600 - Western Digital HD, (E01960359)
s/n WD-WMA6V1145260

NYOQ601 - Western Digital HD, (E01960359)
s/n WD-WMA9L1183844

NYOQ602 - IBM HD, (E01960359)
s/n YJEYJ2K5933

NYOQ603 - Seagate HD, (E01960359)
s/n 6ED3PB&P

NYOQ604 - NYOQ702 - Ninety-Nine CD-ROMs (E01960359)

Also submitted:

CD-ROM labeled "Photos of original evidence"

A physical image of NYOQ587 was made to both tape and
hard drive using the Safeback utility. The Access Data Forensic
Tool Kit was used to process NYOQ587. Files from the following
categories were exported to hard drive and written to CD-ROM:
Documents - partial
Spreadsheets - partial
Graphics - partial
Other known - partial
Unknown - partial.
The names of the files exported were changed to ensure
uniqueness. The Access Data Forensic Tool Kit case files,
Safeback image files and exported files were written to tape
using the Windows 2000 Backup utility.

REQ #34-1 000000126
FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of , On 03/13/2002

A physical image of NYOQ588 was made to both tape and
hard drive using the Safeback utility. The Access Data Forensic
Tool Kit was used to process NYOQ588. Files from the following
categories were exported to hard drive and written to CD-ROM:
Documents - partial
Databases - partial
Graphics - partial
Other known - partial
Unknown - partial.
The names of the files exported were changed to ensure
uniqueness. The Access Data Forensic Tool Kit case files,
Safeback image files and exported files were written to tape
using the Windows 2000 Backup utility.

The Access Data Forensic Tool Kit was used to process
NYOQ589. Files from the following categories were exported to
hard drive and written to CD-ROM:
Documents - partial
Graphics - partial
Other known - partial
Unknown - partial.
The names of the files exported were changed to ensure
uniqueness. The Access Data Forensic Tool Kit case files and
exported files were written to CD-ROM using the EZ-CD Creator
utility.

The Access Data Forensic Tool Kit was used to process
NYOQ590. Files from the following categories were exported to
hard drive and written to CD-ROM:
Documents - all
Spreadsheets - all
Databases - all.
The names of the files exported were changed to ensure
uniqueness. The Access Data Forensic Tool Kit case files,
Safeback image files and exported files were written to tape
using the Windows 2000 Backup utility.

000000127
FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of , On 03/11/2002, Page

A physical image of NYOQ591 was made to both tape and
hard drive using the Safeback utility. The Access Data Forensic
Tool Kit was used to process NYOQ591. No pertinent files were
found on NYOQ591. The Access Data Forensic Tool Kit case files
and Safeback image files were written to tape using the Windows
2000 Backup utility.

NYOQ592 was found to contain no data and was not
processed.

A physical image of NYOQ593 was made to both tape and
hard drive using the Safeback utility. The Access Data Forensic
Tool Kit was used to process NYOQ593. Files from the following
categories were exported to hard drive and written to CD-ROM:
Other known - partial.
The names of the files exported were changed to ensure
uniqueness. The Access Data Forensic Tool Kit case files,
Safeback image files and exported files were written to tape
using the Windows 2000 Backup utility.

A physical image of NYOQ594 was made to both tape and
hard drive using the Safeback utility. The Access Data Forensic
Tool Kit was used to process NYOQ594. Files from the following
categories were exported to hard drive and written to CD-ROM:
Documents - partial
Databases - partial
Graphics - partial
From E-Mail - partial
E-Mail Messages - partial
Other known - partial
Unknown - partial.
The names of the files exported were changed to ensure
uniqueness. The Access Data Forensic Tool Kit case files,
Safeback image files and exported files were written to tape
using the Windows 2000 Backup utility.

REQ #34-1 000000128
FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of , On 03/13/2002, Page

NYOQ595 contained image files, logical copies and
recovered deleted files for two hundred and nineteen floppy
disks. The Access Data Forensic Tool Kit was used to process the
image files contained on NYOQ595 with the exception of the
following floppy disk image files: 1, 3, 10, 12, 15, 37, 38, 40,
119, 128, 139, 147, 151, 152 and 175. Files from the logical
copies and recovered deleted files for these floppy disks were
exported manually. Files from the following categories were
exported to hard drive and written to CD-ROM:
Documents - partial
Spreadsheets - all
Graphics - partial
From E-Mail - partial
E-Mail Messages - all
Other known - partial
Unknown - partial.
The names of the files exported were changed to ensure
uniqueness. The Access Data Forensic Tool Kit case files and
exported files were written to CD-ROMs using the EZ-CD Creator
utility.
A physical image of NYOQ596 was made to both tape and
hard drive using the Safeback utility. The Access Data Forensic
Tool Kit was used to process NYOQ596. Files from the following
categories were exported to hard drive and written to CD-ROM:
Documents - partial
Spreadsheets - partial
Databases - partial
Graphics - partial
From E-Mail - partial
E-Mail Messages - partial
Temp Internet - partial
Other known - partial
Unknown - partial.
The names of the files exported were changed to ensure
uniqueness. The Access Data Forensic Tool Kit case files,
Safeback image files and exported files were written to tape
using the Windows 2000 Backup utility.
A physical image of NYOQ597 was made to both tape and
hard drive using the Safeback utility. The Access Data Forensic
Tool Kit was used to process NYOQ597. Files from the following
categories were exported to hard drive and written to CD-ROM:
Documents - partial
Databases - all
Other known - partial
Unknown - partial.
The names of the files exported were changed to ensure
uniqueness. The Access Data Forensic Tool Kit case files,
Safeback image files and exported files were written to tape
using the Windows 2000 Backup utility.

REQ #34-1 000000129

FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of , On 03/13/2002, Page
A physical image of NYOQ598 was made to both tape and
hard drive using the Safeback utility. The Access Data Forensic
Tool Kit was used to process NYOQ598. Files from the following
categories were exported to hard drive and written to CD-ROM:
Documents - all
Graphics - all
Other known - partial
Unknown - partial.
The names of the files exported were changed to ensure
uniqueness. The Access Data Forensic Tool Kit case files,
Safeback image files and exported files were written to tape
using the Windows 2000 Backup utility.
A physical image of NYOQ599 was made to both tape and
hard drive using the Safeback utility. The Access Data Forensic
Tool Kit was used to process NYOQ599. Files from the following
categories were exported to hard drive and written to CD-ROM:
Documents - partial
Databases - partial
Spreadsheets - partial
Graphics - partial
From E-Mail - partial
E-Mail Messages - partial
Other known - partial.
The names of the files exported were changed to ensure
uniqueness. The Access Data Forensic Tool Kit case files,
Safeback image files and exported files were written to tape
using the Windows 2000 Backup utility.
REQ #34-1 000000130

FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of , On 03/13/2002, Page

A physical image of NYOQ600 was made to both tape and
hard drive using the Safeback utility. The Access Data Forensic
Tool Kit was used to process NYOQ600. Files from the following
categories were exported to hard drive and written to CD-ROM:
Documents - partial
Spreadsheets - partial
Databases - partial
Graphics - partial
From E-Mail - partial
E-Mail Messages - partial
Archives - partial
Other known - partial
Unknown - partial.
The names of the files exported were changed to ensure
uniqueness. The Access Data Forensic Tool Kit case files,
Safeback image files and exported files were written to tape
using the Windows 2000 Backup utility.
A physical image of NYOQ601 was made to both tape and
hard drive using the Safeback utility. The Access Data Forensic
Tool Kit was used to process NYOQ601. Files from the following
categories were exported to hard drive and written to CD-ROM:
Documents - partial
Databases - partial
Graphics - partial
Unknown - partial.
The names of the files exported were changed to ensure
uniqueness. The Access Data Forensic Tool Kit case files,
Safeback image files and exported files were written to tape
using the Windows 2000 Backup utility.
A physical image of NYOQ602 was made to both tape and
hard drive using the Safeback utility. The Access Data Forensic
Tool Kit was used to process NYOQ602. Files from the following
categories were exported to hard drive and written to CD-ROM:
Documents - partial
Spreadsheets - partial
Graphics - partial
From E-Mail - partial
E-Mail Messages - partial
Temp Internet - all
Other known - partial
Unknown - partial.

REQ #34-1 000000131

FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of , On 03/13/2002, Page 8

The names of the files exported were changed to ensure
uniqueness. The Access Data Forensic Tool Kit case files,
Safeback image files and exported files were written to tape
using the Windows 2000 Backup utility.

A physical image of NYOQ603 was made to both tape and
hard drive using the Safeback utility. The Access Data Forensic
Tool Kit was used to process NYOQ603. Files from the following
categories were exported to hard drive and written to CD-ROM:
Other known - partial.
The names of the files exported were changed to ensure
uniqueness. The Access Data Forensic Tool Kit case files,
Safeback image files and exported files were written to tape
using the Windows 2000 Backup utility.

The Access Data Password Toolkit was run on all
exported files from NYOQ587 - NYOQ603 with a report created.

NYOQ604 - NYOQ702 were copied using the CD Duplicator.

REQ #34-1 000000132
FD-302 (Rev. 10-6-95)

-1-
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/17/2002

The following examination was conducted by Computer
Analysis Response Team (CART) Field Examiners:

SPECIMEN(S):

NYO Q703 - DVD ROM Media, labeled (E01962299)
"Crouching Tiger & Hidden Dragon, Disk 1"
NYO Q704 - DVD ROM Media, labeled (E01962299)
"Crouching Tiger & Hidden Dragon, Disk 2"
EXAMINATION:
The contents of Q703 and Q704 were examined using
Microsoft Windows Explorer and CD Inspector (v2.0.0). The DVD
media contained files consistent with those found on DVD video
media. When attempting to view the video contained on the DVD the
InterVideo WinDVD utility produced an error stating that the DVD
was formatted for a market other than the United States.

Investigation on 05/17/2002 at New York

File # 265A-NY-259391 Date dictated

by 9/11 Law Enforcement Privacy

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.
FD-302 (Rev. 10-6-95)

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 05/23/2000

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner (FE).

SPECIMEN(S):
NYOQ194 - four (4) CDROM disks containing a safeback
image of an Apple hard disk drive (HDD).

EXAM:
NYOQ194 were restored to HDD using the safeback utility. The
restored HDD was mounted and logical files were copied to CDROM
using the Toast utility.

Investigation on 05/23/2000 at New York

File # 265A-NY-259391-CC Date dictated 05/23/2000
by 9/11 Law Enforcement Privacy

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.
REQ #34-1 000000134
9/11 Law Enforcement Sensitive

FD-302 (Rev. 10-6-95)

- 1-

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 12/20/1999

On 12/16/1999, the following items were provided by the
[ ] Authorities:
One (1) Dell laptop computer, model PPS, serial number
(s/n) JH5J65160, p/n 08627. Ref # 991216E.
One (1) Compaq laptop computer, model 4/25, s/n 53085.
Ref # 991216D.
One (1) Generic tower computer, no model, no s/n. Ref #
991216A & 99121SB.
One (1) Generic mini-tower computer, no model, no s/n.
Ref # 991216B.
One (1) PD650 Plasmon optical disk cartridge. Ref #
991216F.
Sixty-nine (69) CDROM disks. Ref # 991218E, 991219A,
991218C, 991218D.
Fifty-five (55) 3.5" floppy disks. Ref # 991216C.
One (1) Helical-Scan 4mm Data Cartridge labeled
Bkup". No Ref #.
Two (2) document reproductions containing drawings of
buildings and Arabic writings. No Ref #.
On 12/19/1999, two (2) 5.25" floppy disks Ref # 991219C,
and two (2) CDROM disks Ref # 991219B were provided to the CART FE
for copying.
The following search was conducted by a Computer Analysis
Response Team (CART) Field Examiner (FE).
SEARCH:

A Dell laptop was imaged to magneto optical disk (MOD)
using the safeback utility. A logical copy was made to MOD using
the codeblue utility. Recovered deleted files were made to MOD
using the XDF32 utility. Residue was extracted to MOD using the
REDX utility. The hard disk drive (HDD) needed to be removed from
the computer because the power cord was not supplied, and the
battery was not charged.

Investigation on 12/20/1999 at

File # 265A-NY-259391 Date dictated 12/20/1999

by 9/11 Law Enforcement Privacy

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.
REQ #34-1 000000135
FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of CART SEARCH, On 12/20/1999

A Compaq laptop was imaged to MOD using the safeback
utility. A logical copy was made using the codeblue utility.
Recoverable deleted files were made to MOD using the XDF32 utility.
The HDD was removed from the computer because the computer was in
non-functioning condition.

A tower computer was imaged to 4mm DDS3 tape cartridge
using the safeback utility. A logical file copy was made to MOD
using the codeblue utility. Recovered deleted files were made to
MOD using the XDF32 utility. The tower computer had two HDDs,
however one was not connected and would not spin up when power was
applied.
A mini-tower was imaged to MOD using the safeback
utility. A logical file copy was made to MOD using the codeblue
utility. Recovered deleted files were made to MOD using the XDF32
utility.
A PD650 Plasmon optical disk cartridge was copied to
Iomega Jazz cartridge using Windows Explorer.
Floppy diskettes were imaged to MOD using the copyqm
utility.
CDROMS were imaged to files using the Adaptec CD creator
utility and copied to 4mm DDS3 tapes using Windows Explorer.

All MODs, 4mm tapes, Jazz cartridges, Zip cartridges,
CDROMs and documents were provided to the search coordinator.

REQ #34-1 000000136


FD-302(Rev. 10-6-95)

-1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 07/20/2000

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner (FE).

SPECIMEN(S):
NYOQ109 - a magneto optical disk (MOD) containing an image, logical
files and deleted files from a Compaq laptop.
NYOQ110 - two (2) 4mm tape containing images from thirty-six (36)
CD-ROM disks.
NYOQ112 - a 4mm tape containing an image of a generic tower server
computer.
NYOQ113 - an MOD containing an image of a generic mini tower
computer.
NYOQ114 - an MOD containing a logical file copy and deleted files
from a generic tower server computer.
NYOQ115 - an MOD containing an image of a Dell laptop computer.
NYOQ116 - an MOD containing data from fifty-five (55) 3.5" floppy
diskettes and the image of one (1) CD-ROM disk.
NYOQ117 - an MOD containing images from two (2) CD-ROM disks.

NYOQ118 - an Iomega Jaz cartridge containing data from a PD650
optical disk.

NYOQ121 - An Iomega Zip 250 disk containing data from a 5.25 inch
floppy diskette.
NYOQ122 - a CD-ROM disk containing data from a CD-ROM disk.

NYOQ301 - a CD-ROM disk labeled Al-Iman.

NYOQ302 - a CD-ROM disk labeled 990423_1227.

Investigation on 07/20/2000 at New York

File # 265A-NY-259391 Date dictated 07/20/2000

by 9/11 Law Enforcement Privacy

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.
REQ #34-1 000000137
FD-302a (Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of CART EXAM, On 07/20/2000, Page

NYOQ303 - a CD-ROM disk labeled 12/15/99- 03:30.
NYOQ304 - a CD-ROM disk labeled 12/16/99 04:00.
NYOQ305 - a CD-ROM disk labeled 12/16/99 04:30.
NYOQ306 - a CD-ROM disk labeled 12/16/99 05:15.
NYOQ307 - a CD-ROM disk labeled 12/16/99 05:55.
NYOQ308 - a CD-ROM disk labeled 12/16/99 04:41.
NYOQ309 - a CD-ROM disk labeled CD1 Azzam Targima.
NYOQ310 - a CD-ROM disk labeled 12/16/99 06:30.
NYOQ311 - a CD-ROM disk labeled CD-2 Azzam Thakafah.
EXAM:
NYOQ109 was restored to a hard disk drive (HDD) using the Safeback
utility. Logical files, deleted files and residue were copied to
CD-ROM using the Adaptec EZ CD creator utility.
NYOQ110 - all thirty-six (36) CD-ROM images were restored to CD-ROM
using the Adaptec EZ CD creator utility.
NYOQ112 was restored to HDD using the Safeback utility. A search
was conducted for all files with the extensions .skr, .pkr, and
.asc. The following files were found:

REQ #34-1 000000138


FD-302a(Rev. 10-6-95)

265A-NY-259391

Continuation of FD-302 of CART EXAM, On 07/20/2000, Page

logical, deleted and residue was copied to CD-ROM using the Adaptec
EZ CD Creator utility.
NYOQ113 was restored to HDD using the Safeback utility. Logical,
deleted and residue was copied to CD-ROM using the Adaptec EZ CD
Creator utility.
NYOQ115 was restored to HDD using the Safeback utility. Logical,
deleted and residue was copied to CD-ROM using the Adaptec EZ CD
Creator utility.
NYOQ116 - floppy images were self-extracted to floppy diskettes.

NYOQ117 was restored to CD-ROM using the Adaptec EZ CD Creator
utility.
A logical copy of NYOQ118 was made to CD-ROM using the Adaptec EZ
CD Creator utility.
NYOQ121 - a floppy image was restored to diskette, logical copies
of two floppies were made to CD-ROM using the Adaptec EZ CD Creator
utility.
NYOQ122 could not be copied due to damage to the CD-ROM.

NYOQ301 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ302 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ303 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ304 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ305 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ306 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ307 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ308 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ309 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ310 was copied to CD-ROM using a Champion CD-ROM copier.
NYOQ311 was copied to CD-ROM using a Champion CD-ROM copier.

REQ #34-1 000000139


FD-302 (Rev. 10-6-95)

-1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 5/21/99

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner (FE). This
examination was done following the procedures and using tools
provided by the FBI Laboratory.

SPECIMEN(S):

Q1 - a 3½" floppy diskette.
Q2 - a Magneto-optical disk (MOD) containing the image,
logical and deleted files from an Altimo Supreme laptop computer.
Q3 - a 3½" floppy diskette.
Q4 - a 3½" floppy diskette.
Q152 - an MOD containing the image, logical and residue of
an Altimo Supreme laptop computer.

EXAMINATION:
Q2 and Q152 were restored to a hard drive (HD). The system
was then booted. Since the operating system was in Arabic, a
translator was provided to assist in printing documents from the HD.
All documents were provided to the case agent.
Q1, Q3 and Q4 were provided to the case agent as well.

Investigation on 12/24/1993 at New York

File # 265A-NY-252802 Date dictated 5/21/1999

9/11 Law Enforcement Privacy

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency.
REQ #34-1 000000140
FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 5/21/99

The following examination was conducted by a Computer
Analysis Response Team (CART) Field Examiner (FE). This
examination was done following the procedures and using tools
provided by the FBI Laboratory.

SPECIMEN(S):

Q1 - a 3½" floppy diskette.
Q2 - a Magneto-optical disk (MOD) containing the image,
logical and deleted files from an Altimo Supreme laptop computer
obtained November 1998.
Q3 - a 3½" floppy diskette.
Q4 - a 3½" floppy diskette.
Q152 - an MOD containing the image, logical and residue of
an Altimo Supreme laptop computer obtained February 1999.
EXAMINATION:
Q2 and Q152 were restored to a hard drive (HD). The system
was then booted. Since the operating system was in Arabic, a
translator was provided to assist in printing documents from the HD.
All documents were provided to the case agent.
Q1, Q3 and Q4 were copied and provided to the case agent as
well.

Investigation on 12/24/1998 at New York

File # 265A-NY-252802 Date dictated 5/21/1999

by 9/11 Law Enforcement Privacy

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency.
FD-302 (Rev. 10-6-95)

- 1 -

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 11/06/98


The following search was conducted by a Computer
Analysis Response Team (CART) Field Examiner (FE). This search
was done following the procedures and using tools provided by the
FBI Laboratory.
A covert computer search/seizure was conducted at the

The following computer was searched and data was seized
from the hard drive (HD):
One (1) Altimo Supreme laptop computer.
An image of the HD was made to magneto-optical disk
(MOD) using the Safeback utility. Logical copies of both
partitions of the HD were made to MOD using the Codeblue utility.
Recoverable deleted files were transferred to MOD using the
Makefer utilities.
In addition, three (3) 3.5" floppy diskettes (FD) were
imaged to FD.

9/11 Law Enforcement Sensitive

Investigation on 10/31/98

File # 265A-NY-252802 Date dictated 11/06/98

by 9/11 Law Enforcement Privacy

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency.
7-1 (Rev. 2-21-91)

- M. HorvattT)
FEDERAL BUREAU OF INVESTIGATION
WASHINGTON, D. C. 20535

Date: March 14, 1996


To: SAC, New York

FBI File No. 265A-NY-252802

Lab No. 50120018 D BY

Reference: Preliminary Laboratory Report Dated 3/6/95

Your No. 265A-NY-252802

Re: 9/11 Law Enforcement Sensitive

OO: NEW YORK

Specimens received:

Specimens:

Q1 Toshiba T1950CT/200 Laptop Computer, Model
Number PA1152EA, SN# 02414578
Q1i One magneto-optical cartridge
Q1j One internal computer hard drive
Q1k, Q1l Two magneto-optical cartridges

Also Submitted:
One 3.5" diskette containing software to perform
decryption of files contained on Ql.

Results of Examination:
Specimens Q1a through Q1h which are referenced in this
report were previously described in Laboratory Report dated
3/S/95. Specimen Q1 was hand carried from New York Division to
the FBI Laboratory on April 12, 1995. All specimens were
analyzed using computer resources currently available to the
FBI Laboratory.
2 - 265A-HN-12924
MFH:mfh (6)
REQ #34-1 This Report Is Furnished For Official Use Only 000000143
9/11 Law Enforcement Sensitive / 9/11 Law Enforcement Privacy

Specimen Q1 was previously examined in [ ] on 1/23/95.
It was noted that the date contained within the computer was
set to 1/22/95, one day from the actual date of the
examination.
An image backup of Q1 was written to magneto-optical
cartridge and labeled Q1i. The SAMPO virus was found on the
laptop computer. This virus has been determined to be non-
destructive to information contained on the hard drive. A
logical copy of all files contained on Q1 was also copied to
Q1i.
An image composite of Q1a and Q1b was written to a
computer hard drive and labelled Q1j. This image represents
Q1's status during examination in [ ].
Also submitted item, referred to as 'decryption software',
was received at the FBI Laboratory on 4/9/95 from SA [ ].
This software was used to produce text output of
encrypted files contained on Q1. Nine out of twenty files,
whose contents were unknown, were decrypted to a readable form.
These files have been printed and copies of each were supplied
to New York, FBIHQ and AUSA Mike Garcia. One database file
appears to be password protected. The password is unknown.

It was determined through Toshiba International that Q1
was manufactured overseas. Serial number 02414578 existed but
was not assigned to a model T1950CT/200. It is assigned to a
model T1910CS/200. The laptop assigned to the given serial
number 02414578 was found to be sold to the company [ ]
on March 24, 1994. This company is located in
England.
Directory listings and erased files listings were produced
for Q1. These were compared to listings that were created for
the tape backups Q1a through Q1c. No differences in active
files were encountered. Differences were encountered in the
erased file information. At the two separate times of
examination, each had some erased file information that did not
exist or could not be retrieved at the opposite time. The
newly available erased files were recovered and reviewed. File
listings have been produced that represent which files were
retrieved at which time.
Slack information was retrieved from Q1 and compared to
the slack information that was retrieved during the examination
in Manila and differences were encountered. Both versions have
been printed and are being delivered to AUSA Mike Garcia.

Lab # 50120018 D BY
Page 2

REQ #34-1 000000144


9/11 Law Enforcement
Sensitive

A text string search was performed on Q1 for the strings
[ ]. The
result was negative.
Copies of all .WAV and .LAV sound files were made to
diskette and shipped overnight to New York Division upon
request, along with directory and erased file listings, and
decrypted file information.
Five (5) additional image backups were written to tape.
Four tapes were shipped to New York Division and one is being
shipped to the AUSA's office in New York. Seven (7) hard
drives received from AUSA Mike Garcia were used to restore the
image contained on Q1i. Five hard drives were shipped back to
the New York Division and two were shipped directly to the
AUSA's office in New York.
A cassette recording was made of four sound files and sent
to Language Services for translation. The cassette recording
and results from Language Services were forwarded to the New
York Division.
The contents of Q1i were copied to two additional magneto-
optical cartridges, Q1k and Q1i. An image backup was made of
Q1j and also written to Q1k and Q1i. A second image backup of
Q1j was written to tape.
The FBI Laboratory is keeping on file seven (7) backup
tapes (Q1a through Q1g), two magneto-optical cartridges (Q1i
and Q1k), the Also Submitted item containing the decryption
software and a copy of all printouts, erased information and
encrypted information.
Two additional image backup tapes, one copy of the
decryption software, one magneto-optical cartridge (Q1i), two
printouts of slack information, listings of erased files
retrieved and a copy of all notes is being shipped overnight to
AUSA Mike Garcia.

Lab # 50120018 D BY
Page 3

REQ #34-1 000000145


/9/11 Law Enforcement Privacy

(Rev. 10-01-1999)

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 01/13/2000

To: Laboratory Attn: ERF EST-1
SSA
From: Laboratory
CART RM. ms
Contact:
Approved By:
Drafted By:
Case ID #: 265A-NY-252802 (Pending)

Title: [ ] 9/11 Law Enforcement Sensitive

Synopsis: Request ERF assistance in analysis of software.

Reference: 265A-NY-252802 Serial 1449
Details: Three (3) 2.3GB magneto optical cartridges (CART Q225-
Q227) and one (1) 3½" 1.44MB floppy diskette (CART Q228)
containing images and files of a laptop were submitted to the
CART Unit for examination.
Images (Q225-Q227) of the laptop were restored to a
staging IDE hard disk drive (Seagate Medalist 8641 Model ST38641A
S/N VR103440) and a copy of all logical data, recovered erased
files and extracted residue information are on two (2) CD-ROMs
being forwarded to ERF EST-1 for further analysis by request of
SA [ ] (FBIHQ NSD ITOS).
A copy of the incoming EC from NSD is attached for
ERF's assistance in further analysis of the restored images.

REQ #34-1 000000146


To: Laboratory From: Laboratory
Re: 265A-NY-252802, 01/13/2000

LEAD(s):

Set Lead 1:

ERF EST-1
AT FBI ACADEMY QUANTICO, VA

Request ERF EST-1 further analyze restored image of
laptop located on staging IDE hard disk and the two (2) CD-ROMs
containing logical, erased and residue data. Additionally, CART
requests the return of the IDE staging hard disk (Seagate Medalist
8641 Model ST38641A S/N VR103440) to FBIHQ CART UNIT upon
completion of analysis.

REQ #34-1 000000147


LABORATORY
FEDERAL BUREAU OF INVESTIGATION
WASHINGTON, D. C. 20535

Date: February 1, 2000

To: NSD
ITOS
Attn: SA
Case ID No.: 265A-NY-252802
Lab No.: 000127007 BI

Reference: Communication dated 01/27/2000

Your No.:
Title: 9/11 Law Enforcement Privacy

Date specimens received: January 27, 2000

Specimens:
Re-submission of Q225-Q228 from laboratory number 000106009 BI (265A-NY-252802)
which was completed on January 13, 2000.
The results of the Computer Analysis Response Team (CART) examination
are included in this report. Specimens Q225-Q228 were returned to SA [ ], FBIHQ
NSD ITOS, who should make a determination to what extent these materials require entry
into the ACS collected items database.

Page 1 of 1

This Report is Furnished for Official Use Only 000000148


REQ #34-1
7-la (Rev. 5-18-99)

LABORATORY

FEDERAL BUREAU OF INVESTIGATION


WASHINGTON, D. C. 20535
Report of Examination

Examiner Name: [ ] Date: February 1, 2000
Unit: Computer Analysis Response Team Phone No.: 202-324-6225
Case ID No.: 265A-NY-252802 Lab No.: 000127007 BI

Results of Examinations:

One (1) copy of each previously submitted specimens Q225-Q228 were made. No
hardcopy printouts were made or any other analysis conducted.

No hardcopy printouts or magnetic/optical media are being retained by the FBI
Laboratory.

CART - Page 1 of 1

REQ #34-1 This Report is Furnished for Official Use Only 000000149
/9/11 Law Enforcement Privacy

August 13, 1999


National Security
ITOS / NS3C
ATTN: E I' 265A-NY-259391

990608001 AB

Communication dated June 6, 1999

(S) 265A-NY-259391
(S) USAMA BIN LADEN;
AOT-IT

June 8, 1999
Specimens :

of
Q53 Seagate hard drive, model ST39173W, part of a 5-drive
RAID assembly, SN: LM040163
Q54 Seagate hard drive, model ST39173W, part of a 5-drive
RAID assembly, SN: LM041289
Q55 Seagate hard drive, model ST39173W, part of a 5-drive
RAID assembly, SN: LM027194
NE50 RAID controller assembly, model DS500-SR, SN:
97324E2913

(over)
Page 1

REQ #34-1 000000150
(U) The results of the Computer Analysis Response Team
(CART) are included in this report. Specimens Q51-Q55 and NE50
are being returned directly to the Evidence Control Technician in
New York Division. Five (5) hard drives containing work product
are being returned directly to the case agent in New York, who
should make a determination to what extent these items should be
entered into the ACS collected items database. Twenty-eight (28)
CDs containing extracts from work product have been sent to Tampa
Division for further analysis.

Page 2

REQ #34-1 000000151


9/11 Law Enforcement Privacy

August 13, 1999


Computer Analysis Response Team
(S) 265A-NY-259391 990608001 AB

Results of Examinations:
(U) Specimens Q51-Q55 were configured as a Redundant
Array of Independent Disks (RAID), and could only be analyzed
by installing them into NE50. Once installed, the drives
functioned as a single storage device with several partitions.
Thus, analysis was conducted on these partitions rather than on
the individual specimens themselves. An examination was
conducted on the four data partitions: Bin1, Bin2, Bin3, and
Bin4.
(U) Raw data was recovered from each Bin and
examined for fragments of audio files. The extracted fragments
were then converted to a non-proprietary audio format. Results
of the recovery, interim examination, and conversion processes
were placed on external hard drives, sorted according to Bin
number and date/time. All non-zero length recovered audio
files were also copied to CDs, using the non-proprietary
format.
(U) No hardcopy printouts or magnetic-optical media
are being retained.

CART - Page 1 of 1

REQ #34-1 000000152


9/11 Law Enforcement Privacy

7-1 (Rev. 5-13-99)


LABORATORY
FEDERAL BUREAU OF INVESTIGATION
WASHINGTON, D. C. 20535

Date: April 19, 2000


To: SAC
ATTN: [redacted]
Case ID No.: 265A-NY-259391-PP

Lab No.: 000310006 BI

Reference: Communication dated: 3/6/2000

Your No.:
Title: USAMA BIN LADIN;
MAJOR CASE 161;
OO: NY

Date specimens received: March 10, 2000

Specimens:
Q56 One (1) CDROM labeled as "Q80 [redacted] number SCG/69) DELETED FILES MAC QUADRA 700 MAC HSI".

Q57 One (1) CDROM labeled as "Q82 [redacted] number SCG/78) FLOPPY IMAGES FOR MAC CSL/274/98 WORK COPY 1 OF 1".

Q58 One (1) CDROM labeled as "Q[illegible] [redacted] number SCG/78) WORK COPY 1 OF 1 COPY OF CDR'S".

Q59 One (1) CDROM labeled as "Q82 [redacted] number SCG/78) FLOPPIES WORK COPY CSU274/98 1 OF 1".

Q60 One (1) CDROM labeled as "Q98 [redacted] number PLW/40) ZIP DISK 02/16/00 PLW/40/8".
Page 1 of 1

9/11 Law Enforcement Sensitive

This Report is Furnished for Official Use Only 000000153


REQ #34-1
9/11 Law Enforcement Sensitive

Q61 One (1) CDROM labeled as "Q82 [redacted] number SCG/78) ITEMS SCG/78,1 SCG/72.2 WORK COPY 02/16/00".

Q62 One (1) CDROM labeled as "Q8[illegible] [redacted] number SCG/73) DELETED FILES 02/16/00 SCG/73 MAC H.D".

Q63 One (1) CDROM labeled as "Q86 [redacted] number KRA/2110) MAC HARD DRIVE KRA/2110 MAC 8200/120 2/16/00".

Q64 One (1) CDROM labeled as "Q86 [redacted] number KRA/2110) DELETED FILES KRA/2110 2/16/00 MAC 8200/120".

Q65 One (1) CDROM labeled as "SCG/69 MACINTOSH ESI 9/13/99 WORK COPY #2 DISK 1 OF 1".

Q66 One (1) CDROM labeled as "PJW/28 IMAGE COPY APPLE MACINTOSH QUADRA 700 9/13/99".

Q67 One (1) CDROM labeled as "QUANTUM PRO DRIVE SCG/20 2/11/00 IMAGE COPY".

Q68 One (1) CDROM labeled as "Q88 [redacted] number SCG/20) DELETED FILES SCG/20 2/17/00 QUANTUM PRO DRIVE".

Q69 One (1) CDROM labeled as "Q99 [redacted] number PLW/35) SIDE A COPY CD 2/17/00 PLW/35/133".

Q70 One (1) CDROM labeled as "[redacted] number PLW/35) SIDE B COPY OF CD 2/17/00 PLW/35/122".

Q71 One (1) CDROM labeled as "Q87 [redacted] number PLW/4) DELETED FILES 2/16/00 POWER MAC PLW/4 8200".

Q72 One (1) CDROM labeled as "[redacted] number PLW/4) HARD DRIVE PLW/4 POWER MAC 8200 02/16/00".

Q73 One (1) CDROM labeled as "Q92 [redacted] number PLW/40) ZIP DISK DELETED FILES 2/17/00 PLW/40/2".

Q74 One (1) CDROM labeled as "Q93 [redacted] number PLW/40) ZIP DISK 2/17/00 PLW/40/3".

Q75 One (1) CDROM labeled as "Q94 [redacted] number PLW/40) ZIP DISK 2/17/00 PLW/40/4".

Q76 One (1) CDROM labeled as "Q95 [redacted] number PLW/40) ZIP DISK 2/17/00 PLW/40/5".

Q77 One (1) CDROM labeled as "[redacted] number PLW/40) ZIP DISK 2/17/00 PLW/40/6".

Page 2 of 1
000310006 BI

000000154
REQ #34-1
9/11 Law Enforcement Sensitive

Q78 One (1) CDROM labeled as "Q97 [redacted] number PLW/40) ZIP DISK
2/17/00 PLW/40/7".
Q79 One (1) CDROM labeled as "Q91 [redacted] number PLW/40) ZIP DISK
WORK COPY MAC CSU274/98 PLW/40/1".
The results of the Computer Analysis Response Team (CART) examination
are included in this report.
Specimens Q56 - Q79 have been returned to the Evidence Control Technician
in your office. All hardcopy printouts have been forwarded to case agent SA [redacted],
who should make a determination to what extent these materials require entry into
the ACS collected items database.

9/11 Law Enforcement Privacy

Page 3 of 1
000310006 BI

REQ #34-1 000000155


9/11 Law Enforcement Privacy

7-1a (Rev. 5-18-99)


LABORATORY

FEDERAL BUREAU OF INVESTIGATION


WASHINGTON, D. C. 20535

Report of Examination

April 19, 2000

Unit: Computer Analysis Response Team    Phone No.: 202-324-6225


Case ID No.: 265A-NY-259391-PP    Lab No.: 000310006 BI

Results of Examinations:
All contents of specimens Q56 - Q79 have been reviewed and hardcopy printouts
were produced from specimens Q56 - Q79 for review by the case agent.
Documents recovered from specimens Q56 - Q79 containing Arabic characters have
been reviewed by Language Specialist [redacted] for interpretation and results were
forwarded to the case agent.
No hardcopy printouts or magnetic/optical media are being retained by the FBI
Laboratory.

CART - Page 1 of 1

This Report is Furnished for Official Use Only 000000156


REQ #34-1
WITHDRAWAL NOTICE

RG: 148 Exposition, Anniversary, and Memorial Commissions


SERIES: 9/11 Commission Team 5, FRC Box 23
NND PROJECT NUMBER: 51095 FOIA CASE NUMBER: 30383

WITHDRAWAL DATE: 09/08/2008

BOX: 00004 FOLDER: 0002 TAB: 2 DOC ID: 31193699

COPIES: 1 PAGES: 2

ACCESS RESTRICTED
The item identified below has been withdrawn from this file:

FOLDER TITLE: T. Eldridge files-FBI CART documents

DOCUMENT DATE: 12/03/2001 DOCUMENT TYPE: FBI 302

FROM: FBI Lab

TO: ADIC New York

SUBJECT: Documents relating to all Computer Analysis Response Team (CART) reports, or
predecessor computer exploitation reports, regarding hard drives seized from Al
Qaeda associated subjects from 1995 through September 11, 2001. Responsive to
Requests #34-1 Packet #2 [withheld material]

This document has been withdrawn for the following reason(s):


9/11 Classified Information

WITHDRAWAL NOTICE
Law Enforcement Privacy

7-1a (Rev. 5-18-99)

LABORATORY

FEDERAL BUREAU OF INVESTIGATION


WASHINGTON, D. C. 20535
Report of Examination

Date: December 3, 2001


Unit: Computer Analysis Response Team    Phone No.: 202-324-6225
Case ID No.: (S) 265A-NY-259391    Lab No.: 011109001 BI

Results of Examinations:
(U) Specimens Q112, Q113, Q114 and Q116 are four (4) IDE hard disk drives
(HDD). Specimens Q115, Q117, Q118 and Q119 are duplicate copies (1 - IDE HDD and 3 -
[illegible]) of specimens Q112, Q113, Q114 and Q116 made by CART Examiner SA
[redacted] and therefore no analysis was performed on these specimens.
(U) Specimens Q112, Q113, Q114 and Q116 were analyzed for active and erased
files as well as residual data using ILOOK. Drive to Drive copies were also made of
specimens Q112, Q113, Q114 and Q116 onto four (4) IDE HDD. ILOOK results for
specimens Q112, Q113, Q114 and Q116 were copied to (4) IDE HDD. Indexing of all active
files was performed using DT Search and those results were copied onto four (4) magneto
optical cartridges (MOCs). The work product from specimens Q112, Q113, Q114 and Q116
are being retained by SA [redacted] for further review at FBI HQ.
(U) Safeback images were made of ILOOK results for specimens Q112, Q113, Q114
and Q116 onto eight (8) 4mm data tapes and were forwarded to SA [redacted] (WFO)
for further review.
(U) No hardcopy printouts or magnetic/optical media are being retained by the FBI
Laboratory.

CART - Page 1 of 1

This Report is Furnished for Official Use Only 000000159


7-1 (Rev. 5-13-99)
LABORATORY
FEDERAL BUREAU OF INVESTIGATION
WASHINGTON, D. C. 20535

Date: January 17, 2002


To: SAC, New York
ATTN: [redacted]
Case ID No.: 265A-NY-259391-12
Lab No.: 020107003 BI

Reference: Communication dated 12/17/2001

Your No.:

Title: USAMA BIN LADEN


MAJOR CASE 161

SUB FILE 1-2


9/11 Law Enforcement
Sensitive

9/11 Law Enforcement Privacy

Date specimens received: January 07, 2002

Specimens:
Q20 Computer hard drive storage system and vid [illegible] inside cover of case: D8083-2E).
Q20.1 IDE mini Seagate laptop hard drive (model S [illegible]
NE2 Wooden video collection box with no serial or model numbers.


The results of the Computer Analysis Response Team (CART) examination
are included in this report.
Specimens Q20, Q20.1 and NE2 along with CD-ROM copies (3) of
examination results have been returned to ERF Video Collection Unit ET [redacted] per
request of case agent SA [redacted] (NYFO). Three (3) CD-ROMs containing
examination results were sent to case agent [redacted] via FEDEX. Case agent
[redacted] should make a determination to what extent these materials require entry
into the ACS collected items database.

Page 1 of 1

This Report is Furnished for Official Use Only 000000160


#34-1
9/11 Law Enforcement Privacy

7-1a (Rev. 5-18-99)
LABORATORY

FEDERAL BUREAU OF INVESTIGATION


WASHINGTON, D. C. 20535

Report of Examination
Examiner Name: [redacted]    Date: January 17, 2002
Unit: Computer Analysis Response Team    Phone No.: 202-324-6225
Case ID No.: 265A-NY-259391-I2    Lab No.: 020107003 BI

Results of Examinations:
Specimen Q20.1 is an IDE mini Seagate laptop hard drive (model ST91685AG S/N
FN608903) which was retrieved from specimen Q20 (computer hard drive/video power
supply unit). Specimen Q20.1 was examined for active and deleted files.
As requested in the communication 12/17/2001, a recovery of active graphical files
was conducted on specimen Q20.1 and saved onto CD-ROM. Recovery of deleted files was
also conducted on specimen Q20.1 yet did not yield any deleted files [illegible]
all active files as well as all active files found on specimen Q20.1 were saved to CD-ROMs.
Three (3) CD-ROMs containing all examination results of specimen Q20.1 were
[illegible]
field conditions.
No hardcopy printouts or magnetic/optical media are being retained by the FBI
Laboratory.

CART - Page 1 of 1

This Report is Furnished for Official Use Only 000000161


REQ #34-1
9/11 Law Enforcement Privacy
(01/26/1998)

FEDERAL BUREAU OF INVESTIGATION


Precedence: Routine    Date: June 23, 2003

To: New York    Attn: SA [redacted]


1-49

From: Investigative Technology


Cyber Technology Section/CART Unit,
Contact:

Approved By:

Drafted By:

Case ID #: 265A-NY-259391-CC

Title: USAMA BIN LADEN


Major Case 161

Synopsis: To provide results of a CART examination and the
disposition of the evidence.

Reference: 265A-NY-259391-CC-331

Enclosures: Enclosed is an FD-302 to be maintained in the
requesting division's case file.

Details: The results of the CART examination are detailed in the
enclosed FD-302. The submitted evidence in the captioned matter
and the digital output results of the CART examination have been
sent to the Kansas City evidence control technician. No digital
media is being retained at CART headquarters and this matter is
considered closed.

REQ #34-1 000000162


FD-302 (Rev. 10-6-95)

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 06/23/2003

Computer Analysis Response Team


Report of Examination

Included herein are the results of a digital forensic
examination performed by an FBI CART Certified Forensic Examiner.
This examination has been performed in accordance with CART
policies and procedures.
Case Reference: Laboratory Number 020612002 AB

Specimens:

Q516 One (1) Verbatim 4.1 GB magneto-optical disk, lot
number 01026564, with handwritten label "10-18-01
SAMSUNG External USB Drive 1 of 3 . . . DISK 1".
Q517 One (1) Verbatim 2.3 GB magneto-optical disk, lot
number 00427522, with handwritten label "10-18-01
External USB Hard Drive SAMSUNG . . . DISK 2".
Q518 One (1) Verbatim 4.1 GB magneto-optical disk, lot
number 01026564, with handwritten label "265A-NY-
259391-CC Computer Used by Ziyad Khaeel . . . 3-26-
02 DISK 1 of 2".
Q519 One (1) Verbatim 4.1 GB magneto-optical disk, lot
number 01026564, with handwritten label "265A-NY-
259391-CC Computer Used by Ziyad Khaeel . . . 3-26-
02 DISK 2 of 2".
Q520 One (1) Verbatim 4.1 GB magneto-optical disk, lot
number 01026564, with handwritten label "265A-NY-
259391-CC HD From Computer Used by Ziyad Khaeel 8-
2000/12-2000 . . . DISK 1 of 2".

Investigation on 06/23/2003 at HQ Lab, Washington, DC


File # 265A-NY-259391-CC [illegible]    Date dictated 06/23/2003

by IT/FE 9/11 Law Enforcement Privacy

This document contains neither recommendations nor conclusions of the FBI.
It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency. 000000163
9/11 Law Enforcement Privacy
9/11 Law Enforcement
Sensitive
FD-302a (Rev. 10-6-95)

265A-NY-259391-CC

Continuation of FD-302 of CART Forensic Examination, On 06/23/2003, Page

Q521 One (1) Verbatim 4.1 GB magneto-optical disk, lot
number 00323624, with handwritten label "265A-NY-
259391CC HD From Inside Computer Used by [redacted]
Segate [sic] HD From 8-2000/12-2000 . . .
DISK 2 of 2".

Request: Per an electronic communication, 265A-NY-259391-CC-331,
from NY 1-49 SA [redacted], CART was requested to restore
three Safeback images. Subsequently, SA [redacted] requested that the
restored images and original evidence be sent to Kansas City
Division. No other procedures were requested.
Summary of Results: The Safeback images, provided on magneto-
optical disks as described above, were restored to new laboratory
hard drives which had been wiped.
Derivative Evidence (DE): Following were produced as derivative
evidence:

DEHQ1 Maxtor 10 GB hard drive, SN B1DCB47E, containing
restoration of Safeback image from Q516 and
Q517. Verification md5sum (for the derivative
evidence drive only, not to be used to compare to
original evidence drives):
6c7ff6cc330aecdbde5cac61a5910c95
DEHQ2 Maxtor 10 GB hard drive, SN B1DCB4FE, containing
restoration of Safeback image from Q518 and Q519.
Verification md5sum (for the derivative evidence
drive only, not to be used to compare to original
evidence drives):
2d2e77fb69108b5f76e2e533cOfb35el
DEHQ3 Maxtor 10 GB hard drive, SN B1DBYBTE, containing
restoration of Safeback image from Q520 and Q521.
Verification md5sum (for the derivative evidence
drive only, not to be used to compare to original
evidence drives):
95775aff5f769e289c78dbc2eea6d06d

Examination: Images from the specimens were restored to hard
drives as described above. These drives were attached to a

REQ #34-1 000000164


9/11 Law Enforcement Privacy

FD-302a (Rev. 10-6-95)

265A-NY-259391-CC

Continuation of FD-302 of CART Forensic Examination, On 06/23/2003

laboratory computer, and the case agent reviewed the contents.
These interim work product drives were subsequently wiped, and the
original images restored to them again. It is these drives that are
being transmitted as the Derivative Evidence drives.

At the direction of the case agent, all original evidence
and derivative evidence was sent to Kansas City Division evidence
control technician, for the attention of [redacted]. The notes
of examination are being placed in a 1A envelope and being retained
in the FBI Information Technology Division file. No electronic
media copies of the original or derivative evidence are being
retained by headquarters.

REQ #34-1 000000165


9/11 Law Enforcement
Sensitive

FD-302 (Rev. 10-6-95)

- 1-

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 10/20/2003

Computer Analysis Response Team


Report of Examination

Included herein are the results of a digital forensic
examination performed by an FBI CART Certified Forensic Examiner.
This examination has been performed in accordance with CART
policies and procedures.

Case Reference: Laboratory Number 030122051

Specimens:
AFGP 2002 804371 QHQ001 IBM Travelstar 2.5" 10.06
GB ATA/IDE notebook
drive, model DJSA-210, SN
42MZ9347.

Request: Per a Department of Defense Office of General Counsel
Memorandum dated September 25, 2003, Subject: Computer Hard Drive
Analysis, a forensic analysis of the subject specimen was
requested. Additionally, three specific files were requested to be
recovered: an article entitled [redacted]

Summary of Results: A full forensic examination was conducted, and
the four requested files were identified and recovered from the
specimen. However the recovered documents differed slightly from
the descriptions given by the Office of General Counsel.
Additionally, one of the requested files, "arrival.doc", was
password protected, and the password had to be recovered before
completing recovery of the document.

Derivative Evidence (DE): Following is a list of digital media
containing results of the examination.

DEHQ010 CD with summary results of the examination, with
web-based organizing indices.

Investigation on 10/15/2003 at HQ Lab Washington DC


File # 265A-NY-259391-EEE [illegible]    Date dictated 10/15/2003

by ITS/FE [redacted]    9/11 Law Enforcement Privacy

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is
loaned to your agency; it and its contents are not to be distributed outside your agency.
9/11 Law Enforcement Sensitive

FD-302a (Rev. 10-6-95)

265A-NY-259391-EEE

Continuation of FD-302 of Computer Forensic Exam, On 10/15/2003, Page

DEHQ011 5 DVDs containing full results of the examination,
with web-based organizing indices.

DEHQ012 3 DVDs containing copies of the image file segments
used to perform the examination.

DEHQ013 Western Digital 20 GB hard drive, SN WMAAR1214879,
containing full results of the examination.

DEHQ014 Printed copy of the file

DEHQ015 Printed copy of the file

DEHQ016 Printed copy of the file

DEHQ017 Printed copy of the file

DEHQ018 Printed copy of the file

DEHQ019 4-mm DAT containing Safeback image of DEHQ013.


Examination:
The specimen had one FAT32 partition. The operating system on the
partition was Windows ME. The following processes were performed
directly on the specimen:
1. A "digital signature", in the form of an md5 hash, was
calculated, with result a550a975c3f9316a588b43ca5a434df8.

2. An image file, in 15 segments, was made of the specimen.

3. A final md5 hash was calculated, with result
a550a975c3f9316a588b43ca5a434df8.

All other forensic procedures were performed on the image file
segments. These forensic procedures were as follows:

1. An md5 hash was calculated on the concatenated segments,
with result a550a975c3f9316a588b43ca5a434df8.

2. The file system was mapped, and an md5 hash was
calculated for every file. These results were then
compared with a standard list of hashes for known system
REQ #34-1 000000167


9/11 Law Enforcement Sensitive

FD-302a (Rev. 10-6-95)

265A-NY-259391-EEE

Continuation of FD-302 of Computer Forensic Exam, On 10/15/2003, Page 3

and application files, and the known files were not
further examined.

3. Deleted files and residue were extracted.

4. A file list was produced, in the form of a Microsoft
Access data base.

5. The four requested files were found. One requested file,
[redacted], was password protected, as was one non-
requested file, [redacted]. Passwords were recovered for
both files. The four requested files, plus [redacted],
were printed out. Some of the requested files as found
differed slightly from the descriptions given by the
contributor. Specifically, the travel document referenced
was six pages in length, not three. Also, the article
entitled [redacted]

6. Internet usage reports were generated, and e-mail files
were examined. Although there were indications that the
specimen had been used to access the Internet, there
appears to have been no usage of standard e-mail programs
(such as Outlook and Outlook Express) for user e-mail
messages.

7. All results were extracted to DEHQ013, along with
forensic logs.
8. A final md5 hash was calculated on the concatenated image
file segments, with result
a550a975c3f9316a588b43ca5a434df8.

9. Summary and full results, along with copies of the image
file segments, were copied to a CD and eight DVDs. These
products were DEHQ010, DEHQ011, and DEHQ012.

10. An md5 hash was calculated on DEHQ013, with result


Ib21e86call56efa6f0999fdl9b61b8b. An image was made of
this drive and placed on a 4-mm data tape.
QHQ001 and DEH1019 are being returned to FBI Document
Exploitation evidence control. DEHQ10-DEHQ18 are being returned to
the Department of Defense Office of General Counsel. The notes of

REQ #34-1 000000168


FD-302a (Rev. 10-6-95)

265A-NY-259391-EEE

Continuation of FD-302 of Computer Forensic Exam, On 10/15/2003

examination, along with a copy of DEHQ010, are being retained in a
1A envelope in the FBI Investigative Technology Division file.

REQ #34-1 000000169
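The acquisition checks and known-file filtering described in the report above, as an added Python example that is not FBI or CART code. It assumes in-memory byte strings standing in for the specimen and its image segments; every function name and all sample data are hypothetical and constructed for illustration.

```python
import hashlib
import io

CHUNK = 64 * 1024  # read size for streaming hashes


def md5_stream(stream):
    """MD5 of a file-like object, read in chunks so large media never sit in memory."""
    h = hashlib.md5()
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def make_segments(source, count):
    """Split source bytes into exactly `count` contiguous image segments."""
    n = len(source)
    return [source[n * i // count: n * (i + 1) // count] for i in range(count)]


def md5_concatenated(segments):
    """MD5 over the segments in order; equal to hashing their concatenation."""
    h = hashlib.md5()
    for seg in segments:
        h.update(seg)
    return h.hexdigest()


def verify_acquisition(open_source, segments):
    """Hash the source before imaging, hash the concatenated segments, then hash
    the source again. The three digests must agree: 'before' == 'after' shows the
    source was not altered by imaging, and 'image' shows the copy is complete."""
    before = md5_stream(open_source())
    image = md5_concatenated(segments)
    after = md5_stream(open_source())
    return {"before": before, "image": image, "after": after,
            "match": before == image == after}


def filter_known(files, known_hashes):
    """Hash every mapped file and set aside those on a known-file hash list.
    Returns (paths still needing examination, full path -> md5 listing)."""
    listing = {path: hashlib.md5(data).hexdigest() for path, data in files.items()}
    unknown = sorted(p for p, digest in listing.items() if digest not in known_hashes)
    return unknown, listing


# Constructed sample data (not taken from any real evidence).
SAMPLE_DISK = bytes(range(256)) * 240 + b"tail"
SAMPLE_FILES = {
    "WINDOWS/KERNEL32.DLL": b"constructed stand-in for a system file",
    "WINDOWS/NOTEPAD.EXE": b"constructed stand-in for an application file",
    "DOCS/TRIP.DOC": b"constructed user document A",
    "DOCS/NOTES.TXT": b"constructed user document B",
}
# Stand-in for a reference list of hashes of known system and application files.
KNOWN_HASHES = {
    hashlib.md5(SAMPLE_FILES[p]).hexdigest()
    for p in ("WINDOWS/KERNEL32.DLL", "WINDOWS/NOTEPAD.EXE")
}

if __name__ == "__main__":
    segments = make_segments(SAMPLE_DISK, 15)  # 15 segments, as in the report
    print(verify_acquisition(lambda: io.BytesIO(SAMPLE_DISK), segments))
    unknown, _ = filter_known(SAMPLE_FILES, KNOWN_HASHES)
    print("files left to examine:", unknown)
```

MD5 is used here only because it is the algorithm the report names; it is no longer collision-resistant, so current practice normally records a SHA-256 digest alongside it.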


9/11 Law Enforcement Privacy

(01/26/1998)

FEDERAL BUREAU OF INVESTIGATION

Precedence: Routine    Date: 1/16/2004

To: Counterterrorism    Attn: [redacted]
[illegible] Analysis Section
DOCX, Room 4648

From: Investigative Technology
Digital Evidence Section/CART Unit
Contact:
Approved By:

Drafted By:

Case ID #: 265A-NY-259391-EEE

Title: USAMA BIN LADEN
MAJOR CASE 161
OO: NY
Synopsis: To provide results of a CART examination and the
disposition of the evidence.
Reference: 265A-NY-259391-EEE-44
Enclosures: Enclosed is an FD-302 to be maintained in the
requesting division's case file.
Details: The results of the CART examination are detailed in the
enclosed FD-302. The submitted evidence in the captioned matter
and DEHQ1-DEHQ3 have been sent to DOCX Evidence Control and the
digital output CD results of the CART examination have been sent
to the contributor. No digital copies of the evidence are being
retained at CART headquarters. This matter is considered closed.

000000170
9/11 Law Enforcement Privacy 9/11 Law Enforcement
Sensitive
FD-302 (Rev. 10-6-95)

- 1 -
FEDERAL BUREAU OF INVESTIGATION

Date of transcription 1/16/2004

Computer Analysis Response Team


Report of Examination
Included herein are the results of a digital forensic
examination performed by an FBI CART Certified Forensic Examiner.
This examination has been performed in accordance with CART
policies and procedures.
Case References: Laboratory Number 030122051 PB
Specimens:
QHQ1 IBM TravelStar, DJSA-210, 10.06GB hard drive, serial
number 42MZ9347.
NEHQ1 Western Digital, WD200, 20GB hard drive [illegible]
WMA6K3663033, labeled "[redacted], Item 11
Room A; IBM TravelStar 10.06GB"
NEHQ2 Maxell 4mm tape labeled, "[redacted], Item 11
Room A; IBM TravelStar 10.06GB"
Request: Per 265A-NY-259391-EEE-44, an examination was conducted
and two (2) duplicate copies of the hard drive were made.
Summary of Results: Three copies of QHQ1 were made. The copies
were verified using MD5SUMs. All three MD5s were [illegible]. The
MD5 was a550a975c3f9316a588b43ca5a434df8.
A CART forensic examination was completed. The results
of the examination were saved to CD-ROMS, specifically the data
related to Internet files. The CDs were provided to SA [redacted]
for review.
Derivative Evidence (DE): A list of digital media containing
results of examination. Items will be listed by DE number.

DEHQ1 Copy of QHQ1 copied to a
Samsung, SV2044D 20GB hard
drive, SN: 0191J1FN523505

Investigation on 01/22/2003 at HQ Laboratory, Washington, DC


File # 265A-NY-259391-EEE    Date dictated 09/23/2003
by CSFE

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is
loaned to your agency; it and its contents are not to be distributed outside your agency.
FD-302a (Rev. 10-6-95)

265A-NY-259391-EEE

Continuation of FD-302 of CART Forensic Examination, On 01/22/2003, Page

DEHQ2 Copy of DEHQ1 copied to a
Maxtor, 2B015H1 15GB hard drive, SN: B1STFAPS
DEHQ3 Copy of DEHQ1 copied to a
Western Digital, WD200 20GB hard
drive, SN: WMAAR1213546
DEHQ4-DEHQ9 CDRW containing logical files
from QHQ1
Examination:
The drive contained a single FAT32 formatted partition.
The following processes were performed on QHQ1:
Three duplicates of QHQ1 were made utilizing three
forensically wiped hard drives.
A standard partition traverse was conducted on DEHQ1 and
the drive was mapped. A file listing was created and saved to an
Access database. Deleted files were recovered and all data was
extracted to a staging drive. The logical files were extracted and
saved to DEHQ1 in their original directory structure. Six (6) CDs
containing all logical files from DEHQ1 were created for the case
agent to review.
All original evidence was returned to DOCX Evidence
Control. DEHQ1-DEHQ3 and NEHQ1 and NEHQ2 were returned to DOCX
Evidence Control. DEHQ4-DEHQ9 were provided to SA [redacted] of
the New York Division. The notes of examination are being placed
in a 1A envelope and being retained in the FBI ITD file.

9/11 Law Enforcement Privacy

000000172
EXAMINATION REPORT

REGIONAL COMPUTER FORENSIC LABORATORY

Date: September 17, 2002


....-•-""9/11 Law Enforcement Privacy
To:

From:

Reference: 265A-NY-259391 (Operation Enduring Freedom)


NTRCFL # R2-02-599

Weeks 09/02/2002 - 09/13/2002


I 1
Processed the following "Harmony Numbers"

AFGP-2002-903209
AFGP-2002-903291
AFGP-2002-903270
AFGP-2002-903269
AFGP-2002-903262
APGP-2002-903259
AFGP-2002-903219
AFGP-2002-903299
AFGP-2002-903277
AFGP-2002-903275
AFGP-2002-903287
AFGP-2002-903389
AFGP-2002-903385
AFGP-2002-903280
AFGP-2002-903293
AFGP-2002-903276

Created copies of two (2) repository drives for "Phase 1" examination
Attached directory listing of contents
Created Harmony Upload CD with PDF files for upload to Harmony
Installed new repository drive in Exam machine

NORTH TEXAS REGIONAL COMPUTER FORENSICS LABORATORY
301 NORTH MARKET STREET, SUITE 215
DALLAS, TEXAS 75202
000000173

NTRCFL EXAMINATION REPORT


REGIONAL COMPUTER FORENSIC LABORATORY

9/11 Law Enforcement Privacy


Date: August 22, 2002

To:

From:

Reference: 265A-NY-259391 (Operation Enduring Freedom)


NTRCFL # R2-02-0599

Passdown Log Exam Workstation #4


Weeks 08-05-2002 / 08-15-2002
NTRCFL - DALLAS

Processed the following Harmony Numbers

AFGP-2002-004954 AFGP-2002-007123
AJGP-2002-003788 APGP-2002-007108
AFGP-2002-004955 APGP-2002-007129
AFGP-2002-00712S AFGP-2002-007128
AFGP-2002-00710S AFGP-2002-007111
APGF-2002-007103 AFGP-2002-007095
AFGP-2002-800417 AFGP-2002-007106
APGP-2002-007096 AFGP-2002-007104
AFGP-2002-007122 AFGP-2002-007112
APGP-2002-800490 APGP-2002-007U9
AFGP-2002-007096 AFGP-2002-007120
AFGP-2002-007117 AFGP-2002-007110
APGP-2002-007101 APGP-2002-007107
AJFGP-2002-007127 APGP-2002-007102
AFGP-2002-007115 APGP-2002-007097
AFGP-2002-007098 APGP-2002-007114
AFGP-2002-800412 APGP-2002-007124
APGP-2002-800425 AFGP-2002-007113
AFGP-2002-800434 AFGP-2002-007116
AFGP-2002-800426 ALPB-2002-800413
AFGP-2002-800443 ALBP-2002-800418
AFGP-2002-800421 AFGP-2002-004948
AFGP-2002-800464 APGP-2002-004947
AFGP-2002-007121 ALBP-2002-800639-2
APGP-2002-007118

NORTH TEXAS REGIONAL COMPUTER FORENSICS LABORATORY
301 NORTH MARKET STREET, SUITE 215
DALLAS, TEXAS 75201
000000174
Page 2

Created copies of two (2) repository drives for "Phase 1" examination
Attached directory listing of contents.

Created Harmony Upload CD with PDF files for upload to Harmony

Installed new repository drive in Exam workstation #4 8/14/2002

No problems were noted with the exam machine.

000000175


9/11 Law Enforcement
Sensitive

FD-302 (Rev. 10-6-95)

- 1-

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 10/20/2003

Computer Analysis Response Team


Report of Examination

Included herein are the results of a digital forensic
examination performed by an FBI CART Certified Forensic Examiner.
This examination has been performed in accordance with CART
policies and procedures.

Case Reference: Laboratory Number 030122051

Specimens:
AFGP 2002 804371 QHQ001 IBM Travelstar 2.5" 10.06
GB ATA/IDE notebook
drive, model DJSA-210, SN
42MZ9347.

Request: Per a Department of Defense Office of General Counsel
Memorandum dated September 25, 2003, Subject: Computer Hard Drive
Analysis, a forensic analysis of the subject specimen was
requested. Additionally, three specific files were requested to be
recovered: an article entitled [redacted]

Summary of Results: A full forensic examination was conducted, and
the four requested files were identified and recovered from the
specimen. However the recovered documents differed slightly from
the descriptions given by the Office of General Counsel.
Additionally, one of the requested files, [redacted], was
password protected, and the password had to be recovered before
completing recovery of the document.
Derivative Evidence (DE): Following is a list of digital media
containing results of the examination.
DEHQ010 CD with summary results of the examination, with
web-based organizing indices.

Investigation on 10/15/2003 at HQ Lab Washington DC

File # 265A-NY-259391-EEE    Date dictated 10/15/2003


by ITS/FE [redacted]    9/11 Law Enforcement Privacy

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency [illegible]
9/11 Law Enforcement Sensitive

FD-302a (Rev. 10-6-95)

265A-NY-259391-EEE

Continuation of FD-302 of Computer Forensic Exam, On 10/15/2003, Page

DEHQ011 5 DVDs containing full results of the examination,
with web-based organizing indices.
DEHQ012 3 DVDs containing copies of the image file segments
used to perform the examination.

DEHQ013 Western Digital 20 GB hard drive, SN WMAAR1214879,
containing full results of the examination.
DEHQ014 Printed copy of the file
DEHQ015 Printed copy of the file

DEHQ016 Printed copy of the file

DEHQ017 Printed copy of the file
DEHQ018 Printed copy of the file

DEHQ019 4-mm DAT containing Safeback image of DEHQ013.


Examination:
The specimen had one FAT32 partition. The operating system on the
partition was Windows ME. The following processes were performed
directly on the specimen:
1. A "digital signature", in the form of an md5 hash, was
calculated, with result a550a975c3f9316a588b43ca5a434df8.

2. An image file, in 15 segments, was made of the specimen.

3. A final md5 hash was calculated, with result
a550a975c3f9316a588b43ca5a434df8.
All other forensic procedures were performed on the image file
segments. These forensic procedures were as follows:

1. An md5 hash was calculated on the concatenated segments,
with result a550a975c3f9316a588b43ca5a434df8.

2. The file system was mapped, and an md5 hash was
calculated for every file. These results were then
compared with a standard list of hashes for known system

000000177
9/11 Law Enforcement Sensitive

FD-302a (Rev. 10-6-95)

265A-NY-259391-EEE

Continuation of FD-302 of Computer Forensic Exam, On 10/15/2003, Page

and application files, and the known files were not
further examined.

3. Deleted files and residue were extracted.

4. A file list was produced, in the form of a Microsoft
Access data base.

5. The four requested files were found. One requested file,
[redacted], was password protected, as was one non-
requested file, [redacted]. Passwords were recovered for
both files. The four requested files, plus [redacted],
were printed out. Some [illegible]
differed slightly from the descriptions given by the
contributor. Specifically, the travel document referenced
was six pages in length, not three. Also, the article
entitled [redacted]

6. Internet usage reports were generated, and e-mail files
were examined. Although there were indications that the
specimen had been used to access the Internet, there
appears to have been no usage of standard e-mail programs
(such as Outlook and Outlook Express) for user e-mail
messages.
7. All results were extracted to DEHQ013, along with
forensic logs.

8. A final md5 hash was calculated on the concatenated image
file segments, with result
a550a975c3f9316a588b43ca5a434df8.

9. Summary and full results, along with copies of the image
file segments, were copied to a CD and eight DVDs. These
products were DEHQ010, DEHQ011, and DEHQ012.

10, An md5 hash was calculated on DEHQ013, with result


Ib21e86call66efa6f0999fdl9b61b8b. An image was made of
this drive and placed on a 4-mm data tape.

QHQ001 and DEH1019 are being returned to FBI Document
Exploitation evidence control. DEHQ10-DEHQ18 are being returned to
the Department of Defense Office of General Counsel. The notes of
examination, along with a copy of DEHQ010, are being retained in a
1A envelope in the FBI Investigative Technology Division file.

000000178
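
The imaging and verification steps in the report above (hash the specimen, image it in segments, re-hash, then hash the concatenated segments and set aside files whose hashes appear on a known-file list), as an added Python sketch. It is not part of the FBI report; the file names, segment size and reference hash list are constructed, and a SHA-256 is computed alongside the MD5 the report used because MD5 is no longer collision-resistant.

```python
import hashlib
import os
import tempfile


def read_chunks(path, size=65536):
    """Yield a file's contents in fixed-size blocks."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(size)
            if not block:
                return
            yield block


def digest(paths, algo="md5"):
    """Hash the files in `paths` read back to back, as if concatenated."""
    h = hashlib.new(algo)
    for path in paths:
        for block in read_chunks(path):
            h.update(block)
    return h.hexdigest()


def acquire_segments(source, out_dir, segment_size):
    """Copy `source` into numbered segment files; return their paths in order."""
    paths = []
    with open(source, "rb") as src:
        while True:
            data = src.read(segment_size)
            if not data:
                break
            seg = os.path.join(out_dir, "image.%03d" % (len(paths) + 1))
            with open(seg, "wb") as out:
                out.write(data)
            paths.append(seg)
    return paths


def filter_known(file_hashes, known_hashes):
    """Return names whose digest is NOT in the reference set (left for review)."""
    return sorted(n for n, d in file_hashes.items() if d not in known_hashes)


def run_demo():
    # Constructed sample data: two "known" files and one user document.
    files = {
        "SYSTEM.DLL": b"constructed known system file" * 40,
        "WORDPROC.EXE": b"constructed known application file" * 40,
        "travel.doc": b"constructed user document" * 40,
    }
    # Constructed reference list standing in for a known-file hash set.
    known = {hashlib.md5(files[n]).hexdigest() for n in ("SYSTEM.DLL", "WORDPROC.EXE")}

    with tempfile.TemporaryDirectory() as work:
        specimen = os.path.join(work, "specimen.bin")
        with open(specimen, "wb") as fh:
            for body in files.values():
                fh.write(body)

        before = digest([specimen])                  # hash before imaging
        segments = acquire_segments(specimen, work, 500)
        after = digest([specimen])                   # specimen unchanged by imaging?
        image = digest(segments)                     # hash of concatenated segments
        image_sha256 = digest(segments, "sha256")    # stronger companion digest

        # Flip one byte in a segment to show that the final check catches it.
        with open(segments[1], "r+b") as fh:
            first = fh.read(1)
            fh.seek(0)
            fh.write(bytes([first[0] ^ 0xFF]))
        tampered = digest(segments)

    file_hashes = {n: hashlib.md5(b).hexdigest() for n, b in files.items()}
    return {
        "specimen_unchanged": before == after,
        "image_matches_specimen": image == before,
        "tamper_detected": tampered != before,
        "segment_count": len(segments),
        "image_md5": image,
        "image_sha256": image_sha256,
        "to_examine": filter_known(file_hashes, known),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```
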

000000179
DOCUMENTS RELATING
to
COMPUTER ANALYSIS RESPONSE TEAM
REPORTS, OR PREDECESSOR
COMPUTER EXPLOITATION REPORTS,
FROM AL QAEDA
ASSOCIATED SUBJECTS FROM 1995
THROUGH SEPTEMBER 11, 2001.

RESPONSIVE
TO
REQUESTS #34-1
[PACKET #3]
(ALSO RESPONSIVE TO DR #34-2
ALL INVESTIGATIVE MATERIALS (IMAGES OR VERBAL) CONCERNING TRAVEL
OR TRAVEL DOCUMENTS DERIVED FROM THOSE HARD DRIVES.)

COMMISSION COPY
9/11 COMMISSION TASK FORCE
DOCUMENT DELETION CODES
[As of August 11, 2003]

"A" - SOURCE/INFORMANT INFORMATION - Information, the disclosure of which
would tend to reveal the identity of an informant or source where confidentiality is
expressed or implied.

"B" - FBI TECHNIQUES AND/OR METHODS - Information on sensitive FBI
techniques and/or methods which would impede or impair the effectiveness of that
technique and/or method.

"C" - NON-RELEVANT FBI CASE INFORMATION - Information neither relevant nor
responsive to the Commission's requests.

"D" - FBI PENDING CASE INFORMATION - Information which would impede or
jeopardize a pending investigation of the FBI.

"E" - STATUTORY - Information legally prohibited from release by statute.

"F" - PRIVACY/SECURITY - Information, the disclosure of which would be an
unwarranted invasion of the personal privacy or jeopardize the safety of law
enforcement personnel and/or their family members.
Material redacted under this code includes (1) social security numbers;
(2) date and place of birth; (3) home address and telephone numbers;
(4) personnel cell phone and pager numbers.

"G" - FOREIGN GOVERNMENT INFORMATION - The identity of a foreign
government and/or foreign service to include the names of foreign law enforcement
employees/officials.

9/11 Law Enforcement Privacy

12/8/98
Computer Analysis Response Team | |
262-NY-267856 981022001 S/I FX SX

Results of Examinations:

Media from specimens Q791-Q798 were removed from
their casings and labeled, respectively, Q791.1-Q798.1.
Specimens Q793.1 and Q798.1 were unreadable due to extensive
media errors. Physical images of readable sectors from
specimens Q791.1, Q792.1, and Q794.1-Q797.1 were made to
magneto-optical disk, and errors were logged to the magneto-
optical disk as well.

Specimens Q791.1, Q792.1, and Q794.1-Q797.1 were each
found to contain a Macintosh (HFS) file system. Active files
from specimens Q791.1, Q792.1, and Q794.1-Q797.1 were copied to
magneto-optical disk.

All outputs onto magneto-optical disk were searched
for any strings possibly representing an Internet e-mail
address using the regular expression "[a-z0-9]@[a-z0-9]". No
significant results were returned.

A Disk Ranger catalog listing was made of specimens
Q791.1, Q792.1, and Q794.1-Q797.1 at the request of, and for
review by, SIOC. All material from the magneto-optical disk
was copied to CD-ROM, and an additional copy of the CD-ROM was
made at the request of, and for review by, SIOC.

REQ. #34-1 000000180


CART - Page 1 of 1

REQ. #34-1 000000181


9/11 Law Enforcement Privacy

12/8/98
Computer Analysis Response Team | |
262-NY-267856 980911013 S/I FX SX

Results of Examinations:

Specimen K190 was found to contain a Seagate ST32122A
hard disk drive, serial number XKF04812 / 9J7013-503, which was
referred to as specimen K190.1. A physical image of specimen
K190.1 was made to magneto-optical disk, and all active files
were logically copied to the magneto-optical disk as well.

Directory listings of specimen K190.1 and residue
extracted from specimen K190.1 were copied to the magneto-
optical disk. Three hundred seventy-three (373) erased files
were recovered from specimen K190.1 to the magneto-optical
disk. A long file name directory listing was also generated
and copied to the magneto-optical disk.

Specimen K191 was found to contain: seventeen (17)
3.5" diskettes, referred to as specimens K191.1-K191.17; a
plastic diskette storage box, referred to as specimen K191.18;
and a cardboard diskette box, referred to as specimen K191.19.
Specimen K191.18 was found to contain four (4) 3.5" diskettes,
referred to as specimens K191.18.1-K191.18.4.

Specimen K192 was found to contain: a cardboard
diskette box, referred to as specimen K192.1; and a cardboard
diskette box, referred to as specimen K192.2. Specimen K192.1
was found to contain ten (10) 3.5" diskettes, referred to as
specimens K192.1.1-K192.1.10. Specimen K192.2 was found to
contain six (6) 3.5" diskettes, referred to as specimens
K192.2.1-K192.2.6.

Media were removed from all diskette casings and
labeled with the respective specimen number, plus the suffix
".1". Specimens K191.4.1-K191.6.1, K191.17.1, K192.1.1.1,
K192.1.2.1, K192.1.4.1-K192.1.10.1, and K192.2.1.1-K192.2.6.1
were found to be unreadable, probably due to there being no
file system format on the media.

REQ. #34-1 000000182


CART - Page 1 of 2
Physical images of all media specimens containing
file systems were made to magneto-optical disk; error logs were
generated and also copied to the magneto-optical disk.
Directory listings were generated for all media specimens
containing file systems and copied to magneto-optical disk.
Active files on all media specimens containing file
systems were copied logically to magneto-optical disk.
Recoverable erased files on all media specimens containing file
systems were copied to magneto-optical disk. Residue on all
media specimens containing FAT file systems was extracted to
magneto-optical disk.

All materials generated on the magneto-optical disk
were copied to CD-ROM for review by the case agent.

REQ. #34-1 000000183
980911013 S/I FX SX
CART - Page 2 of 2

REQ. #34-1 000000184


9/11 Law Enforcement Privacy

(01/26/1998)

FEDERAL BUREAU OF INVESTIGATION

Precedence: PRIORITY Date: 06/10/1999

To: New York Attn: SA | | Computer
Analysis Response Team (CART)

From: New York
Squad 1-45
Contact: SA

Approved By:

Drafted By:

Case ID #: 262-NY-267856 (Pending)
262-NY-267857 (Pending)

Title: KENBOM;
MAJOR CASE 148;
IT-OHAH
OO: NEW YORK

TANBOM;
MAJOR CASE 149;
IT-OHAH
OO: NEW YORK

Synopsis: To set lead for duplication of computer compact discs
(CDs) and diskettes.

Details: The United States Attorneys Office in the Southern
District of New York (SDNY) and the New York Office (NYO) of the
Federal Bureau of Investigation (FBI) are preparing for the trial
of indicted subjects in the captioned investigations. To that
end, defense attorneys are seeking copies of evidence seized in
the course of FBI investigation.

FBI searches have yielded several computers, computer
diskettes, and related materials. The NYO Computer Analysis
Response Team (CART) has provided on-going computer analysis of
such items. To that end, Squad 1-45 is submitting three CDs,
known as KENBOM items IBS68, 1B869, and IBS70, and several
diskettes, known as KENBOM item 1B118, for duplication. Defense
attorneys have requested the listed materials as part of the
discovery phase of trial preparation. The deadline for
production is June 22, 1999.

REQ. #34-1 000000185


To: New York From: New York
Re: 262-NY-267856, 06/10/1999

REQ. #34-1 000000186

To: New York From: New York
Re: 262-NY-267856, 06/10/1999

LEAD (s):

Set Lead 1:

NEW YORK

AT NEW YORK

Squad 1-45 requests that the Computer Analysis Response
Team (CART) duplicate three computer compact disks (CDs) known as
KENBOM items 1B858, 1B859, and 1B860. Squad 1-45 also requests
that CART duplicate approximately 100 computer diskettes known as
KENBOM item 113.

REQ. #34-1 000000187


9/11 Law Enforcement Privacy

(01/26/1998)

FEDERAL BUREAU OF INVESTIGATION

Precedence: PRIORITY Date: 12/06/1999

To: New York Attn: SSA | | SO-15
CART

From: New York
Squad 1-45
Contact: SA

Approved By:

Drafted By:

Case ID #: 262
262-NY-267857 (Pending)

Title: KENBOM
M.C. 148
OHAH-IT
OO: NY

Synopsis: Request CART to examine diskettes enclosed.

Enclosures: 102 diskettes for review by CART team.

Details: Enclosed diskettes were seized in captioned case. It
is requested that the CART team examine each diskette and
download items on the diskette for review or translation by the
case squad.

REQ. #34-1 000000188


To: New York From: New York
Re: 262-NY-267856, 12/06/1999

LEAD (s):

Set Lead 1:

NEW YORK

AT SO-15.

Examine enclosed diskettes and download information in
format for review by translator or case squad.

REQ. #34-1 000000189


9/11 Law Enforcement Privacy

(Rev. 08-28-2000)

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 05/09/2001

To: New York Attn: Computer Analysis Response
Team (CART)

From: New York
Squad 1-45
Contact: SA

Approved By:

Drafted By:

Case ID #: 262-NY-267856 (Pending)
262-NY-267857 (Pending)

Title: KENBOM;
MAJOR CASE 148;
IT-OHAH
OO: NEW YORK

TANBOM;
MAJOR CASE 149;
IT-OHAH
OO: NEW YORK

Synopsis: To set lead for analysis and duplication of several
3.5" disks, three compact disks (CDs), and one laptop hard drive
seized in the course of captioned investigations.

Details: On 08/07/1998, terrorist cells linked to USAMA BIN
LADIN bombed the United States Embassies in Nairobi, Kenya and
Dar Es Salaam, Tanzania. In the course of the ensuing FBI
investigation, NYO seized several computer-related items. The
NYO Computer Analysis Response Team (CART) analyzed and
duplicated the majority of such computer-related items. Squad I-
45 has identified additional items and requests that CART analyze
those items as well and store all recovered data to CD.

Material developed from the additional computer-related
items may be used in future trials and/or for intelligence
purposes. Squad 1-45 anticipates future trials related to the
KENBOM/TANBOM investigation. Although the current Embassy
bombing trial is projected to end by June 2001, two subjects are
currently being extradited from England to the Southern District

REQ. #34-1 000000190


9/11 Law Enforcement Privacy

To: New York From: New York
Re: 262-NY-267856, 05/09/2001

of New York (SDNY) and their trial will likely begin within one
year of the date of this communication. It should also be noted
that the KENBOM/TANBOM investigation led to the indictment of 22
subjects, 13 of whom are fugitives. In the event that a fugitive
is arrested, NYO and the United States Attorneys Office-SDNY will
prosecute that person.

The computer-related items include:

one laptop computer, known as KENBOM 1B241
five disks, known as KENBOM 1B47 item 12
seven disks, known as KENBOM 1B90 item 3
one disk, known as KENBOM 1B115 item 9
103 disks and three CDs, known as KENBOM 1B118
two disks, known as 1B127 items 4 and 7
two disks, known as 1B137 items 20 and 21

Squad 1-45 requests that CART analyze the listed media
and store all recovered data to CD (one CD per IB number).

The items listed above are not enclosed. Squad 1-45
requests that CART contact SA | | extension 8014, at
its convenience and the items will be removed from evidence and
released to CART for analysis.

REQ. #34-1 000000191


9/11 Law Enforcement Privacy

To: New York From: New York
Re: 262-NY-267856, 05/09/2001

LEAD (s):

Set Lead 1:

ALL RECEIVING OFFICES

Squad 1-45 requests that NYO CART analyze the
materials listed below and store all recovered data to CDs (one
CD per IB number):

one laptop computer, known as KENBOM 1B241;
five disks, known as KENBOM 1B47 item 12;
seven disks, known as KENBOM 1B90 item 3;
one disk, known as KENBOM 1B115 item 9;
103 disks and three CDs, known as KENBOM 1B118;
two disks, known as 1B127 items 4 and 7;
two disks, known as 1B137 items 20 and 21.

The items listed above are not enclosed. Squad 1-45
requests that CART contact SA | | extension 8014, at
its convenience and the items will be removed from evidence and
released to CART for analysis.

REQ. #34-1 000000192


9/11 Law Enforcement Privacy

(Rev. 08-28-2000)

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 08/14/2001

To: New York Attn: Squad 1-45

From: New York
Squad 1-45
Contact: SA

Approved By:

Drafted By:

Case ID #: 262-NY-267856-TR (Pending)
262-NY-267857 (Pending)

Title: KENBOM;
MAJOR CASE 148;
IT-OHAH
OO: NEW YORK

TANBOM;
MAJOR CASE 149;
IT-OHAH
OO: NEW YORK

9/11 Law Enforcement Sensitive

Synopsis: To provide copies of file lists and substantive text
files found on selected diskettes (disks) seized from | |

Reference: 262-NY-267856-TR Serial 55\R Serial 57,

Enclosures: Attached hereto are copies of the file lists for 19
disks seized from | | on 08/20/1998 in | |. Each disk
is known by its New York Office (NYO) Computer Analysis and
Response Team (CART) Q-number and also by its NYO IB-number.
File lists were printed from the following disks:

Q119 - Q125 1B90, item 33 (7 disks)
Q126 - Q133 1B127, item 8 (8 disks)
Q134 - Q135 1B137, items 20 and 21 (2 disks)
Q136 1B115, item 9 (1 disk)
Q137 1B47, item 12 (1 disk)

REQ. #34-1 000000193


9/11 Law Enforcement Sensitive

To: New York From: New York


Re: 262-NY-267856-TR, 08/14/2001

Also attached hereto are substantive text files and


selected residue files found on four disks within the group of
19. These are the only substantive text files on the entire set
of 19 disks. The following files were printed:

from Q12S\FILES
from Q12S\FILES
from Q12S\FILES
from Q12S\ERASED
from Q126\RESIDUE (not a text file)

from Q134\FILES
from Q134\FILES
from Q134\FILES
from Q134\FILES

from Q136\RESIDUE (not a text file)


from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q13S\FILES
from Q13S\FILES
from Q136\FILES
from Q136'\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES

from Q137\ERASED\CD
from Q137\ERASED\CD
from Q137\FILSS

Details: On August 7, 1998, terrorist cells linked to USAMA BIN


LADIN bombed the United States Embassies in Nairobi, Kenya and
Dar Es Salaam, Tanzania. In the ensuing investigation,
investigators from the Federal Bureau of Investigation (FBI) and

REQ. #34-1 000000194


9/11 Law Enforcement Sensitive

To: New York From: New York
Re: 262-NY-267856-TR, 08/14/2001

\n Criminal Investigation Department (CID) searched the

The | | search took place on 08/20/1998. Investigators
seized business records, both documentary and electronically-
stored items, along with many other items. Attached hereto are
copies of file lists and substantive text files found on selected
disks seized during that search. Specifically, this communication
addresses 19 disks (each disk is known by its NYO CART Q-number
and also by its NYO IB-number), including:

Q119 - Q125 1B90, item 33 (7 disks)
Q126 - Q133 1B127, item 8 (8 disks)
Q134 - Q135 1B137, items 20 and 21 (2 disks)
Q136 1B115, item 9 (1 disk)
Q137 1B47, item 12 (1 disk)

During the same search, investigators seized a Daewoo
laptop, known as both NYO CART item Q118 and NYO 1B241. Printable
files from that item are attached to referenced communication,
262-NY-267856-TR serial 57. Investigators also seized
approximately 104 additional disks and two CD-ROMS, known
collectively as NYO 1B118 and known individually as Q12 - Q115
and Q116 - Q117 (respectively). Printable files from those items
are attached to referenced communication, 262-NY-267856-TR serial
55.

Processing Disks Q119 - Q137

NYO CART copied all materials on disks Q119 - Q137 to a
magneto-optical disk and to a CD-ROM contained in KENBOM sub-302
1A1308. Logical files were copied to folders named "FILES;"
deleted files were recovered and copied to folders named
"ERASED;" all other printable characters that were not otherwise
contained in a file were recovered and copied to folders named
"RESIDUE." Each such file folder appears in a parent folder named
by Q-number, such that every disk has its own files folder,
erased folder, and residue folder.

The following disks had no files in their respective
"ERASED" folders: Q120 - Q125 and Q127 - Q133. Disk Q127
contained no files whatsoever.

REQ. #34-1 000000195


9/11 Law Enforcement Sensitive

To: New York Fi^m: New York


Re: 262-NY-267856-TR, 08/14/2001

All substantive text files contained on the 19 disks


were printed and attached hereto, including:

from Q126\FILES
from Q126\FILES
from Q126\FILES
from Q126\ERASED

from Q134\FILES**
from Q134\FILES**
from Q134\FILES**
from Q134\FILES**

from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILSS
from Q136\FIL3S
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136\FILES
from Q136YFILES
from Q136\FILES**

from Q137\ERASED\CD**
from Q137\ERASED\CD**
from Q137\FILES**

All substantive text files are written in Arabic, except those


marked with a double asterisk (**). Those files are written in
English. Documents written in Arabic are being submitted for
translation under separate cover.

Two residue files that contained recognizable English,


names were also printed and attached hereto, including:

REQ. #34-1 000000196


9/11 Law Enforcement Sensitive

To: New York From: New York
Re: 262-NY-267856-TR, 08/14/2001

from Q126\RESIDUE

from Q136\RESIDUE

The remaining files are system files, executable files,
wav files, aud files, etcetera, and do not contain substantive
text.

REQ. #34-1 000000197


9/11 Law Enforcement Privacy

(12/31/1995)

FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 08/24/2001

To: New York Attn: Squad 1-45

From: New York
Squad 1-45
Contact: SA

Approved By:

Drafted By:

Case ID #: 262-NY-267856 (Pending)
262-NY-267857 (Pending)

Title: KENBOM;
MAJOR CASE 148;
IT-OHAH
OO: NEW YORK

TANBOM;
MAJOR CASE 149;
IT-OHAH
OO: NEW YORK

Synopsis: To summarize computer and computer-related evidence
matters in the captioned investigations.

Reference: 262-NY-267856 Serial 4643
262-NY-267857 Serial 3469

Enclosures: Enclosed for reference are the following Computer
Assistance Response Team (CART) reports and Latent Fingerprint
Section (LFS) reports:

CART FD-302 dated 07/18/2001, 262-NY-267856-302 serial 1721
CART FD-302 dated 03/08/2000, 262-NY-267856-302 serial 1219
CART FD-302 dated 01/04/2000, 262-NY-267856-302 serial 1204
CART FD-302 dated 09/15/1998, 262-NY-267856-302 serial 1698

LFS Lab Report dated 02/12/1999, 262-NY-267856 serial 3935
LFS Lab Report dated 01/20/1999, 262-NY-267856 serial 3816
CART Lab Reports dated 12/08/1998, 262-NY-267856-E serial 24
(two reports -- 980911013 and 981022001)
CART Lab Report dated 10/14/1998, 262-NY-267856 serial 4651

Details: On August 7, 1998, terrorist cells linked to USAMA BIN

REQ. #34-1 000000198


9/11 Law Enforcement Privacy
9/11 Law Enforcement Sensitive
To: New York From: New York
Re: 262-NY-267856, 08/24/2001

LADIN bombed the United States Embassies in Nairobi, Kenya, and
Dar Es Salaam, Tanzania. The ensuing investigation led to the
seizure of several computers and computer-related items. SA
| | formerly assigned to Squad 1-45, oversaw the
processing of all such items as requested by referenced
communications. The following is a summary for each item of
KENBOM/TANBOM evidence classified as computer or computer-related
evidence.

I. Daewoo Laptop
Computer, seized 08/20/1998, Nairobi, Kenya

KENBOM 1B241; NYO CART item number Q118

laptop computer from the | | offices in Nairobi, Kenya. This
computer is known as KENBOM 1B241 and NYO CART item Q118.

The New York (NYO) Computer Analysis Response Team
(CART) made a logical copy of all files (including erased and
residue) on the laptop and recorded them to a CD-ROM stored in
KENBOM main file 1A225. See attached FD-302 dated 03/08/2000,
known as KENBOM sub-302 serial 1219. See also KENBOM sub-302
1A946 for CART exam notes and printout of BMP and WAV files that
CART was unable to open.

A copy of the printable files from the laptop is
attached to an electronic communication (EC) dated 03/21/2000,
known as KENBOM sub-TR serial 57.

II. Disks and Compact Disks (CD-ROMs), seized
08/20/1998, Nairobi, Kenya

A. KENBOM 1B47, item 12; NYO CART item number Q137

On August 20, 1998, | | seized
approximately one disk from the | | offices in Nairobi, Kenya.
This disk is known as item 12 of KENBOM 1B47 and NYO CART item
Q137.

NYO CART made a logical copy of all files (including
erased and residue) on the disk and recorded them to a magneto-
optical disk and to a CD-ROM stored in KENBOM sub-302 1A1308. See
attached FD-302 dated 07/18/2001, known as KENBOM sub-302 serial
1721.

REQ. #34-1 000000199


9/11 Law Enforcement Sensitive

To: New York From: New York
Re: 262-NY-267856, 08/24/2001

A copy of the printable substantive text files from
this disk is attached to an EC dated 08/14/2001, known as KENBOM
sub-TR serial 125.

B. KENBOM 1B90, item 33; NYO CART items Q119 - Q125

approximately seven disks from the | | offices in Nairobi,
Kenya. These disks are known as item 33 of KENBOM 1B90 and NYO
CART items Q119 - Q125.

NYO CART made a logical copy of all files (including
erased and residue) on the disks and recorded them to a magneto-
optical disk and to a CD-ROM stored in KENBOM sub-302 1A1308. See
attached FD-302 dated 07/18/2001, known as KENBOM sub-302 serial
1721.

These disks do not contain printable substantive text
files.

C. KENBOM 1B115 item 9; NYO CART item Q136

On August 20, 1998, | | seized
approximately one disk from the | | offices in Nairobi, Kenya.
This disk is known as item 9 of KENBOM 1B115 and NYO CART item
Q136.

NYO CART made a logical copy of all files (including
erased and residue) on the disk and recorded them to a magneto-
optical disk and to a CD-ROM stored in KENBOM sub-302 1A1308. See
attached FD-302 dated 07/18/2001, known as KENBOM sub-302 serial
1721.

A copy of the printable substantive text files from
this disk is attached to an EC dated 08/14/2001, known as KENBOM
sub-TR serial 125.

D. KENBOM 1B118; NYO CART items Q12 - Q115 (disks) and
NYO CART items Q116 and Q117 (CD-ROMs)

On August 20, 1998,
approximately 104 disks and two CD-ROMs from the | | offices in
Nairobi, Kenya. These disks and CD-ROMs are known collectively as
KENBOM 1B118 and individually as NYO CART items Q12 - Q115
(disks) and NYO CART items Q116 and Q117 (CD-ROMs).

REQ. #34-1 000000200


9/11 Law Enforcement Sensitive

To: New York From: New York
Re: 262-NY-267856, 08/24/2001

NYO CART made a logical copy of all files (including
erased and residue) on disks Q12 - Q115 and CD-ROMs Q116 and Q117
and recorded them to CD-ROMs stored in KENBOM main file 1A219.
See attached FD-302 dated 01/04/2000, known as KENBOM sub-302
serial 1204. See also KENBOM main file 1A222 for a duplicate set
of CART CD-ROMs and KENBOM sub-302 1A905 for CART exam notes.

A copy of the printable files from the disks and CD-
ROMs is attached to an EC dated 03/21/2000, known as KENBOM sub-
TR serial 55.

E. KENBOM 1B127, item 8; NYO CART items Q126 - Q133

approximately eight disks from the | | offices in Nairobi,
Kenya. These disks are known as item 8 of KENBOM 1B127 and NYO
CART items Q126 - Q133.

NYO CART made a logical copy of all files (including
erased and residue) on the disks and recorded them to a magneto-
optical disk and to a CD-ROM stored in KENBOM sub-302 1A1308. See
attached FD-302 dated 07/18/2001, known as KENBOM sub-302 serial
1721.

A copy of the printable substantive text files from
disk Q126 is attached to an EC dated 08/14/2001, known as KENBOM
sub-TR serial 125. The remaining disks do not contain printable
substantive text files.

F. KENBOM 1B137, items 20 and 21; NYO CART items Q134
- Q135

On August 20, 1998, | | seized
approximately two disks from the | | offices in Nairobi, Kenya.
These disks are known as items 20 and 21 of KENBOM 1B137 and NYO
CART items Q134 - Q135.

NYO CART made a logical copy of all files (including
erased and residue) on the disks and recorded them to a magneto-
optical disk and to a CD-ROM stored in KENBOM sub-302 1A1308. See
attached FD-302 dated 07/18/2001, known as KENBOM sub-302 serial
1721.

A copy of the printable substantive text files from
disk Q134 is attached to an EC dated 08/14/2001, known as KENBOM
sub-TR serial 125. Disk Q135 does not contain printable

REQ. #34-1 000000201


9/11 Law Enforcement Sensitive

To: New York From: New York
Re: 262-NY-267856, 08/24/2001

substantive text files.

III. FAZUL ABDULLAH MOHAMMED, aka HARUN, Disks, seized
09/02/1998, | |

KENBOM 1B510 items 1 and 2; Lab Items K191 and K192

On September 2, 1998, seized
approximately 37 disks from the residence of
| | located in | |. It should be noted that | |
residence is also known as the residence of Mohamed Said Ali.
Twenty-one of these disks are known both as item 1 of KENBOM
1B510 and lab item K191; sixteen of these disks are known as both
item 2 of KENBOM 1B510 and lab item K192.

FBIHQ CART made a physical image of all media specimens
containing file systems to a magneto-optical disk and a CD-ROM
known as KENBOM 1B860. Erased files and residue were recovered
from the disks to 1B860. Several disks were found to be
unreadable, thus, physical images were not recorded to 1B860. See
attached Lab Report number 980911013 S/I FX SX dated 12/08/1998,
known as KENBOM sub-E serial 24.

A copy of the printable files from the disks is
attached to an EC dated 03/21/2000, known as KENBOM sub-TR serial
54. In addition, the lab recovered latent fingerprints
and/or latent palm prints on four disks, K191.6, K192.1.6,
K192.1.9, and K192.2.5. One latent fingerprint developed on disk
K192.2.5 was identified as a finger impression of FAZUL ABDULLAH
MOHAMMED, aka HARUN. See attached Lab Report number 980911013 FX
CW dated 02/12/1999, known as KENBOM main serial 3935.

IV. FAZUL ABDULLAH MOHAMMED, aka HARUN, Macintosh Computer,
seized 09/02/1998, | |

KENBOM 1B513 item 1; Lab Item K189

On September 2, 1998, seized a Gr
Macintosh Computer from the residence of | |
located in | |. It should be noted that | |
residence is also known as the residence of Mohamed Said Ali.
This computer is known both as item 1 of KENBOM 1B513 and lab
item K189.

REQ. #34-1 000000202


9/11 Law Enforcement Sensitive

To: New York From: New York
Re: 262-NY-267856, 08/24/2001

Lab item K189 is a first generation Macintosh and does
not contain an internal hard drive; therefore, CART conducted no
analysis of this item.

No latent prints of value were developed on lab item
K189. See attached Lab Report number 980911013 FX CW dated
02/12/1999, known as KENBOM main serial 3935. It should be noted
that item K189 is not referenced in the Results of Examination;
however, K189 appears in the lab communication as a specimen
examined for latent fingerprints.

V. FAZUL ABDULLAH MOHAMMED, aka HARUN, HDD Central
Processing Unit (CPU), seized 09/02/1998, | |

KENBOM 1B513 item 2; Lab Item K190

\U from the residence of | | located in
| |. It should be noted that | | residence is also
known as the residence of Mohamed Said Ali. This CPU is known
both as item 2 of KENBOM 1B513 and lab item K190.

FBIHQ CART determined that the HDD CPU contained a
Seagate ST32122A hard drive, serial XKF04812/9J7013-503, which
was designated as lab item K190.1. CART copied a physical image
of the Seagate hard drive to a magneto-optical disk and a CD-ROM
known as KENBOM 1B860. Three-hundred and seventy-three (373)
erased files were recovered from the Seagate hard drive to 1B860.
See attached Lab Report number 980911013 S/I FX SX dated
12/08/1998, known as KENBOM sub-E serial 24.

A copy of the printable files from the Seagate hard
drive is attached to an EC dated 03/21/2000, known as KENBOM sub-
TR serial 54.

The lab developed latent fingerprints and/or latent
palm prints on the HDD CPU, but no identifications were made. See
attached Lab Report number 980911013 FX CW dated 02/12/1999,
known as KENBOM main serial 3935.

VI. FAZUL ABDULLAH MOHAMMED, aka HARUN, Briefcase Disks,
seized 09/32/1998, | |

KENBOM 1B521 item 45, Lab Items Q791 - Q798

REQ. #34-1 000000203


9/11 Law Enforcement Sensitive
9/11 Law Enforcement Privacy
To: New York From: New York
Re: 262-NY-267856, 08/24/2001

approximately eight disks from HARUN | |
| | The disks were found in a briefcase, known as KENBOM
1B521, that belonged to HARUN. The disks are known both as item
45 of 1B521 and as lab items Q791 - Q798.

FBIHQ CART copied a physical image of the disks'
readable sectors to a magneto-optical disk and CD-ROM known as
KENBOM 1B859. Lab items Q793 and Q798 were unreadable due to
extensive media errors, thus, physical images were not recorded
to 1B859. Readable specimens were found to contain a Macintosh
(HFS) file system. NYO CART labeled the same disks NYO CART items
Q1 - Q8 and conducted an independent analysis. NYO CART also
found the readable disks to contain a Macintosh file system. See
attached FD-302 dated 09/15/1998, known as KENBOM sub-302 serial
1698.

\Q CART searched the magneto-opt
strings possibly representing an internet e-mail address using
the regular expression "[a-z0-9]@[a-z0-9]" and produced no
significant results. See attached Lab Report number 981022001 S/I
FX SX dated 12/08/1998, known as KENBOM sub-E serial 24.

As of the date of this communication, SA | |
| | was reviewing these disks and preparing copies of the
printable files for the KENBOM file.

No latent prints of value were developed on lab items
Q791 - Q798. See attached Lab Report number 981022001 S/L FX SX
CW dated 01/20/1999, known as KENBOM main serial 3816.

VII. FAZUL ABDULLAH MOHAMMED, aka HARUN, Toshiba Hard Drive,
seized 09/09-11/1998, Nairobi, Kenya

KENBOM 1B902 (part); Lab Item K200.4

seized a Toshiba 2.5" IDE hard drive, model MK2326FCH, from
| | in Nairobi, Kenya. Investigation revealed that
HARUN had left this hard drive, along with several other parts
from a Sharp laptop computer, for repair at | |
This hard drive is known both as KENBOM 1B902 (part) and lab item
K200.4.

FBIHQ CART copied a physical image of this hard drive
to a magneto-optical disk and CD-ROM known as KENBOM 1B858.

REQ. #34-1 000000204


9/11 Law Enforcement Privacy
9/11 Law Enforcement Sensitive
To: New York From: New York
Re: 262-NY-267856, 08/24/2001

Erased files were recovered from this hard drive and also
recorded to 1B858.

\T searched the residue repor
strings, "[a-z]@[a-z] Sender:" and results were recorded to
1B858. See attached Lab Report number 580914024 S/I FX SX dated
10/14/1998, known as KENBOM main serial 4651.

As of the date of this communication, | |
| | was reviewing this hard drive and preparing copies of the
printable files for the KENBOM file.
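
The string searches cited in the lab reports above (the pattern "[a-z0-9]@[a-z0-9]" run over the magneto-optical disk outputs, and the residue search in section VII), as an added Python example that is not part of the FBI reports. The residue bytes are constructed, and the wider address pattern and the UTF-16LE pass are assumptions added here to show what a lowercase, single-byte pattern flags and what it leaves unflagged.

```python
import re

# The pattern quoted in the lab report: one lowercase letter or digit on each
# side of "@". It flags a position; it does not capture the address.
REPORT_PATTERN = re.compile(rb"[a-z0-9]@[a-z0-9]")

# Assumed wider pattern (not from the report) to pull out the full candidate.
ADDRESS = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Runs of printable ASCII stored as UTF-16LE (each character followed by NUL).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def report_hits(data):
    """Offsets where the report's pattern matches in raw bytes."""
    return [m.start() for m in REPORT_PATTERN.finditer(data)]


def candidate_addresses(data):
    """Map each full address candidate to (encoding, byte offset)."""
    found = {}
    for m in ADDRESS.finditer(data):
        found.setdefault(m.group().decode("ascii").lower(), ("ascii", m.start()))
    for run in UTF16_RUN.finditer(data):
        narrow = run.group()[::2]          # drop the NUL bytes
        for m in ADDRESS.finditer(narrow):
            offset = run.start() + 2 * m.start()
            found.setdefault(m.group().decode("ascii").lower(), ("utf-16le", offset))
    return found


def missed_by_report_pattern(data):
    """Candidates that contain no position the report's pattern would flag."""
    hits = report_hits(data)
    missed = []
    for addr, (encoding, offset) in candidate_addresses(data).items():
        width = len(addr) * (2 if encoding == "utf-16le" else 1)
        if not any(offset <= h < offset + width for h in hits):
            missed.append(addr)
    return sorted(missed)


# Constructed residue: binary junk around three addresses in different forms,
# plus two strings that contain "@" but are not addresses.
SAMPLE = (
    b"\x00\x01\x7fjunk user1@example.com \xff\xfe"
    + "Sender: Someone@Example.ORG".encode("utf-16-le")
    + b"\x00\x00 ADMIN@EXAMPLE.NET qty 5@ 10 a@b \x90\x90"
)

if __name__ == "__main__":
    print("report-pattern hits at offsets:", report_hits(SAMPLE))
    for addr, where in candidate_addresses(SAMPLE).items():
        print(addr, where)
    print("not flagged by report pattern:", missed_by_report_pattern(SAMPLE))
```
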

VIII. | | Computer, seized 09/02/1998, Dar Es
Salaam, Tanzania

TANBOM 1B276 item 59; Lab Item

On or about September 2, 1998,
seized an Olivetti M24X5, P166-X CPU. Serial A4979F-Q503'24(T! from
| | in Dar
Es Salaam, Tanzania. CART determined that the CPU contained a
Fujitsu MPA3017 AT hard drive. The hard drive is known both as
item 59 of TANBOM 1B276 and lab item K98.1.1.

FBIHQ CART copied a physical image of this hard drive
to a 2.3 gigabyte disk and CD-ROM known as TANBOM 1B283.

Investigation revealed that
aka | | and its owner | | had no
connection to the Embassy bombings in Nairobi, Kenya and Dar Es
Salaam, Tanzania. In April 2000, NYO shipped this computer to the
Regional Security Officer (RSO) in Dar Es Salaam for return to
Thomas Lyimo.

\ disk, seized 09/02/1

Tanzania

TANBOM 1B276 item 40; Lab Item K138

On or about September 2, 1998,
seized one computer disk, from
| |, in Dar Es Salaam, Tanzania. The disk
is known both as item 40 of TANBOM 1B276 and lab item K138.

REQ. #34-1 000000205


9/11 Law Enforcement Sensitive

To: New York From: New York
Re: 262-NY-267856, 08/24/2001

Investigation revealed that
aka | | and its owner | | had no
connection to the Embassy bombings in Nairobi, Kenya and Dar Es
Salaam, Tanzania. In April 2000, NYO shipped this disk to the RSO
in Dar Es Salaam for return to | |.

REQ. #34-1 000000206
