The Real Cyberforensics Used To Snoop On Petraeus (And You)

Anonymous, throwaway Google accounts aren't so anonymous, it turns out. Neither is a James Bond-like "digital dropbox." Here's a look at the forensics the FBI used to discover David Petraeus's affair and how it could be used to investigate any email account, anywhere.

In an increasingly weird and tangled affair, former CIA director David Petraeus, Marine General John R. Allen, Paula Broadwell, Jill Kelley, an unnamed FBI agent, and others all used various anonymous accounts and message-masking techniques pioneered by terrorists and teens alike. They thought they were communicating with each other with discretion and secrecy.

But FBI investigators found their way through almost all of it.

That's because they're practiced in the field of cyberforensics—detailed Internet and technology detective techniques used every day all around the world. When it comes to the vast majority of activity by Internet users, it's amazingly easy to trace fake email addresses and anonymous blogs back to their owners. Or, put another way, if the director of the CIA's undercover ops can be cracked, so can yours. Here's how.

Cyberforensics firms regularly show up on retainer or on the payroll of law enforcement, lawyers of all stripes, lobbyists, and even intelligence agencies. Every activity on the Internet leaves identity breadcrumbs in the form of activity logs, cookies, GPS activity from mobile phones, and even logs of camera activity and keyboard use secretly copied from targets' computers. Given enough hours, cyberforensics experts can reconstruct the tiniest minutiae of any phone or computer owner's life. Law enforcement agencies and intelligence agencies also retain their own in-house cyberforensics experts.

The FBI gained access to anonymous Gmail accounts traced to Petraeus and Broadwell through a law, more than 25 years old, that gives law enforcement carte blanche to snoop in email accounts. Provisions of 1986's Stored Communications Act (SCA) allow "government entities" to access email records in storage for less than 180 days "if there is reasonable cause to believe a crime has been committed." For email records that are older than 180 days, a warrant is required. Using the SCA, FBI investigators were able to obtain access to emails Broadwell and Petraeus wrote via Gmail over the past six months. Google routinely discloses government queries into Gmail's archives, and the Electronic Frontier Foundation and others have raised concerns over the SCA, an email bill written back in the halcyon days of Compuserve and GEnie.

Both Petraeus and Broadwell were savvy enough to use Gmail accounts with fake names. But while Petraeus knew his way around email, neither he nor Broadwell took the precautions that could have hidden any incriminating emails. Neither used identity-obscuring VPNs or rerouting solutions such as the Tor Project, which could have hindered the FBI from tracing, for instance, Broadwell's fake email account back to her North Carolina home. Apart from Tor, commercially available end-user solutions such as Hotspot Shield and LogMeIn Hamachi obscure the origination points of email messages with varying levels of success. Many of those services, however, especially those that use American servers, may keep IP address logs that investigators or hackers can get at.

Darren R. Hayes, the head of Pace University's Computer Information Systems program and a computer forensics expert, tells Fast Company that there are numerous ways for anonymous email accounts to escape detection, or to at least make the process much harder. Commercial services such as GuerillaMail and Mailinator offer disposable, throwaway email addresses whose data can be held on foreign servers outside the reach of the American government; VPNs also make tracing emails much harder.

Spy techniques used by Petraeus and Broadwell to hide their missives did not work. According to the ACLU's Chris Soghoian, Broadwell and Petraeus may have thought leaving unsent messages in the draft folder of their anonymous throwaway Gmail account wouldn't leave a digital paper trail. They were wrong. The James Bond-style technique, leaving draft messages in a "digital dropbox," didn't stop Gmail from retaining identifying metadata, the descriptive data attached to files, messages, and other content.

Metadata varies for email depending on the service on which it originates. For instance, Yahoo Mail metadata differs from Gmail's, which differs from Outlook servers'. Metadata also varies depending on the client software users send their messages from; using metadata, a cyberforensics specialist can find out whether a message sent from a Gmail address was written in Gmail.com, Apple's mail client on the iPad or Mac, or a user's Outlook client. In some cases, these services add identifying information that could lead investigators to the sender's real name and physical location.
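The client fingerprinting described here, and the originating-IP difference between web-composed and client-submitted Gmail messages that the article goes on to describe, can both be checked by reading a message's headers. The following is an added example, not code from the article or from any forensics product it names. It embeds two constructed messages whose header shapes follow the article's description (a web-composed message carrying only a provider-internal hop, a desktop-client message carrying the client's connecting address); every hostname, address, and ID in them is invented, and 192.0.2.0/24 is a documentation range.

```python
import email
import ipaddress
import re
from email import policy

# Two constructed raw messages (not real mail from the case). Their header
# shapes follow the article's description of Gmail: a message composed in the
# web interface carries only a provider-internal hop, while one submitted
# through a desktop client via the provider's SMTP service records the
# client's connecting address. All hostnames, addresses and IDs are invented.
WEBMAIL_MSG = b"""\
Received: by 10.64.1.2 with HTTP; Mon, 12 Nov 2012 09:15:01 -0800 (PST)
Message-ID: <CAExample1234@mail.gmail.com>
Date: Mon, 12 Nov 2012 09:15:01 -0800
From: Throwaway Account <throwaway.example@gmail.com>
To: recipient@example.org
Subject: draft
Content-Type: text/plain; charset=UTF-8

hello
"""

CLIENT_MSG = b"""\
Received: from [192.0.2.44] (cpe-192-0-2-44.example-isp.net. [192.0.2.44])
        by mx.google.com with ESMTPSA id x7sm12345abc.9.2012.11.12.09.15.01
        (version=TLSv1/SSLv3 cipher=OTHER);
        Mon, 12 Nov 2012 09:15:01 -0800 (PST)
Message-ID: <5A1B2C3D@example-isp.net>
Date: Mon, 12 Nov 2012 09:15:01 -0800
From: Throwaway Account <throwaway.example@gmail.com>
To: recipient@example.org
Subject: draft
X-Mailer: Microsoft Outlook 14.0
Content-Type: text/plain; charset=UTF-8

hello
"""

# Addresses in these ranges belong to the provider's own infrastructure (or the
# loopback) and never identify the sender's network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# A dotted quad not glued to other digits or dots, so a queue id such as
# "x7sm12345abc.9.2012.11.12" is never mistaken for an address.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def _is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def fingerprint(raw):
    """Return the sending client (X-Mailer or User-Agent) and the earliest
    non-internal IPv4 address in the Received chain; None for each when absent."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    client = msg.get("X-Mailer") or msg.get("User-Agent")
    origin = None
    # Each relay prepends its own Received line, so the last one is the first hop.
    for hop in reversed(msg.get_all("Received") or []):
        for candidate in IPV4_RE.findall(str(hop)):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if not _is_internal(addr):
                origin = str(addr)
                break
        if origin:
            break
    return {"client": str(client) if client else None, "origin_ip": origin}


if __name__ == "__main__":
    for label, raw in (("webmail", WEBMAIL_MSG), ("desktop client", CLIENT_MSG)):
        print(label, fingerprint(raw))
```

Run against the two samples, the web-composed message yields no client and no originating address, while the client-submitted one yields both the X-Mailer string and the connecting address; on real mail the same function is a quick way to audit what a message leaks before it leaves, or to triage what a received message reveals.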

If Petraeus or Broadwell used an email client like Outlook to send messages from their fake Gmail accounts, that likely did them in. According to Digital Trends' Andrew Couts, messages sent from Gmail.com strip identifying IP address metadata, while Gmail messages sent via Outlook, Thunderbird, or Apple's Mail clients all append IP addresses to an email message's metadata. From an IP address, it is easy to infer the physical location from which an email was sent. Gmail.com, while not including an IP address, attaches routing information that indicates a message's journey through the digital ether and can provide important clues to the original sending location. Similar metadata is appended to image files posted on Facebook, Twitter, Picasa, Flickr, and other popular image-sharing sites, making the lives of cyberforensics specialists incredibly easy when investigating cases. Smartphones routinely attach the GPS coordinates where a photograph was taken, and even standard digital photographs include identifying information about the make and model of the camera, Hayes said.
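The photo metadata Hayes describes lives in the EXIF block of the image file: camera make and model in the main directory, and, when present, a separate GPS sub-directory holding latitude and longitude as degree/minute/second fractions. The following is an added example, not code from the article or from any product it names. It builds a small constructed EXIF/TIFF block in memory (the camera name and coordinates are invented; no real photo is involved) and then parses it the way a triage tool would, so that a defender can check whether an image carries a location before it is published.

```python
import struct

# TIFF/EXIF field types used here and their byte widths.
ASCII, LONG, RATIONAL = 2, 4, 5
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}
TAG_MAKE, TAG_MODEL, TAG_GPS_IFD = 0x010F, 0x0110, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _encode_ifd(entries, base):
    """Serialize one IFD at absolute offset `base`; entries are (tag, type, count, payload).
    Payloads of four bytes or fewer are stored inline, larger ones after the IFD."""
    data_off = base + 2 + 12 * len(entries) + 4
    head, data = struct.pack("<H", len(entries)), b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            head += struct.pack("<HHI", tag, typ, count) + payload.ljust(4, b"\0")
        else:
            head += struct.pack("<HHII", tag, typ, count, data_off + len(data))
            data += payload
    return head + struct.pack("<I", 0) + data


def _dms(deg, minutes, seconds):
    """Three RATIONALs (numerator/denominator pairs), the form cameras use for GPS."""
    return struct.pack("<IIIIII", deg, 1, minutes, 1, seconds * 100, 100)


def build_sample_exif():
    """A constructed little-endian EXIF/TIFF block with camera make/model and a GPS IFD.
    The coordinates are invented (they fall near Charlotte, North Carolina)."""
    make, model = b"ExampleCam\0", b"Model-X\0"
    gps_entries = [
        (GPS_LAT_REF, ASCII, 2, b"N\0"),
        (GPS_LAT, RATIONAL, 3, _dms(35, 13, 25)),    # 35 deg 13' 25" N
        (GPS_LON_REF, ASCII, 2, b"W\0"),
        (GPS_LON, RATIONAL, 3, _dms(80, 50, 36)),    # 80 deg 50' 36" W
    ]
    # IFD0 sits at offset 8 and its length is fixed, so the GPS IFD offset is known.
    gps_off = 8 + (2 + 12 * 3 + 4) + len(make) + len(model)
    ifd0_entries = [
        (TAG_MAKE, ASCII, len(make), make),
        (TAG_MODEL, ASCII, len(model), model),
        (TAG_GPS_IFD, LONG, 1, struct.pack("<I", gps_off)),
    ]
    return (b"II" + struct.pack("<HI", 42, 8)
            + _encode_ifd(ifd0_entries, 8) + _encode_ifd(gps_entries, gps_off))


def _read_ifd(blob, order, off):
    """Decode one IFD into {tag: value}, following offsets for out-of-line payloads."""
    (n,) = struct.unpack_from(order + "H", blob, off)
    out = {}
    for i in range(n):
        tag, typ, count, raw = struct.unpack_from(order + "HHI4s", blob, off + 2 + 12 * i)
        size = TYPE_SIZE.get(typ, 1) * count
        if size <= 4:
            payload = raw[:size]
        else:
            (ptr,) = struct.unpack(order + "I", raw)
            payload = blob[ptr:ptr + size]
        if typ == ASCII:
            out[tag] = payload.rstrip(b"\0").decode("ascii", "replace")
        elif typ == LONG:
            vals = struct.unpack(order + "I" * count, payload)
            out[tag] = vals[0] if count == 1 else vals
        elif typ == RATIONAL:
            vals = struct.unpack(order + "II" * count, payload)
            out[tag] = [vals[j] / vals[j + 1] for j in range(0, len(vals), 2)]
        else:
            out[tag] = payload
    return out


def _to_decimal(dms, ref):
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def parse_exif(blob):
    """Return make, model and decimal (lat, lon) from an EXIF/TIFF block; gps is None if absent."""
    order = "<" if blob[:2] == b"II" else ">"
    (ifd0_off,) = struct.unpack_from(order + "I", blob, 4)
    tags = _read_ifd(blob, order, ifd0_off)
    info = {"make": tags.get(TAG_MAKE), "model": tags.get(TAG_MODEL), "gps": None}
    if TAG_GPS_IFD in tags:
        gps = _read_ifd(blob, order, tags[TAG_GPS_IFD])
        if GPS_LAT in gps and GPS_LON in gps:
            info["gps"] = (_to_decimal(gps[GPS_LAT], gps.get(GPS_LAT_REF, "N")),
                           _to_decimal(gps[GPS_LON], gps.get(GPS_LON_REF, "E")))
    return info


if __name__ == "__main__":
    print(parse_exif(build_sample_exif()))
```

In a JPEG the same block follows the six-byte "Exif\0\0" marker inside the APP1 segment, so on a real file you would locate that segment first and hand the bytes after the marker to parse_exif. A non-None "gps" value is the signal to strip the metadata before the image goes anywhere public.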

Once FBI investigators traced Broadwell's throwaway email account to her North Carolina home and to physical locations that matched her travel schedule, the agency gained access to her primary email accounts. As of press time, it appears they used information obtained there to confirm that she and Petraeus were conducting an extramarital affair. The spy chief's involvement in a relationship outside of his marriage, according to press reports, was considered a blackmail risk.

The FBI, NSA, local police departments, and other government entities can all access email account records and histories by sending requests to Google, AOL, and others. These requests customarily cover all information associated with an IP address—meaning that all the email addresses from a household, whether involved in an investigation or not, are culled by law enforcement.

Cyberforensics, though not regularly discussed in the press, is a booming industry. "These days, virtually all cases involve digital evidence. Whether the case is counterterrorism, kidnapping, drugs, or a white collar crime, digital evidence is key," AccessData's Erika Lee tells Fast Company. AccessData, which sells computer forensics software to investigators parsing electronic records and to corporations tracing the perpetrators of hacking attacks, is part of a field that does everything from parsing the physical locations Facebook status updates were posted from to uncovering the Chinese cybercafes where multimillion-dollar attacks on banks were launched from.

In the end, it's important to remember that—as The Week's Marc Ambinder put it—this whole story began "based on the complaints of one person in Tampa who knew a bunch of generals." Based on those complaints, the FBI was able to gain easy access to multiple email addresses, including that of the head of the CIA, without a warrant. Meanwhile, investigators outside the government such as hackers and criminals can always break into anonymous email accounts and trace them back to their owners fairly easily. The important cybersecurity takeaway from L'Affaire Petraeus? For those anonymous emails you absolutely don't want traced back to you, send them via Gmail.com. And use Tor.

Or, you know, don't cheat.

For more stories like this, follow @fastcompany on Twitter. Find Neal Ungerleider, the author of this article, on Twitter.

[Image: Flickr user Douglas Silva Azevedo]


7 Comments

  • Jhon124

    Wow, great article. That's really creepy that they can do all that. I wonder how anonymous a lot of these "anonymity services" are.

  • Ellie K

    I don't find Jill Kelley a sympathetic person, but she DID receive threatening messages. If she filed a complaint, depending on the content of the messages, I would expect there to be follow-up, whether or not she knew "a bunch of generals" (or even one or two in particular).

    It doesn't seem like snooping, for the FBI to request and receive user records from Google, depending on what Broadwell said (under the terms of the SCA). Neither Tor nor LogMeIn Hamachi will preserve anonymity once one's state of mind is such that threatening a perceived romantic competitor (regarding an extra-marital affair, not a spouse) is acceptable behavior.

  • Jennifer

    Fascinating post, which would come across as more authoritative if you had it grammar checked. For example: "they used information obtained there to confirm her and Petraeus were conducting an extramarital affair." "Her and Petraeus" (objective case) were not doing anything. "*She* and Petraeus" (subjective case) were up to a lot!

  • Thad McIlroy

    Except for GPS metadata, which is not a common feature on digital cameras, photographic metadata has nothing in common with the metadata that did in Petraeus. Even photographs from cellphones rarely record GPS -- less than 3% of the time, according to the one study I found: http://isc.sans.edu/diary.html...

  • Goob

    I thought Facebook scraped image metadata. Or at least I remember photographers being angry a year or two ago because people were taking their images from Flickr and washing them of the metadata. Have they changed the way they store photos?

  • Ray Silva

    You're not exactly right. If Petraeus and Broadwell had only communicated via the drafts in an anonymous Gmail account it would have been highly unlikely that anyone would have discovered anything. For one thing, they could have accessed the account from anywhere, not just their own personal computers. Since no emails were ever sent, there would have been no IP traceroutes of any kind. The FBI "discoveries" came about because of the investigation into Broadwell's threats (which would not have used the Petraeus-Broadwell shared anonymous email). Thus it was Broadwell's rather idiotic activities that opened up investigations which led to the anonymous email account. Properly handled, there isn't a cyberforensics tool in existence that would have discovered the secret communications in draft (except by highly unlikely accident).

  • Ellie K

    The fact that the investigation was initiated based on a complaint made by the recipient of Broadwell's threatening messages should have been at the beginning of the article. Instead, it was at the very end.

    Also, I don't know what is meant by "anonymous throwaway Google Gmail accounts". It is my understanding that that isn't accomplished so easily. Regardless, cyberforensics wasn't nearly as relevant as Broadwell's indiscretion.