Did Manning Zerofill His Computers? Or Did the Military?

Wired has a post on MSNBC’s report that “there is apparently no evidence he passed the files directly to [Julian] Assange, or had any direct contact with the controversial WikiLeaks figure.” In it, Kim Zetter looks to the chat logs to try to explain why there is no such evidence.

If it’s true that investigators have found no evidence linking Manning and Assange, it may be because Manning allegedly erased it from his system. He discussed doing so in his chats with Lamo. Manning noted in the chats that any incriminating evidence of his activities had been “zerofilled”, or erased, from his computers:

But that’s not precisely what the passage she quotes says. Note, because I’ve used a different selection of chat log than Zetter, I have bolded the part she included in her selection (though she includes in her post).

(02:13:51 AM) Lamo: Why does your job afford you access?

(02:13:59 AM) Lamo: except for the UN.

(02:14:03 AM) Manning: because i have a workstation

(02:14:15 AM) Lamo: and World Bank.

(02:14:17 AM) Manning: *had*

(02:14:36 AM) Lamo: So you have these stored now?

(02:14:54 AM) Manning: i had two computers… one connected to SIPRNET the other to JWICS…

(02:15:07 AM) Manning: no, they’re government laptops

(02:15:18 AM) Manning: they’ve been zerofilled

(02:15:22 AM) Manning: because of the pullout

(02:15:57 AM) Manning: evidence was destroyed… by the system itself

(02:16:10 AM) Lamo: So how would you deploy the cables? If at all.

(02:16:26 AM) Manning: oh no… cables are reports

(02:16:34 AM) Lamo: ah

(02:16:38 AM) Manning: State Department Cable = a Memorandum

(02:16:48 AM) Lamo: embassy cables?

(02:16:54 AM) Manning: yes

(02:17:00 AM) Manning: 260,000 in all

(02:17:10 AM) Manning: i mentioned this previously

(02:17:14 AM) Lamo: yes

(02:17:31 AM) Lamo: stored locally, or retreiveable?

(02:17:35 AM) Manning: brb latrine =P

(02:17:43 AM) Manning: i dont have a copy anymore

(02:17:59 AM) Lamo: *nod*

(02:18:09 AM) Manning: they were stored on a centralized server…

(02:18:34 AM) Lamo: what’s your endgame plan, then?

(02:18:36 AM) Manning: it was vulnerable as fuck

As Zetter correctly notes, in this passage Manning suggests files had been zerofilled. But in this passage, he doesn’t say he did it.

Now, in a separate section, Manning says he zerofilled the original of the Rejkjavik 13 cable.

(1:48:50 PM) Lamo: give me some bona fides … yanno? any specifics.

(1:49:40 PM) Manning: this one was a test: Classified cable from US Embassy Reykjavik on Icesave dated 13 Jan 2010

(1:50:30 PM) Manning: the result of that one was that the icelandic ambassador to the US was recalled, and fired

(1:51:02 PM) Manning: thats just one cable…

(1:51:14 PM) Lamo: Anything unreleased?

(1:51:25 PM) Manning: i’d have to ask assange

(1:51:53 PM) Manning: i zerofilled the original

(1:51:54 PM) Lamo: why do you answer to him?

(1:52:29 PM) Manning: i dont… i just want the material out there… i dont want to be a part of it [my emphasis]

Contextually, this might suggest that both mentions of zerofilling refer to the same–all 250,000 cables–since they both come in response to Lamo’s probing questions about the cables. Indeed, Manning’s reference to zerofilling himself, in the context of the Rejkjavik cable, may explain why he no longer has access to any cables he could give Lamo to prove his bona fides. But even if both references both mean to include all the cables, it would remain ambiguous whether Manning zerofilled his computer or someone else did.

And that’s significant, because in a third reference, Manning provides a potential alternative explanation for who zerofilled his computers.

(02:38:45 PM) Lamo: What would you do if your role /w Wikileaks seemed in danger of being blown?

(02:38:48 PM) Manning: but i was a part of it… and completely helpless…

(02:39:01 PM) Lamo: sometimes we’re all helpless

(02:39:34 PM) Manning: try and figure out how i could get my side of the story out… before everything was twisted around to make me look like Nidal Hassan

(02:40:15 PM) Manning: i dont think its going to happen

(02:40:26 PM) Manning: i mean, i was never noticed

(02:41:10 PM) Manning: regularly ignored… except when i had something essential… then it was back to “bring me coffee, then sweep the floor”

(02:42:24 PM) Manning: i never quite understood that

(02:42:44 PM) Manning: felt like i was an abused work horse…

(02:43:33 PM) Manning: also, theres god awful accountability of IP addresses…

(02:44:47 PM) Manning: the network was upgraded, and patched up so many times… and systems would go down, logs would be lost… and when moved or upgraded… hard drives were zeroed

(02:45:12 PM) Manning: its impossible to trace much on these field networks…

(02:46:10 PM) Manning: and who would honestly expect so much information to be exfiltrated from a field network?

That is, Manning suggests that every time computers were moved, they were zerofilled. And whatever happened to his computer while he still had access to him, it might be safe to assume that the downloaded files got zerofilled routinely when the computers were reassigned (remember, as far as we know, he lost access not because of the alleged leak, but because of an altercation with a colleague).

Mind you, I’m skeptical that Manning zerofilled anything himself. That’s because his charging sheet includes multiple references to things he downloaded onto his personal, non-secure computer. Which suggests the most solid evidence they have against Manning comes from that (though they do appear to have evidence he accessed things he did not download onto his computer).

But all that really just ignores the larger point: that none of that evidence–at least given reports–directly connects Manning to Julian Assange.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

  1. MadDog says:

    …But all that really just ignores the larger point: that none of that evidence–at least given reports–directly connects Manning to Julian Assange.

    Nope, and the military responds anonymously via Faux News:

    …”Julian Assange is the CEO of WikiLeaks,” one military official told Fox News on the condition of anonymity. “So it’s unlikely he’s going to be the one getting the brown bag filled with secret documents.” This official declined to provide any information on the actual conduit, but said the prosecution is confident it can make a link to WikiLeaks…

    • phred says:

      Moving the goal posts, eh? Sheesh this gets tedious. They have a fixed outcome in mind and when reality intervenes, they change the narrative to suit. Just once it would be nice if they said, “huh, we made a mistake, we need to reconsider our current course”, but no. They blithely barrel on ahead, facts be damned.

      • lareineblanche says:

        They blithely barrel on ahead, facts be damned.

        There is the word. It is the king of words – Power. Not God, not Mammon, but Power. Power is over your tongue till it tingles with it. Power.
        – Jack London, The Iron Heel

      • MadDog says:

        And even if it is true that the US government can’t link Assange directly to Manning, that in no way lessens the government’s intent to put Wikileaks down.

        Given the MSM rush to invent their own Wikileaks-like portals, the government’s efforts sound familiarly like the proverbial Dutch boy’s finger and the dike.

          • MadDog says:

            I see your point. *g*

            But the NYT isn’t the only game in town. Al Jazeera is already there and I bet folks like The Guardian, Der Spiegel, etc. can’t be far behind.

            There remains the question of whether the governments of the world can and will step in to plug the leaking dikes.

            Still sounds to me like the proverbial Dutch boy.

          • earlofhuntingdon says:

            Yup, WikiLeaks appears to do it at cost; the Times and others want to appease their shareholders and pay to lobby their government.

    • MadDog says:

      one military official told Fox News…

      (My Bold)

      I would note that this is a military official who is talking smack about having enough to prosecute a Manning to Wikileaks connection, and not someone from DOJ.

      Unless I’m totally bonkers, I don’t think the military generally gets to do prosecutions of civilians, and in particular, foreign civilians.

      Or is this fool military official intimating that Wikileaks folks are gonna find themselves declared unlawful enemy combatants with extraordinary rendition to some black site for a waterboard torture session or 183, and then onto Gitmo for predetermined convictions before Military Commissions?

  2. MadDog says:

    …Mind you, I’m skeptical that Manning zerofilled anything himself…

    It may be the case that he, like many computer users, is simply using a computing “term of art”. Like many non-technical computer users using the term boot-up or booting my computer without necessarily knowing what the details of the term actually mean.

    • BoxTurtle says:

      I’m sure that zerofilling a computer when relocated was standard procedure, especially for a classified access PC. Heck, a zerofilled drive CAN sometimes be recovered, depending on the program used and the drive.

      I’m pretty sure he knew what it meant, he uses the word correctly in every reference.

      Besides, if he had zeroed his hard drive without authorization, DOJ would have charged him with obstruction.

      Boxturtle (Still suprised that they didn’t list unpaid parking tickets or loitering)

      • MadDog says:

        …I’m pretty sure he knew what it meant, he uses the word correctly in every reference…

        I’m not so confident in his usage. Particularly with regard to this:

        1:51:02 PM) Manning: thats just one cable…

        1:51:14 PM) Lamo: Anything unreleased?

        (1:51:25 PM) Manning: i’d have to ask assange

        (1:51:53 PM) Manning: i zerofilled the original

        This log info may be out of context, but if not, I’d have to question just what it was Manning says he zero-filled.

        • Rayne says:

          Yeah, agreed, that reference is not in sync.

          Am skeptical about a utility used to zero-fill/military-grade wipe a single file, too, which seems the implication.

          Am skeptical that he also did the zero-fill/military-grade wipe of disk(s) on the machines he used; that’s a utility that probably isn’t widely encouraged since a mistake by somebody with poor tech skills means a permanent, irrecoverable error.

          • MadDog says:

            …Am skeptical about a utility used to zero-fill/military-grade wipe a single file, too, which seems the implication…

            That was what struck me as well. Though technically possible, I doubt the likelihood. Zero-filling an entire hard drive? Yes. A single file? No.

          • SteveInNC says:

            I’m not an IT expert – basically I know enough to be dangerous, but I have two different utilities that claim to do multiple overwrites on selected files. Spybot Search & Destroy has a “Secure Shredder”, and at some point I picked up an undelete utility called Restoration that also has “zero-filling” delete functionality (it lets you select either DOD-grade 7x overwrite or serious overkill 32x overwrite). As far as I can tell they seem to work, though I haven’t actually gone in and looked at bits on the drive in the old file location.

            So has anyone else heard of or used programs like this?

            • NMvoiceofreason says:

              I am an IT geek. I have a program, RestorerPro2000 that can recover data from a formatted partition or drive. There is a program called KillDisk which is available for download on cnet which does the military grade wipe. The Spybot utility is effective in preventing all forms of data recovery except opening the drive in a clean room and data recovery by scanning tunneling microscope.

              Purportedly, the NSA used the equivalent of “burn bags” (bags collecting classified waste which are then burned) with thermite charges over disk drives to raise tehm above their Fermi temperature and make even STM recovery impossible on TS/Crypto equipment.

              Lawyers are often the weakest link in a chain, because they foolishly believe in their silly legal protections and customs, unaware that what is labelled ts/crypto or SAP (special access program) will never see the light of day in any court (although it might lead to the resignation of a FISC judge).

    • NMvoiceofreason says:

      (02:15:18 AM) Manning: they’ve been zerofilled
      (02:15:22 AM) Manning: because of the pullout
      (02:15:57 AM) Manning: evidence was destroyed… by the system itself

      I’m not saying I know anything about this.

      Let’s say that when laptops are used in a SCIF (Specialized Compartmented Information Facility), connected to the crypto networks, especially in a mobile center, then the center is to be moved, or re-deployed for another purpose. The policy might then be to wipe and reload all the computers to prevent “leakage” from one black program into another, or to allow “common carriers” to transport the equipment.

      It might happen like that.

      • MadDog says:

        I do agree that your scenario is likely. The point that I was making was that it seems unlikely that Manning himself was doing the zero-filling. That task was more likely being done by the IT staff, and not Manning himself.

  3. earlofhuntingdon says:

    What was it the Tom Cruise character said in A Few Good Men? “It doesn’t matter what I know. It matters what I can prove.”

    All cases present proof problems, from the simplest to the most arcane. Eye witness testimony is inherently unreliable. Documentary evidence, most especially digital data, is subject to intentional and accidental corruption. The government’s job is to prove its case. Admitting it hasn’t the facts to do so is either a brilliant mindf**k of the defense, or it says they can’t prove many of the allegations and smears they’ve been pouring on Manning and Assange.

    As your post points out, if a journalist wants to hypothesize about how something came about – a rarity in the he said-she said world they inhabit nowadays – then they should examine more than one possibility. If Manning could have zero-filled the memory on drives, then someone else could have, too. If the evidence were conclusive enough to support the theory that only Manning did it or could have done it, that would have been the story. It wasn’t.

  4. WilliamOckham says:

    The central assertion of the linked article makes no sense to me. The evidence linking Manning to Assange certainly wouldn’t be on his DoD computers. If you read the charge sheet carefully, they do not seem to have found evidence on his personal laptop either. It is not even clear what their theory is for how the info got to WikiLeaks. If you assume like I do that Lamo was playing the role of informer, the chat logs suggest that the government was trying to figure out how Manning got the stuff to WikiLeaks.

  5. danw5 says:

    I don’t understand how any PFC would have access to any of that. He had no need to know and should have been out of the loop even if he had a top secret clearance. Does not make sense to me.

  6. jerryy says:

    There is only one sure way to securely wipe a hard drive, by using a BFH (big hammer) or its equivalent to physically destroy the drive.

    Even the secure delete software option will not do much more than stop casual onlookers. If you look in the back of various computer trade magazines you can easily find companies that will use electron microscopes to read the old data off the drive onto a new one and have it back to you within a matter of days. This is routine, (businesses use the service because of the ‘oops’ factor related to bosses and secretaries.)

    • SteveInNC says:

      Yes, I was aware of that method. Actually, the last hard drive that I got rid of, I drilled several holes in the case and poured in some sodium hydroxide solution (lye), which does a number on the aluminum structure of the disk and drive.

      FYI – Lye is VERY corrosive to skin and eyes, and the reaction with aluminum generates hydrogen gas. So if you do this, wear goggles and gloves, and do it outside or in a fume hood.