Discuss as:

Terrorists may leave 'digital breadcrumbs' for investigators

AP Photo/Bob Leonard

This Monday, April 15, 2013 photo provided by Bob Leonard shows second from left, Tamerlan Tsarnaev, who was dubbed Suspect No. 1 and third from left, Dzhokhar A. Tsarnaev, who was dubbed Suspect No. 2 in the Boston Marathon bombings by law enforcement. This image was taken approximately 10-20 minutes before the blast.

The same Internet that makes it easy for terrorists and killers to research targets and stock up on ammunition also makes it easier for them to get caught, thanks to "digital breadcrumbs" that are hard to erase. While Dzhokhar Tsarnaev — the 19-year-old man accused in the Boston Marathon bombing that killed three people and injured more than 170 — remains in serious condition (and unable to speak) at Boston's Beth Israel Deaconess Medical Center, authorities are hunting for clues in many places, both physical and virtual.

"The big thing they are trying to determine is the radicalization," Mark Rasch, former head of the Justice Department's computer crime unit and now an independent consultant at MarkDRasch.com, explained to NBC News. "How did he become radicalized?" Rasch believes authorities are employing digital forensics in an attempt to answer this question. They are likely looking at laptops, desktops and tablets, checking social networks and browser histories, and searching for evidence that Dzhokhar or his 26-year-old brother, Tamerlan — killed in a firefight with police on Thursday night — researched Web pages about bomb making.

"The first place you find digital breadcrumbs is in deleted or cached files," Rasch explains. "The second is in misplaced trust relationships. When you tell someone what you are doing online, say in email, that person has records, too. And even if you deleted it, they might forget to delete it."

Investigators will have to act quickly though, especially if the Tsarnaevs operated as part of a larger group. "There are probably other people out there frantically deleting files," Rasch says, "so this stuff has short shelf life."

Looking into the brothers' online social connections could also potentially yield solid clues. A YouTube account apparently set up by Tamerlan has come to light. It includes several Islamic extremist videos organized into two playlists — "Islam," set up six months ago, and "terrorists," set up five months ago. On Twitter, Dzhokhar posted, "Ain't no love in the heart of the city, stay safe people" in the hours after the Boston Marathon bombing — and a day later said he was "stress-free." Investigators may even follow the shakier leads, too, like the alleged sightings of the brothers on Russia's vKontakte social network.

John Tlumacki / Boston Globe / Getty Images Contributor

Police officers with their guns drawn hear the second explosion down the street. The first explosion knocked down a runner at the finish line of the 117th Boston Marathon.

But combing social media may prove to be a dead end. "Remember (Dzhokhar's) roommates had no idea what was going on," Rasch cautions, "so the fact that people are friends with (the brothers) online, or follow them on Twitter, could be meaningless."

In the case of physical computer equipment, wiping a hard drive, or even attempting to destroy it, may not leave information entirely unaccessible. In the home shared by Adam Lanza — the gunman who killed 26 people at Sandy Hook Elementary School in Newtown, Conn. — and his mother, who he also killed, authorities discovered a heavily damaged computer and hard drives which had been removed and subjected to additional damage.

Experts told NBC News at that time of the discovery that while certain types of damage could render chances of data recovery "pretty much nonexistent," authorities would have a shot as long as the platters — the disks on which data lives — are only partially chipped or scratched. (Efforts by an FBI lab to extract information from Lanza's hard drives have produced nothing of value, NBC News reported in February.) 

Norway gunman Anders Behring Breivik, who confessed in 2011 to killing 93 people, left behind a notable trail of digital breadcrumbs. An Internet diary included entries such as: "It would have saved me a lot of hassle if I could just 'borrow' a cup of sugar and 3kg of C4 (explosive) from my dear neighbor." Further Internet postings, online discussions and attempts to join radical groups on Facebook provided further clues.

And of course, cellphone text messages can also be used to mount a case against an accused killer. Suspected Aurora, Colo., shooter James Holmes — who reportedly used the Web to stockpile over 6,000 rounds of ammunition — sent threatening texts to a university psychiatrist, said the doctor when she testified in court in early April.

However the facts stack up against the Tsarnaev brothers, it's clear to an expert like Rasch that they could have done more to cover their tracks — but didn't.

"If you wanted to conceal your identity, you would use throwaway accounts online," Rasch said. "It's easy to conceal what you are doing. If I wanted to look up how pressure-cooker bombs worked, I would never use my own computer or my own accounts."

"They did very little to conceal their identities ... just look at the way they planted the bombs and planned their escape," he concluded. "That likely means there will be a lot found out online."