The U.S. Department of Defense (DOD) seized hundreds of computers and around 60T bytes of data as part of an investigation into how details of the U.S. invasion plan for Operation Iraqi Freedom were leaked to The New York Times, a DOD official said.

The investigation ended in 2003 without finding the source of the leak. However, it has prompted changes within the department, which is developing new software tools and investigative strategies for computer crime cases that involve large amounts of data, said Lt. Col Ken Zatyko, director of the DOD's Computer Forensics Laboratory.

The investigation was prompted after details of the U.S.'s planned invasion of Iraq appeared in a series of newspaper articles in the Times beginning in July 2002. The articles revealed various details of the planned invasion and options that were being considered by military planners. Operation Iraqi Freedom was launched in March 2003.

The Times articles set off an intense effort within the DOD to discover the source of the leak. Hundreds of computer servers and desktop systems were seized at a number of locations, including U.S. Central Command at MacDill Air Force Base in Tampa, Florida, and from military bases in the Persian Gulf region, including the U.S. Naval base in Bahrain, Zatyko said.

In all, around 60T bytes of data, including data stored on computer hard drives and other data storage devices, was collected and brought back to the DOD's computer forensic lab at the DOD Cyber Crime Center (DC3), he said. A terabyte is a unit of measurement equal to 1,024G bytes, or 1,048,576M bytes.

One Times reporter was also subpoenaed for information pertaining to the leak, but that subpoena was quashed, according to Catherine Mathis, vice president of corporate communications at The New York Times Co.

At DC3, a team of DOD computer forensics investigators searched through the data looking for evidence -- such as an e-mail message or document transfer -- that would link a particular individual to a Times reporter, Zatyko said. Ultimately, the investigation failed, in part because of the challenge of sifting through the huge volume of data, he said.

"It was a 'needle in the haystack' case," Zatyko said. "The challenge is to reduce all that data and hone in on the document that was sent to the reporter."

The DOD investigators did discover a number of versions of a presentation that contained information linked to the articles, as well as e-mail messages to reporters. However, they could not find evidence that the presentation or other sensitive information was sent to the Times, and DC3's investigation ended at the end of 2003 without finding those responsible for the leaks, Zatyko said.

There are a number of possible explanations for why the investigation failed. The best explanation is that the information to the Times wasn't transferred digitally, Zatyko said. "They could have just printed it out and provided it (to the reporter) as a hardcopy document," he said.

The failure to find the source of the leak shows that reporters and their sources are getting sophisticated about covering their trail using information technology, said Bob Giles, Curator of the Nieman Foundation for Journalism at Harvard University. "The people inside the government are being smart about how they're (leaking information) and not doing it in a way that's going to get them caught," he said.

The DC3 is changing the way it conducts large computer forensic investigations in the wake of the case, Zatyko said.

In particular, the DC3 has established a section of its lab and a team of examiners just to work on cases with large data sets, replacing ad hoc teams created to address case requests as they came in. DC3 is also using a combination of commercial forensic software and proprietary tools to comb seized data stored on large capacity storage area networks (SANs) and network attached storage (NAS) devices.

The new DC3 approach replaced individual examiners working on separate workstations, which led to inconsistencies in the forensic examination process and duplication of effort between examiners, Zatyko said.

With the Iraq battle plan leak investigation closed at DC3, forensic investigators are trying out the new techniques on a more common source of large data set investigations: child pornography cases, he said.

"We're focusing on the child porn issue and moving out from there," Zatyko said.