Following Politico’s publication of Supreme Court Justice Samuel Alito’s draft majority opinion that would overturn Roe v. Wade, Chief Justice Roberts confirmed that the leaked document was authentic and said he had “directed the Marshal of the Court to initiate an investigation into the source of the leak.” Whether or not the leak itself was illegal, the question of how a technical investigation of this document would proceed raises interesting questions for journalists as well as potential sources.
Leak investigators have three key areas in which to look for clues: the document itself, the environment in which the document circulated, and the potential identity of the source. Each area in turn offers lessons and opportunities for potential leakers to adopt anti-forensic strategies against future leak investigations.
Since the leaked opinion appears to be a scan or photocopy of a paper document rather than a transcription or recreation, the image can be analyzed for unique markings that could allow investigators to identify which particular physical copy of the document was leaked.
The front page carries several of these potentially unique identifying markers, including a highlighted title, a page fold, and what appear to be staple perforations.
Other pages also show subtle markings that could identify the specific hard copy that was leaked. For example, the lower left region of page 90 has a single stray dot; because it does not appear in the images of other pages, it is most likely a mark present only on that physical page rather than a speck of dust on the scanner bed.
If investigators were able to locate a physical copy of the document matching the characteristics found in the leaked file, they could conclude that this was the copy that was leaked. This matters because it could establish the provenance of the document, which could in turn narrow the list of potential leakers.
For example, if that physical copy was known to have been handled by specific people, those people would naturally fall under suspicion, although someone outside the intended chain of custody could also have obtained the physical copy, for instance by taking it from someone else’s desk or finding it on a photocopier. It is also possible that the original source of the document was digital and that the source printed a copy before disclosing it, or that Politico itself printed the digital copy before publishing it.
Investigators could also analyze the metadata of the digital version of the document with software such as ExifTool for clues as to when, where, how or by whom the digital copy was created. They could also take advantage of weaknesses in the PDF creation and redaction process, which can leave unintended and potentially identifying information behind in the digital document.
In addition to the document itself, leak investigators will likely examine the environment from which the leak originated. Modern office printers typically offer ancillary functions such as photocopying and scanning, and typically keep a log of the jobs they perform, which may record the file name, the number of pages, the date and time the job completed, and the username or IP address that initiated it. If the printer can also email a photocopy or scan of a document, the log can record which jobs were sent to which email addresses, and the device may even retain a copy of the digital document in its memory.
Investigators will likely audit printer and network logs to see which staff members opened or interacted with the document in question. They could also determine who had occasion to access the document as part of their day-to-day duties, where the particular copy of the leaked document was physically stored, and who had occasion to access that space.
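As an added illustration of the printer-log audit described above (this is example code written for this page, not anything from the original article or from any printer vendor), the script below parses a constructed job log of the kind a multifunction printer keeps and pulls out the jobs worth a closer look: anything in the date window whose page count is close to the leaked document’s, with scan-to-email jobs to addresses outside the organisation called out separately. The log format, the records, the 98-page document length, the date window and the set of internal mail domains are all assumptions made for the example.

```python
"""Auditing a multifunction printer's job log for a leaked document.

Added example, not code from the original article. The log format (one
job per line: timestamp followed by key=value fields) and the records in
SAMPLE_LOG are constructed to resemble a typical MFP job log; the document
length, the date window and the set of internal mail domains are assumed
parameters for the illustration.
"""
from datetime import datetime

# Constructed sample log, one job per line. The last line is deliberately malformed.
SAMPLE_LOG = """\
2022-04-25T09:12:41 job=1180 user=aclerk ip=10.0.12.21 type=print pages=12 doc=calendar.pdf
2022-04-25T14:03:05 job=1181 user=bclerk ip=10.0.12.22 type=copy pages=98
2022-04-26T22:14:03 job=1187 user=aclerk ip=10.0.12.21 type=scan-to-email pages=98 to=drop@mail.example.net
2022-04-27T08:55:19 job=1190 user=cclerk ip=10.0.12.23 type=print pages=98 doc=draft_opinion.pdf
2022-04-28T11:20:00 job=1193 user=bclerk ip=10.0.12.22 type=scan-to-email pages=3 to=bclerk@court.example
this line is garbage and must be skipped
"""

INTERNAL_DOMAINS = {"court.example"}   # assumed; any other recipient domain counts as external


def parse_job(line):
    """'TIMESTAMP key=value ...' -> dict, or None for a line that does not parse."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        rec = {"time": datetime.fromisoformat(parts[0])}
        for field in parts[1:]:
            key, _, value = field.partition("=")
            rec[key] = value
        rec["pages"] = int(rec.get("pages", 0))
    except ValueError:            # bad timestamp or non-numeric page count
        return None
    return rec


def is_external(address):
    """True when the recipient's domain is not one of ours."""
    return "@" in address and address.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS


def candidate_jobs(log_text, pages, start, end, tolerance=2):
    """Jobs inside [start, end] (ISO 8601 strings) whose page count is within
    `tolerance` of the leaked document's, each annotated with why it is of interest."""
    start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    hits = []
    for line in log_text.splitlines():
        rec = parse_job(line)
        if rec is None or not (start <= rec["time"] <= end):
            continue
        if abs(rec["pages"] - pages) > tolerance:
            continue
        reasons = [f"{rec.get('type', '?')} job of {rec['pages']} pages"]
        if rec.get("type") == "scan-to-email" and is_external(rec.get("to", "")):
            reasons.append(f"sent to external address {rec['to']}")
        hits.append({"job": rec.get("job"), "user": rec.get("user"), "ip": rec.get("ip"),
                     "time": rec["time"].isoformat(), "reasons": reasons})
    return hits


def audit(log_text=SAMPLE_LOG, pages=98, start="2022-04-24", end="2022-05-01"):
    """Convenience wrapper with the example's assumed parameters."""
    return candidate_jobs(log_text, pages, start, end)


if __name__ == "__main__":
    for hit in audit():
        print(hit["time"], hit["user"], hit["job"], "; ".join(hit["reasons"]))
```

The page-count match is deliberately loose (a cover sheet or a missing page shifts the count by one or two), and the recipient check only flags a job, it does not prove anything: a 98-page copy made at a shared device still has to be tied to a person through the username, the IP address or badge and camera records.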
Anomaly-based insider threat detection involves investigating personnel who display any kind of irregular behavior or activity. For example, if a staff member usually enters the office on workdays at 8:00 a.m. and leaves at 5:00 p.m., but the access logs show that he entered the office at 10:00 p.m. on a Saturday in the days preceding the leak, that finding would likely subject him to scrutiny, which could include review of available surveillance footage.
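To make the 8-to-5 example concrete, here is an added example (written for this page; not code from the original article or from any insider-threat product) that builds a per-person baseline from badge access history and flags recent events that fall outside it. The history is generated in code and the recent events are hand-written, all constructed for the illustration; the rule itself (a badge event on a day of the week the person has never badged on, or more than an hour outside the arrival-to-departure span seen in their history) is one simple formulation of the approach, not the only one.

```python
"""Baseline-and-deviation check on badge (door access) logs.

Added example, not code from the original article. Both the generated
history and the hand-written recent events are constructed; the two staff
members and their usual hours are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

STAFF = (("aclerk", 8, 17), ("bclerk", 9, 18))   # user, usual arrival hour, usual departure hour


def synthetic_history(weeks=6, start=datetime(2022, 3, 7)):
    """Weekday ENTRY/EXIT events for each staff member, with the minutes varied a little."""
    lines = []
    for day in range(weeks * 7):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:                      # no weekend badging in the baseline
            continue
        for user, arrive, leave in STAFF:
            lines.append(f"{d.replace(hour=arrive, minute=(day * 7) % 30).isoformat()} ENTRY {user}")
            lines.append(f"{d.replace(hour=leave, minute=(day * 11) % 45).isoformat()} EXIT {user}")
    return lines


# Constructed events from the days before a hypothetical leak; 2022-04-30 is a Saturday.
RECENT_EVENTS = """\
2022-04-26T08:10:00 ENTRY aclerk
2022-04-26T17:05:00 EXIT aclerk
2022-04-27T09:03:00 ENTRY bclerk
2022-04-27T18:20:00 EXIT bclerk
2022-04-30T22:04:00 ENTRY aclerk
2022-04-30T23:31:00 EXIT aclerk
""".splitlines()


def parse(line):
    ts, event, user = line.split()
    return datetime.fromisoformat(ts), event, user


def build_baseline(lines):
    """Per user: the weekdays ever seen and the earliest/latest hour of any event."""
    base = defaultdict(lambda: {"weekdays": set(), "earliest": 24.0, "latest": 0.0})
    for line in lines:
        ts, _, user = parse(line)
        hour = ts.hour + ts.minute / 60
        b = base[user]
        b["weekdays"].add(ts.weekday())
        b["earliest"] = min(b["earliest"], hour)
        b["latest"] = max(b["latest"], hour)
    return base


def flag_anomalies(baseline, lines, slack_hours=1.0):
    """Return (user, timestamp, reason) for every event outside that user's baseline."""
    flagged = []
    for line in lines:
        ts, event, user = parse(line)
        b = baseline.get(user)
        if b is None:
            flagged.append((user, ts.isoformat(), "no badge history at all"))
            continue
        hour = ts.hour + ts.minute / 60
        if ts.weekday() not in b["weekdays"]:
            flagged.append((user, ts.isoformat(), f"{event} on a {ts.strftime('%A')}, never seen before"))
        elif hour < b["earliest"] - slack_hours or hour > b["latest"] + slack_hours:
            flagged.append((user, ts.isoformat(), f"{event} at {ts.strftime('%H:%M')}, outside usual span"))
    return flagged


def audit(history=None, recent=None):
    """Baseline from `history` (default: the generated six weeks), then check `recent`."""
    baseline = build_baseline(history if history is not None else synthetic_history())
    return flag_anomalies(baseline, recent if recent is not None else RECENT_EVENTS)


if __name__ == "__main__":
    for user, when, why in audit():
        print(user, when, why)
```

Note what the check does and does not do: it ranks people for follow-up (the camera footage mentioned above), it does not identify anyone, and a source who keeps to their ordinary hours never appears in its output at all, which is exactly the point made later under the takeaways.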
Staff computer and phone usage, particularly web browsing, could also be analyzed to see whether anyone visited the news site that published the leak, in this case Politico, or other web pages of potential interest, such as those describing whistleblowers or leaks. Rudimentary analysis might involve searching desktop browsing history, while a more in-depth and sophisticated investigation would analyze network traffic logs to determine whether Politico was accessed from a mobile device connected to the office Wi-Fi. Of course, since Politico is a news website covering politics and policy, it is likely to appear in many staff members’ browsing histories and so would probably not be a particularly fruitful finding for investigators.
“Sentiment analysis” can also be performed as part of an insider threat investigation by examining the thoughts and opinions staff members express in office communications. This type of analysis could also draw on what is often referred to as “open source intelligence”, in the form of a review of staff social media posts to see whether anyone has expressed interest in Politico, thoughts about Alito’s opinion, or more general signs of discontent with their employer. Sentiment analysis may also include a review of staff posts on internal forums, as well as emails and private messages sent through employer-controlled channels, such as direct messages on Slack.
Takeaways for potential leakers
These potential leak investigation methods can also be read as lessons for future leakers who want to evade identification by adopting anti-forensic measures.
To reduce the amount of information investigators can glean from a leaked document, leakers could send reporters a transcript or reproduction of the document instead of the original source document itself. A transcription will not defeat a barium meal test, in which each individual is given a uniquely worded copy of the document (the more sophisticated forms of which deploy a natural-language watermark that subtly alters the syntactic structure of each version), but it would neutralize the other document-level attempts to identify the source copy. Transcription circumvents efforts to identify stray or intentional markings on a page, as well as positional watermarks such as subtle character- or line-spacing changes unique to each version of a document. Of course, this also makes it harder for journalists to verify the authenticity of a document, and care would have to be taken that the source did not leave identifying metadata in the transcript file.
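The metadata point applies on both sides: it is what an investigator checks with ExifTool (as mentioned earlier) and what a source must check before handing over a transcript. The following is an added example written for this page, not code from the original article and not ExifTool itself: a small pure-Python reader for a PDF’s classic document-information (/Info) dictionary, which is where the author, the creating application and the creation time usually live, together with a routine that blanks those values in place. The sample PDF is a constructed skeleton with made-up field values, and the reader ignores XMP metadata streams, so it is a check, not a substitute for a full sanitisation tool.

```python
"""Reading and blanking a PDF's document-information (/Info) dictionary.

Added example, not code from the original article. SAMPLE_PDF is a
constructed skeleton (no page content, no xref table) with made-up values.
Real files may also carry an XMP /Metadata stream, which this reader does
not parse, so confirm with a full tool (ExifTool, qpdf, mat2) before sending.
"""
import re

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Title (Transcript) /Author (jdoe) /Creator (Microsoft Word)
   /Producer (macOS Quartz PDFContext) /CreationDate (D:20220426221403-04'00') >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# /Key (literal string); the inner group tolerates backslash escapes such as \) inside the string.
_ENTRY = re.compile(rb"/([A-Za-z0-9]+)\s*\(((?:\\.|[^\\)])*)\)")


def _info_object(pdf):
    """Regex match for the dictionary the trailer's /Info entry points at (None if absent)."""
    ref = re.search(rb"/Info\s+(\d+)\s+0\s+R", pdf)
    if not ref:
        return None
    obj = re.compile(rb"(?<!\d)" + ref.group(1) + rb"\s+0\s+obj\s*<<(.*?)>>\s*endobj", re.S)
    return obj.search(pdf)


def info_dict(pdf):
    """Metadata fields as {name: value}; empty if the file has no /Info dictionary."""
    m = _info_object(pdf)
    if not m:
        return {}
    return {k.decode("latin-1"): v.decode("latin-1") for k, v in _ENTRY.findall(m.group(1))}


def identifying_fields(pdf):
    """Names of /Info fields that still carry a non-blank value: what a source
    should expect to be empty before handing over a transcript."""
    return [k for k, v in info_dict(pdf).items() if v.strip()]


def blank_info(pdf):
    """Overwrite every /Info string value with spaces of the same length.
    Keeping the length unchanged leaves existing xref byte offsets valid, so
    the file still opens; a proper tool would rewrite the file instead."""
    m = _info_object(pdf)
    if not m:
        return pdf
    out = bytearray(pdf)
    for e in _ENTRY.finditer(pdf, m.start(1), m.end(1)):
        out[e.start(2):e.end(2)] = b" " * (e.end(2) - e.start(2))
    return bytes(out)


if __name__ == "__main__":
    for k, v in info_dict(SAMPLE_PDF).items():
        print(f"{k:14} {v}")
    print("still identifying after blanking:", identifying_fields(blank_info(SAMPLE_PDF)))
```

Run against the sample, `info_dict` reports the author login, the word processor and a timestamp with a UTC offset, each of which narrows the pool of sources on its own; after `blank_info` the `identifying_fields` check returns nothing.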
It is best to avoid office equipment when copying a document, but using personal equipment can also be risky. Source camera identification is the forensic process of identifying the camera that took a particular photo. Sometimes this identification can rest on obvious characteristics such as visible scratches on a lens or dead pixels on the sensor. In other cases the unique features of an image are not visible to the naked eye but derive instead from the unique image sensor noise each camera produces, known as photo-response non-uniformity (PRNU).
In other words, if leaked photographs of a document were to emerge and leak investigators had particular suspects in mind, they could analyze the photos those suspects have posted on social media to see whether they algorithmically match the noise pattern in the leaked photos. When making audio recordings or photographs, it is therefore preferable to adopt a one-time-use principle: use a temporary device such as a cheap camera or smartphone that serves only the needs of the leak, then discard the device.
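To show why a suspect’s social media photos are enough, here is an added example (written for this page; not code from the original article or from any forensic tool) of the PRNU matching idea in miniature. Two sensors and the photographs they take are simulated in pure Python: each sensor has a fixed per-pixel gain pattern, a reference fingerprint is estimated from several “published” photos of camera A, and a new photo from each camera is scored against it. The image size, the 5% pattern strength, the read-noise level and the 3x3 box filter standing in for a real wavelet denoiser are all assumptions of the simulation.

```python
"""Toy photo-response non-uniformity (PRNU) source-camera matching.

Added example, not code from the original article. Sensors and scenes are
simulated so the script runs offline; real work uses a suspect's published
photos (or flat-field shots of a seized camera) and a wavelet denoiser.
"""
import math
import random

H = W = 48           # image size in pixels (small so pure Python stays quick)


def make_sensor(rng, strength=0.05):
    """A sensor's PRNU: fixed per-pixel gain deviation K, so a pixel reports scene * (1 + K)."""
    return [[rng.gauss(0.0, strength) for _ in range(W)] for _ in range(H)]


def make_scene(rng):
    """A smooth, camera-independent scene: a gradient plus one soft blob."""
    cx, cy, amp = rng.uniform(0, W), rng.uniform(0, H), rng.uniform(20, 60)
    return [[120 + 40 * x / W + amp * math.exp(-((x - cx) ** 2 + (y - cy) ** 2) / 200)
             for x in range(W)] for y in range(H)]


def capture(sensor, scene, rng, read_noise=2.0):
    """Photograph `scene` with `sensor`: multiplicative PRNU plus random read noise."""
    return [[scene[y][x] * (1 + sensor[y][x]) + rng.gauss(0, read_noise)
             for x in range(W)] for y in range(H)]


def box_filter(img):
    """3x3 mean filter with clamped edges; the stand-in for a real denoiser."""
    out = []
    for y in range(H):
        row = []
        for x in range(W):
            total = 0.0
            for dy in (-1, 0, 1):
                for dx in (-1, 0, 1):
                    total += img[min(max(y + dy, 0), H - 1)][min(max(x + dx, 0), W - 1)]
            row.append(total / 9)
        out.append(row)
    return out


def noise_residual(img):
    """W = I - denoise(I): what is left once the scene content is removed."""
    smooth = box_filter(img)
    return [[img[y][x] - smooth[y][x] for x in range(W)] for y in range(H)]


def estimate_fingerprint(images):
    """Reference pattern K_hat = sum_i(W_i * I_i) / sum_i(I_i^2), pixel by pixel."""
    num = [[0.0] * W for _ in range(H)]
    den = [[0.0] * W for _ in range(H)]
    for img in images:
        res = noise_residual(img)
        for y in range(H):
            for x in range(W):
                num[y][x] += res[y][x] * img[y][x]
                den[y][x] += img[y][x] ** 2
    return [[num[y][x] / den[y][x] for x in range(W)] for y in range(H)]


def correlation(a, b):
    """Normalised cross-correlation of two equally sized 2-D arrays."""
    fa = [v for row in a for v in row]
    fb = [v for row in b for v in row]
    ma, mb = sum(fa) / len(fa), sum(fb) / len(fb)
    cov = sum((p - ma) * (q - mb) for p, q in zip(fa, fb))
    va = math.sqrt(sum((p - ma) ** 2 for p in fa))
    vb = math.sqrt(sum((q - mb) ** 2 for q in fb))
    return cov / (va * vb)


def match_score(fingerprint, img):
    """Correlate the image's residual with K_hat * I (PRNU is multiplicative in the content)."""
    expected = [[fingerprint[y][x] * img[y][x] for x in range(W)] for y in range(H)]
    return correlation(noise_residual(img), expected)


def run_demo(seed=7, reference_photos=8):
    """Fingerprint camera A from its 'published' photos, then score one new
    photo from A and one from B against it. Returns (same_score, other_score)."""
    rng = random.Random(seed)
    camera_a, camera_b = make_sensor(rng), make_sensor(rng)
    published = [capture(camera_a, make_scene(rng), rng) for _ in range(reference_photos)]
    fingerprint = estimate_fingerprint(published)
    leaked_from_a = capture(camera_a, make_scene(rng), rng)
    leaked_from_b = capture(camera_b, make_scene(rng), rng)
    return match_score(fingerprint, leaked_from_a), match_score(fingerprint, leaked_from_b)


if __name__ == "__main__":
    same, other = run_demo()
    print(f"same camera: {same:.3f}   different camera: {other:.3f}")
```

The two scores separate cleanly even though the scenes differ and the fingerprint was never built from the leaked frame itself, which is the whole point: the pattern is a property of the sensor, not of the picture. Resizing, recompression and a real denoiser change the numbers but not the principle, and a device used once and discarded leaves no published reference set to compare against.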
To avoid triggering anomaly detection, potential leakers might consider making document acquisition part of their normal routine rather than engaging in unusual behavior such as badging into the office at odd hours or downloading files in bulk. Likewise, leakers should avoid browsing media outlets at work, on their personal devices as well as, of course, their work devices. It is also best to avoid expressing any kind of disagreement or dissatisfaction with employer policies or decisions in any corporate, public or personal forum (including during happy hour), since rigorous insider threat monitoring watches for exactly such behavior.
Leaks and the investigations that follow them are a back-and-forth between forensics and counter-forensics, operational security and its failings. Although the risk of source identification can never be entirely eliminated, there are various practical technical countermeasures that can reduce the additional risk to sources who are already at great risk.