Bin Laden himself would first write emails on his offline computer, save them to a thumb drive and pass it to a trusted courier, who would then travel miles away from Abbottabad to an Internet cafe and send the Al-Qaeda leader's messages by copying and pasting them. That same courier would also copy all of the replies to Bin Laden onto a thumb drive and take them back to the compound for Bin Laden to read on his computer.
The Navy SEALs reportedly gathered 100 flash memory drives after they killed bin Laden, containing thousands of email messages and hundreds of email addresses. These are expected to lead to a small flood of subpoenas to email providers demanding connection IP addresses and account holder details.
Al-Qaeda operatives are known to change their email addresses often, and it is likely that many of those email addresses have already been closed down. Email providers, however, do not erase all of the data from their servers straight away: it can be kept for years after the account has been closed down, though most likely months. Email contents are not typically stored, but the last connection IP address with time and date are. Bin Laden’s computer hard disk also contained a huge amount of electronic documents that are still being looked into by Arabic translators working for the US Government.
Computer forensics on Bin Laden's computer
The forensic analysis of Bin Laden’s computer could be carried out by the National Media Exploitation Center (NMEC), a little-known Department of Defense organisation that is designated as “clearinghouse for processing DoD collected documents and media”. Their priorities are likely to be discovering imminent plots and finding Al-Qaeda operatives living in the USA.
The most likely scenario is that a wide range of standard law enforcement computer forensics software (EnCase, FTK, Sleuthkit) will be used; they will not rely on just a single tool. Assuming no encryption was used, the forensics software will first index everything on the machine, allowing for quick manual keyword searches. Terrorists are known to use keywords for their targets and comrades, which makes law enforcement work much more difficult when documents are leaked and conversations overheard.
Al-Qaeda encryption software
The US Department of Defense isn’t revealing if Bin Laden was using any encryption, but it is known that a few years back Al-Qaeda supporters released, via an Islamic forum called Al-Ekhlaas, an encryption program called Mujahideen Secrets 2. It was the second release of this encryption software targeted at Al-Qaeda supporters. It can encrypt emails, securely wipe data and encode encrypted text messages as ASCII for easy posting on bulletin boards and websites.
This custom Al-Qaeda encryption tool, still used, provides different encryption algorithms, including AES, with symmetric encryption keys (256 bit) and asymmetric encryption keys (2048 bit). It can be run from a USB thumb drive for use at an Internet cafe; there is no need to install it on your computer.
As good as the Asrar al-Mujahideen encryption tool can be, one downside of using this custom tool to encrypt messages is that the encrypted messages always start with the unique text: “#—Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit—”. This gives away that the user is likely an Al-Qaeda supporter, since this encryption software is not publicly available for download.
The Al-Malahem Media Foundation from Al-Qaeda in the Arabian Peninsula (AQAP) publishes an online English-language magazine called Inspire Magazine that always ends with three different contact email addresses and a copy of their public encryption key created with Mujahedeen Secrets.
Al-Qaeda in the Arabian Peninsula (Yemen) has proved itself an adaptable, professional terrorist organization that ditched traceable mobile phones in favour of walkie-talkies and uses coded names. They routinely use encryption for emails when they must send them.
A copy of Mujahedeen Secrets 2 encryption software, with an English interface and Arabic instructions, can still be downloaded from the US Government funded Internet Archive website: http://ia600403.us.archive.org/33/items/Asrar-Mujahideen/new_asr_v2_4.rar
The .rar file is password protected with: Asrar@_EkLaAs.TsG@[$^/!p@]z-2008
UPDATE 2016: It has recently been confirmed in the news that Yahoo Mail, acting under a secret US subpoena, was mass scanning all email traffic in real time to detect messages containing the identifier header that this software adds, and reporting them to law enforcement for further investigation.
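The fixed banner described above, and the scanning mentioned in the 2016 update, come down to signature matching on decoded message bodies. The following is an added example, not code from this article or from any provider: it shows why a raw byte search misses a banner inside a base64-encoded MIME part and how decoding each part first fixes that. The dash tolerance and all sample messages are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Banner wording as quoted in the article. The dash style is an assumption:
# typography may turn "---" into an em dash, so any dash run is accepted.
DASH = r"[-\u2010-\u2015]+"
BANNER = re.compile(
    r"#\s*" + DASH + r"\s*Begin\s+Al-Ekhlaas\s+Network\s+ASRAR\s+El\s+"
    r"Moujahedeen\s+V2\.0\s+Public\s+Key\s+2048\s+bit\s*" + DASH,
    re.IGNORECASE,
)

def find_banner(raw: bytes) -> list[str]:
    """Return the content type of every text part that carries the banner."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        try:
            text = part.get_content()  # undoes base64 / quoted-printable
        except (LookupError, UnicodeError):  # unknown or broken charset
            text = part.get_payload(decode=True).decode("utf-8", "replace")
        if BANNER.search(text):
            hits.append(part.get_content_type())
    return hits

def make_sample(body: str, cte: str) -> bytes:
    """Build a constructed test message (not real traffic)."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content(body, cte=cte)
    return m.as_bytes()

WORDS = "Begin Al-Ekhlaas Network ASRAR El Moujahedeen V2.0 Public Key 2048 bit"
PLAIN = make_sample(f"#---{WORDS}---\n(constructed body)\n", "7bit")
ENCODED = make_sample(f"#\u2014{WORDS}\u2014\n(constructed body)\n", "base64")
BENIGN = make_sample("Meeting moved to 3pm.\n", "7bit")

if __name__ == "__main__":
    for name, raw in [("plain", PLAIN), ("base64", ENCODED), ("benign", BENIGN)]:
        naive = b"Al-Ekhlaas" in raw  # what a raw byte search would see
        print(f"{name}: naive={naive} decoded={find_banner(raw)}")
```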