Agents Following Suspects' Lengthy Electronic Trail Web of Connections Used to Plan Attack

By David S. Fallis and Ariana Eunjung Cha Washington Post Staff Writers Thursday, October 4, 2001; Page A24

They booked airline tickets online. They used the Internet to learn about the aerial application of pesticides. They exchanged scores of e-mails.

The tech-savvy hijackers and alleged associates who orchestrated the attacks on New York and Washington appeared to use a web of electronic connections to plan and communicate in relative anonymity.

But their computer habits also left a lengthy electronic trail. A small army of law enforcement agents using subpoenas and at least one warrant under the Foreign Intelligence Surveillance Act (FISA) is working to chart the conspirators' path through the online clues they left behind -- and, possibly, to head off future acts of terrorism.

During the past three weeks, federal officials have visited libraries from Florida to Virginia, culling log-in sheets and seizing computer equipment where suspected hijackers and associates may have logged time. In searches across the United States, they have seized computers the suspects and alleged accomplices may have used.

Agents have handed out subpoenas and search warrants to just about every major Internet company, including America Online, Microsoft, Earthlink, Yahoo, Google, NetZero, Travelocity and many smaller providers.

One warrant issued under the FISA allows authorities to monitor e-mail, chat rooms and Web sites of an Earthlink user, said Dan Greenfield, vice president of communications for the Internet provider.

The orders have yielded hundreds of e-mails linked to the hijackers in English, Arabic and Urdu, according to a source. Some messages have included "operational details" of the attack, FBI sources said.

Authorities also have asked banks and credit card companies to scour their databases for information about the suspected hijackers and their associates.

Prosecutors in South Florida have subpoenaed records from ChoicePoint, one of the nation's largest information providers, sources said. Law enforcement officials want former addresses, job histories, property records and an array of other information about the alleged conspirators.

The number of digital leads for investigators to run down is "astounding," a source said. There is so much to sift through that the core FBI computer forensics team working on the 11th floor of the agency's headquarters on Pennsylvania Avenue has been augmented by more than 50 other specialists, most from other government agencies, spokeswoman Debbie Weirman said.

Among the leads the government is investigating are the origins of a threat against the United States made before the Sept. 11 attack and an online posting that sought information about how to create a short-wave radio Internet connection in parts of Afghanistan and Iran, a source said.

Federal agents are also trying to determine the significance, if any, of a message posted to a Yahoo financial discussion board at 6:59 p.m. Sept. 10. It predicted: "to the deapest part called the center of the earth by this wekend north east region will be destroyed new providance soon to fall apart."

But many of the electronic trails are dead ends, sources say.

The suspected terrorists took precautions to protect their communications, often using public terminals instead of dialing into computers from residences and motel rooms, sources said. Some used e-mail services that are largely anonymous and created multiple, temporary accounts. And investigators believe they may have used encryption or steganography -- the ancient practice of hiding messages within pictures and objects -- to trade information on the Web.

The computer experts' task also has been complicated by hoaxes, false tips, threats and even suspicious-looking messages posted by well-meaning citizens. One prankster created a Yahoo account for "Mohamed Atta" -- identified as one of the plot's leaders -- that lists one of his hobbies as "flying airplanes."

And investigators must act fast because each day computer systems automatically dump old data to make room for new information. With more than 1 billion computers on the Internet, there is no standard for which information is kept, or for how long. Some trails vanish in hours.

"All the stuff that falls away quickly has fallen away," said Fred Cohen, a computer security expert at Sandia National Laboratories. At the end of each month, he said, "a whole lot of information" is permanently destroyed.

The most solid evidence against the plotters may lie buried in the log files of companies that provide Internet access. The files track the dates and times of log-ins for each account. Using a phone number or Internet protocol address, law enforcement agents may be able to locate the computer of origin.

The FBI has declined to provide detailed information about its online sleuthing. But it is known that the hijackers booked at least nine of their tickets for the four doomed Sept. 11 flights on the Web, two to three weeks before the attack.

The suspects used public computer terminals at libraries in Florida. In Del Ray Beach, two of the suspected hijackers glared at a librarian as she watched them surf the Web for an hour.

In San Diego, a man, now detained, allegedly showed three of the suspected terrorists how to use the Internet, according to news reports. Zacarias Moussaoui, a French Moroccan man who was detained before the attack and is being held as a material witness, used a free Hotmail account to secure pilot training at a Norman, Okla., flight school.

Moussaoui, who has been linked to the terrorists through a telephone call he placed to a roommate of Atta's in Germany, came under suspicion when he sought flight training in Minnesota, telling instructors he needed to know only how to steer the plane, not to take off or land. The FBI lacked enough information to obtain a court order to search Moussaoui's computer until after the attack, when agents found that his hard drive contained information about crop-dusting taken from the Internet, Newsweek reported.

Another possible hint of the plot came two hours before planes crashed into the World Trade Center, when two employees of Odigo Inc. in Herzliya, Israel, received electronic instant messages declaring that some sort of attack was about to take place. The notes ended with an anti-Semitic slur.

"The messages said something big was going to happen in a certain amount of time, and it did -- almost to the minute," said Alex Diamandis, vice president of sales for the high-tech company, which also has offices in Lower Manhattan. He said the employees did not know the person who sent the message, but they traced it to a computer address and have given that information to the FBI.

In Hollywood, Fla., the FBI last weekend quizzed Paul Dragomir, manager at the Longshore Motel, about a visit in late August from two men he believes were hijackers Atta and Ziad Samir Jarrah, who demanded 24-hour Internet access.

Loaded down with baggage and laptops, the men signed in at the small pink beachfront motel using apparent aliases. They claimed to be computer engineers from Iran, Dragomir said, and said they were down from Canada to find jobs.

They booted up a laptop, showing Dragomir that they had NetZero Internet accounts. For the next few hours, Dragomir unsuccessfully tried to accommodate the men.

Then, "we all three went to their room. They had two laptops and different CDs on the bed. They were already plugged in and waiting for telephone lines," he said.

The need to be online at any moment suggests that the hijackers were looking for Web pages or messages that would signal progressive phases of the operation, experts said.

Dragomir said he refunded their $175 in cash and they left. "They got very angry. One of the guys said, 'You don't understand. We are here on a mission.' "

Staff writers Justin Blum, Scott Higham, Carol D. Leonnig and Robert O'Harrow Jr., and researchers Jeff Himmelman and Richard Drezen, contributed to this report.

-- Anonymous, October 04, 2001