Public investigation into SAS leads to deleted computer evidence
- Author, Joel Gunter, Hannah O’Grady, Rory Tinman
- Role, BBC News
As the BBC has revealed, the public inquiry into alleged war crimes committed by the SAS in Afghanistan has uncovered a previously deleted database that could contain crucial evidence.
The files were permanently deleted from a server by a British special forces contractor in 2016 during an SAS murder investigation.
But the public investigation team has now secured backups of the server – which is part of a special forces communications system codenamed “Sonata” – and is said to have been created before the files were deleted.
The backups likely contain information about SAS operations in which members of the elite regiment were suspected of unlawfully killing unarmed Afghan prisoners and civilians.
A spokesman for the investigation confirmed to the BBC that they had received the backups, adding: “We now have the relevant material and are considering a technical solution to retrieve and review the data to determine its relevance to the investigation.”
The spokesman said that over the course of several days of hearings on computer evidence last December, the inquiry team was contacted by someone offering access to the backups, but the inquiry declined to comment on the source of the offer.
This is the first time that investigators outside of the British Special Forces have obtained backup copies of Sonata, blocking previous attempts by the Royal Military Police (RMP) to copy the server.
To the horror of RMP investigators, in 2016 a contractor hired by the UK Special Forces (UKSF) during the murder investigation ran a program on the server that could irretrievably delete previously deleted files.
This process, known as ‘zeroing’, contravened the RMP’s explicit instructions to UKSF that no data should be tampered with before the server was copied.
Fight for the Sonata
During the force’s investigation into the SAS, the RMP quickly identified Sonata as a possible source of key evidence. However, according to lead investigator Maj Jason Wright’s internal log, the RMP’s efforts to access or copy the server met resistance and delays from the UKSF from the outset.
According to the logbook, Maj Wright, then a Captain, also encountered resistance within the RMP. He wanted to use the force’s legal powers to seize the server, but his superior, Gold Commander John Harvey, instructed Maj Wright not to use them.
After months of downtime, UKSF informed the RMP of its intention to migrate the server’s contents to a new system. If RMP investigators waited for this process to be completed, they would then be able to take physical possession of the old server and all data stored on it.
According to RMP Warrant Officer James Priddin, who led the technical effort to seize the server, this plan was agreed at the highest levels, following a “gentlemen’s agreement” between then-Director of Special Forces General James Chiswell and then-Head of RMP Brigadier General David Neal that the RMP would not seize the server using police powers.
Ministry of Defence documents disclosed during a court case several years later revealed that shortly before this agreement was concluded, Brigadier Neal had been accused by an RMP colleague of attempting to wrongfully close down a separate SAS murder investigation.
The RMP agreed to the delay, but placed a condition that no data stored on Sonata could be altered or deleted in any way during the migration process. The condition was communicated in writing to the Office of the Director of Special Forces, and a staff officer agreed in writing.
However, after further delays, the RMP was informed by the UKSF that a program called SDelete had been run on the server, which was specifically designed to permanently delete previously deleted files.
The contractor cited the reason for using SDelete as being to speed up the migration process by first permanently deleting deleted data and not migrating it unnecessarily.
The news shocked WO Priddin, who had personally received written assurances from UKSF that no data would be changed or deleted during the migration.
“The deleted data had been irretrievably removed from the hard drives,” he later wrote. “After that, it is impossible to determine what the data was. It was a clean, forensic deletion.”
Maj Wright wrote in his log that the deletions “were either inadvertent and caused by an error/communication breakdown within (UKSF HQ) or were a deliberate act to prevent RMP from accessing this data.”
Throughout the process, the server’s backups were never made available to the RMP by the UKSF. The RMP’s investigation was closed in 2019 and the backups remained unexamined until the public inquiry held a week of hearings into the deletions last December, after which someone came forward.
In a memo summarising the Sonata case, Maj Wright noted that this was not the first time data had been deleted from UKSF.
In 2010, during an earlier investigation into an alleged extrajudicial killing by the SAS, UKSF headquarters staff had “forensically wiped a client laptop the day before RMP had an opportunity to recover it,” Maj Wright wrote.
He added: “The deletion of evidence immediately before recovery by RMP is at best coincidental; at worst it can be viewed as suspicious.”
A Ministry of Defence spokesman said: “The Ministry of Defence is fully committed to supporting the independent inquiry into Afghanistan in its continuing work and it is therefore appropriate to await the outcome of its work before making any further comment.”
The RMP and General Chiswell also stated that they fully support the work of the Independent Commission of Inquiry into Afghanistan and that it would not be appropriate to comment while the investigation is ongoing.
Brigadier General Neal and Lt. Colonel Harvey did not respond to a request for comment.
Do you have information about this story that you would like to share?
Contact us via Safe dropa highly anonymous and secure way to report to the BBC using the TOR network.
Or with the Signal messaging appa fully encrypted messaging service to protect your data.
- SecureDrop: http://kt2bqe753wj6dgarak2ryj4d6a5tccrivbvod5ab3uxhug5fi624vsqd.onion/
- Call: 0044 7714 956 936
Please note that the SecureDrop link only works in a Tor browser. More information about security and anonymity can be found here.
What tips does the Utah Hockey Club have? – Deseret News
Travis Kelce revealed an intrusive thought as he carried Taylor Swift on stage
Charrier and Levi remind fans of “Book of Carol”
About The Author
