SAS war crimes inquiry obtains huge cache of new evidence, BBC reveals

Getty The SAS worked alongside Afghan special forces units on night raids during the height of the conflict. Getty
The SAS worked alongside Afghan special forces units on night raids during the height of the conflict

The public inquiry into alleged SAS war crimes in Afghanistan has obtained a previously deleted cache of data that could hold crucial evidence, the BBC can reveal.

The files were permanently erased from a server by a UK Special Forces contractor in 2016, during a murder investigation into the SAS.

But the public inquiry team has now secured backups of the server – part of a Special Forces communications system codenamed "Sonata" – believed to have been created before the files were erased.

The backups are likely to contain information about SAS operations on which members of the elite regiment were suspected of unlawfully killing unarmed Afghan detainees and civilians.

A spokesperson for the inquiry confirmed to the BBC that they had obtained the backups, adding: “We now hold the relevant material and are exploring a technical solution to retrieve and review the data to determine its relevance to the investigation.”

The spokesperson said the inquiry team was approached during several days of hearings about computer evidence last December by someone offering them access to the backups, but the inquiry declined to comment on the source of the offer.

This is the first time backups of Sonata have been obtained by investigators outside UK Special Forces, which blocked previous efforts by the Royal Military Police (RMP) to copy the server.

To the dismay of the RMP investigators, a contractor hired by UK Special Forces (UKSF) during the murder investigation in 2016 ran a program on the server designed to permanently erase previously deleted files.

This process, known as "zeroing", flew in the face of explicit instructions the RMP had given to UKSF that no data should be tampered with before the server could be copied.

Battle to obtain Sonata

The RMP quickly identified Sonata as a potential source of key evidence during the force’s investigation into the SAS, but according to the internal logbook of lead investigator Maj Jason Wright, the RMP’s efforts to obtain or copy the server encountered resistance and delays from UKSF from the outset.

According to the logbook, Maj Wright – who was then a captain – also met resistance from within the RMP. He wanted to use the force’s legal powers to seize the server, but his senior officer, Lt Col John Harvey, who was the Gold Commander, directed Maj Wright not to use them.

After months of stalemate, UKSF informed the RMP that it planned to migrate the contents of the server over to a new system, and that if the RMP investigators would wait for this process to be completed it could then take physical possession of the old server and all the data on it.

According to RMP Warrant Officer James Priddin, who led the technical effort to obtain the server, this plan was agreed at a high level following a “gentleman’s agreement” between then-Director Special Forces Gen James Chiswell and then-head of the RMP Brig David Neal that the RMP would not seize the server using police powers.

Ministry of Defence documents disclosed during a court case several years later showed that shortly before this agreement was made, Brig Neal had been accused by a fellow RMP officer of trying to improperly close down a separate SAS murder investigation.

The RMP agreed to the delay, but set the condition that no data stored on Sonata could be in any way modified or deleted during the migration process. The stipulation was issued in writing to the office of the director of UK Special Forces, and a staff officer replied in writing to agree.

But, following further delays, UKSF informed the RMP that a program had been run across the server called SDelete, which is specifically designed to permanently erase previously deleted files.

The reason given by the contractor for the use of SDelete was that it sped up the migration process by first permanently erasing deleted data, rather than migrating it unnecessarily.

But the news shocked WO Priddin, who had personally received the written assurance from UKSF that no data would be modified or deleted during the migration.

“The deleted data had been permanently erased from the hard drives,” he would later write. “There is no way of understanding what the data was afterwards. It was a clean, forensic delete.”

Maj Wright wrote in his logbook that the deletions were “either unintentional and caused by error/communication breakdown within [UKSF headquarters] or an intentional act to prevent RMP from accessing that data”.

Throughout the process, the backups of the server were never made available to the RMP by UKSF. The RMP’s investigation was wound down in 2019, and the backups sat unexamined until the public inquiry held a week of hearings about the deletions last December, prompting someone to come forward.

In a memo summarising the Sonata case, Maj Wright would note that this was not the first time data had been deleted by UKSF.

In 2010, during a previous investigation into an alleged extrajudicial killing by the SAS, UKSF headquarters staff had “forensically wiped a laptop client machine the day before RMP had the opportunity to recover it”, Maj Wright wrote.

He added: “The deletion of evidence immediately prior to recovery by RMP is coincidental at best; at worst, this may be deemed suspicious.”

A spokesperson for the Ministry of Defence said: “The MoD is fully committed to supporting the Independent Inquiry relating to Afghanistan as it continues its work and so it is appropriate we await the outcome of its work before commenting further.”

The RMP and Gen Chiswell also said that they fully support the work of the Independent Inquiry relating to Afghanistan and that it would not be appropriate to comment while the inquiry was ongoing.

Brig Neal and Lt Col Harvey did not respond to a request for comment.

Grey line

Do you have information about this story that you want to share?

Get in touch using SecureDrop, a highly anonymous and secure way of whistleblowing to the BBC which uses the TOR network.

Or by using the Signal messaging app, an end-to-end encrypted message service designed to protect your data.

  • SecureDrop: http://kt2bqe753wj6dgarak2ryj4d6a5tccrivbvod5ab3uxhug5fi624vsqd.onion/
  • Signal: 0044 7714 956 936

Please note that the SecureDrop link will only work in a Tor browser. For information on keeping secure and anonymous, here's some advice on how to use SecureDrop.

Grey line