/* HRSVEA, B6402-13, Jesper Blomström, 2013-09-04 HEARING WITH SECURITY SERV

1. /* HRSVEA, B6402-13, Jesper Blomström, 2013-09-04
2. HEARING WITH SECURITY SERVICE'S AUTHOR OF "INVESTIGATION OF REMOTE CONTROL
3. POSSIBILITIES 2012-0201-BG25023-26" FROM THE LOGICA/NORDEA TRIAL AGAINST
4. ANAKATA. TRANSCRIPTED AND TRANSLATED BY QNRQ.SE (@QNRQ)
5. NO COPYRIGHT, ONLY LOVE.
6.  
7. SECURITY SERVICE'S FORENSIC'S REPORT (ENGLISH): http://minfil.org/wj8s2CNoSUxIyFmVlPHc6VNYLtMw4a71/sfa7deb9b3/investigation_of_remote_control_possibilities_2012-0201-BG25023-26.pdf
8. AUDIO RECORDING (SWEDISH): http://minfil.org/Qdc2dab7ba/HRSVEA__B6402-13__Jesper_Blomstr_m__Inspelning_1__15689677.mp2
9.  
10. DURING TRIAL JESPER ADMITS THAT ANAKATA'S COMPUTER COULD HAVE BEEN REMOTELY
11. CONTROLLED VIA THE FOLLOWING PYTHON CODE:
12.  
13. import socket, subprocess
14.  
15. s = socket.socket(socket.AF_INET, socket.SOCK_STREAM))
16. # Bind to port 9999 (example) on any network device
17. s.bind(("", 9999))
18. s.listen(1)
19. # Accept connections from clients
20. conn, addr = s.accept()
21.  
22. # Loop forever
23. while 1:
24. # Read command sent from client
25. data = conn.recv(1024)
26. # Close link if no command is received
27. if not data: break
28. print("[+] Connection established")
29. # Execute received command
30. output = subprocess.check_output(data.decode().rstrip())
31. # Send output of executed command back to the client
32. conn.send("OUTPUT\n------\n".encode())
33. conn.send(output)
34.  
35. conn.close()
36. */
37.  
38.  
39. JUDGE: This is a hearing with Jesper Blomström and the prosecutor begins.
40. HENRIK: Thank you very much. Just a short... Yes, you know that we have had this hearing now in the Appeal Court with this Jacob Applebaum and you were present at the police hearing with him also.
41. JESPER: Mm...
42. HENRIK: And he questions, well we can say quite a lot, about the conclusions and writings that is in this PM that you stand as author of that is on page 411 until page 417 in the investigation material. A PM that is dated 14th March 2013. I can say that during the end of this long hearing there are two writings, if I understand Jacob Applebaum, perhaps that wasn't very easy, then he means that there are direct errors or at least inconsistency connected to this. The first thing that I would like to ask you about, but perhaps before I enter these general points, you also know that there has been a general questioning that has been discussed in the Appeal Court process, we have also talked about it continously. I will very easily ask the first question: do you still stand for the conslusions that you made in this PM?
43. JESPER: Yes, I do. I have authored this PM together with a co-worker that I dare claiming is one of best on Microsoft and Windows in Sweden, but I am the one that stand for all conslusions. But we have helped each other when writing it. I also think that it's important to read the introduction of the PM when reading the conclusions, because we were given a task from the Stockholm County Police department that the computer had been remotely controlled first through one way that we investigated and then another that we controlled, so that you have that in the back of your head when you read the PM. With all facts in hand, since there has emerged a discussion, that perhaps I should have expanded the explanations additionally or that I should have formulated myself a bit softer in certain ways, but I definitely stand for the conclusions.
44. HENRIK: When you say that perhaps you should have formulated yourself a bit softer, is there something in particular that you are thinking about? I know that you have looked at this PM.
45. JESPER: It's when we write that we don't see any programs that have been used for remotely controlling the computer. Based on the given task and the circumstances then in those frames we don't see any traces.
46. HENRIK: When we have asked, both lawyer Salomonsson and I, this Jacob Applebaum about these various firewall rules that are attached as attachment 1 in this PM, then he pushes on various, if I understand correctly, possibilities for remote control via various programming languages and some debugger and OpenVPN server and... How do you look at, for example in these programming languages Neko and Python, do you know anything about those programming languages?
47. JESPER: Yes, Python definitely. Neko I have learned about in relation to Haxe and other languages, but yes I know what they are. But it must be clear when reading this that these are only rules that show programs and what they are allowed to do. It doesn't say anything about whether the program is even running or not. It is required that a program is running and accepts connections for it to be possible to remotely control a computer, that's the first. And secondly the programs that are specified in the firewall don't even have to exist, they are only rules that we see here. And it's a lot of rules, I know. It can be worth adding that we haven't looked at every every file in every computer, because it's like a giant haystack with enormous, thousands, of files in various ways. And then we would need to go through each individual program: is it this one that has remotely controlled, is it this, is it this, and that whole part. There hasn't been any investigation like that on the computer because there is simply not enough time.
48. HENRIK: And then I would like to enter these specific points that have been questioned. The first one on page 412, I know that lawyer Salomonsson reported previously on this. Under... the latest point on the rules and so forth. It goes like this: "no active network services with remote control possibilities are accessible via the local firewall". Here Jacob Applebaum says: that is wrong.
49. JESPER: Then I can say that he hasn't been with us when we have started the computer to see what is actually spinning on the computer; which services are available, which programs are running waiting for remote control, if there would be any, which we haven't discovered.
50. HENRIK: What does this mean then: "no active network services with remote control possibilities are accessible via the local firewall". Can you explain what that sentence means?
51. JESPER: Yes, if you now have a program that would enable remote control then that program must be running somehow on the computer. Either by starting it or that it is starting automatically. And then if we take Remote Desktop, which would be the normal way of remotely controlling a Windows computer this way, we have concluded that it is not automatically started and it does not allow such login or remote control. It hasn't been started at all since July 2011, when the computer was reinstalled. Those are the conclusions that we, that I, have made.
52. HENRIK: So that conclusion, you still stand by that?
53. JESPER: Yes.
54. HENRIK: The second point which was questioned is the second last on page 413 which says "the login related events that occur in the operating system's security log show no other source addresses than 127.0.0.1 or ::1".
55. JESPER: Yes, Windows has a behavior like that by default in itself that there are various services that perform logins against the operating system itself. Those are entirely normal events that have occured there in the security log.
56. HENRIK: And once again, what does this mean? "The login related events that occur in the operating system's security log show no other source addresses than 127.0.0.1" and so forth.
57. JESPER: Now we are beginning to dig into technical complexity, it's not like I have answers to everything since I wrote this together with a co-worker, but we have not found any traces of remote control performed by another computer.
58. HENRIK: What does these two source addresses mean?
59. JESPER: 127.0.0.1 is a way to describe the local computer, and ::1 is another way of describing it. So...
60. HENRIK: So that means that no others, in the operating system's security log, there are no other addresses indicating logins except these internal ones, if we can call them that?
61. JESPER: Exactly. In my impression the system has a function that it logs into itself.
62. HENRIK: And then I also understood Applebaum like that this statement would be contradictory in relation to the first: "no active network services with remote control possibilities are accessible via the local firewall", that the latter would show that the first is wrong. Do you have any comments on that?
63. JESPER: No, I feel that I'm not really able to comment that. There is nothing that contradicts something else.
64. HENRIK: What is it that (inaudible)
65. JESPER: No, but we are going into such advanced technical details that we need to ask those really good Windows people I think to straighten out how Windows sub systems work and that whole part, if we are going into that detail.
66. HENRIK: No. But you still stand by these conclusions in relation to task that you were given?
67. JESPER: Yes, that's how it is.
68. HENRIK: Thank you, no more questions.
69. JUDGE: Salomonsson.
70. OLA: Perhaps you can't answer that, but Applebaum (inaudible) activity, so he is on this level and can express himself. Do you know anything about his person? The prosecutor was on the line of asking him if he has an academic education, do you know anything about Applebaum so to say, in the IT world? You live with IT a lot.
71. JESPER: Yes, I do. I know nothing about his academic background and all that, but...
72. OLA: It's not that, it's irrelevant. It's the knowledge, not how it's acquired.
73. JESPER: I dare saying that the person that has authored this PM is probably significantly sharper on Microsoft and Windows internals so to say.
74. OLA: Then we should take him here, I think. I would like the name of that person.
75. JESPER: Mm...
76. OLA: And who is that?
77. JESPER: He is sitting over there, Jörgen Olofsson.
78. OLA: And why haven't we gotten to know this before we almost close the case?
79. JESPER: I have said that...
80. OLA: Wait a little, this is a question to the prosecutor. Why is this coming here now? Applebaum is going to be on a plane tomorrow to the European Parliament, this is something that... you should know, this is something that we on the defender side have said that this is a relevant part. If we go back to this that the prosecutor read, this "there are no active listening network services accessible". How did you start the computer, do you remember that?
81. JESPER: We have mirrored it and created an identical environment as he has had on the computer. So we started it in many ways and investigated it.
82. OLA: But isn't it like that, I understand that, it doesn't start automatically? Is it like that?
83. JESPER: Which one?
84. OLA: The computer.
85. JESPER: The computer. A computer doesn't start automatically.
86. OLA: No, not his. That it's started manually so to speak, after...
87. JESPER: A computer? Surely you can start it manually, yes.
88. OLA: Starting the program.
89. JESPER: That's another thing, yes. You can start programs manually, yes. But if you look at for example Remote Desktop, which has occurred in hearings earlier would be a way to remotely control the computer, then that is nothing that has started automatically and that service hasn't been started at all since July 2011.
90. OLA: And you can see that?
91. JESPER: Yes.
92. OLA: OK. Let's see, this with... What the prosecutor read on 413, "the login related events that occur", that is also a conclusion that you stand by. But, can they have connected to OpenVPN, do you know that?
93. JESPER: OpenVPN is not a remote control program in itself. I have noticed that OpenVPN has existed, a VPN is something that is established if you want to communicate securely over an insecure network, like the Internet, then you establish an encrypted tunnel so to speak and this OpenVPN, my impression is that they have used OpenVPN to connect out and remotely control other computers, but it's nothing that automatically enables anybody else to remotely control your computer just because OpenVPN is installed.
94. OLA: Is there a way to connect inwards?
95. JESPER: Yes, how, we must ask then? Just because OpenVPN server, it doesn't enable that anybody gets access to the server. From there you must use for example Remote Desktop to connect.
96. OLA: I will, can I show you something?
97. JESPER: Absolutely.
98. OLA: This, if you look at this. It's the same thing as I showed earlier. This is a program.
99. JESPER: Yes.
100. OLA: You recognize that also I think.
101. JESPER: Yes, it's a Python program with some kind of remote control...
102. OLA: When you see this, do you know if you have been looking for things like this in seized material, primarily in the Macbook?
103. JESPER: I repeat the introduction of the PM. We were given a task from the County Police that it has been remotely controlled so, so or so differnt ways. And that has been our primary focus. Then we have expanded this search and thought that OK, can we see any other traces, some other logs from remote control? What you are showing for me is some sort of Python program/script and I can't answer to if that exists on the computer or not. What we see in the firewall rules is that it allows Python to communicate, if I remember correctly. What I believe that means is that someone has made some kind of Python program/script that needs network access for something. It can be downloading a website, communicating with a website or anything...
104. OLA: Or remotely controlling the computer.
105. JESPER: We can't entirely exclude that, if I formulate it that way. Yes, someone can have written a complete remote control program in Python and that is what is allowed. You are right about that.
106. OLA: I am only asking from my side... Wait, Gottfrid. The question is actually only, as I have understood, you haven't searched for it, and that is not intended as critique.
107. JESPER: No, I understand.
108. OLA: You have these directives that you talk about, and this does not fit within those directives as I understand. The searching for this.
109. JESPER: No, then we would need to go into every file on the computer to see the programs. Just because it says python.exe in the firewall rules, it's not certain that it is Python. It can be anything.
110. OLA: The question is... Let's see, I have something else here just let me find it.
111. JESPER: Mm.
112. OLA: I am assuming, Jesper, that you speak English fairly well.
113. JESPER: It's OK, mm.
114. OLA: (inaudible) look at these points here that are marked in green, then we will soon clarify for the Appeal Court what this is.
115. JESPER: Let's see, which context is this... It's some...
116. OLA: You can look at that last row and then you understand a little bit, and then (inaudible). Considering this task to check the computer, I would think that this is...
117. JESPER: Mm, wait... Mm, yes.
118. OLA: What I have shown you now, Jesper, is also material that has been received but I can't say with which authority it is written. But it is so to speak a manual of how to search computers for reaching the conclusion of: guilt or innocense, which is exercised in other countries. Now you're looking at these points, and I'm asking generally: have you done for example these checks?
119. JESPER: Mirroring the harddrives as early as possible which it said somewhere in the beginning, we did that, absolutely. And we have wished that the Cambodian police would do things a certain way, for example waiting for the Swedish police before conducting the raid.
120. OLA: Is there anything here that you spontaneously feel, in regards of the material, that hasn't been done in this investigation?
121. JESPER: Well, there are many things. We haven't gone through all programs on the entire computer, and since we haven't gone through all programs then we haven't investigated all programs for being trojans either. But I must also add that I have actually all pieces of the puzzle here, and it's not only a matter of the technology but...
122. OLA: No, but we can agree on that. I don't have any more questions then.
123. GOTTFRID: Yes, yes, yes (whispers)
124. OLA: Yes, that's right. I think that during a comppleting hearing with you, Jesper, you spoke about locked... Let's see, I will find the question. We spoke about editing the logs despite them possibly being locked by the operating system, do you remember that?
125. JESPER: Yes, and that is regarding Windows logs, the event logs that are connected to the various security...
126. OLA: I think it was like this, that you earlier in that hearing said that it's impossible to edit the files then.
127. JESPER: No, they are locked by a sub system in Windows, it's not just a text file residing there that you can put NULL into and such things. I can add another thing that I reacted on when I sat listening to this earlier witness with Holmboe, Richard who was heard, where he says that it's possible to clean these logs with for example scripts for PowerShell that he has said. But the thing is that even if you do that you will get row which says that the log has been cleaned.
128. OLA: Yes, he said that.
129. JESPER: He said that? OK. I didn't pick that up, but OK.
130. OLA: Editing leads to cleaning, so there is still some kind of result.
131. JESPER: Yes.
132. OLA: Then the question is, in this context, isn't it possible to access, via direct access, is that correct? Disk access, direct access to the disk.
133. JESPER: Yes, exactly.
134. OLA: To evade this.
135. JESPER: The lock, yes.
136. OLA: I don't think you touched on that subject earlier, but you can do that.
137. JESPER: We spoke then about the problems with someone remotely accessing it to edit these things simultaneously, which is very hard since they are locked. That requires you to do things that are very difficult.
138. OLA: Then that's that. Do you know that, or if, there are available tools for this?
139. JESPER: I don't dare answering exactly what tools are available, but I definitely believe that it exists.
140. OLA: Sap 2(?), do you know what that is?
141. JESPER: I have heard about it, but I...
142. OLA: Mm... (Gottfrid writes down question, judge and Ola speaking irrelevance.) We are doing it like this since I think it's better if I ask the question than if Svartholm Warg does it himself.
143. GOTTFRID: For example.
144. OLA: I will take this with you Jesper.
145. JESPER: Mm...
146. OLA: If you know of available guides and tools for cleaning event logs in Windows?
147. JESPER: I know that there has been, but I don't know if anything has changed with Windows 7 for example, it's...
148. OLA: I understand from the question that there are available tools for specifically Windows making it available for more or less anybody.
149. JESPER: Mm, I don't dare answering which possibilities exist right now for that type of operating systems, 64 bit Windows 7.
150. OLA: I have gotten a name, Metasplit.
151. GOTTFRID: Sploit!
152. OLA: Perhaps you don't want to say that.
153. JESPER: Yes, I know of Metasploit, mm...
154. OLA: It's probably something like that, but maybe you don't know what it is.
155. JESPER: It's something more than specifically cleaning logs, it's a complete framework for doing all kinds of things in relation to offensive actions.
156. OLA: And then an argumentative question from Gottfrid, how is it that you with that background say that it's impossible?
157. JESPER: If we think about it like this then, I don't know what (inaudible), but let's assume getting access to a computer and only moving in the RAM, perhaps things like that can be done to avoid leaving traces and that is correct, you can do that. But you will have problems as soon as the computer restarts, which it has done many times, you would also need to survive a reinstall for remote control and that's not possible for anybody.
158. OLA: Then I think we are finished with that.
159. JESPER: Thank you.
160. JUDGE: Is it finished?
161. OLA: It's finished!