8/13/2019 Investigation of Remote Control Possibilities Anakata 2012-0201-BG25023-26
1/7
Investigation of remote control possibilities, regarding seizure
2012-0201-BG25023-26
During hearings with Gottfrid Svartholm Warg the defendant has claimed that his computer, seizure 2012-0201-BG25023-26, has been remotely controlled via Terminal Services and Powershell Server. The County Bureau of Investigation in Stockholm asked the Security Service if there are signs of remote control on the operating system on the Windows partition in the mentioned seizure.
Conclusions:
Based on the facts and observations below we make the assessment that the investigated computer hasn't been remotely controlled since the operating system was installed on 2011-0-11.
Details:
The operating system on the Windows partition has been reinstalled once. The current operating system, Windows " bit, was installed 2011-0-11. Files from the previous operating system are preserved in the windows.old directory. The contents of this folder have not been taken into account in this PM.
The Security Service has focused its investigation on the available logs and firewall rules in the seizure and makes the following conclusions around these:
The oldest entry in the operating system's security log is dated 2011-0-1.
The Security Service does not find any installed software that can be used for remote control.
The only installation of Powershell Server that the Security Service finds resides in the windows.old directory, and the timestamps for last modification and last access of this installation show 2011-0!-0.
The Terminal Services/Remote Desktop service is not configured for remote control.
Those logs that are tied to Terminal Server/Remote Desktop do not contain signs of external connections.
The RemoteConnectionManager log file is empty.
The LocalSessionManager log contains only references to the local computer.
The services for Terminal Server/Remote Desktop are not configured to be started automatically.
Timestamps for registry keys connected to Terminal Server/Remote Desktop show that the configuration has not been modified since the operating system was installed.
Available logs and the rules of the local firewall have been searched for signs of the computer having been remotely controlled, without finding that remote control can be proven.
The built-in firewall is active and allows only incoming traffic which matches the rules set by the user. This applies to all firewall profiles.
The firewall is not configured to log blocked or allowed connections.
The Security Service has assessed that, amongst the programs that are allowed to communicate through the firewall, there are no programs that can have been used for remotely controlling the computer. See appendix 1 for a list of valid firewall rules.
No active listening network services with remote control ability are accessible through the local firewall.
The service for Windows Remoting is not configured for remote control.
The built-in firewall is not configured to allow Windows Remoting.
Timestamps for registry keys connected to Windows Remoting show that the configuration hasn't been modified since the operating system was installed.
The remote management log file for Windows Remoting is empty.
The WinRM service has not started according to the logs.
The built-in function for forwarding traffic via the netsh command, portproxy, does not show any forwarded TCP traffic.
The login-related events that occur in the operating system's security log show no other addresses than 127.0.0.1 or ::1.
User Account Control (UAC) is activated and configured to
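The checks listed above, gathered into one live-triage script as an added example (not part of the report): it assumes an administrator PowerShell 5 session on Windows 8.1/Server 2012 R2 or later, reads the standard event channel names that correspond to the RemoteConnectionManager, LocalSessionManager and WinRM logs the report names, and leaves out the registry key last-write timestamps (those need reg.exe or the Win32 API, and the report worked from a disk image rather than a running system).

```powershell
# Live collection of the remote-control indicators examined in the report.
# Assumes an elevated PowerShell 5+ session on Windows 8.1/Server 2012 R2 or later
# (NetSecurity and NetTCPIP modules present). Channel names below are the
# standard Windows event log names for the logs the report refers to.
function Get-RemoteControlIndicators {
    $r = [ordered]@{}
    # Remote Desktop: service start type and fDenyTSConnections (1 = RDP disabled)
    $r.TermServiceStartType = (Get-Service -Name TermService).StartType
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $r.RdpDenied = (Get-ItemProperty -Path $tsKey).fDenyTSConnections
    # Windows Remoting: service start type and configured WS-Man listeners
    $r.WinRMStartType = (Get-Service -Name WinRM).StartType
    $r.WinRMListeners = @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue).Count
    # Record counts of the RDP and WinRM operational channels (0 = empty log)
    foreach ($log in 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
                     'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
                     'Microsoft-Windows-WinRM/Operational') {
        $r[$log] = (Get-WinEvent -ListLog $log).RecordCount
    }
    # Firewall profiles: enabled, default inbound action, logging of allowed/blocked
    $r.FirewallProfiles = Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, LogAllowed, LogBlocked
    # Enabled inbound allow rules and the program each admits (cf. appendix 1)
    $r.InboundAllowRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        ForEach-Object { [pscustomobject]@{ Rule    = $_.DisplayName
                                            Program = ($_ | Get-NetFirewallApplicationFilter).Program } }
    # netsh portproxy entries (no table rows = no forwarded TCP traffic)
    $r.PortProxy = netsh interface portproxy show all
    # TCP listeners, i.e. services reachable if the firewall admits them
    $r.Listening = Get-NetTCPConnection -State Listen |
        Select-Object LocalAddress, LocalPort, OwningProcess
    # Source addresses of successful logons (event 4624) other than loopback or none
    $r.NonLocalLogonSources = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624} -ErrorAction SilentlyContinue |
        ForEach-Object { (([xml]$_.ToXml()).Event.EventData.Data |
            Where-Object Name -eq 'IpAddress').'#text' } |
        Where-Object { $_ -and $_ -notin @('127.0.0.1', '::1', '-') } | Sort-Object -Unique
    # UAC: EnableLUA = 1 means active; ConsentPromptBehaviorAdmin is the prompt level
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $r.UAC = Get-ItemProperty -Path $uacKey | Select-Object EnableLUA, ConsentPromptBehaviorAdmin
    [pscustomobject]$r
}

Get-RemoteControlIndicators | Format-List
```

A non-empty NonLocalLogonSources list, a non-zero WinRMListeners count or rows under PortProxy are the findings that would have contradicted the report's conclusion and warrant a closer look at the corresponding log.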
All listed firewall rules have the following columns in common, hence they have been excluded from the table due to limited space. Neither have inactive rules been included in the table.
allowed computers: any
allowed users: any
override: no
enabled: yes
Jesper Blomström
IT Security Specialist, Dept. of Information Security and Preservation of Evidence in IT environments
Security Service
010-" 0 00