Investigation of Remote Control Possibilities Anakata 2012-0201-BG25023-26

Jun 04, 2018

8/13/2019 Investigation of Remote Control Possibilities Anakata 2012-0201-BG25023-26 1/7

Investigation of remote control possibilities, regarding seizure 2012-0201-BG25023-26

During hearings with Gottfrid Svartholm Warg, the defendant has claimed that his computer, seizure 2012-0201-BG25023-26, has been remotely controlled via Terminal Services and Powershell Server.

The County Bureau of Investigation in Stockholm asked the Security Service whether there are signs of remote control on the operating system on the Windows partition of the mentioned seizure.

Conclusions:

Based on the facts and observations below, we make the assessment that the investigated computer has not been remotely controlled since the operating system was installed on 2011-0-11.

Details:

The operating system on the Windows partition has been reinstalled once. The current operating system, Windows 6 bit, was installed 2011-0-11. Files from the previous operating system are preserved in the windows.old directory. The contents of this folder have not been taken into account in this PM.

The Security Service has focused its investigation on the available logs and the firewall rules in the seizure, and makes the following conclusions about these:

The oldest entry in the operating system's security log is dated 2011-0-1.

The Security Service does not find any installed software that can be used for remote control.

The only installation of Powershell Server that the Security Service finds resides in the windows.old directory, and the timestamps for last modification and last access of this installation show 2011-03-0.

The Terminal Services/Remote Desktop service is not configured for remote control.

The logs that are tied to Terminal Server/Remote Desktop do not contain signs of external connections.

The RemoteConnectionManager log file is empty.

The LocalSessionManager log contains only references to the local computer.

The services for Terminal Server/Remote Desktop are not configured to be started automatically.

Timestamps for the registry keys connected to Terminal Server/Remote Desktop show that the configuration has not been modified since the operating system was installed.

The available logs and the rules of the local firewall have been searched for signs of the computer having been remotely controlled, without finding that remote control can be proven.

The built-in firewall is active and allows only incoming traffic that matches the rules set by the user. This applies to all firewall profiles.

The firewall is not configured to log blocked or allowed connections.

The Security Service has assessed that, among the programs that are allowed to communicate through the firewall, there are no programs that can have been used for remotely controlling the computer. See appendix 1 for a list of the active firewall rules.

No active listening network services with remote control ability are accessible through the local firewall.

The service for Windows Remoting is not configured for remote control.

The built-in firewall is not configured to allow Windows Remoting.

Timestamps for the registry keys connected to Windows Remoting show that the configuration has not been modified since the operating system was installed.

The remote management log file for Windows Remoting is empty.

The WinRM service has not started, according to the logs.

The built-in function for forwarding traffic via the netsh command, portproxy, does not show any forwarded TCP traffic.

The login-related events in the operating system's security log show no addresses other than 12.0.0.1 or 1.

User Account Control (UAC) is activated and configured to
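The memo's examination walks the same set of artifacts a defender would check when a remote-control claim has to be confirmed or ruled out on a Windows host: Remote Desktop configuration and service start types, the RemoteConnectionManager and LocalSessionManager logs, WinRM configuration and its operational log, firewall profiles and inbound allow rules, netsh portproxy entries, the source address of logon events, the age of the security log, and UAC. The script below is an added example written for this page; it is not the Security Service's own tooling and the memo describes no script. It assumes a live, elevated session on Windows 8 / Server 2012 or later (the NetSecurity cmdlets and the event-log names used here), whereas the memo examined a seized disk; registry last-write times, which the memo relied on, are not exposed by these cmdlets and are not collected here.

```powershell
# Added example (not from the memo): live-system triage of the remote-control surface
# the memo examined. Assumes an elevated PowerShell session on Windows 8 / Server 2012+.

$report = [ordered]@{}

# 1. Terminal Services / Remote Desktop: fDenyTSConnections = 1 means RDP connections are refused
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
$report['RDP_DenyTSConnections'] = $ts.fDenyTSConnections

# 2. Start type of the services involved (Manual/Disabled versus Automatic)
$report['Services'] = Get-Service -Name TermService, UmRdpService, WinRM -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType

# 3. Remote Desktop logs: RemoteConnectionManager 1149 = network connection accepted,
#    LocalSessionManager 21 = session logon, 25 = session reconnect (messages carry the source address)
$rdpLogs = @(
    'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
)
$report['RDP_Events'] = foreach ($log in $rdpLogs) {
    Get-WinEvent -LogName $log -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -in 1149, 21, 25 } |
        Select-Object TimeCreated, LogName, Id, Message
}

# 4. WinRM: configured listeners (WSMan: drive needs the service running, so an empty result
#    is itself a finding) and the operational log
$report['WinRM_Listeners'] = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue
$report['WinRM_Events'] = Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 5. Firewall: per-profile state and logging, then every enabled inbound allow rule with its port and program
$report['Firewall_Profiles'] = Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, LogAllowed, LogBlocked
$report['Firewall_InboundAllow'] = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = $port.LocalPort
            Program   = $app.Program
        }
    }

# 6. netsh portproxy: any listed entry means TCP forwarding is configured
$report['PortProxy'] = netsh interface portproxy show all

# 7. Logon events (4624) whose source is not the local host; LogonType 10 = RemoteInteractive (RDP), 3 = network
$localSources = @('127.0.0.1', '::1', '-', '')
$report['Remote_Logons'] = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
            Source    = $d['IpAddress']
        }
    } |
    Where-Object { $_.Source -notin $localSources }

# 8. Oldest security-log entry: bounds how far back the log can speak at all
$report['SecurityLog_Oldest'] = (Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue).TimeCreated

# 9. UAC: EnableLUA = 1 means UAC is on; ConsentPromptBehaviorAdmin shows the elevation prompt policy
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
$report['UAC'] = $uac | Select-Object EnableLUA, ConsentPromptBehaviorAdmin

$report
```

Two design points match the memo's reasoning. Each artifact is recorded separately rather than reduced to a single verdict, because the memo's conclusion rests on the absence of evidence across all of them, and the value of each (an empty RemoteConnectionManager log, a service set to Manual) is only meaningful alongside the others. Step 8 matters for the same reason: an empty log only supports "no remote control" back to the oldest surviving entry, which is why the memo ties its conclusion to the installation date.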


All listed firewall rules have the following columns in common; they have therefore been excluded from the table due to limited space. Inactive rules have not been included in the table either.

allowed computers: any
allowed users: any
override: no
enabled: yes

Jesper Blomström
IT Security Specialist
Dept. of Information Security and Preservation of Evidence in IT environments
Security Service
010-6 0 00