MH17: как и кто?

Информация о пользователе

Привет, Гость! Войдите или зарегистрируйтесь.


Вы здесь » MH17: как и кто? » Против официальной версии » Макс + Яна MH17 - 5 years onv


Макс + Яна MH17 - 5 years onv

Сообщений 1 страница 30 из 178

1

https://www.dropbox.com/s/o3s03aqzz1g4p … d.pdf?dl=0

OG IT Forensic Services   https://ogitforensics.com/AboutUs.html

2

1

Digital Forensic Services
Digital Forensic Reporting – Final Report V1.0
Bonanza Media
MH17 Video and Audio Forensic Analysis
Case: OGIT-001-095-08-04-2019

Prepared By:
Rosen, Akash MSc, CHFI, GCIH, Assoc. ICFA, HCME
Computer Incident Response & Forensics
26th May 2019

3

2
Bio of Akash Rosen (A.Rosen)
Hancom Certified Mobile Forensic Examiner – HCME
Certified Hacking & Forensic Investigator – CHFI
SANS Hackers Techniques and Incident Handling – GCIH
#18524
Associate Member of Institute of Certified Forensic Account
(0212221)
Master’s in computer science (Dec 2010)
University of Malaya, Malaysia
Bachelor of Science Degree in Computer Science (2002)
University of Technology Malaysia
Certificate in Data Processing (1998)
Polytechnic Sultan Ahmad Shah

Location: Malaysia
A.Rosen is the founder of the 1st Private Digital Forensic Investigation firm, OG IT Forensic
Services in Malaysia (ogitforensics.com). He has been providing digital forensic services
for private companies in Malaysia since early 2010. He is an expert in Cyber Security Incident
Response and Digital Forensics Investigation on all types of cybercrimes.
A.Rosen holds a master’s in computer science, achieved various certifications and has
undergone security technical training such as Global Information Assurance Certification (GIAC)
Certified Incident Handler (GCIH), and Certified Hacking & Forensic Investigator (CHFI). He is also
an Associate Member of the Institute of Certified Forensic Accountants (CFA).
A.Rosen has been working closely with law agencies, other International Digital Forensic
Investigators and Forensic Accountants mainly handing digital crimes and providing relevant
digital evidences related to financial frauds, IP infringement, contractual/employment issues,
data theft and many other types of cybercrime.
Since early 2010, A.Rosen, had been providing digital forensic analysis and verification
services such as computer forensics, mobile phone forensic, email forensics, audio & voice
biometrics, video forensics, digital images & pdf file forensics, social networking analysis, cloud
forensics, database forensics, live security incident response and IoT forensics now.
A.Rosen also provides cyber intelligence investigation solutions for banking and law
enforcement agencies and support them by providing the latest awareness and prevention of
cybercrimes such as due diligence countermeasures in respect of anti-money laundering,
intelligent fraud, targeted threat Intelligence, and many more.
A.Rosen has appeared as an expert witness in Malaysian courts and support many legal
departments of local and international companies in digital forensic investigation for financial
fraud, data theft and other digital crime cases.
He has been working for more than 15 years in the IT Security field where he worked
mostly on various types of security technologies, provided security solutions (including security
risk consultation) and gained significant experience as well as developed the first global security
operation center in a MSC Status company handling real time monitoring and investigating
security threats for more than 100 clients globally.

4

3

List of some of the court cases being an expert witness as Digital Forensic Investigative


1. A case of audio recording verification of an old parent (father) who had passed away. This
was a litigation on property. Authenticity of audio for tampering - Dec 2014
Civil Case No: 22NCVC-314-03/2012 (Kuala Lumpur)
Expert Witness: Yes
2. A conversation in audio conference recording system was recorded with the account owner
and the banking personal allegedly approving the money transfer. Voice biometric analysis on
the bank account owner to verify the speakers – Dec 2015
Suit No. 1047 of 2013 (Singapore)
Expert Witness: Not Required
3. Verification of audio recording performed by SPRM (Suruhanjaya Pencegah Rasuah
Malaysia). Engaged by a lawyer.
Criminal Case No: 61R-2-04/1250 (SJ4) (Johor Bahru)
Expert Witness: Not required
4. Raw oil stock was manipulated. This is financial fraud case – Jul/Sept 2016
Johor High Court Case No: 22NCVC – 28 – 02 / 2014 (Johor Bahru)
Expert Witness: Yes
5. An employer had transferred funds into an employee account and claim the employee had
done fraud – Oct 2013
Criminal Case No: 62D-(383-385)-10/2011 & 62D-(326-347)-9/2011 (Shah Alam)
Expert Witness: Yes
6. 2 directors had moved company’s money out of country, evidence was stored in old mobile
which was claimed not extractable – Apr 2014
Civil Case No: 22NCVC-78-01-2012 (Shah Alam)
Expert Witness: Yes
7. Spear phishing/email fraud by international fraudster causing loss of USD30 Million.
Civil Case No: 22NCC-465-12/2014 (Labuan/Kuala Lumpur)
Expert Witness: Yes
8. Audio Forensic and Verification of audio files for any tampering which is the main evidence of
the defence – May 2016
High Court Case No: 22NCC-135-05/2015 (Kuala Lumpur)
Expert Witness: Yes
9. Sales team diverting corporate business to own and Competitor Company – May 2016
Penang High Court: PA-22NCvC-78-05/2016
Expert Witness: Yes

5

4
10. Software house internal fraud. Full email acquisition and forensics analysis – Jul 2016
High Court Case No: 22NCC-312-10/2015 (Penang)
Expert Witness: Required
11. A small case involving a family matter – Apr 2017
Court Case No: PA-33-367-10/2016 (Penang)
Expert Witness: Not required
12. Mobile phone audio verification - Mac 2017
Kuching High Court Case: KCH-22NCvC-10/2-2014 (Kuching)
Expert Witness: Required
13. Anthon Piller Order – Jul 2017
Penang High Court Civil Suit: 22NCvC-91-05/2016 (Penang)
Expert Witness: Required
14. Software development dispute – Oct 2017
KL High Court Case No: WA-22NCVC-91-02/2017
Expert Witness: Required
15. Financial fraud case in logistic sector – Oct 2017
Kuala Lumpur High Court Case: BA-22NCVC-463-08/2016
Expert Witness: Required
16. Internal property matter - Nov 2017
Shah Alam Court: BA-B52NCVC-127-04/2016
Expert Witness: Yes
17. Sales Fraud Case – Jan 2018
Ipoh High Court Case No: AA-22NCVC-38-05/2017
Expert Witness: Required
Submit Forensic Report to Commercial Crime Investigation Department – Ipoh
Ref No: JK KPN 168/17 No Repot: 478/18
18. Business fraud/property matter
Kuching High Court Case No: 22NCVC-10/3/2016
Expert Witness: Required
19. Mobile Phone Chat Verification - Jun 2018
Penang High Court Case No: PA-22NCvC-184-09/2017
Expert Witness: Yes
20. Mobile Phone Chat Communication – WhatsApp Verification
Negeri Sembilan High Court: NA-22NCVC-63-10/2017
Expert Witness: Yes

6

5

21. Mobile Phone Chat Communication – WhatsApp, WeChat and Emails
Butterworth Sesyen Court: PB-A52NCC-57-07/2018
Expert Witness: Yes
22. Audio, Video and Photo Verification
Shah Alam High Court: BA-23NCvC-38-12/2018
Expert Witness: Yes
23. Many other digital forensics/cyber-crime investigative cases dealt with internal
management team
Education:


Certifications:

- Cisco Certified Network Associate - CCNA 2002
- Cisco PIX Firewall (CSPFA - Course) 2003
- Sun Solaris Administrator I & II & III (SCSA - Course) 2003
- Checkpoint System Administrator - CCSA (Course) 2005
- Hack In The Box, Hand on Hacking - Zone H 2007
- ITIL Foundation V2 2007
- Talent Selection 2007
- ITIL Foundation V3 2008
- Certified Hacking & Forensic Investigator - CHFI 2008
- HITB - Web Application Security Advance Attack & Defense 2008
- Manager Excellence Training 2009
- Managing People Through Change 2009
SANS Hackers Techniques and Incident Handling (GCIH #18524)
Dec, 2010
- Kepner & Tregoe (KT) Jan, 2011
- ITIL V3 – Intermediate Operational Support & Analysis (OSA)
Mac, 2011
- Associate Member of Institute of Certified Forensic Account (0212221)
Mac, 2012
- Managing Risk in The Enterprise
Apr, 2012
- Attending Security Conferences till now

7

6

Work History:


Private Digital Forensic Investigator/Examiner – Feb 2011 – Now
• Digital Forensic Investigation (on Computer hard disk, mobile, clouds,
social networking, audio & video etc…) for local clients in Malaysia, Borneo
and aboard
• Handling/Investigating Digital Crime (Financial Fraud & Data Theft) cases
with Forensic Accountant/Lawyers
1. Total Financial Fraud Cases in Malaysia worth of < RM200 Mil – 6
2. Total Financial Fraud Cases outside of Malaysia worth of > RM200 Mil - 2
3. Others/Data Theft Cases > 50 cases both inside and outside of Malaysia
• Perform LIVE Security Incident Response on any compromised systems
• eDiscovery & Digital Investigation Case Management expertise
- all types of media, digital files, multimedia files (audio/videos/images)
• Email server and client verification and forensic analysis
• Image/Picture Forensic Analysis on editing and counterfeiting
• Steganography Analysis (Image and Files- docs/PDF)
• Audio and Video Forensic analysis for any manipulation/ tampering
- Video Recording (With Audio)
- CCTV Video Analysis
- Verification of audio files from media
- Audio transcript capturing (listening and reporting with support of
audio forensic tools)
- Image/Video Ballistics
• Voice Biometric/Printing Forensic Analysis
- Audio recordings identification from camera and mobile phones
analysis for speaker
• Social Networking analysis (Fb, Twitter, Internet mails, G+, etc...)
• Analyze Digital Evidence (ESI) and writing report to be presented in court
• Provide testimony in court as an expert witness for digital forensic
evidences
Mahkamah Kuala Lumpur (High Court), Mahkamah Shah Alam (High
Court), Johor High Court, etc...
• Working closely with law firms and law enforcement as below;
- Commercial Crime Division, Royal Malaysian Police, etc...
• Provide Cyber security awareness for Law Enforcement and private
industries
• Design and Setup digital forensic labs and provide standard of Digital
Forensics process

8

7

• Integrations solutions for SIEM/SIRT/eDiscovery/Incident Mgmt. tools
(PTK/INCMan/FTK/EnCase, Paraben, Belkasoft, Magnet, Intella, Cellebrite,
Systools, etc...)
• Mobile forensic expert – Device Seizure, Oxygen, Cellebrite, Mobiledit,
Tarantula, etc...)
• Audio/Video Forensic (Verifeyed, Audition, EVB, SISII,etc...)
• Open Source Digital Forensic Training (DEFT,SIFT - and education hands
on)
• Malware Botnet/Cyber Intelligence solution providers in Malaysia
• Reseller Digital Forensic solutions
- Paraben (USA), DFlabs (Italy), Decision Group (Taiwan), FFT (India),
Group-IB (Russia), CyFIR (US), IntelCrawler (US), etc…
• Computer Forensic Group, Consortium of Digital Forensic Specialist Group
and Mobile Forensic & Investigation Group
• Network Forensic Analysis and Threats monitoring using Open Source
Intelligence
• Security Incident Management solution provider
• Data recovery and analysis
• Provide Social Networking Analysis and cloud forensics acquisition
• Cloud forensic analysis and e-discovery
• Degaussing and Destroying data services
Other Information Security Experience:
Global Security Operation Center – APJ (GSOC APJ) Technical
Delivery Expert, Jun 2007 – Feb 2011 - EDS
The Global Security Operations Centers (GSOC) provides 24x7 staffed
centers for monitoring and managing all aspects of enterprise security (IDS,
IPS, WIDS, AV and SIEM) on a consolidated basis.
• Operation Management of GSOC APJ (Asia Pacific Japan) (multiple large
clients of all types of industries – Financial, Banking, Insurance, Energy,
Food, Gambling, etc..) - Mostly APJ and US Accounts
• Monitoring of all types of Security Events/Alerts/Attacks – both from
standard Security Dashboard and leveraged Security Management
Consoles: IBM ISS Site Protector, HP Tipping Point, MC Afee NSM,
Sourcefire Defense Center and Cisco SecureWork
• Provide In-Depth Security Incident Investigation
(identification/containment/eradication) for all types of attacks/threats
• Provide recommendation and consultation on current security
threats/malicious code

9

8

• Working with GSIRT/Forensic team on Access Data - eDiscovery
• Prepare alert handling document and standardize the process for each
Client/Environment.
• Involved in escalations and perform client liaison role with Account Security
Officers (ASO) for any security incident
• Involved in analyzing risk (risk assessment) from current security trend for
the clients
• Work closely with GIS Engineering for new tools/system for future mode of
operation (FMO) – Investigations tools, incident mgmt. tools
• Work with End Point Security, SIEM, IDS/IPS, GSIRT (Forensic), TVMR team
for GSOC Services
• Growth and planning for GSOC worldwide (tools for Future Mode of
Operation), work closely with GIS Engineering team
• On boarding new account to GSOC (testing/implementing), leveraged
solution
• Review and provide security consultant on Infrastructure Security - GSOC
worldwide
• Certified ISO 20000 for GSOC APJ
Other roles;
• Holding a Security Expert role within EDS Security
• Involve and conduct a triage call with GCIRT for real security incident
response
• Manage team perform Vulnerability Assessment
• Perform Live Security Incident Response for local clients
• Compile and gather IDS alert trend for network forensic analyst from all
source of Cyber Security Provider
▪ IBM ISS - X-Force
▪ ThreatLinq – Tipping Point
▪ MC Afee NSM - Intruvert
▪ SourceFire - VRT
▪ iDefense, Bugtraq, CVE
▪ Other Security sites Symantec, CERT, Microsoft, Redhat,
Solaris, IBM, etc..
• Testing Proposed Security Solution/Product/Research with the team
Information Security Analyst/Advance/Specialist, Nov 2003 – Jun
2007,
EDS

10

9

Perform hands on Security Technical for Local Clients and some other
regions
- UNIX Security Hardening (all platforms)
- UNIX Security Management (Patching/Access Management)
- Firewalls Implementation/Deployment/Management
- VPN/RAS Security Implementation/Management
- Proxy server management and email server security
- IBM ISS IDS/IPS Deployment/Management/Monitoring/Reporting
- Vulnerability Management and Web Application Penetration Testing
- Involvement in Security Projects/RFP and Security Solutions
- Representing Security and involve directly in all client
meetings/projects.
- Compliance and Audit management
- Data Security – File Security/File Transfer Security/Encryption/DLP
- End Point Security – AV for Local Clients
- Security Access Management
- Provide security risk assessment and roadmaps along with growth to
the clients
- Security Incident handling and forensic analysis
- PABX and audio call recording system security management
- Others ad hoc requirements, being able to help in any technical related
task
https://d.radikal.ru/d36/1907/a1/6a673ac3297c.png

текст

Relevant Technical Expertise:
UNIX (Solaris, IBM-AIX, HP-UX)/Linux (Redhat,
/Ubuntu)
Firewall Engineering/Management (PIX,
Checkpoint)
IDS/IPS Management (IBM ISS, McAfee NSM,
Source Fire, Tipping Point, Cisco)
Server Hardening (UNIX)
Information Infrastructure Security
Vulnerability Scanning & Penetration Testing
CIRT / Security Monitoring & Incident Handling
Security Attacks/APT/Investigation
Security Research/Testing Tools/Exploiting
VPN/Key Management/RAS
Security Identity Management
Compliance and Audit Management
ISO ISMS Certification

11

10

https://c.radikal.ru/c32/1907/6e/7b4cf7da42a4.png

текст

SIEM (RSA Envision, ArcSight, Snare, Tripwire,
Sensage, Secure Work)
Application Security Assessment
Computer Forensic/Analysis
Open Source Forensic
Mobile Phone Forensic/Analysis
Handheld Forensics/Analysis
Malware Analysis
Image, Video, PDF Forensic Analysis
Audio Video Forensic
Video Biometric

Relevant Project Expertise:
Business Process (Involved In Business Team)
Solution Architect Team
Managing Projects (Mostly Security related)
Security Risk Assessment/Management
Relevant Industry Expertise:
Financial/Insurance/Banking/IT
Industry/Energy/Healthcare/Automotive/Retail
Medical
Others
Relevant Services Delivery:
ITIL Standards
Enterprise Security Services – Infrastructure
Security
Digital Forensic Expert and Consultations

12

11

List of training provided by Akash Rosen:


i. BAR Council Kuala Lumpur - Fundamentals of Digital Forensic Evidence, KL, MY - March
2015
ii. ii. BAR Council Penang - Fundamentals of Digital Forensic Evidence, Penang, MY - Sept
2015
iii. 5th Annual Practical Forensic Auditing and Fraud Investigation Technologies, - Singapore
- Oct 2015
iv. Global Legal Confex 2016 Challenges in the Global Legal Industry: Digital Forensic
Evidences Challenges, Singapore - Feb 2016
v. Management Science University (MSU) - Computer Forensic Challenge -Digital Forensic:
Open Source Digital Forensic - Shah Alam, MY - Mac 2016
vi. 6th Annual Practical Forensic Auditing and Fraud Investigation Technologies, Kuala
Lumpur, MY - May 2016
vii. 10th Annual Alliance IFA Meeting (Talk on Digital Forensic), Kuala Lumpur, MY - Nov
2016
viii. Management Science University (MSU) - Computer Forensic Challenge - Mobile
Forensics - Shah Alam, MY - Dec 2016
ix. A Guide and Workshop for Forensics Skills, Kuala Lumpur - April 2017
x. Fundamentals of Digital Forensic Evidences, RHB Bank, KL, - May 2017
xi. Digital Evidence Workshop for Akademi Audit Negara 23rd -24th Oct 2017
xii. CYFRIC – UTM Digital Forensic Competition 2017 – Main Judge – 28th Oct 2017
List of cases online


1. Seeking the source of the data breach - 23/11/2017
https://themalaysianreserve.com/2017/11 … ta-breach/
2. Fake CORs costing Customs dearly – 13/11/2017
https://www.thestar.com.my/news/nation/ … documents/
3. Vodafone bags the Guinness World Record for creating largest ZooZoo album – 11/08/2016
https://brandequity.economictimes.india … m/53649310
4. a.Mesiniaga faces contingent liability of RM8.2m in suit by Amanah Raya 07/03/2017
https://www.theedgemarkets.com/article/ … amanahraya
b. Mesiniaga cautions of RM8.23mil potential liability if it loses civil suit – 08/03/2017
https://www.thestar.com.my/business/bus … ivil-suit/

13

12

Contents
Digital Forensic Reporting – Final Report V1.0............................................................................................ 1
1.0 Document Control......................................................................................................................... 14
1.1 Distribution List............................................................................................................................... 14
1.2 Purpose........................................................................................................................................... 14
1.3 Disclaimer ....................................................................................................................................... 14
1.4 Terminology .................................................................................................................................... 15
1.5 Case Information............................................................................................................................. 16
1.6 Forensic Analysis Process................................................................................................................ 17
1.6.1 Video Forensic Process Flow .................................................................................................... 19
1.6.2 Audio Video Forensic Analysis Process..................................................................................... 20
1.7 Executive Summary......................................................................................................................... 23
1.8 Timeline ........................................................................................................................................ 25
2.0 Acquisition and Verification .......................................................................................................... 26
2.1 Video Source Details ....................................................................................................................... 26
2.1.1 Video 1 - SSU, Radio interception of conversations between terrorists, "Boeing-777" plane
crash ................................................................................................................................................. 27
2.1.2 Video 2 - MH17 crash: leaked tape proven FAKE by audio analysis. Анализ перехвата
разговоров ополчения ДНР. ........................................................................................................... 31
2.2 Video Acquisition and Verification .................................................................................................. 36
3.0 Video File Analysis and Audio Findings Statements ...................................................................... 44
3.1 Video File Analysis and Statements................................................................................................. 44
3.2 Audio Track Analysis and Finding Statements................................................................................. 48
3.3 Video 1 Metadata - SSU, radio interception of conversations between terrorists, Boeing-777 plane
crash.mp4 ............................................................................................................................................. 55
3.4 Video 2 Metadata - MH17 crash leaked tape proven FAKE by audio analysis. Анализ перехвата
разговоров ополчения ДНР..mp4....................................................................................................... 60
4.0 Video 1 Analysis - SSU, radio interception of conversations between terrorists, Boeing-777 plane
crash.mp4 ................................................................................................................................................. 65
4.1. Audio 1, Track-1 – Duration 0:18.4 – 0:36.1, Conversation between I.Bezler ("Bes") and Vasyl
Mykolaiovych Geranin (9031921428) ................................................................................................... 72
4.2 Audio 2 - Track 2, Track 3 & Track 4 – Duration 0.43.3 – 1:49.0, conversation between Major and
Grek ...................................................................................................................................................... 78
4.2.1 Audio 2, Track-2 - 0.43.3 - 0.52.9 - Conversation between Major and Grek. ........................... 79
4.2.2 Audio 2, Track-3 – Duration 0.54.5 - 1:08.0, conversation between Major and Grek. ............. 84

14

13

Confidential
4.2.3 Audio 2, Track-4 – Duration 1:09.4 – 1:49.0, conversation between Major and Grek. ............ 89
4.3 Audio 3 - Track 5 - from time 1:50 to 2:22.8 ................................................................................... 94
4.4 Video 1 Audio Tracks Edit/Manipulation....................................................................................... 100
4.4.1 Audio 1, Track-1 .............................................................................................................. 100
4.4.2 Audio 2, Track-2 ..................................................................................................................... 104
4.4.3 Audio 2, Track-3 ..................................................................................................................... 105
4.4.4 Audio 2, Track-4 .............................................................................................................. 107
4.4.5 Audio 3, Track-5 .............................................................................................................. 111
4.5 Voice Biometric (Voice ID) Analysis - From Video 1 Audio Tracks ............................................... 114
4.5.1 Audio 1, Track 1 Voices .......................................................................................................... 120
4.5.2 Audio 2, Track 2 Voices .......................................................................................................... 122
4.5.3 Audio 2, Track3 Voices ........................................................................................................... 124
4.5.4 Audio 2, Track 4 Voices .......................................................................................................... 126
4.5.5 Audio 3, Track 5 Voices .......................................................................................................... 128
5.0 5.0 Video 2 - MH17 crash leaked tape proven FAKE by audio analysis. Анализ перехвата
разговоров ополчения ДНР..mp4......................................................................................................... 131
6.0 Summary..................................................................................................................................... 139
7.0 Appendix..................................................................................................................................... 143

15

14

1.0 Document Control
1.1 Distribution List


Document                                     Name                           Role                    Representing


MH17-Forensic Reporting Final         Akash                      Forensic                OG IT Forensic Services
V1.0-26052019                              Rosen                      Investigator


1.2 Purpose
The purpose of this document is to provide an overview of analysis findings of a reported
incident received by OG IT Forensic Services. This report provides the summary of the current
case assigned by Bonanza Media.
1.3 Disclaimer
The information and contents of this document is confidential. It is intended solely for the use of
Bonanza Media, its appointed solicitor and other professionals. Save and extract the forgoing any
photocopy/extraction/imaging without the permission of OG IT Forensic Services is strictly
prohibited. OG IT Forensic Services makes no representation or warranties with the respect to
the contents or use of this document, and specifically disclaims any express or implied warranties
or usefulness for any particular purpose of this publication. OG IT Forensic Services reserve the
right to change or revise this document, at any time.
I confirm the correctness of my expert report and understand that in giving my report my
overriding duty is to the court and that I have complied with that duty.

16

15

1.4 Terminology


Term                     Definition


Hash Hash value for integration purposes
MD5 Message Digest 5 – Hashing algorithm
SHA1 Secure Hashing Algorithm
S/N Serial Number
Cluster Area in a hard disk
Imaging Process forensic image of the media (bit copying)
MACB Modified, Access, Created & Birth of a file
USB Universal Serial Bus
Evidence Media Hard disk acquired (image copy)
OS Operating System
Kb Kilo Byte (kB)
SIP Source IP Address
Exif Exchangeable image file format
JPEG/JPG Joint Photographic Experts Group (Image/Photo format)
PNG Portable Network Graphics (Image/Photo format)
GIF Graphics Interchange Format (Image/Photo format)
Exiftool Metadata extraction from Photos/Media
SDCard Secure Digital Card (Memory Card)
OGITFS OG IT Forensic Services
OGLab OGITFS IT Forensic Laboratory equipped with Commercial Forensic Software
MP4 MPEG-4 Part 14
WeBM audiovisual media file format for video
Hz Spectral Frequency cycle in in a second
AAC Advance Audio Coding for audio compression
FFMPEG An audio/video codec library / command for transcoding multimedia files

17

16

1.5 Case Information


Incident/Case        OGIT-001-095-08-04-               Reported                8th Apr 2019
#:                                    2019                           Date/Time:

Report                     Akash Rosen
Compiled By:

Report                 Ms. Yana Yerlashova /
Recipient:            Mr. Max van der Werff

OG IT Forensic Services digital forensic expert was engaged by Yana Yerlashova and Max
van der Werff, founder of Bonanza Media to collect, acquire, verify, and perform digital forensic
analysis on uploaded video files on YouTube social media as listed as in Table 1.5.1 below. The
main scope of this case is assigned to;
i. Verify the video files are genuine based on the source
ii. Verify the audio track in the video files are genuine especially in video 1 as listed
in Table 1.5.1.
iii. Verify any kind of manipulation seen in the audio stream in Video 1 as listed Table
1.5.1.
Table 1.5.1: Video File Details


Video   Video File Name                         Source of the Video File                                        Remark


Video 1   SSU, radio interception of  https://www.youtube.com/watch?v=BbyZYgSXdyw  - Original Video uploaded by SSU
             conversations between                                                                                   - Consist of 5 audio tracks of
             terrorists, "Boeing-777"                                                                                    planeintercepted audios
             crash


Video 2  MH17 crash: leaked tape    https://www.youtube.com/watch?v=T34AB6CImTE  - Original Video uploaded by Sound
             proven FAKE by audio analysis.                                                                        Russia
            Анализ перехвата                                                                                         - Showing part of audios in Video 1
             разговоров ополчения ДНР.                                                                           are faked


Refer to Table 2.1.1 showing the details of the video files.

18

17
1.6 Forensic Analysis Process
The process of the forensic verification and analysis for digital media/evidence involves the
following:
i. Seizure of digital media source (cloud storage) and forensic acquisition
ii. Authentication of the source media/files
iii. Processing (Recovery, Indexing, Metadata gathering, etc...)
iv. File extractions (audio/video streams), verification and analysis of files (digital
evidence)
v. The production of a report based on the collected evidence for the benefit of the court
or the initiator of the process.

https://d.radikal.ru/d35/1907/b8/ee97b667df00.png

Flow 1.1: Forensic Analysis Process

текст Flow 1.1

Acquisition -> Authentication
Reporting
Processing-> Extraction -> Analysis
Preservation

The video files details as listed in Table 2.1 was provided on the 8th April 2019 by Bonanza
Media to OG IT Forensic Services expert.
An acquired image is a bit stream copy of a media (hard disk/mobile). It copies every single
bit of the media into an image file. The verification (authentication) of the acquired image files
shows the acquisition of media was verified. During the Authentication process, copy of the
image was verified with hash value to ensure the authenticity of the image acquired. The main
reason for authentication was to ensure the integrity of the information, preservation of digital

19

18

evidence and to get it accepted as evidence in court if it’s needed as per the standard of ISO
27037 (Guidelines for identification, collection, acquisition, and preservation of digital evidence).
The industry standard for computer evidence authentication is known as RSA Security MD5
(Message Digest 5) algorithm. Each file has a unique MD5 hash value. SHA1 and SHA2 is another
hashing algorithm. Refer to section 2.0 showing the acquisition of the acquired image.
The checksum value (MD5) of the media acquisition is listed in the Acquisition report. It is
very important to have a forensic verification done from the source origin. Forensic software is
read only tools and all attached evidence files (acquired image) can’t be tampered in any way.
The forensic software maintains the preservation of digital evidence (electronic store information
within the forensic software) as per ISO 27037 standard.
The processing of the media is performed using the commercial forensic software, where
media data recovery, indexing, system artefacts parsing, internet artefacts parsing, email
recovery and parsing’s, keywords searches, etc... are done. The keyword search hits were
reviewed, and the extraction of the files done accordingly by OG IT Forensic Services team. The
analysis is performed based on the scope of the case and report are generated.
The software used for this audio forensic analysis was;
i. Adobe - Audition
ii. Speech Technology Center - SIS II
iii. MediaInfo - Extraction of Audio Video details/EXIF data
iv. ExifData - Extraction of Metadata/Exchangeable Information of File
v. FFMPEG - extraction of audio and video frames
vi. FAW Project - FAW Professional – Web Acquisition
vii. Magnet - WPS - Web Acquisition
viii. X1 Social Discovery

20

19

1.6.1 Video Forensic Process Flow

https://d.radikal.ru/d29/1907/e0/e8bc009e591a.png
Flow 1.2: Forensic Analysis Process Flow for Video Files

текст Flow 1.2

Identify source video files on YouTube URL
https://www.youtube.com/

Video Files downloaded from
i. Video 1 - https://www.y2mate.com/youtube/watch?v=T34AB6CImTE
ii. Video 2 - https://www.y2mate.com/youtube/BbyZYgSXdyw

Preserved the downloaded video file and
verified the hash value

Gather/review metadata of the video files
Added the video files inside Adobe Audition for
Analysis
Added the video files inside SIS II for analysis
Collected audio wave signals, audio properties
and signal characteristics ID for all the
individual voices.
Collected audio wave forms, analyzed audio by
listening to identify the tampering in the audio
by comparing frequencies and background
noises in the spectrum signals.
Added the facts and analysis
results in the reporting

21

20
1.6.2 Audio Video Forensic Analysis Process
Any recorded digital video file has a container. The container is like a box contains the
video stream, audio stream and metadata details. It is also referred as MOV, MP4 or AVI. A video
metadata (media info) are vital data/details of the video itself such as the date created, date
modified, date access, format, about the content produced, format, types, software, tracks,
codec, frames, audio, etc. It is stored at the beginning of the video files depending on the format
of the video. A codec is a software that compresses the video so it can be stored and played back.
Sample of codec is AVC, MPEG-4, H.264 and many more. An audio recorded file will contain audio
stream and its metadata of the audio itself. Audio has different set of codec such as MP4, M4A,
mp4a and many more. WebM is a container format (with the file ending *.webm) for multimedia
files, i.e. for videos and audio files. Within this container, the video codecs VP8 and VP9 and the
audio codecs Vorbis and Opus are used. First announced at the Google conference I/O 2010,
WebM was planned as an alternative to the existing MP4 format with its H.264 code.
The location of the video’s metadata and the content of the video stream and audio
stream are located separately in the video file container. Refer to Flow 1.3, a video file has video
stream and the audio stream. The video and audio stream can be used for the content verification
as well depending on the metadata details. Video stream contents are video frames (count by
size and frame per seconds) and the audio stream content are the audio wave (count sampling
rate, bitrate, channel, etc...).

https://a.radikal.ru/a16/1907/72/6de6202027e4.png
Flow 1.3: Recorded Video/Audio File Forensic Analysis Process

текст Flow 1.3

Video Files
(*.MOV, MP4, etc...)
Video Stream
(Stream #0.0)
Audio Forensic – Noise Level
analysis/Spectral Review
Audio Stream
(Stream #0.1)
Extract for analysis and verification of tampering
Consist
Metadata of the videos - date
created, modified, types,
streams, audio stream details,
video stream details, etc...

22

21

The audio stream can be used to validate the continuous and constant noise sound level
of the audio. The noise sound is the background sound of the recorded audio/video. The measure
of signal strength relative to background noise is called SNR (Signal to Noise Ratio). The ratio is
usually measured in decibels (dB) using a signal-to-noise ratio formula. Normally, any audio’s SNR
> 10 dB (decibels) are accepted. As long the background noise is constant, the audio can be
analyzed by looking the purple color of the noise level (in Audition CC audio analysis tool) if it was
edited or tampered because the noise sound can’t be regenerated to be as similar as during the
recorded time of the audio/video.
The analysis of the audio/video files are done as stated below (refer to Flow 1.3);
i. Firstly, analysis on the audio/video’s metadata (media info) from the video
- Review the detail format field of the metadata from the audio/video.
- Gather all information from metadata field extracted from the video file
- Analyzed the details of video stream and audio stream
- Analysis for any abnormal entry on the video.
ii. Gather information and details of the source of the audio/video recorder (source)
recorded the video. In this case are the digital media as listed in Table 1.5.1.
Note: If the date creation and the date modified are same or after adding the duration
of the audio/video recorded, the gaps between the date created and modified date
are meeting the duration, it means the recorded audio/video digital files are original
and not edited or tampered.
iii. Then, to verify the video are not tampered, the audio stream will be extracted and
analyzed further.
iv. Video frames are also extracted to identify the frames size and number of frames
showing continuous movement in each frame per second (not tampered). In this case,
the video frames are not analyzed as the audio tracks are the focus.
v. Extraction of audio stream from recorded video file is very important to validate the
video was tampered or edited. By reviewing the noise level, analyst can determine if
the audio was edited. By looking at the spectral wave, it can determine if the audio
was tampered or edited as well.

23

22

vi. Similar analysis is done for recorded audio files as per stated above (iv).
vii. Reviewing the video are done as below;
i. Review Identify if the video is continuously recorded such as below;
a. No pause from the beginning of the video to the end of the video recording
b. No stop from the beginning of the video to the end of the video recording
c. The clarity of the video and the surrounding
d. The sound of the background (noise)
e. The quality of the video and others aspect related to video (duration, speech,
etc...)
ii. Identify any kind of digital watermarking on the video such as time or logo
- Watermarking is a method to ensure the integrity of the video content and avoid
tampering to the video frames.
Note:
i. Cepstrum view is main for pitch determination/analysis - vocal excitation (pitch) and vocal tract
(formants)
ii. Fast Fourier Transform is an algorithm that computes the Discrete Fourier transform (DFT) of
a sequence, or its inverse (IDFT). Fourier analysis converts a signal from its original domain (often
time or space) to a representation in the frequency domain and vice versa

24

23

1.7 Executive Summary
The Video 1 file named as “radio interception of conversations between militants, "Boeing-777" plane
crash.mp4” is actually a video file which was created and uploaded into You Tube media by Security
Service of Ukraine (SSU). This video contains 5 audio tracks related to the intercepted radio audio
conversation between few militants on the fatal incident day of MH17 flight - 17/07/2014. Video 1 file
with the 5 intercepted recorded audios tracks was converted and compressed into WeBM format and
uploaded into YouTube. Refer to Table 2.2.1 and 3.1.1 showing the details of the video file.
Firstly, and the most important fundamental ground of the audio/video forensic analysis is to ensure
to determine the original source and authenticity of the recorded video/audio file. This must be validated
to ensure the audio recorded is not tampered. All the 5 audio tracks which was embedded and showed
(aired) in the video had no details of the original sources of the recorded/intercepted audio are from.
Therefore, the audio files /audio tracks are highly potential of already been edited, tampered or had been
manipulated. Secondly, all audio tracks in the Video 1 were seen as incomplete audio conversations in.
Original audio recording files is compulsory required to validate the whether the recording is tampered or
legitimate. Unfortunately, that information is not available.
Nevertheless, since there is no original source of original recorded audio, the audio stream in the
video files was evaluated/analyzed based on the content of the audio signals/waves/spectrum. The noise
floor in the audio which is the background noise (sound) is important to validate the recording is normal.
The analysis of the audio signal/waves/spectrums) showing that:
i. The audio recordings are showing telephone conversation recording ~ 8kHz.
ii. Very short of audio conversation and there are inconsistencies of the audio tracks. Refer to
Section 4.0.
iii. Only part of the conversation is available. Refer to Section 4.0.
iv. Inconsistent of stereo and mono channel in the audio tracks seen – Track 1 and Track 5 had
mono recording. Track 2, Track 3 and Track 4 are Stereo. Refer to Section 4.0.
v. There were possible cuts and merging seen in the spectrum signal waves as it can be seen in
the background noise changes. Refer to Section 4.4.
vi. Absents of signal. It also means recording are cut or not the complete recording. Refer to
Section 4.4.

25

24

vii. The audio quality is low, where the audibility of the spoken voice is not very clear. Refer to
Section 4.5.
There are inconsistencies in the audio tracks and some part of the conversation was removed. It Is clear
that only part of the original conversation was added into Video1 audio stream’s and make it available.
Refer to Section 3.0 showing the Findings statements and Section 6.0 Summary.

26

25
1.8 Timeline

https://d.radikal.ru/d36/1907/64/bd50d46ae57e.png

текст

17/07/2014
MH17 Plane Fatal Crash

17/07/2014
-Showing Published in YouTube Channel
-Video 1: SSU, radio interception of
conversations between terrorists,
"Boeing-777" plane crash
Refer Figure 2.1.1.4

26/07/2014
-Showing Published in YouTube Channel
-MH17 crash: leaked tape proven FAKE by audio
analysis. Анализ перехвата разговоров
ополчения ДНР.
Refer Figure 2.1.2.4

4/08/2014
-Last Modified/Updated (Original header)
-MH17 crash: leaked tape proven FAKE by audio
analysis. Анализ перехвата разговоров
ополчения ДНР.
Refer Figure 2.1.2.3

1/11/2018
-Last Modified/Updated (Original header)
-Metadata showing 1/11/2018 (Encoded/Tagged)
-Video 1: SSU, radio interception of conversations
between terrorists, "Boeing-777" plane crash
-Refer Figure 2.1.1.3

Reference:
Table 2.1.1: Video Source Details
Table 2.2.1: Acquired (downloaded) Video Files Details
Table 3.1.1: Video File Analysis – Metadata from Video Files
Table 3.2.1: SSU, radio interception of conversations between terrorists, Boeing-777 plane crash Intercepted
Audio Tracks Analysis
Table 4.5.1: Voice Biometric (Voice ID) Analysis - Audio Tracks from Video 1
Table 4.5.2: Details of Individual Voice ID for Voice Biometrics Analysis Exported

Video 1 Audio Tracks Reference:
(Refer to Figure 4.4 & Diagram: 4.1)
i. Audio 1, Track 1 (Section 4.1)
ii. Audio 2, Track 2 (Section 4.2.1)
iii. Audio 2, Track 3 (Section 4.2.2)
iv. Audio 2, Track 4 (Section 4.2.3)
v. Audio 3, Track 5 (Section 4.3)

27

26

2.0 Acquisition and Verification

The source of the digital video files.
2.1 Video Source Details
Table 2.1.1: Video Source Details
https://b.radikal.ru/b12/1907/f1/322a404a01d4.png

28

27

https://b.radikal.ru/b39/1907/31/cc770eedc589.png
Figure 2.1.1.1: Video 1 - SSU, Radio interception of conversations between terrorists, "Boeing-777" plane crash
URL: https://www.youtube.com/watch?v=BbyZYgSXdyw showing Published 17/07/2014

29

28

https://c.radikal.ru/c26/1907/cb/48d1133301e9.png
Figure 2.1.1.2: Video 1 - SSU, Radio interception of conversations between terrorists, "Boeing-777" plane crash details (Web Inspector view)

30

29

https://b.radikal.ru/b42/1907/c9/f6c72888ff6f.png
Figure 2.1.1.3: Video 1 - SSU, Radio interception of conversations between terrorists, "Boeing-777" plane crash - format WeBM and source (Web
Inspector view) - Showing last modified 1st Nov 2018


Вы здесь » MH17: как и кто? » Против официальной версии » Макс + Яна MH17 - 5 years onv