
Investigation of remote control possibilities, regarding seizure 2012-0201-BG25023-26

During hearings with Gottfrid Svartholm Warg the defendant has claimed that his computer, seizure 2012-0201-BG25023-26, has been remotely controlled via Terminal Services and Powershell Server. The County Bureau of Investigation in Stockholm asked the Security Service if there are signs of remote control on the operating system on the Windows partition in the mentioned seizure.

Conclusions:

Based on the facts below and our observations we make the assessment that the investigated computer has not been remotely controlled since the operating system was installed on 2011-07-11.

Details:

The operating system on the Windows partition has been reinstalled once. The current operating system, Windows 7 64-bit, was installed 2011-07-11. Files from the previous operating system are preserved in the windows.old directory. The contents of this folder have not been taken into account in this PM.

The Security Service has focused its investigation on available logs and firewall rules in the seizure and makes the following conclusions around these:

- The oldest entry in the operating system's security log is dated 2011-07-14.
- The Security Service does not find any installed software that can be used for remote control.
- The only installation of Powershell Server that the Security Service finds resides in the windows.old directory, and the timestamps for last modification and last access of this installation show 2011-03-02.
- The Terminal Services/Remote Desktop service is not configured for remote control.
- Those logs that are tied to Terminal Server/Remote Desktop do not contain signs of external connections.
- The RemoteConnectionManager log file is empty.
- The LocalSessionManager log contains only references to the local computer.
- The services for Terminal Server/Remote Desktop are not configured to be started automatically.
- Timestamps for registry keys connected to Terminal Server/Remote Desktop show that the configuration has not been modified since the operating system was installed.
- Available logs and the rules of the local firewall have been searched for signs of the computer having been remotely controlled, without finding that remote control can be proven.

- The built-in firewall is active and allows only incoming traffic which matches the user's set rules. This regards all firewall profiles.
- The firewall is not configured to log blocked or allowed connections.
- The Security Service has assessed that, amongst the programs that are allowed to communicate through the firewall, there are no programs that can have been used for remote controlling the computer. See appendix 1 for a list of valid firewall rules.
- No active listening network services with remote control ability are accessible through the local firewall.
- The service for Windows Remoting is not configured for remote control.
- The built-in firewall is not configured to allow Windows Remoting.
- Timestamps for registry keys connected to Windows Remoting show that the configuration has not been modified since the operating system was installed.
- The remote management log file for Windows Remoting is empty.
- The WinRM service has not started according to logs.
- The built-in function for forwarding traffic via the netsh command, portproxy, does not show any forwarded TCP traffic.
- The login-related events that occur in the operating system's security log show no other addresses than 127.0.0.1 or ::1.
- User Account Control (UAC) is activated and configured to "Always Notify", which means that Windows warns when programs try to install software or change the computer configuration, and when the user tries to change the computer configuration. This also means that the user must accept programs that want to execute with administrative permissions, something which complicates remote controlling without a graphical interface.

All listed firewall rules have the following columns in common, hence they have been excluded from the table due to limited space. Neither have inactive rules been included in the table.

allowed computers: any
allowed users: any
override: no
enabled: yes

Jesper Blomström
IT Security Specialist
Dept. of Information Security and Preservation of Evidence in IT environments
Security Service
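The checks the report walks through (Remote Desktop configuration and logs, WinRM, portproxy, inbound firewall rules, logon source addresses, UAC) can be reproduced on a live host with the following read-only triage script. It is an added example, not part of the Security Service report; it assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets and an elevated prompt for reading the Security log.

```powershell
# Added example, not from the Security Service report: a read-only triage script
# that reproduces the report's checks on a live Windows host. Assumes Windows 8 /
# Server 2012 or later (NetSecurity module) and an elevated prompt for the Security log.

# 1. Remote Desktop: is it switched off, and is the service set to start automatically?
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
[pscustomobject]@{ RdpConnectionsDenied = ($ts.fDenyTSConnections -eq 1)
                   TermServiceStartType = (Get-Service TermService).StartType }

# 2. Remote Desktop and WinRM operational logs: an empty log means no recorded sessions
$logs = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational',
        'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational',
        'Microsoft-Windows-WinRM/Operational'
foreach ($log in $logs) {
    $n = @(Get-WinEvent -LogName $log -ErrorAction SilentlyContinue).Count
    '{0}: {1} event(s)' -f $log, $n
}

# 3. WinRM service state and whether the firewall admits it
Get-Service WinRM | Select-Object Name, Status, StartType
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Select-Object DisplayName, Enabled, Direction, Action

# 4. netsh portproxy entries (no listed entries means no traffic is being forwarded)
netsh interface portproxy show all

# 5. Enabled inbound allow rules, with the program and port each one exposes
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
    $app  = $_ | Get-NetFirewallApplicationFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program
                       Protocol = $port.Protocol; LocalPort = ($port.LocalPort -join ',') }
} | Format-Table -AutoSize

# 6. Successful logons (event 4624) whose source address is not the local host itself
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($e in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; LogonType = $d.LogonType
                           From = $d.IpAddress; User = $d.TargetUserName }
    } | Where-Object { $_.From -notin @('127.0.0.1', '::1', '-', '') } | Format-Table -AutoSize

# 7. UAC: EnableLUA=1, ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1 is "Always notify"
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' |
    Select-Object EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop
```

The registry key last-write timestamps the report also relied on are not exposed by PowerShell's registry provider and need a separate tool; on a seized disk rather than a live host, the same logs and hives are read from the mounted image instead.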
