Mercury Rising 鳯女

Politics, life, and other things that matter

The Venezuela-FARC connection

Posted by Charles II on May 15, 2008

One of the stories we have followed is the attempt of the US government to destabilize the left-wing government of Hugo Chavez in Venezuela. One of the more recent developments had to do with the assassination of Colombian FARC rebels by military incursion across the border of Ecuador, which led to the call-up of the Venezuelan army, a lot of manly chest-pounding, and an eventual diplomatic resolution.

In the course of this, the Colombians claimed to have captured three laptop computers and associated hardware with information that proved, they said, that Hugo Chavez was funding and collaborating with the FARCies. This is a big deal, since FARC is designated by the US as a terrorist group, even though they are the heirs to a generations-old civil war. The Busheviks have reserved the right to invade any country aiding terrorists, which would give them the right to invade Venezuela if it weren’t completely illegal under international law.

If the allegations of FARC-Venezuelan collaboration are true, it wouldn’t be the first time that a head of state used a terrorist group (or, depending on who you ask, freedom fighters) to harass a neighbor. We seem to be doing much the same with the MEK in Iran. But since Venezuela is not the United States, it has to play under a different set of rules.

There have been serious questions about the provenance of the computers. Interpol has answered one of those questions. Rory Carroll and Sibylla Brodzinsky, The Guardian:

The international police organisation announced that a two-month forensic investigation of laptops seized in a raid by Colombian security forces concluded they belonged to the Revolutionary Armed Forces of Colombia (Farc)….
Ronald Noble, Interpol secretary general, said his experts had found “no alteration of the data by Colombian officials”. Internationally accepted methods for handling computers were not always followed, he said, but Bogotá had not modified, altered or created files. Interpol said the amount of information – 37,872 word documents and 210,880 photographs – was much greater than previously thought.
“Internationally accepted methods for handling computers” turns out to be an understatement. According to Gregory Wilpert of Venezuela Analysis:

However, between March 1 and March 3, when the material was in the hands of Colombia’s anti-terrorist unit accessed the data 48,555 times …

More as it comes available. Comments from the computer-astute on what Interpol’s investigation does and does not show would be appreciated.

8 Responses to “The Venezuela-FARC connection”

  1. The giveaway here is that the latest allegations are being used to revive as true the nonsense about the “$300 million” that Greg Palast debunked months ago.

  2. Stormcrow said

    The international police organisation announced that a two-month forensic investigation of laptops seized in a raid by Colombian security forces concluded they belonged to the Revolutionary Armed Forces of Colombia (Farc).

    Leaks from the trove of 16,000 files and photographs have suggested high-ranking Venezuelan officials plotted to help the Marxist group to obtain weapons and funding for its decades-long insurgency against the Colombian state.

    Ronald Noble, Interpol secretary general, said his experts had found “no alteration of the data by Colombian officials”. Internationally accepted methods for handling computers were not always followed, he said, but Bogotá had not modified, altered or created files. Interpol said the amount of information – 37,872 word documents and 210,880 photographs – was much greater than previously thought.

    Analysts have cautioned that Farc’s internal memos may contain misinformation or wishful thinking.

    It isn’t too hard to determine, to within a reasonable degree of certainty, whether attempts were made to alter data on a seized hard drive.

    Particularly if that hard drive is from a Windows system.

    The first thing a competent examiner will do is simply lift off a byte-for-byte and sector-for-sector copy of absolutely everything on the evidentiary drive. He’ll use a device that physically prohibits writing to the drive, a “write-blocker”, to dub off this copy. At the same time the copy is made, cryptographic hashes of the copy and the original are taken, compared, and stored. These will serve as practical demonstration of the copy quality.

    Second thing he does is, tag the original drive, bag it, and lock it in a safe. All later examination is performed on the copy, which is an actual file or files on another (usually larger) hard drive.

    “Deleting” a file in the usual way merely makes it hard to look up. As if you “removed” a library book by simply removing its catalog card, so nobody consulting the card catalog could find it.

    But you could still find it with a brute-force search of every single book in the library. You’ll find the book, if you do it that way.

    That’s what a forensic analyst does. If the actual data sectors themselves have not been overwritten yet, traces of the original file will be found. Maybe the entire file.

    Somebody trying to tamper with an evidence drive is going to try to alter more than just one or two files. The more files they fool with, the higher the odds evidence of the tampering will be found. And with ordinary deletion, odds are really good if only one file was altered or removed.

    You can “securely” delete a file by not only removing its entries in file allocation tables, but also overwriting the data blocks themselves. Programs that do this are well known, publicly available, and free.

    But here, the nature of Windows comes into play. It is a very highly redundant system, by accident rather than design in most cases.

    That file can and often does leave traces in the Registry. You’d be surprised how trivial some of the things are that are stored there are. Last 10 files accessed? In the Registry, for sure. And much more besides.

    How about “index.dat” files? These are binary index files that Windows leaves all over the place. Recently opened files are indexed there, along with URLs visited with IE. They’re easy meat for forensic tools.

    This gets better. Remember what happens when you “revert” a Windows disk to an earlier time? Well, that restore data may also contain one or more copies of the “deleted” file.

    If the investigator finds file traces in ANY of these locations, and the file itself is gone, without leaving residual data behind, he won’t have to guess what to think. He’ll know what to think.

    I would not want to be asked to remove evidence from a Windows system in a file-by-file fashion. The odds I would fail are just too great. And I know a little about where to go and what to do in order to accomplish this.

    .. nuke the entire site from orbit. It’s the only way to be sure.

    Of course, all of the above discussion assumes that the forensics people are both ethical and competent.
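An added example, in Python, that is not from the post or from Stormcrow, walking through the points made above: a bit-for-bit copy verified by hashing both original and copy, ordinary deletion that only drops the catalog entry, secure deletion that also overwrites the sectors, and a brute-force scan of every sector that still turns up the ordinarily deleted file. The toy disk layout, file names, sector numbers and sample file contents are all constructed for the example.

```python
import hashlib

SECTOR = 512
JPEG_MAGIC = b"\xff\xd8\xff"  # JPEG start-of-image bytes, used as the carving signature

def build_image(n_sectors, files):
    # Constructed toy disk: a flat bytearray of sectors plus a "card catalog"
    # (directory) mapping name -> (first sector, length).
    image = bytearray(n_sectors * SECTOR)
    directory = {}
    for name, (first, data) in files.items():
        image[first * SECTOR:first * SECTOR + len(data)] = data
        directory[name] = (first, len(data))
    return image, directory

def ordinary_delete(directory, name):
    # Pull the catalog card only; the data sectors are left exactly as they were.
    del directory[name]

def secure_delete(image, directory, name):
    # Pull the catalog card AND overwrite the data sectors it pointed to.
    first, length = directory.pop(name)
    image[first * SECTOR:first * SECTOR + length] = b"\x00" * length

def acquire(image):
    # Bit-for-bit copy of the evidence; hash original and copy and compare,
    # the same check a write-blocked acquisition records alongside the image.
    copy = bytes(image)
    digest = hashlib.sha256(image).hexdigest()
    if hashlib.sha256(copy).hexdigest() != digest:
        raise RuntimeError("acquisition hash mismatch: copy is not faithful")
    return copy, digest

def carve(copy, magic):
    # Brute-force search of every sector for the signature, ignoring the catalog.
    return [s for s in range(len(copy) // SECTOR)
            if copy[s * SECTOR:(s + 1) * SECTOR].startswith(magic)]

def demo():
    photo_a = JPEG_MAGIC + b"photo-A" + b"\x00" * 100  # constructed sample files
    photo_b = JPEG_MAGIC + b"photo-B" + b"\x00" * 100
    image, directory = build_image(16, {"a.jpg": (3, photo_a), "b.jpg": (9, photo_b)})
    ordinary_delete(directory, "a.jpg")       # catalog gone, sectors intact
    secure_delete(image, directory, "b.jpg")  # catalog gone, sectors zeroed
    copy, digest = acquire(image)
    # The catalog now lists nothing, yet carving the copy still finds photo A at sector 3.
    return sorted(directory), carve(copy, JPEG_MAGIC), digest
```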

  3. Charles said

    Thanks, Stormcrow. I do assume that Interpol is a reasonable forensic source.

    The main issue here is, and always has been interpretation. Just because FARC says that El Presidente Chavez is going to give them $300M in small, unmarked bills doesn’t mean that it’s likely to occur in this universe. It’s not very plausible that he could, or would. According to an independent observer, cited in Wilpert’s article, the documents so far published depict a cordial but distant relationship between Caracas and the FARC. “Cordial” might not mean a lot, since (a) Latin American correspondence tends to be a bit flowery, and (b) Chavez was trying to negotiate the release of hostages, under which conditions “cordial” works better than “rude.”

    As for fabricating evidence, I would think it would be easier to do by creating a disk from scratch, perhaps using a number of real intercepts. The problem, I would think, would be getting the time stamps just right. I find it difficult to believe that the FARC would have laptops with five years of correspondence, just sitting around in the Ecuadorian jungle. Not to mention 210,000 photos.

  4. Stormcrow said

    As for fabricating evidence, I would think it would be easier to do by creating a disk from scratch

    No, that would be horribly difficult. The thought of the practical problems makes me want to run, screaming.

    You’d have to emplace not only your fabricated evidence, but all the other files Windows would put there. And enough “other stuff” to make the fabrication hold water. Restore partition, disk label, the works. Plus the personal “out of policy” stuff you might expect Joe Average to put on a hard drive.

    It’d be almost like planting a gun in a house by building a fabricated house around the planted gun.

    In fact, in order to make this work, you’d probably have to tamper with the system drive anyway. It’d store the maker’s information, model, and serial number in the Registry. Not only for attached NTFS disks, but for thumb drives and externals as well. I know that for a fact, because I was taught to look for them there. And the serial isn’t on the platter, it’s on the firmware on the printed circuit board attached to the disk. You can scrub an entire platter cleaner than laundered money, which I’ve done, and not touch the serial number at all.

    210,000 photos will take up maybe 10 to 20 GB, assuming an average file size of 50KB to 100KB, respectively. If you assume some of these are thumbnails or image previews, drop that by a factor of 10. We’re talking about a minimum of three system drives, two externals, and three thumb drives. Spread out over that much real estate, 20GB isn’t going to bulk out beyond reason.

    Yeah, I can believe five years of correspondence. Low volumes of email don’t take up much disk space.

    As for the alleged age, the stuff you’ll discover if you ever do a whole-disk file recovery on a disk of your own will flat out amaze you. Again, I know whereof I speak, because I did just that, about nine or ten months ago. When I was digging for a Firefox bookmark file I figured had been “deleted”. Jeeze. I was running through stuff that dated back to mid-2003.

    Software that’ll do that is cheap if you don’t care about forensic levels of quality, i.e., guarantee that the original media was untouched, timestamps were preserved in the copy, and no data was omitted. “Recover My Files” isn’t a tool that’ll stand up in court, but it doesn’t cost $1.8K a pop, either.

  5. Stormcrow said

    The thing that does boggle my mind is that FARC, or whoever it was, didn’t encrypt the bloody hard drives.

    But what the hell. Nobody else does. Never mind the fact that BIOS level encryption for laptop system drives has been field-proven in VERY large enterprise environments for going on half a decade now.

    They don’t even encrypt CC numbers when they send them out over a long-distance network wire. Never mind the fact that the technology is not only off-the-shelf, it’s Open Source and free. Has been for 15 freaking years.

    International Hackers Indicted for Sniffing Credit Cards from Dave & Busters

    .. the Dave & Buster’s hackers illegally accessed 11 of the national chain’s servers and installed packet sniffers at each location. The sniffers vacuumed up “Track 2” data from the credit card magstripes as it traveled from the restaurant’s servers to Dave & Buster’s headquarters in Dallas

    The only way those sniffers could have raked in so much as a place name was if the data on the wire was not encrypted.

    This sort of thing makes me want to run amok. What the hell does it take to educate people???

  6. Charles II said

    Interesting stuff, Stormcrow. Then I suppose that if Interpol validates the contents, it’s probably legit.

    What I meant by finding it difficult to imagine five years of correspondence and 210,000 photos is (a) what the ^%$# are guerrillas doing with so many photos? Running a dating service? I suppose that they might have been browsing porn sites, but good gracious. It hardly leaves time for blowing up bridges or smuggling cocaine, (b) I wouldn’t imagine the lifetime of laptops would be very long in the South American jungle. Talk about being a road warrior! The electric plugs you recharge on probably carry anywhere from 70-150V, you aren’t likely to be getting DSL or cable, which means few patches or new software, there’s probably not a lot of time for system maintenance, there’s the problem of lizards, insects, or small mammals getting into the media drives, bullet holes, spam….

    All I’m saying is these guys weren’t operating under the pristine conditions that you and I may enjoy.

    BTW, I don’t know that it was five years of correspondence. I just counted up the files I have generated/received working most of the day, and that is a LOT of files, even for three computers.

  7. That, or you could do the short form. The WaPo would indict a ham sandwich if it was brown and had a Spanish accent, and the NYT would follow suit with “sources” who have “suspicions”. Cue the network ‘experts’ who also work for the arms manufacturers and season heavily with ominous labels and alerts at the top and bottom of the screen.

    Facts? We don’t need no stinkin’ facts!

  8. [...] USS Maine explodes in Venezuelan highlands: Hearst chain dispatches war correspondents [...]
