07-08-2011, 02:18 AM
A good find Dave, thank you! 

Quote: A mailing list has been established for continued discussion of manifest related analysis/forensics
Send an email to manifest-analysis-request@analysis.no.net with the word "subscribe" in the body text (not subject) to participate.
Mailing list archives: http://lists.homelien.no/pipermail/manifest-analysis/
With many minds working the problem, there is a possibility of breakthroughs in understanding what the codes are all about. It might be prudent not to reveal an obvious solution or profound insights to the public immediately for various reasons such as security. In light of this we have established an email address to contact our group in private.
If you think you are close to a solution or a breakthrough in your analysis, or wish to share something in private, please contact us at post@analysis.no.net. This mailbox is read only by enemy^x, edison and sventy (@irc). Rest assured we will make sure credit is given where credit is due.
OUR FINDINGS SO FAR:
we performed some analysis of the original .docx manifest, its embedded objects, images and text. See our log at http://analysis.no.net/
some footnotes in the manifest contain what seem to be internet links but are in fact not valid urls. ( list at http://app.homelien.no/~oystein/manifurl...rdered.txt )
these strings are formatted in a particular, segmented way.
after some analysis, it has been discovered that the first segment contains information which can be easily converted into geographical coordinates (which coordinate system is not known)
when plotted on a map in the most obvious way, these coordinates/points correspond with major european cities (see graphical map at http://u.no.net/4fi )
some of these cities are represented with more than one coordinate/point (ex: oslo, stockholm, london, paris)
the coordinates are precise down to street level, resolution is limited by an uncertainty of approximately 111 (n-s) x 55.5 (e-w) meters
reverse geocoding revealed the following approximate list of street addresses: http://analysis.no.net/strange_urls_geo.txt. Note that this list is probably irrelevant, see previous note about resolution limits.
the coordinates may be real, bogus, or they may contain partial information.
there are other regular segments in the strings which seem to contain:
a signed integer (sign indicated by tokens "plusf" or "subf")
a 7-letter ascii word (normally the two leading letters in this word are uppercased, but in 4? cases there is only one uppercase letter)
a 12-digit sequence of decimal digits (one string segment diverges from this and has only 9 digits)
additionally, 2 unicode symbols corresponding to letters in the serbian cyrillic alphabet in the range 0x402-0x428, except for 3 instances of a latin uppercase A (0x41) in the segment set.
we believe there are 46 (unique) obscured strings in the manifest document (see .docx, .pdf, .txt )
considering our preliminary findings, proper cryptanalysis of the 46 strings and the manifest as a whole is probably warranted.
if you are able to contribute, please join the mailing list.
please inform anyone interested in contributing to this research of our team effort web page: http://analysis.no.net/
Join #forensic on irc.homelien.no (EFNET)
(http://chat.efnet.org/irc.cgi webclient)
The original document as received by mail: Original-2083 - A European Declaration of Independence.docx
The original document as text: Original-2083 - A European Declaration of Independence.txt
Creation date: 2011-03-07T17:53:00Z
Prosecution date: 2011-07-22T11:23:00Z
2011-07-22T11:23:00 Manifest was saved the last time
14:07 email sent
15.25 Oslo bomb went off? (http://aslwww.cr.usgs.gov/Seismic_Data/t...O_24hr.gif)
Forensic details
I would like to encourage all skilled people to participate in analyzing the details around the attacks against Oslo performed by Andreas Breivik.
The main purpose of this forensic is to evaluate all aspects of the email to make sure that it does not contain hidden features.
- Get details from the .docx which may be used to identify the computer used for the last save.
- Verify the timeframe
- Verify that pictures in the manifest do not include hidden information.
- Verify that the text in manifest does not contain hidden messages.
Verified that there are a lot of different versions of the manifesto on the internet. Based on this, starting my search for the original .docx.
01/08-11
10:38 GMT+1 Called Oslo Politidistrikt asking for Pål-Fredrik Hjort Kraby. He was not available.
Asked to speak with a representative for the Breivik case. The receptionist could not tell me whom to speak with
since she just returned from vacation. She will inform the violence department of the Oslo police of my contact details.
11:48 GMT+1 Received a call from 22669072. I presented myself and my wish to receive the original mail from breivik including the
original .docx manifesto. I also explained the reasons why I would like to receive the manifesto but it was not an option
for the police to distribute case details under any circumstances.
- Searched for who received the manifest, found Jan Simonsen in the news.
- Found his blog http://www.frie-ytringer.com/
- Whois on frie-ytringer.com gave me his phone number.
- Contacted Jan Simonsen and explained that I would like to receive the original email from breivik. He told me that
most of the world had been in contact to receive it. Gave him some instructions on how to email me the document so
that I would receive it with all details including smtp headers etc.
22:48 GMT+1 Received the original .docx file from Jan Simonsen by mail. Was not sent as attachment. He will resend when he gets help
to send as attachment.
02/08-11
Extracted the .docx data. extracted/
17:06 GMT+1 Found metadata in image31.png (St. George's Cross) located on page 848.
Last modified 4/12/2006 06:11:09 UTC
Most of the images were saved using Adobe Photoshop with the company name Ducky
No hidden files or information was found in the images.
image58.jpeg - image78.jpeg was made by gd-jpeg v1.0 (using IJG JPEG v62), default quality.
image58.jpeg - image78.jpeg is identical to the ones found at http://www.iragreen.com/view/884/
There are 1595 unique urls in the document.
There is a total of 1715 url references in the document.
list urls.txt
wordcount.txt count occurrences.
Strange urls in the manifest strange_urls.txt
Checked most of the anonymizers on the net to check if the url syntax matches. Haven't found any match yet.
In the manifest Breivik says that he has been using tor and ipredator. No match.
My guess is that he is trying to hide the urls using either some simple encryption or a homebrewed encryption.
Running wget -q --spider got me checked_urls.txt. Seems like the --spider option
has some bugs, there are several "NA:" sites which are operational. Will check this later.
Edison has done some research on the encryption found at: http://app.homelien.no/~oystein/manifurls/
It could also be referring to coordinates. 51.517.-0.083 is Liverpool Street Railway Station
The Una Bomber also left crypted details about places he had hidden stuff which took FBI over 10 years to solve,
maybe Breivik was inspired by this and used the same tactics.
Reverse geocoding gave strange_urls_geo.txt
Still need to verify if plusf/subf has any specific meaning regarding the coordinates.
Having some problems getting the correct unicode characters on the end of the urls, will fix the list so it's correct tomorrow.
04:19 GMT+1 Good night for eNEMY^x
06:46 GMT+1 Seems like Edison went to sleep
03/08-11
11:07 GMT+1 Unicode is fixed http://app.homelien.no/~oystein/manifurl...rdered.txt
I believe Edison punched them manually.
Started to call some former colleagues and crew members to try to get more people involved in cracking the algorithm used
for what is believed to be crypted data on the end of the coordinates.
12:17 GMT+1 Called the police (22669072) again to ask them if they are getting somewhere and informed them about the idea that this could be
gps coordinates. Still receiving no information, he will forward the information to another department.
http://app.homelien.no/~oystein/manifurls/bookurls.py python script for extracting urls with unicode.
http://app.homelien.no/~oystein/manifurls/places37.kml KML file containing the original coordinates.
http://u.no.net/4fi KML mapping of all the coordinates found on google maps.
Does google api give any opportunities to check for close by political buildings or something like that?
Just to clarify, the links are given multiple places in the document so I don't believe that there is any linking between
the page number or other and the link.
From the document:
Cache locations:
These portable cases should be dug down in locations where you will have access to them (not necessarily easy access).
Location should be in the most deserted location possible, optimally where no one is allowed to walk freely
(national parks - private forests, areas with limited access and where there are few metal detector enthusiasts).
Save the encrypted GPS coordinates for each location at a safe place (not in your home/safe house).
He refers to Garmin GPS in the Document.
I didn't cache the ebay feedback page before ebay removed the listings of his buyings. Does anyone know if he bought
another GPS device? If so, which GPS device did he buy? Maybe this can explain more in detail .
13:56 GMT+1 Calling Garmin (http://www.garmin.com/no/company/contact_us/) 815 69 555.
Got the number for their technical department (69233630).
Called their tech department and Garmin does not identify nor has seen any outputs with this syntax/format.
It seems more and more likely that we are on the right track.
14:15 GMT+1 KGB`x has started to research each address returned from the coordinates and will return with more details later.
15:26 GMT+1 Both police and NSM (https://www.nsm.stat.no/) have been updated/informed.
03/08-11
12:25 GMT+1 Received call
14:01 GMT+1 ....
"The philosophers have only interpreted the world, in various ways. The point, however, is to change it." Karl Marx
"He would, wouldn't he?" Mandy Rice-Davies. When asked in court whether she knew that Lord Astor had denied having sex with her.
“I think it would be a good idea” Ghandi, when asked about Western Civilisation.
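Added example, not part of the post above and not the analysis group's own scripts: a minimal Python triage of a .docx container along the lines the quoted log describes (save metadata from docProps/core.xml, embedded media, total versus unique link targets). The `triage_docx` and `build_sample` names and every value in the sample archive are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DCT = "http://purl.org/dc/terms/"
PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
FIELDS = {"created": f"{{{DCT}}}created", "modified": f"{{{DCT}}}modified",
          "last_modified_by": f"{{{CP}}}lastModifiedBy"}

def triage_docx(data: bytes) -> dict:
    """Summarise save metadata, embedded media and external links of a .docx."""
    out, links = dict.fromkeys(FIELDS), []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            out = {k: core.findtext(tag) for k, tag in FIELDS.items()}
        # Body, footnotes and headers each keep their links in a separate .rels part.
        for name in names:
            if name.startswith("word/_rels/") and name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)).iter(f"{{{PKG_REL}}}Relationship"):
                    if rel.get("Type") == HYPERLINK and rel.get("TargetMode") == "External":
                        links.append(rel.get("Target"))
        out["media"] = {n: z.getinfo(n).file_size for n in names if n.startswith("word/media/")}
    out["link_refs"], out["unique_links"] = len(links), len(set(links))
    return out

def build_sample() -> bytes:
    """Constructed stand-in for a .docx; every value in it is made up."""
    def rels(*targets):
        body = "".join(f'<Relationship Id="r{i}" Type="{HYPERLINK}" Target="{t}" '
                       'TargetMode="External"/>' for i, t in enumerate(targets))
        return f'<Relationships xmlns="{PKG_REL}">{body}</Relationships>'
    parts = {
        "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dcterms="{DCT}">'
                             "<cp:lastModifiedBy>sample-user</cp:lastModifiedBy>"
                             "<dcterms:modified>2001-02-03T04:05:00Z</dcterms:modified>"
                             "</cp:coreProperties>",
        "word/_rels/document.xml.rels": rels("http://a.example/", "http://b.example/"),
        "word/_rels/footnotes.xml.rels": rels("http://a.example/"),
        "word/media/image1.png": b"\x89PNG\r\n\x1a\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()
```

Calling `triage_docx(build_sample())` returns the summary dict; a field missing from core.xml (here `created`) comes back as `None` rather than raising.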


