Slashdot Mirror


Turkish Journalist Jailed For Terrorism Was Framed, Forensic Report Shows (vice.com)

An anonymous reader quotes a report from Motherboard: Turkish investigative journalist Baris Pehlivan spent 19 months in jail, accused of terrorism based on documents found on his work computer. But when digital forensics experts examined his PC, they discovered that those files were put there by someone who removed the hard drive from the case, copied the documents, and then reinstalled the hard drive. The attackers also attempted to control the journalist's machine remotely, trying to infect it using malicious email attachments and thumb drives. Among the viruses detected in his computer was an extremely rare trojan called Ahtapot, in one of the only times it's been seen in the wild. Pehlivan went to jail in February of 2011, along with six of his colleagues, after electronic evidence seized during a police raid in 2011 appeared to connect all of them to Ergenekon, an alleged armed group accused of terrorism in Turkey. A paper recently published by computer expert Mark Spencer in Digital Forensics Magazine sheds light into the case after several other reports have acknowledged the presence of malware. Spencer said no other forensics expert noticed the Ahtapot trojan in the OdaTV case, nor has determined accurately how those documents showed up on the journalist's computer. However, almost all the reports have concluded that the incriminating files were planted. "We are not guilty," Baris Pehlivan told Andrada Fiscutean via Motherboard. "The files were put into our computers by a virus and by [attackers] entering the OdaTV office secretly. None of us has seen those documents before the prosecutor showed them to us." 
(OdaTV is the website Pehlivan works for and "has been critical of the government and the Gulen Movement, which was accused by Turkish president Recep Tayyip Erdogan of orchestrating the recent attempted coup.") In regard to the report, senior security consultant at F-Secure, Taneli Kaivola, says, "Yes, [the report] takes an impressive level of conviction to locally attack a computer four times, and remotely attack it seven times [between January 1, 2011, and February 11, 2011], as well as a certain level of technical skill to set up the infrastructure for those attacks, which included document forgery and date and time manipulation."

  1. Re:Turkey is due for some DEMOCRACY by unixisc · Score: 4, Informative

    Actually, democracy, as imposed by the EU, was what brought Turkey to this point. Under Kemal Mustafa Ataturk and his successors, Turkey was a military backed authoritarian regime that kept Islam on a leash. Then, when they wanted to enter the EU, Brussels told them that they had to become as democratic as the EU countries.

    Problem w/ that was that while geographically, Turkey may be positioned to be a part of Europe, culturally, the Turks are not European at all: they are Islamic. Their democratic underpinnings are similar to that of their Arab and Iranian neighbors: it shows in their attitudes towards the Armenians and the Kurds. Also, under Erdogan, Turkey has been only too happy to rediscover not just its Ottoman, but also its greater Turkic past - be it Seljuk, Tatar, Khwarezmid, Timuride, Moghul... pasts. Which is fine, but it doesn't lay the groundwork of a democratic Turkey being a pluralistic society the way the EU would desire.

  2. Re:Turkey is due for some DEMOCRACY by Solandri · Score: 4, Informative

    Politically, the whole fustercluck dates back to the end of the first World War. The Ottoman Empire was on the losing side, and ceased to exist after WWI. The European victors carved its territory up along arbitrary lines, without regard for the cultural and even lingual boundaries. Those lines became the modern country borders we know today. Most of the modern Middle-eastern conflicts trace their roots back to this. Iraq, Kuwait, Syria, Israel/Palestine, and Turkey.

    Culturally, it would've made a lot more sense to divide the territory up into Turkey, Kurdistan, and Arabia plus maybe a few other small countries, instead of the patchwork it is today.

  3. Re:Contain highly technical content :) by ArsenalConsulting · Score: 3, Informative

    You have asked a question we would like more people in our industry to ask! My (this is Mark Spencer) last two articles in Digital Forensics Magazine introduced the Anchors in Relative Time analysis technique and included examples of cases in which it was applied. I'm going to try and strike a compromise in my explanation below between my technical articles and the Motherboard article:

    What do you do if you need to analyze a Windows computer but already have reason not to trust any of its dates and times? One option is to identify events which have occurred in a particular order regardless of any associated dates and times. Let's take just two types of events (related to file system transactions) into consideration for now. File system transactions in the NTFS $LogFile and $UsnJrnl metafiles increment via Log Sequence Numbers (or LSNs) and Update Sequence Numbers (or USNs), respectively. It does not matter whether someone was manipulating the clock during these transactions or if someone manipulated dates and times in the $MFT (related to files and folders associated with the transactions) after the fact - the LSNs and USNs have still incremented in an orderly fashion.

    So where do you go now? You can start identifying "legitimate" and "illegitimate" anchors. Windows startups and shutdowns result in a flurry of activity in the $LogFile and $UsnJrnl metafiles. You could model what those flurries look like on the computer in question and determine, in relative time and regardless of any dates and times, when Windows startups and shutdowns occurred. Once you have established Windows startup and shutdown anchors (which we have done not only on Windows boot volumes but auxiliary volumes as well), you can then start putting the more entertaining stuff into context with them.

    Does this basic concept make sense? I only focused on Windows and a couple simple event types here (some others require multiple elements in order to determine an increment), but once you understand the basic concept you can do really powerful things from there. The basic concept is not that complex, but applying it can be a major hassle... in the Odatv case, the hassle was well warranted.

    On a side note, there has been enough interest in this case that I'm planning on putting a detailed case study on our website at https://arsenalexperts.com/Cas.... It also happens to be one of the few cases we're able to talk about without restrictions, so I'm motivated to drink enough coffee to get it done.
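
The relative-time ordering described in the comment above, as an added example that is not part of the original comment or of Arsenal's tooling: records are ordered by USN alone, recorded times that contradict that order are flagged, and an event is placed between its neighbouring anchors. The record layout, labels and sample values are constructed, and the startup/shutdown anchors are assumed to have been identified already.

```python
from bisect import bisect_right
from datetime import datetime

# Constructed sample: (USN, recorded timestamp, file name, label).
# "startup"/"shutdown" labels mark anchors assumed to be already identified
# by modelling the journal activity flurries on the machine under analysis.
RECORDS = [
    (1000, "2011-02-01 09:00:05", "boot-flurry", "startup"),
    (1480, "2011-02-01 09:14:40", "notes.doc",   "file"),
    (2210, "2011-02-01 18:02:11", "halt-flurry", "shutdown"),
    (2300, "2011-02-02 08:58:30", "boot-flurry", "startup"),
    (2764, "2011-01-15 11:20:00", "suspect.doc", "file"),  # clock claims January
    (2990, "2011-02-02 09:31:02", "report.xls",  "file"),
    (3550, "2011-02-02 17:45:19", "halt-flurry", "shutdown"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def by_usn(records):
    """Order records by USN only; the recorded timestamps are ignored."""
    return sorted(records, key=lambda r: r[0])

def clock_regressions(records):
    """Return (earlier_usn, later_usn) pairs where the recorded time runs
    backwards although the USN moved forward."""
    ordered = by_usn(records)
    return [(a[0], b[0]) for a, b in zip(ordered, ordered[1:])
            if parse(b[1]) < parse(a[1])]

def bracket(records, usn):
    """Return the anchors immediately before and after `usn` in relative time
    (None where no anchor exists on that side)."""
    anchors = [r for r in by_usn(records) if r[3] in ("startup", "shutdown")]
    i = bisect_right([a[0] for a in anchors], usn)
    before = anchors[i - 1] if i > 0 else None
    after = anchors[i] if i < len(anchors) else None
    return before, after

if __name__ == "__main__":
    print("clock regressions:", clock_regressions(RECORDS))
    before, after = bracket(RECORDS, 2764)
    print("suspect.doc falls between", before[:2], "and", after[:2])
```

In this sample, suspect.doc carries a January timestamp, yet its USN places it inside the session that started at USN 2300 and ended at USN 3550.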