Thursday, May 29, 2008

The new smear against Chavez

Chris Carlson writes:
Washington and its faithful lackeys in the media have launched a new offensive against Hugo Chávez and the government of Venezuela... Washington and its unofficial spokesmen in the media are... accusing Hugo Chávez of having ties to the Colombian guerrilla organization FARC. And they claim that the computer recently "uncovered" from a guerrilla camp has the evidence to prove it.

...

After all, how easy would it have been for the Colombian government to simply load whatever files they wanted onto the computer, or simply prepare the computer ahead of time and claim that it was found at the FARC camp? As Venezuela expert Eva Golinger said, "How easy it is to just write a document in Word on some computer and say it was written by someone else!"

For this reason, the Colombian government invited the International Police (Interpol) to analyze the data and validate the information found on the computers. But contrary to the claims of the Colombian government and the international media, Interpol did nothing of the sort. The Interpol examination was limited to determining one thing: whether or not the computer files were manipulated after March 1, the date the Colombian military bombed the FARC camp and supposedly gained possession of the evidence.

When Interpol's report stated that there was no evidence the files were manipulated, Colombia and Washington immediately jumped on this as validation for their claims. The international media faithfully echoed the official line. "FARC Computer Files Are Authentic," said one headline from the Washington Post. "Venezuela Offered Aid to Colombian Rebels," read another. And the next day, the BBC confidently stated, "Colombia did not fake Farc files."

But even Interpol's own report reveals that they have no way of verifying this. Many of the files found on the computer were dated in the future, in 2009 and 2010, throwing out the reliability that any of the dates on the computer are accurate, and suggesting that the dates had been altered.

The Interpol report is interesting reading. It's written at a very low level of technical detail - at one point it footnotes the word "encrypted"! ("Encryption is a method of scrambling and encoding data to prevent anyone except the intended recipient from reading that data.") This is a political document, not a technical one. But it's still possible to glean a little bit of technical information about Interpol's forensic methods.

Much has been made of Interpol's acknowledgment that "Access to the data contained in the eight FARC computer exhibits between 1 March 2008, when they were seized by Colombian authorities, and 3 March 2008... did not conform to internationally recognized principles for handling electronic evidence by law enforcement."

Per Interpol's account, soon after the seizure, some Colombian intelligence officer accessed the data on the computers directly, by booting up their operating systems and browsing the files, whereas the proper forensic procedure is to first copy the hard drives bit-for-bit with special computer forensic equipment and then examine the copies. The problem is that even if nothing is deliberately changed by the user while browsing, various system and application files will be automatically updated by the operating system and by applications like Word. (Presumably among other things Interpol is referring to swap and hibernation files.)

However, Interpol asserts, Colombia's improper procedures did no real damage: "The direct access to the eight seized FARC computer exhibits between 1 March 2008 and 3 March 2008 left traces in the system files... However, INTERPOL’s experts found not a single user file... had been created, modified or deleted."

The obvious question is, how do they know? The following is all Interpol tells us in its paragraph on methodology:
Each file on a computer or an electronic storage device has an electronic timestamp that specifies the date and time on which the file was created, last accessed, last modified or deleted. Using forensic software, INTERPOL’s experts extracted the timestamp information for the files on each exhibit, distinguishing between system files and user files. They also verified the system time settings on each of the three seized laptop computers, as these settings provided a baseline for the timestamps. For files on external hard disks or USB thumb drives, the date and time settings are usually taken from the computer to which they were connected when the files were created, accessed, modified or deleted.
This is in accord with Interpol's detailed descriptions of what it found, and in particular with its defense of Colombia's improper handling of the evidence. While many user files were timestamped as "accessed" after March 1, none were timestamped as "created" or "modified" after March 1.

But the file timestamps alone prove nothing; they're easy to fake. Interpol itself implicitly acknowledges this when it explains the files dated to 2009 and 2010 as having been copied from a computer with an erroneous system time setting. Changing the system time setting is one way to produce false timestamps, but not the only way; timestamps can also be modified directly. With root access on a Unix machine, this is within my capabilities, as a half-decent programmer without any expertise in computer security or forensics.
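As an added illustration of what a timestamp-only check can and cannot say (this is not code from the post or from the Interpol report), the following buckets file records against the seizure date in the way the report's methodology paragraph describes; the file names and the examination date are constructed, and the comments spell out why a clean result is only consistency, not authenticity.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def ts(*parts):
    """Build a UTC timestamp from (year, month, day[, hour])."""
    return datetime(*parts, tzinfo=timezone.utc)


# Seizure date is from the report's timeline; EXAMINED is a constructed
# placeholder for the day the analysis runs (the page gives no such date).
SEIZURE = ts(2008, 3, 1)
EXAMINED = ts(2008, 5, 15)


@dataclass
class FileRecord:
    path: str
    created: datetime
    modified: datetime
    accessed: datetime
    system: bool  # True for OS/application files, False for user files


def triage(records, seizure=SEIZURE, examined=EXAMINED):
    """Bucket files by how their timestamps sit against the custody timeline.
    A clean result only means the timestamps are consistent with the story;
    it cannot show they are genuine, since all three values are writable."""
    out = {"impossible": [], "user_changed_in_custody": [],
           "system_changed_in_custody": [], "accessed_in_custody": []}
    for r in records:
        last_write = max(r.created, r.modified)
        if last_write > examined:
            # Later than the examination itself: a wrong clock or a set timestamp.
            out["impossible"].append(r.path)
        elif last_write > seizure:
            key = "system_changed_in_custody" if r.system else "user_changed_in_custody"
            out[key].append(r.path)
        if r.accessed > seizure:
            # Read-only browsing after seizure (booting the machine does this).
            out["accessed_in_custody"].append(r.path)
    return out


def sample_records():
    """Constructed sample records, not data from the Interpol report."""
    return [
        FileRecord("WINDOWS/system32/config/SYSTEM", ts(2005, 8, 1), ts(2008, 3, 2, 9), ts(2008, 3, 2, 9), True),
        FileRecord("Mis documentos/carta.doc", ts(2007, 11, 12), ts(2008, 2, 20), ts(2008, 3, 2, 10), False),
        FileRecord("Mis documentos/plan.doc", ts(2009, 6, 1), ts(2009, 6, 1), ts(2009, 6, 1), False),
        FileRecord("Mis documentos/nuevo.doc", ts(2008, 3, 2, 11), ts(2008, 3, 2, 11), ts(2008, 3, 2, 11), False),
    ]
```

Run `triage(sample_records())` to see one file in each bucket; the "impossible" bucket is where the report's 2009 and 2010 files would land, and nothing in the output distinguishes a wrong clock from a deliberately set timestamp.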

Did Interpol check anything else, then? A few oblique references suggest they did - for example, the assertion regarding the future-timestamped files that "analysis of the characteristics of these files" shows they were "originally created prior to 1 March 2008 on a device or devices with incorrect system time settings". But the unclassified version of the report doesn't even clearly assert that some deeper examination was carried out, let alone explain how. If we are determined to have faith in Interpol's competence and impartiality, we can assume that the classified version includes better evidence; I admit my faith is lacking. And raw faith is the only option - if I'm reading the report correctly, the classified version with a "full, in-depth forensic analysis" was "delivered to Colombian authorities" and no one else.

There are a couple of reasons to doubt Interpol's ability to detect forgery even assuming timestamps were just the beginning of its investigation. I'm no expert, but the acknowledged modification of system files by Colombian officials between March 1 and March 3 has to have reduced the possibility of using these files, or physical traces of activity on the hard drives, to verify the timestamps. Further, Interpol lauds Colombia's handling of the electronic evidence after it was handed over to the Colombian computer forensics experts on March 3. Apparently, Colombia has access to the same kind of sophisticated computer forensic equipment, capable of bit-by-bit operations on a hard drive, as Interpol. One has to assume that this equipment could also be used to make forgeries of a sophistication beyond what I, or even the most skilled hacker accessing a system remotely, could manage.

There is also reason to doubt Interpol's impartiality. The report tends to conflate the absence of evidence of tampering with proof that no tampering occurred, but it does not use wording as strong as that of Interpol head Ronald Noble, who has insisted, "No one can ever question whether or not the Colombian government tampered with the seized FARC computers", and that, "We are absolutely certain that the computer exhibits that our experts examined came from a FARC terrorist camp." While Noble described FARC as "terrorist", he "commended the professionalism of Colombian authorities", according to the Washington Post. Noble came to Interpol after more than a decade of work in various departments of the U.S. government, which the WaPo prefers not to mention. Chavez' description of him as a "gringo policeman" appears to be basically accurate.

Taking a step back, even if the electronic evidence Colombia claims to have seized from FARC is authentic and unmodified, this doesn't prove Chavez is backing FARC. Others have discovered good reason to doubt both whether the documents and photos leaked by Colombia to the media really come from the computers Interpol examined, and whether the interpretations of their contents given by Colombia and by Chavez' media foes are accurate. We have to conclude that despite all the fuss in the past few weeks, we've really learned nothing new about Venezuela's relationship to FARC.
