Mailing list archives: http://lists.homelien.no/pipermail/manifest-analysis/
With many minds working the problem, there is a possibility of breakthroughs in understanding what the codes are all about. It might be prudent not to reveal an obvious solution or profound insights to the public immediately for various reasons such as security. In light of this we have established an email address to contact our group in private.
If you think you are close to a solution or a breakthrough in your analysis, or wish to share something in private, please contact us at firstname.lastname@example.org. This mailbox is read only by enemy^x, edison and sventy (@irc). Rest assured we will make sure credit is given where credit is due.
2011-03-07T17:53:00Z
Prosecution date: 2011-07-22T11:23:00Z
2011-07-22T11:23:00 Manifest was saved the last time
14:07 email sent
15.25 Oslo bomb went off? (http://aslwww.cr.usgs.gov/Seismic_Data/telemetry_data/snaps/11_204/KONO_24hr.gif)

Forensic details

I would like to encourage all skilled people to participate in analyzing the details around the attacks against Oslo performed by Anders Behring Breivik. The main purpose of this forensic analysis is to evaluate all aspects of the email to make sure that it does not contain hidden features.
- Get details from the .docx which may be used to identify the computer used for the last save.
- Verify the timeframe.
- Verify that the pictures in the manifest do not include hidden information.
- Verify that the text in the manifest does not contain hidden messages.

Verified that there are a lot of different versions of the manifesto on the internet. Based on this, starting my search for the original .docx.

01/08-11

10:38 GMT+1 Called Oslo Politidistrikt asking for Pål-Fredrik Hjort Kraby. He was not available. Asked to speak with a representative for the Breivik case. The receptionist could not tell me whom to speak with since she had just returned from vacation. She will inform the violence department of the Oslo police of my contact details.

11:48 GMT+1 Received a call from 22669072. I presented myself and my wish to receive the original mail from Breivik including the original .docx manifesto. I also explained the reasons why I would like to receive the manifesto, but it was not an option for the police to distribute case details under any circumstances.
- Searched for who received the manifest, found Jan Simonsen in the news.
- Found his blog http://www.frie-ytringer.com/
- Whois on frie-ytringer.com gave me his phone number.
- Contacted Jan Simonsen and explained that I would like to receive the original email from Breivik. He told me that most of the world had been in contact to receive it.
Gave him some instructions on how to email me the document so that I would receive it with all details including SMTP headers etc.

22:48 GMT+1 Received the original .docx file from Jan Simonsen by mail. Was not sent as attachment. He will resend when he gets help to send as attachment.

02/08-11

Extracted the .docx data. extracted/

17:06 GMT+1 Found metadata in image31.png (St. George's Cross) located on page 848. Last modified 4/12/2006 06:11:09 UTC

Most of the images were saved using Adobe Photoshop with the company name Ducky.
No hidden files or information was found in the images.
image58.jpeg - image78.jpeg were made by gd-jpeg v1.0 (using IJG JPEG v62), default quality.
image58.jpeg - image78.jpeg are identical to the ones found at http://www.iragreen.com/view/884/

There are 1595 unique URLs in the document. There is a total of 1715 URL references in the document.
list urls.txt
wordcount.txt count occurrences.

Strange URLs in the manifest: strange_urls.txt
Checked most of the anonymizers on the net to check if the URL syntax matches. Haven't found any match yet. In the manifest Breivik says that he has been using tor and ipredator. No match. My guess is that he is trying to hide the URLs using either some simple encryption or a homebrewed encryption.

Running wget -q --spider got me checked_urls.txt. Seems like the --spider option has some bugs; there are several "NA:" sites which are operational. Will check this later.

Edison has done some research on the encryption found at: http://app.homelien.no/~oystein/manifurls/

It could also be referring to coordinates. 51.517.-0.083 is Liverpool Street Railway Station.
The Unabomber also left encrypted details about places he had hidden stuff, which took the FBI over 10 years to solve; maybe Breivik was inspired by this and used the same tactics.
Reverse geocoding gave strange_urls_geo.txt
Still need to verify if plusf/subf has any specific meaning regarding the coordinates.
Having some problems getting the correct Unicode characters on the end of the URLs, will fix the list so it's correct tomorrow.

04:19 GMT+1 Good night for eNEMY^x

06:46 GMT+1 Seems like Edison went to sleep :)

03/08-11

11:07 GMT+1 Unicode is fixed http://app.homelien.no/~oystein/manifurls/urls-unicode-ordered.txt I believe Edison punched them manually. Started to call some former colleagues and crew members to try to get more people involved in cracking the algorithm used for what is believed to be encrypted data on the end of the coordinates.

12:17 GMT+1 Called the police (22669072) again to ask them if they are getting somewhere and informed them about the idea that this could be GPS coordinates. Still receiving no information; he will forward the information to another department.

http://app.homelien.no/~oystein/manifurls/bookurls.py Python script for extracting URLs with Unicode.
http://app.homelien.no/~oystein/manifurls/places37.kml KML file containing the original coordinates.
http://u.no.net/4fi KML mapping of all the coordinates found on Google Maps.

Does the Google API give any opportunities to check for close by political buildings or something like that?

Just to clarify, the links are given multiple places in the document, so I don't believe that there is any linking between the page number or other and the link.

From the document:
Cache locations: These portable cases should be dug down in locations where you will have access to them (not necessarily easy access). Location should be in the most deserted location possible, optimally where no one is allowed to walk freely (national parks – private forests, areas with limited access and where there are few metal detector enthusiasts). Save the encrypted GPS coordinates for each location at a safe place (not in your home/safe house).

He refers to Garmin GPS in the document. I didn't cache the eBay feedback page before eBay removed the listings of his purchases. Does anyone know if he bought another GPS device?
If so, which GPS device did he buy? Maybe this can explain more in detail.

13:56 GMT+1 Calling Garmin (http://www.garmin.com/no/company/contact_us/) 815 69 555. Got the number for their technical department (69233630). Called their tech department and Garmin does not identify, nor has it seen, any outputs with this syntax/format. It seems more and more likely that we are on the right track.

14:15 GMT+1 KGB`x has started to research each address returned from the coordinates and will return with more details later.

15:26 GMT+1 Both police and NSM (https://www.nsm.stat.no/) have been updated/informed.

03/08-11

12:25 GMT+1 Received call

14:01 GMT+1 ....
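
The .docx checks described in the log above (last-save metadata, total versus unique URL references, embedded images), as an added Python example that is not the group's bookurls.py or any other code from the page. The sample file, its property values and its URLs are constructed for the demo.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET  # for untrusted files, defusedxml is the safer parser
from collections import Counter

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/", "dcterms": "http://purl.org/dc/terms/"}
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FIELDS = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
          "created": "dcterms:created", "modified": "dcterms:modified"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def triage_docx(data: bytes) -> dict:
    """Save metadata, URL counts and embedded media names for a .docx held in memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        meta = {k: core.findtext(p, namespaces=NS) for k, p in FIELDS.items()}
        # A URL can straddle two <w:t> runs: join runs in order, break only at paragraphs.
        parts = []
        for el in ET.fromstring(z.read("word/document.xml")).iter():
            if el.tag == "{%s}p" % W:
                parts.append("\n")
            elif el.tag == "{%s}t" % W:
                parts.append(el.text or "")
        media = sorted(n for n in z.namelist() if n.startswith("word/media/"))
    urls = [u.rstrip(".,;)") for u in URL_RE.findall("".join(parts))]
    counts = Counter(urls)
    return {"meta": meta, "total_refs": len(urls), "unique_urls": len(counts),
            "repeated": {u: c for u, c in counts.items() if c > 1}, "media": media}

def build_sample() -> bytes:
    """Constructed minimal .docx for the demo; not the file discussed on the page."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s">'
            '<dc:creator>author</dc:creator><cp:lastModifiedBy>ws-user</cp:lastModifiedBy>'
            '<dcterms:created>2011-01-01T10:00:00Z</dcterms:created>'
            '<dcterms:modified>2011-01-02T11:00:00Z</dcterms:modified>'
            '</cp:coreProperties>' % (NS["cp"], NS["dc"], NS["dcterms"]))
    paras = [["see http://a.example/1 and http://b.exam", "ple/2."],  # URL split over runs
             ["again http://a.example/1"]]
    body = "".join("<w:p>%s</w:p>" % "".join("<w:r><w:t>%s</w:t></w:r>" % r for r in p)
                   for p in paras)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W, body))
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_docx(build_sample()))
```

The gap between total references and unique URLs is the figure the log reports as 1715 versus 1595; the `repeated` map shows which links account for the difference.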