Main Page

From analysis-wiki

Jump to: navigation, search

Welcome to analysis-wiki

Project homepage: http://analysis.no.net

The purpose of this wiki is to avoid duplication of effort and to be a central repository of theories, findings and data.

Please note: anonymous editing on the wiki has been disabled as of 2011-08-18 because of vandalism. Register an account to participate.

Important information

A mailing list has been established for continued discussion of manifest related analysis/forensics Send an email to manifest-analysis-request@analysis.no.net with the word "subscribe" in the body text (not subject) to participate.

Mailing list archives: http://lists.homelien.no/pipermail/manifest-analysis/

With many minds working the problem, there is a possibility of breakthroughs in understanding what the codes are all about. It might be prudent not to reveal an obvious solution or profound insights to the public immediately for various reasons such as security. In light of this we have established an email address to contact our group in private.

If you think you are close to a solution or a breakthrough in your analysis, or wish to share something in private, please contact us at post@analysis.no.net. This mailbox is read only by enemy^x, edison and sventy (@irc). Rest assured we will make sure credit is given where credit is due.

Live chat

Join #forensic on irc.homelien.no (EFNET) (via web: http://chat.efnet.org/irc.cgi)

Our original findings

  1. we performed some analysis of the original .docx manifest, its embedded objects, images and text. See our log at http://analysis.no.net/
  2. some footnotes in the manifest contain what seem to be internet links but are in fact not valid urls. ( list at http://app.homelien.no/~oystein/manifurls/urls-unicode-ordered.txt )
  3. these strings are formatted in a particular, segmented way.
  4. after some analysis, it has been discovered that the first segment contains information which can be easily converted into geographical coordinates (which coordinate system is not known)
  5. when plotted on a map in the most obvious way, these coordinates/points correspond with major european cities (see graphical map at http://u.no.net/4fi )
  6. some of these cities are represented with more than one coordinate/point (ex: oslo, stockholm, london, paris)
  7. the coordinates are precise down to street level, resolution is limited by an uncertainty of approximately 111 (n-s) x 55.5 (e-w) meters
  8. reverse geocoding revealed the following approximate list of street addresses: http://analysis.no.net/strange_urls_geo.txt. Note that this list is probably irrelevant, se previous note about resolution limits.
  9. the coordinates may be real, bogus, or they may contain partial information.
  10. there are other regular segments in the strings which seem to contain:
    1. a signed integer (sign indicated by tokens "plusf" or "subf")
    2. a 7-letter ascii word (normally the two leading letters in this word are uppercased, but in 4? cases there is only one uppercase letter)
    3. a 12-digit sequence of decimal digits (one string segment diverges from this and has only 9 digits)
    4. additionally, 2 unicode symbols corresponding to letters in the serbian cyrillic alphabet in the range 0x402-0x428, except for 3 instances of a latin uppercase A (0x41) in the segment set.
  11. we believe there are 46 (unique) obscured strings in the manifest document (see .docx, .pdf, .txt )
  12. considering our preliminary findings, proper cryptanalysis of the 46 strings and the manifest as a whole is probably warranted.
  13. if you are able to contribute, please join the mailing list.
  14. please inform anyone interested in contributing to this research of our team effort web page: http://analysis.no.net/
Retrieved from "http://analysis.no.net/wiki/index.php/Main_Page"
Personal tools