Expert Witness Report on ByLock Investigation 13 September 2017 Version: 1.0 Status: Final Pages: 33 Author: Fox-IT Classification: PUBLIC PUBLIC This document is classified as PUBLIC. Fox-IT BV Olof Palmestraat 6 2616 LM Delft Postbus 638 2600 AP Delft Nederland Telephone: +31 (0)15 284 7999 Fax: +31 (0)15 284 7990 E-mail:
[email protected] Internet: www.fox-it.com Copyright © 2017 Fox-IT BV All rights reserved. No part of this document shall be reproduced, stored in a retrieval system or transmitted by any means without written permission from Fox-IT. Violations will be prosecuted by applicable law. The general service conditions of Fox-IT B.V. apply to this documentation. Trademark Fox-IT and the Fox-IT logo are trademarks of Fox-IT B.V. All other trademarks mentioned in this document are owned by the mentioned legacy body or organization. PUBLIC - 2 DOCUMENT MANAGEMENT Version Management Project name : BREEZEWOOD Subject : Expert witness report on ByLock investigation Date : 13 September 2017 Version : 1.0 Status : Final Authors : Fox-IT This version replaces all previous versions of this document. Please destroy all previous copies! PUBLIC - 3 TABLE OF CONTENTS 1 Introduction 5 2 Issues Addressed 6 3 Approach 7 3.1 Analysis of MIT investigation and report 7 3.2 Fact-checking 7 4 Findings 8 4.1 What is Fox-IT’s opinion on the investigation methodology used by MIT in the ByLock investigation? 8 4.1.1 Transparency and evidence authenticity 8 4.1.2 Application servers and the ByLock.net domain 9 4.1.3 Open-source research 10 4.1.4 Sub-conclusions