Home Turkey Human Rights Blog [Blogpost] Using the ByLock in 1970

[Blogpost] Using the ByLock in 1970

By on

This is the translation of the article of lawyer Mr Levent Maziliguney published in Meridyenhaber. 

Please don’t say that there was no Internet in 1970 so Bylock could not be used. I know too that the internet was not invented yet in 1970. But it seems that some people don’t know. How? Let me explain.

Earlier, in a social media post, I shared the screenshot of the Bylock Detection and Evaluation Report issued by the Police which was claiming that the suspect used the Block app in 1970.  It was the first time, I saw such report. I was naïve enough to think that there cannot be another example. To my surprise, there are many similar examples. Upon the request of the subject’s family by covering the all concerning data on it (except the date of last online) I am sharing another example.

( The users that used the ID ……. The user profile data Id: ……….. Username: ………… Password: ………….. Name : …………… Message: …………. Last online : 1970-01-25 08:11:19)

( The users that used the ID ……. The user profile data Id: ……….. Username: ………… Password: ………….. Name : …………… Message: …………. Last online : 1970-01-25 08:11:19)

The last online part of the Bylock Detection and Evaluation Report claims the date that suspect was last online is 25 January 1970. This is similar to that I shared on social media. I saw such (discrepant) dates (1970) in the investigation files of at least eight members of higher judiciary who were all arrested.

….

Now let me explain this with a plain language. Why this happens at the first place? Why an impossible date such as 1970 is included in the reports? I will explain its reason by using excel then you can try what I’m going to tell in your homes with your computers.

Bylock is a Linux based application and in Linux, the beginning (of calendar) date (default date)  set as January 1st, 1970. In case the data is deleted, changed, corrupted etc. and when the remaining part of the data is read, you see January 1st, 1970. This kind of a problem / discrepancy is evaluated as the indicator of deletion, change or corruption in the data, which means that the data integrity is somehow disrupted.

It will be beneficial to explain the change in the data with screenshots and with an example that can be tried easily. The most common operating system today is Microsoft Windows. In almost all personal computers, the Word and Excel applications are used. In the Windows operating system, the beginning of the calendar is set as January 1st, 1900  The numeral version of this date equals to “1”(one). For example, if the format of a cell in which it’s written 01/01/1900 in Microsoft Excel is changed to number from date, it is possible to see that the date is transformed to number 1(one). Which means that the number “1” and the date “1 January 1900” is the same in the computer language in a way. If we want to see and read the same data as numbers, it will be “1”, if we want to see it as dates, it will be “1 January 1900”. Everyone can try this in their computers. We will try a more contemporary date.

When we write the date this article is written (17 February 2019) in Microsoft Excel cell as 17/02/2019, in case the cell is in date format, it will be read as it is in the screenshot below. By the way, there may be differences in date formats according to the Excel version but it is not important. If your version requires you to write it as 17.02.2019, you will write that way.

2

When you change the format of that cell to “number”, you will see the number 43513. According to the Windows operating system and Excel application, the number 43513 and the date 17 February 2019 are defined equivalently and its appearance (its analysis in a way) is shaped in accordance with the format we chose.

3

Now let’s think that we have a data to be analyzed which has a date information. This date will be in computer language, which means in the language of 1 and 0 or hex. No need for technical details, Excel will solve everything.

For example, if there will be any corruption, delete or change in the number (the data) 43513 for any reason and the first two digits are removed, which means the number becomes 513, the equivalent date of the changed number (data) will also change. The equivalent date of the new data after delete/change/corruption becomes 27 May 1901. Please look at the two screenshots below and try it in your own computers.

4

5

If we return to the Bylock Detection and Evaluation Report with the date 1970 which we gave the example of with the first screenshot, as it is impossible for someone to use the application in 1970, the situation is clear. It is clear according to me that a similar situation occurred as the Bylock application is Linux based and its beginning date is 01 January 1970 and the last login date is analyzed as 25 January 1970, which is impossible. It should be understood as the indicator of the delete/corruption/change (or whatever it is) in the concerning part of the data acquired from Lithuania.

If you would remember, there is a famous hard drive which includes the data stack of 109 GB’s which is obtained from Lithuania. Even if we did not see it, we heard that it exists and read many official documents about it. The most important document regarding this digital data is  an expert opinion prepared by Assistant Professor Baha Şen and Rafet Öngöçmen who were assigned by the Public Prosecutor in Ankara within the investigation no. 2016/104109. We understand from the report text that the assignment of the experts is made in 27 September 2016 but the report has the date 12 July 2016. I will present the screenshots of the date of that so there will be no suspicions.

6

Now let’s go to the page 26 of the expert opinion and provide a screenshot from it, leaving the reading part to you.

7

Translation of the screenshot is below:

The file with the capacity 113.789.140 KB (108 GB (116.520.079.360 bytes)) named “ibdata1”is seen to be a database file of MySQLand the necessary work to reveal the chart structure of the data inside is done. But as the regarding file system is corrupted, the scheme components could not be reached.

In order to be able to reach the data in the file ibdata1 and recover the data as tables, the tools “Persona Data Recovery (percona-data-recovery-tool-for-innodb” https://www.percona.com/and “TwinDB Data Recovery (undrop-for-innodb)” are used. https://recovery.twindb.com/

As a result of the processes with the mentioned tools, it is seen that there are (28) tables in total inside the “ibdata1” and there are two separate databases named “appDb” and “wordpress”, there are (15) tables in addDb and (11) tables in wordpress. The “appDb” which belongs to the “byLock” database is examined detailed way.

In summary, the experts which I know that they are specialists tell that the file was corrupted and we recovered the data with some technical methods.

The Bylock Detection and Evaluation Reports with the date 1970 confirms that the data is corrupted too, right?

Let’s end this article here. Let’s leave the legal evaluation of this issue to much more experienced legal experts than me. But let’s not forget that in these judgements, we need to make the technique and law to speak the same language somehow. The Law cannot judge with presumptions or approaches as engineering does. The basic question the technical experts should answer is that whether there is “suspicion” in technical determinations. If there is suspicion, it is clear who will make use of it: in dubio pro reo

Categories: Turkey Human Rights Blog

Tags:

%d bloggers like this: