2
Bio of Akash Rosen (A.Rosen)
Hancom Certified Mobile Forensic Examiner – HCME
Certified Hacking & Forensic Investigator – CHFI
SANS Hackers Techniques and Incident Handling – GCIH
#18524
Associate Member of Institute of Certified Forensic Account
(0212221)
Master’s in computer science (Dec 2010)
University of Malaya, Malaysia
Bachelor of Science Degree in Computer Science (2002)
University of Technology Malaysia
Certificate in Data Processing (1998)
Polytechnic Sultan Ahmad Shah
Location: Malaysia
A.Rosen is the founder of the 1st Private Digital Forensic Investigation firm, OG IT Forensic
Services in Malaysia (wwwogitforensics.com). He has been providing digital forensic services
for private companies in Malaysia since early 2010. He is an expert in Cyber Security Incident
Response and Digital Forensics Investigation on all types of cybercrimes.
A.Rosen holds a master’s in computer science, achieved various certifications and has
undergone security technical training such as Global Information Assurance Certification (GIAC)
Certified Incident Handler (GCIH), and Certified Hacking & Forensic Investigator (CHFI). He is also
an Associate Member of the Institute of Certified Forensic Accountants (CFA).
A.Rosen has been working closely with law agencies, other International Digital Forensic
Investigators and Forensic Accountants mainly handing digital crimes and providing relevant
digital evidences related to financial frauds, IP infringement, contractual/employment issues,
data theft and many other types of cybercrime.
Since early 2010, A.Rosen, had been providing digital forensic analysis and verification
services such as computer forensics, mobile phone forensic, email forensics, audio & voice
biometrics, video forensics, digital images & pdf file forensics, social networking analysis, cloud
forensics, database forensics, live security incident response and IoT forensics now.
A.Rosen also provides cyber intelligence investigation solutions for banking and law
enforcement agencies and support them by providing the latest awareness and prevention of
cybercrimes such as due diligence countermeasures in respect of anti-money laundering,
intelligent fraud, targeted threat Intelligence, and many more.
A.Rosen has appeared as an expert witness in Malaysian courts and support many legal
departments of local and international companies in digital forensic investigation for financial
fraud, data theft and other digital crime cases.
He has been working for more than 15 years in the IT Security field where he worked
mostly on various types of security technologies, provided security solutions (including security
risk consultation) and gained significant experience as well as developed the first global security
operation center in a MSC Status company handling real time monitoring and investigating
security threats for more than 100 clients globally.

4
10. Software house internal fraud. Full email acquisition and forensics analysis – Jul 2016
High Court Case No: 22NCC-312-10/2015 (Penang)
Expert Witness: Required
11. A small case involving a family matter – Apr 2017
Court Case No: PA-33-367-10/2016 (Penang)
Expert Witness: Not required
12. Mobile phone audio verification - Mac 2017
Kuching High Court Case: KCH-22NCvC-10/2-2014 (Kuching)
Expert Witness: Required
13. Anthon Piller Order – Jul 2017
Penang High Court Civil Suit: 22NCvC-91-05/2016 (Penang)
Expert Witness: Required
14. Software development dispute – Oct 2017
KL High Court Case No: WA-22NCVC-91-02/2017
Expert Witness: Required
15. Financial fraud case in logistic sector – Oct 2017
Kuala Lumpur High Court Case: BA-22NCVC-463-08/2016
Expert Witness: Required
16. Internal property matter - Nov 2017
Shah Alam Court: BA-B52NCVC-127-04/2016
Expert Witness: Yes
17. Sales Fraud Case – Jan 2018
Ipoh High Court Case No: AA-22NCVC-38-05/2017
Expert Witness: Required
Submit Forensic Report to Commercial Crime Investigation Department – Ipoh
Ref No: JK KPN 168/17 No Repot: 478/18
18. Business fraud/property matter
Kuching High Court Case No: 22NCVC-10/3/2016
Expert Witness: Required
19. Mobile Phone Chat Verification - Jun 2018
Penang High Court Case No: PA-22NCvC-184-09/2017
Expert Witness: Yes
20. Mobile Phone Chat Communication – WhatsApp Verification
Negeri Sembilan High Court: NA-22NCVC-63-10/2017
Expert Witness: Yes

6

Work History:

Private Digital Forensic Investigator/Examiner – Feb 2011 – Now
• Digital Forensic Investigation (on Computer hard disk, mobile, clouds,
social networking, audio & video etc…) for local clients in Malaysia, Borneo
and aboard
• Handling/Investigating Digital Crime (Financial Fraud & Data Theft) cases
with Forensic Accountant/Lawyers
1. Total Financial Fraud Cases in Malaysia worth of < RM200 Mil – 6
2. Total Financial Fraud Cases outside of Malaysia worth of > RM200 Mil - 2
3. Others/Data Theft Cases > 50 cases both inside and outside of Malaysia
• Perform LIVE Security Incident Response on any compromised systems
• eDiscovery & Digital Investigation Case Management expertise
- all types of media, digital files, multimedia files (audio/videos/images)
• Email server and client verification and forensic analysis
• Image/Picture Forensic Analysis on editing and counterfeiting
• Steganography Analysis (Image and Files- docs/PDF)
• Audio and Video Forensic analysis for any manipulation/ tampering
- Video Recording (With Audio)
- CCTV Video Analysis
- Verification of audio files from media
- Audio transcript capturing (listening and reporting with support of
audio forensic tools)
- Image/Video Ballistics
• Voice Biometric/Printing Forensic Analysis
- Audio recordings identification from camera and mobile phones
analysis for speaker
• Social Networking analysis (Fb, Twitter, Internet mails, G+, etc...)
• Analyze Digital Evidence (ESI) and writing report to be presented in court
• Provide testimony in court as an expert witness for digital forensic
evidences
Mahkamah Kuala Lumpur (High Court), Mahkamah Shah Alam (High
Court), Johor High Court, etc...
• Working closely with law firms and law enforcement as below;
- Commercial Crime Division, Royal Malaysian Police, etc...
• Provide Cyber security awareness for Law Enforcement and private
industries
• Design and Setup digital forensic labs and provide standard of Digital
Forensics process

8

• Working with GSIRT/Forensic team on Access Data - eDiscovery
• Prepare alert handling document and standardize the process for each
Client/Environment.
• Involved in escalations and perform client liaison role with Account Security
Officers (ASO) for any security incident
• Involved in analyzing risk (risk assessment) from current security trend for
the clients
• Work closely with GIS Engineering for new tools/system for future mode of
operation (FMO) – Investigations tools, incident mgmt. tools
• Work with End Point Security, SIEM, IDS/IPS, GSIRT (Forensic), TVMR team
for GSOC Services
• Growth and planning for GSOC worldwide (tools for Future Mode of
Operation), work closely with GIS Engineering team
• On boarding new account to GSOC (testing/implementing), leveraged
solution
• Review and provide security consultant on Infrastructure Security - GSOC
worldwide
• Certified ISO 20000 for GSOC APJ
Other roles;
• Holding a Security Expert role within EDS Security
• Involve and conduct a triage call with GCIRT for real security incident
response
• Manage team perform Vulnerability Assessment
• Perform Live Security Incident Response for local clients
• Compile and gather IDS alert trend for network forensic analyst from all
source of Cyber Security Provider
▪ IBM ISS - X-Force
▪ ThreatLinq – Tipping Point
▪ MC Afee NSM - Intruvert
▪ SourceFire - VRT
▪ iDefense, Bugtraq, CVE
▪ Other Security sites Symantec, CERT, Microsoft, Redhat,
Solaris, IBM, etc..
• Testing Proposed Security Solution/Product/Research with the team
Information Security Analyst/Advance/Specialist, Nov 2003 – Jun
2007,
EDS

10

12

Contents
Digital Forensic Reporting – Final Report V1.0............................................................................................ 1
1.0 Document Control......................................................................................................................... 14
1.1 Distribution List............................................................................................................................... 14
1.2 Purpose........................................................................................................................................... 14
1.3 Disclaimer ....................................................................................................................................... 14
1.4 Terminology .................................................................................................................................... 15
1.5 Case Information............................................................................................................................. 16
1.6 Forensic Analysis Process................................................................................................................ 17
1.6.1 Video Forensic Process Flow .................................................................................................... 19
1.6.2 Audio Video Forensic Analysis Process..................................................................................... 20
1.7 Executive Summary......................................................................................................................... 23
1.8 Timeline ........................................................................................................................................ 25
2.0 Acquisition and Verification .......................................................................................................... 26
2.1 Video Source Details ....................................................................................................................... 26
2.1.1 Video 1 - SSU, Radio interception of conversations between terrorists, "Boeing-777" plane
crash ................................................................................................................................................. 27
2.1.2 Video 2 - MH17 crash: leaked tape proven FAKE by audio analysis. Анализ перехвата
разговоров ополчения ДНР. ........................................................................................................... 31
2.2 Video Acquisition and Verification .................................................................................................. 36
3.0 Video File Analysis and Audio Findings Statements ...................................................................... 44
3.1 Video File Analysis and Statements................................................................................................. 44
3.2 Audio Track Analysis and Finding Statements................................................................................. 48
3.3 Video 1 Metadata - SSU, radio interception of conversations between terrorists, Boeing-777 plane
crash.mp4 ............................................................................................................................................. 55
3.4 Video 2 Metadata - MH17 crash leaked tape proven FAKE by audio analysis. Анализ перехвата
разговоров ополчения ДНР..mp4....................................................................................................... 60
4.0 Video 1 Analysis - SSU, radio interception of conversations between terrorists, Boeing-777 plane
crash.mp4 ................................................................................................................................................. 65
4.1. Audio 1, Track-1 – Duration 0:18.4 – 0:36.1, Conversation between I.Bezler ("Bes") and Vasyl
Mykolaiovych Geranin (9031921428) ................................................................................................... 72
4.2 Audio 2 - Track 2, Track 3 & Track 4 – Duration 0.43.3 – 1:49.0, conversation between Major and
Grek ...................................................................................................................................................... 78
4.2.1 Audio 2, Track-2 - 0.43.3 - 0.52.9 - Conversation between Major and Grek. ........................... 79
4.2.2 Audio 2, Track-3 – Duration 0.54.5 - 1:08.0, conversation between Major and Grek. ............. 84

14

1.0 Document Control
1.1 Distribution List

Document                                     Name                           Role                    Representing

MH17-Forensic Reporting Final         Akash                      Forensic                OG IT Forensic Services
V1.0-26052019                              Rosen                      Investigator

1.2 Purpose
The purpose of this document is to provide an overview of analysis findings of a reported
incident received by OG IT Forensic Services. This report provides the summary of the current
case assigned by Bonanza Media.
1.3 Disclaimer
The information and contents of this document is confidential. It is intended solely for the use of
Bonanza Media, its appointed solicitor and other professionals. Save and extract the forgoing any
photocopy/extraction/imaging without the permission of OG IT Forensic Services is strictly
prohibited. OG IT Forensic Services makes no representation or warranties with the respect to
the contents or use of this document, and specifically disclaims any express or implied warranties
or usefulness for any particular purpose of this publication. OG IT Forensic Services reserve the
right to change or revise this document, at any time.
I confirm the correctness of my expert report and understand that in giving my report my
overriding duty is to the court and that I have complied with that duty.

16

1.5 Case Information

Incident/Case        OGIT-001-095-08-04-               Reported                8th Apr 2019
#:                                    2019                           Date/Time:

Report                     Akash Rosen
Compiled By:

Report                 Ms. Yana Yerlashova /
Recipient:            Mr. Max van der Werff

OG IT Forensic Services digital forensic expert was engaged by Yana Yerlashova and Max
van der Werff, founder of Bonanza Media to collect, acquire, verify, and perform digital forensic
analysis on uploaded video files on YouTube social media as listed as in Table 1.5.1 below. The
main scope of this case is assigned to;
i. Verify the video files are genuine based on the source
ii. Verify the audio track in the video files are genuine especially in video 1 as listed
in Table 1.5.1.
iii. Verify any kind of manipulation seen in the audio stream in Video 1 as listed Table
1.5.1.
Table 1.5.1: Video File Details

Video   Video File Name                         Source of the Video File                                        Remark

Video 1   SSU, radio interception of  https://www.youtube.com/watch?v=BbyZYgSXdyw  - Original Video uploaded by SSU
             conversations between                                                                                   - Consist of 5 audio tracks of
             terrorists, "Boeing-777"                                                                                    planeintercepted audios
             crash

Video 2  MH17 crash: leaked tape    https://www.youtube.com/watch?v=T34AB6CImTE  - Original Video uploaded by Sound
             proven FAKE by audio analysis.                                                                        Russia
            Анализ перехвата                                                                                         - Showing part of audios in Video 1
             разговоров ополчения ДНР.                                                                           are faked

Refer to Table 2.1.1 showing the details of the video files.

18

evidence and to get it accepted as evidence in court if it’s needed as per the standard of ISO
27037 (Guidelines for identification, collection, acquisition, and preservation of digital evidence).
The industry standard for computer evidence authentication is known as RSA Security MD5
(Message Digest 5) algorithm. Each file has a unique MD5 hash value. SHA1 and SHA2 is another
hashing algorithm. Refer to section 2.0 showing the acquisition of the acquired image.
The checksum value (MD5) of the media acquisition is listed in the Acquisition report. It is
very important to have a forensic verification done from the source origin. Forensic software is
read only tools and all attached evidence files (acquired image) can’t be tampered in any way.
The forensic software maintains the preservation of digital evidence (electronic store information
within the forensic software) as per ISO 27037 standard.
The processing of the media is performed using the commercial forensic software, where
media data recovery, indexing, system artefacts parsing, internet artefacts parsing, email
recovery and parsing’s, keywords searches, etc... are done. The keyword search hits were
reviewed, and the extraction of the files done accordingly by OG IT Forensic Services team. The
analysis is performed based on the scope of the case and report are generated.
The software used for this audio forensic analysis was;
i. Adobe - Audition
ii. Speech Technology Center - SIS II
iii. MediaInfo - Extraction of Audio Video details/EXIF data
iv. ExifData - Extraction of Metadata/Exchangeable Information of File
v. FFMPEG - extraction of audio and video frames
vi. FAW Project - FAW Professional – Web Acquisition
vii. Magnet - WPS - Web Acquisition
viii. X1 Social Discovery

20
1.6.2 Audio Video Forensic Analysis Process
Any recorded digital video file has a container. The container is like a box contains the
video stream, audio stream and metadata details. It is also referred as MOV, MP4 or AVI. A video
metadata (media info) are vital data/details of the video itself such as the date created, date
modified, date access, format, about the content produced, format, types, software, tracks,
codec, frames, audio, etc. It is stored at the beginning of the video files depending on the format
of the video. A codec is a software that compresses the video so it can be stored and played back.
Sample of codec is AVC, MPEG-4, H.264 and many more. An audio recorded file will contain audio
stream and its metadata of the audio itself. Audio has different set of codec such as MP4, M4A,
mp4a and many more. WebM is a container format (with the file ending *.webm) for multimedia
files, i.e. for videos and audio files. Within this container, the video codecs VP8 and VP9 and the
audio codecs Vorbis and Opus are used. First announced at the Google conference I/O 2010,
WebM was planned as an alternative to the existing MP4 format with its H.264 code.
The location of the video’s metadata and the content of the video stream and audio
stream are located separately in the video file container. Refer to Flow 1.3, a video file has video
stream and the audio stream. The video and audio stream can be used for the content verification
as well depending on the metadata details. Video stream contents are video frames (count by
size and frame per seconds) and the audio stream content are the audio wave (count sampling
rate, bitrate, channel, etc...).

Flow 1.3: Recorded Video/Audio File Forensic Analysis Process

22

vi. Similar analysis is done for recorded audio files as per stated above (iv).
vii. Reviewing the video are done as below;
i. Review Identify if the video is continuously recorded such as below;
a. No pause from the beginning of the video to the end of the video recording
b. No stop from the beginning of the video to the end of the video recording
c. The clarity of the video and the surrounding
d. The sound of the background (noise)
e. The quality of the video and others aspect related to video (duration, speech,
etc...)
ii. Identify any kind of digital watermarking on the video such as time or logo
- Watermarking is a method to ensure the integrity of the video content and avoid
tampering to the video frames.
Note:
i. Cepstrum view is main for pitch determination/analysis - vocal excitation (pitch) and vocal tract
(formants)
ii. Fast Fourier Transform is an algorithm that computes the Discrete Fourier transform (DFT) of
a sequence, or its inverse (IDFT). Fourier analysis converts a signal from its original domain (often
time or space) to a representation in the frequency domain and vice versa

24

vii. The audio quality is low, where the audibility of the spoken voice is not very clear. Refer to
Section 4.5.
There are inconsistencies in the audio tracks and some part of the conversation was removed. It Is clear
that only part of the original conversation was added into Video1 audio stream’s and make it available.
Refer to Section 3.0 showing the Findings statements and Section 6.0 Summary.

26

2.0 Acquisition and Verification
The source of the digital video files.
2.1 Video Source Details
Table 2.1.1: Video Source Details

28

Figure 2.1.1.2: Video 1 - SSU, Radio interception of conversations between terrorists, "Boeing-777" plane crash details (Web Inspector view)