I’ve already blogged about how my computer was confiscated and formatted. Today’s post will be about the investigation I undertook (at home) in order to find out what actually took place regarding my computer and its formatting. This post may get a little technical, but I’ll try to keep the technical-speak to a minimum.

Chat Software Was Installed

One of the first things my Information Technology Support Team (ITST) told me was that I had some kind of Internet Relay Chat (IRC) software installed on my computer and that I had downloaded the MP3s using that software. I asked what the software was called. They told me it was called incircle.

A quick Google search (incircle irc) revealed the culprit. Approximately five entries from the top was a site I commonly visit called TechCrunch. According to TechCrunch’s about page, the blog is “a weblog dedicated to obsessively profiling and reviewing new Internet products and companies. In addition to new companies, we will profile existing companies that are making an impact (commercial and/or cultural) on the new web space.”

TechCrunch Blog Article Screenshot - InCircles Chat Application is Embedded

The article that was listed on Google was, “The Six Biggest New Ideas In Chat.” I browsed to the article, and immediately knew that this page was the culprit that resulted in my computer being confiscated.

On the right side is a new chat software by InCircles. InCircles is a small Flash chat application that allows all the users browsing a particular web page to chat with each other. I still could not connect the dots between this application and the downloading of MP3s.

A Deeper Investigation

I called my dad and told him I had found the page that caused the confiscation. He suggested I download two programs called Paros and Wireshark. Both programs enabled me to monitor and capture the traffic when I browsed to the offending web page.

After several captures, I concluded that all that the InCircles chat application was doing was accessing the file (SWF) needed to run the application. InCircles also refreshed itself periodically, but it was not downloading any particular file.

I still couldn’t figure out where the MP3s came into play. Nothing showed up in either capture. I decided to do another capture just in case I might have missed something. I did.

The Culprit

TechCrunch Log - 4 MP3 Files Shown

As you can see from the partial log, TechCrunch attempted to download four MP3s. All resulted in 404 errors, meaning that the files weren’t on the server to even be downloaded.

The ITST told me that they only found legitimate MP3s on my computer and not the ones they were looking for. The “not found” errors explain why the MP3s were never found on my computer. The MP3s weren’t found because they were never downloaded; unfortunately, the attempted download of an MP3 file (from an unauthorized source) triggered a security violation.

The ITST assumed that InCircles and the MP3 files were related somehow — that’s why they accused me of installing chat software and using it to download MP3s. Further analysis of the captured data revealed that the 404 errors all happened at the same moment in time. A user (such as myself) could not have deliberately “attempted” to download four MP3s at exactly the same time (to the second).
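The same-second and 404 reasoning above can be applied to a proxy or web log before anyone acts on an "MP3 download" alert. The following is an added example, not the capture or tooling from this post: it assumes log lines in Apache combined format, the sample lines are constructed, and `triage_mp3_requests` and its `burst_size` threshold are hypothetical names and a heuristic chosen for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: client, timestamp, request, status, size, referer, agent.
LINE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)

# Constructed sample input (hosts, paths and times are made up for illustration).
SAMPLE_LOG = '''\
10.0.0.5 - - [01/Jan/2000:14:02:10 +0000] "GET /post.html HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2000:14:02:12 +0000] "GET /media/1.mp3 HTTP/1.1" 404 209 "http://blog.example/post.html" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2000:14:02:12 +0000] "GET /media/2.mp3 HTTP/1.1" 404 209 "http://blog.example/post.html" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2000:14:02:12 +0000] "GET /media/3.mp3 HTTP/1.1" 404 209 "http://blog.example/post.html" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2000:14:02:12 +0000] "GET /media/4.mp3 HTTP/1.1" 404 209 "http://blog.example/post.html" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2000:15:30:41 +0000] "GET /files/song.mp3 HTTP/1.1" 200 4120331 "-" "Mozilla/5.0"
'''

def triage_mp3_requests(log_text, burst_size=2):
    """Group MP3 requests by (client, referer, second) and classify each group."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not m["path"].lower().split("?")[0].endswith(".mp3"):
            continue
        groups[(m["client"], m["referer"], m["ts"])].append(int(m["status"]))
    findings = []
    for (client, referer, ts), statuses in groups.items():
        findings.append({
            "client": client, "referer": referer, "second": ts,
            "requests": len(statuses),
            # Heuristic: several requests in one second with a page referer look
            # like a browser fetching page resources, not a person clicking links.
            "page_initiated": len(statuses) >= burst_size and referer not in ("", "-"),
            # Only a 2xx response means file content actually reached the client.
            "content_received": any(200 <= s < 300 for s in statuses),
        })
    return findings

if __name__ == "__main__":
    for finding in triage_mp3_requests(SAMPLE_LOG):
        print(finding)
```

A group with `page_initiated` true and `content_received` false matches the situation described here: the request was made, but no file was transferred to the machine.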

Conclusion

It is my belief that InCircles had nothing to do with the MP3 files. It looks from the capture that TechCrunch was the one that attempted to download the MP3s. Whether these MP3s were supposed to work with InCircles remains a mystery.

The sad conclusion is that I browsed to a simple web page and got my computer formatted.