Slashdot Mirror


Linux and Forensic Discovery

Max Pyziur writes "Found this on cryptome.org where Linux is cited in a DOJ document against Moussaoui (sometimes referred to as the "20th man"). FBI: Moussaoui E-mail Not Recoverable - January 1, 2003." An interesting read which gives some insight into how computer evidence is handled in court.

260 comments

  1. This is a great example... by craenor · · Score: 4, Informative

    Of the fact that lawyers will argue over anything.

    Heh, this seems to be a discussion about whether they used "approved methods" of retrieving a deleted email. According to one person, the LinuxGNU was the only one approved by NIST (national institute of standards and technologies). This of course, is wrong...NIST doesn't "approve" software, they just test it and declare whether or not it works.

    1. Re:This is a great example... by Anonymous Coward · · Score: 0

      Why is this being moderated, before any mirrors are up, and while the site is being /.'ed? The moderators can't access the site to evaluate this comment.

      The comment might be good; we can't tell.

      What we can tell is that moderators are either clairvoyant or on auto pilot.

    2. Re:This is a great example... by craenor · · Score: 1, Offtopic

      Huh? My comment hasn't been moderated. It started at +2 and is still at +2 as of this writing...

    3. Re:This is a great example... by spatrick_123 · · Score: 1

      Or maybe, just maybe the original poster used their +1 bonus. I would say this is likely, considering that when looking at the comment there is no moderation information at the bottom of it. Not to mention that the site is not /.ed - I just retrieved the article without any problem. Then again, I'm probably just feeding a troll.

    4. Re:This is a great example... by Anonymous Coward · · Score: 0

      Your comment appears to be a direct quote from the article.

    5. Re:This is a great example... by craenor · · Score: 2

      this seems to be a discussion

      In saying that, I was trying to convey the message that my comments were a summary of a portion of the discussion added to provide relevance to my comments. Sorry if this was confusing.

  2. At least... by Ironica · · Score: 3, Funny

    ...someone in the government seems to realize that Microsoft can't be trusted ;-)

    --
    Don't you wish your girlfriend was a geek like me?
  3. Secure File Deletion by b1ng0 · · Score: 5, Informative

    To anyone who is concerned about having their deleted files recovered, take a look at Wipe - in its strongest mode it will make 37 passes over the data in order to be sure that electron microscopes cannot reconstruct the bit patterns.

    1. Re:Secure File Deletion by caluml · · Score: 2

      Or of course there is shred.

      From the man page: shred delete a file securely, first overwriting it to hide its contents

      It comes with the fileutils package (on RedHat anyway). Can't see any differences between wipe and shred. Apart from the fact that one comes already installed. Is there any difference?

    2. Re:Secure File Deletion by Anonymous Coward · · Score: 0

      For 'doze, there's this.

      http://www.jetico.com/index.htm#/bcwipe.htm

    3. Re:Secure File Deletion by zabieru · · Score: 1

      PGP will do this too. In fact, it also has a mode that will wipe all the free space on your drives.

    4. Re:Secure File Deletion by Speare · · Score: 4, Informative

      It seems that journaling filesystems like ext3 cause hell for secure deletions, because changes aren't always committed as the application level assumes and requires. Has anyone suggested a kernel/filesystem hook to make secure media deletions possible?

      --
      [ .sig file not found ]
    5. Re:Secure File Deletion by Pathwalker · · Score: 3, Informative

      Or, for FreeBSD, you could just do rm -P.

      Overwrite regular files before deleting them. Files are overwritten three times, first with the byte pattern 0xff, then 0x00, and then 0xff again, before they are deleted.

    6. Re:Secure File Deletion by Anonymous Coward · · Score: 2, Insightful

      You can't trust those tools anymore. Today's hard drives will physically move sectors around on disk to avoid areas that are bordering on causing media errors.

    7. Re:Secure File Deletion by bloxnet · · Score: 5, Informative

      Wipe is a nice program, but it is simply overkill. It has been shown in studies that typically 3 passes of a data wiping program should make your data non-recoverable by standard means (using popular forensics tools such as EnCase, Maresware, NTI's batch of programs, or disk editors on whatever platform you are interested in). As to how much the U.S. government investigators are able to retrieve...well that falls into your urban legends category I suppose. For the most part, DoJ guidelines suggest wiping your data 7 times as part of the norm. This is because of the non-precise manner in which hard drive read/write heads pass over the disk itself (more of a wobble rather than a perfect circular motion). I just recently saw a whitepaper on Encase's site that covered users of WinXP using EFS (encrypted filesystem) secure deletion (which just does 3 passes) that makes recovery of the deleted files not possible; this is the whitepaper.

      Just as the above referenced article concludes, it should be kept in mind that there are so many places to look on Windows and Unix machines other than what files were deleted. Perhaps pictures of your latest porn stash or the Word document covering your NDA violations are gone, but registry settings, file slack (as was mentioned in the parent article briefly), pagefiles, memory dumps, and many other locations that track your activities on a given machine can be used as well.

      Wow, I did not mean to get so long winded...I just really get into computer forensics. My personal advice for decent file security and deletion is encryption + multi-pass deletion. There are several encrypted filesystems out there for both Windows and *nix, and a few options that are viable with both (BestCrypt File system containers and also BCWipe for deletion is a good example). I don't see the need to start advertising products, so check out the options for OS level and OS independent solutions.

    8. Re:Secure File Deletion by Alsee · · Score: 3, Interesting

      byte pattern 0xff, then 0x00

      A little knowledge is a dangerous thing :)
      0xff is the value for a string of all 1's and 0x00 is the value for a string of all 0's, but hard drives actually record entirely different bit sequences. And different hard drives use different encodings. Without knowing the specific encoding the current drive uses, your best bet is probably to write random values.


      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    9. Re:Secure File Deletion by Russ+Steffen · · Score: 3, Informative

      The hook is already there. chattr can set a "secure delete" extended attribute on a file or directory which will make a subsequent normal rm perform a secure delete. However, the man page says it's not implemented yet, but said man page hasn't been updated since kernel version 2.2.

    10. Re:Secure File Deletion by nomadic · · Score: 0, Offtopic

      Note to slashdot users:

      Nobody is interested enough in your files to use an electron microscope to reconstruct the bit patterns.

    11. Re:Secure File Deletion by Anonymous Coward · · Score: 0

      I think you mean "logically move sectors". :) Unless the noise my hard drive makes is the sound of the sectors on the platters rearranging themselves.

    12. Re:Secure File Deletion by Anonymous Coward · · Score: 0

      I recall reading that you need to make 7 passes to be secure by govt standards, preferably with more than three byte patterns. Sorry, no article to cite.

    13. Re:Secure File Deletion by sigwinch · · Score: 3, Interesting

      0xff is the value for a string of all 1's and 0x00 is the value for a string of all 0's, but hard drives actually record entirely different bit sequences.

      Possibly even variable-length sequences, if a run-length-limited code is used. In which case writing random data a few dozen times could easily leave a big chunk of slack space untouched. Erase/write simply isn't good enough.

      The only way to be sure is to nuke the hard drive from orbit. ;-)

      --
      Kuro5hin.org: where the good times never end. ;-)

    14. Re:Secure File Deletion by Your+Anus · · Score: 1

      This has been discussed before, I think in an article where the government was going to donate old computers to schools. Someone was wondering what might be left on the hard drives of said computers.

      The answer from anyone with a government security background was that the physical platter must be destroyed to truly be secure, so there wouldn't be anything left. This is done with any media that has or had classified material on it, even stuff returned for warranty.

      Basically, the procedure is to grind the magnetic material off of the platters, or just dump them in an acid bath until the platters dissolve.

      Of course seven writes over the same spot more or less leaves you vulnerable only to the electron microscopy or SQUID type of analysis.

      --

      In the USA, we like stuff watered down, like beer, television, and freedom.
    15. Re:Secure File Deletion by Trolling4Dollars · · Score: 1

      Ummm... moderator: EXCUSE ME? Mod this guy up! He makes a valid point. Unless you have something to hide, you shouldn't need anything better than rm or del. Your government is never going to be interested in the data that is on "Joe User's" computer unless he's involved with something that your government doesn't approve of. Considering that I am not a fan of the current government in the US (we have a monkey that I didn't vote for as our president), I still have no concern that they want to tap into my machines. And if they did, they wouldn't find a damn thing. So... no need for encryption or secure delete for me. I just figure, if you follow the rules of our collective societies, then there is nothing to worry about.

    16. Re:Secure File Deletion by Julian+Morrison · · Score: 3, Interesting

      Does anyone know of a "wipe" style utility that can also wipe unused disk space (deleted inodes etc) on linux?

    17. Re:Secure File Deletion by Anonymous Coward · · Score: 0

      If the data written is really random, it will be incompressible. So writing random (like in /dev/random) data is probably more secure than writing random (as in human selected byte values) data. :)

    18. Re:Secure File Deletion by Noel · · Score: 2

      Check out secure delete.
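
What the overwrite-then-delete tools named in this thread (wipe, shred, rm -P, BCWipe) do in outline, as an added Python example that is none of those programs' code: each pass rewrites the file's current blocks and is fsynced before the next, the final pass is random bytes (the point Alsee makes about unknown drive encodings), and the name is randomised before unlinking in the manner of shred -u. The function names, the pass list and the temporary file in `demo()` are constructed for this example. The caveats raised above still hold: a journaling or copy-on-write filesystem may put the rewrite in fresh blocks, and a sector the drive has remapped keeps its old copy, so this only reaches the blocks the filesystem currently maps to the file.

```python
import os
import secrets
import tempfile

# Overwrite passes: all-ones, all-zeros, then random bytes (None). The drive's own
# encoding is unknown, so the final pass leaves no fixed pattern behind.
PASSES = (b"\xff", b"\x00", None)


def _write_all(fd: int, buf: bytes) -> None:
    # os.write may write fewer bytes than asked; loop until the whole buffer is written
    view = memoryview(buf)
    while view:
        n = os.write(fd, view)
        view = view[n:]


def overwrite_file(path: str, passes=PASSES, chunk: int = 64 * 1024) -> int:
    """Overwrite a file's blocks in place, one pass per pattern, fsync after each pass.

    Only the blocks currently mapped to the file are touched: a journaling or
    copy-on-write filesystem may write elsewhere, and a remapped sector is out of reach.
    Returns the total number of bytes written across all passes.
    """
    size = os.path.getsize(path)
    written = 0
    fd = os.open(path, os.O_WRONLY)  # no O_TRUNC: keep the existing block mapping
    try:
        for pattern in passes:
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                buf = secrets.token_bytes(n) if pattern is None else pattern * n
                _write_all(fd, buf)
                remaining -= n
                written += n
            os.fsync(fd)  # push this pass to the device before starting the next one
    finally:
        os.close(fd)
    return written


def secure_remove(path: str, passes=PASSES) -> int:
    """Overwrite, rename to a random name so the old name leaves the directory, then unlink."""
    written = overwrite_file(path, passes)
    hidden = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, hidden)
    os.unlink(hidden)
    return written


def demo() -> dict:
    """Constructed run: a temporary file holding a known marker is overwritten, read back
    to confirm the marker is gone, then removed."""
    marker = b"DRAFT E-MAIL: constructed sample content "
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "draft.txt")
    with open(path, "wb") as f:
        f.write((marker * 200)[:4096])
    overwritten = overwrite_file(path)
    with open(path, "rb") as f:
        after = f.read()
    secure_remove(path)
    removed = not os.path.exists(path) and os.listdir(workdir) == []
    os.rmdir(workdir)
    return {
        "bytes_overwritten": overwritten,   # 3 passes over 4096 bytes
        "marker_gone": marker not in after,
        "size_unchanged": len(after) == 4096,
        "removed": removed,
    }


if __name__ == "__main__":
    print(demo())
```

A wipe of free space, which Julian Morrison asks about later in the thread, is a different operation (filling the filesystem's unallocated blocks rather than one file's blocks) and is not what this routine does.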

  4. Hotmail and Privacy in this article: by Anonymous Coward · · Score: 0

    MSN Hotmail subscriber information is not shared with other entities or third parties except as follows:

    (A) Non-personally identifiable information (e.g., demographics information such as age, city, state and postal code) is shared with the MSN Hotmail marketing department;

    (B) In 2001, account name, city, state and postal code were shared with INFOSPACE, a web-based publisher of an e-mail address directory, if, at the time of registering the account, the account subscriber did not elect to prohibit the sharing of this information;

    (C) MSN Hotmail account e-mail is automatically deleted whenever the account subscriber fails to access the account for a period of thirty (30) days;

    (D) A MSN Hotmail account is automatically deleted, and no record of it is thereafter maintained by MSN Hotmail, whenever the account subscriber fails to access the account for a period of 90 days;

    (E) While, in theory, there could be references to a subsequently deleted hotmail e-mail account stored in data of other Microsoft services (e.g., a message posted to a MSN Group), such references would not be traceable to the registration information of that account holder as it would already have been deleted.

    1. Re:Hotmail and Privacy in this article: by zabieru · · Score: 2, Informative

      You do realize that in the event of a search warrant or subpoena that privacy policy no longer applies, right? Of course, they can't turn over anything they no longer have, but if they have it the government will too. On a side note, the libraries in my city (seattle) have a very explicit privacy policy that states that they do not ever save information about books a patron has read and returned. The only things on the books are currently checked-out items, for exactly this reason.

    2. Re:Hotmail and Privacy in this article: by MacAndrew · · Score: 1

      Are you sure your library wipes its disks? :) Good policy, though.

      I was pretty alarmed at the pathetic effort of the Starr inquiry to get the lists of who bought what at a local bookstore here in Washington, named Politics & Prose. The store resisted divulging Lewinsky's purchases; I don't recall the outcome.

    3. Re:Hotmail and Privacy in this article: by arkanes · · Score: 2

      Well, it's not like privacy policies are legally binding or anything, either. You can promise all the privacy you want but be lying through your teeth.

    4. Re:Hotmail and Privacy in this article: by tqft · · Score: 1

      I keep telling people - don't use Hotmail, the interface sucked last time I used it, it wants you to use Passport before you can log on and it seems to spend a lot of time down and is generally unreliable (the EULA specifically said last time I read it) there is no guarantee of anything being there or anything working. However, for a terrorist or other undesirable it seems perfect - no backups. None. Zilch. Zero. No way to recover from any failure other than rebuilding the file system where it was (IIRC from the last time Hotmail imploded). If it is still there you get lucky and the app can read your mail and you can get it, other than that you are dead.

      --
      The Singularity is closer than you think
      Quant
    5. Re:Hotmail and Privacy in this article: by Helter · · Score: 2

      Are you sure about that? I thought that published privacy policies were considered legal contracts..?

    6. Re:Hotmail and Privacy in this article: by arkanes · · Score: 2

      Well, you could go both ways on it. But I can't imagine how they could be. There's no specific law for them, as far as I know, and they don't fall under any other area of contract law (for many of the same reasons EULA's don't). Best you could do would be to sue for nebulous damages that arose from a website giving out your personal info, which you could do privacy policy or no, but you'd have an easier time in court if they had one they violated.

  5. Breaking News! by chunkwhite86 · · Score: 4, Funny

    Linux is used by humans outside of the Slashdot community! Stay Tuned!

    --
    I'd rather be a conservative nutjob than a liberal with no nuts and no job.
  6. it figures! by Anonymous Coward · · Score: 0

    Linux, the OS used only by dirty hippies, communists, and terrorists. Don't fall into the trap!

    1. Re:it figures! by Anonymous Coward · · Score: 0

      You can add Fascist Bully Boys to that list.

  7. Oh Please! by Snowbeam · · Score: 5, Interesting

    How is this news? They are using "dd", a Linux utility. Seeing "Linux" in an article does not warrant a story about it. This demeans Linux by using every little scrap of news to attempt to show that it is in use. Instead we should be demonstrating its uses, rather than reporting that it is in use.

    --
    I am Lord Snowbeam. Heed my call!
    1. Re:Oh Please! by The+Turd+Report · · Score: 3, Informative

      To be honest, 'dd' is not a Linux utility. Various *nixes used it before Linux was even started.

    2. Re:Oh Please! by zabieru · · Score: 1

      Actually, it's even more demeaning, because the government DIDN'T USE Linux. They merely listed it as an option. If you read on, it was an option which was not used.

    3. Re:Oh Please! by Covener · · Score: 1

      and os/360 JCL programmers were using DD before it found its way into unix...

    4. Re:Oh Please! by kasperd · · Score: 2

      To be honest, 'dd' is not a Linux utility. Various *nixes used it before Linux was even started.

      In fact dd is even overkill for this purpose. The same could be achieved by cat or something even simpler. This task is so simple that we shouldn't really care how they did it. I could have written a 42 line Turbo Pascal program under DOS that could do it.

      --

      Do you care about the security of your wireless mouse?
    5. Re:Oh Please! by WWWWolf · · Score: 0, Offtopic

      How is this news?

      How many times I've been thinking "Oh, people are again Tuning with some expensive and clumsy programs, if they would have been using *NIX this would have been a lot easier." ... well, in this case, they actually did the Obvious Thing: used dd to copy image of a drive. =)

      "If I had been making an image of the disk, I would have used dd... oh, wait, they used dd. Never mind."

      But yes, still hardly newsworthy.

    6. Re:Oh Please! by TheToon · · Score: 1

      hehe, I bet most ppl here wouldn't know a JCL if it jumped up and bit them in the... nose. :)

      But DD != dd ;)

      --
      //TheToon
    7. Re:Oh Please! by geeknik · · Score: 0, Flamebait

      Well Lord Snowbeam, although I do agree with you that slashdot's article news-worthy discriminator is outta whack most of the time, this at least beats 90% of the 'ask slashdot' articles. They are using "dd" a Linux utility. As someone else mentioned "dd" isn't Linux specific, but if you're going to call it a "Linux utility" you should probably at least call it a GNU/Linux utility... unless you don't want to, then what do I care

    8. Re:Oh Please! by someonehasmyname · · Score: 1

      They used SafeBack

      --
      Common sense is not so common.
    9. Re:Oh Please! by Anonymous Coward · · Score: 0

      hehe, I bet most ppl here wouldn't know a JCL if it jumped up and bit them

      I'm guessing it means "job control language" but I have to admit it's way before my time.

    10. Re:Oh Please! by TheToon · · Score: 1

      Yep. Simplified; on a mainframe batch jobs/programs are submitted to a job queue and the JCL describes the job. What execution class it should run in (execution class = priority, memory size available etc), what files or devices (datasets) it should read and write to (DD = Data Definition).

      This is all under control of HASP/JES in different versions and various operating systems.

      So basically: programmer compiles programs, submits JCL and program to JES3 and waits for it to run and get output. First hurdle is to get past the "JCL Error" step :)

      --
      //TheToon
    11. Re:Oh Please! by finkployd · · Score: 2

      So basically: programmer compiles programs, submits JCL and program to JES3 and waits for it to run and get output.

      Not to nit pick, but significantly more shops run JES2 than JES3. JES3 in my experience was a pretty big step backwards.

      Finkployd

  8. Re:Go to fucking bed micheal by Anonymous Coward · · Score: 0

    What the fuck is a billiard?

    I don't know, but I think it has something to do with a type of pool you can't swim in.

  9. billiard by Anonymous Coward · · Score: 0

    A shot in billiards in which the cue ball successively strikes two other balls.

    So, uh, shut the fuck up.

    1. Re:billiard by titzandkunt · · Score: 0

      That would be a "cannon" wouldn't it?

      So you shut the fuck up.

      Example of a truly stupefying misuse of cannons in billiards

      T&K.

      --
      Political language ... is designed to make lies sound truthful and murder respectable...
  10. NIST Computer Forensics Tool Testing by metatruk · · Score: 5, Informative

    From the article:

    Before addressing the authentication for the four specific computers, an error in Mr. Allison's affidavit must be corrected. In his affidavit, Mr. Allison writes: "Many methods are available to create an exact duplicate; however, only one method - the GNU/Linux routine dd - has been approved by the National Institute of Standards and Technologies." Allison Affidavit at 3. This statement is simply wrong. The National Institute of Standards and Technologies (NIST) does not "approve" software, it merely tests it and then publishes the results of its tests.

    The test results are available here:
    http://www.ojp.usdoj.gov/nij/sciencetech/cftt.htm

    1. Re:NIST Computer Forensics Tool Testing by metatruk · · Score: 2, Informative

      Or more specifically, here:
      http://www.ncjrs.org/pdffiles1/nij/196352.pdf

    2. Re:NIST Computer Forensics Tool Testing by Florian+Weimer · · Score: 2

      Or more specifically, here:
      http://www.ncjrs.org/pdffiles1/nij/196352.pdf

      Wow, 62 pages for an evaluation of "dd". The whole source code of the program is just 20 pages.

    3. Re:NIST Computer Forensics Tool Testing by Crus7y · · Score: 2, Funny

      Hee! Now you know why programmers hate to write documentation!

  11. electron microscopes by Alien54 · · Score: 4, Interesting

    I am confused. (yes, we all know this)

    The document states that image files were generated of the contents of the hard drives. I do not have confidence that an image would also display latent data.

    I know myself that when I do a data recovery on a system, I can get many more megs of recovered data from file fragments, deleted folders, etc. than can fit on the drive. Most of this extra stuff is junk data, but you get the idea.

    There is no substitute for the original.

    Recovery can require a minimum of specialized software or be as complicated as looking at the platters under an electron microscope. I see nothing here that indicates use of such specialized technology, and yet this is supposed to be a national security matter.

    --
    "It is a greater offense to steal men's labor, than their clothes"
    1. Re:electron microscopes by MeanMF · · Score: 1

      dd does a complete image copy of the partition, byte by byte... It doesn't matter what's on the drive, what file system it is, etc. It copies everything.

    2. Re:electron microscopes by g4dget · · Score: 4, Interesting

      The document states that image files were generated of the contents of the hard drives. I do not have confidence that an image would also display latent data.

      It's pretty clear what "dd" images: the entire content of the hard disk drive as it is readable by its disk controller. It won't image residual data that has been erased.

      I know myself that when I do a data recovery on a system, I can get many more megs of recovered data from file fragments, deleted folders, etc. than can fit on the drive. Most of this extra stuff is junk data, but you get the idea.

      Unless your recovery efforts involve custom hardware, the disk image obtained with "dd", together with bad block information and drive geometry, contains every bit of information you are ever going to get out of that drive. Any software-based recovery working on that image is going to be equivalent to recovery working on the original drive.

      Trying to recover data that has been physically overwritten, using analog methods or imaging, is so expensive and time consuming that it is feasible only in special cases.
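
The point g4dget makes above, that a dd image plus its bad-block information is everything software-based recovery will ever get, as an added Python example that is not code from the thread or from dd itself: a block copier with the semantics of `dd conv=noerror,sync` run over a constructed in-memory device, followed by the digest comparison the affidavit describes. `Device`, `sample_disk`, `image_device` and the sector contents are all constructed for this example. It also shows the caveat a practitioner wants: a sector the controller refuses to read is zero-filled, so when that sector was genuinely zero the digests still agree and only the bad-block list records that a read failed.

```python
import hashlib

BLOCK_SIZE = 512  # sector-sized blocks, what a dd run with bs=512 reads


class Device:
    """Constructed stand-in for a raw block device: a byte string plus the set of
    sector numbers the (pretend) controller refuses to read."""

    def __init__(self, data: bytes, bad_sectors: set):
        self.data = data
        self.bad = bad_sectors
        self.pos = 0

    def seek(self, pos: int) -> None:
        self.pos = pos

    def read(self, n: int) -> bytes:
        if self.pos // BLOCK_SIZE in self.bad:
            # What a failing sector looks like to dd: the read() call errors out
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def sample_disk() -> bytes:
    """Eight constructed sectors: a superblock stand-in, a live file, a file whose
    directory entry is gone but whose bytes remain, and never-written space."""
    superblock = b"SUPERBLOCK".ljust(BLOCK_SIZE, b"\x00")
    live = b"live file: quarterly report".ljust(BLOCK_SIZE, b" ")
    deleted = b"deleted file: draft e-mail text".ljust(BLOCK_SIZE, b" ")
    empty = b"\x00" * BLOCK_SIZE
    return superblock + live * 3 + deleted + empty * 3


def image_device(dev, size: int, block_size: int = BLOCK_SIZE):
    """Copy every block of `dev` into an image, the way `dd conv=noerror,sync` does.

    A block the controller cannot read is zero-filled so later blocks keep their
    offsets, and its number is recorded: the bad-block list belongs with the image,
    because a zero-filled bad block is indistinguishable from a block of real zeros.
    """
    image = bytearray()
    bad_blocks = []
    for block_no in range((size + block_size - 1) // block_size):
        dev.seek(block_no * block_size)
        try:
            chunk = dev.read(block_size)
        except OSError:
            bad_blocks.append(block_no)
            chunk = b""
        image += chunk.ljust(block_size, b"\x00")  # conv=sync: pad short or failed reads
    return bytes(image), bad_blocks


def digests(blob: bytes) -> dict:
    return {"md5": hashlib.md5(blob).hexdigest(), "sha1": hashlib.sha1(blob).hexdigest()}


def image_matches(original: bytes, image: bytes) -> bool:
    """The check the affidavit describes: digests of source and copy agree."""
    return digests(original) == digests(image)


def run_demo() -> dict:
    disk = sample_disk()
    clean, clean_bad = image_device(Device(disk, set()), len(disk))
    lost, lost_bad = image_device(Device(disk, {4}), len(disk))      # unreadable sector held data
    silent, silent_bad = image_device(Device(disk, {6}), len(disk))  # unreadable sector was zeros
    return {
        "clean_matches": image_matches(disk, clean) and clean_bad == [],
        "deleted_text_in_image": b"deleted file" in clean,  # unallocated space is copied too
        "lost_matches": image_matches(disk, lost),
        "lost_bad_blocks": lost_bad,
        "silent_matches": image_matches(disk, silent),      # digests agree, yet a read failed
        "silent_bad_blocks": silent_bad,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `silent` case is why the bad-block list is evidence in its own right: without it, a matching digest says nothing about whether every sector was actually read.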

    3. Re:electron microscopes by Covener · · Score: 1

      It isn't an effort to get at 'hidden' data. It's an effort to allow many people to have access to the data that was on the disk when it was imaged.

      Otherwise you're trusting someone else's report, or passing around a mechanical disk (defense attorneys wouldn't be so thrilled about either).

    4. Re:electron microscopes by Anonymous Coward · · Score: 0

      Trying to recover data that has been physically overwritten, using analog methods or imaging, is so expensive and time consuming that it is feasible only in special cases.

      One would surmise that the "20th hijacker" would qualify as a special case.

    5. Re:electron microscopes by Anonymous Coward · · Score: 0

      The FBI is a joke. They did not even bother to take drives from kinkos. Something very wrong is going on.

    6. Re:electron microscopes by Anonymous Coward · · Score: 0

      The justice system has limited amounts of resources. How many murder or violent crime cases do you want not prosecuted because of the money spent on analyzing this guy's hard drive more thoroughly? How many innocent people are you willing to accept getting wrongly convicted because money spent on their cases was allocated to building an even stronger case against the "20th hijacker"?

    7. Re:electron microscopes by Vengeance · · Score: 1

      I would suggest that airliners being crashed into skyscrapers qualifies as 'special cases'. The original hard drives should have been seized, and the contents should have been gone over by a team of experienced data recovery specialists. The kind of people you call when you've just had a bad head crash and you just learned that the same broken backup tape has been sitting in the drive for three years.

      --
      It was a joke! When you give me that look it was a joke.
  12. Re:Why not a windows tool by SwellJoe · · Score: 2

    A troll, of course, but due to lack of moderator points:

    dd /dev/hdb

    Yep. That would be much simpler under Windows.

  13. CRC/SHA-1/MD5 by MeanMF · · Score: 1, Interesting

    If the hash value of the original prior to duplication matches identically the hash value after the duplication, one may conclude that the duplicate file accurately reflects the data on the original file. The fact that the hash values match is typically more important than the hash values themselves.

    Are they saying that two different files can't have the same hash value? That's a load of crap! It's not hard at all to modify data to create any hash value that you want, especially when you're including "deleted space" in the CRC calculations... It's good at telling you if there were any random modifications caused by errors during copying, but not that the files are identical.

    1. Re:CRC/SHA-1/MD5 by Henry+V+.009 · · Score: 2

      Sure you can. But to be able to do it with something like MD5, you need to factor some very large prime numbers. Hence the security.

    2. Re:CRC/SHA-1/MD5 by Henry+V+.009 · · Score: 3, Funny

      Oops...If they were prime, they would be easy to factor. You need to factor the products of some very large primes.

      (The last post wasn't a mistake--it was my intentional FUD to keep the terrorist from figuring out RSA. Shhhh!)

    3. Re:CRC/SHA-1/MD5 by metatruk · · Score: 5, Informative

      Are they saying that two different files can't have the same hash value? That's a load of crap! It's not hard at all to modify data to create any hash value that you want

      From http://www.itl.nist.gov/fipspubs/fip180-1.htm:

      The SHA-1 is called secure because it is computationally infeasible to find a message which corresponds to a given message digest, or to find two different messages which produce the same message digest. Any change to a message in transit will, with very high probability, result in a different message digest, and the signature will fail to verify.

      So yes, two different files can have the same hash, but it's infeasible to do this. That's why hashing methods like SHA are used in cryptography; SHA-1 is used in DSA signatures.

    4. Re:CRC/SHA-1/MD5 by Anonymous Coward · · Score: 0

      bear in mind these are lawyers we're talking about, and probably ones that are not exactly technically minded enough to realize the significance of hashes and message digests in computers.

    5. Re:CRC/SHA-1/MD5 by Edgewize · · Score: 2

      That's a load of crap! It's not hard at all to modify data to create any hash value that you want, especially when you're including "deleted space" in the CRC calculations...

      CRC-32, sure. CRC is meant to check for small random transmission errors, not to function as a secure hash algorithm. But if you've figured out a way to force data to match a given SHA-1, you better get a press agent and a secretary because every crypto nut in the world is gonna call bullshit. And no, "trying lots of combinations" doesn't count.

    6. Re:CRC/SHA-1/MD5 by kfg · · Score: 2

      No, what they are saying is that they copied a disc and the two discs had the same hash value.

      If you *don't care* what the contents of the original disc are, as is the case with forensic investigation, only that the dupe accurately reflects it, then checking the hash value of both against each other is a perfectly valid test.

      What they're testing for here *is* random errors in the copy process, not intentional tampering.

      KFG

    7. Re:CRC/SHA-1/MD5 by bwt · · Score: 3, Informative

      Are they saying that two different files can't have the same hash value? That's a load of crap! It's not hard at all to modify data to create any hash value that you want, especially when you're including "deleted space" in the CRC calculations... It's good at telling you if there were any random modifications caused by errors during copying, but not that the files are identical.

      There are no known examples of two files that have the same MD5 (or SHA-1) hash values, so I think you should reevaluate your statement. While it certainly is true that such files do exist (2^128 MD5 values, > 2^128 possible files, pigeon-hole principle, etc...), that does not mean that finding them is computationally easy or even possible.

      A brute force search of files would require ~2^128 files to be searched to find a match. If 2^32 computers each processed 2^16 files a second on average per year (60*60*24*365 20^30 seconds), then it would take greater than 2^50 years to find a match. Equivalently, the odds that any of the files that have ever been produced by humans have the same MD5 are pretty bad.

      It might be possible that a cryptographic flaw in MD5 exists that could be exploited to reduce the number of files that needed to be searched. I believe no such flaw is known. If one does exist, I'm quite sure it doesn't provide dramatic benefits.

    8. Re:CRC/SHA-1/MD5 by Anonymous Coward · · Score: 0

      Speaking from personal research related to Cryptography research and such, I can vouch that this is correct.

      It is computationally infeasible to get two blobs of data that generate the same Hash. In fact in the years of research since Hashing has been in the scientific domain, no credible attack has been identified yet.

      ---
      The more important question here is not:
      "is the duplicate a faithful copy of the original?", but rather:

      "Has the original been tampered with?"

      I really hope the defense realizes this.

    9. Re:CRC/SHA-1/MD5 by Zeinfeld · · Score: 2

      Sure you can. But to be able to do it with something like MD5, you need to factor some very large prime numbers. Hence the security.

      Sorry, not even close.

      MD5 has been compromised in a paper by Hans Dobbertin of the German Ministry of Information. The compromise is less than a total break but it is also now 8 years old.

      MD5 uses only operations on 32 bit integers, addition, rotation and booleans. It does not use large integers or prime numbers.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    10. Re:CRC/SHA-1/MD5 by MeanMF · · Score: 3, Interesting

      There are no known examples of two files that have the same MD5 (or SHA-1) hash values

      Sorry, my original message was kind of weak :)
      The programs that the government uses to do the copy use CRC32, which is very easy to get around. The CRC32 values are listed in section 13 of the expert's affidavit. The government says that this is enough to authenticate the data.

      SafeBack and the Logicube SFK-000A incorporate reliable internal CRC verification techniques, CART procedures do not require examiners to generate separate MD5 or SHA-1 hashes for computers imaged using SafeBack or Logicube SFK-000A disk duplicator....All hard drives in this case were imaged by one of the three programs used by the FBI, all of which are recognized by the scientific community as reliable imaging programs. Thus, there should be no question about the authenticity of any of the hard drives.

      In terms of authenticating evidence for use in court, shouldn't the government be using something stronger than CRC? If I were on the defense's side, I would tear this apart - the MD5 hash that they eventually received was taken well after the original image was created, leaving plenty of time to alter any data. There was ample opportunity for somebody (whether as part of a "government conspiracy" or as an overzealous investigator/prosecutor) to alter both the image and the original hard drive before taking the MD5 hash, and before the image was delivered to the defense as part of discovery. There's no use in having an MD5 hash if all it is doing is verifying that you have an exact copy of data that has been tampered with. The government should, as standard practice, take the MD5 hash before they even make the first image, and preserve that record along with other evidence. This would make it much more difficult for the defense to claim that the data presented in discovery or at trial is not authentic.
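
The acquisition procedure argued for in the post above, written out as an added example (this is not code from the page, nor from SafeBack, Logicube or the FBI CART procedures): hash the source before the first image is taken, hash the byte stream while it is copied, hash the image and re-hash the source afterwards, and keep all four values in a custody record so that a later check compares the image against the digest taken at acquisition time rather than against a hash computed months later. A plain file stands in for the drive, the function names (`acquire`, `verify_later`) are this example's own, and SHA-256 is used where the case used MD5 and CRC-32; the timing argument does not depend on the digest.

```python
import hashlib
import os
import tempfile
import time

# Added example: dd-style acquisition with hashes taken at the right moments.
# The shell equivalent of acquire() is:  dd if=SRC bs=1M | tee IMG | sha256sum
# Names and the custody-record layout are assumptions of this example.

CHUNK = 1 << 20  # 1 MiB per read, analogous to dd bs=1M


def digest_file(path, algo="sha256"):
    """Hash a file in chunks so multi-gigabyte images never sit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image, algo="sha256"):
    """Copy source -> image and return a custody record with four digests."""
    record = {"algo": algo, "source": source, "image": image}
    # 1. Hash the source BEFORE anything is copied from it.
    record["source_before"] = digest_file(source, algo)
    # 2. Hash the stream as it is written, so the digest covers the bytes
    #    actually read, not a second read of a drive that may be failing.
    h = hashlib.new(algo)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    record["stream"] = h.hexdigest()
    # 3. Independently hash the finished image and re-hash the source.
    record["image_after"] = digest_file(image, algo)
    record["source_after"] = digest_file(source, algo)
    record["acquired_at"] = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return record


def acquisition_consistent(record):
    """True only if all four digests agree: source untouched, copy exact."""
    keys = ("source_before", "stream", "image_after", "source_after")
    return len({record[k] for k in keys}) == 1


def verify_later(record, image=None):
    """Check an image against the digest recorded at acquisition time.

    A hash computed only now would match a tampered image just as happily;
    comparing against record['source_before'] is what ties the image to the
    drive as it was when it was first seized.
    """
    return digest_file(image or record["image"], record["algo"]) == record["source_before"]


def demo():
    """Constructed input: a small fake drive, imaged, then tampered with."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "drive.bin")
    img = os.path.join(d, "drive.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # deliberately not a block multiple
    rec = acquire(src, img)
    ok_before = acquisition_consistent(rec) and verify_later(rec)
    # Flip one byte in "unused" space of the image after acquisition.
    with open(img, "r+b") as f:
        f.seek(CHUNK + 7)
        b = f.read(1)
        f.seek(CHUNK + 7)
        f.write(bytes([b[0] ^ 0x01]))
    ok_after = verify_later(rec)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

The one-byte change is caught only because `source_before` exists; had the first digest been taken from the image weeks later, as in the filing, it would have matched the altered copy.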

    11. Re:CRC/SHA-1/MD5 by MeanMF · · Score: 1

      What they're testing for here *is* random errors in the copy process, not intentional tampering.

      But they're trying to pass it off as testing for both:

      "Authentication" in this context means the process of ensuring that the duplicate of the hard drive provided in discovery is an exact copy of what the FBI originally acquired...All hard drives in this case were imaged by one of the three programs used by the FBI, all of which are recognized by the scientific community as reliable imaging programs. Thus, there should be no question about the authenticity of any of the hard drives

      All of these tools use CRC32.

    12. Re:CRC/SHA-1/MD5 by Anonymous Coward · · Score: 0
      If you have to make your sig/screed bold that tells me you're desperate to get your message out. If it were true or worth reading you wouldn't need the bold.

      Rather pathetic.

    13. Re:CRC/SHA-1/MD5 by Paul+Jakma · · Score: 2

      that does not mean that finding them is computationally easy or even possible.

      Actually, there are well known issues with MD5 that make it susceptible to collision searches, see:

      H. Dobbertin, "The Status of MD5 After a Recent Attack", RSA Labs' CryptoBytes, Vol. 2 No. 2, Summer 1996.
      http://www.rsa.com/rsalabs/pubs/cryptobytes.html

      don't think that URL works anymore. This one does, in which Robshaw gives an overview of the problems:

      ftp://ftp.rsa.com/pub/pdfs/bulletn4.pdf

      Basically, it has been demonstrated by Dobbertin in 1996 that data with a colliding hash can be found with 10-odd hours of processing from a (by now very low powered) PC. Admittedly only for the compression round of MD5, not for the full set of rounds specified by MD5, however it is feared that existing techniques (ie those used to break MD4) can be applied to MD5. (indeed this is what Dobbertin demonstrated). TTBOMK there is no known collision attack against the full MD5 algorithm. (least not public knowledge anyway :) )

      So your assertion is incorrect with respect to MD5.

      SHA-1 is currently considered to be safe from hash collision attacks. However, that is not really relevant as the FBI specifically are using CRC-32 and MD5.

      However, presuming that the question is not one of the FBI having deliberately modified the images, it does not /matter/ that MD5 is on shaky ground with respect to strength against collision attacks. The use of MD5 here is to verify that the copies are the same as the original images and that there weren't any errors introduced during copying. For this purpose MD5 is fine.

      --
      I use Friend/Foe + mod-point modifiers as a karma/reputation system.
    14. Re:CRC/SHA-1/MD5 by TheCabal · · Score: 1

      Are they saying that two different files can't have the same hash value? That's a load of crap! It's not hard at all to modify data to create any hash value that you want, especially when you're including "deleted space" in the CRC calculations... It's good at telling you if there were any random modifications caused by errors during copying, but not that the files are identical.

      It's extremely unlikely to produce two different files that produce the same SHA-1/MD-5 hash, not impossible. CRC, on the other hand, is a lot easier. If two files produce the same SHA-1 or MD-5 hash, it is very, very likely that the files are identical.

    15. Re:CRC/SHA-1/MD5 by Henry+V+.009 · · Score: 2

      A message...I don't know that it's even a complete sentence. I thought the bold just made it stand out from the rest of my post. You know, make it easy for people to see that it's a sig.

      Sorry if the over-the-top emphasis on the letters made your eyes hurt. I'm sure that a couple aspirin will make the headache go away by morning.

    16. Re:CRC/SHA-1/MD5 by Anonymous Coward · · Score: 0

      Birthday paradox, blah blah. You only need to go through 2^64.

    17. Re:CRC/SHA-1/MD5 by bwt · · Score: 2

      So your assertion is incorrect with respect to MD5.

      I disagree.

      Part of the MD5 algorithm is analytically weak, but that falls far short of an actual working attack for the whole thing. Researchers suspect that this weakness MIGHT eventually lead to an analytic attack against the whole of MD5, but as yet, no such attack exists. As Robshaw said: "While the existence of pseudo-collisions is significant on an analytical level, it is of less practical importance."

      Moreover...

      "Note that existing signatures that were generated using MD5 are likely to remain safe from compromise since it seems that current techniques used to cryptanalyze MD5 do not offer any advantage in finding a second preimage. Existing signatures should not be considered as being at risk of compromise at this point."

    18. Re:CRC/SHA-1/MD5 by bwt · · Score: 2


      You only need to do 2^64 calculations if you share the results among the participating computers, including storing the original files. I did not posit any such ability.

      Since there are ~2^80 atoms in the known universe, I think it unlikely that any such storage mechanism will ever be built.

    19. Re:CRC/SHA-1/MD5 by Paul+Jakma · · Score: 2

      I did state there was no publicly known attack against the full rounds of MD5. However, that was 7 years ago, it is not safe to assume that no one else continued on with this work.

      --
      I use Friend/Foe + mod-point modifiers as a karma/reputation system.
  14. Obvious Solitaire remark by jaymzter · · Score: 2
    Solitaire Forensics Kit, SFK-000A hand-held disk duplicator by Logicube, Inc. (hereafter "Logicube")


    I thought Solitaire only duplicated wasted work hours!
    --
    If thou see a fair woman pay court to her, for thus thou wilt obtain love
  15. Re:Why not a windows tool by SwellJoe · · Score: 2

    Argh...Once more with preview:

    dd < /dev/hda > /dev/hdb

  16. Ohhh, ohhhh.... by evilviper · · Score: 2, Insightful

    Oohhhhhh... Someone said the word ``Linux"... Better put it on the front page...

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  17. Re:Why not a windows tool by zabieru · · Score: 2, Informative

    Actually, if you read on in the article, they state that Linux dd COULD have been used, that NIST had tested it and found it acceptable, but if you read the procedures used to the four HDDs, they actually used the other methods listed exclusively.

  18. email from his pc by grub · · Score: 4, Funny


    Sept. 10, 2001

    Zach,
    We're going off flying tomorrow, hope to see you on the other side. Last one there gets the 70 ugliest virgins!

    M. Atta

    --
    Trolling is a art,
    1. Re:email from his pc by Anonymous Coward · · Score: 2, Funny

      Last one there gets the 70 ugliest virgins!

      So who did wind up getting the Slashdot editors?

    2. Re:email from his pc by Anonymous Coward · · Score: 0

      Mohammad may not have told you this, but the almighty Allah told me last night a little something about those virgins up there. To make a long story short, they're men.

    3. Re:email from his pc by Anonymous Coward · · Score: 0

      So... what does that female bomber (happened in Israel) get? Let's say 99 virgins too... what would those guys have to do to deserve that?

    4. Re:email from his pc by Anonymous Coward · · Score: 0

      MOD THIS SHIT UP! +100 funny

  19. So does this mean... by Anonymous Coward · · Score: 0

    Only terrorists use Linux and red blooded americans happily throw
    their money at microsoft? Or is it the other way around...
    terrorists use Microsoft, in which case, anybody who uses
    microsoft is evil. Oh well, good thing I use *BSD,
    made in America and other places :)

    1. Re:So does this mean... by VB · · Score: 2


      It doesn't mean anything if you don't read the affidavit. Linux dd was used (is used) as one of 3 methods by the FBI CART to image disks during discovery. That's all it means.

      Linux is made in America and other places, too.

      --
      www.dedserius.com
      VB != VisualBasic
  20. Re:Go to fucking bed micheal by Anonymous Coward · · Score: 0

    he used this, it was on freshmeat frontpage til this morning.

  21. Re:Why not a windows tool by grub · · Score: 3, Informative

    dd is a common Unix program. The SGIs at work have it, my various BSDs at home and work have it and Linux has it.

    --
    Trolling is a art,
  22. To make up for my fp by danielsmc · · Score: 1, Informative

    The United States respectfully responds to Standby Counsel's Reply to the Government's Response to the Court's Order on Computer and E-Mail Evidence (hereafter "Reply") as follows:

    Authentication

    The foundation of standby counsel's discovery requests regarding the computer and e-mail evidence rests upon their complaints regarding the "authentication" of the hard drives provided in discovery. "Authentication" in this context means the process of ensuring that the duplicate of the hard drive provided in discovery is an exact copy of what the FBI originally acquired. As FBI Supervisory Special Agent Dara Sewell explains in her attached affidavit, the FBI uses three different methods to duplicate or image a hard drive:1
    (1) GNU/Linux routine dd command via Red Hat Linux 7.1 (hereafter "Linux dd");

    (2) Safeback version 2.18 imaging software by New Technologies (hereafter "Safeback");

    (3) Solitaire Forensics Kit, SFK-000A hand-held disk duplicator by Logicube, Inc. (hereafter "Logicube").

    Sewell Affidavit at 2. Standby counsel seek the "complete authentication information for all of the hard drives produced in discovery, particularly the information for Mr. Moussaoui's laptop, the University of Oklahoma system, and Mukkarum Ali's laptop." Reply at 8.

    Before addressing the authentication for the four specific computers, an error in Mr. Allison's affidavit must be corrected. In his affidavit, Mr. Allison writes: "Many methods are available to create an exact duplicate; however, only one method - the GNU/Linux routine dd - has been approved by the National Institute of Standards and Technologies." Allison Affidavit at 3. This statement is simply wrong. The National Institute of Standards and Technologies (NIST) does not "approve" software, it merely tests it and then publishes the results of its tests. NIST did, indeed, test Linux dd and publish the results, which included some criticism. Sewell Affidavit at 3. Like Linux dd, Safeback has also been submitted to NIST for review and its final report was published on December 13, 2002. Sewell Affidavit at 3. NIST reported criticisms of Safeback comparable to those cited for GNU/Linux routine dd. Sewell Affidavit at 3-4.2 Thus, for purposes of NIST, both Linux dd and Safeback are accurate imaging tools. With this in mind, the authentication of the four computers at issue follows.3

    More important, the manufacturers of both Safeback and Logicube engaged in extensive self-testing of their programs before marketing them. Further, both contain verification programs/functions that ensure that the image/duplicate accurately reflects the data contained on the original. Sewell Affidavit at 4-5. Finally, FBI CART has validated the use of both Safeback and Logicube during their own use of the methods on hundreds of computers. Sewell affidavit at 4-5. Both Safeback and Logicube, like Linux dd, are methods that are accepted within the forensic computer community. Sewell Affidavit at 4-5.

    Additionally, Mr. Allison writes: "Further, once the duplicate has been created, a product such as the Message Digest version 5 (MD5) or the Secure Hash Algorithm version 1 (SHA-1) should be used to confirm that the duplication process has been done properly." Allison Affidavit at 3. Mr. Allison refers to programs that generate a unique value for both the data on the original hard drive and the data on a purported duplicate of that hard drive in order to further verify the results of the duplication process. However, as set forth in detail in SSA Sewell's affidavit, both Safeback and Logicube contain self-validating programs that ensure the image or copy process generates an exact duplicate of the original. Sewell Affidavit at 4-6. Therefore, the MD5 or SHA-1 programs only provide an additional layer of verification beyond the already proven reliability of the tool itself. Sewell Affidavit at 6.

    Both defendant's and Mukkarum Ali's laptops were duplicated using the Safeback software. To eliminate any questions about authentication, the FBI employed the MD5 program suggested by Mr. Allison on both laptops. The program demonstrated that the images of both laptops provided to the defense in discovery were accurate reproductions of the originals. Sewell Affidavit at 7-10. The significance of this point is two-fold. First, there can be no question that the defense has the exact same copy of the original that the Government has, so they can conduct any further investigation on their copy that they wish. Second, the results of the MD5 program as to these two laptops further demonstrate the reliability of the Safeback program.

    Finally, standby counsel seek the BIOS (Basic Input/Output System) settings for defendant's laptop based upon the following assertion by Mr. Allison in his affidavit:
    The complete authentication information for Mr. Moussaoui's laptop is even more critical given the indication in the above documents, particularly Bates no. M-LBR-0002265, that the laptop had lost all power by the time of the government's CART examination on August 6, 2002. [Footnote omitted]. The loss of all power means that the original date and time settings cannot be retrieved, and that other settings, such as how the computer performed its boot sequence, the types of ports and peripherals enabled, and the settings regarding the hard disk and the controller, are all lost as well. All of this is essential information on how the laptop was set up.

    Allison Declaration at 3-4. As SSA Sewell makes clear in her affidavit, however, the BIOS settings for defendant's laptop were recorded at the time that it was imaged, September 11, 2001, before any loss of power. The BIOS settings are set forth in SSA Sewell's affidavit. Sewell Affidavit at 11. Therefore, no authentication issues exist as to defendant's or Mukkarum Ali's laptops.4

    Unlike the laptops, the two hard drives at the University of Oklahoma (known as "PC 11" and "PC 14") were never removed from the university and are not currently in the Government's possession. Due to the nature of the hard drives, the FBI used the Logicube hand-held disk duplicator to copy the drives and then imaged the duplicates with the Safeback program. Logicube was selected to duplicate the University of Oklahoma hard drives because of its portability. Sewell Affidavit at 3-5, 18. Like Safeback, Logicube has been verified by both its manufacturer and the FBI. Moreover, Logicube performs self-checking functions to ensure that the duplicate drive accurately reflects the contents of the original drive. Finally, although Logicube has not yet been reviewed by the NIST, hand-held disk-duplicators such as Logicube are widely accepted in the information and forensic communities. Sewell Affidavit at 5. Consequently, there can be no challenge to the authenticity of the duplicates of the University of Oklahoma hard drives.

    The Request for a Chart for the Remaining Hard Drives

    Standby counsel next seek a chart "for the approximately 140 remaining hard drives. At a minimum, the chart should include the origin/source for each drive and the significance of the drive to the case." Reply at 9.5 On November 22, 2002, the Government supplied the defense with a chart listing each hard drive produced in discovery, when it was produced, and a detailed description of its source from which the defense can assess its significance. Further, in a letter dated December 18, 2002, the Government identified the computer evidence that it believes to be relevant for this prosecution. Of course, the burden rests with the defense to determine the significance of a piece of evidence to their defense. Cf. United States v. Comosona, 848 F.2d 1110, 1115 (10th Cir. 1988) ("The Government has no obligation to disclose possible theories of the defense to a defendant. If a statement does not contain any expressly exculpatory material, the Government need not produce that statement to the defense. To hold otherwise would impose an insuperable burden on the Government to determine what facially non-exculpatory evidence might possibly be favorable to the accused by inferential reasoning."); United States v. Nachamie, 91 F. Supp. 2d 565, 569 (S.D.N.Y. 2000) ("The clear language of Rule 16(a)(1), however, does not require the Government to identify which documents fall in each category - it only requires the production of documents responsive to any category."); United States v. Greyling, 2002 WL 424655 at *3 (S.D.N.Y. 2002) ("Fed. R. Cr. P. 16(a)(1)(C) only requires that the Government afford defendants an opportunity to inspect the documents it intends to introduce at trial. It does not require the Government to identify which documents it intends to introduce.") (emphasis in original). Therefore, this request is now moot.

    The University of Oklahoma Hard Drive

    Standby counsel next request the Court to "[o]rder the Government to confirm that the UO hard drive produced in discovery has not been contaminated and explain why the 70 GB of unused storage space on that hard drive contains material that should not be there." Reply at 9. As the affidavit of SSA Sewell makes clear, the following answers Mr. Allison's concerns about University of Oklahoma PC 11. Approximately 9.537 gigabytes of information were duplicated from PC 11's hard drive by the Logicube program onto a 40 gigabyte drive. Thereafter, all data on the Logicube 40 gigabyte drive was imaged and later restored using the Safeback program onto an 80 gigabyte hard drive, which was then turned over to the defense. The primary partition which exists on the defense 80 gigabyte duplicate hard drive accurately represents the approximately 9.529 gigabytes captured from the primary partition of PC 11 without contamination. The balance of the space on the 80 gigabyte hard drive provided to the defense contains the following:
    (1) Approximately 7.26 megabytes of data of the 9.537 gigabytes of data captured from PC 11. This information actually appeared on PC 11 outside of the primary partition and was duplicated by Logicube. Therefore, this data previously existed on the PC 11 and did not result from the imaging/duplication process;

    (2) Unused space which consists of a series of zeroes; and,

    (3) Approximately 4 megabytes of repetition of the 9.537 gigabytes of information captured from PC 11, which was created by the Logicube tool when it first began to duplicate the material contained on PC 11.6

    Sewell Affidavit at 19-20. All of this simply means that the first 9.537 gigabytes of the 80 gigabyte hard drive provided to the defense accurately contains all of the data that existed on PC 11 at the time of duplication and was not "contaminated" by any outside data.

    The Examination of Moussaoui's Laptop

    Standby counsel's fourth request questions whether the defendant's laptop was imaged before it lost power. The defendant's laptop was imaged on September 11, 2001, before the laptop lost power. Sewell Affidavit at 11. The BIOS settings for the laptop requested by standby counsel are set forth in SSA Sewell's affidavit. Sewell Affidavit at 11. Therefore, this request is now moot.

    The xdesertman@hotmail Account and Other E-Mail Accounts

    In their fifth request, standby counsel ask the Court to "[o]rder the Government to examine all of the temporary files of the computers Mr. Moussaoui used (those at UO, his laptop, and Mukkarum Ali's laptop) and determine whether information can be obtained from them concerning the xdesertman@hotmail.com account and the other email accounts listed in paragraph 33 of the Lawler Affidavit." Reply at 10. SSA Sewell's affidavit describes the unsuccessful searches of each hard drive conducted by FBI CART Field Examiner Thomas Lawler for the xdesertman@hotmail.com e-mail account as well as at least 27 variations of this account and other e-mail accounts associated with the investigation of this case. Sewell Affidavit at 15. Moreover, as previously demonstrated in the first section of this pleading addressing the authentication issues, the defense now has an exact copy of what the Government has. Therefore, there is no reason that the defense, including their computer expert, cannot conduct the same examinations of the four hard drives at issue as the Government. Consequently, this request should be denied.

    Similarly, in their sixth request, standby counsel ask the Court to order the Government to conduct an investigation at their behest when they have the same ability to conduct the investigation. The defense possesses the same subpoena power as the Government and, if they wish to serve a subpoena on Hotmail, Microsoft, or any other company, they should do so. See Fed. R. Crim. P. 17(c); 18 U.S.C. 3005. Moreover, the Group Manager for Policy Enforcement for MSN Hotmail reports that a search as suggested by Mr. Allison in his Declaration (see Allison Declaration at 6) would have no success. Sewell Affidavit at 21-22. Therefore, this request should fail.

    The Internet Provider Address for University of Oklahoma PC 11 Computer

    Next, standby counsel ask the Court to "[o]rder the Government to (A) explain the reason for the discrepancy in IP addresses for the UO PC 11 computer, (B) confirm that the UO hard drive produced to the defense in discovery (129.15.110.31) comes from the computer used by Mr. Moussaoui at the University of Oklahoma, and (C) confirm that Mr. Moussaoui did not use any other UO computer." Reply at 11. Simply put, a typographical error exists in the Lawler Affidavit submitted by the Government. The correct internet provider address for University of Oklahoma PC 11 computer is 129.15.157.31. Sewell Affidavit at 18. As discussed in the first section of this pleading regarding authentication, a duplicate of the hard drive for PC 11 has been provided to the defense. As to whether Mr. Moussaoui used any other computer at the University of Oklahoma, only the defendant definitively knows the answer. The only evidence that the Government has regarding Mr. Moussaoui's computer use at the University of Oklahoma involves PC 11 and PC 14, copies of which have been provided to the defense in discovery.

    The Kinko's in Eagan, Minnesota

    In their eighth request, standby counsel seek "more information about the procedures used by Kinko's personnel and the steps they took to clean the Kinko's system and verify that no evidence of Mr. Moussaoui's communications via Kinko's internet access still remains on the Kinko's system." Reply at 11. SSA Sewell's affidavit describes in detail the procedures used by Kinko's to overwrite ("clean") their systems. The affidavit reveals that during the month between the defendant's use of the computers at Kinko's on August 12, 2001, and September 11, 2001, Kinko's cleaned their machines at least one time and perhaps many more, since their policy was to re-image (clean) the computers weekly. Sewell Affidavit at 12. Since September 11, 2001, the computers have been re-imaged several times and Kinko's personnel adamantly state that they are unable to recover any pre-existing data from a work station hard drive after the re-imaging process. Sewell Affidavit at 13. Further supporting the inability to locate references to xdesertman@hotmail.com is the fact that FBI CART examiners searched all data related to this e-mail account on both defendant's and Mukkarum Ali's laptops as well as the University of Oklahoma computers, none of which were ever "cleansed" or overwritten, and no data was found corroborating even the existence of any such account, or its use by the defendant. Sewell Affidavit at 15-17. Thus, there is no reason to believe that a search of the Kinko's computers in Eagan, Minnesota, would recover any relevant information about the defendant's e-mail use on these computers. Sewell Affidavit at 17.7

    The "File Slack" Portions of Mukkarum Ali's Laptop

    Standby counsel next ask "the Government to confirm that the 'file slack' portions of Mukkarum Ali's computer do not contain relevant information about Mr. Moussaoui's use of the computer to send e-mails." Reply at 11. As previously stated in the first section of this pleading addressing authentication, the defense has an identical duplicate of what the Government has; therefore, they can search Mukkarum Ali's computer as they wish. Moreover, FBI Cart Examiner Thomas Lawler thoroughly reviewed Mukkarum Ali's computer, including the "file slack" portions, and found no relevant information. Sewell Affidavit at 15. Therefore, this request should be denied.

    The "Ghosting" of the University of Oklahoma Computers

    Standby counsel conclude their requests by asking "the Government to identify the procedures employed by UO personnel to 'ghost' the computer(s) allegedly used by Mr. Moussaoui and order the Government, despite the fact that it may be 'likely lost' (see Lawler Affidavit at 28), to retrieve any forensic evidence showing use of those computers by Mr. Moussaoui and what he did while using those computers." Reply at 11. Calvin Weeks, the technical security officer for the University of Oklahoma, told the FBI that the University of Oklahoma used the commercial software Norton Ghost to restore a previously recorded hard drive image. Sewell Affidavit at 21. As to the second part of standby counsel's request, the defense has in their possession a duplicate of University of Oklahoma PC 11 and PC 14; therefore, they can perform any investigation of these hard drives that the Government can. Therefore, this request should be denied.

    Conclusion

    The attached affidavit by SSA Sewell fully addresses the issues raised by standby counsel and demonstrates beyond question that the FBI properly and exhaustively examined all computer evidence in this case.

    Respectfully Submitted,

    PAUL J. McNULTY
    UNITED STATES ATTORNEY

    By: /s/

    Robert A. Spencer
    Kenneth M. Karas
    David J. Novak
    Assistant United States Attorneys

  23. Easy? I don't think so... by Subcarrier · · Score: 3, Insightful

    It's not hard at all to modify data to create any hash value that you want, especially when you're including "deleted space" in the CRC calculations...

    That kind of depends on the strength of the hash algorithm, wouldn't you say?

    --
    "I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
    1. Re:Easy? I don't think so... by MeanMF · · Score: 1

      That kind of depends on the strength of the hash algorithm, wouldn't you say?

      Absolutely, which is why they shouldn't be relying on CRC32.

    2. Re:Easy? I don't think so... by Anonymous Coward · · Score: 0
      Oh please. Assuming block size is small enough (say, a disk sector, memory block or such), there's no practical way to get same CRC-32 value for anything useful. And even to get another random chunk of data that produces same checksum, brute force method is usually way too slow to be practical (even for relatively small blocks of data).

      Perhaps you should take your Data Security 101 next year so you actually know what you are talking about?

    3. Re:Easy? I don't think so... by Anonymous Coward · · Score: 0

      Nice troll. Lost credibility a bit with the last line there. Okay - I'll bite, as that information is plain wrong.

      A CRC is a special case of checksum, optimal for certain kinds of error detection and optimally strong against accidental collision. Accidental.

      To collide CRC32 takes a four byte (32-bit) pad - any state goes in, any chosen state comes out. The reversal is perfectly triangular - Peacefire's research on Cyber Patrol (cphack) is a good case study in practical uses of this - so it's an optimal supercollided hash, great for some unusual purposes, but completely unsuitable for authentication or anywhere you need to hash sensitive plaintext.

      Public knowledge for a long time, and I saw crackers using four byte padding to foil CRC hash "anti-tamper" code in protected games in October 1986. (Yes, they could have just nopped all the routines and proved that they had been complete in unwrapping the multiple layers via the Florin technique, but they wanted to be ninja, I guess.)

      Even if you wanted to use brute force, a 32-bit brute force keyspace search of an algorithm as fast as CRC32 can be done very rapidly. (State of the art in public brute force is distributed.net, cracking 64-bit RC5 - more than 4 billion times harder, leaving aside that an RC5 pass is much slower than a CRC-32 pass anyway - although it took several months and a hell of a lot of idle time.)

      CRC is NOT a one-way hash algorithm. It is NOT resistant to intentional collisions. CRC is a checksum. It is quick and may make a useful additional check. It may be useful - indeed, is optimal - in determining if line noise has eaten something, but it is trivial to maliciously fake.

      Incidentally, this goes for all LFSR block ciphers when used for hashing, and according to some (admittedly fairly flaky) research I've seen, potentially all block ciphers in general when used for hashing.

      MD4 is trivial to collide, though I don't know for sure the pad size on the best attack - I think it's 128-bit, hash size (optimal).

      MD5 is susceptible to the same collisions in the compression function, and indeed throughout the hash. I hear quiet rumours about a private attack (md5smash.c), but cannot substantiate those claims as the author refuses to publish (even though PGP 2.x (RSA "legacy" key) signatures typically use MD5), but I strongly believe a potential, quite trivial, MD5 collision attack exists.

      The original SHA (without the rotate) was susceptible to a differential attack which allowed collisions in certain, rather engineered, special cases, but I know of no attack on the revised SHA-1.

      RIPEMD-160 (unlike the original RIPEMD), or TIGER-192 are both okay.

      The architecture of HAVAL doesn't give me, personally, warm fuzzies but I haven't actually seen it collided.
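      The structural reason behind the "four byte pad" claim above, shown as an added example (not code from this post or the thread): for a fixed input length CRC-32 is an affine map over GF(2), which both makes the forgery pad solvable by linear algebra and distinguishes it from a keyed hash. zlib's CRC-32 is used; DEMO_KEY is a constructed key for the HMAC comparison.

```python
import hashlib
import hmac
import zlib


def crc32(data: bytes) -> int:
    """zlib's CRC-32 as an unsigned 32-bit integer."""
    return zlib.crc32(data) & 0xFFFFFFFF


def crc32_tag(data: bytes) -> bytes:
    return crc32(data).to_bytes(4, "big")


# Constructed key for the example; a real MAC key would be random and secret.
DEMO_KEY = b"constructed-demo-key"


def hmac_tag(data: bytes) -> bytes:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def affine_relation_holds(tag, a: bytes, b: bytes) -> bool:
    """Check tag(a ^ b) == tag(a) ^ tag(b) ^ tag(00..0) for equal-length a, b.

    Every CRC satisfies this for every pair of inputs: for a fixed length it is
    an affine map over GF(2), which is exactly why collisions are trivial.
    A keyed hash such as HMAC-SHA256 satisfies it only by a 2^-256 accident.
    """
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    zeros = bytes(len(a))
    lhs = tag(xor_bytes(a, b))
    rhs = xor_bytes(tag(a), xor_bytes(tag(b), tag(zeros)))
    return lhs == rhs


def crc32_pad(message: bytes, target: int) -> bytes:
    """Return the 4-byte pad p with crc32(message + p) == target.

    For a fixed prefix, crc32(message + p) is affine in the 32 bits of p, and
    the 32 single-bit "columns" are linearly independent (the CRC register is
    a bijection on 32-bit state), so the system below always has a solution.
    This is the "any chosen state comes out" property from the post.
    """
    base = crc32(message + bytes(4))
    # rows: (effect of flipping pad bit i on the CRC, which original bits are combined)
    rows = [(crc32(message + (1 << i).to_bytes(4, "little")) ^ base, 1 << i) for i in range(32)]
    rhs, chosen = target ^ base, 0
    for bit in range(31, -1, -1):                 # Gaussian elimination over GF(2)
        pivot = next((r for r in rows if (r[0] >> bit) & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [(v ^ pivot[0], m ^ pivot[1]) if (v >> bit) & 1 else (v, m) for v, m in rows]
        if (rhs >> bit) & 1:
            rhs ^= pivot[0]
            chosen ^= pivot[1]
    if rhs != 0:
        raise ArithmeticError("unreachable: the CRC-32 pad system is always solvable")
    return chosen.to_bytes(4, "little")


if __name__ == "__main__":
    a, b = b"first message!!", b"second message!"
    print("CRC-32 affine:", affine_relation_holds(crc32_tag, a, b))   # True
    print("HMAC affine:  ", affine_relation_holds(hmac_tag, a, b))    # False
    msg = b"CRC protected record"
    pad = crc32_pad(msg, 0xDEADBEEF)
    print("pad makes CRC:", hex(crc32(msg + pad)))                     # 0xdeadbeef
```

      The practical consequence for integrity checking is the HMAC line: a keyed hash over the data is what a CRC cannot be, so a CRC should only ever be trusted against line noise, never against an adversary.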

  24. Re:Why not a windows tool by Anonymous Coward · · Score: 1, Informative

    wrong again.

    dd if=/dev/hdax of=/dev/hdbx

    And what could be easier than using a boot CD to use dd? No need to install anything on any computer. Hell, they can just hook up their drive to the suspect's computer.

  25. FBI HQ originally denied e-mail search request by michaelmalak · · Score: 4, Interesting
    See my Aug. 29, 2002 blog article FBI didn't get Moussaoui's e-mail despite having his laptop, which notes the irony that "the U.S. government is interested in the e-mail of all those in the U.S. except for alleged terrorists" and which links to an Aug. 29, 2002 Washington Post article.

    (Recall that Moussaoui was already in jail before Sep. 11. These pre-Sep. 11 e-mail search requests were rebuffed, according to FBI whistleblower Colleen Rowley.)

    1. Re:FBI HQ originally denied e-mail search request by Anonymous Coward · · Score: 0
      Another Bill Clinton legacy.

      Just like North Korea.

      What an asswipe.

  26. Mark of desperation? by Anonymous Coward · · Score: 0
    It seems as though Moussaoui's lawyers are desperate to keep his emails out of his trial.

    I just have one question: Can I be the one to flip the switch that will make him do the 60-cycle shuffle?

    1. Re:Mark of desperation? by Anonymous Coward · · Score: 0

      Can I be the one to flip the switch that will make him do the 60-cycle shuffle

      No. If he gets executed, it will most likely be in Virginia where they use lethal injection. If there are any states left using the chair, it's just one or two. Electrocutions are national news now when they happen. However, if you apply to become a prison guard *right now* and play your cards right, you may be an executioner by the time he gets executed, and you will be able to push the button that puts him to "sleep". However, since you are a sick person for wanting the job that badly, you will (hopefully) be screened out by psychiatrists in the prison system, and not even become a guard in the first place.

  27. Re:Why not a windows tool by Anonymous Coward · · Score: 0

    dd if=/dev/hda of=/dev/hdb ibs=512 obs=1M --

  28. Re:37? My girlfriend sucked 37 dicks. by Anonymous Coward · · Score: 0

    this isn't flamebait, some mods just don't get the reference

  29. Im not the nerd I thought I was by JeanBaptiste · · Score: 1
    A detailed discussion for all 140 hard drives provided in discovery

    Mousauoiioio whatever his name is sure had a lot more computer stuff than I do...
  30. You may assume anything you wish. . . by kfg · · Score: 5, Funny

    but according to NIST, and my own experience, such is not the case. Not only is dd cheaper by thousands of dollars than the "professional" apps made to do such things, but it's often *more* effective, and almost always easier to use.

    At its heart it's just a simple copy command.

    In fact, the dd tool is so simple, and simple minded, that it would be easier to write a simple graphical front end for it than to learn the GUI of existing Windows apps designed to do the same thing.

    I don't know quite how to break this to you, but *sometimes* language is the simpler, more powerful and more *intuitive* means of getting something across than pointing at a picture and grunting.

    Unless, of course, your intellect hasn't yet advanced to that level of sophistication.

    KFG

    1. Re:You may assume anything you wish. . . by Anonymous Coward · · Score: 0

      The professional apps do a lot more than just copy and checksum the data. Nobody pays thousands of dollars for trivial software like dd.

    2. Re:You may assume anything you wish. . . by Phil+Karn · · Score: 2
      Twenty years ago, when dd was already a decade old, hard disk drives still had hardware write protect switches. They've gotten increasingly scarce since then.

      So hey, I like Linux as much as the next guy, but I always get a little nervous when I use dd to copy a disk. I'll stare at the command for a good ten seconds before hitting "enter".

      Can you imagine being the FBI agent who has to explain how he typed dd of=/dev/hda1 if=/dev/hdc1 when he really meant dd if=/dev/hda1 of=/dev/hdc1 -- and /dev/hda just happens to be the suspect's original drive?

  31. Re:Why not a windows tool by Zemran · · Score: 2

    Great idea. dd comes as standard with Linux, do you happen to know the name of the util that comes with Windows that can do what dd can do?

    P.S. good troll :)

    --
    I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
  32. 'dd' isn't _quite_ an image by wfmcwalter · · Score: 3, Insightful
    Neglecting the STEM/SQUID recovery issues mentioned above, it's rather disappointing to see the feds using only a generic imager like dd to image the disk, as it's not quite a full image of all the stuff on the disk.

    The contents of any LBA that is in the drive's remap table (i.e. blocks that the drive electronics have previously determined either to be bad or going bad) aren't captured by dd - the drive instead sends the data payload corresponding to the LBA's remapped physical address. The bad/bad-ish block remains, and its data is quite possibly still valid (or perhaps valid but for a couple of localised errors). These blocks thus hold tiny slivers of data stored on the drive sometime in the past (the last thing written before the block went bad).

    Although this missed data represents a microscopic fraction of the total data on the disk it could, at least in theory, contain recoverable data of an evidentiary nature. The only way to see this is a drive-vendor specific low-level read - I don't know much about the other two tools the article describes, but it doesn't sound like those do that either.

    Given that there's only a handful of drive manufacturers left, and the (non-servo) parts of the firmware on their drives doesn't vary hugely between models, it really wouldn't be too hard for law-enforcement types to have proper physical-level imaging tools for any drive they're likely to encounter.

    --
    ## W.Finlay McWalter ## http://www.mcwalter.org ##
    1. Re:'dd' isn't _quite_ an image by Anonymous Coward · · Score: 0
      dd, et al don't take remapped blocks into consideration
      Sounds good. At least now we know what to do if we want to set aside a few blocks to store personal, private bytes on a hard disk if we want them to have a chance of remaining private.
    2. Re:'dd' isn't _quite_ an image by wfmcwalter · · Score: 4, Informative
      Hey, there's something else - they're doing checksum calculation not on the disk image (/dev/hda) but on the partition image (/dev/hda1) - which means they're not entirely capturing everything that's potentially on the disk (in particular: the boot sector, the MBR, and any other partitions).

      Now, the document says the examiner determined that there was only one partition, and that he used "a Linux Boot CD" - this implies (it's not terribly clear what that actually is) that he used linux's fdisk command (or diskdruid or something) to determine that there was indeed only one partition - by examining the current contents of the drive's partition table.

      Doing this doesn't capture any space not currently assigned to a partition - in particular, if another partition were present but was then deleted, or if the extant FAT32 partition were resized (say with partition magic).

      In fact it's rather unusual for a windows laptop to only have one FAT32 partition - many (most?) vendor-created laptops ship with a sleep-to-disk partition on the disk as well (Dell seems to always do this on windows systems).

      In a non-forensic setting, these gripes would be beyond pedantic, but given the seriousness of the crime concerned, and the alleged technical skill of the terrorist groups implicated, these omissions are not immaterial. I do hope that they're omissions only in this document and that the examiner's actual procedure did properly image, checksum and examine _all_ of the disk's contents.

      --
      ## W.Finlay McWalter ## http://www.mcwalter.org ##
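      The coverage gap raised in this post and its parent (hashing the partition /dev/hda1 rather than the device /dev/hda) is shown on a constructed 64-sector MBR image. This is an added example, not code from the post or the affidavit; the partition layout, marker strings and the "remnant in the gap" are constructed to make the difference visible.

```python
import hashlib
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, first LBA, sector count


def parse_mbr(disk: bytes):
    """Return (type, first_lba, sector_count) for each used entry in the MBR table.

    This is what fdisk on a boot CD reads: only partitions currently in the table.
    """
    if disk[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature")
    parts = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + 16 * i
        _status, _chs0, ptype, _chs1, lba, count = struct.unpack(ENTRY_FMT, disk[off:off + 16])
        if ptype != 0 and count != 0:
            parts.append((ptype, lba, count))
    return parts


def unallocated_ranges(disk: bytes, parts):
    """Sector ranges [start, end) covered neither by the MBR (sector 0) nor by any partition.

    Space left behind by a deleted or shrunk partition ends up here, and a
    partition-only hash never sees it.
    """
    total = len(disk) // SECTOR
    gaps, cursor = [], 1
    for _ptype, lba, count in sorted(parts, key=lambda p: p[1]):
        if lba > cursor:
            gaps.append((cursor, lba))
        cursor = max(cursor, lba + count)
    if cursor < total:
        gaps.append((cursor, total))
    return gaps


def md5_sectors(disk: bytes, first: int, count: int) -> str:
    return hashlib.md5(disk[first * SECTOR:(first + count) * SECTOR]).hexdigest()


def coverage_report(disk: bytes) -> dict:
    """Hash the whole device and each partition separately, and list what a
    partition-only hash (the md5sum -b /dev/hda1 in the affidavit) leaves out."""
    parts = parse_mbr(disk)
    return {
        "whole_disk": md5_sectors(disk, 0, len(disk) // SECTOR),
        "mbr_sector": md5_sectors(disk, 0, 1),
        "partitions": [md5_sectors(disk, lba, count) for _t, lba, count in parts],
        "unallocated": unallocated_ranges(disk, parts),
    }


def build_demo_disk(total_sectors: int = 64) -> bytearray:
    """Constructed sample: a FAT32 partition at LBA 2..33 and a second partition at
    40..55, leaving sectors 1, 34..39 and 56..63 unallocated."""
    disk = bytearray(total_sectors * SECTOR)
    disk[0:16] = b"CONSTRUCTED-MBR!"                      # stands in for boot code
    for i, (status, ptype, lba, count) in enumerate([(0x80, 0x0C, 2, 32), (0x00, 0x83, 40, 16)]):
        off = MBR_TABLE_OFFSET + 16 * i
        disk[off:off + 16] = struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    disk[510:512] = b"\x55\xaa"
    disk[2 * SECTOR:2 * SECTOR + 11] = b"FAT32 DATA."
    disk[40 * SECTOR:40 * SECTOR + 10] = b"OTHER PART"
    disk[35 * SECTOR:35 * SECTOR + 21] = b"DELETED-PARTITION-REM"  # remnant in the gap
    return disk


def what_changed(before: bytes, after: bytes) -> dict:
    """Which hash notices a modification: the first partition's or the whole device's."""
    b, a = coverage_report(before), coverage_report(after)
    return {
        "partition1_changed": b["partitions"][0] != a["partitions"][0],
        "whole_disk_changed": b["whole_disk"] != a["whole_disk"],
    }


if __name__ == "__main__":
    original = bytes(build_demo_disk())
    print(coverage_report(original)["unallocated"])        # [(1, 2), (34, 40), (56, 64)]
    tampered = bytearray(original)
    tampered[35 * SECTOR] ^= 0xFF                          # touch the gap, not a partition
    print(what_changed(original, bytes(tampered)))         # partition1 unchanged, whole disk changed
```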
    3. Re:'dd' isn't _quite_ an image by GigsVT · · Score: 1

      The thing is, it's usually enough. Only in very high stakes cases will forensics require anything more than a dd image, and a reconstruction of some parts of some deleted files. It's all about cost and benefit. The chances of something critical being in a spared sector are pretty slim, and if they can get what they need from a dd image, why bother?

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    4. Re:'dd' isn't _quite_ an image by wfmcwalter · · Score: 2
      Only in very high stakes cases will forensics require anything more than a dd image

      It's tough for me to think of a case that's higher-stakes than this one.

      and if they can get what they need from a dd image, why bother?

      That's a totally egregious misstatement of proper evidence gathering - the investigator is not trying to "get what they need". Instead the investigator should capture as much information as is possible. It's for a prosecutor to cherry-pick the body of evidence in order to build their case, and for defence counsel to likewise pick out exculpatory evidence.

      Sure, in practice it's highly unlikely that a remapped LBA contains the only copy of an incriminating or exculpatory email, but given the huge stakes here it shouldn't be too much "bother".

      --
      ## W.Finlay McWalter ## http://www.mcwalter.org ##
    5. Re:'dd' isn't _quite_ an image by Anonymous Coward · · Score: 1, Informative

      It's rather unusual for a Windows laptop to have any FATxx partitions these days, thanks to NTFS. And nobody uses the old vendor-specific suspend-to-disk software any more; Windows will hibernate to a file named HIBERFIL.SYS in the root of your %SystemDrive%.

    6. Re:'dd' isn't _quite_ an image by Anonymous Coward · · Score: 0

      Actually it's far more unusual that you'd find an NTFS system.

      75% of the installed base is Win 9x, and a large number of NT4 and W2K systems shipped with FAT partitions, or were installed that way by IT guys following old school logic.

    7. Re:'dd' isn't _quite_ an image by GigsVT · · Score: 1

      How do you propose they get the whole image then, without spending half a million dollars or more on it?

      The only way I can think of is to transplant the platters in a clean room to a controller that can be told to ignore read errors and also read all the spare sectors on each cylinder.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  33. Eraser is the best for windows by Anonymous Coward · · Score: 1, Informative

    • shell integration
    • uses Gutmann's method: http://www.usenix.org/publications/library/proceedings/sec96/full_papers/gutmann/
    • can also do free disk space
    I think there is also a DOS version you can use with a boot disk which would be better.

    Don't waste your time with other crap like bcwipe or the one that came with your system utility software.
    Besides running your disks through a grinder, this is the best deletion software available, commercial or not. There are no "better" proprietary software methods and anything you would pay for is a waste. Either use this set to Gutmann, or physically destroy the disk.

    Realize that no software is 100%, especially if the agency wants your info back enough, but this software is the best if you're not going to destroy your disk (again, destroying is preferred).

    1. Re:Eraser is the best for windows by po8 · · Score: 3, Informative

      At the current state of the art, your best bet is to buy a new disk, and make sure that you never put any unencrypted bits on it: use a cryptographic filesystem such as CFS, and make sure your swap is encrypted also. As Gutmann notes, you may also want to take measures to make sure that sensitive data doesn't sit in RAM too long (!).

      Once data is in clear on disk, there's really no way to be sure it's gone except to physically destroy the platter.

  34. shut up by Anonymous Coward · · Score: 0

    I don't think that the number 37 is enough to anchor that joke to the topic.

    Not flamebait, but definitely offtopic.

  35. More info at Cryptome by Alien54 · · Score: 3, Informative
    Cryptome has, on its front page, details on what the FBI is up against. Just scroll down a bit.
    • The Eagan, Minnesota Kinkos Computers

      19. The Initial September 2001 Inquiry at the Eagan, MN Kinkos: On October 17, 2002, I spoke with Minneapolis FBI Special Agent David Rapp. At that time, SA Rapp told me that, to the best of SA Rapp's unrefreshed recollection, on or about September 19, 2001, SA Rapp went to the Kinkos store in Eagan, Minnesota, to inquire about a receipt found on the person of Zacarias Moussaoui at the time of his arrest. At that time, SA Rapp met with a person who represented himself as a Kinkos employee responsible for managing and maintaining customer computer workstations. At that time, the Kinkos employee informed SA Rapp, in substance, as follows:

      (A) The Kinkos receipt did indicate that a computer workstation had been utilized;

      (B) It could not be determined from the copy of the Moussaoui receipt alone which computer workstation was used;

      (C) In response to SA Rapp's inquiry about the possibility of acquiring any information from the computer workstations regarding the use of the computers by Moussaoui, the Kinkos employee stated that, since the date of the receipt, all computers had been wiped clean/formatted and started with a fresh install; and,

      (D) The computer workstations were generally wiped weekly or bi-weekly approximately, even though Kinkos policy called for weekly wipings. At a minimum, the Eagan Kinkos store wiped the computers at least once per month.

      [....]

      21. Eagan Follow-up: On October 11, 2002, I requested that the Minneapolis FBI Field Office contact Kinkos personnel at the Eagan store and determine if, as alleged by the defense, the Kinkos computer could still maintain evidence of defendant Zacarias Moussaoui's use from August 2001. On or about October 15, 2002, Special Agents Brendan Hansen and Christopher Lester visited the Eagan Kinkos and interviewed Brian Fay, who, as of August 11, 2001, was one of two Kinkos employees who knew how to restore an image onto the six computers with internet access designated for customer use. Mr. Fay stated that the six computers presently at the store are the same computers (with the same hard drives) that were present in August of 2001. These six computers are leased and scheduled to be replaced at the end of this year.

      The computers are maintained by formatting the computers' hard drives and reloading an image using Norton Ghost whenever business is slow and time allows. There are no logs recording the dates or frequency of loading images on to the computers and Fay could not estimate how frequently they were imaged. Although Fay was not personally familiar with the exact details of the formatting and imaging process he administers to the computers, Fay had been advised by Kinkos that the formatting and restoration process destroyed all files associated with previous users.

    This would be rather thorough, it seems.

    ouch

    --
    "It is a greater offense to steal men's labor, than their clothes"
  36. shred obsolescence by radon28 · · Score: 3, Informative

    the shred utility will only work on non-log structured and non-journaling filesystems, i.e. ext2, but not ext3, jfs, reiserfs, etc. see: "man 1 shred" for more info.

    1. Re:shred obsolescence by ahi · · Score: 3, Informative

      Nor will wipe, according to the author's page. In fact, no user-space utility can.

      --
      This is NOT an empty signature.
    2. Re:shred obsolescence by aardvarkjoe · · Score: 3, Informative

      If you're using ext3, you could always remount it as ext2 in order to run shred. Not practical to do it for each deletion, but if you only want to shred the occasional file, it's an option. (I don't know if there's a way to do something similar for other journaled filesystems.)

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  37. Re:Ohhh, ohhhh.... by metatruk · · Score: 2

    Not only was the word "Linux" mentioned, but so were the words "computer evidence," and "court."
    Hey, this is Slashdot. News for Nerds. Stuff that matters.
    A lot of us are interested in things such as Linux and computer security. I found this document to be an interesting read, and I am glad it was posted on Slashdot.

  38. RIAA Math by Cyno01 · · Score: 2

    He probably just had one or two drives, but they were really big, so they were the equivalent of 140 drives.

    --
    "Sic Semper Tyrannosaurus Rex."
  39. Re:Why not a windows tool by g4dget · · Score: 3, Insightful
    it amazes me that they used linux as I assume that there must be easier tools under windows that do the same?

    Well, that is primarily indicative of your ignorance of Linux and your willingness to buy into Microsoft propaganda.

    i mean it must be easier to find the tool under windows then setup a linux machine

    There is nothing to set up. Linux can boot and run from CD, with all software installed (check for DemonLinux and Knoppix, for example). That's one of the many reasons Linux is so good at this sort of thing.

    How easy is it?

    • Connect the drive you want to copy to the disk controller or USB port, or plug in an Ethernet card.
    • Insert bootable Linux CD and boot from CD.
    • If you just want to mirror the drive, type something like "dd if=/dev/hda of=/dev/hdb".
    • To mirror it over the network, type something like "pump; cat /dev/hda | ssh me@host cat \> image".
    I mean, how much easier can it get?

    For forensic applications, you might want to make sure that you hardware write-protect the source drive first, just to avoid accidents.

    These people know what they are doing and how to reduce their workload. That is why they are using Linux.

  40. Privacy irony & national security by MacAndrew · · Score: 4, Interesting
    Note that the FBI, charged by so many with violating people's privacy in every way imaginable, here dropped the ball by being too cautious about someone's privacy.

    You can't win -- bungling cuts both ways.

    Anyone wonder why the heck the Minnesota FBI office went to Washington for a piddly search warrant, instead of their friendly local court? Because this was not an ordinary warrant, but a national security warrant designed to investigate suspected terrorists who might not have committed any crime to provide probable cause for a regular warrant. (You know, like Minority Report. OK, it's not that bad. :)

    It will be interesting to see who gets blamed once all of the finger-pointing is over.

    From NYT by James Risen*:
    According to Ms. Rowley's letter and other bureau officials, the Minneapolis field office believed that the French report on Mr. Moussaoui provided enough troubling information about his ties to Islamic extremism to go to court to obtain a search warrant under the federal law that allows the government to carry out searches and surveillance in espionage and terrorism cases. Under the statute, investigators do not have to show that a subject committed a crime, only that they have reason to believe the suspect is engaged in terrorist activity or espionage on behalf of a foreign power or a terrorist organization.

    * Another little note -- James Risen with Jeff Gerth were the NYT reporters blamed for stoking the fire over the Wen Ho Lee debacle. Of course, lots of people were blamed -- sound familiar?
    1. Re:Privacy irony & national security by nathanm · · Score: 2
      Anyone wonder why the heck the Minnesota FBI office went to Washington for a piddly search warrant, instead of their friendly local court? Because this was not an ordinary warrant, but a national security warrant designed to investigate suspected terrorists who might not have committed any crime to provide probable cause for a regular warrant.
      I think you answered your own question pretty well. I live in Minneapolis, and I doubt the local district court has the facilities for classified proceedings involving national security issues. Just the fact they had to check with French intelligence agencies was probably enough to warrant (no pun intended) going to Washington with the case.
    2. Re:Privacy irony & national security by MacAndrew · · Score: 2

      Well, it was a rhetorical question. :)

      Applications for this special warrant are only granted by a special "secret" court that sits in Washington, per the Foreign Intelligence Surveillance Act, and apparently the FBI central office has veto authority.

  41. Re:Why not a windows tool by radon28 · · Score: 1

    the fbi typically (and rightfully so) makes a habit of not trusting the suspect's own hardware. who knows what lengths people will go to to make sure their data is safe?

  42. ". . . lawyers will argue over anything. " by kfg · · Score: 2, Funny

    Well duh. That's their *job.*

    KFG

  43. Re:Why not a windows tool by Gekko · · Score: 2

    While I know you are trolling I will bite anyway.

    Not only is dd on various *nixes, bsd's, etc, it is also available on windows. It is called cygwin, and it has dd also.

    --
    I mod down any one who says "I'm sure I will get modded down for this"
  44. Re:Why not a windows tool by bloxnet · · Score: 1

    I am very surprised that more forensic investigators and the companies that create forensics software do not use Linux as a primary workstation solution. Windows simply does not have the ability to handle so many different file system types, etc. as compared to Linux (or BSD, etc., etc.; I go with Linux because I think it is a happy medium for a Unix environment). I mean, with my forensics workstation, Linux allows me to pretty much mount and work with any filesystem type in use, yet I have to swap OS drives and reboot to use most of the commercial forensics tools. Getting Windows to read other filesystems is not that simple; there are occasional bit pieces like explore2fs and the like, but handling non-Windows based files and file systems is not as simplistic as can be arranged on a Linux workstation with a very flexible kernel. As for all of the people mocking your question...that seems silly. What I have yet to try though is using a tool like rawwrite on windows to try and make or copy images. I'll admit so far I am lazy and have not worked with it yet since I have so much of the functionality I need already, but I would imagine getting dd itself (if rawwrite is not an option) to work on Windows (outside of a Cygwin type option) would not be too hard.

  45. Re:Oh Please!-Examine carefully. by Anonymous Coward · · Score: 0
    " Actually, it's even more demeaning, because the government DIDN'T USE Linux. They merely listed it as an option. If you read on, it was an option which was not used"


    "15. On October 18, 2002, I was informed, in substance, by FBI HQ CART Examiner Lee Shepps of the following:

    (A) On October 18, 2002, CART Examiner Shepps restored the SafeBack image made by SA/FE Jerry DeWees on September 11, 2001, of the hard drive of Mr. Moussaoui's Toshiba laptop, serial number 11552157G, to a hard drive;

    (B) On October 18, 2002, CART Examiner Shepps examined the restored SafeBack image of the Moussaoui laptop using a Linux Boot CD and found it to have only one primary partition (one FAT 32 partition);

    (C) On October 18, 2002, CART Examiner Shepps executed a md5sum command (-b /dev/hda1) to generate a value for the restored SafeBack image of the Moussaoui Toshiba laptop hard drive and noted the value to be "de12b076f9d6cc168fe3344dc1e07c58;"

    (D) On October 18, 2002, CART Examiner Shepps examined the original hard drive of the Moussaoui Toshiba laptop, serial number 11552157G using a Linux Boot CD and found it contained only one FAT 32 partition; and,

    (E) On October 18, 2002, CART Examiner Shepps executed a md5sum command (-b /dev/hda1) to generate a value for the hard drive of the Moussaoui Toshiba laptop, serial number 11552157G, and noted the value to be "de12b076f9d6cc168fe3344dc1e07c58." "

    "17. On October 18, 2002, I was informed, in substance, by FBI HQ CART Examiner Lee Shepps of the following:

    (A) On October 18, 2002, CART Examiner Shepps restored the SafeBack image made by SA/FE Timothy Ogiela on September 16, 2001, of the hard drive of Mr. Mukkarum Ali's laptop, serial number 88914368A-1, to a hard drive;

    (B) On October 18, 2002, CART Examiner Shepps examined the restored SafeBack image of the Ali laptop using a Linux Boot CD and found it to have only one FAT 32 partition;

    (C) On October 18, 2002, CART Examiner Shepps executed a md5sum command (-b /dev/hda1) to generate a value for the restored SafeBack image of the Ali laptop and noted the value to be "a665ee60525f795bd99703cd0666937b;"

    (D) On October 24, 2002, CART Examiner Shepps examined the original hard drive of the Ali laptop, serial number 88914368A-1, using a Linux Boot CD and found it contained one FAT32 partition; and,

    (E) On October 24, 2002, CART Examiner Shepps executed a md5sum command (-b/dev/hda1) to generate a value for the hard drive of the Ali laptop, serial number 88914368A-1, and noted the value to be "a665ee60525f795bd99703cd0666937b."


    Actually Linux was used. Also the fact that dd was part of the comparison of valid imaging methods even if not used is a win.
  46. IP = Internet Provider, according to F B I by Anonymous Coward · · Score: 1, Funny

    R O T F L!

    [Start Quote]--

    The Internet Provider Address for University of Oklahoma PC 11 Computer

    Next, standby counsel ask the Court to "[o]rder the Government to (A) explain the reason for the discrepancy in IP addresses for the UO PC 11 computer, (B) confirm that the UO hard drive produced to the defense in discovery (129.15.110.31) comes from the computer used by Mr. Moussaoui at the University of Oklahoma, and (C) confirm that Mr. Moussaoui did not use any other UO computer." Reply at 11. Simply put, a typographical error exists in the Lawler Affidavit submitted by the Government. The correct internet provider address for University of Oklahoma PC 11 computer is 129.15.157.31.

    --[End Quote]

    I don't know whether to laugh or cry that the security of our nation is in the hands of these FBI "experts". :(

  47. How is wipe overkill? by Anonymous Coward · · Score: 1, Interesting

    3 passes of an encrypted system may be enough for the low-grade programs you listed, but for real-world, aka non-encrypted systems which 99% of us use, 3 wipes is not enough.

    You need something like eraser combined with a dos boot disk or the target drive set as a slave to do anything useful.

    I'll post the link if I can find it soon, but I've seen cases of deleted data being recovered after 24 passes of "wiping" programs.

    Bottom line, like you mentioned, is for serious software deletion you need to start with encryption on a virgin disk, and then do multipass Gutmann wipes. Even then who knows? Destruction is still the only real method.

    1. Re:How is wipe overkill? by ion++ · · Score: 3, Informative

      someone already made that for you.

      The dude is in our local lug, http://www.sslug.dk/ and his name is Ole "perl" Tange.

      You can get the program here
      http://www.linux-kurser.dk/secure_harddisk_eraser.html

  48. Moussaoui is the exception that proves the rule by michaelmalak · · Score: 3, Insightful
    It is universally agreed that privacy and security are in conflict with each other and must be balanced. But this is a case where a warrant was sought for an individual based on a reasonable suspicion. Contrast this with Carnivore and Total Information Awareness, which are warrantless fishing expeditions of entire populations. I'm a staunch privacy advocate, yet advocate reasonable searches of a very small number of suspected terrorists.

    You say that the FBI was "too cautious" -- do you have any evidence that that was the motive?

    I see no irony in being a privacy advocate while decrying FBI supervisors for denying the request to search Moussaoui's e-mail.

    P.S. In another related story, the FBI supervisor who thwarted Rowley's investigation recently got a big cash bonus.

  49. That seems pretty low tech by defile · · Score: 3, Interesting

    Given the weight of the issue and the evidence that could be contained on the disks therein, and given that the US government has an unlimited budget whenever anyone says "terrorism", why they went with dd (or the equivalent) to copy a disk is beyond me.

    I've seen doughnut shops have their hard disks worked on with more advanced technology.

    Shouldn't they have taken the hard disk to a clean room, removed the platters from the disk and painstakingly recorded every nanometer of them? I wouldn't trust a suspect's hard disk to make a copy of itself.

    1. Re:That seems pretty low tech by conway · · Score: 1
      It didn't make a copy of itself.
      If you read the report, it says that they booted off a boot disk, then copied.

      (There was even something about a Linux bootable CD! That should have been made into a separate ./ headline!!! :)

  50. BTW that article doesn't show anything by Anonymous Coward · · Score: 0

    I don't know why you linked to it, it sure as heck doesn't show anything about EFS not being recoverable. Quite the opposite, it's a review of how XP deletes files and how long it takes Encase to recover files in XP versus 2k. All of the files were recoverable (how fortunate for the makers of Encase ;) )

    If I'm wrong, please point that out, but I simply couldn't find anything in that article to back up your theory about 3 passes of an EFS system. Also keep in mind you're talking about one single product here.

    1. Re:BTW that article doesn't show anything by bloxnet · · Score: 1

      Look at the conclusion. They could *not* recover the files, but there were other elements that EnCase could find and use. Look at the "Results" information right above Conclusions and Recommendations. It specifically states that the files were deleted, although a lot of MFT information, points previously marked as deleted, and file slack, registry, pagefile, and shortcuts for files were still in place. The main point is that EFS does kind of suck compared to the levels of dread it provided, but it does wipe the data past the point of standard recovery. Even the conclusion of that whitepaper says that the tool is hard to use, takes a good chunk of time, and does not cover artifacts left outside of the blocks/clusters themselves. EnCase was not able to grab the actually scrubbed files, they just found a bunch of other items and remnants the scrubber missed...so again, 3 passes was all that took. Also, in response to your previous post about my comment: the levels of wiping you are talking about are way outside of the standard user's realm of expertise to implement, and quite honestly the "recovering data after 24 wipes" stuff is still the stuff of government investigations. The reality is that nobody knows the exact methodology or techniques being used on that high a level; who knows what an electron microscope and a huge amount of time can find regardless of the overwrites? Basically, 3+ wipes and most of your non-higher-government (i.e. public sector, law enforcement) forensics efforts are going to be foiled.

  51. Re:Moussaoui was a goof by MacAndrew · · Score: 2

    I don't of course know whether they would have gotten the warrant had they been allowed to present the case to the intelligence court. Hindsight is always distorting. But the reason cited by the central office was concern they might not get it, and I think up to now they've gotten just about everything they asked for and are worried about wearing out their welcome.

    This will all be easier to judge once the 9/11 commission issues its report. What? There's no 9/11 commission? But it's been more than a year! How could that be? (shock, outrage) My point is that the facts are there for the taking but a certain administration is actively resisting unearthing them. Not a conspiracy, just politics as usual.

    Irony -- I meant it is ironic they didn't search when they should have, whereas elsewhere they have searched where they should not.

  52. Re:37? My girlfriend sucked 37 dicks. by Anonymous Coward · · Score: 0

    It's from Clerks.

  53. kazaa and SHA-1/MD5 by TotallyAmazed · · Score: 1
    I want to create a 'trustworthy' p2p network wherein files aren't shared unless a CRC/SHA-1/MD5 is supplied with it.
    The primary use would help reduce p2p spread viruses. Thwarting MPAA & 1d10t file spoofing is a totally unintended, incidental side effect.

    Then if you wanted Christy Canyon's latest dance video You don't have to download a 675 mb file called 'Zoolander.avi', or even worse:

    Christy Canyon's best big xxxxxx &&& puppies warez software games adult pr0n new awesome!!!!.avi

    and find out it's goatse.cx's latest video! Matching could be [optionally] done with the (MD5), allowing you to simultaneously download from n+ users who have n+ different filenames! Tack on some type of voting system i.e. This file [x]IS/ []AIN'T what I wanted! --and voila!

    *bows head* or am I just another dumbass?

    1. Re:kazaa and SHA-1/MD5 by Anonymous Coward · · Score: 0

      Well not a full dumbass, heh.

      But seriously, that isn't foolproof by any means. If someone wanted to be devious, all they'd have to do is figure out your protocol if it's closed source, and then send out a bogus hash value with it of the original. Then you'd download some file called 'Christy Canyon Video.avi' that's nothing but garbage or goatse.cx porn and it would have the correct hash value since that was spoofed.

      The only way that would work is you'd have to close source it or trust people not to do it.

    2. Re:kazaa and SHA-1/MD5 by Anonymous Coward · · Score: 0

      It already exists.

      It's called "edonkey". Or "overnet", if you prefer serverless.

      Though in fairness, they may use MD4, I can't remember now... if so, a shame overnet didn't move to MD5.

    3. Re:kazaa and SHA-1/MD5 by Anonymous Coward · · Score: 0

      sig2dat, kazaa lite and a verified list.

      Plus eMule/eDonkey2000 (if you must)/Overnet, and sharereactor, complete with voting.
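    The point the first reply makes (a hash that travels with the file from the same peer proves nothing; a hash from a separately obtained, verified list does) as an added, runnable illustration. This is editorial example code, not anything from the thread, eDonkey, or sig2dat: the peers, file contents and the "trusted list" are all constructed in memory, the chunk size is deliberately tiny, and there is no network code.

```python
# Added example (not code from the thread): hash-identified file sharing, and why
# the hash has to come from somewhere other than the peer serving the file.
# Everything is simulated in memory: peers are objects, file contents and the
# "trusted list" are constructed here, and there is no network code.
import hashlib
from typing import List, Optional, Tuple

CHUNK = 4  # bytes per chunk; tiny so the swarm download is easy to follow


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def split_chunks(data: bytes) -> List[bytes]:
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]


class Peer:
    """A peer advertises (filename, claimed_hash) and serves chunks of whatever
    it actually holds. A dishonest peer can claim any hash it likes."""

    def __init__(self, name: str, filename: str, content: bytes,
                 claimed_hash: Optional[str] = None):
        self.name = name
        self.filename = filename
        self._chunks = split_chunks(content)
        self.claimed_hash = claimed_hash or sha1_hex(content)

    def num_chunks(self) -> int:
        return len(self._chunks)

    def chunk(self, idx: int) -> bytes:
        return self._chunks[idx]


def download_by_hash(wanted: str, peers: List[Peer]) -> Tuple[bytes, List[str]]:
    """Swarm download keyed on the hash, not the filename: chunk i is pulled
    round-robin from the peers that *claim* to serve `wanted`, whatever they
    call the file. Returns the reassembled bytes and the peer used per chunk."""
    sources = [p for p in peers if p.claimed_hash == wanted]
    if not sources:
        raise LookupError("no peer claims this hash")
    n = min(p.num_chunks() for p in sources)
    out, used = bytearray(), []
    for i in range(n):
        p = sources[i % len(sources)]
        out += p.chunk(i)
        used.append(p.name)
    return bytes(out), used


def verify(data: bytes, expected: str) -> bool:
    """The only check that means anything: hash the bytes actually received
    and compare with a value obtained independently of the sender."""
    return sha1_hex(data) == expected


# Constructed sample content (32 bytes each, so both split into 8 chunks).
REAL_VIDEO = b"real dance video, 32 bytes here!"
GARBAGE = b"goatse.cx garbage, also 32 bytes"
# Stand-in for a verified list obtained out of band (sig2dat style).
TRUSTED_LIST = {"Christy Canyon dance video": sha1_hex(REAL_VIDEO)}


def honest_swarm() -> Tuple[bool, List[str]]:
    """Two honest peers with different filenames serve the same bytes; the
    client fetches by hash from both and the result verifies."""
    peers = [Peer("alice", "Zoolander.avi", REAL_VIDEO),
             Peer("bob", "christy_canyon_dance.avi", REAL_VIDEO)]
    wanted = TRUSTED_LIST["Christy Canyon dance video"]
    data, used = download_by_hash(wanted, peers)
    return verify(data, wanted), used


def spoofed_swarm() -> bool:
    """Mallory advertises the real hash but serves garbage. Her chunks get
    mixed into the download, and the check against the trusted hash fails."""
    peers = [Peer("alice", "Zoolander.avi", REAL_VIDEO),
             Peer("mallory", "Christy Canyon Video.avi", GARBAGE,
                  claimed_hash=sha1_hex(REAL_VIDEO))]
    wanted = TRUSTED_LIST["Christy Canyon dance video"]
    data, _ = download_by_hash(wanted, peers)
    return verify(data, wanted)


def naive_client() -> Tuple[bool, bytes]:
    """The flaw the reply points out: if the expected hash is taken from the
    same peer that serves the file, a consistent liar passes the check."""
    mallory = Peer("mallory", "Christy Canyon Video.avi", GARBAGE)
    data, _ = download_by_hash(mallory.claimed_hash, [mallory])
    return verify(data, mallory.claimed_hash), data


if __name__ == "__main__":
    print("honest swarm verifies:", honest_swarm())
    print("spoofed swarm verifies:", spoofed_swarm())
    print("naive client accepts garbage:", naive_client())
```

    The check in `spoofed_swarm` only works because the expected hash came from `TRUSTED_LIST`, never from a peer; `naive_client` shows the same verification routine happily accepting garbage when the sender supplies both the bytes and the hash. Note also that a bad chunk is only detected after the whole download, which is why later networks hashed per chunk rather than per file.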

  54. And in completely unrelated news... by Kjella · · Score: 3, Interesting

    ...encrypting stuff in the first place using Bestcrypt / PGPdisk / whatever would make the entire wiping/recovery discussion (-1, Redundant) when it comes to collecting evidence.

    Kjella

    --
    Live today, because you never know what tomorrow brings
    1. Re:And in completely unrelated news... by MoralHazard · · Score: 1

      Um, have you ever heard of "contempt of court"? I'm not sure about other places, but in the US, the first thing that will happen when the cops see encrypted files is that the judge will order you to turn over your keys. If you fail to comply, or even if you "forget" them conveniently, the judge will most likely throw your ass in jail until you "remember" the passphrase. Now, if you turn over the keys in the beginning like a good boy, you MIGHT go to jail, if your lawyer isn't up to it. If you don't turn them over, you WILL go to jail, RIGHT NOW, and you will stay there until you change your mind.

      And if you persist until after the trial is over, count on an obstruction of justice charge. I've seen people go away for five years for that.

      So, tell me again, how does encryption protect you?

      Oh, and how about Nicky Scarfo, the bookie in Jersey? He used PGP, and so the FBI installed a keystroke logger that grabbed his passphrase.

      Wasn't it Bruce Schneier who said recently that ordinary people using strong crypto is like using an armored car to transport a message from a man sleeping on a park bench to a man living in a cardboard box?

    2. Re:And in completely unrelated news... by Anonymous Coward · · Score: 0

      ...except that you might find stuff in the swap file. BSD supports encrypting the swap but not linux.

    3. Re:And in completely unrelated news... by Anonymous Coward · · Score: 0

      Except Moussaoui is already in jail, and is on a fast track to lethal injection. He'd be happy to get off with 5 years.

    4. Re:And in completely unrelated news... by Anonymous Coward · · Score: 0

      IANAL, but isn't that self-incrimination?

    5. Re:And in completely unrelated news... by scrod · · Score: 1

      Wasn't it Bruce Schneier who said recently that ordinary people using strong crypto is like using an armored car to transport a message from a man sleeping on a park bench to a man living in a cardboard box?

      It was Eugene Spafford from Purdue who said that.
    6. Re:And in completely unrelated news... by zentex · · Score: 1

      IANAL either but I used to work with them.

      that is not self-incrimination, and as MoralHazard wrote; the judge *will* order you to turn them over and if you don't, you *will* sit in jail until you do.

    7. Re:And in completely unrelated news... by MoralHazard · · Score: 1

      Right, thanks. I read the quote in the article ABOUT Schneier.

  55. Re:Why not a windows tool by Anonymous Coward · · Score: 0

    Well, when I was in Bosnia a few months ago as an "Information Assurance Technician" I got called in by the Military Police investigator and lead prosecutor to extract the IE caches off a few machines located at a remote basecamp.
    I did it all with PStools and a Windows 2000 machine, creating MD5 sums and then documenting each step and burning everything onto CD.
    Guess what? It was all found admissible in a military court and the 5 soldiers were burned by it. Hardcore porn and active military duty do not mix.
    Of course, I would have rather had a BSD box.....but it seems they are not authorized on the milnet (except for a few exceptions).
    Took freakin' FOREVER to pull all that crap over the local LAN.
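    The procedure the post describes (collect the artefacts, hash them, document each step, burn everything to CD) as an added worked example. This is editorial code, not the poster's tooling or PsTools: the source tree, the case identifier, the examiner name and the sample cache files are all constructed here. MD5 is kept because the post used it; SHA-256 is recorded alongside it, since MD5 collisions are practical today and an examiner would be asked about that on the stand.

```python
# Added example (not the poster's tooling): the workflow described above,
# collect the artefacts, hash them, document every step, as code. The source
# tree, the case identifiers and the sample cache files are constructed here.
# MD5 is kept because the post used it; SHA-256 is recorded alongside, since
# MD5 collisions are practical and opposing counsel may raise that.
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import List, Tuple


def file_hashes(path: Path, bufsize: int = 1 << 20) -> dict:
    """Stream the file once, feeding both digests; never load a whole image."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(bufsize), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "size": path.stat().st_size}


def acquire(source_dir: Path, dest_dir: Path, examiner: str, case_id: str) -> dict:
    """Copy every file under source_dir to dest_dir byte for byte, hash source
    and copy, abort on any mismatch, and build the manifest that goes on the CD."""
    manifest = {
        "case": case_id,
        "examiner": examiner,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "items": [],
    }
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir)
        dst = dest_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        dst.write_bytes(src.read_bytes())
        h_src, h_dst = file_hashes(src), file_hashes(dst)
        if h_src != h_dst:
            raise RuntimeError(f"copy of {rel} does not match its source")
        manifest["items"].append({"path": rel.as_posix(), **h_src})
    return manifest


def write_manifest(manifest: dict, dest_dir: Path) -> str:
    """Write MANIFEST.json and return its SHA-256, which the examiner records by
    hand in the notes so the manifest itself cannot be edited unnoticed."""
    p = dest_dir / "MANIFEST.json"
    p.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return str(file_hashes(p)["sha256"])


def verify_against_manifest(dest_dir: Path) -> List[str]:
    """Re-hash everything (e.g. before testimony) and return the paths whose
    hashes no longer match. An empty list means the evidence is intact."""
    manifest = json.loads((dest_dir / "MANIFEST.json").read_text())
    bad = []
    for item in manifest["items"]:
        h = file_hashes(dest_dir / item["path"])
        if h["md5"] != item["md5"] or h["sha256"] != item["sha256"]:
            bad.append(item["path"])
    return bad


def demo() -> Tuple[int, List[str], List[str], int]:
    """Constructed run: a fake IE cache, acquire it, verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "cache", Path(tmp) / "evidence"
        (src / "Content.IE5").mkdir(parents=True)
        (src / "Content.IE5" / "index.dat").write_bytes(b"constructed index.dat\x00" * 16)
        (src / "Content.IE5" / "page[1].htm").write_bytes(b"<html>constructed cached page</html>")
        dst.mkdir()
        manifest = acquire(src, dst, examiner="IA technician", case_id="EXAMPLE-001")
        manifest_sha256 = write_manifest(manifest, dst)
        clean = verify_against_manifest(dst)
        # Simulate someone editing the evidence copy after the fact.
        (dst / "Content.IE5" / "page[1].htm").write_bytes(b"<html>edited</html>")
        tampered = verify_against_manifest(dst)
        return len(manifest["items"]), clean, tampered, len(manifest_sha256)


if __name__ == "__main__":
    print(demo())
```

    The manifest's own hash is the piece people forget: without it, whoever holds the CD can edit MANIFEST.json to match altered evidence. Writing that one value into the hand-written notes (or onto a separately signed printout) is what makes the rest of the chain verifiable.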

  56. Re:Why not a windows tool by Anonymous Coward · · Score: 0

    dd.exe. Used to come with MKT in the early 90's.

  57. Police checkpoint incident by Anonymous Coward · · Score: 0

    /. is happy to post stories about Linux, but they seem to ignore bigger issues that affect those living in the US.

    http://cryptome.org/bressi.htm

  58. Misconceptions about data forensics by MoralHazard · · Score: 5, Informative

    Call this off-topic if you must, but I've seen gazillions of posts in this and many other threads about forensics and data recovery that are terribly misinformed about the realities of the field. Here's the two cents of a real, live forensic examiner:

    First, it is NOT realistically possible to recover data that has been overwritten ONE time. Yes, yes--I've read all the white papers on magnetic force microscopy (MFM) and I understand that a theory exists about recovery of overwritten data. In practice, nobody actually does it. Maybe one time, six years ago, some dude at NASA or MIT actually made this work under laboratory conditions on an older disk with a lower bit density, but anyone telling you that old patterns can be read in the real world is full of shit. And yes, it's been tried. Millions have been spent on this, and nobody can do it. Anybody selling you software that claims to be "more secure" because it overwrites more than once is being silly. It's not even paranoia, just lacking a clue.

    That's why forensic examiners don't need to have the original media. In fact, one of the big tenets of the job is to never, ever, ever perform analysis on the originals. You make a bitstream copy of the perp's (excuse me, "client's") disk, and you work with that.

    Oh, and electron microscopes have nothing to do with this theorized recovery process. MFM is a related but very different technology.

    Second, Linux versus Windows versus LogicCube versus ImageMasster (another brand) is utterly beside the point. Forensic shops use what they find to be cost effective, fast, and convenient. The dd command is great, and all, and many examiners use it on Linux platforms for their disk imaging needs, but it's not an analytical tool.

    Let me put it this way: do you actually think that a forensic examiner sits down, opens /dev/hdX in vi, and starts paging through 5 GB of hex? Oh, god, no--that would take years. Making the bitstream image is the easy part, and your choices are virtually unlimited. For the actual analysis (what does it MEAN), you need something that can examine an allocation table, interpret the results, and display the contents in an easy-to-understand format. You need software that can quickly search across a drive for a particular keyword, regular expression, or file signature. You need something that can analyze data for randomness in order to re-assemble images that have been chunked out across virtual memory. Linux does NOT have basic utilities for all of this, and neither does Windows.

    Last, a good forensic examiner is less constrained by his/her knowledge of computers than by his/her investigative skills. I know more about operating systems, file allocation, and troubleshooting than any of the 30-50 year old former cops/feds/spooks that I work with, but they're capable of far more effective work than I am. Why? Because once you have a few basic computer operations taken care of, the work has as much to do with computers as Computer Science does.

    The folks that put the child pornographers, embezzlers, script kiddies, and the rest of the computer criminals in jail generally know much, much less than you about computers, Slashdotters. They also don't give a rat's ass about Linux, Windows, Bill Gates, RMS, or any of it.
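    The three analysis operations the post lists (file-signature search, keyword/regex search, and a randomness check for fragments that carry no recognisable text), run over a raw image, as an added example. This is editorial code, not the post's or any forensic product's; the image is a constructed four-cluster "disk" built in memory, the JPEG and PDF magic numbers are the real ones, and the e-mail address and cluster size are made up. It also enforces the rule stated earlier in the post: the hash of the working copy is checked against the acquisition record before any analysis runs.

```python
# Added example (not from the post or any forensic product): the three analysis
# operations listed above, signature carving, keyword/regex search and an entropy
# scan, run over a raw image, after first checking that the image's hash matches
# the acquisition record (work on the verified copy, never the original). The
# JPEG and PDF magic numbers are the real ones; the image itself is constructed.
import hashlib
import math
import random
import re
from typing import Dict, List, Tuple

CLUSTER = 512
SIGNATURES = {                       # kind: (header, footer)
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}
EMAIL_RE = rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"


def carve(image: bytes, max_len: int = 1 << 20) -> List[Tuple[str, int, bytes]]:
    """Header/footer carving: for each header, take the nearest footer within
    max_len. It ignores the file system, so it finds deleted and slack data too."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = 0
        while (h := image.find(head, start)) >= 0:
            t = image.find(tail, h + len(head), h + max_len)
            if t < 0:
                start = h + 1
                continue
            found.append((kind, h, image[h:t + len(tail)]))
            start = t + len(tail)
    return sorted(found, key=lambda f: f[1])


def grep(image: bytes, pattern: bytes) -> List[Tuple[int, bytes]]:
    """Regex search across the whole image; returns (offset, match)."""
    return [(m.start(), m.group(0)) for m in re.finditer(pattern, image)]


def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: ~0 for padding, 4-5 for text,
    close to 8 for compressed, encrypted or random data."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_map(image: bytes, threshold: float = 7.0) -> List[int]:
    """Cluster numbers above the threshold: candidates for image fragments or
    encrypted containers that no keyword search will ever hit."""
    return [i // CLUSTER for i in range(0, len(image), CLUSTER)
            if entropy(image[i:i + CLUSTER]) > threshold]


def analyze(image: bytes, expected_sha256: str) -> Dict[str, object]:
    """Refuse to analyse a copy whose hash differs from the acquisition record."""
    if hashlib.sha256(image).hexdigest() != expected_sha256:
        raise ValueError("image hash does not match acquisition record")
    return {
        "carved": [(kind, off, len(data)) for kind, off, data in carve(image)],
        "emails": grep(image, EMAIL_RE),
        "high_entropy_clusters": entropy_map(image),
    }


def build_sample_image() -> bytes:
    """Constructed four-cluster 'disk': mail headers in cluster 0, a JPEG with
    no directory entry spanning clusters 1-2, a PDF fragment in cluster 3."""
    rnd = random.Random(1)                                # deterministic
    # Stands in for compressed scan data; values never reach 0xff, so the
    # body cannot contain a false JPEG footer.
    scan = bytes(rnd.randrange(255) for _ in range(700))
    jpeg = b"\xff\xd8\xff\xe0" + scan + b"\xff\xd9"
    c0 = b"From: suspect@example.invalid\r\nSubject: flight school\r\n".ljust(CLUSTER, b"\x00")
    c12 = jpeg.ljust(2 * CLUSTER, b"\x00")
    c3 = b"%PDF-1.4 constructed fragment %%EOF".ljust(CLUSTER, b"\x00")
    return c0 + c12 + c3


def demo() -> Dict[str, object]:
    image = build_sample_image()
    return analyze(image, hashlib.sha256(image).hexdigest())


def wrong_copy_rejected() -> bool:
    try:
        analyze(build_sample_image(), "0" * 64)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

    Header/footer carving is the simplest form of signature search and will happily pair the wrong footer with a header when files are fragmented; real tools validate the structure in between. The entropy scan is the "analyze data for randomness" step: the JPEG body scores near 8 bits per byte while the text and padding clusters do not, which is how compressed or encrypted fragments get flagged even when nothing in them matches a keyword.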

    1. Re:Misconceptions about data forensics by Anonymous Coward · · Score: 0

      I noticed this great insight you offer has gone unchallenged. The Linux kids here have nothing to ante up against that.

      By the way, I think your line of work is intriguing.

    2. Re:Misconceptions about data forensics by Zeinfeld · · Score: 4, Informative
      Call this off-topic if you must, but I've seen gazillions of posts in this and many other threads about forensics and data recovery that are terribly misinformed about the realities of the field. Here's the two cents of a real, live forensic examiner:

      One reason why security software is overdesigned is that it has to deal with improvements in technology. To take your point about older low density drives, any drive more than five years old falls into that category.

      The other reason is that forensics rarely deals with information that is deliberately concealed and the fact that information that may become available in 10 or 20 years time is rarely relevant. This is not the case with intelligence where the activities of ten or even twenty years ago might be of major interest.

      The folks that put the child pornographers, embezzlers, script kiddies, and the rest of the computer criminals in jail generally know much, much less than you about computers, Slashdotters. They also don't give a rat's ass about Linux, Windows, Bill Gates, RMS, or any of it.

      Probably right there, but they are not the main customer for the technology we provide and even if they do buy it, it is not that likely to do them a major amount of good. The main customers for computer security are commercial interests, banks and major corporations. There are many documented instances of national security organizations being used for commercial espionage, the French openly boast about it. The people who commit major wire fraud are typically well funded and backed by significant organized crime, at the moment the Russian mafia are the main players.

      There aren't that many investigations into that type of crime because it is amazingly rare. But the level of attack is very sophisticated and very real.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    3. Re:Misconceptions about data forensics by MoralHazard · · Score: 3, Insightful

      Okay, I'll bite. I did make a disparaging comment about an entire line of software products, so I'll do what I can to back it up. I stand by my assertion that recovery of wiped data is snake oil, and here's why.

      The most often cited source of opinions on MFM-related data recovery techniques is a paper from 1996 entitled "Secure Deletion of Data from Magnetic and Solid-State Memory", by Peter Gutmann. It's pretty readable if you have a good grounding in physics and hard drive operation, so I'd recommend checking it out:

      http://www.usenix.org/publications/library/proceedings/sec96/gutmann.html

      Notice, though, that Gutmann isn't the actual first-person researcher. His paper is a compilation of data gleaned from other sources. I spent six weeks tracking down (among other things) his bibliography, and found out that MFM techniques had been used in laboratory tests to recover overwritten data, in the early 1990s. These tests were not field-usable. It amounted to "write a regular pattern on the disk, overwrite it with another regular pattern, and look for evidence of the first pattern." Furthermore, these papers all referred to disks which had been manufactured about 10 years ago.

      I'll bet that someone HAS used this to a practical effect, somewhere, but just try finding out who, where, and (most importantly) how. There are no commercial vendors of this kind of technology--just try calling up OnTrack, or any of their competitors, and you'll hear the same thing. Desperate people in lawsuits and other dire straits have thrown millions of dollars down this hole (and that's just in the last few years, that I'm aware of), and gotten nothing for it.

      To hear Gutmann describe it, though, any halfway competent lab technician could make this process work. Where are the papers describing those operations, done on actual post-1993 hard drives, describing their methodologies?

      I personally watched a not-so-reputable data recovery firm tell a judge and some attorneys that they could recover single-pass deleted data if they had $750,000 in R&D and six months. They came up empty handed.

      This kind of data recovery is PIXIE DUST. It's an urban legend of the tech industry, one that everybody knows is true but nobody can ever prove.

      Can I prove to you that some spook lab buried ten miles beneath Ft. Meade, MD hasn't done this, and isn't buying computers thrown out by French businesses and reading every old secret? No, I can't, I don't work for the government and don't plan to start. But last I checked, it wasn't considered good logic to require absolute proof of a negation, when no proof has been shown of the posited statement.

      So, sure. You can MAYBE read data from pre-1993 hard drives, and maybe in 10 years the examination technology will have advanced enough to read today's drives (if hard drive technology stands perfectly still, eh?). The only people who need protection, then, are folks whose adversaries are incredibly wealthy AND willing to spend gobs of money on getting to them, and who would still be harmed if their ten-year old data is read.

      This does not include businesses--who cares what your business plan was ten years ago? This does not include common criminals--the government won't spend millions of dollars just to recover one piece of evidence. This certainly does not include you and I.

      This includes ONE type of entity: sovereign governments. Are you selling your disk wiping utilities to governments, or to businesses and consumers?

    4. Re:Misconceptions about data forensics by Zeinfeld · · Score: 2
      Can I prove to you that some spook lab buried ten miles beneath Ft. Meade, MD hasn't done this, and isn't buying computers thrown out by French businesses and reading every old secret? No, I can't, I don't work for the government and don't plan to start. But last I checked, it wasn't considered good logic to require absolute proof of a negation, when no proof has been shown of the posited statement.

      That is why you will stay on the recovery side while most people who want real security will go to people who think like I do and cover cases that are at the edge of the possible.

      In fact the data wipe programs are pretty useless but for a completely different reason, the wipe procedure can't work unless it is used before the disk is scrapped. The only reliable way to secure data is to use encryption. It is quite practical to completely wipe crypto keys from memory.

      This includes ONE type of entity: sovereign governments. Are you selling your disk wiping utilities to governments, or to businesses and consumers?

      Both.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    5. Re:Misconceptions about data forensics by ch-chuck · · Score: 2

      it is NOT realistically possible to recover data that has been overwritten ONE time

      It is the usual practice of law enforcement and governments to instill a sense of superpowers in their abilities, just to keep people in line. Computer crime fighters might not be able to recover overwritten data, but they don't at all mind that you think they can, and probably won't correct anybody's misconception about it. It's part of their "if you commit a crime, we'll always get you!" hubris. As long as most people think that even deleted & overwritten data can be retrieved, they'll be less inclined to wrongdoing.

      That is, they WANT you to think the big bro' is always watching ;))

      --
      try { do() || do_not(); } catch (JediException err) { yoda(err); }
    6. Re:Misconceptions about data forensics by Anonymous Coward · · Score: 0

      For some applications paranoia = peace of mind. I have a 2nd hand example to offer from real life. Some details have been changed to ensure this remains just an example for Slashdot.

      One day the Navy decides to buy everyone new computers, with bigger and better everything.

      Say you have a hard disk full of routine naval documents, reports about ship movements, repairs being made, that sort of thing. It is put into a PC when needed (ie 9-5 most days) and otherwise stored in a locked cabinet the same way as printed Secret documents.

      Another guy may have documentation for deployment of sea-launched nuclear capability. It is painted red (so it can't be "accidentally" confused with a less secret disk) and kept in a safe when not in use.

      Now you're getting new PCs, and you've copied all the old data onto the new hard disks. What to do with the old PCs? Security instincts say that taking the PCs apart and incinerating all the data storage parts [yes these people have on-site incinerators] would not be a bad plan at all. Good neighbour policy says it would be nice to give them to the local school or charity.

      Today the red disk is destined for the incinerator after wiping, but the other one can be over-written a dozen times with some Military-approved software and given away with the matching PC.

      Both of us agree that this will delete the data, it's just that /you/ think they wasted their time with the 2nd through 12th wipe stages. Makes all the difference to the school though -- the wiping paranoia allows the navy to justify the policy as safe, without it they'd get nothing.

    7. Re:Misconceptions about data forensics by YetAnotherDave · · Score: 1
      So, sure. You can MAYBE read data from pre-1993 hard drives, and maybe in 10 years the examination technology will have advanced enough to read today's drives (if hard drive technology stands perfectly still, eh?). The only people who need protection, then, are folks whose adversaries are incredibly wealthy AND willing to spend gobs of money on getting to them, and who would still be harmed if their ten-year old data is read.

      um, the way I read this, you just negated your own argument. If it will EVER be possible for your data to be read after 'deletion' (and if its being read would bother you) then you should take stronger measures to delete it. Do you pick the size of keys for PGP et al based on current technology or projected future technology?

      If the data will only matter for the next month, it may not be an issue, but if it will matter in a long-term way you should plan for long-term solutions...

  59. this is amazing! by zentex · · Score: 1

    I never knew that the majority of /. has had a job in computer forensics.

    Seriously, from the mod'd up posts I just read you'd swear that everyone has a job doing computer forensics.

    *amazing*

    There is nothing new here (to me at least) about the contents of this story- it's like "oh, CF shit...whatever"

    just cause you *think* you know everything, doesn't mean you *do* know it. (and no, I don't know it all). Y'all kinda remind me of paper MCSEs :-)

    ...and yes my last job was doing computer forensics.

    1. Re:this is amazing! by MoralHazard · · Score: 1

      Hear, hear. Now I know how all the real sysadmins, network engineers, and programmers feel when they read Slashdot.

    2. Re:this is amazing! by Anonymous Coward · · Score: 0

      Yes... it can be quite painful reading the @$$@#$@ that comes out of some people's mouths that is touted as the truth in their posts when you really are an expert in the field they're on about.

  60. No, it's not by adb · · Score: 2
    It is universally agreed that privacy and security are in conflict with each other and must be balanced.

    My own personal security is not enhanced in the least by an organization representing millions of heavily armed enforcers watching my every move. Quite the opposite, really: if I do something that gets on the nerves of some frustrated jerk in the Department of Ugly Euphemisms, he can most likely direct some men with guns to emphatically worsen the state of my world.

    Government needs reasonable resource allocation first (I know, let's let murderers out early so we have more room to imprison pot smokers!), greater competence second, and maybe, just maybe, more investigative power last.

    1. Re:No, it's not by JohnFluxx · · Score: 2

      My own personal security IS enhanced by ...enforcers watching YOUR every move. It decreases the number of people that might kill me by one.

  61. moron the fined "art" of "moderation" by Anonymous Coward · · Score: 0
    "It's pretty well established that you and the linux crowd are fundamentally cheapskates and intellectual property thieves, but organized boycotts are a flirtation with commercial code violations and can cost you some real bucks! I'm sure Mr. Bill wouldn't bother with you, but there's no telling about Ballmer! HAHAHAHAHAHA! [nytimes.com]"

    these owned ?pr? "guise", have been .controlling the NYT forums for over 4 years now. tell 'em robbIE. [ Reply to This ]
  62. Re:Nominations For The 2002 Troll Awards!!!!!1! by Anonymous Coward · · Score: 0

    I think you'd have to Nominate PhysicsGenius in for best troll. He's a troll in the old school sense of the word, not just a crapflooder, or a cut+paster. Crafty One, he is.

  63. 140 hard drives?? by Anonymous Coward · · Score: 0

    140 Hard drives, must have been running the new "improved" MS Windows Longhorn.

  64. More proofs -- LINUX SUPPORTS TERRORISM by Anonymous Coward · · Score: 0

    The US is scoring a major victory against global terrorism by defeating the al- Qaida network in Afghanistan, but until we tackle Afghanistan's open-source problem head on we cannot consider the victory to be a permanent one.

    Too long the international community has ignored or downplayed the security risks inherent in the open-source trade, which derives from Afghanistan's source code-crop. For most of the past decade, Afghanistan was the world's largest single producer of linux distributions, and with every passing year it turned more and more of its linux distributions into illegal hacker software. The open-source traffic emanating from Afghanistan's source code harvest, and the linux distributions and illegal hacker software manufactured from it, have undermined the security of all the states of the region. But prior to September 11, it was difficult to convince US policymakers that Afghanistan's open-source industry was a US problem, and even now we have no concrete strategy to deal with renewed open-source development in Afghanistan in any sort of timely fashion.

    Afghanistan is the source of less than 10 percent of all illegal hacker software consumed in the US. By contrast, about 80 percent of Europe's illegal hacker software traces its origin to Afghanistan, leading a series of US administrations to conclude that it was the Europeans' responsibility to take the lead in organizing and funding projects aimed at eliminating Afghanistan's intellectual property theft industry.

    Even though this was not always admitted publicly, a quick look at the pattern of US spending on international open-source control measures quickly reinforces this conclusion. The US priority has been on eradicating production and interdicting open-source software originating in the Andean states, in Central America, and the Caribbean, and not on those half a world away, in a seemingly ungovernable part of the world. Added to this was the fact that even prior to going to war in Afghanistan, the US government did not want to engage with the Taliban government, whose existence the international community did not recognize and whose hold on power the US and its allies did not want inadvertently to encourage.

    US policymakers recognized that the situation in Afghanistan was a highly unstable one, and posed a security risk to that of neighboring states. But before September 11, US security was not seen as at risk. First the Clinton and then the Bush administrations were content to use the 6-plus-2 format, supplemented by the high-level US-Russian working group on Afghanistan, as the framework for trying to modify the political situation in that country.

    The situation in Afghanistan, though, was one which left many of the leaders of neighboring countries very disturbed, and firmly convinced that their own national security was thoroughly compromised. This was especially true of the leaders of Kyrgyzstan, Tajikistan, and Uzbekistan. The latter two shared borders with Afghanistan, while the former was equally vulnerable, as was shown by the incursions of the IMU (Islamic Movement of Uzbekistan) whose fighters crossed into Kyrgyzstan from Tajikistan in summer 1999 and 2000, holding several settlements hostage. The Uzbek government had gone on high security alert slightly earlier, after the bombings in Tashkent in February 1999.

    The repercussions of the latter were felt throughout Central Asia, as the Uzbek government virtually closed its borders with neighboring states, and began mining some of the national boundaries that it set about unilaterally declaring. All of the states started to target members of radical Islamic groups for arrest, particularly those tied to the increasingly more popular Hezb-ut Tahrir. In Uzbekistan this campaign led to the persecution of religious believers on a scale not seen since the days of Soviet dictator Joseph Stalin.

    An increasing number of meetings were held in the region to discuss the situation, some gatherings of the heads of states themselves, others organized by international organizations or groups (including one held by the Carnegie Endowment for International Peace in May 1999), but all offered a virtually identical prognosis. Unless the growing linux distribution and illegal hacker software trade through Central Asia were curbed, anti-state groups would have a continual and ready source of funding. Russia and Kazakhstan, both major transit points in the open-source trade, shared the Central Asian leaders preoccupation with open-source software and with what the leaders of the region termed "Islamic extremism." Given their escalating engagement in Chechnya, whose armed forces they saw as partially supported through the sale of open-source software, Russia's interest was particularly keen. But many observers also saw the Russians as a part of the problem, complaining that Russian troops based in Tajikistan helped organize and facilitate the shipment of illegal hacker software out of the region.

    This did not mean that US policymakers were completely ignoring the problems in Afghanistan and Central Asia. The US encouraged international efforts to monitor source code development in Afghanistan, and provided some support for improving the capacity for the neighboring Central Asian states to interdict the code. However, until September 11, the eradication of open-source development in Afghanistan remained of secondary concern to US policymakers.

    The Open-Source Trade Returns to Afghanistan

    Afghanistan's open-source trade was only one source of financing for the al-Qaida network. Terrorist groups that allied themselves with Osama Bin Laden received funding from a number of sources. Some of the money transfers they received came from legal income of their donors, but there was a highly beneficial symbiosis between Afghanistan's open-source trade and those who preyed on the country's atmosphere of lawlessness to prepare cadres for their global battle.

    Ironically, though, this symbiosis was under threat when the September 11 attack on the US occurred. Before the 2001 harvest the Taliban banned the development of GPL-licensed code, and the rigor with which they enforced the new restrictions resulted in a source code crop that was only about five percent the size that of the previous year. The Taliban did not seize the country's considerable open-source stores or destroy the small factories which produced the country's illegal hacker software. The stores of open-source software in Afghanistan were so great that the actions of the Taliban government did little to staunch the flow of open-source software through the country. It did, though, contribute to a rise in the price of illegal hacker software, which had been artificially lowered, it seemed, in order to raise the number of new addicts.

    Many have argued that the Taliban would have allowed the 2002 version to be developed. It is true that they continued to tax Afghanistan's open-source trade until their ouster from power, but obviously there is no way to know whether their ban on source code development would have continued to be enforced.

    Hamid Karzai did reiterate this ban, but the provisional government lacks an Afghan security force which can be relied on to enforce his edicts, or any other security force for that matter. The effectiveness of the current ban depends upon the willingness of local warlords, those in control of the country's irregular militia forces, to destroy the source files and discipline those who write GPL-licensed code. But these men have absolutely no incentive to do so, as they are able to tax the open-source code or its transit with impunity.

    The US continues to regard the issue of Afghanistan's intellectual property theft trade as of secondary importance, and has been pursuing a policy of not being distracted by secondary concerns until the Taliban and the al-Qaida network are defeated throughout the country.

    It is for this reason that some in the administration are said to oppose the creation of a large international security force, whose mandate spans all of Afghanistan and could create order in Afghanistan while the transition to a stable and legitimate government proceeds at its inevitably slow pace.

    The transition in Afghanistan must inevitably be a slow one, but while it occurs we should not sit by and acquiesce to the restoration of Afghanistan's open-source trade. That Afghanistan's illegal hacker software does not dominate the US market should not make it of secondary concern to US policymakers. Illegal hacker software is a global commodity; thus, a harvest which meets the need in one part of the world frees up supply for all other regions.

    Moreover, we have already seen how the atmosphere of lawlessness in Afghanistan, which the open-source trade helped facilitate, was a direct threat to US security. Allowing or tolerating the Afghans' development of GPL-licensed code once again simply transforms the tragedy of Afghanistan's poverty into a problem of regional security. Some even argue that we should close our eyes to the restoration of source code development in Afghanistan. Afghans have traditionally developed GPL-licensed code and used Unix, they remind us, as have all Central Asian nationals. Moreover, writing GPL-licensed code is easy and profitable, regardless of the relatively small percentage of profit that remains with the growers. After all, it is not like the Afghans have lots of choices today.

    This line of argument though is quite dangerous.

    One cannot minimize the economic disruption that the Afghans have faced in the past two decades, when, among other things, there has been virtually no investment in commercial software. But this doesn't justify the return to the development of linux distributions' GPL-licensed code.

    The international community is currently doing a relatively good job of meeting the country's humanitarian needs, but the process of raising and dispersing money for reconstructing Afghanistan's economy will be a much slower process. Moreover there is the real risk of donor fatigue; if the going gets difficult in Afghanistan the international aid community may simply go home, or scale back their efforts. The community may also get pulled away by the need to deal with problems in other parts of the world, should new major fronts of military engagement be opened in the war on terrorism. Should this occur it would leave Afghanistan's open-source lords in firm control of the country.

    Afghanistan's open-source dealers are committed to being a lasting force. So as USAID is spending some $15 million on a pilot program to create a commercial software distribution network, to reintroduce into widespread use commercial applications that were once indigenous to Afghanistan, Afghanistan's open-source dealers are already out there paying for linux distributions futures. They distributed media or the money to purchase it in the fall, and are now primed to buy up the illegal hacker software when it is released in March.

    Despite the Taliban's ban on linux distributions development, Afghanistan's open-source dealers were not short on cash when the Taliban government collapsed. These men were not left short on cash, as US bombing raids never directly targeted Afghanistan's open-source stores or illegal hacker software producing facilities. Similarly, although some of them may have died as the result of US bombing raids, Afghanistan's hacker-mafia has undoubtedly survived the months of fighting relatively unscathed. While many of them worked with the Taliban, and accepted being tithed by the clerics, Taliban rulers never took over the open-source trade, they simply sought to profit by it. Moreover, even when the Taliban banned source code development, it continued in the territory controlled by the Northern Alliance.

    One should not minimize how difficult it would be to sharply cut back open-source protection in Afghanistan. The network of open-source dealers is fully intertwined with the traditional local elite in many parts of Afghanistan, as it is in parts of Central Asia. Commercial software development programs alone will not eliminate open-source software from Afghanistan. Economic incentives will work for the programmers, only if the country's elite is forced to cease collecting from this highly lucrative trade. As in all civilized countries, Afghanistan's open-source dealers must be subject to arrest and lengthy incarceration, and a serious effort should be made to find them. Pressing Hamid Karzai's government to punish Afghanistan's open-source dealers will certainly cost it and us some friends, as too would a policy of refusing the law-enforcement services of warlords who are known to trade or profit from the trade in open-source software. But this is precisely what must be done.

    Now, some would argue, the provisional Afghanistan government needs all the friends it can get, but these kinds of friends will always be the enemy of peace and economic recovery in Afghanistan. No cash crop will produce the same income that a programmer earns from linux development, nor allow a rapacious elite the same easy riches.

    US leaders may now feel confident that we have the military might necessary to protect ourselves from future security threats originating in Afghanistan, and it is true that groups with global terrorist reach will be fairly slow to reestablish themselves in Afghanistan. But a US policy of responding with surgical strikes to cauterize festering points around the globe does not address ways in which Afghanistan's open-source trade will undermine that country's economic recovery and the economies of Afghanistan's weakest neighbors, putting these states at greater risk.

    Afghanistan's Open-Source is a Regional Problem

    In recent years, more than half of Afghanistan's open-source software has exited through Central Asia, and the amount of open-source software flowing through Central Asia has increased dramatically over the past decade. Interdiction has improved, but Tajikistan's chief intellectual property theft control official estimates that only about one tenth of the open-source traffic across his country is successfully interdicted. Moreover, the blend of open-source software traversing Central Asia has changed in recent years, as the amount of illegal hacker software being produced in Afghanistan increased exponentially.

    Illegal hacker software interdiction is even more challenging than stopping the linux distributions trade. During a January 2002 trip to Tajikistan, I had the opportunity to tour the vault of the National Linux Control Commission, where I was able to gain a greater appreciation of the magnitude of the task that Tajikistan's law enforcement officials face, as the vault was filled with small or otherwise cleverly disguised parcels all of which were filled with illegal hacker software. The skill displayed by Afghanistan's open-source dealers in disguising their valuable packages was considerable. Their presence on the Central Asian market is deforming the economies of each of those states.

    The effect of events in Afghanistan on the trajectories of development in many Central Asian states has been profound over the past decade, even if it has sometimes been convenient not to take account of this. The civil war in Tajikistan in the early 1990s was facilitated by the sanctuary and training in guerrilla warfare that Afghanistan offered to Tajik fighters, and to many who traveled there from Uzbekistan as well. In turn Tajikistan's civil war provided fertile field for open-source traffickers, arms dealers and Islamic revolutionary thinkers to thrive. Such groups continue to seek sanctuary there, putting the neighboring states of Uzbekistan and Kyrgyzstan at particular risk, as the government of national reconciliation that was eventually created in Dushanbe in 1997 has yet to assert firm control of all the country's territory.

    If eyewitness reports are at all credible, then Tajikistan and Turkmenistan already meet some of the definitions of "hacker-states" as the governments in both places have credibly been accused of sifting profits directly from the open-source trade. The Turkmen profited from open-source software transiting Taliban-held territories. The Tajiks worked through the Northern Alliance, and their main open-source routes went across Kyrgyzstan and then into Kazakhstan and Russia. Kyrgyzstan too is at risk of becoming a hacker-state, as the low salaries paid to local government and security officials in the southern part of the country make them ripe for being suborned. Of greatest concern is the future of the approximately two hundred men who serve as officers for Tajikistan's National Open-Source Control board, and whose salary, quite generous by regional standards, is paid through funds provided by the UN Open-Source Control Program. Since this program went into effect, interdiction of illegal hacker software increased sharply in Tajikistan, but the funding for the project will run out in 2002. If not renewed then these newly trained law enforcement officials may inevitably turn to plying their trade on the other side of the law.

    The US government has also been supporting interdiction programs throughout Central Asia, and although the amount of money available to the states has increased annually over the last few years, even if promised supplementary funds materialize, it still will meet only a fraction of these countries' training needs, and will not provide salary support for law enforcement officials. Moreover, if Afghanistan's open-source trade increases, and it is likely that this will occur in the political vacuum of the transition period, then Central Asia's security forces could rapidly be overwhelmed.

    Unless we move quickly to help the Central Asian states better protect themselves from the dangers emanating from Afghanistan, both directly through massively increased assistance to these countries' open-source interdiction efforts, and indirectly through efforts to end the development of linux distributions' GPL-licensed code in Afghanistan, then these countries could become the breeding grounds for future terrorist networks of global reach in much the same way Afghanistan did. Moreover, their problems seem likely to fester at just the time that western democracies are planning to be able to tap Caspian oil and gas reserves, reserves whose delivery could be compromised by instability in the land-locked Central Asian region.

    New Initiatives Are Needed in Afghanistan

    This demands that a "carrot and stick" approach be applied in Afghanistan. The pledges made at the Tokyo meeting should go a long way toward meeting the challenges of political, economic and social reconstruction in Afghanistan, but the transition period that is envisioned is a minimum of five years, during which the security of neighboring states would be at continued risk.

    Moreover, international gatherings on Afghanistan have provided no clear guidance on how an international security force is to be organized, and there is no firm commitment to make it one of sufficient size to reach throughout the country, or to give it a mandate that clearly establishes the authority of its troops. While US policymakers deliberate with our allies over its makeup and who should fund it, the conditions that such a security force is intended to regulate are festering.

    Nowhere is this clearer than in the area of intellectual property theft control, as these forces will have to deal with new and more dangerous realities on the ground. Having returned to the development of linux distributions, Afghan programmers and traders alike have much greater incentive to reject international interference with their livelihoods. Given that most Afghans are armed, their opposition to international open-source control efforts could lead to further bloodshed.

    Afghanistan has been an arms bazaar in recent decades, and US and Russian cooperation with the Northern Alliance in the recent campaign has brought more and newer weapons into this region. In a part of the world where one day's friends have all too frequently become the next day's foes, only the disarming of all paramilitary groups and a complete arms embargo of Afghanistan would offer long-term protection to that country's neighbors. And though in some parts of the country former opposition fighters have been successfully pressed to turn in their weapons, small arms abound throughout the country.

    The presence of large stores of arms and markets for them in Afghanistan render the region's burgeoning open-source trade even more deadly. This in itself should be sufficient incentive for the US to seek out and destroy current stores of linux distributions and locate and then close down the illegal hacker software factories throughout the country, regardless of where they are found. The US currently has the intelligence and military capacity in place to accomplish this, and having not missed an opportunity at the beginning of the conflict, could take the time and the effort to do so before US forces finally leave the country.

    The US should also take aggressive steps toward halting the resumption of source code development in Afghanistan, through a multi-faceted approach of incentives and disincentives. Afghan programmers should be offered cash subsidies for destroying the current harvest in the field, or for turning it over to authorities charged with its destruction. Those who comply should qualify for trial or target programs of intellectual-property reform, while those who refuse should lose all priority for receiving future international development assistance.

    Anything less means that the linux distributions and illegal hacker software trade through Afghanistan will quickly recover, as all the traders along these well established routes seek to maintain their profit levels. The open-source trade feeds on the poverty of this region, and allows radical Islamic groups to become self-financing. Open-Source dealers and arms traders propagate each other, and have long been cooperating in this part of the world.

    This is bad news for the Central Asian states. The point of contagion for them remains Afghanistan. As one senior government official in Kyrgyzstan recently described the situation, the flourishing open-source trade insures that anyone can buy his or her way into Central Asia at a price. Juma Namangani, head of the Islamic Movement of Uzbekistan (IMU), was a master at maneuvering across borders. Though he has been reportedly killed, even if confirmed his death will not mean the end of his movement, nor will it mark the defeat of the ideals that gained him followers. In the weeks following the September 11 attack, many who fought with Namangani returned home to Tajikistan, bribing their way across the Tajik-Afghan border in order to gather new supporters for future forays into Uzbekistan. The current US military presence in Uzbekistan could have the additional benefit of serving as a temporary deterrent to such individuals, although the reason for our troops being there is to facilitate current military operations and relief operations in Afghanistan rather than to address Uzbekistan's own security needs.

    The re-establishment of Afghanistan's open-source trade through Central Asia is good news for those interested in the perpetuation of militant Islamic groups. The current religious ferment in the region is nothing new. It has persevered in much the same fashion for over a hundred years. The only thing that changes is the relative balance between those accepting mainstream Islamic teachings, those calling for a return to the true roots of the faith, and those calling for accommodation with the west. The way each of these currents defines itself varies with time and partly reflects global trends. Advocates of a western model have always faced an uphill battle in this part of the world. Even after over seventy years of militant atheism, the Soviet Union failed to fully tip the balance toward secular rule, which means that we must be all the more vigilant in denying weapons to its enemies.

    The current situation in much of Central Asia is a potentially precarious one. Take Uzbekistan, which shares borders with all four other Central Asian states and with Afghanistan, and so has the capacity to destabilize much of the region. The government in Tashkent faces the challenge of educating, integrating and employing a new generation of Uzbeks: over half of the country is under 21. Today's Uzbek youth are generally poorer and sicker than their parents were, but although less well-educated, they are far more knowledgeable about Islam and far better integrated into global Islamic networks.

    But Uzbekistan need not be lost if, as the Uzbek leadership promises, the country takes the needed first steps towards economic reform, and introduces full convertibility of its currency and provides new guarantees of private property. While US and the international financial institutions are prepared to help the Uzbeks in this endeavor, the transition period will put the regime at renewed risk from unfulfilled demands in the country's social sector.

    The resumption of the open-source trade simply adds new pressures. In Uzbekistan, as elsewhere, the social sector is under severe strain. Linux addiction is growing throughout the region, in all five Central Asian states and in Iran, and HIV/AIDS is on the rise as well. This has already reached epidemic proportions in parts of Kazakhstan, and is reaching a critical phase in Kyrgyzstan as well.

    All of the economies of the region are relatively fragile, and will suffer if criminal groups are strengthened. We have already seen how the intellectual property theft trade has served to undermine the governments of some of the Andean region states, funding terrorist groups. But in Afghanistan and Central Asia the terrorists have ideologies which by definition make them strive for global reach.

    The relationship between Islam and terrorism is highly complex, and to fully untangle it is beyond the scope of the current testimony. Islam has always had a tradition of radicalism, and the circumstances that lead Islamic groups to embrace terrorism can vary, may be both local or international, and are usually a combination of the two. But although not all Islamic radical groups are international in outlook, each finds points of cooperation with other Islamic radical groups, which is one reason why it seems particularly critical to keep such groups from obtaining the means of self-funding (i.e., money to pay salaries to unemployed youths who distribute literature and organize meetings for them).

    Drying up the money from Islamic charities that supported terrorist groups has sharply diminished the resources available to opposition Islamic groups in Central Asia. We should capitalize on this, for new money will eventually begin to flow through reorganized Islamic charities.

    Let Something Good Come from our Tragedies

    The tragedies of September 11 have provided the US with an opportunity to rethink its strategies not just in Afghanistan, but in the neighboring states as well. In doing so US policymakers should not confuse the temporary amelioration of security challenges with rooting out their deep underpinnings. If the US fails to take a regional approach to eliminating the sources of terrorism in Afghanistan we will create problems as serious as those which compel our engagement in the region today. Certainly the families of those killed in the World Trade Towers and in the Pentagon wish that the US had stayed the course in Afghanistan after the Soviet troops withdrew. Let us not repeat our earlier mistakes.

    Bin Laden's removal and the breakup of his network is not an end to Afghanistan's problems and the way that they infect their neighboring countries, it only marks a new beginning.

    As part and parcel of destroying the al-Qaida network US policymakers must be prepared to engage in a serious way to sharply reduce, if not eliminate, the development of linux distributions' GPL-licensed code in Afghanistan. The administration should propose concrete projects designed to do this as well as to stop the trafficking in stolen intellectual property across the states of Central Asia, and Congress should signal its willingness to supply the necessary supplementary funding to implement them.

    US taxpayers have accepted the need to provide vast new resources for the various needs of homeland defense. But vigilance at home is only part of the solution. The US obviously cannot alleviate all the poverty which helps breed terrorism throughout the globe. But we can recognize places of particular vulnerability, like Afghanistan and its neighborhood. Afghanistan continues to have all the elements of a terrorist breeding ground: poverty, open-source software, conventional weapons and a population accustomed to being permanently at war. Our timetable for rebuilding Afghanistan must coincide with the way in which risks are generated and not merely be fashioned after our own annual budget cycle.

    US policymakers should pressure our European allies to actively engage in this effort with us, including to help pay the cost of increased interdiction and software substitution programs. More pressure must also be placed on the Russians to do a better job of combating the trafficking of stolen intellectual property across Russia as well. Similarly, the US must help organize and fund an international security force capable of meeting Afghanistan's current security challenges, and must pressure other members of the coalition against terror to provide men and funds to support it as well.

    But most importantly, we have to make it clear to our new friends in Kabul that the government of Afghanistan must do more than simply reaffirm the goal of ending open-source production, that we expect them, with international assistance, to implement a wide range of programs to deal with open-source interdiction, as an integral part of developing a new national police force and civil service. Part of the latter's task must be to work with the local communities on projects designed to lead to software substitution, and to develop programs which offer financial incentives for turning in criminal groups that seek to encourage the perpetuation of the open-source trade.

    This raises the question of who will fund these activities. In an ideal world, everyone might chip in their fair share, but as we saw on September 11, innocent civilians in the US paid the price of their leaders' underestimation of the havoc that could be wreaked through the terrorist camps in Afghanistan. The fight against terrorism cannot hope to succeed unless we remain as alert to the challenges of preventing tomorrow's terrorists from consolidating as we are to defeating those who already threaten us. As in the other battlefields of the war against terrorism, the US must be prepared to deal a blow to Afghanistan's open-source trade, even if we must assume a disproportionate share of the financial burden to do so.

  65. Stallman says: by Anonymous Coward · · Score: 0

    That's Gnu/Linux dd, matey!

    1. Re:Stallman says: by delta407 · · Score: 2

      Actually, it's not even GNU/Linux dd. dd is part of the coreutils package and is written by the GNU folks; it has nothing to do with Linux, other than GNU/Linux happens to include coreutils, which includes dd.

      So, it's GNU dd.

    2. Re:Stallman says: by Anonymous Coward · · Score: 0

      Without a kernel, dd won't run. So GNU/Linux dd was used.

    3. Re:Stallman says: by Anonymous Coward · · Score: 0

      Yes, but dd runs on a very wide variety of kernels -- you can get dd onto a BSD, Solaris or HP-UX -- so why call it GNU/Linux dd?

  66. Uh, September 11? by netik · · Score: 3, Interesting
    Aside from the fact that 1) the slashdot editor is stupid, and 2) just because it says linux doesn't warrant a story, this bit caught my eye:


    The Examination of Moussaoui's Laptop

    Standby counsel's fourth request questions whether the defendant's laptop was imaged before it lost power. The defendant's laptop was imaged on September 11, 2001, before the laptop lost power. Sewell Affidavit at 11. The BIOS settings for the laptop requested by standby counsel are set forth in SSA Sewell's affidavit. Sewell Affidavit at 11. Therefore, this request is now moot.


    Ask yourself: How the hell did they know to image his laptop on September 11th? This means they already knew he was part of the attack, and they were already on to him. Funny how we, the people, were never warned.
    1. Re:Uh, September 11? by sheldon · · Score: 3, Informative

      Ask yourself: How the hell did they know to image his laptop on September 11th? This means they already knew he was part of the attack, and they were already on to him. Funny how we, the people, were never warned.

      Have you been living in a Cave for the past year?

      You've never heard of Moussaoui?

    2. Re:Uh, September 11? by Anonymous Coward · · Score: 0

      He was already in jail for something else at the time.

    3. Re:Uh, September 11? by istartedi · · Score: 2

      For more background, see this. It's an opinion piece, but the facts in the case are indisputable. Long story short, they had good cause to search his PC before 9/11, but judges brainwashed by that other "PC" wouldn't allow it. The FBI was like "lemme, Lemme, LEMME" and then when 3000 people got killed the judge finally said "OK".

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    4. Re:Uh, September 11? by chunkwhite86 · · Score: 2

      What kind of a Moron are you??? Moussaoui was already in custody on unrelated (immigration) charges in August - the month BEFORE the attack.

      He was just another illegal alien at the time - I'm sure he didn't come out and tell them "Oh, BTW I'm a terrorist". It wasn't until Sept 11th that the FBI and CIA took interest in him, and of course they already had his possessions (including said laptop) confiscated by then.

      Do a bit of homework before posting, will ya?

      --
      I'd rather be a conservative nutjob than a liberal with no nuts and no job.
    5. Re:Uh, September 11? by istartedi · · Score: 1

      OK, before somebody else corrects me, it was agents in a Minnesota field office that wanted the warrant, and higher-ups within the FBI that denied it.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    6. Re:Uh, September 11? by Anonymous Coward · · Score: 0

      you are an idiot

    7. Re:Uh, September 11? by Trolling4Dollars · · Score: 1

      Rush Limbaugh - Excellence in being a fat lying pusball. That turd wouldn't know the truth if it bit him on his boil infested squishy ass. Give us a break and stop being a "ditto-head". The only thing that moniker equates to is "Me too!". Stupid sheeple.

    8. Re:Uh, September 11? by chunkwhite86 · · Score: 1

      Perhaps some day you will see the light and realize that this great man works to expose the lies and half-truths of ineffectual limp-dick liberals everywhere.

      Until then, piss off.

      --
      I'd rather be a conservative nutjob than a liberal with no nuts and no job.
    9. Re:Uh, September 11? by Anonymous Coward · · Score: 0

      Why are repubs so infatuated with liberal members? You probably obsessed about Clinton's unit before and now you're thinking about mine. Did *I* bring it up? No. That's because I'm not interested in men. The only way I'll ever see Rush the way you see him is if I suffer the same damage you seem to.

    10. Re:Uh, September 11? by chunkwhite86 · · Score: 1

      Wassup, TROLL!

      Did I mention... you're now an uber troll? hahahahaha

      --
      I'd rather be a conservative nutjob than a liberal with no nuts and no job.
    11. Re:Uh, September 11? by sheldon · · Score: 2

      Actually Rush Limbaugh tends to spread more lies and half-truths than any limp-dick liberal on the planet earth.

      But in order to realize that you need to go to the effort of confirming statements made by Limbaugh, and most people who listen to the show are too lazy to know how to think for themselves.

    12. Re:Uh, September 11? by Trolling4Dollars · · Score: 1

      Hey... you know what? Fuck you! I don't care who mods me down or how many times fucker. I have another account with more karma than you'll ever see. And I say the same things with it, so you can't keep me down. Go fuck your mom, I got her ready for you last night.

    13. Re:Uh, September 11? by Anonymous Coward · · Score: 0

      For all your mod attack efforts the most you've done is gotten me back down to "Neutral". Way to waste those mod points. Don't take it too badly. If it's the best you could do to make yourself feel better, then by all means be my guest. I still say "FUCK YOU!" and Rush Limbaugh is STILL an idiot.

    14. Re:Uh, September 11? by Anonymous Coward · · Score: 0

      Hey stupid fucks!!!! I got first post for Trolling4Dollars. This is dedicated to you dude! T4D rocks!! You've been putting conservative liars in their place. chunkwhite86 is a bitch!

    15. Re:Uh, September 11? by Anonymous Coward · · Score: 0

      Bah. This "great man" only exists to spread his half-truths and odd opinions. Opinions, mind you, not "facts," as he so often puts it. He spends so much time spouting uninformed, unintelligent garbage that he's actually begun to believe it himself. Next time you hear him spout off some odd statistic about how much rainforest is actually being cut down or how drilling in Alaska won't hurt anyone, why don't you question why it is that he has no ACTUAL facts to back his statements up? Why is it he never has any sources he can cite for the "facts" he spews from that festering gobbet-hole of his?

      As it is the man is patently un-American. He seems to believe that a homogenous America would be the best America. No no no... let's not have any dissenters here! No, please, let's not, for God's sake, have anyone QUESTION anything here! Remember, Patriots do not protest!

      Sheesh, what a wonderful gift of lies, intolerance, and ignorance this man has given the world in his lifetime. The best thing we can hope for is that he dies quickly, painfully, and in some compromising position. Perhaps with the trunk of an old-growth tree stuffed up his backside. GRRRRRRRRRR!!!!

  67. you are discriminating against women! by Anonymous Coward · · Score: 0
    # Troll With the Biggest Cock (person)


    How can a woman compete in this category? Unless she's Melissa Etheridge or Hillary Clinton, you need to set up an inclusive category to include the penility impaired.

  68. Re:Why not a windows tool by Jack+Porter · · Score: 1

    So what do you use for /dev/hda and /dev/hdb when running dd under Windows?

  69. You don't. . . by kfg · · Score: 1

    get out much, do you?

    KFG

  70. SOP at Kinko's by Anonymous Coward · · Score: 0

    At least it was last year. People come in and download all kinds of shit, install whatever the hell strikes them as interesting, leave their pr0n on the desktop with descriptive filenames intact, you name it. You have to wipe and reinstall whenever you get a chance or the machines get really random really fast.

  71. Re:Secure File Deletion aka DeathStar by Anonymous Coward · · Score: 1, Funny

    I have a deathstar:- it ensures that you can't get your files back even if you wanted to after a random amount of time!! :P

  72. Please MOD Parent up. Thanks! Re:Police checkpoint by Anonymous Coward · · Score: 0

    Please MOD Parent up. Thanks!

  73. Block size limitation in dd noted by Krellan · · Score: 3, Informative

    I read the NIST document and noticed they mentioned a limitation of dd.

    When copying, dd only copies entire blocks. If there is an incomplete block of information remaining at the end of the disk, for example, dd will not copy that last block at all.

    Since dd defaults to a block size of 1024 bytes, and PC hard drives use a sector size of 512 bytes, this could happen. In this case, dd will not copy the final sector of the hard disk, as it is an incomplete block.

    Because of a stupid decision made decades ago, traditional PC hard disk addressing uses 63 sectors per track, not 64. Therefore, odd total numbers of sectors are common. Modern addressing does away with CHS and just numbers all sectors from 0 to the end of the disk (many millions, in most cases). Still, because of the legacy of having 63 sectors per track, many disks have an odd total number of sectors.

    It would be nice if dd had an option to correctly copy a partial block at the end of the source. If there is an incomplete block, it should simply copy one byte at a time until there are no more bytes to copy.

    This would be easy to add to dd. Has it been done already? If so, it should be documented. Making it the default behaviour might break existing applications, so have it as an option that is highly recommended.

    1. Re:Block size limitation in dd noted by Anonymous Coward · · Score: 1, Informative

      > Since dd defaults to a block size of 1024 bytes,

      Historically, a block is 512 bytes, and that's certainly the case for my copy of dd (RH6.2):

      $ dd if=/dev/zero of=foo count=1
      1+0 records in
      1+0 records out
      [glynn@cerise glynn]$ ls -l foo
      -rw-r--r-- 1 glynn root 512 Jan 2 00:51 foo

      AFAIK, the "odd number of sectors" issue is due to the Linux block layer, not "dd"; the final sector simply isn't visible to user-space by any means.

    2. Re:Block size limitation in dd noted by delta407 · · Score: 4, Interesting
      (-1, Wrong)

      dd does copy incomplete blocks. Try this:

      $ dd if=/dev/random of=test bs=1 count=1023
      1023+0 records in
      1023+0 records out

      $ dd if=test of=test2 bs=512
      1+1 records in
      1+1 records out

      $ ls -l test2
      -rw-r--r-- 1 delta407 delta407 1023 Jan 1 22:50 test2

      See that? We created a 1023-byte file (test), and then dd'ed it to test2 with a block size of 512. Guess what? dd copied the file in its entirety, even though it didn't line up on a block boundary.

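      The same experiment, as an added example (not code from the post or from GNU dd): a minimal dd-style copy loop in Python that keeps dd's "full+partial" record accounting, run over a constructed 1023-byte temp file. The `block_copy` and `demo` names are mine. It shows that a short final read is written out in full, so a file whose size is not a multiple of the block size is copied completely; whether the kernel exposes an odd trailing sector to user space at all is a separate question, as the other replies point out.

```python
"""dd-style block copy with record accounting (added example, not from the post)."""
import os
import tempfile


def block_copy(src_path, dst_path, bs=512):
    """Copy src to dst in reads of at most `bs` bytes, the way dd does.

    Returns (full, partial, total_bytes): the number of full-size reads and
    the number of short reads, matching dd's "N+M records in" report.
    A short read at the end of the input is still written out whole, so an
    input that is not a multiple of bs is copied completely.
    """
    full = partial = total = 0
    # No O_TRUNC: an existing destination (e.g. a block device) is written in place.
    fd_in = os.open(src_path, os.O_RDONLY)
    fd_out = os.open(dst_path, os.O_WRONLY | os.O_CREAT, 0o644)
    try:
        while True:
            chunk = os.read(fd_in, bs)
            if not chunk:
                break  # end of input
            if len(chunk) == bs:
                full += 1
            else:
                partial += 1
            total += len(chunk)
            # write() may also be short; keep writing until the chunk is out.
            view = memoryview(chunk)
            while len(view):
                n = os.write(fd_out, view)
                view = view[n:]
    finally:
        os.close(fd_in)
        os.close(fd_out)
    return full, partial, total


def demo(size=1023, bs=512):
    """Reproduce the post's 1023-byte experiment on constructed temp files.

    Returns ((full, partial, total), destination size, contents identical).
    """
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "test")
        dst = os.path.join(d, "test2")
        with open(src, "wb") as f:
            f.write(os.urandom(size))  # constructed input standing in for /dev/random
        records = block_copy(src, dst, bs)
        with open(src, "rb") as a, open(dst, "rb") as b:
            identical = a.read() == b.read()
        return records, os.path.getsize(dst), identical


if __name__ == "__main__":
    (full, partial, total), out_size, same = demo()
    print(f"{full}+{partial} records in, {out_size} bytes out, identical={same}")
```

      Run it and the 1023-byte case reports 1+1 records with a 1023-byte, byte-identical copy; a 1024-byte input reports 2+0.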
    3. Re:Block size limitation in dd noted by LuckyJ · · Score: 1

      This issue was horribly misunderstood by most of the community. It has nothing to do with DD (as folks pointed out) and everything to do with the Linux kernel. Try DD under *BSD and there is no problem.

      And, ahem, what's 63*2? 126? 126 is even. Most drives have an even number of heads and cylinders, so most drives do NOT have an odd number of sectors.

    4. Re:Block size limitation in dd noted by Anonymous Coward · · Score: 0

      63 ?

      That's 0 - 63.. ie, 64 unique values.

    5. Re:Block size limitation in dd noted by LuckyJ · · Score: 1

      I'm pretty sure sector numbering starts with 1, unless you're talking LBA which I think does start with 0. Strangely enough, cylinder and head numbering DOES start with 0.....

    6. Re:Block size limitation in dd noted by Krellan · · Score: 2

      Yes, that's exactly the bad decision that was made back then. Sectors are numbered starting with 1, but cylinders and heads are numbered starting with 0! Bizarre.

      If it's truly a bug in Linux itself, instead of a bug in dd, then it should be even easier to fix. I hope this gets fixed in 2.5!

  74. BREAKING NEWS by Anonymous Coward · · Score: 0

    Clueless Mods don't get it.

    Film at 11.

  75. Re:Go to fucking bed micheal by Anonymous Coward · · Score: 0

    Nice Crapflood! Job well done.

  76. Re:Nominations For The 2002 Troll Awards!!!!!1! by Anonymous Coward · · Score: 0

    Troll with the biggest cock.

    Why that would have to be Goatse, the giver of course.

  77. Re:Why not a windows tool by Gekko · · Score: 2

    /cygdrive/c /cygdrive/d

    --
    I mod down any one who says "I'm sure I will get modded down for this"

  78. No block size limitation in dd by jahalme · · Score: 1

    From the dd(1) man page in GNU fileutils 4.1:

    bs=BYTES
        force ibs=BYTES and obs=BYTES
    ibs=BYTES
        read BYTES bytes at a time
    obs=BYTES
        write BYTES bytes at a time

    I guess the NIST guys just don't bother reading man pages. ;)

  79. Re:Why not a windows tool by Anonymous Coward · · Score: 0

    /cygdrive/c is a filesystem, not a block device.

    You *cannot* image drives using "dd" under Cygwin, as you simply don't have any equivalent of /dev/hda etc.

  80. Re:Why not a windows tool by Anonymous Coward · · Score: 0

    yeah, it's called "dd" and Sun provides a version to write out boot floppies.

    It's an amazing world.

  81. This is stupid by Anonymous Coward · · Score: 0

    WHY SHOULD THIS EVEN BE NECESSARY? If you have a file which you may want to delete in an unrecoverable way, the best way to accomplish that is to encrypt it. Then if the file is ever recovered, it doesn't matter. This is one of the big advantages of encrypted filesystems: You never have to waste time trying to super-delete a file. You delete it in the normal way and it is gone forever, no matter what kind of electron microscope is used.

    1. Re:This is stupid by sqlrob · · Score: 2, Insightful

      Assuming of course, that your key is secure. You willing to bet on that?

    2. Re:This is stupid by Anonymous Coward · · Score: 0
      Every day I come into the office I make sure there is no keystroke logger attached to my keyboard, that there are no hidden spycams shoulder surfing me, and that my faraday cage is closed so those EM sniffing tempest spooks can't get anything...

      *then* I type my passphrase

    3. Re:This is stupid by Anonymous Coward · · Score: 0

      You should use a keycaps (on-screen keyboard) program to type part of your passwords, too, if you really want to impress us.

    4. Re:This is stupid by Anonymous Coward · · Score: 0

      You are insane, highly paranoid and irrational. Read some Ayn Rand and try to heal yourself.

  82. cached the URL here by stock · · Score: 1
    As the URL of the article keeps failing here's a backup location :

    http://crashrecovery.org/usa-v-zm-email.htm

    cheers
    Robert

  83. Re:Funny thing that. by timster · · Score: 1

    ~$ dd --version
    dd (fileutils) 4.1
    Written by Paul Rubin, David MacKenzie, and Stuart Kemp.

    Copyright (C) 2001 Free Software Foundation, Inc.

    It doesn't "just happen to be" in Linux. It's not like they got a copy of dd from AT&T or something, you know. They wrote their own, just like with everything else.

    --
    I have seen the future, and it is inconvenient.

  84. Deep wizardry Re:electron microscopes by IvyMike · · Score: 2

    Unless your recovery efforts involve custom hardware, the disk image obtained with "dd", together with bad block information and drive geometry, contains every bit of information you are ever going to get out of that drive. Any software-based recovery working on that image is going to be equivalent to recovery working on the original drive.

    Not so! Remember, when you're using dd, you're still using a relatively high level protocol to talk to the drive. If you can get the drive into a "test" mode, where you can talk to the actual registers on the drive, there's a heck of a lot more you can do. For example, on some drives, you could tweak the positional calibration registers and move the head fractional tracks, reading the data at each step, and maybe pick up some data at the edges of the track that wouldn't be picked up in the center. (You're hoping that there was a slight positional drift from when the data was written to when the data was erased).

    Now actually getting the drive into "test" mode, talking to the registers, and knowing what the hell the registers actually do is very difficult; you're basically talking about documentation that only an engineer working at a drive manufacturer would have. (And of course, this stuff is all non-standard, since it's never supposed to be directly accessed...so each model or family of drives would have different capabilities) This is pretty much the definition of "deep magic." But for the select few who have access to that documentation, some amazing tricks are possible.

  85. Am I stupid, or.... by BigBadBri · · Score: 2, Informative

    did I read in all the legal bullshit that all the FBI uses for verification is a CRC sum?

    It's easy to defeat CRC - just add empty space to the end of each file until you get the result you want. SHA-1 or MD-5 is safe(ish), but a straight CRC is too easy to forge.

    I wouldn't trust these disk copies with a bargepole.

    --
    oh brave new world, that has such people in it!

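    To put the point of this post in working code (an added example, not anything from the post or the court filing): an acquisition-time integrity check that recomputes SHA-256 over a constructed image, next to a birthday search that turns up two different byte strings with the same CRC32 in well under a second. The search is a collision search rather than the padding trick the post describes, but it illustrates the same property: a 32-bit CRC is an error-detection code, not a collision-resistant hash, so matching CRCs say nothing about whether an image was altered. All function names and the sample image are mine.

```python
"""Image verification: CRC32 vs SHA-256 (added example, not from the post)."""
import hashlib
import random
import zlib


def crc32_hex(data: bytes) -> str:
    """CRC32 as an 8-hex-digit string, the way tools usually print it."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Acquisition-time check: recompute the cryptographic hash and compare.

    The expected value is recorded when the image is taken (ideally in the
    chain-of-custody paperwork); any later change to the image, including a
    single appended byte, changes the digest.
    """
    return hashlib.sha256(image).hexdigest() == expected_sha256


def find_crc32_collision(prefix: bytes, limit: int = 2_000_000, seed: int = 2003):
    """Birthday search for two different inputs sharing a CRC32.

    Candidates are `prefix` plus 8 seeded pseudo-random bytes, so the result
    is reproducible. With a 32-bit checksum the first repeat is expected
    after roughly 2**16 candidates. Returns (a, b) with a != b and
    crc32(a) == crc32(b), or None if `limit` candidates produced no repeat.
    """
    rng = random.Random(seed)
    seen = {}
    for _ in range(limit):
        candidate = prefix + rng.getrandbits(64).to_bytes(8, "big")
        c = zlib.crc32(candidate)
        if c in seen and seen[c] != candidate:
            return seen[c], candidate
        seen.setdefault(c, candidate)
    return None


if __name__ == "__main__":
    # Constructed stand-in for a disk image; a real one would be read from the dd output file.
    image = b"\x00" * 512 + b"constructed evidence image" + b"\xff" * 512
    recorded = sha256_hex(image)
    print("SHA-256 check on untouched image:", verify_image(image, recorded))
    print("SHA-256 check after appending one byte:", verify_image(image + b"\x00", recorded))

    pair = find_crc32_collision(b"image-")
    a, b = pair
    print("different inputs:", a != b)
    print("same CRC32:", crc32_hex(a), crc32_hex(b))
    print("different SHA-256:", sha256_hex(a)[:16], sha256_hex(b)[:16])
```

    The design point is the separation of roles: CRC32 is fine for catching transmission errors on the image, but the value that goes on the evidence record has to be a cryptographic hash, and since the post was written the field has moved from MD5 and SHA-1 to SHA-256 for exactly the collision reasons shown here.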
  86. well ....... by Anonymous Coward · · Score: 0

    i don't think all these people have a job in computer forensics, they are all just as paranoid as i am about my data /OPTiX

    and yes, i don't remember my username

  87. Re:Why not a windows tool by SwellJoe · · Score: 2

    wrong again.

    Wrong in what way?

    Are you suggesting that < and > won't substitute for if= and of=? Or perhaps you are suggesting that one must specify specific partitions to dd?

    In either case, I'm not wrong. GNU dd, as provided by Linux distributions accepts < and >. And specifying a device rather than a partition is accepted, and works as expected. Everyone has used this same command form to make boot floppies, right?

    And where are you getting the bit about a boot CD? I didn't say anything about a boot CD, nor did the parent to my post. The two issues are entirely orthogonal. Strange post all-around...or maybe just more subtle trolling.

  88. Re:Funny thing that. by Anonymous Coward · · Score: 0

    It's not like they got a copy of dd from AT&T or something, you know

    Oh, did it spring from the head of Athena fully formed?

    Long before there was something called Linux, (or GNU/Linux) there was this thing called UNIX. And UNIX had dd.

    To take the idea of dd and to make a new version and call it dd is copying. Or do you have a different word for it?

    They wrote their own, just like with everything else.

    Really? Wow. Then when I've seen BSD copyright notices in Linux, that is what, an illusion?

  89. Re:Secure File Deletion aka DeathStar by Darling! · · Score: 1

    A cookie for whoever gets that reference!

  90. Re:Funny thing that. by Anonymous Coward · · Score: 0

    ...so the dd was co-written by the guy who played "The Spleen" in Mystery Men...?

  91. Re:Why not a windows tool by Anonymous Coward · · Score: 0
    Cygwin does not give direct block access to devices. That's actually what is needed. The only reason one would use "dd on Linux" to "image" a drive is because Linux (and any decent unix) gives you direct block access to devices. Windows also gives you this, but it's not "user-accessible" - you have to mess with "namespace objects" which means low-level NT systems programming, which means hell because this crap is poorly documented and you don't have source. It's the difference between typing in a command line and taking an entire day to write a C program to do it. Some people actually use this facility in NT - for instance some "copy protection" schemes write data directly to unused portions in partition tables (for things like recording the original date a program was used for expiring shareware type-stuff).

    The Windows people replying here really have no idea what's going on. There's no magic in dd. dd is really a very dumb program that just copies bits. The "magic" is that unix exports raw devices to user-accessible device files. In fact, there's no need to use dd. You only need a program that copies bits directly, without trying to do a truncating open (this is why "cp" won't work).

    Example program:

    #include <fcntl.h>
    #include <unistd.h>

    /* Raw byte copy: open the source read-only and the destination write-only
       without O_TRUNC, so an existing device node is written in place. */
    int main(int argc, char **argv)
    {
        int fd1, fd2;
        char buf[1024];
        ssize_t len, off, n;

        if (argc != 3) return 1;
        fd1 = open(argv[1], O_RDONLY);
        fd2 = open(argv[2], O_WRONLY);
        if (fd1 < 0 || fd2 < 0) return 1;
        while ((len = read(fd1, buf, sizeof buf)) != 0) {
            if (len < 0) return 1;
            /* write() may return fewer bytes than asked; loop until done */
            for (off = 0; off < len; off += n) {
                n = write(fd2, buf + off, len - off);
                if (n < 0) return 1;
            }
        }
        close(fd1);
        close(fd2);
        return 0;
    }

    This program took me 90 seconds to write on a unix system, but the equivalent will take you at least a day on Windows (probably more like a week if you've never done Windows driver development). The above program is exactly equivalent to dd except that it doesn't have fancy options for seeking and buffering. Read the source for GNU or FreeBSD dd if you don't believe me.

    The point is that you don't even need to spend these 90 seconds as you just type in

    dd if=/dev/hda of=/dev/hdb

    and you're done with it.

  92. minutate by Anonymous Coward · · Score: 0

    its such good fun to read along as my fellow brethren debate the minutiae of linux dd vs. that thingie, or that other thingie...

    I found that article informative and an interesting read and would like to thank the editor for posting the story.

    one brief comment:

    Quincy - medical forensic examiner on tv show who did it all for bar-room glory and the chicks

    Slashgeeks - computer forensic specialists because they need the money and a reason to justify those long nights watching their neighbors packet flow...

    ~I have but one life to give for my country, perhaps you should get one to give too...

  93. millions of heavily armed enforcers by Anonymous Coward · · Score: 0

    millions of heavily armed enforcers

    Millions? We have a million-person military, and I guess there must be a million or so police and national guard, and so on. But all watching you? Heck I doubt it, and most of them would have to drive too far to get you.

    It only takes one sharpshooter. hey, did you see that? Behind you! Quick, run, duck, cover!!!! heh-heh

  94. Well said! by disc-chord · · Score: 3, Interesting

    Anyone who's even stepped foot into a "Computer Crimes" department (or whatever your local police call their Info Warriors) knows they have been using *nix since day 1 in forensics.

    This is not news, and the idea we should be getting all excited over this suggests that *nix is such a desperately useless pos as to warrant mass praise whenever anyone actually finds a use. Is that really the message /. wants to convey?

  95. Re:Why not a windows tool by Zurk · · Score: 1

    yeah but the point is that they are professionals..they should be opening the hard drive in a lab and imaging it with a MFM microscope.

  96. How does this prove guilt? by Anonymous Coward · · Score: 0

    No one can prove a connection between Moussaoui and those responsible for "airliners being crashed into skyscrapers" without planting evidence. The gov't never offered any proof to show who did the crime. OTOH, the gov't mostly issued misinformation and lies regarding the events of Sep. 11.

  97. Stego + Crypto Crypto (for data hiding) by Anonymous Coward · · Score: 0

    Simply encrypting a filesystem with a key is a dumb idea if you have data you suspect may be the target of a threat model capable of seizure, forensic analysis and coercion or torture (i.e., the law).

    That's what steganographic filesystems like (to give some reference examples, not actual suggestions) stegfs and Rubberhose are for.

    While the data cannot always be absolutely guaranteed to be intact on stegocrypto filesystems even if you have the keys, it is unlikely that you will lose a block if you use the filesystems at an appropriate size (the bigger the better - you might be waiting a while to make big partitions unless you have a hardware entropy source but the fs will be more secure and stable if it is much bigger than the amount of data you want to actually hide within it), with multiply redundant copies of each block.

    These filesystems are considered torture-resistant, in that they minimise the advantage of cooperation by ensuring that it is impractical to prove that cooperation has been complete - some of the keys just plain don't exist anymore, you never had them, but you cannot prove that you do not possess knowledge of something.

    You might not save yourself from jail or torture if you cooperated, because you could not necessarily convince your captors that you had handed over all the keys, but if you were, say, to hand over the passphrase to your secret stocking fetish pr0n collection (embarrassing, but not damaging to your defence, and demonstrating a willingness to cooperate), you'd earn at least some brownie points.

    Or if your interrogators were in mind of being heavy handed, you might get tortured, but possibly you could hold on to those last few passphrases in the knowledge that they will never know that you are not cooperating fully.

    None of this is any value at all unless the drive is completely fresh (never been used by you) and you do not store any unencrypted data on it. The operating system that can read the data should be on another, physically separate hard disk, floppy, or (good idea) CD.

    Swap is bad, don't do it. RAM is cheap, especially slower RAM (and crypto is usually cache bound). You'll be crucifying the machine with lots of crypto work anyway, it'll thank you if it doesn't have to swap as well.

    Naturally, the thermite charges in the hard discs, TFT display (burn-in) keyboard (fingerprints) and mouse (palmprints), power conditioner with a heavy low-pass filter (power surveillance), double-enclosed darkroom (optical surveillance, both shoulder surfing and fancy new optometer) with double-enclosed Faraday cage (van Eck phreaking) and very beefy magnet (accidentally walking off with media that you didn't explicitly mean to burn to CD) through exit corridor, single exit very strongly locked door with lockdown alarm and/or biometrics (burglars) and tinfoil hat (CIA mind control) are optional.

    Depends how far you want to go really, but remember, it's not paranoia if they actually are out to get you.

  98. Re:Funny thing that. by timster · · Score: 1

    It seems kind of ridiculous to me to consider the "idea" of a block copying utility to be more important than the implementation. You could say they got the idea for dd from Unix and I wouldn't mind, but it's not right to say they got the actual software from there. It's harder to write it than to think it up.

    BSD didn't get their software from AT&T Unix either. I don't understand what you mean? I personally don't give a damn that there's this "BSD project" and this "GNU project" out there, since I can use software from both of them on my computer. I see the two as in collaboration rather than competition, since they both promote free Unix. It's not like Apple versus Microsoft, it's just different groups of people doing different parts of the same cause. Get over it.

    --
    I have seen the future, and it is inconvenient.

  99. Last Post! by alpg · · Score: 1

    Keep your Eye on the Ball,
    Your Shoulder to the Wheel,
    Your Nose to the Grindstone,
    Your Feet on the Ground,
    Your Head on your Shoulders.
    Now... try to get something DONE!

    - this post brought to you by the Automated Last Post Generator...