Slashdot Mirror


Linux and Forensic Discovery

Max Pyziur writes "Found this on cryptome.org where Linux is cited in a DOJ document against Moussaoui (sometimes referred to as the "20th man"). FBI: Moussaoui E-mail Not Recoverable - January 1, 2003." An interesting read which gives some insight into how computer evidence is handled in court.


  1. Ohhh, ohhhh.... by evilviper · · Score: 2, Insightful

    Oohhhhhh... Someone said the word ``Linux"... Better put it on the front page...

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  2. Easy? I don't think so... by Subcarrier · · Score: 3, Insightful

    It's not hard at all to modify data to create any hash value that you want, especially when you're including "deleted space" in the CRC calculations...

    That kind of depends on the strength of the hash algorithm, wouldn't you say?

    --
    "I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
  3. 'dd' isn't _quite_ an image by wfmcwalter · · Score: 3, Insightful
    Neglecting the STEM/SQUID recovery issues mentioned above, it's rather disappointing to see the feds using only a generic imager like dd to image the disk, as it's not quite a full image of all the stuff on the disk.

    The contents of any LBA that is in the drive's remap table (i.e. blocks that the drive electronics have previously determined either to be bad or going bad) aren't captured by dd - the drive instead sends the data payload corresponding to the LBA's remapped physical address. The bad/bad-ish block remains, and its data is quite possibly still valid (or perhaps valid but for a couple of localised errors). These blocks thus hold tiny slivers of data stored on the drive sometime in the past (the last thing written before the block went bad).

    Although this missed data represents a microscopic fraction of the total data on the disk it could, at least in theory, contain recoverable data of an evidentiary nature. The only way to see this is a drive-vendor specific low-level read - I don't know much about the other two tools the article describes, but it doesn't sound like those do that either.

    Given that there's only a handful of drive manufacturers left, and the (non-servo) parts of the firmware on their drives doesn't vary hugely between models, it really wouldn't be too hard for law-enforcement types to have proper physical-level imaging tools for any drive they're likely to encounter.

    --
    ## W.Finlay McWalter ## http://www.mcwalter.org ##
  4. Re:Secure File Deletion by Anonymous Coward · · Score: 2, Insightful

    You can't trust those tools anymore. Today's hard drives will physically move sectors around on disk to avoid areas that are bordering on causing media errors.

  5. Re:Why not a windows tool by g4dget · · Score: 3, Insightful
    it amazes me that they used linux as I assume that there must be easier tools under windows that do the same?

    Well, that is primarily indicative of your ignorance of Linux and your willingness to buy into Microsoft propaganda.

    i mean it must be easier to find the tool under windows then set up a linux machine

    There is nothing to set up. Linux can boot and run from CD, with all software installed (check for DemonLinux and Knoppix, for example). That's one of the many reasons Linux is so good at this sort of thing.

    How easy is it?

    • Connect drive you want to copy to to the disk controller or USB port, or plug in Ethernet card.
    • Insert bootable Linux CD and boot from CD.
    • If you just want to mirror the drive, type something like "dd if=/dev/hda of=/dev/hdb".
    • To mirror it over the network, type something like "pump; cat /dev/hda | ssh me@host cat \> image".
    I mean, how much easier can it get?

    For forensic applications, you might want to make sure that you hardware write-protect the source drive first, just to avoid accidents.

    These people know what they are doing and how to reduce their workload. That is why they are using Linux.
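    As an added example (not from this or any other poster), here is the dd imaging step from the list above combined with the hash check that comment 2 debates: the image is taken sector by sector and accepted only if its SHA-256 matches the source. The "drive" is a constructed file; on real hardware SRC would be a block device such as /dev/hda, behind a hardware write-blocker as the comment recommends.

```shell
#!/bin/sh
# Added example, not from any poster: forensic-style imaging with dd plus
# hash verification of the result. The "drive" here is a constructed file.

hash_file() {
    # Print the SHA-256 of a file (a stronger choice than the CRC debated above).
    sha256sum "$1" | cut -d' ' -f1
}

# image_and_verify SRC DST: copy SRC sector by sector to DST, then return 0
# only if source and image hash identically.
image_and_verify() {
    src="$1"; dst="$2"
    # bs=512 works one sector at a time; conv=noerror,sync keeps going past
    # unreadable sectors and zero-pads them so later offsets stay aligned.
    # Caveat: that padding also means a source whose size is not a multiple
    # of 512 bytes will never hash-match its image; real drives always are.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dst")
    printf 'source %s\nimage  %s\n' "$src_hash" "$dst_hash"
    [ "$src_hash" = "$dst_hash" ]
}

# make_sample_drive PATH: constructed 4 KiB (8-sector) "drive" holding one
# recognisable line followed by zeroed free space.
make_sample_drive() {
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
    printf 'Subject: constructed sample message\n' | dd of="$1" conv=notrunc 2>/dev/null
}

# Stand-alone demo: image the constructed drive into a temporary directory.
work=$(mktemp -d)
make_sample_drive "$work/src.img"
image_and_verify "$work/src.img" "$work/dst.img" && echo "image verified"
rm -rf "$work"
```

Record both hashes at acquisition time; re-running hash_file on the image later shows whether it has changed since.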

  6. Moussaoui is the exception that proves the rule by michaelmalak · · Score: 3, Insightful
    It is universally agreed that privacy and security are in conflict with each other and must be balanced. But this is a case where a warrant was sought for an individual based on a reasonable suspicion. Contrast this with Carnivore and Total Information Awareness, which are warrantless fishing expeditions of entire populations. I'm a staunch privacy advocate, yet advocate reasonable searches of a very small number of suspected terrorists.

    You say that the FBI was "too cautious" -- do you have any evidence that that was the motive?

    I see no irony in being a privacy advocate while decrying FBI supervisors for denying the request to search Moussaoui's e-mail.

    P.S. In another related story, the FBI supervisor who thwarted Rowley's investigation recently got a big cash bonus.

  7. Re:Misconceptions about data forensics by MoralHazard · · Score: 3, Insightful

    Okay, I'll bite. I did make a disparaging comment about an entire line of software products, so I'll do what I can to back it up. I stand by my assertion that recovery of wiped data is snake oil, and here's why.

    The most often cited source of opinions on MFM-related data recovery techniques is a paper from 1996 entitled "Secure Deletion of Data from Magnetic and Solid-State Memory", by Peter Gutmann. It's pretty readable if you have a good grounding in physics and hard drive operation, so I'd recommend checking it out:

    http://www.usenix.org/publications/library/proceedings/sec96/gutmann.html

    Notice, though, that Gutmann isn't the actual first-person researcher. His paper is a compilation of data gleaned from other sources. I spent six weeks tracking down (among other things) his bibliography, and found out that MFM techniques had been used in laboratory tests to recover overwritten data, in the early 1990s. These tests were not field-usable. It amounted to "write a regular pattern on the disk, overwrite it with another regular pattern, and look for evidence of the first pattern." Furthermore, these papers all referred to disks which had been manufactured about 10 years ago.

    I'll bet that someone HAS used this to a practical effect, somewhere, but just try finding out who, where, and (most importantly) how. There are no commercial vendors of this kind of technology--just try calling up OnTrack, or any of their competitors, and you'll hear the same thing. Desperate people in lawsuits and other dire straits have thrown millions of dollars down this hole (and that's just in the last few years, that I'm aware of), and gotten nothing for it.

    To hear Gutmann describe it, though, any halfway competent lab technician could make this process work. Where are the papers describing those operations, done on actual post-1993 hard drives, describing their methodologies?

    I personally watched a not-so-reputable data recovery firm tell a judge and some attorneys that they could recover single-pass deleted data if they had $750,000 in R&D and six months. They came up empty-handed.

    This kind of data recovery is PIXIE DUST. It's an urban legend of the tech industry, one that everybody knows is true but nobody can ever prove.

    Can I prove to you that some spook lab buried ten miles beneath Ft. Meade, MD hasn't done this, and isn't buying computers thrown out by French businesses and reading every old secret? No, I can't, I don't work for the government and don't plan to start. But last I checked, it wasn't considered good logic to require absolute proof of a negation, when no proof has been shown of the posited statement.

    So, sure. You can MAYBE read data from pre-1993 hard drives, and maybe in 10 years the examination technology will have advanced enough to read today's drives (if hard drive technology stands perfectly still, eh?). The only people who need protection, then, are folks whose adversaries are incredibly wealthy AND willing to spend gobs of money on getting to them, and who would still be harmed if their ten-year old data is read.

    This does not include businesses--who cares what your business plan was ten years ago? This does not include common criminals--the government won't spend millions of dollars just to recover one piece of evidence. This certainly does not include you and I.

    This includes ONE type of entity: sovereign governments. Are you selling your disk wiping utilities to governments, or to businesses and consumers?

  8. Re:This is stupid by sqlrob · · Score: 2, Insightful

    Assuming of course, that your key is secure. You willing to bet on that?