Slashdot Mirror


Linux and Forensic Discovery

Max Pyziur writes "Found this on cryptome.org where Linux is cited in a DOJ document against Moussaoui (sometimes referred to as the "20th man"). FBI: Moussaoui E-mail Not Recoverable - January 1, 2003." An interesting read which gives some insight into how computer evidence is handled in court.

6 of 260 comments

  1. Oh Please! by Snowbeam · Score: 5, Interesting

    How is this news? They are using "dd", a Linux utility. Seeing "Linux" in an article does not warrant a story about it. This demeans Linux by using every little scrap of news to attempt to show that it is in use. Instead we should be demonstrating its uses, rather than reporting that it is in use.

    --
    I am Lord Snowbeam. Heed my call!
  2. electron microscopes by Alien54 · Score: 4, Interesting
    I am confused. (Yes, we all know this.)

    The document states that image files were generated of the contents of the hard drives. I do not have confidence that an image would also display latent data.

    I know myself that when I do a data recovery on a system, I can get many more megs of recovered data from file fragments, deleted folders, etc. than can fit on the drive. Most of this extra stuff is junk data, but you get the idea.

    There is no substitute for the original.

    Recovery can require a minimum of specialized software or be as complicated as looking at the platters under an electron microscope. I see nothing here that indicates use of such specialized technology, and yet this is supposed to be a national security matter.

    --
    "It is a greater offense to steal men's labor, than their clothes"
    1. Re:electron microscopes by g4dget · Score: 4, Interesting
      The document states that image files were generated of the contents of the hard drives. I do not have confidence that an image would also display latent data.

      It's pretty clear what "dd" images: the entire content of the hard disk drive as it is readable by its disk controller. It won't image residual data that has been erased.

      I know myself that when I do a data recovery on a system, I can get many more megs of recovered data from file fragments, deleted folders, etc. than can fit on the drive. Most of this extra stuff is junk data, but you get the idea.

      Unless your recovery efforts involve custom hardware, the disk image obtained with "dd", together with bad block information and drive geometry, contains every bit of information you are ever going to get out of that drive. Any software-based recovery working on that image is going to be equivalent to recovery working on the original drive.

      Trying to recover data that has been physically overwritten, using analog methods or imaging, is so expensive and time consuming that it is feasible only in special cases.

  3. FBI HQ originally denied e-mail search request by michaelmalak · Score: 4, Interesting
    See my Aug. 29, 2002 blog article, "FBI didn't get Moussaoui's e-mail despite having his laptop," which notes the irony that "the U.S. government is interested in the e-mail of all those in the U.S. except for alleged terrorists" and which links to an Aug. 29, 2002 Washington Post article.

    (Recall that Moussaoui was already in jail before Sep. 11. These pre-Sep. 11 e-mail search requests were rebuffed, according to FBI whistleblower Colleen Rowley.)

  4. Privacy irony & national security by MacAndrew · Score: 4, Interesting
    Note that the FBI, charged by so many with violating people's privacy in every way imaginable, here dropped the ball by being too cautious about someone's privacy.

    You can't win -- bungling cuts both ways.

    Anyone wonder why the heck the Minnesota FBI office went to Washington for a piddly search warrant, instead of their friendly local court? Because this was not an ordinary warrant, but a national security warrant designed to investigate suspected terrorists who might not have committed any crime to provide probable cause for a regular warrant. (You know, like Minority Report. OK, it's not that bad. :)

    It will be interesting to see who gets blamed once all of the finger-pointing is over.

    From NYT by James Risen*:
    According to Ms. Rowley's letter and other bureau officials, the Minneapolis field office believed that the French report on Mr. Moussaoui provided enough troubling information about his ties to Islamic extremism to go to court to obtain a search warrant under the federal law that allows the government to carry out searches and surveillance in espionage and terrorism cases. Under the statute, investigators do not have to show that a subject committed a crime, only that they have reason to believe the suspect is engaged in terrorist activity or espionage on behalf of a foreign power or a terrorist organization.

    * Another little note -- James Risen and Jeff Gerth were the NYT reporters blamed for stoking the fire over the Wen Ho Lee debacle. Of course, lots of people were blamed -- sound familiar?
  5. Re:Block size limitation in dd noted by delta407 · Score: 4, Interesting
    (-1, Wrong)

    dd does copy incomplete blocks. Try this:
    $ dd if=/dev/random of=test bs=1 count=1023
    1023+0 records in
    1023+0 records out

    $ dd if=test of=test2 bs=512
    1+1 records in
    1+1 records out

    $ ls -l test2
    -rw-r--r-- 1 delta407 delta407 1023 Jan 1 22:50 test2
    See that? We created a 1023-byte file (test), and then dd'ed it to test2 with a block size of 512. Guess what? dd copied the file in its entirety, even though it didn't line up on a block boundary.
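
The two technical points in this thread, g4dget's (a raw image holds every sector the controller returns, so deleted-but-not-overwritten data is still in it, while physically overwritten data is gone) and delta407's (dd copies a short final record and reports it as the "+1"), can be shown together on a constructed in-memory "disk". This is an added example written for this page, not code from the thread or from the DOJ document; the sector layout, the one-byte-per-sector allocation map, the sample e-mail text and the function names are all assumptions made for the demonstration.

```python
"""Constructed demo: what a raw, dd-style sector image does and does not keep.

The "disk" is a bytearray of 512-byte sectors. Sector 0 holds a crude
allocation map (one byte per sector, 1 = in use); this is an invented
layout, not any real filesystem, chosen so that "deleting" a file can be
shown as clearing its map entries while leaving its sector contents intact.
"""
import hashlib
import re

SECTOR = 512
SECTORS = 64            # 32 KiB constructed disk, small enough to read by eye

# Constructed sample message; the address and text are made up for the demo.
SAMPLE_MAIL = (b"From: suspect@example.invalid\r\n"
               b"Subject: constructed sample message\r\n\r\n"
               b"This text stands in for an e-mail body on the drive.\r\n")
SIGNATURE = b"From: suspect@example.invalid"


def make_disk():
    return bytearray(SECTOR * SECTORS)


def write_file(disk, start_sector, data):
    """Place data at start_sector and mark its sectors allocated."""
    nsectors = -(-len(data) // SECTOR)          # ceiling division
    off = start_sector * SECTOR
    disk[off:off + len(data)] = data
    for s in range(start_sector, start_sector + nsectors):
        disk[s] = 1
    return nsectors


def delete_file(disk, start_sector, nsectors):
    """Unlink-style delete: free the map entries, leave the bytes in place."""
    for s in range(start_sector, start_sector + nsectors):
        disk[s] = 0


def overwrite_sectors(disk, start_sector, nsectors):
    """Physically overwrite the sectors (what a wipe or reuse would do)."""
    off = start_sector * SECTOR
    disk[off:off + nsectors * SECTOR] = b"\x00" * (nsectors * SECTOR)


def dd_copy(src, bs):
    """Copy src in bs-byte records, including a short final record.

    Returns (image, records) where records mirrors dd's "F+P records in"
    line: F full records plus P (0 or 1) partial record.
    """
    full, remainder = divmod(len(src), bs)
    out = bytearray()
    for i in range(0, len(src), bs):
        out += src[i:i + bs]
    return bytes(out), "%d+%d" % (full, 1 if remainder else 0)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def carve(image, signature):
    """Signature search over the whole image, allocated or not."""
    return [m.start() for m in re.finditer(re.escape(signature), image)]


def demo():
    disk = make_disk()
    start = 10
    n = write_file(disk, start, SAMPLE_MAIL)
    delete_file(disk, start, n)                   # "deleted", not wiped

    image, records = dd_copy(bytes(disk), SECTOR)
    result = {
        "records": records,                       # "64+0": no partial record
        "hash_match": sha256(image) == sha256(bytes(disk)),
        "carved_after_delete": carve(image, SIGNATURE),
    }

    overwrite_sectors(disk, start, n)             # now physically gone
    image2, _ = dd_copy(bytes(disk), SECTOR)
    result["carved_after_overwrite"] = carve(image2, SIGNATURE)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The image hash equals the source hash, the carve finds the deleted message at byte offset 5120 (sector 10) because freeing the map entries does not touch the sectors, and after the sectors are overwritten no software search of the image, or of the original, can bring it back. `dd_copy(b"x" * 1023, 512)` reproduces delta407's "1+1 records" case with all 1023 bytes copied.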