Slashdot Mirror
Linux and Forensic Discovery
Max Pyziur writes "Found this on cryptome.org where Linux is cited in a DOJ document against Moussaoui (sometimes referred to as the "20th man"). FBI: Moussaoui E-mail Not Recoverable - January 1, 2003." An interesting read which gives some insight into how computer evidence is handled in court.
Of the fact that lawyers will argue over anything.
Heh, this seems to be a discussion about whether they used "approved methods" of retrieving a deleted email. According to one person, the LinuxGNU was the only one approved by NIST (national institute of standards and technologies). This of course, is wrong...NIST doesn't "approve" software, they just test it and declare whether or not it works.
...someone in the government seems to realize that Microsoft can't be trusted ;-)
Don't you wish your girlfriend was a geek like me?
To anyone who is concerned about having their deleted files recovered, take a look at Wipe - in its strongest mode it will make 37 passes over the data in order to be sure that electron microscopes cannot reconstruct the bit patterns.
Linux is used by humans outside of the Slashdot community! Stay Tuned!
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
How is this news? They are using "dd" a Linux utility. Seeing "Linux" in an article does not warrant a story about it. This demeans Linux by using every little scrap of news to attempt to show that it is in use. Instead we should be demostrating it's uses, rather that reporting that it is in use.
I am Lord Snowbeam. Heed my call!
The test reults are abailable here:
http://www.ojp.usdoj.gov/nij/sciencetech/cftt.htm
The document states that image files were generated fo the contents of the hard drives. I do not have confidence that an image would also display latent data.
I know myself that when I do a data recovery on a system, I can get many more megs of recovered data from file fragments, deleted folders, etc than can fit on the drive. Most of this extra stuff ias junk data, but you get the idea.
There is no substitue for the original.
Recovery can require a minimum of specialized software or be as complicated as looking at the platters under an electron microscope. I see nothing here that indicates use of such specialized technology, and yet this is supposed to be a national security matter.
"It is a greater offense to steal men's labor, than their clothes"
A troll, of course, but due to lack of moderator points:
/dev/hdb
dd
Yep. That would be much simpler under Windows.
If the hash value of the original prior to duplication matches identically the hash value after the duplication, one may conclude that the duplicate file accurately reflects the data on the original file. The fact that the hash values match is typically more important than the hash values themselves.
Are they saying that two different files can't have the same hash value? That's a load of crap! It's not hard at all to modify data to create any hash value that you want, especially when you're including "deleted space" in the CRC calculations... It's good at telling you if there were any random modifications caused by errors during copying, but not that the files are identical.
I thought Solitaire only duplicated wasted work hours!
If thou see a fair woman pay court to her, for thus thou wilt obtain love
Argh...Once more with preview:
/dev/hda > /dev/hdb
dd <
Oohhhhhh... Someone said the word ``Linux"... Better put it on the front page...
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Actually, if you read on in the article, they state that Linux dd COULD have been used, that NIST had tested it and found it acceptable, but if you read the procedures used to the four HDDs, they actually used the other methods listed exclusively.
Sept. 10, 2001
Zach,
We're going off flying tommorrow, hope to see you on the other side. Last one there gets the 70 ugliest virgins!
M. Atta
Trolling is a art,
dd is a common Unix program. The SGIs at work have it, my various BSDs at home and work have it and Linux has it.
Trolling is a art,
You do realize that in the event of a search warrant or subpoena that privacy policy no longer applies, right? Of course, they can't turn over anything they no longer have, but if they have it the government will too. On a side note, the libraries in my city (seattle) have a very explicit privacy policy that states that they do not ever save information about books a patron has read and returned. The only things on the books are currently checked-out items, for exactly this reason.
The United States respectfully responds to Standby Counsel's Reply to the Government's Response to the Court's Order on Computer and E-Mail Evidence (hereafter "Reply") as follows:
/s/
Authentication
The foundation of standby counsel's discovery requests regarding the computer and e-mail evidence rests upon their complaints regarding the "authentication" of the hard drives provided in discovery. "Authentication" in this context means the process of ensuring that the duplicate of the hard drive provided in discovery is an exact copy of what the FBI originally acquired. As FBI Supervisory Special Agent Dara Sewell explains in her attached affidavit, the FBI uses three different methods to duplicate or image a hard drive:1
(1) GNU/Linux routine dd command via Red Hat Linux 7.1 (hereafter "Linux dd");
(2) Safeback version 2.18 imaging software by New Technologies (hereafter "Safeback");
(3) Solitaire Forensics Kit, SFK-000A hand-held disk duplicator by Logicube, Inc. (hereafter "Logicube").
Sewell Affidavit at 2. Standby counsel seek the "complete authentication information for all of the hard drives produced in discovery, particularly the information for Mr. Moussaoui's laptop, the University of Oklahoma system, and Mukkarum Ali's laptop." Reply at 8.
Before addressing the authentication for the four specific computers, an error in Mr. Allison's affidavit must be corrected. In his affidavit, Mr. Allison writes: "Many methods are available to create an exact duplicate; however, only one method - the GNU/Linux routine dd - has been approved by the National Institute of Standards and Technologies." Allison Affidavit at 3. This statement is simply wrong. The National Institute of Standards and Technologies (NIST) does not "approve" software, it merely tests it and then publishes the results of its tests. NIST did, indeed, test Linux dd and publish the results, which included some criticism. Sewell Affidavit at 3. Like Linux dd, Safeback has also been submitted to NIST for review and its final report was published on December 13, 2002. Sewell Affidavit at 3. NIST reported criticisms of Safeback comparable to those cited for GNU/Linux routine dd. Sewell Affidavit at 3-4.2 Thus, for purposes of NIST, both Linux dd and Safeback are accurate imaging tools. With this in mind, the authentication of the four computers at issue follows.3
More important, the manufacturers of both Safeback and Logicube engaged in extensive self-testing of their programs before marketing them. Further, both contain verification programs\functions that ensure that the image\duplicate accurately reflects the data contained on the original. Sewell Affidavit at 4-5. Finally, FBI CART has validated the use of both Safeback and Logicube during their own use of the methods on hundreds of computers. Sewell affidavit at 4-5. Both Safeback and Logicube, like Linux dd, are methods that are accepted within the forensic computer community. Sewell Affidavit at 4-5.
Additionally, Mr. Allison writes: "Further, once the duplicate has been created, a product such as the Message Digest version 5 (MD5) or the Secure Hash Algorithm version 1 (SHA-1) should be used to confirm that the duplication process has been done properly." Allison Affidavit at 3. Mr. Allison refers to programs that generate a unique value for both the data on the original hard drive and the data on a purported duplicate of that hard drive in order to further verify the results of the duplication process. However, as set forth in detail in SSA Sewell's affidavit, both Safeback and Logicube contain self-validating programs that ensure the image or copy process generates an exact duplicate of the original. Sewell Affidavit at 4-6. Therefore, the MD5 or SHA-1 programs only provide an additional layer of verification beyond the already proven reliability of the tool itself. Sewell Affidavit at 6.
Both defendant's and Mukkarum Ali's laptops were duplicated using the Safeback software. To eliminate any questions about authentication, the FBI employed the MD5 program suggested by Mr. Allison on both laptops. The program demonstrated that the images of both laptops provided to the defense in discovery were accurate reproductions of the originals. Sewell Affidavit at 7-10. The significance of this point is two-fold. First, there can be no question that the defense has the exact same copy of the original that the Government has, so they can conduct any further investigation on their copy that they wish. Second, the results of the MD5 program as to these two laptops further demonstrate the reliability of the Safeback program.
Finally, standby counsel seek the BIOS (Basic Input/Output System) settings for defendant's laptop based upon the following assertion by Mr. Allison in his affidavit:
The complete authentication information for Mr. Moussaoui's laptop is even more critical given the indication in the above documents, particularly Bates no. M-LBR-0002265, that the laptop had lost all power by the time of the government's CART examination on August 6, 2002. [Footnote omitted]. The loss of all power means that the original date and time settings cannot be retrieved, and that other settings, such as how the computer performed its boot sequence, the types of ports and peripherals enabled, and the settings regarding the hard disk and the controller, are all lost as well. All of this is essential information on how the laptop was set up.
Allison Declaration at 3-4. As SSA Sewell makes clear in her affidavit, however, the BIOS settings for defendant's laptop were recorded at the time that it was imaged, September 11, 2001, before any loss of power. The BIOS settings are set forth in SSA Sewell's affidavit. Sewell Affidavit at 11. Therefore, no authentication issues exist as to defendant's or Mukkarum Ali's laptops.4
Unlike the laptops, the two hard drives at the University of Oklahoma (known as "PC 11" and "PC 14") were never removed from the university and are not currently in the Government's possession. Due to the nature of the hard drives, the FBI used the Logicube hand-held disk duplicator to copy the drives and then imaged the duplicates with the Safeback program. Logicube was selected to duplicate the University of Oklahoma hard drives because of its portability. Sewell Affidavit at 3-5, 18. Like Safeback, Logicube has been verified by both its manufacturer and the FBI. Moreover, Logicube performs self-checking functions to ensure that the duplicate drive accurately reflects the contents of the original drive. Finally, although Logicube has not yet been reviewed by the NIST, hand-held disk-duplicators such as Logicube are widely accepted in the information and forensic communities. Sewell Affidavit at 5. Consequently, there can be no challenge to the authenticity of the duplicates of the University of Oklahoma hard drives.
The Request for a Chart for the Remaining Hard Drives
Standby counsel next seek a chart "for the approximately 140 remaining hard drives. At a minimum, the chart should include the origin/source for each drive and the significance of the drive to the case." Reply at 9.5 On November 22, 2002, the Government supplied the defense with a chart listing each hard drive produced in discovery, when it was produced, and a detailed description of its source from which the defense can assess its significance. Further, in a letter dated December 18, 2002, the Government identified the computer evidence that it believes to be relevant for this prosecution. Of course, the burden rests with the defense to determine the significance of a piece of evidence to their defense. Cf. United States v. Comosona, 848 F.2d 1110, 1115 (10 th Cir. 1988) ("The Government has no obligation to disclose possible theories of the defense to a defendant. If a statement does not contain any expressly exculpatory material, the Government need not produce that statement to the defense. To hold otherwise would impose an insuperable burden on the Government to determine what facially non-exculpatory evidence might possibly be favorable to the accused by inferential reasoning."); United States v. Nachamie, 91 F. Supp. 2d 565, 569 (S.D.N.Y. 2000) ("The clear language of Rule 16(a)(1), however, does not require the Government to identify which documents fall in each category - it only requires the production of documents responsive to any category."); United States v. Greyling, 2002 WL 424655 at *3 (S.D.N.Y. 2002) ("Fed. R. Cr. P. 16(a)(1)(C) only requires that the Government afford defendants an opportunity to inspect the documents it intends to introduce at trial. It does not require the Government to identify which documents it intends to introduce.") (emphasis in original). Therefore, this request is now moot.
The University of Oklahoma Hard Drive
Standby counsel next request the Court to "[o]rder the Government to confirm that the UO hard drive produced in discovery has not been contaminated and explain why the 70 GB of unused storage space on that hard drive contains material that should not be there." Reply at 9. As the affidavit of SSA Sewell makes clear, the following answers Mr. Allison's concerns about University of Oklahoma PC 11. Approximately 9.537 gigabytes of information were duplicated from PC 11's hard drive by the Logicube program onto a 40 gigabyte drive. Thereafter, all data on the Logicube 40 gigabyte drive was imaged and later restored using the Safeback program onto a 80 gigabyte hard drive, which was then turned over to the defense. The primary partition which exists on the defense 80 gigabyte duplicate hard drive accurately represents the approximately 9.529 gigabytes captured from the primary partition of PC 11 without contamination. The balance of the space on the 80 gigabyte hard drive provided to the defense contains the following:
(1) Approximately 7.26 megabytes of data of the 9.537 gigabytes of data captured from PC 11. This information actually appeared on PC 11 outside of the primary partition and was duplicated by Logicube. Therefore, this data previously existed on the PC 11 and did not result from the imaging/duplication process;
(2) Unused space which consists of a series of zeroes; and,
(3) Approximately 4 megabytes of repetition of the 9.537 gigabytes of information captured from PC 11, which was created by the Logicube tool when it first began to duplicate the material contained on PC 11.6
Sewell Affidavit at 19-20. All of this simply means that the first 9.537 gigabytes of the 80 gigabyte hard drive provided to the defense accurately contains all of the data that existed on PC 11 at the time of duplication and was not "contaminated" by any outside data.
The Examination of Moussaoui's Laptop
Standby counsel's fourth request questions whether the defendant's laptop was imaged before it lost power. The defendant's laptop was imaged on September 11, 2001, before the laptop lost power. Sewell Affidavit at 11. The BIOS settings for the laptop requested by standby counsel are set forth in SSA Sewell's affidavit. Sewell Affidavit at 11. Therefore, this request is now moot.
The xdesertman@hotmail Account and Other E-Mail Accounts
In their fifth request, standby counsel ask the Court to "[o]rder the Government to examine all of the temporary files of the computers Mr. Moussaoui used (those at UO, his laptop, and Mukkarum Ali's laptop) and determine whether information can be obtained from them concerning the xdesertman@hotmail.com account and the other email accounts listed in paragraph 33 of the Lawler Affidavit." Reply at 10. SSA Sewell's affidavit describes the unsuccessful searches of each hard drive conducted by FBI CART Field Examiner Thomas Lawler for the xdesertman@hotmail.com e-mail account as well as at least 27 variations of this account and other e-mail accounts associated with the investigation of this case. Sewell Affidavit at 15. Moreover, as previously demonstrated in the first section of this pleading addressing the authentication issues, the defense now has an exact copy of what the Government has. Therefore, there is no reason that the defense, including their computer expert, cannot conduct the same examinations of the four hard drives at issue as the Government. Consequently, this request should be denied.
Similarly, in their sixth request, standby counsel ask the Court to order the Government to conduct an investigation at their behest when they have the same ability to conduct the investigation. The defense possesses the same subpoena power as the Government and, if they wish to serve a subpoena on Hotmail, Microsoft, or any other company, they should do so. See Fed. R. Crim. P. 17(c); 18 U.S.C. 3005. Moreover, the Group Manager for Policy Enforcement for MSN Hotmail reports that a search as suggested by Mr. Allison in his Declaration (see Allison Declaration at 6) would have no success. Sewell Affidavit at 21-22. Therefore, this request should fail.
The Internet Provider Address for University of Oklahoma PC 11 Computer
Next, standby counsel ask the Court to "[o]rder the Government to (A) explain the reason for the discrepancy in IP addresses for the UO PC 11 computer, (B) confirm that the UO hard drive produced to the defense in discovery (129.15.110.31) comes from the computer used by Mr. Moussaoui at the University of Oklahoma, and (C) confirm that Mr. Moussaoui did not use any other UO computer." Reply at 11. Simply put, a typographical error exists in the Lawler Affidavit submitted by the Government. The correct internet provider address for University of Oklahoma PC 11 computer is 129.15.157.31. Sewell Affidavit at 18. As discussed in the first section of this pleading regarding authentication, a duplicate of the hard drive for PC 11 has been provided to the defense. As to whether Mr. Moussaoui used any other computer at the University of Oklahoma, only the defendant definitively knows the answer. The only evidence that the Government has regarding Mr. Moussaoui's computer use at the University of Oklahoma involves PC 11 and PC 14, copies of which have been provided to the defense in discovery.
The Kinko's in Eagan, Minnesota
In their eighth request, standby counsel seek "more information about the procedures used by Kinko's personnel and the steps they took to clean the Kinko's system and verify that no evidence of Mr. Moussaoui's communications via Kinko's internet access still remains on the Kinko's system." Reply at 11. SSA Sewell's affidavit describes in detail the procedures used by Kinko's to overwrite ("clean") their systems. The affidavit reveals that during the month between the defendant's use of the computers at Kinko's on August 12, 2001, and September 11, 2001, Kinko's cleaned their machines at least one time and perhaps many more, since their policy was to re-image (clean) the computers weekly. Sewell Affidavit at 12. Since September 11, 2001, the computers have been re-imaged several times and Kinko's personnel adamantly state that they are unable to recover any pre-existing data from a work station hard drive after the re-imaging process. Sewell Affidavit at 13. Further supporting the inability to locate references to xdesertman@hotmail.com is the fact that FBI CART examiners searched all data related to this e-mail account on both defendant's and Mukkarum Ali's laptops as well as the University of Oklahoma computers, none of which were ever "cleansed" or overwritten, and no data was found collaborating even the existence of any such account, or its use by the defendant. Sewell Affidavit at 15-17. Thus, there is no reason to believe that a search of the Kinko's computers in Eagan, Minnesota, would recover any relevant information about the defendant's e-mail use on these computers. Sewell Affidavit at 17.7
The "File Slack" Portions of Mukkarum Ali's Laptop
Standby counsel next ask "the Government to confirm that the 'file slack' portions of Mukkarum Ali's computer do not contain relevant information about Mr. Moussaoui's use of the computer to send e-mails." Reply at 11. As previously stated in the first section of this pleading addressing authentication, the defense has an identical duplicate of what the Government has; therefore, they can search Mukkarum Ali's computer as they wish. Moreover, FBI Cart Examiner Thomas Lawler thoroughly reviewed Mukkarum Ali's computer, including the "file slack" portions, and found no relevant information. Sewell Affidavit at 15. Therefore, this request should be denied.
The "Ghosting" of the University of Oklahoma Computers
Standby counsel conclude their requests by asking "the Government to identify the procedures employed by UO personnel to 'ghost' the computer(s) allegedly used by Mr. Moussaoui and order the Government, despite the fact that it may be 'likely lost' (see Lawler Affidavit at 28), to retrieve any forensic evidence showing use of those computers by Mr. Moussaoui and what he did while using those computers." Reply at 11. Calvin Weeks, the technical security officer for the University of Oklahoma, told the FBI that the University of Oklahoma used the commercial software Norton Ghost to restore a previously recorded hard drive image. Sewell Affidavit at 21. As to the second part of standby counsel's request, the defense has in their possession a duplicate of University of Oklahoma PC 11 and PC 14; therefore, they can perform any investigation of these hard drives that the Government can. Therefore, this request should be denied.
Conclusion
The attached affidavit by SSA Sewell fully addresses the issues raised by standby counsel and demonstrates beyond question that the FBI properly and exhaustively examined all computer evidence in this case.
Respectfully Submitted,
PAUL J. McNULTY
UNITED STATES ATTORNEY
By:
Robert A. Spencer
Kenneth M. Karas
David J. Novak
Assistant United States Attorneys
It's not hard at all to modify data to create any hash value that you want, especially when you're including "deleted space" in the CRC calculations...
That kind of depends on the strength of the hash algorithm, wouldn't you say?
"I have opinions of my own, strong opinions, but I don't always agree with them." -- George H. W. Bush
wrong again.
dd if=/dev/hdax of=/dev/hdbx
And what could be easier than using a bootCD to use dd? No need to install anything on any computer. Hell, they can just hook up their drive to the suspects computer.
(Recall that Massaoui was already in jail before Sep. 11. These pre-Sep. 11 e-mail search requests were rebuffed, according to FBI whistleblower Colleen Rowley.)
Mousauoiioio whatever his name is sure had a lot more computer stuff than I do...
but according to NIST, and my own experince, such is not the case. Not only is dd cheaper by thousands of dollars than the "professional" apps made to do such things, but it's often *more* effective, and almost always easier to use.
At its heart it's just a simple copy command.
In fact, the dd tool is so simple, and simple minded, that it would be easier to write a simple graphical front end for it than to learn the GUI of exiting Windows apps designed to do the same thing.
I don't know quite how to break this to you, but *sometimes* language is the simpler, more powerful and more *intuitive* means of getting something across than pointing at a picture and grunting.
Unless, of course, your intellect hasn't yet advanced to that level of sophistication.
KFG
Great idea. dd comes as standard with Linux, do you happen to know the name of the util that comes with Windows that can do what dd can do?
:)
P.S. good troll
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
The contents any LBA that is in the drive's remap table (i.e. blocks that the drive electronics have previously determined either to be bad or going bad) aren't captured by dd - the drive instead sends the data payload corresponding to the LBA's remapped physical address. The bad/bad-ish block remains, and its data is quite possibly still valid (or perhaps valid but for a couple of localised errors). These blocks thus hold tiny slivers of data stored on the drive sometime in the past (the last thing written before the block went bad).
Although this missed data represents a microscopic fraction of the total data on the disk it could, at least in theory, contain recoverable data of an evidenciary nature. The only way to see this is a drive-vendor specific low-level read - I don't know much about the other two tools the article describes, but it doesn't sound like those do that either.
Given that there's only a handful of drive manufacturers left, and the (non-servo) parts of the firmware on their drives doesn't vary hugely between models, it really wouldn't be too hard for law-enforcement types to have proper physical-level imaging tools for any drive they're likely to encounter.
## W.Finlay McWalter ## http://www.mcwalter.org ##
shell integrationy /proceed ings/sec96/full_papers/gutmann/
uses Guttmann's method
http://www.usenix.org/publications/librar
can also do free disk space
I think there is also a dos version you can use with a boot disk which would be better.
Don't waste your time with other crap like bcwipe or the one that came with your system utility software.
Besides running your disks through a grinder, this is the best deletion software available commerical or not. There are no "better" proprieatary software methods and anything you would pay for is a waste. Either use this set to Guttmann, or physcially destroy the disk.
Realize that no software is 100%, especially if the agency wants your info back enough, but this software is the best if your not going to destroy your disk(again destroying is preferred).
It doesn't mean anything if you don't read the affidavit. Linux dd was used (is used) as one of 3 methods by the FBI CART to image disks during discovery. That's all it means.
Linux is made in America and other places, too.
www.dedserius.com
VB != VisualBasic
-
The Eagan, Minnesota Kinkos Computers
This would be rather thorough, it seems.19. The Initial September 2001 Inquiry at the Eagan, MN Kinkos: On October 17, 2002, I spoke with Minneapolis FBI Special Agent David Rapp. At that time, SA Rapp told me that, to the best of SA Rapps unrefreshed recollection, on or about September 19, 2001, SA Rapp went to the Kinkos store in Eagan, Minnesota, to inquire about a receipt found on the person of Zacarias Moussaoui at the time of his arrest. At that time, SA Rapp met with a person who represented himself as a Kinkos employee responsible for managing and maintaining customer computer workstations. At that time, the Kinkos employee informed SA Rapp, in substance, as follows:
(A) The Kinkos receipt did indicate that a computer workstation had been utilized;
(B) It could not be determined from the copy of the Moussaoui receipt alone which computer workstation was used;
(C) In response to SA Rapps inquiry about the possibility of acquiring any information from the computer workstations regarding the use of the computers by Moussaoui, the Kinkos employee stated that, since the date of the receipt, all computers had been wiped clean/formatted and started with a fresh install; and,
(D) The computer workstations were generally wiped weekly or bi-weekly approximately, even though Kinkos policy called for weekly wipings. At a minimum, the Eagan Kinkos store wiped the computers at least once per month.
[....]
21. Eagan Follow-up: On October 11, 2002, I requested that the Minneapolis FBI Field Office contact Kinkos personnel at the Eagan store and determine if, as alleged by the defense, the Kinkos computer could still maintain evidence of defendant Zacarias Moussaouis use from August 2001. On or about October 15, 2002, Special Agents Brendan Hansen and Christopher Lester visited the Eagan Kinkos and interviewed Brian Fay, who, as of August 11, 2001, was one of two Kinkos employees who knew how to restore an image onto the six computers with internet access designated for customer use. Mr. Fay stated that the six computers presently at the store are the same computers (with the same hard drives) that were present in August of 2001. These six computers are leased and scheduled to be replaced at the end of this year.
The computers are maintained by formatting the computers hard drives and reloading an image using Norton Ghost whenever business is slow and time allows. There are no logs recording the dates or frequency of loading images on to the computers and Fay could not estimate how frequently they were imaged. Although Fay was not personally familiar with the exact details of the formatting and imaging process he administers to the computers, Fay had been advised by Kinkos that the formatting and restoration process destroyed all files associated with previous users.
ouch
"It is a greater offense to steal men's labor, than their clothes"
the shred utility will only work on non-log structured and non-journaling filesystems, i.e. ext2, but not ext3, jfs, reiserfs, etc. see: "man 1 shred" for more info.
Not only was the word "Linux" mentioned, but so were the words "computer evidence," and "court."
Hey, this is Slashdot. News for Nerds. Stuff that matters.
A lot of us are interested in things such as Linux and computer security. I found this document to be an interesting read, and I am glad it was posted on Slashdot.
He probably just had one or two drives, but they were really big, so they were the equivalent of 140 drives.
"Sic Semper Tyrannosaurus Rex."
Well, that is primarily indicative of your ignorance of Linux and your willingness to buy into Microsoft propaganda.
i mean it must be easier to find the tool under windows thebn setup a linux machine
There is nothing to set up. Linux can boot and run from CD, with all software installed (check for DemonLinux and Knoppix, for example). That's one of the many reasons Linux is so good at this sort of thing.
How easy is it?
- Connect drive you want to copy to to the disk controller or USB port, or plug in Ethernet card.
- Insert bootable Linux CD and boot from CD.
- If you just want to mirror the drive, type something like "dd if=/dev/hda of=/dev/hdb".
- To mirror it over the network, type something like "pump; cat
/dev/hda | ssh me@host cat \> image".
I mean, how much easier can it get?For forensic applications, you might want to make sure that you hardware write-protect the source drive first, just to avoid accidents.
These people know what they are doing and how to reduce their workload. That is why they are using Linux.
You can't win -- bungling cuts both ways.
Anyone wonder why the heck the Minnesota FBI office went to Washington for a piddly search warrant, instead of their friendly local court? Because this was not an ordinary warrant, but a national security warrant designed to investigate suspected terrorists who might not have committed any crime to provide probable cause for a regular warrant. (You know, like Minority Report. OK, it's not that bad.
It will be interesting to see who gets blamed once all of the finger-pointing is over.
From NYT by James Risen*:
* Another little note -- James Risen with Jeff Gerth were the NYT reporters blamed with stoking the fire over Wen Ho Lee debacle. Of course, lots of people were blamed -- sound familiar?
the fbi typically (and rightfully so) makes a habit of not trusting the suspect's own hardware. who knows what lengths people will go to to make sure their data is safe?
Well duh. That's their *job.*
KFG
While I know you are trolling I will bit anyway.
Not only is dd on various *nixes, bsd's, etc, it is also available on windows. It is called cygwin, and it has dd also.
I mod down any one who says "I'm sure I will get modded down for this"
I am very suprised that more forensic investigators and the companies the create forensics software do not use Linux as a primary workstation solution. Windows simply does not have the ability to handle so many different file systems types, etc as compared to Linux (or BSD, etc, etc.. I go with Linux because I think it is a happy medium for a Unix evironment). I mean, with my forensics workstation, Linux allows me to pretty much mount and work with any filesystem type in use, yet I have to swap OS drives and reboot to use most of the commerical forensics tools. Getting Windows to read other filesystems is not that simple, there are occasional bit pieces like explore2fs and the like, but handling non-Windows based files and file systems is not as simplistic as can be arranged on a Linux workstation with a very flexible kernel. As for all of the people mocking your question...that seems silly. What I have yet to try though is using a tool like rawwrite on windows to try and make or copy images. I'll admit so far I am lazy and have not worked with it yet since I have so much of the functionality I need already, but I would imagine getting DD itself (if rawwrite is not an option) to work on Windows (outside of a Cygwin type option) would not be too hard.
R O T F L!
:(
[Start Quote]--
The Internet Provider Address for University of Oklahoma PC 11 Computer
Next, standby counsel ask the Court to "[o]rder the Government to (A) explain the reason for the discrepancy in IP addresses for the UO PC 11 computer, (B) confirm that the UO hard drive produced to the defense in discovery (129.15.110.31) comes from the computer used by Mr. Moussaoui at the University of Oklahoma, and (C) confirm that Mr. Moussaoui did not use any other UO computer." Reply at 11. Simply put, a typographical error exists in the Lawler Affidavit submitted by the Government. The correct internet provider address for University of Oklahoma PC 11 computer is 129.15.157.31.
--[End Quote]
I don't know whether to laugh or cry that the security of our nation is in the hands of these FBI "experts".
3 passes of an encrypted system may be enough for the lowgrade programs you listed, but for realworld, aka non-encrypted systems which 99% of us use, 3 wipes is not enough.
You need something like eraser combined with a dos boot disk or the target drive set as a slave to do anything useful.
I'll post the link if I can find it soon, but I've seen cases of deleted data being recovered after 24 passes of "wiping" programs.
Bottom line like you mentioned is for serious software deletion you need to start with encryption on a virgin disk, and then do multipass guttmann wipes. Even then who knows? Destruction is still the only real method.
You say that the FBI was "too cautious" -- do you have any evidence that that was the motive?
I see no irony in being a privacy advocate while decrying FBI supervisors for denying the request to search Moussaoui's e-mail.
P.S. In another related story, the FBI supervisor who thwarted Rowley's investigation recently got a big cash bonus.
Given the weight of the issue and the evidence that could be contained on the disks therein, and given that the US government has an unlimited budget whenever anyone says "terrorism", why they went with dd (or the equivalent ) to copy a disk is beyond me.
I've seen doughnut shops have their hard disks worked on with more advanced technology.
Shouldn't they have taken the hard disk to a clean room, removed the platters from the disk and painstaking recorded every nanometer of them? I wouldn't trust a suspect's hard disk to make a copy of itself.
I don't of course know whether they would have gotten the warrant had they been allowed to present the case to the intelligence court. Hindsight is always distorting. But the reason cited by the central office was concern they might not get it, and I think up to now they've gotten just about everything they asked for and are worried about wearing out their welcome.
This will all be easier to judge once the 9/11 commission issues its report. What? There's no 9/11 commission? But it's been more thann a year! How could that be? (shock, outrage) My point is that the facts are there for the taking but a certain administration is actively resisting unearthing them. Not a conspiracy, just politics as usual.
Irony -- I meant it is ironic they didn't search when they should have, whereas elsewhere they have searched where they should not.
Are you sure your library wipes its disks? :) Good policy, though.
I was pretty alarmed at the pathetic effort of the Starr inquiry to get the lists of who bought what at a local bookstore here in Washington, named Politics & Prose. The store resisted divulging Lewinsky's purchases; I don't recall the outcome.
...encrypting stuff in the first place using Bestcrypt / PGPdisk / whatever would make the entire wiping/recovery discussion (-1, Redundant) when it comes to collecting evidence.
Kjella
Live today, because you never know what tomorrow brings
Look at the conclusion. They could *not* recover the files, but there were other elements that EnCase could find and use. Lokk at the "Results" information right above Conclusions and Recommendations. Specifically states that the files were deleted, although a lot of MFT information, points previosly marked as deleted, and file slack, registry, pagefile, and shortcuts for files were still in place. The main point is that EFS does kind of suck compared to the levels of dread it provided, but it does wipe the data past the point of standard recovery. Even the conclusion of that whitepaper says that the tool is hard to use, takes a good chunk of time, and does not cover artifacts left outside of the blocks/clusters themselves. EnCase was not able to grab the actually scrubbed files, they just found a bunch of other items and remnants the scrubber missed...so again, 3 passes was all that took. Also, in response to your previous post about my comment. The levels of wiping you are talking about are way outside of the standard users realm of expertise to implement, and quite honestly the "recovering data after 24 wipes" stuff is still the stuff of government investigations. The reality is that nobody knows the exact methodology or techniques being used on that high a level, who knows what an electron microscope and a huge amount of time can find regardless of the overwrites? Basically, 3+ wipes and most of your non-higher-government (i.e. - public sector, law enforcement) forensics efforts are going to be foiled.
Call this off-topic if you must, but I've seen gazillions of posts in this and many other threads about forensics and data recovery that are terribly misinformed about the realities of the field. Here's the two cents of a real, live forensic examiner:
/dev/hdX in vi, and starts paging through 5 GB or hex? Oh, god, no--that would take years. Making the bitstream image is the easy part, and your choices are virtually unlimited. For the actual analysis (what does it MEAN), you need something that can examine an allocation table, interpret the results, and display the contents in an easy-to-understand format. You need software that can quickly search across a drive for a particular keyword, regular expression, or file signature. You need something that can analyze data for randomness in order to re-assemble images that have been chunked out across virtual memory. Linux does NOT have basic utilities for all of this, and neither does Windows.
First, it is NOT realistically possible to recover data that has been overwritten ONE time. Yes, yes--I've read all the white papers on magnetic force microscopy (MFM) and I understand that a theory exists about recovery of overwritten data. In practice, nobody actually does it. Maybe one time, six years ago, some dude at NASA or MIT actually made this work conditions on an older disk with a lower bit density, but anyone telling you that old patterns can be read in the real world is full of shit. And yes, it's been tried. Millions have been spent on this, and nobody can do it. Anybody selling you software that claims under laboratory to be "more secure" because it overwrites more than once is being silly. It's not even paranoia, just lacking a clue.
That's why forensic examiners don't need to have the original media. In fact, one of the big tenets of the job is to never, ever, ever perform analysis on the originals. You make a bitstream copy of the perp's (excuse me, "client's") disk, and you work with that.
Oh, and electron microscopes have nothing to do with this theorized recovery process. MFM is a related but very different technology.
Second, Linux versus Windows versus LogicCube versus ImageMasster (another brand) is utterly beside the point. Forensic shops use what they find to be cost effective, fast, and convenient. The dd command is great, and all, and many examiners use it on Linux platforms for their disk imaging needs, but it's not an analytical tool.
Let me put it this way: do you actually think that a forensic examiner sits down, opens
Last, a good forensic examiner is less constrained by his/her knowledge of computers than by his/her investigative skills. I know more about operating systems, file allocation, and troubleshooting than any of the 30-50 year old former cops/feds/spooks that I work with, but they're capable of far more effective work than I am. Why? Because once you have a few basic computer operations taken care of, the work has as much to do with computers as Computer Science does.
The folks that put the child pornographers, embezzlers, script kiddies, and the rest of the computer criminals in jail generally know much, much less than you about computers, Slashdotters. They also don't give a rat's ass about Linux, Windows, Bill Gates, RMS, or any of it.
Well, it's not like privacy policies are legally binding or anything, either. You can promise all the privacy you want but be lying through your teeth.
I never knew that the majority of /. has had a job in computer forensics.
:-)
...and yes my last job was doing computer forensics.
Seriously, from the mod'd up posts I just read you'd swear that everyone has a job doing computer forensics.
*amazing*
There is nothing new here (to me at least) about the contents of this story- it's like "oh, CF shit...whatever"
just cause you *think* you know everything, doesn't mean you *do* know it. (and no, I don't know it all). Ya'll kinda remind me of paper-msce's
Appended to the end of comments you post. 120 chars.
My own personal security is not enhanced in the least by an organization representing millions of heavily armed enforcers watching my every move. Quite the opposite, really: if I do something that gets on the nerves of some frustrated jerk in the Department of Ugly Euphemisms, he can most likely direct some men with guns to emphatically worsen the state of my world.
Government needs reasonable resource allocation first (I know, let's let murderers out early so we have more room to imprison pot smokers!), greater competence second, and maybe, just maybe, more investigative power last.
Ask your self: How the hell did they know to image his laptop on September 11th? This means they already knew he was part of the attack, and they were already on to him. Funny how we, the people, were never warned.
So what do you use for /dev/hda and /dev/hdb when running dd under Windows?
get out much, do you?
KFG
I have a deathstar:- it ensures that you can't get your files back even if you wanted to after a random amount of time!! :P
I read the NIST document and noticed they mentioned a limitation of dd.
When copying, dd only copies entire blocks. If there is an incomplete block of information remaining at the end of the disk, for example, dd will not copy that last block at all.
Since dd defaults to a block size of 1024 bytes, and PC hard drives use a sector size of 512 bytes, this could happen. In this case, dd will not copy the final sector of the hard disk, as it is an incomplete block.
Because of a stupid decision made decades ago, traditional PC hard disk addressing uses 63 sectors per track, not 64. Therefore, odd total numbers of sectors are common. Modern addressing does away with CHS and just numbers all sectors from 0 to the end of the disk (many millions, in most cases). Still, because of the legacy of having 63 sectors per track, many disks have an odd total number of sectors.
It would be nice if dd had an option to correctly copy a partial block at the end of the source. If there is an incomplete block, it should simply copy one byte at a time until there are no more bytes to copy.
This would be easy to add to dd. Has it been done already? If so, it should be documented. Making it the default behaviour might break existing applications, so have it as an option that is highly recommended.
Dr. Demento On The 'Net!
/cydrive/c /cygdrive/d
I mod down any one who says "I'm sure I will get modded down for this"
From the dd(1) man page in GNU fileutils 4.1:
;)
bs=BYTES
force ibs=BYTES and obs=BYTES
ibs=BYTES
read BYTES bytes at a time
obs=BYTES
write BYTES bytes at a time
I guess the NIST guys just don't bother reading man pages.
http://crashrecovery.org/usa-v-zm-email.htm
cheers
Robert
I keep telling people - don't use Hotmail, the interface sucked last time I used it, wants you to use Passport before you can logon and seems to spend a lot of time down and generally unreliable (the EULA specifically said last time I read it) there is no guarantee of anything being there or anything working. However, for a terrorist or other undeisrable it seems perferct - no backups. None. Zilch. Zero. No way to recover from any failure other than rebuilding the file system where it was (IIRC from the last time Hotmail imploded). If it is still there you get lucky and the app can read your mail and you can get it, other than that you are dead.
The Singularity is closer than you think
Quant
Assuming of course, that your key is secure. You willing to bet on that?
~$ dd --version
dd (fileutils) 4.1
Written by Paul Rubin, David MacKenzie, and Stuart Kemp.
Copyright (C) 2001 Free Software Foundation, Inc.
It doesn't "just happen to be" in Linux. It's not like they got a copy of dd from AT&T or something, you know. They wrote their own, just like with everything else.
I have seen the future, and it is inconvenient.
Are you sure about that? I thought that published privacy policies were considered legal contracts..?
Unless your recovery efforts involve custom hardware, the disk image obtained with "dd", together with bad block information and drive geometry, contains every bit of information you are ever going to get out of that drive. Any software-based recovery working on that image is going to be equivalent to recovery working on the original drive.
Not so! Remember, when you're using dd, you're still using a relatively high level protocol to talk to the drive. If you can get the drive into a "test" mode, where you can talk to the actual registers on the drive, there's a heck of a lot more you can do. For example, on some drives, you could tweak the positional calibration registers and move the head fractional tracks, reading the data at each step, and maybe pick up some data at the edges of the track that wouldn't be picked up in the center. (You're hoping that there was a slight positional drift from when the data was written to when the data was erased).
Now actually getting the drive into "test" mode, talking to the registers, and knowing what the hell the registers actually do is very difficult; you're basicallly talking about documentation that only an engineer working at a drive manufacturer would have. (And of course, this stuff is all non-standard, since it's never supposed to be directly accessed...so each model or family of drives would have different capablilties) This is pretty much the definition of "deep magic." But for the select few who have access to that documentation, some amazing tricks are possible.
Well, you could go both ways on it. But I can't imagine how they could be. There's no specific law for them, as far as I know, and they don't fall under any other area of contract law (for many of the same reasons EULA's don't). Best you could do would be to sue for nebulous damages that arose from a website giving out your personal info, which you could do privacy policy or no, but you'd have an easier time in court if they had one they violated.
Actually, it's not even GNU/Linux dd. dd is part of the coreutils package and is written by the GNU folks; it has nothing to do with Linux, other than GNU/Linux happens to include coreutils, which includes dd.
So, it's GNU dd.
did I read in all the legal bullshit that all the FBI uses for verification is a CRC sum?
It's easy to defeat CRC - just add empty space to the end of each file until you get the result you want. SHA-1 or MD-5 is safe(ish), but a straight CRC is too easy to forge.
I wouddn't trust these disk copies with a bargegepole.
oh brave new world, that has such people in it!
wrong again.
Wrong in what way?
Are you suggesting that < and > won't substitute for if= and of=? Or perhaps you are suggesting that one must specify specific partitions to dd?
In either case, I'm not wrong. GNU dd, as provided by Linux distributions accepts < and >. And specifying a device rather than a partition is accepted, and works as expected. Everyone has used this same command form to make boot floppies, right?
And where are you getting the bit about a boot CD? I didn't say anything about a boot CD, nor did the parent to my post. The two issues are entirely orthogonal. Strange post all-around...or maybe just more subtle trolling.
A cookie for whomever get's that reference!
DAAARLING NO BAAKAAA!
Anyone whose even stepped foot into a "Computer Crimes" department (or whatever your local police call their Info Warriors) knows they have been using *nix since day 1 in forensics.
/. wants to convey?
This is not news, and the idea we should be getting all excited over this suggests that *nix is such a desperatly useless pos as to warrant mass praise whenever anyone actually finds a use. Is that really the message
yeah but the point is that they are professionals..they should be opening the hard drive in a lab and imaging it with a MFM microscope.
It seems kind of ridiculous to me to consider the "idea" of a block copying utility to be more important than the implementation. You could say they got the idea for dd from Unix and I wouldn't mind, but it's not right to say they got the actual software from there. It's harder to write it then to think it up.
BSD didn't get their software from AT&T Unix either. I don't understand what you mean? I personally don't give a damn that there's this "BSD project" and this "GNU project" out there, since I can use software from both of them on my computer. I see the two as in collaboration rather than competition, since they both promote free Unix. It's not like Apple versus Microsoft, it's just different groups of people doing different parts of the same cause. Get over it.
I have seen the future, and it is inconvenient.
Keep your Eye on the Ball,
Your Shoulder to the Wheel,
Your Nose to the Grindstone,
Your Feet on the Ground,
Your Head on your Shoulders.
Now... try to get something DONE!
- this post brought to you by the Automated Last Post Generator...