Slashdot Mirror
File Systems for Electronic Surveillance Devices?
An anonymous reader asks: "A friend recently discovered that her vehicle had been bugged by the police (for reasons I won't go into here). It seems the set-up had been wired into the car's electronics, so that whenever the car was going the microphones were recording the occupants' conversations. Unfortunately I didn't get to see everything she recovered, as she was a bit exuberant in her removal and disposal. However, I have been given a 20G Fujitsu notebook hard drive and some kind of audio processing chip from a manufacturer by the name of Topoint, and have been asked if I can examine the contents. You can read on to hear about my efforts so far, but I have several questions: If the surveillance device came from a vendor, what kind of file system might they use, and if - as I suspect - it is encrypted, do I have any options other than writing zeros over the drive and putting it to less controversial use?"
"Not knowing what to do with the audio chip, I focused on the notebook hard drive. I got an adapter, connected it as master on my desktop and booted up. After checking the BIOS to see if the drive was recognised (it was), I was presented with a full-screen simple line diagram showing the floppy drive slot, a floppy with an arrow in front of it and across the bottom, the F keys with the F1 key depressed. Hitting F1 with or without entering a disk resulted in 'Non-system disk error...' So much for the direct approach.
Next I set the drive as slave and booted Linux (Mandrake and then a few Live CDs), but the drive contents weren't recognised due to the lack of a partition table. So, I kept it as slave and ran a few forensic and data recovery tools in Windows: DFSee and tools from Mare Software and Runtime Software. I couldn't recognize the file system or recover anything from the drive with these, so I figure it isn't formatted with any of the standard FAT, FAT32, HPFS, NTFS, JFS, EXT2/3 or REISER file systems. I've kind of reached the limit of my abilities here, but my curiosity has been stoked.
Does anyone have any suggestions or comments - useful or otherwise? To anticipate a few in advance: Yes, listening devices might well run Linux. We're not in the US and are more interested in human rights than terrorism. My friend obviously knows most of what has been recorded, but wants to figure out how long the bug was in place."
Next I set the drive as slave and booted Linux (Mandrake and then a few Live CDs), but the drive contents weren't recognised due to the lack of a partition table. So, I kept it as slave and ran a few forensic and data recovery tools in Windows: DFSee and tools from Mare Software and Runtime Software. I couldn't recognize the file system or recover anything from the drive with these, so I figure it isn't formatted with any of the standard FAT, FAT32, HPFS, NTFS, JFS, EXT2/3 or REISER file systems. I've kind of reached the limit of my abilities here, but my curiosity has been stoked.
Does anyone have any suggestions or comments - useful or otherwise? To anticipate a few in advance: Yes, listening devices might well run Linux. We're not in the US and are more interested in human rights than terrorism. My friend obviously knows most of what has been recorded, but wants to figure out how long the bug was in place."
I would try grabbing the data off of the drive as an image, then "playing" the image as if it were one large audio file.
Good for you man! Just be thankful you're not in the US or your attempt to reverse-engineer the audio encryption could land you in prison.
They bugged her car with a 20G laptop harddrive?
I smell bullshit.
Either way, what you are doing is a aiding and abetting. You should give it back to her after wiping your prints off it.
Ok, so you've got a hard drive that was a part of a criminial investigation on your hands. And you are trying to get the data off it, which, while fun, sure, is interfering with said criminal investigation.
So then you go and post on Slashdot about how best to hack the hardware you have in hand.
I think you have bigger probems than the technical ones you are facing. Get a lawyer.
http://radio.weblogs.com/0103443/
...is how she discovered the bug? Just random digging through the car's guts one day, or was there something suspicious that tipped her off? If there's a way of spotting it, that sort of info could be useful to the rest of us. For that matter, how would you even tell this wasn't just part of the car's electronics if you weren't a mechanic?
Sounds like a fun little project and I wish you the best of luck, but someone should point out that what you are doing may be considered as some form of interferance with the law, and at the very least you will be making some detectives at the PD very unhappy. I think I would wash my hands of it and return it to the friend... stay out of it. Or if you have good reason to get involved in it, you should probably consult a lawyer before you go any farther.
/. posts the article about a person who was arrested for interfering in an investigation and tampering with police property?
Perhaps I should start a pool as to when
I would find it a hard choice to make myself -- just on the coolness factor, but use some common sense before you find yourself in hot water!
More Caffeine. NOW
dd if=/dev/hdb of=/home/me/image
/home/me/image -- if disk was
/home/me/image|less and see if you notice anything special. If all your strings will be 4-letter random words, most probably it is encrypted and you are out of luck. Or maybe not, if they used something like XOR -- try building a hystogram of byte values distribution. If it is flat -- well, then you are screwed with a well-encrypted disk, and your best bet is to secretly ship the disk to a TLA of your country's adversary. ;-)
(assuming you have free 20G on your HDD)
Then try file
used just to dump data, you might as well see that it is a WAV file.
Then try strings
Paul B.
It would be fun to send that drive to one of those data recovery outfits that do free quotes. They are the pros, they might see something you might miss.
If the drive does lack a file system there will most likely have been a header written at the start of each 'session' possibly with a timestamp. Have you tried looking for repeating patterns in the raw data that might delineate chunks of audio.
/dev/hdb /dev/hdb > /dev/dsp
Two things to try (assuming you have the drive as hdb.
1. strings
2. cat
You never know, they may have been that lazy.
If the police bug your car, do they still own the bug, or have they abandoned the property? Anyone know any precedent for that one?
Forget reading the data.
Format the whole thing with fat32
Fill the entire drive with gay porn.
Reinstall in car.
Assuming the audio chip has a part number on it, try to get the datasheet from the manufacturer. See what format data it outputs, and perhaps the data on the hard drive is raw output from the audio chip. (If the audio chip's native format is 12 bit, 8k samples/sec, then that might be what's on the HD. If the audio chip supports some sort of audio compression, etc...)
/dev/hdb /dev/audio or something like that (I'm not a Linux guy)). If the HD was used just to dump raw wave data to, you'll hear something (possibly squeaky voices if it's the wrong format, but you'll be able to tell there's something there). Even if there's a filesystem of some sort that you can't interpret, that would just be noise at the beginning of the playback, before it got to the real audio.
A reasonable first step would be to try to take the entire contents of the drive and send it out your sound card... (dd
If it really is encrypted, then you'd have to do some sort of cryptanalysis, and I have no idea how to even begin cryptanalysis on audio data. At that point, I say open the HD up and scrape the platters until they're shiny silver instead of shiny brown.
First, if you encounter something like this in the future, don't try to boot from it. (It's always possible there could be code to detect an unauthorized machine and start deleting itself.)
Next, as another poster suggested, use dd to get a copy of the disk. Make a few copies while you're at it, and write them to DVDs, DLTs, or some other media.
Finally, do the processing. Here are some ideas:
Write all zeros to the drive, then put it back in the car. Drive around for set intervals of time (100 minutes, 200 minutes, etc.) then pull the data from the drive to see how much was filled up. (Hint: it's from the start of the drive to where the long string of zeros starts.) Try it with minimal noise, try it with talking, and try it with music.
Run 'file' or 'strings' on the image. Try catting it to your sound device. Plot the data in both 2D and 3D and look for any patterns. (Encrypted data shouldn't have any.)
And unless you want to be charged as an accessory after the fact or evidence tampering, you will get far, far away from that woman, even if the sex is good.
No, really.
If voting were effective, it would be illegal by now.
you only want to know how long, you say? easy. just look for the stamp or sticker that gives the date of insta ... oh, wait, you said you were outside the US? nevermind then....
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Check for UFS variants (UFS, FFS, UFS2). Pico and NanoBSD are popular choices for really small single-purpose devices.
"Shiny brown? Uhhh. What kinda data do you store in "shiny brown" medium?"
This story, and most of the comments.
Personally I would physically destroy it. As in place it in a crucible and turn it into a sculpture of something else.
The FBI can read disks after being erased 7 times. (Or so they have admitted. Technology has changed since then so I don't know what the current abilities are) SRM (secure rm, google it) might be able to do something, but when the police are after me I wouldn't trust it.
Note when I say destroy it, I don't mean you do it. I mean she should do this. You don't want to be charged with anything.
they're precision made to be airtight.
...
Not so. If they were airtight, they wouldn't have the little filter holes, and they wouldn't have a maximum operating altitude.
But they do have sharp edges
Infuriate left and right
Are you sure it was really used to record audio? I would think they would want to hear what people say when the car is turned off too. Just running the chip 100% of the time and only recording to disk when there is actual audio would make sense and should be a low enough power draw to avoid draining the car battery if she drives it more than once a week.
Maybe it is some sort of location/gps recorder. The car should not move when turned off, so wiring it to the ignition/accessories circuits makes more sense and the "microphone(s)" were actually gps antennae. Plus, maybe the name on the chip is really "Topo Int" as in short for "topographic intelligence."
I want to know more about how she discovered it. Where was it exactly and what made her decide to look in the first place?
When information is power, privacy is freedom.
Well, considering you posted to Slashdot, I would assume that either you don't care if the authorities find out that their "bug" has been reappropriated, or perhaps you wish to blatenly rub that fact in their face? If your friend can be reasnoably certain that the bug did not capture any sensitive conversation (which I might guess is the case by her willingness to trust you with the drive rather than destrying it outright), then why not post a torrent? I'm sure plenty of amatuer and moonlight crypanalysists, file-system and audio engineers would love to check that data out. You can use "cat /dev/hdb | gzip > /image.gz" to pull the image off the drive, compress it, and dump it into a file which you could then release to the public.
Most filesystems store data at the lowest level in a more-or-less raw format on the disk for performance reasons. (on-the-fly compression or encryption is CPU intensive) Even something like ReiserFS would have chunks of recognizable (though perhaps out-of-order) raw audio file visible on the drive. Try feeding the output to your sound card. A good way to do this would be with "SoX" (Sound eXchange, an audio conversion tool for linux... "apt-get install sox"). SoX comes with "play" a command which basically just sends data to the sound card, and for raw data allows you to specify what format (8 bit or 16 bit? 22khz or 48khz?) it should play the audio at. Also if you suspect something other than 8 or 16 bit, try bitshifting the sample a couple times so that the first sample begins on a byte boundry.
Another useful tool is called "ent", which applies a number of entropy tests to a sample. True raw audio data should have only some entropy. Blank filesystem structure should have almost no entropy. Encrypted or very highly compressed data will appear to be almost entirely entropy. ("apt-get install ent" on Debian or Knoppix)
You could anylise the drive in chunks to see how much is filled with medium entropy (uncompressed audio), how much is high entropy (encrypted or compressed data) and how much has almost no entropy (empty space), and using this statistic in conjunction with any info you can find on the sample rate and number of bits from the chip, calculate how much audio is stored on the drive, and thus how long it has been installed.
I've seen that "line-drawing" before. It is probably just your BIOS telling you it can't find a boot sector on the drive. (which isn't terribly supprising) But if the people who made the device were particularily nefarious, it could be a fake splash screen which only *looks* like your BIOS, at which you must enter the secret code to proceed into the true playback application. (But that's almost too far-fetched to be a possibility. almost...) If you really wanted to eliminate that possablity, you would use hexedit (apt-get install hexedit) to look at the first sector for the magic number. it should be at the end of the sector (offset of 512k minus 4 I think), but I can't remember off the top of my head what the magic number is supposed to be for bootable i386 media. If the magic number is not there, that splash screen is just your BIOS. (Also a good way to check for stealth-boot-sector viruses. >:-} )
Anyway, good luck, and I hope you have firm legal ground to stand on where you are. Be careful. Angry Feds are not a pleasant thing.
LOL, she just tore out her dealer-installed Lo-Jack system. I'd hate to be her at the end of her lease term....
You may effectively disabled a factory-installed diagnostic set that was installed in every N car by its automotive engineering team.
When the dealer gets the flag based on your VIN, then he proceeds to replace it.
Never power up a suspected drive. Always treat it as a computing forensic evidence and process it accordingly.
Boot partition checkout (try all 18 of them). If that fails, entropy is the first stage of resolution.
Partition identification will take you a long way.
Only google on Topoint is in mainland China,
Check out http://www.topoint.com.cn/
The kind of people who steal laptops for industrial espionage can hire top-flight expertise. They don't need to Ask Slashdot.
Time is Nature's way of keeping everything from happening at once... the bitch.
DBAN even has a bootable cd to do the job, and a custom number of times.
...if they had gone to the trouble to bug the ride, that the crib and the phone, etc would be bugged as well?
You might want to be looking more places than those small platters right now....
Get a lawyer.
No, no, not later. Not in a couple of days. Close your browser window right now and go talk to a lawyer before you wind up spending five-to-ten in Federal pound-me-in-the-ass prison.
What are you, mental?
Do you have any idea how few eavesdropping devices are planted each year? Do you have any idea how much legal rigamarole law-enforcement has to do to actually do a B&E and plant bugs? We already know law-enforcement cares enough about the situation to do God knows how much paperwork: do you think they'll just say "oh, good catch, you got us, don't worry, you can go free"?
And then, to make matters worse, you post on Slashdot where you acknowledge that you know the material is evidence in an ongoing investigation and ask for help in tampering with it?
Let me say this one more time: you are not 1337. You are not too cool for school. You are not immune to prosecution.
At some point they're going to want that information. They're going to discover that it's been removed from the car. At that point, they know they don't need to be subtle--someone already knows they were bugging. So they're going to haul in your friend and point out just how long five years in a Federal penitentiary is, and they're going to ask her--probably her, directly, since if she's anything like you she's dumb enough not to want a lawyer present--what she did with it. If she cooperates, they'll play nice. If she doesn't, well... hey. One more conviction in the old win-loss book is always a good thing.
And then they're going to come after you. And when they get to you, you're not going to have anyone you can rat out on. You're going to be left holding the Fuck-Me-Harder bag.
Get a lawyer right now. Not later. Not in an hour. RIGHT. NOW.
And grow up, while you're at it.
Parent has it right. The Advanced Hex Editor (AXE) has this functionality. Lots of fun when looking at uncompressed graphic formats like icons stored in executables. :)
:)
Grab a few megs from the start of the disk and use sox, the sond exchange to tack audio headers onto it, and try various codec conversions, endian swaps, etc.
There's every chance that the audio chip was interfaced to the drive very simply, as you theorized, without a filesystem. I'm aware of a product which lets you access an ATA device via RS232, it's called the StampDrive. As far as I can tell, it's a PICmicro that's been taught a basic subset of the ATA spec, and it acts as a storage broker for any device that can speak async serial.
People who build their own dataloggers have lots of experience with this sort of dirt-cheap interfacing. Your audio bug is, after all, just a specialized datalogger. A few minutes with a search engine should find plenty of info on the subject.
Post back with any success stories.
Yah, drag it to iTunes!
Billy
If most of the data on the drive is raw audio, that could work anyway, apart from choppiness when you get to a file information.
I mean, there are some people that would define Al Queda's actions as defending the human rights of the Middle East. Sinn Féin is a political party, but it has deep ties to the IRA. Not every one is what they say they are, or what they tell themselves they are.
This signiture copied from somewhere.
OK, we've had lots of clever answers about what can be done with this hard drive but so far I haven't seen the most important question being asked. So I'll ask if for you.
WHY WAS YOUR FRIEND BEING BUGGED?
Getting something done like this is not easy and whoever planted the listening device in your friends car went to a load of trouble just to hear her conversations. Government authorities do not bug people just for fun, so what is it that your friend has done to make the Feds (or whoever they are) notice her?
Ed Almos
Budapest, Hungary
The more corrupt the state, the more numerous the laws. - Tacitus, 56-120 A.D.
So don't say 'Federal'- we don't know if that applies. Don't tell them to get a lawyer- it may not matter. Either post relevant info or slink off with a slightly queasy feeling in your stomach.
I hope they're innocent in whatever they are doing, but I'd rather not see a real criminal get helped here. But I can't stop anyone, either.
It's HIM (well, her) who owns copyright on data recorded there.
Go figure...
In short, there are no "ones" or "zeroes" on your hard drive, but only certain signals that represent them. Somewhat oversimplifying, when you write 1 over 1, the value is slightly larger than 1 written over 0.
It doesn't matter for the hard drive as long as both are well over certain threshold and will never get confused with 0. But when you subtract a perfect 1 from all of the "ones" on the hard drive (and leave the "zeroes" alone), then you will get a weak signal which is a shadow of the previous data. Amplify it and you have more or less the same signal that was there before the overwriting.
You can do it once more and get the data before that, and repeat it until you hit the limitation of your equipment sensitivity and the noise of the signal itself, but recovering few generations of data is usually possible, and recovering the previous data is trivial, especially when you deleted it with zeroes, so you don't even have to bother with removing the 1s.
That is why I always run:
shred -vz /dev/hda
before I stop using any hard drive.
From info shred:
Shred is available in GNU fileutils.
See also Secure Deletion of Data from Magnetic and Solid-State Memory paper by Peter Gutmann, first published in the Sixth USENIX Security Symposium Proceedings, San Jose, California, July 22-25, 1996.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Thanks for a great post, I think I'll start using shred now. Thanks!
I think it is just as likely that the guy's friend is being illegally spied on by a private investigator or an individual. If this was police property and the bug was legal and there was a warrant then I think they would have heard from the cops already.
using plausible guesses for data rate and integer width.
The ear and brain are very good at hearing patterns and extracting information.
In the days of analog "scrambling" it turned out that it was extremely difficult to scramble speech in such a way as to make it unrecognizable; all sorts of plausible-sounding signal transformations could be interpreted by ear with practice.
It's worth a try. At the beginning, don't spend a lot of time trying to figure out whether you're decoding it properly. Just do _something_ that will get data off the disk and into a speaker _quickly_ and listen to samples.
"How to Do Nothing," kids activities, back in print!
yes... except for the fact that the poster actually states that the recording device was taken apart inexpertly. So I don't think it's possible to reinsert the drive and get an operational configuration.
He/She found a hard drive in a car. How can the police prove that he/she knew that it was police/government property? Does it have "property of the police" stamped on it? Also, how is the device "stolen"? It was found in the person's car. They didn't steal it from some house, or from someone else's car. If I find an item in my car, am I stealing it if I remove it? What am I supposed to do, leave it there? I would say that whoever installed the device in the car is the person doing the stealing, because it uses the car's power to operate, and thus uses gasoline that the car's owner paid for.
but if you're in this sort of situation in the us, and are being targetted as a political activist, you probably want to talk to the national lawyer's guild. www.nlg.org.
If she's in the EU, she should consider Art. 8 European Convention on Human Rights.
Article 8 - Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
If she's in the UK, there's RIPA 2000 and he's fucked.
Or did you think that the entire world was on EST?
"Avoid employing unlucky people - throw half of the pile of CVs in the bin without reading them." -- David Brent