Slashdot Mirror


File Systems for Electronic Surveillance Devices?

An anonymous reader asks: "A friend recently discovered that her vehicle had been bugged by the police (for reasons I won't go into here). It seems the set-up had been wired into the car's electronics, so that whenever the car was going the microphones were recording the occupants' conversations. Unfortunately I didn't get to see everything she recovered, as she was a bit exuberant in her removal and disposal. However, I have been given a 20G Fujitsu notebook hard drive and some kind of audio processing chip from a manufacturer by the name of Topoint, and have been asked if I can examine the contents. You can read on to hear about my efforts so far, but I have several questions: If the surveillance device came from a vendor, what kind of file system might they use, and if - as I suspect - it is encrypted, do I have any options other than writing zeros over the drive and putting it to less controversial use?"

"Not knowing what to do with the audio chip, I focused on the notebook hard drive. I got an adapter, connected it as master on my desktop and booted up. After checking the BIOS to see if the drive was recognised (it was), I was presented with a full-screen simple line diagram showing the floppy drive slot, a floppy with an arrow in front of it and across the bottom, the F keys with the F1 key depressed. Hitting F1 with or without entering a disk resulted in 'Non-system disk error...' So much for the direct approach.

Next I set the drive as slave and booted Linux (Mandrake and then a few Live CDs), but the drive contents weren't recognised due to the lack of a partition table. So, I kept it as slave and ran a few forensic and data recovery tools in Windows: DFSee and tools from Mare Software and Runtime Software. I couldn't recognize the file system or recover anything from the drive with these, so I figure it isn't formatted with any of the standard FAT, FAT32, HPFS, NTFS, JFS, EXT2/3 or REISER file systems. I've kind of reached the limit of my abilities here, but my curiosity has been stoked.

Does anyone have any suggestions or comments - useful or otherwise? To anticipate a few in advance: Yes, listening devices might well run Linux. We're not in the US and are more interested in human rights than terrorism. My friend obviously knows most of what has been recorded, but wants to figure out how long the bug was in place."

8 of 136 comments

  1. First, make a copy! by PaulBu · Score: 4, Informative

    dd if=/dev/hdb of=/home/me/image

    (assuming you have free 20G on your HDD)

    Then try file /home/me/image -- if disk was used just to dump data, you might as well see that it is a WAV file.

    Then try strings /home/me/image|less and see if you notice anything special. If all your strings will be 4-letter random words, most probably it is encrypted and you are out of luck. Or maybe not, if they used something like XOR -- try building a histogram of the byte value distribution. If it is flat -- well, then you are screwed with a well-encrypted disk, and your best bet is to secretly ship the disk to a TLA of your country's adversary. ;-)

    Paul B.

    1. Re:First, make a copy! by BJH · Score: 2, Informative

      If you're living in the US, you might not be aware of it, but most major US retail sites make it quite difficult for people overseas to utilise their services.
      For example, they refuse to allow the use of credit cards with a billing address outside the US, require a copy of the front and back of the card to be sent to them by snailmail, charge absolutely exorbitant shipping rates (I'm talking $US40 for non-express shipping on a $US100 item that's no bigger than a hardback book), and that sort of thing.

    2. Re:First, make a copy! by Dr.+Evil · Score: 2, Informative

      Don't forget customs brokerage and the occasional secondary shipping charge for customs to intercept, find nothing and send it on its way.

  2. Re:Investigate the audio chip first by mkavanagh2 · Score: 1, Informative

    Be careful when opening HDDs, though; they contain sharp edges on the casing, since they're precision made to be airtight. I have a cool scar where I nearly cut my fucking knuckle off on a harddrive casing.

  3. Re:Hmm by ar32h · Score: 5, Informative

    Toppoint may build custom chips / build clone chips.
    Any/all numbers on the chip would probably be more useful than the manufacturer's name.

    Also, and perhaps a red herring, could the device in question be the product found here?
    It is a GPS tracker with audio recording capability. It also happens to take 20G drives and uses a SOIC for control.
    It may be a jump, but Toppoint could have been the board builder.

  4. Exact same thing happened to me. by Perdo · Score: 3, Informative

    And unless you want to be charged as an accessory after the fact or evidence tampering, you will get far, far away from that woman, even if the sex is good.

    No, really.

    --

    If voting were effective, it would be illegal by now.

  5. Re:Things to try by Anonymous Coward · Score: 1, Informative

    Plot the data in both 2D and 3D and look for any patterns. (Encrypted data shouldn't have any.)

    Plot what vs. what (vs. what)? As for randomness, well-compressed data won't have any patterns either!

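
    The histogram check PaulBu suggests above, together with this comment's caveat that well-compressed data is just as flat, as an added example that is not code from the thread: it takes a raw image such as the dd output, runs a minimal file-style signature check for the WAV header and MBR signature the thread mentions, and labels each chunk by byte entropy. All sample inputs are constructed; the thresholds (1.0 and 7.5 bits/byte) are assumptions.

```python
import math
import random

def byte_histogram(data: bytes) -> list:
    """Count of each byte value 0..255 (the 'histogram of byte values')."""
    hist = [0] * 256
    for b in data:
        hist[b] += 1
    return hist

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for all-identical bytes, near 8.0 for encrypted or compressed data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in byte_histogram(data) if c)

def chi_square(data: bytes) -> float:
    """Flatness vs. a uniform histogram (~255 for random bytes); a single-byte XOR only permutes bins, so it does not change this."""
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in byte_histogram(data))

def known_signature(data: bytes):
    """Minimal 'file'-style check for the two formats the thread mentions."""
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "WAV audio"
    if len(data) >= 512 and data[510:512] == b"\x55\xaa":
        return "MBR/partition table"
    return None

def classify(data: bytes) -> str:
    """Label one region of the image by signature first, then by entropy (thresholds are assumptions)."""
    sig = known_signature(data)
    if sig:
        return sig
    h = shannon_entropy(data)
    if h < 1.0:
        return "empty/sparse"
    if h < 7.5:
        return "structured (plaintext, simple XOR, or raw media)"
    return "high entropy (encrypted or compressed; histogram cannot tell which)"

def triage_image(image: bytes, chunk: int = 4096) -> list:
    """Classify each chunk to map where on the drive the data actually sits."""
    return [classify(image[i:i + chunk]) for i in range(0, len(image), chunk)]

# Constructed sample inputs (not real drive contents): seeded random bytes stand in for an encrypted region, repeated text for a plaintext one.
SAMPLE_RANDOM = random.Random(7).randbytes(8192)
SAMPLE_TEXT = b"the quick brown fox jumps over the lazy dog " * 100
```

    Run triage_image over the whole dd image with a larger chunk to see which regions are blank, which carry structure, and which are flat; only the signature check, not the histogram, separates a compressed recording from an encrypted one.
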
  6. Shred by Pan+T.+Hose · Score: 1, Informative

    A) How in the hell can they read zeroes? Perhaps if you *deleted* the data (i.e. on an OS level) they can read it, but I doubt that if you filled the drive with zeros they could do anything.

    In short, there are no "ones" or "zeroes" on your hard drive, but only certain signals that represent them. Somewhat oversimplifying, when you write 1 over 1, the value is slightly larger than 1 written over 0.

    It doesn't matter for the hard drive as long as both are well over a certain threshold and will never get confused with 0. But when you subtract a perfect 1 from all of the "ones" on the hard drive (and leave the "zeroes" alone), then you will get a weak signal which is a shadow of the previous data. Amplify it and you have more or less the same signal that was there before the overwriting.

    You can do it once more and get the data before that, and repeat it until you hit the limitation of your equipment's sensitivity and the noise of the signal itself, but recovering a few generations of data is usually possible, and recovering the previous data is trivial, especially when you deleted it with zeroes, so you don't even have to bother with removing the 1s.

    That is why I always run:

    shred -vz /dev/hda

    before I stop using any hard drive.

    B) Assuming they can, destroy it in some other way.

    From info shred:

    The best way to remove something irretrievably is to destroy the media it's on with acid, melt it down, or the like. For cheap removable media like floppy disks, this is the preferred method. However, hard drives are expensive and hard to melt, so the `shred' utility tries to achieve a similar effect non-destructively. This uses many overwrite passes, with the data patterns chosen to maximize the damage they do to the old data. [...]

    Shred is available in GNU fileutils.

    See also the paper Secure Deletion of Data from Magnetic and Solid-State Memory by Peter Gutmann, first published in the Sixth USENIX Security Symposium Proceedings, San Jose, California, July 22-25, 1996.

    Abstract: With the use of increasingly sophisticated encryption systems, an attacker wishing to gain access to sensitive data is forced to look elsewhere for information. One avenue of attack is the recovery of supposedly erased data from magnetic media or random-access memory. This paper covers some of the methods available to recover erased data and presents schemes to make this recovery significantly more difficult. [emphasis added]

    Introduction: [...] In the 1980's some work was done on the recovery of erased data from magnetic media, but to date the main source of information is government standards covering the destruction of data. There are two main problems with these official guidelines for sanitizing media. The first is that they are often somewhat old and may predate newer techniques for both recording data on the media and for recovering the recorded data. For example most of the current guidelines on sanitizing magnetic media predate the early-90's jump in recording densities, the adoption of sophisticated channel coding techniques such as PRML, the use of magnetic force microscopy for the analysis of magnetic media, and recent studies of certain properties of magnetic media recording such as the behaviour of erase bands. The second problem with official data destruction standards is that the information in them may be partially inaccurate in an attempt to fool opposing intelligence agencies (which is probably why a great many guidelines on sanitizing media are classified). By deliberately under-stating the requirements for media sanitization in publicly-available guides, intelligence agencies can preser

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."