File Systems for Electronic Surveillance Devices?

An anonymous reader asks: "A friend recently discovered that her vehicle had been bugged by the police (for reasons I won't go into here). It seems the set-up had been wired into the car's electronics, so that whenever the car was going the microphones were recording the occupants' conversations. Unfortunately I didn't get to see everything she recovered, as she was a bit exuberant in her removal and disposal. However, I have been given a 20G Fujitsu notebook hard drive and some kind of audio processing chip from a manufacturer by the name of Topoint, and have been asked if I can examine the contents. You can read on to hear about my efforts so far, but I have several questions: If the surveillance device came from a vendor, what kind of file system might they use, and if - as I suspect - it is encrypted, do I have any options other than writing zeros over the drive and putting it to less controversial use?" "Not knowing what to do with the audio chip, I focused on the notebook hard drive. I got an adapter, connected it as master on my desktop and booted up. After checking the BIOS to see if the drive was recognised (it was), I was presented with a full-screen simple line diagram showing the floppy drive slot, a floppy with an arrow in front of it and across the bottom, the F keys with the F1 key depressed. Hitting F1 with or without entering a disk resulted in 'Non-system disk error...' So much for the direct approach.

Next I set the drive as slave and booted Linux (Mandrake and then a few Live CDs), but the drive contents weren't recognised due to the lack of a partition table. So, I kept it as slave and ran a few forensic and data recovery tools in Windows: DFSee and tools from Mare Software and Runtime Software. I couldn't recognize the file system or recover anything from the drive with these, so I figure it isn't formatted with any of the standard FAT, FAT32, HPFS, NTFS, JFS, EXT2/3 or REISER file systems. I've kind of reached the limit of my abilities here, but my curiosity has been stoked.

Does anyone have any suggestions or comments - useful or otherwise? To anticipate a few in advance: Yes, listening devices might well run Linux. We're not in the US and are more interested in human rights than terrorism. My friend obviously knows most of what has been recorded, but wants to figure out how long the bug was in place."

Let me get this straight:

[Anonymous+Crowhead]

They bugged her car with a 20G laptop harddrive?

I smell bullshit.

Either way, what you are doing is a aiding and abetting. You should give it back to her after wiping your prints off it.

Re:Let me get this straight:

[fm6]

They bugged her car with a 20G laptop harddrive? I smell bullshit.

Why? A bug has to store its recordings somewhere. Despite what you see on The Sopranos, radio links are unreliable and do not produce quality recordings. There are alternatives for storage such as Flash ROM, but none of them have any really compelling advantages. A notebook drive is small enough to conceal easily amongst all the hardware under the hood of a car. 20 GB is probably overkill, but nowadays it's hard to buy hard drives smaller than that.

If you were designing a car bug, what would you use for storage?

Re:Let me get this straight:

[phUnBalanced]

If you were designing a car bug, what would you use for storage?

Something without moving parts.

Re:Let me get this straight:

[benjamindees]

what you are doing is a aiding and abetting.Aiding *what*? Sounds like the friend discovered a hard drive in her car and decided to keep it, which is perfectly reasonable.

Last time I checked it still isn't a crime to disassemble your own property, despite what Lexmark says.

Sounds like the dipshits who can't even spy on people without being discovered lost the right to their harddrive.

Re:Let me get this straight:

[uofitorn]

IF the submitter took advice from a helpful comment, would the poster be aiding and abetting as well?

"Data Recovery"

[vancera]

It would be fun to send that drive to one of those data recovery outfits that do free quotes. They are the pros, they might see something you might miss.

Re:Whose property is it?

[trick-knee]

> Anyone know any precedent for that one?

eh, any precedent would be country-specific anyway. and he ain't tellin' which country, for obvious reasons.

Investigate the audio chip first

[DavidYaw]

Assuming the audio chip has a part number on it, try to get the datasheet from the manufacturer. See what format data it outputs, and perhaps the data on the hard drive is raw output from the audio chip. (If the audio chip's native format is 12 bit, 8k samples/sec, then that might be what's on the HD. If the audio chip supports some sort of audio compression, etc...)

A reasonable first step would be to try to take the entire contents of the drive and send it out your sound card... (dd /dev/hdb /dev/audio or something like that (I'm not a Linux guy)). If the HD was used just to dump raw wave data to, you'll hear something (possibly squeaky voices if it's the wrong format, but you'll be able to tell there's something there). Even if there's a filesystem of some sort that you can't interpret, that would just be noise at the beginning of the playback, before it got to the real audio.

If it really is encrypted, then you'd have to do some sort of cryptanalysis, and I have no idea how to even begin cryptanalysis on audio data. At that point, I say open the HD up and scrape the platters until they're shiny silver instead of shiny brown.

Re:First, make a copy!

[fm6]

(assuming you have free 20G on your HDD)

If he doesn't, he should spend a few bucks on a new disk before proceeding. Working off a copy is absolutely mandatory for something like this.

Re:Neat, but you might want to talk to a lawyer...

[Saeed+al-Sahaf]

Perhaps I should start a pool as to when /. posts the article about a person who was arrested for interfering in an investigation and tampering with police property?

If it isn't marked, who's to know who it belongs to or who installed it? We can make educated assumptions, but unless it says "Property of XYZ Police Department", who knows? And even than, it's in your car, without your permission, what the hell do you know why it's there?

But, I think this post is a load of shit from someone who wants to see some data on a stolen drive that has nothing to do with any "investigation", and probibly came from a stolen laptop owned by the company this person works for.

Is it really audio?

[Jah-Wren+Ryel]

Are you sure it was really used to record audio? I would think they would want to hear what people say when the car is turned off too. Just running the chip 100% of the time and only recording to disk when there is actual audio would make sense and should be a low enough power draw to avoid draining the car battery if she drives it more than once a week.

Maybe it is some sort of location/gps recorder. The car should not move when turned off, so wiring it to the ignition/accessories circuits makes more sense and the "microphone(s)" were actually gps antennae. Plus, maybe the name on the chip is really "Topo Int" as in short for "topographic intelligence."

I want to know more about how she discovered it. Where was it exactly and what made her decide to look in the first place?

Get a lawyer.

[rjh]

Get a lawyer.

No, no, not later. Not in a couple of days. Close your browser window right now and go talk to a lawyer before you wind up spending five-to-ten in Federal pound-me-in-the-ass prison.

What are you, mental?

Do you have any idea how few eavesdropping devices are planted each year? Do you have any idea how much legal rigamarole law-enforcement has to do to actually do a B&E and plant bugs? We already know law-enforcement cares enough about the situation to do God knows how much paperwork: do you think they'll just say "oh, good catch, you got us, don't worry, you can go free"?

And then, to make matters worse, you post on Slashdot where you acknowledge that you know the material is evidence in an ongoing investigation and ask for help in tampering with it?

Let me say this one more time: you are not 1337. You are not too cool for school. You are not immune to prosecution.

At some point they're going to want that information. They're going to discover that it's been removed from the car. At that point, they know they don't need to be subtle--someone already knows they were bugging. So they're going to haul in your friend and point out just how long five years in a Federal penitentiary is, and they're going to ask her--probably her, directly, since if she's anything like you she's dumb enough not to want a lawyer present--what she did with it. If she cooperates, they'll play nice. If she doesn't, well... hey. One more conviction in the old win-loss book is always a good thing.

And then they're going to come after you. And when they get to you, you're not going to have anyone you can rat out on. You're going to be left holding the Fuck-Me-Harder bag.

Get a lawyer right now. Not later. Not in an hour. RIGHT. NOW.

And grow up, while you're at it.

Re:Get a lawyer.

[hrieke]

No, some just take you out back and put a bullet in your head just for the hell of it.

Now let's say that the AC posting this story lives in an enlighted country, he will end up in front of a judge and jurry here before long. You don't screw around with investigations.