Slashdot Mirror


File Systems for Electronic Surveillance Devices?

An anonymous reader asks: "A friend recently discovered that her vehicle had been bugged by the police (for reasons I won't go into here). It seems the set-up had been wired into the car's electronics, so that whenever the car was going the microphones were recording the occupants' conversations. Unfortunately I didn't get to see everything she recovered, as she was a bit exuberant in her removal and disposal. However, I have been given a 20G Fujitsu notebook hard drive and some kind of audio processing chip from a manufacturer by the name of Topoint, and have been asked if I can examine the contents. You can read on to hear about my efforts so far, but I have several questions: If the surveillance device came from a vendor, what kind of file system might they use, and if - as I suspect - it is encrypted, do I have any options other than writing zeros over the drive and putting it to less controversial use?"

"Not knowing what to do with the audio chip, I focused on the notebook hard drive. I got an adapter, connected it as master on my desktop and booted up. After checking the BIOS to see if the drive was recognised (it was), I was presented with a full-screen simple line diagram showing the floppy drive slot, a floppy with an arrow in front of it and across the bottom, the F keys with the F1 key depressed. Hitting F1 with or without entering a disk resulted in 'Non-system disk error...' So much for the direct approach.

Next I set the drive as slave and booted Linux (Mandrake and then a few Live CDs), but the drive contents weren't recognised due to the lack of a partition table. So, I kept it as slave and ran a few forensic and data recovery tools in Windows: DFSee and tools from Mare Software and Runtime Software. I couldn't recognize the file system or recover anything from the drive with these, so I figure it isn't formatted with any of the standard FAT, FAT32, HPFS, NTFS, JFS, EXT2/3 or REISER file systems. I've kind of reached the limit of my abilities here, but my curiosity has been stoked.

Does anyone have any suggestions or comments - useful or otherwise? To anticipate a few in advance: Yes, listening devices might well run Linux. We're not in the US and are more interested in human rights than terrorism. My friend obviously knows most of what has been recorded, but wants to figure out how long the bug was in place."

3 of 136 comments

  1. Investigate the audio chip first by DavidYaw · Score: 5, Insightful

    Assuming the audio chip has a part number on it, try to get the datasheet from the manufacturer. See what format data it outputs, and perhaps the data on the hard drive is raw output from the audio chip. (If the audio chip's native format is 12 bit, 8k samples/sec, then that might be what's on the HD. If the audio chip supports some sort of audio compression, etc...)

    A reasonable first step would be to try to take the entire contents of the drive and send it out your sound card... (dd /dev/hdb /dev/audio or something like that (I'm not a Linux guy)). If the HD was used just to dump raw wave data to, you'll hear something (possibly squeaky voices if it's the wrong format, but you'll be able to tell there's something there). Even if there's a filesystem of some sort that you can't interpret, that would just be noise at the beginning of the playback, before it got to the real audio.

    If it really is encrypted, then you'd have to do some sort of cryptanalysis, and I have no idea how to even begin cryptanalysis on audio data. At that point, I say open the HD up and scrape the platters until they're shiny silver instead of shiny brown.
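
The two checks the question and the comment above describe (is there a recognisable file system on the drive, and does the bulk of the data look like raw audio, a file system, or something encrypted) can be scripted against an image of the drive. The following is an added example, not code from the original post or from any commenter; it works on a copy of the disk (a `dd` image), scans for a handful of well-known file-system signatures at their on-disk offsets, classifies each 64 KiB block by a byte-level heuristic, and wraps a suspected PCM region in a WAV header so it can be opened in an ordinary player instead of being piped to the sound device. The sample image it builds (a FAT32-style boot sector, a synthetic 440 Hz tone, pseudo-random bytes and zeros) is constructed for the demonstration; the signature offsets are the standard ones for MBR/VBR, NTFS, FAT, ext2/3, ReiserFS and JFS, and the entropy and correlation thresholds are assumptions that a practitioner would tune.

```python
"""Triage a raw disk image: look for file-system signatures at their on-disk
offsets, then label each 64 KiB block as empty, raw 16-bit PCM audio,
high-entropy (compressed or encrypted) or other structured data.
Point it at an image made with dd, never at the original drive."""
import math
import random
import struct
from collections import Counter

BLOCK = 65536  # analysis granularity

# (label, offset from the start of the volume, magic bytes); the offsets come
# from each format's on-disk layout. On a partitioned disk call
# find_signatures() once per partition start, not only at offset 0.
SIGNATURES = [
    ("boot sector 0x55AA (MBR or volume boot record)", 510, b"\x55\xaa"),
    ("NTFS boot sector", 3, b"NTFS    "),
    ("FAT32 boot sector", 82, b"FAT32   "),
    ("FAT12/16 boot sector", 54, b"FAT1"),
    ("ext2/3 superblock", 1024 + 56, b"\x53\xef"),
    ("ReiserFS superblock", 65536 + 52, b"ReIsEr"),
    ("JFS superblock", 32768, b"JFS1"),
]


def find_signatures(image: bytes, base: int = 0) -> list:
    """Names of every known signature present at its expected offset from base."""
    return [name for name, off, magic in SIGNATURES
            if image[base + off:base + off + len(magic)] == magic]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext and compressed data sit very close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def adjacent_sample_ratio(data: bytes) -> float:
    """Mean |s[i+1] - s[i]| over the sample standard deviation, reading the
    block as 16-bit little-endian PCM. Speech and tones are strongly
    correlated (ratio well below 1); noise or ciphertext gives above 1."""
    n = len(data) // 2
    if n < 2:
        return float("inf")
    s = struct.unpack("<%dh" % n, data[:n * 2])
    mean = sum(s) / n
    std = math.sqrt(sum((x - mean) ** 2 for x in s) / n) or 1.0
    diff = sum(abs(b - a) for a, b in zip(s, s[1:])) / (n - 1)
    return diff / std


def classify_region(data: bytes) -> str:
    """Order matters: an all-zero block has zero variance and would otherwise
    pass the audio test. Thresholds (0.5, 7.9) are assumed starting points."""
    if data.count(0) / len(data) > 0.5:
        return "mostly zero (unused space or sparse metadata)"
    if adjacent_sample_ratio(data) < 0.5:
        return "looks like raw 16-bit PCM audio"
    if shannon_entropy(data) > 7.9:
        return "high entropy (compressed or encrypted)"
    return "structured data (file system or unknown format)"


def triage(image: bytes) -> dict:
    """Signatures found at offset 0 plus a count of blocks per class."""
    regions = Counter()
    for off in range(0, len(image) - len(image) % BLOCK, BLOCK):
        regions[classify_region(image[off:off + BLOCK])] += 1
    return {"signatures": find_signatures(image), "regions": dict(regions)}


def wrap_as_wav(raw: bytes, rate: int = 8000, bits: int = 16, channels: int = 1) -> bytes:
    """Prepend a RIFF/WAVE header so a suspected PCM region opens in any
    player; rate/bits/channels are guesses to adjust until it sounds right."""
    align = channels * bits // 8
    fmt = struct.pack("<4sIHHIIHH", b"fmt ", 16, 1, channels, rate,
                      rate * align, align, bits)
    data = struct.pack("<4sI", b"data", len(raw)) + raw
    return struct.pack("<4sI4s", b"RIFF", 4 + len(fmt) + len(data), b"WAVE") + fmt + data


def build_constructed_image() -> bytes:
    """Constructed stand-in for a drive image (not real data): a FAT32-style
    boot sector, two blocks of a 440 Hz tone, one block of pseudo-random
    bytes and one block of zeros."""
    boot = bytearray(BLOCK)
    boot[82:90] = b"FAT32   "
    boot[510:512] = b"\x55\xaa"
    n = BLOCK  # 65536 samples of 2 bytes = two blocks
    tone = struct.pack("<%dh" % n, *(int(8000 * math.sin(2 * math.pi * 440 * i / 8000))
                                       for i in range(n)))
    rng = random.Random(1)
    noise = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return bytes(boot) + tone + noise + bytes(BLOCK)


if __name__ == "__main__":
    img = build_constructed_image()
    print(triage(img))  # signatures found, then block counts per class
```

To use it on a real image, replace `build_constructed_image()` with the bytes of the `dd` copy (or a memory-mapped view of it for a 20 GB file), and run `find_signatures` again at each partition offset if a boot sector turns up. Blocks that classify as PCM can be handed to `wrap_as_wav` with different rate and sample-width guesses; a run where nearly every block comes back as high entropy, with no signature hit at any plausible offset, is the pattern to expect from whole-disk encryption, and no amount of data-recovery tooling will get past that without the key.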

  2. Re:First, make a copy! by fm6 · Score: 4, Insightful

    (assuming you have free 20G on your HDD)

    If he doesn't, he should spend a few bucks on a new disk before proceeding. Working off a copy is absolutely mandatory for something like this.

  3. Get a lawyer. by rjh · Score: 3, Insightful

    Get a lawyer.

    No, no, not later. Not in a couple of days. Close your browser window right now and go talk to a lawyer before you wind up spending five-to-ten in Federal pound-me-in-the-ass prison.

    What are you, mental?

    Do you have any idea how few eavesdropping devices are planted each year? Do you have any idea how much legal rigamarole law-enforcement has to do to actually do a B&E and plant bugs? We already know law-enforcement cares enough about the situation to do God knows how much paperwork: do you think they'll just say "oh, good catch, you got us, don't worry, you can go free"?

    And then, to make matters worse, you post on Slashdot where you acknowledge that you know the material is evidence in an ongoing investigation and ask for help in tampering with it?

    Let me say this one more time: you are not 1337. You are not too cool for school. You are not immune to prosecution.

    At some point they're going to want that information. They're going to discover that it's been removed from the car. At that point, they know they don't need to be subtle--someone already knows they were bugging. So they're going to haul in your friend and point out just how long five years in a Federal penitentiary is, and they're going to ask her--probably her, directly, since if she's anything like you she's dumb enough not to want a lawyer present--what she did with it. If she cooperates, they'll play nice. If she doesn't, well... hey. One more conviction in the old win-loss book is always a good thing.

    And then they're going to come after you. And when they get to you, you're not going to have anyone you can rat out on. You're going to be left holding the Fuck-Me-Harder bag.

    Get a lawyer right now. Not later. Not in an hour. RIGHT. NOW.

    And grow up, while you're at it.