Slashdot Mirror


File Systems for Electronic Surveillance Devices?

An anonymous reader asks: "A friend recently discovered that her vehicle had been bugged by the police (for reasons I won't go into here). It seems the set-up had been wired into the car's electronics, so that whenever the car was going the microphones were recording the occupants' conversations. Unfortunately I didn't get to see everything she recovered, as she was a bit exuberant in her removal and disposal. However, I have been given a 20G Fujitsu notebook hard drive and some kind of audio processing chip from a manufacturer by the name of Topoint, and have been asked if I can examine the contents. You can read on to hear about my efforts so far, but I have several questions: If the surveillance device came from a vendor, what kind of file system might they use, and if - as I suspect - it is encrypted, do I have any options other than writing zeros over the drive and putting it to less controversial use?"

"Not knowing what to do with the audio chip, I focused on the notebook hard drive. I got an adapter, connected it as master on my desktop and booted up. After checking the BIOS to see if the drive was recognised (it was), I was presented with a full-screen simple line diagram showing the floppy drive slot, a floppy with an arrow in front of it and across the bottom, the F keys with the F1 key depressed. Hitting F1 with or without entering a disk resulted in 'Non-system disk error...' So much for the direct approach.

Next I set the drive as slave and booted Linux (Mandrake and then a few Live CDs), but the drive contents weren't recognised due to the lack of a partition table. So, I kept it as slave and ran a few forensic and data recovery tools in Windows: DFSee and tools from Mare Software and Runtime Software. I couldn't recognize the file system or recover anything from the drive with these, so I figure it isn't formatted with any of the standard FAT, FAT32, HPFS, NTFS, JFS, EXT2/3 or REISER file systems. I've kind of reached the limit of my abilities here, but my curiosity has been stoked.

Does anyone have any suggestions or comments - useful or otherwise? To anticipate a few in advance: Yes, listening devices might well run Linux. We're not in the US and are more interested in human rights than terrorism. My friend obviously knows most of what has been recorded, but wants to figure out how long the bug was in place."

2 of 136 comments

  1. Investigate the audio chip first by DavidYaw · Score: 5, Insightful

    Assuming the audio chip has a part number on it, try to get the datasheet from the manufacturer. See what format data it outputs, and perhaps the data on the hard drive is raw output from the audio chip. (If the audio chip's native format is 12 bit, 8k samples/sec, then that might be what's on the HD. If the audio chip supports some sort of audio compression, etc...)

    A reasonable first step would be to try to take the entire contents of the drive and send it out your sound card... (dd if=/dev/hdb of=/dev/audio or something like that (I'm not a Linux guy)). If the HD was used just to dump raw wave data to, you'll hear something (possibly squeaky voices if it's the wrong format, but you'll be able to tell there's something there). Even if there's a filesystem of some sort that you can't interpret, that would just be noise at the beginning of the playback, before it got to the real audio.

    If it really is encrypted, then you'd have to do some sort of cryptanalysis, and I have no idea how to even begin cryptanalysis on audio data. At that point, I say open the HD up and scrape the platters until they're shiny silver instead of shiny brown.

  2. Re:First, make a copy! by fm6 · · Score: 4, Insightful
    (assuming you have free 20G on your HDD)
    If he doesn't, he should spend a few bucks on a new disk before proceeding. Working off a copy is absolutely mandatory for something like this.
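
A first-pass triage for the question the two comments above raise (raw audio versus encrypted data, working from a copy), as an added example that is not part of the original thread: it walks an image file of the drive block by block and labels each region blank, structured, or high-entropy. The block size, the 7.9 bits/byte cut-off, the function names and the sample image are assumptions made for this example.

```python
import math
import os
import tempfile
from collections import Counter

BLOCK = 64 * 1024        # bytes per analysis window (assumption)
HIGH_ENTROPY = 7.9       # bits/byte; assumed cut-off for "looks random"

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values()) if n else 0.0

def classify(block: bytes) -> str:
    if len(set(block)) <= 1:
        return "blank"            # one repeated byte: zero-filled or never written
    if shannon_entropy(block) >= HIGH_ENTROPY:
        return "high-entropy"     # consistent with encrypted or compressed data
    return "structured"           # raw PCM, metadata, text, ...

def triage(image_path: str, block_size: int = BLOCK):
    """Return merged runs [(start, end, label)] read from a copy of the drive."""
    runs = []
    with open(image_path, "rb") as img:   # read-only: the image is never modified
        offset = 0
        while chunk := img.read(block_size):
            label = classify(chunk)
            end = offset + len(chunk)
            if runs and runs[-1][2] == label:
                runs[-1] = (runs[-1][0], end, label)   # extend the current run
            else:
                runs.append((offset, end, label))
            offset = end
    return runs

def constructed_image() -> str:
    """Write a small sample image (constructed data, not taken from any drive)."""
    pcm = bytes(128 + round(60 * math.sin(2 * math.pi * 440 * i / 8000))
                for i in range(3 * BLOCK))             # 8-bit unsigned, 8 kHz tone
    data = pcm + os.urandom(2 * BLOCK) + bytes(2 * BLOCK)  # tone, random, zeros
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    path = constructed_image()
    for start, end, label in triage(path):
        print(f"{start:#010x}-{end:#010x}  {label}")
    os.remove(path)
```

High entropy alone does not separate encryption from compression; a long structured run is the case where the raw-playback suggestion in the first comment is worth trying.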