Slashdot Mirror

← Back to Stories (view on slashdot.org)

File Systems for Electronic Surveillance Devices?

Posted by Cliff on from the discrete-audio-data-storage dept.

An anonymous reader asks: "A friend recently discovered that her vehicle had been bugged by the police (for reasons I won't go into here). It seems the set-up had been wired into the car's electronics, so that whenever the car was going the microphones were recording the occupants' conversations. Unfortunately I didn't get to see everything she recovered, as she was a bit exuberant in her removal and disposal. However, I have been given a 20G Fujitsu notebook hard drive and some kind of audio processing chip from a manufacturer by the name of Topoint, and have been asked if I can examine the contents. You can read on to hear about my efforts so far, but I have several questions: If the surveillance device came from a vendor, what kind of file system might they use, and if - as I suspect - it is encrypted, do I have any options other than writing zeros over the drive and putting it to less controversial use?" "Not knowing what to do with the audio chip, I focused on the notebook hard drive. I got an adapter, connected it as master on my desktop and booted up. After checking the BIOS to see if the drive was recognised (it was), I was presented with a full-screen simple line diagram showing the floppy drive slot, a floppy with an arrow in front of it and across the bottom, the F keys with the F1 key depressed. Hitting F1 with or without entering a disk resulted in 'Non-system disk error...' So much for the direct approach.

Next I set the drive as slave and booted Linux (Mandrake and then a few Live CDs), but the drive contents weren't recognised due to the lack of a partition table. So, I kept it as slave and ran a few forensic and data recovery tools in Windows: DFSee and tools from Mare Software and Runtime Software. I couldn't recognize the file system or recover anything from the drive with these, so I figure it isn't formatted with any of the standard FAT, FAT32, HPFS, NTFS, JFS, EXT2/3 or REISER file systems. I've kind of reached the limit of my abilities here, but my curiosity has been stoked.

Does anyone have any suggestions or comments - useful or otherwise? To anticipate a few in advance: Yes, listening devices might well run Linux. We're not in the US and are more interested in human rights than terrorism. My friend obviously knows most of what has been recorded, but wants to figure out how long the bug was in place."

13 of 136 comments (clear)

  1. Interesting...could it be that there isn't a FS? by mc_barron · · Score: 5, Interesting
    What an interesting story! Could it be possible that the drive has no structure? Couldn't the audio data be directly written from the beginning to the end of the disk sectors without being an actual file?

    I would try grabbing the data off of the drive as an image, then "playing" the image as if it were one large audio file.

  2. What I'd really like to know... by Anonymous Coward · · Score: 2, Interesting

    ...is how she discovered the bug? Just random digging through the car's guts one day, or was there something suspicious that tipped her off? If there's a way of spotting it, that sort of info could be useful to the rest of us. For that matter, how would you even tell this wasn't just part of the car's electronics if you weren't a mechanic?

  3. Neat, but you might want to talk to a lawyer... by CokeJunky · · Score: 3, Interesting

    Sounds like a fun little project and I wish you the best of luck, but someone should point out that what you are doing may be considered as some form of interferance with the law, and at the very least you will be making some detectives at the PD very unhappy. I think I would wash my hands of it and return it to the friend... stay out of it. Or if you have good reason to get involved in it, you should probably consult a lawyer before you go any farther.

    Perhaps I should start a pool as to when /. posts the article about a person who was arrested for interfering in an investigation and tampering with police property?

    I would find it a hard choice to make myself -- just on the coolness factor, but use some common sense before you find yourself in hot water!

    --
    More Caffeine. NOW
  4. Re:Interesting...could it be that there isn't a FS by Anonymous Coward · · Score: 3, Interesting

    If the drive does lack a file system there will most likely have been a header written at the start of each 'session' possibly with a timestamp. Have you tried looking for repeating patterns in the raw data that might delineate chunks of audio.

    Two things to try (assuming you have the drive as hdb.
    1. strings /dev/hdb
    2. cat /dev/hdb > /dev/dsp

    You never know, they may have been that lazy.

  5. Whose property is it? by anthony_dipierro · · Score: 2, Interesting

    If the police bug your car, do they still own the bug, or have they abandoned the property? Anyone know any precedent for that one?

  6. Re:Hmm by monkeyserver.com · · Score: 3, Interesting

    I wonder, how is that illegal? She finds this stuff in her car, it's in her personal vehicle. Does it say, "Government property - no tampering!" If not, then I would assume that if some one places something into my personal property, and leaves it there, it becomes mine. Which means I can do whatever I want with it.

    That may not be true, but it's such a gray area, how am I supposed to know what it is, or why it's there. I mean for all I know it could be part of my car, in which case I can do what I want with it.

    But yes, I'd agree that telling the world via slashdot that I want to foil the police's efforts to find a "criminal" is pretty dumb.

    --
    http://monkeyserver.com --- weeeeee
  7. Things to try by Requiem+Aristos · · Score: 5, Interesting

    First, if you encounter something like this in the future, don't try to boot from it. (It's always possible there could be code to detect an unauthorized machine and start deleting itself.)

    Next, as another poster suggested, use dd to get a copy of the disk. Make a few copies while you're at it, and write them to DVDs, DLTs, or some other media.

    Finally, do the processing. Here are some ideas:
    Write all zeros to the drive, then put it back in the car. Drive around for set intervals of time (100 minutes, 200 minutes, etc.) then pull the data from the drive to see how much was filled up. (Hint: it's from the start of the drive to where the long string of zeros starts.) Try it with minimal noise, try it with talking, and try it with music.

    Run 'file' or 'strings' on the image. Try catting it to your sound device. Plot the data in both 2D and 3D and look for any patterns. (Encrypted data shouldn't have any.)

  8. Re:Hmm by Anonymous Coward · · Score: 1, Interesting
    I wonder, how is that illegal? She finds this stuff in her car, it's in her personal vehicle. Does it say, "Government property - no tampering!" If not, then I would assume that if some one places something into my personal property, and leaves it there, it becomes mine.

    Except the submitter assumes it was placed by the police, so we have to trust him that he knows it's government property. Anyway, all that's mute. If this is real, it's probably likely the police don't worry too much about following the law.

  9. Some ideas. by CyberVenom · · Score: 4, Interesting

    Well, considering you posted to Slashdot, I would assume that either you don't care if the authorities find out that their "bug" has been reappropriated, or perhaps you wish to blatenly rub that fact in their face? If your friend can be reasnoably certain that the bug did not capture any sensitive conversation (which I might guess is the case by her willingness to trust you with the drive rather than destrying it outright), then why not post a torrent? I'm sure plenty of amatuer and moonlight crypanalysists, file-system and audio engineers would love to check that data out. You can use "cat /dev/hdb | gzip > /image.gz" to pull the image off the drive, compress it, and dump it into a file which you could then release to the public.

    Most filesystems store data at the lowest level in a more-or-less raw format on the disk for performance reasons. (on-the-fly compression or encryption is CPU intensive) Even something like ReiserFS would have chunks of recognizable (though perhaps out-of-order) raw audio file visible on the drive. Try feeding the output to your sound card. A good way to do this would be with "SoX" (Sound eXchange, an audio conversion tool for linux... "apt-get install sox"). SoX comes with "play" a command which basically just sends data to the sound card, and for raw data allows you to specify what format (8 bit or 16 bit? 22khz or 48khz?) it should play the audio at. Also if you suspect something other than 8 or 16 bit, try bitshifting the sample a couple times so that the first sample begins on a byte boundry.

    Another useful tool is called "ent", which applies a number of entropy tests to a sample. True raw audio data should have only some entropy. Blank filesystem structure should have almost no entropy. Encrypted or very highly compressed data will appear to be almost entirely entropy. ("apt-get install ent" on Debian or Knoppix)

    You could anylise the drive in chunks to see how much is filled with medium entropy (uncompressed audio), how much is high entropy (encrypted or compressed data) and how much has almost no entropy (empty space), and using this statistic in conjunction with any info you can find on the sample rate and number of bits from the chip, calculate how much audio is stored on the drive, and thus how long it has been installed.

    I've seen that "line-drawing" before. It is probably just your BIOS telling you it can't find a boot sector on the drive. (which isn't terribly supprising) But if the people who made the device were particularily nefarious, it could be a fake splash screen which only *looks* like your BIOS, at which you must enter the secret code to proceed into the true playback application. (But that's almost too far-fetched to be a possibility. almost...) If you really wanted to eliminate that possablity, you would use hexedit (apt-get install hexedit) to look at the first sector for the magic number. it should be at the end of the sector (offset of 512k minus 4 I think), but I can't remember off the top of my head what the magic number is supposed to be for bootable i386 media. If the magic number is not there, that splash screen is just your BIOS. (Also a good way to check for stealth-boot-sector viruses. >:-} )

    Anyway, good luck, and I hope you have firm legal ground to stand on where you are. Be careful. Angry Feds are not a pleasant thing.

  10. Failed due process on Computing Forensic by Dark+Coder · · Score: 3, Interesting


    Never power up a suspected drive. Always treat it as a computing forensic evidence and process it accordingly.

    Boot partition checkout (try all 18 of them). If that fails, entropy is the first stage of resolution.

    Partition identification will take you a long way.

    Only google on Topoint is in mainland China,
    Check out http://www.topoint.com.cn/

  11. Plot the data and look for patterns, yes. by Myself · · Score: 3, Interesting

    Parent has it right. The Advanced Hex Editor (AXE) has this functionality. Lots of fun when looking at uncompressed graphic formats like icons stored in executables. :)

    Grab a few megs from the start of the disk and use sox, the sond exchange to tack audio headers onto it, and try various codec conversions, endian swaps, etc.

    There's every chance that the audio chip was interfaced to the drive very simply, as you theorized, without a filesystem. I'm aware of a product which lets you access an ATA device via RS232, it's called the StampDrive. As far as I can tell, it's a PICmicro that's been taught a basic subset of the ATA spec, and it acts as a storage broker for any device that can speak async serial.

    People who build their own dataloggers have lots of experience with this sort of dirt-cheap interfacing. Your audio bug is, after all, just a specialized datalogger. A few minutes with a search engine should find plenty of info on the subject.

    Post back with any success stories. :)

  12. Play the contents of the disk as raw data... by dpbsmith · · Score: 2, Interesting

    using plausible guesses for data rate and integer width.

    The ear and brain are very good at hearing patterns and extracting information.

    In the days of analog "scrambling" it turned out that it was extremely difficult to scramble speech in such a way as to make it unrecognizable; all sorts of plausible-sounding signal transformations could be interpreted by ear with practice.

    It's worth a try. At the beginning, don't spend a lot of time trying to figure out whether you're decoding it properly. Just do _something_ that will get data off the disk and into a speaker _quickly_ and listen to samples.

    --

    "How to Do Nothing," kids activities, back in print!

  13. How is this tampering and stealing? by Anonymous Coward · · Score: 2, Interesting

    He/She found a hard drive in a car. How can the police prove that he/she knew that it was police/government property? Does it have "property of the police" stamped on it? Also, how is the device "stolen"? It was found in the person's car. They didn't steal it from some house, or from someone else's car. If I find an item in my car, am I stealing it if I remove it? What am I supposed to do, leave it there? I would say that whoever installed the device in the car is the person doing the stealing, because it uses the car's power to operate, and thus uses gasoline that the car's owner paid for.