File Systems for Electronic Surveillance Devices?

An anonymous reader asks: "A friend recently discovered that her vehicle had been bugged by the police (for reasons I won't go into here). It seems the set-up had been wired into the car's electronics, so that whenever the car was going the microphones were recording the occupants' conversations. Unfortunately I didn't get to see everything she recovered, as she was a bit exuberant in her removal and disposal. However, I have been given a 20G Fujitsu notebook hard drive and some kind of audio processing chip from a manufacturer by the name of Topoint, and have been asked if I can examine the contents. You can read on to hear about my efforts so far, but I have several questions: If the surveillance device came from a vendor, what kind of file system might they use, and if - as I suspect - it is encrypted, do I have any options other than writing zeros over the drive and putting it to less controversial use?" "Not knowing what to do with the audio chip, I focused on the notebook hard drive. I got an adapter, connected it as master on my desktop and booted up. After checking the BIOS to see if the drive was recognised (it was), I was presented with a full-screen simple line diagram showing the floppy drive slot, a floppy with an arrow in front of it and across the bottom, the F keys with the F1 key depressed. Hitting F1 with or without entering a disk resulted in 'Non-system disk error...' So much for the direct approach.

Next I set the drive as slave and booted Linux (Mandrake and then a few Live CDs), but the drive contents weren't recognised due to the lack of a partition table. So, I kept it as slave and ran a few forensic and data recovery tools in Windows: DFSee and tools from Mare Software and Runtime Software. I couldn't recognize the file system or recover anything from the drive with these, so I figure it isn't formatted with any of the standard FAT, FAT32, HPFS, NTFS, JFS, EXT2/3 or REISER file systems. I've kind of reached the limit of my abilities here, but my curiosity has been stoked.

Does anyone have any suggestions or comments - useful or otherwise? To anticipate a few in advance: Yes, listening devices might well run Linux. We're not in the US and are more interested in human rights than terrorism. My friend obviously knows most of what has been recorded, but wants to figure out how long the bug was in place."

Interesting...could it be that there isn't a FS?

[mc_barron]

What an interesting story! Could it be possible that the drive has no structure? Couldn't the audio data be directly written from the beginning to the end of the disk sectors without being an actual file?

I would try grabbing the data off of the drive as an image, then "playing" the image as if it were one large audio file.

Things to try

[Requiem+Aristos]

First, if you encounter something like this in the future, don't try to boot from it. (It's always possible there could be code to detect an unauthorized machine and start deleting itself.)

Next, as another poster suggested, use dd to get a copy of the disk. Make a few copies while you're at it, and write them to DVDs, DLTs, or some other media.

Finally, do the processing. Here are some ideas:
Write all zeros to the drive, then put it back in the car. Drive around for set intervals of time (100 minutes, 200 minutes, etc.) then pull the data from the drive to see how much was filled up. (Hint: it's from the start of the drive to where the long string of zeros starts.) Try it with minimal noise, try it with talking, and try it with music.

Run 'file' or 'strings' on the image. Try catting it to your sound device. Plot the data in both 2D and 3D and look for any patterns. (Encrypted data shouldn't have any.)