Slashdot Mirror

← Back to Stories (view on slashdot.org)

File Systems for Electronic Surveillance Devices?

Posted by Cliff on from the discrete-audio-data-storage dept.

An anonymous reader asks: "A friend recently discovered that her vehicle had been bugged by the police (for reasons I won't go into here). It seems the set-up had been wired into the car's electronics, so that whenever the car was going the microphones were recording the occupants' conversations. Unfortunately I didn't get to see everything she recovered, as she was a bit exuberant in her removal and disposal. However, I have been given a 20G Fujitsu notebook hard drive and some kind of audio processing chip from a manufacturer by the name of Topoint, and have been asked if I can examine the contents. You can read on to hear about my efforts so far, but I have several questions: If the surveillance device came from a vendor, what kind of file system might they use, and if - as I suspect - it is encrypted, do I have any options other than writing zeros over the drive and putting it to less controversial use?" "Not knowing what to do with the audio chip, I focused on the notebook hard drive. I got an adapter, connected it as master on my desktop and booted up. After checking the BIOS to see if the drive was recognised (it was), I was presented with a full-screen simple line diagram showing the floppy drive slot, a floppy with an arrow in front of it and across the bottom, the F keys with the F1 key depressed. Hitting F1 with or without entering a disk resulted in 'Non-system disk error...' So much for the direct approach.

Next I set the drive as slave and booted Linux (Mandrake and then a few Live CDs), but the drive contents weren't recognised due to the lack of a partition table. So, I kept it as slave and ran a few forensic and data recovery tools in Windows: DFSee and tools from Mare Software and Runtime Software. I couldn't recognize the file system or recover anything from the drive with these, so I figure it isn't formatted with any of the standard FAT, FAT32, HPFS, NTFS, JFS, EXT2/3 or REISER file systems. I've kind of reached the limit of my abilities here, but my curiosity has been stoked.

Does anyone have any suggestions or comments - useful or otherwise? To anticipate a few in advance: Yes, listening devices might well run Linux. We're not in the US and are more interested in human rights than terrorism. My friend obviously knows most of what has been recorded, but wants to figure out how long the bug was in place."

32 of 136 comments (clear)

  1. Interesting...could it be that there isn't a FS? by mc_barron · · Score: 5, Interesting
    What an interesting story! Could it be possible that the drive has no structure? Couldn't the audio data be directly written from the beginning to the end of the disk sectors without being an actual file?

    I would try grabbing the data off of the drive as an image, then "playing" the image as if it were one large audio file.

  2. What I'd really like to know... by Anonymous Coward · · Score: 2, Interesting

    ...is how she discovered the bug? Just random digging through the car's guts one day, or was there something suspicious that tipped her off? If there's a way of spotting it, that sort of info could be useful to the rest of us. For that matter, how would you even tell this wasn't just part of the car's electronics if you weren't a mechanic?

  3. Neat, but you might want to talk to a lawyer... by CokeJunky · · Score: 3, Interesting

    Sounds like a fun little project and I wish you the best of luck, but someone should point out that what you are doing may be considered as some form of interferance with the law, and at the very least you will be making some detectives at the PD very unhappy. I think I would wash my hands of it and return it to the friend... stay out of it. Or if you have good reason to get involved in it, you should probably consult a lawyer before you go any farther.

    Perhaps I should start a pool as to when /. posts the article about a person who was arrested for interfering in an investigation and tampering with police property?

    I would find it a hard choice to make myself -- just on the coolness factor, but use some common sense before you find yourself in hot water!

    --
    More Caffeine. NOW
    1. Re:Neat, but you might want to talk to a lawyer... by Saeed+al-Sahaf · · Score: 2, Insightful
      Perhaps I should start a pool as to when /. posts the article about a person who was arrested for interfering in an investigation and tampering with police property?

      If it isn't marked, who's to know who it belongs to or who installed it? We can make educated assumptions, but unless it says "Property of XYZ Police Department", who knows? And even than, it's in your car, without your permission, what the hell do you know why it's there?

      But, I think this post is a load of shit from someone who wants to see some data on a stolen drive that has nothing to do with any "investigation", and probibly came from a stolen laptop owned by the company this person works for.

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  4. First, make a copy! by PaulBu · · Score: 4, Informative

    dd if=/dev/hdb of=/home/me/image

    (assuming you have free 20G on your HDD)

    Then try file /home/me/image -- if disk was
    used just to dump data, you might as well see that it is a WAV file.

    Then try strings /home/me/image|less and see if you notice anything special. If all your strings will be 4-letter random words, most probably it is encrypted and you are out of luck. Or maybe not, if they used something like XOR -- try building a hystogram of byte values distribution. If it is flat -- well, then you are screwed with a well-encrypted disk, and your best bet is to secretly ship the disk to a TLA of your country's adversary. ;-)

    Paul B.

    1. Re:First, make a copy! by fm6 · · Score: 4, Insightful
      (assuming you have free 20G on your HDD)
      If he doesn't, he should spend a few bucks on a new disk before proceeding. Working off a copy is absolutely mandatory for something like this.
    2. Re:First, make a copy! by BJH · · Score: 2, Informative

      If you're living in the US, you might not be aware of it, but most major US retail sites make it quite difficult for people overseas to utilise their services.
      For example, they refuse to allow the use of credit cards with a billing address outside the US, require a copy of the front and back of the card to be sent to them by snailmail, charge absolutely exorbitant shipping rates (I'm talking $US40 for non-express shipping on a $US100 item that's no bigger than a hardback book), and that sort of thing.

    3. Re:First, make a copy! by Dr.+Evil · · Score: 2, Informative

      Don't forget customs brokerage and the occasional secondary shipping charge for customs to intercept, find nothing and send it on its way.

  5. "Data Recovery" by vancera · · Score: 2, Insightful

    It would be fun to send that drive to one of those data recovery outfits that do free quotes. They are the pros, they might see something you might miss.

  6. Re:Interesting...could it be that there isn't a FS by Anonymous Coward · · Score: 3, Interesting

    If the drive does lack a file system there will most likely have been a header written at the start of each 'session' possibly with a timestamp. Have you tried looking for repeating patterns in the raw data that might delineate chunks of audio.

    Two things to try (assuming you have the drive as hdb.
    1. strings /dev/hdb
    2. cat /dev/hdb > /dev/dsp

    You never know, they may have been that lazy.

  7. Whose property is it? by anthony_dipierro · · Score: 2, Interesting

    If the police bug your car, do they still own the bug, or have they abandoned the property? Anyone know any precedent for that one?

    1. Re:Whose property is it? by trick-knee · · Score: 2, Insightful

      > Anyone know any precedent for that one?

      eh, any precedent would be country-specific anyway. and he ain't tellin' which country, for obvious reasons.

  8. Re:Hmm by monkeyserver.com · · Score: 3, Interesting

    I wonder, how is that illegal? She finds this stuff in her car, it's in her personal vehicle. Does it say, "Government property - no tampering!" If not, then I would assume that if some one places something into my personal property, and leaves it there, it becomes mine. Which means I can do whatever I want with it.

    That may not be true, but it's such a gray area, how am I supposed to know what it is, or why it's there. I mean for all I know it could be part of my car, in which case I can do what I want with it.

    But yes, I'd agree that telling the world via slashdot that I want to foil the police's efforts to find a "criminal" is pretty dumb.

    --
    http://monkeyserver.com --- weeeeee
  9. A better idea by crstophr · · Score: 5, Funny

    Forget reading the data.

    Format the whole thing with fat32
    Fill the entire drive with gay porn.

    Reinstall in car.

    1. Re:A better idea by dgatwood · · Score: 5, Funny
      Even better, find a bunch of people on the street who you don't know. Hand them scripts and ask them to read them while you drive the car. In those scripts, they should confess to dozens of crimes that never happened. One might admit that he/she hid the body in the foundation of the Microsoft building, another that he murdered some famous person (who isn't dead... or better yet, who is, but who died naturally, ideally before the 'murderer' was born), etc.

      As the recording gets longer, make the conversations get more and more outrageous. One person tells the other that he used to be a she who, in turn, used to be a he. Another goes into a tirade about how his father beat him, so now he feels like he should beat his children... except that he doesn't have children, so he beats up random children on the playground instead. At some point, the line "I'm not your Uncle, I'm your father" appears. "But wait, that would make me your brother." "Eww.... You married your sister?"

      By the end, everybody is sleeping with everyone, family trees are intertwined in amusing ways, the priest is having an affair with the school nurse, and the horny schoolgirl talks about how she once had sex with the governor/president/whatever. It all culminates with someone deciding to off him/herself, not because he/she did anything wrong, but because he just found out that his sister had become a prostitute to raise money to help pay for his cancer treatment while he sold his cancer drugs to help pay for her AIDS treatment. Be sure to accurately simulate the sound of a gunshot through the roof of a car.

      Watch the amusement as the police A. try to find the blood stains, B. try to find the bullet hole, C. try to figure out who the heck all those people are, and D. arrest a senior government official for underage sex. If you pull it off without getting caught, it would be the prank of the century....

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  10. Investigate the audio chip first by DavidYaw · · Score: 5, Insightful

    Assuming the audio chip has a part number on it, try to get the datasheet from the manufacturer. See what format data it outputs, and perhaps the data on the hard drive is raw output from the audio chip. (If the audio chip's native format is 12 bit, 8k samples/sec, then that might be what's on the HD. If the audio chip supports some sort of audio compression, etc...)

    A reasonable first step would be to try to take the entire contents of the drive and send it out your sound card... (dd /dev/hdb /dev/audio or something like that (I'm not a Linux guy)). If the HD was used just to dump raw wave data to, you'll hear something (possibly squeaky voices if it's the wrong format, but you'll be able to tell there's something there). Even if there's a filesystem of some sort that you can't interpret, that would just be noise at the beginning of the playback, before it got to the real audio.

    If it really is encrypted, then you'd have to do some sort of cryptanalysis, and I have no idea how to even begin cryptanalysis on audio data. At that point, I say open the HD up and scrape the platters until they're shiny silver instead of shiny brown.

  11. Things to try by Requiem+Aristos · · Score: 5, Interesting

    First, if you encounter something like this in the future, don't try to boot from it. (It's always possible there could be code to detect an unauthorized machine and start deleting itself.)

    Next, as another poster suggested, use dd to get a copy of the disk. Make a few copies while you're at it, and write them to DVDs, DLTs, or some other media.

    Finally, do the processing. Here are some ideas:
    Write all zeros to the drive, then put it back in the car. Drive around for set intervals of time (100 minutes, 200 minutes, etc.) then pull the data from the drive to see how much was filled up. (Hint: it's from the start of the drive to where the long string of zeros starts.) Try it with minimal noise, try it with talking, and try it with music.

    Run 'file' or 'strings' on the image. Try catting it to your sound device. Plot the data in both 2D and 3D and look for any patterns. (Encrypted data shouldn't have any.)

  12. Re:Let me get this straight: by fm6 · · Score: 2, Insightful
    They bugged her car with a 20G laptop harddrive? I smell bullshit.
    Why? A bug has to store its recordings somewhere. Despite what you see on The Sopranos, radio links are unreliable and do not produce quality recordings. There are alternatives for storage such as Flash ROM, but none of them have any really compelling advantages. A notebook drive is small enough to conceal easily amongst all the hardware under the hood of a car. 20 GB is probably overkill, but nowadays it's hard to buy hard drives smaller than that.

    If you were designing a car bug, what would you use for storage?

  13. Re:Hmm by ar32h · · Score: 5, Informative

    Toppoint may build custom chips / build clone chips.
    Any/all numbers on the chip would probably be more useful than the manufacturer's name.

    Also, and perhaps a red herring, could the device in question be the product found here?
    It is a GPS tracker with audio recording capability. It also happens to take 20G drives and uses a SOIC for control.
    It may be a jump, but Toppoint could have been the board builder.

  14. Re:Let me get this straight: by phUnBalanced · · Score: 2, Insightful

    If you were designing a car bug, what would you use for storage?

    Something without moving parts.

  15. Exact same thing happened to me. by Perdo · · Score: 3, Informative

    And unless you want to be charged as an accessory after the fact or evidence tampering, you will get far, far away from that woman, even if the sex is good.

    No, really.

    --

    If voting were effective, it would be illegal by now.

    1. Re:Exact same thing happened to me. by themassiah · · Score: 3, Funny

      even if the sex is good The what?

      --
      - Sometimes you're the pidgeon, sometimes you're the statue.
  16. Re:Let me get this straight: by benjamindees · · Score: 2, Insightful

    what you are doing is a aiding and abetting.Aiding *what*? Sounds like the friend discovered a hard drive in her car and decided to keep it, which is perfectly reasonable.

    Last time I checked it still isn't a crime to disassemble your own property, despite what Lexmark says.

    Sounds like the dipshits who can't even spy on people without being discovered lost the right to their harddrive.

    --
    "I assumed blithely that there were no elves out there in the darkness"
  17. Re:Let me get this straight: by DustMagnet · · Score: 3, Funny
    If you were designing a car bug, what would you use for storage? Something without moving parts.

    I wish the police would put a large flash device in my car!

    --
    'SBEMAIL!' is better than a goat!!
  18. Is it really audio? by Jah-Wren+Ryel · · Score: 2, Insightful

    Are you sure it was really used to record audio? I would think they would want to hear what people say when the car is turned off too. Just running the chip 100% of the time and only recording to disk when there is actual audio would make sense and should be a low enough power draw to avoid draining the car battery if she drives it more than once a week.

    Maybe it is some sort of location/gps recorder. The car should not move when turned off, so wiring it to the ignition/accessories circuits makes more sense and the "microphone(s)" were actually gps antennae. Plus, maybe the name on the chip is really "Topo Int" as in short for "topographic intelligence."

    I want to know more about how she discovered it. Where was it exactly and what made her decide to look in the first place?

    --
    When information is power, privacy is freedom.
  19. Some ideas. by CyberVenom · · Score: 4, Interesting

    Well, considering you posted to Slashdot, I would assume that either you don't care if the authorities find out that their "bug" has been reappropriated, or perhaps you wish to blatenly rub that fact in their face? If your friend can be reasnoably certain that the bug did not capture any sensitive conversation (which I might guess is the case by her willingness to trust you with the drive rather than destrying it outright), then why not post a torrent? I'm sure plenty of amatuer and moonlight crypanalysists, file-system and audio engineers would love to check that data out. You can use "cat /dev/hdb | gzip > /image.gz" to pull the image off the drive, compress it, and dump it into a file which you could then release to the public.

    Most filesystems store data at the lowest level in a more-or-less raw format on the disk for performance reasons. (on-the-fly compression or encryption is CPU intensive) Even something like ReiserFS would have chunks of recognizable (though perhaps out-of-order) raw audio file visible on the drive. Try feeding the output to your sound card. A good way to do this would be with "SoX" (Sound eXchange, an audio conversion tool for linux... "apt-get install sox"). SoX comes with "play" a command which basically just sends data to the sound card, and for raw data allows you to specify what format (8 bit or 16 bit? 22khz or 48khz?) it should play the audio at. Also if you suspect something other than 8 or 16 bit, try bitshifting the sample a couple times so that the first sample begins on a byte boundry.

    Another useful tool is called "ent", which applies a number of entropy tests to a sample. True raw audio data should have only some entropy. Blank filesystem structure should have almost no entropy. Encrypted or very highly compressed data will appear to be almost entirely entropy. ("apt-get install ent" on Debian or Knoppix)

    You could anylise the drive in chunks to see how much is filled with medium entropy (uncompressed audio), how much is high entropy (encrypted or compressed data) and how much has almost no entropy (empty space), and using this statistic in conjunction with any info you can find on the sample rate and number of bits from the chip, calculate how much audio is stored on the drive, and thus how long it has been installed.

    I've seen that "line-drawing" before. It is probably just your BIOS telling you it can't find a boot sector on the drive. (which isn't terribly supprising) But if the people who made the device were particularily nefarious, it could be a fake splash screen which only *looks* like your BIOS, at which you must enter the secret code to proceed into the true playback application. (But that's almost too far-fetched to be a possibility. almost...) If you really wanted to eliminate that possablity, you would use hexedit (apt-get install hexedit) to look at the first sector for the magic number. it should be at the end of the sector (offset of 512k minus 4 I think), but I can't remember off the top of my head what the magic number is supposed to be for bootable i386 media. If the magic number is not there, that splash screen is just your BIOS. (Also a good way to check for stealth-boot-sector viruses. >:-} )

    Anyway, good luck, and I hope you have firm legal ground to stand on where you are. Be careful. Angry Feds are not a pleasant thing.

  20. Failed due process on Computing Forensic by Dark+Coder · · Score: 3, Interesting


    Never power up a suspected drive. Always treat it as a computing forensic evidence and process it accordingly.

    Boot partition checkout (try all 18 of them). If that fails, entropy is the first stage of resolution.

    Partition identification will take you a long way.

    Only google on Topoint is in mainland China,
    Check out http://www.topoint.com.cn/

  21. Get a lawyer. by rjh · · Score: 3, Insightful

    Get a lawyer.

    No, no, not later. Not in a couple of days. Close your browser window right now and go talk to a lawyer before you wind up spending five-to-ten in Federal pound-me-in-the-ass prison.

    What are you, mental?

    Do you have any idea how few eavesdropping devices are planted each year? Do you have any idea how much legal rigamarole law-enforcement has to do to actually do a B&E and plant bugs? We already know law-enforcement cares enough about the situation to do God knows how much paperwork: do you think they'll just say "oh, good catch, you got us, don't worry, you can go free"?

    And then, to make matters worse, you post on Slashdot where you acknowledge that you know the material is evidence in an ongoing investigation and ask for help in tampering with it?

    Let me say this one more time: you are not 1337. You are not too cool for school. You are not immune to prosecution.

    At some point they're going to want that information. They're going to discover that it's been removed from the car. At that point, they know they don't need to be subtle--someone already knows they were bugging. So they're going to haul in your friend and point out just how long five years in a Federal penitentiary is, and they're going to ask her--probably her, directly, since if she's anything like you she's dumb enough not to want a lawyer present--what she did with it. If she cooperates, they'll play nice. If she doesn't, well... hey. One more conviction in the old win-loss book is always a good thing.

    And then they're going to come after you. And when they get to you, you're not going to have anyone you can rat out on. You're going to be left holding the Fuck-Me-Harder bag.

    Get a lawyer right now. Not later. Not in an hour. RIGHT. NOW.

    And grow up, while you're at it.

    1. Re:Get a lawyer. by hrieke · · Score: 2, Insightful

      No, some just take you out back and put a bullet in your head just for the hell of it.

      Now let's say that the AC posting this story lives in an enlighted country, he will end up in front of a judge and jurry here before long. You don't screw around with investigations.

      --
      III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...
  22. Plot the data and look for patterns, yes. by Myself · · Score: 3, Interesting

    Parent has it right. The Advanced Hex Editor (AXE) has this functionality. Lots of fun when looking at uncompressed graphic formats like icons stored in executables. :)

    Grab a few megs from the start of the disk and use sox, the sond exchange to tack audio headers onto it, and try various codec conversions, endian swaps, etc.

    There's every chance that the audio chip was interfaced to the drive very simply, as you theorized, without a filesystem. I'm aware of a product which lets you access an ATA device via RS232, it's called the StampDrive. As far as I can tell, it's a PICmicro that's been taught a basic subset of the ATA spec, and it acts as a storage broker for any device that can speak async serial.

    People who build their own dataloggers have lots of experience with this sort of dirt-cheap interfacing. Your audio bug is, after all, just a specialized datalogger. A few minutes with a search engine should find plenty of info on the subject.

    Post back with any success stories. :)

  23. Play the contents of the disk as raw data... by dpbsmith · · Score: 2, Interesting

    using plausible guesses for data rate and integer width.

    The ear and brain are very good at hearing patterns and extracting information.

    In the days of analog "scrambling" it turned out that it was extremely difficult to scramble speech in such a way as to make it unrecognizable; all sorts of plausible-sounding signal transformations could be interpreted by ear with practice.

    It's worth a try. At the beginning, don't spend a lot of time trying to figure out whether you're decoding it properly. Just do _something_ that will get data off the disk and into a speaker _quickly_ and listen to samples.

    --

    "How to Do Nothing," kids activities, back in print!

  24. How is this tampering and stealing? by Anonymous Coward · · Score: 2, Interesting

    He/She found a hard drive in a car. How can the police prove that he/she knew that it was police/government property? Does it have "property of the police" stamped on it? Also, how is the device "stolen"? It was found in the person's car. They didn't steal it from some house, or from someone else's car. If I find an item in my car, am I stealing it if I remove it? What am I supposed to do, leave it there? I would say that whoever installed the device in the car is the person doing the stealing, because it uses the car's power to operate, and thus uses gasoline that the car's owner paid for.