

File System Forensic Analysis

nazarijo writes "The field of investigative forensics has seen a huge surge in interest lately, with many looking to study it because of shows like CSI or the increasing coverage of computer-related crimes. Some people see a career opportunity there, and are moving toward computer forensics, marrying both law enforcement and investigations with their interest in things digital. Central to this field is the study of data storage and recovery, which requires a deep knowledge of how filesystems work. Brian Carrier's new book File System Forensic Analysis covers this topic with clarity and an uncommon skill." Read on for the rest of Nazario's review.

Title: File System Forensic Analysis
Author: Brian Carrier
Pages: 600
Publisher: Addison Wesley Professional
Rating: 9
Reviewer: Jose Nazario
ISBN: 0321268172
Summary: The standard for digital filesystem forensics

It's easy to think that computer filesystems are relatively simple things. After all, if 'dir' or 'ls' don't show what you're looking for, maybe an undelete program will work. Or will it? To be a decent, trustworthy expert in forensics (a requirement if you plan to participate in any criminal investigations), you'll have to learn how filesystems really operate, how tools like undelete and lazarus work, and how they can be defeated.

Carrier's book isn't a legal book at all, and it doesn't pretend to offer much insight into the law surrounding forensics. Instead it focuses on technical matters, and is sure to be the gold standard in its field. This is important, because it comes at you expecting you to have some knowledge, even if only informal, of what a filesystem contains. With a basic understanding of data structures, you'll get a wealth of information out of this book, and it will be a good reference long after you've first studied it.

File System Forensic Analysis is divided into three sections. These are arranged in the order that you'll want to study them to maximize the benefit you can hope to achieve, namely an understanding of how to examine filesystems for hidden or previously stored data. The first three chapters cover a fundamental series of topics: Digital Investigation Foundations, Computer Foundations, and an introduction to Hard Disk Data Acquisition. While they start at a basic level (e.g. what hexadecimal is), they quickly progress to more developed topics, such as the types of interfaces (SATA, SCSI, IDE), the relationship of the disk to the computer system as a whole, and how data is stored in a file and filesystem at a basic level. A lot of examples given use Linux, due to the raw, accessible nature of UNIX and UNIX-like systems, and the availability of tools like 'dd' to gather data.

Part 2 covers "Volume Analysis," or the organization of files into a storage system. This introduces the basics of things like partition tables (including how to read one). The next few chapters cover PC-based partitions (DOS and Apple), server-based partitions (BSD, Solaris and GPT partitions), and then multiple disk volumes like RAID and logical volumes. With this introduction, the final chapter of the section covers how to use these filesystem descriptions in practice to look for data during analysis. Filesystem layouts, organization, and things like journals and consistency checks are covered with a clarity and exactness that's refreshing for such a detailed topic.
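As an added illustration of what "reading a partition table" in Part 2 involves (example code written for this page, not material from the book or from Carrier's own tools), the following parses a DOS/MBR partition table from a constructed 512-byte sector and reports where each partition begins in a raw image:

```python
"""Parse a classic DOS/MBR partition table from a 512-byte sector.

Added example, not code from the book under review. The sample sector
built by sample_sector() is constructed by hand for illustration.
"""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # the four 16-byte entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid table

# Partition type bytes this example recognises (a small subset of the usual list).
PART_TYPES = {
    0x05: "extended",
    0x07: "NTFS/HPFS",
    0x0B: "FAT32",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def parse_partition_table(sector):
    """Return one dict per non-empty primary entry.

    Each dict carries the bootable flag, type byte, starting LBA sector,
    size in sectors, and the byte offset an examiner would seek to in a
    raw image to reach that partition. Extended partitions (0x05/0x0F)
    are reported but not walked; their EBR chain needs a further pass.
    """
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA signature; not a DOS partition table")

    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        # Entry layout: flag(1) CHS start(3) type(1) CHS end(3) LBA start(4) size(4),
        # all little-endian. CHS fields are ignored; LBA is what modern tools use.
        flag, _chs_start, ptype, _chs_end, lba_start, size = struct.unpack(
            "<B3sB3sII", raw)
        if ptype == 0x00:
            continue  # unused slot
        entries.append({
            "index": i,
            "bootable": flag == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown 0x%02x" % ptype),
            "lba_start": lba_start,
            "sectors": size,
            "byte_offset": lba_start * SECTOR_SIZE,
            "byte_length": size * SECTOR_SIZE,
        })
    return entries


def make_entry(flag, ptype, lba_start, size):
    """Build one 16-byte table entry with zeroed CHS fields."""
    return struct.pack("<B3sB3sII", flag, b"\0\0\0", ptype, b"\0\0\0",
                       lba_start, size)


def sample_sector():
    """Constructed MBR: a bootable NTFS partition followed by a Linux one."""
    sector = bytearray(SECTOR_SIZE)
    table = (make_entry(0x80, 0x07, 2048, 204800) +
             make_entry(0x00, 0x83, 206848, 409600) +
             bytes(32))  # two empty slots
    sector[TABLE_OFFSET:TABLE_OFFSET + 64] = table
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    for p in parse_partition_table(sample_sector()):
        print("entry %d: %-10s boot=%-5s start sector %d (byte offset %d), %d sectors"
              % (p["index"], p["type_name"], p["bootable"], p["lba_start"],
                 p["byte_offset"], p["sectors"]))
```

On a real acquisition the sector would be the first 512 bytes of the image file; the byte offsets are what you would pass to a loop device or to a filesystem parser to examine each volume without mounting it.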

Having covered the basics of filesystems, Part 3 covers the bulk of the book and material. Several chapters follow that specifically show you how to analyze particular filesystems by using their data structures to direct your reads. A range of filesystems are covered, including FAT, NTFS, EXT2 and EXT3, and the BSD types UFS1 and UFS2. Each filesystem has two chapters, one devoted to concepts and analysis, another entirely about data structures. Dividing each filesystem type like this lets Carrier focus first on the theory of each filesystem and its design, and then the practical use of its design to actually understand how to pull data off of it.

The real strength of File System Forensic Analysis lies in Carrier's direct and clear descriptions of the concepts, the completeness of his coverage, and the detail he provides. For example, a number of clear, well-ordered and simple diagrams are peppered throughout the book, explaining everything from allocation algorithms to NTFS alternative data streams. This use of simple diagrams makes the topics more easily understood, so the book's full value can be appreciated. This is the kind of thing that sets a book apart from its peers and makes it a valuable resource for a long time.

Finally, Carrier brings it all together and shows how many aspects of filesystems can be examined using his "sleuth kit" tools, which are freely available and easy to use. Without hawking that toolkit at the expense of other valuable resources, he shows how simple and direct filesystem manipulations can be. This kind of presentation is what makes File System Forensic Analysis a great foundation.

Overall I'm pleased with File System Forensic Analysis. I think that Carrier has achieved what few technical authors do, namely a clear explanation of highly technical topics that retains a level of detail which makes it valuable for the long term. For anyone looking seriously at electronic forensics, this is a must-have. I suspect people who are working on filesystem implementations will also want to study it for its practical information about NTFS. Overall, a great technical resource.


  1. STEP ONE by jos3000 · · Score: 5, Funny

    Don't forget to mount the drive as read only!

    --
    ___ www.lingo24.com Language and translation solutions - online
    1. Re:STEP ONE by Janitha · · Score: 1

      Don't forget to mount the drive (physically) first.

    2. Re:STEP ONE by MyLongNickName · · Score: 2, Funny

      I, for one, do not want to know about your personal life. Thanks.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    3. Re:STEP ONE by Tackhead · · Score: 1
      > Don't forget to mount the drive (physically) first.

      And if you can't securely delete or deniably encrypt your pictures of that step, you deserve whatever punishment the geeks in the forensic lab can nail you with. Dude, sick!

    4. Re:STEP ONE by Anonymous Coward · · Score: 0

      Mounting a filesystem changes (meta)data on the disk. Step TWO, watch more CSI TV to figure out what Step ONE should be....

  2. STEP TWO by varmittang · · Score: 1

    Make a bit for bit duplicate.

    --
    -----BEGIN PGP SIGNATURE-----
    12345
    -----END PGP SIGNATURE-----
  3. CSI by Seumas · · Score: 5, Insightful

    Why in the hell would you choose a dull career like forensic investigation based on a TV show? That would be like becoming a cop because you want to be like Dirty Harry. How many of these gits go into college for this kind of career, because they think it's going to be exciting and they're going to discover the case-cracking evidence in a few hours, grab their gun and go make an arrest?

    1. Re:CSI by Brento · · Score: 4, Funny

      That would be like becoming a cop because you want to be like Dirty Harry.

      Or becoming a hacker because I wanted to meet Sandra Bullock. Man, what a time-waster this has turned out to be.

      --
      What's your damage, Heather?
    2. Re:CSI by abb3w · · Score: 2, Insightful
      Why in the hell would you choose a dull career like forensic investigation based on a TV show?

      Or engineering? After all, if ya canna change the laws of physics, where's the fun in it?

      Monkey see, monkey do....

      --
      //Information does not want to be free; it wants to breed.
    3. Re:CSI by smashin234 · · Score: 1

      Fact is, lots of people choose careers because of how they are portrayed in the media.

      Why do so many people try to become actors or professional athletes?

      I am sure if all the professional waiters in LA saw what their life was really going to be like, they would have chosen a different field.

      Or how about computer science? How many of us computer nerds saw hackers the movie when we were young and turn out to really like it and want to do it as a career? I actually know some people who did that and to this day still work with computers.

      Now they aren't hackers, but most people who watch CSI are not going to be technicians who solve every crime and work with beautiful women. I mean, in CSI, even the nerdy technician is cooler than most people I know.

    4. Re:CSI by garcia · · Score: 1

      Or becoming a hacker because I wanted to meet Sandra Bullock. Man, what a time-waster this has turned out to be.

      Too bad your mom wouldn't let you buy that motorcycle eh?

    5. Re:CSI by Anonymous Coward · · Score: 0

      I don't know about actors but I'd imagine the desire to be a professional athlete has just a little something to do with the mega-million dollar contracts that are constantly discussed on ESPN.

    6. Re:CSI by MogNuts · · Score: 1

      The only beautiful woman on any of the CSI's is the latin one on Miami. The rest are barely cute. The only hot ones are some of the extras who get killed, play hookers, etc.

      Then again, this is slashdot and standards for nerds are a bit different (sorry had to say it) ;-)

    7. Re:CSI by jpostel · · Score: 2, Funny

      I wanted to meet Angelina Jolie... I should have become a cambodian orphan instead.

      --
      Ummm, Jon, aren't you supposed to be dead...? - Otter(3800)
    8. Re:CSI by globalar · · Score: 1

      It's almost like choosing a president based on what you see on TV...

      But seriously, imagination is an important part of human life. I've made a lot of important choices based on my perceptions and ideals that were pretty ignorant and idyllic. Of course real life is boring. I will probably stay within the same 50 mile radius for most of my life. I will eat the same things over and over again. I will only really know a handful of people. I will pass by the same strangers every day. And my job doesn't really account for much.

      But I still keep those stupid notions that there is an exciting and fulfilling part of life hidden, just beneath the commonality. Maybe what I do is really important, and I just don't notice. Or something. Yeah, it's a myth. No more "real" than most of TV. It's just another way to "escape" without leaving the trappings of what we know. To each his own.

    9. Re:CSI by That's+Unpossible! · · Score: 2, Informative

      Why in the hell would you choose a dull career like forensic investigation...

      As opposed to an exciting career, like computer programming?

      Seriously, I do a lot of programming as part of my job, and perhaps the most fun I have at work is when some luser decides to fuck with us and I get assigned to track down as much information as possible about this person's activity on our network.

      If I ever had to find another job, I'd seriously consider getting into computer forensics, or the FBI computer investigation division.

      Just because you don't go make an arrest doesn't mean your discoveries won't directly lead to an arrest. And usually the best kind ... when the loser is least expecting it, because they didn't think anyone was sharp enough on the other end of the line.

      --
      Ironically, the word ironically is often used incorrectly.
    10. Re:CSI by myowntrueself · · Score: 1

      "Or becoming a hacker because I wanted to meet Sandra Bullock. Man, what a time-waster this has turned out to be."

      Which reminds me of that recent movie poster of her... I could have sworn that Sandra had cleavage. What, did they airbrush it out or was I imagining things in the first place?

      --
      In the free world the media isn't government run; the government is media run.
    11. Re:CSI by Shanep · · Score: 2, Interesting

      Why in the hell would you choose a dull career like forensic investigation based on a TV show?

      Computer forensics does not always have to be dull.

      You can sometimes do things you ordinarily would not be allowed to do, because you are doing them to "assist the court", sometimes with explicit blessing from the court in the form of a court order. Reverse engineering, network packet analysis, log file analysis, filesystem analysis, cryptography (algorithm deduction, password cracking), statistics, data mining. Using sniffers, hacking tools, debuggers like IDA Pro, getting to use devices not available to the public, etc.

      It does not have to be boring. And the more you delve beyond the superficial, the more rewarding it is to find evidence yourself and others had missed.

      It can actually be very exciting.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  4. Re:Your rights online? by hal9000(jr) · · Score: 3, Insightful

    I would say a book on how to snoop on people hard drives and see what they deleted is pretty privacy invasive? Most legal investigations are invasive by their very nature.

  5. Long Live Computer Geeks! by ilselu1 · · Score: 1

    Computers are Cool now... Hurray!

    --
    -my inner racer is pointing at him and laughing.-
    1. Re:Long Live Computer Geeks! by ilselu1 · · Score: 1

      Indeed. :-p

      --
      -my inner racer is pointing at him and laughing.-
  6. Here is an even better question by crow_t_robot · · Score: 2, Interesting

    How long will it be before there are a million "IT Forensics" certification mills out there advertising on the radio to knuckle-dragging GEDs to come get certified and make $$$ in this "HOT, NEW, EXCITING INDUSTRY!!!"

    1. Re:Here is an even better question by Seumas · · Score: 3, Insightful

      Will they have to have wavy blonde hair and wear pink polo shirts and go to Brown College? :P

      That's probably one of my bigger pet peeves. People in technology jobs who are not passionate about technology. You see it all the time, unfortunately. You don't have to be passionate about your current job - but you should be passionate about tech.

      I mean, you wouldn't go into teaching if you didn't care about teaching, right? (At least, initially).

    2. Re:Here is an even better question by MrAnnoyanceToYou · · Score: 2, Funny

      The computer industry could use an infinite number of women with wavy blonde hair, pink polo shirts, and a good education, as far as I'm concerned.

    3. Re:Here is an even better question by myowntrueself · · Score: 2, Interesting

      "That's probably one of my bigger pet peeves. People in technology jobs who are not passionate about technology."

      One of my pet peeves is people who work in technology jobs who are passionate about technology to the point where they will convince a client to go for the latest, most bleeding-edge technologies for their most critical, sensitive, 'must never go down' applications.

      I prefer a cautious approach when it involves getting woken up at 3am on a regular basis because some *geek* decided to use something that had never been properly tested, had only just been released, that no one else in the company has ever used, for some production system... that's when I get that murderous blood-rage for people who are 'passionate about technology'.

      --
      In the free world the media isn't government run; the government is media run.
    4. Re:Here is an even better question by gfody · · Score: 1

      your passion is dead. the passionate people are more than happy to be woken up at 3am if something has gone wrong

      --
      bite my glorious golden ass.
    5. Re:Here is an even better question by myowntrueself · · Score: 1

      "the passionate people are more than happy to be waken up at 3am if something has gone wrong"

      And they are usually the people who cause the problem in the first place.

      When you work with sensitive systems they should *not* go wrong at 3am.

      It should never be a *happy time* to get up at 3am to fix something. You should get mad as hell, fix it then make sure that it doesn't break again.

      If you are *happy* to get up at 3am to fix it, you have less incentive to make sure it doesn't happen again.

      Eager Beavers typically cause more problems than they fix.

      --
      In the free world the media isn't government run; the government is media run.
    6. Re:Here is an even better question by gfody · · Score: 1

      I'm not saying you should be excited and happy to be getting woken up at 3am to fix something. You make it sound like there is a conflict of interest. Of course it's frustrating and inconvenient to have to do this. However, the passionate person puts the features and functionality of modern software before his selfish desire to never be bothered.

      You sound like the sort of grump who would deploy 10 year old feature-lacking constrictive software, because you are unwilling to be bothered to learn the idiosyncrasies of the latest stuff.

      I bet your pissy 3am grump sessions are from systems running software so old they haven't been QA'd against the hardware you're running them on. Or do you go so far as to install the 10 year old software on 10 year old hardware? In that case do your headaches come from dead cpu fans or bad power supplies?

      There will always be 3am calls. Wouldn't you rather be learning and helping make the modern software more stable? I already know your answer is that you would rather not be bothered at 3am in the first place.. because you've lost your passion.

      --
      bite my glorious golden ass.
    7. Re:Here is an even better question by myowntrueself · · Score: 1

      In my experience, problems with production systems in the wee small hours are due to overenthusiastic deployment of software and systems that are inadequately tested.

      *overenthusiastic*

      --
      In the free world the media isn't government run; the government is media run.
    8. Re:Here is an even better question by typical · · Score: 1

      I ate at a Long John Silver's a couple years ago where both the cashier and a guy working the grill in the back commented that they were getting computer forensics degrees.

      --
      Any program relying on (nontrivial) preemptive multithreading will be buggy.
    9. Re:Here is an even better question by theTerribleRobbo · · Score: 1

      Passionate != Idiotic.

      It's very possible to be passionate about technology, but not act like an irresponsible clown when it comes to mission critical systems.

    10. Re:Here is an even better question by myowntrueself · · Score: 1

      this is true hence I did phrase my initial comment a little carefully.

      If you have a client who is supposed to be making a couple grand an hour off of a system you build for them -- which they pay you big bucks to build and maintain for them -- and your resident passionate-about-technology geek thinks 'oh shiny new technology, must convince client to buy it so I can play with it' that's every bit as bad as a pointy haired boss deciding which database server to get 'because the purple ones have more RAM'.

      That's what I'm getting at.

      --
      In the free world the media isn't government run; the government is media run.
  7. Re:Your rights online? by Gnpatton · · Score: 0

    The idea is that the information is on the hard drive no matter how you are able to get at it. Handing someone your hard drive after you've deleted and emptied the recycle bin is equivalent to handing them your privacy.

    Ignorance is not a defense.

  8. I might get this by L.+VeGas · · Score: 5, Insightful

    This sounds really interesting. I've been fascinated for a while with how the file / folder metaphor has become so entrenched that people have a difficult time imagining any other way of thinking about it.

    As the OS has become more sophisticated, most computer users now never see things like a disk defrag. They really think that there is a file, all in one spot in their computer, that sits literally next to other files in the same folder. The idea that you can recover a file that has been "deleted" seems like deep wizardry, with no thought to the more impressive wizardry that makes "files" out of pieces of metal with a magnet.

    1. Re:I might get this by FireFlie · · Score: 1
      My question, however, is what type of audience this book is for (I know the reviewer said what the book expected of you prior). The type of people that you are describing (and there are millions of them out there) would probably be mystified by this book (and many would probably believe they understood the contents).

      The review makes it sound like someone that has taken a college level class on operating systems would not gain much from reading this book.

    2. Re:I might get this by garcia · · Score: 1

      I was more interested in a story that recently appeared on CourtTV's Forensic Files. It was about the first known (at least what they claim as such) forensic analysis of computer disks that had been cut (with pinking shears).

      From their website:

      "Shear" Luck"

      When the wife of an Air Force Sergeant is found dead on a Philippines air base, investigators are baffled. With no leads and no new suspects, they are forced to re-examine the man they suspected all along. Using a pioneering technique in computer forensics, authorities are able to put together the pieces of a chilling puzzle. TV-14 V

      Basically they used "post-it-note" like glued Scotch tape to piece the 5 1/4" floppy back and read it. What they originally believed would take 1+ million dollars to do ended up costing less than $150 -- $50 of which was a blown/tossed floppy drive head due to a poorly reconstructed disk.

      Needless to say Tivo has been nabbing every one of these episodes and I'm hopelessly hooked.

  9. Other views on the book by sidney · · Score: 5, Informative

    For alternate opinions on the book see this review by Rob Slade in RISKS Digest, and this short rebuttal of Slade's review by Simson Garfinkle.

    1. Re:Other views on the book by Anonymous Coward · · Score: 0

      by Simson Garfinkle.

      I garfinkled your mother!

  10. Wrong by Anonymous Coward · · Score: 0

    Information wants to be free!

  11. STEP ZERO: by abb3w · · Score: 5, Informative
    Make sure by ordering the right adapter for doing forensics work that Your Young Apprentice (or PFY) can't screw this up. A read-only adapter means the drive can't be mounted rewritably. No, it's not cheap. But what's $500 to the assurance that your evidence chain is prevented from fuckup at the hardware level?

    And no, I don't work for these people. I just think they make some nifty geek toys.

    No, that's not why I have SCSI drives on my home server. Honest; it's for the RAID performance....

    --
    //Information does not want to be free; it wants to breed.
    1. Re:STEP ZERO: by milktoastman · · Score: 0, Troll

      awroijh'[wpgjt ]3QRJPOKJMR'P;K Mq/ef nQE G wkv d/c. ,xz WEF"{Ojr'[IQYRFH[r8h0fKWJEFH /

    2. Re:STEP ZERO: by pegr · · Score: 4, Interesting

      Make sure by ordering the right adapter for doing forensic's work that Your Young Apprentice (or PFY) can't screw this up.

      Well, instead of using an OS that does what it damn well wants (like mount all drives read/write by default), why don't you use Linux and simply create a drive image straight from the raw device without mounting at all? Gen an MD5 on the fly to ensure integrity. Use DCFLDD instead of dd for that trick...

      Funny story: I was in a training class and the topic turned to forensic analysis. I mentioned that the Air Force wrote a wonderful tool, the previously mentioned DCFLDD. Well, this math geek that I was certain worked for some three-letter outfit turned around and looked at me like I was spewing nuclear launch codes! After I assured him that the Air Force open sourced it (and brought up a download URL on his laptop), he seemed to get the clue...

      Since he's also a likely slashdot reader, "Hi Dave!" ;)

    3. Re:STEP ZERO: by computational+super · · Score: 2, Funny
      Funny story

      You keep using that word. I do not think it means what you think it means.

      --
      Proud neuron in the Slashdot hivemind since 2002.
    4. Re:STEP ZERO: by nester · · Score: 1

      Uh, most drives have a write-protect jumper on them. There's no reason to spend $500 just for write protection. The first thing you should do, after setting that jumper, is copy it to another drive (or dd it to a file), anyway, unless you're going to send it ATA read-long commands or something.

    5. Re:STEP ZERO: by pegr · · Score: 1

      Funny story

      You keep using that word. I do not think it means what you think it means.

      Guess you had to be there...

    6. Re:STEP ZERO: by Shanep · · Score: 1

      No, that's not why I have SCSI drives on my home server.

      There are plenty of SCSI write blockers out there.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    7. Re:STEP ZERO: by randomblast · · Score: 2, Funny

      Why is it always a Dave?

      --
      ...these aren't my real teeth.
    8. Re:STEP ZERO: by COMON$ · · Score: 2, Informative

      Why use an OS at all? There are plenty of imagemasters out there; Logicube has some nice ones that I have used personally. Sure they are pricey, but you can do whatever you want to the cloned drive: mount it, run its OS to see what kind of setup the offender had, rip out items, delete, add, run hashes, whatever you want, and not worry about hurting the original drive sitting across the room from you in an antistatic bag.

      --
      CS: It is all sink or swim...oh and did I mention there are sharks in that water?
    9. Re:STEP ZERO: by markov_chain · · Score: 1

      Yeah, and then like the parent said, the new guy confuses 'if' and 'of' and bye-bye evidence... does the AF tool have some reasonable sanity checks?

      --
      Tsunami -- You can't bring a good wave down!
    10. Re:STEP ZERO: by Shanep · · Score: 5, Insightful

      Well, instead of using an OS that does what it damn well wants (like mount all drives read/write by default),

      I agree, gathering evidence with Windows sucks.

      why don't you use Linux and simply create a drive image straight from the raw device without mounting at all?

      Because in court, things can get nasty like this...

      Barrister: Did you use a (looks at freshly written note) "write blocker", Mr. Smith?
      Forensics guy: No, I did not need to. I refrained from mounting the disk and copied it at a raw block-for-block level (confusing to judge).
      Barrister: Yes or No Mr. Smith, did you use a "write blocker".
      Forensics guy: No.
      Barrister: And a "write blocker" is a forensics industry standard method for preventing contamination of captured evidence? (Judge respects witnesses who respect the court enough to make sure their captured evidence is absolutely accurate and original evidence could not have been altered).
      Forensics guy: Yes, but...
      Barrister: Mr. Smith, you failed to take a basic precaution to make absolutely certain that the captured evidence was not altered in any way, by using a basic device that is normally a part of the toolkit of a computer forensic professional. Do you possess a "write blocker" Mr. Smith?
      Forensics guy: Yes (No).
      Barrister: Then WHY did you not use it?! (You ARE a computer forensics professional are you not Mr. Smith?)
      Forensics guy: gasp gasp (blush) choke...

      The point is, if you are gathering evidence of this sort, then write blockers are tools you should have and always use. All the opposition needs to do is raise doubt. And then you and your client are screwed.

      When you take the stand or put on an affidavit, the opposing legal team will attack:

      1/ Your findings and the methods you used to get to them.
      2/ Your evidence.
      3/ Your credibility.

      and at a worst case...

      4/ Accuse you of tampering with ORIGINAL EVIDENCE which has been tendered to the court!

      Not having a write-blocker says, "I am not a computer forensics professional".

      Having a write-blocker and not using it says, "I am sloppy and failed to use a simple tool at my disposal to assist the court as best I could".

      Whether your evidence is exactly the same as the other forensics experts' is beside the point. They have attacked your credibility and that can go against your findings (even if they are completely correct). You have nothing to gain from not using a write-blocker (which you should already have) and everything to lose. I would love to just capture evidence with FreeBSD and just copy from the raw device. But at the end of the day, the cost of a $500 write-blocker, which you get to use over and over, should be peanuts compared with what you make each day you work on cases which require its use.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    11. Re:STEP ZERO: by Shanep · · Score: 2, Informative

      Uh, most drives have a write-protect jumper on them.

      Even if the HDD you were capturing evidence from had a write-protect jumper, the point of a write-blocker is that it removes doubt. You plug it in and it will not allow writes to the drive. You don't have to worry about what jumper to short, etc. A simple and absolute solution leads to a simple and absolute statement on the stand.

      BTW, can you point me to a HDD which has a write-protect jumper? I don't recall ever seeing one.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    12. Re:STEP ZERO: by jhoffoss · · Score: 1
      The tool is dd that automagically pipes the data stream through a checksummer to generate an md5/sha1/sha128/sha256 (IIRC) on a specified windowsize (from one 512b block to the entire device/file).

      There is nothing special as far as what is/is not a valid source/destination device.

      --
      Linux: The world's best text-adventure game.
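pegr's and jhoffoss's comments above describe imaging straight from the raw device, hashing the stream on the fly, and hashing in windows the way dcfldd does. The following is an added example written for this page, not dcfldd or any tool from the thread: it copies a constructed raw "device" (a temporary file, since a real block device is assumed to sit behind a write blocker) block for block to an image, records a hash per window plus a whole-stream hash, verifies the image, and shows how the window hashes localise a later alteration.

```python
"""Block-for-block imaging with on-the-fly whole-stream and windowed hashes.

Added example for this page, not dcfldd itself. The source "device" is a
constructed temporary file so the script runs offline; on a real
acquisition src_path would be a raw block device behind a write blocker.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512


def image_with_hashes(src_path, dst_path, window=4 * BLOCK_SIZE, algo="sha256"):
    """Copy src to dst in 512-byte reads; return (total_hash, window_hashes).

    window_hashes is a list of (start, end, hexdigest) over consecutive byte
    ranges of the stream; the last window may be short. The source is opened
    read-only, but that is only a software promise, hence the write blocker.
    """
    total = hashlib.new(algo)
    window_hash = hashlib.new(algo)
    window_hashes = []
    offset = window_start = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(BLOCK_SIZE)
            if not chunk:
                break
            dst.write(chunk)
            total.update(chunk)
            window_hash.update(chunk)
            offset += len(chunk)
            if offset - window_start >= window:
                window_hashes.append((window_start, offset, window_hash.hexdigest()))
                window_hash = hashlib.new(algo)
                window_start = offset
    if offset > window_start:  # trailing partial window
        window_hashes.append((window_start, offset, window_hash.hexdigest()))
    return total.hexdigest(), window_hashes


def hash_file(path, algo="sha256"):
    """Independent whole-file hash, used to verify the written image."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_mismatched_windows(path, windows, algo="sha256"):
    """Re-hash each recorded window of `path`; return those that differ.

    This is what the windowed hashes buy you: you can state which region of
    an image changed, not merely that the whole-image hash no longer matches.
    """
    bad = []
    with open(path, "rb") as f:
        for start, end, digest in windows:
            f.seek(start)
            if hashlib.new(algo, f.read(end - start)).hexdigest() != digest:
                bad.append((start, end, digest))
    return bad


def acquire_and_verify(src_path, dst_path, window=4 * BLOCK_SIZE):
    """Image the source, then re-hash the image and compare to the stream hash."""
    total, windows = image_with_hashes(src_path, dst_path, window)
    return {"hash": total, "windows": windows,
            "verified": hash_file(dst_path) == total,
            "bytes": os.path.getsize(dst_path)}


def demo():
    """Constructed device: ten patterned sectors plus a 4-byte tail."""
    tmpdir = tempfile.mkdtemp()
    src = os.path.join(tmpdir, "suspect.raw")
    dst = os.path.join(tmpdir, "suspect.dd")
    with open(src, "wb") as f:
        for i in range(10):
            f.write(bytes([i]) * BLOCK_SIZE)
        f.write(b"tail")  # a file, unlike a disk, need not end on a sector boundary
    result = acquire_and_verify(src, dst)
    result["intact_windows_check"] = find_mismatched_windows(dst, result["windows"])
    # Simulate a later alteration of the image (never the source) and localise it.
    with open(dst, "r+b") as f:
        f.seek(3000)
        f.write(b"\xff")
    result["altered_windows"] = find_mismatched_windows(dst, result["windows"])
    result["image_still_matches"] = hash_file(dst) == result["hash"]
    return result


if __name__ == "__main__":
    r = demo()
    print("image hash:", r["hash"], "verified:", r["verified"])
    print("altered windows after tampering:", [(s, e) for s, e, _ in r["altered_windows"]])
```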
    13. Re:STEP ZERO: by jizmonkey · · Score: 1
      Well, this math geek that I was certain worked for some three-letter outfit turned around and looked at me like I was spewing nuclear launch codes! After I assured him that the Air Force open sourced it (and brought up a download URL on his laptop), he seemed to get the clue...

      Why didn't you let the fucker twist in the wind? I've looked at DCFLDD, and although it can be useful it's just about the most trivial modification to a GPL tool there is. If some low-level tool wants to have a heart attack over thinking state secrets are on the Internet, I certainly wouldn't be the one to disabuse him.

      --
      With great power comes great fan noise.
    14. Re:STEP ZERO: by jafac · · Score: 1

      Don't a lot of drives have a Read-Only jumper these days?

      --
      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    15. Re:STEP ZERO: by nester · · Score: 1

      My SCSI Seagates have always had them, and I've seen them on others.

    16. Re:STEP ZERO: by markt4 · · Score: 1

      There are plenty of SCSI write blockers out there.

      This is not meant sarcastically. Are there really? My experience is that there are very few. The only ones I've ever seen, and I can't find links to them anymore, are full forensic recovery PCs, not adaptors like the parent links to. Can you point me to any such devices? I have a real need.

      PS And, yes I know many SCSI drives have a write-protect jumper setting, but not all do, and the exceptions are important too.

    17. Re:STEP ZERO: by drsmithy · · Score: 1
      Uh, most drives have a write-protect jumper on them.

      SCSI drives, maybe. I don't think I've ever seen an IDE or SATA drive with one.

    18. Re:STEP ZERO: by kwark · · Score: 1

      [grabs a drive from desk]
      It's a dead Quantum Atlas IV (SCSI):
      http://support.dell.com/support/edocs/storage/6848 p/Jumpers.htm
      [search of other drives]
      Found some more dead IDE drives, which all lack a WP jumper.

    19. Re:STEP ZERO: by pegr · · Score: 2, Insightful

      Why didn't you let the fucker twist in the wind?
       
      Cause he was otherwise a very cool guy. Standard with-clue geek with other character redeeming characteristics... Not everyone who works for Uncle Fed is a mindless drone. Especially this three-letter organization... (Come to think of it, he was leaving Uncle Fed to start his own practice.)

    20. Re:STEP ZERO: by Shanep · · Score: 1

      Found some more dead IDE drives, which all lack a WP jumper.

      Okay. I obviously have not seen enough SCSI drives then!

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    21. Re:STEP ZERO: by Shanep · · Score: 1

      Hi,

      Plenty is probably exaggerating a little. ; )

      These are what I can find at the moment, although I have seen other models which I can't find at the moment...

      Paralan - SCSI Write Blocking Board.
      FORENSiCPC - FireWire800 + USB2.0 SCSI Bridge Kit
      Digital Intelligence.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    22. Re:STEP ZERO: by drmerope · · Score: 1

      This says much more about the courts and people's inability to offer the right explanation at the right time.

      That is, there is a clear answer to "Then WHY did you not use it?!"

      "Because such a device is Kludge. It is a black-box that cannot be verified and as such is no better than the "black-box" of the operating system.

      Moreover, the latter is used and effectively tested by millions whereas only a handful of people purchase such "write blockers".

      Ultimately such a device merely relocates the nexus of trust and fails to actually improve the surety of the evidence."

      So says the expert with confidence.

    23. Re:STEP ZERO: by yatt · · Score: 1

      well i found it funny and wasn't there...

    24. Re:STEP ZERO: by Anonymous Coward · · Score: 0

      That's because you're a twatty american wanker who has no grasp of humour.

    25. Re:STEP ZERO: by Shanep · · Score: 2, Insightful

      Ultimately such a device merely relocates the nexus of trust and fails to actually improve the surety of the evidence.

      I agree with a lot of what you have said. But...

      Court cases are all about being most convincing to a judge and sometimes a jury. They typically don't understand the technical issues, so expert witnesses are expected to explain the findings in an accessible manner.

      Write-blockers do however work and are expected to be used. There is little to go wrong with a write-blocker/expert combination and a lot more that can go wrong with a software/expert combination.

      You do the best for the court and write-blockers provide the best solution for capturing evidence accurately without modifying the original. You can't accurately capture original evidence if the act itself alters it, even if ever so slightly.

      What you have to understand though, is that even if you are the best computer forensics expert to have ever walked the Earth, the barristers on the opposing side NEED to find fault with you, your findings and your evidence. They do it for a living and they are really good at it. They can take a small issue and have your evidence and findings thrown out.

      Because such a device is Kludge. It is a black-box that cannot be verified and as such is no better than the "black-box" of the operating system.

      I would not call the forensic quality write-blockers on the market "a kludge". They perform a basic role to a level that is accepted by the highest courts and experts (the real ones). They are very simple, yet vital. They go a long way to preventing human error.

      Moreover, the latter is used and effectively tested by millions whereas only a handful of people purchase such "write blockers".

      The software in question is extremely complex and has to be driven by an error prone human. The write-blocker on the other hand, is a very simple device dedicated for one thing and is simply plugged into the drive to be captured.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    26. Re:STEP ZERO: by drmerope · · Score: 1

      "I would not call the forensic quality write-blockers on the market "a kludge". They perform a basic role to a level that is accepted by the highest courts and experts (the real ones). They are very simple, yet vital. They go a long way to preventing human error."

      Being fairly well versed in the SATA specifications, I can tell you that having such a device in the middle that behaves as that device does, is not a part of the specification. Therefore I labeled it a kludge. I concede that might be to make a nit-picky point that plays on the emotional impact of kludge to discredit something which is merely absent from the specification rather than prohibited by it.

      "The software in question is extremely complex and has to be driven by an error prone human. The write-blocker on the other hand, is a very simple device dedicated for one thing and is simply plugged into the drive to be captured."

      I'm sure it seems that way, but in reality it is some hardware running a program stepping through a state-machine and acting man-in-the-middle to filter the requests.

      I agree it is dedicated. Still I think the Honda analogy might apply. Honda sells inexpensive, reliable cars in large volumes. Hondas last, Hondas perform as expected, etc. They do these things much better than competing products because their economies of scale can command the commitment of substantial engineering services. A car such as a Jaguar would have to cost 10x as much as its already inflated price + sell at the same volume as it does now to pay for the engineering that Honda can get for the Accord.

      These devices might be very simple, but in terms of relevant man-hours that doesn't make them better designed.

      I think it's a very difficult calculus without a certain result a priori to determine which actually has the greater risk, if you had to select one method over the other.

      Of course, I'm sure we can agree that the *right* answer is that you should do it both ways.

    27. Re:STEP ZERO: by Shanep · · Score: 1

      Of course, I'm sure we can agree that the *right* answer is that you should do it both ways.

      Absolutely. I prefer write-blocker and capturing from an OS which does not "think" for me. ; )

      Do you really think those devices are out of spec? Many of them are switchable between writable and write-block and merely don't pass any write commands on to the drive. It seems pretty simple to me. Humans on the other hand, have bad days. There is that classic story of Linus Torvalds dialing up to the internet, but instead of dialing with his MODEM device, he accidentally dialled his HDD device! Writing some characters over the beginning of the disk.

      People make mistakes, write-blockers are simple and almost eliminate any damage that a mistake may have caused. I say almost, because people are of course always able to accidentally switch to writable (if their blocker is switchable).

      Re: Honda and economies of scale, a write blocker is super basic. Get commands, pass anything on which is not any type of write command. An OS and userland tools on the other hand, are very complex. This is a core functionality of products made by companies which make these devices and they need to stand up to the scrutiny of the court.

      My point is that these devices are very simple and thus little can go wrong with them. There are few buttons for a person to push. I believe they adhere to specs but simply choose to drop certain commands, kind of like a firewall. OS and apps are way too complex and people stuff up when they have lots of buttons to push.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    28. Re:STEP ZERO: by danielrose · · Score: 1

      Inconceivable!

      --
      i hate pansy republicans
  12. Re:The "How To Destroy Your HD" Thread by Gnpatton · · Score: 4, Funny

    Install an old version of windows, unpatched with no firewall protection.

  13. 2 other great books I have used... by Anonymous Coward · · Score: 2, Informative

    I suggest getting: Incident Response (Kevin Mandia and Chris Prosise) and also Computer Forensics (Warren G. Kruse and Jay G. Heiser). Both are an excellent read, and the Mandia book has some wonderful documents to use for real-life situations.

  14. Forensics? Wouldn't know it from the review by Red+Flayer · · Score: 4, Informative

    In all, a good review of the book. However, the focus on forensics is left out of the review -- just wanted to point out that the book is more than a text on file system management, search, and data recovery.

    Although, of course, the book does a very good job of being that as well.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  15. Re:The "How To Destroy Your HD" Thread by Anonymous Coward · · Score: 0

    microwave ;)

  16. Re:Your rights online? by vettemph · · Score: 1

    I would like to see the compliment to this book.
    "How to keep your thoughts and PC data yours and yours alone."

    How do you know if your encrypted volume is really as secure as you think it is?

    --
    The government which is strong enough to protect you from everything is strong enough to take everything from you.
  17. Re:The "How To Destroy Your HD" Thread by abb3w · · Score: 4, Funny
    A nice gob of thermite over the drives

    Custom built 5.25" bay metal box, front side key locked switch controlling 12v powered spark igniter for magnesium primer charge; remainder of the box filled with thermite. Install in the computer's top bay. You can generally get all the way through at least eight drives that way, but if you have vertical mount drives, you'll want a second kaboom bay in the lowest 5.25 bay. Have a good UPS, and have a metal-bottomed water tank below the computer (camouflage as an overclock device), because that much thermite does NOT stop quickly.

    They can pry my PGP key from my computer's cold dead... um, slag. =)

    --
    //Information does not want to be free; it wants to breed.
  18. Re:STEP ONE!!!111oneoneone by idontgno · · Score: 1
    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  19. Complement not Compliment by Anonymous Coward · · Score: 1

    You get a "compliment" when someone tells you you're pretty. When something COMPLEtes another it is called a "complement".

    1. Re:Complement not Compliment by vettemph · · Score: 1

      Score is zero because there is no (+5, Dick)

      --
      The government which is strong enough to protect you from everything is strong enough to take everything from you.
  20. Re:Your rights online? by MoralHazard · · Score: 1

    Shouldn't this be categorized as your rights online?

    Slashdot has a separate category for books, smart guy. That's why it's in the "books" category and not the "your rights online" category. If Slashdot reviewed a book about civil rights, British history, how to grow your own pot, Microsoft's dealing with Satan, or ANY topic, it would go under "books".

    I would say a book on how to snoop on people's hard drives and see what they deleted is pretty privacy invasive?

    Join the 21st century... I mean, join the 1990s. Hard disk forensic analysis has been a booming field in the last 10 years. It's a crucial part of most computer forensic investigations.

    Do you also think that biology books on DNA testing, or texts on explosives chemistry fingerprinting, are "privacy invasive"?

    More to the point, are you now, or have you ever been, a member of the Tinfoil Hat Brigade?

    I could be wrong....

    NOW you're on to something...

  21. people who bought this book also bought: by museumpeace · · Score: 3, Informative

    a series of how-tos and standards docs
    At the behest of the DOJ, NIST has been grinding out standards on how to forensically analyze a hard drive and other arcana for several years now.

    NIST even provides tools: http://www.cftt.nist.gov/

    --
    SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
  22. New TV show.. by Bnderan · · Score: 5, Funny

    I will look forward to watching SCSI-Miami.

    1. Re:New TV show.. by R2.0 · · Score: 1

      I don't know that a show pronounced "scuzzy Miami" would do so well - accurate though the title may sound.

      --
      "As God is my witness, I thought turkeys could fly." A. Carlson
  23. What about encryption? by tacokill · · Score: 5, Insightful

    I know that encryption is a topic unto itself but it is becoming more and more common for people to create PGP Disks or DriveCrypt disks.

    How do those things fit into this topic? I mean, the filesystem stuff is great and interesting but it doesn't seem to do any good if all you can recover is a PGP Disk file*.

    Can someone much smarter than me tell me how data forensics deals with that????



    * PGP Disk: a pgp encrypted file that can be mounted as a drive letter. It is, literally, a file just sitting there on your harddrive. You mount the file (after providing the secret passphrase) and voila! - you now have an encrypted drive to copy files in and out of.

    1. Re:What about encryption? by Anonymous Coward · · Score: 0

      Any encryption will do. Government and Corporations are getting more invasive and I can see encryption become a big thing in the future for general PC users & for those who value their privacy. The "What do you have to hide" people can just simply go jump off a cliff.

    2. Re:What about encryption? by Anonymous Coward · · Score: 0

      Forensics addresses it like this: if your application to run your encryption (i.e. bcrypt, etc.) leaves the password in cache (which, actually, a number of encryption programs really do) then retrieving the passphrase is trivial work. Here is an instance where having a corporate image that does not empty the memory on reboot is helpful for forensics. Just even having tools that are not authorized for use can be grounds for termination. Of course, encrypted data would not get you the answer of WHAT was encrypted, but it could make that employee be watched (i.e. installing a keylogger for further evidence in a criminal case). Understand, though, that merely having these apps on a PC does not mean that the user even knows they are there (someone could be storing the apps there, for use on a different system).

    3. Re:What about encryption? by jonadab · · Score: 2, Funny

      > tell me how data forensics deals with [a PGP Disk file]?

      First you recover the PGP Disk file, using the sorts of techniques discussed in the book this review covers. Then you apply cryptanalysis, using the sorts of techniques discussed in cryptography and cryptanalysis books.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    4. Re:What about encryption? by Anonymous Coward · · Score: 0
      you apply cryptanalysis, using the sorts of techniques discussed in cryptography and cryptanalysis books.

      Or, alternately, you ship the subject to Gitmo and apply electroshock, the drip can, and threats of "repatriation" in order to coerce^h^h^h^h^hconvince the subject to give up the "secret password".

      Or, even less sinister, turn the subject's keyboard over, because the damn "secret password" is Post-It (tm) noted there.

    5. Re:What about encryption? by ColaMan · · Score: 1

      Can someone much smarter than me tell me how data forensics deals with that????

      You also recover the swap file / partition and grep it for passphrases. Because even though PGP is pretty good :-) about keeping things out of swap, "grep the swap file" is probably the next thing to do after a dictionary attack fails.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    6. Re:What about encryption? by Anonymous Coward · · Score: 0

      That's why you need OS X 10.4 with encrypted swap. Seriously under-hyped feature.

    7. Re:What about encryption? by sshore · · Score: 1

      They'll start with a brute-force of the passphrase. Many people choose foolishly short passphrases.

      Then comes the rubber hose. Basically, they just beat the key out of you.

      Forget the cryptanalysis stuff. That takes too long, and unless the subject is dead or it has to be covert, this is much faster.

    8. Re:What about encryption? by Algan · · Score: 1

      What if I don't have a swap partition? With memory prices being so low these days, who needs swap anymore? Personally I'm happy with my 1 GB of real RAM. When I need more, an extra GB can be had for the price of a dinner at a fancy restaurant...

      --
      If con is the opposite of pro, is Congress the opposite of progress?
    9. Re:What about encryption? by hirebrand · · Score: 1

      Have the judge ask the perp what the password is and if he refuses send him to jail for contempt of court?

    10. Re:What about encryption? by typical · · Score: 0

      Rebooting doesn't zero RAM (assuming that it's an instantaneous reboot, not killing the power and letting it sit off). If you're dedicated and are looking at a locked computer, you can reboot the computer, boot into a CD with software that can scan through memory, and go to town.

      I once hung my Power Mac 6100/60 after spending almost four hours writing a paper in BBEdit without saving (yes, that was pretty stupid under Classic Mac OS), rebooted, and started dumping out data to the disk from memory from MacsBug. I think Andy Ihatkno (or whatever the guy's name is -- Mac people will know who I'm talking about) once wrote an article about something along these lines in MacUser, years ago.

      --
      Any program relying on (nontrivial) preemptive multithreading will be buggy.
    11. Re:What about encryption? by jetmarc · · Score: 1

      > Can someone much smarter than me tell me how data forensics deals with that????

      More often than not, these encryption tools are not watertight. They are incomplete solutions to the problem.

      The type of tool you describe mounts an encrypted disk-image. Dictionary and brute force attacks aside, the disk-image itself is usually impossible to crack.

      However, when the image is mounted (legitimately), the password and key material reside on the hosting computer. That is, they reside outside the scope of the encrypted disk-image - for example in the RAM memory, maybe in the swap file on the boot harddisk, or maybe even in regular files (keystroke logger spyware, anyone?).

      Some of these unwanted storage locations appear avoidable. For example, when allocating memory for the key, one can request "non-swappable" memory. But even if the developer knew and did this, WinXP hibernation or any laptop's suspend-to-disk sleep mode can still compromise your password and key material. And even the best antivirus software does not guarantee a 100% clean machine.

      In addition to these possible leaks of the password/key, there is another big risk. Whenever the disk-image is mounted, the contained files are accessible to the machine. They can be copied out to not-secured areas of the system, without the user knowing. For example, when you open a WORD document, a temporary copy might be created in the Windows "Temp" folder (on the windows harddisk). While you type, undo buffers are created as well, for your changes to be undone if you wish so. If, while the document is open, the memory manager decides to page out your document to the swap file, it ends up on the boot drive as well. When you print the document, a copy of it is rastered and stored in the printer queue (again, on the windows harddisk).

      It's obvious - while the files inside the disk-image might be uncrackable, their temporary copies all around the windows harddisk are not. These tools are secure only when the disk-image is isolated from the producing machine. I.e., you can use them to protect a CD-R backup (where nothing but a 700MB disk-image is burned).

      For working with content, I rather recommend a full-disk encryption tool. These encrypt every sector of your physical harddrive (all of them). Whenever the operating system writes a sector, it is encrypted before it makes it to the disk. It doesn't matter if the sector is part of a regular file, a temporary one or even the swap file. If, by definition, there do not exist not-encrypted sectors on your harddrive, there is no way for your harddrive to leak not-encrypted data to attackers.

      There are only 2 ways such a system can leak data (dictionary and brute force attacks aside): again, suspend-to-disk sleep modes tend to write the RAM content bypassing all drivers (thus bypassing your encryption layer, writing your raw password/key material to disk). And of course, online attacks like viruses and spyware can leak data. As soon as their logs are sent over internet, the secure scope of your harddisk is left and your security is compromised.

      Here are a few recommendations for tools that can be used to encrypt whole harddisks:

      Securstar DriveCrypt Plus Pack (WinXP)
      EncryptionPlus (Win2k + WinXP)
      SecMBR (DOS,Win9x)

      The latter is a development of mine, email if you are interested.

      Also, it is possible to create "VMware" virtual machines that reside on encrypted partitions (eg LoopAES) and run any operating system. With "Venturecom BXP" it is possible to boot a diskless PC with WinXP (from an encrypted server).

      Marc

    12. Re:What about encryption? by archeopterix · · Score: 1
      Have the judge ask the perp what the password is and if he refuses send him to jail for contempt of court?
      Won't work for StegFS-like tools. ("StegFS is a Steganographic File System for Linux. Not only does it encrypt data, it also hides it such that it cannot be proved to be there.")

    13. Re:What about encryption? by jonadab · · Score: 1

      > > you apply cryptanalysis, using the sorts of techniques discussed
      > > in cryptography and cryptanalysis books.
      > Or, alternately, you [...] coerce^h^h^h^h^hconvince the subject
      > to give up the "secret password".

      Cryptanalysts call this "rubber hose cryptanalysis" if you coerce, or "social engineering" if you convince by more subversive and less painful means.

      > Or, even less sinister, turn the subject's keyboard over, because the
      > damn "secret password" is Post-It (tm) noted there.

      This is a form of cryptanalysis by surveillance. Any cryptanalysis book that does not at least mention these methods is not worth the paper it's printed on.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    14. Re:What about encryption? by d0c0m0 · · Score: 1

      You can also use a hidden partition, that is an encrypted partition within another encrypted partition, such that the existence of the 'inner' partition cannot be determined.

      You would then give up the password to the 'outer' partition in which you might have placed some sensitive looking but legal material (such as your collection of german midget porn). Nobody will know that an inner partition exists where the really sensitive material is placed.

      Various tools can do this such as Truecrypt and FreeOTFE for windows. Don't know about Unix/Linux/BSD and OSX.

  24. I do this sometimes... by MarcQuadra · · Score: 4, Interesting

    I do 'forensics' sometimes. I was freelance fixing computers for a while when one of my clients asked me to find out what her husband was doing online. For a princely sum I began doing 'stealth' missions for many distressed spouses. I uncovered a lot of dirt and presented it with the understanding that I never be named or asked to testify.

    Morally, it's a dark-grey zone, but it paid well and I provided the hard evidence needed to end a few broken marriages. All my former clients are better off after they found the truth.

    It was odd explaining to the ladies that the VAST majority of men on the web look at porn, and that it's not anything to worry about. I was looking for personal ads, dating sites, child or extreme porn, and S&M personals sites.

    It's exciting to get the call at 8am to come and clone a drive on-site. I then take it home and get what I can from it however I can, from mounting and browsing to hexdumping and grepping.

    --
    "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
    1. Re:I do this sometimes... by Dogtanian · · Score: 5, Funny

      I was looking for personal ads, dating sites, child or extreme porn

      What the heck is 'extreme porn'?!

      People f*****g on snowboards at 120MPH? Some naked chick with massive fake breasts doing skateboard stunts on a halfpipe while guys standing at the top on each side try to bukakke her while she's paused in mid-air?

      "It's not XXX rated.... it's XXXTREME rated!"

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    2. Re:I do this sometimes... by rufusdufus · · Score: 1

      Don't get too uptight about explaining to the ladies that men look at porn online, they have a darker secret.

      The fact most men are blind to is that the ladies have online boyfriends they chat with all day long.

    3. Re:I do this sometimes... by Johnny+Mnemonic · · Score: 2, Interesting

      For a princely sum I began doing 'stealth' missions for many distressed spouses.

      I'm glad that I use OS X's encrypted home directory, then. I guess you won't be reading my files. You could change my pass by booting to CD (and then I'd know!) but you still couldn't get to my home dir.

      Seriously, you ever run into a Mac that had more than a passing effort made at security, and if so were you able to get around the safeguards? Or did you just sub that out?

      fwiw, I guess if they wanted you to testify you wouldn't have much of a leg to stand on--a subpoena is a subpoena, and you would either have to ignore it, respect it but stay silent, or 'fess. All would involve legal fees, and I think it could be construed as not legally admissible evidence. In any event, if I was the husband's divorce lawyer, I would ask you some sharp questions.

      --
      $tar -xvf .sig.tar
    4. Re:I do this sometimes... by Anonymous Coward · · Score: 1, Funny

      > fwiw, I guess if they wanted you to testify you wouldn't
      > have much of a leg to stand on--a subpoena is a
      > subpoena, and you would either have to ignore it, respect it
      > but stay silent, or 'fess.

      You unwittingly have stumbled across the reason why we don't worry too much about encryption. Dorks can wrap their goods in layers of encryption, but at the end of the day it becomes worth their time to hand over the passphrases. The loudest, most flamboyant who post "I'll n3v3r h4nd 1t 0v3r 2 th3 f3ds!!!" are typically the ones who end up writing it on a tear-soaked interview form. :)

      I love how that works out.

    5. Re:I do this sometimes... by GoatPigSheep · · Score: 1

      yeah but if you are being investigated and they have enough evidence against you already, having your personal files encrypted is a big sign of guilt. Personally, unless you have something REALLY big to hide, it's not worth wasting all the cpu cycles on encryption. If you really are serious about encryption, then you want something like IBM's corporate laptops with hardware encryption.

      Even then, unless you are in some sensitive field, you SHOULDN'T have anything to hide

      --
      GoatPigSheep, the 3 most important food groups
    6. Re:I do this sometimes... by Anonymous Coward · · Score: 1, Insightful

      "Morally, it's a dark-grey zone, but it paid well and I provided the hard evidence needed to end a few broken marriages. All my former clients are better off after they found the truth."

      Is that what you tell yourself? How the hell can you make a bald assertion like that? On what evidence?

    7. Re:I do this sometimes... by karmatic · · Score: 1

      Ok, fine. Boot to CD, Modify the Kernel (log the first 5 minutes of keystrokes, perhaps?), and come back in a few days.

      Depending on your state's laws, there is a very good chance that if you are married, the computer is just as much hers as yours.

    8. Re:I do this sometimes... by redelm · · Score: 1
      True. Infidelity is hardly a male-only activity. Females indulge about 2/3rds as often (odd disparity--with whom?), but are always more careful because of larger consequences.

    9. Re:I do this sometimes... by techno-vampire · · Score: 2, Interesting
      ...and S&M personals sites.

      Did you ever find one and have the wife respond, "If I'd known earlier he liked that, I'd have given him all the S&M he wants. No need for him to look elsewhere."

      --
      Good, inexpensive web hosting
    10. Re:I do this sometimes... by Anonymous Coward · · Score: 0

      > Morally, it's a dark-grey zone, but it paid well
      > and I provided the hard evidence needed to end a
      > few broken marriages. All my former clients are
      > better off after they found the truth.

      So how do you eliminate the "setup" cases? Spouses looking to "manufacture" evidence to be used against an innocent husband or wife? Your clients may be "better-off" but how do you know that justice was served?

    11. Re:I do this sometimes... by JoeBuck · · Score: 2, Funny

      "I'd be happy to beat the crap out of him!"

    12. Re:I do this sometimes... by techno-vampire · · Score: 1

      That wasn't exactly what I was thinking of, but it works. I was thinking more in terms of a masochistic husband never realizing that his wife has sadistic tendencies, or a submissive man who didn't know his wife had always wanted to be a dominatrix. You wouldn't think it would happen, but if both are a bit inhibited about their secret desires it could be.

      --
      Good, inexpensive web hosting
    13. Re:I do this sometimes... by typical · · Score: 1

      I and another buddy that have interest in computer security once sat down, and as a mind game, tried to figure out how to reasonably secure a home computer, without any special hardware, extreme effort, or conditions placed on the user, against local attack. It just wasn't very feasible.

      If you think that your Mac will protect you...well, good luck.

      A couple thoughts: hardware keyloggers, trojaned bootloaders, etc.

      --
      Any program relying on (nontrivial) preemptive multithreading will be buggy.
    14. Re:I do this sometimes... by Anonymous Coward · · Score: 0
      Seriously, you ever run into a Mac that had more than a passing effort made at security, and if so were you able to get around the safeguards?

      An AC responds: By taking advantage of the "always-on" network connection, and some PPC assembly coding. I bypassed the boot restrictions by removing the hard drive and placing it as a secondary drive on another Mac. I tampered with the OS so the keyboard driver had a low level tie to the TCP/IP stack, in order to copy keystrokes to a chosen IP/UDP port where a server awaited listening and recording. Reinstall hard drive in original machine. This got me (over time) the requisite userids, logins, and File Vault passwords. More advanced methods would be needed if working behind a well-designed corporate firewall that would alert to the funny UDP traffic, but this was a home desktop.

      Imperfect physical security is the best hole to shoot for, if you can.

      (Kids! DON'T try this in your home country without a properly issued warrant!)

    15. Re:I do this sometimes... by Anonymous Coward · · Score: 0

      sure, give them ideas...

    16. Re:I do this sometimes... by gr8dude · · Score: 1

      You are not correct. People want to hide things because they need the 'psychological comfort' of knowing that their stuff is safe.

      It's like with diaries - people hide them because the pages contain sensitive information. A hidden diary is not something which proves that I murder people and hide the evidence; it's proof of the fact that I am a _normal_ human being with my own fears and feelings.

    17. Re:I do this sometimes... by Johnny+Mnemonic · · Score: 1

      hardware keyloggers, trojaned bootloaders

      Ok; you might be able to clip a dongle to my keyboard cable that keylogs, maybe you can attach it inside the case so I don't notice it. I guess I'm less worried about being bugged than I am about being either raided, in which case the cops seize my computer and I don't type in my password after; or it being stolen by thieves, who would get to my banking information in Quicken.

      I maintain that ex post facto attempts to get information from me would be pretty hard, but I'll concede that some kind of eavesdropping mechanism could steal my secrets and be used to gain access later.

      --
      $tar -xvf .sig.tar
    18. Re:I do this sometimes... by MarcQuadra · · Score: 1

      By 'extreme' porn I meant things that are indicative of a deranged person. If you like pissing on people, that's fine, if you have 2,000 scat videos, that's deranged.

      Granted, I myself am quite deranged, but when I do this stuff, I'm working, and I report that which is seriously abnormal.

      --
      "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
    19. Re:I do this sometimes... by MarcQuadra · · Score: 1

      I'm just a normal geek, but I'm friends with some very high-end hackers, like 'two degrees' from the guy who had the big Cisco exploit recently, and less from other major exploits (all benign guys, BTW, I work for and associate with the 'light side' only)

      Mac OS X has a lot of holes, they just aren't getting exploited. Apple's pretty good at getting them patched, but they have problems in core system design like anyone else.

      The firewall on OS X is disabled by default, I'd enable it if I were you. I'm responsible for the Macs at my work and you can bet they've got antivirus AND the firewall on.

      --
      "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
    20. Re:I do this sometimes... by MarcQuadra · · Score: 1

      Is that what you tell yourself? How the hell can you make a bald assertion like that? On what evidence?

      On the lives of my clients after they finally got out of silently abusive relationships.

      There was a case where the husband was gay but wouldn't admit it to the wife or himself because he was concerned about his children. It's BETTER now that 'daddy's gay and mommy's single'.

      A person with a functional moral compass knows when things are good and when they aren't. I only take the job when they aren't and the situation would be a net-gain even in the worst of discoveries.

      I don't go around swipe-and-snooping for just anyone. I need a detailed history and a valid reason to do this sort of thing. Like a parent reading a kid's journal, you can't just drop in and take a peek any old day, you can only do it if you have a serious concern about safety, sanity, or character.

      --
      "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
    21. Re:I do this sometimes... by MarcQuadra · · Score: 1

      I'm the grandparent, FYI.

      Yes, this actually happened to ME.

      I was living with a wonderful woman for two years. Eventually things got distant and 'weird'.

      I was running a squid proxy at home at the time, so I decided to poke through the logs. I found a few porn sites I wasn't fans of, all 'cheating wife' stuff.

      On closer inspection, I saw that my SO had ACCOUNTS at these sites, and was posting in forums and such.

      I continued my investigation, monitoring much more closely now, and discovered that she was getting S&M training from people I knew!

      I confronted her and we fought (obviously), but after I kicked her out, we had what was unarguably the best sexual relationship I've ever had. For over a year _I_ was in charge, and she loved every minute of it. I wouldn't be the person I am today if that hadn't happened to me.

      She and I eventually got separated by work and geography, but I wouldn't have agreed to my first client if I hadn't had this experience myself.

      --
      "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
    22. Re:I do this sometimes... by MarcQuadra · · Score: 1

      What I produce is NOT court-admissible, it's confirmation of suspicion, it's fodder for an argument.

      I don't think the people who would do such a thing would end up calling me, nor do I think they'd get by an interview with me. I get all of my business through referrals that are made while women are alone with each other, being honest.

      In the off chance they do, all they have is a few pages of web sites that computer's been and some data from cached pages. If the husband didn't do it, he'd blame wifey or kids.

      My report goes to the client, not a lawyer, not a judge. It's only to find 'the truth' for the client, you can't confront a spouse with lies and expect to get what you want.

      --
      "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
    23. Re:I do this sometimes... by jrockway · · Score: 1

      Ah, so now anyone that likes anything other than heterosexual vaginal intercourse is a pervert and should never be allowed to be in a relationship. In fact, if you've ever looked at anything other than Playboy, we should just execute you now.

      Nice to know we live in such a progressive society.

      --
      My other car is first.
  25. Where's my hammer? by jeweekes · · Score: 1

    If you don't want anyone to find out what you have been doing on your computer, then a hammer is the best choice. Works for NSA, and it'll work for you too!

  26. Re:The "How To Destroy Your HD" Thread by joelsanda · · Score: 1

    Install an old version of windows, unpatched with no firewall protection.

    Install Windows XP and turn off auto update.

    --
    The Luddites were ahead of their time.
  27. Related Links by jkitchel · · Score: 3, Informative

    Related links:
    Digital Forensic Tool Testing Images
    Brian's Tools - Includes links to SleuthKit and Autopsy
    Forensic Tool Kit free trial

    FTK is a nice tool to play around with for Windows users, especially with the testing images. The free trial does have a limit of 5,000 files per image so if you create or work on testing images you may have to get rid of extraneous junk and leave the good stuff. SleuthKit and Autopsy are great for the *nix environment. After you get those tools working you might give Scan of the Month challenges 24 and 26 from The Honeynet Project a shot. They're both pretty fun and challenging. Don't worry if you don't know what you're doing. Both of the challenges have writeups done on how to accomplish the tasks and what tools were used if you need guidance.

    1. Re:Related Links by Stibidor · · Score: 2, Informative

      Another nifty tool from AccessData that plugs nicely into the FTK is the Registry Viewer. Using the FTK you can find all the Windows registry files on the drive. The Registry Viewer (obviously) will open them and allow you to view just about any key/value including encrypted keys like the Protected Storage (Internet Explorer autofill and Outlook/Outlook Express saved passwords).

      Since I enjoy tooting my own horn from time to time, the information referenced in this article was obtained by me and my co-worker (I shamelessly admit to working for WhiteCanyon) using AccessData's FTK and Registry Viewer. It was quite a bit of fun to see our results hit national T.V. :)

  28. Re:The "How To Destroy Your HD" Thread by Anonymous Coward · · Score: 0

    "Custom built 5.25" bay metal box, front side key locked switch controlling 12v powered spark igniter for magnesium primer charge; remainder of the box filled with thermite. Install in the computer's top bay."....

    Sounds like one of those "Build a nuclear bomb" anarchy bullshit articles.

    Did you lift that word for word from Phrack.

  29. Re:That is just great by hoggoth · · Score: 2, Funny

    > Mmmmm young girls...

    You'd better hope nobody does a forensic analysis of YOUR filesystems.

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
  30. Crooks are going to read-only + encryption by davidwr · · Score: 3, Informative

    Crooks who are "smart" are going to encrypted systems and making darn sure there's no unencrypted writable storage lying around. This, plus tamper-evident computer including tamper-evident keyboard and keyboard-connectors and a faraday cage makes it very hard on the police.

    Can you say "boot with Suse Live CD and encrypt /dev/hda"? I knew you could.

    This only works in jurisdictions that can't force you to reveal your passphrase. In those jurisdictions, smart crooks outsource their IT to North Korea :).

    That still leaves plenty of forensics work for criminals using other people's computers such as white-collar crooks and the 99% of crooks who aren't smart.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  31. "Not Hard Enough" Drives by Doc+Ruby · · Score: 1

    Is anyone still in the business of data recovery for badly crashed hard drives? Like after a headcrash, or being repeatedly smashed inside a notebook during a botched mugging? I used to use a few companies in Manhattan's Financial District, but they're all gone. First they moved to Jersey, now there's no trace. I guess their Financial biz customers all decided, after years of paying $500 per recovery, several times a week, to take out the "backup insurance" their IT was always recommending. So demand dried up. Is there any service available for recovery from drives in worse condition than "stiction", for under $1000?

    --
    make install -not war

  32. Re:The "How To Destroy Your HD" Thread by hoxford · · Score: 2, Informative

    You'll want more than a water tank below the computer since water doesn't stop a thermite reaction. Try a couple of layers of firebrick or some other ceramic that won't shatter due to extreme heat.

  33. Save SEVEN BUCKS by Anonymous Coward · · Score: 0, Informative

    Save yourself SEVEN BUCKS by buying the book here: File System Forensic Analysis

    1. Re:Save SEVEN BUCKS by ZosX · · Score: 1

      It is also a scam. By clicking on that link and buying the book, the poster makes money. It's called a referral and it is spam. If someone wants to buy the book they can go price compare themselves. The honest thing to do would be to just simply place a referral free link to the book on amazon. Unfortunately not many people realize that by clicking the link you are generating income. The amount of money this little scheme produces really isn't worth the effort. You'd be better off begging for a quarter or something.

    2. Re:Save SEVEN BUCKS by ZosX · · Score: 1

      I doubt the slashdot sanctioned link would include a referral. The outcry would be too great. People already complain enough about the front page product placement ads I mean stories. A referral will save you no money. It is merely a program for amazon to increase sales by trickling a very small (pennies) portion of the sale to the referrer. The amazon.com price would be the same either way. I could be totally wrong of course, but compare the prices yourself. I doubt you will see any difference.

    3. Re:Save SEVEN BUCKS by ZosX · · Score: 1

      Interesting. You are right. The slashdot link is a referral the best I can tell. I didn't even realize that. I guess that's what I get for not reading TFA to begin with. That's pretty bad when the actual FA is on the beginning of the slashdot page. You really shouldn't buy from either link. Did slashdot itself add the referrer link or the reviewer? I wonder if the poster actually made any money out of this deal.

      Slashdot
      Ads for nerds.
      Stuff that used to matter.

      (gotta pay for all that bandwidth somehow m'boy!)

  34. NTFS by Digital+Pizza · · Score: 1
    So, was the author somehow able to get more in-depth documentation on NTFS than the Linux NTFS driver developers have?

    I'd love to see reliable and fast NTFS writing capability in Linux without having to use Captive-NTFS. Maybe the developers should buy a copy of this book.

    --
    We apologize for the inconvenience.
    1. Re:NTFS by Anonymous Coward · · Score: 0

      Data forensics is all about reading. Writing needs to be avoided at all costs, lest you bork up what you're trying to find out.

      So, no, data forensics research will not get you NTFS writing.

    2. Re:NTFS by dougmc · · Score: 1
      So, was the author somehow able to get more in-depth documentation on NTFS than the Linux NTFS driver developers have?
      Why would he need it? The current Linux NTFS driver already has what he needs -- reading.

      When you're doing any sort of analysis or data recovery of a disk, the first rule is you don't write to the disk. You copy everything somewhere else, preferably bit by bit, then disconnect the original, and then mount the copy of the original, read only and work on it, copying what you recover to another disk.

      As for the devices that explicitly prevent writing to the disk, the only real need I see for those would be if you needed to PROVE to a court that you didn't write to a disk. For data recovery (not looking for criminal evidence) you probably don't need that -- just make sure you don't write to the disk and you're fine.

    3. Re:NTFS by Digital+Pizza · · Score: 1
      He wouldn't; where did I say that he did?

      I was wondering if the NTFS driver developers for the Linux kernel might find this documentation useful in order to enable NTFS writing in Linux, finally. My question had nothing to do with data recovery and everything to do with the fact that apparently somebody has finally documented NTFS.

      --
      We apologize for the inconvenience.
    4. Re:NTFS by dougmc · · Score: 1
      that apparently somebody has finally documented NTFS.
      I haven't read the book, but I doubt the author has any more information on the NTFS file formats than the Linux NTFS driver developers.

      He doesn't need to know any more than they do to recover data off the disk. In fact, it may be that the author learned everything he needed to know about the NTFS file system by reading the Linux NTFS driver source code and any associated reverse-engineered documentation.

      Actually, you can recover a lot of data off of a disk without understanding the underlying filesystem format at all. Granted, you'll do better if you understand the format, but it's not essential.

      For example, if the police suspect that a computer has child porn on it, you could scan the disk, block by block, looking for blocks that have the JFIF header, and then following the stream after that and seeing if it's a valid jpeg. Most of the time, a small file won't be fragmented at all and you can read almost every jpeg image on the disk this way, even those that were deleted, knowing nothing of the filesystem format.

      There are even programs out there that will do this all for you. One common application is recovering pictures off of a compact flash card (or whatever) after your digital camera went haywire and trashed the FAT headers.
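
The block-by-block header scan dougmc describes, as an added example that is not code from this thread: a small JPEG carver run over a constructed disk image, ignoring the filesystem entirely. The image, the synthetic JPEG layout (SOI, APP0 "JFIF" segment, SOS segment, scan data, EOI), the 512-byte block size and the `carve_jpegs` / `jpeg_length` names are all assumptions made for this example.

```python
"""Carve JPEG files out of a raw disk image by scanning block boundaries for
a JFIF/Exif header and following the marker structure to the EOI marker.
No filesystem metadata is consulted, so deleted-but-unoverwritten images are
recovered as long as they are not fragmented."""
import struct
from dataclasses import dataclass
from typing import List, Optional

SOI = b"\xff\xd8"          # Start Of Image
EOI = b"\xff\xd9"          # End Of Image
SOS_MARKER = 0xDA          # Start Of Scan: entropy-coded data follows
# SOI followed by APP0 (JFIF) or APP1 (Exif) is what a camera/browser writes.
JPEG_HEADERS = (b"\xff\xd8\xff\xe0", b"\xff\xd8\xff\xe1")


@dataclass
class CarvedFile:
    offset: int   # byte offset in the disk image where the file starts
    data: bytes   # the recovered file contents


def jpeg_length(buf: bytes, start: int, max_len: int) -> Optional[int]:
    """Return the length of a complete JPEG beginning at buf[start], or None
    when the marker chain is broken or no EOI is found within max_len bytes
    (a truncated or partially overwritten image)."""
    end = min(len(buf), start + max_len)
    pos = start + 2                      # skip SOI
    # Phase 1: walk the length-prefixed segments (APPn, DQT, SOF, DHT, ...)
    # until the SOS segment; each length field includes its own two bytes.
    while True:
        if pos + 4 > end or buf[pos] != 0xFF:
            return None
        marker = buf[pos + 1]
        if marker == 0xFF:               # fill byte before a marker
            pos += 1
            continue
        seg_len = struct.unpack(">H", buf[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == SOS_MARKER:
            break
    # Phase 2: entropy-coded data. A real 0xFF inside it is stuffed as
    # 0xFF 0x00, and restart markers 0xFFD0-0xFFD7 may appear; anything
    # else after 0xFF must be EOI, otherwise the stream is not a clean image.
    while pos + 1 < end:
        if buf[pos] == 0xFF:
            nxt = buf[pos + 1]
            if nxt == 0xD9:
                return pos + 2 - start
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                pos += 2
                continue
            if nxt == 0xFF:
                pos += 1
                continue
            return None
        pos += 1
    return None


def carve_jpegs(image: bytes, block_size: int = 512,
                max_len: int = 16 * 1024 * 1024) -> List[CarvedFile]:
    """Scan every block boundary for a JPEG header and carve complete files.
    Files whose header does not sit on a block boundary are deliberately
    not considered (filesystems allocate files at block boundaries)."""
    found = []
    for off in range(0, len(image) - 4, block_size):
        if image[off:off + 4] not in JPEG_HEADERS:
            continue
        length = jpeg_length(image, off, max_len)
        if length is not None:
            found.append(CarvedFile(off, image[off:off + length]))
    return found


def make_synthetic_jpeg(scan_data: bytes) -> bytes:
    """Constructed, minimal JPEG skeleton (not a decodable picture): SOI,
    APP0 JFIF segment, SOS segment, the given scan data, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    return (SOI + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos
            + scan_data + EOI)


def build_sample_image() -> bytes:
    """Constructed 8-block disk image: one intact file, one header that is
    not block-aligned, one truncated file (no EOI), one more intact file."""
    bs = 512
    blocks = [bytes(bs) for _ in range(8)]
    jpg_a = make_synthetic_jpeg(b"\x12\x34\xff\x00\x56\xff\xd0\x78")
    jpg_b = make_synthetic_jpeg(bytes(range(1, 200)))
    blocks[1] = jpg_a.ljust(bs, b"\x00")
    blocks[3] = (bytes(100) + jpg_a).ljust(bs, b"\x00")   # mid-block: skipped
    blocks[4] = jpg_a[:30].ljust(bs, b"\x00")             # truncated: skipped
    blocks[6] = jpg_b.ljust(bs, b"\x00")
    return b"".join(blocks)


if __name__ == "__main__":
    for f in carve_jpegs(build_sample_image()):
        print(f"offset {f.offset}: {len(f.data)} bytes")
```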

    5. Re:NTFS by danielrose · · Score: 1

      If the person I'm gathering evidence on has more money, I may need that write capability....

      --
      i hate pansy republicans
  35. Having done forensic work... by bradleyland · · Score: 5, Informative

    Honestly, this job is probably the coolest I've done. We get the run of any joint we enter. We get to crack people's passwords, read their stuff, and pry into the details that they're trying to hide.

    Outside of the unreal timeframe, it is a bit like television. I've been on location at 1 AM acquiring hard drives so that the debtor principals didn't know what we were doing. Walking through the data center with my mag light at that hour of the morning comes pretty close to that feeling you get when you watch CSI on TV. Most of the time, we tell the people on location we're making "backups" of the data so that we can preserve the data in the event of a crash. There's definitely a social element to forensic work (at least in bankruptcy cases).

    A typical acquisition may go something like this:

    You set up, pull your forms, start noting observations, pull the drives, hook them up to the little black box connected to your laptop's firewire port (a write-blocker), and start having a look at the data. If you've got what you're looking for, you acquire the drive and put everything back together. Boot it all up and be on your way.

    You may be doing this in the CEO's office, or in the data center looking for a mail server. The top officers are usually the most important, since they have the most important correspondence and data.

    It's a fun job. It's every bit as exciting as what you see on television (for once).

    1. Re:Having done forensic work... by Anonymous Coward · · Score: 2, Interesting

      Honestly, this job is probably the coolest I've done.

      The adrenaline of solving the puzzle and turning up evidence which no other team has been able to prior is pretty awesome too.

      I LOVE computer forensics. Nothing on TV comes close to how cool it can be.

      Collecting evidence can be boring. But finding evidence that is intentionally hidden in really creative ways is exciting. Being creative in your methods is also fun and VERY VERY cool when it is a method nobody has ever used before for that problem. Especially when others around you are telling you that you are "going about it all wrong" and then it is *your* evidence and findings which become most important to the case.

    2. Re:Having done forensic work... by jallen02 · · Score: 1

      Repo men don't hide FROM debtors, they work FOR the debtors....

    3. Re:Having done forensic work... by WebwiZ2600 · · Score: 1

      I'm a student in college and since my sophomore year of high school I liked the idea of Computer Forensics. Just so I'm not wasting my time what major should I have? Computer Science, Computer information science, Computer data systems, etc..? Also should criminal law be a minor? Please help a college sophomore before it's too late!!!

    4. Re:Having done forensic work... by hcdejong · · Score: 1

      Walking through the data center with my mag light at that hour of the morning comes pretty close to that feeling you get when you watch CSI on TV.

      Mag light? OK, pet peeve time: why walk around in the dark, trying to see by some puny flashlight when you can flip the bloody lightswitch instead?
      I understand why it's done on TV (makes for a more dramatic look), but IRL, why bother?

    5. Re:Having done forensic work... by halleluja · · Score: 1
      Honestly, this job is probably the coolest I've done. We get the run of any joint we enter. We get to crack people's passwords, read their stuff, and pry into the details that they're trying to hide.
      Come again, what ISP you say you worked for?
    6. Re:Having done forensic work... by bradleyland · · Score: 1

      Couple points of clarification:

      Lights - Not every location has a light switch. Some use special "key" like devices to operate the lights, others are automated and use limited lighting in off hours. Also, you don't go walking through turning on every light in the building while en route to your location inside the building, so you're still cruising with your mag light, even when you can turn the lights on.

      Repo men - I'm not a repo man. I work in Bankruptcy administration. I work for a consultation firm that is normally employed by the Trustee (who represents the unsecured creditors in a bankruptcy). It is not always an option to shut down a business, because the Trustee faces liability if the business can continue to operate and bring in money still tied up in WIP (work in progress). Sometimes "operational cooperation" is important. Most of the time we have the ability to walk into the office during normal operating hours and image someone's hard drive on the spot. It all depends on the goals.

      Education - I wish I had more information for you here. There are a wide range of individuals in computer forensics. Some are law enforcement who fell into the computer field. Some are IT workers who are drawn to forensics. Rather than educational recommendations, I'd recommend that you get comfortable with some of the tools. There are some free forensic tools out there that are based on common Unix utilities, as well as some commercial products. EnCase is one of the more popular. Being handy with regular expressions is a huge plus when performing analysis. One of the biggest challenges is weeding through too much information. Also, the field requires a lot of diversity. You'll be dealing with all types of systems; sometimes not even a computer. One growing area is acquiring office products. A lot of copy machines have hard disks in them. Digital copiers scan the image to disk then run the copies from the cached image. We try to recover this data. Diversity is key.

      The smoking gun - Definitely a thrill. We recently delivered key evidence in a pretty significant case. The person being prosecuted was infamous in their circle. A Google search for this person turned up a lot of flaming results. That made me feel really good to have a hand in putting him in prison (this was a state receivership turned criminal).

  36. Re:The "How To Destroy Your HD" Thread by Anonymous Coward · · Score: 0

    The reaction for thermite using iron(III) oxide:

    Fe2O3 + 2Al → Al2O3 + 2Fe; ΔH = -851.5 kJ/mol

    (source: Wikipedia)

  37. MC by Dogtanian · · Score: 2, Funny

    If you don't want anyone to find out what you have been doing on your computer, then a hammer is the best choice.

    I found that too... I got Hammer to defend my computer, and any time someone tries to take the drive away for forensic examination Hammer stops them by saying "You can't touch this!"

    --
    "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
  38. Re:The "How To Destroy Your HD" Thread by ResQuad · · Score: 2, Interesting

    definitely a little extreme, but as the other replier stated, water won't stop thermite very quickly. In reality you don't need that much destructive power to destroy a hard drive.

    If I had my way, I'd just put a small shaped charge on top of the hard drive. Small enough to destroy the hard drive (and probably some other stuff in the machine w/ fragmentation) but not big enough to blow up the entire machine. Cases are pretty well built nowadays, and with some reinforcement they could take a small shaped explosion (that was not pointed at them). But this is all under the guise that you can get your hands on all this stuff.

    What can the real person do to protect themselves is a better question. What quick/destructive methods are there for the real person.

  39. Re:The "How To Destroy Your HD" Thread by Anonymous Coward · · Score: 1, Informative

    actually if you microwave a CD, it is still about 30% readable which is enough to bust you. I'd expect similar performance from hard drive platters.

  40. Morality of Privacy by redelm · · Score: 2, Interesting
    You may be concerned that you violated someone's privacy. I would not be. You did not get anything that wouldn't be discoverable during divorce proceedings.

    On a more fundamental level, privacy is a conditional right. A person has to behave in order to enjoy it. It is not a shield for wrongdoing. Moreover, in a marriage it is patently obvious that both are willingly giving up privacy. I have fewer qualms with spousal snooping than that on kids or employees.

    But beware, the discoveries hurt!

    1. Re:Morality of Privacy by Anonymous Coward · · Score: 1, Insightful
      But beware, the discoveries hurt!

      Yep... and if you go snooping yourself instead of hiring it out also be prepared to get hurt. I had an extremely rocky marriage, suspected my newlywed wife of wrongdoing and started spooling off copies of all her email conversations.

      What started as a "what can I learn that will help me save this marriage" quickly turned into a nightmare when I discovered how bad things really were... cheating, backstabbing, outright plots against me, etc. It hurt, but it also gave me the leverage I needed to get out of the situation before it got immeasurably worse.

      Personally, I say "good for you" to anyone who uncovers this kind of thing for spouses. If they have reason to suspect things, they are probably valid and it can be just the push they need to get out of a really bad situation before it gets worse.
    2. Re:Morality of Privacy by redelm · · Score: 1
      Yes, data is data. Denial may feel good in the short-term, but it has steep long-term costs. What is, is. You'd best know it.

    3. Re:Morality of Privacy by Anonymous Coward · · Score: 0

      Maybe you should be concerned. 4 people were recently indicted for installing spyware on their lovers' computers

      http://www.wired.com/news/privacy/0,1848,68674,00.html?tw=rss.POL

    4. Re:Morality of Privacy by MarcQuadra · · Score: 1

      I'm the grandparent poster, and I agree. I'll go into more detail later in the S&M post, but being in that situation was one of the reasons I got into the industry.

      I wanted to help the 'good' people who were wasting their time on 'bad' people.

      --
      "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
  41. Re:The "How To Destroy Your HD" Thread by DarthVain · · Score: 1

    That seems a bit over the top, and I bet thermite is probably kinda hard to get your hands onto. A simpler, low tech, cheaper alternative (unless it keeps going up like this) is simple gasoline. I mean HD's aren't that durable anyway, a simple device to open a container (located at the top of your HD bay) full of gas, and another time delayed (say 3 seconds), to ignite (maybe reverse one of those silly USB cigarette lighters I have seen around), or a simple switch off the PSU would probably get the same result. If you have one of those cases with all the fans.... just imagine the kind of blaze you could get going with the air intake! Not to mention this thing is going to set off sprinklers or be doused by fire retardant foam, etc... neither of which is probably very HD friendly.

  42. Me, too.. I have done some of this work.. by Tikicult · · Score: 2, Interesting

    It's really profitable... I was charging $200 an hour. Spent a ton of time digging around on a bunch of CDs, a hard drive and thru a couple of email inboxes. Plus my client had a key logger.

    cool stuff.

  43. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  44. Bigger questions by cpu_fusion · · Score: 3, Insightful

    Rather than being so worried about what is there or not, the deeper and far more difficult question is: why is it there?

    With the existence of zero-day exploits, spyware-zombies-for-sale, broadband, etc., how can anyone convince a jury beyond a reasonable doubt that someone put the bits there THEMSELF without a confession or video of them actually putting the content there?

    People are going to jail because of this shit. Digital evidence is an oxymoron.

    1. Re:Bigger questions by BosHaus · · Score: 2, Interesting

      If you just have a random file or image of kiddie porn, I don't think that you can prove anything. But if you are looking and see file histories, downloading programs, gigs of data, etc that all point to something illegal, then you can make a case. I would doubt any spyware or zombie would actually go through the trouble of creating the whole path of crime.

    2. Re:Bigger questions by cpu_fusion · · Score: 1

      The problem with your argument is that if one file can be written to your hard drive thanks to a compromised system, any number can be written.

      What's even better is that the hacker can erase all their tracks.

      Bits are bits. You can't very well determine WHY those bits are there. Whether an individual went through the steps to download the bits themselves, over the course of weeks, or they got dumped there in one pass by someone in China over your broadband connection.

      It could happen to ANYONE READING THIS. You could be framed so easily, and some "forensic expert" isn't going to be able to tell the difference.

      How does that make you feel?

    3. Re:Bigger questions by sinewalker · · Score: 2, Insightful

      It is an interesting question, "how did it get there?". I feel confident that I could not be framed convincingly, merely by somebody placing contraband on my PC and making it look like I did it, because if the judge/jury don't ask this question, my defence lawyer would. I fail to see how I could be convicted unless there were additional evidence (such as a trail showing how I got the file, or money transfers showing my purchase, or surveillance showing me collecting CDs of kiddie porn from some supplier who they are staking out).

      Do you have documented cases where someone was convicted solely on the evidence of files found on a computer? Show Us! This would definitely have me worried. But I doubt there could ever be a case.

      In order for a forensic investigator to even begin searching your computer, they have to have a good cause to seize it. They won't get a good cause without other evidence that suggests you might have something to hide there.

      Even if Mr.Enemy places such evidence on your PC (using info like in this book to make it look convincing) and then goes to the police claiming you are harbouring kiddie porn and he's worried you might be a distributor, they are going to ask how he knows (he saw it / you showed him it on your computer) and if you then say "but Mr.Enemy framed me" it becomes a he-said/she-said and they are going to need more evidence to convict. They won't neglect the possibility that Mr.Enemy placed it there, especially if Mr.Enemy had the access needed (long hours alone with your PC).

      It's easy to be paranoid, but I really feel forensics like this to be much more helpful in leading to evidence that can convict, rather than to being the basis of a conviction itself. And for that I am grateful it's there as a tool.

      --
      “Our opponent is an alien starship packed with nuclear bombs. We have a protractor.” — Neal Stephenson
    4. Re:Bigger questions by cpu_fusion · · Score: 1

      I agree with you to a great extent, including that (hopefully) no one is convicted on this sort of "evidence" alone. Yes, absolutely law enforcement would need probable cause to be seizing and searching a computer, but there are cases (the workplace, repair shop, etc.) where a 3rd party can stumble on to something.

      Of course, a remote compromise of your computer could also generate the traffic (say an HTTP request to the White House with a special message) that gives law enforcement probable cause.

      I just have grave concerns that our legal and law enforcement systems haven't fully grasped the ease at which a machine can be *remotely* compromised, "evidence" planted, and tracks covered up. One would hope every defense attorney would understand this. I'm just concerned that it will take a decade or two before the courts understand this all as well as they understand matching typewriters and DNA.

  45. Me too by ari_j · · Score: 2, Interesting

    For a law firm, I investigated a drive that had been stolen by a former employee. The drive had been recovered, and my task was to determine what he had done with it and whether he had taken or tampered with any of the intellectual property on the drive. It paid very handsomely for the amount of work involved, and it was an intellectual challenge. That said, this book may have made it easier (I didn't read the review in-depth or the book itself, but I assume it wouldn't make the task more difficult).

    In this case, I determined that the employee had mounted each partition on the drive to a separate mount point, not in the original structure (such as /, /usr, /home, and so forth; he had mounted it on /mnt1, /mnt2, /mnt3, and such).

    It's not as glamorous as extreme porn or personal ads, but it was still interesting.

    1. Re:Me too by jizmonkey · · Score: 1
      The drive had been recovered, and my task was to determine what he had done with it and whether he had taken or tampered with any of the intellectual property on the drive.

      I assume he had left evidence of touching the drive, because if he hadn't there would be no way to prove that he had or hadn't "taken" the "intellectual property." (using both words loosely, of course)

      --
      With great power comes great fan noise.
    2. Re:Me too by ari_j · · Score: 2, Informative

      File access times. Word to the wise: If you want to copy all the files off of a hard drive, mount it read-only or make an image of it and work from that instead.
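
The advice above (image the drive, or mount it read-only, instead of copying files off it) as an added example, not code from the page or from any of the commenters. It images a raw device with dd without ever mounting it, hashes source and image, and records the hash so the image can be re-verified later. The device name /dev/sdb in the comments is a placeholder; the demo works on any ordinary file standing in for the device.

```sh
#!/bin/sh
# Added example (not from the page): acquire a disk image without mounting
# the source, then prove the image matches the source byte for byte.
# Assumes POSIX sh, dd, and either sha256sum (coreutils) or shasum.
export LC_ALL=C

# Print the SHA-256 of a file or raw device.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_and_verify SRC DST
# SRC is the raw device (hypothetical /dev/sdb; on Linux first run
# `blockdev --setro /dev/sdb` so even a slip cannot write to it), or any
# file standing in for it.  Never the mounted filesystem: mounting, or
# even reading files through it, updates access times.  If you must mount,
# use `mount -o ro,noatime`.  Returns 0 only if the image hashes the same
# as the source.  conv=noerror keeps going past unreadable blocks; on a
# failing disk add conv=sync (zero-fill the bad blocks) and expect the
# hashes to differ, which is itself something to document.
image_and_verify() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=4096 conv=noerror 2>/dev/null || return 2
    src_hash=$(hash_of "$src")
    dst_hash=$(hash_of "$dst")
    # Chain-of-custody record: the hash the image had at acquisition time.
    printf '%s  %s\n' "$src_hash" "$dst" > "$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# verify_image DST: 0 if DST still matches the hash recorded at acquisition.
verify_image() {
    [ "$(hash_of "$1")" = "$(cut -d' ' -f1 "$1.sha256")" ]
}

# Usage (as root, on the real thing):
#   image_and_verify /dev/sdb /evidence/case42-sdb.dd && echo "image OK"
#   ... weeks later, before testifying ...
#   verify_image /evidence/case42-sdb.dd && echo "image unchanged"
```

Work only on the .dd file (or a copy of it) from then on; verify_image is what you run before every analysis session and again before court, so that you can state that the image is the one you acquired.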

    3. Re:Me too by typical · · Score: 1

      People mount things with atime?

      I never found atime to be useful, and did find it to cause irritating hard drive noise and reduce performance.

      --
      Any program relying on (nontrivial) preemptive multithreading will be buggy.
    4. Re:Me too by ari_j · · Score: 1

      Very few criminals are all that intelligent about their crimes. Those who are don't even trigger any warning signs that would lead a person to hire a computer forensics guy.

    5. Re:Me too by MarcQuadra · · Score: 1

      I'm a HUGE fan of the firewire disk enclosure, I can just swipe the bytes and examine them from the comfort of my home on my own time.

      It's safer when you're in someone's house, too. The last thing I want is for the client's spouse to drop in, I'd have to pretend to be a tech delousing the system, it would be... awkward.

      --
      "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
  46. Bayl Abegu Xbernaf qb bhgfbheprq rapelcgvba!!! by Anonymous Coward · · Score: 0
  47. Actually by DnemoniX · · Score: 2, Informative

    You DO NOT want a water tray at the bottom. What makes you think a little bit of water will stop thermite? You need a tray full of sand. The thermite is hot enough to separate the hydrogen out of water, not a great move.

  48. Re:The "How To Destroy Your HD" Thread by Seraphim1982 · · Score: 2, Insightful

    I bet thermite is probably kinda hard to get your hands onto

    Do you really think that aluminum and iron oxide are that hard to get a hold of? Anyone who has passed high school chemistry could make it.
    In my experience it is harder finding a way to light the thermite than it is to actually make the stuff.

  49. Re:The "How To Destroy Your HD" Thread by level_headed_midwest · · Score: 1

    My gen chem teacher in college did that. He used a ground-up rusty bolt, a soda can and tinfoil, some water, and magnesium peroxide (I know it was some magnesium oxide that reacted with water to give O2). He simply lit it and it was like a road flare.

    --
    Just "gittin-r-done," day after day.
  50. anti-forensics by BosHaus · · Score: 1

    has anyone come out with a book on anti-forensics? That'd be a great read.

    1. Re:anti-forensics by sinewalker · · Score: 1

      you could probably start with this one reviewed, taken in that light it would definitely be an exciting read...!

      --
      “Our opponent is an alien starship packed with nuclear bombs. We have a protractor.” — Neal Stephenson
    2. Re:anti-forensics by Anonymous Coward · · Score: 0

      Phrack 59

      Defeating Forensic Analysis on Unix
      by The grugq

      http://www.phrack.org/phrack/59/p59-0x06.txt

      Googling around this will show up some of his most recent stuff.

  51. Problem in the Making? by Anonymous Coward · · Score: 0

    If they use evidence derived from computer
    "forensics" as the basis to charge or convict
    someone it seems like a a lot of people could
    be falsely charged or jailed. We can't even write
    small to midsized software systems without making
    mistakes in both the analysis and implementation
    phases (and hence bugs!). Do we dare bring people
    into court based on someone's analysis of some
    system/software/hardware?

    1. Re:Problem in the Making? by sinewalker · · Score: 1

      I will be testifying in a court as an expert witness for a financial company, so I think I can answer this concern with a little bit of authority, though I'm not a law expert.

      Generally, I don't see how this would happen -- can you imagine convincing a jury to convict beyond reasonable doubt based on this evidence alone?

      My statement explaining multiple audit trails across three systems is much simpler than filesystem forensics, and it still runs to more than 3 pages of simplified, detailed, step-by-step stuff, took me 3 re-writes with assistance from the feds to make it so a 70-year-old judge could understand it. So proving and then explaining the forensics is going to be much harder.

      There's no way you could cook the books to frame someone, unless you had other evidence. Definitely not like "CSI". But this filesystem forensic evidence would definitely be used (and useful) to corroborate your other evidence.

      We bring people to court based on people's analysis of systems and software all the time, especially for electronic banking fraud. The key to good evidence is demonstrating that it is real, and not cooked-up to suit the plaintiff.

      --
      “Our opponent is an alien starship packed with nuclear bombs. We have a protractor.” — Neal Stephenson
  52. Re:The "How To Destroy Your HD" Thread by jwdb · · Score: 1

    Fine if you can let it burn for a bit, but if the cops are busting down your door when you hit the ignition and they immediately put the fire out, there's a chance the platters will survive. If you can damage the platters or heat them enough to demagnetize them, you win. Otherwise they can just stick them into another drive and read everything out.

    Jw

  53. Re:The "How To Destroy Your HD" Thread by Anonymous Coward · · Score: 0

    they don't stand a chance of putting a thermite fire out...

  54. Linux and juries - bad combination by wsanders · · Score: 3, Insightful

    > why don't you use Linux and simply create a drive image straight from the raw device without mounting at all

    Because once you start blathering on and on under cross-examination about raw devices, MD5 hash integrity, etc., the jury, which will probably consist of morons, will slowly doze off into la la land and blow off everything you are saying.

    Much better to spend $500 and tell the jury, "Jethro, Earlene, I got this here special dee-vice that physically prevents tampering."

    To quote (fairly accurately IIRC) a juror in the Vioxx trial that just ended, "They started talkin' all that science talk and it was like - wah wah wah wah wah wah" (sound of the Teacher talking from the Charlie Brown videos).

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
  55. Used to be you could use a microscope by wsanders · · Score: 1

    Back in the 5 1/4" floppy days the media on HDDs was crude enough that you could stain the platter with a special chemical and examine the orientation (well probably the *magnetic* not physical orientation) of the magnetic particles with a microscope.

    I am sure a similar technology could exist today, deep in the skunk works of some three-letter-agency.

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
    1. Re:Used to be you could use a microscope by jhoffoss · · Score: 1

      Oh, you can hire these guys or someone like them to use their scanning electron microscopes to map out the electrons. They can recover several layers of files, even after being deleted/overwritten/zeroed if not done thoroughly enough. Just hope you have over $100k per disk...

      --
      Linux: The world's best text-adventure game.
  56. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  57. Re:The "How To Destroy Your HD" Thread by auf_weiderzen · · Score: 1

    Knew a guy who ran warez server out of his house (~20-30 gigs around 92-93, so pretty good for the day). He kept a couple giant magnets (I think speaker magnets from concert sized speakers) near by so he could just move the magnets/computers closer together in case of a raid.

    Don't think he ever had to use them, tho.

    --
    Lusers, lusers, everywhere and not a LART in sight.
  58. Exercise your 5th by Dog135 · · Score: 1

    You unwittingly have stumbled across the reason why we don't worry too much about encryption. Dorks can wrap their goods in layers of encryption, but at the end of the day it becomes worth their time to hand over the passphrases.

    Haven't they ever tried exercising their 5th amendment rights?

    "Yeah, I have illegal data encrypted on my HD, but that could be anything from an illegally downloaded mp3 to child porn. Telling you my password would incriminate myself."

    --
    "That's so plausible, I can't believe it!" - Leela
  59. Re:The "How To Destroy Your HD" Thread by Anonymous Coward · · Score: 0

    Apparently he was hoping that the computers would stick so hard to the magnets that the raiding party would get discouraged and go home.

    Seriously, whoever taught people that low-intensity static magnetic fields were dangerous for magnetic media should be shot. And yes, even "concert sized speakers" have low-intensity magnetic fields in the grand scheme of things.

  60. How to make thermite at home by Dog135 · · Score: 1

    A recent "popular science" article talked about how to make thermite. It's actually quite simple.

    (Google cache) (With Pics)

    From the article:
    In high school, my social studies teacher talked about a substance that could generate heat so intense that a bag of it lit on the hood of a car would melt right through the engine block. Cool, eh? A Vietnam vet, he said that in the war they used blankets of the stuff to destroy sensitive equipment before capture by melting it into a puddle. (Putting holes in the odd jeep engine was just for fun.)
    ...
    Thermite is simply a mixture of iron oxide (like the magnetite sand I discussed last month) and aluminum powder, which I buy commercially. (Incidentally, it's also the stuff that creates the image inside an Etch A Sketch.)

    BTW: Magnetite is found by running a strong magnet through beach sand.

    So, if you can afford a good magnet and an etch-a-sketch, then you can make thermite.

    --
    "That's so plausible, I can't believe it!" - Leela
  61. Igniting thermite by Dog135 · · Score: 1

    In my experience it is harder finding a way to light the thermite than it is to actually make the stuff.

    Have you tried a model rocket igniter? It takes a 12 volt charge, and generates enough heat to ignite the solid fuel in the model rocket engine. If it doesn't get hot enough, stick it in a rocket engine first. The flame should ignite the thermite.

    BTW: I read they usually use a sparkler to ignite thermite.

    --
    "That's so plausible, I can't believe it!" - Leela
  62. Re:The "How To Destroy Your HD" Thread by dulridge · · Score: 1

    It is much easier to make thermite than a shaped charge.

    Southern African school. I was head of chemistry. School had a serious attack of bandits - probably SWAPO who hadn't been paid lately.

    30 rounds from an AK47 had wrecked the safe door handle - which was quite a bit older than I was. No electricity, no access to explosives that I hadn't made myself - seeing the no power bit do you really want to try to make explosives with no means of cooling the reaction - I didn't. Yes most of the required reactions are endothermic, but do you really want to bet on it?

    Rust is not exactly hard to find, even in a desert - it isn't exactly hard to make your own anyway. Aluminium powder isn't that hard to find either if you can find a grinding wheel.

    Magnesium ribbon or barium peroxide to set it off with (thermite isn't that easy to light) is perhaps a little bit harder if you aren't a chemistry teacher. I really really wouldn't want to try water to stop the resultant molten mess. Nor is it a good plan to open a safe whose entire contents are made of paper by this method. How do I know this...?

    Remember that most hard drive casings contain a lot of zinc if they aren't actually made of zinc - this will vapourise at thermite temperatures. Ask any welder about how bad an idea it is to inhale zinc vapour, it is likely to be lethal so just hope the cops don't get irate about that bit - dead cops do tend to upset the living ones.

    Really, really don't try grinding your rust and aluminium together unless you are seriously sure you know what you are doing - you are not going to be able to put the fire out should you manage to light it

    It should be possible to heat your drives above their Curie point (AFAIR 650 Centigrade) at which point all the data is gone permanently without such drastic measures. The trick is to be able to do so instantaneously, or at least within a second or two. Rigging up a 600 amp welder to an anti-tamper switch ought to do the trick, but see the comment on zinc vapour.

    Best bet is not to have anything incriminating in the first place

  63. A guide to forensic Analysis by Anonymous Coward · · Score: 1, Interesting
  64. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  65. Nice try. by jhantin · · Score: 1

    Unfortunately, the password itself doesn't incriminate you, the content of your files does. If you don't cough the password up, you'll be held in contempt of court and locked up until the case ends, which if you're up on charges is ... umm ... probably as long as the sentence would have been in the first place. If the password itself consists of incriminating text, the court will apply immunity to that text only to bypass the Fifth. Either way you lose.

    --
    ...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
  66. Re:The "How To Destroy Your HD" Thread by Anonymous Coward · · Score: 0

    Well, "back in the day," hard drives would fail when looked at. A meat tenderizer hammer would have done as good a job, probably. Or just upending the enclosure.

  67. Idea for keeping your data from the feds by syberdave · · Score: 1

    Get a laptop, install Linux, and install SSH. (With swap off, of course.) Connect it to a local wired network. Put that laptop in a box with a UPS and that's wired to cut the power when it's forced open.

    There. When the police bust in to do a search warrant, they'd force the box open and wipe all the info. ;)

    And it might be useful to rig SSH to wipe the data if a certain password is entered. Just in case they force you to give it.

    1. Re:Idea for keeping your data from the feds by Anonymous Coward · · Score: 0

      the question is how do you "wipe all the info".
      A better way is to blow it up.. better yet.. melt it somehow.

    2. Re:Idea for keeping your data from the feds by syberdave · · Score: 1

      Well, everything would be on ramdisk. The box would be rigged to cut the power when it's opened.

  68. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  69. Re: thermite by rodgster · · Score: 1

    I ahem.... cough cough "saw" a thermite reaction once.

    Ignited with some strips of magnesium. IIRC powdered rusted iron and aluminum powder. I suspect it could be electrically initiated.

    It lit up the area like it was daylight and burned into the ground about a foot.

    Very impressive.

    --
    Who will guard the guards?
  70. Re:The "How To Destroy Your HD" Thread by typical · · Score: 1

    Seriously, whoever taught people that low-intensity static magnetic fields were dangerous for magnetic media should be shot.

    They weren't familiar with Earth's magnetic field.

    --
    Any program relying on (nontrivial) preemptive multithreading will be buggy.
  71. pfffft, RDBMS by Tablizer · · Score: 1

    SELECT *
    FROM suspects
    WHERE
    eyes='beedy'
    AND mustache IN ('dark', 'thick')
    AND laughStyle = 'Cackle'
    AND clothing='Cape'
    AND carType='Cadillac'
    AND carColor='Black'
    AND characterStyle='Shifty'

  72. Re:The "How To Destroy Your HD" Thread by abb3w · · Score: 1
    Sounds like one of those "Build a nuclear bomb" anarchy bullshit articles.

    I've criticized the technical merits of some of those... especially when Malkin started blogging about one appearing on some Arab nutjob site, and various other idiots started being even stupider. I had three years majoring in nuclear engineering, prior to dropping out from loss of interest — all of the really interesting problems left in the field are political, and was getting depressed by constantly looking at that aspect.

    I could do a better job describing how to build a nuke; my playing around with conventional explosives is pretty limited.

    I'm not sure how you'd actually rig the primer for such a Kaboom bay; when my friends played with thermite a few times, we mostly used a thin magnesium strip sticking out of a wad of strike-anywhere matches, with another match at the end pointing the other way for a fuse. And the folks talking about water dissociation may be right; we mostly worked on an ex-building's concrete slab foundation... which we ruined even more. A concrete slab is often not conveniently close in many apartment buildings — just inconveniently accessible. =)

    --
    //Information does not want to be free; it wants to breed.
  73. Recovery after overwriting by izomiac · · Score: 1

    Just wondering, how many overwrites does it take before data is reasonably securely deleted? I know if you're paranoid you could overwrite data dozens of times, and software like DriveCrypt or CompuSec kinda make this issue kinda moot. Still though, I'm curious to see what is actually possible and what is just unreasonably paranoid for individuals.

    1. Re:Recovery after overwriting by jetmarc · · Score: 1

      > how many overwrites does it take before data is reasonably securely deleted

      Overwriting files on modern journaled filesystems is not guaranteed to have any effect at all. It is very likely that the filesystem assigns a different set of sectors for every "overwrite".

      A better solution is to delete the file, and then overwrite the "free" sectors. This still requires in-depth knowledge of the filesystem (to discover every and all free sectors), which is why this solution might or might not work.

      If you want to be on the safe side, overwrite the whole partition at the blockdevice level (erasing all other files on it as well).

    2. Re:Recovery after overwriting by izomiac · · Score: 1

      I've heard several claims of people recovering significant parts of files even after the data has been overwritten multiple times. The best solution is simply to use full disk encryption and be done with it, but if you have one file that you want gone then this is still a useful procedure. By overwrite I mean overwriting the sectors where the data is physically stored. Like with DOD 5220.22-M, overwrite each bit with a 1 or 0, its complement, and then a random bit. But some criticize that standard for being weak with only 3 overwrites. Hence the reason I wonder how many rewrites other have been able to usefully recover data after.
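
The procedure discussed in this sub-thread (jetmarc's point that an in-place overwrite may never reach the original sectors, and izomiac's three passes of 0x00, complement, random) as an added example that is not from the page or from either commenter. The only way to know whether the passes reached the storage is to scan the raw device or image afterwards for something you know was there, so the example plants a unique marker in a file standing in for a raw disk, runs the three passes in place, and then searches the raw bytes for the marker. On a real filesystem the scan is run against the block device (hypothetical /dev/sdb), not the file: if the marker still turns up, the filesystem relocated your writes and only a wipe of the free space or of the whole partition at the block level will do.

```sh
#!/bin/sh
# Added example (not from the page): three-pass in-place overwrite and a
# raw scan to confirm the old bytes are really gone.
# Assumes POSIX sh with dd, head -c, tr and grep -a (GNU or BSD).
export LC_ALL=C

# wipe_in_place PATH
# Overwrite exactly PATH's current bytes, in place, three times:
# zeros, then ones (the complement), then random data.  conv=notrunc
# keeps dd from truncating and reallocating the file; sync flushes the
# passes to the device.  Whether the filesystem wrote them to the
# original sectors is what marker_hits checks afterwards.
wipe_in_place() {
    path="$1"
    size=$(wc -c < "$path")
    head -c "$size" /dev/zero                    | dd of="$path" conv=notrunc 2>/dev/null
    head -c "$size" /dev/zero | tr '\000' '\377' | dd of="$path" conv=notrunc 2>/dev/null
    head -c "$size" /dev/urandom                 | dd of="$path" conv=notrunc 2>/dev/null
    sync
}

# marker_hits IMAGE MARKER
# Number of lines in the raw image or device that still contain MARKER
# (grep -a treats the binary data as text; -F matches it literally).
marker_hits() {
    n=$(grep -a -F -c -- "$2" "$1") || true
    printf '%s\n' "${n:-0}"
}

# wipe_demo: plant a marker in a constructed 7120-byte "disk", wipe, rescan.
# Prints "<hits before> <hits after>"; expected "1 0".
wipe_demo() {
    dir=$(mktemp -d)
    marker="SECRET-MARKER-$$"
    {
        head -c 4090 /dev/urandom
        printf '%s' "$marker"
        head -c 3000 /dev/urandom
    } > "$dir/disk.img"
    before=$(marker_hits "$dir/disk.img" "$marker")
    wipe_in_place "$dir/disk.img"
    after=$(marker_hits "$dir/disk.img" "$marker")
    rm -rf "$dir"
    printf '%s %s\n' "$before" "$after"
}

# Real use (as root), with secret.txt on the filesystem that lives on /dev/sdb:
#   marker=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
#   printf '%s' "$marker" >> secret.txt; sync
#   wipe_in_place secret.txt
#   marker_hits /dev/sdb "$marker"    # anything but 0 means the passes went elsewhere
```

The demo only shows the overwrite working on a plain file, which is the easy case. The raw-device check in the usage comment is the part that matters: a journaling or copy-on-write filesystem can satisfy every dd call above while leaving the original sectors untouched, and only the scan against /dev/sdb reveals that.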

  74. STEP NEGATIVE ONE: by Irashtar · · Score: 1

    Remove all felines from the area.

  75. Re:The "How To Destroy Your HD" Thread by jwdb · · Score: 1

    Of course not - that's not what I was responding to. I was referring to the grandparent's remark that gasoline would be sufficient...

  76. Re:The "How To Destroy Your HD" Thread by danielrose · · Score: 1

    Well, the speaker magnets would not have done much..
    OTOH I used to know somebody who made up some thermite and an electrical fuse with the idea of burning the bejesus out of the drives..

    --
    i hate pansy republicans
  77. Re:The "How To Destroy Your HD" Thread by DarthVain · · Score: 1

    Maybe its because I am from Canada (or was it crappy teachers?), but in my high school chemistry class we didn't learn how to make a thermite bomb.

  78. Re:The "How To Destroy Your HD" Thread by Anonymous Coward · · Score: 0

    NMRI.

  79. $70 for such an adapter, much cheaper by advid.net · · Score: 1
    This firewire-IDE adapter is only 59.90 euros
    http://pearl.fr/article-PE8194-IDE.html

    English translation:
    You have very important data but they must be read? This adapter enables you to physically prevent the writing (and thus the alteration) of the data.

  80. Re:The "How To Destroy Your HD" Thread by Skagit · · Score: 1

    Thermite is commercially available at some welding supply outfits. In setting rebar for reinforced concrete, sometimes a welded splice is called for to produce long continuous bars. Instead of sending a welding machine and welder to the site, you can get some prepared thermite with the brand name Cad Weld. You get a little crucible, lap the rebar in the chamber, add the thermite and use the ignition stuff in the package. It isn't as fast as a welder and a big Lincoln Electric or as pretty, but it works well in a remote location.

    Thermite is a bad choice for indoor (say on a hard disk drive) use because it is a self-contained oxidation-reduction reaction. There is no external oxygen supply required and thus no easy way to snuff it.

    There's gotta be a way to rig some sort of electronic solution that would work far better than burning the house down with a thermite charge.

    --
    Why does my coffee mug smell like trout?
  81. Re:The "How To Destroy Your HD" Thread by dougmc · · Score: 1
    Don't think he ever had to use them, tho.
    Good thing, too. Like the goggles, they'd probably do nothing. Though they'd let the FBI know that these probably are the disks they're looking for.

    The denser the data gets packed on the disk, the stronger the magnetic field needed to put it there, and the stronger the magnetic field needed to erase it. Weaker magnetic fields will basically do nothing.

    Modern tape and hard drives require very strong magnetic fields to erase them. Your bulk eraser or speaker magnets won't do it.

    And even if you do have a magnet that's strong enough to make your disk drive unable to read the data that was on it, law enforcement may still be able to read the data through other means. It all depends on how much time and money they're willing to throw at the problem of getting it out.

  82. Encryption matters not. by MarcQuadra · · Score: 1

    While I've never had to do this, on an encrypted machine I'd boot from another box and install a keylogger in your OS. It would only take a few days before I could go back and recover your data.

    This is one reason I actually support EFI and other BIOS-replacement ideas, if you could encrypt the entire disk from the BIOS, I wouldn't be able to do this. Until systems can boot from fully-encrypted drives, home folder encryption is only as good as physical security.

    --
    "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails