Commodore 64 Confuses Austrian Police

toomanyairmiles writes, "It seems that Wolfgang Priklopil, the communications technician who kidnapped Austrian pre-teen Natascha Kampusch, relied on a Commodore 64 as his primary machine. Interestingly this is presenting some problems to the Austrian computer forensics people. Major General Gerhard Lang of the Federal Criminal Investigations Bureau told reporters it would 'complicate investigators' efforts' and would be difficult to transfer the files to modern computers 'without loss.' Could this be the latest in the criminal world's security strategy? Can we expect to see Spectrums, Archimedes, and Atari STs turning up in police investigations soon?"

Have they forgotten RS232?

[Marxist+Hacker+42]

From the article:

There are emulators available which can make a modern PC capable of running Commodore 64 programmes but Maj Gen Lang said it would be difficult to transmit the data from Priklopil's machine to a modern computer "without loss".

What, have they forgotten how to create a DIN-5 to Sub-D9 cable? I'm sure google has several websites with the schematic of the machine (also available in the original user's manual), it shouldn't be THAT hard to construct an asynchronous serial cable.

This is retarded

[Cobralisk]

Seriously, I have a Commodore 64 sitting right next to me hooked up to a dos box as a hard drive. Data is data. You just need a x1541 cable. There are lots of free software tools to facilitate this, and the d64 and t64 formats are well supported. You can even use audio tapes and a soundcard to transfer files. Once you have the data on the PC, there are multitudes of C64 emulators to run the software directly. I've been doing this since the late '90s. Google is your friend.

Re:Why go that far?

[Marxist+Hacker+42]

Two words- Null Modem and Hyperterminal will transfer all the files stored on 5.25" floppies for that Commodore 64 (or even stored on cassette tape) to their Windows machines just fine. It's just ASCII after all, no big problem.

Re:Why go that far?

[Morphine007]

Because in most forensic investigations, they remove the hard-drive from the PC and then perform the investigation using another operating system guaranteed to not have any nasty surprises built in. They're not going to run the risk that buddy has a small script that deletes his entire hard drive if he doesn't hit ctrl-a-s-d-f-enter within seconds of booting up.

There's likely more to it than that as well, but the point is they generally don't want to use the system they've confiscated...

Commodore 64 has an RS-232 interface.

The back of the Commodore 64 has an RS-232 interface. Any schmuck with a bachelor's degree in electrical engineering can hook the Commodore 64's serial interface into the serial interface of any modern desktop.

Re:Commodore 64 has an RS-232 interface.

[Dun+Malg]

The back of the Commodore 64 has an RS-232 interface. Any schmuck with a bachelor's degree in electrical engineering can hook the Commodore 64's serial interface into the serial interface of any modern desktop.

No, actually it doesn't have an RS-232 interface. It has something called a User Port, using a male card-edge connector, which can transmit and receive serial data, but it only does so at TTL levels. But yeah, any schmuck with a soldering iron and a breadboard can slap together a true RS-232 interface using a 25 cent MAX232 chip and a few caps.

Re:Commodore 64 has an RS-232 interface.

[LWATCDR]

It wouldn't take a BSEE to do it most hobbyists could whip one up in a few hours. However it is not really needed. You can buy a device that will allow you to interface a 1541 or 1581 to an PC.

Re:Commodore 64 has an RS-232 interface.

[Noginbump]

No soldering required. RS-232 -> user port plug-in devices were readily available for the C=64. Commodore even sold one, though I can't remember model number. There's probably one on eBay right now...

Re:Commodore 64 has an RS-232 interface.

[compro01]

Yes, but if that schmuck had a BSEE he/she wouldn't, except in the rarest of circumstances, be a cop. The investigators would have to use their brains and find someone who can do the work.

you'd be amazed how many Electronics and Computer technicians the RCMP up here is collecting. they've taken practically the entire graduating class of each (usually 20-30 people per course) for 2 years running at the school I'm at (SIAST).

but i don't have much idea what they're doing at the other 3 campuses, but I'd imagine similar things are happening, so that would be at least 150 techs they've snatched up, if not more.

Re:Commodore 64 has an RS-232 interface.

[complete+loony]

He wired up a cable that would talk directly to the PC parallel port, transferring a whole byte at a time. The transfer loop on the c64 was about 8 cycles per byte @1MHz (from memory, this was about a decade ago) to read the byte, increment the address pointer, and toggle the appropriate wire on the cable, so yes 32KBps was quite possible. The code he wrote impersonated the floppy controller, and would redirect and read / write requests over the cable to the PC which would read / write from a disk image. VERY fast, and very easy to swap disks.

Once while I was at his house, I witnessed him idling in a #c64 irc channel on his c64.... Though he was just using the c64 as a text console to his freebsd box, it was impressive.

Re:Commodore 64 has an RS-232 interface.

[Stormwatch]

That probably is 32KBps as in 32 KiloBits per second.

Then it's Kbps, not KBps.

Re:Commodore 64 has an RS-232 interface.

[LWATCDR]

It is true. The C64 demo scene is alive and well. Now if the cops and the courts would trust one of them is different question.
What gets me is how none of the "experts" can handle anything that isn't a PC. I wounder if the guy had been running Linux, BSD, Minix, SkyOS, an Amiga, or Atari ST if they would be just as lost.
Here is a shop that sells cables that will let you read C64 disks on a PC http://sta.c64.org/x1541shop.html
I suggest they also google PETASCII if they want to break the encryption.

Here's how to do it :)

[mbpark]

Here's the best way to do it:

1. Use Star Commander or the equivalent program (ftp://ftp.zimmers.net/pub/cbm/archiving/c64/emuti l.prg) to make your .d64 files. Additionally, if they're feeling up to the challenge, mnib (http://markus.brenner.de/mnib/index.html).
2. Use PDS Hash Toolkit or some other approved toolkit to hash the disk images you've created.

They can also use 64hdd (www.64hdd.com), set it as drive #10, make directories on the partition they copy the files to, and then individually hash each file using PDS Hash Toolkit. You'll have to hash the 64hdd binaries as well.

If he's a really hardcore user of the C= series, I think the price of that SuperCPU on eBay just went up by a few hundred euro.

reason to use it in one word:

[GeekyMike]

Zaxxon

C64 hardware

[Neo-Rio-101]

There are a myriad of other issues with this too. For one, the Commodore 64 uses PETSCII and not standard ASCII. To complicate matters more, he may have even used GEOS to store his data on floppy disks, and without the right conversaion tools, coverting that to plain text, muchless PC readable media, is going to be tricky without the right C64 hardware. If he had all that CMD hardware, or stored all his information on a hard disk or CMD formatted floppy disk, it will be harder again.

Forensically accurate copies should be cake.

[Myself]

This is simple. Get a Catweasel floppy controller, and use the bundled tools to make images of the disks. You don't even need any of the original Commodore hardware for this, any PC 5.25" drive will do.

If they're too cheap to do that, an X1541 cable and a copy of Star Commander will work fine, plugged between the Commodore drive and a PC. This shouldn't be forensically valid, because the 1541 is a smart peripheral and could concievably be running a modified ROM.

Re:Why go that far?

[dougmc]

What, using Linux? Here's a clue for you:

EXT3-fs: INFO: recovery required on readonly filesystem.
EXT3-fs: write access will be enabled during recovery.

And here's a clue for you ...

You mount it in ext2 mode. ext3 is just ext2+journalling, and you can mount a ext3 partition as ext2. This doesn't replay the journal, so you won't get to see any data actually in the journal, but the rest of the data you can see. And there are other ways that you can ensure that Linux will not write to the disk -- for example, `hdparm -r /dev/whatever' will tell the driver to not let Linux write to the disk, no matter what. That will certainly work for IDE drives, and probably other drive types as well.

However, the police don't generally do this, as it's not quite proof against writing *enough*. Instead, they generally connect the drive to a device that is certified to make writing to the drive IMPOSSIBLE (by cutting that wire, or filtering out those commands) and use the drive that way, either to poke around it or to dd the drive to another drive where you can do your work.

Of course, in this case, the guy is dead, so the standard rules of evidence probably don't need to be applied as carefully. It's not like this data will be used to convict him or something ...

Re:I'll explain this one

[radja]

in dutch cities, riding a bike is often faster than going by car. it's also cheaper and if you get drunk you can walk home with your bike.

Computer Forensics - clear as mud

[gsobol]

Well, I can sum up the whole article like this:
Forensic investigators = not stupid
Article author/editor = selling a story / lack of facts
Court system = flaky justice

Being a computer forensic investigator, what I can tell you is that the problem is not with extracting individual files (being current, deleted, overwritten), or even hashing the contents or drive images themselves. Although this does present a certain technical challenge, this can be overcome. Any forensic investigator will tell you that, what he/she finds during his/hers investigation rarely comes under question or scrutiny. You just can not deny the fact that this "stuff" was found on the suspects media. What almost always comes under scrutiny is the technique used in obtaining the evidence. Where the police do have the tools and techniques that have been court tested for the relatively modern machines and OSes, there is no such tool or a battle tested procedure for capturing and processing data from the Commodore 64. That's what the challenge is all about. It's all about how do you get your evidence, and prevent the defence from shooting it down on a technicality that your approach was not forensically sound, because you have not used the court "approved" forensic tools and techniques. -- a side note: there are no court approved forensic tools, at least not in the USA. There are forensic tools that have gone through court scrutiny and been found to be acceptable, but only in conjunction with a proper forensic sound procedure. The tool is only a tool, like a hammer, it can be used to drive a nail into a wall, or crack someone's skull. Define a proper and sound use :) -- It's easy for technical people to understand the realities and limitations of the technology. It's easy to understand that when you copy the contents of the files from one OS to another the contents do not usually change. But for an average person on the jury, if one computer is old and the other computer is new, and they don't speak the same language, well that means that someone had to translate it, right? And if someone translated it, could they have made a mistake? Of course they could! Of course they DID! Again, the hard evidence - the files, the pictures, the notes, etc.. - do not come under scrutiny. It's the techniques, the procedure, the competence of the investigators that get's questioned, and thanks to our "well educated" and "intelligent" jury, sometimes the guilty go free.

Re:Question

[hab136]

In Austria, yes. But I wouldn't be surprised if defense attorneys are required for dead people in the USA soon. It's almost to the point where you need to consult an attorney before you flush the toilet.

They are required, since both the state and the victim may try to recover money from the dead person's estate.