New Anti-Forensics Tools Thwart Police
rabblerouzer writes "Antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator. 'Now it's hobby level.' Take, for example, TimeStomp. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified."
Simple! Just cut the disk open and count the rings.
What?
This has got to be old news. Over 112% of Slashdotters have been using these programs for years, since at least 3 months from now!
- RG>
Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
I always just keep a few magnets handy... just in case....
I prefer hardware solutions, rather than software ones.
a finger to fudge is just enough to ruin your time_t
"I am not bound to please thee with my answers" [William Shakespeare]
Sigs are too short to say anything truly profound so read the above post instead.
Timestomp? Now I've heard everything.
;)
Any hacker/script-kiddie with a working knowledge of touch and a 'find' command could wreak equal havoc. Combined with a quick filter and another perl script to generate random timestamps, all launched regularly from cron? Forget it. Forensics folks would be better off scouring logs for a non-tainted timestamp and counting directory inode entries for approximate age.
Of course, this says nothing of rootkits, which can be downright subversive, embedding themselves into kernel space where not even the OS knows they exist, where they can wreak untold havoc with historical system data or encryption. I bet there's even a script-kiddie version of anti-forensics tools out there, where it just cron-obfuscates anything trackable. Logs, timestamps, frequent automated sweeps of shred over unallocated disk blocks, inode reordering, and so on.
Now that I think about it, that might be a good idea. I got some work to do.
Read: Rabbit Rue - Free serial nove
thats really odd, i seem to remember seeing something similar on our domain controller a few minu
The police should be getting with the times then so they can fight the criminals.
The obvious message to law enforcement is that people don't like others going through their things.
Personally, I'm all for it! The timestomp tool they mentioned seems more for oh-shit scramble-the-evidence rather than general usage... that kind of timestamp manipulation can really frig up a system.
Personally I'm a fan of disk encryption using algorithms and key-lengths that make it extremely impractical to get in once the system is powered down. If up, however... you have three strikes at getting in and all future packets from your IP are silently dropped for several days. Local access isn't a problem either... open the case and power goes out... and after 10 minutes of idle time the system locks (only way in is password or reboot... obviously reboot isn't helpful).
Call me paranoid. I am. I also like my privacy. Yes, I DO have something to hide: MY LIFE! I don't want you in my stuff at all!!! It doesn't matter that there is nothing illegitimate or illegal on the damn things, I still don't care.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
http://www.cio.com/article/print/114550 - Print version so you don't have to go through ten pages to read it all.
:)
Anonymous coward so no Karma whoring today.
Hate to sound like an Apple fanboi, but even for those with something to hide that don't know much about computers at all, and therefore lack the know-how required to use these tools, simply using Mac OS X and turning on FileVault, sad as it sounds, is enough to confound the majority of law enforcement. Most of the contractors that the police in the UK use are Windows only. I know for a fact that any Linux or 'specialist' computers get passed to a specialist data firm in Germany for decoding...
Macs?
Only in the most serious of cases are macs in the UK sent for hacking if File-Vault's on. They go to Canada and take upwards of a year to crack. If ever.
Unless you've done something pretty fucking serious, and the police know the evidence is on the machine, just can't prove it, they usually won't go to the expense.
Of course, only the most stupid and inept of morons would be doing illegal shit and storing it on their computer without using the most powerful encryption possible, and only storing that which absolutely must be stored. Mind you, criminals are not usually noted for their cunning and intelligence....
It goes without saying that the above does not translate to across the pond, nor does it apply on Security operations with terrorists and the like. How MI5 & MI6 do things is completely different and tends to involve some 'specialist' people from the likes of the I-corps and in-house solutions....
I could elaborate, but I'm not THAT dumb.....
The truth shall always be free: Boris Floricic is Tron.
Thankfully I still have the right to have the data on MY computer not keep tabs on me if I don't want it to. Sorry.. but the timestamps on files weren't there so the police could use them later.. they were there for my convenience.
Let me let everyone in on a dirty little secret about 99% of police computer forensics experts... they are less skilled than most 9 year olds at recovering vital information. Many of them use bootable disks that just check the hard drive for IE's cached files and history, etc, etc. Simple stuff a child could do. These people aren't doing complex low level block analysis. They are doing the level of recovery parents do at the end of the night to see what websites their children went on. Does it surprise anyone then it's extremely easy to fool them? God forbid you use encryption, an OS they aren't familiar with, or hardware they've never seen. They'll never recover anything.
If an officer ever threatens to taze you, say you have a pacemaker.
We had a build tool once that kept overwriting some files we did not want it to because the timestamps were older for some reason. It took me ten minutes to write an app that ran through the directory, opened up the file metadata in every file and manually altered the timestamps of every file.
And with a Slashdot story, TimeStomp just migrated down from hobby to script-kiddie. Ahhh, you gotta just love free open information exchange.
TimeStomp? ...can't `touch` and a bash script accomplish the same thing?
My girlfriend told me that her nephew was going to college for "Computer Forensics" and my immediate response was, when he's done all he'll be able to do is catch cheating spouses. People who are engaging in real criminal activity are already using strong crypto and it's getting easier every day.
You just can't beat the numbers. If there is a 256 bit keyspace and a secure algorithm, you are not going to be able to crack the machine. I suppose that perhaps American and European law enforcement could take a page out of Israel's book and start using "strong persuasion" to get keys from suspects, but I don't imagine that happening any time soon.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
You don't think they'll start messing with this clock, do you? That graph looks like we're too late...or too early?
What?
Pages of interest: Rubber-hose cryptanalysis & Deniable encryption
Clearly you have quite a few problems if you're trying to hide something, and forensics can already read timestamps on your files!
What would be a breakthrough is plausibly deniable encryption which can build fake partitions which look "real" and "used". For instance, it can automatically install an operating system to a hidden partition (that is meant to be given out to forensics after a little bit of a fight). Then it can create normal operating system usage such as email, web access, instant messenger marks, installation of new software over time, etc.
The problem with deniable encryption at the moment is that the user can't justify the lack of activity on the open partition (and the lack of normal usage marks left behind), and therefore it is quite obvious to say that another hidden (and used) partition exists.
Thermite is not an answer either because then it becomes obvious you were hiding something using extreme paranoia measures.
Knowing that a user is playing anti-forensics tricks is quite easy. Proving it in court is most likely a different matter altogether.
> 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator.
Yes, yes.
Five years ago (2002) there were five people (or less) that knew touch.
Lol. The guy is a moron.
I remember walking through a parking lot in college in 1996 and listening to a couple guys talk about how they would touch their files to make late homeworks appear as if they were done on time.
About a year after that, UCSD switched to a turnin-based system. =)
Linux servers have become a favorite home for memory-resident rootkits because they're so reliable. Rebooting a computer resets its memory. When you don't have to reboot, you don't clear the memory out, so whatever is there stays there, undetected.
I don't mean to sound like a moron or naive but are Linux rootkits really that prevalent? After doing a quick Google search for "rootkits for linux", I found a few for the old 2.0 and 2.2 Linux kernels... Have updates that have since come out made life that much harder for the hacking community? Anyone have an idea of what's going on here, because I'm really surprised to see them make the claim that Linux servers are a new favorite home for rootkits...
They're using stego? Maybe we drop some stego on them.
Yeah, cause my stego *ROCKS* yo!
I'm thinking even the most avant-garde anti-forensics tool could fool this guy. Yeah, anti-forensics might be a problem for him, but last time I checked, having a future date on your warez or kiddie porn won't save you from prosecution. In fact, using something like Timestomp is more or less likely to convince the jury that you are indeed a criminal.
And likewise, it takes a very *good* steganography tool to really hide things. Sure, you could fool your friends, but you aren't likely to fool a forensic investigator with a basic knowledge of statistics. Could I tell the difference between a good and mediocre steganography tool? Probably. Could the average criminal? Probably not. A mistake as simple as hiding your data in images gleaned from the web would be enough to trip someone up: Here's a hint - if the image looks the same as the one on the web, but the checksums don't match, something's up. I'm guessing a shell script could go through the hard drive and do most of the work for the investigator. 17 hours isn't so short anymore...
If you don't want the cops to find it, use encryption. If you want deniability, use the double-XOR technique mentioned in Bruce Schneier's Applied Cryptography. But don't bother thinking that bogus timestamps are going to foil any serious forensic investigator. The relative location of a file's blocks on the hard drive is going to give at least an approximate date of file creation, even if you do obliterate the timestamp, and every forensic investigator worth his salt knows this.
The society for a thought-free internet welcomes you.
Look up TrueCrypt. It has had that plausible deniability thing for years now ;)
And I think to myself.... what a wonderful world
I would like to buy an "e" please.
What?
Of course they blame it on computer utilities! Otherwise they'd have to start trying to catch clever time-traveling bandits!
What would be interesting to me: a tool that deliberately modifies timestamps and/or creates ghost deleted files to tell a normal-looking story of computer use, when the actual history has been anything but.
In other words, forensics tools can assemble the history of file use on a disk. If it's known that the disk was in use before a certain date, but no timestamps can be found before that date (on current or deleted files), one may suspect the disk was wiped at that point. Likewise, physical disk usage for a given file system type has known and studied statistical characteristics over time. If the statistics are off, if you don't find deleted file images where you expect them, you may suspect that the freespace was wiped, or that certain unused disk space that would normally contain deleted file images contained files that are now wiped.
What happens when you have a tool that modifies timestamps on current and deleted files such that a normal distribution of them extend back before the date of disk wipe? Even worse, what happens if the tool can create "ghost" images of deleted files, in order to fool tools that look for normal statistical disk usage?
Once you have such a tool, wiping a disk and starting over can literally be done undetectably. So much for worry about having to maintain disk drive evidence after being hit with a subpoena.
Kythe
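Both the touch-plus-cron post earlier in the thread and this one describe what re-stamping leaves behind. Here is the defender's side as an added example (not code from the article or from either poster): a Python triage script that flags per-file timestamps that contradict one another and inspects the whole-disk modification timeline for the activity cliff and the too-even spread described above. The 60-second slack, the 0.25 flatness cut-off and the constructed dates are assumptions.

```python
"""Timestamp triage for a seized or compromised filesystem.

Added example, not code from the article or from any thread participant.  It
flags per-file stamp combinations that cannot all be true (future dates, access
before creation, zeroed stamps) and checks the modification-time timeline for
the "nothing before date X" cliff and the flat spread random re-stamping leaves.
"""
from __future__ import annotations

import os
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from statistics import mean, pstdev
from typing import Optional


@dataclass(frozen=True)
class Stamps:
    path: str
    modified: float            # seconds since the Unix epoch
    accessed: float
    created: Optional[float]   # birth time where the platform exposes one, else None


def ts(year: int, month: int, day: int = 1) -> float:
    """UTC calendar date -> epoch seconds (used for constructed samples)."""
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


def collect(root: str) -> list[Stamps]:
    """Read mtime, atime and (where available) birth time of every regular file."""
    out: list[Stamps] = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        st = p.stat()
        birth = getattr(st, "st_birthtime", None)
        if birth is None and os.name == "nt":
            birth = st.st_ctime        # on Windows st_ctime is the creation time
        # On Linux st_ctime is the inode-change time, not a birth time, so it is
        # left out rather than misused for "before creation" comparisons.
        out.append(Stamps(str(p), st.st_mtime, st.st_atime, birth))
    return out


def per_file_anomalies(records: list[Stamps], now: float,
                       slack: float = 60.0) -> dict[str, list[str]]:
    """Map path -> reasons, for every file whose stamps contradict each other."""
    findings: dict[str, list[str]] = {}
    for r in records:
        reasons: list[str] = []
        if r.modified > now + slack:
            reasons.append("modified in the future")
        if r.accessed > now + slack:
            reasons.append("accessed in the future")
        if r.created is not None:
            if r.created > now + slack:
                reasons.append("created in the future")
            if r.modified < r.created - slack:
                reasons.append("modified before it was created")
            if r.accessed < r.created - slack:
                reasons.append("accessed before it was created")
        if 0 in (r.modified, r.accessed, r.created):
            reasons.append("zeroed (1970 epoch) timestamp")
        if reasons:
            findings[r.path] = reasons
    return findings


def mtime_histogram(records: list[Stamps]) -> Counter:
    """Files per calendar month ("YYYY-MM", UTC) of modification time."""
    return Counter(datetime.fromtimestamp(r.modified, timezone.utc).strftime("%Y-%m")
                   for r in records)


def timeline_findings(records: list[Stamps], in_use_since: str,
                      flatness_cutoff: float = 0.25) -> list[str]:
    """Whole-disk checks.  in_use_since is "YYYY-MM" known from other evidence
    (purchase records, server logs).  Returns notes; an empty list means clean."""
    hist = mtime_histogram(records)
    notes: list[str] = []
    if hist and min(hist) > in_use_since:
        notes.append(f"no modification times before {min(hist)} although the "
                     f"disk was in use since {in_use_since}: possible wipe")
    if len(hist) >= 6:
        counts = list(hist.values())
        # Genuine use is bursty (installs, projects, holidays); uniformly random
        # re-stamping yields near-equal monthly counts.  The cut-off is a heuristic.
        if pstdev(counts) / mean(counts) < flatness_cutoff:
            notes.append("monthly activity is unusually even: timestamps may be randomised")
    return notes
```

On a real image, call collect() on the mount point and pass the records to both check functions, together with the date the machine is independently known to have been in use.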
In 'Merica, we call it gitmo. Encrypshun don't fool us nohow, nosir.
'fter all, if yah ain't guilty, watcha hidin' stuff fer? Dontcha know there's a war goin' on?
The society for a thought-free internet welcomes you.
find / -type f -exec touch -t 201705311200 {} +
the modification date was'ntobe set the last time it shallhasbeen accessed...
Uhh - got to work on my future imperfect past continuous tense.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
RAMdisk
bash-2.04$
bash-2.04$yes "Don't you hate dialup connections?"| write USERNAME
Imagine a filesystem that is encrypted 3 times, in "headerless" fashion. What I mean by headerless is, whereas a zip file leaves reliable signatures identifying it as a zip file, this scheme would be a naked 128 or 256 or 1024 bit encrypted file (bear with me here) with no signature. There would be no way to even identify this file unless you managed to decrypt it with the right password and the exact corresponding decryption scheme. (It could be a zip file or a rar file or an arj file but you'd have to guess.)
That's for the first layer. Then you use the same (or different) scheme to scramble that already encrypted file again. With the same or different password.
Then you do it a third time.
Granted this would take a hell of a lot of computing power and a single bit of data corruption would screw you royally (which calls for more advanced recovery techniques which leads to some weaknesses...), but the effect is this.
First, you get the hard drive and the whole filesystem is encrypted. It's utterly garbage to you. You don't know which scheme was used to encrypt it. You certainly don't know the password. But you may know it's triple layer encrypted. Or double, or quad.
What is certain is, if you get the correct encryption scheme AND the password for that first layer, the decrypted file is STILL GARBAGE. You don't really know if you got the correct information or not, because you're still looking at a "headerless" pile of garbage data. Good luck guessing that second layer because no matter what, you still get a pile of incoherent garbage.
If you've done this to all your files on your hard drives, DVDs and CDs, this is where you demand your Constitutional right (in the United States) to a SPEEDY trial and then plead the Fifth Amendment in court when asked for your password/encryption schemes. Why? Because if I'm right, the police and their descendants down to the 7th generation will have died of old age before they figure out the 2nd layer, much less the 3rd.
Mind you, the cops may have slapped a keylogger on your system ahead of time. If that's the case, you're screwed.
Lawyers and hackers, please rip my idea to pieces and tell me what you think...
--- Grow a pair, liberals... stop letting the Republicans bully you!
Volatile RAM.
10 minutes to figure out touch?
Give a man a fish, he'll eat for a day, but teach a man to phish...
The tools in the article can also be used by businesses and governments, etc. to make it more difficult for hackers to get information like credit card numbers. But somehow I doubt if I could trust a bureaucracy to be anything more than lame.
Since I read Ken Thompson's Reflections on Trusting Trust, it has always occurred to me that any computer crime is completely untraceable. It is only laziness on the part of the criminal which allows him to get caught. It is possible for someone to completely cover their tracks and leave no evidence of their actions.
But it is also possible to log every action a hacker does. Erasing the logs doesn't do much when the compromised system is virtually hosted and every action recorded for later playback - on a system which isn't even visible to the hacker. And consider the possibility of tracing at the network level. It is possible to physically connect an ethernet chip to a network and capture all traffic on the network without ever joining the network. That is, the card can sniff the wire in a read-only mode without ever publishing its MAC address or responding to ARP queries. Even if the hacker does use encryption, can he really be sure that his machine hasn't been rooted and keylogged? Can today's hackers verify even the microcode inside their processors and BIOS? If he can cover his tracks, so can the FBI.
How does a hacker know his rootkit isn't spying on him? Even if you have the source, a compromised compiler or assembler can still produce a compromised executable. Should you verify the executable by hand, you still have the possibility of a vulnerability in the processor's microcode. Something as simple as making any area of memory available to the NIC when a certain opcode sequence is executed could be hidden very well and provide a veritable back door to law enforcement.
Unless you are willing to build your own computer from scratch and never connect it to a public network, you can never prove that you aren't compromised. Sure, we can talk statistics and likelihood and incentives and human factors and whatnot, but it doesn't change two fundamental aspects of the computer:
Your average user - heck, even most programmers and hackers - don't have the time to trace through every possible instruction path in the software they use. They aren't going to burn their own BIOS EEPROMs to be sure the BIOS isn't bugging them. They aren't going to surgically remove the processor's cover and verify the die pattern to be sure the microcode isn't compromised.
Instead, they're going to trust the responses their computer shows them. Just like the rest of us - it's a gamble. Maybe the hacker compromised a bank - or maybe, the bank is in cahoots with the FBI, and he's just knocked over the honeypot. He won't know until he goes to the bank - and withdraws his cash, or gets arrested.
Still a pretty big risk, imho.
The society for a thought-free internet welcomes you.
I don't mean to sound like a moron or naive but are Linux rootkits really that prevalent?
Considering that rootkits originated in Unix (hence "root"), I imagine that they are as prevalent in Linux as they are in any operating system (the argument of uptime notwithstanding).
Besides, a rootkit does not have to reside in kernel space to be very effective. Simply replacing many of the key binaries (init, bash, getty, ls, top, ps, etc depending on *nix flavor) will do wonders for probably 98% of systems out there. That said, I'm sure there are some which do reside in kernel space (a kernel module perhaps?) or maybe even some that are simply modified kernels (the source is available after all). How do you know that the kernel your system is running has not been compromised?
After doing a quick google search for "rootkits for linux", I found a few for the old 2.0 and 2.2 Linux kernels...
I tend to doubt you'll find the latest and greatest rootkit via Google. If you know the right people, I'm sure you can get whatever you need.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
This is actually good. It means that broad, automatic surveillance and search of computers is infeasible. For attacks on individual, high-profile cases, like the one Mafia-boss, the high effort can and will be invested. For ordinary citizens, it does not work. And don't bring up the nonsensical idea to outlaw these things. That does not work for the same reason and makes forensics even harder, since then less experts that know these tools will be around.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I feel very comfortable having to reset my Windows machine...
Well, so stability is bad in this sense?
I'm going to approach this from the perspective of A Bad Guy, because realistically if you're not A Bad Guy and you get arrested you have already hit your security worst-case scenario. You're now arrested, your computer is in government hands, and you are about to take major financial and reputational damage before being released. (Some folks might say I'm naive for assuming you'll be released. Fine, don the tinfoil hats if it please you, but if The Man can lock you up when you haven't done anything then encrypting what you haven't done doesn't afford you additional protection now does it? Similar for the "good guy using encryption" examples like dissidents in China -- lack of discoverable evidence does not render the back of your head immune to gunfire.)
If you're A Bad Guy, on the other hand, there might be a significant difference between "major financial and reputation damage" and "being convicted of possession of child pornography". So let's consider a savvy Bad Guy who has screwed up and somehow alerted law enforcement of his existence. Maybe he was indiscreet with an accomplice, maybe the ISP logs show him as downloading young-kids-get-it-on.avi, maybe the feds caught him receiving a tape in the mail (the Postal Service has a division devoted to investigation for a reason, folks). So somebody had enough evidence to get their boss to sign off on a use of department resources to open an investigation, probably enough evidence to convince a judge to order a search or arrest warrant, and the fishing expedition begins in earnest.
At this point, Bad Guy is boned. He not only has the same problems Not A Bad Guy has with being arrested, but he has an adversary with virtually limitless resources relative to him now picking his security apart. And they will almost certainly find a place where he screwed up. Do they need to beat his passwords out of him? Hardly. If they're confident Bad Guy is a bad guy, when the computer shows clean they'll say "Hmm, we're quite sure these records say he is downloading young-kids-get-it-on.avi... widen the scope of the investigation", and then they'll start strip mining every bit of data they can get about the guy, and when you have a badge and a concerned looking face you can get an awful lot.
And, somewhere, Bad Guy screwed up. It doesn't matter how careful or exotic his protections were, he screwed up somewhere and it's probably somewhere that will look stupid in hindsight. The CIA does it all the time, too -- covert ops blown by cell phone records; doesn't matter how many things you get right when the adversary has the luxury of winning from your first mistake. Maybe a photo fell behind his printer, maybe he used his credit card to pay for something sketchy 4 years ago, maybe one of his pedo buddies got picked up three weeks ago and turned state's evidence. Doesn't matter -- a significantly interested adversary will find the 1% of screwups eventually given enough time to look for them. And for the 99% that are behind the impenetrable security barrier? Doesn't matter, that one photo which fell behind your printer will send you to prison for years anyhow.
Help poke pirates in the eyepatch, arr.
Can't the "Crack Staff" (or Cowboy Neal) at /. use advanced tools to track down dweebs who post this crap ?
Now that would be useful
If you fully lock out your machine with say a strong password-based encryption, something the forensics experts can't touch, are you required by law to give up the password? Say they bust into your home after figuring out you run some massive child porn ring, but everything is locked down. It'd be pretty obvious that you'd know the login passwords to your own machines. But what are the consequences for not giving up access? Or the key to a removable drive? etc etc... that sort of thing.
Which begs the question, do courts give as much credibility to this sort of thing when it's used to defend people. "Your honor, analysis of my hard drive will show that on June 15, 2004 at 10:30 pm, I, the sole resident of my apartment, was at my computer downloading and watching porn. Therefore I could not have been at the scene of the crime to commit the murders I am charged with."
I have actually seen Linux rootkits in the wild. Yes, they exist.
Rule is, if you suspect a root kit, do whatever investigation you need to, then back up non-executable data, reformat the hard drive. Reinstall the operating system *and* bootloader from trusted media. Restore and audit data.
LedgerSMB: Open source Accounting/ERP
I am an NSF-funded researcher in computer security, focusing on electronic voting. Data privacy and confidentiality is very important to us, as you can imagine.
Your idea is quite terrible.
First, what do you mean by a file "without signature"? Take a zip archive as an example--even if you strip off the zip header, any forensicist worth his or her salt can figure out it's a zip archive, just because of the way the data is structured. Encrypted filesystems have structure, too. A data forensicist can recognize an encrypted container on the basis of its structure. (Some people have recommended to you TrueCrypt in hidden volume mode. This is bogus. I'll explain that if you want.)
Second, you appear to not understand how crypto works. Two layers are better than one, right? So double ROT13 encryption is stronger than single ROT13, right? You're running smack into a major, well-known area of crypto. A lot of ciphers do not composite themselves well. You are almost always better off just picking one algorithm with a strong keysize than a composition of multiple algorithms.
Third, how do you plan on managing all of your keys? Key management is a thorny enough problem in the best of times. By relying on multiple keys you're multiplying the problem immensely.
You really need to do some basic research in crypto.
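To make the first objection concrete, here is an added example (not the researcher's code nor anything posted in the thread) that profiles an unknown blob the way an examiner would: known leading bytes, printable ratio, Shannon entropy and a chi-square test against uniform bytes, applied to plaintext, a zlib stream with and without its two header bytes, and random data standing in for good ciphertext. It also shows that ROT13 applied twice is the identity and leaves the byte statistics untouched. The thresholds and the magic-byte table are assumptions; the sample inputs are constructed inside the block.

```python
"""Statistical profiling of an unknown blob: text, known container, compressed
data, or something close to uniform random (which is what ciphertext looks like).

Added example, not the researcher's or any thread participant's code.  Cut-offs
and the magic-byte table are illustrative assumptions; samples are constructed.
"""
from __future__ import annotations

import math
import os
import zlib
from collections import Counter

# Partial table of well-known leading bytes (an assumed subset, not exhaustive).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"Rar!\x1a\x07": "rar",
    b"\x78\x9c": "zlib",
    b"%PDF": "pdf",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]: English text ~4.5, deflate output ~7.9, random ~8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square of byte counts against a uniform 256-symbol distribution.
    Good ciphertext scores near 255 (the degrees of freedom); text scores in
    the thousands because most byte values never occur at all."""
    n = len(data)
    if n == 0:
        return float("inf")
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def rot13(data: bytes) -> bytes:
    """ROT13 on ASCII letters only; applying it twice gives the input back."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


def classify(data: bytes) -> str:
    """Coarse triage verdict, with or without a recognisable header."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return f"container:{name}"
    if printable_ratio(data) > 0.95:
        return "text"
    h = shannon_entropy(data)
    # Assumed cut-offs: near-maximal entropy *and* a chi-square close to the 255
    # expected for uniform bytes is the signature of ciphertext or CSPRNG output.
    if h > 7.9 and chi_square_uniform(data) < 400:
        return "random-or-encrypted"
    if h > 6.0:
        return "compressed-or-structured"
    return "binary"


# Constructed sample inputs.
TEXT = (b"Forensic investigators poring over compromised systems where "
        b"Timestomp was used often find files that were created 10 years "
        b"from now, accessed two years ago and never modified. ") * 40
COMPRESSED = zlib.compress(TEXT)
HEADERLESS = COMPRESSED[2:]          # the "strip the signature" idea from the thread
RANDOM = os.urandom(1 << 16)         # stand-in for well-encrypted data


def demo() -> dict[str, str]:
    """Verdict for each constructed sample."""
    return {
        "text": classify(TEXT),
        "rot13_text": classify(rot13(TEXT)),
        "zlib": classify(COMPRESSED),
        "headerless_zlib": classify(HEADERLESS),
        "random": classify(RANDOM),
    }
```

Even with its header gone, the deflate stream still lands far from the text bucket, and the ROT13'd text is still text to every measure here.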
I don't know if I am missing something, but if a person wiped the disk completely, more than one time, is it possible to recover anything?
Root kits have been available on Linux for at least ten years. I started seeing them in common use in late 1999 or early 2000.
The only thing that's "new" is that the stuff is making its way down the food chain. Things that used to be found only among the "elite", are now commonly found among the script kiddies. Yawn.
What they really should be worried about is what those elite guys are cooking up now, not what they cooked up 5-6 years ago.
Question for you: Do you believe properly implemented strong encryption is breakable ?
The answer is NO. Do not be fooled by DVD and HD DVD, Blu-ray: they have a fundamental issue that the keys are within the medium, so they are way more difficult to secure. Now, on the forensic issue, the question is: Is it possible to mess up with the data so they become irrecoverable?
The answer is yes, either with crypting or with messing with the content. The point is: Computer forensic method "assumes" that actions on the computer are similar to actions in real life (in real life you cannot change time flow, you cannot change matter properties, you cannot erase your friend's memory); this is NOT the case with computer forensics, the assumptions are wrong and therefore the results are wrong or unreliable. Even the algorithm for finding out doctored digital images can be thwarted, if you know the detection algorithm.
Crypting the images is no good, unless, of course, the "criminal" has the key and the police have the data.... that would guarantee that the police do not mess with the images and the criminal does not erase the data.... Some of this is like taking a fingerprint of the image and writing it out for the record, but I wonder if there could be a method that "reconstructs a fingerprint" from a modified image....
I do not know for more complex systems, but in FAT and FAT32 it was relatively easy to change *everything* on the HD level to make it look like it was extremely old. I would assume that with some low level tool it could be possible on ANY system.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Parent is not interesting. Mod down.
Sorry but the idea is juvenile. I'm sure by the time I get to finally posting there will be explanations on basic crypto.
So how about I deal with the legal issues:
5th amendment; assuming they choose to follow it, can be legally circumvented:
see FISHER v. UNITED STATES or if you use biometrics they can just get in anyhow see United States v. Dionisio and if they make you immune to the charges they can force you, it gets tricky later when other crimes may as a result be discovered (a good lawyer would save you from this - but you'd draw their attention to new things...)
A lot of your information is being stored on multiple devices and external locations. External places may legally be out of your control. They may not even need warrants. (http://www.usdoj.gov/criminal/cybercrime/s&smanu
Not to mention all the patriot act, etc going on lately.
You could have enough emails to make you guilty of one-man conspiracy or you may have broken some secret law to which the judge doesn't have clearance to read (both have happened in the USA already.)
Oh and don't forget contempt of court. You could be in jail for the max by the time you can get that overturned. Then there are those grand jury and that defunct special prosecutor things that could be big trouble. Right to a SPEEDY trial? Do you even live in the USA?
Democracy Now! - uncensored, anti-establishment news
You didn't specify units, but unless you were quoting degrees Fahrenheit, I can't believe you'd still have a working drive after heating it to that temperature. 380C is over 700F.
And that's assuming you can get that sort of temperature in anything but spot heating at home. Most residential food-grade ovens don't get that hot -- most of them top out around 500-600F, except on the self-cleaning cycle. I suppose you could put your drive in there, and then run it (that would be a neat experiment for someone with an oven they didn't care too much about...), but once the oven gets above around 600F, the door lock is going to engage and you can't really stop it after that. Only other thing I can think of that gets that hot is a charcoal or propane grill; that might get you the right heat, if you put it on there for long enough with the lid on, and just baked the hell out of it.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
You know nothing about the legal system. In our court system, you are innocent until proven guilty, the burden of proof is on the state. So you don't have to prove there isn't a hidden volume, they have to prove there is. Given that there seems to be no way to do this, they can't make their case. You can't speculate that something might be there. That's one of the most fundamental objections they teach lawyers "Objection, speculation." So all they have is that you have a volume of legal porn, and someone of questionable reputation claiming you have more , assuming they could even get the testimony in (the CI would have to have firsthand knowledge, otherwise it's hearsay). That doesn't meet the standard of beyond a reasonable doubt, doesn't even come close. It is perfectly reasonable to believe that someone might want to encrypt their porn. I'm sure many people do, simply because most people are somewhat embarrassed about it and don't want others to see.
DA's don't get to send people to jail just because they think there is a crime being committed. Hell it takes more than that just to get a warrant and to get past pretrial. You have to prove it beyond a reasonable doubt to land someone in jail. Saying "Well they MIGHT have hidden data!" doesn't cut it and, as I said, isn't even admissible in court. When you get down to it, you can never prove beyond any doubt that you've no hidden data. Maybe you've a really great steganography program and it is hidden as noise in music files. No way to prove or disprove that. However as a defendant you don't have to disprove it, it is the prosecution's responsibility to prove it and if they can't, well then you go free.
Why do you think there are so many people, who are known to be criminals to the police, that walk free? Because knowing and being able to prove it in court are two real different things. Cops may know someone is a drug dealer, but that won't even get a warrant, much less a conviction. They've got to have enough evidence to prove it beyond a reasonable doubt.
withholding the password would be obstruction of justice
Couldn't you choose an incriminating password and plead the 5th?
This post written under Gentoo-linux with an SCO IP license.
I'm not at all surprised at the quality of the so-called amateur hacker tools over the commercial offerings. Case in point is Back Orifice, an amazingly useful tool back in the day for anyone trying to admin an MS setup. Obfuscating later forensic analysis has been around since Caesar's ROT13. I for one am glad the wild west style frontier still exists in cyberspace, where the amateurs consistently outperform the professionals. It shows we have barely explored this space, much less settled here.
The one and only tool I've ever heard of them using is Encase. If Encase can't find it, it doesn't exist in their world. It does do OS-X though.
A fraudulent eyewitness looks like the joker card in that scenario. How does the legal system weigh this person's "testimony" assuming it is ramrodded through as "admissible"?
Oyez.com says: I don't get how it's related. Am I missing something?
This bit about the trouble you get into outside of prison even when you're acquitted, is not on topic with the discussion of defending yourself in court against the charge.
The "flaw" pointed out by the GP is only a flaw if you're being tried in a kangaroo court. I don't think our court system has gotten that bad.
I mean, if you're dealing with a corrupt court where you're guilty until proven innocent, you don't even have to be using encryption to get screwed this way. The DA might just as well accuse you of using steganography to hide illegal photos in random files spread all across your hard drive, which is equally impossible to disprove.
I'm not sure what you mean by the "structured nature of the hidden volume", though. TrueCrypt hidden volumes have no plaintext header, just like main volumes, and as long as the crypto methods in use are good ones, the encrypted data will be indistinguishable from random bytes, no matter how well-structured the plaintext is.
There are attacks against hidden volumes, but they basically involve taking snapshots of the whole volume at separate points in time, then obtaining the main volume's key and checking whether any changes have been made to "unused" areas of the filesystem.
That is, I could sneak into your house and copy the disk today (version A), then come back next month, seize the disk (version B), and force you to give up the main volume key. I can then mount both versions of the partition and look for differences between them. If there are any areas that contained random data in version A, and different-but-still-random data in version B, I can be pretty sure it means you were writing to a hidden partition located there.
I think the best defense against that attack would be for TrueCrypt to randomly write chunks of new random data to the free space of mounted volumes, which would disguise the writes made to hidden volumes. (Of course you'd need to use both keys when mounting the main volume so it knew not to clobber your hidden data.)
Visual IRC: Fast. Powerful. Free.
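An added example, not the poster's code: a toy of the snapshot-difference attack on an outer/hidden volume layout described above, and of the decoy-write mitigation proposed at the end, run on constructed 4 KiB-block images (block size, block count and the allocation map are assumptions of the example).

```python
import math
import random

# Added example, not from the thread: simulate comparing two snapshots of an
# encrypted volume once the outer key is known, then show how decoy writes to
# free space hide which changed blocks belong to a hidden volume.

BLOCK = 4096            # block size assumed for the constructed images
RANDOM_THRESHOLD = 7.5  # bits/byte; a 4 KiB block of uniform random bytes scores ~7.95


def entropy_bits_per_byte(block):
    """Shannon entropy of the byte distribution in one block."""
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_random(block):
    return entropy_bits_per_byte(block) >= RANDOM_THRESHOLD


def split_blocks(image):
    return [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]


def changed_free_blocks(snap_a, snap_b, allocated):
    """Indices of blocks the outer filesystem lists as free (known once the
    investigator has the outer key) that hold different random-looking content
    in the two snapshots: the signature of a hidden-volume write."""
    hits = []
    for i, (a, b) in enumerate(zip(split_blocks(snap_a), split_blocks(snap_b))):
        if i in allocated or a == b:
            continue
        if looks_random(a) and looks_random(b):
            hits.append(i)
    return hits


def rand_block(rng):
    return bytes(rng.getrandbits(8) for _ in range(BLOCK))


def decoy_refresh(image, allocated, rng, fraction=0.5):
    """Mitigation from the post: while the outer volume is mounted with both
    keys (so hidden data is never clobbered), rewrite a random subset of the
    free blocks, so hidden-volume writes are no longer the only free-space changes."""
    out = split_blocks(image)
    for i in range(len(out)):
        if i not in allocated and rng.random() < fraction:
            out[i] = rand_block(rng)
    return b"".join(out)


def build_snapshots(seed=7):
    """Constructed 8-block volume. Every block is ciphertext, hence random-looking;
    blocks 0-2 are allocated by the outer filesystem, 3-7 are free, and the
    hidden volume occupies blocks 5-6. Returns (snapshot A, snapshot B, allocated)."""
    rng = random.Random(seed)
    allocated = {0, 1, 2}
    snap_a = [rand_block(rng) for _ in range(8)]
    snap_b = list(snap_a)
    snap_b[1] = rand_block(rng)   # legitimate write to an outer-volume file
    snap_b[5] = rand_block(rng)   # hidden-volume writes land in "free" space
    snap_b[6] = rand_block(rng)
    snap_b[7] = bytes(BLOCK)      # a free block zeroed: changed, but not random in B
    return b"".join(snap_a), b"".join(snap_b), allocated


def flagged_after_decoys(seed=7, fraction=1.0):
    """Run the comparison after a decoy refresh; with fraction=1.0 every free
    block changes, so blocks 5-6 no longer stand out from the rest."""
    snap_a, snap_b, allocated = build_snapshots(seed)
    snap_b = decoy_refresh(snap_b, allocated, random.Random(seed + 1), fraction)
    return changed_free_blocks(snap_a, snap_b, allocated)


if __name__ == "__main__":
    a, b, alloc = build_snapshots()
    print("hidden writes visible:", changed_free_blocks(a, b, alloc))  # [5, 6]
    print("after decoy writes:   ", flagged_after_decoys())            # [3, 4, 5, 6, 7]
```

The zeroed block 7 is deliberately not flagged: the comparison only counts blocks that look random on both sides, which is also why the decoy writes must be random data rather than zero fill.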
Nope, it's just that different methods are used against different operating systems. Linux can be updated on the fly, so there's no reason not to use something memory-resident. A well designed Linux server will only need to reboot from power or hardware failure. With some of the virtualization stuff I've noticed recently, even that might not be good enough. Windows gets an update, it needs to reboot. Something that's memory-resident would not work as well against Windows. However, it's much easier to 'own' a Windows box than a Linux one due to the differences in how they handle permissions.
My analogy is that it's easier to kill the Secretary of Defense with a .22 pistol than it is to kill a soldier on a battlefield with that same pistol, because the soldier is wearing body armor. But just try to get your pistol to the Secretary of Defense.
*Soldier = Windows, Secretary of Defense = Linux, .22 pistol = memory-resident ownage. This should not be construed as a threat against the Secretary of Defense, any soldier, or any computer. If I suddenly stop posting, we'll know that even the government wastes time on /.
I see your informative link, and raise you a pithy comment.
I'm just a crypto noob who indeed did say "rip it to pieces", lol.
I figured I might take a crack at beating some fairly vexing encryption and security problems with some old fashioned American innovation-ism.
I'm pleased as punch that so many people have examined my idea. Maybe someone will improve on it given the flaws that have been pointed out... which was my real intent.
--- Grow a pair, liberals... stop letting the Republicans bully you!
2DES is worse than DES (because of some of the symmetry properties of the DES algorithm). That is why we have 3DES using 2 DES keys.
"Slid down the technical food chain"?
What sort of bastard mixed metaphor..?
Touché (or is that too close to being a pun?)
Give a man a fish, he'll eat for a day, but teach a man to phish...
http://www.truecrypt.org/hiddenvolume.php
You're welcome.
First, your assessment of the crypto idea is off. See the follow up posts above to learn why.
Second, you seem to know a lot about how the government can legally break its own laws.
Third, if you - I mean government agents - can easily get around all of this 'right to a fair trial' nonsense, then why are you so worried about people using encryption anyway?
You call yourself a security researcher? True, double ROT13 is little better than single ROT13. But - as you should know - ROT13 is a simple substitution cipher and not exactly strong encryption. By your logic Triple DES would be no better than single DES. I think just about everyone on slashdot knows better than that. As for the use of multiple ciphers, it can be a very good idea. Which do you think would be harder to break: a file encrypted with 256-bit AES or one that is encrypted with 256-bit AES that is then encrypted with Twofish? I'll put my money on the second option. Assuming that all the keys used are 'good' keys then this is provably stronger. As a 'researcher' you should know that, too. Not to mention the fact that 'layering' your encryption gives you protection against the discovery of 'breaks' in one of the encryption schemes you are employing.
What are you 'researching' anyway? It wouldn't have anything to do with another poorly conceived forensics tool designed to let untrained snoops pick data off of drive images while calling themselves forensics technicians, would it?
I remember an episode of law and order, I think, that the guy had a computer in the room and had built some power magnets into the door frame.
If the computer was taken from that room it was wiped. Not sure how feasible it is, but sounds pretty cool.
There are 10 kinds of people: Those that understand binary, and those that don't.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Encrypt once using a good algorithm. Multiple encryption is Hollywood-style security.
Xenu loves you!
Question for you: Do you believe properly implemented strong encryption is breakable?
The answer is NO.
How do you know my answer? And it is not that simple. Sure, a direct cryptographic attack is very likely to fail. But if the goal is to get at the data, there may be numerous other options.
Now, on the forensic issue, the question is: Is it possible to mess with the data so they become irrecoverable? The answer is yes, either with encrypting or with messing with the content.
Again, the answer is not that simple. Sure, if the target knows it is possibly under surveillance and has time to destroy the data and the competence to, it can likely exceed the recovery capabilities of the attacker. But history shows that many people mess up, do not understand how to delete or encrypt properly or do not expect the attack in the first place.
Oh, and BTW: What is your point? It seems to be missing....
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Our justice system is run by elected officials (with media support). If you want fair treatment (justice) you had better hope that:
- it's not an election year
- the case has not generated a lot of media attention
- the case is not worthy of media attention when the DA holds a press conference
- the DA (and many others in the justice system) are not career building, and looking at your case as an opportunity to advance
The last one is the kicker. For every case there are dozens of people in the justice system that will get beneficial career advancement material from a successful conviction. That's my observation.
Don't forget, there's unbreakable encryption to be had as well. Using any decently random data at least as long as the file to encrypt it (even with something as simple as XOR) it's absolutely unbreakable, because without the key file it's random data. Then you just have to store that file on more perishable media like a CD or DVD which can be melted into an unrecoverable puddle within minutes. Hell, use a non-random but still unpredictable enough file from the net to encode it (say the patch for a game) and you will always have a copy of the key around somewhere and nobody will have a clue unless they've compromised your system before you perform the encryption.
nt
If you are facing trial for any "garden variety internet crime" -- fraud, CP, whatever -- you don't have to worry about the NSA. Even if they've broken the algorithms, there is _no way in hell_ the NSA will ever get involved -- if it comes out in court that AES256 or any other cipher is cracked, everyone stops using it instantly. The NSA will never tip their hand.
:)
Grandparent was right -- one layer is all you need. And the great-grandparent was wrong -- by current standards, the sun should be a cold dark chunk of rock before the first layer is ever broken.
If, on the other hand, you are a foreign national performing espionage... all bets are off as to what the NSA does to you
FAT and FAT32 are one thing. Unix systems are another. On the latter, the only way to force ctime would be to either set the clock back and modify the inode or to directly modify the block device the filesystem is sitting on. There is no low-level system call to change ctime. Neither of these methods is possible without root privileges, and I assumed the environment was a shared unix machine at a university (as the students were talking about "touch"). Presumably, students wouldn't have root access on that machine.
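An added example, not the poster's code, of the detection angle in the post above: a checker that flags the timestamp relationships a utime-based stomp leaves behind, tried on a constructed fixture file (Linux/macOS ctime semantics are assumed; slack values are assumptions of the example).

```python
import os
import tempfile
import time

# Added example, not from the thread. touch/utime can set atime and mtime, but
# a Unix kernel moves ctime to "now" on any inode change, so a stomped mtime
# leaves a relationship a reviewer can test for.

FUTURE_SLACK = 60   # seconds of clock skew tolerated before a time is "in the future"
ORDER_SLACK = 1     # seconds of tolerance between mtime and ctime


def timestamp_anomalies(path, now=None):
    """Return labels for suspicious atime/mtime/ctime relationships on one file.

    Assumes Linux/macOS semantics, where st_ctime is the inode change time.
    On Windows st_ctime is the creation time, so the ordering test is skipped.
    """
    st = os.stat(path)
    now = time.time() if now is None else now
    found = []
    for label, value in (("atime", st.st_atime), ("mtime", st.st_mtime),
                         ("ctime", st.st_ctime)):
        if value > now + FUTURE_SLACK:
            found.append(f"{label}_in_future")
    # Any write or metadata change sets ctime to the current clock, so a
    # modification time later than the change time cannot arise normally.
    # (atime may legitimately be later: reads update atime but not ctime.)
    if os.name != "nt" and st.st_mtime > st.st_ctime + ORDER_SLACK:
        found.append("mtime_after_ctime")
    return found


def scan_tree(root, now=None):
    """Walk a directory tree; return {path: labels} for flagged files only."""
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                labels = timestamp_anomalies(path, now)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the scan
            if labels:
                report[path] = labels
    return report


def stomp_demo():
    """Constructed fixture: write a file, then use os.utime (what `touch -d`
    calls) to set atime two years back and mtime ten years ahead, matching the
    pattern quoted in the summary. Returns (before, after, ctime_advanced, hits)."""
    year = 365 * 86400
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notes.txt")
        with open(path, "w") as fh:
            fh.write("constructed sample file\n")
        before = timestamp_anomalies(path)
        ctime_at_write = os.stat(path).st_ctime
        now = time.time()
        os.utime(path, (now - 2 * year, now + 10 * year))
        after = timestamp_anomalies(path)
        # utime cannot set ctime; the kernel bumped it to the time of the call.
        ctime_advanced = os.stat(path).st_ctime >= ctime_at_write
        hits = len(scan_tree(tmp))
        return before, after, ctime_advanced, hits


if __name__ == "__main__":
    print(stomp_demo())
```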
So, who needs script kiddies with tools when M$ can screw up forensics?
You should put a '}' or something at the beginning of your sig.
Nearly any data can be recovered given enough time and budget (much like cracking encryption). I read awhile back that forensics can use an electron microscope to read bit-for-bit from severely damaged platters.
The platter must be liquified or shredded to ensure no recovery.
You say "umm... there isn't a hidden container... there's nothing more there..."
The DA continues to smile. "Prove it to me."
You say "umm... I can't... that's exactly what TrueCrypt means when they say it's hidden... you can't prove it exists and you can't prove it doesn't exist..."
The DA rises from the table. "Say hi to your husband for me when you meet him."
Huh? Last time I checked the prosecutor has to prove you guilty, and with only a jailhouse snitch (who has very little credibility) as evidence, what are they going to hang you with? The fact that you may or may not have an encrypted volume on your hard drive? May or may not != beyond a reasonable doubt...unless you mean that possession of a TrueCrypt volume is enough to get indicted (which you correctly state would be life-ruining), but I'm not even sure that would happen.
You've clearly never set foot in a courtroom, and trotting out your NSF-funded status doesn't make you any more believable. I've seen some pretty hilarious NSF grants before, PIs are just better at spinning shit nowadays.
With the first link, the chain is forged.
The term you're reaching for has already been coined. It's called deniable encryption. TrueCrypt, among others, incorporates it. Essentially, you have an encrypted volume within an encrypted volume. Because the encryption doesn't have a signature (the header you refer to), no one ever knows it's there. This is useful for defending against so-called "rubber hose" cryptography, where the key is extracted under duress. If the volume is not known, the volume can't be decrypted.
The technique is you create an encrypted volume, throw a few files that would plausibly be encrypted down (some pr0n, Ace of Base MP3's, episodes of Gilmore Girls, or whatever else you'd be embarrassed about having found), and then create another, hidden, volume in the unused space on the original encrypted volume. That way, when your love of Milli Vanilli's music is discovered by handing over the key to your root volume, they'll think that's all you're trying to hide. Or rather, they won't be able to find all that other stuff they think you're hiding, which is the important part.
The truth about Scientology, Xenu, and you: Operation Clambake
You're assuming AC's not running Windows.
But then again, this is Slashdot...
I asked her how many times they ran in to PGP being used by people trading in kiddie porn. Not a single one. She noted that the folks they were busting just weren't smart enough to understand that kind of thing.
PGP and GnuPG have a serious flaw, in that both the (encrypted) session key and the ciphertext are transferred between the two parties. This means that law enforcement can always recover the plaintext from the ciphertext by getting the file recipient to give up his passphrase, which always unlocks the session key. Even if the recipient deletes the ciphertext, law enforcement can still obtain it using a wiretap.
To avoid this, the session key should be stored in memory (as in SSH) and deleted by both the sender and receiver after the message has been transferred. That way, even if law enforcement does use a wiretap to grab the ciphertext, the recipient is unable to produce the key after arrest. Result: there is no proof that the message contains anything of interest to law enforcement. However, this requires a network connection between the two parties.
So perhaps the FBI had it backwards - maybe the sex offenders in your example were actually too smart to use PGP!
It's easier to replace the libraries and they are less likely to be properly checked.
The more complex systems get, the easier it is to hide stuff and there just aren't the tools to easily check these things. A diff of a text file isn't that much simpler than a diff of two xml files but it reduces the number of people who will ever check it. Binary config files are even worse. Many major Unix flavors now use binary files (often under the guise of optimizing startup) that can be hand edited with a binary editor to do very interesting and nearly undetectable things on shutdown. It's real handy to be able to do things after the process accounting system disk has been unmounted if you want to do things undetected.
would actually set the damn thing to zero anyway?
Wouldn't that like, well, we'd all be dead, right...?
I could just imagine it, "nuclear world war", then some sadcase sitting there, "hmm, guess we better set the ol' Doomsday clock to zero", then the stereotypical English guy "Good show ol' chap!"
I mean, seriously!
In his first post he states that he is a "NSF-funded researcher" and in a later post he writes "I'm a computer security Ph.D. candidate"... so, he is just a PhD student on his high horse...
For fuck's sake, I am an Artificial Intelligence Researcher funded by my country's Federal Science and Technology Council and within project N (working hand in hand with X and Y researchers who are very recognized in the field in very prestigious UK universities...). But for fuck's sake, I am a PhD student. That's all...
That is something I have always hated about some "Doctors", a lot of them get very pretentious and become assholes...
Fortunately in my field, it seems there are a lot of really nice researchers even though they are funded by UK or US defense departments...
Ubuntu is an African word meaning 'I can't configure Debian'
IANAL, but I read one discussing the "I plead the Fifth" approach a while back.
In a nutshell, he said that case law says that the Fifth only applies to statements that directly incriminate you, e.g., asking about your whereabouts on the night of the 17th. Everything else is fair game unless there's a compelling reason otherwise. You can be forced to turn over all papers, and even to give blood or saliva samples, but not to undergo surgery to remove a bullet that may tie you to the scene of the crime.
You might think that encrypted disks are too new for case law, but remember that the situation is analogous to having a safe-deposit box. They are fair game with a proper search warrant and refusing to cooperate is itself a criminal act.
Personally, I disagree to an extent since I think an individual's thoughts should be protected whether they remain unsaid or written in a private journal, but the courts have held that anything written down (on paper or on disk) is not covered by the Fifth.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Linux offers a few encrypted file systems - Here's one - that can include the swap file/partition.
If you're using a swap file instead of a swap partition, it's even easier to use - just put the swap file on an encrypted filesystem & it will automatically be encrypted right along with the other data.
As a side note - standard username/password encryption is pointless for this anyway - unless you plan on typing in a 1024 bit password anyway. You would need a key on a USB stick that they would just confiscate anyway. Biometrics are iffy - Jello has an 80% success rate at getting past fingerprint recognition.
Alternately you can go with those spiffy cards that provide a 4 - 8 digit number based on the time, but again they would confiscate the card.
The DA just smiles at you and says... "I'd like to see the hidden container inside that TrueCrypt volume. My forensicist says oftentimes people do that with TrueCrypt."
You say "umm... there isn't a hidden container... there's nothing more there..."
The DA continues to smile. "Prove it to me."
You say "Actually, you have to prove to me that there's anything there to hide. You should know that I'm innocent until proven guilty."
Then you walk away scot-free. The DA continues to smile for some reason, probably too much crack this morning.
Twinstiq, game news
Statistically speaking, the encrypted data isn't random, it's pseudorandom. By re-encrypting it with a known schema, you may be able to identify the original schema by observing the patterns of data shifting between the old & new files.
Not that that is usually a problem, even if the key has to be supplied, most of the disk encryption schemes I've seen require that the OS know in advance which crypto method is being used.
So you have a Judas goat machine which sits around simulating a beige box from the local department store with default settings, surfing the web semirandomly and full of spyware and trojans. It's got folders full of vanilla porn and randomly downloaded crap everywhere. Your *actual* machine sits in a custom safe buried under the house, stores all its data in RAM or random-password-encrypted partitions on your neighbours' open networks, and is laced with thermite. If the Judas machine is removed from the house or the case cracked in a normal way, the thermite in the real machine (as well as the transmitter/sensor in the Judas machine) goes bang. If you really feel you must be able to recover your data at a later time, have the passwords for the partitions stored in an encrypted file somewhere on the internet - one for which you do know the password. What forensics finds: A machine which looks like any other consumer machine - full of crap downloads and vanilla porn. No obvious functioning wireless comms capacity. If they discover the neighbours' networks and poke around in there, they might find the encrypted blocks. But there's no way to prove who put them there, where they came from, or what their purpose is. The neighbours will claim ignorance. Your own PC didn't have any wireless devices. If they've been monitoring wireless transmissions in the area for a while, they might be able to say that something in your house (or nearby) was communicating wirelessly. However, it and the remains of the real PC are now so much charred ash, even if the basement is dug up. Not to mention that there was never any incriminating data stored on that PC at any point anyway. Of course, there are more ways to wreck you than through purely technical evidence - being dragged through the courts and media, for starters - but that's a discussion outside the scope of antiforensics.
Well yes... Even though the majority runs Windows as a primary OS, we all like to pretend otherwise.
And that would be better than just checking 'top' every so often and watching the percentage or having a program that automatically triggers when available memory reduces to a threshold, how? If the performance loss occurs, then you still get a performance loss. You want to catch such things before they become a problem. And if your solution to memory leaks is simply to restart the application, then you want the application to crash as quickly as possible. (or, again, better yet, signal termination when remaining memory is too low, log, and restart the application)
In every circumstance where you can say, "a page file would be good here" it can be argued that the page file would work better as a ramdisk, and if you're messing with that, why not just have that much RAM to begin with and have some utilities to properly manage memory?
Can you be Even More Awesome?!
Good god, this is like listening to Jocks talk about how they lost their iPod collection cause of that porn site they visited. This stupid dribble is making me dumber by the minute...
Go Google a beginners guide to disk encryption and get a clue.
GPLv2: I want my rights, I want my phone call! DRM: What use is a phone call, if you are unable to speak?
Do a google search on rutkowska dma and you can read about the discovery and implementation of tools capable of sucking RAM contents from a live machine. This totally bypasses all security measures in the OS and firmware of a system.
Rootkits and keyloggers can even be installed into RAM via DMA without leaving a trace on disk.
All I can think of for that is Gilmore. And WHY NOT GILMORE?
MacForensicsLab
http://www.macforensicslab.com/
http://www.macforensicslab.com/mfl_analysis.html
If you are a super criminal you have state protection, See:
Attorney General Alberto Gonzales:
http://politics.slashdot.org/article.pl?sid=07/05/16/0137205
http://tedscolumn.blogspot.com/2007/05/more-from-department-of-injustice.html
http://news.com.com/8301-10784_3-9719339-7.html
But if you've got something [below] this insidious, you're just screwed:
http://www.securityfocus.com/cgi-bin/index.cgi?c=articlecomments&op=display_comments&ArticleID=11372&expand_all=true&mode=threaded
You'd need Fred: [site is run off a locked volume - DVD]
http://all.net/
He also has, White Glove Linux, LE is for law enforcement only. [click "prices" on left]
http://all.net/WG/dist/index.html
Fred's, The Man(TM)
~hylas
It is typical that tools that might ensure the busies don't dig into our brain extensions (computers) are cast mainly as a boon for criminals. Many of the tools described are a boon to those who insist on the right to be secure in their computer based effects. Many are a boon to those who insist on more cyber-freedom than many a State wants to allow.
Must Read:
Forensic Discovery [download!]
Dan Farmer and Wietse Venema
http://www.porcupine.org/forensics/forensic-discovery/
Must Go:
http://www.porcupine.org/forensics/
~hylas
oh, and you used oversimplification to setup a strawman accusing me of contradiction.
Article on one page (as opposed to *10* separate pages...)
http://www.cio.com/article/print/114550
The best way to do this sort of thing is to just use a swappable drive bay.*
The trick is to use a PCMCIA Type III slot with the setup. Your boot drive is actually a pocket-sized HD (flash would also work, but it has problems with the number of read/write cycles). Time to go home? Take your drive with you.
You could also use an external USB/Firewire pocket drive as well. They can't snoop on it if the drive isn't there (and the advantage of all of these is the quickness with which they can be yanked in an emergency).
ian
I am a very private person. Occasionally, I do some public speaking in churches or public meetings, when there's something that needs to be said. Frequently, whoever is running the meeting will say something like "we'll seat you here behind the podium" or "the guest speakers will be seated in the front of the room facing the audience" and I'll politely say "no thank you, I will arrive early enough to sit in the front row and I will get up and come to the microphone when it is time for me to speak". I am not classically shy - I am perfectly willing to talk to hundreds of people and I'm not body-proud or anything - but I feel uncomfortable when I'm held up in public view to no purpose. It makes me feel violated in a way that people who do not have this issue will never be able to understand.
I don't want people reading my mail, tracking my credit card purchases, taking pictures of me in public places, knowing what music I listen to when I'm alone, knowing what web sites I frequent, knowing my favorite flavors of food, or ANYTHING ELSE unless they actually know ME. It's not a reasoned, principled stand; it's a BASIC NEED that was probably a survival trait for my ancestors.
Exactly. I agree with you.
It's all about career building, and looking at each case as an opportunity to advance.
If being part of a media circus would advance their career, you can bet that a DA would go before a judge without evidence of a crime. It has happened plenty of times.
Yes, it's the exception, but so are information technology cases.
At my previous work we used to take one T-72 main battle tank and line up the old discs on a pavement and drive a couple dozen times over them with the tank.
Having had a long-term interest in encryption and security, I have always been curious about, but have never been able to find any reliable information on, the Windows built-in NTFS encryption. Does anybody know how good it is?
Also, does anybody know if it is possible, and how, to mount the home directory on logon with TrueCrypt, or even whether it is possible to run the OS on an encrypted volume?
We've always had "strong persuasion". It looks like this:
Judge: I order you to reveal the key.
You: No.
Judge: I'm finding you in contempt of court. You'll be going to jail now.
You: For how long?
Judge: Until you reveal the key.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
It is true that you are not required to talk to authorities without representation. It is false that your encryption keys are somehow protected by the 5th amendment.
If you withhold your encryption keys, you are guilty of either: obstruction of justice or contempt of court. Both of them will land you in jail, which was where you were trying to avoid going in the first place.
The 5th amendment only protects you from testifying against yourself under oath. It does not protect your property, files, notes, papers, keys, etc. Those are all evidence and you must give them up if ordered to do so by a judge.