Slashdot Mirror


New Anti-Forensics Tools Thwart Police

rabblerouzer writes "Antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator. 'Now it's hobby level.' Take, for example, TimeStomp. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified."
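As an added defender-side example (not part of the Slashdot submission, the linked article, or the Timestomp tool itself), here is a small Python check that flags the impossible timestamp combinations the summary describes: creation dates in the future and files accessed before they existed. The analysis time, paths and metadata rows are all constructed sample data; the whole-second heuristic is an assumption noted in the comments, not something the article states.

```python
from datetime import datetime, timedelta, timezone

# Reference "now" for the analysis (constructed; pass your own when running live).
ANALYSIS_TIME = datetime(2007, 6, 1, tzinfo=timezone.utc)

def utc(*args):
    """Build a timezone-aware UTC datetime from year, month, day, ... components."""
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample rows: (path, created, modified, accessed). The first row
# mimics the pattern in the story: created ten years ahead, accessed two years
# back. The second is an ordinary copied document that must not be flagged.
SAMPLE_ENTRIES = [
    ("C:\\Windows\\System32\\drivers\\example.sys",   # constructed path
     utc(2017, 6, 1), utc(2017, 6, 1), utc(2005, 6, 1)),
    ("C:\\Users\\alice\\report.doc",                   # constructed path
     utc(2007, 3, 4, 9, 15, 22, 431000),
     utc(2006, 11, 2, 17, 0, 5, 120000),
     utc(2007, 3, 4, 9, 15, 22, 431000)),
]

def timestamp_anomalies(created, modified, accessed,
                        now=ANALYSIS_TIME, slack=timedelta(days=1)):
    """Return reasons these timestamps look wrong; empty list if plausible.

    'Modified before created' is deliberately NOT flagged: copying a file on
    Windows keeps the source's modification time and stamps a fresh creation
    time, so that ordering is normal and would drown the real signal."""
    reasons = []
    for name, ts in (("created", created), ("modified", modified), ("accessed", accessed)):
        if ts > now + slack:  # slack tolerates clock skew between hosts
            reasons.append(f"{name} time is in the future")
    if accessed < created:
        reasons.append("accessed before it was created")
    if all(ts.microsecond == 0 for ts in (created, modified, accessed)):
        # Weak signal and an assumption beyond the article: NTFS stores 100 ns
        # precision, so three exact whole-second stamps hint that a tool wrote
        # them. FAT volumes and archive extractions produce this legitimately.
        reasons.append("all timestamps are whole seconds (weak signal)")
    return reasons

def flag_entries(entries, now=ANALYSIS_TIME):
    """Map each suspicious path to its list of anomaly reasons."""
    flagged = {}
    for path, created, modified, accessed in entries:
        reasons = timestamp_anomalies(created, modified, accessed, now)
        if reasons:
            flagged[path] = reasons
    return flagged

if __name__ == "__main__":
    for path, reasons in flag_entries(SAMPLE_ENTRIES).items():
        print(path, "->", "; ".join(reasons))
```

On a live system you would feed it the MAC times pulled from a directory walk or a forensic image and treat only the "future" and "accessed before created" reasons as strong findings.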


  1. Time Stamps? by iminplaya · · Score: 5, Funny

    Simple! Just cut the disk open and count the rings.

    --
    What?
    1. Re:Time Stamps? by iminplaya · · Score: 5, Funny

      Yes, and notice how I modified the time stamp AND the comment number to make appear the parent is the first post.

      --
      What?
  2. Pfft. by RealGrouchy · · Score: 5, Funny

    This has got to be old news. Over 112% of Slashdotters have been using these programs for years, since at least 3 months from now!

    - RG>

    --
    Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
    1. Re:Pfft. by trolltalk.com · · Score: 5, Funny

      Gee, and I thought it was a free "feature" included with every version of Windows and DOS.

      FILE0001.CHK
      FILE0002.CHK
      FILE0003.CHK
      FILE0004.CHK
      FILE0005.CHK
      ...
      FILE9999.CHK
      Unable to find COMMAND.COM. Please insert system disk and press reset.

    2. Re:Pfft. by bentcd · · Score: 4, Funny

      I say we take off and nuke the platters from orbit.

      It's the only way to be sure.

      --
      sigs are hazardous to your health
    3. Re:Pfft. by WhatAmIDoingHere · · Score: 2, Funny

      What the hell are you running? Windows 95?

      "In fact, it's the fastest running, most secure version of Windows ever."

      But, like you said, you can't run anything on it either!

      --
      Not a Twitter sockpuppet... but I wish I was.
    4. Re:Pfft. by QuantumFlux · · Score: 2, Funny

      [...] we had company restricted secrete data on the disks... I informed IBM of the dilemma [...] You 'secreted' what data on the disks!? That's disgusting... no wonder you didn't want IBM to get at the disks...
  3. Ah, the police... by Icarus1919 · · Score: 4, Funny

    I always just keep a few magnets handy... just in case....

    I prefer hardware solutions, rather than software ones.

    1. Re:Ah, the police... by Simon80 · · Score: 2, Funny

      Normally, I'd be inclined to dismiss this tactic, but hey, if it works for the attorney general of the US...

  4. deja vu by Anonymous Coward · · Score: 2, Funny

    Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified.

    That's really odd, I seem to remember seeing something similar on our domain controller a few minu
  5. Holy Crap by stoneycoder · · Score: 1, Funny

    They must be using some NSA type shit. From TFA:

    He learned quite a bit through forensics. He learned, for example, that an aquarium employee had downloaded an audio file while eating a sandwich on her lunch break. Now that's what I want, a tool that can tell if someone was eating a sandwich while downloading a particular file.
    1. Re:Holy Crap by alohatiger · · Score: 2, Funny

      Come on, all you have to do is check the MEAL_BREAK_MENU_DESCRIPTION meta tag

      --
      Bigtime Consulting - "We're the best because we cost the most"
  6. Willunwhen the file istobe created... by flyingfsck · · Score: 2, Funny

    the modification date was'ntobe set the last time it shallhasbeen accessed...

    Uhh - got to work on my future imperfect past continuous tense.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  7. Re:Never trust the computer! by flyingfsck · · Score: 4, Funny

    Well, alternatively one could just use Windows ME on a FAT file system. That screws things up all by itself - no need for fancy tools.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  8. Re:A year ago... by Profane+MuthaFucka · · Score: 5, Funny

    Don't knock it. Catching cheating spouses is a great way to get laid. You've already established that they've got no problem sleeping with people other than their husbands, which is 90% of the battle usually.

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
  9. Re:Touch by dwater · · Score: 2, Funny

    >>> ...on one hand...
    >
    >Yes, yes.
    >
    >Five years ago (2002) there were five people (or less) that knew touch.

    Er, assuming they're using 5 fingers (inc. thumb) then that should be *31* people or less...

    >
    >Lol. The guy is a moron.

    *He's* a moron?

    What's that strange gesture you're giving me with your hand? You trying to tell me '4' for some reason?? Hrm...odd.

    --
    Max.
  10. Re:Here's a real good one by zippthorne · · Score: 2, Funny

    You should use ROT-9 followed by ROT-8 followed by ROT-9 again. ROT-13 is pretty weak, but if you use different numbers and apply encryption multiple times, your data will be much safer. TripleROT (9,8,9) is a standard by which all other methods are measured. All without requiring some fancy scheme concocted by guys with foreign-sounding names. Would you trust your security to a foreigner? With a beard?

    Oh, and IIRC, withholding the password would be obstruction of justice (assuming they obtained a warrant for the data protected by the password, as per the 4th amendment)

    --
    Can you be Even More Awesome?!
  11. Re:Here's a real good one by RyuuzakiTetsuya · · Score: 5, Funny

    just do some petty theft on top of that and overflow it back to 0x01.

    --
    Non impediti ratione cogitationus.
  12. withholding the password by cbr2702 · · Score: 3, Funny

    withholding the password would be obstruction of justice

    Couldn't you choose an incriminating password and plead the 5th?

    --
    This post written under Gentoo-linux with an SCO IP license.
    1. Re:withholding the password by Fred_A · · Score: 2, Funny

      > It seems to me that the best approach to this problem might be to have a password that self-destructs when it detects that someone is about to physically break into your system. This way, there is no password to give them and whoever it is that is trying to do this (whether it's the Man or bin Laden) there's simply no way for them to succeed. Just watch out for those false positives ...

      In that case isn't the best way just to not know the password? Just use whatever comes from /dev/urandom at the time to encrypt your data and you can't incriminate yourself.

      --
      May contain traces of nut.
      Made from the freshest electrons.
  13. Re:Here's a real good one by mobby_6kl · · Score: 2, Funny

    > I didn't think encrypting data twice or more over increased its level of security.

    Well, it usually does. Unless, of course, you're using ROT-13 for your original encryption.

  14. Re:Working drive at 700+F? by Anonymous Coward · · Score: 1, Funny

    Sacrebleu!

    > An electric heater/oven should do the trick quite nicely.

    Nonsense, ovens are for cooking croissants, bread and onion soup!
  15. Re:Never trust the computer! by digitig · · Score: 2, Funny

    Oy! Now none of my makefiles work properly!

    --
    Quidnam Latine loqui modo coepi?
  16. Re:oh geez... the "police" by Anonymous Coward · · Score: 1, Funny

    Where's the .torrent?

  17. Re:Here's a real good one by Anonymous Coward · · Score: 1, Funny

    Yes. Everyone knows that double ROT-13 gives you the original data. Don't be silly. That's why I quadruple it.

  18. No..... No, Just No. by HalAtWork · · Score: 2, Funny

    The DA just smiles at you and says... "I'd like to see the hidden container inside that TrueCrypt volume. My forensicist says oftentimes people do that with TrueCrypt."

    You say "umm... there isn't a hidden container... there's nothing more there..."

    The DA continues to smile. "Prove it to me."


    You say "Actually, you have to prove to me that there's anything there to hide. You should know that I'm innocent until proven guilty."

    Then you walk away scot-free. The DA continues to smile for some reason, probably too much crack this morning.