Slashdot Mirror


New Anti-Forensics Tools Thwart Police

rabblerouzer writes "Antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator. 'Now it's hobby level.' Take, for example, TimeStomp. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified."
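The timestamp pattern the summary describes (a creation date years in the future, an access date before it) can be triaged mechanically once the NTFS times are exported. The following is an added example and is not part of the Slashdot post or of TimeStomp itself. The records are constructed, and the heuristics are the ones commonly used against rewritten NTFS timestamps: a creation time after the examination date, $STANDARD_INFORMATION stamps whose fractional-second fields are all zero (a tool setting times at one-second granularity through the normal file API leaves them that way, whereas normal writes almost never land on an exact second), and a $STANDARD_INFORMATION creation time that disagrees with the $FILE_NAME creation time, which ordinary file APIs cannot set. "Modified before created" is kept as a soft flag only, because a copied file legitimately shows it.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2007, 6, 1, 12, 0, tzinfo=UTC)   # constructed "time of examination"

# Flags that ordinary file activity does not produce; any one of them is
# enough to pull the file for closer review.
HARD_FLAGS = {
    "created in the future",
    "zero sub-second component on all $SI stamps",
    "$SI and $FN creation times disagree",
}


def anomalies(rec, now=NOW):
    """Return the list of reasons a record's timestamps look manipulated."""
    c, m, a, fn = rec["si_created"], rec["si_modified"], rec["si_accessed"], rec["fn_created"]
    flags = []
    if c > now + timedelta(days=1):            # allow a day of clock skew
        flags.append("created in the future")
    if m < c:                                  # soft flag: copied files show this too
        flags.append("modified before created")
    if a < c:
        flags.append("accessed before created")
    if all(t.microsecond == 0 for t in (c, m, a)):
        flags.append("zero sub-second component on all $SI stamps")
    if abs((fn - c).total_seconds()) > 1:      # $FN is not reachable via SetFileTime
        flags.append("$SI and $FN creation times disagree")
    return flags


def is_suspect(rec, now=NOW):
    """True when at least one hard flag fires."""
    return any(f in HARD_FLAGS for f in anomalies(rec, now))


def triage(records, now=NOW):
    """Map file name -> anomaly list for every record that trips a hard flag."""
    return {r["name"]: anomalies(r, now) for r in records if is_suspect(r, now)}


def _t(y, mo, d, h=0, mi=0, s=0, us=0):
    return datetime(y, mo, d, h, mi, s, us, tzinfo=UTC)


# Constructed sample records, not data from any real investigation.
RECORDS = [
    {   # ordinary document: all times plausible, $SI and $FN agree
        "name": "report.doc",
        "si_created": _t(2007, 3, 10, 14, 22, 5, 123456),
        "si_modified": _t(2007, 4, 1, 9, 0, 0, 654321),
        "si_accessed": _t(2007, 5, 30, 8, 15, 44, 20010),
        "fn_created": _t(2007, 3, 10, 14, 22, 5, 123456),
    },
    {   # copied file: modified predates created, but nothing else is odd
        "name": "budget.xls",
        "si_created": _t(2007, 5, 20, 10, 0, 0, 111000),
        "si_modified": _t(2006, 1, 5, 8, 0, 0, 222000),
        "si_accessed": _t(2007, 5, 20, 10, 0, 0, 111000),
        "fn_created": _t(2007, 5, 20, 10, 0, 0, 111000),
    },
    {   # the pattern from the summary: created ten years out, accessed two years back,
        # whole-second stamps, and a $FN creation time that tells the real story
        "name": "notes.txt",
        "si_created": _t(2017, 6, 1),
        "si_modified": _t(2005, 6, 1),
        "si_accessed": _t(2005, 6, 1),
        "fn_created": _t(2007, 5, 28, 13, 40, 12, 445566),
    },
]

if __name__ == "__main__":
    for name, flags in triage(RECORDS).items():
        print(name, "->", "; ".join(flags))
```

Only notes.txt is reported; budget.xls carries a single soft flag and is left alone, which is the behaviour you want when a suspect's drive holds thousands of copied files.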

8 of 528 comments

  1. Print version by Anonymous Coward · Score: 4, Informative

    http://www.cio.com/article/print/114550 - Print version so you don't have to go through ten pages to read it all.

    Anonymous coward so no Karma whoring today. :)

  2. Re:Pfft. by the+unbeliever · Score: 4, Informative

    Data can still be recovered. It may only be bits and pieces of files, but it can still be recovered. Clean room data recovery can do some pretty amazing things now.

    The only "sure" way is to melt down the platters and make pretty jewelry with them.

  3. Re:interesting by enrevanche · Score: 4, Informative

    The date a track was written could possibly be analyzed by looking at how it was written at the microscopic level, but this would probably destroy the disk itself. It would be very expensive. As far as I know, this is only theory and has not actually been done. If somebody has a technique, I would hope that it would require a lot of peer-reviewed research to verify its validity. Anyway, the date a track was written may have nothing to do with the age of the data (file), as the OS may move files around for efficiency. This will not affect the timestamps of a file. The fact is that these timestamps are simply data written on the disk and can easily be changed.

  4. Re:oh geez... the "police" by Kjella · Score: 4, Informative

    Don't underestimate the tools - many forensic experts couldn't find their way at all outside the tool, but the tools are rather good at three things:
    1) Point them to "interesting" catalogs on most operating systems
    2) Read pretty much any filesystem, including the odd Linux/BSD variants
    3) Scan for files (keywords, against a hash db etc.) without booting your OS

    Encryption is the only thing that'll stand any serious investigation. Though I suppose it'll get you past the "should we bother to check his computer just in case" checks, there is plenty of support for non-"IE/Windows" machines.

    Examples:
    Operating system support: Windows 95/98/NT/2000/XP/2003 Server, Linux kernel 2.4 and above, Solaris 8/9 (both 32- and 64-bit), AIX, OS X.
    File systems supported by EnCase software: FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS and jfs) LVM8, FFS (OpenBSD, NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, and TiVo® 1 and TiVo 2 file systems.
    EnCase software uniquely supports the imaging and analysis of RAID arrays, including hardware and software RAIDs. Forensic analysis of RAID sets is nearly impossible outside of the EnCase environment.
    Dynamic disk support for Windows 2000/XP/2003 Server.
    Ability to preview and acquire select Palm devices.
    Ability to interpret and analyze VMware, Microsoft Virtual PC, DD and SafeBack v2 image formats.

    Compound Document and File Analysis: Many files such as Microsoft Office documents, Outlook PSTs, TAR, GZ, thumbs.db and ZIP files store internal files and metadata that contain valuable information once exposed. EnCase automatically displays these internal files, file structures, data and metadata. Once these files have been virtually mounted within EnCase, they can be searched, documented and extracted in a number of different ways.

    File Finder: This feature automatically searches through the page file, unallocated clusters, selected files or an entire case, looking for predefined or custom file types. This feature differs from the standard search, because it looks through the defined areas for the file header information and sometimes the footer.

    Analysis: EnCase software has the ability to find, parse, analyze, display and document various types of email formats, including Outlook PSTs/OSTs ('97-'03), Outlook® Express DBXs, Lotus Notes NFS, webmail such as Hotmail, Netscape and Yahoo; UNIX mbox files like those used by Mac OS X; Netscape; Firefox; UNIX email applications; and AOL 6, 7, 8, 9. In some cases, EnCase can recover deleted files and, depending on the email format, the status of the machine.

    Browser History Analysis: EnCase has powerful and selective search capabilities for Internet artifacts that can be done by device, browser type or user. EnCase can automatically parse, analyze and display various types of Internet and Windows history artifacts logged when websites or file directories are accessed through supported browsers, including Internet Explorer, Mozilla, Opera and Safari.

    --
    Live today, because you never know what tomorrow brings
  5. Re:So... by RobertM1968 · Score: 3, Informative

    I'm not sure what parent is using, but I own a Netfinity, and it can be set up so that
    • Opening the case triggers some action (shut-down, lock-up, email/network/pager/phone alert, etc)
    • changing hardware in the machine triggers some action (shut-down, lock-up, email/network/pager/phone alert, etc)
    • a device failing triggers some action (shut-down, lock-up, email/network/pager/phone alert, etc)
    • Powering off the machine (via the soft-power through mobo switch) triggers some action (lock-up next start, email/network/pager/phone alert, etc)
    • shutting down the power supply (using the switches on the power supplies) triggers some action (lock-up next start, email/network/pager/phone alert even with no power, etc)
    • physically unplugging all 3 power cords triggers some action (lock-up on next start, email/network/pager/phone alert, etc even with no power)
    • cutting the power to the location instantaneously triggers some action (lock-up on next start, email/network/pager/phone alert, etc)
    • and on many models, trying to remove the unplugged unit from a building triggers some action (email/network/pager/phone alert, etc) - with the appropriate RFID station in said building.

    Parts of the machine stay on for a very long time without power, and the whole machine itself can take up to 30 seconds to power down with no power connected. The System Management board has its own internal power (though minimal), and most every hardware or power related issue gets logged into the hardware's system log - even with no power to the machine (i.e. pulling all plugs or hitting the circuit breaker will make the machine log a "No AC Power" with time & date stamp, and send out a notification - even though it has no AC power - before the machine drains what is stored internally).

    Pretty neat piece of machinery - and at 130 lbs and a ridiculously high "guaranteed uptime" I guess such functions aren't much to expect. Even so, many far lower end Netfinitys and their Intellistation brethren have (had) at least a few of the same features/capabilities.

    I am presuming the replacement iSeries eServers do as well - though that is just a presumption, and reality may be far different.

    -Robert

    PS: Making a home brew solution is very easy [though I think some boards natively support this through their "Case Tamper" pins which just need to be wired to a case intrusion switch (standard roller arm switch)]

  6. Re:Pfft. by buysse · Score: 3, Informative

    Eh, I hate feeding trolls. Hey, anonymous weaselnuts? Disk crash is a valid, and descriptive, term for a disk failure. The heads don't touch the disk -- this ain't your fscking vinyl record. If they touch, or *crash*, into the disk surface, bad things happen. It's a crash. Valid term. More correct would be head crash. I've opened up a disk after the distinctive sound to see the beautiful half-millimeter deep groove in the surface of the platter and little strings of metal littering the inside. I've also sent disks that made the same distinctive sound to a data recovery service and gotten back data.

    --
    -30-
  7. Re:Epically bad. by Anonymous Coward · Score: 5, Informative

    I'm not an NSA funded security researcher, but I'm also slightly less of an arrogant prick than "rjh". So to answer your question about layering encryption without getting into all the you're-not-even-worthy-to-be-asking-this-question crap, here's a brief layperson's answer:

    Essentially your idea is not a bad one, it's just a bit naive -- there are non-obvious subtleties which must be considered in order to make the idea work as well as you hope.

    One issue is that some encryption algorithms (called "groups") have the characteristic that when applied two consecutive times with different keys, the result is the same as if the algorithm was applied only once with some other third key. If this is the case for your favorite algorithm, then your plan adds no extra security compared to just encrypting once. And apparently it's not always easy to know whether this is the case for a complex algorithm, so you should assume the worst.

    Another issue is that if your adversary can guess some plaintext (e.g. by assuming it contains .doc or .jpg headers) they can use a technique that trades off storage for computation and break your multiple encryption much faster than you would have thought.

    One way to overcome these weaknesses is by applying your encryption in "EDE" (encrypt-decrypt-encrypt) mode, where you encrypt with one password, then "decrypt" with a second password (which is obviously not really decrypting but just making the scrambling that much more horrendous), and then encrypting again with a third password. Even this is not as secure as you might expect, but it's still pretty good.

    The well-known security and crypto expert Bruce Schneier has a great book called "Applied Cryptography" (Wiley, 2nd edition 1996, ISBN 0-471-11709-9) which is accessible to average smart, interested, non-NSA-funded Slashdot readers without advanced math degrees. It even has a brief chapter (15) on this exact topic. (Schneier has other great books too.)

    Despite his attitude, "rjh" is right in implying that our common sense is not trustworthy in the area of cryptography -- some of the world's smartest people devote their lives to this stuff and have come up with astonishing and often counterintuitive results. Smarter people than us have already studied this idea, which is basically a good one even though it has pitfalls. Don't let anyone make you feel stupid for having an idea or asking a good question.
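To make the three points in the comment above concrete, here is an added example; it is mine, not the commenter's, and not taken from Schneier's book. XOR masking stands in for a cipher that forms a group: two keys compose to a single equivalent key. A constructed 16-bit, four-round SPN toy cipher with a 16-bit key (a Heys-style teaching cipher, not a real one) stands in for a cipher that is not a group, and shows the known-plaintext meet-in-the-middle attack the comment alludes to: the attacker guesses the first bytes of a JPEG file (FF D8 FF E0 00 10 4A 46) and recovers both keys of a double encryption in about 2 * 2^16 trial encryptions plus a 2^16-entry table, rather than 2^32. It also shows why EDE is used: with k1 == k2 the construction collapses to a single encryption under k3, so it interoperates with single-key deployments. The key values and plaintext blocks are constructed.

```python
"""Toy demonstration of: (1) double encryption with a group cipher gains nothing,
(2) double encryption with a non-group cipher falls to meet-in-the-middle given
known plaintext, (3) EDE degrades to single encryption when k1 == k2.
The 16-bit SPN is a constructed teaching cipher, not a real algorithm."""

# ---- (1) XOR masking forms a group under composition ----
def xor_encrypt(key: int, block: int) -> int:
    return block ^ key

def double_xor_is_single_xor(k1: int, k2: int, block: int) -> bool:
    # E_k2(E_k1(m)) == E_{k1 xor k2}(m): the second key buys nothing.
    return xor_encrypt(k2, xor_encrypt(k1, block)) == xor_encrypt(k1 ^ k2, block)

# ---- (2) a 16-bit, four-round SPN with a 16-bit key ----
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]

def _sub(block: int, table) -> int:
    """Apply the 4-bit S-box to each nibble of a 16-bit block."""
    return (table[block & 0xF] | table[(block >> 4) & 0xF] << 4
            | table[(block >> 8) & 0xF] << 8 | table[(block >> 12) & 0xF] << 12)

def _perm(block: int) -> int:
    """Bit i -> bit 4*i mod 15, bit 15 fixed. 4*4 = 16 = 1 mod 15, so it is an involution."""
    out = 0
    for i in range(16):
        if block >> i & 1:
            out |= 1 << (15 if i == 15 else (4 * i) % 15)
    return out

PERM = [_perm(b) for b in range(1 << 16)]   # precomputed; its own inverse

def _round_keys(key: int):
    """Round key i is the 16-bit key rotated left by 3*i bits (five round keys)."""
    return [((key << (3 * i)) | (key >> (16 - 3 * i))) & 0xFFFF for i in range(5)]

def toy_encrypt(key: int, block: int) -> int:
    rk = _round_keys(key)
    for r in range(4):
        block = _sub(block ^ rk[r], SBOX)
        if r < 3:                      # no permutation after the last S-box layer
            block = PERM[block]
    return block ^ rk[4]

def toy_decrypt(key: int, block: int) -> int:
    rk = _round_keys(key)
    block ^= rk[4]
    for r in range(3, -1, -1):
        if r < 3:
            block = PERM[block]
        block = _sub(block, INV_SBOX) ^ rk[r]
    return block

def recover_double_keys(pairs):
    """Known-plaintext meet-in-the-middle against C = E_k2(E_k1(P)).
    Table E_k1(P0) for every k1, then for every k2 look up D_k2(C0) in it;
    surviving (k1, k2) candidates are checked against the remaining pairs.
    Cost: about 2 * 2^16 cipher calls and a 2^16-entry table, not 2^32 calls."""
    p0, c0 = pairs[0]
    middle = {}
    for k1 in range(1 << 16):
        middle.setdefault(toy_encrypt(k1, p0), []).append(k1)
    found = []
    for k2 in range(1 << 16):
        for k1 in middle.get(toy_decrypt(k2, c0), ()):
            if all(toy_encrypt(k2, toy_encrypt(k1, p)) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found

# ---- (3) EDE: encrypt under k1, decrypt under k2, encrypt under k3 ----
def ede_encrypt(k1: int, k2: int, k3: int, block: int) -> int:
    return toy_encrypt(k3, toy_decrypt(k2, toy_encrypt(k1, block)))

def find_equivalent_single_key(k1: int, k2: int, samples):
    """Exhaustively look for a k3 with E_k3 == E_k2 o E_k1 on the sample blocks.
    Feasible here only because the toy key space is 2^16."""
    targets = [toy_encrypt(k2, toy_encrypt(k1, p)) for p in samples]
    for k3 in range(1 << 16):
        if all(toy_encrypt(k3, p) == t for p, t in zip(samples, targets)):
            return k3
    return None

# Constructed scenario: the defender double-encrypted a JPEG with two secret keys;
# the attacker guesses the file's first eight bytes and has the ciphertext.
SECRET_K1, SECRET_K2 = 0x3A7F, 0xC4D1
GUESSED_PLAINTEXT_BLOCKS = [0xFFD8, 0xFFE0, 0x0010, 0x4A46]   # FF D8 FF E0 00 10 4A 46
KNOWN_PAIRS = [(p, toy_encrypt(SECRET_K2, toy_encrypt(SECRET_K1, p)))
               for p in GUESSED_PLAINTEXT_BLOCKS]

if __name__ == "__main__":
    print("recovered (k1, k2):", [(hex(a), hex(b)) for a, b in recover_double_keys(KNOWN_PAIRS)])
    print("XOR is a group:", double_xor_is_single_xor(0x1234, 0xABCD, 0x0F0F))
    print("toy SPN single-key equivalent:", find_equivalent_single_key(0x1111, 0x2222, [0, 0x1234, 0xFFFF]))
```

The meet-in-the-middle step is why double encryption is credited with roughly one key's worth of strength plus one bit, not two keys' worth, whenever the attacker can guess a few plaintext blocks. The exhaustive search in `find_equivalent_single_key` answers the "is it a group?" question for this toy only because 2^16 keys are cheap to enumerate; for a real cipher that is exactly the question the comment says is hard, which is why the safe assumption is the pessimistic one.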

  8. Re:withholding the password by Damiano · Score: 3, Informative

    IAAL and no you can't. Try to be funny and what they'll do is grant you immunity for anything revealed in the password itself. Then they'll force you to reveal the password or sit in jail for contempt. Once you reveal the password they can decrypt the drive and use that data in court (even if it's the same as the password).

    The real key here is that the 5th amendment protects you from testifying against yourself. Your "papers" are not considered testimony and not protected.

    Not legal advice, not your lawyer.