New Anti-Forensics Tools Thwart Police

rabblerouzer writes "Antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator. 'Now it's hobby level.' Take, for example, TimeStomp. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified."

Re:Here's a real good one

You'd have to be careful about the choice of encryption algorithms when you do this. There are good reasons (which I can't cite off the top of my head; I'm no cryptographer) why triple DES, for example, has an encrypt-decrypt-encrypt pattern, rather than encrypt-encrypt-encrypt. Even then, all you achieve is a doubling of the effective key length, not a tripling (and remember that the actual key is three times as long - each step uses a different key).

Cryptography is hard. I know enough to know that I know nothing about it, and that I'd screw the pooch on any crypto system I might implement. If you haven't a very solid maths background, and a lot of experience breaking cyphers (and I'm talking about more than just the simple Julius shift here), odds are extremely high that there's a flaw you've overlooked in your system.

Re:Pfft.

[plover]

At work the standard we gave our service vendor for destroying failed drives involved a drill press and epoxy. We're concerned about data thieves, not Three Letter Agencies.

For my personal drives at home, I just use a three pound hammer. A scraped, smashed and warped platter hitting the trash bin is effectively unreadable, and all I'm really concerned about is a bad guy finding bank account information. If someone official really wanted a working drive of mine, pajama-clad ninjas would probably come for it in the middle of the day while I was at work anyway.

Epically bad.

[rjh]

I am an NSF–funded researcher in computer security, focusing on electronic voting. Data privacy and confidentiality is very important to us, as you can imagine.

Your idea is quite terrible.

First, what do you mean by a file "without signature"? Take a zip archive as an example--even if you strip off the zip header, any forensicist worth his or her salt can figure out it's a zip archive, just because of the way the data is structured. Encrypted filesystems have structure, too. A data forensicist can recognize an encrypted container on the basis of its structure. (Some people have recommended to you TrueCrypt in hidden volume mode. This is bogus. I'll explain that if you want.)

Second, you appear to not understand how crypto works. Two layers are better than one, right? So double ROT13 encryption is stronger than single ROT13, right? You're running smack into a major, well-known area of crypto. A lot of ciphers do not composite themselves well. You are almost always better off just picking one algorithm with a strong keysize than a composition of multiple algorithms.

Third, how do you plan on managing all of your keys? Key management is a thorny enough problem in the best of times. By relying on multiple keys you're multiplying the problem immensely.

You really need to do some basic research in crypto.