Slashdot Mirror


New Anti-Forensics Tools Thwart Police

rabblerouzer writes "Antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator. 'Now it's hobby level.' Take, for example, Timestomp. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified."
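The pattern the summary describes (created in the future, accessed before it existed, never modified) is exactly what a timeline triage script can flag. This is an added example, not code from the story or from Timestomp's authors; the file records, paths and the investigation's "now" are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

@dataclass
class FileTimes:
    """Constructed MACB-style record: one file's timestamps, all in UTC."""
    path: str
    created: datetime
    modified: datetime
    accessed: datetime

def timestamp_anomalies(f: FileTimes, now: datetime, slack: timedelta = timedelta(days=1)) -> list[str]:
    """Reasons this file's timestamps cannot have come from ordinary filesystem activity."""
    reasons = []
    for name, t in (("created", f.created), ("modified", f.modified), ("accessed", f.accessed)):
        if t > now + slack:                        # `slack` tolerates ordinary clock skew
            reasons.append(f"{name} is in the future")
    if f.modified < f.created:
        reasons.append("modified before created")   # a file cannot change before it exists
    if f.accessed < f.created:
        reasons.append("accessed before created")
    return reasons

def triage(records: list[FileTimes], now: datetime) -> dict[str, list[str]]:
    """Map each suspicious path to its anomaly list; clean files are omitted."""
    return {r.path: a for r in records if (a := timestamp_anomalies(r, now))}

# Constructed sample: the investigation's "now" and three file records.
NOW = datetime(2007, 6, 1, tzinfo=UTC)
SAMPLE = [
    FileTimes(r"C:\Windows\System32\calc.exe",
              created=datetime(2004, 8, 4, tzinfo=UTC),
              modified=datetime(2004, 8, 4, tzinfo=UTC),
              accessed=datetime(2007, 5, 30, tzinfo=UTC)),
    # The summary's pattern: created ten years out, accessed two years back, never modified.
    FileTimes(r"C:\Windows\Temp\svc.dll",
              created=datetime(2017, 6, 1, tzinfo=UTC),
              modified=datetime(2017, 6, 1, tzinfo=UTC),
              accessed=datetime(2005, 6, 1, tzinfo=UTC)),
    FileTimes(r"C:\Users\bob\notes.txt",
              created=datetime(2006, 1, 1, tzinfo=UTC),
              modified=datetime(2005, 12, 1, tzinfo=UTC),
              accessed=datetime(2006, 1, 2, tzinfo=UTC)),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE, NOW).items():
        print(path, "->", ", ".join(reasons))
```

On a real image the records would come from the filesystem's own metadata (for NTFS, both the $STANDARD_INFORMATION and $FILE_NAME attribute timestamps), which a tool that rewrites only the former leaves inconsistent.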

11 of 528 comments

  1. Macs... by Wizard Drongo · Score: 5, Interesting

    Hate to sound like an Apple fanboi, but even for those with something to hide that don't know much about computers at all, and therefore lack the know-how required to use these tools, simply using Mac OS X and turning on FileVault, sad as it sounds, is enough to confound the majority of law enforcement. Most of the contractors that the police in the UK use are Windows only. I know for a fact that any Linux or 'specialist' computers get passed to a specialist data firm in Germany for decoding...
    Macs?
    Only in the most serious of cases are Macs in the UK sent for hacking if FileVault's on. They go to Canada and take upwards of a year to crack. If ever.
    Unless you've done something pretty fucking serious, and the police know the evidence is on the machine, just can't prove it, they usually won't go to the expense.
    Of course, only the most stupid and inept of morons would be doing illegal shit and storing it on their computer without using the most powerful encryption possible, and only storing that which absolutely must be stored. Mind you, criminals are not usually noted for their cunning and intelligence....

    It goes without saying that the above does not translate to across the pond, nor does it apply on Security operations with terrorists and the like. How MI5 & MI6 do things is completely different and tends to involve some 'specialist' people from the likes of the I-corps and in-house solutions....
    I could elaborate, but I'm not THAT dumb.....

    --
    The truth shall always be free: Boris Floricic is Tron.
  2. oh geez... the "police" by porkThreeWays · Score: 5, Interesting

    Let me let everyone in on a dirty little secret about 99% of police computer forensics experts... they are less skilled than most 9 year olds at recovering vital information. Many of them use bootable disks that just check the hard drive for IE's cached files and history, etc, etc. Simple stuff a child could do. These people aren't doing complex low level block analysis. They are doing the level of recovery parents do at the end of the night to see what websites their children went on. Does it surprise anyone then that it's extremely easy to fool them? God forbid you use encryption, an OS they aren't familiar with, or hardware they've never seen. They'll never recover anything.

    --
    If an officer ever threatens to taze you, say you have a pacemaker.
  3. Re:So... by X0563511 · Score: 4, Interesting

    It is. Hell, if people get sick of it all and the shit hits the wall, I'll be right up there with the 'enemy' pushing for real freedom.

    Yes, I don't care If I get flagged for that. I care for my liberty.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  4. Re:Pfft. by andy_t_roo · Score: 5, Interesting

    Actually, that's a bit extreme. All you need to do is heat it above the Curie temperature (300-380 for Fe-Nd alloys); at this point the magnetic properties become completely dependent on the applied magnetic field, so as it cools down again, the only magnetization left is due to the Earth's magnetic field. Below this temperature you need to apply a strong magnetic field to reverse *most* of the magnetization (that's how normal recording works). As an added bonus, if you do this in such a way that there are no dust contaminants (inductive heating of the platters in a vacuum) you still have a working drive.

  5. Re:interesting by dwandy · Score: 4, Interesting

    The people making these laws and procedures seem to have no idea how computers actually work.
    It continues to amaze me how the same people that accept that their computer crashes for no reason also accept anything printed by a computer is pure truth.
    --
    If you think imaginary property and real property are the same, when does your house become public domain?
  6. Here's a real good one by Travoltus · Score: 4, Interesting

    Imagine a filesystem that is encrypted 3 times, in "headerless" fashion. What I mean by headerless is, whereas a zip file leaves reliable signatures identifying it as a zip file, this scheme would be a naked 128 or 256 or 1024 bit encrypted file (bear with me here) with no signature. There would be no way to even identify this file unless you managed to decrypt it with the right password and the exact corresponding decryption scheme. (It could be a zip file or a rar file or an arj file but you'd have to guess.)

    That's for the first layer. Then you use the same (or different) scheme to scramble that already encrypted file again. With the same or different password.

    Then you do it a third time.

    Granted this would take a hell of a lot of computing power and a single bit of data corruption would screw you royally (which calls for more advanced recovery techniques which leads to some weaknesses...), but the effect is this.

    First, you get the hard drive and the whole filesystem is encrypted. It's utterly garbage to you. You don't know which scheme was used to encrypt it. You certainly don't know the password. But you may know it's triple layer encrypted. Or double, or quad.

    What is certain is, if you get the correct encryption scheme AND the password for that first layer, the decrypted file is STILL GARBAGE. You don't really know if you got the correct information or not, because you're still looking at a "headerless" pile of garbage data. Good luck guessing that second layer because no matter what, you still get a pile of incoherent garbage.

    If you've done this to all your files on your hard drives, DVDs and CDs, this is where you demand your Constitutional right (in the United States) to a SPEEDY trial and then plead the Fifth Amendment in court when asked for your password/encryption schemes. Why? Because if I'm right, the police and their descendants down to the 7th generation will have died of old age before they figure out the 2nd layer, much less the 3rd.

    Mind you, the cops may have slapped a keylogger on your system ahead of time. If that's the case, you're screwed.

    Lawyers and hackers, please rip my idea to pieces and tell me what you think...

    --
    --- Grow a pair, liberals... stop letting the Republicans bully you!
  7. Re:Pfft. by Daniel Dvorkin · Score: 5, Interesting

    When I suffered a bizarrely bad disk crash (i.e., it crashed in an odd way that was much more destructive, and made the data much harder to recover, than most crashes; I've forgotten most of the details, but I remember that) a few years ago, I took my disk to a recovery specialist that does, among other things, contract work for the FBI. I got a brief glimpse inside their clean room. They had disks that had been pounded with hammers, run over with trucks, immersed in salt water ... you name it, these guys could get data off it.

    --
    The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  8. Re:Epically bad. by rjh · Score: 5, Interesting

    Why do you think hidden-volume mode TrueCrypt is bogus?
    Let's imagine that you've got a TrueCrypt container on your hard drive. The FBI gets a tip that you're involved in child porn. You get arrested. The DA has a jailhouse snitch who'll testify that you have kiddie porn. The DA has a forensicist who will testify that you've got an encrypted container on your disk drive. You don't want to be doing 10-to-25 in federal pound-me-in-the-ass prison, because you're a scrawny pimply-faced geek and you don't want to get married off to the biker with the most cigarettes. You tell the DA "... look, okay, here's the passphrase to my TrueCrypt container. See? There's just porn in there I was hiding from my wife! But everyone involved is over 18! Let me go! It's bogus!"

    The DA just smiles at you and says... "I'd like to see the hidden container inside that TrueCrypt volume. My forensicist says oftentimes people do that with TrueCrypt."

    You say "umm... there isn't a hidden container... there's nothing more there..."

    The DA continues to smile. "Prove it to me."

    You say "umm... I can't... that's exactly what TrueCrypt means when they say it's hidden... you can't prove it exists and you can't prove it doesn't exist..."

    The DA rises from the table. "Say hi to your husband for me when you meet him."

    Moral of the story: it is very, very important that you be able to prove the existence or nonexistence of your data.

    Can you explain more of this please?
    I don't know how to make it any simpler. If compositing encryption functions makes things harder to break, we'd expect two applications of ROT13 to be stronger than one application of ROT13. It doesn't work that way. And in an exactly similar way, two levels of AES may or may not be any better than a single layer of AES. Or one layer of Blowfish and one layer of 3DES. Or...

    If you want to get more sophisticated than this, you need to take a collegiate math course focusing on group theory.
  9. Re:Pfft. by Gordonjcp · Score: 4, Interesting

    Yeah, but at what point does recovering the data become prohibitively expensive?

    At the point where the disk has been entirely overwritten *once* with data. In theory, someone with very specialised equipment could pick out the residual flux transitions from the new ones. However, modern disks (or rather, disks larger than tens of gigabytes) use a different modulation scheme similar to QAM, and once that is overwritten the old data is irretrievably gone.

  10. Re:Pfft. by networkBoy · Score: 4, Interesting

    That drive you opened was old then eh?
    Most current drives are glass platters. I found this out when I had a batch of DeathStars go bad. IBM wanted the drives back for RMA, but we had company-restricted secret data on the disks... I informed IBM of the dilemma and that I would be drilling a pair of holes in the platters. When I did I heard a crunch sound, followed by broken shards of glass coming out the holes.
    Got replacement drives in no problem.
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  11. Re:Epically bad. by davFr · Score: 5, Interesting

    I don't know how to make it any simpler. If compositing encryption functions makes things harder to break, we'd expect two applications of ROT13 to be stronger than one application of ROT13.
    It is a cryptanalysis problem. Encryption schemes are designed so that your clear text will become close-to-random garbage when encrypted. Why? Because if it is not random, forensics can do statistical analysis on the encrypted data (1) to identify the encryption algorithm, (2) to try to guess the encryption key (http://en.wikipedia.org/wiki/Cryptanalysis/ for more details).

    If you encrypt your text twice (or more) you modify the entropy of the encryption scheme, and the encrypted data will not be optimally close to random data. As a conclusion, encrypting twice makes your data less robust to forensics.
    --
    RIP Slashdot. I used to love you. Dead account - but Slashdot won't let me delete it.