Slashdot Mirror
New Anti-Forensics Tools Thwart Police
rabblerouzer writes "Antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator. 'Now it's hobby level.' Take, for example, TimeStomp. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified."
Simple! Just cut the disk open and count the rings.
What?
This has got to be old news. Over 112% of Slashdotters have been using these programs for years, since at least 3 months from now!
- RG>
Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
I always just keep a few magnets handy... just in case....
I prefer hardware solutions, rather than software ones.
Timestomp? Now I've heard everything.
;)
Any hacker/script-kiddie with a working knowledge of touch and a 'find' command could wreak equal havoc. Combined with a quick filter and another perl script to generate random timestamps, all launched regularly from cron? Forget it. Forensics folks would be better off scouring logs for a non-tainted timestamp and counting directory inode entries for approximate age.
Of course, this says nothing of rootkits, which can be downright subversive, embedding themselves into kernel space where not even the OS knows they exist, where they can wreak untold havoc with historical system data or encryption. I bet there's even a script-kiddie version of anti-forensics tools out there, where it just cron-obfuscates anything trackable. Logs, timestamps, frequent automated sweeps of shred over unallocated disk blocks, inode reordering, and so on.
Now that I think about it, that might be a good idea. I got some work to do.
Read: Rabbit Rue - Free serial nove
thats really odd, i seem to remember seeing something similar on our domain controller a few minu
The obvious message to law enforcement is that people don't like others going through their things.
Personally, I'm all for it! The timestomp tool they mentioned seemes more for oh-shit scramble-the-evidence rather than general usage... that kind of timestamp manipulation can really frig up a system.
Personally I'm a fan of disk encryption using algorythms and key-lengths that make it extremely impractical to get in once the system is powered down. If up however... you have three strikes at getting in and all future packets from your IP are silently dropped for several days. Local access isn't a problem either... open the case and power goes out... and after 10 minutes of idle-time the system locks (only way in is password or reboot... obviously reboot isn't helpful)
Call me paranoid. I am. I also like my privacy. Yes, I DO have something to hide: MY LIFE! I don't want you in my stuff at all!!! It doesn't matter that there is nothing illegitimate or illegal on the damn things, I still don't care.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
http://www.cio.com/article/print/114550 - Print version so you don't have to go through ten pages to read it all.
:)
Anonymous coward so no Karma whoring today.
Hate to sound like a apple fanboi, but even for those with something to hide that don't know much about computers at all, and therefore lack the know-how required to use these tools, simply using Mac OS X and turning on File-Vault, sad as it sounds, is enough to confound the majority of law enforcement. Most of the contractors that the police in the UK use are windows only. I know for fact that any linux or 'specialist' computers get passed to a specialist data firm in Germany for decoding...
Macs?
Only in the most serious of cases are macs in the UK sent for hacking if File-Vault's on. They go to Canada and take upwards of a year to crack. If ever.
Unless you've done something pretty fucking serious, and the police know the evidence is on the machine, just can't prove it, they usually won't go to the expense.
Of course, only the most stupid and inept of morons would be doing illegal shit and storing it on their computer without using the most powerful encryption possible, and only storing that which absolutely must be stored. Mind you, criminals are not usually noted for their cunning and intelligence....
It goes without saying that the above does not translate to across the pond, nor does it apply on Security operations with terrorists and the like. How MI5 & MI6 do things is completely different and tends to involve some 'specialist' people from the likes of the I-corps and in-house solutions....
I could elaborate, but I'm not THAT dumb.....
The truth shall always be free: Boris Floricic is Tron.
Let me let everyone in on a dirty little secret about 99% of police computer forensics experts... they are less skilled than most 9 year olds at recovering vital information. Many of them use bootable disks that just check the hard drive for IE's cached files and history, etc, etc. Simple stuff a child could do. These people aren't doing complex low level block analysis. They are doing the level of recovery parents do at the end of the night to see what websites their children went on. Does it surprise anyone then it's extremely easy to fool them? God forbid you use encryption, an OS they aren't familiar with, or hardware they've never seen. They'll never recover anything.
If an officer ever threatens to taze you, say you have a pacemaker.
By physically examining the disk you could better determine the age of the data -- but this is not how digital evidence is usually collected.
In fact, this just exposes how ludicrous courts' treatment of digital "evidence" is. The information they accept as evidence can be trivially faked. Think it sounds far-fetched to be framed for a crime? That's not so difficult when someone can just flip a few bits on your hard drive, maybe via a memory-resident-only exploit, then call in an anonymous tip to the police. There will be nothing on the drive to exonerate you. You could then easily spend years in prison for nothing.
It's like the situation we face now with electronic voting, but easier to defraud than even that. The people making these laws and procedures seem to have no idea how computers actually work.
TimeStomp? ...can't `touch` and a bash script accomplish the same thing?
My girlfriend told me that her nephew was going to college for "Computer Forensics" and my immediate response was, when he's done all he'll be able to do is catch cheating spouses. People who are engaging in real criminal activity are already using strong crypto and it's getting easier every day.
You just can't beat the numbers. If there is a 256 bit keyspace and a secure algorithm, you are not going to be able to crack the machine. I suppose that perhaps American and European law enforcement could take a page out of Israel's book and start using "strong persuasion" to get keys from suspects, but I don't imagine that happening any time soon.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
>>Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator.
Yes, yes.
Five years ago (2002) there were five people (or less) that knew touch.
Lol. The guy is a moron.
I remember walking through a parking lot in college in 1996 and listening to a couple guys talk about how they would touch their files to make late homeworks appear as if they were done on time.
About a year after that, UCSD switched to a turnin-based system. =)
Linux servers have become a favorite home for memory- resident rootkits because they're so reliable. Rebooting a computer resets its memory. When you don't have to reboot, you don't clear the memory out, so whatever is there stays there, undetected.
I don't mean to sound like a moron or naive but are Linux rootkits really that prevalent? After doing a quick google search for "rootkits for linux", I found a few for the old 2.0 and 2.2 Linux kernels... Have updates that have since come out made life that much harder for the hacking community? Anyone have an idea of what's going on here, because I'm really surprised to see them make the claim that Linux servers are a new favorite home for rootkits...The date a track was written could possibly be analyzed by looking at how it was written at the microscopic level, but this would probably destroy the disk itself. It would be very expensive. As far as I know, this is only theory and has not actually been done. If somebody has a technique, it would hope that it would require a lot of peer reviewed research to verify it's validity. Anyway, the date a track was written may have nothing to do with the age of the data (file), as the OS may move files around for efficiency. This will not effect the timestamps of a file. The fact is that these timestamps are simply data written on the disk and can easily be changed.
They're using stego? Maybe we drop some stego on them.
Yeah, cause my stego *ROCKS* yo!
I'm thinking even the most avante-garde anti-forensics tool could fool this guy. Yeah, anti-forensics might be a problem for him, but last time I checked, having a future date on your warez or kiddie porn won't save you from prosecution. In fact, using something like Timestomp is more or less likely to convince the jury that you are indeed a criminal.
And likewise, it takes a very *good* steganography tool to really hide things. Sure, you could fool your friends, but you aren't likely to fool a forensic investigator with a basic knowledge of statistics. Could I tell the difference between a good and mediocre steganography tool? Probably. Could the average criminal? Probably not. A mistake as simple as hiding your data in images gleaned from the web would be enough to trip someone up: Here's a hint - if the image looks the same as the one on the web, but the checksums don't match, something's up. I'm guessing a shell script could go through the hard drive and do most of the work for the investigator. 17 hours isn't so short anymore...
If you don't want the cops to find it, use encryption. If you want deniability, use the double-xor technique mentioned in Bruce Shneier's Applied Cryptography. But don't bother thinking that bogus timestamps are going to foil any serious forensic investigator. The relative location of a file's blocks on the hard drive is going to give at least an approximate date of file creation, even if you do obliterate the timestamp, and every forensic investigator worth his salt knows this.
The society for a thought-free internet welcomes you.
look up truecrypt. it has had that plausible deniability thing for years now ;)
What would be interesting to me: a tool that deliberately modifies timestamps and/or creates ghost deleted files to tell a normal-looking story of computer use, when the actual history has been anything but.
In other words, forensics tools can assemble the history of file use on a disk. If it's known that the disk was in use before a certain date, but no timestamps can be found before that date (on current or deleted files), one may suspect the disk was wiped at that point. Likewise, physical disk usage for a given file system type has known and studied statistical characteristics over time. If the statistics are off, if you don't find deleted file images where you expect them, you may suspect that the freespace was wiped, or that certain unused disk space that would normally contain deleted file images contained files that are now wiped.
What happens when you have a tool that modifies timestamps on current and deleted files such that a normal distribution of them extend back before the date of disk wipe? Even worse, what happens if the tool can create "ghost" images of deleted files, in order to fool tools that look for normal statistical disk usage?
Once you have such a tool, wiping a disk and starting over can literally be done undetectably. So much for worry about having to maintain disk drive evidence after being hit with a subpoena.
Kythe
In 'Merica, we call it gitmo. Encrypshun don't fool us nohow, nosir.
'fter all, if yah ain't guilty, watcha hidin' stuff fer? Dontcha know there's a war goin' on?
The society for a thought-free internet welcomes you.
the modification date was'ntobe set the last time it shallhasbeen accessed...
Uhh - got to work on my future imperfect past continuous tense.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Come on, all you have to do is check the MEAL_BREAK_MENU_DESCRIPTION meta tag
Bigtime Consulting - "We're the best because we cost the most"
If you think imaginary property and real property are the same, when does your house become public domain?
Imagine a filesystem that is encrypted 3 times, in "headerless" fashion. What I mean by headerless is, whereas a zip file leaves reliable signatures identifying it as a zip file, this scheme would be a naked 128 or 256 or 1024 bit encrypted file (bear with me here) with no signature. There would be no way to even identify this file unless you managed to decrypt it with the right password and the exact corresponding decryption scheme. (It could be a zip file or a rar file or an arj file but you'd have to guess.)
That's for the first layer. Then you use the same (or different) scheme to scramble that already encrypted file again. With the same or different password.
Then you do it a third time.
Granted this would take a hell of a lot of computing power and a single bit of data corruption would screw you royally (which calls for more advanced recovery techniques which leads to some weaknesses...), but the effect is this.
First, you get the hard drive and the whole filesystem is encrypted. It's utterly garbage to you. You don't know which scheme was used to encrypt it. You certainly don't know the password. But you may know it's triple layer encrypted. Or double, or quad.
What is certain is, if you get the correct encryption scheme AND the password for that first layer, the decrypted file is STILL GARBAGE. You don't really know if you got the correct information or not, because you're still looking at a "headerless" pile of garbage data. Good luck guessing that second layer because no matter what, you still get a pile of incoherent garbage.
If you've done this to all your files on your hard drives, DVDs and CDs, this is where you demand your Constitutional right (in the United States) to a SPEEDY trial and then plead the Fifth Amendment in court when asked for your password/encryption schemes. Why? Because if I'm right, the police and their descendants down to the 7th generation will have died of old age before they figure out the 2nd layer, much less the 3rd.
Mind you, the cops may have slapped a keylogger on your system ahead of time. If that's the case, you're screwed.
Lawyers and hackers, please rip my idea to pieces and tell me what you think...
--- Grow a pair, liberals... stop letting the Republicans bully you!
I read Ken Thompson's Reflections on Trusting Trust, it has always occurred to me that any computer crime is completely untraceable. It is only laziness on the part of the criminal which allows him to get caught. It is possible for someone to completely cover their tracks and leave no evidence of their actions.
But it is also possible to log every action a hacker does. Erasing the logs doesn't do much when the compromised system is virtually hosted and every action recorded for later playback - on a system which isn't even visible to the hacker. And consider the possibility of tracing at the network level. It is possible to physically connect an ethernet chip to a network and capture all traffic on the network without ever joining the network. That is, the card can sniff the wire in a read-only mode without ever publishing its MAC address or responding to ARP queries. Even if the hacker does use encryption, can he really be sure that his machine hasn't been rooted and keylogged? Can today's hackers verify even the microcode inside their processors and BIOS? If he can cover his tracks, so can the FBI.
How does a hacker know his rootkit isn't spying on him? Even if you have the source, a compromised compiler or assembler can still produce a compromised executable. Should you verify the executable by hand, you still have the possibility of a vulnerability in the processor's microcode. Something as simple as making any area of memory available to the NIC when a certain opcode sequence is executed could be hidden very well and provide a veritable back door to law enforcement.
Unless you are willing to build your own computer from scratch and never connect it to a public network, you can never prove that you aren't compromised. Sure, we can talk statistics and likelihood and incentives and human factors and whatnot, but it doesn't change two fundamental aspects of the computer:
Your averge user - heck, even most programmers and hackers - don't have the time to trace through every possible instruction path in the software they use. They aren't going to burn their own BIOS EEPROMs to be sure the BIOS isn't bugging them. They aren't going to surgically remove the processor's cover and verify the die pattern to be sure the microcode isn't compromised.
Instead, they're going to trust the responses their computer shows them. Just like the rest of us - it's a gamble. Maybe the hacker compromised a bank - or maybe, the bank is in cahoots with the FBI, and he's just knocked over the honeypot. He won't know until he goes to the bank - and withdraws his cash, or gets arrested.
Still a pretty big risk, imho.
The society for a thought-free internet welcomes you.
I don't mean to sound like a moron or naive but are Linux rootkits really that prevalent?
Considering that rootkits originated in Unix (hence "root"), I imagine that they are as prevalent in Linux as they are in any operating system (the argument of uptime notwithstanding).
Besides, a rootkit does not have to reside in kernel space to be very effective. Simply replacing many of the key binaries (init, bash, getty, ls, top, ps, etc depending on *nix flavor) will do wonders for probably 98% of systems out there. That said, I'm sure there are some which do reside in kernel space (a kernel module perhaps?) or maybe even some that are simply modified kernels (the source is available after all). How do you know that the kernel your system is running has not been compromised?
After doing a quick google search for "rootkits for linux", I found a few for the old 2.0 and 2.2 Linux kernels...
I tend to doubt you'll find the latest and greatest rootkit via Google. If you know the right people, I'm sure you can get whatever you need.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
I'm going to approach this from the perspective of A Bad Guy, because realistically if you're not A Bad Guy and you get arrested you have already hit your security worse case scenario. You're now arrested, your computer is in government hands, and you are about to take major financial and reputational damage before being released. (Some folks might say I'm naiive for assuming you'll be released. Fine, don the tinfoil hats if it please you, but if The Man can lock you up when you haven't done anything then encrypting what you haven't done doesn't afford you additional protection now does it? Similar for the "good guy using encryption" examples like dissidents in China -- lack of discoverable evidence does not render the back of your head immune to gunfire.)
If you're A Bad Guy, on the other hand, there might be a significant difference between "major financial and reputation damage" and "being convicted of possession of child pornography". So lets consider a savvy Bad Guy who has screwed up and somehow alerted law enforcement of his existence. Maybe he was indiscreet with an accomplice, maybe the ISP logs show him as downloading young-kids-get-it-on.avi, maybe the feds caught him receiving a tape in the mail (the Postal Service has a division devoted to investigation for a reason, folks). So somebody had enough evidence to get their boss to sign off on a use of department resources to open an investigation, probably enough evidence to convince a judge to order a search or arrest warrant, and the fishing expedition begins in earnest.
At this point, Bad Guy is boned. He not only has the same problems Not A Bad Guy has with being arrested, but he has an adversary with virtually limitless resources relative to him now picking his security apart. And they will almost certainly find a place where he screwed up. Do they need to beat his passwords out of him? Hardly. If they're confident Bad Guy is a bad guy, when the computer shows clean they'll say "Hmm, we're quite sure these records say he is downloading young-kids-get-it-on.avi... widen the scope of the investigation", and then they'll start strip mining every bit of data they can get about the guy, and when you have a badge and a concerned looking face you can get an awful lot.
And, somewhere, Bad Guy screwed up. It doesn't matter how careful or exotic his protections were, he screwed up somewhere and its probably somewhere that will look stupid in hindsight. The CIA does it all the time, too -- covert ops blown by cell phone records, doesn't matter how many things you get right when the adversary has the luxury of winning from your first mistake. Maybe a photo fell behind his printer, maybe he used his credit card to pay for something sketchy 4 years ago, maybe one of his pedo buddies got picked up three weeks ago and turned state's evidence. Doesn't matter -- a significantly interested adversary will find the 1% of screwups eventually given enough time to look for them. And for the 99% that are behind the impenetrable security barrier? Doesn't matter, that one photo which fell behind your printer will send you to prison for years anyhow.
Help poke pirates in the eyepatch, arr.
I am an NSF–funded researcher in computer security, focusing on electronic voting. Data privacy and confidentiality is very important to us, as you can imagine.
Your idea is quite terrible.
First, what do you mean by a file "without signature"? Take a zip archive as an example--even if you strip off the zip header, any forensicist worth his or her salt can figure out it's a zip archive, just because of the way the data is structured. Encrypted filesystems have structure, too. A data forensicist can recognize an encrypted container on the basis of its structure. (Some people have recommended to you TrueCrypt in hidden volume mode. This is bogus. I'll explain that if you want.)
Second, you appear to not understand how crypto works. Two layers are better than one, right? So double ROT13 encryption is stronger than single ROT13, right? You're running smack into a major, well-known area of crypto. A lot of ciphers do not composite themselves well. You are almost always better off just picking one algorithm with a strong keysize than a composition of multiple algorithms.
Third, how do you plan on managing all of your keys? Key management is a thorny enough problem in the best of times. By relying on multiple keys you're multiplying the problem immensely.
You really need to do some basic research in crypto.
Disclaimer: I am a physicist.
As far as I know, there has not been one scrap of evidence showing that past disk writes can be examined through microscopy, or any other kind of direct physical examination.
The most powerful technique I know of would be Magnetic Force Microscopy (MFM), which is essentially a variant of AFM (Atomic Force Microscopy) that uses a magnetized tip. When I was an undergraduate, I used AFM to image surface features as small as 50 nm, which a quick calculation shows to be comparable to the square root of the physical area used to store a bit on a modern hard drive. Presumably, somebody with more experience or better equipment could do better; it's not a difficult technique if you just want to learn the basics. To actually scan a hard drive in a reasonable amount of time would require a very specialized MFM machine, but I see no reason why such things wouldn't be available to various three-letter agencies.
Now, I don't know whether there is any residual information to get from an overwritten bit, but it would surprise me if there wasn't, and if there is, it can probably be gotten with MFM, if not an easier technique.
You know nothing about the legal system. In our court system, you are innocent until proven guilty, the burden of proof is on the state. So you don't have to prove there isn't a hidden volume, they have to prove there is. Given that there seems to be no way to do this, they can't make their case. You can't speculate that something might be there. That's one of the most fundamental objections they teach lawyers "Objection, speculation." So all they have is that you have a volume of legal porn, and someone of questionable reputation claiming you have more , assuming they could even get the testimony in (the CI would have to have firsthand knowledge, otherwise it's hearsay). That doesn't meet the standard of beyond a reasonable doubt, doesn't even come close. It is perfectly reasonable to believe that someone might want to encrypt their porn. I'm sure many people do, simply because most people are somewhat embarrassed about it and don't want others to see.
DA's don't get to send people to jail just because they think there is a crime being committed. Hell it takes more than that just to get a warrant and to get past pretrial. You have to prove it beyond a reasonable doubt to land someone in jail. Saying "Well they MIGHT have hidden data!" doesn't cut it and, as I said, isn't even admissible in court. When you get down to it, you can never prove beyond any doubt that you've no hidden data. Maybe you've a really great steganography program and it is hidden as noise in music files. No way to prove or disprove that. However as a defendant you don't have to disprove it, it is the prosecution's responsibility to prove it and if they can't, well then you go free.
Why do you think there are so many people, who are known to be criminals to the police, that walk free? Because knowing and being able to prove it in court are two real different things. Cops may know someone is a drug dealer, but that won't even get a warrant, much less a conviction. They've got to have enough evidence to prove it beyond a reasonable doubt.
withholding the password would be obstruction of justice
Couldn't you choose an incriminating password and plead the 5th?
This post written under Gentoo-linux with an SCO IP license.
The "flaw" pointed out by the GP is only a flaw if you're being tried in a kangaroo court. I don't think our court system has gotten that bad.
I mean, if you're dealing with a corrupt court where you're guilty until proven innocent, you don't even have to be using encryption to get screwed this way. The DA might just as well accuse you of using steganography to hide illegal photos in random files spread all across your hard drive, which is equally impossible to disprove.
I'm not sure what you mean by the "structured nature of the hidden volume", though. TrueCrypt hidden volumes have no plaintext header, just like main volumes, and as long as the crypto methods in use are good ones, the encrypted data will be indistinguishable from random bytes, no matter how well-structured the plaintext is.
There are attacks against hidden volumes, but they basically involve taking snapshots of the whole volume at separate points in time, then obtaining the main volume's key and checking whether any changes have been made to "unused" areas of the filesystem.
That is, I could sneak into your house and copy the disk today (version A), then come back next month, seize the disk (version B), and force you to give up the main volume key. I can then mount both versions of the partition and look for differences between them. If there are any areas that contained random data in version A, and different-but-still-random data in version B, I can be pretty sure it means you were writing to a hidden partition located there.
I think the best defense against that attack would be for TrueCrypt to randomly write chunks of new random data to the free space of mounted volumes, which would disguise the writes made to hidden volumes. (Of course you'd need to use both keys when mounting the main volume so it knew not to clobber your hidden data.)
Visual IRC: Fast. Powerful. Free.
http://www.truecrypt.org/hiddenvolume.php
Your welcome.
It's usually quite possible, it depends generally on what you overwrite with, how you do it and how often you do it.
Just filling the blanks with zeros, it's quite trivial to recover the data underneath. Filling it with random static makes it harder. Filling it 3 times makes it even harder. Filling it 30 times adds another layer of hardship.
Generally, though, you can assume this to be a lim 1/x function. It gets harder and harder to recover anything, to the point where you would really have to warrant the expense (in time and money), but the chance never becomes zero. Even after a hundred random static overwrites, there is still a chance.
The reason for this lies in the way HDs work (someone with more knowledge about the physical properties of HDs should probably explain that rather than me). In general, though, you may assume that 3-7 overwrites with static is good enough for almost any application, unless you're a top level terrorist and they know you deleted Osama's current address and phone number.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The short and curly of
this paper is that the Curie temp for Fe(2)Nd is 250 degrees Celsius. An electric heater/oven should do the trick quite nicely. Dunno what happens to the platters at that temp, though.
Something bad is coming when people are suddenly anxious to tell the truth.
I believe the parent poster was speaking in terms of removing the platter from the drive and heating it in some sort of induction heater. This allows precise control of temperature and only directly heats conductive materials. Building one requires only some fairly simple electronics (scroll down for action shots).
You know they call 'em fingers but I've never seen 'em fing. Oh, there they go.
Encrypt once using a good algorithm. Multiple encryption is Hollywood-style security.
Xenu loves you!
Our justice system is run by elected officials (with media support). If you want fair treatment (justice) you had better hope that:
- it's not an election year
- the case has not generated a lot of media attention
- the case is not worthy of media attention when the DA holds a press conference
- the DA (and many others in the justice system) are not career building, and looking at your case as an opportunity to advance
The last one is the kicker. For every case there are dozens of people in the justice system that will get beneficial career advancement material from a successful conviction. That's my observation.
No. For that matter, it's gone for good after one time. You don't even have to make sure all the most recent state transitions are the same direction (which would necessitate 2 passes unless all you're doing is EORing whatever's already there with 1; this is time-efficient, but also trivially reversible).
Once upon a time, heads didn't track so precisely as they do today, and there were sometimes minute traces of data either side of the track; and once upon a time, magnetic media had a wide hysteresis loop that showed an obvious difference between, say, a 1 that used to have been a 0 and a 1 that had always been a 1. Since the Gutmann paper was written, data densities have increased by almost four orders of magnitude. Side traces are almost invisible, and each tiny dot of oxide is driven so far into saturation that it's next to impossible to tell whether it has been changed. The single thing most likely to frustrate the authorities' efforts to recover overwritten data by surface analysis would be the sun exploding before they got halfway -- that's the kind of timescale we're talking about. There has never been a documented case of overwritten data being successfully recovered.
If the magnetic remanence effect were reliable, it would almost certainly have been exploited commercially to increase storage density. Until the advent of cheap solid-state RAM in the mid-1970s, all computer storage was magnetic; and every component in a computer system has fluctuated wildly in price. At some point in the past, such a storage device would definitely have been economically attractive. It never materialised, apart from a "trick recording" function on some reel-to-reel tape recorders, allowing you to shut off the current in the erase head {remember energised erase heads?} and superimpose one recording over another. Perhaps to add vocals to an instrumental track you had already laid down. Since (1) you couldn't listen to the old recording as you were making the new one and (2) it sounded like shite anyway, the feature was discontinued. Anybody sufficiently bothered by its omission could always plumb in their own trick-recording switch.
On the other hand, there are several groups with a vested interest in making people believe the fallacy that data is recoverable after multiple overwrites. These include governments (because they want to give enemy governments the fear), intelligence agencies (because they don't want to admit to how they really found the data), data recovery specialists (because they don't want to admit defeat -- more often than not, there are old versions of data kicking around, since Windows only begins overwriting deleted files as a last resort, when it runs out of virgin disk space), HDD manufacturers (because persuading people to destroy perfectly good used HDDs means they will sell more new ones) and Jerry Bruckheimer (because it looks good on CSI).
Je fume. Tu fumes. Nous fûmes!
Nearly any data can be recovered given enough time and budget (much like cracking encryption). I read awhile back that forensics can use an electron microscope to read bit-for-bit from severly damaged platters.
The platter must be liquified or shredded to ensure no recovery.
The only thing i believe it is a good idea is that if you encrypt it only once, they can try the different standard algorithms via "trial and error" until they get some plain text. Whereas if you put a second layer of encryption, they might not know they got the right algorithm/password as they will at most get the random-like bytes produced by your first encryption layer.
Ubuntu is an African word meaning 'I can't configure Debian'
The DA just smiles at you and says... "I'd like to see the hidden container inside that TrueCrypt volume. My forensicist says oftentimes people do that with TrueCrypt."
You say "umm... there isn't a hidden container... there's nothing more there..."
The DA continues to smile. "Prove it to me."
You say "Actually, you have to prove to me that there's anything there to hide. You should know that I'm innocent until proven guilty."
Then you walk away scott free. The DA continues to smile for some reason, probably too much crack this morning.
Twinstiq, game news
Comment removed based on user account deletion
Here is the wiki for Fourier Transformations. The rough gist for our purpose is that when you composit elements (multiple encryption schema) you get a new schema with identifiable characteristics that can be reversed back to the original elements. IE FTIR works by using a FT to de-convolute a broad spectrum scan into individual frequency components. The math was ugly when I took it 15 years ago & entirely beyond me now.
The same principles should apply to double encrypted systems - artifacts (elements introduced by the encryption algorythm itself & not part of the original file) from the first encryption should be identifyable by re-encrypting with a known encryption algorythm & masking against the known artifacts of double encrypting with differing base algorythms in combination with the known 2nd encryption schema.
To look at it another way, you're not looking for the data, you're looking for the artifacts of the first encryption method. By applying a new function to the result of the first function, you're hoping to improve the signal/noise ratio & show those artifacts. At the proper scale, sin(x),cos(x),x=0.5 all appear to be a flat lines, however the tan(sin(x)) clearly shows the variance at any scale. The same process applies to the encryption process - you should be able to identify the pseudo part of the random appearance of the encrypted data by reprocessing it in a given method. Note that it may take a specific algorythm for each encryption method to make the signal/noise ratio high enough to identify it as a match without actually decrypting the contents.
Note that this still leaves you without a key, but at least you would know which decryption algorythm to be trying to match keys against.
Article on one page (as opposed to *10* seperate pages...)
http://www.cio.com/article/print/114550
The one and only tool I've ever heard of them using is Encase. If Encase can't find it, it doesn't exist in their world. It does do OS-X though.
You are incorrect. I work as a software developer for a US company that specializes in computer forensic software and I work with investigators all over the world as well as the US. Encase definitely is the most widely used tool but it is most definitely not the only one, other tools similar to it are FTK (also widely popular) and something called iLook.
Nearly all of the investigators I have talked to mainly use Encase for it's case management capabilities which it is really good at. It does have many other capabilities such as searching but if Encase doesn't find what they are looking for they can and will use other tools that are available. For instance, Encase does not handle optical media well if the discs contain more than one track and/or has its file system(s) set up in a funny way among other things. By just using Encase data could be overlooked and that is where the software I work on comes into play because it is specialized just for optical media. There are also many other specialized forensic tools available and any decent investigator would look into them.
Another thing I will mention is many people think if they use linux and/or OS-X that they are safe from many of the forensic tools and that is complete bullshit (even though it is true a lot of the forensic software is Windows only). It does not matter at all what OS you are running because standard operating procedure is to image all disk drives, seal up the drives, and then use forensic tools on the images and nearly all of the standard file systems are supported by some tool and even if you did use some obscure file system they could search the binary data (as long as it was not encrypted of course).
I just thought I would straighten your perception out because while it did used to be true years ago it is not the case anymore. Computer forensics is a HUGE field that has been having HUGE growth for quite some time.
Hey, there is only one Return and it's not of the King, it's of the Jedi.
That sounds almost plausible, but I still don't believe it. I've spent a year or two studying cryptanalysis. Fourier transforms on encrypted data have never featured in any modern cryptanalytic approaches I've heard of.
The whole point of encryption is to minimise those statistical artifacts. By encrypting a ciphertext again, you are only applying more entropy to data that already appears quite random. If you don't already have any idea of the underlying plaintext, comparing one ciphertext with a re-encrypted version of the same ciphertext should not reveal anything at all about the original encryption scheme.
I'm afraid I need some links to real papers about using fourier transforms in cryptanalysis to accept this. I've googled for them myself, but I can't find any.