New Anti-Forensics Tools Thwart Police

rabblerouzer writes "Antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator. 'Now it's hobby level.' Take, for example, TimeStomp. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified."

Time Stamps?

[iminplaya]

Simple! Just cut the disk open and count the rings.

Re:Time Stamps?

[iminplaya]

Yes, and notice how I modified the time stamp AND the comment number to make appear the parent is the first post.

Pfft.

[RealGrouchy]

This has got to be old news. Over 112% of Slashdotters have been using these programs for years, since at least 3 months from now!

- RG>

Re:Pfft.

[trolltalk.com]

Gee, and I thought it was a free "feature" included with every version of Windows and DOS.

FILE0001.CHK
FILE0002.CHK
FILE0003.CHK
FILE0004.CHK
FILE0005.CHK
...
FILE9999.CHK
Unable to find COMMAND.COM. Please insert system disk and press reset.

Re:Pfft.

[the+unbeliever]

Data can still be recovered. It may only be bits and pieces of files, but it can still be recovered. Clean room data recovery can do some pretty amazing things now.

The only "sure" way is to melt down the platters and make pretty jewelry with them.

Re:Pfft.

[andy_t_roo]

actually, that's a bit extreme, all you need to do is to heat it above the curie temperature (300-380 for Fe-Nd alloys) at this point the magnetic properties become completely dependent on the applied magnetic field, so as it cools down again, the only magnetization left is due to the earths magnetic field. Below this temperature you need to apply a strong magnetic field to reverse *most* of the magnetization (thats how normal recording works). As an added bonus if you do this in such a way as there are not dust contaminants (inductive heating of the platters in a vacuum) you still have a working drive.

Re:Pfft.

[Daniel+Dvorkin]

When I suffered a bizarrely bad disk crash (i.e., it crashed in an odd way that was much more destructive, and made the data much harder to recover, than most crashes; I've forgotten most of the details, but I remember that) a few years ago, I took my disk to a recovery specialist that does, among other things, contract work for the FBI. I got a brief glimpse inside their clean room. They had disks that had been pounded with hammers, run over with trucks, immersed in salt water ... you name it, these guys could get data off it.

Re:Pfft.

[plover]

At work the standard we gave our service vendor for destroying failed drives involved a drill press and epoxy. We're concerned about data thieves, not Three Letter Agencies.

For my personal drives at home, I just use a three pound hammer. A scraped, smashed and warped platter hitting the trash bin is effectively unreadable, and all I'm really concerned about is a bad guy finding bank account information. If someone official really wanted a working drive of mine, pajama-clad ninjas would probably come for it in the middle of the day while I was at work anyway.

Re:Pfft.

[Gordonjcp]

Yeah, but at what point does recovering the data become prohibitively expensive?

At the point where the disk has been entirely overwritten *once* with data. In theory, someone with very specialised equipment could pick out the residual flux transitions from the new ones. However, modern (or rather, disks larger than tens of gigabytes) use a different modulation scheme similar to QAM, and once that is overwritten the old data is irretrievably gone.

Re:Pfft.

[networkBoy]

That drive you opened was old then eh?
Most current drives are glass platters. I found this out when I had a batch of DeathStars go bad. IBM wanted the drives back for RMA, but we had company restricted secrete data on the disks... I informed IBM of the dilemma and that I would be drilling a pair of holes in the platters. When I did I heard a crunch sound, followed by broken shards of glass coming out the holes.
Got replacement drives in no problem.
-nB

Re:Pfft.

[bentcd]

I say we take off and nuke the platters from orbit.

It's the only way to be sure.

Ah, the police...

[Icarus1919]

I always just keep a few magnets handy... just in case....

I prefer hardware solutions, rather than software ones.

Never trust the computer!

[Trifthen]

Timestomp? Now I've heard everything.

Any hacker/script-kiddie with a working knowledge of touch and a 'find' command could wreak equal havoc. Combined with a quick filter and another perl script to generate random timestamps, all launched regularly from cron? Forget it. Forensics folks would be better off scouring logs for a non-tainted timestamp and counting directory inode entries for approximate age.

Of course, this says nothing of rootkits, which can be downright subversive, embedding themselves into kernel space where not even the OS knows they exist, where they can wreak untold havoc with historical system data or encryption. I bet there's even a script-kiddie version of anti-forensics tools out there, where it just cron-obfuscates anything trackable. Logs, timestamps, frequent automated sweeps of shred over unallocated disk blocks, inode reordering, and so on.

Now that I think about it, that might be a good idea. I got some work to do. ;)

Re:Never trust the computer!

[_Sprocket_]

Any hacker/script-kiddie with a working knowledge of touch and a 'find' command could wreak equal havoc. Combined with a quick filter and another perl script to generate random timestamps, all launched regularly from cron? Forget it. Forensics folks would be better off scouring logs for a non-tainted timestamp and counting directory inode entries for approximate age.

And that seems to be the point - how many of these types actually know how to use touch or find... much less put together a perl script? By "hobbiest" they're not talking about our level of knowledge... they're talking average punk who thinks double-clicking a rootkit is advanced hacking. Criminals aren't always the sharpest crayons in the box.

I met one of the FBI agents involved in the investigation of Zimmerman over PGP. After that case, she moved on to child pornography cases. I asked her how many times they ran in to PGP being used by people trading in kiddie porn. Not a single one. She noted that the folks they were busting just weren't smart enough to understand that kind of thing.

That basic precautions are showing up enough to give investigators a problem says something both about the attackers and the investigations.

Re:Never trust the computer!

[flyingfsck]

Well, alternatively one could just use Windows ME on a FAT file system. That screws things up all by itself - no need for fancy tools.

Re:Never trust the computer!

[Kjella]

I met one of the FBI agents involved in the investigation of Zimmerman over PGP. After that case, she moved on to child pornography cases. I asked her how many times they ran in to PGP being used by people trading in kiddie porn. Not a single one. She noted that the folks they were busting just weren't smart enough to understand that kind of thing.

<advocate client="Devil">
So that means one of two things:
1. Smart people aren't trading in child pornography or
2. Smart people weren't caught to begin with, and still aren't

And it probably shows just how stillborn general encryption of mail is. If average people don't learn that under threats of years in prison, what could possibly make regular people do it?
</advocate>

So...

[X0563511]

The obvious message to law enforcement is that people don't like others going through their things.

Personally, I'm all for it! The timestomp tool they mentioned seemes more for oh-shit scramble-the-evidence rather than general usage... that kind of timestamp manipulation can really frig up a system.

Personally I'm a fan of disk encryption using algorythms and key-lengths that make it extremely impractical to get in once the system is powered down. If up however... you have three strikes at getting in and all future packets from your IP are silently dropped for several days. Local access isn't a problem either... open the case and power goes out... and after 10 minutes of idle-time the system locks (only way in is password or reboot... obviously reboot isn't helpful)

Call me paranoid. I am. I also like my privacy. Yes, I DO have something to hide: MY LIFE! I don't want you in my stuff at all!!! It doesn't matter that there is nothing illegitimate or illegal on the damn things, I still don't care.

Re:So...

[X0563511]

It is. Hell, if people get sick of it all and the shit hits the wall, I'll be right up there with the 'enemy' pushing for real freedom.

Yes, I don't care If I get flagged for that. I care for my liberty.

Print version

http://www.cio.com/article/print/114550 - Print version so you don't have to go through ten pages to read it all.

Anonymous coward so no Karma whoring today. :)

Macs...

[Wizard+Drongo]

Hate to sound like a apple fanboi, but even for those with something to hide that don't know much about computers at all, and therefore lack the know-how required to use these tools, simply using Mac OS X and turning on File-Vault, sad as it sounds, is enough to confound the majority of law enforcement. Most of the contractors that the police in the UK use are windows only. I know for fact that any linux or 'specialist' computers get passed to a specialist data firm in Germany for decoding...
Macs?
Only in the most serious of cases are macs in the UK sent for hacking if File-Vault's on. They go to Canada and take upwards of a year to crack. If ever.
Unless you've done something pretty fucking serious, and the police know the evidence is on the machine, just can't prove it, they usually won't go to the expense.
Of course, only the most stupid and inept of morons would be doing illegal shit and storing it on their computer without using the most powerful encryption possible, and only storing that which absolutely must be stored. Mind you, criminals are not usually noted for their cunning and intelligence....

It goes without saying that the above does not translate to across the pond, nor does it apply on Security operations with terrorists and the like. How MI5 & MI6 do things is completely different and tends to involve some 'specialist' people from the likes of the I-corps and in-house solutions....
I could elaborate, but I'm not THAT dumb.....

Re:Macs...

Mind you, criminals are not usually noted for their cunning and intelligence....

Well, you only hear about the ones that get caught.

oh geez... the "police"

[porkThreeWays]

Let me let everyone in on a dirty little secret about 99% of police computer forensics experts... they are less skilled than most 9 year olds at recovering vital information. Many of them use bootable disks that just check the hard drive for IE's cached files and history, etc, etc. Simple stuff a child could do. These people aren't doing complex low level block analysis. They are doing the level of recovery parents do at the end of the night to see what websites their children went on. Does it surprise anyone then it's extremely easy to fool them? God forbid you use encryption, an OS they aren't familiar with, or hardware they've never seen. They'll never recover anything.

Re:oh geez... the "police"

[Kjella]

Don't underestimate the tools - many forensic experts couldn't find their way at all outside the tool, but the tools are rather good at three things:
1) Point them to "interesting" catalogs on most operating systems
2) Read pretty much any filesystem, including the odd Linux/BSD variants
3) Scan for files (keywords, against a hash db etc.) without booting your OS

Encryption is the only thing that'll stand any serious investigation. Though I suppose it'll get you past the "should be bother to check his computer just in case" checks, there is plenty support for not "IE/Windows" machines.

Examples:
Operating system Support: Windows 95/98/NT/2000/XP/2003 Server, Linux Kernel 2.4 and
above, Solaris 8/9 both 32 & 64 bit, AIX, OSX.
  File systems supported by EnCase software: FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser
(Linux), UFS (Sun Solaris), AIX Journaling File System (JFS and jfs) LVM8, FFS (OpenBSD,
NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, and
TiVo® 1 and TiVo 2 file systems.
  EnCase software uniquely supports the imaging and analysis of RAID arrays, including hardware
and software RAIDs. Forensic analysis of RAID sets is nearly impossible outside of the EnCase
environment.
  Dynamic Disk Support for Windows 2000/XP/2003 Server.
  Ability to preview and acquire select Palm devices.
  Ability to interpret and analyze VMware, Microsoft Virtual PC, DD and SafeBack v2 image
formats.

Compound Document and File Analysis: Many files such as Microsoft Office documents, Outlook
PSTs, TAR, GZ, thumbs.db and ZIP files store internal files and metadata that contain valuable
information once exposed. EnCase automatically displays these internal files, file structures, data and
metadata. Once these files have been virtually mounted within EnCase, they can be searched, documented
and extracted in a number of different ways.

File Finder: This feature automatically searches through the page file, unallocated clusters, selected files
or an entire case, looking for predefined or custom file types. This feature differs from the standard
search, because it looks through the defined areas for the file header information and sometimes the
footer.

Analysis: EnCase software has the ability to find, parse, analyze, display and document various
types of email formats, including Outlook PSTs/OSTs ('97-'03), Outlook® Express DBXs, Lotus
Notes NFS, webmail such as Hotmail, Netscape and Yahoo; UNIX mbox files like those used by
Mac OS X; Netscape; Firefox; UNIX email applications; and AOL 6, 7, 8, 9. In some cases,
EnCase can recover deleted files and depending on the email format, the status of the machine.

Browser History Analysis: EnCase has powerful and selective search capabilities for Internet
artifacts that can be done by device, browser type or user. EnCase can automatically parse,
analyze and display various types of Internet and Windows history artifacts logged when websites
or file directories are accessed through supported browsers, including Internet Explorer, Mozilla,
Opera and Safari.

Re:interesting

[enrevanche]

The date a track was written could possibly be analyzed by looking at how it was written at the microscopic level, but this would probably destroy the disk itself. It would be very expensive. As far as I know, this is only theory and has not actually been done. If somebody has a technique, it would hope that it would require a lot of peer reviewed research to verify it's validity. Anyway, the date a track was written may have nothing to do with the age of the data (file), as the OS may move files around for efficiency. This will not effect the timestamps of a file. The fact is that these timestamps are simply data written on the disk and can easily be changed.

Persuasion

[gillbates]

In 'Merica, we call it gitmo. Encrypshun don't fool us nohow, nosir.

'fter all, if yah ain't guilty, watcha hidin' stuff fer? Dontcha know there's a war goin' on?

Re:Persuasion

[Mr2001]

That's what packages like TrueCrypt with hidden volume support are good for. The Man tortures you, you give up a key, and he finds some fake secret files, while your real secret files are still safely hidden.

Re:A year ago...

[Profane+MuthaFucka]

Don't knock it. Catching cheating spouses is a great way to get laid. You've already established that they've got no problem sleeping with people other than their husbands, which is 90% of the battle usually.

Re:interesting

[dwandy]

The people making these laws and procedures seem to have no idea how computers actually work.

It continues to amaze me how the same people that accept that their computer crashes for no reason also accept anything printed by a computer is pure truth.

Here's a real good one

[Travoltus]

Imagine a filesystem that is encrypted 3 times, in "headerless" fashion. What I mean by headerless is, whereas a zip file leaves reliable signatures identifying it as a zip file, this scheme would be a naked 128 or 256 or 1024 bit encrypted file (bear with me here) with no signature. There would be no way to even identify this file unless you managed to decrypt it with the right password and the exact corresponding decryption scheme. (It could be a zip file or a rar file or an arj file but you'd have to guess.)

That's for the first layer. Then you use the same (or different) scheme to scramble that already encrypted file again. With the same or different password.

Then you do it a third time.

Granted this would take a hell of a lot of computing power and a single bit of data corruption would screw you royally (which calls for more advanced recovery techniques which leads to some weaknesses...), but the effect is this.

First, you get the hard drive and the whole filesystem is encrypted. It's utterly garbage to you. You don't know which scheme was used to encrypt it. You certainly don't know the password. But you may know it's triple layer encrypted. Or double, or quad.

What is certain is, if you get the correct encryption scheme AND the password for that first layer, the decrypted file is STILL GARBAGE. You don't really know if you got the correct information or not, because you're still looking at a "headerless" pile of garbage data. Good luck guessing that second layer because no matter what, you still get a pile of incoherent garbage.

If you've done this to all your files on your hard drives, DVDs and CDs, this is where you demand your Constitutional right (in the United States) to a SPEEDY trial and then plead the Fifth Amendment in court when asked for your password/encryption schemes. Why? Because if I'm right, the police and their descendants down to the 7th generation will have died of old age before they figure out the 2nd layer, much less the 3rd.

Mind you, the cops may have slapped a keylogger on your system ahead of time. If that's the case, you're screwed.

Lawyers and hackers, please rip my idea to pieces and tell me what you think...

Re:Here's a real good one

You'd have to be careful about the choice of encryption algorithms when you do this. There are good reasons (which I can't cite off the top of my head; I'm no cryptographer) why triple DES, for example, has an encrypt-decrypt-encrypt pattern, rather than encrypt-encrypt-encrypt. Even then, all you achieve is a doubling of the effective key length, not a tripling (and remember that the actual key is three times as long - each step uses a different key).

Cryptography is hard. I know enough to know that I know nothing about it, and that I'd screw the pooch on any crypto system I might implement. If you haven't a very solid maths background, and a lot of experience breaking cyphers (and I'm talking about more than just the simple Julius shift here), odds are extremely high that there's a flaw you've overlooked in your system.

Re:Here's a real good one

[Fulcrum+of+Evil]

Sure it does - 2DES ~= DES in terms of security, while 3DES is better. Naturally, this means that the 3 level encryption scheme is dependent on the actual algorithm and serves mainly as a method for frustrating forensics. Probably AES - block shuffle - AES (different key) would make for some fun, but that assumes that they just want to convict you of something. If they think you can get at the data and want it bad enough, they'll just work you for it.

Re:Here's a real good one

[RyuuzakiTetsuya]

just do some petty theft on top of that and overflow it back to 0x01.

Epically bad.

[rjh]

I am an NSF–funded researcher in computer security, focusing on electronic voting. Data privacy and confidentiality is very important to us, as you can imagine.

Your idea is quite terrible.

First, what do you mean by a file "without signature"? Take a zip archive as an example--even if you strip off the zip header, any forensicist worth his or her salt can figure out it's a zip archive, just because of the way the data is structured. Encrypted filesystems have structure, too. A data forensicist can recognize an encrypted container on the basis of its structure. (Some people have recommended to you TrueCrypt in hidden volume mode. This is bogus. I'll explain that if you want.)

Second, you appear to not understand how crypto works. Two layers are better than one, right? So double ROT13 encryption is stronger than single ROT13, right? You're running smack into a major, well-known area of crypto. A lot of ciphers do not composite themselves well. You are almost always better off just picking one algorithm with a strong keysize than a composition of multiple algorithms.

Third, how do you plan on managing all of your keys? Key management is a thorny enough problem in the best of times. By relying on multiple keys you're multiplying the problem immensely.

You really need to do some basic research in crypto.

Re:Epically bad.

[rjh]

Why do you think hidden-volume mode TrueCrypt is bogus?

Let's imagine that you've got a TrueCrypt container on your hard drive. The FBI gets a tip that you're involved in child porn. You get arrested. The DA has a jailhouse snitch who'll testify that you have kiddie porn. The DA has a forensicist who will testify that you've got an encrypted container on your disk drive. You don't want to be doing 10-to-25 in federal pound-me-in-the-ass prison, because you're a scrawny pimply-faced geek and you don't want to get married off to the biker with the most cigarettes. You tell the DA "... look, okay, here's the passphrase to my TrueCrypt container. See? There's just porn in there I was hiding from my wife! But everyone involved is over 18! Let me go! It's bogus!"

The DA just smiles at you and says... "I'd like to see the hidden container inside that TrueCrypt volume. My forensicist says oftentimes people do that with TrueCrypt."

You say "umm... there isn't a hidden container... there's nothing more there..."

The DA continues to smile. "Prove it to me."

You say "umm... I can't... that's exactly what TrueCrypt means when they say it's hidden... you can't prove it exists and you can't prove it doesn't exist..."

The DA rises from the table. "Say hi to your husband for me when you meet him."

Moral of the story: it is very, very important that you be able to prove the existence or nonexistence of your data.

Can you explain more of this please?

I don't know how to make it any simpler. If compositing encryption functions makes things harder to break, we'd expect two applications of ROT13 to be stronger than one application of ROT13. It doesn't work that way. And in an exactly similar way, two levels of AES may or may not be any better than a single layer of AES. Or one layer of Blowfish and one layer of 3DES. Or...

If you want to get more sophisticated than this, you need to take a collegiate math course focusing on group theory.

Re:Epically bad.

[rjh]

What I love about Slashdot armchair lawyers is their naive faith in the criminal justice system.

So you go to trial. So you're acquitted. But by the time you get acquitted, you're front page news in all the local newspapers. You're getting death threats. Your family is shunned. You get let go from your job because you're bringing too much controversy. Your life, not to put too fine a point on it, is fucked.

You may want to look into Wen Ho Lee, Steven Hatfill, Richard Jewell and John De Lorean, all of whom had this exact thing happen to them.

Hatfill has never been charged. Jewell was totally exonerated, as was De Lorean. Wen Ho Lee pleaded guilty to a minor count just to make the madness stop, and received a profuse apology from the bench for how he was mistreated.

Also, have you been following what happened in Durham, North Carolina recently with respect to prosecutorial misconduct in a rape case?

You really, really need to acquaint your beliefs on how the law works with the reality of how the law works.

Re:Epically bad.

I'm not an NSA funded security researcher, but I'm also slightly less of an arrogant prick than "rjh". So to answer your question about layering encryption without getting into all the you're-not-even-worthy-to-be-asking-this-question crap, here's a brief layperson's answer:

Essentially your idea is not a bad one, it's just a bit naive -- there are non-obvious subtleties which must be considered in order to make the idea work as well as you hope.

One issue is that some encryption algorithms (called "groups") have the characteristic that when applied two consecutive times with different keys, the result is the same as if the algorithm was applied only once with some other third key. If this is the case for your favorite algorithm, then your plan adds no extra security compared to just encrypting once. And apparently it's not always easy to know whether this is the case for a complex algorithm, so you should assume the worst.

Another issue is that if your adversary can guess some plaintext (e.g. by assuming it contains .doc or .jpg headers) they can use a technique that trades off storage for computation and break your multiple encryption much faster than you would have thought.

One way to overcome these weaknesses is by applying your encryption in "EDE" (encrypt-decrypt-encrypt) mode, where you encrypt with one password, then "decrypt" with a second password (which is obviously not really decrypting but just making the scrambling that much more horrendous), and then encrypting again with a third password. Even this is not as secure as you might expect, but it's still pretty good.

The well-known security and crypto expert Bruce Schneier has a great book called "Applied Cryptography" (Wiley, 2nd edition 1996, ISBN 0-471-11709-9) which is accessible to average smart, interested, non-NSA-funded Slashdot readers without advanced math degrees. It even has a brief chapter (15) on this exact topic. (Schneier has other great books too.)

Despite his attitude, "rjh" is right in implying that our common sense is not trustworthy in the area of cryptography -- some of the world's smartest people devote their lives to this stuff and have come up with astonishing and often counterintuitive results. Smarter people than us have already studied this idea, which is basically a good one even though it has pitfalls. Don't let anyone make you make you feel stupid for having an idea or asking a good question.

Re:Epically bad.

[asninn]

But the law and the legal system *did* work in these cases; it was society, the media etc. that didn't. Not that it helps the victims, of course, but you need to recognise that this is a failure of society, not one of the criminal justice system, if you want to fix it.

Re:Epically bad.

[davFr]

I don't know how to make it any simpler. If compositing encryption functions makes things harder to break, we'd expect two applications of ROT13 to be stronger than one application of ROT13.
It is a cryptanalysis problem. Encryption scheme are designed so that your clear text will become close-to-random garbage when encrypted. Why? Because if it is not random, forensics can do statistical analysis on the crypted data 1/ to identify the encryption algorithm, 2/ to try to guess the encryption key (http://en.wikipedia.org/wiki/Cryptanalysis/ for more details).

If you crypt your text twice (or more) you modify the entropy of the encryption scheme, and the encrypted data will be not optimally close to random data. As a conclusion, encrypting twice made your data less robust to forensics.

It's nonsense

[Paul+Crowley]

Encrypt once using a good algorithm. Multiple encryption is Hollywood-style security.