Slashdot Mirror


Forensic Computer Targets Digital Crime

coondoggie writes "A European consortium has come up with a high-speed digital forensic computer dedicated to the task of quickly offloading and analyzing computer records. The TreCorder is a rugged forensic PC able to copy or clone up to three hard disks simultaneously, at a speed of up to 2 Gb/min., far faster than alternative equipment. The PC not only provides a complete mirror image of the hard disk and system memory — including deleted and reformatted data — but also eliminates any possibility of falsification in the process, meaning that the evidence it collects will stand up in court."

212 comments

  1. how good is it? by thatskinnyguy · · Score: 2, Interesting

    I have to wonder, after how many overwrites can this system detect data? The last I checked, the FBI can see data that has been overwritten 12 times.

    --
    The game.
    1. Re:how good is it? by omeomi · · Score: 1

      the FBI can see data that has been overwritten 12 times.

      The FBI publishes this information?

    2. Re:how good is it? by Harmonious+Botch · · Score: 1, Insightful

      One of their experts has probably testified to it under oath.

    3. Re:how good is it? by dclocke · · Score: 3, Insightful

      I wouldn't mind seeing a source on that statistic. Because I'd be pretty comfortable betting my life savings that it's not true.

    4. Re:how good is it? by Remik · · Score: 1, Insightful

      It doesn't matter how many times, it only matters which methods are used. If you're just using a Windows format (or worse, quick format), you can run it 100 times and the data will still be accessible.

      That said, the DoD standard for "wiping" a drive is also excessive in what it requires to declare the media clean. (All 0s, then all 1s, then 010101..., then all 0s again...blah blah blah)

      My somewhat expert opinion is that a program that writes the drive to all 0s or all 1s is all you need.

      -R

    5. Re:how good is it? by Anonymous Coward · · Score: 1, Insightful

      From the description, it doesn't sound to me like it is recovering data sectors that have been overwritten on the disk, but is only recovering the raw data sectors as read by the disk interface. So it can recover data that has been deleted, but not data that has been wiped (written over with something else). Of course if you really want to prevent someone from reading data off your disk the best option is a hardware solution. A ten pound sledge hammer usually does a good job.

    6. Re:how good is it? by deftcoder · · Score: 2, Informative

      Agreed, considering the NSA standard for data wipes is 7 random passes...

      I'm more comfortable using this though: http://en.wikipedia.org/wiki/Gutmann_method

      --
      Peace sells, but who's buying?
    7. Re:how good is it? by thatskinnyguy · · Score: 1

      Actually, DoD and NSA spec is 7 times. Google it.

      --
      The game.
    8. Re:how good is it? by thatskinnyguy · · Score: 2, Informative

      An electron microscope can pick up even the faintest of magnetic fields. The weaker the field, the more times it's been overwritten.

      --
      The game.
    9. Re:how good is it? by Jah-Wren+Ryel · · Score: 2, Interesting

      I have to wonder, after how many overwrites can this system detect data? The last I checked, the FBI can see data that has been overwritten 12 times.

      Possible, but highly unlikely and certainly expensive if they were able to pull it off.

      Read this, including the epilogue:
      Secure Deletion of Data from Magnetic and Solid-State Memory

      --
      When information is power, privacy is freedom.
    10. Re:how good is it? by dclocke · · Score: 1

      It does matter how many times. It also matters what methods are used. There is a big difference between formatting and wiping.

    11. Re:how good is it? by Jah-Wren+Ryel · · Score: 3, Informative

      Agreed, considering the NSA standard for data wipes is 7 random passes...

      The NSA has no such standard. Really, try to find an official source, you won't.

      --
      When information is power, privacy is freedom.
    12. Re:how good is it? by imemyself · · Score: 1

      Would the sledge-hammer actually destroy the platters themselves though? Obviously the drive as a whole would not work, but even if the platters were physically broken into a few pieces, I assume that a lot of the data itself would be intact on the disk. I doubt that there's any off-the-shelf tech that local law enforcement has that would be able to do it, but it wouldn't entirely surprise me if FBI/CIA/NSA/etc. have some sort of capability. Does anyone know any more about this sort of thing, out of curiosity?

      --
      Every time you post an article on Slashdot, I kill a server. Think of the servers!
    13. Re:how good is it? by thatskinnyguy · · Score: 1

      Mod parent up! I said STM in a previous reply to someone else. And as for the expense part, you think the Federal Government cares about expense? Now that would be a first!

      --
      The game.
    14. Re:how good is it? by Remik · · Score: 1

      I never said otherwise; you replied to the wrong post.

      -R

    15. Re:how good is it? by Beryllium+Sphere(tm) · · Score: 1

      If it doesn't involve cracking the disk's case open in a cleanroom (and this is just a hot PC with write blockers), then it's at the mercy of the drive's read head and every bit it gets will be what the drive natively believes is a bit.

      Recovering overwritten information isn't the big deal in forensics, anyway. Organizing, managing and documenting the mountain of evidence is. If you're dealing with well written malware, worry that it's not on the disk at all and is strictly RAM-resident.

    16. Re:how good is it? by Remik · · Score: 1

      What matters how many times? As you say, there's a big difference between formatting and wiping.

      I don't believe there's any conclusive evidence that data can be recovered from a drive that has been written entirely to 0s or 1s once. In other words, the DoD/NSA standard is over-kill.

      I'm less (but still pretty) certain that repeated Windows formats will not make data any less accessible. The only way to make sure data can't be recovered from unallocated space or carved out of file slack is to overwrite those sectors, which a Windows format does not do.

      -R
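
A toy disk image, added here as an example (not code from any post in this thread or from the TreCorder product), that walks through the distinction this post draws: a delete or quick format only drops metadata and leaves the contents carvable, an overwrite pass over unallocated sectors removes them, and file slack needs its own pass. The layout, the file names and the MARKER string are constructed for the demonstration.

```python
import os

SECTOR = 512
META_SECTORS = 4                 # toy "directory" lives in the first sectors
DATA_SECTORS = 60
MARKER = b"SECRET-REPORT-2007"   # constructed file content a carver would search for


def _sectors(length):
    """Number of whole sectors needed to hold `length` bytes."""
    return (length + SECTOR - 1) // SECTOR


class ToyDisk:
    """Constructed toy disk image (hypothetical, not a real FAT/NTFS layout):
    a directory mapping name -> (start sector, length) followed by data sectors."""

    def __init__(self):
        self.img = bytearray((META_SECTORS + DATA_SECTORS) * SECTOR)
        self.dir = {}

    def _flush_dir(self):
        # serialise the directory into the metadata sectors
        entries = b";".join(f"{n}:{s}:{l}".encode() for n, (s, l) in self.dir.items())
        area = bytearray(META_SECTORS * SECTOR)
        area[:len(entries)] = entries
        self.img[:META_SECTORS * SECTOR] = area

    def list_files(self):
        return sorted(self.dir)

    def allocated_sectors(self):
        return {i for s, l in self.dir.values() for i in range(s, s + _sectors(l))}

    def write_file(self, name, data):
        # naive allocator: first sector after the highest one currently in use
        start = max((s + _sectors(l) for s, l in self.dir.values()), default=META_SECTORS)
        if start + _sectors(len(data)) > META_SECTORS + DATA_SECTORS:
            raise OSError("toy disk full")
        off = start * SECTOR
        # only len(data) bytes are written; the rest of the last sector keeps
        # whatever it held before (file slack)
        self.img[off:off + len(data)] = data
        self.dir[name] = (start, len(data))
        self._flush_dir()
        return off

    def delete_file(self, name):
        # like rm: only the directory entry goes away, data sectors are untouched
        del self.dir[name]
        self._flush_dir()

    def quick_format(self):
        # like a quick format: all metadata cleared, data sectors untouched
        self.dir = {}
        self._flush_dir()

    def wipe_free_space(self, random_fill=False):
        # one overwrite pass (zeros or random) over every unallocated data sector
        live = self.allocated_sectors()
        for i in range(META_SECTORS, META_SECTORS + DATA_SECTORS):
            if i not in live:
                fill = os.urandom(SECTOR) if random_fill else bytes(SECTOR)
                self.img[i * SECTOR:(i + 1) * SECTOR] = fill

    def wipe_slack(self):
        # zero the unused tail of each live file's last sector
        for s, l in self.dir.values():
            tail_start = s * SECTOR + l
            tail_end = (s + _sectors(l)) * SECTOR
            self.img[tail_start:tail_end] = bytes(tail_end - tail_start)

    def carve(self, needle):
        # what a carver sees: every byte offset of `needle` in the raw image,
        # regardless of what the directory says is allocated
        hits, pos = [], self.img.find(needle)
        while pos != -1:
            hits.append(pos)
            pos = self.img.find(needle, pos + 1)
        return hits


def demo():
    """Walk the cases the post describes; returns carve hit counts per stage."""
    d = ToyDisk()
    d.write_file("report.txt", MARKER * 3)      # 54 bytes starting in sector 4
    stages = {"written": len(d.carve(MARKER))}
    d.delete_file("report.txt")                 # "deleted": still fully carvable
    stages["deleted"] = len(d.carve(MARKER))
    d.write_file("notes.txt", b"harmless")      # reuses sector 4; old bytes survive as slack
    stages["reused"] = len(d.carve(MARKER))
    d.wipe_free_space(random_fill=True)         # free sectors gone, slack untouched
    stages["free_wiped"] = len(d.carve(MARKER))
    d.wipe_slack()                              # now nothing is left to carve
    stages["slack_wiped"] = len(d.carve(MARKER))
    return stages


if __name__ == "__main__":
    print(demo())
```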

    17. Re:how good is it? by Jah-Wren+Ryel · · Score: 2, Insightful

      Expensive in time too. If it takes 3 years to extract the information, it isn't going to be useful at trial (which is presumably why they are doing forensic analysis in the first place).

      --
      When information is power, privacy is freedom.
    18. Re:how good is it? by Anonymous Coward · · Score: 0

      For classified data, they shred the drives.

      Moral of the story? If it's really important to keep the data secret, buy a new drive and run the old one through a grinder.

    19. Re:how good is it? by jimmydevice · · Score: 1

      NSA Standard? The NSA didn't exist publicly until sometime in the 60's. Whatever "standards" they have are red herrings, back doors or secret.

    20. Re:how good is it? by JanneM · · Score: 1

      The platters are often glass nowadays. We opened a failed drive a year ago (slow day at work), and the platters themselves, when they break, tend to shatter into multiple small sharp shards. I would hazard that if you can beat the drive well enough that the platters break, you can do a really good job with just three or four whacks.

      --
      Trust the Computer. The Computer is your friend.
    21. Re:how good is it? by Anonymous Coward · · Score: 0

      So you are saying that we should:
      1) alias rm to 'shred -uz' (shred's default setting is 25 rewrites)
      2) alias RIAA to 'sudo find -L / -type f -exec shred -uz {} \;'
      3) ???
      4) Profit!

    22. Re:how good is it? by SamP2 · · Score: 5, Interesting

      I keep seeing over and over posts that say that a "hardware" method would be the one that is totally secure, and the best example being a hammer.

      You'd be surprised, however, how resistant drives can be to physical damage.

      For those who know anything about hard drives (referring to regular platter drives, not solid state), you'd know that inside the rectangular case (made out of crappy soft aluminum) lie several plates connected to each other through a spinner in the middle, and they are made out of pretty strong steel.

      When I took my data security course, we practiced destroying data physically. So I opened the hard drive, removed the platters and disconnected them. Then came the fun part, trying to destroy them.

      First I tried several grades of sandpaper. All the lighter ones didn't leave a JACK SQUAT mark, no matter how hard I tried. The most heavy ones left _very_ small marks which were only visible in the direction of the strongest applied force. Sanding a whole drive this way would take days, and I wasn't sure it was strong enough to actually fully remove the magnetic cover. If anything, I damaged the sandpaper more than the drive.

      Then I tried a metal file. The results were considerably better, with deep strong marks, but again, they only covered the path of the sharpest edge of the file, not the whole contact surface area. I filed away for 5 minutes straight, and I only managed to produce about 30% area of a single side of a single platter which I could say was destroyed with high probability of not being recoverable.

      Finally, I tried a heavy hammer on another platter, having locked the platter in a vise. I wasn't impressed. The hammer, at best, produced bends across the drive. After another 5 minutes of hammering away, the drive was certainly not round anymore, but the total surface area actually destroyed by these bends was fairly minimal. Sure, it may prevent an easy automatic way of recovering data using regular means (spinning it against a magnetic reader the same way drives usually work), but I'd say at least 80% of that platter still had data on it. The manual work required to read the data piece by piece may indeed take weeks, but it would probably be possible, and having the mentality of "it'll take them too much work to read it" is akin to having the mentality of "nobody will hack me because I'm not a target of interest and they won't bother". From the point of view of a security specialist, it's wrong in principle.

      The moral of the story is that hard drives are a pretty tough nut and not as easily physically destroyed as you may think. To all those rambling away about how unreliable hard drives are and how easy they break down, I'd say that in the vast, vast majority of cases what breaks down is the engine, the magnetic mechanism, or something else that would prevent the drive from being readable by tools built in the drive box, but not the platters with the data itself.

      Another common myth is that you can easily and securely permanently wipe the data with a magnet. The forces required to near-instantly and irrecoverably overwrite the magnetic stripe of the disk are ENORMOUS. During regular usage, a relatively weak magnet is used to read and write on the disk, but it only operates on a minuscule area of the disk (trivially, by writing a bit on a 4 (double sided)-platter 500GB drive, the magnetic edge only operates on 1/500,000,000,000th of the area of the platter). Now use the denominator to figure out the magnetic intensity required to fully overwrite the whole disk at once. It ain't pretty. Industrial-grade degaussers may do the trick, but not your average home magnet (which, of course, doesn't mean the magnet is not good enough to randomly corrupt a small part of the data, which will screw your partition table and make your OS refuse to read the drive anyway). But I somehow doubt the folks in the NSA use Windows XP Home Edition to investigate hard drives.

      The "true" way to destroy hard drives is to completely melt them in an incinerator, and t

    23. Re:how good is it? by hcmtnbiker · · Score: 1

      Last I checked, they really don't check past 1 overwrite unless it's a matter of national security. Anything beyond 1 overwrite takes special equipment to read, and even then there's an accuracy issue. Also, the DoD uses a 7 pass for most classified data, so I would be surprised if you could read 12 overwrites in any reasonable amount of time.

      --
      If i had one dollar for every brain you dont have, i would have $1.
    24. Re:how good is it? by Hex4def6 · · Score: 2, Interesting

      Why not just dip the platters in some corrosive? I'm sure even something like Drano might do the trick.

      Or perhaps how about holding the platters up to a propane torch? you wouldn't need to melt them, just get them hot enough that they lose their magnetic field.

    25. Re:how good is it? by TooMuchToDo · · Score: 2, Informative

      I always thought the best poor man's magnetic eraser would be an old MRI machine. Keep your storage array near the center suspended by a strong, non-metallic material. Someone busts in the door? Just push the breaker on for that MRI machine.

      That, my friend, should be enough electromagnetic energy to wipe the entire drive at once.

    26. Re:how good is it? by ophix · · Score: 1

      I use an arc welder. Probably one of the most enjoyable ways of destroying old hard drives that guarantees a lack of data recovery.

      Old backup tapes get torched .... literally. My employer lets me use an acetylene torch to burn them.

      Hammers are overrated ;}

      Arc welders and acetylene torches are where it's at

    27. Re:how good is it? by ColdWetDog · · Score: 1

      You have a weird job.

      --
      Faster! Faster! Faster would be better!
    28. Re:how good is it? by zakezuke · · Score: 1

      The moral of the story is that hard drives are a pretty tough nut and not as easily physically destroyed as you may think. To all those rambling away about how unreliable hard drives are and how easy they break down, I'd say that in the vast, vast majority of cases what breaks down is the engine, the magnetic mechanism, or something else that would prevent the drive from being readable by tools built in the drive box, but not the platters with the data itself.

      What's funny is older drives which have had some bad sectors on them: I opened them up and discovered pitting. Whatever managed to get in the drive managed to eat away a few small holes.

      Anyhow, rather than using brute force to destroy platters, or heat, why not try electrolysis? Sodium carbonate solution, attach to a strong 12V supply, + to platter, - to an electrode, and the ferrite layer erodes.

      --
      There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
    29. Re:how good is it? by duck0 · · Score: 1

      ...which states in several places that for any remotely modern drive, a few random passes is just as good. duh?

    30. Re:how good is it? by jimmydevice · · Score: 3, Insightful

      It appears possible to recover previously erased data on old drives, but haven't the drive mfrs used exactly the same technology that the forensic disk morticians used in past years to get at erased crud (if ever)? It seems with vertical recording and super mag heads, the slop, leftover sideband noise and measurable blips of 90's tech now store data. I'm not trying to be facetious, drive builders are pushing a lot of boundaries and I doubt they would back off (unlike the MPAA and DRM) reducing capacity to retain info for the man. I am drunk.

    31. Re:how good is it? by DMUTPeregrine · · Score: 2, Interesting

      Pulsed-power. coin shrinkers are an easy solution. Just use the coil around the HDD instead of a coin. I generally just use a grinding wheel. It's hard to read platters once they are dust.

      --
      Not a sentence!
    32. Re:how good is it? by Anonymous Coward · · Score: 0

      I destroyed several hard drives. A sledge hammer to get the platters out (1 whack) and a propane flame (plumbing supply or home depot $10 for small propane tank and twist on control knob) do the trick. Years back, the platters melted readily, indicating a pot metal construction. Recently, they were tougher, I had to use a special jeweler's ceramic dish to deflect heat back at the drive - perhaps adding an oxygen tank and/or using a hotter burning gas may be the order of the day now.

      I'm pretty sure if someone were to want a quick way to destroy data (in case big brother comes), they would look up "thermite" on youtube, and perhaps put a small packet of it on top of their drives in case with a detonator triggered by a wireless call and code:)

    33. Re:how good is it? by cjanota · · Score: 1

      When I was destroying drives for my company, the platters were made differently depending on model. Some would bend tip-to-tip without breaking and others would shatter with a single blow.

      --
      You can fix anything with duct tape and sticks.
    34. Re:how good is it? by aliquis · · Score: 1

      According to Storage review they are made of aluminium (eventually alloys) or glass (eventually mixed with ceramics.)

    35. Re:how good is it? by Nullav · · Score: 1

      I'm more comfortable just hitting the thing with something heavy or melting it all together with thermite. If you're serious about wiping the thing so absolutely no one can read it, you should either write complete nonsense on the disk 30-40 times (maybe something innocuous on the last few passes) or physically destroy it and swap it out.

      --
      I just read Slashdot for the articles.
    36. Re:how good is it? by The+Lone+Badger · · Score: 1

      How about using an oxy-torch to heat the surface of the platter to a nice cherry-red? From what I know of magnetism that should scramble it pretty thoroughly.

    37. Re:how good is it? by Omnedon · · Score: 1

      On a chat board someone posted pictures of a few hard drives that had "encountered" a couple of large caliber rifles. They had holes clean through the drives. I think it was a case of the hard drives being dead and the fun of playing with large caliber rifles more than a desire to "secure erase" data, but someone else commented "ain't no data coming off them drives".

      I made a comment, while not as eloquent as the parent above, that a surprising amount of data would still be recoverable. This was greeted by various iterations of "ain't no data...", etc.

      A couple of days later I got a message from the original poster. Apparently he had emailed the pictures to his son who was (vaguely) in "law enforcement data recovery" and his son had told him that I was right.

      Now what lengths "they" would go to depends on what they thought was on there. Your pirated mp3 collection might be safe. If they were convinced that those drives had been used by Osama bin Laden you can bet that every bit that could be recovered, would be.

      Regarding the "old MRI" machine suggested a few posts down... I seem to recall reading (not that my memory is all that great) that MRI machines are kept on a 'warm' standby. To completely power down or power up is not an instantaneous operation. They also weigh several tons and consume an enormous amount of power. It probably wouldn't work, certainly would not be "cost effective" to erase your mp3 collection, and the very fact that you went to such lengths to attempt to erase data would be enough to convince them that you had something far more "valuable" to erase than mp3s.

      And data can be recovered after fires if someone wants it bad enough. "Incinerate" probably equates to something along the lines of a smelting furnace or thermite.

    38. Re:how good is it? by compro01 · · Score: 4, Funny

      well, as someone said in a previous discussion:

      The only way to truly protect your data is to grind up your hard drive into powder, magnetize it all, then heat it into a liquid. Cool and grind it up again, scatter it into the wind, and just HOPE entropy does the rest.

      --
      upon the advice of my lawyer, i have no sig at this time
    39. Re:how good is it? by garompeta · · Score: 1

      What about Thermite? Cheap, easy and fast.
      If I were a serious paranoid, I would:
      1) Use Whole Hard Drive Encryption. Even in the case that the hard drive is not destroyed, once I turn the computer off the data is not accessible for anybody.
      2) If the police bust in, ignite the Thermite, and forget about it. The proper volume of iron oxide will melt down the whole hard drive or at least fuse it into a single chunk of metal. Try to recover that.
      3) If I am worried that the police may come in when I am absent, then rewire the home alarm system to the thermite fuse. Nothing really hard. If someone gets to the room the alarm goes off, and instead of the siren going off, it ignites the fuse initiating the thermite reaction... melting it down, while the feds are still searching in the house for people and the computer.

      4) If I were a über-paranoid, then I would build a faraday cage in my room and all of above.

    40. Re:how good is it? by Anonymous Coward · · Score: 0

      "For classified data, they shred the drives."

      They likely only do so because even if the software method for wiping works, human incompetence is probably less for just throwing the drive in a shredder in comparison to having someone run software programs over it without power outages, forgetting etc.

    41. Re:how good is it? by TheWanderingHermit · · Score: 4, Interesting

      One of our LUG members recently did a presentation on computer forensics. I forgot the group that he took his classes through, but I remember a friend of mine saying they were one of the best. His comment on this was that the myth of data being retrievable after it has been written over is just that, these days: a myth. It seems that was a problem back in the earlier days of hard drives, but not with any recent equipment. It seems that once this became a "fact" it's stayed one for decades, even though there's been no evidence or proof of it being true with any hard drive designs for years.

      I don't know how accurate that is, but I know a few others in the LUG started looking into it and nobody posted any links they felt were valid to back up the surviving data myth.

    42. Re:how good is it? by Big+Nothing · · Score: 1

      "the FBI can see data that has been overwritten 12 times"

      Bull. Shit.

      If the data has been overwritten (actually overwritten, not just "deleted" or disk format) there's not a company/organisation/individual in the world that can read the data that used to be stored there.

      Granted, an on-track overwrite will in most cases leave residual off-track magnetic trace that could be recovered using exotic forensic techniques, but this can be extremely difficult and highly unreliable - especially for newer HDD's using drive optimization techniques to optimize each individual drive. To successfully recover user-readable data from a drive where the sectors have been overwritten would take a huge amount of man-hours and effort.

      For a great introduction to the topic read the paper "Recovering Unrecoverable Data - The Need for Drive-Independent Data Recovery" written by Charles H. Sobey.

      --
      SIG: TAKE OFF EVERY 'CAPTAIN'!!
    43. Re:how good is it? by arivanov · · Score: 1

      Aaaa...
      The good old 00, FF, AA, 55, 5A, A5, 00. This is what memory tests used to do in the days where the memory tech implied possible interference between adjacent bits. I am not sure if this is of any particular relevance to modern hard disk tech though...

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    44. Re:how good is it? by Anonymous Coward · · Score: 0

      ...but can it see that I've swapped out the old hard drive with a clean one--which as you ./ types know takes about 1 minute with a laptop--and smashed the original to bits?

    45. Re:how good is it? by Gordonjcp · · Score: 1

      I have to wonder, after how many overwrites can this system detect data?

      None.

      The drives connect via normal SCSI, SATA or IDE connections. There is no way to read the raw data from the heads. Even if you could, it wouldn't help on any disk made in the past 10 years or so, because modern drives don't use simple on/off transitions to record data. The idea is that with very very old disks, it's possible to see minute fluctuations in the levels of the recorded bits and see what they once were. It's sort-of possible, for certain kinds of data. With modern drives that use an encoding similar to QAM, it's not really possible any more.

      I don't care how clever you think the NSA is, there's no way to recover information once it's below the noise floor. I have two brand-new 320G SATA drives sitting here. If anyone cares to try it out, I'll write some data onto it, overwrite it with random garbage, and you can use any data forensics you like to recover the initial set of data. If you can do it, I'll buy you a car.

    46. Re:how good is it? by PopeRatzo · · Score: 5, Funny

      If you're not doing anything wrong, or using your computer to write or view anything wrong, or thinking anything wrong, or doing, writing, viewing or thinking anything that someone might construe to be wrong... ...then you have nothing to worry about.

      --
      You are welcome on my lawn.
    47. Re:how good is it? by the_one(2) · · Score: 1

      The question is: Does it blend?

    48. Re:how good is it? by Eevee1 · · Score: 0

      Alright, but what about something like running it over with a car, or use an angle grinder on it? How effective would those be?

    49. Re:how good is it? by Fred_A · · Score: 1

      I would have added "maybe" at the end of that. you know, just to be on the safe side.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    50. Re:how good is it? by Anonymous Coward · · Score: 0

      Personally I would heat it to demagnetize the drive. There were stories a few years back about drives recovered from Iraq where they had drilled a hole in it and filled it with cement, glue, or something like that. The drives were taken back to the US, cleaned and then the data recovered.

    51. Re:how good is it? by suv4x4 · · Score: 1

      One of our LUG members recently did a presentation on computer forensics. I forgot the group that he took his classes through, but I remember a friend of mine saying they were one of the best. His comment on this was that the myth of data being retrievable after it has been written over is just that, these days: a myth.

      Because of the method data is written there will be always some speculation about whether it's possible or not to retrieve overwritten bits. Since HDD manufacturers keep finding magical ways to double the space on the platters every few months, one would consider there's some redundancy on those platters because of which future storage expansion is made possible. It's a matter of having the proper reader.

      But many people pitted SSD vs HDD, and my actual question is, what about Flash memory blocks: is it even possible to restore, even theoretically, previous state there. Since the Flash chip interface only reports the last recorded value, and you can't really read the Flash chip in any other way except the standard interface on the chip, I'd say no.

      So for would-be criminals, I'd suggest Flash disks. And then a quick and strong single electrical charge would be sure to fry the memory without possibility for recovery.

      That could make a nice marketing message: "don't want FBI watching your illegal pr0n? use SSD!"

    52. Re:how good is it? by suv4x4 · · Score: 1

      An electron microscope can pick up even the faintest of magnetic fields. The weaker the field, the more times it's been overwritten.

      I just find it odd that some storage device company hasn't integrated an electron microscope to create infinite storage plate yet :)

      Honestly though, if you have such sensitive info just don't put it on your HDD. You can keep it on external Flash storage, which is easily removed, disposed of, or destroyed.

    53. Re:how good is it? by GPL+Apostate · · Score: 3, Insightful

      Most people have little control of where the info gets cached on the system. You can *think* that it's only on the flash drive, but somehow an app sticks it into swap or a file in a temp folder.

      --
      Microsoft says legacy (serial/parallel) ports are bad. They don't obfuscate the hardware enough.
    54. Re:how good is it? by GPL+Apostate · · Score: 1

      That 'DoD' spec is just something written down and specified in one instance, for one category of data. It's just something Symantec or one of the other marketing outfits has dubbed 'The DoD Spec' to impress customers. There are different levels of security, and in many instances the drive just has to be shredded to be considered secure. This isn't even a DoD level precaution. Many of the computers put up for auction at a local university have had their drives shredded, and they are just ordinary 'doze machines on an open campus. There's even a 'drive shredding form' that can be downloaded from the same website that announces their auctions.

      --
      Microsoft says legacy (serial/parallel) ports are bad. They don't obfuscate the hardware enough.
    55. Re:how good is it? by Anonymous Coward · · Score: 0

      Sure, it may prevent an easy automatic way of recovering data using regular means (spinning it against a magnetic reader the same way drives usually work), but I'd say at least 80% of that platter still had data on it.

      So you are just guessing that all of these methods that you used left readable data? But you didn't actually try to read it, you were judging based on how the platters LOOKED?

      Your story is long, but your method isn't exactly scientific and has no degree of proofiness.

    56. Re:how good is it? by baboo_jackal · · Score: 1

      Actually, DoD and NSA spec is 7 times. Google it.

      The DoD standard varies depending on the medium, but I can't find anything that says seven times.

    57. Re:how good is it? by InvalidError · · Score: 1

      If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now.

      Seems like Gutmann himself says his method is only relevant for old encoding technologies like RLL and MFM... and he also says he does not know of any organization being known to be capable of completely recovering data after simple overwriting even today - in 2006. Sounds like anything beyond 2-3 random passes is already entering overkill territory.

    58. Re:how good is it? by Anonymous Coward · · Score: 1, Funny

      What about a 100 Ton Hydraulic Shop Press? If you compress it a few times along the main axes, you should be able to do a good job of bending the HD casing and the platter together into a mess.

      BTW a 20T costs ~ $455 and a 100T press costs $6,250.00.

      http://www.amazon.com/100-Capacity-Hydraulic-Shop-Press/dp/B000I1ZU2Y

    59. Re:how good is it? by jimicus · · Score: 1

      If I am worried that the police may come in when I am absent, then rewire the home alarm system to the thermite fuse. Nothing really hard. If someone gets to the room the alarm goes off, and instead of the siren going off, it ignites the fuse initiating the thermite reaction... melting it down, while the feds are still searching in the house for people and the computer.

      That will get really annoying the first time you have a false alarm.

    60. Re:how good is it? by MoralHazard · · Score: 3, Informative

      Dear God, when will the FUD stop??!!?? This silly meme has been making the rounds for a very long time, ever since Gutmann wrote that god-awful paper for USENIX '96. IT IS NOT TRUE!! There are no scientific or engineering papers that provide any evidence to suggest otherwise--NONE.

      Here's the story: Back in 1996, Peter Gutmann published a paper where he described the theoretical possibility of reading small sections of overwritten data, in a largely unreliable fashion. Having gone back through the source he cites, I came to be of the opinion that his assertion was irresponsible, since he makes a very bold claim without pointing out how many qualifications and 'but's are attached to it:

      1) The specific techniques he discusses address older hard drive platter recording technologies that were completely supplanted, throughout the industry, in 1996-1997. Newer hard drives changed recording techniques to cram more data onto the same platter area, which eliminated the specific properties that would have allowed Gutmann's proposed recovery method to work.

      2) None of Gutmann's citations ever claimed to have made the recovery methods work in a practical fashion (as in, actually recovering a sector of data, let alone a whole file) on a real hard drive. There were a few lab experiments that were NOT performed on hard drives, and nobody was cited as actually implementing a real-world method.

      3) Since the 1996 paper (in '99, I believe), Gutmann published a revised draft that really only changed the section talking about this issue, and he significantly backpedaled his claims. Supposedly, some of his colleagues pointed out that his assertion was scientifically unsupported and extremely inflammatory. Net result: In the newest version of that paper, he basically admits that recovery of overwritten data, on modern hard drives, is snake oil.

      There's more, though. Having worked in forensics and specifically dealt with federal law enforcement agencies, I get a chuckle when people (usually, the same tinfoil-hat guys who believe in aliens at Roswell) talk like the FBI has secret recovery technology that the private sector doesn't. This is provable bullshit, for several reasons:

      1) The FBI has no real engineering capacity, and they're not as good at stuff like this as you think. In data forensics, especially, their equipment, techniques, and training have never been as good as what the private sector has. The private sector has more money, which means it can buy the newest toys and do real R&D, and it can afford to pay the big-ass salaries that cutting edge engineers require. For comparison, go ask somebody at Hitachi or Seagate who does hard drive research how much money they make. Then, ask the FBI how much their highest-paid experts make. It's going to be at least a 2:1 difference, maybe more.

      2) Secret methodologies are useless to the FBI, because they would never hold up in court. Data forensics depends on its credibility under the standards of scientific evidence, otherwise it gets tossed out of court and the defense wins. The basic test of scientific evidence is "Does the scientific community have a consensus that this method is correct?" If it's a secret method, there can be no consensus in the community, and it can't be used in court.

      3) There's a simple thought experiment that verifies this: If it were possible to read data that has been overwritten even once, doesn't that mean that your hard drive has an actual storage capacity that is twice what the manufacturer is actually giving you? How much sense does that make? Those guys jump on every technology possible to cram more data into a smaller space, so even if it's space-alien-magic stuff, they'll have an enormous incentive to make it practical to mass-produce. And they usually do just that. There's only a tiny bit more usable capacity on your drive (let alone 12x worth!) than the manufacturer's label says, and that's replacement sectors for areas that develop problems--we know about that, and it's not useful in data forensics for other reasons.

    61. Re:how good is it? by Anpheus · · Score: 1

      Oh, so erasing my hard drive seven times is like ROT-13 to them?

    62. Re:how good is it? by garompeta · · Score: 1

      lol...
      That is why it is ideal to have the alarm sensors located in a very specific place, and not to use the home alarm system... some sort of a "dmz zone" within your house, thus reducing the chance of getting a false alarm from the outside...for example a double compartment in the basement with a second alarm system that triggers the thermite. Now if you forget the password, then you're screwed...

    63. Re:how good is it? by Anonymous Coward · · Score: 0

      and you are sure there haven't been any popup windows with anything "wrong" on them, and nobody has hacked into your computer to set up a secret FTP site to store "wrong" things there, while making it look as though they are your files.

    64. Re:how good is it? by nasor · · Score: 1

      If your "data security course" was worth a damn, they should have taught you that with modern hard drives it's basically impossible to recover anything that has been overwritten even a single time. There is absolutely no need to physically destroy a hard drive to protect old data. Let me guess, your course was sponsored by Western Digital? I'm sure they would love the idea of people grinding up their perfectly good hard drives.

    65. Re:how good is it? by Anonymous Coward · · Score: 0

      of course, the big question is, who gets to define "wrong"?

    66. Re:how good is it? by Anonymous Coward · · Score: 0

      I'd be pretty comfortable betting my life savings that it's not true.

      I think that you'd be better off betting your $1.98 in life savings on the quarter slot machines. Maybe it's time you got a better job.

    67. Re:how good is it? by toddestan · · Score: 2, Informative

      Why not just dip the platters in some corrosive? I'm sure even something like Drano might do the trick.

      Hard drive platters are commonly coated with DLC (diamond like coating). The Drano is not going to get through that to the metal. The DLC is also why the parent poster had no luck with sandpaper, as the DLC is likely harder than the grit. (the purpose of the DLC is to protect the platters from accidental contact with the heads - it's tough stuff)

      However, your idea could work if the chemical was particularly corrosive - just compromise the DLC somewhere (use a file or something) then let the chemistry do its thing.

    68. Re:how good is it? by toddestan · · Score: 1

      A small correction - DLC stands for diamond like carbon, not diamond like coating.

    69. Re:how good is it? by gweihir · · Score: 1

      I have to wonder, after how many overwrites can this system detect data? The last I checked, the FBI can see data that has been overwritten 12 times.

      That is a myth for HDDs. For floppies maybe some overwrites, but for current HDDs the record for recovering from overwrites is zero. The data just is not there anymore after one overwrite, since the HDD manufacturers are this close to the data storage capacity of the surface. After all, if you could recover one overwrite, then the material could store twice as much data as it does.

      Historically that was different. It is not today.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    70. Re:how good is it? by gweihir · · Score: 2, Insightful

      An electron microscope can pick up even the faintest of magnetic fields. The weaker the field, the more times it's been overwritten.

      But the magnetic landscape is noisy and there is a smallest stable magnetic intensity. After one overwrite it is very likely that the residual magnetisation from the earlier data vanishes in the noise and is too small to be stable, at least for current disks. Remember that the HDD manufacturers have been storing very close to the material limits for some time now.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    71. Re:how good is it? by gweihir · · Score: 1

      My somewhat expert opinion is that a program that writes the drive to all 0s or all 1s is all you need.

      Agreed. There is evidence that it will be very hard or impossible to recover from that. The German computer magazine c't tried to get a disk file overwritten once recovered by several different professional data recovery outfits two years ago or so. They all said a) they cannot do it b) they did not know anybody that could or whether it was even possible.

      So, if it is at least that hard, chances are it will not be applied to your disk, unless you manage to do something really high-profile before. After all, they cannot do that to a lot of disks in the faint hopes of finding something.

      The thing with all these reports of data recovered from sold or discarded HDDs is that the data there was not overwritten. They just used Windows format. At fault here is Microsoft for not telling the user that the data will not be really overwritten. But MS always cared more about making it easy for the user than getting the technology right. If they had, they would offer a "secure format" in addition. Oh, and BTW, what a MS format does is called "filesystem creation" on real operating systems.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    72. Re:how good is it? by gweihir · · Score: 1

      Because of the method data is written there will be always some speculation about whether it's possible or not to retrieve overwritten bits. Since HDD manufacturers keep finding magical ways to double the space on the platters every few months, one would consider there's some redundancy on those platters because of which future storage expansion is made possible. It's a matter of having the proper reader.

      Untrue. You forget that the manufacturers change the platters and coating also in order to get that higher density.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    73. Re:how good is it? by gweihir · · Score: 1

      So for would-be criminals, I'd suggest Flash disks. And then quick and strong single electrical charge would be sure to fry the memory without possibility for recovery.

      And caught you are. The problem here is that you will very likely not even fry the flash chip, but the controller chip. Even if you ''fry'' the flash chip, you will likely only fry its I/O. The cells are still there and store their information. It is expensive, but entirely possible to get at these stored bits.

      Also impractical: How do you plan to apply that "quick and strong electrical charge"? Do you mean a high voltage? How high? Chip ESD protection can cope with up to 5000V today. Ok, put a lot of current behind it. Hmm. Again the problem of likely frying only the I/O circuitry.

      Actually what you need to do is either smash the flash chip itself (requires care, these things are sturdy) or melt it (blowtorch for at least 5 minutes I would say). There, not so easy after all.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    74. Re:how good is it? by Anonymous Coward · · Score: 1, Informative

      I have to take issue with the platters being made from steel. I'm not sure how old the drives you've played with are; but over numerous years and about 20 or so drives that I've mangled...the platters are made of extremely breakable glass-like material. Though they are fairly scratch resistant, as you have stated.

    75. Re:how good is it? by gweihir · · Score: 1

      You can recover data from damaged platters. It does not matter that much whether they are bent or broken. But it is slow and very, very expensive and will not be done unless you manage to do some spectacular act of terrorism or the like.

      To be sure, heat the platters up with a blowtorch. If your data only has limited value or nobody suspects it is on the disk, any kind of damage will do or use a single overwrite.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    76. Re:how good is it? by Bearhouse · · Score: 1

      None - it's not making a copy of the physical disk, but just of the data.

      I suspect that the main use would be for either clandestine copying of a drive, or when someone's just been busted, but has not had time to wipe the drive.

    77. Re:how good is it? by gweihir · · Score: 1

      You people all like your toys too much. For physical destruction, remove the platters and bend them. Entirely recoverable, but so expensive that nobody will try. Also for reallocated sectors, use encryption.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    78. Re:how good is it? by gweihir · · Score: 1

      Last i checked, they really don't check past 1 overwrite unless its a matter of national security.

      Nonsense. It is currently unknown whether even 1 overwrite can be recovered, given the physical limitations of the recording material.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    79. Re:how good is it? by sepluv · · Score: 1

      Or try the high voltage Destruct-a-tron.

      This image shows what it does to a HDD platter. There is also a page with HDD platter warping movies. Enjoy.

      --
      Joe Llywelyn Griffith Blakesley
      [This post is in the public domain (copyright-free) unless otherwise stated]
    80. Re:how good is it? by Anonymous Coward · · Score: 0

      I heard stories in 80's computer clubs that the platters of hard disk drives had a layer of magnesium below the magnetic media. This was hermetically sealed except for a small seal plug. To completely wipe the drive, the seal was broken, the magnesium would react with the oxygen in the air and the drive would be wiped permanently.

    81. Re:how good is it? by fireforadrymouth · · Score: 1

      Because your government agencies are here to help http://rawstory.com//news/2007/New_York_Times_Wiretaps_on_Americans_0908.html

    82. Re:how good is it? by arminw · · Score: 1

      ......I'd suggest Flash disks.......

      I'd suggest two computers. One for all the innocent stuff that the spooks know about and another secret computer that is ONLY used for things that they are not supposed to know about. They'll find and confiscate the "innocent" computer, spend a lot of time on it and only learn that it doesn't contain any data they can use. Meanwhile, the "guilty" computer is disposed of where no human can ever find it.

      There are also some pretty solid encryption techniques that even those with near infinite resources (governments?) have a hard time deciphering. Being able to read a bunch of ones and zeros with an electron microscope is useless if the meaning thereof cannot be figured out.

      --
      All theory is gray
    83. Re:how good is it? by arminw · · Score: 1

      .....Also impractical: How do you plan to apply that "quick and strong electrical charge"?.......

      I'd treat such a chip the same way as I do with old credit cards and other information I need to get rid of. A wood stove with a good hot fire inside does it every time. It's very quick and will get rid of stuff, before anyone can smash the door down. Better yet of course is to have nothing incriminating by always being a good boy.

      --
      All theory is gray
    84. Re:how good is it? by arminw · · Score: 2

      ..... when you see the FBI at your door going after all your pirated MP3s, I'd just say don't bet on it to work...........

      I think a disk drive tossed into our hot wood stove the moment an unknown knock came to the door, would be useless to the FBI/KGB/CIA/NSA or anyone else of equal expertise. The stove works well on old papers and credit cards also. Everybody with deep dark secrets needs a good wood stove. As a side benefit, it'll keep the house nice and warm for cheap.

      --
      All theory is gray
    85. Re:how good is it? by arminw · · Score: 1

      ...... If I were an über-paranoid,......

      I would keep data I did not want looked at by others on a small bootable HD that could not be found and the existence of which would not be known. Nobody would even come looking for it. The computer they confiscated would only contain innocuous or perhaps decoy erroneous information.

      --
      All theory is gray
    86. Re:how good is it? by dclocke · · Score: 1

      Leave the issue of formatting aside, because it isn't effective. Wiping is the method I was referring to, and it does matter what you overwrite the old data with, and how many times. If, for example, you overwrite your entire disk once, with a pattern of all 1's, it is possible (though very expensive) to manually reconstruct the previous data. A quick Google search found this reference, as an example: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

      In conventional terms, when a one is written to disk the media records a one, and when a zero is written the media records a zero. However the actual effect is closer to obtaining a 0.95 when a zero is overwritten with a one, and a 1.05 when a one is overwritten with a one. Normal disk circuitry is set up so that both these values are read as ones, but using specialised circuitry it is possible to work out what previous "layers" contained. The recovery of at least one or two layers of overwritten data isn't too hard to perform by reading the signal from the analog head electronics with a high-quality digital sampling oscilloscope, downloading the sampled waveform to a PC, and analysing it in software to recover the previously recorded signal.

      Granted, this is about ten years old. I believe I saw another reply in this thread stating that this was an issue only with older disks, and it isn't possible with newer drives. I don't have any specific knowledge regarding that claim, so I suppose it's possible. In short, the point I was trying to make was that by overwriting all bits on a drive, you aren't necessarily removing all information that used to be there. Of course, overwriting more than once is overkill for most of us. If you are worried about somebody spending millions of dollars just to recover the data on one of your hard disks, you have bigger problems to concern yourself with :)
    87. Re:how good is it? by Anonymous Coward · · Score: 0

      Back when I was in the US Army Signal Corps, we were generally taught to use an oxy-acetylene torch to destroy hard drives as a 'field expedient'. Most motor pools have them. Allegedly there were specific machines certified to destroy hard drives, but I never saw one. The NSA publishes a list of certified destruction devices for classified information, mainly cross cut shredders for paper. In the field, we kept a thermite grenade either strapped to the top of the crypto safe or strapped to the ceiling of the top compartment.

      From my own experience, I agree that thoroughly destroying hard drives is more difficult than first glance. Most deployments, I just bribed the EOD guys to wire up the HD's with a couple bricks of C4. Properly placed explosives will atomize any HD. Quick, efficient, and rather entertaining. The alternative was burning it to slag which takes much longer than you'd think and produces interesting (and toxic) fumes.

      - RevDisk

    88. Re:how good is it? by KudyardRipling · · Score: 1

      Now I get it! I have nothing to hide. I have blonde hair and blue eyes; I was born in and always have lived in the USA. I should have absolutely no worries. Please explain to me as to why there are these well dressed men at my door who somehow know that my grandmother whom I never met lit candles on Friday evenings?

      Blessed are those whose ethnicities have never been criminalised for they shall be denied college aid.

      --
      Submission as evidence constitutes plaintiff and/or prosecutorial misconduct.
    89. Re:how good is it? by garompeta · · Score: 1

      lol, that doesn't make any sense. Tell me how and where would that "small" hard drive be attached AND pass unnoticed?
      Would you detach it and hide it once the computer is shut down?

      But what if it is found? Irreversible destruction of data is your safe free pass to avoid jail; if you had very compromising data I wouldn't risk it in any way.
      But of course if you have a very safe place to hide it, you can still have to use the thermite, actually twice: 1) to mislead the police, since they would think that the computer they were looking for is destroyed, and most of the time they wouldn't bother to search for another backup system if you took such drastic measures.
      2) Another thermite in the hidden backup. If they had any reason to suspect that you could be hiding a backup of the data and they find it, boom, evidence destroyed.
      If they close the case and you don't have any reason to believe they are following you, you deactivate the thermite trap and keep on with the game.

      But what if you need the compromising data online and working in your internal network, or if you are processing it 24 hrs, whatever it is? How do you unmount and hide it at the precise moment when the feds break in?
      No matter how small it is, it has to be attached to a motherboard. As long as it is connected it will be found. Destruction is the only way out. Thermite.

  2. Note to self: by Anonymous Coward · · Score: 0

    Don't buy a computer with a Firewire port

    1. Re:Note to self: by Tuoqui · · Score: 1

      It uses the FireWire high-speed serial bus to connect the host computer and provides support for IDE, SATA and SCSI hard disks, Hermann said in a statement. Ultimately the goal of the TreCorder and forensics products similar to it is to provide companies and law-enforcement agencies digital forensic tools that can gather evidence to trap the criminals that will stand up in court.

      Of course they are assuming the data coming out of the firewire port can be trusted... If a machine was already compromised it is likely to send junk data to these ports to help conceal itself.

      --
      09F911029D74E35BD84156C5635688C0
      +2 Troll is Slashdot's way of saying groupthink is confused
    2. Re:Note to self: by Technician · · Score: 1

      Don't buy a computer with a Firewire port

      I prefer encrypted external storage which uses a non-standard filesystem.

      My NAS uses an encrypted reiser FS. The filesystem is non-standard. Users have removed the internal HD and attempted to mount it in a Linux PC, but the PC could not find the partition table.

      Even if they can mount the drive, without the encryption key, it will take them quite a while to crack the key to the encrypted volume. This is not a connect and copy drive.

      --
      The truth shall set you free!
  3. System memory? Torrentspy could use one by mysteryvortex · · Score: 1

    System memory too? Sounds like Torrentspy could use one of these.

  4. Not so fast... by Remik · · Score: 3, Informative

    2gb/min isn't that fast.

    Standalone devices like the Logicube Talon copy twice as fast. They also hash the drives and store audit trails to a CF card.

    I can see the potential benefit to creating 3 mirrored drives at once, but it is extremely limited.

    -R
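The hashing and audit trail Remik mentions are what make a copy defensible later, whatever the imaging speed. As an added example written for this thread (not TreCorder or Logicube code), here is a minimal Python imager that hashes the source while it streams past, re-hashes the finished image, and appends a JSON-lines audit record; a later `verify_image` call re-checks the image against that record. The device path, image name, audit fields and the 3 MiB stand-in "device" are constructed assumptions.

```python
import hashlib
import json
import os
import socket
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB reads


def image_device(source_path, image_path, audit_path):
    """Copy source_path to image_path, hashing the source as it is read, then
    re-hash the written image and append an audit record (one JSON object per
    line). Returns the record so the caller can check the 'verified' flag."""
    src_hash = hashlib.sha256()
    size = 0
    started = time.time()
    # Read-only open: this does not replace a hardware write blocker, it only
    # keeps this process from writing to the evidence by mistake.
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            size += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before we re-read it
    img_hash = hashlib.sha256()
    with open(image_path, "rb") as img:
        for chunk in iter(lambda: img.read(CHUNK), b""):
            img_hash.update(chunk)
    record = {
        "source": source_path,
        "image": image_path,
        "bytes": size,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "verified": src_hash.hexdigest() == img_hash.hexdigest(),
        "examiner_host": socket.gethostname(),  # assumed audit field
        "started": started,
        "finished": time.time(),
    }
    with open(audit_path, "a") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image_path, expected_sha256):
    """Re-hash an image later (e.g. before analysis) and compare it with the
    digest recorded at acquisition time."""
    h = hashlib.sha256()
    with open(image_path, "rb") as img:
        for chunk in iter(lambda: img.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest() == expected_sha256


def demo():
    """Constructed input: a deterministic 3 MiB file standing in for a block
    device, imaged into a temporary directory."""
    data = bytes(range(256)) * (3 * 4096)  # 3 MiB, deterministic content
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "fake_device.bin")
        with open(device, "wb") as f:
            f.write(data)
        image = os.path.join(workdir, "evidence.dd")
        record = image_device(device, image, os.path.join(workdir, "audit.jsonl"))
        record["recheck"] = verify_image(image, record["source_sha256"])
    record["expected_sha256"] = hashlib.sha256(data).hexdigest()
    record["expected_bytes"] = len(data)
    return record


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real acquisition the source would be a block device opened through a hardware write blocker; the point of hashing during the read rather than afterwards is that the source is touched exactly once, and the recorded digest is what a later re-verification of the image is compared against.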

    1. Re:Not so fast... by Tuoqui · · Score: 1

      It seems geared for servers where you'd have 3+ drives in RAID configs

      --
      09F911029D74E35BD84156C5635688C0
      +2 Troll is Slashdot's way of saying groupthink is confused
    2. Re:Not so fast... by greenguy · · Score: 1

      Your Logicube is nothing compared to the Time Cube.

      --
      What if I do the same thing, and I do get different results?
    3. Re:Not so fast... by wodon · · Score: 1

      The logicube hand held devices do show some pretty fast imaging speeds, but they do not take into account the various device manufacturers drive controllers. In the field, often the best way to get an image is using the suspect's hardware.
      These also require you to image RAID arrays as separate drives and reassemble them later.
      IXImager http://www.ilook-forensics.org/iximager.html/ can image internally, can image arrays whole and boots from a CD (law enforcement only though).
      I have got 4 gig a minute out of it in the field.

      Anyway, these boxes just look like a new model of the FREDDIE http://www.dataduplication.co.uk/details/freddie.html/

      No big news there.
      For an imaging box you don't need that high spec a machine, your source disk drives are going to be the bottleneck, not RAM or processor.

      --
      It's My Tea and I'll Drink it if I Want To!
  5. Reformat != Overwrite by Nymz · · Score: 2, Insightful

    I have to wonder, after how many overwrites can this system detect data?

    I'm thinking zero overwrites. From the article it appears that the system is a portable solution that only plugs into hard drives, and not a reader of the platters themselves. Software alone can analyze deleted files and a reformatted file table, but it cannot use the original drive to read information that was overwritten.
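Nymz's distinction (and gweihir's point earlier that a Windows "format" is filesystem creation, not overwriting) can be shown on a toy image. This is an added example written for this thread, not code from the article or its product: a constructed disk image with a tiny directory table and a PNG-like file. Clearing the table ("quick format") removes the file from any listing but a signature carve still finds it; a single zero pass removes it for good. The block layout, table record format and the fake file contents are assumptions made for the demonstration.

```python
import struct

BLOCK = 512
TABLE_BLOCKS = 2  # blocks 0-1 hold the directory table (assumed toy layout)
ENTRY = struct.Struct("<16sII")  # name, start block, length in bytes
PNG_SIG = b"\x89PNG\r\n\x1a\n"  # real PNG file signature


def make_image(files):
    """Build a constructed image: directory entries in the first blocks,
    each file's data in its own run of blocks after them."""
    image = bytearray(BLOCK * (TABLE_BLOCKS + 64))
    entries = b""
    next_block = TABLE_BLOCKS
    for name, data in files:
        start = next_block * BLOCK
        image[start:start + len(data)] = data
        entries += ENTRY.pack(name.encode(), next_block, len(data))
        next_block += (len(data) + BLOCK - 1) // BLOCK
    image[0:len(entries)] = entries
    return image


def list_files(image):
    """Walk the directory table, the way a filesystem driver would."""
    names = []
    for off in range(0, TABLE_BLOCKS * BLOCK, ENTRY.size):
        name, start, length = ENTRY.unpack(image[off:off + ENTRY.size])
        if length == 0:
            break
        names.append((name.rstrip(b"\0").decode(), start, length))
    return names


def quick_format(image):
    """'Windows format' as described in the thread: rewrite only the table,
    leave every data block untouched."""
    image[0:TABLE_BLOCKS * BLOCK] = bytes(TABLE_BLOCKS * BLOCK)


def overwrite_zeros(image):
    """Single-pass overwrite of every block (Remik's all-0s recommendation)."""
    image[:] = bytes(len(image))


def carve(image, signature=PNG_SIG):
    """Signature carving: ignore the table entirely and look for file headers
    in the raw blocks. Returns the byte offsets where the signature occurs."""
    hits, pos = [], image.find(signature)
    while pos != -1:
        hits.append(pos)
        pos = image.find(signature, pos + 1)
    return hits


def demo():
    """Constructed sample: a PNG-like file (real signature, fake body) and a
    text note, then the three states a forensic tool might see."""
    fake_png = PNG_SIG + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 300
    img = make_image([("photo.png", fake_png), ("note.txt", b"constructed note\n")])
    result = {"listed_before": [n for n, _, _ in list_files(img)]}
    quick_format(img)
    result["listed_after_format"] = [n for n, _, _ in list_files(img)]
    result["carved_after_format"] = carve(img)  # still found at block 2
    overwrite_zeros(img)
    result["carved_after_overwrite"] = carve(img)  # nothing left to carve
    return result


if __name__ == "__main__":
    print(demo())
```

The carve step is the whole of what disk-level software can add over a normal filesystem listing: it reads the same bits the drive's own channel returns, so once those bits have been overwritten the signature is simply gone, which is why the thread's answer to "how many overwrites" for a plug-into-the-drive device is zero.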
  6. I love reporters by DaftShadow · · Score: 1

    "The TreCorder is a rugged forensic PC able to copy or clone up to three hard disks simultaneously, at a speed of up to 2 Gb/min. The same transfer would take 30 to 60 minutes using alternative equipment said Martin Hermann, general director of MH-services..."

    And, don't forget this gem:"...eliminates any possibility of falsification in the process."

    Although, I must be honest... A pre-configured dual-boot XP/Linux forensics box, 4GB RAM, 2TB internal HD, and a 3TB external backup system, seems like a fairly capable system to drop into the hands of computer forensics persons. The article mentions this being chosen over sleuthkit, which makes me wonder just how much better (if at all) the software internals are on the TreCorder.

    - DaftShadow

    1. Re:I love reporters by Remik · · Score: 1

      There's some pretty good FUD coming from the developers here, as well..

      They make it seem like a huge problem that EnCase isn't entirely secure against potential attacks from the target machine. Well...the only time I'd use a software acquisition method is when a hardware acquisition is strictly out of the equation (i.e. live & critical servers that cannot under any circumstances be shut down). How likely are the servers for an airline's ticketing system to be booby-trapped?

      They're creating problems and foisting them on the software when the existing software is far less likely to ever be used in such situations.

      -R

    2. Re:I love reporters by Fourier · · Score: 2, Interesting

      The article mentions this being chosen over sleuthkit, which makes me wonder just how much better (if at all) the software internals are on the TreCorder.

      The key isn't so much the software as it is the hardware. The TreCorder uses hardware write blockers to provide a rather strong guarantee that the original data will not be corrupted even if the OS and the acquisition software happen to be written by idiots.

    3. Re:I love reporters by dgatwood · · Score: 1

      FireWire hardware can be set up to allow or disallow DMA requests depending on the device on the other end of the wire. Most OSes now only allow it if the device on the other end looks like a hard drive for security reasons. You can lock them down further if you want:

      http://matt.ucc.asn.au/apple/
      http://rentzsch.com/macosx/securingFirewire

      Linux also has security features in recent versions of its kernel to protect against arbitrary DMA attacks. (Search for firewire-ohci.) Windows does the same thing. With the right tweaks, disabling FireWire DMA is completely within the realm of possibility if you're that paranoid.

      Unfortunately, once you have FireWire DMA access, there is no way to actually fake the data in RAM, but you could theoretically require the user to take some action to enable FireWire devices, and upon detecting an unexpected DMA-capable device on the bus, use the power management hardware to power down the PHY for a few seconds, causing a bus reset and a stall for just long enough for you to page everything out to disk and replace the entire contents of RAM with naked pictures of Janet Reno, then reenable the PHY just before you overwrite the page that the wiper code occupies. :-D

      Of course, this is very nearly undeniable proof that you are guilty of something. Nobody would do anything REMOTELY that insane if they didn't have something really MAJOR to hide.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re:I love reporters by v1 · · Score: 1

      but also eliminates any possibility of falsification in the process

      I just love it when people automatically consider a system impenetrable the second you seal it up with so much as a strip of duct tape.

      Who does he work for? Diebold?

      Security is never absolute.

      --
      I work for the Department of Redundancy Department.
    5. Re:I love reporters by hawk · · Score: 1

      >if they didn't have something really MAJOR to hide.

      those pictures of Janet Reno come to mind . . .

      hawk, assuming that anyone having seen those needs an interface for the blind

  7. Re:System memory? Torrentspy could use one by tomhudson · · Score: 1

    I read the article, and it sounds like it's "marketing" - we all know that system memory can't be read the way they claim - by plugging into the hard drives. Sure, you'll pick up what was in swap, but if a person is smart and worried about security, they don't have swap - turn it off, and all memory goes bye-bye.

  8. Last you checked you were wrong by Sycraft-fu · · Score: 3, Informative

    You cannot read data overwritten even once unless you disassemble the hard drive. If you use a disk copy utility, any of them, you get nothing more than the current layer of data. That is simply all a hard drive reads. As such if you wished to get any overwritten data you'd have to take the platters out and put them under some other kind of analysis equipment.

    As for the feasibility of that, well, there isn't. Sorry. Even if you have a setup to do that, the chances of getting anything useful are extremely low. What you are talking about doing is reading off the data in an analogue format. The theory is that the whole reason we use digital equipment is because of imprecision in storage. So rather than try to detect subtle changes, we simply say "Anything over magnetic level X is a 1, anything under is a 0." Thus the drive head just messes with the state to change it, not caring about the precise state it is in. Well the theory is also then that there will be a residual of the last data written. If I have a 1 and make it a 0 it will be slightly higher than a 0 that was again made a 0. By analysing the analogue waveform, you are able to guess at what the previous data was.

    Ok but there's two major problems with this, especially as applied to law enforcement:

    1) You are, in fact, guessing. You are looking at imprecise data and trying to figure out what was there. Any competent defense attorney would tear such a thing apart. Just because the technician assumes a string of bits corresponds to a given waveform, doesn't mean they are right.

    2) The amount of data on a modern hard drive is staggering, and the encoding extremely complicated. To try and do something like this, even for one level, could take months if not more, and that's assuming you had a streamlined process down. This isn't simple like "Just read the data." As I said it is "Look at the actual waveform and try to decode older pieces from small fluctuations below the normal 1/0 threshold."

    Well, this is the kind of stuff intelligence agencies likely dabble in, as they've got the resources and there's no standard of proof. They might well be willing to pore over a drive for years if it gets them information. Even if there are assumptions on the part of the analysts, that's ok. After all, that's how code breaking was largely done back in the day: You made assumptions based on the language and known plain texts and such and started guessing at the rest.

    However that isn't the kind of shit that flies in court, and not the kind of thing that they've got time for. You'll notice how they talk about copying the data and the importance of maintaining the evidentiary chain. You don't get that when it's some guy with an oscilloscope making guesses.

    It may make for good movies and TV, but once something has been overwritten it's done, basically. If you have evidence to the contrary, I'd love to see it, but "I heard," or "Some guy who worked for the FBI said," isn't it. Show the product/method that is used. If it is something that is used in court, it has to be known.

    1. Re:Last you checked you were wrong by thatskinnyguy · · Score: 0
      --
      The game.
    2. Re:Last you checked you were wrong by garompeta · · Score: 1

      And you forgot to mention that they must have a slight idea of what they are looking for to know the pattern or the format to find or rebuild.

      If they don't know what they are looking for, it is almost impossible to discern among all the junk in the hard drive, and this if it is not wiped. If it is overwritten, forget it.

    3. Re:Last you checked you were wrong by Anonymous Coward · · Score: 0

      Reread the parent - you obviously missed something.

    4. Re:Last you checked you were wrong by timmarhy · · Score: 0
      Should have done a basic google before going off on a big rant, it would have stopped you looking so stupid. There's lots of software out there to recover data from formatted disks.

      I've personally used one to recover data from an ext2 partition after I reformatted it as NTFS.

      Lastly, you have NO CLUE if you think a few months or even years of work is any barrier to law enforcement. What, you think they will say to themselves "oh that kiddie porn ring overwrote their drive, it's going to take 6 months to dissect the information, guess we better let them off the hook!"

      --
      If you mod me down, I will become more powerful than you can imagine....
    5. Re:Last you checked you were wrong by Anonymous Coward · · Score: 0

      Not talking about formatting the drive.

    6. Re:Last you checked you were wrong by ORBAT · · Score: 1

      Oh the irony.

      Reformat != overwrite. It's trivial to recover a reformatted drive since most data is, in fact, not overwritten.

      How on earth you got modded up to 2 is completely beyond me.

    7. Re:Last you checked you were wrong by ColdWetDog · · Score: 2
      Not sure what your point is. Sure, a scanning tunneling EM might be able to read the sides of sectors and get an idea of the charge state of the material, but you have to do it bit by bit. The STEMs don't have very large sample chambers so you'd have to chop the drive up into wee little pieces, keeping track of everything all of the time. Sounds wonderfully tedious.

      As the OP pointed out, some intelligence agency might do it to find Osama bin Laden, but I really doubt the FBI is going to try this on some dimwitted pedophile.

      --
      Faster! Faster! Faster would be better!
    8. Re:Last you checked you were wrong by AmiMoJo · · Score: 1

      Furthermore, the idea that it can copy what is in the computer's memory is rubbish too.

      Aside from anything, Windows and Linux both have memory protection which prevents programs reading any memory except their own, which is cleared before it is given to them. Sure, on Windows if they happened to catch the PC booted up and logged in as an administrator they could install a driver to copy the contents of the PC's RAM, but then they would have tampered with the evidence and it would be worthless anyway.

      I wonder how they can prove that the images of the HDD are genuine and have not been altered? Checksums? SHA-1 is breakable. Sadly that sort of thing tends not to matter. Take the case of , a man convicted of murder based on a single speck of gunpowder found on his clothes which the police admitted was stored in an environment containing firearms residue.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:Last you checked you were wrong by Anonymous Coward · · Score: 0

      It seems you are the one looking so stupid.

    10. Re:Last you checked you were wrong by darksith69 · · Score: 0
      Reformat != overwrite.

      mkfs.ext3 -c -c device

    11. Re:Last you checked you were wrong by (negative+video) · · Score: 0

      You are, in fact, guessing.

      No, magnetic coercion is reasonably predictable. The laws of physics do, in fact, work.

      You are looking at imprecise data and trying to figure out what was there. ... Just because the technician assumes a string of bits corresponds to a given waveform, doesn't mean they are right.

      Hard drive data includes two layers of redundancy, a DC-cancelling code and a comprehensive error-correction code. If the values of both of those are consistent with the extracted data, then it is overwhelmingly likely to be the original data.

      Any competent defense attorney would tear such a thing apart.

      Not at all. Flimsy evidence is often used to narrow the search for ironclad evidence. For example, suppose a bank account number is recovered, debits from the account are traced and found to have paid for extensive remodeling of the defendant's house, and credits are traced and found to have come from the defendant's former business partner who is currently on the lam for tax fraud. Whoops. The jury simply won't care that the account number could have been unreliable.

      2) The amount of data on a modern hard drive is staggering, and the encoding extremely complicated. To try and do something like this, even for one level, could take months if not more, and that's assuming you had a streamlined process down.

      There are data recovery firms that routinely suck data off of mangled hard drives. Recovering overwritten data would not be much more work.

    12. Re:Last you checked you were wrong by ArsenneLupin · · Score: 1

      Sure, on Windows if they happened to catch the PC booted up and logged in as an administrator they could install a driver to copy the contents of the PCs RAM, but then they would have tampered with the evidence and it would be worthless anyway. ... and, most importantly, they would need to have the presence of mind to do it right there. Usually, however, this is not how these "raids" happen. It's more like "jackbooted thugs cart everything off, and geeks do the analysis months later". Once it's unplugged, all RAM is gone.

    13. Re:Last you checked you were wrong by orin · · Score: 1

      There are a few places that you can start, but I'd start with books like Moenssens' books on scientific evidence, which go into some detail in terms of the admissibility of this sort of evidence.

    14. Re:Last you checked you were wrong by cp.tar · · Score: 1

      There are data recovery firms that routinely suck data off of mangled hard drives. Recovering overwritten data would not be much more work.

      According to a poster several posts up, no data recovery company advertises overwritten data recovery.

      A mangled drive can still be analysed, as long as its magnetic properties are still present. Overwritten data, however, is way too much trouble: it has to be done bit by bit, and there's quite a lot of work involved for each bit. And current drives measure in hundreds of gigabytes.
      And, if you didn't know, even if the process was fully automated up to the level it only took 1 second to analyse each bit, and they worked on 8 bits in parallel, 1 GB would take, oh, some 32 years of constant work.

      --
      Ignore this signature. By order.
    15. Re:Last you checked you were wrong by Anonymous Coward · · Score: 0

      This is partially wrong.
      As for any failsafe claims, well yeah, that's what they said about certain VOTING machines.
      There are gaps between concentric hard drive rings, and if you 'microstep' the read head, you can make some pretty good guesses, and if you can re-read checksums and block parity, you are on a good wicket. Back in the old days, service engineers (SEs) ran microstepping software to fix up and recover bad data. If you assume you can get one bit on either side, and another 2 bits from current sense, 4 bits = 16 times, but that would be costly and time consuming. As the areal density increases, the cost goes up - new drives are more difficult.

      All drive erasing software is rubbish, unless it is drive microcode aware, and can issue firmware level commands, like secure-erase. BTW, the SATA people are not telling what's in the firmware, but like Bluray, give it time.

      Then there is the assumption that the average joe does not have access to this firmware, and does his/her own treatments. Anyway, with good crypto, over a RAID, one can make things very difficult.

      Even when the data is recovered, things like context, and is there a hidden message in all this, when lawyers do their stuff.

    16. Re:Last you checked you were wrong by baboo_jackal · · Score: 2, Interesting

      Sure, a scanning tunneling EM might be able to read the sides of sectors and get an idea of the charge state of the material, but you have to do it bit by bit

      Yeah, if I can remember correctly from a forensic computing presentation we gave to a bunch of high school kids (I obviously didn't give the physical media recovery part), the way it theoretically works is that when the charge of a magnetic domain on a hard disk platter is changed, it's not changed uniformly throughout the entire domain. If you were able to identify a portion of the domain that was consistently left unchanged by the drive head (in our example, we used the outermost portion of the domain - say the drive head was aligned so that it acted on the inner portion of each individual track), you could potentially figure out what the last bit written was by looking at it through an EM.

      I think that maybe you could also theoretically look at the Bloch walls or something like that. But the real bottom line is that:

      1) Is it even possible? I can't find a single example of anyone actually doing this.
      2) If possible, who in the world would be able to do it?
      3) And, do you really think your secret stash of shemale porno and The Anarchist's Cookbook are that important to them?
      4) It's not, so just delete it and move on with your life.
    17. Re:Last you checked you were wrong by turbidostato · · Score: 2, Insightful

      "1) You are, in fact, guessing. You are looking at imprecise data and trying to figure out what was there. Any competent defense attorney would tear such a thing apart. Just because the technician assumes a string of bits corresponds to a given waveform, doesn't mean they are right."

      Not to say you are wrong; I think you are overall right, in fact. But in an ideal world, a competent attorney can't have more than justice gives him (after all, if you can hope for a "competent defense attorney" you should expect a "competent prosecuting attorney" too). It's true that telling one single bit to be a 0 or a 1 is "guessing", but a single bit doesn't tell anything. It's a huge collection of bits that holds info: if, by fairly guessing any single bit to be a 0 or a 1, you end up with the literal text of the USA constitution, you must be pretty sure your guess is right (you can throw some statistical analysis at it). If you guess a password and the password in fact gives you access to some protected data, your guess is OK. After all, even for the "true" data on a hard disk (the one coming from the last write), the reader just "guesses" the bits on the platters to be 0s or 1s; why is its "guess" more "factual" than any other one you can throw at it?

      "However that isn't the kind of shit that flies in court"

      On the contrary, my friend. There's nothing qualitatively different between this and DNA analysis, which is nothing more than statistics and guessing, and you see it holds in court every day (for a very valid reason).

      But, in the end, this completely goes outside the article's scope: the device is just a rugged PC that can extract low level data from the hard disks as fast as possible - by using the hard disk readers themselves, so its "sensitivity" is just the one you get on a "usual" read, so it's nothing more than a glorified dd.

    18. Re:Last you checked you were wrong by nasor · · Score: 1

      Perhaps even more importantly, to my knowledge there are no standard procedures for recovering overwritten data that are currently accepted in U.S. criminal courts. There are pretty strict standards for gathering forensic evidence. The evidence has to be gathered and processed according to "standard procedures" that are peer-reviewed and approved by experts in the field. A forensics examiner can't just make up the procedure as they go along, even if they have such expertise in their field that they are qualified to do so. For example, if you find someone with a suspicious white powder and you think it might be narcotics, there is a list of standard tests that can be performed in order to determine the nature of the powder, and each test has to be performed according to a specific procedure. Since no such standard procedures exist for recovering data that has been over-written, it's unlikely that any evidence that was recovered from an over-written disk could be introduced in a criminal trial.

    19. Re:Last you checked you were wrong by archen · · Score: 1

      You could also ask those same questions about a machine that implements DES in hardware. Who would have reason? Who could do it? Who would if they could and you would never hear about it? The answer is... the government. I'd say it is to some extent "possible", however I have my doubts you could even be sure you could recover anything reliably if you did something as simple as zeroed the drive. Now people who "reformat" a drive or think they've deleted something with no way of verifying that something overwrote the bits, that's a different story - and typically that's where the entire "you can never really delete a file" myth comes from. With the new Vista (& MacOS) versioning thing it's probably going to be a whole new realm of files coming back from the dead.

    20. Re:Last you checked you were wrong by gweihir · · Score: 1

      Furthermore, the idea that it can copy what is in the computers memory is rubbish too.

      Not quite: They get one shot at this and for that they need to log in as root/administrator. On Linux just copy /proc/memory.

      The problem here is that they will change parts of the memory map doing that. This may even be criminal destruction of evidence. And reassembling and analysing that memory map will take a huge effort.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    21. Re:Last you checked you were wrong by gweihir · · Score: 1

      Hard drive data includes two layers of redundancy, a DC-cancelling code and a comprehensive error-correction code. If the values of both of those are consistent with the extracted data, then it is overwhelmingly likely to be the original data.

      The error correction code can correct small dropouts, not entirely shaky sectors. And current disks are already doing maximum likelihood decoding (reading the data analog) and use the error correction heavily in normal operation. Just have a look at some SMART status, it tells you the "raw read error rate" which is typically quite high.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. Copy the World! by Anonymous Coward · · Score: 0

    If only it had an ethernet port :( I could copy the internet.........infinite pr0n, yeah!

    Seriously, copy 2GB within the confines of your own PC. See how long it takes. This is like saying "I can travel up to 200MPH on my own power (if I'm falling)"

  10. Re:System memory? Torrentspy could use one by Jah-Wren+Ryel · · Score: 4, Interesting

    I read the article, and it sounds like it's "marketing" - we all know that system memory can't be read the way they claim - by plugging into the hard drives. Sure, you'll pick up what was in swap, but if a person is smart and worried about security, they don't have swap - turn it off, and all memory goes bye-bye.

    They plug into the firewire port and use the PC's own firewire controller to DMA from host memory out across the firewire bus. That is a standard forensic operation nowadays.

    However, some people have already postulated, if not actually implemented, protections against that sort of attack. The idea is that the host can reprogram the PCI bus controller to route all DMA requests from the firewire controller off into some user-specified range of memory. In theory the forensic tool could detect that the PCI controller has been programmed to do that, but it could not do anything about it.
    --
    When information is power, privacy is freedom.
  11. Cyber Cops!! by doyoulikeworms · · Score: 1

    The guy that ninja'd my loot went that a-way!!

  12. doubtful by crossmr · · Score: 2, Insightful

    Does it create a read-only image that can never be tampered with? Given the fact that anyone can do just about anything, most digital evidence always leaves me lacking.

    1. Re:doubtful by Cheesey · · Score: 1

      This is a good reason to use full disk encryption. You can't tamper with such an image unless you know the key. If the police accuse you of a crime and confiscate your computer, you can refuse to unlock the hard disk data until you are certain that corrupt policemen will not be able to add new files to incriminate you. (Plus, if your machine gets stolen, the thief has no access to your data.)

      --
      >north
      You're an immobile computer, remember?
    2. Re:doubtful by crossmr · · Score: 1

      Unfortunately they don't let you sit there and watch them while they spend days and weeks combing through the contents of your hard drive and other media.

    3. Re:doubtful by Cheesey · · Score: 1

      Doesn't matter. Before you unlock the files, you place a copy in escrow with the help of your lawyer. If the police copy differs from the escrow copy, then tampering is obvious.

      --
      >north
      You're an immobile computer, remember?
  13. Re:System memory? Torrentspy could use one by Beryllium+Sphere(tm) · · Score: 1

    The actual site for the Trecorder doesn't make any claims about making a copy of RAM, that seems to have appeared in the article by spontaneous generation.

    But I wonder if it would be possible over a Firewire connection, given that Firewire allows direct memory access.

  14. Drive density by Beryllium+Sphere(tm) · · Score: 3, Interesting

    I'd enjoy seeing (recent!) references on this, since hard drive technology has moved quite a bit since the Gutmann paper (the epilogue to which says "with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques").

    The two best arguments I've seen among the speculation are

    AGAINST: if it were possible to read under 12 layers of overwriting, wouldn't the drive manufacturers boost density by writing the same spot 12 times?
    FOR: a read head in a lab doesn't have to be light, may not need to be fast, and definitely doesn't have to cost less than a good dinner. In other words, it's not subject to the limitations of the drive's read head.

    1. Re:Drive density by timmarhy · · Score: 2, Insightful
      "if it were possible to read under 12 layers of overwriting, wouldn't the drive manufacturers boost density by writing the same spot 12 times?"

      What makes you think they would want to do that? It'd be dog slow, and it'd also be error prone. None of which helps to sell drives.

      --
      If you mod me down, I will become more powerful than you can imagine....
    2. Re:Drive density by davmoo · · Score: 1

      If it's error-prone, it wouldn't be of use to law enforcement either.

      --
      I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
    3. Re:Drive density by drsquare · · Score: 1

      AGAINST: if it were possible to read under 12 layers of overwriting, wouldn't the drive manufacturers boost density by writing the same spot 12 times?

      Yes, but you'd need to take apart your hard disk and bring in a forensic analyst to actually get any data off it. And there'd be no random access, you could only write to the top layer.
    4. Re:Drive density by archen · · Score: 1

      There was a (more) recent amendment to the entire Gutmann paper which I believe was by Gutmann although I can't say I'm 100% sure. I was researching exactly how secure Darik's Boot 'N Nuke was so I did a lot of research. Anyway in a nutshell the Gutmann methods do not apply to modern (and I think this was years ago) hard drives. Basically with caching and spare sectors you can't be sure the hard drive is even writing the way you think it is, so the foundations of the paper in the techniques used aren't really trustworthy because you can't trust the drive. I think the general conclusion was that 4 writes of random data was probably the best you could do. The Gutmann data wiping method does do such wipes but also does a lot of other stuff which is basically a waste of time. If such voodoo wipes make you feel better, then there's no harm in using them. The method required by the Royal Canadian Mounted Police also seems like it was a bit overthought, but better safe than sorry.

    5. Re:Drive density by TheLink · · Score: 1

      Why not? Some seem to be fond of the following technologies:
      1) "Lie detectors"
      2) fingerprints

  15. I'm Sure... by Nom+du+Keyboard · · Score: 1
    I'm sure that the RIAA is in line for the first dozen.

    But how can it read reformatted data? I was always of the impression that to read more than the most recent data required removing the platters and using special equipment on the naked disc surface. If the original disc heads were reading all these previous layers, they'd never be able to accurately read the current data on the hard drive.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:I'm Sure... by Remik · · Score: 1

      Depends what you mean by "reformatted".

      Usually:

      Deleting only updates the FAT. The data is all still there.

      Formatting only deletes the FAT. The data is all still there.

      What you're referring to with "reading all the previous layers" is quasi-theoretical ways of getting at data that has been completely overwritten.

      Unless your deleting/formatting process actually overwrites the data, it is all still there.

      -R

    2. Re:I'm Sure... by RLiegh · · Score: 2, Interesting

      What about when you replace FAT (or NTFS) with another filesystem entirely? Would the format done by mkfs.ext2 (or whatever) overwrite the data, or would it simply set up a filesystem table and leave the previous data on the drive readily accessible (to anyone who wants to recover it)?

    3. Re:I'm Sure... by aliquis · · Score: 1

      I have no idea what it does but considering how fast most formats are done I'm very confident it doesn't overwrite all data, at least. I guess it at least overwrites the data on the blocks where it stores superblock backups.
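      To make the delete / quick-format / overwrite distinction from this sub-thread concrete, here is an added Python example built on a constructed toy disk model (a two-sector allocation table followed by data sectors). It is not FAT, ext2 or any real mkfs, and it is not code from the page or any of the posters; the sample file content, sector layout and function names are the example's own assumptions. It goes slightly beyond the posts by also showing a plain delete and a single-pass overwrite, and it "carves" the raw bytes the way a recovery tool does, ignoring the metadata entirely:

```python
"""Toy disk model (added illustration, not FAT/ext2 or any real mkfs): shows why
a deleted or quick-formatted file is still carvable from the raw bytes, while a
single-pass overwrite removes it.  Layout, names and sample data are this
example's own assumptions."""
SECTOR = 512
DISK_SECTORS = 128           # 64 KiB constructed "disk"
TABLE_SECTORS = 2            # sectors 0-1 hold the allocation table (the "FAT")
DATA_START = TABLE_SECTORS   # first sector available for file data


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(SECTOR * DISK_SECTORS)
        self.table = {}      # name -> (start_sector, length_in_bytes)

    def _flush_table(self):
        """Serialise the table into the metadata sectors as name:start:len;..."""
        blob = ";".join(f"{n}:{s}:{l}" for n, (s, l) in self.table.items()).encode()
        area = bytearray(SECTOR * TABLE_SECTORS)
        assert len(blob) <= len(area), "toy table area full"
        area[:len(blob)] = blob
        self.raw[:len(area)] = area

    def write_file(self, name, data):
        """Place the file after the last allocated extent and record it."""
        start = DATA_START
        for s, l in self.table.values():
            start = max(start, s + -(-l // SECTOR))      # ceil(l / SECTOR)
        off = start * SECTOR
        self.raw[off:off + len(data)] = data
        self.table[name] = (start, len(data))
        self._flush_table()

    def read_file(self, name):
        s, l = self.table[name]
        return bytes(self.raw[s * SECTOR:s * SECTOR + l])

    def delete(self, name):
        """Like a typical unlink: drop the table entry, leave the data sectors alone."""
        del self.table[name]
        self._flush_table()

    def quick_format(self):
        """Like a quick / metadata-only format: fresh empty table, data untouched."""
        self.table = {}
        self._flush_table()

    def wipe(self, pattern=b"\x00"):
        """Single-pass overwrite of every sector, then a fresh empty table."""
        reps = len(self.raw) // len(pattern) + 1
        self.raw[:] = (pattern * reps)[:len(self.raw)]
        self.quick_format()


def carve(raw, marker):
    """Signature carving: scan the raw bytes, ignoring metadata entirely.
    Returns the byte offset of `marker`, or -1 if it is nowhere on the disk."""
    return bytes(raw).find(marker)


def demo():
    disk = ToyDisk()
    # Constructed sample content standing in for a sensitive file.
    secret = b"CONSTRUCTED SAMPLE: quarterly ledger, do not distribute"
    disk.write_file("ledger.txt", secret)
    found = {"after_write": carve(disk.raw, secret) >= 0}
    disk.delete("ledger.txt")
    found["after_delete"] = carve(disk.raw, secret) >= 0
    disk.quick_format()
    found["after_quick_format"] = carve(disk.raw, secret) >= 0
    disk.wipe()
    found["after_wipe"] = carve(disk.raw, secret) >= 0
    return found


if __name__ == "__main__":
    print(demo())
```

      Running `demo()` reports the file as carvable after the delete and after the quick format, and gone only after the overwrite pass. The carving step is the point: it never consults the allocation table, so anything the format left in the data sectors is reachable by a plain byte scan.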

  16. This makes the argument for... by Nom+du+Keyboard · · Score: 1

    This makes the argument for keeping all your important data on a drive with an interface so old and obscure that this new box can't interface to it.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:This makes the argument for... by tehcyder · · Score: 1

      This makes the argument for keeping all your important data on a drive with an interface so old and obscure that this new box can't interface to it.

      I thought we didn't like security by obscurity here?
      --
      To have a right to do a thing is not at all the same as to be right in doing it
  17. Backup Device by Doc+Ruby · · Score: 1

    I wish I had one of those, but not "secure" (and so much cheaper) that can just clone one existing HD I'm replacing onto a larger one with which I'm replacing it. Even 1Gbps would be good.

    Maybe there's a dead-simple Linux app that will do this across a Gb-ethernet. Not just "network tar", but which reloads a new drive that's got only a new install of the OS (eg. Ubuntu) with only the non-OS data, plus OS configs (eg. /etc), from the old one.

    --
    make install -not war

    1. Re:Backup Device by piojo · · Score: 1

      rsync? The options are there.

      --
      A cat can't teach a dog to bark.
    2. Re:Backup Device by ZwJGR · · Score: 1

      dd command with netcat.
      If you size the destination partition right, you can clone the partition, in its entirety, file system and all.
      Or you can just clone the partition (or entire disk) to a file.

      --
      There is no psychiatrist in the world like a puppy licking your face - Ben Williams
    3. Re:Backup Device by GPL+Apostate · · Score: 1

      Norton Ghost will do that for many systems. There's a 'Ghost for Unix' utility that should work, also.

      --
      Microsoft says legacy (serial/parallel) ports are bad. They don't obfuscate the hardware enough.
    4. Re:Backup Device by Cheesey · · Score: 2, Insightful

      The job you are talking about is quite easy on Linux because the only file that requires a special post-copy procedure is the kernel image - and even then, you only have to rerun lilo or grub. In fact you can copy an entire disk image using just "cp -a", and it will still boot if you update lilo or grub. The best way to upgrade a Linux system to a new hard disk is to do a copy in that way, with the target disk mounted somewhere in the current system. Then swap the disks, boot from a live CD, and run lilo or grub. Then upgrade the OS if you want once you are up and running. But if you do want to start with a clean install, just copy /home and any parts of /etc that you've changed.

      You can use dd and netcat, as another reply suggests, but I've done this many times, and I think it's much better (and easier) to recreate the file system, not least because this provides a really easy way to resize the disk in either direction. It's also faster (dead space is not copied) and defragments the file system too. You only have to use tools like dd, Ghost, PartImage or ntfsclone when the OS acts against easy cloning by having lots of special files that have to be at specific locations on disk. (Every version of Windows has this "feature".)

      --
      >north
      You're an immobile computer, remember?
    5. Re:Backup Device by Doc+Ruby · · Score: 1

      Mostly true. But there's a lot more to reinstalling a corrupted (or possibly) OS than just the kernel image. Or I'd just (apt-get --reinstall install kernel-image). When I upgrade drives, I also like to prune back my installed apps. It decreases the dependency hell. And it removes the bloat from all the apps I installed for one-shot tasks, or experimenting.

      I hear there's a way to get APT to generate a graph of all the installed apps, with dependencies. I wish I could use that graph as a UI to prune and add apps from/to the dependency network. That would be the ultimate APT GUI for me. And make it easier to save little config files with complete installation instructions. That could also make rolling my own distros for specific tasks on specific machines a lot easier. Make it all directable from a remote console to a "blank" new host plugged into the network, and it's all easy and efficient.

      --
      make install -not war

  18. Anyone make a self-destruct system for a PC? by WarlockD · · Score: 2, Interesting

    Seriously, like some kind of bullet that shoots the hard drive (Maybe 22round, aimed toward the ground) and can be activated at a press of a button?

    1. Re:Anyone make a self-destruct system for a PC? by 'Aikanaka · · Score: 3, Insightful

      I recommend a thermite disk eraser - http://www.metacafe.com/watch/599982/how_to_make_thermite/ - which will provide a very quick method of creating a very non-recoverable hard disk. Thermite FTW!

    2. Re:Anyone make a self-destruct system for a PC? by Fulcrum+of+Evil · · Score: 0

      A measured amount of thermite should do the trick. Of course, the other trick is to make it work without burning the house down.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    3. Re:Anyone make a self-destruct system for a PC? by aliquis · · Score: 2, Interesting

      Yeah, just open an old HDD, remove the platters and heads and fill it with thermite, connect an electronic igniter (if one exists/works) to the molex connector and you are good to go!

      That will show them not to touch your data ;D

      Or in your case put that drive on top of the other and light it yourself when they come knocking on your door.

    4. Re:Anyone make a self-destruct system for a PC? by Zero__Kelvin · · Score: 1

      That would certainly give new meaning to the warning: "Be careful what you type when logged in as root. You could easily shoot yourself in the foot!"

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    5. Re:Anyone make a self-destruct system for a PC? by Fëanáro · · Score: 1

      Encrypting the drive seems to be safer, easier and less prone to devastating and potentially deadly errors.

      Not to mention, if you are doing this to protect yourself from the police, then "wired his pc with a bomb" will not sound good in front of a jury.

    6. Re:Anyone make a self-destruct system for a PC? by WarlockD · · Score: 1

      Not sure about thermite though. It was the first thing I thought of too, but let's say you're on a raised floor, or you don't want to cause a fire :P

    7. Re:Anyone make a self-destruct system for a PC? by hawk · · Score: 1

      I tried once. I couldn't get the voice for the countdown right, though . . .

      hawk

    8. Re:Anyone make a self-destruct system for a PC? by Anonymous Coward · · Score: 0

      My disks all have a small phial of hydrofluoric acid mounted internally. If you do not present the correct code to them within 1 minute of power-up, the acid sprays onto the disk surface and head unit.

      The internal airflow is designed to continuously spread the acid over all the critical surfaces, which will, of course, continue to work even if the power is switched off. I got them as spares (surplus to requirements) from the British Foreign Office. They are used for Embassy and spy work, and are also mounted on various British avionic and naval platforms - I don't think the US have anything like them.

    9. Re:Anyone make a self distruct system for a PC? by iivel · · Score: 1

      Couldn't you just keep the HDD in the microwave oven via a long SATA/ESATA connection?

    10. Re:Anyone make a self distruct system for a PC? by tehcyder · · Score: 1

      Jesus Christ, why not just bury an H-bomb in your basement that can be triggered by your thoughtwaves?

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  19. Probably a bogus writeup abt being tamper evident by Beryllium+Sphere(tm) · · Score: 1

    If it's like everything else in that space it generates a secure hash of the source material as it's being acquired. Write that down and store it someplace, and you can prove later that the data haven't changed, barring a mathematical breakthrough or the most amazing coincidence in world history.

  20. Secure drives and erasure by Barny · · Score: 4, Interesting

    Ahh, just in time then is Seagate's announcement of the FDE series of drives; they use a small Linux-based boot sector to allow or disallow access to the drive's decoding hardware. Of course, without that hardware enabled and with the right key it will all be useless :)

    As for the people talking about "safe methods for wiping drives", the only place I (personally) know of that has such requirements is DIGO http://www.defence.gov.au/digo/ they use a furnace, works damn well. The moral of the story is, new drives are cheap, why fuck around with "maybe".

    --
    ...
    /me sighs
    1. Re:Secure drives and erasure by markdavis · · Score: 1

      Ahh, just in time then is Seagate's announcement of the FDE series of drives; they use a small Linux-based boot sector to allow or disallow access to the drive's decoding hardware. Of course, without that hardware enabled and with the right key it will all be useless :)
      And you don't think there is a built-in backdoor already there from the factory?
    2. Re:Secure drives and erasure by Barny · · Score: 1

      Oh yeah, of course...

      And if it became publicly known that Seagate did such a thing they would lose their corporate clients how fast?

      --
      ...
      /me sighs
  21. Re:System memory? Torrentspy could use one by Beryllium+Sphere(tm) · · Score: 1

    That was Joanna Rutkowska herself:
    http://i.i.com.com/cnwk.1d/i/z/200701/bh-dc-07-Rutkowska-ppt.pdf
    Google "Rutkowska DMA" for more discussion (one of my blogs is the third hit).

  22. 240 volts to usb/firewire ports by timmarhy · · Score: 4, Funny
    This makes me want to disconnect my usb/firewire cables and solder a 240 volt feed to them.

    let's see their nifty device copy shit then.

    --
    If you mod me down, I will become more powerful than you can imagine....
    1. Re:240 volts to usb/firewire ports by WindowsIsForArseWipe · · Score: 0

      You may not realise it but it is actually quite simple to provide protection from direct mains connection to a particular port. It doesn't even cost that much.

  23. Re:Probably a bogus writeup abt being tamper evide by ColdWetDog · · Score: 1

    Or you could just print the data out and drive the defense lawyers insane. Nice and low tech. Not digital at all.

    --
    Faster! Faster! Faster would be better!
  24. True and permanent data destruction by __aawavt7683 · · Score: 1

    Use an IBM Deskstar hard drive:

    http://www.astro.ufl.edu/~ken/crash/index.html

    Seriously, though, if you use a _power_ sander to sand a platter, it will die. Just like wood, just like metal. Once you get rid of the shine, nothing will be recovered -- assuming you got rid of it mechanically/chemically and not just by covering it.

    -DrkShadow

    1. Re:True and permanent data destruction by Anonymous Coward · · Score: 0

      Please don't remind me, back in the days I ran a RAID-0 setup on two IBM Deathstars... :-(

      Well, at least it was blazing fast as long as it worked :-P

  25. What about flash by SkinnyKid63 · · Score: 0

    Can overwritten data on a flash hard drive be recovered? I suppose if you're really paranoid you could store data in RAM and have it set to randomly overwrite itself if it were about to be compromised.

    1. Re:What about flash by bussdriver · · Score: 1

      Yes.
      1) Flash microcontrollers are designed to spread out the write wear on the memory since they have limited writes before they die, so your data is staggered all over the place. You can't overwrite a file to wipe it from the medium. In addition, different flash devices do it all differently.

      2) In theory, flash never loses data because traces of prior data remain. In real-world use we don't know how many generations back can be recovered by current methods, or really the methods themselves, because they are proprietary or secret. Physically probing the chips is possible but extremely time intensive and therefore an unrealistic method, but the most likely to work the best. Some flash RAM is built in ways that allow the design or testing parts of the chips to be leveraged to help get the data back; however, this changes a lot and by brand.

      3) The NIST recommends only to totally destroy (burn) flash medium, proving that even in lower security situations they know there is no secure wipe worth bothering with.

      4) RAM possibly can be recovered even when the computer has been turned off. I've not found any recent proof of the ability to do this; however, there are papers indicating it is possible to get the last thing in RAM using the built-in testing parts of the RAM. Also, non-encrypted swap likely has a lot of data worth getting. Apple, for example, does not mlock() any passwords in RAM, so they seem to always end up in your swap file and seem to be given away by surrounding data.

      5) DMA hacks allow external devices to copy active RAM rather quickly and quite possibly without the OS having a clue. Firewire was a perfect method for doing this and works on older Macs without firmware patches or running pre-OS X 10.3, and it is supposed to work on any Windows before Vista. Other DMA hacks surely exist. Not to mention methods to crash your KERNEL and hook into debugging features or using the crash dump file. As networking concepts move into your system bus, more abilities are likely to develop.
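Point 1 above (wear levelling means a host-side overwrite never touches the physical cells that held the old data) is easy to demonstrate with a toy flash translation layer. The following is an added illustration, not code from this post or from any real drive firmware; the page size, the number of pages and the allocation policy are all constructed assumptions, and real controllers differ by brand exactly as the post says.

```python
"""Toy flash translation layer (FTL) showing why overwriting a file does not
sanitize NAND flash.  Added illustration; page size, page count and the
round-robin allocation policy are assumptions, not any vendor's design."""

PAGE_SIZE = 4                   # bytes per page (constructed, tiny for readability)
PAGES = 8                       # physical pages in our "chip"
ERASED = b"\xff" * PAGE_SIZE    # erased NAND reads as all ones


class ToyFlash:
    """Wear-levelled flash: a logical block is never rewritten in place.
    Each write goes to a fresh erased page; the superseded page keeps its
    bytes until garbage collection erases it."""

    def __init__(self):
        self.phys = [ERASED] * PAGES      # physical page contents
        self.l2p = {}                     # logical block -> physical page
        self.free = list(range(PAGES))    # erased pages, handed out in order
        self.stale = []                   # pages holding superseded data

    def write(self, logical, data):
        assert len(data) == PAGE_SIZE
        if not self.free:
            self.garbage_collect()        # only the controller decides when
        if not self.free:
            raise RuntimeError("no erased pages available")
        page = self.free.pop(0)
        self.phys[page] = data
        old = self.l2p.get(logical)
        if old is not None:
            self.stale.append(old)        # old copy is NOT erased here
        self.l2p[logical] = page

    def read(self, logical):
        """What the host sees through the standard interface."""
        return self.phys[self.l2p[logical]]

    def garbage_collect(self):
        """Erase superseded pages; only now does old data disappear."""
        for page in self.stale:
            self.phys[page] = ERASED
            self.free.append(page)
        self.stale = []

    def raw_dump(self):
        """What a chip-off reader sees: every physical page, mapped or not."""
        return list(self.phys)


def overwrite_leaves_remnant():
    """Host 'securely' overwrites logical block 0 with zeros (as dd would).
    Returns (what the host reads back, whether the secret is still on-chip)."""
    flash = ToyFlash()
    secret = b"KEY1"                      # constructed sample data
    flash.write(0, secret)
    flash.write(0, b"\x00" * PAGE_SIZE)
    return flash.read(0), secret in flash.raw_dump()


def gc_removes_remnant():
    """After the controller's own garbage collection the old page is gone."""
    flash = ToyFlash()
    flash.write(0, b"KEY1")
    flash.write(0, b"\x00" * PAGE_SIZE)
    flash.garbage_collect()
    return b"KEY1" in flash.raw_dump()


def versions_physically_present(n):
    """Overwrite block 0 n times; count how many earlier versions a raw read
    of the chip still finds.  The host cannot predict this number."""
    flash = ToyFlash()
    for i in range(n):
        flash.write(0, b"V%03d" % i)
    dump = flash.raw_dump()
    return sum(1 for i in range(n) if b"V%03d" % i in dump)
```

Run `overwrite_leaves_remnant()`: the host reads back zeros, yet the raw dump still contains the original bytes; `versions_physically_present(5)` finds all five copies, while a ninth write happens to trigger garbage collection and leaves only two. The only erasure the host can rely on is one the controller performs itself (a whole-device sanitize or physical destruction, which is the NIST advice the post refers to).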

    2. Re:What about flash by Anonymous Coward · · Score: 0

      what about the trusty microwave?

  26. Degauss it by LuminaireX · · Score: 1

    Easy enough to foil - don't format your drive. Run it through a degausser a few times; that data's unreadable and the drive can never be used again

  27. Soviet Russia by ultranova · · Score: 1

    From post-Soviet Russia, digital crime targets you !

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  28. Modern magnetic media is tough by Mathinker · · Score: 2, Informative

    The Curie point of modern magnetic media is higher than the melting point of aluminum.

  29. So what does it help them... by fluch · · Score: 1

    ...if they copy my hard drive (after they have managed to get past the hard drive password) if they find most of the partitions encrypted with 256-bit AES and the swap partition with 64-bit Blowfish? Anything useful there for them?
    Cheers,
    - Martin

    1. Re:So what does it help them... by gzunk · · Score: 1

      If you're in the UK the police would ask you for the encryption keys. If you don't provide them they prosecute you under Part 3 of the Regulation of Investigatory Powers Act (RIPA), which leads to up to 2 years in jail, 5 years if it's for "national security". Just for withholding the keys. So it depends on whether you think what's on your hard drive is going to get you an even worse punishment.

    2. Re:So what does it help them... by Vegeta99 · · Score: 1

      SO what's worse, 5 years in jail cuz you were a fucker and wouldn't give up your password, or 25 years to life for blowing up a subway station? =)

  30. It does not matter! by Burz · · Score: 1
    Firewire ports are hot-pluggable DMA with bus mastering. With the right program, any FW device plugged into your system can suck out the plaintext RAM contents (including your keys), install and run rootkits without even touching the disk, etc.

    Discovery of the FW exploit from several years ago.

    Recent commentary:

    Physical memory acquisition over Firewire is a trendy tactic for snapshotting suspect systems without the interference of malware. Recall that Firewire, which is basically a glorified DMA controller with a funky cable coming out of it, has presumptively unmediated access to physical memory; your CPU may initialize the Firewire peripheral, but it doesn't get between the peripheral and the memory controller.


    I am seeing mention around the web that this kind of access can be done with a PCI card (plugging it into a live system??).
    1. Re:It does not matter! by Technician · · Score: 1

      With the right program, any FW device plugged into your system can suck out the plaintext RAM contents (including your keys), install and run rootkits without even touching the disk, etc.

      I guess I needed to be more specific than this statement.
      I prefer encrypted external storage which uses a non-standard filesystem.

      To be more specific, hardware based encrypted NAS appliance, not a general purpose PC.
      Not only is it lacking a firewire port, but has no place to install one.
      http://www.simpletech.com/commercial/simpleshare/

      The old version of firmware supports drive encryption. The newer version dropped encryption and has a fancy drop and sort media directory instead.

      Several forums have discussed removing the internal drive to read them on a Linux PC, but was unable to mount the filesystem.

      The only ports on this box are a power jack, USB ports, and an Ethernet connection.

      --
      The truth shall set you free!
    2. Re:It does not matter! by Carewolf · · Score: 1

      Conventional wisdom says that if someone has physical access to your system your data is no longer safe. Only if the data is encrypted and passive, does it stand a chance.

  31. An unreliable source might have said.. by Gazzonyx · · Score: 2
    I've heard from an unreliable source (perhaps it was on slashdot, I can't recall) that a good method for doing this is rather to write data streams randomly. Something like an MP3 or any binary you'd like.

    I guess the theory was that if you do this a few times with random sources, the magnetic characteristics (shadows) have not all been changed by the same amount, so you can't apply a logarithmic algorithm to figure out the possible states that the disk could have been in and see if they make any sense.

    I'm pretty sure that magnetic shadows work on an inverse square equation, where you are left with 1/2^n (where n is the iteration) of the original image's strength after each iterative change. Meaning that if I know that the bank destroys hard drives from their computers with 10 iterations of straight 0s then straight 1s, I could 'play back' the formatting. I'm just pulling that out of thin air, but I think I've heard it somewhere. Please correct me if I'm wrong, along with the corresponding wiki link ;).

    --

    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

  32. More alarming reading... by Burz · · Score: 1

    John Heasman, director of research at NGS Software, spent an hour and a half at the conference scaring the audience out of its wits with his descriptions of several techniques for using the memory space on PCI cards and other devices to load rootkits. Heasman has been at this particular task for some time now, and his work is in no way theoretical; these are working exploits. He's found methods for loading a rootkit onto a PCI device via the flashable ROM.

    http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1246533,00.html

  33. Depends on the kind of format by Sycraft-fu · · Score: 1

    You may notice that Windows has a "quick" and normal format. The difference? About an hour on a large drive. So why the time difference? Well a quick format goes and just writes to disk what is needed for the partition, which is an empty MFT more or less. Takes little time. All sectors are marked as blank and usable, but aren't touched. A full format then goes and zeros all the sectors.

    It's actually not for security, but for reliability. During the full format, if there's a sector that's problematic to write to, the drive will mark it as bad and remap to another sector (all drives have extra sectors for that purpose). No data loss occurs since you are just writing zeros. Thus by doing this there's a fairly good chance that all your sectors are good as all of them have been touched.

    The side effect, however, is you won't be recovering data with data recovery tools as the drive was well and truly overwritten.

    1. Re:Depends on the kind of format by Remik · · Score: 1

      "A full format then goes and zeros all the sectors."

      I don't believe that's true. I believe a full format simply marks all the sectors as unallocated space, not writes 0s. There's a big difference. I've recovered tons of data from a drive that I just formatted (not quickformat) using FTK. If it had been overwritten, that shouldn't have been possible.

      -R

    2. Re:Depends on the kind of format by MikeBabcock · · Score: 1

      There's a 'badblocks' tool on Linux to do the same thing. Tools like mke2fs can use the tool or the output from it to get a list of bad blocks to avoid on the hardware.

      Personally, I'd recommend using an encrypted filesystem in the first place so that when you wipe out your hard drive you're wiping essentially random-looking encrypted data. Forensics becomes much more difficult when you're trying to separate randomness from randomness.

      --
      - Michael T. Babcock (Yes, I blog)
    3. Re:Depends on the kind of format by Anonymous Coward · · Score: 0

      If you want the job done right, you've got to DD it yourself.

      dd if=/dev/(u)random of=/path/to/device

      Don't try this at home kids.

  34. Reality check for you by Burz · · Score: 2, Informative
  35. Not using todays 500gig+ HDs by cheekyboy · · Score: 1

    Maybe the older HDs of under 32 gig, but today's high-density drives use such modern writing and it's so tiny that there is no overlap or micro leaks to look for. Besides, you would need a damn $100m machine to do it.

    --
    Liberty freedom are no1, not dicks in suits.
  36. But, WILL IT BLEND? by Mr_Krabs · · Score: 1

    THAT is the question!

  37. RAID by spudnic · · Score: 1

    So how would they deal with folks who have their data on RAID?

    --
    load "linux",8,1
  38. Re:System memory? Torrentspy could use one by pimpimpim · · Score: 1

    Interesting how that is a standard forensic operation if firewire is not really present on so many PCs at all.... Does this work over USB as well?

    --
    molmod.com - computing tips from a molecular modeling
  39. Complete rubbish by Joce640k · · Score: 1

    TFA talks about cloning disks and "system memory" - so it's unlikely the reporter actually knows what he's talking about (also note that there's a squillion links in the text but not one to a source reference).

    On old drives, with, like, one bit per square inch of disk surface, it might have been possible to recover data after a few writes.

    With today's data densities (eg. 250Gb per square inch) it's a joke to suggest that they can get it back after 12 random writes (or seven... or whatever) via a "cloning machine".

    At these densities a single molecule is enough to tip the balance.

    Nope, this is just police FUD and scare-tactics (if it's even true).

    --
    No sig today...
  40. Google for "angle grinder"... by Joce640k · · Score: 1

    Ooooh! He used some fine sandpaper on the platters after he carefully disassembled it!!!

    Sorry, your "destructive" methods weren't actually very destructive.

    --
    No sig today...
  41. 2Gb/min is fast? by gweihir · · Score: 1

    Let me see, that is 33Mb/sec, i.e. 4.2MB/sec. This strikes me as exceedingly slow. I can do about 5 times that on my three year old laptop.

    Also, since when did slashdot stories just copy the marketing blurb?

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  42. Note that nobody is acually using this device... by Joce640k · · Score: 1

    Note that nobody is actually using this device, it's still in the "attracting interest from {unnamed government agency}" phase.

    IOW it's bullshit.

    --
    No sig today...
  43. Not reformatted datA; reformatted datE! by thepropain · · Score: 1

    Skimmed TFA, and noted the little typo in the summary. And with that in mind, this thing is nothing more than a souped-up external FireWire drive.

    --
    "You know you're narcissistic when you quote yourself in your sigs." -- PRoPAiN!
  44. Flash drive remanence by Beryllium+Sphere(tm) · · Score: 1

    >what about Flash memory blocks: is it even possible to restore, even theoretically, previous state there. Since the Flash chip interface only reports the last recorded value, and you can't really read the Flash chip in any other way except the standard interface on the chip, I'd say no.

    Ross Anderson's group at Cambridge has done some interesting work on this. If a cell is stuck between a 0 and a 1, all you need to do to read the hidden value is to drop the power supply voltage. Conceptually, if the old value was 0 and you wrote a 1 and got an analog value of 0.6, then you could lower the voltage enough that it would read as 0.4, which would round to 0 and show you the old value.

    If memory serves they found that erasure did less to change the physical value of a bit than overwriting did.

    Security is fun.

  45. Solution: Cadweld by Thomas+Shaddack · · Score: 1

    Use a small thermite charge. You can use a commercially available mixture of copper thermite, a mixture of copper oxide with aluminium, with included electrical igniter, used for the "cadwelding" process for welding copper. Except that instead of welding two copper bars you will be thermally decomposing a piece of resin with a sliver of silicon inside. For the purchase, to be on the safe side, prepare a cover story about e.g. installing a lightning rod system. Get several packs and test the assembly before actual deployment to be fully confident about its use. You may also put the whole disk-thermite-igniter assembly into a bed made of chamotte or other refractory ceramics, in order to prevent it chewing its way through the floor, and cover it with some spark guard so it won't be spewing fire around.

    1. Re:Solution: Cadweld by Lehk228 · · Score: 1

      because that is so much easier than a wood stove. or even a propane blowtorch

      --
      Snowden and Manning are heroes.
    2. Re:Solution: Cadweld by Thomas+Shaddack · · Score: 1
      Both the propane blowtorch and the wood stove rely on the cooperation of the operator, and are therefore dependent on his/her physical presence and ability to have the five minutes needed. Whereas breaking a glass and pressing a button when the jackbooted ones are kicking in the door, or even just not doing anything and letting them trip the fuse themselves, is much more feasible in a crisis situation.

      The thermite-based rig can be designed to be tamper-resistant, and to fire when an unauthorized attempt to open it or to remove it from its designated position is detected, a duress button is pressed, or other arbitrary condition is detected.

      The same can be achieved without fire, with an encrypted filesystem with a key in SRAM, zeroized in case of tampering or duress. The key store can be connected to the system SMBUS (which is I2C with some minor protocol extensions), which can be accessed either on the motherboard connector, or, if not, on the DIMM socket.

  46. I am not a lawyer by TinBromide · · Score: 1

    But i work in data forensics. We currently have all the capabilities specified by the device in the article with the exception of the speed. We currently work at about 30 mb/sec copying. But we also rip out the hard drives to prevent spoliation. Only thing special about the device is the speed, everything else is common practice.

    --
    Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
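Posts 19 and 46 above describe the two things that make an acquisition stand up later: a bitwise copy of every sector (taken through a write blocker, so the source is never modified) and a cryptographic hash of the stream taken while it is copied, recorded so that anyone can re-hash the image and show it is unchanged. The block below is an added example of that workflow, not the TreCorder's software and not code from any poster; the "evidence drive" is a constructed in-memory byte string, and the chunk size and the JSON record layout are assumptions made for the example.

```python
"""Bit-for-bit acquisition with a streaming SHA-256, plus later verification.
Added example: the sample drive is a constructed byte string, the chunk size
and the record fields are assumptions, and the read-only stream stands in for
a hardware write blocker."""

import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 512   # copy granularity in bytes (constructed; real imagers use far larger blocks)


def constructed_drive():
    """A fake 8 KiB disk: one live file, one deleted file whose sectors are
    still present but unallocated, and empty space.  A file-level copy would
    carry only the live file; a bitwise image carries everything."""
    live = b"LIVE: quarterly report\n".ljust(CHUNK, b"\x00")
    deleted = b"DELETED: but the sectors still hold it\n".ljust(CHUNK, b"\x00")
    rest = bytes(14 * CHUNK)
    return live + deleted + rest


def acquire(source, dest, block_size=CHUNK):
    """Copy every byte from source to dest sector by sector (what dd does)
    and hash the stream as it passes.  Returns the acquisition record that
    an examiner would write down and store separately from the image."""
    digest = hashlib.sha256()
    copied = 0
    while True:
        block = source.read(block_size)
        if not block:
            break
        dest.write(block)
        digest.update(block)
        copied += len(block)
    return {
        "bytes": copied,
        "sha256": digest.hexdigest(),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }


def acquire_bytes(data):
    """Convenience wrapper: image an in-memory 'device', return (image, record)."""
    dest = io.BytesIO()
    record = acquire(io.BytesIO(data), dest)
    return dest.getvalue(), record


def hash_stream(fileobj, block_size=CHUNK):
    h = hashlib.sha256()
    for block in iter(lambda: fileobj.read(block_size), b""):
        h.update(block)
    return h.hexdigest()


def verify(image_bytes, record):
    """Re-hash the image and compare with the record.  True means the image
    is byte-identical to what was acquired; any later change, accidental or
    deliberate, changes the digest."""
    if len(image_bytes) != record["bytes"]:
        return False
    return hash_stream(io.BytesIO(image_bytes)) == record["sha256"]


def demo():
    """Image the constructed drive, check that unallocated data made it into
    the image, then show that flipping a single bit is detected."""
    image, record = acquire_bytes(constructed_drive())
    has_unallocated = b"DELETED:" in image      # no filesystem lists this, the image has it
    intact = verify(image, record)
    tampered = bytearray(image)
    tampered[CHUNK] ^= 0x01                     # one bit in the deleted file's first sector
    detects_change = not verify(bytes(tampered), record)
    return has_unallocated, intact, detects_change, json.dumps(record)


if __name__ == "__main__":
    print(demo())
```

The record is only useful if it is stored somewhere the image cannot silently alter (post 19's "write that down"), and the speed in post 46 is a property of the copy loop, not of the hashing: SHA-256 keeps up with any disk interface, so hashing while copying costs nothing compared with a second pass over the source.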
  47. Marketing Material by lakiw · · Score: 1

    There's a big difference between collecting the data and analyzing it. I've seen the results by iSEC Partners in fooling forensics software, (For example, if you want to hide your pr0n, put it on the 26th partition on your hard drive), and it deals with the inability of forensics analysis software to deal with analyzing targeted malicious files. You are going to have these issues with any software that processes files that previously were under the complete control of a malicious user. In a non-computer forensics example, suppose your friend gives you a CD with a trojan .jpeg file on it. You can make an exact copy of that file to your computer no problem, but when you view the .jpeg file it installs a back door on your computer. Forensic software has to deal with the same issues. That's where this article is misleading. Their solution does not solve that problem. In fact, it runs EnCase right on the box for analyzing the hard drives, (which is one of the tools iSEC Partners looked into breaking). As far as collecting data securely goes, anyone can do that as long as they have a write blocker and they do a bitwise copy (vs a file copy). What they really needed to say in this review is that TreCorder is a one-box solution to both collect and analyze forensics data that was specifically configured for that task. That way you don't have to spend the extra 2 minutes to disconnect the copy of a hard drive from the duper and connect it to your analysis computer.