Forensic Computer Targets Digital Crime

coondoggie writes "A European consortium has come up with a high-speed digital forensic computer dedicated to the task of quickly offloading and analyzing computer records. The TreCorder is a rugged forensic PC able to copy or clone up to three hard disks simultaneously, at a speed of up to 2 Gb/min., far faster than alternative equipment. The PC not only provides a complete mirror image of the hard disk and system memory — including deleted and reformatted data — but also eliminates any possibility of falsification in the process, meaning that the evidence it collects will stand up in court."

how good is it?

[thatskinnyguy]

I have to wonder, after how many overwrites can this system detect data? The last I checked, the FBI can see data that has been overwritten 12 times.

Re:how good is it?

[Jah-Wren+Ryel]

I have to wonder, after how many overwrites can this system detect data? The last I checked, the FBI can see data that has been overwritten 12 times. Possible, but highly unlikely and certainly expensive if they were able to pull it off.

Read this, including the epilogue:
Secure Deletion of Data from Magnetic and Solid-State Memory

Re:how good is it?

[SamP2]

I keep seeing over and over posts that say that a "hardware" method would be the one that is totally secure, and the best example being a hammer.

You'd be surprised, however, how resistant drives can be do physical damage.

For those who know anything about hard drives (referring to regular platter drives, not solid state), you'd know that inside the rectangular case (made out of crappy soft aluminum) lie several plates connected to each other through a spinner in the middle, and they are made out of pretty strong steel.

When I took my data security course, we practiced destroying data physically. So I opened the hard drive, removed the platters and disconnected them. Then came the fun part, trying to destroy them.

First I tried several grades of sandpaper. All the lighter ones didn't leave a JACK SQUAT mark, no matter how hard I tried. The most heavy ones left _very_ small marks which were only visible in the direction of the strongest applied force. Sanding a whole drive this way would take days, and I wasn't sure it was strong enough to actually fully remove the magnetic cover. If anything, I damaged the sandpaper more than the drive.

Then I tried a metal file. The results were considerably better, with deep strong marks, but again, they only covered the path of the sharpest edge of the file, not the whole contact surface area. I filed away for 5 minutes straight, and I only managed to produce about 30% area of a single side of a single platter which I could say was destroyed with high probability of not being recoverable.

Finally, I tried a heavy hammer on another platter, having locked the platter in a vise. I wasn't impressed. The hammer, at best, produced bends across the drive. After another 5 minutes of hammering away, the drive was certainly not round anymore, but the total surface area actually destroyed by these bends was fairly minimal. Sure, it may prevent an easy automatic way of recovering data using regular means (spinning it against a magnetic reader the same way drives usually work), but I'd say at least 80% of that platter still had data on it. The manual work requiring to read the data piece by piece may indeed take weeks, but it would probably be possible, and having the mentality of "it'll take them too much work to read it" is akin to having the mentality of "nobody will hack me because I'm not a target of interest and they won't bother". From the point of view of a security specialist, it's wrong in principle.

The moral of the story is that hard drives are a pretty tough nut and not as easily physically destroyed as you may think. To all those rambling away about how unreliable hard drives are and how easy they break down, I'd say that in the vast, vast majority of cases what breaks down is the engine, the magnetic mechanism, or something else that would prevent the drive from being readable by tools built in the drive box, but not the platters with the data itself.

Another common myth is that you can easily and securely permanently wipe the data with a magnet. The forces required to near-instantly and irrecoverably overwrite the magnetic stripe of the disk are ENORMOUS. During regular usage, a relatively weak magnet is used to read and write on the disk, but it only operates on a minuscule area of the disk (trivially, by writing a bit on an 4 (double sided)-platter 500GB drive, the magnetic edge only operates on 1/500,000,000,000th area of the platter. Now use the denominator to figure out the magnetic intensity required to fully overwrite the whole disk at once. It ain't pretty. Industrial-grade degaussers may do the trick, but not your average home magnet (which, of course, doesn't mean the magnet is not good enough to randomly corrupt a small part of the data which will screw your partition table and make your OS refuse the read the drive anyways). But I somehow doubt the folks in the NSA use Windows XP Home Edition to investigate hard drives.

The "true" way to destroy hard drives is to completely melt them in an incinerator, and t

Re:how good is it?

[Hex4def6]

Why not just dip the platters in a some corrosive? I'm sure even some like drano might do the trickk.

Or perhaps how about holding the platters up to a propane torch? you wouldn't need to melt them, just get them hot enough that they lose their magnetic field.

Re:how good is it?

[DMUTPeregrine]

Pulsed-power. coin shrinkers are an easy solution. Just use the coil around the HDD instead of a coin. I generally just use a grinding wheel. It's hard to read platters once they are dust.

Re:how good is it?

[TheWanderingHermit]

One of our LUG members recently did a presentation on computer forensics. I forgot the group that he took his classes through, but I remember a friend of mine saying they were one of the best. His comment on this was that the myth of data being retrievable after it has been written over is just that, these days: a myth. It seems that was a problem back in the earlier days of hard drives, but not with any recent equipment. It seems that once this became a "fact" it's stayed one for decades, even though there's been no evidence or proof of it being true with any hard drive designs for years.

I don't know how accurate that is, but I know a few others in the LUG started looking into it and nobody posted any links they felt were valid to back up the surviving data myth.

Re:System memory? Torrentspy could use one

[Jah-Wren+Ryel]

I read the article, and it sounds like its "marketing" - we all know that system memory can't be read the way they claim - by plugging into the hard drives. Sure, you'll pick up what was in swap, but if a person is smart and worried about security, they don't have swap - turn it off, and all memory goes bye-bye. They plug into the firewire port and use the PC's own firewire controller to DMA from host memory out across the firewire bus.
That is a standard forensic operation nowadays.

However, some people have already postulated, if not actually implemented, protections against that sort of attack. The idea is that the host can reprogram the PCI bus controller to route all DMA requests from the firewire controller off into some user-specified range of memory. In theory the forensic tool could detect that the PCI controller has been programmed to do that, but it could not do anything about it.

Drive density

[Beryllium+Sphere(tm)]

I'd enjoy seeing (recent!) references on this, since hard drive technology has moved quite a bit since the Gutmann paper (the epilogue to which says "with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques").

The two best arguments I've seen among the speculation are

AGAINST: if it were possible to read under 12 layers of overwriting, wouldn't the drive manufacturers boost density by writing the same spot 12 times?
FOR: a read head in a lab doesn't have to be light, may not need to be fast, and definitely doesn't have to cost less than a good dinner. In other words, it's not subject to the limitations of the drive's read head.

Anyone make a self distruct system for a PC?

[WarlockD]

Seriously, like some kind of bullet that shoots the hard drive (Maybe 22round, aimed toward the ground) and can be activated at a press of a button?

Re:Anyone make a self distruct system for a PC?

[aliquis]

Yeah, just open an old HDD, remove the platters and heads and fill it with thermite, connect an electronic igniter (if one exist/works) to the molex-connector and you are good to go!

That will show them not to touch your data ;D

Or in your case put that drive on top of the other and light it yourself when they come knocking on your door.

Secure drives and erasure

[Barny]

Ahh just in time then is Seagates announcement of FDE series of drives, they use a small linux based boot sector to allow or disallow access to the drives decoding hardware, of course without that hardware enabled and with the right key it will all be useless :)

As for the people talking about "safe methods for wiping drives", the only place I (personally) know of that has such requirements is DIGO http://www.defence.gov.au/digo/ they use a furnace, works damn well. The moral of the story is, new drives are cheap, why fuck around with "maybe".

Re:I'm Sure...

[RLiegh]

What about when you replace FAT (or NTFS) with another filesystem entirely? Would the format done by mkfs.ext2 (or whatever) overwrite the data, or would it simply set up a filesystem table and leave the previous data on the drive readily accessible (to anyone who wants to recover it)?

Re:I love reporters

[Fourier]

The article mentions this being chose over sleuthkit, which makes me wonder just how much better (if at all) the software internals are on the TreCorder.

The key isn't so much the software as it is the hardware. The TreCorder uses hardware write blockers to provide a rather strong guarantee that the original data will not be corrupted even if the OS and the acquisition software happen to be written by idiots.

Re:Last you checked you were wrong

[baboo_jackal]

Sure, a scanning tunneling EM might be able to read the sides of sectors and get an idea of the charge state of the material, but you have to do it bit by bit
Yeah, if I can remember correctly from a forensic computing presentation we gave to a bunch of high school kids (I obviously didn't give the physical media recovery part), the way it theoretically works is that when the charge of a magnetic domains on a hard disk platter is changed, it's not changed uniformly throughout the entire domain. If you were able to identify a domain that was consistently left unchanged by the drive head (in our example, we used the outermost portion of the domain - say the drive head was aligned so that it acted on the inner portion of each individual track), you could potentially figure out what the last bit written was by looking at it through an EM.

I think that maybe you could also theoretically look at the Bloch walls or something like that. But the real bottom line is that:

1) Is it even possible? I can't find a single example of anyone actually doing this.
2) If possible, who in the world would be able to do it?
3) And, do you really think your secret stash of shemale porno and The Anarchist's Cookbook are that important to them?
4) It's not, so just delete it and move on with your life.