Forensic Computer Targets Digital Crime

coondoggie writes "A European consortium has come up with a high-speed digital forensic computer dedicated to the task of quickly offloading and analyzing computer records. The TreCorder is a rugged forensic PC able to copy or clone up to three hard disks simultaneously, at a speed of up to 2 Gb/min., far faster than alternative equipment. The PC not only provides a complete mirror image of the hard disk and system memory — including deleted and reformatted data — but also eliminates any possibility of falsification in the process, meaning that the evidence it collects will stand up in court."

how good is it?

[thatskinnyguy]

I have to wonder, after how many overwrites can this system detect data? The last I checked, the FBI can see data that has been overwritten 12 times.

Re:how good is it?

[dclocke]

I wouldn't mind seeing a source on that statistic. Because I'd be pretty comfortable betting my life savings that it's not true.

Re:how good is it?

[deftcoder]

Agreed, considering the NSA standard for data wipes is 7 random passes...

I'm more comfortable using this though: http://en.wikipedia.org/wiki/Gutmann_method

Re:how good is it?

[thatskinnyguy]

An electron microscope can pick up even the faintest of magnetic fields. The weaker the field, the more times it's been overwritten.

Re:how good is it?

[Jah-Wren+Ryel]

I have to wonder, after how many overwrites can this system detect data? The last I checked, the FBI can see data that has been overwritten 12 times. Possible, but highly unlikely and certainly expensive if they were able to pull it off.

Read this, including the epilogue:
Secure Deletion of Data from Magnetic and Solid-State Memory

Re:how good is it?

[Jah-Wren+Ryel]

Agreed, considering the NSA standard for data wipes is 7 random passes... The NSA has no such standard.
Really, try to find an official source, you won't.

Re:how good is it?

[Jah-Wren+Ryel]

Expensive in time too. If it takes 3 years to extract the information, it isn't going to be useful at trial (which is presumably why they are doing forensic analysis in the first place).

Re:how good is it?

[SamP2]

I keep seeing over and over posts that say that a "hardware" method would be the one that is totally secure, and the best example being a hammer.

You'd be surprised, however, how resistant drives can be do physical damage.

For those who know anything about hard drives (referring to regular platter drives, not solid state), you'd know that inside the rectangular case (made out of crappy soft aluminum) lie several plates connected to each other through a spinner in the middle, and they are made out of pretty strong steel.

When I took my data security course, we practiced destroying data physically. So I opened the hard drive, removed the platters and disconnected them. Then came the fun part, trying to destroy them.

First I tried several grades of sandpaper. All the lighter ones didn't leave a JACK SQUAT mark, no matter how hard I tried. The most heavy ones left _very_ small marks which were only visible in the direction of the strongest applied force. Sanding a whole drive this way would take days, and I wasn't sure it was strong enough to actually fully remove the magnetic cover. If anything, I damaged the sandpaper more than the drive.

Then I tried a metal file. The results were considerably better, with deep strong marks, but again, they only covered the path of the sharpest edge of the file, not the whole contact surface area. I filed away for 5 minutes straight, and I only managed to produce about 30% area of a single side of a single platter which I could say was destroyed with high probability of not being recoverable.

Finally, I tried a heavy hammer on another platter, having locked the platter in a vise. I wasn't impressed. The hammer, at best, produced bends across the drive. After another 5 minutes of hammering away, the drive was certainly not round anymore, but the total surface area actually destroyed by these bends was fairly minimal. Sure, it may prevent an easy automatic way of recovering data using regular means (spinning it against a magnetic reader the same way drives usually work), but I'd say at least 80% of that platter still had data on it. The manual work requiring to read the data piece by piece may indeed take weeks, but it would probably be possible, and having the mentality of "it'll take them too much work to read it" is akin to having the mentality of "nobody will hack me because I'm not a target of interest and they won't bother". From the point of view of a security specialist, it's wrong in principle.

The moral of the story is that hard drives are a pretty tough nut and not as easily physically destroyed as you may think. To all those rambling away about how unreliable hard drives are and how easy they break down, I'd say that in the vast, vast majority of cases what breaks down is the engine, the magnetic mechanism, or something else that would prevent the drive from being readable by tools built in the drive box, but not the platters with the data itself.

Another common myth is that you can easily and securely permanently wipe the data with a magnet. The forces required to near-instantly and irrecoverably overwrite the magnetic stripe of the disk are ENORMOUS. During regular usage, a relatively weak magnet is used to read and write on the disk, but it only operates on a minuscule area of the disk (trivially, by writing a bit on an 4 (double sided)-platter 500GB drive, the magnetic edge only operates on 1/500,000,000,000th area of the platter. Now use the denominator to figure out the magnetic intensity required to fully overwrite the whole disk at once. It ain't pretty. Industrial-grade degaussers may do the trick, but not your average home magnet (which, of course, doesn't mean the magnet is not good enough to randomly corrupt a small part of the data which will screw your partition table and make your OS refuse the read the drive anyways). But I somehow doubt the folks in the NSA use Windows XP Home Edition to investigate hard drives.

The "true" way to destroy hard drives is to completely melt them in an incinerator, and t

Re:how good is it?

[Hex4def6]

Why not just dip the platters in a some corrosive? I'm sure even some like drano might do the trickk.

Or perhaps how about holding the platters up to a propane torch? you wouldn't need to melt them, just get them hot enough that they lose their magnetic field.

Re:how good is it?

[TooMuchToDo]

I always though the best poor man's magnetic eraser would be an old MRI machine. Keep your storage array near the center suspended by a strong, non-metallic material. Someone busts in the door? Just push the breaker on for that MRI machine.

That, my friend, should be enough electromagnetic energy to wipe the entire drive at once.

Re:how good is it?

[jimmydevice]

It appears possible to recover previously erased data on old drives, but haven't the drive mfrs used exactly the same technology that the forensic disk morticians used in past years to get at erased crud (if ever)? It seems with vertical recording and super mag heads, the slop, leftover sideband noise and measurable blips of 90's tech now store data. I'm not trying to be factious, drive builders are pushing a lot of boundaries and I doubt they would back off ( unlike the MPAA and DRM ) reducing capacity to retain info for the man. I am drunk.

Re:how good is it?

[DMUTPeregrine]

Pulsed-power. coin shrinkers are an easy solution. Just use the coil around the HDD instead of a coin. I generally just use a grinding wheel. It's hard to read platters once they are dust.

Re:how good is it?

[compro01]

well, as someone said in a previous discussion:

The only way to truely protect your data is to grind up your hard drive into powder, magnetize it all, then heat it into a liquid. Cool and grind it up again, scatter it into the wind, and just HOPE entropy does the rest.

Re:how good is it?

[TheWanderingHermit]

One of our LUG members recently did a presentation on computer forensics. I forgot the group that he took his classes through, but I remember a friend of mine saying they were one of the best. His comment on this was that the myth of data being retrievable after it has been written over is just that, these days: a myth. It seems that was a problem back in the earlier days of hard drives, but not with any recent equipment. It seems that once this became a "fact" it's stayed one for decades, even though there's been no evidence or proof of it being true with any hard drive designs for years.

I don't know how accurate that is, but I know a few others in the LUG started looking into it and nobody posted any links they felt were valid to back up the surviving data myth.

Re:how good is it?

[PopeRatzo]

If you're not doing anything wrong, or using your computer to write or view anything wrong, or thinking anything wrong, or doing, writing, viewing or thinking anything that someone might construe to be wrong... ...then you have nothing to worry about.

Re:how good is it?

[GPL+Apostate]

Most people have little control of where the info gets cached on the system. You can *think* that it's only on the flash drive, but somehow an app sticks it into swap or a file in a temp folder.

Re:how good is it?

[MoralHazard]

Dear God, when will the FUD stop??!!?? This silly meme has been making the rounds for a very long time, ever since Gutmann wrote that god-awful paper for USENIX '96. IT IS NOT TRUE!! There are no scientific or engineering papers that provide any evidence to suggest otherwise--NONE.

Here's the story: Back in 1996, Peter Gutmann published a paper where he described the theoretical possibility of reading small sections of overwritten data, in a largely unreliable fashion. Having gone back through the source he cites, I came to be of the opinion that his assertion was irresponsible, since he makes a very bold claim without pointing out how many qualifications and 'but's are attached to it:

1) The specific techniques he discusses address older hard drive platter recording technologies that were completely supplanted, throughout the industry, in 1996-1997. Newer hard drives changed recording techniques to cram more data onto the same platter area, which eliminated the specific properties that would have allowed Gutmann's proposed recovery method to work.

2) None of Gutmann's citations ever claimed to have made the recovery methods work in a practical fashion (as in, actually recovering a sector of data, let alone a whole file) on a real hard drive. There were a few lab experiments that were NOT performed on hard drives, and nobody was cited as actually implementing a real-world method.

3) Since the 1996 paper (in '99, I believe), Gutmann published a revised draft that really only changed the section talking about this issue, and he significantly backpedaled his claims. Supposedly, some of his colleagues pointed out that his assertion was scientifically unsupported and extremely inflammatory. Net result: In the newest version of that paper, he basically admits that recovery of overwritten data, on modern hard drives, is snake oil.

There's more, though. Having worked in forensics and specifically dealt with federal law enforcement agencies, I get a chuckle when people (usually, the same tinfoil-hat guys who believe in aliens at Roswell) talk like the FBI has secret recovery technology that the private sector doesn't. This is provable bullshit, for several reasons:

1) The FBI has no real engineering capacity, and they're not as good at stuff like this as you think. In data forensics, especially, their equipment, techniques, and training have never been as good as what the private sector has. The private sector has more money, which means it can buy the newest toys and do real R&D, and it can afford to pay the big-ass salaries that cutting edge engineers require. For comparison, go ask somebody at Hitachi or Segate who does hard drive research how much money they make. Then, ask the FBI how much their highest-paid experts make. It's going to be at least a 2:1 difference, maybe more.

2) Secret methodologies are useless to the FBI, because they would never hold up in court. Data forensics depends on its credibility under the standards of scientific evidence, otherwise it gets tossed out of court and the defense wins. The basic test of scientific evidence is "Does the scientific community have a consensus that this method is correct?" If it's a secret method, there can be no consensus in the community, and it can't be used in court.

3) There's a simple thought experiment that verifies this: If it were possible to read data that has been overwritten even once, doesn't that mean that your hard drive has an actual storage capacity is twice what the manufacturer is actually giving you. How much sense does that make? Those guys jump on every technology possible to cram more data into a smaller space, so even if it's space-alien-magic stuff, they'll have an enormous incentive to make it practical to mass-produce. And they usually do just that. There only a tiny bit more usable capacity on your drive (Let alone 12x worth!) than the manufacturer's label says, and that's replacement sectors for areas that develop problems--we know about that, and it's not useful in data forensics for other reasons.

Re:how good is it?

[toddestan]

Why not just dip the platters in a some corrosive? I'm sure even some like drano might do the trickk.

Harddrives platters are commonly coated with DLC (diamond like coating). The Drano is not going to get through that to the metal. The DLC is also why the parent poster had no luck with sandpaper, as the DLC is likely harder than the grit. (the purpose of the DLC is to protect the platters from accidental contact with the heads - it's tough stuff)

However, your idea could work if the chemical was particularly corrosive - just compromise the DLC somewhere (use a file or something) then let the chemistry do its thing.

Re:how good is it?

[gweihir]

An electron microscope can pick up even the faintest of magnetic fields. The weaker the field, the more times it's been overwritten.

But the magnetic landscabe is noisy and there is a smalles stable magnetic intensity. After one overwrite it is very likely that the residual magnetisation from the eralier data vanishes in the noise and is too small to be stable, at least fo current disks. Remember that the HDD manufacturers have benn storing very close to the material limits for some time now.

Re:how good is it?

[arminw]

..... when you see the FBI at your door going after all your pirated MP3s, I'd just say don't bet on it to work...........

I think a disk drive tossed into our hot wood stove the moment an unknown knock came to the door, would be useless to the FBI/KGB/CIA/NSA or anyone else of equal expertise. The stove works well on old papers and credit cards also. Everybody with deep dark secrets needs a good wood stove. As a side benefit, it'll keep the house nice and warm for cheap.

Not so fast...

[Remik]

2gb/min isn't that fast.

Standalone devices like the Logicube Talon copy twice as fast. They also hash the drives and store audit trails to a CF card.

I can see the potential benefit to creating 3 mirrored drives at once, but it is extremely limited.

-R

Reformat != Overwrite

[Nymz]

I have to wonder, after how many overwrites can this system detect data?

I'm thinking zero overwrites. From the article it appears that the system is a portable solution that only plugs into hard drives, and not a reader of the platters themselves. Software alone can analyze deleted files and a reformated file table, but it cannot use the orignal drive to read information that was overwritten.

Last you checked you were wrong

[Sycraft-fu]

You cannot read data overwritten even once unless you disassemble the hard drive. If you use a disk copy utility, any of them, you get nothing more than the current layer of data. That is simply all a hard drive reads. As such if you wished to get any overwritten data you'd have to take the platters out and put them under some other kind of analysis equipment.

As for the feasibility of that, well, there isn't. Sorry. Even if you have a setup to do that, the chances of getting anything useful are extremely low. What you are talking about doing is reading off the data in an analogue format. The theory is that the whole reason we use digital equipment is because of imprecision in storage. So rather than try to detect subtle changes, we simply say "Anything over magnetic level X is a 1, any thing under is a 0." Thus the drive head just mess with the state to change it, not caring about the precise state it is in. Well the theory is also then that there will be a residual of the last data written. If I have a 1 and make it a 0 it will be slightly higher than a 0 that was again made a 0. By analysing the analogue waveform, you are able to guess at what the previous data was.

Ok but there's two major problems with this, especially as applied to law enforcement:

1) You are, in fact, guessing. You are looking at imprecise data and trying to figure out what was there. Any competent defense attorney would tear such a thing apart. Just because the technician assumes a string of bits corresponds to a given waveform, doesn't mean they are right.

2) The amount of data on a modern hard drive is staggering, and the encoding extremely complicated. To try and do something like this, even for one level, could take months if not more, and that's assuming you had a streamlined process down. This isn't simple like "Just read the data." As I said it is "Look at the actual waveform and try to decode older pieces from small fluctuations below the normal 1/0 threshold."

Well this is the kind of stuff intelligence agencies likely dabble in, as they've got the resources and there's no standard of proof. They might well be willing to pour over a drive for years if it gets them information. Even if there are assumptions on the part of the analysts, that's ok. After all that's how code breaking was largely done back in the day: You made assumptions based on the language and known plain texts and such and started guessing at the rest.

However that isn't the kind of shit that flies in court, and not the kind of thing that they've got time for. You'll notice how they talk about copying the data and the importance of maintaining the evidentiary chain. You don't get that when it's some guy with an oscilloscope making guesses.

It may make for good movies and TV, but once something has been overwritten it's done basically. I fyou have evidence to the contrary, I'd love to see it but "I heard," or "Some guy who worked for the FBI said," isn't it. Show the product/method that is used. If it is something that is used in court, it has to be known.

Re:Last you checked you were wrong

[ColdWetDog]

Not sure what your point is. Sure, a scanning tunneling EM might be able to read the sides of sectors and get an idea of the charge state of the material, but you have to do it bit by bit. The STEMs don't have very large sample chambers so you'd have to chop the drive up into wee little pieces, keeping track of everything all of the time. Sounds wonderfully tedious.

As the OP pointed out, some intelligence agency might do it to find Osama bin Laden, but I really doubt the FBI is going to try this on some dimwitted pedophile.

Re:Last you checked you were wrong

[baboo_jackal]

Sure, a scanning tunneling EM might be able to read the sides of sectors and get an idea of the charge state of the material, but you have to do it bit by bit
Yeah, if I can remember correctly from a forensic computing presentation we gave to a bunch of high school kids (I obviously didn't give the physical media recovery part), the way it theoretically works is that when the charge of a magnetic domains on a hard disk platter is changed, it's not changed uniformly throughout the entire domain. If you were able to identify a domain that was consistently left unchanged by the drive head (in our example, we used the outermost portion of the domain - say the drive head was aligned so that it acted on the inner portion of each individual track), you could potentially figure out what the last bit written was by looking at it through an EM.

I think that maybe you could also theoretically look at the Bloch walls or something like that. But the real bottom line is that:

1) Is it even possible? I can't find a single example of anyone actually doing this.
2) If possible, who in the world would be able to do it?
3) And, do you really think your secret stash of shemale porno and The Anarchist's Cookbook are that important to them?
4) It's not, so just delete it and move on with your life.

Re:Last you checked you were wrong

[turbidostato]

"1) You are, in fact, guessing. You are looking at imprecise data and trying to figure out what was there. Any competent defense attorney would tear such a thing apart. Just because the technician assumes a string of bits corresponds to a given waveform, doesn't mean they are right."

Not to say you are wrong; I think you are overall right, in fact. But in an ideal world, a competent attorney can't have more than justice gives him (after all, if you can hope for a "competent defense attorney" you should expect for a "competent accusation attorney" too). It's true that telling one single bit to be a 0 or a 1 is "guessing", but a single bit doesn't tell anything. It's a hughe colletion of bits what holds info: if, by fair guessing any single bit to be a 0 or a 1 you end up with the literal text of the USA constitution, you must be pretty sure your guess is right (you can through some statistical analysis at it). If you guess a password and the password in fact gives you access to some protected data, you guess is OK. After all, even for the "true" data on a hard disk (the one coming from the last write), the reader just "guess" the bits on the platters to be 0s or 1s, why its "guess" is more "factical" than any other one you can through at it?

"However that isn't the kind of shit that flies in court"

On the contrary, my friend. There's nothing cualitatively different between this and DNA analysis, which is nothing more than statistics and guessing and you see it holds in court every day (for a very valid reason).

But, in the end, this completly goes out ot the article scope: the device is just a rugged PC that can extract low level data from the hard disks as fast as possible -by using the hard disk readers themselves, so its "sensibility" is just the one you get on "usual" read, so it's nothing more than a glorified dd.

Re:System memory? Torrentspy could use one

[Jah-Wren+Ryel]

I read the article, and it sounds like its "marketing" - we all know that system memory can't be read the way they claim - by plugging into the hard drives. Sure, you'll pick up what was in swap, but if a person is smart and worried about security, they don't have swap - turn it off, and all memory goes bye-bye. They plug into the firewire port and use the PC's own firewire controller to DMA from host memory out across the firewire bus.
That is a standard forensic operation nowadays.

However, some people have already postulated, if not actually implemented, protections against that sort of attack. The idea is that the host can reprogram the PCI bus controller to route all DMA requests from the firewire controller off into some user-specified range of memory. In theory the forensic tool could detect that the PCI controller has been programmed to do that, but it could not do anything about it.

doubtful

[crossmr]

does it create a read only image that can never be tampered with? Given the fact that anyone can do just about anything, most digital evidence always leaves me lacking.

Drive density

[Beryllium+Sphere(tm)]

I'd enjoy seeing (recent!) references on this, since hard drive technology has moved quite a bit since the Gutmann paper (the epilogue to which says "with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques").

The two best arguments I've seen among the speculation are

AGAINST: if it were possible to read under 12 layers of overwriting, wouldn't the drive manufacturers boost density by writing the same spot 12 times?
FOR: a read head in a lab doesn't have to be light, may not need to be fast, and definitely doesn't have to cost less than a good dinner. In other words, it's not subject to the limitations of the drive's read head.

Re:Drive density

[timmarhy]

"if it were possible to read under 12 layers of overwriting, wouldn't the drive manufacturers boost density by writing the same spot 12 times?"

what makes you think they would want to do that? it'd be dog slow, and it'd also be error prone. none of which helps to sell drives.

Anyone make a self distruct system for a PC?

[WarlockD]

Seriously, like some kind of bullet that shoots the hard drive (Maybe 22round, aimed toward the ground) and can be activated at a press of a button?

Re:Anyone make a self distruct system for a PC?

['Aikanaka]

I recommend a thermite disk eraser - http://www.metacafe.com/watch/599982/how_to_make_t hermite/ - which will provide a very quick method of creating a very non-recoverable hard disk. Thermite FTW!

Re:Anyone make a self distruct system for a PC?

[aliquis]

Yeah, just open an old HDD, remove the platters and heads and fill it with thermite, connect an electronic igniter (if one exist/works) to the molex-connector and you are good to go!

That will show them not to touch your data ;D

Or in your case put that drive on top of the other and light it yourself when they come knocking on your door.

Secure drives and erasure

[Barny]

Ahh just in time then is Seagates announcement of FDE series of drives, they use a small linux based boot sector to allow or disallow access to the drives decoding hardware, of course without that hardware enabled and with the right key it will all be useless :)

As for the people talking about "safe methods for wiping drives", the only place I (personally) know of that has such requirements is DIGO http://www.defence.gov.au/digo/ they use a furnace, works damn well. The moral of the story is, new drives are cheap, why fuck around with "maybe".

Re:I'm Sure...

[RLiegh]

What about when you replace FAT (or NTFS) with another filesystem entirely? Would the format done by mkfs.ext2 (or whatever) overwrite the data, or would it simply set up a filesystem table and leave the previous data on the drive readily accessible (to anyone who wants to recover it)?

240 volts to usb/firewire ports

[timmarhy]

This makes me want to disconnect my usb/firewire cables and solder a 240 volt feed to them.

lets see their nifty device copy shit then.

Re:I love reporters

[Fourier]

The article mentions this being chose over sleuthkit, which makes me wonder just how much better (if at all) the software internals are on the TreCorder.

The key isn't so much the software as it is the hardware. The TreCorder uses hardware write blockers to provide a rather strong guarantee that the original data will not be corrupted even if the OS and the acquisition software happen to be written by idiots.

Modern magnetic media is tough

[Mathinker]

The Curie point of modern magnetic media is higher than the melting point of aluminum.

An unreliable source might have said..

[Gazzonyx]

I've heard from an unreliable source (perhaps it was on slashdot, I can't recall) that a good method for doing this is rather to write data streams randomly. Something like an MP3 or any binary you'd like.

I guess the theory was that if you do this a few times with random sources, the magnetic characteristics (shadows) have not all been changed by the same amount, so you can't apply a logarithmic algorithm to figure out the possible states that the disk could have been in and see if they make any sense.

I'm pretty sure that magnetic shadows work on an inverse square equation, where you are left with 1/2^n (where n is the iteration) of the original images strength after each iterative change. Meaning that if I know that the bank destroys hard drives from their computers with 10 iterations of straight 0s then straight 1s, I could 'play back' the formatting. I'm just pulling that out of thin air, but I think I've heard it somewhere. Please correct me if I'm wrong, along with the corresponding wiki link ;).

Reality check for you

[Burz]

re: live RAM acquisition - http://it.slashdot.org/comments.pl?sid=291981&cid= 20526915

Re:Backup Device

[Cheesey]

The job you are talking about is quite easy on Linux because the only file that requires a special post-copy procedure is the kernel image - and even then, you only have to rerun lilo or grub. In fact you can copy an entire disk image using just "cp -a", and it will still boot if you update lilo or grub. The best way to upgrade a Linux system to a new hard disk is to do a copy in that way, with the target disk mounted somewhere in the current system. Then swap the disks, boot from a live CD, and run lilo or grub. Then upgrade the OS if you want once you are up and running. But if you do want to start with a clean install, just copy /home and any parts of /etc that you've changed.

You can use dd and netcat, as another reply suggests, but I've done this many times, and I think it's much better (and easier) to recreate the file system, not least because this provides a really easy way to resize the disk in either direction. It's also faster (dead space is not copied) and defragments the file system too. You only have to use tools like dd, Ghost, PartImage or ntfsclone when the OS acts against easy cloning by having lots of special files that have to be at specific locations on disk. (Every version of Windows has this "feature".)