Slashdot Mirror
Forensic Computer Targets Digital Crime
coondoggie writes "A European consortium has come up with a high-speed digital forensic computer dedicated to the task of quickly offloading and analyzing computer records. The TreCorder is a rugged forensic PC able to copy or clone up to three hard disks simultaneously, at a speed of up to 2 Gb/min., far faster than alternative equipment. The PC not only provides a complete mirror image of the hard disk and system memory — including deleted and reformatted data — but also eliminates any possibility of falsification in the process, meaning that the evidence it collects will stand up in court."
I wouldn't mind seeing a source on that statistic. Because I'd be pretty comfortable betting my life savings that it's not true.
2gb/min isn't that fast.
Standalone devices like the Logicube Talon copy twice as fast. They also hash the drives and store audit trails to a CF card.
I can see the potential benefit to creating 3 mirrored drives at once, but it is extremely limited.
-R
You cannot read data overwritten even once unless you disassemble the hard drive. If you use a disk copy utility, any of them, you get nothing more than the current layer of data. That is simply all a hard drive reads. As such if you wished to get any overwritten data you'd have to take the platters out and put them under some other kind of analysis equipment.
As for the feasibility of that, well, there isn't. Sorry. Even if you have a setup to do that, the chances of getting anything useful are extremely low. What you are talking about doing is reading off the data in an analogue format. The theory is that the whole reason we use digital equipment is because of imprecision in storage. So rather than try to detect subtle changes, we simply say "Anything over magnetic level X is a 1, any thing under is a 0." Thus the drive head just mess with the state to change it, not caring about the precise state it is in. Well the theory is also then that there will be a residual of the last data written. If I have a 1 and make it a 0 it will be slightly higher than a 0 that was again made a 0. By analysing the analogue waveform, you are able to guess at what the previous data was.
Ok but there's two major problems with this, especially as applied to law enforcement:
1) You are, in fact, guessing. You are looking at imprecise data and trying to figure out what was there. Any competent defense attorney would tear such a thing apart. Just because the technician assumes a string of bits corresponds to a given waveform, doesn't mean they are right.
2) The amount of data on a modern hard drive is staggering, and the encoding extremely complicated. To try and do something like this, even for one level, could take months if not more, and that's assuming you had a streamlined process down. This isn't simple like "Just read the data." As I said it is "Look at the actual waveform and try to decode older pieces from small fluctuations below the normal 1/0 threshold."
Well this is the kind of stuff intelligence agencies likely dabble in, as they've got the resources and there's no standard of proof. They might well be willing to pour over a drive for years if it gets them information. Even if there are assumptions on the part of the analysts, that's ok. After all that's how code breaking was largely done back in the day: You made assumptions based on the language and known plain texts and such and started guessing at the rest.
However that isn't the kind of shit that flies in court, and not the kind of thing that they've got time for. You'll notice how they talk about copying the data and the importance of maintaining the evidentiary chain. You don't get that when it's some guy with an oscilloscope making guesses.
It may make for good movies and TV, but once something has been overwritten it's done basically. I fyou have evidence to the contrary, I'd love to see it but "I heard," or "Some guy who worked for the FBI said," isn't it. Show the product/method that is used. If it is something that is used in court, it has to be known.
Really, try to find an official source, you won't.
When information is power, privacy is freedom.
That is a standard forensic operation nowadays.
However, some people have already postulated, if not actually implemented, protections against that sort of attack. The idea is that the host can reprogram the PCI bus controller to route all DMA requests from the firewire controller off into some user-specified range of memory. In theory the forensic tool could detect that the PCI controller has been programmed to do that, but it could not do anything about it.
When information is power, privacy is freedom.
I'd enjoy seeing (recent!) references on this, since hard drive technology has moved quite a bit since the Gutmann paper (the epilogue to which says "with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques").
The two best arguments I've seen among the speculation are
AGAINST: if it were possible to read under 12 layers of overwriting, wouldn't the drive manufacturers boost density by writing the same spot 12 times?
FOR: a read head in a lab doesn't have to be light, may not need to be fast, and definitely doesn't have to cost less than a good dinner. In other words, it's not subject to the limitations of the drive's read head.
I keep seeing over and over posts that say that a "hardware" method would be the one that is totally secure, and the best example being a hammer.
You'd be surprised, however, how resistant drives can be do physical damage.
For those who know anything about hard drives (referring to regular platter drives, not solid state), you'd know that inside the rectangular case (made out of crappy soft aluminum) lie several plates connected to each other through a spinner in the middle, and they are made out of pretty strong steel.
When I took my data security course, we practiced destroying data physically. So I opened the hard drive, removed the platters and disconnected them. Then came the fun part, trying to destroy them.
First I tried several grades of sandpaper. All the lighter ones didn't leave a JACK SQUAT mark, no matter how hard I tried. The most heavy ones left _very_ small marks which were only visible in the direction of the strongest applied force. Sanding a whole drive this way would take days, and I wasn't sure it was strong enough to actually fully remove the magnetic cover. If anything, I damaged the sandpaper more than the drive.
Then I tried a metal file. The results were considerably better, with deep strong marks, but again, they only covered the path of the sharpest edge of the file, not the whole contact surface area. I filed away for 5 minutes straight, and I only managed to produce about 30% area of a single side of a single platter which I could say was destroyed with high probability of not being recoverable.
Finally, I tried a heavy hammer on another platter, having locked the platter in a vise. I wasn't impressed. The hammer, at best, produced bends across the drive. After another 5 minutes of hammering away, the drive was certainly not round anymore, but the total surface area actually destroyed by these bends was fairly minimal. Sure, it may prevent an easy automatic way of recovering data using regular means (spinning it against a magnetic reader the same way drives usually work), but I'd say at least 80% of that platter still had data on it. The manual work requiring to read the data piece by piece may indeed take weeks, but it would probably be possible, and having the mentality of "it'll take them too much work to read it" is akin to having the mentality of "nobody will hack me because I'm not a target of interest and they won't bother". From the point of view of a security specialist, it's wrong in principle.
The moral of the story is that hard drives are a pretty tough nut and not as easily physically destroyed as you may think. To all those rambling away about how unreliable hard drives are and how easy they break down, I'd say that in the vast, vast majority of cases what breaks down is the engine, the magnetic mechanism, or something else that would prevent the drive from being readable by tools built in the drive box, but not the platters with the data itself.
Another common myth is that you can easily and securely permanently wipe the data with a magnet. The forces required to near-instantly and irrecoverably overwrite the magnetic stripe of the disk are ENORMOUS. During regular usage, a relatively weak magnet is used to read and write on the disk, but it only operates on a minuscule area of the disk (trivially, by writing a bit on an 4 (double sided)-platter 500GB drive, the magnetic edge only operates on 1/500,000,000,000th area of the platter. Now use the denominator to figure out the magnetic intensity required to fully overwrite the whole disk at once. It ain't pretty. Industrial-grade degaussers may do the trick, but not your average home magnet (which, of course, doesn't mean the magnet is not good enough to randomly corrupt a small part of the data which will screw your partition table and make your OS refuse the read the drive anyways). But I somehow doubt the folks in the NSA use Windows XP Home Edition to investigate hard drives.
The "true" way to destroy hard drives is to completely melt them in an incinerator, and t
Ahh just in time then is Seagates announcement of FDE series of drives, they use a small linux based boot sector to allow or disallow access to the drives decoding hardware, of course without that hardware enabled and with the right key it will all be useless :)
As for the people talking about "safe methods for wiping drives", the only place I (personally) know of that has such requirements is DIGO http://www.defence.gov.au/digo/ they use a furnace, works damn well. The moral of the story is, new drives are cheap, why fuck around with "maybe".
...
I recommend a thermite disk eraser - http://www.metacafe.com/watch/599982/how_to_make_t hermite/ - which will provide a very quick method of creating a very non-recoverable hard disk. Thermite FTW!
lets see their nifty device copy shit then.
If you mod me down, I will become more powerful than you can imagine....
It appears possible to recover previously erased data on old drives, but haven't the drive mfrs used exactly the same technology that the forensic disk morticians used in past years to get at erased crud (if ever)? It seems with vertical recording and super mag heads, the slop, leftover sideband noise and measurable blips of 90's tech now store data. I'm not trying to be factious, drive builders are pushing a lot of boundaries and I doubt they would back off ( unlike the MPAA and DRM ) reducing capacity to retain info for the man. I am drunk.
upon the advice of my lawyer, i have no sig at this time
One of our LUG members recently did a presentation on computer forensics. I forgot the group that he took his classes through, but I remember a friend of mine saying they were one of the best. His comment on this was that the myth of data being retrievable after it has been written over is just that, these days: a myth. It seems that was a problem back in the earlier days of hard drives, but not with any recent equipment. It seems that once this became a "fact" it's stayed one for decades, even though there's been no evidence or proof of it being true with any hard drive designs for years.
I don't know how accurate that is, but I know a few others in the LUG started looking into it and nobody posted any links they felt were valid to back up the surviving data myth.
If you're not doing anything wrong, or using your computer to write or view anything wrong, or thinking anything wrong, or doing, writing, viewing or thinking anything that someone might construe to be wrong... ...then you have nothing to worry about.
You are welcome on my lawn.
Most people have little control of where the info gets cached on the system. You can *think* that it's only on the flash drive, but somehow an app sticks it into swap or a file in a temp folder.
Microsoft says legacy (serial/parallel) ports are bad. They don't obfuscate the hardware enough.
Dear God, when will the FUD stop??!!?? This silly meme has been making the rounds for a very long time, ever since Gutmann wrote that god-awful paper for USENIX '96. IT IS NOT TRUE!! There are no scientific or engineering papers that provide any evidence to suggest otherwise--NONE.
Here's the story: Back in 1996, Peter Gutmann published a paper where he described the theoretical possibility of reading small sections of overwritten data, in a largely unreliable fashion. Having gone back through the source he cites, I came to be of the opinion that his assertion was irresponsible, since he makes a very bold claim without pointing out how many qualifications and 'but's are attached to it:
1) The specific techniques he discusses address older hard drive platter recording technologies that were completely supplanted, throughout the industry, in 1996-1997. Newer hard drives changed recording techniques to cram more data onto the same platter area, which eliminated the specific properties that would have allowed Gutmann's proposed recovery method to work.
2) None of Gutmann's citations ever claimed to have made the recovery methods work in a practical fashion (as in, actually recovering a sector of data, let alone a whole file) on a real hard drive. There were a few lab experiments that were NOT performed on hard drives, and nobody was cited as actually implementing a real-world method.
3) Since the 1996 paper (in '99, I believe), Gutmann published a revised draft that really only changed the section talking about this issue, and he significantly backpedaled his claims. Supposedly, some of his colleagues pointed out that his assertion was scientifically unsupported and extremely inflammatory. Net result: In the newest version of that paper, he basically admits that recovery of overwritten data, on modern hard drives, is snake oil.
There's more, though. Having worked in forensics and specifically dealt with federal law enforcement agencies, I get a chuckle when people (usually, the same tinfoil-hat guys who believe in aliens at Roswell) talk like the FBI has secret recovery technology that the private sector doesn't. This is provable bullshit, for several reasons:
1) The FBI has no real engineering capacity, and they're not as good at stuff like this as you think. In data forensics, especially, their equipment, techniques, and training have never been as good as what the private sector has. The private sector has more money, which means it can buy the newest toys and do real R&D, and it can afford to pay the big-ass salaries that cutting edge engineers require. For comparison, go ask somebody at Hitachi or Segate who does hard drive research how much money they make. Then, ask the FBI how much their highest-paid experts make. It's going to be at least a 2:1 difference, maybe more.
2) Secret methodologies are useless to the FBI, because they would never hold up in court. Data forensics depends on its credibility under the standards of scientific evidence, otherwise it gets tossed out of court and the defense wins. The basic test of scientific evidence is "Does the scientific community have a consensus that this method is correct?" If it's a secret method, there can be no consensus in the community, and it can't be used in court.
3) There's a simple thought experiment that verifies this: If it were possible to read data that has been overwritten even once, doesn't that mean that your hard drive has an actual storage capacity is twice what the manufacturer is actually giving you. How much sense does that make? Those guys jump on every technology possible to cram more data into a smaller space, so even if it's space-alien-magic stuff, they'll have an enormous incentive to make it practical to mass-produce. And they usually do just that. There only a tiny bit more usable capacity on your drive (Let alone 12x worth!) than the manufacturer's label says, and that's replacement sectors for areas that develop problems--we know about that, and it's not useful in data forensics for other reasons.