Forensic Computer Targets Digital Crime

coondoggie writes "A European consortium has come up with a high-speed digital forensic computer dedicated to the task of quickly offloading and analyzing computer records. The TreCorder is a rugged forensic PC able to copy or clone up to three hard disks simultaneously, at a speed of up to 2 Gb/min., far faster than alternative equipment. The PC not only provides a complete mirror image of the hard disk and system memory — including deleted and reformatted data — but also eliminates any possibility of falsification in the process, meaning that the evidence it collects will stand up in court."

Re:System memory? Torrentspy could use one

[Jah-Wren+Ryel]

I read the article, and it sounds like its "marketing" - we all know that system memory can't be read the way they claim - by plugging into the hard drives. Sure, you'll pick up what was in swap, but if a person is smart and worried about security, they don't have swap - turn it off, and all memory goes bye-bye. They plug into the firewire port and use the PC's own firewire controller to DMA from host memory out across the firewire bus.
That is a standard forensic operation nowadays.

However, some people have already postulated, if not actually implemented, protections against that sort of attack. The idea is that the host can reprogram the PCI bus controller to route all DMA requests from the firewire controller off into some user-specified range of memory. In theory the forensic tool could detect that the PCI controller has been programmed to do that, but it could not do anything about it.

Re:how good is it?

[SamP2]

I keep seeing over and over posts that say that a "hardware" method would be the one that is totally secure, and the best example being a hammer.

You'd be surprised, however, how resistant drives can be do physical damage.

For those who know anything about hard drives (referring to regular platter drives, not solid state), you'd know that inside the rectangular case (made out of crappy soft aluminum) lie several plates connected to each other through a spinner in the middle, and they are made out of pretty strong steel.

When I took my data security course, we practiced destroying data physically. So I opened the hard drive, removed the platters and disconnected them. Then came the fun part, trying to destroy them.

First I tried several grades of sandpaper. All the lighter ones didn't leave a JACK SQUAT mark, no matter how hard I tried. The most heavy ones left _very_ small marks which were only visible in the direction of the strongest applied force. Sanding a whole drive this way would take days, and I wasn't sure it was strong enough to actually fully remove the magnetic cover. If anything, I damaged the sandpaper more than the drive.

Then I tried a metal file. The results were considerably better, with deep strong marks, but again, they only covered the path of the sharpest edge of the file, not the whole contact surface area. I filed away for 5 minutes straight, and I only managed to produce about 30% area of a single side of a single platter which I could say was destroyed with high probability of not being recoverable.

Finally, I tried a heavy hammer on another platter, having locked the platter in a vise. I wasn't impressed. The hammer, at best, produced bends across the drive. After another 5 minutes of hammering away, the drive was certainly not round anymore, but the total surface area actually destroyed by these bends was fairly minimal. Sure, it may prevent an easy automatic way of recovering data using regular means (spinning it against a magnetic reader the same way drives usually work), but I'd say at least 80% of that platter still had data on it. The manual work requiring to read the data piece by piece may indeed take weeks, but it would probably be possible, and having the mentality of "it'll take them too much work to read it" is akin to having the mentality of "nobody will hack me because I'm not a target of interest and they won't bother". From the point of view of a security specialist, it's wrong in principle.

The moral of the story is that hard drives are a pretty tough nut and not as easily physically destroyed as you may think. To all those rambling away about how unreliable hard drives are and how easy they break down, I'd say that in the vast, vast majority of cases what breaks down is the engine, the magnetic mechanism, or something else that would prevent the drive from being readable by tools built in the drive box, but not the platters with the data itself.

Another common myth is that you can easily and securely permanently wipe the data with a magnet. The forces required to near-instantly and irrecoverably overwrite the magnetic stripe of the disk are ENORMOUS. During regular usage, a relatively weak magnet is used to read and write on the disk, but it only operates on a minuscule area of the disk (trivially, by writing a bit on an 4 (double sided)-platter 500GB drive, the magnetic edge only operates on 1/500,000,000,000th area of the platter. Now use the denominator to figure out the magnetic intensity required to fully overwrite the whole disk at once. It ain't pretty. Industrial-grade degaussers may do the trick, but not your average home magnet (which, of course, doesn't mean the magnet is not good enough to randomly corrupt a small part of the data which will screw your partition table and make your OS refuse the read the drive anyways). But I somehow doubt the folks in the NSA use Windows XP Home Edition to investigate hard drives.

The "true" way to destroy hard drives is to completely melt them in an incinerator, and t

Secure drives and erasure

[Barny]

Ahh just in time then is Seagates announcement of FDE series of drives, they use a small linux based boot sector to allow or disallow access to the drives decoding hardware, of course without that hardware enabled and with the right key it will all be useless :)

As for the people talking about "safe methods for wiping drives", the only place I (personally) know of that has such requirements is DIGO http://www.defence.gov.au/digo/ they use a furnace, works damn well. The moral of the story is, new drives are cheap, why fuck around with "maybe".

240 volts to usb/firewire ports

[timmarhy]

This makes me want to disconnect my usb/firewire cables and solder a 240 volt feed to them.

lets see their nifty device copy shit then.

Re:how good is it?

[compro01]

well, as someone said in a previous discussion:

The only way to truely protect your data is to grind up your hard drive into powder, magnetize it all, then heat it into a liquid. Cool and grind it up again, scatter it into the wind, and just HOPE entropy does the rest.

Re:how good is it?

[TheWanderingHermit]

One of our LUG members recently did a presentation on computer forensics. I forgot the group that he took his classes through, but I remember a friend of mine saying they were one of the best. His comment on this was that the myth of data being retrievable after it has been written over is just that, these days: a myth. It seems that was a problem back in the earlier days of hard drives, but not with any recent equipment. It seems that once this became a "fact" it's stayed one for decades, even though there's been no evidence or proof of it being true with any hard drive designs for years.

I don't know how accurate that is, but I know a few others in the LUG started looking into it and nobody posted any links they felt were valid to back up the surviving data myth.

Re:how good is it?

[PopeRatzo]

If you're not doing anything wrong, or using your computer to write or view anything wrong, or thinking anything wrong, or doing, writing, viewing or thinking anything that someone might construe to be wrong... ...then you have nothing to worry about.