Forgot your password?
typodupeerror
Security Privacy The Internet IT

New Anti-Forensics Tools Thwart Police 528

Posted by CowboyNeal
from the knowing-thine-enemy dept.
rabblerouzer writes "Antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator. 'Now it's hobby level.' Take, for example, TimeStomp. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified."
This discussion has been archived. No new comments can be posted.

New Anti-Forensics Tools Thwart Police

Comments Filter:
  • by iminplaya (723125) <iminplaya.gmail@com> on Thursday May 31, 2007 @10:17PM (#19346881) Journal
    Simple! Just cut the disk open and count the rings.
  • Pfft. (Score:5, Funny)

    by RealGrouchy (943109) on Thursday May 31, 2007 @10:18PM (#19346895)
    This has got to be old news. Over 112% of Slashdotters have been using these programs for years, since at least 3 months from now!

    - RG>
    • Re:Pfft. (Score:5, Funny)

      by trolltalk.com (1108067) on Thursday May 31, 2007 @10:28PM (#19346967) Homepage Journal
      Gee, and I thought it was a free "feature" included with every version of Windows and DOS.

      FILE0001.CHK
      FILE0002.CHK
      FILE0003.CHK
      FILE0004.CHK
      FILE0005.CHK
      ...
      FILE9999.CHK
      Unable to find COMMAND.COM. Please insert system disk and press reset.

    • by Travoltus (110240) on Friday June 01, 2007 @12:09AM (#19347711) Journal
      Imagine a filesystem that is encrypted 3 times, in "headerless" fashion. What I mean by headerless is, whereas a zip file leaves reliable signatures identifying it as a zip file, this scheme would be a naked 128 or 256 or 1024 bit encrypted file (bear with me here) with no signature. There would be no way to even identify this file unless you managed to decrypt it with the right password and the exact corresponding decryption scheme. (It could be a zip file or a rar file or an arj file but you'd have to guess.)

      That's for the first layer. Then you use the same (or different) scheme to scramble that already encrypted file again. With the same or different password.

      Then you do it a third time.

      Granted this would take a hell of a lot of computing power and a single bit of data corruption would screw you royally (which calls for more advanced recovery techniques which leads to some weaknesses...), but the effect is this.

      First, you get the hard drive and the whole filesystem is encrypted. It's utterly garbage to you. You don't know which scheme was used to encrypt it. You certainly don't know the password. But you may know it's triple layer encrypted. Or double, or quad.

      What is certain is, if you get the correct encryption scheme AND the password for that first layer, the decrypted file is STILL GARBAGE. You don't really know if you got the correct information or not, because you're still looking at a "headerless" pile of garbage data. Good luck guessing that second layer because no matter what, you still get a pile of incoherent garbage.

      If you've done this to all your files on your hard drives, DVDs and CDs, this is where you demand your Constitutional right (in the United States) to a SPEEDY trial and then plead the Fifth Amendment in court when asked for your password/encryption schemes. Why? Because if I'm right, the police and their descendants down to the 7th generation will have died of old age before they figure out the 2nd layer, much less the 3rd.

      Mind you, the cops may have slapped a keylogger on your system ahead of time. If that's the case, you're screwed.

      Lawyers and hackers, please rip my idea to pieces and tell me what you think...
      • by Anonymous Coward on Friday June 01, 2007 @12:41AM (#19347873)
        You'd have to be careful about the choice of encryption algorithms when you do this. There are good reasons (which I can't cite off the top of my head; I'm no cryptographer) why triple DES, for example, has an encrypt-decrypt-encrypt pattern, rather than encrypt-encrypt-encrypt. Even then, all you achieve is a doubling of the effective key length, not a tripling (and remember that the actual key is three times as long - each step uses a different key).

        Cryptography is hard. I know enough to know that I know nothing about it, and that I'd screw the pooch on any crypto system I might implement. If you haven't a very solid maths background, and a lot of experience breaking cyphers (and I'm talking about more than just the simple Julius shift here), odds are extremely high that there's a flaw you've overlooked in your system.
        • Re: (Score:3, Informative)

          by ifoxtrot (529292)
          Well there is a good reason why it's implemented as encrypt-decrypt-encrypt, but it's not for cryptographic strength. Instead this has its roots in the hardware backwards compatibility.
          That is to say that if you create an encrypt-decrypt-encrypt box and feed it the same key for all the crypto operations, you get plain DES encryption.
          (i.e. encrypt m with x = c, decrypt c with x = m, encrypt m with x = c). If you want proper 3 DES you just feed it different keys.

          So instead of having to create a box that does
      • by mbstone (457308) on Friday June 01, 2007 @01:04AM (#19347983)
        To assert your Constitutional rights, you'll need ready access to $50K for lawyers (and perhaps expert witnesses); otherwise you'll get the Public Defender and it will be explained to you that your only option is to plead guilty, thereby avoiding being sentenced to 0xFF years in jail. IAAL.
      • Re: (Score:3, Funny)

        by zippthorne (748122)
        You should use ROT-9 followed by ROT-8 followed by ROT-9 again. ROT-13 is pretty weak, but if you use different numbers, apply encryption multiple times, your data will be much safer. TripleROT (9,8,9) is a standard by which all other methods are measured. All without requiring some fancy scheme concocted by guys with foreign-sounding names. Would you trust your security to a foreigner? with a beard?

        Oh, and IIRC, withholding the password would be obstruction of justice (assuming they obtained a warrant
        • by cbr2702 (750255) on Friday June 01, 2007 @02:49AM (#19348481) Homepage
          withholding the password would be obstruction of justice

          Couldn't you choose an incriminating password and plead the 5th?
          • by Damiano (113039) on Friday June 01, 2007 @11:08AM (#19351945)
            IAAL and no you can't. Try to be funny and what they'll do is grant you immunity for anything revealed in the password itself. Then they'll force you to reveal the password or sit in jail for contempt. Once you reveal the password they can decrypt the drive and use that data in court (even if it's the same as the password).

            The real key here is that the 5th amendment protects you from testifying against yourself. Your "papers" are not considered testimony and not protected.

            Not legal advice, not your lawyer.
      • Epically bad. (Score:5, Insightful)

        by rjh (40933) <rjh@sixdemonbag.org> on Friday June 01, 2007 @01:36AM (#19348147)
        I am an NSF–funded researcher in computer security, focusing on electronic voting. Data privacy and confidentiality is very important to us, as you can imagine.

        Your idea is quite terrible.

        First, what do you mean by a file "without signature"? Take a zip archive as an example--even if you strip off the zip header, any forensicist worth his or her salt can figure out it's a zip archive, just because of the way the data is structured. Encrypted filesystems have structure, too. A data forensicist can recognize an encrypted container on the basis of its structure. (Some people have recommended to you TrueCrypt in hidden volume mode. This is bogus. I'll explain that if you want.)

        Second, you appear to not understand how crypto works. Two layers are better than one, right? So double ROT13 encryption is stronger than single ROT13, right? You're running smack into a major, well-known area of crypto. A lot of ciphers do not composite themselves well. You are almost always better off just picking one algorithm with a strong keysize than a composition of multiple algorithms.

        Third, how do you plan on managing all of your keys? Key management is a thorny enough problem in the best of times. By relying on multiple keys you're multiplying the problem immensely.

        You really need to do some basic research in crypto.
        • Re: (Score:3, Interesting)

          by Travoltus (110240)

          First, what do you mean by a file "without signature"? Take a zip archive as an example--even if you strip off the zip header, any forensicist worth his or her salt can figure out it's a zip archive, just because of the way the data is structured. Encrypted filesystems have structure, too. A data forensicist can recognize an encrypted container on the basis of its structure. (Some people have recommended to you TrueCrypt in hidden volume mode. This is bogus. I'll explain that if you want.)

          That's true, I und

          • Re:Epically bad. (Score:5, Interesting)

            by rjh (40933) <rjh@sixdemonbag.org> on Friday June 01, 2007 @02:22AM (#19348325)

            Why do you think hidden-volume mode TrueCrypt is bogus?
            Let's imagine that you've got a TrueCrypt container on your hard drive. The FBI gets a tip that you're involved in child porn. You get arrested. The DA has a jailhouse snitch who'll testify that you have kiddie porn. The DA has a forensicist who will testify that you've got an encrypted container on your disk drive. You don't want to be doing 10-to-25 in federal pound-me-in-the-ass prison, because you're a scrawny pimply-faced geek and you don't want to get married off to the biker with the most cigarettes. You tell the DA "... look, okay, here's the passphrase to my TrueCrypt container. See? There's just porn in there I was hiding from my wife! But everyone involved is over 18! Let me go! It's bogus!"

            The DA just smiles at you and says... "I'd like to see the hidden container inside that TrueCrypt volume. My forensicist says oftentimes people do that with TrueCrypt."

            You say "umm... there isn't a hidden container... there's nothing more there..."

            The DA continues to smile. "Prove it to me."

            You say "umm... I can't... that's exactly what TrueCrypt means when they say it's hidden... you can't prove it exists and you can't prove it doesn't exist..."

            The DA rises from the table. "Say hi to your husband for me when you meet him."

            Moral of the story: it is very, very important that you be able to prove the existence or nonexistence of your data.

            Can you explain more of this please?
            I don't know how to make it any simpler. If compositing encryption functions makes things harder to break, we'd expect two applications of ROT13 to be stronger than one application of ROT13. It doesn't work that way. And in an exactly similar way, two levels of AES may or may not be any better than a single layer of AES. Or one layer of Blowfish and one layer of 3DES. Or...

            If you want to get more sophisticated than this, you need to take a collegiate math course focusing on group theory.
            • Re: (Score:3, Interesting)

              The DA continues to smile. "Prove it to me."

              You don't have to. It's HIS job to prove it IS there (e.g., you have to be proven GUILTY in a court of law, not NOT guilty. A subtle but important distinction). He can't strongarm you into giving up the hidden volume, if it exists, and if it doesn't exist, he especially can't.

              I was hoping you'd mention how the structured nature of the hidden volume is a dead giveaway. But you didn't say anything about that, leading me to think you don't believe it to be a pr

              • Re:Epically bad. (Score:5, Insightful)

                by rjh (40933) <rjh@sixdemonbag.org> on Friday June 01, 2007 @02:54AM (#19348509)
                What I love about Slashdot armchair lawyers is their naive faith in the criminal justice system.

                So you go to trial. So you're acquitted. But by the time you get acquitted, you're front page news in all the local newspapers. You're getting death threats. Your family is shunned. You get let go from your job because you're bringing too much controversy. Your life, not to put too fine a point on it, is fucked.

                You may want to look into Wen Ho Lee [wikipedia.org], Steven Hatfill [wikipedia.org], Richard Jewell [wikipedia.org] and John De Lorean [wikipedia.org], all of whom had this exact thing happen to them.

                Hatfill has never been charged. Jewell was totally exonerated, as was De Lorean. Wen Ho Lee pleaded guilty to a minor count just to make the madness stop, and received a profuse apology from the bench for how he was mistreated.

                Also, have you been following what happened in Durham, North Carolina recently with respect to prosecutorial misconduct in a rape case [blogspot.com]?

                You really, really need to acquaint your beliefs on how the law works with the reality of how the law works.
                • by vinn01 (178295) on Friday June 01, 2007 @06:16AM (#19349459)

                  Our justice system is run by elected officials (with media support). If you want fair treatment (justice) you had better hope that:

                  - it's not an election year
                  - the case has not generated a lot of media attention
                  - the case is not worthy of media attention when the DA holds a press conference
                  - the DA (and many others in the justice system) are not career building, and looking at your case as an opportunity to advance

                  The last one is the kicker. For every case there are dozens of people in the justice system that will get beneficial career advancement material from a successful conviction. That's my observation.
                • Re:Epically bad. (Score:5, Insightful)

                  by asninn (1071320) on Friday June 01, 2007 @07:15AM (#19349685)
                  But the law and the legal system *did* work in these cases; it was society, the media etc. that didn't. Not that it helps the victims, of course, but you need to recognise that this is a failure of society, not one of the criminal justice system, if you want to fix it.
                • Re: (Score:3, Informative)

                  by QCompson (675963)
                  So you go to trial. So you're acquitted. But by the time you get acquitted, you're front page news in all the local newspapers. You're getting death threats. Your family is shunned. You get let go from your job because you're bringing too much controversy. Your life, not to put too fine a point on it, is fucked.

                  And what does this have to do with hidden containers? Your life is fucked at the point that you are initially questioned or arrested. If the cops are going to be so underhanded as to pursue a convi
              • Indeed. (Score:4, Insightful)

                by Mr2001 (90979) on Friday June 01, 2007 @03:08AM (#19348571) Homepage Journal
                The "flaw" pointed out by the GP is only a flaw if you're being tried in a kangaroo court. I don't think our court system has gotten that bad.

                I mean, if you're dealing with a corrupt court where you're guilty until proven innocent, you don't even have to be using encryption to get screwed this way. The DA might just as well accuse you of using steganography to hide illegal photos in random files spread all across your hard drive, which is equally impossible to disprove.

                I'm not sure what you mean by the "structured nature of the hidden volume", though. TrueCrypt hidden volumes have no plaintext header, just like main volumes, and as long as the crypto methods in use are good ones, the encrypted data will be indistinguishable from random bytes, no matter how well-structured the plaintext is.

                There are attacks against hidden volumes, but they basically involve taking snapshots of the whole volume at separate points in time, then obtaining the main volume's key and checking whether any changes have been made to "unused" areas of the filesystem.

                That is, I could sneak into your house and copy the disk today (version A), then come back next month, seize the disk (version B), and force you to give up the main volume key. I can then mount both versions of the partition and look for differences between them. If there are any areas that contained random data in version A, and different-but-still-random data in version B, I can be pretty sure it means you were writing to a hidden partition located there.

                I think the best defense against that attack would be for TrueCrypt to randomly write chunks of new random data to the free space of mounted volumes, which would disguise the writes made to hidden volumes. (Of course you'd need to use both keys when mounting the main volume so it knew not to clobber your hidden data.)
                • Re: (Score:3, Informative)

                  by vux984 (928602)
                  I mean, if you're dealing with a corrupt court where you're guilty until proven innocent, you don't even have to be using encryption to get screwed this way.

                  If by Kangaroo court, you mean the DA already thinks he has enough on you between circumstantial evidence and a snitch.

                  The DA might just as well accuse you of using steganography to hide illegal photos in random files spread all across your hard drive, which is equally impossible to disprove.

                  You'd have a fairly strong defense against that accusation if
                  • Re: (Score:3, Insightful)

                    by Mr2001 (90979)

                    You'd have a fairly strong defense against that accusation if your hard drive contains no steganography tools. That's sort of the the issue with truecrypt - it doesn't prove you have child porn, or even a hidden volume, but its not unreasonable to suppose you might, if you have truecrypt, there is other circumstantial evidence, and a 'snitch' whose just reliable enough of a witness to sway a jury.

                    Luckily, in a criminal case, the standard is "guilty beyond a reasonable doubt", not "one could reasonably suppose you might be guilty".

              • Re: (Score:3, Insightful)

                you have to be proven GUILTY in a court of law, not NOT guilty.

                Unless you've been accused of a crime against Our Nations Most Precious Resource - The Children. Then you're guilty even after you prove you're not guilty.

            • You know nothing about the legal system. In our court system, you are innocent until proven guilty, the burden of proof is on the state. So you don't have to prove there isn't a hidden volume, they have to prove there is. Given that there seems to be no way to do this, they can't make their case. You can't speculate that something might be there. That's one of the most fundamental objections they teach lawyers "Objection, speculation." So all they have is that you have a volume of legal porn, and someone of
              • In our court system, you are innocent until proven guilty, the burden of proof is on the state.

                This is true for sufficiently high values of w, where w is your net worth. If you can't afford tens of thousands of dollars to fight a bogus charge, then you're effectively screwed, particularly if the charge is one of the very emotionally charged ones (child porn, rape, terrorism, etc.).

                You'd quickly end up in a situation where you'd be facing a team of prosecutors, working with virtually unlimited taxpayer funds (gotta protect the children, right?), against your fresh-out-of-lawschool public defender, whom if you're unlucky, you might have to share with half a dozen other defendants. And chances are, they're going to believe you're guilty and (consciously or not) treat you like it.

                There have been a lot of sociological studies and research done on the U.S. legal system. People who can't afford lawyers plead guilty at an astoundingly high rate, and the entire system is set up to "process" them as quickly as possible, from arrest through to prison.

                The system works like you describe in the best case scenario, but even then, it'll probably leave you bankrupt.
            • Re: (Score:3, Informative)

              by QuickFox (311231)

              Can you explain more of this please?
              I don't know how to make it any simpler. If compositing encryption functions makes things harder to break, we'd expect two applications of ROT13 to be stronger than one application of ROT13.
              I think your first explanation was quite clear to anyone who knows what ROT13 means, so my guess is that Travoltus needs to read this [wikipedia.org].
            • Re:Epically bad. (Score:5, Interesting)

              by davFr (679391) on Friday June 01, 2007 @07:23AM (#19349735)

              I don't know how to make it any simpler. If compositing encryption functions makes things harder to break, we'd expect two applications of ROT13 to be stronger than one application of ROT13.

              It is a cryptanalysis problem. Encryption scheme are designed so that your clear text will become close-to-random garbage when encrypted. Why? Because if it is not random, forensics can do statistical analysis on the crypted data 1/ to identify the encryption algorithm, 2/ to try to guess the encryption key (http://en.wikipedia.org/wiki/Cryptanalysis/ [wikipedia.org] for more details).

              If you crypt your text twice (or more) you modify the entropy of the encryption scheme, and the encrypted data will be not optimally close to random data. As a conclusion, encrypting twice made your data less robust to forensics.
            • The DA just smiles at you and says... "I'd like to see the hidden container inside that TrueCrypt volume. My forensicist says oftentimes people do that with TrueCrypt."

              You say "umm... there isn't a hidden container... there's nothing more there..."

              The DA continues to smile. "Prove it to me."


              You say "Actually, you have to prove to me that there's anything there to hide. You should know that I'm innocent until proven guilty."

              Then you walk away scott free. The DA continues to smile for some reason,
          • Re:Epically bad. (Score:5, Informative)

            by Anonymous Coward on Friday June 01, 2007 @03:16AM (#19348607)
            I'm not an NSA funded security researcher, but I'm also slightly less of an arrogant prick than "rjh". So to answer your question about layering encryption without getting into all the you're-not-even-worthy-to-be-asking-this-question crap, here's a brief layperson's answer:

            Essentially your idea is not a bad one, it's just a bit naive -- there are non-obvious subtleties which must be considered in order to make the idea work as well as you hope.

            One issue is that some encryption algorithms (called "groups") have the characteristic that when applied two consecutive times with different keys, the result is the same as if the algorithm was applied only once with some other third key. If this is the case for your favorite algorithm, then your plan adds no extra security compared to just encrypting once. And apparently it's not always easy to know whether this is the case for a complex algorithm, so you should assume the worst.

            Another issue is that if your adversary can guess some plaintext (e.g. by assuming it contains .doc or .jpg headers) they can use a technique that trades off storage for computation and break your multiple encryption much faster than you would have thought.

            One way to overcome these weaknesses is by applying your encryption in "EDE" (encrypt-decrypt-encrypt) mode, where you encrypt with one password, then "decrypt" with a second password (which is obviously not really decrypting but just making the scrambling that much more horrendous), and then encrypting again with a third password. Even this is not as secure as you might expect, but it's still pretty good.

            The well-known security and crypto expert Bruce Schneier has a great book called "Applied Cryptography" (Wiley, 2nd edition 1996, ISBN 0-471-11709-9) which is accessible to average smart, interested, non-NSA-funded Slashdot readers without advanced math degrees. It even has a brief chapter (15) on this exact topic. (Schneier has other great books too.)

            Despite his attitude, "rjh" is right in implying that our common sense is not trustworthy in the area of cryptography -- some of the world's smartest people devote their lives to this stuff and have come up with astonishing and often counterintuitive results. Smarter people than us have already studied this idea, which is basically a good one even though it has pitfalls. Don't let anyone make you make you feel stupid for having an idea or asking a good question.
      • http://www.truecrypt.org/hiddenvolume.php [truecrypt.org]

        Your welcome.
  • by Icarus1919 (802533) on Thursday May 31, 2007 @10:23PM (#19346929)
    I always just keep a few magnets handy... just in case....

    I prefer hardware solutions, rather than software ones.
  • a finger to fudge is just enough to ruin your time_t
  • by Trifthen (40989) on Thursday May 31, 2007 @10:27PM (#19346957) Homepage
    Timestomp? Now I've heard everything.

    Any hacker/script-kiddie with a working knowledge of touch and a 'find' command could wreak equal havoc. Combined with a quick filter and another perl script to generate random timestamps, all launched regularly from cron? Forget it. Forensics folks would be better off scouring logs for a non-tainted timestamp and counting directory inode entries for approximate age.

    Of course, this says nothing of rootkits, which can be downright subversive, embedding themselves into kernel space where not even the OS knows they exist, where they can wreak untold havoc with historical system data or encryption. I bet there's even a script-kiddie version of anti-forensics tools out there, where it just cron-obfuscates anything trackable. Logs, timestamps, frequent automated sweeps of shred over unallocated disk blocks, inode reordering, and so on.

    Now that I think about it, that might be a good idea. I got some work to do. ;)
    • Speaking of rootkits, from TFA:

      Linux servers have become a favorite home for memory- resident rootkits because they're so reliable. Rebooting a computer resets its memory. When you don't have to reboot, you don't clear the memory out, so whatever is there stays there, undetected.

      I don't mean to sound like a moron or naive but are Linux rootkits really that prevalent? After doing a quick google search for "rootkits for linux", I found a few for the old 2.0 and 2.2 Linux kernels... Have updates that have

      • I don't mean to sound like a moron or naive but are Linux rootkits really that prevalent?

        Considering that rootkits originated in Unix (hence "root"), I imagine that they are as prevalent in Linux as they are in any operating system (the argument of uptime notwithstanding).

        Besides, a rootkit does not have to reside in kernel space to be very effective. Simply replacing many of the key binaries (init, bash, getty, ls, top, ps, etc depending on *nix flavor) will do wonders for probably 98% of systems out there. That said, I'm sure there are some which do reside in kernel space (a kernel module perhaps?) or maybe even some that are simply modified kernels (the source is available after all). How do you know that the kernel your system is running has not been compromised?

        After doing a quick google search for "rootkits for linux", I found a few for the old 2.0 and 2.2 Linux kernels...

        I tend to doubt you'll find the latest and greatest rootkit via Google. If you know the right people, I'm sure you can get whatever you need.
    • by _Sprocket_ (42527) on Thursday May 31, 2007 @11:09PM (#19347295)

      Any hacker/script-kiddie with a working knowledge of touch and a 'find' command could wreak equal havoc. Combined with a quick filter and another perl script to generate random timestamps, all launched regularly from cron? Forget it. Forensics folks would be better off scouring logs for a non-tainted timestamp and counting directory inode entries for approximate age.


      And that seems to be the point - how many of these types actually know how to use touch or find... much less put together a perl script? By "hobbiest" they're not talking about our level of knowledge... they're talking average punk who thinks double-clicking a rootkit is advanced hacking. Criminals aren't always the sharpest crayons in the box.

      I met one of the FBI agents involved in the investigation of Zimmerman over PGP. After that case, she moved on to child pornography cases. I asked her how many times they ran in to PGP being used by people trading in kiddie porn. Not a single one. She noted that the folks they were busting just weren't smart enough to understand that kind of thing.

      That basic precautions are showing up enough to give investigators a problem says something both about the attackers and the investigations.
      • by Kjella (173770) on Friday June 01, 2007 @12:46AM (#19347911) Homepage
        I met one of the FBI agents involved in the investigation of Zimmerman over PGP. After that case, she moved on to child pornography cases. I asked her how many times they ran in to PGP being used by people trading in kiddie porn. Not a single one. She noted that the folks they were busting just weren't smart enough to understand that kind of thing.

        <advocate client="Devil">
        So that means one of two things:
        1. Smart people aren't trading in child pornography or
        2. Smart people weren't caught to begin with, and still aren't

        And it probably shows just how stillborn general encryption of mail is. If average people don't learn that under threats of years in prison, what could possibly make regular people do it?
        </advocate>
        • Re: (Score:3, Interesting)

          by _Sprocket_ (42527)

          So that means one of two things:
          1. Smart people aren't trading in child pornography or
          2. Smart people weren't caught to begin with, and still aren't

          Well - you've got to keep in mind the context of our discussion. We were going out to lunch and I'm not exactly sure how it started... but I was mentioning Zimmerman's woes over PGP and she said "oh yeah - I was one of the investigators on that one." We then talked a bit about the good and bad uses of PGP (she had always seen PGP as nefarious until coming to

    • by flyingfsck (986395) on Thursday May 31, 2007 @11:35PM (#19347445)
      Well, alternatively one could just use Windows ME on a FAT file system. That screws things up all by itself - no need for fancy tools.
  • So... (Score:5, Insightful)

    by X0563511 (793323) * on Thursday May 31, 2007 @10:31PM (#19346987) Homepage Journal
    The obvious message to law enforcement is that people don't like others going through their things.

    Personally, I'm all for it! The timestomp tool they mentioned seemes more for oh-shit scramble-the-evidence rather than general usage... that kind of timestamp manipulation can really frig up a system.

    Personally I'm a fan of disk encryption using algorythms and key-lengths that make it extremely impractical to get in once the system is powered down. If up however... you have three strikes at getting in and all future packets from your IP are silently dropped for several days. Local access isn't a problem either... open the case and power goes out... and after 10 minutes of idle-time the system locks (only way in is password or reboot... obviously reboot isn't helpful)

    Call me paranoid. I am. I also like my privacy. Yes, I DO have something to hide: MY LIFE! I don't want you in my stuff at all!!! It doesn't matter that there is nothing illegitimate or illegal on the damn things, I still don't care.
    • Re: (Score:3, Interesting)

      by Kjella (173770)
      Personally, I'm all for it! The timestomp tool they mentioned seemes more for oh-shit scramble-the-evidence rather than general usage... that kind of timestamp manipulation can really frig up a system.

      I was thinking more in direction of "non-destructive fuckup of compromised machine", like say a machine you've trojaned. Make it hell to figure out how and what you've done. If you want to prevent forensic investigation on your own machine, encryption is much better than obfuscation.
      • Re: (Score:3, Interesting)

        by cryptoluddite (658517)

        I was thinking more in direction of "non-destructive fuckup of compromised machine", like say a machine you've trojaned. Make it hell to figure out how and what you've done. If you want to prevent forensic investigation on your own machine, encryption is much better than obfuscation.

        Well lets see, Mr. Anderson has a huge encrypted file and his computer asks for his private key when it boots up vs. Mr. Anderson with a bunch of files with messed up timestamps. The formers says "I'm guilty" whereas the latter says "Poor me I got hacked.. and they put lots of bad stuff on my computer too!". Just because it's a jury of your peers doesn't mean they aren't incompetent boobs that will convict just because they feel like you probably did "something".

        Sure the fact that there is no actual evid

      • Re:So... (Score:4, Insightful)

        by misanthrope101 (253915) on Friday June 01, 2007 @07:06AM (#19349643)
        How hard can it be to make stuff, for all practical purposes, inaccessible? Truecrypt + VMplayer + keyfiles + good passphrases has to equal some pretty good security. Of course that only applies if they burst through the door, not if they came in quietly while you were shopping and installed keyloggers and screencap software ahead of time and then arrest you later. If they're that interested in you, and they have physical access to your system, you're toast anyway. But I somehow doubt the local PD is going to break a Truecrypt container or PGP key, unless your passphrase is written down...oh wait.
  • Print version (Score:4, Informative)

    by Anonymous Coward on Thursday May 31, 2007 @10:32PM (#19346991)
    http://www.cio.com/article/print/114550 [cio.com] - Print version so you don't have to go through ten pages to read it all.

    Anonymous coward so no Karma whoring today. :)
  • Macs... (Score:5, Interesting)

    by Wizard Drongo (712526) <wizard_drongo.yahoo@co@uk> on Thursday May 31, 2007 @10:33PM (#19346995)
    Hate to sound like a apple fanboi, but even for those with something to hide that don't know much about computers at all, and therefore lack the know-how required to use these tools, simply using Mac OS X and turning on File-Vault, sad as it sounds, is enough to confound the majority of law enforcement. Most of the contractors that the police in the UK use are windows only. I know for fact that any linux or 'specialist' computers get passed to a specialist data firm in Germany for decoding...
    Macs?
    Only in the most serious of cases are macs in the UK sent for hacking if File-Vault's on. They go to Canada and take upwards of a year to crack. If ever.
    Unless you've done something pretty fucking serious, and the police know the evidence is on the machine, just can't prove it, they usually won't go to the expense.
    Of course, only the most stupid and inept of morons would be doing illegal shit and storing it on their computer without using the most powerful encryption possible, and only storing that which absolutely must be stored. Mind you, criminals are not usually noted for their cunning and intelligence....

    It goes without saying that the above does not translate to across the pond, nor does it apply on Security operations with terrorists and the like. How MI5 & MI6 do things is completely different and tends to involve some 'specialist' people from the likes of the I-corps and in-house solutions....
    I could elaborate, but I'm not THAT dumb.....
    • Re:Macs... (Score:4, Insightful)

      by Anonymous Coward on Thursday May 31, 2007 @11:23PM (#19347389)
      Mind you, criminals are not usually noted for their cunning and intelligence....

      Well, you only hear about the ones that get caught.

  • by porkThreeWays (895269) on Thursday May 31, 2007 @10:34PM (#19347009)
    Let me let everyone in on a dirty little secret about 99% of police computer forensics experts... they are less skilled than most 9 year olds at recovering vital information. Many of them use bootable disks that just check the hard drive for IE's cached files and history, etc, etc. Simple stuff a child could do. These people aren't doing complex low level block analysis. They are doing the level of recovery parents do at the end of the night to see what websites their children went on. Does it surprise anyone then it's extremely easy to fool them? God forbid you use encryption, an OS they aren't familiar with, or hardware they've never seen. They'll never recover anything.
    • by Kjella (173770) on Thursday May 31, 2007 @11:09PM (#19347301) Homepage
      Don't underestimate the tools - many forensic experts couldn't find their way at all outside the tool, but the tools are rather good at three things:
      1) Point them to "interesting" catalogs on most operating systems
      2) Read pretty much any filesystem, including the odd Linux/BSD variants
      3) Scan for files (keywords, against a hash db etc.) without booting your OS

      Encryption is the only thing that'll stand any serious investigation. Though I suppose it'll get you past the "should be bother to check his computer just in case" checks, there is plenty support for not "IE/Windows" machines.

      Examples:
      Operating system Support: Windows 95/98/NT/2000/XP/2003 Server, Linux Kernel 2.4 and
      above, Solaris 8/9 both 32 & 64 bit, AIX, OSX.
        File systems supported by EnCase software: FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser
      (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS and jfs) LVM8, FFS (OpenBSD,
      NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, and
      TiVo® 1 and TiVo 2 file systems.
        EnCase software uniquely supports the imaging and analysis of RAID arrays, including hardware
      and software RAIDs. Forensic analysis of RAID sets is nearly impossible outside of the EnCase
      environment.
        Dynamic Disk Support for Windows 2000/XP/2003 Server.
        Ability to preview and acquire select Palm devices.
        Ability to interpret and analyze VMware, Microsoft Virtual PC, DD and SafeBack v2 image
      formats.

      Compound Document and File Analysis: Many files such as Microsoft Office documents, Outlook
      PSTs, TAR, GZ, thumbs.db and ZIP files store internal files and metadata that contain valuable
      information once exposed. EnCase automatically displays these internal files, file structures, data and
      metadata. Once these files have been virtually mounted within EnCase, they can be searched, documented
      and extracted in a number of different ways.

      File Finder: This feature automatically searches through the page file, unallocated clusters, selected files
      or an entire case, looking for predefined or custom file types. This feature differs from the standard
      search, because it looks through the defined areas for the file header information and sometimes the
      footer.

      Analysis: EnCase software has the ability to find, parse, analyze, display and document various
      types of email formats, including Outlook PSTs/OSTs ('97-'03), Outlook® Express DBXs, Lotus
      Notes NFS, webmail such as Hotmail, Netscape and Yahoo; UNIX mbox files like those used by
      Mac OS X; Netscape; Firefox; UNIX email applications; and AOL 6, 7, 8, 9. In some cases,
      EnCase can recover deleted files and depending on the email format, the status of the machine.

      Browser History Analysis: EnCase has powerful and selective search capabilities for Internet
      artifacts that can be done by device, browser type or user. EnCase can automatically parse,
      analyze and display various types of Internet and Windows history artifacts logged when websites
      or file directories are accessed through supported browsers, including Internet Explorer, Mozilla,
      Opera and Safari.
      • Re: (Score:3, Informative)

        by arth1 (260657)

        File systems supported by EnCase software: FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser
        (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS and jfs) LVM8, FFS (OpenBSD,
        NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, and
        TiVo® 1 and TiVo 2 file systems.

        Another good reason to use XFS then.

        In addition to it zeroing out any previously write-opened files when replaying the journal (which is why you get a bunch of files filled with NULL if you pull the plug on an XFS system -

  • A year ago... (Score:3, Interesting)

    by Lord Kano (13027) on Thursday May 31, 2007 @10:49PM (#19347117) Homepage Journal
    My girlfriend told me that her nephew was going to college for "Computer Forensics" and my immediate response was, when he's done all he'll be able to do is catch cheating spouses. People who are engaging in real criminal activity are already using strong crypto and it's getting easier every day.

    You just can't beat the numbers. If there is a 256 bit keyspace and a secure algorithm, you are not going to be able to crack the machine. I suppose that perhaps American and European law enforcement could take a page out of Israel's book and start using "strong persuasion" to get keys from suspects, but I don't imagine that happening any time soon.

    LK
    • Persuasion (Score:5, Insightful)

      by gillbates (106458) on Thursday May 31, 2007 @11:16PM (#19347357) Homepage Journal

      In 'Merica, we call it gitmo. Encrypshun don't fool us nohow, nosir.

      'fter all, if yah ain't guilty, watcha hidin' stuff fer? Dontcha know there's a war goin' on?

    • by Profane MuthaFucka (574406) * <busheatskok@gmail.com> on Thursday May 31, 2007 @11:49PM (#19347547) Homepage Journal
      Don't knock it. Catching cheating spouses is a great way to get laid. You've already established that they've got no problem sleeping with people other than their husbands, which is 90% of the battle usually.
    • Re:A year ago... (Score:4, Interesting)

      by Beryllium Sphere(tm) (193358) on Friday June 01, 2007 @12:17AM (#19347753) Homepage Journal
      Robert Morris Sr. gave a talk long ago about the two major rules of crypto. First, never underestimate how far someone will go to read your data (for example, hiring Alan Turing and inventing digital computers). Second, look for plaintext, which will pop up in unexpected places while you perfect the algorithm that create the ciphertext.

      If you typed a passphrase into a Windows machine, would you bet your freedom that the passphrase wouldn't show up in "strings /dev/hda", in a swap file, in an MRU list, or in the files of whatever spyware happened to infect that machine? Or that potentially incriminating file names wouldn't be tucked in the registry someplace?

      Hiding things on a general purpose computer is still hard, despite the availability of little-known but powerful techniques like the ATA commands to create an unreadable Host Protected Area, or simply to misreport available disk space (I'm waiting for the hack that takes advantage of the fact that a disk drive has tens of megs reserved for its own use, several megs of RAM, and a 32-bit processor: a 1990s desktop worth of machinery that nobody thinks of as a computer).

      Fearless prediction: technology will lose on both offense and defense. Successful police will flip accomplices, successful criminals will move to jurisdictions where they can form an under$tanding with the police, and anyone who tries to win a technological arms race will lose in the end.
  • Touch (Score:4, Interesting)

    by ShakaUVM (157947) on Thursday May 31, 2007 @10:57PM (#19347201) Homepage Journal
    >>Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator.

    Yes, yes.

    Five years ago (2002) there were five people (or less) that knew touch.

    Lol. The guy is a moron.

    I remember walking through a parking lot in college in 1996 and listening to a couple guys talk about how they would touch their files to make late homeworks appear as if they were done on time.

    About a year after that, UCSD switched to a turnin-based system. =)
    • Re: (Score:3, Funny)

      by dwater (72834)
      >>> ...on one hand...
      >
      >Yes, yes.
      >
      >Five years ago (2002) there were five people (or less) that knew touch.

      Er, assuming they're using 5 fingers (inc. thumb) then that should be *31* people or less...

      >
      >Lol. The guy is a moron.

      *He's* a moron?

      What's that strange gesture you're giving me with your hand? You trying to tell me '4' for some reason?? Hrm...odd.
  • Key quote (Score:3, Insightful)

    by gillbates (106458) on Thursday May 31, 2007 @11:03PM (#19347263) Homepage Journal

    They're using stego? Maybe we drop some stego on them.

    Yeah, cause my stego *ROCKS* yo!

    I'm thinking even the most avante-garde anti-forensics tool could fool this guy. Yeah, anti-forensics might be a problem for him, but last time I checked, having a future date on your warez or kiddie porn won't save you from prosecution. In fact, using something like Timestomp is more or less likely to convince the jury that you are indeed a criminal.

    And likewise, it takes a very *good* steganography tool to really hide things. Sure, you could fool your friends, but you aren't likely to fool a forensic investigator with a basic knowledge of statistics. Could I tell the difference between a good and mediocre steganography tool? Probably. Could the average criminal? Probably not. A mistake as simple as hiding your data in images gleaned from the web would be enough to trip someone up: Here's a hint - if the image looks the same as the one on the web, but the checksums don't match, something's up. I'm guessing a shell script could go through the hard drive and do most of the work for the investigator. 17 hours isn't so short anymore...

    If you don't want the cops to find it, use encryption. If you want deniability, use the double-xor technique mentioned in Bruce Shneier's Applied Cryptography. But don't bother thinking that bogus timestamps are going to foil any serious forensic investigator. The relative location of a file's blocks on the hard drive is going to give at least an approximate date of file creation, even if you do obliterate the timestamp, and every forensic investigator worth his salt knows this.

    • Re:Key quote (Score:4, Interesting)

      by arodland (127775) on Thursday May 31, 2007 @11:45PM (#19347521)
      Got a little something to hide? The point wasn't to provide deniability for your kiddie porn. The idea is more like, you rooted my machine, stole my data or did something evil with it, and now you want to cover your tracks. So you toast the logs as well as you can, you jumble up mtimes and permissions on files so that someone going back and doing forensics has a harder time establishing a pattern. The first step towards finding out who did something is figuring out when it was done, to find out who had access at that time, where to look in (non-compromised) logs, etc. So if you obscure that information you make it a little harder to trace things back to you. It's about hiding an identity, not data.
      • Ever since (Score:4, Insightful)

        by gillbates (106458) on Friday June 01, 2007 @12:35AM (#19347841) Homepage Journal

        I read Ken Thompson's Reflections on Trusting Trust [acm.org], it has always occurred to me that any computer crime is completely untraceable. It is only laziness on the part of the criminal which allows him to get caught. It is possible for someone to completely cover their tracks and leave no evidence of their actions.

        But it is also possible to log every action a hacker does. Erasing the logs doesn't do much when the compromised system is virtually hosted and every action recorded for later playback - on a system which isn't even visible to the hacker. And consider the possibility of tracing at the network level. It is possible to physically connect an ethernet chip to a network and capture all traffic on the network without ever joining the network. That is, the card can sniff the wire in a read-only mode without ever publishing its MAC address or responding to ARP queries. Even if the hacker does use encryption, can he really be sure that his machine hasn't been rooted and keylogged? Can today's hackers verify even the microcode inside their processors and BIOS? If he can cover his tracks, so can the FBI.

        How does a hacker know his rootkit isn't spying on him? Even if you have the source, a compromised compiler or assembler can still produce a compromised executable. Should you verify the executable by hand, you still have the possibility of a vulnerability in the processor's microcode. Something as simple as making any area of memory available to the NIC when a certain opcode sequence is executed could be hidden very well and provide a veritable back door to law enforcement.

        Unless you are willing to build your own computer from scratch and never connect it to a public network, you can never prove that you aren't compromised. Sure, we can talk statistics and likelihood and incentives and human factors and whatnot, but it doesn't change two fundamental aspects of the computer:

        1. Changing computer data at the most basic level can be done without leaving any evidence, and
        2. You can't prove the code you are running doesn't have security vulnerabilities without spending an inordinate and impractical amount of effort.

        Your averge user - heck, even most programmers and hackers - don't have the time to trace through every possible instruction path in the software they use. They aren't going to burn their own BIOS EEPROMs to be sure the BIOS isn't bugging them. They aren't going to surgically remove the processor's cover and verify the die pattern to be sure the microcode isn't compromised.

        Instead, they're going to trust the responses their computer shows them. Just like the rest of us - it's a gamble. Maybe the hacker compromised a bank - or maybe, the bank is in cahoots with the FBI, and he's just knocked over the honeypot. He won't know until he goes to the bank - and withdraws his cash, or gets arrested.

        Still a pretty big risk, imho.

        • Re: (Score:3, Insightful)

          by rtechie (244489)

          Even if the hacker does use encryption, can he really be sure that his machine hasn't been rooted and keylogged? Can today's hackers verify even the microcode inside their processors and BIOS? If he can cover his tracks, so can the FBI.

          Yeah, if you assume Orwellian powers on the part of the FBI. No, the FBI doesn't have secret backdoors in all the hardware and software because it would take a VERY short period of time before those backdoors became public knowledge, making them near-useless AND compromising everyone's security. This is exactly what has happened in the past and I don't see them repeating these mistakes. I can't think of a worse idea than the FBI distributing troyjan rootkits into the wild.

          Maybe the hacker compromised a bank - or maybe, the bank is in cahoots with the FBI, and he's just knocked over the honeypot. He won't know until he goes to the bank - and withdraws his cash, or gets arrested.

          I don't think you understand how

  • Tools (Score:4, Insightful)

    by Kythe (4779) on Thursday May 31, 2007 @11:11PM (#19347319)
    What would be interesting to me: a tool that deliberately modifies timestamps and/or creates ghost deleted files to tell a normal-looking story of computer use, when the actual history has been anything but.

    In other words, forensics tools can assemble the history of file use on a disk. If it's known that the disk was in use before a certain date, but no timestamps can be found before that date (on current or deleted files), one may suspect the disk was wiped at that point. Likewise, physical disk usage for a given file system type has known and studied statistical characteristics over time. If the statistics are off, if you don't find deleted file images where you expect them, you may suspect that the freespace was wiped, or that certain unused disk space that would normally contain deleted file images contained files that are now wiped.

    What happens when you have a tool that modifies timestamps on current and deleted files such that a normal distribution of them extend back before the date of disk wipe? Even worse, what happens if the tool can create "ghost" images of deleted files, in order to fool tools that look for normal statistical disk usage?

    Once you have such a tool, wiping a disk and starting over can literally be done undetectably. So much for worry about having to maintain disk drive evidence after being hit with a subpoena.
  • by flyingfsck (986395) on Thursday May 31, 2007 @11:31PM (#19347423)
    the modification date was'ntobe set the last time it shallhasbeen accessed...

    Uhh - got to work on my future imperfect past continuous tense.

To thine own self be true. (If not that, at least make some money.)

Working...