New Anti-Forensics Tools Thwart Police

rabblerouzer writes "Antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator. 'Now it's hobby level.' Take, for example, TimeStomp. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified."

Time Stamps?

[iminplaya]

Simple! Just cut the disk open and count the rings.

Pfft.

[RealGrouchy]

This has got to be old news. Over 112% of Slashdotters have been using these programs for years, since at least 3 months from now!

- RG>

Ah, the police...

[Icarus1919]

I always just keep a few magnets handy... just in case....

I prefer hardware solutions, rather than software ones.

deja vu

[Anonymous Coward]

Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified.

 
thats really odd, i seem to remember seeing something similar on our domain controller a few minu

Re:Pfft.

[trolltalk.com]

Gee, and I thought it was a free "feature" included with every version of Windows and DOS.

FILE0001.CHK
FILE0002.CHK
FILE0003.CHK
FILE0004.CHK
FILE0005.CHK
...
FILE9999.CHK
Unable to find COMMAND.COM. Please insert system disk and press reset.

Re:Time Stamps?

[iminplaya]

Yes, and notice how I modified the time stamp AND the comment number to make appear the parent is the first post.

Holy Crap

[stoneycoder]

They must be using some NSA type shit. From TFA:

He learned quite a bit through forensics. He learned, for example, that an aquarium employee had downloaded an audio file while eating a sandwich on her lunch break.

Now thats what i want, a tool that can tell if someone was eating a sandwhich while downloading a particular file.

Willunwhen the file istobe created...

[flyingfsck]

the modification date was'ntobe set the last time it shallhasbeen accessed...

Uhh - got to work on my future imperfect past continuous tense.

Re:Never trust the computer!

[flyingfsck]

Well, alternatively one could just use Windows ME on a FAT file system. That screws things up all by itself - no need for fancy tools.

Re:A year ago...

[Profane MuthaFucka]

Don't knock it. Catching cheating spouses is a great way to get laid. You've already established that they've got no problem sleeping with people other than their husbands, which is 90% of the battle usually.

Re:Holy Crap

[alohatiger]

Come on, all you have to do is check the MEAL_BREAK_MENU_DESCRIPTION meta tag

Re:Ah, the police...

[Simon80]

Normally, I'd be inclined to dismiss this tactic, but hey, if it works for the attorney general of the US...

Re:Touch

[dwater]

>>> ...on one hand...
>
>Yes, yes.
>
>Five years ago (2002) there were five people (or less) that knew touch.

Er, assuming they're using 5 fingers (inc. thumb) then that should be *31* people or less...

>
>Lol. The guy is a moron.

*He's* a moron?

What's that strange gesture you're giving me with your hand? You trying to tell me '4' for some reason?? Hrm...odd.

Re:Here's a real good one

[zippthorne]

You should use ROT-9 followed by ROT-8 followed by ROT-9 again. ROT-13 is pretty weak, but if you use different numbers, apply encryption multiple times, your data will be much safer. TripleROT (9,8,9) is a standard by which all other methods are measured. All without requiring some fancy scheme concocted by guys with foreign-sounding names. Would you trust your security to a foreigner? with a beard?

Oh, and IIRC, withholding the password would be obstruction of justice (assuming they obtained a warrant for the data protected by the password, as per the 4th amendment)

Re:Here's a real good one

[RyuuzakiTetsuya]

just do some petty theft on top of that and overflow it back to 0x01.

withholding the password

[cbr2702]

withholding the password would be obstruction of justice

Couldn't you choose an incriminating password and plead the 5th?

Re:Here's a real good one

[mobby_6kl]

> I didn't think encrpyting data twice or more over increased it's level of security.

Well, it usually does. Unless, of cousre, you're using ROT-13 for your original encryption.

Re:Pfft.

[bentcd]

I say we take off and nuke the platters from orbit.

It's the only way to be sure.

Re:Working drive at 700+F?

[Anonymous Coward]

Sacrebleu!

An electric heater/oven should do the trick quite nicely.

Nonsense, ovens are for cooking croissants, bread and onion soup!

Re:withholding the password

[Fred_A]

It seems to me that the best approach to this problem might be to have a password that self-destructs when it detects that someone is about to physically break into your system. This way, there is no password to give them and whoever it is that is trying to do this (whether it's the Man or bin Laden) there's simply no way for them to succeed. Just watch out for those false positives ...

In that case isn't the best way just to not know the password ? Just use whatever comes from /dev/urandom at the time to encrypt your data and you can't incrinimate yourself.

Re:Pfft.

[WhatAmIDoingHere]

What the hell are you running? Windows 95?

"Infact, its the fastest running, most secure version of windows ever."

But, like you said, you can't run anything on it either!

Re:Never trust the computer!

[digitig]

Oy! Now none of my makefiles work properly!

Re:oh geez... the "police"

[Anonymous Coward]

Where's the .torrent?

Re:Here's a real good one

[Anonymous Coward]

Yes. Everyone knows that double ROT-13 gives you the original data. Don't be silly. That's why I quadruple it.

No..... No, Just No.

[HalAtWork]

The DA just smiles at you and says... "I'd like to see the hidden container inside that TrueCrypt volume. My forensicist says oftentimes people do that with TrueCrypt."

You say "umm... there isn't a hidden container... there's nothing more there..."

The DA continues to smile. "Prove it to me."

You say "Actually, you have to prove to me that there's anything there to hide. You should know that I'm innocent until proven guilty."

Then you walk away scott free. The DA continues to smile for some reason, probably too much crack this morning.

Re:Pfft.

[QuantumFlux]

[...] we had company restricted secrete data on the disks... I informed IBM of the dilemma [...]

You 'secreted' what data on the disks!? That's disgusting... no wonder you didn't want IBM to get at the disks...