
New Anti-Forensics Tools Thwart Police

rabblerouzer writes "Antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator. 'Now it's hobby level.' Take, for example, TimeStomp. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified."
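
A consistency check for the timestamp pattern described in the summary above, as an added example (not from the article or from any forensic tool). The record layout, file names and sample values are constructed, and timestamps are assumed to be stored as Windows FILETIME values.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def to_filetime(dt):
    """Encode an aware datetime as a FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def from_filetime(ticks):
    """Decode a FILETIME; 0 is treated as 'never set'."""
    if ticks == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def audit(record, acquired):
    """Return the reasons a record's timestamps cannot be taken at face value."""
    stamps = {k: from_filetime(record[k]) for k in ("created", "modified", "accessed")}
    reasons = []
    for label, ts in stamps.items():
        if ts is None:
            reasons.append(f"{label} is unset")
        elif ts > acquired:
            # Nothing on the disk can postdate the moment it was imaged.
            reasons.append(f"{label} is after acquisition time")
    created, accessed = stamps["created"], stamps["accessed"]
    if created is not None and accessed is not None and created > accessed:
        reasons.append("created after accessed")
    # Deliberately not flagged: created later than modified. A copied file
    # gets a new creation time but keeps its old modification time.
    return reasons


def triage(records, acquired):
    """Map path -> reasons for every record with at least one anomaly."""
    flagged = {}
    for rec in records:
        reasons = audit(rec, acquired)
        if reasons:
            flagged[rec["path"]] = reasons
    return flagged


# Constructed sample: image acquired on 2007-06-01.
ACQUIRED = utc(2007, 6, 1)
SAMPLE = [
    {"path": "report.doc", "created": to_filetime(utc(2006, 1, 10)),
     "modified": to_filetime(utc(2006, 3, 1)), "accessed": to_filetime(utc(2007, 5, 30))},
    {"path": "copied.xls", "created": to_filetime(utc(2007, 1, 1)),
     "modified": to_filetime(utc(2005, 1, 1)), "accessed": to_filetime(utc(2007, 1, 1))},
    # The pattern from the summary: created in the future, accessed two years
    # ago, never modified.
    {"path": "stomped.exe", "created": to_filetime(utc(2017, 5, 31)),
     "modified": 0, "accessed": to_filetime(utc(2005, 5, 31))},
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE, ACQUIRED).items():
        print(path, "->", "; ".join(reasons))
```

A hit only shows that the metadata was tampered with or corrupted; it does not recover the original times.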
  • Print version (Score:4, Informative)

    by Anonymous Coward on Thursday May 31, 2007 @10:32PM (#19346991)
    http://www.cio.com/article/print/114550 [cio.com] - Print version so you don't have to go through ten pages to read it all.

    Anonymous coward so no Karma whoring today. :)
  • Re:Pfft. (Score:5, Informative)

    by the unbeliever ( 201915 ) <chris+slashdot&atlgeek,com> on Thursday May 31, 2007 @10:46PM (#19347089) Homepage
    Data can still be recovered. It may only be bits and pieces of files, but it can still be recovered. Clean room data recovery can do some pretty amazing things now.

    The only "sure" way is to melt down the platters and make pretty jewelry with them.
  • by Anonymous Coward on Thursday May 31, 2007 @10:56PM (#19347179)
    Pages of interest: Rubber-hose cryptanalysis [wikipedia.org] & Deniable encryption [wikipedia.org]

    Clearly you have quite a few problems if you're trying to hide something, and forensics can already read timestamps on your files!

    What would be a breakthrough is plausibly deniable encryption which can build fake partitions which look "real" and "used". For instance, it can automatically install an operating system to a hidden partition (that is meant to be given out to forensics after a little bit of a fight). Then it can create normal operating system usage such as email, web access, instant messenger marks, installation of new software over time, etc.

    The problem with deniable encryption at the moment is that the user can't justify the lack of activity on the open partition (and the lack of normal usage marks left behind), and therefore it is quite obvious to say that another hidden (and used) partition exists.

    Thermite is not an answer either because then it becomes obvious you were hiding something using extreme paranoia measures.

    Knowing that a user is playing anti-forensics tricks is quite easy. Proving it in court is most likely a different matter altogether.
  • Re:interesting (Score:5, Informative)

    by enrevanche ( 953125 ) on Thursday May 31, 2007 @11:02PM (#19347249)
    The date a track was written could possibly be analyzed by looking at how it was written at the microscopic level, but this would probably destroy the disk itself. It would be very expensive. As far as I know, this is only theory and has not actually been done. If somebody has a technique, I would hope that it would require a lot of peer-reviewed research to verify its validity. Anyway, the date a track was written may have nothing to do with the age of the data (file), as the OS may move files around for efficiency. This will not affect the timestamps of a file. The fact is that these timestamps are simply data written on the disk and can easily be changed.
  • by Kjella ( 173770 ) on Thursday May 31, 2007 @11:09PM (#19347301) Homepage
    Don't underestimate the tools - many forensic experts couldn't find their way at all outside the tool, but the tools are rather good at three things:
    1) Point them to "interesting" catalogs on most operating systems
    2) Read pretty much any filesystem, including the odd Linux/BSD variants
    3) Scan for files (keywords, against a hash db etc.) without booting your OS

    Encryption is the only thing that'll stand any serious investigation. Though I suppose it'll get you past the "should we bother to check his computer just in case" checks, there is plenty of support for non-"IE/Windows" machines.

    Examples:
    Operating system Support: Windows 95/98/NT/2000/XP/2003 Server, Linux Kernel 2.4 and
    above, Solaris 8/9 both 32 & 64 bit, AIX, OSX.
      File systems supported by EnCase software: FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser
    (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS and jfs) LVM8, FFS (OpenBSD,
    NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, and
    TiVo® 1 and TiVo 2 file systems.
      EnCase software uniquely supports the imaging and analysis of RAID arrays, including hardware
    and software RAIDs. Forensic analysis of RAID sets is nearly impossible outside of the EnCase
    environment.
      Dynamic Disk Support for Windows 2000/XP/2003 Server.
      Ability to preview and acquire select Palm devices.
      Ability to interpret and analyze VMware, Microsoft Virtual PC, DD and SafeBack v2 image
    formats.

    Compound Document and File Analysis: Many files such as Microsoft Office documents, Outlook
    PSTs, TAR, GZ, thumbs.db and ZIP files store internal files and metadata that contain valuable
    information once exposed. EnCase automatically displays these internal files, file structures, data and
    metadata. Once these files have been virtually mounted within EnCase, they can be searched, documented
    and extracted in a number of different ways.

    File Finder: This feature automatically searches through the page file, unallocated clusters, selected files
    or an entire case, looking for predefined or custom file types. This feature differs from the standard
    search, because it looks through the defined areas for the file header information and sometimes the
    footer.

    Analysis: EnCase software has the ability to find, parse, analyze, display and document various
    types of email formats, including Outlook PSTs/OSTs ('97-'03), Outlook® Express DBXs, Lotus
    Notes NFS, webmail such as Hotmail, Netscape and Yahoo; UNIX mbox files like those used by
    Mac OS X; Netscape; Firefox; UNIX email applications; and AOL 6, 7, 8, 9. In some cases,
    EnCase can recover deleted files and depending on the email format, the status of the machine.

    Browser History Analysis: EnCase has powerful and selective search capabilities for Internet
    artifacts that can be done by device, browser type or user. EnCase can automatically parse,
    analyze and display various types of Internet and Windows history artifacts logged when websites
    or file directories are accessed through supported browsers, including Internet Explorer, Mozilla,
    Opera and Safari.
  • Re:So... (Score:4, Informative)

    by RobertM1968 ( 951074 ) on Thursday May 31, 2007 @11:37PM (#19347459) Homepage Journal
    I'm not sure what parent is using, but I own a Netfinity, and it can be set up so that
    • Opening the case triggers some action (shut-down, lock-up, email/network/pager/phone alert, etc)
    • changing hardware in the machine triggers some action (shut-down, lock-up, email/network/pager/phone alert, etc)
    • a device failing triggers some action (shut-down, lock-up, email/network/pager/phone alert, etc)
    • Powering off the machine (via the soft-power through mobo switch) triggers some action (lock-up next start, email/network/pager/phone alert, etc)
    • shutting down the power supply (using the switches on the power supplies) triggers some action (lock-up next start, email/network/pager/phone alert even with no power, etc)
    • physically unplugging all 3 power cords triggers some action (lock-up on next start, email/network/pager/phone alert, etc even with no power)
    • cutting the power to the location instantaneously triggers some action (lock-up on next start, email/network/pager/phone alert, etc)
    • and on many models, trying to remove the unplugged unit from a building triggers some action (email/network/pager/phone alert, etc) - with the appropriate RFID station in said building.

    Parts of the machine stay on for a very long time without power, and the whole machine itself can take up to 30 seconds to power down with no power connected. The System Management board has its own internal power (though minimal), and most every hardware or power related issue gets logged into the hardware's system log - even with no power to the machine (i.e. pulling all plugs or hitting the circuit breaker will make the machine log a "No AC Power" with Time & Date stamp; and send out a notification - even though it has no AC power - before the machine drains what is stored internally).

    Pretty neat piece of machinery - and at 130lbs and a ridiculously high "guaranteed uptime" I guess such functions aren't much to expect. Even so, many far lower end Netfinitys and their Intellistation brethren have (had) at least a few of the same features/capabilities.

    I am presuming the replacement i Series e-Servers do as well - though that is just a presumption, and reality may be far different.

    -Robert

    PS: Making a home brew solution is very easy [though I think some boards natively support this through their "Case Tamper" pins which just need to be wired to a case intrusion switch (standard roller arm switch)]

  • Re:Tools (Score:1, Informative)

    by Anonymous Coward on Thursday May 31, 2007 @11:41PM (#19347497)
    How about this idea:

    Let's say you have 24 hours to hand in your PC for evidence. What you could do is re-install it from scratch after wiping the disk clean, and then use it for several hours doing many things that you would normally do (browse the web, install apps and things etc) and then use a script to back-date the dates on all files on your system spreading them out several weeks. Then you can say 'no I re-installed my PC about 3 weeks ago' and actually have it look like you used it for about an hour a day each day.
  • by arth1 ( 260657 ) on Thursday May 31, 2007 @11:52PM (#19347573) Homepage Journal

    File systems supported by EnCase software: FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser
    (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS and jfs) LVM8, FFS (OpenBSD,
    NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, and
    TiVo® 1 and TiVo 2 file systems.

    Another good reason to use XFS then.

    In addition to it zeroing out any previously write-opened files when replaying the journal (which is why you get a bunch of files filled with NULL if you pull the plug on an XFS system -- it's by design). And it having a defragmenter (xfs_fsr), which prevents dirty extents with confidential data from sticking around "forever".
    Oh, and it being fast and mature doesn't hurt either, nor does the support for security labels and alternate streams.

    Regards,
    --
    *Art
  • by Anonymous Coward on Friday June 01, 2007 @12:54AM (#19347941)
    And just to prove my point: it's not the encrypt-decrypt-encrypt that matters in triple DES, it's the fact that there's three rounds, not two. With two rounds, assuming a known plaintext attack, you can decrypt in one direction with all possible keys, encrypt in the other with all possible keys, and when you get a match, there's your keypair - reducing the search to a doubling of the original space, at the cost of some storage along the way.

    That's why (simplifying greatly) double DES is considered no more secure than single round DES, and why triple DES is only a doubling of the key length instead of tripling. There's no guarantee of increased security by layering encryption ...
  • Re:Pfft. (Score:4, Informative)

    by buysse ( 5473 ) on Friday June 01, 2007 @01:04AM (#19347977) Homepage
    Eh, I hate feeding trolls. Hey, anonymous weaselnuts? Disk crash is a valid, and descriptive, term for a disk failure. The heads don't touch the disk -- this ain't your fscking vinyl record. If they touch, or *crash*, into the disk surface, bad things happen. It's a crash. Valid term. More correct would be head crash. I've opened up a disk after the distinctive sound to see the beautiful half-millimeter deep groove in the surface of the platter and little strings of metal littering the inside. I've also sent disks that made the same distinctive sound to a data recovery service and gotten back data.
  • Re:Epically bad. (Score:3, Informative)

    by QuickFox ( 311231 ) on Friday June 01, 2007 @03:13AM (#19348589)

    Can you explain more of this please?
    I don't know how to make it any simpler. If compositing encryption functions makes things harder to break, we'd expect two applications of ROT13 to be stronger than one application of ROT13.
    I think your first explanation was quite clear to anyone who knows what ROT13 means, so my guess is that Travoltus needs to read this [wikipedia.org].
  • Re:Epically bad. (Score:5, Informative)

    by Anonymous Coward on Friday June 01, 2007 @03:16AM (#19348607)
    I'm not an NSA funded security researcher, but I'm also slightly less of an arrogant prick than "rjh". So to answer your question about layering encryption without getting into all the you're-not-even-worthy-to-be-asking-this-question crap, here's a brief layperson's answer:

    Essentially your idea is not a bad one, it's just a bit naive -- there are non-obvious subtleties which must be considered in order to make the idea work as well as you hope.

    One issue is that some encryption algorithms (called "groups") have the characteristic that when applied two consecutive times with different keys, the result is the same as if the algorithm was applied only once with some other third key. If this is the case for your favorite algorithm, then your plan adds no extra security compared to just encrypting once. And apparently it's not always easy to know whether this is the case for a complex algorithm, so you should assume the worst.

    Another issue is that if your adversary can guess some plaintext (e.g. by assuming it contains .doc or .jpg headers) they can use a technique that trades off storage for computation and break your multiple encryption much faster than you would have thought.

    One way to overcome these weaknesses is by applying your encryption in "EDE" (encrypt-decrypt-encrypt) mode, where you encrypt with one password, then "decrypt" with a second password (which is obviously not really decrypting but just making the scrambling that much more horrendous), and then encrypting again with a third password. Even this is not as secure as you might expect, but it's still pretty good.

    The well-known security and crypto expert Bruce Schneier has a great book called "Applied Cryptography" (Wiley, 2nd edition 1996, ISBN 0-471-11709-9) which is accessible to average smart, interested, non-NSA-funded Slashdot readers without advanced math degrees. It even has a brief chapter (15) on this exact topic. (Schneier has other great books too.)

    Despite his attitude, "rjh" is right in implying that our common sense is not trustworthy in the area of cryptography -- some of the world's smartest people devote their lives to this stuff and have come up with astonishing and often counterintuitive results. Smarter people than us have already studied this idea, which is basically a good one even though it has pitfalls. Don't let anyone make you feel stupid for having an idea or asking a good question.
  • by tomatensaft ( 661701 ) <tomatensaft@gmail. c o m> on Friday June 01, 2007 @03:58AM (#19348781)

    Fifth Amendment protections apply wherever and whenever an individual is compelled to testify. The U.S. Supreme Court has ruled that the privilege against self-incrimination applies whether the witness is in Federal or state court (see Malloy v. Hogan, 378 U.S. 1 (1964)), and whether the proceeding itself is criminal or civil (see McCarthy v. Arndstein, 266 U.S. 34 (1924)).
    http://en.wikipedia.org/wiki/Fifth_Amendment_to_the_United_States_Constitution [wikipedia.org] Read on. :)
  • by Anonymous Coward on Friday June 01, 2007 @04:08AM (#19348837)
    EnCase sucks at true forensic data recovery. Local police outfits might try and use this, but it is really the low end of true forensics work. It is ok for basic imaging and sifting through non-corrupt files, but hasn't got any advanced features such as finding a leftover 200msec portion of a movie file that was deleted 2 months ago (of which all file table/sector structure records are missing).

    More advanced agencies use something called iLook Investigator [ilook-forensics.org] which is only available for particular authorized agencies (around the world) to use.

    Or there are more listed on Wikipedia [wikipedia.org] (and some of them are free/open source).
  • by ifoxtrot ( 529292 ) on Friday June 01, 2007 @04:25AM (#19348931)
    Well there is a good reason why it's implemented as encrypt-decrypt-encrypt, but it's not for cryptographic strength. Instead this has its roots in the hardware backwards compatibility.
    That is to say that if you create an encrypt-decrypt-encrypt box and feed it the same key for all the crypto operations, you get plain DES encryption.
    (i.e. encrypt m with x = c, decrypt c with x = m, encrypt m with x = c). If you want proper 3 DES you just feed it different keys.

    So instead of having to create a box that does plain DES and triple DES, you can get plain DES using the same algorithm as the triple DES -- cheaper for the hardware manufacturers.
  • by Gordo_1 ( 256312 ) on Friday June 01, 2007 @04:30AM (#19348959)
    http://www.truecrypt.org/hiddenvolume.php [truecrypt.org]

    You're welcome.
  • Re:Indeed. (Score:3, Informative)

    by vux984 ( 928602 ) on Friday June 01, 2007 @04:34AM (#19348979)
    I mean, if you're dealing with a corrupt court where you're guilty until proven innocent, you don't even have to be using encryption to get screwed this way.

    If by Kangaroo court, you mean the DA already thinks he has enough on you between circumstantial evidence and a snitch.

    The DA might just as well accuse you of using steganography to hide illegal photos in random files spread all across your hard drive, which is equally impossible to disprove.

    You'd have a fairly strong defense against that accusation if your hard drive contains no steganography tools. That's sort of the issue with truecrypt - it doesn't prove you have child porn, or even a hidden volume, but it's not unreasonable to suppose you might, if you have truecrypt, there is other circumstantial evidence, and a 'snitch' who's just reliable enough of a witness to sway a jury.

  • by Magada ( 741361 ) on Friday June 01, 2007 @05:22AM (#19349207) Journal
    The short and curly of this paper is that the Curie temp for Fe(2)Nd is 250 degrees Celsius. An electric heater/oven should do the trick quite nicely. Dunno what happens to the platters at that temp, though.
  • Re:Pfft. (Score:1, Informative)

    by Anonymous Coward on Friday June 01, 2007 @07:23AM (#19349739)
    I thought you were full of it, but, http://www.hitachigst.com/hdd/library/whitepap/glassdisk/whiteglass.htm [hitachigst.com]. Interesting.
  • Re:Epically bad. (Score:3, Informative)

    by QCompson ( 675963 ) on Friday June 01, 2007 @07:43AM (#19349837)
    So you go to trial. So you're acquitted. But by the time you get acquitted, you're front page news in all the local newspapers. You're getting death threats. Your family is shunned. You get let go from your job because you're bringing too much controversy. Your life, not to put too fine a point on it, is fucked.

    And what does this have to do with hidden containers? Your life is fucked at the point that you are initially questioned or arrested. If the cops are going to be so underhanded as to pursue a conviction based on a possible hidden container premise, why do you think they would necessarily stop if you tried to "prove the existence of all your data"? What's to stop them from claiming you were hiding encrypted illegal files in the slack space, that they must have been recently erased, or even planting some? Why would these hypothetical corrupt evil policemen suddenly be your friend if you weren't using encryption?

    Besides, that is all irrelevant. You're discussing a strict liability crime. It doesn't matter how many tips or witnesses the prosecution may have against you. It's the possession that matters. The only thing worse than slashdot armchair lawyers are slashdot armchair legal scholars.
  • Re:Disk Wiping (Score:3, Informative)

    by ajs318 ( 655362 ) <sd_resp2@earthsh ... .co.uk minus bsd> on Friday June 01, 2007 @08:21AM (#19350087)
    No. For that matter, it's gone for good after one time. You don't even have to make sure all the most recent state transitions are the same direction (which would necessitate 2 passes unless all you're doing is EORing whatever's already there with 1; this is time-efficient, but also trivially reversible).

    Once upon a time, heads didn't track so precisely as they do today, and there were sometimes minute traces of data either side of the track; and once upon a time, magnetic media had a wide hysteresis loop that showed an obvious difference between, say, a 1 that used to have been a 0 and a 1 that had always been a 1. Since the Gutmann paper was written, data densities have increased by almost four orders of magnitude. Side traces are almost invisible, and each tiny dot of oxide is driven so far into saturation that it's next to impossible to tell whether it has been changed. The single thing most likely to frustrate the authorities' efforts to recover overwritten data by surface analysis would be the sun exploding before they got halfway -- that's the kind of timescale we're talking about. There has never been a documented case of overwritten data being successfully recovered.

    If the magnetic remanence effect were reliable, it would almost certainly have been exploited commercially to increase storage density. Until the advent of cheap solid-state RAM in the mid-1970s, all computer storage was magnetic; and every component in a computer system has fluctuated wildly in price. At some point in the past, such a storage device would definitely have been economically attractive. It never materialised, apart from a "trick recording" function on some reel-to-reel tape recorders, allowing you to shut off the current in the erase head {remember energised erase heads?} and superimpose one recording over another. Perhaps to add vocals to an instrumental track you had already laid down. Since (1) you couldn't listen to the old recording as you were making the new one and (2) it sounded like shite anyway, the feature was discontinued. Anybody sufficiently bothered by its omission could always plumb in their own trick-recording switch.

    On the other hand, there are several groups with a vested interest in making people believe the fallacy that data is recoverable after multiple overwrites. These include governments (because they want to give enemy governments the fear), intelligence agencies (because they don't want to admit to how they really found the data), data recovery specialists (because they don't want to admit defeat -- more often than not, there are old versions of data kicking around, since Windows only begins overwriting deleted files as a last resort, when it runs out of virgin disk space), HDD manufacturers (because persuading people to destroy perfectly good used HDDs means they will sell more new ones) and Jerry Bruckheimer (because it looks good on CSI).
  • by xtracto ( 837672 ) on Friday June 01, 2007 @09:48AM (#19350891) Journal
    The only thing I believe is a good idea is that if you encrypt it only once, they can try the different standard algorithms via "trial and error" until they get some plain text. Whereas if you put a second layer of encryption, they might not know they got the right algorithm/password as they will at most get the random-like bytes produced by your first encryption layer.
  • by Damiano ( 113039 ) on Friday June 01, 2007 @11:08AM (#19351945)
    IAAL and no you can't. Try to be funny and what they'll do is grant you immunity for anything revealed in the password itself. Then they'll force you to reveal the password or sit in jail for contempt. Once you reveal the password they can decrypt the drive and use that data in court (even if it's the same as the password).

    The real key here is that the 5th amendment protects you from testifying against yourself. Your "papers" are not considered testimony and not protected.

    Not legal advice, not your lawyer.
  • Re:It might...... (Score:3, Informative)

    by tinkerghost ( 944862 ) on Friday June 01, 2007 @12:21PM (#19353087) Homepage

    Please provide some links for this; it sounds deeply wrong to me. How would re-encrypting the already encrypted plaintext allow you to observe data shifting, when the point of encryption is to obscure the relationship between the plaintext and the ciphertext?

    Here is the wiki for Fourier Transformations [wikipedia.org]. The rough gist for our purpose is that when you composite elements (multiple encryption schema) you get a new schema with identifiable characteristics that can be reversed back to the original elements. I.e. FTIR works by using a FT to de-convolute a broad spectrum scan into individual frequency components. The math was ugly when I took it 15 years ago & entirely beyond me now.

    The same principles should apply to double encrypted systems - artifacts (elements introduced by the encryption algorithm itself & not part of the original file) from the first encryption should be identifiable by re-encrypting with a known encryption algorithm & masking against the known artifacts of double encrypting with differing base algorithms in combination with the known 2nd encryption schema.

    To look at it another way, you're not looking for the data, you're looking for the artifacts of the first encryption method. By applying a new function to the result of the first function, you're hoping to improve the signal/noise ratio & show those artifacts. At the proper scale, sin(x),cos(x),x=0.5 all appear to be flat lines, however the tan(sin(x)) clearly shows the variance at any scale. The same process applies to the encryption process - you should be able to identify the pseudo part of the random appearance of the encrypted data by reprocessing it in a given method. Note that it may take a specific algorithm for each encryption method to make the signal/noise ratio high enough to identify it as a match without actually decrypting the contents.

    Note that this still leaves you without a key, but at least you would know which decryption algorithm to be trying to match keys against.

  • Re:Epically bad. (Score:2, Informative)

    by ge ( 12698 ) on Friday June 01, 2007 @03:27PM (#19356219)
    DES does not form a group, i.e. there is no key K3 such that for all keys K1, K2, and all x, DES(K2, DES(K1, x)) == DES(K3, x). If it was, Triple-DES would be pointless. I believe the same is true for AES.

    EDE mode was used for Triple DES to make it backwards compatible with DES. By setting all three keys to the same value you effectively end up with single DES, a useful feature in some contexts. There's nothing particularly magical about EDE over EEE.
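
The points made in the comments above about double encryption, groups and EDE, as an added Python example that is not from any commenter. A constructed 16-bit toy Feistel cipher with a 12-bit key (an assumption standing in for DES so the search finishes instantly) shows a meet-in-the-middle search on double encryption costing about 2 × 2^12 cipher operations instead of 2^24, EDE with three equal keys collapsing to single encryption, and a byte-shift cipher (the ROT13 family) being closed under composition.

```python
KEY_BITS = 12
KEYSPACE = 1 << KEY_BITS
ROUNDS = 6
# Constructed byte-to-byte round table; a Feistel network is invertible
# whatever this function is.
SBOX = [((i * i * 5 + i * 3 + 7) % 251) ^ (i >> 2) for i in range(256)]


def _subkey(key, rnd):
    return ((key >> (rnd % 5)) ^ (0x3B * (rnd + 1))) & 0xFF


def encrypt(key, block):
    left, right = block >> 8, block & 0xFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ SBOX[right ^ _subkey(key, rnd)]
    return (left << 8) | right


def decrypt(key, block):
    left, right = block >> 8, block & 0xFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ SBOX[left ^ _subkey(key, rnd)], left
    return (left << 8) | right


def double_encrypt(k1, k2, block):
    return encrypt(k2, encrypt(k1, block))


def ede(k1, k2, k3, block):
    """Encrypt-decrypt-encrypt, the Triple DES construction."""
    return encrypt(k3, decrypt(k2, encrypt(k1, block)))


def known_pairs(k1, k2, plaintexts):
    return [(p, double_encrypt(k1, k2, p)) for p in plaintexts]


def meet_in_the_middle(pairs):
    """Recover (k1, k2) candidates from known plaintext/ciphertext pairs.

    Returns (candidates, ops), where ops counts the table-building
    encryptions plus the lookup decryptions, not the few verifications.
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    table = {}
    for k1 in range(KEYSPACE):            # forward half: E(k1, p0)
        table.setdefault(encrypt(k1, p0), []).append(k1)
    ops = KEYSPACE
    candidates = []
    for k2 in range(KEYSPACE):            # backward half: D(k2, c0)
        middle = decrypt(k2, c0)
        ops += 1
        for k1 in table.get(middle, ()):
            # A match on one pair can be a coincidence; confirm on the rest.
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                candidates.append((k1, k2))
    return candidates, ops


def shift(key, byte):
    return (byte + key) % 256


def shift_forms_group(k1, k2):
    """True if shift(k2) after shift(k1) equals one shift with key k1 + k2."""
    k3 = (k1 + k2) % 256
    return all(shift(k2, shift(k1, b)) == shift(k3, b) for b in range(256))


if __name__ == "__main__":
    K1, K2 = 0x5A3, 0xC17                 # constructed secret keys
    pairs = known_pairs(K1, K2, [0x2550, 0x4446, 0xD0CF])
    found, ops = meet_in_the_middle(pairs)
    print("candidates:", [(hex(a), hex(b)) for a, b in found])
    print("cipher operations:", ops, "vs brute force:", KEYSPACE ** 2)
    print("EDE with equal keys is single encryption:",
          ede(K1, K1, K1, 0x1234) == encrypt(K1, 0x1234))
    print("byte shift is a group:", shift_forms_group(13, 200))
```

The speed-up is paid for in memory: the table holds one entry per first-stage key, which is the storage cost the comments mention.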

  • by Danga ( 307709 ) on Friday June 01, 2007 @04:18PM (#19356985)
    The one and only tool I've ever heard of them using is Encase. If Encase can't find it, it doesn't exist in their world. It does do OS-X though.

    You are incorrect. I work as a software developer for a US company that specializes in computer forensic software and I work with investigators all over the world as well as the US. Encase definitely is the most widely used tool but it is most definitely not the only one, other tools similar to it are FTK (also widely popular) and something called iLook.

    Nearly all of the investigators I have talked to mainly use Encase for its case management capabilities which it is really good at. It does have many other capabilities such as searching but if Encase doesn't find what they are looking for they can and will use other tools that are available. For instance, Encase does not handle optical media well if the discs contain more than one track and/or has its file system(s) set up in a funny way among other things. By just using Encase data could be overlooked and that is where the software I work on comes into play because it is specialized just for optical media. There are also many other specialized forensic tools available and any decent investigator would look into them.

    Another thing I will mention is many people think if they use linux and/or OS-X that they are safe from many of the forensic tools and that is complete bullshit (even though it is true a lot of the forensic software is Windows only). It does not matter at all what OS you are running because standard operating procedure is to image all disk drives, seal up the drives, and then use forensic tools on the images and nearly all of the standard file systems are supported by some tool and even if you did use some obscure file system they could search the binary data (as long as it was not encrypted of course).

    I just thought I would straighten your perception out because while it did use to be true years ago it is not the case anymore. Computer forensics is a HUGE field that has been having HUGE growth for quite some time.
