
New Anti-Forensics Tools Thwart Police

rabblerouzer writes "Antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator. 'Now it's hobby level.' Take, for example, TimeStomp. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified."
  • Macs... (Score:5, Interesting)

    by Wizard Drongo ( 712526 ) <wizard_drongo@yah[ ]co.uk ['oo.' in gap]> on Thursday May 31, 2007 @10:33PM (#19346995)
    Hate to sound like an Apple fanboi, but even for those with something to hide that don't know much about computers at all, and therefore lack the know-how required to use these tools, simply using Mac OS X and turning on File-Vault, sad as it sounds, is enough to confound the majority of law enforcement. Most of the contractors that the police in the UK use are Windows only. I know for a fact that any Linux or 'specialist' computers get passed to a specialist data firm in Germany for decoding...
    Macs?
    Only in the most serious of cases are Macs in the UK sent for hacking if File-Vault's on. They go to Canada and take upwards of a year to crack. If ever.
    Unless you've done something pretty fucking serious, and the police know the evidence is on the machine, just can't prove it, they usually won't go to the expense.
    Of course, only the most stupid and inept of morons would be doing illegal shit and storing it on their computer without using the most powerful encryption possible, and only storing that which absolutely must be stored. Mind you, criminals are not usually noted for their cunning and intelligence....

    It goes without saying that the above does not translate to across the pond, nor does it apply on Security operations with terrorists and the like. How MI5 & MI6 do things is completely different and tends to involve some 'specialist' people from the likes of the I-corps and in-house solutions....
    I could elaborate, but I'm not THAT dumb.....
  • by porkThreeWays ( 895269 ) on Thursday May 31, 2007 @10:34PM (#19347009)
    Let me let everyone in on a dirty little secret about 99% of police computer forensics experts... they are less skilled than most 9 year olds at recovering vital information. Many of them use bootable disks that just check the hard drive for IE's cached files and history, etc, etc. Simple stuff a child could do. These people aren't doing complex low level block analysis. They are doing the level of recovery parents do at the end of the night to see what websites their children went on. Does it surprise anyone then it's extremely easy to fool them? God forbid you use encryption, an OS they aren't familiar with, or hardware they've never seen. They'll never recover anything.
  • Re:So... (Score:3, Interesting)

    by Kjella ( 173770 ) on Thursday May 31, 2007 @10:43PM (#19347073) Homepage
    Personally, I'm all for it! The timestomp tool they mentioned seems more for oh-shit scramble-the-evidence rather than general usage... that kind of timestamp manipulation can really frig up a system.

    I was thinking more in direction of "non-destructive fuckup of compromised machine", like say a machine you've trojaned. Make it hell to figure out how and what you've done. If you want to prevent forensic investigation on your own machine, encryption is much better than obfuscation.
  • Re:interesting (Score:3, Interesting)

    by Anonymous Coward on Thursday May 31, 2007 @10:47PM (#19347097)
    By physically examining the disk you could better determine the age of the data -- but this is not how digital evidence is usually collected.

    In fact, this just exposes how ludicrous courts' treatment of digital "evidence" is. The information they accept as evidence can be trivially faked. Think it sounds far-fetched to be framed for a crime? That's not so difficult when someone can just flip a few bits on your hard drive, maybe via a memory-resident-only exploit, then call in an anonymous tip to the police. There will be nothing on the drive to exonerate you. You could then easily spend years in prison for nothing.

    It's like the situation we face now with electronic voting, but easier to defraud than even that. The people making these laws and procedures seem to have no idea how computers actually work.
  • Touch? (Score:2, Interesting)

    by mattfata ( 1038858 ) on Thursday May 31, 2007 @10:48PM (#19347111)
    TimeStomp? ...can't `touch` and a bash script accomplish the same thing?
  • A year ago... (Score:3, Interesting)

    by Lord Kano ( 13027 ) on Thursday May 31, 2007 @10:49PM (#19347117) Homepage Journal
    My girlfriend told me that her nephew was going to college for "Computer Forensics" and my immediate response was, when he's done all he'll be able to do is catch cheating spouses. People who are engaging in real criminal activity are already using strong crypto and it's getting easier every day.

    You just can't beat the numbers. If there is a 256 bit keyspace and a secure algorithm, you are not going to be able to crack the machine. I suppose that perhaps American and European law enforcement could take a page out of Israel's book and start using "strong persuasion" to get keys from suspects, but I don't imagine that happening any time soon.

    LK
  • Touch (Score:4, Interesting)

    by ShakaUVM ( 157947 ) on Thursday May 31, 2007 @10:57PM (#19347201) Homepage Journal
    >>Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator.

    Yes, yes.

    Five years ago (2002) there were five people (or less) that knew touch.

    Lol. The guy is a moron.

    I remember walking through a parking lot in college in 1996 and listening to a couple guys talk about how they would touch their files to make late homeworks appear as if they were done on time.

    About a year after that, UCSD switched to a turnin-based system. =)
  • by DownWithTheMan ( 797237 ) on Thursday May 31, 2007 @11:00PM (#19347221)
    Speaking of rootkits, from TFA:

    Linux servers have become a favorite home for memory- resident rootkits because they're so reliable. Rebooting a computer resets its memory. When you don't have to reboot, you don't clear the memory out, so whatever is there stays there, undetected.

    I don't mean to sound like a moron or naive but are Linux rootkits really that prevalent? After doing a quick google search for "rootkits for linux", I found a few for the old 2.0 and 2.2 Linux kernels... Have updates that have since come out made life that much harder for the hacking community? Anyone have an idea of what's going on here, because I'm really surprised to see them make the claim that Linux servers are a new favorite home for rootkits...
  • Re:So... (Score:5, Interesting)

    by X0563511 ( 793323 ) * on Thursday May 31, 2007 @11:00PM (#19347229) Homepage Journal
    It is. Hell, if people get sick of it all and the shit hits the wall, I'll be right up there with the 'enemy' pushing for real freedom.

    Yes, I don't care If I get flagged for that. I care for my liberty.
  • Re:A year ago... (Score:2, Interesting)

    by taoman1 ( 1050536 ) on Thursday May 31, 2007 @11:40PM (#19347483)
    Well, they can do a little more than that. Child porn collectors are busted every day using Encase [guidancesoftware.com].
  • Re:Key quote (Score:4, Interesting)

    by arodland ( 127775 ) on Thursday May 31, 2007 @11:45PM (#19347521)
    Got a little something to hide? The point wasn't to provide deniability for your kiddie porn. The idea is more like, you rooted my machine, stole my data or did something evil with it, and now you want to cover your tracks. So you toast the logs as well as you can, you jumble up mtimes and permissions on files so that someone going back and doing forensics has a harder time establishing a pattern. The first step towards finding out who did something is figuring out when it was done, to find out who had access at that time, where to look in (non-compromised) logs, etc. So if you obscure that information you make it a little harder to trace things back to you. It's about hiding an identity, not data.
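The timeline problem described in the comment above, seen from the examiner's side, as an added example that is not part of the original thread: a sanity check over file timestamps that flags the kind of impossible ordering the story summary mentions. The record layout, file paths, acquisition time and finding names are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class FileTimes:
    """One file's timestamps as exported from a filesystem timeline (constructed layout)."""
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


def check_times(rec, acquired_at, skew=timedelta(minutes=5)):
    """Return a list of findings for one record.

    Findings are leads for manual review, not proof of tampering:
    clock drift, archive extraction and file copies can all produce
    odd-looking timestamps on an untouched system.
    """
    findings = []
    stamps = {"created": rec.created, "modified": rec.modified, "accessed": rec.accessed}

    # 1. Nothing on the disk can be newer than the moment it was imaged.
    for name, ts in stamps.items():
        if ts > acquired_at + skew:
            findings.append(f"{name}_in_future")

    # 2. A file cannot normally be read before it exists.
    if rec.accessed + skew < rec.created:
        findings.append("accessed_before_created")

    # 3. Heuristic: on a filesystem that stores sub-second timestamps
    #    (NTFS does, FAT does not), three values that all land exactly
    #    on a whole second suggest they were set by a tool rather than
    #    by normal file activity.
    if all(ts.microsecond == 0 for ts in stamps.values()):
        findings.append("no_subsecond_precision")

    return findings


def scan(records, acquired_at):
    """Map path -> findings for every record that has at least one finding."""
    report = {}
    for rec in records:
        findings = check_times(rec, acquired_at)
        if findings:
            report[rec.path] = findings
    return report


# Constructed sample data; the acquisition time is an assumption.
ACQUIRED_AT = datetime(2007, 6, 1, 12, 0, 0, tzinfo=UTC)
SAMPLE_RECORDS = [
    # Ordinary file: consistent ordering, sub-second precision present.
    FileTimes("C:/docs/report.doc",
              datetime(2007, 3, 2, 9, 15, 22, 481000, tzinfo=UTC),
              datetime(2007, 4, 11, 16, 40, 3, 120000, tzinfo=UTC),
              datetime(2007, 5, 30, 8, 1, 47, 903000, tzinfo=UTC)),
    # Loosely modelled on the summary: created ten years ahead, accessed two years ago.
    FileTimes("C:/temp/tool.exe",
              datetime(2017, 5, 31, 0, 0, 0, tzinfo=UTC),
              datetime(2005, 5, 31, 0, 0, 0, tzinfo=UTC),
              datetime(2005, 5, 31, 0, 0, 0, tzinfo=UTC)),
    # Plausible ordering, but every value sits on a whole second.
    FileTimes("C:/temp/notes.txt",
              datetime(2007, 5, 1, 10, 0, 0, tzinfo=UTC),
              datetime(2007, 5, 2, 11, 0, 0, tzinfo=UTC),
              datetime(2007, 5, 3, 12, 0, 0, tzinfo=UTC)),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_RECORDS, ACQUIRED_AT).items():
        print(f"{path}: {', '.join(findings)}")
```
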
  • Re:Pfft. (Score:5, Interesting)

    by andy_t_roo ( 912592 ) on Thursday May 31, 2007 @11:55PM (#19347597)
    Actually, that's a bit extreme, all you need to do is to heat it above the curie temperature (300-380 for Fe-Nd alloys) at this point the magnetic properties become completely dependent on the applied magnetic field, so as it cools down again, the only magnetization left is due to the Earth's magnetic field. Below this temperature you need to apply a strong magnetic field to reverse *most* of the magnetization (that's how normal recording works). As an added bonus if you do this in such a way as there are not dust contaminants (inductive heating of the platters in a vacuum) you still have a working drive.
  • Re:interesting (Score:5, Interesting)

    by dwandy ( 907337 ) on Friday June 01, 2007 @12:00AM (#19347643) Homepage Journal

    The people making these laws and procedures seem to have no idea how computers actually work.
    It continues to amaze me how the same people that accept that their computer crashes for no reason also accept anything printed by a computer is pure truth.
  • by Travoltus ( 110240 ) on Friday June 01, 2007 @12:09AM (#19347711) Journal
    Imagine a filesystem that is encrypted 3 times, in "headerless" fashion. What I mean by headerless is, whereas a zip file leaves reliable signatures identifying it as a zip file, this scheme would be a naked 128 or 256 or 1024 bit encrypted file (bear with me here) with no signature. There would be no way to even identify this file unless you managed to decrypt it with the right password and the exact corresponding decryption scheme. (It could be a zip file or a rar file or an arj file but you'd have to guess.)

    That's for the first layer. Then you use the same (or different) scheme to scramble that already encrypted file again. With the same or different password.

    Then you do it a third time.

    Granted this would take a hell of a lot of computing power and a single bit of data corruption would screw you royally (which calls for more advanced recovery techniques which leads to some weaknesses...), but the effect is this.

    First, you get the hard drive and the whole filesystem is encrypted. It's utterly garbage to you. You don't know which scheme was used to encrypt it. You certainly don't know the password. But you may know it's triple layer encrypted. Or double, or quad.

    What is certain is, if you get the correct encryption scheme AND the password for that first layer, the decrypted file is STILL GARBAGE. You don't really know if you got the correct information or not, because you're still looking at a "headerless" pile of garbage data. Good luck guessing that second layer because no matter what, you still get a pile of incoherent garbage.

    If you've done this to all your files on your hard drives, DVDs and CDs, this is where you demand your Constitutional right (in the United States) to a SPEEDY trial and then plead the Fifth Amendment in court when asked for your password/encryption schemes. Why? Because if I'm right, the police and their descendants down to the 7th generation will have died of old age before they figure out the 2nd layer, much less the 3rd.

    Mind you, the cops may have slapped a keylogger on your system ahead of time. If that's the case, you're screwed.

    Lawyers and hackers, please rip my idea to pieces and tell me what you think...
  • Re:A year ago... (Score:4, Interesting)

    by Beryllium Sphere(tm) ( 193358 ) on Friday June 01, 2007 @12:17AM (#19347753) Journal
    Robert Morris Sr. gave a talk long ago about the two major rules of crypto. First, never underestimate how far someone will go to read your data (for example, hiring Alan Turing and inventing digital computers). Second, look for plaintext, which will pop up in unexpected places while you perfect the algorithm that creates the ciphertext.

    If you typed a passphrase into a Windows machine, would you bet your freedom that the passphrase wouldn't show up in "strings /dev/hda", in a swap file, in an MRU list, or in the files of whatever spyware happened to infect that machine? Or that potentially incriminating file names wouldn't be tucked in the registry someplace?

    Hiding things on a general purpose computer is still hard, despite the availability of little-known but powerful techniques like the ATA commands to create an unreadable Host Protected Area, or simply to misreport available disk space (I'm waiting for the hack that takes advantage of the fact that a disk drive has tens of megs reserved for its own use, several megs of RAM, and a 32-bit processor: a 1990s desktop worth of machinery that nobody thinks of as a computer).

    Fearless prediction: technology will lose on both offense and defense. Successful police will flip accomplices, successful criminals will move to jurisdictions where they can form an under$tanding with the police, and anyone who tries to win a technological arms race will lose in the end.
  • Re:Pfft. (Score:5, Interesting)

    by Daniel Dvorkin ( 106857 ) * on Friday June 01, 2007 @12:20AM (#19347765) Homepage Journal
    When I suffered a bizarrely bad disk crash (i.e., it crashed in an odd way that was much more destructive, and made the data much harder to recover, than most crashes; I've forgotten most of the details, but I remember that) a few years ago, I took my disk to a recovery specialist that does, among other things, contract work for the FBI. I got a brief glimpse inside their clean room. They had disks that had been pounded with hammers, run over with trucks, immersed in salt water ... you name it, these guys could get data off it.
  • Re:Ah, the police... (Score:4, Interesting)

    by Shads ( 4567 ) <shadusNO@SPAMshadus.org> on Friday June 01, 2007 @12:51AM (#19347931) Homepage Journal
    I think you're making a big assumption there, I've worked for the government and with the police on several occasions... thus far I wouldn't consider most of them competent beyond a first year systems administrator, they have a lot of books that explain processes to them that were written by someone far more intelligent but often have to consult with someone who knows their shit to even complete the more difficult processes. If you do something that falls far outside their realm of commonly available and used encryption, knowledge, etc... you stand a fair chance of them not being able to break it *IF* you're not someone they consider a big fish. If you're someone they consider a big fish, they'll keep calling in bigger guns until they do get someone who can do whatever needs done to get into your data. Keep a nice sized tub of thermite on top of your pc that runs the full length with a magnesium strip in it and connect it to something that can ignite it... if you see them coming and can ignite it before they get to you, there won't be a pc and potentially a standing room by the time it finishes burning out... shy that, if they got undamaged physical hardware... they can get the data eventually if you're important enough.
  • Re:So... (Score:3, Interesting)

    by cryptoluddite ( 658517 ) on Friday June 01, 2007 @01:40AM (#19348169)

    I was thinking more in direction of "non-destructive fuckup of compromised machine", like say a machine you've trojaned. Make it hell to figure out how and what you've done. If you want to prevent forensic investigation on your own machine, encryption is much better than obfuscation.
    Well let's see, Mr. Anderson has a huge encrypted file and his computer asks for his private key when it boots up vs. Mr. Anderson with a bunch of files with messed up timestamps. The former says "I'm guilty" whereas the latter says "Poor me I got hacked.. and they put lots of bad stuff on my computer too!". Just because it's a jury of your peers doesn't mean they aren't incompetent boobs that will convict just because they feel like you probably did "something".

    Sure the fact that there is no actual evidence against you *should* get the case dismissed right away, but I doubt it would. I bet the prosecutor would be even more inclined to prosecute since he 'knows' you must have done something and you aren't going to get a plea because they know you have something they want, so they'll club you over the head with a life sentence so they can get the key. Or just keep you in jail indefinitely until you give the key, which they can do... although jail is a lot better than prison from what I understand.

    Best not to do something convictable... but in today's world it's pretty hard to know what could be a crime. The police seem to just arrest first and then figure out if there's any crime because even they don't know. Hell they just arrested somebody for paying with $2 bills for Christ's sake. Welcome to the land of the free.
  • by Travoltus ( 110240 ) on Friday June 01, 2007 @01:45AM (#19348193) Journal
    Ok you've got me thinking... speaking of stored passwords, what if you've entered the passwords and they're still stored in RAM when the cops nab your machine?

    The problem here is if you do not store the passwords in RAM, you'll be asked for the password every time you, say, access a jpg file or delve into the webcache. That potentially means retyping in 3 passwords a million bajillion times. If you do store it in volatile RAM, you could leave open a narrow window of opportunity for the cops which becomes a gaping fjord of opportunity if they bring forensics with them to obtain a ramdump.

    Leaving the machine running when you're gone, drastically exponentiates the risk, and I pity the rocket scientist who puts their PC in hibernate mode (thereby freezing all data in RAM onto a virtual file on the disk which means even if you delete it, forensics can come and recover the dump). D'oh!!!
  • Re:Epically bad. (Score:3, Interesting)

    by Travoltus ( 110240 ) on Friday June 01, 2007 @01:56AM (#19348233) Journal

    First, what do you mean by a file "without signature"? Take a zip archive as an example--even if you strip off the zip header, any forensicist worth his or her salt can figure out it's a zip archive, just because of the way the data is structured. Encrypted filesystems have structure, too. A data forensicist can recognize an encrypted container on the basis of its structure. (Some people have recommended to you TrueCrypt in hidden volume mode. This is bogus. I'll explain that if you want.)

    That's true, I understand your point about how encrypted filesystems have structure. Why do you think hidden-volume mode TrueCrypt is bogus?

    Second, you appear to not understand how crypto works. Two layers are better than one, right? So double ROT13 encryption is stronger than single ROT13, right? You're running smack into a major, well-known area of crypto. A lot of ciphers do not composite themselves well. You are almost always better off just picking one algorithm with a strong keysize than a composition of multiple algorithms.

    Can you explain more of this please? I'm not sure I agree with this.

    Third, how do you plan on managing all of your keys? Key management is a thorny enough problem in the best of times. By relying on multiple keys you're multiplying the problem immensely.

    I for one put my passwords on a sticky note by the monitor.

    Just kidding. Sorry, couldn't help that!

    No, really, I'm good at keeping those "three keys" in my head. :)
  • Re:Epically bad. (Score:5, Interesting)

    by rjh ( 40933 ) <rjh@sixdemonbag.org> on Friday June 01, 2007 @02:22AM (#19348325)

    Why do you think hidden-volume mode TrueCrypt is bogus?
    Let's imagine that you've got a TrueCrypt container on your hard drive. The FBI gets a tip that you're involved in child porn. You get arrested. The DA has a jailhouse snitch who'll testify that you have kiddie porn. The DA has a forensicist who will testify that you've got an encrypted container on your disk drive. You don't want to be doing 10-to-25 in federal pound-me-in-the-ass prison, because you're a scrawny pimply-faced geek and you don't want to get married off to the biker with the most cigarettes. You tell the DA "... look, okay, here's the passphrase to my TrueCrypt container. See? There's just porn in there I was hiding from my wife! But everyone involved is over 18! Let me go! It's bogus!"

    The DA just smiles at you and says... "I'd like to see the hidden container inside that TrueCrypt volume. My forensicist says oftentimes people do that with TrueCrypt."

    You say "umm... there isn't a hidden container... there's nothing more there..."

    The DA continues to smile. "Prove it to me."

    You say "umm... I can't... that's exactly what TrueCrypt means when they say it's hidden... you can't prove it exists and you can't prove it doesn't exist..."

    The DA rises from the table. "Say hi to your husband for me when you meet him."

    Moral of the story: it is very, very important that you be able to prove the existence or nonexistence of your data.

    Can you explain more of this please?
    I don't know how to make it any simpler. If compositing encryption functions makes things harder to break, we'd expect two applications of ROT13 to be stronger than one application of ROT13. It doesn't work that way. And in an exactly similar way, two levels of AES may or may not be any better than a single layer of AES. Or one layer of Blowfish and one layer of 3DES. Or...

    If you want to get more sophisticated than this, you need to take a collegiate math course focusing on group theory.
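The ROT13 point from the post above, carried through for every shift key rather than just 13, as an added example that is not part of the original post: stacking two shift ciphers always equals one shift cipher, so a single pass over 26 keys still recovers the message. It demonstrates the shift-cipher family only and says nothing about AES, Blowfish or 3DES; the sample message and function names are constructed.

```python
import string

ALPHA = string.ascii_lowercase


def shift(text, k):
    """Shift cipher over a-z; ROT13 is the special case k = 13."""
    out = []
    for ch in text:
        if ch in ALPHA:
            out.append(ALPHA[(ALPHA.index(ch) + k) % 26])
        else:
            out.append(ch)  # leave spaces and punctuation alone
    return "".join(out)


def equivalent_single_key(k1, k2):
    """The one key that does the same job as applying k1 and then k2."""
    return (k1 + k2) % 26


def composition_is_closed(sample):
    """Check all 26 x 26 key pairs: two layers never leave the 26-key family."""
    return all(
        shift(shift(sample, k1), k2) == shift(sample, equivalent_single_key(k1, k2))
        for k1 in range(26)
        for k2 in range(26)
    )


def brute_force(ciphertext, crib):
    """Try every single key and keep those whose output contains a known word.

    The search is no larger for double-encrypted text, because the
    two layers collapsed into one key.
    """
    return [k for k in range(26) if crib in shift(ciphertext, -k)]


MESSAGE = "meet me at noon"  # constructed sample plaintext

if __name__ == "__main__":
    print(shift(shift(MESSAGE, 13), 13))        # two ROT13 layers: back to plaintext
    double = shift(shift(MESSAGE, 7), 11)       # two different keys
    print(double, brute_force(double, "noon"))  # one key recovers it
```
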
  • Re:interesting (Score:4, Interesting)

    by tbo ( 35008 ) on Friday June 01, 2007 @02:24AM (#19348345) Journal
    Disclaimer: I am a physicist.

    As far as I know, there has not been one scrap of evidence showing that past disk writes can be examined through microscopy, or any other kind of direct physical examination.

    The most powerful technique I know of would be Magnetic Force Microscopy (MFM), which is essentially a variant of AFM (Atomic Force Microscopy [veeco.com]) that uses a magnetized tip. When I was an undergraduate, I used AFM to image surface features as small as 50 nm, which a quick calculation shows to be comparable to the square root of the physical area used to store a bit on a modern hard drive. Presumably, somebody with more experience or better equipment could do better; it's not a difficult technique if you just want to learn the basics. To actually scan a hard drive in a reasonable amount of time would require a very specialized MFM machine, but I see no reason why such things wouldn't be available to various three-letter agencies.

    Now, I don't know whether there is any residual information to get from an overwritten bit, but it would surprise me if there wasn't, and if there is, it can probably be gotten with MFM, if not an easier technique.
  • Re:Epically bad. (Score:3, Interesting)

    by BalanceOfJudgement ( 962905 ) on Friday June 01, 2007 @02:43AM (#19348453) Homepage

    The DA continues to smile. "Prove it to me."


    You don't have to. It's HIS job to prove it IS there (e.g., you have to be proven GUILTY in a court of law, not NOT guilty. A subtle but important distinction). He can't strongarm you into giving up the hidden volume, if it exists, and if it doesn't exist, he especially can't.

    I was hoping you'd mention how the structured nature of the hidden volume is a dead giveaway. But you didn't say anything about that, leading me to think you don't believe it to be a problem. Right?
  • by Sycraft-fu ( 314770 ) on Friday June 01, 2007 @02:47AM (#19348467)
    You know nothing about the legal system. In our court system, you are innocent until proven guilty, the burden of proof is on the state. So you don't have to prove there isn't a hidden volume, they have to prove there is. Given that there seems to be no way to do this, they can't make their case. You can't speculate that something might be there. That's one of the most fundamental objections they teach lawyers "Objection, speculation." So all they have is that you have a volume of legal porn, and someone of questionable reputation claiming you have more, assuming they could even get the testimony in (the CI would have to have firsthand knowledge, otherwise it's hearsay). That doesn't meet the standard of beyond a reasonable doubt, doesn't even come close. It is perfectly reasonable to believe that someone might want to encrypt their porn. I'm sure many people do, simply because most people are somewhat embarrassed about it and don't want others to see.

    DA's don't get to send people to jail just because they think there is a crime being committed. Hell it takes more than that just to get a warrant and to get past pretrial. You have to prove it beyond a reasonable doubt to land someone in jail. Saying "Well they MIGHT have hidden data!" doesn't cut it and, as I said, isn't even admissible in court. When you get down to it, you can never prove beyond any doubt that you've no hidden data. Maybe you've a really great steganography program and it is hidden as noise in music files. No way to prove or disprove that. However as a defendant you don't have to disprove it, it is the prosecution's responsibility to prove it and if they can't, well then you go free.

    Why do you think there are so many people, who are known to be criminals to the police, that walk free? Because knowing and being able to prove it in court are two real different things. Cops may know someone is a drug dealer, but that won't even get a warrant, much less a conviction. They've got to have enough evidence to prove it beyond a reasonable doubt.
  • by _Sprocket_ ( 42527 ) on Friday June 01, 2007 @02:53AM (#19348497)

    So that means one of two things:
    1. Smart people aren't trading in child pornography or
    2. Smart people weren't caught to begin with, and still aren't


    Well - you've got to keep in mind the context of our discussion. We were going out to lunch and I'm not exactly sure how it started... but I was mentioning Zimmerman's woes over PGP and she said "oh yeah - I was one of the investigators on that one." We then talked a bit about the good and bad uses of PGP (she had always seen PGP as nefarious until coming to work for our group). And when the conversation progressed to what she was doing after the PGP investigation she mentioned her years of investigating child pornography rings. I couldn't help linking the two parts of our conversation together with the question of how many of the badguys she investigated used encryption... and how many specifically used PGP. That's when she noted that the guys she investigated weren't very advanced when it came to information technology ("They just weren't that smart.").

    I'm sure there are "smart" purveyors of kiddie porn. Almost any crime involves at least a small percentage of knowledgeable, intelligent criminals. Maybe her group just didn't catch any. But that's not the point. The important thing to consider is that for this particular criminal culture, encryption wasn't a part of the standard tool set. And one of the assumed evils of PGP hadn't come to pass.


    And it probably shows just how stillborn general encryption of mail is. If average people don't learn that under threats of years in prison, what could possibly make regular people do it?


    How many criminals believe they're going to get caught? And how many people (who aren't even criminals) have the right mindset to handle security issues? I would say the answer to both are "very few". Having said that... my impression is that encryption is much more commonplace among kiddie porn rings. I don't track criminal cases involving child pornography. But I do occasionally discuss cases where a system has been compromised and used for trafficking illicit data (child porn, warez, financial information, etc.). It is becoming more and more common to find that data in encrypted archives.
  • Re:Pfft. (Score:5, Interesting)

    by Gordonjcp ( 186804 ) on Friday June 01, 2007 @03:46AM (#19348735) Homepage
    Yeah, but at what point does recovering the data become prohibitively expensive?

    At the point where the disk has been entirely overwritten *once* with data. In theory, someone with very specialised equipment could pick out the residual flux transitions from the new ones. However, modern (or rather, disks larger than tens of gigabytes) use a different modulation scheme similar to QAM, and once that is overwritten the old data is irretrievably gone.
  • Re:Pfft. (Score:5, Interesting)

    by networkBoy ( 774728 ) on Friday June 01, 2007 @03:51AM (#19348759) Journal
    That drive you opened was old then eh?
    Most current drives are glass platters. I found this out when I had a batch of DeathStars go bad. IBM wanted the drives back for RMA, but we had company restricted secret data on the disks... I informed IBM of the dilemma and that I would be drilling a pair of holes in the platters. When I did I heard a crunch sound, followed by broken shards of glass coming out the holes.
    Got replacement drives in no problem.
    -nB
  • Re:Disk Wiping (Score:3, Interesting)

    by Opportunist ( 166417 ) on Friday June 01, 2007 @05:06AM (#19349127)
    It's usually quite possible, it depends generally on what you overwrite with, how you do it and how often you do it.

    Just filling the blanks with zeros, it's quite trivial to recover the data underneath. Filling it with random static makes it harder. Filling it 3 times makes it even harder. Filling it 30 times adds another layer of hardship.

    Generally, though, you can assume this to be a lim 1/x function. It gets harder and harder to recover anything, to the point where you would really have to warrant the expense (in time and money), but the chance never becomes zero. Even after a hundred random static overwrites, there is still a chance.

    The reason for this lies in the way HDs work (someone with more knowledge about the physical properties of HDs should probably explain that rather than me). In general, though, you may assume that 3-7 overwrites with static is good enough for almost any application, unless you're a top level terrorist and they know you deleted Osama's current address and phone number.
  • by CurlyG ( 8268 ) * on Friday June 01, 2007 @05:31AM (#19349253)
    I believe the parent poster was speaking in terms of removing the platter from the drive and heating it in some sort of induction heater [wikipedia.org]. This allows precise control of temperature and only directly heats conductive materials. Building one requires only some fairly simple electronics [richieburnett.co.uk] (scroll down for action shots).
  • Re:Epically bad. (Score:5, Interesting)

    by davFr ( 679391 ) on Friday June 01, 2007 @07:23AM (#19349735)

    I don't know how to make it any simpler. If compositing encryption functions makes things harder to break, we'd expect two applications of ROT13 to be stronger than one application of ROT13.

    It is a cryptanalysis problem. Encryption schemes are designed so that your clear text will become close-to-random garbage when encrypted. Why? Because if it is not random, forensics can do statistical analysis on the crypted data 1/ to identify the encryption algorithm, 2/ to try to guess the encryption key (http://en.wikipedia.org/wiki/Cryptanalysis/ [wikipedia.org] for more details).

    If you crypt your text twice (or more) you modify the entropy of the encryption scheme, and the encrypted data will not be optimally close to random data. As a conclusion, encrypting twice made your data less robust to forensics.
  • Re:Ever since (Score:1, Interesting)

    by Anonymous Coward on Friday June 01, 2007 @08:42AM (#19350207)

    How does a hacker know his rootkit isn't spying on him?
    This has happened in the past at least once that I know of, with t0rnkit [wired.com], a precompiled script-kiddy friendly (and not very good) kit for Linux. Being precompiled made it trivial to use (just run the install script), but also hid the fact it was backdoored and sent an alert packet back to its creator upon install ... it got used in the payload for the L1on worm, presumably they didn't know about the backdoor either. T0rnkit's creator eventually got arrested (don't know if he was convicted though.)
  • by curlynoodle ( 1004465 ) on Friday June 01, 2007 @09:09AM (#19350481) Homepage
    Nearly any data can be recovered given enough time and budget (much like cracking encryption). I read awhile back that forensics can use an electron microscope to read bit-for-bit from severely damaged platters.

    The platter must be liquified or shredded to ensure no recovery.

  • Re:Pfft. (Score:2, Interesting)

    by Gibbs-Duhem ( 1058152 ) on Friday June 01, 2007 @01:07PM (#19353855)

    For those that are interested/know what this means, the Curie point for iron-cobalt alloys is around 930C. Platters are typically made of SiO2, which melts at 1830C. I'm pretty sure if you brought your disk to 930C, the data would be irrecoverable. Naturally, if you brought it up to 1830C, there won't even be a disk left.

    Both are readily achievable in an induction furnace. You can build your own for a few hundred dollars, provided you can give it enough current and provide a ceramic insulator.

  • Re:Pfft. (Score:3, Interesting)

    by Wolfrider ( 856 ) <kingneutron AT gmail DOT com> on Friday June 01, 2007 @02:09PM (#19354877) Homepage Journal
    Back it up anyway; maybe you can reproduce teh results with another prog. ;-)
  • by RedCard ( 302122 ) on Friday June 01, 2007 @03:20PM (#19356103)
    Article on one page (as opposed to *10* separate pages...)

    http://www.cio.com/article/print/114550 [cio.com]
  • Re:Pfft. (Score:2, Interesting)

    by LiquidCoooled ( 634315 ) on Friday June 01, 2007 @04:42PM (#19357323) Homepage Journal
    Not a bad idea!
    I've been treating the machine like it's a cripple when all along its the wonder cure.

    I think it will work with anything, I just stopped fixing it when I managed to get to a desktop and sims running.
    It really is just a shell of a system, there are over 1000 fileXXXX.chk files still sitting there.

    All this talking has made me guilty anyway I think I'm gonna repair it properly over the weekend.
    I'll just switch out the drive leaving the anomaly intact (!?) and reinstall from scratch.
  • Re:It might...... (Score:3, Interesting)

    by mattpalmer1086 ( 707360 ) on Friday June 01, 2007 @06:23PM (#19358621)
    That sounds almost plausible, but I still don't believe it. I've spent a year or two studying cryptanalysis. Fourier transforms on encrypted data have never featured in any modern cryptanalytic approaches I've heard of.

    The whole point of encryption is to minimise those statistical artifacts. By encrypting a ciphertext again, you are only applying more entropy to data that already appears quite random. If you don't already have any idea of the underlying plaintext, comparing one ciphertext with a re-encrypted version of the same ciphertext should not reveal anything at all about the original encryption scheme.

    I'm afraid I need some links to real papers about using Fourier transforms in cryptanalysis to accept this. I've googled for them myself, but I can't find any.
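
    An added illustration of the double-encryption question argued in this sub-thread (not code from any poster here): it measures byte-histogram entropy for ROT13 applied once and twice, and for a keyed cipher applied once and twice. The SHA-256 counter-mode keystream cipher, the keys and the sample text are all constructed for this example and are not a real encryption scheme.

```python
import codecs
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (max 8.0)."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def toy_stream_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream (illustration only)."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)


def compare_layers() -> dict:
    # Constructed sample plaintext: about 64 KiB of repetitive English text.
    text = "Forensic investigators poring over compromised systems. " * 1200
    plain = text.encode("ascii")
    # Two independent, constructed keys for the two encryption layers.
    once = toy_stream_encrypt(b"constructed-key-1", plain)
    twice = toy_stream_encrypt(b"constructed-key-2", once)
    rot_once = codecs.encode(text, "rot13")
    rot_twice = codecs.encode(rot_once, "rot13")
    return {
        "plain": shannon_entropy(plain),
        # A substitution only relabels symbols, so the histogram shape survives.
        "rot13": shannon_entropy(rot_once.encode("ascii")),
        "rot13_twice_is_plaintext": rot_twice == text,
        "encrypted_once": shannon_entropy(once),
        "encrypted_twice": shannon_entropy(twice),
    }


if __name__ == "__main__":
    for name, value in compare_layers().items():
        print(f"{name:26} {value}")
```

    Byte entropy is only a histogram test: it shows whether a layer leaves frequency artifacts, not whether a cipher is secure.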

  • by click2005 ( 921437 ) on Saturday June 02, 2007 @01:47PM (#19364359)
    Unless you use 09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c0 (or any code/sequence that you're not supposed to have) as your password/key. Now you can use the 5th to not incriminate you right?
