Linux and Forensic Discovery 260
Max Pyziur writes "Found this on cryptome.org where Linux is cited in a DOJ document against Moussaoui (sometimes referred to as the "20th man"). FBI: Moussaoui E-mail Not Recoverable - January 1, 2003." An interesting read which gives some insight into how computer evidence is handled in court.
This is a great example... (Score:4, Informative)
Heh, this seems to be a discussion about whether they used "approved methods" of retrieving a deleted email. According to one person, the LinuxGNU was the only one approved by NIST (national institute of standards and technologies). This of course, is wrong...NIST doesn't "approve" software, they just test it and declare whether or not it works.
". . . lawyers will argue over anything. " (Score:2, Funny)
KFG
Re:This is a great example... (Score:2)
In saying that, I was trying to convey the message that my comments were a summary of a portion of the discussion added to provide relevance to my comments. Sorry if this was confusing.
At least... (Score:3, Funny)
Secure File Deletion (Score:5, Informative)
Re:Secure File Deletion (Score:2)
From the man page: shred delete a file securely, first overwriting it to hide its contents
It comes with the fileutils package (on RedHat anyway). Can't see any differences between wipe and shred. Apart from the fact that one comes already installed. Is there any difference?
shred obsolescence (Score:3, Informative)
Re:shred obsolescence (Score:3, Informative)
Re:shred obsolescence (Score:3, Informative)
Re:Secure File Deletion (Score:4, Informative)
It seems that journaling filesystems like ext3 cause hell for secure deletions, because changes aren't always committed as the application level assumes and requires. Has anyone suggested a kernel/filesystem hook to make secure media deletions possible?
Re:Secure File Deletion (Score:3, Informative)
The hook is already there. The chattr can set a "secure delete" extented attribute on a file or directory which will make a subsequent normal rm perform a secure delete. However the man page says it's not implemented yet, but said man page hasn't been updated since kernel version 2.2.
Re:Secure File Deletion (Score:3, Informative)
Re:Secure File Deletion (Score:3, Interesting)
A little knowledge is a dangerous thing
0xff is the value for a string of all 1's and 0x00 is the value for a string of all 0's, but harddrives actually record entirely different bit sequences. And different harddrives use different encodings. Without knowing the specific encoding the current drive uses your best bet is probably to write random values.
-
Re:Secure File Deletion (Score:3, Interesting)
The only way to be sure is to nuke the hard drive from orbit. ;-)
Re:Secure File Deletion (Score:2, Insightful)
Re:Secure File Deletion (Score:5, Informative)
Re:How is wipe overkill? (Score:3, Informative)
The dude is in our local lug, http://www.sslug.dk/ and his name is Ole "perl" Tange.
You can get the program here
http://www.linux-kurser.dk/secure_harddisk_
Re:Secure File Deletion (Score:3, Interesting)
Re:Secure File Deletion (Score:2)
Check out secure delete [freshmeat.net].
Re:Eraser is the best for windows (Score:3, Informative)
At the current state of the art, your best bet is to buy a new disk, and make sure that you never put any unencrypted bits on it: use a cryptographic filesystem such as CFS, and make sure your swap is encrypted also. As Gutmann notes, you may also want to take measures to make sure that sensitive data doesn't sit in RAM too long (!).
Once data is in clear on disk, there's really no way to be sure it's gone except to physically destroy the platter.
Re:This is stupid (Score:2, Insightful)
Breaking News! (Score:4, Funny)
Oh Please! (Score:5, Interesting)
Re:Oh Please! (Score:3, Informative)
Re:Oh Please! (Score:2)
In fact dd is even overkill for this purpose. The same could be achieved by cat or something even simpler. This task is so simple that we shouldn't really care how they did it. I could have written a 42 line Turbo Pascal program under DOS that could do it.
Re: (Score:2)
Well said! (Score:3, Interesting)
This is not news, and the idea we should be getting all excited over this suggests that *nix is such a desperatly useless pos as to warrant mass praise whenever anyone actually finds a use. Is that really the message
NIST Computer Forensics Tool Testing (Score:5, Informative)
The test reults are abailable here:
http://www.ojp.usdoj.gov/nij/sciencetech/cftt.htm [usdoj.gov]
Re:NIST Computer Forensics Tool Testing (Score:2, Informative)
http://www.ncjrs.org/pdffiles1/nij/196352.pdf [ncjrs.org]
Re:NIST Computer Forensics Tool Testing (Score:2)
http://www.ncjrs.org/pdffiles1/nij/196352.
Wow, 62 pages for an evaluation of "dd". The whole source code of the program is just 20 pages.
Re:NIST Computer Forensics Tool Testing (Score:2, Funny)
electron microscopes (Score:4, Interesting)
The document states that image files were generated fo the contents of the hard drives. I do not have confidence that an image would also display latent data.
I know myself that when I do a data recovery on a system, I can get many more megs of recovered data from file fragments, deleted folders, etc than can fit on the drive. Most of this extra stuff ias junk data, but you get the idea.
There is no substitue for the original.
Recovery can require a minimum of specialized software or be as complicated as looking at the platters under an electron microscope. I see nothing here that indicates use of such specialized technology, and yet this is supposed to be a national security matter.
Re:electron microscopes (Score:4, Interesting)
It's pretty clear what "dd" images: the entire content of the hard disk drive as it is readable by its disk controller. It won't image residual data that has been erased.
I know myself that when I do a data recovery on a system, I can get many more megs of recovered data from file fragments, deleted folders, etc than can fit on the drive. Most of this extra stuff ias junk data, but you get the idea.
Unless your recovery efforts involve custom hardware, the disk image obtained with "dd", together with bad block information and drive geometry, contains every bit of information you are ever going to get out of that drive. Any software-based recovery working on that image is going to be equivalent to recovery working on the original drive.
Trying to recover data that has been physically overwritten, using analog methods or imaging, is so expensive and time consuming that it is feasible only in special cases.
Deep wizardry Re:electron microscopes (Score:2)
Unless your recovery efforts involve custom hardware, the disk image obtained with "dd", together with bad block information and drive geometry, contains every bit of information you are ever going to get out of that drive. Any software-based recovery working on that image is going to be equivalent to recovery working on the original drive.
Not so! Remember, when you're using dd, you're still using a relatively high level protocol to talk to the drive. If you can get the drive into a "test" mode, where you can talk to the actual registers on the drive, there's a heck of a lot more you can do. For example, on some drives, you could tweak the positional calibration registers and move the head fractional tracks, reading the data at each step, and maybe pick up some data at the edges of the track that wouldn't be picked up in the center. (You're hoping that there was a slight positional drift from when the data was written to when the data was erased).
Now actually getting the drive into "test" mode, talking to the registers, and knowing what the hell the registers actually do is very difficult; you're basicallly talking about documentation that only an engineer working at a drive manufacturer would have. (And of course, this stuff is all non-standard, since it's never supposed to be directly accessed...so each model or family of drives would have different capablilties) This is pretty much the definition of "deep magic." But for the select few who have access to that documentation, some amazing tricks are possible.
More info at Cryptome (Score:3, Informative)
19. The Initial September 2001 Inquiry at the Eagan, MN Kinkos: On October 17, 2002, I spoke with Minneapolis FBI Special Agent David Rapp. At that time, SA Rapp told me that, to the best of SA Rapps unrefreshed recollection, on or about September 19, 2001, SA Rapp went to the Kinkos store in Eagan, Minnesota, to inquire about a receipt found on the person of Zacarias Moussaoui at the time of his arrest. At that time, SA Rapp met with a person who represented himself as a Kinkos employee responsible for managing and maintaining customer computer workstations. At that time, the Kinkos employee informed SA Rapp, in substance, as follows:
(A) The Kinkos receipt did indicate that a computer workstation had been utilized;
(B) It could not be determined from the copy of the Moussaoui receipt alone which computer workstation was used;
(C) In response to SA Rapps inquiry about the possibility of acquiring any information from the computer workstations regarding the use of the computers by Moussaoui, the Kinkos employee stated that, since the date of the receipt, all computers had been wiped clean/formatted and started with a fresh install; and,
(D) The computer workstations were generally wiped weekly or bi-weekly approximately, even though Kinkos policy called for weekly wipings. At a minimum, the Eagan Kinkos store wiped the computers at least once per month.
[....]
21. Eagan Follow-up: On October 11, 2002, I requested that the Minneapolis FBI Field Office contact Kinkos personnel at the Eagan store and determine if, as alleged by the defense, the Kinkos computer could still maintain evidence of defendant Zacarias Moussaouis use from August 2001. On or about October 15, 2002, Special Agents Brendan Hansen and Christopher Lester visited the Eagan Kinkos and interviewed Brian Fay, who, as of August 11, 2001, was one of two Kinkos employees who knew how to restore an image onto the six computers with internet access designated for customer use. Mr. Fay stated that the six computers presently at the store are the same computers (with the same hard drives) that were present in August of 2001. These six computers are leased and scheduled to be replaced at the end of this year.
The computers are maintained by formatting the computers hard drives and reloading an image using Norton Ghost whenever business is slow and time allows. There are no logs recording the dates or frequency of loading images on to the computers and Fay could not estimate how frequently they were imaged. Although Fay was not personally familiar with the exact details of the formatting and imaging process he administers to the computers, Fay had been advised by Kinkos that the formatting and restoration process destroyed all files associated with previous users.
ouch
CRC/SHA-1/MD5 (Score:1, Interesting)
Are they saying that two different files can't have the same hash value? That's a load of crap! It's not hard at all to modify data to create any hash value that you want, especially when you're including "deleted space" in the CRC calculations... It's good at telling you if there were any random modifications caused by errors during copying, but not that the files are identical.
Easy? I don't think so... (Score:3, Insightful)
That kind of depends on the strength of the hash algorithm, wouldn't you say?
Re:CRC/SHA-1/MD5 (Score:2)
Re:CRC/SHA-1/MD5 (Score:3, Funny)
(The last post wasn't a mistake--it was my intentional FUD to keep the terrorist from figuring out RSA. Shhhh!)
Re:CRC/SHA-1/MD5 (Score:2)
Sorry if the over-the-top emphasis on the letters made your eyes hurt. I'm sure that a couple asprin will make the headache go away by morning.
Re:CRC/SHA-1/MD5 (Score:2)
Sorry, not even close.
MD5 has been compromised in a paper by Hans Dobbertin of the German Ministry of Information. The compromise is less than a total break but it is also now 8 years old.
MD5 uses only operations on 32 bit integers, addition, rotation and booleans. It does not use large integers of prime numbers.
Re:CRC/SHA-1/MD5 (Score:5, Informative)
From http://www.itl.nist.gov/fipspubs/fip180-1.htm [nist.gov]:
So yes, two different files can have the same hash, but it's infeasible to do this. That's why hashing methods like SHA are used in cryptography; SHA-1 is used in DSA signatures.Re:CRC/SHA-1/MD5 (Score:2)
CRC-32, sure. CRC is meant to check for small random transmission errors, not to function as a secure hash algorithm. But if you've figured out a way to force data to match a given SHA-1, you better get a press agent and a secretary because every crypto nut in the world is gonna call bullshit. And no, "trying lots of combinations" doesn't count.
Re:CRC/SHA-1/MD5 (Score:2)
If you *don't care* what the contents of the original disc are, as is the case with forensic investigation, only that the dupe acurately reflects it, than checking the hash value of both against each is a perfectly valid test.
What they're testing for here *is* random errors in the copy process, not intentional tampering.
KFG
Re:CRC/SHA-1/MD5 (Score:3, Informative)
There are no known examples of two files that have the same MD5 (or SHA-1) hash values, so I think you should reevaluate your statement. While it certainly is true that such files do exist (2^128 MD5 values, > 2^128 possible files, pigeon-hole principle, etc...), that does not mean that finding them is computationally easy or even possible.
A brute force search of files would require ~2^128 files to be search to find a match. If 2^32 computers each processed 2^16 files a second on average per year (60*60*24*365 20^30 seconds), then it would take greater than 2^50 years to find a match. Equivalently, the odds that any of the files that have ever been produced by humans have the same MD5 are pretty bad.
It might be possbile that a cryptographic flaw in MD5 exists that could be exploited to reduce the number of files that needed to be searched. I believe no such flaw is known. If one does exist, I'm quite sure it doesn't provide dramatic benefits.
Re:CRC/SHA-1/MD5 (Score:3, Interesting)
Sorry, my original message was kind of weak
The programs that the government uses to do the copy use CRC32, which is very easy to get around. The CRC32 values are listed in section 13 of the expert's affadavit. The government says that this is enough to authenticate the data.
SafeBack and the Logicube SFK-000A incorporate reliable internal CRC verification techniques, CART procedures do not require examiners to generate separate MD5 or SH-1 hashes for computers imaged using SafeBack or Logicube SFK-000A disk duplicator....All hard drives in this case were imaged by one of the three programs used by the FBI, all of which are recognized by the scientific community as reliable imaging programs. Thus, there should be no question about the authenticity of any of the hard drives.
In terms of autenticating evidence for use in court, shouldn't the government be using something stronger than CRC? If I were on the defense's side, I would tear this apart - the MD5 hash that they eventually received was taken well after the original image was created, leaving plenty of time to alter any data. There was ample opportunity for somebody (whether as part of a "government conspiracy" or as an overzealous investigator/prosecutor) to alter both the image and the original hard drive before taking the MD5 hash, and before the image was delivered to the defense as part of discovery. There's no use in having an MD5 hash if all it is doing is verifying that you have an exact copy of data that has been tampered with. The government should, as standard practice, take the MD5 hash before they even make the first image, and preserve that record along with other evidence. This would make it much more difficult for the defense to claim that the data presented in discovery or at trial is not authentic.
Re:CRC/SHA-1/MD5 (Score:2)
Actually, there are well known issues with MD5 that make it susceptible to collission searches, see:
H. Dobbertin, "The Status of MD5 After a Recent Attack", RSA Labs' CryptoBytes, Vol. 2 No. 2, Summer 1996.
http://www.rsa.com/rsalabs/pubs/cryptobytes.html
dont think that URL works anymore. This one does, in which Robshaw gives an overview of the problems:
ftp://ftp.rsa.com/pub/pdfs/bulletn4.pdf
Basically, it has been demonstrated by Dobertin in 1996 that data with a colliding hash can be found with 10 odd hours of processing from a (by now very low powered) PC. Admittedly only for the compression round of MD5, not for the full set of rounds specified by MD5, however it is feared that existing techniques (ie those used to break MD4) can be applied to MD5. (indeed this is what Dobertin demonstrated). TTBOMK there is no known collision attack against the full MD5 algorithm. (least not public knowledge anyway
So your assertion is incorrect with respect to MD5.
SHA-1 is currently considered to be safe from hash collission attacks. However, that is not really relevant as the FBI specifically are using CRC-32 and MD5.
However, presuming that the question is not one of the FBI having deliberately modified the images, it does not
Re:CRC/SHA-1/MD5 (Score:2)
I disagree.
Part of the MD5 algorithm is analytically weak, but that falls far short of an actual working attack for the whole thing. Researchers suspect that this weakness MIGHT eventually lead to an analytic attack against the whole of MD5, but as yet, no such attack exists. As Robshaw said: "While the existence of pseudo-collisions is significant on an analytical level, it is of less practical importance."
Moreover...
"Note that existing signatures that were generated using MD5 are likely to remain safe from compromise since it seems that current techniques used to cryptanalyze MD5 do not offer any advantage in finding a second preimage. Existing signatures should not be considered as being at risk of compromise at this point."
Re:CRC/SHA-1/MD5 (Score:2)
Re:CRC/SHA-1/MD5 (Score:2)
You only need to do 2^64 calculations if you share the results among the participating computers, including storing the original files. I did not posit any such abiilty.
Since there are ~2^80 atoms in the known universe, I think it unlikely that any such storage mechanism will ever be built.
Obvious Solitaire remark (Score:2)
I thought Solitaire only duplicated wasted work hours!
Ohhh, ohhhh.... (Score:2, Insightful)
Re:Ohhh, ohhhh.... (Score:2)
Hey, this is Slashdot. News for Nerds. Stuff that matters.
A lot of us are interested in things such as Linux and computer security. I found this document to be an interesting read, and I am glad it was posted on Slashdot.
email from his pc (Score:4, Funny)
Sept. 10, 2001
Zach,
We're going off flying tommorrow, hope to see you on the other side. Last one there gets the 70 ugliest virgins!
M. Atta
Re:email from his pc (Score:2, Funny)
So who did wind up getting the Slashdot editors?
FBI HQ originally denied e-mail search request (Score:4, Interesting)
(Recall that Massaoui was already in jail before Sep. 11. These pre-Sep. 11 e-mail search requests were rebuffed, according to FBI whistleblower Colleen Rowley.)
Privacy irony & national security (Score:4, Interesting)
You can't win -- bungling cuts both ways.
Anyone wonder why the heck the Minnesota FBI office went to Washington for a piddly search warrant, instead of their friendly local court? Because this was not an ordinary warrant, but a national security warrant designed to investigate suspected terrorists who might not have committed any crime to provide probable cause for a regular warrant. (You know, like Minority Report. OK, it's not that bad.
It will be interesting to see who gets blamed once all of the finger-pointing is over.
From NYT [missouri.edu] by James Risen*:
* Another little note -- James Risen with Jeff Gerth were the NYT reporters blamed with stoking the fire over Wen Ho Lee debacle. Of course, lots of people were blamed [fas.org] -- sound familiar?
Re:Privacy irony & national security (Score:2)
Re:Privacy irony & national security (Score:2)
Applications for this special warrant are only granted by a special "secret" court that sits in Washington, per the Foreign Intelligence Surveillance Act, and apparently the FBI central office has veto authority.
Moussaoui is the exception that proves the rule (Score:3, Insightful)
You say that the FBI was "too cautious" -- do you have any evidence that that was the motive?
I see no irony in being a privacy advocate while decrying FBI supervisors for denying the request to search Moussaoui's e-mail.
P.S. In another related story [underreported.com], the FBI supervisor who thwarted Rowley's investigation recently got a big cash bonus.
Re:Moussaoui was a goof (Score:2)
This will all be easier to judge once the 9/11 commission issues its report. What? There's no 9/11 commission? But it's been more thann a year! How could that be? (shock, outrage) My point is that the facts are there for the taking but a certain administration is actively resisting unearthing them. Not a conspiracy, just politics as usual.
Irony -- I meant it is ironic they didn't search when they should have, whereas elsewhere they have searched where they should not.
No, it's not (Score:2)
My own personal security is not enhanced in the least by an organization representing millions of heavily armed enforcers watching my every move. Quite the opposite, really: if I do something that gets on the nerves of some frustrated jerk in the Department of Ugly Euphemisms, he can most likely direct some men with guns to emphatically worsen the state of my world.
Government needs reasonable resource allocation first (I know, let's let murderers out early so we have more room to imprison pot smokers!), greater competence second, and maybe, just maybe, more investigative power last.
Re:No, it's not (Score:2)
'dd' isn't _quite_ an image (Score:3, Insightful)
The contents any LBA that is in the drive's remap table (i.e. blocks that the drive electronics have previously determined either to be bad or going bad) aren't captured by dd - the drive instead sends the data payload corresponding to the LBA's remapped physical address. The bad/bad-ish block remains, and its data is quite possibly still valid (or perhaps valid but for a couple of localised errors). These blocks thus hold tiny slivers of data stored on the drive sometime in the past (the last thing written before the block went bad).
Although this missed data represents a microscopic fraction of the total data on the disk it could, at least in theory, contain recoverable data of an evidenciary nature. The only way to see this is a drive-vendor specific low-level read - I don't know much about the other two tools the article describes, but it doesn't sound like those do that either.
Given that there's only a handful of drive manufacturers left, and the (non-servo) parts of the firmware on their drives doesn't vary hugely between models, it really wouldn't be too hard for law-enforcement types to have proper physical-level imaging tools for any drive they're likely to encounter.
Re:'dd' isn't _quite_ an image (Score:4, Informative)
Now, the document says the examiner determined that there was only one partition, and that he used a "a Linux Boot CD" - this implies (it's not terribly clear what that actually is) that he used linux's fdisk command (or diskdruid or something) to determine that there was indeed only one partition - by examining the current contents of the drive's partition table.
Doing this doesn't capture any space not currently assigned to a partition - in particular, if another partition were present but was then deleted, or if the extant FAT32 partition were resized (say with partition magic).
Infact it's rather unusual for a windows laptop to only have one FAT32 partition - many (most?) vendor-created laptops ship with a sleep-to-disk partition on the disk as well (Dell seems to always to this on windows systems).
In a non-forensic setting, these gripes would be beyond pedantic, but given the seriousness of the crime concerned, and the alleged technical skill of the terrorist groups implicated, these omissions are not immaterial. I do hope that they're omissions only in this document and that the examiners actual procedure did properly image, checksum and examine _all_ of the disk's contents.
Re:'dd' isn't _quite_ an image (Score:2)
It's tough for me to think of a case that's higher-stakes than this one.
and if they can get what they need from a dd image, why bother?
That's a totally egregious misstatement of proper evidence gathering - the investigator is not trying to "get what they need". Instead the investigator should capture as much information as is possible. Its for a prosecutor to cherry-pick the body of devidence in order to build their case, and for defence counsel to likewise pick out exculpatory evidence.
Sure, in practice it's highly unlikely that a remapped LBA contains the only copy of an incriminating or exculpatory email, but given the huge stakes here it shouldn't be too much "bother".
That seems pretty low tech (Score:3, Interesting)
Given the weight of the issue and the evidence that could be contained on the disks therein, and given that the US government has an unlimited budget whenever anyone says "terrorism", why they went with dd (or the equivalent ) to copy a disk is beyond me.
I've seen doughnut shops have their hard disks worked on with more advanced technology.
Shouldn't they have taken the hard disk to a clean room, removed the platters from the disk and painstaking recorded every nanometer of them? I wouldn't trust a suspect's hard disk to make a copy of itself.
And in completely unrelated news... (Score:3, Interesting)
Kjella
Misconceptions about data forensics (Score:5, Informative)
First, it is NOT realistically possible to recover data that has been overwritten ONE time. Yes, yes--I've read all the white papers on magnetic force microscopy (MFM) and I understand that a theory exists about recovery of overwritten data. In practice, nobody actually does it. Maybe one time, six years ago, some dude at NASA or MIT actually made this work conditions on an older disk with a lower bit density, but anyone telling you that old patterns can be read in the real world is full of shit. And yes, it's been tried. Millions have been spent on this, and nobody can do it. Anybody selling you software that claims under laboratory to be "more secure" because it overwrites more than once is being silly. It's not even paranoia, just lacking a clue.
That's why forensic examiners don't need to have the original media. In fact, one of the big tenets of the job is to never, ever, ever perform analysis on the originals. You make a bitstream copy of the perp's (excuse me, "client's") disk, and you work with that.
Oh, and electron microscopes have nothing to do with this theorized recovery process. MFM is a related but very different technology.
Second, Linux versus Windows versus LogicCube versus ImageMasster (another brand) is utterly beside the point. Forensic shops use what they find to be cost effective, fast, and convenient. The dd command is great, and all, and many examiners use it on Linux platforms for their disk imaging needs, but it's not an analytical tool.
Let me put it this way: do you actually think that a forensic examiner sits down, opens
Last, a good forensic examiner is less constrained by his/her knowledge of computers than by his/her investigative skills. I know more about operating systems, file allocation, and troubleshooting than any of the 30-50 year old former cops/feds/spooks that I work with, but they're capable of far more effective work than I am. Why? Because once you have a few basic computer operations taken care of, the work has as much to do with computers as Computer Science does.
The folks that put the child pornographers, embezzlers, script kiddies, and the rest of the computer criminals in jail generally know much, much less than you about computers, Slashdotters. They also don't give a rat's ass about Linux, Windows, Bill Gates, RMS, or any of it.
Re:Misconceptions about data forensics (Score:4, Informative)
One reason why security software is overdesigned is that it has to deal with improvements in technology. To take your point about older low density drives, any drive more than five years old falls into that category.
The other reason is that forensics rarely deals with information that is deliberately concealled and the fact that information that may become available in 10 or 20 years time is rarely relevant. This is not the case with intelligence where the activities of ten or even twenty years ago might be of major interest.
The folks that put the child pornographers, embezzlers, script kiddies, and the rest of the computer criminals in jail generally know much, much less than you about computers, Slashdotters. They also don't give a rat's ass about Linux, Windows, Bill Gates, RMS, or any of it.
Probably right there, but they are not the main customer for the technology we provide and even if they do buy it, it is not that likely to do them a major amount of good. The main customers for computer security are commercial interests, banks and major corporations. There are many documented instances of national security organizations being used for commercial espionage, the French openly boast about it. The people who commit major wire fraud are typically well funded and backed by significant organized crime, at the moment the Russian mafia are the main players.
There arn't that many investigations into that type of crime because it is amazingly rare. But the level of attack is very sophisticated and very real.
Re:Misconceptions about data forensics (Score:3, Insightful)
The most often cited source of opinions on MFM-related data recovery techniques is a paper from 1996 entitled "Secure Deletion of Data from Magnetic and Solid-State Memory", by Peter Gutmann. It's pretty readable if you have a good grounding in physics and hard drive operation, so I'd recommend checking it out:
http://www.usenix.org/publications/library/proc
Notice, though, that Gutmann isn't the actual first-person researcher. His paper is a compilation of data gleaned from other sources. I spent six weeks tracking down (among other things) his bibliography, and found out that MFM techniques had been used in laboratory tests to recover overwritten data, in the early 1990s. These tests were not field-usable. It amounted to "write a regular pattern on the disk, overwrite it with another regular pattern, and look for evidence of the first pattern." Furthermore, these papers all referred to disks which had been manufactured about 10 years ago.
I'll bet that someone HAS used this to a practical effect, somewhere, but just try finding out who, where, and (most importantly) how. There are no commercial vendors of this kind of technology--just try calling up OnTrack, or any of their competitors, and you'll hear the same thing. Desperate people in lawsuits and other dire straits have thrown millions of dollars down this hole (and that's just in the last few years, that I'm aware of), and gotten nothing for it.
To hear Gutmann describe it, though, any halfway competent lab technician could make this process work. Where are the papers describing those operations, done on actual post-1993 hard drives, describing their methodologies?
I personally watched a not-so-reputable data recovery firm tell a judge and some attorneys that they could recover single-pass deleted data if they had $750,000 in R&D and six months. They came up empty handed.
This kind of data recovery is PIXIE DUST. It's an urban legend of the tech industry, one that everybody knows is true but nobody can ever prove.
Can I prove to you that some spook lab buried ten miles beneath Ft. Meade, MD hasn't done this, and isn't buying computers thrown out by French businesses and reading every old secret? No, I can't, I don't work for the government and don't plan to start. But last I checked, it wasn't considered good logic to require absolute proof of a negation, when no proof has been shown of the posited statement.
So, sure. You can MAYBE read data from pre-1993 hard drives, and maybe in 10 years the examination technology will have advanced enough to read today's drives (if hard drive technology stands perfectly still, eh?). The only people who need protection, then, are folks whose adversaries are incredibly wealthy AND willing to spend gobs of money on getting to them, and who would still be harmed if their ten-year old data is read.
This does not include businesses--who cares what your business plan was ten years ago? This does not include common criminals--the government won't spend millions of dollars just to recover one piece of evidence. This certainly does not include you and I.
This include ONE type of entity: sovereign governments. Are you selling your disk wiping utilities to governments, or to businesses and consumers?
Re:Misconceptions about data forensics (Score:2)
That is why you will stay on the recovery side while most people who want real security will go to people who think like I do and cover cases that are at the edge of the possible.
In fact the data wipe programs are pretty useless but for a completely different reason, the wipe procedure can't work unless it is used before the disk is scrapped. The only reliable way to secure data is to use encryption. It is quite practical to completely wipe crypto keys from memory.
This include ONE type of entity: sovereign governments. Are you selling your disk wiping utilities to governments, or to businesses and consumers?
Both.
Re:Misconceptions about data forensics (Score:2)
It is the usual practice of law enforcement and goverments to instill a sense of superpowers in their abilities, just to keep people in line. Computer crime fighters might not be able to recover overwritten data, but they don't at all mind that you think they can, and probably won't correct anybody's misconception about it. It's part of their "if you commit a crime, we'll always get you!" hubris. As long as most people think that even deleted & overwritten data can be retrieved, they'll be less inclined to wrongdoing.
That is, they WANT you to think the big bro' is always watching
Uh, September 11? (Score:3, Interesting)
Ask your self: How the hell did they know to image his laptop on September 11th? This means they already knew he was part of the attack, and they were already on to him. Funny how we, the people, were never warned.
Re:Uh, September 11? (Score:3, Informative)
Have you been living in a Cave for the past year?
You've never heard of Moussaoui? [washingtonpost.com]
Re:Uh, September 11? (Score:2)
For more background, see this [opinionjournal.com]. It's an opinion piece, but the facts in the case are indisputable. Long story short, they had good cause to search his PC before 9/11, but judges brainwashed by that other "PC" wouldn't allow it. The FBI was like "lemme, Lemme, LEMME" and then when 3000 people got killed the judge finally said "OK".
Re:Uh, September 11? (Score:2)
He was just another illegal alien at the time - I'm sure he didn't come out and tell them "Oh, BTW I'm a terrorist". It wasn't until Sept 11th that the FBI and CIA took interest in him, and of course they already had his possessions (including said laptop) confiscated by then.
Do a bit of homework before posting, will ya?
Re:Uh, September 11? (Score:2)
But in order to realize that you need to go to the effort of confirming statements made by Limbaugh, and most people who listen to the show are too lazy to know how to think for themselves.
Block size limitation in dd noted (Score:3, Informative)
When copying, dd only copies entire blocks. If there is an incomplete block of information remaining at the end of the disk, for example, dd will not copy that last block at all.
Since dd defaults to a block size of 1024 bytes, and PC hard drives use a sector size of 512 bytes, this could happen. In this case, dd will not copy the final sector of the hard disk, as it is an incomplete block.
Because of a stupid decision made decades ago, traditional PC hard disk addressing uses 63 sectors per track, not 64. Therefore, odd total numbers of sectors are common. Modern addressing does away with CHS and just numbers all sectors from 0 to the end of the disk (many millions, in most cases). Still, because of the legacy of having 63 sectors per track, many disks have an odd total number of sectors.
It would be nice if dd had an option to correctly copy a partial block at the end of the source. If there is an incomplete block, it should simply copy one byte at a time until there are no more bytes to copy.
This would be easy to add to dd. Has it been done already? If so, it should be documented. Making it the default behaviour might break existing applications, so have it as an option that is highly recommended.
Re:Block size limitation in dd noted (Score:4, Interesting)
dd does copy incomplete blocks. Try this: See that? We created a 1023-byte file (test), and then dd'ed it to test2 with a block size of 512. Guess what? dd copied the file in its entirety, even though it didn't line up on a block boundary.
Re:Block size limitation in dd noted (Score:2)
If it's truly a bug in Linux itself, instead of a bug in dd, then it should be even easier to fix. I hope this gets fixed in 2.5!
Am I stupid, or.... (Score:2, Informative)
It's easy to defeat CRC - just add empty space to the end of each file until you get the result you want. SHA-1 or MD-5 is safe(ish), but a straight CRC is too easy to forge.
I wouddn't trust these disk copies with a bargegepole.
Re:Why not a windows tool (Score:2)
dd
Yep. That would be much simpler under Windows.
Re:Why not a windows tool (Score:2)
dd <
Re:Why not a windows tool (Score:2)
Wrong in what way?
Are you suggesting that < and > won't substitute for if= and of=? Or perhaps you are suggesting that one must specify specific partitions to dd?
In either case, I'm not wrong. GNU dd, as provided by Linux distributions accepts < and >. And specifying a device rather than a partition is accepted, and works as expected. Everyone has used this same command form to make boot floppies, right?
And where are you getting the bit about a boot CD? I didn't say anything about a boot CD, nor did the parent to my post. The two issues are entirely orthogonal. Strange post all-around...or maybe just more subtle trolling.
Re:Why not a windows tool (Score:2, Informative)
Re:Why not a windows tool (Score:3, Informative)
You may assume anything you wish. . . (Score:5, Funny)
At its heart it's just a simple copy command.
In fact, the dd tool is so simple, and simple minded, that it would be easier to write a simple graphical front end for it than to learn the GUI of exiting Windows apps designed to do the same thing.
I don't know quite how to break this to you, but *sometimes* language is the simpler, more powerful and more *intuitive* means of getting something across than pointing at a picture and grunting.
Unless, of course, your intellect hasn't yet advanced to that level of sophistication.
KFG
Re:You may assume anything you wish. . . (Score:2)
So hey, I like Linux as much as the next guy, but I always get a little nervous when I use dd to copy a disk. I'll stare at the command for a good ten seconds before hitting "enter".
Can you imagine being the FBI agent who has to explain how he typed dd of=/dev/hda1 if=/dev/hdc1 when he really meant dd if=/dev/hda1 of=/dev/hdc1 -- and /dev/hda just happens to be the suspect's original drive?
Re:Why not a windows tool (Score:2)
P.S. good troll
Re:Why not a windows tool (Score:3, Insightful)
Well, that is primarily indicative of your ignorance of Linux and your willingness to buy into Microsoft propaganda.
i mean it must be easier to find the tool under windows thebn setup a linux machine
There is nothing to set up. Linux can boot and run from CD, with all software installed (check for DemonLinux and Knoppix, for example). That's one of the many reasons Linux is so good at this sort of thing.
How easy is it?
For forensic applications, you might want to make sure that you hardware write-protect the source drive first, just to avoid accidents.
These people know what they are doing and how to reduce their workload. That is why they are using Linux.
Re:Why not a windows tool (Score:2)
Not only is dd on various *nixes, bsd's, etc, it is also available on windows. It is called cygwin, and it has dd also.
Re:Why not a windows tool (Score:2)
Re:Hotmail and Privacy in this article: (Score:2, Informative)
Re:Hotmail and Privacy in this article: (Score:2)
Re:Hotmail and Privacy in this article: (Score:2)
Re:Hotmail and Privacy in this article: (Score:2)
Re:So does this mean... (Score:2)
It doesn't mean anything if you don't read the affidavit. Linux dd was used (is used) as one of 3 methods by the FBI CART to image disks during discovery. That's all it means.
Linux is made in America and other places, too.
RIAA Math (Score:2)
Re:Stallman says: (Score:2)
So, it's GNU dd.