
File System Forensic Analysis

timothy posted more than 8 years ago | from the bits-in-which-order dept.

Data Storage 225

nazarijo writes "The field of investigative forensics has seen a huge surge in interest lately, with many looking to study it because of shows like CSI or the increasing coverage of computer-related crimes. Some people see a career opportunity there, and are moving toward computer forensics, marrying both law enforcement and investigations with their interest in things digital. Central to this field is the study of data storage and recovery, which requires a deep knowledge of how filesystems work. Brian Carrier's new book File System Forensic Analysis covers this topic with clarity and an uncommon skill." Read on for the rest of Nazario's review.

It's easy to think that computer filesystems are relatively simple things. After all, if 'dir' or 'ls' don't show what you're looking for, maybe an undelete program will work. Or will it? To be a competent, trustworthy expert in forensics (a requirement if you plan to participate in any criminal investigation), you'll have to learn how filesystems really operate, how tools like undelete and Lazarus work, and how they can be defeated.

Carrier's book isn't a legal book at all, and it doesn't pretend to offer much insight into the law surrounding forensics. Instead it focuses on technical matters, and is sure to become the standard reference in its field. Be warned that it expects you to have some knowledge, even if only informal, of what a filesystem contains. With a basic understanding of data structures you'll get a wealth of information out of this book, and it will remain a good reference long after you've first studied it.

File System Forensic Analysis is divided into three sections, arranged in the order you'll want to study them to get the most out of the book, namely an understanding of how to examine filesystems for hidden or previously stored data. The first three chapters cover a fundamental series of topics: Digital Investigation Foundations, Computer Foundations, and an introduction to Hard Disk Data Acquisition. While they start at a basic level (e.g. what hexadecimal is), they quickly progress to more developed topics, such as the types of disk interfaces (SATA, SCSI, IDE), the relationship of the disk to the computer system as a whole, and how data is stored in a file and filesystem at a basic level. Many of the examples use Linux, because UNIX-like systems expose the raw device directly and tools like 'dd' can copy it sector by sector.

Part 2 covers "Volume Analysis," that is, how a disk is divided into the volumes that hold file systems. It introduces the basics of things like partition tables (including how to read one). The next few chapters cover PC-based partitions (DOS and Apple), server-based partitions (BSD, Solaris and GPT), and then multiple-disk volumes such as RAID and logical volumes. With this introduction in place, the final chapter of the section covers how to use these volume descriptions in practice to look for data during analysis. Layouts, organization, and things like journals and consistency checks are covered with a clarity and exactness that's refreshing for such a detailed topic.
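To make "reading a partition table" concrete, here is an added example written for this page (it is not code from Carrier's book or from The Sleuth Kit). It parses the four 16-byte entries of a DOS/MBR partition table out of a constructed sector 0 and then lists the sectors that no entry claims, which is where an examiner looks for hidden or leftover data. The sample layout (an NTFS volume at LBA 63, a Linux volume after a 65-sector gap, a 2,105,344-sector disk) and the abbreviated type-code table are assumptions for the demonstration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446          # the four 16-byte entries start here; 0x55AA signature at 510
ENTRY_FORMAT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"

# Illustrative subset of type codes (assumption for the demo); a real tool carries the full table.
PARTITION_TYPES = {
    0x05: "Extended",
    0x07: "NTFS/exFAT/HPFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective MBR",
}


def parse_mbr(sector: bytes) -> list[dict]:
    """Return the non-empty primary partition entries of a DOS (MBR) partition table."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one full 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA signature: not a DOS partition table (or sector 0 is damaged)")
    entries = []
    for index in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FORMAT, sector, TABLE_OFFSET + index * 16)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        entries.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "start": lba_start,
            "sectors": sectors,
            "end": lba_start + sectors - 1,   # inclusive last sector
        })
    return entries


def unallocated_ranges(entries: list[dict], total_sectors: int) -> list[tuple[int, int]]:
    """Sectors covered by no partition entry: the gaps an examiner must not skip.

    Sector 0 (the MBR itself) is never counted as unallocated. Ranges are inclusive.
    """
    gaps = []
    cursor = 1
    for part in sorted(entries, key=lambda p: p["start"]):
        if part["start"] > cursor:
            gaps.append((cursor, part["start"] - 1))
        cursor = max(cursor, part["end"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed sector 0 for the demonstration (not captured from a real disk)."""
    sector = bytearray(SECTOR_SIZE)
    # Entry 0: bootable NTFS volume of 2,097,152 sectors (1 GiB) starting at the classic LBA 63.
    struct.pack_into(ENTRY_FORMAT, sector, TABLE_OFFSET, 0x80, 0x07, 63, 2_097_152)
    # Entry 1: Linux volume starting 65 sectors after the NTFS volume ends, leaving a gap between them.
    struct.pack_into(ENTRY_FORMAT, sector, TABLE_OFFSET + 16, 0x00, 0x83, 2_097_280, 4_096)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        flag = "*" if p["bootable"] else " "
        print(f"{flag} slot {p['index']}  {p['type_name']:<20} start={p['start']:>10}  end={p['end']:>10}")
    for lo, hi in unallocated_ranges(parts, total_sectors=2_105_344):
        print(f"  unallocated sectors {lo}-{hi} ({hi - lo + 1} sectors)")
```

On a real image you would feed `parse_mbr` the first 512 bytes of the device file and pass the device's true sector count to `unallocated_ranges`; a type of 0xEE means the real table is GPT and this parser has only seen the protective entry, and an extended partition (0x05/0x0F) holds a chain of further tables that this example does not follow.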

Having covered volumes, Part 3, the bulk of the book, shows you how to analyze particular filesystems by using their data structures to direct your reads. A range of filesystems is covered, including FAT, NTFS, Ext2 and Ext3, and the BSD types UFS1 and UFS2. Each filesystem gets two chapters, one devoted to concepts and analysis and another entirely about data structures. Dividing each filesystem type this way lets Carrier first explain the theory and design of each filesystem, and then put that design to practical use to pull data off of it.
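As an added example of "using the data structures to direct your reads" (written for this page; not code from the book or from The Sleuth Kit), the following Python walks a FAT filesystem the way the book's FAT chapters describe: it reads the BIOS Parameter Block to locate the root directory and data area, decodes 32-byte 8.3 directory entries including ones marked deleted (first name byte 0xE5), and performs the classic undelete of reading the first cluster run. The image it operates on is constructed in `build_sample_image` (one reserved sector, two one-sector FATs, a 16-entry root directory, one-sector clusters), and the timestamps and file contents in it are made up for the demonstration.

```python
import struct
from datetime import datetime

BPB_FORMAT = "<HBHBHHBH"              # at boot-sector offset 11: bytes/sector ... sectors per FAT (FAT12/16 field)
DIR_ENTRY_FORMAT = "<8s3sBBBHHHHHHHI"  # one 32-byte 8.3 directory entry
ATTR_VOLUME_LABEL, ATTR_LFN, DELETED_MARKER = 0x08, 0x0F, 0xE5


def parse_bpb(img: bytes) -> dict:
    """Read the BIOS Parameter Block and derive where the root directory and data area start."""
    (bps, spc, reserved, num_fats, root_entries, _total16, _media, spf) = struct.unpack_from(BPB_FORMAT, img, 11)
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    first_root = reserved + num_fats * spf
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "first_root_sector": first_root,
            "root_dir_sectors": root_dir_sectors, "first_data_sector": first_root + root_dir_sectors}


def cluster_to_offset(layout: dict, cluster: int) -> int:
    """Byte offset of a data cluster. Numbering starts at 2; clusters 0 and 1 are reserved."""
    if cluster < 2:
        raise ValueError(f"cluster {cluster} is not a data cluster")
    sector = layout["first_data_sector"] + (cluster - 2) * layout["sectors_per_cluster"]
    return sector * layout["bytes_per_sector"]


def fat_datetime(date: int, time: int):
    """Decode packed FAT date/time words (2-second resolution, local time, no zone recorded)."""
    year, month, day = ((date >> 9) & 0x7F) + 1980, (date >> 5) & 0x0F, date & 0x1F
    hour, minute, second = (time >> 11) & 0x1F, (time >> 5) & 0x3F, (time & 0x1F) * 2
    return None if month == 0 or day == 0 else datetime(year, month, day, hour, minute, second)


def root_directory_region(img: bytes, layout: dict) -> bytes:
    start = layout["first_root_sector"] * layout["bytes_per_sector"]
    return img[start:start + layout["root_dir_sectors"] * layout["bytes_per_sector"]]


def parse_directory(region: bytes) -> list[dict]:
    """List 8.3 entries, including deleted ones, which keep everything except the first name byte."""
    entries = []
    for off in range(0, len(region) - 31, 32):
        raw = region[off:off + 32]
        if raw[0] == 0x00:
            break  # nothing beyond this point was ever used
        (name, ext, attr, _nt, _ctenth, _ctime, _cdate, _adate,
         cluster_hi, wtime, wdate, cluster_lo, size) = struct.unpack(DIR_ENTRY_FORMAT, raw)
        if attr == ATTR_LFN or attr & ATTR_VOLUME_LABEL:
            continue  # long-name pieces and the volume label are not files
        deleted = name[0] == DELETED_MARKER
        base = (b"?" + name[1:] if deleted else name).decode("ascii", "replace").rstrip()
        extension = ext.decode("ascii", "replace").rstrip()
        entries.append({"name": f"{base}.{extension}" if extension else base, "deleted": deleted,
                        "first_cluster": (cluster_hi << 16) | cluster_lo, "size": size,
                        "modified": fat_datetime(wdate, wtime)})
    return entries


def recover_first_run(img: bytes, layout: dict, entry: dict) -> bytes:
    """Classic undelete: read `size` bytes from the first cluster, assuming the file was contiguous.

    Deleting a file clears its chain in the FAT, so the directory entry is the only pointer left;
    if the file was fragmented, everything after the first run may belong to another file.
    """
    start = cluster_to_offset(layout, entry["first_cluster"])
    return img[start:start + entry["size"]]


def _fat_date(y, m, d): return ((y - 1980) << 9) | (m << 5) | d
def _fat_time(h, mi, s): return (h << 11) | (mi << 5) | (s // 2)


def _make_entry(name: bytes, ext: bytes, cluster: int, size: int, deleted: bool = False) -> bytes:
    raw = bytearray(struct.pack(DIR_ENTRY_FORMAT, name, ext, 0x20, 0, 0, 0, 0, 0, cluster >> 16,
                                _fat_time(14, 5, 10), _fat_date(2005, 8, 30), cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED_MARKER
    return bytes(raw)


def build_sample_image() -> bytes:
    """Constructed 4 KiB FAT-style image; the FAT sectors themselves are left empty, only the
    boot sector, root directory and two data clusters are populated for the demonstration."""
    bps = 512
    img = bytearray(bps * 8)
    struct.pack_into(BPB_FORMAT, img, 11, bps, 1, 1, 2, 16, 8, 0xF8, 1)
    img[510:512] = b"\x55\xaa"
    layout = parse_bpb(img)
    readme, secret = b"hello from an allocated file\n", b"this deleted file is still on disk\n"
    lfn_stub = bytearray(32); lfn_stub[0], lfn_stub[11] = 0x41, ATTR_LFN   # a long-name piece, skipped
    directory = (_make_entry(b"README  ", b"TXT", 2, len(readme)) + bytes(lfn_stub)
                 + _make_entry(b"SECRET  ", b"DOC", 3, len(secret), deleted=True))
    root = layout["first_root_sector"] * bps
    img[root:root + len(directory)] = directory
    for cluster, payload in ((2, readme), (3, secret)):
        off = cluster_to_offset(layout, cluster)
        img[off:off + len(payload)] = payload
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    layout = parse_bpb(image)
    for e in parse_directory(root_directory_region(image, layout)):
        print(("DELETED " if e["deleted"] else "active  ") + f"{e['name']:<12} cluster={e['first_cluster']} "
              f"size={e['size']} mtime={e['modified']}")
        if e["deleted"]:
            print("   first run:", recover_first_run(image, layout, e))
```

The deleted entry comes back as `?ECRET.DOC` because only the first byte of the name is overwritten; the size, timestamps and first cluster survive until the slot is reused, which is exactly why an undelete works and also why it silently returns someone else's data once the clusters have been reallocated. FAT32 keeps its root directory as a cluster chain rather than a fixed region, so `root_directory_region` is the FAT12/16 case only.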

The real strength of File System Forensic Analysis lies in Carrier's direct and clear descriptions of the concepts, the completeness of his coverage, and the detail he provides. For example, clear, well-ordered and simple diagrams are peppered throughout the book, explaining everything from allocation algorithms to NTFS alternate data streams. These diagrams make the topics easier to understand, so the book's full value can be appreciated. This is the kind of thing that sets a book apart from its peers and makes it a valuable resource for a long time.

Finally, Carrier brings it all together and shows how many aspects of filesystems can be examined using his Sleuth Kit tools, which are freely available and easy to use. Without hawking his own tool at the expense of other valuable resources, he shows how simple, direct filesystem manipulations can be carried out. This kind of presentation is what makes File System Forensic Analysis a great foundation.

Overall I'm pleased with File System Forensic Analysis. I think that Carrier has achieved what few technical authors do, namely a clear explanation of highly technical topics that retains a level of detail which makes it valuable for the long term. For anyone looking seriously at electronic forensics, this is a must-have. I suspect people who are working on filesystem implementations will also want to study it for its practical information about NTFS. Overall, a great technical resource.


You can purchase File System Forensic Analysis from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.


225 comments

First post (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13438182)

flame on.

STEP ONE (5, Funny)

jos3000 (202805) | more than 8 years ago | (#13438201)

Don't forget to mount the drive as read only!

Re:STEP ONE (1)

Janitha (817744) | more than 8 years ago | (#13438284)

Don't forget to mount the drive (physically) first.

Re:STEP ONE (1)

Tackhead (54550) | more than 8 years ago | (#13438373)

> Don't forget to mount the drive (physically) first.

And if you can't securely delete or deniably encrypt your pictures of that step, you deserve whatever punishment the geeks in the forensic lab can nail you with. Dude, sick!

STEP ZERO: (5, Informative)

abb3w (696381) | more than 8 years ago | (#13438376)

Make sure by ordering the right adapter [wiebetech.com] for doing forensics work that Your Young Apprentice (or PFY) can't screw this up. A read-only adapter means the drive can't be mounted rewritably. No, it's not cheap. But what's $500 to the assurance that your evidence chain is prevented from fuckup at the hardware level?

And no, I don't work for these people. I just think they make some nifty geek toys.

No, that's not why I have SCSI drives on my home server. Honest; it's for the RAID performance....

Re:STEP ZERO: (4, Interesting)

pegr (46683) | more than 8 years ago | (#13438667)

Make sure by ordering the right adapter for doing forensics work that Your Young Apprentice (or PFY) can't screw this up.
 
Well, instead of using an OS that does what it damn well wants (like mount all drives read/write by default), why don't you use Linux and simply create a drive image straight from the raw device without mounting at all? Gen an MD5 on the fly to ensure integrity. Use DCFLDD instead of dd for that trick...
 
Funny story: I was in a training class and the topic turned to forensic analysis. I mentioned that the Air Force wrote a wonderful tool, the previously mentioned DCFLDD. Well, this math geek that I was certain worked for some three-letter outfit turned around and looked at me like I was spewing nuclear launch codes! After I assured him that the Air Force open sourced it (and brought up a download URL on his laptop), he seemed to get the clue...
 
Since he's also a likely slashdot reader, "Hi Dave!" ;)
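The imaging approach in the comment above, reading the raw device without mounting it and hashing on the fly, can be shown in a few lines. This is an added example written for this page in Python, not dcfldd's code; `FlakySource` is a constructed stand-in for a device with an unreadable block, and the 32 KiB of sample "disk" content is made up for the demonstration. Beyond what the comment describes it also does what dd's `conv=noerror,sync` does with a bad block (zero-fill it and keep going, so image offsets still match the device), records where that happened, and computes SHA-256 alongside the MD5 the comment mentions, since a second hash costs nothing and MD5 alone is no longer something you want to defend in court.

```python
import hashlib
import io
import os
import tempfile


class FlakySource:
    """Constructed stand-in for a raw device: reads inside `bad_chunks` fail with EIO, like a bad sector."""

    def __init__(self, data: bytes, bad_chunks: set, chunk_size: int):
        self._buf = io.BytesIO(data)
        self._bad, self._chunk, self._size = set(bad_chunks), chunk_size, len(data)

    def read(self, n: int) -> bytes:
        pos = self._buf.tell()
        if pos < self._size and (pos // self._chunk) in self._bad:
            raise OSError(5, "Input/output error")
        return self._buf.read(n)

    def seek(self, pos: int) -> int:
        return self._buf.seek(pos)


def image_device(src, dst, chunk_size: int = 1 << 20) -> dict:
    """Copy src to dst block by block, hashing the bytes as they are written.

    An unreadable block is replaced by zeros and recorded (the behaviour of dd's
    conv=noerror,sync), so the image stays the same size as the device and offsets line up.
    The digests describe the image that was written, which is what gets verified later.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    offset, bad_regions = 0, []
    while True:
        try:
            data = src.read(chunk_size)
        except OSError as exc:
            bad_regions.append({"offset": offset, "length": chunk_size, "error": str(exc)})
            data = b"\x00" * chunk_size
            src.seek(offset + chunk_size)   # step over the bad block rather than retrying forever
        if not data:
            break
        dst.write(data)
        md5.update(data)
        sha256.update(data)
        offset += len(data)
    return {"bytes": offset, "md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "bad_regions": bad_regions}


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path: str, expected_sha256: str) -> bool:
    """Re-read the image from disk and compare it with the digest taken during acquisition."""
    return hash_file(path) == expected_sha256


def run_demo(chunk_size: int = 4096) -> dict:
    """Image a constructed 32 KiB 'device' whose fourth block is unreadable, then verify the image."""
    original = b"".join(bytes([i]) * chunk_size for i in range(1, 9))   # constructed disk contents
    src = FlakySource(original, bad_chunks={3}, chunk_size=chunk_size)
    with tempfile.NamedTemporaryFile(delete=False) as out:
        path = out.name
        report = image_device(src, out, chunk_size)
    try:
        report["verified"] = verify_image(path, report["sha256"])
        with open(path, "rb") as f:
            image = f.read()
    finally:
        os.unlink(path)
    expected = original[:3 * chunk_size] + b"\x00" * chunk_size + original[4 * chunk_size:]
    report["matches_expected"] = image == expected
    return report


if __name__ == "__main__":
    r = run_demo()
    print(f"{r['bytes']} bytes imaged, md5={r['md5']}, sha256={r['sha256']}")
    print("verified:", r["verified"], "bad regions:", r["bad_regions"])
```

For a real acquisition you would open the device node read-only (`open("/dev/sdX", "rb", buffering=0)`) as `src` and a file on the evidence drive as `dst`, and write the returned report, bad regions included, into your notes. Reading the raw device without mounting it avoids the metadata updates a mount causes, but it only governs this one process; a hardware write blocker, as suggested further up the thread, is what stops everything else on the host from touching the disk.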

Re:STEP ZERO: (1)

nester (14407) | more than 8 years ago | (#13439090)

Uh, most drives have a write-protect jumper on them. There's no reason to spend $500 just for write protection. The first thing you should do, after setting that jumper, is copy it to another drive (or dd it to a file), anyway, unless you're going to send it ATA read-long commands or something.

Re:STEP ONE (0)

Anonymous Coward | more than 8 years ago | (#13438478)

Mounting a filesystem changes (meta)data on the disk. Step TWO, watch more CSI TV to figure out what Step ONE should be....

Your rights online? (-1, Offtopic)

xmorg (718633) | more than 8 years ago | (#13438217)

Shouldn't this be categorized as your rights online? I would say a book on how to snoop on people's hard drives and see what they deleted is pretty privacy invasive? I could be wrong....

Re:Your rights online? (3, Insightful)

hal9000(jr) (316943) | more than 8 years ago | (#13438239)

I would say a book on how to snoop on people's hard drives and see what they deleted is pretty privacy invasive? Most legal investigations are invasive by their very nature.

Re:Your rights online? (1)

Gnpatton (796694) | more than 8 years ago | (#13438283)

The idea is that the information is on the hard drive no matter how you are able to get at it. Handing someone your hard drive after you've deleted and emptied the recycle bin is equivalent to handing them your privacy.

Ignorance is not a defense.

Wrong (0)

Anonymous Coward | more than 8 years ago | (#13438352)

Information wants to be free!

Re:Your rights online? (1)

vettemph (540399) | more than 8 years ago | (#13438456)

I would like to see the compliment to this book.
"How to keep your thoughts and PC data yours and yours alone."

How do you know if your encrypted volume is really as secure as you think it is?

Complement not Compliment (1)

Anonymous Coward | more than 8 years ago | (#13438485)

You get a "compliment" when someone tells you you're pretty. When something COMPLEtes another it is called a "complement".

Re:Your rights online? (1)

MoralHazard (447833) | more than 8 years ago | (#13438501)

Shouldn't this be categorized as your rights online?

Slashdot has a separate category for books, smart guy. That's why it's in the "books" category and not the "your rights online" category. If Slashdot reviewed a book about civil rights, British history, how to grow your own pot, Microsoft's dealing with Satan, or ANY topic, it would go under "books".

I would say a book on how to snoop on people's hard drives and see what they deleted is pretty privacy invasive?

Join the 21st century... I mean, join the 1990s. Hard disk forensic analysis has been a booming field in the last 10 years. It's a crucial part of most computer forensic investigations.

Do you also think that biology books on DNA testing, or texts on explosives chemistry fingerprinting, are "privacy invasive"?

More to the point, are you now, or have you ever been, a member of the Tinfoil Hat Brigade?

I could be wrong....

NOW you're on to something...

That is just great (1, Troll)

crow_t_robot (528562) | more than 8 years ago | (#13438222)

"...marrying both law enforcement and investigations with their interest in things digital"

Now there is going to be a profession where wannabe cops get to play wannabe hacker. Fucking lame. Here is a better idea: if you want to play pig go be a mall security guard because then you can at least look at the young girls that hang out there.

Re:That is just great (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13438247)

Mmmmm young girls...

Re:That is just great (2, Funny)

hoggoth (414195) | more than 8 years ago | (#13438602)

> Mmmmm young girls...

You'd better hope nobody does a forensic analysis of YOUR filesystems.

CSI (5, Insightful)

Seumas (6865) | more than 8 years ago | (#13438234)

Why in the hell would you choose a dull career like forensic investigation based on a TV show? That would be like becoming a cop because you want to be like Dirty Harry. How many of these gits go into college for this kind of career, because they think it's going to be exciting and they're going to discover the case-cracking evidence in a few hours, grab their gun and go make an arrest?

Here is an even better question (4, Interesting)

crow_t_robot (528562) | more than 8 years ago | (#13438273)

How long will it be before there are a million "IT Forensics" certification mills out there advertising on the radio to knuckle-dragging GEDs to come get certified and make $$$ in this "HOT, NEW, EXCITING INDUSTRY!!!"

Re:Here is an even better question (3, Insightful)

Seumas (6865) | more than 8 years ago | (#13438369)

Will they have to have wavy blonde hair and wear pink polo shirts and go to Brown College? :P

That's probably one of my bigger pet peeves. People in technology jobs who are not passionate about technology. You see it all the time, unfortunately. You don't have to be passionate about your current job - but you should be passionate about tech.

I mean, you wouldn't go into teaching if you didn't care about teaching, right? (At least, initially).

Re:Here is an even better question (2, Funny)

MrAnnoyanceToYou (654053) | more than 8 years ago | (#13438975)

The computer industry could use an infinite number of women with wavy blonde hair, pink polo shirts, and a good education, as far as I'm concerned.

Re:CSI (4, Funny)

Brento (26177) | more than 8 years ago | (#13438298)

That would be like becoming a cop because you want to be like Dirty Harry.

Or becoming a hacker because I wanted to meet Sandra Bullock. Man, what a time-waster this has turned out to be.

Re:CSI (1)

garcia (6573) | more than 8 years ago | (#13438488)

Or becoming a hacker because I wanted to meet Sandra Bullock. Man, what a time-waster this has turned out to be.

Too bad your mom wouldn't let you buy that motorcycle [wikipedia.org] eh?

Re:CSI (2, Insightful)

abb3w (696381) | more than 8 years ago | (#13438400)

Why in the hell would you choose a dull career like forensic investigation based on a TV show?

Or engineering? After all, if ya canna change the laws of physics, where's the fun in it?

Monkey see, monkey do....

Re:CSI (1)

smashin234 (555465) | more than 8 years ago | (#13438458)

Fact is, lots of people choose careers because of how they are portrayed in the media.

Why do so many people try to become actors or professional athletes?

I am sure if all the professional waiters in LA saw what their life was really going to be like, they would have chosen a different field.

Or how about computer science? How many of us computer nerds saw Hackers the movie when we were young and turned out to really like it and want to do it as a career? I actually know some people who did that and to this day still work with computers.

Now they aren't hackers, but most people who watch CSI are not going to be technicians who solve every crime and work with beautiful women. I mean, in CSI, even the nerdy technician is cooler than most people I know.

Re:CSI (0)

Anonymous Coward | more than 8 years ago | (#13438577)

I don't know about actors but I'd imagine the desire to be a professional athlete has just a little something to do with the mega-million dollar contracts that are constantly discussed on ESPN.

Re:CSI (1)

MogNuts (97512) | more than 8 years ago | (#13438629)

The only beautiful woman on any of the CSIs is the Latin one on Miami. The rest are barely cute. The only hot ones are some of the extras who get killed, play hookers, etc.

Then again, this is slashdot and standards for nerds are a bit different (sorry had to say it) ;-)

Having done forensic work... (5, Informative)

bradleyland (798918) | more than 8 years ago | (#13438751)

Honestly, this job is probably the coolest I've done. We get the run of any joint we enter. We get to crack people's passwords, read their stuff, and pry into the details that they're trying to hide.

Outside of the unreal timeframe, it is a bit like television. I've been on location at 1 AM acquiring hard drives so that the debtor principals didn't know what we were doing. Walking through the data center with my Maglite at that hour of the morning comes pretty close to that feeling you get when you watch CSI on TV. Most of the time, we tell the people on location we're making "backups" of the data so that we can preserve the data in the event of a crash. There's definitely a social element to forensic work (at least in bankruptcy cases).

A typical acquisition may go something like this:

You set up, pull your forms, start noting observations, pull the drives, hook them up to the little black box connected to your laptop's firewire port (a write-blocker), and start having a look at the data. If you've got what you're looking for, you acquire the drive and put everything back together. Boot it all up and be on your way.

You may be doing this in the CEO's office, or in the data center looking for a mail server. The top officers are usually the most important, since they have the most important correspondence and data.

It's a fun job. It's every bit as exciting as what you see on television (for once).

Re:Having done forensic work... (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13439000)

You're a friggin repo man. What a friggin waste of space. Do everyone a favor and GO TO HELL.

Re:CSI (1)

globalar (669767) | more than 8 years ago | (#13438879)

It's almost like choosing a president based on what you see on TV...

But seriously, imagination is an important part of human life. I've made a lot of important choices based on my perceptions and ideals that were pretty ignorant and idyllic. Of course real life is boring. I will probably stay within the same 50 mile radius for most of my life. I will eat the same things over and over again. I will only really know a handful of people. I will pass by the same strangers every day. And my job doesn't really account for much.

But I still keep those stupid notions that there is an exciting and fulfilling part of life hidden, just beneath the commonality. Maybe what I do is really important, and I just don't notice. Or something. Yeah, it's a myth. No more "real" than most of TV. It's just another way to "escape" without leaving the trappings of what we know. To each his own.

Re:CSI (2, Informative)

That's Unpossible! (722232) | more than 8 years ago | (#13438889)

Why in the hell would you choose a dull career like forensic investigation...

As opposed to an exciting career, like computer programming?

Seriously, I do a lot of programming as part of my job, and perhaps the most fun I have at work is when some luser decides to fuck with us and I get assigned to track down as much information as possible about this person's activity on our network.

If I ever had to find another job, I'd seriously consider getting into computer forensics, or the FBI computer investigation division.

Just because you don't go make an arrest doesn't mean your discoveries won't directly lead to an arrest. And usually the best kind ... when the loser is least expecting it, because they didn't think anyone was sharp enough on the other end of the line.

I might get this (5, Insightful)

L. VeGas (580015) | more than 8 years ago | (#13438307)

This sounds really interesting. I've been fascinated for a while with how the file / folder metaphor has become so entrenched that people have a difficult time imagining any other way of thinking about it.

As the OS has become more sophisticated, most computer users now never see things like a disk defrag. They really think that there is a file, all in one spot in their computer, that sits literally next to other files in the same folder. The idea that you can recover a file that has been "deleted" seems like deep wizardry, with no thought to the more impressive wizardry that makes "files" out of pieces of metal with a magnet.

Re:I might get this (1)

FireFlie (850716) | more than 8 years ago | (#13438378)

My question, however, is what type of audience this book is for (I know the reviewer said what the book expected of you prior). The type of people that you are describing (and there are millions of them out there) would probably be mystified by this book (and many would probably believe they understood the contents).

The review makes it sound like someone that has taken a college level class on operating systems would not gain much from reading this book.

Re:I might get this (1)

garcia (6573) | more than 8 years ago | (#13438461)

I was more interested in a story that recently appeared on CourtTV's Forensic Files. It was about the first known (at least what they claim as such) forensic analysis of computer disks that had been cut (with pinking shears).

From their website [courttv.com] :

"Shear Luck"

When the wife of an Air Force Sergeant is found dead on a Philippines air base, investigators are baffled. With no leads and no new suspects, they are forced to re-examine the man they suspected all along. Using a pioneering technique in computer forensics, authorities are able put together the pieces of a chilling puzzle. TV-14 V


Basically they used "post-it-note" like glued Scotch tape to piece the 5 1/4" floppy back and read it. What they originally believed would take 1+ million dollars to do ended up costing less than $150 -- $50 of which was a blown/tossed floppy drive head due to a poorly reconstructed disk.

Needless to say Tivo has been nabbing every one of these episodes and I'm hopelessly hooked.

Me, too.. I have done some of this work.. (2, Interesting)

Tikicult (901090) | more than 8 years ago | (#13438914)

It's really profitable... I was charging $200 an hour. Spent a ton of time digging around on a bunch of CDs, a hard drive and thru a couple of email inboxes. Plus my client had a key logger.

cool stuff.

The "How To Destroy Your HD" Thread (-1, Offtopic)

TubeSteak (669689) | more than 8 years ago | (#13438339)

I'll kick it off with my favorite choice:
A nice gob of thermite over the drives

Re:The "How To Destroy Your HD" Thread (4, Funny)

Gnpatton (796694) | more than 8 years ago | (#13438377)

Install an old version of Windows, unpatched with no firewall protection.

Re:The "How To Destroy Your HD" Thread (1)

joelsanda (619660) | more than 8 years ago | (#13438573)

Install an old version of Windows, unpatched with no firewall protection.

Install Windows XP and turn off auto update.

Re:The "How To Destroy Your HD" Thread (0)

Anonymous Coward | more than 8 years ago | (#13438435)

microwave ;)

Re:The "How To Destroy Your HD" Thread (1, Informative)

Anonymous Coward | more than 8 years ago | (#13438839)

actually if you microwave a CD, it is still about 30% readable which is enough to bust you. I'd expect similar performance from hard drive platters.

Re:The "How To Destroy Your HD" Thread (4, Funny)

abb3w (696381) | more than 8 years ago | (#13438471)

A nice gob of thermite over the drives

Custom built 5.25" bay metal box, front side key locked switch controlling 12v powered spark igniter for magnesium primer charge; remainder of the box filled with thermite. Install in the computer's top bay. You can generally get all the way through at least eight drives that way, but if you have vertical mount drives, you'll want a second kaboom bay in the lowest 5.25 bay. Have a good UPS, and have a metal-bottomed water tank below the computer (camouflage as an overclock device), because that much thermite does NOT stop quickly.

They can pry my PGP key from my computer's cold dead... um, slag. =)

Re:The "How To Destroy Your HD" Thread (0)

Anonymous Coward | more than 8 years ago | (#13438589)

"Custom built 5.25" bay metal box, front side key locked switch controlling 12v powered spark igniter for magnesium primer charge; remainder of the box filled with thermite. Install in the computer's top bay."....

Sounds like one of those "Build a nuclear bomb" anarchy bullshit articles.

Did you lift that word for word from Phrack.

Re:The "How To Destroy Your HD" Thread (2, Informative)

hoxford (94613) | more than 8 years ago | (#13438703)

You'll want more than a water tank below the computer since water doesn't stop a thermite reaction. Try a couple of layers of firebrick or some other ceramic that won't shatter due to extreme heat.

Re:The "How To Destroy Your HD" Thread (0)

Anonymous Coward | more than 8 years ago | (#13438757)

The reaction for thermite using iron(III) oxide:

Fe2O3 + 2Al → Al2O3 + 2Fe; ΔH = -851.5 kJ/mol

(source: Wikipedia [wikipedia.org] )

Re:The "How To Destroy Your HD" Thread (2, Interesting)

ResQuad (243184) | more than 8 years ago | (#13438803)

Definitely a little extreme, but as the other replier stated, water won't stop thermite very quickly. In reality you don't need that much destructive power to destroy a hard drive.

If I had my way, I'd just put a small shaped charge on top of the hard drive. Small enough to destroy the hard drive (and probably some other stuff in the machine w/ fragmentation) but not big enough to blow up the entire machine. Cases are pretty well built nowadays, and with some reinforcement they could take a small shaped explosion (that was not pointed at them). But this is all under the guise that you can get your hands on all this stuff.

What can the real person do to protect themselves is a better question. What quick/destructive methods are there for the real person?

Re:The "How To Destroy Your HD" Thread (1)

DarthVain (724186) | more than 8 years ago | (#13438912)

That seems a bit over the top, and I bet thermite is probably kinda hard to get your hands on. A simpler, low-tech, cheaper alternative (unless it keeps going up like this) is simple gasoline. I mean HDs aren't that durable anyway; a simple device to open a container (located at the top of your HD bay) full of gas, and another, time delayed (say 3 seconds), to ignite (maybe reverse one of those silly USB cigarette lighters I have seen around), or a simple switch off the PSU would probably get the same result. If you have one of those cases with all the fans.... just imagine the kind of blaze you could get going with the air intake! Not to mention this thing is going to set off sprinklers or be doused by fire retardant foam, etc... neither of which is probably very HD friendly.

Re:The "How To Destroy Your HD" Thread (2, Insightful)

Seraphim1982 (813899) | more than 8 years ago | (#13439214)

I bet thermite is probably kinda hard to get your hands onto

Do you really think that aluminum and iron oxide are that hard to get a hold of? Anyone who has passed high school chemistry could make it.
In my experience it is harder finding a way to light the thermite than it is to actually make the stuff.

Actually (2, Informative)

DnemoniX (31461) | more than 8 years ago | (#13439209)

You DO NOT want a water tray at the bottom. What makes you think a little bit of water will stop thermite? You need a tray full of sand. The thermite is hot enough to separate the hydrogen out of water, not a great move.

2 other great books I have used... (2, Informative)

Anonymous Coward | more than 8 years ago | (#13438388)

I suggest getting: Incident Response (Kevin Mandia and Chris Prosise) and also Computer Forensics (Warren G. Kruse and Jay G. Heiser). Both are an excellent read, and the Mandia book has some wonderful documents to use for real-life situations.

Forensics? Wouldn't know it from the review (4, Informative)

Red Flayer (890720) | more than 8 years ago | (#13438389)

In all, a good review of the book. However, the focus on forensics is left out of the review -- just wanted to point out that the book is more than a text on file system management, search, and data recovery.

Although, of course, the book does a very good job of being that as well.

What about encryption? (5, Insightful)

tacokill (531275) | more than 8 years ago | (#13438512)

I know that encryption is a topic unto itself but it is becoming more and more common for people to create PGP Disks or DriveCrypt disks.

How do those things fit into this topic? I mean, the filesystem stuff is great and interesting but it doesn't seem to do any good if all you can recover is a PGP Disk file*.

Can someone much smarter than me tell me how data forensics deals with that????



* PGP Disk: a pgp encrypted file that can be mounted as a drive letter. It is, literally, a file just sitting there on your harddrive. You mount the file (after providing the secret passphrase) and voila! - you now have an encrypted drive to copy files in and out of.

Re:What about encryption? (0)

Anonymous Coward | more than 8 years ago | (#13438698)

Any encryption will do. Government and corporations are getting more invasive and I can see encryption become a big thing in the future for general PC users & for those who value their privacy. The "What do you have to hide" people can just simply go jump off a cliff.

Re:What about encryption? (0)

Anonymous Coward | more than 8 years ago | (#13438775)

Forensics addresses it like this: if your application to run your encryption (i.e. bcrypt, etc.) leaves the password in cache (which, actually, a number of encryption programs really do) then retrieving the passphrase is trivial work. Here is an instance where having a corporate image that does not empty the memory on reboot is helpful for forensics. Just even having tools that are not authorized for use can be grounds for termination. Of course, encrypted data would not get you the answer of WHAT was encrypted, but it could make that employee be watched (i.e. installing a keylogger for further evidence in a criminal case). Understand, though, that merely having these apps on a PC does not mean that the user even knows they are there (someone could be storing the apps there, for use on a different system).

Re:What about encryption? (2, Funny)

jonadab (583620) | more than 8 years ago | (#13439263)

> tell me how data forensics deals with [a PGP Disk file]?

First you recover the PGP Disk file, using the sorts of techniques discussed in the book this review covers. Then you apply cryptanalysis, using the sorts of techniques discussed in cryptography and cryptanalysis books.

I do this sometimes... (4, Interesting)

MarcQuadra (129430) | more than 8 years ago | (#13438513)

I do 'forensics' sometimes. I was freelance fixing computers for a while when one of my clients asked me to find out what her husband was doing online. For a princely sum I began doing 'stealth' missions for many distressed spouses. I uncovered a lot of dirt and presented it with the understanding that I never be named or asked to testify.

Morally, it's a dark-grey zone, but it paid well and I provided the hard evidence needed to end a few broken marriages. All my former clients are better off after they found the truth.

It was odd explaining to the ladies that the VAST majority of men on the web look at porn, and that it's not anything to worry about. I was looking for personal ads, dating sites, child or extreme porn, and S&M personals sites.

It's exciting to get the call at 8am to come and clone a drive on-site. I then take it home and get what I can from it however I can, from mounting and browsing to hexdumping and grepping.

Re:I do this sometimes... (5, Funny)

Dogtanian (588974) | more than 8 years ago | (#13438666)

I was looking for personal ads, dating sites, child or extreme porn

What the heck is 'extreme porn'?!

People f*****g on snowboards at 120MPH? Some naked chick with massive fake breasts doing skateboard stunts on a halfpipe while guys standing at the top on each side try to bukakke her while she's paused in mid-air?

"It's not XXX rated.... it's XXXTREME rated!"

Re:I do this sometimes... (1)

rufusdufus (450462) | more than 8 years ago | (#13438706)

Don't get too uptight about explaining to the ladies that men look at porn online, they have a darker secret.

The fact most men are blind to is that the ladies have online boyfriends they chat with all day long.

Re:I do this sometimes... (1)

redelm (54142) | more than 8 years ago | (#13438968)

True. Infidelity is hardly a male-only activity. Females indulge about 2/3rds as often (odd disparity--with whom?), but are always more careful because of larger consequences.

Re:I do this sometimes... (2, Interesting)

Johnny Mnemonic (176043) | more than 8 years ago | (#13438795)

For a princely sum I began doing 'stealth' missions for many distressed spouses.

I'm glad that I use OS X's encrypted home directory, then. I guess you won't be reading my files. You could change my pass by booting to CD (and then I'd know!) but you still couldn't get to my home dir.

Seriously, you ever run into a Mac that had more than a passing effort made at security, and if so were you able to get around the safeguards? Or did you just sub that out?

fwiw, I guess if they wanted you to testify you wouldn't have much of a leg to stand on--a subpoena is a subpoena, and you would either have to ignore it, respect it but stay silent, or 'fess. All would involve legal fees, and I think it could be construed as not legally admissible evidence. In any event, if I was the husband's divorce lawyer, I would ask you some sharp questions.

Re:I do this sometimes... (1, Funny)

Anonymous Coward | more than 8 years ago | (#13438840)

> fwiw, I guess if they wanted you to testify you wouldn't
> have much of a leg to stand on--a subpoena is a
>subpoena, and you would either have to ignore it, respect it
>but stay silent, or 'fess.

You unwittingly have stumbled across the reason why we don't worry too much about encryption. Dorks can wrap their goods in layers of encryption, but at the end of the day it becomes worth their time to hand over the passphrases. The loudest, most flamboyant who post "I'll n3v3r h4nd 1t 0v3r 2 th3 f3ds!!!" are typically the ones who end up writing it on a tear-soaked interview form. :)

I love how that works out.

Re:I do this sometimes... (1)

GoatPigSheep (525460) | more than 8 years ago | (#13438930)

yeah but if you are being investigated and they have enough evidence against you already, having your personal files encrypted is a big sign of guilt. Personally, unless you have something REALLY big to hide, it's not worth wasting all the cpu cycles on encryption. If you really are serious about encryption, then you want something like IBM's corporate laptops with hardware encryption.

Even then, unless you are in some sensitive field, you SHOULDN'T have anything to hide.

Re:I do this sometimes... (1)

karmatic (776420) | more than 8 years ago | (#13438956)

Ok, fine. Boot to CD, Modify the Kernel [apple.com] (log the first 5 minutes of keystrokes, perhaps?), and come back in a few days.

Depending on your state's laws, there is a very good chance that if you are married, the computer is just as much hers as yours.

Morality of Privacy (2, Interesting)

redelm (54142) | more than 8 years ago | (#13438898)

You may be concerned that you violated someone's privacy. I would not be. You did not get anything that wouldn't be discoverable during divorce proceedings.

On a more fundamental level, privacy is a conditional right. A person has to behave in order to enjoy it. It is not a shield for wrongdoing. Moreover, in a marriage it is patently obvious that both are willingly giving up privacy. I have fewer qualms with spousal snooping than that on kids or employees.

But beware, the discoveries hurt!

Re:Morality of Privacy (1, Insightful)

Anonymous Coward | more than 8 years ago | (#13439045)

But beware, the discoveries hurt!

Yep... and if you go snooping yourself instead of hiring it out also be prepared to get hurt. I had an extremely rocky marriage, suspected my newlywed wife of wrongdoing and started spooling off copies of all her email conversations.

What started as a "what can I learn that will help me save this marriage" quickly turned into a nightmare when I discovered how bad things really were... cheating, backstabbing, outright plots against me, etc. It hurt, but it also gave me the leverage I needed to get out of the situation before it got immeasurably worse.

Personally, I say "good for you" to anyone who uncovers this kind of thing for spouses. If they have reason to suspect things, they are probably valid and it can be just the push they need to get out of a really bad situation before it gets worse.

Re:Morality of Privacy (1)

redelm (54142) | more than 8 years ago | (#13439160)

Yes, data is data. Denial may feel good in the short term, but it has steep long-term costs. What is, is. You'd best know it.

Re:I do this sometimes... (1, Insightful)

Anonymous Coward | more than 8 years ago | (#13438933)

"Morally, it's a dark-grey zone, but it payed well and I provided the hard evidence needed to end a few broken marriages. All my former clients are better off after they found the truth."

Is that what you tell yourself? How the hell can you make a bald assertion like that? On what evidence?

Me too (2, Interesting)

ari_j (90255) | more than 8 years ago | (#13439110)

For a law firm, I investigated a drive that had been stolen by a former employee. The drive had been recovered, and my task was to determine what he had done with it and whether he had taken or tampered with any of the intellectual property on the drive. It paid very handsomely for the amount of work involved, and it was an intellectual challenge. That said, this book may have made it easier (I didn't read the review in-depth or the book itself, but I assume it wouldn't make the task more difficult).

In this case, I determined that the employee had mounted each partition on the drive to a separate mount point, not in the original structure (such as /, /usr, /home, and so forth; he had mounted it on /mnt1, /mnt2, /mnt3, and such).

It's not as glamorous as extreme porn or personal ads, but it was still interesting.

Re:I do this sometimes... (2, Interesting)

techno-vampire (666512) | more than 8 years ago | (#13439137)

...and S&M personals sites.

Did you ever find one and have the wife respond, "If I'd known earlier he liked that, I'd have given him all the S&M he wants. No need for him to look elsewhere."

Where's my hammer? (1)

jeweekes (833112) | more than 8 years ago | (#13438542)

If you don't want anyone to find out what you have been doing on your computer, then a hammer is the best choice. Works for NSA, and it'll work for you too!

MC (2, Funny)

Dogtanian (588974) | more than 8 years ago | (#13438770)

If you don't want anyone to find out what you have been doing on your computer, then a hammer is the best choice.

I found that too... I got Hammer to defend my computer, and any time someone tries to take the drive away for forensic examination Hammer stops them by saying "You can't touch this!"

Related Links (3, Informative)

jkitchel (615599) | more than 8 years ago | (#13438588)

Related links:
Digital Forensic Tool Testing Images [sourceforge.net]
Brian's Tools [digital-evidence.org] - Includes links to SleuthKit and Autopsy
Forensic Tool Kit free trial [accessdata.com]

FTK is a nice tool to play around with for Windows users, especially with the testing images. The free trial does have a limit of 5,000 files per image so if you create or work on testing images you may have to get rid of extraneous junk and leave the good stuff. SleuthKit and Autopsy are great for the *nix environment. After you get those tools working you might give Scan of the Month challenges 24 [honeynet.org] and 26 [honeynet.org] from The Honeynet Project [honeynet.org] a shot. They're both pretty fun and challenging. Don't worry if you don't know what you're doing. Both of the challenges have writeups done on how to accomplish the tasks and what tools were used if you need guidance.

Re:Related Links (2, Informative)

Stibidor (874526) | more than 8 years ago | (#13438819)

Another nifty tool from AccessData that plugs nicely into the FTK is the Registry Viewer [accessdata.com] . Using the FTK you can find all the Windows registry files on the drive. The Registry Viewer (obviously) will open them and allow you to view just about any key/value including encrypted keys like the Protected Storage (Internet Explorer autofill and Outlook/Outlook Express saved passwords).

Since I enjoy tooting my own horn from time to time, the information referenced in this article [whitecanyon.com] was obtained by me and my co-worker (I shamelessly admit to working for WhiteCanyon) using AccessData's FTK and Registry Viewer. It was quite a bit of fun to see our results hit national T.V. :)

Crooks are going to read-only + encryption (3, Informative)

davidwr (791652) | more than 8 years ago | (#13438644)

Crooks who are "smart" are going to encrypted systems and making darn sure there's no unencrypted writable storage lying around. This, plus tamper-evident computer including tamper-evident keyboard and keyboard-connectors and a faraday cage makes it very hard on the police.

Can you say "boot with Suse Live CD and encrypt /dev/hda"? I knew you could.

This only works in jurisdictions that can't force you to reveal your passphrase. In those jurisdictions, smart crooks outsource their IT to North Korea :).

That still leaves plenty of forensics work for criminals using other people's computers such as white-collar crooks and the 99% of crooks who aren't smart.

"Not Hard Enough" Drives (1)

Doc Ruby (173196) | more than 8 years ago | (#13438702)

Is anyone still in the business of data recovery for badly crashed hard drives? Like after a headcrash, or being repeatedly smashed inside a notebook during a botched mugging? I used to use a few companies in Manhattan's Financial District, but they're all gone. First they moved to Jersey, now there's no trace. I guess their Financial biz customers all decided, after years of paying $500 per recovery, several times a week, to take out the "backup insurance" their IT was always recommending. So demand dried up. Is there any service available for recovery from drives in worse condition than "stiction", for under $1000?

Save SEVEN BUCKS (0, Informative)

Anonymous Coward | more than 8 years ago | (#13438711)

Save yourself SEVEN BUCKS by buying the book here: File System Forensic Analysis [amazon.com]

Re:Save SEVEN BUCKS (1)

MikeURL (890801) | more than 8 years ago | (#13438972)

" Save yourself SEVEN BUCKS by buying the book here: File System Forensic Analysis"

(Amazon link not carried over) This MAY be flame bait (I don't think so) but it IS accurate.

NTFS (1)

Digital Pizza (855175) | more than 8 years ago | (#13438748)

So, was the author somehow able to get more in-depth documentation on NTFS than the Linux NTFS driver developers have?

I'd love to see reliable and fast NTFS writing capability in Linux without having to use Captive-NTFS. Maybe the developers should buy a copy of this book.

Re:NTFS (0)

Anonymous Coward | more than 8 years ago | (#13439056)

Data forensics is all about reading. Writing needs to be avoided at all costs, lest you bork up what you're trying to find out.

So, no, data forensics research will not get you NTFS writing.

Re:NTFS (1)

dougmc (70836) | more than 8 years ago | (#13439282)

So, was the author somehow able to get more in-depth documentation on NTFS than the Linux NTFS driver developers have?

Why would he need it? The current Linux NTFS driver already has what he needs -- reading.

When you're doing any sort of analysis or data recovery of a disk, the first rule is you don't write to the disk. You copy everything somewhere else, preferably bit by bit, then disconnect the original, and then mount the copy of the original read-only and work on it, copying what you recover to another disk.

As for the devices that explicitly prevent writing to the disk, the only real need I see for those would be if you needed to PROVE to a court that you didn't write to a disk. For data recovery (not looking for criminal evidence) you probably don't need that -- just make sure you don't write to the disk and you're fine.
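The rule dougmc states in this post (copy bit for bit, set the original aside, work only on a read-only copy), together with the clone-then-hexdump-and-grep routine MarcQuadra describes earlier in the thread, as an added shell example. This is not code from the thread, from Carrier's book or from The Sleuth Kit; it assumes a POSIX shell with dd, mktemp, grep and one of sha256sum, shasum or openssl. The "drive" is a constructed 4 KiB file rather than a device, and the function names (image_device, verify_image, search_image, mount_readonly) are the example's own. The loop-mount step needs root and is shown but not run.

```shell
#!/bin/sh
# Added example, not code from the Slashdot thread or from Carrier's book.
# Demonstrates the "never write to the original" rule: make a bit-for-bit
# copy with dd, record a SHA-256 hash of source and copy so they can be shown
# identical, strip write permission from the copy, then search the copy only.
# Assumptions: a POSIX shell with dd, mktemp, grep and one of sha256sum /
# shasum / openssl. The "drive" below is a constructed file, not a real device;
# on a real case the source would be a device node behind a write blocker.
set -eu

# hash_file FILE: print the SHA-256 hex digest using whichever tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# image_device SRC DST: bit-for-bit copy. conv=noerror,sync keeps dd going past
# unreadable sectors and zero-fills them so every later offset stays aligned
# (real devices are whole 512-byte sectors, so sync adds no padding).
# Records the copy's hash next to it and returns 0 only if it matches SRC.
image_device() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(hash_file "$1")
    dst_hash=$(hash_file "$2")
    printf '%s\n' "$dst_hash" > "$2.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# protect_image DST: drop write permission so ordinary tools cannot alter the
# copy by accident; work on a second copy if a tool insists on writing.
protect_image() {
    chmod a-w "$1" "$1.sha256"
}

# verify_image DST: recompute the hash and compare with the recorded one.
# Run before and after every analysis session to show the copy was untouched.
verify_image() {
    [ "$(hash_file "$1")" = "$(cat "$1.sha256")" ]
}

# search_image DST PATTERN: count matching lines in the copy; -a treats the
# binary image as text so grep reports matches instead of "Binary file".
search_image() {
    grep -ac "$2" "$1" || true
}

# mount_readonly DST MNT: mount the copy through a loop device, read-only and
# with noexec/nodev/noatime so nothing on the evidence runs or gets its
# timestamps touched. Needs root and a loop-capable kernel; not run in demo.
mount_readonly() {
    mount -o ro,loop,noexec,nodev,noatime "$1" "$2"
}

# demo: constructed 4 KiB "drive" with a marker at offset 0, imaged and checked.
demo() {
    work=$(mktemp -d)
    drive="$work/drive.raw"
    image="$work/evidence.dd"
    dd if=/dev/zero of="$drive" bs=512 count=8 2>/dev/null
    printf 'CONSTRUCTED-EVIDENCE-MARKER' | dd of="$drive" conv=notrunc 2>/dev/null
    image_device "$drive" "$image"
    protect_image "$image"
    verify_image "$image"
    search_image "$image" 'CONSTRUCTED-EVIDENCE-MARKER'   # prints 1
    printf 'image and hash in %s\n' "$work"
}

demo
```

Hashing the source before imaging and the copy afterwards is what turns "I didn't write to it" into something a third party can check; on a real device the source is read through a hardware write blocker, which is the piece dougmc says you need when the point has to be proved to a court rather than just to yourself.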

Bigger questions (3, Insightful)

cpu_fusion (705735) | more than 8 years ago | (#13438994)

Rather than being so worried about what is there or not, the deeper and far more difficult question is: why is it there?

With the existence of zero-day exploits, spyware-zombies-for-sale, broadband, etc., how can anyone convince a jury beyond a reasonable doubt that someone put the bits there THEMSELF without a confession or video of them actually putting the content there?

People are going to jail because of this shit. Digital evidence is an oxymoron.