
New Anti-Forensics Tools Thwart Police

CowboyNeal posted more than 7 years ago | from the knowing-thine-enemy dept.

Security 528

rabblerouzer writes "Antiforensic tools have slid down the technical food chain, from Unix to Windows, from something only elite users could master to something nontechnical users can operate. 'Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator. 'Now it's hobby level.' Take, for example, TimeStomp. Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified."


528 comments


Time Stamps? (5, Funny)

iminplaya (723125) | more than 7 years ago | (#19346881)

Simple! Just cut the disk open and count the rings.

Re:Time Stamps? (5, Funny)

iminplaya (723125) | more than 7 years ago | (#19347069)

Yes, and notice how I modified the time stamp AND the comment number to make it appear the parent is the first post.

Pfft. (5, Funny)

RealGrouchy (943109) | more than 7 years ago | (#19346895)

This has got to be old news. Over 112% of Slashdotters have been using these programs for years, since at least 3 months from now!

- RG>

Re:Pfft. (5, Funny)

trolltalk.com (1108067) | more than 7 years ago | (#19346967)

Gee, and I thought it was a free "feature" included with every version of Windows and DOS.

FILE0001.CHK
FILE0002.CHK
FILE0003.CHK
FILE0004.CHK
FILE0005.CHK
...
FILE9999.CHK
Unable to find COMMAND.COM. Please insert system disk and press reset.

Re:Pfft. (0)

ZakuSage (874456) | more than 7 years ago | (#19346993)

My favorite app for all this is a painfully simple one: hammer and a nail. Drive that through your HDD and even the best forensic work won't be able to bring your data back.

Re:Pfft. (4, Informative)

the unbeliever (201915) | more than 7 years ago | (#19347089)

Data can still be recovered. It may only be bits and pieces of files, but it can still be recovered. Clean room data recovery can do some pretty amazing things now.

The only "sure" way is to melt down the platters and make pretty jewelry with them.

Re:Pfft. (1)

ZorinLynx (31751) | more than 7 years ago | (#19347549)

Yeah, but at what point does recovering the data become prohibitively expensive?

I'd think driving a nail through the disk would get there. Unless we're talking national security here, I doubt anyone would pony up the dough to get your data.

I generally hit old disks hard with a hammer before throwing them out. Trashes at least some of the platters and ensures no one can read them. That's usually enough.

-Z

Re:Pfft. (5, Interesting)

andy_t_roo (912592) | more than 7 years ago | (#19347597)

Actually, that's a bit extreme. All you need to do is heat it above the Curie temperature (300-380 for Fe-Nd alloys); at this point the magnetic properties become completely dependent on the applied magnetic field, so as it cools down again, the only magnetization left is due to the earth's magnetic field. Below this temperature you need to apply a strong magnetic field to reverse *most* of the magnetization (that's how normal recording works). As an added bonus, if you do this in such a way that there are no dust contaminants (inductive heating of the platters in a vacuum), you still have a working drive.

Here's a real good one (4, Interesting)

Travoltus (110240) | more than 7 years ago | (#19347711)

Imagine a filesystem that is encrypted 3 times, in "headerless" fashion. What I mean by headerless is, whereas a zip file leaves reliable signatures identifying it as a zip file, this scheme would be a naked 128 or 256 or 1024 bit encrypted file (bear with me here) with no signature. There would be no way to even identify this file unless you managed to decrypt it with the right password and the exact corresponding decryption scheme. (It could be a zip file or a rar file or an arj file but you'd have to guess.)

That's for the first layer. Then you use the same (or different) scheme to scramble that already encrypted file again. With the same or different password.

Then you do it a third time.

Granted this would take a hell of a lot of computing power and a single bit of data corruption would screw you royally (which calls for more advanced recovery techniques which leads to some weaknesses...), but the effect is this.

First, you get the hard drive and the whole filesystem is encrypted. It's utterly garbage to you. You don't know which scheme was used to encrypt it. You certainly don't know the password. But you may know it's triple layer encrypted. Or double, or quad.

What is certain is, if you get the correct encryption scheme AND the password for that first layer, the decrypted file is STILL GARBAGE. You don't really know if you got the correct information or not, because you're still looking at a "headerless" pile of garbage data. Good luck guessing that second layer because no matter what, you still get a pile of incoherent garbage.

If you've done this to all your files on your hard drives, DVDs and CDs, this is where you demand your Constitutional right (in the United States) to a SPEEDY trial and then plead the Fifth Amendment in court when asked for your password/encryption schemes. Why? Because if I'm right, the police and their descendants down to the 7th generation will have died of old age before they figure out the 2nd layer, much less the 3rd.

Mind you, the cops may have slapped a keylogger on your system ahead of time. If that's the case, you're screwed.

Lawyers and hackers, please rip my idea to pieces and tell me what you think...

Ah, the police... (4, Funny)

Icarus1919 (802533) | more than 7 years ago | (#19346929)

I always just keep a few magnets handy... just in case....

I prefer hardware solutions, rather than software ones.

Re:Ah, the police... (1)

TheCarp (96830) | more than 7 years ago | (#19346981)

I dunno...

if it's the gummint coming after me, I would prefer not to have to rely on magnets. Too time consuming to do right, and, well... I guess in the end it matters how much they want it.

For my laptop, I just keep the hard drive encrypted. Entire file system (ok, cept for /boot). Very simple, and no worries. Obviously it comes down to the question of what's worse, decrypting the hard drive for them, or being accused of withholding evidence?

Then, if it's someone who can't threaten me with violence (aka big armed men dragging me away under threat of escalating violence until I am dead or comply, off to jail)

Well... someone like that is just screwed. (ok if they were pretty smart and could trojan my initramfs.... they could probably scrape my passphrase... but they would have to know to do that before they tip their hand to me)

-Steve

Re:Ah, the police... (1)

Courageous (228506) | more than 7 years ago | (#19347391)

Obviously it comes down to the question of what's worse, decrypting the hard drive for them, or being accused of withholding evidence?

One would think one would argue that one could not be compelled to produce evidence against oneself.

Course, if they really want to get you, they plant keystroke loggers on your box and get your cipher codes that way. Silly, these self-styled masterminds who think that they can defeat a group of talented law enforcement officers who know enough to know they need to take you down...

C//

Re:Ah, the police... (0)

Anonymous Coward | more than 7 years ago | (#19347629)

Someone hasn't read the latest Phrack.

Re:Ah, the police... (1)

Nossie (753694) | more than 7 years ago | (#19347689)

I realise that encrypting your whole machine might suggest you were withholding evidence. What if however, you only encrypted 1 partition and then said you'd honestly forgotten the decryption key. IANAL but I have to wonder if anyone can do you for being human and forgetting a password?

Re:Ah, the police... (2, Funny)

Simon80 (874052) | more than 7 years ago | (#19347731)

Normally, I'd be inclined to dismiss this tactic, but hey, if it works for the attorney general of the US...

Re:Ah, the police... (0)

Anonymous Coward | more than 7 years ago | (#19346983)

Me too. I moved to http://en.wikipedia.org/wiki/Yucca_Mountain [wikipedia.org] . My hard drive routinely fails on a monthly basis. I'd like to see the RIAA keep any evidence intact until trial.

Re:Ah, the police... (1)

NeverVotedBush (1041088) | more than 7 years ago | (#19347411)

Actually, submitting the platters to magnetic fields powerful enough to warp them doesn't make the data unreadable. The simplest and best way is still the ubiquitous hammer applied generously. And/or a drill press.

Re:Ah, the police... (1)

FishWithAHammer (957772) | more than 7 years ago | (#19347613)

Simple ways are no fun.

You don't get to use the shotgun when doing it the "simple way."

Or the thermite.

Re:Ah, the police... (1)

kaizokuace (1082079) | more than 7 years ago | (#19347619)

Yes, a hardware solution for sure. A thermite charge would be way cooler and more dramatic than a magnet tho ;p

sing to an obvious tune (1)

pytheron (443963) | more than 7 years ago | (#19346945)

a finger to fudge is just enough to ruin your time_t

interesting (1)

wizardforce (1005805) | more than 7 years ago | (#19346951)

Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified.
I blame time travel. But seriously, does this software modify every single read/write timestamp, or do they need to set it to do the work? Because if it is the latter, I bet they will find a few that weren't modified right. Is there no other way to date these tracks? I mean, they surely found a difference between a track on the disk written 10 years ago and one written within the year, right?

Re:interesting (3, Interesting)

Anonymous Coward | more than 7 years ago | (#19347097)

By physically examining the disk you could better determine the age of the data -- but this is not how digital evidence is usually collected.

In fact, this just exposes how ludicrous courts' treatment of digital "evidence" is. The information they accept as evidence can be trivially faked. Think it sounds far-fetched to be framed for a crime? That's not so difficult when someone can just flip a few bits on your hard drive, maybe via a memory-resident-only exploit, then call in an anonymous tip to the police. There will be nothing on the drive to exonerate you. You could then easily spend years in prison for nothing.

It's like the situation we face now with electronic voting, but easier to defraud than even that. The people making these laws and procedures seem to have no idea how computers actually work.

Re:interesting (4, Interesting)

dwandy (907337) | more than 7 years ago | (#19347643)

The people making these laws and procedures seem to have no idea how computers actually work.
It continues to amaze me how the same people that accept that their computer crashes for no reason also accept anything printed by a computer is pure truth.

Re:interesting (4, Informative)

enrevanche (953125) | more than 7 years ago | (#19347249)

The date a track was written could possibly be analyzed by looking at how it was written at the microscopic level, but this would probably destroy the disk itself. It would be very expensive. As far as I know, this is only theory and has not actually been done. If somebody has a technique, I would hope that it would require a lot of peer-reviewed research to verify its validity. Anyway, the date a track was written may have nothing to do with the age of the data (file), as the OS may move files around for efficiency. This will not affect the timestamps of a file. The fact is that these timestamps are simply data written on the disk and can easily be changed.

Re:interesting (1)

Kythe (4779) | more than 7 years ago | (#19347297)

As I understand it, the physical magnetic characteristics of data written to a hard drive change over time, such that very old data tends to be tougher to erase than newer data. Of course, you'll not find many hard drives in continual use for 10 years :)

At any rate, determining the magnetic remanence of a given domain on a hard drive may be pretty difficult, and surely the effort would be far beyond what a normal forensics investigation would devote to a case.

Never trust the computer! (4, Insightful)

Trifthen (40989) | more than 7 years ago | (#19346957)

Timestomp? Now I've heard everything.

Any hacker/script-kiddie with a working knowledge of touch and a 'find' command could wreak equal havoc. Combined with a quick filter and another perl script to generate random timestamps, all launched regularly from cron? Forget it. Forensics folks would be better off scouring logs for a non-tainted timestamp and counting directory inode entries for approximate age.

Of course, this says nothing of rootkits, which can be downright subversive, embedding themselves into kernel space where not even the OS knows they exist, where they can wreak untold havoc with historical system data or encryption. I bet there's even a script-kiddie version of anti-forensics tools out there, where it just cron-obfuscates anything trackable. Logs, timestamps, frequent automated sweeps of shred over unallocated disk blocks, inode reordering, and so on.

Now that I think about it, that might be a good idea. I got some work to do. ;)
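The defender-side counterpart to the above is to check the timestamps a tool leaves behind for the impossible combinations the summary describes (created in the future, accessed before creation, every value a whole second) and, as Trifthen suggests, to cross-check them against a timestamp from an independent source such as a log. The script below is an added example written for this page, not code from the article or from any poster; the file records, the acquisition time and the log-derived write times it audits are constructed inline, and the whole-second heuristic is an assumption about how timestamp-rewriting tools tend to behave, not a rule.

```python
"""Audit file created/modified/accessed timestamps for the inconsistencies
a timestamp-rewriting tool leaves behind.

Added example: every record below is constructed, not taken from a real system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class FileRecord:
    """One file's timestamps as a forensic export would list them."""
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


def audit_record(rec, now, log_write=None, future_skew=timedelta(minutes=5)):
    """Return the findings for one record; an empty list means nothing looked odd."""
    findings = []
    # 1. Nothing on an acquired disk should carry a timestamp beyond the acquisition
    #    time (a small allowance covers clock skew).
    for name in ("created", "modified", "accessed"):
        if getattr(rec, name) > now + future_skew:
            findings.append(f"{name} is in the future")
    # 2. A file cannot have been modified or accessed before it existed.
    if rec.modified < rec.created:
        findings.append("modified before created")
    if rec.accessed < rec.created:
        findings.append("accessed before created")
    # 3. Heuristic (assumption, not a rule): tools that rewrite timestamps commonly
    #    write whole seconds, whereas a live NTFS volume records sub-second ticks.
    #    FAT rounds legitimately, so treat this as a hint to corroborate, not proof.
    if all(getattr(rec, n).microsecond == 0 for n in ("created", "modified", "accessed")):
        findings.append("all timestamps lack sub-second precision")
    # 4. Cross-check against an untainted source: if a log records a write to this
    #    file at time T, the file's own modified timestamp cannot honestly precede T.
    if log_write is not None and rec.modified < log_write:
        findings.append("modified predates a logged write")
    return findings


def audit_records(records, now, log_writes=None):
    """Audit every record; returns {path: [findings]} so clean files show an empty list."""
    log_writes = log_writes or {}
    return {rec.path: audit_record(rec, now, log_writes.get(rec.path)) for rec in records}


# Constructed sample data: an acquisition "now", three file records, two logged writes.
SAMPLE_NOW = datetime(2007, 6, 1, 12, 0, tzinfo=UTC)
SAMPLE_RECORDS = [
    # An ordinary file: all in the past, sensibly ordered, sub-second precision intact.
    FileRecord("C:/data/normal.txt",
               created=datetime(2007, 5, 1, 10, 0, 0, 123456, tzinfo=UTC),
               modified=datetime(2007, 5, 20, 9, 30, 0, 654321, tzinfo=UTC),
               accessed=datetime(2007, 5, 31, 8, 0, 0, 111111, tzinfo=UTC)),
    # The pattern the summary describes: created ten years from now, accessed two
    # years ago, never modified (modified == created), every value a whole second.
    FileRecord("C:/Windows/stomped.dll",
               created=datetime(2017, 6, 1, 0, 0, 0, tzinfo=UTC),
               modified=datetime(2017, 6, 1, 0, 0, 0, tzinfo=UTC),
               accessed=datetime(2005, 6, 1, 0, 0, 0, tzinfo=UTC)),
    # Plausible on its own, but a log independently recorded a later write to it.
    FileRecord("C:/data/report.doc",
               created=datetime(2007, 3, 1, 10, 0, 0, 500000, tzinfo=UTC),
               modified=datetime(2007, 4, 1, 12, 0, 0, 250000, tzinfo=UTC),
               accessed=datetime(2007, 5, 30, 9, 0, 0, 750000, tzinfo=UTC)),
]
# Write times recovered from an untainted source (constructed here), e.g. a file
# server's audit log that the tool on the workstation could not reach.
SAMPLE_LOG_WRITES = {
    "C:/data/normal.txt": datetime(2007, 5, 20, 9, 30, 0, tzinfo=UTC),
    "C:/data/report.doc": datetime(2007, 5, 15, 14, 0, 0, tzinfo=UTC),
}


def run_sample():
    """Run the audit over the constructed records and return the report."""
    return audit_records(SAMPLE_RECORDS, SAMPLE_NOW, SAMPLE_LOG_WRITES)


if __name__ == "__main__":
    for path, findings in run_sample().items():
        print(path, "->", "; ".join(findings) if findings else "consistent")
```

Each check on its own is weak (clock drift and FAT rounding both produce false positives), which is why the report keeps findings per file rather than a single verdict: a file that trips the future-date check, the ordering check and the whole-second heuristic at once is far more telling than any one of them, and the log cross-check is the only one that does not depend on the tainted metadata at all.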

Re:Never trust the computer! (2, Insightful)

iminplaya (723125) | more than 7 years ago | (#19347049)

Subject says it all. We give the damn things way too much power. Beware of the ATM!

Re:Never trust the computer! (even a Linux box?) (2, Interesting)

DownWithTheMan (797237) | more than 7 years ago | (#19347221)

Speaking of rootkits, from TFA:

Linux servers have become a favorite home for memory-resident rootkits because they're so reliable. Rebooting a computer resets its memory. When you don't have to reboot, you don't clear the memory out, so whatever is there stays there, undetected.

I don't mean to sound like a moron or naive but are Linux rootkits really that prevalent? After doing a quick google search for "rootkits for linux", I found a few for the old 2.0 and 2.2 Linux kernels... Have updates that have since come out made life that much harder for the hacking community? Anyone have an idea of what's going on here, because I'm really surprised to see them make the claim that Linux servers are a new favorite home for rootkits...

Re:Never trust the computer! (4, Insightful)

_Sprocket_ (42527) | more than 7 years ago | (#19347295)

Any hacker/script-kiddie with a working knowledge of touch and a 'find' command could wreak equal havoc. Combined with a quick filter and another perl script to generate random timestamps, all launched regularly from cron? Forget it. Forensics folks would be better off scouring logs for a non-tainted timestamp and counting directory inode entries for approximate age.


And that seems to be the point - how many of these types actually know how to use touch or find... much less put together a perl script? By "hobbiest" they're not talking about our level of knowledge... they're talking average punk who thinks double-clicking a rootkit is advanced hacking. Criminals aren't always the sharpest crayons in the box.

I met one of the FBI agents involved in the investigation of Zimmerman over PGP. After that case, she moved on to child pornography cases. I asked her how many times they ran into PGP being used by people trading in kiddie porn. Not a single one. She noted that the folks they were busting just weren't smart enough to understand that kind of thing.

That basic precautions are showing up enough to give investigators a problem says something both about the attackers and the investigations.

Re:Never trust the computer! (4, Funny)

flyingfsck (986395) | more than 7 years ago | (#19347445)

Well, alternatively one could just use Windows ME on a FAT file system. That screws things up all by itself - no need for fancy tools.

deja vu (2, Funny)

Anonymous Coward | more than 7 years ago | (#19346965)

Forensic investigators poring over compromised systems where Timestomp was used often find files that were created 10 years from now, accessed two years ago and never modified.

that's really odd, i seem to remember seeing something similar on our domain controller a few minu

"Criminals attempt to thwart police" (0)

Anonymous Coward | more than 7 years ago | (#19346971)

The police should be getting with the times then so they can fight the criminals.

So... (4, Insightful)

X0563511 (793323) | more than 7 years ago | (#19346987)

The obvious message to law enforcement is that people don't like others going through their things.

Personally, I'm all for it! The timestomp tool they mentioned seems more for oh-shit scramble-the-evidence rather than general usage... that kind of timestamp manipulation can really frig up a system.

Personally I'm a fan of disk encryption using algorithms and key-lengths that make it extremely impractical to get in once the system is powered down. If up however... you have three strikes at getting in and all future packets from your IP are silently dropped for several days. Local access isn't a problem either... open the case and power goes out... and after 10 minutes of idle-time the system locks (only way in is password or reboot... obviously reboot isn't helpful)

Call me paranoid. I am. I also like my privacy. Yes, I DO have something to hide: MY LIFE! I don't want you in my stuff at all!!! It doesn't matter that there is nothing illegitimate or illegal on the damn things, I still don't care.

Re:So... (2, Interesting)

Kjella (173770) | more than 7 years ago | (#19347073)

Personally, I'm all for it! The timestomp tool they mentioned seems more for oh-shit scramble-the-evidence rather than general usage... that kind of timestamp manipulation can really frig up a system.

I was thinking more in direction of "non-destructive fuckup of compromised machine", like say a machine you've trojaned. Make it hell to figure out how and what you've done. If you want to prevent forensic investigation on your own machine, encryption is much better than obfuscation.

Re:So... (0)

Anonymous Coward | more than 7 years ago | (#19347175)

"Yes, I DO have something to hide: MY LIFE!"

You say that as if your life was your own property.

Re:So... (4, Interesting)

X0563511 (793323) | more than 7 years ago | (#19347229)

It is. Hell, if people get sick of it all and the shit hits the wall, I'll be right up there with the 'enemy' pushing for real freedom.

Yes, I don't care if I get flagged for that. I care for my liberty.

Re:So... (1)

KermodeBear (738243) | more than 7 years ago | (#19347291)

What are you using that turns the power off when the case is opened? Is this a home brew solution, or something off the shelf?

Thanks!

Re:So... (1)

Lehk228 (705449) | more than 7 years ago | (#19347365)

"corporate" motherboards have a case intrusion switch, which can be set to do different things.

Re:So... (3, Informative)

RobertM1968 (951074) | more than 7 years ago | (#19347459)

I'm not sure what parent is using, but I own a Netfinity, and it can be set up so that
  • Opening the case triggers some action (shut-down, lock-up, email/network/pager/phone alert, etc)
  • changing hardware in the machine triggers some action (shut-down, lock-up, email/network/pager/phone alert, etc)
  • a device failing triggers some action (shut-down, lock-up, email/network/pager/phone alert, etc)
  • Powering off the machine (via the soft-power through mobo switch) triggers some action (lock-up next start, email/network/pager/phone alert, etc)
  • shutting down the power supply (using the switches on the power supplies) triggers some action (lock-up next start, email/network/pager/phone alert even with no power, etc)
  • physically unplugging all 3 power cords triggers some action (lock-up on next start, email/network/pager/phone alert, etc even with no power)
  • cutting the power to the location instantaneously triggers some action (lock-up on next start, email/network/pager/phone alert, etc)
  • and on many models, trying to remove the unplugged unit from a building triggers some action (email/network/pager/phone alert, etc) - with the appropriate RFID station in said building.

Parts of the machine stay on for a very long time without power, and the whole machine itself can take up to 30 seconds to power down with no power connected. The System Management board has its own internal power (though minimal), and most every hardware- or power-related issue gets logged into the hardware's system log - even with no power to the machine (i.e. pulling all plugs or hitting the circuit breaker will make the machine log a "No AC Power" with Time & Date stamp; and send out a notification - even though it has no AC power - before the machine drains what is stored internally).

Pretty neat piece of machinery - and at 130lbs and a ridiculously high "guaranteed uptime" I guess such functions aren't much to expect. Even so, many far lower-end Netfinitys and their Intellistation brethren have (had) at least a few of the same features/capabilities.

I am presuming the replacement i Series e-Servers do as well - though that is just a presumption, and reality may be far different.

-Robert

PS: Making a home brew solution is very easy [though I think some boards natively support this through their "Case Tamper" pins which just need to be wired to a case intrusion switch (standard roller arm switch)]

Re:So... (1)

X0563511 (793323) | more than 7 years ago | (#19347591)

Remove the side panel and it pulls apart a connector that passes the "power-good" signal from motherboard to power supply (it's one of the ATX connector pins), and the power supply kills the output.

Re:So... (1)

X0563511 (793323) | more than 7 years ago | (#19347649)

Specifically this signal: See page 19 of http://www.formfactors.org/developer\specs\ATX12V_1_3dg.pdf [formfactors.org]

If it doesn't actually power down, the system does end up resetting...

Re:So... (1)

X0563511 (793323) | more than 7 years ago | (#19347685)

Er, WTF... make that page 24 of THIS [formfactors.org]

Re:So... (1)

devilspgd (652955) | more than 7 years ago | (#19347709)

A case intrusion switch, a few minutes of electrical work to run the power-supply's "power-good" signal through the switch would do the trick.

Re:So... (0)

Anonymous Coward | more than 7 years ago | (#19347323)

"...that kind of timestamp manipulation can really frig up a system."

Please excuse my ignorance and explain how? I am unaware of many processes that are timestamp-dependent. I believe the obvious "patches" are version-dependent... am I mistaken?

Print version (4, Informative)

Anonymous Coward | more than 7 years ago | (#19346991)

http://www.cio.com/article/print/114550 [cio.com] - Print version so you don't have to go through ten pages to read it all.

Anonymous coward so no Karma whoring today. :)

Macs... (5, Interesting)

Wizard Drongo (712526) | more than 7 years ago | (#19346995)

Hate to sound like an Apple fanboi, but even for those with something to hide that don't know much about computers at all, and therefore lack the know-how required to use these tools, simply using Mac OS X and turning on File-Vault, sad as it sounds, is enough to confound the majority of law enforcement. Most of the contractors that the police in the UK use are Windows only. I know for a fact that any Linux or 'specialist' computers get passed to a specialist data firm in Germany for decoding...
Macs?
Only in the most serious of cases are Macs in the UK sent for hacking if File-Vault's on. They go to Canada and take upwards of a year to crack. If ever.
Unless you've done something pretty fucking serious, and the police know the evidence is on the machine, just can't prove it, they usually won't go to the expense.
Of course, only the most stupid and inept of morons would be doing illegal shit and storing it on their computer without using the most powerful encryption possible, and only storing that which absolutely must be stored. Mind you, criminals are not usually noted for their cunning and intelligence....

It goes without saying that the above does not translate to across the pond, nor does it apply on Security operations with terrorists and the like. How MI5 & MI6 do things is completely different and tends to involve some 'specialist' people from the likes of the I-corps and in-house solutions....
I could elaborate, but I'm not THAT dumb.....

Re:Macs... (0)

Anonymous Coward | more than 7 years ago | (#19347259)

If it takes only a year to crack an encryption scheme, then I would call it pretty shitty.

Re:Macs... (1)

Wizard Drongo (712526) | more than 7 years ago | (#19347431)

Note my use of the term "ever".
They sometimes get lucky, and may leave it running for a year, but to my knowledge (which isn't complete in this area admittedly), there hasn't been a case where a properly secured Mac's data has actually been cracked. The only case that I've heard of was a drugs bust case where a lot of important evidence, both from a prosecutory as well as intel side, was located on the "Mr Big's" mac (contacts, delivery timetables, meeting points, even accounting stuff). They got it not through hacking but by offering a reduced sentence to a minion who had access.

Re:Macs... (4, Insightful)

Anonymous Coward | more than 7 years ago | (#19347389)

Mind you, criminals are not usually noted for their cunning and intelligence....

Well, you only hear about the ones that get caught.

Re:Macs... (1)

devilspgd (652955) | more than 7 years ago | (#19347723)

Sure, Macs just aren't used enough in the real world to devote much in the way of resources to them.

Yes, well (0)

Anonymous Coward | more than 7 years ago | (#19347007)

Thankfully I still have the right to have the data on MY computer not keep tabs on me if I don't want it to. Sorry.. but the timestamps on files weren't there so the police could use them later.. they were there for my convenience.

oh geez... the "police" (5, Interesting)

porkThreeWays (895269) | more than 7 years ago | (#19347009)

Let me let everyone in on a dirty little secret about 99% of police computer forensics experts... they are less skilled than most 9 year olds at recovering vital information. Many of them use bootable disks that just check the hard drive for IE's cached files and history, etc, etc. Simple stuff a child could do. These people aren't doing complex low level block analysis. They are doing the level of recovery parents do at the end of the night to see what websites their children went on. Does it surprise anyone then it's extremely easy to fool them? God forbid you use encryption, an OS they aren't familiar with, or hardware they've never seen. They'll never recover anything.

Re:oh geez... the "police" (4, Informative)

Kjella (173770) | more than 7 years ago | (#19347301)

Don't underestimate the tools - many forensic experts couldn't find their way at all outside the tool, but the tools are rather good at three things:
1) Point them to "interesting" catalogs on most operating systems
2) Read pretty much any filesystem, including the odd Linux/BSD variants
3) Scan for files (keywords, against a hash db etc.) without booting your OS

Encryption is the only thing that'll stand any serious investigation. Though I suppose it'll get you past the "should we bother to check his computer just in case" checks, there is plenty of support for non-"IE/Windows" machines.

Examples:
Operating system Support: Windows 95/98/NT/2000/XP/2003 Server, Linux Kernel 2.4 and above, Solaris 8/9 both 32 & 64 bit, AIX, OSX.
  • File systems supported by EnCase software: FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS and jfs) LVM8, FFS (OpenBSD, NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, and TiVo® 1 and TiVo 2 file systems.
  • EnCase software uniquely supports the imaging and analysis of RAID arrays, including hardware and software RAIDs. Forensic analysis of RAID sets is nearly impossible outside of the EnCase environment.
  • Dynamic Disk Support for Windows 2000/XP/2003 Server.
  • Ability to preview and acquire select Palm devices.
  • Ability to interpret and analyze VMware, Microsoft Virtual PC, DD and SafeBack v2 image formats.

Compound Document and File Analysis: Many files such as Microsoft Office documents, Outlook PSTs, TAR, GZ, thumbs.db and ZIP files store internal files and metadata that contain valuable information once exposed. EnCase automatically displays these internal files, file structures, data and metadata. Once these files have been virtually mounted within EnCase, they can be searched, documented and extracted in a number of different ways.

File Finder: This feature automatically searches through the page file, unallocated clusters, selected files or an entire case, looking for predefined or custom file types. This feature differs from the standard search, because it looks through the defined areas for the file header information and sometimes the footer.

Analysis: EnCase software has the ability to find, parse, analyze, display and document various types of email formats, including Outlook PSTs/OSTs ('97-'03), Outlook® Express DBXs, Lotus Notes NFS, webmail such as Hotmail, Netscape and Yahoo; UNIX mbox files like those used by Mac OS X; Netscape; Firefox; UNIX email applications; and AOL 6, 7, 8, 9. In some cases, EnCase can recover deleted files and depending on the email format, the status of the machine.

Browser History Analysis: EnCase has powerful and selective search capabilities for Internet artifacts that can be done by device, browser type or user. EnCase can automatically parse, analyze and display various types of Internet and Windows history artifacts logged when websites or file directories are accessed through supported browsers, including Internet Explorer, Mozilla, Opera and Safari.

Re:oh geez... the "police" (1)

Lehk228 (705449) | more than 7 years ago | (#19347383)

EnCase doesn't read .7z files? not even my old chat logs will show up if i get a visit from the party van.

Re:oh geez... the "police" (2, Informative)

arth1 (260657) | more than 7 years ago | (#19347573)

File systems supported by EnCase software: FAT12/16/32, NTFS, EXT2/3 (Linux), Reiser (Linux), UFS (Sun Solaris), AIX Journaling File System (JFS and jfs) LVM8, FFS (OpenBSD, NetBSD and FreeBSD), Palm, HFS, HFS+ (Macintosh), CDFS, ISO 9660, UDF, DVD, and TiVo® 1 and TiVo 2 file systems.

Another good reason to use XFS then.

In addition to it zeroing out any previously write-opened files when replaying the journal (which is why you get a bunch of files filled with NULL if you pull the plug on an XFS system -- it's by design). And it having a defragmenter (xfs_fsr), which prevents dirty extents with confidential data from sticking around "forever".
Oh, and it being fast and mature doesn't hurt either, nor does the support for security labels and alternate streams.

Regards,
--
*Art

Re:oh geez... the "police" (1)

hamster_nz (656572) | more than 7 years ago | (#19347333)

Ah, that makes me feel better... I'll just clear my Browser's cache next time I am planning a crime. By the way how are things going down at the station's computer forensic lab? do many suckers fall for your misinformation?

It is like ten lines of code to do this anyways. (0)

Anonymous Coward | more than 7 years ago | (#19347013)

We had a build tool once that kept overwriting some files we did not want it to because the timestamps were older for some reason. It took me ten minutes to write an app that ran through the directory, opened up the file metadata in every file and manually altered the timestamps of every file.

Holy Crap (2, Funny)

stoneycoder (1020591) | more than 7 years ago | (#19347077)

They must be using some NSA type shit. From TFA:

He learned quite a bit through forensics. He learned, for example, that an aquarium employee had downloaded an audio file while eating a sandwich on her lunch break.
Now that's what I want, a tool that can tell if someone was eating a sandwich while downloading a particular file.

Re:Holy Crap (1)

Kythe (4779) | more than 7 years ago | (#19347353)

More than that: a tool that will tell you whether it was turkey, ham or PBJ.

Re:Holy Crap (2, Funny)

alohatiger (313873) | more than 7 years ago | (#19347599)

Come on, all you have to do is check the MEAL_BREAK_MENU_DESCRIPTION meta tag

And with Slashot (1)

drDugan (219551) | more than 7 years ago | (#19347103)

And with a Slashdot story, TimeStomp just migrated down from hobby to script-kiddie. Ahhh, you gotta just love free open information exchange.

Re:And with Slashot (1)

Lehk228 (705449) | more than 7 years ago | (#19347451)

back when i used windows 98 i had some tool that added an edit field to the properties dialog on every file, it would also run recursively on directories.

i used it mostly for fixing messed up files that came to the top of searches incorrectly (find newest text files... oops there are a bunch created in 2050 so good luck finding actual new files)

Touch? (2, Interesting)

mattfata (1038858) | more than 7 years ago | (#19347111)

TimeStomp? ...can't `touch` and a bash script accomplish the same thing?

Re:Touch? (1)

flyingfsck (986395) | more than 7 years ago | (#19347487)

That is probably what timestomp is - a bash script.

Re:Touch? (1)

arth1 (260657) | more than 7 years ago | (#19347501)

It's better done by a shell script, due to incompatibilities between Windows and Unix/Linux time stamps.

The ctime in Windows is not the same as ctime in Unix/Linux. In Windows, it's the creation time. In Unix, it's the change time.

This causes great confusion when using a file copying or archiving tool made by Windows users and which foolishly sets the ctime to the Windows create time. Which means files won't be backed up in incremental/differential backups, cause the ctime is older than the last backup, and caching web servers continue to serve the cached content because the ctime hasn't changed.
Some $$$$$ or even $$$$$$ apps do this, and as a Unix admin, it's damn fine annoying, so writing shell scripts to fix bogus time stamps is all part of the job.

Re:Touch? (0)

Anonymous Coward | more than 7 years ago | (#19347513)

Not on Windows, there is an Entry timestamp that requires the Timestomp magic to overwrite

A year ago... (3, Interesting)

Lord Kano (13027) | more than 7 years ago | (#19347117)

My girlfriend told me that her nephew was going to college for "Computer Forensics" and my immediate response was, when he's done all he'll be able to do is catch cheating spouses. People who are engaging in real criminal activity are already using strong crypto and it's getting easier every day.

You just can't beat the numbers. If there is a 256 bit keyspace and a secure algorithm, you are not going to be able to crack the machine. I suppose that perhaps American and European law enforcement could take a page out of Israel's book and start using "strong persuasion" to get keys from suspects, but I don't imagine that happening any time soon.

LK

Re:A year ago... (0)

Anonymous Coward | more than 7 years ago | (#19347169)

perhaps American and European law enforcement could take a page out of Israel's book and start using "strong persuasion" to get keys from suspects, but I don't imagine that happening any time soon.

Don't bet on it....
Alberto Gonzoles

Re:A year ago... (0)

Anonymous Coward | more than 7 years ago | (#19347257)

hopefully you're talking about elliptic curve cryptography, otherwise 256 bits would last a few minutes.

Re:A year ago... (0)

Anonymous Coward | more than 7 years ago | (#19347583)

Public-key, yes. Symmetric key (which is what you'd use in this case), not a chance --- even 128 bit would take years at best, barring some undiscovered shortcut.

Persuasion (4, Insightful)

gillbates (106458) | more than 7 years ago | (#19347357)

In 'Merica, we call it gitmo. Encrypshun don't fool us nohow, nosir.

'fter all, if yah ain't guilty, watcha hidin' stuff fer? Dontcha know there's a war goin' on?

Re:Persuasion (4, Insightful)

Mr2001 (90979) | more than 7 years ago | (#19347683)

That's what packages like TrueCrypt [truecrypt.org] with hidden volume support are good for. The Man tortures you, you give up a key, and he finds some fake secret files, while your real secret files are still safely hidden.

Re:A year ago... (2, Interesting)

taoman1 (1050536) | more than 7 years ago | (#19347483)

Well, they can do a little more than that. Child porn collectors are busted every day using Encase [guidancesoftware.com].

Re:A year ago... (0)

Anonymous Coward | more than 7 years ago | (#19347575)

Only stupid or careless ones. As the GP says, good luck doing anything with 256-bit encryption.

Re:A year ago... (5, Funny)

Profane MuthaFucka (574406) | more than 7 years ago | (#19347547)

Don't knock it. Catching cheating spouses is a great way to get laid. You've already established that they've got no problem sleeping with people other than their husbands, which is 90% of the battle usually.

Re:A year ago... (1)

Eli Gottlieb (917758) | more than 7 years ago | (#19347611)

I hate to derail the thread, but are you saying Israel tortures people for their encryption keys? Damn, why do I get stuck with all the lousy countries?

Re:A year ago... (1)

devilspgd (652955) | more than 7 years ago | (#19347745)

Even "strong persuasion" is trivial to solve at a technical level, you simply need the ability to store multiple sets of data in the same file, with different versions being revealed depending on the key/passphrase/whatever in use.

Re:A year ago... (3, Interesting)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#19347753)

Robert Morris Sr. gave a talk long ago about the two major rules of crypto. First, never underestimate how far someone will go to read your data (for example, hiring Alan Turing and inventing digital computers). Second, look for plaintext, which will pop up in unexpected places while you perfect the algorithm that creates the ciphertext.

If you typed a passphrase into a Windows machine, would you bet your freedom that the passphrase wouldn't show up in "strings /dev/hda", in a swap file, in an MRU list, or in the files of whatever spyware happened to infect that machine? Or that potentially incriminating file names wouldn't be tucked in the registry someplace?

Hiding things on a general purpose computer is still hard, despite the availability of little-known but powerful techniques like the ATA commands to create an unreadable Host Protected Area, or simply to misreport available disk space (I'm waiting for the hack that takes advantage of the fact that a disk drive has tens of megs reserved for its own use, several megs of RAM, and a 32-bit processor: a 1990s desktop worth of machinery that nobody thinks of as a computer).

Fearless prediction: technology will lose on both offense and defense. Successful police will flip accomplices, successful criminals will move to jurisdictions where they can form an under$tanding with the police, and anyone who tries to win a technological arms race will lose in the end.

Oh no! (1)

iminplaya (723125) | more than 7 years ago | (#19347173)

You don't think they'll start messing with this clock [wikipedia.org], do you? That graph looks like we're too late...or too early?

But does it withstand rubberhose cryptoanalysis? (1, Informative)

Anonymous Coward | more than 7 years ago | (#19347179)

Pages of interest: Rubber-hose cryptanalysis [wikipedia.org] & Deniable encryption [wikipedia.org]

Clearly you have quite a few problems if you're trying to hide something, and forensics can already read timestamps on your files!

What would be a breakthrough is plausibly deniable encryption which can build fake partitions which look "real" and "used". For instance, it can automatically install an operating system to a hidden partition (that is meant to be given out to forensics after a little bit of a fight). Then it can create normal operating system usage such as email, web access, instant messenger marks, installation of new software over time, etc.

The problem with deniable encryption at the moment is that the user can't justify the lack of activity on the open partition (and the lack of normal usage marks left behind), and therefore it is quite obvious to say that another hidden (and used) partition exists.

Thermite is not an answer either because then it becomes obvious you were hiding something using extreme paranoia measures.

Knowing that a user is playing anti-forensics tricks is quite easy. Proving it in court is most likely a different matter altogether.

Re:But does it withstand rubberhose cryptoanalysis (2, Insightful)

siddesu (698447) | more than 7 years ago | (#19347277)

look up truecrypt. it has had that plausible deniability thing for years now ;)

Touch (3, Interesting)

ShakaUVM (157947) | more than 7 years ago | (#19347201)

>>Five years ago, you could count on one hand the number of people who could do a lot of these things,' says one investigator.

Yes, yes.

Five years ago (2002) there were five people (or less) that knew touch.

Lol. The guy is a moron.

I remember walking through a parking lot in college in 1996 and listening to a couple guys talk about how they would touch their files to make late homeworks appear as if they were done on time.

About a year after that, UCSD switched to a turnin-based system. =)

Stupid fucks (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#19347207)

What a bunch of idiots these so-called forensic experts are. Gee, who'dda thunk that machine readable/writable stuff could be manipulated to give false results?

Idiots. Idiots. Idiots. All of them.

Key quote (2, Insightful)

gillbates (106458) | more than 7 years ago | (#19347263)

They're using stego? Maybe we drop some stego on them.

Yeah, cause my stego *ROCKS* yo!

I'm thinking even the most avant-garde anti-forensics tool could fool this guy. Yeah, anti-forensics might be a problem for him, but last time I checked, having a future date on your warez or kiddie porn won't save you from prosecution. In fact, using something like Timestomp is more or less likely to convince the jury that you are indeed a criminal.

And likewise, it takes a very *good* steganography tool to really hide things. Sure, you could fool your friends, but you aren't likely to fool a forensic investigator with a basic knowledge of statistics. Could I tell the difference between a good and mediocre steganography tool? Probably. Could the average criminal? Probably not. A mistake as simple as hiding your data in images gleaned from the web would be enough to trip someone up: Here's a hint - if the image looks the same as the one on the web, but the checksums don't match, something's up. I'm guessing a shell script could go through the hard drive and do most of the work for the investigator. 17 hours isn't so short anymore...

If you don't want the cops to find it, use encryption. If you want deniability, use the double-xor technique mentioned in Bruce Schneier's Applied Cryptography. But don't bother thinking that bogus timestamps are going to foil any serious forensic investigator. The relative location of a file's blocks on the hard drive is going to give at least an approximate date of file creation, even if you do obliterate the timestamp, and every forensic investigator worth his salt knows this.

Re:Key quote (0)

Anonymous Coward | more than 7 years ago | (#19347381)

Defrag would take care of that and any computer geek keeps his hard disk defragged.

Re:Key quote (1)

Lehk228 (705449) | more than 7 years ago | (#19347401)

by flattening out timestamps in your questionable folders it's harder to argue a pattern of access and use. if every file was created in a single day, and last modified that same day, it's harder to argue that it's legitimately a collection rather than a dump sent by a virus/trojan/worm

Re:Key quote (3, Interesting)

arodland (127775) | more than 7 years ago | (#19347521)

Got a little something to hide? The point wasn't to provide deniability for your kiddie porn. The idea is more like, you rooted my machine, stole my data or did something evil with it, and now you want to cover your tracks. So you toast the logs as well as you can, you jumble up mtimes and permissions on files so that someone going back and doing forensics has a harder time establishing a pattern. The first step towards finding out who did something is figuring out when it was done, to find out who had access at that time, where to look in (non-compromised) logs, etc. So if you obscure that information you make it a little harder to trace things back to you. It's about hiding an identity, not data.

of course they take the easy answer (1)

spacerodent (790183) | more than 7 years ago | (#19347313)

Of course they blame it on computer utilities! Otherwise they'd have to start trying to catch clever timetraveling bandits!

Tools (3, Insightful)

Kythe (4779) | more than 7 years ago | (#19347319)

What would be interesting to me: a tool that deliberately modifies timestamps and/or creates ghost deleted files to tell a normal-looking story of computer use, when the actual history has been anything but.

In other words, forensics tools can assemble the history of file use on a disk. If it's known that the disk was in use before a certain date, but no timestamps can be found before that date (on current or deleted files), one may suspect the disk was wiped at that point. Likewise, physical disk usage for a given file system type has known and studied statistical characteristics over time. If the statistics are off, if you don't find deleted file images where you expect them, you may suspect that the freespace was wiped, or that certain unused disk space that would normally contain deleted file images contained files that are now wiped.

What happens when you have a tool that modifies timestamps on current and deleted files such that a normal distribution of them extend back before the date of disk wipe? Even worse, what happens if the tool can create "ghost" images of deleted files, in order to fool tools that look for normal statistical disk usage?

Once you have such a tool, wiping a disk and starting over can literally be done undetectably. So much for worry about having to maintain disk drive evidence after being hit with a subpoena.

Re:Tools (1, Informative)

Anonymous Coward | more than 7 years ago | (#19347497)

How about this idea:

Let's say you have 24 hours to hand in your PC for evidence. What you could do is re-install it from scratch after wiping the disk clean, and then use it for several hours doing many things that you would normally do (browse the web, install apps and things etc) and then use a script to back-date the dates on all files on your system spreading them out several weeks. Then you can say 'no I re-installed my PC about 3 weeks ago' and actually have it look like you used it for about an hour a day each day.

TimeStomp 2.0! (1)

krunk7 (748055) | more than 7 years ago | (#19347417)

find / -type f -exec touch -t 201705311200 {} +
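The `touch`-based timestomping in the "Touch" and "TimeStomp 2.0!" threads, and the detection angle raised in the "Key quote" and "Tools" threads, as an added example that is not from the original article or any of the posters. It assumes Python 3 on a Unix system whose filesystem stores sub-second timestamps (ext4, tmpfs, XFS), and builds its own constructed sample files in a temporary directory. It simulates what `touch -t` does with os.utime, then scans for the artefacts that kind of stomping leaves on Unix: a modification time in the future, an mtime newer than the inode change time (ctime cannot be set from userland, so the kernel stamps it with the real clock), and stamps whose sub-second part is exactly zero because the tool only took second or minute granularity. Flag names and slack values are the example's own choices.

```python
import os
import time
import tempfile
from pathlib import Path

NS = 1_000_000_000  # nanoseconds per second


def stomp(path, epoch_seconds):
    """Simulate `touch -t` / a userland timestomper: set atime and mtime to an
    arbitrary second-granularity value. Unix offers no call to set ctime, so
    the kernel records the current clock in ctime as a side effect."""
    os.utime(path, ns=(epoch_seconds * NS, epoch_seconds * NS))


def timestamp_flags(atime_ns, mtime_ns, ctime_ns, now_ns, slack_s=60):
    """Pure heuristic over one file's stat times; returns a list of reasons.
    An empty list means nothing looked stomped."""
    flags = []
    # A file cannot legitimately have been modified after "now".
    if mtime_ns > now_ns + slack_s * NS:
        flags.append("future_mtime")
    # A normal write sets mtime and ctime to the same instant and later
    # metadata changes only move ctime forward, so mtime strictly newer than
    # ctime means mtime was set by hand after the last inode change.
    if mtime_ns > ctime_ns:
        flags.append("mtime_after_ctime")
    # touch -t and TimeStomp take second (or minute) granularity, so the
    # stamps they set have a zero sub-second part while the kernel-set ctime
    # carries nanoseconds. The ctime check guards against filesystems that
    # only store whole seconds, where every stamp would be zero.
    if ctime_ns % NS != 0 and mtime_ns % NS == 0 and atime_ns % NS == 0:
        flags.append("zero_subsecond")
    return flags


def scan(root):
    """Walk a tree and return {path: [flags]} for every regular file that
    trips at least one heuristic."""
    now_ns = time.time_ns()
    findings = {}
    for p in Path(root).rglob("*"):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        flags = timestamp_flags(st.st_atime_ns, st.st_mtime_ns,
                                st.st_ctime_ns, now_ns)
        if flags:
            findings[str(p)] = flags
    return findings


def demo():
    """Constructed sample: one untouched file, one stomped into 2050 and one
    stomped back to 2001. Returns (findings, {name: path})."""
    d = tempfile.mkdtemp(prefix="stomp_demo_")
    paths = {}
    for name in ("normal.txt", "future.txt", "past.txt"):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write("constructed sample content\n")
        paths[name] = p
    stomp(paths["future.txt"], 2_524_608_000)  # 2050-01-01 00:00:00 UTC
    stomp(paths["past.txt"], 978_307_200)      # 2001-01-01 00:00:00 UTC
    return scan(d), paths


if __name__ == "__main__":
    findings, _ = demo()
    for path, flags in sorted(findings.items()):
        print(f"{path}: {', '.join(flags)}")
```

The "stomped back to 2001" file is the interesting one: it trips neither the future check nor the mtime/ctime ordering check, and is only caught by the zero sub-second heuristic. That is why a back-dating tool that also randomises the nanosecond field, as the "Tools" thread imagines, would defeat this scanner, and why the ctime the kernel wrote during the stomp remains the durable artefact on Unix, exactly as the NTFS $FILE_NAME stamps are on Windows.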

Willunwhen the file istobe created... (2, Funny)

flyingfsck (986395) | more than 7 years ago | (#19347423)

the modification date was'ntobe set the last time it shallhasbeen accessed...

Uhh - got to work on my future imperfect past continuous tense.

Dictionary definition of forensics (1)

nbauman (624611) | more than 7 years ago | (#19347551)

May 31, 2007 -- CSO -- Forensic investigations start at the end. Think of it: You wouldn't start using science and technology to establish facts (that's the dictionary definition of forensics) unless you had some reason to establish facts in the first place.
Actually the dictionary definition of forensics is, "of, characteristic of, or suitable for a law court, public debate, or formal argumentation." (Collins New World Dictionary, 2nd ed.)

One word (1)

GrEp (89884) | more than 7 years ago | (#19347579)

RAMdisk

Two words (0)

Anonymous Coward | more than 7 years ago | (#19347747)

Volatile RAM.
