
Forensic Computer Targets Digital Crime

kdawson posted more than 6 years ago | from the taking-a-byte-out-of-it dept.

Security 212

coondoggie writes "A European consortium has come up with a high-speed digital forensic computer dedicated to the task of quickly offloading and analyzing computer records. The TreCorder is a rugged forensic PC able to copy or clone up to three hard disks simultaneously, at a speed of up to 2 Gb/min., far faster than alternative equipment. The PC not only provides a complete mirror image of the hard disk and system memory — including deleted and reformatted data — but also eliminates any possibility of falsification in the process, meaning that the evidence it collects will stand up in court."


212 comments

how good is it? (2, Interesting)

thatskinnyguy (1129515) | more than 6 years ago | (#20525847)

I have to wonder, after how many overwrites can this system detect data? The last I checked, the FBI can see data that has been overwritten 12 times.

Re:how good is it? (1)

omeomi (675045) | more than 6 years ago | (#20525865)

the FBI can see data that has been overwritten 12 times.

The FBI publishes this information?

Re:how good is it? (1, Insightful)

Harmonious Botch (921977) | more than 6 years ago | (#20525899)

One of their experts has probably testified to it under oath.

Re:how good is it? (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#20525927)

m0d p4r3nt up!!1!!one!oneeleventy!!1

Re:how good is it? (2, Informative)

thatskinnyguy (1129515) | more than 6 years ago | (#20526035)

An electron microscope can pick up even the faintest of magnetic fields. The weaker the field, the more times it's been overwritten.

Re:how good is it? (4, Funny)

compro01 (777531) | more than 6 years ago | (#20526685)

well, as someone said in a previous discussion:

The only way to truly protect your data is to grind up your hard drive into powder, magnetize it all, then heat it into a liquid. Cool and grind it up again, scatter it into the wind, and just HOPE entropy does the rest.

Re:how good is it? (3, Insightful)

dclocke (929925) | more than 6 years ago | (#20525935)

I wouldn't mind seeing a source on that statistic. Because I'd be pretty comfortable betting my life savings that it's not true.

Re:how good is it? (2, Informative)

deftcoder (1090261) | more than 6 years ago | (#20525989)

Agreed, considering the NSA standard for data wipes is 7 random passes...

I'm more comfortable using this though: http://en.wikipedia.org/wiki/Gutmann_method [wikipedia.org]

Re:how good is it? (3, Informative)

Jah-Wren Ryel (80510) | more than 6 years ago | (#20526075)

Agreed, considering the NSA standard for data wipes is 7 random passes...
The NSA has no such standard.
Really, try to find an official source, you won't.

Re:how good is it? (1)

jimmydevice (699057) | more than 6 years ago | (#20526153)

NSA Standard? The NSA didn't exist publicly until sometime in the 60's. Whatever "standards" they have are red herrings, back doors or secret.

Re:how good is it? (1)

duck0 (1073338) | more than 6 years ago | (#20526551)

...which states in several places that for any remotely modern drive, a few random passes is just as good. duh?

Re:how good is it? (1)

Nullav (1053766) | more than 6 years ago | (#20526605)

I'm more comfortable just hitting the thing with something heavy or melting it all together with thermite. If you're serious about wiping the thing so absolutely no one can read it, you should either write complete nonsense on the disk 30-40 times (maybe something innocuous on the last few passes) or physically destroy it and swap it out.

Re:how good is it? (1, Insightful)

Remik (412425) | more than 6 years ago | (#20525979)

It doesn't matter how many times, it only matters which methods are used. If you're just using a Windows format (or worse, quick format), you can run it 100 times and the data will still be accessible.

That said, the DoD standard for "wiping" a drive is also excessive in what it requires to declare the media clean. (All 0s, then all 1s, then 010101..., then all 0s again...blah blah blah)

My somewhat expert opinion is that a program that writes the drive to all 0s or all 1s is all you need.

-R

Re:how good is it? (1)

thatskinnyguy (1129515) | more than 6 years ago | (#20526027)

Actually, DoD and NSA spec is 7 times. Google it.

Re:how good is it? (0)

Anonymous Coward | more than 6 years ago | (#20526139)

For classified data, they shred the drives.

Moral of the story? If it's really important to keep the data secret, buy a new drive and run the old one through a grinder.

Re:how good is it? (0)

Anonymous Coward | more than 6 years ago | (#20526995)

"For classified data, they shred the drives."

They likely only do so because even if the software method for wiping works, human incompetence is probably less for just throwing the drive in a shredder in comparison to having someone run software programs over it without power outages, forgetting etc.

Re:how good is it? (1)

dclocke (929925) | more than 6 years ago | (#20526071)

It does matter how many times. It also matters what methods are used. There is a big difference between formatting and wiping.

Re:how good is it? (1)

Remik (412425) | more than 6 years ago | (#20526133)

What matters how many times? As you say, there's a big difference between formatting and wiping.

I don't believe there's any conclusive evidence that data can be recovered from a drive that has been written entirely to 0s or 1s once. In other words, the DoD/NSA standard is over-kill.

I'm less (but still pretty) certain that repeated Windows formats will not make data any less accessible. The only way to make sure data can't be recovered from unallocated space or carved out of file slack is to overwrite those sectors, which a Windows format does not do.

-R

Re:how good is it? (3, Insightful)

jimmydevice (699057) | more than 6 years ago | (#20526563)

It appears possible to recover previously erased data on old drives, but haven't the drive mfrs used exactly the same technology that the forensic disk morticians used in past years to get at erased crud (if ever)? It seems with vertical recording and super mag heads, the slop, leftover sideband noise and measurable blips of 90's tech now store data. I'm not trying to be facetious, drive builders are pushing a lot of boundaries and I doubt they would back off ( unlike the MPAA and DRM ) reducing capacity to retain info for the man. I am drunk.

Re:how good is it? (1, Insightful)

Anonymous Coward | more than 6 years ago | (#20525987)

From the description, it doesn't sound to me like it is recovering data sectors that have been overwritten on the disk, but is only recovering the raw data sectors as read by the disk interface. So it can recover data that has been deleted, but not data that has been wiped (written over with something else). Of course if you really want to prevent someone from reading data off your disk the best option is a hardware solution. A ten pound sledge hammer usually does a good job.

Re:how good is it? (1)

imemyself (757318) | more than 6 years ago | (#20526097)

Would the sledge-hammer actually destroy the platters themselves though? Obviously the drive as a whole would not work, but even if the platters were physically broken into a few pieces, I assume that a lot of the data itself would be intact on the disk. I doubt that there's any off-the-shelf tech that local law enforcement has that would be able to do it, but it wouldn't entirely surprise me if FBI/CIA/NSA/etc. have some sort of capability. Does anyone know any more about this sort of thing, out of curiosity?

Re:how good is it? (1)

JanneM (7445) | more than 6 years ago | (#20526163)

The platters are often glass nowadays. We opened a failed drive a year ago (slow day at work), and the platters themselves, when they break they tend to shatter into multiple small sharp shards. I would hazard that if you can beat the drive well enough that the platters break, you can do a really good job with just three or four whacks.

Reformat != Overwrite (2, Insightful)

Nymz (905908) | more than 6 years ago | (#20526017)

I have to wonder, after how many overwrites can this system detect data?

I'm thinking zero overwrites. From the article it appears that the system is a portable solution that only plugs into hard drives, and not a reader of the platters themselves. Software alone can analyze deleted files and a reformatted file table, but it cannot use the original drive to read information that was overwritten.

Last you checked you were wrong (3, Informative)

Sycraft-fu (314770) | more than 6 years ago | (#20526053)

You cannot read data overwritten even once unless you disassemble the hard drive. If you use a disk copy utility, any of them, you get nothing more than the current layer of data. That is simply all a hard drive reads. As such if you wished to get any overwritten data you'd have to take the platters out and put them under some other kind of analysis equipment.

As for the feasibility of that, well, there isn't. Sorry. Even if you have a setup to do that, the chances of getting anything useful are extremely low. What you are talking about doing is reading off the data in an analogue format. The theory is that the whole reason we use digital equipment is because of imprecision in storage. So rather than try to detect subtle changes, we simply say "Anything over magnetic level X is a 1, anything under is a 0." Thus the drive head just messes with the state to change it, not caring about the precise state it is in. Well, the theory is also then that there will be a residual of the last data written. If I have a 1 and make it a 0 it will be slightly higher than a 0 that was again made a 0. By analysing the analogue waveform, you are able to guess at what the previous data was.

Ok but there's two major problems with this, especially as applied to law enforcement:

1) You are, in fact, guessing. You are looking at imprecise data and trying to figure out what was there. Any competent defense attorney would tear such a thing apart. Just because the technician assumes a string of bits corresponds to a given waveform, doesn't mean they are right.

2) The amount of data on a modern hard drive is staggering, and the encoding extremely complicated. To try and do something like this, even for one level, could take months if not more, and that's assuming you had a streamlined process down. This isn't simple like "Just read the data." As I said it is "Look at the actual waveform and try to decode older pieces from small fluctuations below the normal 1/0 threshold."

Well, this is the kind of stuff intelligence agencies likely dabble in, as they've got the resources and there's no standard of proof. They might well be willing to pore over a drive for years if it gets them information. Even if there are assumptions on the part of the analysts, that's ok. After all that's how code breaking was largely done back in the day: You made assumptions based on the language and known plain texts and such and started guessing at the rest.

However that isn't the kind of shit that flies in court, and not the kind of thing that they've got time for. You'll notice how they talk about copying the data and the importance of maintaining the evidentiary chain. You don't get that when it's some guy with an oscilloscope making guesses.

It may make for good movies and TV, but once something has been overwritten it's done, basically. If you have evidence to the contrary, I'd love to see it, but "I heard," or "Some guy who worked for the FBI said," isn't it. Show the product/method that is used. If it is something that is used in court, it has to be known.

Re:Last you checked you were wrong (0)

thatskinnyguy (1129515) | more than 6 years ago | (#20526079)

Re:Last you checked you were wrong (0)

Anonymous Coward | more than 6 years ago | (#20526267)

Reread the parent - you obviously missed something.

Re:Last you checked you were wrong (2)

ColdWetDog (752185) | more than 6 years ago | (#20526423)

Not sure what your point is. Sure, a scanning tunneling EM might be able to read the sides of sectors and get an idea of the charge state of the material, but you have to do it bit by bit. The STEMs don't have very large sample chambers so you'd have to chop the drive up into wee little pieces, keeping track of everything all of the time. Sounds wonderfully tedious.

As the OP pointed out, some intelligence agency might do it to find Osama bin Laden, but I really doubt the FBI is going to try this on some dimwitted pedophile.

Re:Last you checked you were wrong (1)

garompeta (1068578) | more than 6 years ago | (#20526199)

And you forgot to mention that they must have a slight idea of what they are looking for to know the pattern or the format to find or rebuild.

If they don't know what they are looking for, it is almost impossible to discern among all the junk in the hard drive, and this if it is not wiped. If it is overwritten, forget it.

Re:Last you checked you were wrong (0)

timmarhy (659436) | more than 6 years ago | (#20526273)

Should have done a basic google before going off on a big rant, it would have stopped you looking so stupid. There's lots of software out there to recover data from formatted disks.

I've personally used one to recover data from an ext2 partition after I reformatted it as ntfs.

Lastly, you have NO CLUE if you think a few months or even years of work is any barrier to law enforcement. What, you think they will say to themselves "oh that kiddie porn ring overwrote their drive, it's going to take 6 months to dissect the information, guess we better let them off the hook!"

Re:Last you checked you were wrong (0)

Anonymous Coward | more than 6 years ago | (#20526323)

Not talking about formatting the drive.

Re:Last you checked you were wrong (1)

ORBAT (1050226) | more than 6 years ago | (#20526367)

Oh the irony.

Reformat != overwrite. It's trivial to recover a reformatted drive since most data is, in fact, not overwritten.

How on earth you got modded up to 2 is completely beyond me.
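The "reformat != overwrite" point made by Remik, Nymz and ORBAT above, and Remik's remark about file slack, can be shown on a toy disk. The following is an added example written for this thread, not code from the article or any commenter: a byte array stands in for the platter, a dictionary stands in for the file table, and a naive carver scans the raw bytes the way a recovery tool does. The class, function and file names are all constructed for the illustration.

```python
import os

SECTOR = 512  # bytes per sector on the toy disk


class ToyDisk:
    """A tiny block device with a separate file table, to show what a delete,
    a quick format and an overwrite each do to the bytes on the platter."""

    def __init__(self, sectors=8):
        self.raw = bytearray(SECTOR * sectors)
        self.table = {}       # name -> (first_sector, byte_length)
        self.next_free = 1    # sector 0 stands in for the file table itself

    def write_file(self, name, data):
        start = self.next_free
        self.raw[start * SECTOR:start * SECTOR + len(data)] = data
        self.table[name] = (start, len(data))
        self.next_free += -(-len(data) // SECTOR)   # ceiling division

    def quick_format(self):
        # A quick format rewrites the file table only; sector contents are untouched.
        self.table.clear()
        self.next_free = 1

    def allocated_sectors(self):
        used = set()
        for start, length in self.table.values():
            used.update(range(start, start + -(-length // SECTOR)))
        return used

    def overwrite_unallocated(self, random_pass=False):
        # What a "wipe free space" tool does: overwrite every sector no live file owns.
        used = self.allocated_sectors()
        for s in range(1, len(self.raw) // SECTOR):
            if s not in used:
                fill = os.urandom(SECTOR) if random_pass else bytes(SECTOR)
                self.raw[s * SECTOR:(s + 1) * SECTOR] = fill

    def overwrite_slack(self):
        # Overwrite the unused tail of each live file's last sector (the file slack).
        for start, length in self.table.values():
            end = start * SECTOR + length
            last_sector_end = (start + -(-length // SECTOR)) * SECTOR
            self.raw[end:last_sector_end] = bytes(last_sector_end - end)


def carve_text(raw, needle):
    """Naive carver: scan the raw bytes, ignoring the file table, for a marker string."""
    return needle in bytes(raw)


def demo():
    # Constructed sample data: 728 bytes, so it spans two sectors.
    secret = b"CONFIDENTIAL payroll record " * 26
    marker = b"CONFIDENTIAL payroll"
    disk = ToyDisk()
    stages = {}

    disk.write_file("payroll.txt", secret)
    disk.quick_format()
    stages["after_quick_format"] = carve_text(disk.raw, marker)     # still there

    disk.write_file("notes.txt", b"harmless shopping list")           # 22 bytes into sector 1
    stages["after_new_file"] = carve_text(disk.raw, marker)         # sector 2 and slack intact

    disk.overwrite_unallocated(random_pass=True)
    stages["after_free_space_wipe"] = carve_text(disk.raw, marker)  # survives in sector 1 slack

    disk.overwrite_slack()
    stages["after_slack_wipe"] = carve_text(disk.raw, marker)       # gone
    return stages


if __name__ == "__main__":
    for stage, found in demo().items():
        print(f"{stage}: marker {'recoverable' if found else 'not recoverable'}")
```

The run shows the three cases the thread argues about: a quick format leaves everything carvable, a free-space wipe removes the unallocated sectors but not the slack at the end of the new file, and only overwriting the slack too removes the last trace. A single pass of zeros or random bytes is enough for the toy, which is also the position Remik takes for real drives.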

Re:Last you checked you were wrong (0)

Anonymous Coward | more than 6 years ago | (#20526679)

It seems you are the one looking so stupid.

Re:Last you checked you were wrong (1)

AmiMoJo (196126) | more than 6 years ago | (#20526487)

Furthermore, the idea that it can copy what is in the computer's memory is rubbish too.

Aside from anything, Windows and Linux both have memory protection which prevents programs reading any memory except their own, which is cleared before it is given to them. Sure, on Windows if they happened to catch the PC booted up and logged in as an administrator they could install a driver to copy the contents of the PC's RAM, but then they would have tampered with the evidence and it would be worthless anyway.

I wonder how they can prove that the images of the HDD are genuine and have not been altered? Checksums? SHA-1 is breakable. Sadly that sort of thing tends not to matter. Take the case of , a man convicted of murder based on a single speck of gunpowder found on his clothes which the police admitted was stored in an environment containing firearms residue.
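The question of how an acquired image is shown to be unaltered is usually answered by hashing the image at acquisition time and re-hashing it before it is examined. The following is an added example, not code from the article or the commenter: it streams an image through SHA-256 (a collision-resistant hash, in place of the SHA-1 the comment mentions), records the digest in a small manifest, and verifies a copy against it. The image bytes, function names and manifest format are constructed for the illustration.

```python
import hashlib
import hmac
import io

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-gigabyte image need not fit in RAM


def hash_image(fileobj, algorithm="sha256"):
    """Stream a disk image through a collision-resistant hash and return the hex digest."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: fileobj.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def hash_bytes(data, algorithm="sha256"):
    """Convenience wrapper for in-memory data."""
    return hash_image(io.BytesIO(data), algorithm)


def make_manifest(fileobj, algorithm="sha256"):
    """What an acquisition step would record alongside the image."""
    fileobj.seek(0)
    return {"algorithm": algorithm, "digest": hash_image(fileobj, algorithm)}


def verify_image(fileobj, manifest):
    """Re-hash the image and compare to the manifest with a constant-time comparison."""
    fileobj.seek(0)
    actual = hash_image(fileobj, manifest["algorithm"])
    return hmac.compare_digest(actual, manifest["digest"])


def demo():
    # Constructed stand-in for a raw image: 3 MiB of a repeating pattern.
    image = bytearray(b"\x55\xaa" * (3 * CHUNK // 2))
    manifest = make_manifest(io.BytesIO(image))
    untouched_ok = verify_image(io.BytesIO(image), manifest)

    # Flip a single bit in the middle of a copy; the digest no longer matches.
    tampered = bytearray(image)
    tampered[len(tampered) // 2] ^= 0x01
    tampered_ok = verify_image(io.BytesIO(tampered), manifest)
    return untouched_ok, tampered_ok


if __name__ == "__main__":
    print("untouched verifies: %s, tampered verifies: %s" % demo())
```

The digest only proves that the copy examined later is the copy that was hashed; it says nothing about whether the acquisition itself was clean, which is why the manifest is normally recorded (with the time and operator) at the moment the image is taken and kept separately from the image.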

Re:how good is it? (2, Interesting)

Jah-Wren Ryel (80510) | more than 6 years ago | (#20526061)

I have to wonder, after how many overwrites can this system detect data? The last I checked, the FBI can see data that has been overwritten 12 times.
Possible, but highly unlikely and certainly expensive if they were able to pull it off.

Read this, including the epilogue:
Secure Deletion of Data from Magnetic and Solid-State Memory [auckland.ac.nz]

Re:how good is it? (1)

thatskinnyguy (1129515) | more than 6 years ago | (#20526101)

Mod parent up! I said STM in a previous reply to someone else. And as for the expense part, you think the Federal Government cares about expense? Now that would be a first!

Re:how good is it? (2, Insightful)

Jah-Wren Ryel (80510) | more than 6 years ago | (#20526135)

Expensive in time too. If it takes 3 years to extract the information, it isn't going to be useful at trial (which is presumably why they are doing forensic analysis in the first place).

Re:how good is it? (1)

Beryllium Sphere(tm) (193358) | more than 6 years ago | (#20526117)

If it doesn't involve cracking the disk's case open in a cleanroom (and this is just a hot PC with write blockers), then it's at the mercy of the drive's read head and every bit it gets will be what the drive natively believes is a bit.

Recovering overwritten information isn't the big deal in forensics, anyway. Organizing, managing and documenting the mountain of evidence is. If you're dealing with well written malware, worry that it's not on the disk at all and is strictly RAM-resident.

Re:how good is it? (0)

Anonymous Coward | more than 6 years ago | (#20526173)

So you are saying that we should:
1) alias rm to 'shred -uz' (shred's default setting is 25 rewrites)
2) alias RIAA to 'sudo find -L / -type f -exec shred -uz {} \;'
3) ???
4) Profit!

Drive density (3, Interesting)

Beryllium Sphere(tm) (193358) | more than 6 years ago | (#20526181)

I'd enjoy seeing (recent!) references on this, since hard drive technology has moved quite a bit since the Gutmann paper (the epilogue to which says "with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques").

The two best arguments I've seen among the speculation are

AGAINST: if it were possible to read under 12 layers of overwriting, wouldn't the drive manufacturers boost density by writing the same spot 12 times?
FOR: a read head in a lab doesn't have to be light, may not need to be fast, and definitely doesn't have to cost less than a good dinner. In other words, it's not subject to the limitations of the drive's read head.

Re:Drive density (2, Insightful)

timmarhy (659436) | more than 6 years ago | (#20526285)

"if it were possible to read under 12 layers of overwriting, wouldn't the drive manufacturers boost density by writing the same spot 12 times?"

what makes you think they would want to do that? it'd be dog slow, and it'd also be error prone. none of which helps to sell drives.

Re:how good is it? (5, Interesting)

SamP2 (1097897) | more than 6 years ago | (#20526187)

I keep seeing over and over posts that say that a "hardware" method would be the one that is totally secure, and the best example being a hammer.

You'd be surprised, however, how resistant drives can be to physical damage.

For those who know anything about hard drives (referring to regular platter drives, not solid state), you'd know that inside the rectangular case (made out of crappy soft aluminum) lie several plates connected to each other through a spinner in the middle, and they are made out of pretty strong steel.

When I took my data security course, we practiced destroying data physically. So I opened the hard drive, removed the platters and disconnected them. Then came the fun part, trying to destroy them.

First I tried several grades of sandpaper. All the lighter ones didn't leave a JACK SQUAT mark, no matter how hard I tried. The most heavy ones left _very_ small marks which were only visible in the direction of the strongest applied force. Sanding a whole drive this way would take days, and I wasn't sure it was strong enough to actually fully remove the magnetic cover. If anything, I damaged the sandpaper more than the drive.

Then I tried a metal file. The results were considerably better, with deep strong marks, but again, they only covered the path of the sharpest edge of the file, not the whole contact surface area. I filed away for 5 minutes straight, and I only managed to produce about 30% area of a single side of a single platter which I could say was destroyed with high probability of not being recoverable.

Finally, I tried a heavy hammer on another platter, having locked the platter in a vise. I wasn't impressed. The hammer, at best, produced bends across the drive. After another 5 minutes of hammering away, the drive was certainly not round anymore, but the total surface area actually destroyed by these bends was fairly minimal. Sure, it may prevent an easy automatic way of recovering data using regular means (spinning it against a magnetic reader the same way drives usually work), but I'd say at least 80% of that platter still had data on it. The manual work required to read the data piece by piece may indeed take weeks, but it would probably be possible, and having the mentality of "it'll take them too much work to read it" is akin to having the mentality of "nobody will hack me because I'm not a target of interest and they won't bother". From the point of view of a security specialist, it's wrong in principle.

The moral of the story is that hard drives are a pretty tough nut and not as easily physically destroyed as you may think. To all those rambling away about how unreliable hard drives are and how easy they break down, I'd say that in the vast, vast majority of cases what breaks down is the engine, the magnetic mechanism, or something else that would prevent the drive from being readable by tools built in the drive box, but not the platters with the data itself.

Another common myth is that you can easily and securely permanently wipe the data with a magnet. The forces required to near-instantly and irrecoverably overwrite the magnetic stripe of the disk are ENORMOUS. During regular usage, a relatively weak magnet is used to read and write on the disk, but it only operates on a minuscule area of the disk (trivially, by writing a bit on a 4 (double sided)-platter 500GB drive, the magnetic edge only operates on 1/500,000,000,000th area of the platter). Now use the denominator to figure out the magnetic intensity required to fully overwrite the whole disk at once. It ain't pretty. Industrial-grade degaussers may do the trick, but not your average home magnet (which, of course, doesn't mean the magnet is not good enough to randomly corrupt a small part of the data which will screw your partition table and make your OS refuse to read the drive anyways). But I somehow doubt the folks in the NSA use Windows XP Home Edition to investigate hard drives.

The "true" way to destroy hard drives is to completely melt them in an incinerator, and that's what is used by the military/intelligence when you absolutely, unconditionally, no-shit-I-wasn't-kidding-when-I-said-so, must destroy data on a hard drive which will never be recovered again. As for the commonly suggested "solution" of frantically hammering several times on top of a hard drive's aluminum case cover when you see the FBI at your door going after all your pirated MP3s, I'd just say don't bet on it to work.

Re:how good is it? (2, Interesting)

Hex4def6 (538820) | more than 6 years ago | (#20526241)

Why not just dip the platters in some corrosive? I'm sure even something like Drano might do the trick.

Or perhaps how about holding the platters up to a propane torch? You wouldn't need to melt them, just get them hot enough that they lose their magnetic field.

Modern magnetic media is tough (2, Informative)

Mathinker (909784) | more than 6 years ago | (#20526787)

The Curie point of modern magnetic media is higher than the melting point of aluminum.

Re:how good is it? (2, Informative)

TooMuchToDo (882796) | more than 6 years ago | (#20526325)

I always thought the best poor man's magnetic eraser would be an old MRI machine. Keep your storage array near the center suspended by a strong, non-metallic material. Someone busts in the door? Just push the breaker on for that MRI machine.

That, my friend, should be enough electromagnetic energy to wipe the entire drive at once.

Re:how good is it? (2, Interesting)

DMUTPeregrine (612791) | more than 6 years ago | (#20526573)

Pulsed power. Coin shrinkers [delete.org] are an easy solution. Just use the coil around the HDD instead of a coin. I generally just use a grinding wheel. It's hard to read platters once they are dust.

Re:how good is it? (1)

ophix (680455) | more than 6 years ago | (#20526347)

I use an arc welder. Probably one of the most enjoyable ways of destroying old hard drives that guarantees a lack of data recovery.

Old backup tapes get torched .... literally. My employer lets me use an acetylene torch to burn them.

Hammers are overrated ;}

Arc welders and acetylene torches are where it's at

True and permanent data destruction (1)

DrkShadow (72055) | more than 6 years ago | (#20526521)

Use an IBM Deskstar hard drive:

http://www.astro.ufl.edu/~ken/crash/index.html [ufl.edu]

Seriously, though, if you use a _power_ sander to sand a platter, it will die. Just like wood, just like metal. Once you get rid of the shine, nothing will be recovered -- assuming you got rid of it mechanically/chemically and not just by covering it.

-DrkShadow

Re:how good is it? (1)

zakezuke (229119) | more than 6 years ago | (#20526547)

The moral of the story is that hard drives are a pretty tough nut and not as easily physically destroyed as you may think. To all those rambling away about how unreliable hard drives are and how easy they break down, I'd say that in the vast, vast majority of cases what breaks down is the engine, the magnetic mechanism, or something else that would prevent the drive from being readable by tools built in the drive box, but not the platters with the data itself.
What's funny is older drives which have had some bad sectors on them; I opened them up and discovered pitting. Whatever managed to get in the drive managed to eat away at a few small holes.

Anyhow, rather than using brute force to destroy platters, or heat, why not try electrolysis? Sodium carbonate solution, attach to a strong 12V supply, + to platter, - to an electrode, and the ferrite layer erodes.

Re:how good is it? (0)

Anonymous Coward | more than 6 years ago | (#20526581)

I destroyed several hard drives. A sledge hammer to get the platters out (1 whack) and a propane flame (plumbing supply or home depot $10 for small propane tank and twist on control knob) do the trick. Years back, the platters melted readily, indicating a pot metal construction. Recently, they were tougher, I had to use a special jeweler's ceramic dish to deflect heat back at the drive - perhaps adding an oxygen tank and/or using a hotter burning gas may be the order of the day now.

I'm pretty sure if someone were to want a quick way to destroy data (in case big brother comes), they would look up "thermite" on youtube, and perhaps put a small packet of it on top of their drives in case with a detonator triggered by a wireless call and code:)

Re:how good is it? (1)

cjanota (936004) | more than 6 years ago | (#20526585)

When I was destroying drives for my company, the platters were made differently depending on model. Some would bend tip-to-tip without breaking and others would shatter with a single blow.

Re:how good is it? (1)

The Lone Badger (626938) | more than 6 years ago | (#20526635)

How about using an oxy-torch to heat the surface of the platter to a nice cherry-red? From what I know of magnetism that should scramble it pretty thoroughly.

Re:how good is it? (1)

Omnedon (701049) | more than 6 years ago | (#20526653)

On a chat board someone posted pictures of a few hard drives that had "encountered" a couple of large caliber rifles. They had holes clean through the drives. I think it was a case of the hard drives being dead and the fun of playing with large caliber rifles more than a desire to "secure erase" data, but someone else commented "ain't no data coming off them drives".

I made a comment, while not as eloquent as the parent above, that a surprising amount of data would still be recoverable. This was greeted by various iterations of "ain't no data...", etc.

A couple of days later I got a message from the original poster. Apparently he had emailed the pictures to his son who was (vaguely) in "law enforcement data recovery" and his son had told him that I was right.

Now what lengths "they" would go to depends on what they thought was on there. Your pirated mp3 collection might be safe. If they were convinced that those drives had been used by Osama bin Laden you can bet that every bit that could be recovered, would be.

Regarding the "old MRI" machine suggested a few posts down... I seem to recall reading (not that my memory is all that great) that MRI machines are kept on a 'warm' standby. To completely power down or power up is not an instantaneous operation. They also weigh several tons and consume an enormous amount of power. It probably wouldn't work, certainly would not be "cost effective" to erase your mp3 collection, and the very fact that you went to such lengths to attempt to erase data would be enough to convince them that you had something far more "valuable" to erase than mp3s.

And data can be recovered after fires if someone wants it bad enough. "Incinerate" probably equates to something along the lines of a smelting furnace or thermite.

Re:how good is it? (1)

garompeta (1068578) | more than 6 years ago | (#20526691)

What about Thermite? Cheap, easy and fast.
If I were a serious paranoid, I would:
1) Use Whole Hard Drive Encryption. Even in the case that the hard drive is not destroyed, once I turn the computer off the data is not accessible for anybody.
2) If the police bust in, ignite the Thermite, and forget about it. The proper volume of iron oxide will melt down the whole hard drive or at least fusion it in a unique chunk of metal. Try to recover that.
3) If I am worried that the police may come in when I am absent, then rewire the home alarm system to the thermite fuse. Nothing really hard. If someone gets to the room the alarm goes off, and instead of the siren going off, it ignites the fuse initiating the thermite reaction... melting it down, while the feds are still searching the house for people and the computer.

4) If I were an über-paranoid, then I would build a faraday cage in my room and all of the above.

Re:how good is it? (1)

hcmtnbiker (925661) | more than 6 years ago | (#20526213)

Last I checked, they really don't check past 1 overwrite unless it's a matter of national security. Anything beyond 1 overwrite takes special equipment to read, and even then there's an accuracy issue. Also, the DoD uses a 7 pass for most classified data, so I would be surprised if you could read 12 overwrites in any reasonable amount of time.

Note to self: (0)

Anonymous Coward | more than 6 years ago | (#20525857)

Don't buy a computer with a Firewire port

Re:Note to self: (1)

Tuoqui (1091447) | more than 6 years ago | (#20526179)

It uses the FireWire high-speed serial bus to connect the host computer and provides support for IDE, SATA and SCSI hard disks, Hermann said in a statement. Ultimately the goal of the TreCorder and forensics products similar to it is to provide companies and law-enforcement agencies digital forensic tools that can gather evidence to trap the criminals that will stand up in court.

Of course they are assuming the data coming out of the firewire port can be trusted... If a machine was already compromised it is likely to send junk data to these ports to help conceal itself.

Re:Note to self: (1)

Technician (215283) | more than 6 years ago | (#20526203)

Don't buy a computer with a Firewire port

I prefer encrypted external storage which uses a non-standard filesystem.

My NAS uses an encrypted reiser FS. The filesystem is non-standard. Users have removed the internal HD and attempted to mount it in a Linux PC, but the PC could not find the partition table.

Even if they can mount the drive, without the encryption key, it will take them quite a while to crack the key to the encrypted volume. This is not a connect and copy drive.

It does not matter! (1)

Burz (138833) | more than 6 years ago | (#20526915)

Firewire ports are hot-pluggable DMA with bus mastering. With the right program, any FW device plugged into your system can suck out the plaintext RAM contents (including your keys), install and run rootkits without even touching the disk, etc.

Discovery of the FW exploit [23.nu] from several years ago.

Recent commentary: [matasano.com]

Physical memory acquisition over Firewire is a trendy tactic for snapshotting suspect systems without the interference of malware. Recall that Firewire, which is basically a glorified DMA controller with a funky cable coming out of it, has presumptively unmediated access to physical memory; your CPU may initialize the Firewire peripheral, but it doesn't get between the peripheral and the memory controller.

I am seeing mention around the web that this kind of access can be done with a PCI card (plugging it into a live system??).

System memory? Torrentspy could use one (1)

mysteryvortex (854738) | more than 6 years ago | (#20525887)

System memory too? Sounds like Torrentspy could use one of these. [slashdot.org]

Re:System memory? Torrentspy could use one (1)

tomhudson (43916) | more than 6 years ago | (#20526047)

I read the article, and it sounds like it's "marketing" - we all know that system memory can't be read the way they claim - by plugging into the hard drives. Sure, you'll pick up what was in swap, but if a person is smart and worried about security, they don't have swap - turn it off, and all memory goes bye-bye.

Re:System memory? Torrentspy could use one (4, Interesting)

Jah-Wren Ryel (80510) | more than 6 years ago | (#20526119)

I read the article, and it sounds like it's "marketing" - we all know that system memory can't be read the way they claim - by plugging into the hard drives. Sure, you'll pick up what was in swap, but if a person is smart and worried about security, they don't have swap - turn it off, and all memory goes bye-bye.
They plug into the firewire port and use the PC's own firewire controller to DMA from host memory out across the firewire bus.
That is a standard forensic operation nowadays.

However, some people have already postulated, if not actually implemented, protections against that sort of attack. The idea is that the host can reprogram the PCI bus controller to route all DMA requests from the firewire controller off into some user-specified range of memory. In theory the forensic tool could detect that the PCI controller has been programmed to do that, but it could not do anything about it.

Re:System memory? Torrentspy could use one (1)

Beryllium Sphere(tm) (193358) | more than 6 years ago | (#20526151)

The actual site for the Trecorder doesn't make any claims about making a copy of RAM, that seems to have appeared in the article by spontaneous generation.

But I wonder if it would be possible over a Firewire connection, given that Firewire allows direct memory access [security-assessment.com] .

Does this mean I get to keep my PC? (1, Troll)

twitter (104583) | more than 6 years ago | (#20525957)

I doubt searches will become any less abusive because of this, but hope is eternal. Investigators are used to taking everything, right down to commercial DVDs and I don't think they are going to stop doing that. At least RIAA show trials shake down and some warrantless searches are getting shut down. In a country where trumped up evidence is good enough to justify invasions of countries, Korean war veterans end up on terrorist watch lists and airports are installing virtual strip search equipment, both privacy and justice have been sorely abused.

Not so fast... (3, Informative)

Remik (412425) | more than 6 years ago | (#20525961)

2gb/min isn't that fast.

Standalone devices like the Logicube [logicube.com] Talon copy twice as fast. They also hash the drives and store audit trails to a CF card.

I can see the potential benefit to creating 3 mirrored drives at once, but it is extremely limited.

-R

Re:Not so fast... (1)

wodon (563966) | more than 6 years ago | (#20526731)

The logicube hand held devices do show some pretty fast imaging speeds, but they do not take into account the various device manufacturers' drive controllers. In the field, often the best way to get an image is using the suspect's hardware.
These also require you to image RAID arrays as separate drives and reassemble them later.
IXImager http://www.ilook-forensics.org/iximager.html/ [ilook-forensics.org] can image internally, can image arrays whole and boots from a CD (law enforcement only though).
I have got 4 gig a minute out of it in the field.

Anyway, these boxes just look like a new model of the FREDDIE http://www.dataduplication.co.uk/details/freddie.html/ [dataduplication.co.uk]

No big news there.
For an imaging box you don't need that high spec a machine, your source disk drives are going to be the bottleneck, not RAM or processor.

I love reporters (1)

DaftShadow (548731) | more than 6 years ago | (#20526041)

"The TreCorder is a rugged forensic PC able to copy or clone up to three hard disks simultaneously, at a speed of up to 2 Gb/min. The same transfer would take 30 to 60 minutes using alternative equipment said Martin Hermann, general director of MH-services..."

And, don't forget this gem:"...eliminates any possibility of falsification in the process."

Although, I must be honest... A pre-configured dual-boot XP/Linux forensics box, 4GB RAM, 2TB internal HD, and a 3TB external backup system, seems like a fairly capable system to drop into the hands of computer forensics persons. The article mentions this being chosen over sleuthkit, which makes me wonder just how much better (if at all) the software internals are on the TreCorder.

- DaftShadow

Re:I love reporters (1)

Remik (412425) | more than 6 years ago | (#20526093)

There's some pretty good FUD coming from the developers here, as well..

They make it seem like a huge problem that EnCase isn't entirely secure against potential attacks from the target machine. Well...the only time I'd use a software acquisition method is when a hardware acquisition is strictly out of the equation (i.e. live & critical servers that cannot under any circumstances be shut down). How likely are the servers for an airline's ticketing system to be booby-trapped?

They're creating problems and foisting them on the software when the existing software is far less likely to ever be used in such situations.

-R

Re:I love reporters (1)

dgatwood (11270) | more than 6 years ago | (#20526531)

FireWire hardware can be set up to allow or disallow DMA requests depending on the device on the other end of the wire. Most OSes now only allow it if the device on the other end looks like a hard drive for security reasons. You can lock them down further if you want:

http://matt.ucc.asn.au/apple/ [ucc.asn.au]
http://rentzsch.com/macosx/securingFirewire [rentzsch.com]

Linux also has security features [linux1394.org] in recent versions of its kernel to protect against arbitrary DMA attacks. (Search for firewire-ohci.) Windows does the same thing. With the right tweaks, disabling FireWire DMA is completely within the realm of possibility if you're that paranoid.

Unfortunately, once you have FireWire DMA access, there is no way to actually fake the data in RAM, but you could theoretically require the user to take some action to enable FireWire devices, and upon detecting an unexpected DMA-capable device on the bus, use the power management hardware to power down the PHY for a few seconds, causing a bus reset and a stall for just long enough for you to page everything out to disk and replace the entire contents of RAM with naked pictures of Janet Reno [wikipedia.org] , then reenable the PHY just before you overwrite the page that the wiper code occupies. :-D

Of course, this is very nearly undeniable proof that you are guilty of something. Nobody would do anything REMOTELY that insane if they didn't have something really MAJOR to hide.
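A check for the exposure Burz and dgatwood describe above, added here as an example (it is not code from the thread, from the TreCorder, or from any kernel project). It reads the same files an admin would inspect by hand on a Linux box: a PCI device whose sysfs `class` file reads `0x0c0010` is an OHCI IEEE 1394 controller, `firewire_ohci`/`ohci1394` in `/proc/modules` means a driver is bound to it, and an empty `/sys/kernel/iommu_groups` means no IOMMU is standing between that controller and physical memory. The paths are parameters so the check can run against a constructed tree; the verdict strings and the `make_constructed_tree` helper are this example's own.

```python
"""Assess a Linux host for FireWire (IEEE 1394) DMA exposure.

Added example, not from the original thread. Inspects sysfs and /proc/modules;
paths are parameters so the logic runs against a constructed directory tree.
"""
import tempfile
from pathlib import Path

# PCI class 0x0c00 = IEEE 1394, programming interface 0x10 = OHCI (the DMA-capable host controller)
FIREWIRE_OHCI_CLASS = "0x0c0010"
# new (firewire_*) and old (ieee1394/ohci1394/raw1394) Linux 1394 stacks
FIREWIRE_MODULES = {"firewire_ohci", "firewire_core", "ohci1394", "ieee1394", "raw1394"}


def find_firewire_controllers(sysfs_root):
    """Return PCI addresses under <sysfs>/bus/pci/devices whose class file marks an OHCI-1394 controller."""
    found = []
    pci = Path(sysfs_root) / "bus" / "pci" / "devices"
    if not pci.is_dir():
        return found
    for dev in sorted(pci.iterdir()):
        try:
            if (dev / "class").read_text().strip().lower() == FIREWIRE_OHCI_CLASS:
                found.append(dev.name)
        except OSError:
            continue
    return found


def loaded_firewire_modules(proc_modules):
    """Return FireWire-related module names listed in a /proc/modules-style file (first column)."""
    try:
        lines = Path(proc_modules).read_text().splitlines()
    except OSError:
        return []
    names = [ln.split()[0] for ln in lines if ln.strip()]
    return [n for n in names if n in FIREWIRE_MODULES]


def iommu_active(sysfs_root):
    """True when the kernel has populated at least one IOMMU group under <sysfs>/kernel/iommu_groups."""
    groups = Path(sysfs_root) / "kernel" / "iommu_groups"
    return groups.is_dir() and any(groups.iterdir())


def assess(sysfs_root="/sys", proc_modules="/proc/modules"):
    """Combine the three checks into a verdict plus the evidence behind it."""
    ctrls = find_firewire_controllers(sysfs_root)
    mods = loaded_firewire_modules(proc_modules)
    iommu = iommu_active(sysfs_root)
    if not ctrls:
        verdict = "no-firewire-controller"
    elif mods and not iommu:
        verdict = "exposed"  # driver bound, nothing mediating the controller's bus-master DMA
    elif mods:
        verdict = "mitigated-by-iommu"
    else:
        verdict = "controller-present-driver-unbound"  # e.g. modules blacklisted
    return {"verdict": verdict, "controllers": ctrls, "modules": mods, "iommu": iommu}


def make_constructed_tree(controller=True, driver_loaded=True, iommu=False):
    """Build a fake /sys and /proc/modules in a temp dir (constructed data, not a real host)."""
    root = Path(tempfile.mkdtemp())
    sysfs = root / "sys"
    dev = sysfs / "bus" / "pci" / "devices" / "0000:03:00.0"
    dev.mkdir(parents=True)
    (dev / "class").write_text(("0x0c0010" if controller else "0x020000") + "\n")
    groups = sysfs / "kernel" / "iommu_groups"
    (groups / "7" if iommu else groups).mkdir(parents=True)
    modules = root / "modules"
    lines = ["e1000e 262144 0 - Live 0x0000000000000000"]
    if driver_loaded:
        lines.append("firewire_ohci 45056 0 - Live 0x0000000000000000")
        lines.append("firewire_core 69632 1 firewire_ohci, Live 0x0000000000000000")
    modules.write_text("\n".join(lines) + "\n")
    return {"sysfs": str(sysfs), "proc_modules": str(modules)}


if __name__ == "__main__":
    print(assess())  # run against the real host
```

Run it with no arguments to check the machine you are on; the "exposed" verdict is the case the thread is arguing about, and blacklisting the modules (or booting with an IOMMU) moves the verdict, which the constructed trees below make visible without touching real hardware.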

Re:I love reporters (2, Interesting)

Fourier (60719) | more than 6 years ago | (#20526473)

The article mentions this being chosen over sleuthkit, which makes me wonder just how much better (if at all) the software internals are on the TreCorder.

The key isn't so much the software as it is the hardware. The TreCorder uses hardware write blockers [tableau.com] to provide a rather strong guarantee that the original data will not be corrupted even if the OS and the acquisition software happen to be written by idiots.

Copy the World! (0)

Anonymous Coward | more than 6 years ago | (#20526105)

If only it had an ethernet port :( I could copy the internet.........infinite pr0n, yeah!

Seriously, copy 2GB within the confines of your own PC. See how long it takes. This is like saying "I can travel up to 200MPH on my own power (if I'm falling)"

doubtful (2, Insightful)

crossmr (957846) | more than 6 years ago | (#20526131)

does it create a read only image that can never be tampered with? Given the fact that anyone can do just about anything, most digital evidence always leaves me lacking.

Probably a bogus writeup abt being tamper evident (1)

Beryllium Sphere(tm) (193358) | more than 6 years ago | (#20526361)

If it's like everything else in that space it generates a secure hash of the source material as it's being acquired. Write that down and store it someplace, and you can prove later that the data haven't changed, barring a mathematical breakthrough or the most amazing coincidence in world history.
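The hash-while-acquiring step described above, as an added example that is not part of the original post and not code from the TreCorder or any forensic product. The source is opened read-only and hashed from the very bytes being copied, the finished image is hashed again independently so the audit record states what is actually on disk, and a later verification re-hashes the image against that record. SHA-256, the 4 MiB chunk size, the JSON log layout and the `demo` data are this example's own choices; the "tamper evident" guarantee it gives is exactly the one the comment states, nothing more.

```python
"""Image a source while hashing it, write an audit record, verify later.

Added example, not from the original thread. Works on any readable path
(a block device in the field; a constructed file in demo()).
"""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 4 * 1024 * 1024  # 4 MiB reads, dd-style


def _hash_file(path, algorithm):
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            h.update(buf)
    return h.hexdigest()


def acquire(source, image_path, log_path, algorithm="sha256"):
    """Copy `source` to `image_path`, hashing the bytes as they are read. Returns the audit record."""
    h_src = hashlib.new(algorithm)
    total = 0
    # O_RDONLY: a hardware write blocker is the real guarantee; never opening the
    # evidence for writing is the minimum software discipline.
    fd = os.open(source, os.O_RDONLY)
    try:
        with open(image_path, "wb") as out:
            while True:
                buf = os.read(fd, CHUNK)
                if not buf:
                    break
                h_src.update(buf)
                out.write(buf)
                total += len(buf)
    finally:
        os.close(fd)
    record = {
        "source": source,
        "image": image_path,
        "bytes": total,
        "algorithm": algorithm,
        "source_hash": h_src.hexdigest(),
        # re-read the finished image so the log records what is on disk, not what we believe we wrote
        "image_hash": _hash_file(image_path, algorithm),
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with open(log_path, "w") as log:
        json.dump(record, log, indent=2)
    return record


def verify(image_path, log_path):
    """Re-hash the image and compare with the recorded hash. Returns (ok, computed_hash)."""
    with open(log_path) as log:
        record = json.load(log)
    computed = _hash_file(image_path, record["algorithm"])
    return computed == record["image_hash"], computed


def demo():
    """Constructed run: image a fake 'drive', verify, then flip one byte of the image."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "suspect_drive.bin")
    img = os.path.join(work, "evidence.dd")
    log = os.path.join(work, "evidence.json")
    with open(src, "wb") as f:  # constructed sample data, not a real disk
        f.write(b"MBR" + b"\x00" * 509 + b"secret plans" + os.urandom(3000))
    record = acquire(src, img, log)
    ok_before, _ = verify(img, log)
    with open(img, "r+b") as f:  # simulate post-acquisition tampering
        f.seek(512)
        f.write(b"X")
    ok_after, _ = verify(img, log)
    return {
        "bytes": record["bytes"],
        "hashes_match": record["source_hash"] == record["image_hash"],
        "ok_before": ok_before,
        "ok_after": ok_after,
    }


if __name__ == "__main__":
    print(demo())
```

In the field the record (or at least the hash) is what you write down and store separately; the JSON file sitting next to the image proves nothing by itself, since whoever can alter the image can alter the log.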

Re:Probably a bogus writeup abt being tamper evide (1)

ColdWetDog (752185) | more than 6 years ago | (#20526455)

Or you could just print the data out and drive the defense lawyers insane. Nice and low tech. Not digital at all.

I'm Sure... (1)

Nom du Keyboard (633989) | more than 6 years ago | (#20526193)

I'm sure that the RIAA is in line for the first dozen.

But how can it read reformatted data? I was always of the impression that to read more than the most recent data required removing the platters and using special equipment on the naked disc surface. If the original disc heads were reading all these previous layers, they'd never be able to accurately read the current data on the hard drive.

Re:I'm Sure... (1)

Remik (412425) | more than 6 years ago | (#20526231)

Depends what you mean by "reformatted".

Usually:

Deleting only updates the FAT. The data is all still there.

Formatting only deletes the FAT. The data is all still there.

What you're referring to with "reading all the previous layers" is quasi-theoretical ways of getting at data that has been completely overwritten.

Unless your deleting/formatting process actually overwrites the data, it is all still there.

-R
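Remik's point above (and the multi-pass wiping discussed earlier in the thread) in working code, as an added example that is not part of the original posts. It builds a toy block device with a single-block directory standing in for the FAT: deleting a file only zeroes its directory entry, a quick format only zeroes the directory block, and in both cases file carving (scanning the raw image for a PNG header/IEND trailer pair, with no use of the metadata at all) still pulls the file back out. Only overwriting the blocks defeats the carver. The on-disk layout, `ToyDisk`, and the sample data are constructed for this example; the PNG signature bytes are the real ones.

```python
"""Delete vs. format vs. overwrite, seen through a file carver.

Added example, not from the original thread. ToyDisk is a constructed
filesystem: block 0 holds fixed-size directory entries, files are contiguous,
blocks are never reused so the demo is deterministic.
"""
import os
import struct

BLOCK = 512
ENTRY = struct.Struct("<8sHI")          # name (8 bytes), start block, length in bytes
PNG_HEAD = b"\x89PNG\r\n\x1a\n"          # real PNG signature
PNG_TAIL = b"IEND\xaeB`\x82"             # chunk type + CRC of the final IEND chunk


class ToyDisk:
    def __init__(self, blocks=64):
        self.raw = bytearray(BLOCK * blocks)
        self.next_free = 1               # block 0 is the directory

    def create(self, name, data):
        """Write data to fresh blocks and record it in the first free directory slot."""
        start = self.next_free
        self.raw[start * BLOCK:start * BLOCK + len(data)] = data
        self.next_free += -(-len(data) // BLOCK)
        for i in range(BLOCK // ENTRY.size):
            off = i * ENTRY.size
            if self.raw[off:off + ENTRY.size] == bytes(ENTRY.size):
                self.raw[off:off + ENTRY.size] = ENTRY.pack(name.encode(), start, len(data))
                return
        raise RuntimeError("directory full")

    def _entry(self, name):
        key = name.encode()[:8].ljust(8, b"\x00")
        for i in range(BLOCK // ENTRY.size):
            off = i * ENTRY.size
            ename, start, length = ENTRY.unpack_from(self.raw, off)
            if length and ename == key:
                return off, start, length
        raise KeyError(name)

    def list(self):
        """What the filesystem itself reports: names with a live directory entry."""
        names = []
        for i in range(BLOCK // ENTRY.size):
            ename, _, length = ENTRY.unpack_from(self.raw, i * ENTRY.size)
            if length:
                names.append(ename.rstrip(b"\x00").decode())
        return names

    def delete(self, name):
        """'Deleting only updates the FAT': zero the entry, leave the data blocks alone."""
        off, _, _ = self._entry(name)
        self.raw[off:off + ENTRY.size] = bytes(ENTRY.size)

    def quick_format(self):
        """'Formatting only deletes the FAT': zero the directory block, leave everything else."""
        self.raw[0:BLOCK] = bytes(BLOCK)

    def wipe(self, name, passes=3):
        """Overwrite the file's blocks (zeros, ones, random, repeating) before deleting it."""
        _, start, length = self._entry(name)
        lo, hi = start * BLOCK, (start + -(-length // BLOCK)) * BLOCK
        for p in range(passes):
            fill = (b"\x00", b"\xff", None)[p % 3]
            self.raw[lo:hi] = fill * (hi - lo) if fill else os.urandom(hi - lo)


def carve(raw):
    """File-carve PNG-like blobs from a raw image, ignoring filesystem metadata entirely."""
    found, pos = [], 0
    while True:
        start = raw.find(PNG_HEAD, pos)
        if start < 0:
            break
        end = raw.find(PNG_TAIL, start)
        if end < 0:
            break
        found.append(bytes(raw[start:end + len(PNG_TAIL)]))
        pos = end + len(PNG_TAIL)
    return found


def demo():
    photo = PNG_HEAD + b"constructed image payload " * 40 + PNG_TAIL   # constructed, not a real PNG
    d = ToyDisk()
    d.create("photo", photo)
    d.create("notes", b"plain text, nothing carvable")
    out = {"listed_before": d.list()}
    d.delete("photo")
    out["listed_after_delete"] = d.list()
    out["carved_after_delete"] = carve(d.raw) == [photo]
    d.quick_format()
    out["listed_after_format"] = d.list()
    out["carved_after_format"] = carve(d.raw) == [photo]
    d2 = ToyDisk()
    d2.create("photo", photo)
    d2.wipe("photo", passes=3)
    d2.delete("photo")
    out["carved_after_wipe"] = carve(d2.raw)
    return out


if __name__ == "__main__":
    print(demo())
```

The same carving loop works unchanged on a real `dd` image, which is why the ext2 question that follows has the answer it does: a `mkfs` that writes only its own metadata leaves the old file contents in place for the carver.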

Re:I'm Sure... (2, Interesting)

RLiegh (247921) | more than 6 years ago | (#20526425)

What about when you replace FAT (or NTFS) with another filesystem entirely? Would the format done by mkfs.ext2 (or whatever) overwrite the data, or would it simply set up a filesystem table and leave the previous data on the drive readily accessible (to anyone who wants to recover it)?

Re:I'm Sure... (1)

aliquis (678370) | more than 6 years ago | (#20526649)

I have no idea what it does but considering how fast most formats are done I'm very confident it doesn't overwrite all data at least. I guess it at least overwrites the data on the blocks where it stores superblock backups.

This makes the argument for... (1)

Nom du Keyboard (633989) | more than 6 years ago | (#20526207)

This makes the argument for keeping all your important data on a drive with an interface so old and obscure that this new box can't interface to it.

Backup Device (1)

Doc Ruby (173196) | more than 6 years ago | (#20526217)

I wish I had one of those, but not "secure" (and so much cheaper) that can just clone one existing HD I'm replacing onto a larger one with which I'm replacing it. Even 1Gbps would be good.

Maybe there's a dead-simple Linux app that will do this across a Gb-ethernet. Not just "network tar", but which reloads a new drive that's got only a new install of the OS (eg. Ubuntu) with only the non-OS data, plus OS configs (eg. /etc), from the old one.

Anyone make a self distruct system for a PC? (2, Interesting)

WarlockD (623872) | more than 6 years ago | (#20526219)

Seriously, like some kind of bullet that shoots the hard drive (maybe a .22 round, aimed toward the ground) and can be activated at a press of a button?

Re:Anyone make a self distruct system for a PC? (3, Insightful)

'Aikanaka (581446) | more than 6 years ago | (#20526435)

I recommend a thermite disk eraser - http://www.metacafe.com/watch/599982/how_to_make_thermite/ [metacafe.com] - which will provide a very quick method of creating a very non-recoverable hard disk. Thermite FTW!

Re:Anyone make a self distruct system for a PC? (2, Interesting)

aliquis (678370) | more than 6 years ago | (#20526883)

Yeah, just open an old HDD, remove the platters and heads and fill it with thermite, connect an electronic igniter (if one exists/works) to the molex connector and you are good to go!

That will show them not to touch your data ;D

Or in your case put that drive on top of the other and light it yourself when they come knocking on your door.

Re:Anyone make a self distruct system for a PC? (0)

Fulcrum of Evil (560260) | more than 6 years ago | (#20526545)

A measured amount of thermite should do the trick. Of course, the other trick is to make it work without burning the house down.

Secure drives and erasure (4, Interesting)

Barny (103770) | more than 6 years ago | (#20526373)

Ahh just in time then is Seagate's announcement of FDE series of drives, they use a small linux based boot sector to allow or disallow access to the drive's decoding hardware, of course without that hardware enabled and with the right key it will all be useless :)

As for the people talking about "safe methods for wiping drives", the only place I (personally) know of that has such requirements is DIGO http://www.defence.gov.au/digo/ [defence.gov.au] they use a furnace, works damn well. The moral of the story is, new drives are cheap, why fuck around with "maybe".

240 volts to usb/firewire ports (4, Funny)

timmarhy (659436) | more than 6 years ago | (#20526453)

This makes me want to disconnect my usb/firewire cables and solder a 240 volt feed to them.

lets see their nifty device copy shit then.

Re:240 volts to usb/firewire ports (1)

WindowsIsForArseWipe (990338) | more than 6 years ago | (#20526811)

You may not realise it but it is actually quite simple to provide protection from direct mains connection to a particular port. It doesn't even cost that much.

What about flash (1)

SkinnyKid63 (1104787) | more than 6 years ago | (#20526567)

Can overwritten data on a flash hard drive be recovered? I suppose if you're really paranoid you could store data in RAM and have it set to randomly overwrite itself if it were about to be compromised.

Degauss it (1)

LuminaireX (949185) | more than 6 years ago | (#20526603)

Easy enough to foil - don't format your drive. Run it through a degausser a few times; that data's unreadable and the drive can never be used again

So what does it help them... (1)

fluch (126140) | more than 6 years ago | (#20526899)

...if they copy my hard drive (after they have managed to get past the hard drive password) if they find most of the partitions encrypted with 256bit AES and the swap partition with 64bit blowfish? Anything useful there for them?
Cheers,
- Martin