Forensic Computer Targets Digital Crime

coondoggie writes "A European consortium has come up with a high-speed digital forensic computer dedicated to the task of quickly offloading and analyzing computer records. The TreCorder is a rugged forensic PC able to copy or clone up to three hard disks simultaneously, at a speed of up to 2 Gb/min., far faster than alternative equipment. The PC not only provides a complete mirror image of the hard disk and system memory — including deleted and reformatted data — but also eliminates any possibility of falsification in the process, meaning that the evidence it collects will stand up in court."

how good is it?

[thatskinnyguy (1129515)]

I have to wonder, after how many overwrites can this system detect data? The last I checked, the FBI can see data that has been overwritten 12 times.

Re:

[omeomi (675045)]

the FBI can see data that has been overwritten 12 times.

The FBI publishes this information?

Re:

[Harmonious Botch (921977)]

One of their experts has probably testified to it under oath.

Re:

[thatskinnyguy (1129515)]

An electron microscope can pick up even the faintest of magnetic fields. The weaker the field, the more times it's been overwritten.

Re:how good is it?

[compro01 (777531)]

well, as someone said in a previous discussion:

The only way to truely protect your data is to grind up your hard drive into powder, magnetize it all, then heat it into a liquid. Cool and grind it up again, scatter it into the wind, and just HOPE entropy does the rest.

Re:how good is it?

[PopeRatzo (965947)]

If you're not doing anything wrong, or using your computer to write or view anything wrong, or thinking anything wrong, or doing, writing, viewing or thinking anything that someone might construe to be wrong... ...then you have nothing to worry about.

Re:

[gweihir (88907)]

An electron microscope can pick up even the faintest of magnetic fields. The weaker the field, the more times it's been overwritten.

But the magnetic landscabe is noisy and there is a smalles stable magnetic intensity. After one overwrite it is very likely that the residual magnetisation from the eralier data vanishes in the noise and is too small to be stable, at least fo current disks. Remember that the HDD manufacturers have benn storing very close to the material limits for some time now.

Re:

[GPL Apostate (1138631)]

Most people have little control of where the info gets cached on the system. You can *think* that it's only on the flash drive, but somehow an app sticks it into swap or a file in a temp folder.

Re:

[dclocke (929925)]

I wouldn't mind seeing a source on that statistic. Because I'd be pretty comfortable betting my life savings that it's not true.

Re:

[deftcoder (1090261)]

Agreed, considering the NSA standard for data wipes is 7 random passes...

I'm more comfortable using this though: http://en.wikipedia.org/wiki/Gutmann_method [wikipedia.org]

Re:

[Jah-Wren Ryel (80510)]

Agreed, considering the NSA standard for data wipes is 7 random passes...

The NSA has no such standard.
Really, try to find an official source, you won't.

Re:

[Remik (412425)]

It doesn't matter how many times, it only matters which methods are used. If you're just using a Windows format (or worse, quick format), you can run it 100 times and the data will still be accessible.

That said, the DoD standard for "wiping" a drive is also excessive in what it requires to declare the media clean. (All 0s, then all 1s, then 010101..., then all 0s again...blah blah blah)

My somewhat expert opinion is that a program that writes the drive to all 0s or all 1s is all you need.

-R

An unreliable source might have said..

[Gazzonyx (982402)]

I've heard from an unreliable source (perhaps it was on slashdot, I can't recall) that a good method for doing this is rather to write data streams randomly. Something like an MP3 or any binary you'd like.

I guess the theory was that if you do this a few times with random sources, the magnetic characteristics (shadows) have not all been changed by the same amount, so you can't apply a logarithmic algorithm to figure out the possible states that the disk could have been in and see if they make any sense.

Re:

[Remik (412425)]

I never said otherwise; you replied to the wrong post.

-R

Re:

[Remik (412425)]

What matters how many times? As you say, there's a big difference between formatting and wiping.

I don't believe there's any conclusive evidence that data can be recovered from a drive that has been written entirely to 0s or 1s once. In other words, the DoD/NSA standard is over-kill.

I'm less (but still pretty) certain that repeated Windows formats will not make data any less accessible. The only way to make sure data can't be recovered from unallocated space or carved out of file slack is to overwrite tho

Re:

[jimmydevice (699057)]

It appears possible to recover previously erased data on old drives, but haven't the drive mfrs used exactly the same technology that the forensic disk morticians used in past years to get at erased crud (if ever)? It seems with vertical recording and super mag heads, the slop, leftover sideband noise and measurable blips of 90's tech now store data. I'm not trying to be factious, drive builders are pushing a lot of boundaries and I doubt they would back off ( unlike the MPAA and DRM ) reducing capacity to

Re:how good is it?

[TheWanderingHermit (513872)]

One of our LUG members recently did a presentation on computer forensics. I forgot the group that he took his classes through, but I remember a friend of mine saying they were one of the best. His comment on this was that the myth of data being retrievable after it has been written over is just that, these days: a myth. It seems that was a problem back in the earlier days of hard drives, but not with any recent equipment. It seems that once this became a "fact" it's stayed one for decades, even though there's been no evidence or proof of it being true with any hard drive designs for years.

I don't know how accurate that is, but I know a few others in the LUG started looking into it and nobody posted any links they felt were valid to back up the surviving data myth.

Reformat != Overwrite

[Nymz (905908)]

I have to wonder, after how many overwrites can this system detect data?

I'm thinking zero overwrites. From the article it appears that the system is a portable solution that only plugs into hard drives, and not a reader of the platters themselves. Software alone can analyze deleted files and a reformated file table, but it cannot use the orignal drive to read information that was overwritten.

Last you checked you were wrong

[Sycraft-fu (314770)]

You cannot read data overwritten even once unless you disassemble the hard drive. If you use a disk copy utility, any of them, you get nothing more than the current layer of data. That is simply all a hard drive reads. As such if you wished to get any overwritten data you'd have to take the platters out and put them under some other kind of analysis equipment.

As for the feasibility of that, well, there isn't. Sorry. Even if you have a setup to do that, the chances of getting anything useful are extremely lo

Re:

[turbidostato (878842)]

"1) You are, in fact, guessing. You are looking at imprecise data and trying to figure out what was there. Any competent defense attorney would tear such a thing apart. Just because the technician assumes a string of bits corresponds to a given waveform, doesn't mean they are right."

Not to say you are wrong; I think you are overall right, in fact. But in an ideal world, a competent attorney can't have more than justice gives him (after all, if you can hope for a "competent defense attorney" you should expe

Re:

[ColdWetDog (752185)]

Not sure what your point is. Sure, a scanning tunneling EM might be able to read the sides of sectors and get an idea of the charge state of the material, but you have to do it bit by bit. The STEMs don't have very large sample chambers so you'd have to chop the drive up into wee little pieces, keeping track of everything all of the time. Sounds wonderfully tedious.

As the OP pointed out, some intelligence agency might do it to find Osama bin Laden, but I really doubt the FBI is going to try this on some

Reality check for you

[Burz (138833)]

re: live RAM acquisition - http://it.slashdot.org/comments.pl?sid=291981&cid= 20526915 [slashdot.org]

Re:

[Jah-Wren Ryel (80510)]

I have to wonder, after how many overwrites can this system detect data? The last I checked, the FBI can see data that has been overwritten 12 times.

Possible, but highly unlikely and certainly expensive if they were able to pull it off.

Read this, including the epilogue:
Secure Deletion of Data from Magnetic and Solid-State Memory [auckland.ac.nz]

Re:

[Jah-Wren Ryel (80510)]

Expensive in time too. If it takes 3 years to extract the information, it isn't going to be useful at trial (which is presumably why they are doing forensic analysis in the first place).

Re:

[Beryllium Sphere(tm) (193358)]

If it doesn't involve cracking the disk's case open in a cleanroom (and this is just a hot PC with write blockers), then it's at the mercy of the drive's read head and every bit it gets will be what the drive natively believes is a bit.

Recovering overwritten information isn't the big deal in forensics, anyway. Organizing, managing and documenting the mountain of evidence is. If you're dealing with well written malware, worry that it's not on the disk at all and is strictly RAM-resident.

Drive density

[Beryllium Sphere(tm) (193358)]

I'd enjoy seeing (recent!) references on this, since hard drive technology has moved quite a bit since the Gutmann paper (the epilogue to which says "with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques").

The two best arguments I've seen among the speculation are

AGAINST: if it were possible to read under 12 layers of overwriting, wouldn't the drive manufacturers boost density by writing the same spot 12 times?
FOR: a read head in a lab doesn't have to be light, may not need to be fast, and definitely doesn't have to cost less than a good dinner. In other words, it's not subject to the limitations of the drive's read head.

Re:

[timmarhy (659436)]

"if it were possible to read under 12 layers of overwriting, wouldn't the drive manufacturers boost density by writing the same spot 12 times?"

what makes you think they would want to do that? it'd be dog slow, and it'd also be error prone. none of which helps to sell drives.

Re:how good is it?

[SamP2 (1097897)]

I keep seeing over and over posts that say that a "hardware" method would be the one that is totally secure, and the best example being a hammer.

You'd be surprised, however, how resistant drives can be do physical damage.

For those who know anything about hard drives (referring to regular platter drives, not solid state), you'd know that inside the rectangular case (made out of crappy soft aluminum) lie several plates connected to each other through a spinner in the middle, and they are made out of pretty strong steel.

When I took my data security course, we practiced destroying data physically. So I opened the hard drive, removed the platters and disconnected them. Then came the fun part, trying to destroy them.

First I tried several grades of sandpaper. All the lighter ones didn't leave a JACK SQUAT mark, no matter how hard I tried. The most heavy ones left _very_ small marks which were only visible in the direction of the strongest applied force. Sanding a whole drive this way would take days, and I wasn't sure it was strong enough to actually fully remove the magnetic cover. If anything, I damaged the sandpaper more than the drive.

Then I tried a metal file. The results were considerably better, with deep strong marks, but again, they only covered the path of the sharpest edge of the file, not the whole contact surface area. I filed away for 5 minutes straight, and I only managed to produce about 30% area of a single side of a single platter which I could say was destroyed with high probability of not being recoverable.

Finally, I tried a heavy hammer on another platter, having locked the platter in a vise. I wasn't impressed. The hammer, at best, produced bends across the drive. After another 5 minutes of hammering away, the drive was certainly not round anymore, but the total surface area actually destroyed by these bends was fairly minimal. Sure, it may prevent an easy automatic way of recovering data using regular means (spinning it against a magnetic reader the same way drives usually work), but I'd say at least 80% of that platter still had data on it. The manual work requiring to read the data piece by piece may indeed take weeks, but it would probably be possible, and having the mentality of "it'll take them too much work to read it" is akin to having the mentality of "nobody will hack me because I'm not a target of interest and they won't bother". From the point of view of a security specialist, it's wrong in principle.

The moral of the story is that hard drives are a pretty tough nut and not as easily physically destroyed as you may think. To all those rambling away about how unreliable hard drives are and how easy they break down, I'd say that in the vast, vast majority of cases what breaks down is the engine, the magnetic mechanism, or something else that would prevent the drive from being readable by tools built in the drive box, but not the platters with the data itself.

Another common myth is that you can easily and securely permanently wipe the data with a magnet. The forces required to near-instantly and irrecoverably overwrite the magnetic stripe of the disk are ENORMOUS. During regular usage, a relatively weak magnet is used to read and write on the disk, but it only operates on a minuscule area of the disk (trivially, by writing a bit on an 4 (double sided)-platter 500GB drive, the magnetic edge only operates on 1/500,000,000,000th area of the platter. Now use the denominator to figure out the magnetic intensity required to fully overwrite the whole disk at once. It ain't pretty. Industrial-grade degaussers may do the trick, but not your average home magnet (which, of course, doesn't mean the magnet is not good enough to randomly corrupt a small part of the data which will screw your partition table and make your OS refuse the read the drive anyways). But I somehow doubt the folks in the NSA use Windows XP Home Edition to investigate hard drives.

The "true" way to destroy hard drives is to completely melt them in an incinerator, and t

Re:

[TooMuchToDo (882796)]

I always though the best poor man's magnetic eraser would be an old MRI machine. Keep your storage array near the center suspended by a strong, non-metallic material. Someone busts in the door? Just push the breaker on for that MRI machine.

That, my friend, should be enough electromagnetic energy to wipe the entire drive at once.

Re:

[DMUTPeregrine (612791)]

Pulsed-power. coin shrinkers [delete.org] are an easy solution. Just use the coil around the HDD instead of a coin. I generally just use a grinding wheel. It's hard to read platters once they are dust.

Re:

[arminw (717974)]

..... when you see the FBI at your door going after all your pirated MP3s, I'd just say don't bet on it to work...........

I think a disk drive tossed into our hot wood stove the moment an unknown knock came to the door, would be useless to the FBI/KGB/CIA/NSA or anyone else of equal expertise. The stove works well on old papers and credit cards also. Everybody with deep dark secrets needs a good wood stove. As a side benefit, it'll keep the house nice and warm for cheap.

Re:

[toddestan (632714)]

Why not just dip the platters in a some corrosive? I'm sure even some like drano might do the trickk.

Harddrives platters are commonly coated with DLC (diamond like coating). The Drano is not going to get through that to the metal. The DLC is also why the parent poster had no luck with sandpaper, as the DLC is likely harder than the grit. (the purpose of the DLC is to protect the platters from accidental contact with the heads - it's tough stuff)

However, your idea could work if the chemical was particular

Re:how good is it?

[MoralHazard (447833)]

Dear God, when will the FUD stop??!!?? This silly meme has been making the rounds for a very long time, ever since Gutmann wrote that god-awful paper for USENIX '96. IT IS NOT TRUE!! There are no scientific or engineering papers that provide any evidence to suggest otherwise--NONE.

Here's the story: Back in 1996, Peter Gutmann published a paper where he described the theoretical possibility of reading small sections of overwritten data, in a largely unreliable fashion. Having gone back through the source he cites, I came to be of the opinion that his assertion was irresponsible, since he makes a very bold claim without pointing out how many qualifications and 'but's are attached to it:

1) The specific techniques he discusses address older hard drive platter recording technologies that were completely supplanted, throughout the industry, in 1996-1997. Newer hard drives changed recording techniques to cram more data onto the same platter area, which eliminated the specific properties that would have allowed Gutmann's proposed recovery method to work.

2) None of Gutmann's citations ever claimed to have made the recovery methods work in a practical fashion (as in, actually recovering a sector of data, let alone a whole file) on a real hard drive. There were a few lab experiments that were NOT performed on hard drives, and nobody was cited as actually implementing a real-world method.

3) Since the 1996 paper (in '99, I believe), Gutmann published a revised draft that really only changed the section talking about this issue, and he significantly backpedaled his claims. Supposedly, some of his colleagues pointed out that his assertion was scientifically unsupported and extremely inflammatory. Net result: In the newest version of that paper, he basically admits that recovery of overwritten data, on modern hard drives, is snake oil.

There's more, though. Having worked in forensics and specifically dealt with federal law enforcement agencies, I get a chuckle when people (usually, the same tinfoil-hat guys who believe in aliens at Roswell) talk like the FBI has secret recovery technology that the private sector doesn't. This is provable bullshit, for several reasons:

1) The FBI has no real engineering capacity, and they're not as good at stuff like this as you think. In data forensics, especially, their equipment, techniques, and training have never been as good as what the private sector has. The private sector has more money, which means it can buy the newest toys and do real R&D, and it can afford to pay the big-ass salaries that cutting edge engineers require. For comparison, go ask somebody at Hitachi or Segate who does hard drive research how much money they make. Then, ask the FBI how much their highest-paid experts make. It's going to be at least a 2:1 difference, maybe more.

2) Secret methodologies are useless to the FBI, because they would never hold up in court. Data forensics depends on its credibility under the standards of scientific evidence, otherwise it gets tossed out of court and the defense wins. The basic test of scientific evidence is "Does the scientific community have a consensus that this method is correct?" If it's a secret method, there can be no consensus in the community, and it can't be used in court.

3) There's a simple thought experiment that verifies this: If it were possible to read data that has been overwritten even once, doesn't that mean that your hard drive has an actual storage capacity is twice what the manufacturer is actually giving you. How much sense does that make? Those guys jump on every technology possible to cram more data into a smaller space, so even if it's space-alien-magic stuff, they'll have an enormous incentive to make it practical to mass-produce. And they usually do just that. There only a tiny bit more usable capacity on your drive (Let alone 12x worth!) than the manufacturer's label says, and that's replacement sectors for areas that develop problems--we know about that, and it's not useful in data forensics for other reasons.

Re:

[imemyself (757318)]

Would the sledge-hammer actually destroy the platters themselves though? Obviously the drive as a whole would not work, but even if the platters were physically broken into a few pieces, I assume that a lot of the data itself would be intact on the disk. I doubt that there's any off-the-shelf tech that local law enforcement has that would be able to do it, but it wouldn't entirely surprise me of FBI/CIA/NSA/etc, have some sort of capability. Does anyone know any more about this sort of thing out of curio

Not so fast...

[Remik (412425)]

2gb/min isn't that fast.

Standalone devices like the Logicube [logicube.com] Talon copy twice as fast. They also hash the drives and store audit trails to a CF card.

I can see the potential benefit to creating 3 mirrored drives at once, but it is extremely limited.

-R

Re:

[Tuoqui (1091447)]

It seems geared for servers where you'd have 3+ drives in RAID configs

I love reporters

[DaftShadow (548731)]

"The TreCorder is a rugged forensic PC able to copy or clone up to three hard disks simultaneously, at a speed of up to 2 Gb/min. The same transfer would take 30 to 60 minutes using alternative equipment said Martin Hermann, general director of MH-services..."

And, don't forget this gem:"...eliminates any possibility of falsification in the process."

Although, I must be honest... A pre-configured dual-boot XP/Linux forensics box, 4GB RAM, 2TB internal HD, and a 3TB external backup system, seems lik

Re:

[Remik (412425)]

There's some pretty good FUD coming from the developers here, as well..

They make it seem like a huge problem that EnCase isn't entirely secure against potential attacks from the target machine. Well...the only time I'd use a software acquisition method is when a hardware acquisition is strictly out of the equation (i.e. live & critical servers that cannot under any circumstances be shut down). How likely are the servers for an airline's ticketing system to be booby-trapped?

They're creating problems an

Re:

[Fourier (60719)]

The article mentions this being chose over sleuthkit, which makes me wonder just how much better (if at all) the software internals are on the TreCorder.

The key isn't so much the software as it is the hardware. The TreCorder uses hardware write blockers [tableau.com] to provide a rather strong guarantee that the original data will not be corrupted even if the OS and the acquisition software happen to be written by idiots.

doubtful

[crossmr (957846)]

does it create a read only image that can never be tampered with? Given the fact that anyone can do just about anything, most digital evidence always leaves me lacking.

Anyone make a self distruct system for a PC?

[WarlockD (623872)]

Seriously, like some kind of bullet that shoots the hard drive (Maybe 22round, aimed toward the ground) and can be activated at a press of a button?

Re:

['Aikanaka (581446)]

I recommend a thermite disk eraser - http://www.metacafe.com/watch/599982/how_to_make_t hermite/ [metacafe.com] - which will provide a very quick method of creating a very non-recoverable hard disk. Thermite FTW!

Re:

[aliquis (678370)]

Yeah, just open an old HDD, remove the platters and heads and fill it with thermite, connect an electronic igniter (if one exist/works) to the molex-connector and you are good to go!

That will show them not to touch your data ;D

Or in your case put that drive on top of the other and light it yourself when they come knocking on your door.

Secure drives and erasure

[Barny (103770)]

Ahh just in time then is Seagates announcement of FDE series of drives, they use a small linux based boot sector to allow or disallow access to the drives decoding hardware, of course without that hardware enabled and with the right key it will all be useless :)

As for the people talking about "safe methods for wiping drives", the only place I (personally) know of that has such requirements is DIGO http://www.defence.gov.au/digo/ [defence.gov.au] they use a furnace, works damn well. The moral of the story is, new drives are cheap, why fuck around with "maybe".

240 volts to usb/firewire ports

[timmarhy (659436)]

This makes me want to disconnect my usb/firewire cables and solder a 240 volt feed to them.

lets see their nifty device copy shit then.

Re:

[tomhudson (43916)]

I read the article, and it sounds like its "marketing" - we all know that system memory can't be read the way they claim - by plugging into the hard drives. Sure, you'll pick up what was in swap, but if a person is smart and worried about security, they don't have swap - turn it off, and all memory goes bye-bye.

Re:System memory? Torrentspy could use one

[Jah-Wren Ryel (80510)]

I read the article, and it sounds like its "marketing" - we all know that system memory can't be read the way they claim - by plugging into the hard drives. Sure, you'll pick up what was in swap, but if a person is smart and worried about security, they don't have swap - turn it off, and all memory goes bye-bye.

They plug into the firewire port and use the PC's own firewire controller to DMA from host memory out across the firewire bus.
That is a standard forensic operation nowadays.

However, some people have already postulated, if not actually implemented, protections against that sort of attack. The idea is that the host can reprogram the PCI bus controller to route all DMA requests from the firewire controller off into some user-specified range of memory. In theory the forensic tool could detect that the PCI controller has been programmed to do that, but it could not do anything about it.

Re:

[Beryllium Sphere(tm) (193358)]

The actual site for the Trecorder doesn't make any claims about making a copy of RAM, that seems to have appeared in the article by spontaneous generation.

But I wonder if it would be possible over a Firewire connection, given that Firewire allows direct memory access [security-assessment.com].

Re:

[RLiegh (247921)]

What about when you replace FAT (or NTFS) with another filesystem entirely? Would the format done by mkfs.ext2 (or whatever) overwrite the data, or would it simply set up a filesystem table and leave the previous data on the drive readily accessible (to anyone who wants to recover it)?

Re:

[Cheesey (70139)]

The job you are talking about is quite easy on Linux because the only file that requires a special post-copy procedure is the kernel image - and even then, you only have to rerun lilo or grub. In fact you can copy an entire disk image using just "cp -a", and it will still boot if you update lilo or grub. The best way to upgrade a Linux system to a new hard disk is to do a copy in that way, with the target disk mounted somewhere in the current system. Then swap the disks, boot from a live CD, and run lilo or