Forensic Computer Targets Digital Crime

coondoggie writes "A European consortium has come up with a high-speed digital forensic computer dedicated to the task of quickly offloading and analyzing computer records. The TreCorder is a rugged forensic PC able to copy or clone up to three hard disks simultaneously, at a speed of up to 2 Gb/min., far faster than alternative equipment. The PC not only provides a complete mirror image of the hard disk and system memory — including deleted and reformatted data — but also eliminates any possibility of falsification in the process, meaning that the evidence it collects will stand up in court."
  • Not so fast... (Score:4, Informative)

    by Remik ( 412425 ) on Sunday September 09, 2007 @12:30AM (#20525961)
    2gb/min isn't that fast.

    Standalone devices like the Logicube [logicube.com] Talon copy twice as fast. They also hash the drives and store audit trails to a CF card.

    I can see the potential benefit to creating 3 mirrored drives at once, but it is extremely limited.

    -R
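A minimal version of what Remik describes (hash the drive while it is copied and keep an audit trail), as an added example; it is not part of the thread and not TreCorder or Logicube code. The device is a constructed in-memory stand-in with one unreadable sector so the example runs offline; a real acquisition would read the device node behind a hardware write blocker. Hashing the stream as it is read, re-hashing the finished image from disk, and appending every step to a log is what makes the copy defensible later; zero-filling unreadable sectors so the image keeps the device geometry is the same behaviour as dd conv=noerror,sync.

```python
"""Forensic acquisition with inline hashing and an audit trail.

Added example, not TreCorder, Logicube or any vendor's code. It images a
block device, hashing the stream as it is read, re-hashes the finished
image to verify it, and appends every step to a JSON-lines audit log.
"""
import hashlib
import json
import os
import tempfile
import time

SECTOR = 512


class FlakyDevice:
    """Constructed stand-in for a block device with one unreadable sector.

    A real acquisition would open the device node read-only behind a
    write blocker; this class exists only so the example runs offline
    and exercises the read-error path.
    """

    def __init__(self, data, bad_sector):
        self.data, self.bad_sector, self.pos = data, bad_sector, 0

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        if self.pos // SECTOR == self.bad_sector:
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def _log(log_path, event, **fields):
    """Append one audit record; the log is append-only and never rewritten."""
    with open(log_path, "a") as audit:
        audit.write(json.dumps({"ts": time.time(), "event": event, **fields}) + "\n")


def acquire(src, img_path, log_path, block_size=SECTOR):
    """Copy src to img_path, hashing while reading. Unreadable blocks are
    replaced by zeros so the image keeps the device geometry (what
    dd conv=noerror,sync does) and each one is logged with its offset."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad_blocks, offset = [], 0
    _log(log_path, "acquisition_start", block_size=block_size)
    with open(img_path, "wb") as dst:
        while True:
            src.seek(offset)
            try:
                chunk = src.read(block_size)
            except OSError as err:
                chunk = b"\x00" * block_size
                bad_blocks.append(offset)
                _log(log_path, "read_error", offset=offset, errno=err.errno)
            if not chunk:
                break
            md5.update(chunk)
            sha256.update(chunk)
            dst.write(chunk)
            offset += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    result = {"bytes": offset, "md5": md5.hexdigest(),
              "sha256": sha256.hexdigest(), "bad_blocks": bad_blocks}
    _log(log_path, "acquisition_end", **result)
    return result


def verify(img_path, expected_sha256, log_path):
    """Re-read the image from disk and compare with the acquisition hash."""
    h = hashlib.sha256()
    with open(img_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    match = h.hexdigest() == expected_sha256
    _log(log_path, "verify", sha256=h.hexdigest(), match=match)
    return match


def demo():
    """Image a constructed 8-sector device whose sector 3 is unreadable."""
    data = bytes(range(256)) * 16          # 4096 bytes = 8 sectors
    expected = data[:3 * SECTOR] + b"\x00" * SECTOR + data[4 * SECTOR:]
    with tempfile.TemporaryDirectory() as d:
        img, log = os.path.join(d, "evidence.dd"), os.path.join(d, "evidence.log")
        result = acquire(FlakyDevice(data, bad_sector=3), img, log)
        result["verified"] = verify(img, result["sha256"], log)
        with open(img, "rb") as f:
            result["image_ok"] = f.read() == expected
        with open(log) as f:
            result["events"] = [json.loads(line)["event"] for line in f]
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The acquisition hash covers the image as written (bad sectors included as zeros), so a later re-hash of the image file proves it is unchanged; the log records which offsets were unreadable, which is what an examiner has to disclose rather than hide.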
  • Re:how good is it? (Score:3, Informative)

    by deftcoder ( 1090261 ) on Sunday September 09, 2007 @12:35AM (#20525989)
    Agreed, considering the NSA standard for data wipes is 7 random passes...

    I'm more comfortable using this though: http://en.wikipedia.org/wiki/Gutmann_method [wikipedia.org]
  • Re:how good is it? (Score:2, Informative)

    by thatskinnyguy ( 1129515 ) on Sunday September 09, 2007 @12:45AM (#20526035)
    An electron microscope can pick up even the faintest of magnetic fields. The weaker the field, the more times it's been overwritten.
  • by Sycraft-fu ( 314770 ) on Sunday September 09, 2007 @12:48AM (#20526053)
    You cannot read data overwritten even once unless you disassemble the hard drive. If you use a disk copy utility, any of them, you get nothing more than the current layer of data. That is simply all a hard drive reads. As such if you wished to get any overwritten data you'd have to take the platters out and put them under some other kind of analysis equipment.

    As for the feasibility of that, well, there isn't. Sorry. Even if you have a setup to do that, the chances of getting anything useful are extremely low. What you are talking about doing is reading off the data in an analogue format. The theory is that the whole reason we use digital equipment is because of imprecision in storage. So rather than try to detect subtle changes, we simply say "Anything over magnetic level X is a 1, anything under is a 0." Thus the drive head just messes with the state to change it, not caring about the precise state it is in. Well the theory is also then that there will be a residual of the last data written. If I have a 1 and make it a 0 it will be slightly higher than a 0 that was again made a 0. By analysing the analogue waveform, you are able to guess at what the previous data was.

    Ok but there are two major problems with this, especially as applied to law enforcement:

    1) You are, in fact, guessing. You are looking at imprecise data and trying to figure out what was there. Any competent defense attorney would tear such a thing apart. Just because the technician assumes a string of bits corresponds to a given waveform, doesn't mean they are right.

    2) The amount of data on a modern hard drive is staggering, and the encoding extremely complicated. To try and do something like this, even for one level, could take months if not more, and that's assuming you had a streamlined process down. This isn't simple like "Just read the data." As I said it is "Look at the actual waveform and try to decode older pieces from small fluctuations below the normal 1/0 threshold."

    Well this is the kind of stuff intelligence agencies likely dabble in, as they've got the resources and there's no standard of proof. They might well be willing to pore over a drive for years if it gets them information. Even if there are assumptions on the part of the analysts, that's ok. After all that's how code breaking was largely done back in the day: You made assumptions based on the language and known plain texts and such and started guessing at the rest.

    However that isn't the kind of shit that flies in court, and not the kind of thing that they've got time for. You'll notice how they talk about copying the data and the importance of maintaining the evidentiary chain. You don't get that when it's some guy with an oscilloscope making guesses.

    It may make for good movies and TV, but once something has been overwritten it's done basically. If you have evidence to the contrary, I'd love to see it but "I heard," or "Some guy who worked for the FBI said," isn't it. Show the product/method that is used. If it is something that is used in court, it has to be known.
  • Re:how good is it? (Score:3, Informative)

    by Jah-Wren Ryel ( 80510 ) on Sunday September 09, 2007 @12:54AM (#20526075)

    Agreed, considering the NSA standard for data wipes is 7 random passes...
    The NSA has no such standard.
    Really, try to find an official source, you won't.
  • Re:how good is it? (Score:3, Informative)

    by TooMuchToDo ( 882796 ) on Sunday September 09, 2007 @01:46AM (#20526325)
    I always thought the best poor man's magnetic eraser would be an old MRI machine. Keep your storage array near the center suspended by a strong, non-metallic material. Someone busts in the door? Just push the breaker on for that MRI machine.

    That, my friend, should be enough electromagnetic energy to wipe the entire drive at once.

  • by Mathinker ( 909784 ) on Sunday September 09, 2007 @03:50AM (#20526787) Journal
    The Curie point of modern magnetic media is higher than the melting point of aluminum.
  • by Burz ( 138833 ) on Sunday September 09, 2007 @05:25AM (#20527167) Homepage Journal
    re: live RAM acquisition - http://it.slashdot.org/comments.pl?sid=291981&cid=20526915 [slashdot.org]
  • Re:how good is it? (Score:4, Informative)

    by MoralHazard ( 447833 ) on Sunday September 09, 2007 @10:59AM (#20528449)
    Dear God, when will the FUD stop??!!?? This silly meme has been making the rounds for a very long time, ever since Gutmann wrote that god-awful paper for USENIX '96. IT IS NOT TRUE!! There are no scientific or engineering papers that provide any evidence to suggest otherwise--NONE.

    Here's the story: Back in 1996, Peter Gutmann published a paper where he described the theoretical possibility of reading small sections of overwritten data, in a largely unreliable fashion. Having gone back through the source he cites, I came to be of the opinion that his assertion was irresponsible, since he makes a very bold claim without pointing out how many qualifications and 'but's are attached to it:

    1) The specific techniques he discusses address older hard drive platter recording technologies that were completely supplanted, throughout the industry, in 1996-1997. Newer hard drives changed recording techniques to cram more data onto the same platter area, which eliminated the specific properties that would have allowed Gutmann's proposed recovery method to work.

    2) None of Gutmann's citations ever claimed to have made the recovery methods work in a practical fashion (as in, actually recovering a sector of data, let alone a whole file) on a real hard drive. There were a few lab experiments that were NOT performed on hard drives, and nobody was cited as actually implementing a real-world method.

    3) Since the 1996 paper (in '99, I believe), Gutmann published a revised draft that really only changed the section talking about this issue, and he significantly backpedaled his claims. Supposedly, some of his colleagues pointed out that his assertion was scientifically unsupported and extremely inflammatory. Net result: In the newest version of that paper, he basically admits that recovery of overwritten data, on modern hard drives, is snake oil.

    There's more, though. Having worked in forensics and specifically dealt with federal law enforcement agencies, I get a chuckle when people (usually, the same tinfoil-hat guys who believe in aliens at Roswell) talk like the FBI has secret recovery technology that the private sector doesn't. This is provable bullshit, for several reasons:

    1) The FBI has no real engineering capacity, and they're not as good at stuff like this as you think. In data forensics, especially, their equipment, techniques, and training have never been as good as what the private sector has. The private sector has more money, which means it can buy the newest toys and do real R&D, and it can afford to pay the big-ass salaries that cutting edge engineers require. For comparison, go ask somebody at Hitachi or Seagate who does hard drive research how much money they make. Then, ask the FBI how much their highest-paid experts make. It's going to be at least a 2:1 difference, maybe more.

    2) Secret methodologies are useless to the FBI, because they would never hold up in court. Data forensics depends on its credibility under the standards of scientific evidence, otherwise it gets tossed out of court and the defense wins. The basic test of scientific evidence is "Does the scientific community have a consensus that this method is correct?" If it's a secret method, there can be no consensus in the community, and it can't be used in court.

    3) There's a simple thought experiment that verifies this: If it were possible to read data that has been overwritten even once, doesn't that mean that your hard drive has an actual storage capacity twice what the manufacturer is actually giving you? How much sense does that make? Those guys jump on every technology possible to cram more data into a smaller space, so even if it's space-alien-magic stuff, they'll have an enormous incentive to make it practical to mass-produce. And they usually do just that. There's only a tiny bit more usable capacity on your drive (let alone 12x worth!) than the manufacturer's label says, and that's replacement sectors for areas that develop problems--we know about that, and it's not useful in data forensics for other reasons.
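The overwrite-passes subthread (deftcoder's seven passes and the Gutmann link, Sycraft-fu's point that a drive's interface only ever returns the current layer, MoralHazard's argument that one pass is all modern media need) in working form, as an added example that is not part of the thread and not Gutmann's or any standard's schedule. Each pass writes a pattern over the whole range, syncs, then reads the range back through the same interface and checks that only the pattern is there. The three-pass schedule is illustrative, as is the use of a seeded SHA-256 keystream for the random pass so it can be verified without being held in memory. One caveat the thread predates: on flash media (SSDs, USB sticks) wear levelling means overwriting through the block layer does not reach every cell, so the drive's own secure-erase command is the right tool there.

```python
"""Overwrite-and-verify sanitisation through the drive's normal interface.

Added example, not from this thread or from Gutmann's paper. Each pass
writes a pattern over every byte, syncs, then reads everything back and
checks that only the pattern is there: the block interface returns the
current layer of data and nothing else. The three-pass schedule is an
assumption for illustration; one complete pass is what modern magnetic
media need, extra passes only cost time. On flash media wear levelling
means this routine cannot reach every cell; use the drive's secure erase.
"""
import hashlib
import os
import secrets
import tempfile

PASSES = ("zeros", "ones", "random")
BLOCK = 1 << 16          # must be a multiple of 32 (one SHA-256 digest)


def pattern(name, seed, offset, n):
    """Bytes to write at offset for a pass. The random pass is derived from
    (seed, offset) so it can be regenerated for verification."""
    if name == "zeros":
        return b"\x00" * n
    if name == "ones":
        return b"\xff" * n
    out = bytearray()
    blk = offset // 32   # offsets are block multiples, so this is aligned
    while len(out) < n:
        out += hashlib.sha256(seed + blk.to_bytes(8, "big")).digest()
        blk += 1
    return bytes(out[:n])


def wipe(path, passes=PASSES, block=BLOCK):
    """Overwrite path in place, pass by pass; returns [(pass, verified)]."""
    assert block % 32 == 0
    seed = secrets.token_bytes(32)
    size = os.path.getsize(path)   # for a device node use os.lseek(fd, 0, os.SEEK_END)
    report = []
    with open(path, "r+b") as f:
        for name in passes:
            for off in range(0, size, block):
                f.seek(off)
                f.write(pattern(name, seed, off, min(block, size - off)))
            f.flush()
            os.fsync(f.fileno())   # force the pass out of the page cache
            ok = True
            for off in range(0, size, block):
                n = min(block, size - off)
                f.seek(off)
                if f.read(n) != pattern(name, seed, off, n):
                    ok = False
                    break
            report.append((name, ok))
    return report


def demo():
    """Wipe a constructed file holding a recognisable secret; report the
    per-pass verification and whether any of the secret survived."""
    plaintext = b"SECRET-EVIDENCE-" * 101      # 1616 bytes, not a block multiple
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(plaintext)
        path = f.name
    try:
        report = wipe(path, block=64)         # small block so several blocks are exercised
        with open(path, "rb") as f:
            after = f.read()
    finally:
        os.unlink(path)
    return {"passes": report,
            "size_kept": len(after) == len(plaintext),
            "secret_survives": b"SECRET" in after}


if __name__ == "__main__":
    print(demo())
```

The read-back check is the only verification a wiping tool can offer, and it is also the limit of what a disk-copy utility can see: whatever the previous layer was, the interface reports the last pattern written.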
  • Re:how good is it? (Score:3, Informative)

    by toddestan ( 632714 ) on Sunday September 09, 2007 @01:35PM (#20529659)
    Why not just dip the platters in some corrosive? I'm sure even something like Drano might do the trick.

    Hard drive platters are commonly coated with DLC (diamond like coating). The Drano is not going to get through that to the metal. The DLC is also why the parent poster had no luck with sandpaper, as the DLC is likely harder than the grit. (the purpose of the DLC is to protect the platters from accidental contact with the heads - it's tough stuff)

    However, your idea could work if the chemical was particularly corrosive - just compromise the DLC somewhere (use a file or something) then let the chemistry do its thing.
  • Re:how good is it? (Score:1, Informative)

    by Anonymous Coward on Sunday September 09, 2007 @02:21PM (#20530039)
    I have to take issue with the platters being made from steel. I'm not sure how old the drives you've played with are, but over numerous years and about 20 or so drives that I've mangled, the platters are made of extremely breakable glass-like material. Though they are fairly scratch resistant, as you have stated.
