Forensic Computer Targets Digital Crime

coondoggie writes "A European consortium has come up with a high-speed digital forensic computer dedicated to the task of quickly offloading and analyzing computer records. The TreCorder is a rugged forensic PC able to copy or clone up to three hard disks simultaneously, at a speed of up to 2 Gb/min., far faster than alternative equipment. The PC not only provides a complete mirror image of the hard disk and system memory — including deleted and reformatted data — but also eliminates any possibility of falsification in the process, meaning that the evidence it collects will stand up in court."
  • Re:how good is it? (Score:2, Insightful)

    by Harmonious Botch ( 921977 ) * on Sunday September 09, 2007 @12:17AM (#20525899) Homepage Journal
    One of their experts has probably testified to it under oath.
  • Re:how good is it? (Score:3, Insightful)

    by dclocke ( 929925 ) on Sunday September 09, 2007 @12:25AM (#20525935)
    I wouldn't mind seeing a source on that statistic. Because I'd be pretty comfortable betting my life savings that it's not true.
  • Re:how good is it? (Score:2, Insightful)

    by Remik ( 412425 ) on Sunday September 09, 2007 @12:33AM (#20525979)
    It doesn't matter how many times, it only matters which methods are used. If you're just using a Windows format (or worse, quick format), you can run it 100 times and the data will still be accessible.

    That said, the DoD standard for "wiping" a drive is also excessive in what it requires to declare the media clean. (All 0s, then all 1s, then 010101..., then all 0s again...blah blah blah)

    My somewhat expert opinion is that a program that writes the drive to all 0s or all 1s is all you need.

    -R
  • Re:how good is it? (Score:1, Insightful)

    by Anonymous Coward on Sunday September 09, 2007 @12:35AM (#20525987)
    From the description, it doesn't sound to me like it is recovering data sectors that have been overwritten on the disk, but is only recovering the raw data sectors as read by the disk interface. So it can recover data that has been deleted, but not data that has been wiped (written over with something else). Of course if you really want to prevent someone from reading data off your disk the best option is a hardware solution. A ten pound sledge hammer usually does a good job.
  • by Nymz ( 905908 ) on Sunday September 09, 2007 @12:41AM (#20526017) Journal

    I have to wonder, after how many overwrites can this system detect data?

    I'm thinking zero overwrites. From the article it appears that the system is a portable solution that only plugs into hard drives, and not a reader of the platters themselves. Software alone can analyze deleted files and a reformatted file table, but it cannot use the original drive to read information that was overwritten.
  • doubtful (Score:3, Insightful)

    by crossmr ( 957846 ) on Sunday September 09, 2007 @01:05AM (#20526131) Journal
    does it create a read only image that can never be tampered with? Given the fact that anyone can do just about anything, most digital evidence always leaves me lacking.
  • Re:how good is it? (Score:2, Insightful)

    by Jah-Wren Ryel ( 80510 ) on Sunday September 09, 2007 @01:05AM (#20526135)
    Expensive in time too. If it takes 3 years to extract the information, it isn't going to be useful at trial (which is presumably why they are doing forensic analysis in the first place).
  • Re:Drive density (Score:3, Insightful)

    by timmarhy ( 659436 ) on Sunday September 09, 2007 @01:39AM (#20526285)
    "if it were possible to read under 12 layers of overwriting, wouldn't the drive manufacturers boost density by writing the same spot 12 times?"

    What makes you think they would want to do that? It'd be dog slow, and it'd also be error prone. None of which helps to sell drives.

  • I recommend a thermite disk eraser - http://www.metacafe.com/watch/599982/how_to_make_thermite/ [metacafe.com] - which will provide a very quick method of creating a very non-recoverable hard disk. Thermite FTW!
  • Re:how good is it? (Score:3, Insightful)

    by jimmydevice ( 699057 ) on Sunday September 09, 2007 @02:48AM (#20526563)
    It appears possible to recover previously erased data on old drives, but haven't the drive mfrs used exactly the same technology that the forensic disk morticians used in past years to get at erased crud (if ever)? It seems with vertical recording and super mag heads, the slop, leftover sideband noise and measurable blips of 90's tech now store data. I'm not trying to be facetious, drive builders are pushing a lot of boundaries and I doubt they would back off (unlike the MPAA and DRM) reducing capacity to retain info for the man. I am drunk.
  • Re:how good is it? (Score:3, Insightful)

    by GPL Apostate ( 1138631 ) on Sunday September 09, 2007 @09:04AM (#20527927)
    Most people have little control of where the info gets cached on the system. You can *think* that it's only on the flash drive, but somehow an app sticks it into swap or a file in a temp folder.
  • Re:Backup Device (Score:3, Insightful)

    by Cheesey ( 70139 ) on Sunday September 09, 2007 @10:32AM (#20528319)
    The job you are talking about is quite easy on Linux because the only file that requires a special post-copy procedure is the kernel image - and even then, you only have to rerun lilo or grub. In fact you can copy an entire disk image using just "cp -a", and it will still boot if you update lilo or grub. The best way to upgrade a Linux system to a new hard disk is to do a copy in that way, with the target disk mounted somewhere in the current system. Then swap the disks, boot from a live CD, and run lilo or grub. Then upgrade the OS if you want once you are up and running. But if you do want to start with a clean install, just copy /home and any parts of /etc that you've changed.

    You can use dd and netcat, as another reply suggests, but I've done this many times, and I think it's much better (and easier) to recreate the file system, not least because this provides a really easy way to resize the disk in either direction. It's also faster (dead space is not copied) and defragments the file system too. You only have to use tools like dd, Ghost, PartImage or ntfsclone when the OS acts against easy cloning by having lots of special files that have to be at specific locations on disk. (Every version of Windows has this "feature".)
  • by turbidostato ( 878842 ) on Sunday September 09, 2007 @10:38AM (#20528339)
    "1) You are, in fact, guessing. You are looking at imprecise data and trying to figure out what was there. Any competent defense attorney would tear such a thing apart. Just because the technician assumes a string of bits corresponds to a given waveform, doesn't mean they are right."

    Not to say you are wrong; I think you are overall right, in fact. But in an ideal world, a competent attorney can't have more than justice gives him (after all, if you can hope for a "competent defense attorney" you should expect a "competent accusation attorney" too). It's true that telling one single bit to be a 0 or a 1 is "guessing", but a single bit doesn't tell anything. It's a huge collection of bits that holds info: if, by fairly guessing any single bit to be a 0 or a 1, you end up with the literal text of the USA constitution, you must be pretty sure your guess is right (you can throw some statistical analysis at it). If you guess a password and the password in fact gives you access to some protected data, your guess is OK. After all, even for the "true" data on a hard disk (the one coming from the last write), the reader just "guesses" the bits on the platters to be 0s or 1s, so why is its "guess" more "factual" than any other one you can throw at it?

    "However that isn't the kind of shit that flies in court"

    On the contrary, my friend. There's nothing qualitatively different between this and DNA analysis, which is nothing more than statistics and guessing, and you see it holds in court every day (for a very valid reason).

    But, in the end, this completely goes out of the article scope: the device is just a rugged PC that can extract low level data from the hard disks as fast as possible by using the hard disk readers themselves, so its "sensibility" is just the one you get on a "usual" read, so it's nothing more than a glorified dd.
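The two points raised above, crossmr's question about an image that can't be tampered with and the "glorified dd" observation, meet in standard acquisition practice: the image is just bytes, so what makes later modification detectable is hashing the source and the image at acquisition time and keeping the hashes in a manifest. The script below is an added example, not code from the article or the TreCorder vendor; it uses a constructed 1 MiB file in place of a block device so it runs offline, and assumes `sha256sum` or `shasum` and a POSIX `dd`.

```shell
#!/bin/sh
# Added example (not from the article or the TreCorder vendor): imaging a
# drive bit-for-bit with dd and recording hashes so later tampering is detectable.
# A constructed 1 MiB file stands in for the evidence drive so this runs offline;
# on a real acquisition the source is a block device behind a write-blocker.
set -eu

WORK=$(mktemp -d)
SRC="$WORK/evidence.img"   # stands in for /dev/sdX (constructed sample)

# Build the sample "drive": zeros with one recognisable record written into it.
dd if=/dev/zero of="$SRC" bs=1024 count=1024 2>/dev/null
printf 'SECRET-RECORD-0001' | dd of="$SRC" bs=1 seek=4096 conv=notrunc 2>/dev/null

# SHA-256 of a file; falls back to shasum where coreutils sha256sum is absent.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# acquire SRC DST MANIFEST: copy every sector, make the image read-only, hash
# both sides and write the manifest. Returns 0 only if source and image match.
acquire() {
    src="$1"; dst="$2"; manifest="$3"
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null
    chmod 0444 "$dst"
    src_hash=$(hash_file "$src"); img_hash=$(hash_file "$dst")
    printf 'source=%s\nimage=%s\nsha256_source=%s\nsha256_image=%s\n' \
        "$src" "$dst" "$src_hash" "$img_hash" > "$manifest"
    [ "$src_hash" = "$img_hash" ]
}

# verify IMG MANIFEST: recompute the image hash and compare with the recorded one.
verify() {
    recorded=$(sed -n 's/^sha256_image=//p' "$2")
    [ "$(hash_file "$1")" = "$recorded" ]
}

acquire "$SRC" "$WORK/disk.dd" "$WORK/disk.manifest" && echo "acquired: source and image hashes match"
verify "$WORK/disk.dd" "$WORK/disk.manifest" && echo "image verified against manifest"

# Simulate a later modification of the image (one byte) and show verify now fails.
chmod 0644 "$WORK/disk.dd"
printf 'X' | dd of="$WORK/disk.dd" bs=1 seek=4096 conv=notrunc 2>/dev/null
verify "$WORK/disk.dd" "$WORK/disk.manifest" || echo "image no longer matches manifest: tampering detected"
```

The read-only permission only guards against accidental edits; the manifest, stored apart from the image and witnessed or signed, is what makes a changed image provable.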
  • Re:how good is it? (Score:3, Insightful)

    by gweihir ( 88907 ) on Sunday September 09, 2007 @02:01PM (#20529855)
    An electron microscope can pick up even the faintest of magnetic fields. The weaker the field, the more times it's been overwritten.

    But the magnetic landscape is noisy and there is a smallest stable magnetic intensity. After one overwrite it is very likely that the residual magnetisation from the earlier data vanishes in the noise and is too small to be stable, at least for current disks. Remember that the HDD manufacturers have been storing very close to the material limits for some time now.
