Tech Forensics Take Center Stage in Manning Pre-Trial
smitty777 writes with some updates from Bradley Manning's Article 32 hearing: "Wired has been reporting all [yester]day on the prosecution's technological evidence against Bradley Manning. The first is on the technology and techniques used by Manning. In the second, the examiners admit they didn't find any matching cables on Manning's computer. And finally, evidence that Manning chatted directly with Assange himself."
The prosecution was able to access chat logs and other bits of evidence (which had been deleted, but not scrubbed from the disk) thanks to PFC Manning's use of the same password for his OS login and encryption passphrase. Oops.
Re:Military vs. Civilian Justice (Score:5, Informative)
Re:Info Doesn't Add Up (Score:4, Informative)
Somehow you missed the very next line of the article ....
All the data that Johnson was able to retrieve from un-allocated space came after that overwrite, he said.
Re:Not so fast... (Score:3, Informative)
Overwriting with zeros could leave some evidence of the previous data, e.g. (w/ a 1/100th retention: 0.010031 and 0.0073).
Amplify those by 100 and you get back your 1.0031 and 0.073. It takes a very sensitive head, multiple reads, and a totally different drive enclosure, but you get the basic idea.
So, what if you write over the data with pseudo random noise? That's better, but not quite good enough. The problem is that we know what the "top layer" of data is, so we can subtract out that layer of noise.
E.g.: Let's say we have a multiple zero written surface, we're starting from scratch, and we write: 1010
    1.0   0.0   1.0   0.0
Now, let's say that we overwrite this with 1100
    1.01  1.00  0.01  0.00
We can read back the 1100 and subtract the noise from our signal.
    0.01  0.00  0.01  0.00
Amplify the signal by a gain of 100.
    1.0   0.0   1.0   0.0
With VERY sophisticated and sensitive gear you could even read back data after multiple writes. The best part is that the CRC checksums of the sectors will help you verify the data is correct. It's best to overwrite multiple times with a good source of (pseudo)randomness, like a cipher in CBC mode with a strong key and pseudo-random data stream. I'd say 3 times would be more than enough to obfuscate the data, but what do I know?
Now, a factor of 100 is a gross simplification for example purposes only. This was a bigger concern with older hard drives; modern hard drives store the magnetic fields in such a way that it's even harder to recover, but the truth is it's not digital. It's still analog underneath, and subject to the same type of retrieval practices with very good gear.
SSDs use wear leveling, so overwriting data does nothing but place the new data somewhere else, leaving the old data intact.
In any event, if you want the data really gone, just hit it with a hammer a few times... Thermite may attract more attention than it's worth.
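As an added illustration of the layered-residue model in the comment above (this is not the commenter's code), the following Python script treats each overwrite as leaving a fixed fraction of the previous analog level underneath the new bit, adds a read-noise floor, and runs the read/subtract/amplify procedure once per pass. RETENTION and READ_NOISE are constructed assumptions, not measurements of any drive, and the keyed pseudo-random overwrite pattern is a stand-in for the cipher-based stream the comment suggests. What the model shows is that a single pass, zeros or random, is peeled off as long as the residue sits above the noise floor, while every further pass multiplies the residue by the retention factor again until it is lost in read noise; the number of passes that is "enough" is therefore a property of the drive's retention and the reader's sensitivity, which is exactly the uncertainty the comment's closing question leaves open.

```python
"""Toy model of the layered-residue argument (added example, not from the original post).

Assumptions (constructed, not measurements): each overwrite leaves RETENTION times the
previous analog level underneath the new bit, and a single read of a cell carries
Gaussian noise of standard deviation READ_NOISE. Neither value describes a real drive.
"""
import hashlib
import hmac
import random

RETENTION = 0.01    # assumed: 1/100th of the old level bleeds through an overwrite
READ_NOISE = 0.002  # assumed: noise floor of one read of one cell
CELLS = 4096        # number of bits in the toy "sector"


def keystream_bits(key: bytes, pass_index: int, n: int) -> list:
    """Pseudo-random overwrite pattern derived from a secret key (HMAC-SHA256 in counter mode)."""
    bits = []
    counter = 0
    while len(bits) < n:
        block = hmac.new(key, f"{pass_index}:{counter}".encode(), hashlib.sha256).digest()
        for byte in block:
            bits.extend((byte >> i) & 1 for i in range(8))
        counter += 1
    return bits[:n]


def overwrite(levels: list, bits: list) -> list:
    """Analog level of every cell after writing `bits` on top of the existing `levels`."""
    return [b + RETENTION * old for b, old in zip(bits, levels)]


def peel(read: list, passes: int) -> list:
    """The analyst's procedure from the comment: take the top layer (what a normal read
    returns), subtract it, amplify by 1/RETENTION, repeat once per overwrite pass, then
    threshold what is left. Read noise is amplified by the same gain at every step."""
    signal = list(read)
    for _ in range(passes):
        top = [1 if v > 0.5 else 0 for v in signal]
        signal = [(v - t) / RETENTION for v, t in zip(signal, top)]
    return [1 if v > 0.5 else 0 for v in signal]


def simulate(passes: int, pattern: str = "random", seed: int = 1) -> float:
    """Fraction of the original secret bits that peeling recovers after `passes`
    overwrites with zeros or with keyed pseudo-random data (deterministic per seed)."""
    rng = random.Random(seed)
    secret = [rng.getrandbits(1) for _ in range(CELLS)]
    key = bytes(rng.getrandbits(8) for _ in range(32))   # 256-bit wipe key, never reused
    levels = overwrite([0.0] * CELLS, secret)            # secret written on a zeroed surface
    for p in range(passes):
        layer = [0] * CELLS if pattern == "zeros" else keystream_bits(key, p, CELLS)
        levels = overwrite(levels, layer)
    read = [v + rng.gauss(0.0, READ_NOISE) for v in levels]  # one noisy read per cell
    recovered = peel(read, passes)
    return sum(r == s for r, s in zip(recovered, secret)) / CELLS


if __name__ == "__main__":
    for passes, pattern in [(0, "zeros"), (1, "zeros"), (1, "random"), (2, "random"), (3, "random")]:
        rate = simulate(passes, pattern)
        print(f"{passes} pass(es) of {pattern:6}: {rate:.3f} of the secret bits recovered")
```

Run the file to print the recovery rate per scenario. Lowering READ_NOISE (or averaging several reads per cell, which shrinks the noise by the square root of the read count) stands in for the "very sensitive head, multiple reads" the comment mentions, and lets you see how the pass count needed to reach chance level moves with the assumed gear. Wear-levelled SSDs are outside this model entirely, as the comment already notes.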
Re:Not so fast... (Score:4, Informative)
Yeah, there are lots of ways to screw up, but swap is one of the easiest things to get right. Since the user doesn't need to know a key, the machine can pick a totally random one (256 real bits, no guessable passphrase with less actual entropy) for it at every boot. Swap can be as solid as your best symmetric cipher, and that's pretty damn good. All the PK used on the internet will fail long before this level of tech does. Set things up right and swap may be the #1 safest place on your disks, the catch being that you lose it every time you reboot. ;-)
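As an added check for the setup described in the comment above (this is not the commenter's code), the following Python script audits two constructed samples of /proc/swaps and /etc/crypttab: every active swap area should be a dm-crypt mapping under /dev/mapper, and each crypttab swap entry should draw its key from /dev/urandom so the machine picks a fresh random key at every boot, with an explicit cipher and a key size that leaves at least 256 effective bits (XTS splits the configured key in half, so size=512 is what gives AES-256-XTS). The field layout and the swap, cipher= and size= options follow Debian's crypttab(5); the sample file contents are constructed for the example.

```python
"""Audit whether swap is encrypted with a fresh random key each boot (added example).

Two inputs a defender can read on a Linux host:
  * /proc/swaps   -- active swap areas; anything not under /dev/mapper/ is plaintext
  * /etc/crypttab -- mappings with the `swap` option should use /dev/urandom as key source
The samples below are constructed for this example; the crypttab field layout
(target, source, key file, options) follows Debian's crypttab(5).
"""

SAMPLE_PROC_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/mapper/cswap                       partition\t8388604\t0\t-2
/dev/sda3                               partition\t4194300\t0\t-3
"""

SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
cswap     /dev/sda2   /dev/urandom          swap,cipher=aes-xts-plain64,size=512
oldswap   /dev/sdb1   /etc/keys/swap.key    swap,cipher=aes-cbc-essiv:sha256,size=128
root      /dev/sda1   none                  luks
"""

MIN_EFFECTIVE_BITS = 256   # the bar the comment sets: "256 real bits"


def plaintext_swap_areas(proc_swaps: str) -> list:
    """Active swap areas that are not dm-crypt mappings (raw partitions or swap files)."""
    found = []
    for line in proc_swaps.splitlines()[1:]:   # first line is the column header
        if not line.strip():
            continue
        name = line.split()[0]
        if not name.startswith("/dev/mapper/"):
            found.append(name)
    return found


def parse_options(options: str) -> dict:
    """Turn 'swap,cipher=aes-xts-plain64,size=512' into a dict; bare flags map to True."""
    parsed = {}
    for item in options.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            parsed[key] = value
        elif item:
            parsed[item] = True
    return parsed


def audit_crypttab(crypttab: str) -> dict:
    """Map each crypttab swap target to its list of findings (empty list = looks right)."""
    findings = {}
    for line in crypttab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                      # no options field, so it cannot carry `swap`
        target, _source, keyfile, options = fields[:4]
        opts = parse_options(options)
        if "swap" not in opts:
            continue
        problems = []
        if keyfile not in ("/dev/urandom", "/dev/random"):
            problems.append(f"key read from {keyfile} instead of a fresh random key each boot")
        cipher = opts.get("cipher")
        if cipher is None:
            problems.append("cipher not set explicitly (relies on cryptsetup's compiled-in default)")
        if "size" not in opts:
            problems.append("key size not set explicitly (relies on cryptsetup's compiled-in default)")
        else:
            size = int(opts["size"])
            # XTS uses half of the configured key as the tweak key
            effective = size // 2 if cipher and "xts" in cipher else size
            if effective < MIN_EFFECTIVE_BITS:
                problems.append(f"effective key is {effective} bits, below the {MIN_EFFECTIVE_BITS}-bit bar")
        findings[target] = problems
    return findings


if __name__ == "__main__":
    for area in plaintext_swap_areas(SAMPLE_PROC_SWAPS):
        print(f"plaintext swap active: {area}")
    for target, problems in audit_crypttab(SAMPLE_CRYPTTAB).items():
        print(f"{target}: {'ok' if not problems else '; '.join(problems)}")
```

To run it against a real host, read /proc/swaps and /etc/crypttab into the two functions instead of the constructed samples; a raw partition listed in /proc/swaps, or a swap mapping whose key file is a path on disk rather than /dev/urandom, is the kind of mistake the comment is warning about.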