Question about "forensic software".


Frank Martin

I read in the papers how police have a division dedicated to
the investigation of computer HDDs.

This seems to involve the taking of an "image" of the hard
drive which is then analysed for sensitive info.

Evidently there is also specialist software dedicated to
this task.

My questions are:

How good are these procedures?
Can they extract passwords from the HDD?
Can they detect virtual partitions on the HDD?
Is there any overall defence against these procedures?

Please help, Frank
 
Frank said:
I read in the papers how police have a division dedicated to
the investigation of computer HDDs.

This seems to involve the taking of an "image" of the hard
drive which is then analysed for sensitive info.

Evidently there is also specialist software dedicated to
this task.

My questions are:

How good are these procedures?

Very good.
Can they extract passwords from the HDD?
Absolutely.

Can they detect virtual partitions on the HDD?
Absolutely.

Is there any overall defence against these procedures?

A good attorney/barrister/lawyer (criminal, divorce, or otherwise).
 
Most anything can be extracted from a hd, depending what resources you want
to throw at it
Data has even been recovered from physically smashed disk fragments
Encryption can cause them problems
 
I am at a loss for want of a solution. Even encryption
requires a password which must exist in some form or other
on the HDD.

Can a password for encryption be stored on some other
separate media without any trace of it evident on the HDD?

Desperate.
Frank
 
Yes, it's called a piece of paper kept in a safe.

Aside from legal considerations, there are two issues with respect to
data security:
1. Is data that is to be available for your use secure if the computer
is physically in the hands of someone else?
2. Is data that is no longer useful securely erased?

The latter case is far easier. The most secure method of data disposal
is to physically destroy the disk. If you are concerned that someone may
extract data from shards of a broken disk (remember what the Iranian
students did to shredded documents), then the disks should be
melted/burned in an appropriate furnace.

The former case requires encryption. These days, encryption is available
that *probably* is not crackable by most means, although no one really
knows what the NSA is capable of. See
http://en.wikipedia.org/wiki/Pretty_Good_Privacy

What's more likely, however, is poor key management technique will reveal
the key or poor encryption discipline will result in the presence on the
disk of some non-encrypted version of encrypted material. The latter is
how many historical encryptions were broken.
 
Thank you. My concern is that any password will be stored
on my machine, in some form, which may be cracked by some
latest method.

Clearly the password must be stored on my computer for the
password entry to be validated.

From Wikipedia:
***
A common approach stores only a "hashed" form of the
plaintext password. When a user types in a password on such
a system, the password handling software runs through a
cryptographic hash algorithm, and if the hash value
generated from the user's entry matches the hash stored in
the password database, the user is permitted access. The
hash value is created by applying a hash function (for
maximum resistance to attack this should be a cryptographic
hash function) to a string consisting of the submitted
password and, usually, another value known as a salt. The
salt prevents attackers from easily building a list of hash
values for common passwords. MD5 and SHA1 are frequently
used cryptographic hash functions.
***

So now I ask a question:

Can encryption software of my choice be utilized from
removable media, such as a flash drive, which can also store
the password for later validation?

In other words only the encrypted files are on the computer,
and not the encryption software nor the hashed or plaintext
password.

I regularly use "East-Tec Eraser 2008" to wipe the HDD
once/week of all free space. This takes about 8 hours.

Regards, Frank
 
Frank said:
Thank you. My concern is that any password will be stored
on my machine, in some form, which may be cracked by some
latest method.

Clearly the password must be stored on my computer for the
password entry to be validated.

From Wikipedia:
***
A common approach stores only a "hashed" form of the
plaintext password. When a user types in a password on such
a system, the password handling software runs through a
cryptographic hash algorithm, and if the hash value
generated from the user's entry matches the hash stored in
the password database, the user is permitted access. The
hash value is created by applying a hash function (for
maximum resistance to attack this should be a cryptographic
hash function) to a string consisting of the submitted
password and, usually, another value known as a salt. The
salt prevents attackers from easily building a list of hash
values for common passwords. MD5 and SHA1 are frequently
used cryptographic hash functions.
***

So now I ask a question:
Can encryption software of my choice be utilized from
removable media, such as a flash drive, which can also store
the password for later validation?

In other words only the encrypted files are on the computer,
and not the encryption software nor the hashed or plaintext
password.

I regularly use "East-Tec Eraser 2008" to wipe the HDD
once/week of all free space. This takes about 8 hours.

Either you work in some high-security job and your IT department sucks or
you are into some massively illegal activities and you should take some of
those ill-gotten gains and get better IT support. ;-)

If you type it on your computer - there is likely a way to retrieve it
(either in real-time or cached someplace/not erased.) You can use
encryption tools like TrueCrypt to protect your data. If you want more
information, it is obvious you have the time to do a little research in what
can/cannot be done and how to protect your data safely (meaning you don't
lose access to your own data.)

Other than encryption (and even there - nothing is definite) - if someone
obtains physical access to your machine with time/effort they can get all
sorts of information no matter how careful you think you have been...

Truthfully - I have to ask what you might have that is so delicate as to
warrant such extreme measures and why - if you have such information - your
IT department is unavailable to assist you?

There is no completely safe method on a computer (or otherwise really) to
protect information other than not having it or only having it in your
head - and depending on your limits - that may be extracted as well. ;-)
 
Frank said:
I read in the papers how police have a division dedicated to
the investigation of computer HDDs.

This seems to involve the taking of an "image" of the hard
drive which is then analysed for sensitive info.

Evidently there is also specialist software dedicated to
this task.

My questions are:

How good are these procedures?

Quite good
Can they extract passwords from the HDD?
Yes

Can they detect virtual partitions on the HDD?

One doesn't need any special software for that.
Is there any overall defence against these procedures?

Destroy the hard drive (shredding or melting it) before the police can
acquire it.


--

Bruce Chambers

Help us help you:


http://support.microsoft.com/default.aspx/kb/555375

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin

Many people would rather die than think; in fact, most do. ~Bertrand Russell

The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot
 
Thank you. My concern is that any password will be stored
on my machine, in some form, which may be cracked by some
latest method.

Clearly the password must be stored on my computer for the
password entry to be validated.

Not necessarily. The decryption algorithm can decrypt the encrypted
data using the password provided regardless of the password's
validity. But an invalid password should result in the decrypted data
being no more intelligible than the encrypted data it came from.

From Wikipedia:
***
A common approach stores only a "hashed" form of the
plaintext password. When a user types in a password on such
a system, the password handling software runs through a
cryptographic hash algorithm, and if the hash value
generated from the user's entry matches the hash stored in
the password database, the user is permitted access. The
hash value is created by applying a hash function (for
maximum resistance to attack this should be a cryptographic
hash function) to a string consisting of the submitted
password and, usually, another value known as a salt. The
salt prevents attackers from easily building a list of hash
values for common passwords. MD5 and SHA1 are frequently
used cryptographic hash functions.
***

So now I ask a question:

Can encryption software of my choice be utilized from
removable media, such as a flash drive, which can also store
the password for later validation?

Depends on which software you choose. There is probably some brain
dead application available for download which will run only if it is
on your C drive. There may even be some that are USB intolerant. If
the USB tolerant software is installed on your flash drive, it is your
responsibility to insure that your flash drive always has the same
drive letter. And storing the password may not be necessary.

In other words only the encrypted files are on the computer,
and not the encryption software nor the hashed or plaintext
password.

Have you considered putting the encrypted data on the flash drive? As
noted below, keeping the password off the drive may not be possible
but it would be useless without the data to decrypt.

Anything that is input to the computer will go through some system
memory buffer. Windows uses a virtual memory model and memory can be
swapped out to the page file "randomly." There is a (hopefully) small
non-zero probability that the password you entered has been written to
the page file.
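The point made above, that a password need not be stored anywhere for a wrong one to be detected, in code. This is an added example, not anything posted in the thread: only a random salt and an authentication tag sit beside the ciphertext, the key is re-derived from the password on each use, and an HMAC-SHA256 counter-mode keystream stands in for a real cipher (a vetted AEAD such as AES-GCM from a crypto library would be used in practice; the iteration count is a constructed value).

```python
"""Password-based encryption with no stored password or password hash:
the salt and tag live beside the ciphertext, the password only ever
re-derives the key. Added example, standard library only."""
from __future__ import annotations

import hashlib
import hmac
import os

SALT_LEN = 16
TAG_LEN = 32
ITERATIONS = 200_000  # constructed value; tune to the hardware


def _derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """PBKDF2 turns password + salt into 64 bytes: an encryption key and a
    MAC key. Neither is written to disk; only the salt is."""
    material = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, salt: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC(key, salt || i).
    Stand-in for a real cipher so the example runs without extra libraries."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, salt + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(password: str, plaintext: bytes) -> bytes:
    """On-disk layout: salt || ciphertext || tag. No password material."""
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    ks = _keystream(enc_key, salt, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag


def raw_decrypt(password: str, blob: bytes) -> bytes:
    """Decrypts with whatever password is given and skips the tag check:
    a wrong password is not detected, it simply yields garbage."""
    salt, ct = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN]
    enc_key, _ = _derive_keys(password, salt)
    ks = _keystream(enc_key, salt, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def decrypt(password: str, blob: bytes) -> bytes | None:
    """Checks the tag before decrypting; returns None for a wrong password
    or a modified blob. The check needs no stored copy of the password."""
    salt, ct, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(enc_key, salt, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


if __name__ == "__main__":
    blob = encrypt("correct horse", b"ledger entries")
    assert decrypt("correct horse", blob) == b"ledger entries"
    assert decrypt("wrong", blob) is None
    print(raw_decrypt("wrong", blob))  # unintelligible bytes, as the post says
```

Because nothing about the password is kept, a forgotten password is unrecoverable here: there is no stored hash to attack and no reset path, which is the "don't lose access to your own data" half of the trade-off raised earlier in the thread.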
 
Why would you look on a public newsgroup for XP about forensic software?
Got a couple truckloads of trashed computers (PCs & Macs) you want to
pull SSNs, ccs and other info from?

You aren't FBI for F-anything or you wouldn't ask such a question in a
specific OS and public newsgroup. You're not part of some large company
with a full blown IT department or you wouldn't come here for the same
reasons. As expensive as forensic software is, you are VERY unlikely to
find anyone who has the "real thing" on a public newsgroup. You need to
go to the companies that produce and support such software as there are
many different sorts. There will, BTW, be proof of Identity necessary
in order to purchase such ware unless you can find a warez or other type
of contact. If you know anyone in Quantico or VA you might have a very
slight chance of getting it but be prepared to pay cash and lots of it.
You also have no worries you mentioned about the many types of
encryption that exist legally and illegally, so I must assume from that
you are looking to do forensics on the joe-blow types of machines.

For all the reasons above, I wouldn't give any more information than is
already there and mentioned. It IS possible, depending on how deep your
pockets are and how illegal you want to get and whether you want to be
associated with that sort of person. If it's joe-blow's data you want,
there are many ways. If it's protected data of any kind, it's all a big
"depends" thing.

Since I'm pretty sure you're no more than a joe-blow yourself, the first
thing you need to do is learn how to research a subject. You don't do
it by asking an off-topic question on a public newsgroup where three
simple subpoenas for the chain would reveal who you were very quickly.
So rather than waiting for someone to hand you the answer, go get it
yourself in the right way. It's called research.

Twayne`
 
Frank said:
Thank you. My concern is that any password will be stored
on my machine, in some form, which may be cracked by some
latest method.

Clearly the password must be stored on my computer for the
password entry to be validated.
<much snippage>

Actually, no, the password need not be stored on the computer. Read up
on public key cryptography.
http://en.wikipedia.org/wiki/Public-key_cryptography

But you have made a lot of us (and this newsgroup is publicly available
to *anyone* with a connection to the Internet including, no doubt, the
authorities in Melbourne, Australia), curious about what you're doing.
 
Frank Martin said:
I read in the papers how police have a division dedicated to the
investigation of computer HDDs.

This seems to involve the taking of an "image" of the hard drive which is
then analysed for sensitive info.

Evidently there is also specialist software dedicated to this task.

My questions are:

How good are these procedures?
Can they extract passwords from the HDD?
Can they detect virtual partitions on the HDD?
Is there any overall defence against these procedures?

Please help, Frank

The only really likely reason I can think of for needing help
on an individual basis with this issue is being, knowing or
abetting a child-porn collector and distributor. But I'll be
charitable and assume a legal need.

Anyone with a serious security need who keeps decryption
passwords on the same drive as the encrypted material
has not thought the problem through. The best place for
storing a password is in a human brain. First problem:
brains forget, so you need a backup in a secure place.
Someone suggested a piece of paper in a safe. Fine,
so long as the forensic software user doesn't know where
the safe is or has no power to have it opened. A piece of
paper in a _really_ unlikely place could be better. For
paper-haters, a flash drive can be hidden or safe-deposited
too, and some are so small they need virtually no space
to store in. Assuming a safe or safety deposit box could
be opened under warrant, and "unlikely place" storage is
opted for, the location used should be known only in the
aforementioned human brain.

Then comes the second problem, that money, sex or
"implemented interrogation" can be used to retrieve the
information in a human brain, depending on the
serious-mindedness of those wanting to do the retrieval.
 
Frank said:
Thank you. My concern is that any password will be stored
on my machine, in some form, which may be cracked by some
latest method.

Clearly the password must be stored on my computer for the
password entry to be validated.

From Wikipedia:
***
A common approach stores only a "hashed" form of the
plaintext password. When a user types in a password on such
a system, the password handling software runs through a
cryptographic hash algorithm, and if the hash value
generated from the user's entry matches the hash stored in
the password database, the user is permitted access. The
hash value is created by applying a hash function (for
maximum resistance to attack this should be a cryptographic
hash function) to a string consisting of the submitted
password and, usually, another value known as a salt. The
salt prevents attackers from easily building a list of hash
values for common passwords. MD5 and SHA1 are frequently
used cryptographic hash functions.
***

So now I ask a question:

Can encryption software of my choice be utilized from
removable media, such as a flash drive, which can also store
the password for later validation?

In other words only the encrypted files are on the computer,
and not the encryption software nor the hashed or plaintext
password.

I regularly use "East-Tec Eraser 2008" to wipe the HDD
once/week of all free space. This takes about 8 hours.

Regards, Frank

It depends on how determined an opponent is, and how much money
they have to spend, as to how easily they can get to your data.
Say, for example, you have the world's best encryption technology.
Now, I enter your premises, and place a wireless webcam with
battery pack, above your work area. You type the password
into your keyboard, while I'm watching you on video. Doesn't
matter where the password is stored or not stored, now I have
your password. I'll be kicking in the door any moment now...
3.. 2.. 1..

You should be more paranoid.

The FBI has used a Trojan program, sent in an email, to get
information from a suspect. If they log all your keypresses,
they get the password(s). Presumably, the mechanism used, is
not detected by common AV programs. (Since the Trojan is not
used that often, is not propagated, there is no reason
for the AV companies to have a copy of it.)

http://blog.misec.net/2007/07/31/3/

Maybe the sensitive information simply shouldn't be stored on
a computer.

Paul
 
Frank said:
Thank you. My concern is that any password will be stored
on my machine, in some form, which may be cracked by some
latest method.

Passwords are never stored in the clear. They are encrypted just like the
data they protect. If the authorities could crack the password, they could
crack the protected material, and, therefore, wouldn't NEED the password.

That, however, will not save you. You can be compelled to provide the
password (or stay jailed in contempt of a court order) until you do.
 
HeyBub said:
Passwords are never stored in the clear. They are encrypted just like the
data they protect. If the authorities could crack the password, they could
crack the protected material, and, therefore, wouldn't NEED the password.

That, however, will not save you. You can be compelled to provide the
password (or stay jailed in contempt of a court order) until you do.

Well, I brought up sex, money or violence. But yeah, legal
compulsion would crack quite a few people (as would
blackmail or its government-implemented equivalent).
However, there's a small matter, assuming this is happening
in the US, of the Fifth Amendment -- or in other countries,
the right not to testify against oneself or otherwise supply
information just because the state wants it. Not that I've
faced the actual problem, but I think my response to being
asked what the password is would be either silence or "no
comment" -- I'd avoid any form of words which amounted to
an actual refusal, to avoid complications.
 
Anthony said:
Well, I brought up sex, money or violence. But yeah, legal
compulsion would crack quite a few people (as would
blackmail or its government-implemented equivalent).
However, there's a small matter, assuming this is happening
in the US, of the Fifth Amendment -- or in other countries,
the right not to testify against oneself or otherwise supply
information just because the state wants it. Not that I've
faced the actual problem, but I think my response to being
asked what the password is would be either silence or "no
comment" -- I'd avoid any form of words which amounted to
an actual refusal, to avoid complications.

You make, on its face, a good point. However, this particular issue has
percolated up to the federal courts. The courts hold that compelling a
password is no different from compelling a combination to a safe, access to
numbered Swiss accounts, and similar.

It's not like "Where's the body?" They've already GOT the body (the
computer). It's more like "Hand me the shovel."

See Fisher v. U.S.
http://supreme.justia.com/us/425/391/

And directly on point, Boucher II
http://federalevidence.com/pdf/2009/03-March/InreBoucherII.pdf
 
HeyBub said:
You make, on its face, a good point. However, this
particular issue has percolated up to the federal courts.
The courts hold that compelling a password is no different
from compelling a combination to a safe, access to
numbered Swiss accounts, and similar.

It's not like "Where's the body?" They've already GOT the
body (the computer). It's more like "Hand me the shovel."

See Fisher v. U.S.
http://supreme.justia.com/us/425/391/

And directly on point, Boucher II
http://federalevidence.com/pdf/2009/03-March/InreBoucherII.pdf

It's all so complicated. I think I'll go with the
removable extra HDD that I will use only when needed, and
then hide it (heavily encrypted) in the doghouse.
 
Twayne said:
Why would you look on a public newsgroup for XP about
forensic software? Got a couple truckloads of trashed
computers (PCs & Macs) you want to pull SSNs, ccs and
other info from?

You aren't FBI for F-anything or you wouldn't ask such a
question in a specific OS and public newsgroup. You're
not part of some large company with a full blown IT
department or you wouldn't come here for the same reasons.
As expensive as forensic software is, you are VERY
unlikely to find anyone who has the "real thing" on a
public newsgroup. You need to go to the companies that
produce and support such software as there are many
different sorts. There will, BTW, be proof of Identity
necessary in order to purchase such ware unless you can
find a warez or other type of contact. If you know anyone
in Quantico or VA you might have a very slight chance of
getting it but be prepared to pay cash and lots of it. You
also have no worries you mentioned about the many types of
encryption that exist legally and illegally, so I must
assume from that you are looking to do forensics on the
joe-blow types of machines.

For all the reasons above, I wouldn't give any more
information than is already there and mentioned. It IS
possible, depending on how deep your pockets are and how
illegal you want to get and whether you want to be
associated with that sort of person. If it's joe-blow's
data you want, there are many ways. If it's protected
data of any kind, it's all a big "depends" thing.

Since I'm pretty sure you're no more than a joe-blow
yourself, the first thing you need to do is learn how to
research a subject. You don't do it by asking an
off-topic question on a public newsgroup where three
simple subpoenas for the chain would reveal who you were
very quickly. So rather than waiting for someone to hand
you the answer, go get it yourself in the right way.
It's called research.

Twayne`


I'm on top of it. I have a copy of "Evidence Eliminator"
and I am studying it assiduously.

So far I have turned off the hibernation facility and
deleted the file "hiberfil.sys".
 