Re: Are computer forensics people as stupid as they seem?
- From: Anonymous via Panta Rhei <anonymous@xxxxxxxxxxxxxxxxx>
- Date: 8 Jun 2007 18:59:19 -0000
A contiguous block of "statistically random" data such as a truecrypt
volume is trivially easy to discern from free space overwritten with
"statistically random" bits. The math behind "statistically random" has
nothing to do with it. The two things are very different. If you have
any doubts about this you are of course free to step up to the plate,
meet the challenge, and provide samples for people to examine.
If it is trivially easy to determine, I would be interested in how it is
done. I imagine that the NSA (or some sort) know how to do this, but
I figured that it was carefully guarded information.
You're missing the obvious, as well as the point. The poster's "scheme"
is trivial to discern from a random wiping because one is a file and
the other is free space, for one. :)
Oh, I reread and see what you are getting at. I think you are assuming
that his method is using a file and trying to hide data in what is
already a contiguous file on disk. Well, I can't say that it's not since
I don't know exactly how he is doing it. I do know the way *I* do it with
DCPP and think that it is similar. The final step of my method is to
use DD (or whatever direct-disk data writer preferred) and take a totally
clean OS copy and write it to disk all the way from the beginning of disk
down to around 1 Gig away from the start of DCPP's hidden OS. Since the
"dummy" OS uses fat32 it seems to be valid to any forensic software I've
tried (EnCase and Access Data's FTK) and doesn't point to any hidden OS
since, ideally, it was made before any encryption software was installed.
I don't think any encryption is unbreakable. Eventually we'll have quantum
computers sitting around that would make quick work of any encryption that
we have now. And I'm sure that the NSA and similar orgs. have greater
abilities than we know. However, if we need to pick apart a "hidden"
encryption system then feel free to pick apart mine. I don't like to say
anything is totally hidden or unbreakable but I will make these claims
about mine:
1. I fully document how to do it with DCPP, people have tried it and I
have refined the procedure to make it clearer.
2. There is no known way to *prove* that there is anything but a
normal, unencrypted OS on disk (unless they video tape you getting
into it and typing in your password of course).
3. There are no encryption or security tools on disk since LEAs maintain
hash databases of known encryption/security/hacking software and flag
them immediately if they come up in an investigation.
4. There is no known way to *prove* that the boot disk you have is used
to access a hidden OS on disk (unless you have been observed doing just
that).
The procedure is on my site but I will attach it here for everyone's
edification ;):
Two Sandals
http://twosandals.wordpress.com
----------------
Fully Hidden Drive Crypt Plus Pack Installation
DCPP, which lets you encrypt your entire HD (except for the boot sector
of course), also has the ability to install a second "hidden" OS in the
free space of another, "outer", DCPP installation. How this is supposed
to work is that you keep all sensitive data off of the outer
installation and only use your inner, "hidden" installation for
sensitive work. The theory is that if you are forced to reveal your
password, you can give them the outer, fake, password and they shouldn't
be able to tell you have a second hidden OS since encrypted data in
freespace should appear to be random. You could have random data from
using a disk wiping program for instance.
The problem I have with this is that even though you have a "safe"
password to give out, any govt' investigator worth their salt will know
about DCPP's hidden OS function. If they think that this is what is
happening, I wouldn't put it past them to try to muscle/intimidate/trick
you into revealing this is the case or giving out your real password.
After working with it a while, I now have a method to have an actual DCPP
hidden OS in free space with these features:
* Actual, non password protected, bootable OS
* No trace of encryption software on the HD, including boot sectors
* Bootable only through rescue floppy/CD
Now, you can have an outer OS that can be scanned freely and should not
turn up any "red flags" except random data in freespace. But, like I
said, a disk wiping program can cause that. Many companies and savvy
individuals are routinely wiping their HDs before getting rid of them,
so this shouldn't be that unusual.
To do this, I have used two drives: the one I am preparing and another
one that contains the tools I use to prepare the first. This way,
sensitive tools (Encase, WinHex, DCPP) are never present in the "fake"
OS. Also, I am using DCPP 3.0. There are newer versions of DCPP, and
when I get a hold of them I will try to test this procedure out and make
sure it still works right. Ready? Here goes:
1. Get your target drive and wipe it. I used Darik's Boot and Nuke
(DBAN). I had two problems with DBAN: It zeroed out the drive on
its final pass; I wanted it to leave random-ish data. And second,
it didn't get the boot sector of the HD (first 63 sectors). The
drive I used was used previously for DCPP and so, had the special
boot sector. I finally just copied the boot sector from a
non-encrypted computer and used that. Verify all of this with
EnCase or WinHex
2. Format with *FAT32* (<- Very important and we can change this for
your real OS) and install Windows and all programs that you might
use and that wouldn't be suspicious. No encryption software, no
security stuff, nothing like that. Just a basic Windows
installation. If you want to make it look even more realistic then
use the system for a couple of weeks. This will be the system that
people will see when inspecting your HD.
3. Install this drive as a secondary and run a defrag. program from
another drive on this one. I used O&O Defrag (in the tools section
below) and was very impressed. You have to make sure that *no*
data gets positioned too far down the disk: everything needs to be
at the top of the drive to make the largest amount of contiguous
free space possible.
4. Copy your clean boot sector with DD like this (I have Windows DD
in the forensics acquisition tools file in the tools section below):
dd ibs=512 count=63 if=\\.\physicaldrive1 of=winbs.bin
That reads in the first 63 blocks of 512 bytes on your hard drive
and saves it in the file *winbs.bin*. This should be your boot
sector. Verify this with Encase or WinHex.
5. On your defragmented HD find the last sector that has data on it.
For a regular XP installation this should be around the 2 to 3 Gig
mark. Note the sector number in Encase (If you are using WinHex
make sure you don't get this number in HEX). Add a little to it
and then copy your entire "fake" os with a command like this.
dd ibs=512 count=YOURCOUNT if=\\.\physicaldrive1 of=origos.bin
Where *YOURCOUNT* is the last block you want to copy. Don't be
afraid to give yourself a little extra room when you copy. Note
that this is the command line for a secondary HD, your primary
should be *physicaldrive0.*
6. Now reboot with the drive you are preparing and install DCPP as a
Hidden OS. Give yourself lots of extra space when starting your
hidden OS, I did 800Megs. This way, if your real OS takes up
2.5Gigs, then your hidden OS will start at approx. the 3.3Gig
point on your disk. Read DCPP's docs on hidden OS creation but
here it is in broad strokes:
* Install DCPP on a FAT32 installation of Windows.
* Create 2 key stores in two *different* files with two
*different* keys and *different* passwords (real and fake)
* Install BootAuth (the DCPP bootsector) and encrypt the drive
with your fake keystore/key
* Reboot, log into your fake keystore with DCPP and select the
FAT32 drive. You will see the *Hidden OS* button enable,
click it:
* Give it the path to your real keystore and your real
password. As I said before give yourself lots of space
before the real OS start point. Also, you can tell it to use
NTFS and the file system for the real OS. Click "Create
Hidden OS"
* It will create a hidden OS. After it finishes, reboot using
your *real* password
* In DCPP, log into your real keystore and select your current
drive. You will have to re-encrypt at this point as the
hidden OS is created unencrypted
* Reboot and if it works, make yourself a few rescue disks as
this is how you will have to boot your system when we are
finished. Note that if you use floppies, you will need to
write protect them since if you don't then the accessed
times are modified on the disk, exposing when you last used it.
7. Make sure you have a few good boot disks. This is how you will
always have to start your real OS.
8. Reboot, using the drive used to copy the boot sectors and OS. Copy
your boot sector on your DCPP drive again. You will want to save a
copy of this boot sector in case you ever need it. For instance,
you will have to re-install it to make more DCPP boot disks, and
then re-install your "clean" boot sector.
9. Copy your clean OS back onto your DCPP drive with:
dd ibs=512 count=YOURCOUNT of=\\.\physicaldrive1 if=origos.bin
Make sure YOURCOUNT is the same as before
10. Done! That was easy huh >;->
Boot your fake OS (without your boot disk) to make sure it works.
However, you should try to not use it much at this point. You should
have a good bit of space before you would start stomping on your hidden
OS's data but it is something you shouldn't risk too often.
So at this point you should have what looks like a normal HD, free from
encryption tools or anything that would arouse suspicion, that boots
without a password and can be freely inspected (though I would use a
BIOS password to prevent curious people from starting your fake OS up
and mucking around in it). Double check your boot sector with Encase or
WinHex to make sure it contains only the Windows default boot sector. If
you see the string "DCPPBOOT" or "DCPP" you aren't completely clean. Enjoy!
~~~~~~~~~~~~~~~~~~~~~
This message was posted via one or more anonymous remailing services.
The original sender is unknown. Any address shown in the From header
is unverified. You need a valid hashcash token to post to groups other
than alt.test and alt.anonymous.messages. Visit www.panta-rhei.eu.org
for abuse and hashcash info.
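The post leaves three checks to EnCase/WinHex by hand: inspecting the 63-sector dump from step 4, finding the last used sector for YOURCOUNT in step 5, and looking for the "DCPPBOOT"/"DCPP" strings at the end. The script below is an added example, not the poster's tooling and not part of DCPP. It runs on a raw dd image; the image it works on here is constructed in memory (an MBR with one FAT32 entry, some low-entropy "dummy OS" data, free space that is either zero-filled or random-filled, and a pseudo-random block standing in for the encrypted hidden OS). The marker strings are the ones the post names; the 7.9 bits/byte threshold is a chosen value. Its last function also shows the point argued at the top of the thread: a contiguous encrypted block in zero-filled free space (what DBAN's final pass leaves) stands out as one sharply bounded high-entropy run, while the same block in random-wiped free space is not separable from its surroundings by entropy alone.

```python
"""Checks for a drive prepared the way the post describes.  Added example,
not the author's tooling and not part of DCPP.  Works on a raw dd image;
the sample image below is constructed, not a real drive."""
import math
import random
import struct
from collections import Counter

SECTOR = 512
CHUNK = 64 * 1024                      # granularity of the entropy scan
DCPP_MARKERS = (b"DCPPBOOT", b"DCPP")  # strings the post says to look for


def parse_first_sectors(dump: bytes) -> dict:
    r"""Inspect a dump made with `dd ibs=512 count=63 if=\\.\physicaldrive1`."""
    if len(dump) < SECTOR:
        raise ValueError("need at least sector 0")
    mbr = dump[:SECTOR]
    partitions = []
    for i in range(4):                 # four 16-byte primary partition entries
        entry = mbr[446 + 16 * i:462 + 16 * i]
        if entry[4] == 0:              # type byte 0 = empty slot
            continue
        start_lba, sectors = struct.unpack("<II", entry[8:16])
        partitions.append({"bootable": entry[0] == 0x80, "type": entry[4],
                           "start_lba": start_lba, "sectors": sectors})
    return {
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        "partitions": partitions,
        # any hit means the DCPP BootAuth sector is still on the drive
        "dcpp_markers": [m for m in DCPP_MARKERS if m in dump],
    }


def last_used_sector(image: bytes) -> int:
    """Highest sector index holding a non-zero byte (-1 for a blank image).
    On the defragmented dummy OS, YOURCOUNT = this + 1 plus a safety margin."""
    for idx in range((len(image) + SECTOR - 1) // SECTOR - 1, -1, -1):
        if any(image[idx * SECTOR:(idx + 1) * SECTOR]):
            return idx
    return -1


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for all-zero data, close to 8.0 for random data."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values()) if n else 0.0


def high_entropy_runs(image, chunk=CHUNK, threshold=7.9):
    """Maximal runs of consecutive chunks above threshold, as (start, end)
    byte offsets.  Chunks straddling a boundary fall below threshold, so a
    reported run lies inside the random region rather than exactly on its edges."""
    runs, start = [], None
    for off in range(0, len(image), chunk):
        if shannon_entropy(image[off:off + chunk]) > threshold:
            start = off if start is None else start
        elif start is not None:
            runs.append((start, off))
            start = None
    if start is not None:
        runs.append((start, len(image)))
    return runs


def build_sample(free_space="zero"):
    """Constructed image, not a real drive: an MBR with one FAT32 entry and
    62 unused sectors, 128 KiB of low-entropy 'dummy OS' data, 192 KiB of
    free space ('zero' or 'random'), a 256 KiB pseudo-random block standing
    in for the encrypted hidden OS, then 128 KiB more free space.
    Returns (image, hidden_start, hidden_end)."""
    rng = random.Random(7)             # reproducible stand-in for ciphertext
    mbr = bytearray(SECTOR)
    # bootable flag, arbitrary CHS, type 0x0C (FAT32 LBA), arbitrary CHS, LBA 63, length
    mbr[446:462] = bytes([0x80, 1, 1, 0, 0x0C, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 2_000_000)
    mbr[510:512] = b"\x55\xaa"
    dummy_os = (b"C:\\WINDOWS dummy FAT32 install, nothing to see here. " * 4096)[:2 * CHUNK]
    free = rng.randbytes if free_space == "random" else bytes   # bytes(n) is n zero bytes
    image = bytes(mbr) + bytes(62 * SECTOR) + dummy_os + free(3 * CHUNK)
    hidden_start = len(image)
    image += rng.randbytes(4 * CHUNK)
    hidden_end = len(image)
    image += free(2 * CHUNK)
    return image, hidden_start, hidden_end


if __name__ == "__main__":
    for mode in ("zero", "random"):
        img, h0, h1 = build_sample(mode)
        print(mode, parse_first_sectors(img[:63 * SECTOR]))
        print("  last used sector before the hidden OS:", last_used_sector(img[:h0]))
        print("  hidden block at", (h0, h1), "entropy runs:", high_entropy_runs(img))
```

Against a real drive, replace build_sample with the bytes of the step-4 dump (parse_first_sectors) or a full image read with dd (last_used_sector, high_entropy_runs); the entropy scan is only a locator, since encrypted data and a random wipe have the same per-byte statistics.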