Re: Are computer forensics people as stupid as they seem?
On Wed, 13 Jun 2007 15:50:01 -0700, linuxtestscompleted@xxxxxxxxxxxxxx
wrote:

Okay, I finally got my hands on the necessary hardware and ran a
series of tests based on some of the complaints I received. I realize
I said I wouldn't post again, but I had to address the one outstanding
issue.

1. I took 2 modern hard drives. I zeroed both out before I ran any
tests. I encrypted one with TC under Windows XP. I selected
"Harddisk1" or "Harddisk2" (devices) not the partitions (such as
\Device\Harddisk1\Partition1, etc). If you select a partition and not
a device, it won't work properly. Note that there is no requirement to
encrypt with TC under a linux platform. You can use any platform to do
the encryption, and I chose the most popular OS of all time, XP. You
can use any OS you want to create the volume (but since I've only used
Windows XP, I would suggest anyone wanting to test this use the same),
but you should use both linux and Windows to test the hard drives
after the data is written.

I wiped the other with DBAN 1.0.7, set to "prng" and stopped it after
the first round. There's no need to go beyond that.

2. I retested the drives under Windows and there were no partitions.
When I went to "Disk Management" (right click "My Computer", click on
"Manage", then click on "Disk Management"), it asked me if I wanted to
initialize the disk for both disks.

3. I tested both drives under a linux platform, and both drives showed
as "raw", unpartitioned. I did this to appease the critics who stated
that Windows may be hiding info, but I'll get back to this.

4. I tested both drives with a forensics boot CD called Helix (which
is based on Linux). I ran the Autopsy forensics browser. Both disks
appeared as "Raw" and no partition info was detected. I examined the
contents of the disks, and both showed every sector overwritten, from
sector 0 (where partition info is actually stored, in the MBR) to the
last sector.

5. I then rebooted to Windows XP, and fired up Diehard and the
Statistical Test Suite from the NIST. They are both considered the
gold standards for examining the statistical randomness of a
particular data set. If TC and DBAN data sets did not match, then you
cannot use TC and claim it was DBAN. It would be readily detected. I
took numerous samples from each of the DBAN and TC hard drives (using
the dd command). I tested each with diehard and the STS. Both showed
complete statistical randomness. More about this later.

6. Then I examined both hard drives with my all-time favorite hex
editor/forensics software, Winhex. It can do things no other software
can even dream of. Both hard drives showed every sector overwritten
(remember I zeroed them out before testing), from sector 0 to the last
sector of the drive. Remember that sector 0 holds the partition info.
If it's overwritten, there's no way a drive can be partitioned.
Neither drive was partitioned in any way.

Okay, now for some background knowledge:

If you're interested in this topic, please read
http://forums.truecrypt.org/viewtopic.php?t=3337 . It is handled by
far more competent individuals than in this forum.

1. Windows does not hide partitioning info from you, regardless of what
people here will tell you. I strongly recommend that anyone interested
in this topic use Winhex. Go to "Tools", then "Open Disk" to examine
any drive. As a caveat, always select drives that are listed under
"Physical Media" if you want to examine what the encrypted data looks
like. If you want to examine the unencrypted data, pick the drives
under "Logical Drives". If you don't do it this way, I promise you
you'll be confused as to why you're seeing unencrypted data on a drive
that you know is encrypted. And you can only see unencrypted data in
Winhex if the encrypted data is mounted.

2. Read this thread for more info about statistical randomness
http://forums.truecrypt.org/viewtopic.php?t=3337 . It's pretty
detailed, but it'll give those with some doubts some reassurance that
this has all been tested before, again, by competent individuals. It's
far more detailed than anything you'll see in this thread.

3. I also want to state that this procedure has little to do with my
technique for a hidden OS (that I might have shared had it not been
for the regulars in this group). This is just a proof of concept.

Now more about this group:

Ladies and gentlemen, I think you should demand better from the
regulars in this newsgroup. I, again, apologize that I sunk to their
level, but keep in mind I'm not a regular, and I probably won't be
back for a good long while. This type of behavior will scare away
people that have something to contribute. There are many extremely
knowledgeable people (I don't consider myself one of them) that may
want to share something but simply won't put up with this. It's bad
for this newsgroup and it's bad for the state of privacy in the world.
This type of behavior is anti-knowledge.

Thx for the effort.
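As an added example (not from the original post, nor from Winhex, Autopsy, Diehard or the NIST STS), a small triage script that mirrors steps 4 to 6 above: it checks sector 0 for an MBR signature, samples sectors evenly from the first to the last, and applies the NIST STS frequency (monobit) test plus byte entropy to judge whether a drive looks uniformly overwritten. The three disk images are constructed in-memory stand-ins (zeroed, PRNG-wiped, and wiped-but-with-an-MBR), not real drives.

```python
import math
import random
from collections import Counter

SECTOR = 512  # classic 512-byte sector, matching the post's sector numbering

def monobit_p_value(data: bytes) -> float:
    """NIST STS frequency (monobit) test: p-value for the 0/1 bit balance."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s_obs = abs(2 * ones - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte histogram; close to 8.0 for ciphertext or PRNG output."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def has_mbr_signature(sector0: bytes) -> bool:
    """A classic MBR ends in 0x55 0xAA; an overwritten sector 0 almost never does."""
    return sector0[510:512] == b"\x55\xaa"

def triage_image(img: bytes, samples: int = 16, alpha: float = 0.01) -> dict:
    """Sample sectors from sector 0 to the last sector and summarise what they look like."""
    total = len(img) // SECTOR
    samples = max(2, min(samples, total))
    idx = sorted({round(i * (total - 1) / (samples - 1)) for i in range(samples)})
    chunk = b"".join(img[s * SECTOR:(s + 1) * SECTOR] for s in idx)
    zero_sectors = [s for s in idx if not any(img[s * SECTOR:(s + 1) * SECTOR])]
    report = {
        "sectors_sampled": idx,
        "mbr_signature": has_mbr_signature(img[:SECTOR]),
        "entropy_bits_per_byte": entropy_bits_per_byte(chunk),
        "monobit_p": monobit_p_value(chunk),
        "zero_sectors": zero_sectors,  # untouched sectors betray an incomplete wipe
    }
    # Verdict: no partition table, no untouched zero sectors, near-maximal entropy,
    # and the monobit test not rejected at significance alpha (NIST default 0.01).
    report["looks_random"] = (not report["mbr_signature"] and not zero_sectors
                              and report["entropy_bits_per_byte"] > 7.9
                              and report["monobit_p"] >= alpha)
    return report

# Constructed stand-ins for the drive states in the post (not real disk images).
_rng = random.Random(42)
ZEROED_IMAGE = bytes(SECTOR * 64)                                   # zeroed before the test
WIPED_IMAGE = bytes(_rng.getrandbits(8) for _ in range(SECTOR * 64))  # PRNG wipe / ciphertext
_mbr = bytearray(WIPED_IMAGE)
_mbr[510:512] = b"\x55\xaa"
MBR_IMAGE = bytes(_mbr)                                             # still carries an MBR

if __name__ == "__main__":
    for name, img in [("zeroed", ZEROED_IMAGE), ("wiped", WIPED_IMAGE), ("mbr", MBR_IMAGE)]:
        print(name, triage_image(img))
```

A drive where every sampled sector is high-entropy and sector 0 carries no signature gives no structural hint of what wrote it, which is the point the post's steps 4 to 6 make; zero sectors or a surviving 0x55AA are what an examiner looks for first.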