Schneier on Security
A blog covering security and security technology.
« Man-in-the-Middle Attacks |
| Congratulations to our Millionth Terrorist! »
July 15, 2008
Using a File Erasure Tool Considered Suspicious
By a California court:
The designer, Carter Bryant, has been accused by Mattel of using Evidence Eliminator on his laptop computer just two days before investigators were due to copy its hard drive.
Carter hasn't denied that the program was run on his computer, but he said it wasn't to destroy evidence. He said he had legitimate reasons to use the software.
But the wiper programs don't ensure a clean getaway. They leave behind a kind of digital calling card.
"Not only do these programs leave a trace that they were used, they each have a distinctive fingerprint," Kessler said. "Evidence Eliminator leaves one that's different from Window Washer, and so on."
It's the kind of information that can be brought up in court. And if the digital calling card was left by Evidence Eliminator, it could raise some eyebrows, even if the wiper was used for the most innocent of reasons.
I have often recommended that people use file erasure tools regularly, especially when crossing international borders with their computers. Now we have one more reason to use them regularly: plausible deniability if you're accused of erasing data to keep it from the police.
Posted on July 15, 2008 at 1:36 PM
• 67 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"Now we have one more reason to use them regularly: plausible deniability if you're accused of erasing data to keep it from the police."
So why not just store the data in a hidden volume in TrueCrypt?
Even when the outer volume is mounted, it is impossible to prove
whether there is a hidden volume within it or not, because free space on any TrueCrypt volume is
always filled with random data when the volume is created and no part of the (dismounted) hidden
volume can be distinguished from random data.
No need to erase anything.
Well, the article says that, depending on the progam (or on the program's name) he would face different consequences. That is the disturbing part.
Best hopes for that being just a case of bad journalism.
:) it's not too big of a deal though if you have nothing to hide from the police...
If use of an eraser is suspicious, then so is use of TrueCrypt.
Just have a legitimate reason to store some big files, enough to fill the disk. Kind of gives new meaning to the phrase "in the clear".
For bonus points, forge some saved email, then delete it: love notes from a pop star, a discreet message from the opposing attorney (first name only) soliciting/offering a bribe, heartfelt thanks and a pledge of indebtedness from a local mob boss for that thing with the guy, be creative!
@FDHY: Or if you practice good security by using the programs and the police THINK you have something to hide.
@1915b0nd: So why not just store the data in a hidden volume in TrueCrypt?
Because even if the file is stored in a hidden volume, if you open it in almost any program temporary files and other traces containing its contents may be left on the main volume of the hard drive. You still need to get rid of those.
You also need to get rid of any file histories that include paths ("Mr. Smith, can you explain this file, deepsecrets.doc, and where this drive z: is that the file is listed on?").
I'm more interested in the traces the file erasers leave on the machine. Is there a good summary of this issue anywhere?
If you're going to use a file eraser tool, and you don't want to look suspicious, how about NOT using the one called "Evidence Eliminator."
I wonder what kind of fingerprint would it leave if I simply DBAN the whole disk?
But if this continues, soon they will jail everyone who uses Linux - it's a hacker tool, anyway.
You think they will stop at Linux? They won't be happy until we all bow down or are all in jail. The sad thing is that "they" are us.
You don't have to use it regularly, you just have to say you do when you do it at a suspicious moment in time.
remember, this is "You destroyed evidence 2 days before the subpoena arrived".
So unless you already have a well maintained history, of course it will be suspicious.
It seems that if they found traces of EE on the machine, it means the guy ran and then uninstalled EE. Otherwise they would have just said EE was on the machine.
Someone needs to write a program called "EE Eliminator", to remove all traces that EE has been on the machine...
I vote sloppy reporting, on both the technical and legal issues.
1. This is a civil case still in discovery, not a criminal case. No one is going to jail here.
2. It looks like the plaintiff has accused a defendant's witness of failing to produce documents under a discovery motion. If so, at this point the plaintiff can go to the judge and get an order compelling disclosure of the data if they can convince the judge that such an order is warranted.
3. The judge has wide latitude in determining whether the defendant's witness has deliberately interfered with discovery. If the judge believes the witness used the wipe program *because of* the discovery motion, it is perfectly appropriate for the judge to sanction the defendant or the witness.
4. Similarly, should this go to trial, the judge may choose to allow the litigants to argue the importance of this event and let a jury decide whether it matters, and if so, how much.
It would be helpful if the article said specifically what phase this trial is in, and what the judge said about the wipe, instead of just reporting the plaintiff's allegations.
A good way to create and read encrypted communications is to transfer the cypher text (only cypertext) back and forth from your windows (e-mail) computer to a DOS computer (dos 3.3 was a good solid one).
I wonder if the next version of Windows (Windows 7 ?) will remove the ability to read and write to the FAT file-system which will prevent people from doing this?
DOS does not write these temp files and swap files like Windows & Linux do.
So what is the difference between me wiping my financial files or a company purchasing a shredder and shredding unneeded office documents? This is ridiculous.
Won't it be enough if you just download a big chunk of 'harmless' data just to fill the space (like all the movie trailers in the apple site, or a GNU/Linux repository, or all the free apps from a download site, etc...)?
I mean, the empty space is effectively overwritten with that data, isn't it?, How much data can a recovery tool recover from the empty space if there is no free space to look at? (and if there is some kind of memory effect on the magnetic disk surface, well: rinse and repeat with different data).
And that's it, no trace of bad data, neither evidence of the use of a file erasure tool.
I periodically zero free space on my hard drives. I develop software (primarily for my own use), and have occasionally shot myself in the foot.
By zeroing free space at a "known good" point, I have been able to recover (otherwise unrecoverable) data, while minimizing false positives. This reduces the recovery process from days to hours.
I started using the technique about 10 years ago. I have benefited from it twice in the intervening years.
Considering the use of this type of tool suspicious, is like considering the possession of a scalpel by a surgeon suspicious. In other words, it's a lowest common denominator type of thinking: "I don't understand/need this, so you don't either".
Bruce - is there any file erasure tool you'd recommend?
Evidence Eliminator doesn't do a very good job eliminating evidence. Had a memory failure mess up a drive master file table here and had to get the Ontrack Data recovery tool. The file names recovered would have been good enough evidence to fire the guy for misappropiating company time in addition to not making proper backups after he had adamantly requested a CD-RW drive for that supposed purpose and then proceeded to not use it for such.
It is suspicious specifically because of its timing. If there is a documented procedure of "wiping certain files and free space every Friday" or something like that, then he has no problems at all.
Otherwise, it will be up to the courts to determine his intent.
"So why not just store the data in a hidden volume in TrueCrypt?"
Because I don't trust the security of their deniable encryption feature.
The linked article does not actually say that the court itself considers the choice of software suspicious. It sounds merely like the plaintiff has presented evidence that the guy's hard disk has been wiped, in an attempt to convince the judge/jury that foul play has been afoot.
We don't know yet whether the attempt has been successful; the jury trial is still ongoing according to the website of the U.S. District Court for the Central District of California (case no CV04-09049-SGL, presided over by the presumedly honorable Stephen G. Larson).
Without anything pointing to the contrary, it seems unlikely that the court has yet commented on the strength of the file-wiping evidence.
This all relates to data on hard drives, but how about solid state devices such as those that can be fitted in the MacBook Air and other sub-notebooks?
"So what is the difference between me wiping my financial files or a company purchasing a shredder and shredding unneeded office documents? This is ridiculous."
Not a lot, apparently: http://findarticles.com/p/articles/mi_m0DTI/...
"WHEN THE ENRON SCANDAL WAS heating up, two accountants at Arthur Andersen worried about memos and records that could implicate the firm. Suspecting a coming investigation, they geared up an existing company policy of destroying all documents not directly related to the final audit report. Soon, the company was shredding documents and deleting e-mails right and left.
That was a phenomenally bad idea. Investigators didn't buy the explanation that the firm was merely following its own document-retention policy. Whatever trouble the firm might have faced over turning a blind eye to the financial shell games played by its biggest client, destroying evidence made it far worse. The Justice Department indicted the firm for obstruction of justice. Clients fled, and one of the five biggest accounting firms in the world essentially died. There's a lesson in this for businesses large and small."
i know i'm wrong, but it feels to me like being forced to provide a laptop one works with day to day is the same as being forced to waive one's 5th amendment right to not incriminate yourself, since a laptop, to many, is an extension of themselves.
1. OS X comes with Secure Empty Trash (an overwriting program) built in. Does possession of a Mac mean intent to conceal a crime?
2. Does possession of a paper shredder mean intent to conceal a crime? Fine, then let's start with the White House, the Justice Department, and the Department of Defense. I bet we can roll up a vast interconnected network of at least 1,000,000 criminal conspirators.
"So what is the difference between me wiping my financial files or a company purchasing a shredder and shredding unneeded office documents? This is ridiculous."
There is no difference. That's the point. If I am being investigated for something and suddenly and unexpectedly purchase a shredder, shred a bunch of stuff, and then sell the shredder, there is going to be a lot of "intent" questions on the legal side. This case is no different.
"2. Does possession of a paper shredder mean intent to conceal a crime?"
No, if you have one and regularly use it. But if you suddenly purchase one, in the middle of an investigation that you know about, there are going to be a lot of questions.
I think this is a classic case of an idiot reporter talking about technology and law, when he knows nothing about either. (I'm not saying that I know much about law, but I know enough about it to realize that it operates differently from technology)
I often wonder with the American Justice system of plea bargining just how much the process effects the investigation...
For instance I think most here would agree that, although wiping files, defraging etc are legitimate activities and some consider them a sensible policy to maintain system stability etc, it would be very easy for a prosecutor to "bambozol" a jury into beliving it is suspicious activity.
As most of us have found out in the past it is difficult to prove a "negative" to our peers let alone those not of our field of endevour. And a jury is almost certainly not going to be sufficiently clued up to make a proper value judgment.
Therefor a prosecutor can use it as a method to bring pressure on a defendant be they technicaly knowledgeable or not. The prosecuter just has to point out that the jury will belive that it was an attempt to destroy evidence as there is no proof otherwise, and there for the defendent should take an offer...
That's why I only use Rainbow-Pony Fun Delete, to erase my files. That doesn't sound suspicious at all!
Real simple, I use Evidence Eliminator, PurgeIE, PurgeFox, CCleaner, EasCleaner, Unlocker, and a couple others every day, several times a day. Not only do they do an excellent job they keep my computers running well, fast, and free of anyone's prying eyes. I believe we all have an absolute to privacy. I do not hide anything, all my links to software are on my desktop.
"Not only do these programs leave a trace that they were used, they each have a
Not so with the free DBAN boot and nuke floppy or CDROM image in .iso form which you burn onto CD and boot from the CDROM or install to floppy and boot from floppy. DBAN is available for free at Sourceforge.net. Even so, the disk could then be overwritten with random data or a few installs of several Linux distros, format, random data, reinstall, etc.
Anyone failing to use encryption today to keep their data safe, especially on laptops, is a fool.
Truecrypt - free (Windows users may even encrypt entire drive and OS)
DBAN - free
GPG - free
Tor & Privoxy - both free
SSH - free
with more free options available
Seems like slashdot crowd is here.
bad blocks can be created.
digital - analog, hey I got a sound card and other electrical stuff. NEET huh?
Encoding patterns of disk.
File system type, how put 1 and 0 on.
Wear leveling might always leave a calculation...
Rootkits, if X hash, then leave a mark or bad block...
ETC, etc, ETC.
keep your info close, and your data closer...
By the time the prosecutor has gotten the case, the investigation is over, the trial has already begun.
The prosecutor can't "bamboozle" the jury, he only gets to talk directly to the jury twice, during opening and closing arguments. Other than those two times, the only thing he can do is ask questions of witnesses and experts. He can ask loaded questions to get one-sided answers, but remember that any witness/expert can be cross-examined and testimony rebutted. If the jury is "bamboozled", it's probably the fault of the defense for not doing a good enough job "unbamboozling" the jury.
The prosecutor isn't going to offer a plea deal unless there is a risk that the jury is going to vote to acquit. If a prosecutor comes up to you, in the middle of the trial, and says the jury will find you guilty of the crime... but we can make a deal ... then you should laugh and decline because you know their case is falling apart. It makes no sense for the prosecution to offer a deal if they are sure the jury will convict.
Now, before the trial, the District Attorney's office can offer a deal to a suspect. But note that at this point, there is no prosecutor and no defendant since the trial has not yet begun.
Are there any erasure tools that will clear the unused space in a Windows swap file? I've tried simply writing zeroes to it from a dual-booted operating system -- the next time you boot, Windows will say the swap file is corrupt and you have to rebuild it.
If I were the investigator, that swap file is the first place I'd look, since even PGP and its imitators can't help leaving traces there.
A comment to TrueCrypt: While it is impossible to ID it from the data found on this, it is actually very easy to itdentify strong randomness. It is a bit more difficult to identify it as cryptographically strong. Some non-crypto generators are pretty good. So unless you use a wipe software that uses cryptographically strong randomness in its last write, there will be pretty good evidence of encrypted data on your drive and you may have trouble explaining that.
On the other hand, here is the procedure I use for wiping disks: Mount under Linux with dm-crypt and a random password. Then overwrite with random data from a fast PRNG (non-crypto). This is indistinguishable from an encrypted volume without breaking the crypto. Guess I have some suspicuous disks lying around now....
TrueCrypt leaves lots of hints in your registry. For instance, if you mount your TC volume to the same drive letter every time, say X:, search your registry for X:/ entries. There will be recent files lists, AV messages, executable paths, etc. Your Event Viewer messages may also refer to the X:/ drive, as well as the AV logfiles. And those are three places you can easily look. I'm sure there are others less obvious.
"If you used an external harddrive, would that work?"
Not for hiding the clues. Your registry still records the drive letter you use to mount the drive. You *could* use a different drive letter every time and really send them looking, but the recent file names will still be visible as will the anti-virus logfiles.
You could also use something like Deep Freeze on your OS and keep your data on an external drive. Once you've done whatever to your files, unmount the TC drive or partition and then reboot, letting Deep Freeze set everything back to square one in the OS. But I wouldn't want to run a serious production workstation that way.
want to Eliminate traces use aSquared free which eliminates any traces
Running a disk eraser tool is exactly like using a document shredder. It's simply good business, unless you're an Andersen accountant, in which case you go to jail.
A possible problem with using TrueCrypt is if you keep image backups of the encrypted volume. A comparison of a backup with the current volume will show that some of the apparently unused blocks filled with random-seeming info have changed and have different random seeming info. This indicates that a hidden volume is in use i.e. it is not hidden any more.
I have not checked this. A countermeasure would be for TrueCrypt to change unused blocks anyway - but this would require knowing if a hidden volume were in place, so the hidden volume would have to be mounted *every* time you used the TrueCrypt volume, which may not be what you want.
TrueCrypt is not the panacea some people think it is.
IIRC, it is now a crime in the UK to forget the passwords to your encrypted data, in a situation where the legal system wants to see it. (Yes, I know that's ridiculous.) This is an advantage of the plausibly deniable encrypted filesystems.
@ Washer Woman
An open-source program called eraser, available from SourceForge, claims to sanitize the Windows swap file (you might have to run it from DOS).
Now everything's suspicious! delete a file means you (bad guy) want to hide something then DBAN your whole disk and probably you win a pass for Guantanamo! (@david : sorry ;-)
I do use Linux, GPG, SSH and DBAN. Sure I'am a very bad guy... Actually, I don't know EE but I wonder how it's possible to install such a tool on Mattel's Laptop, especially if the system is hardened to be compliant with internal security policy.
> "2. Does possession of a paper shredder mean intent to conceal a crime?"
> No, if you have one and regularly use it. But if you suddenly purchase one, in the
> middle of an investigation that you know about, there are going to be
> a lot of questions.
This is a very good reason to always use a secure file eraser.
For people worried about swap partitions under Unix, note that OpenBSD automatically (& completely transparently) encrypts the swap partition. (The encryption keys are kept in kernel memory, and periodically rotated.) This feature has existed as an option for many years, and has been turned on by default for about 3 years now. See http://www.openbsd.org/papers/swapencrypt.ps for details.
The 5th Amendment does not apply in civil cases, unless there's also a criminal case. This sounds like a simple matter of someone destroying evidence.
Truecrypt encrypted disk
Mounting a truecrypt hidden volume
Hides my po^h^h financial files well enough. But now the BOFH wants to know what I'm doing with a 100GB encrypted file on my work laptop.
You can tell Windows (XP anyway) to clear the page file on shutdown. Control Panel->Administrative Tools-> Local Security Policy->Local Policies->Security Options->Shutdown: Clear Virtual Memory Pagefile ... enable it
There's also Sdelete by Mark Russinovich of Microsoft, formally of SysInternals. It's a Microsoft provided tool and a little more nicely named... secure delete. We all want to be secure. Personally I think one of these erasure tools should change their name to "Identity Theft and Privacy Protector." Who wouldn't have a reason to run that?
Quote: Securely overwrite your sensitive files and cleanse your free space of previously deleted files using this DoD-compliant secure delete program.
" "So why not just store the data in a hidden volume in TrueCrypt?"
Because I don't trust the security of their deniable encryption feature."
Oooh - that's interesting. Could you go into any more detail?
drawing a conclusion this would probably mean that every unix-like OS (i.e. Linux, Mac OS X,...) could be suspicious ;-)
You can easily overwrite unused disk space simply reading from /dev/random or /dev/zero
--> cat /dev/random > /path/to/your/volume
This creates a steadily growing file (until all free space is used up) with either '0's or random data.
Well, this just reminds me of the outcome of the Arthur Anderson ruling:
"As a result of the faulty instructions, the justices ruled, the firm was convicted without proof that its shredding of documents was deliberately intended to undermine a looming Securities and Exchange Commission inquiry in fall 2001. U.S. District Judge Melinda Harmon should have instructed the jury that the law required the government to prove that Andersen knew it was breaking the law, the court ruled."
Apparently if you want to destroy a suspect, charge them with shredding or wiping...
Sorry, should have included this bit from the article cited above
"Indeed, it is striking how little culpability the [judge's] instructions required," Chief Justice William H. Rehnquist wrote in the opinion for the court. "For example, the jury was told that, 'even if [Andersen] honestly and sincerely believed that its conduct was lawful, you may find [it] guilty.' "
Sounds familiar, no?
Anderson --> Andersen
Unfortunately I am unable to wipe my mistakes in the comments...
I'd just point out that cleaning your car can be considered incriminating under suitable circumstances - e.g. if the cleaning occured between 2am, when a car very much like yours was seen fleeing a murder scene, and 4am, when the police turned up at your place with a search warrant.
Here's a useful tip. I've used this tool many times since it's integrated into Windows XP and probably on Vista too. I'm talking about cipher.exe. The tool can be used to securely overwrite random data on the disk on those areas that are marked as empty on the file allocation table. The pros:
-Exists on most windows platforms and can be used with normal user access rights (no admin required)
-Very secure, overwrites empty space three times with 0000's FFFF's and pseudorandom data
-Intended to be used when a deleted data should stay deleted
-Does not clean your registry, empty your trash can, clean windows page file, do your dishes or take out the trashes. It's not magic but it's still good.
From command prompt, type:
The program is called "evidence eliminator". If would be far less troublesome if it was called windows washer (which is cheaper).
And the trouble with all plausible deniabilty always is that they can always accuse you of doing something bad.
Just like running a tor exit node does not make you responsible for the child pron that is transferring through it, you might have spend some time in jail before they understand that.
Carter should had gone on a flight with laptop in luggage.
It will disappear and you'll have an alibi.
Pimp the system.
"Posted by: PasiK at July 17, 2008 2:24 AM"
Interesting, never had a deeper look into this and didn't expect such a feature. Free space wiping by MS.
Your PC is very likely to contain one or more of the following:
Personal data about your friends, colleagues, clients etc
Data belonging to your work, friends, etc
Porno files that you don't want your wife/girlfriend/kids to see.
You have a duty to keep a tidy computer. tell the cops that you take that duty seriously. Decide to do it now. delete trash encrypt files and wipe up the mess.
@washer woman: Installing the latest version of True Crypt disables the paging file, unless you tell it not to. Solves the issue.
Look, people; it's so easy:
"Why yes, I do use file-erasure technology on my laptop -- daily, automatically -- and so should everybody who travels. For example, you get one of those spam emails with a picture of a naked lady doing things to herself with a battery-operated device. Now, imagine, for instance, that this email was sitting in your inbox when you computer is examined at the airport of some Islamic country where you could go to jail for for smuggling pornography and "corrupting morals" or whatever excuse the corrupt flunkies need to just seize another sweet, late-model laptop.
Even if you delete the email, the picture is still sitting on your hard-drive and will remain there until it is overwritten by new data. But if you have a 500gb hard-drive, and only use about 100gb of it -- that could take a long, long, long time. Anybody running a sector-scanning file-recovery tool could find it weeks, months, maybe years later."
Hello, Mr. Schneier!
May I humbly ask you to elaborate on your concerns regarding the security of TrueCrypt's hidden volumes?
I am deeply interested in all things cryptographic, though I neither work in the field nor directly depend on products involving cryptography (well, except maybe for an occasional SSL session). I may even call cryptography my "hobby".
Because of this interest I would like to educate myself on some of the less obvious (not described in the pretty detailed TrueCrypt documentation file) potential vulnerabilities that might be present in TC's hidden volume feature.
Your help in this endeavor would be very appreciated.
File erasure in the "news." See www.law.com on March 25, 2009. Title: Busting the Multipath Erasure Myth.
Wiping is critical, incentives matter. Enough said.
Misc ramblings: Would be interesting to read about wiping with the step of using highly fragmented writes. Such a nice tool exists for some.
Gone are the days when hard drives had stickers with easy access to the platters, for custom add ons.
The rusting of a hard drive platter, sounds like drive activity, little popping sounds. Makes you think of these platters as speakers. Considering the recent Schneier article on keyboards and lasers, I wonder if a soundcard/mic on a hard drive to be another unique hollywood style exploit.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.