More on the French Bank Hack

A year ago, I blogged about a bank hack at the center of a French national scandal.

Well, the case has taken an interesting turn. Law enforcement experts managed to retrieve incriminating evidence from the hard disk of senior intelligence General Rondot after about a year of work.

Wouldn't we all like to know the technical details of both the data shredding and forensic technologies?

Posted on July 31, 2007 at 1:10 PM • 37 Comments

Comments

J. RobertsonJuly 31, 2007 2:02 PM

Sarkozy was incriminated by files hacked out of a bank by a bogus hacker that had ties with the intelligence services. Now Chirac is incriminated by files recovered from some laptop by computer experts. Oh, and these files get leaked to the press too.

The credibility of this last event is not all that different of the credibility of the previous one, and there is way too much spin going on to know for sure. Sarkozy has ways too many buddies in the various services not to have the possibility to organize such a trick.

Before assuming that the French deployed technical wonders in order to recover these files, or that they have technology to break whatever encryption their military use (after all, this Rondot dude is a general, right?), let's first consider that the entire thing may just be made up: very convenient things often are.

VoldemortJuly 31, 2007 2:22 PM

@Bruce

"Wouldn't we all like to know the technical details of both the data shredding and forensic technologies?"

Uhmm, sorry if I'm missing the point but surely General Rondot's problem here is that he did not "shred" or otherwise properly destroy incriminating data - quite an embarrassment for a ex-spy, I'd say.

My very limited understanding of forensic detection is that if you overwrite data on modern hard disks (

I'm just guessing but I presumed that the forensic investigators obtained the evidence by something as simple as undeleting files on an NTFS volume using commercial data recovery tools.

Jean-Marc LiotierJuly 31, 2007 3:13 PM

I second J. Robertson's comment : the whole Clearstream affair is a complex web of lies and manipulations that will take a long time to unravel, if ever it is wholly understood. So let's take anything about it with a huge grain of salt.

BretDavisJuly 31, 2007 4:13 PM

Chirac belongs in jail.
Villepin belongs in jail.

Get to it, France. You have work to do.

DSJuly 31, 2007 5:09 PM

@BretDavis please don't start with that, we could find something to say about your nice government...

The general wasn't techie at all, he asked his niece to write on a computer his handwritten notes.
So a standard data recovery tool was probably enough.

king haroldJuly 31, 2007 6:02 PM

@Voldemort:
As I understand standard recovery tools, all they do is find the pointers that deleting removes. In practice, if you've rewritten data after deleting, then and only then has the original file (or parts of it) been overwritten. Then and only then is it difficult with COTS software.

Even if you don't believe in seven-pass wiping, at least one record-over pass would be needed to make it difficult for someone using such recovery software.

Carlo GrazianiJuly 31, 2007 6:11 PM

Is there any particular reason that filesystems don't actually delete (as in overwrite with zeros) data at unlink time, as a security feature? Or rather, are there filesystems that do this?

quickJuly 31, 2007 6:19 PM

@Carlo:
They don't overwrite at delete time because overwriting takes forever.

Carlo GrazianiJuly 31, 2007 6:33 PM

@quick:

I'm not sure that's still as true as it used to be, although admittedly files have gotten larger too. In any event, it would seem at least possible to manage it in background, at low priority, or on a deferred basis (managed by a cron job, for example).

I can well imagine that there would be people and applications for whom trading performance for secure deletion would be an acceptable tradeoff.

JessJuly 31, 2007 6:48 PM

@Carlo

Most people don't need such behavior, so it doesn't exist by default in most systems.

Stuart YoungJuly 31, 2007 9:40 PM

@Carlo

For a start, people have gotten to the "Recycle Bin" mentality of "Oh I didn't want to delete that". Add to this that when you really delete something, you might be deleting it to make room for something else, and it suddenly becomes a bit of a tracking nightmare. You would need to track to see if the deleted data you want to overwrite is now occupied by a new file.

To make this more difficult, many operating systems allow you to create "sparse" files that have large blank sections (extents - think pre-allocating space that you know you'll use - useful in video, databases, etc, where speed, particularly of reading, is important). The space isn't actually written to (hey, it's currently blank, we know it's blank), it's just allocated at the filesystem level. Any previous data just might be there in that space on disk (direct read-write to the disk blocks), but the filesystem headers for the disk block will say the block is "blank"!

That's not to say background stuff like you suggest can't be done. It's just not simple, and requires a lot of hooks (eg: knowing where the extents are in sparse files, parsing data writes and removing them from the "to be cleaned" list, etc). And anything difficult that people can get away with not doing (for the most part) is most likely not going to get done.

Try a quick format vs a full format on a spare disk sometime. All the full format does is write blank blocks over the disk, and checks that there wasn't a write error returned, whereas the quick format just writes the fs header records. A full format takes a MUCH longer time.

Disks are woefully slow compared to memory and CPU, and even most newer disks are slower by ratio compared to older machines (CPU vs Disk, Memory vs Disk).

ForensicsJuly 31, 2007 11:54 PM

I work at a high tech law firm. We have a group of people who specialize in data forensics. After talking with them on numerous occasions, here are my take aways.

Windows writes files in chunks. If your file size modula the chunk size is > 0, then the extra space is written to using the current contents of RAM. Forensics may be able to access this RAM data to determine what you were doing at the time.

Both FAT and NTFS don't automatically overwrite. The chance of overwrite is inversely proportional to the amount of remaining space on your hard disk. With the size of modern hard disks, even deleted data can stick around for years.

Tools like eraser or OS X's secure delete aren't perfect, but will most likely render the data useless to easy-to-use data forensic tools. There are more advanced ways to extract the data after using a program like eraser, but it is very slow and very expensive. However, in a court case, the fact you have a tool like eraser installed may be used as evidence against you.

Oh, one fun fact. Most pop-up blockers (especially the IE ones) don't actually prevent the downloading of images in the pop-ups. They just prevent their display. As such, nearly every computer has porn on its hard drive.

Safe Computing TipsAugust 1, 2007 1:09 AM

Hello Bruce Schneier,

I am new here and have found your blog on computer security very informative, helpful and interesting. Thank you for sharing. as this is my first comment I just want to say hi then I will start my journey.

Dan.

RatusAugust 1, 2007 2:11 AM

Hi,
we're talking about forensic tools but what about logs ? If a such of document that has been printed or sent, they could be stored it and encrypted. In case of investigation, they can decrypt documents and soo...

French Ratus

John DaviesAugust 1, 2007 2:53 AM

@Carlo Graziani

Mac OS X has a feature called "Secure Erase Trash" which suggests that it does something similar to what you're suggesting.

Note that I don't know what it actually does - whatever it is it takes a *long* time and I don't bother using it!

stevoAugust 1, 2007 5:49 AM

to Mrs T.D. Gaines-Crockett , shelleytherepublican.com is a nutjob to say the least! Do a search on her post(s) about Linux and how its a terrorist helper and OBL uses it.... yeah she's a wacko.

VoldemortAugust 1, 2007 7:10 AM

@Forensics

"There are more advanced ways to extract the data after using a program like eraser, but it is very slow and very expensive."

Interesting. Can you give any examples of cases when this has happened?

"... in a court case, the fact you have a tool like eraser installed may be used as evidence against you."

I presume that you are referring to American law. Again, can you give any examples?

I'd like to stress that I don't want an argument - I'm just curious about this.

DaveAugust 1, 2007 8:11 AM

@Voldemort

>There are more advanced ways to
>extract the data after using a program
>like eraser, but it is very slow and very
>expensive.

"Interesting. Can you give any examples of cases when this has happened?"

If he's talking about magnetic resonance imaging, there aren’t any cases. MRI requires that the source drive be dismantled, and the platters dissected. It has to be the original drive – not a forensic copy. Suffice to say that any evidence gleaned would not be admissible in court.

gregAugust 1, 2007 10:50 AM

@Dave

Once you get into drive dismantling, you don't need MRI. Laser magnetic pickups or you can do your own read heads with higher movement accuracy. Its all thats needed for most methods. in fact i can't see MRI being useful at all, except for wiping the drive properly (>1T fields!). Its really expensive but even a few overwrites won't work. I didn't think of the court angle. I belive you can even get commercial services for this type of data recovery.. Again very expensive...

jayAugust 1, 2007 11:41 AM

Well you could always zip the files.. encrypt it..and then shred it!..that way it will be really hard to recover!

mAugust 1, 2007 11:48 AM

For the whole debate about a feature to automatically securely erase the disk - running sfill (a companion to secure delete that writes to empty HD disk space) now and then, maybe as a cron job, prefferably overnight, could help. But what about "blank spaces" in files, that fall over certain sensitive data? I'm clueless here.

If you don't want to shred or Gutman your whole disk every now and then, a tool that keeps track of the writes to harddisk a certain program does (like the GIMP you use to layout that flyer that the cops aren'T supposed to see) so you have a convenient list of files to erase once you are done with a certain project would help.

BrianSAugust 1, 2007 12:22 PM

Rather than worrying about securely deleting files from drives, why not just use full disk encryption technologies such that what ever is there (deleted or not) is resisttant to discovery via the strength of the encryption?

timAugust 1, 2007 1:54 PM

The easiest way to make sure that your once-deleted data gets overwritten is to... overwrite it. Fill the disk to capacity, and there isn't anywhere left for the original data to be stored. It also does not require any specialized "erase" tools or any "suspicious" activity.

AnonymousAugust 1, 2007 3:45 PM

I (obviously) don't know the specifics but the forensic expert supposedly worked 1 year to recover the files. I'd very much doubt that all he did was NTFS restore...

@J. Robertson

It is certainly a complex case but as far as I have heard there is no denial from Villepin / Rondot about the existence of those computer files...

VoldemortAugust 1, 2007 4:31 PM

@Dave

"MRI requires that the source drive be dismantled, and the platters dissected."

This sounds like a futile method of attack. Most modern disks have multiple platters bolted very firmly together. If the platters are moved out of alignment by almost any amount then an attempt to read the data (never mind overwritten data) will fail because the data tracks on different platters are out of sync. Modern drives write data at such extreme density that virtually any misalignment of the platters causes a failure.

@tim

"The easiest way to make sure that your once-deleted data gets overwritten is to... overwrite it. Fill the disk to capacity, and there isn't anywhere left for the original data to be stored"

A good idea but there are still some potential problems. Assuming that you are using Windows NTFS with default cluster size (4096 bytes) there may still be lots of overwritten data left behind in the "slack space" between the end of a file and the end of the cluster used to store the file. Windows tends to create lots of small files. If you really want to wipe the drive by totally overwriting unused space, I suggest the following:
1. Install Eraser (http://sourceforge.net/projects/eraser/)
2. Clear the web browser cache and recently used file links in the user profile
3. Set the page file to wipe at shutdown and reboot.
4. Delete temporary files, kernel dump files and user dump files.
5. Delete all hidden streams files (see http://www.securityfocus.com/infocus/1822 for info)
6. Delete all thumbs.db files
7. Boot from a Bart's PE disk (http://www.nu2.nu/pebuilder/) and use Eraser to wipe all free space and slack space (*)
Remember that there may be deleted entries in the registry hives that are still recoverable.

* Eraser can be invoked from a Bart's PE session. The simplest way to do this is to copy the files from C:\Program Files\Eraser to B:\, copy the C:\WINDOWS\system32\eraser.dll to B:\ then start B:\eraser.exe. The reason for using Eraser this way is that it can wipe the slack space on all system files, whereas Eraser normally skips a large number of slack space areas on system files because they are in use.

@anonymous

"I (obviously) don't know the specifics but the forensic expert supposedly worked 1 year to recover the files."

Now that's scary. The question that keeps bugging me: can these forensic experts really recover overwritten data on modern hardware?

Area 42August 2, 2007 7:19 AM

“Now that's scary. The question that keeps bugging me: can these forensic experts really recover overwritten data on modern hardware?��?

That’s a question that seems to be asked regularly, and yet no one can provide a definitive answer. Personally, I think it’s an urban myth. As soon as data gets overwritten just once, getting the previous (or deeper layers) of data would involve so much time, money, and expertise, it’s just not going to happen. Unless you’re at the top of the FBI’s most wanted list…

But here’s an even scarier thought. It wouldn’t surprise me if, in a few years time, mechanical hard disks are superseded by hard drives composed only of copious amounts of non-volatile flash memory. It is highly likely that these drives will employ ‘wear-leveling’ to extend the lifetime of the drive. Therefore, even if an application repeatedly writes data to the same logical sector, the data is distributed evenly across the medium (logical sectors are remapped to different physical sectors). In other words you won’t be able to overwrite ‘in situ’ anymore. This of course will make ‘data sanitization’ (at least on a file-by-file basis) more of a headache than it is now, but will be a gift to the computer forensics industry.

funkyjAugust 2, 2007 12:13 PM

@Area 42:

Thanks for bringing up the risk of flash memory disks! I agree that the leveling issue is a concern.

Presumably it would be easy to modify the flash filesystem to do an actual overwrite (or N-overwrites for the paranoid) when freeing up blocks. This would, of course, reduce the useful life of the flash but it should eliminate your concerns about wear leveling preventing true overwrites.

DSAugust 2, 2007 3:40 PM

"I (obviously) don't know the specifics but the forensic expert supposedly worked 1 year to recover the files. I'd very much doubt that all he did was NTFS restore"

You know in France we have lots of holidays :)
Maybe 1 year wasn't just to recover this file, but maybe to extract and read carrefuly all the files (transcripts of written notes of daily activity) of a 120Go hard drive...

AnonymousAugust 2, 2007 4:11 PM

@Voldemort

"'... in a court case, the fact you have a tool like eraser installed may be used as evidence against you.'

I presume that you are referring to American law. Again, can you give any examples?"

The only example that comes to mind involved a criminal charge of child pornography. The prosecution had evidence the defendant traded child pornography to undercover agents on-line. A search of his computer found no child porn, but did turn up a tool designed to securely erase files. The court instructed the jury to presume that the defendant had child porn.

What was really at play was a combination of courts hating child porn (rightfully, I believe) and a rule in many American jurisdictions that if a party destroys evidence, there is a presumption that they destroyed the evidence because it was bad.

moonglumAugust 3, 2007 10:31 AM

the general needed to fallow proper HD decomishoning procedures. low level format, open the disk and take a large magnet to the platters, then drive some nailes through the whole mess.

I did data recovery for a few years....its amazing what we can get back given a clan room adn soem tools, the tiem consumeign part is shiftign through the bits of binary files to find usefull information in them.

moonglumAugust 3, 2007 10:31 AM

the general needed to fallow proper HD decomishoning procedures. low level format, open the disk and take a large magnet to the platters, then drive some nailes through the whole mess.

I did data recovery for a few years....its amazing what we can get back given a clan room adn soem tools, the tiem consumeign part is shiftign through the bits of binary files to find usefull information in them.

joseAugust 4, 2007 3:11 PM

You are preocuped by this bank and pgp,truecrypt are backdoored by the secrets agencys , and it was discovered by one good guy called ADONIS from safehack.com . How many years you were sleeping with false sensations of peace. But all your secrets were readed by one person in one chair in some secrets installations...
Please twofish is already cracked please...

AnkushAugust 9, 2007 3:19 AM

How about encrypting the entire disk with a strong encryption key, and then reducing the secure deletion problem to the problem of losing the key?

If the data can still be recovered, either the algorithm, or the key wasn't good enough.

Ankush

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..