Computer Forensics Case Study

This is a report on the presentation of computer forensic evidence in a UK trial.

There are three things that concern me here:

  1. The computer was operated by a police officer prior to forensic examination.
  2. The forensic examiner gave an opinion on what files constituted "radical Islamic politics."
  3. The presence of documents in the "Windows Options" folders was construed as evidence that someone wanted to hide those documents.

In general, computer forensics is rather ad hoc. Traditional rules of evidence are broken all the time. But this seems like a pretty egregious example.

Posted on August 31, 2007 at 6:13 AM • 45 Comments

Comments

james • August 31, 2007 6:40 AM

"The presence of documents in the "Windows Options" folders was construed as evidence that someone wanted to hide those documents"

Not a very good place to hide them!

Priit • August 31, 2007 6:52 AM

"He said the material was placed in a Windows folder where it would be difficult for anyone who did not know anything about computers to find."

Who are those people who do not know anything about computers? Clearly those people are NOT law enforcement. So what's the point of this argument?

Kenneth • August 31, 2007 7:06 AM

"send them what descends from the skies" and "make hurricanes a constant for them"...

Is he talking about global warming, caused by the use of oil from the Middle East region?
More rain, more storms ?
Could we accuse the oil producing countries for causing terrorism on eco system scale, by letting the western countries burn so much of the oil that they're producing?
;-)

Btw. their "computer expert" seems like a moron, or at least someone who lacks the scientifically humble mindset that should be required for "expert witnesses" in trial situations...

Mike • August 31, 2007 7:14 AM

Look at the actual government plans in Germany for their so-called "remote forensic software". This is even weirder.

Attendee • August 31, 2007 7:20 AM

I've previously attended a talk by Russell May (bio below). I can't find the slides from the talk I attended but there are some notes at http://coventry.bcs.org/resources/encase.htm

##############QUOTE##########

Basic Principles of Forensic Analysis
=======================
3 years ago [2000?] the Association of Chief Police Officers (ACPO) set four simple guidelines on Computer Evidence. These establish the basic principles of acquiring evidence from computer systems and are now accepted by the courts in the United Kingdom (and elsewhere).

* Principle 1: No action taken by the Police or their agents should change the data held on a computer or other media.
-Where possible computer data must be ‘copied’ and that version examined.

* Principle 2: In exceptional circumstances it may be necessary to access the original data held on a target computer.
-However it is imperative that the person doing so is competent and can account for their actions.

* Principle 3: An audit trail must exist to show all the processes undertaken when examining computer data.

* Principle 4: The onus rests with the person in charge of the case to show that a computer has been correctly examined in accordance with the law and accepted practice.


#############################


Russell May bio:
28 years as a Police Officer
20 years involvement with computer technology
17 years in the procurement of computer evidence

Retired April 2002 as head of West Midlands Police Hi-tech Crime Unit
Joined Guidance Software, Inc. as a part-time instructor in November 1999
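
The four principles quoted above, worked as an added example (not code from the original post, from ACPO, or from the talk): a Python acquisition routine that opens the source read-only and hashes it before and after copying (Principle 1), writes every step to a JSON-lines audit trail (Principle 3), and re-verifies the image afterwards. The audit record format, the function names and the constructed sample "device" file are assumptions of this example.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB read size


def sha256_of(path):
    """Hash a file in fixed-size chunks; opened read-only so nothing is written."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def append_audit(audit_log, examiner, step, **fields):
    """Principle 3: one JSON line per action with a UTC timestamp (format is assumed)."""
    entry = {"ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "examiner": examiner, "step": step}
    entry.update(fields)
    with open(audit_log, "a") as log:
        log.write(json.dumps(entry) + "\n")


def acquire_image(src, dst, audit_log, examiner):
    """Copy src to dst byte for byte and prove the copy matches the source.

    Principle 1: src is only ever opened for reading, and it is hashed before
    and after the copy so the examiner can show the tool changed nothing.
    Returns the three digests; raises RuntimeError if verification fails.
    """
    before = sha256_of(src)
    append_audit(audit_log, examiner, "hash_source_before",
                 source=src, sha256=before, size=os.path.getsize(src))

    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(CHUNK), b""):
            fout.write(chunk)
            copied += len(chunk)
    append_audit(audit_log, examiner, "copy", dest=dst, bytes=copied)

    after = sha256_of(src)
    image = sha256_of(dst)
    append_audit(audit_log, examiner, "verify",
                 sha256_source_after=after, sha256_image=image)

    if before != after:
        append_audit(audit_log, examiner, "FAIL", reason="source changed")
        raise RuntimeError("source hash changed during acquisition")
    if image != before:
        append_audit(audit_log, examiner, "FAIL", reason="image mismatch")
        raise RuntimeError("image hash does not match source")
    append_audit(audit_log, examiner, "ok")
    return {"source_before": before, "source_after": after, "image": image}


def verify_image(path, expected_sha256):
    """Re-check an image against the digest recorded at acquisition time."""
    return sha256_of(path) == expected_sha256


def read_audit_log(audit_log):
    """Return the audit trail as a list of dicts, in the order it was written."""
    with open(audit_log) as log:
        return [json.loads(line) for line in log if line.strip()]


def demo():
    """Run the procedure on a constructed 3 MiB 'device' file and summarise it."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "evidence.bin")
    with open(src, "wb") as f:  # constructed sample data, not real evidence
        f.write(bytes(range(256)) * (3 * 4096) + b"trailing-sector")
    dst = os.path.join(d, "evidence.dd")
    log = os.path.join(d, "audit.jsonl")

    digests = acquire_image(src, dst, log, "examiner-1")

    # Simulate an image altered after acquisition: verification must fail.
    tampered = os.path.join(d, "evidence-tampered.dd")
    with open(dst, "rb") as fin, open(tampered, "wb") as fout:
        data = bytearray(fin.read())
        data[0] ^= 0x01  # flip one bit in the first byte
        fout.write(data)

    return {
        "digests": digests,
        "sizes_match": os.path.getsize(src) == os.path.getsize(dst),
        "image_verifies": verify_image(dst, digests["image"]),
        "tampered_verifies": verify_image(tampered, digests["image"]),
        "steps": [e["step"] for e in read_audit_log(log)],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

On a real seizure the source sits behind a hardware write-blocker; the before/after hash only shows that the imaging tool itself wrote nothing, and hashing a live, still-changing device would fail by design.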

R... • August 31, 2007 7:22 AM

2 and 3 are really not a big deal.

For #2 the story said:

The video proclaimed "victory for the mujahideen" and showed images of Osama Bin Laden followed by the Twin Towers in New York exploding after the attacks of September 2001.

Seems like radical Islam to me!

For #3, you can't reward someone for not knowing how to encrypt or hide incriminating evidence. The fact that he stored it somewhere other than the documents folder can be explained by the fact that he didn't want anyone to stumble on it.

Matt from CT • August 31, 2007 7:38 AM

Where is the balance point?

Principle #1 is a classic Heisenberg situation if the computer is turned on when the warrant is served.

Are you going to take a look at the computer in its present state, or are you going to turn it off **destroying all the data in memory** so you can duplicate the hard drive?

"Hey look, this guy was using an encrypted partition with two factor authentication...gosh, wish we had looked at the PC when we arrested him sitting at it...now all we can do is hope for digital crumbs in the swaps files and such."

xrey • August 31, 2007 7:42 AM

I'm less disturbed by the "mishandling" of evidence than the fact that there is no evidence he is a terrorist other than the (publicly-available?) videos on his computer.

The implication of police "mishandling" is that someone may have added incriminating files. However, nothing from the description seems that incriminating to me.

Isn't someone who hates bin Laden with a passion just as likely to download one of his videos as someone who sympathizes with bin Laden? In either case, that person might store the video in a place where another person is less likely to stumble upon it?

Most of the people who post here are interested in computer security. Don't you all have "incriminating" information about how to crack computers?

Karellen • August 31, 2007 8:04 AM

Matt > In nearly all OSs these days, nearly all memory is backed by disk somewhere. This is so that in order to load a new page into memory you don't necessarily have to save the old one first.

Yes, recently modified memory won't have been flushed to disk yet, but the number of pages should be relatively small compared to the total amount of memory available. On top of that, I think it would be highly unlikely that all the incriminating evidence on a computer would only be in memory. Yes, an email half-way through being composed might be lost if you kill the power, but what are the chances that that one unfinished email is the only bit of evidence to find? That would weaken your case somewhat anyhow.

Whereas if you start poking around the computer when it's turned on, you start changing file last access times, adding to logs which might now no longer be considered 'clean', etc... You change the state of the system in hard to predict ways.

If the bad guys have daemons designed to monitor the typing "fist" of someone at the keyboard and challenge them if something funny is detected, with an eye to wiping the system if the challenge is not authenticated, you're really going to be screwed.

Kill the power. Copy the HD. Reconstruct as much as possible from there.

Yes, strong crypto makes that hard. Well, no-one ever said fighting crime was easy.

Fred X. Quinby • August 31, 2007 8:12 AM

"Well, no-one ever said fighting crime was easy."

Convicting people for having dangerous ideas seems nearly as hard, too.

Michael Ash • August 31, 2007 9:10 AM

@R "Seems like radical Islam to me!"

So next time I get curious and download such a video, then my computer gets seized by the police, I become a radical Muslim too?

Editor • August 31, 2007 9:18 AM

Just a couple language nitpicks on Bruce's concern numbered "2."
a. "opinion" is doubled
b. perhaps this "construed" should be "constituted" instead?

FP • August 31, 2007 9:21 AM

@R...: "Seems like radical Islam to me!"

Bruce's point is that, while the forensics expert may in this case have judged appropriately, that is not her or his job. When forensics experts are called in to collect fingerprints, it is not their job to determine which prints are relevant or not.

About the "Windows options" folder -- when you open XP's explorer and go to c:\Windows, it tells you that those are system files that you should not be looking at. So, to an average user, files in its subdirectories can well be considered "hidden."

GetReal • August 31, 2007 9:35 AM

When I first read that article, I thought it may have been a reprint from "The Onion".

Let's see, some guy has media (video, pictures, sound) that ' "seemed to be concerned with radical Islamic politics" '. Since when is it a crime to look at this type of media? I certainly hope my children don't have to fear being accused of a crime for learning about the events and people that have or will shape our world. What's next, book burning?

Also, you have some bungling idiot calling himself a "forensic analyst". This guy clearly doesn't have a clue.

What evidence does he have that the accused even put the files in that directory? Can he prove they weren't placed there by some other program, like the downloader, a media player, or perhaps even some poorly written ActiveX control?

Anyone that knows anything about computers (clearly this "forensic analyst" doesn't) knows that different programs (downloaders, media players, ActiveX, etc.) tend to put files in all sorts of oddball, unobvious, and unexpected locations in the filesystem, especially older programs. I know of several programs (some old, some new) that download data files into the Program Files directory, and some programs even put data files into various folders in the Windows directory. Is someone running one of these programs "hiding" data, since it is not in some other "more obvious" data directory? Get Real!

Mike • August 31, 2007 10:11 AM

Do you guys even bother to read these articles? The evidence on the laptop is not the only evidence against him.

"He has been accused of possessing suspicious terrorism-related items including CDs and videos of weapons use, guerrilla tactics and bomb-making.

He has also been accused of collecting terrorist-related information, setting up websites showing how to make and use weapons and explosives, and circulating inflammatory terrorist publications.

A further charge of breach of the peace relates to claims that he showed students at Glasgow Metropolitan College images of suicide bombers and terrorist beheadings.

This charge also includes the allegation that he threatened to become a suicide bomber, and claimed to be a member of al-Qaeda."

Matt from CT • August 31, 2007 10:41 AM

>If the bad guys have daemons
>designed to monitor the typing "fist" of
>someone at the keyboard

If someone is sophisticated enough to have such a daemon, and taken the time to "train" it and themselves what to detect as an unusual pattern...

And they did not disable caching memory to disk...they deserve to be mocked and ridiculed.

skate • August 31, 2007 10:41 AM

So, isn't all that "forensic imaging" wholesale copyright infringement?

I suppose police/prosecutors/courts may have some sort of legal doctrine of exemption, but what about forensic imaging by private forensic examiners in audits, pre-trial discovery in civil suits and in, snigger, copyright infringement lawsuit discovery?

GetReal • August 31, 2007 10:42 AM

@Mike

I think that Bruce's original point and that made by the posters here have less to do with whether the accused is innocent or guilty, and more to do with the "evidence" (or lack thereof) which was found on his laptop, as well as the way that "evidence" was found and apparently (mis)handled and (mis)interpreted.

In particular, a) was the media incriminating, not likely based on the information in the article, despite the "computer expert / forensic analyst" giving his opinion, and b) was the location of the media relevant, again not really, despite the "computer expert / forensic analyst" not having a clue about how the media might have gotten to its supposedly "hidden" location.

jay • August 31, 2007 10:43 AM

"He said the material was placed in a Windows folder where it would be difficult for anyone who did not know anything about computers to find."

Probably it's the Windows System folder... the reporter who did the editorial might have dropped the "System".

"National Hi-Tech Crime Unit, told the court that he had made a copy of the hard drive of the laptop and examined it."

Now that is the correct procedure to conduct a forensic test. Always make an ISO of the whole disk. Helix is a great open source project if anyone is interested. After making the ISO you keep the rest of the machine in a safe place until it's required again.

Translator • August 31, 2007 11:32 AM

@Mike:

In today's world, there exists a communications tactic called spin, where true statements are made, but presented in a way that biases the audience to an incorrect conclusion. Maybe this is spin, and maybe this is how one could unspin it.

> possessing ... CDs and videos of
> weapons use, guerrilla tactics and
> bomb-making.

Translation: Media Center had recorded Modern Marvels from the History Channel.

> collecting terrorist-related
> information,

Translation: Read about terrorist attacks online.

> setting up websites showing how to
> make and use weapons and
> explosives, and circulating
> inflammatory terrorist publications.

Posted the most interesting stuff on his own website.

> he showed students ... suicide
> bombers and terrorist beheadings.

Grisly and in poor taste, perhaps, but showing pictures is no crime.

> he threatened to become a suicide
> bomber, and claimed to be a member
> of al-Qaeda.

Never mind. I guess he is a terrorist. Certainly I am terrorized. Hang him high.

Bruce Schneier • August 31, 2007 11:33 AM

"For #2 the story said:

"The video proclaimed 'victory for the mujahideen' and showed images of Osama Bin Laden followed by the Twin Towers in New York exploding after the attacks of September 2001.

"Seems like radical Islam to me!"

That's not the point. This isn't an after-dinner conversation; it's a courtroom. What matters is what an expert in that particular topic thinks, not you nor I nor some computer forensics person.

bob • August 31, 2007 11:49 AM

"The presence of documents in the "Windows Options" folders was construed as evidence that someone wanted to hide those documents"

Dang - he's lucky they didn't find the drivers for TrueCrypt on the system; that's probably proof enough to convict him of the Great Train Robbery AND the Brinks Job! Maybe even the assassination of JFK!

pegr • August 31, 2007 12:10 PM

Um, after acquiring the forensic image, the drive should have been "bagged and tagged", that is, protected from alteration. It sounds like the examiner used the suspect's own computer to acquire the image. That's a huge no-no, as the suspect's computer cannot be trusted...

Matthew Skala • August 31, 2007 1:11 PM

What are the implications of "Trusted Computing" for forensics? One of the goals of that technology seems to be for media files to routinely be locked to individual computers in such a way that they can't be played on other computers. If a suspect's terrorism videos, child pornography videos, and so on can only be played on the suspect's own computer - which as pegr rightly points out, the police shouldn't be using - what happens to the investigation? These technologies can no doubt be defeated, but if they're legally protected, then the police (and their contractors, and the people who make the tools used by the contractors) will need an exception to the law to allow them to circumvent the protection. Or will the parties controlling the trusted computing keys be brought into the loop (contact Disney to get them to extract the video from the suspect's hard drive...) and if so, will they be held to the same standards of trustworthiness as the police?

Stefan Wagner • August 31, 2007 1:18 PM

I downloaded a German law to /opt, not $HOME.
Clear evidence: I appreciate that law. And I want to hide it.

But hide from whom?
My wife? My boss? Police?

Mike • August 31, 2007 2:02 PM

@GetReal:

My comment was directed at: "I'm less disturbed by the "mishandling" of evidence than the fact that there is no evidence he is a terrorist other than the (publically-available?) videos on his computer." and "So next time I get curious and download such a video, then my computer gets seized by the police, I become a radical Muslim too?" These people did not read the article.

As for your own comments, you call the analyst a "bungling idiot", clueless, and unknowledgeable about computers, which indicates to me you are a) either privy to some further article or knowledge about this analyst's professional competency or b) indulging in some hyperbole.

Consider in Bruce's concern #1, that "Earlier in his evidence, Mr Dickson said useful evidence may have been destroyed when the laptop was switched on by a Special Branch detective before being passed to analysts, against standard police procedure." So here we have the analyst himself pointing out Bruce's concern *right there in the article*. I simply don't see where you are extrapolating his incompetence from.

As a computer user with reasonable competency, *I'd* find a cache of terror-related files in the hidden windows system directories a little on the suspicious side if I were on the jury - particularly when that minor, possibly innocent evidence is then bolstered by a pile of evidence of possession of terrorist-related CDs, the how-to bomb manuals, the publications he distro'd, the websites he set up, the personal claims of terrorist group membership, etc. It may not be direct evidence of a crime but it certainly contributes to the sizable pile of circumstantial evidence pointing to a terrorist wannabe sitting in the dock.

I think Bruce's #1 and #3 points are valid (#2 I don't understand since the file evidence is being played to the court for their own judgement), and furthermore they need to link those files somehow to the defendant (the Achilles heel of all computer forensics, IMHO), but I think it's important to take what they're actually trying to accomplish with those files, in that trial, into context.

Paul • August 31, 2007 2:32 PM

R...
"The fact that he stored it somewhere other than the documents folder can be explained by the fact that he didn't want anyone to stumble on it."

I have literally thousands of work and personal related files on my computer. Not one of them is in the My Documents folder and the reason has nothing to do with concealing them, it has to do with organization and a desire to be able to find them when I need to. Also redundant backup. I know many others with the same situation.

dave • August 31, 2007 2:37 PM

Does point two really concern you? ...a LexisNexis search reveals the appropriate quote is: "Mr Dickson, 42, agreed when Mr McConnachie asked if the material "seemed to be concerned with radical Islamic politics"." -- guess what, that's what happens in examinations - you are asked to answer questions. It's the duty of the opposing counsel to attack those answers and/or questions. All sorts of witnesses are asked to agree or not agree to questions posed by counsel. It's not the investigator agreeing to content that should concern us, rather it's the *possibility* (we don't know from the report) that the opposing counsel let this question/answer go un-attacked.

AV • August 31, 2007 4:06 PM

I've probably fixed about 5,000 personal computers in my life - back when I worked at a computer store as a teenager. I definitely ran across videos, word documents, etc in places where they shouldn't be. It's usually someone who doesn't understand Windows well, gets frustrated, and just clicks madly around in frustration - moving objects into folders, creating new ones, clicking past any dialog prompt, etc...

WRT just pulling the power plug: The police/detectives will (among other things) take a photograph of what is on the screen. They are told to turn on the monitor if it is off to try and do this before unplugging. They are also told that if they see what appears to be a screensaver running that they are to _very slightly_ move the mouse and if the screensaver goes away they can get their picture.
That is all they are allowed to do before pulling the power.

This is all based on a document I read describing the procedure - but that may well have been just one department's. I don't remember. I'm not sure if there is a single standard that all investigative units follow (probably not I imagine).


So anyway - I would protect my system like this:

- install a small UPS inside the system
- install a small magnetic degausser next to the hard drive

When the power supply loses power you degauss the drive using the power from your UPS. There's a billion variations on the theme.

But this is what I think would be the 'ultimate' protection: Use a cryptographically secure steganographic file system. But that's not all. You have steganography layers. The first layer is not hidden at all. It contains the operating system, etc. You don't store your jihad videos there. The second layer in is where you put gay porn videos (or something similarly 'embarrassing'). The third layer contains what you are really hiding.

This is all about plausible deniability. When the system is analysed they will see that you are using crypto. A judge may demand you to provide the key. If you don't you're in contempt and can get in big trouble. You give them the key to 'layer 2'. They find the gay porn. Now they 'know' what you were hiding. You 'admit' that yes you like watching gay porn and this is so embarrassing, etc... They're satisfied right? You provided them the key and they found your gay porn stash - those clever detectives!

antibozo • August 31, 2007 8:07 PM

Karellen> In nearly all OSs these days, nearly all memory is backed by disk somewhere.

That is not correct. Modern systems have so much RAM it's actually quite common for them not to page memory to disk at all.

For example: the three-year-old desktop I'm writing this on has 2GB of RAM and a 4GB swap partition. On it, I'm running a browser with around 35 open tabs, a mail client connected to two separate mail servers, a PDF reader with eight open documents, and around 30 terminal windows. The system has been running in this condition for more than a week. Swap utilization: 0.

That isn't to say that incriminating information would typically be found in memory but not on disk. But the theory that most memory gets paged to disk "in nearly all OSs these days" has it approximately backwards.

xrey • August 31, 2007 10:06 PM

@Mike: "These people did not read the article."

Actually, I did read the article, and found nothing mentioned that would convince me that the man is a terrorist.

"When he opened the folder he found videos, pictures and sound files which he agreed with prosecutor Brian McConnachie QC "seemed to be concerned with radical Islamic politics"."
=> The question is, did he download these from Al Jazeera, or were they emailed to him from Osama bin Laden's inner circle? Every time OBL releases a new video, it gets downloaded by millions of people and shown everywhere from CNN to FOX news. Should they arrest everyone who watches it?

"...CDs and videos of weapons use, guerrilla tactics and bomb-making."
=> Who doesn't like to watch things go boom? Any teenage boy or weekend fireworks aficionado might have such videos.

Not living in the U.K., I don't know any more about this suspect other than what is written in the article. Maybe there is a smoking gun that I don't know about. The jury should require a lot more *non-circumstantial* evidence to convict.

Unfortunately, even if there was an email from OBL to the suspect, that evidence is now in question due to the lack of proper forensic practices.

a tenorist • September 1, 2007 8:08 AM

"The presence of documents in the "Windows Options" folders was construed as evidence that someone wanted to hide those documents"

What is this "Windows Options" folder ? I couldn't find it on any windoze machine I looked at.
And of course there is no way he could have drag'n'dropped the files in question to this folder by mistake ?
I remember a few times when I moved the mouse slightly before releasing the button and windoze "cleverly" understood that I "want" to move a whole folder to somewhere else instead of opening the other folder.
May be I'm a terrorist ?

DigitalCommando • September 1, 2007 11:31 AM

@ AV Using a degausser as you suggest would not work. It MIGHT make the disk cause read errors, but would offer no defense against forensic analysis, especially where techniques like "tunnel force microscopy" are applied. If you want real protection, you should place your CPU that's connected to a UPS inside of a good quality safe, store all of your sensitive data on a second, small hard drive (40 gigs or less) and use a hot-key command on your keyboard to activate a "Gutmann 35 pass overwrite" wipe of the second hard drive, and at the same time disables the keyboard and mouse. By the time the clowns get to your CPU, they'll be left with a wiped drive even the NSA couldn't recover. Of course, leaving a wiped drive only, wouldn't be any fun, so you will want to have 1 large encrypted file on your main drive. Using a friend's computer (not yours) find a text document around 10 megs in size. Using 3 different encryption programs, run your file through each one in succession and save it to a USB key or floppy disk. Return home and install the new file under "top secret". You will have now provided your interlopers with hours of useless fun.
P.S. If your safe has an electronic keypad REMOVE THE SERIAL NUMBER sticker which is located on the door! All electronic keypad safes have a backdoor factory installed code used by safe techs, locksmiths (and the cops) to get in and it can be obtained from the safe manufacturer, but they must have that serial number to get it. No number, no code.

antibozo • September 2, 2007 1:38 PM

DigitalCommando> Using a degausser as you suggest would not work. It MIGHT make the disk cause read errors, but would offer no defense against forensic analysis

Nonsense. Degaussing *may* not work against a forensics lab with unlimited resources (How much do a tunnel force microscope, the cleanroom, and the personnel to operate it cost? Have you ever heard of one being used in a criminal investigation?) and time (What do you think the recovery bandwidth of a TFM is?), but it will stymie the efforts of most labs, and move the drive out of the "throw it on Encase and read the evidence" pile into the "well, maybe we can send it off to a recovery lab and get something out of it" pile.

The Gutmann wipe is okay, but it takes quite a while to wipe a disk effectively that way, so it's not for emergencies. If you want privacy, just use an encrypted filesystem in the first place.

mr_happy • September 3, 2007 5:13 AM

#1: No excuse, and the officer concerned admitted his inexcusable mistake in his evidence.

#2: The article says 'videos, pictures and sound files which he agreed with prosecutor Brian McConnachie QC "seemed to be concerned with radical Islamic politics".' This sounds to me as if the barrister asked him 'and would you describe these items as seeming to be concerned with radical Islamic politics?' as a way of bringing this concept into the trial. Also, how else are you going to describe a collection of material like this without referring to radical Islam? You've got to identify it as something if you're bringing it up.

#3 I'm not sure what the Windows Options folder refers to, but what's clearly being said is that they were put in a folder other than the default, so someone wouldn't stumble on it.

Reporting of the detail of a trial rarely if ever bears more than a vague resemblance to the actual detail.

Steve Davies • September 3, 2007 8:45 AM

Which subdir in c:\WINDOWS ?
e.g. were these files in WINDOWS\Temp
or WINDOWS\Media or some application specific subfolder ?

This sounds very much like 'shaded' evidence IMV especially when you add the forensics guy giving opinion and not just factual evidence.

CGomez • September 4, 2007 7:56 AM

Defense attorneys and judges need to become better educated about computers. Ridiculous rulings about computing come down all the time from all over the world.

I think if such forensic analysis is presented, most competent defense attorneys would put on their own computer analyst who would give a differing opinion. The jury would then be armed to choose between the opinions, or decide to look at other evidence altogether.

supersnail • September 4, 2007 8:18 AM

I cannot help feeling the old country is setting itself up for another "Guildford Four" tragedy.

Well meaning Police, Forensic Scientists and Prosecution lawyers encouraged by press and public hysteria railroaded four completely innocent people into jail for most of their adult lives.

The truly sad thing about it was no one person set out to frame them. Everybody involved assumed their guilt and that somebody else had the conclusive evidence against them. Corners were cut, due diligence was not followed, contradictory leads were left to go cold, alibis were not fully investigated etc. etc.

It is only a matter of time before the whole sad saga is repeated with eastern accents.

derf • September 5, 2007 11:25 AM

Just because a file is on a computer doesn't mean you put it there.

How do you know it was "he" who did the storing, viewing, or manipulating of those files? Did anyone actually see him put the files on his PC? Did someone catch him in the act of playing the videos and get his reaction on camera?

On a Windows PC, it's fairly easy to get unwanted files on it just by putting it on the internet and doing some browsing. We have documented cases of government spyware being used to trap keystrokes, so how do we know there isn't a government utility to copy files to our PCs?

I think there needs to be more than just "we found these files on the PC in question" to make the case that this is "evidence" of anything.

DigitalCommando • September 7, 2007 1:26 AM

@ antibozo If you were to read Peter A. Gutmann's "Secure deletion of magnetic media" you would be more educated on the subject than 99% of the people in the business. You would also understand the fallacy of degaussing as a secure method of data destruction for sensitive or secret data.

antibozo • September 7, 2007 2:01 AM

DigitalCommando> If you were to read Peter A. Gutmann's "Secure deletion of magnetic media"...

I'm quite familiar with Peter Gutmann's work, and I use his wipe tool regularly. But if you think law enforcement personnel have access to the equipment needed to reconstruct data from a degaussed disk in anything but the highest priority investigation imaginable, I suggest you go and talk to some of them about their budget and resources. And if you think that Gutmann's wipe is a suitable tool for erasing a disk in a short time frame, such as when a system is about to be seized, you must never have used it.

And you didn't answer my questions. How much does a TFM lab cost? Have you ever heard of one being used in a criminal investigation? What do you think the recovery bandwidth of a TFM is?

EZIGHT • September 21, 2007 5:02 PM

Oh if people ever learn to use live Linux CDs like the hacks do--computer forensics will be out the door.

Puppy Linux
Slax Linux
Knoppix
Helix

Keychain devices.
Iram cards.
Ramdisk cards.
Live CDs
Bootable OSes on USB.

Ya really don't need a HD anymore.

Many many distros out there.

There even is a distro that allows for XP to be installed on a keychain device.

Hard drives are a thing of the past...

Sorry--aint got no HD........

SpecialEd • October 4, 2007 5:52 AM

@GetReal

> Is someone running one of these programs "hiding" data, since it is not in some other "more obvious" data directory? Get Real!


You're absolutely right! Besides, what the hell, can't we just store our files wherever we like??? Are we all supposed to be dumb win-users who don't even know how to copy/move files or make new folders? Holy cow, what would happen to someone storing their files on an encrypted OpenBSD partition in folder "/boot/i_aint_no_root/now_you_see_me_now_you_dont" if they were caught by the police? ;-)


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..