Silk Road forums

Discussion => Security => Topic started by: alonetraveler on October 09, 2012, 03:45 am

Title: Computer Forensics Investigator here - any questions?
Post by: alonetraveler on October 09, 2012, 03:45 am
I've been in the Information Security and Digital Forensics fields for almost 15 years, both federal and private sectors. I would like to know what burning questions or concerns you have when someone like me has access to your computers and/or mobile devices.

The first piece of advice I can give you is to always do your business off of a live, linux-based CD. For those in the US, buy a laptop off of Craigslist, remove the hard drive and exclusively use boot CDs. You will also want to regularly change the MAC address of the network device you are using. Also, NEVER use a wifi hotspot that has cameras. In the offhand chance that we are able to track down your activities to a specific place, we have and will use the business's security cameras to identify you if you're a suspect.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: Nightcrawler on October 09, 2012, 03:57 am
I've been in the Information Security and Digital Forensics fields for almost 15 years, both federal and private sectors. I would like to know what burning questions or concerns you have when someone like me has access to your computers and/or mobile devices.

The first piece of advice I can give you is to always do your business off of a live, linux-based CD. For those in the US, buy a laptop off of Craigslist, remove the hard drive and exclusively use boot CDs. You will also want to regularly change the MAC address of the network device you are using. Also, NEVER use a wifi hotspot that has cameras. In the offhand chance that we are able to track down your activities to a specific place, we have and will use the business's security cameras to identify you if you're a suspect.

Good advice, although all of this has been discussed previously.  Just out of curiosity, what brings you to this neck of the woods?

Title: Re: Computer Forensics Investigator here - any questions?
Post by: alonetraveler on October 09, 2012, 04:07 am
Good advice, although all of this has been discussed previously.  Just out of curiosity, what brings you to this neck of the woods?

Thanks for asking. I see a lot of people relying on a bootable USB drive but the ultimate is a harddrive-less laptop running a boot CD. The reason is as a digital forensics investigator, we are able to produce a list of all USB or external hard drives (for Microsoft operating systems, we can even get the serial number and insertion dates; for Apple OS's, we can get the insertion dates and name of the drive) that were once attached to a computer if we get the computer before it's been wiped. So if you're using the hard drive in your laptop legitimately but maybe plugged in your bootable USB device, we will know the device exists and from there it is a game between your attorney and us.

There are a couple of reasons why I decided to venture into this neck of the woods. First is that the computer forensics field is stagnant and it relies heavily on myth. The other is that I am very security and freedom conscious and have been thinking of doing this for a while.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: AliBabba on October 09, 2012, 04:09 am
Q: Would a program like TrueCrypt, or any other disc encryption software, keep your data safe and out of the wrong hands? Apologies if this is a dumb question... I'm old, dammit.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: alonetraveler on October 09, 2012, 04:21 am
Q: Would a program like TrueCrypt, or any other disc encryption software, keep your data safe and out of the wrong hands? Apologies if this is a dumb question... I'm old, dammit.

The most legitimately secure disk encryption software we come across is TrueCrypt. Some major commercial encryption software or devices have been decrypted by us once the federal government gets involved. I can't say what specific commercial brands or products without compromising my identity, but you can trust TrueCrypt. As for keeping it safe, it depends on how secure your encryption password key is. General rule is more than 16 characters (alpha-numeric with some symbols sprinkled in) will keep it safe. Anything else beyond that is almost pointless padding unless you have great memory. TrueCrypt covers this extensively but you'll also want plausible deniability, so learn to keep your sensitive data trim. I say this because it's very obvious to find an encrypted volume if we see large blocks of random data. We can tell the difference between day-to-day data randomly placed on the drive and actual randomized/encrypted data. There are also several algorithms available to us to determine if an encrypted volume exists on the hard drive once we seize it. From that point on it's a matter of building dictionary lists from the seized drive and brute-forcing the volume, or of leaning heavily on you for it.
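The "large blocks of random data" check described in this answer, as an added Python example that is not from the thread: it scores a constructed sample image block by block by Shannon entropy and reports runs of near-uniform blocks (block size, threshold, run length and the sample data are my assumptions, not a description of any vendor's tool).

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 4096      # examine the image in 4 KiB blocks
HIGH_ENTROPY = 7.8     # bits per byte; uniformly random bytes approach 8.0
MIN_RUN_BLOCKS = 4     # ignore isolated high-entropy blocks (small compressed files etc.)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Entropy of each consecutive block of the image."""
    return [shannon_entropy(image[i:i + block_size])
            for i in range(0, len(image), block_size)]


def find_high_entropy_runs(image: bytes, block_size: int = BLOCK_SIZE,
                           threshold: float = HIGH_ENTROPY,
                           min_blocks: int = MIN_RUN_BLOCKS) -> list:
    """Return (start_offset, end_offset) byte ranges covering at least min_blocks
    consecutive near-uniform blocks. Caveat: compressed archives, media files and
    random-fill wipes score the same, so a hit is a lead, not proof of a volume."""
    runs = []
    entropies = block_entropies(image, block_size)
    start = None
    for idx, ent in enumerate(entropies):
        if ent >= threshold:
            if start is None:
                start = idx
            continue
        if start is not None and idx - start >= min_blocks:
            runs.append((start * block_size, idx * block_size))
        start = None
    if start is not None and len(entropies) - start >= min_blocks:
        runs.append((start * block_size, len(entropies) * block_size))
    return runs


def build_sample_image() -> bytes:
    """Constructed sample image (not a real disk): 8 blocks of English text,
    8 zero-filled blocks, 16 blocks of seeded PRNG output standing in for
    ciphertext, then 4 more blocks of text."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 800)[:8 * BLOCK_SIZE]
    zeros = bytes(8 * BLOCK_SIZE)
    ciphertext_like = random.Random(2012).randbytes(16 * BLOCK_SIZE)
    trailer = (b"lorem ipsum dolor sit amet " * 700)[:4 * BLOCK_SIZE]
    return text + zeros + ciphertext_like + trailer


if __name__ == "__main__":
    image = build_sample_image()
    for off, end in find_high_entropy_runs(image):
        blocks = (end - off) // BLOCK_SIZE
        print(f"high-entropy region: bytes {off}-{end} ({blocks} blocks)")
```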
Title: Re: Computer Forensics Investigator here - any questions?
Post by: Nightcrawler on October 09, 2012, 04:29 am
Good advice, although all of this has been discussed previously.  Just out of curiosity, what brings you to this neck of the woods?

Thanks for asking. I see a lot of people relying on a bootable USB drive but the ultimate is a harddrive-less laptop running a boot CD.

I think that's what Jake Appelbaum runs.. at least his machine has no hard drive... the last time he went through U.S. Customs, it gave the officers fits.

The reason is as a digital forensics investigator, we are able to produce a list of all USB or external hard drives (for Microsoft operating systems, we can even get the serial number and insertion dates; for Apple OS's, we can get the insertion dates and name of the drive) that were once attached to a computer if we get the computer before it's been wiped. So if you're using the hard drive in your laptop legitimately but maybe plugged in your bootable USB device, we will know the device exists and from there it is a game between your attorney and us.

That's actually a good point -- I'm not sure that one has been raised before.

There are a couple of reasons why I decided to venture into this neck of the woods. First is that the computer forensics field is stagnant and it relies heavily on myth.

There is no question that hard information is tough to come by. That's one of the reasons that the IACIS mailing list leak was _so_ helpful. :-)  (There wasn't a lot in there that I didn't know, but it was nice to be able to confirm some things.)

One of the questions that has come up on here on occasion relates to SSDs (solid state drives).  Are there any proven methods for wiping these the same way that there are proven methods for wiping magnetic media, so that any data cannot feasibly be recovered?

The other is that I am very security and freedom conscious and have been thinking of doing this for a while.

Welcome to the dark side <g>   There is no question that a lot of freedom and privacy have been lost, particularly since 9/11.  I just saw an article that stated that the U.S. government knows more today about the average American than the Stasi knew about the average East German -- that's a frightening prospect.

Title: Re: Computer Forensics Investigator here - any questions?
Post by: Nightcrawler on October 09, 2012, 04:47 am
Q: Would a program like TrueCrypt, or any other disc encryption software, keep your data safe and out of the wrong hands? Apologies if this is a dumb question... I'm old, dammit.

The most legitimately secure disk encryption software we come across is TrueCrypt. Some major commercial encryption software or devices have been decrypted by us once the federal government gets involved. I can't say what specific commercial brands or products without compromising my identity, but you can trust TrueCrypt. 

The Feds tried cracking Sebastien Boucher's PGPDisk encrypted volume for about 2 years, without success.  That said, I would still prefer TrueCrypt.

As for keeping it safe, it depends on how secure your encryption password key is. General rule is more than 16 characters (alpha-numeric with some symbols sprinkled in) will keep it safe. Anything else beyond that is almost pointless padding unless you have great memory. 

I disagree. The FSB instructed their agents to use 26 characters; 16 characters mixed-case + numerics give you about 95 bits of entropy... throw in a few more for using symbols, let's give it 100, say.  I'd go with 9 or 10 Diceware words -- 10 will yield 129 bits of entropy, and they're not that hard to memorize. Given that the words are chosen using a random physical process (dice) the only possible attack is brute force -- with a sufficiently long passphrase, good luck with that.

TrueCrypt covers this extensively but you'll also want plausible deniability, so learn to keep your sensitive data trim. I say this because it's very obvious to find an encrypted volume if we see large blocks of random data. We can tell the difference between day-to-day data randomly placed on the drive and actual randomized/encrypted data. There are also several algorithms available to us to determine if an encrypted volume exists on the hard drive once we seize it. From that point on it's a matter of building dictionary lists from the seized drive and brute-forcing the volume, or of leaning heavily on you for it.

If you've used Diceware, a dictionary list is useless. The procedure you're describing is the same one employed by the U.S. Secret Service, i.e. using Access Data's Distributed Network Attack (DNA).  A 9 or 10 word Diceware passphrase makes that all superfluous, from a technical point of view. Your only option then is to sweat it out of the suspect, and if they're smart they'll listen to their lawyer and keep their mouth shut.

Title: Re: Computer Forensics Investigator here - any questions?
Post by: alonetraveler on October 09, 2012, 04:52 am
Quote
One of the questions that has come up on here on occasion relates to SSDs (solid state drives).  Are there any proven methods for wiping these the same way that there are proven methods for wiping magnetic media, so that any data cannot feasibly be recovered?

Depends on the make and model of the SSD drive. The majority of them flip bits, some to say this volume is available and leaving everything intact or by changing the encryption key of the drive to something else. I don't trust SSD drives at all for my sensitive info, to say the least.

Your best bet is to practice trimming down your sensitive data; the smaller your footprint, the harder it is for us to detect it.

I remember the IACIS leak and from my brief experience with the list, it's inhabited by a bunch of cops who showed they're pretty handy with computers and took a lot of basic computer forensic courses. The majority of them are button pushers.

And yes, the U.S. does archive a crazy amount of info on you. As the cliche goes, follow the money, see where all these tech companies get part of the funding from.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: alonetraveler on October 09, 2012, 05:00 am
I disagree. The FSB instructed their agents to use 26 characters; 16 characters mixed-case + numerics give you about 95 bits of entropy... throw in a few more for using symbols, let's give it 100, say.  I'd go with 9 or 10 Diceware words -- 10 will yield 129 bits of entropy, and they're not that hard to memorize. Given that the words are chosen using a random physical process (dice) the only possible attack is brute force -- with a sufficiently long passphrase, good luck with that.

Quote
If you've used Diceware, a dictionary list is useless. The procedure you're describing is the same one employed by the U.S. Secret Service, i.e. using Access Data's Distributed Network Attack (DNA).  A 9 or 10 word Diceware passphrase makes that all superfluous, from a technical point of view. Your only option then is to sweat it out of the suspect, and if they're smart they'll listen to their lawyer and keep their mouth shut.

I concede both points to you. Even with the advent of rainbow cracking and tuned-up GPU machines, using a diceware'd phrase is fairly secure. Although they are not truly entropic algorithms, researchers are closing in fast on the algorithms Diceware and other similar services use. This is where a lot of people screw up, they get lazy and are not vigilant with their passphrases. Also, if you're in the U.S., keep your mouth SHUT. If you're in a place where no such option exists, plausible deniability and lean data is your best bet.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: Nightcrawler on October 09, 2012, 05:30 am
Quote
One of the questions that has come up on here on occasion relates to SSDs (solid state drives).  Are there any proven methods for wiping these the same way that there are proven methods for wiping magnetic media, so that any data cannot feasibly be recovered?

Depends on the make and model of the SSD drive. The majority of them flip bits, some to say this volume is available and leaving everything intact or by changing the encryption key of the drive to something else. I don't trust SSD drives at all for my sensitive info, to say the least.

That's basically what I've been recommending; avoid 'em like the plague.


Your best bet is to practice trimming down your sensitive data; the smaller your footprint, the harder it is for us to detect it.

Common-sense advice.

I remember the IACIS leak and from my brief experience with the list, it's inhabited by a bunch of cops who showed they're pretty handy with computers and took a lot of basic computer forensic courses. The majority of them are button pushers.

You left out the words "uniformed" and "arrogant" before button pushers. I must have spent a week going through the dump; it was amazing. Their ignorance was exceeded only by their arrogance.  Apparently there is a caste system of sorts in IACIS, with the sworn officers being the Brahmins, and the civilians being the Dalits (Untouchables). Some of the sworn officers literally slagged their civilian colleagues, looking down their noses with complete disdain much as a Brahmin would look down their nose at a Dalit.  Those forensic examiners working for the defense came in for even greater scorn than their civilian colleagues.

Speaking of caste systems, it is my understanding that, in the United States, in order to do work for the government, you have to be a member of a particular professional association, membership in which is denied to those who do work for the defense.  Given that there is a plethora of government forensics work, and to some degree, a dearth of defense work, there is a strong incentive to avoid working for the defense, as this can severely affect one's prospects (not to mention income).  My understanding is that it is therefore difficult to find competent forensics people willing to work for the defense.  Is this correct?

And yes, the U.S. does archive a crazy amount of info on you. As the cliche goes, follow the money, see where all these tech companies get part of the funding from.

Facebook, anyone?

Title: Re: Computer Forensics Investigator here - any questions?
Post by: Nightcrawler on October 09, 2012, 05:42 am
I disagree. The FSB instructed their agents to use 26 characters; 16 characters mixed-case + numerics give you about 95 bits of entropy... throw in a few more for using symbols, let's give it 100, say.  I'd go with 9 or 10 Diceware words -- 10 will yield 129 bits of entropy, and they're not that hard to memorize. Given that the words are chosen using a random physical process (dice) the only possible attack is brute force -- with a sufficiently long passphrase, good luck with that.

Quote
If you've used Diceware, a dictionary list is useless. The procedure you're describing is the same one employed by the U.S. Secret Service, i.e. using Access Data's Distributed Network Attack (DNA).  A 9 or 10 word Diceware passphrase makes that all superfluous, from a technical point of view. Your only option then is to sweat it out of the suspect, and if they're smart they'll listen to their lawyer and keep their mouth shut.

I concede both points to you. Even with the advent of rainbow cracking and tuned-up GPU machines, using a diceware'd phrase is fairly secure. Although they are not truly entropic algorithms, researchers are closing in fast on the algorithms Diceware and other similar services use. This is where a lot of people screw up, they get lazy and are not vigilant with their passphrases. Also, if you're in the U.S., keep your mouth SHUT. If you're in a place where no such option exists, plausible deniability and lean data is your best bet.

Diceware is not algorithmic, per se; rather it is a list of specially-chosen words -- 7,776 in all -- paired with dice-rolls.  One rolls 5 dice, reads the result, and looks up the corresponding word in the Diceware list. One repeats the process until the desired passphrase length/strength is achieved.  There is no algorithm to crack -- because the word order is based on a random physical process, it cannot be predicted (assuming the dice are fair, of course.)
See: http://www.diceware.com/

Here is a short excerpt from the Diceware word list:

 16655 clause
 16656 claw
 16661 clay
 16662 clean
 16663 clear
 16664 cleat
 16665 cleft
 16666 clerk
 21111 cliche
 21112 click
 21113 cliff
 21114 climb
 21115 clime
 21116 cling
 21121 clink
 21122 clint
 21123 clio
 21124 clip
 21125 clive
 21126 cloak
 21131 clock

The complete list contains 7776 short English words, abbreviations and easy-to-remember character strings. The average length of each word is about 4.2 characters. The biggest words are six characters long. The list is based on a longer word list posted to the Internet news group sci.crypt by Peter Kwangjun Suk. An alternative list, edited by Alan Beale, contains fewer Americanisms and obscure words. And there are lists for several other languages. You can also download the Diceware word list in PDF format or in PostScript format.
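The dice-code lookup and the entropy figures from this post (10 words giving about 129 bits, 16 mixed-case alphanumerics about 95), as an added Python example that is not from the thread or from diceware.com: the word-list excerpt is the constructed sample from the post, the base-6 mapping, the CSPRNG roll and the brute-force time estimate are my assumptions.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 five-dice codes, 11111 through 66666

# Constructed excerpt only; the real list maps every code, see diceware.com.
SAMPLE_WORDLIST = {
    "16655": "clause", "16656": "claw", "16661": "clay", "16662": "clean",
    "16663": "clear", "16664": "cleat", "16665": "cleft", "16666": "clerk",
    "21111": "cliche", "21112": "click", "21113": "cliff", "21114": "climb",
}


def dice_code_to_index(code: str) -> int:
    """Map a five-digit dice code (each digit 1-6) to its position 0..7775 in the
    list. The codes are base-6 numbers, which is why 16666 is followed by 21111."""
    if len(code) != 5 or any(ch not in "123456" for ch in code):
        raise ValueError(f"not a five-dice code: {code!r}")
    index = 0
    for ch in code:
        index = index * 6 + (int(ch) - 1)
    return index


def index_to_dice_code(index: int) -> str:
    """Inverse of dice_code_to_index."""
    if not 0 <= index < DICEWARE_LIST_SIZE:
        raise ValueError("index out of range")
    digits = []
    for _ in range(5):
        index, remainder = divmod(index, 6)
        digits.append(str(remainder + 1))
    return "".join(reversed(digits))


def roll_dice_code() -> str:
    """Five die rolls from the OS CSPRNG, standing in for physical dice."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def passphrase_from_codes(codes, wordlist) -> str:
    """Look each code up in the word list and join the words with spaces."""
    return " ".join(wordlist[code] for code in codes)


def diceware_entropy_bits(num_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Each uniformly chosen word contributes log2(list_size), about 12.9 bits."""
    return num_words * math.log2(list_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from a charset
    (62 for mixed-case letters plus digits)."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every passphrase of the given entropy at a fixed guess rate;
    the expected time to hit the right one is half this."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("10 Diceware words:", round(diceware_entropy_bits(10), 1), "bits")
    print("16 chars of [A-Za-z0-9]:", round(charset_entropy_bits(16, 62), 1), "bits")
    print("years to exhaust 10 words at 1e12 guesses/s:",
          f"{years_to_exhaust(diceware_entropy_bits(10), 1e12):.2e}")
```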

Title: Re: Computer Forensics Investigator here - any questions?
Post by: quietgirl79 on October 09, 2012, 06:20 am
Thank you, alonetraveler, for your input, I hope you are here for benevolent reasons...  Thank you too Nighthawk, this gal knows very little but believes in freedom (privacy, use of one's body, and otherwise).

So here is a question, well several really.

What is the safest way to get bitcoins?  And by that I suppose I mean anonymous?

Is using bitinstant->blockchain->instawallet->BTCWallet safe?

And finally, how risky do y'all think it is for a person to order small amounts of illicit things for personal use?  I'm hoping SR will be a safer place than the streets..
Title: Re: Computer Forensics Investigator here - any questions?
Post by: alonetraveler on October 09, 2012, 07:23 am
Nightcrawler - thanks for the clarification, I confused diceware with a different service. The main weakness in all of these is the passphrase. You have to commit them to memory because convenience and laziness will get you caught.

What is the safest way to get bitcoins?  And by that I suppose I mean anonymous?
Is using bitinstant->blockchain->instawallet->BTCWallet safe?

I would say your method is sound for now :-) Obviously, you just have to distance your initial transactions from anything that you can link to you IRL. Do this all from a secured computer as well.

And finally, how risky do y'all think it is for a person to order small amounts of illicit things for personal use?  I'm hoping SR will be a safer place than the streets..

Just like in real life, you inherit all the risk. With SR, you have to have the material shipped to a secure location you have access to. Although it is definitely safer than the streets, I am very wary of purchasing consistently from this site due to its popularity and the huge target it has on its back from the U.S. There are other places that are not as clean as SR, but I won't divulge that info just yet.

Also, I am here for benevolent purposes :-)

From a PM I received:
Quote
hi, Could you use a truecrypt partition that has a linux image that you could load through windows, that you use to access SR?

This way you don't have to boot into a USB drive every time you want to use SR?

First of all, I thoroughly suggest you sacrifice convenience by using a linux boot CD. With a boot CD, you're greatly minimizing the risk of leaving anything on your hard drive (which I also recommend removing when doing your business). You have to adjust your mindset which is another process in itself.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: quietgirl79 on October 09, 2012, 07:41 am
Lions, tigers, and bears..seems like there is danger everywhere when all I'd like to do is live my life in peace, without even a need to defend myself or hurt others..

Thanks for your post though, alonetraveler.. I suppose I will just have to research and learn to protect myself..  SR is a wild place I've come to find.. I spent a solid month just lurking around before even daring to make a post.  I definitely could use some friends... but I am afraid and also making one's footprint small means not having a presence I suppose.. which means maybe I shouldn't even be posting @_@

I'll do some poking around about other sites with less negative attention..though as I have found all new exploration seems to come with risk and some loss, until you learn the rules or what have you.. :\

Title: Re: Computer Forensics Investigator here - any questions?
Post by: quietgirl79 on October 09, 2012, 07:51 am
I do hope benevolent experts will stick around though, as I always have questions..

Like..does spamming "switch tor identity" every so often actually do anything to help safety..?  Or am I sticking out whenever I do that? 

I have heard that it is suspicious to some that one is running tor at all, which doesn't seem fair as I have some geeky friends that like to run tor or mess around with computer security stuff as a hobby..
Title: Re: Computer Forensics Investigator here - any questions?
Post by: quietgirl79 on October 09, 2012, 08:00 am
Just like in real life, you inherit all the risk. With SR, you have to have the material shipped to a secure location you have access to. Although it is definitely safer than the streets, I am very wary of purchasing consistently from this site due to its popularity and the huge target it has on its back from the U.S. There are other places that are not as clean as SR, but I won't divulge that info just yet.

Also, I am here for benevolent purposes :-)

Yeah.. I suppose it wouldn't be right to lie to someone and tell them they'll be okay, when they really might not.. I guess what I mean is.. what size "fish" would I need to be for it not to be worth it to catch me?
Title: Re: Computer Forensics Investigator here - any questions?
Post by: Methylparaben on October 09, 2012, 11:00 am
I boot Liberte from a usb onto a netbook with no OS on the hard drive.  Is that as good as having no hard drive?
Title: Re: Computer Forensics Investigator here - any questions?
Post by: johnmtl on October 09, 2012, 11:50 am
Let's say I use a normal laptop.... (please keep in mind I am not a computer guy when answering)

Is there any way to mess up my laptop in case of a raid?

Will throwing it in a river help??

Can I pour bleach all over it?

Smash it with a hammer??

What can I do to make sure my shit's safe is basically what I'm asking. I use this computer for many things, Tor related and not, and don't want to go to jail because my computer put me away.   ;)

Also if I can't make it safe,.. that's ok too.. I will take what I need from it and it will end up 100 feet deep in a river in a few days....

But...

Once that's done... what then.. I need a way to be safe?!?!?

Please help..
Title: Re: Computer Forensics Investigator here - any questions?
Post by: Errl_Kushman on October 09, 2012, 01:04 pm
I've been in the Information Security and Digital Forensics fields for almost 15 years, both federal and private sectors. I would like to know what burning questions or concerns you have when someone like me has access to your computers and/or mobile devices.

The first piece of advice I can give you is to always do your business off of a live, linux-based CD. For those in the US, buy a laptop off of Craigslist, remove the hard drive and exclusively use boot CDs. You will also want to regularly change the MAC address of the network device you are using. Also, NEVER use a wifi hotspot that has cameras. In the offhand chance that we are able to track down your activities to a specific place, we have and will use the business's security cameras to identify you if you're a suspect.

If in the event you or your friends come to pay me a visit, if I'm able to get dban (dban.org) booted and running before you can touch my machine... Provided that's my only dirty machine, will you have any success?

Maybe I'm wrong about "you or your friends" paying me a visit. Do you pay me a visit or do the local cops come grab  stuff and hand it over to you?
Title: Re: Computer Forensics Investigator here - any questions?
Post by: ChemicalFreedom on October 09, 2012, 02:27 pm
alonetraveler, thanks so much for sharing your knowledge.

I currently run a clean version of TAILS with no persistence off a bootable USB.
Q. What are the advantages to running off a CD instead (I would assume it's not writable?)? I do prefer the USB as it's small, fits in my pocket and has no information on it...just TAILS

I store all my sensitive information on a micro-sd card, encrypted within a hidden Truecrypt volume and with a bunch of homosexual midget porn on the non-hidden portion. I am under the impression this gives me plausible deniability...and worst comes to worst if I was in a country where the rubber-hose is more popular than the rubbery arms of justice...I can eat it! :)
Q. Assuming I have a strong passphrase (And I do: entropy = 210)...and assuming I was going down for pretty serious crimes, (let's say plotting to blow up the parliament Guy Fawkes style)...how long would a forensic team spend attempting to brute-force until they gave up? Theoretically how long would it take to crack?

Much appreciated and cheers for your contribution to a freer world!!

Chemical Freedom
Title: Re: Computer Forensics Investigator here - any questions?
Post by: Errl_Kushman on October 09, 2012, 02:44 pm

Q. Assuming I have a strong passphrase (And I do: entropy = 210)...and assuming I was going down for pretty serious crimes, (let's say plotting to blow up the parliament Guy Fawkes style)...how long would a forensic team spend attempting to brute-force until they gave up? Theoretically how long would it take to crack?

And as somewhat of a follow up -- what type of "cases" did you see? Were you being called in NCIS style to crack the encryption of foreign states, or were you being utilized as a "Star witness" used to testify that so and so  used their computer to search for a victim on craigslist prior to killing them?

I'm trying to get a better understanding of exactly when a guy like you gets involved. Assuming you're not a free resource, there must be some level of threat/importance met before you're involved?
Title: Re: Computer Forensics Investigator here - any questions?
Post by: ChemicalFreedom on October 09, 2012, 04:09 pm

Q. Assuming I have a strong passphrase (And I do: entropy = 210)...and assuming I was going down for pretty serious crimes, (let's say plotting to blow up the parliament Guy Fawkes style)...how long would a forensic team spend attempting to brute-force until they gave up? Theoretically how long would it take to crack?

And as somewhat of a follow up -- what type of "cases" did you see? Were you being called in NCIS style to crack the encryption of foreign states, or were you being utilized as a "Star witness" used to testify that so and so  used their computer to search for a victim on craigslist prior to killing them?

I'm trying to get a better understanding of exactly when a guy like you gets involved. Assuming you're not a free resource, there must be some level of threat/importance met before you're involved?

Good point. There seems to be a balance between anonymity and practicality. While I'd like to have a dedicated hard-drive-less laptop strapped to a thermite block...such behaviour is likely to keep you less anonymous in real life (my housemates would probably wonder why I'm rigging explosives up to my desk). Online, I try and keep myself as anonymous as possible...while offline I try and blend in as much as possible. Regular laptop...used for both private and public lives...not ideal, but I enjoy my life a hell of a lot more.

Also, on occasion I back up my encrypted files to a cloud service (I tend to lose things regularly so enjoy a bit of redundancy). Not ideal from a security viewpoint, but more practical.

I'm not blowing up parliaments...but if I did, I'd no doubt be a shitload more security conscious.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: kmfkewm on October 10, 2012, 06:02 am
I think SSD is perfectly safe as long as you encrypt it before putting any sensitive information on it. Throwing a laptop in the river, pouring bleach on it or smashing it up will not help you in the event of a raid. Your best option is to power it off, and have it fully encrypted.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: painbow on October 10, 2012, 06:54 am
Having drugs mailed to you is not illegal in itself unless you accept and sign for the package, I assume.

Let's say one of your packages gets intercepted. The package comes to your house but you do not accept it or sign for it.   It's a relatively small amount of drugs but LE still manages to get a search warrant for your house.

After searching through your house, they don't find any drugs but they do find your Linux Live-CD with a laptop that has no harddrive.  They also find some digital scales.  They could also get a court order for your ISP to release your internet activity and find out that you've been using Tor quite a lot.

Is that enough evidence to prosecute you in court?
Title: Re: Computer Forensics Investigator here - any questions?
Post by: landmark on October 10, 2012, 07:05 am
How do you make it look like you're not using Tor?
Title: Re: Computer Forensics Investigator here - any questions?
Post by: spegrodomous on October 10, 2012, 07:08 am
signing to keep up.

---
Title: Re: Computer Forensics Investigator here - any questions?
Post by: mrgrey on October 10, 2012, 07:12 am
can you rate my setup

I use a tap into a WPA2 wifi, then a VPN, then use Proxifier, to get to Tor.

I run this on a TrueCrypted laptop, inside the TrueCrypt is another TrueCrypt container and inside that is another container, inside all this stuff is my Tor, Proxifier, etc...

any suggestions?
Title: Re: Computer Forensics Investigator here - any questions?
Post by: shiznit on October 10, 2012, 10:55 am
AdvOR or TOR+ vidalia etc......
Title: Re: Computer Forensics Investigator here - any questions?
Post by: sourman on October 10, 2012, 11:44 am
Is EnCase still the software of choice for LE digital forensics? I'd love to get my hands on the latest version, even though it's probably still just a glorified disk editor with speshul case building features.

I'd also like to get your opinion on EFS encrypted files. Is there a point to using EFS in Windows XP/7 if the partition is already encrypted? Assuming the password to the account that the EFS keys were derived from is strong and all basic exploits are closed (syskey, SAM file copies) is this windows file encryption still reasonably secure? EFS encrypted files can be a huge pain in the ass to get at via remote network exploits, at least in my experience. It's not a solution but IMO it's an easily implemented deterrent.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: kmfkewm on October 10, 2012, 11:53 am
AdvOR or TOR+ vidalia etc......

All of the Tor devs suggest avoiding AdvOR like the plague.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: drdroopy on October 10, 2012, 06:33 pm
Question: I stupidly used TOR and went on the road using my regular Windows PC for the first month I was on the road. I have since learned more secure ways of doing so and deleted all files associated with TOR and the road from my computer, and I also ran file shredder on the drive. Should that clean up any leftover data for the most part, or should I do more?
Title: Re: Computer Forensics Investigator here - any questions?
Post by: modziw on October 10, 2012, 06:53 pm
I sure hope he comes back... Seems like such a nice fellow.

Modzi
Title: Re: Computer Forensics Investigator here - any questions?
Post by: DayDreamer on October 11, 2012, 08:01 am
maybe he got busted by his LE buddies for leaking sensitive information?
although considering he is a computer forensics expert, he should have been able to secure himself pretty well against such things..
Title: Re: Computer Forensics Investigator here - any questions?
Post by: shiznit on October 11, 2012, 08:07 am
maybe he got busted by his LE buddies for leaking sensitive information?
although considering he is a computer forensics expert, he should have been able to secure himself pretty well against such things..

your first sentence was funny as hell.

the second sentence ruined it :(
Title: Re: Computer Forensics Investigator here - any questions?
Post by: DayDreamer on October 11, 2012, 09:52 am
maybe he got busted by his LE buddies for leaking sensitive information?
although considering he is a computer forensics expert, he should have been able to secure himself pretty well against such things..

your first sentence was funny as hell.

the second sentence ruined it :(


 ;D ;D ;D
Title: Re: Computer Forensics Investigator here - any questions?
Post by: alonetraveler on October 11, 2012, 09:24 pm
Still here, just checking in and looks like I have to set aside some time to answer these questions. One thing I will answer now in this brief moment is that DBAN/eraser/any other disk wiping software is great if you have a small storage device and regularly use it, otherwise when they knock on that door and you start running DBAN on your hard drive, it will take several hours to completely wipe it even if it's just a single pass run. The mantra is KEEP YOUR DATA LEAN.

I've been on hiatus, work related, but will be back to answer these questions. As for how to best do your business anonymously, there are several ways to do so that have already been thoroughly discussed in different threads. I will re-read those threads to address some concerns, mainly that we have been able to recover info from the swap space on Liberte drives recently if we catch it in time. Anything that writes to a disk is risky and is why I advocate for a boot CD, which is read-only.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: sourman on October 12, 2012, 12:33 am
^^Thanks for taking the time to address our concerns!

Yeah, wiping a modern HDD takes hours and will not help during a police raid. You might destroy the file tables and partition information, but that will only piss them off. Booting from read-only media is the way to go for sure.

I'd even go one step further and recommend that one use a separate PC without any storage at all. Just a DVD-ROM or USB and some RAM. No hard drives or anything else. Set a CMOS password and disable quick POST so that BIOS will automatically begin to "wipe" the RAM on every reboot.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: Errl_Kushman on October 12, 2012, 12:57 am
Set a CMOS password and disable quick POST so that BIOS will automatically begin to "wipe" the RAM on every reboot.

That's another good tidbit. That's one of those real quick changes now that could save your ass in the future.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: modziw on October 12, 2012, 02:02 am

Still here, just checking in and looks like I have to set aside some time to answer these questions ... but will be back to answer these questions.


We all really appreciate your time and efforts. Please do revisit us again and again.

Set up a bitcoin wallet in your sig so we can donate you beer every now and again!

The one in-a-thousand souls as brave as you make me feel that liberty can survive.

:)


Modzi
Title: Re: Computer Forensics Investigator here - any questions?
Post by: L0Ki on October 12, 2012, 02:50 am
Buy an old DirectTV or DishNetwork satellite dish off eBay or Craigslist and build yourself a nice Bi-Quad Wifi antenna! Attach this antenna to a compatible wireless adapter. Now using your HDDless laptop.... boot your Linux LiveCD! (Try BackTrack5). If you aren't familiar or comfortable with using the terminal, or are just new to network exploitation, then just open up Gerix. Proceed to crack all the WEP networks available! WPA2 requires a bit more work, but with your awesome looooooonnnnggggg range antenna you can just switch between networks as you please ;) Try adjusting the dish and monitor how a network's signal strength increases or degrades based on line of sight / distance factors. This will give you a good idea as to the general direction where these networks are located, but without knowing the build quality of your Bi-Quad it is difficult to give a decent estimate on the farthest distance some of the networks may be. Your ideal / safest targets should be mid range to low strength (not too low that you can't connect!) signals since they will tend to be quite a bit farther away. Make sure to alter the dish to see if it's just a network that had poor signal strength due to being an outlier of the antenna's line of sight. Remember, they most likely will not notice you utilizing their network connection (especially if they are still using WEP ;) ), but you don't want to be in visible range of the location so as not to bring unnecessary attention to your sketchy looking satellite dish.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: oxa101 on October 12, 2012, 06:23 am
Upon reading this information, I now know I need a new computer setup like the one you listed.  This isn't easy for someone that isn't great with computers.  I should simply buy a brand new computer and get it set up this way right off the bat.  Any brands/models you'd recommend? 

Also, I have a Macbook Pro that I've been using.  Should I trash it (make sure hard drive is destroyed) or can I COMPLETELY wipe it clean somehow?  It works fine, but I really don't want information to be able to be accessed against my will if something were to happen sometime in the future. 

This is a great thread and it's definitely lit a fire under me to get on top of this.....thanks
Title: Re: Computer Forensics Investigator here - any questions?
Post by: thebakertrio on October 12, 2012, 06:43 am
Just marking this thread to read later  :o Thanks alonetraveler
Title: Re: Computer Forensics Investigator here - any questions?
Post by: aliveandstillhere on October 12, 2012, 08:39 am
How about the slack space in the computer's hard drive and in the static memory? If wiping your drive can't get rid of the slack space, what good is it to wipe it?
Title: Re: Computer Forensics Investigator here - any questions?
Post by: sourman on October 12, 2012, 11:07 am
Wiping an entire partition will get rid of all data, including slack space.

The only time slack comes into play is during a free space wipe. Not all disk wiping software allows you to clear slack space during a free space wipe. Eraser is a good freeware app that takes care of that.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: NotMe123 on October 12, 2012, 01:06 pm
^^Thanks for taking the time to address our concerns!

Yeah, wiping a modern HDD takes hours and will not help during a police raid. You might destroy the file tables and partition information, but that will only piss them off. Booting from read-only media is the way to go for sure.

I'd even go one step further and recommend that one use a separate PC without any storage at all. Just a DVD-ROM or USB and some RAM. No hard drives or anything else. Set a CMOS password and disable quick POST so that BIOS will automatically begin to "wipe" the RAM on every reboot.

Would placing your laptop on top of a subwoofer magnet wipe the drive enough to make it useless to LE? If so, will this also wipe any chips and make the laptop unusable?
Title: Re: Computer Forensics Investigator here - any questions?
Post by: waynegretski on October 12, 2012, 05:10 pm
Okay so it has been expressed quite a few times that the best way to protect yourself would be to run a laptop with no hard drive and run liberte linux off of a liveCD. It has been further suggested that enabling a bios password and disabling "quick" boot could be beneficial as well.

Therefore, we can conclude that if you are not running the configuration listed above then you are not protecting yourself as much as you could possibly be. (With the exception for those confident in computer security who are qualified to make decisions that may impact their freedom in the future).
Title: Re: Computer Forensics Investigator here - any questions?
Post by: raven92 on October 12, 2012, 06:30 pm
^^Thanks for taking the time to address our concerns!

Yeah, wiping a modern HDD takes hours and will not help during a police raid. You might destroy the file tables and partition information, but that will only piss them off. Booting from read-only media is the way to go for sure.

I'd even go one step further and recommend that one use a separate PC without any storage at all. Just a DVD-ROM or USB and some RAM. No hard drives or anything else. Set a CMOS password and disable quick POST so that BIOS will automatically begin to "wipe" the RAM on every reboot.

Would placing your laptop on top of a subwoofer magnet wipe the drive enough to make it useless to LE? If so, will this also wipe any chips and make the laptop unusable?

Quite unlikely, but you can get a nice powerful magnet by taking your hard drive apart. Be careful though, you could easily hurt yourself quite badly if you get something pinched by it.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: kmfkewm on October 12, 2012, 06:35 pm
Okay so it has been expressed quite a few times that the best way to protect yourself would be to run a laptop with no hard drive and run liberte linux off of a liveCD. It has been further suggested that enabling a bios password and disabling "quick" boot could be beneficial as well.

Therefore, we can conclude that if you are not running the configuration listed above then you are not protecting yourself as much as you could possibly be. (With the exception for those confident in computer security who are qualified to make decisions that may impact their freedom in the future).

That is a pretty big jump you just made to that conclusion. There are all kinds of secure configurations. I feel confident enough in cryptography and my ability to deny knowing a passphrase. Shortly after the power is cut, a fully encrypted hard disk with a live CD in the drive is just as good as a hard disk that has been wiped with randomness with a live CD in the drive.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: 1100101 on October 12, 2012, 07:12 pm
signing
Title: Re: Computer Forensics Investigator here - any questions?
Post by: modziw on October 12, 2012, 08:14 pm
Okay so it has been expressed quite a few times that the best way to protect yourself would be to run a laptop with no hard drive and run liberte linux off of a liveCD. It has been further suggested that enabling a bios password and disabling "quick" boot could be beneficial as well.

Therefore, we can conclude that if you are not running the configuration listed above then you are not protecting yourself as much as you could possibly be. (With the exception for those confident in computer security who are qualified to make decisions that may impact their freedom in the future).

That is a pretty big jump you just made to that conclusion. There are all kinds of secure configurations. I feel confident enough in cryptography and my ability to deny knowing a passphrase. Shortly after the power is cut, a fully encrypted hard disk with a live CD in the drive is just as good as a hard disk that has been wiped with randomness with a live CD in the drive.


Until you've stared down a double barreled grand jury, you don't know whether or not you'll give up that passphrase.

modzi
Title: Re: Computer Forensics Investigator here - any questions?
Post by: johnmtl on October 12, 2012, 08:21 pm
I want to thank this thread and the OP for the info provided here...

after much deliberation i have decided to pull an applebaum..

I will be signing off tonight for the last time from this computer and when I come back in a week or so I will be running my own 100% harddrive-less laptop.

See you guys soon, and THANKS once again.

John  8)
Title: Re: Computer Forensics Investigator here - any questions?
Post by: waynegretski on October 12, 2012, 08:42 pm
Okay so it has been expressed quite a few times that the best way to protect yourself would be to run a laptop with no hard drive and run liberte linux off of a liveCD. It has been further suggested that enabling a bios password and disabling "quick" boot could be beneficial as well.

Therefore, we can conclude that if you are not running the configuration listed above then you are not protecting yourself as much as you could possibly be. (With the exception for those confident in computer security who are qualified to make decisions that may impact their freedom in the future).



That is a pretty big jump you just made to that conclusion. There are all kinds of secure configurations. I feel confident enough in cryptography and my ability to deny knowing a passphrase. Shortly after the power is cut, a fully encrypted hard disk with a live CD in the drive is just as good as a hard disk that has been wiped with randomness with a live CD in the drive.


Until you've stared down a double barreled grand jury, you don't know whether or not you'll give up that passphrase.

modzi

Exactly, if there is no encrypted data it's cut and dry: there is nothing to give up, there is nothing to talk about or charge you with. They will have less on you. In some vendor cases encryption is most likely 100% necessary, but I am just a buyer so I do not need to save anything; I can keep it all in my head.



Respect to kmfkewm
Title: Re: Computer Forensics Investigator here - any questions?
Post by: modziw on October 13, 2012, 03:40 am
after much deliberation i have decided to pull an applebaum.. I will be signing off tonight for the last time from this computer and when I come back in a week or so I will be running my own 100% harddrive-less laptop.

Ahhh the soothing salve of the AppleBalm.


Modzi
Title: Re: Computer Forensics Investigator here - any questions?
Post by: kmfkewm on October 13, 2012, 09:00 am
Okay so it has been expressed quite a few times that the best way to protect yourself would be to run a laptop with no hard drive and run liberte linux off of a liveCD. It has been further suggested that enabling a bios password and disabling "quick" boot could be beneficial as well.

Therefore, we can conclude that if you are not running the configuration listed above then you are not protecting yourself as much as you could possibly be. (With the exception for those confident in computer security who are qualified to make decisions that may impact their freedom in the future).

That is a pretty big jump you just made to that conclusion. There are all kinds of secure configurations. I feel confident enough in cryptography and my ability to deny knowing a passphrase. Shortly after the power is cut, a fully encrypted hard disk with a live CD in the drive is just as good as a hard disk that has been wiped with randomness with a live CD in the drive.


Until you've stared down a double barreled grand jury, you don't know whether or not you'll give up that passphrase.

modzi

Considering that they won't even be able to tell if there is a passphrase, and since giving up the passphrase could only possibly hurt me, I am pretty confident that I would not give up the passphrase lol.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: qudoze on October 13, 2012, 11:07 am
So if the whole hard drive is encrypted and there's no unencrypted partitions on it like a boot partition, it's not possible to tell whether it has encrypted data or it was wiped?
Is Truecrypt capable of this?

OP wrote:
We can tell the difference from day to day data randomly placed on the drive to actual randomized/encrypted data. There are also several algorithms available to us to determine if an encrypted volume exists on the hard drive once we seize it. From that point on it's a matter from building dictionary lists from the seized drive and brute-forcing the volume or from leaning heavily on you for it.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: Errl_Kushman on October 13, 2012, 11:14 am
Okay so it has been expressed quite a few times that the best way to protect yourself would be to run a laptop with no hard drive and run liberte linux off of a liveCD. It has been further suggested that enabling a bios password and disabling "quick" boot could be beneficial as well.

Therefore, we can conclude that if you are not running the configuration listed above then you are not protecting yourself as much as you could possibly be. (With the exception for those confident in computer security who are qualified to make decisions that may impact their freedom in the future).

That is a pretty big jump you just made to that conclusion. There are all kinds of secure configurations. I feel confident enough in cryptography and my ability to deny knowing a passphrase. Shortly after the power is cut, a fully encrypted hard disk with a live CD in the drive is just as good as a hard disk that has been wiped with randomness with a live CD in the drive.


Until you've stared down a double barreled grand jury, you don't know whether or not you'll give up that passphrase.

modzi

Considering that they won't even be able to tell if there is a passphrase, and since giving up the passphrase could only possibly hurt me, I am pretty confident that I would not give up the passphrase lol.

Correct me if I am wrong, but not divulging your password is about as illegal as contempt of court. If someone were to give out the password, the decrypted data could and probably would be far more legal trouble than refusing to talk.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: dreamxweaver on October 13, 2012, 11:27 am
Ok, so after reading this thread I decided I needed a laptop with no HD and liberte on a USB stick with read only (which makes it identical to a bootable read only cd, right?).

Then I went to a website to check my stealth. Well, the IP address is not mine of course, but it says that the TCP and UDP are not stealthed.

Does this matter? I can not find a firewall within liberte, which seems weird to me since it's supposed to be ultra stealthy. Wouldn't my MAC address be traceable this way?
Then again I am confused as to why this is better, since using the tor network alone is supposed to be anonymous. Or is it pseudo anonymous? If so, why?


I also wonder about when computer forensics investigators are called in to do a job. What is the minimum of criminal activity a person had to commit before they get watched? And if they do get watched, what gets watched? Browsing history? Email like gmail or hotmail? Facebook? Entered mobile numbers and phones?
Is it possible to get caught with something by using tor on windows, if so, how? And how is it when one uses different identities all the time?

I guess a person like yourself, aloneinthedark, would be a perfect candidate to be a target for spreading information?
Title: Re: Computer Forensics Investigator here - any questions?
Post by: johnmtl on October 13, 2012, 12:33 pm
after much deliberation i have decided to pull an applebaum.. I will be signing off tonight for the last time from this computer and when I come back in a week or so I will be running my own 100% harddrive-less laptop.

Ahhh the soothing salve of the AppleBalm.


Modzi

It's really the only option for me that makes any sense. I wish there was another way, but being a vendor on here just makes me extra paranoid.
I don't want to put me or any of my clients at risk, and the only real way of doing that is using a usb drive.

Just some heads up... for anyone out here who may be reading this and decides to go get one of those cheap 200$ harddrive-less laptops, think again... those do indeed have a small hard drive that will keep caches of what you do and where you go...

This new setup is gonna cost me over 2 grand easy with the cost of the new laptop and all, but better safe than sorry!

Anyways... STAY SAFE PPL!

Title: Re: Computer Forensics Investigator here - any questions?
Post by: kmfkewm on October 13, 2012, 01:57 pm
So if the whole hard drive is encrypted and there's no unencrypted partitions on it like a boot partition, it's not possible to tell whether it has encrypted data or it was wiped?
Is Truecrypt capable of this?

OP wrote:
We can tell the difference from day to day data randomly placed on the drive to actual randomized/encrypted data. There are also several algorithms available to us to determine if an encrypted volume exists on the hard drive once we seize it. From that point on it's a matter from building dictionary lists from the seized drive and brute-forcing the volume or from leaning heavily on you for it.

Encrypted data is indistinguishable from random data; unless there is a flaw in the encryption software being used, it is impossible to tell the difference between a fully encrypted drive and a drive that has been wiped with random data. Encrypting a drive's entire contents with a random key is equivalent to wiping it with a PRNG (of course you actually need to encrypt the entire drive's contents, not just encrypt new data).
Title: Re: Computer Forensics Investigator here - any questions?
Post by: kmfkewm on October 13, 2012, 02:00 pm
Although you do bring up a good point, you still need a boot partition somewhere.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: GiveItASniff on October 13, 2012, 07:45 pm
And yes, the U.S. does archive a crazy amount of info on you.

Could you please elaborate on this? What kind of info are they collecting?
Title: Re: Computer Forensics Investigator here - any questions?
Post by: GiveItASniff on October 13, 2012, 08:39 pm
Has everyone read about the "Utah Data Center"?

SCARY SHIT

Search it on google!
Title: Re: Computer Forensics Investigator here - any questions?
Post by: qudoze on October 13, 2012, 11:23 pm
Although you do bring up a good point, you still need a boot partition somewhere.

Like a Live CD that you already mentioned, isn't that enough? A legit system can be kept on another drive, so the lonely "empty" drive won't raise any questions; the illegal system can be booted from Live CD and the fully encrypted drive can be used as persistent storage.

So is Truecrypt capable of doing an FDE like this?
Does it matter which algorithm is used?
Any other things to do or is this a simple FDE with the usual options, the only difference being there is no boot sector or other unencrypted partitions on the disk?
Title: Re: Computer Forensics Investigator here - any questions?
Post by: sourman on October 13, 2012, 11:28 pm
Although you do bring up a good point, you still need a boot partition somewhere.

Some users opt to clear their Full Disk Encryption boot loaders and store them on a CD. Either that or they simply use the recovery CD generated during the encryption process as the boot loader for that partition. As long as one has encrypted backups of the CD, it's not a bad idea. They will still contain data exclusive to your partition but I'm not sure if there's a practical way to prove it without the passphrase and thus the master key.

Quote
Like a Live CD that you already mentioned, isn't that enough? A legit system can be kept on another drive, so the lonely "empty" drive won't raise any questions; the illegal system can be booted from Live CD and the fully encrypted drive can be used as persistent storage.

The Live CD will contain everything you need, including a boot loader. K was referring to FDE partitions that have the boot loader--the only unencrypted area of the partition--stored on a separate medium so that the FDE drive cannot easily be distinguished from random data.

If you're using a CD you will have to encrypt the hard drive first (as a regular partition not a system partition) and then copy truecrypt or whatever software onto the new CD along with any keys. Then you can access the drive from said Live CD and it will look like random data to everyone else (no boot loaders). Personally, I recommend taking out the hard drive completely and just using a flash drive instead of a CD to host the confidential OS. That way you can permanently store a nice amount of data and not worry about your adversary trying to modify a few bits on the HDD in an attempt to "mark" you.
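An added example, not from the thread or any of its posters, to illustrate two points made above: kmfkewm's claim that ciphertext and PRNG output are statistically indistinguishable, and sourman's caveat that what actually distinguishes an FDE drive is plaintext structure such as an on-disk boot loader. It scans a constructed 20 KiB disk image; the entropy/chi-square thresholds and the SHA-256 counter-mode keystream (a stand-in for a real disk cipher such as XTS-AES) are this example's assumptions.

```python
"""Added example (not from the thread): a small forensic entropy scan over a
constructed disk image. It shows why a statistical test cannot separate
ciphertext from PRNG output, and that an on-disk boot loader is what marks
a full-disk-encrypted drive as such."""
import hashlib
import math
import os
from collections import Counter

SECTOR = 512
BLOCK = 4096  # analysis granularity: eight sectors


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the ceiling for uniform random bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def chi_square(buf: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform
    distribution. Random input scores about 255 (255 degrees of freedom);
    text, code and filesystem metadata score far higher."""
    expected = len(buf) / 256
    counts = Counter(buf)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def classify_block(buf: bytes) -> str:
    """'empty' (a single repeated byte), 'structured' (plaintext or
    metadata) or 'random' (ciphertext or PRNG output, indistinguishable)."""
    h = shannon_entropy(buf)
    if h == 0.0:
        return "empty"
    # Thresholds are this example's assumption for 4 KiB blocks: random data
    # sits near 7.95 bits/byte with chi-square 255 +/- 23, so 100..450 is a
    # window roughly seven standard deviations wide.
    if h >= 7.85 and 100.0 <= chi_square(buf) <= 450.0:
        return "random"
    return "structured"


def scan_image(image: bytes, block_size: int = BLOCK) -> list:
    """Classify every block of the image, in disk order."""
    return [classify_block(image[i:i + block_size])
            for i in range(0, len(image), block_size)]


def has_mbr_signature(sector0: bytes) -> bool:
    """A conventional MBR ends in 0x55 0xAA at bytes 510-511. A drive whose
    boot loader lives on a CD or USB stick, as sourman describes, lacks it."""
    return len(sector0) >= SECTOR and sector0[510:512] == b"\x55\xaa"


def assess(image: bytes) -> str:
    """What an examiner can and cannot conclude from the scan alone."""
    labels = scan_image(image)
    if "random" not in labels:
        return "no high-entropy regions"
    if has_mbr_signature(image[:SECTOR]):
        return "high-entropy regions plus on-disk boot loader: FDE volume likely"
    return "high-entropy regions only: encrypted volume or PRNG wipe, cannot tell"


def ctr_keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Illustrative stream cipher: SHA-256 in counter mode as the keystream.
    It stands in for a real disk cipher (TrueCrypt uses XTS) so the example
    needs no third-party library; encrypting twice with the same key decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def build_sample_image(with_bootloader: bool) -> bytes:
    """Constructed 20 KiB image, not from any real drive:
    [boot sector + zeros][never-written zeros][text][ciphertext][urandom]."""
    code = bytes(range(256)) + bytes(range(254))            # 510 bytes of "code"
    code += b"\x55\xaa" if with_bootloader else b"\x00\x00"
    block0 = code + b"\x00" * (BLOCK - SECTOR)
    block1 = b"\x00" * BLOCK                                # sectors never written
    text = b"The quick brown fox jumps over the lazy dog. "
    block2 = (text * (BLOCK // len(text) + 1))[:BLOCK]     # ordinary file data
    block3 = ctr_keystream_encrypt(b"constructed-demo-key", block2)  # same text, encrypted
    block4 = os.urandom(BLOCK)                              # what a /dev/urandom wipe leaves
    return block0 + block1 + block2 + block3 + block4


if __name__ == "__main__":
    for flag in (True, False):
        img = build_sample_image(flag)
        for i, lbl in enumerate(scan_image(img)):
            blk = img[i * BLOCK:(i + 1) * BLOCK]
            print(f"block {i}: H={shannon_entropy(blk):.3f} chi2={chi_square(blk):8.1f} {lbl}")
        print("verdict:", assess(img))
```

Blocks 3 and 4 (encrypted text and raw urandom) get the same label either way; only the 0x55AA signature in sector 0 changes the verdict, which is the OP's "algorithms to determine if an encrypted volume exists" in its simplest form.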
Title: Re: Computer Forensics Investigator here - any questions?
Post by: comatose on October 14, 2012, 03:09 am
You mention knowing when a USB key is used, which I know is possible in windows, but is this true of linux as well? Is this also true when booting from a USB? You can't reasonably expect to find and analyze all USB keys used on that system. Are you just looking for recently used drives?

How effective are software based cleaners at wiping useful information off of a Windows system?

Perhaps anyone can chime in on this one, when law enforcement wants a password to something of interest, what if I legitimately have forgotten the password? No amount of "heat" will jog my memory, so what then? It seems like this is a plausible way to refuse giving up a password. Is there any case-law regarding this?

As others have asked, at what point are your services used? I'd imagine that as a seller, by the time I'm being investigated this closely that they've already gotten a great deal of evidence against me, even being able to identify me as such would mean they know far more than they should.

Looking forward to your answers, I have many more questions to follow as time allows.

On behalf of many, thank you!
Title: Re: Computer Forensics Investigator here - any questions?
Post by: GiveItASniff on October 14, 2012, 09:46 am
Can you track inkjet printers back to the owner the way you can track documents printed from color laser printers?

They absolutely can. It's called analytical chemistry.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: sweetbro on October 14, 2012, 09:57 am
three questions..


1.) ARE ANY "EVIDENCE ELIMINATOR" SOFTWARE PRODUCTS TOTALLY GARBAGE?
2.) IF TOR WAS INSTALLED ON A COMPUTER WITH WINDOWS ON THE HARDDRIVE CAN IT EASILY BE DISCOVERED WHAT YOU WERE LOOKING AT?
3.) ARE THOSE "TOTAL NUKE" STYLE HARDDRIVE FORMATTING SOFTWARE EFFECTIVE?
4.) IF YOU HAD A HARDDRIVE AND YOU HEARD THE COPS WERE COMING, IF YOU SMASHED THE CRAP OUT OF THE HARDDRIVE WITH A HAMMER OR THREW IT IN A FIREPLACE TO BURN, WOULD THEY BOTHER GOING TO THE EXPENSE OF LABORATORY DATA RETRIEVAL? FOR WHAT CRIMES WOULD THEY BOTHER AND WHAT WOULD A FEW HOURS IN A HOT FIRE/50 WHACKS WITH A HAMMER DO TO THE CHANCES OF RETRIEVAL?


sorry about caps
Title: Re: Computer Forensics Investigator here - any questions?
Post by: kmfkewm on October 14, 2012, 12:50 pm
Quote
1.) ARE ANY "EVIDENCE ELIMINATOR" SOFTWARE PRODUCTS TOTALLY GARBAGE?

MOST OF THEM ARE

Quote
2.) IF TOR WAS INSTALLED ON A COMPUTER WITH WINDOWS ON THE HARDDRIVE CAN IT EASILY BE DISCOVERED WHAT YOU WERE LOOKING AT?

IF YOU USE THE TBB AND HAVE RANDOM TEMPORARY KEY ENCRYPTED SWAP YOU SHOULD BE GOOD

Quote
3.) ARE THOSE "TOTAL NUKE" STYLE HARDDRIVE FORMATTING SOFTWARE EFFECTIVE?

SOME OF THEM ARE, I SUGGEST USING ATA SECURE ERASE

Quote
4.) IF YOU HAD A HARDDRIVE AND YOU HEARD THE COPS WERE COMING, IF YOU SMASHED THE CRAP OUT OF THE HARDDRIVE WITH A HAMMER OR THREW IT IN A FIREPLACE TO BURN, WOULD THEY BOTHER GOING TO THE EXPENSE OF LABORATORY DATA RETRIEVAL? FOR WHAT CRIMES WOULD THEY BOTHER AND WHAT WOULD A FEW HOURS IN A HOT FIRE/50 WHACKS WITH A HAMMER DO TO THE CHANCES OF RETRIEVAL?

IT WILL NOT HELP YOU AT ALL TO SMASH THE PLATTER WITH A HAMMER OR THROW IT INTO A FIREPLACE

sorry about all caps.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: a1eph on October 14, 2012, 02:11 pm
IT WILL NOT HELP YOU AT ALL TO SMASH THE PLATTER WITH A HAMMER OR THROW IT INTO A FIREPLACE

Because 1000-1500 degree temperatures won't destroy hard drives!!!
Title: Re: Computer Forensics Investigator here - any questions?
Post by: kmfkewm on October 14, 2012, 04:41 pm
IT WILL NOT HELP YOU AT ALL TO SMASH THE PLATTER WITH A HAMMER OR THROW IT INTO A FIREPLACE

Because 1000-1500 degree temperatures won't destroy hard drives!!!

Actually you are right, if you heat the drive that much it will probably wipe it. Initially I was thinking the melting point for aluminum is 1220F and for glass it can be much higher, but in reality the drive only needs to be heated until the magnetic substrate reaches its Curie temperature, at which point it should be equivalent to having randomly wiped it magnetically. But 1000-1500 might not be enough to melt a given platter; I know aluminum has a melting point of 1220F, not sure of the melting point of the glass sometimes used for drive platters, but a quick search shows glass melting points as ranging from about 1500F-4200F depending on the specific type.

I just did a bit of research on this though, and it doesn't matter if the platter melts because once something magnetic reaches its Curie temperature it is randomized. Wikipedia claims that '; the effect is reversible' but doesn't appear to detail how. So I guess my final answer is that perhaps raising the drive to that temperature will be enough to wipe it; I did a little research and found the Curie points of the magnetic substrates on platters as being a bit under 1000F, so unless that randomization can indeed be reversed somehow it seems like it would be secure.

Personally I would just use ATA secure erase or dban though.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: a1eph on October 14, 2012, 07:05 pm
Actually you are right, if you heat the drive that much it will probably wipe it. Initially I was thinking the melting point for aluminum is 1220F and for glass it can be much higher, but in reality the drive only needs to be heated until the magnetic substrate reaches its Curie temperature, at which point it should be equivalent to having randomly wiped it magnetically. But 1000-1500 might not be enough to melt a given platter; I know aluminum has a melting point of 1220F, not sure of the melting point of the glass sometimes used for drive platters, but a quick search shows glass melting points as ranging from about 1500F-4200F depending on the specific type.

I just did a bit of research on this though, and it doesn't matter if the platter melts because once something magnetic reaches its Curie temperature it is randomized. Wikipedia claims that '; the effect is reversible' but doesn't appear to detail how. So I guess my final answer is that perhaps raising the drive to that temperature will be enough to wipe it; I did a little research and found the Curie points of the magnetic substrates on platters as being a bit under 1000F, so unless that randomization can indeed be reversed somehow it seems like it would be secure.

Personally I would just use ATA secure erase or dban though.

Indeed. It wouldn't be ideal, but in a situation where it is your only choice, it would do enough unrecoverable damage.
Title: <removed>
Post by: StExo on October 14, 2012, 08:23 pm
<removed>
Title: Re: Computer Forensics Investigator here - any questions?
Post by: k141 on October 14, 2012, 10:59 pm
Damn you guys are making it too hard on yourself. If it's encrypted then dismount the thing, smash it to pieces with a hammer, maybe burn the thing and continue to smash it. Then, once that is done, take the little pieces and scatter them (easy, go to a bridge and throw them over, or take a long ride across the motorway and scatter a few pieces every minute or so, or attach them in a small bag to a firework, send it up and watch the thousands of pieces spread for miles).

this.

it's the only realistic solution for when the feds kick your door down and it's a few seconds till your face meets the floor.

i think at this point i'll just stick with tails and hopefully employ that no-hdd laptop idea. i'd rather have no saved data on my person if shit hits the fan, rather than have a bunch of encrypted data to fight over.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: sourman on October 15, 2012, 12:19 am
Data recovery firms have no problem restoring HDDs that survived fires, 100ft drops, and deliberate attempts at smashing them. Not one has been able to recover an overwritten file from a modern hard drive, and I'm talking a single overwrite of zeros. As of today, a single-pass overwrite of any kind (the more random the better) is enough to effectively destroy data on a HDD. The whole "Gutmann wipe" and the 7-pass "DoD standard" are overkill to the extreme.

Can the NSA recover such info in their hypothetical secret labs? Maybe, but that goes beyond the scope of most criminal investigations. Not only is the standard of proof too high for dirty, pieced-together data to be accepted at trial, but the government is not going to use secret technology to go after internet drug dealers, unless of course there are some extraordinary circumstances involved. By the time it gets that serious, the person being watched has wayyy more shit to worry about than the recovery of overwritten files.
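The post above rests on one overwrite pass being enough on a magnetic disk; what a media sanitization procedure adds to that pass is a verification step that re-reads the media and proves no original block survived. The following is an added example written for this thread, not code posted by anyone in it. It runs against an ordinary file standing in for a block device (the 12004-byte "disk image" is constructed sample data), and the function names (`block_hashes`, `overwrite_single_pass`, `verify_overwrite`, `sanitize`, `demo`) are this example's own.

```python
"""Single-pass overwrite with a verification step (added example).

Works on a regular file standing in for a block device; the "disk image"
built in demo() is constructed sample data, not a real capture.
"""
import hashlib
import os
import secrets
import tempfile

BLOCK = 4096


def block_hashes(path, block=BLOCK):
    """SHA-256 of every block, taken before the wipe so verification can
    later prove that no block's original content is still present."""
    hashes = []
    with open(path, "rb") as f:
        while True:
            chunk = f.read(block)
            if not chunk:
                break
            hashes.append(hashlib.sha256(chunk).digest())
    return hashes


def overwrite_single_pass(path, pattern=None, block=BLOCK):
    """Overwrite every byte in place. `pattern` is a single byte (e.g. b"\\x00");
    None means CSPRNG data, which also avoids the 'block was already all
    zeros' blind spot in verification. Size lookup is for regular files."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            n = min(block, remaining)
            f.write(pattern * n if pattern is not None else secrets.token_bytes(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # make sure the pass actually reached the media
    return size


def verify_overwrite(path, before, pattern=None, block=BLOCK):
    """Re-read the media. Count blocks whose pre-wipe hash is still present
    and, for a fixed pattern, blocks that are not made solely of that pattern."""
    survived = mismatched = 0
    with open(path, "rb") as f:
        for old in before:
            chunk = f.read(block)
            is_pattern = pattern is not None and chunk == pattern * len(chunk)
            if pattern is not None and not is_pattern:
                mismatched += 1
            # A block that already equalled the pattern before the wipe held
            # no data, so it is not counted as a survivor.
            if hashlib.sha256(chunk).digest() == old and not is_pattern:
                survived += 1
    return {"blocks": len(before), "surviving_blocks": survived,
            "pattern_mismatches": mismatched}


def sanitize(path, pattern=None):
    """Hash, overwrite once, verify; 'ok' is True only when verification is clean."""
    before = block_hashes(path)
    overwrite_single_pass(path, pattern)
    result = verify_overwrite(path, before, pattern)
    result["ok"] = result["surviving_blocks"] == 0 and result["pattern_mismatches"] == 0
    return result


def demo(pattern=b"\x00"):
    """Constructed sample image: 12004 bytes, i.e. two full blocks and a partial one.
    Returns (verification before the wipe, verification after the wipe)."""
    path = os.path.join(tempfile.mkdtemp(), "disk.img")
    with open(path, "wb") as f:
        f.write(b"SECRET" * 2000 + b"tail")
    before = block_hashes(path)
    pre = verify_overwrite(path, before, pattern)  # every block still intact
    post = sanitize(path, pattern)
    return pre, post


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would attach to the post's claim: the overwrite-and-verify logic above is the same principle dban and `dd` rely on, and it only holds for media where a logical block maps to one physical location. Flash storage (SSDs, USB sticks) remaps writes through wear levelling, so overwriting logical blocks does not reach every cell; that is why ATA Secure Erase, which the earlier reply mentions, is the tool for those devices, and why a verify pass through the logical interface cannot prove anything about retired flash blocks.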
Title: Re: Computer Forensics Investigator here - any questions?
Post by: Bungee54 on October 15, 2012, 05:29 pm
We know from the EFF about the yellow tracking dots which are left by laser and inkjet printers.

What are the new technologies we don't know about & how to defeat/recognize them..? (besides buying 2nd hand, which we do)

Are they even really used, or is this only the "terrorist & national security" domain?

Is this done worldwide? And is the data exchanged?

Title: Re: Computer Forensics Investigator here - any questions?
Post by: FriendlyStranger on October 16, 2012, 03:49 am
What stupid mistakes can someone make to get them noticed by Federal Agencies?
Title: Re: Computer Forensics Investigator here - any questions?
Post by: dreamxweaver on October 16, 2012, 09:22 am
How to make it so that when using a liberte usb stick, a stealth check does not show that the tcp/udp ports are not secure?
Title: Re: Computer Forensics Investigator here - any questions?
Post by: GiveItASniff on October 30, 2012, 07:59 am
Soooooo where did this guy go? Was he just LE looking to find some weaknesses?
Title: Re: Computer Forensics Investigator here - any questions?
Post by: yodude420 on November 01, 2012, 03:57 pm
Correct me if I'm wrong but it would be hard or not worth it to go after small time buyers on SR b/c of the use of TOR, bitcoins, and PGP encryption for addresses, right? It seems that even if your package was picked off in customs or whatever there would be little evidence of you placing the order other than maybe on your own computer, since even if they intercepted your PGP encrypted address it wouldn't do them any good without the vendor's private key. I'm still pretty new to the world of computer security so I apologize if this is a stupid question.
Title: Re: Computer Forensics Investigator here - any questions?
Post by: Questionmark321 on November 01, 2012, 04:31 pm
Few questions here :)

If you restore your computer back to factory settings is all your old data really removed?

Where should we make the live USB? If we do it on our machine, afterwards it can be seen that one was made, right?

And can you see how many times Windows was installed on a hard drive?

And when having a hard drive in your computer, but plugging in your USB exclusively when booting, is that a problem?

Thank you for your time!


Title: Re: Computer Forensics Investigator here - any questions?
Post by: bigbasia on November 01, 2012, 10:36 pm
hi lonetraveller

i am new here and have found this thread to be very informative, you mentioned using a laptop without a hard drive to access silk road. This should be done with a boot cd, any chance u can explain how to do this, i would have thought that without a hard drive on ur pc or laptop that the said pc or laptop is useless and could not access the internet if u wanted to.

I apologize in advance if this is a stupid question (i thought i was semi computer savvy before joining silk road but am learning that i don't know s#@t when it comes to pc security)

Any help here would be greatly appreciated
Title: Re: Computer Forensics Investigator here - any questions?
Post by: NotMe123 on November 02, 2012, 12:12 pm
hi lonetraveller

i am new here and have found this thread to be very informative, you mentioned using a laptop without a hard drive to access silk road. This should be done with a boot cd, any chance u can explain how to do this, i would have thought that without a hard drive on ur pc or laptop that the said pc or laptop is useless and could not access the internet if u wanted to.

I apologize in advance if this is a stupid question (i thought i was semi computer savvy before joining silk road but am learning that i don't know s#@t when it comes to pc security)

Any help here would be greatly appreciated

if you go to https://tails.boum.org/ you can follow the instructions and download tails.

Regarding the laptop with no hard drive, once you install tails on a CD (or USB stick, but CD is better as it's not rewritable) and boot from it, the laptop is told not to use the hard drive but instead to write all the info to the RAM (memory). This is deleted when you shut down the lappy and all your browsing history goes with it. The fact that there is no hard drive makes it safer because there is nothing for programs to save any info to. The operating system is all on the CD/USB stick.
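The reply above describes how a live system works: the read-only medium holds the operating system and everything writable lands in RAM. The way to see that on a running machine is the mount table, where RAM-backed filesystems (tmpfs, and an overlay whose upper layer sits on tmpfs) are distinguishable from a writable filesystem on a block device. The following is an added example written for this thread, not code from the Tails project or from anyone posting here. It parses `/proc/mounts` output and reports any writable mount that is backed by persistent media; the sample mount table is constructed for the example (the `/lib/live/mount/...` layout mirrors the Debian live-boot convention, but the lines are not captured from a real system), and the function names are this example's own.

```python
"""Report writable, disk-backed mounts from a /proc/mounts table (added example).

The sample table below is constructed for this example, not captured from Tails.
"""
import os
import re

# Kernel pseudo-filesystems and RAM-only filesystems: writes here never reach a disk.
PSEUDO_FS = {"rootfs", "proc", "sysfs", "devtmpfs", "devpts", "cgroup", "cgroup2",
             "securityfs", "debugfs", "mqueue", "hugetlbfs", "pstore", "bpf",
             "fusectl", "configfs", "tmpfs", "ramfs"}
RAM_FS = {"tmpfs", "ramfs"}

# Constructed sample: a live session from optical media plus one plugged-in disk.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sr0 /lib/live/mount/medium iso9660 ro,noatime 0 0
/dev/loop0 /lib/live/mount/rootfs/filesystem.squashfs squashfs ro,noatime 0 0
tmpfs /lib/live/mount/overlay tmpfs rw,noatime,mode=755 0 0
overlay / overlay rw,noatime,lowerdir=/lib/live/mount/rootfs/filesystem.squashfs,upperdir=/lib/live/mount/overlay/rw,workdir=/lib/live/mount/overlay/work 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda1 /media/user/my\\040disk ext4 rw,relatime 0 0
"""


def _unescape(field):
    """/proc/mounts encodes space, tab, newline and backslash as octal escapes (\\040 ...)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_proc_mounts(text):
    """Return one dict per mount line: source, target, fstype, opts (list)."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        source, target, fstype, opts = (_unescape(p) for p in parts[:4])
        mounts.append({"source": source, "target": target, "fstype": fstype,
                       "opts": opts.split(",")})
    return mounts


def mount_for_path(mounts, path):
    """Longest-prefix match: the mount that holds `path`."""
    best = None
    for m in mounts:
        t = m["target"]
        prefix = t if t.endswith("/") else t + "/"
        if path == t or path.startswith(prefix):
            if best is None or len(t) > len(best["target"]):
                best = m
    return best


def is_ram_backed(mounts, m, _depth=0):
    """True for tmpfs/ramfs, and for an overlay whose upperdir lives on such a mount."""
    if m["fstype"] in RAM_FS:
        return True
    if m["fstype"] == "overlay" and _depth < 8:  # depth guard against pathological tables
        kv = dict(o.split("=", 1) for o in m["opts"] if "=" in o)
        upper = kv.get("upperdir")
        if upper is None:
            return False
        holder = mount_for_path([x for x in mounts if x is not m], upper)
        return holder is not None and is_ram_backed(mounts, holder, _depth + 1)
    return False


def persistent_writable_mounts(text):
    """List (target, source, fstype) for every rw mount that can persist data."""
    mounts = parse_proc_mounts(text)
    found = []
    for m in mounts:
        if "rw" not in m["opts"]:
            continue  # read-only media (the live CD itself) cannot take new writes
        if m["fstype"] in PSEUDO_FS or is_ram_backed(mounts, m):
            continue
        found.append((m["target"], m["source"], m["fstype"]))
    return found


if __name__ == "__main__":
    print("sample:", persistent_writable_mounts(SAMPLE_MOUNTS))
    if os.path.exists("/proc/mounts"):  # inspect the machine this is run on
        with open("/proc/mounts") as f:
            print("this host:", persistent_writable_mounts(f.read()))
```

On the constructed table the overlay root is classified as RAM-backed because its `upperdir` resolves to the tmpfs mount, and the only finding is the ext4 disk at `/media/user/my disk`; that is exactly the kind of mount the reply warns about, since a live session is only amnesic for as long as nothing writable and persistent is mounted. The check is a heuristic over the mount table, not proof: swap partitions are not mounts and would need a separate look at `/proc/swaps`.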