Computer security: Snapshots of our secret lives

hamba

Inactive User
Joined
May 24, 2005
Messages
8,704
Reaction score
1,345
Location
Down Here
Computer security: Snapshots of our secret lives

Pete Warren explains how a forensic specialist can retrieve data from your hard drive - even if you think you've deleted everything - that reveals a great deal about you

The first time that I really became aware of computer forensics was around eight years ago when I arranged for some hard drives I had bought from a boot fair to be examined by Professor Neil Barrett, an expert in the field. The results were memorable. When Barrett rang me to say that he had found account details for a Paul McCartney - on a hard drive discarded by a merchant bank - I was prepared for the inevitable teasing.

"Sure, Neil, I suppose there must be quite a few Paul McCartneys." "Yes, I suppose there are," he replied. "Not too many called 'Sir', though."

Spy in the machine

Your hard drive is watching you: it's the spy in the machine. It records all you do online - where you go, what you look at, what you read and write. And that data can live on even if you think you've wiped it away. Like a traitor, your hard drive could reveal far more about you than you ever wanted it to.

The machine I use to inspect hard drives is a purpose-built computer with a reasonably powerful processor and a hard drive of its own with 1 terabyte of storage. It cost £2,000 and it's the equivalent of a custom car, with quick-release sliding panels and drive cases for easy loading of the hard drives I am asked to look at. Most importantly, it has computer forensic software - which cost another £2,000. Mine was supplied by Access Data, a company which believes that computer forensics will be one of new growth areas of computing.

Since we found the drive with McCartney's details on it, I have worked with BT, Sims Lifecycle Services and Glamorgan University (where I'm doing an MSc) to alert people to the risks of disposing of drives with valuable data on them - such as company records, personal emails, the complete personal lives of families - and even enough on people's sexual interests for them to be blackmailed (Dead disks yield live information).

I pick drives to examine - acquired at car boot sales or dumps - randomly. The first task is to connect a write-blocker, which prevents any data being written to the drive. This ensures that the investigator cannot be accused of putting anything on a disk that could be a crime scene. That's not melodramatic. In each of the past four years we have conducted our survey, we have found drives containing paedophile information, which have been turned over to the police and have resulted in prosecutions.

The next task is to image the drive - simply, copying it on to your own drive so you can start to go through it. Another task is to make an MD5 hash of the original drive, a unique number generated from its bits and bytes. This is to verify that the image is the same as the original: the two should have the same MD5 hash.

The Access Data software ignores the operating system, instead talking directly to the drive's file allocation system and master boot records. It sorts everything into groups - by type, category and extension. Email is extracted and lumped together, as are graphics. You can search for specific data such as a date or name.

"It's like The Sims," says Dr Andrew Jones, head of computer security at BT Exact. "Instead of going through the front door, you take the roof off and you look down on the drive from above."

Then it's a laborious process going through each file. It's a boring and painstaking process - until you start to unearth the gems. I start with the graphics files and documents, but the real pros go to the slack space - where all of the odds and ends of files end up, a dustbin of half-files and bits of data that people think they have deleted. These can help you get an idea of what the computer has been used for and where other data - the stuff people want to hide - might be.

Good riddance?

Most people think the delete key gets rid of those files, but it doesn't - it simply tells the computer that that space is available to be written over again. The file often is still all there, waiting to compromise its former owner.

If the drive is not encrypted, the software opens up the computer easily. I can order everything by date and time; I can see the email that provoked a web search, the item that was then bought. It feels like being able to see inside the mind of the former owner of the drive. And don't think that you can erase your tracks by deleting the browser history: even if you wiped the cache: a hexadecimal editor can help the investigator decode the traces left behind even after you've deleted it.

You start to recognise other people who are using the computer. On one drive I quickly identified the owner from her email. But there was someone else searching the web for clothes for Barbie dolls. I soon identified the most likely person making those web searches - there were pictures of a small girl on the drive. A closer look told me her name. Other details followed: soon I knew her age and what school she goes to.

Inside her mind

By this time I knew her mother's name too, and what her interests are, what her fascinations are and what goes on in the secret recesses of her head. All this was revealed to me by her web searches - and her visits to websites of a sexual nature. She has been deceitful: I can see lies in the emails that she has sent, because she has been trying to sell something to a lot of people at the same time and told each that she was only dealing with them.

People are using computers without realising that their computers are constantly taking snapshots of their lives. The information could compromise them financially as well as personally: on drives we found two years ago were the social security numbers of most of the employees of the UK branch of a multinational company. We could have stolen each person's financial identities.

Some tribes in Africa do not like people taking their photos because they think that the camera takes a part of their being. A computer does much the same. When you work in computer forensics, and when you hold a hard drive in your hands, you hold someone's life in your hands.

How to secure your disk

1 Use encryption. Vista Ultimate has BitLocker; Mac OSX has FileVault. There is also TrueCrypt, which is free and cross-platform.

2 Use secure erase programs such as blancco; for a list, see howtowipeyourdrive.com.

3 When you've finished with your computer, securely wipe it and then reinstall the operating system from scratch. Or remove the hard drive and smash it with a hammer.




Pete Warren
Wednesday August 13 2008 00:01 BST
guardian.co.uk © Guardian News and Media Limited 2008
 
I worked for a large multi-national company a few years ago.

They were scrapping a lot of the older PC's, so I asked if I could take a couple of drives home to fit in a system I was building.

I was told by facilities that the drives were being removed, smashed up with a sledge hammer, ground down into metal filings, and then shot into the North Sea. :)
--
I usually make clocks from the platters (using the mechanishm from cheap battery clocks), and give the magnets to my kids.

I posted THIS LINK a couple of years ago, but I haven't got around to making one yet.

A good warning there Hamba.:Cheers:
 
I was told by facilities that the drives were being removed, smashed up with a sledge hammer, ground down into metal filings, and then shot into the North Sea. :)

i suppose thats one way of stopping people finding anything on them lol
 
or u could zero fill the drive

then format and install os

which should do the trick as when u zero fill a drive u simply write zeros to it
 
or u could zero fill the drive

then format and install os

which should do the trick as when u zero fill a drive u simply write zeros to it

Because of the way modern drives work simply writing with zero's isn't enough. Specialists can often detect the underlying data from at least 2 or 3 writes previously.

In order to reliably erase a drive you need to overwrite it at least five times with random data or patterns of alternating 1's & 0's
 
Because of the way modern drives work simply writing with zero's isn't enough. Specialists can often detect the underlying data from at least 2 or 3 writes previously.

In order to reliably erase a drive you need to overwrite it at least five times with random data or patterns of alternating 1's & 0's

Thanks for that info. I've sold a few old HD's using the write zero method.

Can you recommend any software that can do this new method that you mention?
 
Can you recommend any software that can do this new method that you mention?

What you need to look for it software which performs a "Government Wipe".

Government Wipe is a 7-pass procedure that conforms to the Sanitization procedure specified in DoD document 5220-22-M, National Industrial Security Program Operating Manual.
 
Thank you gents.

I use Cryptainer for my encryption needs and it's very good.
 
I use this on hdd's I am passing on.

http://www.killdisk.com/ i use the pro version it has the US, Russian and German data destroyer algorithms takes a while but supposed to be good.

If the drive is faulty and out warranty then I use the hammer method :)
 
go down to a local scrappy and whack it under an industrial electromagnet.

Although good enough for most circumstances a real specialist can still recover data in this scenario due to flip bits leaving a different molecular signature than bits that haven't changed. To work properly you need to use an electromagnet that has an AC field that continuously changes polarity.
 
Although good enough for most circumstances a real specialist can still recover data in this scenario due to flip bits leaving a different molecular signature than bits that haven't changed. To work properly you need to use an electromagnet that has an AC field that continuously changes polarity.

i was only kidding, but when i was replacing pc's for the police they employed a firm to shred the drives. I think that was literal.
 
i was only kidding, but when i was replacing pc's for the police they employed a firm to shred the drives. I think that was literal.

You'd be suprised at what can be done with drive data reconstruction !

I've seen information recovered from drives that have been hit with hammers, shredded, been in a fire and even had the platters rubbed with sandpaper. If there is information on a drive worth the effort then someone may just make that effort !

Whilst most people think physically mutilating a drive is the most effective way to purge data its usually much more effective to simply use a cleaning program to overwrite the original data (many programs with DoD algorithms or better are freely available).

Of course, its doubtful that most of us will have anything on our PC's to warrant this kind of very expensive attention.
 
Last edited:
for hard drive data destruction check out dban - its free and does every thing:Clap:
 
Of course, its doubtful that most of us will have anything on our PC's to warrant this kind of very expensive attention.

you would be supprised at what people might need to hide......

i for 1 would melt the hard drive up rather than sit here knowing someone could get at my personal details!
 
Back
Top