Re: [Full-disclosure] Disk wiping -- An alternate approach?
No you don't understand, your premise is shit. Research what's already being done instead of trying to improve what you don't understand. lol @ ddos.

On Jan 26, 2010 11:09 PM, Bipin Gautam bipin.gau...@gmail.com wrote:

Enough noise, let's wrap up:

Someone said: "Forensics requires more than merely finding a phrase or file on a hard drive - it requires establishing the context. If a court accepts evidence without that context, then the defendant should appeal on the basis of having an incompetent lawyer."

So, any evidence/broken text/suspicious phrases etc. found in a computer without metadata maybe USELESS... REMEMBER.

Having a normal OS with forensic signature ZERO would be a simple yet powerful project. Programmers??? It isn't difficult work. A few months, one-person project.

Worm defense is smart as well as a deadlock at times; the perspective I presented can be used as a FALLBACK at times.

Maybe something like Alice/chatterbox run through the free/slack/etc... space of your 1 TB hard disk is an intellectual dDoS!

___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Disk wiping -- An alternate approach?
McGhee, T Biehn! Thank you for putting up your best argument; sadly that is the BEST technical thing you happen to pick in this topic to comment about.

-bipin

On 1/27/10, McGhee, Eddie eddie.mcg...@ncr.com wrote:

and also lol @ maybe USELESS, try making the MAYBE in caps..

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of T Biehn
Sent: 27 January 2010 12:28
To: Bipin Gautam
Cc: full-disclosure
Subject: Re: [Full-disclosure] Disk wiping -- An alternate approach?

No you don't understand, your premise is shit. ...

On Jan 26, 2010 11:09 PM, Bipin Gautam bipin.gau...@gmail.com wrote:

Enough noise, let's wrap up: ...
Re: [Full-disclosure] Disk wiping -- An alternate approach?
You made the argument against yourself; apparently you didn't comprehend the points made in 90% of the on-topic responses to this thread.

On Jan 27, 2010 9:34 AM, Bipin Gautam bipin.gau...@gmail.com wrote:

McGhee, T Biehn! Thank you for putting up your best argument ... -bipin

On 1/27/10, McGhee, Eddie eddie.mcg...@ncr.com wrote: and also lol @ maybe USELESS, try making ...
Re: [Full-disclosure] Disk wiping -- An alternate approach?
and also lol @ maybe USELESS, try making the MAYBE in caps..

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of T Biehn
Sent: 27 January 2010 12:28
To: Bipin Gautam
Cc: full-disclosure
Subject: Re: [Full-disclosure] Disk wiping -- An alternate approach?

No you don't understand, your premise is shit. Research what's already being done instead of trying to improve what you don't understand. lol @ ddos.

On Jan 26, 2010 11:09 PM, Bipin Gautam bipin.gau...@gmail.com wrote:

Enough noise, let's wrap up: ...
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Really? How much do you know of computer forensics? Care to double-click a few forensic tools first?

I bring up this issue here because, as you can see, the laws are different in different countries, and in places just possession of questionable content is a crime, without much analysis of where it came from. Such logic doesn't hold much water from a technical perspective; that is what I was trying to discuss. (But you were so much concerned about my English, lol.)

We were talking on a NEW topic, but if TrueCrypt is all you know, then download TrueCrypt and add a custom cascade of ciphers to your TrueCrypt source code... so that your TrueCrypt hidden volume will be very hard to brute-force with off-the-shelf tools (which is what most forensic examiners do; they are tool dependent).

(I wish to make fun of you, but maybe another email! ;)

-bipin

On 1/27/10, T Biehn tbi...@gmail.com wrote:

You made the argument against yourself; apparently you didn't comprehend the points made in 90% of the on-topic responses to this thread. ...
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Do I smell smoke? Go on, prove me right.

On Wed, Jan 27, 2010 at 5:18 PM, Bipin Gautam bipin.gau...@gmail.com wrote:

Really? How much do you know of computer forensics? Care to double-click a few forensic tools first? ...
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Bipin,

I am familiar with LUKS (dm-crypt), SecurStar's DCPP, TrueCrypt, PGP Desktop, Windows EFS and all manner of configurations of those products, including the hidden container features of DCPP and TC. I am familiar with computer forensics, computer forensic methods, and anti-forensics. Furthermore I have working knowledge of the various one-way hashes and symmetric and asymmetric encryption algorithms, and working knowledge of the various block-cipher modes and what the differences are between them. From first-hand experience with the courts I am familiar with their tool dependence and what they can and cannot grab and why.

From simple logic it is plain to see that filling a drive with content from Wikipedia, some n-gram algorithm or other source would be worthless. A waste of time and effort. This is because a drive full of zeros, a drive full of random bits and a drive full of random word garbage are equivalent. Some obfuscating filesystem that does -not- use encryption is as worthless as a generic FS. If the content on your drive is worth grabbing, the investigating authorities can and will reverse engineer it.

As everyone has told you, encrypt with a FDE product from the start or simply wipe your drive to nulls or garbage. If you are very paranoid use my solution of a hidden container containing a VM that you use for anything 'private.' Make sure your host OS has a ream of malware running on it, preferably pointed to non-existent CC channels, or using PKI for which nobody has the private key.

-Travis

On Wed, Jan 27, 2010 at 11:18 AM, Bipin Gautam bipin.gau...@gmail.com wrote:

Really? How much do you know of computer forensics? Care to double-click a few forensic tools first? ...

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
Re: [Full-disclosure] Disk wiping -- An alternate approach?
"download TrueCrypt and add a custom cascade of ciphers to your TrueCrypt source code... so that your TrueCrypt hidden volume will be very hard to brute-force with off-the-shelf tools (which is what most ..."

No off-the-shelf tool exists for cracking any of the existing ciphers used in TrueCrypt beyond those that speed up a brute-force attack (like the Tableau TACC1441), but those tools just speed up the password-key generation process... they aren't even attempting a true keyspace attack.

Cheers,

Michael Holstein
Cleveland State University

PS: as for custom ciphers, I hear 2 rounds of ROT13 is pretty good, 4 is even better, and with 6 rounds, it's practically invincible.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
This topic has pretty much run its course. You shared what you thought was an interesting idea, and most of the responses have been along the lines of "interesting, but it does nothing to support your goal." You are free to hold onto your ideas, but there is no reason to continue to try to make others agree with you. I run into this all the time - one should just speak one's mind and move on. You've spoken your mind, now move on ;)

Your pretense of "without much analysis to where it came from" is incorrect. People are not (typically) arrested and jailed for garbage on their drives; if they are, there is probably some ulterior motive on the part of LE. If you look at the cases where people are serving time, particularly in child pornography cases, the prosecution has a volume of evidence against the accused, and it is typically accompanied by other physical evidence (photos, toys, magazines, etc.). Having crap on your drive does not give you plausible deniability. Period. Wipe zeros and be done.

T. Biehn's recommendation of TC's hidden drive feature is spot on. It is a very functional feature, and I use it all the time, particularly when travelling to other countries. In some countries (like the UK) if you DON'T give up your keys, you will be arrested on that basis alone. With a hidden volume within an encrypted volume, you can give up your phrase to the one volume and it is impossible to know of the existence of the other. Trying to position TC as being weak in some way via your "very hard to brute force with off the shelf tools" is silly - as if it's NOT very hard with super secret gov brute force tools. A properly created TC drive would take a billion years (with today's tech) to brute force (or whatever the actual time is).

The fact that you've been on FD talking about how you want to attempt to create an environment of plausible deniability has done far worse to weaken your position than anything else you could have done. When you cry "it wasn't me, it was the one-armed man!" while on the stand, the prosecutor will simply hand over all these publicly available emails where you've gone on about how you are explicitly trying to cover illegal activity with Wiki-blithe, and the next thing you know you'll be singing "doot doot doot, lookin' out my back door" in prison.

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Bipin Gautam
Sent: Wednesday, January 27, 2010 8:19 AM
To: T Biehn
Cc: McGhee, Eddie; full-disclosure
Subject: Re: [Full-disclosure] Disk wiping -- An alternate approach?

Really? How much do you know of computer forensics? Care to double-click a few forensic tools first? ...
Re: [Full-disclosure] Disk wiping -- An alternate approach?
OK, it's time to move on. :) Thanks Mr. Biehn, Mr. Thor and Mr. Michael.

With best regards,
-bipin
Re: [Full-disclosure] Disk wiping -- An alternate approach?
I think you're confusing legal theory with legal practice. Yes, in theory, you're presumed innocent, and therefore the jury is required to consider whether your box could have been infected with a virus or worm, leading to the incriminating evidence planted on your system. In practice, most such theories fail Occam's razor. What's less complex: incriminating words or phrases are evidence of incriminating activity, or incriminating words and phrases are planted as a way to cover up activity that wasn't incriminating? Even after reading this discussion, I'd have a hard time believing that the latter was the case.

It's true that the legal system (in the USA) should find you not guilty if there's any reasonable doubt about your guilt. In practice, however, people tend to think not guilty == innocent, and will convict you unless you can make a case that is equally as strong as the prosecutor's. Planting large amounts of other evidence that may be incriminating, in an effort to cover up the small amount of actually incriminating evidence, does not strengthen your case, and in fact weakens it in many ways.

-- Rohit Patnaik

On Tue, Jan 26, 2010 at 10:08 PM, Bipin Gautam bipin.gau...@gmail.com wrote:

Enough noise, let's wrap up: ...
Re: [Full-disclosure] Disk wiping -- An alternate approach?
This discussion is getting weirder and weirder. If an examiner finds evidence on YOUR computer / cell phone / USB disks / whatever, please do tell me how it's not necessarily yours? By claiming your computer has been hacked? You do know an examiner usually knows how to double-check your story for malicious code, right? Or what are you guys talking about? My experience is that when I find the evidence, the person/s being investigated confesses quite rapidly.

Cheers!

On 1/26/10 4:31 AM, Bipin Gautam bipin.gau...@gmail.com wrote:

So to the point, the techniques of forensic examiners were flawed from day one given that any text/evidence found on your computer is NOT NECESSARILY yours! Does that break digital forensics? oops.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
"By the way, does somebody know about flash memory? Is zeroing a whole USB key enough to make the data unrecoverable?"

No, wear-leveling (done at the memory controller level) will dynamically re-map addresses on the actual flash chip to ensure a relatively consistent number of write cycles across the entire drive. The only way to completely wipe a flash disk is with a hammer.

Regards,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
"If the police or spies look for determined words or sentences (presumed not encrypted), at an unknown point on an unknown layer of the disk, it will be much easier for them to find it if the rest was random data (or video or whatever) than if it was random text that can have a meaning when looking with a program, but not in front of a Court."

You're forgetting that most such work is either done by salaried government employees or contractors paid by the hour... neither of which care how long it takes.

Cheers,

Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
I was thinking, since all this (reasonable) fuss on wiping a disk over 10 times to ensure non-readability, how come we're yet very limited on space usage? If, for example, I overwrote a bitmap file with a text one, what stops the computer from recovering/storing both (without using additional space)? Just a couple of curiosities of mine.

On Tue, Jan 26, 2010 at 4:08 PM, Michael Holstein michael.holst...@csuohio.edu wrote:

"By the way, does somebody know about flash memory? Is zeroing a whole USB key enough to make the data unrecoverable?"

No, wear-leveling (done at the memory controller level) will dynamically re-map addresses on the actual flash chip ... The only way to completely wipe a flash disk is with a hammer. ...
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Entropy vs zeros vs random content. Plausible deniability will only be there if there is legitimate data that looks like it's been used and the prosecutor cannot construe any of your data as that used for wiping or otherwise obscuring the data on your drive. If you don't have this you better request a trial by judge rather than jury.

Now; your best solution is to use an exterior OS on FDE, then, in a TC hidden disk container, have a VM image that you use for 'hidden works.' You can hand over your FDE's PW and the location of the TC disk including the exterior password for great fed win.

-Travis

On Tue, Jan 26, 2010 at 10:08 AM, Michael Holstein michael.holst...@csuohio.edu wrote:

"By the way, does somebody know about flash memory? Is zeroing a whole USB key enough to make the data unrecoverable?"

No, wear-leveling (done at the memory controller level) will dynamically re-map addresses on the actual flash chip ... The only way to completely wipe a flash disk is with a hammer. ...
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Oh yeah, another note: if you use a chaining block cipher then you only need to wipe the first block to make the rest of your data unrecoverable. Most FDEs actually use a PW to decrypt the actual decryption key; that block functions much the same: if you can wipe that then the rest of the data is unusable.

Note, anyone who has pulled your key from memory via trojan or other means at an earlier time will be able to recover your data unless the first block of the stream has been wiped. This might be common practice in sneak-and-peek routines.

-Travis

On Tue, Jan 26, 2010 at 11:04 AM, Christian Sciberras uuf6...@gmail.com wrote:

I was thinking, since all this (reasonable) fuss on wiping a disk over 10 times to ensure non-readability, how come we're yet very limited on space usage? ...
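The "passphrase decrypts the real decryption key" design Travis describes is easiest to see in code. The following is an added example written for this page, not code from the thread or from LUKS, TrueCrypt or any other product: a constructed Go model of such a volume using AES-GCM from the standard library. The Volume layout, the names Format/Unlock/ReadWithDEK/CryptoErase and the one-step HMAC standing in for a real KDF are all assumptions for illustration. It shows that overwriting just the wrapped-key header leaves the passphrase useless for the entire volume, and that someone who already holds the data key itself (for instance lifted from RAM earlier) can still read every untouched sector, which is why that header wipe is not a defence against prior key capture.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Volume is a constructed model of a passphrase-based FDE volume, not the real LUKS or
// TrueCrypt layout: a header holding a salt and the data encryption key (DEK) sealed under
// a passphrase-derived key (KEK), followed by the sectors, which are sealed under the DEK.
type Volume struct {
	Salt       []byte
	WrappedDEK []byte   // nonce || AES-GCM(KEK, DEK): the one block the passphrase protects
	Sectors    [][]byte // each nonce || AES-GCM(DEK, plaintext sector)
}

// deriveKEK turns passphrase and salt into a 32-byte KEK with one HMAC-SHA256. A real design
// uses a slow KDF (PBKDF2, scrypt, Argon2) here; that choice is orthogonal to the wipe behaviour.
func deriveKEK(passphrase string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(passphrase))
	mac.Write(salt)
	return mac.Sum(nil)
}

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // every key in this example is 32 bytes, so this cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts and authenticates under key, prepending a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return append(nonce, g.Seal(nil, nonce, plaintext, nil)...)
}

// open reverses seal; the GCM tag check fails on a wrong key or on a wiped blob.
func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Format builds a volume: a random DEK protects the sectors and the passphrase protects only
// the DEK. The DEK is returned too so the example can play an attacker who captured it from RAM.
func Format(passphrase string, sectors [][]byte) (*Volume, []byte) {
	dek, salt := make([]byte, 32), make([]byte, 16)
	rand.Read(dek)
	rand.Read(salt)
	v := &Volume{Salt: salt, WrappedDEK: seal(deriveKEK(passphrase, salt), dek)}
	for _, s := range sectors {
		v.Sectors = append(v.Sectors, seal(dek, s))
	}
	return v, dek
}

// Unlock is the normal mount path: passphrase -> KEK -> DEK -> sectors.
func Unlock(v *Volume, passphrase string) ([][]byte, error) {
	dek, err := open(deriveKEK(passphrase, v.Salt), v.WrappedDEK)
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: wrong passphrase or header wiped")
	}
	return ReadWithDEK(v, dek)
}

// ReadWithDEK never touches the header, which is exactly what a DEK lifted from memory allows.
func ReadWithDEK(v *Volume, dek []byte) ([][]byte, error) {
	var out [][]byte
	for _, c := range v.Sectors {
		p, err := open(dek, c)
		if err != nil {
			return nil, err
		}
		out = append(out, p)
	}
	return out, nil
}

// CryptoErase overwrites only the wrapped key, a few dozen bytes; every sector stays on disk.
func CryptoErase(v *Volume) {
	for i := range v.WrappedDEK {
		v.WrappedDEK[i] = 0
	}
}

func main() {
	v, dek := Format("correct horse", [][]byte{[]byte("constructed sample sector")}) // constructed data
	CryptoErase(v)
	_, err := Unlock(v, "correct horse")
	got, _ := ReadWithDEK(v, dek)
	fmt.Printf("unlock after header wipe: %v\ncaptured DEK still reads: %q\n", err, got[0])
}
```

The practical reading: a header wipe is a fast, complete erase against anyone who only has the disk, but it does nothing against a party who already recorded the DEK, and the per-sector random nonces here are a simplification of the sector-tweaked XTS mode real FDE uses.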
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Overwritten files require analysis with a 'big expensive machine.' I doubt they ever recover the full file.

-Travis

On Tue, Jan 26, 2010 at 11:04 AM, Christian Sciberras uuf6...@gmail.com wrote:

I was thinking, since all this (reasonable) fuss on wiping a disk over 10 times to ensure non-readability, how come we're yet very limited on space usage? ...
Re: [Full-disclosure] Disk wiping -- An alternate approach?
It would be a part of the algorithm, to make sure the overwritten file is readable. But if those machines get any smaller, I guess these would be the next generation of storage media; take Blu-rays vs DVDs for example.

On Tue, Jan 26, 2010 at 5:11 PM, T Biehn tbi...@gmail.com wrote:

Overwritten files require analysis with a 'big expensive machine.' I doubt they ever recover the full file. ...
Re: [Full-disclosure] Disk wiping -- An alternate approach?
2010/1/26 Michael Holstein michael.holst...@csuohio.edu:
>> By the way, does somebody know about the flash memory? Is zeroing a whole usb key enough to make the data unrecoverable?
>
> No, wear-leveling (done at the memory controller level) will dynamically re-map addresses on the actual flash chip to ensure a relatively consistent number of write cycles across the entire drive.

Agreed, if I want to delete one file: the file will be unlinked and the zeroes will be written somewhere else. But what if I zero the whole memory, with something like dd if=/dev/zero of=/dev/disk/by-id/my_flash_device? Whatever the order and places the zeroes are written, in the end there should be zeroes everywhere. Unless there are more blocks on the chip than it reports having, or some compression is used where instead of 00...0 it would write "0 from address 1 to last address". I'm just speculating...

> The only way to completely wipe a flash disk is with a hammer.

That's the only reliable way, but a convenient way to erase data before lending a usb key would be nice.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Are you suggesting that consumer magnet-based storage solutions use the same technology that the recovery machines use to store more than one bit in what you consider a 'single bit location'? I think it would be cost and space prohibitive, not dependent on any algorithm.

If I'm thinking correctly, and I have no real idea how the recovery process works, the recovery machines measure minute variance in the analog magnetic signal directly pulled from the platters to figure out what bits 'used' to be on the disk in that location. I sincerely doubt that anything consumer accessible would be able to work with that.

I also doubt that it is exact, and protocols probably use probabilistic methods for extraction of a given content; text for example. Given a block of bits, the signal variance from 'clean' on those bits (eg if never written) is x. x is matched with a dictionary of known text.

Anyone know to confirm?

-Travis

On Tue, Jan 26, 2010 at 11:15 AM, Christian Sciberras uuf6...@gmail.com wrote:
> It would be a part of the algorithm, to make sure the overwritten file is readable. But if those machines get any smaller, I guess these would be the next generation of storage media; take Blu-rays vs DVDs for example.
>
> On Tue, Jan 26, 2010 at 5:11 PM, T Biehn tbi...@gmail.com wrote:
>> Overwritten files require analysis with a 'big expensive machine.' I doubt they ever recover the full file.
>>
>> -Travis
Re: [Full-disclosure] Disk wiping -- An alternate approach?
On Tue, 26 Jan 2010 11:11:52 EST, T Biehn said:
> Overwritten files require analysis with a 'big expensive machine.'

Assuming a disk drive made this century, if the block has actually been overwritten with any data even *once*, it is basically unrecoverable using any available tech.

Proof: In a decade of looking, I haven't found a *single* data-recovery outfit that claimed to recover from even a single overwrite. Blown partition table? No problem. Metadata overwritten, data not? We can scavenge the blocks. Disk been in a fire? Flood? Run over by truck? Sure. We can go in and scavenge the individual intact bits with big expensive machines. Overwritten? crickets.

Seriously - a lot of companies can recover data by reading the magnetic fields of intact data. But anybody know of one that claims it can recover actual over-writes, as opposed to "damn we erased it" or "damn the first part of the disk is toast"? No? Nobody knows of one? I didn't think so.

20 or 25 years ago, it may still have been feasible to use gear to measure the residual magnetism in the sidebands after an over-write. However, those sidebands have shrunk drastically, as they are the single biggest problem when trying to drive densities higher. You can't afford a sideband anymore - if you have one, it's overlapping the next bit.

There *may* be some guys inside the spook agencies able to recover overwrites. But you don't need to worry about any evidence so recovered ever being used against you in a court of law - as then they'd have to admit they could do it. Just like in WWII we allowed the German U-boats to sink our convoys rather than let them figure out we had broken Enigma, they'll let the prosecution fail rather than admit where the data came from.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Hi,

On 26 January Michael Holstein wrote:
> No, wear-leveling (done at the memory controller level) will dynamically re-map addresses on the actual flash chip to ensure a relatively consistent number of write cycles across the entire drive. The only way to completely wipe a flash disk is with a hammer.

Yes, but what if I overwrite the device with random data from the very first to the very last byte? Supposing the size of the device hasn't decreased, I'd think that wear-levelling has no chance to spare blocks in this case.

kind regards
Stefan

--
make -it ./work
GnuPG-Key: B96CF8D2 s...@tanis.toppoint.de
Fingerprint: D8AC D5E7 6865 19B1 385F 8850 2AB7 6A82 B96C F8D2
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> Yes, but what if I overwrite the device with random data from the very first to the very last byte? Supposing the size of the device hasn't decreased, I'd think that wear-levelling has no chance to spare blocks in this case.

Research paper on forensics for flash media: http://www.ssddfj.org/papers/SSDDFJ_V1_1_Breeuwsma_et_al.pdf

In any case, provided you take a factory-new drive and immediately install an encrypted filesystem on it, any such orphan data would be essentially random.

Regards,
Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
I should have brought up the increased density problem Valdis, excellent points.

-Travis

On Tue, Jan 26, 2010 at 1:26 PM, valdis.kletni...@vt.edu wrote:
> On Tue, 26 Jan 2010 11:11:52 EST, T Biehn said:
>> Overwritten files require analysis with a 'big expensive machine.'
>
> Assuming a disk drive made this century, if the block has actually been overwritten with any data even *once*, it is basically unrecoverable using any available tech.
>
> Proof: In a decade of looking, I haven't found a *single* data-recovery outfit that claimed to recover from even a single overwrite. Blown partition table? No problem. Metadata overwritten, data not? We can scavenge the blocks. Disk been in a fire? Flood? Run over by truck? Sure. We can go in and scavenge the individual intact bits with big expensive machines. Overwritten? crickets.
>
> Seriously - a lot of companies can recover data by reading the magnetic fields of intact data. But anybody know of one that claims it can recover actual over-writes, as opposed to "damn we erased it" or "damn the first part of the disk is toast"? No? Nobody knows of one? I didn't think so.
>
> 20 or 25 years ago, it may still have been feasible to use gear to measure the residual magnetism in the sidebands after an over-write. However, those sidebands have shrunk drastically, as they are the single biggest problem when trying to drive densities higher. You can't afford a sideband anymore - if you have one, it's overlapping the next bit.
>
> There *may* be some guys inside the spook agencies able to recover overwrites. But you don't need to worry about any evidence so recovered ever being used against you in a court of law - as then they'd have to admit they could do it. Just like in WWII we allowed the German U-boats to sink our convoys rather than let them figure out we had broken Enigma, they'll let the prosecution fail rather than admit where the data came from.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
On Tue, Jan 26, 2010 at 00:11, Charles Skoglund charles.skogl...@bitsec.se wrote:
> This discussion is getting weirder and weirder. If an examiner finds evidence on YOUR computer / cell phone / usb disks / whatever, please do tell me how it's not necessarily yours? By claiming your computer has been hacked? You do know an examiner usually knows how to double-check your story for malicious code, right? Or what are you guys talking about?
>
> My experience is that when I find the evidence, the person/s being investigated confesses quite rapidly.
>
> Cheers!

I must suggest your experience is quite limited - the case below is not unique:

http://en.wikipedia.org/wiki/State_of_Connecticut_v._Julie_Amero

Kurt
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Unknown malware? Infections recently deleted by A/V?

The realm of data ownership is ridiculous. If I run a wifi AP with WEP or no auth, my router keeps no logs, and my computer is a host to malware, then I would imagine that I cannot be convicted of a computer crime without verification by physical surveillance.

If given the choice by a lawyer between pleading guilty and receiving a lenient punishment and pleading not-guilty to certain loss for severe punishment in the face of 'irrefutable' evidence, most people will choose to plead guilty.

Prosecutors, lawyers, and defendants are largely either ignorant or apathetic to the issues around proving culpability in computer-crime. And case law would back me up.

-Travis

On Tue, Jan 26, 2010 at 3:11 AM, Charles Skoglund charles.skogl...@bitsec.se wrote:
> This discussion is getting weirder and weirder. If an examiner finds evidence on YOUR computer / cell phone / usb disks / whatever, please do tell me how it's not necessarily yours? By claiming your computer has been hacked? You do know an examiner usually knows how to double-check your story for malicious code, right? Or what are you guys talking about?
>
> My experience is that when I find the evidence, the person/s being investigated confesses quite rapidly.
>
> Cheers!
>
> On 1/26/10 4:31 AM, Bipin Gautam bipin.gau...@gmail.com wrote:
>> So to the point, the techniques of forensic examiners were flawed from day one given that any text/evidence found on your computer is NOT NECESSARILY yours! Does that break digital forensics? oops.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> I must suggest your experience is quite limited - the case below is not unique:

Yes it is. Rarely do you get a group of 28 computer scientists to volunteer their time/money in a criminal case.

Cheers,
Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Enough noise, let's wrap up:

Someone said: "Forensics requires more than merely finding a phrase or file on a hard drive - it requires establishing the context. If a court accepts evidence without that context, then the defendant should appeal on the basis of having an incompetent lawyer."

So, any evidence/broken-text/suspicious phrases etc. found in a computer without meta-data may be USELESS... REMEMBER.

Having a normal OS with forensic signature ZERO would be a simple yet powerful project. Programmers??? It isn't difficult work. A few months, 1 person project.

Worm defense is smart as well as deadlock at times; the perspective I presented can be used as a FALLBACK at times.

Maybe something like Alice/chatterbox run through the free/slack/etc... space of your 1 TB harddisk is an intellectual dDoS!
Re: [Full-disclosure] Disk wiping -- An alternate approach?
hahaha! Ok, let an Alice/chatterbox run through your harddisk! :P

[1] http://alice.pandorabots.com/

On 1/25/10, valdis.kletni...@vt.edu valdis.kletni...@vt.edu wrote:
> On Mon, 25 Jan 2010 01:09:40 +0545, Bipin Gautam said:
>> So, plausible deniability solution for disk wiping?: Let disk wiping tools LOAD the whole WIKIPEDIA in nxn matrices and mix ALL the words and phrases in a random pool continuously and use THIS as the wiping passes and patterns while they wipe the disk-space (instead of using random-pass or zero) and let the people who don't need-to-know make sense of whatever they want to pull up from the 'patterns' generated from the ENCYCLOPEDIA OF KNOWLEDGE, unlimited keywords and phrases, and counter the same?
>
> The problem is that although you can use Markov chains to generate pseudo-random text, it's usually pretty obviously pseudo-random text. And in fact, they're usually so random that it's pretty obvious it's just random words and doesn't prove anything more or less than acres of zeros.
>
> http://en.wikipedia.org/wiki/Dissociated_press
>
> The problem is that every once in a while, those things actually generate short chunks of intelligible text (especially when using a longer chain length). So now, instead of being able to say to the district attorney "The disk was full of zeros, and you can't prove what was on it before." you're now saying to him: "What do you mean, you found the phrase 'Drop the cocaine and kiddie porn off at my place around 9PM' on block 239349 of my hard drive?"
>
> Generally a bad idea.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> - The absence of evidence 9 times out of 10 is just as bad as the evidence itself in court.

In what court?

> - What you type, text or email, can, and will, be used against you in a court of law.

Only if obtained by correct process of law and you resist the temptation to explain yourself to the police.

> So, plausible deniability solution for disk wiping?: Let disk wiping tools LOAD the whole WIKIPEDIA in nxn matrices and mix ALL the words and phrases in a random pool continuously and use THIS as the wiping passes and patterns while they wipe the disk-space (instead of using random-pass or zero)

You're forgetting that you aren't required to explain yourself in court (5th Amendment). It's the job of the prosecution to connect the dots and prove you're guilty. Smart defendants hire their own expert to refute the testimony of the prosecution's expert.

As to Wikipedia, I think a random overwrite pattern would be way better than them finding fragments of the following (just two examples):

http://en.wikipedia.org/wiki/Nuclear_weapon_design
http://en.wikipedia.org/wiki/Child_prostitution

Practically every illegal act has an article on Wikipedia .. why deliberately seed your hard disk with them?

Cheers,
Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Ok, I extract wikipedia in my computer... then later delete the html... @hdd level the place is marked freespace. Then I copy a few videos, write a few emails and by then if most of the things get deleted and by bad luck if any such content is left unoverwritten partially, producing questionable and surprising patterns UNKNOWINGLY of just a few phrases, then basically someone is screwed just like that, even without GUILT?!

So, copying a dictionary, webpages, encyclopaedia, research papers etc. to your computer can really be harmful sometimes!!!?

Anything on the internet, if it's a webpage, can land on anyone's computer while browsing, searching online, following links and with a lot of coincidences etc. AND NOT NECESSARILY whatever text chunks found in your hdd are content OF YOUR OWN. YOU READ BLOGS OF PEOPLE, VISIT FORUMS, joke around in FD etc... (get the idea) and it can be saved in disk cache and IF left over in disk as broken chunks of text you are screwed? How does law see all that.

So, if questionable content is found it doesn't mean the laptop owner is responsible for it. We even keep on skipping text while reading in forums online, and anyone can say anything online and it can land in your hdd as a TROJAN HORSE of OPINIONS to screw you later in life!!!? Think about it?

Maybe then the Alice/chatterbox run through the free/slack/etc... space of your harddisk idea is better? It would be an intellectual uphill challenge for the EXAMINERS given that someone may have to sift 1 terabyte of data (how many bytes?:) mostly by HUMAN RESOURCE in hope for a ___ in the haystack.. btw, how many BOOKS is that? :P

-bipin

[1] http://alice.pandorabots.com/
Re: [Full-disclosure] Disk wiping -- An alternate approach?
On Mon, 25 Jan 2010 23:07:57 +0545, Bipin Gautam said:
> It would be an intellectual uphill challenge for the EXAMINERS given that someone may have to sift 1 terabyte of data (how many bytes?:) mostly by HUMAN RESOURCE in hope for a ___ in the haystack..

You *do* realize that there exist numerous tools to automate this scanning, so "human resource" means "select the search terms, hit enter, and check back after lunch".

http://www.microsoft.com/industry/government/solutions/cofee/default.aspx
http://www.guidancesoftware.com/computer-forensics-fraud-investigation-software.htm

That's the sort of stuff your disk will most likely be hit with. The state of the art is stuff like "find all erased e-mail from X to Y regarding the McClellan situation".
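As an added example of the automated scanning Valdis refers to (written for this page, not code from the thread, and far simpler than the tools he links): a string carver that sweeps a constructed raw image for keyword hits and reports the byte offset and sector of each, the way an examiner's hit list would. The image contents, the sector size and the search term "McClellan" (borrowed from his example query) are all constructed here.

```python
import re

SECTOR = 512  # assumed sector size for the constructed image


def build_sample_image():
    """Constructed 4 KiB 'disk image': mostly zeros, one deleted e-mail
    fragment, one binary file header, and one text fragment that straddles
    a sector boundary (the slack-space case the thread worries about)."""
    img = bytearray(SECTOR * 8)
    frag1 = b"Subject: lunch about the McClellan situation\r\nFrom: x@example.com\r\n"
    img[SECTOR + 40:SECTOR + 40 + len(frag1)] = frag1
    frag2 = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"  # not text: must not be carved
    img[SECTOR * 3:SECTOR * 3 + len(frag2)] = frag2
    frag3 = b"wiped with zeros? no, McClellan memo still here"
    img[SECTOR * 6 + 500:SECTOR * 6 + 500 + len(frag3)] = frag3
    return bytes(img)


def carve_strings(image, min_len=8):
    """Yield (offset, text) for every run of at least min_len printable ASCII
    bytes, the same first pass a 'strings'-style carver makes over raw media."""
    pattern = rb"[\x20-\x7e\r\n\t]{%d,}" % min_len
    for match in re.finditer(pattern, image):
        yield match.start(), match.group().decode("ascii")


def keyword_hits(image, keywords, min_len=8, sector=SECTOR):
    """Case-insensitive keyword search over carved strings. Each hit records
    the absolute byte offset, the sector it falls in, and the surrounding
    carved text so an examiner can decide whether the context is relevant."""
    hits = []
    for offset, text in carve_strings(image, min_len):
        lowered = text.lower()
        for kw in keywords:
            idx = lowered.find(kw.lower())
            if idx == -1:
                continue
            abs_off = offset + idx
            hits.append({
                "keyword": kw,
                "offset": abs_off,
                "sector": abs_off // sector,
                "context": text.strip(),
            })
    return hits


if __name__ == "__main__":
    image = build_sample_image()
    for hit in keyword_hits(image, ["McClellan"]):
        print(f"{hit['keyword']!r} at offset {hit['offset']} "
              f"(sector {hit['sector']}): {hit['context']!r}")
```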
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Ok, then why not encode the same keywords that these TOOLS look for with your Markov chains idea and mix it to wipe a 1 TB hdd with the alice chatter-bot idea? Again this is all theory :P

On 1/25/10, valdis.kletni...@vt.edu valdis.kletni...@vt.edu wrote:
> On Mon, 25 Jan 2010 23:07:57 +0545, Bipin Gautam said:
>> It would be an intellectual uphill challenge for the EXAMINERS given that someone may have to sift 1 terabyte of data (how many bytes?:) mostly by HUMAN RESOURCE in hope for a ___ in the haystack..
>
> You *do* realize that there exist numerous tools to automate this scanning, so "human resource" means "select the search terms, hit enter, and check back after lunch".
>
> http://www.microsoft.com/industry/government/solutions/cofee/default.aspx
> http://www.guidancesoftware.com/computer-forensics-fraud-investigation-software.htm
>
> That's the sort of stuff your disk will most likely be hit with. The state of the art is stuff like "find all erased e-mail from X to Y regarding the McClellan situation".
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Ok, I know the obvious things Michael!

> Modern forensic tools are good enough to find your needle in that haystack in short order, regardless of how well you try to hide it in plain sight among the contents of wikipedia, et.al.

You are telling me modern forensic examiners DRAW CONCLUSIONS without looking at ALL possible evidence, and by sifting just a few bytes of possibly related keywords draw insufficient conclusions? Isn't it like, when a forensic incident happens, you take fingerprints from the whole house skipping a few rooms thinking there are so many rooms to look through?

On top of that, the keywords they fish out that way are by no guarantee belonging to the OWNER OF THE COMPUTER, instead being leftover chunks from the internet written by someone else that land on your computer in disk-fragments as free-space when the browser cache is flushed? Don't miss the main point!

On top of that, FAT32/NTFS fs has a higher fragmentation rate than EXT*.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> Ok, then why not encode the same keywords that these TOOLS look for with your Markov chains idea and mix it to wipe a 1 TB hdd with the alice chatter-bot idea?

How do you know what they'd search for, and if you did, why would you want to fill your drive with a bunch of related information?

Modern forensic tools are good enough to find your needle in that haystack in short order, regardless of how well you try to hide it in plain sight among the contents of wikipedia, et.al.

If you truly desire to hide in plain sight, consider Steganography [*1*]. If you want to create plausible deniability, consider TrueCrypt's hidden volumes [*2*].

[*1*]: http://en.wikipedia.org/wiki/Steganography
[*2*]: http://www.truecrypt.org/docs/plausible-deniability

Regards,
Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
> You are telling me modern forensic examiners DRAW CONCLUSIONS without looking at ALL possible evidence, and by sifting just a few bytes of possibly related keywords draw insufficient conclusions?

No, they find the keyword in a file (or fragment thereof) and examine the resulting file or reconstruct the fragments to see if it's relevant to their investigation. Putting YOUR bomb plot amidst thousands of news articles about OTHER bomb plots won't fool them, and it'll make you look sufficiently guilty that you'll sit in jail while they waste their time.

> it like, when a forensic incident happens, you take fingerprints from the whole house skipping a few rooms thinking there are so many rooms to look through?

Depends on what they're trying to prove. In a burglary case, they might see prints on the stereo cabinet and lift those. No need to fingerprint the entire house when they've got a clear print, although they usually grab a few others just to be sure.

Apparently you've never sat through a trial .. find an interesting case and go attend, it's highly educational. Basically a jury is 12 people of the general population (in actuality, an in-depth knowledge of the subject matter at hand is likely to get you dismissed as a juror by one or both sides). The jury, having watched CSI and such, will listen with utter fascination at the State's expert in computer forensics talking about how he extracted the data, and it will paint a VERY convincing picture for 12 people that know nothing about computers.

> On top of that, the keywords they fish out that way are by no guarantee belonging to the OWNER OF THE COMPUTER, instead being leftover chunks from the internet written by someone else that land on your computer in disk-fragments as free-space when the browser cache is flushed?

Possession is 9/10ths of the law. You can try and float your "wikipedia did it" theory at trial, but ultimately it's a matter of which theory sounds more plausible to the jury:

1. defendant had illegal stuff on his computer.
2. defendant says illegal stuff on his computer was an effort to hide any potential illegal stuff by putting articles about related illegal stuff he didn't do on there.

Quit trying to re-invent the wheel and get your crypto on and lawyer up when asked about it.

Cheers,
Michael Holstein
Cleveland State University
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Ok, thanks Michael! I call off all the theories, except:

As you told, "Possession is 9/10ths of the law", BUT the texts they find can very likely come from the internet while you browse the internet and not your own possession; someone typed it online and it lands on your disk while you browse it? DON'T MISS THIS MAIN POINT! How does the law see such a situation? (and except the possibility of linguistic analysis to prove guilt)
Re: [Full-disclosure] Disk wiping -- An alternate approach?
On Mon, 25 Jan 2010 23:44:23 +0545, Bipin Gautam said:
> Ok, then why not encode the same keywords that these TOOLS look for with your Markov chains idea and mix it to wipe a 1 TB hdd with the alice chatter-bot idea? Again this is all theory :P

You still haven't explained how this has any advantages over using an encrypted filesystem and wiping space with all-zeros.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
A few phrases and surprising patterns are a lot more suspicious than a hard drive full of zeroes, especially if there's evidence that other data has been overwritten or erased. If you present a hard drive full of zeroes or random numbers, there's nothing to charge you with. If most of your data is random gibberish but there are a few telling phrases here and there, then there might be enough for the prosecution to bring charges, even if they aren't able to get a conviction.

Remember, "innocent until proven guilty" is nice in theory, but not so nice in practice. While you're under investigation, the prosecution can do many things to disrupt your business and personal life. The best thing to do if there's any question is to simply clam up and sit still until you get to speak with a lawyer.

Remember, prosecutors are judged on their conviction rate, not on their accuracy rate. They have no incentive to look for exonerating evidence - that's your responsibility. They'll only look for evidence that'll prove you guilty. As such, it's best to leave nothing at all that would arouse suspicion, especially if you've done nothing wrong in the first place.

--Rohit Patnaik

On Mon, Jan 25, 2010 at 11:22 AM, Bipin Gautam bipin.gau...@gmail.com wrote:
> Ok, I extract wikipedia in my computer... then later delete the html... @hdd level the place is marked freespace. Then I copy a few videos, write a few emails and by then if most of the things get deleted and by bad luck if any such content is left unoverwritten partially, producing questionable and surprising patterns UNKNOWINGLY of just a few phrases, then basically someone is screwed just like that, even without GUILT?!
>
> So, copying a dictionary, webpages, encyclopaedia, research papers etc. to your computer can really be harmful sometimes!!!?
>
> Anything on the internet, if it's a webpage, can land on anyone's computer while browsing, searching online, following links and with a lot of coincidences etc. AND NOT NECESSARILY whatever text chunks found in your hdd are content OF YOUR OWN. YOU READ BLOGS OF PEOPLE, VISIT FORUMS, joke around in FD etc... (get the idea) and it can be saved in disk cache and IF left over in disk as broken chunks of text you are screwed? How does law see all that.
>
> So, if questionable content is found it doesn't mean the laptop owner is responsible for it. We even keep on skipping text while reading in forums online, and anyone can say anything online and it can land in your hdd as a TROJAN HORSE of OPINIONS to screw you later in life!!!? Think about it?
>
> Maybe then the Alice/chatterbox run through the free/slack/etc... space of your harddisk idea is better? It would be an intellectual uphill challenge for the EXAMINERS given that someone may have to sift 1 terabyte of data (how many bytes?:) mostly by HUMAN RESOURCE in hope for a ___ in the haystack.. btw, how many BOOKS is that? :P
>
> -bipin
>
> [1] http://alice.pandorabots.com/
Re: [Full-disclosure] Disk wiping -- An alternate approach?
So to the point, the techniques of forensic examiners were flawed from day one given that any text/evidence found on your computer is NOT NECESSARILY yours! Does that break digital forensics? oops.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
2010/1/26 Rohit Patnaik quanti...@gmail.com:
> A few phrases and surprising patterns are a lot more suspicious than a hard drive full of zeroes, especially if there's evidence that other data has been overwritten or erased. If you present a hard drive full of zeroes or random numbers, there's nothing to charge you with. If most of your data is random gibberish but there are a few telling phrases here and there, then there might be enough for the prosecution to bring charges, even if they aren't able to get a conviction.
[snip]

The point is that they never get a hard-drive full of zeroes or random numbers, but a hard-drive that has pieces of other data under the zeroes or random numbers. That's why programs like wipe fill the hard-drive with data more than 20 times. But filling a whole disk 20 times can be very, very long, especially if it's a 2TB USB drive. A quick wipe filling a drive only 4 times is often enough, but...

If the police or spies look for determined words or sentences (presumed not encrypted), at an unknown point on an unknown layer of the disk, it will be much easier for them to find it if the rest was random data (or video or whatever) than if it was random text that can have a meaning when looking with a program, but not in front of a Court.

I don't find Bipin's idea so bad, but I'm not sure it adds significant security.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
ok, this all adds nothing but another layer of plausible deniability to ANY data found in your computer
Re: [Full-disclosure] Disk wiping -- An alternate approach?
It depends entirely on how you define flawed. As I stated earlier, the goal of the prosecutor is not some abstract ideal of justice. It is a conviction. Anything they can do within the law to convict you is fair game. Using statements that you put on your hard drive certainly falls under those rules, regardless of what the original intent was.

-- Rohit Patnaik

On Mon, Jan 25, 2010 at 9:31 PM, Bipin Gautam <bipin.gau...@gmail.com> wrote:

So to the point, the techniques of forensic examiners were flawed from day one given that any text/evidence found on your computer is NOT NECESSARILY yours! Does that break digital forensics? oops.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Sorry for the double post, but I forgot to add this to my last message:

From the prosecutor's perspective, everything on your hard drive is yours. It doesn't matter whether it was part of the original data that was on the drive or whether it came from a data set used to overwrite the original data. You possess it, so it's yours.

--Rohit Patnaik

On Mon, Jan 25, 2010 at 9:31 PM, Bipin Gautam <bipin.gau...@gmail.com> wrote:

So to the point, the techniques of forensic examiners were flawed from day one given that any text/evidence found on your computer is NOT NECESSARILY yours! Does that break digital forensics? oops.
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Rohitji,

Before: "From the prosecutor's perspective, everything on your hard drive is yours"

I just proved: everything on your hard drive is NOT NECESSARILY YOURS.

DOES THAT CHANGE ANYTHING? LOGIC MAYBE???
Re: [Full-disclosure] Disk wiping -- An alternate approach?
It depends on what you define plausible deniability as. Sometimes it just doesn't matter.

At an industry event here in Seattle, a guy working for the state prosecutor's office was speaking on this very subject - that of forensic collection of data on a system and the presumption of guilt. I posed the question of "how do you know that the data actually originated from actions of the user as opposed to someone who could have been using the system for their own means, or someone trying to plant false data? How do you prevent one from impugning your findings?"

He said, "Well, we're not stupid."

I'm serious. I was extremely disappointed in that answer, and it basically said, it doesn't really matter what we find on the system - we're not stupid, and if the data is there, it means you did it. I was appalled.

All you have is deniability. This method doesn't make it plausible to anyone but you, which doesn't matter. If you want any level of meaningful plausible deniability then leave your wireless open and have your system riddled with bots.

t

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Bipin Gautam
Sent: Monday, January 25, 2010 7:42 PM
To: E. Prom
Cc: full-disclosure
Subject: Re: [Full-disclosure] Disk wiping -- An alternate approach?

ok, this all adds nothing but another layer of plausible deniability to ANY data found in your computer
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Well, if it's not yours, Bipin, how did it get onto your drive? Was your computer hacked?

-- Rohit Patnaik

On Mon, Jan 25, 2010 at 10:25 PM, Bipin Gautam <bipin.gau...@gmail.com> wrote:

Rohitji,

Before: "From the prosecutor's perspective, everything on your hard drive is yours"

I just proved: everything on your hard drive is NOT NECESSARILY YOURS.

DOES THAT CHANGE ANYTHING? LOGIC MAYBE???
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Yep, that's precisely what I was trying to get across. If the data is on your machine, it's presumed to be yours unless you can prove that there's cause to believe that someone else put it there. This dovetails nicely with what I was saying above, i.e. the prosecutor is out to convict you. He or she is going to use whatever data he or she can find in order to do that. The solution to this is not to plant more incriminating data, but to wipe out as much data as possible, giving the prosecutor no hooks to hang a case on.

--Rohit Patnaik

On Mon, Jan 25, 2010 at 10:27 PM, Thor (Hammer of God) <t...@hammerofgod.com> wrote:

It depends on what you define plausible deniability as. Sometimes it just doesn't matter.

At an industry event here in Seattle, a guy working for the state prosecutor's office was speaking on this very subject - that of forensic collection of data on a system and the presumption of guilt. I posed the question of "how do you know that the data actually originated from actions of the user as opposed to someone who could have been using the system for their own means, or someone trying to plant false data? How do you prevent one from impugning your findings?"

He said, "Well, we're not stupid."

I'm serious. I was extremely disappointed in that answer, and it basically said, it doesn't really matter what we find on the system - we're not stupid, and if the data is there, it means you did it. I was appalled.

All you have is deniability. This method doesn't make it plausible to anyone but you, which doesn't matter. If you want any level of meaningful plausible deniability then leave your wireless open and have your system riddled with bots.

t

-----Original Message-----
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Bipin Gautam
Sent: Monday, January 25, 2010 7:42 PM
To: E. Prom
Cc: full-disclosure
Subject: Re: [Full-disclosure] Disk wiping -- An alternate approach?

ok, this all adds nothing but another layer of plausible deniability to ANY data found in your computer
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Could DIGITAL FORENSICS be fundamentally FLAWED (and they don't explain more?)

Think: http://en.wikipedia.org/wiki/Chain_of_custody

Main Point: The keywords and texts found in a suspect's harddisk are by NO guarantee belonging to the OWNER OF THE COMPUTER; instead they could be leftover chunks from the internet written by someone that land on your computer in disk fragments, found dormant in your free space as the browser cache is flushed? On top of that the FAT32/NTFS fs has a higher fragmentation rate than EXT*.

The problem is: Possession is 9/10ths of the law -- but ANY texts they find, if questionable, can also very likely come from the internet while you browse online and NOT be your own possession; someone typed it online, on a webpage you viewed etc., and it lands on your disk while you browse it and is left as fragments? How does the law see such a situation? (and except the possibility of linguistic analysis to prove guilt)
Re: [Full-disclosure] Disk wiping -- An alternate approach?
Ok, this is the best I can explain to you all. So it looks like sometimes just browsing online is as bad/good as Getting Infected from a Plausible deniability perspective? How is it any different? :)
Re: [Full-disclosure] Disk wiping -- An alternate approach?
On Tue, Jan 26, 2010 at 04:26:08AM +0100, E. Prom spake thusly:

The point is that they never get a hard-drive full of zeroes or random numbers, but a hard-drive that has pieces of other data under the zeroes or random numbers. That's why programs like wipe fill the hard-drive more than 20 times with data. But filling a whole disk 20 times can be very, very long, especially if it's a 2TB USB drive. A quick wipe filling a drive only 4 times is often enough, but...

Fortunately, so many rewrites are not necessary and have not been for a long time. I destroy drives containing credit card and other personal data with just one wipe (assuming the drive is operational) and if not I drill a few holes in it.

While investigating how to best destroy such data I happened across some postings with some actual experimental results from trying to recover overwritten data:

http://blogs.sans.org/computer-forensics/2009/01/15/overwriting-hard-drive-data/

And some analysis of modern techniques for recovering data and their effectiveness:

https://blogs.sans.org/computer-forensics/2009/01/28/spin-stand-microscopy-of-hard-disk-data/

Executive summary: Data overwritten once is unrecoverable on any drive made in the last 10 years. So do a single write pass from /dev/random on working drives. For non-functional drives or where overwriting is not possible, drilling holes is very sufficient for any business and personal data. For top secret data wanted by an enemy with millions to spend, where you cannot overwrite the data even once, recovery via Spin Stand Microscopy from undamaged areas of the platter is possible at great expense and weeks of constant work. Shattering the platter makes this technique much harder, rendering perhaps 80% of the data unrecoverable. You are still best off with a cheap one time write of the whole drive.

And as far as data recovery from failed drives goes this is rather amusing:

http://blogs.sans.org/computer-forensics/2009/09/30/the-failed-hard-drive-the-toaster-oven-and-a-little-faith/

--
Tracy Reed
http://tracyreed.org
Re: [Full-disclosure] Disk wiping -- An alternate approach?
2010/1/26 Tracy Reed <tr...@ultraviolet.org> (short extract):

Executive summary: Data overwritten once is unrecoverable on any drive made in the last 10 years. So do a single write pass from /dev/random on working drives.

Thanks for all this information. By the way, does somebody know about flash memory? Is zeroing a whole usb key enough to make the data unrecoverable?
Re: [Full-disclosure] Disk wiping -- An alternate approach?
No, look: wear-levelling and error correction... http://en.wikipedia.org/wiki/Flash_memory
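The single-pass claim from the magnetic-drive post and the wear-levelling objection to it for flash, side by side as an added example (not code from any poster or tool in this thread): a toy flash translation layer in Python, with a constructed page size and marker, shows why a full logical overwrite can leave the old bytes on the physical chips. The class names, sizes and garbage-collection policy are assumptions made for the simulation.

```python
import os

PAGE = 16                      # bytes per simulated page (constructed size)
MARKER = b"SECRET-MARKER-01"   # constructed 16-byte secret, fills one page

class DirectMappedDisk:
    """Toy magnetic drive: logical block n is physical block n, so a pass
    over every logical block replaces every byte on the media."""
    def __init__(self, pages):
        self.logical_pages = pages
        self.media = [bytes(PAGE)] * pages

    def write(self, lba, data):
        self.media[lba] = data

class WearLevelledFlash:
    """Toy flash translation layer (FTL): pages cannot be rewritten in place,
    so each logical write goes to a fresh erased physical page and the old
    copy is only marked stale; spare pages let it survive a full overwrite
    until garbage collection runs (spare_pages must be >= 1)."""
    def __init__(self, logical_pages, spare_pages):
        self.logical_pages = logical_pages
        self.media = [bytes(PAGE)] * (logical_pages + spare_pages)
        self.free = list(range(logical_pages + spare_pages))
        self.stale = []          # physical pages holding superseded data
        self.mapping = {}        # lba -> physical page

    def _garbage_collect(self):
        for phys in self.stale:  # simplified GC: erase all stale pages at once
            self.media[phys] = bytes(PAGE)
        self.free, self.stale = self.stale, []

    def write(self, lba, data):
        if not self.free:
            self._garbage_collect()
        phys = self.free.pop(0)
        if lba in self.mapping:
            self.stale.append(self.mapping[lba])  # old copy is NOT erased
        self.media[phys] = data
        self.mapping[lba] = phys

    def read(self, lba):  # what the host sees through the controller
        return self.media[self.mapping[lba]] if lba in self.mapping else bytes(PAGE)

def single_pass_wipe(dev):
    """One random pass over every logical block; os.urandom stands in for
    the /dev/random pass recommended above."""
    for lba in range(dev.logical_pages):
        dev.write(lba, os.urandom(PAGE))

def remnant_pages(dev, marker):
    """Physical pages still holding the marker: what reading the raw flash
    chips (bypassing the controller) would turn up."""
    return sum(1 for page in dev.media if marker in page)

def demo():
    hdd = DirectMappedDisk(8)
    hdd.write(3, MARKER)
    single_pass_wipe(hdd)
    ssd = WearLevelledFlash(8, spare_pages=4)
    ssd.write(3, MARKER)
    single_pass_wipe(ssd)
    return {"hdd_remnants": remnant_pages(hdd, MARKER),      # 0
            "ssd_remnants": remnant_pages(ssd, MARKER),      # 1: stale copy
            "ssd_host_view_clean": ssd.read(3) != MARKER}    # True
```

In this toy model a second pass happens to trigger garbage collection and erase the stale copy, but a real controller gives no such guarantee, which is why the answer to "is zeroing a whole USB key enough?" is no.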
Re: [Full-disclosure] Disk wiping -- An alternate approach?
I've resisted getting involved in this and suspect that this may be a misguided attempt to clarify (??) a few things, but...

Bipin Gautam wrote:

Before: "From the prosecutor's perspective, everything on your hard drive is yours"
I just proved: everything on your hard drive is NOT NECESSARILY YOURS.

This need not matter. In several (many, most and increasing) Western jurisdictions _just possessing_ certain kinds of material is a criminal offense. This is typically child pornography and/or bestiality but often includes other more or less specific things. For example, writing as I am from New Zealand right now, I would almost certainly be committing an indecency offense by including the words "golden" and "shower" run together into a single phrase in this Email. Within such jurisdictions, the issue of knowledgeable possession or intent to possess is technically irrelevant to the issue of "did you breach this law", for as written, the offence is possession (and/or production, etc, etc) with no elaboration.

DOES THAT CHANGE ANYTHING? LOGIC MAYBE???

I guess to assess that, we have to first decide whether you know what you're talking about or not...

And have you not heard of the "Trojan Horse defense"? Kinda the legal opposite of "the dog ate my homework" and already successfully used a few times.

Regards,

Nick FitzGerald
[Full-disclosure] Disk wiping -- An alternate approach?
Dear all,

(I need some feedback/insights/comments? on this design concept)

Problem:
- The absence of evidence 9 times out of 10 is just as bad as the evidence itself in court.
- What you type in text or email can, and will, be used against you in a court of law.

But: Digital Communication has been part of our life 24x7 and as in advertisement we the netizens these days tend to instantly communicate with the flow of our thought without thinking all the time, in every mood state, and even when drunk! Our communication is as fluid as thoughts, nothing more, and seriously influenced by day to day activities and a lot of things. Because as in one-to-one communication people fake, joke, write to check a response, simply scare etc. in electronic communication too. But sadly it gets recorded and people with big equipment and schizophrenia tend to take it all seriously! The Internet records a blurred picture of who we are in real, nothing more. Even evidence suggests people tend to think freely? and to any extreme in the privacy of your desktop as if you are talking to yourself instantly. How does a court see all that? Sadly, today we have technology to record it all. If you judge someone 24x7 you may find all evidence to support all ends of extremes and anything?

So, plausible deniability solution for disk wiping?: Let disk wiping tools LOAD the whole WIKIPEDIA in nxn matrices and mix ALL the words/phrases in a random pool continuously and use THIS as the Wiping passes and patterns while they wipe the disk-space (instead of using random-pass or zero) and let the people who don't need-to-know make sense of whatever they want to pull up from the 'patterns' generated from the ENCYCLOPEDIA OF KNOWLEDGE, unlimited keywords and phrases, and counter the same?

Is any such software feature allowed by law or is it called Material Falsification? [0]

Think: http://en.wikipedia.org/wiki/Bible_code
[1] http://en.wikipedia.org/wiki/Plausible_deniability
Re: [Full-disclosure] Disk wiping -- An alternate approach?
On Mon, 25 Jan 2010 01:09:40 +0545, Bipin Gautam said:

So, plausible deniability solution for disk wiping?: Let disk wiping tools LOAD the whole WIKIPEDIA in nxn matrices and mix ALL the words/phrases in a random pool continuously and use THIS as the Wiping passes and patterns while they wipe the disk-space (instead of using random-pass or zero) and let the people who don't need-to-know make sense of whatever they want to pull up from the 'patterns' generated from the ENCYCLOPEDIA OF KNOWLEDGE, unlimited keywords and phrases, and counter the same?

The problem is that although you can use Markov chains to generate pseudo-random text, it's usually pretty obviously pseudo-random text. And in fact, they're usually so random that it's pretty obvious it's just random words and doesn't prove anything more or less than acres of zeros.

http://en.wikipedia.org/wiki/Dissociated_press

The problem is that every once in a while, those things actually generate short chunks of intelligible text (especially when using a longer chain length). So now, instead of being able to say to the district attorney "The disk was full of zeros, and you can't prove what was on it before." you're now saying to him: "What do you mean, you found the phrase 'Drop the cocaine and kiddie porn off at my place around 9PM' on block 239349 of my hard drive?"

Generally a bad idea.