Path: news.nzbot.com!spool1.sonic-news.com!news-out.sonic-news.com!not.news-service.com!not.alt.net!not.highwinds-media.com!s02-b45!textbe01-phx!hwmnpeer02.phx!hw-filter.phx!hwmnpeer01.phx!hwmnpeer01.lga!hwmnpeer01.ams!news.highwinds-media.com!news.astraweb.com!border2.a.newsrouter.astraweb.com!xlned.com!feeder1.xlned.com!newsfeed.freenet.de!news.osn.de!diablo1.news.osn.de!feeder.erje.net!aioe.org!not-for-mail
From: floppy <floppy@flop.com>
Newsgroups: alt.fan.utb.naughty-boy
Subject: Re: meat plow you are such a retard
Date: Fri, 14 Mar 2008 14:30:52 -0500
Organization: Aioe.org NNTP Server
Lines: 70
Message-ID: <frdr7t$397$1@aioe.org>
References: <4cqbt3dd0ns5tn6hduu4if6dbltt3a5ktm@4ax.com> <47d62592$0$13891$8f2e0ebb@news.shared-secrets.com> <1n33b6.cf7.17.1@news.alt.net> <47d79044$0$13871$8f2e0ebb@news.shared-secrets.com> <1n5pnu.5ra.17.1@news.alt.net> <fr9rdo$ti0$1@aioe.org> <ipfht3h51jc91jtn7vvm13iq8b77md35oq@4ax.com>
NNTP-Posting-Host: aaQRHF4GT+txeO0PBS/vmA.user.aioe.org
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Complaints-To: abuse@aioe.org
X-No-Archive: Yes
Xref: news.nzbot.com alt.fan.utb.naughty-boy:1302
X-Received-Date: Sat, 17 Oct 2009 21:02:28 UTC (s02-b45)
On Thu, 13 Mar 2008 05:42:13 +0000, HMS Victor Victorian wrote:
> A quick perusal of this wonderful synopsis provided me with more
> information ..
Disclaimer: bear in mind I have not had any kind of computer forensic
training, unlike the other esteemed poster. Others might have better
information, especially about the actual status and costs of serious
data recovery from overwritten drives. I'm guessing there - it might have
got a lot cheaper and tools may have got more sophisticated.
The scramdisk and privacy groups used to be sources of information of
variable quality but I think those may have dried up or been largely
"kooked out".
Note the recent paper on recovery of data from ram (google for "cold boot
attack") may turn out to be a threat. At present it's only a threat if a
pc is physically seized by an attacker while powered on or within a short
time of being shutdown (certainly within hours - in all probability, my
guess is it will need to be seized immediately after shutdown). If they
can spray -50C freeze the ram immediately they may be able to keep
whatever data was in there before, which could include both your
encryption keys and whatever files and applications you had open (jpegs).
Drive encryption programs need to pay much more attention to what happens
to plaintext keys held in RAM. In fture these will need to be well
overwritten in ram immediately after finishing using the drive. I imagine
the developers of these programs will be looking hard at this paper.
Wiping unused ram altogether after a session with sensitive data might be
a good idea. Not sure what Windows programs can do this.
Watch out for software suspend etc also. Better not to use it.
Watch out for Windows and closed source programs. Get friendly with open
source. Some security programs have admitted, or refused to deny, that they have
backdoored or weakened capabilities deliberately merely at the request of
LEA.
Don't trust commercial disk scrubbers. A lot of these do a sloppy job.
EastTec Eraser used to have a good rep, based on posters in
I think scramdisk who were running it and then trying to recover files
with EnCase, but this is old and probably out of date information.
Encrypted filesystems are more prone to corruption. Grant+'s scenario
keeps systen and data separate and allows you to run filesystem checking
and repair programs (eg Norton) over an encrypted container while it is
open.
Also bear in mind that ordinary optical media like dvds can go bad over
time, too. For this reason these are not used for long term archiving by
eg governments. I can't remember the details (google).
Also note there were fake copies of EnCase on p2p and full copies of the
scripts (for identifying and recovering particular types of files) and
doumentation had to be found separately.
I seem to recall there was a commercial company providing the hashes of
known illegal images for forensic use (google). These are probably
available somewhere.
People who know more than I should post or point to sources of info.
|
|