Salon On Computer Forensics

splorf writes "Salon has a good new article on computer forensics, focusing on Lee Tydlaska, a guy in Southern California who started collecting old computers and peripherals as a hobby, and now has a nice business doing data recovery from weird and obsolete media for investigators (or normal users who just need media conversion). "It hardly needs saying why this craft has grown in importance", the article says, "but if one word sums it up, it's 'Enron-itis'". Oh yes, the #1 outfit in the field is apparently a UK firm called Vogon International. You've got to love this stuff."
  • by bourne ( 539955 ) on Monday April 22, 2002 @09:21AM (#3387119)
    I was surprised to see an @Stake employee bring a Mac to a presentation, but he explained that they used Mac because the greater FireWire support meant they could do forensic imaging onto external disks a hell of a lot faster.
  • by Atilla ( 64444 ) on Monday April 22, 2002 @09:22AM (#3387120) Homepage
    "we can recover any data, even punch cards from a planet blown to pieces to make a path for a new hyperspace bypass"
    • Wow.. they sure have a good website..

      Vogon International Data Recovery [vogon-data-recovery.com]
    • Or, if they can't recover the data: "Your data was lost over 15 years ago, and it's far too late to start making a fuss about it now."
    • Time to dig out that old Commodore 64, BBC Micro (with 5 1/4" disks), and assorted Amigas to make a killing in the "Oh no, all our data's gone and we've been too stingy to upgrade for 10 years" market! But on a serious point, does anyone know how I can recover a 540 MB Western Digital 2.5" hard drive with data under the FFS (Fast File System) Amiga format? Western Digital's tools only cover MS-DOS formats & it's been unreadable now for about 15 months.
      • What do you mean by recover? Is the drive damaged or just unreadable because you don't have anything that understands FFS?

        If the latter is true, Linux can read Amiga file systems very well. Before I retired my A500, I mounted the drive (80MB Conner :) on my Linux box and archived everything.

        • Over a period of a few months - more and more errors appeared which I fixed with Disksalv - when the drive finally was not only unreadable by the OS (and DOS) - but invisible too I replaced it with a new one - both replacements suffered the same fate within a few days - and I've been mainly using the PC ever since. The drive was 4 1/2 years old - so I suppose it was just its time to die & I should've backed it up when it started giving me warning signs!
    • The price for data recovery: you must listen to 1 sec. of recited vogon poetry per Kb of recovered data.
  • I recently came across a box of these strange little plastic things. I'm fairly sure they are some sort of computer medium. They are about 3.5" square and various colors. On one side there is a silver circle toward the center, a little less than an inch in diameter.

    Anyone know what they might be and how I could go about reading them?

    • Hah! You think you've got problems, I've got one that looks very similar, only it's between 5 and 6 inches across! Oh, and there's no silver parts at all, but it does have a shiny black cut-out...

      Anyone seen one of these? Should I just fold it in half and put it in my CD burner? Or maybe I have to take the plastic coating off the outside... hmm.
    • open the cup holder, stick them in, and then close it. The box should read it immediately.
    • by Anonymous Coward
      From your description I can only assume that the storage devices which you have are a little old... it sounds like they have deteriorated over time.

      In order to restore these disks for use in a modern computer system, may I suggest that you carefully take apart the disk, ensuring you don't lose the little spring.
      Once you have removed the black bit from inside, it needs to be renovated;
      a coating of nail varnish works quite well.
      Scatter ground-up matchstick heads over the top of the disk and put it back together.

      Your computer should then be able to read it.
      If it still doesn't work, try a more expensive computer.

      • Dear God, I wish I had some mod points today... moderators, please mod this up!

        What's it been, six years since I looked over my old Anarchist's Cookbook files? Too bad this is an AC post; it shot me straight down memory lane... I'm off to do some "data recovery" now ;).

    • Wonder if I could use them to get some data off of the old 8" Syntran disks that I used to use in my college days on an old Norsk Data ND100 minicomputer :)
    • I love those, they stay crunchy, even in milk.

      For a light snack, I eat a bowl of tape (you used to be able to play Frogger on the Timex Sinclair 1000 with an audio cassette player... good times, good times...) with some soya sauce and crushed red pepper sprinkled on top.

      They are tastier than punch cards with cheese and little slices of pepperoni on them.

  • Of course, somewhere out there there might be someone who specializes in preloading systems with mis-directing and/or mis-incriminating evidence and planting them in places that investigators are sure to "find"...

    sPh

    • preloading systems with mis-directing and/or mis-incriminating evidence and planting them in places that investigators are sure to "find"

      Slightly OT...
      I recall reading a /. poster a while back who opened several web e-mail accounts in the names of known criminals and terrorists.
      He sent random crap encrypted with PGP between them all :-)

      And no, don't criticise me for doing this!

  • Obsolete Computers (Score:2, Interesting)

    by teslatug ( 543527 )
    Here's an interesting site [obsoleteco...museum.org] about old computers. It has pictures of most of the models. Brings back memories...
    • better resource (Score:3, Interesting)

      by fons ( 190526 )

      I used to visit the obsoletecomputermuseum and it's a great site.

      But recently I discovered http://www.old-computers.com [old-computers.com] and now I'm addicted.

      This site is like a community. Everybody can add a piece to the museum, write reviews,... There are polls, links etc. It's just a great site and it's a lot more updated and lively than the (also great!) obsoletecomputermuseum.

  • "Awareness of computer security as a whole is kind of on the upswing," says Laura Koetzle, an analyst with Forrester Research. "As mainstream companies get more interested in computer security and realize that they don't know very much about it, there's more of a market for it."

    You would think that watching their software products get constantly infected by viruses would have brought this about?

    Oh well, maybe with a heightened sense of security they might get their software patched more often or perhaps switch to an operating system that isn't such a target to script kiddies.

  • Yes! (Score:1, Funny)

    by xamel ( 567605 )
    So, does this mean that the government will pay me to use my old Commodore 64 machines (3 of 'em) to read all those old criminal records disks? Time to cash in!
  • by realdpk ( 116490 ) on Monday April 22, 2002 @09:40AM (#3387215) Homepage Journal
    Data recovery is one of the most expensive [overture.com] search results on Overture that I've seen.
  • These guys provide a valuable if expensive service. On the other hand, companies are becoming so paranoid about liability because of this that they have started clearing all email from servers after 3 months (mine does). Once, I got lazy about saving stuff elsewhere, and I lost my contact information for someone. I still haven't found that guy. I hope he doesn't hate me.

    • What all these companies who have time delayed deletion of historical email seem to fail to catch onto is that they usually have a long term backup methodology in place.

      I've raised this issue with one operation who have a 60 day deletion policy for company security reasons only to be looked at blankly by the HR manager and board directors and then asked, "does anyone doing data recovery ever ask for that sort of thing?".

      At that point I nearly cracked up in hysterics myself.
  • by 8127972 ( 73495 ) on Monday April 22, 2002 @09:45AM (#3387238)
    Now that we know that companies like this exist, how do you as a person who is responsible for dumping old equipment ensure that your company erases sensitive data so that it cannot be recovered by anyone? You have to believe that there have to be one or two people out there who are looking to do something "bad" with the data they find on disposed computers.
    • by bourne ( 539955 ) on Monday April 22, 2002 @10:04AM (#3387325)

      how do you as a person who is responsible for dumping old equipment ensure that your company erases sensitive data so that it cannot be recovered by anyone.

      I'll give you the 5-second summary:

      • You can't erase it so that it can never be recovered.
      • But you can make it expensive/impractical to recover.

      Previous /. threads have gone on at length on the various creative ways people who care (gov't, military) destroy the hardware utterly. If you overwrite each bit on the disk several times, though, it'll require expensive hardware analysis to recover anything - which is beyond most criminals.

      It's the same old issue - risk equals value times danger. The danger that someone will send your disk to hardware analysis isn't that great for most people, so wiping it a few times is probably good enough.

      One good way to wipe - stick a bootable Linux CD in (I like Bootable Business Card [lnx-bbc.org] myself) and 'dd if=/dev/random of=/dev/hda'. Lather, rinse, repeat - or better yet, put it in a bash 'for' or tcsh 'foreach' loop. It takes a while.

      Want to verify you're wiping everything? Use /dev/zero instead of /dev/random for one pass, then do 'hexdump /dev/hda' which should run for a while and then report that it found nothing but 0's on the disk.

      • Want to verify you're wiping everything? Want to be really sure? Take the platters out of your hard disk and grind them into powder, then mix them into cement blocks and drop them off a pier.

      • >lnx-bbc
        I really like that idea - Major kudos to a tech support dude that goes out and fixes a multitude of computer problems - using nothing except their knowledge and a business card =)
      • For these purposes, you don't need a complete stream of cryptographically secure random data, you just need to make certain that the various passes are sufficiently different from each other.

        For that, /dev/urandom will do the trick, and you won't have to wait for your entropy pool to be rebuilt every few thousand bytes. Of course, it'll still take a long time (nothing can speed up that physical disk access), but you can also then let it run unattended on a machine that's disconnected from the rest of the world (and therefore isn't refilling its entropy pool through randomness).

        Oh, and be certain that you do a "sync" between passes. That may not be an issue on a hard drive, but with smaller media (like, say, a zip disk), you want to make certain that the computer doesn't cache the writes.
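As an added example, not code from any commenter in this thread: a POSIX shell script that does what bourne's dd procedure and the /dev/urandom and sync follow-up describe, namely several urandom passes, a sync after each, a final zero pass, and a scripted version of the hexdump check. It runs against a constructed image file standing in for /dev/hda; the file layout, marker string and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Multi-pass overwrite of a disk image
# followed by a check that the final zero pass left nothing but 0x00 bytes.
# TARGET here is a constructed file; pointing it at a real device is left to
# the operator, after checking the device name twice.

# Build a 1 MiB image of pseudo-random bytes with a recognisable constructed
# marker at offset 0, so there is something to prove gone afterwards.
make_sample_image() {
    img="$1"
    dd if=/dev/urandom of="$img" bs=1024 count=1024 2>/dev/null
    printf 'CONSTRUCTED SECRET: payroll-2002.xls' | dd of="$img" conv=notrunc 2>/dev/null
}

# Overwrite the target $2 times with /dev/urandom (each pass differs from the
# last, which is all the passes need), sync after every pass so the writes
# reach the media rather than the page cache, then finish with one pass of
# zeros so the result is checkable. For a real block device replace wc -c
# with 'blockdev --getsize64 DEVICE'. Note that this only touches sectors the
# drive still exposes; remapped bad sectors are out of reach of any overwrite.
wipe_target() {
    target="$1"
    passes="$2"
    size=$(wc -c < "$target")
    blocks=$((size / 4096))
    i=1
    while [ "$i" -le "$passes" ]; do
        dd if=/dev/urandom of="$target" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
        sync
        i=$((i + 1))
    done
    dd if=/dev/zero of="$target" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
    sync
}

# Scriptable version of eyeballing 'hexdump /dev/hda': strip every NUL byte
# and count what is left. A clean zero pass leaves 0.
count_nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

verify_zeroed() {
    [ "$(count_nonzero_bytes "$1")" -eq 0 ]
}

# Cheap sanity check on top of the byte count: the marker must not survive.
marker_present() {
    grep -q 'CONSTRUCTED SECRET' "$1"
}

# Stand-alone demo on a throwaway image: run the script with --demo.
demo() {
    img=$(mktemp)
    make_sample_image "$img"
    echo "before wipe: non-zero bytes = $(count_nonzero_bytes "$img")"
    wipe_target "$img" 3
    echo "after wipe:  non-zero bytes = $(count_nonzero_bytes "$img")"
    marker_present "$img" && echo "marker still present (wipe failed)" || echo "marker gone"
    rm -f "$img"
}

case "${1:-}" in
    --demo) demo ;;
esac
```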
    • by dmaxwell ( 43234 ) on Monday April 22, 2002 @10:08AM (#3387343)
      I once had to retire a Mac LC II that was the building fileserver. This thing had financials, the private records of students; you name it. I low-leveled the drive and wrote 0's to it. Once that was done, I drilled several holes through the platters. I broke the bit off the drill in the process. The drive with drill bit stub stuck in it looks like Count Datatula with a spike through his heart. We keep the spiked carcass around to show people how to make sure that sensitive data gets destroyed.
    • The way that my company handles confidential data is to take the tapes out to the parking lot and run over them with a car. That tends to really do the trick. CDs are similarly broken into multiple pieces.
      • At the first place I ever worked, we used to take sensitive CDs and write "Frisbee" on them. We then used them as such until they weren't readable anymore. Which was kind of stupid, 'cause now I've got a nice inch-long scar from June's email backup. After that we'd just go up on the roof and use them for bottle-rocket target practice.
    • Gasoline. Lots and lots of gasoline. :)

  • by ltsmash ( 569641 ) on Monday April 22, 2002 @09:53AM (#3387275)
    I'd be interested to hear what Lee Tydlaska has to say about secure deletion of data (i.e. how can you be sure you have destroyed data on a hard drive/CD-ROM/floppy/etc.). Peter Gutmann wrote a paper [auckland.ac.nz] on how to destroy data. In the paper, he argues that by overwriting your hard drive multiple times with highly sophisticated patterns, it will be almost impossible to recover the data. I wonder if industry people agree with him.
    • how can you be sure you have destroyed data on a hard drive/CD-ROM/floppy/etc.

      Physically shred it and then incinerate it. If I had something I didn't want ANYONE to be able to get, that's the only method I'd trust. If you want to talk about people going to ANY extreme to recover your erased data, you can do microscopic analysis of the residual magnetic fields. You're talking thousands of hours and possibly millions of dollars to recover the data on a portion of a hard drive, but that's the only way to be SURE.

      • That's true. It won't protect you from the CIA and the NSA or any other member of @tla. But then, if they care about you, they'll spend whatever it takes, or just use Van Eck or torture you for the information.

        What overwriting 35 times with pseudorandom data does do is make your computer pretty much invulnerable to the ex-cop who "learned computers" that'll run Encase over an image of your disk if Scientology decides to sue you.

    • Nope, won't do it. I remember reading a master's thesis on data recovery and retention a couple years ago from an Annapolis grad that was going into the upper echelons of the military's infosec group. Basically with a SEM and some time he could ALWAYS recover some data even after 20 passes with multiple types of data, e.g. patterns, all 0's, all 1's, and pseudorandom noise. He also used a degaussing coil that they use on ship hulls, still able to retrieve some data. His conclusion was that for anything top secret or above the only viable method to dispose of the HDD was incineration.

      p.s.
      sorry can't find the link right now =(
    • So does anyone have any hard evidence that Peter Gutmann's method does not work? For example, many people use the program Eraser or another which utilizes this method; is this a waste of time?

      I agree that this topic has been discussed, but I personally have never seen a story where someone has proved it does or does not work. Everyone just says physical destruction is the only way... or I've "heard" of overwrite patterns in the 20s not being secure. So does anyone have anything that is not hearsay??
  • need help (Score:2, Funny)

    by Anonymous Coward
    Can these guys help me recover a term paper I made on my old Coleco ADAM computer? It's on a cassette tape. My paper was due July 1984; perhaps I can still get partial credit!
  • by Raetsel ( 34442 ) on Monday April 22, 2002 @10:06AM (#3387338)

    And I love him for it. Geek hobby success -- truly, qualities to aspire to...
    (Second page, first paragraph)

    Tydlaska is prone to gloating about his sometimes invaluable skill. "People go into audit a company and they need to see its 'hysterical data,' as I like to call it -- 'hysterical' because of the prices they pay me to see it. They say, 'But there's nothing wrong with the tape! If I had the equipment I could restore the data myself.' And I say, you're right! If you had it, you could! But you can't buy it, and you can't reproduce it, so it's either worth my exorbitant fee or not. I mean, let the IRS believe you've got the data!"

    I've got it, you need it, now pay up! Ha!

    I've got some old tape drives... an Exabyte 8mm, a few DAT (Wang, I think...) drives, a couple circa-1995 pre-Travan QIC plugs-into-the-floppy-controller anachronisms. I even have a one-piece combo 5¼- and 3½-inch floppy drive! Perhaps I ought to start "Joe's Cut-Rate Data Recovery and Money Removal Service."

    Hmmm....

    • huhu, add to your list the more esoteric 3" floppy drive, which you can get for instance off some old Amstrad computers (664, 6128, PCW) or the 8" floppy you can get off a TRS-80, and a nice proggie called 22dsk [demon.co.uk] and you're even more in business...

      even though chances to recover data from floppy get slimmer by the year (sigh). oh! some inventive cabling [euronet.nl] required ;-)

  • by antonsthlm ( 123603 ) on Monday April 22, 2002 @10:24AM (#3387441)
    ... but basically the same problem sphere is Public Archiving, which just as it happens is my current field of temp work as I sleaze my way through university.

    Riksarkivet (National Archives of Sweden) [www.ra.se] is by law required to obtain, store and display for the public all documents and other entities produced by governmental agencies in Sweden, as well as committees and such since 1618 (some older, as well) for all future time. As the last 30 years or so have seen a large surge in computerized documents/-ation, this gives quite a few spectacular and very interesting examples of deliveries from agencies present or extinct with odd hardware requirements and zillions of different software solutions originally used, many homegrown.

    Not only is the archive responsible for 'old' data, it is also responsible for migrating non-computerized material onto a computerized form for future public display, which is no easy process since there is a goal of course not to lock the information onto media, hardware or software designs that are extremely short-term.
    In short, it's an area of a heck of a lot of problems, lots of questions, few people and little interest from the field (I mean, how interesting can it be to design Excel spreadsheets for bank applications? Really?)


    As for Vogon International, I'm sure that it's a company full of geniuses, but I would prefer if they answered the calls we make for ordering and requesting features promised in the manual in their software, which we need ASAP! It's no fun being stuck in a DOS/Windows 95 edition of software for the sole reason of not getting replies from a genius/vendor.

    Forensics anyone?

  • by BigJimSlade ( 139096 ) on Monday April 22, 2002 @10:28AM (#3387464) Homepage
    I love old computers too, but I lean more in the direction of the home/hobbyist computers (old Macs, Atari 8/16-bit computers, Amigas and other Commodores, etc.). I found something called "The Catweasel" [jschoenfeld.com] a while back. It plugs into an ISA slot (remember those? of course you do :) and has floppy controller ports for two drives. This thing reads *everything*. Check out the link for the full specs. Think there's a market for getting data off an Amiga 1200 disk?

    The other cool "recovery" project I've seen is CAPS [caps-project.org], which is a project to preserve exact copies of Amiga games. It's a typical abandonware project, except they are going out of their way to keep all copy protection intact. They are even going so far as to reverse engineer the copy-protection so they can make an exact copy of the original disk!
  • Did anyone else get a flash-based ad for MS that covered most of their browser window?

    I'm just wondering how prevalent these invasive ads are in Salon.
  • Did anyone notice this near the end of the article: "We see everything from floppy disks to small tapes to the old-style 24-inch reel tapes you see in the movies..." I used to work with those tapes and they definitely were not 24 inches in diameter! More like 24 millimeters. A tape 24 inches across would be the size of a large pizza.
  • IBAS (Score:1, Interesting)

    by Anonymous Coward
    IBAS is another company that offers data recovery.

    http://www.ibas.com [ibas.com]

    These guys have some severely cool toys!
  • Would you trust your data to a company called Vogon International?

    Gee, I hope they don't do poetry...

  • I still have 2 working Bernoulli drives, a 9-track tape reader (and ISA card interface), a magneto-optical drive AND, to top it off, an 8-inch floppy drive with a standard floppy drive interface adapter scabbed onto it.

    Why? because I have made over $1000.00 over the past year alone on them. (2 jobs, data recovery)
    This is why I also have other older drives that were popular 15-20 years ago.

    Yes, 99.7% of the time it takes up space in my heated storage room.... but all it takes is ONE person to need it and then I get big $$$. The best part is data recovery from working media is easier now since Linux supports most every filesystem and partition known to be in popular use..

    Basically, if you can get working old stuff like that for free, GRAB IT.. but don't pay for it, that would be silly.
  • Strong magnets don't erase floppies, zip disks, etc..

    Radio Shack's Tape demagnetizer doesn't erase floppies and zip disks.

    CRT Degaussing coils screw up zip disks but I can't tell whether everything is erased. So I don't trust it. I haven't tried hexdump. This coil didn't erase the floppy I tried so I don't have confidence that it will reliably erase media.

    • Strong magnets don't erase floppies, zip disks, etc..

      I have some rather large neodymium magnets and I'd be more than happy to demonstrate how they can. ;-)
      • I have some rather large neodymium magnets and I'd be more than happy to demonstrate how they can. ;-)

        You'd think ... I've tried big speaker magnets and some really strong ones I found at a Hamfest. Neither erased floppies or zip disks. I was surprised. I thought sure they would. They were both strong enough to pick up big hammers 'n shit. The degaussing coil screwed up a zip disk such that I couldn't read it but I'm not convinced the data is unrecoverable. One guy suggested writing zeros with dd and I think that is probably going to be the most effective way for me.
        • The big reason why the data is so resilient though is (if things haven't changed from the C64) that the magnetic transitions are what hold the data. So you really need to flatten it out magnetically to erase it.

          Oh, and I think while most speaker magnets have nice range they don't have the intensity of the neodymiums I have. I wouldn't be surprised if my largest one could pick me up 'n shit. :-)
  • by Splat ( 9175 ) on Monday April 22, 2002 @12:38PM (#3388362)
    They will never make fun of my QIC-120 tape drive mounted below my 24x burner again ..

    Case in point:

    Friend of mine used to run a very successful BBS (gasp?! A BBS?!) in this area I helped out with. At its peak we had 48 telephone lines, an office, and 600 or some users.

    Not to bore you with the details but a partnership was formed, dissolved, and eventually he basically ran out of money.

    Fast forward 5 years later:

    I'm at his house on an unrelated matter. We start talking about the BBS. He mentions how he's got backups of it somewhere but they're on old 120 meg tapes. So I convince him to ransack his room (and we literally do). Eventually we come up with 5 QIC-120 tapes. What to do? Nobody owns one of these drives anymore.

    Ah - but I do! Being a geek who collects old obscure, out of date hardware pays off. I slap the tape drive into my system, connect it to the floppy interface (bleck!) and proceed to load the Colorado Restore software.

    Tape 1 - Bad
    Tape 2 - Bad
    Tape 3 - Bad
    Tape 4 - Good

    I restored the data to my hard drive, burned it onto a CD-R, copied the system to another computer, tweaked the broken backup until it worked, and brought it up.

    Let's do the timewarp, again - a BBS from 1997 was up in the year 2002 via telnet. I was a god among the users :)

    Moral of the story is data mediums age faster than you think! We're only talking 1997 technology here and no one around me had the capabilities to restore it!
