Mystery Writers Forum


Author Topic: A question about computer forensics  (Read 10515 times)


James

  • Scribbler
  • **
  • Karma: 11
  • Offline Offline
  • Posts: 53
A question about computer forensics
« on: September 16, 2010, 09:43:02 AM »

Anyone with knowledge of computers help me here? I have a bomber who wants to eradicate all traces of certain websites he has accessed on his computer. He doesn't want to wipe the memory clean - just those websites that may incriminate him. How would he go about this so that a forensic examination of his computer by the police shows nothing incriminating? Can it be done?

Lance Charnes

  • Ink Slinger
  • ****
  • Karma: 32
  • Offline Offline
  • Posts: 354
    • Wombat Group
Re: A question about computer forensics
« Reply #1 on: September 16, 2010, 10:55:01 AM »

It's hard to get rid of all traces everywhere -- if, for instance, he has to log in to a bulletin board (like this one), there will be a record at the server end. If he works from a computer with a fixed IP address (such as at work), he may be traceable if the site keeps records of accesses by IP. That's how SiteMeter and its ilk work.

On the client side, he can do something like the following:

  • Clean the browser's cache (Tools --> Internet Options in IE V6, Safety --> Delete Browsing History in IE8), then...
  • Run a program such as Eraser, which overwrites deleted files and unused space with random, repeated patterns of 1s and 0s. DoD uses Eraser-like tools to decommission magnetic media that held classified information. After a three- or seven-pass treatment with Eraser, any residual data is pretty much gone.
  • If he's extremely paranoid, he can then run a defrag (Accessories --> System Tools --> Disk Defragmenter in WinXP), which rearranges the files on a drive so they occupy contiguous space. This ends up overwriting formerly unused areas on the disk (such as those occupied by deleted files) with live data.

Will this absolutely, positively get rid of every last scrap? Maybe. It will certainly force anyone who's interested to work really, really hard to find anything useful. Even then, they may not. If your malefactor is religious about this process, there may not be anything left to find. In that case, those interested parties will likely turn to the server and ISP end of the equation.
DOHA 12
On Kindle and Nook
Paperback: Amazon | B&N

Twitter | Facebook

Lance Charnes

  • Ink Slinger
  • ****
  • Karma: 32
  • Offline Offline
  • Posts: 354
    • Wombat Group
Re: A question about computer forensics
« Reply #2 on: September 16, 2010, 11:42:36 AM »

I thought of another thing -- if your evildoer uses a modern browser (IE8 or the latest versions of Firefox or Opera), he'd use InPrivate browsing (IE8 name, don't know the name for the others). This creates a temporary cache for downloaded files, cookies, and so on, then deletes it at the end of the session. This eliminates step 1 in the list I posted before. The other steps are still valid.

wonderactivist

  • Scribbler
  • **
  • Karma: 8
  • Offline Offline
  • Posts: 71
Re: A question about computer forensics
« Reply #3 on: September 16, 2010, 02:16:33 PM »

I'm not so great with electronics myself, but my son is a complete whiz. Friends call him to fix their computers and he built our new computer for $250. It's more powerful than the one we paid over $800 for.

I'll ask him to review this tonight. 

Lucie

wonderactivist

  • Scribbler
  • **
  • Karma: 8
  • Offline Offline
  • Posts: 71
Re: A question about computer forensics
« Reply #4 on: September 16, 2010, 10:20:50 PM »

According to my son, when you delete something, it's actually still there. The computer simply removes it from the file system, but the block of data is still there until it is overwritten. (in my own non-computer lingo that means it can re-use that spot on the disk).  The info is still there and experts at the FBI or some police departments could definitely get to it. 

File shredders attempt to overwrite data but aren't particularly effective.  If the CIA, FBI or a large-city police department gets into them, the stuff IS STILL THERE.  The only way to get rid of it is to wipe the disc--reformatting it hundreds of times--to be certain. 

Sam says, "the best way would be to take a hammer to the hard drive...after reformatting hundreds of times."

FUN!

Lucie

Lance Charnes

  • Ink Slinger
  • ****
  • Karma: 32
  • Offline Offline
  • Posts: 354
    • Wombat Group
Re: A question about computer forensics
« Reply #5 on: September 17, 2010, 01:24:57 AM »

Single-pass overwrites don't do a very good job, true. Multiple-pass overwrites do progressively better work. Three passes with randomized patterns are more-or-less standard for DoD media used to store unclassified information; seven passes are used for media storing up to Top Secret. We had a seven-pass utility we used at HQ CENTCOM for blanking magnetic media before copying new files for internal transfer. Eraser does both three- and seven-pass DoD overwrite, as well as a 35-pass (!) Gutmann routine.

In essence, multiple-pass overwrites are like reformatting the medium in a controlled manner. After seven passes, not even the CIA is going to get anything out of it (that's why they use it on their own media). Data isn't that persistent except in the movies.

wonderactivist

  • Scribbler
  • **
  • Karma: 8
  • Offline Offline
  • Posts: 71
Re: A question about computer forensics
« Reply #6 on: September 17, 2010, 10:28:50 AM »

Typical teenager--exaggerating!   ::)

James

  • Scribbler
  • **
  • Karma: 11
  • Offline Offline
  • Posts: 53
Re: A question about computer forensics
« Reply #7 on: September 23, 2010, 08:09:30 AM »

Thanks everyone. From what you've told me, I guess that if my bomber erased everything, the police would know he had got rid of something or other. But they'd still need proof that he was accessing bomb-making sites, so I guess I'll have him wiping the hard disk over and over again.

What if the police broke in just as he was completing a final wipe, but were too late? Might work. I'll think about it.

Lance Charnes

  • Ink Slinger
  • ****
  • Karma: 32
  • Offline Offline
  • Posts: 354
    • Wombat Group
Re: A question about computer forensics
« Reply #8 on: September 28, 2010, 01:15:39 AM »

If he wipes the entire drive, he'll have to reinstall his operating system and software over and over again. That takes too much time and renders the computer useless for most of it. It's also an obvious red flag.

It's much more effective for him to be scrupulous about using private mode on his browser and going through one of the anonymous-browsing services (such as Anonymizer) when he's looking at the sketchy stuff, then cleaning up after himself using the steps above. He can do his browsing of I Can Has Cheezburger and the like using normal mode on his browser. This way, he (or his lawyer) can show he only uses his computer for normal things and isn't hiding anything.

Alternately, he can go to the public library for his, ahem, professional browsing. Most libraries don't keep track of who uses which computer when, so there'd be no way to link him to the bombmaking sites.

Leon

  • Scribbler
  • **
  • Karma: 15
  • Offline Offline
  • Posts: 94
Re: A question about computer forensics
« Reply #9 on: September 28, 2010, 09:53:36 PM »

Lance,

If it can be done, few people know how to do it.

However, even if a hard drive is destroyed, info may reside on one or more servers.

Hope this is of some help.

Leon

B L McAllister

  • Ink-Stained Wretch
  • *****
  • Karma: 32
  • Offline Offline
  • Posts: 2,390
Re: A question about computer forensics
« Reply #10 on: October 28, 2010, 12:38:32 PM »

Quote
... He doesn't want to wipe the memory clean - just those websites that may incriminate him. How would he go about this so that a forensic examination of his computer by the police shows nothing incriminating? Can it be done?

I have to hope not.
Byron Leon McAllister.
Books by Byron and Kay McAllister can most easily be obtained as e-books or in print from the publisher at http://www.writewordsinc.com/ For "Undercover Nudist," the print version is an improved version of the ebook version. The others are the same in both formats.

fleamailman

  • Cub
  • *
  • Karma: -1
  • Offline Offline
  • Posts: 5
Re: A question about computer forensics
« Reply #11 on: October 30, 2010, 05:28:41 AM »


repost from elsewhere

Quote
Anyone with knowledge of computers help me here? I have a bomber who wants to eradicate all traces of certain websites he has accessed on his computer. He doesn't want to wipe the memory clean - just those websites that may incriminate him. How would he go about this so that a forensic examination of his computer by the police shows nothing incriminating? Can it be done?

and then the goblin showed, explaining "...the way they retrieve deleted pictures and folders, can be by using a windows data recovery program, yes, but mostly the authorities use a linux live CD booting up onto the ram, then transferring any retrieved stuff to a harddrive, because it doesn't leave a trace on the harddrive, meaning one can't counter claim that the data has been planted by them then, so the answer is clearly no as they can still trace your deleted internet history of stuff and identify your computer and you by it...", in fact, when the goblin thought about it, linux seemed to be the key to everything here, continuing "...hats use linux for various reasons then, first off the ip address is fluid, the mac address behind the ip address is a clone too, and there is no reporting to central control the moment one has logged on like in the case of windows operating system where one license number tells them which computer and straight off who you are too...", simply, two things became clear by this, one that if one wanted to be on the internet anonymously one used a linux live CD to do so, and if one wanted to store private stuff one stored it to a USB key directly from the live CD session, where the harddrive of the computer is not used in either case, simply one uses the way of the authorities back at them, and one's harddrive one leaves as a paragon of virtue for them then, at which point the goblin just smiled "...welcome to the world of internet creatures then..."



« Last Edit: October 30, 2010, 05:45:01 AM by fleamailman »