Hunting Anonymous Pt. 2

July 19, 2011 | Anonymity, FBI, Featured Articles

This morning, Tuesday, the FBI made fourteen new arrests and served around 40 search warrants. These raids are most likely based on logs that PayPal and/or VISA handed over after the DDoS attacks. The previous Hunting Anonymous article generated a lot of discussion about disk wiping, encryption, and even the Trojan Defense on sites like Reddit.com and Digg.com.

I wanted to briefly expand on some topics related to privacy and FBI raids.

The Raid

If you have a lot of digital media lying around, it will be seized in a raid. This list includes but is not limited to:

  1. Optical Media (CDs, DVDs, etc.)
  2. Hard Drives
  3. Thumb or Flash Drives
  4. Gaming Consoles
  5. PCs, Laptops, and so on

Sometimes, if you’re a smart ass, they even take your computer monitors and printers just to ensure that they’ve maximized the damage done to you. Other times, pheds are just dipshits and will grab anything with a blinking light.

Interrogation

When you are interrogated by the FBI, they will sometimes threaten you if you do not cooperate with them. This can include threats of terrorism charges or child pornography charges. CP charges are often drummed up when a phederal examiner finds adult porn with young looking actresses in your porn stash. If you cannot hire your own private examiner to refute these claims, then you might be out of luck.

Mitigation

There are certain things any pirate, hacktivist, or swashbuckler can do beforehand to lessen the pain that can come from a raid. This includes destroying any digital media that you do not use. If you have an old non-working laptop from 6 years ago in your closet, take the hard drive out and either wipe it or destroy it. If you destroy your hard drives, be sure to get the magnets out of them. They’re pretty awesome and you can probably hack them into some other future project. Like a wardriving antenna for your car or something.

If you have a legitimate porn stash, get rid of it. The pheds can use it as leverage against you if they start throwing around CP claims. If you want to look at porn and sail the seven proxseas in a battleship, then get porno magazines or only let your porn browsing hit RAM.

To be honest, if I was really worried, I’d wipe all hard drives and re-install because hey, I picked up the newest miley virus and heard that was the only way to get rid of it. I’d then proceed with my normal Internet activities and play the My Little Pony MMORPG. Once I’ve farted enough rainbows, I’d browse on over to Government Propaganda Online by You’re a Slave Media Productions for all of the latest and greatest news and tips on how to turn your neighbor in at the Department of Homeland Security for being different than everyone else.

Use a Linux Live CD when you’re in your battleship or a hard drive with full disk encryption. Just be sure you’re not in a country where they’ll beat you with a rubber hose or clamp jumper cables to your balls. The UK and US hold their own risks as well. More than likely you will face some prison time or strong-arming if you do not give up your passphrase or keys.

Realize that if you have an open WIFI network, anyone can access it. This is sort of a variation of the Trojan defense but hell, if you didn’t do it and there’s no evidence of it on your computers, it must have been the neighbor.

Full Disk Wiping Utilities

Full disk wiping applications allow you to wipe an entire hard drive.

DBAN – Darik’s Boot and Nuke

http://www.dban.org/

Be sure you back up your family photos before booting up the DBAN CD and writing over your hard drives.

Linux GNU Coreutils “dd” application, or the “dcfldd” application

Find this application in any GNU/Linux distribution and you can use it to safely wipe secondary media connected to your machine. I wrote an article on dcfldd as well.

File and Artifact Wiping

CCleaner

http://www.piriform.com/CCLEANER

CCleaner can wipe a variety of artifacts, such as recently opened links and browsing history. Make sure you go through all of the program options to enable a single-pass wipe (the default is to just delete) and to disable the 24-hour limit on browsing artifacts. Otherwise it will not touch anything under 24 hours old.

Eraser

http://eraser.heidi.ie/

Eraser is a great tool for wiping unallocated/free space as well as some artifacts and files. 

Linux Live CDs

If you’re familiar with Linux, you’ve probably experienced many flavours, but for those who haven’t, here is a short list. The purpose of using a Live CD like these is that every action you, the OS, or your applications take never touches a hard disk and only resides in RAM.

Ubuntu

http://www.ubuntu.com/ubuntu

Very popular and you can download it in Live CD flavour. Probably your best bet on out-of-box support for WIFI and other drivers.

Knoppix

http://www.knopper.net/knoppix/index-en.html

Another popular, more old school distro.

Verifying Wiped Drives

You can verify wiped media by opening the media with a hex editor. The software that computer forensics examiners use is simply a glorified hex editor. There may be scripts which help them find images, sort through logs, and so on, but in the end, it’s just a glorified hex editor. So using a hex editor, scan the sectors of the media for any data that should not be there.

For example, if you performed a full disk wipe with a single pass of zeros (writing 0x00 over every sector), then you should only see 0x00 from sector zero/one all the way to the last sector on the disk. If you see other data, it’s possible that the disk wiping software malfunctioned and you should perform the wipe again.

A quicker method of verifying large disks is to use dcfldd and pipe the output to hexedit in the terminal on a Linux system. This will show you exactly where there are non-zero bytes on the disk.
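The same check as a script, added here as an example (it is not part of the original article): it reads a raw image or block device one sector at a time and reports every sector that is not entirely the expected fill byte, so a zero wipe that silently failed part way through shows up as a list of offsets. The demo image it builds is constructed; `verify_image` takes the path of a real image or device opened read-only.

```python
import io
import sys

SECTOR_SIZE = 512
CHUNK_SECTORS = 2048  # read 1 MiB per call so a multi-TB device never sits in memory


def scan_for_residue(stream, fill=0x00, max_findings=10):
    """Report sectors of a raw image/device that are not entirely the fill byte.

    Returns sectors read, how many deviate, and up to max_findings offenders as
    (sector_number, absolute_byte_offset, first 16 bytes of residue).
    """
    fill_byte = bytes([fill])
    expected = fill_byte * SECTOR_SIZE
    sectors_scanned = dirty = 0
    findings = []
    while True:
        chunk = stream.read(SECTOR_SIZE * CHUNK_SECTORS)
        if not chunk:
            break
        if chunk.count(fill_byte) == len(chunk):  # fast path: whole chunk is clean
            sectors_scanned += -(-len(chunk) // SECTOR_SIZE)  # ceiling division
            continue
        for start in range(0, len(chunk), SECTOR_SIZE):
            sector = chunk[start:start + SECTOR_SIZE]
            if sector != expected[:len(sector)]:
                dirty += 1
                if len(findings) < max_findings:
                    bad = next(i for i, b in enumerate(sector) if b != fill)
                    offset = sectors_scanned * SECTOR_SIZE + bad
                    findings.append((sectors_scanned, offset, sector[bad:bad + 16]))
            sectors_scanned += 1
    return {"sectors": sectors_scanned, "dirty": dirty, "findings": findings}


def verify_image(path, fill=0x00):
    """Open an image file or block device read-only and scan it."""
    with open(path, "rb") as f:
        return scan_for_residue(f, fill)


def build_sample_image(n_sectors=8, patches=()):
    """Constructed demo image: zeroed sectors with (offset, bytes) patches written in."""
    buf = bytearray(n_sectors * SECTOR_SIZE)
    for offset, data in patches:
        buf[offset:offset + len(data)] = data
    return io.BytesIO(bytes(buf))


if __name__ == "__main__":  # usage: python verify_wipe.py /path/to/image.dd
    print(verify_image(sys.argv[1]))
```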

Refer to this previous article:

http://www.anti-forensics.com/disk-wiping-with-dcfldd

As always, write in with your tips, ideas, rantings, confusion or hate in the comment form below. Anti-Forensics.com does not log blog commenter IP addresses, but this should not stop you from using proxies, VPN, or your neighbor’s WiFi to post your comments. Also, check out the forums because there are quite a few good tips on there from other posters.

Further Additions to Article


7/23/11

Another thing I should add about browsing porn is that it might be better to do it via a VPN located outside your country. If you are a suspect they want to gather intel on, it is possible that the feds will “tap” your connection at your ISP and collect web browsing data.

Regardless of the reason they are monitoring your web traffic, they will look for visits to porn sites and just as I mentioned before, they can bring these logs up in the future as leverage. Even access to porn data with suspect names, regardless of content will be kept in their bribe bag.

If you don’t give in to their threats and they do actually move forward with prosecution for CP so as to punish you for not cooperating, you will have to hire a private firm to review all of the images and videos (if any even exist) so that those charges can be dropped. If the charges are federal and not state within the US, then the firm will be forced to review the media the government took from you at an FBI office, usually in a spare interrogation room. On top of the FBI treating you like shit, they often treat private examiners like shit and force strict regulations on the equipment they can bring in to do an examination of the media.


12 Comments


  1. I just wanted to say thanks for sharing so much knowledge, I’ve been visiting your website for quite a while now, I don’t know if reading your website has made me more paranoid or smarter, I guess the second one applies better, thank you!

  2. I think this is why some people use TC’s Hidden OS option. Make it look like you are cooperating but in reality you are showing nothing. This does work as advertised and holds up against police investigation (I know first hand). Unless you are dealing with someone that works out side of the law you are fine with this method.

    • Except when they see that you’re not utilizing the entire free space on your OS install. Be cautious with that; especially when “anon” guarantees it.

      • Not true. The free space is completely random data on the decoy OS. The other partition (hidden OS) has an outer volume you can reveal as well without showing the Hidden OS, which is in a Hidden volume on that second partition. Since the partitions are encrypted, the free space is just random data and thus no evidence of a hidden OS and no way to prove one exists.

  3. I’m surprised more people don’t use the open wifi excuse.
    This warrant for an fbi raid connected to the anon ddos on the aging foo Gene Simmons, shows one of the first things the feds did was check to see if the wifi was open or not.
    http://www.thesmokinggun.com/file/gene-simmons-fbi?page=3

    And yeah, if you’re going to do things that have afk consequences learn some basic ass covering techniques.

  4. Wouldn’t the easiest and safest way be to just do some disk wipe tool like DBAN and then say hello to the sledgehammer and goodbye to the hard disk, then ditch it and go buy a new one?

    • Ya if you are ever questioned then just say the last one failed and you threw it out. Be sure to destroy the platters or perform a wipe though like you suggest. I know of a situation where a person poured some sort of acid on his hard drive and then discarded it in a pond. The platters were never wiped or damaged as they were still mostly protected by the case. So the disk was acquired in a clean room.

      Only thing you’re doing there is making it a bit more expensive to retrieve the unencrypted data. He would have been better off tossing the drive out on garbage day.

  5. I do not even use a Hard drive any more.
    I use an external SSD to boot Puppy Linux.

    BTW this post is being typed up on a LIVE puppy Linux CD.
    No HD in the Laptop.

    If i hear loud bangs at the door the SSD goes into the microwave and gets hit with 1000 watts of microwave energy blowing out all CMOS and TTL devices on that board.

    The government is quite afraid of SSDs because it’s so easy for data to be destroyed on them vs. a disk that holds data on a magnetized medium.

    http://computer-forensics.sans.org/blog/2011/03/03/digital-forensics-case-leads-ssd-drives-auto-destroy-forensic-evidence

    • Haha, I love your microwave method, so long as it works as planned. Also I love SSDs for the reason you link as well. I couldn’t find what they were specifically mentioning but I bet it is the TRIM function, which zeros out unused space on most modern OSes to keep the SSD functioning at optimal speeds as data is written and later deleted through normal use.

  6. Nice article and very informative website. I love it but you should inform people about disk cryptor which is a FREE disk encryption application for windows and is miles ahead of Truecrypt. The only downside of dc is that it doesn’t support file containers at this time. http://www.diskcryptor.net.
