Comments on CYB3RCRIM3: "Evidence Elimimator" and Possession
Feed author: Susan Brenner (http://www.blogger.com/profile/17575138839291052258)
Feed last updated: 2023-12-12T03:19:42-05:00
11 comments, newest first.

Anonymous, 2009-09-20T18:34:04-04:00:

I use Evidence Eliminator. The guy must not have been using his correctly or often enough if files were recovered from his free space. Good habits make for good security. That's another reason why I use PGP Whole Disk Encryption; in case my data wiping habits get sloppy I have a back-up protecting me. And, no, I just don't have it because of child porn. I have a law practice and you just cannot be too careful with data these days. Old or thrown-out hard drives have a way of turning up at inconvenient times.

Professor Don (https://www.blogger.com/profile/16267677947700230734), 2009-09-19T00:11:50-04:00:

Just another $0.02.

The original statement,

"The unallocated section of a hard drive is considered the "free space" of the hard drive and is the area to which computer data or images are sent, sometimes automatically, by the Web site the user is visiting."

is a fairly severe oversimplification of the process.

It omits the heavy lifter doing the work, namely the operating system (Craig's dog). Any description of a process that omits the operating system can be dangerously flawed because of the many hacks, options and other wrinkles that could be added.

For example, the cache could be redirected off of the hard drive. Or the browser could have the cache turned off. The original statement implies that the website has some control over these actions. It does not. Cache contents are controlled on the client end.

Admittedly, most users allow the OS and browser to operate with default settings, which makes the original statement fairly descriptive of the process. But the devil often resides in the details.

Craig Ball (https://www.blogger.com/profile/02193426311242185309), 2009-09-18T11:17:02-04:00:

Mr. Schwartz:

In computer forensics, I suppose I'd rather be thought hypertechnical than resort to the metaphysical to try to make true that which simply is not.

Part of what we deal with in forensics is the link between human behavior and electronically stored information. Whether an event occurs as a consequence of an automatic process locally, remotely or initiated by the user or another actor is important. Sometimes it's the heart of the issue.

It's simply wrong to state that a website sends or stores data to unallocated clusters. That is my point now, and has been my point all along. Other readers can judge for themselves.

Here's an example of a more accurate statement for, say, WinXP and IE, so others can see the distinction:

The computer's file system, working in conjunction with a web browser, stores data retrieved from a web site in an active file area called Temporary Internet Files. When a user empties their Temporary Internet File area, the contents are deleted and typically reside in the unallocated clusters until overwritten. In addition, the oldest items in the file cache may be automatically deleted and reside in the unallocated clusters when the space allocated to Temporary Internet Files exceeds a limit defined by the user or by the browser's default configuration.

People's liberty, property and reputation hinge on our being precise and accurate in computer forensics. Stating that 'a web site sends data to the unallocated clusters' is inaccurate and imprecise. It wrongly elides over the roles of the file cache, browser settings and user intervention.

If I were forced to put this difference in the context of your "Jack called my desk phone" analogy, it would be like saying "Jack urinated on my rug" when what you really mean is that the ringing phone startled the dog who soiled the rug.

JoelKatz (https://www.blogger.com/profile/09840865938897877532), 2009-09-17T17:11:42-04:00:

Craig, you're refuting your own understanding of what was said and not what was actually said. Again, what was said was:

"The unallocated section of a hard drive is considered the "free space" of the hard drive and is the area to which computer data or images are sent, sometimes automatically, by the Web site the user is visiting."

The sending process is done by the web site. Yes, the web site doesn't choose the ultimate end point, but the suggestion neither says nor implies that it does.

The statement is just as correct as saying "Jack called my desk phone" even though the number Jack dialed is for a company whose internal phone system routed the call to your desk phone.

"In fact, nothing "stores" data in unallocated clusters (we can debate shadow volumes, but that's not at issue here)."

By that logic, you can't store something in an empty box, because if there was something stored in it, it wouldn't be empty. But in fact, empty boxes are precisely where people store things, which then become something other than empty boxes.

You are hyper-technically parsing something that is perfectly correct in common usage, and if there's some mistake in the reasoning, you haven't pointed it out.

Anonymous, 2009-09-17T11:51:40-04:00:

When the computer saves a file, it allocates some previously unallocated space, and saves the file there. There is little use in arguing over whether that constitutes "saving the file in unallocated space" or not.

The point is that "temporary internet cache" is not a particular space on the drive, but a designation for what it's used for at a particular time. When the file is erased, the space may be used for some other computer purpose.

It's not clear to me whether, if an examiner finds a fragment of .jpg in unallocated space, he can tell it was previously in internet cache, or saved email cache, or user folder.

Craig Ball (https://www.blogger.com/profile/02193426311242185309), 2009-09-17T09:19:19-04:00:

Mr. Schwartz:

I'm not incorrect. You need to check your facts. No web site stores data in the unallocated clusters. Not possible. Data and images are not "sent" to unallocated clusters by the website the user is visiting. It's an important distinction.

Yes, emptied cache content, old data or data in excess of quota will rotate out of the temporary Internet file cache to the unallocated clusters, but that is not the same thing as suggesting that web sites store or send data to the UAC. They do not do so, and they cannot do so.

In fact, nothing "stores" data in unallocated clusters (we can debate shadow volumes, but that's not at issue here).

JoelKatz (https://www.blogger.com/profile/09840865938897877532), 2009-09-16T17:36:51-04:00:

Craig Ball: You are incorrect. Data and images are sent to the unallocated area. They *can't* be sent to the temporary Internet file cache because that contains files *already* cached.

"If data were stored in the unallocated area, that area would be allocated space (i.e., active data)." Correct. The data is not stored in the unallocated area yet. That's why that's where it gets stored when it is stored.

"When temporary Internet file cache is emptied, or when parts of cache are rotated out because time or size limits are exceeded, the areas where the data was stored are released for reuse and, thus, their content becomes part of the unallocated space."

Exactly. So finding data in the unallocated space supports the claim that it was once part of the Internet cache.

Craig Ball (https://www.blogger.com/profile/02193426311242185309), 2009-09-16T02:28:51-04:00:

The quote from People v. Scolaro contains a glaring factual error.

The quote:
"The unallocated section of a hard drive is considered the "free space" of the hard drive and is the area to which computer data or images are sent, sometimes automatically, by the Web site the user is visiting."

The quote confuses the unallocated clusters with the temporary Internet file cache. No web site "sends" data or images to the unallocated clusters. If data were stored in the unallocated area, that area would be allocated space (i.e., active data). It's not a trivial distinction.

When temporary Internet file cache is emptied, or when parts of cache are rotated out because time or size limits are exceeded, the areas where the data was stored are released for reuse and, thus, their content becomes part of the unallocated space.

Unfortunately, even many forensic examiners have a spotty appreciation of how data is really stored on computers, especially those who rely too heavily on forensic suites that allow them to think it's all done with a click and a script. The quote may be an example of technobabble being trotted out to mask confusion.

Professor Don (https://www.blogger.com/profile/16267677947700230734), 2009-09-16T01:43:14-04:00:

Actually, XP routinely "destroys evidence" and good practice calls for defragging hard drives, which also "destroys evidence".

Although not specifically used for erasing deleted data, defragmentation can destroy much of the deleted data on a hard drive.

Good practice also calls for the "destruction of evidence" when a computer or hard drive is taken out of service. At such times, low-level formats (which replace all data with 0's) are done to ensure that private information (HIPAA, FERPA and the rest of the alphabet soup) isn't compromised.

This is sorta reminiscent of Oliver North's comment about his paper shredder when he said that the government bought him the shredder for a reason.

Anonymous, 2009-09-15T13:31:14-04:00:

A page of child pornography blows out of your neighbor's trash and sticks in your rosebush, exposing you to the possibility of a felony charge. And the state wants to infer that since you have a box of matches and a fireplace, you had them for the purpose of destroying evidence.

In this case, the state wants it both ways. The statute refers to "sufficient time to be able to terminate his or her possession", but wants to draw an incriminating inference from possession of the tool necessary to "terminate possession."

John Burgess (https://www.blogger.com/profile/11979918255430186425), 2009-09-14T18:44:04-04:00:

Good post.

IANL, but I think there might be some ground for rebuttal, though not quite what you proposed.

The 'eraser' doesn't actually free up any more space; it overwrites data on the disk, already in a position to be overwritten by new data. So, the space is actually unaffected.

What is left is a potentially unreadable data trace.

That the tool he used was called Evidence Eliminator does not help his argument, though. It channels all further thoughts, as you suggest, in one, unfavorable direction.

There are plenty of similar programs that emphasize the security of the erasure. They're touted as tools for business, and businesses have all sorts of legitimate reasons to securely erase data from hard drives.

Had he argued that he used the program to remove, say, his income tax filings, he could have made a stronger argument.

But, as they say, the totality of the evidence was really stacked against him.
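The disagreement in the thread comes down to a sequence that Craig Ball spells out (the browser writes responses into an active cache file area; emptying the cache or exceeding its quota deletes entries, whose bytes then sit in unallocated clusters until overwritten) and a question the anonymous commenter raises (whether a carved JPEG fragment in free space can be attributed to the cache, a mail store or a user folder). The following Python model is added here as an illustration; it is not code from any commenter, from Blogger, or from any forensic tool. The cluster size, quota, URLs, file paths and image payloads are all constructed for the example, and the volume is a toy (a bitmap, a directory and a byte array), not a real file system.

```python
"""Toy cluster-allocated volume, a browser cache with a size quota, and a
carver that scans only unallocated clusters.

Constructed example: cluster size, quota, paths and payloads are invented so
the whole life cycle fits in a few lines. No real file system is modelled.
"""
from typing import Dict, List

CLUSTER = 16                 # bytes per cluster (constructed, not a real size)
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker that a carver keys on


class ToyVolume:
    """Directory entries + allocation bitmap + raw cluster bytes."""

    def __init__(self, clusters: int) -> None:
        self.data = bytearray(clusters * CLUSTER)
        self.allocated = [False] * clusters
        self.files: Dict[str, List[int]] = {}      # name -> clusters it owns

    def free_clusters(self) -> List[int]:
        return [i for i, used in enumerate(self.allocated) if not used]

    def write(self, name: str, payload: bytes) -> List[int]:
        """Allocate first-fit free clusters and copy the payload in. This is
        the only way bytes reach the disk: a local program asks the file
        system to allocate, so the clusters are active (not unallocated)
        the moment the data lands in them."""
        need = -(-len(payload) // CLUSTER)          # ceiling division
        chosen = self.free_clusters()[:need]
        if len(chosen) < need:
            raise OSError("volume full")
        for k, c in enumerate(chosen):
            chunk = payload[k * CLUSTER:(k + 1) * CLUSTER].ljust(CLUSTER, b"\0")
            self.data[c * CLUSTER:(c + 1) * CLUSTER] = chunk
            self.allocated[c] = True
        self.files[name] = chosen
        return chosen

    def delete(self, name: str) -> None:
        """Deleting clears the bitmap bits and the directory entry only; the
        bytes stay in place until a later write() picks the cluster again."""
        for c in self.files.pop(name):
            self.allocated[c] = False

    def carve_unallocated(self, marker: bytes = JPEG_SOI) -> List[int]:
        """Return free clusters that contain a JPEG header. The carver sees
        cluster numbers and bytes only; the directory entry that once named
        the file (cache entry, mail store, user folder) no longer exists."""
        return [c for c in self.free_clusters()
                if self.data.find(marker, c * CLUSTER, (c + 1) * CLUSTER) != -1]


class BrowserCache:
    """Temporary-file cache: the browser stores responses as ordinary files
    and evicts the oldest ones once its quota (in clusters) is exceeded."""

    def __init__(self, vol: ToyVolume, quota_clusters: int) -> None:
        self.vol, self.quota = vol, quota_clusters
        self.order: List[str] = []               # oldest entry first

    def used(self) -> int:
        return sum(len(self.vol.files[n]) for n in self.order)

    def store(self, url: str, body: bytes) -> None:
        self.vol.write(url, body)                # response lands in active space
        self.order.append(url)
        while self.used() > self.quota:          # automatic rotation of old items
            self.vol.delete(self.order.pop(0))

    def empty(self) -> None:                     # user clears the cache
        for url in self.order:
            self.vol.delete(url)
        self.order.clear()


def life_cycle() -> Dict[str, List[int]]:
    """Walk cached and user-saved images through fetch, quota eviction, user
    deletion, cache emptying and reuse; record what a carver flags each time."""
    vol = ToyVolume(clusters=8)
    cache = BrowserCache(vol, quota_clusters=2)
    stages: Dict[str, List[int]] = {}
    cache.store("http://example.invalid/a.jpg", JPEG_SOI + b"A" * 20)   # 2 clusters
    vol.write("C:/Users/x/photo.jpg", JPEG_SOI + b"U" * 10)             # 1 cluster
    stages["all_active"] = vol.carve_unallocated()       # nothing: all allocated
    cache.store("http://example.invalid/b.jpg", JPEG_SOI + b"B" * 20)   # exceeds quota
    stages["after_rotation"] = vol.carve_unallocated()   # a.jpg's header cluster
    vol.delete("C:/Users/x/photo.jpg")
    stages["user_delete"] = vol.carve_unallocated()      # cache and user remnants alike
    cache.empty()
    stages["cache_emptied"] = vol.carve_unallocated()
    vol.write("C:/Users/x/notes.txt", b"D" * 30)         # 2 clusters reused
    stages["after_overwrite"] = vol.carve_unallocated()  # only unreused remnants
    return stages


if __name__ == "__main__":
    for stage, hits in life_cycle().items():
        print(f"{stage:16s} carver hits in free clusters: {hits}")
```

Two things the model makes visible. Nothing ever writes into unallocated clusters: every byte arrives through `write()`, which allocates first, and only `delete()` turns an active cluster into an unallocated one holding stale content. And the carver's output at the `user_delete` stage lists a former cache entry and a former user file side by side with nothing to distinguish them; the attribution has to come from other artifacts (cache index files, browser history, file-system journals), not from the carved fragment itself. The last stage shows the "until overwritten" caveat: ordinary reuse of the lowest free clusters by an unrelated file destroys some remnants and leaves others.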