Results 1 to 1 of 1

Thread: Anti-Forensics via DD (Blazingly Faster than the MAN page)

  1. #1
    Senior Member
    Join Date
    Jul 2011
    Posts
    236

    Default Anti-Forensics via DD (Blazingly Faster than the MAN page)

    Disclaimer: Currently deployed to Afghanistan and therefore incapable of downloading the newest Backtrack

    Rig:

    Toshiba Netbook 32-bit
    3 Partition (Logical) 500GB HD
    -sda1 --> BT4 r2 (ext2)
    -sda2 --> Ubuntu (ext3) (Natty) Original release (8..... I believe) (Can't update, whatever...)
    -sda3 --> Windows 7 (NTFS) (don't remember my service pack, not really important for this context)


    Over the past 2 weeks I have been playing with different implementations on the usage of DD. I began this when I came across an article somewhere on the net regarding shred/sdelete and its ineffectiveness at wiping data; sadly I don't remember the link or I would post it. However, I decided to do a file backup on my laptop, and came across the fact that I saved the webpage. It is as follows.


    This illustrates the problem with "srm". To follow you'll need "sleuthkit" and "secure-delete".
    Create a file called data. "ls -Fhli" shows the inode numbers on the left.
    Code:
    private@host:~$ echo "this is data, data, data" > data
    private@host:~$ cat data
    this is data, data, data
    private@host:~$ ls -Fhli
    total 16K
    802821 -rw-rw---- 1 private private   25 2008-02-26 11:54 data
    802824 drwxrwx--- 2 private private 4.0K 2008-02-26 11:43 docs/
    802827 drwxrwx--- 2 private private 4.0K 2008-02-26 11:43 etc/
    802818 drwxrwx--- 2 private private 4.0K 2008-02-26 11:43 files/
    Now, using Sleuthkit's "istat" command with the inode from "data". At the bottom, istat shows the allocated blocks. "/dev/hda6" is my /home partition, run "df" to find your own device.
    Code:
    private@host:~$ istat /dev/hda6 802821
    inode: 802821
    Allocated
    Group: 49
    Generation Id: 1770472290
    uid / gid: 1001 / 1001
    mode: -rw-rw----
    size: 25
    num of links: 1
    
    Inode Times:
    Accessed:       Tue Feb 26 11:54:47 2008
    File Modified:  Tue Feb 26 11:54:38 2008
    Inode Modified: Tue Feb 26 11:54:38 2008
    
    Direct Blocks:
    1619968
    Code:
    Next, we run "dd". "bs=4096" refers to the block size. "skip=1619968" refers to the direct block (given by istat).
    private@host:~$ dd if=/dev/hda6 bs=4096 skip=1619968 | xxd | less 0000000: 7468 6973 2069 7320 6461 7461 2c20 6461 this is data, da 0000010: 7461 2c20 6461 7461 0a00 0000 0000 0000 ta, data........ 0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................ ...
    We run "srm data" to "securely" delete the file 'data'. A subsequent call to 'istat' shows the file is unallocated. Is the file 'data' gone?
    Code:
    private@host:~$ srm data 
    private@host:~$ istat /dev/hda6 802821
    inode: 802821
    Not Allocated
    Group: 49
    Generation Id: 1770472290
    uid / gid: 1001 / 1001
    mode: -rw-rw----
    size: 0
    num of links: 0
    
    Inode Times:
    Accessed:       Tue Feb 26 11:54:47 2008
    File Modified:  Tue Feb 26 12:03:44 2008
    Inode Modified: Tue Feb 26 12:03:44 2008
    Deleted:        Tue Feb 26 12:03:44 2008
    
    Direct Blocks:
    Look below. The data was supposedly cleared. However, running 'dd' again, on the same block as before, shows the data still lingers. 'srm' hasn't cleared the block.
    Code:
    private@host:~$ dd if=/dev/hda6 bs=4096 skip=1619968 | xxd | less
    
    0000000: 7468 6973 2069 7320 6461 7461 2c20 6461  this is data, da
    0000010: 7461 2c20 6461 7461 0a00 0000 0000 0000  ta, data........
    0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
    ...
    To clear the block you need to run 'sfill' or use 'dd' with if=/dev/zero or if=/dev/urandom to fill up the filesystem.


    I then tried my own method using dd as root; and it worked.

    The above experience really got me into thinking how quickly DD could overwrite freespace on a device, and if it was "cross-platform" enough for me in the sense of different file sytem architectures (ext2, ext3, ext4, NTFS, etc....). So, I did what any good true hacker would do and I started experimenting on my own, not just taking the articles on the net at face value. About 3 nights ago I happened to be booted into Ubuntu when I decided to try an implementation of DD using a method that translated the /dev/zero output to all 1s


    All of my commands are issued as root


    My commands are as follows:
    Code:
    mkdir mt
    mount /dev/sda1 mt
    cd mt
    dd if=/dev/zero count=1 | tr '\0' '\49' > foo
    Good link for ascii reference is: http://web.cs.mun.ca/~michael/c/ascii-table.html

    This made me a file 512 bytes in size (512 is the default byte-size unless specified otherwise with bs=) that was filled with 1s for characters. A subsequent: "hexdump -C < foo" confirm the output of 1s. At this point I started trying various implementations of bs & count combinations to come up wih the quickest method for filling a certain device. I made the following observations.
    All these were done on different partitions than the operating system in which i tested it. ie.... I filled /dev/sda2 while operating from /dev/sda1, and /dev/sda1 while operating /dev/sda2, /dev/sda3 was windows so i just choose the ubuntu to wipe from.

    To see the current speed and progress of a dd operation you simple need to: "ps aux | grep dd", then note the process ID, then issue "kill -USR1 <pid>. This will make a progress dump on the screen doing the DD. The average speed for writing to ext2 & ext3 was found to be around: 22MB/second. The average speed for writing to my NTFS partition averaged out around 5MB a second, it started strong around 20MB a second, but averaged out to the 5 after roughly 1GB of writing.

    It was when I happened to have missed a keystroke that the thought for the whole article came up! I was in ubuntu (/dev/sda2) and i had mounted (/dev/sda1) to my home directory ie (mount /dev/sda1 ~/mt)

    I then changed to the mt directory (/dev/sda1) and started typing, but I was careless and I typed: "dd if=dev/zero | tr '\0' '\49' > foo". I then issued my kill -USR1 command to see how the progress was coming along and it was at a whopping 48MB/sec! Couldn't believe it...., So, I killed the original process and tried to figure out what had happened. In looking at my syntax I noticed that I did not include a "/" in front of the dev for the if= option. I was now using the (/dev/sda1) partitions /dev/zero file to write to foo.

    So, here are some questions I have regarding my experience I hope the community can chime in on:

    1) I wonder if anyone else has used dev/zero vs /dev/zero before.

    2) Why is if=dev/zero double the speed of if=/dev/zero (Something bout it not being the active O/S?)

    3) Help me to improve the following syntax please; the goal of which being able to background DD command that uses pipes and issue kill -USR1 to a variable versus parsing the running processes.

    - Example 1:
    Code:
    dd if=/dev/zero of=foo & pid=$!
    the user is then able to type
    Code:
    kill -USR1 $pid
    and see the results

    - Example 2:
    Code:
    dd if=/dev/zero of=foo | tr '\0' '\123' > foo & $pid=$!
    The problem here is that it issues the pid to the tr command and not dd, I've tried various implementations placing the ampersand right after dd and such, but it all fails......And yes, I am aware that I could simple issue a test expr to make the value of $pid=$pid-1 so to speak, but I would like to learn to proper syntax so that I can understand why it doesnt work. The goal is to background DD so that I dont have to open another screen, while at the same time piping DDs output to a customized command so that I can make it something other than a "null" filled file.

    V/r,
    Snafu
    Pffbt..

    I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass..
    Last edited by snafu777; 10-08-2011 at 06:36 PM. Reason: I found a saved copy of the webpage (Lucky!)

Similar Threads

  1. Darik's Boot And Nuke (Anti-Forensics)
    By firebits in forum Tool Requests
    Replies: 4
    Last Post: 02-01-2011, 07:12 AM
  2. SDelete v1.51 (Anti-Forensics)
    By firebits in forum Tool Requests
    Replies: 0
    Last Post: 01-28-2011, 07:27 AM
  3. more APs = faster speed
    By zemen in forum OLD General IT Discussion
    Replies: 7
    Last Post: 01-12-2009, 05:56 PM
  4. Crunch on bt3 faster than bt2?
    By johnyt in forum OLD BT3beta General
    Replies: 6
    Last Post: 01-15-2008, 03:12 AM
  5. Cracked wep in 20 min,need help to go faster
    By Pyro_kitten in forum OLD Wireless
    Replies: 8
    Last Post: 11-30-2007, 03:33 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •