File Systems for Electronic Surveillance Devices?
An anonymous reader asks: "A friend recently discovered that her vehicle had been bugged by the police (for reasons I won't go into here). It seems the set-up had been wired into the car's electronics, so that whenever the car was going the microphones were recording the occupants' conversations. Unfortunately I didn't get to see everything she recovered, as she was a bit exuberant in her removal and disposal. However, I have been given a 20G Fujitsu notebook hard drive and some kind of audio processing chip from a manufacturer by the name of Topoint, and have been asked if I can examine the contents. You can read on to hear about my efforts so far, but I have several questions: If the surveillance device came from a vendor, what kind of file system might they use, and if - as I suspect - it is encrypted, do I have any options other than writing zeros over the drive and putting it to less controversial use?"
"Not knowing what to do with the audio chip, I focused on the notebook hard drive. I got an adapter, connected it as master on my desktop and booted up. After checking the BIOS to see if the drive was recognised (it was), I was presented with a full-screen simple line diagram showing the floppy drive slot, a floppy with an arrow in front of it and across the bottom, the F keys with the F1 key depressed. Hitting F1 with or without entering a disk resulted in 'Non-system disk error...' So much for the direct approach.
Next I set the drive as slave and booted Linux (Mandrake and then a few Live CDs), but the drive contents weren't recognised due to the lack of a partition table. So, I kept it as slave and ran a few forensic and data recovery tools in Windows: DFSee and tools from Mare Software and Runtime Software. I couldn't recognize the file system or recover anything from the drive with these, so I figure it isn't formatted with any of the standard FAT, FAT32, HPFS, NTFS, JFS, EXT2/3 or REISER file systems. I've kind of reached the limit of my abilities here, but my curiosity has been stoked.
Does anyone have any suggestions or comments - useful or otherwise? To anticipate a few in advance: Yes, listening devices might well run Linux. We're not in the US and are more interested in human rights than terrorism. My friend obviously knows most of what has been recorded, but wants to figure out how long the bug was in place."
Interesting...could it be that there isn't a FS? (Score:5, Interesting)
I would try grabbing the data off of the drive as an image, then "playing" the image as if it were one large audio file.
Re:Interesting...could it be that there isn't a FS (Score:3, Interesting)
Two things to try (assuming you have the drive as hdb).
1. strings
2. cat
You never know, they may have been that lazy.
Re:Interesting...could it be that there isn't a FS (Score:1)
Yah, drag it to iTunes!
Let me get this straight: (Score:1, Insightful)
I smell bullshit.
Either way, what you are doing is aiding and abetting. You should give it back to her after wiping your prints off it.
Re:Let me get this straight: (Score:2)
If this cat's on the level, I foresee a nice, government-paid vacation soon...
How is this tampering and stealing? (Score:2, Interesting)
Re:Let me get this straight: (Score:2)
Re:Let me get this straight: (Score:3, Insightful)
Why? A bug has to store its recordings somewhere. Despite what you see on The Sopranos, radio links are unreliable and do not produce quality recordings. There are alternatives for storage such as Flash ROM, but none of them have any really compelling advantages. A notebook drive is small enough to conceal easily amongst all the hardware under the hood of a car. 20 GB is probably overkill, but nowadays it's hard to buy hard drives smaller
Re:Let me get this straight: (Score:3, Insightful)
If you were designing a car bug, what would you use for storage?
Something without moving parts.
Re:Let me get this straight: (Score:3, Funny)
I wish the police would put a large flash device in my car!
Re:Let me get this straight: (Score:2)
Keep looking
Re:Let me get this straight: (Score:2, Insightful)
Last time I checked it still isn't a crime to disassemble your own property, despite what Lexmark says.
Sounds like the dipshits who can't even spy on people without being discovered lost the right to their harddrive.
Re:Let me get this straight: (Score:2)
Last time I checked it still isn't a crime to disassemble your own property
In the Land of Free and Home of Brave® it could be a crime. My limited understanding of the DMCA suggests I can't use DeCSS in my own house in the USA to look at the DVD I just bought with my own money because it would "circumvent a copyright protection device".
[I wish they'd just concentrate on enforcement of actual instances of copyright infringement such as copying and distributing for a profit or, better, on reforming copy
Re:Let me get this straight: (Score:2)
Re:Let me get this straight: (Score:1, Insightful)
Re:Let me get this straight: (Score:2)
It sounds to me more like somebody lying to inflate her ego.
But that chip is weird.
http://64.233.167.104/search?q=cache:h7sCqBKO0YEJ:www.topoint.cc/eng_topoint/profile.htm+Topoint&hl=en [64.233.167.104]
Hey, they're "inglorious in plagiarizing"
Re:Let me get this straight: (Score:1)
But to answer your original question "What car's electronics include microphones?"
A: Any car with OnStar or similar mobile service.
Re:Let me get this straight: (Score:2)
You'd be surprised.
For example, the Porsche Boxster has a microphone built-in to simplify the installation of a handsfree phone kit.
Hmm (Score:1, Offtopic)
So then you go and post on Slashdot about how best to hack the hardware you have in hand.
I think you have bigger problems than the technical ones you are facing. Get a lawyer.
Re:Hmm (Score:2)
If that's the case, then impeding the investigation could well be the least of your worries.
Re:Hmm (Score:1)
Aside - Toppoint appears to be a Chinese manufacturer, according to what turned up on Google [topoint.cc].
Re:Hmm (Score:5, Informative)
Any/all numbers on the chip would probably be more useful than the manufacturer's name.
Also, and perhaps a red herring, could the device in question be the product found here [gpevergrowth.com]?
It is a GPS tracker with audio recording capability. It also happens to take 20G drives and uses a SOIC for control.
It may be a jump, but Toppoint could have been the board builder.
Re:Hmm (Score:4, Interesting)
That may not be true, but it's such a gray area, how am I supposed to know what it is, or why it's there. I mean for all I know it could be part of my car, in which case I can do what I want with it.
But yes, I'd agree that telling the world via slashdot that I want to foil the police's efforts to find a "criminal" is pretty dumb.
Re:Hmm (Score:1, Interesting)
Except the submitter assumes it was placed by the police, so we have to trust him that he knows it's government property. Anyway, all that's mute. If this is real, it's probably likely the police don't worry too much about following the
Re:Hmm (Score:1)
mute != moot
Re:Hmm (Score:2)
Re:Hmm (Score:2)
Re:Hmm (Score:2)
2) w.r.t. "airmchair fascist", you seem to be a bigger idiot than I am.
Re:Hmm (Score:2)
A competent attorney should be able to get that charge tossed, because there's no proof that it's gov't property.
Re:Hmm (Score:2)
Furthermore, if the bug was put there with a court order, it has every legal right to be there. It is not legally speaking trespassing on the bugee's private property.
Re:Hmm (Score:2)
Who the hell is Bushie?
Re:Hmm (Score:1, Funny)
I think you have bigger problems than the technical ones you are facing. Get a lawyer.
Or better yet, dd the HD contents into a file and put it up on bittorrent.
Re:Hmm (Score:2)
What I'd really like to know... (Score:2, Interesting)
Re:What I'd really like to know... (Score:1, Flamebait)
Does the car actually still work? Is your friend blonde?
Re:What I'd really like to know... (Score:1)
Neat, but you might want to talk to a lawyer... (Score:4, Interesting)
Perhaps I should start a pool as to when
I would find it a hard choice to make myself -- just on the coolness factor, but use some common sense before you find yourself in hot water!
Re:Neat, but you might want to talk to a lawyer... (Score:3, Insightful)
If it isn't marked, who's to know who it belongs to or who installed it? We can make educated assumptions, but unless it says "Property of XYZ Police Department", who knows? And even then, it's in your car, without your permission, what the hell do you know why it's there?
But, I think this post is a load of shit from someone who wants to see s
Stolen laptop? Gimme a break. (Score:2)
First, make a copy! (Score:5, Informative)
(assuming you have free 20G on your HDD)
Then try file
used just to dump data, you might as well see that it is a WAV file.
Then try strings
Paul B.
Re:First, make a copy! (Score:5, Insightful)
Re:First, make a copy! (Score:2)
Paul B.
Re:First, make a copy! (Score:2)
Re:First, make a copy! (Score:2, Informative)
For example, they refuse to allow the use of credit cards with a billing address outside the US, require a copy of the front and back of the card to be sent to them by snailmail, charge absolutely exorbitant shipping rates (I'm talking $US40 for non-express shipping on a $US100 item that's no bigger than a hardback book), and that sort of thing.
Re:First, make a copy! (Score:3, Informative)
Don't forget customs brokerage and the occasional secondary shipping charge for customs to intercept, find nothing and send it on its way.
Re:First, make a copy! (Score:2)
Re:First, make a copy! (Score:2)
"Data Recovery" (Score:2, Insightful)
Whose property is it? (Score:2, Interesting)
If the police bug your car, do they still own the bug, or have they abandoned the property? Anyone know any precedent for that one?
Re:Whose property is it? (Score:3, Insightful)
eh, any precedent would be country-specific anyway. and he ain't tellin' which country, for obvious reasons.
Re:Whose property is it? (Score:1)
eh, any precedent would be country-specific anyway. and he ain't tellin' which country, for obvious reasons.
Obvious reasons? Like 'cause then it limits down his identity to one of a few million people?
Anyway, pick a country, doesn't matter if it's his or not. I'd be interested in hearing about it, because it's a strange legal situation.
Re:Whose property is it? (Score:1, Funny)
Obvious reasons? Like 'cause then it limits down his identity to one of a few million people?
Um, I would hope that there aren't that many countries that are targeting "a few million people". Or heck, even targeting enough people so that they and each of a dozen of their closest friends adds up to "a few million people".
A better idea (Score:5, Funny)
Format the whole thing with fat32
Fill the entire drive with gay porn.
Reinstall in car.
Re:A better idea (Score:5, Funny)
As the recording gets longer, make the conversations get more and more outrageous. One person tells the other that he used to be a she who, in turn, used to be a he. Another goes into a tirade about how his father beat him, so now he feels like he should beat his children... except that he doesn't have children, so he beats up random children on the playground instead. At some point, the line "I'm not your Uncle, I'm your father" appears. "But wait, that would make me your brother." "Eww.... You married your sister?"
By the end, everybody is sleeping with everyone, family trees are intertwined in amusing ways, the priest is having an affair with the school nurse, and the horny schoolgirl talks about how she once had sex with the governor/president/whatever. It all culminates with someone deciding to off him/herself, not because he/she did anything wrong, but because he just found out that his sister had become a prostitute to raise money to help pay for his cancer treatment while he sold his cancer drugs to help pay for her AIDS treatment. Be sure to accurately simulate the sound of a gunshot through the roof of a car.
Watch the amusement as the police A. try to find the blood stains, B. try to find the bullet hole, C. try to figure out who the heck all those people are, and D. arrest a senior government official for underage sex. If you pull it off without getting caught, it would be the prank of the century....
Investigate the audio chip first (Score:5, Insightful)
A reasonable first step would be to try to take the entire contents of the drive and send it out your sound card... (dd
If it really is encrypted, then you'd have to do some sort of cryptanalysis, and I have no idea how to even begin cryptanalysis on audio data. At that point, I say open the HD up and scrape the platters until they're shiny silver instead of shiny brown.
Re:Investigate the audio chip first (Score:1, Informative)
Not airtight (Score:2)
Not so. If they were airtight, they wouldn't have the little filter holes, and they wouldn't have a maximum operating altitude.
But they do have sharp edges
Re:Not airtight (Score:1)
Re:Investigate the audio chip first (Score:2)
Fucking knuckle?
Re:Investigate the audio chip first (Score:1)
Investigate the [BS] first (Score:1, Funny)
This story, and most of the comments.
Things to try (Score:5, Interesting)
Next, as another poster suggested, use dd to get a copy of the disk. Make a few copies while you're at it, and write them to DVDs, DLTs, or some other media.
Finally, do the processing. Here are some ideas:
Write all zeros to the drive, then put it back in the car. Drive around for set intervals of time (100 minutes, 200 minutes, etc.) then pull the data from the drive to see how much was filled up. (Hint: it's from the start of the drive to where the long string of zeros starts.) Try it with minimal noise, try it with talking, and try it with music.
Run 'file' or 'strings' on the image. Try catting it to your sound device. Plot the data in both 2D and 3D and look for any patterns. (Encrypted data shouldn't have any.)
Re:Things to try (Score:1, Informative)
Re:Things to try (Score:1)
Plot the data and look for patterns, yes. (Score:4, Interesting)
Grab a few megs from the start of the disk and use sox, the sound exchange [sourceforge.net], to tack audio headers onto it, and try various codec conversions, endian swaps, etc.
There's every chance that the audio chip was interfaced to the drive very simply, as you theorized, without a filesystem. I'm aware of a product which lets you access an ATA device via RS232, it's called the StampDrive [star.net]. As far as I can tell, it's a PICmicro that's been taught a basic subset of the ATA spec, and it acts as a storage broker for any device that can speak async serial.
People who build their own dataloggers have lots of experience with this sort of dirt-cheap interfacing. Your audio bug is, after all, just a specialized datalogger. A few minutes with a search engine should find plenty of info on the subject.
Post back with any success stories.
might not work... (Score:2)
Exact same thing happened to me. (Score:4, Informative)
No, really.
Re:Exact same thing happened to me. (Score:4, Funny)
only how long? (Score:2)
Check for UFS... (Score:1)
Destroy it! (Score:2)
Personally I would physically destroy it. As in place it in a crucible and turn it into a sculpture of something else.
The FBI can read disks after being erased 7 times. (Or so they have admitted. Technology has changed since then so I don't know what the current abilities are) SRM (secure rm, google it) might be able to do something, but when the police are after me I wouldn't trust it.
Note when I say destroy it, I don't mean you do it. I mean she should do this. You don't want to be charged with
Re:Destroy it! (Score:2)
B) Assuming they can, destroy it in some other way.
Re:Destroy it! (Score:1)
Re:Destroy it! (Score:2)
When you overwrite data, it flips the majority of the molecules, but not all of them. If you read the drive at a higher resolution than the drive head uses, you can determine the sectors and also what may have been previously written due to statistical analysis of the ratios of orientations.
I coul
Re:Destroy it! (Score:1)
Re:Destroy it! (Score:2)
Thus using special hardware, they could technically recover not only data written previously... but data written onto the disk many times before that.
Re:Destroy it! (Score:2)
If you apply a consistent effect (say, erasing) to a magnetic disk, the patterns that were there before might still be distinguishable with the proper technology. If the effect is randomized, this becomes much harder.
Writing random data 7 times on a 20GB drive should be a pretty easy process, and not even too time-c
Re:Destroy it! (Score:1)
for pass in 1 2 3 4 5 6 7; do dd if=/dev/urandom of=/dev/hda; done
It's an overnight job at least, and the CPU will run quite hot..
Re:Destroy it! (Score:2)
Is it really audio? (Score:3, Insightful)
Maybe it is some sort of location/gps recorder. The car should not move when turned off, so wiring it to the ignition/accessories circuits makes more sense and the "microphone(s)" were actually gps antennae. Plus, maybe the name on the chip is really "Topo Int" as in short for "topographic intelligence."
I want to know more about how she discovered it. Where was it exactly and what made her decide to look in the first place?
Re:Is it really audio? (Score:2)
Some ideas. (Score:5, Interesting)
Most filesystems store data at the lowest level in a more-or-less raw format on the disk for performance reasons. (on-the-fly compression or encryption is CPU intensive) Even something like ReiserFS would have chunks of recognizable (though perhaps out-of-order) raw audio file visible on the drive. Try feeding the output to your sound card. A good way to do this would be with "SoX" (Sound eXchange, an audio conversion tool for Linux... "apt-get install sox"). SoX comes with "play", a command which basically just sends data to the sound card, and for raw data allows you to specify what format (8 bit or 16 bit? 22khz or 48khz?) it should play the audio at. Also if you suspect something other than 8 or 16 bit, try bitshifting the sample a couple times so that the first sample begins on a byte boundary.
Another useful tool is called "ent", which applies a number of entropy tests to a sample. True raw audio data should have only some entropy. Blank filesystem structure should have almost no entropy. Encrypted or very highly compressed data will appear to be almost entirely entropy. ("apt-get install ent" on Debian or Knoppix)
You could analyse the drive in chunks to see how much is filled with medium entropy (uncompressed audio), how much is high entropy (encrypted or compressed data) and how much has almost no entropy (empty space), and using this statistic in conjunction with any info you can find on the sample rate and number of bits from the chip, calculate how much audio is stored on the drive, and thus how long it has been installed.
I've seen that "line-drawing" before. It is probably just your BIOS telling you it can't find a boot sector on the drive. (which isn't terribly surprising) But if the people who made the device were particularly nefarious, it could be a fake splash screen which only *looks* like your BIOS, at which you must enter the secret code to proceed into the true playback application. (But that's almost too far-fetched to be a possibility. almost...) If you really wanted to eliminate that possibility, you would use hexedit (apt-get install hexedit) to look at the first sector for the magic number. it should be at the end of the sector (offset of 512k minus 4 I think), but I can't remember off the top of my head what the magic number is supposed to be for bootable i386 media. If the magic number is not there, that splash screen is just your BIOS. (Also a good way to check for stealth-boot-sector viruses. >:-} )
Anyway, good luck, and I hope you have firm legal ground to stand on where you are. Be careful. Angry Feds are not a pleasant thing.
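The chunked entropy survey sketched in the "Some ideas." post above (and the "look for patterns, encrypted data shouldn't have any" suggestion in "Things to try"), written out as an added example that is not code from the thread. The disk image is a constructed in-memory stand-in for what dd would produce, and the 8 kHz / 8-bit / mono PCM parameters behind the duration estimate are assumptions to be replaced with the audio chip's real figures.

```python
"""Entropy survey of a raw disk image, following the approach in the
"Some ideas." and "Things to try" posts.  Added example, not code from the
thread; the image here is a constructed in-memory stand-in for the output
of 'dd if=/dev/hdb of=image.bin', and the 8 kHz / 8-bit / mono PCM
parameters used for the duration estimate are assumptions."""
import math
import os
from collections import Counter

CHUNK = 4096  # analysis window in bytes (assumption; any size works)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(h: float) -> str:
    """Bucket a window the way the post suggests."""
    if h < 1.0:
        return "empty"   # zeros / near-constant filler: never written
    if h < 7.0:
        return "audio"   # structured but not random, e.g. raw PCM
    return "dense"       # compressed or encrypted: near 8 bits per byte


def survey(image: bytes, chunk: int = CHUNK) -> dict:
    """Total bytes per class over the whole image."""
    totals = {"empty": 0, "audio": 0, "dense": 0}
    for off in range(0, len(image), chunk):
        piece = image[off:off + chunk]
        totals[classify(shannon_entropy(piece))] += len(piece)
    return totals


def audio_seconds(n_bytes: int, rate: int = 8000, bits: int = 8,
                  channels: int = 1) -> float:
    """Seconds of raw PCM held in n_bytes; the defaults are assumptions,
    to be replaced with whatever the audio chip's datasheet gives."""
    return n_bytes / (rate * (bits // 8) * channels)


def has_boot_signature(image: bytes) -> bool:
    """True if sector 0 ends in the 0x55 0xAA signature (bytes 510-511)
    that a BIOS looks for before it will try to boot the drive."""
    return len(image) >= 512 and image[510:512] == b"\x55\xaa"


def fake_pcm(n_samples: int, rate: int = 8000) -> bytes:
    """Constructed 8-bit unsigned PCM: a 440 Hz tone, amplitude 40."""
    return bytes(int(128 + 40 * math.sin(2 * math.pi * 440 * i / rate))
                 for i in range(n_samples))


# Constructed image: 3 windows of audio, 1 of random bytes, 4 never written.
SAMPLE_IMAGE = fake_pcm(3 * CHUNK) + os.urandom(CHUNK) + b"\x00" * (4 * CHUNK)

if __name__ == "__main__":
    totals = survey(SAMPLE_IMAGE)
    print("bytes per class:", totals)
    print("estimated recording: %.3f s" % audio_seconds(totals["audio"]))
    print("boot signature present:", has_boot_signature(SAMPLE_IMAGE))
```

On a real image the "empty" total tells you where the recording stops, the "audio" total divided by the chip's byte rate gives the recorded duration, and a drive that is "dense" end to end is the compressed-or-encrypted case the post warns about.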
Re:Some ideas. (Score:2)
Lo-Jack (Score:1, Funny)
Does your car start anymore? (Score:2)
When the dealer gets the flag based on your VIN, then he proceeds to replace it.
Failed due process on Computing Forensic (Score:4, Interesting)
Never power up a suspected drive. Always treat it as a computing forensic evidence and process it accordingly.
Boot partition checkout (try all 18 of them). If that fails, entropy is the first stage of resolution.
Partition identification will take you a long way.
Only google on Topoint is in mainland China,
Check out http://www.topoint.com.cn/
wouldn't it follow... (Score:1)
You might want to be looking more places than those small platters right now....
Get a lawyer. (Score:3, Insightful)
No, no, not later. Not in a couple of days. Close your browser window right now and go talk to a lawyer before you wind up spending five-to-ten in Federal pound-me-in-the-ass prison.
What are you, mental?
Do you have any idea how few eavesdropping devices are planted each year? Do you have any idea how much legal rigamarole law-enforcement has to do to actually do a B&E and plant bugs? We already know law-enforcement cares enough about the situation to do God knows how much paperwork: do you think they'll just say "oh, good catch, you got us, don't worry, you can go free"?
And then, to make matters worse, you post on Slashdot where you acknowledge that you know the material is evidence in an ongoing investigation and ask for help in tampering with it?
Let me say this one more time: you are not 1337. You are not too cool for school. You are not immune to prosecution.
At some point they're going to want that information. They're going to discover that it's been removed from the car. At that point, they know they don't need to be subtle--someone already knows they were bugging. So they're going to haul in your friend and point out just how long five years in a Federal penitentiary is, and they're going to ask her--probably her, directly, since if she's anything like you she's dumb enough not to want a lawyer present--what she did with it. If she cooperates, they'll play nice. If she doesn't, well... hey. One more conviction in the old win-loss book is always a good thing.
And then they're going to come after you. And when they get to you, you're not going to have anyone you can rat out on. You're going to be left holding the Fuck-Me-Harder bag.
Get a lawyer right now. Not later. Not in an hour. RIGHT. NOW.
And grow up, while you're at it.
Re:Get a lawyer. (Score:1)
"Federal penitentiary"
THEY'RE NOT IN THE US!
Re:Get a lawyer. (Score:2)
Somehow I don't think "right now" is really a suitable option...
Re:Get a lawyer. (Score:2)
They are not in the US (Score:2)
Or did you think that the entire world was on EST?
Re:They are not in the US (Score:2)
Re:Get a lawyer. (Score:2)
Re:Get a lawyer. (Score:2)
You're the worst type of citizen: you find something unknown and unlabelled on your property, and you assume your own lack of rights and the need to pay money to consult legal advice. What kind of society does that build?
Honestly, you find something in your house, in/on your property, etc, and it is unlabelled, unmarked -- there's absolutely no reason to assume, or defer, to the fact that it may be official.
What the poster should do is not tamper with it: simply take it off, and store it somewhere (prefer
Re:Get a lawyer. (Score:3, Insightful)
Now let's say that the AC posting this story lives in an enlightened country, he will end up in front of a judge and jury here before long. You don't screw around with investigations.
Do /. editors understand English??? (Score:1)
Billy
Nobody So Far Has Asked The Right Question (Score:2)
WHY WAS YOUR FRIEND BEING BUGGED?
Getting something done like this is not easy and whoever planted the listening device in your friends car went to a load of trouble just to hear her conversations. Government authorities do not bug people just for fun, so what is it that your friend has done to make the Feds (or whoever they are) notice h
Play the contents of the disk as raw data... (Score:3, Interesting)
The ear and brain are very good at hearing patterns and extracting information.
In the days of analog "scrambling" it turned out that it was extremely difficult to scramble speech in such a way as to make it unrecognizable; all sorts of plausible-sounding signal transformations could be interpreted by ear with practice.
It's worth a try. At the beginning, don't spend a lot of time trying to figure out whether you're decoding it properly. Just do _something_ that will get data off the disk and into a speaker _quickly_ and listen to samples.
Re:Thankfully this was a non-US bug . . . (Score:2)
Actually - it is about circumventing copy control.
He's looking to 'decrypt' what is probably encrypted audio or an encrypted filesystem entirely. Sklyarov merely 'decrypted' ROT13 and was thrown in prison for it. I'm sure the fuggin POLICE and/or their sneaky-ass surveillance contractor OEM would have no problem doing the same to someone who broke their tap's encryption and posted directions on how to do it. I don't agree with the DMCA on this (if it's yo