OT: Pinging computer experts



RPease
04-16-2010, 11:13 PM
I got into this "discussion" with a guy the other day about how forensic scientists (like on CSI Miami) solve crimes that pertain to computers. Crimes like software theft, internet porn, hacking, etc.

We got on the subject of "storing data" on disks and he claims that "if" you save a video file (photo, video, or even a "data" file) to a disk (CD or DVD) from "any computer", that someone (say a forensic scientist or other computer expert) can "analyze" the disk and determine what computer that file came from.

This would be based on the premise that each computer puts some type of "code" or "identifier" onto storage media whenever data is saved to that storage device.

The disk wouldn't have "any" external identifier.......like a name........or fingerprints on it to identify the person or source. The storage device would somehow have to be traced back to a particular computer..........and based on the fact that the computer was located in the "perpetrators" home the "good guys" would obtain sufficient evidence to tie the crime to that person and ultimately "nail the guy".

Like they always seem to do on TV............:D

I agreed (with this guy) that our computer technology was probably advanced enough to do something like that..........but I doubted that it would be "legal" (from a personal privacy standpoint) for that to be allowed. Why would the computer manufacturers want to allow such a "tag" to be automatically deposited on every disk that was used on their computer........even IF it was possible??

Anyone have any knowledge on this subject?? Do I need to tell this guy that he's correct?? If he is.............he's sure to "gloat" for at least a week.

BTW..........I bet a coffee and donut on the deal.........So this is "real" important to me..........LOL

Thank much.............Rodg

Ken_Shea
04-16-2010, 11:20 PM
Interesting,
Without knowing, my suspicion is that it is true or partially true and will be increasingly true over time.

Some printers now print ID code on every page printed that is traceable back to a manufacturer, then traceable to the distributor and finally to the end user, much like serial numbers on firearms.

Ken

dp
04-16-2010, 11:24 PM
It is possible and for the same reason a Microsoft Word document can be traced to a particular system. Each modern system has a hardware unique identifier in it and that can be included in saved files if the software vendor chooses to include it. Here's a site that shows how unique IDs can be collected from hardware: http://www.vcskicks.com/hardware_id.php

Disks have a WWID (world wide id) in them that is guaranteed unique in the world. We use them to match large storage area network array devices to a specific system using a method called zoning. Zoning builds a table between WWIDs on the system and the array to complete a logical connection. Rather similar to the IP address each network node has. http://en.wikipedia.org/wiki/World_Wide_Name

Liger Zero
04-16-2010, 11:35 PM
If I blow up a former employer with my giant invisible robot and kill everyone who escapes with ninjas... then I take pictures of the crime with my camera... and I put those pictures on an SD card... can they look at the SD card, discover it was inserted into XXX camera that was purchased at Walmart with my card... while also determining it was used on my laptop as well (where I uploaded the photos to Practical Machinist)?

Can they determine that all from me dropping the SD card at the crime scene and reading some unique code embedded in the data?


If so, I might not be on for awhile. :o

rkepler
04-16-2010, 11:37 PM
If systems put any sort of ID in the file it would only apply to the first system and not to any subsequent systems; otherwise the files would not compare as identical unless the software removed the ID. That being said, images from cameras often have a lot of additional data (see EXIF) that will allow you to identify the camera and settings used - but if the camera is not held by the original owner who registered the camera that's not going to help a lot.

Many digital printers and copiers embed a code in the printed image that can be tracked back to the printer/copier. Again, registration would be a problem.

So, given a file without any supporting data (browser history, logs, etc.) the answer is no, you can't figure out what system it came from. Nor can you infinitely expand a digital image to read a license plate that was a single pixel in the original image. DNA data takes several days to generate, mtDNA doesn't describe an individual, striations on a bullet can change significantly over even a dozen shots.
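
The EXIF point above is the one thing in this thread a forensic examiner would actually check first, so here is an added example of what it looks like in code. This is editor's code, not something posted by rkepler or anyone else in the thread: it builds a skeleton JPEG inline (an APP1/Exif segment in front of a stub scan, no real picture data) with a made-up camera name, reads the Make and Model tags back out of the TIFF directory the way a metadata tool would, and then strips the APP1 segment to show that the image data itself is untouched by the removal.

```python
"""Read and strip the maker tags a camera writes into a JPEG's EXIF segment.

Added example for this thread, not code from any poster. The JPEG is constructed
inline (SOI, one APP1/Exif segment, a stub SOS header, EOI; no real picture data)
so it runs offline, and the camera name "ExampleCam X-1" is made up.
"""
import struct

# IFD0 tag numbers from the TIFF/EXIF specification.
TAG_MAKE, TAG_MODEL = 0x010F, 0x0110
TAG_NAMES = {TAG_MAKE: "Make", TAG_MODEL: "Model"}
ASCII = 2  # TIFF field type for NUL-terminated strings


def build_exif_app1(make: str, model: str) -> bytes:
    """Build an APP1 segment holding a little-endian TIFF whose IFD0 has Make and Model."""
    values = [(TAG_MAKE, make.encode() + b"\0"), (TAG_MODEL, model.encode() + b"\0")]
    # IFD0 starts at TIFF offset 8: 2-byte count, 12 bytes per entry, 4-byte next-IFD link.
    data_off = 8 + 2 + 12 * len(values) + 4
    ifd, tail = struct.pack("<H", len(values)), b""
    for tag, s in values:
        if len(s) <= 4:  # TIFF rule: values of 4 bytes or fewer live inside the entry itself
            ifd += struct.pack("<HHI", tag, ASCII, len(s)) + s.ljust(4, b"\0")
        else:            # longer values are stored after the IFD and referenced by offset
            ifd += struct.pack("<HHII", tag, ASCII, len(s), data_off)
            data_off += len(s)
            tail += s
    ifd += struct.pack("<I", 0)  # no IFD1 (no thumbnail)
    payload = b"Exif\0\0" + b"II*\0" + struct.pack("<I", 8) + ifd + tail
    return b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload


def build_jpeg(app1: bytes = b"") -> bytes:
    """Constructed skeleton JPEG: SOI, optional APP1, a 6-byte SOS header, 3 bytes of fake scan data, EOI."""
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app1 + sos + b"\x12\x34\x56" + b"\xff\xd9"


def iter_segments(jpeg: bytes):
    """Yield (marker, raw_segment) for each marker segment up to and including the SOS header."""
    pos = 2  # skip SOI, which has no length field
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos:pos + 2 + length]
        if marker == 0xDA:  # entropy-coded data follows SOS; it is not length-prefixed
            return
        pos += 2 + length


def read_exif_tags(jpeg: bytes) -> dict:
    """Return {'Make': ..., 'Model': ...} from IFD0 of the first Exif APP1 segment, or {} if none."""
    for marker, seg in iter_segments(jpeg):
        if marker != 0xE1 or seg[4:10] != b"Exif\0\0":
            continue
        tiff = seg[10:]
        end = "<" if tiff[:2] == b"II" else ">"  # byte order declared by the TIFF header
        ifd0 = struct.unpack(end + "I", tiff[4:8])[0]
        count = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])[0]
        tags = {}
        for i in range(count):
            entry = tiff[ifd0 + 2 + 12 * i: ifd0 + 14 + 12 * i]
            tag, typ, n, off = struct.unpack(end + "HHII", entry)
            if tag in TAG_NAMES and typ == ASCII:
                raw = entry[8:12] if n <= 4 else tiff[off:off + n]
                tags[TAG_NAMES[tag]] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        return tags
    return {}


def strip_exif(jpeg: bytes) -> bytes:
    """Copy the JPEG without any APP1 segment; the scan data is carried over byte-for-byte."""
    out, pos = bytearray(b"\xff\xd8"), 2
    for marker, seg in iter_segments(jpeg):
        pos += len(seg)
        if marker != 0xE1:
            out += seg
    return bytes(out) + jpeg[pos:]  # everything after the SOS header, through EOI


if __name__ == "__main__":
    tagged = build_jpeg(build_exif_app1("ExampleCam", "X-1"))
    print(read_exif_tags(tagged))               # {'Make': 'ExampleCam', 'Model': 'X-1'}
    print(read_exif_tags(strip_exif(tagged)))   # {}
```

Note what the Make/Model tags do and do not give you: they name the camera model, not the unit, and the serial number tags some makers write are optional. A stripped copy is byte-identical to a photo that never had the segment, which is the same reason a file copied between machines cannot pick up a "computer ID" along the way.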

Tony Ennis
04-16-2010, 11:38 PM
(say a forensic scientist or other computer expert) can "analyze" the disk and determine what computer that file came from.

False in general. Some software, like Microsoft Office if memory serves, stamps a code in the files that allows Microsoft to know the license with which the creating software was registered. This doesn't exactly identify a person or a computer. But other identifying information is in the file - author, date, etc. That being said, if I receive a Word file and don't open it, it's hard to see how it would be stamped with some sort of an ID that identifies me.

While it is certainly possible, security watchdogs would be all over this.

In short, files made with registered software probably have the license key slammed in it somewhere. Other files such as text documents and images, do not.

-=-=-
I don't know that computers have immutable numbers on them. The MAC address might be pretty close however. Every so often, to reduce your traceability, you'd throw your network card in the dumpster and install a new one.

dp
04-16-2010, 11:39 PM
If I blow up a former employer with my giant invisible robot and kill everyone who escapes with ninjas... then I take pictures of the crime with my camera...

If the camera also has a gps (like a cell phone camera) they can put your phone at the crime scene, too. I'd be inclined to claim Barney Frank stole it.

Ken_Shea
04-16-2010, 11:40 PM
If I blow up a former employer with my giant invisible robot and kill everyone who escapes with ninjas... then I take pictures of the crime with my camera... and I put those pictures on an SD card... can they look at the SD card, discover it was inserted into XXX camera that was purchased at Walmart with my card... while also determining it was used on my laptop as well (where I uploaded the photos to Practical Machinist)?

Can they determine that all from me dropping the SD card at the crime scene and reading some unique code embedded in the data?



If so, I might not be on for awhile. :o

Depends on the company, what company was it that you work for :D

dp
04-16-2010, 11:42 PM
I don't know that computers have immutable numbers on them. The MAC address might be pretty close however. Every so often, to reduce your traceability, you'd throw your network card in the dumpster and install a new one.

The Apple Mac (not MAC) hardware ID is used by the OS to identify if the machine the Mac OS is running on is Apple hardware. If not the OS won't run. There are hacks to get around that, of course.

Intel CPUs also have unique IDs that can be extracted.

EDIT: This information can be extracted and used in a theft tool. This is simple software that runs at each startup, uses the machine's camera if one is available, gathers the IP, a traceroute from where it is to some specified target, and any other information that is forensically useful, bundles it up and sends it via email to where ever you like. That you hand over to the police and wait for the arrest and recovery.

RPease
04-16-2010, 11:53 PM
So far.......I'd say my coffee and donut are "safe". Afterall, I agreed with the guy that it "might be possible".............I just didn't accept the fact that it's currently being done.

I think he's going to have to prove (to me) that computers are currently set up to leave the ID on a disk...........

I still like CSI Miami.............especially the tall brunette Natalia (Eva La Rue)..........now that's a "forensic scientist"........Calleigh isn't bad either......;)

Rodg

dp
04-17-2010, 12:04 AM
I think he's going to have to prove (to me) that computers are currently set up to leave the ID on a disk...........


Have a look at this:

http://office.microsoft.com/en-us/products/FX101153491033.aspx?mode=print

Pete F
04-17-2010, 12:07 AM
The MAC address might be pretty close however.


The Mac hardware ID is used by the OS to identify if the machine the Mac OS is running on is Apple hardware.

I think you are talking about two different things. MAC address (Media Access Control) doesn't have anything to do with Macintoshes, except that Macs have MACs.

Dennis, you probably already know this, in which case I'm just pointing out that your response is a bit confusing.

-Pete

dp
04-17-2010, 12:24 AM
I think you are talking about two different things. MAC address (Media Access Control) doesn't have anything to do with Macintoshes, except that Macs have MACs.

Dennis, you probably already know this, in which case I'm just pointing out that your response is a bit confusing.

-Pete

The Mac I refer to is the Mac computer from Apple. The network hardware has a MAC (media access control) address. All Macs have a MAC but also have a chip on the mother board that is a unique hardware identifier. My OS X server will install only on the Mac Mini Server and it polls the hardware to enforce this. It won't even install on the Mac Mini Server as a virtual machine.

I tweaked the original post to hopefully clear up the confusion with Mac and MAC.

danlb
04-17-2010, 01:26 AM
Almost nothing that you see on TV works as well or as easy as they make it seem. The tracking you mention is just a rumor. It's good for convincing folks to confess.


While there are hardware IDs such as the MAC address for your ethernet card, and CPU serial numbers, these things are not commonly stored in files.

When you copy a file from one system to another the file has to remain the same. That's the beauty of digital copies. They remain the same no matter how many times you copy it. The whole concept of checksums is to verify that the file is unchanged.

There are some programs that may leave tracks, but they do that when you use it to change a file. Photo editors, word processors and others may change the file contents.

I've copied thousands and thousands of files from unix systems to windows to mac and back. I've verified the files are the same after the transfer, and none (assuming proper transfer) have ever had extra information added.

BTW, MAC addresses can often be changed. It's just written to the EPROM. You can change a disk id when you flash it too. I'm not sure about the CPU id, but you can turn it off in some OSes.



Dan

dp
04-17-2010, 02:30 AM
Almost nothing that you see on TV works as well or as easy as they make it seem. The tracking you mention is just a rumor. It's good for convincing folks to confess.

Yeah, right. Just a rumor.

http://www.philly.com/philly/news/20100415_Lawyer__Laptops_took_thousands_of_photos.html

Astronowanabe
04-17-2010, 03:33 AM
Even if true for bloated formats from MS or Adobe that squirrel away bits of data unrelated to what you are doing,
in real life they haven't got "plain text" working right yet,
i.e. we still see funny chars and question marks in what should be regular text.

You can also bet your cuppa that if some big company thinks it will do something
half clever like that, there are a hundred thousand smelly adolescents in their parents' basements and, instead of building things with lathes & mills, some will be figuring out ways to defeat it.

the creativity has not *all* gone away, just found new outlets

cuemaker
04-17-2010, 07:56 AM
I happen to know a computer forensics technician that works for some governmental office...I can't remember who he works for, State or Fed.... His exact job is to recover information.

I will ask him.

Tony Ennis
04-17-2010, 08:20 AM
Data recovery is a different issue. When a file is deleted, it isn't really deleted, usually. Instead, for the sake of efficiency, it is thrown on the "available disk space" heap. The OS doles it out in chunks when we use more disk space. While not often whole, data can be recovered trivially by cruising this data structure. In addition, common actions (such as reading an email) can cause a file to be copied many times. This leaves copies of itself throughout the 'available space' heap, increasing the chances that the file can be "recovered."

In some cases truly overwritten data can still be read by special equipment. Apparently some residual magnetization remains.
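
The recovery Tony describes, pulling a deleted file back out of the "available space" heap, is done in practice by scanning the raw disk for file signatures rather than trusting the filesystem. As an added example (editor's code, not anything posted in this thread), the script below builds a constructed chunk of free space containing two JPEG-shaped blobs and one whose tail was overwritten, then carves the intact ones back out by their start and end markers. The "disk image", the blobs and the filler are all made up; the filler deliberately contains no 0xFF bytes so it cannot fake a marker.

```python
"""Carve JPEG files out of unallocated disk space by file signature.

Added example for this thread, not code from any poster. The "disk image" is a
constructed byte string: random filler standing in for free sectors, with two
complete JPEG-shaped blobs and one whose tail was overwritten. None are real
pictures; the filler avoids 0xFF so it cannot produce false markers by accident.
"""
import hashlib
import random

SOI = b"\xff\xd8\xff"  # start-of-image, always followed by another marker byte
EOI = b"\xff\xd9"      # end-of-image


def build_disk_image(seed: int = 1):
    """Return (image, [intact files]) for a constructed chunk of free space."""
    rng = random.Random(seed)

    def filler(n: int) -> bytes:
        return bytes(rng.randrange(0, 0xFE) for _ in range(n))

    def photo(body: bytes) -> bytes:
        return b"\xff\xd8\xff\xe0" + body + b"\xff\xd9"

    first = photo(b"JFIF" + filler(200))
    second = photo(b"JFIF" + filler(300))
    torn = b"\xff\xd8\xff\xe0" + b"JFIF" + filler(50)  # header survived, the rest was overwritten
    image = filler(512) + first + filler(1024) + torn + filler(700) + second + filler(256)
    return image, [first, second]


def carve_jpegs(image: bytes, max_size: int = 1 << 24):
    """Return [(offset, data, sha256)] for every SOI..EOI run in the image.

    Every byte is scanned, not just allocated clusters, so a file whose directory entry
    was removed but whose data was not yet reused comes back too. An SOI that is followed
    by another SOI before any EOI is treated as a torn file and skipped, rather than being
    allowed to swallow the next picture. A nested EXIF thumbnail would trip that rule,
    which is why production carvers parse JPEG structure instead of matching trailers.
    """
    found, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            break
        limit = start + max_size
        end = image.find(EOI, start + 4, limit)
        nxt = image.find(SOI, start + 4, limit)
        if end < 0 or (0 <= nxt < end):
            pos = nxt if nxt >= 0 else start + 4  # torn file: resume at the next header
            continue
        data = image[start:end + 2]
        found.append((start, data, hashlib.sha256(data).hexdigest()))
        pos = end + 2
    return found


if __name__ == "__main__":
    disk, originals = build_disk_image()
    for offset, data, digest in carve_jpegs(disk):
        print(f"offset {offset}: {len(data)} bytes sha256={digest[:16]}...")
```

The hash per carved file is what you would compare against a known picture (or a copy found on another device); the offset tells you where on the medium it sat. Real tools add per-format structure checks and handle fragmented files, neither of which this toy does.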

Liger Zero
04-17-2010, 10:55 AM
Depends on the company, what company was it that you work for :D

Actually the one in question, that we're discussing on PM... If something was to happen to them hundreds of former disgruntled workers would arrive on scene with buckets of petrol to throw on the flames... never mind that it's over $3 a gallon. :D

Anyway back to the discussion... Stuff like this that "might" be possible is enough to keep me honest (that and my inherent sense of right and wrong.) It's like the RFID/magnatags they use at Walmart. Less than 1% of merchandise is tagged but you honestly don't KNOW what is tagged at any given point. That pair of socks... might be tagged. Better to spend $3 and enjoy them honestly than to go to prison and get laughed at by the other criminals.

lazlo
04-17-2010, 11:07 AM
Unless the creator puts information in the file properties (which is completely optional), there's absolutely no way to track where the file came from.

Yes, there's a meta-data field on jpeg files where you can store Geotag data, user comments, etc, but presumably if you're taking pictures of something you're not supposed to, you wouldn't fill in those entries :)

Intel learned the hard way with the Processor Serial Number debacle on the Pentium 3s that consumers do not want to be uniquely identified. That's why Microsoft has to go through back-flips with hashing all the hardware IDs in your system to associate that hardware with that license.

Dennis is correct that the TPM chip on the Mac motherboards contains a unique identifier. But unless Jerry Bruckheimer convinced Apple to tag every document/image on OSX with the TPM root key, you're safe :D

RPease
04-17-2010, 10:18 PM
Thanks all............I'll still wait for the guy to prove that computers have that ability...........I'll probably bring in donuts anyway..........just to show my "good will".

Cuemaker..........If you do find out something, I'd appreciate a note........I'm still curious. Not to the extent or ambitions of Liger Zero..........but then I've never been that ambitious...........;)

Thanks again..........

Rodg

dp
04-17-2010, 10:51 PM
Dennis is correct that the TPM chip on the Mac motherboards contains a unique identifier. But unless Jerry Bruckheimer convinced Apple to tag every document/image on OSX with the TPM root key, you're safe :D

Microsoft was actually doing that (Win98 era) and the world raised such a stink they rewrote the privacy section of the EULA for Office swearing they don't track "specific" hardware. But they do know, somehow, if you've exceeded your acceptable number of product activations.

Paul Alciatore
04-18-2010, 03:20 AM
I can't say if this is so for any type of file, but it is certainly not true for some. Just yesterday I examined some text files with a program called "Tiny Hexer". It displays the entire contents of a file, of any file, byte by byte, in both hexadecimal and ASCII. A text file created by Notepad has exactly what you type, no more and no less. Not even any header information. I would assume that there is an "end of file" character to let the reading program know when to stop. But that's it.

If you want to see exactly what is in a file, try "Tiny Hexer", it is free.

Your Old Dog
04-18-2010, 08:35 AM
If I blow up a former employer with my giant invisible robot and kill everyone who escapes with ninjas... then I take pictures of the crime with my camera... and I put those pictures on an SD card... can they look at the SD card, discover it was inserted into XXX camera that was purchased at Walmart with my card... while also determining it was used on my laptop as well (where I uploaded the photos to Practical Machinist)?

Can they determine that all from me dropping the SD card at the crime scene and reading some unique code embedded in the data?


If so, I might not be on for awhile. :o

Yea, they can do it. In fact they did it last week on CSI Las Vegas. Marg Helgenberger did that very thing in two minutes time on her Blackberry while standing over the victims. Does she look good or what? Worth every penny of the $350,000 per episode she gets :D

andy_b
04-18-2010, 09:47 AM
Unless the creator puts information in the file properties (which is completely optional), there's absolutely no way to track where the file came from.

Yes, there's a meta-data field on jpeg files where you can store Geotag data, user comments, etc, but presumably if you're taking pictures of something you're not supposed to, you wouldn't fill in those entries :)



Look in the Properties tab of any file created in any MS software, and it will have several items identifying the original hardware the file was created on or modified on. And this is the info that MS makes it EASY for you to find, not the hidden crap. It is even possible to pull out previous revisions to the file (especially in Word) that do not show up anywhere unless you know how to look for them. Believe me, it is entirely possible to trace a file back to the hardware it was created on. That is why you want to create your "Anarchy Manifesto" on your local public school's computer in their library or common area, and not at home on your PC. :)

Oh, and color printers have been printing their serial numbers on printouts for almost as long as color printers have been around. The serial number is encoded in a series of colored dots that again, are only there in the printout if you know what to look for.

The most secure method of communication is the same as it has been for 1000s of years, in person and verbal. Anything else is traceable.

andy b.

lazlo
04-18-2010, 11:26 AM
Look in the Properties tab of any file created in any MS software, and it will have several items identifying the original hardware the file was created on or modified on.

Just because you're paranoid doesn't mean they aren't after you. :p

I just created a Word document, Office 2007 was nice enough to add a "Privacy Inspector" to see meta-data that's unique to this document:

http://i164.photobucket.com/albums/u15/rtgeorge_album/Windows2007Properites.png

...and here are the document properties. If I want CSI to find me, I'd have to fill out my address :)

http://i164.photobucket.com/albums/u15/rtgeorge_album/Word2007PropertiesII.png

Like Paul says, if you're truly paranoid, open up the file in a hex editor and inspect the document. Unless you specifically tag the file yourself, a document is untraceable.

Then again, you can't scan all the fingerprint databases in North America in 30 seconds. In fact, the FBI, Federal, state and local fingerprint databases aren't even joined.
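
Since andy_b's and lazlo's posts disagree about what an Office file carries, here is an added example (editor's code, not anything posted in the thread) that settles it by reading the parts directly. A .docx is a zip; the document properties live in docProps/core.xml (creator, last modified by, revision count, created/modified timestamps) and docProps/app.xml (application name, company, total editing time). Those parts define no field for a hardware identifier, which matches lazlo's screenshots; the one historical exception worth knowing is the old binary .doc format, where Office 97 stored a GUID derived from the machine's network card MAC address until Microsoft patched it in 1999, which is presumably what dp's "Win98 era" remark refers to. The script builds a minimal package in memory with a made-up author, company and dates, lists those fields, and writes a scrubbed copy with the person and company fields blanked.

```python
"""Inspect and scrub the document properties inside an Office Open XML (.docx) file.

Added example for this thread, not code from any poster. The .docx is built in
memory with only the parts this script reads (a stub word/document.xml and the two
docProps parts); the author, company and dates in it are made up.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():  # keep the conventional prefixes when re-serialising
    ET.register_namespace("" if _prefix == "ep" else _prefix, _uri)

# Constructed sample parts. A real package also has [Content_Types].xml and _rels/;
# they are omitted here because nothing below reads them.
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="{NS['xsi']}">
<dc:creator>Jane Example</dc:creator><cp:lastModifiedBy>SHOP-PC\\jane</cp:lastModifiedBy>
<cp:revision>7</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2010-04-16T22:01:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2010-04-17T03:44:00Z</dcterms:modified>
</cp:coreProperties>"""
APP_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{NS['ep']}"><Application>Microsoft Office Word</Application>
<Company>Example Machine Works</Company><TotalTime>95</TotalTime></Properties>"""
DOCUMENT_XML = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body><w:p><w:r><w:t>Hello</w:t></w:r></w:p></w:body></w:document>')

CORE_FIELDS = {"creator": "dc:creator", "lastModifiedBy": "cp:lastModifiedBy", "revision": "cp:revision",
               "created": "dcterms:created", "modified": "dcterms:modified"}
APP_FIELDS = ("Application", "Company", "TotalTime")


def build_docx() -> bytes:
    """Write the three constructed parts into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def read_properties(docx: bytes) -> dict:
    """Collect the identifying fields Word shows in its Properties panel, plus a few it does not."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in CORE_FIELDS.items():
                el = core.find(path, NS)
                if el is not None:
                    props[key] = el.text
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            for key in APP_FIELDS:
                el = app.find(f"ep:{key}", NS)
                if el is not None:
                    props[key] = el.text
    return props


def scrub_properties(docx: bytes) -> bytes:
    """Blank the person/company fields and reset the edit counters; copy every other part unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                core = ET.fromstring(data)
                for path in ("dc:creator", "cp:lastModifiedBy"):
                    el = core.find(path, NS)
                    if el is not None:
                        el.text = None
                rev = core.find("cp:revision", NS)
                if rev is not None:
                    rev.text = "1"
                data = ET.tostring(core, encoding="UTF-8", xml_declaration=True)
            elif item.filename == "docProps/app.xml":
                app = ET.fromstring(data)
                company = app.find("ep:Company", NS)
                if company is not None:
                    app.remove(company)
                total = app.find("ep:TotalTime", NS)
                if total is not None:
                    total.text = "0"
                data = ET.tostring(app, encoding="UTF-8", xml_declaration=True)
            # writestr with a bare name also drops the original zip entry timestamps
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_docx()
    print(read_properties(original))
    print(read_properties(scrub_properties(original)))
```

What this does not touch is everything else andy_b alludes to: tracked changes, comments and embedded images inside word/ carry their own author names and EXIF, which is why Word's Document Inspector walks the whole package rather than just docProps.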

BobWarfield
04-18-2010, 11:41 AM
LOL, this is a good one. And yes, its a myth they can track any file with "fingerprints".

One thing to remember is there are a heck of a lot of computer nerds that are seriously paranoid. They have the tools to get in and look at what's going on and they will tell the whole world if they see something out of whack that fits a conspiracy theory.

Doesn't mean there isn't a conspiracy, but it's unlikely to be as broadly available without being discovered.

BTW, the data recovery stuff works great. DAMHIK!

Cheers,

BW

gnm109
04-18-2010, 12:28 PM
This may not be exactly on point but I recall seeing a case on the Forensic show where a fellow was captured with information that traced his computer using the IP address.

He was a murderer and he emailed the police to taunt them with the location of a missing person, a young woman that he had killed. He got a map online, Yahoo or MapQuest - I don't recall exactly, and sent an image of the map to the police along with the email as an attachment.

The police contacted the map company and got a list of IP addresses that had called up a view of the particular area. His IP was the only one that matched the map image that he had sent the police.

Somehow, with the IP, they were able to trace the computer location and the police obtained a search warrant and the man was arrested. I wondered at the time that I saw the show whether that was possible or not. I wouldn't bet that it can't be done.

My personal feeling is that most anything can be traced online if the authorities so desire.

danlb
04-18-2010, 01:32 PM
This may not be exactly on point but I recall seeing a case on the Forensic show where a fellow was captured with information that traced his computer using the IP address.



That only works in a limited number of instances...

In this case, the guy used email. SMTP email (the most common) DOES leave a record of each system that the mail traverses from sender to recipient. It's part of the design. That record is included in the headers as the mail is moved between servers. But that record does not get forwarded when you forward a joke to friends.

In the instance listed above, the IP address was a real one (not a private one), and it remained assigned to the same computer long enough for the authorities to convince the ISP to find someone knowledgeable enough to look up the customer information for the person currently assigned that address. I doubt that they could find someone at Comcast who understood their system well enough to look it up.

They also had to convince the map company to look though their log files to find the search in question. The fact that they logged that information is not too surprising. The fact that they were able to sift through the logs and find that particular query is a surprise.

There are many ways that forensic guy lucked out. If the murderer had done any of the following, he would have gotten away with it.
1) Use a public wireless hot spot like Starbucks.
2) Use an ISP that uses a proxy (a relay) like AOL, Charter, etc.
3) Use an anonymizer for browsing (another proxy, usually off-shore).
4) Use a dial-up (usually dynamic address assignment).
5) Not include a map, or at least edit it so that it loses the meta-information.
6) Use an anonymous remailer.

In addition, if the companies involved did not do a good job of logging information, the trail would have ended. If the ISP's DHCP server was set to reuse addresses aggressively, it might also have thwarted the scientists.


Dan
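
Dan's point about SMTP leaving a record of each system the mail passed through is worth seeing on a real header block. The following is an added example (editor's code, not anything posted in the thread) that parses the Received: lines of a constructed message. Hosts, ids, timestamps and the documentation-range IP addresses are all made up. It reverses the headers into transit order, pulls the IP each relay saw, and then does the one thing that actually matters for evidence: walking the chain from the recipient's end through relays you can vouch for and stopping at the first hand-off from a server you cannot, because the lines below that point were written by machines the sender controlled and can say anything. Run with the recipient's own servers as the trusted set, the trail ends at the ISP's relay, which is exactly why the police in gnm109's story needed the ISP's cooperation to take the last step.

```python
"""Reconstruct the relay path of an e-mail from its Received: headers.

Added example for this thread, not code from any poster. The message is
constructed inline: hosts, documentation-range IP addresses, queue ids and
timestamps are all made up for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.20])
\tby inbox.example.org with ESMTP id 7Ff2bAs; Thu, 15 Apr 2010 09:12:44 -0700
Received: from smtp.isp.example (smtp.isp.example [198.51.100.7])
\tby mx2.example.net with ESMTP id q3GkLmN; Thu, 15 Apr 2010 09:12:41 -0700
Received: from [192.0.2.77] (cust-77.isp.example [192.0.2.77])
\tby smtp.isp.example with ESMTPA id 4XyZ; Thu, 15 Apr 2010 09:12:39 -0700
Message-ID: <20100415161239.abc123@isp.example>
From: nobody <nobody@isp.example>
To: tips@police.example.org
Subject: look here

the map is attached
"""

# "from <host> (<comment>) by <host> ... ; <date>" is the shape of a Received: clause.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s*by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$"
)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_received(raw_message: str) -> list:
    """Return the hops in transit order (oldest first).

    Each MTA prepends its own Received: line, so the header block is newest-first
    and has to be reversed to read as a path."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.match(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        ip = IPV4_RE.search(m.group("comment") or m.group("from"))
        hops.append({"from": m.group("from"), "ip": ip.group(1) if ip else None,
                     "by": m.group("by"), "when": parsedate_to_datetime(m.group("date"))})
    return hops


def last_trusted_handoff(hops: list, trusted: set):
    """Walk the path newest-first through relays we trust and return the IP that handed
    the message to the last trusted one.

    Only Received: lines written by servers you control (or whose logs you can get by
    subpoena) are evidence; anything below them came from machines the sender controlled
    and may be forged outright."""
    for hop in reversed(hops):
        if hop["by"] not in trusted:
            return None  # the chain never reaches a relay we can vouch for
        if hop["from"] not in trusted:
            return hop["ip"]
    return None


if __name__ == "__main__":
    path = parse_received(RAW_MESSAGE)
    for hop in path:
        print(f"{hop['when']:%H:%M:%S}  {hop['from']:<22} ({hop['ip']}) -> {hop['by']}")
    print("recipient can prove:", last_trusted_handoff(path, {"inbox.example.org", "mx2.example.net"}))
    print("with ISP's help:    ", last_trusted_handoff(path, {"inbox.example.org", "mx2.example.net",
                                                               "smtp.isp.example"}))
```

Forwarding, as Dan says, starts a fresh chain: the forwarder's client builds a new message, and the old Received: block survives only if it was pasted into the body or attached as an .eml.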

gnm109
04-18-2010, 02:57 PM
That only works in a limited number of instances...

In this case, the guy used email. SMTP email (the most common) DOES leave a record of each system that the mail traverses from sender to recipient. It's part of the design. That record is included in the headers as the mail is moved between servers. But that record does not get forwarded when you forward a joke to friends.

In the instance listed above, the IP address was a real one (not a private one), and it remained assigned to the same computer long enough for the authorities to convince the ISP to find someone knowledgeable enough to look up the customer information for the person currently assigned that address. I doubt that they could find someone at Comcast who understood their system well enough to look it up.

They also had to convince the map company to look though their log files to find the search in question. The fact that they logged that information is not too surprising. The fact that they were able to sift through the logs and find that particular query is a surprise.

There are many ways that forensic guy lucked out. If the murderer had done any of the following, he would have gotten away with it.
1) Use a public wireless hot spot like Starbucks.
2) Use an ISP that uses a proxy (a relay) like AOL, Charter, etc.
3) Use an anonymizer for browsing (another proxy, usually off-shore).
4) Use a dial-up (usually dynamic address assignment).
5) Not include a map, or at least edit it so that it loses the meta-information.
6) Use an anonymous remailer.

In addition, if the companies involved did not do a good job of logging information, the trail would have ended. If the ISP's DHCP server was set to reuse addresses aggressively, it might also have thwarted the scientists.


Dan

I agree with your take on it. The fact that a computer was used without the items you mention was the key to catching the fool. He wasn't a very smart fellow, however. Most murderers are lacking in some of their understanding of things. In this case, it was computer knowledge.

As to convincing the ISP and the Map company, that would be a piece of cake. They used a subpoena. That will generally work. Had they not responded, the prosecutor could have made a motion to respond and hauled them into court. Most companies don't like to fight too awfully hard when a crook is involved.

Anyway, the fool who sent the Map believed that he was going to be invisible to the recipients and it turned out that he wasn't for the reasons noted.

It will be interesting to see which computer programs the gummint will be using against us when they attempt to start up their "net neutrality" agenda.......

lazlo
04-18-2010, 04:07 PM
It will be interesting to see which computer programs the gummint will be using against us when they attempt to start up their "net neutrality" agenda.......

The Net Neutrality lawsuit has nothing to do with politics. It was a complex case to decide whether the FCC had the authority to require Comcast to provide equal bandwidth to Bittorrent, which is a popular piracy service. The Federal Court ruled that the FCC didn't have authority over Internet services:


Court rules for Comcast over FCC in 'net neutrality' case (http://www.washingtonpost.com/wp-dyn/content/article/2010/04/06/AR2010040600742.html)

A federal appeals court ruled Tuesday that the Federal Communications Commission lacks the authority to force Internet service providers to keep their networks open to all forms of content, throwing into doubt the agency's status as watchdog of the Web.

The FCC has long sought to impose rules requiring Internet providers to offer equal treatment to all Web traffic, a concept known as network neutrality. But in a unanimous decision, the U.S. Court of Appeals for the D.C. Circuit found that the agency lacked the power to stop cable giant Comcast from slowing traffic to a popular file-sharing site.

"Today's ruling is destabilizing, as it could effectively free broadband service providers from FCC regulation over broadband," said Rebecca Arbogast, head of research at Stifel Nicolaus.

The court's decision could prompt the FCC or Congress to write new rules or laws to more concretely establish the agency as a regulator of Internet services. The FCC has intentionally kept its authority over broadband vague, in hopes that looser regulation might spur growth in the market for Internet services. Tighter oversight -- which consumer groups have urged -- would be strongly opposed by companies that operate Internet networks.

The FCC's predicament stems from a 2008 sanction against Comcast for violating the agency's open Internet guidelines, which were meant to force broadband providers to treat all network traffic equally, so as not to put any Web site at a disadvantage. In a 3 to 2 vote, the FCC found that Comcast had improperly slowed traffic to the BitTorrent file-sharing site and urged the company to halt the practice. It did not impose a fine.

In any event, the NSA has been mass scanning everyone's email since 9/11, by Presidential decree:

AT&T Assisting NSA Surveillance (http://www.schneier.com/blog/archives/2006/04/att_assisting_n.html)

dp
04-18-2010, 04:13 PM
The Net Neutrality lawsuit has nothing to do with politics. It was a complex case to decide whether the FCC had the authority to require Comcast to provide equal bandwidth to Bittorrent, which is a popular piracy service. The Federal Court ruled that the FCC didn't have authority over Internet services:

Sometimes they get it right. If the FCC told me I have to support (for example) Bit Torrent as part of my services or even give it equal priority to other services I'd shut my servers down and walk away.

lazlo
04-18-2010, 04:16 PM
Agree completely Dennis.