Clone proof hard drive

Is there anything simple that I can do to a hard drive to make it difficult to clone?

Ideally something hidden, so the hard drive works for the end user, but when they try to make a copy it gives a boot error or similar.

Is it possible to hide files or partitions from Acronis/Ghost?

Thanks.

 

Truecrypt 5.0 has system partition encryption. If you use that it would be stupid for someone to clone it, because the clone they get is useless. Thats the only way, anything else can be bypassed easily.

 

But then, an attacker may want to clone it expecting vulnerabilities in current encryption algorithms to be discovered in a few decades.

 

My younger brother is a policeman in the narcotics/gangs unit and has told me that there are very sophisticated software (s) that dealers use on their machines.

His unit's policy is to have the experts in explosives, first X-ray (or whatever) and check out the machine before disconnecting the computer and have it transferred to the computer forensics lab where very dedicated machines can copy a hard drive even with "super' hidden partitions/files ect.

The lab is a "clean room" with 'white coats' that can carefully and painstakingly check for the most cleaver/devious methods of automatically destroying the entire machine and/or/drives/memory ect.

If a governmental entity wants to get info from your hard drive/machine the odds are in their favor as they can out spend even very wealthy users willing to spend thousands ( and even potentially kill) anyone wanting access to their computers/hard drives.

As for encrypting the contents of a hard drive I imagine that depending on how much they want to "get" you it is just a matter of shipping an image to the appropriate agency to find a "defeat" if possible.

 

Actually, practically any software can copy a hard drive, complete with hidden partitions etc. Its just a matter of doing a sector level copy of the drive, which I think the software even comes with some HDs to help you move data from one drive to another. Its actually being able to do something with those "super hidden partitions/files" etc that comes the challenge, and where things like TrueCrypt come in handy.

And something I discovered, I had 9gb in 4 files in my Temp Directory... Thats definitely given me a new idea for where to hide something if I need to, since a temp directory is practically a Gibson Garbage file. If they find something there that makes no sense, it doesn't necessarily mean its encrypted, just was used for dumping data too.

 

Just make sure that you don't use Windows' Disk Cleanup tool or any cleanup software (like CCleaner) that deletes any files in the Temp folder.

Getting back to the original question, copying a disk is analogous to reading from it - so there is no way to prevent copying without rendering the disk unusable.

 

I tried a few different suggestion, but I still don't have a good solution.

Does anybody know of a good software that can marry the hdd to the laptop?
Some kind of hardware authentication software.

Thanks in advance.

 

There isn't software for it. Its hardware, a TPM.. (Trusted Platform Module).

Most likely, to get it, you'll need to be purchasing a new Laptop.

I stand by the first respondent, TechWG. Encrypt the drive. There should be a updated version of TrueCrypt out soon(hopefully) to fix the problems found in 5.0 with regards to full disk encryption.

 

I recall recently reading a news article about a guy here in the US who was refusing to give up his password for some encrypted file (or files). They were trying to force him to give up his password. He had legal representation and they were fighting it as a freedom of speech or privacy issue. Anyway, if they could decrypt anything that they wanted, why were they so desparate to get his password?

 

I'm sure the <Choose alphabet agency of your choice> doesn't want to give up the knowledge that they can defeat <insert choice of encryption method here>. I'm starting to side with the "We just don't know" crowd, meaning I no longer think they can, but I don't think they can't. I'm just resisting the urge to fill the vacuum of information with pure speculation. Hope for the best, plan for the worst.

Also, right now the best legal defense of not surrendering passwords is the 5th Amendment. This only works however if there is no written record of the password. You can claim that answering the question of "what is your password" could or could not potentially incriminate yourself, which is constitutionally protected. Providing your not standing somewhere that the constitution has more holes in it than a block of swiss cheese.

 

There's no realistic way to protect data from being copied. Even with the money the entertainment industry has, they can't prevent ordinary people from copying and playing copywrited material. If big money can't stop ordinary people from playing and copying digital media, there's no way anyone can prevent a government agency or powerful organization from copying data. The best you can do is make the data unreadable.

Strong encryption is your best option to protect data from unauthorized access. Cloning an encrypted drive only gives them an unreadable copy.

It isn't likely that the better encryption algorithyms will be found vulnerable in the near future. It would be more likely to find the password cached somewhere on the OS or that the owner would be "persuaded" to surrender it. I can't think of too many instances where it would be necessary to conceal data for several decades. If it's really necessary to keep data that long, there needs to be several copies and a plan for renewing them. Hardware usually fails in that length of time.
Rick

 

Hi,

I guess that some question on this Privacy area are not always innocent: in some cases, what intention is hidden behind the question?
In forensic investigation, it's necessary to make a copy of the disk (write protect the disk during this phase) because the original disk must not be modified (this is the copy that will be analyzed).
And without a copy...more defense possibilities.
It would not be responsible to give here more "career opportunities "for potential criminals visiting this board.

A few comments:

-Yes it's possible to hide a full OS withing another one, and a partition in another one.
This is here a strategy often used by children raptors: they hide low level risk content in a partition or container, and hide high level risk content ("photos made at home", without hashes database) in another container.
When they're arrested, then give only the key for the first partition, and by this way mitigate risk of being jailed.

-Ghost and Acronis are considered as backup software, and are not used in forensic: a ghost image is not a perfect copy of the original.
Hardware imager are mostly used, like Deepsar disk imager:
http://www.deepspar.com/products-ds-disk-imager-forensic.html

But for private use and students/light wallets, no need Ghost!
Some free softwares can do reliable copy for free:

-SelfImage: http://selfimage.excelcia.org/

-Easeus Disk Copy (ISO): http://www.easeus.com/disk-copy/

-HDClone: http://www.miray.de/products/sat.hdclone.html

And many others, Unix open source based or not.

Regards

 

Welcome back kareldjag

 

Keep in mind that when local/state law enforcement is out there trying to bust criminals (child pornographers, drug traffickers etc), they do not have access to, or assistance from, the technology of most of the 'three letter' agencies. At best, if the case is high profile enough, they will get some assistance from the law enforcement Feds, but forget about the intel guys. They are focused on a completely different type of mission.
Once the capability to defeat a certain type of technology (or maybe even encryption) is achieved, it takes years before that capability is transferred to the state/local enforcement officials. Unfortunately, they are always at the bottom of the totem pole. The Feds will keep it classified and use it as much as they can before they've either discovered something newer and thus it becomes obsolete, or it becomes compromised by the general public finding out about it. Then, the other 'subordinate' agencies will acquire the hand-me-downs.
The Feds always possess the most knowledge/expertise, hence the reason there are so many joint cases where, if it's high profile enough, they'll call in the big boys to help them out.
Something like finding a laptop suspected of having a few encrypted illegal pictures on it, is just not high enough priority for most federal law enforcement agencies. All this excludes customs, which operates on a federal level, but, in my modest opinion, lacks the capability the others have.

Now, if you're a high profile drug trafficker or some type of launderer, you can bet your butt they will come after you and expend the resources to access your information. That being said, remember that the gov't operates on a budget as well. While it seems like they have unlimited resources (in the name of the war on terror), it would be hard to justify expending a lot of dedicated man hours to cracking open a laptop. Much easier to sick the lawyers on them and intellectually defeat the suspect (by way of the law). Hence the 'you have to tell us the password, it's the law'.

Also, companies are willing to spend money to seek retribution from software pirates because they pursue a civil case (monetary damages). The government doesn't have nearly the amount of resources to chase down pirates and present it in a criminal case (which I believe would be the only approach/interest they would have..criminal, that is).
I digress.

 

Wanting data to be protected well enough that government forensics can't access it does not necessarily imply criminal intent. Encryption has also been used to conceal records of human rights violations by dictators, evidence of government corruption, election fraud, info collected by undercover informants, etc, things you wouldn't want anyone to be able to access, especially the offending party. It's not our place to judge the intent of another based on a post.

Acronis correctly identifies my encrypted partition as Scramdisk encrypted but has failed to correctly copy it. It has not detected encrypted containers in my file system.

Rick

 

Hi,

I was deliberately vague ("some questions") and prudent ("it would be") to mitigate risk of judgement about someone in particular
Since you have studied computer forensics (that's my case) or involved in a computer forensic police department, some questions just sounds a little bit curious...
And I've just pointed out the dark side of a question and its possible answer.
But of course, nothing in the first post refers to the real motivation behind the question.
So let's forget black sunglasses and "suspicious minds" (thanks to Elvis)...

With a physical access to a machine (public computers, at office etc), drive cloning is a real security risk, more than a privacy risk.
Once the drive cloned, and quietly at home, an ill-intentioned person can find what he wishes: credit card number (no need specialized soft, just to know the Luhn algorithm), mail and contacts, logins, history browsing, photos, connected devices (id of USB, IPOD etc)...

A very simple way to mitigate risk of drive cloning is to lock physically the computer, as it is done by public libraries and universities (specific storage furniture).
Off course this is not enough: with an internet connection and enough rights, it's possible to clone what we want to a remote server.
But is drive cloning prevention a way to protect its privacy? I really doubt it.
The simplest way to protect an information (political activist, columnist source etc) on a computer is to never store this information on this computer!
And the market of privacy business is full of reliable solutions (software and hardware)...

It's currently possible to write on a drive and to leave no exploitable trace, making the drive forensic analysis totally lapsed.
Off course, in case of police forensic investigation,even if the drive can't be cloned, it's possible to query a requisition of the machine: the drive can be sent to a specialized laboratory: since data can be accessed, extracted and exploited; drive cloning problems is not a limitation for finding digital evidences (even if the drive is silent as a carp, printers, usb devices, visited web servers or mobile phone can be as talkative as a parrot).

But as drive cloning is circumscribed by the law (often in a vague way), any "incident" during the procedure can be exploited by the lawyer of the potential criminal, who can try to make the proof unusable.
In this case, drive cloning prevention might be considered as a justice obstruction (the law may be different in each country off course).


So is there really a way to prevent drive cloning?

Off course yes! Just take the drive with you!
No drive; no clone isn't it?

Regards.