[Dshield] WP: DNA Key to Decoding Human Factor

Kenneth Coney superc at visuallink.com
Tue Mar 29 19:35:33 GMT 2005


A surprisingly well-written article for that paper.  If asked, I will be 
happy to rent out the usage of my unused PCs for their DNA program (much 
better than having them collect dust). 

I am bemused that they are taking only that approach.  (Although perhaps 
they simply haven't told the reporter of other approaches to the 
problem.)  From examining seized computers I have personal knowledge of 
how people leave dumb things on their PC.  In the early Windows 3.1 and 
95 days I knew of husbands who stored graphic emails from mistresses on 
their home PC, drug dealers who made Rolodex files of contacts, etc., and 
worse.  It only makes sense that more and more cases involve and will 
involve encrypted files.

In the "early" days many commercial software packages contained 
pre-installed back doors, and decrypting was often a simple matter of 
contacting the producer and learning the back door and default codes for 
each package.  Some early packages simply stored the password in the 
clear as a text file and checked to see if what was entered by a user 
matched what was in the file.  Knowing of this often saved hours.  
Swapping file name labels in DOS with a byte writer was not unknown.  Del 
became unerase, unerase became format, etc.  There was at least one 
password-protected machine on the market to which access by all users 
was denied without a password; however, simply removing and replacing 
the little itty bitty watch battery on the motherboard eliminated the 
requirement for a password.  Likewise that early crude protection did not 
do anything to stop one from removing the HD and putting it in a 
different machine.  That company did go bankrupt.

Home and office child pornography users would sometimes save a jpg or 
bmp file as something else, such as file type .doc or .wp5 or .txt.  This 
fooled bosses and wives but not many others.  Finding a folder full of 
150+ Kbyte .txt files was an obvious indicator that a different appendage 
was required and it was time to check with the hex viewer.  (I shudder 
at the thought of doing a byte-by-byte printout or review of today's 100 
gigabyte hard drive and analyzing it by hand, but back in the days when 
hard drives did not exceed 40 megs that was a standard technique before 
doing anything, as well as cloning: experiments are done on a clone, not 
the original.  Sometimes we would need ten or twenty clones before we hit 
on something that worked without destroying.)  Probably by now there is 
a program designed to automate the process and flag for review byte 
sequences of interest while rejecting known .dll and other files which 
match comparison files (although in this version 4.56 and 1.00.2.5c 
world the comparison file would itself be at least a gig in size).

Let's not forget unerasing.  Much supposedly hidden by deleting was 
recovered by file identification or drive analysis.  Many who encrypted 
for transmission forgot (or didn't know) to erase those draft 
~ilename.txt cleartext files and left them behind for comparison, 
analysis or discovery.  One of the best non-commercial trapdoor 
encryption routines I ever saw was itself encrypted and incorporated as 
part of the file to be decrypted, and it allowed three wrong entries, 
then it deleted the hard drive and began writing zeros.  Ow, that ate 
some clones, until a girlfriend gave up a password.

I remember an agent showing me a van designed to park in a subject's 
neighborhood and, by interception of stray RF, display and record on PCs 
and other equipment inside the van what someone was typing on their home 
PC.  Dunno what the range was, but the need for shielding was impressed 
on me by that demonstration.

Early v1 PGP was a nuisance for a year or two but it too was put to 
rest.  Later versions and other algorithms became challenges a 
contractor could work on to retirement.  I am pretty sure that some 
earlier encrypted emails from the early to late 90s 386, 486 and Pentium 
I days are rapidly giving up their secrets in the Pentium IV world.  
When you are a government, or government funded, a ten year effort to 
decrypt something with newer and faster chips every six months or so is 
a doable and worthwhile task.  Today's encrypted files and transmissions 
will no doubt be read, printed and analyzed by 2015.  There are no 
secrets, just lots of files, with slow awareness and reaction.
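Added example, not part of Kenneth Coney's post: a small Python script 
that automates the two checks the post describes doing by hand with a hex 
viewer, namely flagging files whose magic bytes contradict a text-style 
extension (.txt, .doc, .wp5), flagging "text" files that are mostly 
non-printable bytes, and skipping anything whose hash appears in a 
known-file set (standing in for the post's "comparison file").  The 
known-hash set, the sample files and the treatment of .doc as plain text 
are all constructed assumptions for the demonstration.

```python
import hashlib
import os
import tempfile

# Well-known file signatures (magic bytes). These are public format facts,
# not something taken from the post.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
    b"MZ": "pe",   # DOS/Windows executable or DLL
}

# Extensions an examiner would expect to hold text (the post's .txt/.doc/.wp5).
# Assumption: .doc here means a plain-text document, as it often did then.
TEXT_EXTENSIONS = {".txt", ".doc", ".wp5"}


def sniff(data):
    """Return the format whose magic bytes open `data`, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def looks_like_text(data, sample=512, threshold=0.95):
    """Crude text test: at least `threshold` of the first bytes are printable."""
    chunk = data[:sample]
    if not chunk:
        return True
    printable = sum(1 for b in chunk if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(chunk) >= threshold


def scan_directory(root, known_hashes):
    """Flag files under `root` whose content contradicts their extension.

    Files whose SHA-256 is in `known_hashes` (a hypothetical known-file set)
    are skipped entirely, the way the post imagines rejecting known .dll
    and other distribution files.  Returns a sorted list of (path, reason).
    """
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if hashlib.sha256(data).hexdigest() in known_hashes:
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext not in TEXT_EXTENSIONS:
                continue
            rel = os.path.relpath(path, root)
            kind = sniff(data)
            if kind is not None:
                flagged.append((rel, "%s content disguised as %s" % (kind, ext)))
            elif not looks_like_text(data):
                flagged.append((rel, "binary content in %s file" % ext))
    return sorted(flagged)


def demo():
    """Build a constructed sample directory, scan it, return what was flagged."""
    jpeg_blob = b"\xff\xd8\xff\xe0" + bytes(range(256)) * 4   # constructed, not a real photo
    known_bmp = b"BM" + b"\x00" * 300                          # a "shipped with some package" bitmap
    files = {
        "notes.txt": b"Meeting at noon.\nBring the contract.\n",  # genuine text
        "report.txt": jpeg_blob + b"A",                           # JPEG hiding as .txt
        "letter.doc": b"BM" + b"\x01" * 300,                      # BMP hiding as .doc
        "scratch.wp5": b"\x00\x01\x02\x03" * 100,                 # no known magic, but not text
        "banner.txt": known_bmp,                                  # would be flagged, but it is a known file
        "helper.dll": b"MZ" + b"\x90" * 64,                       # not a text extension, ignored
    }
    known_hashes = {hashlib.sha256(known_bmp).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_directory(root, known_hashes)


if __name__ == "__main__":
    for path, reason in demo():
        print(path, "-", reason)
```

The size heuristic the post relied on (a folder of 150+ Kbyte .txt files) 
is deliberately not the trigger here: a magic-byte mismatch or a 
non-printable byte ratio catches the same disguise regardless of file 
size, and the known-hash skip keeps legitimate binary files that happen 
to carry odd extensions out of the review queue.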





