There’s a very effective way of lifting dusty fingerprints from the field, or in a lab. It’s called an Electrostatic Dust Print Lifter — but as you can imagine, it is rather expensive from a forensic supply store. [Bradley VanZee] — from the Iowa Division for International Association for Identification — realized how simple a tool it was, and made his own for just over $50.
But first, how does it work? Electrostatic print lifting is a non-destructive process where you develop an electrostatic field on a sheet of “lifting film” which attracts the dust particles to stick to the film. It’s capable of recovering impressions from both porous and non-porous surfaces — even ones not visible to the naked eye.
Commercial versions of the tool cost upwards of $600-$800 + lift film. The first hack they realized is that instead of using proprietary lift film, it is just as effective to use car window tint instead! The second hack is even more clever — using a 80,000V tazor, some electrical leads, and some tinfoil you can create your own version of the tool. The aluminum foil acts as a ground, and the object you are inspecting is sandwiched between it and the lifting film. Holding the tazor with one electrode to the foil, you can trace the film using the other electrode at a distance, which induces an electrostatic charge in the film, attracting and capturing the dusty fingerprints. Allow the static to discharge, and store the film in a safe place to be digitized later!
Now obviously this is only really effective for flat objects, but it’s still a brilliant hack — especially to save your budget!
A coworker approached us today with a corrupted SD card. It was out of her digital camera, and when plugged in, it wasn’t recognized. This looked like the perfect opportunity to try out [Christophe Grenier]’s PhotoRec. PhotoRec is designed to recover lost files from many different types of storage media. We used it from the command line on OSX, but it works on many different platforms.
It’s a fairly simple program to use. We plugged in the card and launched PhotoRec. We were prompted to select which volume we wanted to recover. We selected “Intel” as the partition table. PhotoRec didn’t find any partitions, so we opted to search the “Whole disk”. We kept the default filetypes. It then asked for filesystem type where we chose “Other” because flash is formatted FAT by default. We then chose a directory for the recovered files and started the process. PhotoRec scans the entire disk looking for known file headers. It uses these to find the lost image data. The 1GB card took approximately 15 minutes to scan and recovered all photos. This is really a great piece of free software, but hopefully you’ll never have to use it.
Helix 2.0 has been released. Helix is a collection of various tools for electronic forensics. Just like on TV, you can use this to find all kinds of information on a computer. Some of the useful tools added were Winlockpwn a tool for breaking windows security, Volitility which processes data out of the raw memory, and several other tools that are beyond our comprehension.
You’ve undoubtedly noticed that the title says Helix V2.0, but the image and header of the Helix site say 3. We have no idea why. Look at the download info to see that it says V2.0.
[Via Midnight Research labs]
This is unfortunately another story we missed out on while we were trying to keep things from burning down. We told you that [Jonathan Zdziarski] was going to demonstrate iPhone lock code bypassing in a webcast. The real surprise came when he pointed out that the iPhone takes a screenshot every time you use the home button. It does this so it can do the scaling animation. The image files are presumably deleted immediately, but as we’ve seen before it’s nearly impossible to guarantee deletion on a solid state device. There’s currently no way to disable this behavior. So, even privacy conscious people have no way to prevent their iPhone from filling up storage with screenshots of all their text message, email, and browsing activities. Hopefully Apple will address this problem just like they did with the previous secure erase issue. O’Reilly promises to publish the full webcast soon.
AppleInsider is reporting that iPhone Software v2.0 will add a secure wipe feature. The screenshot above shows the text “This will take about an hour.” added to the normal erase feature. This time is used to overwrite data to the disk multiple times. The need for secure phone erasure came to light after a researcher was able to recover personal information from a refurbished iPhone using forensic tools. Since then, a few people have published techniques for obliterating personal data using either the GUI or the more thorough command line method. Remote wipe has also been added to the new firmware in case the phone is stolen. We’re happy to see security being made easily accessible to nontechnical users and expect that remote wipe will become standard on laptops in the future.
InformationWeek has great article on open source data recovery tools. What type of tools you use will depend on the severity of the situation. You can use live Linux distros designed for recovery like SystemRescueCD or Partedmagic (the latter being more user friendly). Security tools distrubutions like BackTrack can also be helpful; Helix in particular was designed for forensics work. dd is a standard *nix tool for imaging drives, but something like TestDisk can help you repair partition tables for whole disk recovery. Most deletion operations don’t overwrite the data which means you can use file carving to capture the lost files. PhotoRec is able to find files in a number of common formats. Finally, if you’ve got some serious forensic work ahead of you there’s The Sleuth Kit and many other command line tools.
As an addendum, OStatic put together a list of 5 freeware tools for protecting your system.
In your zeal to delete your data, you may have accidentally deleted files that you wanted to keep. Lifehacker has posted this handy list of data recovery tools to help you get those files back.
As you may know, whenever you delete a file, the only thing that changes is the file system. The data of the deleted file is still on the hard drive, but the file system sees the space containing the file as “blank” writable space. Data recovery software typically looks into the directory where the file was stored and scans it, finding any files not listed in the file system.
The program you choose for this task will not only be determined by your OS, but also by the specifics of your recovery needs. Do you need to recover a single file? Many files? A whole hard drive? An unbootable drive? A really scratched optical disk? Specialized tools for all of these needs are available, and this article will help you find the right program for yours.