Sign in with
Sign up | Sign in
Your question
Closed

UK Tried to Stop Snowden Stories by Smashing Hard Drives

Last response: in News comments
Share
August 21, 2013 1:47:34 AM

Destroying HDDs is not pointless if you want to completely destroy files, it depends on how you handle the process. There are ways to check if certain files have been previously copied to other devices. If forensic experts checked for that prior to smashing the drives, then it was a smart move. It's the only way to make sure the data is actually gone. If they didn't check, it was stupid because they have no idea how many copies might exist.

Of course there may be a way to make copies undetected, but I suppose that would take an expert also...

I remember reading a digital video camera manual, that actually said something similar. If you want to delete videos and be sure that the data is destroyed, no method of deleting/formatting etc. is 100% safe. The manufacturer said that if you really want to be sure, you should take the HDD out of the camera and physically destroy it with something like a hammer. No joke, they actually proposed a hammer.
August 21, 2013 2:24:42 AM

fixxxer113 even a hammer isnt an asured way of destroying a hard drive unless it is opened up and the actual disk inside is destroyed. There are infact professional machines with extremely powerful magnets that are the best chance of destroying them.
August 21, 2013 2:56:33 AM

joneb said:
fixxxer113 even a hammer isnt an asured way of destroying a hard drive unless it is opened up and the actual disk inside is destroyed. There are infact professional machines with extremely powerful magnets that are the best chance of destroying them.


That's the point, smashing the platters to bits. Strong magnets work also, although they are harder to find. Large mechanical shredders are also a very satisfying way :p 
August 21, 2013 2:56:44 AM

Not at all surprising that the involved governments are going to great lengths to keep the extent of their domestic spying programs out of public view.
It would be nice if there was some legal recourse that could be taken against these nanny states; changing politicians alone never seems to help >.<
August 21, 2013 3:09:41 AM

antiglobal said:
Snow den, Wikileaks,... All psychological operations of the CIA.

Nice show for stupid public...


Be careful, if you never see an end to the conspiracy layers, if you think the rabbit-hole has no bottom, you might go nuts. We might never find out who pulls the strings. But we can use the information we get to decide how we're going to live. The fact is that there are a lot of people that are absolutely clueless about these things. Even if Wikileaks and Snowden are not selfish idealists, at least through them, some people learn and are a bit more informed on issues like the existance of actual privacy in information.
August 21, 2013 3:39:11 AM

@Fixxxer

Until there are dozens of other copies of those files in various countries around the world. Then it's really pointless.
August 21, 2013 3:47:59 AM

@fixxxer

How would you check if a certain file on the HDD has been copied? Or if it itself is a billionth copy?
August 21, 2013 3:55:08 AM

Chetou said:
@fixxxer

How would you check if a certain file on the HDD has been copied? Or if it itself is a billionth copy?


If you find out that certain files on the HDD have been copied to another location or device even once, then it's safe to assume that there are many copies already on the Internet. There are methods a forensics expert can use to find out what happened. There are logs that he has access to and tools that normal users don't have. You'd be suprised how much info there is about what happened in the past, on a storage device or even in a file itself.
August 21, 2013 3:57:57 AM

Someone Somewhere said:
@Fixxxer

Until there are dozens of other copies of those files in various countries around the world. Then it's really pointless.


That's what I said. Read the whole post. In any case, you will want to destroy the files on that device too, so smashing it to bits is the only certain way.
August 21, 2013 5:03:46 AM

Quote:
There are ways to check if certain files have been previously copied to other devices.

Umm, not really. You check if I've booted off a live USB, mounted the drive in read only mode, and cloned it?

The point was that when there are other copies you have no hope of removing, removing one is pointless.

When you actually read the Guardian's article, they chose to destroy it themselves instead of handing it over. Not a case of being told to destroy it; it was 'give it to us', then 'we can't give it to you if it's non-existent'.
August 21, 2013 5:34:05 AM

Did they really destroy whole computers? All they had to do was destroy the disks, memory cards, and memory sticks. If they think they need to destroy the whole computer then they are dangerously stupid. That can work in our favour if they are trying to do something bad to us, but can work against us if they try to do something good to us. It's worrying how stupid the people, who take care of us, are. Also what about all the other indisputably legitimate work that was destroyed in the process?
August 21, 2013 5:54:34 AM

"GHCQ" I think you meant GCHQ.
August 21, 2013 6:20:54 AM

The title of this article should've been "UK Gov Doesn't Understand How Computer Files Work"
August 21, 2013 7:10:35 AM

firstly - what good does destroying those harddrives do? was anyone dumb enough to think those drives contained the only copy? the second something hits the web (especially stuff like nude photos and leaks like this) there are thousands of copies spread across the globe in seconds.
second - "the truth will set you free". show me a government that doesn't want you to know the truth and i'll show you a government that doesn't want you to know freedom.
August 21, 2013 8:29:43 AM

@fixxxer113

In the circumstances outlined in this article the destruction of the HDDs WAS pointless.
August 21, 2013 8:44:43 AM

fixxxer113 has a vacuous knowledge of this subject.
"Destroying HDD's" is pointless since the files on most networked computer systems are 'backed up' regularly, usually to a different computer or the 'cloud'.
There is no "way to check if certain files have been previously copied" unless you know they were copied, or find them in a temp cache where copied files reside since the head of the drive leaves no change in the file itself. As those cache files are deleted and overwritten by new temp files, the history of this activity is removed. In either case, destroying the hardware would have no effect on the copies.
I doubt that fixxxer113 knows what a 'forensic expert' may or may not know.
fixxxer113 appears to be no smarter than a digital camera manual that he sort of remembers reading. (Something "actually said" is not "something similar" except with regards to your interpretation, which, in the case of fixxxer113, would appear to encompass quite a lot of misunderstanding and ignorance.)
"deleting/formatting" in this case are not methods of destroying data, but merely reusing previously unavailable disk space. To destroy data, it must be overwritten with new data, and the more times it is overwritten, the less magnetic 'residue' remains from which any subsequent analysis may be made to reveal what was there before. This is similar to what you could expect when you reused the same ink cartridge in old typewriters - the ink would be strongest where the tape had only been used once, and become weaker as each new character reused the tape where a previous character had been typed. The difference is that the magnetic 'imprint' where a character appears doesn't reveal the previous character if overwritten enough times. The level of sophistication of the forensic equipment, and the trained technicians to use it, needed to attempt to retrieve overwritten information is well beyond the budget of anyone other than a large corporation or government agency. A typical hard drive head can't 'read' what was stored in a given location before it was overwritten, so a single overpass is sufficient.
Ultimately, smashing equipment, microwaving CD/DVD's, burning documents, and killing witnesses are the caveman's approach to information removal, and in this case, the UK's lauded British Intelligence Agency displayed a pathetic level of understanding regarding digital information storage. It was more likely meant as a demonstration of the threatened financial cost in equipment to anyone attempting to thwart their authority.
August 21, 2013 11:17:29 AM

Seems like fixxxer113 has been watching CSI
August 21, 2013 11:20:49 AM

Reporters are now considered terrorists under British Law? What a dangerous time we live in. At any rate, the documents will never be snuffed out at this point. But it's scary to think about the lengths these criminal governments will go to to censor information.

The information Snowden leaked exposed not only lies from the world's most powerful intelligence agency, but also the fact that they are breaking the US constitution.

If it is a crime to expose the illegal actions of governments, there is no hope for us. This must be addressed now, in the heat of the moment. We won't get another chance after this.
August 21, 2013 2:05:13 PM

As long as there are still so many people in these governments that are stupid enough to think that gayness should still be persecuted or even prosecuted, then certainly we should not allow them to invade privacy. Furthermore we should not allow governments or anyone to commit industrial espionage to steal trade secrets which will then put science companies into debt and cause the retardation of scientific progress. Hopefully the spying hasn't gone that far yet. However I believe Chinese organisations have been doing this to USA and European organisations for ages now, and it is possibly a major reason why the Chinese economy is superior right now while the others are failing, and is also possibly a major reason that many Republicans seem to be trying to halt R&D spending.
August 21, 2013 3:06:41 PM

Assuming you don't want to use a hammer, maybe even reuse the HDD afterwards but really want to ensure the data is dead, I have 4 letters for you - DBAN - read that and stop getting all your tech knowledge from the user manual of a cheap camcorder
August 21, 2013 4:33:30 PM

This might sound a little nerdy, but isn't going around breaking hard drives like a digital 21st century version of burning books?

August 21, 2013 5:24:09 PM

The UK is definitely beating us in the race to see who can reach a totalitarian government the fastest.
August 22, 2013 2:10:16 AM

Ddram Bo said:
There is no "way to check if certain files have been previously copied"


The following is taken from Windows Event viewer on my PC. A tool available to any user, not even remotely comparable to forensic tools. I've removed the computer name and filename:

- System
- Provider
[ Name] Microsoft Office 14 Alerts
- EventID 300
[ Qualifiers] 0
Level 4
Task 0
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2013-03-14T15:43:03.000000000Z
EventRecordID 6432
Channel OAlerts
Computer ##########
Security
- EventData
Microsoft Excel
Do you want to save the changes you made to '#######.xlsm'?
100216
14.0.6029.1000

Also, you can check Windows Registry entries, to see if any external storage devices where connected to the PC and if you export these entries to .txt files, you even get the date and time they were created, giving you the actual time the USB drive was plugged in.

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_HTC&Prod_Android_Phone&Rev_0100\7&1d1638a1&0&HT09EPY03591&0\Device Parameters
Class Name: <NO CLASS>
Last Write Time: 26/5/2013 - 11:21 pm"

This is also from my PC, showing the connection of a smartphone as a USB disk some months ago. Inside the registry key, is even more info on the device.

So, if I was investigating for this specific filename and saw this log (and cross-reference it with registry entries at the same date and time), I woud assume that if there was an attempt to alter or save the file, it would very likely be on another device. Get it? The file seems like it was COPIED. I'm certain that there are other more sofisticated methods of coming to the same conclusion. You'd be surprised how much info you can get just from system event logs. Even if nothing is explicitly mentioned, just by studying the user's behaviour you can see a lot of things. I found these entries manually and copied them but there is software that can scan the registry and other system logs, parsing information depending on specific criteria.

About the whole "HDD smashing" thing... English is not my native language but really, I don't think my post was that hard to understand. I know what formatting actually does, so do the manufacturers (hence the hammer suggestion in the camera manual). It IS a caveman approach but it's the easiest and chepest. Don't forget, apart from the actual files, you also destroy all that other "incriminating data" from your system logs... I've also done my share of data recovery, so i'm not talking completely out of my ass here :) 

I know that in this day and age, files copies (especially if they go online) almost never go away. What I said was that it is not always pointless to destroy a drive. It depends on how each case is handled and how much info you get about what happened, before you destroy the drives. As I said, destroying the drive before a thourough investigation is almost certainly a stupid move.
August 22, 2013 2:15:12 AM

LiveUSB leaves no traces. You're taking info from Windows, and if I wanted to get files without anyone noticing, windows wouldn't even be running.

It's trivial to clone a disk with absolutely no change in the original. I've done it many times before.

EDIT: There is actually a minor change - the read counters on the HDD's SMART info would go up by however much you read. Unless you cloned the whole disk though, you'd have to read it right before and right after to tell that it's changed. Plus that's simply a measure of how much has been read, not what.

EDIT 2:
Quote:
you also destroy all that other "incriminating data" from your system logs

If you wipe the drive fully, windows no longer exists. The logs are part of windows - where did you think they were stored?

Therefore, if you wipe the drive, you wipe the logs.
August 22, 2013 2:43:56 AM

Someone Somewhere said:
LiveUSB leaves no traces. You're taking info from Windows, and if I wanted to get files without anyone noticing, windows wouldn't even be running.

It's trivial to clone a disk with absolutely no change in the original. I've done it many times before.

EDIT: There is actually a minor change - the read counters on the HDD's SMART info would go up by however much you read. Unless you cloned the whole disk though, you'd have to read it right before and right after to tell that it's changed. Plus that's simply a measure of how much has been read, not what.

EDIT 2:
Quote:
you also destroy all that other "incriminating data" from your system logs

If you wipe the drive fully, windows no longer exists. The logs are part of windows - where did you think they were stored?

Therefore, if you wipe the drive, you wipe the logs.


We're talking about users with not particularly advanced knowledge of these things. I doubt all reporters are that experienced with untraceable file copying. Besides, If you were an investigator, what would you say? "Bah, no use in searching, they probably already made thousands of copies using LiveUSB..." No, you would cover all you bases.

Research almost never works like "CSI" as someone mentioned. Very rarely do you get something that points straight to a conclusion. You study evidence, no matter how trivial or unrelated they might seem. In this case, you look for everything you can on the PC itself, maybe talk with the IT department (they also keep track of what users are doing inside the office network), even collaborate with ISPs, to get even more info about shat the user was doing on the Internet at the time.
August 22, 2013 2:58:34 AM

They already told them there were other copies available.

Besides, when your reporters are the ones dealing with spying info, they probably are reasonably good.

You don't even need to use linux. You just pull the drive, plug it into another PC, and copy from there.

It's not difficult.
August 22, 2013 6:02:01 PM

fixxxer113:
You do realize more secure kernels like Linux can be configured to leave no trace of copied files.

You seem to be lacking knowledge of how digital data works.
August 22, 2013 11:47:00 PM

smeezekitty said:
fixxxer113:
You do realize more secure kernels like Linux can be configured to leave no trace of copied files.

You seem to be lacking knowledge of how digital data works.


And some of you seem to be lacking knowledge of how language works,... or investigative work for that matter. Read my post a few times more in case you ever realize what I was saying. If you do this kind of work, you never assume anything. If that was the case, every cyber-crime unit in the world should just close shop and go home. "Well there's nothing we can do here, from their faces i conclude that everyone working in this newspaper/magazine is an experienced hacker... I'm sure there won't be any trace left..."

@Someone Somewhere

"They already told them there were other copies available. " - What I said... NEVER ASSUME

"You just pull the drive, plug it into another PC, and copy from there." - If I wanted to be extra thourough, I would take it for granted that you had attempted this. So, I would search every computer you own or maybe had contact with recently, for traces of you plugging in an extra drive. You see where I'm going with this?? I realize that maybe 99% of the things I would try would be pointless in hindsight, but I would have to try anything if it was my job.
August 23, 2013 4:55:08 AM

Um, no. Seriously, there's nothing stopping me SneakerNetting a (encrypted) clone of the drive to somewhere else.
!