This claim from the Seattle Police puzzles me.
Seattle police detectives investigating Saturday's Capitol Hill shootings have been unable to open Kyle Huff's computer but are not optimistic it will provide a motive for the mass killing.
Police confiscated two computer hard drives, one installed recently, from Huff's North Seattle apartment, but computer viruses have prevented police from retrieving data, said Capt. Tag Gleason, head of the violent-crimes unit.
But I am not an expert on computer viruses. Can someone who knows more about them than I do explain how computer viruses could do this? Or, if they can't, can you speculate on what the real problem is? (Simple encryption seems more likely than viruses, at least to me.)
Posted by Jim Miller at March 30, 2006
04:27 PM
I doubt it's encryption. From what I've read about the creep, he doesn't seem like much of a cypherpunk.
I'd guess it's just a case of imprecisely-applied jargon. Makes for a great headline, though.
Posted by: John A. on March 30, 2006 05:09 PM
I suppose Huff could have contracted some particularly nasty virus that tries to delete data, but few do that anymore (most viruses/worms these days are written in the hope of *controlling* a computer, not destroying it).
Even if the operating system on those disks was hosed by a virus or worm, there would be absolutely nothing preventing the investigators from mounting the drive on a working system, and getting at the data on the drive. That's especially true for things like images, text, and browser caches.
Most likely, some techie told the investigators that it would take more time to do something, and the investigators simply had no idea what the techies were saying, and miscommunicated the concept to an equally technically-inept reporter.
Posted by: A Moderate on March 30, 2006 05:15 PM
I know this much. Evidence HD you handle once. Connect and do a block by block copy onto another HD. Then examine the HD copy. Viruses affect a computer OS, not a slave drive. If your running OS is clean you can examine the slave.
Now it sounds more like Huff encrypted the HD. If it's 128- or 256-bit encryption, brute force (trying every combination) will take too long. You have to know where the encryption software lives. It could be on the HD or on a USB flash drive. If you find that, you can look for the key. The software has to match the input to the key, and the key is stored somewhere on the HD or another HD or device. He might have had a fingerprint ID dongle, in which the key is his fingerprint.
Bottom line is a virus simply can't prevent you from examining a HD, only encryption can do that.
Posted by: JCM on March 30, 2006 06:18 PM
The fact is that unless the file allocation tables are messed up or the drives are mechanically damaged, either one should be able to be attached as a slave drive to a protected computer and any files should be accessible to view.
As a slave on a computer with up to date virus protection, any boot virus would very likely be detected and neutralized without further damage or issues. Any spyware, adware, or malware that may inhibit the drive when it was booted directly on Huff's computer, wouldn't be able to launch from the drive automatically as a slave either.
If, on the other hand, Huff had installed the "new drive recently" in an attempt to recover data from a damaged primary hard drive and was unable to because the primary drive had completely failed, then there may be little or nothing on the new drive and the primary drive may need to be sent to a recovery specialist to have the disks removed and analyzed professionally.
More speculating now; if that was the case, and Huff did have a total drive failure resulting in the apparent loss of everything on his computer, as anyone who has had a drive fail and lost everything on it would know, that could itself have been a very upsetting situation that could have added to his state of mind leading to the attacks.
If that was the case, speculating now into the realm of paranoia and distrust, there would be some incentive to keep that from the public so as to avoid damage to the computer industry and our powerful friends with the rather large Redmond campus.
How do you like that speculation spiral into conspiracy?
Posted by: MJC on March 30, 2006 08:44 PM
Unless the platters are physically destroyed, the data is accessible. A block by block copy is completely independent from the target drive's master boot blocks, FAT or NTFS, HFS for Mac, or UFS for Linux or Unix, allocation tables.
Pulling the platters out of a damaged drive mechanism and getting them put into a new one is pricey, around a thousand bucks. It has to be done in a clean room.
Wiping a drive, overwriting the entire disk with 0s and 1s, might do it but you've got to do a bunch of writes. Commercial recovery software can recover back to about 7 writes.
A big magnet would do the most damage and most likely render the drive unreadable.
The only way to make sure no one can recover the data is to physically pulverize the platters.
Like I said SPD needs a forensic computer geek, the article just sounds like a cop with some computer experience not someone with data recovery experience.
Posted by: JCM on March 30, 2006 09:04 PM
http://pnwllcthingie.org/?p=43
I guess the raver community is going to build some kind of temple in honor of the people killed in the shooting.
But that isn't what caught my attention. What caught my attention was the agenda for the meeting that they had to discuss the details regarding putting the project together.
"AGENDA
6 PM House open. Come on over. If no one is here that means I’m in the shower. Just come in. Ignore the chihuahua."
Now, if no one is there because the guy is in the shower and can't hear the doorbell ring, how can people just come on in?
Of course the answer must be that he is leaving the door open.
Gosh, will these people ever learn? He is just going to leave his door unlocked in an urban environment like Seattle? Makes me wonder how he has survived this far.
You would think after an incident like what happened last Saturday, these people would at least take the common sense step of locking their doors.
But some people never learn, do they.
Posted by: J.J. on March 30, 2006 09:50 PM
http://tinyurl.com/ovx2r
The raver community is getting together to help the survivors of the shooting. The ones who lived in the house but were not shot. In and of itself, great. Right.
Well here is some of the stuff they want to have people contribute to help the survivors.
"### ENTERTAINMENT ###
Weed. Beer. Wine. Hard liquor. Smokes, black American Spirits are their faves. Did I mention that they could really use some weed?
After all, if there has ever been a time to enjoy Initiative 75, this is it. "
--
Hello SPD, are you out there? This seems like a perfect time for a drug bust since they practically announced it to the whole world by putting it in their Google group.
### DIRECTIONS ###
Drop your stuff off at 1122 Broadway Ave E at Broadway and Prospect,
one block West of 10th Ave E. Here's a map:
http://tinyurl.com/b36yk
1 - An improper description, or even understanding, of what is going on.
2 - Instead of attaching the "drive, or drives" of the suspect computer to a different computer as "data/slave drives" they instead attempted to access the drives by booting the suspect computer.
I have been saying the same thing since this happened. Of course, I've been told what an ass I am for pointing this out.
This issue keeps getting brushed under the table. Unfortunately had the parents been responsible and the adults at this party had not been hanging out with Junior high school kids, this tragedy would have had two less victims.
Posted by: someguy on March 31, 2006 11:12 AM
So someone can post on the internet that he wants people to donate their "weed" to these guys and the Seattle Police won't do anything about it?
Even though he literally drew them a map?
http://tinyurl.com/ovx2r
Seattle sure is in a sad state indeed.
Posted by: J.J. on March 31, 2006 03:57 PM
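The block-by-block copy that several commenters describe above, sketched as an added example (not code from the post or from any commenter): the source is read as raw bytes, so a trashed boot sector or file system does not stop the copy, and a hash check confirms the working copy matches the evidence. The block size, file names and the sample "drive" are constructed for illustration; the read-only file permission stands in for a hardware write blocker.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # read size chosen for this example

def image_drive(src_path, dst_path, block=BLOCK):
    """Raw block-by-block copy. Returns (sha256 of image, offsets of unreadable blocks)."""
    digest, bad = hashlib.sha256(), []
    fd = os.open(src_path, os.O_RDONLY)            # never open evidence for writing
    try:
        size = os.lseek(fd, 0, os.SEEK_END)        # works for files and block devices
        with open(dst_path, "wb") as dst:
            for offset in range(0, size, block):
                want = min(block, size - offset)
                try:
                    data = os.pread(fd, want, offset)
                except OSError:                     # unreadable sector: note it, keep going
                    data = b""
                if len(data) < want:
                    bad.append(offset)
                    data = data.ljust(want, b"\0")  # zero-fill so later offsets stay aligned
                dst.write(data)
                digest.update(data)
    finally:
        os.close(fd)
    return digest.hexdigest(), bad

def sha256_file(path, block=BLOCK):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()

def demo():
    # Constructed sample "drive": overwritten boot sector, no usable file system.
    disk = b"\xff" * 512 + b"\0" * 3000 + b"note: constructed sample text" + b"\0" * 5000
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "evidence.raw"), os.path.join(d, "copy.img")
        with open(src, "wb") as f:
            f.write(disk)
        os.chmod(src, 0o444)                        # stand-in for a write blocker
        image_hash, bad = image_drive(src, dst)
        same = image_hash == sha256_file(src) == sha256_file(dst)
        with open(dst, "rb") as f:                  # examine the copy, not the original
            found = f.read().find(b"constructed sample text")
        return same, bad, found

if __name__ == "__main__":
    print(demo())
```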