I know it's for use by trained professionals and all but good lord, there's hot wires just hanging out all over the place. In the "advanced methods" they actually advocate disassembling the wall plug and cutting hot leads while the building wiring is still live.
If I were the forensics guy, I'd want hazard pay to use this thing. Is the "evidence" gathered by this method even valid after you've stuck thumb drives in it and driven it around in your van while it's still running in read/write mode?
Edit: I've just thought of a wonderful addition to truecrypt involving the accelerometer... Anyone involved in the TrueCrypt Foundation here? Icanhazplz?
> good lord, there's hot wires just hanging out all over the place
No there's not. There's one hot (exposed) plug which is only exposed while you plug it into the power strip. There's another hot plug which is only exposed when you unplug it from the wall and isn't exposed anymore when you plug it into the UPS.
For someone who works with electronics for a living and just stormed a building with the SWAT team, I can't imagine that this is an unbelievable amount of risk. Get some rubber gloves and you're good.
(I'll also note that opening an original Macintosh was about 100x more dangerous.)
> Edit: I've just thought of a wonderful addition to truecrypt involving the accelerometer... Anyone involved in the TrueCrypt Foundation here? Icanhazplz?
4 years ago when openbsd got a driver for the thinkpad accelerometers, i wrote a little utility that would watch the values and if it detected a sudden movement, it would run a script to lock the screen, remove ssh key passphrases from memory, etc.
i had an irrational fear of someone running into my office and stealing my laptop but i'd always forget it was running and would get up with the laptop and end up locking everything.
it would be useful in a server or desktop system since they should never move (and thus it could do something more drastic like a fast shutdown and power off) but since they never move they probably don't have accelerometers built in anyway.
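The motion-watch logic described in the comment above, as an added example (not the commenter's utility or any OpenBSD code). The class name, the `on_trigger` hook, the thresholds and the accelerometer readings are all assumptions constructed for illustration; requiring consecutive moving samples keeps a single desk bump from locking the machine.

```python
import math
from collections import deque

class MotionWatcher:
    """Fires on_trigger once when readings jump away from the resting baseline."""
    def __init__(self, on_trigger, window=4, threshold=0.3, confirm=2):
        self.on_trigger = on_trigger      # hypothetical hook: lock screen, drop agent keys
        self.rest = deque(maxlen=window)  # recent at-rest samples, (x, y, z) in g
        self.threshold = threshold        # assumed: deviation in g that counts as movement
        self.confirm = confirm            # consecutive moving samples needed to fire
        self.streak = 0
        self.armed = True                 # cleared after firing; set again to re-arm

    def _baseline(self):
        n = len(self.rest)
        return tuple(sum(s[i] for s in self.rest) / n for i in range(3))

    def feed(self, sample):
        """Process one (x, y, z) sample; return True if it fired the trigger."""
        if len(self.rest) < self.rest.maxlen:
            self.rest.append(sample)      # still learning the resting orientation
            return False
        deviation = math.dist(sample, self._baseline())
        if deviation <= self.threshold:
            self.rest.append(sample)      # follow slow drift without alarming
            self.streak = 0
            return False
        self.streak += 1                  # moving samples never enter the baseline
        if self.armed and self.streak >= self.confirm:
            self.armed = False            # latch: one action per arming
            self.on_trigger(sample, deviation)
            return True
        return False

def run(samples):
    """Return (indexes where the trigger fired, deviations passed to the hook)."""
    seen = []
    watcher = MotionWatcher(lambda s, d: seen.append(round(d, 2)))
    return [i for i, s in enumerate(samples) if watcher.feed(s)], seen

# Constructed readings in g: at rest, a one-sample desk bump, rest, then lifted.
SAMPLES = [
    (0.0, 0.0, 1.0), (0.01, 0.0, 1.0), (0.0, 0.01, 0.99), (0.0, 0.0, 1.0),
    (0.5, 0.0, 1.0), (0.0, 0.0, 1.0), (0.01, 0.0, 1.0),
    (0.4, 0.3, 0.8), (0.6, 0.5, 0.6), (0.7, 0.6, 0.4),
]

if __name__ == "__main__":
    print(run(SAMPLES))
```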
ialertu is a GPL'd app for the macbook that, stupidly, sounds an alarm when the built-in accelerometer indicates that the macbook was moved. You could modify it to do something worthwhile instead, like lock the screen and shut down.
Edit: On downvote. No, I'm serious, sometimes you just shouldn't do some things despite the technical possibility because they can't be done safely in a practical real-world setting.
There's probably very few ways to ride an elephant to the airport as well, but a taxi might be a better choice. Now I'll admit that I can't think of a better way to "seize a running computer" off the top of my head but ripping open the wall and hacking at live wires just doesn't strike me as the very best way. Let's be sure we're not riding elephants here.
It is perfectly possible to do safe work on live wiring, although health and safety regulations generally require that this is done only as a last resort. It does occur quite regularly, though, and as long as it's done properly the risk is minimal.
Considering government usually has an exemption clause to health and safety anyway, I don't think the FBI are going to be worrying about it that much.
Can you name one common instance of where working on live wires is done quite regularly? I'm not talking about the guys flying around in helicopters inspecting HV lines. Firemen don't even do that. They go straight to the breaker and kill it for the building.
So where else is handling live wiring done? I'm honestly curious.
Seems pretty straightforward, conceptually. Sense the presence of AC voltage, and when the AC voltage goes below a certain threshold (e.g., it goes away), close some switches to connect an alternate AC supply in less time than it takes for the computer's power supply caps to completely discharge.
If they were powering it from a DC source, like a battery, that would be the way to go. However, it looks like they are powering the device with a separate AC supply. Connecting one AC supply to another -- synchronizing voltage, frequency, and phase -- turns out to be difficult.
The most practical method of doing so is by first converting to DC before converting back to AC. In fact, the interconnects that link the regional power grids in the US are high-voltage DC, because, among other reasons, that allows the grids to be unsynchronized.
The advantage of the simple sensor-and-switch approach is that one need not worry about synchronizing the replacement AC source with the original AC source. The downside is that the window for the switchover is pretty small.
Synchronizing phase, and/or hitting that switchover window is trivial for even the cheapest microcontroller. One cycle at 60 Hz seems fast but it's an eternity for a 20 MHz uC.
I'm going to guess "detects the drop and hits the window" simply because this is how cheap UPS units work and I'd bet a month of lattes that it's made of cheap UPS guts.
Yes, 20 MHz is a higher frequency than 60 Hz. While that would help for the sensor version of the design, it would not directly help for the synchronization of the AC sources. It might help you while building a switching supply to do the AC to DC conversion, and it could help when approximating a sine wave on the DC to AC conversion.
Still, all of that is quite a bit more complicated than just quickly switching in a new source when the other source drops out.
(Credentials: I'm an electrical engineer and have designed and built power supplies.)
can you explain how synchronizing phase is trivial? the previous post made sense to me. it is hard to shift phase.
i agree that you could not try, and instead "hit the gap" (in which case synchronizing phase isn't important), but if you don't do that, and instead want to connect two supplies at once, how does a microcontroller make that easy?
Firstly, you don't need to phase shift here, because you'll need to generate AC from DC (battery), so you may as well generate it in phase with the signal from the outlet.
Secondly, if you need a phase shifting device (for something else), depending on the requirements, there are a number of options starting with something as simple as an RC unit.
Thirdly, generating "AC" [periodically changing signal] of a given voltage and an (approximate) frequency in sync with some other signal is what CRT TVs did (for the CRT).
> it is hard to shift phase.
Not to the engineers building these kinds of devices
(I'm explaining high school to freshman Physics here)
maybe instead of explaining the obvious you should read the original comments. the comment i was defending was about converting ac to ac. their conclusion was that it would need to go through dc (which no-one, including me, has disagreed with).
I think you don't understand the basic physics of electricity. There is no need to detect a drop in the voltage. If you connect two sources of electricity of the same voltage (whether DC or AC in phase), the resulting voltage is still the same. (Secondly, if you don't have access to the insides of the machine, you can only feed it with AC)
> synchronizing voltage, frequency, and phase -- turns out to be difficult.
In my real life as an electrical engineer designing power supplies, I learned that you can't just hook in a second unsynchronized AC source to a circuit and expect everything to be peachy. Frequency, phase, peak voltage, waveform shape (and therefore RMS voltage) -- all of these things are important if you're going to have multiple AC sources. Yes, the math becomes much simpler if all of those parameters (except for voltages, of course) are identical, but conditioning the sources to achieve that state is far from trivial. That gets back to my earlier comment about how in the real world, a trip through DC is often required.
If we were simply adding another DC supply in parallel with an existing DC supply, things would be much simpler. Assuming that the voltages of the supplies were identical, assuming that the resistance of the wires between the supplies, and assuming that the supplies remained linear for the expected load, then sure, just hook the new one in, disconnect the old one, and call it a day. The big difficulty is that, as you mentioned, the machines are designed to consume AC. I suppose that one could crack open the case and start hooking into the DC lines after the power supply, but the number of required voltages would make that rather difficult.
This is a problem that has been solved many times and is (relatively) inexpensive. It is called a "grid tie" power inverter, commonly used with solar panels.
I feel kind of obligated to mention that you can also solve the same problem if the machine is sitting around fully unlocked (not idle and thus cluing the disk encryption in) with a cold-boot attack -- http://citp.princeton.edu/memory/ .
The short version: the contents of RAM are preserved pretty well during power loss if you cool the RAM chips, e.g. by dunking in liquid nitrogen or even just spraying with an inverted air duster, and the encryption key is stored in RAM so that the intended user can access the disk, so you can later recover the key from the frozen RAM.
This technology has been around for quite a while. I was able to attend a High Technology Crime Investigation Association meeting because I was helping with the computer forensics coursework at a local college (featuring a police academy and administration of justice program) and I got to use this very device.
They've made it about as safe as can be. You just can't be a complete moron. As long as the data has been handled properly, yes it's still valid as evidence. Hooking a computer up to a UPS in-situ, then plugging in the equivalent of a USB mouse will not invalidate the evidence.
This would probably cause a lot of trouble for evidence being admissible if it was required for court. Using it would almost certainly cause lots of head scratching and WTF moments.
To be perfectly honest WDE is not as widespread as people think - and probably 80% of the time it does crop up keys are usually willingly given up.
In a corporate scenario situations where you need to find the WDE key usually occur after someone shut the machine down anyway... ;)
(also: Health and Safety would have a fit: you'd almost certainly need to be a qualified electrician for them to let you do it..)
2) Trigger encryption upon disconnect from your particular network
3) GPS
4) Very simple one: re-route AC power inside the machine chassis through a SPST momentary switch glued to the underside. When the machine is lifted, power is cut.
5) More, that I won't list here, because they will end up in the swines' handbooks. Use your imagination.