Edit---> I figured out how to insert paragraph breaks through the proxy I have to sign in with. Since it was so hard to read my original post without paragraph breaks, I decided I would fix it for anyone who stumbles across this thread looking for a similar answer.
So, I'm getting ready to head back to the US, and I'm preparing my electronics for US Customs. As many of you know, the Ninth Circuit has ruled that it's OK for US officials to seize any electronic device from travelers entering the US. They can keep the devices, without a time limit, forensically examine the data, and share it with other agencies and/or entities. No probable cause or even suspicion of any sort of wrongdoing is needed to confiscate a traveler's electronics. Customs can, and have, simply taken electronic devices, for however long they like, without giving any reason. I understand that some electronic devices have never been returned at all, and no reason has been given. Setting aside any debate about the 4th Amendment, my concern is how to protect my privacy and freedom.
I use TrueCrypt full disk encryption, which may or may not include hidden partitions. The OS I travel with will be restored from a clean image I have prepared for this purpose. All the info on the data partition- visible with the normal passphrase- has been sanitized to ensure there is no confidential material. If I have normal images to recover too, or any confidential data on the drive(s), all of that would be hidden inside the normal encrypted partitions. Since the OS will never access any hidden partitions, if there are any, it is impossible to prove whether a hidden partition does in fact exist. This part I'm not concerned with, and am quite comfortable. If hidden data does in fact exist, it is not possible to prove that existence before the Sun burns out- or at least not in my lifetime. Yes, I understand it is a crime, in its own right, to lie to law enforcement officials. If an official thinks I'm lying, I would be comfortable seeing their evidence in a court of law.
Before using a partition, I encrypt it with a very strong password string, without saving the string. I then delete the partition, create a new one in its place, and only then encrypt it with my normal password string. Because the first password string is not recorded, and is unrecoverable, any data that was on the partition from an earlier time is lost forever in random noise. Without brute forcing the lost password, even unallocated space is scrambled, and unrecoverable.
I am willing to supply my normal passphrase to US officials to prevent them from seizing my equipment if required. However, this is no guarantee that they will not take it, since they don't actually need a reason. My concern is that the chain of custody will be out of my control, and anyone in the extended chain COULD insert some illegal data, such as child pornography, a message from Bin Laden, or (take your pick) onto my disk(s). Needless to say, this event would be a life changer, and not a good one.
Perhaps one might think I've got my tinfoil hat pulled just a little too far down over my ears. While I agree the likelihood of the above scenario is low, the consequences to my freedom, livelihood, and my reputation are so severe, that I believe some practical attempts to mitigate the risk are warranted.
I thought one way would be to calculate the hash of each encrypted partition, and upload those hashes for later retrieval. These hashes would be proof that my disks were or were not tampered with, should CBP decide the best way to save the world from a terrorist, is to seize my electronics. However, I haven't found a way to get the hashes yet.
Using a bootable CD with an OS and TrueCrypt, I'm able to mount the partitions as read only. This lets me be more cooperative with Customs than the law requires. I can enter my password, and allow border agents to browse through my encrypted files, should they ask, without changing the hash.
I can also mount the partitions in read only mode, to get the hash values of each file with HashMyFiles. But HashMyFiles only provides the hash for individual files that are present in allocated space. I don't know of a way to get the hash of the entire encrypted partition. This is both impractical, and a show stopper.
It's impractical, because one would need to check and verify the hash of many thousands of files.
It's a show stopper, since unallocated space is not accounted for. The reason unallocated space is important, is to ensure that a file has not been added- then deleted, which would show up in the unallocated space with recovery/forensic software, but without a time stamp. If this were to happen in the extended chain of command, out of my control, without a hash to prove tampering, I could be held liable.
At this time, I have no prior convictions, arrests, or even investigations against me that I am aware of, and I doubt I am any more at risk than the next guy. But I wish to keep this status, and am willing to take steps toward this end. Because the court has ruled that border agents don't need to suspect any wrongdoing to confiscate and examine electronics, I think it's prudent to protect myself from a rogue official bent on putting a feather in his cap at my expense.
Edit II
Thank you very much Cogman for giving me the answer to my question. I will spell out the answer below, for any reader who, like me, is a novice with the command prompt.
Using a bootable CD with Linux, such as Hiren's Boot CD, use a partition manager like GParted, or whatever is included with the CD, to view the disk structure. Make a note of the names of the partitions found in the partition manager- i.e. sda1 for disk 1 partition 1.
Open a terminal from anywhere you like, as the location is unimportant.
Where sda is the name of the first disk, type "sha1sum /dev/sda" to get the SHA-1 hash of the entire drive. Adding a digit after the name of the disk will return the hash of the specific partition- i.e. "sha1sum /dev/sda1" for disk 1 partition 1.
Substituting md5sum for sha1sum will return the MD5 hash.
If the CD used to get to Linux doesn't allow the operation due to a lack of privileges, type sudo (and a single space) before the above command.
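The procedure above as an added example that is not part of the original post: it records a whole-partition hash in a manifest, re-checks it later, and shows on a constructed image file that a byte written into unused space leaves a per-file hash untouched but changes the partition hash. It assumes sha256sum in place of the sha1sum/md5sum named in the post; the function names and the image file are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post. Function names and the image
# file are constructed; on the boot CD, TARGET would be e.g. /dev/sda1 (sudo).

# record TARGET MANIFEST: hash every byte of TARGET, allocated or not, and
# store it in the format `sha256sum -c` understands.
record() { sha256sum "$1" > "$2"; }

# verify MANIFEST: succeeds only if the target is still byte-for-byte identical.
verify() { sha256sum -c "$1" >/dev/null 2>&1; }

# file_hash IMG: stand-in for a per-file tool; hashes only the 11 "file" bytes.
file_hash() { head -c 11 "$1" | sha256sum | cut -d' ' -f1; }

# demo: shows that a write into unused space escapes the per-file hash but
# not the whole-partition hash. Prints "<file result> <partition result>".
demo() {
    dir=$(mktemp -d) || return 1
    img=$dir/partition.img
    # Constructed 64 KiB "partition": 11 bytes of file data, the rest unused.
    dd if=/dev/zero of="$img" bs=1024 count=64 2>/dev/null
    printf 'hello world' | dd of="$img" conv=notrunc 2>/dev/null
    before=$(file_hash "$img")
    record "$img" "$dir/manifest"
    # Simulated tampering: one byte written at offset 40000, outside the file.
    printf 'X' | dd of="$img" bs=1 seek=40000 conv=notrunc 2>/dev/null
    if [ "$(file_hash "$img")" = "$before" ]; then f=file-hash-unchanged
    else f=file-hash-changed; fi
    if verify "$dir/manifest"; then p=partition-hash-unchanged
    else p=partition-hash-changed; fi
    rm -rf "$dir"
    echo "$f $p"
}

demo
```

Keep the manifest somewhere other than the disk it describes, and run the check from the read-only boot CD so that nothing is written to the partition between recording and verifying.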