Remembrance of Data Passed: Used Disk Drives and Computer Forensics
Simson L. Garfinkel, Computer Science and Artificial Intelligence Laboratory (PowerPoint presentation transcript)
![Page 1: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/1.jpg)
Remembrance of Data Passed: Used Disk Drives
and Computer Forensics
Simson L. Garfinkel
Computer Science and Artificial Intelligence Laboratory
![Page 2: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/2.jpg)
Acknowledgements
Abhi Shelat (MIT) Ben Geleb (MIT)
![Page 3: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/3.jpg)
Goals of Computer Security
Availability Confidentiality Data Integrity Control Audit
![Page 4: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/4.jpg)
Assuring Confidentiality
Prevent unauthorized disclosure of confidential information.
Where is the data? Data in flight Stored data
Most data spends most of its time in storage.
![Page 5: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/5.jpg)
Data over time: Conceptual
[Chart: Data (GB), 0 to 25, against years 2002 to 2007, with the purchase and retirement dates marked]
![Page 6: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/6.jpg)
149M Drives Retired in 2002!
[Chart: drives shipped vs. drives retired per year, 1997 to 2002; y-axis 0 to 250,000]
![Page 7: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/7.jpg)
“Retire?”
Harrison Ford as Deckard retiring a replicant.
Blade Runner (1982)
![Page 8: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/8.jpg)
Hard drives keep their data…
Even after you throw it away…
![Page 9: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/9.jpg)
Actual Data over Time
[Chart: Data (GB), 0 to 25, against years 2002 to 2014, with the purchase and retirement dates marked; the data persists past retirement]
![Page 10: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/10.jpg)
Hard Drives Pose Special Problems
Today’s computers can read hard drives that are 15 years old: electrically compatible (IDE/ATA), logically compatible (FAT16/32 file systems).
It is hard to sanitize a hard drive: physically destroy the drives, or overwrite the drives. ATA “Secure Erase” takes ≈30 minutes! (You can’t use a bulk eraser.)
![Page 11: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/11.jpg)
Many hard drives are “repurposed,” not “retired”
Re-used within an organization Given to charities Sold on eBay
![Page 12: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/12.jpg)
Long-Term Data Storage Threatens Confidentiality
Techniques for assuring confidentiality:
#1 - Physical security
#2 - Logical access controls (operating system)
#3 - Cryptography (disk & link)
![Page 13: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/13.jpg)
Repurposed disks…
Techniques for assuring confidentiality:
#1 - Physical security
#2 - Logical access controls (operating system)
#3 - Cryptography (disk & link)
… and most data isn’t encrypted
![Page 14: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/14.jpg)
More bad news…
DEL doesn’t delete files: it just removes the file’s name from its containing directory.
FORMAT C: doesn’t erase the hard drive: it just writes a new root directory.
True for DOS, Windows, Unix, MacOS, Novell, and most other systems.
![Page 15: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/15.jpg)
A typical hard disk
Factory-Fresh Hard disk: All Blank
[Diagram: a grid of disk blocks, every block shown as 0 (not to scale)]
Each block is 512 bytes.
A 20G disk has 40M blocks.
![Page 16: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/16.jpg)
“All Blank”
Each block has 512 ASCII NULs:
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
(the same 16-byte row repeated 32 times: 512 bytes of 00)
![Page 17: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/17.jpg)
File Systems
Control allocation of blocks on the disk. Usually part of the kernel.
Popular file systems:
FAT12 - DOS floppy disks
FAT16, FAT32 - DOS hard drives, USB drives
NTFS - Windows NT
UFS, FFS, EXT2 - Unix
HFS, HFS+ - MacOS
Novell
Wrinkles: compressed file systems, encrypted file systems
![Page 18: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/18.jpg)
% format C:*
Writes: boot blocks, root directory, “File Allocation Table” (FAT); backup “superblocks” (UFS/FFS)
May also: validate surface
[Diagram: block 0 is now the boot block (B), followed by FAT blocks (F F) and the root directory (/); every other block is still 0]
* Examples based on FAT32 running under Unix
![Page 19: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/19.jpg)
% cp bfs1 /mnt/b1
% cp bfs2 /mnt/b2
Writes: file contents, file directory entry, bookkeeping
root directory:
b1______.___ jan 1 2004 block 7
b2______.___ jan 1 2004 block 14
[Diagram: B F F, root directory now lists /b1 and /b2; block 7 holds Big Secret File #1, block 14 holds Big Secret File #2; the other blocks are still 0]
![Page 20: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/20.jpg)
% rm /mnt/b1
% rm /mnt/b2
Writes: new root directory, bookkeeping
new root directory:
?1______.___ jan 1 2004 block 7
?2______.___ jan 1 2004 block 14
[Diagram: B F F, root directory now lists /?1 and /?2; block 7 still holds Big Secret File #1 and block 14 still holds Big Secret File #2]
![Page 21: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/21.jpg)
% cp Madonna.mp3 /mnt/mp3
Writes: new root directory, madonna.mp3, bookkeeping
new root directory:
Madonna_.mp3 jan 2 2004 block 7
?2______.___ jan 1 2004 block 14
[Diagram: B F F, root directory lists /mp3 and /?2; block 7 now holds Madonna, a fragment of Big Secret File #1 survives beyond it, and block 14 still holds Big Secret File #2]
![Page 22: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/22.jpg)
What’s on the disk?
Madonna.mp3 (“Level 0 data”)
Madonna.mp3’s directory entry
All of B2 (“Level 2 data”)
Most of B2’s directory entry
Part of B1 (“Level 3 data”)
[Diagram: same block layout as the previous slide]
![Page 23: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/23.jpg)
Taxonomy of hard disk data
Level 0 Files in file system
Level 1 Temp files (/tmp, /windows/tmp, etc)
Level 2 Recoverable deleted files
Level 3 Partially over-written files
Level 4 Data accessible by vendor commands
Level 5 Overwritten data
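The format/cp/rm/cp sequence of the preceding slides and the taxonomy above, replayed as an added Python example (written for this page; it is not the presenter's fatdump tool). A toy FAT-style disk lives in memory: FORMAT rewrites only the boot block, FAT and root directory; DEL only flips the first byte of the directory entry to 0xE5 (the “?” on the slides) and frees the FAT chain; the data blocks are never touched. The record layout, block numbers and block count are simplifications assumed for the example. Three observers then look at the same disk: the OS directory listing (Level 0), an undelete tool reading from a deleted entry's first block (Level 2), and a raw block scan that ignores the file system entirely (Level 3).

```python
"""Toy FAT-style disk: why DEL and FORMAT leave data behind (constructed example).

Block 0 = boot block, block 1 = FAT (one byte per block: 0 free, 0xFF end of
chain, otherwise next block), block 2 = root directory, blocks 3.. = data.
A directory entry is an 11-byte name, first block and size. This layout and
the 0xE5 "deleted" marker are the assumptions of this example.
"""
import struct

BLOCK = 512
FIRST_DATA = 3
END = 0xFF
DELETED = 0xE5
ENTRY_FMT = "<11sII"                     # name, first block, size in bytes
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 19


def _pad(name):
    return name.encode("ascii").ljust(11, b" ")[:11]


class ToyDisk:
    def __init__(self, nblocks=16):
        self.blocks = [bytearray(BLOCK) for _ in range(nblocks)]  # factory fresh: all NULs

    def format(self):
        """FORMAT writes the boot block, FAT and an empty root directory. Nothing else."""
        self.blocks[0][:4] = b"BOOT"
        self.blocks[1][:] = bytes(BLOCK)
        self.blocks[2][:] = bytes(BLOCK)

    def _entries(self):
        root = self.blocks[2]
        for off in range(0, BLOCK - ENTRY_SIZE + 1, ENTRY_SIZE):
            name, first, size = struct.unpack_from(ENTRY_FMT, root, off)
            if name[0] == 0:          # never-used slot: end of directory
                return
            yield off, name, first, size

    def cp(self, name, data):
        """Write contents into free blocks, chain them in the FAT, add an entry."""
        fat = self.blocks[1]
        first = prev = None
        for i in range(0, max(len(data), 1), BLOCK):
            b = next((j for j in range(FIRST_DATA, len(self.blocks)) if fat[j] == 0), None)
            if b is None:
                raise OSError("disk full")
            fat[b] = END
            if prev is None:
                first = b
            else:
                fat[prev] = b
            # Whole block written, tail zero-padded. Real file systems leave the
            # old bytes in that tail ("slack"), which is worse, not better.
            self.blocks[b][:] = data[i:i + BLOCK].ljust(BLOCK, b"\0")
            prev = b
        root = self.blocks[2]
        for off in range(0, BLOCK - ENTRY_SIZE + 1, ENTRY_SIZE):
            if root[off] in (0, DELETED):     # first free or deleted slot, as FAT does
                struct.pack_into(ENTRY_FMT, root, off, _pad(name), first, len(data))
                return
        raise OSError("root directory full")

    def rm(self, name):
        """DEL: flip the first name byte to 0xE5 and free the FAT chain. Data stays."""
        fat = self.blocks[1]
        for off, n, first, _ in self._entries():
            if n == _pad(name):
                self.blocks[2][off] = DELETED
                b = first
                while b != END:
                    nxt = fat[b]
                    fat[b] = 0
                    b = nxt
                return
        raise FileNotFoundError(name)

    def ls(self):
        """Level 0: what the operating system shows (live entries, read via the FAT)."""
        out = {}
        for _, n, first, size in self._entries():
            if n[0] == DELETED:
                continue
            buf, b = bytearray(), first
            while b != END:
                buf += self.blocks[b]
                b = self.blocks[1][b]
            out[n.decode().strip()] = bytes(buf[:size])
        return out

    def undelete(self):
        """Level 2: a deleted entry still names a first block and a size; an
        undelete tool assumes the file was contiguous and reads it back."""
        out = {}
        for _, n, first, size in self._entries():
            if n[0] == DELETED:
                nblocks = -(-size // BLOCK)
                buf = b"".join(bytes(self.blocks[first + i]) for i in range(nblocks))
                out["?" + n[1:].decode().strip()] = buf[:size]
        return out

    def raw_scan(self, needle):
        """Level 3: a strings/grep-style pass over every block, ignoring the file system."""
        return [i for i, blk in enumerate(self.blocks) if needle in blk]


def walkthrough():
    """Replays the slides: format, copy two secrets, delete both, copy an mp3."""
    secret1 = b"Big Secret File #1 " * 40    # 760 bytes: two blocks (constructed)
    secret2 = b"Big Secret File #2 " * 20    # 380 bytes: one block (constructed)
    d = ToyDisk()
    d.format()
    d.cp("B1", secret1)
    d.cp("B2", secret2)
    d.rm("B1")
    d.rm("B2")
    d.cp("MADONNA.MP3", b"ID3 fake mp3 " * 10)   # reuses B1's entry slot and first block
    return {
        "level0": sorted(d.ls()),
        "level2": {k: v == secret2 for k, v in d.undelete().items()},
        "level3_blocks": d.raw_scan(b"Big Secret File #1"),
        "secret2_blocks": d.raw_scan(b"Big Secret File #2"),
    }


def reformat_leaves_data():
    """FORMAT after a file was written: the name is gone, the bytes are not."""
    d = ToyDisk()
    d.format()
    d.cp("MEMO.TXT", b"the secret memo")
    d.format()
    return sorted(d.ls()), d.raw_scan(b"the secret memo")
```

After the walkthrough the OS lists only MADONNA.MP3, undelete brings back all of B2 from its “?2” entry, and only the raw scan finds the tail of B1 in the block the mp3 did not reach, which is exactly the Level 0 / Level 2 / Level 3 split on the “What’s on the disk?” slide. The second function shows the FORMAT case: an empty listing, and the memo still sitting in block 3.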
![Page 24: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/24.jpg)
Level 4 Data: Vendor Area
[Diagram: the user-visible blocks from the previous slide (Madonna, /?2, Big Secret File #2, fragment of Big Secret File #1) plus areas the file system never sees: the disk operating system (B0 Disk OS) and bad block regions (marked X)]
Disk operating system
Bad block regions
![Page 25: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/25.jpg)
Level 5: Overwritten Data
Disk Drives are analog devices
[Plot: read-back voltage, 0 to 1, for the written bits 0 1 0 1 0]
![Page 26: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/26.jpg)
Level 5: Overwritten Data
Disk Drives are analog devices
Overwritten data doesn’t just die…
[Plot: read-back voltage, 0 to 1; Pass 1 wrote 0 1 0 1 0, Pass 2 wrote 0 0 1 1 1]
![Page 27: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/27.jpg)
Level 5: Overwritten Data
Disk Drives are analog devices
Overwritten data doesn’t just die…
Read data should be a function of all previous data values…
[Plot: read-back voltage after Pass 1 and Pass 2: 0 .1 .9 1 .9]
![Page 28: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/28.jpg)
Level 5: What to do?
DOD 5220.22-M:
“Degauss with a Type I degausser”
“Degauss with a Type II degausser”
“Overwrite all locations with a character, its complement, then a random character and verify”
Destroy: disintegrate, incinerate, pulverize, shred, or melt
![Page 29: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/29.jpg)
Type 1 Degausser
Model HD-2000: 73 seconds cycle time, 260 lbs, $13,995, monthly rental $1,400
Note: Your hard disk won’t work after it’s been degaussed (why not?)
http://www.datadev.com/v90.html
![Page 30: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/30.jpg)
Drive Slagging
Melting down the drives works just fine
http://driveslag.eecue.com/
![Page 31: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/31.jpg)
Drive Slagging Cont…
![Page 32: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/32.jpg)
Drive Slagging
“Good luck removing data from this.”
![Page 33: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/33.jpg)
The Bad News:
Most people aren’t using these techniques
Data is discovered on old hard drives…
Used computers with hard drives.
Computers discovered in the trash.
Drives purchased on the “used” market.
![Page 34: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/34.jpg)
Garfinkel: August 1998
I purchased 10 used computers, all with operational hard drives:
Server from a law firm
Database of mental health patients
Quicken files
Draft manuscript of a novelist…
![Page 35: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/35.jpg)
Other Stories of Data Passed…
April 1997: A woman in Pahrump, NV, purchases a used IBM PC and discovers records from 2000 patients who had prescriptions filled at Smitty’s Supermarkets pharmacy in Tempe, AZ.
August 2001: More than 100 computers from Viant with confidential client data sold at auction by Dovebid.
Spring 2002: Pennsylvania state Department of Labor and Industry sells computers with “thousands of files of information about state employees.”
August 2002: Purdue student purchased used Macintosh computer at equipment exchange; computer contains FileMaker database with names and demographic information of 100 applicants to Entomology Department.
![Page 36: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/36.jpg)
With so many used systems, why so few stories of actual data disclosure?
Hypothesis #1: Disclosure of “data passed” is exceedingly rare because most systems are properly sanitized.
Hypothesis #2: Disclosures are so common that they are not newsworthy.
Hypothesis #3: Systems aren’t properly sanitized, but few notice the personal data.
![Page 37: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/37.jpg)
The “Remembrance of Data Passed” Study
I purchased 235 used hard drives between November 2000 and January 2003: eBay, computer stores, swap fests. No more than 20 from the same vendor.
Mounted the drives, copied off the data, looked at what I found.
![Page 38: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/38.jpg)
Drives arrived by UPS.
![Page 39: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/39.jpg)
Imaged using FreeBSD
![Page 40: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/40.jpg)
Stored images on RAID
![Page 41: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/41.jpg)
Every disk becomes three files:
-rw-r----- 1 simsong project 675 Aug 9 2002 70.fdisk
-r--r----- 1 root project 541384704 Aug 9 2002 70.img
-rw-r----- 1 simsong project 205892 Aug 9 2002 70.tar.gz
Disk #70: IBM-DALA-3540/81B70E32
Purchased for $5 from a Mass retail store on eBay
541MB
1,057,392 disk blocks; 67,878 blocks are all NULs
![Page 42: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/42.jpg)
70.fdisk: the disk partition report
******* Working on device /dev/ad2 *******
parameters extracted from in-core disklabel are:
cylinders=524 heads=32 sectors/track=63 (2016 blks/cyl)

parameters to be used for BIOS calculations are:
cylinders=524 heads=32 sectors/track=63 (2016 blks/cyl)

Media sector size is 512
Warning: BIOS sector numbering starts with sector 1
Information from DOS bootblock is:
The data for partition 1 is:
sysid 11,(DOS or Windows 95 with 32 bit FAT)
    start 63, size 1054305 (514 Meg), flag 80 (active)
	beg: cyl 0/ head 1/ sector 1;
	end: cyl 522/ head 31/ sector 63
The data for partition 2 is:
<UNUSED>
The data for partition 3 is:
<UNUSED>
The data for partition 4 is:
<UNUSED>
![Page 43: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/43.jpg)
70.tar.gz: Level 0 files
% tar tfz images/tar.gz/70.tar.gz
./
IO.SYS
MSDOS.SYS
COMMAND.COM
%
![Page 44: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/44.jpg)
70.img: The raw data
% strings img.70 | more
…
[.??!ZY[0123456789ABCDEFSW0W0W090W0W06,.h
Insert diskette for drive and press any key when ready
Your program caused a divide overflow error.
If the problem persists, contact your program vendor.
Windows has disabled direct disk access to protect your long filenames.
To override this protection, see the LOCK /? command for more information.
The system has been halted. Press Ctrl+Alt+Del to restart your computer.
You started your computer with a version of MS-DOS incompatible with this
version of Windows. Insert a Startup diskette matching this version of
OEMString = "NCR 14 inch Analog Color Display Enchanced SVGA, NCR Corporation"
Graphics Mode: 640 x 480 at 72Hz vertical refresh.
XResolution = 640
YResolution = 480
VerticalRefresh = 72
…
56M of printable strings!
![Page 45: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/45.jpg)
70.img con’t
wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwqling the Trial Edition----------------------------IBM AntiVirus Trial Edition is a full-function but time-limitedevaluation version of the IBM AntiVirus Desktop Edition product. Youmay have received the Trial Edition on a promotional CD-ROM or as asingle-file installation program over a network. The Trial Editionis available in seven national languages, and each language isprovided on a separate CC-ROM or as a separaEAS.STCmEET.STCELR.STCqELS.STC
![Page 46: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/46.jpg)
MAB-DEDUCTIBLE MAB-MOOP MAB-MOOP-DED METHIMAZOLE INSULIN (HUMAN) COUMARIN ANTICOAGULANTS CARBAMATE DERIVATIVES AMANTADINE MANNITOL MAPROTILINE CARBAMAZEPINE CHLORPHENESIN CARBAMATE ETHINAMATE FORMALDEHYDE MAFENIDE ACETATE s@ MALATHION MAZINDOL NOMIFENSINE MALEATE PIPOBROMAN
70.img ..
Appears to have some kind of medical information on it.
![Page 47: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/47.jpg)
Drive #227
No obvious files, but lots of deleted files…
cluster 51152 looks like a directory...
07/17/1995 21:38 <DIR> . (cluster 51152 / sector 409677)
08/23/1993 11:41 1,818 ?GMTLTR WPS:del (cluster 11381 / sector 91509)
08/23/1993 11:11 2,714 ?MDAGMT WPS:del (cluster 11382 / sector 91517)
07/22/1993 12:05 2,068 ?BBLTR WPS:del (cluster 11383 / sector 91525)
08/23/1993 11:56 1,434 ?BBLTR2 WPS:del (cluster 11384 / sector 91533)
06/21/1993 09:29 3,610 ?ONTRACTWPS:del (cluster 11385 / sector 91541)
07/26/1993 14:44 4,250 ?ONTRX90WPS:del (cluster 11386 / sector 91549)
07/26/1993 11:52 2,202 ?VRLTR WPS:del (cluster 11388 / sector 91565)
06/21/1993 10:12 2,202 ?VRLTR1 WPS:del (cluster 11389 / sector 91573)
07/09/1993 12:45 2,202 ?VRLTR2 WPS:del (cluster 11390 / sector 91581)
07/08/1993 12:41 5,018 ?CS1 WPS:del (cluster 11391 / sector 91589)
07/22/1993 11:11 5,414 ?CSLTR WPS:del (cluster 11393 / sector 91605)
09/06/1993 14:49 8,284 ?AILABL2WPS:del (cluster 11395 / sector 91621)
07/12/1993 10:59 788 ?AILLAB :del (cluster 11398 / sector 91645)
07/07/1993 11:18 8,808 ?AILLABLWPS:del (cluster 11399 / sector 91653)
07/26/1993 23:35 34,616 ?EWPRAC BFX:del (cluster 11402 / sector 91677)
07/27/1993 07:30 2,458 ?EWPRAC WPS:del (cluster 11411 / sector 91749)
06/02/1993 15:02 2,720 ?BSSRV :del (cluster 11412 / sector 91757)
06/02/1993 15:11 42,272 ?BSSRV BFX:del (cluster 11413 / sector 91765)
06/02/1993 15:02 2,720 ?BSSRV WPS:del (cluster 11424 / sector 91853)
08/01/1993 14:35 7,974 ?TRAGMT WPS:del (cluster 11425 / sector 91861)
06/21/1993 09:51 2,976 ?URVEY WPS:del (cluster 11427 / sector 91877)
![Page 48: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/48.jpg)
Drive #227
Sometimes just the directory is deleted…
cluster 19401 looks like a directory...
06/18/1995 12:39 1,715 POEMS11 WPS (cluster 14827 / sector 119077)
04/14/1995 17:34 7,620 LATADD WDB (cluster 14828 / sector 119085)
06/19/1995 16:09 1,459 POEM7 WPS (cluster 14829 / sector 119093)
06/12/1995 15:35 1,178 POEMS22 WPS (cluster 14830 / sector 119101)
06/18/1995 12:39 1,452 POEMS13 WPS (cluster 14831 / sector 119109)
06/18/1995 13:23 1,459 POEMS14 WPS (cluster 14832 / sector 119117)
06/18/1995 12:39 1,459 POEM WPS (cluster 14833 / sector 119125)
06/18/1995 12:46 1,196 POEMS17 WPS (cluster 14834 / sector 119133)
06/18/1995 12:47 1,069 POEMS18 WPS (cluster 14835 / sector 119141)
06/18/1995 12:47 1,197 POEMS19 WPS (cluster 14836 / sector 119149)
08/24/1994 14:08 660 LABEL WPS (cluster 14837 / sector 119157)
06/18/1995 12:48 1,331 POEMS20 WPS (cluster 14838 / sector 119165)
11/18/1994 17:40 1,300 ENG WPS (cluster 14839 / sector 119173)
06/18/1995 12:50 1,203 POEMS21 WPS (cluster 14840 / sector 119181)
06/19/1995 16:33 4,847 POEMS3 WPS (cluster 14841 / sector 119189)
06/18/1995 12:50 1,069 POEMS23 WPS (cluster 14842 / sector 119197)
![Page 49: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/49.jpg)
Digital Forensics
“Forensics” has two meanings: the art or study of formal debate, and the use of science and technology to investigate and establish facts in civil or criminal courts of law.
Digital forensics: disk drive forensics, network forensics, software forensics.
![Page 50: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/50.jpg)
Hard Disk Forensics
Consumer tools: disk sector editors, Norton Disk Doctor
Professional tools: Access Data’s Forensic Tool Kit (FTK), Guidance Software’s EnCase
Open-source tools: SleuthKit
![Page 51: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/51.jpg)
Capabilities of Forensic Tools
All tools: undelete files (level 2 data); search for text (level 3 data)
Professional tools: display contents of Outlook .PST files; search for files by MD5 or SHA-1; create a report of the operator’s actions; create a “timeline” of the disk’s activity
![Page 52: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/52.jpg)
The Forensics Challenge
Most forensic tools are designed to spend a lot of time with one drive.
I had a lot of drives and a little bit of time. Tools that I used/created:
strings(1)
fatdump - a “forensic file system”
blockstats - forensics based on statistical analysis
![Page 53: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/53.jpg)
Types of data found
Level 0 data: operating systems, applications, 675 Word files, 274 Excel files, 20 Outlook PST files
![Page 54: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/54.jpg)
Data con’t…
Level 1 files:
Web caches
• Hotmail
• Purchases
• Pornography
Cookies
• Authentication cookies
![Page 55: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/55.jpg)
More data…
Level 3 data: credit card numbers, email addresses
![Page 56: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/56.jpg)
Confidential information found
Medical records, short stories, personal correspondence, HR correspondence, loan repayment schedules
![Page 57: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/57.jpg)
Of particular note
A letter to a child’s oncologist
A “formatted” drive with 3722 credit card numbers
A drive that had been in an Illinois ATM machine
![Page 58: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/58.jpg)
Why did we find this data?
1. Lack of knowledge: the individual disposing of the device may not consider the problem.
2. Lack of concern for the problem: the individual knows, but doesn’t think that the device actually contains confidential information.
3. Lack of concern for the data: the individual knows that the drive contains confidential data, but doesn’t care if the data is revealed.
![Page 59: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/59.jpg)
Possible explanations Con’t.
4. Failure to properly estimate the problem: the individual is aware of the problem but doesn’t believe that the information will be used by the device’s future owner.
5. Despair: the individual is aware of the problem but doesn’t think that the problem can be solved.
6. Lack of tools: the individual doesn’t have the tool to properly sanitize the device.
![Page 60: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/60.jpg)
More explanations
7. Lack of training, or incompetence.
8. Tool error: the tool didn’t work.
9. Equipment failure: the device was broken, so it was too hard to sanitize / sanitizing not obviously necessary.
![Page 61: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/61.jpg)
Tool error: DOS FORMAT lies!
A:\>format c:
WARNING, ALL DATA ON NON-REMOVABLE DISK
DRIVE C: WILL BE LOST!
proceed with Format (Y/N)?y
Formatting 1,007.96M
100 percent completed.
Writing out file allocation table
Complete.
“Data Passed” is a Usability Problem!
![Page 62: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/62.jpg)
“Format” doesn’t sanitize
10 GB drive: 20,044,160 sectors
“FDISK” writes 2,563 sectors (0.01%)
“FORMAT” writes 21,541 sectors (0.11%); does erase the FAT (makes recovery of fragmented files difficult).
![Page 63: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/63.jpg)
“Formatted” drives
51 out of 129 drives had been formatted; 19 had easily recoverable Level 3 data.
46 out of 129 drives had been FDISKed; 30 of these had easily recoverable data.
![Page 64: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/64.jpg)
USB Drives & Digital Cameras
Everything about hard drives applies to other storage media that are treated as a “hard disk.”
Most are formatted with FAT32
![Page 65: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/65.jpg)
Example: Digital Photography
Many police have forced photographers to “delete” images they didn’t want taken.
Ground Zero, post-9/11: unnamed photographer forced by police to delete photos. Was able to recover with help from Slashdot.
College student Mohammed Budeir, Philadelphia, Sept. 4, 2002, taking photographs of police cars. http://www.copcar.com/mo0902.htm
Airlines.net photographer Daniel Wojdylo, forced to delete photos photographed at BUF in April 2002.
Google for: officer made me delete pictures in my digital camera
![Page 66: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/66.jpg)
So how do you sanitize?
dd if=/dev/zero of=/dev/ad2
AutoClave: http://staff.washington.edu/jdlarious/autoclave
DataGone: http://www.symantec.com/ -- ?
SecureClean: http://www.bluesquirrel.com/so/secureclean/
These just aren’t big sellers…
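An added Python example for three passages at once: the DOD 5220.22-M overwrite wording quoted on the Level 5 slide, the blockstats-style triage named on the tools slide, and the dd line above. It is written for this page and is neither the presenter's blockstats nor any of the listed products. It overwrites every block of an image with a character, its complement and a random stream, reads each pass back to verify it, and classifies blocks before and after the way a block-statistics pass does (the “67,878 blocks are all NULs” figure earlier is that kind of count). It operates on an ordinary file so it runs offline; the seeded generator standing in for “a random character”, the 90% printable threshold for a “text” block and the constructed sample image are assumptions of the example.

```python
"""Overwrite-and-verify sanitization of a disk image, plus block triage.

Constructed example following the DOD 5220.22-M wording on the slides
(a character, its complement, a random character, verify) against an
ordinary file standing in for the device. Not the presenter's blockstats.
"""
import os
import random
import secrets
import tempfile
from collections import Counter

BLOCK = 512
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def block_stats(path):
    """Count blocks that are all NULs, mostly printable text, or other binary."""
    stats = Counter()
    with open(path, "rb") as f:
        while blk := f.read(BLOCK):
            if not any(blk):
                stats["nul"] += 1
            elif sum(b in PRINTABLE for b in blk) >= 0.9 * len(blk):  # assumed threshold
                stats["text"] += 1
            else:
                stats["binary"] += 1
    return stats


def _overwrite(path, gen):
    """Write gen(n) over every block; verify calls gen with the same sizes."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, BLOCK):
            f.write(gen(min(BLOCK, size - off)))
        f.flush()
        os.fsync(f.fileno())   # reach the device, not just the page cache


def _verify(path, gen):
    """Read back against a fresh generator. Returns the offset of the first
    block that does not hold what was written, or -1 if every block matches."""
    with open(path, "rb") as f:
        off = 0
        while blk := f.read(BLOCK):
            if blk != gen(len(blk)):
                return off
            off += len(blk)
    return -1


def sanitize(path, char=0x00, seed=None):
    """Three passes (char, complement, random), each read back and verified.
    A seeded PRNG stands in for "a random character" so the random pass can be
    regenerated for the verify step (assumption of this example)."""
    seed = secrets.randbits(64) if seed is None else seed
    passes = {
        "char": lambda: (lambda n: bytes([char]) * n),
        "complement": lambda: (lambda n: bytes([char ^ 0xFF]) * n),
        "random": lambda: random.Random(seed).randbytes,
    }
    result = {}
    for name, make in passes.items():
        _overwrite(path, make())
        result[name] = _verify(path, make())
    return result


def demo():
    """Constructed image: two text blocks, one binary block, three never-used
    blocks. Triage, sanitize, triage again, and confirm the text is gone."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        memo = b"CONFIDENTIAL: loan repayment schedule, account 0000-TEST\n"  # constructed
        with open(path, "wb") as f:
            f.write(memo.ljust(BLOCK, b" ") * 2)
            f.write(bytes(range(256)) * 2)
            f.write(bytes(BLOCK * 3))
        before = dict(block_stats(path))
        passes = sanitize(path, seed=1234)
        after = dict(block_stats(path))
        with open(path, "rb") as f:
            leftover = b"CONFIDENTIAL" in f.read()
    finally:
        os.remove(path)
    return {"before": before, "passes": passes, "after": after, "leftover": leftover}


if __name__ == "__main__":
    print(demo())
```

On a real drive the target would be the whole device (the slides' /dev/ad2), and the read-back is what separates this from a bare dd, which reports nothing about whether the writes landed. The triage counts before the wipe are the same signal the study used to find data; after the random pass every block should classify as binary, with no text and no NUL-only blocks left. Host-side overwriting still never reaches the Level 4 vendor areas of the taxonomy, which is why the slides also list ATA Secure Erase, degaussing and slagging.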
![Page 67: Remembrance of Data Passed: Used Disk Drives and Computer Forensics](https://reader034.vdocuments.us/reader034/viewer/2022051402/568158be550346895dc606e0/html5/thumbnails/67.jpg)
One final thought
Spending less than $1000 and working part time, I was able to collect:
Thousands of credit card numbers
Detailed financial records on hundreds of people
Confidential corporate files
Who else is doing this?