Running head: GARAGE SALE FORENSICS 1. Information Assurance and Security Integrative Project. Garage Sale Forensics. John M.

Information Assurance and Security Integrative Project

Garage Sale Forensics

John M. Wright
TS5910 Information Assurance and Security Integrative Project
Instructor: Randy Stauber
June 14, 2011

Abstract

The purpose of this paper is to explain how information left on electronic data storage devices can be retrieved and used when the devices are not properly disposed of. This project began with the assumption that individuals and organizations leave data on electronic data storage devices when they dispose of them. These assumptions were confirmed using simple and advanced digital forensic techniques, tools, and software, many of which are freely available on the Internet. Individuals and organizations often feel that they can simply delete data and then sell, donate, recycle, or dispose of their unneeded devices without putting themselves or their clients at risk. There are many ethical and legal considerations with regard to protecting electronic data including, but not limited to, identity theft, financial loss, legal liability, loss of reputation, and embarrassment. It is important that electronic data storage devices be properly purged of all residual data before they are disposed of. Individuals and organizations need to understand that failing to properly purge these devices before they are disposed of can come at a great cost to them, both financially and legally.

Table of Contents

Abstract
Garage Sale Forensics
The Hunt for Electronic Data Storage Devices
Electronic Data Storage Device: Defined
Assumptions: Data can Easily be Found
Where Devices can be Found
What to Look for When Selecting Devices to Acquire
Budget and Cost
Analyzing Electronic Data Storage Devices
Storage Device Organization, Cataloging, and Documentation
Forensic Investigation Workstation
Connecting Devices to Forensic Investigation Workstation
Software: Acquisition
Software: Booting to the Operating System
Software: Credential/Password Hacking
Software: Analysis
Software: Data Recovery
The Review Process
The Data
All Your Passwords Are Belong to us!
Software License Keys
Personally Identifiable Information, Financial Data, Health Data
Personal Images and Videos
Pornographic Images and Videos
Black Market Value of Data
Laws and Regulations
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry Data Security Standard (PCI DSS)
California Information Practices Act of 1977 (IPA)
Disposal of Electronic Data Storage Devices
Proper Data Destruction Methods
Software: Disk Wiping
Hardware: Degaussing
Hardware: Destruction
Resale of Devices
Conclusion
References
Appendix A: List of Software and Tools
Appendix B: Computer Equipment and Storage Media Disposal Policy

List of Tables

Table 1. Device Condition
Table 2. Data Sources / Device Source
Table 3. Passwords Discovered
Table 4. Windows OS and Office Keys
Table 5. Data of Interest and PII
Table 6. Black Market Value of Data
Table 7. NIST Media Sanitization Guidelines

List of Figures

Figure 1. USA Recycling Flyer
Figure 2. Example of Actual eBay Hard Drive Purchase
Figure 3. Example of Actual Craigslist Hard Drive Purchase
Figure 4. Windows Disk Defragmenter
Figure 5. Data Sources / Device Sources
Figure 6. Data Sources / Device Interface
Figure 7. IDE/SATA to USB Adaptor
Figure 8. USB WriteBlocker by WiebeTech
Figure 9. Example of Original Owner Information
Figure 10. Examples of Discovered Passwords
Figure 11. Flow Chart of Review Process
Figure 12. Map of Device Sources
Figure 13. Data Source / Previous Owners
Figure 14. Passwords Discovered
Figure 15. PII Data Types Discovered
Figure 16. DiskWipe
Figure 17. DiskWipe

Garage Sale Forensics

This Garage Sale Forensics project describes how electronic data storage devices can be discovered and how the data left on those devices can be used for unauthorized purposes. Storage devices can be found in many places such as garage sales, second hand stores, eBay, Craigslist, recycle centers, trashcans, and dumpsters. Often these devices are disposed of without completely destroying the data that resides or resided on the storage device. The data that is left on these devices may be used in an identity theft, and the original owner of the data could be subject to financial loss, legal liability, loss of reputation, and embarrassment.

During the course of this project many electronic storage devices were acquired from many different sources. Devices were identified as belonging to a variety of different owners including private parties, businesses, government organizations, law enforcement agencies, school districts, and colleges. A variety of techniques, software, and forensic tools were used to analyze the data left on these devices. Much of the software used is freely available on the Internet and all of the software used can be found using illegal torrents or file sharing mechanisms.

Some of the information discovered on these devices includes Social Security numbers, credit card numbers, bank account information, loan documents, tax returns, bookkeeping files, address and phone number lists, health information, application and operating system serial numbers, digital copies of music and movies, personal images and videos, and pornographic images and videos. This project will examine the types of data found on the analyzed devices and attempt to show how the loss of these data types can affect individuals and organizations.

This project will address legal and regulatory requirements including how organizations are supposed to be destroying the data that they are entrusted with, the costs associated with the loss of information, and the costs associated with notifying individuals when their information is lost.

Identity theft is of great concern for individuals, and this type of crime can be facilitated by the improper disposal of electronic storage devices by the individuals themselves. This project will address ways that individuals can protect themselves by disposing of their devices in a secure and safe manner. Many software applications and other methods can be used to ensure that data is completely removed and unrecoverable before the electronic storage device is disposed of. Unfortunately, as this project will show, many individuals and organizations are unaware of these tools or are simply not using them. This project will describe methods that can be used in order to completely sanitize and destroy any data left on these devices.

The Hunt for Storage Devices

Electronic data storage devices can be found in many locations. It does not require a large financial investment or a great amount of time to locate devices that may yield useful information. An individual simply needs to understand where to locate devices and how to identify devices that may contain useful data. Understanding this can ultimately protect individuals and organizations from losses that may be incurred from the improper disposal of electronic data storage devices.

Electronic Data Storage Devices Defined

There is a lack of a single clear definition of the term electronic data storage device. Many sources simply classify data storage devices as computer storage disks.
A decent definition of electronic media is found in NIST Special Publication ; which states, "Electronic media are the bits and bytes contained in hard drives, random access memory (RAM), read-only memory (ROM), disks, memory devices, phones, mobile computer devices, networking equipment, and many other types [of devices]..." (NIST pub , 2006).

To define "electronic data storage device" for the purpose of this project, the term must be dissected into two parts. First, a "data storage device" is any device capable of storing data or information. Second, an "electronic data storage device" requires electrical power to read data on or write data to the storage device. Some examples of a data storage device could be a note pad, stone tablet, vinyl record, or a book. Electronic data storage devices, as described above, require electricity to read or write data; therefore, examples would include magnetic drives such as tapes and hard disk drives, solid state drives such as flash memory, volatile memory, secure digital cards (SD), and optical devices such as compact disks (CD) and digital video disks (DVD). One can easily see the difference between the two mediums.

The focus of this project will be on electronic data storage devices. Any reference to storage, data, or storage devices within this document, unless otherwise stated, concerns electronic data storage devices.

Assumptions: Data can be Easily Found

At the onset of this project an assumption was made that individuals and organizations were disposing of electronic data storage devices without completely destroying the data that resides, or resided, on the storage device. This assumption was made after reading many articles and reports about data loss, data theft, and the year-after-year rise in identity theft.
According to the Federal Trade Commission, in 2008 the number of identity theft cases rose 22% over 2007, and in 2009 it rose 12% over the 2008 numbers (blogiversity.org, 2010). According to an article from Government Technology magazine online, even office equipment like digital photocopiers contain hard drives which can be a potential target for data theft, especially if the machinery is resold after it's been used (Rich, 2011).

Identity theft is the unauthorized use of personal information such as a person's name, bank account number, address, birth date, and Social Security number (Hadnagy, 2011, p. 17). Criminals can discover information that may be used in the commission of an identity theft from many sources. Some of these sources include data breaches and/or hacks, social engineering, and the loss of data from the improper disposal, loss, or theft of electronic data storage devices.

Where Devices can be Found

Electronic data storage devices can be found in many places. A requirement of this project was to locate devices that have or potentially have residual data left by the previous owner on the device. This requirement stipulated that all devices must be used and must be purchased or found from a source that did not explicitly state during the sale that the device was securely erased. Securely erasing, otherwise known as wiping, would render any and all data on the device unrecoverable. Wiping is defined as the act of "...overwriting each addressable sector [of the storage device] with either random or a discrete character" (Cardwell, et al., 2007, p. 58). Locations that could provide a high probability of un-wiped devices include garage sales, Craigslist, eBay, second hand stores, thrift shops, recycling centers, trashcans, and dumpsters. Examples of locations that could provide a low probability of un-wiped devices include government surplus, hospital surplus, and other regulated organizations.
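
The wiping definition above can be checked mechanically before a device leaves its owner's control. The following is an added example, not part of the original paper: it labels each sector of a device image as overwritten with a discrete character, random-looking, or still holding residual data. The 512-byte sector size, the entropy threshold, and the sample image are assumptions constructed for illustration.

```python
"""Added example: audit a device image against the wiping definition."""
import hashlib
import io
import math
from collections import Counter

SECTOR = 512        # assumed logical sector size in bytes
RANDOM_BITS = 7.0   # assumed entropy floor (bits per byte) for random fill


def entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify(block: bytes) -> str:
    """Label one sector by what it appears to hold."""
    if len(set(block)) == 1:
        return "discrete"      # one repeated character, e.g. 0x00 or 0xFF
    if entropy(block) >= RANDOM_BITS:
        # Random overwrite, but encrypted or compressed leftovers look the
        # same, so read this label as "not readable", not "proven wiped".
        return "random"
    return "residual"          # structured bytes: data survived disposal


def audit(stream) -> dict:
    """Read a binary stream sector by sector and tally the labels."""
    report = {"discrete": 0, "random": 0, "residual": 0, "residual_lbas": []}
    lba = 0
    while block := stream.read(SECTOR):
        label = classify(block)
        report[label] += 1
        if label == "residual":
            report["residual_lbas"].append(lba)
        lba += 1
    return report


def is_wiped(report: dict) -> bool:
    """True only when at least one sector was read and none is residual."""
    total = report["discrete"] + report["random"] + report["residual"]
    return total > 0 and report["residual"] == 0


def pseudo_random_sector(seed: int) -> bytes:
    """Deterministic high-entropy filler for the constructed sample."""
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(16))


def sample_image() -> bytes:
    """Constructed 8-sector image: files deleted but never overwritten."""
    zero = bytes(SECTOR)
    doc = (b"CONSTRUCTED SAMPLE loan application, applicant Jane Doe, "
           b"account 0000-0000\r\n" * 8)[:SECTOR]
    mixed = (b"\xff\xd8\xff\xe0 constructed JPEG header fragment" + zero)[:SECTOR]
    return b"".join([zero, zero, zero, pseudo_random_sector(1), doc,
                     zero, mixed, pseudo_random_sector(2)])


if __name__ == "__main__":
    result = audit(io.BytesIO(sample_image()))
    print(result, "wiped:", is_wiped(result))
```

To audit a real image, pass a file opened in binary mode to `audit()`; any sector reported in `residual_lbas` means the device does not meet the definition and should be wiped again or physically destroyed.
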

Dumpster diving is a term that describes pawing through a target's garbage in search of valuable information (Mitnick, 2003, p. 253). In California, as with many states, dumpster diving is a legal act as long as accessing the dumpster, or area where the trash is set for disposal, does not require trespassing on private property. The case of California v. Greenwood states that when:

"...respondents voluntarily left their trash for collection in an area particularly suited for public inspection, their claimed expectation of privacy in the inculpatory items they discarded was not objectively reasonable... Moreover, respondents placed their refuse at the curb for the express purpose of conveying it to a third party... who might himself be expected to have sorted through it or permitted others... to do so" (California v. Greenwood, 1988)

Recycling centers or neighborhood recycling drives may also provide opportunities to acquire devices. In August of 2010, a notice was taped to many mailboxes in the eastern area of Oroville, California. This notice, shown in Figure 1, advertises that an organization known only as USA Recycling will provide a free curbside pick-up service of unwanted electronic items. This curbside pickup would arguably fall into the same classification as dumpster diving. The owners of the items lost their claim to any expectation of privacy when they voluntarily discarded the items by placing them on the curb for the express purpose of conveying them to a third party.

Figure 1. USA Recycling flyer that advertises free pickup of devices.

What to Look for When Selecting Devices to Acquire

The location of the device by itself cannot dictate whether or not data would be recoverable. Written advertisements included in Craigslist and eBay postings may include wording that indicates that the device may have been wiped and tested; such listings were avoided when acquiring devices for this project.
Other postings include wording such as "pulls from working computers" or "pulled from running desktops", which suggests that the devices may contain data. Figure 2 and Figure 3 show advertisements of actual purchases made during research for this project.

Figure 2. Shows an actual eBay listing that was purchased for this project. Note the description states that the devices were "Pulls from working computers."

Figure 3. Shows an actual Craigslist listing that was purchased for this project. During this purchase, the seller powered the devices on and used Windows XP to delete the data.

When searching garage sales for storage devices, asking questions like "does the drive work?" may return answers like "it was when I pulled it from the computer." Another question that could be asked to derive information from the owner would be "is there still an operating system on the drive?" Often people will sell entire working systems at garage sales, and on some occasions they will have them powered on so that the prospective buyer can see that they work. This would give the buyer a chance to quickly review the system on site. A quick way to possibly determine if the device may have data on it would be to look at the recycle bin, Internet history, or My Documents folder, or to quickly launch the Windows disk defragmentation utility (dfrgui.exe) to see if there is any fragmented data or free space on the drive. Fragmented data or free space may indicate that data had been deleted by the user but had not yet been written over by the operating system (Stanek, 2007, p. 474). Figure 4 shows the Windows disk defragmentation utility running. Notice the white space in the chart that indicates free space. This free space may house recoverable data.

Figure 4. Notice the white space shown in the first chart; this space indicates that residual data may be recoverable on this device.

When purchasing from second hand stores and thrift shops, the owners of the device or employees working at these locations normally have no idea where the devices came from. Therefore, any purchase of devices from these types of locations may be a gamble. As with second hand and thrift shops, dumpster diving provides no contact with the previous owners of the devices and is also a gamble as to whether or not there is data on the devices. However, dumpster diving has no financial risk associated with it.

Budget and Cost

Purchasing used electronic data storage devices can quickly become very expensive. It was decided early in the project that a budget was required in order to minimize expenses. A maximum of $500 was allotted for the purchase of storage devices. This amount would include any shipping costs or other costs associated with the purchase. In total, 89 storage devices were purchased or acquired for this project at a total cost of $ This amount was well under the $500 project budget.

Analyzing Electronic Data Storage Devices

Analyzing electronic data storage devices can be defined as the process of discovering useful information that addresses the questions that were the grounds for performing the collection and examination (Marcella & Menendez, 2008, p. 463). In order to discover data found on storage devices one must make a plan, create or use an analysis computer system to acquire and examine the information, determine methods of connecting the devices to the analysis computer, create usable copies of the devices, develop ways to look into operating systems, and have the tools and skills required to break or hack passwords in order to gain system and/or file access.

Storage Device Organization, Cataloging, and Documentation

A spreadsheet was developed in order to organize, catalog, and document each device acquired during this project.
Whenever a device was acquired it was added to the spreadsheet along with detailed information about the date, location, manufacturer, serial number, interface type, capacity, and cost. This information would later be helpful in identifying individual devices.

In total, 89 storage devices were acquired and used in this project. As shown in Figure 5, 54% were purchased from eBay, 25% were taken from trashcans or dumpsters, 10% from garage sales, 6% from Craigslist, 4% from second hand or thrift stores, and 1% were donated for the project.

Figure 5. Locations of where devices were acquired for this project.

As shown in Figure 6, many of the devices found were older technology utilizing Integrated Drive Electronics (IDE) interfaces. These IDE types may also include Advanced Technology Attachment (ATA) and Parallel Advanced Technology Attachment (PATA). IDE, ATA, PATA, and other similar technologies use the same physical connector; therefore they are all grouped together in the statistics.

Figure 6. Different interfaces of the devices acquired for this project.

Forensic Investigation Workstation

In order to ensure that project data did not commingle with any non-project data, a forensic workstation was built exclusively for this project. The computer was built using spare parts and components from older computer systems. The workstation had an Intel-based dual-core 2.4 GHz central processing unit (CPU), 4 GB of memory, two 500 GB SATA hard disk drives, and the Windows 7 64-bit operating system. Prior to performing any analysis of any device, the system was fully patched and updated. Other applications installed included Microsoft Office 2010, Microsoft Security Essentials, QuickTime Player, VideoLAN Media Player (VLC), Adobe Flash, Adobe Reader, Adobe Macromedia, Sun Java, Mozilla Firefox, VMWare, Quickbooks, and WinRAR.
All software installed was legitimately purchased or was licensed as freeware, shareware, or as a General Public License (GNU). While many, if not all, of the commercially licensed applications listed within this project are available via illegal downloading and file sharing applications, no hacked or illegally acquired applications were used.

Connecting Devices to Forensics Investigation Workstation

In order to view data on storage devices, the device must be physically connected to the forensic investigation workstation. In order to facilitate connection, an IDE/SATA to USB adaptor was utilized. This adaptor allows for many different devices to be connected using a standard USB port to the forensic workstation. Figure 7 shows the adaptor used during the course of this project. In some cases secure digital cards (SD cards) would be inspected requiring a USB multi-card reader. This multi-card reader allows for the inspection of many different flash memory card types comm