new directions in disk forensics simson l garfinkel
play

New Directions in Disk Forensics Simson L. Garfinkel January 15, - PowerPoint PPT Presentation

Aug 21, 2022 •205 likes •991 views

New Directions in Disk Forensics Simson L. Garfinkel January 15, 2006, 3:15pm Postdoctoral Fellow, Center for Research on Computation and Society Harvard University 1 Here are 200 hard drives Which contain the email address

  1. New Directions in Disk Forensics Simson L. Garfinkel January 15, 2006, 3:15pm Postdoctoral Fellow, Center for Research on Computation and Society Harvard University 1

  2. Here are 200 hard drives Which contain the email address “ simsong@media.mit.edu ”? 2

  3. This talk presents new tools and techniques for performing forensic analysis on a large number of disk drives. The drives Project The Traceback Study Cross Drive Forensics and AFF 3

  4. Purchased used from a computer store in August 1998: 4

  5. Computer #1: 486-class machine with 32MB of RAM A law firm’s file server... ...with client documents! Computers #2 through #10 had: • Mental health records • Home finances • Draft of a novel... Was this a chance accident or common occurrence? 5

  6. Hard drives pose special problem for computer security Do not forget data when power is removed. Contain data that is not immediately visible. Today’s computers can read hard drives that are 15 years old! • Electrically compatible (IDE/ATA) • Logically compatible (FAT16/32 file systems) • Very different from tape systems 6

  7. Scale of the problem: huge! 400 M Drives Shipped Drives Retired 350 M 300 M 250 M 200 M 150 M 100 M 50 M 1996 1998 2000 2002 2004 2006 210 million drives will be retired this year. 7

  8. Physical destruction will remove the information... ...but many “retired” drives are not physically destroyed. 8

  9. There is a significant secondary market for used disk drives. Retired drives are: • Re-used within organizations • Given to charities • Sold at auction About 1000 used drives/day sold on eBay. 9

  10. There are roughly a dozen documented cases of people purchasing old PCs and finding sensitive data. • A woman in Pahrump, NV bought a used PC with pharmacy records [Markoff 97] • Pennsylvania sold PCs with “thousands of files” on state employees [Villano 02] • Paul McCartney’s bank records sold by his bank [Leyden 04] • O&O Software GmbH – 100 drives.[O&O 04] • O&O Software GmbH – 200 drives.[O&O 05] None of these are scientifically rigorous studies. 10

  11. I purchase hard drives on the secondary market. 2001: 100 drives 2003: 150 drives 2005: 500 drives 2006: 950 drives 11

  12. Drives arrive by UPS and USPS 12

  13. Some drives are purchased in person 10GB drive: $19 “tested” 500 MB drive: $3 “as is” Q: “How do you sanitize them?” A: “We FDISK them!” Weird Stuff, Sunnyvale California, January 1999 13

  14. Data on drives “imaged” using FreeBSD and AImage 14

  15. Images stored on external firewire drives This is 900GB of storage. 15

  16. Note: I am not considering exotic recovery techniques. I assume that writing a sector destroys its previous contents. Some people claim that secret government agencies with advanced technology can recover overwritten data. This technology has never been publicly demonstrated. Even without the Men In Black, a lot of data can be recovered! 16

  17. Example: Disk #70: IBM-DALA-3540/81B70E32 Purchased for $5 from a Mass retail store on eBay Copied the data off: 541MB Initial analysis: Total disk sectors: 1,057,392 Total non-zero sectors: 989,514 Total files: 3 The files: drwxrwxrwx 0 root 0 Dec 31 1979 ./ -r-xr-xr-x 0 root 222390 May 11 1998 IO.SYS -r-xr-xr-x 0 root 9 May 11 1998 MSDOS.SYS -rwxrwxrwx 0 root 93880 May 11 1998 COMMAND.COM 17

  18. Clearly, this disk was FORMATed... 18

  19. FORMAT and FDISK overwrite very few disk sectors. 10 GB drive: 20,044,160 sectors Sectors Command Written % FORMAT 21,541 0.11% FDISK 2,563 0.01% FORMAT erases the FAT, complicating the recovery of fragmented files. 19

  20. UNIX “strings” reveals the disk’s previous contents... % strings 70.img | more Insert diskette for drive and press any key when ready Your program caused a divide overflow error. If the problem persists, contact your program vendor. Windows has disabled direct disk access to protect your long To override this protection, see the LOCK /? command for more The system has been halted. Press Ctrl+Alt+Del to restart You started your computer with a version of MS-DOS incompatible version of Windows. Insert a Startup diskette matching this OEMString = "NCR 14 inch Analog Color Display Enchanced SVGA, Graphics Mode: 640 x 480 at 72Hz vertical refresh. XResolution = 640 YResolution = 480 20

  21. 70.img con’t... ling the Trial Edition ---------------------------- IBM AntiVirus Trial Edition is a full-function but time-limited evaluation version of the IBM AntiVirus Desktop Edition product. may have received the Trial Edition on a promotional CD-ROM single-file installation program over a network. The Trial is available in seven national languages, and each language provided on a separate CC-ROM or as a separa EAS.STCm EET.STC ELR.STCq ELS.STC 21

  22. 70.img con’t... MAB-DEDUCTIBLE MAB-MOOP MAB-MOOP-DED METHIMAZOLE INSULIN (HUMAN) COUMARIN ANTICOAGULANTS CARBAMATE DERIVATIVES AMANTADINE MANNITOL MAPROTILINE CARBAMAZEPINE CHLORPHENESIN CARBAMATE ETHINAMATE FORMALDEHYDE MAFENIDE ACETATE 22

  23. [Garfinkel & Shelat 03] established the scale of the problem. We found: • Thousands of credit card numbers • Financial records • Medical information • Trade secrets • Highly personal information We did not determine why the data had been left behind. 23

  24. Why don’t we hear more stories? Hypothesis #1: Disclosure of “data passed” is exceedingly rare because most systems are properly cleared. Hypothesis #2: Disclosures are so common that they are not newsworthy. Hypothesis #3: Systems aren’t properly cleared, but few people notice the data. 24

  25. Data on a hard drive is arranged in sectors. / tmp usr bin a b slg ls cp mv beth mail junk The white sectors indicate directories and files that are visible to the user. 25

  26. Data on a hard drive is arranged in sectors. x8 / x5 tmp usr x4 bin x1 a x6 b slg ls cp mv x7 beth mail junk x3 x2 The brown sectors indicate files that were deleted. 26

  27. Data on a hard drive is arranged in sectors. x8 / x5 tmp usr x4 bin x1 a x6 b slg ls cp mv x7 beth mail junk x3 x2 The green sectors indicate sectors that were never used (or that were wiped clean). 27

  28. Stack the disk sectors: Zero Blocks x8 / Deleted Files x5 tmp usr x4 bin x1 a x6 b slg ls cp mv x7 beth mail junk x3 x2 Files . 28

  29. NO DATA: The disk is factory fresh. . Zero Blocks Deleted Files All Blocks are Zero Files time . 29

  30. FORMATTED: The disk has an empty file system . Zero Blocks Deleted Files Blank All Blocks are Blocks Zero Files File System Structures time . 30

  31. AFTER OS INSTALL: Temp. files have been deleted . Zero Blocks Deleted Files Blank All Blocks are Blocks Free Blocks Zero Files Deleted temporary files OS and Applications File System Structures time . 31

  32. AFTER A YEAR OF SERVICE . Blocks never written Zero Blocks Deleted files Deleted Files Blank All Blocks are ... 1 year ... Blocks Free Blocks Zero OS, Applications, and user files Files Deleted temporary files OS and Applications File System Structures time . 32

  33. DISK NEARLY FULL! . Blocks never written Zero Blocks Deleted files OS, Apps, Deleted Files Blank user files, All Blocks are ... 1 year ... Blocks Free Blocks and lots of Zero MP3s! OS, Applications, and user files Files Deleted temporary files OS and Applications File System Structures time . 33

  34. FORMAT C: \ (to sell the computer.) . Blocks never written Zero Blocks Deleted files OS, Apps, Deleted Files Blank user files, All Blocks are ... 1 year ... Blocks Free Blocks and lots of Recoverable Zero MP3s! Data OS, Applications, and user files Files Deleted temporary files OS and Applications File System Structures time . 34

  35. We can use forensics to reconstruct motivations: . OS, Apps, Training Usability user files, failure failure and lots of Recoverable MP3s! Data time . 35

  36. Drives 1–236 are dominated by failed sanitization attempts. 2 , 500 2 , 000 No Data (blocks cleared) Data not in the file system (level 2 and 3) Data in the file system (level 0) 1 , 500 Megabytes 1 , 000 500 0 ..but training failures are also important. 36

  37. Overall numbers for the June 2005 report: Drives Acquired: 236 Drives DOA: 60 Drives Images: 176 Drives Zeroed: 11 Drives “Clean Formatted:” 22 Total files: 168,459 Total data: 125G 37

  38. Only 33 out of 176 working drives were properly cleared! • 1 from Driveguys — but 2 others had lots of data. • 18 from pcjunkyard — but 7 others had data. • 1 from a VA reseller — 1 DOA; 3 dirty formats. • 1 from an unknown source — 1 DOA, 1 dirty format. • 1 from Mr. M. who sold his 2GB drive on eBay. There is no consistency on which organizations deliver cleared drives. 38

  39. But what really happened? ? I needed to contact the original drive owners. 39

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate

Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate

Anti-Forensics: Techniques, Detection and Countermeasures Simson L. Garfinkel Naval Postgraduate School What is Anti-Forensics? Computer Forensics: Scientific Knowledge for collecting, analyzing, and presenting evidence to the courts

322 views • 15 slides
Automating Disk Forensic Processing with SleuthKit, XML and Python Simson Garfinkel, Ph.D. May

Automating Disk Forensic Processing with SleuthKit, XML and Python Simson Garfinkel, Ph.D. May

Automating Disk Forensic Processing with SleuthKit, XML and Python Simson Garfinkel, Ph.D. May 20, 2009 SADFE 2009 Associate Professor Naval Postgraduate School http://faculty.nps.edu/slgarfin/ NPS is the Navys Research University.

627 views • 35 slides
CSCI E-170 L13: Aligning Security and Usability Simson L. Garfinkel Center for Research on

CSCI E-170 L13: Aligning Security and Usability Simson L. Garfinkel Center for Research on

CSCI E-170 L13: Aligning Security and Usability Simson L. Garfinkel Center for Research on Computation and Society Harvard University 1 Administrivia Final Project Presentation Schedules are on the website. HW4 2 Tonight we will look at

520 views • 35 slides
CSCI E-170 Lecture 02: Physical Security and Information Leakage Simson L. Garfinkel Center for

CSCI E-170 Lecture 02: Physical Security and Information Leakage Simson L. Garfinkel Center for

CSCI E-170 Lecture 02: Physical Security and Information Leakage Simson L. Garfinkel Center for Research on Computation and Society Harvard University September 26, 2005 1 Todays Outline: 1. LiveJournal 2. HW1 and HW2 3. Readings 4.

1.36k views • 113 slides
CSCI E-170 Lecture 03: Hash functions and Symmetric Ciphers Simson L. Garfinkel Center for

CSCI E-170 Lecture 03: Hash functions and Symmetric Ciphers Simson L. Garfinkel Center for

CSCI E-170 Lecture 03: Hash functions and Symmetric Ciphers Simson L. Garfinkel Center for Research on Computation and Society Harvard University October 3, 2005 1 Administrivia 1. LiveJournal everybody okay? 2. HW1 Checkpoint 3.

450 views • 42 slides
CSCI E-170 Lecture 09: Attacker Motivations, Computer Crime and Secure Coding Simson L. Garfinkel

CSCI E-170 Lecture 09: Attacker Motivations, Computer Crime and Secure Coding Simson L. Garfinkel

CSCI E-170 Lecture 09: Attacker Motivations, Computer Crime and Secure Coding Simson L. Garfinkel Center for Research on Computation and Society Harvard University November 21, 2005 1 Todays Agenda 1. Administrivia 2. Missing Readings

1.29k views • 108 slides
Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on

Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on

Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on Computation and Society Harvard University 1:15pm, Tuesday, August 15, 2006 1 Todays forensic tools are designed for one drive at a time.

552 views • 34 slides
IRBs and Security Research: Myths, Facts and Mission Creep Simson L. Garfinkel Center for

IRBs and Security Research: Myths, Facts and Mission Creep Simson L. Garfinkel Center for

IRBs and Security Research: Myths, Facts and Mission Creep Simson L. Garfinkel Center for Research on Computation an Society Naval Postgraduate School Since the late 1990s, security researchers have increasingly focused on "the

557 views • 41 slides
Forensic Carving of Network Packets and Associated Data Structures Robert Beverly, Simson

Forensic Carving of Network Packets and Associated Data Structures Robert Beverly, Simson

Forensic Carving of Network Packets and Associated Data Structures Robert Beverly, Simson Garfinkel, Greg Cardwell Naval Postgraduate School {rbeverly,slgarfin,gscardwe}@nps.edu August 2, 2011 DFRWS Conference 2011 R. Beverly, S. Garfinkel,

351 views • 32 slides
Small-block Disk Forensics and Triage Outline Disk Structure. Triage. File Signatures.

Small-block Disk Forensics and Triage Outline Disk Structure. Triage. File Signatures.

Small-block Disk Forensics and Triage Outline Disk Structure. Triage. File Signatures. Discriminators. Contraband Identification. Sector-based Hashing. Conclusions. Author: Prof Bill Buchanan Small Block Disk Forensics and

768 views • 45 slides
CSCI E-170 Lecture 11: Redux of papers, Logging, The Law, Integrity Management Simson L.

CSCI E-170 Lecture 11: Redux of papers, Logging, The Law, Integrity Management Simson L.

CSCI E-170 Lecture 11: Redux of papers, Logging, The Law, Integrity Management Simson L. Garfinkel Center for Research on Computation and Society Harvard University December 5, 2005 1 Todays Agenda 1. Administrivia 2. Midterm Projects:

881 views • 54 slides
Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter:

Introduction to Security Forensics and Incident Handling Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Topic Outcomes Acquire data (from a disk) using `dd` Analyze image of disk from `dd` using forensics tools including

492 views • 19 slides
Live Disk Forensics on Bare Metal Hongyi Hu and Chad Spensky {hongyi.hu,chad.spensky}@ll.mit.edu

Live Disk Forensics on Bare Metal Hongyi Hu and Chad Spensky {hongyi.hu,chad.spensky}@ll.mit.edu

Live Disk Forensics on Bare Metal Hongyi Hu and Chad Spensky {hongyi.hu,chad.spensky}@ll.mit.edu Open-Source Digital Forensics Conference 2014 This work is sponsored by the Assistant Secretary of Defense for Research and Engineering under Air

800 views • 50 slides
2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive

884 views • 70 slides
Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class Teaching forensics at of students UL FRI

Teaching digital forensics in a large class of students Teaching digital forensics in a large class Teaching forensics at of students UL FRI Generating customized disk images Gaper Fele-or University of Ljubljana, Faculty of

446 views • 23 slides
Vertical Oscillation of Protoplanetary Disk (PP disk): 1D multi color Radiation Hydrodynammical

Vertical Oscillation of Protoplanetary Disk (PP disk): 1D multi color Radiation Hydrodynammical

Vertical Oscillation of Protoplanetary Disk (PP disk): 1D multi color Radiation Hydrodynammical Simulations Hot upper atmospheres and cold main disk oscillate in the opposite directions. Tomoyuki Hanawa Tetsuya Harada (Chiba U.) 1 13 7

524 views • 23 slides
On Third-Order Asymptotics for DMCs Vincent Y. F. Tan Institute for Infocomm Research (I 2 R)

On Third-Order Asymptotics for DMCs Vincent Y. F. Tan Institute for Infocomm Research (I 2 R)

On Third-Order Asymptotics for DMCs Vincent Y. F. Tan Institute for Infocomm Research (I 2 R) National University of Singapore (NUS) January 20, 2013 Vincent Tan (I 2 R and NUS) Third-Order Asymptotics for DMCs HKTW Workshop 2013 1 / 29

1.77k views • 96 slides
The Hospitality Industry Chapter 11 1 Learning Outcomes Recall advice from professionals

The Hospitality Industry Chapter 11 1 Learning Outcomes Recall advice from professionals

The Hospitality Industry Chapter 11 1 Learning Outcomes Recall advice from professionals working in hospitality professions Remember key terms, events and people that relate to the past and present in hospitality professions

273 views • 11 slides
Food/Non-food Image Classification and Food Categorization using Pre-Trained GoogLeNet Model

Food/Non-food Image Classification and Food Categorization using Pre-Trained GoogLeNet Model

1 Food/Non-food Image Classification and Food Categorization using Pre-Trained GoogLeNet Model Ashutosh Singla, Lin Yuan , and Touradj Ebrahimi lin.yuan@epfl.ch Multimedia Signal Processing Group Wearable, October 13, 2016 EPFL, Lausanne,

309 views • 14 slides
October 11 th , 2017 Adapted from Stanford U124 Outline What is sentiment analysis? Positive

October 11 th , 2017 Adapted from Stanford U124 Outline What is sentiment analysis? Positive

DATA130006 Text Management and Analysis Sentiment Analysis School of Data Science, Fudan University October 11 th , 2017 Adapted from Stanford U124 Outline What is sentiment analysis? Positive or

740 views • 73 slides
Fair Scheduling On the Coasts: A Look at Research and Campaigns in NYC and LA Liz Ben-Ishai ,

Fair Scheduling On the Coasts: A Look at Research and Campaigns in NYC and LA Liz Ben-Ishai ,

Fair Scheduling On the Coasts: A Look at Research and Campaigns in NYC and LA Liz Ben-Ishai , Center for Law and Social Policy (CLASP) Harold Stolper , Community Service Society (CSS) Brad Lander , New York City Council Member Saba

339 views • 16 slides
The e Ghan anai aian an Per erspe pecti tive George Kofi Amoako, Phd Evans Sokro , Phd

The e Ghan anai aian an Per erspe pecti tive George Kofi Amoako, Phd Evans Sokro , Phd

Dec ecen ent t Job and d Job Satis isfacti action on among g Wome men: The e Ghan anai aian an Per erspe pecti tive George Kofi Amoako, Phd Evans Sokro , Phd Robert Kwame Dzogbenuku Ophelia Delali Dogbe Zungbey @ Central

415 views • 27 slides
Problem and Solution Overview Problem The problem is simple. Ordering food in a sushi restaurant

Problem and Solution Overview Problem The problem is simple. Ordering food in a sushi restaurant

Problem and Solution Overview Problem The problem is simple. Ordering food in a sushi restaurant takes a long time. The process starts with the waitress, and goes something like this: Waitress -> Takes an order -> Goes to Sushi bar to place

467 views • 9 slides
Wr WriteShop (The Food Fi First way) A fast and efficient way of documen2ng knowledge,

Wr WriteShop (The Food Fi First way) A fast and efficient way of documen2ng knowledge,

Wr WriteShop (The Food Fi First way) A fast and efficient way of documen2ng knowledge, sharing stories, forging a strategic vision, and ac2va2ng the voices of social movements In t In the Begin e Beginnin ing g Convene 12-20

628 views • 28 slides

More recommend