Your corporate information...going, going, gone to the highest bidder
Dr Craig Valli, Information Age
18/08/2006 11:56:52
Organisations and individuals increasingly store information and data about themselves on a wide variety of digital devices which form an organisation's "digital memory". As such it should be safeguarded against disclosure and breaches of integrity, and many organisations and individuals use various measures (often at considerable expense) to do so.
However, evidence suggests that these assets are disposed of poorly with much of the data being intact or readily retrievable using simple forensic recovery techniques.
This paper presents results from an ongoing Australian study into the ability to recover information from hard drives that are for sale at public auctions in Australia. This study is in turn part of a larger collaborative study into hard disk disposal in the UK and Europe.
The examined hard disks were taken from computers that were randomly selected and purchased at several auctions both physical and online. The results from this study indicate careless disposal of data devices is widespread in Australia.
Introduction
All individuals or organisations using computers have data that they wish to remain private for reasons of confidence or commercial sensitivity. Users of information technology spend a large amount of money protecting information systems with firewalls, antiviral measures and cryptographic controls to stop disclosure or destruction of data that is contained on these systems.
The intelligent use of IT can enable organisations to have significant strategic advantage over their competitors. This strategic information is typically being stored on semi-permanent magnetic media in the form of hard disk storage. This information could indicate financial status or arrangements of the entity, corporate methods, processes and resultant data, as well being subject to strict privacy and confidentiality issues.
The market for hard disks is expanding: Gartner Dataquest predicts that shipments of desktop-class 3.5-inch hard disks will grow from 190.8 million in 2003 to 298.7 million in 2008. For laptops with 2.5-inch hard disks the growth is expected to go from 3.6 million units in 2003 to almost 20 million units in 2008 (Monroe 2003). This indicates that the problem of disk disposal will continue to increase as these drives become obsolete.
These hard disks or disk arrays contain megabytes to terabytes of valuable personal or corporate information. This volume of information increases in organisations with the addition of each new computer or hard disk array. A disposal of 100 corporate computers with 80GB hard disks would see a combined storage capacity of 8 terabytes of data being released to auction houses. It is true that much of the data on these hard disks would be replicated (for example, standard operating systems plus the standard application suites used by the organisation).
However, these devices taken together have the potential to document a corporate memory in its entirety, as many of the fungible artefacts that organisations produce are now in digital form. Even the makeup and security patch level of a standard operating environment will give potential attackers valuable information about potential avenues for exploit. If incorrectly erased, this corporate memory will remain on the hard disks.
It is a fact that all organisations and individuals that use computers will at some stage have to dispose of hardware due to obsolescence. Many organisations and individuals will simply on-sell or trade in the computer without forensically erasing the hard disk. The problem is that many of these disposed computers have drives that are in a state where the information contained on them can be recovered via simple forensic techniques (Duvall 2003; Garfinkel and Shelat 2003; Monroe 2003; de Paula 2004; de Paula 2004).
This paper is an extended study into the ability to recover information from hard drives that are for sale at public auctions in Australia. The hard disks were taken from computers that were randomly selected and purchased at several traditional face-to-face auctions as well as online auctions.
An initial study in 2004 examined a total of 19 disks; in 2006 a total of 53 hard disks were studied. All hard disks were forensically imaged and investigated. The techniques and methods used in the subsequent forensic analysis ranged from the simple, such as searching the image with a hexadecimal editor, through to the complex, with specialist recovery tools such as Foremost and Autopsy.
What ensures that a hard drive is erased?
The US Department of Defense (USDOD) has a standard for erasure of hard drives which is stated as "Overwrite all addressable locations with a character, its complement, then a random character and verify" (Defense 1997, p. 58). This standard is referred to as DoD 5220.22-M and is used as a de facto standard by manufacturers of hard disk erasure software.
This level of erasure is recommended for all devices except those containing materials classified top secret (due to the possibility of recovery using magnetic remanence techniques).
A paper by Gutmann (1996) examined and outlined the problems associated with secure erasure of magnetic devices due to recovery via remanence and other issues. Gutmann suggests that a system that overwrites the drive 35 times with random patterns is able to reduce the possibility of recovery using magnetic microscope (remanence) techniques. Gutmann states in an epilogue to the 1996 paper that this is not the "magic number" against recovery using the advanced techniques.
However, it does make recovery by advanced methods too expensive to achieve. It should be noted for the purposes of forensic examination that the use of a certified erasure tool is sufficient cleaning when returning hard disks to a forensically sterile condition. Most of the certified tools can use the "35 pass Gutmann" method as the most secure level of erasure.
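To make the quoted three-pass wording concrete, the following is an added Python example, not the study's tooling and not any vendor's certified product. It applies the character pass, the complement pass and the random-character pass to an image file or block device, then reads the whole target back to verify the final pass. The random pass writes a single random byte value to every location, matching the wording "a random character", which is what makes an exact read-back verification possible; tools that write fresh random data per block have to verify differently. The CHUNK size, the default pattern byte 0x55 and the planted sample document are constructed for the demonstration.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # read/write granularity in bytes (constructed choice, not from the standard)


def _fill_pass(fd: int, size: int, value: int) -> None:
    """Overwrite every addressable byte of the target with one byte value."""
    os.lseek(fd, 0, os.SEEK_SET)
    block = bytes([value]) * CHUNK
    remaining = size
    while remaining > 0:
        written = os.write(fd, block[:min(CHUNK, remaining)])
        remaining -= written
    os.fsync(fd)  # make sure the pass reached the device before the next one starts


def _verify_pass(fd: int, size: int, value: int) -> bool:
    """Read the whole target back and confirm every byte matches the final pattern."""
    os.lseek(fd, 0, os.SEEK_SET)
    block = bytes([value]) * CHUNK
    remaining = size
    while remaining > 0:
        data = os.read(fd, min(CHUNK, remaining))
        if not data or data != block[:len(data)]:
            return False
        remaining -= len(data)
    return True


def dod_5220_wipe(path: str, character: int = 0x55) -> dict:
    """Character pass, complement pass, random-character pass, then verify the last pass."""
    complement = (~character) & 0xFF
    random_char = secrets.randbelow(256)  # the "random character" of the third pass
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for image files and for block devices
        for value in (character, complement, random_char):
            _fill_pass(fd, size, value)
        verified = _verify_pass(fd, size, random_char)
    finally:
        os.close(fd)
    return {"bytes": size, "passes": 3, "final_pattern": random_char, "verified": verified}


SAMPLE_DOC = b"Board minutes 16/3/2004 - CONFIDENTIAL draft"  # constructed document text


def demo_wipe_image(tmp_dir=None) -> dict:
    """Plant a document in a constructed image, wipe it, and check the text is gone."""
    tmp_dir = tmp_dir or tempfile.mkdtemp()
    path = os.path.join(tmp_dir, "constructed_image.bin")
    with open(path, "wb") as f:
        f.write(b"\x00" * 4096 + SAMPLE_DOC + b"\x00" * 4096)
    with open(path, "rb") as f:
        found_before = SAMPLE_DOC in f.read()
    result = dod_5220_wipe(path)
    with open(path, "rb") as f:
        result["document_found_after"] = SAMPLE_DOC in f.read()
    result["document_found_before"] = found_before
    return result


if __name__ == "__main__":
    print(demo_wipe_image())
```

Run as written it wipes only its own temporary image; pointed at the device path of a drive being decommissioned (and run with the privileges needed to open it read-write) it performs the same three passes and read-back on the whole device. The returned dictionary is the evidence a disposal record needs: the size covered, the pattern verified, and whether verification succeeded.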
Since Gutmann's 1996 publication and subsequent epilogue, the density of hard disk devices has increased significantly. For example, at present the minimum capacity of a 3.5-inch hard drive for a desktop computer is 40GB.
The density of modern hard disk drives is such that recovery by magnetic remanence imaging is fast becoming an infeasible attack. The tight packing of tracks and contemporary methods of storing data on the disk surfaces are at a level of precision such that many of the effects described in Gutmann's original paper would potentially cause disk corruption.
There was some movement to develop a standardised method for forensic wiping of drives through the development of a standard called The Universal Secure Overwrite (CCSE 2000). This standard was intended to determine the correct techniques for overwriting hard disk drives with the intention that disk manufacturers would then implement the feature in hard disk controller firmware to provide an in-built standardised mechanism for the secure erasure of the hard drive.
Experimental procedure
During these two projects, each selected machine had any hard disks present removed and forensically imaged. The integrity of the resulting images was verified using MD5 cryptographic hashes; this was done with dd and md5 on the bootable Linux distribution called Helix, which is developed as a forensic analysis suite. The verified copies of the disk images were then duplicated onto forensically clean media for forensic analysis, and the original hard drives were forensically wiped before being disposed of again.
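The dd-and-hash step above is the one that lets later analysis be tied back to the original drive. As an added Python example (not the study's Helix workflow), the following images a source in fixed-size chunks while hashing the bytes as they are read, then re-reads the written image from disk and hashes it independently, so that the two digests come from two separate reads rather than from the same buffer. MD5 is what the study used; SHA-256 is computed alongside it as current practice. The chunk size, the constructed "drive" contents and the single-byte corruption used to show a failed verification are all assumptions of the example.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB read size (constructed; plays the role of dd's bs=)
ALGORITHMS = ("md5", "sha256")  # md5 as in the study; sha256 added as current practice


def hash_file(path: str, algorithms=ALGORITHMS) -> dict:
    """Stream a file through each digest and return hex digests keyed by algorithm."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def acquire_image(source: str, image: str, algorithms=ALGORITHMS) -> dict:
    """Copy source to image, hashing the source bytes as they pass; then hash the
    written image from a fresh read and compare the two sets of digests."""
    src_digests = {name: hashlib.new(name) for name in algorithms}
    total = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            for d in src_digests.values():
                d.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # the image must be on disk before it is re-read
    source_hashes = {name: d.hexdigest() for name, d in src_digests.items()}
    image_hashes = hash_file(image, algorithms)
    return {
        "bytes": total,
        "source": source_hashes,
        "image": image_hashes,
        "verified": source_hashes == image_hashes,
    }


def demo_acquisition(corrupt_image: bool = False) -> dict:
    """Build a constructed 'drive', image it, and optionally flip one byte of the
    image afterwards to show that re-hashing catches the change."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "constructed_drive.bin")
    image = os.path.join(work, "evidence.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # constructed drive contents, odd length on purpose
    result = acquire_image(source, image)
    if corrupt_image:
        with open(image, "r+b") as f:
            f.seek(CHUNK + 7)
            original = f.read(1)
            f.seek(CHUNK + 7)
            f.write(bytes([original[0] ^ 0x01]))
        result["verified"] = hash_file(image) == result["source"]
    return result


if __name__ == "__main__":
    print(demo_acquisition())
```

In practice the source would be opened through a hardware or software write blocker and the returned digests recorded with the case notes; any later copy of the image can then be re-hashed with hash_file and compared against that record.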
The resultant disk images were subjected to examination and experimentation with the methods listed below in increasing level of complexity until such time as documents and other digital artefacts on the drive were readily recoverable.
Level 1 - Mounting the drive and accessing the contents. This was accomplished by simply mounting the image as a volume on the investigative computer.
Level 2 - Searching for date/day strings with a hex editor, or undoing the format of the drive:
1. Use of a simple hex editor to search the image for common date strings such as Mon, Tues, 16/3/2004, 2004.
2. The use of freely available unformat tools suited to the particular hard drive image format.
Level 3 - Interrogation of the image using Foremost (quick mode).
Level 4 - Interrogation of the image using Foremost (standard mode).
Level 5 - Analysis using Autopsy in an attempt to recover documents.
Foremost is a tool that searches for hexadecimal file header and footer strings and then extracts the file that is bounded by that header and footer. The extracted file can then be loaded using standard applications such as Microsoft Office, OpenOffice or suitable graphics programs for verification. Autopsy is a freely available forensic analysis tool, written primarily for the Linux platform, that enables the examiner to forensically analyse a hard disk image for content. In combination with the Sleuthkit tool, Autopsy allows for extensive forensic analysis of a hard disk image. All disk images, when not in use, were secured and stored using GnuPG encryption.
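The reason Level 2 and Level 3/4 succeed against a drive that has merely been "formatted" is that a format rewrites the allocation structures and leaves the data blocks alone. The following added Python example (not the study's code and not Foremost or Autopsy) builds a small constructed volume, zeroes only its allocation area the way a quick format would, and then runs both methods over it: a Level 2 string search for a date string, and a Foremost-style header/footer carve. The JPEG, PDF and PNG signatures are the real magic numbers for those formats; the sector layout, the size cap and the planted sample files are constructed for the demonstration.

```python
SIGNATURES = {
    # file type: (header, footer) byte strings; these are the real magic numbers
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # constructed per-file size cap, like Foremost's size limit
SECTOR = 512
ALLOC_SECTORS = 8  # constructed: sectors standing in for boot sector plus allocation tables

# Constructed sample files planted in the toy volume (not real recovered material).
SAMPLE_FILES = {
    "jpg": b"\xff\xd8\xff\xe0" + b"JFIF-body-constructed" + b"\xff\xd9",
    "pdf": b"%PDF-1.4\n1 0 obj << /Title (Settlement advice) >> endobj\n%%EOF",
    "txt": b"MYOB backup 2006 - constructed sample",
}


def build_image() -> bytes:
    """Lay out the toy volume: allocation area, then file bodies separated by free space."""
    alloc = b"\xa5" * (ALLOC_SECTORS * SECTOR)
    return (alloc + b"\x00" * 300 + SAMPLE_FILES["jpg"] + b"\x00" * 700
            + SAMPLE_FILES["pdf"] + b"\x00" * 100 + SAMPLE_FILES["txt"])


def quick_format(image: bytes) -> bytes:
    """A non-secure format: only the allocation area is rewritten; data blocks stay."""
    return b"\x00" * (ALLOC_SECTORS * SECTOR) + image[ALLOC_SECTORS * SECTOR:]


def search_strings(image: bytes, needles) -> dict:
    """Level 2: every offset of each search string, as a hex editor search would report."""
    hits = {}
    for needle in needles:
        offsets, pos = [], 0
        while (pos := image.find(needle, pos)) != -1:
            offsets.append(pos)
            pos += 1
        hits[needle.decode()] = offsets
    return hits


def carve(image: bytes, signatures=SIGNATURES) -> list:
    """Level 3/4: for each header hit, take the bytes up to the next footer within MAX_CARVE."""
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + MAX_CARVE)
            if end == -1:  # header with no footer in range: skip it and keep scanning
                pos = start + 1
                continue
            end += len(footer)
            found.append((ftype, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def recover_after_format() -> dict:
    """Format the toy volume, then show that both methods still recover the planted files."""
    image = quick_format(build_image())
    carved = carve(image)
    return {
        "carved": [(ftype, offset, data == SAMPLE_FILES[ftype]) for ftype, offset, data in carved],
        "strings": search_strings(image, [b"2006", b"Settlement"]),
    }


if __name__ == "__main__":
    print(recover_after_format())
```

The carve returns the JPEG and the PDF byte-for-byte from the "formatted" image, and the string search locates the accounting file by its year alone; only an overwrite of the data blocks themselves, as in the DoD procedure, defeats both. Real carvers add per-type size limits and handle fragmented files; this example keeps the contiguous case, which is also the case the study found sufficient.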
It was not the intention of this study to analyse or divulge the specific organisations or the content of the material recovered, but simply to ascertain whether the materials were recoverable and at what minimum level of interrogation this occurred, and then, from examining the recovered data, to make reasoned evaluations of the general profile of the drive's former owner.
Results of the analysis
In 2004, of the 19 hard drives analysed, 18 had documents that were recoverable with no more than Level 2 interrogation. Likewise, in the 2006 study of 53 disks, 41 had documents that were recoverable with no more than Level 2 interrogation. However, 12 disks were properly erased, a pleasing increase.
In some extreme cases, the drives simply needed powering on to boot into the installed operating systems, which included Windows 98, Windows 2000, Windows XP and Sun Solaris. Furthermore, some of the drives simply had the documents deleted and no formatting of the disk drive had occurred at all.
The following are brief outlines of some of the data able to be recovered in the analysis conducted:
2004-1&2 were from a manufacturing company. The drives were simply formatted and a simple restoration of the drive allowed the author to access the drive contents by mounting the drives. The drives contained a large amount of potentially sensitive material relating to network infrastructure and corporate processes.
2004-3 was a home use or potential home office computer. The disk itself was not formatted and it was simply a matter of mounting the disk image and accessing the disk content. Simple undeletion of files contained within the My Documents folder successfully recovered deleted documents. These were all deleted in sequence and would be indicative of a user deleting files before reselling the computer.
2004-4 was securely erased and no data could be recovered using the methods applied. The asset tags and stickers associated with the device, and the fact that the auction house advertised the computers as being disposed of by a telecommunications organisation, would indicate that the computer originated from it.
2004-5 was a laptop from a state government department in charge of water infrastructure. This was clearly ascertained from the large plastic tag attached to the laptop case. The drive within the laptop was not wiped and it was possible to mount the drive and examine the contents at will. The templates and documents contained on the laptop also concurred with the physical tags.
2004-7 was a corporate desktop with limited documents stored on the drive. It contained links to the network for working documents; however, the e-mail folder was still on the drive. This drive had been formatted.
2004-9 was indicative of a corporate laptop due to the naming convention on the hard disk partition. The peculiar thing with this machine was that the drive taken out of the laptop was a 1.3 GB mechanism yet it had only a 340MB partition on it. This would indicate that the drive had simply been imaged with a standard operating environment. The drive had a large number of *.jpg files which were later determined to be pornographic.
2004-14 was from a Sun Sparc server that came from a state-based power utility. This drive booted the operating system and allowed root access without a password. The drive contained routing, password files and other sensitive materials.
2006-8&9 were from a large Sydney law firm; the documents were recent and of a highly sensitive nature. Several of the documents included advice on what was an acceptable level of payment on legal matters between two parties involved in litigation and settlements.
2006-11 was a SOHO machine that contained MYOB accounting files that were less than three months old. In addition, the hard disk contained personal photographs of the owners. The hard disk also contained over 1000 pornographic images. The interesting occurrence to note was that by timelining the activity over 13 months, one could see a progression from bikini-clad images to the final images of highly graphic hardcore pornography.
2006-36 was from someone with musical inclinations. The disk contained copies of various high-end music sequencing software packages, an extensive MP3 collection and sound effects files.
2006-26 contained development files and control files for a mainframe application related to an engineering development.
2006-49 was a Sun Microsystems SCSI hard disk array that was identified as coming from an energy supplier due to the asset tags still on the array. What further verified this was the SCADA data logs that were found on the images.
2006-52 had control software for managing telephone exchanges using Ericsson equipment and VPN control/management software.
Why the data disregard?
This low level of data protection indicates a potential problem with the disposal of data devices. Organisations often spend large budgets securing and maintaining the data on their functioning information systems against attacks on confidentiality, integrity and availability. However, it would appear from this research and other work (Garfinkel & Shelat, 2003) that organisations are disposing of their data with foolish disregard for security. In the Garfinkel & Shelat (2003) article only 9 per cent of the drives they examined were erased correctly; the statistics from these studies are similarly representative.
Why is it that organisations are ignoring the implications of exposing corporate data to recovery by others, and all the threats that this practice implies? There are several reasons why this could be occurring.
First, information systems (IS) staff could be totally unaware of the possibility of recovering data from magnetic media. Second, even though IS staff may be aware of the problem, because of the relatively slow processing of disk drives by erasure software, they may see little benefit in performing the erasures. This problem will only increase as hard disk capacities continue to climb and secure erasure (which requires multiple overwrites) is needed to ensure confidentiality.
The nature of modern system disposal may also be a contributing factor. This can occur as a result of large rollouts of new standard operating environments in a corporate environment where large sections or entire organisations roll over to newer computer systems. These rollovers are often performed during non-business hours, typically on weekends or holidays, to minimise disruption to business. The redundant computer is often live until the close of business at week's end, leaving little time for secure erasure, let alone removal and de-registration of the equipment.
As Garfinkel and Shelat (2003) also state, recovery from drives that may still be functional in a computer that has failed is a possibility. This could be categorised as a loss of data by misassumption, i.e. the specialist has assumed that the hard disk is the cause of the failure. In this study this was taken into account, and several of the computers purchased were marked as faulty in the auction catalogue. The 2004 drives 3, 5 and 9 were extracted from such computers and were salvageable. Similarly, 2006 hard disks tagged as faulty were found to be in working or recoverable order.
A lack of legislative requirement could be a contributing factor in the lack of proper erasure of digital media. Many state and Federal Acts cover the use, storage and transmission of information. One such is the Privacy Act 1988, which provides a legislated requirement to protect information collected on individuals. It covers the transmission and transferral of data and private information but does not cover the destruction or disposal of this data, particularly in digital form.
This is an area that could be considered for incorporation into legislation to ensure the correct erasure of data from drives. However, as noted in Valli and Jones (2005), in the UK, where the Data Protection Act is in place, similar levels of incomplete erasure were detected. Further studies by Jones, Sutherland and Valli (2006) that are being completed on UK hard drives are showing similar patterns.
Conclusion
This is ongoing research which is part of a broader international study to ascertain the extent of the problem with the disposal of IT resources and the data they store. Indicators and evidence uncovered as a result of examining these devices show that there is a significant problem with the disposal of IT data assets. Australian data concurs with similar results from the UK, USA and Europe.
The improper erasure of data stored on hard drives by organisations and individuals is leaving their information open to compromise at the fall of the auctioneer's hammer. The forensics capability needed to extract this information in all of the studies both in Australia and the UK has been little more than basic, and is easily accomplished without specialist forensic tools or skills.
Further directed research needs to be conducted into the causes for the insecure erasure of hard disks by organisations and individuals. Freeware utilities exist that will adequately perform secure erasure of disk drives so the cost of software acquisition is not an overly relevant factor. So it would be fair to assume that the problem exists for reasons other than lack of suitable technical resources to perform the secure erasures.
Based upon this assumption, research should focus on the human and organisational impediments to the secure erasure and disposals of data devices.
This problem of inadequate data erasure is one that will only continue to grow as the use of digital storage technology expands. Research and education are urgently needed to combat the extreme risk of data recovery from incorrectly cleansed data devices, a risk which for the most part individuals and organisations appear to be either ignorant of or simply unwilling to address.
References
CCSE (2000). Clearing and Declassifying Electronic Data Storage Devices, Government of Canada, Communications Security Establishment.
de Paula, M. (2004). "One Man's Trash Is... Dumpster-diving for disk drives raises eyebrows." USBanker 114(6): 12.
de Paula, M. (2004). "Security: Risk Of Improper Disposal Of Computer Trash Grows ; Wamu found out the hard way that special care is necessary when discarding software and hardware." Bank Technology News 17(6): 12.
Defense (1997). DoD 5220.22-M: National Industrial Security Program Operating Manual, Department of Defense.
Duvall, M. (2003). "Memory Loss; How a missing $100 pocket-sized drive spooked 825,000 customers of Canadian companies." Baseline 1(16): 65.
Garfinkel, S. L. and A. Shelat (2003). "Remembrance of Data Passed: A Study of Disk Sanitization Practise." IEEE Security and Privacy 1(1).
Gutmann, P. (1996). Secure Deletion of Data from Magnetic and Solid-State Memory. Sixth USENIX Security Symposium, San Jose, CA.
Monroe, J. (2003). Forecast: hard disk drives, worldwide, 1999-2008 (executive summary), Gartner.
Valli, C. and Jones, A. (2005). A UK and Australian Study of Hard Disk Disposal. Proceedings of the 3rd Australian Computer, Network and Information Forensics Conference, Edith Cowan University, Perth, 29 September 2005.
Dr Craig Valli is senior lecturer, computer and network security, School of Computer and Information Science, Edith Cowan University, Western Australia. c.valli@ecu.edu.au
Recycling and IT governance
By Tom Cleary
Picture the scene: the teenager turns from reading an online news site and says, with a smile: "Told you I should have taken care of those old machines for you, Dad."
He leans over the boy's shoulder and reads how someone has gained access to his employer's private data which should have been tightly controlled but was left on a dumped PC. What should he do?
The answer to that question is frequently felt to be "Call in the IT guys and give them a good roasting." But this answer crumbles to nothing before your eyes.
If you examine some of the Federal cases in similar legal territory (such as cases relating to dumping of toxic waste, for instance) the person hired to dispose of materials is often not the one who gets held liable for the damage caused, because waste is often traceable to its source.
So, from the guidance provided in AS 8015-2005, the Australian Standard for "Corporate Governance of Information and Communication Technology", you can make someone responsible for an activity, but not accountable; even if it's not directly your mistake, you still carry the can for the consequences.
This accountability, under principle 4 ("ensure ICT performs well, whenever required"), advises directors that they should "monitor that assets are decommissioned and disposed of in accordance with environmental and data management requirements".
Most recycling efforts in Australia involve some ethical consideration; whether "for profit" or a charity they have someone with a clue to handle the process. (Maybe there's a link with the fact that most of them subsist on free/open source software - F/OSS?)
Not that the biggest in the industry are lagging: Microsoft is also actively working to ensure our industry takes its responsibilities seriously.
And if some glitch in the disposal process leads to a HGE (Headline Generating Event) whether through identity theft or some other unforeseen disclosure, taking the available guidance seriously in the short term and doing something active about it, such as investing in the appropriate conformance measures, will be seen as a wise investment down the line.
Sure as eggs, anything that does slip through the measures in place can be tracked to its source and those who choose to do nothing to prevent HGEs will be held accountable.
Somewhere on the horizon, there is legislation which will cause Australian organisations to take a more pro-active view of recycling initiatives, whether like the Canadian scheme where a tax is paid on every item purchased to make sure the costs of disposal are met, or some other uniquely Australian approach.
And as with the physical problems of recycling, such as disposing of hazardous materials, the owner will pay one way or another.
The liability vulture is coming home to roost on the shoulder of companies who refuse to look at the problem while it is still small and manageable.
Chernobyl? Maybe not. But wouldn't your company rather pay dividends than fines or damages?
Tom Cleary is lead information risk manager for CSC in Perth.