The very first article I wrote for Security Technology & Design was “What's on That Hard Drive?” published in February 2002. That article was based on a white paper I wrote for SANS Institute certification called “Secure File Deletion: Fact or Fiction?” (An updated version of this paper can be found in the SANS reading room at www.sans.org. ) Both the article and the white paper discuss the types of residual data that can be recovered from a computer's hard drive and some of the methods that can be used to remove this data.
From a security perspective, removing this information is an excellent way to prevent the inadvertent dissemination of proprietary information as well as the accidental disclosure of personal information. When I wrote the white paper back in 2001, businesses and individuals were just beginning to recognize the significance of residual data. Now, high-profile security breaches and new privacy and security regulations have increased businesses' interest in protecting data by encrypting or removing residual information.
Wipe Out or Lock Up
You only have to do a quick search on the Internet to find an array of products intended to wipe certain data from a system. Many third-party tools exist to help prevent the inadvertent dissemination of confidential data, such as the “Remove Hidden Data” tool that removes metadata from Microsoft Office 2003 documents.
Encryption is becoming another popular tool for protecting private and proprietary information. While encryption is used extensively to protect data during transmission, it has not been widely embraced to secure data at rest, such as on the hard drive of a desktop or laptop computer.
Many people erroneously believe that since they must provide a password in order to boot up their computer, the data stored on the computer's hard drive is secure. All anyone has to do is remove the hard drive from the computer and connect it to another computer, either as an external drive or a secondary (slave) internal drive, to remove all of the data from the drive.
This significant security threat has now been addressed by the storage vendor Seagate. The company includes hardware-based drive encryption as part of its DriveTrust technology. As of this writing, this technology is only available for the Momentus 5400 FDE.2 drive for notebook computers and DB35 Series drive for digital video recorders. With the current concerns regarding the protection of digital information, however, it won't be too long before Seagate offers this technology on additional drives and other manufacturers begin offering similar solutions.
OS Privacy Enhancements
Third-party solutions aren't the only option anymore. Now, major software and technology vendors have begun incorporating privacy tools into computer operating systems and applications.
Apple's Mac OS X includes new privacy enhancements:
• FileVault. Enabling this feature secures a user's home directory by encrypting its contents using AES 128-bit encryption.
• Secure Virtual Memory. Enabling this feature encrypts the system's swap file. The swap file (in Microsoft Windows this is called a pagefile) is used when a new application is launched or a system's memory is full and needs to make space for additional information. Data in memory will get written to the hard drive in a swap file. Swap files are a great source of information during an investigation, but this feature makes the data unrecoverable.
• Erase Free Space. This is built into the Mac OS X Disk Utility feature and provides the ability to “zero out” or overwrite free space.
• Private Browsing. Safari, Apple's Internet browser, includes a private browsing option, which, according to Apple's main information site on the product, ensures that “no information about where you visit on the Web, personal information you enter or pages you visit are saved or cached. It's as if you were never there.”
Microsoft products are also starting to include privacy tools. The next version of Microsoft Office will include a feature called Document Inspector that, according to Microsoft, “provides a central location for you to examine documents for personal, hidden, or sensitive information. You can then use built-in Document Inspector modules to remove unwanted information more easily.” And Internet Explorer 7 has a new option in the Tools menu called Delete Browsing History, which provides the ability to delete evidence of your Internet activities from one interface.
As with many technologies, data removal tools, though intended for good, can be used for evil. The names of some third-party solutions point to a grim intent: Evidence Eliminator, HistoryKill, Tracks Eraser, Digital File Shredder. These tools aren't being used just to protect privacy and sensitive data; they're being used to cover the digital tracks of employees and others who may be up to no good. In fact, the home page of one of these products flat-out says it's a great way to defeat forensics analysis equipment.
Even when such tools are used by companies specifically to protect data, the impact on forensic capability may be significant. Will these new enhancements to operating systems and applications combined with increased privacy paranoia cause problems for investigations and prevent the effective use of computer forensics? The potential is certainly there.
New Forensic Options
Some in the industry believe that “old-style” computer forensics, whereby a system is turned off and examined in a lab environment, is going to be replaced by “live analysis.” Through live analysis, analysts use special tools and processes to examine computers while they are still running. This methodology is counter to historic computer forensics examinations because working on a live system can modify data. However, it is recognized that as long as the examiner knows what data is being modified, a live analysis is valid.
The issues surrounding live analysis are explained in the document, “Collecting Evidence from a Running Computer: A Technical and Legal Primer for the Justice Community” by Todd G. Shipley, CFE, CFCE and Henry R. Reeve, Esq., which is published by SEARCH: The National Consortium for Justice Information and Statistics. This document can be downloaded in pdf format from the publications section of the SEARCH Web site, www.search.org.
Live analysis allows the examiner to capture data that is otherwise not available during a standard computer forensics examination, such as data from memory, from drives and partitions that might normally be encrypted when the system is turned off, and residual data that has yet to be overwritten. It also allows examiners to determine what services are running on the system as well as what ports are currently open.
Tools for Live Analysis
Numerous tools exist to analyze a live system. One of the best known is the Helix Live CD, a free set of tools that provides the ability to capture data from a live Windows system and to acquire an image of the drive. Another is the Forensic Server Project. (The developer of this project, Harlan Carvey, has written a book, Windows Forensics and Incident Recovery, that is an excellent primer for someone new to live system analysis.)
Both Helix and the Forensic Server Project are helpful if you have physical access to the system in question, but neither is helpful if the system is located in another city, state or country. This issue has been resolved by several products that provide the ability to capture data from a live system “across the wire,” meaning that the analysis can be conducted covertly across a network. These products include Guidance Software's EnCase Enterprise, Wetstone's LiveWire Investigator and Technology Pathways' ProDiscover Investigator.
Another option to determine a computer user's activities, specifically Internet activity, is to conduct a packet capture analysis of the data going to and from a subject's computer. While this activity (often called network forensics) falls normally to network security specialists, with the increased use of Internet privacy tools, this may eventually be one of the only ways to capture a subject's Internet activity. Tools that can assist with this activity include Ethereal, TCPDump, and Windump for Windows. Commercial products include NetWitness, NetIntercept from Sandstorm Enterprises, and NetDetector Live from Niksun.
Look Out for Change
With the constant development of privacy enhancement tools, will these new investigative techniques be required immediately? To answer this question, let's take a look at the BitLocker Drive Encryption capabilities of the Microsoft Windows Vista operating system.
The BitLocker capabilities are intended to protect data when devices are lost or stolen and consist of robust encryption technologies.
This new feature sounds great, but implementing it requires significant user intervention. Some configuration changes must be made in order for the tool to function properly. The computer must have a TPM microchip, version 1.2, turned on; a TCG-compliant BIOS; two NTFS drive partitions, one for the system volume and one for the data volume (and the system volume partition must be at least 1.5 GB and be set as the active partition); and a BIOS setting to boot first from the hard drive, not the USB or CD drives. Those are obviously very technical requirements that the average user won't have a clue how to configure.
This currently holds true for nearly all privacy enhancement tools. They need to be turned on, configured or manually started by the user. As long as this holds true, standard computer forensics methodologies will continue to be effective.
The existence of these tools does not mean that the analysis of a computer can no longer be conducted to determine a user's activities. Most computer users are unaware of all of these tools, they are not used consistently, and multiple tools must be used to truly destroy all evidence of computer activities.
I have provided an “anti-forensics” presentation at several security conferences. The presentation is designed to show methodologies that can be used to defeat computer forensics investigations. The audiences consisted of experienced computer forensics and computer security professionals. At the end of each presentation I asked the audience, “How many of you were aware of all of the tools and methods presented?” Not a single person raised their hand.
As long as sophisticated, technical users are unaware of all possible methods to remove evidence of computer activities, it will be a long time before the average computer user is aware of them. But once these privacy enhancements are turned on by default, investigative techniques will have to change.
John Mallery is a managing consultant for BKD, LLP, one of the ten largest accounting firms in the United States . He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. He is also a co-author of Hardening Network Security, which was recently published by McGraw-Hill. He can be reached at firstname.lastname@example.org.