Post on 29-Aug-2014
Threats to privacy arising in the management of data stored in Computer Systems
Gustavo Betarte
Instituto de Computación, Facultad de Ingeniería
Universidad de la República, Uruguay
www.fing.edu.uy/~gustun
34th IC Data Protection and Privacy Commissioners G. Betarte - Threats to Privacy of Stored Data
1 Overview
2 Data preservation and analysis
3 Data revelation
4 An Investigation on remnant data
Overview
The use of any modern computer system (PC, tablet, smartphone, ...) leaves unintended traces of expired data and remnants of users' past activities.
We put forward the issue of the unintended persistence of data stored in digital repositories.
This data can be recovered by forensic analysis, and it may pose a threat to privacy.
Data preservation and analysis
Preserving a historical record of activities and data is critical for a wide range of applications:
- to recover after system failure
- to analyze past events after a breach
- to audit compliance with security policies
Intentional preservation of history can thus serve a good purpose (inexpensive storage makes it possible).
Conversely, in many scenarios, retaining a history of past data or operations can pose a serious threat to privacy and confidentiality.
In large institutions and enterprises, systems that retain data for too long risk unwanted disclosure, for example by security breach.
Data remnants
Modern computer systems unintentionally preserve history.
It can be surprisingly difficult to remove traces of the past from computer systems.
Without precise control over data destruction, unwelcome remnants of past data can become a serious problem:
- A wealth of sensitive data, including financial and medical records, has been recovered from decommissioned hard drives.
- Digital documents published on the Web have been found to include sensitive content believed to be deleted.
- Email was used in court cases against Enron employees and released to the public, some of which was contained in deleted-items folders.
Unintended data retention: example scenarios
Businesses can unintentionally violate privacy regulations by leaving data in table or file storage.
Analysts that investigate data repositories recovered from lost or stolen computers can reveal sensitive information that was thought to be deleted.
Authorized investigators may recover data from equipment subpoenaed or seized from a crime scene, or simply in situations where company policy has been violated.
Unintended data retention: embedded database storage
Message headers and time stamps for messages believed to be deleted can be found on disk in embedded databases (Mail.app in OS X).
Firefox allows applications to store data that persists across sessions in an SQLite database. This storage is a sophisticated replacement for cookies, and can be a prime resource for forensic investigators to recover inadvertently retained deleted data.
Data revelation: through forensic analysis
Remnants of past data and activities are revealed through forensic analysis.
When forensic analysis is performed by authorized investigators it can be a valuable tool, helping to hold individuals or systems accountable for malicious or mistaken actions, but when the tools and methods of forensic analysis are used by an unauthorized party, it threatens privacy.
Data revelation: threat model
Threats to privacy and confidentiality usually result from unintended retention of data in lower storage layers, where data is accessible through interfaces that are not controlled by the application or the database.
Existing security threats make it impossible to ensure that users will be limited to the intended interface provided by the application or the database where the data is stored. It is necessary to assume that an intruder will have unrestricted access to storage on disk.
This models the capabilities of a system administrator, a forensic investigator, a hacker who has gained privileges on the system, or an intruder who has breached physical security.
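The retention in embedded SQLite databases described two slides earlier and this threat model's assumption of raw disk access, shown together in an added example that is not part of the talk: a Python script (standard-library sqlite3 only; the record text is constructed) deletes a row, then reads the database file directly instead of through the database interface and checks whether the deleted text is still there, with and without SQLite's secure_delete setting and a VACUUM.

```python
import os
import sqlite3
import tempfile

# Constructed sample record, standing in for a message header that a mail
# client or browser might keep in an embedded SQLite database (not real data).
SECRET = "Subject: Q3 salary review (CONFIDENTIAL)"


def deleted_row_survives(secure_delete: bool, vacuum: bool) -> bool:
    """Insert one row, DELETE it, then read the raw file bytes the way a party
    with disk access would. Returns True if the deleted text is still there.

    secure_delete: set PRAGMA secure_delete, which makes SQLite zero freed
                   cell content instead of merely unlinking it from the page.
    vacuum:        run VACUUM after the delete, which rebuilds the file from
                   live rows only and discards free space.
    """
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        # Set explicitly: some distributions build SQLite with secure_delete
        # on by default, which would hide the effect being demonstrated.
        con.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
        con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, header TEXT)")
        con.execute("INSERT INTO messages (header) VALUES (?)", (SECRET,))
        con.commit()

        con.execute("DELETE FROM messages WHERE header = ?", (SECRET,))
        con.commit()
        # The database interface now reports no rows at all...
        assert con.execute("SELECT COUNT(*) FROM messages").fetchone()[0] == 0
        if vacuum:
            con.execute("VACUUM")
        con.close()

        # ...but the file on disk is a lower storage layer the database does
        # not control. Only the main file is inspected here; rollback journals
        # and WAL files can hold further copies and are not examined.
        with open(path, "rb") as f:
            raw = f.read()
        return SECRET.encode() in raw
    finally:
        os.remove(path)


if __name__ == "__main__":
    for sd, vac in [(False, False), (True, False), (False, True)]:
        print(f"secure_delete={sd!s:5} vacuum={vac!s:5} "
              f"-> deleted text recoverable: {deleted_row_survives(sd, vac)}")
```

With both options off the deleted text is still in the file; either secure_delete or VACUUM removes it from the main database file.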
Investigation: remnant data on memory cards (description)
Memory cards are widely used in numerous electronic devices.
They provide interfaces allowing a large array of private and confidential data to be stored on the card.
Investigation conducted by a team of Australian researchers [Szewczyk, Sansurooah; 2011]:
- Goal: to determine the sensitivity, type and amount of data that remained on second hand memory cards post sale.
- In 2011, 119 second hand memory cards were randomly purchased from eBay Australia.
- Findings: highly sensitive data is stored on memory cards and it is not destroyed prior to sale.
Investigation: remnant data on memory cards (results)
State of the cards:
- 75% had their data deleted and/or formatted
- 12% were not recoverable
- 13% were purchased with all data intact and no sign of a data deletion attempt
Some of the information types recovered:
- a driver's license together with full name, address and date of birth, and a photo of the driver with a luxury car
- real estate settlement documents including names, addresses and purchasing information together with copies of bank deposit cheques
- hundreds of photographic images of an office party where the name of the company was shown, and exposed photos of employees towards the end of the night
Some concluding remarks
- Digital devices provide a false view of stored data
- Tools for removing data might not be effective
- Transparency principles to improve privacy seem to be needed
References
T. Garfinkel, B. Pfaff, J. Chow, M. Rosenblum. Data Lifetime is a System Problem. In Proceedings of ACM SIGOPS European Workshop, 2004.
M. Geiger, L. Cranor. Scrubbing Stubborn Data: An evaluation of counter-forensic privacy tools. IEEE Security and Privacy Magazine, 4(5): 16-25, 2006.
P. Stahlberg, G. Miklau, B. N. Levine. Threats to Privacy in the Forensic Analysis of Database Systems. In Proceedings of SIGMOD 07, Beijing, China, 2007.
W. Enck, D. Octeau, P. McDaniel, S. Chaudhuri. A Study of Android Application Security. In Proceedings of the 20th USENIX Conference on Security, Berkeley, CA, USA, 2011.
P. Szewczyk, K. Sansurooah. A 2011 investigation into remnant data on second hand memory cards sold in Australia. In Proceedings of the 9th Australian Digital Forensics Conference, Perth, Western Australia, 5th-7th December 2011.