70
Agenda
• Discuss how widely disseminated data can be
• It is now to the point where it is difficult to control
IMPOSSIBLE
• Address mechanisms that exist to control document “behavior”• Not finding copies of documents when you need them
PDA’s
HomeUsers
Cell Phones
Business Partnerships
Road Warriors
Online storage sites
• Files Anywhere - http://www.filesanywhere.com/• BestSharing - http://www.bestsharing.com• BigUpload – http://www.bigupload.com• bigVault – http://www.bigvault.com• biscu.com – http://www.biscu.com• DropSend – http://www.dropsend.com• ecPocket.com – http://www.ecpocket.com• Elephant Drive – http://www.elephantdrive.com• MyFileHut – http://www.myfilehut.com• Putfwd.com – http://www.putfwd.com• Savefile – http://www.savefile.com• Xdrive – http://www.xdrive.com• Global Data Vault – http://www.globaldatavault.com• Online Storage Solutions – http://www.onlinestoragesolution.com• Box.net – http://www.box.net
GSpace
Firefox Plugin
GSpace
USB Mass Storage Devices
What will they think of next?
USB Mass Storage Devices
USB Mass Storage Devices
Amazing!
What about human fingernail?
Too Cool!
Privacy software for USB Devices
• PI Protector Mobility Suite http://www.imaginelan.com/winboot/Internet Explorer, Outlook and File Sync – all files stored on USB drive
• Migo USB Deviceshttp://www.4migo.com
U3 USB
• Allows any application to run on a USB device.
• USB devices now “parasites” on host computers
USB SyncBox
Can transfer data between USB devices without a computer.
Preventing USB Data Transfers
• Fill USB Ports with Epoxy• Modify BIOS• Create Group Policy Object removing
permissions to usbstor.dll for all except System and possibly Admins. Still allows use of non-storage related USB devices
• Modify registry to make USB devices read only (see next slide)
Thanks to Mark Minasi
• “It's a simple Registry change. First, create a whole new key: HKLM\System\CurrentControlSet\Control \ StorageDevicePolicies. Then create a REG_DWORD entry in it called WriteProtect. Set it to 1 and you'll be able to read from USB drives but not write to them.”
• XP – SP2• www.minasi.com
USB Hacksaw
“The USB Hacksaw is an evolution of the popular USB Switchblade that uses a modified version of USBDumper, Blat, Stunnel, and Gmail to automatically infect Windows PCs with a payload that will retrieve documents from USB drives plugged into the target machine and securely transmit them to an email account.”
From http://www.hak5.org/wiki/USB_Hacksaw
Don’t forget paper…
3 Accused In Theft Of Coke SecretsInformation Offered To Pepsi, FBI Says
“A company surveillance camera caught Coca-Cola employee Joya Williams at her desk looking through files and "stuffing documents into bags," Nahmias and FBI officials said. Then in June, an undercover FBI agent met at the Atlanta airport with another of the defendants, handing him $30,000 in a yellow Girl Scout Cookie box in exchange for an Armani bag containing confidential Coca-Cola documents and a sample of a product the company was developing, officials said.”
Washingtonpost.comKathleen DayJuly 6, 2006 http://tinyurl.com/ppwh6
Regaining Control
End User and Enterprise Tools
Enterprise P.D.S.D. Control
• Device Wall - www.devicewall.com• DeviceLock: http://www.protect-me.com/dl/
• Sanctuary Device Control: http://www.securewave.com/sanctuary_DC.jsp
Old Ways
• File Rights Management• Essentially controlling who has access to
which documents• Helpful if properly implemented• Still not implemented properly• Easier to allow everyone access to
everything• Still Exists!
Document Life Cycle Management – End User Tools
• Tools like Net-It Now and Adobe Acrobat provide the ability to add some control
• These tools require users to determine what rights to apply
Net-It Now
“Net-It® Now is a free print driver that renders your files to CSF (content secure format), a compressed encrypted format thatallows you to add Visual Rights™, including password protection, an expiration date, and feature restrictions, to your files(settings). Files are viewable with the free Brava! Reader (views TIFF, PDF and CSF files)”.
http://www.net-it.com/nin.htm
Example
View file in Hex Editor
Adobe Acrobat
Document Lifecycle Management – Enterprise Tools
• Microsoft Office IRM – Information Rights Management
• Liquid Machines• Authentica• Adobe Life Cycle Policy Server
Microsoft IRM
• Information Rights Management• Available for Microsoft Office 2003• Requires the following
– Microsoft Windows Rights Management Services for Windows Server 2003 (http://www.microsoft.com/rms)
– Active Directory– IIS– Database such as MS SQL– Office 2003 Professional
Office IRM
Allow users with earlier versions of Office to read with browsers supporting Information Rights Management. (Increases file size)
Liquid Machines
“Liquid Machines Document Control™ uses its patented Policy Droplet™ control to provide an intuitive, consistent user interface across more than 65 applications and file formats, including Microsoft Office, Visio, Sharepoint® and Adobe Acrobat, to persistently control access to and usage of electronic information throughout its lifecycle.”
Authentica
• Provides complete after-delivery protection and control; prevents sensitive documents from being forwarded
• Lets content owners define access privileges (copy/paste, print) and expire access to documents at any time
• Lets content owners insert a custom watermark into a document to deter authorized viewers from printing and distributing the document
From http://www.authentica.com/products/securedocs.aspx
Authentica
• Provides a detailed audit trail so that organizations can actively track document activity (what pages were viewed, by whom, when, from where, for how long, and whether they were printed)
• Leverages a company's existing authentication systems and LDAP user directories for creating document policies, thereby reducing administrator involvement
Investigating Theft of Documents
Privacy vs. Investigations
(Anti-forensics)
Privacy Concerns
• Plastic Surgeon story• “Deleted Files” being used in litigation• Increased awareness of computer
forensics capabilities
Agenda
• Configuration settings – methods used to cover tracks using “supplied” tools and configuration settings
• Third party tools – wiping, properties changers, registry cleaners, steganography/encryption, etc.
• Tools and methods designed specifically to fool computer forensics programs.
Simple
• “Shift+Delete” to bypass Recycle Bin
• Recycle Bin – configured to delete immediately
• defrag
OS/Application Supplied
Empty Temporary Internet Files folder when browser
is closed.
OS/Application Supplied
Shutdown: Clear virtual memory pagefile Enabled
XP- Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options | Shutdown: Clear virtual memory Page File | Select Enabled
Clear Page File
Configured? Check following registry key:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: CurrentControlSet\Control\Session Manager\Memory Management
Name: ClearPageFileAtShutdown
Type: REG_DWORD
Value: 1
Slows down shutdown process
OS/Application Supplied
CIPHER - “Displays or alters the encryption of directories[files] on NTFS partitions”
CIPHER /W:directory
(XP)
OS/Application Supplied
Disk Cleanup
OS/Application Supplied
• Word (Excel)– Hidden font– White on White– Small font
• Plug ins– Remove hidden data tool– Redaction tool– Payne scrambling tool
Hidden Font
Hidden font
Redaction tool
http://tinyurl.com/dgokp(Word 2003)
“OverviewRedaction is the careful editing of a document to remove confidential information.
The Microsoft Office Word 2003 Redaction Add-in makes it easy for you to mark sections of a document for redaction. You can then redact the document so that the sections you specified are blacked out. You can either print the redacted document or use it electronically. In the redacted version of the document, the redacted text is replaced with a black bar and cannot be converted back to text or retrieved.”
Remove Hidden Data(metadata)
http://tinyurl.com/5bams
Scramble Assistant
http://www.payneconsulting.com/products/scramword_free/
For Word&
Excel
Advantages of OS Supplied Tools
• Appear less “nefarious” than commercial tools (Evidence Eliminator).
• Free
Third Party Tools
Fun for the Whole Family
Registry Cleaner
Merge Streams/Glue
• Hides Excel file within a Word Document (vice versa)• .doc – see Word file• .xls – see Excel file• Won’t fool forensics examiner – may confuse them• Word – “Recover Text from any file”
Merge Streams/Glue
Merge Streams/Glue
• Demo• http://www.ntkernel.com/w&p.php?id=23
File Properties Changer
www.segobit.com
Wiping Tools
• Gazillions of them• Eraser (comes with DBAN)• Sdelete – www.sysinternals.com• Evidence Eliminator • BC Wipe• Cyberscrub• Etc.• Do they perform as promised? PGP does it
really wipe slack space?• Are they used frequently?
Removing Residual Data
• Tools exist to remove residual data
• But do not use them in response to litigation
• See - Kucala Enterprises, Ltd. v. Auto Wax Co., Inc., 2003 WL 21230605 (N.D.Ill.), May 27, 2003 - "Any reasonable person can deduce, if not from the name of the product itself, then by reading the website, that Evidence Eliminator is a product used to circumvent discovery.”
• Anderson v. Crossroads Capital Partners
SoftwareHKEY_CURRENT_USER\Software\
[Manufacturer Name]\[Tool]
Encryption
• Cryptext – free and easy to use, a shell extension (http://tinyurl.com/do2qs )
• EFS• OTFE – Encrypted partitions
www.truecrypt.org• USB Thumb Drives – new ones include
encrypted partitions • Encrypted file stored on an encrypted partition…
• Locknote - http://locknote.steganos.com/
Steganography
• Includes encryption• Free tools• Complex method of hiding data• But easy to do…• Can you detect it?• “Duplicate Colors?”• Wetstone Technologies• stegdetect
stools
DEMO
Metasploit Project
• Timestomp – modifies MAC times so EnCase can’t read them.
http://www.metasploit.com/projects/antiforensics/
Timestomp
Timestomp
Timestomp
Good News/Bad News
• First the Bad News• Using a combination of these tools on a
regular basis can defeat a computer forensics examination
• Now the Good News• Very few users know about “all” of these
tools and methods• Not all tools perform as promised
Last thoughts
• Determining whether these tools have been used can be just as important as finding evidence.
• Finding these tools can counter the “I’m not sophisticated enough” argument.
• Found in illegal movie and music distribution cases.
MAC OS X – the shape of things to come
FileVault – Encrypted Home Folder
Secure Virtual Memory
MAC OSX – the shape of things to come
Mac OS X - Safari
IE7
http://www.eweek.com/article2/0,1895,1830962,00.asp
