dark data hiding in your records: opportunity or danger?

Dark Data Hiding in your Records Opportunity or Danger? Rob Zirnstein President Forensic Innovations January 19th, 2011

Upload: rob-zirnstein

Post on 31-May-2015


DESCRIPTION

There is Dark Data hiding in every document that we create. Does this Dark Data represent an opportunity or danger to us and our business?

TRANSCRIPT

Page 1: Dark Data Hiding in your Records: Opportunity or Danger?

Dark Data Hiding in your Records

Opportunity or Danger?

Rob Zirnstein
President
Forensic Innovations
January 19th, 2011

Page 2

Darth Vader?

• No, “Dark Data”, but they both
  – Are often associated with evil
  – Keep secrets (“Luke, I’m your father”)
  – Are potentially harmful

Page 3

Dark Matter?

• No, “Dark Data”! But they both
  – Go undetected
  – Are surrounded by detectable stuff
  – Affect things around them

Page 4

What is Dark Data?

• Dark Data in our digital devices
  – Everyone creates it (unintentionally)
  – Criminals may hide it (Anti-Forensics)
  – Forensic tools can’t see it
  – But it is there!

• Data that we can’t see
  – On our hard drives
  – On our flash drives
  – In our computer files

Page 5

Where is Dark Data?

• DCO & HPA
• Unformatted Disk Space
• Deleted Files
• Unknown Files
• Between Files
• Inside Common Files
• Deleted Data Objects

Page 6

Hard Drive Layout

• Device Configuration Overlay (DCO)
  – http://www.forensicswiki.org/wiki/SAFE_Block_XP
  – Data Cleaner+ http://www.mp3cdsoftware.com/blancco---data-cleaner--download-16317.htm
  – http://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf

• Host Protected Area (HPA)
  – http://www.thinkwiki.org/wiki/Hidden_Protected_Area
  – Forensic Duplicator http://www.tableau.com/pdf/en/Tableau_TD1_Product_Brief.pdf
  – HDD Capacity Restore Tool http://hddguru.com/software/2007.07.20-HDD-Capacity-Restore-Tool/

• Unformatted Disk Space

Page 7

Deleted Files

• Deleted Files aren’t really gone?
  – Unused Disk Space (in a volume)
  – Disk Caches / Swap Files
  – Windows Recycle Bin

• Are they hard to recover?
  – Fragmentation is deadly
  – Large databases tend to be heavily fragmented
  – Even DFRWS Researchers find that fragmentation can make some file types impossible to recover (http://www.dfrws.org/2007/challenge/results.shtml)

Page 8

Unknown Files (1)

• 500 types of files handled by eDiscovery, Document Management & Computer Forensics Tools
• 50,000+* types of files in the world
• 5,000 types of files typically in use

*http://filext.com

Page 9

Unknown Files (2)

Typical Tools (23 wrong files)
FI Tools (26 Correct Files)

Page 10

Between Files

• Alternate Data Streams (ADS)
  – Files hiding behind files (on NTFS)

• RAM Slack
  – Padding between the end of a file and the end of the current sector
  – Typically zeros, sometimes random content

• File/Cluster/Residual/Drive Slack
  – Padding between sectors used & the end of the current cluster
  – Previous sector content that should be used in File Carving
  – http://www.forensics-intl.com/def6.html
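Added example (not part of the original slides): splitting a file's final cluster into file data, RAM slack and file slack as defined on this slide, then reporting whether either slack region holds non-zero residue. The function names, the 512-byte sector default and the sample cluster are constructed for illustration.

```python
def split_last_cluster(cluster, file_size, sector_size=512):
    """Split a file's final cluster into (file data, RAM slack, file slack)."""
    cluster_size = len(cluster)
    if file_size <= 0 or cluster_size == 0 or cluster_size % sector_size:
        raise ValueError("need a non-empty file and whole sectors per cluster")
    # Bytes of real file content that land in the final cluster.
    used = file_size % cluster_size or cluster_size
    # RAM slack runs from the end of the file to the end of the current sector.
    sector_end = -(-used // sector_size) * sector_size
    return cluster[:used], cluster[used:sector_end], cluster[sector_end:]


def slack_report(cluster, file_size, sector_size=512):
    """Summarise both slack regions and whether they hold non-zero residue."""
    _, ram_slack, file_slack = split_last_cluster(cluster, file_size, sector_size)
    return {
        "ram_slack_bytes": len(ram_slack),
        "ram_slack_nonzero": any(ram_slack),
        "file_slack_bytes": len(file_slack),
        "file_slack_nonzero": any(file_slack),
        # File slack is where previous sector content can survive.
        "file_slack_preview": file_slack.rstrip(b"\x00")[:32],
    }


# Constructed sample: a 5000-byte file on 4096-byte clusters, so the final
# cluster holds 904 data bytes, 120 bytes of RAM slack and 3072 of file slack.
SAMPLE_FILE_SIZE = 5000
SAMPLE_CLUSTER = (
    b"A" * 904                          # tail of the current file
    + b"\x00" * 120                     # RAM slack, zero-filled here
    + b"OLD-INVOICE-2010 (constructed)".ljust(3072, b"\x00")  # earlier content
)

if __name__ == "__main__":
    for key, value in slack_report(SAMPLE_CLUSTER, SAMPLE_FILE_SIZE).items():
        print(f"{key}: {value}")
```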

Page 11

Inside Common Files

• Deleted Objects
  – Ex: Adobe PDF & MS Office 2003 (OLE) not removing deleted data (change tracking)

• Smuggled Objects
  – Ex: MS Office 2007 (Zip) and MS Wave (RIFF) formats ignore foreign objects

• Object / Stream Slack
  – Ex: OLE objects have sector size issues, just like with disk sectors

• Field Slack
  – Ex: Image files that don’t use the whole palette, and/or less than 8/16/32/48 bpp
  – Steganography

Page 12

Smuggled Objects

• Some formats ignore foreign objects
  – MS Office 2007 (Zip)
  – MS Wave (RIFF)

• This example
  – I added a file to a Word 2007 document.
  – The document opens without any error.
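Added example (not part of the original slides): a check for the kind of smuggled object shown on this slide, listing ZIP entries in an Office 2007 package that no relationship part references. It assumes every legitimate part is the target of some `.rels` relationship; the function names and the in-memory sample package are constructed for illustration.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def find_unreferenced_parts(package_bytes):
    """List ZIP entries in an OOXML package that no relationship points to."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        referenced = set()
        for name in (n for n in names if n.endswith(".rels")):
            # "word/_rels/document.xml.rels" resolves targets against "word/".
            base = posixpath.dirname(posixpath.dirname(name))
            for rel in ET.fromstring(zf.read(name)).iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" or not target:
                    continue  # links outside the package are not parts
                if target.startswith("/"):
                    referenced.add(target.lstrip("/"))
                else:
                    referenced.add(posixpath.normpath(posixpath.join(base, target)))
    skip = lambda n: n == "[Content_Types].xml" or n.endswith(".rels")
    return sorted(n for n in names if not skip(n) and n not in referenced)

def _rels(target):
    # Constructed relationship part; the Type URI is a placeholder.
    return (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="urn:example:constructed" Target="{target}"/>'
        "</Relationships>"
    )

def build_sample(smuggle=False):
    """Build a constructed, minimal Word-style package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", _rels("word/document.xml"))
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", _rels("styles.xml"))
        zf.writestr("word/styles.xml", "<styles/>")
        if smuggle:  # foreign object that nothing in the package refers to
            zf.writestr("word/extra/notes.txt", "constructed foreign object")
    return buf.getvalue()
```

For files from untrusted sources, parse the relationship parts with a hardened XML parser such as `defusedxml` instead of `xml.etree.ElementTree`.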

Page 13

Deleted Data in Slack

Deleted Data that evades Redaction

Page 14

Steganography

Intentional Data Hiding

Page 15

Dark Data Can Be Fragile

– Deleting Files without using the Recycle Bin.
  • SHIFT + DEL
– Defragmenting a hard drive.
– Installing Applications.
– Turning off “Track Changes” & “Fast Save” options.
– Using Redaction Tools.
  • MS Word - http://redaction.codeplex.com
  • PDF - http://www.appligent.com/redax
  • PDF - http://www.rapidredact.com
– Using Data Wipers.
  • SafeErase - http://www.oo-software.com
  • CyberScrub - http://www.cyberscrub.com

Page 16

Dangers

• You may lose a lawsuit if the other side finds what you missed.

• Corporate Digital Assets may be walking out the door.

• Intellectual Property theft can put a company out of business.

Page 17

Opportunities

• Protect your company by being Aware of your Digital Assets.
  – Illegal content may be hidden accidentally or intentionally.

• Recover lost Digital Assets by knowing where to look.

• Employee misconduct is tracked by the hidden trail of improper acts.

• Catch Intellectual Property theft before it walks out the door.
  – Identify in-house criminals by detecting their smuggling methods.

Page 18

What Does FI Do?

• Create Technologies to Capture Dark Data
  – File Investigator
  – File Expander
  – File Harvester

• Equip Law Enforcement with Tools
  – FI TOOLS
  – FI Object Explorer
  – FI Data Profiler Portable

Page 19

FI Technologies

• File Investigator
  – Discovers Files Masquerading as Other Types
  – Identifies 3,953+ File Types
  – High Accuracy & Speed

• File Expander
  – Discovers Hidden Data within files
  – Data missed by all forensic tools

• File Harvester (Under Development)
  – Recovers deleted/lost files the rest of the industry can’t
  – Will eventually rebuild partial files

Page 20

Thank you

• Contact
  Rob Zirnstein
  Rob.Zirnstein@ForensicInnovations.com
  www.ForensicInnovations.com
  (317) 430-6891