Testing your outsourcing partner data elimination process

I always stumble upon companies with no clue about what their business partners and outsourced peers do with the data they should protect and eliminate when is not needed anymore.

They should be wiping disks right? There are free tools like DBAN, right? There are pretty cheap appliances dedicated to write bogus 0 and 1’s to all sectors, right? Do outsourced companies use these solutions? Of course, (mostly) not…

Here are some basic steps I follow to check their data elimination process (including Linux commands).

First, check how many data repositories (e.g. hard disks) they are holding that “used to have” your data but are now considered (by them) as cleaned.
Schedule a visit to the outsourcing site and asks to view ALL equipments (or disks), then, select 10 or 20% of the disks to be analyzed. DON’T let them choose which ones you will check. You must pick each one by yourself from the whole.

Now, with this sample in your hands, use any cheap hard disk external adapter for USB ports, and connect each disk to your Linux equipment. I suggest Kali or even some old Backtrack version.

Important: disable Linux to AUTO-mount if you plan to use legal actions, like contract fines, or you may lose your argument by changing sectors in the original investigated disk.

 

I use a simple “fdisk -l” to verify which /dev/path the external disk is using. Often, it will be /dev/sdb or /dev/sdc

After connecting the investigation target to my Linux USB port, I use foremost to perform a Data Carving in that disk.

The command is:

sudo foremost -t png,jpg,doc,xls -i /dev/sdb -v -o /home/folder_disk_name/
Explaining the command above:
-t is used to choose which file formats I will search for. Note I don’t need to detail docx and xlsx. They are implied into doc and xls

-i is the external drive, not mounted

-v is verbose, I like to see what foremost is doing (and it takes at least 3 hours if the investigated disk is bigger than 100 gb)

-o is where foremost will save recovered data. I usually use a folder to each disk, created inside my Linux /home

Another tip: since foremost is DATA CARVING, it will not search for an allocation table, so it will ignore file names. This tool generate random names, so expect to see 22342.xls or 45342.jpg etc. Original names are not recovered.

Another big and important tip: after seeing foremost recovering files at the first minute for some disks, you may assume other disks are empty if verbosed foremost is giving you only ******  for some other disks during the first searching minutes, or even during the first hour.

Do not swallow that. Sometimes, your not-so-dedicated outsourced wiping analyst will only execute a cleaning process for 20 minutes, which could wipe 50% of the disk (and he “finishes” his task and goes home early), but leaving the other half disk full of recoverable files. Make sure to wait foremost finishing to read all sectors, from 0 to the last one. And yes, it takes hours, even if the disk is 100% wiped.

When foremost is finished, you will have the /home/folder_disk_name with one sub-folder to each file format. So, from the example above, you will have (even if some folders are empty):

/home/folder_disk_name/jpg/ ;

/home/folder_disk_name/xls/ ;

/home/folder_disk_name/xlsx ; etc

Important: from this point, turn your USB adapter off and put the investigated original disk back in your safe or shoe box.

Now, assuming (I) you recovered hundreds of thousands of files and (II) you run Linux in an old laptop as my 512Mb RAM 10-years-old Toshiba , you won’t be able to open the /jpg/ folder, because Linux will (try to) show images thumbnails for each file and it may freeze or take hours to show what is inside that folder. Trust me, your Linux will scream before you touch the scrollbar.

Use a simple find + cp command to quickly copy some images to another more powerful computer. I use the following command (with an USB thumb drive connected to my Linux, mounted as /media/Cruzer):

find /home/folder_disk_name/ -iname *.jpg -size +1000k -exec cp ‘{}’ /media/Cruzer/ \;

The command above would only copy .jpg or .JPG files bigger than 1Mb to my thumb drive. This is not a good method if you want to check every single jpeg file content…

I repeat the above command to xls/x, doc/x etc. So my thumbdrive ends full of recovered samples and I can open them in a faster desktop.

Remember: I’m only testing if the wipe process was performed or not, and I’m also checking the biggest recovered files – as samples – to determine which kind of file remains there, possibly telling me the files real owner.

This may help to accomplish a secondary objective: let me know if that drive was reused by another partner’s client, which is usually forbidden in outsourcing contracts like DR Sites, outsourced Data Centers etc, specially when ineffective wipe processes are in place. Again, samples examination…

Hope this helps you. If so, leave a comment.

R.Martin

Advertisements

CHFI – study notes

Security Incident – when a crime or wrongdoing was performed, involving a computer (as target, tool or crime scene).

– Note: wrong access is not necessary an incident. What if the wrong access was not used to do something else. You must go further

5WH to an investigation – Who, What, Where, When, Why – and How

ETI – Enterprise Theory of Investigation – each separated incident is part of an ongoing series of activities (see: Clifford Stoll – Cuckoo’s Egg)

An investigator must: detect evidence, preserve evidence, analyze evidence, report findings – DPAR

.

.

.

After a long time, I just returned (to this blog, to books, to maybe achieve something else).

In memory of my father – 03/01/42 to 24/12/14

Beating 2-Factor Authentication

I can imagine how it goes.

The provider implements 2FA to its clients, using text messages only.

Clients adopt it. Then, clients claim they are not getting the text messages.

Business asks for IT: “Please, improve the 2FA system, texts messages are not enough”
IT thinks: “Ok, we can call the client if text messages are not working. Should we submit this system change to CSO approval?”
Business answers “No, it will delay the process and it is only a minor change”.

The rest of story is below.

http://shubh.am/how-i-bypassed-2-factor-authentication-on-google-yahoo-linkedin-and-many-others/