Testing your outsourcing partner data elimination process

I always stumble upon companies with no clue about what their business partners and outsourced peers do with the data they should protect and eliminate once it is no longer needed.

They should be wiping disks, right? There are free tools like DBAN, right? There are pretty cheap appliances dedicated to writing bogus zeros and ones to every sector, right? Do outsourced companies use these solutions? Of course (mostly) not…

Here are some basic steps I follow to check their data elimination process (including Linux commands).

First, check how many data repositories (e.g. hard disks) they are holding that “used to have” your data but are now considered (by them) as cleaned.
Schedule a visit to the outsourcing site and ask to view ALL the equipment (or disks), then select 10 or 20% of the disks to be analyzed. DON'T let them choose which ones you will check. You must pick each one yourself from the whole lot.

Now, with this sample in your hands, use any cheap external USB hard disk adapter and connect each disk to your Linux machine. I suggest Kali or even some old Backtrack version.

Important: disable auto-mounting in Linux if you plan to take legal action (contract fines, for instance). A mounted filesystem gets written to (journal replay, access times, lost+found), and a single changed sector in the original disk may cost you your argument. Better still, put the disk behind a hardware write blocker and record a hash of the raw device before and after the examination, so you can show the disk left your hands exactly as it arrived.


I use a simple "fdisk -l" to verify which /dev path the external disk got. Often it will be /dev/sdb or /dev/sdc. Double-check it against the disk size and model before going on; pointing the next command at your own disk by mistake is the classic way to waste a day.

After connecting the investigation target to my Linux USB port, I use foremost to perform data carving on that disk.

The command is:

sudo foremost -t png,jpg,doc,xls -i /dev/sdb -v -o /home/folder_disk_name/
Explaining the command above:
-t is used to choose which file formats to search for. Be careful with Office formats: docx and xlsx are ZIP containers, not OLE compound files, so the doc signature does not match them. Add zip to the list (or use -t all) rather than assuming doc and xls cover the newer formats.

-i is the external drive, not mounted

-v is verbose; I like to see what foremost is doing (and it takes at least 3 hours if the investigated disk is bigger than 100 GB)

-o is where foremost will save recovered data. I usually use a folder to each disk, created inside my Linux /home

Another tip: since foremost does DATA CARVING, it does not look at any allocation table, so it knows nothing about file names. It names each carved file after the sector offset where the header was found, so expect to see things like 22342.xls or 45342.jpg. Original names are not recovered.

Another big and important tip: after seeing foremost recover files within the first minute on some disks, you may be tempted to assume other disks are empty because verbose foremost shows you nothing but ****** during the first minutes, or even the first hour.

Do not swallow that. Sometimes your not-so-dedicated outsourced wiping analyst runs the cleaning process for only 20 minutes, which may wipe 50% of the disk (then he "finishes" his task and goes home early), leaving the other half full of recoverable files. Make sure foremost reads every sector, from 0 to the last one, before you draw a conclusion. And yes, that takes hours, even if the disk is 100% wiped.
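The half-wiped disk is easy to spot if you look at the raw sectors instead of waiting on the carver: a wipe that was stopped early leaves a clean boundary between a zero-filled (or random-filled) region and untouched data. The script below is an added example, not part of the original post or of foremost. It reads an image (or a raw device such as /dev/sdb, with root) from the first byte to the last in 1 MiB chunks, counts all-zero chunks, measures the entropy of the rest, and reports where data remains. The demo() function builds a constructed 8 MiB image (4 MiB of zeros followed by 4 MiB of low-entropy text with a JPEG header) to show what a partial wipe looks like; the data in it is made up.

```python
"""Block-level wipe coverage check (added example, not the post's own tool).

Reads a disk image or raw device sequentially, end to end, and reports
how much of it is zero-filled, how much is high-entropy (random-pattern
wipe or encryption), and where low-entropy data (recoverable content)
still lives.  A wipe that stopped half-way shows up as a boundary.
"""
import math
import os
import tempfile
from collections import Counter

CHUNK = 1024 * 1024          # 1 MiB granularity for the coverage map
HIGH_ENTROPY = 7.5           # bits/byte; above this a chunk looks random/encrypted/compressed


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for repeated bytes, ~8 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_image(path: str, chunk: int = CHUNK) -> dict:
    """Walk the whole image and classify every chunk; never stops early."""
    zero = bytes(chunk)      # reference zero buffer, compared by slice to handle a short tail
    total = zero_chunks = 0
    first_nonzero = last_nonzero = None
    nonzero = []             # (byte offset, entropy) for chunks that are not all-zero
    with open(path, "rb", buffering=0) as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            off = total * chunk
            if buf == zero[: len(buf)]:
                zero_chunks += 1
            else:
                if first_nonzero is None:
                    first_nonzero = off
                last_nonzero = off
                nonzero.append((off, shannon_entropy(buf)))
            total += 1
    return {
        "chunks": total,
        "zero_chunks": zero_chunks,
        "zero_fraction": zero_chunks / total if total else 1.0,
        "first_nonzero": first_nonzero,
        "last_nonzero": last_nonzero,
        "nonzero": nonzero,
    }


def verdict(summary: dict) -> str:
    """Human-readable conclusion; 'NOT wiped' means low-entropy data was found."""
    if summary["chunks"] == 0:
        return "empty image"
    if summary["zero_chunks"] == summary["chunks"]:
        return "zero-filled end to end"
    low = [off for off, ent in summary["nonzero"] if ent < HIGH_ENTROPY]
    if not low:
        return "high-entropy everywhere (random-pattern wipe or encryption); still carve it"
    return "NOT wiped: low-entropy data in %d chunks between offsets %d and %d (%.0f%% of the disk is zero)" % (
        len(low), low[0], low[-1], 100 * summary["zero_fraction"])


def demo() -> tuple:
    """Constructed half-wiped image: 4 MiB zeros, then 4 MiB of text behind a JPEG header."""
    path = os.path.join(tempfile.mkdtemp(), "half_wiped.img")
    pattern = b"CONFIDENTIAL: customer record, do not distribute\n"   # made-up content
    body = (pattern * (4 * CHUNK // len(pattern) + 1))[: 4 * CHUNK]
    body = b"\xff\xd8\xff\xe0" + body[4:]        # JPEG SOI/APP0 right at the wipe boundary
    with open(path, "wb") as f:
        f.write(bytes(4 * CHUNK))
        f.write(body)
    summary = scan_image(path)
    os.remove(path)
    return summary, verdict(summary)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    s, v = (scan_image(target), None) if target else demo()
    print(v or verdict(s))
```

Run it as "python3 wipecheck.py /dev/sdb" (read-only access is enough; it never opens the device for writing) or with no argument to see the constructed demo. A zero-filled result is the cheap case; a high-entropy result is what DBAN's random passes or full-disk encryption leave behind, and is consistent with a proper wipe but still worth carving, which is why the verdict says so instead of calling it clean.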

When foremost is finished, you will have /home/folder_disk_name with one sub-folder per file format, plus an audit.txt listing everything it carved. So, from the example above, you will have (even if some folders are empty):

/home/folder_disk_name/jpg/ ;

/home/folder_disk_name/xls/ ;

/home/folder_disk_name/xlsx ; etc

Important: from this point on, power the USB adapter off, label the original disk with the sample number you gave it, and put it back in your safe or shoe box. The rest of the work happens on the carved copies only.

Now, assuming (I) you recovered hundreds of thousands of files and (II) you run Linux on an old laptop like my 10-year-old Toshiba with 512 MB of RAM, you won't be able to open the /jpg/ folder: the file manager will (try to) build a thumbnail for every image and may freeze or take hours to show what is inside. Trust me, your Linux will scream before you touch the scrollbar.

Use a simple find + cp command to quickly copy some images to another, more powerful computer. I use the following command (with a USB thumb drive connected to my Linux machine, mounted as /media/Cruzer):

find /home/folder_disk_name/ -iname '*.jpg' -size +1000k -exec cp '{}' /media/Cruzer/ \;

(Keep the quotes around *.jpg: unquoted, the shell expands it against your current directory before find ever sees it, and the curly quotes some blog engines produce around {} must be plain ASCII quotes.)

The command above only copies .jpg or .JPG files bigger than 1 MB to my thumb drive. This is not a good method if you want to check every single JPEG file's content…

I repeat the above command to xls/x, doc/x etc. So my thumbdrive ends full of recovered samples and I can open them in a faster desktop.
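When the same thumb drive collects samples from several disks, the offset-based names foremost produces collide across disks, and a plain cp silently overwrites earlier samples. The script below is an added example (not the post's own command, and not a foremost feature) that does the same sampling in one pass: it takes the N largest files from every type sub-folder of a foremost output directory, copies them under a per-disk label, and writes a SHA-256 manifest so each sample can later be tied back to the disk it came from. The demo() function builds a constructed foremost-style tree with made-up file contents; the folder names and the audit.txt placeholder are only there to mimic the layout.

```python
"""Sample the largest carved files per type from a foremost output tree.

Added example, not the original post's command.  Copies the N biggest
files of each type into dest/<disk_label>/<type>/ and appends a
tab-separated SHA-256 manifest, so samples from several disks can share
one drive without overwriting each other and can be traced back later.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Streamed SHA-256 so large carved files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def largest_per_type(carve_dir: str, per_type: int = 5, min_size: int = 0) -> dict:
    """Map each type sub-folder (jpg, xls, ...) to its largest files as (path, size)."""
    out = {}
    for sub in sorted(os.listdir(carve_dir)):
        d = os.path.join(carve_dir, sub)
        if not os.path.isdir(d):
            continue                      # audit.txt sits at the top level; skip it
        files = []
        for name in os.listdir(d):
            p = os.path.join(d, name)
            if os.path.isfile(p) and os.path.getsize(p) >= min_size:
                files.append((p, os.path.getsize(p)))
        files.sort(key=lambda t: (-t[1], t[0]))   # biggest first, name as tiebreaker
        out[sub] = files[:per_type]
    return out


def copy_samples(carve_dir: str, dest_dir: str, disk_label: str,
                 per_type: int = 5, min_size: int = 0) -> list:
    """Copy the chosen samples under dest_dir/disk_label/ and return the manifest rows."""
    manifest = []
    for ext, files in largest_per_type(carve_dir, per_type, min_size).items():
        for src, size in files:
            dst_dir = os.path.join(dest_dir, disk_label, ext)
            os.makedirs(dst_dir, exist_ok=True)
            shutil.copy2(src, os.path.join(dst_dir, os.path.basename(src)))
            manifest.append({"disk": disk_label, "type": ext,
                             "file": os.path.basename(src), "size": size,
                             "sha256": sha256_file(src)})
    os.makedirs(dest_dir, exist_ok=True)
    with open(os.path.join(dest_dir, disk_label + "-manifest.txt"), "a") as m:
        for row in manifest:
            m.write("{disk}\t{type}\t{file}\t{size}\t{sha256}\n".format(**row))
    return manifest


def demo() -> list:
    """Constructed foremost-like output tree (made-up contents), sampled with per_type=2."""
    root = tempfile.mkdtemp()
    carve = os.path.join(root, "folder_disk_name")
    layout = {"jpg": [10, 3000, 1500, 50], "xls": [700, 20000], "doc": []}
    for ext, sizes in layout.items():
        os.makedirs(os.path.join(carve, ext))
        for i, size in enumerate(sizes):
            with open(os.path.join(carve, ext, "%08d.%s" % (i, ext)), "wb") as f:
                f.write(bytes([i]) * size)           # filler, not real carved data
    with open(os.path.join(carve, "audit.txt"), "w") as f:
        f.write("constructed placeholder for foremost's audit.txt\n")
    manifest = copy_samples(carve, os.path.join(root, "samples"), "disk01",
                            per_type=2, min_size=100)
    shutil.rmtree(root)
    return manifest


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:    # carve_dir dest_dir disk_label
        for row in copy_samples(sys.argv[1], sys.argv[2], sys.argv[3]):
            print(row)
    else:
        for row in demo():
            print(row)
```

Usage: "python3 sample_carved.py /home/folder_disk_name /media/Cruzer disk07" for each disk; the manifest is appended, so it doubles as the list of which samples came from which physical disk when you write the report. Hashing the source file rather than the copy keeps the manifest meaningful even if the thumb drive is later rewritten.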

Remember: I’m only testing if the wipe process was performed or not, and I’m also checking the biggest recovered files – as samples – to determine which kind of file remains there, possibly telling me the files real owner.

This may help to accomplish a secondary objective: finding out whether that drive was reused for another of the partner's clients, which is usually forbidden in outsourcing contracts (DR sites, outsourced data centers, etc.), especially when ineffective wipe processes are in place. Again, sample examination…

Hope this helps you. If so, leave a comment.

R.Martin

Kali Linux 1st impressions

Kali Linux is (or will be, or is going to be) the new Backtrack: a Linux distribution dedicated to security testing, hacking and forensics, or, for dummies, to realizing they really need more study before pointing a Linux system at wrong behaviors.

Here, the first Metasploit / Kali webcast provided by Rapid7 and Offensive Security.

Kali has an advertising video, something amazing for an open source / non commercial tool. Congrats to Offensive Security guys.

I was able to download the 2 GB ISO this week and here are my first impressions.

The first thing I noticed is the live CD options include a Forensic Boot, so one of the great Backtrack features was kept. \o/

The live mode detected my installed Windows 7 was hibernating, so it refused to mount it (at least it explained the reason to me).

I’m not sure if for the same reason (existing / sleeping OS in the hard drive), but terminal icon did not work in Live Mode. It gave me a “gnome-terminal” input / output error. I was able to shut Live Mode down using the upper-right corner icon “root”.

Installing:

You can't use "disk partitioning" to shrink your currently installed O.S. and deploy Kali side by side with other systems if that O.S. is hibernating (it was a shot in the dark; I discovered this the way Isaac Newton discovered gravity, by getting hit on the head).

Unless you boot your original OS and shut it down properly (no hibernation!!!!), Kali will offer only install options that erase the entire disk.

To be honest, I could have erased this win7, but I wanted to see how Kali was going to treat existing systems, so I took some minutes to completely shut down Win7 and got back to Kali install screens.

One great thing: I was able to shrink my Windows 7 using a percentage instead of choosing how many GB I wanted for my original partition (I chose 60% for my fat Windows).

After shrinking it, Kali offered me to install all linux partitions in the same free space or redivide the free space to separate /home, /usr, /var and /tmp.

I decided to go "all in one" and my 80 GB hard drive was sliced into win7 (48 GB), ext4 (30.7 GB) and swap (1.3 GB).

Configuring a network mirror to download updates: good luck filling in the proxy credentials in that format, http://user:password@proxy_IP:port. I skipped it and later edited /etc/bash.bashrc to include that info.

Testing GRUB Boot Loader with Windows 7 – first time after Kali installation.

1st, Mr Grub, it’s not a “Vista system”, it’s a Win7…

2nd. Invalid argument? What?! Ok, continue it… loading win7…

Of course, Windows 7 detected an inconsistency in my NTFS partition and asked for a check-up (using the good ol' CHKDSK). I allowed it. Win7 finally loaded up and I shut it down; after all, this should be a post about KALI!! LoL. Going back to it now.

There is a "Top 10 Security Tools" category in the menu, for those with no real clue about where to start. Easiness is the word!

Here’s the list:

1 – Aircrack-ng (I would replace it with Gerix, since it's a more complete and user-friendly tool)

2 – burpsuite

3 – john the ripper

4 – Maltego

5 – Metasploit framework

6 – nmap

7 – sqlmap

8 – webscarab

9 – wireshark

10 – “zaproxy” – a.k.a Owasp Zap

Others:

– No more Ubuntu. Now, it’s Debian!! 🙂

– No more red background? Should be kept. After all, this kind of distro still represents the HELL for sysAdmins;

– Arduino IDE – for electronic components programming. Inclusion may have been inspired by latest Black Hat challenges or fuzzer presentations;

– Hardware Hacking, where you can find android tools. The next target for security researchers, indeed;

– Gerix is really nowhere to be found. Am I missing something? Is it obsolete already? Or was it removed because of those disgusting graphical point-and-click screens?

Anyway, there’s a lot to test before a new post. But I’m glad everyday more & more tools are being created or reorganized.

Bottom line: Kali Linux replaced Backtrack, which can now be considered RETIRED. Kali is improved and reorganized, with more tools and some (at least one) removed, for a reason I still intend to understand better.

Edit 2: Be careful when installing outside packages from Debian repositories. It can break your Kali tools menu.

Useful commands:

http://docs.kali.org/live-build/customize-the-kali-desktop-environment

apt-get install git live-build cdebootstrap

vim config/package-lists/kali.list.chroot

service postgresql start

service metasploit start