Difference between pages "Windows" and "Residual Data on Used Equipment"

From ForensicsWiki

'''Residual Data on Used Equipment''' (page 2 of the comparison)

Used hard drives are frequently a good source of images for testing forensic tools. That's because many individuals, companies and organizations neglect to properly sanitize their hard drives before they are sold on the secondary market.

You can find used hard drives on eBay, at swap meets, yard sales, and even on the street.

=Popular Press=

==ATMs==

* '''2009-11-21''': Robert Siciliano, a security consultant to Intelius.com and personal ID theft expert, buys an ATM for $750 from a bar in Boston. The machine comes with more than 1000 credit and ATM card numbers. http://www.theregister.co.uk/2009/11/18/second_hand_atm_fraud_risk/

==Memory Sticks==

* Used memory sticks being sold on the internet have been found to contain sensitive Australian government data, according to a study by Patryk Szewczyk and Krishnun Sansurooah of the Security Research Institute at Perth's Edith Cowan University. http://www.theaustralian.com.au/technology/government-data-found-on-memory-sticks/story-e6frgakx-1226773129880

==Hard Drives==

There have been several incidents in which individuals have purchased a large number of hard drives and written about what they have found. This web page is an attempt to catalog all of those stories in chronological order.

* '''2003-01''': [[Simson Garfinkel]] and Abhi Shelat at MIT publish a study in ''IEEE Security and Privacy Magazine'' which documents large amounts of personal and business-sensitive information found on 150 drives purchased on the secondary market.
* '''2006-06''': A man buys a family's hard drive at a flea market in Chicago after the family's hard drive is upgraded by Best Buy. Apparently somebody at Best Buy violated company policy and, instead of destroying the hard drive, sold it.
* '''2006-08-10''': The University of Glamorgan in Wales purchased 317 used hard drives from the UK, Australia, Germany, and the US. 25% of the 200 drives purchased from the UK market had been completely wiped. 40% of the purchased drives didn't work. 40% came from businesses, of which 23% contained enough information to identify the company. 5% had business-sensitive information. 25% came from individuals, of which many had pornography, and 2 had to be referred to the police for suspected child pornography.
* '''2006-08-14''': [http://news.bbc.co.uk/2/hi/business/4790293.stm BBC News] reports on bank account information recovered from used PC hard drives and being sold in Nigeria for £20 each. The PCs had apparently come from recycling points run by UK town councils and were then "recycled" by being sent to Africa.
* '''2006-08-15''': Simson Garfinkel presents results of a study of 1000 hard drives (750 working) at the 2006 Workshop on Digital Forensics. Results of the study show that information can be correlated across hard drives using Garfinkel's [[Cross Drive Analysis]] approach.
* '''2007-02-06''': [http://www.fulcruminquiry.com Fulcrum Inquiry], a Los Angeles litigation support firm, purchased 70 used hard drives from 14 firms and discovered confidential information on two-thirds of the drives.
* '''2007-08-30''': Bill Ries-Knight, an IT consultant, purchases a 120GB Seagate hard drive on eBay for $69. Although the drive was advertised as new, it apparently had previously been used by the campaign of Mike Beebe, who won the Arkansas state governorship in November 2006. "Among the files were documents listing the private cell phone numbers of political allies, including US Senators Blanche Lincoln and Mark Pryor and US Representatives Marion Berry, Mike Ross and Vic Snyder. It also included talking points to guide the candidate as he called influential people whose support he sought," states an article published in [http://www.theregister.co.uk/2007/08/30/governors_data_sold_on_ebay/ The Register].
* '''2008-01-28''': Gregory Evans, a security consultant in Marina Del Rey, Calif., bought a $500 computer at a swap meet from a former mortgage company. It contained credit reports on 300 people in a deleted file, according to an article published in [http://www.nydailynews.com/money/2008/01/28/2008-01-28_sensitive_info_lives_on_in_old_computers.html The New York Daily News]. The security consultant was also able to recover the usernames and passwords of the mortgage company's former employees.
* '''2009-02-10''': Michael Kessler, CEO of Kessler International, a New York City forensics firm, bought 100 "relatively modern drives, the vast majority of them Serial ATA" from eBay over the course of 6 months. The drives ranged in size from 400GB to 300GB. 40% of the drives were found to contain sensitive data. [http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=storage&articleId=9127717&taxonomyId=19&intsrc=kc_top]
* '''2009-05-07''': The University of Glamorgan bought disks in its annual survey of used hard drives and found "Details of test launch procedures for the THAAD (Terminal High Altitude Area Defence) ground-to-air missile defence system." [http://news.bbc.co.uk/2/hi/uk_news/wales/8036324.stm Missile data found on hard drives, BBC News, May 7, 2009]
* '''2009-07-30''': Reporters working for the PBS show Frontline on a story about electronic waste find hard drives in Ghana, one of which contains "hundreds and hundreds of documents about government contracts" and had previously been used by a TSA subcontractor. The documents were marked "competitive sensitive" and covered contracts with the Defense Intelligence Agency. The hard drive was not encrypted. [http://itworld.com/security/69758/reporters-find-northrop-grumman-data-ghana-market Reporters find Northrop Grumman data in Ghana market, Robert McMillan, IT World, June 24, 2009]
* '''2009-09-23''': The Inspector General of the United States Department of Defense issues a report about the widespread sale and return of equipment containing sensitive information. [http://www.dodig.mil/Audit/reports/fy09/09-104.pdf Report No. D-2009-104, September 21, 2009, Sanitization and Disposal of Excess Information Technology Equipment].
* '''2010-12-08''': NASA decommissions 14 computers with hard drives that "failed tests to verify data had been destroyed." The drives turn up in a dumpster with sensitive information regarding the Space Shuttle. [http://www.theregister.co.uk/2010/12/08/nasa_disk_wiping_failure/ Reported by Dan Goodin in San Francisco, The Register, 8th December 2010]
* '''2012-04-25''': A report published by the [http://www.ico.gov.uk/ UK Information Commissioner's Office] finds that 1 in 10 hard drives sold on the secondary market contains highly sensitive information, based on a "mystery shopper" study in which an organization purchased 200 hard drives on the Internet and at used computer fairs. [http://news.techworld.com/security/3353817/infosec-2012-one-in-10-second-hand-hard-drives-contain-personal-data/ Sophie Curtis, "InfoSec 2012: One in 10 second-hand hard drives contain personal data", April 2012].
* '''2013-07-14''': [http://news.techworld.com/security/3457470/hospital-fined-200000-after-hard-drive-full-of-patient-data-bought-on-ebay/ UK's National Health Service Surrey was fined £200,000 ($300,000)] after it sold a hard drive that contained 3,000 patient records (2,000 children and 900 adults). Apparently the drives were provided to a PC recycler on the grounds that they be destroyed. The recycler provided a destruction certificate, then sold the drives on eBay. A member of the public bought the drive, discovered what they had, and alerted the authorities. [Source: Hospital fined £200,000 after hard drive full of patient data bought on eBay, by John E Dunn, Techworld, 14 July 2013]

==Cell Phones==

* [http://www.wired.com/techbiz/media/news/2003/08/60052 BlackBerry Reveals Bank's Secrets], Wired, August 8, 2005.
* [http://www.taipeitimes.com/News/feat/archives/2008/09/28/2003424400 Who has your old phone's data], Pete Warren, The Guardian, London, Sept. 28, 2008, page 13.
* [http://www.myfoxdc.com/myfox/pages/News/Detail?contentId=8055902&version=1&locale=EN-US&layoutCode=TSTY&pageId=3.2.1 McCain Campaign Sells Info-Loaded Blackberry to FOX 5 Reporter], by Tisha Thompson and Rick Yarborough, FOX 5 Investigative Unit, 11 December 2008. (See also [http://www.theregister.co.uk/2008/12/12/mccain_blackberry/])

'''Windows''' (page 1 of the comparison)

{{Expand}}

'''Windows''' is a widespread [[operating system]] from [[Microsoft]].

There are 2 main branches of Windows:
* the DOS-branch: i.e. Windows 95, 98, ME
* the NT-branch: i.e. Windows NT 4, XP, Vista

== Features ==
* Basic and Dynamic Disks, see: [http://msdn.microsoft.com/en-us/library/windows/desktop/aa363785(v=vs.85).aspx]

=== Introduced in Windows NT ===
* [[NTFS]]

=== Introduced in Windows 2000 ===

=== Introduced in Windows XP ===
* [[Prefetch]]
* System Restore (Restore Points); also present in Windows ME

==== SP2 ====
* Windows Firewall

=== Introduced in Windows Server 2003 ===
* Volume Shadow Copies

=== Introduced in [[Windows Vista]] ===
* [[BitLocker Disk Encryption | BitLocker]]
* [[Windows Desktop Search | Search]] integrated in operating system
* [[ReadyBoost]]
* [[SuperFetch]]
* [[NTFS|Transactional NTFS (TxF)]]
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
* $Recycle.Bin
* [[Windows XML Event Log (EVTX)]]
* [[User Account Control (UAC)]]

=== Introduced in Windows Server 2008 ===

=== Introduced in [[Windows 7]] ===
* [[BitLocker Disk Encryption | BitLocker To Go]]
* [[Jump Lists]]
* [[Sticky Notes]]

=== Introduced in [[Windows 8]] ===
* [[Windows File History | File History]]
* [[Windows Storage Spaces | Storage Spaces]]
* [[Search Charm History]]
* [[Resilient File System (ReFS)]]; was initially available in the Windows 8 server edition.

=== Introduced in Windows Server 2012 ===
* [[Resilient File System (ReFS)]]

== Forensics ==

=== Partition layout ===
Default partition layout, first partition starts:
* at sector 63 in Windows 2000, XP, 2003
* at sector 2048 in Windows Vista, 2008, 7

=== Filesystems ===
* [[FAT]], [[FAT|exFAT]]
* [[NTFS]]
* [[Resilient File System (ReFS) | ReFS]]

=== Recycle Bin ===

==== RECYCLER ====
Used by Windows 2000, XP.
Uses INFO2 file.

See: [http://www.cybersecurityinstitute.biz/downloads/INFO2.pdf]

==== $RECYCLE.BIN ====
Used by Windows Vista.
Uses $I and $R files.

See: [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf]
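The $RECYCLE.BIN section above only says that Vista-era recycle bins keep a $I metadata file next to each $R content file. The following Python parser is an added example, not code from the wiki page or from the linked paper; its record layout comes from public descriptions of the format rather than from this page: an 8-byte version (1 on Vista through 8.1), the original file size, the deletion time as a Windows FILETIME, and the original path in UTF-16LE (a fixed 520-byte field in version 1; the version-2 variant of later releases, with a 4-byte character count before the path, is included as a generalization). The sample record, path and $I file name are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Layout assumed from public descriptions of the $I record (not from the wiki page):
#   0x00  u64  format version (1 = Vista .. 8.1, 2 = later releases)
#   0x08  u64  original file size in bytes
#   0x10  u64  deletion time as FILETIME
#   0x18  v1: 520 bytes of UTF-16LE path, NUL padded (260 characters)
#         v2: u32 character count (incl. NUL) followed by the UTF-16LE path
HEADER = struct.Struct("<QQQ")
V1_PATH_BYTES = 520


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data: bytes) -> dict:
    """Decode one $I metadata record into its fields."""
    if len(data) < HEADER.size:
        raise ValueError("record shorter than the 24-byte $I header")
    version, size, ft = HEADER.unpack_from(data, 0)
    if version == 1:
        raw_path = data[HEADER.size:HEADER.size + V1_PATH_BYTES]
        if len(raw_path) < V1_PATH_BYTES:
            raise ValueError("truncated version-1 path field")
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, HEADER.size)
        start = HEADER.size + 4
        raw_path = data[start:start + nchars * 2]
        if len(raw_path) < nchars * 2:
            raise ValueError("truncated version-2 path field")
    else:
        raise ValueError(f"unsupported $I version {version}")
    # The path is NUL terminated inside the field; keep only the text before the terminator.
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": path,
    }


def r_file_name(i_file_name: str) -> str:
    """The deleted content lives in the $R file that shares the $I file's suffix."""
    if not i_file_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_file_name[2:]


def build_dollar_i(path: str, size: int, deleted_at: datetime, version: int = 1) -> bytes:
    """Encode a $I record; used to construct the sample below."""
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    header = HEADER.pack(version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        if len(encoded) > V1_PATH_BYTES:
            raise ValueError("path too long for a version-1 record")
        return header + encoded.ljust(V1_PATH_BYTES, b"\x00")
    if version == 2:
        return header + struct.pack("<I", len(encoded) // 2) + encoded
    raise ValueError(f"unsupported $I version {version}")


# Constructed sample: a hypothetical spreadsheet deleted on 2013-12-03 20:52 UTC.
SAMPLE_PATH = r"C:\Users\alice\Documents\budget.xlsx"
SAMPLE_DELETED_AT = datetime(2013, 12, 3, 20, 52, 0, tzinfo=timezone.utc)
SAMPLE_RECORD = build_dollar_i(SAMPLE_PATH, 24576, SAMPLE_DELETED_AT)

if __name__ == "__main__":
    record = parse_dollar_i(SAMPLE_RECORD)
    print(f"{r_file_name('$IQX3K9P.xlsx')} holds the content of {record['original_path']}")
    print(f"size {record['original_size']} bytes, deleted {record['deleted_at'].isoformat()}")
```

When run against real files, pass the bytes of each `$I…` file in a user's `$RECYCLE.BIN\<SID>` folder to `parse_dollar_i`; the timestamp it returns is the deletion time, not the file's original modification time, which has to be read from the matching `$R` file's own metadata.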
=== Registry ===

The [[Windows Registry]] is a database of keys and values that provides a wealth of information to forensic [[investigator]]s.

=== Thumbs.db Files ===

[[Thumbs.db]] files can be found on many Windows systems. They contain thumbnails of images or documents and can be of great value for the [[investigator]].

See also: [[Vista thumbcache]].

=== Browser Cache ===

=== Browser History ===

The [[Web Browser History]] files can contain significant information. The default [[Web browser|web browser]] that comes with Windows is [[Internet Explorer|Microsoft Internet Explorer]], but other common browsers on Windows are [[Apple Safari]], [[Google Chrome]], [[Mozilla Firefox]] and [[Opera]].

=== Search ===
See [[Windows Desktop Search]]

=== Setup log files (setupapi.log) ===
Windows Vista introduced several setup log files [http://support.microsoft.com/kb/927521].

=== Sleep/Hibernation ===

After (at least) Windows 7 recovers from sleep/hibernation there often is a system time change event (event id 1) in the event logs.

=== Users ===
Windows stores a user's security identifiers (SIDs) under the following registry key:
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
</pre>

The %SID%\ProfileImagePath value should also contain the username.

=== Windows Error Reporting (WER) ===

As of Vista, for User Account Control (UAC) elevated applications WER reports can be found in:
<pre>
C:\ProgramData\Microsoft\Windows\WER\
</pre>

As of Vista, for non-UAC elevated applications (LUA) WER reports can be found in:
<pre>
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\WER\
</pre>

Corresponding registry key:
<pre>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
</pre>

== Advanced Format (4KB Sector) Hard Drives ==
Windows XP does not natively handle drives that use the new standard of 4KB sectors. For information on this, see [[Advanced Format]].

== %SystemRoot% ==
The actual value of %SystemRoot% is stored in the following registry value:
<pre>
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Value: SystemRoot
</pre>

== See Also ==
* [[Windows Event Log (EVT)]]
* [[Windows XML Event Log (EVTX)]]
* [[Windows Vista]]
* [[Windows 7]]
* [[Windows 8]]

== External Links ==

* [http://en.wikipedia.org/wiki/Microsoft_Windows Wikipedia: Microsoft Windows]
* [http://support.microsoft.com/kb/927521 Windows 7, Windows Server 2008 R2, and Windows Vista setup log file locations]
* [http://www.forensicfocus.com/downloads/forensic-analysis-vista-recycle-bin.pdf The Forensic Analysis of the Microsoft Windows Vista Recycle Bin], by [[Mitchell Machor]], 2008
* [http://www.ericjhuber.com/2013/02/microsoft-file-system-tunneling.html?m=1 Microsoft Windows File System Tunneling], by [[Eric Huber]], February 24, 2013
* [http://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf Spotting the Adversary with Windows Event Log Monitoring], by National Security Agency/Central Security Service, February 28, 2013

=== Malware/Rootkits ===
* [http://forensicmethods.com/inside-windows-rootkits Inside Windows Rootkits], by [[Chad Tilbury]], September 4, 2013

=== Tracking removable media ===
* [http://www.swiftforensics.com/2012/08/tracking-usb-first-insertion-in-event.html Tracking USB First insertion in Event logs], by Yogesh Khatri, August 18, 2012

=== Under the hood ===
* [http://msdn.microsoft.com/en-us/library/windows/desktop/aa366533(v=vs.85).aspx MSDN: Comparing Memory Allocation Methods], by [[Microsoft]]
* [http://blogs.msdn.com/b/ntdebugging/archive/2007/06/28/how-windows-starts-up-part-the-second.aspx How Windows Starts Up (Part the second)]
* [http://msdn.microsoft.com/en-us/library/aa375142.aspx DLL/COM Redirection]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx Dynamic-Link Library Search Order]
* [http://blogs.msdn.com/b/junfeng/archive/2004/04/28/121871.aspx Image File Execution Options]

==== MSI ====
* [http://blogs.msdn.com/b/heaths/archive/2009/02/02/changes-to-package-caching-in-windows-installer-5-0.aspx?Redirected=true Changes to Package Caching in Windows Installer 5.0], by Heath Stewart, February 2, 2009
* [http://blog.didierstevens.com/2013/07/26/msi-the-case-of-the-invalid-signature/ MSI: The Case Of The Invalid Signature], by Didier Stevens, July 26, 2013

==== Side-by-side (WinSxS) ====
* [http://en.wikipedia.org/wiki/Side-by-side_assembly Wikipedia: Side-by-side assembly]
* [http://msdn.microsoft.com/en-us/library/aa374224.aspx Assembly Searching Sequence]
* [http://blogs.msdn.com/b/junfeng/archive/2007/06/26/rt-manifest-resource-and-isolation-aware-enabled.aspx RT_MANIFEST resource, and ISOLATION_AWARE_ENABLED]
* [http://msdn.microsoft.com/en-us/library/windows/desktop/dd408052(v=vs.85).aspx Isolated Applications and Side-by-side Assemblies]
* [http://blogs.msdn.com/b/junfeng/archive/2006/01/24/517221.aspx#531208 DotLocal (.local) Dll Redirection], by [[Junfeng Zhang]], January 24, 2006
* [http://blogs.msdn.com/b/junfeng/archive/2006/04/14/576314.aspx Diagnosing SideBySide failures], by [[Junfeng Zhang]], April 14, 2006
* [http://omnicognate.wordpress.com/2009/10/05/winsxs/ EVERYTHING YOU NEVER WANTED TO KNOW ABOUT WINSXS]

==== Application Compatibility Database ====
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatibility Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatibility Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
* [http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012

==== System Restore (Restore Points) ====
* [http://en.wikipedia.org/wiki/System_Restore Wikipedia: System Restore]
* [http://www.stevebunting.org/udpd4n6/forensics/restorepoints.htm Restore Point Forensics], by [[Steve Bunting]]
* [http://windowsir.blogspot.ch/2007/06/restore-point-analysis.html Restore Point Analysis], by [[Harlan Carvey]], June 16, 2007
* [http://windowsir.blogspot.ch/2006/10/restore-point-forensics.html Restore Point Forensics], by [[Harlan Carvey]], October 20, 2006
* [http://www.ediscovery.co.nz/wip/srp.html System Restore Point Log Decoding]

==== Crash dumps ====
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Technet: Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010
* [http://support.microsoft.com/kb/315263 MSDN: How to read the small memory dump file that is created by Windows if a crash occurs], by [[Microsoft]]

==== Recent File cache ====
* [http://journeyintoir.blogspot.ch/2013/12/revealing-recentfilecachebcf-file.html Revealing the RecentFileCache.bcf File], by [[Corey Harrell]], December 2, 2013

==== RPC ====
* [http://blogs.technet.com/b/networking/archive/2008/10/24/rpc-to-go-v-1.aspx RPC to Go v.1], by Michael Platts, October 24, 2008
* [http://blogs.technet.com/b/networking/archive/2008/12/04/rpc-to-go-v-2.aspx RPC to Go v.2], by Michael Platts, December 4, 2008

==== USB ====
* [https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf USBKEY Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009
* [https://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf USB Drive Enclosure Guide], by [[SANS | SANS Institute - Digital Forensics and Incident Response]], September 2009

==== WMI ====
* [http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__understanding-wmi-malware.pdf Understanding WMI Malware], by Julius Dizon, Lennard Galang, and Marvin Cruz, July 2010

==== Windows Error Reporting (WER) ====
* [http://blogs.technet.com/b/yongrhee/archive/2010/12/29/drwtsn32-on-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2.aspx Drwtsn32 on Windows Vista/Windows Server 2008/Windows 7/Windows Server 2008 R2], by Yong Rhee, December 29, 2010

==== Windows Firewall ====
* [http://en.wikipedia.org/wiki/Windows_Firewall Wikipedia: Windows Firewall]
* [http://technet.microsoft.com/en-us/library/cc737845(v=ws.10).aspx#BKMK_log Windows Firewall Tools and Settings]

==== Windows 32-bit on Windows 64-bit (WoW64) ====
* [http://en.wikipedia.org/wiki/WoW64 Wikipedia: WoW64]

=== Windows XP ===
* [http://support.microsoft.com/kb/q308549 Description of Windows XP System Information (Msinfo32.exe) Tool]

[[Category:Operating systems]]

'''Residual Data on Used Equipment''' (page 2 of the comparison, continued)

==Cameras==

* [http://www.telegraph.co.uk/news/uknews/3107003/Camera-sold-on-eBay-contained-MI6-files.html Camera sold on eBay contained MI6 files], Jessica Salter, Telegraph, September 30, 2008.

==Network Equipment==

* [http://www.pcpro.co.uk/news/227190/council-sells-security-hole-on-ebay.html Council sells security hole on Ebay], Matthew Sparkes, PC Pro, September 29, 2008 - Kirklees Council (UK) sells a Cisco [[VPN]] 3002 Concentrator on eBay for 99 pence. The device is purchased by Andrew Mason, a security consultant, who discovers that the Cisco [[VPN]] device still has the full configuration for Kirklees Council and the device hasn't been deactivated.

==MP3 Players==

* [http://news.yahoo.com/s/ap/20090127/ap_on_re_as/as_new_zealand_us_military_files NZ man's MP3 player holds US military files], Associated Press, Jan 27, 2009. A man from New Zealand bought an MP3 player at a thrift shop in Oklahoma that had 60 US military files, "including names and telephone numbers for American soldiers."

=Academic Publications=

<bibtex>
@article{JICLT80,
author = {Andy Jones and Glenn Dardick and Gareth Davies and Iain Sutherland and Craig Valli},
title = {The 2008 Analysis of Information Remaining on Disks Offered for Sale on the Second Hand Market},
journal = {Journal of International Commercial Law and Technology},
volume = {4},
number = {3},
year = {2009},
keywords = {Computer forensics, disk analysis, data recovery, data disposal, data destruction, data leakage, privacy.},
abstract = {The use of computers that contain hard disks to process and store information has been ubiquitous across organisations in both the public and private sector for more than two decades and is being ever more widely used by individuals in the home. During that time, the processing capability of the computers has increased enormously. At the same time the storage capacity of the computers has increased from tens of Megabytes to hundreds of Gigabytes and the use of Terabyte storage devices in both commercial and private locations is now becoming increasingly common. In recent years, because of social change and alterations in the way in which organisations work, there has also been an increasing trend in the use of the same computer to process and store both the organisation's and the individual's personal information. It is clear that the majority of organisations and private individuals still remain ignorant or misinformed of the potential volume and type of information that is stored on the hard disks contained within these computer systems. As a result, they have not considered, or are unaware of, the potential impact of this information becoming available to an unintended third party.

This is the fourth study in an ongoing research effort that is being conducted into the volume and type of information that remains on computer hard disks offered for sale on the second hand market. The research has been undertaken to gain an understanding of the level and types of information that remains on these disks and to determine the damage that could, potentially be caused, if the information was misused. These studies have examined a large number of disks that have been purchased in a number of countries. The rationale for this was to determine whether there are any national or regional differences in the way that computer disks are disposed of and to compare the results for any regional or temporal trends.

The first study was carried out in 2005 and has been repeated annually with the scope extended to include additional research partners and countries during each of the subsequent years. The studies were carried out by British Telecommunications and the University of Glamorgan in the UK, Edith Cowan University in Australia and Longwood University in the USA.

The core methodology of the research has remained the same over the duration of the study: to acquire a number of second hand computer disks from a range of sources and then to determine whether they still contained information relating to a previous owner or if the device had been effectively erased. If the disks still contained information, the research examined whether it was in a sufficient volume and of enough sensitivity to the original owner to represent a risk if unintentionally exposed to a third party. One of the results of the research has been that for a very large proportion of the disks that have been examined, there was significant information present and both organisations and individuals were potentially exposed to the possibility of a compromise of sensitive information. Potential impacts of this might include embarrassment to individuals and organisations, fraud, blackmail and identity theft. It is noted that where the disks had originally been owned by organisations, they had, in most cases, failed to meet their statutory, regulatory and legal obligations.

In the 2008 study, the fourth in the series, the research methodology that had been followed in the previous studies was repeated, but in addition the scope was again broadened geographically to include disks sourced from within France.},
issn = {1901-8401},
url = {http://www.jiclt.com/index.php/jiclt/article/view/80/79}
}
</bibtex>

=See Also=

* [[Residual Data]]
* [[Residual Data in Document Files]]
* [http://www.privacyrights.org/data-breach?order=field_breach_total_value&sort=desc Privacy Rights Clearinghouse Chronology of Data Breaches]
Latest revision as of 20:52, 3 December 2013
