Difference between pages "Global Positioning System" and "Residual Data on Used Equipment"

From ForensicsWiki
(Difference between pages)
(Forensics)
 
m (Newsworthy Used Hard Drive Stories)
 
Line 1: Line 1:
The '''Global Positioning System''' ('''GPS''') is a satellite navigation system.
+
Used hard drives are frequently a good source of images for testing forensic tools. That's because many individuals, companies and organizations neglect to properly sanitize their hard drives before they are sold on the secondary market.
  
== Forensics ==
+
You can find used hard drives on eBay, at swap meets, yard sales, and even on the street.
  
There are several places where GPS information can found. It can be very useful for forensic investigations in certain situations. GPS devices have expanded their capabilites and features as the technology has improved. Some of the most popular GPS devices today are made by [http://www.TomTom.com TomTom]. Some of the other GPS manufacturors include [http://www.garmin.com Garmin] and [http://www.magellangps.com Magellan].
 
  
[http://www.cortextech.com/tomtom910.jpg Picture of TomTom910]
+
=Newsworthy Used Hard Drive Stories=
  
TomTom provides a wide range of devices for biking, hiking, and car navigation. Depending on the capabilities of the model, several different types of digital evidence can be located on these devices. For instance, the [http://www.tomtom.com/products/product.php?ID=212&Category=0&Lid=1 TomTom 910] is basically a 20GB external harddrive. This model can be docked with a personal computer via a USB cable or through the use of Bluetooth technology. The listed features include the ability to store pictures, play MP3 music files, and connect to certain cell phones via bluetooth technology. Data commonly found on cell phones could easily be found on the TomTom910. Via the Bluetooth, the TomTom can transfer the entire contact list from your phone. The GPS unit also records your call logs and SMS messages. Research needs to be done to see if the TomTom stores actual trips conducted with the unit. This would include routes, times, and travel speeds.  
+
There have been several incidents in which individual have purchased a large number of hard drives and written about what they have found. This web page is an attempt to catalog all of those stories in chronological order.
  
The TomTom unit connects to a computer via a USB base station. An examiner should be able to acquire the image of the harddrive through a USB write blocker. If not, it may be necessary to remove the hard drive from the unit.  
+
* '''2003-01''': [[Simson Garfinkel]] and Abhi Shelat at MIT publish a study in ''IEEE Security and Privacy Magazine''  which documents large amount of personal and business-sensitive information found on 250 drives purchased on the secondary market.
  
TomTom models such the TomTom One Regional, TomTom Europe, Go 510, Go 710 and the Go 720 store map data, favourites, and recent destinations on a removable SD card.  This allows the forensic examiner to remove the SD card and make a backup with a write blocked SD card reader.  The most important file for the forensic examiner will be the CFG file that is held in the map data directory. This holds a list of all recent destinations that the user has entered into the device. The information is held in a hex file and stores the represents grid coordinates of these locations.
+
* '''2006-06''': A man buys a family's hard drive at a fleamarket in Chicago after the family's hard drive is upgraded by Best Buy. Apparently somebody at Best Buy violated company policy and instead of destroying the hard drive, they sold it. [http://www.youtube.com/watch?v=pcyemfJ5H3o&NR Target 5 Investigation]
  
Certain TomTom models (Go 510, Go 910, Go 920 etc.) allow the user to pair their mobile phone to the device so they can use the TomTom as a hands free kitIf the user has paired their phone to the TomTom device, then the TomTom will store the Bluetooth MAC ID for up to five phones, erasing the oldest if a sixth phone is paired. Depending on the phone model paired with the TomTom, there may also be Call lists, contacts and text messages (sent & received) stored in the device too. Automated forensic analysis for TomTom GPS units is possible with software from Digivence - Forensic Analyser - TomTom Edition.  [http://www.digivence.com/SCREEN%20OPTIMISED%20REPORT%20-%20Demo%2011072007%20163219.htm Sample Report]
+
* '''2006-08-10''': The University of Glamorgan in Wales purchased 317 used hard drives from the UK, Australia, Germany, and the US. 25% of the 200 drives purchased from the UK market had been completely wiped. 40% of the purchased drives didn't work40% came from businesses, of which 23% contained enough information to identify the company. 5% had business sensitive information. 25% came from individuals, of which many had pornography, and 2 had to be referred to the police for suspected child pornography.
 
+
=== Digital Camera Images with GPS Information ===
+
  
Some recent digital cameras have built-in GPS receivers (or external modules you can connect to the camera). This makes it possible for the camera to record where extactly a photo was taken. This positioning information (latitude, longitude) can be stored in the [[Exif]] [[metadata]] header of [[JPEG]] files. Tools such as [[jhead]] can display the GPS information in the [[Exif]] headers.
+
* '''2006-08-14''': [http://news.bbc.co.uk/2/hi/business/4790293.stm BBC News] reports on bank account information recovered from used PC hard drives and being sold in Nigeria for £20 each. The PCs had apparently come from recycling points run by UK town councils that are then "recycled" by being sent to Africa.
  
=== Cell Phones with GPS ===
+
* '''2006-08-15''': Simson Garfinkel presents results of a study of 1000 hard drives (750 working) at the 2006 Workshop on Digital Forensics. Results of the study show that information can be correlated across hard drives using Garfinkel's [[Cross Drive Analysis]] approach.
  
Some recent cell phones (e.g. a [http://wiki.openezx.org Motorola EZX phone] such as the Motorola A780) have a built-in GPS receiver and navigation software. This software might record the paths travelled (and the date/time), which can be very useful in forensic investigations.
+
* '''2007-02-06''': [http://www.fulcruminquiry.com Fulcrum Inquiry], a Los Angeles litigation support firm, purchased 70 used hard drives from 14 firms and discovered confidential information on 2/3rds of the drives.
 
+
== External Links ==
+
 
+
* [http://en.wikipedia.org/wiki/Global_Positioning_System Wikipedia: GPS]
+
 
+
 
+
* [http://www.digivence.com Digivence: TomTom Forensic Analyser]
+
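Review bot: In the added 2006-08-10 entry, the percentages have no stated base. The entry mentions 317 drives in total and 200 from the UK market, but "40% of the purchased drives", "40% came from businesses", "5% had business sensitive information" and "25% came from individuals" do not say which of those figures they are measured against, so the counts cannot be reconstructed. Suggest naming the base for each figure. Separately, the 2003-01 and 2006-08-15 entries cite studies without a link, while the 2006-06, 2006-08-14 and 2007-02-06 entries each carry one; a reference for those two would make the catalogue checkable.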

Revision as of 16:54, 14 February 2007

Used hard drives are frequently a good source of images for testing forensic tools. That's because many individuals, companies and organizations neglect to properly sanitize their hard drives before they are sold on the secondary market.

You can find used hard drives on eBay, at swap meets, yard sales, and even on the street.


Newsworthy Used Hard Drive Stories

There have been several incidents in which individuals have purchased a large number of hard drives and written about what they found. This web page is an attempt to catalog all of those stories in chronological order.

  • 2003-01: Simson Garfinkel and Abhi Shelat at MIT publish a study in IEEE Security and Privacy Magazine which documents a large amount of personal and business-sensitive information found on 250 drives purchased on the secondary market.
  • 2006-06: A man buys a family's hard drive at a flea market in Chicago after the family's hard drive is upgraded by Best Buy. Apparently somebody at Best Buy violated company policy and, instead of destroying the hard drive, sold it. Target 5 Investigation
  • 2006-08-10: The University of Glamorgan in Wales purchased 317 used hard drives from the UK, Australia, Germany, and the US. 25% of the 200 drives purchased from the UK market had been completely wiped. 40% of the purchased drives didn't work. 40% came from businesses, of which 23% contained enough information to identify the company. 5% had business-sensitive information. 25% came from individuals, of which many had pornography, and 2 had to be referred to the police for suspected child pornography.
  • 2006-08-14: BBC News reports on bank account information recovered from used PC hard drives and being sold in Nigeria for £20 each. The PCs had apparently come from recycling points run by UK town councils and were then "recycled" by being sent to Africa.
  • 2006-08-15: Simson Garfinkel presents results of a study of 1000 hard drives (750 working) at the 2006 Workshop on Digital Forensics. Results of the study show that information can be correlated across hard drives using Garfinkel's Cross Drive Analysis approach.
  • 2007-02-06: Fulcrum Inquiry, a Los Angeles litigation support firm, purchased 70 used hard drives from 14 firms and discovered confidential information on 2/3rds of the drives.