
Anti-Forensics – not as easy as once thought
April 4, 2009
image by wchulseiee (http://www.flickr.com/photos/wchulseiee/2427418216/)
My laptop is pretty secure. I am not silly enough to think that it is 100% secure or that no one could get into it, but relative to most laptops out there it is not too bad. There are weaknesses imposed by time or software requirements, but I think I am aware of most of them. I don’t encrypt the operating system (yet), but all data partitions are encrypted. It has been configured with the goal that all sensitive data and metadata (web browser, IM, video, audio, cache, bookmarks) is encrypted.
Once data is no longer required it is stored on the servers at the office and then ‘wiped’ off the encrypted drives at regular intervals. All metadata is wiped from the encrypted drives each weekend, which leaves at most one week of metadata, assuming an attacker can get into the encrypted drives to view it at all. The main reason for all this is to protect customer data. I, like others in my industry, work with institutions and their data. In many cases that data would be politically, financially or image ‘sensitive’ if it got into the wrong hands. Should my laptop ever be stolen, I want to at least make it difficult for an attacker to gain access to the data in a reasonable period of time.
Imagine my surprise when, while re-configuring my laptop, I discovered that my deleted-file metadata had somehow been reset to write to a different location, on an unencrypted area of my drive. The following is a partial view of the files I discovered. The files went back as far as November 2008.

Trash Meta Directory on laptop
These are standard text files holding information about each deleted file: the original file location as well as a timestamp indicating when the file was deleted.

Trash meta data file details
Even though the actual data files were not present, there is a lot of information here. Just from the data in the files above, one could easily determine the names of files worked on and their importance, the directory structure of the encrypted partitions, the date each file was deleted, and more. From that you could very easily put together a timeline of a customer, the projects being worked on and the dates of project activity: useful information that could be sold, or used to a competing company’s or party’s advantage in court, in a bid, or for a competing product or service.
There is a lot of ‘negativity’ around anti-forensics lately, especially in the forensics community. Although I understand and appreciate the problems and concerns they have, I believe anti-forensics is necessary and a good thing; it all depends on who is using it and why. Needless to say, I have fixed the problem with my laptop and ‘double checked’ my drive encryption and scripts to ensure they execute correctly.
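To make the point concrete, here is an added example (not code from the post) that parses a directory of trash metadata files and reconstructs the timeline and directory structure described above. It assumes the files follow the freedesktop.org Trash specification (.trashinfo files with a percent-encoded Path= line and an ISO 8601 DeletionDate= line), which is consistent with the post’s description of plain text files carrying the original location and a deletion timestamp; the sample file contents, paths, dates and the /media/crypt mount point are constructed for illustration. It also includes the check a practitioner would want after this kind of surprise: flagging any record whose original path lies on an encrypted volume, since that is exactly the metadata that should never be sitting on an unencrypted partition.

```python
# Added example (not the post's own code): parse freedesktop.org-style
# .trashinfo files, rebuild the deletion timeline the post describes, and
# flag records whose original path lies on an encrypted volume.
# Assumptions: the metadata files follow the freedesktop.org Trash spec
# ("[Trash Info]" header, percent-encoded Path=, ISO 8601 DeletionDate=);
# the sample files, paths, dates and mount point below are constructed.
from __future__ import annotations

import tempfile
from dataclasses import dataclass
from datetime import datetime
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

# Constructed sample of what a Trash/info/ directory might hold.
SAMPLE_TRASHINFO = {
    "Q4 report.odt.trashinfo":
        "[Trash Info]\nPath=/media/crypt/clients/acme/Q4%20report.odt\nDeletionDate=2008-11-17T14:05:22\n",
    "budget.xls.trashinfo":
        "[Trash Info]\nPath=/media/crypt/clients/acme/bids/budget.xls\nDeletionDate=2009-01-09T09:41:03\n",
    "notes.txt.trashinfo":
        "[Trash Info]\nPath=/home/user/tmp/notes.txt\nDeletionDate=2009-03-28T18:12:40\n",
}

# Mount points of the encrypted data partitions (assumed for the example).
ENCRYPTED_MOUNTS = ("/media/crypt",)


@dataclass(frozen=True)
class TrashRecord:
    info_file: str        # name of the .trashinfo file
    original_path: str    # where the file lived before deletion (decoded)
    deleted_at: datetime  # when it was moved to the trash


def parse_trashinfo(text: str, info_file: str) -> TrashRecord:
    """Parse one .trashinfo body into a TrashRecord.

    Path= is percent-encoded, so 'Q4%20report.odt' becomes 'Q4 report.odt';
    DeletionDate= is a local-time ISO 8601 timestamp.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "[Trash Info]":
        raise ValueError(f"{info_file}: missing [Trash Info] header")
    fields = {}
    for line in lines[1:]:
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return TrashRecord(
        info_file=info_file,
        original_path=unquote(fields["Path"]),
        deleted_at=datetime.fromisoformat(fields["DeletionDate"]),
    )


def load_trash_info(info_dir: Path) -> list[TrashRecord]:
    """Read every *.trashinfo file in info_dir, oldest deletion first."""
    records = [parse_trashinfo(p.read_text(), p.name)
               for p in info_dir.glob("*.trashinfo")]
    return sorted(records, key=lambda r: r.deleted_at)


def timeline(records: list[TrashRecord]) -> list[str]:
    """One line per deletion: timestamp, then the original path."""
    return [f"{r.deleted_at:%Y-%m-%d %H:%M:%S}  {r.original_path}" for r in records]


def directory_tree(records: list[TrashRecord]) -> dict[str, set[str]]:
    """Map each parent directory to the names of files deleted from it.

    This is the directory structure of the (encrypted) partitions that the
    metadata alone reveals, without any file contents.
    """
    tree: dict[str, set[str]] = {}
    for r in records:
        p = PurePosixPath(r.original_path)
        tree.setdefault(str(p.parent), set()).add(p.name)
    return tree


def leaked_records(records: list[TrashRecord],
                   encrypted_mounts=ENCRYPTED_MOUNTS) -> list[TrashRecord]:
    """Records whose original path lies under an encrypted mount point.

    If such a record is found in an info/ directory on an unencrypted
    partition, metadata about encrypted data has escaped the volume.
    """
    mounts = [PurePosixPath(m) for m in encrypted_mounts]
    return [r for r in records
            if any(m in PurePosixPath(r.original_path).parents for m in mounts)]


def demo() -> dict:
    """Materialise the constructed sample in a temp dir and analyse it."""
    with tempfile.TemporaryDirectory() as tmp:
        info_dir = Path(tmp) / "Trash" / "info"
        info_dir.mkdir(parents=True)
        for name, body in SAMPLE_TRASHINFO.items():
            (info_dir / name).write_text(body)
        records = load_trash_info(info_dir)
    return {
        "records": records,
        "timeline": timeline(records),
        "tree": directory_tree(records),
        "leaked": leaked_records(records),
    }


if __name__ == "__main__":
    result = demo()
    print("\n".join(result["timeline"]))
    for r in result["leaked"]:
        print(f"LEAK: {r.info_file} references encrypted volume path {r.original_path}")
```

Run against a real ~/.local/share/Trash/info (or any stray info/ directory found on an unencrypted partition) by replacing the sample with `load_trash_info(Path(...))`; every record that `leaked_records` returns is a file whose name, location and deletion date have left the encrypted volume, which is the same finding the post describes.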
