Buying a computer for your bustling property management company in 1998: $500
City of Roswell Garbage Pickup Cost: $22/mo
Leaving the social security numbers for hundreds of people at your curb: Priceless
For everything else, there are the half dozen Visa card numbers you left on the computer.
The Backstory
Earlier this week, my wife tells me there is a small monitor perfect for the computer closet sitting in the garbage pile of someone’s house up the road. We go out to eat dinner, and check things out on the way home. I spot not only a small crappy Daewoo monitor, but an old PC, keyboard, and mouse to go with it. I grab everything and throw it in my trunk, hoping to find something useful to keep. I bring it home, power it up, and was surprised to see it boot straight into Windows 98, with a desktop full of junk.
I turn the machine off, place the HD in a USB drive canister, and plug it into my Mac to browse around the drive with a slightly faster machine. I haven’t done any incident forensics in a while, so I decided to brush up on things. I was curious: Did the machine ever get hacked into? Was it ever infected by a virus? Did it contain any interesting illegal software or data? Plugging the drive into my Mac was a big mistake, however: Spotlight quickly indexed it, stomping over all of the access time records. I disabled the indexing, and made an image of the drive:
% df -h
Filesystem    Size   Used  Avail Capacity  Mounted on
/dev/disk0s2  298Gi   87Gi  211Gi    30%    /
/dev/disk5s1   10Gi  1.3Gi  8.7Gi    14%    /Volumes/NO NAME
# (Drag "NO NAME" icon from Desktop to Trash to dismount)
% dd if=/dev/disk5 of=disk5 bs=64k
The machine appeared to be an office machine for a small property management company that outsourced the management of apartment buildings and/or low-income housing. It had budgets, presentations, e-mails, all readily available. The only password-protected document was a budget in an Excel spreadsheet, whose password was found to be the initials of the company owner. I used the Autopsy Forensic Browser to build a file timeline to see if any suspicious activities occurred, and Clam AntiVirus to see if it had any infections. At first, the only interesting thing I found was a list of some of the hilarious AOL nicknames used by the people who used the machine at work. Eventually, I saw a spreadsheet containing someone’s social security number. Uh oh.
Autopsy has some built-in searches for things such as social security numbers or credit card numbers. It searches both the current files, and any previously deleted files that still exist in the drive’s unallocated space. Oddly, doing an SSN search for more numbers yielded an empty result set. So, I had Autopsy dump out all of the strings on the drive, and searched through it by hand. Here is how I looked for Visa cards, for instance:
cat disk5-63-21093344-fat32-1.asc | perl -ne \
    'if (/\W4\d{3}[- ]?\d{4}[ -]?\d{4}[- ]?\d{4}\W/) { print; }'
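As an added example (not the author's script), here is a Python version of that search that goes a step further than the bare regex: card candidates must pass the Luhn checksum and SSN candidates must satisfy the SSA's structural rules (area never 000, 666 or 900-999; group never 00; serial never 0000), which throws out most of the random digit runs that a string dump of unallocated space produces. The sample dump is constructed for the example; the card numbers in it are public test numbers, not data from any drive.

```python
#!/usr/bin/env python3
"""Scan a strings dump (as written out by Autopsy or `strings`) for SSN and
Visa card candidates and keep only those that pass structural checks.

Added example for this post, not the author's script.  It extends the post's
one-line perl search with a Luhn check for card numbers and the SSA's
structural rules for SSNs."""
import re
import sys

# Same shape the post's perl regex looks for (Visa: leading 4, four groups of
# four), but anchored with lookarounds so a hit at line start/end is not missed.
VISA_RE = re.compile(r"(?<!\d)(4\d{3})[- ]?(\d{4})[- ]?(\d{4})[- ]?(\d{4})(?!\d)")
# SSN in AAA-GG-SSSS form, with hyphen or space separators.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by all major card brands; rejects most random runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area, group, serial):
    """Structural rules: the SSA never issues area 000, 666 or 900-999,
    group 00, or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan_text(text):
    """Return de-duplicated validated hits per type, plus the number of
    pattern matches the checksum/structure rules rejected."""
    result = {"ssn": [], "visa": [], "rejected": 0}
    seen = set()
    for m in VISA_RE.finditer(text):
        pan = "".join(m.groups())
        if luhn_ok(pan):
            if pan not in seen:
                seen.add(pan)
                result["visa"].append(pan)
        else:
            result["rejected"] += 1
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        ssn = f"{area}-{group}-{serial}"
        if ssn_ok(area, group, serial):
            if ssn not in seen:
                seen.add(ssn)
                result["ssn"].append(ssn)
        else:
            result["rejected"] += 1
    return result


def redact(value):
    """Keep only the last four characters so a findings report does not
    itself reproduce the sensitive value."""
    return "*" * (len(value) - 4) + value[-4:]


# Constructed sample in the shape of an Autopsy strings dump.  The card numbers
# are public test values; the SSNs are structurally invalid decoys plus one
# well-known example value.  None of this came from a real drive.
SAMPLE_DUMP = """\
Tenant roster 1998 - unit 4B
SSN: 123-45-6789 (lease on file)
SSN: 000-12-3456 area 000 never issued -> decoy
SSN: 666-12-3456 area 666 never issued -> decoy
SSN: 123-00-6789 group 00 -> decoy
SSN: 987-65-4321 area >= 900 -> decoy
Visa 4111 1111 1111 1111 exp 01/99
Visa 4012-8888-8888-1881 exp 03/00
Visa 4111 1111 1111 1112 (typo, fails Luhn)
serial 4000000000000000 is a part number, not a card
"""


def main(argv):
    """Usage: python3 scan_pii.py [dump.asc]; with no file argument the
    constructed sample above is scanned."""
    if len(argv) > 1:
        with open(argv[1], encoding="latin-1", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DUMP
    hits = scan_text(text)
    for kind in ("ssn", "visa"):
        for v in hits[kind]:
            print(f"{kind}: {redact(v)}")
    print(f"{hits['rejected']} pattern matches rejected by checksum/structure rules")
    return hits


if __name__ == "__main__":
    main(sys.argv)
```

On the sample dump this reports one SSN and two Visa numbers (redacted to their last four digits) and rejects six pattern matches: the four malformed SSNs, the mistyped card, and the 16-digit part number that a Luhn-less search would have counted as a card.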
The drive was a gold mine. It appeared to contain in excess of 500 unique social security numbers, though I had no way to verify their validity. The drive also had a handful of Visa cards, but most of them had expired. I saw a QuickBooks data file, which I had no way of reading, so I decided to convert the raw drive image I made above into a VMware image. All of the solutions I found for this required either Linux or Windows, but if you download Q.app or compile a recent snapshot of qemu, you can convert a raw dd image to either a QEMU image or a VMDK (VMware). The command-line parser for qemu-img doesn’t match its documentation exactly, but this seemed to work:
/Applications/Q.app/Contents/MacOS/qemu-img convert -O vmdk ~/Desktop/disk5 \
    ~/Desktop/trash.vmdk
The QuickBooks file was just the demo one that comes with a trial version of QuickBooks. I decided my work was done, so I went ahead and wiped the drive:
% df -h
Filesystem    Size   Used  Avail Capacity  Mounted on
/dev/disk0s2  298Gi   86Gi  212Gi    29%    /
/dev/disk4s1   10Gi  1.3Gi  8.7Gi    14%    /Volumes/NO NAME
# Unmount "NO NAME" by dragging icon from desktop to Trash
% sudo dd if=/dev/zero of=/dev/disk4 bs=128k
I also deleted all of the data I copied to my machine, and made sure to overwrite the deleted data so that it couldn’t be maliciously recovered from my machine. I strapped the machine to the back of my motorcycle, and brought it to the local recycling center. Placing a machine at the curb is NOT proper recycling. Computers have all sorts of toxic materials in them. Be good to the environment.
Final Thoughts
- If you throw away or give away a machine, please wipe the hard drive. I recommend DBAN. You just place it on a floppy or CD-ROM, boot up, and your machine is safe to give away.
- If you need to keep an operating system on there for the next owner, make sure to delete any personal files, and make sure the deleted data has been wiped properly! When you delete a file, it only removes the filename, not the data. The data stays around until something else needs the space. Here are some tools you can use:
- Windows XP/Vista comes with the cipher.exe tool. See How To Use Cipher.exe to Overwrite Deleted Data in Windows
- Windows 95/98 has no built-in tool, but Disk Redactor appears to do the trick.
- Mac OS X or other UNIX machines can use dd to fill a drive up with blank data:
cd / && dd if=/dev/zero of=beleted bs=128k; rm beleted
- If you ever want to see what someone might recover from your machine, boot up with the Helix Live CD
- Don’t try to use Mac OS X for forensics unless the data is on a read-only drive: It will try to index your drive, and create extraneous files and directories.
- Don’t kill mother earth. Recycle your hardware properly.