Data Destruction

The threat of sensitive data being found on scrap or recycled computers is something faced by everyone from large businesses to the home user. Unfortunately, deleting a file in your operating system doesn't do quite what most people expect. When you remove a file, your computer simply marks the area where the file sat as free for reuse. Gradually, as you save more files to your disk, these areas are overwritten. However, much like someone pasting a poster over older signs on a shop window, some of the original information can still be seen if the new file is smaller.
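The poster effect described above can be reproduced with a small model. This is an added example, not one of our tools: the ToyDisk class, the 16-byte cluster size and the sample record are all constructed for illustration.

```python
CLUSTER = 16  # bytes per cluster, tiny so the result is easy to read (4096 is typical)

class ToyDisk:
    """Constructed model: raw storage plus the bookkeeping a file system keeps about it."""
    def __init__(self, clusters=4):
        self.raw = bytearray(clusters * CLUSTER)
        self.free = list(range(clusters))
        self.files = {}                      # name -> list of cluster numbers

    def write(self, name, data):
        chunks = [data[i:i + CLUSTER] for i in range(0, len(data), CLUSTER)]
        used = [self.free.pop(0) for _ in chunks]
        for c, chunk in zip(used, chunks):
            # only len(chunk) bytes are written; the rest of the cluster keeps old content
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.files[name] = used

    def delete(self, name):
        # deletion returns the clusters to the free list and touches no data
        self.free = sorted(self.free + self.files.pop(name))

    def wipe(self, clusters):
        for c in clusters:
            self.raw[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)

    def contains(self, needle):
        return needle in self.raw

def demo():
    disk, seen = ToyDisk(), {}
    disk.write("customers.txt", b"PIN=4921;ACCT=00112233;NAME=J.D.")  # constructed data
    disk.delete("customers.txt")
    seen["after_delete"] = disk.contains(b"ACCT=00112233")
    disk.write("note.txt", b"hello")             # smaller file reuses cluster 0
    seen["after_reuse"] = disk.contains(b"ACCT=00112233")
    disk.wipe(disk.free)                         # free-space wipe misses the slack in cluster 0
    seen["after_free_wipe"] = disk.contains(b"ACCT=00")
    disk.wipe(range(len(disk.raw) // CLUSTER))   # overwrite every cluster, live files included
    seen["after_full_wipe"] = disk.contains(b"ACCT") or disk.contains(b"hello")
    return seen

if __name__ == "__main__":
    print(demo())
```

In this model the old record survives deletion, reuse of its first cluster, and a wipe limited to free clusters; only overwriting every cluster removes it.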

As a security company we are constantly asked by our clients for advice in correctly disposing of disks. A common method employed is to ‘shred’ the disks, physically destroying them beyond repair. Whilst this is the most reliable way to destroy data, it is very wasteful. Removing a disk from a computer or laptop often renders the device unusable. A new owner would have to source a disk and fit it, meaning that the potential resale value of the device is greatly decreased.

We hate to see fully functional computers end up in landfills just because they’re a few years off the trend. To avoid this, we use a series of hardware and software tools to securely wipe the data while leaving the disks physically undamaged. As part of our ongoing research, we are constantly exploring new methods for comprehensive wiping and reducing the time taken as disks have rapidly grown in size.

Our most recent research on this has been conducted in partnership with Bangor University and the initial findings were recorded in a dissertation published by J. Smith. The project has proved very successful so far with our tools wiping disks in half the time of a traditional high-security cleanse. The most impressive results saw us able to wipe SSD hard disks in less than 10 seconds. We are constantly working in this area and hope to produce some useful tools for everyone to use in the near future.

Fovea – Forensic Visual Analytics

Digital forensic investigations can produce hundreds of pages of data that can be difficult to understand. This project aims to produce a set of tools to visualise the data, allowing investigators to spot patterns and non-technical observers to easily understand the evidence.

The project is looking at several areas of forensic and security data sources. The first application we have developed imports a file exported from a web browser history extraction tool and visualises the activity in a way so that patterns may be easily identified.

Whilst the project is primarily looking at novel ways to illustrate security data, it is our hope that this project will lead to a small collection of tools. These will be made available to the community to use during investigations.

The initial research has been presented at the UKVAC Workshop on Visual Analytics, University College London, in the paper “Forensic Visual Analytics of User Computing Activities” by Ellis, Pritchard & Roberts.


NMap Graphical Analyser

The open-source tool Nmap is extremely powerful for mapping networks and identifying potential rogue hosts.

Our tool reads the XML output file from a scan and visualises the data as a virtual map of the network. This allows easy interrogation and reporting.

The user can move objects within the diagram to help match the physical layout of the servers or to fit a preferred layout pattern. Once happy with the diagram, the user can export it as an image to be included in reports.

Clicking on a host reveals further information about the system scanned, including open ports, operating system and other signatures.
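To show what reading the scan XML involves, here is an added example (not the project's own code) that parses Nmap's -oX output, lists each live host with its open ports and OS guess, flags hosts missing from an asset inventory, and emits Graphviz DOT for a map. The sample scan, the inventory set and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the layout nmap writes with -oX (documentation addresses only).
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
 <hostnames><hostname name="web01.example.test"/></hostnames>
 <ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
  <port protocol="tcp" portid="25"><state state="closed"/><service name="smtp"/></port>
 </ports><os><osmatch name="Linux 4.15 - 5.6" accuracy="96"/></os></host>
<host><status state="up"/><address addr="192.0.2.77" addrtype="ipv4"/>
 <address addr="00:00:5E:00:53:01" addrtype="mac"/>
 <ports><port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port></ports></host>
<host><status state="down"/><address addr="192.0.2.99" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_hosts(xml_text):
    """One record per host that answered: address, name, OS guess, open ports."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        if h.find("status").get("state") != "up":
            continue
        addr = next(a.get("addr") for a in h.findall("address")
                    if a.get("addrtype") in ("ipv4", "ipv6"))   # skip the MAC entry
        name, osm = h.find("hostnames/hostname"), h.find("os/osmatch")
        ports = []
        for p in h.findall("ports/port"):
            if p.find("state").get("state") == "open":
                svc = p.find("service")
                ports.append((int(p.get("portid")), p.get("protocol"),
                              svc.get("name") if svc is not None else "?"))
        hosts.append({"addr": addr, "ports": ports,
                      "name": name.get("name") if name is not None else None,
                      "os": osm.get("name") if osm is not None else None})
    return hosts

def unknown_hosts(hosts, inventory):
    """Hosts that answered the scan but are absent from the asset inventory."""
    return [h["addr"] for h in hosts if h["addr"] not in inventory]

def to_dot(hosts, inventory):
    """Graphviz DOT text: one node per host, hosts outside the inventory in red."""
    lines = ["graph network {"]
    for h in hosts:
        label = "\\n".join([h["name"] or h["addr"]]
                           + [f"{n}/{t} {s}" for n, t, s in h["ports"]])
        colour = "black" if h["addr"] in inventory else "red"
        lines.append(f'  "{h["addr"]}" [label="{label}", color={colour}];')
    return "\n".join(lines + ["}"])
```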

This project is hosted on under the GPL license. If you would like to get involved with the current development version please get in touch.

Forensic Live CD

Having the ability to make forensic images of systems on-site can avoid disruption and distress. So-called ‘live CDs’ allow an examiner to boot up a system from an operating system running entirely off a CD.

Our aim is to develop a live CD that is small, fast and simple to use. The entire operating system and tools total less than 50MB, making the CD fast to boot without all the unnecessary software often included on regular live CDs. The research involved in building a forensically sound operating system was detailed in a dissertation submitted to the University of Chester by B. Arnold.

To accompany this CD, we have conducted research into the most efficient methods of acquiring data across a network using a dynamic and robust set of protocols to ensure consistency of data whilst providing the maximum transfer speeds. The CD automatically locates the evidence store and manages all the network data transport.

Using a system of authenticated auto-discovery, investigators can simply connect a data storage box to the network and all systems booted with the live CD will find it. It runs constant checksums to ensure that the data being received exactly matches the original source data. This work was published as part of a dissertation by J. Nachtigall, Glyndŵr University.
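One way continuous checksumming of an acquisition stream can work, as an added example that is not the live CD's actual protocol: the 4096-byte chunk size, the SHA-256 digests and the (index, chunk, digest) frame layout are assumptions made for illustration.

```python
import hashlib

CHUNK = 4096  # assumed chunk size

def send(image: bytes):
    """Source side: yield (index, chunk, digest) frames, then a whole-image digest."""
    whole = hashlib.sha256()
    for i in range(0, len(image), CHUNK):
        chunk = image[i:i + CHUNK]
        whole.update(chunk)
        yield i // CHUNK, chunk, hashlib.sha256(chunk).hexdigest()
    yield None, b"", whole.hexdigest()       # trailer frame

def receive(frames):
    """Evidence-store side: check every chunk on arrival.

    Returns (data, bad chunk indexes, image_ok). In-band digests catch
    accidental corruption; resisting deliberate tampering additionally needs
    a keyed MAC or an authenticated channel.
    """
    whole, out, bad, image_ok = hashlib.sha256(), bytearray(), [], False
    for idx, chunk, digest in frames:
        if idx is None:                       # trailer: compare whole-image digest
            image_ok = not bad and whole.hexdigest() == digest
            break
        if hashlib.sha256(chunk).hexdigest() != digest:
            bad.append(idx)                   # this chunk would be requested again
        whole.update(chunk)
        out += chunk
    return bytes(out), bad, image_ok

def corrupt(frames, index):
    """Constructed fault: flip one bit of one chunk while it is in transit."""
    for idx, chunk, digest in frames:
        if idx == index:
            chunk = bytes([chunk[0] ^ 0x01]) + chunk[1:]
        yield idx, chunk, digest

if __name__ == "__main__":
    image = bytes(range(256)) * 40            # constructed 10 KiB "disk image"
    print(receive(send(image))[1:])
    print(receive(corrupt(send(image), 1))[1:])
```

Checking each chunk as it arrives localises a fault to a single chunk, so only that chunk has to be sent again instead of the whole image.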