CD-ROMs and DVDs and USB flash memory media
If your whistleblowing documents are too large to fit onto a floppy disk e.g. they contain lots of digital photos or video or audio clips etc. then you might be tempted to write them to a CD-ROM or DVD disc or USB flash memory media (USB memory sticks, MP3 players, digital camera or mobile phone removable memory etc.), which can be OK, if you remember that:
- CD-ROM and DVD discs are excellent for taking fingerprint impressions and DNA samples, which may betray the identity of a whistleblower or a courier who has physically handled them or their plastic packaging.
- Most CDROM or DVD writer equipment sold since 1995 contains an industry standard mandated (.pdf) Serial Number called a Recorder Identification Code (RID), which is in three parts, denoting the Manufacturer, the Model, and a 20-bit Serial Number uniquely allocated to each recorder. The RID was introduced as a sop to the powerful music and film industry lobbyists seeking to commercially exploit copyrighted material.
This RID is burnt into each CDROM or DVD disc which the writer copies. This serial number may provide evidence matching a whistleblower's home or office computer to a leaked copy of documents or photos or videos etc. on a seized or intercepted CDROM or DVD.
- Given the difficulty or, with some of the technologies, the virtual impossibility (short of physical destruction) of securely erasing or genuinely overwriting data files, a whistleblower should use a fresh "virgin" blank, or at least a low level formatted, floppy disc, CD-ROM, DVD or flash memory device on which to copy their whistleblowing leak documents or other video or audio data files. This applies even if these files are themselves protected with strong encryption or with steganographic techniques which embed the data hidden within, say, graphics or music files.
USB keys and SmartMedia
These are useful to spies or to whistleblowers, for smuggling out electronic copies of documents. Given the size of the memory capacity these days, which is often larger than hard disks of only a few years ago, a very large amount of data can be carried.
They are small and easy to hide, and can also legitimately be hidden in mobile phones, digital cameras or MP3 music players etc.
- Some Government Departments e.g. the UK Ministry of Defence do tend to use modified operating systems software which controls access to floppy disk drives, CDROM, DVD or USB devices, either totally preventing their use, or logging all such uses to a central audit server.
We suspect that not every desktop PC in the Home Office is protected in this way.
- The use of USB memory or other USB connected devices e.g. an Apple iPod or other MP3 player, leaves a trail on the Windows computer to which it was attached e.g. you can see a list of such devices which have been connected successfully to a particular PC running Windows XP via the Registry Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR.
- Some US government departments and agencies, like the Department of Homeland Security (DHS), use the National Security Agency (NSA) developed USBDetect scanning software (see page 13 of this 2008 report, Review of DHS Security Controls for Portable Storage Devices (.pdf)), which centrally audits the Registries of connected Windows computers, looking for the Registry traces of USB devices. Such software can only detect "policy violations" and it "does not identify if USB devices are currently connected, nor if any sensitive information was copied".
- If you have permission to access the Registry on the Computer, you can, of course, delete the entries generated by your use of a particular USB device. However, most corporate or government PCs will have this sort of access restricted to privileged systems administrators only, so a whistleblower should make sure that they are not using an unusual brand of USB device which stands out from the crowd of entries which might plausibly be found in that environment.
- USB memory devices (and also CDROM or DVD devices) leave traces of their use in the Windows Registry. It is even possible to correlate the amount of data transferred with the time taken to do it in, to narrow down or even specifically identify, the make and model of USB device used.
This may be enough of a clue to "leak investigators", although this experimental technique is certainly not yet established in Court for legal evidential purposes.
See this New Scientist article (16 February 2010, by Paul Marks):
Vasilios Katos and Theodoros Kavallaris at the Democritus University of Thrace in Komotini, Greece, have been testing every make and model of USB stick and iPod/iPhone. They have discovered that each one has a distinctive transfer rate when copying data from a PC's hard drive (Computers and Security, DOI: 10.1016/j.cose.2010.01.002). This is due to the differences in the microcircuitry and components that go into making each type of device.
They are able to find out if files have been copied by consulting the Windows registry, which records the make and model of every USB device plugged into that computer with a time stamp. The pair then check all document folders for any files that were accessed shortly after the USB device was plugged in - the computer registry counts copying as file access.
When they find a folder they suspect has been copied, they list the times the files within it were accessed. If the total time it took to access all the files matches the transfer rate of a particular USB stick or iPod plugged into the PC at that point, then it is fair to assume a pod-slurping attack has taken place.
Kavallaris is writing a program to automate the process of trawling the Windows registry to work out which files have been copied to a USB stick.
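The correlation described in the article above, as an added example that is not part of the original page and is not the researchers' program: it parses a USBSTOR-style device key, selects files accessed shortly after the device was connected, and compares the transfer rate implied by their access times with a known rate for that device. The device key, connect time, file list and rate table are constructed sample data, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the paper): one USBSTOR-style device key
# with its connect time, and last-access times of files on the PC's disk.
DEVICE_KEY = "Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00"
CONNECTED = datetime(2010, 2, 16, 14, 0, 0)
FILES = [  # (path, size in bytes, last access time)
    ("reports/a.doc", 8_000_000, datetime(2010, 2, 16, 14, 1, 0)),
    ("reports/b.xls", 12_000_000, datetime(2010, 2, 16, 14, 1, 2)),
    ("reports/c.pdf", 20_000_000, datetime(2010, 2, 16, 14, 1, 5)),
    ("reports/d.ppt", 4_000_000, datetime(2010, 2, 16, 14, 1, 10)),
    ("old/e.txt", 1_000, datetime(2010, 2, 10, 9, 0, 0)),  # before connect
]
# Hypothetical measured write rates in bytes/second, keyed by (vendor, product).
KNOWN_RATES = {("ExampleCo", "FlashDrive"): 4_000_000}

def parse_usbstor_key(name):
    """Split a USBSTOR device key name into (vendor, product, revision)."""
    m = re.fullmatch(r"Disk&Ven_([^&]*)&Prod_([^&]*)&Rev_([^&]*)", name)
    if not m:
        raise ValueError(f"not a USBSTOR disk key: {name!r}")
    return m.groups()

def accessed_after(files, connected, window=timedelta(minutes=30)):
    """Files last accessed within `window` after the connect time, in order."""
    hits = [f for f in files if connected <= f[2] <= connected + window]
    return sorted(hits, key=lambda f: f[2])

def implied_rate(hits):
    # Each access time marks the start of a read, so the span from first to
    # last access covers every file except the last one (an assumption).
    span = (hits[-1][2] - hits[0][2]).total_seconds() if len(hits) > 1 else 0
    if span <= 0:
        return None
    return sum(size for _, size, _ in hits[:-1]) / span

def matches_device(device_key, hits, known_rates, tolerance=0.15):
    """True if the implied rate is within `tolerance` of the device's rate."""
    vendor, product, _ = parse_usbstor_key(device_key)
    expected = known_rates.get((vendor, product))
    observed = implied_rate(hits)
    if expected is None or observed is None:
        return False
    return abs(observed - expected) / expected <= tolerance

if __name__ == "__main__":
    hits = accessed_after(FILES, CONNECTED)
    print(implied_rate(hits), matches_device(DEVICE_KEY, hits, KNOWN_RATES))
```

On systems where NTFS last-access updates are disabled, a copy does not refresh the access times and this check has nothing to work with.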
- Deliberately "erasing" the "whistleblower files" stored on USB memory sticks, Digital Camera or MP3 music player memory devices, which can then be recovered with File recovery utilities (e.g. those designed to recover accidentally erased Digital Camera images, such as PhotoRescue) once the whistleblower is in a safe place, may well be enough to let a whistleblower smuggle out copies of sensitive documents past cursory security checkpoints.
- Depending on the operating system and the particular settings on your PC, USB memory devices may have a local Trash or Trashcan folder on the USB device itself, in addition to the main one on the computer Desktop. Sometimes this is a Hidden folder or directory on the USB memory device, e.g. Apple Mac OS X and Ubuntu Linux.
- However, if you are caught with a USB key or MP3 player or SmartMedia memory stick or card, which uses Flash Memory, they are nigh on impossible to securely erase electronically, and there is a good chance that data on them, even if "deleted" can be forensically recovered.
- It is even possible for USB Flash memory data to eventually be permanently "burned in" to memory cells, which cannot then be erased. There are also "wear leveling" and "block write" algorithms, which may fail to physically overwrite crucial data which you are trying to erase. Therefore do not store your PGP Private Keyring or other vital data on unencrypted USB Flash memory. See the Wikipedia article on Flash Memory.
- Older operating systems like Windows 98 or Windows 2000 require that you Stop the USB memory device before you physically remove it, otherwise the latest data which you have tried to save / overwrite or erase may not actually get written from the memory buffers into the Flash Memory cells, since this tends to use "block writes", rather than random access writes, to the individual memory cell locations. Obviously this can also lead to supposedly erased or overwritten or amended files not being updated properly, if the USB Flash Memory device is simply yanked out of the slot in a hurry.
- We hope to publish information on the levels of risk for (in)secure data erase behavior of different types of USB or other SmartMedia; see the File Deletion hints and tips section.
c.f. this academic paper:
Reliably Erasing Data From Flash-Based Solid State Drives
Michael Wei∗, Laura M. Grupp∗, Frederick E. Spada†, Steven Swanson∗
∗Department of Computer Science and Engineering, University of California, San Diego
†Center for Magnetic Recording and Research, University of California, San Diego
- Obviously, sometimes the all too common failures of CDROM, DVD and USB data handling security by government or corporate employees are themselves the actual source material for whistleblower leaks.
The Daily Telegraph reports that the former MI6 employee Daniel Houghton, who is being tried under the Theft Act and the Official Secrets Act, for ineptly trying to sell alleged MI6 and MI5 "intelligence gathering techniques" secrets to undercover UK counter intelligence agents, used this USB technology to smuggle out and store the alleged top secret and secret documents:
Daniel Houghton, 25, was caught in a sting operation after allegedly approaching a foreign intelligence agency offering to sell them information he had collected while working for the Secret Intelligence Service, known as MI6.
The files, which belonged to the domestic security service MI5, allegedly related to the capabilities of the security and intelligence services and the techniques they have developed to gather intelligence, sources said, and were labeled "top secret" and "secret."
Houghton, who worked for MI6 between September 2007 and May 2009, allegedly telephoned the foreign intelligence service three months after leaving MI6 to try and arrange a deal.
But undercover MI5 officers, known as "spy catchers", met him in February to view the material on his laptop and allegedly negotiated a price of £900,000, while recording the meeting with hidden listening devices.
Houghton allegedly told them he had downloaded the information onto a number of CDs and DVD disks which he then copied onto a secure digital memory card of the type used in cameras.
He also allegedly told the undercover MI5 officers that he had copied material onto a second memory card which he had hidden at his mother's home in Devon.
They arranged to meet him again at a central London hotel where he allegedly showed them the material on a laptop and then handed over two memory cards and a computer hard drive.
Sources said he was allowed to leave the hotel room with £900,000 in a suitcase before he was arrested as he waited for a hotel lift by plain clothes officers from the Metropolitan Police Counter Terrorism Command.
Presumably this smuggling out and storage of the sensitive secret electronic files on to USB SD card camera memory went undetected, until his inept, amateur attempt to sell the information.