Tuesday, June 22, 2010

Unusual devices

by Sean McLinden

In 2007, New Jersey Governor Jon Corzine made the news twice for a single event. The first time was the report of a car accident on the Garden State Parkway in which he was seriously injured. The second time was a report, which appeared a few days later, detailing how the governor's account of the accident had been contradicted by a witness: his automobile. Since 2000, most US cars have been equipped with a “black box” known as the Motor Vehicle Event Data Recorder. Standards for a common data set, including protections against data theft, altering of vehicle information, odometer fraud and misuse of collected data on owners and drivers, are the subject of the IEEE 1616a Standards for Motor Vehicle Event Data Recorders (MVEDRs). In spite of such protections, a number of states have enacted privacy protections which regulate the recovery and use of such data.

A 2007 Computerworld article was entitled Photocopiers: The newest ID theft threat. In 2010, CBS News was able to recover Personal Health Information, and other personally identifiable information (PII) from the hard disk drives of copiers found in a warehouse in New Jersey. These copiers had been leased by various health care, law enforcement, financial and other institutions.

The focus of these stories was the risk to personal privacy, but to forensic examiners and eDiscovery personnel there is a more significant issue: when does the data contained in such devices constitute evidence deserving of preservation, and a possible subject of discovery? More importantly, perhaps, when does a thorough investigation demand examination of the information contained in a peripheral that is not normally the subject of a forensic examination?

A couple of recent cases presented to our offices illustrate when and how such concerns arise.

Case 1: A branch office of a financial services company becomes concerned that confidential information is in the possession of unauthorized employees and outsiders. This arises after a client notices a securities trade that was undertaken on their behalf but without their knowledge or consent. Internal IT personnel examined each of the office computers and found no evidence of malware, keyloggers or possession of PII except by authorized personnel. An outside digital forensics (DF) firm was brought in to investigate and found no evidence of an intrusion or extrusion. A former IT administrator was the principal suspect, but he had been gone for over 6 months and his account had been disabled. A second DF firm was brought in to confirm the findings of the original firm.

The second firm noticed, as did the first, that the small office used a Linksys wireless access point (WAP) in lieu of a wired network. Interviews with the IT personnel employed at the time, and attempts to “sniff” the wireless network, confirmed that WPA2-PSK was used and that the key was strong. The SSID was not advertised. Using the Web administrative console, the second DF firm determined that the firmware was not the Linksys default, but a modified kernel based upon Sveasoft Talisman. Further examination showed that it had been configured for port mirroring, which was also not the default. The former IT administrator had set up a rogue access point which, effectively, doubled as the secure access point for the business...

Read more at http://www.forensicfocus.com/sean-mclinden
