Understanding Data Remanence Management and What It Means to You
ACSAC Tucson Session 3:30 pm 6 DEC 2005
Presented By
STEVEN SKOLOCHENKO CISSP, CISM, CISA
Booz | Allen | Hamilton
Managing Data Remanence
• Intended for those who have information technology security responsibilities.
• Goal: Provide participants with information on managing data remanence to protect the confidentiality of data remanence on storage media.
Objectives
Upon completion of this session you will be able to:
• Identify the terms used to discuss and describe data remanence.
• Identify remanence management issues.
• Discuss sanitization techniques for various types of media.
A News Story About Data Remanence
By Karen Hensel of the News 8 I-Team (Indiana), Aug. 2002
- An Indiana congressman is demanding answers after a security breach at a local hospital was uncovered by the News 8 I-Team. What was most disturbing was where the I-Team's Karen Hensel uncovered the information and at what price.
- Used computers are cheap and easy to find. The News 8 I-Team found three at the very first thrift store they shopped at. All three were tested with the help of computer forensics expert Dan Cavallini of 20/20 Investigations. His reaction? "I was really surprised to see some of this in there."
- Within minutes the News 8 I-Team found hospital patient records, patients' social security numbers, along with their home addresses and home telephone numbers. News 8 I-Team also found page after page of credit card numbers. Cavallini said "identity theft is the first thing that comes to mind."
A News Story About Data Remanence
Federal Bytes: Dumb-criminals files
While the FBI is loath to reveal details of its investigations, we had to chuckle at a recent tidbit gleaned from a meeting of the Computer System Security and Privacy Advisory Board. According to Susan Koeppen, a trial attorney with the Justice Department’s Computer Crime and Intellectual Property section, the FBI recently investigated an extortion threat directed at Microsoft Corp.’s Bill Gates.
It seems a not-so-clever criminal sent a diskette to Gates with an attached image containing the terms of the threat. The extortionist may have been trying to save a bit of money: instead of buying a new diskette to carry out his scheme, he simply erased files on a diskette he already had.
His thriftiness cost him, however, because the FBI was able to recover the deleted files from the disk. One of these files contained the name and address of the man, whom federal agents quickly arrested.
Source: Federal Computer Week, Sept. 22, 1997.
Agenda
• Concepts and Terms
• Situation Assessment
• Attacks and Protection
• Media
• Media Destruction
Remanence: Deleted or erased, but not really gone!
Why is Remanence Management of concern?
• Workstations don’t last forever
• Storage media degrades over time
• New technologies make some media obsolete
• A disk crash doesn’t destroy all data on a disk, but it denies easy access to the data
When systems and media are taken out of service, care must be taken to ensure the confidentiality of the information that is/was on the internal/removable storage of the system.
How Often Are Hard Drives Reused?
• A report by market research firm IDC estimates that 257 million hard drives will be shipped for use in PCs or laptops in 2004.
• Estimates are that seven drives will be retired for every 10 shipped.
History
• Problem recognized in 1960
• Issue addressed in DOD 5200.28-M, 1973
• Watergate tapes brought attention to it
• DOD studies, IL Inst. of Tech, 1981-82
• NBS issues NBS Special Pub. 500-101, Care and Handling of Magnetic Media, 1983
• DOD Magnetic Remanence Security Guideline, 1985
• NCSC Pub. A Guide to Understanding Data Remanence in Automated Information Systems, 1991
• NSA/CSS Manual 130-2, Use in Conjunction w/ Operational Computer Security Manual, 130-1
• Peter Gutmann paper at USENIX, 1996
• NIST SP 800-88 ~Summer 2006
Basic Terms
• Coercivity is a measure of signal strength that is required to alter magnetic storage media.
• Sanitization is a general term that refers to actions taken to ensure un-needed data on media are difficult to recover or virtually unrecoverable.
Coercivity Values
• Diskette, 5.25”, 720 Kb: 300 Oe
• Diskette, 3.5”, 1.44 Mb: 660 Oe
• Diskette, 3.5”, 120 Mb: 1,500 Oe
• Tape, 8mm, DAT: 1,650 Oe
• Hard Drive, 20 GB: 2,500 Oe
• Hard Drive, 50+ GB: 3,000 Oe
P-list and G-list
• P-list: A permanent list of defective memory
  – Originates from manufacturer’s media testing process
  – Itemizes defective or marginal regions of media
• G-list: A grown list of defective memory
  – Identifies memory locations that become unusable over time
  – Lists defective regions with SCSI “Format Unit” cmd
  – Drive firmware usually handles grown defects
Types of Attacks
• Memory scavenging refers to the process of recovering data from media that has not been sanitized properly.
• Keyboard attacks occur when an unauthorized person uses commands, utilities, and tools from a standard workstation to discover the contents of memory locations on media that they are not authorized to access.
• Laboratory attacks occur when an unauthorized person uses advanced signal processing equipment to recover data from media.
Safeguards
• Sanitization is the process of making information on the media difficult or virtually impossible to recover.
• Overwriting is a multi-step sanitization process that writes 0s, 1s, and random binary strings into every memory space on the media.
• Degaussing is a sanitization technique for destroying the electromagnetic image on magnetic media by submitting the media to an extremely powerful magnetic field.
Overwriting Techniques
• Clearing is the process of removing data from media to protect information from keyboard attack.
• Erasing/Deleting is the process of altering the directory structures and pointers to remove knowledge of a file and its location.
• Purging is the process of removing data from the media such that it is virtually unrecoverable.
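Added example (not part of the original slides): the difference between erasing and clearing, shown on a constructed toy disk image. The image layout, function names and sample records are assumptions made for illustration; only the 0xE5 deleted-entry marker is borrowed from FAT.

```python
import struct

BLOCK = 512                      # block size of the constructed image
DIR_SLOTS = 4                    # the directory lives in block 0
ENTRY = struct.Struct("<8sHH")   # name, first data block, length in bytes
DELETED = 0xE5                   # marker byte FAT puts in a deleted entry


def new_image(data_blocks=8):
    """Constructed image: one directory block followed by data blocks."""
    return bytearray(BLOCK * (1 + data_blocks))


def write_file(img, slot, name, first_block, data):
    """Record the file in the directory and store its bytes."""
    ENTRY.pack_into(img, slot * ENTRY.size,
                    name.ljust(8).encode("ascii"), first_block, len(data))
    start = first_block * BLOCK
    img[start:start + len(data)] = data


def listing(img):
    """What a user sees: names of entries that are in use."""
    names = []
    for slot in range(DIR_SLOTS):
        name, _, _ = ENTRY.unpack_from(img, slot * ENTRY.size)
        if name[0] not in (0x00, DELETED):
            names.append(name.decode("ascii").rstrip())
    return names


def erase(img, slot):
    """Erasing/deleting: only the directory entry is altered."""
    img[slot * ENTRY.size] = DELETED


def clear(img, slot, fill=0x00):
    """Clearing: overwrite whole blocks (slack included), verify, then erase."""
    off = slot * ENTRY.size
    _, first, length = ENTRY.unpack_from(img, off)
    nblocks = -(-length // BLOCK)            # round up to whole blocks
    start = first * BLOCK
    end = start + nblocks * BLOCK
    img[start:end] = bytes([fill]) * (end - start)
    if img[start:end].count(fill) != end - start:
        raise OSError("overwrite verification failed")
    img[off:off + ENTRY.size] = bytes(ENTRY.size)   # drop name and pointers
    img[off] = DELETED


def leftover(img, needle):
    """True if `needle` is still present in the data area of the image."""
    return needle in img[BLOCK:]


if __name__ == "__main__":
    img = new_image()
    record = b"PATIENT Jane Example, SSN 000-00-0000"   # constructed sample
    cards = b"CARD 0000-0000-0000-0000"                 # constructed sample
    write_file(img, 0, "PATIENTS", 1, record)
    write_file(img, 1, "CARDS", 3, cards)
    erase(img, 0)
    clear(img, 1)
    print("directory listing:", listing(img))
    print("erased file still on media: ", leftover(img, record))
    print("cleared file still on media:", leftover(img, cards))
```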
Last But Not Least: Remanence vs. Remnants
• Remanence refers to those data that are still recoverable from media after it has been sanitized.
• Remnants is the term used for scraps of carpet or fabric.
Remanence Management Situation Assessment
1. Determine data storage media sensitivity
2. Determine the type of medium
3. Determine the operational condition
4. Determine future uses
5. Determine future protection
Other Assessment Considerations
• Disks can be used as virtual memory
• Many applications create temporary files
• Applications create automatic backups
• Saves do not always write over same memory space
• Slack space in blocks
• Instant on feature writes clear text information to disk
Object Reuse
• Who remembers?
Keyboard Attack
• How is it conducted?
• Who can do it?
• What are the tools?
Keyboard Attack Tools
• Norton Utilities
• Fixit Utilities
• Nuts & Bolts
• PC Medic
• PPIRT
• Various Forensic Tools
FORENSIC TOOLS
• Google search on “Forensic tools” resulted in a listing of over 500,000 entries.
• Entries covered PCs, PDAs, even “Mainframes.”
Clearing Media
• What happens when we write on media?
  – P-List
  – G-List
  – Why is coercivity important?
• Head Alignment, is it important?
  – What is head alignment?
  – What can alter head alignment?
Common Commands for Clearing Data
• Erase
• Delete
• Format
• Object Reuse
Overwriting Used for Clearing (1 of 2)
• Program should write specific data pattern
• Pattern should be written to all data storage locations
• Program should check to see that the pattern has been written
• How much overwriting is enough?
Overwrite in progress…
Overwriting Used for Clearing (2 of 2)
• Very slow for floppies
• Even more time for today's hard drives
  – Current computer takes about 15 mins to overwrite and verify one gig, one pass
• For most current drives one pass is sufficient, provided it is specific and verified
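Added example (not part of the original slides): an overwrite program that meets the three requirements above, writing a known pattern to every storage location and reading it back to check, with the 0s, 1s and random passes named on the Safeguards slide. The block size, function names and the temporary-file "drive" with its sample record are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

BLOCK = 64 * 1024  # assumed I/O size; not a value from the slides

# Passes named on the Safeguards slide: 0s, 1s, then random data.
PASSES = (("zeros", b"\x00"), ("ones", b"\xff"), ("random", None))


def _write_pass(fd, size, fill):
    """Write `size` bytes from offset 0; return SHA-256 of what was written."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        n = min(BLOCK, remaining)            # last block may be partial
        chunk = os.urandom(n) if fill is None else fill * n
        written = 0
        while written < n:                   # os.write may write less than asked
            written += os.write(fd, chunk[written:])
        digest.update(chunk)
        remaining -= n
    os.fsync(fd)                             # flush the OS write cache
    return digest.hexdigest()


def _read_back(fd, size):
    """Read the whole image back; return SHA-256 of what is stored."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        chunk = os.read(fd, min(BLOCK, remaining))
        if not chunk:
            break                            # short read: digests will differ
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.hexdigest()


def overwrite_and_verify(path, passes=PASSES):
    """Overwrite every byte of `path` once per pass and verify each pass.

    Returns a list of (pass_name, verified) tuples.
    """
    results = []
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for files and block devices
        for name, fill in passes:
            expected = _write_pass(fd, size, fill)
            results.append((name, _read_back(fd, size) == expected))
    finally:
        os.close(fd)
    return results


def residual(path, needle):
    """True if `needle` can still be found anywhere in the image."""
    with open(path, "rb") as f:
        return needle in f.read()


def make_sample_image(size=200_000):
    """Constructed stand-in for a drive: filler bytes plus one fake record."""
    record = b"PATIENT: Jane Example SSN 000-00-0000"  # constructed sample
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\xaa" * 70_000 + record
                + b"\xaa" * (size - 70_000 - len(record)))
    return path, record


if __name__ == "__main__":
    path, record = make_sample_image()
    print("record present before:", residual(path, record))
    print("passes:", overwrite_and_verify(path))
    print("record present after: ", residual(path, record))
    os.remove(path)
```

Sectors the drive firmware has already remapped (the G-list) are not reachable through this write path. A read-back issued straight after the write can also be served from the operating system's cache rather than from the media.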
Purging Media
• Protection from laboratory attack
• How are media purged?
  – Overwriting
  – Degaussing
Overwriting Used for Purging
• Same technique as clearing
• There are more overwrites to purge
Overwriting Tools for Clearing and Purging Media
• UniShred Pro - Los Altos Technologies, Inc.
• Norton Utilities - Symantec, “Wipe”
• UNIX
• ISTAC Security Utilities (US Gov. & Contractors) - CIA
• PC Safe & Secure - Boomerang Software
• Blackout - Kintech Software
• BC Wipe - Jetico
Degaussing
• This is the most effective purging technique
• Media coercivity dictates the type of Degaussing device that is required for effective destruction of the data
Degausser Products List
• Published twice a year by the:
  Media Technology Center, NSA
  9800 Savage Road
  Ft. Meade, MD 20755-6000
Magnetic Tapes
• Magnetic Tape, types I, II, III
  – Type I, Coercivity of 0-350 Oe
  – Type II, Coercivity of 351-750 Oe
  – Type III, Coercivity of 751+ Oe
• Examples of magnetic tape types
  – 4 MM, DAT, Coercivity 1650 Oe
  – 8MM, Cartridge, Coercivity 650 Oe
  – Cartridge, SQ 400, Coercivity 950 Oe
Disks
• 3.5”, 1.4 MB, Coercivity 700 Oe
• 3.5”, 120 MB, Coercivity 1500 Oe
• Atlas III, HD, 10 GB, Coercivity 2300 Oe
• Hard Drives 50+ GB, Coercivity 3000+
Other Media
• UVPROM/EPROM
• Magneto-Optical Read Only (ROM and Worm) CD/DVD
• EAROM and EEPROM
• etc.
UVPROM/EPROM
Magneto-Optical
• Read Only Memory (ROM)
• Write Once Read Many (Worm)
EAROM, EEPROM
FLASH
Perpendicular Recording
• What is it?
• The superparamagnetism limit
• Coercivity of 10,000 Oe
• Density of 100 Gbits/Sq inch
• 3 ½ inch floppy to store 1 Tbit of data
• Seagate & Maxtor may have drives out in 2006, est.
etc.
• Researchers at Syracuse University have developed a recording medium that suspends a bacterial protein in a gel
• The molecular medium stores information in three-dimensional neural architectures when exposed to a sequence of two red laser beams
• A blue laser resets the molecules, erasing the data
For info: Google on “R. Birge Syracuse”
Future Medium?
• Another project is to make a protein-p based three-dimensional memory based on bacteriorhodopsin
• Proteins will be encapsulated in a polymer matrix that will allow three-dimensional addressing
• Holographic memory
Agenda
• Concepts and Terms
• Situation Assessment
• Attacks and Protection
• Media
• Media Destruction
Remanence: Deleted or erased, but not really gone!
Media Destruction
Why destroy media?
• Policy
• System/media are damaged beyond repair
• System/media are obsolete
Media Destruction Techniques
• Not always a simple process
– Remove components
– Pulverize
– Incinerate
• Examples:
– Magneto-optical disks
– Wafers/chips
– Diskettes
– Hard drives
– Tapes
What’s New?
• Purging machine for optical CD/DVDs
• Universal Secure Overwrite - “Secure Erase”
CD/DVD DESTROYERS
Turns CD/DVD’s to Dust CD/DVD Remains
TIME TAKES ITS TOLL
Who Does This Kind of Data Recovery?
• Ontrack Data Recovery
• CBL Data Recovery Technologies, Inc.
• Data Retrieval Services
• Data Recovery Labs
Who’s Who in Data Recovery
Quick Review
• There is a difference between:
– Clearing and purging media
– Keyboard and laboratory attack
– Overwriting and degaussing media
Remanence: Deleted or erased, but not really gone!
Questions?
Understanding Data
Remanence Management
and What It Means to You
Presented By
STEVEN SKOLOCHENKO CISSP, CISM, CISA
Booz | Allen | Hamilton
Thanks for
Attending!