WIPING DATA AND ITS FORENSIC TRAIL

In the modern security climate, securing data is of vital importance — key corporate data such as client lists, development roadmaps, and even employee data are constant targets of espionage, domestic hacking, and international data trafficking.

That is why it’s so surprising, then, that one of the most important elements of data management is so often overlooked. Forensic data trails, that is, the data that is left over after deleting the content on a workstation, are incredibly valuable. In fact, given enough time and with the right tools, skilled data experts can take data that was “deleted” from a computer and restructure it in mostly or entirely complete form, rendering the initial deletion a moot point.

What are Forensic Data Trails, Exactly?

Forensic data trails are the result of modern operating systems and how they handle deletion. When an operating system like Windows or OSX is told to delete a file, what they actually do is delete the “pointer”, or the mark on the hard drive where the data string begins and ends.

By deleting the pointer, this section of data is marked as okay to “overwrite”, but is not actually erased. The reason operating systems do this is because deletion is actually a time-intensive process — data must be located in all of its parts spread throughout the hard drive platters, and then sequentially erased. Deleting the pointer takes milliseconds, making for a faster process.

While solid-state drives do not have this problem (as they lack platters and already store data sequentially), they are not yet ubiquitous, so throughout this article, when we talk about “hard drives”, we’re purposefully excluding solid-state drives.

Why are Forensic Data Trails Bad?

Forensic data trails are, by themselves, not a bad thing. If you’ve accidentally deleted a folder storing your vacation pictures, for instance, being able to recover this data from the forensic trail left behind is a great thing.

Unfortunately, in a corporate environment, when data is deleted, it’s less often accidental or for lack of purpose, but more to destroy data that, if accessed by unauthorized personnel, would be damaging to the data source.

Data of this kind, such as sales reports, authorization forms, medical documentation, or other such data, needs to be securely deleted not only for corporate reasons but often for legal reasons. One such example is the Health Insurance Portability and Accountability Act (HIPAA), the medical privacy law of the United States of America, which requires data retention in a secure format until such time the data deletion is requested. At this time, data must be fully and completely destroyed.

International law follows this same structure. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires secure data handling and complete deletion when data is collected for commercial or federal use. This law is further expanded upon and codified by Article 8 of the European Convention on Human Rights (ECHR) with a stringent restriction on how data can be processed, utilized, retained, and destroyed.

All of this serves to illustrate the severity of mismanaging forensic data trails in a legal sense — not to mention the moral arguments of the right to privacy and responsibility of the corporation to the consumer.

3 Steps to Secure Data Deletion

Thankfully, forensic data trails can be handled with relative ease by those who are aware of the problem. The following three steps should be part of any forensic data trail management program and should be used as a guideline for developing internal processes and rules.

Step 1 – Be Cognizant of the Problem

First and foremost, everyone in an organization whose data is important enough to delete to comply with the legal and corporate policy should be aware of what forensic data trails are and how to properly handle data.

Part of this is to simply have a data deletion plan. A data deletion plan is an overview plan from identifying data for deletion to wiping the disk upon which it was transferred to ensure data deletion.

When a data deletion plan incorporates proper tracking methodologies (i.e. limiting data transfer to physical media only and recording the change of custody during the process), data is recorded and tracked in such a way that the forensic trail itself is contained to only a single generation of devices. Failing to keep with this plan will result in multiple copies of the data, and a forensic trail on many devices.

Step 2 – Grade Data

Grading data is the process of internally marking data by its sensitivity and the damage that can be done if it were to be leaked out of the organization. Take a page out of the government’s classification scheme here, and grade your data.

Any classification system will do — you can mark data as “sensitive”, “non-sensitive”, and “common”, or even as “grade A”, “grade B”, and “grade C” — but what truly matters is that the organization is trained and aware of the process.

Doing this will allow you to control the movement of data according to grade. Sensitive data will be restricted on a “need to access” basis, and will naturally result in data control.

Step 3 – Isolate Data

The third step, and arguably the most important, is to isolate and quarantine data. Proper quarantining of data will result in a contained forensic data trail and will help identify failures in the chain of custody and data handling process by segmenting data to the department that handles it.

For instance, if a salesperson needs customer support data, only this data should be provided — while sharing a common “customer dossier” may seem like an easier and more efficient solution, it ties customer payment data, identifying characteristics, and more into a single file. When this single file is passed around between departments, this results in a spread out and uncontrollable forensic data trail.

Putting it All Together

Organizational data needs to be handled in a very careful, methodical way. When a policy for data retention and deletion is crafted, it needs to be crafted in a way to align with local laws and regulations, as well as any international law that may apply to your specific consumer set. Of considerable importance is also finding a solution that does not divert the focus on your team and create a cycle of attention and delay.

For data deletion and the destruction of forensic data trails, there are a variety of solutions one can use. Clarabyte’s Wipe Standard provides an automated, auditable reporting solution that can reduce downtime and remove any worries pertaining to forensic data trails.

References and Further Reading

DRAFT Special Publication 800-88 Revision 1, Guidelines for Media Sanitization

http://csrc.nist.gov/publications/drafts/800-88-rev1/sp800_88_r1_draft.pdf

Why SSD Drives Destroy Court Evidence, and What Can Be Done About It

http://belkasoft.com/why-ssd-destroy-court-evidence

Clearing and Declassifying Electronic Data Storage Devices

https://www.cse-cst.gc.ca/en/system/files/pdf_documents/itsg-06-eng.pdf

Digital Forensic Evidence in the Courtroom: Understanding Content and Quality

http://scholarlycommons.law.northwestern.edu/cgi/viewcontent.cgi?article=1218&context=njtip

Evaluation of Audit Trails and Security Features in Software Systems

http://forensics.marshall.edu/NEST/PDFs-NEST/Posters/SecurityAudits-09.pdf

Anti-Forensics and the Digital Investigator

http://www.garykessler.net/library/2007_ADFC_anti-forensics.pdf