Sold! Please take my data…

“One man’s trash is another man’s treasure”. A common saying which I am sure everybody has used at one time or another. A quote we use when we throw away that old 50 inch plasma TV or that synthetic bonded leather sofa which has passed our predetermined use-by date.

Giving new life to our odds and ends is a simple case of holding a Saturday morning garage sale, or auctioning off our goods to the highest bidder online with a handful of convenient point and clicks. While an old TV or an old sofa may not have any significant privacy value to another party, what about the everyday items that form part of the technologically saturated world we live in? We live in a world of seamless connectivity and the internet of things; a world where our digital devices store some of our most personal and private information.

For those of you that have read some of my other infosec ramblings, you will know that I am not one to just throw together a bunch of words in the hope that you will believe me when I make statements like “dispose of your data in a secure manner”. I enjoy backing up my statements through demonstration, so let’s get to it!

Enter stage left a second hand Network Attached Storage (NAS) device listed for sale on the internet:

—snip—
For sale: QNAP TS-109 NAS with HDD $40

Qnap TS-109 nas with power pack and two feet
http://qnap.nas-central.org/wiki/Category:TS-109
Firmware Installed and operating to a Seagate 500gb HDD
NO warranty with the above
—snip—

The NAS looked like a great candidate for two reasons. One – I am currently in the process of performing some security research on this particular vendor’s line of devices. And two – I needed a cheap hard drive for demonstration purposes. Sold! Please give me your data!

Fast forward a week and the device arrived on my doorstep extremely well packaged… as shiny and new as it would have appeared three years prior. I eagerly connected the NAS to my isolated sandpit network (never trust anyone), and once the device had booted and acquired a DHCP lease I proceeded to have an initial poke around. It is fair to say the previous owner had not only erased all of their data, but had also restored the drive back to the vendor’s original factory defaults. All of the settings had been reset, all of the data appeared to have been wiped, and the NAS proudly boasted ~500GB of free space ready to absorb my personal data.

[Screenshot: qnap_free_space]

Enough of this polite facade of an introduction… We are not here to tout how well the original owner looked after his kit; we are here to break things! It was time to dismantle the NAS and recover some personal data!

Recover personal data? What?!? Correct… deleting data, sending it to the recycle bin, or performing a standard format of a device does not necessarily guarantee the data has been securely removed. The details and science behind why the data will still exist are out of scope for this article, so if you are interested in the finer details of securely wiping data, please embrace your google-fu. It’s time to break things!

First step; dismantle the NAS so we can access the HDD.

Next, attach the HDD to the system which we will utilise for our data forensics, and confirm the location of the device with fdisk.

Let’s create an image of the device… Whenever you are delving into data forensics, it is important to ensure that you keep the integrity of the original source intact. Personally I like to acquire images with dcfldd, a tool created by the US Department of Defense Computer Forensics Lab; however, there are a number of other commercial and open source tools which can perform the same task.

The command breakdown is as follows:

if= : input file
hash=md5 : use the md5 hashing algorithm
md5log= : storage location for the md5 hash
bs= : block size for reading/writing
of= : output file

The time it takes for the imaging process to complete will obviously depend on your hardware and the size of the disk/s or partition/s you are cloning. As you can see from above, it took my system roughly 2 hrs 15 mins. While it may seem obvious, it is important to ensure that you have enough space free for your output file; plenty of new players have wasted a lot of time and become unstuck whilst working with large amounts of data.

I believe it is a good practice to hash the original source as well as the working copy in order to prove the copy is exactly the same as the original and has not been tampered with. While it is not necessary with personal projects like this, it is a good idea to incorporate hashing into your standard routine or workflow.
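The acquire-and-verify routine described above, as an added Python example that is not the author's dcfldd command: it copies a source block by block while hashing what it reads, checks free space first, and shows that a one-byte change to the working copy changes its MD5. The file names and the constructed 3 MiB "drive" are assumptions for illustration.

```python
import hashlib
import os
import shutil
import tempfile

BLOCK_SIZE = 1024 * 1024  # plays the role of dcfldd's bs=


def hash_file(path, block_size=BLOCK_SIZE):
    """Read a file in blocks and return its MD5 hex digest."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_image(source, dest, block_size=BLOCK_SIZE):
    """Copy source to dest, hashing each block as it is read from the source."""
    with open(source, "rb") as src:
        size = src.seek(0, os.SEEK_END)  # size of the source
        src.seek(0)
        free = shutil.disk_usage(os.path.dirname(os.path.abspath(dest))).free
        if free < size:  # fail before copying, not hours into the run
            raise OSError(f"image needs {size} bytes, only {free} free")
        digest = hashlib.md5()
        with open(dest, "wb") as out:
            for block in iter(lambda: src.read(block_size), b""):
                digest.update(block)
                out.write(block)
    return digest.hexdigest()


def demo():
    """Image a constructed 'drive', verify the copy, then detect a changed byte."""
    with tempfile.TemporaryDirectory() as work:
        drive = os.path.join(work, "drive.bin")  # stand-in for the real disk
        image = os.path.join(work, "image.dd")
        with open(drive, "wb") as fh:  # 3 MiB + 4 bytes, so not block aligned
            fh.write(bytes(range(256)) * (3 * 4096) + b"tail")
        source_md5 = acquire_image(drive, image)
        copy_md5 = hash_file(image)
        with open(image, "r+b") as fh:  # alter one byte of the working copy
            fh.seek(4096)
            fh.write(b"\xff")  # the original byte at this offset is 0x00
        return source_md5, copy_md5, hash_file(image)


if __name__ == "__main__":
    print(demo())
```
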

md5 hash of original drive:

md5 hash of our working copy:

With our image successfully created, it is time to take a look at what data we can carve from the dumped image. My tool of choice is scalpel. Other tools such as foremost, autopsy, and a number of commercial products are also useful depending upon your requirements.

For the purposes of this exercise, I have only chosen to look for avi files. Obviously if you were performing a full forensic analysis of the drive you would look for a number of other file types, as well as compare results between the various tools. To set the type of file you would like to carve with scalpel, uncomment the appropriate fields in the /etc/scalpel/scalpel.conf file.

As you can see above, our carving activity possibly found 720 avi files in a relatively short period, especially considering that the device had been previously erased and formatted a number of times.
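Why carving still works after a format, as an added Python example (not scalpel's code and not the author's): it scans a raw image for the RIFF/AVI header signature and uses the RIFF length field to cut each file out, with no filesystem metadata involved. The sample image, the helper names and the 50 MB size cap are constructed assumptions; using the length field instead of a fixed maximum size goes slightly beyond plain header matching.

```python
import struct

RIFF = b"RIFF"
AVI = b"AVI "
MAX_SIZE = 50_000_000  # assumed per-file cap so a corrupt length cannot run away


def make_avi(payload):
    """Build a minimal RIFF/AVI container around payload (constructed test data)."""
    body = AVI + payload
    return RIFF + struct.pack("<I", len(body)) + body


def carve_avi(image, max_size=MAX_SIZE):
    """Return (offset, data, complete) for every RIFF....AVI header in image."""
    found = []
    pos = image.find(RIFF)
    while pos != -1:
        header = image[pos:pos + 12]
        if len(header) == 12 and header[8:12] == AVI:
            (riff_len,) = struct.unpack("<I", header[4:8])
            wanted = min(riff_len + 8, max_size)  # length excludes the 8-byte header
            data = image[pos:pos + wanted]
            found.append((pos, data, len(data) == riff_len + 8))
            pos = image.find(RIFF, pos + len(data))
        else:
            pos = image.find(RIFF, pos + 1)  # RIFF of another type, or a stray match
    return found


def build_demo_image():
    """Constructed 'reset' disk: empty space with old file contents left behind."""
    first = make_avi(b"frame-data-" * 40)
    wav = RIFF + struct.pack("<I", 8) + b"WAVE" + b"data"  # RIFF, but not AVI
    second = make_avi(b"more-frames-" * 40)[:100]  # cut off by the end of the disk
    image = bytes(4096) + first + bytes(512) + wav + bytes(1024) + second
    return image, first


if __name__ == "__main__":
    image, _ = build_demo_image()
    for offset, data, complete in carve_avi(image):
        print(offset, len(data), "complete" if complete else "truncated")
    print("after zeroing:", carve_avi(bytes(len(image))))
```
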

Taking a look at the results, we can see that the previous owner/s had a wide variety of movie and series tastes. We found various TV shows such as Frasier and Futurama, and also recovered a number of full movie titles in a variety of different genres.

[Screenshots: five captures of the carved video files, taken 2015-07-15]

Whilst the screenshots above were chosen as harmless examples of carved data, it is important to note that the recovered data was somebody’s private information which may or may not have been intended to be disclosed to a third party. Performing a full forensic analysis of the drive may expose personal documents, images, passwords, or any other information a third party may be searching for.

So the obvious question is how should you erase data from a device you intend to sell? There are a number of methods available, from zero’ing out a drive, to writing random data. In a future article I will delve into the world of securely erasing data and provide the pros and cons of various techniques. For me personally, I do not sell any hard drives or NAS devices to any unknown or untrusted party, especially for such a low price as $40. I am a big fan of zero’ing out the drives, and then physically destroying the device.

In closing… at a recent Australian Information Security Association (AISA) branch meeting, the CISO of Telstra, Mike Burgess, presented the “5 knows of cyber security”:

– Know the value of your data
– Know where your data is
– Know who has access to it
– Know who is protecting it
– Know how well it is protected

I believe Mr Burgess hit the nail on the head when it comes to data. Our world is technologically savvy, data hungry, and highly tuned to ensure that all devices can exist in a ‘simple to connect’ and ‘easy to access’ environment. More than ever, we need to recall the saying “one man’s trash is another man’s treasure”, remembering that all is not as black and white as it once seemed. Data is valuable, and we need to ensure that we protect our data from those who may wish to cause us harm. Sometimes, one man’s trash should remain one man’s trash, not someone’s treasure.