Digital Information, User Tokens, Privacy And Forensics Investigations: The Case Of Windows Xp Platform


Presented at Black Hat Europe 2003 by Larry Leibrock, Ph.D.

Incident response and IT security practitioners are aware that normal user interaction with digital devices creates, deletes and typically leaves behind a range of data, metadata and residue (termed tokens) on different system media. We use Microsoft Windows XP as an illustrative platform to review how these tokens are created, how they are discovered, and whether they can be cleaned using some generally available privacy tool sets. This paper reports a field study that reviews extant knowledge, determines the range of user tokens, and surveys the forensics methods currently used to discover evidentiary findings. The field study focuses solely on two commercially available variants of the Windows XP platform (Windows XP Professional and Windows XP Tablet PC Edition) in networked settings. The paper describes the Windows XP platform from these perspectives: files, registry, system folders, special folders, media and forensics processes. A review of present data-hiding techniques (cryptography and steganography) is presented and demonstrated, and a set of data destruction algorithms and tools is described. Finally, in the context of a teaching case, a set of public policy perspectives is presented for discussion. The purpose of the case is to open a dialogue about individual privacy rights, privacy of information, ownership of data, protection of sensitive information and legal investigative processes in democratic settings. 
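The abstract says the data-hiding techniques are demonstrated but the page carries no code. The following is an added example, not code from the paper or its author: a minimal least-significant-bit (LSB) steganography embed/extract routine over a constructed 8-bit sample buffer (standing in for the pixel bytes of a bitmap), together with the pairs-of-values statistic that a forensic examiner can use to detect it. The cover buffer, the payload and the function names are all assumptions made here for the example.

```python
"""Added example, not code from the Black Hat Europe 2003 paper: LSB
steganography embed/extract over a constructed sample buffer, plus the
pairs-of-values statistic that makes such embedding detectable."""
import random

HEADER_BYTES = 4  # big-endian payload length stored ahead of the payload


def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide payload in the least significant bit of successive cover bytes."""
    data = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    if len(data) * 8 > len(cover):
        raise ValueError("payload too large for cover")
    out = bytearray(cover)
    pos = 0
    for byte in data:
        for shift in range(7, -1, -1):  # MSB first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the payload written by embed()."""
    def read(start: int, count: int) -> bytes:
        vals = bytearray()
        for k in range(count):
            v = 0
            for b in range(8):
                v = (v << 1) | (stego[start + 8 * k + b] & 1)
            vals.append(v)
        return bytes(vals)

    length = int.from_bytes(read(0, HEADER_BYTES), "big")
    if (HEADER_BYTES + length) * 8 > len(stego):
        raise ValueError("corrupt or missing header")
    return read(HEADER_BYTES * 8, length)


def pov_imbalance(buf: bytes) -> float:
    """Pairs-of-values statistic: sum over k of |count(2k) - count(2k+1)|,
    normalised by buffer length. LSB embedding of random-looking data drives
    the counts within each pair (2k, 2k+1) toward equality, so the value
    drops sharply on a stego buffer. This is the idea behind the
    Westfeld-Pfitzmann chi-square attack, without the chi-square test."""
    hist = [0] * 256
    for b in buf:
        hist[b] += 1
    return sum(abs(hist[2 * k] - hist[2 * k + 1]) for k in range(128)) / len(buf)


def make_cover(n: int = 4096) -> bytes:
    """Constructed (synthetic) cover: a slow ramp of mostly even sample values,
    i.e. the kind of LSB skew an unmodified image may carry. Not real data."""
    return bytes(2 * ((i // 3) % 128) + (1 if i % 7 == 0 else 0) for i in range(n))


def make_payload(n: int = 480, seed: int = 2003) -> bytes:
    """Constructed payload: seeded pseudo-random bytes standing in for an
    encrypted message (encrypt before embedding so the bits look random)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    cover, payload = make_cover(), make_payload()
    stego = embed(cover, payload)
    assert extract(stego) == payload
    print(f"cover imbalance {pov_imbalance(cover):.3f}, "
          f"stego imbalance {pov_imbalance(stego):.3f}")
```

The embed side only flips the low bit of each sample, so the carrier looks unchanged to the eye; the detection side shows why that is not enough against an examiner: on the constructed cover the pairs-of-values imbalance is about 0.71, and after embedding it collapses to well under 0.2. Real steganalysis tools apply a chi-square test to the same histogram pairs; real steganography tools counter it by embedding sparsely or with a key-driven pseudo-random path rather than sequentially.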
Discussion topics in the presentation include the following:

- Investigation and privacy of digital data
- Introductory forensics investigations: practices and procedures
- An international forensics case discussion: law, privacy, ethics, law enforcement
- Microsoft Windows XP: media typology and morphology of data
- Data caches: files, registry, folders, metadata derivatives
- Networking artifacts and residue
- Introduction to information hiding techniques and data wiping tools: special hardware, some special tools
- Extant political, public policy and legal systems perspectives

Larry Leibrock, Ph.D., is a member of the McCombs Business School faculty at The University of Texas and serves as the Associate Dean and Technology Officer for the McCombs Business School. He has held or currently holds clinical teaching and research appointments at McCombs Business School, the Institute for Advanced Technology, The University of Texas Law School, Emory University, the Helsinki School of Economics and Monterrey Technologica in Mexico City and Monterrey. He is a member of IEEE, ACM, the Internet Society, FIRST and USENIX/SAGE. He is also a member of the Department of Defense Software Engineering Institute and a participant in the Air Force Software Technology Conference. He is the founder and CTO of eForensics LLC, a private technical services firm. He has experience in enterprise systems support, offensive and defensive systems security measures, systems security audits, and IT deployment projects in both governmental and corporate settings. In clinical practice, he has served as project manager for IT projects at several US and international sites. He holds professional certifications in IT project management, Windows, UNIX, systems performance, computer security and networking. He has authored papers on information systems attacks, encryption, public key infrastructures, privacy, systems survivability and systems forensics. 
He has won several University teaching awards and has served as an expert in a range of legislative matters, judicial testimony, and legal disputes. Larry has served as a Special Master for a Texas Court in the areas of systems management, systems survivability, security and protection of systems mechanisms. Larry has delivered expert digital evidence testimony at both civil and criminal trials. He has testified for the Presidential Commission for Protection of Critical Information Infrastructure and the Senate Science Committee. He recently presented forensics testimony at an invitational conference for the Executive Office of the President. He presently serves on the Texas Infrastructure Protection Advisory Committee formed by the Attorney General of Texas. He is also appointed to the Board of Directors - Texas Department of Information Resources. Larry is active in IT industry and government systems consulting projects in the areas of systems forensics, enterprise IT operations, security and incident investigations.