Complete Delete and Cross Drive Forensics

April 3, 2006
12:00 pm - 1:00 pm
Halligan 111

Abstract

What could you do with 1000 used hard drives? Garfinkel examined the data on them that had been left by their previous owners and found credit card numbers, medical records, pornography, and email. But he also found that the oft-neglected need to sanitize discarded media is a serious problem among computer users --- one that appears to be getting worse.

This talk examines the results-to-date of Garfinkel's five-year research program involving the recovery of data from used hard drives. Automated analysis of the drives can reveal significant information about the drive's former owner. It can also show what steps the owners took---if any---to clear the drives before they were sold. This work was then confirmed with a "trace back study," in which the owners of the original data were contacted and interviewed.

The unintentional release of confidential information is primarily the result of common usability failures present in consumer operating systems. These failings can be overcome through the implementation of patterns that Garfinkel has identified. The patterns are generally applicable---for example, they can be applied to the problem of sanitizing information left behind in web browsers and in Microsoft Word and Adobe Acrobat documents.

Next, Simson Garfinkel will discuss his current area of research --- a set of exciting new forensic techniques called "hot drive discovery" and "cross-drive analysis." These statistical tools have the ability to redefine computer forensics as we know it by greatly increasing the amount of information that a forensics specialist can analyze at a given time.

Finally, Garfinkel will discuss attempts in the US and private industry to deal with the data sanitization issue. He'll explore whether these new regulations and business practices are likely to help or hinder both business and law enforcement.