Document Life Cycle Management - Isaca

Document Life Cycle Management
John Mallery
Managing Consultant
BKD, LLP
jmallery@bkd.com
Agenda
• Discuss how widely disseminated data can be
• It is now to the point where it is difficult to control (IMPOSSIBLE)
• Address mechanisms that exist to control document “behavior”
• Not finding copies of documents when you need them
Where the data goes: PDA’s, Business Partnerships, Home Users, Road Warriors, Cell Phones
Online storage sites
• Files Anywhere – http://www.filesanywhere.com/
• BestSharing – http://www.bestsharing.com
• BigUpload – http://www.bigupload.com
• bigVault – http://www.bigvault.com
• biscu.com – http://www.biscu.com
• DropSend – http://www.dropsend.com
• ecPocket.com – http://www.ecpocket.com
• Elephant Drive – http://www.elephantdrive.com
• MyFileHut – http://www.myfilehut.com
• Putfwd.com – http://www.putfwd.com
• Savefile – http://www.savefile.com
• Xdrive – http://www.xdrive.com
• Global Data Vault – http://www.globaldatavault.com
• Online Storage Solutions – http://www.onlinestoragesolution.com
• Box.net – http://www.box.net
GSpace – Firefox Plugin
USB Mass Storage Devices
What will they think of next?
Amazing!
What about human fingernail?
Too Cool!
Privacy software for USB Devices
• PI Protector Mobility Suite – http://www.imaginelan.com/winboot/
Internet Explorer, Outlook and File Sync – all files stored on USB drive
• Migo USB Devices – http://www.4migo.com
U3 USB
• Allows any application to run on a USB device.
• USB devices now “parasites” on host computers
USB SyncBox
Can transfer data between USB devices without a computer.
Preventing USB Data Transfers
• Fill USB Ports with Epoxy
• Modify BIOS
• Create Group Policy Object removing permissions to usbstor.dll for all except System and possibly Admins. Still allows use of non-storage related USB devices
• Modify registry to make USB devices read only (see next slide)
Thanks to Mark Minasi
• “It's a simple Registry change. First, create a whole new key: HKLM\System\CurrentControlSet\Control\StorageDevicePolicies. Then create a REG_DWORD entry in it called WriteProtect. Set it to 1 and you'll be able to read from USB drives but not write to them.”
• XP – SP2
• www.minasi.com
USB Hacksaw
“The USB Hacksaw is an evolution of the popular USB Switchblade that uses a modified version of USBDumper, Blat, Stunnel, and Gmail to automatically infect Windows PCs with a payload that will retrieve documents from USB drives plugged into the target machine and securely transmit them to an email account.”
From http://www.hak5.org/wiki/USB_Hacksaw
Don’t forget paper…
3 Accused In Theft Of Coke Secrets
Information Offered To Pepsi, FBI Says
“A company surveillance camera caught Coca-Cola employee Joya Williams at her desk looking through files and "stuffing documents into bags," Nahmias and FBI officials said. Then in June, an undercover FBI agent met at the Atlanta airport with another of the defendants, handing him $30,000 in a yellow Girl Scout Cookie box in exchange for an Armani bag containing confidential Coca-Cola documents and a sample of a product the company was developing, officials said.”
Washingtonpost.com, Kathleen Day, July 6, 2006
http://tinyurl.com/ppwh6
Regaining Control
End User and Enterprise Tools
Enterprise P.D.S.D. Control
• Device Wall – www.devicewall.com
• DeviceLock – http://www.protect-me.com/dl/
• Sanctuary Device Control – http://www.securewave.com/sanctuary_DC.jsp
Old Ways
• File Rights Management
• Essentially controlling who has access to which documents
• Helpful if properly implemented
• Still not implemented properly
• Easier to allow everyone access to everything
• Still Exists!
Document Life Cycle Management – End User Tools
• Tools like Net-It Now and Adobe Acrobat provide the ability to add some control
• These tools require users to determine what rights to apply
Net-It Now
“Net-It® Now is a free print driver that renders your files to CSF (content secure format), a compressed encrypted format that allows you to add Visual Rights™, including password protection, an expiration date, and feature restrictions, to your files (settings). Files are viewable with the free Brava! Reader (views TIFF, PDF and CSF files)”.
http://www.net-it.com/nin.htm
Example
View file in Hex Editor
Adobe Acrobat
Document Lifecycle Management – Enterprise Tools
• Microsoft Office IRM – Information Rights Management
• Liquid Machines
• Authentica
• Adobe LiveCycle Policy Server
Microsoft IRM
• Information Rights Management
• Available for Microsoft Office 2003
• Requires the following
– Microsoft Windows Rights Management Services for Windows Server 2003 (http://www.microsoft.com/rms)
– Active Directory
– IIS
– Database such as MS SQL
– Office 2003 Professional
Office IRM
Allow users with earlier versions of Office to read with browsers supporting Information Rights Management. (Increases file size)
Liquid Machines
“Liquid Machines Document Control™ uses its patented Policy Droplet™ control to provide an intuitive, consistent user interface across more than 65 applications and file formats, including Microsoft Office, Visio, Sharepoint® and Adobe Acrobat, to persistently control access to and usage of electronic information throughout its lifecycle.”
Authentica
• Provides complete after-delivery protection and control; prevents sensitive documents from being forwarded
• Lets content owners define access privileges (copy/paste, print) and expire access to documents at any time
• Lets content owners insert a custom watermark into a document to deter authorized viewers from printing and distributing the document
From http://www.authentica.com/products/securedocs.aspx
Authentica
• Provides a detailed audit trail so that organizations can actively track document activity (what pages were viewed, by whom, when, from where, for how long, and whether they were printed)
• Leverages a company's existing authentication systems and LDAP user directories for creating document policies, thereby reducing administrator involvement
Investigating Theft of Documents
Privacy vs. Investigations (Anti-forensics)
Privacy Concerns
• Plastic Surgeon story
• “Deleted Files” being used in litigation
• Increased awareness of computer forensics capabilities
Agenda
• Configuration settings – methods used to cover tracks using “supplied” tools and configuration settings
• Third party tools – wiping, properties changers, registry cleaners, steganography/encryption, etc.
• Tools and methods designed specifically to fool computer forensics programs.
Simple
• “Shift+Delete” to bypass Recycle Bin
• Recycle Bin – configured to delete immediately
• defrag
OS/Application Supplied
Empty Temporary Internet Files folder when browser is closed.
OS/Application Supplied
Shutdown: Clear virtual memory pagefile – Enabled
XP – Control Panel | Administrative Tools | Local Security Policy | Local Policies | Security Options | Shutdown: Clear virtual memory Page File | Select Enabled
Clear Page File
Configured? Check the following registry key:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: CurrentControlSet\Control\Session Manager\Memory Management
Name: ClearPageFileAtShutdown
Type: REG_DWORD
Value: 1
Slows down shutdown process
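The two registry settings the deck describes (the USB WriteProtect value quoted from Mark Minasi, and ClearPageFileAtShutdown above) are both plain REG_DWORD values under HKLM, so one read-only audit script can report whether a machine has them in place. The following PowerShell is an added example written for this page, not code from the slides or from Minasi; the key paths and value names are the ones the deck gives, and the caveat notes in the table are assumptions about what each setting does and does not cover.

```powershell
# Added example: audit the two hardening settings described in the deck.
# Read-only: it reports state and changes nothing. Run from an elevated prompt
# so the HKLM keys are readable.

function Get-DwordSetting {
    param([string]$Path, [string]$Name)
    # Returns the DWORD value, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$checks = @(
    @{ Label = 'USB storage write-protect'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
       Name  = 'WriteProtect'
       # Caveat (assumption): only blocks writes to USB mass storage; reads still work
       # and other USB device classes are unaffected.
       Note  = 'blocks writes to USB mass storage only; reads and non-storage devices unaffected' },
    @{ Label = 'Clear pagefile at shutdown'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name  = 'ClearPageFileAtShutdown'
       # Caveat (assumption): overwrites pagefile.sys at shutdown, which is why shutdown
       # slows; the hibernation file is not covered by this setting.
       Note  = 'overwrites pagefile.sys at shutdown (slower shutdown); hiberfil.sys not covered' }
)

function Get-HardeningReport {
    foreach ($c in $checks) {
        $value = Get-DwordSetting -Path $c.Path -Name $c.Name
        if ($null -eq $value) { $state = 'NOT CONFIGURED (value absent)' }
        elseif ($value -eq 1) { $state = 'ENABLED' }
        else                  { $state = "DISABLED (value = $value)" }
        [pscustomobject]@{ Setting = $c.Label; State = $state; Note = $c.Note }
    }
}

function Enable-UsbWriteProtect {
    # The change quoted from Minasi, scripted: create the key if it is missing,
    # then set WriteProtect = 1. Requires an elevated prompt; not called by default.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name 'WriteProtect' -Value 1 -Type DWord
}

Get-HardeningReport | Format-Table -AutoSize
```

A value of 0 and an absent value mean the same thing to Windows (the control is off), but the report keeps them distinct because an explicit 0 on a machine that is supposed to be locked down is worth asking about.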
OS/Application Supplied
CIPHER – “Displays or alters the encryption of directories [files] on NTFS partitions”
CIPHER /W:directory (XP)
OS/Application Supplied
Disk Cleanup
OS/Application Supplied
• Word (Excel)
– Hidden font
– White on White
– Small font
• Plug ins
– Remove hidden data tool
– Redaction tool
– Payne scrambling tool
Hidden Font
Redaction tool
“Overview
Redaction is the careful editing of a document to remove confidential information.
The Microsoft Office Word 2003 Redaction Add-in makes it easy for you to mark sections of a document for redaction. You can then redact the document so that the sections you specified are blacked out. You can either print the redacted document or use it electronically. In the redacted version of the document, the redacted text is replaced with a black bar and cannot be converted back to text or retrieved.”
http://tinyurl.com/dgokp (Word 2003)
Remove Hidden Data (metadata)
http://tinyurl.com/5bams
Scramble Assistant for Word & Excel
http://www.payneconsulting.com/products/scramword_free/
Advantages of OS Supplied Tools
• Appear less “nefarious” than commercial tools (Evidence Eliminator).
• Free
Third Party Tools
Fun for the Whole Family
Registry Cleaner
Merge Streams/Glue
• Hides Excel file within a Word Document (vice versa)
• .doc – see Word file
• .xls – see Excel file
• Won’t fool forensics examiner – may confuse them
• Word – “Recover Text from any file”
• Demo
• http://www.ntkernel.com/w&p.php?id=23
File Properties Changer
www.segobit.com
Wiping Tools
• Gazillions of them
• Eraser (comes with DBAN)
• Sdelete – www.sysinternals.com
• Evidence Eliminator
• BC Wipe
• Cyberscrub
• Etc.
• Do they perform as promised? PGP – does it really wipe slack space?
• Are they used frequently?
Removing Residual Data
• Tools exist to remove residual data
• But do not use them in response to litigation
• See – Kucala Enterprises, Ltd. v. Auto Wax Co., Inc., 2003 WL 21230605 (N.D. Ill.), May 27, 2003 – "Any reasonable person can deduce, if not from the name of the product itself, then by reading the website, that Evidence Eliminator is a product used to circumvent discovery.”
• Anderson v. Crossroads Capital Partners
Software
HKEY_CURRENT_USER\Software\[Manufacturer Name]\[Tool]
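The slide above points at where installed wiping tools leave a footprint: a vendor key and a tool key under HKEY_CURRENT_USER\Software. The PowerShell below is an added example for this page, not code from the slides or from any of the tool vendors; it walks that one-level-down layout (plus HKLM\Software, an assumption since the slide only names HKCU) and reports keys whose names match the tool names the deck lists. The pattern list is built from the deck's own tool list and is an assumption, not a vetted signature set.

```powershell
# Added example: look for registry traces of the wiping / anti-forensics tools
# named in this deck. Layout searched: <root>\<Vendor> and <root>\<Vendor>\<Tool>,
# matching the HKCU\Software\[Manufacturer Name]\[Tool] pattern from the slide.

# Assumption: substrings taken from the tool names on the slides. Adjust for
# the environment; a hit means "installed or once run", not "used to destroy evidence".
$patterns = @('Evidence Eliminator', 'Eraser', 'BCWipe', 'BC Wipe',
              'CyberScrub', 'SDelete', 'Sysinternals', 'Timestomp')

function Find-ToolTraces {
    param(
        [string[]]$Roots = @('HKCU:\Software', 'HKLM:\Software'),
        [string[]]$Patterns
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Vendor keys, then one level below them (the [Tool] keys).
        $vendors    = @(Get-ChildItem -Path $root -ErrorAction SilentlyContinue)
        $tools      = @($vendors | Get-ChildItem -ErrorAction SilentlyContinue)
        foreach ($key in ($vendors + $tools)) {
            $leaf  = $key.PSChildName
            $match = $Patterns | Where-Object { $leaf -like "*$_*" } | Select-Object -First 1
            if ($match) {
                [pscustomobject]@{
                    Pattern = $match
                    Key     = $key.Name
                    # Value names only; e.g. Sysinternals tools record EULA acceptance here.
                    Values  = ($key.GetValueNames() -join ', ')
                }
            }
        }
    }
}

Find-ToolTraces -Patterns $patterns | Format-Table -AutoSize
```

Treat a hit as a lead rather than a finding: it supports the "not sophisticated enough" counter-argument from the last slides, but it does not show when the tool ran or against what, and a tool run from a USB stick without installing may leave nothing here at all.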
Encryption
• Cryptext – free and easy to use, a shell extension (http://tinyurl.com/do2qs)
• EFS
• OTFE – Encrypted partitions – www.truecrypt.org
• USB Thumb Drives – new ones include encrypted partitions
• Encrypted file stored on an encrypted partition…
• Locknote – http://locknote.steganos.com/
Steganography
• Includes encryption
• Free tools
• Complex method of hiding data, but easy to do…
• Can you detect it?
• “Duplicate Colors?”
• Wetstone Technologies
• stegdetect
• stools
DEMO
Metasploit Project
• Timestomp – modifies MAC times so EnCase can’t read them.
http://www.metasploit.com/projects/antiforensics/
Timestomp
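Timestomp rewrites the MAC times an examiner sees, but it writes them at whole-second granularity, while NTFS normally records timestamps in 100-nanosecond ticks. A file whose created, modified or accessed time has an all-zero fractional second is therefore worth a second look. The PowerShell below is an added example written for this page, not code from the Metasploit project or the slides; it walks a directory tree and flags files with that signature, plus the weaker signal of a last-write time earlier than the creation time.

```powershell
# Added example: heuristic sweep for timestamp tampering of the kind Timestomp
# performs. Only the $STANDARD_INFORMATION times exposed through the file system
# are checked; a full examination also compares them against the $FILE_NAME
# times in the MFT, which this script does not parse.

function Test-ZeroFraction {
    param([datetime]$Time)
    # 10,000,000 ticks per second. A genuine NTFS write almost never lands on an
    # exact second boundary; a tool that takes "hh:mm:ss" input always does.
    return (($Time.Ticks % 10000000) -eq 0)
}

function Find-SuspiciousTimestamps {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $flags = @()
        if (Test-ZeroFraction $_.CreationTimeUtc)   { $flags += 'Created=.000' }
        if (Test-ZeroFraction $_.LastWriteTimeUtc)  { $flags += 'Modified=.000' }
        if (Test-ZeroFraction $_.LastAccessTimeUtc) { $flags += 'Accessed=.000' }
        # Modified before created happens legitimately on copied files, but it is a
        # stronger signal when it coincides with zeroed fractions.
        if ($_.LastWriteTimeUtc -lt $_.CreationTimeUtc) { $flags += 'WriteBeforeCreate' }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                File     = $_.FullName
                Flags    = ($flags -join ', ')
                Created  = $_.CreationTimeUtc.ToString('o')
                Modified = $_.LastWriteTimeUtc.ToString('o')
            }
        }
    }
}

# Assumption: the path to sweep; narrow it to the directories under investigation.
Find-SuspiciousTimestamps -Path 'C:\Users' | Format-Table -AutoSize
```

Expect false positives: files copied from FAT volumes (2-second resolution), extracted from zip archives, or touched by installers that set times explicitly also show zero fractions. The value of the sweep is in the outliers, a handful of user documents with round timestamps among thousands that are not, which is exactly the "was an anti-forensics tool used here" question the last slides raise.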
Good News/Bad News
• First the Bad News
• Using a combination of these tools on a
regular basis can defeat a computer
forensics examination
• Now the Good News
• Very few users know about “all” of these
tools and methods
• Not all tools perform as promised
Last thoughts
• Determining whether these tools have been used can be just as important as finding evidence.
• Finding these tools can counter the “I’m not sophisticated enough” argument.
• Found in illegal movie and music distribution cases.
MAC OS X – the shape of things to come
FileVault – Encrypted Home Folder
Secure Virtual Memory
Mac OS X - Safari
IE7
Questions/Comments
John Mallery
Managing Consultant
BKD, LLP
816 221-6300
jmallery@bkd.com
http://www.eweek.com/article2/0,1895,1830962,00.asp