Chapter 10: Hard Disk Forensics: The Hard Disk as a Source of Evidence

Overview

While the hard disk is a truly wonderful storage medium, it also has the capacity for storing information that can later come back to incriminate an individual or a company. The Federal Bureau of Investigation (FBI), for example, has become particularly skilled at gleaning evidence from computer disks. In many cases, agents can even recover data from disks that people spent time carefully erasing. In this chapter, we take a look at the subject of forensics in detail as it relates to hard disks. Just how many ways is data stored on the hard drive? What does it take to completely remove information from a drive? What are your corporate and legal responsibilities with regard to data, and what can you do to eliminate sensitive data that should never be seen by prying eyes? These questions and more are covered here (see Exhibits 1 and 2 for some statistics).

Exhibit 1: Joint Computer Security Institute/FBI Computer Crime Survey (2002)

Ninety percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last twelve months.

Eighty percent acknowledged financial losses due to computer breaches.

Forty-four percent (223 respondents) were willing and/or able to quantify their financial losses; these 223 respondents reported a total of $455,848,000 in financial losses.

The most serious financial losses occurred through theft of proprietary information (26 respondents reported a total of $170,827,000) and financial fraud (25 respondents reported a total of $115,753,000).

Most respondents (74 percent) cited their Internet connection as a frequent point of attack rather than citing internal systems as a frequent point of attack (33 percent).

Thirty-four percent reported the intrusions to law enforcement (in 1996, only 16 percent acknowledged reporting intrusions to law enforcement).

Respondents detected a wide range of attacks and abuses.

Forty percent detected system penetration from the outside.

Forty percent detected denial of service attacks.

Seventy-eight percent detected employee abuse of Internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of e-mail systems).

Eighty-five percent detected computer viruses.

Exhibit 2: Computer Security Institute Survey Regarding Attacks on Web Sites and Web Servers

Ninety-eight percent of respondents had World Wide Web sites.

Fifty-two percent conducted electronic commerce on their sites.

Thirty-eight percent suffered unauthorized access or misuse on their Web sites within the last 12 months; 21 percent said that they did not know if there had been unauthorized access or misuse.

Twenty-five percent of those acknowledging attacks reported from two to five incidents. Thirty-nine percent reported ten or more incidents.

Seventy percent of those attacked reported vandalism (compared to 64 percent in 2000).

Fifty-five percent reported denial of service (compared with 60 percent in 2000).

Twelve percent reported theft of transaction information.

Six percent reported financial fraud (compared with 3 percent in 2000).