Re: Private information on public computers

["Serguei A. Mokhov" <mokhov () cs concordia ca>]

Hi,

On Wed, 15 Mar 2006, Steven Meyer wrote:

> Date: Wed, 15 Mar 2006 10:00:37 +0100
>
> Hello list,
> A lot of collaborators in the company do some office work (word,
> excel, PowerPoint) at home or on "public computer".
> Since some of there work information is confidential, I was wondering
> what kind of information (if no key loggers are installed,) could be
> reviled ( there always save there document on a usb stick,) after
> there have done with they work. I know for example in the recent files
> menu, you can find the name of the last accessed files. But is they
> some temp files of the document that are stored one the hard drive.
> The real Question would be: what kind of information could someone
> retrieve from the computer after the collaborators work is done and
> saved on a usb stick.

If a rogue person is savvy enough and interested enough in the stuff you
are working on, they can get pretty much all of it. This of course a few
conditions must hold like for example whether they have a low-level access
to disk (e.g. with dd) as say Administrator and how much other disk
read/write activity is going on in the particular computer.

One of the "problem" is that the deleted files are not really deleted
physically, just marked as deleted and their physical cluster space is
available for re-used by new files. If the files are not created very
often or moved around very often and disk defragmentation is not done very
often, the original files can pretty much be often recovered in full with
disk editing tools.

Then, even there is a lot of disk r/w activity and the clusters that your
confidential files might have occupied were overwritten, they still may
have some stuff left in their "slack" space. For example, if your cluster
size is 64K, and your confidential file was say ~60K in length, then got
deleted and its cluster was re-used for another file of ~30K length, the
remaining 34K~ of the cluster are untouched and can still be recovered.

M$ Office also has options in its Word, Excel, etc. to keep the backup tmp
files every once in a while, and if a computer crashed before you closed
your document, these aren't clean up. These files are usually marked as
"hidden" and begin with "~" in the name.

> And what would there need to do for the computer to be completely
> cleaned of all information about they work.

There are tools to wipe out media (by explicitly zeroing out every sector
and stuff); some low-level formatting will help provided the disk isn't
taken to a sophisticated recovery firm that can often recover data from
even a formatted disk. Of course, the procedures I described require
privileged access to the disk. Regular users would not be able to do
either file recovery or disk wiping by themselves.

In the nutshell: don't use public computers for confidential stuff ;-) or
use some proxy that stores them at least encrypted when they make their
way to disk.

> Thanks for all help
> Steven Meyer

-- 
Serguei A. Mokhov            |  /~\    The ASCII
Computer Science Department  |  \ / Ribbon Campaign
Concordia University         |   X    Against HTML
Montreal, Quebec, Canada     |  / \      Email!

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------