Security Basics mailing list archives
Re: Private information on public computers
From: "Serguei A. Mokhov" <mokhov () cs concordia ca>
Date: Thu, 16 Mar 2006 10:59:11 -0500 (EST)
Hi,

On Wed, 15 Mar 2006, Steven Meyer wrote:

> Date: Wed, 15 Mar 2006 10:00:37 +0100
>
> Hello list,
>
> A lot of collaborators in the company do some office work (Word, Excel, PowerPoint) at home or on a "public computer". Since some of their work information is confidential, I was wondering what kind of information (if no key loggers are installed) could be revealed (they always save their documents on a USB stick) after they are done with their work. I know, for example, that in the recent files menu you can find the names of the last accessed files. But are there some temp files of the document that are stored on the hard drive? The real question would be: what kind of information could someone retrieve from the computer after the collaborators' work is done and saved on a USB stick?
If a rogue person is savvy enough and interested enough in the stuff you are working on, they can get pretty much all of it. Of course, a few conditions must hold for this, for example whether they have low-level access to the disk (e.g. with dd) as, say, Administrator, and how much other disk read/write activity is going on on the particular computer.

One of the "problems" is that deleted files are not really deleted physically, just marked as deleted, and their physical cluster space is available for re-use by new files. If files are not created very often or moved around very often and disk defragmentation is not done very often, the original files can often be recovered pretty much in full with disk editing tools. Then, even if there is a lot of disk r/w activity and the clusters that your confidential files might have occupied were overwritten, they still may have some stuff left in their "slack" space. For example, if your cluster size is 64K, and your confidential file was, say, ~60K in length, then got deleted and its cluster was re-used for another file of ~30K length, the remaining ~34K of the cluster are untouched and can still be recovered.

M$ Office also has options in its Word, Excel, etc. to keep backup tmp files every once in a while, and if the computer crashed before you closed your document, these aren't cleaned up. These files are usually marked as "hidden" and begin with "~" in the name.
> And what would they need to do for the computer to be completely cleaned of all information about their work?
There are tools to wipe out media (by explicitly zeroing out every sector and stuff); some low-level formatting will help, provided the disk isn't taken to a sophisticated recovery firm that can often recover data from even a formatted disk. Of course, the procedures I described require privileged access to the disk. Regular users would not be able to do either file recovery or disk wiping by themselves.

In a nutshell: don't use public computers for confidential stuff ;-) or use some proxy that stores them at least encrypted when they make their way to disk.
> Thanks for all help
> Steven Meyer
--
Serguei A. Mokhov            |  /~\    The ASCII
Computer Science Department  |  \ / Ribbon Campaign
Concordia University         |   X    Against HTML
Montreal, Quebec, Canada     |  / \      Email!
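The slack-space scenario from the reply above (64K cluster, ~60K file deleted, cluster re-used by a ~30K file), as an added example that is not part of the original post. `ToyDisk` and its methods are a constructed in-memory model, not a real filesystem or tool; it also shows the effect of zeroing a cluster before it is released.

```python
CLUSTER = 64 * 1024  # cluster size used in the reply's example (64K)


class ToyDisk:
    """Constructed model of a cluster-allocating filesystem (hypothetical)."""

    def __init__(self, clusters=4):
        self.raw = bytearray(clusters * CLUSTER)  # what a raw disk read would see
        self.free = list(range(clusters))         # free-cluster list
        self.files = {}                           # name -> (cluster, length)

    def write(self, name, data):
        assert len(data) <= CLUSTER, "toy model: one cluster per file"
        c = self.free.pop(0)
        start = c * CLUSTER
        # Only len(data) bytes are written; the rest of the cluster is untouched.
        self.raw[start:start + len(data)] = data
        self.files[name] = (c, len(data))

    def delete(self, name, wipe=False):
        c, _ = self.files.pop(name)
        if wipe:  # mitigation: zero the whole cluster before releasing it
            self.raw[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)
        self.free.insert(0, c)  # ordinary delete only marks the cluster free

    def slack(self, name):
        """Bytes in the file's cluster past the file's logical end."""
        c, length = self.files[name]
        return bytes(self.raw[c * CLUSTER + length:(c + 1) * CLUSTER])


def leftover_after_reuse(wipe):
    """Count bytes of the old file still present in the new file's slack."""
    disk = ToyDisk()
    disk.write("confidential.doc", b"S" * (60 * 1024))  # constructed ~60K file
    disk.delete("confidential.doc", wipe=wipe)
    disk.write("other.doc", b"n" * (30 * 1024))         # ~30K file, same cluster
    return disk.slack("other.doc").count(b"S")


if __name__ == "__main__":
    print("plain delete:", leftover_after_reuse(False), "old bytes left in slack")
    print("wiped delete:", leftover_after_reuse(True), "old bytes left in slack")
```

In this model the re-used cluster has 34K of slack, of which 30K still holds bytes of the deleted 60K file; with the wipe step nothing of the old file remains.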