Sunday, January 30, 2011

Data Leak Detection, Continued: Wikileaks and Live File System DVDs

So Wired’s coverage of the big Wikileaks incident sounds like a DVD with a live file system was used. For example, this alleged description of the method used is recounted: “I would come in with music on a CD-RW labeled with something like ‘Lady Gaga,’ erase the music then write a compressed split file,” he wrote. “No one suspected a thing and, odds are, they never will.”

Sounds like a live file system (LFS) DVD masquerading as a music CD. A live file system DVD comes into being when a DVD-R is formatted with a live file system; this happens when the user selects “like a USB flash drive” when the disc is first inserted. With this option selected, the disc works very much like a USB drive, allowing arbitrary file creation and deletion. These types of discs can also be monitored using Windows Management Instrumentation (WMI) like a disk drive, unlike a regular CD/DVD, as LFS discs seem to use the file subsystem rather than the CDROM subsystem.

Identifying writable CD/DVD discs is pretty straightforward under Windows as their filesystem is “UDF” while read-only discs have a filesystem of “CDFS”. Live file system DVDs can be further differentiated as they differ from ordinary writable DVDs in one attribute: they report non-zero free space in bytes like a disk drive; ordinary writable DVDs report zero bytes free space.

-----------------------------------
Win32_LogicalDisk instance
-----------------------------------
CreationClassName: Win32_LogicalDisk
Description: CD-ROM Disc
DeviceID: E:
DriveType: 5
FileSystem: UDF
FreeSpace: 4557275136

Why we care: this means it is possible to detect and monitor live file system DVDs with the same few minutes of VBScript used to monitor removable drives. Here is a user story that addresses the LFS DVD scenario.


In this user story, the security analyst is using a modified version of the “leakomatic” script used to detect and monitor removable drives. This version ignores removable drives – not interesting because USB is disabled or controlled – and only looks for LFS DVDs with a UDF filesystem and free space greater than zero.

The analyst runs the script and provides the name of the target computer. The script connects to the target across the network and examines the target system. No DVD is present yet, so the script waits for the arrival of a disc.

The subject arrives with a DVD containing MP3 files labeled to appear as a music CD. He inserts the DVD, and begins listening to the music on the disc. The disc is immediately detected.


After a while, the subject deletes MP3 files to free up space and starts copying confidential files onto the DVD. The subject watches for signs of detection or monitoring, ready to delete the confidential files from the disc if necessary to erase the evidence. What he does not know is that all of this file activity is logged by the script the security analyst is running, including the deletes, and the analyst has found her leak.

Getting file events from ordinary non-LFS writable discs will take more work as these use the CDROM subsystem for file writes and cannot be easily monitored in this way. However, spotting them is simple as their filesystem is UDF. In a high security environment where writable discs are not appropriate, it would be relatively easy to detect the appearance of a writable disc and investigate.
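Putting the detection rule and the user story together, here is an added example (my code, not the “leakomatic” script the post refers to): a Windows PowerShell script built on the WMI cmdlets that watches a target for UDF discs, logs ordinary burned discs as they appear, and starts logging file events on any disc that also reports non-zero free space. The target name, polling interval and log file path are assumptions.

```powershell
# Added example, not the post's "leakomatic" script: a Windows PowerShell monitor
# that finds live file system DVDs on a target through WMI and logs file activity
# on them. Assumes WMI/DCOM reachable on the target and admin rights there.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [int]$PollSeconds = 5,                          # WITHIN interval of the polled queries
    [string]$LogFile = "lfs-dvd-$ComputerName.log"  # log location is my assumption
)
# An LFS disc presents as a CD-ROM drive (DriveType 5) with a UDF filesystem AND
# non-zero FreeSpace; an ordinary burned UDF disc reports 0 bytes free.
function Get-LfsDvd([string]$Target) {
    Get-WmiObject -ComputerName $Target -Class Win32_LogicalDisk `
        -Filter "DriveType = 5 AND FileSystem = 'UDF' AND FreeSpace > 0"
}

function Write-LogLine([string]$Message) {
    "{0:s} {1} {2}" -f (Get-Date), $ComputerName, $Message | Tee-Object -FilePath $LogFile -Append
}
$watched = @{}
# CIM_DataFile instances appearing, changing or vanishing on the drive letter; the
# deletion events mean a file copied and later removed still leaves a trace.
function Start-FileWatch([string]$Drive) {
    $q = "SELECT * FROM __InstanceOperationEvent WITHIN $PollSeconds WHERE " +
         "TargetInstance ISA 'CIM_DataFile' AND TargetInstance.Drive = '$($Drive.ToLower())'"
    Register-WmiEvent -ComputerName $ComputerName -Query $q -SourceIdentifier "files-$Drive"
    $watched[$Drive] = $true
    Write-LogLine "watching file events on $Drive"
}

# A disc insert shows up as a modification of the existing Win32_LogicalDisk instance.
$discQuery = "SELECT * FROM __InstanceModificationEvent WITHIN $PollSeconds WHERE " +
             "TargetInstance ISA 'Win32_LogicalDisk' AND TargetInstance.DriveType = 5"
Register-WmiEvent -ComputerName $ComputerName -Query $discQuery -SourceIdentifier 'disc'
Get-LfsDvd $ComputerName | ForEach-Object { Start-FileWatch $_.DeviceID }   # disc already in
while ($true) {
    $ev = Wait-Event
    $ti = $ev.SourceEventArgs.NewEvent.TargetInstance
    if ($ev.SourceIdentifier -eq 'disc') {
        if ($ti.FileSystem -eq 'UDF' -and -not $watched.ContainsKey($ti.DeviceID)) {
            $free = [uint64]$ti.FreeSpace
            Write-LogLine "UDF disc in $($ti.DeviceID) volume='$($ti.VolumeName)' free=$free"
            if ($free -gt 0) { Start-FileWatch $ti.DeviceID }   # LFS: file events available
        }
    } else {
        $kind = $ev.SourceEventArgs.NewEvent.ClassPath.ClassName -replace '^__Instance(\w+)Event$', '$1'
        Write-LogLine ("{0} {1} ({2} bytes)" -f $kind, $ti.Name, $ti.FileSize)
    }
    Remove-Event -EventIdentifier $ev.EventIdentifier
}
```

Run it as `.\Watch-LfsDvd.ps1 -ComputerName TARGET` and stop it with Ctrl-C; the polling interval bounds both how quickly a copy-then-delete is caught and how often WMI has to enumerate every file on the disc.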
