Classified Data Identification
& Data Elimination Guidelines


Introduction

The potential for the leakage of sensitive data and the unintentional transfer of sensitive data to unclassified computer storage devices is of great concern in classified government agencies. Government contractors working for government agencies are required to ensure that classified government data does not migrate onto unclassified computer storage devices. Similar concerns exist in business regarding the potential unauthorized transfer of trade secrets and sensitive financial data.

NTI developed and began to distribute state-of-the-art computer forensic software search utilities for use in security reviews by security specialists in classified government environments in 1997. NTI's TextSearch Plus and TextSearch NT forensic software search utilities are currently used in hundreds of classified U. S. government facilities, U. S. embassies and U. S. foreign outposts around the world to identify data leakage and potential breaches of computer security. These forensic text search utilities were developed based upon requirements provided by government computer security specialists. They have also been tested and certified by the U. S. Department of Defense.

NTI's TextSearch Plus and TextSearch NT programs have continually been updated by NTI's software engineers to meet the identified security needs of classified government agencies. Both of these forensic software search utilities scan all areas of computer storage devices at a very high rate of speed when compared with other similar tools, e.g., D-Scan. They can scan all physical areas of a 40 gigabyte hard disk drive in under 2 hours, depending upon the processing speed of the computer system involved. They have no realistic drive size limits and they operate from a single, system-formatted floppy diskette or a USB storage device, so the subject computer's own operating system is never booted during the review. These specialized search tools are accurate in identifying targeted strings of text in files, file slack, unallocated space, swap files, floppy diskettes and Zip disks, and they are used to identify targeted strings of text on DOS, Windows, Windows 95, Windows 98, Windows NT, Windows 2000 and Windows XP-based computer systems.

NTI's founders have been leaders in the development of computer forensics search utilities since 1989. Continual improvements in forensic search utilities have been their trademark since that time and after the creation of NTI in 1996. Computer forensic software tools developed by NTI and its founders have helped hundreds of law enforcement agencies and classified government agencies over the years. NTI has also developed strong trust relationships with numerous government agencies and NTI's forensic search utilities are currently used to identify data leakage of sensitive and classified information in numerous government and military agencies around the world. NTI's Data Elimination Suite of Tools is also used by some of the same agencies to eliminate sensitive data when it has strayed onto unclassified storage devices. This suite of tools is also certified by the U. S. Department of Defense.

These guidelines have been provided primarily for use by our government clients and government contractors who deal with classified computer data.


Background - Personal Computer Security Issues:

The personal computer has become a powerful analysis and communications tool which is widely used in the private and public sectors around the world. Sensitive business and government documents are created on and printed from these small but powerful personal computers.

E-Mail is routed around the world via the Internet and over closed wide-area networks (WANs). Database applications are used to store and access sensitive information and spreadsheet applications are used to track sensitive financial transactions and to make calculations. These same tools are also used to conduct classified research and to store classified government reference materials.

Digital photography and the use of programs like Microsoft PowerPoint have also been widely adopted in both the private and public sectors. The same can be said about popular data compression programs, e.g., PKZip. Unfortunately, graphics and compressed files do not lend themselves to traditional text search and key word-based security searches, because the text they carry is encoded or compressed rather than stored as readable characters. NTI's search tools take this into account by automatically identifying such files from their file headers. However, this methodology is not without its faults and limitations. The shortcomings of traditional text and keyword based searches are too numerous for inclusion in this paper. Individuals seeking more information about these critical security topics should consider attending one of NTI's training courses. Those courses are described in detail at http://www.secure-data.com/riskcrs.html and http://www.secure-data.com/forensic.html.

The popularity of the personal computer has come with mixed blessings because these small computers were not originally designed with computer security in mind. The creators of the original IBM PC never imagined that their computer design would eventually be used as a mainstay of worldwide commerce and as a critical component of classified government operations. The foundation for the original personal computers still exists today in computer systems which rely on DOS, i.e., Windows, Windows 95a, Windows 95b and Windows 98. Windows NT, Windows 2000 and Windows XP do not rely on DOS, but they inherited much of the same storage-level behaviour, so the same concerns apply to Microsoft NTFS-based systems.

No substantial security improvements were made until Microsoft released Windows NT and, more recently, Windows XP. Clearly, Windows NT and Windows XP provide better security features than prior Microsoft-based operating systems. The features include logon authentication, directory and file permissions and powerful auditing capabilities. However, Windows NT and Windows XP systems provide very little security at the data storage level: file permissions are enforced by the running operating system, not by the disk, and the Encrypting File System of Windows 2000 and Windows XP Professional encrypts only the individual files a user marks for encryption, leaving the page file, file slack and unallocated space in the clear. These advanced operating systems can therefore create a false sense of security for the computer user concerning the storage of classified and sensitive data. The problem is compounded when portable notebook computers are used to process or analyze classified and sensitive data. These portable computers can easily be compromised and password and logon controls can easily be circumvented using basic computer forensic tools and methods. NTI's TextSearch Plus and TextSearch NT forensic search tools can completely evaluate and document all data storage areas on a Windows NTFS-based computer system. They do this by booting DOS from a single floppy diskette and reading the drive directly; no logons or passwords are required to circumvent the security afforded by Windows NT, Windows 2000 and/or Windows XP. Microsoft is addressing this problem with AES-based encryption in the successor to Windows XP, code name Longhorn, but realistically it will take Microsoft several years to adequately secure the Windows NTFS-based operating system(s).

Most users of personal computers are unaware that data automatically migrates onto a computer's hard disk drive(s) as a normal part of the operation of the computer. They are unaware that their computer session work products, or portions of them, seep into temporary files, print spool files and ambient data storage areas of the computer's hard disk drive. These ambient data storage areas include file slack, the Windows swap/page file and temporary application-level files that are insecurely deleted when a background process has been completed. These technical terms are defined in more detail on NTI's web site at http://www.secure-data.com/define.html.

Most computer users are also unaware that when files are "deleted" by the computer user, or when hard disk drives are reformatted, the data remains behind to be easily identified and recovered through the use of computer forensic tools and processes. A standard format rewrites the file system structures and leaves most of the data area intact. Even the access to files on floppy diskettes or network computers results in data seeping into ambient data storage areas on the work session computer and/or the network server. This occurs even when the computer user has only viewed or read files. He or she need not intentionally save the information to disk during the work session. A similar situation exists when files are printed. The printing process involves the creation of a background spool file which the operating system relies upon in the printing process, and that spool file is deleted in the same insecure manner once the job completes.

Because of a lack of technical understanding, mistakes happen in classified government environments and classified/sensitive data can and does migrate onto unclassified computers and storage devices. Programs like NTI's TextSearch Plus and TextSearch NT software utilities can be used to identify data leakage in the form of strings of text. Programs like NTI's GExtract can be used to identify and capture data associated with potentially sensitive graphic file images. As most government computer specialists know, graphic file images can be a significant source of classified data leakage and traditional text and keyword searches do not accurately identify such files. The same is true of compressed files, e.g., PKZip files. That threat has been less significant, but it is growing because Microsoft has integrated Zip compression ("compressed folders") into its most current operating systems.


Personal Computers - Inherent Security Risks


The Windows Swap/Page File:

Most computer users are unaware that Microsoft Windows and Microsoft Windows NT/2000/XP-based systems create and rely upon a special working file which acts as an extension of Random Access Memory (RAM). In the case of Windows, Windows 95a, Windows 95b and Windows 98 the file is called the Windows swap file (Win386.swp). With Windows NT, Windows 2000 and Windows XP the file is called the Windows page file (pagefile.sys, in the root of the system drive by default). Windows swap files and Windows page files are huge and may be as large as 500-800 million bytes in size. Fragments of any work performed, files accessed, Internet sessions and word processing documents created during a Windows work session can seep into Windows swap files and Windows page files. For this reason, they are considered to be a significant source of leads and evidence in computer related investigations. By the same token, they are a significant security risk; which label applies depends only on the perspective you take.

Interestingly, the Windows swap/page file cannot be opened and evaluated by the computer user with ordinary Windows applications or Windows system tools while Windows is running, because the operating system holds the file open. For this reason, most users are unaware of this potential security risk. TextSearch Plus and TextSearch NT, which run from DOS rather than from within Windows, can effectively evaluate the contents of Windows swap/page files. NTI's M-Sweep Pro can be used to eliminate the data stored in Windows swap/page files and it has been tested and certified by the U. S. Department of Defense. Because of the potential for any Windows work session data to transparently seep into the Windows swap/page file, these files should be considered a significant source of concern when computers may have had access to sensitive and classified information. More detailed information about the Windows page/swap file can be found at http://www.secure-data.com/def7.html.


File Slack:

Word processing documents, spreadsheets, database entries and E-Mail messages are all stored in files. Temporary working files, as discussed above, are also automatically created by Windows as work is performed. It works this way: files are stored in blocks of data called clusters, which are uniform in size. It is rare that the file size exactly matches a whole number of clusters. Typically the last part of the file will only partially fill the last cluster of the file. The residual space is generically called file slack and it is made up of RAM slack and drive slack. Because the operating system must write data in whole sectors, filler data is needed to pad the remainder of the last sector that holds file data. This RAM slack comes from the operating system's write buffer and pads the remainder of that last sector. The remaining, unwritten sectors of the last cluster keep whatever was on the storage device before the file was saved. This is called drive slack and it can contain fragments of previously erased files, previously erased temporary files, etc.

It is important for you to understand that file slack is created at the time a file is saved (closed) and the computer user has no control over the event. Most computer users are unaware of file slack, and both RAM slack and drive slack can potentially contain sensitive or classified data. File slack is therefore deemed to be a security risk. The good news is that Microsoft has partially eliminated the risks associated with file slack in Windows NT/2000/XP. These operating systems eliminate the RAM slack risk because the remainder of the last sector is padded with uniform (non-data) characters. However, the risks associated with drive slack still exist in Windows NT/2000/XP.

Potentially millions of bytes of storage space are occupied by file slack on a well used computer and NTI's TextSearch Plus and TextSearch NT programs are designed to search these areas. NTI's M-Sweep software eliminates all data from file slack and NTI's GetSlack software can be used to validate that the file slack was securely cleared of data. All of these tools are U. S. DoD tested and certified.

More information about the technical terms mentioned above can be found at http://www.secure-data.com/def19.html, http://www.secure-data.com/def15.html and http://www.secure-data.com/def6.html.
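The slack arithmetic above, as an added example in Python (this is not NTI's M-Sweep or GetSlack code; the 512-byte sector, 4096-byte cluster and the 10,000-byte file are assumptions chosen for the illustration, and the "volume" is an in-memory byte string constructed here). It computes the RAM slack and drive slack for a file, simulates the DOS/Windows 9x and Windows NT padding behaviours described above, and then performs the eliminate-and-validate steps: overwrite the slack and read it back to confirm it is clean.

```python
"""Added example (not NTI code): file slack arithmetic on a constructed,
in-memory volume, followed by the two steps an eliminate-and-validate tool
performs: overwrite the slack, then read it back and confirm it is clean.
Sector size, cluster size and the sample file are assumptions."""
from dataclasses import dataclass
import math

SECTOR = 512      # assumed sector size in bytes
CLUSTER = 4096    # assumed cluster size in bytes (8 sectors)


@dataclass
class SlackLayout:
    allocated: int      # bytes reserved for the file (whole clusters)
    data_end: int       # offset within the allocation where file data ends
    ram_slack: range    # from data_end to the end of the last written sector
    drive_slack: range  # the unwritten sectors at the end of the last cluster


def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Work out where the slack lies for a file of file_size bytes."""
    if file_size == 0:                       # a zero-length file owns no clusters
        return SlackLayout(0, 0, range(0, 0), range(0, 0))
    allocated = math.ceil(file_size / cluster) * cluster
    sector_end = math.ceil(file_size / sector) * sector
    return SlackLayout(allocated, file_size,
                       range(file_size, sector_end),
                       range(sector_end, allocated))


def write_file(volume, start, data, os_buffer, nt_style):
    """Simulate saving `data` into the clusters beginning at `start`.

    DOS/Windows 9x pad the last sector with whatever the OS buffer holds
    (RAM slack); Windows NT/2000/XP pad it with zeros. Neither touches the
    remaining sectors of the last cluster, so drive slack keeps the old
    contents of the disk.
    """
    lay = slack_layout(len(data))
    vol = bytearray(volume)
    vol[start:start + len(data)] = data
    pad = len(lay.ram_slack)
    filler = bytes(pad) if nt_style else os_buffer[:pad]
    vol[start + lay.ram_slack.start:start + lay.ram_slack.stop] = filler
    return bytes(vol)


def slack_bytes(volume, start, file_size):
    """Everything between the end of the data and the end of the allocation."""
    lay = slack_layout(file_size)
    return volume[start + lay.data_end:start + lay.allocated]


def wipe_slack(volume, start, file_size, fill=0x00):
    """Overwrite RAM slack and drive slack, leaving the file data untouched."""
    lay = slack_layout(file_size)
    vol = bytearray(volume)
    vol[start + lay.data_end:start + lay.allocated] = bytes([fill]) * (lay.allocated - lay.data_end)
    return bytes(vol)


def slack_is_clean(volume, start, file_size, fill=0x00):
    """Validation step: every slack byte must equal the fill pattern."""
    return set(slack_bytes(volume, start, file_size)) <= {fill}


if __name__ == "__main__":
    # Constructed residue from an earlier, "deleted" classified document,
    # and a constructed OS write buffer holding another session's text.
    old_contents = (b"TOP SECRET residue ") * 1000
    os_buffer = b"project aardvark buffer " * 32
    vol = write_file(old_contents[:16384], 0, b"A" * 10000, os_buffer, nt_style=False)
    lay = slack_layout(10000)
    print(f"allocated {lay.allocated}, RAM slack {len(lay.ram_slack)} bytes, "
          f"drive slack {len(lay.drive_slack)} bytes")
    print("slack clean before wipe:", slack_is_clean(vol, 0, 10000))
    vol = wipe_slack(vol, 0, 10000)
    print("slack clean after wipe:", slack_is_clean(vol, 0, 10000))
```

For the 10,000-byte file the allocation is three clusters (12,288 bytes): 240 bytes of RAM slack in the fourth sector of the last cluster and 2,048 bytes of drive slack in its remaining four sectors. The NT-style write zeroes the 240 bytes but leaves the 2,048 bytes of old disk contents, which is exactly the residual drive slack risk the section describes.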

Unallocated File Space:

When a file is "deleted" in DOS, Windows, Windows 95, Windows 98, Windows NT, Windows 2000 and Windows XP, the data associated with the file is not erased. Rather, the space assigned to the file is deallocated by the operating system and the space is made available for the potential storage of new files. This space is referred to as unallocated file space and it is a significant source of security risks. Data associated with previously erased files can linger on computers for months or even years, until the operating system happens to reuse those clusters. Unallocated file space can contain both file data and the file slack associated with the previously erased files. Potentially millions of bytes of computer data occupy unallocated file space on a well used computer and NTI's TextSearch Plus and TextSearch NT tools are designed to search these areas. NTI's M-Sweep software eliminates all data from unallocated file space and NTI's GetFree software can be used to validate that the unallocated file space was securely cleared of data. All of these tools are U. S. DoD tested and certified.

Temporary Files:

Many Windows-based applications create temporary files to facilitate sorting functions, the creation of indexes and visual scrolling. Temporary files can contain artifacts of the process and the related data. Most temporary files created by Windows applications, e.g., databases and word processing applications, are automatically deleted when the application-created file is saved or the application program is terminated. As with other "erased" files, the data remains behind on Windows and Windows NT/2000/XP. Windows also creates its own temporary files, as a normal process, during the operation of the computer. Many of these Windows-created files are never deleted by the operating system. Therefore, all temporary files should be considered a security risk because the potential exists for such files to contain classified information. NTI's M-Sweep software can be used to target temporary files for secure deletion and this software has been tested and certified by the U. S. DoD.

Partition Boundary Leakage:

Hard disk drives are referred to as physical storage devices and the contents of a hard disk drive can be broken into smaller drives (or drive segments) which are called logical drives. By way of example, one hard disk drive can be broken into three separate logical drives. In this example, the logical drives could be named drives C:, D: and E:. These logical drives are created with partitioning software and multiple operating systems can actually reside on one physical hard disk drive. The example used here deals with three logical drives but there can be more or fewer. In the example, DOS/Windows drive letters have been used. If Windows NT/2000/XP were involved, a volume could also be mounted under a folder name rather than a drive letter.

When partitions are changed and/or operating systems are upgraded, the potential exists for data to linger from prior work sessions in space previously assigned to a partition. This data can reside between the new partitions or beyond the last partition. This data storage area is called the partition gap, and programs like NTI's DiskScrub are used to scrub logical drives before a physical disk drive's partitioning is changed. Programs like NTI's PTable can be used to identify the number of partitions (and related operating systems) contained on a physical hard disk drive. NTI's TextSearch Plus and TextSearch NT can scan all areas of a physical hard disk drive, including the partition gaps; other options in both programs allow individual logical disk drives to be searched. A scan limited to logical drives never touches the partition gaps, so choose the physical-drive scan whenever a disk's partitioning may have changed. Both of these search tools have been tested and certified by the U. S. Department of Defense. For more information about partition gaps, please refer to http://www.secure-data.com/def9.html
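As an added Python example of what a partition-table tool does (not NTI's PTable or DiskScrub code): parse the four primary entries of a classic MBR and compute the sectors no partition covers, which are the partition gaps a physical-drive scan must include. The MBR and the small disk image are constructed here; extended partitions and GPT disks are not handled.

```python
"""Added example (not NTI's PTable): read a classic MBR partition table and
list the sectors no primary partition covers, which is where partition-gap
residue survives. The MBR below is constructed; extended partitions and GPT
are not handled."""
import struct

SECTOR = 512
TABLE_OFFSET = 446           # four 16-byte entries live at 446..509
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def has_mbr_signature(sector0):
    return len(sector0) >= SECTOR and sector0[510:512] == MBR_SIGNATURE


def parse_mbr(sector0):
    """Return the non-empty primary partitions as dicts, ordered by start LBA."""
    if not has_mbr_signature(sector0):
        raise ValueError("no MBR signature at offset 510")
    parts = []
    for slot in range(4):
        off = TABLE_OFFSET + 16 * slot
        status, ptype = sector0[off], sector0[off + 4]
        start, count = struct.unpack_from("<II", sector0, off + 8)
        if ptype == 0 or count == 0:          # unused slot
            continue
        parts.append({"slot": slot, "type": ptype, "bootable": status == 0x80,
                      "start": start, "end": start + count})   # end is exclusive
    return sorted(parts, key=lambda p: p["start"])


def partition_gaps(parts, disk_sectors):
    """[start, end) sector ranges covered by no partition. Sector 0 (the MBR)
    is excluded; the area before the first partition and the area after the
    last one are included, since both can hold data from earlier layouts."""
    gaps, cursor = [], 1
    for p in parts:
        if p["start"] > cursor:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["end"])
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors))
    return gaps


def gap_bytes(image, gaps, sector=SECTOR):
    """Pull the raw contents of each gap out of a full-disk image so they can be searched."""
    return {(s, e): image[s * sector:e * sector] for s, e in gaps}


def build_mbr(entries):
    """Constructed MBR for the example: entries are (type, start_lba, sector_count)."""
    mbr = bytearray(SECTOR)
    for slot, (ptype, start, count) in enumerate(entries):
        off = TABLE_OFFSET + 16 * slot
        mbr[off] = 0x80 if slot == 0 else 0x00
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    # A constructed 2,000,000-sector disk (about 1 GB) with an NTFS and a
    # FAT32 partition laid out after an earlier, larger partition was deleted.
    mbr = build_mbr([(0x07, 63, 1_000_000), (0x0B, 1_000_100, 500_000)])
    parts = parse_mbr(mbr)
    for p in parts:
        print(f"slot {p['slot']} type 0x{p['type']:02x} sectors {p['start']}..{p['end'] - 1}")
    for s, e in partition_gaps(parts, 2_000_000):
        print(f"gap: sectors {s}..{e - 1} ({(e - s) * SECTOR} bytes)")
```

The three gaps reported for the constructed disk are the 62 sectors before the first partition, the 37 sectors between the two partitions, and the 499,900 sectors after the last one; the last of these is where the tail of the deleted larger partition would still lie. Feeding `gap_bytes` output to a keyword scan covers the area a logical-drive scan never sees.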

Suspend Mode Files and Related Partitions:

Many portable notebook computers provide the computer user with the option of saving the work session so that its state can be restored when the system is restarted. This suspend (or hibernate) operation can be initiated by the computer user or by the operating system when user activity has not been detected for a period of time. When the operating state of the computer is captured and the operation is suspended, the computer essentially "book marks" the last work completed and puts the computer into a sleep mode. Computers which offer this feature capture the work session, including the contents of RAM, in a special file or partition: Windows 2000 and Windows XP write it to hiberfil.sys in the root of the system drive, while older notebooks used a vendor-specific save-to-disk file or a hidden partition. When the computer is "awakened" the computer user is allowed to continue their work from the point at which the work session was suspended. From a security standpoint this is a cause for concern because whatever was in memory, including open classified documents, is written to disk, and those data artifacts remain behind after the session is resumed. Both TextSearch Plus and TextSearch NT tools can identify data stored in most suspend files.

Determining Which Computers and Media To Scan



Portable Computers:

Risk potentials increase when notebook computers are involved (for the reasons listed above). Portable notebook computers can also be used to access networked computer systems, the Internet, USB drives and floppy diskettes. They can also be used to create, review and print files and documents which contain classified information. For these reasons, in addition to their portability, notebook computers create more potential for intentional and unintentional breaches of security. Notebook computers should therefore be given a high priority in security reviews when classified data is potentially involved.

Risks also increase when unclassified computer systems reside in close proximity to classified computer systems. This is because the potential exists for the unclassified computer to be "quickly" used by an employee or contractor to view, print or edit classified computer files. Most computer users do not understand that personal computers can capture and store sensitive data even when files are not intentionally saved to or stored on the subject computer. They are typically unaware of the security risks associated with swap files, temporary files, file slack, unallocated storage space, partition gaps and suspend files. These security risks exist even if files are simply viewed from a floppy diskette. For this reason, unclassified computers located near classified computers should be given a high priority in security reviews. As with most things, education can make a difference and NTI has created a special one day Computer Security Risk Training Course. Information about that training can be found at http://www.secure-data.com/riskcrs.html.

Scanning Floppy Diskettes and Removable Storage:

In some classified environments, floppy disk drives are disabled to avoid the transfer of classified or sensitive data. However, other classified environments allow floppy disk drive access and the use of Iomega Zip disks, CDs, USB drives and other removable storage media. This is a mistake because the risks increase sharply. Security reviews and scans of computer media should always include all forms of removable media. This is especially true of floppy diskettes used with notebook computers. Do not overlook these storage devices. Although they are relatively small and their storage capacities are limited, significant risks for security breaches exist. Remember that Robert Hanssen, the FBI agent who pleaded guilty in 2001 to spying for Russia, used specially formatted floppy diskettes to store and transmit classified national secrets. NTI's TextSearch Plus and TextSearch NT programs can be used to review most forms of external storage media. When security breaches are identified, NTI recommends that the external storage devices be destroyed by burning. Concerning CD and DVD storage devices, a microwave oven can be used to destroy the stored data. This technique involves operating the microwave for just a few seconds and the destruction of the media is obvious when the technique is performed correctly. Be aware that the disc's metal layer arcs in the microwave and can damage the oven, so treat this as a field expedient and use an approved shredder or incinerator when one is available.


Security Search Particulars and Methods


Creation of Search Terms and Targeted Strings of Text:

One of the most important tasks involved in conducting security reviews is the creation of the list of key words and/or strings of text to use in the search. The effectiveness of the search is only as good as the quality (and design) of the information contained in the keyword file. NTI's TextSearch Plus and TextSearch NT programs both rely upon such a file to conduct security review scans and searches. Time must be invested in the creation of a key word file that contains relevant information. Long strings of text should be broken into smaller strings of text to avoid missing relevant classified data due to disk fragmentation. If a file is fragmented, its clusters are not adjacent on the disk, so a targeted string that spans a cluster boundary is stored in two separate places and a physical scan sees only part of it in either place. The shorter the key words or strings of text, the less likely that any given occurrence spans such a boundary.

Key word files can be created using DOS Edit, Windows Notepad or even a word processing program. The only requirements are that the list of key word search terms be in pure ASCII form and that each line of text be terminated with a carriage return/line feed sequence. DOS Edit and Windows Notepad generate this file format automatically; with a word processor, use the File Save As option and choose the ASCII DOS Text file format so that no formatting codes end up in the key word file.

Ideally, individual words should not be included in the keyword file. This is because some relevant classified words, terms or markings may be found in common forms of data that will likely be stored on any computer. The following list of key words is an example of a flawed key word list that will likely generate hundreds or thousands of false hits in a security review:

An Example of a Poor Key Word Listing:

secret
classified

These key words may appear to be relevant for the purposes of scanning a computer storage device for classified terms. However, both of these terms potentially exist on non-classified computer systems. The word "secret" is included in the word secretary and the word "classified" will appear in numerous operating system files and standard computer data types.

An Example of a Good Key Word Listing:

top secret
project aardvark
classified project
Colorado Springs

This listing relies upon short strings of text rather than individual words. Therefore, the likelihood is that these strings of text will not appear in data that would likely be found on most computer systems. The only exception might be the name "Colorado Springs" because that city name may be contained internally within address look-up programs, unclassified communications and computer help files.

Key word lists, for use in security reviews, should be crafted with much thought and by someone who has knowledge of the targeted classified data. As indicated above, short strings of text work better than single words and long strings of text.
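As an added example in Python of the search described in this section (not NTI's TextSearch code): it writes and reads the key word file in the format given above, then scans a raw image in overlapping chunks for each term, case-insensitively, in both plain ASCII and UTF-16LE. The sample image is constructed here and the planted strings are assumptions; the UTF-16LE pass goes beyond the text because much of what Windows NT/2000/XP and Office write to disk is stored in that encoding. The same scan applies unchanged to a page file, a slack dump or an unallocated-space dump.

```python
"""Added example (not NTI's TextSearch code): a keyword-list driven scan of
raw storage. The key word file format follows the text (plain ASCII, one
term per line, CR/LF line ends); the disk image below is constructed for
the illustration."""
import re

GOOD_TERMS = ["top secret", "project aardvark", "classified project"]
POOR_TERMS = ["secret"]           # single word: also hits "secretary"


def format_keyword_file(terms):
    """Plain ASCII, one term per line, each terminated with CR/LF."""
    return b"".join(t.encode("ascii") + b"\r\n" for t in terms)


def parse_keyword_file(data):
    return [line.decode("ascii") for line in data.split(b"\r\n") if line.strip()]


def compile_patterns(terms):
    """Match each term case-insensitively in two encodings: plain ASCII and
    UTF-16LE, which is how NTFS, the registry and Office documents store
    much of their text."""
    compiled = []
    for term in terms:
        ascii_pat = re.compile(re.escape(term.encode("ascii")), re.IGNORECASE)
        wide = b"".join(
            b"(?:" + re.escape(c.lower().encode("utf-16-le")) + b"|"
            + re.escape(c.upper().encode("utf-16-le")) + b")"
            for c in term)
        compiled.append((term, "ascii", ascii_pat))
        compiled.append((term, "utf-16le", re.compile(wide)))
    return compiled


def scan_image(image, terms, chunk=64 * 1024):
    """Scan raw bytes (a disk image, page file, slack or unallocated dump).

    The image is read in chunks that overlap by the longest encoded term so a
    hit straddling a chunk boundary is still reported. A term split across
    two non-adjacent clusters by fragmentation is still missed, which is why
    the text recommends short strings.
    """
    patterns = compile_patterns(terms)
    overlap = max(len(t.encode("utf-16-le")) for t in terms) - 1
    hits = set()
    for pos in range(0, len(image), chunk):
        window = image[pos:pos + chunk + overlap]
        for term, enc, pat in patterns:
            for m in pat.finditer(window):
                if m.start() < chunk:     # matches in the overlap belong to the next chunk
                    hits.add((pos + m.start(), term, enc))
    return sorted(hits)


def context(image, offset, width=24):
    """Printable context around a hit for the reviewer."""
    raw = image[max(0, offset - width):offset + width]
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def build_sample_image(chunk=64 * 1024):
    """Constructed image: mostly zeros with a few planted strings."""
    img = bytearray(3 * chunk)
    img[100:100 + 25] = b"Memo: TOP SECRET briefing"          # upper case
    img[chunk - 6:chunk - 6 + 16] = b"project aardvark"       # straddles chunk 0/1
    wide = "Classified Project Alpha".encode("utf-16-le")      # Office-style text
    img[70000:70000 + len(wide)] = wide
    img[90000:90000 + 20] = b"the secretary called"            # the false hit
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for offset, term, enc in scan_image(image, GOOD_TERMS):
        print(f"{offset:10d} {enc:8s} {term!r:22s} {context(image, offset)}")
    print("hits for the poor list:",
          [(o, context(image, o)) for o, _, _ in scan_image(image, POOR_TERMS)])
```

Running it reports three hits for the good list, one of them the UTF-16LE "Classified Project" that a plain ASCII search would never see, and two hits for the poor list, one of which is "secretary".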


Data Types Not Identified by Text Searches:

Although NTI's TextSearch Plus and TextSearch NT programs automatically identify most graphics files and compressed files, consideration should be given to the inclusion of some file header information in the key word listing. Encrypted files, compressed files and graphics files will defeat your ability to identify classified information contained within the files. The same is true of deleted graphics files and compressed files, and NTI's TextSearch Plus and TextSearch NT programs will not automatically identify such files if they are stored in unallocated storage space. However, NTI's GExtract will automatically identify and capture previously deleted graphics files. For the reasons stated, file header signatures may be relevant for inclusion in the key word listings. By way of example, you may want to add "PK" to your key word list to identify data files compressed with the PKZIP program; be prepared for many false hits, because those two letters occur in ordinary text, and review each hit for the full local file header (the bytes "PK", 03, 04) at the start of a sector. GIF files begin with the text "GIF87a" or "GIF89a", so either of those is a better key word than "GIF" alone. JPEG files do not contain the letters "JPG" in their header; they begin with the bytes FF D8 FF and usually carry the text "JFIF" or "Exif" a few bytes in, so "JFIF" and "Exif" are the strings to list, while "JPG" will mostly match file names in directory entries. There are other file types that may increase the potential for risk, and the computer security specialist should take such factors into account when he or she creates a key word listing for use in security reviews.
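As an added Python example for the file header point above (not NTI's GExtract code; the image is constructed here): it looks for the complete header signature at the start of each sector, which finds allocated and deleted graphics and Zip files alike, and contrasts that with the hits a bare key word such as "PK" or "JPG" would produce.

```python
"""Added example (not NTI's GExtract): find graphics and Zip files, allocated
or deleted, by checking the start of every sector for a complete header
signature instead of searching for a bare keyword such as "PK" or "JPG".
The image is constructed for the illustration."""
import re

SECTOR = 512
SIGNATURES = {                    # what the first bytes of each file type look like
    "zip":  (b"PK\x03\x04",),     # PKZip local file header
    "gif":  (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),   # SOI marker; "JFIF" or "Exif" usually follows at offset 6
}


def find_file_headers(image, sector=SECTOR):
    """Report (offset, kind) for each sector that begins with a known header.

    Files start on cluster boundaries on FAT and NTFS, and clusters are
    sector-aligned, so a deleted file in unallocated space is found exactly
    like an allocated one. Signatures embedded mid-file are deliberately
    not matched, which keeps the false hit rate low.
    """
    hits = []
    for off in range(0, len(image), sector):
        head = image[off:off + 8]
        for kind, sigs in SIGNATURES.items():
            if any(head.startswith(s) for s in sigs):
                hits.append((off, kind))
    return hits


def naive_keyword_hits(image, keyword):
    """What a bare key word like "PK" or "JPG" reports: every offset where the
    letters occur, in headers, file names and ordinary prose alike."""
    return [m.start() for m in re.finditer(re.escape(keyword), image)]


def build_sample_image():
    """Constructed image: a Zip, a GIF and a JPEG at sector starts, plus prose
    and a directory-style file name that mention the same letters."""
    img = bytearray(12 * SECTOR)
    img[0:30] = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20   # zip local header
    gif = b"GIF89a" + b"\x10\x00\x10\x00"
    img[3 * SECTOR:3 * SECTOR + len(gif)] = gif
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    img[7 * SECTOR:7 * SECTOR + len(jpg)] = jpg
    prose = b"Send the PKZip archive and report.JPG to the secretary; PK said OK."
    img[9 * SECTOR:9 * SECTOR + len(prose)] = prose
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("header hits:", find_file_headers(image))
    print('bare "PK" hits:', naive_keyword_hits(image, b"PK"))
    print('bare "JPG" hits:', naive_keyword_hits(image, b"JPG"))
```

On the constructed image the signature scan reports exactly the three files, the bare "PK" key word reports the Zip header plus two occurrences in prose, and the bare "JPG" key word reports only the file name in the prose and misses the JPEG itself.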

Note: A more comprehensive article, targeted specifically at classified U. S. Government agencies, is available for NTI's U. S. Government clients and it can be downloaded from this site. However, a password is required to access the restricted article and the password can be obtained from NTI by U. S. Government computer security specialists once their identity has been verified. Click here to obtain the password protected article.


Please direct E-Mail to info@forensics-intl.com



Copyright © 2004 by New Technologies Armor, Inc. June 8, 2004