Tuesday, June 3, 2008

Universal Serial Bus: Small, Available, Threatening (2006)

Abstract

While the implementation of the USB standard across multiple computing platforms has given rise to new devices and allowed for the advancement in portable technology, including the development of devices for the easy transmission of data between computing platforms, seldom is the question asked in regard to the forensic integrity of these devices and the operating systems that they utilise as hosts.

Keywords

USB, Computer Forensics, U3, Malicious Code

Introduction

The Universal Serial Bus (USB) has been a great leap forward for computing worldwide. This plug standard, along with its device drivers, allows the connection and near-instant recognition of a variety of devices, including input devices such as keyboards and mice, output devices such as speakers, headsets and printers, and removable storage devices such as USB memory keys, external hard disk drives and external CD-ROM drives. The USB standard allows these connections to occur across many computing platforms and operating systems, such as Apple Mac OS, Microsoft Windows NT-based systems and the Linux platforms.

While the use of USB has been a giant leap forward for the computing world, it appears that both hardware implementations, such as Direct Memory Access (DMA), and software security factors, for example operating system implementations of Autorun, have been overlooked in favour of usability. This oversight has led to concerns that USB devices could be used for unlawful purposes, including intellectual property theft and the spread of malware. Although it is not a new phenomenon for removable computing devices to be utilised in computer crimes, as exemplified by the USB’s CD and floppy disk predecessors, USB devices represent an alarming development that will more readily enable criminals to minimise the audit trail of their crimes while also having the ability to transport increasingly large amounts of data.

This paper seeks to investigate the forensic implications of USB storage devices with a view to examining the inability of operating systems to manage the threat these devices pose. An investigation that incorporates the impact of technological advances will also be undertaken into the security and forensic implications resulting from USB devices. The outcomes of these investigations will demonstrate that current security measures lack the capacity to minimise the threat posed by USB devices and that this will in turn lead to difficulties in investigating crimes that have utilised such devices.

Pervasiveness of the Universal Serial Bus

Since 1996 (Koon, 2005) the Universal Serial Bus platform has come from obscurity to become the unified platform for plugging external devices into computers. The most interesting of these devices in terms of computer forensics are USB storage devices, due to their ability to store and shift large volumes of data while leaving only small amounts of trace on the host computer.

USB storage is everywhere, helping us move files from one place to another, holding and playing our songs on our digital music devices, storing our digital photos on our digital cameras and holding our appointments and emails on our Personal Data Assistants. The USB interface gives devices the ability to be recognised quickly, and the capability to be upwardly mobile due to the size and portability of these devices.

The USB device has changed the corporate environment just as floppy drives and CD burners did before it. However, unlike the floppy disk and the CD, the USB storage device poses a far larger risk. Transferring large quantities of data on floppies was not feasible, and the deployment of CD burners within the enterprise is, for the larger part, not implemented due to cost. The implementation of USB connections on enterprise workstations is, for the greater part, commonplace.

The pervasiveness of the USB standard has meant that the wired USB standard now accounts for more than two billion connections (USB-IF, 2006), across all varieties of input/output devices. The USB standard is implemented in nearly every desktop and laptop computer across the globe, making this connection standard highly available to most users, both at home and in the corporate environment.

In the corporate environment the USB standard has allowed people to be upwardly mobile with information, giving the mobile workforce more access to the information on the move. The use of the USB storage device has enabled large quantities of data to be easily transmissible between system entities without the aid of network resources.

USB is great, so where is the threat?

While USB storage devices allow for the fast transmission of data between systems and devices, there are a number of threats that are presented by USB storage. These include:

· the ability to store and migrate large amounts of data,

· the portability of this data from one place to another,

· the variety of appearances of these storage devices,

· the ease of concealment, making the USB storage device harder to detect, and

· the ability to trace the device post-incident during forensic examination.

The preceding list of threats illustrates that the ability to use USB devices to store and transport large amounts of data heightens the vulnerability of many corporations, leaving them more open to criminal attacks that may ultimately remain anonymous. Following is a more in-depth analysis of these threats and their forensic implications.

USB Storage Limits

USB storage devices allow for the storage of massive amounts of data and give the owner the freedom to easily transport such data. The storage capacity of these devices ranges from 8 megabytes to an amazing 64 gigabytes on a relatively small USB key (Buslink, 2006). For example, the Apple Corporation’s iPod is capable of storing 60 gigabytes of information, both music and data. To date, approximately 60 million iPod devices have been sold since their launch in 2001 (Dahdah, 2006), with Apple continuously developing and marketing this product as it forms a core component of its business. There are also external hard drive devices that can now exceed 4 terabytes. While these devices are not as compact as USB keys, they still have a high level of portability. The ability to covertly use these devices to rapidly siphon or deposit large amounts of data onto a system poses the greatest security and forensic threat to computing systems that have not been secured against this possibility.

Concept of Storage: USB Devices are Becoming Smaller and Harder to Detect

The large variety of devices readily available on the market has led to the proliferation of confusion and misinformation regarding the definition of a storage device and the real and potential threat these devices could pose to the information security of an organisation. The lack of a comprehensive list of what constitutes a storage device has led to many oversights in terms of devices that could potentially be used for storing and transporting data. For instance, Anderson (n.d.) has outlined a variety of devices that could be overlooked when collecting evidence, including watches, pens and novelty devices that may in fact have USB storage capabilities. It is reasonable to expect that beige boxes with “storage” or “hard drive” written in bold letters down the side of the device would be noticed, but some USB devices such as the iPod or music devices are not thought of as data transfer devices. However, they should never in the first instance be discounted as mere music players.

Furthermore, although some devices are quite obviously storage devices, their increasingly small size translates into portability and ease of concealment. For instance, the USB pen drive or memory stick was created with portability in mind and, as such, was designed to be as small as possible. This minimal size allows the device to be transported and concealed with ease while not compromising on storage capacity. Many fictional works have also captured the fact that USB devices can be smuggled into and out of workplace environments with ease. For example, the Hollywood movie The Recruit shows classified data being smuggled from an American intelligence agency through the use of a USB memory stick small enough to be hidden in the base of a traveller’s coffee mug.

Moreover, the general rule is that the smaller a device is, the easier it is to destroy. This is particularly relevant to USB storage devices. Once the attack has been carried out and the data has been uploaded or downloaded, the USB device can easily be destroyed, thus removing a vital piece of forensic evidence. Both the size of the device and the size of its container enable the device to be destroyed with little waste to dispose of.

USB Storage is Becoming More Intelligent

While operating systems have always been able to permit USB devices to function with some level of intelligence, there have been advances in these devices that enable them to provide their own smarts. The use of such technology as the Autorun feature and the newer U3 standard provide this cleverness by allowing the system to identify the device as something that could be trusted such as a Compact Disk or a localised hard disk drive. Additionally, the U3 Standard has provided users with greater systems portability by enabling USB devices to store and run self-contained programs. This allows the user to operate programs, such as personalised web browsing software, and also provides the user with consistent environment abilities across different computers.

Despite the positive features of these developments, many individuals are of the opinion (Garfinkel, 2006) that the Microsoft Windows Autorun feature is surplus to the requirements of any user and is a bad idea in any situation. These opinions have arisen in spite of the fact that the Autorun feature must be enabled by the user before it can become functional. The potential for this type of technology to be exploited for malicious purposes has been identified by many security professionals (Hak.5, 2006). One of the major risks posed by the U3 standard is the ability it provides to operate a device as one or multiple devices: a storage area and a virtual CD-ROM device. This duality enables the device to immediately run as a CD-ROM and negate the user interaction that would otherwise be required for Autorun to occur. Furthermore, by modifying the CD/DVD part of this device, malware is able to run as a CD would, giving it the same rights to run features such as Autorun and giving it access to the file system under the current user’s account (Lemos, 2006; McGrew, 2006).

Further risk is posed by the development of products such as Switchblade and Hacksaw. The USB Switchblade application enables the program’s user to offer the drive to others, whereupon local information such as passwords and account details is downloaded from the other system (Hak.5, 2006). USB Hacksaw, an extension of USB Switchblade, is designed to silently and automatically copy data from the victim’s computer onto a USB storage device. This data is then sent to a predefined email account (Hak.5, 2006). The two preceding products have also been combined with several network-aware products, which further extends the risk of these programs by giving them the ability to traverse not only portable storage devices but also the network to which the host system is connected. This has been illustrated by Spektormax’s combination of the tools Hacksaw, Switchblade, VNC and Nmap. This has allowed the infected system to scan for network clients and information and even eventually compromise systems on the network.

The aforementioned features present a forensic quandary in that the increased intelligence of these devices allows a system to be compromised even when a valid user is connected or logged into the machine. For instance, in addition to the attacker utilising a USB device, a legitimate user may inadvertently assist in the crime simply by plugging in their own USB key. There are also other mechanisms that allow a system to be compromised without the user’s knowledge, for example buffer overflow issues that are largely caused by incorrect or poor coding in device drivers. Garfinkel (2006) attributes this problem to the DMA connections that are allowed on FireWire and USB connections. However, regardless of the source of these weaknesses, the result is that the ability to trace the source of a computer crime is becoming increasingly diminished, and computer crime that makes use of physical storage devices may now not require physical proximity to the targeted system.

While USB devices can be a risk themselves, advances in data storage have allowed USB devices to pose further threats. For instance, programs such as TrueCrypt (TrueCrypt, 2006) offer the ability to hide a secure file system area within another encrypted file, thus enabling the true protection of data to occur. This file within a file also allows the individual to give the forensic examiner the pass phrase with plausible deniability that any other internal file system exists (TrueCrypt, 2006).

Meat-Bag Security

Due to the large variety of readily available USB devices, it is reasonable to expect that both security and regular personnel might not instantly recognise the risks posed by some devices. Take, for example, personal music players. In an environment where such devices are allowed, many employees may be entering and exiting the building with large-capacity storage devices. However, physical security staff are unlikely to recognise a device with headphones as a threat to the organisation’s security. Furthermore, the information stored on these devices can easily be hidden from a casual inspection, particularly if the inspector is inexperienced with the use and manipulation of such products. In such cases, the inspection may reveal nothing of interest on the device even though the data is there, awaiting the use of an undelete program to restore it to its former glory.

In terms of physical security, size is also a factor. As mentioned above, the increasingly small size of USB storage devices has translated into portability and ease of concealment. Their small size has created a multitude of ways for storage devices to be covertly removed from an establishment, even if that establishment is manned by security personnel authorised to conduct bag searches. This issue could easily translate into an inability to trace the source of the attack.

Are the Principles of Computer Forensics Able to Address the USB Threat?

As the above investigation demonstrates, the principles of forensic science are hampered by USB devices. This is due in part to the fact that the information stored on the device is unknown prior to the device being removed. Furthermore, once the device has been removed its contents can change, and no checksums are taken before and after the device is removed. This means that information could be placed in an encrypted partition on the device. Also, there are no transfer records on the computer system except for information stating that the device was plugged in.

When these features combine with the security threats discussed above, one becomes aware of the new challenge that USB devices present to a forensic investigation. Currently, the tools used to prevent and investigate attacks are, in many respects, inadequate for effectively dealing with a violation that has utilised a USB storage device. As in most cases, prevention is better than cure, and many of the forensic implications can be pre-emptively dealt with by examining the cause of the threat.
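The point about checksums above is the one part of this problem that an examiner can address directly: hashing an acquired image at the moment of seizure gives a reference value against which any later change to the evidence can be detected. The following is an added example, not code from the paper, and uses a constructed byte string in place of a real device image; it records a SHA-256 hash at acquisition, verifies the image against it, and then shows that a single byte written afterwards breaks the match.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for an acquired device image; a real image would be
# the raw contents of the seized USB device, usually gigabytes in size.
SAMPLE_IMAGE = b"BOOT SECTOR (constructed)\x00" * 64 + b"quarterly_figures.xls (constructed)"


def hash_bytes(data):
    """SHA-256 of an in-memory byte string, as a hex digest."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(image_bytes, directory):
    """Store the image and record its hash at the moment of acquisition.

    Returns (path, acquisition_hash). The hash is the value an examiner
    would write into the evidence log alongside the device identifiers.
    """
    path = os.path.join(directory, "usb_device.dd")
    with open(path, "wb") as f:
        f.write(image_bytes)
    return path, sha256_of_file(path)


def verify(path, recorded_hash):
    """Re-hash the stored image and check it still matches the recorded value."""
    return sha256_of_file(path) == recorded_hash


def demo():
    """Acquire, verify, then simulate a post-acquisition write and verify again.

    Returns (intact_before_write, intact_after_write, file_hash_matches_memory).
    """
    with tempfile.TemporaryDirectory() as d:
        path, h0 = acquire(SAMPLE_IMAGE, d)
        intact = verify(path, h0)
        # A single byte written after acquisition (simulated tampering, or an
        # accidental mount without a write blocker) is enough to break the match.
        with open(path, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        still_intact = verify(path, h0)
        return intact, still_intact, h0 == hash_bytes(SAMPLE_IMAGE)


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The hash is taken over the whole image rather than over individual files, so a hidden or encrypted partition is covered even though its contents are unknown; what the hash cannot do is say anything about what was copied to or from the device while it was attached, which is the logging gap the next section describes.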

The Failure of Operating Systems and the Impact on Forensic Systems

While it would be convenient to blame the USB storage device for the aforementioned problems, the heart of the issue lies with the security-related inadequacies of the operating systems that are presently available. By looking beyond the device itself, one can determine that the operating system acts as an enabler of the crimes that can be committed through the use of a USB storage device. The true forensic impact of the USB storage device is due to the lack of proper logging of data moving into and out of the port. In fact, the majority of operating systems do not offer any form of logging mechanism, nor are there appropriate system controls to monitor the throughput – either input or output – of the USB connection. For example, endpoint security in Microsoft Windows XP for USB and storage devices requires the use of third-party products in order to ensure the true data security of the ports.

Logging

While there are log files available in current-generation operating systems, when these logs are replayed they may sometimes appear incomplete (Farmer, 2001) and overlook some of the important events that occurred during a given session. Furthermore, USB logs do not yet even show that this is a problem. As such, there is no proof that the input device identified by the computer actually belongs to the computer’s regular operator. These issues are compounded by the fact that there is also no indication as to what type of data has been accessed or copied (Lemos, 2006). The gravity of this threat is evidenced by the ability for a file to appear to be local on the machine before being stolen by a third party. Barring trace amounts of data telling the investigator that the device had been plugged in, no records would exist that this event had occurred. In his article, Garza (2005) highlights the problems this can create for a system. Consider, for instance, the possibility of the Autorun feature being combined with two ten-second attacks. This would enable the perpetrator to load tracking or key-logging software before stealing dozens of credit card records, leaving only a thin trace of evidence regarding the device, such as the device ID. Even though Microsoft prohibits the use of Autorun scripts in combination with an active USB device, the use of a U3 device can bypass this security due to its unique ability to appear as two devices.

In the majority of operating systems there is simply no logging taking place pertaining to information such as files copied, files used on the device or executables utilised. This lack of logging on USB storage devices can also make it harder to build a cohesive case against the accused. For example, the individual in question may have had, or been entitled to, access to the resource that contained the intellectual property. However, if an intelligent device, such as an enhanced U3 device like Hacksaw, was plugged into the computer, it could retrieve the Word documents or Excel files that contain the information.
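The “thin trace” the paper refers to is, on most systems, a handful of kernel log lines recording that a device with a given vendor ID, product ID and serial number was attached to a port. The following is an added example, not code from the paper, showing what an examiner or an endpoint monitor can still recover from such traces: it parses a constructed excerpt of Linux kernel log lines into a per-attachment timeline and checks each mass-storage device against a register of serials issued by the organisation, which is the “registration of all storage devices” control suggested in the remedies below. The log excerpt, hostname, serial numbers and approved-device register are all constructed for the example; the vendor IDs 0781 (SanDisk) and 05ac (Apple) are real USB-IF assignments.

```python
import re

# Constructed register of serial numbers for devices issued by the organisation.
APPROVED_SERIALS = {"2004161434481ECB4A3A"}

# Constructed kernel log excerpt in syslog style; not captured from a real host.
# The serial numbers and hostname are invented.
SAMPLE_LOG = """\
Oct 14 09:12:03 ws17 kernel: usb 1-2: new high-speed USB device number 4 using ehci_hcd
Oct 14 09:12:03 ws17 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5406
Oct 14 09:12:03 ws17 kernel: usb 1-2: SerialNumber: 2004161434481ECB4A3A
Oct 14 09:12:04 ws17 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Oct 14 09:14:51 ws17 kernel: usb 1-2: USB disconnect, device number 4
Oct 14 09:20:10 ws17 kernel: usb 1-3: new high-speed USB device number 5 using ehci_hcd
Oct 14 09:20:10 ws17 kernel: usb 1-3: New USB device found, idVendor=05ac, idProduct=1209
Oct 14 09:20:10 ws17 kernel: usb 1-3: SerialNumber: 000A27001A2B3C4D
Oct 14 09:20:11 ws17 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Syslog prefix, then the message the kernel emitted.
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<msg>.*)$")
# The four message shapes the timeline is built from, keyed by the port (e.g. "1-2").
NEW_DEVICE = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL = re.compile(r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected")
DISCONNECT = re.compile(r"usb (?P<port>[\d.-]+): USB disconnect, device number \d+")


def build_timeline(log_text, approved_serials):
    """Return one record per device attachment, in order of connection."""
    timeline = []
    open_sessions = {}  # port -> record of the device currently on that port
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if (d := NEW_DEVICE.match(msg)):
            rec = {"port": d["port"], "connected": ts, "disconnected": None,
                   "vid": d["vid"], "pid": d["pid"], "serial": None,
                   "mass_storage": False}
            open_sessions[d["port"]] = rec
            timeline.append(rec)
        elif (d := SERIAL.match(msg)) and d["port"] in open_sessions:
            open_sessions[d["port"]]["serial"] = d["serial"]
        elif (d := STORAGE.match(msg)) and d["port"] in open_sessions:
            open_sessions[d["port"]]["mass_storage"] = True
        elif (d := DISCONNECT.match(msg)) and d["port"] in open_sessions:
            # A device still attached when the log ends keeps disconnected=None.
            open_sessions.pop(d["port"])["disconnected"] = ts
    for rec in timeline:
        rec["approved"] = rec["serial"] in approved_serials
    return timeline


def unapproved_storage(timeline):
    """Serial numbers of mass-storage devices that are not on the approved register."""
    return [r["serial"] for r in timeline if r["mass_storage"] and not r["approved"]]


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOG, APPROVED_SERIALS)
    for r in tl:
        print(f'{r["connected"]} port {r["port"]} {r["vid"]}:{r["pid"]} serial={r["serial"]} '
              f'storage={r["mass_storage"]} disconnected={r["disconnected"]} approved={r["approved"]}')
    print("unapproved storage devices:", unapproved_storage(tl))
```

Run against the sample, the second attachment (an Apple device presenting a mass-storage interface, with a serial not in the register) is reported as unapproved and still attached when the log ends. What the timeline cannot tell you, exactly as the paper says, is which files were read or written during the two-and-a-half minutes the first device was present; that is why the same parsing belongs in a monitoring tool that raises an alert at attachment time rather than only in a post-incident script.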


Remedies

While there are many suggested remedies, it seems that the only way of permanently shutting down a USB, serial or any other unsecured port is by using a physical method such as glue or Duco Cement (Lundquist, 2006). However, there are alternatives that can be pursued, such as monitoring, logging, disabling supporting driver resources, the use of deterrent software, training security personnel to recognise the risks presented by portable devices, and the creation and enforcement of policy. These options are outlined below.

1. Development of a meaningful security policy.

The development of a meaningful policy is perhaps the most important element in protecting the organisation and its associated infrastructure from a variety of malware including viruses, worms and other malicious executables. This policy should also allow relevant personnel the ability to request the inspection of storage devices that are present on the premises. If the level of information sensitivity deems it necessary, provisions could also be made for the registration of all storage devices entering and exiting the building. These policies in regard to USB devices need to be developed to ensure that at least within the enterprise the impact of the USB device is minimised if not entirely removed.

2. Reminding the customer of their rights and responsibilities

While the user has the right to their privacy, they also have the responsibility to the organisation to ensure that their practices abide by the policies and codes of conduct that are laid out by the organisation. Reminders could include posters, internal newsletters or system warnings when a USB storage device is detected. This reminding of the customer should reinforce the fact that there are risks associated with the use of external unapproved media. Explaining the risks in an illustrated, meaningful, non-technical manner can assist in this education campaign.

3. Enforcing the security policy - to the letter

The enforcement of security and device policies is not an easy sell; however, security enforcement is a necessity, particularly in the case of managing portable storage devices within an organisation. This process can be optimised by ensuring that security staff are adequately trained to detect unauthorised storage devices, including the various forms of USB devices. Employees should also be required to undergo awareness training in order to familiarise them with the security processes that they will operate under as a member of the organisation. Employees who then breach the company security policy should be dealt with according to a predefined action plan.

4. Use of deterrent software

In order to mitigate the threat posed by USB devices, an organisation should consider installing software that enables all information from a device to be dumped in a specified location where it can later be subjected to post-incident analysis. Consideration should also be given to the implementation of key-dumping software through which staff are able to access information from a USB device from their desktop once that information has been scanned and cleaned in a temporary holding area. Another alternative is using logging software such as DeviceWall (Devicewall, 2006), which monitors device throughput, allowing certain devices and restricting the rights the user has to copy or move a file from one place to another. The key point for organisations to note with regard to computer forensics is that recording an incident is the first step toward minimising the risk associated with prosecution.

5. Disabling ports for endpoint security

The Microsoft Windows solution allows corporations to disable the USB device drivers, remove rights to the drivers so that only administrators can access USB storage devices, and change the registry so that no new devices can be added to the system. However, with the right tools these changes could be circumvented. Unfortunately, glue or Duco Cement appears to be the only failsafe means of eliminating the threats posed by USB storage devices.

Conclusion

As the above discussion demonstrates, the enormous benefits that have accompanied the introduction of USB devices have been counterbalanced by the new threats these devices pose to information security. These threats stem from the oversight of security factors in favour of usability. This is because the features of usability and transportability are the mainstays of the USB device, and it is in these areas that constant improvement is sought by USB device manufacturers.

While the security implications posed by such devices are grave and may include practically untraceable thefts and attacks, what is perhaps of even more concern is that this threat is yet to be taken seriously. Oversights by USB device and operating system providers mean that USB devices can readily be used for unlawful purposes, such as intellectual property theft and the proliferation of malware. Granted, it is not a new phenomenon for removable storage devices to be utilised in computer crimes; however, USB devices represent a disquieting development that more readily enables criminals to minimise the audit trail of their crimes through the methods exemplified in this paper. The impact of this development is compounded by the ability to transport increasingly large amounts of data on increasingly small, and therefore less detectable, devices.

This paper has examined the forensic implications presented by USB storage devices in order to illustrate that this threat has been neglected in the security design of the currently available operating systems. This investigation has demonstrated that current security measures lack the capacity to minimise the threat posed by USB devices and that, if appropriate security measures are not implemented, this threat will in turn lead to difficulties in investigating crimes that have used USB technology.

References

Buslink. (2006). 64GB USB 2.0 Bus Drive Pro 2 Series [Electronic Version]. Retrieved 14 October 2006 from http://www.buslinkbuy.com/products.asp?sku=BDP2%2D64G%2DU2.

Dahdah, H. (2006). How long will the iPod be the core of Apple’s business? [Electronic Version] from http://www.computerworld.com.au/index.php/id;1547444792;fp;2;fpid;3.

Devicewall. (2006). Endpoint Security: USB Security, Device Lockdown and USB Encryption - Prevent Data Theft with DeviceWall [Electronic Version] from http://www.devicewall.com/.

Farmer, D. & Venema, W. (2001). Forensic Computer Analysis: An Introduction [Electronic Version] from http://www.ddj.com/184404242.

Garfinkel, S. (2006). Attack of the iPods! [Electronic Version]. Retrieved 14 October 2006 from http://www.csoonline.com/read/050106/ipods_pf.html.

Garza, V. R. (2005). Attack: USB could be the death of me [Electronic Version]. Retrieved 14 October 2006 from http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1112458,00.html.

Hak.5. (2006). USB Hacksaw [Electronic Version] from http://www.hak5.org/wiki/USB_Hacksaw.

Koon, J. (2005). The USB Vision: 10 Years Later [Electronic Version] from http://www.everythingusb.com/timeline.html.

Lemos, R. (2006). USB drives pose insider threat [Electronic Version]. The Register from http://www.theregister.co.uk/2006/06/27/usb_drives_security_threat/.

Lundquist. (2006). USB Security: A Sticky Situation [Electronic Version].

McGrew, W. (2006). Hacking U3 Smart USB Drives [Electronic Version] from http://cse.msstate.edu/~rwm8/hackingU3/.

TrueCrypt. (2006). TrueCrypt - Free Open-Source On-The-Fly Encryption [Electronic Version]. Retrieved 14 October 2006 from http://www.truecrypt.org/.

USB-IF. (2006). Certified Wireless USB from the USB-IF [Electronic Version] from http://www.usb.org/developers/wusb.
