Know Your Hardware

Information can be retrieved from many hardware devices, including internal and external hard drives, CD-ROMs, USB flash drives, Compact Flash devices, memory cards or sticks, and smartphones. Information stored on such devices is nonvolatile, and usually persists intact when such a device is powered off (and sometimes even after erasure).

By comparison, devices such as keyboards, monitors, and printers do not store data permanently (or at all). These devices are used to send data to and receive data from computers. After a computer is turned off, these devices do not truly store information. However, a trained computer forensic investigator who employs specialized techniques can often find data or evidence on these devices even when a system is powered off (as with printer buffers or onboard storage devices).

Because technology is constantly changing, keeping up-to-date on new devices and methods for communication is important. You must also determine which of these technologies and devices are permitted in an organization under investigation. That’s because employees frequently use their own devices for convenience’s sake, but intruders use them to gather information, often illicitly.

What I/O Devices Are Used?

Many of the terms used to describe computers or their components actually describe their capability, use, or size. Even though the word “computer” can apply to just about any device that contains a microprocessor, most of us think of a computer as a device that processes what we input using a keyboard or a mouse and then displays the results on a screen.

input/output (I/O)

Data transfer that occurs between the thinking part of the computer, or CPU, and an external device or peripheral. For example, when you type on a keyboard, that device sends input to the computer. Usually software directs the computer to output what you type on a screen.

One of the first items on your planning agenda should be to list all types of input/output (I/O) devices used in the organization. This list will drive the selection of tools needed to analyze the information they contain. It will also give you a good idea of what areas could be susceptible to intrusion and might therefore need more monitoring.

Servers

In the early days of computing, mainframes were the primary repositories for storing and processing data. These were huge computers that filled entire rooms. As the power of computers has increased, their size has decreased. Many mainframes have been replaced by enterprise servers—although you’ll still find mainframes in use, particularly in large enterprises. Mainframes generally involve large, specialized, expensive hardware systems from vendors such as IBM, Hitachi, HP (NonStop systems), Fujitsu, and NEC. Older models use proprietary CPUs, memory, and bus architectures. Enterprise servers, on the other hand, are generally modular, rack-mounted computers built around stock Intel or AMD server processors (such as Xeon and Opteron, respectively), and use standard memory packages and bus architectures. Price is also a major differentiator: It’s easy to spend millions on a mainframe installation, but difficult to spend more than $500,000 on an entire equipment rack stuffed with server blades, storage devices, high-speed interconnects, plus redundant power supplies.

server

A computer with sufficient processing power and storage capacity to provide services to other computers over a network. Servers often include multiple processors, large amounts of memory, and many sizable hard drives. They also often incorporate two or more high-speed network interfaces (Gigabit Ethernet, also known as GbE, or better).

Servers can play various roles. By identifying the role that each server plays, you can more easily determine which tools you’ll need. Common server roles include application, file, web hosting, print, e-mail, Voice over Internet Protocol (VoIP) services and messaging, and File Transfer Protocol (FTP).

You should also determine where servers are situated. Are they accessed from the internal network only, from the external world (over the Internet), or both? This helps identify vulnerabilities, as well as the protective measures that should be in place. This is important because, owing to the anonymity of networks and the Internet, attacks on all types of servers are increasing. Such attacks can be attributed to everything from simple curiosity to malicious intent.

Workstations

workstation

A high-end desktop computer that delivers enhanced processing power and significant memory capacity, and performs special functions, such as software or game development, CAD/CAM design, finite element analysis, and so forth.

personal computer (PC)

A computer intended for general use by an individual. PCs were originally known as microcomputers because they were built on a smaller scale than the systems most businesses used at the time.

desktop

A PC designed to be set up in a permanent location because its components are too large or heavy to transport easily.

The term workstation used to refer to extremely powerful desktop computers most often used by research and development teams. Because technology has advanced so rapidly and a lot of processing power can be packed into a small machine, workstation is often used interchangeably with personal computer (PC) or desktop.

Although PCs and workstations can be used as stand-alone systems (for example, in a home environment), they are often linked together to form a local area network (LAN). Figure 2-1 shows the relationship between a server and workstations on a LAN.

Figure 2-1: Typical LAN setup


You should maintain an inventory of workstations on the premises. You should also know who connects to the network remotely.

In today’s mobile society, telecommuting has become a way of life. Telecommuting saves overhead and energy costs. Many organizations hire contractors without providing them with work space on-site. This is an important factor to remember. Everyone has heard horror stories about people hacking into corporate networks through home computers. It can—and does—happen all the time!

John Deutch

One high-profile case is that of ex-CIA director John Deutch. He stored over 17,000 pages of classified documents on unsecured Macintosh computers in two of his homes. National security secrets were stored where almost anyone could access them. His computers, designated for unclassified use only, were connected to modems and regularly used to access the Internet and the Department of Defense (DoD). Family members were also allowed to use those same PCs.

Unsecured classified magnetic media were also found in Deutch’s residences. A team of data recovery experts retrieved all data from Deutch’s unclassified computers and magnetic media. The results of this inquiry were submitted to CIA senior management.

Deutch pled guilty to storing government secrets on unsecured home computers in exchange for receiving no prison time. Deutch was pardoned by President Bill Clinton hours before his presidency ended.

Workstation security is too often overlooked and under-appreciated. Yet this is one target that proves irresistible to intruders because it is a path of least resistance when deploying an attack.

Mobile Devices and More

mobile device

A catch-all term that refers to any of a number of handheld computing and communications devices, including cell phones, smartphones, handheld computers, and even so-called personal digital assistants (PDAs). All of these handheld devices have some or all of the following capabilities: general computing including web access and compact local applications (called apps), wireless Internet and networking components, wireless telecommunications, global positioning systems (GPSes), e-mail access, and phone/address book capabilities. Mobile devices generally use flash memory instead of a hard drive for storage to keep them as light and small as possible.

Mobile devices include ordinary cell phones as well as smartphones. Cell phone design puts a strong emphasis on phone use; smartphones include a strong emphasis on Internet access and applications as well. Cell phones are more compact, feature smaller screens and keyboards, and aim more at basic voice communication with limited text-handling. Smartphones are somewhat larger with bigger, higher-resolution screens and keyboards that more easily accommodate text-handling, and feature basic Internet access (Web, e-mail, Twitter, and so forth) along with voice communications. At the moment, the Apple iPhone is the must-have smartphone, though other models from LG, HTC, and Motorola also inspire strong “gadget lust.”

Mobile devices also encompass handheld computers and PDAs, which may also be referred to as palmtops or pocket computers. The two major categories in this case are handheld and palm-sized. The differences between the two are size, display, and method of data entry. Handheld computers tend to be larger, with larger liquid crystal displays (LCDs), and might use a miniature keyboard in combination with touch-screen technology for data entry (the Apple iPad is an interesting and popular example of this type). Palm-sized computers are smaller and lighter, with smaller LCDs and stylus/touch-screen technology or handwriting recognition programs for data entry. They can also include voice recognition technologies. A typical PDA can function as a cell phone, fax, web browser, and personal organizer. Figure 2-2 shows some typical mobile devices, including a cell phone, a smartphone, and an iPad.

Figure 2-2: Samsung 2G cell phone (left) and Apple iPhone (right) on top of an Apple iPad


Smartphones, handheld PCs, and PDAs are often designed to work in conjunction with a desktop or laptop PC. Communication to synchronize the device and the computer typically occurs via a USB cable. Many mobile devices can rest in a cradle while hooked up to a PC. Besides communicating via cable, mobile devices can use infrared (IR) ports or various wireless methods (such as 802.11b, 802.11g, 802.11n, and Bluetooth) to transfer data.


All mobile devices are highly susceptible to theft because they are small, valuable, and frequently contain important or sensitive information. Many of them use wireless or infrared technology so that any data they transfer can be intercepted if it is not properly protected.

Mobile devices, especially smartphones, remain some of the fastest selling consumer devices in history. You should know whether they are used on the network of the organization you’re investigating because malicious individuals can use them to transfer sensitive information outside normal access controls, for later reuse or even resale.

Other Devices

CD/DVD-ROM/RW drive

A drive, either internal or external, that is used to read and/or write CDs and DVDs. A CD can store large amounts of digital information (650 MB to 750 MB) on a very small surface. Single-sided, single-layer DVDs hold 4.70 GB while double-sided double-layer DVDs hold more than 17 GB of digital information. CDs and DVDs are incredibly inexpensive to manufacture.

Many other devices can be used to transport or transmit data. They mainly consist of removable media. When you think of removable media, you probably think of floppy disks or CDs and DVDs, which are used in floppy drives and CD/DVD-ROM/RW drives, respectively. An increasing number of Blu-ray Disc devices (which can accommodate 50 GB of data per recordable media blank) are also showing up in the workplace.

In addition, you should be aware of other devices and determine if any of them are being used. For example, older storage media and devices are present in many workplaces. These include:

  • floppy disks: There are several form factors called floppy disks. Capacities range from hundreds of kilobytes to a couple of megabytes. From most recent to oldest, they are:
    • 3.5-inch rotating magnetic media in rigid but compact plastic shells
    • 5.25-inch rotating magnetic media in flexible plastic shells
    • 8-inch rotating magnetic media in flexible plastic shells
  • zip disks: These are somewhat larger than conventional floppies and store hundreds of megabytes of data.
  • Jaz disks: Removable, single-platter hard disks packaged in special protective plastic shells. These devices, which can store hundreds of megabytes and up to 8 GB, are basically hard disks (the drive mechanism) with removable media (the Jaz disks themselves).

Remember that for any kind of removable media (and this includes all kinds of tape formats and other lesser-known removable media from days of yore) a matching drive must be found, and then a driver for the PC or other computer that will be used to access the media’s contents. Putting together all the pieces of this sometimes pesky puzzle can make life interesting during forensic investigations.

USB flash drive (UFD)

A small, portable, high-capacity flash memory device that attaches to a computer or mobile device via a Universal Serial Bus (USB) port.

USB flash drives (UFDs) come in many sizes, from 1 GB to as high as 256 GB (older models in the 16 MB to 512 MB range are also still kicking around). USB flash drives can be used for exchanging large files with someone, running an alternate or repair system on another computer (such as a laptop computer), and keeping certain files separate from files on a hard disk (for example, hacking utilities).

Figure 2-3 shows various UFDs, all of which are small enough to fit into a shirt or pants pocket with ease. Many UFDs include password and encryption utilities, and there are many utilities available to protect UFD contents from third parties as well. Secure UFDs from vendors like IronPort are also available. These not only protect their contents, but also permit access to be managed and controlled remotely and centrally, even to the point of destroying a UFD that has been lost or possibly stolen.

Figure 2-3: UFDs, ranging in physical size (tiny blue model and large Survivor model with waterproof case both hold 8 GB of data)


external hard drive

A hard disk in an external enclosure with its own power supply and data interface(s). Nearly all external hard disks support USB; many support higher-speed interfaces such as eSATA or FireWire (IEEE 1394).

At the time of this writing, modern external hard drives come in capacities from 160 GB to as high as 4 TB. Many include backup utilities, and some even include encryption plus protection and password management utilities as well. You will learn about passwords, encryption, and decryption in Chapter 7, “Passwords and Encryption.”

External hard drives (see Figure 2-4) come in two primary form factors nowadays: smaller, more portable units (which can accommodate as much as 2 TB) incorporate 2.5-inch notebook drives; larger, less portable but more spacious units (which can accommodate as much as 4 TB right now) incorporate standard 3.5-inch desktop PC drives.

Figure 2-4: Two external hard disks: 160 GB 2.5” USB mini-jack type on top of 1.5 TB 3.5” USB Type B jack


Tales from the Trenches: A Preparation War Story

Computer forensic experts should heed the Boy Scout motto: “Be prepared!”

While working with a group of computer forensic specialists who were preparing for a trip to a “far off land” to recover information of “interest to the nation,” we organized a list of every item that might possibly be needed during an extended stay. This team was assembled based on each member’s unique talents and skills. We brainstormed for days, running through every scenario we could imagine to determine how best to prepare for the upcoming mission.

Our team developed a list incorporating all typical items you would expect for such a trip, including strong, secure shipping containers, appropriate commercial forensic recovery tools, a collection of hard drives of various sizes, commercial hard drive duplication hardware, and adapters to read assorted forms of media. We collected a copy of each operating system we anticipated seeing in the field as well as an assortment of application CDs and a variety of other software.

We conducted intensive “ramp up” training to bring all team members “up to speed” and “on the same page” with policies and procedures for this mission. Each team member was instructed on legal limits and requirements for conducting searches and seizing evidence in this foreign location. Everyone was reminded that any evidence located might later be used in court proceedings. Everyone was ready to go. We had planned for every possible contingency.

With all the preparation completed and the equipment safely packed away, the team departed for their new assignment, confident they had the training, equipment, and resources necessary to accomplish their mission. The team arrived on-site and began to set up lab equipment in a safe and secure location to protect their gear and to preserve the integrity of any evidence they processed. Members of the team were assigned to test the equipment to ensure everything worked properly. Other team members were dispatched to locate potential evidence to bring back to the lab for analysis.

Within a few days the team had begun to locate items of interest and began conducting forensic analyses of computers and hard drives. Each case was documented fully, and each investigation appeared to be running smoothly. All our prior planning appeared to be paying off and every part of the operation was running nicely. And then, right on time, Mr. Murphy made his much-dreaded appearance!

With every plan, no matter how well-conceived or executed, something always seems to go wrong. Usually it is something minor—something that typically would cost only a little time and money to fix—had we considered it before the team left home. It is usually something so trivial no one anticipates its occurrence. Here, it was something so important that the team was stuck until the problem was solved.

In this part of the world, old 5 1/4-inch floppy disks are still in use; and the team located a large collection of such disks that very possibly contained evidence linked to the investigation. The team had no blank 5 1/4-inch media on which to corral the evidence and, of course, no 5 1/4-inch disk drives were installed in any of the lab PCs. Even our training had skipped this issue, so younger members of the team had to be instructed in proper techniques for write-protecting such disks to safeguard evidence. New 5 1/4-inch media had to be flown in from another country along with brand-new 5 1/4-inch disk drives. While this did not stop the team from ultimately accomplishing their mission, it did cause a minor delay in processing time-critical information.

What can you learn from this? No matter how much planning and preparation you undertake, something for which you are not prepared usually pops up. It certainly is nice when you can run down to a local computer superstore and buy whatever you need; but sometimes you just have to make do until proper supplies arrive. Planning is important, but so is another skill that the Scouts might just want to add to their list—an ability to improvise.

Networked printers, webcams, networked fax machines, and networked copiers also have vulnerabilities that can lead to data exposure or denial of service. They can be used as gateways for attacks on other systems. These types of I/O devices are often taken for granted, and their security is rarely questioned. Sometimes organizations use the same printers to print sensitive documents that they use to print public documents, such as announcements for company parties. Don’t forget these devices as you inventory the environment.

Check for Unauthorized Hardware

Frequently, employees just assume that it’s okay to install a device on the network or their PC. Unauthorized installations can present security issues to an organization. Once you have inventoried all approved devices in use in the organization you’re investigating, it’s time to look for installed hardware that isn’t approved. You may be surprised at what you will find, if not astonished outright.

Modems

modem

A shorthand version of the words modulator-demodulator. A modem is used to send digital data over a phone line. The sending modem converts digital data into a signal that is compatible with the phone line (modulation), and the receiving modem then converts that signal back into digital data (demodulation).

Modems are devices connected to a phone line that can be used to dial into a server or computer. Wireless modems convert digital data into radio signals and convert radio signals back into digital signals. Although modems are still in use in some geographic areas, they have been replaced (particularly in urban areas) by high-speed cable and digital subscriber line (DSL) solutions, which are faster than dial-up access.

war dialing

Automated software that attempts to dial numbers within a given range of phone numbers to determine if any of those numbers are actually used by modems accepting dial-in requests.

Nevertheless, modems and modem pools or banks are still operational in corporations or SOHO (small office, home office) environments. Many companies still use modems so employees can dial into their networks and work from home. These modems are usually configured to be available to any incoming calls. War dialing takes advantage of these situations and targets connected modems set to receive calls without authentication.


War dialing was extremely popular years ago. In fact, it figured into the popular 1983 movie War Games starring Matthew Broderick, who dialed into a military missile control system and nearly started a world war while thinking he was simply playing a strategy game. However, because newer technologies have replaced connected modems set to receive calls without authentication, war dialing may be an unlikely threat for a LAN. It depends on how advanced an organization’s technology might be.


Tales from the Trenches: The Case of the Missing Modems

Security audits can—and very often do—turn up all kinds of unexpected elements in an organization’s IT infrastructure. One case in point was an audit, followed by a datacenter move, that I helped to conduct for a major U.S. banking and financial services company.

In the process of conducting the audit, we discovered that the datacenter continued to maintain an even dozen analog phone lines through its PBX system (such lines are normally digital, and analog lines in this environment usually point to the presence of a modem somewhere). But while we could find the lines, try as we might, searching high and low, we couldn’t find the modems that went with them.

The mystery was solved when we started to disassemble the raised-floor area in the datacenter. (In many datacenters, cabling and power leads are generally routed under the floor, and related equipment such as servers, power conditioners, cooling units, and so forth, sit on top of the floor.) As we started moving servers, we had to disconnect their cables, which perforce meant lifting the floor tiles to get at the cables and wires. Directly under one dozen of the one-hundred-plus servers in that room, we found our missing modems. It turned out the company permitted project administrators to request and use special modems to dial into their project servers so that they could be remotely restarted after hours and on weekends. They used special interface devices called POST boot cards that can recycle the power to a server and support what’s called a “cold start” when a machine needs to be completely reset. Over time, records for these devices were misplaced or lost. The lines were kept live, and the modems kept running, but nobody knew where they were, or even that they were still up and running.

This discovery underscores the importance of systematic phone number and extension checking when conducting security surveys. Whenever a live modem is found, it needs to be located and documented. Even more important, such modems should only remain online if there’s no other equipment available to perform the tasks that they handle. In our datacenter, for example, a gradual switchover from Compaq to Dell servers meant that the Dell Remote Access Controller (DRAC) devices that the bank had purchased for their new servers could have taken over the role that those mysterious modems were meant to handle. When it comes to modems, the cardinal rule of security has to be “Don’t use them, if you don’t need them!”

Cable and DSL modems are more popular these days. These devices are not vulnerable to dial-up attacks, but they present a danger because they maintain always-on connections to the Internet. Cable modems enable Internet access through a shared cable medium and users are actually on a LAN with all subscribers in their area, which means everything that travels to or from a connected machine can be intercepted by other cable users if the security features in the hardware are compromised.


Former Employee of Hostgator.com Sentenced to Prison for Computer Attack

On January 26, 2009, Cliff L. Wade, a former support technician at Hostgator.com, a Houston-based Internet service provider, was sentenced in a Georgia federal court to eight months in prison and three years of supervised release, plus a fine of $100, in connection with a scheme to intentionally damage his former employer’s network and business.

In early October 2007, Wade moved to Atlanta, GA, from Houston, TX, and started work for a competitor organization without notifying Hostgator of his departure or his changed employment situation. After this time, Wade accessed the Hostgator system and intentionally executed various command and code functions to impair the integrity of Hostgator’s customer support network. Hostgator.com neither authorized nor was aware of Wade’s activities, and Wade’s intrusion caused the company to suffer financial damages in excess of $5,000. Hostgator.com incurred a significant reduction in revenues, and also lost money from resulting damage assessments and the costs involved in restoring damaged data and programs to their proper states.

In the course of the investigation, computer forensic analyses conducted by the FBI revealed that, although Wade had attempted to erase all electronic traces of his identity or presence, those attacks could be linked by certain computer records to other computers outside Hostgator that were in use or otherwise controlled by Wade.

As you can see from this case, knowing who has access to which machines is important. The fact that Wade remained able to access the computers at Hostgator, even after going AWOL, is revealing and informative. In fact, cases have been documented where former employees were able to access networks years after their termination dates.

Key Loggers

key logger

Device that intercepts, records, and stores everything typed on a keyboard into a file. This includes all keystrokes, even passwords.

Key loggers record and retrieve everything typed, including e-mail messages, instant messages, and website addresses. To install a hardware key logger, you unplug the keyboard cable from the back of the PC, plug it into one end of a key logger, and then plug the other end into the PC. Figure 2-5 is a photo of the Keelog KeyDemon USB Hardware Keylogger.

Figure 2-5: The Keelog KeyDemon USB keylogger plugs in between the keyboard cable and the PC’s USB port.

(Photograph Courtesy of Keelog. 2010, www.keelog.com)


Organizations use key loggers for the following reasons:

  • As a tool for computer fraud investigations
  • As a monitoring device to detect unauthorized access
  • To prevent unacceptable use of company resources
  • As a backup tool

So why are they on the list of unauthorized hardware? Simply put, anything can be used for bad intent, and unauthorized individuals can use key loggers to capture logins and passwords illicitly. Unless an organization uses them according to an explicit policy, key loggers should not be present on a network, or systems attached to a network.


Key logging is not restricted to hardware. Numerous key logging programs are readily available on the Internet.

Software key loggers become easier to detect as time goes by because their log files grow. You’ll eventually be able to tell when one is in use because available hard-drive space decreases markedly.


Key Logging Scam Targets Bank Users

On March 13, 2007, the U.S. Army website http://www.army.mil/NEWS/ reported from Fort Belvoir, VA, that soldiers, family members, and DoD civilians who use their home computers to access Thrift Savings Plan (TSP is a popular, widely used bank for military personnel, their families, and those who work for the military) could be vulnerable to information theft, and possibly theft of funds, as a result.

In the story, TSP officials indicated that they had identified numerous customers who had fallen victim to a key logging attack. The technique of keystroke logging was used in these cases to obtain TSP personal identification numbers and passwords, which in turn could provide access to identity information such as social security numbers (SSNs) in compromised accounts.

Michael Milner, Director of the U.S. Army Criminal Investigation Command (CIC) Computer Crime Investigative Unit, said that “personal information is increasingly available on ‘keylogger’ lists for sale through criminal networks and so far, all of the TSP cases involve the transfer of electronic funds, since criminals normally prefer the ‘paperless’ way to steal money.” Milner also went on to say that users should take steps to protect themselves from key loggers and malware, and should promptly close their web browsers after visiting the TSP site. Even then, he also observed that “logging off a Web site does not clear a browser’s memory, and subsequent users might be able to access the TSP account information.”

According to the TSP, external penetration testing they conducted confirmed that TSP records had not been breached, but that personal information for those users whose keystrokes had been logged was compromised. The institution also identified some customers who had relatively small amounts withdrawn from their accounts. As a security precaution, TSP has discontinued making electronic payments for online transactions.

I/O Devices

Besides key loggers and modems, you may find lots of unapproved and potentially dangerous devices on an organization’s network. The technologies behind many of them are discussed in the next section. Here is a list of some of these devices:

  • A UFD plugs into a USB port and stores up to 256 GB of data. Sizes vary, but these drives are affordable and no software is required to use them. These drives are also easily carried or concealed in pockets.
  • Compact Flash drives (CFDs) and memory sticks of many kinds come in capacities up to 128 GB. These drives are also affordable and highly portable, and plug right into most notebook PCs and mobile devices.
  • Secure Digital (SD) and miniature SD (miniSD) drives now come in capacities up to 64 GB (128 GB units are scheduled for release in 2011). Widely used in cell phones, cameras, and other portable devices, an increasing number of notebook PCs and portable devices now feature SD ports.
  • A portable laptop drive can be only half an inch thick and weigh less than 4 ounces, yet it can store 1 TB.

The common factor in all of these devices is that they are small, hold a lot of data, and are easy to transport. Detecting that they are being used on a network can be challenging because they are easy to conceal, and their data transfer rates are fast. Corporate policy should address use of such devices.
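One way to turn the approved-hardware inventory into a repeatable check is to compare what is actually attached to a machine against it. The following is an added example, not code from the book: it parses the one-line output format of the Linux lsusb tool (which the chapter does not mention), and the inventory, vendor allowlist and sample output are constructed for illustration.

```python
"""Audit attached USB devices against an approved-hardware inventory.

Added example for this chapter, not the book's code. It assumes the one-line
output format of the Linux `lsusb` tool; the inventory and sample output
below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One `lsusb` line looks like:
#   Bus 001 Device 003: ID 0781:5567 SanDisk Corp. Cruzer Blade
LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): "
    r"ID (?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\s*(?P<name>.*)$"
)

# Root hubs belong to the host controller itself, not to attached hardware.
ROOT_HUB_VENDORS = {"1d6b"}  # Linux Foundation (kernel root hubs)


@dataclass(frozen=True)
class UsbDevice:
    bus: str
    dev: str
    vid: str
    pid: str
    name: str

    @property
    def ident(self) -> str:
        """Vendor:product pair, the key used in the hardware inventory."""
        return f"{self.vid}:{self.pid}"


def parse_lsusb(text: str) -> list[UsbDevice]:
    """Parse `lsusb` output; lines that do not match the format are ignored."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            devices.append(UsbDevice(m["bus"], m["dev"], m["vid"].lower(),
                                     m["pid"].lower(), m["name"].strip()))
    return devices


def audit(lsusb_text: str, approved_devices: set[str],
          approved_vendors: set[str]) -> dict[str, list[UsbDevice]]:
    """Classify each attached device as approved, infrastructure, or unapproved.

    approved_devices holds exact "vid:pid" pairs from the inventory;
    approved_vendors holds vendor IDs whose products are all permitted.
    """
    result: dict[str, list[UsbDevice]] = {
        "approved": [], "infrastructure": [], "unapproved": []}
    for d in parse_lsusb(lsusb_text):
        if d.vid in ROOT_HUB_VENDORS:
            result["infrastructure"].append(d)
        elif d.ident in approved_devices or d.vid in approved_vendors:
            result["approved"].append(d)
        else:
            result["unapproved"].append(d)
    return result


# Constructed inventory: the devices issued with this workstation.
APPROVED_DEVICES = {"046d:c31c"}  # the issued Logitech keyboard
APPROVED_VENDORS = {"8087"}       # Intel integrated hubs on the motherboard

# Constructed sample `lsusb` output; the flash drive is not in the inventory.
SAMPLE_LSUSB = """\
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 003: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 004: ID 0781:5567 SanDisk Corp. Cruzer Blade
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""


def report(lsusb_text: str = SAMPLE_LSUSB) -> list[str]:
    """Return one line per unapproved device, ready for the investigator's notes."""
    findings = audit(lsusb_text, APPROVED_DEVICES, APPROVED_VENDORS)
    return [f"UNAPPROVED bus {d.bus} dev {d.dev} {d.ident} {d.name}"
            for d in findings["unapproved"]]


if __name__ == "__main__":
    for line in report():
        print(line)
```

On a live system, feed the output of `lsusb` into `report()` and treat every UNAPPROVED line as an item to locate, photograph and document before it is removed.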

USB Devices

In the early days of computing, each computer came with a limited number of ports to which you could attach devices. Printers connected to parallel printer ports, and most computers had only one port. Modems used the serial port, but so did Palm Pilots and digital cameras. Most computers had two serial ports. New technology was needed to support all of the I/O devices people wanted to attach to their computers.

Universal Serial Bus (USB)

A connectivity standard that allows for the connection of multiple devices without the need for additional software or hardware.

Today, all laptop and desktop computers come with two or more Universal Serial Bus (USB) connectors. USB connectors let you attach devices to your computer quickly and easily. Compared to other ways of connecting devices to your computer, USB devices are simple and straightforward. USB devices you can attach to your computer include printers, scanners, modems, and storage devices of all kinds and sizes.

You might need to attach more devices to a computer than you have USB ports. Purchasing an inexpensive USB hub enables you to connect additional USB devices to your computer. Figure 2-6 depicts a USB hub.

Figure 2-6: USB hub

The USB standard supports up to 127 devices per port, and USB hubs are covered in that standard. A hub typically includes four or more ports. Just plug a hub into any USB port on your computer, and then plug devices into the hub. You can add dozens of available USB ports to a single computer by chaining hubs together using USB cables.

USB standard version 2, which was released in April 2000, can support data rates up to 480 megabits per second (Mbps). USB standard version 3, released in November 2008 (the first commercial devices that implemented USB 3 became available in January 2010), supports data rates up to 5 gigabits per second (Gbps). At the time of this writing, USB 3 devices are starting to be widely available, but Intel isn’t expected to support the standard until 2011.

hot pluggable

Also called “hot swappable,” a computer device such as an external drive that you can connect without having to power down the computer first.

USB devices are also hot pluggable. This means they can be attached to and unplugged from the computer without turning off the system. No special settings are necessary to unplug the USB devices without damaging device data. Many USB data storage devices are tiny. For example, many UFDs are small enough to fit on a key ring. Just plug a UFD into your USB port, and the operating system (OS) recognizes it immediately, allowing you to transfer files at your convenience. When you’re done, simply eject the drive, plug it into another system, and transfer the files to that system.

FireWire

FireWire

An IEEE-1394 technology that implements a high-performance, external bus standard for rapid data transfer and streaming multimedia (such as video).

FireWire was originally developed by Apple and is now an official IEEE 1394 standard (more than 60 vendors belong to the 1394 Trade Association). At 400 Mbps, FireWire 1394a has base bandwidth nearly on par with USB 2 (a higher-bandwidth 1394b version, called FireWire 800, runs at 800 Mbps). FireWire is well-suited for transferring large data files, and supports up to 63 devices on a single bus. Connecting to a device is similar to using USB.

Just like USB, FireWire is plug-and-play compliant and hot swappable, so you can connect and disconnect devices without shutting down your computer.

Because this technology is well-suited for high-quality digital video and audio, FireWire drives are a convenient way to store pornography or proprietary company designs. FireWire can also be used on a plug-in storage device, making it easy to copy and then remove large amounts of data.

Keep Up with I/O Trends

As new technologies emerge, so do ways for intruders to infiltrate networks. Because technology is always changing, you have to evaluate new technologies before those devices appear on your (or your clients’) networks. You should spend some time reading about these new technologies as they are developed and marketed.

Everybody has become familiar with seeing people talking to themselves in public places, thanks to wireless in-ear headsets for mobile devices that are so small you can’t even see them when a person’s head is turned the wrong way. You have Bluetooth to thank for these moments of apparent lunacy, but as you’ll see, Bluetooth provides a great deal more functionality than enabling wireless voice link-ups: Bluetooth also enables printer, network, and even data transfer links.

Bluetooth

Bluetooth

A standard developed to allow various types of electronic equipment to make their own connections by using a short-range (10 meter) frequency-hopping radio link between devices.

Bluetooth was named after Harald Bluetooth, the king of Denmark in the late 900s. It doesn’t require any special equipment to work. The devices simply find one another and begin communicating.

Bluetooth operates on a frequency of 2.45 GHz, which is the same radio frequency band as baby monitors, garage door openers, and newer cordless phones.

The Bluetooth design ensures that Bluetooth devices and other devices sharing this band don’t interfere with one another. Bluetooth uses a technique called “spread-spectrum frequency hopping.” This means a device will use randomly chosen frequencies within a designated range and regularly hop, or change, from one frequency to another. Bluetooth transmitters change frequencies 1,600 times every second.

Bluetooth covers an astonishing array of products (more than 11,000 of them as we write this chapter, according to the product list at Bluetooth.com). They include audio/visual, phone and headset, automotive, networking, and widespread computer applications. Wireless mice, keyboards, speakers, printers, and even USB extenders are all available in Bluetooth versions.

eSATA

eSATA

External Serial Advanced Technology Attachment (eSATA) is an interface technology that permits external hard drives to use the same high-speed SATA interface that internal hard drives use.

To understand eSATA, you should first know that Serial Advanced Technology Attachment (SATA) was originally designed for high-speed internal connections for PC hard drives. Add an e for external on the front, and you get eSATA, a high-speed interface for external hard disks. As of 2009, modern PCs use SATA more or less exclusively for hard drives, and old-fashioned parallel interfaces serve only to support legacy devices.

SATA comes in three generations, so eSATA devices do, too:

  • SATA 1.5 Gbps is the first generation and supports data rates up to 1.5 Gbps. It’s also known as SATA 1.0.
  • SATA 3.0 Gbps is the second generation and supports data rates up to 3.0 Gbps. This exceeds the capability of all but the fastest solid state disks (SSDs), serial attached SCSI (SAS) drives, and flash drives currently available. It’s also known as SATA 2.0.
  • SATA 6.0 Gbps is the third generation and is a relatively recent introduction to the computing world (the standard was approved in July 2008, but devices and computer interfaces that implement the standard didn’t hit the market until late 2009). It’s also known as SATA 3.0.

Most eSATA devices (and interfaces) available today implement SATA 1.0 or 2.0, with 3.0 eSATA devices starting to enter the marketplace at the time of this writing. Over time, the newer and faster technology will garner more presence. The SATA (and eSATA) technology supports data transfers as fast as modern storage technology can go, especially in its 2.0 and 3.0 versions.

Unlike FireWire and USB, eSATA devices cannot draw power through the PC interface. This means external power is required for eSATA, which makes it less convenient—and harder to conceal—than these other two interfaces. However, its astounding speed (and increasing availability of eSATA ports and flash drives) means security policies for external storage devices must mention eSATA.

When it comes to modern external storage, eSATA and USB 3.0 represent the current pinnacle for bandwidth. Thus, these technologies are even better-suited for high-quality digital video and audio than FireWire. These, too, are compelling ways to grab and go out the door with pornography or proprietary company designs.

Other Technologies

In addition to the technologies we have already discussed, a few others are worth mentioning, especially wireless ones. The world of wireless is rapidly expanding, and you may find yourself investigating issues that involve capturing data through wireless devices. Here are brief descriptions of some of those technologies:

  • 802.1x is a standard developed for wireless local area networks (WLANs). It utilizes port-based network access control. Current standards range from 802.11a to 802.11n.
  • IR transmissions use an invisible light spectrum range for device communication, so the devices have to be in direct line of sight with each other.
  • I-Mode is NTT DoCoMo’s mobile Internet access system that originated in Japan.
  • BlackBerry is an end-to-end wireless solution developed by Research In Motion Limited.

These technologies make our lives easier, yet they can pose a threat to any network environment. A wireless device advertises that it is out there, making it easy for an intruder to pick up and monitor.
