8

Alice, an anonymous informant, would like to transmit digital documents to Bob while maintaining her anonymity.

For whatever reason, she chooses to copy the documents to some kind of physical removable storage, for example: USB flash drives, external hard drives or DVD-ROM / BD-ROM, and deliver the media to Bob via sneakernet.

(Assume it's possible to deliver the physical media to Bob anonymously, there's no physical identifiable evidence (fingerprints, etc.), and the documents themselves do not contain identifiable information.)

In what ways may Alice inadvertently leave identifiable information in the removable storage, so that Bob can trace back to Alice?

I am looking for answers that apply uniquely to the usage of physical media, as opposed to e.g. transferring the documents by Internet. For an obvious example: If Alice edited a .docx file with Microsoft Word, she may have left identifiable metadata in the file. However such metadata will be available whether she used sneakernet or Internet to transfer that document, so this is not a valid answer for this question.

Some ideas I can think of:

  • DVD / Blu-ray burners writing their serial numbers to the blank media. (We know laser printers encode their serial numbers in printouts. Do optical drives do something similar?)
  • Identifiable metadata in file system, either at FS creation or with files stored in them. For example, I imagine NTFS knows a user's SID if any file has permissions assigned for that user. Does e.g. casually copying a file from "My Documents" to an NTFS-formatted flash drive leave your SID in that flash drive? What about Linux file systems? A bare UID:GID doesn't seem very identifiable, but what about ACL?
  • Serial number of the media itself. Perhaps the serial number of a portable hard drive can somehow be traced back to the purchaser.

How plausible are any of these scenarios above? What else can you think of?

1 Answer

3

Very plausible. Windows stores device information from connected USB devices in the registry; this is commonly used in forensics.

If you attach an iPod/iPhone, it can leave traces on the local system as well, and traces of the system you connected to may be left on the device.

Endpoint DLP and antivirus may also scan removable media and leave traces. If a device is scanned upon being inserted, files may be indexed, copied, or entered into logs.


CD/DVD media is less likely to include media metadata or serial numbers, but the media name assigned to the disk may be useful.

If Alice cannot control or cannot guarantee the security of Bob's system, she may be better off at least using some fresh media (brand new in package, randomly selected) and not connecting the media to a system with any unique data (e.g., boot up in LiveCD then copy from one media to another; or more paranoid, use a new or public PC which cannot easily be linked back to Alice).

Eric G
  • Thanks for the answer! If I understand correctly, the issues with Windows logging USB devices and AV software are about traces left entirely on Alice's computer, and not the removable media themselves. So unless the adversary already had a reason to search Alice's computer, they would not be able to gain such information. Is that correct? – twisteroid ambassador Mar 14 '15 at 20:26
  • Yes and no. The information will populate on Bob's computer as well when he connects the device. Moreover, since Bob has physical control he can probe the device, use forensic techniques and tools to look for metadata in old deleted files, etc. Depending on Bob's resources or the resources of someone attacking Bob (a nation state) they may be able to correlate device ids or other information in a database containing information they obtained otherwise. If they previously targeted Alice and have identifiers on her, and they find these on Bob's system, they can be cross referenced. – Eric G Mar 14 '15 at 20:45
  • See `blkid` [man blkid](http://linux.die.net/man/8/blkid) – earthmeLon Mar 20 '15 at 21:08
  • Apparently [DVD-R does store the serial number](https://security.stackexchange.com/questions/12363/do-burned-dvds-contain-trackable-information/13075#13075) of the drive used to burn it. – forest Dec 11 '17 at 05:54
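
The filesystem-level identifiers raised in the question and in the `blkid` comment can be read straight from a volume header. The following is an added example, not code from any poster in this thread: it extracts those fields from FAT and ext2/3/4 headers, going slightly beyond the NTFS and Linux cases the question names. The sample images are constructed, and the serial, UUID, label and user name `alice` in them are made up.

```python
import struct
import uuid

def _text(raw: bytes) -> str:
    """Decode a fixed-width on-disk string padded with NULs or spaces."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace").strip()

def volume_identifiers(image: bytes) -> dict:
    """Return the identifying fields found in a volume's filesystem header."""
    # ext2/3/4: superblock at byte 1024, magic 0xEF53 at superblock offset 0x38.
    if len(image) >= 2048 and image[1024 + 0x38:1024 + 0x3A] == b"\x53\xef":
        sb = image[1024:2048]
        return {
            "fs": "ext",
            "uuid": str(uuid.UUID(bytes=sb[0x68:0x78])),
            "label": _text(sb[0x78:0x88]),
            "last_mounted": _text(sb[0x88:0xC8]),  # e.g. /media/<user>/<label>
        }
    # FAT: 0x55AA signature; FAT32 has a zero 16-bit sectors-per-FAT field (offset 22).
    if len(image) >= 512 and image[510:512] == b"\x55\xaa":
        off = 66 if image[22:24] == b"\x00\x00" else 38  # extended BPB marker position
        if image[off] == 0x29:
            (serial,) = struct.unpack_from("<I", image, off + 1)
            return {
                "fs": _text(image[off + 16:off + 24]),
                "uuid": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
                "label": _text(image[off + 5:off + 16]),
                "oem": _text(image[3:11]),  # written by the formatting tool
            }
    return {"fs": "unknown"}

def sample_fat32() -> bytes:
    """Constructed FAT32 boot sector; every value here is made up."""
    bs = bytearray(512)
    bs[3:11] = b"MSDOS5.0"
    struct.pack_into("<BI", bs, 66, 0x29, 0x1A2B3C4D)  # marker + volume serial
    bs[71:82] = b"DOCS".ljust(11)
    bs[82:90] = b"FAT32".ljust(8)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)

def sample_ext4() -> bytes:
    """Constructed ext4 header; the user name 'alice' is made up."""
    img = bytearray(2048)
    img[1024 + 0x38:1024 + 0x3A] = b"\x53\xef"
    img[1024 + 0x68:1024 + 0x78] = uuid.UUID("6f1d2c3b-4a59-4e87-9b0a-1c2d3e4f5a6b").bytes
    img[1024 + 0x78:1024 + 0x88] = b"docs".ljust(16, b"\x00")
    img[1024 + 0x88:1024 + 0xC8] = b"/media/alice/docs".ljust(64, b"\x00")
    return bytes(img)
```

The FAT serial is formatted the way `blkid` prints it as a UUID; reformatting the volume on a machine with no link to the sender replaces every field shown here.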