TECHNICAL-ADVISORY-2021-006
DATA PASSTHROUGH OR RETENTION AND DEVICE/SYSTEM CLASSIFICATION CONSIDERATIONS
This technical advisory addresses data passthrough and retention in devices. This topic can inform decisions such as what the current classification of a device should be, and what the possibilities and considerations are for using the same device for both unclassified and classified work, or for various levels of classified work.
It is not always clear what data a device retains during and after certain operations, and this uncertainty affects whether a device can be used for various levels of classified work.
A “system” is a group of elements/components meant to function together. A system can therefore be a single device, such as a hard drive, or a group of devices, such as a server or a network. Data “passthrough” refers to whether or not data is persistently retained by an element as it passes through a system during an operation.
Since a device or system is considered to be classified at the highest level of the data contained therein, it can be argued that an element, and thus the system of which that element is a part, would only assume the classification of a set of data as long as that data is present in the element/system. So, if an element does not retain the passing data at all, it would also not assume its classification. If an element does retain the data for any period of time, the system containing the element would assume the highest classification level of that data only until the element, and thus the data, is removed. In some cases, it is also possible to purge the element of the data itself in its entirety (such as by removing the power from an element comprised of volatile memory), in which case the element will return to its original, unclassified state. If all the elements of a system that are persistently storing data are either removed or can have the data properly purged, the overall system would also return to its original unclassified state.
For some devices, such as data extraction devices with one main persistent storage element, clearing the volatile memory to prevent data from being stored/cached and then replacing the main storage element with one of the appropriate classification is what manufacturers recommend when moving the same extraction device between different classifications.
Many organizations (DC3 included) do NOT use separate devices/systems for each classification level out of necessity (though they may do so by practice and choice), since having a separate tool for every classification level and/or situation would greatly compound the cost and complication that come with the need to operate in several environments of different classifications. In the absence of first-hand testing, DC3 has been trusting vendor statements regarding the data retention of their systems, and removing persistent storage elements and purging volatile data as appropriate before moving a device between platforms of different classification levels. This is done in accordance with any DoD policies/instructions for handling and protecting classified data where applicable guidance is available.
Although it is the current practice to use vendor statements for guidance, DC3 recognizes that there are circumstances in which they may not be completely reliable. When a doubt or concern is raised about the supply chain or design of a specific device, further in-depth analysis can be performed by an entity capable of doing so, such as DC3. It is not practicable or realistic to attempt to deconstruct and reverse-engineer every tool entering the market, so submission of devices for vetting would be governed by community priorities, available resources, and other such factors.
Vendors must also be encouraged, and held responsible by the forensic community, to make data removal/purging a priority in their products. This includes building easy and reliable purging mechanisms into their products and operational workflows, providing clear instructions for the proper execution of these mechanisms, and providing clear documentation of what kinds of data are retained as well as where, how, and why.
Contributors and Acknowledgements
- Scott Lalliss, Kat Cole, Dr. Eoghan Casey (DC3)
- Vincent Olman, Clint Adamkavicius (U.S. Army)
- DC3 Editorial Board (Curation, Review, & Publication)

Technical Advisories are a five-minute read to raise awareness among investigators, forensic practitioners, attorneys, and judges about an emerging trend in Digital/Multimedia Forensics.
For additional information and forensic analysis capabilities, please reach out to DC3.