
One attempt at copier forensics

In April of 2010, CBS News kicked off a bit of a firestorm with an article about the lack of security in digital copiers. Like too many mainstream news articles about security, this one was a bit sensationalistic and lacked a broad perspective. Yes, there certainly are some copiers out there that keep unencrypted digital copies of scanned documents, but based on my own experience and the experiences of other forensic examiners, there are a lot of secure copiers out there as well.

A high-level view of my experience with one Ricoh copier follows. This is one copier that is not susceptible to accidental information leakage and that would require tools beyond those available to a normal forensic examiner to crack.

I was able to determine that:

  1. The copier uses two hard drives that have an identical 193 byte boot (?) sector and are superficially close but not identical after that. They contain large sections of null bytes.
  2. The copier uses two operating systems, one a BSD derivative and one a proprietary OS using a proprietary file system.
  3. The processor is a MIPS processor that is bi-endian, capable of operating in little or big endian mode.

I imaged both drives. None of the following tools will recognize a file system, RAID, or any artifacts in the images:

– X-Ways
– FTK 3
– EnCase 6.15
– UFS Explorer
– RAID Reconstructor
– strings

To restate – running strings over the images produces no recognizable strings, none of the file carving tools locate any artifacts, and indexing produced no results.

To account for the bi-endian nature of the CPU, I swapped the bytes in both images with dd (the conv=swab option) and applied all the tools to the byte-swapped images with the same negative results.

I looked at the images with a hex editor and found the 193 byte start to the drives along with the similar but not identical structure after that.
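The checks described above (a shared leading run of bytes, large null regions, and strings run over both the raw and the byte-swapped image) as an added example; this is not code from the original post, and the two sample images are constructed here rather than taken from the LD228C drives.

```python
import re
import sys

# Constructed sample images (not the author's real copier drives): both share a
# 193-byte header, are mostly null bytes, and image A holds one ASCII string
# that was written by a host whose 16-bit words are byte-swapped.
_HEADER = bytes([0xA5, 0xC3]) * 96 + b"\xff"        # 193 bytes, identical on both drives

def swab(data: bytes) -> bytes:
    """Swap every pair of adjacent bytes, as `dd conv=swab` does; a trailing odd byte is kept."""
    out = bytearray(data)
    n = len(data) - len(data) % 2
    out[0:n:2] = data[1:n:2]
    out[1:n:2] = data[0:n:2]
    return bytes(out)

# The swapped string starts at an even offset (193 + 1001), so a whole-image swab restores it.
IMAGE_A = _HEADER + b"\x01" + b"\x00" * 1000 + swab(b"ifconfig: eth0") + b"\x00" * 500
IMAGE_B = _HEADER + b"\x02" + b"\x00" * 1199 + b"\x80\x81\x82" + b"\x00" * 297

def common_prefix_len(a: bytes, b: bytes) -> int:
    """Length of the identical leading run two images share (the 193-byte sector in the post)."""
    i, n = 0, min(len(a), len(b))
    while i < n and a[i] == b[i]:
        i += 1
    return i

def null_ratio(data: bytes) -> float:
    """Fraction of null bytes; large null sections are one of the post's observations."""
    return data.count(0) / len(data) if data else 0.0

def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal `strings`: runs of printable ASCII at least min_len bytes long."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]

def triage(img_a: bytes, img_b: bytes, min_len: int = 4) -> dict:
    """Run the post's checks over both images, raw and byte-swapped."""
    return {
        "shared_header_len": common_prefix_len(img_a, img_b),
        "null_ratio": (round(null_ratio(img_a), 3), round(null_ratio(img_b), 3)),
        "strings_raw": ascii_strings(img_a, min_len) + ascii_strings(img_b, min_len),
        # Byte-swapped ASCII is still printable but unreadable ("fiocfngi :te0h"); swab restores it.
        "strings_swab": ascii_strings(swab(img_a), min_len) + ascii_strings(swab(img_b), min_len),
    }

if __name__ == "__main__":
    if len(sys.argv) == 3:      # real images: compare the first 64 MiB of each
        imgs = [open(p, "rb").read(64 << 20) for p in sys.argv[1:3]]
    else:
        imgs = [IMAGE_A, IMAGE_B]
    for key, value in triage(*imgs).items():
        print(f"{key}: {value}")
```

Because `dd conv=swab` pairs bytes from the start of the stream, a string at an odd offset is only recovered after also trying the image shifted by one byte.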

I don’t believe the drives were encrypted per se but it seems likely that they contain a proprietary file system.

I have output from the copier’s printer configuration utility that shows BSD style daemons and logging.

A Ricoh engineer who works in an area other than copiers confirmed that the copier does use two operating systems, and that one of them is proprietary and very tightly guarded.

  1. H. Barnwell
    October 15, 2010 at 3:44 pm

    Excellent article, can you share with us which Ricoh Model you performed the evaluation on?

    • October 30, 2010 at 6:34 pm

      It was a Lanier LD228C, which is a Ricoh under the covers….

  2. Snare B
    December 27, 2010 at 5:09 pm

    Could I ask what operators you added to the dd command so as to reverse endianness? I'm trying to acquire a hard drive from an embedded device.

    • December 27, 2010 at 5:18 pm

      Greetings,

      Look at the conv=swab option.

      -David

    • March 4, 2011 at 10:09 pm

      Greetings,

      Look at the “-swab” option to dd.

      -David
