One attempt at copier forensics
In April of 2010, CBS News kicked off a bit of a firestorm with an article about the lack of security in digital copiers. Like too many mainstream news articles about security, this one was a bit sensationalistic and lacked a broad perspective. Yes, there certainly are some copiers out there that keep unencrypted digital copies of scanned documents but based on my own experience and the experiences of other forensic examiners, there are a lot of secure copiers out there as well.
A high level view of my experience with one Ricoh copier follows. This is one copier that is not susceptible to accidental information leakage and that would require tools beyond those available to a normal forensic examiner to crack.
I was able to determine that:
- The copier uses two hard drives that have an identical 193 byte boot (?) sector and are superficially close but not identical after that. They contain large sections of null bytes.
- The copier uses two operating systems, one a BSD derivative and one a proprietary OS using a proprietary file system.
- The processor is a MIPS processor that is bi-endian, capable of operating in little or big endian mode.
I imaged both drives. None of the following tools will recognized a file system, RAID, or any artifacts in the images:
– FTK 3
– EnCase 6.15
– UFS Explorer
– RAID Reconstructor
To restate – running strings over the images produces no recognizable strings, none of the file carving tools locate any artifacts, and indexing produced no results.
To account for the bi-endian nature of the CPU, I swapped the bytes in both images with dd (‘swab’ option) and applied all the tools to the byte swapped images with the same negative results.
I looked at the images with a hex editor and found the 193 byte start to the drives along with the similar but not identical structure after that.
I don’t believe the drives were encrypted per se but it seems likely that they contain a proprietary file system.
I have output from the copier’s printer configuration utility that shows BSD style daemons and logging.
A Ricoh engineer who works in an area other than copiers confirmed that the copier does use two operating systems, and that one of them is proprietary and very tightly guarded.