How to handle PII-like strings found in binary data streams
The following is a working draft based on a case where forensic analysis resulted in the discovery of an SSN-like string embedded in a TIF image binary data stream. The procedure starts after discovery and ends with resuming the normal routine for creating a preservation package.
What you need
A data preview and imaging tool, like FTK Imager
A picture viewer, browser and converter, like XnView
What you do
Add the disk image as an evidence item.
Verify the PII in the TIF by viewing the file in hex format.
Export the TIF to a locally created export destination.
Convert the TIF to JPG using an imaging editor.
Add the export destination as an evidence item in FTK.
Search for the PII text, or search for the hex. You shouldn't find any PII in the derivative JPG file, as it's a new binary stream.
From here, follow the routine steps of updating analysis reports, like bulk extractor .txt files, by replacing PII strings with redacted values (i.e. SSN: XXX-XX-XXXX).
Document the redaction efforts made, per the usual documentation routine.
Finally, proceed with the routine AIP steps for preservation.
Todo: document batch converting similar file formats. Batch edit analysis reports, like bulk extractor .txt files, using vim/grep/sed.
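The search and redaction steps above can also be run as a batch over the whole export destination. The following is an added example, not part of the original procedure or of any tool named on this page: it reports the byte offset of every SSN-like string in each exported file (ASCII or UTF-16LE), so the derivative JPGs can be confirmed clean, and it redacts report text. The sample bytes and the tab-separated report line are constructed, and the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

# SSN-like shape (ddd-dd-dddd), not embedded in a longer digit run.
SSN_TEXT = r"(?<![0-9])[0-9]{3}-[0-9]{2}-[0-9]{4}(?![0-9])"
SSN_ASCII = re.compile(SSN_TEXT.encode("ascii"))
# Same shape stored as UTF-16LE text: every character is followed by a NUL byte.
SSN_UTF16 = re.compile(rb"(?:[0-9]\x00){3}-\x00(?:[0-9]\x00){2}-\x00(?:[0-9]\x00){4}")
REDACTED = "XXX-XX-XXXX"

# Constructed sample data (area number 000 is never issued as a real SSN).
SAMPLE_TIF = b"II*\x00" + b"\x00" * 12 + b"Scanned form SSN: 000-12-3456\x00"
SAMPLE_REPORT = "34\t000-12-3456\tform SSN: 000-12-3456\n"


def find_ssn_like(data):
    """Return sorted (byte offset, encoding) hits for SSN-like strings."""
    hits = [(m.start(), "ascii") for m in SSN_ASCII.finditer(data)]
    hits += [(m.start(), "utf-16le") for m in SSN_UTF16.finditer(data)]
    return sorted(hits)


def scan_export(folder):
    """Scan every file under the export destination; map path -> hits."""
    results = {}
    for path in sorted(Path(folder).rglob("*")):
        if path.is_file():
            hits = find_ssn_like(path.read_bytes())
            if hits:
                results[str(path)] = hits
    return results


def redact_report(text):
    """Replace SSN-like strings in report text; return (new_text, count)."""
    return re.subn(SSN_TEXT, REDACTED, text)


if __name__ == "__main__":
    print(find_ssn_like(SAMPLE_TIF))
    print(redact_report(SAMPLE_REPORT))
    # Optional: pass export destination folders as arguments to scan them.
    for folder in sys.argv[1:]:
        for name, hits in scan_export(folder).items():
            print(name, [(hex(off), enc) for off, enc in hits])
```

Any hit reported for a derivative JPG means the string survived conversion and the file needs another look in the hex view before it goes into the preservation package.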