2008-06-26 03:12 PM
I'm trying to get some background info for my legal department.
I'm not very savvy when it comes to hardware, but what would prevent someone (with time, motivation, and physical access to the drives) from bypassing the SnapLock software or even the OnTap OS and altering files directly on the media.
Granted, this would probably be beyond the sophistication of most, but is it technically possible?
We're trying to get off OSAR, but our legal department likes the "truly" unalterable media format.
We tried to make the case that even OSAR can be faked (copy all data to new disk with new alterations), but they just covered their ears and started making funny sounds to drown us out. ;?)
Anyone familiar enough with the system to provide some insight?
2008-07-25 10:54 PM
One of the beauties of how SnapLockC works is that once data is written - it is locked until the data expires or the drives are physically destroyed.
If you went the route of pulling disks and attempting direct writes to them, you're not going to get anywhere there, based upon how the data is layered upon the disk.
Once written, we're locked in until the ComplianceClock expires - And then we can delete, but not modify the data.
Here are a few reference docs on SnapLock and the ComplianceClock which is always great reading for Legal..
Hopefully this helps address your situation.
WORM Storage on Magnetic Disks Using SnapLock® Compliance and SnapLock Enterprise
Does SnapLock protection stop when I remove the license?
Understanding SnapLock® ComplianceClock™
2008-07-26 10:34 AM
Thanks for your response, but I guess I'm still missing something.
If a "black hat" had low-level access to the drive, knew the internals of OnTap's file system enough to find the MFT, and understood whatever, if any, encryption/hashing algorthim is used on the individual files/blocks, could he/she replace selected ones with modified versions?
I realize that we're probably talking NSC-level sophication, but is it technically possible?
Our Legal department's contention is that data can't be "reburnt" to the optical disk (which may or may not be true), while magnetic can.
We have holes that you could drive a bus through, but they are fixated on this trivial detail.
2008-07-26 07:34 PM
Scott, I understand the legal departments position on it.
With intimate knowledge of the inner workings, physical access, the ability to take the media offline and manipulate it, and even copy and replace.
Given those circumstances - we could then indeed end up replacing data which resides on optical disk.
However, from an operational and auditing perspective when we're talking about working with volumes which are treated with SnapLock - we tend to have additional boundaries to work with.
Optical disk - treated as it is, is more or less hardware utilized by some technology, at which point you need to only exploit the technology utilizing the media.
Working within the realm of SnapLockC, we have a number of hardware and software components to work with, which have their own checks and balances to deal with.
From a compliance and auditing perspective with filers you would be able to report on a downtime event, the length of the impact, the impact it had and any subsequent changes as a result of that downtime. Then within the SnapLock volume(s) itself, there are a number of methods of accounting, checksums, hashing, etc - letting you have a traceable event to tie back to any potential for modification (Though given the circumstance of an attempt at modification, I'd be more concerned with the storage outage of an active WORM filesystem, compared with a writable destination which may be referenced at times.)
That is one of the differences of Magnetic WORM vs Optical WORMS, is that most opticals are treated like a black-box: in that it is something you don't even think about or look at until there is a problem. Part of the reasoning behind that, is it often so complicated and difficult to try to report or act against it, it truly is a black box.
In this particular implementation of a Magnetic WORM - we have all the assurance of an Optical medium, but with the intelligence to audit and hold accountable directly the medium, so we'll know when data is coming out of its retention (5yr, 7yr, 30yr or unlimited, etc) - in a matter which isn't hidden and secluded behind smoke and mirrors.
With that, the perception of magnetic WORM's isn't the pariah that most legal departments view it as, infact even more of an advanced form of the prior optical medium without the limitations within the space - while also shielding it through technical advancements and sophistication so as to protect it from the vulnerabilities which do exist in optical WORM's but are usually seen as 'unlikely'.
Hopefully this was beneficial to the effort you're looking to accomplish.
My opinions and technical guidance reflect my security background and experience of other black and white hats in industry.
Thanks Scott and good luck!