Search This Blog

Thursday, November 4, 2010

How Your Office Copier is Spying...

So I was looking into the specs for the Canon ir2200.  This is a copier/printer/scanner/fax-type device that costs around $1,500.00 USD used, a lot more new.

This is the kind of device you might find in any office.  Typically something like this is leased.  In fact, most modern copiers are leased these days.

The specs for this device include the following:

Image Server Memory: Standard 128MB RAM+5.1GB

So this is not only a copier/printer/scanner/fax device, but it has a hard drive and a built in processor of some sort as well.


I did a bit of digging and I came up with this PDF on "The Forensic Analysis of Digital Copiers":

"Many modern digital copiers store copied and printed information on internal hard drives.  Such information may have value as evidence. In order to test the possiblities for evidence extraction from copiers, two digital copiers containing hard drives were dismantled and forensically analyzed. The analysis shows that it is possible to retrieve exact copies of documents that has previously been copied and/or printed on digital copiers. "

So this device, as probably most or all of the same type, doesn't simply image your copy onto the old-fashioned selenium drum, charge the drum, let toner stick to the drum, and impress the toner on the paper.  No.  It scans your page into a hard drive memory and prints it out onto the page.  This PDF is about using that information as evidence.

Apparently it never deletes the scanned image.

Now the old fashioned copier method ensured security because once the selenium drum as discharged all the toner would come off - leaving almost no trace of what was copied.  I suppose someone very clever could probably recover an image or two from the toner residue on the drum.  But that's probably a lot more tricky and complicated than what I am about to describe.

So these folks in the forensic analysis PDF do the following:

1) They scan a set of 20 pages of known content into the copier.

2) They take the copier apart.  Apparently this involves nothing complicated.

3) They find the hard drive: a standard 2 ½ “ ATA hard drive of size 5.6 Gb. "The drive was easily imaged using EnCase 3.20 through a writer blocker on a standalone computer."  The EnCase 3.20 is some sort of commercially available disk tool for accessing contents computer hard drives.  Basically you physically remove the drive from the copier and hook it up to this device - most geeky 12-year olds could do this.  My guess its probably not even as complicated as they describe.

So they dump out the information on the hard drive:

Code Type Start Sector Total Sectors  Size
06 BIGDOS 0 8401995 4.0GB
06 BIGDOS 8401995 1269135 619.7MB
06 BIGDOS 9671130 1028160 502.0MB
06 BIGDOS 10699290 1028160 502.0MB

Their first attempts to read the information yield some gibberish, but with some effort:

"... it was found that swapping the bytes of the entire file systems, the contents could be read. The file systems of partition 2-4 were now readable as a variant of the FAT file system (with headers reading as “VXDOS”.) The first partition however contains no clearly visible file system (With header reading “NadaFSFastVCTTable”.

It was however found that the contents of this partition was indeed corresponding to the direct storage of images of previously copied document pages. These pages could be extracted and viewed in a standard image viewer.

4) They find their 20 pages of images.

Now they don't specify the image format used but my guess would be TIFF or JPEG - very standard because open-source (free) software is available to read and write these formats.

The byte-swapping they describe is because the device was probably designed in Japan.  Japanese DOS-type operating systems, no doubt like the one used in the ir2200, use a different byte order than those in the US.

So, in the case of the Canon ir2000, it can store about 4.000 images.  Now, most software that's embedded in a device like this is fairly dumb.  My guess is that it simply cycles through all 4,000 image slots as copies are made and only starts writing over previously copied and stored images on copy 4,001 - leaving an embedded history of the last 4,000 copies at any given time.

The analysis I describe to was done by some sort of group associated with gathering evidence, i.e., lawyers or prosecutors.

So what does this mean for you?

Well, for one thing that photocopy of your "rear end" made at the last Christmas party might still be lingering in the office copier (remember that the device I discuss is about 7 years old and has a tiny 5.6Gb drive - I am sure newer devices have much larger drives holding a much longer history of images).

If your boss leased the copier and the lease has run out since then your "rear end" copy might be hanging out across town at this very moment - say at "Joe's Autobody".  Hopefully little Joe Jr. isn't reading this article...

It turns out that "erasing" this hard drive is not something that happens between one lease and another. (Though by now there is no doubt legislation making it a federal felony of some horrific sort to not erase the drive - but still I doubt anyone bothers.)

On the other hand, if you made copies of your spouses or boss's personal files for revenge, well, that evidence may also still be on the copier.  Hopefully their lawyers are reading this either...

Then there's the issue of whether the device supports networking.  If so, no doubt there is hackery to simply access the images.  Imagine the fun when someone emails the image of your "rear end" to ... well, you get the picture (no pun intended).

The bottom line is this: modern copiers are not your friend.  Public copiers even less so...

Who knew?

1 comment: