Transcript Slide 1
Computer Forensics BACS 371 Hiding Evidence in “Plain Sight”
Places to hide evidence
Evidence can be hidden in many places within a disk.
The notion of “empty space” on a disk is more complicated than you might suspect.
The question becomes “what are the different types of empty space?”
Usable Storage Space
Evidence can be found and hidden wherever there is usable storage space: Disk drives and file systems System processes and memory Central processing unit (CPU) and network card memory Digital cameras, mobile phones, music players Network storage and attached devices Network communications and protocols
Where do Files Get Hidden on the Disk?
File slack (RAM slack & Disk Slack) Volume slack, where partition boundaries leave free space Partition slack, where leftover sectors remain in stored blocks of data Good drive blocks marked as bad and used for storage
Where do Files Get Hidden on the Disk?
Host protected area (HPA) or vendor-specific drive space Master boot record (MBR) where empty drive sectors remain Boot sectors in non-bootable partitions
Data Hiding
Hard Drive Data Storage Concepts
Sector Minimum storage size on a hard drive One “pie shaped” arc of a platter Common storage size of 512 Bytes Established during low-level formatting Numbered sequentially starting at 1 Cluster (File Allocation Units) File Minimum storage size for a file as determined by file system Common cluster size is 4096 Bytes (4KB) – 8 Sectors Sectors Determined by file system Clusters File 8 Sectors 2 Clusters * Just an example, your file may occupy more or fewer clusters.
File
Collection of Information written to a disk Generally created in an application-specific format Occupies a fixed number of clusters Each file’s cluster has a pointer to the next cluster in the file The final cluster contains the End of File (EOF) marker
Files
Logical File Size Exact size of contents of file in bytes Physical File Size Amount of space a file occupies on disc in bytes File Slack Unused space between logical end of file and physical end
of a cluster
Two types: RAM slack and Disk Slack Physical File Size <- Logical File Size -> <- File Slack ->
File Slack
What does File Slack Contain?
Who knows??!!
Old data that was deleted but not overwritten yet May contain remnants of older files, or other evidence including Passwords Old directory structures Miscellaneous information ….
File Slack Example
Hello World!
Has 12 Characters in the file But occupies 4096 bytes on the disk!
File Slack Example
File Slack Example
File Contents: “Hello world!” 12 bytes 3 rd Sector Disk Slack: 4096 Bytes – 512 Bytes = 3584 Bytes 2 nd Sector RAM Slack: 512 bytes – 12 bytes = 500 bytes Assumptions: • Sector Size = 512 Bytes • Cluster Size = 4KB = 8 Sectors
File Slack Example
RAM Slack Unused space at the end of a sector. Contains information adjacent to the stored information from Main Memory (RAM).
The file has only 12 characters, but must write a minimum 512-byte block to the disk – the other 500 characters are whatever happen to be in RAM at the time.
Disk Slack Unused space at the end of the cluster. Contains information left over on the disk from prior files.
The file system must always write in multiples of clusters (4096 bytes in this case.) The other 3584 bytes (7 sectors) are filled with whatever used to be in the clusters before they were marked for deletion.
Ways of Hiding Information
Rename the File Make the Information Invisible Use Windows to Hide Files Protect the File with a Password Encrypt the File Use Steganography Compress the File Hide the Hardware Use Application programs
Rename the File
If you change the file suffix to a different one, then the standard Windows applications will not “see” it.
This is not a particularly effective way to hide data since the file will still run the application if you double-click on it.
This happens because there is an internal file signature that tells Windows which application to run.
Changing the external name does not affect this.
Use Windows to hide files
You can set a property on a file to make it “hidden”.
If you set a folder view options to not show hidden files, they become invisible.
Windows also automatically hides files with particular suffixes from being seen in the directory window.
The most common hidden type is .sys
If you name a file with a .sys suffix and then change the folder view options to not show hidden system files, they will also disappear.
Both of these methods are easy to overcome.
Use a Password
You can hide the contents of a file with a password.
On older versions of Windows this was not particularly effective.
More recent versions are significantly more robust.
While the passwords can be broken, it is not a trivial task.
Basic Approaches to Password Cracking
Illegal Methods Social Engineering Pretexting Phishing Login spoofing Keystroke logging Shoulder surfing Dumpster diving Security System Attacks
Basic Approaches to Password Cracking
Legal Methods Ask!
Interview/Interrogation Plain sight Post-It Notes Documents Guess Weak Encryption Dictionary Attack Brute Force Attac k
Guessing
1 Not surprisingly, many users choose weak passwords, usually one related to themselves in some way. Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by programs. Examples of insecure choices include: blank (none) the word "password", "passcode", "admin" and their derivates the user's name or login name the name of their significant other their birthplace or date of birth or another relative a pet's name automobile licence plate number a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters. a row of letters from a standard keyboard layout (eg, the and so on.
qwerty keyboard -- qwerty itself, asdf , or qwertyuiop ) Some users even neglect to change the default password that came with their account on the computer system. And some administrators neglect to change default account passwords provided by the operating system vendor or hardware supplier. A famous example is the use of FieldService as a user name with Guest as the password. If not changed at system configuration time, anyone familiar with such systems will have 'cracked' an important password; such service accounts often have higher access privileges than a normal user account.
The determined cracker can easily develop a computer program that accepts personal information about the user being attacked and generates common variations for passwords suggested by that information.
1 http://en.wikipedia.org/wiki/Password_cracking
Encrypt the File
This is the next level up from using a password.
It basically scrambles the bits of the file in a systematic way so that, with the proper key, it can be unscrambled.
Typically, any file with a password is also encrypted.
High level encryption can be extremely difficult to “crack” even with vast computer resources.
Use Steganography
This is a method where one file is embedded into the bits that make up another file.
Like encryption, it depends upon a password and a decoding algorithm to recover the original hidden data.
This can be particularly hard to uncover because text messages can be hidden in seemingly innocuous images or sound files.
Compress the file
This method is not particularly effective.
Most modern operating systems have built-in programs to compress and decompress files and folders.
Previously, this was not true, so a compressed file was as unreadable as an encrypted one.
Hide the Hardware
The computer settings can be manipulated so that specific hardware devices are invisible.
A close examination of the actual machine can quickly find this situation and the hardware can be made visible again.
Less obvious forms of this are to hide segments of a disk drive so that portions of the physical drive are not “counted” even by low-level disk partition tools.
Use Application Programs
You can hide data in application programs in various ways.
Word, for example, has several hiding places that can be used.
Likewise, webpages can hide a good deal of information in the code or in invisible text.
Methods for Hiding Data in Word Docs
Font Size Font Color Hidden Text Comments Track Changes Meta Data (File Properties) Author Organization … Versions Fast Saves
Methods for Uncovering Data in Word Docs
Select All -> Font Black on white Font Size Font Type Read as Text (notepad) Forensic tools (Hex Editor)