Hiding Evidence in “Plain Sight” Computer Forensics BACS 371.


Places to hide evidence
- Evidence can be hidden in many places within a disk.
- The notion of “empty space” on a disk is more complicated than you might suspect.
- The question becomes “what are the different types of empty space?”

Usable Storage Space
Evidence can be found and hidden wherever there is usable storage space:
- Disk drives and file systems
- System processes and memory
- Central processing unit (CPU) and network card memory
- Digital cameras, mobile phones, music players
- Network storage and attached devices
- Network communications and protocols

Where do Files Get Hidden on the Disk?
- File slack (RAM slack & Disk Slack)
- Volume slack, where partition boundaries leave free space
- Partition slack, where leftover sectors remain in stored blocks of data
- Good drive blocks marked as bad and used for storage

Where do Files Get Hidden on the Disk?
- Host protected area (HPA) or vendor-specific drive space
- Master boot record (MBR) where empty drive sectors remain
- Boot sectors in non-bootable partitions

Data Hiding

Hard Drive Data Storage Concepts
- Sector
  - Minimum storage size on a hard drive
  - One “pie shaped” arc of a platter
  - Common storage size of 512 Bytes
  - Established during low-level formatting
  - Numbered sequentially starting at 1
- Cluster (File Allocation Units)
  - Minimum storage size for a file as determined by the file system
  - Common cluster size is 4096 Bytes (4KB) – 8 Sectors
- File
  - Determined by the file system
[Figure: sectors, clusters and a file; the file shown occupies 2 clusters of 8 sectors each. * Just an example, your file may occupy more or fewer clusters.]

File  Collection of Information written to a disk  Generally created in an application-specific format  Occupies a fixed number of clusters  Each file’s cluster has a pointer to the next cluster in the file  The final cluster contains the End of File (EOF) marker

Files  Logical File Size  Exact size of contents of file in bytes  Physical File Size  Amount of space a file occupies on disc in bytes  File Slack  Unused space between logical end of file and physical end of a cluster  Two types: RAM slack and Disk Slack Physical File Size

File Slack  What does File Slack Contain?  Who knows??!!  Old data that was deleted but not overwritten yet  May contain remnants of older files, or other evidence including Passwords Old directory structures Miscellaneous information ….

File Slack Example
“Hello World!” has 12 characters in the file, but occupies 4096 bytes on the disk!

File Slack Example
[Figure: the file contents “Hello world!” (12 bytes) sit in the 1st sector of the cluster; the 2nd, 3rd and later sectors are untouched. RAM Slack: 512 bytes – 12 bytes = 500 bytes. Disk Slack: 4096 Bytes – 512 Bytes = 3584 Bytes. Assumptions: Sector Size = 512 Bytes; Cluster Size = 4KB = 8 Sectors.]

File Slack Example  RAM Slack  Unused space at the end of a sector. Contains information adjacent to the stored information from Main Memory (RAM).  The file has only 12 characters, but must write a minimum 512-byte block to the disk – the other 500 characters are whatever happen to be in RAM at the time.  Disk Slack  Unused space at the end of the cluster. Contains information left over on the disk from prior files.  The file system must always write in multiples of clusters (4096 bytes in this case.) The other 3584 bytes (7 sectors) are filled with whatever used to be in the clusters before they were marked for deletion.

Ways of Hiding Information
- Rename the File
- Make the Information Invisible
- Use Windows to Hide Files
- Protect the File with a Password
- Encrypt the File
- Use Steganography
- Compress the File
- Hide the Hardware
- Use Application programs

Rename the File
- If you change the file suffix to a different one, then the standard Windows applications will not “see” it.
- This is not a particularly effective way to hide data, since the file will still run the application if you double-click on it.
- This happens because there is an internal file signature that tells Windows which application to run.
- Changing the external name does not affect this.
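An added example (not from the slides) of the signature check a forensic tool performs on a renamed file: it compares the leading bytes against a few well-known magic values and flags any suffix that disagrees with the content. The file headers are constructed sample data; for a file on disk, pass its name and its first 16 bytes.

```python
# Real, documented leading bytes for a few common formats (illustrative, not exhaustive).
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",   # also docx/xlsx/pptx/jar: they are ZIP containers
    b"MZ": "exe",           # Windows PE executables and DLLs
}
# Suffixes that legitimately share a detected format.
ALIASES = {"zip": {"zip", "docx", "xlsx", "pptx", "jar"}, "jpg": {"jpg", "jpeg"}, "exe": {"exe", "dll"}}

def identify(header):
    """Return the format implied by the leading bytes, or None if not recognised."""
    for magic, fmt in SIGNATURES.items():
        if header.startswith(magic):
            return fmt
    return None

def extension_mismatch(name, header):
    """Return (claimed_suffix, detected_format) if the suffix disagrees with the content."""
    suffix = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    fmt = identify(header)
    if fmt is None or suffix in ALIASES.get(fmt, {fmt}):
        return None          # unrecognised content, or suffix consistent with it
    return suffix, fmt

def scan(samples):
    """List (name, claimed_suffix, detected_format) for every mismatched (name, header) pair."""
    findings = []
    for name, header in samples:
        result = extension_mismatch(name, header)
        if result:
            findings.append((name, *result))
    return findings

# Constructed sample headers: "notes.txt" is really a ZIP and "setup.tmp" is really a PE file.
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("notes.txt", b"PK\x03\x04\x14\x00\x00\x00"),
    ("holiday.jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("budget.xlsx", b"PK\x03\x04\x14\x00"),
    ("setup.tmp", b"MZ\x90\x00\x03\x00"),
    ("readme.md", b"# Notes\n"),
]
```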

Use Windows to hide files
- You can set a property on a file to make it “hidden”.
- If you set the folder view options to not show hidden files, they become invisible.
- Windows also automatically hides files with particular suffixes from being seen in the directory window.
  - The most common hidden type is .sys
  - If you name a file with a .sys suffix and then change the folder view options to not show hidden system files, they will also disappear.
- Both of these methods are easy to overcome.

Use a Password
- You can hide the contents of a file with a password.
- On older versions of Windows this was not particularly effective.
- More recent versions are significantly more robust.
- While the passwords can be broken, it is not a trivial task.

Basic Approaches to Password Cracking
- Illegal Methods
  - Social Engineering
    - Pretexting
    - Phishing
    - Login spoofing
  - Keystroke logging
  - Shoulder surfing
  - Dumpster diving
  - Security System Attacks

Basic Approaches to Password Cracking
- Legal Methods
  - Ask! (Interview/Interrogation)
  - Plain sight (Post-It Notes, Documents)
  - Guess
  - Weak Encryption
  - Dictionary Attack
  - Brute Force Attack

Guessing 1
Not surprisingly, many users choose weak passwords, usually one related to themselves in some way. Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by programs. Examples of insecure choices include:
- blank (none)
- the word "password", "passcode", "admin" and their derivatives
- the user's name or login name
- the name of their significant other or another relative
- their birthplace or date of birth
- a pet's name
- automobile licence plate number
- a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters
- a row of letters from a standard keyboard layout (e.g. the qwerty keyboard: qwerty itself, asdf, or qwertyuiop)
- and so on.
Some users even neglect to change the default password that came with their account on the computer system. And some administrators neglect to change default account passwords provided by the operating system vendor or hardware supplier. A famous example is the use of FieldService as a user name with Guest as the password. If not changed at system configuration time, anyone familiar with such systems will have 'cracked' an important password; such service accounts often have higher access privileges than a normal user account.
The determined cracker can easily develop a computer program that accepts personal information about the user being attacked and generates common variations for passwords suggested by that information. 1

Encrypt the File
- This is the next level up from using a password.
- It basically scrambles the bits of the file in a systematic way so that, with the proper key, it can be unscrambled.
- Typically, any file with a password is also encrypted.
- High level encryption can be extremely difficult to “crack” even with vast computer resources.

Use Steganography
- This is a method where one file is embedded into the bits that make up another file.
- Like encryption, it depends upon a password and a decoding algorithm to recover the original hidden data.
- This can be particularly hard to uncover because text messages can be hidden in seemingly innocuous images or sound files.

Compress the file
- This method is not particularly effective.
- Most modern operating systems have built-in programs to compress and decompress files and folders.
- Previously, this was not true, so a compressed file was as unreadable as an encrypted one.

Hide the Hardware
- The computer settings can be manipulated so that specific hardware devices are invisible.
- A close examination of the actual machine can quickly find this situation and the hardware can be made visible again.
- Less obvious forms of this are to hide segments of a disk drive so that portions of the physical drive are not “counted” even by low-level disk partition tools.

Use Application Programs
- You can hide data in application programs in various ways.
- Word, for example, has several hiding places that can be used.
- Likewise, webpages can hide a good deal of information in the code or in invisible text.

Methods for Hiding Data in Word Docs
- Font Size
- Font Color
- Hidden Text
- Comments
- Track Changes
- Meta Data (File Properties)
  - Author
  - Organization
  - …
- Versions
- Fast Saves

Methods for Uncovering Data in Word Docs
- Select All -> Font
  - Black on white
  - Font Size
  - Font Type
- Read as Text (notepad)
- Forensic tools (Hex Editor)
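An added example (not from the slides) that automates the uncovering methods above for the .docx (Office Open XML) format rather than the older binary .doc: it reads word/document.xml straight out of the ZIP container and reports text runs marked hidden, coloured white, or set to a tiny font size. The document it scans is constructed in memory and contains only the one part that is inspected.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}

def build_sample_docx():
    """Constructed in-memory .docx: one visible run and three concealed ones."""
    doc = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body><w:p>
<w:r><w:t>Quarterly report</w:t></w:r>
<w:r><w:rPr><w:vanish/></w:rPr><w:t>hidden: wire code 4471</w:t></w:r>
<w:r><w:rPr><w:color w:val="FFFFFF"/></w:rPr><w:t>white on white</w:t></w:r>
<w:r><w:rPr><w:sz w:val="2"/></w:rPr><w:t>one point text</w:t></w:r>
</w:p></w:body></w:document>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:   # a real .docx has more parts; only this one is scanned
        z.writestr("word/document.xml", doc)
    return buf.getvalue()

def find_concealed_runs(docx_bytes, max_half_points=8):
    """Return (reason, text) for runs hidden via w:vanish, white colour or tiny size."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    found = []
    for run in root.iter(f"{{{W}}}r"):
        text = "".join(t.text or "" for t in run.findall("w:t", NS))
        props = run.find("w:rPr", NS)
        if props is None or not text:
            continue                       # plain visible run, or no text to conceal
        if props.find("w:vanish", NS) is not None:
            found.append(("hidden-text", text))
        color = props.find("w:color", NS)
        if color is not None and color.get(f"{{{W}}}val", "").upper() == "FFFFFF":
            found.append(("white-font", text))
        size = props.find("w:sz", NS)      # w:sz is in half-points: 2 means a 1 pt font
        if size is not None and int(size.get(f"{{{W}}}val", "0")) <= max_half_points:
            found.append(("tiny-font", text))
    return found
```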