Hiding Data in “Plain Sight” Computer Forensics BACS 371

Ways of Hiding Information  Rename the File  Make the Information Invisible  Use Windows to Hide Files  Protect the File with a Password  Encrypt the File  Use Steganography  Compress the File  Hide the Hardware  Use Application programs

Rename the File  If you change the file suffix to a different one, then the standard Windows applications will not “see” it.  This is not a particularly effective way to hide data since the file will still run the application if you double-click on it.  This happens because there is an internal file signature that tells Windows which application to run.  Changing the external name does not affect this.

Use Windows to hide files  You can set a property on a file to make it “hidden”.  If you set a folder view options to not show hidden files, they become invisible.  Windows also automatically hides files with particular suffixes from being seen in the directory window.  The most common hidden type is.sys  If you name a file with a.sys suffix and then change the folder view options to not show hidden system files, they will also disappear.  Both of these methods are easy to overcome.

Use a Password  You can hide the contents of a file with a password.  On older versions of Windows this was not particularly effective.  More recent versions are significantly more robust.  While the passwords can be broken, it is not a trival task.

Basic Approaches to Password Cracking  Illegal Methods  Social Engineering  Pretexting  Phishing  Login spoofing  Keystroke logging  Shoulder surfing  Dumpster diving  Security System Attacks

Basic Approaches to Password Cracking  Ask!  Interview/Interrogation  Social Engineering  Plain sight  Post-It Notes  Documents  Guess  Social Engineering  Weak Encryption  Dictionary Attack  Brute Force Attack

Guessing 1  Not surprisingly, many users choose weak passwords, usually one related to themselves in some way. Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by programs. Examples of insecure choices include:  blank (none)  the word "password", "passcode", "admin" and their derivates  the user's name or login namelogin  the name of their significant other or another relativesignificant other  their birthplace or date of birth  a pet's name  automobile licence plate numberlicence plate  a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the letters.  a row of letters from a standard keyboard layout (eg, the qwerty keyboard -- qwerty itself, asdf, or qwertyuiop)qwerty keyboardasdfqwertyuiop  and so on.  Some users even neglect to change the default password that came with their account on the computer system. And some administrators neglect to change default account passwords provided by the operating system vendor or hardware supplier. A famous example is the use of FieldService as a user name with Guest as the password. If not changed at system configuration time, anyone familiar with such systems will have 'cracked' an important password; such service accounts often have higher access privileges than a normal user account.  The determined cracker can easily develop a computer program that accepts personal information about the user being attacked and generates common variations for passwords suggested by that information. 1

Encrypt the File  This is the next level up from using a password.  It basically scrambles the bits of the file in a systematic way so that, with the proper key, it can be unscrambled.  Typically, any file with a password is also encrypted.  High level encryption can be extremely difficult to “crack” even with vast computer resources.

Use Steganography  This is a method where one file is embedded into the bits that make up another file.  Like encryption, it depends upon a password and a decoding algorithm to recover the original hidden data.  This can be particularly hard to uncover because text messages can be hidden in seemingly innocuous images or sound files.

Compress the file  This method is not particularly effective.  Most modern operating systems have built-in programs to compress and decompress files and folders.  Previously, this was not true, so a compressed file was as unreadable as an encrypted one.

Hide the Hardware  The computer settings can be manipulated so that specific hardware devices are invisible.  A close examination of the actual machine can quickly find this situation and the hardware can be made visible again.  Less obvious forms of this are to hide segments of a disk drive so that portions of the physical drive are not “counted” even by low-level disk partition tools.

Use Application Programs  You can hide data in application programs in various ways.  Word, for example, has several hiding places that can be used.  Likewise, webpages can hide a good deal of information in the code or in invisible text.

Methods for Hiding Data in Word Docs  Font Size  Font Color  Hidden Text  Comments  Track Changes  Meta Data (File Properties)  Author  Organization  …  Versions  Fast Saves

Methods for Uncovering Data in Word Docs  Select All -> Font  Black on white  Font Size  Font Type  Read as Text  Forensic tools (Hex Editor)