Hiding Data in “Plain Sight”

Computer ForensicsBACS 371

Places to hide data

Evidence can be hidden in many places within a disk.

The notion of “empty space” on a disk is more complicated than you might suspect.

The question becomes “what are the different types of empty space?”

Usable Storage Space

Data can be found and hidden wherever there is usable storage space:

Disk drives and file systems System processes and memory Central processing unit (CPU) and network

card memory Digital cameras, mobile phones, music

players Network storage and attached devices Network communications and protocols

Where do Files Get Hidden on the Disk? File slack (RAM slack & Disk Slack) Volume slack, where partition

boundaries leave free space Partition slack, where leftover sectors

remain in stored blocks of data Good drive blocks marked as bad and

used for storage

Where do Files Get Hidden on the Disk? Host protected area (HPA) or vendor-

specific drive space Master boot record (MBR) where

empty drive sectors remain Boot sectors in non-bootable

partitions

Data Hiding

Hard Drive Data Storage Concepts Sector

Minimum storage size on a hard drive One “pie shaped” arc of a platter Common storage size of 512 Bytes Established during low-level formatting Numbered sequentially starting at 1

Cluster (File Allocation Units) Minimum storage size for a file as determined by file system Common cluster size is 4096 Bytes (4KB) – 8 Sectors

File Determined by file system

Sectors

Clusters

File 2 Clusters

8 Sectors* Just an example,

your file may occupy more or fewer clusters.

File

Collection of Information written to a disk

Generally created in an application-specific format

Occupies a fixed number of clusters Each file’s cluster has a pointer to the

next cluster in the file The final cluster contains the End of File

(EOF) marker

Files

Logical File Size Exact size of contents of file in bytes

Physical File Size Amount of space a file occupies on disc in

bytes File Slack

Unused space between logical end of file and physical end of a cluster

Two types: RAM slack and Disk Slack

<- Logical File Size -> <- File Slack ->

Physical File Size

File Slack

What does File Slack Contain? Who knows??!! Old data that was deleted but not

overwritten yet May contain remnants of older files, or

other evidence including Passwords Old directory structures Miscellaneous information ….

File Slack Example

Hello World!

Has 12 Characters in the file

But occupies 4096 bytes on the disk!

File Slack Example

File Slack Example

File Contents:“Hello world!”12 bytes

2nd Sector

3rd Sector

RAM Slack:512 bytes – 12 bytes = 500 bytes

Disk Slack:4096 Bytes – 512 Bytes = 3584 Bytes

Assumptions:• Sector Size = 512 Bytes• Cluster Size = 4KB = 8 Sectors

File Slack Example

RAM Slack Unused space at the end of a sector. Contains information

adjacent to the stored information from Main Memory (RAM). The file has only 12 characters, but must write a

minimum 512-byte block to the disk – the other 500 characters are whatever happen to be in RAM at the time.

Disk Slack Unused space at the end of the cluster. Contains information left

over on the disk from prior files.

The file system must always write in multiples of clusters (4096 bytes in this case.) The other 3584 bytes (7 sectors) are filled with whatever used to be in the clusters before they were marked for deletion.

Ways of Hiding Information

Rename the File Make the Information Invisible Use Windows to Hide Files Protect the File with a Password Encrypt the File Use Steganography Compress the File Hide the Hardware Use Application programs

Rename the File

If you change the file suffix to a different one, then the standard Windows applications will not “see” it.

This is not a particularly effective way to hide data since the file will still run the application if you double-click on it.

This happens because there is an internal file signature that tells Windows which application to run.

Changing the external name does not affect this.

Use Windows to hide files

You can set a property on a file to make it “hidden”. If you set a folder view options to not show hidden

files, they become invisible. Windows also automatically hides files with

particular suffixes from being seen in the directory window.

The most common hidden type is .sys If you name a file with a .sys suffix and then change

the folder view options to not show hidden system files, they will also disappear.

Both of these methods are easy to overcome.

Use a Password

You can hide the contents of a file with a password.

On older versions of Windows this was not particularly effective.

More recent versions are significantly more robust.

While the passwords can be broken, it is not a trival task.

Basic Approaches to Password Cracking

Illegal Methods Social Engineering Pretexting Phishing Login spoofing Keystroke logging Shoulder surfing Dumpster diving Security System Attacks

Basic Approaches to Password Cracking

Ask! Interview/Interrogation Social Engineering

Plain sight Post-It Notes Documents

Guess Social Engineering

Weak Encryption Dictionary Attack Brute Force Attack

Guessing1

Not surprisingly, many users choose weak passwords, usually one related to themselves in some way. Repeated research over some 40 years has demonstrated that around 40% of user-chosen passwords are readily guessable by programs. Examples of insecure choices include: blank (none) the word "password", "passcode", "admin" and their derivates the user's name or login name the name of their significant other or another relative their birthplace or date of birth a pet's name automobile licence plate number a simple modification of one of the preceding, such as suffixing a digit or reversing the order of the

letters. a row of letters from a standard keyboard layout (eg, the qwerty keyboard -- qwerty itself, asdf, or

qwertyuiop) and so on.

Some users even neglect to change the default password that came with their account on the computer system. And some administrators neglect to change default account passwords provided by the operating system vendor or hardware supplier. A famous example is the use of FieldService as a user name with Guest as the password. If not changed at system configuration time, anyone familiar with such systems will have 'cracked' an important password; such service accounts often have higher access privileges than a normal user account.

The determined cracker can easily develop a computer program that accepts personal information about the user being attacked and generates common variations for passwords suggested by that information.

1http://en.wikipedia.org/wiki/Password_cracking

Encrypt the File

This is the next level up from using a password.

It basically scrambles the bits of the file in a systematic way so that, with the proper key, it can be unscrambled.

Typically, any file with a password is also encrypted.

High level encryption can be extremely difficult to “crack” even with vast computer resources.

Use Steganography

This is a method where one file is embedded into the bits that make up another file.

Like encryption, it depends upon a password and a decoding algorithm to recover the original hidden data.

This can be particularly hard to uncover because text messages can be hidden in seemingly innocuous images or sound files.

Compress the file

This method is not particularly effective. Most modern operating systems have

built-in programs to compress and decompress files and folders.

Previously, this was not true, so a compressed file was as unreadable as an encrypted one.

Hide the Hardware

The computer settings can be manipulated so that specific hardware devices are invisible.

A close examination of the actual machine can quickly find this situation and the hardware can be made visible again.

Less obvious forms of this are to hide segments of a disk drive so that portions of the physical drive are not “counted” even by low-level disk partition tools.

Use Application Programs

You can hide data in application programs in various ways.

Word, for example, has several hiding places that can be used.

Likewise, webpages can hide a good deal of information in the code or in invisible text.

Methods for Hiding Data in Word Docs Font Size Font Color Hidden Text Comments Track Changes Meta Data (File Properties)

Author Organization …

Versions Fast Saves

Methods for Uncovering Data in Word Docs

Select All -> Font Black on white Font Size Font Type

Read as Text Forensic tools (Hex Editor)