Timestomp

Timestomp is a utility written by James C. Foster and Vincent Liu. Its purpose is to delete or modify the timestamp information that NTFS keeps for a file.

Take for example the "Timestomp MACE Values" screenshot, which shows a command prompt window listing the MACE values for a document file titled "text.txt". Four timestamps are displayed. Forensic examiners use them to reconstruct when a file was last Modified, Accessed, Created, or had its MFT Entry modified (hence MACE), whether by the operating system or by the user.


Timestomp MACE Change
Using Timestomp, the modified date and time can be changed arbitrarily, as the "Timestomp MACE Change" screenshot shows. If the modified value, along with the other three, were changed to believable dates and times, the reliability of the document's timeline would be in question, and the file could slip past an examiner who is filtering for files modified in a different year or date range.


Timestomp MACE Change Proof
The "Timestomp MACE Change Proof" screenshot is a final shot of the operating system's own view of the Modified timestamp; it reflects the change exactly.


Note: Although this program is designed to frustrate forensic analysis, its crude use is easy to detect. The program can delete all timestamp information, and the absence of timestamp values tells an examiner that something is amiss: Windows always records at least some timestamp information, so a total absence is a dead giveaway that someone has tried to hide something. On the flip side, if the values are simply changed to believable ones, there is little chance of the change being noticed at a casual glance.
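An examiner's-side check for the two conditions described above (timestamps wiped outright, or rolled back to a believable date), as an added Python example; this is not code from Timestomp or from the blog, and the MFT entries it inspects are constructed. It reads the four MACE values as raw FILETIME integers, the form a forensic tool extracts from the MFT, and compares $STANDARD_INFORMATION (the attribute Timestomp rewrites and Explorer displays) against $FILE_NAME (the copy the kernel maintains). The 1993 plausibility floor is an assumption, chosen because NTFS did not exist before then.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
TICK = 10_000_000                                    # 100 ns ticks per second
MACE = ("modified", "accessed", "created", "entry_modified")


def to_filetime(dt):
    """UTC datetime -> 64-bit FILETIME (100 ns ticks since 1601-01-01), exact integer math."""
    d = dt - EPOCH
    micros = (d.days * 86_400 + d.seconds) * 1_000_000 + d.microseconds
    return micros * 10


def from_filetime(ft):
    """FILETIME -> UTC datetime (sub-microsecond ticks dropped)."""
    return EPOCH + timedelta(microseconds=ft // 10)


def check_record(si, fn, floor=datetime(1993, 1, 1, tzinfo=timezone.utc)):
    """si: the four $STANDARD_INFORMATION timestamps of one MFT entry (what Timestomp
    writes and what the OS shows); fn: the same four from the $FILE_NAME attribute.
    Both are dicts keyed by MACE holding FILETIME integers. Returns a list of
    indicator strings; an empty list means nothing looks off."""
    flags = []
    if all(si[k] == 0 for k in MACE):
        return ["all four $SI timestamps blank (zero): blanking rather than backdating"]
    floor_ft = to_filetime(floor)          # assumed floor: no NTFS volume predates 1993
    for k in MACE:
        if 0 < si[k] < floor_ft:
            flags.append(f"{k}: $SI value before {floor.date()} (implausibly low)")
    # Timestomp takes times at one-second resolution, so every value it writes has a
    # zero sub-second part; genuine writes almost always carry a non-zero fraction.
    if all(si[k] % TICK == 0 for k in MACE):
        flags.append("all four $SI timestamps have a zero sub-second part: set with second granularity")
    # Timestomp rewrites $SI only; $FN keeps the value the kernel wrote. $SI older than $FN
    # means the visible timestamp was rolled back after the fact.
    for k in MACE:
        if si[k] and fn[k] and si[k] < fn[k]:
            flags.append(f"{k}: $SI earlier than $FN (rolled back after the $FN copy was written)")
    return flags


def demo():
    """Three constructed MFT entries: one backdated like the screenshots describe,
    one untouched, one blanked. Times are constructed, not taken from the page."""
    real = to_filetime(datetime(2005, 8, 14, 10, 15, 30, 123456, tzinfo=timezone.utc))
    stomped = to_filetime(datetime(1998, 3, 2, 14, 0, 0, tzinfo=timezone.utc))
    fn = {k: real for k in MACE}
    return {
        "text.txt": check_record({k: stomped for k in MACE}, fn),
        "clean.txt": check_record({k: real for k in MACE}, fn),
        "blanked.txt": check_record({k: 0 for k in MACE}, fn),
    }


if __name__ == "__main__":
    for name, flags in demo().items():
        print(name, "->", flags or "no indicators")
```

Treat every indicator as a lead rather than proof: a zero sub-second part also appears on files copied from FAT volumes (two-second resolution), and a move or rename refreshes $FILE_NAME, so the $SI-before-$FN test is not conclusive on its own. The $FN comparison is still the most useful one here, because the original Timestomp only rewrites $STANDARD_INFORMATION.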


Anti forensics: The End of Computer Forensics?

Computer forensics is a relatively young discipline. In short, it is about using computer science and technology to establish facts and preserve evidence of those facts. (I realize that other definitions are in use.) It is an after-the-fact, reactive method of establishing what has happened or of reconstructing crimes that have taken place. More and more tools are appearing that make reconstruction more difficult, if not impossible, and computer forensics more expensive and less legally relevant.

During an investigation into data theft it was established that one of the client's employees had downloaded an mp3 and played it. It was also established that hidden in the mp3 was a rootkit that had installed itself. As a result a hacker had been able to gain "administrator" access to the client's system, completely undetected, and for over a year this access had been used to obtain confidential information. But here's the catch: it was never identified who the hacker was, and most likely no one ever will. (If anyone is up for the challenge, they are hereby invited.) It makes you wonder: who and what else?

More and more hackers appear to focus on what is now being called the field of anti-forensics: tools that make it hard, if not impossible, for computer forensic investigators to identify what has happened and who the perpetrator is, and to link the perpetrator to the identified security breaches and data thefts. What makes life especially hard for forensic investigators is that the elite nature of these techniques is over. Much as the hacking techniques focused on gaining access came down the ladder of availability in the old days, these anti-forensic tools are becoming available to the general public. What's more, this is taking place at a time when more and more people with less noble intentions, and without much technical skill, are looking for ways to get their hands on all the cash moving around online. Anti-forensics are a great help in covering their tracks.

In the good old days, hackers and data thieves tried to avoid detection using back doors and other techniques. Nowadays they seem not to care. Why? Because even when you do detect what is happening, and this gets easier and easier, you will never find out who the perpetrator is.

The Legal Side of Things: from hard evidence to circumstantial evidence
It is my sincere expectation that well before the field of computer forensics has come to full bloom, especially here in New Zealand, we will be faced with a situation, or at least an increased chance, in which computer forensic evidence becomes more and more circumstantial as a result of the anti-forensic tools readily available on the market.

Computer forensics is in a way telling a story: establishing what has happened and who made things happen. The basis has always been that captured data could be trusted. This is no longer necessarily true (very similar, by the way, to the abuse of telephone facilities since VoIP networks came into place).

While it has always been a challenge to put a person behind a machine in terms of reconstructing what has happened, we are now faced with an additional problem of establishing which machine was the one that can be identified as "the guilty machine".

In this environment data is no longer trustworthy. The implication of this can hardly be overstated. Where the presumption of reliability falls away, prosecution becomes a severe challenge and an increasingly unappealing option once you take into consideration the relatively heavy burden of proof in criminal prosecutions.

Anti forensic tools could in effect create a form of de facto legal immunity for those that know how to use these new tools.

Will Computer Forensics stay an Economically Viable Option?
With the rising uncertainty of a useful and reliable outcome, and with the continuously growing difficulties in this field of investigation, it is not too hard to imagine what will happen to this field of expertise.

If it becomes increasingly difficult to figure out what has happened, and if the chances of the findings being legally usable decrease as a result of these anti-forensic tools, chances are that corporates will opt for the most economically viable alternative: forget about investigations and write off the losses. (Might there be a new market for the insurance industry here?)

Back to Basics
What does this mean for the computer forensics field? In my view it means that we will need to (re-)establish broader approaches to investigating computer crimes.

I cannot help finding myself in situations where the technical capabilities need to be downplayed and a broader focus is required instead, one that takes into consideration physical investigative techniques: traffic analysis of phones, email, mobiles and data; interviewing and interrogation; physical inspection and investigation of suspects' premises; telephone taps; running informants and focusing on witnesses close to the suspects; loggers on suspected computers; following up on victim transactions (including, where possible and appropriate, camera footage analysis and, for instance in the case of credit card abuse, tracing and surveillance of people and goods); and good old crime analysis techniques that depart from an all-source approach.

Come to think of it, every computer forensic investigation I did had a physical component to it if only to interview and take statements of subjects thought to be behind the incidents. What has changed over the years in many instances is that the technique has become a means in itself, used by those with great technical capabilities but not necessarily equipped with the general investigative skills and creativity to come to a satisfactory result. Back to basics I would say.

Thinking about it, this takes me back to the days I worked with one great police officer in the Netherlands, Hoofd Inspecteur Harm Beukenholdt. He once told me, years back: "John, you have the technical guys, and you have the old school detectives. Success will be for those that know how to bring these apparently strictly divided worlds together to work efficiently and effectively."

The field of anti forensics is now proving him well ahead of his time. He could basically have predicted what is taking place at the moment.

What he understood and so many nowadays have forgotten is that it is all a matter of layering the evidence, building it up and narrowing the escapes. If we had to rely on computer forensic evidence solely, we would get stuck. Luckily however there are those that understand the value of a multi-disciplinary approach.

For those considering a business in computer forensics: don't give up your day job if that is all you have to offer. Some time ago I wrote a blog post called Evolutionary Notes on Private Investigators, dealing with the changing face of investigators. The last stage in that evolution is the investigator as manager of all the new experts in a multi-disciplinary approach. That's where we at Dierckx & Associates shine. We have a network in place covering all relevant disciplines, and John Dierckx is equipped and experienced in bringing these disciplines together.


Deletion (directory listing: Computers > Software > File Management > Deletion)

Related category: Computers > Security > Products and Tools > Forensics and Anti-Forensic Degaussers (20)

Web Pages
  Eraser http://www.heidi.ie/eraser/
Secure data removal tool for Windows. (Open Source)
  NoClone http://noclone.net
Shareware file deletion and management utility, search for duplicate files, zero-size files and same filename. Windows 9x/Me/NT4/XP/2000.
  EAST Technologies http://www.east-tec.com/
Utilities designed to completely eliminate sensitive data from your computer and protect your computer and Internet privacy. Encrypt sensitive files and folders. For all Windows operating systems.
  FSlint http://www.pixelbeat.org/fslint/
A Linux toolkit with GUI and command line modes, to report various forms of disk wastage on a file system. Reporting duplicate files, file name problems, dangling links and redundant binary files. This program is distributed under the terms of the GNU GPL.
  Recover98 http://www.recover98.com/
Recover files from a hard disk drive or floppy diskette with a corrupted file system or a virus. Also access files from an accidentally formatted disk, or recover any files that have been deleted. For all Windows operating systems.
  Complete Cleanup Shareware http://www.softdd.com/complete/index.htm
Deletes browsing history, cookies, recent documents and recent files lists. From Softdd.
  Fast Cleaner Gold http://www.eshinesoft.com/
Utilities to scan and clean up error making and useless garbage files, clear IE cache, cookies, history, for Internet privacy protection and perform disk usage analysis.
  Delenda http://peccatte.karefil.com/Software/Purge/DelendaEng.htm
Automatically deletes old files in a set of folders. Continuously displays the number of files in each defined folder or tree. Automatically purges Macintosh files stored on NT/2000 file server.
  Acronis Drive Cleanser http://www.acronis.com/enterprise/products/drivecleanser/
Guarantees the complete destruction of data on selected partitions and/or entire disks.
  Data Destroyer http://www.hermetic.ch/dd/dd.htm
A Windows program for secure file deletion which destroys (or purges) data in multiple files and multiple folders on floppy, ZIP or hard disk so that the data cannot be recovered, a process also known as 'sanitization'.
  Destroy http://www.destroy.com.au/
A Data Removal System that securely erases all data from every hard disk on a PC.
  PANTERASoft Utilities http://www.panterasoft.com/
Smart Cleaner and Advanced Cleaner Lite, clean unwanted files from disks. Windows shareware. Note: May not support some browsers.
  Mutilate File Wiper http://mutilatefilewiper.com
Mutilate destroys sensitive files so they can never be recovered or undeleted.
  X-Ways Security Permanent Erasure http://www.x-ways.net/security/
Erase logical drives or entire physical disks completely and irreversibly. Clean formerly used NTFS file records, which contain filenames and other data.
  Check Identical Files http://www.abc-view.com/cif.html
Utility that checks your hard disk for annoying duplicate files and allows you to delete them easily. [Win 9x/NT/2000/Me]
  4Diskclean Gold http://4diskclean.com/
Cleans up temporary, duplicate, internet and garbage files. Windows 95/98/ME/2000/NT/XP shareware from RSS Systems.
  QuickWiper http://www.aks-labs.com/products/quickwiper.htm
Windows file wipe utility with NSA erasure algorithm, works with FAT16, FAT32 and NTFS.
  Remove 3.1.2 http://www.mikasalonen.com/remove/
Full featured uninstaller program for removing shown and hidden applications and entries from the Windows Add/Remove applet in the Control Panel. Software overview, screenshots, and trial download. [Windows 95/98/ME/NT/2000/XP]
  Miniwish Software http://www.miniwish.com/
Application to free up disk space by deleting junk files that are no longer used by any software on the system. Additionally this software will clean cookies and many other temporary folders on the hard drive. [Windows 95/98/Me/NT/2000/XP]
  CleanEm http://camtech2000.net/Pages/CleanEm.html
Safely remove unnecessary temporary, duplicate, internet and garbage files. Designed in an XP style theme. [Windows 95/98/Me/NT/2000]
  CleanCenter http://www.cleancenter.net/
Delete unwanted files from hard drives. Free trial offer, supports all Windows systems.
  123 Cleaner http://www.zminsoft.com/123cleaner
Protect your privacy by cleaning your tracks on the Internet and protecting personal information.
  PC Garbage Remover http://www.softdd.com/pcgarb/index.htm
Scans for different types of useless files, includes viewers. Windows shareware from Softdd.
  Duplic8 http://www.kewlit.com/duplic8/
Duplicate file manager for Windows 95/98/ME/NT/2000. Load and save search profiles for quick repeat searches. With Mark Wizard, select all the oldest/newest files for deletion, or target them by drive automatically.
  Find Unused Files http://kanadepro.com/findunusedfiles/
Check for old and unused files for deletion. Specify which folder to look in and whether to include the subfolders when looking for such files. [Freeware]
  WinClean http://www.batl.com/winclean.html
Cleans up unnecessary files and components of operating system, scan the registry, delete broken shortcuts. Equipped with a 'Safety Net' mechanism that allows reverting major changes made to the operating system.
  SeeknClean http://www.seeknclean.com/
Fixes and prevents errors by finding and deleting 40 different types of error producing and space-wasting garbage files. Targets specific types of error producing files that common disk utilities, uninstall, and defrag miss. [Win 95/98/Me/NT/2000]
  Disk Secure Eraser http://www2.neweb.ne.jp/wd/morimoto/en/diskeraser/
Windows shareware utility to erase all files, and hidden data on a storage media.
  TimesUp http://timesup.hartsoft.com
Command-line tool for deleting files after a given number of days. Delete old tmp files, log files and orphaned directories. Software overview, screenshot, FAQs, and download.
  File Pulverizer http://www.toplang.com/filepulverizer.htm
Delete files and folders directly to prevent others from recovering, support delete files/folders in explorer directly.
  Lizard Labs http://lizardlabs.tripod.com/
XT File Shredder Lizard is a secure file removal shareware utility that removes sensitive data from disk drives by overwriting it and then deleting it. Multilingual site in English and Macedonian.
  File Monster http://members.aol.com/PurpleTSoft/monster
Completely erases and deletes files from your system by overwriting all the data in the file to ensure that a file recovery utility will not be able to recover the file. [Shareware]
  CHAOS Shredder http://www.safechaos.net/cs.htm
Completely erase files from the hard disk, without the possibility to recover it by any practical software or hardware methods. [Windows 95/98/Me/NT/2000/XP]
  CleanKeeper http://www.cleankeeper.esmartweb.com/
An easy and powerful tool to find and delete garbage files. Download the shareware version and get free disk space.
  Smart Cleaner http://www.scaramouch.com/en_home.php
Disk cleaner which removes more than 25 unnecessary file types from your hard drive. Program can be set to run automatically at specified times. Time limited demo for all versions of Windows.


Eraser

From Forensics Wiki

eraser
Maintainer: Heidi Computers
OS: Windows
Genre: Secure deletion
License: GPL
Website: heidi.ie/eraser

Eraser is a Windows tool that allows you to securely remove files from your computer's hard drive and to securely wipe free space, removing the residual data of previously deleted files by overwriting it with specially selected wiping patterns.

Eraser currently works with Windows 95, 98, ME, NT, 2000, XP, Windows 2003 Server and DOS and supports FAT and NTFS formatted IDE/SATA/SCSI hard drives. Support for Vista was introduced in 5.83beta.

The software supports the scheduled wiping of files via its Scheduler console as well as on demand file wiping which can be done via an Explorer context menu or dragging files to the Eraser application. It can attempt to wipe locked files (e.g. index.dat files) after the next reboot by forcing a wipe before Windows takes control again.

Methodology

Eraser overwrites the filename for each deleted file with zeros up to the maximum filename length.

Supported wiping patterns include:

Pattern                                Erase File   Erase Free Space
Gutmann                                yes          yes
US DoD 5220.22-M (8-306 /E, C and E)   yes          yes
US DoD 5220.22-M (8-306 /E)            yes          yes
Pseudorandom Data                      yes          yes
First and Last 2kb                     yes          -
Schneier's 7 Pass                      yes          yes

Authors

Eraser was originally developed by Sami Tolvanen and is now maintained by Garrett Trant of Heidi Computers Ltd.


Darik’s Boot and Nuke

Darik's Boot and Nuke is a disk image used to create a bootable CD/DVD/floppy/USB device that securely wipes the hard disks of most computers. DBAN supports all 32-bit x86 machines and has beta builds for Cisco routers, SPARC, PowerPC and HP PA-RISC hardware. DBAN is bundled with Eraser.

Wipe Methods

  • Quick Erase
  • Canadian RCMP TSSIT OPS-II Standard Wipe
  • American DoD 5220.22-M Standard Wipe
  • Gutmann Wipe
  • PRNG Stream Wipe

Data Destroyer

Data Destroyer is for:

  1. Purging disk files (by overwriting them many times) so that not only are the files deleted but the data which was in them cannot be recovered by any means.
  2. Removing (using the same purge process) all data (or, optionally, almost all data) on a disk.

If you wish to make sure that information which has been written to disk (such as financial data, etc.) can never be seen again after you remove it then you need a program with the capabilities of this one. Also, if you sell your old PC you may wish to make sure that all data is erased (permanently and irrecoverably) from the hard disk, including data in the swap file.

Beware of data removal programs that are claimed to delete files quickly. The only way data can be removed permanently is to overwrite it (on disk, not just in the disk cache) several times at least, and this takes time.

Data Destroyer can purge multiple files in multiple folders in a single operation. You can also tell it to purge the slack area at the end of files. You can tell Data Destroyer not to delete a purged file so that you can inspect the contents with a hex editor. And you can request an estimate of the time required for a file purge or a disk wipe operation.
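The overwrite-and-rename method the Eraser section describes (several pattern passes, then the filename zeroed) and Data Destroyer's point that data must be overwritten on disk rather than only in the disk cache, worked through in Python as an added example. This is not code from Eraser, Data Destroyer or any other tool on this page; the pass schedules, file name and file contents are constructed for the demonstration.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16
ZEROS, ONES, RANDOM = b"\x00", b"\xff", None

# Pass schedules in the spirit of the patterns the Eraser table lists. They are
# constructed for this example; the exact per-pass bytes of each standard are not
# reproduced from the page.
SCHEDULES = {
    "pseudorandom": [RANDOM],
    "dod-3pass": [ZEROS, ONES, RANDOM],
    "schneier-7": [ONES, ZEROS] + [RANDOM] * 5,
}


def overwrite_passes(path, passes):
    """Overwrite every byte of the file once per pass. fsync after each pass so the
    pattern reaches the device instead of stopping in the page cache (Data Destroyer's
    'on disk, not just in the disk cache'). Returns the number of passes written."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for pattern in passes:
            f.seek(0)
            left = size
            while left:
                n = min(left, CHUNK)
                buf = secrets.token_bytes(n) if pattern is None else pattern * n
                while buf:                     # raw writes may be partial
                    buf = buf[f.write(buf):]
                left -= n
            os.fsync(f.fileno())
    return len(passes)


def bytes_all_equal(path, value):
    """Verification pass: True if every byte of the file equals the one-byte `value`."""
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return True
            if block != value * len(block):
                return False


def secure_delete(path, schedule="dod-3pass"):
    """Overwrite, obscure the name, unlink. Eraser zero-fills the on-disk filename; the
    closest user-space equivalent is a rename to a same-length run of '0' characters
    before unlinking. Returns the temporary name so a caller can confirm both are gone."""
    overwrite_passes(path, SCHEDULES[schedule])
    directory, name = os.path.split(path)
    zero_name = os.path.join(directory, "0" * len(name))
    while os.path.exists(zero_name):           # never clobber an unrelated file
        zero_name += "0"
    os.rename(path, zero_name)
    os.unlink(zero_name)
    return zero_name


def demo_wipe():
    """Constructed end-to-end run in a temporary directory."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "payroll.csv")
    with open(target, "wb") as f:
        f.write(b"name,salary\nA. Example,123456\n" * 3000)   # constructed content
    zeroed = overwrite_passes(target, [ZEROS]) == 1 and bytes_all_equal(target, b"\x00")
    passes = overwrite_passes(target, SCHEDULES["schneier-7"])
    zero_name = secure_delete(target)
    os.rmdir(workdir)
    return {"zeroed": zeroed, "passes": passes,
            "gone": not os.path.exists(target) and not os.path.exists(zero_name)}


if __name__ == "__main__":
    print(demo_wipe())
```

Overwriting in place only reaches the file's current allocation. Journaling and copy-on-write filesystems, snapshots, the swap file and SSD wear levelling can all keep earlier copies of the bytes, which is why Eraser also wipes free space and why Data Destroyer's manual has a section on the swap file; on an SSD the drive's own ATA Secure Erase or sanitize command is the right tool. On modern magnetic drives a single verified overwrite is considered sufficient (NIST SP 800-88 Rev. 1), so the extra passes above cost time without adding assurance.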

Here is the user manual for the software:

  1. Introduction
  2. Types of purge
  3. Testing purge speed
  4. Purging a single file
  5. Purging multiple files
    1. Specifying the folder containing the files to be purged
    2. Subfolders?
    3. Specifying the files (in the folder) to be purged
    4. Confirm files?
  6. Listing files and estimating purge time
  7. Purging files
  8. Wiping a disk
  9. Saving and Loading the setup
  10. Further considerations
    1. Purging the slack area
    2. Compatibility with antivirus software
    3. Protected files
  11. Purging the swap file

Trial version: A copy of the Data Destroyer software can be downloaded from the vendor's website, which also explains how the software runs as a trial version.

Price and ordering: A single-user license for Data Destroyer costs US$33.00, €25.00 or £17.00 (excluding any sales tax), payable via PayPal, the Kagi order form or the Share-it! order form. After a user license has been purchased, an activation key is sent by email to make the software fully functional.

Refund: A refund will be provided promptly up to 30 days after purchase if the software does not perform satisfactorily.

Updates: Purchasers of a user license for this software are entitled to an update to any later version at no additional cost.


FSlint is a utility to find and clean various forms of lint on a filesystem.
For example, one form of lint it finds is duplicate files.
It has both GUI and command line modes.
Screenshots are available for versions 1.22 through 2.24 in English, Română, Deutsch, Gaeilge, Nederlands, Français, српски, Português do Brasil, Tiếng Việt, Svenska, 中文, Bahasa Melayu, Dansk, Español, עברית, italiano and русский.
Installation Commands and Downloads

Debian/Ubuntu (apt)
  official (2.16):  sudo apt-get install fslint
  latest (2.24):    wget http://www.pixelbeat.org/fslint/fslint_2.24-1_all.deb
                    sudo dpkg -i fslint_2.24-1_all.deb
  devel (2.25):     svn checkout http://fslint.googlecode.com/svn/trunk/ fslint-2.25
                    cd fslint-2.25
                    dpkg-buildpackage -I.svn -rfakeroot -tc
                    sudo dpkg -i ../fslint_2.25-1_all.deb

Fedora/Red Hat (yum)
  official (2.24):  sudo yum install fslint
  devel (2.25):     svn checkout http://fslint.googlecode.com/svn/trunk/ fslint-2.25
                    tar czf fslint-2.25.tar.gz --exclude=.svn fslint-2.25
                    sudo rpmbuild -ta fslint-2.25.tar.gz
                    sudo rpm -Uvh /usr/src/redhat/RPMS/noarch/fslint-2.25-1.noarch.rpm

Mandrake/SuSE (rpm)
  latest (2.24):    [ -f /etc/mandrake-release ] && pkg=rpm
                    [ -f /etc/SuSE-release ] && pkg=packages
                    wget http://www.pixelbeat.org/fslint/fslint-2.24.tar.gz
                    sudo rpmbuild -ta fslint-2.24.tar.gz
                    sudo rpm -Uvh /usr/src/$pkg/RPMS/noarch/fslint-2.24-1.noarch.rpm
  devel (2.25):     [ -f /etc/mandrake-release ] && pkg=rpm
                    [ -f /etc/SuSE-release ] && pkg=packages
                    svn checkout http://fslint.googlecode.com/svn/trunk/ fslint-2.25
                    tar czf fslint-2.25.tar.gz --exclude=.svn fslint-2.25
                    sudo rpmbuild -ta fslint-2.25.tar.gz
                    sudo rpm -Uvh /usr/src/$pkg/RPMS/noarch/fslint-2.25-1.noarch.rpm

Generic source code
  latest (2.24):    wget http://www.pixelbeat.org/fslint/fslint-2.24.tar.gz
                    tar xzf fslint-2.24.tar.gz
                    cd fslint-2.24
                    (cd po && make)
                    ./fslint-gui
  devel (2.25):     svn checkout http://fslint.googlecode.com/svn/trunk/ fslint
                    cd fslint
                    (cd po && make)
                    ./fslint-gui
Other
Downloads
gentoo fslint-2.24.ebuild, signed checksums
Project Info
Change Log
bug list
source code repository
Create new translation
Edit translations online
FAQ
Release Process
Reviews
Linux Format Hotpick Oct 2004
Linuxuser german edition May 2005
Linux Journal Mar 2007
Linux.com feature Oct 2007

http://www.metasploit.com/projects/antiforensics/


Welcome to the Metasploit Anti-forensics homepage. This is where you'll find the latest updates on our anti-forensic research and any associated tools.
News
12/7/2005 - Release of SAM Juicer. You can either download it and manually install it or run msfupdate (the easier option).

10/2/2005 - Updated site with the latest versions of Timestomp and Slacker. Please play around with it and let me know if you all have any suggestions or comments. Also working with HD to get SAM Juicer finalized and integrated into Metasploit Framework 2.5.

8/17/2005 - I previously uploaded the wrong version of slacker.exe, so I uploaded the correct (functional) copy. Thanks to g4m3cub3 for pointing this out. This version also supports random XOR obfuscation of the data being hidden in slack space.

8/14/2005 - Updated Timestomp with the recursive blanking option, so now you can blank entire drives at once. It doesn't work on directories, but that's not the point ;-) Also discovered that the low time values will cause Windows Explorer to get confused as well.

Conferences
May 3-6, 2006 - Presented Defeating Forensic Analysis at the Computer and Enterprise Investigations Conference 2006

April 3-5, 2006 - Presented Bleeding-Edge Anti-Forensics at InfoSecWorld 2006

October 13-14, 2005 - Presented The Metasploit Anti-Forensics Project v2 at Microsoft BlueHat

September 16-18, 2005 - Presented The Metasploit Anti-Forensics Project at Toorcon 7

July 27-28, 2005 - Presented Catch Me If You Can at BlackHat 2005

Metasploit Anti-Forensic Investigation Arsenal (MAFIA)
Timestomp - First ever tool that allows you to modify all four NTFS timestamp values: modified, accessed, created, and entry modified.

Slacker - First ever tool that allows you to hide files within the slack space of the NTFS file system.

SAM Juicer - A Meterpreter module that dumps the hashes from the SAM, but does it without ever hitting disk.

Transmogrify - First ever tool to defeat EnCase's file signaturing capabilities by allowing you to mask and unmask your files as any file type. (Coming Soon)

Documentation
Coming soon.

How does timestomp work?

How does slacker work?

How does transmogrify work?

How does SAM juicer work?

Guide to Defeating Forensic Analysis

Future Work
  • NTFS change journal modification
  • secure deletion
  • documentation of anti-forensic techniques
  • browser log manipulation
  • file meta-data modification
  • NTFS extended attributes
Contact
Questions, comments, suggestions? E-mail vinnie[at]metasploit.com.

Hiding Data, Forensics and Anti-Forensics

Hal Berghel

 

DIGITAL DATA HIDING

Data hiding has been with us as long as there have been digital computers and networks. Some of us are long enough in the tooth to remember data hiding on tracks above 80 of the ubiquitous 5 ¼" double-sided, double-density floppy drives in the late 1970s. It was not uncommon to store a program key in the upper regions of the disk for copy protection of PC software. The simplicity of this scheme was elegant: the DOS operating system would only recognize the first 80 tracks, so the program key would be lost during any DOS copy procedure. This became one of the more common data hiding techniques of the early microcomputer era, although its effectiveness was short-lived because application programs could reach the out-of-standard tracks by bypassing the operating system's function calls and accessing the disk controller directly. This gave rise to a cottage industry of copy-protection-defeating (aka "pirating") software, as "bitsmiths" quickly developed controller-based copy programs that rendered this form of out-of-standard copy protection obsolete. Now of only historical interest, data hiding techniques such as this led the way to the more sophisticated approaches that remain with us today.

Similar strategies exist for data hiding over networks. “Covert channeling,” is a case in point. Two popular covert channeling techniques, protocol bending and packet crafting, share the same out-of-standards approach to concealing data as the PC data hiding example above.

Protocol bending involves using a network protocol for some unintended purpose. Typically this means embedding data in TCP/IP packets in unexpected places (akin to the higher tracks in our floppy example). A time-worn tactic is covert channeling over Internet Control Message Protocol (ICMP) packets, e.g., by carrying application-layer data in the payload of ICMP echo request and echo reply packets. Since ICMP was created to transmit "command and control" information between network devices, such as destination unreachable, source quench, echoes (pings) and their replies, there is no expectation that application-layer data will travel in ICMP packets, and as a result many firewalls and intrusion detection/prevention systems pass ICMP without inspecting its payload. This is where the protocol is "bent." The result is a covert channel between network endpoints that lies under the radar of any network administration tool which assumes that ICMP packets will conform to IETF specifications. Perhaps the most widely known ICMP covert channel tool is Loki, named after the contriver of mischief in Norse mythology. Without payload-level packet analysis, Loki traffic looks like any other routine ICMP echo request/reply exchange, while in fact these packets are transmitting covert data. Another popular protocol bender is Reverse WWW Shell, which uses a form of protocol bending called "shell shoveling" over HTTP.

Protocol benders deploy protocols in non-standard and perhaps nefarious ways. Contrasted with them are covert channeling tools that use packet crafting to embed data in the packet headers themselves. Covert_TCP and NUSHU are two such examples. Covert_TCP uses active channeling: it generates its own packet train to create the channel. NUSHU, on the other hand, is a passive channeler that piggybacks on packets handed to the TCP/IP stack by other applications. The covert effect is the same.
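A packet-crafting covert channel of the Covert_TCP kind, with its receiver and a detector, as an added Python example that is not code from Covert_TCP, NUSHU or this column. The encoding (one payload byte in the top 8 bits of the TCP Initial Sequence Number) and the SYN records are constructed for the demonstration; the stealthier variant shows the limit of a single-field check.

```python
import secrets


def craft_syns(payload, src="10.0.0.5", dst="192.0.2.10", dport=80, randomize_low=False):
    """Sender side of a constructed Covert_TCP-style channel: one payload byte per SYN,
    carried in the top 8 bits of the ISN. With randomize_low=True the remaining 24 bits
    are random, as a stealthier variant would do. Records hold only the fields needed."""
    syns = []
    for b in payload:
        low = secrets.randbits(24) if randomize_low else 0
        syns.append({"src": src, "dst": dst, "dport": dport, "isn": (b << 24) | low})
    return syns


def extract_payload(syns):
    """Receiver side: read the byte back out of each ISN, in arrival order."""
    return bytes((s["isn"] >> 24) & 0xFF for s in syns)


def zero_low_bits_fraction(syns):
    """Detector: share of SYNs whose low 24 ISN bits are all zero. A real TCP stack
    randomises the whole 32-bit ISN, so a fraction anywhere near 1.0 from one host is a
    covert-channel indicator. The randomized variant defeats this test, which is why
    header-field channels call for a model of each host's normal ISN behaviour rather
    than a single-field check."""
    if not syns:
        return 0.0
    return sum(1 for s in syns if s["isn"] & 0xFFFFFF == 0) / len(syns)


def demo():
    """Constructed exchange: the same message sent naively and with randomized low bits."""
    msg = b"exfil:ok"
    naive = craft_syns(msg)
    stealthy = craft_syns(msg, randomize_low=True)
    return {
        "naive_roundtrip": extract_payload(naive) == msg,
        "naive_flag": zero_low_bits_fraction(naive),
        "stealthy_roundtrip": extract_payload(stealthy) == msg,
        "stealthy_flag": zero_low_bits_fraction(stealthy),
    }


if __name__ == "__main__":
    print(demo())
```

Both variants deliver the message; only the naive one is caught. In a capture the stealthy one still leaves a footprint (eight SYNs to one port with no completed handshakes, from a host whose ISNs no longer follow its stack's usual generator), which is the kind of behavioural baseline a detector for header-field channels has to build.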

So there you have it. Data hiding in a nutshell from hiding application data on storage media or TCP/IP packets in places where the standards suggest it doesn't belong. In part one of this two-part column, we'll deal with physical data hiding on disk file systems.

PHYSICAL DATA HIDING

Physically hidden data is a special case of dark data (aka data dark-matter). Information technologists speak of cyberspace, the Internet, and corporate intranets as mostly “dark,” in that they contain large amounts of undiscovered, concealed, misplaced, missing or hidden data. By some accounts, dark data is an order of magnitude larger than light data (data that is known, linked, observed, recovered, retrievable, etc.)

Covert data may be thought of as a small subset of dark data. There are many categories of covert data. Encryption produces dark data in the sense that while the existence of the data isn't hidden, its content is only readable and usable to those who have the correct decryption key. Steganography produces dark data that is typically buried within light data (e.g., a non-perceptible digital watermark buried within a digital photograph). Both are illustrations of intentional concealment. They share this characteristic with physical data hiding.

The forensically interesting dimension of physical data hiding, at this writing, lies in techniques that take advantage of the physical characteristics of formatted storage media. One early attempt was Camouflage (camouflage.unfiction.com), which hid data in the area between the logical end-of-file and the end of the cluster in which the file was placed (called file slack or slack space). Though primitive, hiding data in file slack has a dual advantage: the host or carrier file is unaffected, and the hidden data is invisible to the host operating system and file managers. The disadvantage is that the hidden message is easily recovered with a basic disk editor.
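Slack-space hiding as described above, and as the Metasploit Slacker entry earlier on this page offers it (including its XOR obfuscation option), worked through in Python as an added example; this is not code from Camouflage, Slacker or Berghel's column. The cluster size, the three carrier files, the XOR key and the hidden note are all constructed. The examiner-side scan shows why a disk editor finds such data easily.

```python
import math

CLUSTER = 4096   # constructed: the default NTFS cluster size on most volumes


def slack_range(first_cluster, size, cluster=CLUSTER):
    """[start, end) byte offsets of the file slack between logical EOF and the end of
    the file's last cluster; None when the size is an exact cluster multiple."""
    start = first_cluster * cluster + size
    end = (first_cluster + math.ceil(size / cluster)) * cluster
    return (start, end) if start < end else None


def xor_bytes(data, key):
    """Repeating-key XOR, the light obfuscation Slacker's option applies."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hide_in_slack(image, first_cluster, size, payload, key):
    """Hider side: obfuscate the payload and write it into the carrier's slack. The
    carrier's own bytes and its recorded size are untouched. Returns the offset used."""
    rng = slack_range(first_cluster, size)
    if rng is None:
        raise ValueError("carrier has no slack")
    start, end = rng
    if len(payload) > end - start:
        raise ValueError(f"payload needs {len(payload)} bytes, slack has {end - start}")
    image[start:start + len(payload)] = xor_bytes(payload, key)
    return start


def scan_slack(image, files, cluster=CLUSTER):
    """Examiner side: for each (name, first_cluster, size) report slack that is not all
    zeros, with the count of non-zero bytes. Non-zero slack is a lead, not proof: the
    sector-to-cluster part of slack may simply hold remnants of an earlier file."""
    findings = []
    for name, first_cluster, size in files:
        rng = slack_range(first_cluster, size, cluster)
        if rng is None:
            continue
        chunk = bytes(image[rng[0]:rng[1]])
        nonzero = len(chunk) - chunk.count(0)
        if nonzero:
            findings.append({"file": name, "offset": rng[0],
                             "slack_bytes": len(chunk), "nonzero": nonzero})
    return findings


def demo():
    """Constructed 16-cluster image with three carrier files; a note is hidden in one."""
    image = bytearray(16 * CLUSTER)
    files = [("report.docx", 2, 5000), ("notes.txt", 4, 8192), ("photo.jpg", 6, 10000)]
    for _, fc, size in files:
        image[fc * CLUSTER:fc * CLUSTER + size] = b"A" * size   # stand-in file content
    key = b"\x5a\xa5"
    note = b"meet at 2300"
    off = hide_in_slack(image, 2, 5000, note, key)
    findings = scan_slack(image, files)
    # Once the slack is located, a disk editor shows the bytes; undo the XOR to read them.
    recovered = xor_bytes(bytes(image[off:off + len(note)]), key)
    return {"offset": off, "findings": findings, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

On a real NTFS volume Windows zero-fills from the end of file to the end of the current sector when it writes, so the first part of the slack is normally zeros and only the sectors beyond it carry leftovers; non-zero bytes immediately after EOF are therefore the stronger indicator. Repeating-key XOR does nothing against this scan, because the test is for non-zero content, not for readable content.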

The ability to hide data on computer storage media is a byproduct of the system and peripheral architectures. If all storage were bit-addressable at the operating system level, there would be no place to hide data, hence no physical concealment. But for efficiency considerations, system addressability has to be at more abstract levels (typically words in primary storage, and blocks in secondary storage). Such abstractions create digital warrens where data may go unnoticed or, in some cases, be inaccessible.

DISK DRIVES AND DIGITAL WARRENS

Where on disk may data be hidden?

A formatted hard drive may be thought of as a logical structure mapped onto a physical medium. The logical structure consists of partitions, file systems, files, records, fields, etc. The physical structure consists of disks, cylinders, tracks, clusters, sectors, etc. The absence of 1:1 mappings between the logical and the physical realms creates the digital warrens for concealed data.

This has several implications. First, application software and operating systems typically interface with the logical structure. Were there concealed data on a disk, the typical user would never know it.

More frightening, however, is that modern computer forensics tools are not designed to uncover all digital warrens. They typically focus on those disk areas that have already been observed to hold concealed data. This presents a major problem for law enforcement, because the more sophisticated hacker, criminal, or terrorist could take advantage of the disk warrens that are not easily found by current forensics tools. So, from a security and forensics point of view it's wise to approach the problem of data hiding from the point of view of what's possible rather than what's already known.

For example, computer vendors commonly create two reserved areas when they format new computer hard disks: a Host Protected Area (HPA) for their proprietary software and data, and a Device Configuration Overlay (DCO) area for disk metadata. You've probably noticed the abundance of software bearing the manufacturer's name that came with your computer for management, updating, diagnostics, etc. The manufacturer wants this software available to the user, and wants to make it difficult for the user to delete it. Such software would typically fit in the HPA.

Access of these areas by an operating system is prohibited by the disk controller. This is the modern-day analog to our track 81-82 copy protection scheme that we described in the first paragraph of this column. The hack in this case would be to write a program at a low enough level to access the disk controller, and then hide the data in the HPA or DCO – not difficult at all if one knows the physical boundaries and boots to a non-host OS. Even within the OS, it's possible to reassign these areas to OS-control, change the contents, and then reassign them to HPA/DCO. This is an example of a hiding method that takes advantage of what is more or less a “physical” feature of the drive architecture. So, with a little sophistication one could bury covert data in either the HPA or DCO where it would be concealed from even the operating system!

Further down in the disk hierarchy, we have the disk partition. Modern Operating Systems allow the administrator to re-define the number and sizes of disk partitions with any number of commercial and shareware utilities. It is fairly common to place the operating system (that is seldom modified) on a partition by itself and place all applications on another partition. In this manner, rigorous configuration changes to the applications software would be unlikely to affect the OS.

Therein lies another opportunity to conceal data. Because the logical partition may not fit perfectly within the physical subdivisions of the disk, partition slack results. Partition slack is the area between the end of a logical partition and the end of the physical block the partition falls within. As with the HPA/DCO example, this partition slack space is unusable to applications and the operating system. Extended partitions exacerbate the problem by enabling a multitude of embedded logical partitions, each one of which contains a digital warren of 62 sectors.

If the partitions in aggregate do not use up all of the available disk space, volume slack results. One could easily create a multitude of partitions, load one with covert data and then delete it. Since deleting the partition does not delete the data but only the reference to it by the operating system, the data stays behind beyond the reach of applications and OS.

Down further still, we have routine disk slack. It would be very unusual to find files that are exactly as long as the sector/cluster sequence they're stored on. At the sector level, any unused part of a partially-filled sector is padded with either data from memory (RAM slack) or null characters (sector slack). After the padded sector, any remaining, unused sectors are simply ignored (file slack). Once again, the OS and applications have no access to this space, as it physically follows the end of an active file but lies within the allocated sectors and clusters.

You get the idea. Figure 1 lists eleven data warrens on file systems that are typically unobservable. Variations on this theme are endless.


Figure 1: Covert Data Warrens on Disk Drives

Source: Hal Berghel, David Hoelzer and Michael Sthultz, “Data Hiding Tactics for Windows and Unix File Systems” (used with permission)


FORENSIC IMPLICATIONS

Without question, the most frightening side effect of these digital warrens is the inability of modern forensic tools to easily recover the data. With workstations now shipping with RAID 5 stacks and terabytes of disk space, manual investigation of hard drives at the byte level is simply not viable.

In a sense, we've been living in a fool's paradise because today's crooks and criminals seldom take extraordinary measures to conceal data. Most of the forensics work in law enforcement that I'm aware of involves very basic data recovery techniques with a few popular forensics tools. Even encryption and thorough disk wiping is. However, it would be unwise to expect this to continue, as crooks and their misdeeds become more sophisticated.

For simplicity, we'll illustrate the principle of covert data hiding on a hard disk with a simple example based on the old FAT 16 format. The relevant design consideration is a 1:1 mapping between the entries in the file allocation table and the physical clusters on the disk. For example, a FAT entry of hex 0000 indicates that the corresponding cluster on the disk is free for use. A hex value of 0002-FFEF is a pointer to the next cluster on the disk that is part of a file. Hex FFF7 indicates a bad cluster that has been culled so that it can't be reallocated.

You guessed it, our simple example will involve changing some entries in the FAT from “free” to “bad,” and then storing data on the bad clusters. In our case, we modified the FAT to show clusters 24-29 as bad, and then stored a GIF file on those clusters. The OS sees the clusters as bad and won't access them, so the data is covert from the OS point of view. But suppose we look at this forensically.

A mainstay of modern forensics tools is a file carver. File carvers attempt to reconstruct the disk contents without using the operating system's meta-level information. Figure 2 shows the result of looking at our disk with a modern file carver.


Figure 2: File Carver Analysis of Covert Data on “Bad” Clusters

Source: “Data Hiding Tactics for Windows and Unix File Systems” (ibid)

We observe that the file carver ignored the file's “magic number” identifier that revealed it as a GIF graphics file, and simply reported the clusters as a lost file fragment – i.e., it saw something there, but didn't look to see what it was, so it erroneously assumed that it must have been data residue from a broken file allocation chain. This is analogous to a network administrator ignoring the contents of the options field of an ICMP packet.
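As an added example that is not part of this column or of the Berghel/Hoelzer/Sthultz paper, the following Python builds a constructed FAT16-style image with clusters 24-29 marked bad (FFF7) and a GIF-headed payload written into them, then performs the check the carver above skipped: it reads every bad-marked FAT entry and inspects the cluster content for a known file signature or for any non-zero bytes. The on-disk layout (FAT at offset 0, data area at sector 8, 2 KiB clusters) and the payload are assumptions made for the example, not values from the page.

```python
import struct

# Constructed layout for this example (not the page's image): 512-byte sectors,
# 4 sectors per cluster, the FAT at offset 0, the data area starting at sector 8.
SECTOR = 512
CLUSTER = 4 * SECTOR
DATA_START = 8 * SECTOR
FAT_FREE = 0x0000   # FAT16 "free" entry, as described in the column
FAT_BAD = 0xFFF7    # FAT16 "bad cluster" entry, as described in the column
# File signatures ("magic numbers") a carver would normally key on.
MAGIC = {b"GIF87a": "GIF", b"GIF89a": "GIF", b"\xff\xd8\xff": "JPEG", b"%PDF-": "PDF"}

def cluster_offset(n):
    """Byte offset of data cluster n; FAT data clusters are numbered from 2."""
    return DATA_START + (n - 2) * CLUSTER

def make_image(total_clusters=64, hidden=range(24, 30), truly_bad=(40,)):
    """Constructed image: clusters 24-29 marked bad and filled with a GIF-headed
    payload, plus one genuinely bad (all-zero) cluster for contrast."""
    fat = [FAT_FREE] * total_clusters
    for c in list(hidden) + list(truly_bad):
        fat[c] = FAT_BAD
    img = bytearray(DATA_START + (total_clusters - 2) * CLUSTER)
    img[:2 * total_clusters] = struct.pack("<%dH" % total_clusters, *fat)
    payload = b"GIF89a" + bytes(range(256)) * 40   # constructed ~10 KiB "GIF"
    start = cluster_offset(min(hidden))
    img[start:start + len(payload)] = payload
    return bytes(img)

def suspicious_bad_clusters(img, total_clusters):
    """Return (cluster, reason) for every bad-marked cluster that carries a known
    signature or is simply not blank: a cluster that starts with a file header
    is the tell-tale the carver in Figure 2 missed."""
    fat = struct.unpack_from("<%dH" % total_clusters, img, 0)
    findings = []
    for n in range(2, total_clusters):
        if fat[n] != FAT_BAD:
            continue
        blob = img[cluster_offset(n):cluster_offset(n) + CLUSTER]
        kind = next((k for m, k in MAGIC.items() if blob.startswith(m)), None)
        if kind:
            findings.append((n, "starts with %s signature" % kind))
        elif any(blob):
            findings.append((n, "non-zero content"))
    return findings

if __name__ == "__main__":
    for cluster, reason in suspicious_bad_clusters(make_image(), 64):
        print("cluster %d marked bad but %s" % (cluster, reason))
```

A genuinely retired cluster (cluster 40 in the constructed image) stays silent, while the six clusters holding the payload are reported, the first one by its GIF signature.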

CONCLUSION

It isn't a question of “whether” covert data is being hidden on hard drives of unsuspecting users, but “what” and “for what purposes.” Well-funded hackers, criminals and terrorists are already hiding the data, while law enforcement tries to catch up with the latest tactic of the day. Challenged by resource limitations, they must rely on the technical community to help provide solutions and motivate vendors to pay closer attention to such potential security breaches.

To make matters worse, anti-forensic tools have been developed that are becoming as sophisticated as the forensics tools they seek to defeat. To illustrate, the Metasploit project (www.metasploit.com/projects/antiforensics) has developed three tools that are devastating for automated forensic analysis tools:

Timestomp: provides complete editing capabilities for NTFS timestamps, rendering the timestamps recovered by forensics tools unreliable in court.

Slacker: an automated tool for storing files in slack space, to appear in the near future.

Transmogrify: a tool to defeat file signature analysis.

The importance of this burgeoning art of anti-forensics cannot be overstated. Imagine the impact on law enforcement if fingerprint evidence were unreliable and iris scans could be easily spoofed. In many ways, anti-forensics is scarier than network hacking. It offers the triple threat of hiding covert data, manipulating system data to exonerate a criminal, and planting system data to implicate an innocent party – without leaving behind telltale evidence!

BERGHEL'S URL PEARLS

Out-of-standard disk copying software has passed into the digital dustbin. Trade magazines of the late 1970's and early 1980's would reveal widespread use of such software among computer enthusiasts of that era.

Loki (www.phrack.org) has been a premier covert channeling tool for Unix systems for many years. Although it is widely associated with ICMP, in principle it could use any protocol that is unlikely to be subjected to close inspection by network security appliances. Unless the packets are analyzed, the Loki transmission looks innocuous (e.g., an ICMP “ping request”, a UDP “DNS query,” etc.). Loki can encrypt all data for additional stealth, and swap between ICMP and UDP on the fly. For further detail on the ICMP and UDP packet formats, see our Packet Pal Primer at www.berghel.net/resources/packetpal/index.php.

Another approach to covert channeling is the reverse WWW shell (aka shoveling shell) developed by van Hauser in the late 1990's (www.megasecurity.org/Sources/rwwwshell-1_6_perl.txt). Like Loki, reverse WWW shell requires a daemon to be running on the compromised computer. The daemon submits outbound HTTP requests for commands from an external computer. The intruder's command is contained within the HTTP response. The command is executed on the compromised computer, and the results are subsequently shoveled to the intruder via a stream of outbound HTTP packets. The HTTP traffic that contains the covert data appears to the network to be routine Web surfing.

Where Loki and reverse WWW shell establish the covert channel over an embedded protocol by means of protocol bending, other techniques exist for establishing a covert channel by means of packet crafting. Craig Rowland's Covert_TCP (www.securityfocus.com/tools/1475) and Joanna Rutkowska's NUSHU (http://invisiblethings.org/papers/passive-covert-channels-linux.pdf) are two such examples.

Covert_TCP creates “active channels,” i.e. the daemon actually generates packets with data buried in either the ID field of the IP packet, or the Sequence or Acknowledgment Number fields of the TCP packet (cf. www.berghel.net/resources/packetpal/index.php). By contrast, NUSHU creates “passive channels” by embedding the data in the SEQ and ACK fields of existing packets, adding an offset (the data value) to the existing sequence number. The sequence of offset values is the covert data. The daemon just has to remember to subtract that offset from the returned sequence number to fool the application. Nu shu, incidentally, means “woman's writing.” It is apparently a secret language developed by Chinese women. “Traditional Chinese culture is male-centered and forbids girls from any kind of formal education, so Nushu was developed in secrecy over hundreds of years in the Jiangyong county of Hunan province.” - www.crystalinks.com/nushu.html.

Dark data/digital dark matter is usually used in some search or indexing context. See Paul Chin's 2005 summary of dark data within intranets (www.intranetjournal.com/articles/200507/pij_07_07_05a.html) or the recent discussion on the PC Forum blog, where Yahoo's Jeff Weiner estimates that 99% of the world's collective knowledge is dark data - blogs.zdnet.com/BTL/?p=2715.

Cryptography, steganography, and digital watermarking have been extensively reported in the professional literature, so a Web search will provide millions of links.

For readers interested in file carving and disk wiping, consult our August 2006 column in CACM.

Finally, for a more thorough treatment of the topic, consult Hal Berghel, David Hoelzer and Michael Sthultz, “Data Hiding Tactics for Windows and Unix File Systems” at www.berghel.net/publications/data_hiding/data_hiding.php, and the February 2006 section of CACM on Next-Generation Cyber Forensics.