
Data Protection Topics: Anti-Forensics, Cryptographic Filesystems, Encrypted Network Tunnels, Secure Deletion, Encrypted Remote Filesystems



Presentation transcript:

1 Data Protection
Topics:
● Anti-Forensics
● Cryptographic Filesystems
● Encrypted Network Tunnels
● Secure Deletion
● Encrypted Remote Filesystems

2 Approaches to Data Protection
Data Hiding
● Anti-Forensics
● Steganography (not stenography)
Data Encryption
● Data lifecycle
  ● Creation
  ● Storage on filesystems
  ● Transfer across networks
  ● Deletion

3 Basic Data Hiding
Linux Hidden Mount Points
● Mount a filesystem on top of a pre-existing filesystem
Camouflaged files
● Hide a file in a large directory like /dev
● Camouflaged names like “. ” ( )

4 NTFS Alternate Data Streams (ADS)
Windows NTFS only
Arbitrary file/directory attributes
Manipulated from the command prompt
No GUI recognizes ADS, including Windows Explorer
Overlooked by most antivirus, IDS and security tools
LADS (List ADS) is the only tool for discovering ADS

5 Filesystem Slack Space and BMAP
Filesystems (particularly ext2)
● View the disk as a contiguous series of blocks
● Blocks are the smallest addressable unit
● Ext2 block size: 1024, 2048 or 4096 bytes
● A file's inode contains its block map
● Internal fragmentation when a file doesn't fill its last block
● The free space between EOF and the end of the block is slack space
BMAP
● bmap stores data in a single file's slack space
● slacker stores large data across multiple files' slack space

6 Cryptographic Filesystems and EncFS
Everybody needs a cryptographic filesystem
Cryptographic filesystems used to be difficult
EncFS makes Linux crypto filesystems easy
● Uses OpenSSL for encryption; very fast and secure
● Decrypted filesystem mount point is transparent
● Friendly features:
  ● One simple userland command
    ● encfs ~/.crypt ~/crypt
    ● encfs -u ~/crypt
  ● Automatic idle unmounting
  ● Paranoid mode

7 Encrypted Network Tunnels
Problem: have a cleartext protocol; need encryption
Non-intrusive solution: tunnels (a.k.a. port-forwarding)
Tunnels
● Wrap an existing TCP protocol with strong encryption
● Also good for bypassing draconian firewalls
● Tunnel contractors:
  ● SSH port-forwarding
  ● Stunnel SSL tunneling

8 Tunnelling/Port Forwarding
(diagram; source: http://www.bitvise.com/port-forwarding.html)

9 Stunnel – Universal SSL Wrapper
Stunnel Features
● SSL client
● SSL server
● Server and client certificate validation
● TCP wrapper support
● IDENT lookups
● SMTP protocol negotiation
● Source address rewriting
● IP source routing protection
● DNS spoofing protection

10 Secure Remote Filesystem Mounts with SHFS
SHFS ((Secure) SHell FileSystem)
No server-side configuration required
Linux loadable kernel module on the client side
Easily mount remote filesystems through an SSH tunnel
Friendly features
● Two simple userland commands
  ● shfsmount -ps foo.bar.com ~/mnt/remote
  ● shfsumount ~/mnt/remote
● Broken connections are re-established
● Follows symlinks

11 Secure Deletion
Magnetic force microscopy / scanning tunnelling microscopy
Filesystem unlinking
Secure Deletion Methods
● Gutmann wipe
● American DoD 5220-22.M standard wipe
● Canadian RCMP TSSIT OPS-II standard wipe
● PRNG stream wipe
Tools
● Wipe
  ● Securely deletes files/directories from the command line
● Darik's Boot and Nuke
  ● Bootable secure deletion floppy
  ● Wipes all detectable hard disks
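Added example, not part of the slides or of the wipe/bmap tools they name: a Python function that computes the slack space described on slide 5 for a given file size and block size, and a PRNG stream wipe of the kind listed on slide 11 that overwrites the file through its slack before unlinking it. The 4096-byte BLOCK_SIZE, the function names and the sample file in demo() are assumptions.

```python
import os
import secrets
import tempfile

BLOCK_SIZE = 4096  # assumed block size; ext2 uses 1024, 2048 or 4096 (slide 5)

def slack_space(file_size: int, block_size: int = BLOCK_SIZE) -> int:
    """Bytes between EOF and the end of the last block (slide 5). A file that
    exactly fills its blocks, or an empty file with no data block, has none."""
    if file_size <= 0:
        return 0
    remainder = file_size % block_size
    return 0 if remainder == 0 else block_size - remainder

def prng_stream_wipe(path: str, passes: int = 3,
                     block_size: int = BLOCK_SIZE) -> dict:
    """Overwrite a file with PRNG output, then unlink it (slide 11 method).
    The overwrite runs to the block boundary so the file's own slack, where
    bmap-style hidden data would sit, is rewritten too. Caveat: journaling or
    copy-on-write filesystems and SSD wear levelling may keep old copies."""
    size = os.path.getsize(path)
    total = size + slack_space(size, block_size)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = total
            while remaining:
                chunk = min(remaining, 65536)
                fh.write(secrets.token_bytes(chunk))
                remaining -= chunk
            fh.flush()
            os.fsync(fh.fileno())  # push each pass to the device
    # Rename to a random name so the original filename does not survive in
    # the directory entry, then unlink.
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anon)
    os.unlink(anon)
    return {"size": size, "slack": total - size,
            "passes": passes, "bytes_written": passes * total}

def demo() -> dict:
    """Wipe a constructed 5000-byte file inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "secret.txt")
        with open(target, "wb") as fh:
            fh.write(b"S" * 5000)  # constructed sample content
        result = prng_stream_wipe(target)
        result["still_exists"] = os.path.exists(target)
        return result
```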

12 What You Will Do In Lab
Explore Alternate Data Streams on NTFS
Hide data in slack space with bmap/slacker
Create a cryptographic filesystem with EncFS
Encrypt arbitrary network protocols
● Stunnel tunnels
● SSH port-forwarding
Mount a remote filesystem securely with SHFS
Explore secure deletion with wipe
Discuss Darik's Boot and Nuke

