Computer Forensics: Basics Media Analysis
Agenda – Common Data Hiding Techniques – Windows Registry – Writing files – Deleting and Reformatting – Recycle Bin
Learning Objectives At the end of this module you will be able to: – Describe the forensic mindset – Discuss organizing the investigation – Describe various data hiding techniques – Hide data using NTFS ADS
Data Hiding Review Look out David Copperfield!
Common Techniques Rename files/directories Delete files/directories Copy files/directories Print files Format a disk
Rename Files Rename files and/or file extensions Example: Rename extortion_letter.doc to fuzzy_bunny.jpg People looking for incriminating evidence probably won’t check a picture file called fuzzy_bunny.jpg
Copying Files Scenario #1: Copying a file to a floppy disk or hard disk. If you run out of space, the pointer to the file is removed, but the data already copied to the sectors is left in place. Scenario #2: The computer crashes while copying a file. Again, the file contents copied to the unallocated sectors will exist, but the pointer to the data will not have been created.
Printing a File When printing a file, it is spooled to the hard disk before it is printed. Spooling involves copying the file to a temporary location, printing it, then deleting it. After the temporary file is deleted, the data still exists on disk.
Formatting a Disk When a disk is quick formatted, the file table on the disk is cleared, but the data on the disk is left in place. Again, this is similar to deleting all the files on a disk.
Hiding Folders (Win) Create files or directories with non-printable characters Example: At a DOS prompt, type the character Alt-255 using the numeric keypad. This will insert a “blank space” character, but it is not an actual space. If you show a directory listing, you can see the file/directory exists, but you might not know exactly how many “non-printing” characters exist, or their location within the file name. You can still access the directory via the Windows Explorer and similar graphical tools.
Attributes In Windows, set the “hidden” attribute on a file or directory. Can still view files if the “Show hidden files and folders” option is checked in Windows Explorer. Other tools may or may not display hidden files.
Folders In Unix, rename a file or directory so its name starts with a “.” Example: mv important.doc .important.doc Can still be viewed by listing all files: ls -a Other methods??? – Names made only of dots and spaces, e.g. “...”, “. ”, “.. ” – Root kits love making these kinds of hidden folders
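A small scanner for the two naming tricks above (Alt-255 and other non-printing characters on Windows, dot-and-space names on Unix). This is an added example, not code from the course; the sample tree it builds is constructed, and the U+00A0 mapping of Alt-255 assumes code page 437/850.

```python
"""Flag file names that hide in plain sight.

Added example, not from the slides: detects Windows names padded with the Alt-255
"blank" (code page 437/850 byte 0xFF, which becomes U+00A0 NO-BREAK SPACE) or other
non-printing characters, and Unix names built only from dots and spaces
("...", ". ", ".. ") that rootkits favour.
"""
import os
import tempfile
import unicodedata


def is_suspicious_name(name: str) -> bool:
    """True if the name is only dots/spaces, or contains a non-printing or fake-space character."""
    if name in (".", ".."):                      # the real directory links, not a trick
        return False
    if name and all(ch in ". " for ch in name):
        return True                               # "...", ". ", ".. " and friends
    for ch in name:
        cat = unicodedata.category(ch)
        if cat in ("Cc", "Cf") or (cat == "Zs" and ch != " "):
            return True                           # control/format chars, NBSP and other fake spaces
    return False


def scan(root: str) -> list:
    """Walk a tree and return sorted relative paths whose last component looks suspicious."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for n in dirnames + filenames:
            if is_suspicious_name(n):
                hits.append(os.path.relpath(os.path.join(dirpath, n), root))
    return sorted(hits)


def demo_tree() -> list:
    """Build a constructed tree containing a few hidden-name tricks and scan it."""
    root = tempfile.mkdtemp()
    for d in ("...", ". ", "docs"):
        os.mkdir(os.path.join(root, d))
    for f in ("fuzzy_bunny.jpg", "docs/.bashrc", "docs/notes\u00a0.txt"):
        open(os.path.join(root, f), "w").close()
    return scan(root)                             # [". ", "...", "docs/notes\xa0.txt"]


if __name__ == "__main__":
    print(demo_tree())
```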
FS UNIX In Unix it is possible to hide files and directories “under” a filesystem Example: mkdir /temp; create files/directories in /temp; mount a filesystem at /temp. The files are not visible and cannot be read or written; they are accessible again after the filesystem has been unmounted. This might be detectable, but not always. Example: / is 10 GB, the visible files add up to 2 GB, but only 4 GB are free. The unaccounted-for space could indicate the presence of files hidden under a filesystem.
Swap Space Swap space (also called a page file) is used to increase the amount of memory available to the system. The total memory available (real RAM plus the swap space) is called virtual memory. Information is constantly being written to memory, and therefore to the hard disk. Information can then be extracted from this file.
Core Dumps Core dumps are created on Unix systems when a process or program generates a fault. The core dump will contain all the data from CPU registers and memory at the time of the fault. Information can then be extracted from the core dump.
Slack Space When files are deleted, both the deleted data and the data in slack space still exist. When a file is wiped from the system (permanently removed), any data in the slack space still exists. The data in the slack space is only removed when it is overwritten or explicitly removed.
Slack Space What are the two types of slack? (diagram: Cluster 2, showing the file slack space) – RAM slack: the area from the end of the file to the end of that sector; its contents come from RAM. – Residual slack: the area from the end of the RAM slack to the end of the cluster; whatever was on the media before. Together these make up the file slack space.
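The two slack regions worked through in code: an added example (not from the course) that writes a constructed 1300-byte file into a constructed 4 KB cluster that previously held other content, then carves the RAM slack and residual slack back out. Sector and cluster sizes are assumptions.

```python
"""Slack space layout and carving.

Added example, not from the slides. A constructed cluster of 8 sectors x 512
bytes previously held another file; a new 1300-byte file is written into it.
RAM slack is the tail of the last written sector (filled from a RAM buffer on
old DOS, zeros on modern systems); residual slack is the unwritten sectors
after it, which still carry the old content until they are overwritten.
"""
SECTOR = 512
CLUSTER_SECTORS = 8
CLUSTER = SECTOR * CLUSTER_SECTORS


def slack_layout(file_size: int) -> dict:
    """Byte ranges [start, end) of data, RAM slack and residual slack in the file's last cluster."""
    used = file_size % CLUSTER or CLUSTER            # data bytes in the last cluster
    sector_end = -(-used // SECTOR) * SECTOR           # round up to the end of that sector
    return {"data": (0, used), "ram_slack": (used, sector_end),
            "residual_slack": (sector_end, CLUSTER)}


def write_last_cluster(old_cluster: bytes, tail: bytes, ram_fill: bytes = b"\x00") -> bytes:
    """Simulate the OS writing the final (partial) cluster of a file over old media content.

    Whole sectors are written, so the partial sector is padded with ram_fill; the
    sectors beyond it are never touched and keep whatever old_cluster held.
    """
    assert 0 < len(tail) <= CLUSTER and len(old_cluster) == CLUSTER
    used, sector_end = slack_layout(len(tail))["ram_slack"]
    return tail + ram_fill * (sector_end - used) + old_cluster[sector_end:]


def carve_slack(cluster: bytes, file_size: int) -> dict:
    """Return the RAM slack and residual slack bytes of a file's last cluster."""
    return {name: cluster[a:b] for name, (a, b) in slack_layout(file_size).items()
            if name != "data"}


def demo() -> dict:
    old = (b"OLD SECRET MEMO " * 256)[:CLUSTER]       # constructed prior content (16-byte pattern)
    new_file = b"A" * 1300
    cluster = write_last_cluster(old, new_file)
    return carve_slack(cluster, len(new_file))       # 236 bytes RAM slack, 2560 bytes residual


if __name__ == "__main__":
    for name, blob in demo().items():
        print(name, len(blob), blob[:16])
```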
Alternate Data Streams “Proof of a parallel Universe!”
Alternate Data Streams Microsoft introduced the Alternate Data Stream (ADS) into NTFS in the early 1990s Created so Microsoft Windows NT could be a file server for Macintosh files Mac’s Hierarchical File System (HFS) uses alternate streams called Resource Forks to store additional file information, such as icons
ADS Unlike FAT (and other filesystems), which only have one data stream, NTFS allows the creation of multiple data streams (see Fig. 1) ADSs in NTFS can be used to store summary information about files (see Fig. 2) This information is not transportable to other filesystem types (e.g. FAT, ext2)
ADS Figure 1 ADS Figure 2
ADS Most file system utilities (such as Windows Explorer) will only report on the default data stream The reported file size will remain the same, regardless of the number of ADSs attached to a file
ADS Microsoft does not provide any tools to detect ADSs LADS, created by Frank Heyne, is a command-line tool that will search an NTFS filesystem for ADSs LADS is available from
ADS (cont’d) Creating an ADS:
echo text in default stream > myfile.txt
echo extra text in ADS > myfile.txt:hidden.txt
ADS
C:\temp>echo some text > myfile.txt
C:\temp>dir myfile.txt
 Volume in drive C has no label.
 Volume Serial Number is 40AB-8351
 Directory of C:\temp
 :11p 12 myfile.txt
 1 File(s) 12 bytes
 0 Dir(s) 3,227,021,312 bytes free
C:\temp>type bigfile.tgz > myfile.txt:hidden
C:\temp>dir myfile.txt
 Volume in drive C has no label.
 Volume Serial Number is 40AB-8351
 Directory of C:\temp
 :12p 12 myfile.txt
 1 File(s) 12 bytes
 0 Dir(s) 3,183,009,792 bytes free
C:\temp>
Note that the reported size stays at 12 bytes while the free space on the volume drops by about 44 MB.
ADS
C:\temp>lads
LADS - Freeware version 3.10
(C) Copyright Frank Heyne Software (
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!
Scanning directory C:\temp\
 size ADS in file
 C:\temp\myfile.txt:hidden
 bytes in 1 ADS listed
C:\temp>
ADS Running a hidden command in ADS (try this on an NTFS file system):
C:\>echo some text > c:\temp\file.txt
C:\>type c:\winnt\system32\calc.exe > c:\temp\file.txt:hidden.exe
C:\>type c:\temp\file.txt
C:\>start /b c:\temp\file.txt:hidden.exe
This will start the Windows calculator program from a 12-byte file!
Steganography The hiding of information within a more obvious kind of communication Quite often the “obvious communication” is a picture The data is hidden in such a way as to minimally impact the original image
Summary There are various areas that can be used to conceal data. Start simple then work to the more complex. Understanding common hiding techniques and where artifacts can be found is crucial.
Delete, Reformat & Recycle Bin
Outline Deleting & Reformatting – FAT Drives – NTFS Drives Recycle-Bin (NTFS)
Learning Objectives At the end of this module you will be able to: – Describe the changes that take place on a FAT drive when a file is deleted – Describe the changes that take place on a FAT drive when the drive is reformatted – Describe the changes that take place on an NTFS drive when a file is deleted – Explain the changes that take place when a file is moved to the recycle bin – Recover deleted files and files placed in the recycle bin
Writing a file What areas change when a FILE is written? (diagram: MBR, reserved area, boot record, FAT1, FAT2, root directory, data area) – A directory entry is created in an unused directory entry (filename, start cluster, size) – Both FATs are updated – The FILE contents are written to the data area
Deleting a file What areas change when a FILE is deleted? – The first character of the directory entry is changed (FILE becomes ILE) – The file’s FAT entries are cleared (zeroed) – The data area is not changed!
Reformatting What areas change when a partition is reformatted? Three areas change: – Root directory entries are cleared (zeroed) – FAT entries are cleared (zeroed) – The boot record is written – The data area is not changed
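The FAT delete sequence above, and the recovery it leaves possible, as an added example on a constructed in-memory volume (not code from the course). The directory-entry offsets and the 0xE5 marker are the standard FAT layout; cluster size, FAT contents and the sample file are constructed.

```python
"""FAT delete and undelete on a constructed in-memory volume (added example, not from
the slides). Standard 32-byte directory entry: name/ext at 0-10, first cluster LE16 at
26, size LE32 at 28. Delete sets the name's first byte to 0xE5 and zeroes the FAT chain;
the data area is untouched, so a contiguous file is recoverable from start cluster + size."""
import struct
CLUSTER = 512                # bytes per cluster in this constructed volume
EOC = 0xFFFF                 # FAT16 end-of-chain marker
DELETED = 0xE5               # first byte of a deleted directory entry
ENTRY_FMT = "<8s3s15xHI"     # name, ext, pad to offset 26, first cluster, size

def make_dir_entry(name, ext, first_cluster, size):
    return struct.pack(ENTRY_FMT, name.ljust(8).encode(), ext.ljust(3).encode(), first_cluster, size)

def parse_dir_entry(raw):
    name, ext, first, size = struct.unpack(ENTRY_FMT, raw)
    name = name.decode("latin-1").rstrip()
    if raw[0] == DELETED:
        name = "?" + name[1:]            # first character is lost; shown as '?' like forensic tools do
    return {"deleted": raw[0] == DELETED, "name": name + "." + ext.decode().rstrip(),
            "first_cluster": first, "size": size}

def write_file(fat, data_area, first_cluster, content):
    """Store content in consecutive clusters from first_cluster and link them in the FAT."""
    n = -(-len(content) // CLUSTER)
    for i in range(n):
        c = first_cluster + i            # cluster numbering starts at 2 in the data area
        data_area[(c - 2) * CLUSTER:(c - 1) * CLUSTER] = \
            content[i * CLUSTER:(i + 1) * CLUSTER].ljust(CLUSTER, b"\0")
        fat[c] = c + 1 if i < n - 1 else EOC

def delete_file(entry, fat):
    """What the OS does on delete: mark the entry and zero the chain; the data area is not touched."""
    c = parse_dir_entry(entry)["first_cluster"]
    while c not in (0, EOC):
        nxt, fat[c] = fat[c], 0
        c = nxt
    return bytes([DELETED]) + entry[1:]

def undelete(entry, data_area):
    """Recover assuming contiguous clusters (the FAT chain is gone after deletion)."""
    e = parse_dir_entry(entry)
    return bytes(data_area[(e["first_cluster"] - 2) * CLUSTER:][:e["size"]])

def demo():
    fat = [0xFFF8, EOC] + [0] * 14       # 16 entries; 0 and 1 are reserved
    data_area = bytearray(CLUSTER * 14)  # clusters 2..15
    content = b"Dear Sir, pay up or else. " * 40   # 1040 bytes -> clusters 3, 4, 5
    write_file(fat, data_area, 3, content)
    entry = delete_file(make_dir_entry("LETTER", "DOC", 3, len(content)), fat)
    return parse_dir_entry(entry), fat[3:6], undelete(entry, data_area) == content
```

Running demo() returns the parsed deleted entry (name shown as ?ETTER.DOC), the zeroed FAT entries [0, 0, 0], and True for a byte-exact recovery from the untouched data area.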
NTFS NTFS is different! Reiser and some others will cause different problems in the future.
Storing Files in NTFS $LogFile metadata file is updated – Transaction steps are logged – Used to “roll back” if necessary
Deleted File – Parent directory: index entry removed; $BITMAP attribute updated* – MFT file record marked available – $MFT $BITMAP attribute updated – $Bitmap metadata file updated (if the file had non-resident clusters)
Deleted File (diagram walk-through) – Index entry removed: the index entry for MYFILE.HLP is removed from the MYFILES directory record – MFT record marked available: the file record for MYFILE.HLP is marked available – $MFT $BITMAP attribute updated (the $MFT file record: file record header, $STANDARD_INFORMATION, $DATA, $BITMAP) – $Bitmap metadata file updated
Directory Deleted/Recycled Recycled: Same as file, but NOTHING happens to the contents Deleted: Same as file except all contents are deleted as well
Recovering Deleted Files Software Tools – GetDataback (Runtime) – R-studio – CIA Unerase – etc.
Review What happens to deleted FAT files What about formatting? What happens to deleted NTFS files Recovering deleted files
Deleted vs “Recycled” Deleted or “Recycled” – Sent to Recycle Bin – Deleted from the Recycle Bin – Deleted bypassing the Recycle Bin
Win2K/XP Recycle Bin “Recycled” Folder for FAT: INFO2 Place holder(s) Desktop.ini – See notes for NT4 differences in Recycle Bin Structure
Win2K/XP Recycle Bin “Recycler” Folder for NTFS – SID named subdirectory contains: Place holder(s) INFO2 Desktop.ini – See notes for NT4 differences in Recycle Bin Structure
NTFS Recycle Bin
Placeholder(s) Entry for each deleted item: – Hidden from view in GUI environment – Date & time unchanged from original file – If a subdirectory is deleted only one placeholder is made
Placeholder(s) Named D<drive letter><counter>.<original extension>, e.g. DC1.TXT DC2.JPG DC3.BMP
INFO2 file An 800-byte entry is made for each recycled object: – Recycled date – Original path and filename – Placeholder drive letter and #
INFO2 file Fields at offsets 260 – 275 of an INFO2 entry: Counter, Drive Letter, Recycled Date and Time (GMT)
INFO2 File Recycled date and time issue – The date and time are stored in GMT in hexadecimal format – Recycle Bin tools (IEHistory, Datalifter) will convert the time for you! – Something wrong here? Hint! HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation
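An INFO2 parser that walks the 800-byte entries, decodes the counter, drive letter and GMT FILETIME at offsets 260-275, rebuilds the placeholder name, and applies the machine's TimeZoneInformation bias to get local time. Added example, not one of the tools named above; the record layout is the standard Win2K/XP one, the sample INFO2 blob and its paths, counters and times are constructed, and the header is assumed to carry the record size at offset 12.

```python
"""INFO2 record parser for the Win2K/XP Recycle Bin (added example, not one of the
tools named on the slides). Each 800-byte record: ANSI original path at 0, counter
(uint32) at 260, drive number (uint32, 0=A .. 2=C) at 264, recycled time as a 64-bit
FILETIME at 268 (UTC, 100-ns ticks since 1601-01-01), physical size at 276, Unicode
path at 280. The 20-byte file header holds the record size as a uint32 at offset 12."""
import struct
from datetime import datetime, timedelta, timezone

HEADER = 20
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_local(dt, active_time_bias_min):
    """Apply TimeZoneInformation\\ActiveTimeBias (minutes, UTC = local + bias) from the suspect machine."""
    return dt.astimezone(timezone(timedelta(minutes=-active_time_bias_min)))

def parse_record(rec):
    ansi_path = rec[:260].split(b"\0", 1)[0].decode("latin-1")
    counter, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
    uni_path = rec[280:].decode("utf-16-le").split("\0", 1)[0]
    path = uni_path or ansi_path
    ext = path.rsplit(".", 1)[1] if "." in path.rsplit("\\", 1)[-1] else ""
    letter = chr(ord("A") + drive)
    return {"counter": counter, "drive": letter, "original": path, "size": size,
            "placeholder": "D%s%d%s" % (letter, counter, "." + ext if ext else ""),
            "recycled_utc": filetime_to_utc(ft)}

def parse_info2(blob):
    rec_size = struct.unpack_from("<I", blob, 12)[0]
    return [parse_record(blob[o:o + rec_size]) for o in range(HEADER, len(blob), rec_size)]

def make_record(path, counter, drive, recycled_utc, size):
    """Build a constructed record (same layout) so the parser can run offline."""
    ft = ((recycled_utc - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return (path.encode("latin-1").ljust(260, b"\0") + struct.pack("<IIQI", counter, drive, ft, size)
            + path.encode("utf-16-le").ljust(520, b"\0"))

# Constructed sample INFO2: header (only the record-size field is used here) plus two records.
SAMPLE = struct.pack("<IIIII", 5, 0, 0, 800, 0) + make_record(
    r"C:\Documents and Settings\bob\extortion_letter.doc", 1, 2,
    datetime(2004, 3, 14, 22, 11, 0, tzinfo=timezone.utc), 12288) + make_record(
    r"C:\temp\fuzzy_bunny.jpg", 2, 2, datetime(2004, 3, 15, 3, 5, 0, tzinfo=timezone.utc), 65536)

if __name__ == "__main__":
    for r in parse_info2(SAMPLE):
        print(r["placeholder"], r["original"], r["recycled_utc"], utc_to_local(r["recycled_utc"], 300))
```

With an ActiveTimeBias of 300 (US Eastern standard time) the second record moves from 15 March 03:05 GMT to 14 March 22:05 local, which is the date shift the slide's hint is about.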
Desktop.ini Created when Recycle Bin is created Only modified if recycle bin is EMPTIED – All Date / Time information updated when bin is emptied
Recovering From Recycle Bin Copy placeholders to separate drive Copy INFO2 file; use utility to parse out date / time data – Datalifter – IE History
Summary Deleting and formatting on a hard drive does not touch the data area. Often evidence can be found in deleted files and the recycle bin. System clocks and default time zone settings are very important.