WindowsNetworking.com Newsletter of April 2008

WindowsNetworking.com Monthly Newsletter of February 2009 Sponsored by: AdventNet

Welcome to the WindowsNetworking.com newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: tshinder@windowsnetworking.com

Are you using multiple free tools for your network management needs?

Put a stop to the daily searches, downloads and confusing reports that come along with disparate management tools! ManageEngine OpManager offers IT administrators a single management console for managing their servers, services, applications, databases, networks, devices, VoIP services, and much more.

Download a free 30-day trial and see for yourself why OpManager is also called the ‘Swiss Army knife of network management’. OpManager starts at $445.

1. Hiding Data on and Off the Network

Disgruntled employees can do the darnedest things, such as hiding data on their hard disks. Sometimes a disgruntled employee will try to ruin your business and hide valuable information on his own or someone else's computer. This data hidden on the hard disk can, in some cases, be very useful to investigators in building a case against a budding cybercriminal.

Some of this may be ambient data left behind when files were deleted or disks were repartitioned. There are also a number of places where data can be deliberately hidden by technically savvy criminals using a disk editor, steganographic software, and other methods. Finding, retrieving and reconstructing this hidden data can be an extremely tedious process, but it is worth the effort if it yields evidence that can make or break a criminal case, or data that is crucial to your business.

Where Data Hides

A disk sector is a unit of space of a fixed size (such as 512 bytes). Older hard disks may have some wasted storage space on the outer tracks because of the way the disk is divided into tracks that each contain the same number of sectors. The difference in circumference between the inner and outer tracks is what creates this wasted space, and it is possible in some cases to hide data in the space between sectors on the longer outer tracks. This is called the sector gap. Drives that use zoned bit recording place more sectors on the outer tracks and largely eliminate it. Nothing that works at the file-system level will ever show you this space; some data recovery services may be able to locate and retrieve data hidden there.

Another place that data can be hidden is in the slack area created when a file's size does not exactly match the size of the clusters in which it is stored. Cluster sizes vary, but whenever a file (or the last portion of a file) is smaller than the cluster size, the "leftover" bytes in that cluster go unused. In file systems such as FAT16, where cluster sizes grow with the partition size (up to 32 KB), this can add up to a very large amount of "empty" space, and that space can be used to covertly store other data. Data may be hidden here without the user of the file ever knowing.

Clusters are made up of sectors. When the end of a file does not fall on a sector boundary, the remainder of that last sector still has to be written. DOS and Windows 9x padded it with whatever happened to be in the system's memory buffers; this is called RAM slack, and it meant that data from the current work session (anything since the computer was last booted) could end up on disk in the padding of the final sector. NT-based Windows (NT, 2000, XP and later) zero-fills that padding, so on those systems the RAM slack is empty, but the remaining sectors of the last cluster that the file never touched (drive slack) still hold whatever the previous occupant of the cluster left there. All kinds of disks (floppy, hard disk and removable) are subject to slack, and computer forensic analysis tools such as those marketed by NTI can recover data from it.
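To make the two kinds of slack concrete, the following added example (not code from the original newsletter) computes the RAM-slack and drive-slack split for a given file size and then simulates a cluster-allocated volume: a file is written, a payload is written raw into the slack after its end-of-file, and a normal read of the file shows nothing while a slack scan recovers the payload. The 512-byte sectors and 4096-byte clusters, the toy allocation table and the hidden string are all constructed for illustration.

```python
"""Slack space: where it is, how big it is, and why a file read never shows it.

Added example, not code from the original newsletter. The sector and cluster
sizes, the simulated volume and the hidden payload are all constructed here.
"""

SECTOR = 512      # bytes per sector, as in the text
CLUSTER = 4096    # eight sectors per cluster, a common NTFS/FAT32 default


def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Split the unused tail of a file's last cluster into its two parts.

    RAM slack:   end-of-file to the end of the last sector written. DOS and
                 Windows 9x padded this with memory contents; NT-based Windows
                 writes zeros.
    Drive slack: the sectors of the last cluster the file never touched; they
                 keep whatever the previous occupant left there.
    """
    if cluster % sector:
        raise ValueError("cluster size must be a whole number of sectors")
    used = file_size % cluster
    if file_size == 0 or used == 0:
        return {"ram_slack": 0, "drive_slack": 0, "total_slack": 0}
    ram = (-used) % sector
    drive = cluster - used - ram
    return {"ram_slack": ram, "drive_slack": drive, "total_slack": ram + drive}


class ClusterVolume:
    """A byte array carved into clusters, with a toy allocation table."""

    def __init__(self, clusters, cluster=CLUSTER):
        self.cluster = cluster
        self.disk = bytearray(clusters * cluster)
        self.files = {}        # name -> (first cluster, logical size)
        self.next_free = 0

    def _clusters_for(self, size):
        return -(-size // self.cluster)          # ceiling division

    def write_file(self, name, data):
        if not data:
            raise ValueError("empty files get no cluster in this model")
        needed = self._clusters_for(len(data))
        if self.next_free + needed > len(self.disk) // self.cluster:
            raise OSError("volume full")
        off = self.next_free * self.cluster
        self.disk[off:off + len(data)] = data    # only len(data) bytes touched
        self.files[name] = (self.next_free, len(data))
        self.next_free += needed

    def read_file(self, name):
        """What any normal program sees: exactly the recorded size, no more."""
        start, size = self.files[name]
        off = start * self.cluster
        return bytes(self.disk[off:off + size])

    def slack_span(self, name):
        """Absolute byte range from end-of-file to the end of the last cluster."""
        start, size = self.files[name]
        begin = start * self.cluster + size
        end = (start + self._clusters_for(size)) * self.cluster
        return begin, end

    def hide_in_slack(self, name, payload):
        """Raw write into the slack; the file's size and contents are unchanged."""
        begin, end = self.slack_span(name)
        if len(payload) > end - begin:
            raise ValueError("payload does not fit in %d bytes of slack" % (end - begin))
        self.disk[begin:begin + len(payload)] = payload

    def scan_slack(self):
        """What a forensic tool does: read each file's slack, ignoring recorded sizes."""
        found = {}
        for name in self.files:
            begin, end = self.slack_span(name)
            found[name] = bytes(self.disk[begin:end]).rstrip(b"\x00")
        return found


def demo():
    vol = ClusterVolume(clusters=4)
    vol.write_file("report.txt", b"Q4 sales figures, nothing to see here.")
    vol.write_file("notes.txt", b"x" * 5000)
    vol.hide_in_slack("report.txt", b"SECRET:offshore-account-details")
    return vol.read_file("report.txt"), vol.scan_slack()
```

For a 5000-byte file in 4096-byte clusters the layout comes out as 120 bytes of RAM slack (5000 to the 512-byte boundary at 5120) and 3072 bytes of drive slack (the six untouched sectors up to 8192). Copying a file with an ordinary copy command reproduces only the logical size, which is why slack survives normal backups and disappears from normal copies; a sector-level image is what preserves it for an investigator.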

Shadow data arises because the mechanical heads that write to the disk do not land in exactly the same vertical and horizontal position on every write operation. This means that even when data is overwritten, remnants of the old data may remain at the edges of the track. It is sometimes possible (although very time consuming and expensive, and only with specialised equipment rather than ordinary forensic software) to reconstruct data from these remnants.

Detecting Steganographic Data

Steganography software hides files within other files, using empty space or the least significant bits of the carrier to encode the message. For example, data can be hidden in an image by changing a single bit of one colour component of a pixel. If a pixel's red component is the binary number 10001100, setting the least significant bit (the last one) to 1 gives 10001101, which makes that pixel a tiny bit more red, a difference no viewer will notice. That stores one hidden bit, a 1. To store a 0, the least significant bit is set to 0, which in this case means leaving the component as it was; had it been 10001101 to begin with, storing a 0 would have changed it to 10001100.

The entire file to be hidden is broken down into bits, and these are spread across different parts of the image. Which pixels carry the hidden bits, and in what order, can be decided by a pseudo-random number generator seeded with a key, so that only someone who knows the key can replay the same sequence and reassemble the bits in the correct order.

Detecting the presence of steganographic data is much easier than extracting the message itself. Detection is usually done by software that checks the statistical profile of an image for the artifacts steganographic software leaves behind (a least-significant-bit plane that is more random than the image warrants, for example). Steganalysis is the process of detecting steganography in files and, where possible, extracting or destroying the covert message.
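The following added example (not code from the original newsletter, and not the algorithm of any particular stego tool) implements the scheme just described: message bits are written into the least significant bits of a cover, in a pixel order derived from a key, and read back the same way. The cover is a constructed bytearray standing in for one 8-bit colour component per pixel, the key and message are constructed, and the detector at the end is a deliberately simple statistic chosen for this toy cover; real steganalysis tools use stronger tests (chi-square on value-pair histograms, for instance), but the principle, an LSB plane that is too random for its image, is the same.

```python
"""Keyed LSB steganography on one 8-bit channel, plus a crude detector.

Added example, not code from the original newsletter or from any named stego
tool. The cover is a constructed bytearray standing in for the red component
of each pixel; the key-driven pixel order, the message and the detection
statistic are illustrative choices.
"""
import hashlib
import random


def _message_bits(data):
    """Most-significant bit first, one bit at a time."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _pixel_order(n_pixels, key):
    """Keyed pseudo-random walk over pixel indices; replayable only with the key."""
    order = list(range(n_pixels))
    random.Random(key).shuffle(order)
    return order


def embed(cover, message, key):
    """Return a copy of cover whose LSBs carry message, in keyed order.

    A 1 is stored by setting the LSB to 1 and a 0 by setting it to 0; whether
    the pixel value actually changes depends on what the LSB already was.
    """
    bits = list(_message_bits(message))
    if len(bits) > len(cover):
        raise ValueError("message needs %d pixels, cover has %d" % (len(bits), len(cover)))
    stego = bytearray(cover)
    for pos, bit in zip(_pixel_order(len(cover), key), bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return bytes(stego)


def extract(stego, n_bytes, key):
    """Read LSBs back in the keyed order and reassemble n_bytes of message."""
    order = _pixel_order(len(stego), key)
    out = bytearray()
    for i in range(n_bytes):
        value = 0
        for pos in order[i * 8:(i + 1) * 8]:
            value = (value << 1) | (stego[pos] & 1)
        out.append(value)
    return bytes(out)


def lsb_neighbour_agreement(pixels):
    """Fraction of adjacent pixels whose LSBs agree.

    In the constructed gradient cover used below, adjacent values differ by
    one, so their LSBs strictly alternate and agreement is 0. An LSB plane
    filled with hashed or encrypted data looks like coin flips (about 0.5).
    This is a toy statistic for a toy cover; real tools apply chi-square
    and similar tests to the value-pair histogram of the whole image.
    """
    same = sum(1 for a, b in zip(pixels, pixels[1:]) if (a & 1) == (b & 1))
    return same / (len(pixels) - 1)


def demo():
    cover = bytes(range(256)) * 8                  # constructed gradient, 2048 pixels
    message = b"".join(hashlib.sha256(b"constructed payload %d" % i).digest()
                       for i in range(8))          # 256 bytes = full capacity
    key = "constructed-key"
    stego = embed(cover, message, key)
    return {
        "roundtrip_ok": extract(stego, len(message), key) == message,
        "wrong_key_ok": extract(stego, len(message), "another-key") == message,
        "pixels_changed": sum(1 for a, b in zip(cover, stego) if a != b),
        "clean_agreement": lsb_neighbour_agreement(cover),
        "stego_agreement": lsb_neighbour_agreement(stego),
    }
```

Two things worth noticing when running it: only about half of the pixels change, because a message bit that already matches the existing LSB costs nothing, and extraction with the wrong key yields garbage rather than an error, so the key is what keeps the message private while the statistics are what give the hiding away.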

For more information, see Steganalysis: The Investigation of Hidden Information.

Alternate Data Streams

Windows NT/2000+ systems that use the NTFS file system support a feature called alternate data streams (ADS). Streams of any size can be attached to a normal, visible file (called the parent file) or to a directory (folder). They are not shown by Explorer, are not counted in the file size it displays, and were not listed by the DIR command until Windows Vista added the /R switch, so on earlier systems special software is required to detect them. Streams also serve a legitimate purpose: they let Services for Macintosh store the resource fork of a Macintosh file (which consists of a data fork and a resource fork) alongside the data fork, and some anti-virus programs use them to store per-file checksums.

The built-in DEL command cannot remove a stream by name: you either delete the parent file or directory, or use a stream-aware tool such as the Sysinternals Streams utility. Copying the parent to a FAT volume also drops its streams silently, because FAT has nowhere to put them. Many file-wiping utilities wipe only the parent file's main data and leave the ADS on disk. Trojans and viruses can hide themselves in streams, and technically savvy criminals can hide incriminating data there. Streams can be created in Notepad and other ADS-aware programs simply by opening a name of the form parent:stream. The name has two parts, the parent file's name and the stream name, separated by a colon.

For example, if the parent file is named filename.txt, the stream might be named filename.txt:filestream; the full internal name is filename.txt:filestream:$DATA, and the stream name itself needs no file extension. Editing the parent file does not change the contents of the stream, and vice versa. For more information, see the ADS FAQ here.

Hidden Files

There are a number of ways that files can be hidden on the system. On Windows file systems, setting the hidden attribute (attrib +h at the command line, or the Hidden check box in the file's Properties dialog box) prevents the file from appearing in a DIR listing or in Explorer's file list when the default settings are in place in Folder Options | View. If the Show hidden files and folders option is selected instead (or DIR is run with the /A switch), the files are displayed, so the attribute is an obstacle only to a casual observer. On UNIX systems, files and directories whose names begin with a dot are hidden from the ls command unless you use the -a switch.

Rootkits take this further: they hook the operating system so that files, directories, processes and Registry entries whose names begin with a chosen prefix (the classic example is _root) are filtered out of every listing. This only works on the machine where the rootkit runs. If the share is accessed remotely by mapping a drive to it, the _root files and directories are visible, because the server service that answers remote clients does not go through the hooked code path that local programs use.

Linux systems using the ext2 file system provide several ways to hide data. One way to hide a file on most UNIX file systems (including ext2) is to run a process that keeps the file open and then remove the file with /bin/rm. The directory entry disappears, but the inode and its data blocks are kept until the last open descriptor is closed; on Linux the contents can be read back through /proc/<pid>/fd/<n> for as long as the process lives, and after it exits the blocks remain on disk until they are reused by other files. You can find "unerase" utilities for Linux that will recover deleted ext2 files, and it is also possible to recover them manually with the debugfs utility. This process is described in the Linux Ext2fs Undeletion mini-HOWTO here.
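The following added example (not code from the original newsletter) reproduces the open-then-rm trick on a POSIX system and shows both sides of it: the path is gone and the inode's link count is zero, yet every byte is still readable through the descriptor the process holds, and on Linux the /proc/self/fd entry names the vanished file with a "(deleted)" suffix, which is exactly what an investigator looks for in a live process. The temporary directory, the file name and its contents are constructed here.

```python
"""Recover a file that was unlinked while a process still holds it open.

Added example, not code from the original newsletter. The temporary file,
its contents and the directory are constructed here. The recovery through
the descriptor works on any POSIX system; the /proc lookup is Linux-only and
is skipped where /proc is absent.
"""
import os
import tempfile


def unlink_while_open(content):
    """Create a file, open it, then rm it the way the text describes.

    Returns the still-open descriptor and the former path. The directory
    entry is gone but the inode and its data blocks survive as long as the
    descriptor is held.
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "evidence.txt")
    with open(path, "wb") as f:
        f.write(content)
    fd = os.open(path, os.O_RDONLY)
    os.unlink(path)          # the equivalent of /bin/rm
    os.rmdir(tmpdir)         # the directory is empty now, as far as ls can tell
    return fd, path


def recover_from_descriptor(fd):
    """Read the orphaned inode back through the descriptor.

    This is what copying /proc/<pid>/fd/<n> does on Linux; here the process
    doing the recovering is the one holding the descriptor.
    """
    link_count = os.fstat(fd).st_nlink
    os.lseek(fd, 0, os.SEEK_SET)
    chunks = []
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            break
        chunks.append(chunk)
    return b"".join(chunks), link_count


def proc_fd_target(fd):
    """On Linux, the /proc symlink for an unlinked file ends in ' (deleted)'."""
    if not os.path.exists("/proc/self/fd"):
        return None
    return os.readlink("/proc/self/fd/%d" % fd)


def demo():
    secret = b"customer list exported 2009-02-01\n" * 100    # constructed contents
    fd, path = unlink_while_open(secret)
    try:
        path_gone = not os.path.exists(path)
        data, links = recover_from_descriptor(fd)
        target = proc_fd_target(fd)
    finally:
        os.close(fd)
    return {"path_gone": path_gone, "recovered": data == secret,
            "link_count": links, "proc_target": target}
```

From the outside, the live-response move is the same as the demo's last step: list /proc/<pid>/fd, look for links ending in "(deleted)", and copy the file out through that link before the process is killed or the machine is powered down, because once the descriptor closes the blocks go back to the free list and you are left with debugfs and luck.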

The ext2 file system stores data in 1, 2 or 4 KB blocks, so a file whose size is not a multiple of the block size leaves slack in its last block. Data can be hidden in this slack space, just as on DOS/Windows file systems, although doing so means writing to the device below the file system, because ordinary writes through the kernel zero-fill the tail of the last block.

On the Scene: Hiding Files in Plain View

Another method for hiding files is known as "hiding in plain view": a cybercriminal gives a file a name that makes it appear to be something it is not, and something an investigator would pass over. For example, a graphic file containing child pornography could be renamed to something like window.sys and stored in the Windows system directory, where to the casual observer it looks like just another operating system file. When the criminal wants to access it, he merely changes the extension back to .jpg or .gif and opens it in any graphics viewer. The countermeasure is to trust content rather than names: the leading bytes of a file (its signature, or "magic number") identify its real format regardless of the extension, which is why forensic tools classify files by signature and flag any whose extension disagrees.
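As an added example (not code from the original newsletter), the scanner below does that triage with a small hand-written signature table: it reads the first bytes of every file under a directory, works out what format they announce, and reports files whose extension does not belong to that format, so a JPEG named window.sys or a PDF named archive.zip stands out while a genuine .dll with an MZ header does not. The table covers a handful of common formats only, and the sample files are constructed in a temporary directory; for real work the file(1) utility and libmagic carry a far larger table, but the logic is the same.

```python
"""Flag files whose content signature disagrees with their extension.

Added example, not code from the original newsletter. The signature table
covers a few common formats and the sample files are constructed in a
temporary directory; a production scanner would use libmagic's table.
"""
import os
import tempfile

# (magic bytes, offset within the file, extensions that legitimately carry them)
SIGNATURES = [
    (b"\xff\xd8\xff", 0, {".jpg", ".jpeg"}),
    (b"GIF87a", 0, {".gif"}),
    (b"GIF89a", 0, {".gif"}),
    (b"\x89PNG\r\n\x1a\n", 0, {".png"}),
    (b"MZ", 0, {".exe", ".dll", ".sys", ".scr", ".ocx", ".drv"}),
    (b"PK\x03\x04", 0, {".zip", ".jar", ".docx", ".xlsx", ".pptx"}),
    (b"%PDF-", 0, {".pdf"}),
]


def identify(header):
    """Return the set of extensions matching the leading bytes, or None if unknown."""
    for magic, offset, exts in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return exts
    return None


def check_file(path):
    """True if the extension contradicts the signature, False if it agrees,
    None if the signature is not in the table (nothing to compare against)."""
    with open(path, "rb") as f:
        header = f.read(16)
    exts = identify(header)
    if exts is None:
        return None
    return os.path.splitext(path)[1].lower() not in exts


def scan(directory):
    """Walk a tree and return relative paths whose extension lies about the content."""
    suspicious = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if check_file(path):
                suspicious.append(os.path.relpath(path, directory))
    return sorted(suspicious)


def demo():
    d = tempfile.mkdtemp()
    samples = {                                            # constructed sample files
        "window.sys": b"\xff\xd8\xff\xe0" + b"\x00" * 60,  # JPEG posing as a driver
        "hal.dll": b"MZ\x90\x00" + b"\x00" * 60,           # PE header where one belongs
        "photo.jpg": b"\xff\xd8\xff\xe1" + b"\x00" * 60,   # honest JPEG
        "readme.txt": b"plain text, no recognised signature",
        "archive.zip": b"%PDF-1.4 actually a PDF",         # PDF posing as a zip
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return scan(d)
```

Note what the scanner does not do: a file with a signature that is not in the table is reported as unknown rather than suspicious, so the size of the table sets the floor for what gets caught, and a criminal who knows this will pick a format the table lacks. That is the argument for libmagic-sized tables and for pairing signature checks with the slack and ADS checks above rather than relying on any one of them.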

The Recycle Bin

It may seem obvious to technical experts that moving a file to the Recycle Bin or Trash does not delete it at all: Windows simply renames the file and moves it into a hidden per-user Recycle Bin folder, together with a record of its original name and location (the INFO2 file on Windows 2000/XP, paired $I and $R files from Vista on). Many cybercriminals are not technical experts, however, and may think they have "deleted" evidence when in fact it is intact in the Recycle Bin. Of course, this is more likely in the case of "non-technical" cybercrimes such as child pornography or con artist scams than network intrusions and other hacker activities, although considering the level of technical knowledge required (or rather, not required) to launch attacks with script and click kiddie methods, it never hurts to check. The evidence you need may be sitting right there, easily restored with a single click of the mouse.

See you next month!
Tom 
tshinder@windowsnetworking.com
For ISA or TMG firewall, as well as other Forefront Consulting Services in the USA, call me at 206-443-1117 or visit Prowess Consulting web site

=======================
Quote of the Month - "Reading is to the mind what exercise is to the body." - Sir Richard Steele
======================

2. ISA Server 2006 Migration Guide - Order Today!

Dr. Tom Shinder's best-selling books on ISA Server 2000 and 2004 were the "ISA Firewall Bibles" for thousands of ISA Firewall administrators. Dr. Tom and his illustrious team of ISA Firewall experts now present ISA Server 2006 Migration Guide. This book draws on the more than two years of experience Tom and his team have had with ISA 2006, from beta to RTM and all the versions and builds in between. They have logged thousands of flight hours with ISA 2006 and share the Good, the Great, the Bad and the Ugly of it with no-holds-barred coverage of Microsoft's state-of-the-art stateful packet and application layer inspection firewall.

Order your copy of ISA Server 2006 Migration Guide. You'll be glad you did.


3. WindowsNetworking.com Articles of Interest

4. KB Article of the Month

How to use the System Configuration utility to troubleshoot configuration errors in Windows Vista

This article describes how to use the System Configuration utility (Msconfig.exe) to troubleshoot configuration errors that might prevent Windows Vista from starting correctly. I used this information to fix a very troublesome problem with my new HP multimedia laptop. The wireless NIC looked like it was working, but if you checked the TCP/IP configuration from the command line, you could see that no IP addressing information was assigned to the NIC. This article will show you how to use msconfig to fix the problem.

5. Windows Networking Tip of the Month

Have problems with intermittent connectivity on your wired network? The problem might be auto-negotiation of link speed and duplex with the switch. The default setting for most NICs is auto-negotiate, and some combinations of NICs and switches do not get along as well as they should. To work around this, set the NIC to a fixed speed and duplex that the switch port supports, and set the switch port to the same fixed values. Do not hard-code only one side: when one end is fixed and the other still auto-negotiates, the auto-negotiating end can detect the speed but not the duplex and falls back to half duplex, and the resulting duplex mismatch (late collisions, CRC errors, painfully slow transfers) is worse than the problem you started with. Note also that 1000BASE-T requires auto-negotiation, so this fix applies to 10/100 links. You can change the NIC setting by opening the NIC's properties and clicking the Configure button on the General tab. The interface differs between brands, but you want to find the Link Speed and Duplex setting and change it from auto-negotiate to a fixed value.

6. WindowsNetworking Links of the Month

7. Ask Dr. Tom

QUESTION:

Hi Tom,

I’m thinking about getting into Windows 7 testing and was wondering if you knew about any of the new networking features to be included with the “Not Vista” operating system.

Thanks! - Richard J.

ANSWER:

Hi Richard,

While I do not have all the details yet regarding what is new and improved with networking in Windows 7, here are a few things you can look forward to when pairing up Windows 7 with Windows Server 2008 R2:

  • DirectAccess. This extends the domain to anywhere on the Internet
  • VPN Reconnect. A resilient VPN solution based on the IKEv2 protocol
  • BranchCache. The ability to cache HTTP and file sharing objects at the branch office

Next week we will go into the DirectAccess feature in a bit more depth. It's an interesting subject and something that all Windows admins should consider in a world where more and more people are working from home and away from the office. See you then! - Tom.

Got a question for Dr. Tom? Send it to tshinder@windowsnetworking.com.
