WindowsNetworking.com Monthly Newsletter of February 2009 Sponsored by: AdventNet
Welcome to the WindowsNetworking.com newsletter by Thomas W Shinder MD, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: firstname.lastname@example.org
Disgruntled employees can do the darnedest things, such as hiding data on their hard disks. Sometimes a disgruntled employee will try to ruin your business and hide valuable information on his own or someone else's computer. This data hidden on the hard disk can, in some cases, be very useful to investigators in building a case against a budding cybercriminal.
Some of this may be ambient data that was left behind when files were deleted or disks were repartitioned. There are also a number of places where data can be deliberately hidden by technically savvy criminals using a disk editor, Steganographic software, and other methods. Finding, retrieving and reconstructing this hidden data can be an extremely tedious process, but worth the effort if it results in evidence that can make or break a criminal case, or if it's data that is crucial to your business.
Where Data Hides
A disk sector is a unit of space of a fixed size (such as 512 bytes). Older hard disks may have some wasted storage space on the outer tracks because of the way the disk is divided: every track holds the same number of sectors, yet the outer tracks have a larger circumference than the inner ones, so the sectors on the outer tracks are spread out and leave unused space between them. It is possible in some cases to hide data in this space between sectors on the larger outer tracks. This is called the sector gap. Some data recovery services may be able to locate and retrieve data that is hidden in this gap.
Another place that data can be hidden is in the slack area caused by file sizes that do not exactly match the size of the clusters in which they are stored. Cluster sizes can vary, but anytime a file or portion of a file is smaller than the cluster size, the "leftover" bits in that cluster go unused. In file systems such as FAT16, where cluster sizes increase based on the partition size, this can result in a very large amount of "empty" space, and that space can be used to covertly store other bits of data. Data may be hidden here unbeknownst to the user.
Clusters are made up of sectors. When a file's data does not fill the last sector it occupies, Windows pads the difference with whatever data happens to be in the system's memory buffers. This is called RAM slack, and it can result in data from the current work session (anything since the computer was last booted) being stored on the disk in the padding of that final sector. All sorts of data dumped from memory can be lurking in the slack space and may prove useful to the investigator. All kinds of disks (floppy, hard disk, and removable disks) are subject to slack. Computer forensic analysis tools such as those marketed by NTI can recover data hidden in slack areas.
Shadow data is created because the vertical and horizontal alignments of the mechanical heads that write to the disk are not exactly the same each time a write operation is performed. This means that even when data is overwritten, there may be remnants of the old data that are still there. It is sometimes possible (although very time consuming and expensive) to reconstruct the data from these remnants.
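As an added illustration of the file-slack arithmetic described above (this is not code from the original newsletter), the following Python models a 4 KB cluster that previously held another file and was then partly overwritten by a 1000-byte file; the cluster size, the file contents and the old records are all constructed for the example. It computes where the slack begins, slices it out, and carves readable strings from it the way an investigator's tool would.

```python
import string

CLUSTER_SIZE = 4096  # assumed cluster size for this illustration

def slack_region(file_size, cluster_size=CLUSTER_SIZE):
    """Return (offset, length) of the unused tail of the file's last cluster."""
    used = file_size % cluster_size
    if used == 0:          # file ends exactly on a cluster boundary: no slack
        return (file_size, 0)
    return (file_size, cluster_size - used)

def slack_of(cluster_bytes, file_size, cluster_size=CLUSTER_SIZE):
    """Given the raw bytes of the clusters allocated to a file, return the slack bytes."""
    offset, length = slack_region(file_size, cluster_size)
    return cluster_bytes[offset:offset + length]

def carve_strings(data, min_len=4):
    """Pull printable ASCII runs out of raw bytes, the way strings(1) does."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    found, run = [], bytearray()
    for b in data:
        if b in printable:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode())
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode())
    return found

# Constructed sample: the cluster previously held NUL-separated records from
# another file; a new 1000-byte file was then written over its first part.
OLD_CONTENT = (b"previous owner: budget-2008.xls confidential\x00" * 100)[:CLUSTER_SIZE]
NEW_FILE_SIZE = 1000
CLUSTER = b"A" * NEW_FILE_SIZE + OLD_CONTENT[NEW_FILE_SIZE:]

def leftovers():
    """Strings recoverable from the slack of the new file."""
    return carve_strings(slack_of(CLUSTER, NEW_FILE_SIZE))
```

On a real system the same slice would be taken from a raw disk image at the cluster offsets recorded in the file system's allocation table, not from a buffer built in memory.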
Detecting Steganographic Data
Steganography software hides files within other files, using empty space or the least significant bit to encode messages. For example, data can be hidden within an image file by slightly altering a single bit related to a particular pixel. If one pixel in the photo has a red component represented by the binary number 10001100, the least significant bit (the last one) can be changed to a 1, making the binary 10001101. This will make that one pixel a tiny bit more red, which will not be noticeable to viewers. This creates one "hidden" bit, a 1. To create a 0, you would leave the least significant bit as it was.
The entire file that you want to hide is broken up into its binary components and these are then concealed in different parts of the photo image. Determining which pixels contain the hidden bits, and in what order, can be done by a random number generator that uses a key so that only someone who knows the key will be able to reconstruct the hidden message by retrieving the hidden bits in the correct order.
Detecting the presence of Steganographic data is much easier than extracting the message itself. This is usually done by software that checks the statistical profile of an image and looks for the statistical artifacts left by Steganographic software. Steganalysis is the process of detecting Steganography in files and rendering the covert messages useless.
For more information, see Steganalysis: The Investigation of Hidden Information.
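The least-significant-bit scheme, the key-driven pixel ordering and the statistical detection described in the preceding paragraphs, worked through in Python as an added example (not code from the newsletter or any particular steganography product). The cover is a constructed list of red-channel values rather than a real image, and seeding a PRNG from a hashed key is an assumption about how a keyed tool would pick its pixel order; the detector is the classic pairs-of-values chi-square test, which flags an image whose value pairs (2k, 2k+1) have been evened out by embedding.

```python
import hashlib
import random

def pixel_order(n_pixels, key):
    """Key-seeded permutation: which pixels carry bits, and in what order
    (assumed mechanism; only the key holder can reproduce the sequence)."""
    seed = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
    order = list(range(n_pixels))
    random.Random(seed).shuffle(order)
    return order

def embed(cover, payload, key):
    """Write each payload bit into the least significant bit of a chosen pixel."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in cover")
    stego = list(cover)
    for bit, idx in zip(bits, pixel_order(len(cover), key)):
        stego[idx] = (stego[idx] & 0xFE) | bit   # e.g. 10001100 -> 10001101 for a 1
    return stego

def extract(stego, n_bytes, key):
    """Read the LSBs back in key order and reassemble the bytes."""
    order = pixel_order(len(stego), key)
    bits = [stego[idx] & 1 for idx in order[:n_bytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))

def pov_chi_square(pixels):
    """Pairs-of-values statistic: LSB embedding drives the counts of each
    pair (2k, 2k+1) toward equality, so a low value is suspicious."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            stat += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return stat

# Constructed cover: 4096 red-channel values of a synthetic image in which
# every value is even, so each pair of values starts out badly unbalanced.
_rng = random.Random(1)
COVER = [2 * _rng.randrange(128) for _ in range(4096)]
PAYLOAD = bytes(range(256)) * 2  # constructed 512-byte message, exactly fills the cover
```

Embedding the payload leaves every pixel within one unit of its original value, yet the chi-square statistic collapses from its cover value, which is the kind of artifact steganalysis software looks for.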
Alternate Data Streams
Windows NT/2000+ systems that use the NTFS file system support a feature called alternate data streams (ADS). Streams of any size can be created and linked to normal visible files (called the parent files), but the streams are invisible and special software is required to detect them. These streams provide another, legitimate function. They allow the NT/2000+ operating systems to support Macintosh files, which consist of two forks (data fork and resource fork). The resource fork is stored in the hidden alternate data stream. Also, some anti-virus programs use the streams to store checksums for files. Streams can be attached to either files or directories (folders).
You cannot directly delete an alternate data stream without deleting the parent file or directory. In fact, many file wiping utilities delete only the parent files and do not get rid of the ADS. Trojans and viruses can hide themselves in streams, or technically savvy criminals can hide incriminating data there. Streams can be created in Notepad and other ADS-aware programs. The filename is in two parts, consisting of the parent file's name and the stream name separated by a colon.
For example, if the parent file is named filename.txt, the stream might be named filename.txt:filestream. The stream name does not have a file extension like a regular file. Editing the parent file doesn't change the contents of the stream file, and vice versa. For more information, see the ADS FAQ here.
There are a number of ways that files can be hidden on the system. On Windows file systems, setting the hidden attribute (-h at the command line, or set in the file properties dialog box in the GUI) will prevent the file from showing up in response to the DIR command at the command line or in the files list in Explorer if the default settings are in place in Folder Options | View. However, if the Show Hidden Files and Folders option button is enabled, these hidden files will still be displayed. On UNIX systems, files and directories whose names begin with a dot are hidden and are not displayed in response to the ls command (unless you use the -a switch).
Utilities allow you to hide files and directories (as well as processes and Registry entries) by renaming them with the prefix _root. This only works on the local machine; if the share is accessed remotely by mapping a drive to it, the _root files and directories will be visible.
Linux systems using the ext2 filesystem provide several ways to hide data. One way to hide a file on most UNIX filesystems (including ext2) is to run a process that keeps the file open and then remove the file with the /bin/rm command. The data remains on the disk until the space is overwritten by other files. You can find "unerase" utilities for Linux that will recover deleted ext2 files. It is also possible to recover these files manually using the debugfs utility. This process is described in the Linux Ext2fs Undeletion mini-HOWTO here.
The ext2 file system stores data in blocks and creates slack space when files are smaller than the 1, 2 or 4KB blocks used by the file system. Data can be hidden in this slack space, just as in DOS/Windows file systems.
On the Scene: Hiding Files in Plain View
Another method for hiding files is known as "hiding in plain view". Using this method, a cybercriminal gives a file a name that makes it appear to be something it is not - and something that the investigator would not be interested in. For example, a graphic file containing child pornography could be renamed to something like window.sys and stored in the Windows system directory. To the casual observer, it looks like just another operating system file. When the criminal wants to access it, he merely has to change the file extension back to .jpg or .gif and open it in any graphics viewer program.
The Recycle Bin
Although it may seem obvious to technical experts that moving a file to the Recycle Bin or Trash does not even remove the file's pointers as deleting it does, many cybercriminals are not technical experts and may think that they have "deleted" evidence when in fact, it is still intact in the Recycle Bin. Of course, this is more likely to be true in the case of "non-technical" cybercrimes such as child pornography or con artist scams than network intrusions and other hacker activities - although considering the level of technical knowledge required (or rather, not required) to launch attacks using the script and click kiddie methods, it never hurts to check. The evidence you need may be sitting right there waiting for you, easily restored with a single click of the mouse.
3. WindowsNetworking.com Articles of Interest
How to use the System Configuration utility to troubleshoot configuration errors in Windows Vista
This article describes how to use the System Configuration utility (Msconfig.exe) to troubleshoot configuration errors that might prevent Windows Vista from starting correctly. I used this information to fix a very troublesome problem with my new HP multimedia laptop. The wireless NIC looked like it was working, but if you checked the TCP/IP configuration from the command line, you could see that no IP addressing information was assigned to the NIC. This article will show you how to use msconfig to fix the problem.
Have problems with intermittent connectivity issues on your wired network? The problem might be related to auto-negotiation for link speed with the switch. The default setting for most NICs is to set the link speed to auto-negotiate. Some combinations of NICs and switches don't get along as well as they should, and this can end up giving you connectivity issues. To solve this problem, set your NIC to use the highest speed supported by the switch. You can do this by opening the NIC's properties and then clicking the Configure button on the General tab. The interface differs between brands of NICs, but you want to find the Link Speed setting and change it from auto-negotiate to a hard-coded value.
I’m thinking about getting into Windows 7 testing and was wondering if you knew about any of the new networking features to be included with the “Not Vista” operating system.
Thanks! - Richard J.
While I do not have all the details yet regarding what is new and improved with networking in Windows 7, here are a few things you can look forward to when pairing up Windows 7 with Windows Server 2008 R2:
Next week we will go into the DirectAccess feature in a bit more depth. It's an interesting subject and something that all Windows admins should consider in a world where more and more people are working from home and away from the office. See you then! - Tom.
Got a question for Dr. Tom? Send it to email@example.com.