Computer Forensics ~ Computer Science

1 INTRODUCTION

H. M. Customs and Excise have broken a smuggling ring dealing in rare and endangered species. One of the felons was utilising a Microsoft Windows based laptop to record details of their illegal trade and is suspected of corresponding with a number of his co-conspirators via the laptop. The primary objective of this research was to detail typical places in a Windows based file system where incriminating evidence may be hidden, and to discuss key technologies that may have been used for communication with his partners and the resulting difficulties they may pose to forensic investigators.
2 CONCEALING DATA ON A WINDOWS-BASED HARD DISK FILE SYSTEM

Microsoft Windows systems are typically found formatted in one of the following two file systems (Mirza, 2008)xiii: File Allocation Table (FAT) or New Technology File System (NTFS). The FAT file system architecture is found as a legacy 12-bit version (FAT12), a 16-bit version (FAT16) and, more commonly, a 32-bit version (FAT32). The defining characteristic of these file systems is their maximum volume size, which is 32 MB, 2 GB and 2 TB, respectively. As most modern computers have a Hard Disk Drive (HDD) capacity of at least 1 GB, the FAT12 system is considered outdated and has as such been termed a ‘legacy’ technology. NTFS (also known as the ‘Windows NT File System’), introduced in July of 1993, superseded FAT as the file system of choice due to its many inherent improvements. The discussion of hiding mechanisms below is focussed upon hard drive architecture, its basic geometry and these two file systems.
The Host Protected Area (HPA) is a reserved area that is found on some HDDs, where the Device Configuration Overlay (DCO) allows computer manufacturers and vendors to store data in the HPA, which is protected from conventional access such as Windows Explorer (Mirza, 2008)xiii. With ample knowledge of DCO and HPA, a computer program may be developed to store sensitive data by taking advantage of this “physical” feature. Since the availability of the HPA is limited to certain makes and models of HDDs, it would be useful for any forensic investigator to have access to a comprehensive database of all such brands, makes and model serial numbers which support HPA, as well as detailed information on any proprietary modifications to the HPA or DCO methods and manufacturer-supplied utilities for accessing the information held in the HPA.

During the installation of Microsoft Windows, the HDD needs to be partitioned and formatted. A partition sector, also commonly called a Master Boot Record (MBR), is the first sector of a partitioned volume of a HDD. Although the primary purpose of the MBR is to hold the disk's partition map (primary partition table), since the MBR only requires a single drive sector and partitions must start on the boundary of a cylinder, the MBR will be followed by sixty-two empty sectors which are ideally suited for storing sensitive information within this ‘free space’ (Carrier, 2005)v.

Volume Slack (VS) is defined as ‘wasted space’, as it is free space on a HDD that has not been partitioned. It is possible to create a partition, write sensitive information to that partition, and then delete that particular partition so that it becomes Volume Slack (Casey, 2004)vi. Since this space is no longer partitioned, the Operating System (OS) will not be able to access this area via a mapped drive letter in Windows Explorer. Once the partitions have been created, the next stage is to format the drive with an appropriate file system.
Depending on the chosen type of file system, data can only be accessed in block-sized chunks rather than as individual sectors. Whilst this improves the efficiency of accessing and storing data (read/write latency, etc.) within the file system, it may lead to wasted sectors at the end of the partition if the total number of sectors is not an integer multiple of the block size. Of course, these wasted sectors are once again an ideal location for writing sensitive data to, as they are not typically accessible by the OS; this area is dubbed ‘partition slack’ (Casey, 2004)vi. All partitions, even those that have been configured as non-bootable, contain a boot sector. Therefore, the boot sector of a non-bootable partition is simply wasted space that is ideally suited for storing confidential information. Similarly, unallocated space within a partition is inaccessible by Windows until a particular file’s creation has been allocated to that space.
Therefore, this unallocated ‘free’ space could contain sensitive information; however, it is quite a gamble, as any modifications made within Windows could lead to over-writing of this space and thereby potentially losing the data (although it could be retrieved if the drive platters are read by hand). Looking back at the file system, it is also possible to ‘abuse’ the functionality of a particular safety feature in both FAT16/32 and NTFS to hide information within blocks marked as bad blocks. The purpose of marking bad blocks is to prevent data loss, and manipulating such metadata is once again ideal for the purpose of storing sensitive information (Britz, 2008)iii.

The storage locations for hiding data detailed above apply to both FAT16/32 and NTFS. However, the NTFS file system allows for some unique locations for storing such sensitive information. Similar to the bad cluster metadata modification previously discussed, a particular piece of metadata belonging to the NTFS file system is its Cluster Allocation Bitmap. The Cluster Allocation Bitmap is quite simply a complete map that marks the allocation status of each and every addressable cluster within the particular partition in question. As with the bad cluster method, it would only require the contents of the Cluster Allocation Bitmap to be modified, although the fact that a malicious modification has taken place would be made obvious if it were inspected. The advantage of using this method, however, is that the hidden information would persist in its hidden state for the lifespan of the file system (Farmer and Venema, 2005)ix.

The NTFS file system in particular also provides for a couple more alternatives. One possibility would be to alter the Alternate Data Streams (ADS), which are associated with the Master File Table (MFT). Modifying such file streams would be suited for hiding sensitive data, as they are not within the scope of Windows Explorer. NTFS has another inherent ‘quirk’ with regards to handling extremely small files and ADS. In the event a particular file is sufficiently small to occupy the space within the MFT, rather than referencing its location, the entire file itself would be stored within the MFT (Jones, Bejtlich and Rose, 2005)x. This allows for a computer program to create multiple such files to create enough ‘free space’ within the MFT, delete them, and proceed to create a potentially large enough file within the MFT to store the hidden information of choice. Of course, this hidden information would only persist until further small files start to overwrite this particular location in the MFT, and as such it would be best suited for ephemeral data.

The above discussion shows that most of the ‘hiding’ places within a typical Windows-based file system are more suited for ephemeral data, whilst the longer-term hiding places are easier to detect. Moreover, the discussion of these locations has so far taken for granted that any concealed data would be stored in plain text, without first undergoing some form of encryption such as 3DES, Blowfish, or even the Advanced Encryption Standard (AES) (Burnett, 2001)iv.
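To illustrate how an examiner would check the MBR gap, partition slack and volume slack described in this section, here is an added example (not from the original paper): a Python script that parses a raw disk image's MBR partition table, computes the sector ranges no file system maps, and reports any that contain non-zero data. The cluster size in sectors is an assumed parameter (in practice it is read from each partition's boot sector), and the sample image and the markers planted in it are constructed for the demonstration.

```python
import struct

SECTOR = 512  # bytes per sector, the classic HDD geometry assumed here


def parse_mbr(mbr: bytes) -> list:
    """Return (type, first LBA, sector count) for each used entry in the MBR partition table.

    The table sits at offset 446 as four 16-byte entries; the sector must end with 0x55AA.
    """
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    partitions = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        lba, count = struct.unpack("<II", entry[8:16])   # little-endian LBA start and length
        if ptype != 0 and count != 0:
            partitions.append((ptype, lba, count))
    return partitions


def unmapped_regions(partitions: list, total_sectors: int, cluster_sectors: int) -> list:
    """Sector ranges that no file system maps: the gap after the MBR (and between partitions),
    partition slack (sectors beyond the last whole cluster) and volume slack after the last one.

    cluster_sectors is an assumption for this example; real tools read it from the boot sector.
    """
    regions = []
    next_free = 1  # sector 0 is the MBR itself
    for _ptype, lba, count in sorted(partitions, key=lambda p: p[1]):
        if lba > next_free:
            regions.append(("gap before partition at LBA %d" % lba, next_free, lba - next_free))
        slack = count % cluster_sectors
        if slack:
            regions.append(("partition slack", lba + count - slack, slack))
        next_free = lba + count
    if total_sectors > next_free:
        regions.append(("volume slack", next_free, total_sectors - next_free))
    return regions


def nonzero_sectors(image: bytes, first: int, count: int) -> list:
    """Sector numbers within [first, first+count) that hold anything other than zeroes."""
    hits = []
    for s in range(first, first + count):
        if any(image[s * SECTOR:(s + 1) * SECTOR]):
            hits.append(s)
    return hits


def scan_image(image: bytes, cluster_sectors: int = 8) -> list:
    """Flag every unmapped region that contains non-zero sectors, for the examiner to review.

    A hit is not proof of concealment (boot loaders legitimately use the MBR gap), but a
    freshly partitioned disk leaves these regions zeroed, so content there needs explaining.
    """
    total = len(image) // SECTOR
    findings = []
    for label, first, count in unmapped_regions(parse_mbr(image[:SECTOR]), total, cluster_sectors):
        hits = nonzero_sectors(image, first, count)
        if hits:
            findings.append((label, hits))
    return findings


def build_sample_image() -> bytes:
    """Constructed 256-sector image: one NTFS-typed partition at LBA 63 of 150 sectors,
    with markers planted in the MBR gap, the partition slack and the volume slack."""
    image = bytearray(256 * SECTOR)
    # entry: bootable flag, CHS start (ignored), type 0x07, CHS end (ignored), LBA start, count
    image[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 150)
    image[510:512] = b"\x55\xaa"
    image[10 * SECTOR:10 * SECTOR + 8] = b"hidden!!"   # sector 10: inside the 62-sector MBR gap
    image[210 * SECTOR:210 * SECTOR + 5] = b"slack"    # 150 % 8 = 6 slack sectors: 207..212
    image[250 * SECTOR:250 * SECTOR + 3] = b"vol"      # beyond the partition: volume slack
    return bytes(image)


if __name__ == "__main__":
    for label, hits in scan_image(build_sample_image()):
        print("%s: non-zero sectors %s" % (label, hits))
```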
3 COMMUNICATION TECHNOLOGIES THAT THWART FORENSIC EFFORTS

Accessing the Internet is simpler than ever, with free WiFi in many coffee shops and even unsecured networks in many densely populated cities. A couple of years ago, accessing e-mail relied on client programs running on the user's computer via POP/SMTP sessions, leading to all the emails being stored locally on the computer's file system. This is no longer the case. With many free email services available online, far more users are relying on storing most of their information online as a result of cloud computing (Miller, 2008)xii. In the following discussion of the various means by which an individual could communicate with his or her co-conspirators regarding their illegal activities, an assumption is made that this individual has at least a basic working knowledge of covering their tracks in any of the web browsers installed on their system. This includes, but is not limited to, clearing all details of browsing history, download history, saved form and search history, cache, cookies, offline website data, saved passwords and authenticated SSL sessions. Currently, even Google offers an online system called ‘Google Docs’, which is a free web-based word processor and spreadsheet application enabling easy collaboration. Making matters even more complicated, the free email service by Google (GMail), for example, has an option to always force the browser to connect via a Secure Sockets Layer (SSL) encrypted session. This is also supported by other free email systems such as Hotmail and Yahoo. RC4 is the stream cipher used in SSL, as a 128 or 256-bit cipher that offers remarkable performance, although it does have several weaknesses.
However, from an evidence-gathering standpoint, these weaknesses would only be of use when exploiting a particular SSL session between known Internet Protocol (IP) addresses (Viega, Messier and Chandra, 2002)xix, and therefore would not leave any traces on the laptop as long as the user has been careful. With the popularity of cloud computing, from a forensics perspective, the browser software installed on a Windows system (Microsoft Internet Explorer, Mozilla Firefox, etc.) would need to undergo close scrutiny for evidence in the form of its cache, history, cookies and most recently downloaded files. Although it may be possible to obtain some information via this method, it is not the only means of communication across the Internet and World Wide Web (WWW). Since it is common knowledge that many intelligence-gathering agencies around the world, such as MI6, Interpol, the FBI and the CIA, are screening email traffic for “tell-tale” signs of communication of a less than legal nature, an unscrupulous individual could take advantage of the free online email systems in the following manner: log in to the email system and create a draft email with whatever information needs passing. Their co-conspirators also access this same email account and read the draft, as only these two parties have the respective username and password for the email account. As such, no actual emails are ever sent and all the information is stored in the ‘draft’ folder.
This could also be applied to other online services such as Scribd, which offers an easy means of collaborating on documentation in PDF and Word formats. It even supports a means of storing ‘private’ files online, where only those given a particular Uniform Resource Locator (URL) may access the private document in question. However, it is quite possible that the Scribd system has text-scanning systems in place to ensure such information does not stay active on their system for long, but it will only ‘flag’ information that is posted as being blatantly obvious; it is unlikely any intelligence agencies would be notified by the posting of a recipe for a thin-crust pizza. With the exercise of caution and a certain degree of common sense, this system could easily be used for passing sensitive information between parties. Furthermore, the Scribd URL to private documents could easily be communicated to co-conspirators via the Short Message Service (SMS), which is a standardised communication service in the GSM cellular communication system, and as such would leave no traces that such a document was ever passed to someone else, unless the browser’s logging features suggest otherwise.

For the most tech-savvy criminals, a secure Virtual Private Network (VPN) that utilises cryptographic tunnelling is another extremely feasible means of communication. VPN is an extremely powerful system and is therefore a standard feature of most corporate networks, allowing their employees to work from home and while on the move (Steinberg et al., 2005)xviii without compromising the security of their network and data. During a VPN session, the connecting user will effectively be logging onto this remote network of computers, thereby gaining complete access to all shared volumes, attached computer peripherals and computer terminals themselves (depending on the firewall configuration and network topology). “Local” video conferencing would be extremely simple to achieve, as would transferring files and other data, whilst connected to the remote network via VPN (Snader, 2005)xvii. It would be the duty of the forensic investigator to check if the IP address of the VPN network (or networks) connected to has been recorded in some way, or if any logs of such sessions are recorded locally on the HDD of the laptop.
Although less complicated to set up and connect to, a Secure Shell (SSH) connection to a remote server allows for an encrypted session for the duration of the link. Once again, the two parties are able to exchange files (via the File Transfer Protocol, or FTP), utilise instant messaging and a host of other capabilities. However, the SSH system is susceptible to ‘man in the middle’ attacks. Not unlike VPN though, this is another secure means of cryptographic tunnelling via the Internet (Barrett, Silverman and Byrnes, 2005)ii.

FTP is a simple system devised on Linux and Unix based systems for transferring files between a client and an FTP server, and vice versa. A typical FTP session runs completely unsecured in the open, with even the username and password transmitted as plain text, and can easily be captured with a packet sniffer listening on port 21 (Kozierok, 2005)xi. To ensure that such a connection is made with a means of encryption, a viable alternative would be the SSH File Transfer Protocol (SFTP) or FTP over SSL (FTPS). Although the FTP/SFTP system was not designed as a means of passing information, one could easily take advantage of it in this fashion. Suppose the co-conspirators have set up an FTP server (or daemon, as they are commonly called, and thus FTPd) and they place their ‘secret’ information in the FTPd welcome message, customised to only appear to a particular user who logs in. Such messages could be set up for each of the various accounts of their co-conspirators, who simply need to log in over SFTP to receive the information, and they can easily leave their response by transferring their comments as a file to their folder on the FTPd. Paired with SMS messaging, it would be extremely simple for the members of their organisation to handle communications in this fashion. It is, however, possible to find out if SSH sessions have been in use on the laptop. Since SSH is native to Linux and Unix based systems, a typical Windows program offering similar functionality would be Cygwin, or alternatively one could actually run a flavour of Linux (such as Ubuntu or Debian) via a Windows application known as VMware (Newham, 2005)xiv.
To use public-key secure connections, public keys are stored in ~/.ssh/known_hosts, and a typical file might contain something similar to what is shown below:

128.138.249.8 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0d7Aoure0toNJ+YMYi61QP2ka8m5x5ZQlT7obP8CK3eropfqsMPPY6uiyIh9vpiFX2r1LHcbx139+vG6HOtVvuS8+IfMDtawm3WQvRuOopz3vVy5GtMwtaOgehsXoT930Ryev1bH5myPtWKlipITsOd2sX9k3tvjrmme4KCGGss=
As seen from the example above, the destination IP address is stored along with the RSA public-key hash.

This research would not be complete without discussing freely available Instant Messaging (IM) systems such as Windows Live Messenger (formerly named MSN Messenger), Yahoo Messenger, ICQ and AOL Instant Messenger (AIM). These systems allow users to freely ‘chat’ in purely text mode by running the same client application on each of their PCs. However, their communications are routed through the servers belonging to the companies that developed the client applications and, as such, encryption is not a main feature of these applications (Wikipedia, 2009)xxi. Alternative software such as BitWise IM is available freely and also supports real-time 128-bit Blowfish encryption, whilst the paid professional version supports 448-bit Blowfish encryption. This particular application also generates a new random key for each and every new conversation. In terms of evidence gathering, a regular feature of these programs is their ability to log conversations to the HDD as plain text files that are usually time-stamped. Since this is a user-enabled option, these log files may or may not exist on the system. Reflecting back upon the discussion regarding GMail, the free web-based email system provided by Google, it also features an IM system called GMail Chat. In the event the connection to GMail is made over the Hypertext Transfer Protocol (HTTP), all the contents of these conversations can easily be compromised by anyone looking to do so over the Internet. However, if the web browser connects to the GMail system with SSL enabled, the contents of these conversations will be far more difficult to tap into.
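Returning to the ~/.ssh/known_hosts file shown above: as an added example (not part of the original paper), this Python script extracts each entry's host, key type and SHA-256 fingerprint, and also handles the hashed form OpenSSH writes when HashKnownHosts is enabled, which removes the readable host address the paper relies on; a hashed entry can still be matched against candidate hosts gathered from other evidence. The sample file, key blob and salt are constructed for the demonstration (the IP address is the one quoted above).

```python
import base64
import binascii
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass
class KnownHost:
    host_field: str    # first column: "host", "host,ip" or hashed "|1|<salt>|<hmac>"
    key_type: str      # second column, e.g. "ssh-rsa"
    blob_type: str     # key type named inside the base64 blob itself
    fingerprint: str   # "SHA256:<base64, no padding>", as ssh-keygen -l prints it
    hashed: bool


def blob_key_type(blob: bytes) -> str:
    """The blob starts with a length-prefixed string naming the key type."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise ValueError("truncated key blob")
    return blob[4:4 + n].decode("ascii")


def fingerprint(blob: bytes) -> str:
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text: str) -> list:
    """Parse known_hosts lines; comments, blank lines and undecodable entries are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):            # "@cert-authority" / "@revoked" marker column
            line = line.split(None, 1)[1]
        parts = line.split()
        if len(parts) < 3:
            continue
        host_field, key_type, b64 = parts[:3]
        try:
            blob = base64.b64decode(b64, validate=True)
            records.append(KnownHost(host_field, key_type, blob_key_type(blob),
                                     fingerprint(blob), host_field.startswith("|1|")))
        except (ValueError, binascii.Error):
            continue                        # malformed entry: not evidence of anything
    return records


def hash_host(host: str, salt: bytes) -> str:
    """OpenSSH's HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode("ascii"), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode("ascii"),
                         base64.b64encode(mac).decode("ascii"))


def match_hashed_host(host_field: str, candidate: str) -> bool:
    """True if a hashed entry was made for `candidate` (hostname or IP, exactly as typed)."""
    if not host_field.startswith("|1|"):
        return False
    _, _, salt_b64, mac_b64 = host_field.split("|")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
    mac = hmac.new(salt, candidate.encode("ascii"), hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def resolve_host(rec: KnownHost, candidates: list) -> str:
    """Plain entries name the host directly; hashed ones are tested against candidate hosts."""
    if not rec.hashed:
        return rec.host_field
    hits = [c for c in candidates if match_hashed_host(rec.host_field, c)]
    return hits[0] if hits else "<hashed, no candidate matched>"


def _constructed_rsa_blob() -> bytes:
    # Constructed wire encoding (type, e, n) with a toy modulus; not a real key.
    return (struct.pack(">I", 7) + b"ssh-rsa"
            + struct.pack(">I", 3) + b"\x01\x00\x01"
            + struct.pack(">I", 5) + b"\x00\xc3\x5b\x7d\x01")


SAMPLE_BLOB_B64 = base64.b64encode(_constructed_rsa_blob()).decode("ascii")
SAMPLE_SALT = bytes(range(20))   # constructed salt; OpenSSH uses 20 random bytes
# Constructed file: one plain entry in the style quoted above, one hashed entry.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not taken from any real system",
    "128.138.249.8 ssh-rsa " + SAMPLE_BLOB_B64,
    hash_host("ftp.example.test", SAMPLE_SALT) + " ssh-rsa " + SAMPLE_BLOB_B64,
])

if __name__ == "__main__":
    for rec in parse_known_hosts(SAMPLE_KNOWN_HOSTS):
        print(resolve_host(rec, ["128.138.249.8", "ftp.example.test"]), rec.key_type, rec.fingerprint)
```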
With regards to making voice and video calls over the Internet, Skype offers free voice calling between Personal Computers (PCs) utilising the Internet (Abdulezer et al., 2007)i. Their system utilises the Advanced Encryption Standard (AES), also known as Rijndael (Daemen and Rijmen, 2002)viii, a portmanteau of the names of its two inventors, Joan Daemen and Vincent Rijmen, with a 256-bit encryption key to actively encrypt the data of voice calls, voice and video calls (known as video conferencing) and instant messages (Skype, 2009)xvi. It is clear that making free, encrypted calls over the Internet is an extremely attractive alternative for communicating with co-conspirators. With much exercised prudence and care, even if each call is logged and analysed by the Skype system, it is highly unlikely that it would get flagged unless both parties are extremely incompetent and careless. The Instant Messaging aspect of Skype allows for these conversations to be recorded to the HDD, and this is most likely the only evidence it would leave behind, apart from the various Skype contacts if the user of the program allowed Skype to remember his password. Of course, Skype also allows those with Skype Credit to make PC-to-landline calls, where part of the call is carried over the Internet and the rest over fibre optic, Voice over Internet Protocol (VoIP), Cellular (GSM/3G) and Public Switched Telephone Networks (PSTN) (Wallingford, 2005)xx. This, of course, poses a couple of risks to the parties using this system for communication: (1) the caller has to have Skype Credit in their account, which needs to be purchased via a credit card or PayPal account, and (2) the final number being called gets recorded on the passing and target networks. As for the former, a stolen credit card or a hacked PayPal account could be used, but this would result in their current IP address being noted down. This alone may not help, as they could be connecting through many piggybacked proxy servers to mask their real IP, or they could even be connecting via an unsecured WiFi connection in a metropolitan area (although this would place them within a 32 m radius to a maximum radius of 95 m from the location of the wireless base station, which would result in their possible location covering a 3.2 to 28 square-km area, respectively).

A similar system is also offered by Google Talk (GTalk), which runs natively as a Windows web-based application and offers Instant Messaging and VoIP communications between PCs. Unlike Skype, the GTalk system does not impose complete encryption at this point in time. Another popular means of online communication is Internet Relay Chat (IRC), which allows for real-time text-based chat by joining a particular IRC server utilising a freely available IRC client (Charalabidis, 1999)vii. One of the most popular IRC clients for Windows is mIRC, and similar to most other communication applications it allows for previous conversations or sessions to be logged to the HDD. Unlike IM conversations, with IRC the user must join an IRC server of his choice, and there are many such servers organised by the country in which they are based. Upon joining an IRC server, the user can either join pre-existing IRC channels or create and join his own. At this point, any co-conspirators may join the same channel and enter a private conversation. Files can be exchanged via a Direct Client-to-Client (DCC) connection or a Secure DCC (SDCC), which can also allow individuals to chat privately over IRC with encryption enabled. It should be noted that both DCC and SDCC are peer-to-peer (P2P) connections, independent of the IRC client-server connection, that rely directly upon the Wide Area Network (WAN) IP addresses belonging to the PCs of both users. SSL may be used on the client-server connection, depending on the particular features of that server, to make eavesdropping on a particular user's IRC session difficult.

Internet forums or message boards are extremely popular web applications that allow users to collaborate online in a system akin to the traditional Bulletin Board Systems (BBS) of the days of dial-up Internet, well before broadband was introduced. Most forums are dedicated to a central theme: some are dedicated to computer technology and hardware discussions, such as HEXUS.net, and some are even dedicated to specific hobbies, interests and discussions.
Most online forums simply require a user to define a ‘nickname’ to be recognised by and to supply a valid email address to register on the system. Once this is set up, they are free to access the various features of the forum as well as a Private Messaging (PM) system. There are almost no measures to prevent unscrupulous individuals from communicating via forums utilising their PM system as a means of conversation, while only some forums tend to monitor PMs sent and received. Once again, as long as common sense and a degree of caution are exercised, an online forum could ideally be used between co-conspirators, although they would be limited by not being able to exchange files by this method. As such, a system such as Scribd could be used in conjunction to overcome this limitation. In the event they decided to communicate by means of digital photos, many free online systems are also available for this purpose, with Flickr and Photobucket being the most popular.
Although they present a limitation on the number of photos uploaded, a fair amount of photos can still be stored online with full access to anyone accessing the site with a web browser or a mobile device with such capabilities, such as the Apple iPhone. This notion could also be extended to the extremely popular networking and socialising web applications such as FaceBook and MySpace. These systems allow users to post online profiles about themselves, freely host photographs and even video clips in their accounts, and communicate privately across the site's system (Shuen, 2008)xv. In all likelihood these systems monitor all private communications but, as mentioned earlier, they will never cause panic unless someone were to blatantly pass across the list of chemicals and instructions required to manufacture military-grade explosives. Used sensibly, they could ideally be used by the co-conspirators to easily communicate with each other privately, and even ensure that no record of these communications is held locally on the HDDs of their computers.
4 CONCLUSION

With regards to concealing information in the laptop's file system, it is apparent that most of the options result in storing ephemeral data, while the more reliable methods are more straightforward to detect. However, even if this data is located, it is far more likely that it would be encrypted with one of the more reliable encryption algorithms.

In terms of communication technology that may pose problems to the team of forensic investigators, many avenues exist for utilising freely available online systems for making contact and passing information across, with very little scope for leaving evidence behind. It is a given, though, that a careless criminal could easily leave behind enough evidence that is easily accessible. At the end of the day, if dissecting the file system down to its minimum does not prove to be useful, the only alternative would be to have the hard disk platters manually read, allowing possible access to data that was not sufficiently deleted or had not undergone any secure erasing (known as zeroing).
REFERENCES

i. Abdulezer, L. et al. (2007) Skype For Dummies, Hoboken, NJ: Wiley Publishing, Inc.
ii. Barrett, D. J., Silverman, R. E. and Byrnes, R. G. (2005) SSH, The Secure Shell: The Definitive Guide, 2nd edition, Sebastopol, CA: O'Reilly Media, Inc.
iii. Britz, M. T. (2008) Computer Forensics and Cyber Crime: An Introduction, 2nd edition, Upper Saddle River, NJ: Prentice Hall.
iv. Burnett, S. (2001) RSA Security's Official Guide to Cryptography, New York, NY: McGraw-Hill.
v. Carrier, B. (2005) File System Forensic Analysis, Reading, Massachusetts: Addison-Wesley.
vi. Casey, E. (2004) Digital Evidence and Computer Crime, 2nd edition, London, UK: Academic Press.
vii. Charalabidis, A. (1999) The Book of IRC: The Ultimate Guide to Internet Relay Chat, San Francisco, CA: No Starch Press.
viii. Daemen, J. and Rijmen, V. (2002) The Design of Rijndael: AES - The Advanced Encryption Standard, New York, NY: Springer Publishing Company.
ix. Farmer, D. and Venema, W. (2005) Forensic Discovery, Reading, Massachusetts: Addison-Wesley.
x. Jones, K. J., Bejtlich, R. and Rose, C. W. (2005) Real Digital Forensics: Computer Security and Incident Response, Reading, Massachusetts: Addison-Wesley.
xi. Kozierok, C. (2005) The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference, San Francisco, CA: No Starch Press.
xii. Miller, M. (2008) Cloud Computing: Web-Based Applications That Change the Way You Work and Collaborate Online, Canada: Que Publishing.
xiii. Mirza, F. (2008) ‘Looking for digital evidence in Windows’, International Symposium on Biometrics and Security Technologies 2008, April, pp. 23-24.
xiv. Newham, C. (2005) Learning the bash Shell: Unix Shell Programming, 3rd edition, Sebastopol, CA: O'Reilly Media, Inc.
xv. Shuen, A. (2008) Web 2.0: A Strategy Guide: Business thinking and strategies behind successful Web 2.0 implementations, Sebastopol, CA: O'Reilly Media, Inc.
xvi. Skype (2009) What type of encryption is used?, http://support.skype.com/en_GB/faq/FA145/What-type-of-encryption-is-used, date accessed 28 March 2009.
xvii. Snader, J. C. (2005) VPNs Illustrated: Tunnels, VPNs, and IPsec, Reading, Massachusetts: Addison-Wesley.
xviii. Steinberg, J. et al. (2005) SSL VPN: Understanding, evaluating and planning secure, web-based remote access: A comprehensive overview of SSL VPN technologies and design strategies, Birmingham, UK: Packt Publishing Ltd.
xix. Viega, J., Messier, M. and Chandra, P. (2002) Network Security with OpenSSL, Sebastopol, CA: O'Reilly Media, Inc.
xx. Wallingford, T. (2005) Switching to VoIP, Sebastopol, CA: O'Reilly Media, Inc.
xxi. Wikipedia (2009) Instant messaging, http://en.wikipedia.org/wiki/Instant_messaging, date accessed 28 March 2009.
QUALITY CONTROL

ID: 603001
WORD COUNT: ~3500+ (excluding equations, figures, captions, data, code, output, table contents, list of figures, list of tables, references and appendices)
REFERENCES: 15-20 references per 3K words? Web references < 15%? 21 references (including books, journals and web); 2 web references
DATE COMPLETED: 28th March 2009 / 1442 hrs GMT
NOTES: Q1: ~1000 words as per brief; Q2: ~2500 words as per brief. Hence, the total word count is slightly greater considering the conclusion as well.
NOTE: This document has been created with compatibility for Word 97 – 2004. It is recommended that the Word document have all its fields, tables and cross-references updated if this document is subjected to modification.