
Research Examples on Computer Forensics (2009)

Michael M. Wijetunge de Silva MSc (Dist), BEng (Hons), MIEEE, AMIMechE(UK)


email: michael@mwdesilva.com • blog: bsodmike.com • résumé: mwdesilva.com

Computer Forensics ~ Computer Science

1 INTRODUCTION

H. M. Customs and Excise have broken a smuggling ring dealing in rare and
endangered species. One of the felons used a Microsoft Windows based laptop to
record details of the illegal trade and is suspected of corresponding with a number
of his co-conspirators from that laptop.

The primary objective of this research was to detail the typical places in a Windows
file system where incriminating evidence may be hidden, and to discuss the key
technologies that may have been used to communicate with his partners and the
difficulties they pose to the forensic investigators.

2 CONCEALING DATA ON A WINDOWS-BASED HARD DISK FILE SYSTEM

Microsoft Windows systems are typically found formatted with one of two file
systems (Mirza, 2008)xiii: the File Allocation Table (FAT) or the New Technology
File System (NTFS).

The FAT file system exists as a legacy 12-bit version (FAT12), a 16-bit version
(FAT16) and, most commonly today, a 32-bit version (FAT32). Their defining limits
are maximum volume sizes of roughly 32 MB, 2 GB and 2 TB respectively (the 2 TB
FAT32 figure assumes 512-byte sectors; Windows itself refuses to format a FAT32
volume larger than 32 GB, although it will mount one). As most modern computers
have a Hard Disk Drive (HDD) capacity far above 1 GB, FAT12 is considered outdated
and has thus been termed a 'legacy' technology, surviving mainly on floppy disks
and small flash media.

NTFS (also known as the 'Windows NT File System'), introduced with Windows NT 3.1
in July 1993, superseded FAT as the file system of choice because of its many
inherent improvements. The hiding mechanisms discussed below focus on hard drive
architecture, basic disk geometry and these two file systems.

The Host Protected Area (HPA) is a region at the end of an ATA hard disk that the
drive hides from the host: a SET MAX ADDRESS command lowers the capacity the drive
reports, so the sectors above that limit are invisible to the BIOS, to the operating
system and therefore to conventional access such as Windows Explorer. The Device
Configuration Overlay (DCO) is a separate ATA feature that can likewise lower the
reported capacity of the drive and disable features (Mirza, 2008)xiii. Manufacturers
use these areas for diagnostic and recovery data, but with adequate knowledge of the
ATA command set a program can be written to store sensitive data there, taking
advantage of this "physical" feature. Because HPA (ATA-4) and DCO (ATA-6) are
standard features supported by virtually all modern ATA and SATA drives rather than
vendor quirks, the practical check for a forensic investigator is to compare the
sector count the drive reports with its native maximum (on Linux, hdparm -N /dev/sdX
reports whether an HPA is enabled and hdparm --dco-identify /dev/sdX reads the
DCO), and then to confirm that the write blocker and imaging tool used actually
captured those sectors, since many do not. A reference of manufacturer-specific uses
of the HPA and DCO, and of the vendor utilities for accessing them, remains useful
for interpreting whatever is found there.

During installation of Microsoft Windows the HDD must be partitioned and formatted.
The partition sector, commonly called the Master Boot Record (MBR), is the first
sector (sector 0) of the disk itself, not of each volume. Its primary purpose is to
hold the boot code and the primary partition table, and it occupies a single
512-byte sector, whereas the first partition conventionally began on a track
boundary of the legacy cylinder/head/sector (CHS) geometry, that is at sector 63.
Sectors 1 to 62 therefore belong to no partition and are ideally suited for storing
sensitive information in this 'free space' (Carrier, 2005)v. The gap is larger on
newer systems: Windows Vista and later align the first partition at sector 2048
(1 MiB), leaving 2047 unaddressed sectors after the MBR.

Volume Slack (VS) is 'wasted space': free space on a HDD that lies within no
partition. It is possible to create a partition, write sensitive information to it
and then delete that partition so that its space becomes volume slack (Casey,
2004)vi. Since the space is no longer partitioned, the Operating System (OS) cannot
reach it through a mapped drive letter in Windows Explorer, although any disk editor
or forensic tool that reads the raw device sees it unchanged, because deleting a
partition rewrites only the partition table and not the sectors themselves.
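To make the two locations just described concrete, the following added example (mine, not code from the original research) parses an MBR partition table and reports which sectors of a disk image belong to no partition: the gap between the MBR and the first partition, and the volume slack after the last one. It then flags the unaddressed sectors that are not all zero, which is exactly the set a carving tool should be pointed at. The 200-sector disk image and the text planted in it are constructed inline for the demonstration.

```python
import struct

SECTOR = 512


def parse_mbr(sector: bytes) -> list:
    """Decode the four primary partition entries of an MBR (bytes 446..509)."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, lba_count = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0 or lba_count == 0:      # empty slot
            continue
        entries.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                        "start": lba_start, "end": lba_start + lba_count})
    return entries


def unaddressed_ranges(entries: list, total_sectors: int) -> list:
    """Half-open [start, end) sector ranges covered by no partition.

    Sector 0 is the MBR itself; everything between it and the first partition is
    the MBR gap (sectors 1..62 on CHS-aligned disks, 1..2047 on 1 MiB-aligned ones)
    and anything after the last partition is volume slack.
    """
    gaps, cursor = [], 1
    for start, end in sorted((p["start"], p["end"]) for p in entries):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def nonzero_sectors(image: bytes, ranges: list) -> list:
    """Sector numbers inside the given ranges whose contents are not all zero."""
    hits = []
    for start, end in ranges:
        for n in range(start, end):
            if any(image[n * SECTOR:(n + 1) * SECTOR]):
                hits.append(n)
    return hits


def build_sample_image() -> bytes:
    """Constructed 200-sector image: one NTFS-typed partition of 100 sectors at
    sector 63, plus planted text in the MBR gap (sector 10) and in the volume
    slack (sector 170)."""
    mbr = bytearray(SECTOR)
    # status, CHS start (3 bytes), type 0x07 (NTFS), CHS end (3 bytes), LBA start, LBA count
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 100)
    mbr[510:512] = b"\x55\xaa"
    image = bytearray(200 * SECTOR)
    image[0:SECTOR] = mbr
    planted = b"constructed sample: notes hidden outside any partition"
    image[10 * SECTOR:10 * SECTOR + len(planted)] = planted
    image[170 * SECTOR:170 * SECTOR + len(planted)] = planted
    return bytes(image)


def audit_image(image: bytes) -> dict:
    """Full check on a raw image: partitions, unaddressed ranges, suspicious sectors."""
    parts = parse_mbr(image[:SECTOR])
    gaps = unaddressed_ranges(parts, len(image) // SECTOR)
    return {"partitions": parts, "unaddressed": gaps,
            "suspicious": nonzero_sectors(image, gaps)}


if __name__ == "__main__":
    report = audit_image(build_sample_image())
    for p in report["partitions"]:
        print("partition slot %d type 0x%02x sectors %d-%d"
              % (p["slot"], p["type"], p["start"], p["end"] - 1))
    print("unaddressed ranges:", report["unaddressed"])
    print("non-zero sectors outside partitions:", report["suspicious"])
```

On a real image the same audit is run against the raw device or the E01/dd file; extended partitions add further partition tables inside the extended container, which the example does not descend into.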

Once the partitions have been created, each must be formatted with an appropriate
file system. A file system allocates space in clusters (allocation units), fixed
groups of sectors, rather than in individual sectors. While this improves the
efficiency of storing and retrieving data (read/write latency and so on), it wastes
sectors at the end of the partition whenever the partition's total sector count is
not an integer multiple of the cluster size. These trailing sectors, which the OS
cannot address through the file system, are once again an ideal location for writing
sensitive data and are dubbed 'partition slack' (Casey, 2004)vi. On NTFS the last
sector of the volume is additionally reserved for a backup copy of the boot sector,
outside the cluster-addressable area.

Every partition, even one not configured as bootable, begins with a boot sector (on
NTFS the $Boot metadata file covers the first 16 sectors). The boot sector of a
non-bootable partition is therefore largely wasted space that is well suited to
storing confidential information, although any consistency check or forensic tool
that validates the boot sector will notice the alteration. Similarly, unallocated
space within a partition is not reachable from Windows until a file is created and
allocated there. This unallocated 'free' space could therefore hold sensitive
information; however, it is quite a gamble, as any write within Windows could
reallocate and overwrite the space and so destroy the data (although, until that
happens, carving the unallocated space from a forensic image recovers it readily).

Looking back at the file system, it is also possible to 'abuse' a safety feature of
both FAT16/32 and NTFS by hiding information in clusters marked as bad. FAT records
a bad cluster with a reserved value in its FAT entry (0xFFF7 on FAT16, 0x0FFFFFF7 on
FAT32), while NTFS assigns bad clusters to the $BadClus metadata file; either mark
stops the file system from ever allocating the cluster again, so manipulating this
metadata turns the cluster into a stable store for sensitive information (Britz,
2008)iii. The caveat for an investigator is that modern drives remap defective
sectors in firmware, transparently to the OS, so a file system that lists any bad
clusters at all is itself suspicious and those clusters should be extracted and
examined. The storage locations above apply to both FAT16/32 and NTFS; NTFS,
however, offers some unique locations of its own.

Similar to the bad-cluster modification just discussed, NTFS keeps a Cluster
Allocation Bitmap in the $Bitmap metadata file: simply a complete map recording the
allocation status of every addressable cluster in the partition, one bit per
cluster. Marking chosen clusters as allocated in $Bitmap, without any file
referencing them, keeps the OS from ever writing to them. Only the bitmap's contents
need to be modified, although the fact that a modification has taken place would be
obvious on inspection, because the allocated-but-unreferenced clusters show up as
soon as the bitmap is reconciled against the clusters the MFT actually assigns to
files (chkdsk reports exactly this discrepancy). The advantage of this method,
however, is that the hidden information persists in its hidden state for the
lifespan of the file system (Farmer and Venema, 2005)ix.
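The reconciliation just mentioned is straightforward to automate. The added example below (mine, not part of the original research) decodes an NTFS-style allocation bitmap, compares it with the set of clusters that file records actually reference, and returns the 'orphan' clusters that are allocated but owned by nothing; on a healthy volume that list is empty. It also reports the opposite inconsistency, clusters a file uses that the bitmap calls free. The bitmap and the referenced-cluster set are constructed inline; in a real case the latter comes from walking every MFT record's non-resident attribute runs.

```python
def allocated_clusters(bitmap: bytes, total_clusters: int) -> set:
    """Decode an NTFS $Bitmap: bit i, least-significant bit first within each
    byte, is set when cluster i is allocated."""
    return {i for i in range(total_clusters) if (bitmap[i >> 3] >> (i & 7)) & 1}


def bitmap_from_clusters(clusters, total_clusters: int) -> bytes:
    """Inverse of allocated_clusters; used here only to construct the sample bitmap."""
    buf = bytearray((total_clusters + 7) // 8)
    for c in clusters:
        buf[c >> 3] |= 1 << (c & 7)
    return bytes(buf)


def orphan_allocated_clusters(bitmap: bytes, total_clusters: int, referenced) -> list:
    """Clusters marked allocated in the bitmap that no file record references.
    Each one is either file system damage or deliberately reserved hiding space."""
    return sorted(allocated_clusters(bitmap, total_clusters) - set(referenced))


def unreferenced_but_free(bitmap: bytes, total_clusters: int, referenced) -> list:
    """Clusters a file uses but the bitmap calls free: they will be overwritten by
    the next allocation and signal tampering or corruption as well."""
    return sorted(set(referenced) - allocated_clusters(bitmap, total_clusters))


# Constructed 64-cluster volume: system files own clusters 0-15, one user file
# owns 20-22. The bitmap additionally marks 40-47 in use although nothing
# references them, mimicking the hiding technique described above.
TOTAL_CLUSTERS = 64
REFERENCED = set(range(0, 16)) | {20, 21, 22}
SAMPLE_BITMAP = bitmap_from_clusters(REFERENCED | set(range(40, 48)), TOTAL_CLUSTERS)

if __name__ == "__main__":
    print("orphan allocated clusters:",
          orphan_allocated_clusters(SAMPLE_BITMAP, TOTAL_CLUSTERS, REFERENCED))
    print("referenced but free:",
          unreferenced_but_free(SAMPLE_BITMAP, TOTAL_CLUSTERS, REFERENCED))
```

The orphan list is the set of clusters to dump and examine; if their contents are not zero, they were reserved for a reason.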

NTFS in particular also provides a couple more alternatives. One is to use
Alternate Data Streams (ADS): a file's record in the Master File Table (MFT) may
carry more than one $DATA attribute, and Windows Explorer shows neither the
existence nor the size of the named streams, which makes them suited to hiding
sensitive data. They are not invisible, however: dir /r (Windows Vista and later)
and the Sysinternals Streams utility list them, and they are lost when the file is
copied to a FAT volume. NTFS has another inherent 'quirk' in its handling of very
small files. When a file's data is small enough to fit inside its MFT record (a few
hundred bytes in the usual 1 KB record), the data is stored resident in the record
itself rather than in clusters referenced from it (Jones, Bejtlich and Rose,
2005)x. A program can exploit this by writing its hidden information as many tiny
resident files, or into the unused tail (the MFT slack) of existing records; a
resident $DATA attribute can never exceed the record size, so the capacity is
limited to under 1 KB per record. Deleting such files does not clear their records,
so the resident content survives until NTFS reuses the record for a new file. This
hidden information would therefore persist only until further small files overwrite
that location in the MFT, and the method is best suited to ephemeral data.
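Both NTFS features just described live inside the MFT record, so one parser covers them. The following added example (mine, not the original research's code) builds a constructed 1 KB FILE record containing a visible unnamed $DATA attribute and a second, named $DATA attribute (an alternate data stream), then parses the record back: it applies the update sequence fixups that every real record needs, walks the attribute headers, returns the named streams with their resident contents, and reports how much MFT slack the record leaves. The attribute contents and header fields are constructed for the demonstration; the $STANDARD_INFORMATION and $FILE_NAME payloads are zero placeholders rather than real structures.

```python
import struct

RECORD_SIZE = 1024
ATTR_DATA = 0x80
END_MARKER = 0xFFFFFFFF


def _resident_attr(attr_type: int, name: str, content: bytes) -> bytes:
    """Build one resident NTFS attribute: 24-byte header, optional UTF-16LE name, content."""
    name_utf16 = name.encode("utf-16-le")
    name_off = 24
    content_off = (name_off + len(name_utf16) + 7) & ~7        # 8-byte aligned
    length = (content_off + len(content) + 7) & ~7
    attr = bytearray(length)
    # type, length, non-resident flag, name length (chars), name offset, flags, attribute id
    struct.pack_into("<IIBBHHH", attr, 0, attr_type, length, 0, len(name), name_off, 0, 0)
    # resident part: content size, content offset, indexed flag, padding
    struct.pack_into("<IHBB", attr, 16, len(content), content_off, 0, 0)
    attr[name_off:name_off + len(name_utf16)] = name_utf16
    attr[content_off:content_off + len(content)] = content
    return bytes(attr)


def build_record(attrs: list, in_use: bool = True) -> bytes:
    """Assemble a FILE record and apply the update sequence array (USA) the way
    NTFS does: the last two bytes of every 512-byte sector are replaced by the
    sequence number and the originals are parked in the USA."""
    usa_off, usa_count = 48, RECORD_SIZE // 512 + 1                   # 3 entries for 1 KB
    first_attr = (usa_off + 2 * usa_count + 7) & ~7                   # 56
    body = b"".join(attrs) + struct.pack("<I", END_MARKER)
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    # usa offset, usa count, $LogFile LSN, sequence no, link count, first attr,
    # flags (bit 0 = in use), used size, allocated size
    struct.pack_into("<HHQHHHHII", rec, 4, usa_off, usa_count, 0, 1, 1,
                     first_attr, 1 if in_use else 0, first_attr + len(body), RECORD_SIZE)
    rec[first_attr:first_attr + len(body)] = body
    usn = b"\x37\x00"
    rec[usa_off:usa_off + 2] = usn
    for k in range(1, usa_count):
        end = 512 * k
        rec[usa_off + 2 * k:usa_off + 2 * k + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


def parse_mft_record(raw: bytes) -> dict:
    """Undo the USA fixups, then walk the attribute list of a FILE record."""
    rec = bytearray(raw)
    if rec[0:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for k in range(1, usa_count):
        end = 512 * k
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError("update sequence mismatch in sector %d (torn write)" % k)
        rec[end - 2:end] = rec[usa_off + 2 * k:usa_off + 2 * k + 2]
    first_attr, flags, used, allocated = struct.unpack_from("<HHII", rec, 20)
    attrs, off = [], first_attr
    while off + 16 <= len(rec):
        atype, alen, non_resident, name_len, name_off = struct.unpack_from("<IIBBH", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        name = bytes(rec[off + name_off:off + name_off + 2 * name_len]).decode("utf-16-le")
        content = None
        if non_resident == 0:
            size, content_off = struct.unpack_from("<IH", rec, off + 16)
            content = bytes(rec[off + content_off:off + content_off + size])
        attrs.append({"type": atype, "name": name, "resident": non_resident == 0, "content": content})
        off += alen
    return {"in_use": bool(flags & 1), "used": used, "allocated": allocated,
            "mft_slack": allocated - used, "attributes": attrs}


def alternate_data_streams(record: dict) -> list:
    """Named $DATA attributes: the streams Explorer never shows."""
    return [a for a in record["attributes"] if a["type"] == ATTR_DATA and a["name"]]


# Constructed record: placeholder $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30),
# the visible unnamed $DATA stream, and a hidden stream named "secret".
SAMPLE_RECORD = build_record([
    _resident_attr(0x10, "", bytes(48)),
    _resident_attr(0x30, "", bytes(66)),
    _resident_attr(ATTR_DATA, "", b"visible contents of the file\n"),
    _resident_attr(ATTR_DATA, "secret", b"hidden stream content"),
])

if __name__ == "__main__":
    rec = parse_mft_record(SAMPLE_RECORD)
    for ads in alternate_data_streams(rec):
        print("ADS %r -> %r" % (ads["name"], ads["content"]))
    print("record used %d of %d bytes, %d bytes of MFT slack"
          % (rec["used"], rec["allocated"], rec["mft_slack"]))
```

Run against a real $MFT, the same loop flags every record whose in-use bit is clear but whose resident $DATA content is still non-zero (deleted small files whose data persists), and every named stream regardless of whether the owning file is still listed.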

The discussion above shows that most of the 'hiding' places in a typical
Windows file system suit ephemeral data, while the longer-term hiding places are
easier to detect. Moreover, for any information found in these locations it has so
far been taken for granted that the data is stored in plain text; a careful suspect
would first encrypt it with 3DES, Blowfish or the Advanced Encryption Standard (AES)
(Burnett, 2001)iv, in which case locating the data yields nothing without the key.

3 COMMUNICATION TECHNOLOGIES THAT THWART FORENSIC EFFORTS

Accessing the Internet is simpler than ever, with free WiFi in many coffee shops and
unsecured networks in many densely populated cities. A few years ago, reading e-mail
relied on a client program on the user's computer fetching and sending mail over
POP3 and SMTP, so the messages ended up stored locally in the computer's file
system. This is no longer the case: with many free webmail services available, far
more users keep most of their information online, a result of cloud computing
(Miller, 2008)xii.

In the following discussion of the various means by which an individual could
communicate with his or her co-conspirators regarding their illegal activities, it
is assumed that the individual has at least a basic working knowledge of covering
their tracks in whichever web browsers are installed on the system. This includes,
but is not limited to, clearing browsing history, download history, saved form and
search history, cache, cookies, offline website data, saved passwords and
authenticated SSL sessions.

Google even offers an online system called 'Google Docs', a free web-based word
processor and spreadsheet application that makes collaboration easy. Complicating
matters further, Google's free email service (Gmail) has an option to force the
browser always to connect over a Secure Sockets Layer (SSL) encrypted session, as do
other free email systems such as Hotmail and Yahoo. SSL negotiates a cipher suite
for each session; RC4 with a 128-bit key was a common choice at the time, alongside
AES and 3DES, and offers remarkable performance although it has several known
weaknesses in its keystream. From an evidence-gathering standpoint, however, those
weaknesses would only help someone positioned to capture a particular SSL session
between known Internet Protocol (IP) addresses (Viega, Messier and Chandra,
2002)xix; they leave no trace on the laptop as long as the user has been careful.

With the popularity of cloud computing, from a forensics perspective, the browser
software installed on a Windows system (Microsoft Internet Explorer, Mozilla
Firefox, etc.) would need to undergo close scrutiny for evidence in the form of its
cache, history, cookies and most recently downloaded files. Although it may be
possible to obtain some information via this method, it is not the only means for
communication across the Internet and World Wide Web (WWW).

Since it is common knowledge that intelligence and law-enforcement agencies around
the world, such as MI6, Interpol, the FBI and the CIA, screen email traffic for
"tell-tale" signs of communication of a less than legal nature, an unscrupulous
individual could use a free webmail account in the following manner: log in and
save whatever information needs passing as a draft email, without ever sending it.
The co-conspirators log in to the same account and read the draft, since only those
parties hold the username and password. No email is ever transmitted; all the
information sits in the 'Drafts' folder, and the only local traces are whatever the
browser retains.
This could also be applied to other online services such as Scribd, which offers an
easy means of sharing documentation as PDF and Word content. It even supports
storing 'private' files online, which only those given a particular Uniform
Resource Locator (URL) can access. It is quite possible that Scribd runs text
scanning to ensure such information does not stay on its system for long, but that
will only 'flag' content that is blatantly obvious; no intelligence agency will be
notified by the posting of a recipe for a thin-crust pizza.

With caution and a degree of common sense, this system could easily be used for
passing sensitive information between parties. Furthermore, the Scribd URL of a
private document could be communicated to co-conspirators via the Short Message
Service (SMS), the standard text messaging service of the GSM cellular system,
leaving no trace on the laptop that the document was ever passed to someone else,
unless the browser's history or cache suggests otherwise.

For the most tech-savvy criminals, a Virtual Private Network (VPN) using
cryptographic tunnelling is another extremely feasible means of communication. VPNs
are a standard feature of most corporate networks, allowing employees to work from
home and on the move (Steinberg et al., 2005)xviii without compromising the security
of the network and its data. During a VPN session the connecting user is effectively
logged on to the remote network, gaining access to its shared volumes, attached
peripherals and hosts, subject to the firewall configuration and network topology.
"Local" video conferencing, file transfer and other data exchange are then simple to
achieve over the tunnel (Snader, 2005)xvii. It falls to the forensic investigator to
check whether the IP addresses of the VPN gateways the laptop has connected to have
been recorded in some way, for instance in the VPN client's saved connection
profiles, and whether any logs of such sessions are kept locally on the laptop's
HDD.
Although less complicated to set up and connect, a Secure Shell (SSH) connection to
a remote server likewise gives an encrypted session for the duration of the link,
over which the two parties can exchange files (via SCP or the SSH File Transfer
Protocol, SFTP), run an instant messaging client on the server, and use a host of
other capabilities. SSH is susceptible to 'man in the middle' attacks only on the
first connection to a server, when the client holds no record of the server's host
key and trusts whatever it is offered, or when the user ignores a warning that the
host key has changed. Like a VPN, it is a secure means of cryptographic tunnelling
across the Internet (Barrett, Silverman and Byrnes, 2005)ii.

FTP is a simple client-server protocol for transferring files to and from an FTP
server; it predates Linux by two decades and is native to Unix systems. A typical
FTP session runs completely in the open, with even the username and password
transmitted in plain text on the control connection, so they can easily be captured
by a packet sniffer watching TCP port 21 (Kozierok, 2005)xi. To add encryption, the
viable alternatives are the SSH File Transfer Protocol (SFTP) or FTP over SSL
(FTPS).

Although FTP and its secure variants were not designed as a means of passing
messages, one could easily take advantage of them in this fashion. Suppose the
co-conspirators set up an FTP server (a daemon, hence 'FTPd') and place their
'secret' information in the server's welcome message, customised to appear only to
a particular user who logs in. Such messages could be set up for each
co-conspirator's account; each need only log in over an encrypted FTPS session,
which still displays the banner, to receive the information, and can leave a
response by uploading a file to their folder on the server. Paired with SMS
messaging, it would be extremely simple for the members of the organisation to
handle communications in this fashion.

It is, however, possible to find out whether SSH sessions have been in use on the
laptop. SSH is native to Linux and Unix systems; on Windows it is typically used
through a client such as PuTTY, through Cygwin, which provides a Unix-like
environment including OpenSSH, or by running a Linux distribution (such as Ubuntu
or Debian) inside a virtual machine under VMware (Newham, 2005)xiv. Each leaves its
own record of the servers contacted: PuTTY stores accepted host keys in the registry
under HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys, while OpenSSH
(under Cygwin, or inside the virtual machine's disk image) keeps them in the
known_hosts file.
OpenSSH records the public host key of every server it has connected to in
~/.ssh/known_hosts (under Cygwin, in the user's Cygwin home directory); a typical
entry looks like the following:

128.138.249.8 ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEA0d7Aoure0toNJ+YMYi61QP2ka8m5x5ZQlT7obP8CK
3eropfqsMPPY6uiyIh9vpiFX2r1LHcbx139+vG6HOtVvuS8+IfMDtawm3WQvRuOopz3vV
y5GtMwtaOgehsXoT930Ryev1bH5myPtWKlipITsOd2sX9k3tvjrmme4KCGGss=

As seen in the example above, the server's IP address or host name is stored
alongside its full base64-encoded RSA public key (not merely a hash of it). Two
caveats apply. An entry records only that the key was accepted at some point, not
when or how often the server was used. And OpenSSH can be configured (HashKnownHosts
yes, the default on Debian-based systems) to store a salted SHA-1 HMAC of the host
name instead of the plain name, in which case the investigator must test candidate
host names and addresses against each hashed entry, as ssh-keygen -F does.
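The following added example (mine, not code from the original research) turns that observation into a check an investigator can run over a recovered known_hosts file: it parses each line, tests candidate host names and IP addresses against both plain and hashed (HashKnownHosts) entries using the same salted HMAC-SHA1 that OpenSSH uses, decodes the ssh-rsa blob to report the modulus size, and computes the key's SHA256 fingerprint for cross-referencing against a seized server. The sample file is constructed inline: the address 128.138.249.8 is the one shown above, the host name server.example.internal is hypothetical, and the key is a made-up 1024-bit modulus, not a real host key.

```python
import base64
import hashlib
import hmac
import struct


def _mpint(n: int) -> bytes:
    """SSH mpint (RFC 4251): length-prefixed big-endian, with a leading 0x00 when the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire form of an ssh-rsa public key (RFC 4253 6.6); this is what the base64 column encodes."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def parse_rsa_public_blob(blob: bytes):
    """Return (e, n) from an ssh-rsa blob; refuse other key types."""
    fields, off = [], 0
    for _ in range(3):
        (length,) = struct.unpack_from(">I", blob, off)
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % fields[0])
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH's SHA256 fingerprint: base64 of the digest with padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hash_host(host: str, salt: bytes) -> str:
    """The |1|salt|hmac form OpenSSH writes when HashKnownHosts is enabled."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field: str, candidate: str) -> bool:
    """Does a known_hosts host field (comma-separated, plain or hashed) cover the candidate?"""
    for pattern in host_field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pattern.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), candidate.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return True
        elif pattern == candidate:
            return True
    return False


def parse_known_hosts_line(line: str):
    """'[@marker] host[,host...] keytype base64 [comment]' -> (host_field, keytype, blob) or None."""
    parts = line.split()
    if len(parts) < 3 or parts[0].startswith("#"):
        return None
    if parts[0].startswith("@"):                    # @cert-authority / @revoked markers
        parts = parts[1:]
    return parts[0], parts[1], base64.b64decode(parts[2])


def hosts_contacted(known_hosts: str, candidates) -> list:
    """One report per key line: matched candidates, key type, RSA size, fingerprint."""
    report = []
    for line in known_hosts.splitlines():
        parsed = parse_known_hosts_line(line)
        if parsed is None:
            continue
        host_field, keytype, blob = parsed
        bits = parse_rsa_public_blob(blob)[1].bit_length() if keytype == "ssh-rsa" else None
        report.append({"hosts": [c for c in candidates if host_matches(host_field, c)],
                       "type": keytype, "bits": bits, "fingerprint": fingerprint_sha256(blob)})
    return report


# Constructed sample: a made-up 1024-bit modulus, not a real host key.
SAMPLE_N = (1 << 1023) | 0x10001
SAMPLE_BLOB = rsa_public_blob(65537, SAMPLE_N)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "128.138.249.8 ssh-rsa " + SAMPLE_B64,                                          # plain entry
    hash_host("server.example.internal", bytes(range(20))) + " ssh-rsa " + SAMPLE_B64,  # hashed entry
])

if __name__ == "__main__":
    for entry in hosts_contacted(SAMPLE_KNOWN_HOSTS,
                                 ["128.138.249.8", "server.example.internal", "10.0.0.5"]):
        print(entry)
```

The candidate list is whatever else the case supplies: addresses from firewall logs, VPN profiles, PuTTY's registry keys or the suspect's contacts; a hashed entry that matches none of them still yields a fingerprint that can be compared with the host key of any server later seized.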

This research would not be complete without discussing freely available Instant
Messaging (IM) systems such as Windows Live Messenger (formerly MSN Messenger),
Yahoo Messenger, ICQ and AOL Instant Messenger (AIM). These systems allow users to
'chat' in plain text by running the same client application on each of their PCs.
Their conversations, however, are routed through servers belonging to the companies
that developed the clients, and encryption is not a main feature of these
applications (Wikipedia, 2009)xxi.

Alternative software such as BitWise IM is available free and supports real-time
128-bit Blowfish encryption, while the paid professional version supports 448-bit
Blowfish; this application also generates a new random key for every conversation.
In terms of evidence gathering, a regular feature of all these programs is their
ability to log conversations to the HDD as time-stamped plain text files. Since
logging is a user-enabled option, these log files may or may not exist on the
system.

Reflecting on the earlier discussion of Gmail, Google's free web-based email system
also features an IM system called Gmail Chat. If the connection to Gmail is made
over plain Hypertext Transfer Protocol (HTTP), the contents of these conversations
can be read by anyone on the network path, for example another user of the same
open WiFi network. If the browser connects to Gmail with SSL enabled, the
conversations are far more difficult to tap into.
With regard to voice and video calls over the Internet, Skype offers free calls
between Personal Computers (PCs) (Abdulezer et al., 2007)i. Its system uses the
Advanced Encryption Standard (AES), also known as Rijndael, a portmanteau of the
names of its two inventors, Joan Daemen and Vincent Rijmen (Daemen and Rijmen,
2002)viii, with a 256-bit key to encrypt voice calls, voice and video calls (video
conferencing) and instant messages (Skype, 2009)xvi. Free, encrypted calls over the
Internet are clearly an attractive way to communicate with co-conspirators. With
prudence and care, even if each call were logged and analysed by the Skype system,
it is highly unlikely to be flagged unless both parties are extremely incompetent
and careless. Skype's instant messaging allows conversations to be recorded to the
HDD, and this chat history is most likely the only evidence it leaves behind, apart
from the contact list and the cached credentials if the user let Skype remember
the password.

Of course, Skype also lets users with Skype Credit make PC-to-landline calls, where
part of the call is carried over the Internet and the rest over fibre-optic, Voice
over Internet Protocol (VoIP), cellular (GSM/3G) and Public Switched Telephone
Network (PSTN) links (Wallingford, 2005)xx. This poses a couple of risks to the
parties using it: (1) the caller must hold Skype Credit, which has to be purchased
with a credit card or PayPal account, and (2) the number called is recorded by the
transit and terminating networks. As for the former, a stolen credit card or a
compromised PayPal account could be used, but this would result in the purchaser's
current IP address being noted down. That alone may not help: they could be
connecting through a chain of proxy servers that masks their real IP, or via an
unsecured WiFi connection in a metropolitan area (although this would place them
within roughly 32 m indoors to at most 95 m outdoors of the wireless base station,
a possible location covering about 3,200 to 28,000 square metres, that is 0.003 to
0.028 square kilometres, respectively).

A similar system is offered by Google Talk (GTalk), available both as a Windows
desktop client and within the Gmail web interface, providing Instant Messaging and
VoIP communication between PCs. Unlike Skype, GTalk did not at the time impose
end-to-end encryption of conversations.

Another popular means of online communication is Internet Relay Chat (IRC), which
allows real-time text chat by joining a particular IRC server with a freely
available IRC client (Charalabidis, 1999)vii. One of the most popular IRC clients
for Windows is mIRC, which, like most other communication applications, can log
previous conversations or sessions to the HDD.

Unlike IM conversations, with IRC the user must join an IRC server of his choice,
and there are many such servers, often organised by the country they are based in.
Upon joining a server, the user can either join pre-existing IRC channels or create
his own. At that point any co-conspirators may join the same channel and enter a
private conversation.

Files can be exchanged via a Direct Client-to-Client (DCC) connection or a Secure
DCC (SDCC), which also lets individuals chat privately over IRC with encryption
enabled. Both DCC and SDCC are peer-to-peer (P2P) connections, independent of the
IRC client-server connection, made directly between the Wide Area Network (WAN) IP
addresses of the two users' PCs, so each peer learns the other's public address and
a network capture would show it. SSL may be used on the client-server connection,
depending on the features of the particular server, to make eavesdropping on a
user's IRC session difficult.

Internet Forums or messaging boards are extremely popular web applications that
allow for users to collaborate online in a system akin to traditional Bulletin Board
Systems (BBS), in the days of dialup Internet well before broadband was introduced.
Most forums are dedicated to a central theme – some are dedicated to Computer
Technology and Hardware discussions, such as HEXUS.net, and some are even
dedicated to specific hobbies, interests and discussions.

Most online forums simply require a user to choose a 'nickname' and supply a valid
email address to register. Once registered, they are free to use the forum's
features as well as its Private Messaging (PM) system. There are almost no measures
to prevent unscrupulous individuals from conversing through a forum's PM system,
and only some forums monitor the PMs sent and received. Once again, as long as
common sense and a degree of caution are exercised, an online forum could be used
between co-conspirators, although they would be unable to exchange files by this
method; a service such as Scribd could be used alongside it to overcome that
limitation.

If they decided to communicate by means of digital photos, many free online systems
are also available for the purpose, Flickr and Photobucket being the most popular.
Although they limit the number of photos uploaded, a fair number can still be stored
online with full access to anyone reaching the site with a web browser or a capable
mobile device such as the Apple iPhone.

This notion also extends to the extremely popular social networking web
applications such as Facebook and MySpace, which let users post profiles about
themselves, host photographs and even video clips in their accounts, and
communicate privately through the site's own messaging system (Shuen, 2008)xv. In
all likelihood these systems monitor private communications, but, as mentioned
earlier, nothing will be flagged unless someone blatantly passes across a list of
chemicals and instructions for manufacturing military-grade explosives. Used
sensibly, they let co-conspirators communicate privately and ensure that no record
of the communication is held on the local HDDs of their computers, beyond what the
browser caches.

4 CONCLUSION

With regard to concealing information in the laptop's file system, it is apparent
that most of the options hold only ephemeral data, while the more persistent methods
are easier to detect. Even if such data is located, it is far more likely than not
to be encrypted with one of the established algorithms, in which case the key, not
the ciphertext, becomes the object of the investigation.
In terms of communication technology that may pose problems to the team of forensic
investigators, many avenues exist for using freely available online systems to make
contact and pass information, with very little scope for leaving evidence behind.

It is a given, though, that a careless criminal could easily leave behind evidence
that is readily accessible. At the end of the day, if dissecting the file system
down to its lowest level proves fruitless, the remaining alternative is a low-level
read of the hard disk, which may yield data that was not sufficiently deleted or
securely erased (overwritten, known as zeroing).
REFERENCES

i Abdulezer, L. et al. (2007) Skype For Dummies, Hoboken, NJ: Wiley Publishing, Inc.
ii Barrett, D. J., Silverman, R. E. and Byrnes, R. G. (2005) SSH, The Secure Shell: The Definitive Guide, 2nd edition, Sebastopol, CA: O'Reilly Media, Inc.
iii Britz, M. T. (2008) Computer Forensics and Cyber Crime: An Introduction, 2nd edition, Upper Saddle River, NJ: Prentice Hall.
iv Burnett, S. (2001) RSA Security's Official Guide to Cryptography, New York, NY: McGraw-Hill.
v Carrier, B. (2005) File System Forensic Analysis, Reading, Massachusetts: Addison-Wesley.
vi Casey, E. (2004) Digital Evidence and Computer Crime, 2nd edition, London, UK: Academic Press.
vii Charalabidis, A. (1999) The Book of IRC: The Ultimate Guide to Internet Relay Chat, San Francisco, CA: No Starch Press.
viii Daemen, J. and Rijmen, V. (2002) The Design of Rijndael: AES - The Advanced Encryption Standard, New York, NY: Springer Publishing Company.
ix Farmer, D. and Venema, W. (2005) Forensic Discovery, Reading, Massachusetts: Addison-Wesley.
x Jones, K. J., Bejtlich, R. and Rose, C. W. (2005) Real Digital Forensics: Computer Security and Incident Response, Reading, Massachusetts: Addison-Wesley.
xi Kozierok, C. (2005) The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference, San Francisco, CA: No Starch Press.
xii Miller, M. (2008) Cloud Computing: Web-Based Applications That Change the Way You Work and Collaborate Online, Canada: Que Publishing.
xiii Mirza, F. (2008) ‘Looking for digital evidence in Windows’, International Symposium on Biometrics and Security Technologies 2008, April, pp. 23-24.
xiv Newham, C. (2005) Learning the bash Shell: Unix Shell Programming, 3rd edition, Sebastopol, CA: O'Reilly Media, Inc.
xv Shuen, A. (2008) Web 2.0: A Strategy Guide: Business thinking and strategies behind successful Web 2.0 implementations, Sebastopol, CA: O'Reilly Media, Inc.
xvi Skype (2009) What type of encryption is used?, http://support.skype.com/en_GB/faq/FA145/What-type-of-encryption-is-used, Date accessed 28 March 2009.
xvii Snader, J. C. (2005) VPNs Illustrated: Tunnels, VPNs, and IPsec, Reading, Massachusetts: Addison-Wesley.
xviii Steinberg, J. et al. (2005) SSL VPN: Understanding, evaluating and planning secure, web-based remote access: A comprehensive overview of SSL VPN technologies and design strategies, Birmingham, UK: Packt Publishing Ltd.
xix Viega, J., Messier, M. and Chandra, P. (2002) Network Security with OpenSSL, Sebastopol, CA: O'Reilly Media, Inc.
xx Wallingford, T. (2005) Switching to VoIP, Sebastopol, CA: O'Reilly Media, Inc.
xxi Wikipedia (2009) Instant messaging, http://en.wikipedia.org/wiki/Instant_messaging, Date accessed 28 March 2009.

POSSIBLE DEFENCES FACED IN COMPUTER FORENSICS

ABSTRACT: The aim of this research was to study the possible defences
faced by a prosecuting investigator, with regards to Computer Forensics.
The focus was on techniques used in concealing data in modern mass
storage media, popular file systems, and the consequences of data
encryption (to current standards) on successful retrieval of forensic
evidence.

TABLE OF CONTENTS

1 INTRODUCTION
2 CONCEALMENT OF DIGITAL DATA
2.1 Formidable Cryptography of the 21st Century
2.2 Computer Hard Disk Drives and File Systems
3 CONCLUSION




5 INTRODUCTION

The aim of this research was to detail some of the possible defences that may be faced
by a prosecuting investigator. Since these defences vary directly with the nature of
the particular case at hand, this research attempts to address the most relevant
domains of Computer Forensics with regards to the concealment of digital data in
media and its file system structure. Other hiding methods are out of the scope of this
research, which include (but are not limited to) – Swap files, binding executable files
together, compressed files, renamed files, BIOS parameter alteration, and
steganography.

6 CONCEALMENT OF DIGITAL DATA

The two types of data collected in Computer Forensics are persistent data and volatile
data. The former is information that is preserved in the storage media of choice when
the power to the computer, or device, is removed, and this applies even to many
mobile devices in production today. Volatile data is data stored in memory – the cache
and Random Access Memory (RAM) of a computer, including mobile devices – and is
inherently ephemeral in nature, as it is lost within a matter of seconds to a couple of
minutes at most once the power is removed and the supporting capacitive circuits
discharge.

In current times, the concealment of digital data is usually attributed to
steganography, watermarking, and cryptography (Cole, 2003). The word
steganography means concealed writing, and as such it is concerned with concealing the
communication of its contents. Watermarking is more concerned with the addition of
sufficient information to establish the source or provenance of the data. Similarly, the
cryptographer’s interest lies in obscuring the message’s contents.

It can be seen that steganography and cryptography are both means by which the
information of interest is concealed or obscured, and sometimes even embedded in
other information such as pictures. In contrast, the object of interest is protected by the
obscured or embedded watermark created by digital watermarking, not unlike a
fingerprint. In terms of application, steganography and watermarking may be
combined with cryptography, although as an added measure rather than a
requirement. Furthermore, imperceptible watermarking would be inherently related
to steganography in terms of functionality.

The inclusion of Metadata can be considered as a loose application of perceptible
watermarking. Since it is perceptible, it inherently does not comply with the
philosophy of watermarking; however, as implied by the name it means “data about
other data” – and therefore tends to be descriptive of other data and, depending on its
context, can hold information such as author, date last accessed, and copyright.

Metadata was found embedded in a deleted Microsoft Word document on a 3.5”
floppy disk, sent by the BTK killer on 16th February 2005 in Wichita, Kansas, USA.
The recovered metadata revealed the document had been last modified by “Dennis”
and contained “Christ Lutheran Church” (Smith, 2006). A search of the church
website detailed a Dennis Lynn Rader as a member of their congregation, thereby
providing the police with their first suspect in the case and strong circumstantial
evidence. He was arrested ten days later and formally charged with the murders on
the 28th of February 2005 (Douglas and Dodd, 2008).

In considering the process of concealing data digitally, there is also a physical aspect
to be considered – namely the modern digital storage media utilised to conceal digital
information. Since most modern digital storage is not bit-addressable at the
Operating System (OS) level, and addressability is at a far more abstract level, this
creates the possibility for data to be stored in inaccessible, or sometimes unnoticeable,
areas of these digital storage media.

Those looking to conceal data that could be potentially incriminating, or to utilise a
computer for illegal activities, tend to be aware that methods exist for deleted data to
be retrieved. Therefore, they tend to resort to using freely available and commercial
‘disk wiper’ utilities in an attempt to be rid of any loose ends. Berghel and Hoelzer
(2006) illustrate in their paper titled “What Does a Disk Wiper Wipe when A Disk
Wiper Wipes Disks”, that these utilities are quite ineffective in eliminating all hidden
data.
6.1 FORMIDABLE CRYPTOGRAPHY OF THE 21ST CENTURY

The most widely utilised and trusted implementation of symmetric key cryptography¹
is the Advanced Encryption Standard (AES) algorithm, originally published as
Rijndael (Daemen and Rijmen, 2002). In June 2003, the National Security Agency
(NSA) of the US Government approved AES for its utilisation in protecting classified
information (CNSS, 2003).

Related-key attacks on AES-256 typically require 2^128 different combinations.
Biryukov and Khovratovich (2009) have shown two devised related-key attacks with
a better complexity (2^119 data and time), which essentially reduces the strength of
AES-256 to virtually that of a 119-bit AES encryption. Although this is quite a
significant attack, it is still far from a viable solution; hypothetically, if each operation
took 1 picosecond (1×10^-12 s) to complete, 2^119 operations would require
~2.11×10^13 millennia, or 21,000,000 billion years, to complete! The authors believe
their attack could be further improved to a complexity of 2^110.5. Based on the
previous hypothesis, 2^110.5 operations would require a vastly reduced ~5.82×10^10
millennia, or 58,000 billion years.


Consider Landauer’s Principle, which states that “…each bit of lost information will
release an amount of kT ln(2) of heat”, where k is Boltzmann’s constant and T is the
temperature, here taken as that of the Cosmic Microwave Background (CMB)
radiation (2.725 K, today). Evaluating E = 2^110.5 kT ln(2) yields 6.9×10^10 Joules
of energy, which is an order of magnitude less than the energy released in explosions
of GBU-43/B Massive Ordnance Air Blast (MOAB) bombs or the M-388 Davy
Crockett nuclear projectile used during the Cold War. This simply illustrates the
electrical power requirements for computers used in successfully cracking AES-256
utilising the related-key attacks devised by Biryukov and Khovratovich (2009). From
a theoretical and mathematical standpoint, it seems that AES-128 is more secure than
AES-256; however, in practical terms, AES-256 is still considered more secure, as
made evident by the NSA as they continue to implement AES-192 and AES-256 for
information designated as TOP SECRET.

¹ Symmetric-key cryptography algorithms utilise similar, often identical, cryptographic keys for both
encryption and decryption.
Halderman et al. (2008) have shown that, on some computer systems, volatile data held in
RAM can persist for approximately a minute after sleeping, hibernating or even
shutting the system down. They extended this to more than 8 minutes by physically
accessing the memory modules and cooling them to –50 ºC. The memory modules could
even be removed in this cold state and transferred to another computer to undergo
“cold boot attacks”. The paper details their obtaining of a 1 GB memory dump within
four minutes.

Coupled with cold reboots, attacks against popular disk encryption systems (including
those using AES-128, AES-192, and AES-256) – BitLocker in Microsoft Windows
Vista, Apple’s FileVault disk encryption, and open-source implementations such as
TrueCrypt (for Windows, Mac OS X, and Linux) and dm-crypt, found in Linux
kernels since v2.6 – are simply reduced to the task of obtaining the encryption key
from RAM within minutes in order to unscramble the encrypted information.

When a forensics investigator is presented with a running system, time is of the
essence with regards to gathering as much data as possible from its volatile sources of
evidence – running processes, ARP (Address Resolution Protocol) cache, list of open
files, virtual and physical memory, and active network connections (Bidgoli, 2006).
Considering the implications of the work by Halderman et al. (2008), a further step
could be implemented to obtain a qualified forensic duplicate of data held in RAM,
onto another data storage medium, via cold boot attacks. This would improve the
possibility of circumventing any potential active disk encryption in place on the
system (such as BitLocker, FileVault, TrueCrypt, and dm-crypt).

6.2 COMPUTER HARD DISK DRIVES AND FILE SYSTEMS

Modern storage media comes in various forms, from Hard Disk Drives (HDDs) to
Compact Flash (CF), Secure Digital (SD) and Secure Digital High Capacity (SDHC)
cards and USB Flash Drives. During typical use, they would be partitioned and
formatted to a popular file system; however, this may not always be the case,
especially with mass storage media encountered in the field.
Assumptions should not be made regarding recovered desktop PCs, laptop computers,
HDDs, external portable HDDs, Flash storage and other mass storage devices. HDDs
typically come in various physical sizes – 3.5”, 2.5”, 1.8”, 1.3”, 1”, and 0.85”
thickness – with connectivity ranging from IDE (Integrated Drive Electronics) to
SCSI (Small Computer System Interface) and Serial-ATA (SATA). HDDs could be
utilised as a means for storing and communicating incriminating evidence, and thus
not be used in a regular manner; as such, precautions need to be taken when
forensically investigating data held on a HDD.

With regards to HDDs, methods for hiding data take advantage of their architecture
and geometry. Hiding mechanisms that rely on abusing inherent traits of partitioning
schemes and file systems affect not only HDDs but also Flash storage. Due to the
computer skill required to take advantage of these data caches, it is extremely likely
that any data recovered would first have been subjected to a form of encryption, as
detailed in Section 6.1, further thwarting forensic efforts in evidence retrieval. This
research considers the two main file systems utilised by computers operating Microsoft
Windows, as well as those operating Linux, a freely distributed OS that is well suited
to manipulating and accessing these hidden and restricted areas of the file systems.

The most common file systems in the Windows environment are the File Allocation
Table (FAT) and New Technology File System (NTFS). The FAT file system is
implemented today as a 16-bit version, FAT16, and a more common 32-bit version,
FAT32. FAT16 allows a maximum file system volume of 2 GB, whereas FAT32 can
support single partitions up to 2 TB in size (Mirza, 2008). The various flavours of
Linux OSes have no problem in accessing and working with the FAT16 and FAT32
file systems, although most installations are formatted by default as Ext3 (or, the
legacy Ext2) since it is a journaled file system (Carrier, 2005).

A special feature, found only on certain makes of HDDs, the Host Protected Area
(HPA) is designated as a reserved area on HDDs designed to store information that
cannot easily be subjected to alteration by users, OS, or the BIOS (Basic Input/Output
System). The purpose of the HPA is to allow computer manufacturers and vendors to
store information and utilities, such as diagnostic tools and HDD utilities, whilst
ensuring bit-level modification of data held in the HPA is typically made impossible
to installed operating systems (Gupta, Hoeschele and Rogers, 2006). In addition to
this, an additional hidden area on modern HDDs is the Device Configuration Overlay
(DCO), which allows vendors to configure HDDs of potentially various sizes to
conform to having the same number of sectors (Mirza, 2008), i.e. the DCO would be
used to make a 160 GB HDD appear as a 120 GB HDD to both the system BIOS and
any installed operating systems.

The HPA and DCO are only available on certain makes and models of HDDs, and
therefore their implementation is inherently a proprietary process of the respective
HDD manufacturer. Forensic investigators therefore need to rely on the claims of
HDD manufacturers with regards to the capability of their tools when creating
forensic images in the field. These tools may or may not be able to properly detect
and image the HPA; however, these vendors remain silent with regards to the
imaging of the DCO. Gupta, Hoeschele and Rogers (2006) have recommended future
research into the implications of creating or removing the HPA and DCO on the data
integrity of a HDD. Since the HPA and DCO are independent of any partitioning
schema or file system, they are impervious to any such modifications made.

Other means for hiding digital data look at taking advantage of features of respective
file systems. Once again, in consideration of file systems on HDDs, the common
methodologies for hiding information are – ‘free space’ within the Master Boot
Record (MBR), volume slack, partition slack, boot sector of a non-bootable partition,
unallocated space in a partition, bad-blocks, NTFS Cluster Allocation Bitmap, NTFS
Alternate Data Streams (ADS), and the Master File Allocation Table (MFT) and
extremely small files.

Before the installation of an operating system, a HDD needs to be partitioned. Once
partitioned, it is then formatted to a suitable file system that is useable by the
operating system to be installed. The first sector of a partitioned volume of a HDD is
called the Master Boot Record (MBR). The MBR only requires a single drive sector
and, since partitions must start on the boundary of a cylinder, this results in the MBR
containing sixty-two empty sectors (Casey, 2004) – this free space can be utilised to
conceal information and is impervious to re-partitioning of the HDD and
re-formatting of the existing partition.

If a partition is created and sensitive information is written to it with the intention of
subsequently deleting the partition in question, it turns into what is known as volume
slack (Carrier, 2005). This is essentially space on a HDD that has yet to be
partitioned, and until this space is partitioned the data written to it will remain in the
volume slack – yet remain inaccessible by installed operating systems. In the event
the HDD is re-partitioned and the newly created partition and file system extend into
this area, it would render the hidden data useless.

Once a HDD has been partitioned and formatted with a suitable file system,
depending on the chosen file system, data will be read and written as block-sized
chunks instead of entire sectors. This tends to lead to a wastage of sectors at the end
of partitions in the event the total number of sectors are not an integer multiple of the
block-size – this free space is known as partition slack (Casey, 2004), and is once
again a possible storage location for sensitive information. Any information stored in
the partition slack would remain persistent during a re-formatting of the existing
partition. However, in the event the HDD is re-partitioned and the newly created
partition and file system extend into this area – this would render the hidden data
useless.
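As an added illustration of the three areas just described (not code from the original report), the following Python scans a raw disk image for non-blank sectors in the gap between the MBR and the first partition, in unpartitioned volume slack, and in the trailing sectors of a partition that do not fill a whole block. The image, partition layout and planted bytes are constructed inside the block, and the block size passed in is assumed to be the file system's allocation unit for every partition.

```python
import struct

SECTOR = 512


def parse_mbr(image):
    """Return (start_lba, sector_count) for each used entry in the MBR partition table."""
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA MBR signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack("<II", entry[8:16])
        if ptype != 0 and count:
            parts.append((start, count))
    return sorted(parts)


def nonzero_runs(image, first, count):
    """Return [(sector, length)] for each run of non-blank sectors in [first, first+count)."""
    runs, run_start = [], None
    for s in range(first, first + count):
        blank = not any(image[s * SECTOR:(s + 1) * SECTOR])
        if not blank and run_start is None:
            run_start = s
        elif blank and run_start is not None:
            runs.append((run_start, s - run_start))
            run_start = None
    if run_start is not None:
        runs.append((run_start, first + count - run_start))
    return runs


def find_hidden_areas(image, block_size):
    """List (area, first_sector, run_length) for non-blank data found in the MBR gap,
    in volume slack and in partition slack. block_size is the file-system allocation
    unit assumed for the partitions (an assumption of this example)."""
    total = len(image) // SECTOR
    spb = block_size // SECTOR            # sectors per file-system block
    findings = []
    cursor = 1                            # sector 0 is the MBR itself
    for start, count in parse_mbr(image):
        if start > cursor:
            # sectors before the first partition are the MBR's empty sectors;
            # gaps between partitions are unpartitioned volume slack
            label = "mbr_gap" if cursor == 1 else "volume_slack"
            findings += [(label, s, n) for s, n in nonzero_runs(image, cursor, start - cursor)]
        slack = count % spb               # tail sectors that no whole block can cover
        if slack:
            findings += [("partition_slack", s, n)
                         for s, n in nonzero_runs(image, start + count - slack, slack)]
        cursor = start + count
    if total > cursor:                    # unpartitioned tail of the disk
        findings += [("volume_slack", s, n) for s, n in nonzero_runs(image, cursor, total - cursor)]
    return findings


def build_sample_image():
    """Constructed 2 MiB image: one Linux partition at LBA 63 of 2,001 sectors, with a
    short note planted in each of the three areas (sample data, not real evidence)."""
    image = bytearray(4096 * SECTOR)
    entry = bytes([0x00, 0, 0, 0, 0x83, 0, 0, 0]) + struct.pack("<II", 63, 2001)
    image[446:462] = entry
    image[510:512] = b"\x55\xaa"
    note = b"CONSTRUCTED HIDDEN NOTE"
    for sector in (10, 2063, 3000):       # MBR gap, odd last partition sector, after the partition
        image[sector * SECTOR:sector * SECTOR + len(note)] = note
    return bytes(image)


if __name__ == "__main__":
    for area, sector, length in find_hidden_areas(build_sample_image(), block_size=1024):
        print(f"{area:16s} sector {sector:6d} run of {length} sector(s)")
```

Running the same image with a 512-byte block size reports no partition slack at all, which is why the assumed block size must match the file system actually present before a tail-of-partition finding is trusted.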

Partitions that have not been initialised as bootable still contain a boot
sector. Therefore, this boot sector can be used to store information, which would remain
persistent even if the partition is re-partitioned (which requires a re-format) or
re-formatted. However, moving the partition or initialising it as a bootable partition, via
the Drive Manager in Windows, Disk Utility in Mac OS, or fdisk in Linux (Nelson,
Phillips, Enfinger and Steuart, 2007), would render the hidden data useless.

Unallocated space in a partition can be utilised to hide data, although it would be
ephemeral at best during normal use of a HDD. Any hidden data in the unallocated
partition space would remain persistent only as long as the data held on the HDD is
not altered, whether intentionally or not. Any lapses on the part of the forensic
investigator could result in the loss of any data held in this space, unless careful
measures are taken (Bidgoli, 2006).

A safety feature present in both FAT16/32 and Windows NTFS is one that marks
blocks as ‘bad-blocks’ so as to prevent data loss. The file system metadata that
identifies bad-blocks could be altered (Carvey, 2004) so as to mark accessible blocks
as bad-blocks. Once marked as bad-blocks, these ‘fake’ bad-blocks will no longer be
accessible by Microsoft Windows and as such any data held by them will remain
persistent on the disk, until it is re-partitioned (which requires a re-format of the
newly created partition) or the existing partition is re-formatted.

A special case of metadata belonging to the NTFS file system is its Cluster Allocation
Bitmap, which is a complete map of every addressable cluster within a particular
partition. Alteration of the Cluster Allocation Bitmap will allow for data to be hidden
in a method similar to that of the ‘fake bad-block’ method (Farmer and Venema,
2005). Data hidden by this method would persist for the lifespan of the file system as
long as it is not subjected to re-partitioning or re-formatting.

NTFS offers a couple more special cases inherent to its design. One such case is
Alternate Data Streams (ADS), which are related to the Master File Allocation
Table (MFT). The alteration of reported file streams would allow for sensitive data to
be hidden – kept obscured from the purview of Windows Explorer and even
command line access via the console.

Further to this, NTFS has an inherent quirk with regards to handling rather small files
and ADS. If the file is sufficiently small, rather than referencing its location via the
MFT, it can be stored completely within it. This would allow a purpose-built
program to create multiple tiny files, so as to create enough references to them within
the MFT – upon deleting all the created dummy files, it would free up the
required space within the MFT for concealing a large enough file (Berghel and
Brajkovska, 2004). This approach, though, is ephemeral in nature, as the freed-up
space within the MFT will soon start to be populated with smaller references
during typical use of the HDD.
All the details above apply to almost every file system implemented today, including
FAT16, FAT32, NTFS and Ext-based Linux file systems. The Linux ExtX file
systems offer some unique data hiding places, and these are detailed below.

The legacy Ext2 and current Ext3 (henceforth, “ExtX”) file systems are divided into
separate sections known as block groups, which are used to store metadata, file
names, and content. A superblock at the beginning of the file system contains
information regarding the block group size and configuration – and copies of these are
located throughout the partition. The block following the superblock, if present, or
the first block of every group, if not present, contains what is known as a group
descriptor table detailing the layout of each block group (Casey, 2002).

ExtX superblocks have 1,024 bytes allocated to them, although the last 788 bytes are
unused. Depending on the block size, it is possible for some reserved area to be
located behind the superblock as well – this is known as superblock slack and is a
digital hiding place for data unique to Linux file systems (Farmer and Venema, 2005).
Data stored in the superblock slack is persistent as long as the partition is not moved
when re-partitioned, and is immune to re-formatting of the existing partition.

Since the ExtX group descriptor is only 32 bytes in size, a reserved area exists behind
it, and the block bitmap that follows it starts on a block boundary. Therefore, a
minimum of 992 bytes of space exists to conceal data, with more available if the block
size is greater than 1,024 bytes (Carrier, 2005). This is known as ExtX group descriptor
slack, and data stored here is persistent as long as the partition is not moved when
re-partitioned, and is immune to re-formatting of the existing partition.
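As an added example (not the report's own code), the Python below locates the three ExtX reserved areas discussed above in a file system image, using the 236/788-byte split the text gives for the superblock and the 32-byte ext2/ext3 group descriptor, and counts the non-zero bytes in each; the sample image is constructed inside the block. Later ext3/ext4 features populate more of the superblock than the first 236 bytes, so non-zero bytes in the "unused" tail are a lead to verify against the on-disk layout rather than proof of concealment.

```python
import struct

SB_OFFSET = 1024   # the superblock always begins 1,024 bytes into the file system
SB_SIZE = 1024     # bytes allocated to the superblock
SB_USED = 236      # bytes the text describes as in use (the remaining 788 are unused)
GD_SIZE = 32       # size of an ext2/ext3 group descriptor
EXT_MAGIC = 0xEF53


def read_superblock(fs):
    """Pull the few superblock fields needed to locate the reserved areas."""
    sb = fs[SB_OFFSET:SB_OFFSET + SB_SIZE]
    (magic,) = struct.unpack_from("<H", sb, 56)
    if magic != EXT_MAGIC:
        raise ValueError("not an ExtX file system: bad superblock magic")
    (blocks_count,) = struct.unpack_from("<I", sb, 4)
    first_data_block, log_block_size, _, blocks_per_group = struct.unpack_from("<IIII", sb, 20)
    return {"block_size": 1024 << log_block_size, "blocks_count": blocks_count,
            "first_data_block": first_data_block, "blocks_per_group": blocks_per_group}


def slack_regions(fs):
    """Return {area: (offset, length, nonzero_bytes)} for the unused superblock tail,
    the superblock slack and the group descriptor slack."""
    info = read_superblock(fs)
    bs = info["block_size"]
    groups = -(-(info["blocks_count"] - info["first_data_block"]) // info["blocks_per_group"])
    gdt_start = (info["first_data_block"] + 1) * bs   # block after the one holding the superblock
    gdt_len = groups * GD_SIZE
    gdt_blocks = -(-gdt_len // bs)                     # the block bitmap that follows is block-aligned
    regions = {
        "superblock_unused": (SB_OFFSET + SB_USED, SB_SIZE - SB_USED),
        "superblock_slack": (SB_OFFSET + SB_SIZE, gdt_start - (SB_OFFSET + SB_SIZE)),
        "group_descriptor_slack": (gdt_start + gdt_len, gdt_blocks * bs - gdt_len),
    }
    return {name: (off, length, sum(1 for b in fs[off:off + length] if b))
            for name, (off, length) in regions.items()}


def build_sample_fs(log_block_size, plant=True):
    """Constructed minimal ExtX-style image (4 blocks, one block group) with an optional
    note planted in the superblock slack and the group descriptor slack."""
    bs = 1024 << log_block_size
    fs = bytearray(bs * 4)
    first_data_block = 1 if bs == 1024 else 0          # as ext2/ext3 set it for 1 KiB blocks
    struct.pack_into("<I", fs, SB_OFFSET + 4, 4)       # s_blocks_count
    struct.pack_into("<IIII", fs, SB_OFFSET + 20, first_data_block, log_block_size, 0, 8192)
    struct.pack_into("<H", fs, SB_OFFSET + 56, EXT_MAGIC)
    if plant:
        note = b"CONSTRUCTED HIDDEN NOTE"
        gdt_start = (first_data_block + 1) * bs
        fs[gdt_start + 200:gdt_start + 200 + len(note)] = note   # behind the 32-byte descriptor
        if bs > 1024:                                           # no superblock slack with 1 KiB blocks
            fs[2048 + 500:2048 + 500 + len(note)] = note
    return bytes(fs)


if __name__ == "__main__":
    for log_bs in (0, 2):
        print(f"block size {1024 << log_bs}:")
        for area, (off, length, nz) in slack_regions(build_sample_fs(log_bs)).items():
            print(f"  {area:24s} offset {off:5d} length {length:5d} non-zero bytes {nz}")
```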

ExtX directories behave like any other file in these Linux file systems, and therefore,
are allocated in blocks such that the resulting space between the last directory entry
and the end of the block can be used to hide data (Casey, 2004). During typical drive
use this space can be encroached upon rendering data stored in this area useless.

A comparative overview of the relative volatility of data concealment areas on HDDs
and the various file systems that have been discussed is tabulated below as Table 1.

DATA CONCEALMENT AREA                   NORMAL DRIVE USE   RE-PARTITION (W/ RE-FORMAT)   RE-FORMAT PARTITION
HPA and DCO                             Persistent         Persistent                    Persistent
MBR                                     Persistent         Persistent                    Persistent
Volume Slack                            Persistent         Ephemeral                     Persistent
Partition Slack                         Persistent         Ephemeral                     Persistent
Boot Sector in non-bootable partition   Persistent         Persistent*                   Persistent
Unallocated partition space             Ephemeral          –                             –
Bad-blocks                              Persistent         Ephemeral                     Ephemeral
NTFS Cluster Allocation Bitmap          Persistent         Ephemeral                     Ephemeral
NTFS Alternate Data Streams             Persistent         Ephemeral                     Ephemeral
MFT and extremely small files           Ephemeral          –                             –
Superblock slack                        Persistent         Persistent*                   Persistent
ExtX group descriptor slack             Persistent         Persistent*                   Persistent
Directory slack                         Ephemeral          –                             –

Table 1: Relative Volatility of Data Concealment Areas (* see description for exceptions).

7 CONCLUSION

In recent times, the most prominent case in the media to utilise Computer Forensics,
with regards to locating obscured evidence in a data storage format, was the BTK
killings by Dennis Rader – subsequently apprehended in 2005. With general public
awareness constantly being raised by many popular forensic TV shows, the average
perpetrator would tend to be better informed – especially on deleting data on HDDs,
other storage media, and its ease of recovery by forensic investigators.

Forensic software such as AccessData’s Forensic Tool Kit (FTK) and Guidance’s
EnCase prove to be the more dominant commercial tools in the marketplace, whilst
one of the most well known open-source alternatives is The Sleuth Kit (TSK). The
process of searching for hidden data is termed data carving, and while these tools
offer better analysis of storage media up to around 250 – 300 MB in capacity, hunting
down hidden caches of information on the larger capacities available today would be
an incredible challenge considering that most manufacturers are producing 1.5 TB
HDDs, whilst Western Digital in particular are touting 2 TB HDDs – that’s 1,500 GB
and 2,000 GB respectively; 300 MB represents 0.015% of the capacity of a 2 TB HDD!

These tools alone simply allow accessing hidden data, but do not provide any means
around file encryption, compression, and steganography – although the list does go
on. It is evident that possible defences faced by a prosecuting investigator in modern
times are insurmountable, leaving the Computer Forensic industry at a serious
disadvantage whilst perpetrators continually polish their skills and the sophistication
of technologists on both sides of the law increases.

The solution lies in leaving behind the doctrine of strict signature based analysis of
storage media and looking at the research and development of intelligent heuristic
processes driven by neural networks and “fuzzy logic”.
REFERENCES

xxii Berghel, H. and Brajkovska, N. (2004) ‘Wading through Alternate Data Streams’, Communications of the ACM, vol. 47, no. 4, pp. 21-27.
xxiii Berghel, H. and Hoelzer, D. (2006) ‘What Does a Disk Wiper Wipe when A Disk Wiper Does Wipe Disks’, Communications of the ACM, vol. 49, no. 8, pp. 17-21.
xxiv Bidgoli, H. (2006) Handbook of Information Security, Hoboken, NJ: Wiley Publishing, Inc.
xxv Biryukov, A. and Khovratovich, D. (2009) Related-key Cryptanalysis of the Full AES-192 and AES-256, http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html [Accessed 16 July 2009].
xxvi Carrier, B. (2005) File System Forensic Analysis, Upper Saddle River, NJ: Addison-Wesley.
xxvii Carvey, H. (2004) Windows Forensics and Incident Recovery, Upper Saddle River, NJ: Addison-Wesley.
xxviii Casey, E. (2004) Digital Evidence and Computer Crime, 2nd edition, London, UK: Academic Press.
xxix Casey, E. (2002) Handbook of Computer Crime Investigation, London, UK: Academic Press.
xxx CNSS (2003) National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information, http://www.cnss.gov/Assets/pdf/cnssp_15_fs.pdf [Accessed 15 July 2009].
xxxi Cole, E. (2003) Hiding in Plain Sight: Steganography and the Art of Covert Communication, Hoboken, NJ: Wiley Publishing, Inc.
xxxii Daemen, J. and Rijmen, V. (2002) The Design of Rijndael: AES - The Advanced Encryption Standard, New York, NY: Springer Publishing Company.
xxxiii Douglas, J. and Dodd, J. (2008) Inside the Mind of BTK: The True Story Behind the Thirty-Year Hunt for the Notorious Wichita Serial Killer, Hoboken, NJ: Jossey-Bass.
xxxiv Farmer, D. and Venema, W. (2005) Forensic Discovery, Reading, Massachusetts: Addison-Wesley.
xxxv Gupta, M.R., Hoeschele, M.D. and Rogers, M.K. (2006) ‘Hidden Disk Areas: HPA and DCO’, International Journal of Digital Evidence, vol. 5, no. 1, pp. 1-8.
xxxvi Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J. and Felten, E.W. (2008) ‘Lest We Remember: Cold Boot Attacks on Encryption Keys’, Proc. 2008 USENIX Security Symposium.
xxxvii Mirza, F. (2008) ‘Looking for digital evidence in Windows’, International Symposium on Biometrics and Security Technologies 2008, April, pp. 23-24.
xxxviii Nelson, B., Phillips, A., Enfinger, F. and Steuart, C. (2007) Guide to Computer Forensics and Investigations, 3rd edition, Florence, KY: Course Technology – Cengage Learning, Inc.
xxxix Smith, C. (2006) The BTK Murders: Inside the "Bind Torture Kill" Case that Terrified America's Heartland, New York, NY: St. Martin’s Press.
xl US-CERT (2008) Computer Forensics, http://www.us-cert.gov/reading_room/forensics.pdf [Accessed 16 July 2009].
