±Forensic Focus Partners
New Today: 3
New Yesterday: 7
· Standard Processes in Windows 10
· NAS Forensics Explained
· Project Spartan Forensics
· FT Cyber Security Summit Europe – London 22nd September
· The Future of Mobile Forensics
· TSFIC 2015 – Recap
· Evidence Acquisition and Analysis from Live Exchange
· TDFCon 2015 – Recap
· Acquiring Windows PCs
Analysis of hidden data in the NTFS file systemBack to top Back to main Skip to menu
Analysis of hidden data in the NTFS file system
Figure 9 shows the flow to analyse hidden data in file slack. Analysis begins by checking the RAM slack of all files. If there is non 0 bit in the RAM slack, both RAM slack and drive slack of files are extracted for further analysis. Else, only drive slack is extracted.
Figure 9: Flow to analyse hidden data in file slack
This example extracts the slack space of file with MFT number 28. To get the file size
./istat -f ntfs /case1/image1 28
Now calculate the RAM slack and drive slack. Int is function to get the integer value of a number. For example, both int(4.9) and int(4.1) return 4 as result.
file slack = allocated size - real size
drive slack = int(file slack / 512) * 512
RAM slack = file slack - drive slack
To extract the entire file with MFT number 28 including its file slack
./icat -sf ntfs /case1/image1 28 > /case1/file28
dd if=/case1/file28 of=/case1/file28RAMslack bs=1 skip=119875 count=445
To extract drive slack
dd if=/case1/file28 of=/case1/file28driveslack bs=512 skip=235 count=1
This process should be repeated to extract slack space of all files for analysis. Similar to the analysis of faked bad clusters, the extracted data is then analysed by using hex editor, foremost and comeforth. Keyword search can also be performed if you know the content of the hidden files. However, if a word is separated in 2 clusters and are not extracted correctly, the keyword search would fail. For example, a suspect hide data only in the first sector in the drive slack but extraction is done on the entire file slack, a word might be separated as shown in figure 10 and keyword search fails.
Figure 10: separation of a word in different sector
The most challenging step in detecting and recovering hidden data in file slack is to guess how data is hid. For example, suspects can hide data only in the first sector of the drive slack. A Suspect can also hide data only in the drive slack of the first file in each of the 5 directories created by him. Detection and recovery is hard, if not impossible without knowing this. It is recommended to search for data hiding tools in the system (Kruse & Heiser, 2001). The algorithm used to hid data is then analysed to decide on appropriate ways to extract file slack.
ADS (ALTERNATE DATA STREAM)
Whenever a MFT file record has more than 1 $DATA attribute, additional $DATA attribute is called ADS (Alternate Data Stream). ADS can be used to hide data in NTFS file system as ADS does not show up in directory listing and the file size of original file does not change (Cook, 2005). There are also legitimate uses of ADS. For example, ADS is used to store summary data and volume change tracking (Means, 2003)
The size of data that can be hidden in ADS is unlimited. One major difference between this data hiding technique and others is that ADS is relatively easy to create (Zadjmool, 2004). Other data hiding techniques discussed in this paper requires specific program or low level file system manipulation tools such as hex editor. ADS can be created easily with DOS command as shown in example below.
To hide slacker.exe in an ADS called hahaha of abcd.txt
type slacker.exe > h:\abcd.txt:hahaha
Procedure to create test data
ADS are created by issuing DOS command as shown above
Figure 11 shows the flow to analyse hidden data with ADS. Due to the popularity of using ADS to hide data, there are many well developed tools can be used to scan a drive for ADS such as lads and streams.
lads /sv h:
streams -s h:
Figure 11: flow to analyse hidden data with ADS
Since there are legitimate uses of ADS, it cannot be assumed that every single ADS encountered is used to hide data. Each of these ADS should be examined to verify whether it is used for legitimate purpose or used to hide data. On the other hand, a suspect may also use the common ADS name used by legitimate program to avoid detection.
To get the MFT address and attribute identifier of ADS called "h:\abcd.txt:hahaha" shown in the result of lads or streams:
./fls -rf ntfs /case1/image1 | grep abcd.txt:hahaha
From the result, you get the MFT address, attribute type and attribute identifier. Let's say 59-128-4 is returned. Inspect the content of ADS as following:
./icat -f ntfs /case1/image1 59-128-4 > /case1/ADS1
$DATA ATTRIBUTE IN DIRECTORY
$DATA attribute is usually used to store the content of a file or other specific information such as allocation status. It is a common attribute on normal file and some metadata file but not directory. Although $DATA attribute is unnecessary for a directory, validation checking with chkdsk does not return error when a directory contains a $DATA attribute. As a result, $DATA attribute in directory can be used to hide data (Carrier, 2005). In addition, alternate data streams can also be created on directories in stead of files to hide data. The size of data that can be hid with this technique is unlimited.
Procedure to create test data
1) A directory is created
2) $DATA attribute is inserted in the directory. The $DATA attribute is inserted before $INDEX_ROOT, $INDEX_ALLOCATION and $BITMAP because the type identifier of $DATA is smaller than these attributes.
3) Allocated size of MFT entry is modified to appropriate size
4) Attribute identifier of other attributes might need to be changed to avoid the new created $DATA attribute has the same identifier with other existing attributes.
5) Allocation status of clusters for this $DATA attribute is set to 1.
6) The file content is pasted to the clusters.