Analysis of hidden data in the NTFS file system
Sleuth Kit is used to analyse the file system. Throughout this paper, /case1/image1 will be used in the examples as the acquired image of the NTFS file system that needs to be analysed. Figure 2 shows the flow for analysing hidden data in faked bad sectors.
Figure 2: Flow to analyse hidden data in faked bad clusters
Check for clusters allocated to the $Bad attribute of $BadClus (MFT entry 8):
istat -f ntfs /case1/image1 8
If there are clusters allocated to $Bad, they must be inspected, as modern hard disks usually handle bad sectors themselves, so an NTFS bad-cluster list that is not empty is unusual. If you have the physical hard disk, you can also perform a surface scan to verify whether there are bad sectors on the disk.
Check the content of the clusters with dcat in Sleuth Kit. However, this only reveals hidden data if the data is stored in ASCII encoding. In this example, assume that clusters 383624-383635 are marked as bad clusters and are suspected to contain hidden data.
dcat -f ntfs /case1/image1 383624 12
For further analysis, extract the clusters and use data carving tools such as foremost and comeforth to recover data. The block size given to dd must equal the cluster size of the file system (4096 bytes in this example) so that skip and count are counted in clusters:
dd if=/case1/image1 bs=4096 skip=383624 count=12 of=/case1/badclusters
foremost -c /etc/foremost.conf -v -o /forensic/recover /case1/badclusters
In addition, a suspect may also remove the signature of a file to avoid detection by data carving tools (Carvey, 2004a). Data carving tools such as foremost recover files based on their data structure, such as the header and footer (sourceforge, n.d.). Without these structures, it is impossible to recover the file by carving. During this research, tests were carried out to recover files hidden in faked bad clusters using these techniques; the results are shown in Table 2.
Table 2: Result of hidden data detection/recovery attempts for different hiding techniques
| Hidden file | Technique | Result of foremost |
| --- | --- | --- |
| A Microsoft document file | Normal, following the cluster sequence | Detected and recovered successfully |
| A Microsoft document file and an HTML file | Normal, following the cluster sequence | Detected and recovered successfully |
| A Microsoft document file and an HTML file | Reversed order of clusters | Files detected, but they could not be opened or opened with meaningless data displayed |
| A Microsoft document file and a JPG file | Header removed | Files not detected |
Comeforth, an add-on for Sleuth Kit, is more useful for recovering data when a file is not stored in sequence. Comeforth is similar to lazarus: it divides the data into blocks and runs the file command on every block (sleuthkit.org, n.d.). Users can then view each block and select the blocks to be recovered as a file.
A keyword search can also be performed with hexedit, strings or other tools if part of the content of the hidden file is known.
strings /case1/image1 | grep keyword
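To show why Table 2 comes out as it does, and why the keyword search above complements carving, here is an added Python example. It is not code from this paper and not foremost's own implementation: a minimal signature-based carver (header, then the nearest following footer) is run over a constructed buffer next to a strings-and-grep style keyword search. The JPEG and HTML signatures used, the sample data and all function names are assumptions of this example.

```python
import re

# Constructed sample signatures (the kind of header/footer pairs a foremost.conf
# entry describes). Only these two types are known to this toy carver.
JPEG_HEADER = b"\xff\xd8\xff\xe0"
JPEG_FOOTER = b"\xff\xd9"
HTML_HEADER = b"<html>"
HTML_FOOTER = b"</html>"

SIGNATURES = {
    "jpg": (JPEG_HEADER, JPEG_FOOTER),
    "html": (HTML_HEADER, HTML_FOOTER),
}


def carve(data: bytes) -> list:
    """Signature-based carving: for each known type, find a header and then the
    nearest following footer, and report (type, start, end) for every hit."""
    found = []
    for ftype, (head, foot) in SIGNATURES.items():
        pos = 0
        while True:
            start = data.find(head, pos)
            if start < 0:
                break
            end = data.find(foot, start + len(head))
            if end < 0:
                break  # header without footer: nothing to carve
            end += len(foot)
            found.append((ftype, start, end))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def keyword_search(data: bytes, keyword: bytes, min_len: int = 4) -> list:
    """Emulate `strings image | grep keyword`: collect runs of printable ASCII of
    at least min_len bytes and return the offsets of runs containing keyword."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.start() for m in re.finditer(pattern, data) if keyword in m.group(0)]


def build_sample() -> tuple:
    """Constructed data: an HTML file and a small JPEG-like file, laid out as they
    might be found in a run of faked bad clusters. The second buffer is the same
    layout with the JPEG header removed (the 'Header removed' row of Table 2)."""
    html = b"<html><body>secret meeting notes</body></html>"
    jpeg = JPEG_HEADER + b"\x00\x10JFIF\x00" + b"\x11" * 32 + JPEG_FOOTER
    intact = html + b"\x00" * 16 + jpeg
    stripped = html + b"\x00" * 16 + jpeg[len(JPEG_HEADER):]
    return intact, stripped


if __name__ == "__main__":
    intact, stripped = build_sample()
    print("intact  :", carve(intact))    # both files carved
    print("stripped:", carve(stripped))  # JPEG missed once its header is gone
    # the keyword search still finds the HTML content in either layout
    print("keyword :", keyword_search(stripped, b"secret"))
```

The carver only ever reports a file whose header it can find, so removing the header defeats it regardless of how much of the file body remains; the keyword search does not depend on file structure, which is why it remains useful when carving fails.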
VOLUME SLACK AND FILE SYSTEM SLACK
Volume slack is the unused space between the end of the file system and the end of the partition in which the file system resides. File system slack is the unused space at the end of a file system that is not allocated to any cluster. It exists because the partition size may not be a multiple of the cluster size (Carrier, 2005). For example, if there are 10001 sectors in the partition and the cluster size is 4 sectors, the first 10000 sectors are allocated to 2500 clusters and the last sector becomes file system slack.
The size of hidden data in volume slack is unlimited, as suspects can simply change the size of the volume slack to hide more data. The amount of data that can be hidden in file system slack, however, depends on the cluster size. For example, for a file system with a cluster size of 8 sectors, the maximum size of the file system slack is 7 sectors.
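The two slack regions can be measured from the $Boot geometry fields and the partition size. The following is an added Python example, not code from this paper or from Sleuth Kit: it constructs a minimal NTFS boot sector, reads bytes per sector (offset 0x0B), sectors per cluster (offset 0x0D) and total sectors (offset 0x28), and computes file system slack and volume slack for the paper's 10001-sector example and for a file system whose sector count in $Boot has been shrunk. The optional $Bitmap size check, the reserved-sector allowance and the function names are assumptions of this example.

```python
import struct

SECTOR_SIZE = 512


def build_boot_sector(bytes_per_sector: int, sectors_per_cluster: int,
                      total_sectors: int) -> bytes:
    """Construct a minimal NTFS boot sector ($Boot) as sample data. Only the
    fields read below are populated; everything else is left zero."""
    bs = bytearray(SECTOR_SIZE)
    bs[0:3] = b"\xeb\x52\x90"               # jump instruction
    bs[3:11] = b"NTFS    "                  # OEM ID
    struct.pack_into("<H", bs, 0x0B, bytes_per_sector)
    bs[0x0D] = sectors_per_cluster          # plain encoding only (values <= 128)
    struct.pack_into("<Q", bs, 0x28, total_sectors)
    bs[0x1FE:0x200] = b"\x55\xaa"           # boot sector signature
    return bytes(bs)


def parse_boot_sector(bs: bytes) -> dict:
    """Read the geometry fields an examiner compares against the partition."""
    if len(bs) < SECTOR_SIZE or bs[3:11] != b"NTFS    " or bs[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    (bytes_per_sector,) = struct.unpack_from("<H", bs, 0x0B)
    sectors_per_cluster = bs[0x0D]
    (total_sectors,) = struct.unpack_from("<Q", bs, 0x28)
    return {"bytes_per_sector": bytes_per_sector,
            "sectors_per_cluster": sectors_per_cluster,
            "total_sectors": total_sectors}


def slack_report(boot: dict, partition_sectors: int, bitmap_bytes: int = None,
                 reserved_sectors: int = 1) -> dict:
    """Compute both slack regions. partition_sectors comes from the partition
    table, bitmap_bytes (optional) is the size of $Bitmap's $DATA attribute.
    reserved_sectors is the allowance for the backup boot sector that normally
    sits just past total_sectors (assumed default of one sector)."""
    spc = boot["sectors_per_cluster"]
    total = boot["total_sectors"]
    clusters = total // spc
    fs_slack = total - clusters * spc            # sectors not in any cluster
    volume_slack = partition_sectors - total     # sectors past the file system
    report = {
        "clusters": clusters,
        "fs_slack_sectors": fs_slack,
        "volume_slack_sectors": volume_slack,
        "volume_slack_suspicious": volume_slack > reserved_sectors,
    }
    if bitmap_bytes is not None:
        # $Bitmap holds one bit per cluster; clusters beyond its last bit can
        # never be reported as allocated, so they are worth inspecting.
        report["clusters_not_in_bitmap"] = max(0, clusters - bitmap_bytes * 8)
    return report


if __name__ == "__main__":
    # The paper's example: 10001-sector partition, 4-sector clusters.
    normal = parse_boot_sector(build_boot_sector(512, 4, 10001))
    print(slack_report(normal, 10001, bitmap_bytes=313))
    # $Boot claims only 9000 sectors on the same partition: large volume slack.
    shrunk = parse_boot_sector(build_boot_sector(512, 4, 9000))
    print(slack_report(shrunk, 10001, bitmap_bytes=280))
```

In practice the partition size comes from the partition table (mmls in Sleuth Kit) and the boot sector from the first sector of the file system (fsstat reports the same fields); a volume slack larger than the one-sector allowance, or clusters that $Bitmap cannot describe, are the conditions that warrant extracting those regions with dd as in the earlier section.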
Procedure to create test data
1) The number of sectors allocated to the file system is modified in the $Boot file
2) The number of bits used to record the allocation status of clusters in $Bitmap is reduced
3) Data is written into the volume slack and the file system slack