Simple Steganography on NTFS when using the NSRL

First published October 2009

Adam Hurwitz
Business Intelligence Associates, Inc.
39 Broadway, NYC, NY 10006

Abstract

NTFS is structured so that there can be a physical separation of the data that comprises a file and the properties or metadata of the file. One side-effect of this is that when a file is hashed on NTFS, only the content of the file is hashed and not necessarily the properties or metadata. For a forensics investigator using the NSRL database to reduce the number of files to review in an investigation, this creates a simple way for someone to hide data if they store information in the properties or metadata of files in the NSRL.

1. Using the NSRL

It is well-known in the forensics community that one of the biggest challenges for the forensics investigator today and in the foreseeable future is the number of files that have to be reviewed. The best tool right now that a forensics investigator has to deal with this situation is the use of a database of “known” files that can be used to identify and then remove files from the review set. The authoritative database for this is the National Software Reference Library (NSRL) maintained by the National Institute of Standards and Technology (NIST) [1]. Ideally the NSRL can be used to identify most of the system files and many of the software applications that exist on a hard drive. The use of a hash, whether MD5 or SHA-1, not only identifies these files, but also ensures that the files have not been tampered with. These files are considered known because the NSRL is created from software received directly from the manufacturer. For example, a user would not be able to hide one of his documents by changing its name to a system file or by adding content at the end of a known file. A forensics investigator is thus able to remove a large percentage of files from a hard drive and only concentrate on ones that the user created and/or edited. [2]

2. Steganography

Steganography is the “art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message.” The word derives from Greek and literally means “concealed writing.” [3]

3. NTFS Metadata

There are three places where metadata for an NTFS file can exist: the Master File Table (MFT), an Alternate Data Stream (ADS), and inside the file itself [4]. The metadata contained in the MFT is “envelope” metadata, such as the modified, accessed, and created (MAC) dates. Then there is the metadata commonly referred to as Summary Properties or just Properties. This is the metadata found when you right-click on a file and choose the Summary tab, revealing fields like Title, Subject, and Author. Depending on the file, the Properties will be contained either in an ADS or inside the file. The Properties are contained inside the file only for formats that support this, such as Microsoft Office files or PDF.

There are two places where this is a problem: in the MFT and in an ADS. Obviously when the metadata is contained inside of the file, the hash will change and the problem does not exist.

4. Hiding in Properties

A file in NTFS is composed of streams. Only one of those streams, the unnamed data stream, is the actual file content, and it is only this stream that is hashed. When a file has Properties, NTFS often stores them in a separate named stream associated with the file; the association between that stream and the file is recorded in the MFT. As a separate stream on disk, the Properties stream can be as large as any other file, limited only by available disk space.

This stream, or ADS, is not hashed when the file is hashed because it is technically a different file. Thus, a user can put information inside of the Comments field of a known DLL and, if the forensics investigator relies on the NSRL, he will not find it.

A user, of course, could come up with more sophisticated techniques, such as spreading the information throughout the Properties of a number of files that he knew were part of the NSRL, possibly making the info contained in each one seem innocuous or erroneous if found. A simple program could be developed to read and write to these Properties in order to form a shadow file system in the Properties of known files.

5. Hiding in the MFT

A more subtle form of the problem exists using the metadata in the MFT. Manipulating the metadata in the MFT does not provide much space to work with, but a user could easily rewrite the MAC dates of a known file. A very simple program can be written that reads and writes the dates of all known files on a system. This program can be used to write dates that actually encode information for the user and could manage to store a large amount of information. The fact that the dates would be nonsensical would not occur to the forensic investigator because the files were not examined in any detail. It is even theoretically possible to create an encoding scheme that relied on dates that were not visibly erroneous. For instance, the information could just be encoded in the time portion of the dates. This is obviously an issue that extends beyond the use of the NSRL.

6. Conclusion

The principles discussed in this paper can certainly be applied to other hash sets and other file systems. I have limited my discussion to the NSRL and NTFS because they are the most popular and offer clear issues with the way that metadata is stored and its impact on hashing.

The forensics investigator who wishes to overcome the issue of Properties stored in an ADS has to check all known file matches for Properties and only remove files that do not have Properties. Without a proper reference to what should be contained in the Properties section of a file, the investigator cannot automatically determine except through a manual process whether the Properties are actually from the software manufacturer or not.
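The check described in section 4 and in the paragraph above, hashing only the unnamed data stream and then flagging any known-hash file that still carries named streams, is shown below as an added example. It is not code from the original paper. Stream enumeration goes through the Win32 FindFirstStreamW/FindNextStreamW API via ctypes and therefore only runs on Windows; the triage logic itself is platform independent and is exercised on constructed in-memory data (the DLL bytes, the hash set, and the paths are all invented, and `\x05SummaryInformation` is the conventional name of the Summary Information stream, used here as an assumption about the carrier file).

```python
import ctypes
import hashlib
import sys

PRIMARY = "::$DATA"   # the unnamed data stream; a conventional file hash covers only this
MAX_PATH = 260


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    """Layout of the Win32 WIN32_FIND_STREAM_DATA structure."""
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def list_streams(path):
    """Return {stream_name: size} for every $DATA stream of an NTFS file.
    Uses FindFirstStreamW/FindNextStreamW, so it only works on Windows."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs the Win32 API")
    k32 = ctypes.windll.kernel32
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_ulong]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle is None or handle == ctypes.c_void_p(-1).value:     # INVALID_HANDLE_VALUE
        raise ctypes.WinError()
    streams = {}
    try:
        while True:
            streams[data.cStreamName] = data.StreamSize
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def read_streams(path):
    """Read every stream of a file into memory: {stream_name: bytes} (Windows only).
    NTFS accepts "file::$DATA" and "file:name:$DATA" as ordinary open() paths."""
    result = {}
    for name in list_streams(path):
        with open(path + name, "rb") as fh:
            result[name] = fh.read()
    return result


def sha1_hex(data):
    """NSRL publishes SHA-1 (and MD5); SHA-1 is used for the lookup here."""
    return hashlib.sha1(data).hexdigest()


def triage(files, known_hashes):
    """Classify each file against a hash set. files: {path: {stream_name: bytes}}.
    Returns {path: (verdict, extra_streams)} where extra_streams maps every
    named stream to its size in bytes."""
    verdicts = {}
    for path, streams in files.items():
        digest = sha1_hex(streams.get(PRIMARY, b""))
        extras = {name: len(body) for name, body in streams.items() if name != PRIMARY}
        if digest not in known_hashes:
            verdicts[path] = ("unknown", extras)
        elif extras:
            # The primary stream matches the reference set, but the file carries
            # data the hash never covered: keep it in the review set.
            verdicts[path] = ("known-with-extra-streams", extras)
        else:
            verdicts[path] = ("known", {})
    return verdicts


# Constructed sample data (not real NSRL entries): a stand-in for a known DLL,
# the same DLL carrying a Summary Information stream, and a user document.
KNOWN_DLL = b"MZ\x90\x00constructed-dll-bytes"
KNOWN_HASHES = {sha1_hex(KNOWN_DLL)}
SAMPLE_FILES = {
    r"C:\Windows\System32\clean.dll": {PRIMARY: KNOWN_DLL},
    r"C:\Windows\System32\carrier.dll": {
        PRIMARY: KNOWN_DLL,
        ":\x05SummaryInformation:$DATA": b"Comments: text hashing never saw",
    },
    r"C:\Users\alice\notes.txt": {PRIMARY: b"draft memo"},
}

if __name__ == "__main__":
    for path, (verdict, extras) in triage(SAMPLE_FILES, KNOWN_HASHES).items():
        print(f"{verdict:26} {path} {extras if extras else ''}")
```

On a live NTFS volume the same classification is obtained by building the `files` mapping with `read_streams(path)` for each path; a file that lands in the "known-with-extra-streams" bucket is exactly the case the paper describes, a primary stream that matches the NSRL while the Properties (or any other named stream) were never hashed, and the investigator still has to look at those streams by hand.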

With regards to the issue of metadata in the MFT, it is not clear how to overcome this issue.

7. References

[1] National Software Reference Library, NIST. http://www.nsrl.nist.gov/
[2] Dan Mares, “Using File Hashes to Reduce Forensic Analysis”, SC Magazine, May 2002. http://www.scmagazineus.com/Using-File-Hashes-to-Reduce-Forensic-Analysis/article/30472/
[3] http://en.wikipedia.org/wiki/Steganography
[4] For more on NTFS from a forensics perspective, see Brian Carrier, File System Forensic Analysis.
