Hiding data from Encase

27 Posts
13 Users
0 Reactions
3,167 Views
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Are there ways to hide data on a hdd that Encase won't be able to find?

At one time, before forensics tools acquired data from the Host Protected Area and Device Configuration Overlay, it was possible to "hide" data in these that might be missed during acquisition. This is no longer the case since nearly (if not) all of the tools in use today process these.

As others have noted, it is also possible to "hide" data within the slack associated with files, file systems, records (MFT) and, of course, steganography, which can be impractically difficult to detect.

If Encase doesn't recognize the file system, it can report the space as unallocated but that doesn't mean that raw data are not visible.


   
ReplyQuote
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

Are there ways to hide data on a hdd that Encase won't be able to find?

At most levels in any storage hierarchy there will be hiding places. Good or bad.

What is 'hdd level'? Some methods were described in the article 'How Disks are PadLocked' (IEEE Spectrum, 1986) – true, they were intended to prevent copying of floppy disks, but that is very close to preventing forensic acquisition also. And some of the methods (not all - like burning a hole in the floppy disk) can be applied still.

The classical method is to reformat one or more tracks to contain more sectors than the current configuration recognizes – it was used with floppies and early HDDs, but I must admit I'm not sure if it still can be used. Check the ATAPI specification, along with some description of how a modern hard drive is configured, for instance the Hitachi Travelstar 5K320 Hard Disk Drive Specification, which I had reason to study a few days ago, and which I know contains a table of sector allocation per cylinder. (That document is also useful to remind you that there are drives that do full disk encryption on their own.)

You'll also find some HDD commands described in the Hitachi manual; check for instance the 'Write S.M.A.R.T. Log Sector', and some of the other logs mentioned.

Will EnCase see information you write to the S.M.A.R.T. log? Not unless that log is acquired, and made available to EnCase. Does LinEn or EnCase extract this information? As far as I know, no. So far it seems few if any acquisition programs acquire anything but data sectors, and perhaps also the 'Identify Device' response. But as you will see from the manual, there is much else that could be acquired. Those things for which there is a user-level 'Write' (such as the S.M.A.R.T. Log Sector) I think are good candidates for additional acquisition.

I don't find any information in the Hitachi document about P and G lists – you may need to look those up in the ATAPI documentation. Briefly, the P list contains permanent defects on the drive (set up when the disk is manufactured), and the G list those defects that appear while the drive is used. If you can add/remove sectors to the G list, you can write information to a sector, then remap that sector address to another sector. This won't be discovered unless the remapping is undone. I'm almost certain there are commands described in the ATAPI for this – I can't say if they are available in all commercial HDDs, though. I would not be surprised to learn that some acquisition software does this, but I don't think it's in the hands of the general public.

That's the way to find these kinds of things, I think: decide what storage hierarchy level you are examining, and read all available documentation and standards that apply to this level with a magnifying glass and a black hat handy.


   
ReplyQuote
traknerud
(@traknerud)
Active Member
Joined: 18 years ago
Posts: 12
 

Are there ways to hide data on a hdd that Encase won't be able to find?

Some suggestions have been made. But what's the point of hiding data from a piece of software? I think you'll find it's easier to hide the data from the Encase user, and/or simply make it unreadable to both of them. Steganography? Encryption? Have your pick.


   
ReplyQuote
(@krishna)
Trusted Member
Joined: 17 years ago
Posts: 47
 

I think the host protected area of the hard disk may be helpful and Encase may not see this data.


   
ReplyQuote
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

There are techniques called file FISTING (doh')

Even if it's not a good idea to use such keywords on Google, basically it's a technique that aims to hide data in filesystem areas which are not meant to be used for storing information, or which are used to store data used by the filesystem itself.

There are tools that can hide data into bad blocks (and mark bad blocks in an arbitrary way to enlarge storage capacity)

or even tools for storing data into sectors used by the journal in an ext3 fs.

Generally Encase and other forensic software don't look in such areas.
Obviously the data is not invisible, but it requires skill and is time consuming because you need to analyze the raw filesystem in hex or know exactly what you are looking for and use keyword search.


   
ReplyQuote
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

Are there ways to hide data on a hdd that Encase won't be able to find?

Some suggestions have been made. But what's the point of hiding data from a piece of software? I think you'll find it's easier to hide the data from the Encase user, and/or simply make it unreadable to both of them. Steganography? Encryption? Have your pick.

I think that he's running a research that aims to demonstrate that software can be tricked, and that investigators that rely on a certain software too much can be easily tricked too, and that the thing that matters is the investigator's skill and not the tool he uses.


   
ReplyQuote
Beerbaron
(@beerbaron)
Trusted Member
Joined: 20 years ago
Posts: 71
Topic starter  

I have been using the slacker tool mentioned above a bit more. Is there anything that can search for files hidden in slack space?

This is a fairly helpful guide for the slacker tool if anyone wants to use it.

http://synfulpacket.blogspot.com/2008/11/metasploit-anti-forensics-project-mafia.html

Thanks


   
ReplyQuote
Beetle
(@beetle)
Reputable Member
Joined: 17 years ago
Posts: 318
 

I am curious about this issue. If someone hides data in an area Encase etc. can't see, so what is the point? The data was put there so there must be a way to get it out or it's useless to the person hiding it. Sort of like encrypting something with a 'blind' password. There must be a way of getting the hidden information out. That is one reason to carve unallocated space and search file slack.

Back when I started out we looked at ways of placing data between partitions by manipulating the beginning and ending cylinders. That is why we _never_ imaged logical space only and why we look at the layout of the partitions. One exercise I recall had banking information embedded in 'bad' blocks. We had to go in and mark the blocks as good and try and read them with a disk editor (ah, Norton Utilities, those were the days…)


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Beetle,

I am curious about this issue. If someone hides data in an area Encase etc. can't see, so what is the point? The data was put there so there must be a way to get it out or it's useless to the person hiding it.

Excellent point.

I don't think it's so much of an issue of something that hides data from EnCase (or any other commercial or open source tool)…as you've pointed out, it's possible to hide something such that no tool finds it. I think it's more of an issue to subvert the analyst and their training…and there have been presentations on that subject.

Back when I started out we looked at ways of placing data between partitions by manipulating the beginning and ending cylinders. That is why we _never_ imaged logical space only and why we look at the layout of the partitions. One exercise I recall had banking information embedded in 'bad' blocks. We had to go in and mark the blocks as good and try and read them with a disk editor (ah, Norton Utilities, those were the days…)

If the data was hidden in blocks marked 'bad', weren't they recognized as 'bad' by the OS? How, then, would someone access them and use the data on a live system? More to the point, wouldn't you then look for something on the system that would allow someone to access those blocks?


   
ReplyQuote
Beetle
(@beetle)
Reputable Member
Joined: 17 years ago
Posts: 318
 

>>snip

If the data was hidden in blocks marked 'bad', weren't they recognized as 'bad' by the OS? How, then, would someone access them and use the data on a live system? More to the point, wouldn't you then look for something on the system that would allow someone to access those blocks?

We looked at them through Norton and could see the bad sector flags in the FAT and change them at will. This was all done on floppies BTW.


   
ReplyQuote
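As an added example (not code from any poster in this thread), here is a small Python sketch of the two examiner-side checks raised above: Beerbaron's question about searching for data hidden in file slack, and Beetle's recollection of reading the bad-sector flags in the FAT. The FAT12 table and the file's last cluster are constructed inline; the 12-bit packing follows the published FAT12 layout, and the cluster size and file size are assumed values.

```python
"""Added example, constructed data only: 1) list FAT12 clusters flagged 'bad'
so an examiner can read them raw instead of trusting the flag, 2) report
non-zero bytes in a file's slack (past its logical EOF in the last cluster)."""
import struct

FAT12_BAD = 0xFF7      # FAT12 marker for a cluster flagged bad
CLUSTER_SIZE = 512     # bytes per cluster in the constructed volume (assumed)

def fat12_get(fat: bytes, n: int) -> int:
    """Read 12-bit entry n; entries are packed 1.5 bytes each, little-endian."""
    off = n + n // 2
    word = struct.unpack_from("<H", fat, off)[0]
    return word >> 4 if n & 1 else word & 0x0FFF

def fat12_set(fat: bytearray, n: int, val: int) -> None:
    """Write 12-bit entry n without disturbing the neighbouring entry."""
    off = n + n // 2
    word = struct.unpack_from("<H", fat, off)[0]
    word = (word & 0x000F) | (val << 4) if n & 1 else (word & 0xF000) | (val & 0x0FFF)
    struct.pack_into("<H", fat, off, word)

def bad_clusters(fat: bytes, data_clusters: int) -> list:
    """Cluster numbers flagged bad (data clusters start at 2)."""
    return [n for n in range(2, data_clusters + 2) if fat12_get(fat, n) == FAT12_BAD]

def slack_bytes(last_cluster: bytes, file_size: int) -> bytes:
    """Bytes in the file's final cluster that lie past its logical EOF."""
    used = file_size % CLUSTER_SIZE or CLUSTER_SIZE
    return last_cluster[used:]

def slack_has_data(last_cluster: bytes, file_size: int) -> bool:
    """True if the slack holds anything other than zero fill."""
    return any(slack_bytes(last_cluster, file_size))

# --- constructed FAT12 table: 8 data clusters (2..9); entries 0 and 1 are reserved
FAT = bytearray(16)                                  # 10 entries * 1.5 bytes, rounded up
fat12_set(FAT, 0, 0xFF8); fat12_set(FAT, 1, 0xFFF)
fat12_set(FAT, 2, 3); fat12_set(FAT, 3, 0xFFF)       # one 2-cluster file: 2 -> 3 -> EOF
fat12_set(FAT, 4, FAT12_BAD); fat12_set(FAT, 5, FAT12_BAD)   # two clusters flagged bad

# --- constructed last cluster of a 700-byte file: 188 bytes used, the rest is slack
FILE_SIZE = 700
LAST_CLUSTER = b"A" * 188 + b"\x00" * 100 + b"hidden note" + b"\x00" * (512 - 188 - 100 - 11)

if __name__ == "__main__":
    print("clusters flagged bad:", bad_clusters(FAT, 8))              # [4, 5]
    print("slack holds data:", slack_has_data(LAST_CLUSTER, FILE_SIZE))  # True
```

On a real volume the same two functions run over the FAT read from the boot-sector offsets and over each file's final cluster, with flagged clusters dumped raw for review.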
Page 2 / 3