Digital Forensics: Can You Find Hidden Data?

Much of digital forensics comes down to finding data that someone has tried to hide or erase. Here are some ways that data can be hidden within storage media:

Example 1: Deleted Files and Slack Space

Deleting a file normally removes only its directory entry and marks its clusters as unallocated; the content itself is still on the disk. Slack space is related but not the same thing: it is the unused tail of a file’s last cluster, which can still hold fragments of whatever occupied that cluster before. In both cases the data survives until the operating system reuses those sectors for a new file, at which point it is overwritten and the prior content is permanently “deleted” (Olzak, 2007).

Example 2: Hiding data in HPA on disk

A Host Protected Area (HPA) is a region at the end of a drive that the drive firmware hides from the operating system: the drive simply reports a smaller capacity than it physically has. Manufacturers use it for boot diagnostics, BIOS support, and recovery tools. A rootkit that writes to the HPA is hard to detect because neither the operating system nor anti-virus running on top of it can see that space (Volonino, 2017). Forensic imagers therefore compare the drive’s native capacity with the capacity it reports before acquiring an image; on Linux, hdparm -N prints both figures and whether an HPA is set.

Example 3: Hiding data by marking sectors that contain data as “bad”, making them unreadable to end-user software

Every file system keeps a record of clusters it should not use (the bad-cluster marker in the FAT on FAT volumes, the $BadClus file on NTFS, the bad blocks inode on ext file systems). The attacker writes the data to perfectly good clusters and then marks those clusters as bad, so the operating system skips them and ordinary software never reads them. The trick is reversible: clearing the bad mark makes the clusters visible again, and a raw sector-level read never consulted the mark in the first place (Cisar et al., 2014).

Hidden Data Detection Methods:

Forensic suites such as FTK, EnCase, and The Coroner’s Toolkit walk the media sector by sector and flag non-zero data in file system areas that should be empty: unallocated clusters, reserved areas, and slack space. The same check can be done by hand by extracting a range of sectors with dd and inspecting it in a hex viewer or editor (Volonino, 2017).

File integrity checkers detect modification of critical system files by hashing each file and comparing the checksum against a trusted baseline taken when the system was known to be clean. My company’s Tripwire Enterprise product performs file integrity monitoring (http://www.tripwire.com/it-security-software/scm/file-integrity-monitoring/).
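As an added illustration of baseline-and-compare integrity checking (example code written for this page, not Tripwire’s implementation), the script below hashes every file under a directory, records size and permission bits alongside the SHA-256 digest, and reports what was modified, added, or removed. The directory tree and the tampering it performs are constructed inside a temporary directory so the script runs offline.

```python
"""Minimal file-integrity baseline and check (added example; not Tripwire code).

Hashes every file under a root, records size and mode bits as well, and reports
files that were modified, added, or removed since the baseline was taken.
"""
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Stream the file through the hash so large files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, size, mode} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,  # permission bits incl. setuid/setgid/sticky
            }
    return baseline


def compare(root, baseline):
    """Re-hash the tree and diff it against the stored baseline."""
    current = build_baseline(root)
    changes = {"modified": [], "added": [], "removed": []}
    for rel, recorded in baseline.items():
        if rel not in current:
            changes["removed"].append(rel)
        elif current[rel] != recorded:
            changes["modified"].append(rel)
    changes["added"] = sorted(rel for rel in current if rel not in baseline)
    for key in ("modified", "removed"):
        changes[key].sort()
    return changes


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, then compare."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "ls"), "wb") as fh:
            fh.write(b"\x7fELF original binary")
        os.chmod(os.path.join(root, "ls"), 0o755)

        baseline = build_baseline(root)

        # Tampering: a new uid-0 account, a removed file, a dropped-in file, and a
        # size-preserving patch of a binary (caught by the hash, not by the size).
        with open(os.path.join(etc, "passwd"), "a") as fh:
            fh.write("eve:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(root, "rootkit.ko"), "wb") as fh:
            fh.write(b"\x7fELF")
        with open(os.path.join(root, "ls"), "r+b") as fh:
            fh.seek(5)
            fh.write(b"patched ")
        return compare(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>8}: {', '.join(paths) or '-'}")
```

The patched binary is the case worth noticing: its size does not change, so only the hash catches it. The check is only as trustworthy as the baseline, which is why a production tool keeps the baseline (and its own binaries) off the monitored host or signs it; an attacker with root who can rewrite the baseline can hide any change.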

Data detection utilities can also look for data in reserved areas of the file system, for unexplained changes in file sizes, and for non-zero values in places that should be all zeros; any non-zero bytes there indicate that something was written (Cisar et al., 2014).
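To make the sector-by-sector check concrete, here is an added example (written for this page, not code from any of the tools or papers cited) that scans a small disk image for the three hiding spots discussed above: content left behind by a deleted file, a cluster marked bad while still holding data, and bytes stashed in a reserved area that should be zero. The image layout is a toy format constructed for the example, not a real file system: cluster 0 is a reserved header, cluster 1 is a one-byte-per-cluster allocation map, and the rest are data clusters.

```python
"""Toy disk-image scanner (added example, not code from the post).

Constructed layout (NOT a real file system):
  cluster 0   reserved header: a 5-byte magic followed by bytes that should all be zero
  cluster 1   allocation map: one status byte per cluster
  cluster 2+  data clusters
"""

CLUSTER = 512
N_CLUSTERS = 16
FREE, USED, BAD, RESERVED = 0x00, 0x01, 0xFF, 0xFE
HEADER_MAGIC = b"TOYFS"

# Magic bytes of common file types, used to label content found where no file is recorded.
SIGNATURES = {b"\xff\xd8\xff": "JPEG", b"%PDF": "PDF", b"PK\x03\x04": "ZIP", b"\x7fELF": "ELF"}


def build_image():
    """Construct the sample image with the three hiding techniques from the post."""
    clusters = [bytearray(CLUSTER) for _ in range(N_CLUSTERS)]
    amap = bytearray([FREE] * N_CLUSTERS)
    amap[0] = amap[1] = RESERVED

    clusters[0][:len(HEADER_MAGIC)] = HEADER_MAGIC
    # Reserved-space stash: bytes tucked into the header where zeros are expected.
    clusters[0][400:410] = b"stash:key1"

    # Cluster 2: an ordinary allocated file.
    amap[2] = USED
    clusters[2][:18] = b"legit file content"

    # Cluster 3: a "deleted" JPEG. Only the map entry was cleared; the content remains.
    remnant = b"\xff\xd8\xff\xe0\x00\x10JFIF remnant"
    clusters[3][:len(remnant)] = remnant

    # Cluster 4: readable data hidden by marking the cluster bad.
    payload = b"hidden payload"
    clusters[4][:len(payload)] = payload
    amap[4] = BAD

    # Cluster 5: a genuinely bad cluster; modelled here as unreadable, i.e. all zeros.
    amap[5] = BAD

    clusters[1][:N_CLUSTERS] = amap
    return bytes(b"".join(clusters))


def allocation_map(img):
    return img[CLUSTER:CLUSTER + N_CLUSTERS]


def scan_image(img):
    """Sector-by-sector pass: report non-zero data wherever the map says there
    should be none (free, bad, or reserved clusters). Returns (cluster, state, note)."""
    amap = allocation_map(img)
    labels = {FREE: "unallocated", BAD: "marked-bad", RESERVED: "reserved"}
    findings = []
    for idx in range(N_CLUSTERS):
        data = img[idx * CLUSTER:(idx + 1) * CLUSTER]
        if idx == 1 or amap[idx] == USED:
            continue  # the map itself and live files are expected to hold data
        body = data[len(HEADER_MAGIC):] if idx == 0 else data
        if not any(body):
            continue  # all zeros: nothing hidden here
        kind = next((n for sig, n in SIGNATURES.items() if body.startswith(sig)), None)
        note = "non-zero data" + (f" ({kind} header)" if kind else "")
        findings.append((idx, labels.get(amap[idx], "unknown"), note))
    return findings


def unmark_bad(img, idx):
    """Reverse the bad-cluster trick: flip the map entry back to FREE so the
    file system (or a carver) will consider the cluster again. Returns a new image."""
    out = bytearray(img)
    out[CLUSTER + idx] = FREE
    return bytes(out)


if __name__ == "__main__":
    image = build_image()
    for cluster, state, note in scan_image(image):
        print(f"cluster {cluster:2d} [{state:<11}] {note}")
```

The scanner finds the header stash, the JPEG remnant in the unallocated cluster, and the payload in the cluster marked bad, while the genuinely bad (all-zero) cluster produces no finding. The manual equivalent for one cluster of a real image is a raw read that ignores the allocation map entirely, for example dd if=image.dd bs=512 skip=4 count=1 | xxd, which is exactly why marking a cluster bad hides it from the operating system but not from a forensic examiner.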

References

Cisar, P., Cisar, S., & Bosnjak, S. (2014). Cybercrime and Digital Forensics – Technologies and Approaches. DAAAM International Scientific Book, 525-542. doi:10.2507/daaam.scibook.2014.42

Olzak, T. (2007, May 21) Computer forensics: Finding “hidden” data. TechRepublic. Retrieved from: http://www.techrepublic.com/blog/it-security/computer-forensics-finding-hidden-data/

Volonino, L. (2017). Computer forensics. Salem Press Encyclopedia of Science.
