Computer Forensics - Computer Science
1 INTRODUCTION
H. M. Customs and Excise have broken a smuggling ring dealing in rare and
endangered species. One of the felons was utilising a Microsoft Windows based
laptop to record details of their illegal trade and is suspected of corresponding with a
number of his co-conspirators via the laptop.
The primary objective of this research was to detail the typical places in a Windows-based
file system where incriminating evidence may be hidden, and to discuss the key
technologies that may have been used for communication with his partners and the
resulting difficulties they may pose to forensic investigators.
Microsoft Windows systems are typically found formatted in one of the following two
file systems (Mirza, 2008)xiii: File Allocation Table (FAT) or New Technology File
System (NTFS).
The FAT file system architecture is found as a legacy 12-bit version (FAT12), a 16-bit
version (FAT16) and, more commonly, a 32-bit version (FAT32). The defining
characteristic of these file systems is their maximum volume size, which is 32 MB, 2
GB and 2 TB, respectively. As most modern computers have a Hard Disk Drive
(HDD) capacity of at least 1 GB, the FAT12 system is considered outdated and has
thus been termed a ‘legacy’ technology.
The NTFS (also known as the ‘Windows NT File System’), introduced in July of
1993, superseded FAT as the file system of choice due to its many inherent
improvements. The discussion of hiding mechanisms will focus on hard drive
architecture, basic disk geometry and these two file systems.
The Host Protected Area (HPA) is a reserved area found on some HDDs, where the
Device Configuration Overlay (DCO) allows computer manufacturers and vendors to
store data in the HPA, protected from conventional access such as Windows Explorer
(Mirza, 2008)xiii. With sufficient knowledge of DCO and HPA, a computer program
may be developed to store sensitive data by taking advantage of this “physical”
feature. Since the availability of the HPA is limited to certain makes and models of
HDDs, it would be useful for any forensic investigator to have access to a
comprehensive database of all brands, makes and model serial numbers which support
HPA, together with detailed information on any proprietary modifications to the HPA
or DCO methods and the manufacturer-supplied utilities for accessing the information
held in the HPA.
During the installation of Microsoft Windows, the HDD needs to be partitioned and
formatted. A partition sector, also commonly called a Master Boot Record (MBR), is
the first sector of a partitioned volume of a HDD. Although the primary purpose of
the MBR is to hold the disk’s partition map (the primary partition table), since the
MBR only requires a single drive sector and partitions must start on a cylinder
boundary, the MBR will be followed by sixty-two empty sectors which are ideally
suited for storing sensitive information within this ‘free space’ (Carrier, 2005)v.
Volume Slack (VS) is defined as ‘wasted space’, since it is free space on a HDD that
has not been partitioned. It is possible to create a partition, write sensitive information
to it, and then delete that partition so that it becomes Volume Slack (Casey, 2004)vi.
Since this space is no longer partitioned, the Operating System (OS) will not be able
to access this area via a mapped drive letter in Windows Explorer.
Once the partitions have been created, the next stage is to format the drive with an
appropriate file system. Depending on the chosen type of file system, data can only be
accessed in block-sized chunks rather than as individual sectors. Whilst this improves
the efficiency of accessing and storing data (read/write latency etc.) within the file
system, it may lead to wasted sectors at the end of the partition if the total number of
sectors is not an integer multiple of the block size. Of course, these wasted sectors are
once again an ideal location for writing sensitive data, as they are not typically
accessible by the OS; this area is dubbed ‘partition slack’ (Casey, 2004)vi.
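The following Python script, added here as an illustration and not part of the original paper or the cited sources, shows how an investigator can check these locations on a raw disk image: it parses the MBR partition table, lists the sector ranges that belong to no partition (the gap after the MBR and any volume slack after the last partition), reports which of those sectors contain non-zero data, and computes the partition slack for a given cluster size. The image is a constructed 2 MiB sample with a single FAT32 partition starting at sector 63 and a short string planted in sector 10; the function names and the cluster size of 64 sectors are choices made for this example.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 0x1BE
ENTRY_FORMAT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_disk(total_sectors=4096, first_lba=63, part_sectors=2000):
    """Constructed sample: a 2 MiB raw image with one FAT32 (type 0x0B) partition
    starting at LBA 63, so sectors 1-62 form the gap described in the text.
    A short string is planted in sector 10 to stand in for hidden data."""
    disk = bytearray(total_sectors * SECTOR)
    entry = struct.pack(ENTRY_FORMAT, 0x00, b"\x01\x01\x00", 0x0B,
                        b"\xfe\xff\xff", first_lba, part_sectors)
    disk[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = entry
    disk[510:512] = MBR_SIGNATURE
    planted = b"planted note in MBR gap"
    disk[10 * SECTOR:10 * SECTOR + len(planted)] = planted
    return bytes(disk)


def parse_mbr(disk):
    """Return the non-empty primary partition entries, sorted by start sector."""
    mbr = disk[:SECTOR]
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("sector 0 carries no MBR signature")
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        _status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            ENTRY_FORMAT, mbr[off:off + 16])
        if ptype != 0 and count != 0:
            parts.append({"type": ptype, "start": lba, "sectors": count})
    return sorted(parts, key=lambda p: p["start"])


def unallocated_ranges(disk, parts):
    """Inclusive sector ranges that belong to no partition: the gap after the
    MBR and any volume slack between or after partitions."""
    total = len(disk) // SECTOR
    ranges = []
    cursor = 1                       # sector 0 is the MBR itself
    for p in parts:
        if p["start"] > cursor:
            ranges.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["start"] + p["sectors"])
    if cursor < total:
        ranges.append((cursor, total - 1))
    return ranges


def nonzero_sectors(disk, first, last):
    """Sectors in [first, last] that are not entirely zero; on a freshly
    partitioned drive the MBR gap is expected to be empty."""
    return [s for s in range(first, last + 1)
            if any(disk[s * SECTOR:(s + 1) * SECTOR])]


def partition_slack(part, sectors_per_cluster):
    """Sectors at the end of the partition that cannot form a whole cluster."""
    return part["sectors"] % sectors_per_cluster


if __name__ == "__main__":
    image = build_sample_disk()
    table = parse_mbr(image)
    for first, last in unallocated_ranges(image, table):
        print("unallocated sectors %d-%d, non-zero: %s"
              % (first, last, nonzero_sectors(image, first, last)))
    for p in table:
        print("partition type 0x%02X: %d slack sectors at 64 sectors/cluster"
              % (p["type"], partition_slack(p, 64)))
```

On a real acquisition the same functions would be run over the full image file (or a memory-mapped view of it); the point of the check is that the gap after the MBR, the unpartitioned tail of the drive and the slack sectors should all read as zeros on a drive that has only ever been partitioned and formatted, so any non-zero sector there is worth carving.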
All partitions, even those configured as non-bootable, contain a boot sector. The
boot sector of a non-bootable partition is therefore simply wasted space that is ideally
suited for storing confidential information. Similarly, unallocated space within a
partition is inaccessible from Windows until a newly created file is allocated to it.
This unallocated ‘free’ space could therefore contain sensitive information; however,
it is quite a gamble, as any modifications made within Windows could overwrite this
space and thereby potentially lose the data (although it could be retrieved if the drive
platters are read by hand).
Returning to the file system, it is also possible to ‘abuse’ the functionality of a
particular safety feature in both FAT16/32 and NTFS to hide information within
blocks marked as bad blocks. The purpose of marking bad blocks is to prevent data
loss, and manipulating this metadata is once again ideal for the purpose of storing
sensitive information (Britz, 2008)iii. The storage locations for hiding data described
above apply to both FAT16/32 and NTFS. However, the NTFS file system also allows
for some unique locations for storing such sensitive information.
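As an added example (not from the original paper or the cited sources), the Python code below applies that idea to a FAT32 File Allocation Table: it lists the clusters whose entry carries the bad-cluster marker (0x0FFFFFF7) and then reads each one from the data region, flagging any bad-marked cluster that still holds non-zero data, since a cluster the file system has retired for being unreadable would not normally yield clean content. The FAT and data region are a constructed sample with one legitimate file chain and two clusters marked bad, one of which holds a planted string; the cluster size of one sector and the layout are assumptions of the example.

```python
import struct

FAT32_MASK = 0x0FFFFFFF      # only the low 28 bits of a FAT32 entry are significant
FAT32_BAD = 0x0FFFFFF7       # entry value that marks a cluster as bad
FAT32_EOC = 0x0FFFFFFF       # end-of-chain marker
CLUSTER_BYTES = 512          # assumed cluster size for the constructed sample


def build_sample_fat32(n_clusters=16, bad=(5, 9), payload_cluster=5):
    """Constructed sample: a FAT with entries 0-1 reserved, one legitimate
    two-cluster file (2 -> 3 -> EOC), clusters 5 and 9 marked bad, and a
    planted string stored in cluster 5's data area. Returns (fat, data)."""
    fat = [0] * (n_clusters + 2)
    fat[0], fat[1] = 0x0FFFFFF8, FAT32_EOC   # media descriptor / reserved entry
    fat[2], fat[3] = 3, FAT32_EOC            # a normal file chain
    for c in bad:
        fat[c] = FAT32_BAD
    fat_bytes = b"".join(struct.pack("<I", e) for e in fat)
    data = bytearray(n_clusters * CLUSTER_BYTES)
    planted = b"planted text in a cluster marked bad"
    off = (payload_cluster - 2) * CLUSTER_BYTES
    data[off:off + len(planted)] = planted
    return fat_bytes, bytes(data)


def fat_entries(fat_bytes):
    """Decode the FAT into a list of 28-bit entry values."""
    count = len(fat_bytes) // 4
    return [e & FAT32_MASK
            for e in struct.unpack("<%dI" % count, fat_bytes[:count * 4])]


def bad_clusters(fat_bytes):
    """Cluster numbers whose FAT entry carries the bad marker (0 and 1 are reserved)."""
    return [i for i, e in enumerate(fat_entries(fat_bytes))
            if i >= 2 and e == FAT32_BAD]


def cluster_data(data, cluster):
    """Bytes of a data cluster; cluster 2 is the first cluster of the data region."""
    off = (cluster - 2) * CLUSTER_BYTES
    return data[off:off + CLUSTER_BYTES]


def suspicious_bad_clusters(fat_bytes, data):
    """Bad-marked clusters that nevertheless read back with non-zero content."""
    return [c for c in bad_clusters(fat_bytes) if any(cluster_data(data, c))]


if __name__ == "__main__":
    fat, region = build_sample_fat32()
    print("clusters marked bad:", bad_clusters(fat))
    print("bad-marked clusters holding data:", suspicious_bad_clusters(fat, region))
```

Two observations make this check useful in practice: modern drives remap genuinely failing sectors in firmware before the file system ever sees them, so a FAT carrying bad-cluster marks on a healthy drive is itself unusual, and a marked cluster that reads back cleanly with recognisable content is a strong indicator that the mark was planted rather than earned.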
The NTFS file system in particular provides a couple more alternatives. One
possibility would be to alter the Alternate Data Streams (ADS), which are associated
with the Master File Allocation Table (MFT). Such file streams are well suited to
hiding sensitive data, as they are not within the scope of Windows Explorer. NTFS
has another inherent ‘quirk’ with regard to handling extremely small files and ADS.
In the event that a particular file is small enough to fit within the MFT, the entire file
itself is stored within the MFT rather than a reference to its location (Jones, Bejtlich
and Rose, 2005)x. This allows a computer program to create multiple such files to
reserve enough ‘free space’ within the MFT, delete them, and then create a potentially
large enough file within the MFT to store the hidden information of choice. Of course,
this hidden information would only persist until further small files start to overwrite
this particular location in the MFT, and as such it would be best suited for ephemeral
data.
The above discussion shows that most of the ‘hiding’ places within a typical
Windows-based file system are better suited to ephemeral data, whilst the longer-term
hiding places are easier to detect. However, for any information found in the
previously discussed locations where data could be concealed, it has so far been taken
for granted that the data would be stored in plain text without first undergoing some
form of encryption such as 3DES, Blowfish, or even the Advanced Encryption
Standard (AES) (Burnett, 2001)iv.
Accessing the Internet is simpler than ever, with free WiFi in many coffee shops and
even unsecured networks in many densely populated cities. A couple of years ago,
accessing e-mail relied on client programs running on the user’s computer via
POP/SMTP sessions, leading to all the emails being stored locally on the computer’s
file system. This is no longer the case. With many free email services available
online, far more users are relying on storing most of their information online as a
result of cloud computing (Miller, 2008)xii.
includes, but is not limited to, clearing all details of browsing history, download
history, saved Form and Search history, cache, cookies, offline website data, saved
passwords and authenticated SSL sessions.
Currently, even Google offers an online system called ‘Google Docs’, which is a free
web-based word processor and spreadsheet application enabling easy collaboration.
Making matters even more complicated, the free email service by Google (GMail), for
example, has an option to always force the browser to connect via a Secure Sockets
Layer (SSL) encrypted session. This is also supported by other free email systems
such as Hotmail and Yahoo. RC4 is the stream cipher used in SSL, as a 128 or 256-bit
cipher that offers remarkable performance, although it does have several weaknesses.
However, from an evidence-gathering standpoint, these weaknesses would only be of
use when exploiting a particular SSL session between known Internet Protocol (IP)
addresses (Viega, Messier and Chandra, 2002)xix, and therefore would not leave any
traces on the laptop as long as the user has been careful.
With the popularity of cloud computing, from a forensics perspective, the browser
software installed on a Windows system (Microsoft Internet Explorer, Mozilla
Firefox, etc.) would need to undergo close scrutiny for evidence in the form of its
cache, history, cookies and most recently downloaded files. Although it may be
possible to obtain some information via this method, it is not the only means for
communication across the Internet and World Wide Web (WWW).
This could also be applied to other online services such as Scribd, which offers an
easy means of collaborating on documentation in PDF and Word form. It even
supports a means of storing ‘private’ files online, so that only those given a particular
Uniform Resource Locator (URL) are able to access the private document in question.
However, it is quite possible that the Scribd system has text-scanning systems in place
to ensure such information does not stay active on their system for long, but these will
only ‘flag’ information that is posted as blatantly obvious; it is unlikely any
intelligence agencies would be notified by the posting of a recipe for a thin-crust
pizza.
With the exercise of caution and a certain degree of common sense, this system could
easily be used for passing sensitive information between parties. Furthermore, the
Scribd URL to a private document could easily be communicated to co-conspirators
via the Short Message Service (SMS), a standardised messaging service in the GSM
cellular communication system, and as such would leave no trace that such a
document was ever passed to someone else, unless the browser’s logging features
suggest otherwise.
For the most tech savvy criminals, a secure Virtual Private Network (VPN) that
utilises cryptographic tunnelling is another extremely feasible means of
communication. VPN is an extremely powerful system and is therefore a standard
feature of most corporate networks, allowing their employees to work from home and
while on the move (Steinberg et al., 2005)xviii without compromising the security of
their network and data. During a VPN session, the connecting user will be effectively
logging onto this remote network of computers, thereby gaining complete access to all
shared volumes, attached computer peripherals and computer terminals themselves
(depending on their firewall configuration and network topology). “Local” video
conferencing would be extremely simple to achieve, as well as transferring files and
other data whilst connected to the remote network via VPN (Snader, 2005)xvii. It
would be the duty of the forensic investigator to check if the IP address of the VPN
network (or networks) they have connected to has been recorded in some way, or if
any logs of such sessions are recorded locally on the HDD of the laptop.
Although simpler to set up and connect, a Secure Shell (SSH) connection to a remote
server allows for an encrypted session for the duration of the link. Once again, the two
parties are able to exchange files (via the File Transfer Protocol, or FTP), utilise
instant messaging and a host of other capabilities. However, the SSH system is
susceptible to ‘man in the middle’ attacks. Like a VPN, though, this is another secure
means of cryptographic tunnelling via the Internet (Barrett, Silverman and Byrnes,
2005)ii.
FTP is a simple system devised on Linux and Unix based systems for transferring files
between a client and an FTP server, and vice versa. A typical FTP session runs
completely unsecured in the open, with even the username and password transmitted
as plain text, and can easily be captured with a packet sniffer listening on port 21
(Kozierok, 2005)xi. To ensure that such a connection is made with a means of
encryption, a viable alternative would be the SSH File Transfer Protocol (SFTP) or
FTP over SSL (FTPS).
Although the FTP/SFTP system was not designed as a means of passing information,
one could easily take advantage of it in this fashion. Suppose the co-conspirators have
set up an FTP server (or daemon, as they are commonly called, hence FTPd) and place
their ‘secret’ information in the FTPd welcome message, customised to appear only to
a particular user who logs in. Such messages could be set up for each of the various
accounts of their co-conspirators, who simply need to log in over SFTP to receive the
information, and who can easily leave their response by transferring their comments
as a file to their folder on the FTPd. Paired with SMS messaging, it would be
extremely simple for the members of their organisation to handle communications in
this fashion.
It is, however, possible to find out if SSH sessions have been in use on the laptop.
Since SSH is native to Linux and Unix based systems, a typical Windows program
offering similar functionality would be Cygwin; alternatively, a flavour of Linux
(such as Ubuntu or Debian) may be run via a Windows application known as VMware
(Newham, 2005)xiv.
For public-key secured connections, public keys are stored in
~/.ssh/known_hosts, and a typical such file might contain something similar to
what is shown below:
128.138.249.8 ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEA0d7Aoure0toNJ+YMYi61QP2ka8m5x5ZQlT7obP8CK
3eropfqsMPPY6uiyIh9vpiFX2r1LHcbx139+vG6HOtVvuS8+IfMDtawm3WQvRuOopz3vV
y5GtMwtaOgehsXoT930Ryev1bH5myPtWKlipITsOd2sX9k3tvjrmme4KCGGss=
As seen from the example above, the destination IP address is stored along with the
RSA public-key hash.
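The Python example below, added here and not part of the original paper, parses a known_hosts file in the format shown above: for each line it records the remote host(s), checks that the key type inside the base64 blob matches the declared type, decodes the RSA public exponent and modulus size, and computes the SHA256 fingerprint of the key blob, which is what an investigator would compare against the host key of a server of interest. The sample input is the entry reproduced above, joined back onto a single line as it appears on disk; OpenSSH’s hashed-hostname entries (starting with |1|) and @marker lines are recognised but the hashed names are not reversed.

```python
import base64
import hashlib
import struct

# The known_hosts entry reproduced in the text, re-joined onto one line.
KNOWN_HOSTS_SAMPLE = (
    "128.138.249.8 ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABIwAAAIEA0d7Aoure0toNJ+YMYi61QP2ka8m5x5ZQlT7obP8CK"
    "3eropfqsMPPY6uiyIh9vpiFX2r1LHcbx139+vG6HOtVvuS8+IfMDtawm3WQvRuOopz3vV"
    "y5GtMwtaOgehsXoT930Ryev1bH5myPtWKlipITsOd2sX9k3tvjrmme4KCGGss=\n"
)


def read_string(blob, off):
    """Read one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end


def parse_known_hosts_line(line):
    """Decode one known_hosts line into hosts, key type, fingerprint and RSA parameters."""
    fields = line.split()
    marker = None
    if fields and fields[0].startswith("@"):      # e.g. @cert-authority, @revoked
        marker = fields.pop(0)
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line: %r" % line)
    hosts, keytype, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64)
    wire_type, off = read_string(blob, 0)
    if wire_type.decode("ascii") != keytype:
        raise ValueError("declared type %s but blob encodes %r" % (keytype, wire_type))
    digest = hashlib.sha256(blob).digest()
    info = {
        "marker": marker,
        "hosts": hosts.split(","),
        "hashed": hosts.startswith("|1|"),
        "type": keytype,
        # OpenSSH prints fingerprints as SHA256:<base64 without padding>
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("="),
    }
    if keytype == "ssh-rsa":
        e_bytes, off = read_string(blob, off)   # public exponent (mpint)
        n_bytes, off = read_string(blob, off)   # modulus (mpint, may carry a leading 0x00)
        info["e"] = int.from_bytes(e_bytes, "big")
        info["bits"] = int.from_bytes(n_bytes, "big").bit_length()
        if off != len(blob):
            raise ValueError("unexpected trailing bytes in RSA key blob")
    return info


def parse_known_hosts(text):
    """Parse a whole file, skipping blank and comment lines."""
    return [parse_known_hosts_line(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


if __name__ == "__main__":
    for entry in parse_known_hosts(KNOWN_HOSTS_SAMPLE):
        print(entry["hosts"], entry["type"], entry.get("bits"), "bits", entry["fingerprint"])
```

For the entry above the parser reports a 1024-bit RSA key with public exponent 35 (the exponent older OpenSSH versions generated by default), which is consistent with the file being a genuine OpenSSH artefact rather than a planted one; the fingerprint is what would be matched against a seized server, and the list of hosts is the starting point for correlating with VPN, firewall or ISP records.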
This research would not be complete without discussing freely available Instant
Messaging (IM) systems such as Windows Live Messenger (formerly named MSN
Messenger), Yahoo Messenger, ICQ and AOL Instant Messenger (AIM). These
systems allow users to ‘chat’ freely in purely text mode by running the same client
application on each of their PCs. However, their communications are routed through
the servers belonging to the companies that developed the client applications, and as
such encryption is not a main feature of these applications (Wikipedia, 2009)xxi.
Alternative software such as BitWise IM is available freely and also supports
real-time 128-bit Blowfish encryption, whilst the paid professional version supports
448-bit Blowfish encryption. This particular application also generates a new random
key for each and every new conversation. In terms of evidence gathering, a regular
feature of these programs is their ability to log conversations to the HDD as plain text
files that are usually time-stamped. Since this is a user-enabled option, these log files
may or may not exist on the system.
Reflecting back upon the discussion regarding GMail, the free web-based email
system provided by Google, it also features an IM system called GMail Chat. In the
event the connection to GMail is made over the Hypertext Transport Protocol
(HTTP), all the contents of these conversations can easily be compromised by anyone
looking to do so over the Internet. However, if the web browser connects to the
GMail system with SSL enabled, the contents of these conversations will be far more
difficult to tap into.
With regard to making voice and video calls over the Internet, Skype offers free
voice calling between Personal Computers (PCs) utilising the Internet (Abdulezer et
al., 2007)i. Their system utilises the Advanced Encryption Standard (AES), also
known as Rijndael (Daemen and Rijmen, 2002)viii, a portmanteau of the names of the
cipher’s two inventors, Joan Daemen and Vincent Rijmen, with a 256-bit encryption
key to actively encrypt the data of voice calls, voice and video calls (known as video
conferencing), and instant messages (Skype, 2009)xvi. It is clear that making free,
encrypted calls over the Internet is an extremely attractive alternative for
communicating with co-conspirators. With prudence and care, even if each call is
logged and analysed by the Skype system, it is highly unlikely that it would get
flagged unless both parties are extremely incompetent and careless. The Instant
Messaging aspect of Skype allows these conversations to be recorded to the HDD,
which is most likely the only evidence it would leave behind, apart from the various
Skype contacts if the user of the program allowed Skype to remember his password.
Of course, Skype also allows those with Skype Credit to make PC-to-landline calls,
where part of the call is carried over the Internet and the rest over fibre optic, Voice
over Internet Protocol (VoIP), Cellular (GSM/3G) and Public Switched Telephone
Networks (PSTN) (Wallingford, 2005)xx. This, of course, poses a couple of risks to
the parties using this system for communication: (1) the caller has to have Skype
Credit in their account, which needs to be purchased via a Credit Card or PayPal
account, and (2) the final number being called gets recorded on the transit and target
networks. As for the former, a stolen Credit Card or a hacked PayPal account could
be used, but this would result in their current IP address being noted down. This alone
may not help, as they could be connecting through many piggybacked proxy servers
to mask their real IP, or they could even be connecting via an unsecured WiFi
connection in a metropolitan area (although this would place them within a 32 m
radius to a maximum radius of 95 m from the location of the wireless base station,
which would narrow their possible location to a 3.2 to 28 square-km area,
respectively).
A similar system is also offered by Google Talk (GTalk), which runs natively as a
Windows web-based application and offers Instant Messaging and VoIP
communications between PCs. Unlike Skype, the GTalk system does not impose
complete encryption at this point in time.
Another popular means of online communication is Internet Relay Chat (IRC), which
allows for real-time text-based chat by joining a particular IRC server utilising a
freely available IRC client (Charalabidis, 1999)vii. One of the most popular IRC
clients for Windows is mIRC, and similar to most other communication applications it
allows previous conversations or sessions to be logged to the HDD.
Unlike IM conversations, with IRC the user must join an IRC server of his choice,
and there are many such servers, organised by the country in which they are based.
Upon joining an IRC server, the user can either join pre-existing IRC channels or
create and join his own. At this point, any co-conspirators may join the same channel
and enter a private conversation.
Internet Forums or messaging boards are extremely popular web applications that
allow for users to collaborate online in a system akin to traditional Bulletin Board
Systems (BBS), in the days of dialup Internet well before broadband was introduced.
Most forums are dedicated to a central theme – some are dedicated to Computer
Technology and Hardware discussions, such as HEXUS.net, and some are even
dedicated to specific hobbies, interests and discussions.
system. There are almost no measures to prevent unscrupulous individuals from
communicating via forums utilising their PM system as a means of conversation, and
only some forums tend to monitor PMs sent and received. Once again, as long as
common sense and a degree of caution are exercised, an online forum could be ideally
used between co-conspirators, although they would be limited by not being able to
exchange files by this method. As such, a system such as Scribd could be used in
conjunction to overcome this limitation.
In the event they decided to communicate by means of digital photos, many free
online systems are also available for this purpose, with Flickr and Photobucket being
the most popular. Although they place a limit on the number of photos uploaded, a
fair number of photos can still be stored online with full access to anyone accessing
the site with a web browser or a mobile device with such capabilities, such as the
Apple iPhone.
This notion could also be extended to the extremely popular social networking web
applications such as FaceBook and MySpace. These systems allow users to post
online profiles about themselves, freely host photographs and even video clips in
their accounts, and communicate privately across the site’s own system (Shuen,
2008)xv. In all likelihood these systems monitor all private communications, but as
mentioned earlier, they will never cause panic unless someone were to blatantly pass
across the list of chemicals and instructions required to manufacture military-grade
explosives. Used sensibly, these could be ideal for the co-conspirators to
communicate with each other privately, and even ensure that no record of these
communications is held locally on the HDDs of their computers.
4 CONCLUSION
With regard to concealing information in the laptop’s file system, it is apparent that
most of the options result in storing ephemeral data, while the more reliable methods
are more straightforward to detect. However, even if this data is located, it is far more
likely that it would be encrypted with one of the more reliable encryption algorithms.
In terms of communication technology that may pose problems to the team of forensic
investigators, many avenues exist for utilising freely available online systems for
making contact and passing information across, with very little scope for leaving
evidence behind.
It is a given, though, that a careless criminal could easily leave behind enough
evidence that is easily accessible. At the end of the day, if dissecting the file system
down to its minimum does not prove useful, the only alternative would be to have the
hard disk platters read manually, allowing possible access to data that was not
sufficiently deleted or has not undergone secure erasing (known as zeroing).
REFERENCES
i Abdulezer, L. et al. (2007) Skype For Dummies, Hoboken, NJ: Wiley Publishing, Inc.
ii Barrett, D. J., Silverman, R. E. and Byrnes, R. G. (2005) SSH, The Secure Shell: The Definitive Guide, 2nd edition, Sebastopol, CA: O'Reilly Media, Inc.
iii Britz, M. T. (2008) Computer Forensics and Cyber Crime: An Introduction, 2nd edition, Upper Saddle River, NJ: Prentice Hall.
iv Burnett, S. (2001) RSA Security's Official Guide to Cryptography, New York, NY: McGraw-Hill.
v Carrier, B. (2005) File System Forensic Analysis, Reading, Massachusetts: Addison-Wesley.
vi Casey, E. (2004) Digital Evidence and Computer Crime, 2nd edition, London, UK: Academic Press.
vii Charalabidis, A. (1999) The Book of IRC: The Ultimate Guide to Internet Relay Chat, San Francisco, CA: No Starch Press.
viii Daemen, J. and Rijmen, V. (2002) The Design of Rijndael: AES - The Advanced Encryption Standard, New York, NY: Springer Publishing Company.
ix Farmer, D. and Venema, W. (2005) Forensic Discovery, Reading, Massachusetts: Addison-Wesley.
x Jones, K. J., Bejtlich, R. and Rose, C. W. (2005) Real Digital Forensics: Computer Security and Incident Response, Reading, Massachusetts: Addison-Wesley.
xi Kozierok, C. (2005) The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference, San Francisco, CA: No Starch Press.
xii Miller, M. (2008) Cloud Computing: Web-Based Applications That Change the Way You Work and Collaborate Online, Canada: Que Publishing.
xiii Mirza, F. (2008) ‘Looking for digital evidence in Windows’, International Symposium on Biometrics and Security Technologies 2008, April, pp. 23-24.
xiv Newham, C. (2005) Learning the bash Shell: Unix Shell Programming, 3rd edition, Sebastopol, CA: O'Reilly Media, Inc.
xv Shuen, A. (2008) Web 2.0: A Strategy Guide: Business thinking and strategies behind successful Web 2.0 implementations, Sebastopol, CA: O'Reilly Media, Inc.
xvi Skype (2009) What type of encryption is used?, http://support.skype.com/en_GB/faq/FA145/What-type-of-encryption-is-used, Date accessed 28 March 2009.
xvii Snader, J. C. (2005) VPNs Illustrated: Tunnels, VPNs, and IPsec, Reading, Massachusetts: Addison-Wesley.
xviii Steinberg, J. et al. (2005) SSL VPN: Understanding, evaluating and planning secure, web-based remote access: A comprehensive overview of SSL VPN technologies and design strategies, Birmingham, UK: Packt Publishing Ltd.
xix Viega, J., Messier, M. and Chandra, P. (2002) Network Security with OpenSSL, Sebastopol, CA: O'Reilly Media, Inc.
xx Wallingford, T. (2005) Switching to VoIP, Sebastopol, CA: O'Reilly Media, Inc.
xxi Wikipedia (2009) Instant messaging, http://en.wikipedia.org/wiki/Instant_messaging, Date accessed 28 March 2009.