DELETED AND HIDDEN FILES

If one runs the inquiry “recovering deleted documents” in a Web search engine like Google, endless pages of hits will appear offering in-structions, hints, and products for the reversal of the delete function.

Vast resources exist for undeleting files. Any computer forensics exam-iner possesses the requisite tools to locate all files on a hard drive, re-gardless of their naming convention. Most operating systems (OSs) slightly change the name of the file to render it invisible to the OS and permit reuse of the disk space. “Secretfile.doc” may become “!ecret-file.doc,” a trifle to restore for undelete programs.

Hidden files come in several flavors. Usually, the person seeking to hide a file has just the resources of the operating system to accomplish the task. The common technique involves setting the file attribute to

“hidden.” In Windows the user just right clicks on the file icon and goes into Properties/General. The General Properties permit checking the

“Hidden” attribute box. If the “Folder Options” utility in Control Panel has the radio button pressed for “Do not show hidden files and fold-ers,” then files or folders with the “Hidden” attribute box checked will become invisible to users. This thin veneer of protection disappears when one presses the radio button in the “Folder Options” utility in Control Panel for “Show hidden files and folders.” This elementary form of “security through obscurity” can be effective when someone else is not aware it is being used, but this ploy would not fool a forensics examiner.

Altering file extensions is another gambit in the “hiding game.” In-stead of the file being “jones.doc,” it becomes “jones.mht.” This tactic prevents the file from being visible to the word processing application or any of the normal office suite applications. Images of a sensitive nature can also be renamed to appear to be text files or spreadsheets.

Burying the file in a large directory makes it difficult to find, and per-haps, the user wants to mask a file as a spreadsheet and gives the file the “.doc” extension. In any event, this simple ruse causes someone looking for a sensitive file a bit of a challenge. Carrying the deception to an additional level involves renaming the file from say “mysecretfi-nances.xls” to “aggregate.exe” and then placing the file in a directory filled with executables and program files. Fortunately for forensic ex-aminers, a number of programs are available that examine the contents and structure of a file to uncover its real format despite any name or extension alterations. These forensic applications compile a list of sus-picious files for review by the examiner.

Hiding directories themselves or placing files in obscure directories are other tactics employed by users to ward off prying eyes. Again, computer forensics examiners have tools to look for suspicious files in

unusual locations on a hard drive. Searching for word patterns and doc-ument structure uncovers suspicious files where the content does not match the location and naming of the file. Placing files in the host pro-tected area (HPA) of a hard drive is another hiding technique. Since the HPA is not readable by the computer’s BIOS, data stored there may evade routine detection and analysis. Examining the HPA area, how-ever, is now a standard computer forensics practice, so its value as a

“stashing” area may be diminished.

Computer forensics is not a static discipline, for new developments occur constantly. At first appearance, data hiding through steganography seems impregnable. Steganography involves hiding one file inside of another. For example, a user has a sensitive text file on his drug-dealing activities and places it inside of a JPEG file, which is a photograph of a scenic vista taken during a vacation. This hiding is possible because not all the elements (bits, a “1” or a “0”) of a byte (a group of eight bits) are significant in preserving the image. The steganography program switches out the least significant bit (LSB) in the image’s bytes with a bit from the text file. Think of each byte as an egg carton. Steganogra-phy removes one “egg” from the carton (one bit from the host file’s byte) and replaces it with an “egg” (the replacement bit) from the file the user is trying to hide. Bit by bit the entire sensitive text file becomes hidden in the host or container file.

This technology, however, has a major vulnerability. It requires a spe-cialized software tool to accomplish the replacement process. These steganographic tools like Steganos, Hide and Seek, and White Noise Storm each have a unique signature in their software, which enables computer forensics experts to develop tools to detect them. They re-semble malware in the sense of their susceptibility to detection. Once an examiner knows what steganography tool is in use, detecting files em-bedded with sensitive text or images becomes much easier. Computer forensics has adapted to this challenge.

Trace evidence is the last area of hidden data that needs review. Two activities create trace evidence on the computer. (See Figure 7.1.) First, when files get “deleted” the space becomes available on the hard disk drive again; however, subsequent writing over the space with new data is not always perfect. The new data may not cover the entire original space, so some of the original information remains. This gap between the new and old information is “slack space.” Even though fragmentary in nature, this slack space contains valuable information. For example,

a drug trafficker keeps transactions about cocaine sales on his hard drive. Even finding bits and pieces of transactional information can be quite incriminating especially when words like “coke” and cocaine”

keep reappearing. Other sensitive information faces the same scenario as to forensic capture and analysis. It does not take a large amount of in-formation to reveal the larger picture. Computer forensics examiners have a wide range of tools, such as disk slack checkers and HEX editors, to detect “slack space” and to analyze its contents.

The term “slack space” does not refer to a laid-back attitude or a place where everything turns mellow. Rather, the residual data on a storage device, like a hard drive, or in RAM (random access memory) constitutes slack space. Visualize three scribes writing down what you say on chalk slates. Each scribe records a sentence on a rotating basis. The third scribe jots down every third sentence you say. After the speaking goes on for a few minutes, the first two scribes wipe their slates clean. Your next recita-tion is shorter, so only the first scribes take it down. The writing remain-ing on the third scribe’s tablet is a data fragment of your original message.

Think of your computer as a collection of scribes that capture your data and keystrokes flawlessly and place the information it sectors on a hard

Figure 7.1: Trace Evidence

drive, floppy disk, or on other storage media. When you write over exist-ing data, often the new data does not fill up completely all the previously used sectors. Some of the residual data remains in slack space on the storage medium, much like the scribe’s tablet that has not been erased.

Since human language and data possess significant redundancy in structure and in repetitive words, such as connectors and common nouns and verbs, fragments can reveal a great deal of information about the original message. Reading a computer’s slack space is the stock-in-trade of a computer forensics professional. Such experts take as an arti-cle of faith that most users do not realize how unerring the scribes inside a computer can be.

Some of the misconceptions about how computers store information include:

1. Deleting a file obliterates the data. (Unless you take extraordi-nary measures, much of your data remains available for foren-sic examination even after deleting and normal overwriting.) 2. “I can hide data on my computer by changing filenames,

plac-ing files in obscure directories, or by settplac-ing the file attribute to hidden.” (Unfortunately, these clever moves will not deter even a minimally competent computer forensics person.)

3. Password protecting a file keeps it secure. (Actually, most pass-words are easy to crack. Any conventional password of less than eight characters will succumb eventually to a brute-force attack.) 4. Storing all your secrets on a floppy, a USB drive, or on other removable media automatically protects those secrets. (The truth is mixed. Yes, the specific file contents do not appear on the hard drive within the PC. Data trails, however, pointing to those re-movable drives will be on the PC’s hard drive. Unless you know how to erase those trails, strong clues exist as to what you did. You have to be ready to explain why you wrote data to another device.) 5. “I format the hard drive to erase everything.” (Unfortunately, that trick really does not work. Unformat programs can restore the original data.)

6. “I encrypt everything.” (Perhaps you do, but is the encryption effective? Encryption offers a fool’s paradise unless you under-stand the technology. More about this issue in Chapter 8.) The second activity computers do that creates hidden data automat-ically is the use of swap files. If the available memory in the RAM

(Random Access Memory) on microchips is not sufficient for process-ing, then the computer creates virtual memory on the hard drive to ac-commodate the processing’s needs. Swap files facilitate the use of this virtual memory; therefore, the swap file on the computer has pages of information recently processed by the machine. Searching swap files is a normal part of the forensic examination of the computer. Data otherwise erased, overwritten, or expunged may be there in the swap file data. It is a place to consider with caution when processing sensitive data.