Digital Forensics method to analyze various data hiding spaces in NTFS file system

Transcription

1 Digital Forensics method to analyze various data hiding spaces in NTFS file system Tejpal Sharma Assitant Professsor C.S.E Deptt, CGC-COE, Landran Harleen Kaur Sahota Masters of Technology Department Computer Science and Engineering Abstract: NTFS is a file system which restores and manages the important data. It is a common file system in Windows Operating System. A suspect hides the data in these files so that they are not accessible to anyone. In this paper a technique is proposed which will be helpful to analyze the storage media having NTFS file system. In this we will check the hard disk for the hidden data in the boot sector and copy of boot sector and also to analyze the slack space on the disk for hidden data. And, this will also check here for the possibility of the hidden data in the boot sector file of the partition and analysis of deleted files. It will help in cyber crime cases to collect the evidence and solve the cases. Keywords: Digital Forensic, ADS, NTFS, Master File Table, Boot Sector, Slack Space I. INTRODUCTION Computer forensics is a branch of forensic science that employs various analysis techniques to verify facts and obtain evidence related to computer crimes. Criminals try to hide the sensitive information so that even if their computers are retrieved by anyone, there is no proof that can be used against them. As a new kind of high-technology crime, the evidence of computer crime is stored and transmitted through the computers or webs. Computer forensic process is the process which is used to analyze the digital media like hard disk for the forensic process and then acquire the evidences from that media that may be helpful to solve the cyber crime case in which that hard disk involves.. There are various ways to hide the data in NTFS file system and analysis techniques that can be applied to detect and recover the hidden data. File system, can be used to hide data. The file system is used to manage these files present on disk. The computers store the data on hard disk using the suitable file system supported by operating system installed on the computer system. Data stored in the files is the main source of evidence in computer forensics II. OVERVIEW OF NTFS NTFS (New Technologies File System) is a primary file system available for Microsoft Windows operating systems. It is a file system which is an upgrade from FAT file system and offers better performance and reliability such as file encryption, disk quota and also provides higher level security to user. A file system manages files and folders, and the information needed to locate and access these items by local and remote users. NTFS is needed to organize and access information on a hard drive disk, optical media, diskettes, and other media. It is a special disk format designed for management safety features, such as web disk quota and file encryption. NTFS supports the managing function of encrypting files, and so it can provide a higher- level security guarantees to the users. The figure Organization of an NTFS Volume illustrates how NTFS organizes structures on a volume. [5] NTFS Boot Sector Master File Table File System Data Figure 1. Organization of NTFS Volume Master File Table Copy NTFS Boot Sector contains the BIOS parameter block that stores information about the layout of the volume and the file system structures, as well as the boot code that loads Windows Server MFT contains the information necessary to retrieve files from the NTFS partition, such as the attributes of a file. File System Data stores data that is not contained within the Master File Table. Master File Table Copy includes copies of the records essential for the recovery of the file system if there is a problem with the original copy. RES Publication 2012 Page 58 III. METHOD TO ANALYSE HIDDEN DATA IN NTFS Main aim is to get hidden data from the boot sector, copy of boot sector and from slack spaces in the disk. An additional thing in this technique is the analysis of files and folders according to their timing information.

2 Analysis of boot sector and copy of boot sector Analysis of Slack space 1(c) 1(d) data. Further analysis of these bytes can be used to collect evidence related to the crime. Values in categories C should be zero. If any nonzero value is detected in these bytes, it can be the data hidden by the criminals/attackers. It must be analyzed for the evidence collection process. Criminals cannot use category D byte ranges to hide their secret data. IV. Figure 2. Analysis of Hidden Data in NTFS ANALYSIS OF BOOT SECTOR AND COPY OF A. Boot sector analysis BOOT SECTOR According to the observation, each partition contains its first sector as boot sector. Size of boot sector is 512 bytes. These 512 bytes are divided into four categories for the analysis of hidden data in the boot sector. These categories are shown in Table 1.[16] Categories Analysis of deleted files Table 1 Categories according to byte ranges Byte Ranges A 14-15,16-20,22-23,32-35 B 24-25, C 28-31, 36-39, 65-67, 69-71, D All other remaining Bytes between (0-511) i. It is observed that when any change is applied on the category A bytes, it causes the file system to be invalid and make the partition inaccessible. ii. When any change is applied on bytes in category B, it does not effect on file system. iii. Any Change performed in the category C also does not affect the file system. iv. Any modification in category D causes the file system boot sector problem and creates disk partition inaccessible. Rules 1: 1(a) All the bytes in category A are reserved and unused bytes that should be 0 according to Microsoft and cant used for hiding data by criminals. 1(b) Bytes range in category B contains information about sector per track and number of heads respectively. These should contain only the numerical values. Any alphabetical value in this range is symptom of hidden B. Analysis of copy of boot sector: It is observed that there is a copy of boot sector stored on the disk partition at the last sector of partition. It also contains 512 bytes and same data as the boot sector. It is observed that any modification on the data of copy boot sector does not effect on the disk file system. It depicts that criminals can store their data in the copy of boot sector.[16] Rule 2: All the 512 bytes of copy of boot sector can be used to hide secret data. V. ANALYSIS OF SLACK SPACE Slack space is the space in the file system that remains unallocated or unused. It can be used to hide data. On the other hand, when partitions are created on the disk, then the space left unallocated at the end of disk is also known as slack space and named as disk slack space. There are also some other types of slack space that are described further. Three types of slack spaces are considered here: (i) Disk Slack space (ii) File system slack space (iii) File slack space A. Disk Slack space analysis Each new hard disk is divided into physical sectors. When that disk is divided into partitions, then some space left unallocated at the end of disk. This space is left behind the last partition. When any data editing is performed on the unallocated space, that does not affect the file system structure and is not detected by the operating system. This space is known as disk slack space. Rule 3: Disk slack space can be used to hide data. Analysis steps and extraction of data from disk slack space When partitions are created on the disk and then any file system is installed on them, some portion of the disk remains unallocated at the end of the disk while this process is RES Publication 2012 Page 59

3 performed. Because the disk is physically divided into sectors and when disk is formatted according to any file system, then disk is divided into logical drives. At the end of disk, some part may remain unallocated because of file system storage data structures and those unallocated sectors can be used by the criminals to hide their data. So, this technique is proposed to analyze these hidden spaces that are in the form of disk slack space. Steps: 1. First check total number of physical sectors (X) on the disk. 2. Then find the end sector number (Y) of the last partition on the disk. 3. If Z = 0, (Z=(X-1)-Y) then both the numbers are equal then no hidden data on the disk slack space. Otherwise follow the next step. 4. Disk slack space occurs and contains Z sectors. 5. Analyze the data on the disk slack space. B. File system Slack Space It is observed that when disk is divided into partitions, some memory is assigned to the disk volume in the form of sectors. While that volume is formatted according to file system (NTFS), some portion at the end of volume remains unallocated. NTFS partition is multiple of clusters (1 cluster= 8 sectors). So 0 to 7 sectors may left unallocated at the end of volume. These sectors are known as file system slack space. These can be used to store secret data by the criminals. Rule 4: Space left unallocated at the end of file system can be used to hide data. Steps to perform analysis: 1. Check the total number of sectors (FSS) is allocated to file system. 2. Divide the total number of sectors by the unit size of NTFS file system and calculate the remainder. 3. If remainder is 0, then there is no hidden data. 4. If remainder (R) is non-zero (0-7), then there may be hidden data on last R sectors. 5. Then compare copy of boot sector with boot sector, if both are same then check (R-1) sectors and follow the next step. Otherwise go to step Analyze those sectors if all have value zero then ok otherwise extract the data. 7. Analyze and collect hidden data from R sectors at the end of file system and extract hidden data from them. C. File Slack Space When any file is created, it is stored on the disk. NTFS file system uses cluster as its storage unit to store the file. Each cluster contains 8 sectors. When the size of file stored on the disk is less than 1 cluster (4096 bytes) or last allocated cluster of bigger file contains less than 4096 bytes, then some bytes remains unused on that cluster. So those bytes can be use to hide secret data. Any change on those bytes does not influence the formation of NTFS file system on that volume. Rule 5: File slack space in NTFS file system can be used to conceal data. Steps to perform analysis of File slack space: 1. It is known that boot sector is on the first sector of partition, so check the starting cluster of MFT 2. Then check the MFT entries and find the entry of file which is used for analysis. 3. Check whether the $data attribute is resident or nonresident. If resident then it means no hidden data. Otherwise further analysis is needed. 4. Find the value of allocated size to data space to file and actual data size of file. If both the values are same then there is no hidden data in the file data attribute content. If not equal then follow the next step. 5. Check the number of clusters allocated to store data and the starting address of external run. 6. Check whether all the bytes after the last byte of actual data are zero or not. If all remaining all bytes on that cluster are zero then there is no hidden data on that clusters. Otherwise analyze remaining bytes for hidden data. overlapped by the new MFT entry. RES Publication 2012 Page 60 VI. ANALYSIS OF DELETED DATA ON THE DISK When files are created by the operating system then these files are stored on the disk clusters and one entry of file is also added in the MFT list. It contains all information about the file. As the file is created, the allocation status of that cluster is changed from unallocated to allocate. And when the file is deleted then all data of file is not deleted from the disk. All data remains stored on the disk and only the allocation status of cluster changes from allocated to unallocated. This means that the clusters that were storing that file are now available for use again. But they contain the data on them. a) If file is deleted recently, then the MFT entry leftovers in the list. b) If new more files are created on the same volume after deletion of file then deleted file entry may be

4 Rule 4: a) Deleted file can be extracted from the information in master file table entry of file. b) If MFT entry is overlapped by the new entry, then it can be analyzed by cluster search of unallocated clusters on disk partition. VII. A. Scenario 1 EXPERIMENTAL RESULTS When criminal hide their data in the space on the hard disk which lies outside the limit of space that the user is allowed to use. Experimental : As per the analysis it has been founded that this space which is not allowed to user to use is known as disk slack space. According to the rule 3 this space can be used to hide data. So when analysis is performed on the tested data then disk slack space is detected in that case. Table 2 describes the results of analysis process. Table 2. of analysis process Operating System Microsoft Windows 7 File System ultimate NTFS Hard Disk Size: 500GB B. Scenario 2 When data is stored by the criminals/attackers in the free space left unallocated at the end of file system. Experimental : One partition of 4GB is created for the testing purpose. That partition is formatted according to NTFS files system.then the analysis is performed on the disk according to our second technique and according to rule 4 it is found that there is file system slack in the disk partition where someone can hide their data. Then results are collected from analysis process. Table 3. Analysis result of file system slack space Total number of sectors allocated to file system Unit Size File system slack space Data extracted from hidden area Cluster=8 sectors 7 Figure 4. image extracted from hidden area Partitions C:/, D:/, E:/, F:/ and G:/ Physical Sectors (X) End Sector of Last Partition (Y) Disk Slack Space (Z) sectors Then the analysis of these 2096 sectors is performed to check any hidden file in these sectors. These sectors start from According to rule no. 3, Sector contains an image file. C. Scenario 3 When criminals hide their secret data in the unused storage space left which is provided to store the file. Experimental : In this case the second section of technique is used where the third part of technique analyze the file slack space. It is found that the same problem in this case according to our rule 3. Then analysis is performed according to the steps defined in the analysis of file slack space method. F:/ drive of disk is used for analysis of file slack space. First it performs its check on the $boot at volume sector 0. And from that it get information about the starting address of $MFT. That is useful to find the MFT entry of test file (textfile.txt).on the base of which all analysis is done. Figure 3. Image found from hidden data Table 4. Analysis Result of file slack space Starting address of MFT Cluster no , sector no MFT entry of file Cluster no , sector RES Publication 2012 Page 61

5 textfile.txt no $DATA attribute Non-resident ( byte-8 of $data attribute is 01) Allocated size of attribute content Actual size of attribute content Starting address of external cluster 4096 bytes 1269 bytes 87042(decimal) hard disk of computer which can be used in crime investigation. Basically technique is divided into three parts. In the first part both the boot sector and the copy of boot sector are checked for the hidden data in them. Secondly data is analyzed in the hidden space which includes disk slack space, file system slack space, file slack space and deleted files.. In this different scenarios of crimes are created and on those scenarios proposed analysis methods are implemented and collect the results from those scenarios. As our analysis according to rule 5 it is found that there is some data on the file slack space of data content of textfile.txt file. The data is text data containing some information is shown on Table 5. This table contains information about the type of file and the size of file. And this also contains information about mobile numbers that were hidden in the data attribute of file by the criminals. Table 5. Data extracted from file slack space File type Size Containing Information VIII. Text Text file 380 bytes Mobile numbers of higher authorities: Planner XXXXXX1234 Plan distributer XXXXXX3245 Regional commander XXXXXX0987 Weapon distributer XXXXXX4329 Area commander XXXXXX2324 any help - XXXXXX0990 Information related to crime plans can be accessed from this website. and login ID-aaaa and paswword - crimes555 is used to get information CONCLUSION There are some spaces in the NTFS file system that can be used by the criminal to hide secret data. In this paper, a REFERENCES [1] Agarwal, A., Gupta, M., Gupta, S. and Gupta, S.C., Systematic Digital Forensic Investigation Model, International Journal of Computer Science and Security, Vol. 5, No. 1, pp [2] Bang, J., Yoo, B., Kim, J. and Lee S., Analysis of time information for digital investigation, Fifth international joint conference on In, IMS and IDC, pp [3] Carrier, B., File system forensic analysis Addison Wesley Professional, ISBN: [4] Carrier, B., Open source digital forensic tools, published in Stake research report, pp [5] (v=ws.10).aspx [6] Chakravarthy, A.S.N. and Kumar, T.V.Sarath, Survey on Computer Crime Scene Investigation Forensic Tools, International Journal of Computer Trends and Technology, Vol. 3, No. 2, pp [7] Chow, K.P., Kawan, M.Y. K., Law, F. Y. W. and Lai, K.Y., The rules of time on NTFS system, In Proceedings of Systematic Approaches to Digital Forensic Engineering, Department of computer Science, The University of Hong Kong. [8] Davis, J., MacLean, J. and Dampier, D., Methods of information hiding and detection in file systems, Fifth international workshop on systematic approaches to digital forensic engineering, pp [9] DMDE Free Edition- Disk Editor, Dmitry Sidorov, last accessed august, 2012, [10] DiskExplorer 4.25 for NTFS file system, Runtime software, Last accessed august, 2012, [11] Dixon, D.P., An overview of computer forensics, IEEE Potentials, pp [12] Huebner, E., Bem, D. and Wee, C.K., Data hiding in NTFS file system, Digital investigation, pp [13] Kai, Z., En, C. and Qinquan, G., Analysis and Implementation of NTFS file system based on computer forensics, Second international workshop on education technology and computer science, pp [14] Mamoun, A., Sitalakshmi, V. and Paul, W., Effective digital forensic analysis of the NTFS disk image, Special issue on ICIT conference-applied Computing, UbiCC journal, Vol. 4, No. 3, pp [15] Martini, I.A., Zaharis, A. and Ilioudis, C., Detecting and manipulating compressed alternate data streams in a forensics investigation, Third international annual workshop on digital forensics and incident analysis, pp [16] Tejpal Sharma, Dhavlesh Rattan, Computer Forensic Analysis of NTFS File System, International Journal of Computer Science and Communication Engineering, Volume 1 Issue 1 October 2012 technique is proposed for the computer forensic analysis of RES Publication 2012 Page 62

6 AUTHOR S BIOGRAPHIES Tejpal Sharma received the B.Tech. degree in Computer Science and Engineering and M.Tech. degree in E-Security from Baba Banda Singh Bahadur Engineering College, Fatehgarh Sahib (Punjab). Presently working as Assistant Professor (CSE Deptt.) in CGC-College of Engineering, Landran, Mohali (Punjab), India. Harleen Kaur Sahota received the B.Tech. degree in Computer Science and Engineering from RBIEBT, Punjab and M.Tech. degree in Computer Science and Engineering from CGC, Landran, Punjab. Had one year of experience as Assistant Professor in Department of Computer Science Engineering. RES Publication 2012 Page 63