Post on 31-May-2015
Dark Data Hiding in your Records
Opportunity or Danger?
Rob Zirnstein, President
Forensic Innovations, January 19th, 2011
Darth Vader?
• No, “Dark Data”, but they both
– Are often associated with evil
– Keep secrets (“Luke, I’m your father”)
– Are potentially harmful
Dark Matter?
• No, “Dark Data”! But they both
– Go undetected
– Are surrounded by detectable stuff
– Affect things around them
What is Dark Data?
• Dark Data in our digital devices
– Everyone creates it (unintentionally)
– Criminals may hide it (Anti-Forensics)
– Forensic tools can’t see it
– But it is there!
• Data that we can’t see
– On our hard drives
– On our flash drives
– In our computer files
Where is Dark Data?
• DCO & HPA
• Unformatted Disk Space
• Deleted Files
• Unknown Files
• Between Files
• Inside Common Files
• Deleted Data Objects
Hard Drive Layout
• Device Configuration Overlay (DCO)
– http://www.forensicswiki.org/wiki/SAFE_Block_XP
– Data Cleaner+ http://www.mp3cdsoftware.com/blancco---data-cleaner--download-16317.htm
– http://www.utica.edu/academic/institutes/ecii/publications/articles/EFE36584-D13F-2962-67BEB146864A2671.pdf
• Host Protected Area (HPA)
– http://www.thinkwiki.org/wiki/Hidden_Protected_Area
– Forensic Duplicator http://www.tableau.com/pdf/en/Tableau_TD1_Product_Brief.pdf
– HDD Capacity Restore Tool http://hddguru.com/software/2007.07.20-HDD-Capacity-Restore-Tool/
• Unformatted Disk Space
Deleted Files
• Deleted Files aren’t really gone?
– Unused Disk Space (in a volume)
– Disk Caches / Swap Files
– Windows Recycle Bin
• Are they hard to recover?
– Fragmentation is deadly
– Large databases tend to be heavily fragmented
– Even DFRWS Researchers find that fragmentation can make some file types impossible to recover (http://www.dfrws.org/2007/challenge/results.shtml)
Unknown Files (1)
• 500 types of files handled by eDiscovery, Document Management & Computer Forensics Tools
• 50,000+* types of files in the world
• 5,000 types of files typically in use
*http://filext.com
Unknown Files (2)
(Chart) Typical Tools: 23 wrong files vs. FI Tools: 26 correct files
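The comparison above comes down to one question: is a file identified by what its bytes say or by what its name says? The following is an added example (not File Investigator code and not its signature database; the signature table and the sample files are constructed here) that identifies a handful of types by their leading bytes and flags files whose extension disagrees with their content.

```python
"""Identify a file by its leading bytes rather than its extension, and flag
files whose extension disagrees with their content ("masquerading" files).
Added example with a small constructed signature table and constructed
sample files; it is not File Investigator's database or code."""
import os
from typing import Optional, Set

# (magic bytes at offset 0, extensions that content legitimately uses).
# Illustrative only: a real identifier carries thousands of entries.
SIGNATURES = [
    (b"%PDF-", {"pdf"}),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", {"doc", "xls", "ppt", "msg"}),  # OLE2 / Office 2003
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),             # zip container / Office 2007
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"\xFF\xD8\xFF", {"jpg", "jpeg"}),
    (b"MZ", {"exe", "dll", "sys"}),
]
RIFF_FORMS = {b"WAVE": {"wav"}, b"AVI ": {"avi"}, b"WEBP": {"webp"}}


def identify(data: bytes) -> Optional[Set[str]]:
    """Extensions the content is consistent with, or None when no signature matches."""
    if data[:4] == b"RIFF" and len(data) >= 12:
        # RIFF is a container; the form type at bytes 8..12 says what it holds.
        return RIFF_FORMS.get(data[8:12], {"riff"})
    for magic, exts in SIGNATURES:
        if data.startswith(magic):
            return exts
    return None


def classify(name: str, data: bytes) -> str:
    """'match', 'masquerade' (content and extension disagree) or 'unknown'."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    exts = identify(data)
    if exts is None:
        return "unknown"          # one of the "unknown files" a 500-type tool would skip
    return "match" if ext in exts else "masquerade"


# Constructed samples: a real PDF header, an OLE document renamed .txt,
# a WAVE renamed .mp3, and bytes matching nothing in the table.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "notes.txt": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24,
    "song.mp3": b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt ",
    "data.bin": b"\x00\x01\x02\x03\x04\x05\x06\x07",
}


def scan(samples=SAMPLES):
    """Classify every sample; anything not 'match' deserves a second look."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:12} {verdict}")
```

Anything that comes back as "unknown" is exactly the population a tool limited to a few hundred types silently skips; anything "masquerade" is a renamed file worth opening with the tool for its real type.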
Between Files
• Alternate Data Streams (ADS)
– Files hiding behind files (on NTFS)
• RAM Slack
– Padding between the end of a file and the end of the current sector
– Typically zeros, sometimes random content
• File/Cluster/Residual/Drive Slack
– Padding between sectors used & the end of the current cluster
– Previous sector content that should be used in File Carving
– http://www.forensics-intl.com/def6.html
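The two slack regions above are pure arithmetic once the sector and cluster sizes are known. The following is an added example (not the talk's tooling) that computes both regions for a file, carves them out of a raw image, and searches the file slack for residue of the previous occupant; the image, the 512-byte sector and the 4096-byte cluster are constructed assumptions.

```python
"""Locate RAM slack and file slack for a file stored on a cluster-based
file system and carve them out of a raw image.  Added example; the image is
constructed in memory and the 512-byte sector / 4096-byte cluster sizes are
assumptions, not figures from the talk."""
SECTOR = 512
CLUSTER = 4096


def ceil_to(n, unit):
    return -(-n // unit) * unit


def slack_regions(file_size, sector=SECTOR, cluster=CLUSTER):
    """Offsets relative to the start of the file's first cluster:
    ((ram_slack_start, ram_slack_end), (file_slack_start, file_slack_end)).
    RAM slack: end of file data up to the end of its last sector.
    File slack: end of that sector up to the end of the last cluster."""
    sector_end = ceil_to(file_size, sector)
    cluster_end = ceil_to(file_size, cluster)
    return (file_size, sector_end), (sector_end, cluster_end)


def carve_slack(image, cluster_offset, file_size, sector=SECTOR, cluster=CLUSTER):
    """Return (ram_slack_bytes, file_slack_bytes) for the file whose first
    cluster starts at cluster_offset in image."""
    (r0, r1), (f0, f1) = slack_regions(file_size, sector, cluster)
    return (bytes(image[cluster_offset + r0:cluster_offset + r1]),
            bytes(image[cluster_offset + f0:cluster_offset + f1]))


def build_image():
    """Constructed: one 4096-byte cluster that once held an older file, then
    got a 1000-byte file written over its start.  The OS pads the last sector
    with zeros (RAM slack); the remaining sectors keep the old contents."""
    old = (b"CONFIDENTIAL: merger target is ACME Corp. " * 120)[:CLUSTER]
    image = bytearray(old)
    new_file = b"A" * 1000
    image[:len(new_file)] = new_file
    pad = ceil_to(len(new_file), SECTOR) - len(new_file)
    image[len(new_file):len(new_file) + pad] = b"\x00" * pad
    return bytes(image), 0, len(new_file)


def recover_residue(image, cluster_offset, file_size, marker=b"CONFIDENTIAL"):
    """File-carving step: look for a known marker inside the file slack and
    return a window of what follows it, or None if the slack is clean."""
    _, file_slack = carve_slack(image, cluster_offset, file_size)
    idx = file_slack.find(marker)
    return None if idx < 0 else file_slack[idx:idx + 40]


if __name__ == "__main__":
    img, off, size = build_image()
    ram, fs = carve_slack(img, off, size)
    print("RAM slack:", len(ram), "bytes; file slack:", len(fs), "bytes")
    print("residue:", recover_residue(img, off, size))
```

Note that the RAM slack is all zeros here only because the constructed OS zero-pads the sector; on older systems it could carry whatever was in memory, which is why both regions are worth carving.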
Inside Common Files
• Deleted Objects
– Ex: Adobe PDF & MS Office 2003 (OLE) not removing deleted data (change tracking)
• Smuggled Objects
– Ex: MS Office 2007 (Zip) and MS Wave (RIFF) formats ignore foreign objects
• Object / Stream Slack
– Ex: OLE objects have sector size issues, just like with disk sectors
• Field Slack
– Ex: Image files that don’t use the whole palette, and/or less than 8/16/32/48 bpp
– Steganography
Smuggled Objects
• Some formats ignore foreign objects
– MS Office 2007 (Zip)
– MS Wave (RIFF)
• This example
– I added a file to a Word 2007 document.
– The document opens without any error.
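Because both containers tolerate extra content, the check has to come from outside the application. The following is an added example (not the talk's tooling) that builds the two files in memory and then finds the foreign objects: for the Office 2007 zip it lists members that no relationship in any `.rels` part points to, a heuristic rather than the specification's rule; for RIFF/WAVE it walks the chunk list, reports chunk ids it does not recognise, and measures any bytes past the size the RIFF header declares.

```python
"""Find foreign objects in the two container formats the slide names: an
Office 2007 (OOXML) zip with a member no relationship points to, and a
RIFF/WAVE file with an unknown chunk and bytes past the declared end.
Added example; both files are constructed in memory, and "a real part is the
Target of some .rels relationship" is a heuristic, not the spec's rule."""
import io
import posixpath
import re
import struct
import zipfile

REL_RE = re.compile(r'<Relationship\b[^>]*?Target="([^"]+)"[^>]*?>')


def ooxml_orphans(blob):
    """Zip members that are neither package plumbing nor the target of any
    internal relationship: Word opens the file fine and never looks at them."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        referenced = set()
        for n in names:
            if not n.endswith(".rels"):
                continue
            base = n.split("_rels/")[0]          # "" for _rels/.rels, "word/" for word/_rels/...
            for m in REL_RE.finditer(z.read(n).decode("utf-8", "replace")):
                if 'TargetMode="External"' in m.group(0):
                    continue                     # hyperlinks are not parts of the package
                target = posixpath.normpath(posixpath.join(base, m.group(1)))
                referenced.add(target.lstrip("/"))
    return sorted(n for n in names
                  if n != "[Content_Types].xml" and not n.endswith(".rels")
                  and n not in referenced)


def build_docx(extra=None):
    """Constructed minimal Word 2007 package; extra=(path, bytes) smuggles a member in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                   '<Default Extension="xml" ContentType="application/xml"/>'
                   '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
        z.writestr("_rels/.rels",
                   '<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>')
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
                   '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="http://example.invalid/" TargetMode="External"/></Relationships>')
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/styles.xml", "<w:styles/>")
        if extra:
            z.writestr(extra[0], extra[1])
    return buf.getvalue()


KNOWN_WAVE_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"smpl", b"bext"}


def riff_anomalies(blob):
    """(unknown chunk ids, number of bytes after the RIFF-declared end)."""
    if blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    end = 8 + struct.unpack_from("<I", blob, 4)[0]
    pos, unknown = 12, []
    while pos + 8 <= end:
        cid, size = struct.unpack_from("<4sI", blob, pos)
        if cid not in KNOWN_WAVE_CHUNKS:
            unknown.append(cid)
        pos += 8 + size + (size & 1)               # chunks are padded to even length
    return unknown, len(blob) - end


def build_wave(extra_chunk=None, trailer=b""):
    """Constructed 8 kHz mono 16-bit WAVE; extra_chunk=(id, bytes) adds a foreign chunk."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    data = b"\x00\x00" * 100
    chunks = [b"fmt " + struct.pack("<I", len(fmt)) + fmt,
              b"data" + struct.pack("<I", len(data)) + data]
    if extra_chunk:
        cid, payload = extra_chunk
        chunks.append(cid + struct.pack("<I", len(payload)) + payload + b"\x00" * (len(payload) & 1))
    body = b"WAVE" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body + trailer
```

The relationship-graph check catches the slide's scenario (a member dropped into the zip that nothing references); a smuggler who also edits `[Content_Types].xml` and a `.rels` part to reference the payload would need the content of the part itself to be inspected as well.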
Deleted Data in Slack
Deleted Data that evades Redaction
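The PDF case behind this slide is mechanical: a save after editing is normally appended as an incremental update, so the replaced object stays in the file and only the newest cross-reference section is consulted by a viewer. The following is an added example (not the talk's tooling) that constructs such a file in memory, with a content stream that is "redacted" by an incremental update, and then shows how to count the generations, list objects that were overwritten, and confirm the original text is still in the bytes.

```python
"""Why 'deleted' PDF content survives: a saved edit is usually appended as an
incremental update, so the old object stays in the file and only the newest
xref section is consulted by viewers.  Added example that constructs such a
file in memory and then finds the stale objects; not the talk's tooling."""
import re

OBJ_RE = re.compile(rb"(\d+) (\d+) obj\b")


def _append_generation(pdf, objs, prev):
    """Append objects plus an xref table and trailer; return the xref offset
    so the next update can chain to it with /Prev."""
    offsets = {}
    for num, body in objs.items():
        offsets[num] = len(pdf)
        pdf += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(pdf)
    pdf += b"xref\n"
    if prev is None:
        pdf += b"0 1\n0000000000 65535 f \n"       # object 0 is always free
    for num in sorted(offsets):                     # one subsection per object
        pdf += b"%d 1\n%010d 00000 n \n" % (num, offsets[num])
    pdf += b"trailer\n<< /Size 5 /Root 1 0 R"
    if prev is not None:
        pdf += b" /Prev %d" % prev
    pdf += b" >>\nstartxref\n%d\n%%%%EOF\n" % xref_at
    return xref_at


def _stream(text):
    return b"<< /Length %d >>\nstream\n%s\nendstream" % (len(text), text)


def build_pdf():
    """Constructed: original page showing a salary, then an incremental
    update that replaces the content stream with a 'redacted' one."""
    pdf = bytearray(b"%PDF-1.4\n")
    prev = _append_generation(pdf, {
        1: b"<< /Type /Catalog /Pages 2 0 R >>",
        2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        3: b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Contents 4 0 R >>",
        4: _stream(b"BT /F1 12 Tf (Salary: 120000 USD) Tj ET"),
    }, prev=None)
    _append_generation(pdf, {4: _stream(b"BT /F1 12 Tf (Salary: [REDACTED]) Tj ET")}, prev=prev)
    return bytes(pdf)


def generations(data):
    """How many times the file was saved: one %%EOF per xref section."""
    return data.count(b"%%EOF")


def stale_objects(data):
    """Object number -> every body ever written for it, oldest first.
    More than one body means an older version a viewer no longer shows."""
    seen = {}
    for m in OBJ_RE.finditer(data):
        end = data.find(b"endobj", m.end())
        seen.setdefault(int(m.group(1)), []).append(data[m.end():end].strip())
    return {num: bodies for num, bodies in seen.items() if len(bodies) > 1}


def text_survives(data, needle):
    """The check a reviewer should run after redaction: is the string still in the bytes?"""
    return needle in data


if __name__ == "__main__":
    doc = build_pdf()
    print("generations:", generations(doc))
    for num, bodies in stale_objects(doc).items():
        print("object %d has %d versions; oldest: %r" % (num, len(bodies), bodies[0][:60]))
    print("salary still in file:", text_survives(doc, b"120000 USD"))
```

A proper redaction tool rewrites the whole file so no earlier generation remains; a plain "Save" after drawing a black box does not, and this scan is the quickest way to tell the two apart.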
Steganography
Intentional Data Hiding
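Both of the "field slack" carriers listed earlier (palette entries the image never uses, and sample bits below the perceptual threshold) are easy to show on constructed data. The following is an added example (not the talk's tooling) that measures the free bytes in an unused palette and embeds and extracts a payload in the least-significant bit of each sample, the classic form of steganography; the cover samples, palette and payload are all made up here.

```python
"""Two kinds of 'field slack' the slide lists, on constructed data: palette
entries an image never indexes (free bytes a viewer never renders), and the
least-significant bit of each sample, the classic carrier for steganography.
Added example; the cover samples, palette and payload are made up here."""


def unused_palette_slack(palette, pixels):
    """Palette entries no pixel refers to can hold 3 bytes each (one RGB
    triple) without changing what is displayed.  Returns (indexes, bytes)."""
    used = set(pixels)
    unused = [i for i in range(len(palette)) if i not in used]
    return unused, 3 * len(unused)


def lsb_embed(samples, payload):
    """Overwrite the low bit of successive samples with a 32-bit length then
    the payload bits.  Each sample changes by at most 1, below what anyone
    looking at the image or listening to the audio would notice."""
    framed = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in framed for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("cover too small: need %d samples, have %d" % (len(bits), len(samples)))
    out = bytearray(samples)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def lsb_extract(samples):
    """Read the length header, then that many bytes, from the sample LSBs."""
    def read(start, count):
        out = bytearray()
        for k in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (samples[start + k * 8 + i] & 1)
            out.append(byte)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)


def max_abs_change(cover, stego):
    """How far any sample moved; 1 means the carrier is visually/audibly intact."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: 4096 8-bit samples with a deterministic pattern,
# a 256-entry greyscale palette, and an image that only uses entries 0..15.
COVER = bytes((i * 37 + 11) % 256 for i in range(4096))
PALETTE = [(i, i, i) for i in range(256)]
PIXELS = bytes(range(16)) * 64

if __name__ == "__main__":
    stego = lsb_embed(COVER, b"meet at pier 9, bring the drive")
    print("recovered:", lsb_extract(stego))
    print("largest sample change:", max_abs_change(COVER, stego))
    print("palette slack bytes:", unused_palette_slack(PALETTE, PIXELS)[1])
```

Capacity is one bit per sample, so a 4096-sample cover carries about 508 bytes after the 4-byte header; detection of LSB embedding is statistical (the low bit plane stops correlating with the image) and is a separate exercise from the embedding shown here.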
Dark Data Can Be Fragile
– Deleting Files without using the Recycle Bin.
• SHIFT + DEL
– Defragmenting a hard drive.
– Installing Applications.
– Turning off “Track Changes” & “Fast Save” options.
– Using Redaction Tools.
• MS Word - http://redaction.codeplex.com
• PDF - http://www.appligent.com/redax
• PDF - http://www.rapidredact.com
– Using Data Wipers.
• SafeErase - http://www.oo-software.com
• CyberScrub - http://www.cyberscrub.com
Dangers
• You may lose a lawsuit if the other side finds what you missed.
• Corporate Digital Assets may be walking out the door.
• Intellectual Property theft can put a company out of business.
Opportunities
• Protect your company by being Aware of your Digital Assets.
– Illegal content may be hidden accidentally or intentionally.
• Recover lost Digital Assets by knowing where to look.
• Employee misconduct is tracked by the hidden trail of improper acts.
• Catch Intellectual Property theft before it walks out the door.
– Identify in-house criminals by detecting their smuggling methods.
What Does FI Do?
• Create Technologies to Capture Dark Data
– File Investigator
– File Expander
– File Harvester
• Equip Law Enforcement with Tools
– FI TOOLS
– FI Object Explorer
– FI Data Profiler Portable
FI Technologies
• File Investigator
– Discovers Files Masquerading as Other Types
– Identifies 3,953+ File Types
– High Accuracy & Speed
• File Expander
– Discovers Hidden Data within files
– Data missed by all forensic tools
• File Harvester (Under Development)
– Recovers deleted/lost files the rest of the industry can’t
– Will eventually rebuild partial files
Thank you
• Contact
Rob Zirnstein
Rob.Zirnstein@ForensicInnovations.com
www.ForensicInnovations.com
(317) 430-6891