分析在ntfs文件系统下的数据隐藏(二)
2008-09-24 16:33
267 查看
ADDITIONAL CLUSTERS ALLOCATED TO A FILE
This hiding technique hides data in the additional clusters allocated to a file. For example, there is a file with file size 10752 bytes, which would be allocated 3 clusters in a NTFS with cluster size of 8 sectors. Suspects can allocate extra clusters to this file and hide data in the additional clusters allocated.
With this technique, the size of hidden data is unlimited as suspects are free to allocate as many additional clusters as they wish. At the point of view of suspects, one disadvantage of this hiding technique is that whenever the file increases in size, the hidden data would be replaced and lost. As a result, stable files are preferable targets of this technique.
Procedure to create test data
1) Run list information of the file is modified to allocate more clusters to the file
2) Last VCN of the file is modified to appropriate value
3) Allocated size of the file is modified to appropriate value
4) Allocation status of the additional clusters is set to 1
Analysis techniques
Figure 5 shows the flow to analyse hidden data in additional clusters allocated to a file.
Figure 5: Flow to analyse hidden data in additional clusters allocated to a file
Run chkdsk to check the file system. During the testing, it is discovered that if a suspect forgets to complete any of the first 3 steps in the procedure, error will occur as shown in figure 6 and if he forgets to perform step 4 after first 3 steps, error message will be displayed as figure 7. This would be an indication of file system manipulation.
Figure 6: Error message displayed when running chkdsk command
Figure 7: Error message displayed when running chkdsk command
Perform a recursive directory listing of the file system to identify all files
./fls -rFf ntfs /case1/image1
Analysis begins by retrieving the first file and comparing the allocated size and real size of the file. The fastest way to obtain these values is from the header of $DATA attribute of the file. However, only the real size is shown with istat command of Sleuth Kit but not the allocated size. As a result, you can either processing the MFT file record manually to get the value (which is time consuming), use other tools (DiskExplorer) or calculate the allocated size by multiplying cluster size and total clusters allocated to the file.
Number of allocated clusters and real size of the file can be retrieved with istat command:
./istat /case1/image1 29
Get the cluster size of the file system with fsstat
./fsstat -f ntfs /case1/image1
Calculate the additional space of the file
Allocated size = number of clusters * cluster size
Additional space = allocated size - real size
If additional space is larger than cluster size, additional/unnecessary clusters have been allocated to that file. This is uncommon and might contain hidden data. The additional clusters should be extracted and analyse with hex editor, foremost and comeforth similar to the analysis of faked bad clusters. Keyword search can also be performed. The analysis is then continues with other files until all files have been analysed. This process is time consuming if performed manually. However, there is no specific tool that automates this process at the moment.
FILE SLACK
File slack is the unused space between the end of file and the end of cluster. File slack appears because cluster is the smallest unit of disk space allocation in NTFS and whole cluster is used even the file does not fill the whole cluster (Mallery, 2001). This empty space can be used to hide data (Chuvakin, 2002)
There are 2 types of file slack, which are RAM slack and drive slack. RAM slack spans from end of a file to the end of sector while drive slack spans from the start of next sector to the end of cluster (NTI, 2004). For example, a 600 bytes file is stored in a NTFS with 2048-bytes cluster and 512-bytes sector as shown in figure 8. RAM slack is from the end of file to the end of sector 2 and drive slack is composed of sector 3 and 4.
Figure 8: Slack space of a 600 bytes file in 4096 bytes cluster (Carrer, 2005)
Analysis of hidden data in slack space is depending on operating system as it is the operating system that decides how to handle file slack and not the file system. For example, Microsoft Windows pads RAM slack with 0 and ignores drive slack when storing a file (Carrier, 2005). So any non 0 bit in RAM slack of a file is suspicious and worth further analysis.
The size of data that can be hid in slack space of single file is based on the file size and cluster size (Paladion Network, 2004). The smaller the file size and the larger the cluster size, the more data can be hid. The size of hidden data in file slack is actually huge as suspects can hide data in slack space of multiple files in stead of just a single file. Hidden data in file slack have the danger of being erased/ replaced when the file size increases. As a result, stable files are preferable for this hiding technique.
Procedure to create test data
Test data is created by hiding data in RAM slack, drive slack and both.
1) Locate the suitable file/files with sufficient slack to hide data
2) Paste the data to slack space of the files
Analysis techniques
Figure 9 shows the flow to analyse hidden data in file slack. Analysis begins by checking the RAM slack of all files. If there is non 0 bit in the RAM slack, both RAM slack and drive slack of files are extracted for further analysis. Else, only drive slack is extracted.
Figure 9: Flow to analyse hidden data in file slack
This example extracts the slack space of file with MFT number 28. To get the file size
./istat -f ntfs /case1/image1 28
Now calculate the RAM slack and drive slack. Int is function to get the integer value of a number. For example, both int(4.9) and int(4.1) return 4 as result.
file slack = allocated size - real size
drive slack = int(file slack / 512) * 512
RAM slack = file slack - drive slack
To extract the entire file with MFT number 28 including its file slack
./icat -sf ntfs /case1/image1 28 > /case1/file28
Let's assume the file size is 119875 and RAM slack is 445 bytes. To extract RAM slack
dd if=/case1/file28 of=/case1/file28RAMslack bs=1 skip=119875 count=445
To extract drive slack
dd if=/case1/file28 of=/case1/file28driveslack bs=512 skip=235 count=1
This process should be repeated to extract slack space of all files for analysis. Similar to the analysis of faked bad clusters, the extracted data is then analysed by using hex editor, foremost and comeforth. Keyword search can also be performed if you know the content of the hidden files. However, if a word is separated in 2 clusters and are not extracted correctly, the keyword search would fail. For example, a suspect hide data only in the first sector in the drive slack but extraction is done on the entire file slack, a word might be separated as shown in figure 10 and keyword search fails.
Figure 10: separation of a word in different sector
The most challenging step in detecting and recovering hidden data in file slack is to guess how data is hid. For example, suspects can hide data only in the first sector of the drive slack. A Suspect can also hide data only in the drive slack of the first file in each of the 5 directories created by him. Detection and recovery is hard, if not impossible without knowing this. It is recommended to search for data hiding tools in the system (Kruse & Heiser, 2001). The algorithm used to hid data is then analysed to decide on appropriate ways to extract file slack.
ADS (ALTERNATE DATA STREAM)
Whenever a MFT file record has more than 1 $DATA attribute, additional $DATA attribute is called ADS (Alternate Data Stream). ADS can be used to hide data in NTFS file system as ADS does not show up in directory listing and the file size of original file does not change (Cook, 2005). There are also legitimate uses of ADS. For example, ADS is used to store summary data and volume change tracking (Means, 2003)
The size of data that can be hidden in ADS is unlimited. One major difference between this data hiding technique and others is that ADS is relatively easy to create (Zadjmool, 2004). Other data hiding techniques discussed in this paper requires specific program or low level file system manipulation tools such as hex editor. ADS can be created easily with DOS command as shown in example below.
To hide slacker.exe in an ADS called hahaha of abcd.txt
type slacker.exe > h:\abcd.txt:hahaha
Procedure to create test data
ADS are created by issuing DOS command as shown above
Analysis techniques
Figure 11 shows the flow to analyse hidden data with ADS. Due to the popularity of using ADS to hide data, there are many well developed tools can be used to scan a drive for ADS such as lads and streams.
lads /sv h:
streams -s h:
Figure 11: flow to analyse hidden data with ADS
Since there are legitimate uses of ADS, it cannot be assumed that every single ADS encountered is used to hide data. Each of these ADS should be examined to verify whether it is used for legitimate purpose or used to hide data. On the other hand, a suspect may also use the common ADS name used by legitimate program to avoid detection.
To get the MFT address and attribute identifier of ADS called "h:\abcd.txt:hahaha" shown in the result of lads or streams:
./fls -rf ntfs /case1/image1 | grep abcd.txt:hahaha
From the result, you get the MFT address, attribute type and attribute identifier. Let's say 59-128-4 is returned. Inspect the content of ADS as following:
./icat -f ntfs /case1/image1 59-128-4 > /case1/ADS1
file /case1/ADS1
hexedit /case1/ADS1
$DATA ATTRIBUTE IN DIRECTORY
$DATA attribute is usually used to store the content of a file or other specific information such as allocation status. It is a common attribute on normal file and some metadata file but not directory. Although $DATA attribute is unnecessary for a directory, validation checking with chkdsk does not return error when a directory contains a $DATA attribute. As a result, $DATA attribute in directory can be used to hide data (Carrier, 2005). In addition, alternate data streams can also be created on directories in stead of files to hide data. The size of data that can be hid with this technique is unlimited.
Procedure to create test data
1) A directory is created
2) $DATA attribute is inserted in the directory. The $DATA attribute is inserted before $INDEX_ROOT, $INDEX_ALLOCATION and $BITMAP because the type identifier of $DATA is smaller than these attributes.
3) Allocated size of MFT entry is modified to appropriate size
4) Attribute identifier of other attributes might need to be changed to avoid the new created $DATA attribute has the same identifier with other existing attributes.
5) Allocation status of clusters for this $DATA attribute is set to 1.
6) The file content is pasted to the clusters.
This hiding technique hides data in the additional clusters allocated to a file. For example, there is a file with file size 10752 bytes, which would be allocated 3 clusters in a NTFS with cluster size of 8 sectors. Suspects can allocate extra clusters to this file and hide data in the additional clusters allocated.
With this technique, the size of hidden data is unlimited as suspects are free to allocate as many additional clusters as they wish. At the point of view of suspects, one disadvantage of this hiding technique is that whenever the file increases in size, the hidden data would be replaced and lost. As a result, stable files are preferable targets of this technique.
Procedure to create test data
1) Run list information of the file is modified to allocate more clusters to the file
2) Last VCN of the file is modified to appropriate value
3) Allocated size of the file is modified to appropriate value
4) Allocation status of the additional clusters is set to 1
Figure 5 shows the flow to analyse hidden data in additional clusters allocated to a file.
Figure 5: Flow to analyse hidden data in additional clusters allocated to a file
Run chkdsk to check the file system. During the testing, it is discovered that if a suspect forgets to complete any of the first 3 steps in the procedure, error will occur as shown in figure 6 and if he forgets to perform step 4 after first 3 steps, error message will be displayed as figure 7. This would be an indication of file system manipulation.
Figure 6: Error message displayed when running chkdsk command
Figure 7: Error message displayed when running chkdsk command
Perform a recursive directory listing of the file system to identify all files
./fls -rFf ntfs /case1/image1
Analysis begins by retrieving the first file and comparing the allocated size and real size of the file. The fastest way to obtain these values is from the header of $DATA attribute of the file. However, only the real size is shown with istat command of Sleuth Kit but not the allocated size. As a result, you can either processing the MFT file record manually to get the value (which is time consuming), use other tools (DiskExplorer) or calculate the allocated size by multiplying cluster size and total clusters allocated to the file.
Number of allocated clusters and real size of the file can be retrieved with istat command:
./istat /case1/image1 29
Get the cluster size of the file system with fsstat
./fsstat -f ntfs /case1/image1
Calculate the additional space of the file
Allocated size = number of clusters * cluster size
Additional space = allocated size - real size
If additional space is larger than cluster size, additional/unnecessary clusters have been allocated to that file. This is uncommon and might contain hidden data. The additional clusters should be extracted and analyse with hex editor, foremost and comeforth similar to the analysis of faked bad clusters. Keyword search can also be performed. The analysis is then continues with other files until all files have been analysed. This process is time consuming if performed manually. However, there is no specific tool that automates this process at the moment.
FILE SLACK
File slack is the unused space between the end of file and the end of cluster. File slack appears because cluster is the smallest unit of disk space allocation in NTFS and whole cluster is used even the file does not fill the whole cluster (Mallery, 2001). This empty space can be used to hide data (Chuvakin, 2002)
There are 2 types of file slack, which are RAM slack and drive slack. RAM slack spans from end of a file to the end of sector while drive slack spans from the start of next sector to the end of cluster (NTI, 2004). For example, a 600 bytes file is stored in a NTFS with 2048-bytes cluster and 512-bytes sector as shown in figure 8. RAM slack is from the end of file to the end of sector 2 and drive slack is composed of sector 3 and 4.
Figure 8: Slack space of a 600 bytes file in 4096 bytes cluster (Carrer, 2005)
Analysis of hidden data in slack space is depending on operating system as it is the operating system that decides how to handle file slack and not the file system. For example, Microsoft Windows pads RAM slack with 0 and ignores drive slack when storing a file (Carrier, 2005). So any non 0 bit in RAM slack of a file is suspicious and worth further analysis.
The size of data that can be hid in slack space of single file is based on the file size and cluster size (Paladion Network, 2004). The smaller the file size and the larger the cluster size, the more data can be hid. The size of hidden data in file slack is actually huge as suspects can hide data in slack space of multiple files in stead of just a single file. Hidden data in file slack have the danger of being erased/ replaced when the file size increases. As a result, stable files are preferable for this hiding technique.
Procedure to create test data
Test data is created by hiding data in RAM slack, drive slack and both.
1) Locate the suitable file/files with sufficient slack to hide data
2) Paste the data to slack space of the files
Analysis techniques
Figure 9 shows the flow to analyse hidden data in file slack. Analysis begins by checking the RAM slack of all files. If there is non 0 bit in the RAM slack, both RAM slack and drive slack of files are extracted for further analysis. Else, only drive slack is extracted.
Figure 9: Flow to analyse hidden data in file slack
This example extracts the slack space of file with MFT number 28. To get the file size
./istat -f ntfs /case1/image1 28
Now calculate the RAM slack and drive slack. Int is function to get the integer value of a number. For example, both int(4.9) and int(4.1) return 4 as result.
file slack = allocated size - real size
drive slack = int(file slack / 512) * 512
RAM slack = file slack - drive slack
To extract the entire file with MFT number 28 including its file slack
./icat -sf ntfs /case1/image1 28 > /case1/file28
dd if=/case1/file28 of=/case1/file28RAMslack bs=1 skip=119875 count=445
To extract drive slack
dd if=/case1/file28 of=/case1/file28driveslack bs=512 skip=235 count=1
This process should be repeated to extract slack space of all files for analysis. Similar to the analysis of faked bad clusters, the extracted data is then analysed by using hex editor, foremost and comeforth. Keyword search can also be performed if you know the content of the hidden files. However, if a word is separated in 2 clusters and are not extracted correctly, the keyword search would fail. For example, a suspect hide data only in the first sector in the drive slack but extraction is done on the entire file slack, a word might be separated as shown in figure 10 and keyword search fails.
Figure 10: separation of a word in different sector
The most challenging step in detecting and recovering hidden data in file slack is to guess how data is hid. For example, suspects can hide data only in the first sector of the drive slack. A Suspect can also hide data only in the drive slack of the first file in each of the 5 directories created by him. Detection and recovery is hard, if not impossible without knowing this. It is recommended to search for data hiding tools in the system (Kruse & Heiser, 2001). The algorithm used to hid data is then analysed to decide on appropriate ways to extract file slack.
ADS (ALTERNATE DATA STREAM)
Whenever a MFT file record has more than 1 $DATA attribute, additional $DATA attribute is called ADS (Alternate Data Stream). ADS can be used to hide data in NTFS file system as ADS does not show up in directory listing and the file size of original file does not change (Cook, 2005). There are also legitimate uses of ADS. For example, ADS is used to store summary data and volume change tracking (Means, 2003)
The size of data that can be hidden in ADS is unlimited. One major difference between this data hiding technique and others is that ADS is relatively easy to create (Zadjmool, 2004). Other data hiding techniques discussed in this paper requires specific program or low level file system manipulation tools such as hex editor. ADS can be created easily with DOS command as shown in example below.
To hide slacker.exe in an ADS called hahaha of abcd.txt
type slacker.exe > h:\abcd.txt:hahaha
Procedure to create test data
ADS are created by issuing DOS command as shown above
Analysis techniques
Figure 11 shows the flow to analyse hidden data with ADS. Due to the popularity of using ADS to hide data, there are many well developed tools can be used to scan a drive for ADS such as lads and streams.
lads /sv h:
streams -s h:
Figure 11: flow to analyse hidden data with ADS
Since there are legitimate uses of ADS, it cannot be assumed that every single ADS encountered is used to hide data. Each of these ADS should be examined to verify whether it is used for legitimate purpose or used to hide data. On the other hand, a suspect may also use the common ADS name used by legitimate program to avoid detection.
To get the MFT address and attribute identifier of ADS called "h:\abcd.txt:hahaha" shown in the result of lads or streams:
./fls -rf ntfs /case1/image1 | grep abcd.txt:hahaha
From the result, you get the MFT address, attribute type and attribute identifier. Let's say 59-128-4 is returned. Inspect the content of ADS as following:
./icat -f ntfs /case1/image1 59-128-4 > /case1/ADS1
file /case1/ADS1
hexedit /case1/ADS1
$DATA ATTRIBUTE IN DIRECTORY
$DATA attribute is usually used to store the content of a file or other specific information such as allocation status. It is a common attribute on normal file and some metadata file but not directory. Although $DATA attribute is unnecessary for a directory, validation checking with chkdsk does not return error when a directory contains a $DATA attribute. As a result, $DATA attribute in directory can be used to hide data (Carrier, 2005). In addition, alternate data streams can also be created on directories in stead of files to hide data. The size of data that can be hid with this technique is unlimited.
Procedure to create test data
1) A directory is created
2) $DATA attribute is inserted in the directory. The $DATA attribute is inserted before $INDEX_ROOT, $INDEX_ALLOCATION and $BITMAP because the type identifier of $DATA is smaller than these attributes.
3) Allocated size of MFT entry is modified to appropriate size
4) Attribute identifier of other attributes might need to be changed to avoid the new created $DATA attribute has the same identifier with other existing attributes.
5) Allocation status of clusters for this $DATA attribute is set to 1.
6) The file content is pasted to the clusters.
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- 分析在ntfs文件系统下的数据隐藏(一)
- 分析在ntfs文件系统下的数据隐藏(三)
- 淘宝运营:淘宝指数中隐藏的店铺运营秘籍--数据分析实战应用
- 数据分析繁华的背后,都隐藏着怎样的哀伤
- 数据分析繁华的背后,都隐藏着怎样的哀伤
- 基础知识之数据分析与动态采样
- 数据分析≠Hadoop+NoSQL,不妨先看完善现有技术的10条捷径
- 统计分析与数据挖掘所涉及的应用领域探讨
- android中使用底部菜单栏造成Viewpager+fragment中ListView数据被隐藏一条的解决
- 大数据实战:用户流量分析系统
- Fiddler怎么对IPhone手机的数据进行抓包分析
- 使用mex C生成MATLAB的股票数据分析接口
- 从0开始,教你如何做数据分析
- Ethereal使用入门(数据流分析工具)
- 国内开展PHS数据与增值业务特点分析
- 数据结构基础 算法复杂度分析(一) 概念篇
- GreenDao源码分析及使用GreenDao实现静态数据缓存
- 如何正确的使用百度统计分析数据
- Python seaborn matplotlib 对数据进行图表分析
- 学会DataHub服务让您可以轻松构建基于流式数据的分析和应用