Forensic

This document is a student research project on countering hostile forensic evidence. It was conducted at Damodaram Sanjivayya National Law University under the supervision of Dr. Katari Srinivasa Rao. The project discusses techniques used by hackers to hide evidence such as changing file timestamps, using compression bombs, and concealing data in non-standard locations. It then proposes strategies for forensic analysts to still find and recover evidence even when hostile techniques have been employed.

DAMODARAM SANJIVAYYA NATIONAL LAW UNIVERSITY

SABBAVARAM, VISAKHAPATNAM,

A.P., INDIA

PROJECT TITLE:

FORENSIC EVIDENCE TO COUNTER HOSTILE VICTIM

SUBJECT:

FORENSIC SCIENCE AND LAW

NAME OF THE FACULTY:

Dr. KATARI SRINIVASA RAO

NAME OF THE CANDIDATE:

PALURU NIKHIL VYAS

ROLL NUMBER:

2018LLB061

Program:

B.A., LL.B. Hons.

1|Page
ACKNOWLEDGMENT:

I am highly indebted to my Hon'ble Forensic Science and Law Professor, Dr. Katari Srinivasa
Rao, for giving me a wonderful opportunity to work on the topic "Forensic Evidence to Counter
Hostile Victim"; it is because of his excellent knowledge, experience and guidance that this
project is made with great interest and effort. I would also like to thank my seniors who have
guided my novice knowledge of doing research on such a significant topic. I would also take this
as an opportunity to thank my parents for their support at all times. I express my sincere gratitude
to each and every person who has guided and advised me while conducting my research
work.

TABLE OF CONTENTS:

Introduction ............................................................ 3
Subversion and Denial of Service ........................................ 4
    Timestamps .......................................................... 5
    Compression Bombs ................................................... 5
    Sparse Files ........................................................ 6
    Magic Numbers ....................................................... 7
Data Concealment within File Systems .................................... 7
    a. Alternate Data Streams ........................................... 7
    b. Slack Space ...................................................... 8
    c. Reserved Locations ............................................... 9
Data Concealment outside File Systems .................................. 10
    a. Random Access Memory ............................................ 10
    b. Hard Drives ..................................................... 10
    c. BIOS Chips ...................................................... 11
Conclusions ............................................................ 12
References ............................................................. 12

Introduction
The emerging discipline of digital forensics brings advanced scientific and engineering
techniques to bear on the tasks of detecting, recovering and analyzing electronic evidence [12,
14]. However, certain elements of the hacker community are engaged in developing "anti-
forensic" or "hostile forensic" techniques and tools to subvert digital forensic investigations [8,
13, 15]. Efforts have been undertaken to exploit flaws in digital forensic techniques and tools.
The holy grail of these efforts is to find an exploit, e.g., a buffer overflow, that would result in
the execution of malicious code in forensic tools used by law enforcement agencies. Such an
exploit could make the tools unable to display certain data, make them delete evidence, or simply
prevent them from operating. Fortunately, such an exploit has not yet been created, but hostile
forensic techniques and tools abound [8, 13, 15].

Some hostile forensic techniques hinder investigations by hiding evidence, destroying
evidence or by ensuring that little or no evidence is created. Others exploit vulnerabilities in
forensic procedures and tools to prevent evidence from being discovered. More insidious are hostile
techniques that perpetrate denial of service attacks on forensic tools to prevent them from imaging
media or analyzing evidence.

Nothing can be done when no digital evidence is created. When digital evidence is destroyed,
not much can be done to recover it without the use of specialized equipment. However, if
evidence does exist on a computer system or network, it can be found and analyzed, even when
hostile forensic techniques have been employed.

This paper discusses the state of the art in hostile forensics and presents strategies for
countering hostile forensic techniques and tools. The next section focuses on techniques for
subverting investigations and perpetrating denial of service attacks on forensic tools. Following
this, techniques for concealing evidence within file systems are discussed. Finally, strategies for
hiding data in devices that are not normally seized and in devices that are not easily imaged are
evaluated.

Subversion and Denial of Service
Investigations cannot proceed if the forensic tools themselves are incapable of detecting,
recovering or analyzing evidence from computer systems. One hostile forensic strategy is to
exploit a vulnerability in a forensic technique or procedure to prevent the discovery of evidence.
Another is to launch a denial of service attack on a forensic tool during imaging or analysis to
simply prevent it from operating properly.

Many file systems permit the creation of arbitrarily deep directory structures. However,
EnCase v4.15 is not designed to traverse a directory tree more than 253 directories deep. When
an investigator attempts to use EnCase v4.15 to examine such a directory tree, the tool exhibits a
fatal error (Figure 1).

Piper, Davis & Shenoi

This section discusses techniques for defeating forensic procedures and tools. These
techniques, involving the manipulation of timestamps, insertion of compression bombs, and use
of sparse files and magic numbers, are described along with strategies for countering them.

Timestamps
A computer incident, e.g., a network intrusion, occurs within some period of time. Forensic
investigators focus the majority of their efforts on discovering what happened during that time
frame. The analysis typically involves reviewing the modification, access and creation (MAC)
times of files to determine what data may have been accessed during the intrusion. Many
forensic tools provide functionality for filtering files that meet the temporal criteria pertaining to
an incident. Malicious individuals have attempted to subvert investigations by changing the
timestamps associated with incriminating files.

The Linux touch command can be used to change file timestamps to the current time, and to
reset MAC times to arbitrary values. Several utilities (e.g., fileTweak) are available for changing
timestamps on Linux, FAT and NTFS file systems. The Metasploit Project [13], which
produced a framework for developing exploit code, created the Timestomp utility that targets NTFS
files. In addition to MAC times, NTFS files have an "entry modified" time. Timestomp is the
first tool that permits the modification of all four timestamps associated with NTFS files [13].
File timestamps cannot be trusted.

This fact should be taken into account when filtering files during the examination of evidence
recovered from a computer system or network. Other evidence, such as access logs, should be
considered when searching for files that are relevant to an incident.

Compression Bombs
A compression bomb is a file that expands massively when it is uncompressed, causing the
system to crash [2]. For example, the 42.zip compression bomb is a mere 42KB. When
uncompressed completely, it expands to an astounding 4.5PB (petabytes).

The technique for creating a compression bomb is relatively simple. First, a large file
containing zeroes is compressed (Figure 2). Multiple copies of this compressed file are combined
into a new file, which is compressed. Copies of the new compressed file are then made, and the
copies are compressed again into a single file. This procedure is repeated to produce a small but
extremely potent compression bomb.

Compression bombs were originally used to disable anti-virus filters. Typically, an attacker
would email a compression bomb to a targeted computer system. The anti-virus software on the
email server would attempt to scan the compression bomb for viruses by uncompressing it. In the
process, the anti-virus software would exhaust its memory resources and crash, exposing an open
portal for the attacker to send the real virus. Similarly, an individual wishing to disrupt an
investigation might store several compression bombs on a hard drive or other computer media,
causing digital forensic tools to crash.

The commonly used digital forensic tools react differently to compression bombs. The
Forensic Toolkit (FTK) (v1.42 build 03.12.05) freezes and becomes unusable when it attempts to
acquire the image of a drive containing a compression bomb. EnCase (v4.15) is able to acquire
an image, but it freezes when it burrows too deep into the compression tree. ILook (v7.0.35), on
the other hand, is unable to traverse more than one compression level; therefore, a file that is
compressed two or more times is inaccessible to ILook.

Once a compression bomb has been identified, it can be ignored for the purpose of gathering
evidence. High compression ratios are achieved by compressing files composed entirely of
zeroes. Consequently, it is unlikely that useful data is stored within a compression bomb.
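A defensive triage routine for the behaviour described above, added here as an example and not part of the original paper or of any tool it names: it reads only the zip central directory to obtain the declared expansion ratio, and when it does descend into nested archives it works under a fixed depth and inflation budget, so the analyst's own tool cannot be exhausted the way FTK and EnCase were. The thresholds and the constructed test archives are assumptions made for this illustration.

```python
import io
import zipfile

# Thresholds are assumptions chosen for this illustration, not values from the paper.
MAX_RATIO = 100.0            # declared uncompressed/compressed size per archive
MAX_DEPTH = 3                # nesting levels we are willing to open
INFLATE_BUDGET = 4 * 2**20   # total bytes we allow ourselves to inflate, ever


def declared_ratio(zf):
    """Expansion ratio from central-directory metadata alone (no decompression)."""
    infos = zf.infolist()
    comp = sum(i.compress_size for i in infos) or 1
    return sum(i.file_size for i in infos) / comp


def triage(data, depth=0, budget=None):
    """Return {'bomb', 'reason', 'max_ratio', 'max_depth'} for an in-memory zip."""
    if budget is None:
        budget = [INFLATE_BUDGET]           # a list so nested calls share one budget
    zf = zipfile.ZipFile(io.BytesIO(data))
    ratio = declared_ratio(zf)
    verdict = {"bomb": False, "reason": "", "max_ratio": ratio, "max_depth": depth}
    if ratio > MAX_RATIO:
        verdict.update(bomb=True, reason=f"declared ratio {ratio:.0f}:1 at depth {depth}")
        return verdict
    for info in zf.infolist():
        if info.is_dir() or not info.filename.lower().endswith(".zip"):
            continue
        if depth + 1 > MAX_DEPTH:
            verdict.update(bomb=True, reason=f"nesting deeper than {MAX_DEPTH} levels")
            return verdict
        # The central directory can lie about file_size, so when we really
        # inflate a member we read against a hard cap, never the declared size.
        with zf.open(info) as fh:
            inner = fh.read(budget[0] + 1)
        if len(inner) > budget[0]:
            verdict.update(bomb=True, reason="inflation budget exhausted")
            return verdict
        budget[0] -= len(inner)
        try:
            sub = triage(inner, depth + 1, budget)
        except zipfile.BadZipFile:
            continue                        # named .zip but not an archive
        verdict["max_ratio"] = max(verdict["max_ratio"], sub["max_ratio"])
        verdict["max_depth"] = max(verdict["max_depth"], sub["max_depth"])
        if sub["bomb"]:
            verdict.update(bomb=True, reason=sub["reason"])
            return verdict
    return verdict


def build_nested_bomb(levels, zeros=2**20, copies=4):
    """Constructed input following the recipe in the text at toy scale: a file
    of zeroes is compressed, copies are bundled and compressed again, repeated."""
    blob = b"\0" * zeros
    for lvl in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(1 if lvl == 0 else copies):
                zf.writestr("zeros.bin" if lvl == 0 else f"part{i}.zip", blob)
        blob = buf.getvalue()
    return blob


def build_benign():
    """Constructed ordinary archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"case notes: nothing unusual here\n" * 20)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("benign", build_benign()), ("bomb", build_nested_bomb(2))):
        print(name, len(blob), "bytes ->", triage(blob))
```

Once an archive is flagged, the text's advice applies: it is unlikely to contain useful data and can be set aside rather than expanded.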

Sparse Files
Sparse files are an obscure feature of Ext2/Ext3 and other file systems (e.g., NTFS) [5]. These
files allow data to be written to any location within the file. A sparse file has few data items, and
the locations that do not hold data are assigned zero values. It is inefficient to have many blocks
on a disk that contain identical data values, especially when the values are all zeroes.
Consequently, sparse files map all blocks with zero values to a single block on the disk.

Magic Numbers
Every file system has a signature, called a "magic number," that allows the operating system
to determine its format [5]. The Ext2/Ext3 file system has a 2-byte magic number of 53 EF; FAT
has a magic number of 55 AA. File systems continue to function normally even when the magic
number is corrupted. However, most software, including digital forensic tools, cannot determine
the correct file system, which prevents them from functioning properly. For example, a forensic
tool would not be able to parse the data structures in an imaged file, although it would still
permit hex dumps of the image.

The magic number on an Ext2 formatted floppy disk can be overwritten by issuing the Linux
command:

If the magic number (or the beginning) of a partition is overwritten, it is first necessary to
determine the file system. Next, the magic number in the image must be corrected to permit
analysis using forensic tools.

A related denial of service attack involves overwriting a partition table so that forensic tools
cannot determine where partitions begin and end. The tools assume that the entire drive is one
giant partition and do not parse the real partitions correctly. The Linux utility gpart [3] can be
used to reconstruct the partition table in such a situation.

Data Concealment within File Systems


This section describes how secret information may be hidden within file systems to evade
detection by traditional digital forensic tools. Three data hiding techniques, involving alternate
data streams, file slack space and reserved locations of file systems, are discussed along with
strategies for detecting and recovering hidden data.

a. Alternate Data Streams
Microsoft Windows is commonly installed on a hard disk using the NTFS file system. NTFS
provides more functionality than FAT, which was used in earlier versions of Windows. Alternate
data streams, one of the new features of NTFS, can be used to conceal data [12].

The DOS command prompt can also be used to create alternate data streams. Alternate data
streams are created in the same way as normal files, but the file is referenced using the file name
and the alternate data stream name separated by a colon.

Figure 5 shows the procedure for creating a file whose contents are hello world. An alternate data
stream called secret is associated with the file; this alternate data stream contains the text this data is
hidden. Figure 5 also shows that when the file contents are displayed, only the data associated
with the default stream (hello world) appears. The alternate data stream is displayed using the
command more < file.txt:secret. This demonstrates that the contents of the alternate data
stream are distinct from the default stream.

Alternate data streams are useful for concealing data because the Windows operating system
lacks the functionality to access them. Indeed, Windows ignores alternate data streams when
reporting file sizes and free space on a disk. For example, the file file.txt, which contains both
hello world and this data is hidden, is listed as being only 14 bytes. Alternate data streams are
not listed when viewing directory listings or browsing folders using Windows Explorer. In fact,
the only way to discover an alternate data stream is to use third-party software, e.g., Streams
[19].

Even more astonishing is the fact that, in Windows, the only way to delete an alternate data
stream is to delete the entire file. Since alternate data streams can be associated with files as well
as directories (including the root directory), the removal of an alternate data stream is somewhat
problematic. The Streams utility [19] can be used to selectively delete alternate data streams.

Until a few years ago, data concealed using alternate data streams could be discovered only by
string searches and hex dump analyses. Most forensic tools are now able to detect the presence
of alternate data streams.

b. Slack Space
Most file systems divide their partitions into blocks of equal size. Instead of allocating just
enough bytes to store a particular file, complete blocks are reserved for the file. For example, on
a file system with 512-byte blocks, a 14-byte file takes up 512 bytes of storage, and a 526-byte
file uses 1024 bytes.

Thus, files can grow within their allocated blocks; when they outgrow them, additional blocks
can be allocated from elsewhere on the disk. Slack space is the unused space within a block [5,
12]. File slack space is not overwritten unless the size of the file increases. If the file shrinks, old
data residing in the slack space could be retained indefinitely.

Data may be hidden in slack space (Figure 6), for example, by using the bmap tool that was
originally created to read slack space. Many files, especially those associated with the operating
system and applications, are updated rarely, if ever. The slack space of these files is a good place
to hide data. Most forensic tools can be used to examine slack space, but investigators must
know which files are most appropriate for hiding data and search their slack space for concealed
evidence.

c. Reserved Locations
File systems have reserved locations that are used to support upgrades and new features. Since
the reserved locations are unused until a file system is updated, data written to these locations
neither overwrites useful data nor affects system operation.

The reserved locations of the Ext2/Ext3 file systems can be identified by reviewing Linux
kernel source code in ./include/linux/ext2_fs.h. Figure 7 shows the source code for one of the
structures in the Ext2 file system. A total of 14 bytes of data can be hidden within this structure,
2 bytes in bg_pad and 12 bytes in the bg_reserved variable.

The Data Mule FS tool [8] was designed to hide data in Ext2/Ext3 file systems. This tool breaks
up a large file into small fragments, which are stored in reserved locations throughout a file
system. To counter this tool, we developed the rfinder utility [17] that detects and extracts
hidden data in Ext2/Ext3 file systems in a forensically sound manner.
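The two Ext2 checks described in the Magic Numbers and Reserved Locations sections, as one added example (not code from the paper, nor from rfinder or Data Mule FS): it decides whether an image is Ext2 from superblock fields other than the magic, writes 53 EF back when the magic has been overwritten, and then scans every group descriptor's bg_pad and bg_reserved fields for the 14 bytes per group that could hold hidden data. The struct offsets are those of the kernel's ext2 headers; the test image is constructed, with only its superblock and group descriptor table populated.

```python
import struct

SB_OFFSET = 1024        # the superblock always begins at byte 1024
EXT2_MAGIC = 0xEF53     # little-endian on disk: the bytes 53 EF
GD_SIZE = 32            # sizeof(struct ext2_group_desc)


def read_superblock(img):
    """Decode the few superblock fields these checks need (all little-endian)."""
    sb = img[SB_OFFSET:SB_OFFSET + 1024]
    return {
        "blocks_count": struct.unpack_from("<I", sb, 4)[0],
        "first_data_block": struct.unpack_from("<I", sb, 20)[0],
        "log_block_size": struct.unpack_from("<I", sb, 24)[0],
        "blocks_per_group": struct.unpack_from("<I", sb, 32)[0],
        "magic": struct.unpack_from("<H", sb, 56)[0],
    }


def looks_like_ext2(sb):
    """Plausibility test that ignores the magic number: a sane block-size
    exponent, non-empty groups, and s_first_data_block consistent with the
    block size (1 for 1K blocks, 0 for anything larger)."""
    if sb["log_block_size"] > 6 or sb["blocks_per_group"] == 0:
        return False
    if sb["blocks_count"] == 0:
        return False
    return sb["first_data_block"] == (1 if sb["log_block_size"] == 0 else 0)


def repair_magic(img):
    """Restore 53 EF when the image is recognisably Ext2 but the magic is
    corrupt. Returns True if it wrote. Run this on a working copy of the image."""
    sb = read_superblock(img)
    if sb["magic"] == EXT2_MAGIC or not looks_like_ext2(sb):
        return False
    struct.pack_into("<H", img, SB_OFFSET + 56, EXT2_MAGIC)
    return True


def scan_reserved_fields(img):
    """List (group, field, bytes) for every group descriptor whose bg_pad
    (2 bytes at +18) or bg_reserved (12 bytes at +20) is not all zero."""
    sb = read_superblock(img)
    block_size = 1024 << sb["log_block_size"]
    gdt = (sb["first_data_block"] + 1) * block_size   # table follows the superblock
    groups = -(-sb["blocks_count"] // sb["blocks_per_group"])   # ceiling division
    hits = []
    for g in range(groups):
        base = gdt + g * GD_SIZE
        pad, reserved = bytes(img[base + 18:base + 20]), bytes(img[base + 20:base + 32])
        if any(pad):
            hits.append((g, "bg_pad", pad))
        if any(reserved):
            hits.append((g, "bg_reserved", reserved))
    return hits


def make_test_image(hide=b""):
    """Constructed skeleton of a 1K-block Ext2 image with two block groups;
    only the superblock and group descriptor table are populated."""
    img = bytearray(16 * 1024)
    struct.pack_into("<I", img, SB_OFFSET + 4, 16384)    # s_blocks_count
    struct.pack_into("<I", img, SB_OFFSET + 20, 1)       # s_first_data_block
    struct.pack_into("<I", img, SB_OFFSET + 24, 0)       # s_log_block_size -> 1K
    struct.pack_into("<I", img, SB_OFFSET + 32, 8192)    # s_blocks_per_group
    struct.pack_into("<H", img, SB_OFFSET + 56, EXT2_MAGIC)
    if hide:    # plant up to 12 bytes in group 1's bg_reserved, as Data Mule FS would
        off = 2048 + GD_SIZE + 20
        img[off:off + len(hide)] = hide
    return img
```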

Data Concealment outside File Systems


Standard forensic procedures involve seizing and imaging storage media. Individuals seeking
to conceal evidence may hide data in devices that are not normally seized or in devices that are
not easily imaged. This section describes how data may be concealed within random access
memory, obscure hard drive locations and BIOS chips. Also, techniques for detecting and
recovering hidden data are discussed.

a. Random Access Memory


The question of whether or not a running computer should be turned off upon seizure is a
subject of debate [12, 14]. One side recommends pulling out the power cord. Another side,
concerned that this procedure may damage the drive or stop the machine from completing a write
operation, insists that the machine be shut down properly using the operating system. Yet
another side, recognizing that valuable data might be lost during machine shutdown,
recommends that information pertaining to open ports, running processes, etc. be collected while
the machine is running. Each procedure has its advantages and disadvantages. However, the
third procedure is based on an important observation: some key evidence may not be stored on
disk.

To reduce the amount of evidence potentially recoverable from a hard drive, a malicious
individual might attempt to perform most, if not all, actions in memory. A remote user could use
a root kit that remains persistent in memory, and attach to a currently running process or use
common utilities already on the machine to perform actions. Individuals desiring to minimize
evidence of their actions on a local machine could use Knoppix [11] or other CD-bootable
operating systems that do not require a hard drive or other permanent memory storage. The
Tinfoil Hat Linux operating system is designed to leave no evidence pertaining to user actions: it
encrypts all data written to persistent memory.
b. Hard Drives
A hard drive has more memory than is accessible by imaging the drive. For example, the Host
Protected Area or ATA-Protected Area at the end of a hard drive cannot be read from or written
to using standard operating system calls because the drive reports that it is smaller than its true
capacity [5]. Forensic examiners should be aware that important evidence might be concealed in
these locations. While standard tools (FTK, EnCase and ILook) cannot access this evidence,
special tools, e.g., X-Ways Replica [20], are capable of detecting and recovering the hidden data.

SMART technology [16], another obscure hard drive feature, could be used by a remote hacker
to determine if a victim machine has been the subject of an investigation. This technology, which
is used to monitor the health of hard drives, provides information about how long a drive has
been in operation. Suppose a hacker loses a connection to a victim computer for a period of
time. Upon regaining the connection, the hacker could determine that the length of time that the
drive has been in operation does not match the time elapsed since it was mounted. The hacker
might infer that the drive was imaged, and then attempt to subvert the investigation by wiping
incriminating evidence on other computers.

c. BIOS Chips
Every computer and embedded device has a Basic Input/Output System (BIOS) chip, which
is required to boot the system. A BIOS chip typically has 128K to 512K of flash memory that
holds code and data. However, the chip may contain between 25K and 100K of unused space that
can be used to store data without affecting the operation of the BIOS. This unused space has
been exploited by virus writers and computer game enthusiasts. Malicious individuals can also
use this space to hide incriminating evidence [6, 7].

Uniflash [18], a BIOS flashing utility, can be used to read and write data to a BIOS chip. Data
may be written to BIOS free space and certain regions of BIOS modules (e.g., those containing
error messages) without corrupting the BIOS [6, 7]. Alternatively, the entire BIOS memory may
be overwritten, which, of course, renders the BIOS chip unusable [6, 7]. In this case, however, a
BIOS Savior device [10] is required to boot the computer. This device provides a backup BIOS
chip and a hardware switch that enables the user to select whether the computer will use the
backup chip or the original BIOS chip for the booting process.

Forensic investigators must be aware that data may be hidden on a BIOS chip. They should
check for utilities (e.g., Uniflash) and tools (e.g., BIOS Savior) that enable BIOS chips to be
modified. It may also be necessary to conduct a forensic examination of the BIOS chip itself.
Certain segments of BIOS memory can be viewed using the Windows debug command [6, 7].
The entire BIOS memory can be extracted using special software (e.g., AwardMod [9]) and
analyzed using standard forensic tools (e.g., EnCase,

Conclusions
As digital evidence becomes increasingly important in judicial proceedings, it is logical to
assume that malicious individuals will attempt to subvert investigations by targeting
vulnerabilities in digital forensic procedures and tools. They will also endeavor to conceal
incriminating evidence in obscure regions of file systems, in devices that are not easily imaged or
in devices that are not normally seized.

This paper has two main contributions. The first is the description of the state of the art in
hostile forensic techniques and tools. The second, and more important, contribution is the
discussion of strategies for countering hostile forensic techniques and tools. Of particular
significance are the strategies for combating subversion and denial of service attacks on forensic
tools, and techniques for detecting and extracting concealed evidence. This paper has been
written to raise awareness about hostile forensic techniques, and countermeasures, within
the law enforcement community. We hope it will stimulate efforts within the digital forensics
research and development community to ensure that all the evidence, wherever it may reside,
is recoverable and presentable in court.

References
[1] 42.zip (www.unforgettable.dk).

[2] AERAsec, Decompression bomb vulnerabilities (www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html).
