In the first section of this chapter, we explored the types of evidence you can look for on a computer. What happens when you can't find any evidence but you know it's there? Chances are it's either hidden, or somewhere in trace evidence. (We'll cover trace evidence in the next section.)
There are various types of hidden evidence. We'll start with document metadata. Virtually all applications produce some type of evidence that ordinary users aren't aware of. We will use a Microsoft Word document as an example. As a Word document is written and changed, these changes are normally tracked. To view this information, simply click the file and then choose Properties. The Properties dialog box is shown in the following graphic.
metadata: A data component that describes the data. In other words, it's data about data.
This information can be especially useful to a forensic investigator. For example, say you are dealing with a situation in which a system was compromised and intellectual property was stolen. If the criminal is unsophisticated, you could very well end up with a good lead just by looking at the properties of the new documents. Metadata can be found in most Word, Excel, and PowerPoint documents. Because metadata has become a visible issue, there are ways to delete it. Microsoft released a tool that removes personal or hidden data that might not be immediately apparent when you view the document in your Microsoft Office application. This tool is called rhdtool.exe, and it can be found at http://www.microsoft.com/downloads/details.aspx?FamilyID=144e54edd43e-42ca-bc7b-5446d34e5360&displaylang=e .
Although some metadata is readily accessible through the user interface of each Microsoft Office program, other metadata is accessible only through extraordinary means (for example, opening a document in a low-level, binary file editor such as HexEditor).
A case in June 2003 involved the infamous British dossier, 'Iraq's Weapons of Mass Destruction: the Assessment of the British Government,' which described how Saddam's intelligence services tried to conceal those weapons from United Nations inspectors. A good portion of the report was copied from three sources: (1) an article in the Middle East Review of International Affairs by Ibrahim al-Marashi, a research associate at the Center for Nonproliferation Studies in Monterey, California; (2) an article by Ken Gause (an international security analyst from Alexandria, Virginia), titled 'Can the Iraqi Security Apparatus Save Saddam?' (November 2002), pp. 8-13; and (3) an article by Sean Boyne, titled 'Inside Iraq's Security Network,' published in two parts during 1997. The articles by Gause and Boyne appeared in Jane's Intelligence Review. The original sources were exposed by studying the metadata in the document. Most Word document files contain a revision log, which lists the last 10 edits of a document, showing the names of the users who worked with the document and the names of the files under which it was saved. Revision logs are hidden and cannot be viewed in Word. However, a researcher used a utility to extract and display the revision logs and other hidden information in the files, and then made the results public. The researcher used a low-level binary editor to extract this information.
The next method of hiding data we will look at is steganography. The goal of steganography is to avoid drawing suspicion to the transmission of a hidden message. Steganography is a special kind of cryptography that makes the presence of secret data undetectable. It encrypts the original plaintext information into a digital image. The least significant bit of each byte of the image can be replaced with bits of the secret message. Such a message can be hidden in a sound file, a graphic file, or in unused space on a hard disk. Someone who saves pornography to their hard disk may choose to hide the evidence through this method. In some instances, steganography can be used as a means of covert communication for terrorists. Three of the more popular steganography programs are Hide and Seek and Stealth, which can be used on Windows-based systems, and the Steganographic File System (SFS), which is used on Unix filesystems.
steganography: Passing information in a manner such that the very existence of the message is unknown.
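The least-significant-bit embedding described above, worked through on a constructed 8-bit grayscale buffer rather than a real image file, together with the simple LSB-plane statistic an examiner can compute to notice it. This is an added example for this chapter, not code from the book or from any of the tools it names.

```python
# LSB steganography on a constructed grayscale buffer, plus the examiner-side
# check that such embedding leaves behind. Added example; not from the book.

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Write message (4-byte big-endian length prefix, then payload) into the
    least significant bit of each cover byte, one message bit per cover byte."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small: need %d bytes" % len(bits))
    out = bytearray(cover)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit      # clear the LSB, then set it
    return bytes(out)

def _read_lsb_bytes(data: bytes, start: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs of data[start:], MSB first."""
    out = bytearray()
    for i in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (data[start + i * 8 + j] & 1)
        out.append(value)
    return bytes(out)

def extract_lsb(stego: bytes) -> bytes:
    """Recover the payload written by embed_lsb (empty if nothing was embedded)."""
    length = int.from_bytes(_read_lsb_bytes(stego, 0, 4), "big")
    return _read_lsb_bytes(stego, 32, length)

def lsb_ones_ratio(data: bytes) -> float:
    """Fraction of bytes whose LSB is 1. A smooth or quantised region has a
    strongly skewed ratio; a region carrying embedded data drifts toward 0.5."""
    return sum(b & 1 for b in data) / len(data)

# Constructed cover: a smooth ramp of even values, so every LSB starts at 0.
COVER = bytes((2 * i) % 256 for i in range(4096))
MESSAGE = b"meet at noon"

if __name__ == "__main__":
    stego = embed_lsb(COVER, MESSAGE)
    print(extract_lsb(stego))                       # b'meet at noon'
    used = 32 + 8 * len(MESSAGE)                    # cover bytes actually touched
    print(lsb_ones_ratio(COVER[:used]), lsb_ones_ratio(stego[:used]))
```

Bytes beyond the embedded region are untouched, which is why an examiner compares LSB statistics across regions of a file rather than over the whole file at once.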
You can readily view all the code for a web page simply by opening a web page and choosing the View Source option from the View menu on the toolbar (or right-click anywhere on the web page and choose View Source). The following graphic shows the result of viewing the source code for http://www.msn.com .
Most web pages are written in HTML. From looking at the previous graphic, you can see how easy it would be to hide messages or data in web page coding. For example, say I was stealing company secrets and wanted to allow a competitor to access them. I could set up my own website and hide the information in the source code. The competitor could then retrieve the information quite easily.
Most operating systems allow users to hide files based on extensions. Using this feature is as simple as changing the properties of a directory to Hidden on the General tab of the Properties dialog box in Windows. An untrained eye might never see system files or even the extensions associated with files if the user chose to hide them.
You can hide Unix directories by putting them in existing directories that have a lot of files, such as the /dev directory on a Unix implementation, or by making a directory whose name starts with three dots (...) instead of the normal single or double dot. To hide files on a Unix computer, put one dot in front of the file name (for example, .myfile). This prevents the file from showing up in the output of a file listing. To see all hidden files, use the ls command with the -a parameter, like this: ls -a
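A small examiner-side sweep for the three Unix tricks just described (dot-prefixed names, a "..." directory, and burying entries in a busy directory such as /dev). It is an added example, not code from the book; it builds a throw-away sample tree so it runs anywhere, and the tree contents are constructed.

```python
# Find the names a plain "ls" would skip. Added example, not from the book.
import os
import tempfile

def find_hidden_names(root: str):
    """Walk root, descending into hidden directories too, and report every
    entry a plain listing hides: any name starting with '.'. Names made only
    of dots (for example '...') are flagged, since they mimic '.' and '..'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if not name.startswith("."):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            kind = "dir" if name in dirnames else "file"
            note = "dots-only name" if set(name) == {"."} else ""
            findings.append((rel, kind, note))
    return sorted(findings)

def build_sample_tree() -> str:
    """Constructed tree: a busy 'dev' directory with a '...' subdirectory in
    it, and a single dotfile at the top level."""
    root = tempfile.mkdtemp()
    busy = os.path.join(root, "dev")
    os.mkdir(busy)
    for i in range(50):                 # plenty of ordinary names to hide among
        open(os.path.join(busy, "tty%d" % i), "w").close()
    os.mkdir(os.path.join(busy, "..."))
    with open(os.path.join(busy, "...", "stash.txt"), "w") as f:
        f.write("constructed sample\n")
    with open(os.path.join(root, ".myfile"), "w") as f:
        f.write("constructed sample\n")
    return root

if __name__ == "__main__":
    for rel, kind, note in find_hidden_names(build_sample_tree()):
        print(kind, rel, note)
```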
Hidden disk partitions are the last method of hiding data that we will cover in this chapter. We'll use the example of a dual-boot system, in which, essentially, one operating system is hidden from the other. One of our laptops (ComputerA) is set up for dual booting. It can boot to either Windows XP or SuSE Linux. When you view the system in Windows, the Linux partition doesn't show up, mainly because Windows doesn't understand the Linux filesystem. So, Windows acts as though it isn't there. If the bootloader is set up to know about the other operating system, you are given a choice of which operating system to use after the computer boots. This lets you know that more than one operating system is installed. However, some operating systems allow you to choose which operating system to boot to without user interaction. For example, another one of our computers (ComputerB) dual boots either Windows 98 or Windows Server 2003. An ordinary user would not know that Windows Server 2003 is installed because we configured the system to not display the operating systems upon boot. Because Windows 98 can't read the NTFS partition, the partition that Windows Server 2003 is installed on doesn't show when accessing data in Windows 98. This is another example of where an untrained person would have no idea that hidden data might exist. So, we can store files on the Windows 98 drive while booted to Windows Server 2003, and hide the directory so other users have no clue the files are even there. In this instance, the evidence you may be looking for could be stored partially on one partition and partially on another partition. If space allows, you could actually install more than two operating systems.
dual-boot system: A system that has the ability to boot, or start, and run more than one operating system.
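Because the booted operating system only shows partitions whose filesystem it can read, an examiner reads the partition table directly from the disk's first sector instead of trusting the OS view. The following is an added example, not code from the book: it parses the four primary entries of a classic MBR (the documented layout: entries at offset 446, 16 bytes each, 0x55AA signature at offset 510) from a constructed sector that mimics ComputerB, with a FAT32 partition for Windows 98 and an NTFS partition for Windows Server 2003.

```python
# Read the MBR partition table directly so partitions the running OS does not
# mount still show up. Added example, not from the book; the sector is constructed.
import struct

# Documented MBR partition type IDs relevant to the chapter's scenarios.
PART_TYPES = {0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x82: "Linux swap", 0x83: "Linux"}

def parse_mbr(sector: bytes):
    """Return the non-empty primary partition entries of a 512-byte MBR as
    dicts: slot, bootable flag, type id, human name, start LBA, sector count."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    entries = []
    for slot in range(4):
        off = 446 + 16 * slot
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA(4) count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue                      # unused slot
        entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                        "name": PART_TYPES.get(ptype, "unknown 0x%02X" % ptype),
                        "start": lba_start, "sectors": count})
    return entries

def unmounted_by(entries, readable_types):
    """Entries whose type the booted OS cannot read, and therefore never displays."""
    return [e for e in entries if e["type"] not in readable_types]

def build_sample_mbr() -> bytes:
    """Constructed MBR like ComputerB: FAT32 (Windows 98) first, NTFS second."""
    sector = bytearray(512)
    struct.pack_into("<B3xB3xII", sector, 446, 0x80, 0x0B, 63, 4_000_000)
    struct.pack_into("<B3xB3xII", sector, 462, 0x00, 0x07, 4_000_063, 8_000_000)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)

if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(p)
    # Windows 98 reads FAT variants only; anything else is invisible to it.
    print("hidden from Windows 98:", unmounted_by(parts, {0x01, 0x06, 0x0B, 0x0C}))
```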
Several other methods, such as covert channels, can be used to hide data. A tool such as Loki can transmit valuable data in seemingly normal network traffic. Loki is a Trojan horse that looks like a stream of pings, but instead it provides a backdoor to the computer on which the client is installed. After the client is installed, it allows communication to occur without being controlled by a security mechanism. Tools such as Loki and other backdoor programs can be found at http://www.antihackertoolkit.com/tools.html . Data can also be hidden in the whitespace in documents, behind graphics in documents, and in host-protected areas (HPAs) on drives. These areas of a hard drive are created specifically to allow manufacturers to hide diagnostic and recovery tools, but they can be used to hide data as well.
covert channel: A method by which an entity receives information in an unauthorized manner.
While many technical methods exist for hiding data (examples include steganography, encryption, and digital watermarking), some of the cases that you work will involve data that was hidden using techniques so simple that any average Microsoft Office user could use them.
I once worked on a case involving two coworkers who transferred information to each other by embedding short messages at the end of Word documents. They changed the color of the text to white so that the message was white text on a white background and appeared invisible to anyone who saw the document.
Another simple technique is to use a nonstandard font to write a Word document. The person receiving the document knows which font is needed to view the text and has that font loaded on their computer. Anyone without that font would see only 'garbage' on their screen when they viewed the document.
This last technique was used by an illegal drug supplier. He took a photograph of a handwritten sign that contained the instructions for how and where a drug transaction was to take place. The drug dealer hoped that anyone monitoring or 'sniffing' his network traffic would be unable to 'read' the message. A forensics examiner using the search functionality of any forensics utility would not see the message. The examiner would have to look at the graphics function of the tool to see the message.
These and many other techniques for finding hidden data are taught in the computer forensics course that Warren Kruse and Neil Broom teach for Intense School. For additional information about this training, please visit http://www.intenseschool.com or Neil's website at http://www.trcglobal.com .