Computer Forensics


Up to this point, we've discussed software security from an active standpoint. We looked at it from the perspective that a hacker may try to actively manipulate your software by finding security vulnerabilities and exploiting them to create access to data or to control the system. Another perspective is that it doesn't have to be that difficult. Sometimes, the data is just lying around for the viewing by those who know where to look.

The first example of this is with features that we're all familiar with in browsing the Web. Figure 13.3 shows an example of Internet Explorer's drop-down address bar displaying the history list of websites that have been recently visited. For most users this is not a problem; it's actually useful, allowing you to go back and quickly return to sites you've visited without retyping their full URLs. But, what if this screenshot came from a public access terminal? The person behind you in line could know what you were viewing through a single mouse click.

Figure 13.3. The list of websites you've viewed could be a security vulnerability.


NOTE

Data that "stays around" and isn't deleted from user to user is known as latent data. It should be considered a potential security vulnerability and needs to be discussed in any threat modeling your team does. It may not be considered a problem for your product. Or, it could be a major issue.


Another example of latent data is the Google Toolbar AutoFill feature shown in Figure 13.4. This feature allows you to store information such as your name, address, phone number, email address, and so on so that when a blank form is displayed (such as on an ecommerce order page) you can populate all the fields with a single click. That's a great feature that many of us frequently use. But, if you're testing a product for software security, you need to think like a user and decide if such a feature needs some type of "override" to hide or delete the data so it's not accessible to others.

Figure 13.4. The Google Toolbar AutoFill feature stores information for quickly filling in web forms. Security vulnerability?


A more complex example of latent data is one used by computer security experts to discover evidence that could be used in a crime investigation. When data is written to a disk, it is written in blocks. The size of these blocks, called sectors, varies depending on the operating system. MS-DOS/Windows uses 512-byte blocks. Depending on the file system being used, the sectors are written out in groups called clusters. The Windows FAT file system uses clusters of 2048 bytes, each made up of four 512-byte sectors.

Figure 13.5 shows what two clusters might look like on a disk drive after a text file called readme.doc has been written to it. The file is 2200 bytes in length and is shown by the white area spanning Sector 1 through the midpoint of Sector 5. So, if the file is 2200 bytes, what's in the gray area from Sector 5 through Sector 8? That information is known as latent data.

Figure 13.5. The data in the file readme.doc is not the only data written to disk.


If the file is 2200 bytes long, it will take up 4.3 512-byte blocks (2200/512=4.3). The data at the end of Sector 5 is called RAM slack because what is contained there is information that happened to reside in the system's random access memory when the file was created. It could be nothing, or it could be administration passwords or credit card numbers. There's no way to know, but what is a given is that data other than what was in the file was written from the computer's memory onto its disk drive.

The remainder of the gray area, from Sector 6 through the end of Sector 8, is known as disk slack. It exists because the file system writes in 2048-byte clusters and our file only contained enough data to partially fill two of them. The data stored here is typically data that existed on the drive before the file was written. It could be the remnants of another file or a previous, longer, version of readme.doc. This latent data could be benign, or it could contain information that was intentionally deleted or is very private.
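The sector and cluster arithmetic above, worked through as an added example that is not part of the book: it computes the RAM-slack and disk-slack sizes for the 2200-byte readme.doc, then models a naive write that leaves old cluster contents in place against a padded write that zero-fills to the cluster boundary, and checks the slack for latent data. All sizes and sample bytes are constructed for illustration.

```python
SECTOR = 512           # sector size used by MS-DOS/Windows (from the text)
CLUSTER = 4 * SECTOR   # FAT cluster of 2048 bytes = four sectors

def _ceil_div(n, d):
    return -(-n // d)

def slack_layout(file_size, sector=SECTOR, cluster=CLUSTER):
    """Byte accounting for one file: how much is allocated and where the slack is."""
    sectors_used = _ceil_div(file_size, sector)
    clusters_used = _ceil_div(file_size, cluster)
    allocated = clusters_used * cluster
    return {
        "sectors_used": sectors_used,
        "clusters_used": clusters_used,
        "allocated": allocated,
        # bytes between the end of the file and the end of its last sector
        "ram_slack": sectors_used * sector - file_size,
        # whole sectors allocated to the file but never written by it
        "disk_slack": allocated - sectors_used * sector,
    }

def slack_regions(raw, file_size, sector=SECTOR, cluster=CLUSTER):
    """Split the raw bytes of a file's clusters into (ram_slack, disk_slack)."""
    lay = slack_layout(file_size, sector, cluster)
    if len(raw) != lay["allocated"]:
        raise ValueError("raw must cover exactly the file's allocated clusters")
    sector_end = lay["sectors_used"] * sector
    return raw[file_size:sector_end], raw[sector_end:]

def slack_is_clean(raw, file_size, sector=SECTOR, cluster=CLUSTER):
    """True when every slack byte is zero, i.e. no latent data survives."""
    ram, disk = slack_regions(raw, file_size, sector, cluster)
    return not any(ram) and not any(disk)

# Constructed sample data: the 2200-byte readme.doc from the text, and the
# previous contents of the two clusters it is about to be written over.
README = b"README v2 " * 220            # 2200 bytes
OLD_CLUSTERS = b"OLD " * 1024           # 4096 bytes of an earlier, longer file

def write_naive(old_clusters, data, cluster=CLUSTER):
    """Model of a write that stores only the file's own bytes and leaves the
    rest of the last cluster exactly as it was on disk (latent data)."""
    buf = bytearray(old_clusters[:_ceil_div(len(data), cluster) * cluster])
    buf[:len(data)] = data
    return bytes(buf)

def write_padded(data, cluster=CLUSTER):
    """Mitigation: pad the file to the cluster boundary with zeros so neither
    RAM slack nor disk slack can carry anything from before the write."""
    return data + b"\x00" * (_ceil_div(len(data), cluster) * cluster - len(data))
```

Run `slack_layout(2200)` to see the figures from the text (5 sectors, 2 clusters, 360 bytes of RAM slack, 1536 bytes of disk slack); `slack_is_clean` is the kind of check a tester can run over a captured cluster image to confirm a product leaves no latent data behind.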

NOTE

Although this example uses a disk drive to illustrate the concept of latent data, the security issues of RAM slack and disk slack apply to writable CDs, DVDs, memory cards, and virtually any sort of storage media.


Simple, publicly available tools can easily view and extract latent data from a disk. Some can even piece together scattered data fragments into their original complete files. When you're testing a software product, you'll need to work with your team to decide if latent data is a security vulnerability issue. If it is, you and your team will need to devise ways to prevent it from occurring.



    Software Testing
    Lessons Learned in Software Testing
    ISBN: 0471081124
    Year: 2005
    Pages: 233
