Computer forensics: Finding "hidden" data


Fortunately for the forensics investigator, most users aren't very good at covering their tracks. Ignorance of how computers manage memory and disks leaves incriminating file or memory content in locations the subject of an investigation never sees through the normal file system view. In this post, we'll look at three such locations: deleted files and slack space, swap space, and hibernation files.

Deleted files and slack space

When an operating system writes a file to disk, the file system allocates storage in fixed-size allocation units, each made up of one or more sectors. The size of the allocation unit (the cluster on FAT and NTFS) depends on the file system and on choices made when the volume was formatted. Which units belong to the file is recorded in the file system's metadata (the directory and allocation tables on FAT, the MFT on NTFS) for later access. When the file is deleted, the space originally allocated to it is simply marked as unallocated; the actual data remains on the disk until something else is written over it. Deleted files in this state are easily recoverable by many disk utilities, but what happens if a new file is written to this same space? Figure A shows what might happen to the original data. (Figure A labels the allocation units "sectors"; on most file systems each one is a cluster of several sectors, but the mechanism is the same.)

 Figure A

At some point in the past, File A was written to sectors 1 and 2. The sectors were completely filled by the file's content. When the user decides to delete the file, the sectors are marked as unallocated. However, the file content remains.

Sometime after File A is deleted, the user asks the OS to save File B. The OS once again allocates sectors 1 and 2, but notice that File B's content doesn't completely fill sector 2. The unwritten portion of sector 2 is known as slack space, and it still contains content from File A. Slack space is invisible through the file system's normal read interface, because reads stop at the file's logical end, but it can be read and analyzed by any of the popular forensics toolkits. One caveat: modern operating systems zero-fill the remainder of the last physical disk sector they actually write, so the recoverable residue sits in the untouched sectors between that point and the end of the allocation unit, not in the few hundred bytes immediately after the end of File B.
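The following script is an added example, not code from the original post: a toy model of a cluster-allocated volume that replays Figure A in bytes. File A fills two allocation units, is "deleted" by dropping its table entry, and File B is then written over the first unit. The script carves the slack of File B and checks what survives from File A. Sector size, cluster size, file names and contents are all assumptions; real file systems keep the allocation table in on-disk metadata rather than a dict, but the offset arithmetic is the same.

```python
"""Toy model of file slack on a cluster-allocated volume.

Added example, not code from the original post. A bytearray stands in for
the raw disk and a dict for the allocation table; real file systems keep
that table in on-disk metadata (the FAT, the NTFS MFT), but the slack
arithmetic is identical. Sector and cluster sizes are assumptions.
"""
SECTOR = 512                          # bytes per sector (assumed)
CLUSTER = 4 * SECTOR                  # 2048-byte allocation unit (assumed)
NUM_CLUSTERS = 8


def new_volume():
    """A blank volume: NUM_CLUSTERS clusters of zeros."""
    return bytearray(CLUSTER * NUM_CLUSTERS)


def write_file(volume, first_cluster, data):
    """Store data starting at first_cluster as one unfragmented cluster chain.

    Mirrors what an OS does at the end of a file: the remainder of the last
    sector it actually writes is zero-filled (so 'RAM slack' carries nothing
    useful on modern systems), but the sectors after that, up to the end of
    the cluster, are never touched and keep whatever was there before.
    Returns the file's logical size.
    """
    start = first_cluster * CLUSTER
    end = start + len(data)
    volume[start:end] = data
    sector_end = start + -(-len(data) // SECTOR) * SECTOR   # round up to a sector
    volume[end:sector_end] = bytes(sector_end - end)        # zero the sector tail only
    return len(data)


def file_slack(volume, first_cluster, size):
    """Bytes between the last sector the file touched and the end of its last cluster."""
    start = first_cluster * CLUSTER
    last_sector_end = start + -(-size // SECTOR) * SECTOR
    cluster_end = start + -(-size // CLUSTER) * CLUSTER
    return bytes(volume[last_sector_end:cluster_end])


def demo():
    """Replay Figure A: File A fills two clusters, is deleted, File B reuses them."""
    vol = new_volume()
    table = {}                                          # name -> (first_cluster, size)

    file_a = (b"FILE_A_CONFIDENTIAL " * 256)[:2 * CLUSTER]   # exactly two clusters (constructed)
    table["A"] = (1, write_file(vol, 1, file_a))

    del table["A"]                                      # "delete": only the table entry goes

    file_b = b"FILE_B_INNOCUOUS ".ljust(700, b"b")      # 700 bytes: 2 of the 4 sectors in its cluster
    table["B"] = (1, write_file(vol, 1, file_b))

    first, size = table["B"]
    slack = file_slack(vol, first, size)
    return {
        "slack_bytes": len(slack),                                            # 1024
        "file_a_in_slack": b"FILE_A_CONFIDENTIAL" in slack,                   # True
        "ram_slack_zeroed": vol[CLUSTER + 700:CLUSTER + 1024] == bytes(324),  # True
        "file_a_in_unallocated": vol[2 * CLUSTER:3 * CLUSTER] == file_a[CLUSTER:],  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last result in the dictionary is the other half of the story: the second cluster File A occupied is now unallocated rather than slack, and is recoverable in full until the file system hands it out again. A forensic toolkit treats "file slack" and "unallocated space" as two separate search targets for exactly this reason.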

Swap space

Both Linux and Microsoft Windows systems extend RAM with disk. In this virtual memory model, the OS moves pages of memory to a reserved area on disk to free RAM for other work, and moves them back when they are needed again. The area on disk used for this purpose is called the swap file or swap space. On Linux, the swap area is usually a dedicated disk partition, although a swap file is also supported. On a Windows XP machine, the swap space is a file in the root of the system drive called pagefile.sys.

Since almost everything in RAM is subject to being paged to disk, some very interesting information can be found in a swap file. In addition to plain-text copies of data that is encrypted in its on-disk file, encryption keys might also be present: a key has to be in memory while it is in use, and an application that does not lock those pages in RAM (mlock() on Linux, VirtualLock() on Windows) lets the OS write them to swap like any other page. Further, text from e-mails or from data stored at remote locations might still reside in swap space long after the session that used it has ended. Because the swap area is just another region of the disk, a raw-disk hex editor or a strings-style carving tool can read it, as can the forensics suites.

Hibernation files

Hibernation files are created when a system hibernates; plain sleep (standby) keeps RAM powered and writes nothing to disk. For example, a laptop running Windows XP writes the entire contents of RAM to hiberfil.sys when going into hibernation. Like swap space, hibernation files can contain a wealth of information not found anywhere else on the target system, and unlike swap they hold a complete, consistent snapshot of memory at one instant. Windows stores the hibernation file in compressed form, so a raw string search over it can miss content; forensic memory tools decompress it first. Once decompressed, its contents can be read with the same disk and memory forensics utilities used on the swap file.
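The scanner below is an added example, not code from the original post, covering both the swap-space and hibernation-file sections above. It carves printable ASCII and UTF-16LE runs from a raw image (Windows keeps most user-facing text in memory as UTF-16LE, so an ASCII-only strings pass misses half of it) and flags e-mail addresses, URLs and password-style fragments. The sample image is constructed inline: random filler with three planted artifacts. For real use, feed scan() the bytes of pagefile.sys, a dd image of a Linux swap partition, or a hiberfil.sys that has already been decompressed. The minimum run length, the indicator patterns and the planted strings are assumptions.

```python
"""Scan a raw swap or (decompressed) hibernation image for readable artifacts.

Added example, not from the original post. Carves printable ASCII and
UTF-16LE runs and flags e-mail addresses, URLs and credential fragments.
The sample image is constructed below; thresholds and patterns are assumed.
"""
import random
import re

MIN_LEN = 8  # shortest printable run worth reporting (assumed threshold)

# Byte-level regexes: 8+ printable ASCII bytes, or 8+ printable chars each followed by 0x00 (UTF-16LE).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Text-level indicators applied to each decoded run.
INDICATORS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "credential": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*=\s*\S+"),
}


def carve_strings(blob):
    """Yield (offset, encoding, text) for every printable run in blob."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def scan(blob):
    """Return {indicator_name: [(offset, encoding, matched_text), ...]}."""
    hits = {name: [] for name in INDICATORS}
    for offset, enc, text in carve_strings(blob):
        for name, pattern in INDICATORS.items():
            for m in pattern.finditer(text):
                hits[name].append((offset, enc, m.group()))
    return hits


def build_sample_image(seed=2024):
    """Constructed stand-in for a swap dump: seeded random filler plus planted artifacts."""
    rng = random.Random(seed)

    def noise(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    return (
        noise(1500)
        + b"From: alice@example.com\r\nSubject: Q3 numbers\r\n"          # ASCII mail header
        + noise(900)
        + "https://mail.example.net/login?user=alice".encode("utf-16le")  # Windows-style wide string
        + noise(700)
        + b" pwd=Tr0ub4dor&3 "                                            # credential fragment
        + noise(1200)
    )


if __name__ == "__main__":
    for name, found in scan(build_sample_image()).items():
        for offset, enc, text in found:
            print(f"{name:10s} @0x{offset:06x} ({enc}): {text}")
```

On a real multi-gigabyte pagefile the raw string carve produces far more noise than signal, which is why the indicator patterns do the filtering rather than a human reading the strings output; add patterns for whatever the case is about (account numbers, hostnames, document fragments) in the INDICATORS table.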

A target disk is usually full of useful information. An investigator just needs to know where to look and how to employ the proper tools and techniques for extracting it.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

18 comments
inertman

disable the paging executive in the same area of the registry. this means that data is never written to disk, ever. but as w2ktech notes this doesn't affect slack space or free space. for this i use a file shredder, that came w/ giant, so instead of delete, you right click a file and 'shred'. but then again, i'm not actually that paranoid, just don't want my family finding my porn when i die.

rkuhn040172

I mean, I used to do it too. But really, if your PC is compromised to the point where someone has access to your page file, clearing it once a day or so isn't really protecting you now is it? All it did for me was add to my shutdown times.

DanLM

I run a file shredder also.... Not because of porn or anything else. But, I do almost all my financial transactions online. Banking, bill paying, everything. I shred my tmp files, cookies, and everything else multiple times a day. Wouldn't the consideration of these types of files be a reason for wanting to overwrite both slack space and any files you are deleting? Told ya, dumb question. Dan

AbbyD

I always wondered how much information can be read off a hard drive after it was over-written. I use Defrag on a weekly basis. Doesn't the defragmentation process write over the gaps in the broken files? If the old data is overwritten how can it be viewed by anyone? I also use a free program called Eraser that overwrites all the unused spaces several times. The program claims their process for erasing data is the same as the Dept. of Defense.

nighthawk808

I said you could do it; I didn't say it was useful.

Kiltie

Clearing the space used for the swap: this is done on every shutdown/reboot (which is not daily, but can be very often in Windows). 3rd party utilities can do this, so can Live CDs (ones that don't touch the host OS at all), i.e., there are ways to clear the space so that no sensitive data is retained at all.

Freebird54

It can help with some cases. However, in the specific case mentioned here (slack space) the file may well not be moved, and the slack space (with contents) will not be touched. I don't know if any tools address this problem or not (hopefully something does - in case I decide to do something 'sensitive' :) ) Just clearing a page file doesn't help much either - you need to overwrite it (multiple times) to make it inaccessible. You have to be pretty paranoid to worry much about this though - if they come for your machine - you are already in trouble!

apotheon

If you are afraid of being brought up on charges for what you're doing with your computer, and you wipe your hard drive, they can still possibly get incriminating evidence off your pagefile or swap partition (depending on the OS). Thus, wiping out a pagefile or swap partition is more a tool of paranoia for those who engage in activity they don't want proven later than a way to secure data.

apotheon

"[i]TrueCrypt isn't just for Windows....it works on Mac and Linux too.[/i]" This is true. It will also install on FreeBSD, [url=http://www.nabble.com/TrueCrypt-5.0-td15394497.html]with a few tweaks[/url]. However . . . there are better options for volume encryption on BSD Unix and Linux-based systems than TrueCrypt. TrueCrypt is designed with a more completely GUI-oriented system in mind, and I prefer encryption tools that aren't limited to GUI-based operation when I'm not using an OS whose command line interface is crippled like MS Windows'. Your mileage may vary.

Daniel.Muzrall

TrueCrypt isn't just for Windows....it works on Mac and Linux too. http://www.truecrypt.org/

TrueCrypt
Free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux

Main Features:
Creates a virtual encrypted disk within a file and mounts it as a real disk.
Encrypts an entire partition or storage device such as USB flash drive or hard drive.
Encrypts a partition or drive where Windows is installed (pre-boot authentication).
Encryption is automatic, real-time (on-the-fly) and transparent.
Provides two levels of plausible deniability, in case an adversary forces you to reveal the password: 1) Hidden volume (steganography; more information may be found here). 2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).
Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: XTS.
Further information regarding features of the software may be found in the documentation.

apotheon

There's a tool for MS Windows called TrueCrypt that has been available for a while now, and is at least one of the best personal disk encryption tools available for that platform, if not [b]the[/b] best. It's certainly better than Microsoft's built-in disk encryption tools. If you must use MS Windows, check out TrueCrypt.

Penguin_me

I have to say, well said, deleting it does provide little to no protection (and can cause a false sense of security - even worse.). However, with Vista MS introduced full disk encryption - including the swap file - Mac has done this for a while too, and *nix has had this for donkey's years. The other useful thing that *nix has is to allow for swap partition encryption with a *randomly generated key each time you boot*. So basically, you switch off the machine, the swap partition is full of unusable bits and bytes (little pun there, I like it). (Link: http://www.gentoo.org/proj/en/hardened/disk-cryptography.xml -- Gentoo docs on disk encryption, starting with swap partition).

w2ktechman

If it is encrypted, it would depend on the encryption, and where the key was. But yes, safe'ish' is a good term... But it is much better to use a utility that looks for this stuff and washes (scrubs) it completely.

w2ktechman

Yes, there are 3rd party utils that can do this much better. I too used to do the 'clear page file at shutdown' but this is pretty ineffective. The data is still there, just not as accessible to the OS. Other issues are that it does not address part of the article well, like with the slack space and hibernation.

jmgarvin

Some places even require you to have procedures like this so that if the box is lost, then (assuming the data is encrypted) the data is safeish.

rkuhn040172

But the question remains, what does it accomplish? Personally, I think clearing the page file on reboot is like the age old advice about hiding SSIDs on wireless networks. I think it provides little to no value to most people.
