If you were a criminal and wanted to hide computer evidence, how difficult could it be? Actually, you don’t even have to be a criminal, maybe you just want to hide something from a family member or your employer. Your first thought would probably be to encrypt the data to guarantee that no one else can view it. That will work, but it will also stick out like a sore thumb if someone is looking for it. Then, they will know that you’re hiding something. Wouldn’t it be better if no one even knew that you had something to hide?
I’m not writing this to help criminals, nor do I want to help people hide stuff. What I’m trying to do is raise awareness of the holes in today’s Computer Forensics, Electronic Discovery and even your basic desktop search software. If I’m successful, then maybe we can raise the bar on finding the hidden data stored on everyone’s hard drive. That’s right, there is data hiding on your computer right now! It may not be malicious or illegal, but it is there and you probably don’t know how to find it.
The easiest way to hide your data is to store it in a translated or compressed file that no one knows how to open. You don’t want anyone to even know what type of file it is. Did you know that Computer Forensics tools typically support 500 or fewer different file types? The most popular tool, EnCase by Guidance Software, only supports 250 natively. If you want to see a list of the 400 most common file types that tools usually look for, then visit Oracle’s Outside In web site. That’s where most tools get their file identification technology from. They simply license it, snap the File ID SDK into their source code, then forget about it. That’s why they are so far behind in competing against computer crime.
Looking at the list of 400+ file types, there are only 9 compressed file types supported. That means that using any other type of compressed file type renders your data as unknown in those computer forensics tools. To play it safe, you should still choose a lesser known compression tool to work around the few tools that use their own file identification method. You obviously don’t want to use PK Zip, LZA, LHA, TAR or Gzip. They’re too common. Here are a few that most people have not heard of: WinACE, Slim! & BMA. If you are concerned that someone will figure out the file type, then you can still encrypt your data first, then compress it with one of these programs.
Another step you can take is to simply change the file’s extension. It’s amazing how many applications and people can’t identify a file without the file extension. If you use one of those rare archive file types and rename the file extension, then people can’t even search the internet for a file extension match. Oh, and make sure that you don’t leave the archiving software on your hard drive. Otherwise, a good investigator could figure it out. Instead, use a simple command line compression program and keep it on a memory stick or flash card.
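The two weaknesses described above, a tool that trusts the extension and a tool that cannot name a file type it has never seen, are what a content-based identifier is meant to close. The following PowerShell is an added example, not code from the original post or from the File Investigator products: it reads the leading bytes of every file under a folder, matches them against a small constructed signature table, and reports an extension that contradicts the content as a mismatch and content that matches nothing as something to review rather than something to ignore. The signature table, the extension mapping and the sample path are assumptions made for the example; a real tool carries thousands of entries.

```powershell
# Added example (not from the original post or File Investigator).
# Identify files by leading bytes, then compare with the extension.

# Constructed subset of well-known signatures: Type, byte offset, expected bytes.
$Signatures = @(
    @{ Type = 'ZIP archive';        Offset = 0; Bytes = 0x50,0x4B,0x03,0x04 }
    @{ Type = 'gzip archive';       Offset = 0; Bytes = 0x1F,0x8B }
    @{ Type = '7-Zip archive';      Offset = 0; Bytes = 0x37,0x7A,0xBC,0xAF,0x27,0x1C }
    @{ Type = 'RAR archive';        Offset = 0; Bytes = 0x52,0x61,0x72,0x21,0x1A,0x07 }
    @{ Type = 'bzip2 archive';      Offset = 0; Bytes = 0x42,0x5A,0x68 }
    @{ Type = 'xz archive';         Offset = 0; Bytes = 0xFD,0x37,0x7A,0x58,0x5A,0x00 }
    @{ Type = 'ACE archive';        Offset = 7; Bytes = 0x2A,0x2A,0x41,0x43,0x45,0x2A,0x2A }  # "**ACE**"
    @{ Type = 'PDF document';       Offset = 0; Bytes = 0x25,0x50,0x44,0x46 }
    @{ Type = 'OLE2 compound file'; Offset = 0; Bytes = 0xD0,0xCF,0x11,0xE0,0xA1,0xB1,0x1A,0xE1 }
    @{ Type = 'PNG image';          Offset = 0; Bytes = 0x89,0x50,0x4E,0x47,0x0D,0x0A,0x1A,0x0A }
    @{ Type = 'JPEG image';         Offset = 0; Bytes = 0xFF,0xD8,0xFF }
    @{ Type = 'Windows executable'; Offset = 0; Bytes = 0x4D,0x5A }
)

# Extensions that legitimately carry each content type (constructed mapping).
$ExpectedExtensions = @{
    'ZIP archive'        = '.zip', '.jar', '.docx', '.xlsx', '.pptx'
    'gzip archive'       = '.gz', '.tgz'
    '7-Zip archive'      = '.7z'
    'RAR archive'        = '.rar'
    'bzip2 archive'      = '.bz2'
    'xz archive'         = '.xz'
    'ACE archive'        = '.ace'
    'PDF document'       = '.pdf'
    'OLE2 compound file' = '.doc', '.xls', '.ppt', '.msi'
    'PNG image'          = '.png'
    'JPEG image'         = '.jpg', '.jpeg'
    'Windows executable' = '.exe', '.dll', '.sys', '.scr'
    'Plain text'         = '.txt', '.log', '.csv', '.ini', '.xml', '.htm', '.html', '.json'
}

function Get-ContentType {
    param([byte[]]$Header)
    if ($Header.Count -eq 0) { return 'Empty file' }
    foreach ($sig in $Signatures) {
        $end = $sig.Offset + $sig.Bytes.Count
        if ($Header.Count -lt $end) { continue }
        $matched = $true
        for ($i = 0; $i -lt $sig.Bytes.Count; $i++) {
            if ($Header[$sig.Offset + $i] -ne $sig.Bytes[$i]) { $matched = $false; break }
        }
        if ($matched) { return $sig.Type }
    }
    # Cheap heuristic: a header made only of printable ASCII and whitespace is text.
    $printable = $Header | Where-Object { $_ -in 9,10,13 -or ($_ -ge 0x20 -and $_ -le 0x7E) }
    if (@($printable).Count -eq $Header.Count) { return 'Plain text' }
    return 'Unknown'
}

function Read-FileHeader {
    param([string]$Path, [int]$Count = 16)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] $Count
        $n = $fs.Read($buf, 0, $Count)
        [System.Array]::Resize([ref]$buf, $n)   # shrink for files shorter than $Count
        return ,$buf
    } finally { $fs.Dispose() }
}

function Find-MislabeledFiles {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        try   { $type = Get-ContentType (Read-FileHeader $file.FullName) }
        catch { $type = 'Unreadable' }
        $ext = $file.Extension.ToLowerInvariant()
        $verdict = if ($type -eq 'Unknown')                               { 'REVIEW: no signature matched' }
                   elseif ($type -in 'Empty file','Unreadable')           { "SKIP: $type" }
                   elseif ($ExpectedExtensions[$type] -notcontains $ext)  { "MISMATCH: '$ext' extension, $type content" }
                   else                                                    { 'OK' }
        [pscustomobject]@{ Path = $file.FullName; Extension = $ext; Content = $type; Verdict = $verdict }
      }
}

# Usage (path is a constructed example):
# Find-MislabeledFiles -Path 'C:\Users\alice\Downloads' | Where-Object Verdict -ne 'OK' | Format-Table -AutoSize
```

The important design choice is what happens to the 'Unknown' verdict: a file the table cannot name is reported for review instead of being silently dropped, which is exactly the gap the post says most forensic tools leave open. Renaming a file changes only the Extension column; the Content column comes from the bytes.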
Microsoft’s NTFS hard drive format provides a more technical way to hide your files. If you are using a recent version of MS Windows, then you are probably already using NTFS. And, if you are, then you DO have files hiding on your hard drive RIGHT NOW! I don’t mean files with the ‘H’ attribute set, those are way too easy to find. I’m talking about Alternate Data Streams (ADS). These files are actually hiding behind other files. There are very few tools that can even see these stream files. ADS was intended to make it easier to mimic Apple’s Application/Resource Fork file system, but instead it has created a parallel dimension for files to be hidden in. For example, if I have a file called addresses.doc, I can hide another file behind addresses.doc. It’s as simple as copying the second file (baddeeds.txt) behind addresses.doc, for a resulting filename of addresses.doc:baddeeds.txt. Here’s how:
>type evidence.txt > addresses.doc:baddeeds.txt
That may seem too simple, but now programs can’t see the second file. If you look at a list of files in that folder you won’t see it. But, if you already know the name of the hidden file, then you can still open it with some programs. For example:
>more < addresses.doc:baddeeds.txt > evidence.txt
This command reads the hidden baddeeds.txt stream and copies its contents back out to evidence.txt, where you can open and edit it like any other file.
If you would like more information about manipulating NTFS ADS files, then visit the heysoft site. They provide one of the few tools (LADS) that can actually see these hidden files. Unfortunately, their tool can only be used on the command line and doesn’t tell you anything about each file, other than its name. Our File Investigator products also see NTFS ADS files. If you would like to find the ADS files on your hard drive, identify what they are and look inside them, then download our FI Tools applications. The trial version will stop searching after the first 100 files found, but you can set it to only show NTFS ADS files by selecting the Text & Attributes tab and adding a check in front of NTFS ADS before you click the Find Now button to perform your search.
Remember when I told you that you already have files hiding on your NTFS hard drive? Well, here’s proof. Download and install FI TOOLS, put the check by the NTFS ADS attribute on the Text & Attributes tab, then do a search of your entire hard drive (Look in: c:). Any files that appear are NTFS ADS files. If you wait long enough, you will see ????:Zone.Identifier and maybe some ????:SummaryInformation files. The Zone files are put there by Internet Explorer when you download a file from the Internet. The SummaryInformation files are a result of right clicking a file in Windows Explorer, selecting Properties and changing the values on the Summary tab. That’s right, you may have created some of those hidden files and not known it. If you see any other types of files, leave us a comment telling us what you found. Maybe you’ll catch a virus!
There are other, more complicated places to hide data on a hard drive, but I wanted to show you how easy it is to hide files, not how hard it can be. NTFS ADS files are already being used by some viruses/trojan horses, and many virus protection applications don’t know about NTFS ADS yet. So, this easy data hiding technique may be used against us. Make sure that your virus scanner looks for NTFS ADS files, or periodically use a tool like FI TOOLS to search your hard drive and remove anything that doesn’t look familiar to you. I’ve never known of an NTFS ADS that contained vital system or application information. The heysoft web site includes instructions for deleting NTFS ADS files.
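The search the post describes with FI TOOLS (every stream on the drive, with Zone.Identifier and SummaryInformation expected to show up) can also be done with the stream support that PowerShell 3 and later ship on Windows. The script below is an added example, not code from the original post, from heysoft’s LADS or from FI TOOLS: it walks a directory tree, lists every stream other than the main :$DATA stream, labels the stream names the post explains as benign, and dumps the first bytes of each stream so it can be judged by content. The $KnownStreams labels and the sample path are assumptions for the example.

```powershell
# Added example (not from the original post, LADS or FI TOOLS).
# Enumerate NTFS alternate data streams and show their leading bytes.

# Stream names with a documented benign origin (labels are constructed).
$KnownStreams = @{
    'Zone.Identifier'            = 'Written by the browser when a file is downloaded'
    'SummaryInformation'         = 'Explorer Properties > Summary tab'
    'DocumentSummaryInformation' = 'Explorer Properties > Summary tab'
}

function Read-StreamHeader {
    param([string]$Path, [string]$Stream, [int]$Count = 16)
    try {
        # Windows PowerShell 5.1 uses -Encoding Byte; PowerShell 6+ uses -AsByteStream.
        if ($PSVersionTable.PSVersion.Major -ge 6) {
            $bytes = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount $Count -ErrorAction Stop
        } else {
            $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount $Count -ErrorAction Stop
        }
        return (@($bytes) | ForEach-Object { $_.ToString('X2') }) -join ' '
    } catch { return '<unreadable>' }
}

function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        # -Stream * returns the main :$DATA stream plus every alternate stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          ForEach-Object {
            $origin = if ($KnownStreams.ContainsKey($_.Stream)) { $KnownStreams[$_.Stream] }
                      else { 'UNKNOWN - inspect' }
            [pscustomobject]@{
                File   = $file.FullName
                Stream = $_.Stream
                Bytes  = $_.Length
                Origin = $origin
                Header = Read-StreamHeader -Path $file.FullName -Stream $_.Stream
            }
          }
      }
}

# Usage (path is a constructed example); the whole drive works too but takes a while:
# Get-AlternateStreams -Path 'C:\Users\alice' | Where-Object Origin -like 'UNKNOWN*' | Format-Table -AutoSize
```

The Origin column is assigned by stream name only, so a stream called Zone.Identifier that is kilobytes long, or whose Header bytes do not look like the short text such a stream normally holds, still deserves a look at the Bytes and Header columns. Once a stream is confirmed unwanted, Remove-Item -LiteralPath <file> -Stream <name> deletes just that stream and leaves the host file intact.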
Quality computer forensics software should identify thousands of file types, not 500, and be focused on increasing that support to perform competent searches for evidence. That’s why we are constantly adding more file types to our File Investigator products.