XP can store sensitive data without your knowledge

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.


Post by bad_brain »

For a while now I've been into computer forensics, first mostly on Linux systems in the context of incident handling. But now I got an external HDD that I use for my sensitive data (encrypted, of course), so I got a little into MS forensics too....

alright, now where is the data stored?
the data is stored in the so-called file slack.

what is the file slack?
let's say the block size on your HDD is 4096 bytes (which is the default size) and you store a file of 2048 bytes.... the remaining space in the block is the file slack.

why is data stored there?
the file slack can't stay empty. in *nix systems the space is filled with zeros "produced" by /dev/zero, but in MS systems the file slack is filled with random data taken from RAM. and when you have just written an email and the data is still in RAM, it can happen that your email data is used to fill the slack. good forensics can recover a lot of sensitive data that way, even full emails.

what can I do about it?
hm, not much... there are apps that flush the RAM, but it's not really practical because it messes up the system performance.


well, if you found this a little interesting I might write a little tut about forensics...
:)

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

Please do 8O

str33tl0rd
Fame ! Where are the chicks?!
Posts: 241
Joined: 04 Jul 2008, 16:00
Location: somewhere

Post by str33tl0rd »

yeah, go bad_brain, write the tut.

Still_Learning
Fame ! Where are the chicks?!
Posts: 1040
Joined: 11 Jun 2008, 16:00
Location: Trigger City

Post by Still_Learning »

A tut would be nice. From what I understand, though, it only stays on your system for a couple of formats; if you format your drive like 7 times then everything is completely gone.

isapiens
Fame ! Where are the chicks?!
Posts: 533
Joined: 05 May 2006, 16:00
Location: Turn around

Post by isapiens »

damn. I wonder what kind of sensitive data B-Brain has? : )

I would like to hear how Linux stores it. I am sure I could read about it but I am lazy.

To his own laptop in frustration: "Quit dumping my sensitive info all over the place, bitch!"
Fluoridation is the most monstrously conceived and dangerous communist plot we have ever had to face.

Still_Learning
Fame ! Where are the chicks?!
Posts: 1040
Joined: 11 Jun 2008, 16:00
Location: Trigger City

Post by Still_Learning »

isapiens wrote:damn. I wonder what kind of sensitive data B-Brain has? : )

I would like to hear how Linux stores it. I am sure I could read about it but I am lazy.

To his own laptop in frustration: "Quit dumping my sensitive info all over the place, bitch!"
I would guess Linux stores it in a directory similar to Windows but with /'s instead of \'s... there is probably a good program to encrypt the partition or drive, like TrueCrypt.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

no, my "sensitive data" is NOT porn... :lol: passwords, server backups and stuff like that... :wink:
I used TrueCrypt and created a hidden volume inside an encrypted one; besides the password, a keyfile is needed to access the volume, and the keyfile is stored on a USB stick.

Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

Actually I remember having an application that was supposed to delete the secret XP logs about you! I know that it is out there and I used it once, but I do not remember what it is called any more.
We will either find a way, or make one.
- Hannibal

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

define file slack, tools, and whose job is it going to be

Post by DNR »

I use CCleaner and Kremlin to keep my box as tidy as possible. It is not a matter of someone actually getting physical access to my box to try to steal passwords, but of malware collecting data by looking for these logs. I can take all the care to conduct biznatch on the internet, but leave it to some log or memory leak to give out my last transaction or session, exposing an active cookie or an unencrypted user/pass.

File Slack Defined
Files are created in varying lengths depending on their contents. DOS, Windows and Windows NT-based computers store files in fixed length blocks of data called clusters. Rarely do file sizes exactly match the size of one or multiple clusters perfectly. The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called "file slack". Cluster sizes vary in length depending on the operating system involved and, in the case of Windows 95, the size of the logical partition involved. Larger cluster sizes mean more file slack and also the waste of storage space when Windows 95 systems are involved. However, this computer security weakness creates benefits for the computer forensics investigator because file slack is a significant source of evidence and leads.

File slack potentially contains randomly selected bytes of data from computer memory. This happens because DOS/Windows normally writes in 512 byte blocks called sectors. Clusters are made up of blocks of sectors. If there is not enough data in the file to fill the last sector in a file, DOS/Windows makes up the difference by padding the remaining space with data from the memory buffers of the operating system. This randomly selected data from memory is called RAM Slack because it comes from the memory of the computer. RAM Slack can contain any information that may have been created, viewed, modified, downloaded or copied during work sessions that have occurred since the computer was last booted. Thus, if the computer has not been shut down for several days, the data stored in file slack can come from work sessions that occurred in the past.

RAM slack pertains only to the last sector of a file. If additional sectors are needed to round out the block size for the last cluster assigned to the file, then a different type of slack is created. It is called drive slack and it is stored in the remaining sectors which might be needed by the operating system to derive the size needed to create the last cluster assigned to the file. Unlike RAM slack, which comes from memory, drive slack is padded with what was stored on the storage device before. Such data could contain remnants of previously deleted files or data from the format pattern associated with disk storage space that has yet to be used by the computer. NTI devotes quite a bit of time to the topic of file slack in its popular 5-Day Computer Forensics Course.

The following example has been provided to help clarify these definitions. -- Let's say that a file is created by writing the word "Hello" to a file. Assuming that this is the only data written in the file and assuming a two sector cluster size for the file, the data stored to disk and written in file slack could be represented as follows:

Hello+++++++++++++++++++|------------------------(EOC)

RAM Slack is indicated by "+"
Drive Slack is indicated by "-"

File Slack is created at the time a file is saved to disk. When a file is deleted under DOS, Windows, Windows 95, Windows 98 and Windows NT/2000/XP, the data associated with RAM slack and drive slack remains in the cluster that was previously assigned to the end of the 'deleted' file. The clusters which made up the 'deleted' file are released by the operating system and they remain on the disk in the form of unallocated storage space until the space is overwritten with data from a new file.

It is important that you understand the significance of file slack in computer-related investigations. Because file slack potentially contains data dumped randomly from the computer's memory, it is possible to identify network logon names, passwords and other sensitive information associated with computer usage. File slack can also be analyzed to identify prior uses of the subject computer, and such legacy data can help the computer forensics investigator. File slack is not a trivial item. On large hard disk drives, file slack can involve several hundred megabytes of data. Fragments of prior E-Mail messages and word processing documents can be found in file slack. From a computer forensic standpoint, file slack is very important as both a source of computer evidence and security risks.

You should also be aware that slack potentially exists on floppy disks, hard disks, Zip disks and other computer storage devices. Data stored in file slack on DOS, Windows, Windows 95, Windows 98 and Windows NT/2000/XP-based systems is captured with NTI's GetSlack software. Strings of text stored in file slack can also be identified using NTI's TextSearch Plus and TextSearch NT software utilities.
http://www.forensics-intl.com/def6.html

-------------------

check out these links for more..

http://computer.forensikblog.de/en/2008 ... ewire.html
The ability to read and write to another computer's physical memory through the FireWire interface was first exploited by Quinn "The Eskimo" in 2002. His program FireStarter allowed to remotely manipulate the contents of a target Mac's display. For his hack Quinn was awarded the first price at the MacHack Best Hack Contest 2002.

Michael Becher, Maximillian Dornseif and Christian N. Klein explained in their talk 0wn3d by an iPod at PacSec 2004 how FireWire could be used in a forensically sound memory acquisition procedure.

Adam Boileau (aka "Metlstorm") solved the problem of accessing a computer running Microsoft Windows in his presentation at RUXCON 2006. He also released some Python modules and memory acquisition tools.
-----------------
http://software.filefactory.com/Linux/O ... -6pl1.html
----------------
http://froebe.net/blog/2006/12/28/helix ... -computer/
-----------------

yea someone should put together a complete tut on computer forensics..

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
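An added worked example (my code, not from any post or from NTI's tools) of the RAM slack / drive slack arithmetic in bad_brain's and DNR's posts, plus the check a forensic examiner actually runs: carve readable strings out of the slack region of a file's last cluster, using the logical file size to know where real data stops. The 512-byte sector, the "Hello" file and the slack contents are constructed for illustration.

```python
SECTOR = 512  # DOS/Windows sector size, as in the file slack definition above

def slack_layout(file_size, sectors_per_cluster, sector=SECTOR):
    """Return (ram_slack, drive_slack) in bytes for a file of file_size bytes.

    RAM slack: the unused tail of the last sector the file data touches.
    Drive slack: any whole sectors left in the last cluster after that.
    Assumption: a file always occupies at least one cluster."""
    cluster = sectors_per_cluster * sector
    clusters = max(1, -(-file_size // cluster))        # ceiling division
    total_slack = clusters * cluster - file_size
    tail = file_size % sector                          # data bytes in the last sector
    ram_slack = sector - tail if tail else 0
    return ram_slack, total_slack - ram_slack

def slack_strings(last_cluster, file_size, sectors_per_cluster, min_len=6, sector=SECTOR):
    """Carve printable ASCII runs (>= min_len) out of the slack of a file's last cluster.

    last_cluster is the raw bytes of that cluster; file_size is the logical size from
    the directory entry, which tells us where real data stops and slack begins."""
    cluster = sectors_per_cluster * sector
    if len(last_cluster) != cluster:
        raise ValueError("need exactly one cluster of raw bytes")
    used = file_size % cluster or cluster              # file data bytes in this cluster
    found, run = [], bytearray()
    for b in last_cluster[used:]:                      # slack region only
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found

def build_sample_cluster():
    """Constructed 2-sector cluster for the post's 'Hello' example (not a real disk dump):
    5 bytes of file data, RAM slack holding an e-mail header fragment, and drive slack
    holding a remnant of an earlier, deleted file."""
    cluster = bytearray(2 * SECTOR)
    cluster[0:5] = b"Hello"
    cluster[200:200 + 24] = b"From: alice@example.test"  # lands in RAM slack (bytes 5..511)
    cluster[600:600 + 23] = b"old deleted report.docx"   # lands in drive slack (512..1023)
    return bytes(cluster)
```

For the post's "Hello" file with a two-sector cluster, `slack_layout(5, 2)` gives 507 bytes of RAM slack and 512 bytes of drive slack, exactly the "+" and "-" regions in the diagram.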

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

nice one DNR.... some interesting resources for me, I'll definitely go deeper into forensics, it's really interesting... :)

Still_Learning
Fame ! Where are the chicks?!
Posts: 1040
Joined: 11 Jun 2008, 16:00
Location: Trigger City

Post by Still_Learning »

bad_brain wrote:nice one DNR.... some interesting resources for me, I'll definitely go deeper into forensics, it's really interesting... :)
Is it true that all the info will be completely gone after 7 formats, with no way to recover it?

I tried using TrueCrypt and it just made a file that I have no idea how to put files inside of. Can I encrypt files that already exist, like say I want to encrypt a partition on my drive that contains backup files?

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

wiping or formatting

Post by DNR »

hey man, check out mach-5's kremlin - you might prefer it over truecrypt right now. if you get the older version of kremlin there are plenty of cracks/serials available to activate to full version ;)

Now, let's be clear - formatting a hard drive just dumps the FAT - the table that tells the computer where the files are located. It does not get rid of the file itself - it just tells the computer that the file space is available to OVERWRITE.

Wiping a hard drive is printing 1's and 0's and maybe even some random garbage OVER the file space. You can select how many times a program is to OVERWRITE the file space, like up to 7 times - but this can take a long time (esp. if the cops are already knocking on the door). So wiping the hard drive AFTER a format is the key: you get rid of the file allocation table, and you overwrite the data left in the file space.

TrueCrypt is good, but maybe not the easiest. I think most people like Kremlin; wait till you get to the menu where it asks you what kind of encryption you want to use: Blowfish, RC4, CAST-128, IDEA, NewDES, Safer SK-128 :-k

Version 2.21 has a crack/serial available, but you didn't hear it here..

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
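An added toy model (my code, not from the post or from any wiping tool) of the distinction DNR draws above: a quick format only empties the allocation table, so a carver that scans raw sectors still finds the data, and only overwriting the data region removes it. The FAT-like layout and the sample file contents are constructed for illustration and are not a real on-disk format.

```python
import os

SECTOR = 512

class ToyVolume:
    """Constructed toy FAT-like volume: a table mapping names to sector numbers,
    plus a raw data region. Only models table-vs-data, nothing else."""

    def __init__(self, sectors=16):
        self.table = {}                                   # name -> [sector numbers]
        self.data = bytearray(sectors * SECTOR)
        self.free = list(range(sectors))

    def write(self, name, payload):
        """Allocate enough sectors from the free list and copy payload into them."""
        need = -(-len(payload) // SECTOR)                  # ceiling division
        used, self.free = self.free[:need], self.free[need:]
        for i, s in enumerate(used):
            chunk = payload[i * SECTOR:(i + 1) * SECTOR]
            self.data[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.table[name] = used

    def quick_format(self):
        """Forget the table and mark every sector free; the data bytes are untouched."""
        self.table.clear()
        self.free = list(range(len(self.data) // SECTOR))

    def wipe(self, passes=1):
        """Overwrite the whole data region `passes` times, cycling zeros, ones, random."""
        n = len(self.data)
        for p in range(passes):
            self.data[:] = (b"\x00" * n, b"\xff" * n, os.urandom(n))[p % 3]

    def carve(self, needle):
        """What a recovery tool does: scan the raw sectors and ignore the table."""
        return self.data.find(needle) != -1

def format_vs_wipe():
    """Return (table_empty_after_format, carvable_after_format, carvable_after_wipe)."""
    v = ToyVolume()
    v.write("notes.txt", b"server backup password: constructed-sample-only")
    v.quick_format()
    after_format = (not v.table, v.carve(b"constructed-sample-only"))
    v.wipe(passes=2)                                      # zeros, then ones
    return after_format + (v.carve(b"constructed-sample-only"),)
```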

Still_Learning
Fame ! Where are the chicks?!
Posts: 1040
Joined: 11 Jun 2008, 16:00
Location: Trigger City

Post by Still_Learning »

Yeah, I just picked a random security method. lol it just created a 1 gig file, which was like my practice file for trying to learn TrueCrypt. So now I have a 1 gig TrueCrypt file and don't know how to add files to it.

The new 2600 magazine came in the mail today and has a great article on using TrueCrypt to create an encrypted USB Linux boot drive, which I am going to try out.

so I guess the key is to wipe the drive and format, format and wipe, format and wipe... I see... what's a good program to wipe the drive? thanks

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

2600 is still around?

Post by DNR »

2600 is a good old read.
You'd just be cool with one format, and then wipe the drive as many times as you'd have time for. Me? I just do the wipe 4 times. Make sure you know and understand which encryption method you chose - I watch the news for cracks involving encryption that I use - if people start cracking blowfish, then I'd switch over to Safer SK-128...

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
