• Embed Doc
  • Copy Link
  • Readcast
  • Collections
  • CommentGo Back
Download
 
Data hiding and finding on Linux
Anton Chuvakin, Ph.D.
WRITTEN: 2002-2003
DISCLAIMER
:Security is a rapidly changing field of human endeavor. Threats we face literally change every day; moreover, many security professionals consider the rate of changeto be accelerating. On top of that, to be able to stay in touch with such ever-changingreality, one has to evolve with the space as well. Thus, even though I hope that thisdocument will be useful for to my readers, please keep in mind that is was possibly written years ago. Also, keep in mind that some of the URL might have gone 404, please Google around.
 The article briefly touches upon hiding, finding and destroying dataon Linux file systems. It should become clear that the area of computerforensics, aimed at recovering the evidence from captured disk drives,has many challenges, requiring knowledge of hardware, operatingsystems and application software.It is common knowledge, that what is deleted from the computer cansometimes be brought back. Recent analysis of security implicationsof "alternative datastreams" on Windows NT by Kurt Seifried(http://seifried.org/security/advisories/kssa-003.html) has shown thatWindows NTFS filesystem allows data hiding in "alternativedatastreams" connected to files. These datastreams are not destroyedby many file wiping utilities that promise irrecoverable removal of information. Wiping the file means "securely" deleting it from disk(unlike the usual removal of file entries from directories), so thatfile restoration becomes extremely expensive or impossible.
 
Some overview of what remains on disk after file deletion, how it canbe discovered and how such discovery can be prevented are providedhere http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html Theauthor recommends overwriting files multiple times with specialpatterns. Against casual adversaries, simply overwriting the file withzeros once will help.Linux has no alternative data streams, but files removed using /bin/rmstill remain on the disk. Most likely, Linux system uses ext2filesystem (or its journaling version, ext3 by RedHat). A casual lookat the design of ext2 filesystem(http://e2fsprogs.sourceforge.net/ext2intro.html) shows several placeswhere data can be hidden.Let us start with the classic method to hide material on UNIXfilesystems (not even ext2 specific): run a process that keeps thefile open and then remove the file. The file contents are still ondisk and the space will not be reclaimed by other programs. It isworthwhile to note, that if an executable erases itself, its contentscan be retrieved from /proc memory image: command "cp /proc/$PID/exe/tmp/file" creates a copy of a file in /tmp.If the file is removed by /bin/rm, its content still remains on disk,unless overwritten by other files. Several Linux unerase utilities(e2undel - http://e2undel.sourceforge.net/ or recover -http://recover.sourceforge.net/) attempt automated recovery of files. They are based on "Linux Ext2fs Undeletion mini-HOWTO"
 
(http://www.linuxdoc.org/HOWTO/mini/Ext2fs-Undeletion.html) thatprovides a nice guide to file recovery from Linux partitions. Recoverycan also be performed manually using debugfs Linux utility (asdescribed in the above HOWTO).Overall, if recovery is attempted shortly after file removal and thepartition is promptly unmounted, chances of complete recovery arehigh. If the system was heavily used, the probability of successfuldata undeletion significantly decreases. However, if we are to look atthe problem from the forensics point of view, the chances of recovering *something* (such as a small part of the illegal image forthe prosecution) is still very high. It was reported that sometimesparts of files from several years ago are found by forensic examiners. Thus files can be hidden in free space. If many copies of the samefile are saved and then erased, the chance of getting the contentsback becomes higher using the above recovery methods. However, due tothe intricacies of ext2 filesystem, the process can only be reliablyautomated for small files.A more detailed look at ext2 internals reveals the existence of slackspace. Filesystem uses addressable parts of disk called blocks, thathave the same size. Ext2 filesystems typically use 1,2 or 4 KBblocks. If a file is smaller than the block size, the remaining spaceis wasted. It is called slack space. This problem long plagued earlyWindows 9x users with FAT16 filesystems, which had to use block sizesof up to 32K, thus wasting a huge amount of space if storing small
of 00

Leave a Comment

You must be to leave a comment.
Submit
Characters: ...
You must be to leave a comment.
Submit
Characters: ...