Forensics Journal - Stevenson University 2011 | Page 47

Registry hiding and slack space hiding are alternative methods. On any Windows-based host system, the registry is the “central repository for configuration data that is stored in a hierarchical manner” (Wong n. pag.). The host system accesses the registry constantly to look up the information it needs to execute system tasks and processes. Registry key values support binary data types, the same types the system uses to hold executable code, which makes the registry a valuable archive location for malicious use. Using this binary support, an entire executable could be stored in a single registry key, or the executable could be segmented and its pieces “placed in several dispersed keys” (Wong n. pag.), further promoting obfuscation and increasing the difficulty of detecting malicious files. Within the registry, text-based information may also be encoded into binary form using hexadecimal notation, storing the “binary form in registry values as a string using type REG_SZ” (Wong n. pag.) for the key value. Hexadecimal notation is simply an alternative way to represent the same characters: each hexadecimal digit ranges over 0-F, in place of the 0-1 of a binary digit. For example, the word “password” in hexadecimal is 70 61 73 73 77 6F 72 64, which corresponds to the binary representation 01110000 01100001 01110011 01110011 01110111 01101111 01110010 01100100. This encoding carries the same data but hides text-based information from ready discovery. An implementation flaw in the Windows registry engine causes the registry itself to hide value names between 256 and 259 characters long from viewing and editing, while also hiding any key values they contain.
This flaw can be exploited to hide malicious code in the AUTORUN registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The operating system references this location to determine which executable files will run during system startup. If a specifically crafted registry key with a binary value were given a string name between 256 and 259 characters long and inserted into this registry location, the executable binary would run during the system startup process. Its execution, however, would be transparent to the user and hidden by the registry viewer module.

Three main types of slack space exist on the physical storage medium: volume slack, file system slack, and file slack. Volume slack is the “unused space between the end of the file system and the end of the partition where the file system resides” (Huebner 219). Volume slack offers the largest amount of available space, since it can be as large as any unused space on a physical hard drive or at the end of a logical partition. File system slack is the unused space at the end of the file system that has not been allocated to any cluster in the physical or logical partition. File slack is the “unused space between the end of the file and the end of the last allocated cluster” (Huebner 220). [Refer to Figures 1-4.] Slack remains available until the unused space is overwritten by other data or the original resident file grows by more than the currently available slack space.

[FIGURE 1: Single 4KB file (a 4k file filling the cluster). FIGURE 2: 1KB file and slack space (1k file, 3k slack space). FIGURE 3: Multiple files in the same cluster, no slack space (1k file, 1k file, 2k file). FIGURE 4: Two contiguous 4KB clusters with a 6KB file (4k of the 6k file; 2k of the 6k file, 2k slack space).]
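As an added example (not code from the journal article), the Python below encodes text the way the registry hiding section describes and then audits a constructed set of Run-key values for the two patterns discussed there: hex-encoded text stored in REG_SZ data and value names in the 256-259 character range. The sample values are invented, and the extra check for an MZ header in REG_BINARY data is my own assumption about what an examiner would look for when an executable is stored whole in a value.

```python
import re
import string

# Constructed sample of values under the Run key as (name, type, data).
# These are illustrative only, not values taken from a real system.
SAMPLE_RUN_VALUES = [
    ("OneDrive", "REG_SZ", r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("Updater", "REG_SZ", "70 61 73 73 77 6F 72 64"),      # hex-encoded "password"
    ("A" * 257, "REG_BINARY", b"MZ\x90\x00\x03\x00"),      # name in the hidden 256-259 range
    ("Helper", "REG_SZ", "plain text"),
]

def text_to_hex(text):
    """Encode ASCII text as space-separated hex bytes (the REG_SZ trick)."""
    return " ".join(f"{b:02X}" for b in text.encode("ascii"))

def text_to_binary(text):
    """Same data as text_to_hex, written out as 8-bit binary groups."""
    return " ".join(f"{b:08b}" for b in text.encode("ascii"))

HEX_RUN = re.compile(r"^(?:[0-9A-Fa-f]{2}\s*){4,}$")

def decode_hex_string(data):
    """Return the text if data is a run of hex byte pairs that decodes to
    printable ASCII; otherwise None (ordinary strings and paths fall through)."""
    if not HEX_RUN.match(data.strip()):
        return None
    decoded = bytes.fromhex("".join(data.split())).decode("ascii", errors="replace")
    return decoded if all(c in string.printable for c in decoded) else None

def audit_run_values(values):
    """Flag values matching the hiding patterns described above: names
    256-259 characters long, hex-encoded text in REG_SZ data, and binary
    data starting with a PE/MZ header (assumed check for an embedded executable)."""
    findings = []
    for name, vtype, data in values:
        if 256 <= len(name) <= 259:
            findings.append((name, f"value name length {len(name)}: hidden by registry viewer"))
        if vtype == "REG_SZ" and (text := decode_hex_string(data)) is not None:
            findings.append((name, f"REG_SZ holds hex-encoded text {text!r}"))
        if vtype == "REG_BINARY" and data[:2] == b"MZ":
            findings.append((name, "REG_BINARY begins with an MZ header (embedded executable)"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_run_values(SAMPLE_RUN_VALUES):
        print(f"{name[:20]!r:>24}  {reason}")
```

On a live Windows host the same audit would be run over values read from the Run key with the standard library's winreg module, which is omitted here so the example runs offline.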
CYBER FORENSICS

Although a multitude of steganography, data obfuscation, and data transformation techniques are available to cyber criminals, equally robust and capable mechanisms exist to assist in the discovery of hidden data. Cyber forensics is the discipline used by highly trained examiners to discover, detect, utilize, and in some cases, sterilize infected systems through the removal of hidden data a