3 Jan 2010

HOW HACKERS HIDE DATA IN COMPUTERS

As the scope of cyber crime increases, new investigative methods using the latest scientific developments and new software are becoming popular.

The rate of cyber crime is increasing in our country. A recent survey reveals that over Rs.3500 million is lost annually to white-collar crime, which includes cyber crime. When law enforcement agencies investigate cyber crimes, they use digital forensics, which involves examining a computer system to unearth evidence against cyber criminals. Many new investigative methods that use the latest scientific developments and new software are becoming popular in this field. Cyber crimes naturally involve computer hackers, who usually leave some evidence or tracks on the system.

Generally, cyber criminals conceal data on the hard drive. There are two popular techniques for hiding data on a hard drive: one exploits low-level formatting and the other exploits partitioning. With low-level formatting, hackers prefer redundant sectors and bad sectors. With partitioning, data can be hidden in inter-partition gaps, unallocated space, partitions, boot records, partition tables and deleted partitions. To fully understand this, we should know the details of the Windows file systems or other popular file systems.

Understanding File Systems


Low-level formatting is performed at the factory and creates the sectors. Each sector holds 512 bytes of data plus some overhead, which provides error correction. The hard drive controller remaps bad sectors to redundant (spare) sectors, and criminals can misuse these redundant sectors.
 
FAT (File Allocation Table) is a family of file systems popular in the Microsoft Windows environment. Tools such as WinHex, Undelete and File Scavenger can be used to analyse FAT structures.

NTFS is the usual file system on Windows XP, Windows NT and Windows Server operating systems. It provides file compression and an encrypting file system, and it keeps file system metadata that describes the structure of the file system.

The Master File Table (MFT) is the heart of NTFS. Every file or directory has at least one entry in the MFT, called a file record, whose default size is 1024 bytes. Data is stored in clusters, the smallest unit of disk space NTFS allocates. Every cluster in NTFS has a logical cluster number (LCN), and cluster numbering starts at zero.

There are also metadata files such as $Boot, $LogFile, $BadClus and $Volume that describe the file system. These metadata files can be explored with the help of WinHex.

One important feature of NTFS is alternate data streams (ADS), which can be attached to any file with a command such as `c:\notepad anyfile.txt:hide`. Here, any hidden data can be typed into the stream `anyfile.txt:hide` of the text file anyfile.txt.

The hidden data may be 100 KB in size, yet the reported size of anyfile.txt does not change. Many hackers use this ADS feature to hide information while uploading files onto a victim's computer. Often, when a computer saves a file on the hard disk, the file does not fill an exact number of clusters. The last cluster remains partly filled, and that slack space is where a hacker can hide information. Sysinternals command-line tools can be used to unearth this data.
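The two hiding places described above can be audited from a defender's side. The following PowerShell script is an added example, not part of the article: it walks a directory tree on an NTFS volume, lists every alternate data stream other than the default `:$DATA` stream, and estimates how much cluster slack each file's main stream leaves. `$Root` and `$BytesPerCluster` are assumed values; confirm the real cluster size with `fsutil fsinfo ntfsinfo C:`.

```powershell
# Added example (not from the article): find alternate data streams and
# estimate cluster slack under a directory on an NTFS volume.
# $Root and $BytesPerCluster are assumed values for this example.
param(
    [string]$Root = 'C:\Users\Public',
    [int]$BytesPerCluster = 4096
)

function Get-SlackBytes {
    # Unused bytes in the last cluster allocated to a stream of $Length bytes.
    param([long]$Length, [int]$ClusterSize)
    if ($Length -eq 0) { return 0 }      # an empty file owns no cluster
    $rem = $Length % $ClusterSize
    if ($rem -eq 0) { return 0 }         # file ends exactly on a cluster boundary
    return $ClusterSize - $rem
}

$files = Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue

# 1. Alternate data streams. Get-Item -Stream * returns one object per NTFS
#    stream; ':$DATA' is the file's ordinary content, anything else is an ADS.
$adsReport = foreach ($file in $files) {
    $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue
    foreach ($s in ($streams | Where-Object { $_.Stream -ne ':$DATA' })) {
        # Zone.Identifier is the browser's mark-of-the-web and is usually benign;
        # any other named stream deserves a closer look.
        $note = if ($s.Stream -eq 'Zone.Identifier') { 'mark-of-the-web' } else { 'REVIEW' }
        [pscustomobject]@{
            File   = $file.FullName
            Stream = $s.Stream
            Bytes  = $s.Length
            Note   = $note
        }
    }
}
$adsReport | Sort-Object Note, File | Format-Table -AutoSize

# 2. Cluster slack: files whose last cluster has the most room for hidden bytes.
$files |
    Select-Object FullName, Length,
        @{ n = 'SlackBytes'; e = { Get-SlackBytes -Length $_.Length -ClusterSize $BytesPerCluster } } |
    Sort-Object SlackBytes -Descending |
    Select-Object -First 10 |
    Format-Table -AutoSize
```

The slack figure is an upper bound on what the last cluster could hold; reading the bytes beyond the logical end of file still requires a raw-disk tool such as WinHex, since the file system API stops at the file's length.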