Quantifying Windows File Slack in Size and Stability

Slack space can be used to hide data from the operating system and other users. While some forms of data hiding are easily detectable, others are subtle and require an experienced forensic practitioner to discover the hidden data. The amount of data that can be hidden varies with the type of slack space and environmental parameters such as filesystem block size and partition alignment. This paper evaluates the amount of file slack space available in Windows systems and the stability of slack space over time with respect to system updates. Measurements of the file slack for eighteen versions of Microsoft Windows with the NTFS filesystem reveal that many of the files change very little during system updates and are, thus, highly suitable for hiding data. A model is presented for estimating the amount of data that can be hidden in the file slack space of Windows filesystems of arbitrary size.


Quantifying Windows File Slack in Size and Stability
Martin Mulazzani, Sebastian Neuner, Peter Kieseberg, Sebastian Schrittwieser, Markus Huber, Edgar Weippl
SBA Research & TU Vienna, Austria

Slack Space
Space between the end of the allocated space and the space actually used.
Different forms of slack space:
- File slack
- RAM slack
- $MFT slack
- Partition slack
- Volume slack
- Host Protected Area
- Device Configuration Overlay
- ...

File Slack in Particular
Clustering as an artefact of filesystems:
- Goal: reduce addressing overhead
- Sector size vs. cluster size (512 B / 4 KB)
- Part of ext4, FAT32, HFS+, NTFS, ...
- Occurs for every file that doesn't align perfectly with the cluster size
In forensics:
- Can contain old file fragments
- Even if the file was securely deleted (shred / wiped)
- Tools like slacker.exe or bmap are freely available
- Recently: random sector hashing

NTFS Details
- NTFS e.g. with 2 KB cluster size and 512 B sector size
- 4 sectors per cluster
- approx. 700-byte file in the picture (in general, what matters is the size mod 2048)
- Windows pads only till 1024: the remainder of the last used sector is zero-filled (RAM slack), while the remaining two sectors of the cluster are never written and keep whatever data was there before (file slack)
In general: NTFS uses a 4 KB cluster size for volumes up to 16 TB

Problem Description
The current problems with file slack space:
- 3 TB hard drives are commodity hardware
- Possibly a lot of file slack
- Even worse if the cluster size is large
- Stable as long as the file is not re-written

Our Contribution
- Quantify file slack in different versions of Windows
- Evaluate stability with regard to system updates
- Present a formula for estimating file slack capacity

Experiment Design
- Install Windows in a VM
- Patching, patching, patching ...
- Collect the hard drive state after each reboot
- Use fiwalk from Garfinkel et al. [1]
  - Generates XML based on DFXML [2]
  - Includes e.g. hash values and extracted metadata
Use Python scripts to measure slack space capacity:
- For each file > 4 KB
- Detect file updates via:
  1. SHA-1 hash values
  2. timestamp ctime = metadata change time

XML Example (DFXML excerpt shown as a figure; not included in the transcript)

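The measurement step of the experiment design above, as an added example that is not the authors' released scripts: two DFXML snapshots of the same volume (one before and one after an update run) are parsed, the file slack of every file larger than 4 KB is computed for the default 512 B sector / 4 KB cluster geometry, and a file's slack counts as persisted only if its size, SHA-1 and ctime are all unchanged, the same two update signals the slides use. The DFXML element names (fileobject, filename, filesize, alloc, ctime, hashdigest) are those fiwalk writes; the two snapshots, the file names, sizes and digests are constructed for the example.

```python
"""Added example (not the authors' released scripts): measure NTFS file-slack
capacity from two DFXML snapshots of the same volume and determine how much of
that slack persisted between them, using the same two update signals as the
talk: SHA-1 content hash and ctime (metadata change time)."""
import xml.etree.ElementTree as ET

SECTOR = 512     # bytes per sector
CLUSTER = 4096   # bytes per cluster: NTFS default for volumes up to 16 TB
MIN_SIZE = 4096  # as on the slides, files of 4 KB or less are ignored


def file_slack(size, sector=SECTOR, cluster=CLUSTER):
    """Usable file slack of a file of `size` bytes: the whole sectors between
    the last sector Windows writes and the end of the last cluster.  The tail
    of the last written sector is zero-filled by Windows (RAM slack) and so is
    not counted.  Example: 700-byte file, 2 KB clusters -> 1024 bytes."""
    if size <= 0:
        return 0
    used_sectors = -(-size // sector)            # ceil(size / sector)
    sectors_per_cluster = cluster // sector
    unused_sectors = (-used_sectors) % sectors_per_cluster
    return unused_sectors * sector


def _local(tag):
    """Strip the XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def parse_dfxml(text):
    """Return {filename: (size, sha1, ctime)} for allocated files.  Only the
    DFXML fields fiwalk emits that this analysis needs are read."""
    files = {}
    for fo in ET.fromstring(text).iter():
        if _local(fo.tag) != "fileobject":
            continue
        rec = {}
        for el in fo:
            tag = _local(el.tag)
            if tag == "hashdigest" and el.get("type") == "sha1":
                rec["sha1"] = (el.text or "").strip()
            elif tag in ("filename", "filesize", "alloc", "ctime"):
                rec[tag] = (el.text or "").strip()
        if rec.get("alloc", "1") != "1":
            continue  # unallocated (deleted) entries are not usable slack
        files[rec["filename"]] = (int(rec["filesize"]), rec.get("sha1"), rec.get("ctime"))
    return files


def slack_capacity(files, min_size=MIN_SIZE):
    """Total file slack (bytes) over all files larger than min_size."""
    return sum(file_slack(size) for size, _, _ in files.values() if size > min_size)


def persisted_slack(before, after, min_size=MIN_SIZE):
    """(initial, persisted) slack in bytes.  A file's slack counts as persisted
    only if the file still exists with the same size, SHA-1 and ctime: an
    in-place rewrite with identical content keeps the hash but bumps ctime,
    and that rewrite overwrites the slack."""
    initial = slack_capacity(before, min_size)
    persisted = sum(
        file_slack(size)
        for name, (size, sha1, ctime) in before.items()
        if size > min_size and after.get(name) == (size, sha1, ctime)
    )
    return initial, persisted


def stability_report(before_xml, after_xml):
    before, after = parse_dfxml(before_xml), parse_dfxml(after_xml)
    initial, persisted = persisted_slack(before, after)
    return {"initial": initial, "persisted": persisted,
            "fraction": persisted / initial if initial else 0.0}


# --- constructed sample snapshots (not real fiwalk output) -----------------
DFXML_NS = "http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML"


def _fileobject(name, size, sha1, ctime):
    return (f"<fileobject><filename>{name}</filename><filesize>{size}</filesize>"
            f"<alloc>1</alloc><ctime>{ctime}</ctime>"
            f"<hashdigest type='sha1'>{sha1}</hashdigest></fileobject>")


def _snapshot(records):
    body = "".join(_fileobject(*r) for r in records)
    return (f"<dfxml xmlns='{DFXML_NS}' version='1.0'>"
            f"<volume offset='0'>{body}</volume></dfxml>")


def _fake_sha1(ch):
    return ch * 40  # placeholder 40-hex-digit digest, not a real hash


T0, T1 = "2012-01-15T10:00:00Z", "2012-03-20T09:30:00Z"
BEFORE_DFXML = _snapshot([
    ("Windows/System32/a.dll", 70000, _fake_sha1("a"), T0),  # 137 sectors, 7 unused -> 3584 B slack
    ("Windows/System32/b.sys", 9000, _fake_sha1("b"), T0),   # 18 sectors, 6 unused -> 3072 B
    ("Windows/System32/c.exe", 12300, _fake_sha1("c"), T0),  # 25 sectors, 7 unused -> 3584 B
    ("Windows/inf/d.inf", 1500, _fake_sha1("d"), T0),        # 4 KB or less: ignored
])
AFTER_DFXML = _snapshot([
    ("Windows/System32/a.dll", 70000, _fake_sha1("a"), T0),  # untouched: slack persists
    ("Windows/System32/b.sys", 9000, _fake_sha1("b"), T1),   # rewritten with same content: ctime changed
    ("Windows/System32/c.exe", 12800, _fake_sha1("e"), T1),  # updated binary
    ("Windows/inf/d.inf", 1500, _fake_sha1("d"), T0),
])

if __name__ == "__main__":
    r = stability_report(BEFORE_DFXML, AFTER_DFXML)
    print(f"initial {r['initial']} B, persisted {r['persisted']} B ({r['fraction']:.0%})")
```

Checking both signals matters: b.sys above keeps its SHA-1 but not its ctime, so a hash-only comparison would wrongly count its 3072 bytes of slack as stable even though the rewrite overwrote the cluster.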
Initial Slack Space
Operating System          Slack (MB)
Windows XP Pro.               22
Windows XP Pro. SP2           26
Windows XP Pro. SP3           19
Vista Business                53
Vista Business SP1            66
Vista Business SP2            51
Vista Ent. SP1                67
Vista Ent. SP2                72
Windows 7 Pro.                64
Windows 7 Pro. SP1            65
Windows 7 Ent.                83
Windows 7 Ent. SP1            65
Windows 8 RC                  86
Server 2003 R2 Std. SP2       24
Server 2003 R2 Ent. SP2       17
Server 2008 R2 Std.           75
Server 2008 R2 Std. SP1       70
Server 2012 RC                70

Final Slack Space
Operating System          Updates  SPs  Final (MB)  Init (MB)
Windows XP Pro.             189     2       37         22
Windows XP Pro. SP2         164     1       29         26
Windows XP Pro. SP3         177     0       23         19
Vista Business              246     2      147         53
Vista Business SP1           72     1      120         66
Vista Business SP2          143     0       83         51
Vista Ent. SP1              207     1      140         67
Vista Ent. SP2              143     0      114         72
Windows 7 Pro.              156     1      115         64
Windows 7 Pro. SP1          106     0       78         65
Windows 7 Ent.              212     1      455         83
Windows 7 Ent. SP1          167     0      382         65
Windows 8 RC                 11     0       87         86
Server 2003 R2 Std. SP2     163     0       34         24
Server 2003 R2 Ent. SP2     167     0       35         17
Server 2008 R2 Std.         148     1      147         75
Server 2008 R2 Std. SP1     103     0       73         70
Server 2012 RC                6     0       71         70

Final Slack Space - Boxplot (figure not included)

Slack Stability
Initial thought:
- How often are OS files updated, anyway?
- i.e., how many files will ever be re-written after installation?
- Our belief: most OS files are rather static in nature
Results:
- On average: 78% of the initial slack, or 44 MB, persisted
- Top (relative!):
  - Vista SP2 (67 MB, 90%)
  - Windows 7 Pro SP1 (60 MB, 90%)
- Good percentages for large OS versions without a service pack
(two figure slides on slack stability not included)

Observations
Complexity of the OS increases the number of files:
- Windows XP = approx. 10,000 files
- Windows 7 = approx. 40,000 files
- Windows 8 = approx. 55,000 files
Service packs add many additional files, e.g.:
- Windows Vista started with approx. 35,000
- after 2 service packs = approx. 90,000

Suitable File Types
Different distribution of file types:
XP Pro SP2           Windows 7 Pro        Server 2008 R2
.dll   4414          .dll   6302          .dll   7303
.exe   1106          .mui   3906          .cat   6752
.sys    793          .est   3190          .est   4204
.inf    692          .inf   1352          .mui   3907
.pnf    674          .gpd   1303          .exe   1364
.chm    317          .exe   1067          .gpd   1303
.htm    233          .png   1051          .inf   1160
.nls    192          .cat    945          .mum    909
.jpg    186          .pnf    914          .ppd    806
...                  ...                  ...
Σ  11723 / 8607      Σ  29561 / 20030     Σ  36394 / 27708

Limitations
- No 4 KB sector sizes considered
- No user actions
- No user software (Flash, Office, services)
- Small files (< 4 KB) were omitted
Thus our numbers are a conservative lower bound!

Capacity Approximation Formula
Slack capacity depends on the following factors:
- s = sector size
- k = sectors per cluster
- n = number of files
For standard NTFS (4 KB cluster, 512 B sector):
- S = 1792 * n
  (1792 = s * (k - 1) / 2 = 512 * 3.5: with file sizes spread evenly within a cluster, on average 3.5 of the 8 sectors of a file's last cluster stay unwritten)
- But: rather large error margin for small n

Larger Cluster Size
Large NTFS cluster sizes:
- Can increase file slack tremendously
- Can have a valid cause
- Especially e.g. file servers
- Worth investigating though
Example - Windows Vista:
- Random image from our test data
- 90,000 files, approx. 150 MB of slack with 4 KB clusters
- Increases to 1.25 GB with a 32 KB cluster size
- NTFS supports up to 64 KB per cluster

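The capacity formula and the cluster-size scaling of the two preceding slides, worked through as an added example that is not part of the deck. The slides give the constant 1792 without a derivation; the model here is my assumption: file sizes are uniformly spread within a cluster, so the number of unwritten whole sectors at the end of a file is uniform over 0..k-1, which yields exactly s * (k - 1) / 2 = 1792 bytes per file for 512 B sectors and 8 sectors per cluster, and also explains why the estimate is loose for small n. The 90,000-file count is the Vista image from the slide; the expected totals the model gives (about 161 MB at 4 KB clusters, about 1.45 GB at 32 KB) sit above the measured 150 MB and 1.25 GB, since real file sizes are not uniform within a cluster.

```python
"""Added example (not from the slides): the capacity model behind S = 1792 * n.
Assumption: file sizes are uniformly spread within a cluster, so the number of
unused whole sectors at the end of a file is uniform over 0..k-1."""


def unused_sectors(size, s=512, k=8):
    """Whole sectors of a file's last cluster that Windows never writes
    (s = sector size in bytes, k = sectors per cluster)."""
    if size <= 0:
        return 0
    used = -(-size // s)                 # ceil(size / s)
    return (-used) % k


def expected_slack_per_file(s=512, k=8):
    """Exact mean file slack (bytes) by enumerating every size residue
    1..k*s within one cluster; equals s * (k - 1) / 2, i.e. 1792 for 512/8."""
    total = sum(unused_sectors(r, s, k) for r in range(1, k * s + 1))
    return total * s / (k * s)


def capacity_estimate(n, s=512, k=8):
    """Return (mean, std) of the total slack in bytes for n files.  Per file
    the unused-sector count has mean (k-1)/2 and variance (k^2-1)/12; over n
    independent files the mean scales with n and the std with sqrt(n), which
    is why the estimate is loose for small n and tight for a whole install."""
    mean = n * s * (k - 1) / 2
    std = (n * (k * k - 1) / 12) ** 0.5 * s
    return mean, std


def relative_error(n, s=512, k=8):
    """Standard deviation of the total as a fraction of its expectation."""
    mean, std = capacity_estimate(n, s, k)
    return std / mean


if __name__ == "__main__":
    n = 90_000  # file count of the Vista image on the slide
    for cluster_kb in (4, 8, 16, 32, 64):
        k = cluster_kb * 1024 // 512
        mean, std = capacity_estimate(n, 512, k)
        print(f"{cluster_kb:>2} KB clusters: ~{mean / 2**20:8.1f} MB "
              f"(+/- {std / 2**20:.2f} MB, {relative_error(n, 512, k):.2%})")
    # slide's measured values for comparison: ~150 MB at 4 KB, 1.25 GB at 32 KB
    for n_small in (10, 100, 1000):
        print(f"n={n_small:>5}: relative std {relative_error(n_small):.1%}")
```

For the 4 KB / 512 B case the per-file standard deviation is about 1.17 KB, so with n = 10 files the total is uncertain by roughly 20%, while for a 90,000-file install it drops below 0.3%; that is the "large error margin for small n" caveat on the formula slide in numbers.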
Future Work
Future work for our tools:
- Tackle the limitations discussed above
- Survey of slack in deployed installations
- Deeper analysis of file types / directories
- Expand the analysis to other operating systems / filesystems

Sharing is Caring
We will release the data and tools openly:
- Analysis scripts
- XML files
- Ping me for early access

Thank you for your time! Questions? mmulazzani@sba-research.org

Table 2 (backup slide, content not included)

References
[1] S. Garfinkel. Automating disk forensic processing with SleuthKit, XML and Python. In Systematic Approaches to Digital Forensic Engineering, 2009 (SADFE '09), Fourth International IEEE Workshop on, pages 73-84. IEEE, 2009.
[2] S. Garfinkel. Digital forensics XML and the DFXML toolset. Digital Investigation, 2011.
