Slack Files
Slack space occurs on a hard drive or floppy when a file gets partially overwritten after deletion. The new file does not completely fill in the space created by the old file’s data. So, a slack space of residual data remains in the area between the end of file (EOF) boundary of the new file and the end of the cluster. On a given disk, then, large amounts of “hidden data” exist. These fragments may offer considerable evidence about what was deleted from the disk.
Bitstream copying will preserve slack space. Simple copying will not. Once safely backed up, the contents of slack space will be visible by using software such as hex editors and the Norton Utilities. Such examination needs to be done by a qualified computer forensics specialist. If you need a list of questions to ask an examiner to evaluate his or her qualifications, try this Web page: http://www.keycomputer.net/equest.htm. A good article giving an overview of examining a computer is in the March 1997 issue of Security Management, “Confessions of a Hard Drive” by Kristopher A. Sharrar and Jose Granado.
Slack space may reveal:
- Evidence of pornography.
- Records of criminal activity or transactions.
- Deleted email used for illegal purposes.
- Files used in scams and to commit frauds.
- Stolen proprietary files and databases.
- Downloads from the Internet and the Web.
- Stolen or pirated software.
Digital Evidence and Computer Crime by Eoghan Casey also has a good overview of slack space on hard disks and how bitstreaming preserves the evidence.
Cryptography
Cryptography is a vast subject, and it can be as abstract as quantum physics. The average computer sleuth, though, does not have to know the inner workings of designing cryptographic algorithms. But, he or she does need to know the difference between simple and complex cryptography.
Simple cryptography is much like the decoder rings found in cereal boxes when you were a kid. The classic cipher along this vein is Caesar’s Cipher, which rotated the alphabet three letters to the right. In other words, in the ciphertext the letter H substitutes for the letter E in the plaintext. A modern version of this substitution cipher is ROT13, where the shift is thirteen (13) letters.
Another simple technique is to XOR the plaintext (apply an exclusive OR against a repeating key). For a more sophisticated method, using a Vigenere Square (an alphabet matrix: http://www.trincoll.edu/depts/cpsc/cryptography/vigenere.html) produces a more difficult substitution cipher. Unfortunately, these methods are way too easy for computers to break and result in very weak ciphers and encrypted passwords.
The fact that certain letters in English have a higher frequency than others (“e” being the most common) makes these ciphers vulnerable. Yet, some software packages continue to use them for cryptographic protection. Such software may claim to have a secret, proprietary algorithm for encryption. A computer sleuth can check the strength of a package’s cryptography by having it encrypt some known text. If repetitions in letter patterns and frequencies are apparent (you can guess where the letters A or E are), then the encryption is weak. Breaking it using the resources found in the URLs below should be straightforward.
Strong, complex cryptography, suitable for the computer age, takes the form of PGP, Triple DES, Blowfish, RSA, Twofish, and other publicly documented strong algorithms. Tested in the public arena by experts, they will stand up to cryptanalysis for reasonable periods of time, provided they are implemented properly. And, they are only as good as the security precautions used to protect them. If a user is careless about safeguarding the keys used in the cipher, no matter how good the algorithm, the message will be compromised. So checking a computer and the floppies nearby for unencrypted files containing keys is a standard investigative step. If the user has employed complex cryptography to protect a file or password and you can’t find the keys, bring in a qualified computer forensics expert to develop a strategy for accessing the data.