Introduction

Two weeks ago three people were arrested for using credit card numbers stolen from Heartland Payment Systems in what many are calling the largest data breach in history.  At this time it is unknown what role these individuals played in the actual breach as the investigation is still open.   What we do know is that the breach occurred due to the presence of malicious software (malware) planted on Heartland’s payment processing network.  Apparently this software hid in the unallocated portion of the server’s disk (See Evan Shuman’s Blog Post Heartland Sniffer Hid in Unallocated Portion of Disk). 

When I read this I decided to reach out to a friend who also happens to be an expert in digital forensics.  I asked him if he would be willing to write a guest post for the blog that attempts to explain what happened in layman’s terms.  In response to my request Ian has provided two great guest posts on the topic.  The first, presented here, gives the reader a short primer on empty disk space.  As I read the two posts that he sent me I felt that it was important to put this post first as it forms the basis for his explanation of the technique used in the Heartland Incident.  (Look for that post on Thursday).

So without further ado, here is Ian Charters with his Short Primer on Empty Disk Space:


A Short Primer on Empty Disk Space

As unfortunate as it may be, sometimes even simple discussions of computer technology force you to get involved in some pretty complicated technical details. This is certainly the case when discussing “empty” disk space.  The whole point of this short post is to provide the background needed to understand the topic without getting hopelessly mired in bits and bytes.

Let’s start at the top.  There are three basic types of empty or unused disk space. They are:

  • Slack space
  • Unused disk space
  • Unallocated disk space


In order to understand what slack space is, it is important to have some basic understanding of how computers use or assign storage space on a hard disk drive.  When you tell the system to save a file, the operating system goes through a rather complex series of tasks.  However, for our purposes it:

1. Determines how large the file to be saved is;
2. Allocates an appropriate amount of space on the hard drive;
3. Makes a reference to the file; and then
4. Saves the file.

In order to illustrate this concept, let us use the analogy of a book.  Using the book analogy, the same steps could be described in this way:

1. Determine how long the chapter you are printing is;
2. Determine the number of pages required;
3. Note the chapter in the table of contents; and
4. Print the chapter.


Now let’s put these two together. 

Slack Space

To put it simply, slack space is the difference between the length of your chapter and the number of pages you have printed.  What does that mean?  Well, when you print a document you never really think about it, but there is almost always space at the end of the last page that isn’t used or is left blank.  That is the equivalent of slack space on a hard disk. 

Unused disk space

You would think that the concept of unused disk space would be simple and straightforward, and in some ways it is, but there are a couple of twists to the concept.  It is very important to keep in mind that computers don’t know anything if you don’t tell it to them.  So, the way computers use hard disk space is that they don’t “know” about any files or data that aren’t recorded in the table of contents.  If you have a 1000 page book (hard disk) and you have only written a few, say 4, chapters in it, and those chapters total say 43 pages, you have 957 empty pages (unused hard disk space), right?

Well, that is right as far as it goes.  What makes the concept of unused disk space a little more complicated is the way computers handle files (book chapters) when they delete them.  In order to understand this it is important to know a little bit about how hard disks are made.  They usually consist of a bunch of controlling electronics, several data disks, and what are called “read” and “write” heads.  These “heads” are really just thin probes that, well, er, read and write to the data disks.  Note that I said nothing about erasing.  So, if you think of a hard disk as a book, you might think of these “heads” as very fast readers and writers that, well, read from and write to the disk. Remember, these heads have no erasers.

Say you have been using your computer for a while.  You have created and deleted many files.  When a file is deleted, all the computer does is take the reference to that file (chapter) out of its index of files (table of contents).  What amazes many people is that after a file is deleted all of the data is left behind on the disk.  It is not erased.  The computer simply considers that space unused and therefore available for reuse.  So, chances are at some point the space will be reused and the original data will be overwritten. Until that happens, the data is still there.  It could be overwritten in an hour, or a day, or a week, or even a year from now.  It all really depends on when the computer needs the space that the old file was taking up. 

Keep this in mind the next time you chuck out an old computer.  You feel safe because you have deleted all of the sensitive files and then threw the whole thing out.  Well, what you just did was delete all of the references to your sensitive files, leave all the data on the disk, and then give the whole thing to someone you don’t know. Oh my!  Now you see why I warned that this seemingly simple topic can get complicated.

This is not the place to spend a lot of time on the topic.  But, if you are concerned about deleting sensitive data from a computer, talk to a computer security professional about your options.  The same applies to throwing out old computers.  There are simple, cheap and effective solutions to this problem.  But there is also a lot of snake oil being peddled out there that a simple web search will reveal as downloadable for only $39.95! Buyer beware.

Unallocated Disk Space

This last category of empty disk space is really of concern mostly to computer professionals.  Fortunately for us it is also a fairly simple topic.  You may or may not be aware that you can segment your hard disk into different sections called partitions.  The computer treats these partitions as separate smaller disks even though they are physically one hard drive.  This is much like defining your hard disk as containing several different books, each dedicated to a specific subject.  In terms of giving you flexibility to organize your data this can be a godsend.

Well, in the process of defining these books you may have a reason to define some books now and leave room to define new ones at some time in the future.  Say, for example, you might want to keep all of your financial and tax records in a separate partition or book.  What you would do in that case is leave a portion of the hard disk unallocated.

The ability to leave some disk space unallocated can also be of great use to a computer professional.  For example, let us say that a small company decided to deploy a server to serve as a repository for their client work.  They build the server and begin using it.  Sometime later they determine that it would be a wise move to back up this information onto a backup server (in case something happens to the first one).  By the time they decide this they are unable to purchase an exact copy of the first server.  Often, as the price of larger hard drives comes down, they are placed into the same make and model of server by the hardware providers.  The server itself stays at the same price point; however, it now has larger hard drives than its predecessor, which may only be a few months (or even weeks) old.  This makes things a little harder.  Well, one thing that can be done is to size the disk partitions in the backup server so that they match the disk sizes from the original server.  This is a pretty common and accepted practice.  It also means the remaining disk space on the larger drive is left unallocated. 
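As an added illustration that is not part of Ian’s post, here is a toy Python model of the book analogy above: a drive made of fixed-size clusters, a table of contents, a partition that covers only part of the drive, and heads that write but never erase. It shows slack space, that deleting a file leaves its bytes where an examiner can carve them back, and that overwriting unused clusters is what actually removes them. All names, sizes and file contents are constructed for the example.

```python
# Toy model of a disk, constructed for this post: fixed-size clusters, a
# table of contents (TOC), and read/write heads that never erase anything.
CLUSTER = 8  # bytes per cluster; real filesystems use e.g. 4096


class ToyDisk:
    def __init__(self, total_clusters, partition_clusters):
        # The partition (one "book") owns only the first clusters; the rest is unallocated.
        self.raw = bytearray(total_clusters * CLUSTER)
        self.partition_clusters = partition_clusters
        self.toc = {}        # name -> (first cluster, cluster count, byte length)
        self.in_use = set()  # clusters the TOC currently accounts for

    def unallocated_bytes(self):
        return len(self.raw) - self.partition_clusters * CLUSTER

    def save(self, name, data):
        # Steps 1-2: size the file and allocate whole clusters (first fit).
        n = -(-len(data) // CLUSTER)  # ceiling division
        start = next((s for s in range(self.partition_clusters - n + 1)
                      if not any(c in self.in_use for c in range(s, s + n))), None)
        if start is None:
            raise OSError("partition full")
        # Steps 3-4: note the file in the TOC, then write the bytes.
        self.toc[name] = (start, n, len(data))
        self.in_use.update(range(start, start + n))
        self.raw[start * CLUSTER:start * CLUSTER + len(data)] = data
        return n * CLUSTER - len(data)  # slack: allocated but unused bytes

    def read(self, name):
        start, n, size = self.toc[name]
        return bytes(self.raw[start * CLUSTER:start * CLUSTER + size])

    def delete(self, name):
        # Deletion only removes the TOC entry; the bytes stay on the platter.
        start, n, _ = self.toc.pop(name)
        self.in_use.difference_update(range(start, start + n))

    def carve(self, marker):
        # What an examiner does: scan clusters the TOC does not account for
        # (unused and unallocated alike) for recognisable content.
        return [c for c in range(len(self.raw) // CLUSTER)
                if c not in self.in_use
                and marker in self.raw[c * CLUSTER:(c + 1) * CLUSTER]]

    def wipe_unused(self):
        # The "simple, cheap and effective" fix: overwrite whatever the TOC
        # does not reference, so deleted data can no longer be carved back.
        for c in range(len(self.raw) // CLUSTER):
            if c not in self.in_use:
                self.raw[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)
```

Saving a 15-byte file costs two 8-byte clusters (1 byte of slack); after `delete()` the text is still found by `carve()` until another file or `wipe_unused()` overwrites it.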

Building off of this, we will move on to examine what may have happened in the Heartland breach and how it really isn’t anything new.  Stay tuned for “The Ghost in the Machine”.

About the Author

With over 20 years of experience in the field of digital forensics, Ian Charters has a unique perspective on the evolution of digital forensics.  His career has taken him from the private sector into government service and back to the private sector. 

After successfully starting and running his own networking, software development and systems integration firm, Ian was recruited into the nation’s Intelligence Community, including service in both the Defense Intelligence Agency and the Central Intelligence Agency where he proudly served his country for over 20 years. 

Upon retiring from Federal service, Ian served as the Security Practice Leader with the Unisys Federal Group based in Reston, Virginia.  While being responsible for leading the practice’s efforts in the development, sales, and delivery of a full range of IT security solutions, he was responsible for the development and introduction of code application assurance into the Federal market. 

Ian is currently a Senior Manager in a Big 4 Accounting firm’s information security and risk management practice.  His responsibilities include leading engagements to provide security services to both commercial enterprises and government agencies.

Ian holds a Bachelor of Arts in Political Science from Washington State University and a Master of Arts in Security Policy Studies from George Washington University, in addition to completing extensive post-graduate and commercial coursework in Computer Security, Architectures, Networking, Programming, Telecommunications, Computer Simulation and Simulation Theory.  He is a frequent seminar speaker with the Potomac Forum Ltd, a non-profit educational foundation (www.potomacforum.org), and serves on the Board of Advisors for Ascension Risk Management LLC (www.ascensionriskmanagement.com).
