Posts Tagged “Digital Forensics”

Introduction

This is the second in a two-part guest post by Ian Charters, an expert in digital forensics.  After reading Evan Schuman’s blog post, Heartland Sniffer hid in Unallocated Portion of Disk, I asked Ian if he would be willing to write a guest post on the topics that Mr. Schuman detailed in his post.  My thought was to reframe, in layman’s terms, what happened so that managers and executives would have a better understanding of the incident without getting tied up in technical terms.  What I received were two submissions that gave a bit of background on unallocated disk space and then looked at what is reported to have happened in the Heartland Incident.

Many thanks to Ian for sharing his time and knowledge with us.  Ladies and Gentlemen: Is there a Ghost in the Machine:

Is there a Ghost in the Machine?

It just seems that in the world of computer security and digital forensics, the more things change, the more they stay the same.  In this case, I’m referring to a recent security incident reported by Evan Schuman in his wonderful blog, entitled Heartland Sniffer hid in Unallocated Portion of Disk.

The incident that Mr. Schuman describes is typical of today’s credit card information theft.  It appears that organized criminals in Eastern Europe targeted a credit card payment processing firm.  They implanted a software sniffer on the firm’s servers (a sniffer is a software package that examines and records data moving across the network it is attached to).  The sniffer apparently collected significant amounts of unencrypted credit card data.  From a technical point of view, what makes the incident interesting is that the sniffer appears to have been installed in unallocated disk space on Heartland’s servers.  (For those who might need to brush up on what unallocated disk space is, see “A short primer on empty disk space”.)

What was not reported was how the collected data was stored (presumably also in unallocated disk space), and how the collected data was moved off the network.  If the storage and transfer of the stolen data was handled in as sophisticated a manner as the implanting of the sniffer, this was an attack of some significance.  

Getting back to the initial issue: using unallocated disk space to hide files and executables is not a new technique.  It does require a significant level of sophistication, both for the programmer involved and for those operating the scheme overall.  One of the first times I saw the technique used was around 1990. At the time MP3s were fairly new but immensely popular with young computer professionals of all stripes. Young programmers in particular wanted to listen to music at work.  However, folks running the networks didn’t want them to use the network’s resources to listen to (and, perhaps unfairly, presumed to be sharing) music.  So, the cat and mouse game of hide and seek began.  When the “mice” started hiding their file shares in plain sight using unallocated disk space, they pretty much had the upper hand for a while.

The problem with this is that eventually this same technology started being used for darker purposes. Folks involved in the illegal or unlicensed sale of software wanted to have their software securely stored, but they also didn’t want the software associated with them, or indeed located anywhere physically connected to them, for fear of arrest.  In the early 1990s, Federal law enforcement started treating the trade in illegal or unlicensed software seriously.  This resulted in several spectacular arrests. So, the folks selling unlicensed software started hacking corporate servers in order to hide their unlicensed software in the unallocated disk space found on those servers.

Even before the peddlers of unlicensed software started using this approach, hackers had been storing and hiding their hacking tools on corporate servers.  This led to an interesting underworld market in hacked servers, in which hackers would take over corporate or even government servers and “sell” control of the servers within the underworld to the highest bidder.  Unfortunately, this trade goes on even today.

Because I was aware of all of the silly games of file hide and seek going on, I got into the habit of regularly overwriting the slack space, unused space and unallocated space on my computers. I even did this on my home computers at the time.  However, with time the popularity of this approach to hiding data declined in favor of other techniques. As a result I also stopped this preventive practice.  I guess Evan’s article reminds me that there are several old security techniques that I have discontinued and should reconsider. If you have similar concerns, please contact a digital forensics professional.  After all, I see a lot of “solutions” offered on the internet.  In many cases, if you aren’t careful, the cure is worse than the original symptom.

Thanks Evan, for the great article and the nudge to never forget the past. 

About the Author

With over 20 years of experience in the field of digital forensics, Ian Charters has a unique perspective on the evolution of digital forensics.  His career has taken him from the private sector into government service and back to the private sector. 

After successfully starting and running his own networking, software development and systems integration firm, Ian was recruited into the nation’s Intelligence Community, including service in both the Defense Intelligence Agency and the Central Intelligence Agency where he proudly served his country for over 20 years. 

Upon retiring from Federal service, Ian served as the Security Practice Leader with the Unisys Federal Group based in Reston, Virginia.  While responsible for leading the practice’s efforts in the development, sales, and delivery of a full range of IT security solutions, he was also responsible for the development and introduction of code application assurance into the Federal market.

Ian is currently a Senior Manager in a Big 4 Accounting firm’s information security and risk management practice.  His responsibilities include leading engagements to provide security services to both commercial enterprises and government agencies.

Ian holds a Bachelor of Arts in Political Science from Washington State University and a Masters of Arts in Security Policy Studies from George Washington University in addition to completing extensive post-graduate and commercial coursework in Computer Security, Architectures, Networking, Programming, Telecommunications, Computer Simulation and Simulation Theory.  He is a frequent seminar speaker with the Potomac Forum Ltd, a non-profit educational foundation (www.potomacforum.org) and serves on the Board of Advisors for Ascension Risk Management LLC (www.ascensionriskmanagement.com).


Introduction

Two weeks ago three people were arrested for using credit card numbers stolen from Heartland Payment Systems in what many are calling the largest data breach in history.  At this time it is unknown what role these individuals played in the actual breach, as the investigation is still open.  What we do know is that the breach occurred due to the presence of malicious software (malware) planted on Heartland’s payment processing network.  Apparently this software hid in the unallocated portion of the server’s disk (see Evan Schuman’s blog post Heartland Sniffer Hid in Unallocated Portion of Disk).

When I read this I decided to reach out to a friend who also happens to be an expert in digital forensics.  I asked him if he would be willing to write a guest post for the blog that explains what happened in layman’s terms.  In response to my request Ian has provided two great guest posts on the topic.  The first, presented here, gives the reader a short primer on empty disk space.  As I read the two posts that he sent me, I felt that it was important to put this post first, as it forms the basis for his explanation of the technique used in the Heartland Incident.  (Look for that post on Thursday.)

So without further ado, here is Ian Charters with his Short Primer on Empty Disk Space:

A Short Primer on Empty Disk Space

As unfortunate as it may be, sometimes even simple discussions of computer technology force you to get involved in some pretty complicated technical details. This is certainly the case when discussing “empty” disk space.  The whole point of this short blog is to provide the background needed to understand the topic without getting hopelessly mired in bits and bytes.

Let’s start at the top.  There are three basic types of empty or unused disk space. They are:

  • Slack space
  • Unused disk space
  • Unallocated disk space


In order to understand what slack space is, it is important to have some basic understanding of how computers use or assign storage space on a hard disk drive.  When you tell the system to save a file, the operating system goes through a rather complex series of tasks.  However, for our purposes it:

1. Determines how large the file to be saved is;
2. Allocates an appropriate amount of space on the hard drive;
3. Makes a reference to the file; and then
4. Saves the file.

In order to illustrate this concept, let us use the analogy of a book.  Using the book analogy, the same steps could be described in this way:

1. Determine how long the chapter you are printing is;
2. Determine the number of pages required;
3. Note the chapter in the table of contents; and
4. Print the chapter.

Now let’s put these two together. 

Slack Space

To put it simply, slack space is the difference between the length of your chapter and the number of pages you have printed.  What does that mean?  Well, when you print a document you never really think about it, but there is almost always space at the end of the last page that isn’t used or is left blank.  That is the equivalent of slack space on a hard disk.

Unused disk space

You would think that the concept of unused disk space would be simple and straightforward, and in some ways it is, but there are a couple of twists to the concept.  It is very important to keep in mind that computers don’t know anything if you don’t tell it to them.  So, the way computers use hard disk space is that they don’t “know” about any files or data that aren’t recorded in the table of contents.  If you have a 1000 page book (hard disk) and you have only written a few chapters in it, say 4 chapters totaling 43 pages, you have 957 empty pages (unused hard disk space), right?

Well, that is right as far as it goes.  What makes the concept of unused disk space a little more complicated is the way computers handle files (book chapters) when they delete them.  In order to understand this it is important to know a little bit about how hard disks are made.  They usually consist of a bunch of controlling electronics, several data disks, and what are called “read” and “write” heads.  These “heads” are really just thin probes that, well, er, read and write to the data disks.  Note that I said nothing about erasing.  So, if you think of a hard disk as a book, you might think of these “heads” as very fast readers and writers that, well, read from and write to the disk. Remember, these heads have no erasers.

Say you have been using your computer for a while.  You have created and deleted many files.  When a file is deleted, all the computer does is take the reference to that file (chapter) out of its index of files (table of contents).  What amazes many people is that after a file is deleted all of the data is left behind on the disk.  It is not erased.  The computer simply considers that space unused and therefore available for reuse.  So, chances are at some point the space will be reused and the original data will be overwritten. Until that happens, the data is still there.  It could be overwritten in an hour, or a day, or a week, or even a year from now.  It all really depends on when the computer needs the space that the old file was taking up.

Keep this in mind the next time you chuck out an old computer.  You feel safe because you have deleted all of the sensitive files and then threw the whole thing out.  Well, what you just did was delete all of the references to your sensitive files, leave all the data on the disk, and then give the whole thing to someone you don’t know. Oh my!  Now you see why I warned that this seemingly simple topic can get complicated.

This is not the place to spend a lot of time on the topic.  But, if you are concerned about deleting sensitive data from a computer, talk to a computer security professional about your options.  The same applies to throwing out old computers.  There are simple, cheap and effective solutions to this problem.  But there is also a lot of snake oil being peddled out there that a simple web search will reveal as downloadable for only $39.95! Buyer beware.

Unallocated Disk Space

This last category of empty disk space is really of concern mostly to computer professionals.  Fortunately for us it is also a fairly simple topic.  You may or may not be aware that you can segment your hard disk into different sections called partitions.  The computer treats these partitions as separate smaller disks even though they are physically one hard drive.  This is much like defining your hard disk as containing several different books, each dedicated to a specific subject.  In terms of giving you flexibility to organize your data this can be a godsend.

Well, in the process of defining these books you may have a reason to define some books now and want to define some new ones at some time in the future.  Say, for example, you might want to keep all of your financial and tax records in a separate partition or book.  What you would do in that case is leave a portion of the hard disk unallocated.

The ability to leave some disk space unallocated can also be of great use to a computer professional.  For example, let us say that a small company decided to deploy a server to serve as a repository for their client work.  They build the server and begin using it.  Sometime later they determine that it would be a wise move to back up this information onto a backup server (in case something happens to the first one).  By the time they decide this they are unable to purchase an exact copy of the first server.  Often, as the price of larger hard drives comes down, they are placed into the same make and model server by the hardware providers.  The server itself stays at the same price point; however, it now has larger hard drives than its predecessor, which may only be a few months (or even weeks) old.  This makes things a little harder.  Well, one thing that can be done is to size the disk partitions in the backup server so that they match the disk sizes from the original server.  This is a pretty common and accepted practice.  It also leaves the possibility that the remaining disk space on the larger drive will be left unallocated.
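To make the three kinds of empty space concrete, here is an added example that is not part of Ian’s post: a toy disk in Python that models the “table of contents” described above. The cluster, disk and partition sizes are assumed values, and the scan_unreferenced and wipe_unreferenced helpers are hypothetical names for the defender’s check and the overwriting practice mentioned in “Is there a Ghost in the Machine?”.

```python
CLUSTER = 16             # assumed bytes per allocation unit; real disks use e.g. 4096
DISK_CLUSTERS = 64       # assumed size of the whole "book": 64 pages
PARTITION_CLUSTERS = 48  # pages inside the one partition; the rest stay unallocated


def clusters_for(length):
    return -(-length // CLUSTER)  # ceiling division


class ToyDisk:
    def __init__(self):
        self.media = bytearray(CLUSTER * DISK_CLUSTERS)  # raw platter bytes
        self.toc = {}  # "table of contents": name -> (first_cluster, byte_length)

    def referenced(self):
        """Clusters that some table-of-contents entry points at."""
        used = set()
        for start, length in self.toc.values():
            used.update(range(start, start + clusters_for(length)))
        return used

    def save(self, name, data):
        """Steps 1-4 of the post: size it, allocate, add the reference, write."""
        need, used = clusters_for(len(data)), self.referenced()
        for start in range(PARTITION_CLUSTERS - need + 1):  # first fit
            if not used & set(range(start, start + need)):
                break
        else:
            raise OSError("partition full")
        self.toc[name] = (start, len(data))
        off = start * CLUSTER
        self.media[off:off + len(data)] = data  # slack bytes keep their old content

    def delete(self, name):
        """Deletion only drops the table-of-contents entry; no byte changes."""
        del self.toc[name]

    def slack(self, name):
        """Bytes in the file's last cluster that lie past the file's end."""
        start, length = self.toc[name]
        end = start * CLUSTER + length
        return bytes(self.media[end:(start + clusters_for(length)) * CLUSTER])

    def scan_unreferenced(self):
        """Defender's check: non-zero bytes in clusters no live file references."""
        used, hits = self.referenced(), []
        for c in range(DISK_CLUSTERS):
            if c not in used and any(self.media[c * CLUSTER:(c + 1) * CLUSTER]):
                hits.append((c, "unallocated" if c >= PARTITION_CLUSTERS else "unused"))
        return hits

    def wipe_unreferenced(self):
        """The overwriting practice from the first post; slack in live files stays."""
        used = self.referenced()
        for c in range(DISK_CLUSTERS):
            if c not in used:
                self.media[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)
```

Saving a 20-byte file, deleting it and saving an 18-byte file into the same clusters leaves two bytes of the old file in the new file’s slack, and wipe_unreferenced does not touch them because a live file owns that cluster. That is why the overwriting practice in the first post covered slack space as well as unused and unallocated space.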

Building off of this, we will move on to examine what may have happened in the Heartland breach and how it really isn’t anything new.  Stay tuned for “The Ghost in the Machine”.


The following is a very interesting white paper on the Evolution of Digital Forensics by Ian Charters.  Ian is a very good friend of mine and a member of the Board of Advisors for my company Ascension Risk Management.  The paper is aimed at the layman and explores how digital forensics has evolved over the years.

Ian’s background has covered a wide range of environments.  He began his career as an independent businessman with his own networking and software development firm before he was recruited into the nation’s Intelligence community.  His tenure there spanned over 20 years and included service in both the Defense Intelligence Agency (DIA) and the Central Intelligence Agency (CIA).  It is from this time period that Ian’s experience with digital forensics springs.

If you have ever been interested in Digital Forensics then this paper is a great introduction into the field.  It is a quick, non-technical overview of the subject and aimed at the general reader.  Further papers may explore some of the more technical aspects of digital forensics and how they can be used in the corporate environment. 

This white paper was originally posted on The Guerilla CISO, a blog run by another friend of mine.  It is cross-posted here with permission by both The Guerilla CISO and the author. 


Click here to download the white paper in PDF format:

The Evolution of Digital Forensics by Ian Charters
