Concealing and Recovering Hard Disk Data

Data recovery is not limited to cases with failed hard drives and corrupted file systems. If you delete a file it seems that is has gone forever. Of course, this is not true and there are many methods to get the file back. This is known to ordinary computer users and also to people involved in criminal activities. If you wan to delete some data it is not enough to delete the file, you need at least to overwrite it few times with some patterns to actually wipe out any remains of the original file. But there are also other ways to conceal data. You only need special software for writing and reading at hidden places.

Forensic data recovery experts need to know all the tricks that people use to hide their data. This may involve simple file deletion, alternative data streams, file slack space and other non-conventional file system features and places. Forensic data recovery goes beyond conventional methods to repair disks and file systems. The goal of forensics is to recover all deleted and hidden data that may contain valuable information or evidence.

File Deletion

The fact is that a lot of people think that deleting a file make it impossible to get the data back. They can not be more wrong. Data from deleted file is still where it was. It is only the the file system table that has this file flagged as deleted and the space available for writing. Unless we overwrite the space used by the deleted file it is pretty straightforward to recover any deleted file. There are many data recovery tools that can do the job. They are available for all operating systems and support all major file systems.

Secure File Deletion

The next step in hiding files to to securely delete files. It is not enough to press the delete button—you need to overwrite data belonging to this file with other (random) data. And not only once. Few such overwriting steps are needed to make sure no trace of the original file will remain. This way we will actually eliminate the possibility to use advanced (and expensive) methods to recover overwritten files.

Such methods are possible because the data is written as a stream of magnetic pulses on the disk platters. Since head does not always go over the same location there are also traces of previous writings that can be used to recover data. Such techniques include magnetic force microscopy and are used only in extreme situations. But the fact is that a secure file deletion is not a trivial task and forensic data recovery experts should take this into account.

File Slack Space

Each file system has a property that can be used to hide files. This property called file slack space is a consequence of how the data is stored. Disks are organized into sectors, blocks and other data structures. Each file occupies certain amount of blocks. And since file sizes are rarely equivalent to sizes of blocks there is a lot of unused space. For example, if the block size is 4K and the file size is 5K, the file would be stored using two blocks and 3K of data would remain unused. Special software can use this slack space to hide data. Since this method of hiding files is pretty simple it can be used by more advanced cyber criminals to store data that may incriminate them. Of course, data forensics are aware of this method and the have advanced tools to discover hidden files.

Alternative Data Streams

This is a legal method in NTFS file system that was originally not intended to hide data but to provide a simple mechanism to add associate some data with files. You can use ordinary file writing/reading commands to write additional data (files) that are associated with folders or files. These additional files are normally not visible in the file explorer—you need special software to discover them. Of course, if you know where are located and how are named you can easily access them as normal files. Such places are also a convenient place to hide malicious software. Modern anti virus software and forensic data recovery experts are aware of such data streams and can easily check file system to detect and recover hidden files in alternative data streams.


Tags: , , ,