Friday, November 6, 2009

Document Found!

Here's the setup. I created a partition, placed a Microsoft Office created Word document in that partition. I then deleted the document and designated the partition as HPA space. Well, magicrescue doesn't care about HPA space, as it was able to recover the deleted file. Which makes me wonder why this is so easy to find. Also, what are other ways to hide data? Which brought me to these articles on ext2 and ext3 slack space, and NTFS Alternate Data Streams (ADS). Of course I can only find bmap on packetstormsecurity.com. Yet, I can't get it compiled correctly. (sgml2latex error....and you want to be my latex salesman?) What I really want to do is hide data with bmap and see if magicrescue can find it. Also, I would like to hide a file via ADS and see if Identity Finder can locate it on my work computer. Just hoping some things go correctly for me here in the next week and a half. I've had enough of Identity Finder breaking and Symantec Endpoint Protection bombing, thus removing my network drivers. But, I digress....

Anyways, this is what I've been attempting to work on. Below are links to other articles I've been reading when I have had a chance. I've been busy with some other forensic-esque work at work lately. Anyone else find that Canadians like to try and hack php servers? I have a simple chat forum running for an event in our office that has been sluggish, to say the least. I attributed it to updates, but that wasn't the case. The error and access logs showed systematic attempts to find administrator login pages. Thousands of them in a short period of time. After blocking those individuals I'm still trying to figure out why it's slow. To be continued, I guess.

Articles:

http://www.linuxsecurity.com/content/view/117638/49/
http://blog.crowdway.com/2009/04/15/hide-data-in-hidden-partitions/
http://www.docstoc.com/docs/13637545/Data-hiding-and-finding-on-Linux
http://www.wikistc.org/wiki/Slack_space_data
http://books.google.com/books?id=nEqHuVht7HgC&pg=PA92&lpg=PA92&dq=linux+hide+data+in+slack+space&source=bl&ots=bLewREp97f&sig=ejFTtjwomuaIYNXBOWnL0MYyZRA&hl=en&ei=_D30SryVPInENpmz_OgF&sa=X&oi=book_result&ct=result&resnum=5&ved=0CBQQ6AEwBA#v=onepage&q=&f=false
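The access-log pattern described in the post (one client hammering administrator and login pages, thousands of requests in a short window) is the kind of thing a small script can pull out of a log before anyone has to eyeball it. The following is an added example and not code from the post or from any tool mentioned in it: it assumes the Apache combined log format, a hypothetical list of admin-style paths, and constructed log lines using documentation IP addresses (198.51.100.7, 192.0.2.10) standing in for the real log.

```python
"""Access-log scan for login-page probing: an added example, not a tool from the post.

Groups requests to administrator/login-style paths by client address and flags
any client that sends `threshold` or more such requests inside a sliding time
window. Constructed log lines stand in for the real Apache access log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format; only the fields used here are named (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Hypothetical list of paths that an ordinary visitor of a chat forum has no reason to request.
ADMIN_PATHS = re.compile(r"/(admin|administrator|wp-login\.php|wp-admin|phpmyadmin|login)", re.I)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_login_scanners(lines, window=timedelta(minutes=5), threshold=20):
    """Return {ip: peak_count} for clients whose admin-path requests reach `threshold` within `window`."""
    probes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and ADMIN_PATHS.search(rec["path"]):
            probes[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in probes.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):     # sliding window over the sorted timestamps
            while t - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed log: one client probing admin paths every few seconds, one ordinary chat user."""
    base = datetime(2009, 11, 6, 10, 15, 0, tzinfo=timezone(timedelta(hours=-5)))
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    probes = ["/admin/", "/administrator/", "/wp-login.php", "/phpmyadmin/", "/admin/login.php", "/login/"]
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=4 * i)).strftime(fmt)
        lines.append(f'198.51.100.7 - - [{ts}] "GET {probes[i % len(probes)]} HTTP/1.1" 404 512 "-" "Mozilla/5.0"')
    for i, path in enumerate(["/chat/index.php", "/chat/post.php", "/login/", "/chat/index.php"]):
        ts = (base + timedelta(minutes=i)).strftime(fmt)
        lines.append(f'192.0.2.10 - - [{ts}] "GET {path} HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, n in find_login_scanners(build_sample_log()).items():
        print(f"{ip}: {n} admin-path requests inside 5 minutes")
```

The threshold is what keeps the ordinary user out of the result: a single visit to /login/ is normal, thirty admin-path requests in two minutes from one address is not. Run against a real log, the output is a list of addresses to block or rate-limit and a count you can compare with the server's load graphs to see whether the probing explains the slowness.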

Thursday, November 5, 2009

Holy Hidden Partition Batman...

Happy dance time, again! I've been unable to recover any Microsoft Office documents that I purposefully delete. Until now! The only difference is that the document was created in Microsoft Office and not in Open Office. Apparently something is different in the file format/file signature. Which will be an investigation for another time. What I'm going to do now is hide the partition again (designate HPA space) and run another scan on the entire drive. I know the size of the file and document type. So, if magicrescue is able to read HPA space, I *should* find the document in the recovery reservoir. The only problem is, scanning 30 G is going to take 9+ hours. So, time to start the scan, and we'll see where we're at tomorrow!
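The file-signature difference the post suspects is real and is the core of how a carver like magicrescue works: it finds files by header bytes, not by anything in the (deleted) file system entry. A Word file from Microsoft Office 97-2003 starts with the OLE2 compound-document magic, while an OpenOffice .odt (and an Office 2007 .docx) is a ZIP container whose first member names the format, so a recipe keyed to the OLE2 magic walks straight past OpenOffice output. The following is an added example written for this post, not magicrescue's code or any of the author's: a minimal header-signature carver that scans a raw image, walks ZIP containers member by member so nested headers are not double-counted, and classifies each hit. The disk image it scans is constructed in memory (300-byte filler, a 512-byte OLE2 header stub, an ODF container, an OOXML container); the OLE2 end offset is not computed because that needs the OLE2 FAT, which this example does not parse.

```python
"""Header-signature carver: an added example, not magicrescue's own code.

Scans a raw byte image for the OLE2 compound-document magic (binary Office)
and for ZIP local file headers (OpenOffice ODF, Office 2007 OOXML), walks each
ZIP to its end-of-central-directory record, and reports what it found.
"""
import io
import struct
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # binary Office (.doc/.xls/.ppt)
ZIP_LOCAL = b"PK\x03\x04"                          # ZIP local file header
ZIP_CENTRAL = b"PK\x01\x02"                        # ZIP central directory entry
ZIP_EOCD = b"PK\x05\x06"                           # ZIP end of central directory
SIGNATURES = {"ole2": OLE2_MAGIC, "zip": ZIP_LOCAL}


def zip_container(image, start):
    """Walk a ZIP that begins at `start`; return (end_offset, first_member_name, first_member_data) or None."""
    pos, first_name, first_data = start, None, None
    while image[pos:pos + 4] == ZIP_LOCAL and pos + 30 <= len(image):
        (_ver, flags, method, _t, _d, _crc, csize, _usize, nlen, xlen) = \
            struct.unpack_from("<HHHHHIIIHH", image, pos + 4)
        if flags & 0x08:                # sizes deferred to a data descriptor: cannot walk without inflating
            return None
        data_start = pos + 30 + nlen + xlen
        if first_name is None:
            first_name = image[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
            first_data = image[data_start:data_start + csize] if method == 0 else b""
        pos = data_start + csize
    if first_name is None:
        return None
    while image[pos:pos + 4] == ZIP_CENTRAL and pos + 46 <= len(image):
        nlen, xlen, clen = struct.unpack_from("<HHH", image, pos + 28)
        pos += 46 + nlen + xlen + clen
    if image[pos:pos + 4] != ZIP_EOCD or pos + 22 > len(image):
        return None
    (clen,) = struct.unpack_from("<H", image, pos + 20)
    return pos + 22 + clen, first_name, first_data


def describe_zip(name, data):
    """Map a ZIP container's first member to a document family."""
    if name == "mimetype":              # ODF stores its MIME type uncompressed as the first member
        return "odf:" + data.decode("ascii", "replace")
    if name == "[Content_Types].xml":   # OOXML (.docx/.xlsx/.pptx)
        return "ooxml"
    return "zip"


def carve(image):
    """Return [(offset, end_or_None, kind)] for every container header found in `image`."""
    found, pos = [], 0
    while True:
        hits = [(i, kind) for kind, sig in SIGNATURES.items() if (i := image.find(sig, pos)) >= 0]
        if not hits:
            return found
        pos, kind = min(hits)
        if kind == "ole2":
            found.append((pos, None, "ole2"))   # real length needs the OLE2 FAT, not parsed here
            pos += len(OLE2_MAGIC)
            continue
        parsed = zip_container(image, pos)
        if parsed is None:                      # a stray "PK.." that is not a whole container
            pos += len(ZIP_LOCAL)
            continue
        end, name, data = parsed
        found.append((pos, end, describe_zip(name, data)))
        pos = end                               # skip the member headers inside this container


def make_zip(members):
    """Constructed helper: build an in-memory ZIP from (name, data, compress_type) tuples, in order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, method in members:
            zf.writestr(name, data, compress_type=method)
    return buf.getvalue()


def build_sample_image():
    """Constructed disk image: filler, an OLE2 header stub, an ODF .odt and an OOXML .docx."""
    doc = OLE2_MAGIC + b"\x00" * 16 + b"\x3e\x00\x03\x00" + b"\x00" * 484   # 512-byte header stub
    odt = make_zip([("mimetype", b"application/vnd.oasis.opendocument.text", zipfile.ZIP_STORED),
                    ("content.xml", b"<office:document-content/>", zipfile.ZIP_DEFLATED)])
    docx = make_zip([("[Content_Types].xml", b"<Types/>", zipfile.ZIP_DEFLATED),
                     ("word/document.xml", b"<w:document/>", zipfile.ZIP_DEFLATED)])
    filler = b"\x00" * 300
    return filler + doc + filler + odt + filler + docx + filler


if __name__ == "__main__":
    for offset, end, kind in carve(build_sample_image()):
        print(f"{kind:45} at {offset}" + (f" .. {end}" if end else ""))
```

Two things the scan shows that the post's experiment does not: the carver never looks at the partition table or the file system, which is why HPA designation and deletion both leave the bytes in reach, and a ZIP-based document is only recoverable by this route if its local headers carry sizes (no data descriptor), otherwise the walker has to inflate each member to find the next one.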

Wednesday, November 4, 2009

More magicrescue...

Well, I'm having a difficult time finding any data that I have purposefully hidden or deleted. I'm using Open Office to create Word documents and saving them to a partition. Now, magicrescue is recovering several documents, just not any of the documents I want it to find. Also, this is without the partition being declared HPA space. I'm going to try a couple of different things. First, create the documents in Microsoft Word. Each of the documents recovered was created in Microsoft Office, and I'm not sure if Open Office is the problem. I'm just trying to eliminate variables. Second, I'm going to try to search for something else, like JPEGs or PDFs. The problem isn't recovering data, it's recovering files I've purposefully deleted. So, if someone is hiding data in an HPA protected partition, I can find the partition and remove the HPA designation. (Thank you, Sleuth Kit tools!) Yet, if there was data in the partition that was deleted, I'm having a tough time recovering it.

To be continued...

Oh by the way, it takes 61 minutes to search a 3G partition. Did I mention this machine was slow?