Info Security Review Chapt 5


Fragmentation

A file may consist of several clusters in a row or its clusters may be scattered across the hard drive. The scattering often is called fragmentation. It can slow the system down when we work with those files. This is why people occasionally run a "defragment" utility on their hard drive. The utility moves the clusters in each file so that they are contiguous; this makes it faster to access the files. Fragmentation also refers to wasted space on the hard drive. Most files contain a "fragment" of wasted space at the very end. If a file ends exactly at the end of a cluster, then there is no wasted space. More often, the file ends short of the end of the cluster. The remaining space can't be used in another file, so the space is wasted.

Compromised Systems

Just as a bicycle incident may render a bike vulnerable without damaging it, an incident might render Bob's computer more vulnerable to attack. For example, a suitemate might disable access permissions on system files. Bob's computer now has been compromised. In Victorian times, people spoke of "compromising one's reputation." This indicated that an incident had rendered the reputation suspect, even without proof of misbehavior. The "compromise" indicates that the computer is no longer trustworthy, because it may have been subverted. We recover from attacks, incidents, and compromises by taking corrective steps; the recovery process often is called remediation.

ADDRESS, INDEX, AND POINTER VARIABLES

Most programmers first encounter address variables when working with arrays. We select individual items from an array by using an index variable. This is the simplest type of address variable. The index value chooses which array element to use, just like an address variable chooses which memory location to use. Other variables may contain the complete address of a memory location; these are called pointer variables.

COLLECTING EVIDENCE AT THE SCENE

• Secure the scene and all relevant digital equipment.
• Document the scene (evidence log).
• Collect digital evidence.

HIGH-LEVEL FORMAT

The high-level format of a hard drive refers to the layout of its file system. Different file systems store particular information in particular places, as described later in this chapter. Typically, the high-level format divides the drive into groups of sectors called clusters (Figure 5.6). Each file contains one or more clusters. The file system keeps track of the clusters. When we create a new file or add more data to an existing file, the system locates an unused cluster and adds it to the file.

Cyclic Redundancy Checks

To improve error detection, more sophisticated drives computed more sophisticated check values using a CRC. A well-designed CRC detects "burst" errors, like a sequence of 0s or 1s, much more reliably than parity checking. CRCs may yield check values of 32 bits or more.

Hard Drive Controller

To read and write data reliably, we must move the head assembly very precisely over the desired track. We also must be sure to read or write the correct sector on the track. Modern hard drives use a special circuit, the drive controller, to operate the head assembly and select the correct sector. Figure 5.4 illustrates the parts of a controller using a hardware block diagram. Such diagrams show the major components in a hardware device, and the signals that pass between those components.

The Fourth Amendment

Under U.S. law, surveillance and seizure are restricted by the Fourth Amendment of the Bill of Rights: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized. The Fourth Amendment is, in turn, based on English common law, which treats a person's home as a "castle" intended to ensure personal safety and, if desired, seclusion. Government agents, including police officers, may intrude on one's home, but only after presenting a justifiable reason to a different official, such as a justice of the peace.

Incident Response and Attack

When we write information to a file, the file system copies that information onto blocks of storage on our hard drive or flash drive. The system then saves information about the blocks' locations in the file's folder. When we delete a file, most operating systems move it to a special folder called "trash" or "recycle." If we want to recover the file, we simply move it back to a permanent folder. After emptying the trash, the file system deletes the file from the folder, and then frees its data blocks to be reused the next time we write to the drive. Once we write new data over the old file's data blocks, it becomes almost impossible to recover the file. However, drives often have a lot of free space. Recently freed blocks might not be reused for hours or even weeks. An undelete program tries to reconstruct a file by locating the freed data blocks before they are reused. This act also is called file scavenging. Even though Bob and Tina "emptied the trash" each time they deleted the file, they didn't really remove the information from the hard drive.

due diligence

in other words, they must have taken reasonable steps to protect the files. If they could have used stronger measures and failed to, then perhaps they bear responsibility for the failure. If, on the other hand, they used the customary security measures and the community accepts those measures as adequate, then they showed due diligence. The instructor could justifiably hold them responsible if they failed to use the same security measures as others.

digital forensics

when we need to collect evidence from computers and other digital storage devices. Forensic techniques recover, preserve, and analyze information from a computer system to show what its users were doing. When we take a serious action, like firing an employee or pursuing legal measures against an attacker, we must take special care in collecting evidence. If the evidence must support legal action, then it must be admissible in court. Questions of gathering evidence are fundamental to forensics:

• What data should we try to collect before a security incident that we can use as evidence after one occurs?
• What data are we allowed to collect and use as evidence from an individual's computer?
• What data can we retrieve from persistent computer memories, like hard drives and USB flash drives?

The answers depend heavily on the legal system that applies to the computers, their owners, and the perpetrators of the attack.

LEGAL SYSTEMS

1. Civil law—based on legislative enactments. Roman and Napoleonic laws are examples of this.
2. Common law—based on judicial decisions. English Common Law and the U.S. legal system follow this tradition.
3. Religious law—based on religious systems or documents. Jewish, Islamic, and Christian canon law systems are examples of this.

Memory Sizes and Address Variables

As we look at hard drives and other large (and growing) storage devices, we use particular words and acronyms to identify large numbers. When we talk about storage in particular, we often need to say where information resides; we need to express its address. We often need to store that address in a variable; we call such things an address variable.

Parity Checking

Errors have plagued computer memories since their invention. Magnetic tapes often used a simple technique called parity checking to detect errors. The tape drives handled data on a byte-by-byte basis, storing each byte across the width of the tape. The parity check stored an extra "parity bit" with each byte. We calculate parity by looking at the individual bits in a byte. Each bit has a value of either 0 or 1. We count the number of bits containing the value 1. For example, Figure 5.7 shows the data bits stored in a single byte of a "nine-track tape." The first track contained the parity bit and the remaining tracks contained the eight data bits, one per track. On the left of the figure, the tape contains the numeric value "3" in printable text; its 9-bit code is shown as "1 0011 0011." The nine-track tape stored data with "odd parity," which means that the parity bit is chosen to yield an odd number of 1 bits. If the eight data bits had already contained an odd number of 1 bits, then the correct parity bit would be 0. To detect an error in odd parity, we count the 1 bits, including the parity bit. The right side of Figure 5.7 shows the result of a 1-bit tape error that has changed the "3" character to a "7" character. We detect the error by counting the 1 bits on the tape, including the parity bit. These appear in the lower right of the figure. The character code for "7" contains an odd number of 1 bits. When we combine this with the parity bit, we have an even number of 1 bits, yielding "even parity." The tape drive detects this as an error when reading the tape, because the byte no longer contains odd parity.

Storing Data on a Hard Drive

Even though we rely heavily on solid state drives and flash drives today, hard drive storage remains less expensive and is still widely used. Hard drives have heavily influenced how today's file systems work. These details help us understand what information a file system provides an investigator and what information it might hide. If we can retrieve a file after deleting it, a more clever program might give someone a way to actually hide data without deleting it. A clever computer hacker, when arranging a hard drive, might set aside space for secret file storage that isn't visible in the normal navigation windows. A really clever programmer might hide small bits of data, like encryption keys, in the "unused" space at the end of a file, or in "unusable" sections of the file system. To understand these tricks, we must understand hard drives and file systems.

Checksums

Hard drives store blocks of data in sectors, so it makes sense to check for errors on a per-sector basis. The simplest approach is to perform a checksum; we use a simple rule to calculate the check value from the sector's data. In Figure 5.8, for example, we have a 4-byte sector of data containing the text "$109." To calculate the check value, we add together the character codes stored in the sector's data bytes, and discard extra bits that don't fit in an 8-bit byte. We then store the checksum in the final byte of the sector.

Error Correcting Codes

Parity, checksums, and CRCs are all examples of error detecting codes (EDCs), techniques to detect errors. There are also techniques that both detect and correct errors, called error correcting codes (ECCs). These can correct smaller errors in a sector and detect larger errors. An ECC yields one of the few corrective measures available to system designers, because it both detects a problem and corrects it in some cases. Commercial hard drives have traditionally used CRCs to calculate sector check values. Sophisticated techniques like ECCs were used on RAMs and DVDs. As hard drives have increased in size and sophistication, some have adopted ECCs.

file allocation table (FAT)

Thanks to Moore's law, hard drive sizes have increased dramatically. They occasionally have exceeded the maximum size of contemporary file systems. The earliest version of FAT, now called "FAT 12," supported a maximum drive size of 15 MB. This was sufficient for the introduction of Microsoft's Disk Operating System (MS-DOS), which premiered with the first IBM PC in 1981. FAT 12 worked with the first PC hard drives, which were limited to 5 or 10 MB, but hard drives soon grew to 20 MB and larger. The user couldn't simply tell the file system to use the larger size. The FAT 12 format really was designed for diskettes holding less than 700 KB. It had no way to deal with more than 15 MB of hard drive space. Moreover, it was risky and difficult to try to patch the file system to support larger devices.

Boot Blocks

The boot block resides on the first sectors of the hard drive; these are the blocks read by the BIOS when we boot from this drive. Every file system stores special information in the boot block, as well as providing room for a bootstrap program. If we partition a hard drive, the first block contains the MBR, which itself contains a boot program. The MBR's boot program automatically redirects the boot operation to the boot block of the first "bootable" partition. The first item stored in the FAT boot block is a "jump" instruction. If the BIOS tries to start an operating system stored on the FAT volume, it first reads a boot program from these boot blocks and then jumps to the first instruction read into RAM. This first instruction jumps over the variables FAT provides to describe the volume's format. This block of variables is called the BIOS parameter block (BPB). Table 5.3 describes the contents of this block in the FAT 32 format.

admissible

We must collect evidence before we can use it in any dispute. If we want to use this evidence in a legal proceeding, the evidence must be admissible; in other words, it must meet the legal rules and standards for evidence. We may collect evidence through surveillance or seizure. In surveillance, we watch the behavior of the threat and keep a log of activities. In seizure, we take possession of equipment involved in the dispute. The requirements for surveillance and seizure vary according to whether we act as members of law enforcement or as a private party involved in the incident.

Quick Format

When we perform a "quick format" on a hard drive, we initialize the file system information. This doesn't disturb the existing sector addresses, and it ignores most of the data on the drive. Instead, it recreates all of the basic information for creating files, and gives the drive a single, empty "root" directory. If we had any files on the hard drive before reformatting, the process discards those files.

Hard Drive Formatting

When we perform a low-level format on a hard drive, we tell the controller to initialize the raw sectors themselves. Most hard drives use a sector size of 512 bytes, though some devices may have sectors as large as 2048 (2K) bytes. Each sector consists of three parts as shown in Figure 5.5: the header, the data, and the check value.

A controller typically contains the following components:

• Bus interface connector—a socket for connecting the drive to a high-speed bus, like those described in Section 2.1.1. Modern drives have a SATA connector or possibly an ATA or IDE connector.
• Bus interface—circuits that convert the commands and data that flow between the bus and the command logic.
• Command logic—circuits that convert the commands into a series of operations performed on the hard drive mechanism.
• Buffer—a large block of RAM that stores data temporarily on its way to or from the hard drive mechanism. The mechanical operations are time sensitive. The buffer makes it easier to synchronize the bus data transfers with the hard drive's mechanical motions.
• Fetch/store data—circuits that directly control the head motor to select tracks, and that retrieve or rewrite individually addressed sectors.

RESOLVING A LEGAL DISPUTE

• Private action, in which one party acts against another, based on a shared relationship. For example, an employer might discipline an employee, or a school might discipline a student, based on informal evidence that might not be admissible in court.
• Mediation, in which the parties rely on a third party, a mediator, to help negotiate a settlement. The mediator is not bound by particular rules of evidence and may consider evidence that is not admissible by a court.
• Civil complaint, in which one party files a lawsuit against another. Such matters still may be resolved privately, possibly through negotiation. If the parties go to court, then legal requirements for digital evidence must be followed precisely.
• Criminal complaint, in which a person is charged with breaking particular laws. The complaint sets out the facts of the matter and presents probable cause for accusing a particular person of the crime. A criminal complaint may be made by the police, a district attorney, or any interested party. If there is no plea bargain, the trial goes to court, at which point the digital evidence must fulfill all legal requirements.

Legal Concepts

• Who performs the search. There are different rules for private citizens, for police officers, and for others performing an investigation on behalf of the government.
• Private searches. Private individuals may perform searches without warrants on equipment in their possession. Evidence they find may be admissible in court. There are some restrictions when someone else owns or routinely uses the equipment.
• Reasonable expectation of privacy. We can't arbitrarily search areas where the users expect their privacy to be protected. For example, neither police nor employers can arbitrarily wiretap telephone calls.
• Consent to search. We can eliminate the expectation of privacy in some cases, especially in the workplace. For example, we don't expect privacy when we call a service number and hear: "This call may be monitored for quality assurance purposes." Likewise, a computer's owner can display a warning that computer use may be monitored and recorded.
• Business records. If we collect data in activity logs as a routine part of doing business, then those records often are admissible in court. If we set up special logs to track an intruder, those are not business records and are not necessarily admissible as evidence.
