CCT 110 – Intro to CyberCrime
“It Wasn’t Me”
As long as there have been laws, there have been criminals attempting to elude their enforcement. Humans have always been inclined to subvert authority and have proven adept at inventing new ways of obscuring the evidence that might be used against them. With the arrival of ubiquitous desktop computers, available to almost anyone with little investment beyond the cost of the machine, this trend continued. In fact, criminals hit the proverbial jackpot with this new frontier in which to confound investigators while engaging in illicit activity. What follows is an extensive, though by no means exhaustive, description of the three main ways an alleged criminal might attempt to confuse and delay the investigators who seek to discover and compile evidence against them. The list covers the effects themselves, not the mechanisms used to deploy them. To be clear, this will examine what the “booby trap” does, not how the trap is sprung. There are three fundamental groupings of results these criminals can target: they can obfuscate their data, hide their data, or destroy their data.
Obfuscating data trails is one of the simplest and most accessible methods available to the novice. These techniques leave the files and data in their original form, easily accessed and usable in a court of law, if the investigator knows where or how to look. Probably the easiest for the layman to understand is changing the file extension. A file extension is the short code (commonly three or four letters) following the last period in a file name. Its purpose is to tell the computer what type of file it is and, more importantly, which program should be used to open it. Because of this, when someone changes a text file’s extension from .txt to .jpg, the computer attempts to open it with a photo viewer, which fails and reports the file as unusable. (Downing) This is only effective against tools that trust the extension: forensic suites compare the extension with the file’s signature, the leading “magic” bytes that identify most binary formats, and flag any mismatch. Another option available to criminals is altering file timestamps, a practice investigators call timestomping, which calls into question the legitimacy of a file. Several utilities make this easy for the beginner. These applications alter the creation, modification, and access dates of the incriminating files, casting doubt on the origin of the file. On NTFS, however, each file carries a second set of timestamps in its $FILE_NAME attribute that the common timestomping tools leave untouched, so a disagreement between the two sets is itself a sign of tampering. The last form of data obfuscation is more insidious, and possibly damaging: file nesting can crash an investigator’s software or hang the examination machine. It is therefore important for investigators to work on forensic copies inside a virtual machine, where a crashed tool cannot damage the evidence or the workstation. File nesting is accomplished by placing a folder inside another folder, which is then linked back inside the first, and so on. The commonly given example is a path such as C:\Parent\Child\Parent\Child\... File nesting takes advantage of two characteristics of how computers work to cause these errors. The first is the infinite loop: a naive recursive traversal follows the cycle (typically a directory junction or symbolic link pointing back at an ancestor) round and round, never reaching an end.
The second is path length: some programs fail when the path they are asked to open exceeds the legacy Windows MAX_PATH limit of 260 characters, a limit that lives in the Win32 API and the tools built on it rather than in the New Technology File System (NTFS) itself, which allows far longer paths. (Perklin) All of these techniques are effective at slowing investigators down and wasting government resources, but an investigator can limit the loss simply by knowing these tricks and what to look for.
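The defensive side of the three obfuscation tricks above (renamed extensions, looped folders and over-long paths) fits in one small triage walker. The following is an added example written for this page, not a tool from any of the cited sources: it refuses to descend into a directory cycle, reports paths beyond the legacy 260-character limit, and compares each file’s extension with its leading signature bytes. The signature table is a hand-picked subset, the sample tree and file contents are constructed on the spot, and the symlink stands in for the Windows junction the essay describes.

```python
"""Triage walker: cycle-safe traversal, long-path flagging and
extension-versus-signature checking over a constructed evidence tree."""
import os
import tempfile
from typing import Optional

MAX_PATH = 260   # legacy Win32 limit; NTFS itself allows far longer paths

# Small hand-picked signature table (assumption: leading bytes only).
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}
TEXT_EXTS = {"txt", "csv", "log"}   # extensions that carry no binary signature

def sniff(header: bytes) -> Optional[str]:
    for magic, ftype in SIGNATURES.items():
        if header.startswith(magic):
            return ftype
    return None

def verdict(path: str) -> str:
    """'ok', 'mismatch' or 'unknown' for one file, from its first 16 bytes."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    with open(path, "rb") as fh:
        header = fh.read(16)
    detected = sniff(header)
    if detected is not None:
        return "ok" if detected == ext or (detected, ext) == ("jpg", "jpeg") else "mismatch"
    if all(32 <= b < 127 or b in b"\r\n\t" for b in header):
        return "ok" if ext in TEXT_EXTS else "mismatch"   # text under a binary extension
    return "unknown"

def safe_walk(root: str):
    """Yield (dir_path, is_cycle, too_long, file_names). Symlinked directories are
    followed, but a directory already on the current path is reported as a cycle
    and not entered again, so a Parent/Child/Parent/... loop terminates."""
    def _walk(path, ancestors):
        st = os.stat(path)
        key = (st.st_dev, st.st_ino)
        with os.scandir(path) as it:
            entries = sorted(it, key=lambda e: e.name)
        files = [e.name for e in entries if e.is_file(follow_symlinks=False)]
        yield path, key in ancestors, len(path) > MAX_PATH, files
        if key in ancestors:
            return
        for e in entries:
            if e.is_dir(follow_symlinks=True):
                yield from _walk(e.path, ancestors | {key})
    yield from _walk(root, frozenset())

def triage(root: str) -> dict:
    report = {"cycles": [], "long_paths": [], "dirs": 0, "files": {}}
    for dpath, is_cycle, too_long, files in safe_walk(root):
        report["dirs"] += 1
        if is_cycle:
            report["cycles"].append(dpath)
        if too_long:
            report["long_paths"].append(dpath)
        for name in files:
            report["files"][name] = verdict(os.path.join(dpath, name))
    return report

def build_trap(root: str) -> None:
    """Constructed evidence tree: renamed files, a symlink loop and a long path."""
    deep = os.path.join(root, "Parent", "Child")
    os.makedirs(deep)
    os.symlink(os.path.join(root, "Parent"), os.path.join(deep, "Parent"))  # the loop
    os.makedirs(os.path.join(root, *(["x" * 10] * 30)))                     # > 260 chars
    samples = {
        "notes.jpg": b"meeting at 10pm, bring the ledger\n",             # text as .jpg
        "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\0" * 24,  # real JPEG header
        "archive.txt": b"PK\x03\x04\x14\x00\x00\x00" + b"\0" * 24,       # zip as .txt
        "readme.txt": b"nothing to see here\n",
    }
    for name, data in samples.items():
        with open(os.path.join(deep, name), "wb") as fh:
            fh.write(data)

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        build_trap(tmp)
        return triage(tmp)

if __name__ == "__main__":
    r = demo()
    print(r["files"], len(r["cycles"]), "cycle(s),", len(r["long_paths"]), "long path(s)")
```

The cycle check keys on (device, inode) rather than on the path string, because the looped path never repeats textually even though the directory does; a walker that uses os.walk(followlinks=True) without such a check runs until the path grows too long for the operating system.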
In the grand scheme of things, hiding data is more effective at thwarting investigators than data obfuscation. In some cases, hiding data can completely defeat them: some of the following methods are so sophisticated that even an investigator who knows exactly what has happened cannot circumvent them. One of the more common and less effective approaches is to place data in a hidden directory. Hidden directories are not displayed by default, and file systems use them as part of their normal operations. Most hidden directories contain things like user preferences and utility settings, intended to spare users data that is not pertinent. In the more nefarious use, the user places incriminating files within a hidden directory, and anything other than a directed search of that directory will pass right by them, as if they did not exist. (Maybury) This fools only casual browsing, since forensic tools read the file system structures directly and pay no attention to the hidden attribute. Another scheme that confounds anything other than a directed search is placing data in slack space, the unused bytes between the end of a file and the end of the last cluster allocated to it. A well-known tool, Slacker, will do this for the novice user: it breaks a file into pieces and places each piece in the slack space of other files. (MacGregor) Not only does this make the data hard to locate, it means the individual pieces must be located AND assembled like a puzzle before the information can be recovered. One of the most effective data hiding techniques is encryption, defined as “converting information or data into a code, especially to prevent unauthorized access.” (Oxford English Dictionary) In various forms, encryption has been in use for many reasons almost since the creation of the written word. A popular example of pre-computer encryption is the Enigma cipher used by the Germans during World War Two.
Its users considered it unbreakable; it relied on an early form of mechanical computation, and the Allies broke it through sustained cryptanalysis aided by captured key tables and hardware. (Reklaitis) Books could be filled with the various types of encryption and analyses of them, so this essay will only mention two popular secret-key (symmetric) algorithms.
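To make the slack-space trick above concrete, here is an added example (written for this page, not code from Slacker or from any cited source) that carves slack out of a raw volume image. The volume, its 512-byte cluster size and its two-entry allocation table are constructed here so the example runs offline; on a real disk the offsets come from the file system’s own metadata, which a forensic parser supplies.

```python
"""Carve slack space (bytes between a file's logical end and the end of its
last allocated cluster) from a constructed raw volume image."""
CLUSTER = 512   # bytes per cluster (assumption for the constructed image)

def allocated(size: int) -> int:
    """Bytes reserved on disk for a file of `size` bytes: whole clusters."""
    return -(-size // CLUSTER) * CLUSTER

def slack_regions(table: dict) -> dict:
    """name -> (offset, length) of each file's slack within the image."""
    regions = {}
    for name, (first_cluster, size) in table.items():
        end = first_cluster * CLUSTER + size          # logical end of the file
        regions[name] = (end, allocated(size) - size)  # slack runs to cluster end
    return regions

def carve_slack(image: bytes, table: dict) -> dict:
    """Pull each file's slack and drop the trailing zero fill."""
    return {name: image[off:off + length].rstrip(b"\0")
            for name, (off, length) in slack_regions(table).items()}

def build_image() -> tuple:
    """Constructed image: two files on consecutive clusters, with fragments of a
    hidden note written just past each file's logical end, Slacker-style."""
    table = {"report.doc": (0, 700), "photo.jpg": (2, 1200)}   # (first cluster, size)
    fragments = {"report.doc": b"meet at the docks", "photo.jpg": b" Tuesday 23:00"}
    image = bytearray(CLUSTER * 6)
    for name, (first_cluster, size) in table.items():
        start = first_cluster * CLUSTER
        image[start:start + size] = b"A" * size          # the visible file body
        end = start + size
        image[end:end + len(fragments[name])] = fragments[name]   # hidden piece
    return bytes(image), table

def demo() -> bytes:
    """Reassemble the fragments in allocation-table order."""
    image, table = build_image()
    pieces = carve_slack(image, table)
    return b"".join(pieces[name] for name in table)

if __name__ == "__main__":
    print(slack_regions(build_image()[1]))
    print(demo())
```

Reading the file through the operating system never returns these bytes, because reads stop at the logical size; the slack is only visible to a tool that reads the raw clusters, which is why the essay says a directed search is required.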
Blowfish: Blowfish is a symmetric block cipher with a 64-bit block and a variable-length key of 32 to 448 bits. The algorithm has two parts: key expansion and data encryption. Key expansion converts a key of at most 448 bits into several subkey arrays totaling 4168 bytes. Data encryption occurs via a 16-round Feistel network; each round consists of a key-dependent permutation and a key- and data-dependent substitution, and all operations are XORs and additions on 32-bit words, plus table lookups. Blowfish was later followed by Twofish, its successor from the same designer and one of the AES finalists.
AES: AES is a block cipher with a key length of 128, 192, or 256 bits. It encrypts data blocks of 128 bits in 10, 12, or 14 rounds, depending on the key size. AES encryption is fast and flexible; it can be implemented on various platforms, including small devices, and it has been carefully tested for many security applications. (Kumar and Karthikeyan pg.22)
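The Feistel structure mentioned for Blowfish has one property worth seeing in code: decryption is the same network run with the subkeys in reverse order, so the round function never needs an inverse. The toy below is an added example written for this page, not Blowfish and not secure; it keeps Blowfish’s 64-bit block, 32-bit halves, 16 rounds and 32-to-448-bit key range, but the round function and key schedule are invented and there are no S-boxes.

```python
"""Toy 16-round Feistel network on 64-bit blocks with 32-bit halves, built
from XOR, addition mod 2^32 and rotates. NOT Blowfish, NOT secure."""
import struct

MASK32 = 0xFFFFFFFF
ROUNDS = 16

def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32

def expand_key(key: bytes) -> list:
    """Invented schedule: stretch 4..56 key bytes (32..448 bits) into 16 subkeys."""
    if not 4 <= len(key) <= 56:
        raise ValueError("key must be 4..56 bytes")
    words = [int.from_bytes(key[i:i + 4].ljust(4, b"\0"), "big")
             for i in range(0, len(key), 4)]
    subkeys, state = [], 0x9E3779B9
    for r in range(ROUNDS):
        state = (rotl(state, 5) + words[r % len(words)] + r) & MASK32
        subkeys.append(state)
    return subkeys

def f(x: int, k: int) -> int:
    """Round function: key-dependent addition, then a cheap mixing step."""
    y = (x + k) & MASK32
    return rotl(y, 7) ^ rotl(y, 13) ^ (y >> 3)

def feistel(block: bytes, subkeys: list) -> bytes:
    left, right = struct.unpack(">II", block)
    for k in subkeys:
        left, right = right, left ^ f(right, k)   # one Feistel round
    return struct.pack(">II", right, left)        # undo the final swap

def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, expand_key(key))

def decrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, expand_key(key)[::-1])  # same network, reversed subkeys

if __name__ == "__main__":
    key, pt = b"correct horse", b"8 bytes!"
    ct = encrypt_block(pt, key)
    print(ct.hex(), decrypt_block(ct, key))
```

Because each round only XORs the left half with f(right half), feeding the output back through the network with the subkeys reversed cancels each round in turn; that is what lets a Feistel cipher use any round function, including Blowfish’s key-dependent S-boxes, without ever inverting it.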
While both are considered secure, they are theoretically breakable by trying every key, though this is infeasible in practice. For example, an AES-256 key is 256 bits long, giving 2^256 possible keys, a number hard to comprehend. Stated in layman’s terms, if every computer that has ever existed on earth spent every second of every day trying keys, it would take longer than the universe has existed to try every possibility. (Downing) The practical attacks are therefore on the key rather than the cipher: a weak passphrase, or a key recovered from memory or from an unencrypted copy on disk. As if this were not difficult enough, there is also steganography. Merriam-Webster defines steganography as “the art or practice of concealing a message, image, or file within another message, image, or file.” (Merriam-Webster 2018) This allows a computer user to encrypt a text file, for instance, and then conceal that file inside an innocent-looking image, which may itself be stored encrypted. This can make the job of a forensic investigator extremely difficult, as there are layers of concealment and encryption to overcome, and no real guarantee that an investigator will even recognize the existence of such well hidden files.
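The most common form of file-in-image steganography replaces the least significant bit of each pixel with one bit of the payload, which changes no pixel by more than one step and is invisible to the eye. The following is an added example written for this page, not code from any cited source: the grayscale “image” is a constructed byte array (one byte per pixel), the payload is made up, and the 4-byte length header is this example’s own framing convention.

```python
"""Least-significant-bit steganography over a constructed grayscale image:
embed a payload, recover it, and measure how little the carrier changes."""
import random

def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1

def embed(carrier: bytes, payload: bytes) -> bytes:
    """Write len(payload) as a 4-byte header, then the payload, one bit per pixel."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(carrier):
        raise ValueError("payload too large for carrier")
    out = bytearray(carrier)
    for i, bit in enumerate(_bits(framed)):
        out[i] = (out[i] & 0xFE) | bit      # clear the low bit, then set it
    return bytes(out)

def extract(stego: bytes) -> bytes:
    """Read the length header from the low bits, then that many payload bytes."""
    def read(start: int, nbytes: int) -> bytes:
        result = bytearray()
        for b in range(nbytes):
            val = 0
            for i in range(8):
                val = (val << 1) | (stego[start + b * 8 + i] & 1)
            result.append(val)
        return bytes(result)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)

def max_pixel_change(a: bytes, b: bytes) -> int:
    return max(abs(x - y) for x, y in zip(a, b))

def demo() -> dict:
    rng = random.Random(7)
    carrier = bytes(rng.randrange(256) for _ in range(64 * 64))  # constructed 64x64 image
    secret = b"the ledger is in the crawlspace"
    stego = embed(carrier, secret)
    return {"recovered": extract(stego),
            "max_change": max_pixel_change(carrier, stego),
            "size_same": len(stego) == len(carrier)}

if __name__ == "__main__":
    print(demo())
```

Because only the low bit of each pixel moves, the stego image has the same size and looks identical; an investigator finds it, if at all, through statistics of the low-bit plane or by noticing the embedding tool on the machine, not by viewing the picture.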
In order to leave no trail whatsoever for law enforcement, some criminals completely erase incriminating data and files. That said, placing a file in the recycle bin is not effective: such files still leave traces and sometimes remain in their entirety, because ordinary deletion only marks the space as free. (Kelleher pg.16-18) Probably the most common, and certainly cheapest, way to do an effective wipe is to overwrite the storage device with new, nonsensical data. (Kelleher pg.16-18) Varying standards determine how many times, and with what patterns, the original bits are replaced, and some of the less thorough can be recovered by a diligent and knowledgeable investigator. Overwriting also assumes the new data actually lands on top of the old; solid-state drives with wear levelling, and file systems that journal or copy on write, can leave the old copy elsewhere. Degaussing is a foolproof and irreversible form of data destruction for magnetic media. Whatever degaussing tool is used, it scrambles the magnetic domains on the platters or tape, making the media unusable and leaving no possibility of recovering meaningful data. (Kelleher pg.16-18) It does nothing to flash memory, however, so SSDs and USB sticks must be wiped or physically destroyed instead. Physical destruction is also highly effective and comes in many forms. The two best are shredding and melting, as they leave the fewest puzzle pieces to put together. Physical destruction leaves the devices inoperable as well, and in rare cases portions of data have still been recovered. (Kelleher pg.16-18)
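A wipe is only as good as its verification. The added example below (written for this page, not from any cited source) overwrites a file in place with random data, syncs each pass to disk, and then checks the result the way a carving tool would, by searching the wiped data for chunks of the original. The file contents are constructed. As the paragraph notes, this verifies only the logical file: on an SSD, or on a journaling or copy-on-write file system, earlier copies of the blocks may survive where this check cannot see them.

```python
"""Overwrite a file with random data and verify that no chunk of the
original content can still be found in it."""
import os
import tempfile

def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite every byte of `path` in place `passes` times with random data,
    syncing each pass to disk. Returns the number of bytes overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(os.urandom(size))
            fh.flush()
            os.fsync(fh.fileno())   # make sure the pass reaches the device
    return size

def surviving_chunks(original: bytes, wiped: bytes, chunk: int = 16) -> int:
    """Count chunk-sized pieces of the original that still appear anywhere in
    the wiped data, the way a carving tool would search for them."""
    return sum(1 for i in range(0, len(original) - chunk + 1, chunk)
               if original[i:i + chunk] in wiped)

def demo() -> dict:
    original = b"ACCOUNT 4417-2231 TRANSFER 50000 TO CAYMAN\n" * 64   # constructed
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ledger.txt")
        with open(path, "wb") as fh:
            fh.write(original)
        before = surviving_chunks(original, original)   # every chunk present
        overwritten = overwrite_file(path)
        with open(path, "rb") as fh:
            wiped = fh.read()
    return {"bytes": overwritten,
            "size_unchanged": len(wiped) == len(original),
            "chunks_before": before,
            "chunks_after": surviving_chunks(original, wiped)}

if __name__ == "__main__":
    print(demo())
```

Opening with "r+b" rather than "wb" matters: truncating the file first would release its blocks before they are overwritten, and the new data might be written somewhere else entirely.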
There are many methods criminals use to prevent law enforcement from acquiring digital evidence about their illicit activities. Trail obfuscation is a somewhat effective and easily implemented way to slow down an investigation. Hiding data can achieve a large variety of results, from slowing down an investigation to making it next to impossible to gain access to encrypted and hidden files. Destroying data can be foolproof when the proper steps are taken and can leave investigators with no recourse. A truly worst-case scenario for law enforcement is a knowledgeable criminal who uses many different and layered techniques to make it difficult or impossible to locate, or even recognize, incriminating files.
Downing, Douglas “extension.” Barron’s Business Dictionaries: Dictionary of Computer and Internet Terms, Barron’s Educational Series, 11th edition, 2013. Credo Reference, https://ezproxy.cpcc.edu/login?url=https://search.credoreference.com/content/entry/barronscai/extension/0?institutionId=5375.
Perklin, M. “Computer Anti-forensics Methods and Their Impact on Computer Forensic Investigation.” (2013).
Maybury, Rick. “Boot Camp Top Traumas Solved by Rick Maybury Paranoia Part Three.”The Daily Telegraph, Oct 07, 2003, pp. 35. ProQuest, http://ezproxy.cpcc.edu/login?url=https://search.proquest.com/docview/317783515?accountid=10008.
MacGregor, Cairn. “When is a Hard Disk `slack?’; Unused Space at End of each File can Add Up to Cluster Headache.” The Gazette, Sep 09, 1995. ProQuest, http://ezproxy.cpcc.edu/login?url=https://search.proquest.com/docview/432903257?accountid=10008.
Oxford English Dictionary. “encryption.” 2018, https://en.oxforddictionaries.com/definition/encryption.
Merriam-Webster. “steganography.” 2018, https://www.merriam-webster.com/dictionary/steganography?utm_campaign=sd&utm_medium=serp&utm_source=jsonld.
Levy, Jeff. “Tech 101; do it; Digging into Details of Windows Recycle Bin.” Los Angeles Times, Jan 18, 2001, pp. T10. ProQuest, http://ezproxy.cpcc.edu/login?url=https://search.proquest.com/docview/421588378?accountid=10008.
Kelleher, Andrew. “How to Responsibly Destroy Hard Drives.” Health Management Technology, vol. 32, no. 10, 2011, pp. 16-18. ProQuest, http://ezproxy.cpcc.edu/login?url=https://search.proquest.com/docview/900317624?accountid=10008.
M, Anand Kumar, and S. Karthikeyan. “Investigating the Efficiency of Blowfish and Rejindael (AES) Algorithms.” International Journal of Computer Network and Information Security, vol. 4, no. 2, 2012, pp. 22-28. ProQuest, http://ezproxy.cpcc.edu/login?url=https://search.proquest.com/docview/1622630518?accountid=10008.
Downing, Douglas “encryption.” Barron’s Business Dictionaries: Dictionary of Computer and Internet Terms, Barron’s Educational Series, 11th edition, 2013. Credo Reference, https://ezproxy.cpcc.edu/login?url=https://search.credoreference.com/content/entry/barronscai/encryption/0?institutionId=5375.
Reklaitis, George. “Enigma.” Encyclopedia of Intelligence & Counterintelligence, Rodney P. Carlisle, Routledge, 1st edition, 2005. Credo Reference, https://ezproxy.cpcc.edu/login?url=https://search.credoreference.com/content/entry/sharpint/enigma/0?institutionId=5375.