@ISACA Volume 18  7 September 2016

Eight Ways Files and Data Are Hidden on Today’s Computers

By Leighton Johnson, CISA, CISM, CIFI, CISSP

Forensics investigators are often presented with data from an investigation where the data and/or files are, at first, not apparent. Several techniques to hide or disguise the true nature of files and data exist. These techniques range from the simple to the complex:

  1. Altered file extensions—Altering file extensions is one of the less complex techniques to hide files and data. Typically it involves using a program’s save-as feature to change the extension. File extensions can be altered with a hex editor.
  2. Hidden attribute—The hidden file attribute extends from the disk operating system (DOS). The property sheet of a file and directory in Windows XP (or a newer operating system) is opened with the right click of the mouse. Use the check box to set the hidden attribute. Perform a catalog of all hidden files.
  3. Streamed data—Windows NT and newer systems include a feature to create alternate data streams (ADS). Intentional creation of streams is possible. ADS is the ability to fork file data into existing files without affecting their functionality, size or display to traditional file browsing utilities, such as dir or Windows Explorer. It is also used to relate new data objects to the file. Found in all versions of NT file systems (NTFS), ADS capabilities were originally conceived to allow for Microsoft compatibility with the Macintosh Hierarchical File System (HFS), where file information is sometimes forked into separate resources.
  4. Bit shifting—Bit shifting hides data via one of several techniques. These techniques include XORed, ORed and ANDed. Recognition of their usage requires analysis. Cryptographers use frequency or pattern analysis to identify the possible structures of the data. Do you recognize a pattern to the unknown data? Does software typical to these techniques exist on the computer?
  5. Alt characters—Alt character usage in some instances is designed to block data discovery. The capability of the tool and the ability of the examiner affect the discovery of alt characters. Again, use analysis techniques from the cryptanalysis world to help decipher this information and gain intelligence from the data.
  6. Block map (bmap)—Bmap has several features, including placing another file system on the disk. Bmap can store data in slack space on any file system. Use bmap tools to detect used slack space and to recover data.
  7. File altering—Files may be altered to include just about anything from malicious code to Aunt Gen’s cake recipe. Establish a known baseline of hashes for the system and system files. Does the computer you examine utilize such a product? Analyze and document the instance. There are General Public License products available to help with this process.
  8. Steganography—Steganography is often defined as hiding information in plain sight inside a binary file. It involves injecting one file into another in a stealthy fashion. A copyrighting technology is used to place a watermark in a file. This hiding process makes data invisible and hard to detect even with a tool. It can hide information in many types of binary files, such as high-quality graphic files, MP3 and other audio files, video clips, or text files.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security and Forensics Management Team of Bath, South Carolina, USA.


Earn Up to Five CPE Hours at Cybersecurity Virtual Conference


Source: ©iStock.com/
Bojan Senjur

Cyberattacks have become more ruthless and sophisticated as more data are stored on a variety of devices. Protecting and governing data is just as important as mitigating security risk. To help professionals learn how to keep up with the rapidly changing cybersecurity landscape, ISACA is presenting the “Cybersecurity Evolves: Risk in the Age of Dark Data, IoT and Advanced Analytics” virtual conference. This free virtual conference takes place on 21 September from 7:15AM CDT to 4PM CDT (UTC -5 hours). Five free continuing professional education (CPE) hours can be earned at this virtual conference.

The 4 sessions offered at the conference cover compliance gaps, analytics, IoT’s effect on cybersecurity and the progression of an information security career path. In addition to these sessions, attendees will also benefit from dedicated networking time. Attendees will have the ability to ask questions directly to industry leaders and conference speakers.

To learn more about this virtual conference or to register for it, visit the Cybersecurity Evolves: Risk in the Age of Dark Data, IoT and Advanced Analytics page of the ISACA web site.


Security Is More Than Compliance


While many enterprises strive to achieve compliance, they may still be vulnerable to cyberattacks. Compliance alone is not enough to remain secure, so ISACA and CA Technologies have partnered to present the “Compliance = Security: Why the Math Doesn’t Add Up” webinar. This webinar will take place on 8 September at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and passing a related quiz.

Gedeon Hombrebueno, director of security solutions at CA Technologies, and Piyush Pandey, senior manager in cyberrisk services at Deloitte, will lead this webinar. In it, they will discuss IT security measures beyond standards and regulations that are needed to improve an enterprise’s security posture. They will also discuss how establishing the necessary privileged access management controls can help prevent data breaches and satisfy audit and compliance demands.

To learn more about this webinar or to register for it, visit the Compliance = Security: Why the Math Doesn’t Add Up page of the ISACA web site.


New Way to Access ISACA Training and Earn CPE


ISACA’s new CPE On Demand program provides training and an opportunity to earn continuing professional education (CPE) hours any time. The program includes packages of select videos of expert-led presentations recorded live at ISACA’s global conferences and training events. Subscribers have 90 days to access the training with their own computers via high-speed Internet connection and at their own convenience.

The package bundles cover topics such as cybersecurity, GRC, COBIT, IT audit and assurance, and privacy. The CPE that can be earned from these bundles ranges from 1-6 hours, depending on the length of time it takes to complete each bundle. ISACA members are able to purchase the bundles for a discounted price. Enterprise licensing is available for the COBIT series.

To learn more about the CPE On Demand packages, visit the CPE On Demand page of the ISACA web site.


Celebrating 20 Years of COBIT


ISACA continues to mark the 20th anniversary of the COBIT framework with a year-long celebration.

COBIT infographics, a slideshow of COBIT images through the years, photos of COBIT enthusiasts celebrating the anniversary around the world, and written and video testimonials highlighting COBIT’s value are featured on the COBIT 20th Anniversary page of the ISACA web site.

In ISACA’s 2016 Global COBIT Survey, 3 in 4 users said COBIT 5 has helped them address practical business issues beyond governance of enterprise IT (GEIT) and 2 in 3 users said COBIT 5 helped their enterprise integrate business and IT.

“COBIT 5 leverages proven practices and global thought leadership to enable enterprises of all sizes to enhance stakeholder value, especially with IT being a key enabler of business innovation,” said Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, chair of ISACA’s board of directors and group director of information security for INTRALOT. “COBIT has evolved throughout its 20 years to become an even more dynamic framework, facilitating successful governance and management of enterprise IT.”

Join the celebration by visiting the COBIT 20th Anniversary page of the ISACA web site.


2011 CISA, CISM, CGEIT, CRISC Exam Passers—Deadline to Apply for Certification Is Approaching


Source: ©iStock.com/
Marilyn Nieves

Exam passers have 5 years to apply for certification once they have passed the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) or Certified in Risk and Information Systems Control (CRISC) exam. The 5-year period to apply for certification for those who passed a CISA, CISM, CGEIT or CRISC exam in 2011 will end on 31 December 2016. If you fall into this category and have not yet submitted your completed application, you should do so prior to the deadline. Retaking and repassing the examination will be required if the completed application for certification is not submitted within 5 years from the passing date of the examination.

Please note that individuals are not certified and cannot use the CISA, CISM, CGEIT or CRISC designation until the completed application is received and approved by ISACA International Headquarters.

Questions? Contact +1.847.660.5660 or certification@isaca.org.