Just a PoC I made to show how one could hide data within NTFS system files, in this case $MFT and its record slack.
http//
It has been through basic testing, and seems to work fine.
However, regard it as highly experimental and provided for educational purposes, and expect there to be bugs. I strongly advise not running it on a production volume yet, until it has been properly tested. Performance is also not amazing, at least not in a good way. The only documentation currently is a short readme included in the download, though I guess it is self-explanatory from the examples.
But it is interesting… )
I will check it out tomorrow, and if it works, I might use it in a class to hide some stuff. Okay with that?
Sure. In the end it's just about knowing what data is relevant and what is not. Run chkdsk afterwards to verify the integrity of the filesystem. Hiding data within the records of the system files themselves may sometimes produce a chkdsk warning. I have not yet looked at what causes that. All other records seem OK. Maybe I just have to extend the data start by 4 bytes..
I had to introduce a "header" to the data, to aid in the reassembly. It looks like this:
4 byte signature of choice
4 byte value indicating the fragment number
2 byte value indicating the current fragment size
4 byte value indicating the total size of the hidden data with this signature
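The following is an added illustration of the record-slack layout and the fragment header described in this thread; it is not the PoC's own code. It assumes the common 1024-byte MFT record size, little-endian header fields, and the standard FILE record header layout (real size at offset 0x18, allocated size at offset 0x1C). Record slack is the gap between those two sizes. As a design choice not taken from the thread, the example also avoids the last two bytes of every 512-byte sector, because NTFS overwrites those with the update sequence number on write and restores them from the fixup array on read, so anything hidden there would be mangled or flagged. The records and the payload are constructed test data.

```python
import struct

RECORD_SIZE = 1024        # assumed MFT record size (the common default)
SECTOR = 512
USA_SLOT = 2              # last 2 bytes of each sector hold the update sequence number
# Header from the thread: 4-byte signature, 4-byte fragment number,
# 2-byte fragment size, 4-byte total size (little-endian is an assumption).
HDR = struct.Struct("<4sIHI")


def make_record(used, allocated=RECORD_SIZE):
    """Constructed minimal FILE record: magic at 0x00, real size at 0x18, allocated size at 0x1C."""
    rec = bytearray(allocated)
    rec[0:4] = b"FILE"
    struct.pack_into("<II", rec, 0x18, used, allocated)
    rec[used - 4:used] = b"\xff\xff\xff\xff"   # attribute list end marker closes the used part
    return rec


def slack_spans(rec):
    """Byte ranges of record slack, skipping the update sequence slots the driver rewrites."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    used, allocated = struct.unpack_from("<II", rec, 0x18)
    if used > allocated or allocated != len(rec):
        raise ValueError("inconsistent record sizes")
    spans, pos = [], used
    while pos < allocated:
        sector_end = (pos // SECTOR + 1) * SECTOR
        stop = min(allocated, sector_end - USA_SLOT)
        if stop > pos:
            spans.append((pos, stop))
        pos = sector_end
    return spans


def hide(records, data, sig):
    """Split data into header-tagged fragments across the slack of records; return fragment count."""
    if len(sig) != 4:
        raise ValueError("signature must be 4 bytes")
    frag, pos = 0, 0
    for rec in records:
        for start, stop in slack_spans(rec):
            room = stop - start - HDR.size
            if room <= 0 or pos >= len(data):
                continue
            chunk = data[pos:pos + min(room, 0xFFFF)]   # fragment size field is 16-bit
            rec[start:start + HDR.size] = HDR.pack(sig, frag, len(chunk), len(data))
            rec[start + HDR.size:start + HDR.size + len(chunk)] = chunk
            frag += 1
            pos += len(chunk)
    if pos < len(data):
        raise ValueError(f"not enough slack: {pos} of {len(data)} bytes hidden")
    return frag


def carve(records, sig):
    """Scan record slack for headers carrying sig, reassemble fragments in order, verify total size."""
    frags, total = {}, None
    for rec in records:
        used, allocated = struct.unpack_from("<II", rec, 0x18)
        pos = rec.find(sig, used)                     # only look in slack, never in live attributes
        while pos != -1 and pos + HDR.size <= allocated:
            _, num, size, tot = HDR.unpack_from(rec, pos)
            end = pos + HDR.size + size
            if end > allocated:
                raise ValueError("fragment runs past record end")
            if total is None:
                total = tot
            elif tot != total:
                raise ValueError("conflicting total sizes under one signature")
            frags[num] = bytes(rec[pos + HDR.size:end])
            pos = rec.find(sig, end)
    if total is None:
        return None                                   # nothing hidden under this signature
    if sorted(frags) != list(range(len(frags))):
        raise ValueError("missing fragment(s)")
    out = b"".join(frags[i] for i in range(len(frags)))
    if len(out) != total:
        raise ValueError(f"reassembled {len(out)} bytes, header promised {total}")
    return out


if __name__ == "__main__":
    recs = [make_record(900), make_record(300), make_record(1000)]
    payload = bytes(range(256)) * 3                  # constructed 768-byte payload
    print("fragments written:", hide(recs, payload, b"HIDE"))
    print("round trip ok:", carve(recs, b"HIDE") == payload)
```

The real sizes at 0x18 are never touched, which is the point of slack hiding: the driver and chkdsk only see the used part of each record. Anything hidden inside the used part (the system-file records mentioned above) would need those fields adjusted and is where the warnings described in the thread become plausible.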
New version has speed improvements for both hiding and extraction. And some documentation; http//
Interesting program.
Did you change other fields like "number of attributes" and "allocated size of MFT record" in the record as well?
Nice! )
Just to keep things as together as possible, cross-linking to this
http//www.forensicfocus.com/Forums/viewtopic/t=2883/
jaclaz
Schicht,
Please add a quick blurb about yourself, and the type of copyright you are using into your readme.txt.
Thank you! We might use it in some of our classes.
The source is as open as it can get, and likewise the licensing. Redistribute like you want. Just make a reference back to where it originated when appropriate. Have fun.
New version with a few more added options:
- Wiping record slack ("-clean").
- Dumping record+slack to console for individual records.
- Option to specify range of records for the switches "-check" and "-clean".
- Option to specify byte offset within slack for operation to perform.