StegoMft


StegoMft

Post Posted: Tue Dec 10, 2013 5:47 pm

Just a PoC I made to show how one could hide data within NTFS system files, in this case $MFT and its record slack.

code.google.com/p/mft2...i/StegoMft

It has been through basic testing, and seems to work fine.

However, regard it as highly experimental and provided for educational purposes, and expect there to be bugs. I strongly advise not running it on a production volume yet, until it has been properly tested. Performance is also not amazing, at least not in a good way. The only documentation currently is a short readme included in the download, though I guess it is self-explanatory from the examples.

But it is interesting... :)
_________________
Joakim Schicht

github.com/jschicht 


Last edited by joakims on Wed Dec 11, 2013 4:48 pm; edited 1 time in total

joakims
Senior Member
 
 
  

Re: StegoMft

Post Posted: Tue Dec 10, 2013 9:34 pm

I will check it out tomorrow, and if it works, I might use it in a class to hide some stuff. Okay with that?  

jhup
Senior Member
 
 
  

Re: StegoMft

Post Posted: Wed Dec 11, 2013 1:25 am

- jhup
I will check it out tomorrow, and if it works, I might use it in a class to hide some stuff. Okay with that?


Sure. In the end it's just about knowing what data is relevant and what is not. Run chkdsk afterwards to verify the integrity of the filesystem. Hiding data within the records of the system files themselves may sometimes produce a chkdsk warning. I have not yet looked at what causes that. All other records seem ok. Maybe I just have to extend the data start by 4 bytes..

I had to introduce a "header" to the data, to aid in the reassembly. It looks like this:

4 byte signature of choice
4 byte value indicating the fragment number
2 byte value indicating the current fragment size
4 byte value indicating the total size of the hidden data with this signature
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
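The 14-byte fragment header described in the post above is enough to split hidden data across many slack areas and put it back together from slack read in any order. The following is an added example, not StegoMft's own code: little-endian byte order, the field order as listed, and a fixed per-record slack size are assumptions made for the example, and the payload and noise slack areas are constructed inline.

```python
import struct

# Fragment header as described in the post above: 4-byte signature, 4-byte
# fragment number, 2-byte fragment size, 4-byte total size of the hidden data.
# Little-endian byte order and this field order are ASSUMPTIONS for the example;
# StegoMft's actual on-disk layout is not documented on this page.
HEADER_FMT = "<4sIHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 14 bytes


def split_into_fragments(signature, payload, slack_size):
    """Cut payload into headered fragments, each no larger than slack_size bytes.

    slack_size stands in for the record slack available in one MFT record
    (an assumption; real slack varies per record).
    """
    if len(signature) != 4:
        raise ValueError("signature must be exactly 4 bytes")
    chunk = min(slack_size - HEADER_LEN, 0xFFFF)  # size field is only 2 bytes
    if chunk <= 0:
        raise ValueError("slack too small to hold even the header")
    fragments = []
    for number, offset in enumerate(range(0, len(payload), chunk)):
        piece = payload[offset:offset + chunk]
        header = struct.pack(HEADER_FMT, signature, number, len(piece), len(payload))
        fragments.append(header + piece)
    return fragments


def parse_fragment(blob):
    """Return (signature, number, data, total) for one slack area, or None if it holds no usable header."""
    if len(blob) < HEADER_LEN:
        return None
    signature, number, size, total = struct.unpack_from(HEADER_FMT, blob)
    data = blob[HEADER_LEN:HEADER_LEN + size]
    if len(data) != size:
        return None  # header claims more data than the slack area holds
    return signature, number, data, total


def reassemble(signature, slack_areas):
    """Rebuild the hidden data carrying `signature` from slack areas given in any order.

    Slack areas without a matching header (other signatures, leftovers of real
    files, zeros) are skipped; missing or conflicting fragments raise ValueError.
    """
    found = {}
    total = None
    for blob in slack_areas:
        parsed = parse_fragment(blob)
        if parsed is None or parsed[0] != signature:
            continue
        _, number, data, this_total = parsed
        if total is None:
            total = this_total
        elif total != this_total:
            raise ValueError("fragments disagree about the total size")
        if number in found and found[number] != data:
            raise ValueError("conflicting copies of fragment %d" % number)
        found[number] = data
    if total is None:
        raise ValueError("no fragments carry that signature")
    missing = [n for n in range(max(found) + 1) if n not in found]
    if missing:
        raise ValueError("missing fragments: %s" % missing)
    data = b"".join(found[n] for n in range(len(found)))
    if len(data) != total:
        raise ValueError("got %d bytes, header promises %d" % (len(data), total))
    return data


if __name__ == "__main__":
    # Constructed sample: 3072 bytes of payload hidden in 200-byte slack areas,
    # recovered from a reversed list mixed with two unrelated slack areas.
    sample = bytes(range(256)) * 12
    frags = split_into_fragments(b"STEG", sample, 200)
    noise = [b"\x00" * 200, b"OTHR" + b"x" * 50]
    print(len(frags), reassemble(b"STEG", frags[::-1] + noise) == sample)
```

The total-size field is what lets extraction notice a missing trailing fragment, since the fragment numbers alone cannot tell whether the highest number seen was the last one.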
 
 
  

Re: StegoMft

Post Posted: Wed Dec 11, 2013 4:44 pm

@jhup

The new version has speed improvements for both hiding and extraction, and some documentation: code.google.com/p/mft2...i/StegoMft
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
 
 
  

Re: StegoMft

Post Posted: Thu Dec 12, 2013 4:29 am

Interesting program.

Did you change other fields like the "number of attributes" and the "allocated size of MFT record" in the record as well?

mansiu
Member
 
 
  

Re: StegoMft

Post Posted: Thu Dec 12, 2013 5:24 am

Nice! :)

Just to keep things as together as possible, cross-linking to this:
www.forensicfocus.com/...ic/t=2883/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: StegoMft

Post Posted: Thu Dec 12, 2013 5:50 am

@mansiu
The only thing that needed to be changed within the "valid-data" boundary of the original record, is the Update Sequence Array. That is required in order to keep the integrity of the modified sectors.

@jaclaz
Yes that was what got me thinking.
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
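The point in the reply above about the Update Sequence Array is the one practical trap: the last two bytes of every 512-byte sector of an on-disk MFT record hold the update sequence number, and the original words live in the USA, so writing into record slack that reaches the end of a sector without redoing the fixups produces a record NTFS will reject. The following is an added example of that fixup handling, not StegoMft's code; the record is a constructed 1024-byte FILE record with the USA at offset 0x30, and the header offsets used are the standard NTFS record header layout.

```python
import struct

SECTOR = 512  # NTFS applies one fixup word per 512-byte block of a record


def _usa(record):
    """Offset and word count of the Update Sequence Array from the record header."""
    return struct.unpack_from("<HH", record, 4)


def apply_fixups(record, new_usn=None):
    """Produce the on-disk form: stash each sector's last word in the USA, stamp the USN there."""
    buf = bytearray(record)
    usa_ofs, usa_count = _usa(buf)
    if (usa_count - 1) * SECTOR != len(buf):
        raise ValueError("USA count does not match record size")
    usn = struct.unpack_from("<H", buf, usa_ofs)[0] if new_usn is None else new_usn
    struct.pack_into("<H", buf, usa_ofs, usn)
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR - 2
        buf[usa_ofs + 2 + 2 * i:usa_ofs + 4 + 2 * i] = buf[end:end + 2]
        struct.pack_into("<H", buf, end, usn)
    return bytes(buf)


def remove_fixups(record):
    """Validate an on-disk record and restore the original sector-end words."""
    buf = bytearray(record)
    usa_ofs, usa_count = _usa(buf)
    usn = bytes(buf[usa_ofs:usa_ofs + 2])
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR - 2
        if buf[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write or unfixed modification)" % i)
        buf[end:end + 2] = buf[usa_ofs + 2 + 2 * i:usa_ofs + 4 + 2 * i]
    return bytes(buf)


def hide_in_slack(on_disk, payload):
    """Write payload into the record slack of an on-disk record and return the fixed-up result."""
    rec = bytearray(remove_fixups(on_disk))
    used, alloc = struct.unpack_from("<II", rec, 0x18)
    if len(payload) > alloc - used:
        raise ValueError("payload does not fit in the record slack")
    rec[used:used + len(payload)] = payload
    old_usn = struct.unpack_from("<H", rec, 0x04 + 0)[0] and struct.unpack_from("<H", rec, _usa(rec)[0])[0]
    next_usn = old_usn + 1 if old_usn + 1 < 0xFFFF else 1  # NTFS bumps the USN on every write
    return apply_fixups(bytes(rec), next_usn)


def build_sample_record(used_size=0x60):
    """Constructed 1024-byte FILE record: header, stand-in attribute bytes, end marker, slack."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)      # USA at 0x30: USN + one word per sector
    struct.pack_into("<H", rec, 0x10, 1)             # sequence number
    struct.pack_into("<H", rec, 0x12, 1)             # hard link count
    struct.pack_into("<H", rec, 0x14, 0x38)          # first attribute offset
    struct.pack_into("<H", rec, 0x16, 1)             # flags: record in use
    struct.pack_into("<II", rec, 0x18, used_size, 1024)  # used size, allocated size
    struct.pack_into("<H", rec, 0x30, 1)             # initial USN
    rec[0x38:used_size - 4] = b"\xAA" * (used_size - 4 - 0x38)  # stand-in attribute bytes (constructed)
    struct.pack_into("<I", rec, used_size - 4, 0xFFFFFFFF)      # end-of-attributes marker
    return apply_fixups(bytes(rec))


if __name__ == "__main__":
    disk = build_sample_record()
    used = struct.unpack_from("<I", disk, 0x18)[0]
    secret = b"A" * (1024 - used)          # fills the whole slack, including the last word of sector 2
    good = hide_in_slack(disk, secret)
    print(remove_fixups(good)[used:] == secret)
    naive = disk[:used] + secret           # same bytes written without redoing the fixups
    try:
        remove_fixups(naive)
    except ValueError as e:
        print("naive write rejected:", e)
```

Read the USN and fixup words from the record header rather than assuming offset 0x30; the header tells you where the USA is, and `remove_fixups` raising on a record you did not touch is the same symptom chkdsk reports for a torn write.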
 
 
Page 1 of 2