StegoMft

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

joakims
Senior Member
 

StegoMft

Post Posted: Dec 11, 13 03:47

Just a PoC I made to show how one could hide data within NTFS system files, in this case $MFT and its record slack.

code.google.com/p/mft2...i/StegoMft

It has been through basic testing, and seems to work fine.

However, regard it as highly experimental and provided for educational purposes, and expect there to be bugs. I strongly advise not running it on a production volume yet, until properly tested. Performance is also not amazing, at least not for the good. The only documentation is currently a short readme included in the download, though I guess it is self-explanatory from the examples.

But it is interesting...
_________________
Joakim Schicht

github.com/jschicht 


Last edited by joakims on Dec 12, 13 02:48; edited 1 time in total
 
  

jhup
Senior Member
 

Re: StegoMft

Post Posted: Dec 11, 13 07:34

I will check it out tomorrow, and if it works, I might use it in a class to hide some stuff. Okay with that?  
 
  

joakims
Senior Member
 

Re: StegoMft

Post Posted: Dec 11, 13 11:25

- jhup
I will check it out tomorrow, and if it works, I might use it in a class to hide some stuff. Okay with that?


Sure. In the end it's just about knowing what data is relevant and not. Run chkdsk afterwards to verify the integrity of the filesystem. Hiding data within the records of the system files themselves may sometimes produce a chkdsk warning. I have not yet looked at what causes that. All other records seem ok. Maybe I just have to extend the data start by 4 bytes..

I had to introduce a "header" to the data, to aid in the reassembly. It looks like this:

4 byte signature of choice
4 byte value indicating the fragment number
2 byte value indicating the current fragment size
4 byte value indicating the total size of the hidden data with this signature
_________________
Joakim Schicht

github.com/jschicht 
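The fragment header listed above is enough to write a small carver for it. The following is an added example, not code from StegoMft or from the post's author: it packs payload into header-prefixed fragments sized to a record's slack, then scans a set of constructed slack blobs for the signature and reassembles the fragments in order, refusing output when a fragment is missing or the sizes do not add up to the declared total. Field order is taken from the post; little-endian byte order, unsigned fields and 0-based fragment numbering are assumptions here, as are the signature `STEG` and all sample data.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Header layout as listed in the post: 4-byte signature, 4-byte fragment number,
# 2-byte fragment size, 4-byte total size. Little-endian and unsigned are assumed.
HEADER_FMT = "<4sIHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 14 bytes


def split_payload(signature: bytes, data: bytes, slack_capacity: int) -> List[bytes]:
    """Split data into header-prefixed fragments that each fit one record's slack."""
    if len(signature) != 4:
        raise ValueError("signature must be exactly 4 bytes")
    chunk = slack_capacity - HEADER_LEN
    if chunk <= 0 or chunk > 0xFFFF:
        raise ValueError("slack capacity out of range for a 2-byte fragment size")
    frags = []
    for n, start in enumerate(range(0, len(data), chunk)):
        piece = data[start:start + chunk]
        frags.append(struct.pack(HEADER_FMT, signature, n, len(piece), len(data)) + piece)
    return frags


def carve_fragments(blobs: List[bytes], signature: bytes) -> Tuple[Dict[int, bytes], Optional[int]]:
    """Scan slack blobs for the signature; return {fragment_no: payload} and the declared total."""
    found: Dict[int, bytes] = {}
    total: Optional[int] = None
    for blob in blobs:
        off = blob.find(signature)
        while off != -1:
            if off + HEADER_LEN <= len(blob):
                _, frag_no, frag_size, frag_total = struct.unpack_from(HEADER_FMT, blob, off)
                end = off + HEADER_LEN + frag_size
                # accept only headers whose payload fits and whose total agrees with earlier ones
                if frag_size > 0 and end <= len(blob) and (total is None or frag_total == total):
                    total = frag_total
                    found[frag_no] = blob[off + HEADER_LEN:end]
                    off = blob.find(signature, end)  # skip past the payload
                    continue
            off = blob.find(signature, off + 1)
    return found, total


def reassemble(found: Dict[int, bytes], total: Optional[int]) -> Optional[bytes]:
    """Concatenate fragments in numeric order; None if any are missing or sizes disagree."""
    if total is None or not found:
        return None
    numbers = sorted(found)
    if numbers != list(range(len(found))):
        return None  # a gap in the fragment numbering
    data = b"".join(found[n] for n in numbers)
    return data if len(data) == total else None


def demo() -> Optional[bytes]:
    """Hide 40 constructed bytes across records with 20 bytes of usable slack, then carve them back."""
    sig = b"STEG"                 # constructed signature
    secret = bytes(range(40))     # constructed payload
    frags = split_payload(sig, secret, 20)          # 6 payload bytes per fragment -> 7 fragments
    blobs = [b"\x00" * 8 + f + b"\xff" * 4 for f in frags]  # constructed slack areas
    blobs.insert(2, b"\x00" * 32)                   # a record carrying nothing
    found, total = carve_fragments(blobs, sig)
    return reassemble(found, total)


if __name__ == "__main__":
    print(demo() == bytes(range(40)))
```

Because every fragment repeats the signature and the total size, a reader only needs the signature to find all pieces and to know when the set is complete, which is also what makes a fixed signature straightforward to scan for during an examination.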
 
  

joakims
Senior Member
 

Re: StegoMft

Post Posted: Dec 12, 13 02:44

@jhup

New version has speed improvements for both hiding and extraction. And some documentation; code.google.com/p/mft2...i/StegoMft
_________________
Joakim Schicht

github.com/jschicht 
 
  

mansiu
Senior Member
 

Re: StegoMft

Post Posted: Dec 12, 13 14:29

Interesting program.

Did you change other fields like "number of attributes" and the "allocated size of MFT record" in the record together?  
 
  

jaclaz
Senior Member
 

Re: StegoMft

Post Posted: Dec 12, 13 15:24

Nice!

Just to keep things as together as possible, cross-linking to this:
www.forensicfocus.com/...ic/t=2883/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

joakims
Senior Member
 

Re: StegoMft

Post Posted: Dec 12, 13 15:50

@mansiu
The only thing that needed to be changed within the "valid-data" boundary of the original record is the Update Sequence Array. That is required in order to keep the integrity of the modified sectors.

@jaclaz
Yes that was what got me thinking.
_________________
Joakim Schicht

github.com/jschicht 
 

Page 1 of 2