
StegoMft

joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

Just a PoC I made to show how one could hide data within NTFS system files, in this case $MFT and its record slack.

http://code.google.com/p/mft2csv/wiki/StegoMft

It has been through basic testing, and seems to work fine.

However, regard it as highly experimental and provided for educational purposes, and expect there to be bugs. I strongly advise not running it on a production volume yet, until properly tested. Performance is also not amazing, at least not for the good. The only documentation is currently a short readme included in the download. Though I guess it is self-explanatory, from the examples.

But it is interesting… )

 
Posted : 11/12/2013 3:47 am
jhup
(@jhup)
Posts: 1442
Noble Member
 

I will check it out tomorrow, and if it works, I might use it in a class to hide some stuff. Okay with that?

 
Posted : 11/12/2013 7:34 am
joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

I will check it out tomorrow, and if it works, I might use it in a class to hide some stuff. Okay with that?

Sure. In the end it's just about knowing what data is relevant and not. Run chkdsk afterwards to verify the integrity of the filesystem. Hiding data within the records of the system files themselves may sometimes produce a chkdsk warning. I have not yet looked at what causes that. All other records seem ok. Maybe I just have to extend the data start by 4 bytes...

I had to introduce a "header" to the data, to aid in the reassembly. It looks like this:

- 4 byte signature of choice
- 4 byte value indicating the fragment number
- 2 byte value indicating the current fragment size
- 4 byte value indicating the total size of the hidden data with this signature

 
Posted : 11/12/2013 11:25 am
joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

@jhup

New version has speed improvements for both hiding and extraction. And some documentation: http://code.google.com/p/mft2csv/wiki/StegoMft

 
Posted : 12/12/2013 2:44 am
(@mansiu)
Posts: 83
Trusted Member
 

Interesting program.

Did you change other fields like "number of attributes" and the "allocated size of MFT record" in the record as well?

 
Posted : 12/12/2013 2:29 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Nice! )

Just to keep things as together as possible, cross-linking to this:
http://www.forensicfocus.com/Forums/viewtopic/t=2883/

jaclaz

 
Posted : 12/12/2013 3:24 pm
joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

@mansiu
The only thing that needed to be changed within the "valid-data" boundary of the original record is the Update Sequence Array. That is required in order to keep the integrity of the modified sectors.

@jaclaz
Yes that was what got me thinking.

 
Posted : 12/12/2013 3:50 pm
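The two points joakims makes above, the fragment header layout and the need to keep the Update Sequence Array consistent, are what an examiner has to handle when checking a volume for this kind of slack data. The script below is an added example of mine, not code from StegoMft or mft2csv: it verifies and undoes the USA of a FILE record (a mismatch is what chkdsk complains about), scans the record slack between bytes-in-use and the allocated size for headers laid out as the post lists them, and reassembles fragments by fragment number. Assumed, because the post does not say: little-endian, unpadded fields in that order, 1024-byte records with 512-byte sectors, and the signature value. The sample records are constructed in the script, not read from a disk.

```python
"""Scan NTFS MFT record slack for fragment headers of the kind described above.

Added example, not part of StegoMft or mft2csv. Assumptions: little-endian,
unpadded fields in the order the post lists them (signature, fragment number,
fragment size, total size); 1024-byte records with 512-byte sectors.
"""
import struct

RECORD_SIZE = 1024   # assumption: typical $MFT record size (read it from $Boot on a real volume)
SECTOR_SIZE = 512    # assumption: 512-byte sectors, so one record spans two fixed-up sectors

# Header layout as described in the post: 4-byte signature, 4-byte fragment
# number, 2-byte fragment size, 4-byte total size. Endianness/order are assumptions.
HEADER = struct.Struct("<4sIHI")


def apply_fixups(record: bytes) -> bytes:
    """Verify and undo the Update Sequence Array (fixups) of a FILE record.

    NTFS overwrites the last two bytes of every sector of the record with the
    update sequence number and keeps the original bytes in the array. A
    mismatch is the corruption chkdsk reports, which is why anything written
    into the slack must keep the USA consistent as well.
    """
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    usa_offset, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_offset:usa_offset + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):               # entry 0 is the USN itself
        end = i * SECTOR_SIZE
        if fixed[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch at end of sector {i - 1}")
        saved = usa_offset + 2 * i
        fixed[end - 2:end] = record[saved:saved + 2]
    return bytes(fixed)


def find_fragments(record: bytes, signature: bytes) -> list:
    """Return fragment headers found in the record slack.

    Slack is the region between the record's bytes-in-use (offset 0x18) and
    its allocated size (offset 0x1C): the post's "valid-data boundary".
    Pass a fixup-corrected record, or fields straddling a sector end read wrong.
    """
    bytes_in_use, allocated = struct.unpack_from("<II", record, 0x18)
    slack = record[bytes_in_use:allocated]
    hits, pos = [], 0
    while True:
        pos = slack.find(signature, pos)
        if pos < 0 or pos + HEADER.size > len(slack):
            break
        _, frag_no, frag_size, total = HEADER.unpack_from(slack, pos)
        start = pos + HEADER.size
        payload = slack[start:start + frag_size]   # truncated if the header overstates the size
        hits.append({"slack_offset": pos, "fragment": frag_no,
                     "size": frag_size, "total": total, "payload": payload})
        pos = start + frag_size
    return hits


def reassemble(records, signature: bytes) -> bytes:
    """Collect fragments across records, order them by fragment number and
    cut the result at the total size the headers declare."""
    frags = []
    for record in records:
        frags.extend(find_fragments(apply_fixups(record), signature))
    if not frags:
        return b""
    frags.sort(key=lambda f: f["fragment"])
    return b"".join(f["payload"] for f in frags)[:frags[0]["total"]]


def build_sample_record(signature: bytes, frag_no: int, payload: bytes, total: int,
                        slack_offset: int = 500) -> bytes:
    """Constructed 1024-byte record (not from a real disk) with one fragment in
    its slack, stored the way NTFS stores it: fixups applied.

    The default slack offset makes the header straddle the first sector
    boundary (bytes 510-511), which is the case the USA exists to handle.
    """
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)                 # USA at 0x30: USN + 2 sectors
    struct.pack_into("<II", rec, 0x18, 0x1A0, RECORD_SIZE)   # bytes in use, allocated size
    frag = HEADER.pack(signature, frag_no, len(payload), total) + payload
    rec[slack_offset:slack_offset + len(frag)] = frag
    usn = b"\x05\x00"
    rec[0x30:0x32] = usn
    for i in range(1, 3):
        end = i * SECTOR_SIZE
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]  # save the original bytes
        rec[end - 2:end] = usn                                 # stamp the USN
    return bytes(rec)


if __name__ == "__main__":
    secret = b"hidden fragment data"
    r1 = build_sample_record(b"STEG", 1, secret[:10], len(secret))
    r2 = build_sample_record(b"STEG", 2, secret[10:], len(secret))
    print(find_fragments(r1, b"STEG"))                # raw: total field damaged by the USN
    print(find_fragments(apply_fixups(r1), b"STEG"))  # fixed: total reads 20
    print(reassemble([r2, r1], b"STEG"))              # b'hidden fragment data'
```

Run against raw records, the first scan shows the total-size field read as 5 instead of 20, because the USN sits on top of it on disk; after apply_fixups the header is intact. On a real volume you would feed every 1024-byte record of $MFT through the same two functions, and a ValueError from apply_fixups marks a record worth a closer look.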
jhup
(@jhup)
Posts: 1442
Noble Member
 

Schicht,

Please add a quick blurb about yourself, and the type of copyright you are using into your readme.txt.

Thank you! We might use it in some of our classes.

 
Posted : 12/12/2013 8:10 pm
joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

The source is as open as it can get, and likewise the licensing. Redistribute as you want. Just make a reference back to where it originated when appropriate. Have fun.

 
Posted : 12/12/2013 8:56 pm
joakims
(@joakims)
Posts: 224
Estimable Member
Topic starter
 

New version with a few more added options:
- Wiping record slack ("-clean").
- Dumping record+slack to console for individual records.
- Option to specify range of records for the switches "-check" and "-clean".
- Option to specify byte offset within slack for operation to perform.

 
Posted : 16/12/2013 4:02 am