Tools for hiding da...
 
Notifications
Clear all

Tools for hiding data in slack, bad sectors, in the MBR etc

8 Posts
6 Users
0 Likes
2,021 Views
(@jakeaw03)
Posts: 65
Trusted Member
Topic starter
 

Hello,

I have just read a few articles on the ability to hide data in certain locations on a filesystem (not talking about ADS or small files that can fit in the MFT), but instead purposfully placing files in good blocks marked "bad", unallocated space in a partition, volume slack, unused space in the MBR or 63 unused sectors.

I know that there have to be tools used to put a file in the HPA or to mark a sector bad and then place data there. I can't seem to find the tools that allow someone to do that, only readings that it can be done.

I would like to take a look at some of these tools.

Thanks

 
Posted : 08/09/2008 7:30 pm
(@jakeaw03)
Posts: 65
Trusted Member
Topic starter
 

Just a follow-up, I found this article http//www.cio.com/article/print/114550 and about 1/4 to 1/2 way down are some descriptions of tools used for various anti-forensics.

 
Posted : 09/09/2008 12:21 am
(@lorderon)
Posts: 1
New Member
 

If you want to hide data to the slack space in the file system you can use bmap on Linux. Bmap helps you to hide both file and data into the slack space.

It would be great to know some other tools from other users…

Best,
Lorderon

 
Posted : 03/12/2013 2:37 am
Passmark
(@passmark)
Posts: 376
Reputable Member
 

Free DiskCheckup has the ability to detect and set the sizes of the Host Protected Area (HPA) and Device Configuration Overlay (DCO). It doesn't do anything to help you get files or data into the HPA however. So it isn't a complete solution to hiding files.

 
Posted : 03/12/2013 8:22 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I guess that the OP has, in the time passed since 2008, hopefully found a solution or abandoned the quest, but, though not exactly what was asked, our friend Joakim made a nice little tool to hide and protect a few files on NTFS
http//reboot.pro/topic/18573-hideandprotect-ntfs/

jaclaz

 
Posted : 03/12/2013 2:14 pm
(@belkasoft)
Posts: 169
Estimable Member
 

While the files can be "hidden" in many different ways, they will still remain susceptible to the usual carving approach. Carving does not rely solely on the file system. Instead, it looks at actual data based on characteristic signatures that are used to identify file types and calculate their length. Once a file of a certain type is identified, the carving tool may use information from the file system to discover all parts of that file on the disk (if the file is fragmented), or simply analyze the file's header to determine its total length (if the file is contiguous or if no reference exists in the file system).

 
Posted : 03/12/2013 3:04 pm
joakims
(@joakims)
Posts: 224
Estimable Member
 

If I get some time one day, I can make a PoC for how to hide data within MFT itself. Something like 30-40% of its total size (very rough estimate) can actually be used for such. I suppose you can get even more creative too, if you go for it.

 
Posted : 03/12/2013 3:41 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

If I get some time one day, I can make a PoC for how to hide data within MFT itself. Something like 30-40% of its total size (very rough estimate) can actually be used for such. I suppose you can get even more creative too, if you go for it.

Just to keep things as together as possible, here is the new tool by joakims )
http//www.forensicfocus.com/Forums/viewtopic/t=11288/

jaclaz

 
Posted : 12/12/2013 3:25 pm
Share: