Hello,
I have just read a few articles on the ability to hide data in certain locations on a filesystem (not talking about ADS or small files that can fit in the MFT), but instead purposfully placing files in good blocks marked "bad", unallocated space in a partition, volume slack, unused space in the MBR or 63 unused sectors.
I know that there have to be tools used to put a file in the HPA or to mark a sector bad and then place data there. I can't seem to find the tools that allow someone to do that, only readings that it can be done.
I would like to take a look at some of these tools.
Thanks
Just a follow-up, I found this article http//
If you want to hide data to the slack space in the file system you can use bmap on Linux. Bmap helps you to hide both file and data into the slack space.
It would be great to know some other tools from other users…
Best,
Lorderon
Free
I guess that the OP has, in the time passed since 2008, hopefully found a solution or abandoned the quest, but, though not exactly what was asked, our friend Joakim made a nice little tool to hide and protect a few files on NTFS
http//
jaclaz
While the files can be "hidden" in many different ways, they will still remain susceptible to the usual carving approach. Carving does not rely solely on the file system. Instead, it looks at actual data based on characteristic signatures that are used to identify file types and calculate their length. Once a file of a certain type is identified, the carving tool may use information from the file system to discover all parts of that file on the disk (if the file is fragmented), or simply analyze the file's header to determine its total length (if the file is contiguous or if no reference exists in the file system).
If I get some time one day, I can make a PoC for how to hide data within MFT itself. Something like 30-40% of its total size (very rough estimate) can actually be used for such. I suppose you can get even more creative too, if you go for it.
If I get some time one day, I can make a PoC for how to hide data within MFT itself. Something like 30-40% of its total size (very rough estimate) can actually be used for such. I suppose you can get even more creative too, if you go for it.
Just to keep things as together as possible, here is the new tool by joakims )
http//www.forensicfocus.com/Forums/viewtopic/t=11288/
jaclaz