I am taking an introductory forensics class as part of my networking curriculum at a community college. The class has been assigned a project where we are supposed to make up an evidence thumb drive for our classmates to examine.
I am wondering if it is possible to split a partition so that it appears to be one single partition but there is unallocated space in the middle?
If this is possible some links would be appreciated.
thank you
So let me understand; this is an introductory class that is not even part of a forensic curriculum and you want to be a @#$% and come up with a difficult evidence item to stump your classmates and show just what a genius you are, yet you are not smart enough to build it yourself . . . sheesh.
What are you going to do when your instructor calls you out and wants you to explain your handy work?
When you are ready for help making an evidence item that you will understand and will also benefit your classmates let us know.
Part of the project is to learn. That is what school is about. So get off your high horse BitHead. I am not asking for someone to do this for me. I am asking for links where I can research and try to learn what is involved. BTW my other classmates are doing the same thing of trying to stump others. Problem solving is one way of learning last I heard.
Part of the project is to learn. That is what school is about. So get off your high horse BitHead. I am not asking for someone to do this for me. I am asking for links where I can research and try to learn what is involved. BTW my other classmates are doing the same thing of trying to stump others. Problem solving is one way of learning last I heard.
High horse, wow you really are a tool.
Forum FAQ
3. Say what you've already done to answer the question or solve the problem and don't be afraid to admit your own limitations. This prevents others from going over the same ground but perhaps more importantly it shows that you've already put your own effort in and just can't get any further. In that case most people will be only too happy to help and you'll get the answers you're looking for.
The above tips should help you get the most out of our forums and we look forward to welcoming you to our community.
So what research have you done? (other than post here and not read the FAQs?)
Do you have any experience using a hex editor? What king of experience do you have with file systems? Are you more comfortable in Windows or *nix?
Your original post stated you are taking an "introductory forensics class as part of my networking curriculum at a community college". To me that says you are more into packets than sectors. That you are more into OSI than OS. That you are more into protocol bending than steganography. What good would it do you to have someone give you links to Carrier's book or some of the others that might have relevant reading if that is beyond your scope?
Do you know about volume slack? Do you know about changing entries in FAT to hide data? What about magic numbers?
If you really want help, you need to put in a bit more effort.
BitHead It takes one to know one.
As for your polite request for more information, well here goes
Programs used in the course include
HxD
FtK
proDiscover Basic
Forensic Toolkit
The instructor has focused on NTFS because he, "Prefers to go into detail on one file system then to cover several in less detail"
I can do the hex editing though I am new to it and not fully conversent.
I myself have used Linux for several years but certainly not at the hex level.
In the class we have covered such topics as
slack space in the partitions and files
Partitioning schemes
ansi vs unicode encoding of files.
MFT entries and how to navigate through them.
"Magic Numbers" were just recently covered
Encryption of partitions and files.
Stegnography
So BitHead do I reach to your condescending level of attention? Am I worthy of your godlike knowledge?
Oh and btw don't worry about calling me a tool. Son-of-a-b***h is probably more appropriate.
juntunen,
There are far more 'interesting' ways to doctor an evidence thumb drive than putting a large space in the middle. Honestly, in the real world you rarely care which sector on disk a file is kept, the file is still 'there'.
But, I am going to have to side with BitHead. This is a class. Do your own homework. Class is to get you to learn and grow. That is not possible if you have others do the work for you, even if we didn't hand you an image ready to write to a disk. Trust me when I say that research is far more important than anything else you will learn in class. If you can not do the research now, when will you learn to?
That is to say, turning to the 'answer machine' is a terrible, terrible habit to get into.
Personally I don't have a major problem with the OP's post. Sure, it might have benefited from a little more background but the request for pointers seems perfectly reasonable.
BitHead - your contributions here are highly valued but your comments here are over the line, no matter how well intentioned. Tone it down please.
Jamie
If this is possible some links would be appreciated.
thank you
Type,
hidden volume
into Google. This would be a good starting point. There are lots of tutorials and articles on the subject.
My concern however it that is would be trivial to make a drive (with encryption) that can't be cracked. It is much more challenging to come up with something that is hard to crack, without being impossible.
I am wondering if it is possible to split a partition so that it appears to be one single partition but there is unallocated space in the middle?
Just to try and "narrow" options
You mean that you would like to see a single volume in Disk Management (or in fdisk)?
How large you need the unallocated space?
How big is the device?
You want the volume to be formatted NTFS? (FAT might be easier)
Must the device (the contents of the "unallocated space") be "resilient" to OS tools (as an example defragmenting the volume, file copy/write etc.)?
jaclaz
So BitHead do I reach to your condescending level of attention? Am I worthy of your godlike knowledge?
Oh and btw don't worry about calling me a tool. Son-of-a-b***h is probably more appropriate.
Exasperated more than condescending. But whatever.
Let me just toss this out there, as a network guy what would you think if someone came to a forum you frequent and their first post asked for advice on how to create a DDoS? Would your first inclination be to point them to LOIC? Or maybe to a page on C# coding? What godlike knowledge would you impart?
As Passmark wrote, it is much more challenging to come up with something that is hard to crack, without being impossible.
Along those lines what would you think about NTFS Alternative Data Streams for hiding data? Fragmenting a file (think multiple fragments across the slack of several files)? What about making the disk unreadable in a Windows machine (think multiple primary partitions)?
What about confounding the examiner (think int0x80)? Or what about a time/space waster (think zip 'o death)? How are your coding skills?