StegoMft

joakims
(@joakims)
Active Member

Just a PoC I made to show how one could hide data within NTFS system files, in this case $MFT and its record slack.

http://code.google.com/p/mft2csv/wiki/StegoMft

It has been through basic testing, and seems to work fine.

However, regard it as highly experimental and provided for educational purposes, and expect there to be bugs. I strongly advise not running it on a production volume yet, until it is properly tested. Performance is also not amazing, at least not in the good sense. The only documentation currently is a short readme included in the download, though I guess it is self-explanatory from the examples.

But it is interesting… :)

Topic starter Posted : 11/12/2013 3:47 am
jhup
(@jhup)
Community Legend

I will check it out tomorrow, and if it works, I might use it in a class to hide some stuff. Okay with that?

Posted : 11/12/2013 7:34 am
joakims
(@joakims)
Active Member

I will check it out tomorrow, and if it works, I might use it in a class to hide some stuff. Okay with that?

Sure. In the end it's just about knowing what data is relevant and what is not. Run chkdsk afterwards to verify the integrity of the filesystem. Hiding data within the records of the system files themselves may sometimes produce a chkdsk warning. I have not yet looked at what causes that. All other records seem ok. Maybe I just have to extend the data start by 4 bytes..

I had to introduce a "header" to the data, to aid in the reassembly. It looks like this:

4 byte signature of choice
4 byte value indicating the fragment number
2 byte value indicating the current fragment size
4 byte value indicating the total size of the hidden data with this signature

Topic starter Posted : 11/12/2013 11:25 am
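The header layout in the post above, worked through as an added example that is not StegoMft's own code: a packer that splits a payload across slack regions of uneven size, and a reassembler that picks the fragments back out of a pile of slack blobs in any order. The field order and widths are the post's; little-endian byte order, the signature "STG1" and the per-record slack sizes are assumptions made for the demo.

```python
import struct

# Fragment header from the post: 4-byte signature, 4-byte fragment number,
# 2-byte fragment size, 4-byte total size. Little-endian is an assumption.
HEADER = struct.Struct("<4sIHI")
HEADER_LEN = HEADER.size  # 14 bytes


def fragment(data, sig, slack_sizes):
    """Split `data` into header+chunk blobs, one per usable slack region.

    slack_sizes lists the usable bytes in each target record's slack, in the
    order the records will be written. Regions too small for a header plus
    at least one payload byte are skipped. Raises if the data does not fit.
    Returns a list of (region index, blob).
    """
    if len(sig) != 4:
        raise ValueError("signature must be exactly 4 bytes")
    blobs, pos, num = [], 0, 0
    for idx, size in enumerate(slack_sizes):
        if pos >= len(data):
            break
        room = min(size - HEADER_LEN, 0xFFFF)  # 2-byte size field caps a fragment
        if room <= 0:
            continue
        chunk = data[pos:pos + room]
        blobs.append((idx, HEADER.pack(sig, num, len(chunk), len(data)) + chunk))
        pos += len(chunk)
        num += 1
    if pos < len(data):
        raise ValueError("only %d of %d bytes fit in the given slack" % (pos, len(data)))
    return blobs


def reassemble(slacks, sig):
    """Rebuild the hidden data from slack blobs supplied in any order.

    Blobs whose first 4 bytes are not `sig` are ignored, so unrelated slack
    (or a second hidden file under another signature) can be mixed in.
    Returns None when nothing carries this signature; raises on duplicate,
    missing, truncated or mutually inconsistent fragments.
    """
    frags, total = {}, None
    for blob in slacks:
        if len(blob) < HEADER_LEN or blob[:4] != sig:
            continue
        _, num, size, tot = HEADER.unpack_from(blob, 0)
        if len(blob) < HEADER_LEN + size:
            raise ValueError("fragment %d truncated" % num)
        if total is None:
            total = tot
        elif tot != total:
            raise ValueError("fragment %d disagrees on total size" % num)
        if num in frags:
            raise ValueError("duplicate fragment %d" % num)
        frags[num] = blob[HEADER_LEN:HEADER_LEN + size]
    if total is None:
        return None
    missing = [i for i in range(len(frags)) if i not in frags]
    if missing:
        raise ValueError("missing fragment(s) %s" % missing)
    data = b"".join(frags[i] for i in range(len(frags)))
    if len(data) != total:
        raise ValueError("got %d bytes, header promised %d" % (len(data), total))
    return data


def demo():
    """Constructed round trip: 768 bytes hidden across records with uneven slack."""
    secret = bytes(range(256)) * 3
    sig = b"STG1"                       # hypothetical signature
    slack_sizes = [100, 10, 300, 500]   # constructed per-record slack; 10 is skipped
    blobs = [b for _, b in fragment(secret, sig, slack_sizes)]
    # Simulate extraction: records come back in a different order, with an
    # unrelated record's (all-zero) slack mixed in.
    found = [blobs[2], b"\x00" * 40, blobs[0], blobs[1]]
    return reassemble(found, sig) == secret
```

Note that the reassembler trusts the 4-byte signature alone to recognise a fragment; a signature that can occur naturally in other records' slack will produce false hits, so a less common value (or an additional checksum, which the post's header does not have) is preferable in practice.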
joakims
(@joakims)
Active Member

@jhup

New version has speed improvements for both hiding and extraction. And some documentation; http://code.google.com/p/mft2csv/wiki/StegoMft

Topic starter Posted : 12/12/2013 2:44 am
mansiu
(@mansiu)
Member

Interesting program.

Did you change other fields like "number of attributes" and the "allocated size of MFT record" in the record together?

Posted : 12/12/2013 2:29 pm
jaclaz
(@jaclaz)
Community Legend

Nice! :)

Just to keep things as together as possible, cross-linking to this
http://www.forensicfocus.com/Forums/viewtopic/t=2883/

jaclaz

Posted : 12/12/2013 3:24 pm
joakims
(@joakims)
Active Member

@mansiu
The only thing that needed to be changed within the "valid-data" boundary of the original record is the Update Sequence Array. That is required in order to keep the integrity of the modified sectors.

@jaclaz
Yes that was what got me thinking.

Topic starter Posted : 12/12/2013 3:50 pm
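The Update Sequence Array point above, and the earlier remark about checking with chkdsk, as an added example that is not StegoMft's code: the NTFS fixup logic for a FILE record, with a slack-writing routine built on it. NTFS stamps the Update Sequence Number over the last two bytes of every 512-byte sector of the record and keeps the real bytes in the USA, so any write that touches those positions, slack included, has to refresh the USA and the USN or the next reader (including chkdsk) sees a mismatch. The record size of 1024 bytes, 512-byte sectors, the USA at offset 0x30 and the constructed test record are assumptions for the demo; the header offsets used are those of the standard FILE record layout.

```python
import struct

SECTOR = 512        # fixups protect the last 2 bytes of every 512-byte sector
RECORD = 1024       # FILE record size assumed for the demo
USA_OFF = 0x30      # USA offset in NTFS 3.1 records (the header field is still honoured)


def _usa(rec):
    """Return (usa_offset, sector_count) after sanity-checking the header."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_words = struct.unpack_from("<HH", rec, 4)   # offset 0x04, 0x06
    sectors = len(rec) // SECTOR
    if usa_words != sectors + 1:        # the USN plus one saved word per sector
        raise ValueError("USA size %d does not fit %d sectors" % (usa_words, sectors))
    return usa_off, sectors


def apply_fixups(disk_rec):
    """On-disk -> in-memory: check every sector tail carries the USN, then put
    back the real bytes saved in the USA. A mismatch means a torn write or a
    record someone modified without redoing the fixups."""
    usa_off, sectors = _usa(disk_rec)
    rec = bytearray(disk_rec)
    usn = rec[usa_off:usa_off + 2]
    for s in range(sectors):
        tail = (s + 1) * SECTOR - 2
        if rec[tail:tail + 2] != usn:
            raise ValueError("fixup mismatch in sector %d" % s)
        saved = usa_off + 2 + 2 * s
        rec[tail:tail + 2] = rec[saved:saved + 2]
    return bytes(rec)


def write_fixups(mem_rec):
    """In-memory -> on-disk: bump the USN, save each sector's real last two
    bytes into the USA and stamp the USN over them. Must run after any byte
    of the record changes, slack included."""
    usa_off, sectors = _usa(mem_rec)
    rec = bytearray(mem_rec)
    usn = (struct.unpack_from("<H", rec, usa_off)[0] + 1) & 0xFFFF
    if usn in (0, 0xFFFF):              # values ntfs-3g skips when bumping the USN
        usn = 1
    struct.pack_into("<H", rec, usa_off, usn)
    for s in range(sectors):
        tail = (s + 1) * SECTOR - 2
        saved = usa_off + 2 + 2 * s
        rec[saved:saved + 2] = rec[tail:tail + 2]
        struct.pack_into("<H", rec, tail, usn)
    return bytes(rec)


def hide_in_slack(disk_rec, payload, offset=0):
    """Write payload into the record slack (between real size at 0x18 and
    allocated size at 0x1C) and return the record ready to go back to disk."""
    mem = bytearray(apply_fixups(disk_rec))
    used, alloc = struct.unpack_from("<II", mem, 0x18)
    start = used + offset
    if start + len(payload) > alloc:
        raise ValueError("payload exceeds %d bytes of slack" % (alloc - start))
    mem[start:start + len(payload)] = payload
    return write_fixups(mem)


def read_slack(disk_rec, offset=0, length=None):
    """Return the slack bytes of an on-disk record, fixups applied first."""
    mem = apply_fixups(disk_rec)
    used, alloc = struct.unpack_from("<II", mem, 0x18)
    start = used + offset
    end = alloc if length is None else min(alloc, start + length)
    return mem[start:end]


def build_test_record(record_no=40, used=0x1A8):
    """Constructed on-disk FILE record for the demo; only the header fields the
    fixup code reads are meaningful, the used area is filler."""
    rec = bytearray(RECORD)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, USA_OFF, RECORD // SECTOR + 1)
    struct.pack_into("<H", rec, 0x14, 0x38)            # first attribute offset
    struct.pack_into("<II", rec, 0x18, used, RECORD)   # real size, allocated size
    struct.pack_into("<I", rec, 0x2C, record_no)       # MFT record number
    rec[0x38:used] = b"\xAA" * (used - 0x38)
    struct.pack_into("<H", rec, USA_OFF, 0)            # USN 0, so the first stamp is 1
    return write_fixups(bytes(rec))                    # stamp it into on-disk form
```

The test record has 600 bytes of slack starting at offset 424, so a 200-byte payload crosses the end of the first sector: on disk, bytes 510 and 511 of that record show the USN rather than the payload, and the two payload bytes live in the USA until the next read restores them. Skipping the fixup step after such a write is exactly what turns a hidden payload into a chkdsk complaint.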
jhup
(@jhup)
Community Legend

Schicht,

Please add a quick blurb about yourself, and the type of copyright you are using into your readme.txt.

Thank you! we might use it in some of our classes.

Posted : 12/12/2013 8:10 pm
joakims
(@joakims)
Active Member

The source is as open as it can get, and likewise the licensing. Redistribute like you want. Just make a reference back to where it originated when appropriate. Have fun.

Topic starter Posted : 12/12/2013 8:56 pm
joakims
(@joakims)
Active Member

New version with a few more added options:
- Wiping record slack ("-clean").
- Dumping record+slack to console for individual records.
- Option to specify range of records for the switches "-check" and "-clean".
- Option to specify byte offset within slack for operation to perform.

Topic starter Posted : 16/12/2013 4:02 am
joakims
(@joakims)
Active Member

Just realized that the technique was presented at Black Hat back in 2006 along with FragFS; http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Thompson/BH-Fed-06-Thompson-up.pdf

Never tried the tool though. And from googling I don't think the source was ever released either. From the doc it seems to share some similarity in the logic, however that implementation sounds slightly different.

Topic starter Posted : 08/01/2014 11:54 pm