detection of file-hollowing

mgilhespy · 2016-09-22T15:03:29Z

Folks, looking for some group wisdom here..A few days ago I was given a bunch of files to look at. The context is not related to any criminal investigation. My involvement is essential curiosity.. The files had no headers I could recognise but there were structures in them which persuaded me they were images (only a vague hunch at first). The "file" command (gnuwin version) concurred with me, listing them as TARGA image files (.tga) - however no TARGA file viewer I could find would open them - nor would any other viewer I've tried so far. After reading through various posts here on FF I finally decided to try transplanting headers and eventually got a result by inserting JPEG headers. Now, on viewing the files (irfanview, windows viewer, various others all the same result) they appeared degraded, partially corrupted, with banding around the edges or through the middle. I ran a strings search over the files and discovered some hex encoded ascii (which stood out a mile) and which I believe had been pasted into the middle of the files. Cutting out those bytes resulted in "good" images without any of the prior degraded parts.The question for the group is, how would you go about scanning a system for the presence of other such "hollowed" files, perhaps not all images, being used as a "container" for hidden data? In this case it was the fact that the files did not have recognisable headers that alerted my friend to them. What if the insertion was done while being sure to leave any header/footer intact?Ideas most welcome.ThanksMichael

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by mgilhespy 9 years ago

12 Posts

5 Users

0 Reactions

1,297 Views

RSS

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

27/09/2016 6:08 pm

considering a small padding (front and end) which I had previously missed, the inserted contents are all exactly the same length and are all inserted at position file-len/2.

with that we examined all images on the system to see if we could find hex encoded ascii strings at that location and recovered what we think is the rest of the content.

the naming convention of the files is definitely intended to show a sequence for rebuilding the content.

Good ) , you have now convinced me that it represents a naive attempt at steganography (intentional).
1/2 file size + fixed length are a simple enough "decoding algorithm", fully compatible with "encode some text and put it within files, without considering that the file is not anymore a "standard" format" approach.

jaclaz

ReplyQuote

mgilhespy

(@mgilhespy)

Estimable Member

Joined: 16 years ago

Posts: 102

Topic starter 28/09/2016 12:55 am

Good ) , you have now convinced me that it represents a naive attempt at steganography (intentional).
1/2 file size + fixed length are a simple enough "decoding algorithm", fully compatible with "encode some text and put it within files, without considering that the file is not anymore a "standard" format" approach.

jaclaz

it was your previous comment that had me go back and check the insertion position and then realise that we had missed the padding. after that it all fell together pretty simply.

thanks!

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
320 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed