What is the prize that you win?
I hope it's a $5 wrench!
Like this? Although, this one is $10.93.
Like this? Although, this one is $10.93.
Well, to be worth the time, I guess one of these (beryllium copper) would be more attractive:
http//
If you miss the head of the guy and hit (say) a metal scaffolding, you won't risk generating a spark and starting a fire.
Safety first. ;)
jaclaz
Like this? Although, this one is $10.93.
That is a fancy wrench.
Any chance the file is just hidden and not encrypted at all?
In addition to viewing hidden files, you can set Explorer to show you system files.
Another way to find a hidden file is to use FTK Imager (free) to view the filesystem. FTK Imager will let you see all the files that exist on the filesystem, including some that Windows Explorer will keep hidden from you.
If it is encrypted, one low-tech method for finding encrypted file containers (like TrueCrypt) is to look for files that are larger than they should be. A 2GB picture is very odd.
Quick and brutal would be file signature analysis, excluding the matches; then WinHex or 010 Editor (cheap and good) have histogram or entropy analysis. A TrueCrypt file has no signature, and the entropy should be perfectly level (even spread of hex values).
With regards to the hidden container within TrueCrypt, provided you follow the advice given on their site, it has absolute plausible deniability. If you do find what you think may be a TrueCrypt container (you can create ones as small as 1KB), try and find a backup or one in SVI and perform a hash block analysis on both. This can at least give an indication of the size of the outer or hidden container and can nullify the defence of 'it is random data as part of disk wiping processes'.
If you suspect steganography, again pursue the backup/SVI/MRU lists.
Otherwise, buy a wrench.
Happy hunting.
Thanks!
Also, talked to him a little today and apparently the only program he used to hide the file was command prompt. Not sure if that means anything, and not really sure how to use command prompt to find files, but any insight would be appreciated.
Thanks!
Also, talked to him a little today and apparently the only program he used to hide the file was command prompt. Not sure if that means anything, and not really sure how to use command prompt to find files, but any insight would be appreciated.
At a guess, that could mean he just made it an alternate data stream. Opening your hard disk in FTK Imager would probably show them up; not sure if there is an easy way to filter them, though.
Thanks!
Also, talked to him a little today and apparently the only program he used to hide the file was command prompt. Not sure if that means anything, and not really sure how to use command prompt to find files, but any insight would be appreciated.
Maybe a DIR /x would help.
"Malforming" a file or directory name is/was a common way to hide things (in the sense that they are not easily shown in Explorer and in a "normal" DIR).
Using ALT+0255 or ALT+0160 is as old as DOS, if I recall correctly.
But it's not really-really hidden; it depends on the view chosen in Explorer and on how attentively you examine the DIR output.
Example
http//
But since you initially talked of "padding", it is also possible that he added the file at the end of another one.
jaclaz
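As an added example (my code, not anything posted in the thread or shipped with FTK Imager), here is a Python scan for the kind of "malformed" names jaclaz describes: entries containing ALT+0160 (no-break space), ALT+0255 (ÿ), zero-width or bidirectional override characters, trailing spaces or dots, or no visible characters at all. The character table and the sample names it creates in a temporary directory are constructed for the demonstration. Alternate data streams, raised in the previous reply, cannot be enumerated portably from Python, so this only covers names; on a live Windows box `dir /r` (Vista and later) is the built-in way to list streams.

```python
import os
import tempfile
import unicodedata

# Characters that render as blank or near-blank in Explorer and DIR output.
# Constructed list for this example; extend it for your own environment.
SUSPICIOUS_CHARS = {
    "\u00a0": "NO-BREAK SPACE (ALT+0160)",
    "\u00ff": "LATIN SMALL LETTER Y WITH DIAERESIS (ALT+0255)",
    "\u200b": "ZERO WIDTH SPACE",
    "\u202e": "RIGHT-TO-LEFT OVERRIDE",
}


def name_findings(name):
    """Return the reasons a file or directory name looks deliberately malformed."""
    findings = []
    for ch in name:
        if ch in SUSPICIOUS_CHARS:
            findings.append("contains " + SUSPICIOUS_CHARS[ch])
        elif unicodedata.category(ch) in ("Cc", "Cf", "Zs") and ch != " ":
            # Any other control, format or non-ASCII space character.
            findings.append("contains " + unicodedata.name(ch, "U+%04X" % ord(ch)))
    if name != name.rstrip(" ."):
        # Win32 normally strips trailing spaces and dots, so such names only
        # appear through tricks and confuse Explorer.
        findings.append("trailing space or dot")
    visible = name.strip()
    if not visible or set(visible) <= {"."}:
        findings.append("name has no visible characters")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order


def scan_tree(root):
    """Walk root and return {path: findings} for every entry with a suspicious name."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            hits = name_findings(name)
            if hits:
                results[os.path.join(dirpath, name)] = hits
    return results


def demo():
    """Create constructed sample names in a temp directory and scan them.
    Findings are keyed by bare name so the result is path-independent."""
    samples = ["report.docx", "\u00a0", "notes.txt\u00a0", "\u00ff\u00ff", "invoice\u202efdp.exe"]
    with tempfile.TemporaryDirectory() as tmp:
        for name in samples:
            open(os.path.join(tmp, name), "wb").close()
        return {os.path.basename(p): f for p, f in scan_tree(tmp).items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(repr(name), "->", "; ".join(hits))
```

Run it against a mounted image or exported directory tree with `scan_tree(path)`; printing names with `repr()` is what makes the invisible characters show up in the output.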
Regardless of *how* the encrypted files were hidden, probably the best way would be running stochastic analysis on the entire disk content (at a low level). Any sectors on the disk containing some very random data should then be linked back to file system records. This will identify encrypted files pretty reliably. At least that's exactly what we're doing in our own tool, Belkasoft Evidence Center, to detect encrypted files.
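An added Python example, written for this thread and not taken from Belkasoft, WinHex or 010 Editor, that implements the checks the three replies above describe: the "file larger than it should be / signature does not match the extension" test, the histogram and entropy analysis that flags signature-less files with a perfectly level byte spread, and a block-wise pass over a raw image that reports offsets of random-looking sectors, which is the step a sector-level stochastic analysis would then map back to file-system records. The signature table is a minimal constructed one, and the sample data is constructed too (a zero-padded JPEG-header stand-in and seeded pseudo-random bytes standing in for cipher-text).

```python
import math
import os
import random
from collections import Counter

# Magic bytes for a few common formats (constructed, minimal table for this example).
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
}
EXTENSION_TYPES = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".zip": "zip", ".pdf": "pdf"}


def identify(data):
    """Return the format whose signature starts the data, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant file, 8.0 for a perfectly even byte spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square(data):
    """Chi-square distance from a flat byte histogram; uniform random data
    scores around 255, structured data far higher."""
    if not data:
        return 0.0
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def assess_file(name, data, entropy_threshold=7.9):
    """File-level triage: does the signature match the extension, and is the
    content random enough to be a cipher-text container?"""
    claimed = EXTENSION_TYPES.get(os.path.splitext(name)[1].lower())
    actual = identify(data)
    entropy = shannon_entropy(data)
    findings = []
    if claimed and actual != claimed:
        findings.append(f"extension says {claimed} but signature says {actual}")
    if actual is None and entropy >= entropy_threshold:
        findings.append("no known signature and near-maximal entropy: possible encrypted container")
    return {"name": name, "claimed": claimed, "actual": actual,
            "entropy": round(entropy, 3), "chi_square": round(chi_square(data), 1),
            "findings": findings}


def scan_blocks(image, block_size=4096, entropy_threshold=7.9):
    """Sector-level pass over a raw image: (offset, entropy) for every full block
    whose bytes look random. The offsets are what you map back to file-system records."""
    hits = []
    for offset in range(0, len(image) - block_size + 1, block_size):
        entropy = shannon_entropy(image[offset:offset + block_size])
        if entropy >= entropy_threshold:
            hits.append((offset, round(entropy, 3)))
    return hits


# Constructed samples: a JPEG header followed by zero padding (stand-in for a
# low-entropy file) and seeded pseudo-random bytes (stand-in for cipher-text).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(8192 - 11)
_rng = random.Random(2024)
SAMPLE_RANDOM = bytes(_rng.randrange(256) for _ in range(8192))
SAMPLE_IMAGE = SAMPLE_JPEG + SAMPLE_RANDOM

if __name__ == "__main__":
    print(assess_file("holiday.jpg", SAMPLE_JPEG))
    print(assess_file("holiday.jpg", SAMPLE_RANDOM))
    print("random-looking blocks:", scan_blocks(SAMPLE_IMAGE))
```

Treat a hit as a lead rather than proof: well-compressed media (JPEG scan data, MP3, archives) also sits close to 8 bits per byte, which is why the signature check runs first and why a real tool correlates the flagged sectors with the file-system records that own them.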
A very simple thing that springs to mind is that .zip files can be encrypted. A zip file is a file that is a compressed (and sometimes encrypted) version of other file/s. Try extracting the zip file in the file directory. If it asks you for a password, that might be the encryption he is talking about. Bit easier than going all forensic on his a-se. If it does, you can either guess the password, or you can google for software to crack zip passwords.
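An added Python example, not code from the thread, that ties together jaclaz's "added the file at the end of another one" suggestion and the zip remark above: it walks a JPEG's segment structure to find where the image really ends (rather than searching for the first FF D9, which an embedded EXIF thumbnail would trigger early), reports any bytes that follow, and if those bytes are a ZIP archive lists its entries and which of them carry the "encrypted" general-purpose flag bit, the same thing that makes an extractor prompt for a password. The minimal JPEG and the appended archive are constructed; since Python's `zipfile` cannot write password-protected archives, the fixture only sets the flag bit by hand and the payload stays plaintext.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8"
RST_RANGE = range(0xD0, 0xD8)   # restart markers that may appear inside scan data


def jpeg_end_offset(data):
    """Walk the JPEG segments and return the offset just past the End-Of-Image
    marker, or None if the data is not a well-formed JPEG. An EXIF thumbnail's
    own EOI is skipped along with its APP1 segment because we skip by length."""
    if not data.startswith(JPEG_SOI):
        return None
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:                      # EOI
            return pos
        if marker == 0x01 or marker in RST_RANGE:
            continue                            # standalone markers carry no length
        if pos + 2 > n:
            return None
        pos += int.from_bytes(data[pos:pos + 2], "big")   # length includes itself
        if marker == 0xDA:                      # SOS: skip entropy-coded data to the next marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt not in RST_RANGE:
                    break
                pos += 1
    return None


def inspect_jpeg(data):
    """Report what follows the JPEG's EOI; if it is a ZIP, list its entries and
    which of them have bit 0 ('encrypted') of the general-purpose flags set."""
    report = {"jpeg_end": jpeg_end_offset(data), "trailing_bytes": 0,
              "trailing_type": None, "zip_entries": [], "encrypted_entries": []}
    if report["jpeg_end"] is None:
        return report
    tail = data[report["jpeg_end"]:]
    report["trailing_bytes"] = len(tail)
    if tail.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(tail)) as zf:
                for info in zf.infolist():
                    report["zip_entries"].append(info.filename)
                    if info.flag_bits & 0x1:
                        report["encrypted_entries"].append(info.filename)
            report["trailing_type"] = "zip"
        except zipfile.BadZipFile:
            report["trailing_type"] = "zip (unreadable)"
    elif tail:
        report["trailing_type"] = "unknown"
    return report


def build_sample_jpeg():
    """Constructed minimal JPEG: SOI, APP0, SOS, scan bytes containing a stuffed
    FF 00 and an RST0 marker, then EOI. Structurally valid, not a decodable picture."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return JPEG_SOI + app0 + sos + scan + b"\xff\xd9"


def set_encryption_flag(zip_bytes):
    """Constructed fixture: set bit 0 of the flags in every local (offset 6) and
    central-directory (offset 8) header so the archive reads as encrypted."""
    buf = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + flag_offset] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample(encrypted=True):
    """A JPEG with a one-entry ZIP appended, optionally flagged as encrypted."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w") as zf:
        zf.writestr("secret.txt", "constructed payload")
    archive = set_encryption_flag(mem.getvalue()) if encrypted else mem.getvalue()
    return build_sample_jpeg() + archive


if __name__ == "__main__":
    print(inspect_jpeg(build_sample()))
```

On a real case, feed `inspect_jpeg` the bytes of the suspiciously large picture; a non-zero `trailing_bytes` with `trailing_type` of "unknown" is the cue to hand the tail to the entropy and signature checks, while a "zip" result with `encrypted_entries` is exactly the password-protected archive the post above describes.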