Finding hidden encrypted files

TuckerHST
(@tuckerhst)
Estimable Member
Joined: 16 years ago
Posts: 175
 

What is the prize that you win?

I hope it's a $5 wrench!


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

Like this? Although, this one is $10.93.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> Like this? Although, this one is $10.93.

Well, to be worth the time, I guess one of these (beryllium copper) would be more attractive
http://www.ngkmetals.com/index.cfm/m/62/fuseaction/store6products.productDetail/productID/417/merchantId/0/departmentId/0/categoryId/1/Adjustable-End-Wrench

If you miss the head of the guy and hit (say) a metal scaffolding, you won't risk to generate a spark and initiate a fire.

Safety first. wink

jaclaz


   
Bulldawg
(@bulldawg)
Estimable Member
Joined: 13 years ago
Posts: 190
 

> Like this? Although, this one is $10.93.

That is a fancy wrench.

Any chance the file is just hidden and not encrypted at all?

In addition to viewing hidden files, you can set Explorer to show you system files.

Another way to find a hidden file is to use FTK Imager (free) to view the filesystem. FTK Imager will let you see all the files that exist on the filesystem, including some that Windows Explorer will keep hidden from you.

If it is encrypted, one low-tech method for finding encrypted file containers (like TrueCrypt) is to look for files that are larger than they should be. A 2GB picture is very odd.


   
(@chroberts39)
Eminent Member
Joined: 16 years ago
Posts: 25
 

Quick and brutal would be file signature analysis and exclude matches, then WinHex or 010 Editor (cheap and good) have histogram or entropy analysis; a TrueCrypt file has no signature and the entropy should be perfectly level (even spread of hex values).

With regards to the hidden container within TrueCrypt, provided you follow the advice given on their site, it has absolute plausible deniability. If you do find what you think may be a TrueCrypt container (you can create ones as small as 1KB) try and find a backup or one in SVI and perform a hash block analysis on both. This can at least give an indication of the size of the outer or hidden container and can nullify the defence of 'it is random data as part of disk wiping processes'.

If you suspect steganography, again pursue the backup/svi/MRU lists.

Otherwise, buy a wrench.

Happy hunting.


   
(@armstrong)
New Member
Joined: 12 years ago
Posts: 3
Topic starter  

Thanks!

Also, talked to him a little today and apparently the only program he used to hide the file was command prompt. Not sure if that means anything, and not really sure how to use command prompt to find files, but any insight would be appreciated.


   
minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 

> Thanks!
>
> Also, talked to him a little today and apparently the only program he used to hide the file was command prompt. Not sure if that means anything, and not really sure how to use command prompt to find files, but any insight would be appreciated.

At a guess, that could mean he just made it an alternate data stream. Opening your hard disk in FTK Imager would probably show them up; not sure if there is an easy way to filter them though.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> Thanks!
>
> Also, talked to him a little today and apparently the only program he used to hide the file was command prompt. Not sure if that means anything, and not really sure how to use command prompt to find files, but any insight would be appreciated.

Maybe a DIR /x would help.
"Malforming" a file or directory name is/was a common way to hide things (in the sense that they are not easily shown in Explorer and in a "normal" DIR).
Using ALT+0255 or ALT+0160 is as old as DOS, if I recall correctly.
But it's not really-really hidden; it depends on the view chosen in Explorer and on how attentively you examine the DIR output.
Example:
http://www.msfn.org/board/topic/131103-win-ntbt-can-be-omitted/page__view__findpost__p__842843

But since you initially talked of "padding" it is also possible that he added the file at the end of another one.

jaclaz


   
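As an added example (not from the thread or from any of its posters), the Python below automates two of the checks jaclaz describes: it flags file names made of blank-looking characters such as those ALT+0160 and ALT+0255 produce, and it reports any bytes appended after the logical end of a JPEG or PNG, which is how a file "padded" onto the end of a picture would show up. The sample names and images are constructed for the demonstration, and the set of blank-looking characters is an assumption rather than an exhaustive list.

```python
import unicodedata
import zlib

# Characters that render as blank (or nearly so) in a console DIR listing or in
# Explorer. U+00A0 is what ALT+0160 types; ALT+0255 gives U+00FF in the ANSI code
# page and a blank in the OEM code page. This set is an assumption, not a complete list.
BLANK_LOOKALIKES = {'\xa0', '\xff', '\u2007', '\u202f', '\u3000'}


def suspicious_name_reasons(name):
    """Return a sorted list of reasons a file name looks deliberately malformed."""
    reasons = set()
    for ch in name:
        cat = unicodedata.category(ch)
        if ch in BLANK_LOOKALIKES:
            reasons.add('blank-looking character U+%04X' % ord(ch))
        elif cat.startswith('C') or (cat == 'Zs' and ch != ' '):
            # control, format, private-use or unusual space characters
            reasons.add('control/format/unusual space U+%04X' % ord(ch))
    visible = ''.join(ch for ch in name
                      if ch not in BLANK_LOOKALIKES and unicodedata.category(ch) != 'Zs')
    if not visible:
        reasons.add('name is entirely blank-looking')
    if name != name.rstrip(' .'):
        # normal Win32 file creation strips trailing spaces and dots, so their
        # presence means a non-standard path form was used to create the entry
        reasons.add('trailing space or dot')
    return sorted(reasons)


def jpeg_trailer_offset(data):
    """Walk JPEG marker segments; return the offset just past EOI, or None if not a JPEG."""
    if data[:2] != b'\xff\xd8':
        return None
    i, n = 2, len(data)
    while i + 1 < n:
        if data[i] != 0xFF:
            return None                      # lost sync: treat as malformed
        marker = data[i + 1]
        if marker == 0xD9:
            return i + 2                     # EOI: logical end of the image
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            i += 2                           # stand-alone markers carry no length
            continue
        i += 2 + int.from_bytes(data[i + 2:i + 4], 'big')
        if marker == 0xDA:                   # SOS: skip entropy-coded data to the next marker
            while i + 1 < n:
                if data[i] == 0xFF and data[i + 1] != 0 and not 0xD0 <= data[i + 1] <= 0xD7:
                    break
                i += 1
    return None


def png_trailer_offset(data):
    """Walk PNG chunks; return the offset just past IEND, or None if not a PNG."""
    if data[:8] != b'\x89PNG\r\n\x1a\n':
        return None
    i = 8
    while i + 8 <= len(data):
        length = int.from_bytes(data[i:i + 4], 'big')
        ctype = data[i + 4:i + 8]
        i += 12 + length                     # length + type + payload + CRC
        if ctype == b'IEND':
            return i
    return None


def appended_data(data):
    """Bytes found after the image's logical end (b'' if none, or if the format is unknown)."""
    for probe in (jpeg_trailer_offset, png_trailer_offset):
        end = probe(data)
        if end is not None:
            return data[end:]
    return b''


def sample_jpeg():
    """Constructed minimal JPEG: SOI, JFIF APP0, SOS with fake scan data (no 0xFF bytes), EOI."""
    app0 = b'\xff\xe0' + (16).to_bytes(2, 'big') + b'JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00'
    sos = b'\xff\xda' + (8).to_bytes(2, 'big') + b'\x01\x01\x00\x00\x3f\x00'
    return b'\xff\xd8' + app0 + sos + bytes(range(0x10, 0x50)) + b'\xff\xd9'


def _png_chunk(ctype, payload):
    return (len(payload).to_bytes(4, 'big') + ctype + payload
            + zlib.crc32(ctype + payload).to_bytes(4, 'big'))


def sample_png():
    """Constructed 1x1 PNG skeleton: signature, IHDR and IEND (IDAT is not needed for this check)."""
    ihdr = (1).to_bytes(4, 'big') + (1).to_bytes(4, 'big') + b'\x08\x00\x00\x00\x00'
    return b'\x89PNG\r\n\x1a\n' + _png_chunk(b'IHDR', ihdr) + _png_chunk(b'IEND', b'')


if __name__ == '__main__':
    for name in ('report.docx', 'photo\xa0.jpg', '\xff', 'backup.txt '):
        print(repr(name), suspicious_name_reasons(name))
    print(appended_data(sample_jpeg() + b'hidden payload'))
```

Run against a directory listing, the name check is a filter for what DIR /x would make you read by eye; the trailer check is the complement of a signature scan, since the picture's own header is intact and only the end of the file is wrong.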
(@belkasoft)
Estimable Member
Joined: 17 years ago
Posts: 169
 

Regardless of *how* the encrypted files were hidden, probably the best way would be running stochastic analysis on the entire disk content (at a low level). Any sectors on the disk containing some very random data should then be linked back to file system records. This will identify encrypted files pretty reliably. At least that's exactly what we're doing in our own tool, Belkasoft Evidence Center, to detect encrypted files.


   
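The two approaches above, chroberts39's "signature analysis, exclude matches, then entropy" workflow per file and Belkasoft's low-level scan of the whole disk for random-looking sectors, share one measurement: Shannon entropy of the bytes. The Python below is an added example, not code from either poster or from Belkasoft Evidence Center; it classifies a single file by signature and entropy, and scans a raw image in fixed-size chunks to return the byte ranges that look random so they can be mapped back to file system records. The signature table is a small constructed subset, the sample "disk image" is built in memory, and the 7.8-bit threshold is an assumption chosen for 4 KiB chunks, where the entropy estimate of truly random data sits around 7.95 bits.

```python
import math
import random
from collections import Counter

# Constructed subset of common magic numbers; a real workflow uses a full signature database.
SIGNATURES = {
    b'\xff\xd8\xff': 'jpeg',
    b'\x89PNG\r\n\x1a\n': 'png',
    b'GIF8': 'gif',
    b'%PDF': 'pdf',
    b'PK\x03\x04': 'zip',
    b'\x1f\x8b': 'gzip',
    b'7z\xbc\xaf\x27\x1c': '7z',
    b'Rar!\x1a\x07': 'rar',
}


def shannon_entropy(data):
    """Bits per byte; 0.0 for constant data, 8.0 for a perfectly even spread of byte values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify(data):
    """Return the format name for a recognised leading signature, else None."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def triage_file(data, threshold=7.8):
    """Signature first, entropy second: (verdict, format, entropy).

    Known formats are excluded before entropy is considered, because compressed
    archives are just as random-looking as an encrypted container. A signature-less,
    near-uniform file is only a candidate: it could also be wipe residue or a
    compressed stream with its header removed.
    """
    kind = identify(data)
    ent = shannon_entropy(data)
    if kind is not None:
        return ('known-format', kind, ent)
    if ent >= threshold:
        return ('candidate-container', None, ent)
    return ('unremarkable', None, ent)


def high_entropy_runs(image, chunk=4096, threshold=7.8):
    """Scan a raw image in fixed-size chunks; return [(start, end)] of consecutive random-looking chunks.

    The offsets are what you would then map back to MFT/inode records to name the
    file (or the unallocated region) that owns the random bytes.
    """
    runs, start = [], None
    for off in range(0, len(image), chunk):
        hot = shannon_entropy(image[off:off + chunk]) >= threshold
        if hot and start is None:
            start = off
        elif not hot and start is not None:
            runs.append((start, off))
            start = None
    if start is not None:
        runs.append((start, len(image)))
    return runs


def _pseudo_random(n, seed=20240101):
    """Deterministic stand-in for encrypted content (constructed; not cryptographic)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


RANDOM_BLOB = _pseudo_random(16384)
# Constructed "disk image": 8 KiB of zeros, 8 KiB of text, 16 KiB random, 8 KiB zeros.
SAMPLE_IMAGE = (bytes(8192)
                + (b'The quick brown fox jumps over the lazy dog. ' * 200)[:8192]
                + RANDOM_BLOB
                + bytes(8192))


if __name__ == '__main__':
    print('random-looking ranges:', high_entropy_runs(SAMPLE_IMAGE))
    print('blob:', triage_file(RANDOM_BLOB))
    print('zip-signed blob:', triage_file(b'PK\x03\x04' + RANDOM_BLOB))
```

On the sample image the scan returns a single run covering the random region, and the same random bytes are reported as a candidate container on their own but as a known format once a ZIP signature precedes them, which is the "exclude matches" step in practice.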
(@sydney34)
New Member
Joined: 12 years ago
Posts: 4
 

A very simple thing that springs to mind is that .zip files can be encrypted. A zip file is a file that is a compressed (and sometimes encrypted) version of other file/s. Try extracting the zip file in the file directory. If it asks you for a password, that might be the encryption he is talking about. Bit easier than going all forensic on his a-se. If it does, you can either guess the password, or you can google for software to crack zip passwords.


   
Page 2 / 3
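The password prompt sydney34 describes comes from a single bit in the ZIP headers: bit 0 of the general-purpose flag marks an entry as encrypted, and a compression-method value of 99 marks WinZip-style AES. As an added example (not the poster's code), the Python below reads that flag with the standard `zipfile` module, so an archive can be triaged without extracting it, and also reproduces the manual "try to extract it" test. The sample archives are constructed in memory by writing a plain ZIP and patching the flag and method fields, since `zipfile` itself cannot write encrypted entries.

```python
import io
import zipfile

ENCRYPTED_BIT = 0x0001   # general-purpose flag bit 0: entry is encrypted
AES_METHOD = 99          # compression-method value WinZip uses for AES-encrypted entries


def encrypted_entries(zip_bytes):
    """Return [(name, scheme)] for every entry whose encryption flag is set."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_BIT:
                scheme = 'aes' if info.compress_type == AES_METHOD else 'zipcrypto'
                found.append((info.filename, scheme))
    return found


def needs_password(zip_bytes):
    """The manual test from the post: try to read every entry without a password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                zf.read(info)
            except RuntimeError as err:   # zipfile raises this for an encrypted entry and no password
                if 'password' in str(err):
                    return True
                raise
    return False


def build_sample(scheme=None):
    """Constructed archive with one stored entry; scheme is None, 'zipcrypto' or 'aes'.

    Header layout used for patching (offsets from each signature):
      local file header  PK\\x03\\x04: flags at +6, method at +8
      central directory  PK\\x01\\x02: flags at +8, method at +10
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_STORED) as zf:
        zf.writestr('notes.txt', b'constructed sample content')
    data = bytearray(buf.getvalue())
    if scheme is not None:
        lfh = data.find(b'PK\x03\x04')
        cdh = data.find(b'PK\x01\x02')
        data[lfh + 6] |= ENCRYPTED_BIT
        data[cdh + 8] |= ENCRYPTED_BIT
        if scheme == 'aes':
            data[lfh + 8:lfh + 10] = AES_METHOD.to_bytes(2, 'little')
            data[cdh + 10:cdh + 12] = AES_METHOD.to_bytes(2, 'little')
    return bytes(data)


if __name__ == '__main__':
    for scheme in (None, 'zipcrypto', 'aes'):
        sample = build_sample(scheme)
        print(scheme, encrypted_entries(sample), needs_password(sample))
```

Reading the flag is preferable to attempting extraction on an evidence copy, and it also tells you which scheme is in use: legacy ZipCrypto and AES entries are handled very differently by recovery tooling.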