Finding hidden encrypted files  

Page 2 / 2
armstrong
(@armstrong)
New Member

Thanks!

Also, talked to him a little today and apparently the only program he used to hide the file was command prompt. Not sure if that means anything and not really sure how to use command prompt to find files but any insight would be appreciated

Posted : 28/06/2013 4:04 pm
minime2k9
(@minime2k9)
Active Member

Thanks!

Also, talked to him a little today and apparently the only program he used to hide the file was command prompt. Not sure if that means anything and not really sure how to use command prompt to find files but any insight would be appreciated

At a guess, that could mean he just made it an alternate data stream. Opening your hard disk in FTK Imager would probably show them up; not sure if there is an easy way to filter them, though.

Posted : 28/06/2013 4:16 pm
jaclaz
(@jaclaz)
Community Legend

Thanks!

Also, talked to him a little today and apparently the only program he used to hide the file was command prompt. Not sure if that means anything and not really sure how to use command prompt to find files but any insight would be appreciated

Maybe a DIR /x would help.
"Malforming" a file or directory name is/was a common way to hide things (in the sense that they are not easily shown in Explorer and in a "normal" DIR).
Using ALT+0255 or ALT+0160 is as old as DOS, if I recall correctly.
But it's not really-really hidden, it depends on the view chosen in Explorer and on how attentively you examine the DIR output.
Example:
http://www.msfn.org/board/topic/131103-win-ntbt-can-be-omitted/page__view__findpost__p__842843

But since you initially talked of "padding" it is also possible that he added the file at the end of another one.

jaclaz

Posted : 28/06/2013 4:49 pm
Belkasoft
(@belkasoft)
Active Member

Regardless of *how* the encrypted files were hidden, probably the best way would be running stochastic analysis on the entire disk content (at a low level). Any sectors on the disk containing some very random data should then be linked back to file system records. This will identify encrypted files pretty reliably. At least that's exactly what we're doing in our own tool, Belkasoft Evidence Center, to detect encrypted files.

Posted : 08/07/2013 4:09 pm
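
A per-file version of the checks suggested above, as an added example that is not part of any post in this thread or of any tool named in it: it walks a folder tree and flags names containing invisible characters (the malformed-name trick) and files holding blocks of near-random bytes (the entropy idea, applied per file rather than per disk sector). The 4096-byte window, the 7.5 bits-per-byte threshold and all function names are assumptions chosen for illustration.

```python
import math, os, sys, tempfile, unicodedata
from collections import Counter

BLOCK = 4096      # assumed window size (a common cluster size)
THRESHOLD = 7.5   # assumed cut-off in bits per byte; 8.0 is the maximum

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def random_blocks(data: bytes, block=BLOCK, threshold=THRESHOLD):
    """Offsets of full blocks whose entropy is at or above the threshold."""
    return [off for off in range(0, len(data) - block + 1, block)
            if shannon_entropy(data[off:off + block]) >= threshold]

def odd_name_chars(name: str):
    """Characters that show as blank or nothing in a directory listing."""
    hits = [f"U+{ord(ch):04X}" for ch in name
            if ch != " " and unicodedata.category(ch) in ("Zs", "Cc", "Cf")]
    if name != name.strip(" "):
        hits.append("leading/trailing space")
    return hits

def scan_tree(root: str):
    """Walk root; return (path, odd name characters, random block offsets)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            blocks = []
            if os.path.isfile(path):
                with open(path, "rb") as fh:  # whole-file read: small trees only
                    blocks = random_blocks(fh.read())
            odd = odd_name_chars(name)
            if odd or blocks:
                findings.append((path, odd, blocks))
    return findings

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:  # constructed sample: HTML text + 8 KiB random tail
        with open(os.path.join(root, "notes\u00a0.html"), "wb") as fh:
            fh.write(b"<p>padding.</p>\n" * 512 + os.urandom(8192))
    for path, odd, blocks in scan_tree(root):
        print(repr(path), odd, [hex(o) for o in blocks])
```

Compressed formats such as ZIP and JPEG also score close to 8 bits per byte, so a hit is a candidate to examine rather than proof of encryption. Alternate data streams are not enumerated by `os.walk` and need a separate check.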
Sydney34
(@sydney34)
New Member

A very simple thing that springs to mind is that .zip files can be encrypted. A zip file is a file that is a compressed (and sometimes encrypted) version of other file/s. Try extracting the zip file in the file directory. If it asks you for a password, that might be the encryption he is talking about. Bit easier than going all forensic on his a-se. If it does, you can either guess the password, or you can google for software to crack zip passwords.

Posted : 09/07/2013 1:55 pm
jaclaz
(@jaclaz)
Community Legend

A very simple thing that springs to mind is that .zip files can be encrypted. A zip file is a file that is a compressed (and sometimes encrypted) version of other file/s. Try extracting the zip file in the file directory. If it asks you for a password, that might be the encryption he is talking about. Bit easier than going all forensic on his a-se. If it does, you can either guess the password, or you can google for software to crack zip passwords.

Sure, but before attempting to decrypt a file, you have to find it, that is the actual first step, as the thread title states "Finding hidden encrypted files"…

jaclaz

Posted : 09/07/2013 3:48 pm
jhup
(@jhup)
Community Legend

Here is the worst part - there are only a few ways to state that there are no hidden files on a media.

Posted : 09/07/2013 5:42 pm
jaclaz
(@jaclaz)
Community Legend

Here is the worst part - there are only a few ways to state that there are no hidden files on a media.

Right, and here, specifically, there is not even a media 😯 (in the sense of specific hardware/filesystem/partition image, etc.), since the OP talked about:

He ended up giving me a couple of folders (so I stopped going on his computer chance I got) and it's somewhere inside them. Some folders contain more folders and there are different kinds of files within them including text files, pictures, a zipped folder, and html files. There's not really *that* much to go through so if you have a "do this thing to every file" method I'll probably use it, regardless of how tedious it is.

jaclaz

Posted : 09/07/2013 8:18 pm
JackyFox
(@jackyfox)
New Member

Have you tried the attrib command from the command prompt? You can make a file hidden and system so Explorer won't display it even if you have the folder options set to show hidden files:

>attrib filename.txt +h +s

Posted : 10/07/2013 1:42 am