Tuesday, December 15, 2009

Journey down bmap lane.

Bmap is quite the obscure tool. (reference) Not only is it difficult to find, but good luck with any documentation: the --help is all you've got! I was able to find the source at packetstormsecurity but had problems compiling. But we can fast-forward to the part where it is working.

Hiding ASCII in Slack

Let me walk through the example that everyone uses for bmap with the file test.gif:

> du -sch test.gif
16.0K total

> echo "redleatheryellowleather" | bmap --putslack test.gif
> du -sch test.gif
16.0K total

> echo "redleatheryellowleather" > text
> du -sch text
4.0K total

So, we can see here that you might expect the du command to show a change in file size due to the slack data, which it does not: du reports allocated blocks, and the slack lives inside the last block test.gif already owns, so the 16.0K figure never moves.

> bmap --slack test.gif
getting from block 2051
file was: 13166
slack size: 3218
block size: 4096
redleatheryellowleather

> bmap --slack --outfile sometext test.gif

The 'outfile' option dumps the contents into the file sometext.

> file sometext
sometext: ASCII text

> less sometext
redleatheryellowleather
(it actually gave me a binary file but contained the phrase I was looking for)

The md5 hash of test.gif before and after the slack space has been manipulated is exactly the same. However, the cp command does not copy slack, which I just happened to stumble upon but which was interesting nonetheless. Knowing this, I decided to delete the file with its slack space stuffed to see if magicrescue would restore the document with the slack intact. After the search, rescue and another cup of coffee, the results are in. The document was recovered but the slack space was empty. This result makes sense: magicrescue will carve out only the file contents. Which also leads me to believe that a file stored only in slack space will not be recovered by magicrescue as a lost document. Or will it?

Hiding Files in Slack

Hiding ASCII in slack space is similar to carving a file into slack space. Here's how I did it:

> bmap --carve ppt2.ppt | bmap --putslack test.gif

I am testing to see if magicrescue will find ppt2.ppt, thinking it is an unallocated file needing recovery. While working with magicrescue I have noticed that it only recovers data that needed to be recovered, meaning files that haven't been deleted don't appear in the results, and of course only data that matches the mask you throw at it. So, if something is stuffed in a file's slack space and the file is still considered allocated space, my assumption is that it will get overlooked. Well, that assumption was correct. Multiple scans of one partition with data stored in slack recovered nothing. It did recover one document that was purposefully deleted, yet the slack data was missing.
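Putting the two slack-stuffing experiments above (the echoed string, then the carved ppt) into code: this is an added example, not part of the original post and not bmap's source. It builds a small zero-filled block image in memory with 4096-byte blocks and a made-up block list for test.gif (the 13166-byte file size and the resulting 3218-byte slack are the values bmap printed above), writes first the echo string and then a constructed OLE2 header standing in for ppt2.ppt into the slack, and shows from the defender's side why md5sum and cp never notice (they only ever read the logical file) and what a slack scan of still-allocated files would have to look for (non-zero bytes, printable runs, known file headers), which is exactly the region magicrescue skips.

```python
"""Slack-space inspection on a constructed ext2-style block image.

Added example, not from the original post and not bmap's code.  Assumed:
4096-byte blocks, a zero-filled image, and a made-up block list for
test.gif.  FILE_SIZE (13166) and BLOCK_SIZE (4096) are bmap's own numbers.
"""
import hashlib
import re

BLOCK_SIZE = 4096
FILE_SIZE = 13166            # "file was: 13166" in the bmap output
FILE_BLOCKS = [2, 3, 4, 5]   # constructed; bmap reported block 2051 on the real disk

# What a reviewer looks for inside slack: printable runs and known file headers
# (an old .ppt starts with the OLE2 compound-document magic).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document (.ppt/.doc/.xls)",
    b"GIF8": "GIF image",
    b"%PDF": "PDF document",
}


def slack_size(file_size: int, block_size: int = BLOCK_SIZE) -> int:
    """Bytes left in the last block after the logical end of file (0 on a block boundary)."""
    rem = file_size % block_size
    return 0 if rem == 0 else block_size - rem


def logical_contents(image: bytes, blocks, file_size: int, block_size: int = BLOCK_SIZE) -> bytes:
    """What cp, md5sum and du see: the allocated blocks, truncated to file_size."""
    data = b"".join(image[b * block_size:(b + 1) * block_size] for b in blocks)
    return data[:file_size]


def read_slack(image: bytes, blocks, file_size: int, block_size: int = BLOCK_SIZE) -> bytes:
    """The tail of the last block beyond file_size: the region `bmap --slack` prints."""
    size = slack_size(file_size, block_size)
    if size == 0:
        return b""
    start = blocks[-1] * block_size + (block_size - size)
    return image[start:start + size]


def put_slack(image: bytearray, blocks, file_size: int, payload: bytes, block_size: int = BLOCK_SIZE) -> None:
    """Write payload into the slack region (what `bmap --putslack` does); refuse if it does not fit."""
    size = slack_size(file_size, block_size)
    if len(payload) > size:
        raise ValueError(f"payload of {len(payload)} bytes exceeds {size} bytes of slack")
    start = blocks[-1] * block_size + (block_size - size)
    image[start:start + len(payload)] = payload


def inspect_slack(slack: bytes) -> dict:
    """Detection view of one file's slack: how much non-zero data is there and what it looks like."""
    return {
        "slack_bytes": len(slack),
        "nonzero_bytes": sum(1 for b in slack if b),
        "strings": [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(slack)],
        "signatures": [name for magic, name in SIGNATURES.items() if magic in slack],
    }


def build_image(total_blocks: int = 8, block_size: int = BLOCK_SIZE) -> bytearray:
    """Constructed zero-filled image holding one allocated 13166-byte 'gif' in FILE_BLOCKS."""
    image = bytearray(total_blocks * block_size)
    body = b"GIF89a" + bytes((i * 7) % 256 for i in range(FILE_SIZE - 6))
    for i, blk in enumerate(FILE_BLOCKS):
        chunk = body[i * block_size:(i + 1) * block_size]
        image[blk * block_size:blk * block_size + len(chunk)] = chunk
    return image


def demo() -> dict:
    """Replay both experiments and report what the logical file and the slack look like."""
    image = build_image()
    before = hashlib.md5(logical_contents(image, FILE_BLOCKS, FILE_SIZE)).hexdigest()

    # 1. echo "redleatheryellowleather" | bmap --putslack test.gif  (echo appends a newline)
    put_slack(image, FILE_BLOCKS, FILE_SIZE, b"redleatheryellowleather\n")
    text_report = inspect_slack(read_slack(image, FILE_BLOCKS, FILE_SIZE))

    # 2. bmap --carve ppt2.ppt | bmap --putslack test.gif  (a constructed OLE2 header stands in for the ppt)
    fake_ppt = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504
    put_slack(image, FILE_BLOCKS, FILE_SIZE, fake_ppt)
    file_report = inspect_slack(read_slack(image, FILE_BLOCKS, FILE_SIZE))

    after = hashlib.md5(logical_contents(image, FILE_BLOCKS, FILE_SIZE)).hexdigest()
    return {"md5_unchanged": before == after, "text": text_report, "file": file_report}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of `logical_contents` is the one the post stumbled on: every ordinary tool stops at `file_size`, so the md5 stays equal and a cp drops the slack, while `inspect_slack` has to be pointed at the block tail explicitly. On a real ext2/ext3 volume the block list would come from the inode (bmap prints it as "getting from block ..."), not from a constant.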

Other tools?

I haven't found any other tools that detect slack space contents, in a limited amount of searching. Sleuthkit had the ability to search through slack space, but in recent revisions of the app ils this feature was removed (reference), which makes this method of hiding information very tough to detect. I would rank this method of hiding data right up there with alternate data streams in terms of quick and dirty. Now, if anyone really wanted to hide something, one could couple these methods with encrypted filesystems... but that's a topic for another time.

Concluding Remarks

I feel as though I haven't even begun to scratch the surface with forensics, and at the same time I really learned a lot. My goal for this course was basically to broaden my overall understanding of forensic analysis. That was accomplished. The two books proved to be perfect stepping stones to get started. They focused mainly on case studies in forensic analysis and business aspects. The details of inspections and analysis were also discussed, which led me down other avenues to research.

What I really liked about this course was the fact that I got to wear both the white and the black hat, answering questions like: How do you hide information? How do you hide information on different file systems? Now that it's hidden, how would you attempt to detect/find it? What tools are used?

It wasn't until researching these topics that I found out about HPA space on hard disks, ext2 and ext3 slack space stuffing, and NTFS alternate data streams. These three areas are where I spent most of my time, which led to work with Sleuthkit, TCT, magicrescue, recuva, bmap and netcat. Each of these tools was fun to learn and essential for proper analysis.

This class piqued my interest again in studying forensics and security. Next semester I am going to be taking a course on the mathematics of encryption, which sounds very cool! I'm hoping to pair up forensics and encryption to see if anything looks promising for a research topic.

Friday, December 11, 2009

Fun with ADS

I'm surprised how easy it is to hide data via alternate data streams (ADS) in Windows. It's a quick and dirty way of hiding information. However, you must know the exact file name in order to view the contents of the hidden document. It's kind of like the Room of Requirement in Hogwarts. If you don't know where it is, you can't get to it. Although, ADS data won't just reveal itself if you really need it, like the room will... did I go too far with the Harry Potter reference? Anyways, in order to test ADS, I decided to test out Identity Finder. Identity Finder is the application that ensures each workstation does not house any FERPA protected data. So, I would assume, that this application would be aware of alternate data streams or would simply detect something in an ADS file.

The Setup

I created two text files; one with the contents "Hello World!", the other containing "ssn: 333-44-5555." Identity Finder will flag any file with a social security number or a credit card number or anything close. I probably didn't even need to put the fake ssn in that format, as Identity Finder will flag any file with a 9-digit number in it. Nonetheless, I did, and the file should be flagged.

Now, to ADS-ing a document. From the command line I ran:

> type ads_data.txt > doc1.txt:a.txt

Voila! That's it! An ADS file has been created. Again, while in a shell, if you run 'notepad doc1.txt', you will see "Hello World!" However, if you run 'notepad doc1.txt:a.txt' you will see the contents of the ADS file. The neat thing is that the containing folder only contains one document, that being the doc1.txt file. The alternate data stream is not visible at all. Pretty cool stuff, huh? Well, I thought it was! Okay, so ADS hiding is more like using the invisibility cloak than the Room of Requirement. And that will be my last Harry Potter reference.

Identity Finder Scan

So, now it's time to scan my machine to see if Identity Finder would locate the ADS file. I separated the ads_data.txt and doc1.txt files into different folders just for safe keeping. The scan completed in approximately 2 hours. The end result is, insert drum roll here, Alternate Data Stream wins! Identity Finder flagged the ads_data.txt file, but did not catch the doc1.txt:a.txt file. I expected it to find something in doc1.txt. I thought Identity Finder would run a more thorough scan, but apparently it does not.

So, what's next?

I'm going to see if I can get bmap running and try to do some slack space packing. (I've got a copy of the BCCD, since I can't get it compiled on my own.)

References

http://www.windowsecurity.com/articles/Alternate_Data_Streams.html
http://support.microsoft.com/kb/105763
http://www.informit.com/articles/article.aspx?p=413685&seqNum=3
http://www.linuxsecurity.com/content/view/117638/49/