Here's the setup. I created a partition and placed a Microsoft Office-created Word document in that partition. I then deleted the document and designated the partition as HPA space. Well, magicrescue doesn't care about HPA space, as it was able to recover the deleted file, which makes me wonder why this is so easy to find. Also, what are other ways to hide data? That brought me to these articles on ext2 and ext3 slack space and NTFS Alternate Data Streams (ADS). Of course, I can only find bmap on packetstormsecurity.com, yet I can't get it compiled correctly (sgml2latex error... and you want to be my LaTeX salesman?). What I really want to do is hide data with bmap and see if magicrescue can find it. Also, I would like to hide a file via ADS and see if Identity Finder can locate it on my work computer. Just hoping some things go correctly for me here in the next week and a half. I've had enough of Identity Finder breaking and Symantec Endpoint Protection bombing, thus removing my network drivers. But, I digress....
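To illustrate why the deleted document was so easy to recover, here is an added example (not from the post, and not magicrescue's code) that builds a toy "partition" with a directory table and raw sectors, then runs a byte-level magic-number scan over the raw bytes, the same idea a signature carver relies on. The `ToyDisk` class, its `delete`/`shred` methods, the sector layout and the file payloads are all constructed for the example; only the two file signatures are real, publicly known values. Deleting just edits the table, so the carver still finds the file; overwriting the sectors is what actually removes it.

```python
from dataclasses import dataclass, field

SECTOR = 512

# Well-known file signatures ("magic numbers") a carver looks for.
SIGNATURES = {
    "doc (OLE2 compound file)": bytes.fromhex("D0CF11E0A1B11AE1"),
    "docx (ZIP container)": b"PK\x03\x04",
}


@dataclass
class ToyDisk:
    """Constructed stand-in for a partition: a directory table plus raw sectors.
    Deleting an entry only edits the table; the sectors keep their bytes."""
    sectors: int = 64
    table: dict = field(default_factory=dict)   # name -> (first_sector, length, allocated)
    data: bytearray = field(init=False)

    def __post_init__(self):
        self.data = bytearray(self.sectors * SECTOR)

    def write(self, name, first_sector, payload):
        off = first_sector * SECTOR
        self.data[off:off + len(payload)] = payload
        self.table[name] = (first_sector, len(payload), True)

    def delete(self, name):
        """Ordinary delete: mark the entry unallocated, leave the data untouched."""
        first, length, _ = self.table[name]
        self.table[name] = (first, length, False)

    def shred(self, name):
        """Overwrite the file's sectors with zeros before dropping the entry."""
        first, length, _ = self.table.pop(name)
        off = first * SECTOR
        self.data[off:off + length] = bytes(length)


def carve(raw):
    """Byte-level signature scan over the raw image; never consults the table."""
    hits = []
    for label, magic in SIGNATURES.items():
        pos = raw.find(magic)
        while pos != -1:
            hits.append((pos, label))
            pos = raw.find(magic, pos + 1)
    return sorted(hits)


def demo():
    disk = ToyDisk()
    # Constructed payloads: real magic bytes followed by filler standing in for content.
    doc = SIGNATURES["doc (OLE2 compound file)"] + b"\x00" * 100 + b"report body text"
    docx = SIGNATURES["docx (ZIP container)"] + b"\x00" * 30 + b"[Content_Types].xml"
    disk.write("report.doc", 3, doc)
    disk.write("notes.docx", 10, docx)
    results = {"before": carve(bytes(disk.data))}
    disk.delete("report.doc")          # file "gone" from the table, bytes still at sector 3
    results["after_delete"] = carve(bytes(disk.data))
    disk.shred("notes.docx")           # sectors overwritten, signature no longer present
    results["after_shred"] = carve(bytes(disk.data))
    return results


if __name__ == "__main__":
    for stage, hits in demo().items():
        print(f"{stage:>12}: {hits}")
```

The scan checks every byte offset, so hiding the data outside any partition table or in an HPA makes no difference as long as the tool reads the raw device; only overwriting (or encrypting before writing) changes what the carver sees.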
Anyways, this is what I've been attempting to work on. Below are links to other articles I've been reading when I have had a chance. I've been busy with some other forensic-esque work at work lately. Anyone else find that Canadians like to try and hack PHP servers? I have a simple chat forum running for an event in our office that has been sluggish, to say the least. I attributed it to updates, but that wasn't the case. The error and access logs showed systematic attempts to find administrator login pages, thousands of them in a short period of time. After blocking those individuals, I'm still trying to figure out why it's slow. To be continued, I guess.
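The log review described above, as an added example (not from the post): a small scanner over Apache combined-format access log lines that flags source addresses making many requests for administrator-style paths inside a short window. The log lines, the addresses, the timestamps, the `ADMIN_HINTS` path fragments, and the window/threshold values are all constructed for the example and should be tuned to the site being protected.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in Apache combined format (documentation-range IPs, made-up times).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2009:10:01:03 -0500] "GET /admin/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Nov/2009:10:01:03 -0500] "GET /administrator/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Nov/2009:10:01:04 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Nov/2009:10:01:04 -0500] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Nov/2009:10:01:05 -0500] "GET /login.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Nov/2009:10:02:10 -0500] "GET /chat/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2009:10:02:15 -0500] "POST /chat/post.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Path fragments that only an administrator (or a scanner) should be requesting on this site.
ADMIN_HINTS = ("admin", "login", "phpmyadmin", "wp-login")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_admin_probe(entry):
    path = entry["path"].lower()
    return any(hint in path for hint in ADMIN_HINTS)


def find_scanners(lines, window=timedelta(seconds=60), threshold=5):
    """Map ip -> peak number of admin-path probes within any `window`,
    for addresses whose peak reaches `threshold`."""
    probes = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and is_admin_probe(entry):
            probes[entry["ip"]].append(entry["ts"])

    flagged = {}
    for ip, times in probes.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, peak in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} admin-path probes within one window")
```

Run against the real access log (`find_scanners(open("access.log"))`), the output is the list of addresses worth blocking or rate-limiting; counting the 404 responses per address separately would also separate probing from a legitimate admin who simply mistyped a URL.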
Articles:
http://www.linuxsecurity.com/content/view/117638/49/
http://blog.crowdway.com/2009/04/15/hide-data-in-hidden-partitions/
http://www.docstoc.com/docs/13637545/Data-hiding-and-finding-on-Linux
http://www.wikistc.org/wiki/Slack_space_data
http://books.google.com/books?id=nEqHuVht7HgC&pg=PA92&lpg=PA92&dq=linux+hide+data+in+slack+space&source=bl&ots=bLewREp97f&sig=ejFTtjwomuaIYNXBOWnL0MYyZRA&hl=en&ei=_D30SryVPInENpmz_OgF&sa=X&oi=book_result&ct=result&resnum=5&ved=0CBQQ6AEwBA#v=onepage&q=&f=false