Beruflich Dokumente
Kultur Dokumente
Hiding Technique
Overview
z History
NO!!
Rootkits hide data on a live system
z
z Hiding from forensic/offline analysis is much
harder
z
z
z
z
z
z
z Hiding
Layer
z Definition:
z The
z Sectors
slacker.exe
marked as bad
z Host Protected Area
z Definition:
z The
File Streams
z File-System Journal Logs
z Reserved but unallocated sectors
Definition:
Hiding in a higher-level format specification
z
z Often a subset of In-Band Data Hiding viewed at
a different level of granularity
z
z
Examples:
Steganography (hiding data within data)
z
z Hidden text within documents
z
z
z
z
z
z
z Forensic
File Streams
z
z Slack space at the end of files
zA
z Experienced
Out-of-Band Analysis
z
Strengths
Being outside the boundaries usually results in
being overlooked
z
z There is often a large amount of space available
z
z Hard to discover without special tools
z
z Resilient
z
z
Weaknesses
Hard to access without special tools
z
z Hard to hide from plain-sight analysis of the outof-band area
z
z
In-Band Analysis
z Coloring
z Strengths
z Usually
devious?
z Weaknesses
z Storage
Strengths
Hiding in plain sight
z
z Often hard to detect
z
z
Weaknesses
Storage quantity varies with the size of underlying
data, but must be relatively small to remain
hidden
z
z Difficult to access without special tools
z
z Complex algorithms to hide/retrieve data
z
z Not resilient
z
z
EnCase Slacker.exe
Determine constraints
z
z
z
z
z
z
An NTFS Overview
z Standard
table
z Stores all file system metadata in one
place
z Can grow, but not shrink
z Not well documented or understood
MFT Entries
z
z
z
MFT Attributes
z
z
z
z
$STANDARD_INFORMATION
z
z
z
z
$FILE_NAME
z
z
z
z
z
z
z
z
z
z
z
z
Name
Name by
by which
which an
an entry
entry is
is known,
known, size,
size, and
and create/rename
create/rename
timestamp
timestamp
z
z
Stores
Stores timestamps,
timestamps, owner
owner ID,
ID, security
security ID,
ID, etc
etc
MFT Entry
z
z
z
z
z
z
22 bytes
bytes reserved
reserved in
in every
every entry
entry header
header
44 byte
byte reserved
reserved in
in resident
resident attributes
attributes
Up
Up to
to 14
14 bytes
bytes are
are reserved
reserved in
in non-resident
non-resident attributes
attributes
All
All attributes
attributes are
are 88 bytes
bytes aligned
aligned
Usage Concerns
z
Common concerns
z
z
z
z
z
z
z
z
z
z
z
z
Reserved Space
Attributes shrink due to going from resident to nonresident, but cant go back to being resident
z
z All directories start as resident and go to non-resident,
but cant go back to being resident
z
z Attributes can be removed
z
z
Avoiding Pitfalls
z
z
z
z
z
z
z
z
z
z
z
z
z
z
Non-resident
Have never been modified
Old
z Base
Additional Issues
Chunking
z
z
Additional Issues
Encryption
z
z
z
z
z
z
z
z
z
z
XOR
Blowfish
LRW-AES (Narrow-block Encryption)
Self-Authenticating encryption is best
Additional Issues
Change Tracking/Redundancy
z What
extra copies
z How
z Do
Additional Issues
Usability
z How
z Reading
FragFS
On-Disk Implementation
z
Format
z
z
z
z
z
z
FragFS
On-Disk Implementation
z Advantages
z Unlimited
redundancy
z Modification detection
z Localization of data corruption
z Easy to relocate or replicate individual
chunks of data
z Disadvantages
z Must
FragFS
In-Memory Implementation
z
Encase - FragFS
Detection Demonstration
Future Considerations
z Hiding
z Should
z Forensic
data
z File systems will be easier to exploit
Q&A
Contributors
z
The Grugq
z
z
z
z
Brian Carrier
z
z
z
z
Sam Stover
z
z
z
z
Fred Jacobs
z
z
z
z
Matt Hartley
z
z
Contact Information
Irby Thompson
lantholin (at) gmail.com
Mathew Monroe
mathew.monroe (at) gmail.com