Posted by RS-232C (Winforums Admin), 11-03-2002, 10:41 AM
How To: Hiding Your Data

Hi, I'm going to be covering some different things here: techniques for hiding your data, recommended forensic proggies, and other related info.

When it comes to hiding information..the old method of "attrib +h" isn't going to cut it for hiding data in situations where other people have access to your box..and are even a little DOS savvy..a simple: dir /ah /s | more <-- would recursively search for any file with the +h attribute set..this obviously isn't secure..hehe.

First thing I wanna start off with is a method you can use to store information/small programs on the HDD without it showing up in the filesystem. You can use a HexEditor (which is what I'll do) and manually modify the sector information.

**Important Points** -- as for the HexEditor..the best one for Windows IMO is HexWorkShop..and you can download this program from www.bpsoft.com for your OS (you can use your OS of choice for this)..it's also the one I'll be using for this example. Now, if you are going to use a HexEditor under DOS..there is one called diskedit.exe from Norton..great proggy btw..you can download it from:
http://asgard.kent.edu/smallsys/Norton/diskedit.exe <-- Main EXE
http://asgard.kent.edu/smallsys/Norton/diskedit.hlp <-- Help
http://asgard.kent.edu/smallsys/Norton/nlib100.rtl <-- you need the *.rtl file for sure along with the *.exe..if you wanna get the *.hlp..it's optional.

When using diskedit.exe in a DOS environment you gotta make sure the program "lock" isn't on..this program is internal to command.com..and is seen most under Windows 9X..what it basically does is it locks out direct Read/Write access through INT (Interrupt) 25 (Read) / 26 (Write)...if this is on it makes it a real bugger to edit sectors directly hehe..and as soon as you go to write changes..DOS will barf..to turn this off you type: unlock C: <-- that would unlock C:, then you can open up Norton again and go ahead with the write process.
Okay..so for hiding your data..on almost ALL (modern) hard drives **some will not have these free sectors, or not as many, because of things like DDOs (Dynamic Drive Overlays)..boot manager apps that use up more of these sectors for their own use after the MBR..or programs like MaxBlast that can remove the 63 sector offset**.

So with the program HexWorkShop..open it up..go under "Disk" ==> "Open Drive"..then select "Physical Disk 0"..if you just wanna look around check "Read Only" so you won't accidentally modify something. So now that it's open..you'll see the MBR (Master Boot Record) Location: Cylinder 0, Side 0, Sector 0 (shown at the top in the program)..skip that and go to sector 1 (using the arrows)..now *most* of the time..between sector 1 - 62 it will be blank..so: 512 x 62 = 31744..you're looking at just a little over 30KB to play with.

Now for storing your info..say you have a password..you can encrypt that password..and leave it on the drive..but it can be found..then brute forced..this way it doesn't show up in the filesystem..because where you are putting the info..the filesystem hasn't even started yet (sector wise)..so to store a password say..you can take a password like "foobar"..encrypt it..MD5 it..whatever ya want..then store that MD5 string by pasting it on the right hand side in HexWorkShop..and you should see it show up..then just hit "Save" from the "File" menu..the great thing about this is..even if you format..it's still going to be there..so you can always access your hidden data..now obviously this isn't 100% foolproof..but it does a good job of hiding data from people who are just going to check the #1 place..which is through your files..that *are* showing up..under cmd.exe/command.com/explorer.exe.
A couple of things to point out..now if you had a LLF proggy that zeroed *everything*, well then your data stored there would be gone. This can be used for legit purposes..however this area..generally 30KB worth of free storage to put whatever ya want..is used a lot for storing virus code..virii writers make MBR viruses..and then if the code is too big..can call it outta these free sectors..which is lame..but the truth. Here is a pic of my HexWorkShop..I just quickly wrote some stuff in Sector 1..and saved it..



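The flip side of the trick above is checking whether anything is sitting in those sectors. The following is an added example, not code from the original post or from any tool it names: it takes the first 63 sectors of a drive as a raw byte image (the constructed sample image, the sector layout and all function names are assumptions of this example) and reports every non-zero sector in the gap between the MBR and sector 63, with a rough label for what the payload looks like. Non-zero content is not proof of anything: boot managers and DDOs legitimately use this area, as the post notes, so the report is a starting point for review, not a verdict.

```python
"""Added example: forensic scan of the unused sectors between the MBR
(sector 0) and the first partition (classic 63-sector offset).

Feed it the first 63 sectors of a drive as bytes, read with read-only
access (e.g. the first 32256 bytes of \\\\.\\PhysicalDrive0 on Windows
or /dev/sda on Linux). The sample image below is constructed for the demo.
"""
import hashlib
import math
import string

SECTOR = 512
GAP_SECTORS = 63                      # sector 0 is the MBR, 1..62 the gap
PRINTABLE = set(string.printable.encode())
HEXDIGITS = set(b"0123456789abcdefABCDEF")


def _entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(payload: bytes) -> str:
    """Rough label for a non-empty sector payload."""
    if len(payload) in (32, 40, 64) and all(b in HEXDIGITS for b in payload):
        return "hex-digest"           # looks like an MD5/SHA-1/SHA-256 hex string
    if all(b in PRINTABLE for b in payload):
        return "text"
    if len(payload) >= 64 and _entropy(payload) > 7.0:
        return "high-entropy"         # encrypted or compressed blob, not code/text
    return "binary"                   # boot code, structures, partial data


def scan_mbr_gap(image: bytes, gap_sectors: int = GAP_SECTORS) -> dict:
    """Report which gap sectors are non-zero and what they appear to hold.

    Returns {"mbr_signature_ok": bool, "sectors": [entry, ...]} where each
    entry has the sector number, byte offset, payload size, label and a
    16-byte preview. Zero padding around the payload is trimmed so the
    entropy reflects the stored bytes rather than the empty sector.
    """
    if len(image) < gap_sectors * SECTOR:
        raise ValueError("image is shorter than the MBR gap being scanned")
    report = {"mbr_signature_ok": image[510:512] == b"\x55\xaa", "sectors": []}
    for n in range(1, gap_sectors):
        sec = image[n * SECTOR:(n + 1) * SECTOR]
        if not any(sec):
            continue                  # all zero: nothing stored here
        first = next(i for i, b in enumerate(sec) if b)
        last = len(sec) - next(i for i, b in enumerate(reversed(sec)) if b)
        payload = sec[first:last]
        report["sectors"].append({
            "sector": n,
            "offset": n * SECTOR + first,
            "size": len(payload),
            "kind": classify(payload),
            "preview": payload[:16].decode("latin-1"),
        })
    return report


def build_sample_image() -> bytes:
    """Constructed demo image: empty MBR with a valid 55AA signature, a short
    note in sector 1, the MD5 of 'foobar' as hex in sector 5 (the post's own
    suggestion), and a full sector of deterministic pseudo-random bytes in 7."""
    img = bytearray(GAP_SECTORS * SECTOR)
    img[510:512] = b"\x55\xaa"
    img[1 * SECTOR:1 * SECTOR + 16] = b"Hope You Enjoyed"
    img[5 * SECTOR:5 * SECTOR + 32] = hashlib.md5(b"foobar").hexdigest().encode()
    blob = b""
    while len(blob) < SECTOR:         # sha256 chain as a repeatable random filler
        blob += hashlib.sha256(blob or b"seed").digest()
    img[7 * SECTOR:8 * SECTOR] = blob[:SECTOR]
    return bytes(img)


if __name__ == "__main__":
    result = scan_mbr_gap(build_sample_image())
    print("MBR signature ok:", result["mbr_signature_ok"])
    for hit in result["sectors"]:
        print(f"sector {hit['sector']:2d} @ {hit['offset']:6d}: "
              f"{hit['size']:3d} bytes {hit['kind']:12s} {hit['preview']!r}")
```

Run it against a real image and look at the labels: a boot manager shows up as "binary" spanning many consecutive sectors from sector 1, while a lone "text" or "hex-digest" sector, or a "high-entropy" one with no partition-boot code around it, is what a stashed note or an encrypted blob looks like.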
What I do recommend, if you're storing passwords in it, is that you don't just stick them in plaintext..at least encrypt it first..or run an MD5 on it..and then paste the hash in the sector..so if anyone DOES find it..it's not going to be "Oh Look!..The Login and Pass"..hehe. You can also do this for floppies/zip disks..right after the bootsector..you usually have a couple of sectors to play with..not always though.

This next method works with NT 3.1/3.51/4.0/5.0 (Windows 2K)/5.1 (Windows XP): a thing called "ADS" or Alternate Data Streams, which with NTFS allows you to basically have hidden data streams linked to a file or directory..why should you care? Well, this can actually be used for legit purposes for storing information about files..for example, if you had a graphic named pic.jpg on the HDD..you could store a thumbnail of it in the ADS..and it won't show up in explorer.exe or in cmd.exe/command.com..which brings to mind other uses for this hidden stream: using ADSs to do a DoS attack, basically making a small app to write garbage and fill up the disk, or storing virus code..which right now..has already been used by a virus to store part of its code in the ADS..at this point in time, I haven't seen any AV programs that will scan the ADSs for rogue code, but if more and more virii start expl0iting this..it could soon be built into the engine of the AV app..to search there too.
One of the ADS aware apps is notepad.exe..good ol' little notepad hehe. Now remember a couple of things here..this only works on NTFS formatted drives, and also..if you have a file say foobar.txt..with like a 10MB alternate data stream associated to it that's hidden..and you copy that file to a FAT12/FAT16/FAT32 formatted drive..that ADS isn't going to get carried over..since those filesystems have no clue about that..that's just like with NT's "Native Property Sets" (right click a file on an NTFS partition..go to "Summary"..all that stuff you can fill in about a file)..but as soon as you copy the file to a FAT filesystem it's not there. Anyway, I'll quit rambling. Here is a simple example of an Alternate Data Stream:



If you don't know for sure if the drive you wanna do this on is NTFS or not and you wanna quickly check in the DOS box..type:
==> chkdsk | find "NTFS" <-- if you get "The type of the file system is NTFS." you're good to go.

Now as for a program to search for all streams on the drive..a good program is: http://www.sysinternals.com/files/streams.zip <--- Well that's about it for streams.

Some other methods include Steganography, where you take a file..and use either the empty space in the file or the redundant information in the file to store your program inside another file..Stego programs have got a lot better..you can encrypt the data first..then implant it in the file..so it won't be obvious there is another file inside of it..you can check out a list of Stego programs at: http://members.tripod.com/steganogra.../software.html <---

Forensic Analysis blends into all this stuff..there are some real cool programs for analyzing information..to name some: SafeBack, Anadisk, CopyQM, TeleDisk, PDBlock (Write Blocker), Encase..I won't explain each of these..but they are forensic type apps that can do some really nice things for professionals who do this for a living or just people who wanna learn about this stuff..the program "AnaDisk" for example..is nice, it's a forensic type of floppy analyzer that can do a lot of low level stuff..I really like the FAT12 FAT chain trace...you can view all the clusters and it will show what program on the floppy is associated with those (that) cluster..(diskedit.exe can also do this btw)...last but not least..if you wanna pick up a good book on forensic type applications..I highly recommend: "Incident Response -- Investigating Computer Crime"..well that's about it.

486F 7065 2059 6F75 2045 6E6A 6F79 6564