November 26th, 2003, 08:43 PM
Basic Data Hiding Tutorial
Basic Data Hiding
This is a basic data hiding tutorial. It covers the different ways that people try to hide data, which of those ways are actually effective, and how to recognize each of them. Some of the things discussed in this tutorial may seem like common sense, but individuals have varying degrees of technical knowledge and may employ any of these techniques. The best bet is just to be armed with knowledge.
Why do people hide data?
People hide data for a few reasons. One reason for hiding data is to protect it from compromise or disclosure. If you have important business information, like a design for a new business system, that information should be protected from disclosure. Another reason people hide data is because they don't want anyone to see it except for them. An example of this would be someone hiding illegal, sexually explicit photographs on their computer. Yet another reason people hide data is for covert communication. Hiding data for covert communication can be very effective if someone is not expecting you to communicate in that way. Another reason someone may not want you to see data is because it contains a virus or Trojan. The better this type of malicious code can hide itself, the less chance it has of being detected.
One of the first ways of hiding information was around long before the days of computers: make something mean something else, basically a covert code. This could be something like shifting every letter in the alphabet 3 characters to the right, or an agreed-upon code where, for example, "Meet me at the bar at 10pm" actually means "Meet me by the river at 9pm." This is only semi-effective, because the message is still out in the open for anyone to interpret and break.
OFF THE SYSTEM
Another way that people have found to hide data is to not have it on their computers at all, using some kind of offline or offsite storage. Hiding documents in a Hotmail account is one example. There are other places people can stash data, like file servers and, yes, even HP printers: high-end HP printers have internal storage that can be written to over the network. Also, if someone exploits someone else's computer they can hide their data on that machine. This technique has varying degrees of effectiveness, depending on the method used. If you are doing a forensic investigation on someone, with law enforcement, you should contact their ISP and web mail providers to gather more information. It is easy to find out someone's Hotmail account name; it is not so easy to find out which machines they have exploited and stored data on. That is why someone doing an investigation has to be on the lookout for just about anything. Along these lines is offline storage like CDs, backup tapes, floppy disks, zip disks, etc. These are easy to identify but will probably be physically hidden.
An extremely basic way of hiding data on a system is just to change the name of the file. I know this might sound weak, but think about it. If you are searching through the contents of your system32 directory and you see nc.exe, and you didn't put Netcat on your computer, a red flag should definitely go up. Now if you are snooping around your system32 directory and you come across a file named msmsgdir.exe, you may not think much of it. This is an extremely basic way to hide data, but with today's drives being many gigabytes in size and holding thousands of files, it can actually aid in hiding data.
Another basic way of trying to hide information is to mark it hidden. This can be done in Windows by right-clicking on an item going to properties and selecting hidden. This can also be done at the command prompt by specifying the file with a +h using the attrib command like this:
attrib +h file.txt
In the Linux world, from the command prompt you just put a "." in front of the file or directory name. Of course on both operating systems this is undone easily by telling the operating system to show hidden files: in Windows, Folder Options lets you view hidden files; in DOS do a dir /a and in Linux do an ls -a. This is another very minimally effective data hiding technique.
Changing the extension of a file in a Windows environment will often cause the icon to change, to that of whatever program is associated with the new extension. Windows picks the program for a file based on the extension only, not on what the file actually is. This provides only very minimal protection as well. What would you think if you were looking through the files on a computer and saw a file with a .jpg extension that was 700 MB? Forensic programs such as EnCase compare each file's header bytes against its extension and report the mismatches. A mismatch is a red flag that someone is trying to hide data. A lot of people investigating computers also use image viewers that open many different file types; these programs index files and let you view all of a certain type at once, so a renamed picture still shows up as a picture. As you can see this is not an extremely effective way of hiding data.
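The renamed-file and changed-extension tricks above are both caught by the same check: compare the first bytes of each file against what its extension claims. The following script is an added example written for this tutorial, not code from the original post or from EnCase; its signature table is a deliberately short, assumed subset (a real tool would use libmagic or a full signature database), and the sample files it scans are constructed in a temporary directory.

```python
"""Flag files whose contents do not match their extension.

Added example for this tutorial, not a tool from the original post. It
mirrors the file-signature analysis that forensic suites perform, using
a small hand-picked table of magic bytes (assumed; not complete).
"""
import os
import tempfile

# Magic bytes at offset 0 -> the extensions that legitimately carry them.
# Abbreviated/assumed table for the demo only.
SIGNATURES = {
    b"MZ": {".exe", ".dll", ".sys", ".scr"},
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".jar"},
    b"%PDF": {".pdf"},
    b"GIF8": {".gif"},
}


def identify(header: bytes):
    """Return the matching signature (or None) for the first bytes of a file."""
    for magic in sorted(SIGNATURES, key=len, reverse=True):  # longest match first
        if header.startswith(magic):
            return magic
    return None


def check_file(path: str):
    """Return (path, extension, detected_magic, mismatch_flag) for one file."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    ext = os.path.splitext(path)[1].lower()
    magic = identify(header)
    if magic is None:
        return (path, ext, None, False)  # unknown type: nothing to compare against
    return (path, ext, magic, ext not in SIGNATURES[magic])


def scan(root: str):
    """Walk a directory tree and return only the files whose signature disagrees."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rec = check_file(os.path.join(dirpath, name))
            if rec[3]:
                hits.append(rec)
    return hits


def demo():
    """Constructed sample: a genuine JPEG, a text file and an executable renamed to .jpg."""
    tmp = tempfile.mkdtemp()
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # real JPEG header
        "notes.txt": b"just some text\n",                    # unknown type, ignored
        "family.jpg": b"MZ\x90\x00" + b"\x00" * 60,          # e.g. nc.exe renamed to .jpg
    }
    for name, body in samples.items():
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(body)
    return scan(tmp)


if __name__ == "__main__":
    for path, ext, magic, _ in demo():
        print(f"MISMATCH: {path} has extension {ext} but starts with {magic!r}")
```

Run as a script it reports only family.jpg. The same logic, pointed at an evidence copy rather than the live system, is what turns "a 700 MB .jpg" from a hunch into a listed finding.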
One of the reasons you should never directly inspect a machine is because it may have been compromised and you will not see all of the data you are looking for. This can be done with a rootkit. A rootkit replaces certain system files, most commonly on Unix based systems but there are some for NT, with its own versions. These replacements are transparent to the user. For example they can hide data by replacing the ls command with one that leaves certain files out of its listing. This can cover up the fact that the machine has been compromised. One way to protect against rootkits is to employ a host-based intrusion detection system such as Tripwire, which records a cryptographic checksum of each system file and reports any that have changed. Two caveats: the baseline must be taken from a known-good state and kept where the attacker cannot rewrite it, and a kernel-level rootkit can lie to any checker running on the live system, so compare against the disk from boot media or from another machine.
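To make the Tripwire idea concrete, here is an added example (written for this tutorial; it is not Tripwire's code or the original post's) of a minimal integrity baseline: hash every file under a directory, save the result, and later report what was modified, added or removed. The scenario it runs, a trojaned ls and a dropped "backdoor" file, is constructed in a temporary directory.

```python
"""Minimal file-integrity baseline in the spirit of Tripwire.

Added example, not code from the original post or from Tripwire. It
hashes a directory tree, saves the baseline as JSON, and reports files
that were modified, added or removed. Sample files are constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map relative path -> [size, sha256] for every regular file under root."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            db[rel] = [os.path.getsize(full), sha256_file(full)]
    return db


def save_baseline(db: dict, path: str) -> None:
    # In practice store this on read-only or offline media: a rootkit with
    # write access to the host can simply rewrite a baseline kept on it.
    with open(path, "w") as fh:
        json.dump(db, fh, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def compare(baseline: dict, current: dict) -> dict:
    """Return {'modified': [...], 'added': [...], 'removed': [...]}."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then trojan ls and drop a new binary."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)
    originals = {
        "ls": b"#!/bin/sh\nexec /bin/ls \"$@\"\n",
        "ps": b"#!/bin/sh\nexec /bin/ps \"$@\"\n",
    }
    for name, body in originals.items():
        with open(os.path.join(bindir, name), "wb") as fh:
            fh.write(body)
    baseline_path = os.path.join(root, "baseline.json")  # kept outside bindir
    save_baseline(snapshot(bindir), baseline_path)

    # Simulated rootkit: ls now filters its output; a backdoor appears.
    with open(os.path.join(bindir, "ls"), "wb") as fh:
        fh.write(b"#!/bin/sh\nexec /bin/ls \"$@\" | grep -v secret\n")
    with open(os.path.join(bindir, "backdoor"), "wb") as fh:
        fh.write(b"MZ\x90\x00")
    return compare(load_baseline(baseline_path), snapshot(bindir))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report names ls as modified and backdoor as added. Note that size alone would not have caught a same-length replacement; the hash does.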
NTFS ALTERNATE DATA STREAMS
Another way to hide data on an NTFS formatted drive is through the use of alternate data streams. Alternate data streams let you attach the contents of other files, directories, and even executables to a file in a way that is transparent to both Windows Explorer and the DOS prompt. No combination of the DIR command will show the attached data (later versions of Windows added dir /r, which does list streams), and the file size reported for the file stays the same, because only the main, unnamed stream is counted. Streams exist only on NTFS: copying the file to a FAT volume, a floppy or a CD, or sending it by e-mail, silently drops them. One way to detect alternate data streams is through a third party application called "lads" available at www.heysoft.de. Using this program you will be able to view files and their attached data streams. To give an example we are going to create a directory called testing on the C: drive, make a file called test.txt and put some data into it.
c:\testing>echo this is my test >test.txt
Now you have a file named test.txt with the text "this is my test" in the file. Now we are going to attach the contents of a directory to the file. I have a directory with just a few files in it called working. So now I am going to attach that directory to the data stream like this specifying the name as hidden:
c:\testing>dir c:\working > test.txt:hidden
You can also leave the file name out, which attaches the stream to the current directory rather than to a file (directories can carry named streams too):
c:\testing>dir c:\working > :hidden
If you now do a dir on the testing directory you will see that the streams do not show. If you run lads.exe on the directory you will see the data streams.
Now if you want to view the contents of the stream you just made you can do this:
You should now see the contents of the stream. Executables and scripts can be hidden inside data streams as well, like this:
C:\testing>type C:\windows\system32\sol.exe > test.txt:card.exe
Then it can be called like this:
I am not delving any deeper into this subject because this obviously can be used for unethical purposes. Just be educated that these streams exist, how to find them, and how they work.
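For an investigator who would rather script the check than run it by hand, the following is an added example (written for this tutorial, not code from the original post or from the lads tool) that lists a file's streams through the Win32 FindFirstStreamW API and reads one back the same way cmd's redirection opened it. The enumeration only works on Windows against an NTFS volume; the helper that parses the raw stream names (":hidden:$DATA" and so on) is platform independent. The path C:\testing\test.txt is the tutorial's and is assumed to exist when the script is run.

```python
"""List and read NTFS alternate data streams from Python.

Added example for the tutorial above; not code from the original post or
from the LADS tool. list_streams() calls FindFirstStreamW/FindNextStreamW
via ctypes and therefore runs only on Windows with an NTFS volume.
"""
import ctypes
import os
import sys

MAX_PATH = 260


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Layout from the Win32 API: LARGE_INTEGER size, then the stream name.
    _fields_ = [("StreamSize", ctypes.c_int64),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def parse_stream_name(raw: str) -> str:
    """'::$DATA' -> '' (the file's normal content); ':hidden:$DATA' -> 'hidden'."""
    name = raw
    if name.startswith(":"):
        name = name[1:]
    if name.endswith(":$DATA"):
        name = name[: -len(":$DATA")]
    return name


def list_streams(path: str):
    """Return [(stream_name, size), ...] for path, including the unnamed stream."""
    if sys.platform != "win32":
        raise OSError("alternate data streams are an NTFS/Win32 feature")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    invalid_handle = ctypes.c_void_p(-1).value

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle is None or handle == invalid_handle:
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((parse_stream_name(data.cStreamName), data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(handle)
    return streams


def hidden_streams(path: str):
    """Only the named streams, i.e. what dir hides and a tool like LADS reports."""
    return [(name, size) for name, size in list_streams(path) if name]


def read_stream(path: str, stream: str) -> bytes:
    """Open 'file:stream' exactly as cmd's redirection did and return its bytes."""
    with open(f"{path}:{stream}", "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\testing\test.txt"
    print("size as dir reports it:", os.path.getsize(target))
    for name, size in hidden_streams(target):
        print(f"  hidden stream {name!r}: {size} bytes")
        if name == "hidden":
            print(read_stream(target, name).decode("ascii", "replace"))
```

After the tutorial's commands, the script reports the tutorial's two named streams (hidden and card.exe) while os.path.getsize still returns only the size of the main stream, which is exactly why dir shows nothing unusual.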
Cryptography is an effective way to hide information. Encryption can be used for both "good" and "bad" purposes. Some encryption programs like BestCrypt from Jetico (www.jetico.com) and PGP Disk from PGP (www.pgp.com) let you set aside a section of the hard drive as an encrypted container; every file saved there is encrypted, and the container is protected with a pass phrase. BestCrypt even allows you to create a hidden container inside an encrypted drive, which is a nice feature if you are trying to hide information. Just be aware that the pass phrase used to open the container can be left behind in the swap file; BestCrypt can wipe the swap file so it cannot be retrieved. Individual files might also be encrypted before they are emailed or transferred in some way. Usually disk encryption is done symmetrically (shared key) and things like email are done asymmetrically (public key and private key).
Native Windows EFS will be avoided by experienced individuals for several reasons. One is that on a stand-alone Windows 2000 machine the local Administrator account is the default recovery agent, so if someone gains access to the Administrator account, and the recovery key has not been exported and removed from the machine, they can read the encrypted files. You might also want to look for a floppy disk that holds the exported key. EFS encryption is transparent to the user, so once you are signed in as that user all the information will appear unencrypted to the investigator.
Some encryption algorithms are very weak and tools can be found on the Internet that will break them. An investigator will look for all types of encrypted information when investigating a system. Usually, though, the encryption is not broken at all: the password is obtained from somewhere else. People often use the same password for multiple items, so getting a password from an easier source and then applying it to the encrypted data can be very effective.
Steganography is hiding things in plain sight. The word comes from the Greek for "covered writing". Steganography uses a carrier file that sits visibly in plain sight to carry invisible, secret information, typically by making small changes to the carrier (for example the least significant bits of an image's pixels) that do not alter how it looks or sounds. Stego utilities usually protect information by both hiding and encrypting the data in the carrier. S-Tools is a popular program for this. Steganography is a highly effective way to hide small amounts of information but is not practical for large amounts: each carrier can hold only a fraction of its own size, so it is hard to find suitable carriers for larger amounts of data. It is also not easy to find out whether a file has been stegoed or not. There are tools that will test for stegoed content, but some only detect the output of one specific program. One of the best ways to understand steganography is to download the tools and play with them. Create a few files with a program and understand how it works.
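To show what "a certain amount of information per carrier" means in practice, here is an added example of the simplest stego scheme, least-significant-bit embedding. It is written for this tutorial and is not the algorithm used by S-Tools or any other named program; the carrier is a constructed buffer of 8-bit samples standing in for an image's pixel data (a real tool would read those out of a BMP or PNG), and the length header format is my own choice.

```python
"""Least-significant-bit steganography on a raw sample buffer.

Added example for the tutorial above; not the method of S-Tools or any
other tool. Hides a payload one bit per sample, preceded by a 32-bit
length, and shows that capacity is bounded by the carrier's size.
"""

HEADER_BYTES = 4  # big-endian payload length stored in the first 32 LSBs


def capacity(carrier: bytes) -> int:
    """Payload bytes the carrier can hold: one bit per sample, minus the header."""
    return len(carrier) // 8 - HEADER_BYTES


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive samples with the bits of length||payload."""
    if len(payload) > capacity(carrier):
        raise ValueError(f"payload {len(payload)} B exceeds capacity {capacity(carrier)} B")
    message = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    out = bytearray(carrier)
    for i, byte in enumerate(message):
        for bit in range(8):
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)  # change at most by 1
    return bytes(out)


def extract(carrier: bytes) -> bytes:
    """Reassemble the hidden bytes from the LSBs, reading the length header first."""
    def read_bytes(start: int, count: int) -> bytes:
        result = bytearray()
        for i in range(count):
            value = 0
            for bit in range(8):
                value = (value << 1) | (carrier[(start + i) * 8 + bit] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, HEADER_BYTES), "big")
    if length > capacity(carrier):
        raise ValueError("no valid payload header in carrier")
    return read_bytes(HEADER_BYTES, length)


def demo() -> dict:
    """Constructed 2048-sample carrier; hide a short note and recover it."""
    carrier = bytes(range(256)) * 8
    secret = b"meet me by the river at 9pm"
    stego = embed(carrier, secret)
    return {
        "capacity": capacity(carrier),
        "recovered": extract(stego),
        "same_size": len(stego) == len(carrier),
        "max_sample_change": max(abs(a - b) for a, b in zip(carrier, stego)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

A 2048-sample carrier holds 252 bytes, the stego copy is exactly the same size as the original, and no sample moves by more than one unit, which is why the change is invisible to the eye and why a large payload needs a proportionally large carrier.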
In conclusion, it is important to know the different ways that data can be hidden. If you are investigating the possibility that a computer has been compromised, or if you are at home investigating your own computer, finding hidden data is a must. Finding stego and encryption programs on a computer you are investigating is a good sign that someone is trying to hide data. If someone says they are just using those for testing, ask them if you can view some of the files they have used the utilities on.