Pau Lo

asked on

data hiding real time analysis - live servers.

Are there any free tools to identify on a live server common data hiding techniques such as encrypted volumes or hidden partitions? If so, could you name the tools. It's not a real case, just for testing, but it will be interesting.

For large quantities of data, what are the common data hiding techniques above and beyond encrypted volumes/containers and hidden partitions? And if there are others, what tools do you use to root out those?
ASKER CERTIFIED SOLUTION
Tolomir (Germany)
Pau Lo

ASKER

Would steganography hide masses of data, say like 10 GB of files? Or is it just the odd file?

Is that the main "data hiding" technique, or do hidden TrueCrypt/hidden partitions get utilised more frequently?

You need a "container" with double the size of the content, either WAV or JPG. Thus more than 50 MB payload would be strange.

To hide larger amounts, hidden partitions would do the trick (TrueCrypt ... or any other tool working this way).
SOLUTION
To be precise, you can of course store a zip file in a music or image file using steganography, thus hiding hundreds of small files would be no problem. There are tools to find such files by scanning for anomalies in such image or WAV files. Google should help.

You can use a tool like http://www.jam-software.com/treesize_free/ to find large container files.
Use a partition manager to identify hidden partitions.

There are other tools possible too, involving the installation of software like: http://fspro.net/hide-folders/
They claim to lock access to files and folders; not sure how they manipulate the system to "really" hide the files and folders. Maybe you want to test this on a spare system.
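The "zip file inside an image or WAV" case above is the one form of steganography that is cheap to check for without a dedicated tool: the container format itself says where the real file ends, so any bytes after that point are appended payload. The scanner below is an added example written for this thread (it is not a tool named by any of the posters): it walks the JPEG marker segments to find the true EOI, reads the declared RIFF size of a WAV, and reports trailing bytes plus any archive signatures found in them. The sample files are constructed in-line so the script runs offline.

```python
"""Detect payloads appended after the end of a JPEG or WAV container.

Added example for this thread, not code from any poster. It detects only
*appended* data (the "zip inside a music or image file" case); it does NOT
detect LSB-style embedding, which changes pixel/sample values and needs
statistical tests instead.
"""

# Archive signatures worth flagging if they appear in the trailing region.
SIGNATURES = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar",
              b"\x1f\x8b": "gzip", b"7z\xbc\xaf\x27\x1c": "7z"}


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker by walking marker segments.

    Length-prefixed segments (APP1/EXIF thumbnails included) are skipped by
    their declared length, so an EOI inside an embedded thumbnail is not
    mistaken for the real end of image.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        code = data[pos + 1]
        if code == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if code == 0xD9:                       # EOI: real end of image
            return pos + 2
        if code == 0x01 or 0xD0 <= code <= 0xD7:  # TEM / RSTn have no length
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if code == 0xDA:                       # SOS: skip entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                      # next real marker
                pos += 1
    raise ValueError("no EOI marker found")


def wav_end_offset(data: bytes) -> int:
    """Return the end offset declared by the RIFF header (8 + RIFF size)."""
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    return 8 + int.from_bytes(data[4:8], "little")


def scan_trailing(data: bytes) -> dict:
    """Report bytes beyond the container's declared end and signatures in them."""
    if data[:2] == b"\xff\xd8":
        fmt, end = "jpeg", jpeg_end_offset(data)
    elif data[:4] == b"RIFF":
        fmt, end = "wav", wav_end_offset(data)
    else:
        raise ValueError("unsupported container")
    tail = data[end:]
    found = sorted({name for sig, name in SIGNATURES.items() if sig in tail})
    return {"format": fmt, "declared_end": end,
            "trailing_bytes": len(tail), "embedded_signatures": found}


def make_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: SOI, APP1 with an embedded thumbnail (its own
    SOI/EOI), an SOS header, a little fake scan data with a stuffed 0xFF, EOI."""
    thumb = b"\xff\xd8\xff\xd9"
    app1_payload = b"Exif\x00\x00" + thumb
    app1 = b"\xff\xe1" + (len(app1_payload) + 2).to_bytes(2, "big") + app1_payload
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"
    return b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9"


def make_sample_wav() -> bytes:
    """Constructed 8 kHz mono 8-bit PCM WAV with 64 bytes of sample data."""
    le = lambda v, w: v.to_bytes(w, "little")
    fmt = b"fmt " + le(16, 4) + le(1, 2) + le(1, 2) + le(8000, 4) + le(8000, 4) + le(1, 2) + le(8, 2)
    pcm = bytes(range(64))
    body = b"WAVE" + fmt + b"data" + le(len(pcm), 4) + pcm
    return b"RIFF" + le(len(body), 4) + body


if __name__ == "__main__":
    for name, blob in (("clean.jpg", make_sample_jpeg()),
                       ("tampered.jpg", make_sample_jpeg() + b"PK\x03\x04" + b"A" * 100),
                       ("tampered.wav", make_sample_wav() + b"\x1f\x8b" + b"B" * 40)):
        print(name, scan_trailing(blob))
```

On a real file set, run `scan_trailing(open(path, "rb").read())` over every image and WAV under the volume and sort by `trailing_bytes`; a few hundred bytes of trailer is common (camera metadata, editor padding), tens of megabytes are not, which matches the "more than 50 MB payload would be strange" rule of thumb above. Some streaming WAV writers leave the RIFF size wrong, so treat a WAV hit as a lead to inspect, not a verdict.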
To be honest though, I have *never* seen steganography used in a real-world scenario; OEMs and vendors often use hidden partitions, malicious software uses silkroping or rootkitting (I guess silkroping could be considered steganography of executable filetypes :) and for a brief period, alternate data streams were popular (until AV vendors started treating them with more suspicion).

Most data hiding is done not from the user but from AV products. This is because in order to be useful, the hidden data needs to be accessible, and a convoluted scheme that requires a complex (and unprotected/unhidden) driver to access the hidden data offers a convenient shortcut to finding that data *is* being hidden. Few users can or even want to detect files on their system that aren't what they claim to be; they rely on AV to draw their attention to such things.

ASKER

Is identifying "anti-forensics" something you do first in any investigation you get in? I can't find any sample "forensics workflow" (perhaps as each investigation is different) that says when an investigator gets a PC in, they first run this set of tests, then these, then these etc. Do you follow a common "workflow" per investigation? Would you be willing to share?

ASKER

>>Most data hiding is done, not from the user, but from AV products. this is because in order to be useful, the hidden data needs to be accessible, and a convoluted scheme that requires a complex (and unprotected/unhidden) driver to access the hidden data offers a convenient shortcut to finding that data *is* being hidden.  Few users can or even want to detect files on their system that aren't what they claim to be - they rely on AV to draw their attention to such things.


Does this comment just relate to malware, as opposed to a malicious admin hiding, for example, inappropriate images/vids (porn)?

ASKER

Are there any good "rootkit" or "silkroping" identification tools you'd recommend on Windows servers?
Silkroping is a generic term for the process of embedding a trojan executable into an existing one, expanding the host exe to suit; while there used to be a specific package called that which performed that task for explicitly trojaned exes, most of the time the process is in situ and performed by malware. So on the whole, most AV packages can spot known malware silkroped into exe space, and there are some tripwire-like apps that can baseline your system for you, then later on compare working exes to that baseline, pointing out those that have been changed.

Programs to identify rootkits tend to be rootkit specific, and are commonly found on AV vendor sites; famously of course Sony offered a rootkit on a range of their music CDs, but on the whole rootkits are commonly found in association with an external attack (either hacker penetration or malware infection).

A malicious admin hiding inappropriate material is unlikely to resort to such. Although a really smart one could (for example) use a rootkit to hide an entire dir structure from external view, that requires fairly specific and non-admin skills; usually, a Windows admin will just abuse the local administrator account by assigning it an EFS key, encrypting his (otherwise normally stored) files with that account, and using "run as" to access it when he needs it. Note that changing the local admin password by using domain credentials does *not* give access to such files, but in fact the reverse: it prevents even the original owner accessing the files unless he has an EFS recovery key or first changes the password back to what it was by the same method.

However, there is little point such an admin doing so unless he wishes to use the server AS a server for the material, either for external access by third parties or as part of a torrent-style download. In which case, the best approach is to look to see what is listening waiting for connections (you can use the built-in netstat tool for this: just run "netstat -nab" as a server admin and look for lines ending in "LISTEN") and backtrack those to the services and user accounts used for them. Often errant admins are arrogant in their security, and do little other than running it from an otherwise innocently named dir embedded amongst others, and renaming the exe in case anyone sees it running in the task list. Few bother with encryption, or indeed any protection outside of filesystem-level permissions.

Assuming there is an otherwise legitimate web server or FTP server, go check its config; you may have a site or login that tells you where to find the inappropriate material. If he has material there, and no means of accessing it remotely, it would puzzle me why he would bother having it on a server at all (instead of cheap and easily portable media such as USB thumb drives or SD cards).
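The "netstat -nab, find the listeners, backtrack each to its service and executable" step above is easy to do by eye on a workstation and tedious on a busy server, so here is an added example (written for this thread, not a tool any poster mentioned) that parses the output of that command and lists every listener together with the hosting service name(s) and owning executable, then filters out the ones an analyst expects. The sample text is constructed to match the layout Windows prints for `netstat -nab` (connection line, then the service name(s), then the executable in brackets; the state column reads `LISTENING`, and `Can not obtain ownership information` appears where the process cannot be attributed); it was not captured from a real host, and `updater.exe` on port 8080 is an invented stand-in for the "innocently named" process the post describes.

```python
"""Parse `netstat -nab` output and flag unexpected listeners.

Added example for this thread, not a poster's tool. Feed it the saved output
of `netstat -nab` (run as an administrator, since -b needs that) and review
what comes back rather than trusting it blindly.
"""
import re
from dataclasses import dataclass, field

# Constructed sample approximating the netstat -nab layout; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TermService
 [svchost.exe]
  TCP    10.0.0.5:8080          0.0.0.0:0              LISTENING
 [updater.exe]
  TCP    10.0.0.5:49700         10.0.0.9:445           ESTABLISHED
 [System]
  UDP    0.0.0.0:123            *:*
  W32Time
 [svchost.exe]
"""

# A connection line: proto, local, foreign, and (TCP only) a state column.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass
class Endpoint:
    proto: str
    local: str
    state: str                      # "LISTENING", "ESTABLISHED", "" for UDP
    exe: str = ""                   # owning executable, "<unknown>" if denied
    services: list = field(default_factory=list)  # hosted service names

    @property
    def port(self) -> int:
        # rsplit handles IPv6 locals such as [::]:135 as well as 0.0.0.0:135
        return int(self.local.rsplit(":", 1)[1])


def parse_netstat_nab(text: str) -> list:
    """Turn netstat -nab text into Endpoint records with attribution attached."""
    endpoints = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, _foreign, state = m.groups()
            endpoints.append(Endpoint(proto, local, state or ""))
            continue
        s = line.strip()
        if not endpoints or not s:      # header lines / blank lines
            continue
        cur = endpoints[-1]             # attribution lines follow their connection
        if s.startswith("[") and s.endswith("]"):
            cur.exe = s[1:-1]
        elif s.lower().startswith("can not obtain"):
            cur.exe = "<unknown>"
        else:
            cur.services.append(s)
    return endpoints


def listeners(endpoints: list) -> list:
    """TCP sockets in LISTENING state plus every bound UDP socket."""
    return [e for e in endpoints if e.proto == "UDP" or e.state == "LISTENING"]


def unexpected_listeners(endpoints: list, expected_exes: set) -> list:
    """Listeners whose owning executable is not on the analyst's expected list.

    Unattributed listeners ("<unknown>") are kept on purpose: not being able
    to see the owner is itself something to backtrack.
    """
    return [e for e in listeners(endpoints) if e.exe not in expected_exes]


if __name__ == "__main__":
    eps = parse_netstat_nab(SAMPLE_NETSTAT)
    for e in unexpected_listeners(eps, {"svchost.exe"}):
        print(f"{e.proto} {e.local:<22} exe={e.exe:<14} services={e.services}")
```

The expected-executable set is the analyst's to build from a known-good host of the same role; everything the filter leaves behind is what the post says to backtrack (which service, which account it runs as, which directory the binary lives in). Because a renamed exe still shows up under its new name here, the value is in the port plus path combination, not the name alone.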
SOLUTION