data hiding real time analysis - live servers.

Are there any free tools to identify, on a live server, common data hiding techniques such as encrypted volumes or hidden partitions? If so, could you name the tools? It's not a real case, just for testing, but it will be interesting.

For large quantities of data, what are the common data hiding techniques above and beyond encrypted volumes/containers and hidden partitions? And if there are others, what tools do you use to root those out?
pma111 Asked:

Tolomir (Administrator) Commented:
Try this:

https://en.wikipedia.org/wiki/Steganography (look out for wav or image files)

One could also install a rootkit on the server to make certain files invisible. (This is why patching is so important.)
pma111 (Author) Commented:
Would steganography hide masses of data, say 10 GB of files? Or is it just the odd file?

Is that the main "data hiding" technique, or do hidden TrueCrypt/hidden partitions get utilised more frequently?

Tolomir (Administrator) Commented:
You need a "container" with double the size of the content, either wav or jpg. Thus a payload of more than 50 MB would be strange.

To hide larger amounts, hidden partitions would do the trick (TrueCrypt, or any other tool working this way).
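
The capacity question above is easy to pin down with a small experiment. The following is an added example, not code from the thread: it embeds a payload one bit per 8-bit sample (so in this scheme the cover must be eight times the payload, not double), recovers it, and runs the chi-square "pairs of values" check that anomaly scanners apply to images and wav data. The cover signal and the payload are constructed; the even-value bias in make_cover() stands in for the uneven neighbouring-value counts a real quantised signal has.

```python
"""Added example (not from the thread): LSB steganography in 8-bit samples,
its real capacity, and the chi-square 'pairs of values' anomaly check that
stego scanners use.  The cover signal and payload are constructed here."""
import math
import random
import struct


def capacity_bytes(container_len: int) -> int:
    """One LSB per 8-bit sample: the container must be 8x the payload."""
    return container_len // 8


def embed(cover: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive cover bytes with payload bits.
    A 4-byte big-endian length prefix tells extract() where the payload ends."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) > capacity_bytes(len(cover)):
        raise ValueError("payload too large: %d samples needed, %d available"
                         % (len(framed) * 8, len(cover)))
    out = bytearray(cover)
    pos = 0
    for byte in framed:
        for shift in range(7, -1, -1):
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the payload from the LSBs written by embed()."""
    def read(start, nbytes):
        buf = bytearray()
        for k in range(nbytes):
            v = 0
            for b in range(8):
                v = (v << 1) | (stego[start + k * 8 + b] & 1)
            buf.append(v)
        return bytes(buf)
    (length,) = struct.unpack(">I", read(0, 4))
    return read(32, length)          # 4 length bytes occupy the first 32 samples


def chi_square_pov(samples: bytes) -> float:
    """Mean chi-square over value pairs (2k, 2k+1).  LSB replacement makes the
    two counts in every pair converge, so a fully embedded region scores about
    1 while an untouched natural signal scores much higher."""
    counts = [0] * 256
    for s in samples:
        counts[s] += 1
    total, pairs = 0.0, 0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected == 0:
            continue
        total += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
        pairs += 1
    return total / pairs if pairs else 0.0


def make_cover(n: int, seed: int = 7) -> bytes:
    """Constructed cover: an 8-bit sine wave with a little noise and a bias
    towards even sample values (a stand-in for the quantisation artefacts
    that make neighbouring-value counts unequal in real signals)."""
    rng = random.Random(seed)
    out = bytearray()
    for i in range(n):
        v = int(round(128 + 100 * math.sin(i / 37.0) + rng.gauss(0, 1.5)))
        v = max(0, min(255, v))
        if rng.random() < 0.75:
            v &= 0xFE
        out.append(v)
    return bytes(out)


def random_payload(n: int, seed: int = 1) -> bytes:
    """Stand-in for an encrypted archive: uniformly random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    cover = make_cover(16384)
    payload = random_payload(capacity_bytes(len(cover)) - 4)
    stego = embed(cover, payload)
    assert extract(stego) == payload
    print("capacity for a 16 KiB cover: %d bytes" % capacity_bytes(len(cover)))
    print("chi-square cover=%.1f stego=%.1f" % (chi_square_pov(cover), chi_square_pov(stego)))
```

The statistic only collapses over the region that was actually written, so a scanner walks the file in windows rather than scoring it once; a payload that fills a tenth of a cover leaves the whole-file score nearly untouched. That is also why a compressed or encrypted payload (uniform bits) is the worst case for the hider here, while the cover's own structure is what makes the test work at all.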

Dave Howe (Software and Hardware Engineer) Commented:
Usually, hidden files on a compromised server are hidden in plain sight. This means either:

a) they are files of the appropriate type in the appropriate place, for instance database-named files in the database store folder. As an added bonus, such dirs are often excluded from virus scanning, due to the dangers of "quarantining" a host container for a database because of one dodgy string in there; the mounted DBs are then scanned using a database-aware tool.

b) the operating system itself is modified (a "rootkit") to hide the otherwise normal containers in use. Take a look at http://www.h-online.com/security/features/CSI-Internet-Open-heart-surgery-1350313.html?view=print for a quite excellent overview of how someone identified and removed such an infection. Mark R (to whom hackers' attempts to compromise a machine "stealthily" just make life a little more interesting, briefly) has a few examples on his blog http://blogs.technet.com/b/markrussinovich/ too.
Tolomir (Administrator) Commented:
To be precise, you can of course store a zip file in a music or image file using steganography, thus hiding hundreds of small files would be no problem. There are tools to find such files by scanning for anomalies in such image or wav files. Google should help.

You can use a tool like http://www.jam-software.com/treesize_free/ to find large container files.
Use a partition manager to identify hidden partitions.

There are other tools possible too, involving the installation of software like: http://fspro.net/hide-folders/
They claim to lock access to files and folders; not sure how they manipulate the system to "really" hide the files and folders. Maybe you want to test this on a spare system.
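
A partition manager shows what the partition table declares; the question for hidden partitions is what it does not account for. The following is an added example, not code from the thread, and is independent of any particular partition tool: it parses a classic MBR, flags entries carrying one of the "hidden" type IDs, and lists runs of sectors that no primary partition covers. The MBR and the disk size are constructed; the threshold of 4096 sectors is an assumption chosen to skip the normal 1 MiB alignment gap.

```python
"""Added example (not from the thread): parse a classic MBR partition table,
flag entries whose type ID is one of the 'hidden' variants, and list sectors
no primary partition accounts for.  The MBR below is constructed."""
import struct

SECTOR = 512
# Type IDs that mark partitions as hidden/OEM: hidden FAT12/FAT16/NTFS/FAT32,
# Compaq diagnostics, Windows RE.  A hint, not proof: OEMs use them legitimately.
HIDDEN_TYPE_IDS = {0x11, 0x12, 0x16, 0x17, 0x1B, 0x1C, 0x27}
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty primary partition entries as dicts."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    entries = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue
        entries.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "start": start, "sectors": count,
            "hidden_type": ptype in HIDDEN_TYPE_IDS,
        })
    return entries


def find_gaps(entries: list, disk_sectors: int, min_gap: int = 4096) -> list:
    """(start, length) of unallocated runs of at least min_gap sectors.
    The usual 1 MiB alignment gap before the first partition (2047 sectors)
    falls below the default threshold; anything larger deserves a look."""
    runs = sorted((e["start"], e["start"] + e["sectors"]) for e in entries)
    gaps, cursor = [], 1          # sector 0 holds the MBR itself
    for start, end in runs:
        if start - cursor >= min_gap:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, end)
    if disk_sectors - cursor >= min_gap:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def build_sample_mbr(spec) -> bytes:
    """Constructed MBR: spec is a list of (type, lba_start, sectors, bootable)."""
    sector = bytearray(SECTOR)
    for i, (ptype, start, count, bootable) in enumerate(spec):
        struct.pack_into(ENTRY_FMT, sector, 446 + 16 * i,
                         0x80 if bootable else 0x00, ptype, start, count)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


SAMPLE_DISK_SECTORS = 2097152  # constructed: 1 GiB at 512-byte sectors
SAMPLE_MBR = build_sample_mbr([
    (0x07, 2048, 1000000, True),      # visible NTFS system volume
    (0x17, 1500000, 500000, False),   # 'hidden NTFS' type ID
])

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(p)
    print("unallocated runs (start, sectors):", find_gaps(parts, SAMPLE_DISK_SECTORS))
```

On a real system the sector comes from the raw device (`\\.\PhysicalDrive0` on Windows, `/dev/sda` on Linux) and `disk_sectors` must be the drive's native capacity, not the size the OS reports: a host protected area (the HPA mentioned later in the thread) sits beyond the reported end, so it only shows up as a trailing gap if you use the value from something like `hdparm -N`. A GPT disk presents a single protective 0xEE entry here; its real table needs the GPT header parsed instead, and the same gap logic then applies to the GPT entries.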
Dave Howe (Software and Hardware Engineer) Commented:
To be honest though, I have *never* seen steganography used in a real world scenario; OEMs and vendors often use hidden partitions, malicious software uses silkroping or rootkitting (I guess silkroping could be considered steganography of executable filetypes :) and for a brief period, alternate data streams were popular (until AV vendors started treating them with more suspicion).

Most data hiding is done, not from the user, but from AV products. This is because, in order to be useful, the hidden data needs to be accessible, and a convoluted scheme that requires a complex (and unprotected/unhidden) driver to access the hidden data offers a convenient shortcut to finding that data *is* being hidden. Few users can, or even want to, detect files on their system that aren't what they claim to be; they rely on AV to draw their attention to such things.
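
"Files that aren't what they claim to be" is exactly what a baseline catches, and it needs no AV signature. The following is an added example, not code from the thread or from any tripwire-style product: hash_tree() snapshots SHA-256 and size for every executable-looking file under a root, and compare() reports what changed, appeared or vanished between two snapshots. The directory tree, the file contents and the names (svc.exe, helper.dll, wuauclt64.exe) are constructed in a temporary directory so the example runs anywhere.

```python
"""Added example (not from the thread): a minimal 'tripwire-like' baseline of
executables.  hash_tree() records SHA-256 per file under a root; compare()
reports files that changed, appeared or vanished.  The tree is constructed
in a temporary directory so the example runs anywhere."""
import hashlib
import json
import os
import tempfile

EXE_SUFFIXES = (".exe", ".dll", ".sys")  # what to baseline; widen as needed


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str, suffixes=EXE_SUFFIXES) -> dict:
    """Map relative path -> {size, sha256} for every matching file under root."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return snapshot


def compare(baseline: dict, current: dict) -> dict:
    """Diff two hash_tree() snapshots.  A host exe with a payload grafted on
    shows up as modified (and larger); a renamed binary dropped into a
    directory shows up as added."""
    return {
        "modified": sorted(p for p in baseline if p in current
                           and current[p]["sha256"] != baseline[p]["sha256"]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save(snapshot: dict, path: str) -> None:
    with open(path, "w") as f:
        json.dump(snapshot, f, indent=1, sort_keys=True)


def load(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def demo() -> dict:
    """Constructed scenario: baseline a tree, then grow one exe, plant an
    innocuously named binary and delete a DLL; returns compare() output."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for rel, body in (("bin/svc.exe", b"MZ" + b"\x00" * 100),
                          ("bin/helper.dll", b"MZ" + b"\x01" * 50),
                          ("bin/readme.txt", b"not a binary")):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        base_path = os.path.join(root, "baseline.json")
        save(hash_tree(root), base_path)

        with open(os.path.join(root, "bin", "svc.exe"), "ab") as f:
            f.write(b"\x90" * 4096)                 # host exe grows: payload appended
        with open(os.path.join(root, "bin", "wuauclt64.exe"), "wb") as f:
            f.write(b"MZ" + b"\x02" * 10)           # new binary with a familiar-looking name
        os.remove(os.path.join(root, "bin", "helper.dll"))
        return compare(load(base_path), hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline file itself has to live somewhere the attacker cannot rewrite (offline media, or at least a different host), otherwise a tampered binary simply ships with a tampered baseline; the same caveat applies to whatever produces the hashes, which is the point Dave makes about rootkits lying to everything above them.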
pma111 (Author) Commented:
Is identifying "anti-forensics" something you do first in any investigation you get in? I can't find any sample "forensics workflow" (perhaps as each investigation is different) that says when an investigator gets a PC in, they first run this set of tests, then these, then these, etc. Do you follow a common "workflow" per investigation? Would you be willing to share?
pma111 (Author) Commented:
>>Most data hiding is done, not from the user, but from AV products. This is because, in order to be useful, the hidden data needs to be accessible, and a convoluted scheme that requires a complex (and unprotected/unhidden) driver to access the hidden data offers a convenient shortcut to finding that data *is* being hidden. Few users can, or even want to, detect files on their system that aren't what they claim to be; they rely on AV to draw their attention to such things.

Does this comment just relate to malware, as opposed to a malicious admin hiding, for example, inappropriate images/vids (porn)?
pma111 (Author) Commented:
Are there any good "rootkit" or "silkroping" identification tools you'd recommend on Windows servers?
Dave Howe (Software and Hardware Engineer) Commented:
Silkroping is a generic term for the process of embedding a trojan executable into an existing one, expanding the host exe to suit; while there used to be a specific package called that which performed that task for explicitly trojaned exes, most of the time the process is in situ and performed by malware, so on the whole most AV packages can spot known malware silkroped into exe space, and there are some tripwire-like apps that can baseline your system for you, then later compare working exes to that baseline, pointing out those that have been changed.

Programs to identify rootkits tend to be rootkit specific, and are commonly found on AV vendor sites; famously, of course, Sony offered a rootkit on a range of their music CDs, but on the whole rootkits are commonly found in association with an external attack (either hacker penetration or malware infection).

A malicious admin hiding inappropriate material is unlikely to resort to such; although a really smart one could (for example) use a rootkit to hide an entire dir structure from external view, that requires fairly specific and non-admin skills. Usually, a Windows admin will just abuse the local administrator account by assigning it an EFS key, encrypting his (otherwise normally stored) files with that account, and using "run as" to access them when he needs to. Note that changing the local admin password using domain credentials does *not* give access to such files, but in fact the reverse: it prevents even the original owner accessing the files unless he has an EFS recovery key or first changes the password back to what it was by the same method.

However, there is little point in such an admin doing so unless he wishes to use the server AS a server for the material, either for external access by third parties or as part of a torrent-style download. In which case, the best approach is to look to see what is listening, waiting for connections (you can use the built-in netstat tool for this; just run "netstat -nab" as a server admin and look for lines ending in "LISTEN") and backtrack those to the services and user accounts used for them. Often errant admins are arrogant in their security, and do little other than running it from an otherwise innocently named dir embedded amongst others, and renaming the exe in case anyone sees it running in the task list. Few bother with encryption, or indeed any protection outside of filesystem-level permissions.

Assuming there is an otherwise legitimate web server or FTP server, go check its config; you may have a site or login that tells you where to find the inappropriate material. If he has material there, and no means of accessing it remotely, it would puzzle me why he would bother having it on a server at all (instead of cheap and easily portable media such as USB thumb drives or SD cards).
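
The netstat step above is tedious by hand on a server with a few hundred sockets, so here is an added example (not code from the thread, and it runs no command itself) that parses output in the shape Windows `netstat -nab` prints, pulls out every listening TCP socket with the service and executable netstat attributes to it, and flags the ones worth backtracking: ports outside the expected set for the server's role, or sockets netstat could not attribute at all. The sample output, the port numbers and the executable names in it (including wuauclt64.exe) are constructed; the state string matched is LISTENING, which is what Windows prints in full.

```python
"""Added example (not from the thread): parse 'netstat -nab' style output and
pull out listening sockets with their owning service/executable, so each one
can be backtracked.  The sample text is constructed in the shape of Windows
netstat output; no command is executed here."""
import re

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed sample: layout of a real 'netstat -nab' run, invented content.
SAMPLE_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TermService
 [svchost.exe]
  TCP    0.0.0.0:6881           0.0.0.0:0              LISTENING
 [wuauclt64.exe]
  TCP    10.0.0.5:49700         10.0.0.9:443           ESTABLISHED
 [chrome.exe]
  UDP    0.0.0.0:123            *:*
  W32Time
 [svchost.exe]
"""


def parse_netstat(text: str) -> list:
    """One dict per socket: proto, local, remote, state, service, exe.
    Owner lines follow each socket line: a bare service name, an '[exe]' line,
    or the 'Can not obtain ownership information' message."""
    sockets = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            sockets.append({"proto": proto, "local": local, "remote": remote,
                            "state": state or "", "service": None, "exe": None})
            continue
        if not sockets:
            continue                      # banner and column header come first
        s = line.strip()
        if not s:
            continue
        cur = sockets[-1]
        if s.startswith("[") and s.endswith("]"):
            cur["exe"] = s[1:-1]
        elif s.lower().startswith("can not obtain"):
            cur["exe"] = None
        else:
            cur["service"] = s
    return sockets


def port_of(addr: str) -> int:
    """Port from 'ip:port' or '[v6addr]:port'."""
    return int(addr.rsplit(":", 1)[1])


def listeners(sockets: list) -> list:
    """TCP sockets in LISTENING state, sorted by port."""
    return sorted((s for s in sockets if s["proto"] == "TCP" and s["state"] == "LISTENING"),
                  key=lambda s: port_of(s["local"]))


def unexpected_listeners(sockets: list, expected_ports: set) -> list:
    """Listeners to chase: port not expected for this server role, or netstat
    could not attribute the socket to a service or executable."""
    return [s for s in listeners(sockets)
            if port_of(s["local"]) not in expected_ports or s["exe"] is None]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_OUTPUT)
    for s in unexpected_listeners(socks, {135, 445, 3389}):
        print("%-22s %-10s service=%s exe=%s" % (s["local"], s["state"], s["service"], s["exe"]))
```

Feed it real output captured from an elevated prompt (unelevated runs are what produce "Can not obtain ownership information"). The parser expects the `-nab` column layout; `-o` adds a PID column and would need a fifth capture group. From the exe name, the remaining backtracking is `tasklist /svc` for the PID-to-service mapping and the process's ExecutablePath for where on disk the binary actually lives, which is what exposes the innocuously named directory Dave describes.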
btan (Exec Consultant) Commented:
Just to share potential hidden areas in this link
@ http://www.forensicswiki.org/wiki/Anti-forensic_techniques

In particular, possibly common ones below

a) HDD with Hidden Protected Area: normally these are Protected Service Areas created by the vendors, with visibility controlled through the BIOS. I doubt it can be easily exploited, though there are tools to access those areas. But it can be HDD specific.

@ http://www.thinkwiki.org/wiki/Hidden_Protected_Area

b) File slack, such as RAM slack or drive slack, is easily exploited too. Hidden data in file slack is in danger of being erased/replaced when the file size increases. As a result, stable files are preferable for this hiding technique. A keyword search should be able to surface it, but if encrypted or obfuscated then it is not visible from the clone target. Also, because hidden data is usually stored in the file system without any structure or metadata, it is hard to recover. Recovery is particularly challenging if suspects store data in random order and remove the file signature. The paper shares more information.

E.g. Metasploit's Slacker will hide data within the slack space of a FAT or NTFS file system.

@ http://www.forensicfocus.com/downloads/ntfs-hidden-data-analysis.pdf
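
To make the slack-space point concrete, here is an added example (not code from the thread, and not Slacker) that computes where a file's RAM slack and drive slack sit, carves the slack of each file in a small constructed volume image, and then shows the failure mode btan mentions: when the file grows, the new bytes land on top of whatever was planted there. The image, the cluster size (4096), the file table and the planted string are all constructed, and the carving assumes each file's clusters are contiguous.

```python
"""Added example (not from the thread): where file slack lies and how to carve
it.  A file's last cluster is only partly used; the bytes from EOF to the end
of its last sector are 'RAM slack', the remaining whole sectors of the cluster
are 'drive slack'.  The disk image and file table below are constructed."""
SECTOR = 512
CLUSTER = 4096


def slack_layout(file_size: int, cluster=CLUSTER, sector=SECTOR) -> dict:
    """Offsets relative to the file's first byte, for a contiguous run."""
    sector_end = -(-file_size // sector) * sector     # round EOF up to a sector
    cluster_end = -(-file_size // cluster) * cluster  # round EOF up to a cluster
    return {
        "allocated": cluster_end,
        "ram_slack": (file_size, sector_end - file_size),
        "drive_slack": (sector_end, cluster_end - sector_end),
    }


def carve_slack(image: bytes, first_cluster: int, file_size: int, cluster=CLUSTER) -> bytes:
    """All slack bytes of a contiguously allocated file (EOF to end of last cluster)."""
    lay = slack_layout(file_size, cluster)
    base = first_cluster * cluster
    return image[base + file_size: base + lay["allocated"]]


def scan_slack(image: bytes, files: dict, cluster=CLUSTER) -> list:
    """Files whose slack is not all zero: (name, slack_len, first 32 non-zero bytes).
    Modern Windows zero-fills RAM slack, so anything non-zero here was put there."""
    hits = []
    for name, (first_cluster, size) in files.items():
        slack = carve_slack(image, first_cluster, size, cluster)
        content = slack.strip(b"\x00")
        if content:
            hits.append((name, len(slack), content[:32]))
    return hits


def append_to_file(image: bytes, files: dict, name: str, data: bytes) -> tuple:
    """Simulate the file growing in place: new bytes land in what was slack."""
    first_cluster, size = files[name]
    off = first_cluster * CLUSTER + size
    out = bytearray(image)
    out[off: off + len(data)] = data
    new_files = dict(files)
    new_files[name] = (first_cluster, size + len(data))
    return bytes(out), new_files


def build_sample_image() -> tuple:
    """Constructed 64 KiB 'volume': a file with a planted secret in its drive
    slack, and a file that fills its cluster exactly and so has no slack."""
    image = bytearray(16 * CLUSTER)
    files = {"notes.txt": (3, 5000), "report.doc": (6, 4096)}
    # notes.txt: 5000 bytes at cluster 3, so clusters 3 and 4 are allocated
    image[3 * CLUSTER: 3 * CLUSTER + 5000] = b"A" * 5000
    planted = b"secret: 10.0.0.9 creds in c:\\tmp\\k"   # constructed payload
    drive_off = 3 * CLUSTER + slack_layout(5000)["drive_slack"][0]
    image[drive_off: drive_off + len(planted)] = planted
    # report.doc: exactly one cluster, nothing left over
    image[6 * CLUSTER: 7 * CLUSTER] = b"B" * CLUSTER
    return bytes(image), files


if __name__ == "__main__":
    img, table = build_sample_image()
    print("layout for a 5000-byte file:", slack_layout(5000))
    print("slack hits:", scan_slack(img, table))
    grown, table2 = append_to_file(img, table, "notes.txt", b"C" * 300)
    print("after the file grows by 300 bytes:", scan_slack(grown, table2))
```

On a real volume the (first cluster, size) pairs come from the file system metadata (the MFT on NTFS, the FAT chain on FAT) and fragmented files need each run carved separately; a keyword or entropy pass over the carved bytes is then the same search btan describes, and it finds nothing if the planted data was encrypted first.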