Hiding Files and Covering Tracks

Ways to hide files in Windows systems

• Altermate Data Stream (ADS)

  • A feature of the Windows native NTFS to ensure compatibility with Apple's HFS

  • Has the ability for loads for back-end features built into the OS and applications

  • No one in practice actually uses it because it is easy to spot and triggers all sorts of warnings

  • Allows you to hide files behind any other file, rendering it invisible to directory searches

  • Mitigations

    • Every forensics kit checks for ADS

    • Modern versions of Windows show an executable that's run inside a .txt file in the Task Manager as part of the parent

    • Hunt down ADS using applications like LNS and Sfind

    • In Vista, use directory command dir /r which will display all file stream in the directory

    • Copying files to and from a FAT partition blows away any residual file streams in the directory

# Move contents of the badfile file into the text file with a command 
c:\type c:\badfile.exe > c:\readme.txt:badfile.exe 

# When ready to use the file start it with 
start readme.txt:badfile.exe 

# Create a link to the bad file 
c:\mklink innocent.exe readme.txt:badfile.exe 

What is Steganography?

• Hiding data in pictures

• Two types of semagrams

  • Visual semagram — use an everyday object to convey a message

  • Text semagram — obscures a message in text by using things such as font, size, type or spacing

• Linguistic steganography

  • a collection of techniques and methods that allows the hiding of any digital information within texts based on some linguistic knowledge.

  • Hides the message in the carrier file in a non-obvious way

• Technical Steganography

  • Hides a message using scientific methods

• Tools

  • ImageHide

  • Snow

  • Mp3Stego

  • Blindside

  • S-tools

  • wbStego

  • Stealth

What are the three main logs?

• Application logs — entries specifically related to the applications, and only entries programmed by the developers get in

• System log — Registers system events, such as drivers failing and startup/shutdown times

• Security log — Registers login attempts, access and activities regarding resources

How to hide your tracks in log files

• Be selective in your event log editing

• Go in first and edit what is actually being audited

• Turn off auditing only on the things you'll be hitting, things like:

  • failed resource access

  • failed logins

• Visit the log and get rid of those items that show your presence and activities

• Get rid of the security event log that shows where you edited the audit log

• Another option is to simply corrupt the log file once you are done

Log file location

• Default log file location is %systemroot%\System32\Config

• This can be changed and placed the log files somewhere else by editing the registry key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog)

Tools

• In Control Panel | Administrative Tools | Local Security Policy — you can set up and change the audit policy for the system

• Top level settings are found under Local Policies | Audit Policy

• Other settings are found in Advanced Audit Policy Configuration

• WinZapper

  • Evidence Eliminator

  • Auditpol - let's you disable event logs on other machines

c:\auditpol \\targetIPaddress /disable