Data Hiding Technologies Introduction
Source: Internet | Editor: 程序博客网 | Time: 2024/05/16 03:27
What Is Steganography?
According to Dictionary.com, steganography (also known as "steg" or "stego") is "the art of writing in cipher, or in characters, which are not intelligible except to persons who have the key".
In computer terms, steganography has evolved into the practice of hiding a message within a larger one in such a way that others cannot discern the presence or contents of the hidden message.
In contemporary terms, it has become a digital strategy of hiding a file inside some form of multimedia, such as an image, an audio file (.wav or .mp3) or even a video file.
Current Solutions of Hiding Data
- Disk and file system structure
- Altered BIOS parameters
- Registry entries using new keys or unused keys
- Swap files
- Renamed files (e.g. as .dll)
- Binding of one executable file to another
- Hiding data within documents (e.g. as metadata or using a white font)
- Hiding data within html files
- Encrypted files
- Compressed files
Hard Disk Drive Basics
NTFS vs. FAT
WinFS Architecture
WinFS is not a physical file system; it is built on top of NTFS, and NTFS will remain as the default file system.
WinFS is based on SQL Server and its core feature is to provide a data relations mechanism. This means that your pictures are related to dates, events, and persons and so on. This allows you to perform a search such as "All pictures of Joe taken the last month". This query is not possible for a traditional file system such as NTFS, but will be a trivial part of WinFS.
Item1: Host Protected Area
This was designed to be an area where computer vendors could store data that is protected from normal user activities.
It is not affected by operating system utilities (format, delete, etc.) and cannot be accessed without the use of a special program that reconfigures the controller to access all physical blocks.
It is not difficult, however, to write a program that accesses these areas, writes data to them, and subsequently returns the area to an HPA.
Item2: Master Boot Record
It is a small program that is executed when a computer boots up. Typically, the MBR resides on the first sector of the hard disk. The program begins the boot process by looking up the partition table to determine which partition to use for booting. It then transfers program control to the boot sector of that partition, which continues the boot process.
In DOS and Windows systems, you can create the MBR with the FDISK /MBR command.
An MBR virus is a common type of virus that replaces the MBR with its own code. Since the MBR executes every time the computer is started, this type of virus is extremely dangerous.
Item3: Volume Slack
If the partitions on a hard drive do not use up all of the available space, the remaining area cannot be accessed by the operating system by conventional means (e.g., through Windows Explorer). This wasted space is called volume slack.
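The partition-table lookup described under Item 2 and the volume slack of Item 3 can both be checked from the raw first sector. The following C program is an added example, not code from the original page: it parses a classic MBR (446 bytes of boot code, four 16-byte entries at offset 446, 0x55AA signature at offset 510), finds the active entry the boot code would hand off to, and measures the unpartitioned sectors before the first partition and after the last one. The disk image is constructed inline; the sizes, partition types and the 4194304-sector disk are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Classic (non-GPT) MBR layout: 446 bytes of boot code, four 16-byte
 * partition entries at offset 446, and the 0x55AA signature at 510. */
#define MBR_SIZE        512
#define PART_TABLE_OFF  446
#define PART_ENTRY_SIZE 16
#define MBR_SIG_OFF     510

typedef struct {
    uint8_t  bootable;   /* 0x80 = active partition the boot code hands off to */
    uint8_t  type;       /* partition type byte (0x07 NTFS, 0x0B FAT32, ...) */
    uint32_t lba_start;  /* first sector of the partition */
    uint32_t sectors;    /* number of sectors in the partition */
} PartEntry;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse the four primary entries into out[]. Returns how many are in use,
 * or -1 when the signature is missing (the sector is not a valid MBR). */
int parse_mbr(const uint8_t *mbr, PartEntry out[4])
{
    int n = 0;
    if (mbr[MBR_SIG_OFF] != 0x55 || mbr[MBR_SIG_OFF + 1] != 0xAA)
        return -1;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + PART_TABLE_OFF + i * PART_ENTRY_SIZE;
        if (e[4] == 0)               /* type 0x00 = empty slot */
            continue;
        out[n].bootable  = e[0];
        out[n].type      = e[4];
        out[n].lba_start = rd32le(e + 8);
        out[n].sectors   = rd32le(e + 12);
        n++;
    }
    return n;
}

/* Index into parts[] of the entry flagged active (0x80), i.e. the one the
 * MBR boot code transfers control to; -1 if no entry is flagged. */
int boot_partition(const PartEntry *parts, int n)
{
    for (int i = 0; i < n; i++)
        if (parts[i].bootable == 0x80)
            return i;
    return -1;
}

/* Volume slack: sectors after the last partition up to the end of the disk.
 * *pre_gap receives the unpartitioned sectors between the MBR (sector 0)
 * and the first partition, another region the OS never exposes. */
uint64_t volume_slack(const PartEntry *parts, int n, uint64_t disk_sectors, uint64_t *pre_gap)
{
    uint64_t end = 1, first = disk_sectors;
    for (int i = 0; i < n; i++) {
        uint64_t e = (uint64_t)parts[i].lba_start + parts[i].sectors;
        if (e > end) end = e;
        if (parts[i].lba_start < first) first = parts[i].lba_start;
    }
    if (pre_gap) *pre_gap = (first > 1) ? first - 1 : 0;
    return (disk_sectors > end) ? disk_sectors - end : 0;
}

/* Constructed sample (not a real disk image): a 4194304-sector (2 GiB) disk
 * with a bootable 1 GiB type-0x07 partition at LBA 2048, a 512 MiB FAT32
 * partition right after it, and the tail of the disk left unpartitioned. */
#define SAMPLE_DISK_SECTORS 4194304ULL
void build_sample_mbr(uint8_t *mbr)
{
    memset(mbr, 0, MBR_SIZE);
    uint8_t *e0 = mbr + PART_TABLE_OFF;
    e0[0] = 0x80; e0[4] = 0x07;
    put32le(e0 + 8, 2048); put32le(e0 + 12, 2097152);
    uint8_t *e1 = e0 + PART_ENTRY_SIZE;
    e1[0] = 0x00; e1[4] = 0x0B;
    put32le(e1 + 8, 2099200); put32le(e1 + 12, 1048576);
    mbr[MBR_SIG_OFF] = 0x55; mbr[MBR_SIG_OFF + 1] = 0xAA;
}

int main(void)
{
    uint8_t mbr[MBR_SIZE];
    PartEntry parts[4];
    uint64_t gap;
    build_sample_mbr(mbr);
    int n = parse_mbr(mbr, parts);
    printf("partitions: %d, boot entry: %d\n", n, boot_partition(parts, n));
    uint64_t slack = volume_slack(parts, n, SAMPLE_DISK_SECTORS, &gap);
    printf("pre-partition gap: %llu sectors, volume slack: %llu sectors\n",
           (unsigned long long)gap, (unsigned long long)slack);
    return 0;
}
```

On a real examination the 512 bytes would come from sector 0 of the evidence image and the disk size from the imaging tool; both gaps reported here are regions a hex editor such as WinHex can read but Windows Explorer never shows.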
Item4: Partition Slack
Before an operating system can store and access data within a partition, a file system must be defined.
If the total number of sectors in a partition is not a multiple of the block size, there will be some sectors at the end of the partition that cannot be accessed by the operating system using any typical means.
This is referred to as partition slack and is another place where data can be hidden.
Item5: Non-bootable Partition
Every partition contains a boot sector, even if that partition is not bootable. The boot sectors of non-bootable partitions are available to hide data.
Item6: Unallocated space in a partition
Any space in a partition not currently allocated to a particular file (i.e., unallocated space; see Figure 1, item 6) cannot be accessed by the operating system. Until that space has been allocated to a file, it could contain hidden data.
Item7: Good blocks marked “bad”
It is possible to manipulate the file system metadata that identifies bad blocks (e.g. the File Allocation Table in a FAT file system or $BadClus in NTFS) so that usable blocks are marked as bad and therefore will no longer be accessed by the operating system. Such metadata manipulation will produce blocks that can store hidden data.
For example, the FAT32 FAT entry values (the "?" stands for the upper 4 bits, which are reserved and ignored):
0x?0000000 (free cluster)
0x?0000001 (reserved cluster)
0x?0000002 - 0x?FFFFFEF (used cluster; value points to the next cluster)
0x?FFFFFF0 - 0x?FFFFFF6 (reserved values)
0x?FFFFFF7 (bad cluster)
0x?FFFFFF8 - 0x?FFFFFFF (last cluster in file)
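The entry table above is easy to turn into an examiner's check for Item 7. The C code below is an added example, not part of the original page: it classifies raw FAT32 entries with the reserved high nibble masked off, walks a cluster chain with a guard against FAT loops, and lists every data cluster flagged 0xFFFFFF7 so that "bad" clusters can be compared against what the drive itself reports or read back for content. The 16-entry FAT is constructed inline; the cluster numbers and chain in it are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* FAT32 entries are 32 bits on disk, but only the low 28 bits carry the
 * value; the top nibble is reserved and must be ignored when classifying
 * (that is what the "?" in the table stands for). */
#define FAT32_MASK 0x0FFFFFFFu

typedef enum {
    FAT_FREE,            /* 0x0000000 */
    FAT_RESERVED,        /* 0x0000001 */
    FAT_USED,            /* 0x0000002 - 0xFFFFFEF: points to next cluster */
    FAT_RESERVED_RANGE,  /* 0xFFFFFF0 - 0xFFFFFF6 */
    FAT_BAD,             /* 0xFFFFFF7 */
    FAT_EOC              /* 0xFFFFFF8 - 0xFFFFFFF: last cluster in file */
} FatEntryKind;

FatEntryKind fat32_classify(uint32_t raw)
{
    uint32_t v = raw & FAT32_MASK;
    if (v == 0x0000000u) return FAT_FREE;
    if (v == 0x0000001u) return FAT_RESERVED;
    if (v <= 0xFFFFFEFu) return FAT_USED;
    if (v <= 0xFFFFFF6u) return FAT_RESERVED_RANGE;
    if (v == 0xFFFFFF7u) return FAT_BAD;
    return FAT_EOC;
}

/* Entry n of a raw FAT image (entries are little-endian 32-bit words). */
uint32_t fat32_entry(const uint8_t *fat, size_t n)
{
    const uint8_t *p = fat + n * 4;
    return ((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
            ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24)) & FAT32_MASK;
}

/* List every data cluster flagged bad. A healthy volume normally has none;
 * a run of bad entries whose sectors read back fine deserves a closer look.
 * Returns the total count; out[] receives up to max cluster numbers. */
size_t fat32_bad_clusters(const uint8_t *fat, size_t n_entries, uint32_t *out, size_t max)
{
    size_t count = 0;
    for (size_t i = 2; i < n_entries; i++) {   /* entries 0 and 1 are not data clusters */
        if (fat32_classify(fat32_entry(fat, i)) == FAT_BAD) {
            if (count < max) out[count] = (uint32_t)i;
            count++;
        }
    }
    return count;
}

/* Walk a cluster chain from start and return its length in clusters.
 * Stops at EOC, at any entry that is not part of a file, at an
 * out-of-range pointer, or after n_entries hops (a looped FAT would
 * otherwise spin forever). A free or bad start cluster yields 0. */
size_t fat32_chain_length(const uint8_t *fat, size_t n_entries, uint32_t start)
{
    size_t len = 0;
    uint32_t cur = start;
    while (cur >= 2 && cur < n_entries && len < n_entries) {
        uint32_t v = fat32_entry(fat, cur);
        FatEntryKind k = fat32_classify(v);
        if (k != FAT_USED && k != FAT_EOC) break;
        len++;
        if (k == FAT_EOC) break;
        cur = v;
    }
    return len;
}

/* Constructed 16-entry FAT (not taken from a real volume): file chain
 * 2 -> 3 -> 4 -> EOC, clusters 6 and 8 marked bad (6 with the reserved
 * high nibble set, to show the mask), everything else free. */
#define SAMPLE_ENTRIES 16
void build_sample_fat(uint8_t *fat)
{
    static const uint32_t vals[SAMPLE_ENTRIES] = {
        0x0FFFFFF8, 0x0FFFFFFF, 3, 4, 0x0FFFFFFF, 0,
        0xFFFFFFF7, 0, 0x0FFFFFF7, 0, 0, 0, 0, 0, 0, 0 };
    for (size_t i = 0; i < SAMPLE_ENTRIES; i++) {
        fat[i * 4]     = (uint8_t)vals[i];
        fat[i * 4 + 1] = (uint8_t)(vals[i] >> 8);
        fat[i * 4 + 2] = (uint8_t)(vals[i] >> 16);
        fat[i * 4 + 3] = (uint8_t)(vals[i] >> 24);
    }
}

int main(void)
{
    uint8_t fat[SAMPLE_ENTRIES * 4];
    uint32_t bad[8];
    build_sample_fat(fat);
    size_t nbad = fat32_bad_clusters(fat, SAMPLE_ENTRIES, bad, 8);
    printf("clusters marked bad: %zu:", nbad);
    for (size_t i = 0; i < nbad; i++) printf(" %u", bad[i]);
    printf("\nchain from cluster 2 has %zu clusters\n",
           fat32_chain_length(fat, SAMPLE_ENTRIES, 2));
    return 0;
}
```

The same classification applies to NTFS only in spirit: there the bad-cluster list lives in the $BadClus metadata file rather than in a FAT, but the check is identical, compare what the file system has written off against what the disk actually returns.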
Item8: Disk slack
Disk slack is a byproduct of a strategy to accelerate file management.
Modern operating systems write data in complete “blocks”, where a block can be a sector (the minimal addressable unit of a disk) or a cluster (Microsoft's term for the same concept). If a file is not an exact multiple of the sector size, the operating system must pad the last sector, and in some cases (with older operating systems) this padding is data from memory (hence the historical term “RAM slack”).
Modern operating systems tend to pad this area with nulls. If the total amount of data written does not fill an entire block, the remainder of the block, from the boundary of the last sector actually used by the file to the end of the block, remains unused and will likely contain data from a previously deleted file (“file slack”). It may also be used to hide ephemeral data.
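To put numbers on Item 4 and Item 8 together, the C code below is an added example, not part of the original page. It splits the unused tail of a file's last cluster into RAM slack (the padded remainder of the last written sector) and file slack (the whole sectors the file never touched), computes the partition slack left over when the data area is not a multiple of the cluster size, and counts non-zero bytes in a dumped last cluster, which is the quick way to tell null padding from residue. The geometry (512-byte sectors, 8-sector clusters, a 5000-byte file) and the cluster buffer with planted bytes are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint64_t ram_slack_bytes;    /* tail of the last written sector, padded by the OS */
    uint64_t file_slack_sectors; /* whole sectors of the last cluster the file never touched */
    uint64_t file_slack_bytes;   /* everything in the last cluster past the file's end */
} FileSlack;

/* Split the unused tail of a file's last cluster into RAM slack and file
 * slack as the text defines them. Assumes cluster-granular allocation
 * (FAT/NTFS style); a zero-length file owns no cluster at all. */
FileSlack file_slack(uint64_t file_size, uint32_t bytes_per_sector, uint32_t sectors_per_cluster)
{
    FileSlack s = {0, 0, 0};
    uint64_t cluster = (uint64_t)bytes_per_sector * sectors_per_cluster;
    if (file_size == 0) return s;              /* no cluster allocated: no slack */
    uint64_t in_last = file_size % cluster;
    if (in_last == 0) return s;                /* exact fit: no slack */
    s.file_slack_bytes = cluster - in_last;
    uint64_t sector_rem = in_last % bytes_per_sector;
    s.ram_slack_bytes = sector_rem ? bytes_per_sector - sector_rem : 0;
    s.file_slack_sectors = (s.file_slack_bytes - s.ram_slack_bytes) / bytes_per_sector;
    return s;
}

/* Partition slack (Item 4): sectors at the end of the data area that do
 * not form a whole cluster. reserved_sectors is everything in front of
 * the data area (boot sector, FATs, root directory, ...). */
uint64_t partition_slack_sectors(uint64_t partition_sectors, uint64_t reserved_sectors,
                                 uint32_t sectors_per_cluster)
{
    if (partition_sectors <= reserved_sectors) return 0;
    return (partition_sectors - reserved_sectors) % sectors_per_cluster;
}

/* Examiner's check on a dumped last cluster: count non-zero bytes past the
 * file's end. Zero means the OS null-padded it; anything else is residue
 * of an older file or data placed there on purpose. */
uint64_t slack_nonzero_bytes(const uint8_t *cluster, uint64_t cluster_bytes,
                             uint64_t file_bytes_in_cluster)
{
    uint64_t n = 0;
    for (uint64_t i = file_bytes_in_cluster; i < cluster_bytes; i++)
        if (cluster[i] != 0) n++;
    return n;
}

/* Constructed last cluster of a 5000-byte file on a 512 B/sector, 8-sector
 * cluster volume: 904 bytes of file data, then null padding, with 11 stray
 * bytes planted at offsets 2000..2010 to stand in for leftover data. */
#define SAMPLE_CLUSTER 4096
#define SAMPLE_FILE_IN_CLUSTER 904
void build_sample_cluster(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_CLUSTER);
    memset(buf, 'A', SAMPLE_FILE_IN_CLUSTER);
    memcpy(buf + 2000, "leftover123", 11);
}

int main(void)
{
    uint8_t buf[SAMPLE_CLUSTER];
    FileSlack s = file_slack(5000, 512, 8);
    build_sample_cluster(buf);
    printf("RAM slack %llu bytes, file slack %llu sectors (%llu bytes in last cluster)\n",
           (unsigned long long)s.ram_slack_bytes, (unsigned long long)s.file_slack_sectors,
           (unsigned long long)s.file_slack_bytes);
    printf("partition slack: %llu sectors\n",
           (unsigned long long)partition_slack_sectors(1000042, 37, 8));
    printf("non-zero bytes in slack: %llu\n",
           (unsigned long long)slack_nonzero_bytes(buf, SAMPLE_CLUSTER, SAMPLE_FILE_IN_CLUSTER));
    return 0;
}
```

For the 5000-byte file the second cluster holds 904 bytes: one full sector plus 392 bytes of the next, so 120 bytes of RAM slack and six untouched sectors of file slack. A wiping tool that only zeroes the file's own bytes leaves those six sectors exactly as they were.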
Tools
- WinHex
- Sector Editor
- Wipe Information
- WipeIt
Programming Tips for Reading and Writing Sectors
#include <windows.h>

// Read numberofsectors 512-byte sectors, starting at startinglogicalsector, from
// logical drive 'drive' (0 = C:, 1 = D:, ...) into buffer. Returns the number of
// bytes read, or 0 on failure. Opening a raw volume needs administrator rights.
DWORD ReadSectors(int drive, DWORD startinglogicalsector, DWORD numberofsectors, BYTE *buffer)
{
    HANDLE hDevice;
    DWORD dwBytesread = 0;
    LARGE_INTEGER offset;
    // Creating a handle to the raw volume via its device path \\.\C: using CreateFile() ..
    char szDevicename[] = "\\\\.\\C:";
    szDevicename[4] += (char)drive;   // index 4 holds the drive letter
    hDevice = CreateFileA(szDevicename,
                          GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                          NULL, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
        return 0;
    // Setting the pointer to the start of the sector we want to read ..
    // (64-bit offset: sector*512 overflows a DWORD past 2 GB)
    offset.QuadPart = (LONGLONG)startinglogicalsector * 512;
    if (!SetFilePointerEx(hDevice, offset, NULL, FILE_BEGIN) ||
        !ReadFile(hDevice, buffer, 512 * numberofsectors, &dwBytesread, NULL))
        dwBytesread = 0;
    CloseHandle(hDevice);
    return dwBytesread;
}