Information on a hard disk can be hidden by several methods. We will go through them, starting with the simple and moving on to the complex. This article is for those who hide, not for those who seek, so the methods of concealment are only outlined. Anyone who needs more detail on a particular method will find it and, most importantly, add a unique flavor of their own by mixing the seasonings. Specific recipes would be useful to those who seek, not to those who hide.
#1. Moving to the folder "away"
The method is to move the information somewhere like C:\Users\Walter\AppData\Local\Temp\018iasywq8\user\10ha1pg1vythz21ds778b0ycq9r2. This method is used by ... well, those who know, in principle, that the computer is powered from the mains and is turned on with a button.
How to find it? Since videos and images are what is usually hidden there, search with Total Commander: *.jpg; *.avi or *.doc; *.xls and so on.
#2. Hiding in the archive
The method is clear. Archive 10 photos, name the archive hjskdhklgd.zip and combine this with method number 1. This already takes a user who has some idea of what an archiver is.
How to find it? As in the first method, just enable "search in archives".
#3. Rename file
Light. Although the method looks simple at first glance, it can give some results when used in depth. It depends on how experienced the user is. If his knowledge is limited to the level described above, then the file “my_schernaya_chegudariya.doc” will be renamed to “code_of_builder_kommunizma.doc”. It can be found in the same way as above.
Medium. If a person knows how to turn on the display of file extensions, or is friendly with TC or FAR, and also understands that a renamed file does not lose its flavor, then he can rename it to, for example, intraweb.dat, combine this with the first and second methods, and get some effect. Such a file can be found only by searching on the initial characters of the file contents in order to identify the type you are after. For example, a search over *.* for the text “II*” finds TIFF files, and so on.
#4. Apply Attributes
The method is also clear. Right mouse button, attribute "hidden". At the command line: attrib -s -h. This is a very common tip when you query Google for "Hide files". I do not know who it is meant for. How to find it? You get three guesses.
#5. Rename folder
Light. One of the funniest ways, but its bright visual effect impresses many. The advice is to rename a folder on the desktop by typing 255 while holding ALT. The folder name will be empty. Then the folder icon is changed to an empty picture. And, as if by magic, the folder becomes visually invisible.
How to find it? Hold down the mouse button and select the entire area of the desktop.
Medium. There are also users who give the folder the name of a system folder. It then takes a form such as Fonts.{21EC2020-3AEA-1069-A2DD-08002B30309D}, shows up as, for example, the Control Panel, and a double click really does lead there. You can find it if you know that ordinary people do not keep links to the Control Panel in the My Documents folder. And, of course, the search from methods 1-2 works too.
#6. Encrypted archive
Here we are not talking about how to view the information, but about how to find it. Therefore, encryption and passwords are not discussed. The point is that modern archivers can hide the names of the files in the archive when encrypting it. Here we have come to something interesting. The user has spent at least a few hours learning about this method and understanding it.
How to find it? You can only find the archive itself and determine that it is encrypted in this particular way. The files in it are not visible. That is, the fact that information is being hidden on the computer is detected. For this article, that is enough.
#7. Installation of special programs
The methods that programs for hiding information use are the same as those described above or, mainly, below. But the very existence of such a program already reveals the fact that information is being hidden. And, of course, once it is uninstalled, all the files are in full view. This method is useful where the people with access to the computer are merely curious. Such programs are typically protected by a password, so they cannot be uninstalled that easily, including when the computer is accessed over the network.
But ... all existing programs designed for the ordinary user give away the fact that information is being hidden, and attract more attention to themselves than the information itself would. They put huge red signs on folders, sit in autorun and in the tray, and have stupid names like “My hidden files”.
One of the most famous vendors in this area, Symantec, marks the folder with a huge sign: NORTNON PROTECTED !!! Imagine a situation in which some intruders decide to hide a stolen two-cassette tape recorder at home before a search. They go to the store, take their passport along (that is how programs are bought abroad) and buy an expensive super safe. They put it in the middle of their apartment and put the tape recorder inside. Officers arrive, go through the whole house, and find no tape recorder. Naturally, they ask: “What is this safe doing in the middle of the apartment?” And the answer is: “None of your business! This is our private property!” Well, of course, fingers get slammed in a door and the safe is opened ... So the only thing worse than such programs would be putting all the secret information on the desktop with the inscription: “My secret files are stored here !!!”.
#8. Virtual disks
The method is very common and ... very inefficient. TrueCrypt, for example, creates an encrypted file hundreds of megabytes in size and then mounts it as a disk. While it is mounted, all of the information, and not just the files that are needed at the moment, is visible both over the network and to covert surveillance. And most importantly: if you need to hide the very fact that information is being hidden, this is the most primitive way. Finding an encrypted file of, say, 700 MB is not at all difficult.
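Why such a container is easy to spot: it is large, carries no recognizable file header, and is uniformly random from the first byte to the last. The sweep below is an added example, not part of the original article; the size and entropy thresholds, the header list, the function names and the sample files are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Headers of formats that are legitimately high-entropy (compressed, not hidden).
KNOWN_HEADERS = (b"PK\x03\x04", b"Rar!", b"7z\xbc\xaf", b"\x1f\x8b", b"\xff\xd8\xff")

def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, close to 8.0 for random data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def min_block_entropy(path, block=65536, samples=8):
    """Lowest entropy among blocks spread evenly through the file."""
    size = os.path.getsize(path)
    lowest = 8.0
    with open(path, "rb") as fh:
        for i in range(samples):
            fh.seek(max(0, (size - block) * i // max(1, samples - 1)))
            lowest = min(lowest, shannon_entropy(fh.read(block)))
    return lowest

def find_containers(root, min_size=1 << 20, threshold=7.9):
    """List large files with no known header and near-random content."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) < min_size:
                continue
            with open(path, "rb") as fh:
                if fh.read(8).startswith(KNOWN_HEADERS):
                    continue  # ordinary archive or image, not header-less
            if min_block_entropy(path) >= threshold:
                hits.append(name)
    return sorted(hits)

def demo():
    # Constructed files of about 2 MiB each; only the header-less random one is flagged.
    samples = {"vault.bin": os.urandom(2 << 20),
               "archive.zip": b"PK\x03\x04" + os.urandom(2 << 20),
               "app.log": b"2024-01-01 12:00:00 service started\n" * 60000}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_containers(root)
```

Taking the minimum over several blocks means a single structured region, such as a text run or an embedded table, is enough to clear a file, which keeps ordinary media and databases out of the results.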
#9. Hiding logical drives
The method is not bad, since there are no large files and a search will not turn the information up. The point is that Windows allows you to connect and disconnect disks. If the disk is disconnected, then it is invisible ... until any disk editor is started. And that, of course, is not so difficult. And again, while the disk is in use all the information is exposed, and it is visible both over the network and to a remote attack. The downside is that repartitioning an existing disk on the fly is unsafe. That is, it is better to plan for this when formatting.
#10. Steganography
Steganography can be done both manually and with the help of special tools. Information is usually hidden in graphic and video files, where the color can be trimmed without the eye seeing the difference. Starting from this point, I will not write about how the hidden information can be found; I will only talk about what level of specialist is needed to detect it.
If it is not known which tool was used to hide the information or which file it was hidden in, then I would rate the level of specialist needed to find it as fairly high. The categories of people who can find hidden information are discussed separately below.
#11. NTFS data streams (ADS)
NTFS lets you attach any number of data streams to the same file. Such data is not visible to the naked eye; neither booting another OS, nor safe mode, nor viewing from DOS will help. On the one hand, it is not so difficult to find, but ... only for a specialist. A non-expert will not find such information.
On the other hand, the method is not particularly common. If you consider that the information can be hung on the service data of NTFS itself, then the search can become very complicated indeed. If you combine other methods with ADS, the task becomes simply difficult. A specialist of medium or high level will be required, depending on how the different methods are combined with ADS.
#12. Interception of native Windows functions
Although this technique is used by many programs, it is presented so stupidly that all the charm is lost. But this is real freedom, with no boundaries: Windows turns into an obedient ball of plasticine. It no longer depends on the will of old man Gates; everything is in our hands.
The point is to intercept the operating system's requests to the disk and return filtered values. However hard Windows tries to show the file "absolutely_secretly.doc", the installed "hook" makes it think that this file does not exist. A significant drawback is that if our hook is removed, Windows will work correctly again. Of course, once you get creative, you can also make it hard to "take down the hook" by combining this method with other high-level methods.
#13. Games with MFT
NTFS has a nasty little file called the MFT, which diligently records everything we write to the disk. It is not difficult to guess what can be done if you know how to make use of such zeal: object indexes, uplinks, substitution, and so on. But, starting from this point, there are no tools for this kind of magic. You need brains. The difference in taste, though, is like that between ordinary food and an expensive restaurant.
#14. Intervertebral hernia (PGM)
There are spaces between files that form because a file weighs 500 bytes while the sector size is 4 Kb, so the file occupies the entire sector. And who will occupy the free space that remains? Few people can put information there, and you can forget about special tools. But what an effect! And who, of course, would suspect that the computer under investigation has a PGM?! Therefore, finding it takes experts of the highest class.
#15. Deletion
Interestingly, this simple procedure sits at our highest level. Yes, by deleting the file you have hidden it, and very securely. I will not dwell here on the fact that only a blast furnace truly deletes information from a hard disk. And I am not talking about the banal deletion to the Recycle Bin (by the way, there are users who hide files in RECYCLE). I am talking about ordinary file deletion, after which Windows and its applications will never find the information. Of course, how to work with such information is another question. Here you need to know a lot and to be able to do a lot. And, frankly, there is more theory here than practice, but ... I give this art the place of honor, number 15.
Who can find hidden information
When this subject comes up, amateurs show off their erudition and, to impress those around them, utter the mystical phrase "special services". Some, especially those "in the know", give the abbreviations NSA (and some even know what it stands for: National Security Agency), SVR, FSB, GRU, and so on.
This always amuses me, for 2 reasons. Special services that exist in 5-6 cities of the world will not be interested in the information or the person of an ordinary user. Therefore, we will modestly keep silent about these services, their capabilities and methods.
In reality, information is hidden from the "merchants" in uniform who seize the PC during their next "action". You can hide the information in order to pay the standard amount and not pay extra for whatever secrets might be discovered. Or unlicensed software is hidden from the same category of "employees". The knowledge of these "merchants" in this area is usually not very deep, so methods 2+ can be considered sufficient in this case.
You can also hide a personal, especially an intimate, part of your life from simply everyone. If it is at home, then almost all the methods will work, unless, of course, one of the household is a representative of that very NSA. If it is at work, where there is an admin, the situation is complicated by the fact that you usually have no admin rights, which the simpler methods need. So, of the simple methods, 6 and 8 remain (for example, if TrueCrypt is set up to work without admin rights), and of the real ones, 10 and 11. But, of course, keeping such information at work is stupid. Moreover, more and more organizations secretly monitor employees' computers using a variety of utilities, such as ActualSpy. And then concealment loses its meaning altogether.
But all these things are routine and banal. The real experts sit not in the secret services but in companies such as Toyota, Gazprom, Nokia, Adobe, Oriflame, and so on. Information has real value where there is a super-competitive, multi-billion-dollar environment. Such companies spend a significant part of their budget on competitive intelligence and counterintelligence, and their specialists, methods and technologies have been ahead of the Pentagon and Mossad by several years. For such specialists, the methods described above are only a matter of a short time.
Conclusion
The conclusion is very simple and unambiguous: no known method of hiding information can prevent its detection. So, if the information needs 100% protection, it should be encrypted. However, if the information is securely encrypted and not hidden, then I recommend studying the chapter “Interrogation” of the immortal work of A.I. Solzhenitsyn, "GULAG Archipelago", and it will immediately become clear to you that no one will bother with cryptanalysis if we live in a country with such "glorious" traditions of the Cheka.