In the following example we will hide some text in slack space. Let’s first see what options bmap offers:
bmap --help
bmap:1.0.17 (12/25/10) newt@scyld.com
Usage: bmap [OPTION]... []
use block-list knowledge to perform special operations on files
--doc VALUE
where VALUE is one of:
version display version and exit
help display options and exit
man generate man page and exit
sgml generate SGML invocation info
--mode VALUE
where VALUE is one of:
map list sector numbers
carve extract a copy from the raw device
slack display data in slack space
putslack place data into slack
wipeslack wipe slack
checkslack test for slack (returns 0 if file has slack)
slackbytes print number of slack bytes available
wipe wipe the file from the raw device
frag display fragmentation information for the file
checkfrag test for fragmentation (returns 0 if file is fragmented)
--outfile write output to ...
--label useless bogus option
--name useless bogus option
--verbose be verbose
--log-thresh logging threshold ...
--target operate on ...
I am going to use the --mode option with the map, slack, putslack and wipe values. I have created a text file named alex.txt. Let’s see which sectors this file uses.
root@alexandria:~# bmap --mode map alex.txt
67453816
67453817
67453818
67453819
67453820
67453821
67453822
67453823
As you can see from the output of bmap, alex.txt occupies 8 sectors starting at 67453816. Eight 512-byte sectors make up one 4096-byte filesystem block on this system. The text file is too small to use all of the sectors in that block.
root@alexandria:~# bmap --mode slack alex.txt
getting from block 8431727
file size was: 20
slack size: 4076
block size: 4096
The file only uses 8 bytes (a sector is 512 bytes, so the file fits in the first sector). The remaining 7 sectors and the other 504 bytes of the first sector are empty (Linux writes zeros to slack space, so they contain only 0s).
We can use this slack space to hide data.
root@alexandria:~# echo "I'm hiding this" | bmap --mode putslack alex.txt
stuffing block 8431727
file size was: 20
slack size: 4076
block size: 4096
Now check what we have in slack space:
root@alexandria:~# bmap --mode slack alex.txt
getting from block 8431727
file size was: 20
slack size: 4076
block size: 4096
I'm hiding this
We can now wipe the data we put in slack space. Note that, according to the help output above, wipe clears the whole file from the raw device, while wipeslack clears only the slack area.
bmap --mode wipe alex.txt
To verify:
root@alexandria:~# bmap --mode slack alex.txt
getting from block 8431727
file size was: 20
slack size: 4076
block size: 4096
Note:
Slack space can be used to hide data. Although advanced forensic tools reveal information hidden in slack space, most system owners never check slack space because doing so is time consuming. bmap is one of the tools that attackers use to hide information in slack space on Linux systems. As security engineers, we need to be careful when analyzing a compromised Linux system and check its slack space as well.
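To check slack space the way the note recommends, here is an added example (my own Python, not part of bmap or the original post): it reproduces the page's block-to-sector arithmetic (block 8431727 spans sectors 67453816 to 67453823; a 20-byte file in a 4096-byte block leaves 4076 slack bytes) and flags non-zero bytes in a file's slack. The raw-device reader assumes Linux, the FIBMAP ioctl and root access to the device holding the file; the sample block is constructed.

```python
import os
import struct

SECTOR_SIZE = 512
FIBMAP = 1  # Linux ioctl from <linux/fs.h>: logical block -> physical block


def block_to_sectors(block, block_size=4096, sector_size=SECTOR_SIZE):
    """Filesystem block number -> the 512-byte sector numbers it spans."""
    per_block = block_size // sector_size
    first = block * per_block
    return list(range(first, first + per_block))


def slack_region(file_size, block_size=4096):
    """Return (offset of file end inside its last block, slack bytes)."""
    used = file_size % block_size
    if file_size > 0 and used == 0:
        return block_size, 0  # file ends exactly on a block boundary: no slack
    return used, block_size - used


def scan_slack(last_block, file_size, block_size=4096):
    """Return non-zero slack content (trailing zeros stripped), or b'' if clean."""
    offset, _ = slack_region(file_size, block_size)
    slack = last_block[offset:block_size]
    return slack.rstrip(b'\x00') if any(slack) else b''


def read_last_block(path, device):
    """Read the raw block holding the tail of path from device (root); returns (block, size, block_size)."""
    import fcntl  # Unix only; imported here so the pure helpers load anywhere
    st = os.stat(path)
    block_size = os.statvfs(path).f_bsize
    logical = max(st.st_size - 1, 0) // block_size
    with open(path, 'rb') as f:
        physical = struct.unpack('i', fcntl.ioctl(f, FIBMAP, struct.pack('i', logical)))[0]
    with open(device, 'rb') as dev:
        dev.seek(physical * block_size)
        return dev.read(block_size), st.st_size, block_size


# Constructed sample data (not from the page): a 20-byte file in a 4096-byte block,
# once with a message stuffed into the slack and once with clean, zeroed slack.
SAMPLE_FILE = b'hello slack space!\n\n'  # exactly 20 bytes
STUFFED_BLOCK = (SAMPLE_FILE + b"I'm hiding this\n").ljust(4096, b'\x00')
CLEAN_BLOCK = SAMPLE_FILE.ljust(4096, b'\x00')
```

On a live system, pass the result of read_last_block(path, device) into scan_slack to inspect one file; a non-empty return means the slack is not the zeros the filesystem wrote.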
All Done!