Hiding Data and Wiping Data in Slack Space using Bmap

In the following example we will hide some text in slack space. Let's first see what options bmap offers:

 bmap --help
 bmap:1.0.17 (12/25/10) newt@scyld.com
 Usage: bmap [OPTION]... []
 use block-list knowledge to perform special operations on files
 --doc VALUE
 where VALUE is one of:
 version display version and exit
 help display options and exit
 man generate man page and exit
 sgml generate SGML invocation info
 --mode VALUE
 where VALUE is one of:
 map list sector numbers
 carve extract a copy from the raw device
 slack display data in slack space
 putslack place data into slack
 wipeslack wipe slack
 checkslack test for slack (returns 0 if file has slack)
 slackbytes print number of slack bytes available
 wipe wipe the file from the raw device
 frag display fragmentation information for the file
 checkfrag test for fragmentation (returns 0 if file is fragmented)
 --outfile write output to ...
 --label useless bogus option
 --name useless bogus option
 --verbose be verbose
 --log-thresh logging threshold ...
 --target operate on ...

The option I am going to use is --mode, with the slack, putslack, wipe and map VALUEs. I have created a text file named alex.txt. Let's see which sectors this file uses.


root@alexandria:~# bmap --mode map alex.txt 
67453816
67453817
67453818
67453819
67453820
67453821
67453822
67453823


As you can see from the output of bmap, alex.txt uses 8 sectors starting from sector 67453816. Together these sectors correspond to one filesystem block on Linux. This text file is too small to use all of the sectors in the block.

root@alexandria:~# bmap --mode slack alex.txt 
getting from block 8431727
file size was: 20
slack size: 4076
block size: 4096

The file uses only 8 bytes (one sector is 512 bytes, so the data sits entirely in the first sector). The other 7 sectors and the remaining 504 bytes of the first sector are empty (Linux writes nulls to slack space, so they all contain 0s).

We can use this slack space to hide data.

root@alexandria:~# echo "I'm hiding this" | bmap --mode putslack alex.txt 
stuffing block 8431727
file size was: 20
slack size: 4076
block size: 4096

Now check what we have in slack space:

root@alexandria:~# bmap --mode slack alex.txt 
getting from block 8431727
file size was: 20
slack size: 4076
block size: 4096
I'm hiding this

We can now wipe the data we put on slack space.

bmap --mode wipe alex.txt

To verify:

root@alexandia:~# bmap --mode slack alex.txt
getting from block 8431727
file size was: 20
slack size: 4076
block size: 4096

Note:

Slack space can be used for hiding data. Even though advanced forensic tools reveal information hidden in slack space, most system owners will not check all slack space, since doing so is a very time-consuming activity. Bmap is one of the tools that help attackers hide information in slack space on Linux systems. As security engineers, we need to be careful when we analyze a compromised Linux system and check slack space as well.
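As an added example (not from the original post or from bmap itself), the Python below models the steps above on a constructed in-memory device image: it converts bmap's 512-byte sector list into the 4096-byte block number bmap later reports, computes the slack geometry ("file size was: 20", "slack size: 4076"), and reads the slack region to check whether it holds anything other than the zeros the kernel writes. The device image, the block number and the file content are constructed values.

```python
import io
from typing import BinaryIO, List

BLOCK_SIZE = 4096      # filesystem block size, as bmap reported above
SECTOR_SIZE = 512      # 8 sectors per block, matching the 8-line map output

def sectors_to_block(first_sector: int) -> int:
    """Block number that 'bmap --mode slack' reports, from the first sector
    that 'bmap --mode map' lists (67453816 -> 8431727 on this page)."""
    return first_sector * SECTOR_SIZE // BLOCK_SIZE

def slack_geometry(file_size: int, block_size: int = BLOCK_SIZE) -> dict:
    """Index of the file's last block, the byte offset inside that block where
    file data ends, and how many slack bytes follow it."""
    if file_size == 0:
        return {"last_block": None, "slack_offset": 0, "slack_size": 0}
    last_block = (file_size - 1) // block_size
    used = file_size - last_block * block_size
    return {"last_block": last_block, "slack_offset": used,
            "slack_size": block_size - used}

def read_slack(dev: BinaryIO, block_map: List[int], file_size: int,
               block_size: int = BLOCK_SIZE) -> bytes:
    """Read a file's slack bytes from the raw device. block_map lists the
    device blocks the file occupies, in file order (what 'map' tells us)."""
    g = slack_geometry(file_size, block_size)
    if g["last_block"] is None:
        return b""
    dev.seek(block_map[g["last_block"]] * block_size + g["slack_offset"])
    return dev.read(g["slack_size"])

def hidden_payload(slack: bytes) -> bytes:
    """Kernel-written slack is all zeros, so any non-null bytes are suspicious.
    Return the non-null content with its zero padding stripped, or b''."""
    return slack.rstrip(b"\x00")

def demo() -> tuple:
    """Constructed 16-block image: a 20-byte alex.txt stored in block 7.
    Returns the slack check before stuffing, after stuffing, after wiping."""
    dev, blk, size = io.BytesIO(bytes(16 * BLOCK_SIZE)), 7, 20
    dev.seek(blk * BLOCK_SIZE); dev.write(b"hello from alex.txt\n")   # 20 bytes
    clean = hidden_payload(read_slack(dev, [blk], size))
    dev.seek(blk * BLOCK_SIZE + size); dev.write(b"I'm hiding this\n")  # like putslack
    found = hidden_payload(read_slack(dev, [blk], size))
    dev.seek(blk * BLOCK_SIZE + size); dev.write(bytes(BLOCK_SIZE - size))  # zero the slack
    wiped = hidden_payload(read_slack(dev, [blk], size))
    return clean, found, wiped

if __name__ == "__main__":
    print(sectors_to_block(67453816), slack_geometry(20), demo())
```

On a real system the same read_slack logic would be pointed at the block device (root required) with the block list taken from bmap's map output divided by 8.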

All Done!

Published by aleXandria

I finished Information security and Ethical Hacking(ISEH) and Motion Graphics Design.
