
Hiding Data: Slack Space on Linux

I am going to cover slack space on various operating systems; this first post is about slack space on Linux.

What is Slack Space?

Before explaining slack space, one should know what blocks (on Linux) and clusters (on Windows) are. Blocks are fixed-size containers the file system uses to store data; put differently, a block is the smallest unit of storage the file system can allocate to a file. A file occupies as many blocks (clusters) as its size requires. When data is stored in a block, one of two mutually exclusive conditions holds: the block is completely full, or it is only partially full. A completely full block is the optimal case for the file system. If the block is only partially full, the area between the end of the file and the end of the block is called slack space. Linux zero-fills this area when it writes the block, so finding leftover data in slack space on Linux systems is rare. It is not impossible, however: anything written directly to the raw device, underneath the file system, stays there until the block is rewritten.

Today, I am going to show how to hide data in slack space using a tool called bmap.

Bmap

Bmap, a data hiding tool, can use the slack space in blocks to hide data.

It can perform many functions of interest to the computer forensics and computer security communities. However, in this article we will focus on its data hiding capability.

Installing Bmap

Download the bmap-1.0.17.tar.gz archive and save it on your Linux desktop, then extract it:
tar xvzf bmap-1.0.17.tar.gz

After extracting the archive, change into the directory and compile the program:
cd bmap-1.0.17
make

Optional: I symlinked bmap into /sbin so I don't need to change into the bmap directory each time I want to run the program (give ln the absolute path of the compiled binary):
ln -s yourBmapFilePath /sbin/bmap

Hiding Data on Slack Space

In the following example we will hide some text in slack space. Let's first see what options bmap offers:
bmap --help
bmap:1.0.17 (12/25/10) newt@scyld.com
Usage: bmap [OPTION]... []
use block-list knowledge to perform special operations on files
--doc VALUE
where VALUE is one of:
version display version and exit
help display options and exit
man generate man page and exit
sgml generate SGML invocation info
--mode VALUE
where VALUE is one of:
map list sector numbers
carve extract a copy from the raw device
slack display data in slack space
putslack place data into slack
wipeslack wipe slack
checkslack test for slack (returns 0 if file has slack)
slackbytes print number of slack bytes available
wipe wipe the file from the raw device
frag display fragmentation information for the file
checkfrag test for fragmentation (returns 0 if file is fragmented)
--outfile write output to ...
--label useless bogus option
--name useless bogus option
--verbose be verbose
--log-thresh logging threshold ...
--target operate on ...

I am going to use the --mode option with the slack, putslack, wipe and map values. I have created a text file named ismail.txt. Let's see which sectors this file uses:
bmap --mode map ismail.txt
3113400
3113401
3113402
3113403
3113404
3113405
3113406
3113407

As you can see from the output, ismail.txt occupies 8 sectors starting at sector 3113400. With 512-byte sectors, 8 sectors are 4096 bytes, i.e. one file system block (block 389175, since 3113400 / 8 = 389175). This text file is far too small to use all of the sectors in that block.

bmap --mode slack ismail.txt
getting from block 389175
file size was: 8
slack size: 4088
block size: 4096

The file is only 8 bytes long (one sector is 512 bytes, so the whole file sits in the first sector). The remaining 504 bytes of the first sector plus all of the other 7 sectors, 4088 bytes in total, are slack. Because Linux zero-fills slack space, they currently contain nothing but null bytes.

We can use this slack space to hide data. Bmap writes the data to the raw block device underneath the file system, so it has to run as root:

echo "I'm hiding this and you cannot easily see it" | bmap --mode putslack ismail.txt
stuffing block 389175
file size was: 8
slack size: 4088
block size: 4096

Now check what we have in slack space:

bmap --mode slack ismail.txt
getting from block 389175
file size was: 8
slack size: 4088
block size: 4096
I'm hiding this and you cannot easily see it

(The output also gives the file system block number that holds the file, 389175, which matches 3113400 / 8.)

We can now wipe the data we put in slack space. Note that, per the help output above, --mode wipe overwrites the file's blocks on the raw device, slack included, whereas --mode wipeslack clears only the slack and leaves the file's own bytes alone. Here wipe is used:
bmap --mode wipe ismail.txt

bmap --mode slack ismail.txt
getting from block 389175
file size was: 8
slack size: 4088
block size: 4096
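The putslack step above shows why hidden data in slack never appears in the file itself: it sits past the end of the file, inside the file's last block, and can only be seen by reading that block from the raw device. The following script is an added example for this post, not bmap's code. It does the check the summary asks for in a way a responder can script: it maps a file's last logical block to its physical block with the FIBMAP ioctl (the same mapping bmap --mode map prints, expressed in blocks rather than 512-byte sectors), reads the slack bytes directly from the device, and reports any non-null bytes. It assumes Linux, root privileges (FIBMAP and raw-device reads both need CAP_SYS_RAWIO), a block-based file system such as ext4, and that the device argument is the partition or volume holding the scanned files, because FIBMAP block numbers are relative to that file system, not to the whole disk. The sample block it carries is constructed to mirror this page: an 8-byte file followed by the payload at the start of its slack.

```python
#!/usr/bin/env python3
"""Report files whose slack space holds non-null bytes.

Added example for this post; it is not bmap's code. Assumes Linux, root
privileges (FIBMAP and raw-device reads both need CAP_SYS_RAWIO), a
block-based file system such as ext4, and that `device` is the partition
or volume holding the scanned files (FIBMAP numbers are fs-relative).
"""
import array
import fcntl
import os
import sys

FIBMAP = 1    # linux/fs.h: _IO(0x00, 1), logical block -> physical block
FIGETBSZ = 2  # linux/fs.h: _IO(0x00, 2), file system block size

# Constructed sample block (not captured from a real disk): an 8-byte
# file followed by a payload at the start of its slack, as putslack does.
SAMPLE_FILE = b"ismail!\n"
SAMPLE_PAYLOAD = b"I'm hiding this and you cannot easily see it\n"
SAMPLE_BLOCK = (SAMPLE_FILE + SAMPLE_PAYLOAD).ljust(4096, b"\x00")


def slack_layout(file_size, block_size):
    """Return (last_logical_block, bytes_used_in_it, slack_bytes), or None
    when the file is empty or ends exactly on a block boundary."""
    if file_size <= 0 or file_size % block_size == 0:
        return None
    used = file_size % block_size
    return (file_size - 1) // block_size, used, block_size - used


def find_hidden(slack):
    """Return (offset, payload) for the bytes between the leading and
    trailing null runs of a slack buffer, or None if it is all nulls.
    Linux zero-fills slack, so any non-null byte there is suspect."""
    payload = slack.strip(b"\x00")
    if not payload:
        return None
    offset = len(slack) - len(slack.lstrip(b"\x00"))
    return offset, payload


def _ioctl_int(fd, request, value=0):
    """Issue an ioctl that takes and returns a single C int."""
    buf = array.array("i", [value])
    fcntl.ioctl(fd, request, buf, True)
    return buf[0]


def read_slack(path, device):
    """Read the slack of `path` straight from `device`, bypassing the file
    system. Returns (physical_block, slack_bytes), or None when the file
    has no slack or its last block is a hole in a sparse file."""
    fd = os.open(path, os.O_RDONLY)
    try:
        bsize = _ioctl_int(fd, FIGETBSZ)
        layout = slack_layout(os.fstat(fd).st_size, bsize)
        if layout is None:
            return None
        last, used, slack_len = layout
        pblock = _ioctl_int(fd, FIBMAP, last)   # 0 means unallocated
    finally:
        os.close(fd)
    if pblock == 0:
        return None
    with open(device, "rb", buffering=0) as dev:
        dev.seek(pblock * bsize + used)
        return pblock, dev.read(slack_len)


def scan_tree(root, device):
    """Yield (path, physical_block, slack_offset, payload) for each regular
    file under `root` whose slack contains non-null bytes."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                found = read_slack(path, device)
            except OSError:
                continue  # unreadable file, or a file system without FIBMAP
            if found is None:
                continue
            pblock, slack = found
            hit = find_hidden(slack)
            if hit:
                yield path, pblock, hit[0], hit[1]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        for path, pblock, off, data in scan_tree(sys.argv[1], sys.argv[2]):
            print(f"{path}: block {pblock}, slack offset {off}: {data[:64]!r}")
    else:
        # No device given: run the detector on the constructed sample block.
        print("sample slack:", find_hidden(SAMPLE_BLOCK[len(SAMPLE_FILE):]))
```

Run it as root with a directory and the block device that holds it, e.g. the partition mounted at /home; without arguments it only exercises the detector on the constructed block. Reading from the device rather than through the file shows the on-disk state, which is also what bmap wrote to. The non-null heuristic is sound on ext-family file systems, which zero the tail of a partially written block; on a file system that does not, stale fragments of earlier files will show up as well and need a second look before being called hidden data.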

Summary

Slack space can be used to hide data. Even though forensic tools can reveal information hidden in slack space, most system owners never check their slack space because doing so is time consuming. Bmap is one of the tools that lets an attacker hide information in slack space on Linux systems. As security engineers, we need to keep this in mind when analysing a compromised Linux system and check slack space as well.