Saturday, 29 December 2007

Slacker, or hiding files in NTFS slack space

Slacker is a tool designed for hiding files in NTFS slack space. It is another part of the MAFIA suite. Its purpose is to take advantage of oddities in NTFS's implementation and to move the logical and physical file pointers in certain ways so that the slack data is not zeroed out. That is, it creates hidden space in the file slack.

Through a combination of multiple selection techniques, such as file splitting and obfuscation using OTPs (one-time pads) or XOR'd keys, it is possible to hide data in the slack.
  • A simple search using EnCase or strings will not uncover the data.
This is where more advanced techniques come into play, and it is why we should all stay familiar with the GPL'd tools.
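As an added illustration of what such an advanced check looks like from the examiner's side (this is not code from the original post or from the MAFIA suite): on a normally written NTFS file the bytes of the last cluster beyond the logical EOF should be zero, and XOR'd or OTP'd data that defeats a strings search still stands out as high-entropy, non-zero slack. The cluster size, the file size and both cluster buffers below are constructed sample values; reading the real last cluster off a volume is left to the examiner's imaging tool.

```python
import math
import random
from collections import Counter

CLUSTER_SIZE = 4096  # constructed: a typical NTFS cluster size


def slack_region(last_cluster: bytes, file_size: int, cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Return the bytes of the file's last cluster that lie beyond its logical EOF."""
    used = file_size % cluster_size
    if used == 0:
        return b""  # file ends exactly on a cluster boundary: no slack at all
    return last_cluster[used:cluster_size]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~0 for all-zero slack, close to 8 for XOR'd/OTP'd data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def inspect_slack(last_cluster: bytes, file_size: int,
                  cluster_size: int = CLUSTER_SIZE, entropy_threshold: float = 6.0) -> dict:
    """Heuristic: non-zero slack is unusual on NTFS; non-zero AND high-entropy slack is suspicious.
    Low-entropy non-zero slack (e.g. old plaintext remnants) is reported but not flagged."""
    slack = slack_region(last_cluster, file_size, cluster_size)
    nonzero = sum(1 for b in slack if b)
    entropy = shannon_entropy(slack)
    return {
        "slack_bytes": len(slack),
        "nonzero": nonzero,
        "entropy": round(entropy, 2),
        "suspicious": nonzero > 0 and entropy >= entropy_threshold,
    }


# Constructed sample: a 1000-byte file occupying one cluster.
FILE_SIZE = 1000
CLEAN_CLUSTER = b"A" * FILE_SIZE + b"\x00" * (CLUSTER_SIZE - FILE_SIZE)   # slack zeroed as NTFS leaves it
_rng = random.Random(1234)                                                # deterministic stand-in for XOR'd payload
HIDDEN_CLUSTER = b"A" * FILE_SIZE + bytes(_rng.getrandbits(8) for _ in range(CLUSTER_SIZE - FILE_SIZE))

if __name__ == "__main__":
    print("clean :", inspect_slack(CLEAN_CLUSTER, FILE_SIZE))
    print("hidden:", inspect_slack(HIDDEN_CLUSTER, FILE_SIZE))
```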

