Saturday, 6 December 2008

Reversing a file with DD

Back to my posts concerning 'DD'. In particular, how to reverse a file with dd.

This is actually fairly simple: a small shell script that loops over the length of the file (measured in the block size you choose) is all that is required. You can either use a default block size (in which case the individual blocks are written out in reverse order), or set the block size to 1 in order to completely reverse the file. The flag "bs=1" makes dd copy the entire file in reverse, byte by byte.

If the size of the file and its name are known beforehand, the script is particularly simple (note that this script uses the 'count' command, which is not found on all systems):

j=[file_size]   # size of the file in bytes
F=[file to copy]
: > $F.out      # start from an empty output file, since each byte is appended below
# 'count 0 $j' must produce 0..$j inclusive; skip=$j reads nothing, then $j-1 down to 0
for i in `count 0 $j`; do
    dd conv=noerror bs=1 count=1 skip=`expr $j - $i` if=$F >> $F.out 2>/dev/null
done

If you do not know the size of the file, or if you want to incorporate this into a script that changes multiple files at once, you need to feed more information into the script (including a file descriptor); the following script does this. It is a little messy (I have not made any effort to tidy it up), but it does the trick.

#! /bin/bash
# This is a small utility script that will reverse the file that a user inputs
# It is not coded securely and presumes the directory for a number of commands - change
# this to run it in a real environment. The main thing is a proof of concept anti-forensic tool.
# This script by reversing files will make the file undetectable as a type of file by commercial
# file checkers. Run it in reverse to get the original back.
#
# Author: Craig S Wright

# Set the file to reverse
echo "Enter the name (and path if necessary) of the file you want to reverse:"; read -r FILE

# Work out the file size (in bytes; column 5 of ls -l)
SIZE_OF_FILE=`/bin/ls -l "$FILE" | awk '{print $5}'`
i=0

# The script - not pretty - but the idea was all I was aiming at

# First pass: skip=SIZE reads nothing but creates (truncates) the output file
K=`expr $SIZE_OF_FILE - $i`
/bin/dd conv=noerror bs=1 skip=$K if="$FILE" count=1 > "$FILE.out" 2>/dev/null
i=`expr $i + 1`

J_Plus=`expr $SIZE_OF_FILE + 1`

# Then copy one byte at a time from offset SIZE-1 down to 0, appending each
while [ "$i" != "$J_Plus" ]
do
K=`expr $SIZE_OF_FILE - $i`
/bin/dd conv=noerror bs=1 skip=$K if="$FILE" count=1 >> "$FILE.out" 2>/dev/null
i=`expr $i + 1`
done

To go a little further and add some options, I have included the following example. I have NOT added input checking or other NECESSARY security controls. This is quick and nasty only. Please fix the paths and add input checking if you want to run it.

The following script is called reverse.sh:

#! /bin/bash
#
# reverse.sh
#
# Set the file to reverse - I DO NOT check if the file actually exists - you should!

echo "Enter the name (and path if necessary) of the file you want to reverse:"; read -r FILE

# Default File output = FILE.out
FILE_OUT="$FILE.out"

# Set the file where the reversed file is to be saved - I DO NOT check if the file actually exists - you should!
# echo "Enter the name (and path if necessary) of the file you want the output saved as (must be different to the input):"; read -r FILE_OUT

# Set the Block Size. This will default to BS=1 for dd (an empty answer keeps the default)
echo "Enter the Block Size (the default = 1 byte):"; read -r BS_IN
BS_SIZE=${BS_IN:-1}

# Work out the file size (in bytes). Note that with a block size above 1, skip= counts
# blocks, so the early iterations read past the end of the file and produce nothing.
SIZE_OF_FILE=`/bin/ls -l "$FILE" | awk '{print $5}'`
i=0

# The script - not pretty - but the idea was all I was aiming at

# First pass: skip=SIZE reads nothing but creates (truncates) the output file
K=`expr $SIZE_OF_FILE - $i`
/bin/dd conv=noerror bs=$BS_SIZE skip=$K if="$FILE" count=1 > "$FILE_OUT" 2>/dev/null
i=`expr $i + 1`

J_Plus=`expr $SIZE_OF_FILE + 1`

# Then copy one block at a time from the end of the file back to the start, appending each
while [ "$i" != "$J_Plus" ]
do
K=`expr $SIZE_OF_FILE - $i`
/bin/dd conv=noerror bs=$BS_SIZE skip=$K if="$FILE" count=1 >> "$FILE_OUT" 2>/dev/null
i=`expr $i + 1`
done

# The end...

# The end...

To use the previous script, enter (I have not tested the other block size options):
$ ./reverse.sh

Enter the name of the file you want to reverse and the block size (best left at 1 byte). This will return the byte-reversed file. To verify it, run it twice and use "diff" to confirm that the same file is returned: reversing the reversed file gets the original back.

This works on text and binary files, and with a little tweaking you can reverse the header but leave the body the same, reverse the body after skipping the file header, and so on.

I am yet to find a forensic tool that will find reversed text...
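The post ends on the point that forensic tooling does not look for reversed files. The detector below is an added example written for this page (it is not Craig Wright's code and not part of the original post): a bs=1 reversal leaves the original header at the end of the file, backwards, so the check reads the tail, reverses those bytes and matches them against a handful of well-known magic numbers (PNG, PDF, ELF, ZIP, MZ). The sample files it classifies are constructed inline, and the function names (head_hex, tail_reversed_hex, signature_for, classify, make_samples) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): a detector for byte-reversed
# files. Reversing a file with bs=1 moves its header to the END of the
# file, backwards, so a forensic check can read the tail, reverse it and
# match it against known magic numbers. The signatures used here are the
# public magic bytes of PNG, PDF, ELF, ZIP and MZ; sample files are
# constructed inline.

# Print the first $2 bytes of $1 as lower-case hex, space separated.
head_hex() {
    dd if="$1" bs=1 count="$2" 2>/dev/null | od -An -v -tx1 \
        | awk '{ for (f = 1; f <= NF; f++) b[++n] = $f }
               END { for (i = 1; i <= n; i++) printf "%s%s", b[i], (i < n ? " " : "\n") }'
}

# Print the last $2 bytes of $1 as hex, last byte first (i.e. un-reversed).
tail_reversed_hex() {
    tail -c "$2" "$1" | od -An -v -tx1 \
        | awk '{ for (f = 1; f <= NF; f++) b[++n] = $f }
               END { for (i = n; i >= 1; i--) printf "%s%s", b[i], (i > 1 ? " " : "\n") }'
}

# Map a hex prefix to a file type, or "none" when nothing matches.
signature_for() {
    case "$1" in
        "89 50 4e 47"*) echo PNG ;;
        "25 50 44 46"*) echo PDF ;;
        "7f 45 4c 46"*) echo ELF ;;
        "50 4b 03 04"*) echo ZIP ;;
        "4d 5a"*)       echo MZ ;;
        *)              echo none ;;
    esac
}

detect_forward()  { signature_for "$(head_hex "$1" 4)"; }
detect_reversed() { signature_for "$(tail_reversed_hex "$1" 4)"; }

# Verdict for one file: "forward <type>" when the normal header matches,
# "reversed <type>" when only the un-reversed tail matches, else "unknown".
classify() {
    fwd=$(detect_forward "$1")
    back=$(detect_reversed "$1")
    if [ "$fwd" != none ]; then echo "forward $fwd"
    elif [ "$back" != none ]; then echo "reversed $back"
    else echo unknown; fi
}

# Constructed samples: a PNG header stored normally, the same eight bytes
# stored back to front (what a bs=1 reversal produces), and a text file.
make_samples() {
    d=$(mktemp -d)
    printf '\211PNG\r\n\032\n' > "$d/normal.png"    # 89 50 4e 47 0d 0a 1a 0a
    printf '\n\032\n\rGNP\211' > "$d/reversed.bin"  # 0a 1a 0a 0d 47 4e 50 89
    printf 'plain text\n'      > "$d/notes.txt"
    echo "$d"
}

# Stand-alone run: classify each sample, then clean up.
dir=$(make_samples)
for f in "$dir"/*; do
    printf '%s: %s\n' "$(basename "$f")" "$(classify "$f")"
done
rm -rf "$dir"
```

Run as a script and it prints one verdict per sample (normal.png: forward PNG, reversed.bin: reversed PNG, notes.txt: unknown); to sweep a directory, call classify on each file instead of the samples. One caveat for the block-size variant: with bs greater than 1 the header bytes stay in order but the whole first block moves to the end of the file, so that case is caught by matching the last block read forwards against the same table rather than reversed.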
