Hiding sensitive data in Windows metadata repository
It’s a week past DefCon, but there’s still one presentation I wanted to post about. It was one of the late ones, when everyone is tired and exhausted, but the content was worth sticking around for. Irby Thompson and Mathew Monroe from Lockheed Martin presented data hiding techniques that, in effect, give a Windows user extra storage that shows up nowhere in the file system. For free.
The NTFS Master File Table (MFT) is not officially documented by Microsoft and not widely understood, yet it holds the map of every file on an NTFS volume. Because it concentrates the file system’s metadata in one place, its padding and reserved fields provide plenty of opportunities for data hiding.
According to the researchers, each MFT entry header has two reserved bytes, each resident attribute in an entry has four, and a non-resident attribute can have up to 14. Multiply that by the number of files on a typical Windows installation and there is suddenly plenty of room to hide data without creating new files or changing anything the file system reports. It’s like magic: you put data on the hard drive, and not a single byte of free space is consumed. The catch is that those bytes belong to the file system, not to you, and nothing promises that a later rewrite of the entry will preserve them, which is why the question of which entries are safe to use matters.
A clean Windows XP installation has over 12,000 files, and a typical Windows XP system has over 100,000 MFT entries. An interesting property of the MFT is that it never shrinks: entries of deleted files are marked unused and later reused, but the table itself keeps its size. The researchers estimated that about 60% of MFT entries can be used for data hiding safely. Combined with an average of 100,000 entries, that gives a sweet 36,000,000 bytes in which data can be hidden. Note that this works out to roughly 600 bytes per usable entry, far more than the handful of reserved header bytes listed above, which points to the unused tail of each 1,024-byte MFT record, after the last attribute, as the main carrier. Thompson and Monroe created slacker.exe, an application that takes a source data file and spreads it across MFT entries.
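To make the structure in the two paragraphs above concrete, here is an added example; it is not code from the talk or from slacker.exe. It uses the on-disk FILE record layout as documented by the Linux-NTFS project, which counts the reserved bytes a little differently from the talk: 2 padding bytes at record offset 0x2A, 1 reserved byte at offset 0x17 of a resident attribute header, 5 reserved bytes at 0x23 of a non-resident one, the 8-byte alignment slack at the end of every attribute, and the unused tail of the 1,024-byte record after the end marker. The record it works on is constructed inside the script (sample attribute contents are filler), not read from a volume, and all function names are my own. The same walk that finds the carrier bytes also serves as a forensic check for non-zero reserved fields. One edge case it handles: the last two bytes of every 512-byte sector are fixup slots overwritten by the update sequence number, so they are never used as carriers.

```python
import struct

RECORD_SIZE = 1024          # XP-era default MFT record size (assumption for this sample)
SECTOR = 512
END_MARKER = 0xFFFFFFFF


def _align8(n):
    return (n + 7) & ~7


def build_sample_record():
    """Constructed 1 KiB FILE record in on-disk form (fixups applied); not from a real volume."""
    usn, usa_off, usa_count = 0x0007, 0x30, 3            # one USN + one slot per 512-byte sector
    attr_off = _align8(usa_off + 2 * usa_count)          # first attribute, 8-byte aligned

    def resident(atype, value, attr_id):
        length = _align8(0x18 + len(value))
        hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0x18, 0, attr_id,
                          len(value), 0x18, 0, 0)        # last byte: reserved at +0x17
        return hdr + value + b"\x00" * (length - 0x18 - len(value))

    def nonresident(atype, runlist, attr_id, size):
        length = _align8(0x40 + len(runlist))
        hdr = struct.pack("<IIBBHHHqqHB5sqqq", atype, length, 1, 0, 0x40, 0, attr_id,
                          0, 0, 0x40, 0, b"\x00" * 5, 4096, size, size)  # 5 reserved at +0x23
        return hdr + runlist + b"\x00" * (length - 0x40 - len(runlist))

    attrs = (resident(0x10, b"\x11" * 48, 0)              # $STANDARD_INFORMATION (filler)
             + resident(0x30, b"\x22" * 70, 1)            # $FILE_NAME (filler), 2 slack bytes
             + nonresident(0x80, b"\x21\x01\x00\x10\x00", 2, 1234))  # $DATA, one 1-cluster run
    marker_off = attr_off + len(attrs)
    used = _align8(marker_off + 4)
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHHQHHHHIIQH", rec, 0, b"FILE", usa_off, usa_count, 0, 1, 1,
                     attr_off, 1, used, RECORD_SIZE, 0, 3)   # ends at 0x2A: 2 pad bytes follow
    struct.pack_into("<I", rec, 0x2C, 42)                 # record number
    rec[attr_off:marker_off] = attrs
    struct.pack_into("<I", rec, marker_off, END_MARKER)
    usa = [usn]                                           # fixups: save sector tails, write USN
    for p in range(SECTOR - 2, RECORD_SIZE, SECTOR):
        usa.append(struct.unpack_from("<H", rec, p)[0])
        struct.pack_into("<H", rec, p, usn)
    struct.pack_into("<3H", rec, usa_off, *usa)
    return bytes(rec)


def fixups_intact(rec):
    """True when every sector still ends with the update sequence number."""
    usn = struct.unpack_from("<H", rec, struct.unpack_from("<H", rec, 4)[0])[0]
    return all(struct.unpack_from("<H", rec, p)[0] == usn
               for p in range(SECTOR - 2, len(rec), SECTOR))


def carrier_offsets(rec):
    """Offsets of bytes NTFS never interprets, as (offset, kind); fixup slots excluded."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    attr_off = struct.unpack_from("<H", rec, 0x14)[0]
    used = struct.unpack_from("<I", rec, 0x18)[0]
    slots = [(0x2A, 2, "header pad")]
    off = attr_off
    while True:
        atype, length, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == END_MARKER:
            break
        if nonres == 0:
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            slots.append((off + 0x17, 1, "resident reserved"))
            content_end = off + voff + vlen
        else:
            slots.append((off + 0x23, 5, "non-resident reserved"))
            p = off + struct.unpack_from("<H", rec, off + 0x20)[0]
            while rec[p]:                  # walk mapping pairs to the 0x00 terminator
                p += 1 + (rec[p] & 0xF) + (rec[p] >> 4)
            content_end = p + 1
        if off + length > content_end:
            slots.append((content_end, off + length - content_end, "alignment slack"))
        off += length
    slots.append((used, len(rec) - used, "record tail slack"))
    fixups = set(range(SECTOR - 2, len(rec), SECTOR)) | set(range(SECTOR - 1, len(rec), SECTOR))
    return [(o, kind) for start, n, kind in slots
            for o in range(start, start + n) if o not in fixups]


def hide(rec, payload):
    """Write a length-prefixed payload into the carrier bytes; no parsed field changes."""
    offs = [o for o, _ in carrier_offsets(rec)]
    blob = struct.pack("<H", len(payload)) + payload
    if len(blob) > len(offs):
        raise ValueError(f"payload needs {len(blob)} bytes, record offers {len(offs)}")
    out = bytearray(rec)
    for o, b in zip(offs, blob):
        out[o] = b
    return bytes(out)


def extract(rec):
    data = bytes(rec[o] for o, _ in carrier_offsets(rec))
    return data[2:2 + struct.unpack_from("<H", data)[0]]


def nonzero_reserved(rec):
    """Forensic check: reserved and pad bytes are zero on a freshly written record."""
    return [(o, kind) for o, kind in carrier_offsets(rec)
            if kind != "record tail slack" and rec[o] != 0]


if __name__ == "__main__":
    clean = build_sample_record()
    stashed = hide(clean, b"hidden in the MFT")
    print(len(carrier_offsets(clean)), "carrier bytes;", extract(stashed))
    print("suspicious:", nonzero_reserved(stashed)[:3])
```

The tail slack is deliberately left out of the forensic check: on a real volume it routinely holds remnants of earlier attribute layouts, so a non-zero tail needs baselining against the rest of the $MFT before it means anything, whereas a non-zero header pad or attribute reserved byte is worth a look on its own.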