Metasploit Anti-Forensics Project (MAFIA) - Slacker.exe

One of the tools in the Metasploit arsenal is slacker.exe, which allows an attacker to hide data in the slack space of NTFS. Recently, I've been playing with this scary awesome tool, and wanted to share what I found:

When a file system allocates space for a file, it allocates that space in a predetermined size data container, referred to as “blocks on Linux/Unix systems, and clusters on Windows systems.” (http://www.wikistc.org/wiki/Slack_space_data) As a file is written, blocks or clusters will be allocated to store the contents of the file, and each block or cluster will either be completely full or partially full. However, the size of most files will not be an even multiple of the block or cluster size. For example, a 1KB file is created and written to a file system with a 4KB block or cluster size. The file system can not allocate anything less than 4KB, thus when the file is written, 3KBs of the block or cluster is left unused. This unused space is referred to as slack space. Since this slack space is allocated but unused, it presents an appealing target for attackers to hide data.

As part of the Metasploit Anti-Forensic Investigation Arsenal (MAFIA), the Slacker tool is the first “tool that allows you to hide files within the slack space of the NTFS file system.” (http://www.metasploit.net/research/projects/antiforensics/) Slacker is a command line tool, here’s the help menu:



To hide a file with slacker.exe, one must choose a directory structure within which to select files to hide the data in ( {path} ), how deep to descend into the directory tree ( {levels} ), a file to store metadata for tracking information ( {metadata} ), a password to encrypt the metadata file ( {password} ), and options for how slack space is selected, data is obfuscated or not, and if you wish to use a file as an XOR key. For the purposes of the following example, the file to be stored in slack space was Salary.xls, a directory containing JPEG image files was used as slack space files (C:\Demo), a high resolution JPEG was used as the metadata file (C:\image.jpg), and the password used was “hide”:



To reverse the process, point slacker.exe at the metadata image file (in this case, C:\image.jpg) and supply the password and a filename for the extracted data:



Md5sum shows the extracted file and the original to be identical:



Looking at one of the files that were used for slack space to store the data and the original file, md5sum shows them to appear as identical as well:



which is the expected behavior, since slacker.exe will reset the file pointer to the original location after it completes it’s work. The same applies to the metadata file:



The only attribute that noticeably changes on either the slack space file or the metadata file is the “Date Modified” attribute, which can be reverted back using another tool in the MAFIA toolkit, timestomp.exe, discussed later. The data stored in the slack space files is unencrypted, but the metadata file information is stored in the slack space encrypted, thus preventing a forensic analysis from easily locating and retrieving the list of files that slacker.exe wrote the data out to. Without a tool that can read raw disk sectors, this type of data hiding would be easily missed, and with such a tool, tedious and very time consuming to locate.