Home
Welcome to the Wiki for fishy: A framework for filesystem based data hiding techniques!
This page will give you an introduction to fishy.
If you are looking for a more in-depth presentation on the architecture of the system, look here.
To get a more detailed look at the currently implemented Hiding Techniques, visit this site.
This Wiki is based on the documentation found within the repository and on the D-A-CH Security 2018 paper by Kailus, Hecht, Göbel and Liebler, „fishy – Ein Framework zur Umsetzung von Verstecktechniken in Dateisystemen“ [1].
fishy is an anti-forensics toolkit for filesystem based hiding techniques. These hiding techniques usually exploit existing structures on the filesystem layer to hide data from conventional access methods. fishy is intended to introduce people to the concept of established anti-forensics methods associated with data hiding.
Furthermore, this framework is supposed to be easy to use and easy to expand with a consistent interface and extensive documentation. Due to its modular structure, adding compatibility with more filesystems or new hiding techniques can be easily done. For a more detailed introduction to fishy's architecture, visit this Wiki page dedicated to the architecture.
fishy was initiated by the da/sec research group and developed in cooperation with several bachelor students of the Hochschule Darmstadt (h_da), University of Applied Sciences.
Student members: Adrian Kailus, Christian Hecht, Matthias Greune, Deniz Celik, Tim Christen, Dustin Kern, Yannick Mau, Patrick Naili and Jan Türr.
da/sec members: Thomas Göbel, Sebastian Gärtner and Lorenz Liebler.
fishy is currently only tested to run under Linux. Other operating systems may provide different functions to access low level devices.
Currently, fishy can hide multiple files on a filesystem, but is not capable of managing them. Therefore the user has to avoid overwriting data.
There is currently no automatic encryption when hiding data. If the data is supposed to be encrypted, it has to be done manually and prior to using the hiding technique.
- [1] Adrian V. Kailus, Christian Hecht, Thomas Göbel and Lorenz Liebler, „fishy – Ein Framework zur Umsetzung von Verstecktechniken in Dateisystemen“, in D-A-CH Security, Gelsenkirchen (Germany), September 2018.
- [2] Thomas Göbel and Harald Baier, „fishy – A Framework for Implementing Filesystem-based Data Hiding Techniques“, in Proceedings of the 10th EAI International Conference on Digital Forensics & Cyber Crime (ICDF2C), New Orleans (United States), September 2018.
- [3] Thomas Göbel, Jan Türr and Harald Baier, „Revisiting Data Hiding Techniques for Apple File System“, in Proceedings of the 12th International Workshop on Digital Forensics (WSDF), held in conjunction with the 14th International Conference on Availability, Reliability and Security (ARES), Canterbury (UK), August 2019.
Any publication using the code must cite and reference the conference papers [1] and [2].
To build the framework you will need
- Python 3.5 or higher
- argparse - parsing arguments from the command line
- construct - parsing the FAT filesystem; as of right now, use a construct version < 2.9 (2.8.2 was tested and is working)
- pytsk3 - parsing NTFS filesystem
- simple-crypt - encryption of meta-data
- numpy - Calculating APFS checksums
For testing purposes you will also need to install
- pytest - unit testing framework
- mount & dd unix tools - needed to generate test images
In case you are interested in reading the full documentation on which this Wiki is based, you will also need
- sphinx and sphinx-argparse - to generate the documentation in a suitable format
- graphviz - to generate the graphs that are used in the documentation
- If you want to run unit tests before installing:

```sh
sudo python setup.py test
```

- Installing the program:

```sh
sudo python setup.py install
```

- Generating the documentation:

```sh
pip install sphinx sphinx-argparse
python setup.py doc
```

- Generating the documentation as PDF:

```sh
cd doc
make latexpdf
```

- The following TeX dependencies are needed for the PDF build:

```sh
sudo apt-get install latexmk
sudo apt-get install texlive-formats-extra
```
As of February 2019 fishy supports four filesystems: FAT, NTFS, ext4 and APFS. Each one has a set of hiding techniques that are already implemented.
In the following tables, "✓" means the respective hiding technique has already been implemented, "✗" means the hiding technique has been researched and is considered work in progress, and "-" means that the hiding technique is not applicable to the corresponding filesystem.
Command | FAT | NTFS | EXT4 | APFS | Description |
---|---|---|---|---|---|
fileslack | ✓ | ✓ | ✓ | ✗ | Uses file slack to hide data |
mftslack | - | ✓ | - | - | Uses MFT Entry Slack |
addcluster | ✓ | ✓ | ✗ | ✗ | Allocate additional cluster to data |
badcluster | ✓ | ✓ | ✗ | - | Bad Cluster allocation |
reserved_gdt_blocks | - | - | ✓ | - | Exploit reserved GDT block |
superblock_slack | - | - | ✓ | ✓ | Exploit Superblock slack |
osd2 | - | - | ✓ | - | Use of osd2 Bytes in Inodes |
obso_faddr | - | - | ✓ | - | Use of Inode field obso_faddr |
nanoseconds | - | ✗ | ✓ | ✓ | Use of Nanosecond Timestamp part |
inode_padding | - | - | - | ✓ | Use of Padding in Inodes |
write_gen_counter | - | - | - | ✓ | Use of write counter in Inodes |
ext_field_padding | - | - | - | ✓ | Use of dynamically created Extended Fields |
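The fileslack and addcluster rows describe on-disk structures a forensic examiner can check for directly: the unused tail of a file's last cluster, and clusters allocated to a file beyond what its logical size requires. The following Python snippet is an added example written for this Wiki page, not code from the fishy project: on a constructed in-memory cluster image with a simplified directory record (the `FileRecord` class, the cluster numbering and the 512-byte cluster size are assumptions for the example), it computes each file's slack range, counts the non-zero bytes found there, and reports surplus clusters. Real filesystems add details the example deliberately leaves out (FAT chain walking, cluster 2 being the first data cluster, NTFS resident data).

```python
"""Detection-side view of two hiding techniques from the table above:
fileslack (data after EOF in the last cluster) and addcluster (clusters
allocated beyond the file's size). Added example, not fishy's own code."""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

CLUSTER_SIZE = 512  # assumption: small clusters keep the constructed image tiny


@dataclass
class FileRecord:
    """Hypothetical stand-in for a directory entry: logical size plus the
    clusters the allocator handed out. Not a real FAT/NTFS structure."""
    name: str
    size: int
    clusters: List[int]


def expected_clusters(size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Number of clusters a file of `size` bytes legitimately needs."""
    return max(1, math.ceil(size / cluster_size))


def slack_range(rec: FileRecord, cluster_size: int = CLUSTER_SIZE) -> Tuple[int, int]:
    """Byte offsets [start, end) of the file slack: the part of the last
    data-bearing cluster that lies after the file's logical end."""
    if not rec.clusters:
        return (0, 0)
    needed = expected_clusters(rec.size, cluster_size)
    last = rec.clusters[needed - 1]
    used_in_last = rec.size - (needed - 1) * cluster_size
    start = last * cluster_size + used_in_last
    end = (last + 1) * cluster_size
    return start, end


def check_file(image: bytes, rec: FileRecord, cluster_size: int = CLUSTER_SIZE) -> dict:
    """Return slack and surplus-cluster findings for one file record."""
    start, end = slack_range(rec, cluster_size)
    # Slack written by a normal file create is zero-filled (or holds stale
    # data); structured non-zero bytes after EOF deserve a closer look.
    nonzero = sum(1 for b in image[start:end] if b != 0)
    needed = expected_clusters(rec.size, cluster_size)
    return {
        "name": rec.name,
        "slack_range": (start, end),
        "slack_bytes_nonzero": nonzero,
        "extra_clusters": rec.clusters[needed:],  # allocated but not required by size
    }


def scan_image(image: bytes, records: List[FileRecord]) -> Dict[str, dict]:
    """Run check_file over every record; keyed by file name for easy lookup."""
    return {rec.name: check_file(image, rec) for rec in records}


def build_sample_image() -> Tuple[bytes, List[FileRecord]]:
    """Constructed sample: an 8-cluster image holding three files. Not real data."""
    image = bytearray(8 * CLUSTER_SIZE)
    records = [
        FileRecord("report.txt", 700, [2, 3]),  # clean: slack left zero-filled
        FileRecord("notes.txt", 300, [4]),      # fileslack: bytes placed after EOF
        FileRecord("log.txt", 100, [5, 6]),     # addcluster: one cluster too many
    ]
    image[2 * CLUSTER_SIZE : 2 * CLUSTER_SIZE + 700] = b"A" * 700
    image[4 * CLUSTER_SIZE : 4 * CLUSTER_SIZE + 300] = b"B" * 300
    start, _ = slack_range(records[1])
    image[start : start + 12] = b"HIDDEN-BYTES"  # constructed marker in the slack
    image[5 * CLUSTER_SIZE : 5 * CLUSTER_SIZE + 100] = b"C" * 100
    return bytes(image), records


if __name__ == "__main__":
    img, recs = build_sample_image()
    for name, f in scan_image(img, recs).items():
        flags = []
        if f["slack_bytes_nonzero"]:
            flags.append(f"{f['slack_bytes_nonzero']} non-zero slack bytes")
        if f["extra_clusters"]:
            flags.append(f"surplus clusters {f['extra_clusters']}")
        print(f"{name}: {', '.join(flags) or 'nothing unusual'}")
```

Running the block prints one line per file; only `notes.txt` (12 non-zero slack bytes) and `log.txt` (surplus cluster 6) are flagged. On a real image the same two checks are what makes these techniques detectable: the slack scan needs only the directory entries and the cluster size, and the surplus-cluster check compares the allocated chain length against the logical size.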
In addition to the ones already implemented, multiple other hiding techniques have been researched and are planned to be implemented, i.e., the development is currently in progress.
Command | FAT | NTFS | EXT4 | APFS | Description |
---|---|---|---|---|---|
ads | - | ✗ | - | - | Use of Alternate Data Streams |
superblock_reserved | - | - | ✗ | - | Use of reserved space in Superblocks |
superblock_backups | - | - | ✗ | - | Exploitation of Superblock Backups |
bootsector | ✗ | ✗ | ✗ | - | Exploitation of Partition Bootsector |
null_dir_entries | - | - | ✗ | - | Exploitation of Directory Entries |
gdt_slack | - | - | ✗ | - | Exploitation of GDT Slack Space |
groupdescr_reserved | - | - | ✗ | - | Use of reserved space in Group Descriptor |
gdt_backups | - | - | ✗ | - | Exploitation of GDT Backup Copies |
blockbitmap_slack | - | - | ✗ | - | Exploitation of Block Bitmap Slack |
inodebitmap_slack | - | - | ✗ | - | Exploitation of Inode Bitmap Slack |
inode_slack | - | - | ✗ | - | Exploitation of Inode Record Slack |
inode_reserved | - | - | ✗ | - | Use of reserved space in Inode Struct |
uninit_datastructure | - | - | ✗ | - | Exploitation of Data Structures in Uninitialized Block Groups |
vol_list | - | - | - | ✗ | Exploitation of list of Volume Superblock IDs found in Container Superblocks |
superblock_test | - | - | - | ✗ | Use of fields in debugging/testing fields found in Container Superblocks |
unmount_logs | - | - | - | ✗ | Use of Modification logs in Volume Superblocks |
Additionally, there are two more commands related to the hiding techniques:
- fattools: Provides information about a FAT system
- metadata: Provides information about data stored in a metadata file
For further information on the hiding techniques, visit the dedicated section.