Tuesday, October 23, 2007

EnScript to detect use of "slacker.exe", anti-forensic tool

I was playing around with "Slacker", an anti-forensic tool that hides data in the file slack area of various files. The tool has been around for quite awhile and I have heard of its use a few times in real investigations, so I decided to finally write an EnScript to try and detect its use.

I am not into all the anti-forensic hype that goes around the Internet and various conferences, so I usually don't spend a lot of time trying to defeat anti-forensic techniques, they usually defeat themselves. In this case, I had some time to kill and decided to write something to try and detect data hidden with the slacker utility.

I have tested this with two versions of slacker. The one currently available for download as of today and an older verison I had archived:

Written for EnCase v6.

Download Here


H. Carvey Saturday, 27 October, 2007  

Not to pick nits on this, but how does detecting the presence of the file slacker.exe by its hash constitute detecting the use of the tool?

Lance Mueller Saturday, 27 October, 2007  

The detection method does not use the hash values. I merely provided those to confirm which versions of slacker I have tested the EnScript with and where the hidden data was found.

Paul Wednesday, 14 November, 2007  

Can you write up how you go about detecting the use of the tool?

Paul Bobby

Lance Mueller Wednesday, 14 November, 2007  

The detection method is based on the predictable data structure the slacker utility writes to the end of the metadata file. The mestadata file is the file that contains all the information on how to rebuild or recovery the hidden data. The structure is predictable and the EnScript uses that predictablity to detect it use.

Anonymous Saturday, 29 March, 2008  

Can you provide an explanation on its predictability?

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles