Slack Space Hiding

Hiding data in slack space:

1 - What is slack space

When you format a partition, you define a block / cluster size (e.g. 64b).

Later, you'll copy files onto the filesystem. The slack space is the unused part of the blocks you've written to. Let me illustrate: you copy a 110b file to /dev/sda2, which has a block size of 4096b. You then have 4096-110=3986b of unused space in the block. Let's say the sectors are 1024b long; then you'll have the last 3 sectors free of data.

The remaining space of the first sector is called the "datahole": the free space that you leave untouched before writing into the slack space, to let the OS know the file has ended. Sometimes the OS will write metadata in this space (for instance, MS-Winblows uses a process called alternate data streams (ADS) to let you keep small pieces of information about a file (pictures, size...) by writing behind the datahole of the last block the file is written on).

If you write a 5321b file, it will use a complete block of 4096b and write 1225b of data into another one, leaving 2871b of unused space which the OS will not read.

2 - Why would you write into slack space

There are several reasons for doing it:

- First, the OS will NEVER read into this space. It is supposed to be unused space, and the datahole marks the termination of the file, so the OS is not aware of data inside it.
- Second, it has very little chance of being seen. Since the block is a fixed-length unit and the OS is bound to give you the size of a file until the end of its last block, the size will never increase when you use slack space. Programs don't see when you use it either. If you write to slack space and then try cat, strings and so on, you will never see what you put inside the slack space.

3 - How to use slack space

You can use an old tool, no longer maintained but still effective, called bmap. It's really easy to use, but remember that your data won't be encrypted, only hidden.

First, compile it on your host in order to be able to use the tools. If you look at the help, you will see that there are several modes :

unknown:~/bmap-1.0.20# ./bmap --help

bmap:1.0.20 (03/25/14)

Usage: bmap [OPTION]... [

use block-list knowledge to perform special operations on files

--doc VALUE where VALUE is one of:

version display version and exit

help display options and exit

man generate man page and exit

sgml generate SGML invocation info

--mode VALUE where VALUE is one of:

map list sector numbers

carve extract a copy from the raw device

slack display data in slack space

putslack place data into slack

wipeslack wipe slack

checkslack test for slack (returns 0 if file has slack)

slackbytes print number of slack bytes available

wipe wipe the file from the raw device

frag display fragmentation information for the file

checkfrag test for fragmentation (returns 0 if file is fragmented)

--outfile write output to ...

--label useless bogus option

--name useless bogus option

--verbose be verbose

--log-thresh logging threshold ...

--target operate on ...


What will be of interest for us is the mode option, which will allow us to play with the slack space.

First, try it on a simple file to see whether data is hidden inside it and, if not, how many bytes are left in the slack space at the end of the block:

unknown:~/bmap-1.0.20# ./bmap --mode checkslack listfiles.lst --verbose

listfiles.lst does not have slack

unknown:~/bmap-1.0.20# ./bmap --mode slackbytes listfiles.lst --verbose



It is as easy as that.


You could also list the sector numbers with the map mode and write them to a file. Now try to put some data into the file's slack, and check that it is there:

unknown:~/bmap-1.0.20# echo "hidden stuff" | ./bmap --mode putslack listfiles.lst --verbose

stuffing block 952000

file size was: 1499589

slack size: 3643

block size: 4096

unknown:~/bmap-1.0.20# ./bmap --mode checkslack listfiles.lst

listfiles.lst has slack


Displaying the data is just as easy:

unknown:~/bmap-1.0.20# ./bmap --mode slack listfiles.lst --verbose

getting from block 952000

file size was: 1499589

slack size: 3643

block size: 4096

hidden stuff


But if you try the usual tools, you won't find it:

unknown:~/bmap-1.0.20# grep hidden listfiles.lst

unknown:~/bmap-1.0.20# strings listfiles.lst |grep hidden

unknown:~/bmap-1.0.20# cat listfiles.lst |grep hidden

unknown:~/bmap-1.0.20# hexdump -c listfiles.lst |tail

016e140 / m n t / v a r / r u n / s s h

016e150 d . p i d \n / m n t / v a r / r

016e160 u n / s y s l o g d . p i d \n /

016e170 m n t / v a r / s p o o l / c r

016e180 o n / a t j o b s / . S E Q \n /

016e190 m n t / v a r / s p o o l / e x

016e1a0 i m 4 / d b / r e t r y . l o c

016e1b0 k f i l e \n / m n t / . p w d .

016e1c0 l o c k \n
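
Added example (not from the original post and not bmap's code): a small Python model of the block arithmetic from section 1 and of why grep, strings and cat come up empty while a raw read of the last block does not, which is the check a forensic examiner runs. The image, the file table and the helper names are constructed for illustration; it assumes contiguous files and zero-filled clean slack.

```python
BLOCK = 4096  # block size used in the page's examples

def slack_bytes(file_size, block_size=BLOCK):
    """Unused bytes between end-of-file and the end of its last block."""
    used = file_size % block_size
    return 0 if used == 0 else block_size - used

def read_file(image, start_block, size, block_size=BLOCK):
    """What cat/grep/strings see: exactly `size` bytes, never the slack."""
    off = start_block * block_size
    return bytes(image[off:off + size])

def read_slack(image, start_block, size, block_size=BLOCK):
    """Raw tail of the file's last block, read straight from the device image."""
    end = start_block * block_size + size
    return bytes(image[end:end + slack_bytes(size, block_size)])

def scan_slack(image, files, block_size=BLOCK):
    """Return {name: payload} for files whose slack is not all zero bytes."""
    hits = {}
    for name, (start_block, size) in files.items():
        # Assumption: clean slack is zero-filled; real disks may hold stale data.
        data = read_slack(image, start_block, size, block_size).strip(b"\x00")
        if data:
            hits[name] = data
    return hits

def build_sample():
    """Constructed sample: two contiguous files on a zero-filled 4-block image."""
    image = bytearray(4 * BLOCK)
    files = {"clean.txt": (0, 110), "listfiles.lst": (1, 5321)}
    image[0:110] = b"A" * 110
    image[BLOCK:BLOCK + 5321] = b"B" * 5321
    end = BLOCK + 5321                       # first slack byte of listfiles.lst
    image[end:end + 13] = b"hidden stuff\n"  # same string as the page's demo
    return image, files

if __name__ == "__main__":
    image, files = build_sample()
    for size in (110, 5321, 1499589):        # sizes quoted on the page
        print(size, "->", slack_bytes(size), "slack bytes")
    print(b"hidden" in read_file(image, 1, 5321))  # file-level view
    print(scan_slack(image, files))                # raw-block view
```
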


Now if you want to remove the hidden data :

unknown:~/bmap-1.0.20# ./bmap --mode wipeslack listfiles.lst --verbose

stuffing block 952000

file size was: 1499589

slack size: 3643

block size: 4096

unknown:~/bmap-1.0.20# ./bmap --mode checkslack listfiles.lst --verbose

listfiles.lst does not have slack


Now you will ask: what's the point if people are aware of the tool? The fact is that you can hide tons of data if you just harden a bit the way the data is dispatched. Here is an easy example. First, simply convert your message to hexadecimal notation, e.g.:

unknown:~# cat hidden_message |od -t x1|cut -f2- -d' ' |sed -s 's/ /\n/g' > dump.dump


Which will result in something like :















Then list the files on your filesystem, and cut the list down to the number of lines you have in dump.dump:

unknown:~# find / -type f > filelist && tail -$(cat dump.dump|wc -l) filelist > filelist.lst && rm filelist


And finally hide the data in the files listed in filelist.lst :

unknown:~# sum=$(cat /root/dump.dump |wc -l)

unknown:~# d=0

unknown:~# for i in $( cat filelist.lst ); do COUNT=$(( sum - d )); SLACK=$(tail -$COUNT /root/dump.dump|head -1 ); echo "$SLACK"|./bmap --mode putslack "$i" ; d=$(( d + 1 )); done


And if you want to be sure it worked, just use the checkslack mode on each file in the list:

unknown:~# error=0

unknown:~# for i in $( cat filelist.lst ); do ./bmap --mode checkslack "$i" > /dev/null || error=$(( error + 1 )); done; echo $error


If it echoes anything other than 0, then something failed (but it shouldn't). Your data is hidden; to restore it, you just have to do the inverse operation on the files listed in filelist.lst and convert the characters back to ASCII to get your message back. This is a simple algorithm I gave you, but I am sure you see the extent of the possibilities you have with slack space writing.


