Channel: Forensic Focus Forums - Recent Topics
General Discussion: How did the suspect hide these folders?

If the file system is FAT32 that greatly narrows the possible ways this could be done. All of the possibilities below "abuse" the FAT specification in some way:

1. Overwrite preceding directory entry with 0

In most implementations this causes the directory parsing to stop. However, the subsequent directory entries remain and, critically, so do the allocated data clusters. If the "hidden" entry contains a sub-directory, it and all child folders will also be hidden. In this case, it isn't even necessary to overwrite the whole directory entry; simply replacing the first character of the filename with 0 is sufficient.

You can re-create this scenario easily by:

a. Create a new small FAT volume
b. Create 3 small files
c. List the directory. All three files should be visible
d. Overwrite the first character of the middle file with 0
e. List the directory again. Only the first file remains

This situation would show up in your Hex editor like this: http://www.binarymarkup.com/ForensicFocus/badfat.jpg

2. Create a new "root" directory

Unlike FAT12/16, FAT32 allows the root directory to be in any data cluster. The root directory is specified in the VBR. A user could create this scenario by:

a. Create sub-folder called "Root"
b. Populate this folder with harmless content
c. Modify VBR to point to the new root

3. Modify attribute bits

FAT uses a single byte in the directory entry to describe the attributes of the file/directory. Changing a single bit in this can change a sub-directory to apparently become a 0 byte file. This will have the effect of hiding the contents of the sub-directory from a casual observer.

4. Use non-standard characters in filename

I haven't tested this scenario but the specification reserves certain characters. It is possible that replacing the first character of the filename with such a character would confuse the directory parsing.

I wouldn't be surprised if there are other methods I haven't thought of and look forward to hearing about them shortly...
Jim www.binarymarkup.com
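An added example (not from the post or from binarymarkup.com) showing how an examiner can catch techniques 1 and 3 above: a forensic directory walk that does not stop at the 0x00 byte a normal listing stops at, and that flags a "0-byte file" which still owns a data cluster. The directory bytes are constructed inline with the standard 32-byte short-name entry layout; the entry builder and the tampering helper are this example's own, written only to reproduce the post's steps on sample data.

```python
import struct

ATTR_DIRECTORY, ATTR_LFN = 0x10, 0x0F

def make_entry(name, ext, attr, first_cluster, size):
    """One constructed 32-byte FAT short-name directory entry (sample data only)."""
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes([attr]) + bytes(8)
            + struct.pack("<H", first_cluster >> 16) + bytes(4)       # cluster high, write time/date
            + struct.pack("<HI", first_cluster & 0xFFFF, size))       # cluster low, file size

def walk_directory(raw, forensic=False):
    """forensic=False mimics a normal listing (stops at the first 0x00 byte);
    forensic=True keeps walking every 32-byte slot and flags the anomalies."""
    entries, past_end = [], False
    for off in range(0, len(raw) - len(raw) % 32, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:
            if not forensic:
                break                          # what a normal directory listing does
            past_end = True
            if not any(e[1:]):
                continue                       # a genuinely free entry is all zeros
        elif e[0] == 0xE5 or e[11] == ATTR_LFN:
            continue                           # deleted entry or long-name piece
        attr, size = e[11], struct.unpack_from("<I", e, 28)[0]
        cluster = struct.unpack_from("<H", e, 20)[0] << 16 | struct.unpack_from("<H", e, 26)[0]
        base = ("?" if e[0] == 0 else chr(e[0])) + e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        flags = []
        if e[0] == 0x00:
            flags.append("first_byte_zeroed")  # technique 1: terminator written over a live entry
        elif past_end:
            flags.append("after_terminator")   # slots a casual listing never reaches
        if size == 0 and cluster and not attr & ATTR_DIRECTORY:
            flags.append("zero_size_with_cluster")  # technique 3: sub-directory re-flagged as a file
        entries.append({"name": base + ("." + ext if ext else ""), "attr": attr,
                        "cluster": cluster, "size": size, "flags": flags})
    return entries

# Constructed sample: three files and a sub-directory, then the real end-of-directory marker.
CLEAN = b"".join([make_entry("FILE1", "TXT", 0x20, 3, 100), make_entry("FILE2", "TXT", 0x20, 4, 100),
                  make_entry("SECRET", "", ATTR_DIRECTORY, 5, 0), make_entry("FILE3", "TXT", 0x20, 6, 50)]) + bytes(32)

def tampered_sample():
    """Apply the two manipulations the post describes to the constructed directory."""
    raw = bytearray(CLEAN)
    raw[32] = 0x00        # technique 1: first character of the middle file overwritten with 0
    raw[64 + 11] = 0x20   # technique 3: SECRET's attribute byte changed, now a "0-byte file"
    return bytes(raw)
```

On the tampered sample the normal walk lists only FILE1.TXT, while the forensic walk recovers the zeroed entry, the re-flagged SECRET directory (still pointing at cluster 5) and FILE3.TXT behind it, which is exactly what the hex editor screenshot in the post is showing.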
