antonymous Posted October 15, 2010 Since more and more DLP solutions are using file header information to perform analysis of data, I was wondering if there are any programs/scripts out there that can easily change file header info. For example, there might be a security rule preventing a user from emailing Excel spreadsheets, but if you were to alter the file header to look like an mp3, then you could transmit it. On the other end, the recipient would need to know what the original header is to reconstruct the file, replacing the mp3 header with the old one (which could be embedded/obfuscated in the file, I suppose). Seems like there should be something out there, but my google-fu fails me. Any thoughts?
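The header swap the question describes is exactly why a DLP check that stops at the first few bytes is weak: overwriting a ZIP local file header does nothing to the central directory, the end-of-central-directory record or the OOXML part names further into the file. The Python below is an illustration added to this thread, not code from any poster or product. It classifies a blob the way a magic-byte check would, then looks for container structure that an overwrite of the leading bytes leaves intact, and flags the disagreement. The signature tables, the in-memory workbook stand-in and the header-swapped fixture (an empty ID3v2.3 header written over the first ten bytes, mirroring the trick in the question) are all constructed for the example.

```python
import io
import zipfile
from collections import Counter

# Leading signatures ("magic bytes") that a header-only DLP check keys on.
# Value: (human label, structural family). Table constructed for this example.
MAGIC = {
    b"PK\x03\x04": ("ZIP container (xlsx/docx/pptx/jar)", "zip"),
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": ("OLE2 compound file (xls/doc/ppt)", "ole2"),
    b"%PDF-": ("PDF", "pdf"),
    b"ID3": ("MP3 with ID3v2 tag", "mp3"),
    b"\xff\xfb": ("MP3 frame sync", "mp3"),
    b"\x89PNG\r\n\x1a\n": ("PNG", "png"),
}

# Structure that lives in the body or trailer, so it survives an overwrite of
# the first few bytes. Value: (description, structural family).
BODY_MARKERS = {
    b"PK\x01\x02": ("ZIP central directory entry", "zip"),
    b"PK\x05\x06": ("ZIP end-of-central-directory record", "zip"),
    b"[Content_Types].xml": ("OOXML part name", "zip"),
    b"xl/workbook.xml": ("Excel workbook part", "zip"),
    b"%%EOF": ("PDF trailer", "pdf"),
    b"\x00\x00\x00\x00IEND\xaeB`\x82": ("PNG IEND chunk", "png"),
}


def claimed_type(data: bytes):
    """What a magic-byte check reports: the longest leading signature that matches."""
    for magic in sorted(MAGIC, key=len, reverse=True):
        if data.startswith(magic):
            return MAGIC[magic]
    return ("unknown", None)


def body_evidence(data: bytes):
    """Body/trailer markers present in the file, with the offset of each first hit."""
    hits = []
    for marker, (desc, family) in BODY_MARKERS.items():
        off = data.find(marker)
        if off >= 0:
            hits.append((off, desc, family))
    return sorted(hits)


def assess(data: bytes) -> dict:
    """Compare the header's claim against body structure and flag disagreement."""
    label, family = claimed_type(data)
    evidence = body_evidence(data)
    foreign = [hit for hit in evidence if hit[2] != family]
    likely = Counter(hit[2] for hit in foreign).most_common(1)[0][0] if foreign else family
    return {
        "claimed": label,
        "likely_family": likely,
        "mismatch": bool(foreign),
        "evidence": evidence,
    }


def make_sample_workbook() -> bytes:
    """Constructed stand-in for an .xlsx: a ZIP holding the two OOXML parts a scanner looks for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook><sheets><sheet name='Q3'/></sheets></workbook>")
    return buf.getvalue()


def make_header_swapped(data: bytes) -> bytes:
    """Test fixture mimicking the thread's trick: first 10 bytes replaced by an empty ID3v2.3 header."""
    return b"ID3\x03\x00\x00\x00\x00\x00\x00" + data[10:]


if __name__ == "__main__":
    samples = (("workbook", make_sample_workbook()),
               ("header-swapped", make_header_swapped(make_sample_workbook())))
    for name, blob in samples:
        verdict = assess(blob)
        print(f"{name}: claims {verdict['claimed']!r}, body looks like "
              f"{verdict['likely_family']}, mismatch={verdict['mismatch']}")
        for off, desc, _ in verdict["evidence"]:
            print(f"    0x{off:06x}  {desc}")
```

Running it reports the untouched workbook as consistent and the header-swapped copy as "claims MP3, body looks like zip, mismatch=True", with the central directory, EOCD record and both part names listed as the evidence. The same idea generalises to any container whose structure is not confined to its first bytes; a scanner that only ever reads offset 0 is the one this thread's trick defeats.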
Mr-Protocol Posted October 15, 2010 Hex editor. Easiest way to do it. But you have to know your file headers very well to be playing with this. Too bad it's not a Windows environment where you can just rename a file. Linux is awesome in the fact it reads file headers.
antonymous Posted October 15, 2010 (Author) Yeah, I suppose I could do it in WinHex, but I was hoping that there might be some sort of tool by now to automagically carve out the header and replace it with a different known header to fool the DLP system.
Guest Deleted_Account Posted October 15, 2010 I was just reading about this somewhere! I think it was on here: http://www.anti-forensics.com/ or IronGeek? Anyways, it was a nice walkthrough on using HxD to modify the headers.
Infiltrator Posted October 17, 2010 (edited) Quoting Guest Deleted_Account: "I was just reading about this somewhere! I think it was on here: http://www.anti-forensics.com/ or IronGeek? Anyways, it was a nice walkthrough on using HxD to modify the headers." I've spent the whole afternoon yesterday reading articles from that website. After I finished reading, I felt like doing a Computer Forensics course. As a matter of fact, I am considering taking the course; who knows, I might one day work for the police as a forensics investigator. Edited October 17, 2010 by Infiltrator
Netshroud Posted October 17, 2010 When I need to do this, I just send whatever file it is in a password-protected archive with the filenames encrypted, and include the password in the email.
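Netshroud's workaround above swaps one signal for another: the attachment is now an archive whose entries are marked as encrypted, which is something a mail scanner can look for without needing the password. The Python below is added here as an illustration (not from the thread or any product). It walks the ZIP local file headers directly and reports every entry whose general-purpose bit 0 is set, which is the flag the ZIP format uses for password-protected entries. The two-entry archive is constructed in memory with local headers only (no central directory, since the walk does not need one), and the "encrypted" entry's payload is placeholder bytes standing in for ciphertext.

```python
import struct
import zlib

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"   # the 30-byte fixed part of a ZIP local file header
FLAG_ENCRYPTED = 0x0001        # general-purpose bit 0: entry is password protected


def local_entry(name: bytes, payload: bytes, flags: int = 0) -> bytes:
    """Build one stored (method 0) ZIP entry: fixed header, file name, data."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    fixed = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, 0, 0, 0,
                        crc, len(payload), len(payload), len(name), 0)
    return fixed + name + payload


def scan_entries(data: bytes):
    """Walk local file headers; return [(name, encrypted?)] for each entry found."""
    entries = []
    pos = data.find(LOCAL_SIG)
    while pos >= 0 and pos + 30 <= len(data):
        (_, _, flags, _, _, _, _, csize, _, nlen, xlen) = struct.unpack_from(LOCAL_FMT, data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        entries.append((name, bool(flags & FLAG_ENCRYPTED)))
        # When general-purpose bit 3 (data descriptor) is set, csize is 0 here;
        # resyncing on the next signature still finds the following entry unless
        # the payload itself happens to contain one.
        pos = data.find(LOCAL_SIG, pos + 30 + nlen + xlen + csize)
    return entries


def has_encrypted_entries(data: bytes) -> bool:
    """True if any entry in the archive is flagged as password protected."""
    return any(encrypted for _, encrypted in scan_entries(data))


def make_sample_archive() -> bytes:
    """Constructed two-entry archive: one plain text file and one entry flagged
    as encrypted, whose payload is placeholder bytes rather than real ciphertext."""
    plain = local_entry(b"readme.txt", b"nothing to see here")
    locked = local_entry(b"q3-forecast.xlsx", b"\x8f\x12\xa7\x00\x4c\xee\x31\x9b",
                         flags=FLAG_ENCRYPTED)
    return plain + locked


if __name__ == "__main__":
    archive = make_sample_archive()
    for name, encrypted in scan_entries(archive):
        print(f"{name:20s} encrypted={encrypted}")
    print("flag attachment:", has_encrypted_entries(archive))
```

Note that ZIP encryption leaves file names in the clear, so this check sees them. An archive format that also encrypts its headers (7-Zip's header encryption is the usual example) exposes no names at all; the corresponding signal there is simply an archive that cannot be listed without a password, which a scanner can treat the same way it treats the flagged entries above.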
Guest Deleted_Account Posted October 19, 2010 Well, I found the tool I was thinking of: it was Transmogrify, by the Metasploit Anti-Forensics project, though it's not listed any more so I am not sure if it is available or what.
Yar Posted October 21, 2010 (edited) Quoting Infiltrator: "I've spent the whole afternoon yesterday reading articles from that website. After I finished reading, I felt like doing a Computer Forensics course. As a matter of fact, I am considering taking the course; who knows, I might one day work for the police as a forensics investigator."
I'm glad some of the articles have had an influence on you. You can get jobs in the private sector as well as work for local police departments, FBI, DOD, ICE, Customs, Homeland Security and so on. I would say aim for private sector employment, but that's just because I'm biased against the feds. I have usually seen private firms aim for honesty and integrity, whereas the feds want to convict, convict, convict, destroy evidence, plant evidence, violate civil liberties and so on. Life in private sector forensics, where the opposition is usually the federal government, leaves you paranoid. They will tap lines, data connections, plant bugs and more, and make life difficult if they feel threatened.
In the private sector I see jobs at large corporations that are more network incident response style, down to where I work, which is usually on the defense for child pornography and cybercriminals. So I've worked everything from cp distributors and production, bomb threats, spam, murder, "terrorists", copyright infringement, etc. and would have to say it pretty much fucks your mind up after a while. If you want to take a job in the computer forensics field you need to prepare yourself for the changes. You can't look at and communicate with people as you do now once you've been changed by the job. Usually it will take over a year of forensics work. You will get a bit paranoid, especially working for the defense, as you see all the gross violations of civil liberties and how, at times, nothing can be done. You will be hated and people will want to kill you, and you will be loved and praised by others. This is a good blog post about some of the changes: http://johnjustinirvine.com/post/339744451
And below is the article you were talking about with hex editing (if it was on anti-forensics.com and not irongeek). I think I used the XVI32 hex editor but usually use HxD. In the end I guess it doesn't matter. http://www.anti-forensics.com/beat-encase-...-windows-system
Also, if anyone is really interested in anti-forensics and would like to share methods, you are encouraged to message me. I get a lot of people who want to but in the end bug out once they get their author account. I am now seeing network security related jobs asking for anti-forensics experience, right in the job description, which I think is great, and hey, what better way to promote yourself. What was once a taboo subject that got you wiretapped and fired can now be a plus for job hunters! Edited October 21, 2010 by Yar