Smashing the Slack For Fun and Profit presented at 44Con 2011

by The Grugq

Summary: Finding new places to store secret data is easy. The explosion of applications using structured file formats has provided today's hackers with a wealth of potential "slack space". The traditional one-off tool development approach is simply too time-consuming and crude for effective real-world use. Each new tool has to implement data access mechanisms and provide a namespace, along with encryption and obfuscation. This ends now.
The solution to this problem is explored in this talk: a framework for rapidly developing novel antiforensic tools which target specific data hiding vectors. This framework provides everything except the attack-specific code, allowing for rapid retargeting to new platforms. Pluggable backend data IO modules can be easily developed for almost any new data hiding attack.
Fully functional example implementations for SQLite, ZIP and other structured formats will be demonstrated. In addition, some novel approaches to data exfiltration will be discussed. These leverage popular web technologies to bypass monitoring and filtering by blending in with normal existing traffic, but without using custom tools which can leave a fingerprint for forensic analysts.