Navigation

Windows

General

Hiding files

Content

Intro
The usual way
Make folder invisible
Melt files together using ZIP/GIF
Melt files together using steganography programs
Alternate Data Streams
.Net-Crazyness

Post comment (Allready 17)

Intro

Encryption of content is, of course, the way to go if you want to restrict access to it. But encrypting is not the only possibility to prevent others from reading your files. You all know that possibility, probably because I mentioned it in the title: You just hide them! You'll probably say "You don't say, captain Obvious", but there is a whole section of science about hiding stuff, called steganography.
Like I wrote in my essay about cryptography (only in german), steganography is way older than cryptography, it's actually 2500 years old. I'll describe various ways to accomplish this in the digital environment in this how to. The parts are ordered at the same time by difficulty and security, meaning that the one at the bottom is the most secure one but also the hardest one. They build on each other, so if you get stuck, look above, maybe I've allready wrote the answer there. The how to is for single files, but you are free to compress your files/folders using zip (7zip, rar, you get the idea) to get a single file.

Back to contents

The usual way

If you happen to allready use file steganography, you'll probably use this way. You take a file and you put it in an obscure directory, for example somewhere in the system folder. Such a folder is C:\Windows\System32 in Windows XP or C:\WINNT\System32 in Windows 2000. In it are many files and folders and even experienced computer users probably won't know all those file name. After you moved your file there, give it the file attribute "hidden".
You can improove this if you alse give it a complicated file name (like drvsys32) and, especially, if you use another file extension.

Display:
How do I set the file attribute and how do I change the file extension?

Back to contents

Make folder invisible

You can also make a folder invisible. It's there, but you can't see it.

Using Windows XP, you do it this way: Mark the folder you want to hide and press F2 to rename it. Now you have to hold your alt key and, at the same time, enter the digits 0160 using your numpad. Then release the alt key and press enter. Now you have a folder that appers to have no name, but which is still visible. Now right-click it and go to properties, go to the customize tab and click on "Choose Picture". There you choose one of the empty ones (scroll to the right to see them). Now you have an invisible folder.
To find it again, use the key combination CTRL-A - it's hidden where something's marked while nothing seems to be there. Just double-click in this area and your folder opens.

Back to contents

Melt files together using ZIP/GIF


You can also carmouflage files as other ones, or "melt them together". First some background information to get you to understand how it works:
The most file formats, like Zip, Jpg, Bmp etc, have several parts. The first part, called header, contains most of the time (but not all times) basic informations about the file. For example, in images, the header contains the resolution, width, height, DPI and so on, sometimes even a little thumbnail image. The middle part usually contains the actual data, for example pixel informations for the image. The last part, the so-called footer, contains sometimes some end informations, but most formats don't use this part.
In the header of some file formats is also the length of the file, an example for that is the image format Gif (JPGs would also work). All data that is after this length is omitted. In other file formats like Zip or Rar, this information is in the footer and all data before it is omitted. This can be used for our purposes. Imagine you just append a Zip file to the end of a Gif file. If you get the computer to believe that this file is a Gif, it will open the image and ignore the data after it, but if you get it to believe that it's a Zip, it will open the Zip and ignore the image in front of it. Exactly this is what we'll do here.
Firstly, get yourself a random Gif image. It works with any Gif, but it's better to use a large one so that the file size is not that suspicious. You can find such an image using Google Image Search. Now put the files you want to hide in a Zip- or Rar-Archive and put this in the same directory that your new Gif is in.
Now you have to navigate to this flder using the Dos console.

Display:
How do I get to this folder in the Dos console?

Now you have to use the following command to melt the files together:
copy "your.gif" /B + "your.zip" /B "output.gif"
For example, if your Gif is named "house.gif" and the Zip archive you want to hide is named "secret.zip" and you'll want to melt them together to the file "melted.gif", you'll command would be: copy "house.gif" /B + "secret.zip" /B "melted.gif"

To test your output file, double-click it. It should open in your image viewer without errors and display the content of your original Gif. Now change the file extension from "gif" to "zip" (see above about how to do this) and doubleclick it again. If everything worked, the ontent of your secret zip file should open as if there never was an image. If it worked, re-rename your file back to the file extension gif and delete the original files (or store them at a secure place, like burning them on a CD and hiding this CD) and be happy :)

An example of this technique is here:
Doppelbild
Download it, change the extension to zip and test it.
Attention: Depending on the Browser you use, it may not work. Some browsers may strip the extra information off the image when you download it.

Back to contents

Melt files together using steganography programs

This method is quite similar to the last one, but it's more advanced. With the last method an attacker could open the file using a hex editor and see that something's wrong. Someone could make a program that automatically searches "too long" Gif files and would be able to check thousands of files in seconds. But there's a possibility to merge files in a stealthier way.
The data of an image consists (usually) of the single pixels. There are three color values per pixel: red, green and blue. Depending on the strength of the color, this value ranges between 0 and 255 (0 = black, 255 = full color). For example, a pixel with the color violet would consist of those values: 255, 0, 255.
Now, would you see the difference between this pixel and a pixel with the values 254, 1, 254? No! That's the base for this method. ALL data on your computer consists of ones and zeroes. Now, what you do is, you distribute the bits (ones and zeroes) of a file (the one you want to hide) to all the pixels of an image. A human viewer would not see any difference, even if he holds the original image right next to the tampered one. The same thing also works using sound files or video files. About no human is able to pinpoint a minor difference in a frequency. The only negative thing about this is that the file you want to hide has to be much smaller that the file (image) you want to hide it in, else the difference between the clean image and the modified image would be way too high.
This would be way too much work to do by hand, but you'll find various programs for that in the internet. A list of such programs can be found here.
I myself don't use this kind of steganography, so I'm not able to give you a hint to the best of those programs.

Back to contents

Alternate Data Streams

Now it's getting interesting. But first, to be able to use this method, you have to use the NTFS file system. This is the default for Windows XP.

Display:
How do I find out if I have the NTFS file system?

Alternate Data Streams (ADS) are another way to hide files into each other. Using this method, you're able to use a file like a folder, stuffing multiple other files in it. Windows XP uses it itself: If you download an executable from the internet, Windows uses ADS to mark this file as downloaded and displays a warning if you want to execute it. The advantage of ADS is that it doen't change the file size of the file you used as a container and that you have no way to find out that the file is not a normal one or get to the hidden content through the windows explorer. Another advantage (or, depending how you see it, a disadvantage) is that the hidden content is lost as soon as the file is written on any non-NTFS file system (advantage: If someone wants to write your files to a CD/DVD to check them at home, he will not get the hidden content)
Now, let's get us started. First, make a file to hide your content in or chose an existing one, file type doesn't matter. Now put the file you want to hide in the same directory. Navigate there using the DOS console and enter the following:
type fileToHide > innocentLookingFile:stream
You can use what you want for the stream, but to make things simple, use the file name of the file you want to hide. For example, if the file you want to hide is named "secret.avi" and the file you want to stuff it into is named "teletubbies.txt", the command would look like this:
type secret.avi > teletubbies.txt:secret
After that, you can delete the secret file but make sure you remember the filename or it will be lost (there are ways to get it again but that requires special programs). By the way, you can stuff as many files as you want it one container file.
Many (but not all) programs are able to access the ADS directly - as long as you tell them where to look using the console. For example, if the hidden file is a text file, you'd use the command "notepad filename:stream". Or, using the previous example, play the vid using "mplayer teletubbies.txt:secret". For an executable, it would be "start filename:stream".
To get a file out of the ADS again (for file formats that can't be opened directly) you need one of two commands. The first one only works for text files:
more < innocentLookingFile:stream > targetFile
It's a bit more complicated for all other hidden files (all non-textual ones). Firstly, you need the program "cat" for it, because Windows can't do this on its own. You can download it from me or get it on Sourceforge. Copy this file (cat.exe) in the folder C:\Windows\System32. Now, to get out the hidden file use this command (again in the console):
cat innocentLookingFile:stream > targetFile
For example, to get out the hidden video from above, use
cat teletubbies.txt:secret > secret.avi

Notice that the secret file is still in the ADS of the container file. To erase an ADS, either move the file to a non-NTFS file system or use the following command:
echo. > innocentLookingFile:stream

Back to contents

.Net-Crazyness

.NET creates some directories which cannot be accessed using the windows explorer. Because of that, these directory are ideal to hide files.
First, install .NET, if you don't have it yet. You can find it here. Then go to the folder C:\WINDOWS\assembly. You'll see that you won't find a subfolder like GAC.
Now, open the DOS-console and get in the same directory. Type in "dir" to get a listing of the files and folders in this directory. Get into one of the folders listed (that diddn't appear in the windows explorer) using the cd command, then move the files you want to hide in it (don't forget to use the full path). You can also hide your file in the ADS of a file there.

Display:
How does the command "move" work?
Back to contents

Comments

#13 Hans-Gerd wrote at 04/24/2012 05:58 PM (EST):
ich habe da mal eine frage wenn ich nun eine EXE Datei hinter oder in eine andere Datei wie eine Bilddatei verstecke und man öffnet diese würde sich dann die EXE Datei Instalieren?

#14 Klaue wrote at 05/13/2012 06:43 PM (EST):
Nein

#12 Vinlino wrote at 04/18/2012 10:28 AM (EST):
Frage zu "Dateien verschmelzen mittels ZIP/GIF"
Das Beispielbild "Stegano1" kann ich nach Umbenennung in ZIP nicht öffnen.Habe es mit Firefox unf Explorer versucht, kann mir vielleicht jemand einen Rat geben.

#15 Klaue wrote at 05/13/2012 06:45 PM (EST):
Manche Browser/Proxis/Antiviren etc hauen das selber ab - Manchmal klappts per Browser, manchmal nicht. Einfach mal lokal bei dir selber ausprobieren :)

#11 Dan wrote at 03/21/2012 10:05 AM (EST):
Ich habe eine Frage zum "Dateien verschmelzen".

Also - mir liegt ein Datei als .jpg vor, die allem Anschein allem Anschein nach(!) mit dem "Dateien verschmelzen"-Verfahren entstanden ist. Wenn ich mir die Datei mit einem HEX-Editor anschaue, sieht dies nämlich danach aus.

Meine Frage ist, wie bekommt man die Dateien wieder getrennt? Eine Umbennenung nach zip und anschließendes Öffnen läuft auf einen Fehler.
Ich habe auch versucht, denn ersten Teil der Datei, bis zum Beginn des Zip mit dem Hexeditor zu löschen, aber dabei erzeuge ich nur inkonsistenten Datenschrott. Hast Du einen Tipp für mich?

Vielen Dank im Voraus!!

#16 Klaue wrote at 05/13/2012 06:52 PM (EST):
Ist es vielleicht kein zip, sondern ein Rar? oder ein gzip? Well du wirklich weisst, wo die erste Datei aufhört und die zweite beginnt, lösch die erste wieder weg und lass dann das unix-tool "file" drüberlaufen, das sollte dir sagen, was es für ein Dateityp ist.

http://gnuwin32.sourceforge.net/packages/file.htm
http://en.wikipedia.org/wiki/File_%28Unix%29

#9 Deepeat wrote at 11/12/2011 02:05 PM (EST):
Hey,
Ich habe auch eine Frage.
Angenommen ich habe diese .exe nun in einem Bild ,,versteckt'', dieses Verfahren ist ja noch relativ Simple.
Doch nun gelingt es mir nicht einen Autostart für die .exe in dem Bild zu integrieren.

Also ich möchte erreichen, dass sobald ich das Bild öffne, die .exe gleichzeitig mit ausgeführt wird.

greetz~

Deepeat

#10 Klaue wrote at 11/12/2011 09:46 PM (EST):
Das geht nicht. Beziehungsweise es würde theoretisch schon gehn, aber da müsste man sich einen eigenen Dateitypenhandler für JPG schreiben und den auf dem System installieren, was um einiges schwerer ist.

Ausserdem ist das ja zum verstecken von Dateien, nicht Viren gedacht.

#7 dani wrote at 02/18/2010 09:01 AM (EST):
Wie packt man denn jetzt einen Ordner hinter eine .exe-Datei? und wie kann man dann den Ordner wiederherstellen?
danke

#8 Klaue wrote at 04/13/2010 12:27 PM (EST):
Du Zipst den ordner und hängst ihn per ADS an die exe an. anders gehts ohne spezialprogramme oder programmierkenntnisse nicht.

#6 dani wrote at 02/18/2010 09:00 AM (EST):
Wie packt man denn jetzt einen Ordner hinter eine .exe-Datei? und wie kann man dann den Ordner wiederherstellen?
danke

#4 Mark wrote at 02/10/2010 08:40 AM (EST):
Funktioniert auch einwandfrei unter Linux, sogar cat ist dann dabei

#5 Klaue wrote at 02/10/2010 08:41 AM (EST):
Ich dachte schon daran, eine Linux-Version zu bauen, aber kam bisher nie dazu

#3 Maximilian Engelhardt wrote at 02/10/2010 08:40 AM (EST):
Hallo!

Ich kenne noch ein Trik:
Wen ihr eine Datei im Open-OficeFormat mit einem Archivprogramm öffnet könnt ihr da auch Dateien drin verstecken.

#0 http://2009.thenextweb.com/?js wrote at 02/10/2010 08:37 AM (EST):
javascript:emo_pop()

#1 Klaue wrote at 02/10/2010 08:38 AM (EST):
Dieser peinliche Hackversuch klappte wohl nicht so ganz. Glaubst du wirklich, ein Service wie Haloscan würde nicht gegen solche billigen (und noch dazu fehlerhaft ausgeführten) Exploits testen? Selbst wenn du es richtig gemacht hättest, hätte es nicht geklappt. Ganz schön peinlich.

#2 Klaue wrote at 02/10/2010 08:39 AM (EST):
Meine eigene implementation fällt da natürlich auch nicht drauf rein

Add comment

*Name:

Email:
(Optional, hidden. Only if you want to be notified of replies)

Homepage:

* Spam check: 3 * 7 =
*Comment:

Back to contents