In this lab, we learn how to hide information within the Windows File System.
We start by logging into the Client and running the silenteye-0.4.1-win32 installer.
Once installed, we need to make a note of the gtslearning.jpg image's creation and last-modified dates.
Once those dates are noted, we open WinMD5 and drag the image into it to get our checksum.
Then we add the checksum value into the bottom text box.
Now, using SilentEye, I can open up the image and put in a message.
Now I need to find the saved file and compare the dates.
As you can see from the dates, the file has been edited.
Now, using WinMD5, I can drag the new image into the program and generate a new checksum.
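The date and checksum comparison above is a manual integrity check: a stego image looks identical to the eye, so the only reliable evidence of the embed is that the bytes (and therefore the hash) no longer match a trusted baseline. The PowerShell below is an added example, not part of the lab or of SilentEye/WinMD5; it records hash, size and last-write time for every file in a folder and reports what changed afterwards. The path C:\GTSLABS is assumed (the lab only names \GTSLABS), and MD5 is used to match WinMD5; Get-FileHash defaults to SHA-256, which is what you would use outside the lab since MD5 collisions can be manufactured.

```powershell
# Added example (not part of the lab): baseline a folder before an edit and
# diff it afterwards, the scripted form of the WinMD5 + Properties comparison.
function Get-FileBaseline {
    param(
        [Parameter(Mandatory)][string] $Path,
        [string] $Algorithm = 'MD5'   # MD5 matches WinMD5; prefer SHA256 in practice
    )
    $baseline = @{}
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $baseline[$_.FullName] = [pscustomobject]@{
            Length        = $_.Length
            LastWriteTime = $_.LastWriteTimeUtc
            Hash          = (Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm).Hash
        }
    }
    return $baseline
}

function Compare-FileBaseline {
    param(
        [Parameter(Mandatory)][hashtable] $Before,
        [Parameter(Mandatory)][hashtable] $After
    )
    foreach ($file in $Before.Keys) {
        if (-not $After.ContainsKey($file)) {
            [pscustomobject]@{ File = $file; Change = 'Deleted' }
            continue
        }
        $b = $Before[$file]
        $a = $After[$file]
        if ($b.Hash -ne $a.Hash) {
            # Bytes differ: this is what a SilentEye embed produces even when the
            # picture looks unchanged.
            [pscustomobject]@{
                File = $file; Change = 'ContentChanged'
                OldHash = $b.Hash; NewHash = $a.Hash
                OldLength = $b.Length; NewLength = $a.Length
            }
        } elseif ($b.LastWriteTime -ne $a.LastWriteTime) {
            # Timestamp moved but content is identical (re-saved without changes).
            [pscustomobject]@{ File = $file; Change = 'TimestampOnly' }
        }
    }
    foreach ($file in $After.Keys) {
        if (-not $Before.ContainsKey($file)) {
            [pscustomobject]@{ File = $file; Change = 'Added' }
        }
    }
}

# Usage (assumed path):
# $before = Get-FileBaseline -Path 'C:\GTSLABS'
# ... embed the message with SilentEye ...
# $after  = Get-FileBaseline -Path 'C:\GTSLABS'
# Compare-FileBaseline -Before $before -After $after | Format-Table -AutoSize
```

The baseline only proves anything if it was taken from a copy you trust; comparing a suspect image against itself, as the lab's second WinMD5 run does, just shows that the file changed, not what the original was.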
In this exercise we use software to see if we can find a hidden message.
We need to find the ZIP file stegdetect-0.4, unzip it, then run the program.
Now we need to open the tampered image and look for evidence of tampering.
When I inserted the picture I got a negative response; the lab does not say whether it should find it or not.
This part of the lab shows how data can be concealed in the Windows file system.
First I must make a rich text file named memo, insert some text, then make a note of the size and date properties.
Now I need to add this file to WinMD5 and copy the checksum value into the original file box.
Now I need to open an admin cmd, change the directory to \GTSLABS and run these commands.
Now checking the memo properties.
I made a few mistakes on some lines, hence the syntax error, but I solved it.
Now, what has this done to our memo file?
The change I can see is that the size went up from 197 to 377 KB.
Now I need to move the memo file to the Documents folder and try to run it.
The exe did not run and I just get the program's exe code.
If I try to open it up using the following command I should get a different result.
mklink memo.lnk memo.rtf:odysseus.exe
This created a symbolic link between the memo file and the Odysseus program.
Now we need to run a program, adsspy, to detect this sort of tampering.
Now the lab says to delete the two memo results, but I received three. I'm going to play it safe and delete the two results from my Documents folder.
Now when I try to run the link, which I entered with .ink, it still works the same, and I get this.
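What the exercise built is an NTFS alternate data stream (memo.rtf:odysseus.exe) plus a symbolic link that points into that stream, and what adsspy does is enumerate such streams. The PowerShell below is an added example, not the lab's own material and not adsspy; it shows how a defender can do the same check with built-in cmdlets (Get-Item -Stream, the LinkType and Target properties). Explorer's Size and a plain dir only count the primary stream, which is why a file can carry an executable without looking larger; dir /R in cmd also lists streams. The path C:\GTSLABS is assumed from the lab's \GTSLABS.

```powershell
# Added example (not part of the lab): find NTFS alternate data streams and
# symbolic links that point into a stream, the two artefacts this exercise creates.
function Get-AlternateDataStreams {
    param([Parameter(Mandatory)][string] $Path)
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * lists every stream; ':$DATA' is the ordinary file content.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length   # not included in the Size Explorer shows
                        # Zone.Identifier is the normal "downloaded from the internet"
                        # mark on files from a browser; anything else deserves a look.
                        IsZoneIdentifier = ($_.Stream -eq 'Zone.Identifier')
                    }
                }
        }
}

function Get-StreamSymbolicLinks {
    param([Parameter(Mandatory)][string] $Path)
    # A target such as memo.rtf:odysseus.exe ends in ':<stream name>' with no path
    # separator after the colon, which a drive letter (C:\...) never does.
    Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkType -eq 'SymbolicLink' } |
        Where-Object { ($_.Target -join ' ') -match ':[^\\:]+$' } |
        Select-Object FullName, @{ Name = 'Target'; Expression = { $_.Target -join ' ' } }
}

# Usage (drive letter assumed; the lab only gives \GTSLABS):
# Get-AlternateDataStreams -Path 'C:\GTSLABS' | Format-Table -AutoSize
# Get-StreamSymbolicLinks  -Path 'C:\GTSLABS' | Format-Table -AutoSize
# To remove a stream once you have copied it off for analysis:
# Remove-Item -LiteralPath 'C:\GTSLABS\memo.rtf' -Stream 'odysseus.exe'
```

Removing the stream leaves the primary memo.rtf content intact, which is also why deleting the link alone (the lab's clean-up step) does not remove the hidden executable: the link is only a pointer to the stream.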
I have finished the lab.
This lab showed me how easy it is to hide a program within a file, but it was not as dangerous as I thought, as the file needs to be run via CMD.
After I finish some of the exercises I am sometimes confused about the intended outcome, as it does not specify what it should be, so I can only assume I have finished successfully.
The only mistake I made in this lab was when creating the symbolic link, instead of .lnk I put .ink.