fishy
Toolkit for Filesystem based Data Hiding Techniques.
InodeTable.getAllInodes always returns empty list. Seems like it cannot parse APFS structures correctly.
Parse APFS images that aren't perfectly prepared as the Wiki entry explains. Possible solution: find first NXSB instance and count the used blocks.
e.g. calculate the amount of inodes needed and only extract that amount instead of all inodes (might break info switches - need to be changed as well)
Several improvements can/have to be made to the APFS Timestamp technique: 1. The choice of which timestamps should be written to needs to be simplified and accessible from the console...
When reading larger amounts of hidden data, the technique reads parts of the filesystem structure instead of the hidden data (e.g. seems to happen when reading a volume superblock for...
Some Info-Switches that incorporate both non-metadata and metadata variants throw exceptions after printing the information when no metadata is used. E.g. ext4 Superblock Slack throws a "not implemented" exception.
As of right now, Timestamp Hiding in APFS hides data in 4 bytes of the nanosecond part of the timestamps. This potentially also affects the seconds of the timestamp. To...
MFT record 1 used size: 408 MFT record 2 used size: 303 -> writes Mirror of hidden data 2 (hidden in record 2) to mirror of record 1 at position...
The construct library changed some things in their recent 2.9.X release so that our code is currently incompatible with their current version. Maybe someone has the time to fix those...
There are some inconsistencies in the cli interface. * The `metadata` subcommand does not require a device (`-d`), but all other commands do. * The info option of `fileslack` subcommand...