Hiding Files: Essential Guide for CEH Exam
Introduction to Hiding Files
Hiding files is a critical concept in system hacking that involves concealing malicious files or data from users and security mechanisms. Understanding this topic is essential for CEH certification as it relates to maintaining persistence after compromising a system.
Why Hiding Files Is Important
Attackers hide files to:
- Maintain persistent access to compromised systems
- Conceal evidence of intrusion
- Store stolen data until exfiltration
- Hide malware and backdoors from security scans
- Evade detection during forensic analysis
Common File Hiding Techniques
1. Attribute Manipulation:
- Setting hidden attributes (attrib +h filename.ext in Windows)
- Setting the system attribute (attrib +s) so the file is treated as a system file
2. Alternate Data Streams (ADS) in NTFS:
- Hiding data in alternate streams (type secret.txt > visible.txt:hidden.txt)
- Data in an alternate stream does not appear in a standard directory listing or in the visible file size
3. Steganography:
- Concealing data within images, audio, or video files
- Tools like OpenStego, Steghide, and OutGuess
4. File Extension Manipulation:
- Changing file extensions to appear as legitimate files
- Using multiple extensions (malware.jpg.exe)
5. Rootkits:
- Using rootkits to hide files at the OS level
- Kernel-mode rootkits that modify system calls
6. Timestamp Manipulation:
- Changing file timestamps to blend with legitimate files (timestomping)
7. Encryption and Encoding:
- Encrypting files to make content unreadable
- Using custom encoding schemes
Detection Methods
- File integrity checkers (Tripwire, OSSEC)
- Forensic tools (Autopsy, EnCase)
- Rootkit detectors (RootkitRevealer)
- Command-line tools (dir /a lists hidden files and dir /r lists alternate data streams in Windows)
- Specialized ADS detection tools
- Comparing file signatures with extensions
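The last detection method above, comparing a file's signature with its extension, is the countermeasure to the extension manipulation technique (malware.jpg.exe) listed earlier. The following scanner is an added example written for this guide, not a tool from the CEH material: it reads each file's leading bytes, flags a mismatch between the signature and the extension, and flags a decoy extension in front of an executable one. The signature table is a deliberately small subset, and the sample files are constructed in a temporary directory.

```python
import tempfile
from pathlib import Path

# Leading bytes (file signatures) for a few common types; a small subset for this example.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"MZ": "exe",          # PE executables (.exe, .dll, .scr) all start with MZ
}
ALIASES = {"jpeg": "jpg", "dll": "exe", "scr": "exe"}
EXECUTABLE = {"exe"}

def sniff_type(header: bytes):
    """Return the type implied by the file's leading bytes, or None if unknown."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None

def check_file(path) -> list:
    """Return a list of findings for one file (an empty list means nothing suspicious)."""
    p = Path(path)
    suffixes = [s.lower().lstrip(".") for s in p.suffixes]
    claimed = ALIASES.get(suffixes[-1], suffixes[-1]) if suffixes else ""
    with open(p, "rb") as fh:
        header = fh.read(16)
    actual = sniff_type(header)
    findings = []
    # malware.jpg.exe style: a decoy extension in front of an executable one
    if len(suffixes) > 1 and claimed in EXECUTABLE:
        findings.append("double extension hiding an executable")
    # content says one type, the name says another (e.g. an EXE renamed to .pdf)
    if actual is not None and actual != claimed:
        findings.append(f"signature says {actual}, extension says {claimed or 'none'}")
    return findings

def scan_samples() -> dict:
    """Write constructed sample files to a temp dir and return the findings per file name."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,   # genuine JPEG header
        "malware.jpg.exe": b"MZ\x90\x00" + b"\x00" * 12,    # double extension
        "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 12,        # EXE renamed to .pdf
        "notes.txt": b"plain text, no signature",           # unknown type: no finding
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        return {name: check_file(Path(tmp, name)) for name in samples}
```

Point `check_file` at a real directory walk to use it as a periodic check; it reports nothing for types missing from the signature table, so coverage is only as good as that table.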
Exam Tips: Answering Questions on Hiding Files
1. Understand OS-Specific Techniques:
- Know the differences between Windows, Linux, and macOS hiding techniques
- Memorize important commands for each OS
2. Recognize Tool Functionality:
- Know which tools are used for which hiding techniques
- Understand how each tool works
3. Focus on Countermeasures:
- Learn detection methods for each hiding technique
- Be familiar with prevention strategies
4. Remember the Attack Chain:
- Understand where file hiding fits in the cyber kill chain
- Connect it with persistence and anti-forensics
5. Practice with Scenarios:
- When given a scenario, identify the most appropriate hiding technique
- For multiple-choice questions, eliminate answers that are unrelated to the context
6. Master Technical Details:
- Know specific commands and syntax
- Understand file system structures (especially NTFS for ADS)
7. Look for Contextual Clues:
- If a question mentions "streams," think ADS
- If it mentions images, think steganography
- If it mentions system-level hiding, think rootkits
Remember that the CEH exam will test your understanding of both offensive techniques (how to hide) and defensive approaches (how to detect hidden files). Be prepared to answer questions from both perspectives.