Hiding files with mount

When filesystems are mounted on a directory, existing files in that directory are hidden and will not be accessible until the mount point is removed. This is a relatively decent way to thwart or slow down online analysis of a system. A recursive listing of files will not reveal these hidden files. Most investigators would be hesitant to unmount live filesystems especially if running services have handles to files residing on that mount point. For bonus points, create a dummy file with the same name on the mounted filesystem... 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
user@hostname:/tmp# mkdir folder
user@hostname:/tmp# echo "secret" > ./folder/hidden.txt
user@hostname:/tmp# ls ./folder/
hidden.txt
user@hostname:/tmp# mount /dev/sda1 /tmp/folder/
user@hostname:/tmp# ls ./folder/
bin   build  etc   initrd.img  lib32  libx32      media  opt   root  sbin  srv  tmp  var
boot  dev    home  lib         lib64  lost+found  mnt    proc  run   snap  sys  usr  vmlinuz
user@hostname:/tmp# umount /tmp/folder/
user@hostname:/tmp# ls ./folder/
hidden.txt
user@hostname:/tmp#


Tags: Security

Similar Articles

Hiding compressed files in images - Have been doing this for quite some time, just wanted to share the method. The following code should work on Linux/Mac. Step 1. Zip/Rar/7z your secret file zip hideme.zip s3cr3t Step 2. Append ...
DES key parity bit calculator - I was doing some reverse engineering and I could not find any tool which expands a 56 bit DES key into a 64 bit key with the parity bit included. Expanding the key is a pretty laborious process ...
Bangladesh bank heist - The media initially attributed the hack to a couple of cheap second-hand $10 switches. However, according to further reverse engineering, this is not a snatch and grab but a full scale bank heist ...
Hijacking QR codes - Just finished printing my poster for a school project in which contained a QR code for users to download an android app. It was my first time printing out 300dpi@A1 size and thankfully it turned ...