File Attributes
The easiest way to hide data on a live file system is to simply change the name or extension of the file in question. Changing the name of a program from “malware.exe” to something innocuous such as “sol.exe” would very likely hide it from a casual observer. An administrator specifically looking for something suspicious may be just as likely to miss it, as well, particularly if it were in a directory where such files are expected to be seen. For example, the executable image for the Solitaire card game, sol.exe, is located in the %WINDIR%[1]\system32 directory on most Windows systems.
[1] See %WINDIR% is an environment variable that points to the directory where Windows is installed; it translates to C:\WINNT on Windows NT and ...
Get Windows Forensics and Incident Recovery now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.