partitionhider

Dangerous and risky bash scripts to conceal and recover partitions using literal writes to MBR
git clone git://git.defalsify.org/partitionhider.git

README.md (3223B)


# mbr-decrypt-and-hide

***WARNING WARNING WARNING***

**This program messes around with raw partitions and the MBR. It can REALLY EASILY destroy data. This code is to be treated as sample code, not as a working application. Error handling is weak, and the scripts may make a lot of dangerous assumptions. The author assumes NO liability for their usage**

The imagined use case for this code is to temporarily conceal the existence of data on a block device. It encrypts the partition data into nonsensical random bytes, but also hides the fact that there was a partition there in the first place. The data and scripts required to restore the data partition are embedded in the encrypted blob itself.

It only works with MBR, _not_ with extended partitions.

# hide

First, manually make a note of the partition's start sector and the sector size. If these numbers are lost, the data cannot be recovered:

```
fdisk -l <device>

eg.

]$ sudo fdisk -l /dev/sda
Disk /dev/sda: 111.8 GiB, 120034123776 bytes, 234441648 sectors
Units: sectors of 1 * 512 = 512 bytes <==================================== sector size is here
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x6ca35cb5

Device     Boot    Start       End   Sectors  Size Id Type
/dev/sda1           2048  41945087  41943040   20G 83 Linux
/dev/sda2  *    41945088  41947135      2048    1M  4 FAT16 <32M
/dev/sda3       41947136  50335743   8388608    4G 82 Linux swap / Solaris
/dev/sda4       50335744 234441647 184105904 87.8G 83 Linux

                    ^========================= start sector is here
```

Then invoke the script:

```
w.sh <device> <partition number>

eg.

w.sh /dev/sda 4
```

The procedure will:

* dump and encrypt a partition
* dump the partition table entry for that partition
* create an ext4 fs holding the two scripts, plus device/partition information, the data offset, the encryption password and the size of the data, and encrypt it
    - this fs will be 1000 times the sector size. When encrypted, 32 magic ccrypt bytes will be prepended.
* write this data to the start sector of the partition, immediately following each other:
    - the encrypted script/data fs
    - the partition table entry
    - the encrypted partition data itself
* shred and remove data and password from disk, and optionally the scripts as well.

# reveal

```
# skip to the partition's start sector; with bs=1, skip and count are byte counts
dd if=<device> bs=1 skip=$((<start sector>*<sector size>)) count=$(((<sector size>*1000)+32)) | ccrypt -d -c > <fsfile>
mount <fsfile> <mntpnt>
cd <mntpnt>
sh r.sh
```

The procedure will:

* read the device, partition number, absolute data offset and encryption password from the stored data file
* calculate the data size from the LBA size field in the stored partition entry
* write the partition entry to the partition table
* decrypt and dump the data to a temporary file
* write the data back to the original sector offset on the partition
* shred and delete the data file, and optionally copy the script files (back) to a desired location
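An added example, not part of partitionhider, that illustrates both procedures above: it parses a 16-byte MBR partition entry (the hide step stores one between the encrypted fs image and the encrypted data; the reveal step reads its LBA size field to get the data size) and computes where each piece lands on the device from only the start sector and sector size noted from fdisk. The function names and the sample entry bytes are my own constructions, chosen to match /dev/sda4 in the listing above; nothing here touches a block device.

```shell
#!/bin/sh
# Added example (not part of partitionhider): decode an MBR partition table
# entry and compute the on-disk layout the hide step writes and the reveal
# step must read back. Works on a constructed 16-byte sample file only.

# Print the unsigned 32-bit little-endian integer at byte offset $2 of file $1.
# Bytes are read one at a time so host endianness does not matter.
le32() {
    set -- $(od -An -t u1 -j "$2" -N 4 "$1")
    echo $(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
}

# Classic MBR entry fields: byte 4 is the type, bytes 8..11 the first LBA,
# bytes 12..15 the sector count (the "LBA size" the reveal step uses).
entry_type()      { od -An -t u1 -j 4 -N 1 "$1" | tr -d ' '; }
entry_lba_start() { le32 "$1" 8; }
entry_lba_size()  { le32 "$1" 12; }

# Size in bytes of the hidden partition data: sector count times sector size.
entry_data_bytes() { # entryfile sector_size
    echo $(( $(entry_lba_size "$1") * $2 ))
}

# Byte offsets on the device of the three parts written back to back:
# 1000 sectors of ext4 image plus the 32-byte ccrypt header, then the
# 16-byte partition entry, then the encrypted partition data.
fs_offset()    { echo $(( $1 * $2 )); }           # start_sector sector_size
fs_length()    { echo $(( $1 * 1000 + 32 )); }    # sector_size
entry_offset() { echo $(( $(fs_offset "$1" "$2") + $(fs_length "$2") )); }
data_offset()  { echo $(( $(entry_offset "$1" "$2") + 16 )); }

# Check worth running before the reveal step writes anything: the first LBA
# in the recovered entry must equal the start sector noted from fdisk.
entry_matches_start() { # entryfile start_sector
    [ "$(entry_lba_start "$1")" -eq "$2" ]
}

# Constructed sample entry: status 0x00, CHS start, type 0x83 (Linux),
# CHS end, LBA start 50335744 (0x03001000), LBA size 184105904 (0x0AF93BB0).
SAMPLE_ENTRY=$(mktemp)
printf '\000\376\377\377\203\376\377\377\000\020\000\003\260\073\371\012' > "$SAMPLE_ENTRY"

# Worked run for the fdisk listing above: start sector 50335744, 512-byte sectors.
echo "type: $(entry_type "$SAMPLE_ENTRY")"
echo "data bytes: $(entry_data_bytes "$SAMPLE_ENTRY" 512)"
echo "fs at $(fs_offset 50335744 512), entry at $(entry_offset 50335744 512), data at $(data_offset 50335744 512)"
entry_matches_start "$SAMPLE_ENTRY" 50335744 && echo "entry start matches fdisk start sector"
```

The offsets come out in bytes so they can be fed straight to `dd` with `bs=1`, which is also why the reveal step's read length is stated as `sector size * 1000 + 32` rather than in sectors.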

# requirements

This code has been known to successfully run using:

- linux 4.15.13 (ARCH)
- bash 4.4.19
- coreutils 8.29 (dd, shred ...)
- util-linux 2.31.1 (fdisk, blockdev, hexdump)
- ccrypt 1.10